diff options
| -rw-r--r-- | etc/rc.conf | 21 | ||||
| -rw-r--r-- | root/.cshrc | 49 | ||||
| -rw-r--r-- | usr/local/etc/nginx/nginx.conf | 192 | ||||
| -rw-r--r-- | usr/local/etc/pf.conf | 60 |
4 files changed, 322 insertions, 0 deletions
diff --git a/etc/rc.conf b/etc/rc.conf new file mode 100644 index 0000000..8c8846a --- /dev/null +++ b/etc/rc.conf @@ -0,0 +1,21 @@ +hostname="jozanofastora.xyz" +sshd_enable="YES" +ntpd_enable="YES" +static_routes="linklocal" +ifconfig_vtnet0="DHCP" +ifconfig_vtnet0_ipv6="inet6 accept_rtadv" +ipv6_activate_all_interfaces="YES" +rtsold_enable="YES" +rtsold_flags="-aF" +nginx_enable="YES" +uwsgi_enable="YES" +cron_flags="-m ''" +gmid_enable="YES" +pf_enable="NO" +pf_rules="/usr/local/etc/pf.conf" +plog_enable="NO" +pflog_logfile="/var/log/pflog" +obspamd_enable="NO" +obspamd_flags="-v" +obspamlogd_enable="NO" +dovecot_enable="NO" diff --git a/root/.cshrc b/root/.cshrc new file mode 100644 index 0000000..f4436db --- /dev/null +++ b/root/.cshrc @@ -0,0 +1,49 @@ +# $FreeBSD: releng/12.1/bin/csh/dot.cshrc 338374 2018-08-29 16:59:19Z brd $ +# +# .cshrc - csh resource script, read at beginning of execution by each shell +# +# see also csh(1), environ(7). +# more examples available at /usr/share/examples/csh/ +# + +alias h history 25 +alias j jobs -l +alias la ls -aF +alias lf ls -FA +alias ll ls -lAF +alias ls ls -lhG +alias tree tree -C +alias c clear +alias vim nvim +alias diff colordiff -c +alias confgit git --git-dir=/usr/local/git/jozan/jozanofastora-conf.git --work-tree=/ + +# A righteous umask +umask 22 + +set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin) + +setenv EDITOR vi +setenv PAGER less +setenv BLOCKSIZE K + +if ($?prompt) then + # An interactive shell -- set some stuff up + set prompt = "%N@%m:%~ %# " + set promptchars = "%#" + + set filec + set history = 1000 + set savehist = (1000 merge) + set autolist = ambiguous + # Use history to aid expansion + set autoexpand + set autorehash + set mail = (/var/mail/$USER) + if ( $?tcsh ) then + bindkey "^W" backward-delete-word + bindkey -k up history-search-backward + bindkey -k down history-search-forward + bindkey -v + endif +endif diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf new file mode 100644 index 0000000..2cfd861 --- /dev/null +++ b/usr/local/etc/nginx/nginx.conf @@ -0,0 +1,192 @@ +worker_processes 1; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + gzip on; + gzip_vary on; + gzip_min_length 1024; + gzip_proxied expired no-cache no-store private auth; + + server{ + server_name jozanofastora.xyz; + root /usr/local/www/jozan; + index index.html; + location / { + try_files $uri $uri/ =404; + } + location ~ /\.ht { + deny all; + } + error_page 403 /403.html; + location = /403.html { + root /usr/local/www/jozan/err; + } + error_page 404 /404.html; + location = /404.html { + root /usr/local/www/jozan/err; + } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + + listen 443 ssl; # managed by Certbot + ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot + include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + + server{ + server_name gitjoe.xyz git.jozanofastora.xyz; + root /usr/local/www/gitjoe; + index index.html; + location / { + try_files $uri $uri/ =404; + } + location ~ /\.ht { + deny all; + } + error_page 403 /403.html; + location = /403.html { + root /usr/local/www/gitjoe/err; + } + error_page 404 /404.html; + location = /404.html { + root /usr/local/www/gitjoe/err; + } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + + listen 443 ssl; # managed by Certbot + ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot + include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + +} + + server { + listen 80; + server_name cgit.gitjoe.xyz; + root /usr/local/www/cgit; + + # Serve static files with nginx + location ~* ^.+(cgit.(css|png)|favicon.ico|robots.txt) { + root /usr/share/webapps/cgit; + expires 30d; + } + location / { + try_files $uri @cgit; + } + location @cgit { + gzip off; + include uwsgi_params; + uwsgi_modifier1 9; + uwsgi_pass unix:/var/run/uwsgi/cgit.sock; + } + } + + server { + server_name fossil.jozanofastora.xyz; + index index.html; + root /usr/local/www/fossiljoe; + + # Bypass Fossil for the static documentation generated from + # our source code by Doxygen, so it merges into the embedded + # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that + # these generated files actually be stored in the repo. This + # also lets us set aggressive caching on these docs, since + # they rarely change. + location /code/doc/html { + root /usr/local/www/fossiljoe; + + location ~* \.(html|ico|css|js|gif|jpg|png)$ { + expires 7d; + add_header Vary Accept-Encoding; + access_log off; + } + } + # Redirect everything else to the Fossil instance + location /code { + include scgi_params; + scgi_param SCRIPT_NAME "/code"; + scgi_pass 127.0.0.1:12345; + } + + + listen 443 ssl; # managed by Certbot + ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot + ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot + include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Ce/srvrtbot + ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Cert/srvbot + + } + + +server{ + if ($host = git.jozanofastora.xyz) { + return 301 https://gitjoe.xyz$request_uri; + } # managed by Certbot + + if ($host = www.gitjoe.xyz) { + return 301 https://gitjoe.xyz$request_uri; + } # managed by Certbot + + if ($host = gitjoe.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name gitjoe.xyz; + listen 80; + return 404; # managed by Certbot + + + + +} + +server{ + if ($host = www.jozanofastora.xyz) { + return 301 https://jozanofastora.xyz$request_uri; + } # managed by Certbot + + if ($host = jozanofastora.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name jozanofastora.xyz; + listen 80; + return 404; # managed by Certbot + + +} + +server { + if ($host = fossil.jozanofastora.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name fossil.jozanofastora.xyz; + listen 80; + return 404; # managed by Certbot + + +} +} diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf new file mode 100644 index 0000000..1838656 --- /dev/null +++ b/usr/local/etc/pf.conf @@ -0,0 +1,60 @@ +## Set public interface ## +ext_if="vtnet0" + +## set and drop IP ranges on the public interface ## +martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ + 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ + 0.0.0.0/8, 240.0.0.0/4 }" + +table <spamd> persist +table <spamd-allow> persist + +# Allowed webmail services +table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf" + +## Skip loop back interface - Skip all PF processing on interface ## +set skip on lo + +## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ## +set loginterface $ext_if + +# Deal with attacks based on incorrect handling of packet fragments +scrub in all + + +# Pass spamd allow list +pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \ + -> 127.0.0.1 port 25 +# Pass webmail servers +rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \ + -> 127.0.0.1 port 25 +# pass submission messages. +pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state +# Pass unknown mail to spamd +rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \ + -> 127.0.0.1 port 8025 + +## Blocking spoofed packets +antispoof quick for $ext_if + +## Set default policy ## +block return in log all +block out all + +# Drop all Non-Routable Addresses +block drop in quick on $ext_if from $martians to any +block drop out quick on $ext_if from any to $martians + +pass in inet proto tcp to $ext_if port ssh + +# Allow Ping-Pong stuff. Be a good sysadmin +pass inet proto icmp icmp-type echoreq + +# Open up imap/pop3 support +pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state + + +# Allow outgoing traffic +pass out on $ext_if proto tcp from any to any modulate state +pass out on $ext_if proto udp from any to any keep state +pass quick on $ext_if from any to any port http |