From 96d51c38abc47fc5ea5dee0949f5fc0323b31026 Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Wed, 27 Apr 2022 14:02:54 +0000
Subject: First commit
---
 etc/rc.conf | 21 +++++
 root/.cshrc | 49 +++++++++++
 usr/local/etc/nginx/nginx.conf | 192 +++++++++++++++++++++++++++++++++++++++++
 usr/local/etc/pf.conf | 60 +++++++++++++
 4 files changed, 322 insertions(+)
 create mode 100644 etc/rc.conf
 create mode 100644 root/.cshrc
 create mode 100644 usr/local/etc/nginx/nginx.conf
 create mode 100644 usr/local/etc/pf.conf
diff --git a/etc/rc.conf b/etc/rc.conf
new file mode 100644
index 0000000..8c8846a
--- /dev/null
+++ b/etc/rc.conf
@@ -0,0 +1,21 @@
+hostname="jozanofastora.xyz"
+sshd_enable="YES"
+ntpd_enable="YES"
+static_routes="linklocal"
+ifconfig_vtnet0="DHCP"
+ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
+ipv6_activate_all_interfaces="YES"
+rtsold_enable="YES"
+rtsold_flags="-aF"
+nginx_enable="YES"
+uwsgi_enable="YES"
+cron_flags="-m ''"
+gmid_enable="YES"
+pf_enable="NO"
+pf_rules="/usr/local/etc/pf.conf"
+plog_enable="NO"
+pflog_logfile="/var/log/pflog"
+obspamd_enable="NO"
+obspamd_flags="-v"
+obspamlogd_enable="NO"
+dovecot_enable="NO"
diff --git a/root/.cshrc b/root/.cshrc
new file mode 100644
index 0000000..f4436db
--- /dev/null
+++ b/root/.cshrc
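Review bot: `plog_enable="NO"` near the end of the rc.conf hunk is not the knob the pflog rc script reads (`pflog_enable`), so flipping it to YES later would silently leave pflog off even though `pflog_logfile` is set; rename it to `pflog_enable="NO"`. The same hunk sets `pf_enable="NO"` while this commit also adds `usr/local/etc/pf.conf`, so that ruleset is not loaded at all and sshd/nginx are reachable unfiltered. If the firewall is meant to stay off for now, a comment saying why, e.g. `# pf disabled until the ruleset below is tested`, would help the next reader.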
@@ -0,0 +1,49 @@
+# $FreeBSD: releng/12.1/bin/csh/dot.cshrc 338374 2018-08-29 16:59:19Z brd $
+#
+# .cshrc - csh resource script, read at beginning of execution by each shell
+#
+# see also csh(1), environ(7).
+# more examples available at /usr/share/examples/csh/
+#
+
+alias h history 25
+alias j jobs -l
+alias la ls -aF
+alias lf ls -FA
+alias ll ls -lAF
+alias ls ls -lhG
+alias tree tree -C
+alias c clear
+alias vim nvim
+alias diff colordiff -c
+alias confgit git --git-dir=/usr/local/git/jozan/jozanofastora-conf.git --work-tree=/
+
+# A righteous umask
+umask 22
+
+set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
+
+setenv EDITOR vi
+setenv PAGER less
+setenv BLOCKSIZE K
+
+if ($?prompt) then
+ # An interactive shell -- set some stuff up
+ set prompt = "%N@%m:%~ %# "
+ set promptchars = "%#"
+
+ set filec
+ set history = 1000
+ set savehist = (1000 merge)
+ set autolist = ambiguous
+ # Use history to aid expansion
+ set autoexpand
+ set autorehash
+ set mail = (/var/mail/$USER)
+ if ( $?tcsh ) then
+ bindkey "^W" backward-delete-word
+ bindkey -k up history-search-backward
+ bindkey -k down history-search-forward
+ bindkey -v
+ endif
+endif
diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..2cfd861
--- /dev/null
+++ b/usr/local/etc/nginx/nginx.conf
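Review bot: The `alias` lines (`ls`, `diff`, `vim`, `confgit`, …) sit outside the `if ($?prompt)` guard, so, as the file's own header says, they are read by every csh including non-interactive ones; a root script or cron job run under csh that calls `diff` or `ls` would then get `colordiff -c` or `ls -lhG` output instead of the plain command. Moving the alias block inside the `$?prompt` branch keeps them for interactive shells only. The `confgit` alias also sets `--work-tree=/`, so any `checkout`/`clean`/`reset` through it acts on the whole filesystem; a line above it such as `# work tree is /: use this alias for add/commit/diff/status only` would make that explicit.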
@@ -0,0 +1,192 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1024;
+ gzip_proxied expired no-cache no-store private auth;
+
+ server{
+ server_name jozanofastora.xyz;
+ root /usr/local/www/jozan;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+ server{
+ server_name gitjoe.xyz git.jozanofastora.xyz;
+ root /usr/local/www/gitjoe;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # 
managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+ server {
+ listen 80;
+ server_name cgit.gitjoe.xyz;
+ root /usr/local/www/cgit;
+
+ # Serve static files with nginx
+ location ~* ^.+(cgit.(css|png)|favicon.ico|robots.txt) {
+ root /usr/share/webapps/cgit;
+ expires 30d;
+ }
+ location / {
+ try_files $uri @cgit;
+ }
+ location @cgit {
+ gzip off;
+ include uwsgi_params;
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/var/run/uwsgi/cgit.sock;
+ }
+ }
+
+ server {
+ server_name fossil.jozanofastora.xyz;
+ index index.html;
+ root /usr/local/www/fossiljoe;
+
+ # Bypass Fossil for the static documentation generated from
+ # our source code by Doxygen, so it merges into the embedded
+ # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
+ # these generated files actually be stored in the repo. This
+ # also lets us set aggressive caching on these docs, since
+ # they rarely change.
+ location /code/doc/html {
+ root /usr/local/www/fossiljoe;
+
+ location ~* \.(html|ico|css|js|gif|jpg|png)$ {
+ expires 7d;
+ add_header Vary Accept-Encoding;
+ access_log off;
+ }
+ }
+ # Redirect everything else to the Fossil instance
+ location /code {
+ include scgi_params;
+ scgi_param SCRIPT_NAME "/code";
+ scgi_pass 127.0.0.1:12345;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Ce/srvrtbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Cert/srvbot
+
+ }
+
+
+server{
+ if ($host = git.jozanofastora.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = www.gitjoe.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = gitjoe.xyz) { 
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name gitjoe.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+
+
+}
+
+server{
+ if ($host = www.jozanofastora.xyz) {
+ return 301 https://jozanofastora.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+
+server {
+ if ($host = fossil.jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name fossil.jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+}
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
new file mode 100644
index 0000000..1838656
--- /dev/null
+++ b/usr/local/etc/pf.conf
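Review bot: The `cgit.gitjoe.xyz` server block (the one ending in `uwsgi_pass unix:/var/run/uwsgi/cgit.sock`) has only `listen 80;` and, unlike the other three sites, neither a `listen 443 ssl` listener nor a port-80 redirect block, so the code browser is served in cleartext only. Giving it the same `listen 443 ssl;` / `ssl_certificate` / `ssl_certificate_key` / `include options-ssl-nginx.conf` lines as its siblings, with a certificate that actually covers that hostname, plus a port-80 `return 301 https://$host$request_uri;` block would bring it in line. Relatedly, every TLS block reuses `live/jozanofastora.xyz-0001/`, and whether that certificate lists `gitjoe.xyz` and `git.jozanofastora.xyz` as SANs is not visible here — worth confirming, because the 443 block serves `git.jozanofastora.xyz` directly whereas the port-80 block redirects it to `gitjoe.xyz`. Two Certbot markers in the fossil block read `# managed by Ce/srvrtbot` and `# managed by Cert/srvbot`, which looks like a stray `/srv` typed into those lines; harmless inside a comment, but restore them to `# managed by Certbot` so Certbot's own marker matching keeps working.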
@@ -0,0 +1,60 @@
+## Set public interface ##
+ext_if="vtnet0"
+
+## set and drop IP ranges on the public interface ##
+martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+ 0.0.0.0/8, 240.0.0.0/4 }"
+
+table persist
+table persist
+
+# Allowed webmail services
+table persist file "/usr/local/etc/pf.webmail.ip.conf"
+
+## Skip loop back interface - Skip all PF processing on interface ##
+set skip on lo
+
+## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
+set loginterface $ext_if
+
+# Deal with attacks based on incorrect handling of packet fragments
+scrub in all
+
+
+# Pass spamd allow list
+pass quick log on $ext_if inet proto tcp from to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# Pass webmail servers
+rdr pass quick log on $ext_if inet proto tcp from to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# pass submission messages.
+pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
+# Pass unknown mail to spamd
+rdr pass log on $ext_if inet proto tcp from {! } to $ext_if port smtp \
+ -> 127.0.0.1 port 8025
+
+## Blocking spoofed packets
+antispoof quick for $ext_if
+
+## Set default policy ##
+block return in log all
+block out all
+
+# Drop all Non-Routable Addresses
+block drop in quick on $ext_if from $martians to any
+block drop out quick on $ext_if from any to $martians
+
+pass in inet proto tcp to $ext_if port ssh
+
+# Allow Ping-Pong stuff. Be a good sysadmin
+pass inet proto icmp icmp-type echoreq
+
+# Open up imap/pop3 support
+pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
+
+
+# Allow outgoing traffic
+pass out on $ext_if proto tcp from any to any modulate state
+pass out on $ext_if proto udp from any to any keep state
+pass quick on $ext_if from any to any port http
-- cgit v1.2.3
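Review bot: With `block return in log all` as the inbound default, nothing in this ruleset passes inbound TCP 443 — the only inbound passes are `port ssh`, the smtp/submission rules, `{imap, imaps, pop3, pop3s}` and the final `port http` line — yet the nginx.conf in this same commit serves all four sites on `listen 443 ssl`, so the moment rc.conf's `pf_enable` is flipped from `"NO"` to `"YES"` every HTTPS site goes dark; the last rule should read `pass quick on $ext_if proto tcp from any to any port {http, https}`. IPv6 has the same gap: rc.conf enables `rtsold` and `ipv6_activate_all_interfaces`, but `block out all` and the inbound default combined with the IPv4-only `pass inet proto icmp icmp-type echoreq` leave no pass for `proto icmp6`, so router solicitation and neighbour discovery would be dropped once pf is on; add `pass quick inet6 proto icmp6 all` (or a tighter `icmp6-type` list). The `table persist` lines and the `from to $ext_if` / `from {! } to $ext_if` rules are missing their `<name>` tokens — most likely the angle-bracketed table names were stripped in rendering, but if the committed bytes really read this way pfctl will refuse to load the file, so that is worth checking. Finally, the imap/pop3 and smtp passes admit traffic for services rc.conf leaves disabled (`dovecot_enable`, `obspamd_enable`); harmless while nothing listens, but better added when those daemons are actually turned on.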