From 96d51c38abc47fc5ea5dee0949f5fc0323b31026 Mon Sep 17 00:00:00 2001
From: Charlie Root <root@jozanofastora.xyz>
Date: Wed, 27 Apr 2022 14:02:54 +0000
Subject: First commit

---
 usr/local/etc/nginx/nginx.conf | 192 +++++++++++++++++++++++++++++++++++++++++
 usr/local/etc/pf.conf          |  60 +++++++++++++
 2 files changed, 252 insertions(+)
 create mode 100644 usr/local/etc/nginx/nginx.conf
 create mode 100644 usr/local/etc/pf.conf


diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..2cfd861
--- /dev/null
+++ b/usr/local/etc/nginx/nginx.conf
@@ -0,0 +1,192 @@
+worker_processes  1;
+
+events {
+	worker_connections  1024;
+}
+
+http {
+	include			mime.types;
+	default_type		application/octet-stream;
+	sendfile		on;
+	keepalive_timeout	65;
+	gzip			on;
+	gzip_vary		on;
+	gzip_min_length		1024;
+	gzip_proxied		expired no-cache no-store private auth;
+
+	server{
+		server_name  jozanofastora.xyz;
+		root   /usr/local/www/jozan;
+		index  index.html;
+		location / {
+			try_files $uri $uri/ =404;
+		} 
+		location ~ /\.ht {
+			deny all;
+		}
+		error_page  403 /403.html;
+		location = /403.html {
+			root /usr/local/www/jozan/err;
+		}
+		error_page  404 /404.html;
+		location = /404.html {
+			root /usr/local/www/jozan/err;
+		}
+		error_page   500 502 503 504  /50x.html;
+		location = /50x.html {
+			root   /usr/local/www/nginx-dist;
+		}
+	
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+	server{
+		server_name  gitjoe.xyz git.jozanofastora.xyz;
+		root   /usr/local/www/gitjoe;
+		index  index.html;
+		location / {
+			try_files $uri $uri/ =404;
+		} 
+		location ~ /\.ht {
+			deny all;
+		}
+		error_page  403 /403.html;
+		location = /403.html {
+			root /usr/local/www/gitjoe/err;
+		}
+		error_page  404 /404.html;
+		location = /404.html {
+			root /usr/local/www/gitjoe/err;
+		}
+		error_page   500 502 503 504  /50x.html;
+		location = /50x.html {
+			root   /usr/local/www/nginx-dist;
+		}
+	
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+	server {
+		listen 80;
+		server_name cgit.gitjoe.xyz;
+		root /usr/local/www/cgit;
+
+		# Serve static files with nginx
+		location ~* ^.+(cgit.(css|png)|favicon.ico|robots.txt) {
+			root /usr/share/webapps/cgit;
+			expires 30d;
+		}
+		location / {
+			try_files $uri @cgit;
+		}
+		location @cgit {
+			gzip off;
+			include uwsgi_params;
+			uwsgi_modifier1 9;
+			uwsgi_pass unix:/var/run/uwsgi/cgit.sock;
+		}
+	} 
+
+	server {
+		server_name fossil.jozanofastora.xyz;
+		index  index.html;
+		root /usr/local/www/fossiljoe;
+
+		# Bypass Fossil for the static documentation generated from
+		# our source code by Doxygen, so it merges into the embedded
+		# doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
+		# these generated files actually be stored in the repo.  This
+		# also lets us set aggressive caching on these docs, since
+		# they rarely change.
+		location /code/doc/html {
+			root /usr/local/www/fossiljoe;
+
+			location ~* \.(html|ico|css|js|gif|jpg|png)$ {
+				expires 7d;
+				add_header Vary Accept-Encoding;
+				access_log off;
+			}
+		}
+		# Redirect everything else to the Fossil instance
+		location /code {
+			include scgi_params;
+			scgi_param SCRIPT_NAME "/code";
+			scgi_pass 127.0.0.1:12345;
+		}
+	
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Ce/srvrtbot
+    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Cert/srvbot
+
+	}
+
+
+server{
+	if ($host = git.jozanofastora.xyz) {
+		return 301 https://gitjoe.xyz$request_uri;
+	} # managed by Certbot
+
+	if ($host = www.gitjoe.xyz) {
+		return 301 https://gitjoe.xyz$request_uri;
+	} # managed by Certbot
+
+	if ($host = gitjoe.xyz) {
+		return 301 https://$host$request_uri;
+	} # managed by Certbot
+
+
+	server_name  gitjoe.xyz;
+	listen 80;
+	return 404; # managed by Certbot
+
+
+
+
+}
+
+server{
+	if ($host = www.jozanofastora.xyz) {
+		return 301 https://jozanofastora.xyz$request_uri;
+	} # managed by Certbot
+
+	if ($host = jozanofastora.xyz) {
+		return 301 https://$host$request_uri;
+	} # managed by Certbot
+
+
+	server_name  jozanofastora.xyz;
+	listen 80;
+	return 404; # managed by Certbot
+
+
+}
+
+server {
+	if ($host = fossil.jozanofastora.xyz) {
+		return 301 https://$host$request_uri;
+	} # managed by Certbot
+
+
+	server_name fossil.jozanofastora.xyz;
+	listen 80;
+	return 404; # managed by Certbot
+
+
+}
+}
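Review bot: The cgit vhost at lines 102–121 is served on plain `listen 80;` only, and none of the Certbot redirect servers at lines 160–211 covers `cgit.gitjoe.xyz`, so repository browsing there goes over cleartext while every other vhost in this file is TLS-only. It needs its own `listen 443 ssl;` plus the certificate directives and an HTTP-to-HTTPS redirect like its siblings, and since all three TLS vhosts point at the same `jozanofastora.xyz-0001` lineage (lines 62, 94, 152), that only works if the certificate's SANs actually include `gitjoe.xyz` and `fossil.jozanofastora.xyz` — worth confirming. The markers at lines 154–155 read `# managed by Ce/srvrtbot` and `# managed by Cert/srvbot`, which look like a stray paste into the Certbot comments; restore them to `# managed by Certbot` so they stay consistent with the other blocks. The `location ~ /\.ht { deny all; }` guards only hide `.htaccess`-style files; `location ~ /\. { deny all; }` would also keep other dotfiles under the document roots (for example a checked-out `.git`) from being served.
```nginx
	server {
		listen 443 ssl; # managed by Certbot
		server_name cgit.gitjoe.xyz;
		root /usr/local/www/cgit;
		# same lineage as the other vhosts; confirm its SANs cover cgit.gitjoe.xyz
		ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
		ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
		# … unchanged: static-file location, / try_files, @cgit uwsgi location …
	}

	server {
		listen 80;
		server_name cgit.gitjoe.xyz;
		return 301 https://$host$request_uri;
	}
```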
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
new file mode 100644
index 0000000..1838656
--- /dev/null
+++ b/usr/local/etc/pf.conf
@@ -0,0 +1,60 @@
+## Set public interface ##
+ext_if="vtnet0"
+
+## set and drop IP ranges on the public interface ##
+martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+	    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+	    0.0.0.0/8, 240.0.0.0/4 }"
+
+table <spamd> persist
+table <spamd-allow> persist
+
+# Allowed webmail services
+table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
+
+## Skip loop back interface - Skip all PF processing on interface ##
+set skip on lo
+
+## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
+set loginterface $ext_if
+
+# Deal with attacks based on incorrect handling of packet fragments 
+scrub in all
+
+
+# Pass spamd allow list
+pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
+	-> 127.0.0.1 port 25
+# Pass webmail servers
+rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
+	-> 127.0.0.1 port 25
+# pass submission messages.
+pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
+# Pass unknown mail to spamd
+rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
+	    -> 127.0.0.1 port 8025 
+
+## Blocking spoofed packets
+antispoof quick for $ext_if
+
+## Set default policy ##
+block return in log all
+block out all
+
+# Drop all Non-Routable Addresses 
+block drop in quick on $ext_if from $martians to any
+block drop out quick on $ext_if from any to $martians
+
+pass in inet proto tcp to $ext_if port ssh
+
+# Allow Ping-Pong stuff. Be a good sysadmin 
+pass inet proto icmp icmp-type echoreq
+
+# Open up imap/pop3 support
+pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
+
+
+# Allow outgoing traffic
+pass out on $ext_if proto tcp from any to any modulate state
+pass out on $ext_if proto udp from any to any keep state
+pass quick on $ext_if from any to any port http
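Review bot: Nothing in this ruleset passes inbound TCP 443 on `$ext_if`, yet the nginx.conf added by the same commit serves all of its vhosts on `listen 443 ssl`; after `block return in log all` at line 259 only ssh, icmp, imap/pop3 and `port http` (line 278) are let back in, and line 278 names a port without a `proto`, which pfctl rejects as far as I can tell. Lines 244–245 are a `pass` rule carrying a `-> 127.0.0.1 port 25` redirect target, which the rdr-style syntax this file uses accepts only on `rdr`/`nat`, and in that syntax translation rules must precede filter rules, so the `rdr pass` rules at lines 247 and 252 following the `pass` rules at 244 and 250 should also fail to load. Line 247 references `<gmail>`, but the only table declared for that purpose is `<webmail>` at line 231, so even once the rule loads it redirects nothing. Because these rdr rules are the spamd front door for port 25, a parse failure leaves whatever ruleset was previously active, so the file should be checked with `pfctl -nf` before being enabled. The rewrite below moves the translation rules ahead of the filter rules, fixes the table name, and adds an explicit inbound pass for http and https.
```pf
# Translation rules must precede filter rules in this pf syntax
rdr pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
	-> 127.0.0.1 port 25
rdr pass quick log on $ext_if inet proto tcp from <webmail> to $ext_if port smtp \
	-> 127.0.0.1 port 25
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
	    -> 127.0.0.1 port 8025
# pass submission messages.
pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
# … unchanged: antispoof, default block, martians, ssh, icmp, imap/pop3, outbound …
pass in quick on $ext_if inet proto tcp from any to $ext_if port { http, https } modulate state
```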
-- 
cgit v1.2.3