diff --git a/docs/dmzrs/README.md b/docs/dmzrs/README.md
new file mode 100644
index 0000000..d2943af
--- /dev/null
+++ b/docs/dmzrs/README.md
@@ -0,0 +1,26 @@
+Add this configuration to ~/.ssh/config file
+
+Host dmzkrovdmzrs12
+ Hostname veyxphzuqnooc7wb7utfza3joaoopgqgwp6l6d4en5yfmyr7kxvminqd.onion
+ User root
+ IdentityFile ~/.ssh/id_rsa
+ PasswordAuthentication no
+
+Now you can log in by typing:
+torsocks ssh dmzkrovdmzrs12
+
+Install all needed packages
+apt install rsync git nginx
+git clone https://gitea.dmz.rs/Decentrala/website
+
+Run updatewebsite.sh script every minute using crontab (run "crontab -e")
+This fill automaticlly pull from git repo and regenerate events page
+
+Add nginx-dmz.rs.conf to /etc/nginx/sites-available/dmz.rs and create a symlink
+from /etc/nginx/sites-enabled/dmz.rs to that file
+You can do this by running:
+ln -s /etc/nginx/sites-available/dmz.rs /etc/nginx/sites-enabled/dmz.rs
+
+Increase server_names_hash_bucket_size to 256 in /etc/nginx/nginx.conf in order to support onion addresses.
+
+In the nginx configuration /account/ is redirected to luser (https://gitea.dmz.rs/fram3d/luser) instance running at 192.168.1.211
diff --git a/docs/dmzrs/nginx-dmz.rs.conf b/docs/dmzrs/nginx-dmz.rs.conf
new file mode 100644
index 0000000..55b6fac
--- /dev/null
+++ b/docs/dmzrs/nginx-dmz.rs.conf
@@ -0,0 +1,45 @@
+server {
+ listen 80 ;
+ listen [::]:80 ;
+
+ server_name dmz.rs decentrala.org www.dmz.rs www.decentrala.org krov.dmz.rs krov.decentrala.org 64l3awuotocv6ynibul6malho6wdorggjrz6fiyuselniifhdv2kv6qd.onion;
+
+ autoindex off;
+ default_type "text/html";
+
+ index index.html index.htm index.nginx-debian.html;
+
+ error_page 404 /404.html;
+
+ root /var/www/dmzrs;
+
+ # If page doesn't exist try appending .html to the end
+ location / {
+ try_files $uri $uri.html;
+ }
+
+ # Don't append .html if url is just / , since there is no file named /.html
+ location = / {
+ }
+
+ # If url ends with .html don't reddirect
+ location ~* \.html$ {
+ }
+
+ # If url is /en/ set english index file
+ location = /en/ {
+ try_files $uri $uri/index.html;
+ }
+
+ location /account/ {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://192.168.1.211$request_uri;
+ }
+
+ location = /account {
+ try_files $uri $uri.html;
+ }
+
+}
diff --git a/docs/dmzrs/updatewebsite.sh b/docs/dmzrs/updatewebsite.sh
new file mode 100755
index 0000000..4517f0a
--- /dev/null
+++ b/docs/dmzrs/updatewebsite.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cd /root/website
+/usr/bin/git restore .
+/usr/bin/git pull
+/usr/bin/python3 prep.py
+/usr/bin/python3 build_pages.py
+/usr/bin/rsync -a --delete /root/website/site/* /var/www/dmzrs/
diff --git a/docs/ejabberd/README.md b/docs/ejabberd/README.md
new file mode 100644
index 0000000..288cc6b
--- /dev/null
+++ b/docs/ejabberd/README.md
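Review bot: The `/account/` block hands the request to `proxy_pass http://192.168.1.211$request_uri;` with only `Host` and `X-Real-IP` set, and this server block listens on port 80 alone, so luser receives registration and login traffic over plain HTTP and cannot tell whether the client side was protected; unless TLS is terminated in front of this host (not visible here), an HTTPS listener belongs in this file. Whatever the answer, add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the two existing headers so the upstream's logs and any secure-cookie or redirect logic see the real origin and scheme. A one-line comment above the block stating where TLS is terminated would save the next operator the same question.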
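Review bot: Nothing stops the script on failure, so when `git pull` or either Python step fails the closing `rsync -a --delete` still runs and publishes whatever partial state is in `/root/website/site`, removing pages the failed build did not regenerate; add `set -euo pipefail` after the shebang and change the second line to `cd /root/website || exit 1`. Because cron runs this as root every minute and executes `prep.py` and `build_pages.py` straight from the freshly pulled checkout, anyone with push access to the website repository effectively gets root on this host; running the pull and build under a dedicated unprivileged user and letting only the rsync step write to `/var/www/dmzrs` would contain that. The `git restore .` before the pull also discards any local edits without notice, which deserves a short comment, e.g. `# drop local changes so the pull cannot conflict`.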
@@ -0,0 +1,33 @@
+#On your PC
+Add this configuration to ~/.ssh/config
+
+Host dmzkrovejabberd12
+ Hostname zd4bzozu3uapjpqftoux66l22kfyju7bkxnooefqia3lp7hplg3ayiid.onion
+ User root
+ IdentityFile ~/.ssh/id_rsa
+ PasswordAuthentication no
+
+Now you can log in by typing:
+torsocks ssh dmzkrovejabberd12
+
+#On the server:
+Add to /etc/hosts file
+192.168.1.209 sql.krov.dmz.rs
+192.168.1.205 ldap.krov.dmz.rs
+
+Copy cert directory from dmzkrovsshfs12:/var/shareddirs/nginx12ejabberd12/xmpp.krov.dmz.rs to /etc/ssl/certs/
+
+set permissions (set gid bit) for /etc/ssl/certs directory
+You can do this by typing:
+chown 2770 /etc/ssl/certs
+
+Add to crontab with ("crontab -e") commands to copy with scp certificates the domain from dmzkrovsshfs12
+0 1 * * * /usr/bin/scp -r dmzkrovsshfs12:/var/shareddirs/nginx12ejabberd12/xmpp.krov.dmz.rs /etc/ssl/certs/
+1 1 * * * /usr/bin/chmod 600 /etc/ssl/certs/xmpp.krov.dmz.rs/privkey.pem
+2 1 * * * /usr/sbin/ejabberdctl restart
+
+Generate dhparm keys with:
+openssl dhparam -out /etc/ejabberd/dhparams.pem 2048
+
+Copy ejabberd.yml to /etc/ejabberd/
+ejabberdctl restart
diff --git a/docs/ejabberd/ejabberd.yml b/docs/ejabberd/ejabberd.yml
new file mode 100644
index 0000000..aeeb9d4
--- /dev/null
+++ b/docs/ejabberd/ejabberd.yml
@@ -0,0 +1,339 @@
+###
+### ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+### https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### ******* !!! WARNING !!! *******
+### ******* YAML IS INDENTATION SENSITIVE *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+###
+
+
+# loglevel: Verbosity of log files generated by ejabberd
+loglevel: info
+
+# rotation: Disable ejabberd's internal log rotation, as the Debian package
+# uses logrotate(8).
+log_rotate_count: 0
+
+# hosts: Domains served by ejabberd.
+# You can define one or several, for example:
+# hosts:
+# - "example.net"
+# - "example.com"
+# - "example.org"
+
+hosts:
+ - "dmz.rs"
+
+certfiles:
+# - "/etc/ejabberd/ejabberd.pem"
+# - /etc/letsencrypt/live/localhost/fullchain.pem
+# - /etc/letsencrypt/live/localhost/privkey.pem
+ - /etc/ssl/certs/xmpp.krov.dmz.rs/fullchain.pem
+ - /etc/ssl/certs/xmpp.krov.dmz.rs/privkey.pem
+
+# TLS configuration
+define_macro:
+ 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+ 'TLS_OPTIONS':
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "no_tlsv1_1"
+ - "cipher_server_preference"
+ - "no_compression"
+ 'DH_FILE': "/etc/ejabberd/dhparams.pem"
+ # generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+c2s_dhfile: 'DH_FILE'
+s2s_dhfile: 'DH_FILE'
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: true
+ protocol_options: 'TLS_OPTIONS'
+ -
+ port: 5223
+ ip: "::"
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ tls: true
+ protocol_options: 'TLS_OPTIONS'
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+ -
+ port: 5443
+ ip: "::"
+ module: ejabberd_http
+ tls: true
+ protocol_options: 'TLS_OPTIONS'
+ request_handlers:
+ /api: mod_http_api
+ /bosh: mod_bosh
+ /captcha: ejabberd_captcha
+ /upload: mod_http_upload
+ /register: mod_register_web
+ /ws: ejabberd_http_ws
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ tls: true
+ protocol_options: 'TLS_OPTIONS'
+ request_handlers:
+ /admin: ejabberd_web_admin
+ /.well-known/acme-challenge: ejabberd_acme
+ -
+ port: 3478
+ ip: "::"
+ transport: udp
+ module: ejabberd_stun
+ use_turn: true
+ ## The server's public IPv4 address:
+ # turn_ipv4_address: "203.0.113.3"
+ ## The server's public IPv6 address:
+ # turn_ipv6_address: "2001:db8::3"
+ -
+ port: 1883
+ ip: "::"
+ module: mod_mqtt
+ backlog: 1000
+
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+ - "digest-md5"
+ - "X-OAUTH2"
+
+s2s_use_starttls: required
+
+## Store the plain passwords or hashed for SCRAM:
+#auth_password_format: scram
+
+## Full path to a script that generates the image.
+captcha_cmd: "/usr/share/ejabberd/captcha.sh"
+
+default_db: sql
+
+sql_type: pgsql
+sql_server: sql.krov.dmz.rs
+sql_port: 5432
+sql_database: ejabberddb
+sql_username: ejabberd12
+sql_password: "sqlpassword"
+sql_pool_size: 5
+
+auth_method: ldap
+
+# LDAP
+ldap_servers:
+ - ldap.krov.dmz.rs
+ldap_port: 636
+ldap_encrypt: tls
+ldap_tls_verify: true
+ldap_rootdn: "uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs"
+ldap_password: "ldappassword"
+ldap_base: "ou=Users,dc=dmz,dc=rs"
+
+acl:
+ admin:
+ user:
+ - ""
+
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+
+access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: local
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: local
+ allow: all
+
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ oauth:
+ scope: "ejabberd:admin"
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ ip: 127.0.0.1/8
+ what:
+ - status
+ - connected_users_number
+
+shaper:
+ normal:
+ rate: 3000
+ burst_size: 20000
+ fast: 200000
+
+shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_bosh: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ ## mod_delegation: {} # for xep0356
+ mod_disco:
+ server_info:
+ -
+ modules: all
+ name: "abuse-addresses"
+ urls: ["mailto:abusecontact@yourserver.com"]
+ mod_fail2ban: {}
+ mod_http_api: {}
+ mod_http_upload:
+ put_url: https://@HOST@:5443/upload
+ custom_headers:
+ "Access-Control-Allow-Origin": "https://@HOST@"
+ "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+ "Access-Control-Allow-Headers": "Content-Type"
+ mod_last: {}
+ mod_mam:
+ ## Mnesia is limited to 2GB, better to use an SQL backend
+ ## For small servers SQLite is a good fit and is very easy
+ ## to configure. Uncomment this when you have SQL configured:
+ db_type: sql
+ assume_mam_usage: true
+ default: always
+ mod_mqtt: {}
+ mod_muc:
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ #access_create: muc_create
+ access_create: all
+ #access_persistent: muc_create
+ access_persistent: all
+ access_mam:
+ - allow
+ default_room_options:
+ mam: true
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping:
+ send_pings: true
+ ping_interval: 4 min
+ timeout_action: kill
+ mod_pres_counter:
+ count: 5
+ interval: 60
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ "eu.siacs.conversations.axolotl.*":
+ access_model: open
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ## Only accept registration requests from the "trusted"
+ ## network (see access_rules section above).
+ ## Think twice before enabling registration from any
+ ## address. See the Jabber SPAM Manifesto for details:
+ ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ redirect_url: "https://dmz.rs/account/register/"
+ #captcha_protected: true
+ #ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_shared_roster: {}
+ mod_sic: {}
+ mod_stream_mgmt:
+ #resend_on_timeout: if_offline
+ resend_on_timeout: true
+ #resume_timeout: 5 min
+ mod_stun_disco: {}
+ mod_vcard:
+ search: false
+ mod_vcard_xupdate: {}
+ mod_version: {}
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
diff --git a/hosts/krov/opensmtpd12/etc/crontab b/hosts/krov/opensmtpd12/etc/crontab
deleted file mode 100644
index e69de29..0000000
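Review bot: `sql_password: "sqlpassword"` and `ldap_password: "ldappassword"` are committed as literal values in a file the README says to copy straight to `/etc/ejabberd/`; if these are the live credentials they are now in git history and should be rotated, and if they are placeholders the file should make that unmistakable, e.g. `sql_password: "<SQL_PASSWORD - set on the host, never commit>"` and the same for the LDAP bind password. The `admin` acl contains only the empty string `""`, so no account actually matches it even though the web admin on port 5280 and the `admin access` API rule are keyed on that acl; either list a real JID or note that admin access is intentionally loopback-only. `mod_muc` sets `access_create: all` and `access_persistent: all` while the `muc_create` rule prepared for it (`allow: local`) is left commented out, which as far as ejabberd's `all` acl goes also lets users of federated servers create persistent rooms here; `access_create: muc_create` and `access_persistent: muc_create` restore the intended restriction. Separately, `hosts` serves `dmz.rs` but `certfiles` point at `xmpp.krov.dmz.rs`; whether that certificate also covers `dmz.rs` cannot be seen from this file and is worth a comment once confirmed.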