new structure

This kicks off the basic tree structure, where the docs all mirror the
reality, like an ascii penumbra.

kralizec/README.md

@@ -0,0 +1,27 @@
+# List of containers
+
+VMID Name  
+101  tor11  
+102  xmppmirror11  
+104  http11  
+105  postgresql11  
+106  ejabberd11  
+108  nginx  
+109  flaskldap11  
+111  dynamicdns11  
+112  sshfs11  
+113  postfix11  
+114  ssh11  
+115  cgit11  
+116  radionice11  
+117  gitea11  
+118  dmzrsflask11  
+119  elinearch  
+120  wiki11  
+121  krovhttp11  
+122  dmzrs12  
+123  roundcube12  
+124  donationcalc12  
+125  webring12  
+126  cryptpad-deb-12  
+127  openldap12  

kralizec/dmzrs/README.md

@@ -0,0 +1,26 @@
+Add this configuration to ~/.ssh/config file
+
+Host dmzkrovdmzrs12
+  Hostname veyxphzuqnooc7wb7utfza3joaoopgqgwp6l6d4en5yfmyr7kxvminqd.onion
+  User root 
+  IdentityFile ~/.ssh/id_rsa
+  PasswordAuthentication no
+
+Now you can log in by typing:
+torsocks ssh dmzkrovdmzrs12
+
+Install all needed packages
+apt install rsync git nginx
+git clone https://gitea.dmz.rs/Decentrala/website
+
+Run updatewebsite.sh script every minute using crontab (run "crontab -e")
+This fill automaticlly pull from git repo and regenerate events page
+
+Add nginx-dmz.rs.conf to /etc/nginx/sites-available/dmz.rs and create a symlink
+from /etc/nginx/sites-enabled/dmz.rs to that file
+You can do this by running:
+ln -s /etc/nginx/sites-available/dmz.rs /etc/nginx/sites-enabled/dmz.rs
+
+Increase server_names_hash_bucket_size to 256 in /etc/nginx/nginx.conf in order to support onion addresses.
+
+In the nginx configuration /account/ is redirected to luser (https://gitea.dmz.rs/fram3d/luser) instance running at 192.168.1.211

kralizec/dmzrs/nginx-dmz.rs.conf

@@ -0,0 +1,45 @@
+server {
+	listen 80 ;
+	listen [::]:80 ;
+
+	server_name dmz.rs decentrala.org www.dmz.rs www.decentrala.org krov.dmz.rs krov.decentrala.org 64l3awuotocv6ynibul6malho6wdorggjrz6fiyuselniifhdv2kv6qd.onion;
+
+	autoindex off;
+	default_type "text/html";
+
+	index index.html index.htm index.nginx-debian.html;
+
+	error_page 404 /404.html;
+
+	root /var/www/dmzrs;
+
+	# If page doesn't exist try appending .html to the end
+	location / {
+		try_files  $uri $uri.html;
+	}
+
+	# Don't append .html if url is just / , since there is no file named /.html
+	location = / {
+	}
+
+	# If url ends with .html don't reddirect
+	location ~* \.html$ {
+	}
+
+	# If url is /en/ set english index file
+	location = /en/ {
+		try_files  $uri $uri/index.html;
+	}
+
+	location /account/ {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+
+		proxy_pass http://192.168.1.211$request_uri;
+	}
+
+	location = /account {
+		try_files  $uri $uri.html;
+	}
+
+}

kralizec/dmzrs/updatewebsite.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+cd /root/website
+/usr/bin/git restore .
+/usr/bin/git pull
+/usr/bin/python3 prep.py
+/usr/bin/python3 build_pages.py
+/usr/bin/rsync -a --delete /root/website/site/* /var/www/dmzrs/

kralizec/dmzrsaccount/README.md

@@ -0,0 +1,13 @@
+install luser.deb
+change /var/luser/luser/config.ini
+
+add ldap.krov.dmz.rs to /etc/hosts with the IP address op slapd vm by adding a line like "192.168.1.205 ldap.krov.dmz.rs"
+
+config.ini should contain following:
+
+LDAPHOST = ldap.krov.dmz.rs
+LDAPADMINNAME = cn=admin,dc=dmz,dc=rs
+LDAPPASS = <admin password set during installation of slapd program and dpkg-reconfigure on slapd vm>
+USERBASE = ou=Users,dc=dmz,dc=rs
+
+run prepare.py

kralizec/dmzrsaccount/listuserskralizec.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+import ldap3
+
+LDAPADMINNAME='uid=krovslapd,ou=xmpp,dc=dmz,dc=rs'
+LDAPPASS='<krovslapd password>'
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+
+ldapserver=ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'ou=xmpp,dc=dmz,dc=rs',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/listuserskrov.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/prepare.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = "/var/luser/luser/config.ini"
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME, LDAPPASS, auto_bind=True)
+rcode1=ldapconnection.add(f'{USERBASE}', ['dcObject', 'organization'], {'o' : "dmz", 'dc' : "dmz"})
+rcode2=ldapconnection.add(USERBASE, ['top', 'organizationalUnit'], {'ou' : "Users"})
+print(str(rcode1))
+print(str(rcode2))

kralizec/dmzrsaccount/testanon.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME=''
+LDAPPASS=""
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/testuser.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME="uid=korisnik,ou=Users,dc=dmz,dc=rs"
+LDAPPASS="<password of korisnik>"
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/ejabberd/README.md

@@ -0,0 +1,33 @@
+#On your PC
+Add this configuration to ~/.ssh/config
+
+Host dmzkrovejabberd12
+  Hostname zd4bzozu3uapjpqftoux66l22kfyju7bkxnooefqia3lp7hplg3ayiid.onion
+  User root
+  IdentityFile ~/.ssh/id_rsa
+  PasswordAuthentication no
+
+Now you can log in by typing:
+torsocks ssh dmzkrovejabberd12
+
+#On the server:
+Add to /etc/hosts file
+192.168.1.209 sql.krov.dmz.rs 
+192.168.1.205 ldap.krov.dmz.rs 
+
+Copy cert directory from dmzkrovsshfs12:/var/shareddirs/nginx12ejabberd12/xmpp.krov.dmz.rs to /etc/ssl/certs/ 
+
+set permissions (set gid bit) for /etc/ssl/certs directory
+You can do this by typing:
+chown 2770 /etc/ssl/certs
+
+Add to crontab with ("crontab -e") commands to copy with scp certificates the domain from dmzkrovsshfs12
+0 1 * * * /usr/bin/scp -r dmzkrovsshfs12:/var/shareddirs/nginx12ejabberd12/xmpp.krov.dmz.rs /etc/ssl/certs/
+1 1 * * * /usr/bin/chmod 600 /etc/ssl/certs/xmpp.krov.dmz.rs/privkey.pem
+2 1 * * * /usr/sbin/ejabberdctl restart
+
+Generate dhparm keys with:
+openssl dhparam -out /etc/ejabberd/dhparams.pem 2048
+
+Copy ejabberd.yml to /etc/ejabberd/
+ejabberdctl restart

kralizec/ejabberd/ejabberd.yml

@@ -0,0 +1,339 @@
+###
+###              ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+###       https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### *******           !!! WARNING !!!               *******
+### *******     YAML IS INDENTATION SENSITIVE       *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+###
+
+
+# loglevel: Verbosity of log files generated by ejabberd
+loglevel: info
+
+# rotation: Disable ejabberd's internal log rotation, as the Debian package
+# uses logrotate(8).
+log_rotate_count: 0
+
+# hosts: Domains served by ejabberd.
+# You can define one or several, for example:
+# hosts:
+#   - "example.net"
+#   - "example.com"
+#   - "example.org"
+
+hosts:
+  - "dmz.rs"
+
+certfiles:
+#  - "/etc/ejabberd/ejabberd.pem"
+#  - /etc/letsencrypt/live/localhost/fullchain.pem
+#  - /etc/letsencrypt/live/localhost/privkey.pem
+  - /etc/ssl/certs/xmpp.krov.dmz.rs/fullchain.pem
+  - /etc/ssl/certs/xmpp.krov.dmz.rs/privkey.pem
+
+# TLS configuration
+define_macro:
+  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+  'TLS_OPTIONS':
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_1"
+    - "cipher_server_preference"
+    - "no_compression"
+  'DH_FILE': "/etc/ejabberd/dhparams.pem"
+    # generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+c2s_dhfile: 'DH_FILE'
+s2s_dhfile: 'DH_FILE'
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+    protocol_options: 'TLS_OPTIONS'
+  -
+    port: 5223
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      /api: mod_http_api
+      /bosh: mod_bosh
+      /captcha: ejabberd_captcha
+      /upload: mod_http_upload
+      /register: mod_register_web
+      /ws: ejabberd_http_ws
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      /admin: ejabberd_web_admin
+      /.well-known/acme-challenge: ejabberd_acme
+  -
+    port: 3478
+    ip: "::"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    ## The server's public IPv4 address:
+    # turn_ipv4_address: "203.0.113.3"
+    ## The server's public IPv6 address:
+    # turn_ipv6_address: "2001:db8::3"
+  -
+    port: 1883
+    ip: "::"
+    module: mod_mqtt
+    backlog: 1000
+
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+  - "digest-md5"
+  - "X-OAUTH2"
+
+s2s_use_starttls: required
+
+## Store the plain passwords or hashed for SCRAM:
+#auth_password_format: scram
+
+## Full path to a script that generates the image.
+captcha_cmd: "/usr/share/ejabberd/captcha.sh"
+ 
+default_db: sql
+
+sql_type: pgsql
+sql_server: sql.krov.dmz.rs
+sql_port: 5432
+sql_database: ejabberddb
+sql_username: ejabberd12
+sql_password: "sqlpassword"
+sql_pool_size: 5
+
+auth_method: ldap
+
+# LDAP
+ldap_servers:
+  - ldap.krov.dmz.rs
+ldap_port: 636
+ldap_encrypt: tls
+ldap_tls_verify: true
+ldap_rootdn: "uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs"
+ldap_password: "ldappassword"
+ldap_base: "ou=Users,dc=dmz,dc=rs"
+
+acl:
+  admin:
+     user:
+       - ""
+
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: local
+    allow: all
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 200000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  ## mod_delegation: {}   # for xep0356
+  mod_disco:
+    server_info:
+    -
+      modules: all
+      name: "abuse-addresses"
+      urls: ["mailto:abusecontact@yourserver.com"]
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    put_url: https://@HOST@:5443/upload
+    custom_headers:
+      "Access-Control-Allow-Origin": "https://@HOST@"
+      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+      "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  mod_mam:
+    ## Mnesia is limited to 2GB, better to use an SQL backend
+    ## For small servers SQLite is a good fit and is very easy
+    ## to configure. Uncomment this when you have SQL configured:
+    db_type: sql
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    #access_create: muc_create
+    access_create: all
+    #access_persistent: muc_create
+    access_persistent: all
+    access_mam:
+      - allow
+    default_room_options:
+      mam: true
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping:
+    send_pings: true
+    ping_interval: 4 min
+    timeout_action: kill
+  mod_pres_counter:
+    count: 5
+    interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      "eu.siacs.conversations.axolotl.*":
+        access_model: open
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ## Only accept registration requests from the "trusted"
+    ## network (see access_rules section above).
+    ## Think twice before enabling registration from any
+    ## address. See the Jabber SPAM Manifesto for details:
+    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+    redirect_url: "https://dmz.rs/account/register/"
+    #captcha_protected: true
+    #ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_sic: {}
+  mod_stream_mgmt:
+    #resend_on_timeout: if_offline
+    resend_on_timeout: true
+    #resume_timeout: 5 min
+  mod_stun_disco: {}
+  mod_vcard:
+    search: false
+  mod_vcard_xupdate: {}
+  mod_version: {}
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8

kralizec/slapd/.gitignore

@@ -0,0 +1,2 @@
+acladd.ldif
+*gpg

kralizec/slapd/README.md

@@ -0,0 +1,18 @@
+Create ldap users at dmz.rs/account for users in the servicesaccounts.txt
+these accounts should be listed in /root/ldifs/addacl.ldif
+to generate addacl.ldif run generateacl.sh
+
+add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs
+
+# Generate password for admin user on this server only and add it when asked during installation
+apt install slapd
+
+# For domain set dmz.rs for Organization set Users for admin password use previously generated password
+dpkg-reconfigure slapd
+
+# change /etc/default/slapd to replace ldap:// with ldaps:// under SLAPD_SERVICES
+service slapd restart
+./setup.sh
+
+dmzrsaccount vm should run prepare.py 
+ldapsync vm should run sync.py

kralizec/slapd/acladd-template.ldif

@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write READUSERS by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self READUSERS by anonymous none
+

kralizec/slapd/generateacl.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+READUSERS=""
+for i in $(cat servicesaccounts.txt); do READUSERS="$READUSERS by dn=\"$i\" read" ; done
+
+sed 's/READUSERS/'"$READUSERS"'/g' acladd-template.ldif > acladd.ldif
+

kralizec/slapd/generatecreds.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+function genpass(){
+echo $(shuf ../../scripts/shared/english.txt | head) | sed "s/ //g"
+}
+
+for i in $(cat servicesaccounts.txt) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; genpass) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output creds/$(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+

kralizec/slapd/servicesaccounts.txt

@@ -0,0 +1,9 @@
+uid=readonlykrov,ou=Users,dc=dmz,dc=rs
+uid=wikildapkrov,ou=Users,dc=dmz,dc=rs
+uid=forumldapkrov,ou=Users,dc=dmz,dc=rs
+uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs
+uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs
+uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs
+uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs
+uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs
+uid=kralizecslapd,ou=Users,dc=dmz,dc=rs