cloud-init/erpnext.yml

@@ -1,108 +0,0 @@
-#cloud-config
-
-ssh_genkeytypes: [ecdsa, ed25519]
-
-# upgrade system
-package_update: true
-package_upgrade: true
-
-# various dependencies
-packages:
-  - ca-certificates
-  - curl
-  - gnupg
-  - lsb-release
-  - fail2ban
-  - nginx
-  - certbot
-  - python3-certbot-nginx
-  - iptables-persistent
-  - unattended-upgrades
-  - apt-listchanges
-  - vim
-  - libffi-dev
-  - python3-pip
-  - python3-dev
-  - python3-testresources
-  - libssl-dev
-  - wkhtmltopdf
-  - curl
-  - git
-  - python3.10-venv
-  - supervisor
-
-write_files:
-  - path: /etc/iptables/rules.v4
-    permissions: 0644
-    owner: root:root
-    content: |
-      *filter
-      :INPUT DROP [0:0]
-      :FORWARD DROP [0:0]
-      :OUTPUT ACCEPT [0:0]
-      -A INPUT -i lo -j ACCEPT
-      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-      -A INPUT -m conntrack --ctstate INVALID -j DROP
-      -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-      -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-      -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-      -A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-      -A OUTPUT -o lo -j ACCEPT
-      -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-      -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-      -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-      -A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-      -A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-      -A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-      COMMIT
-  - path: /etc/systemd/journald.conf.d/size.conf
-    permissions: 0644
-    owner: root:root
-    content: |
-      [Journal]
-      SystemMaxUse=250M
-      SystemMaxFileSize=50M
-  - path: /etc/fstab
-    append: true
-    content: |
-      /swapfile swap swap defaults 0 0
-  - path: /etc/apt/apt.conf.d/20auto-upgrades
-    permissions: 0644
-    owner: root:root
-    content: |
-      APT::Periodic::Update-Package-Lists "1";
-      APT::Periodic::Unattended-Upgrade "1";
-      APT::Periodic::AutocleanInterval "7";
-
-runcmd:
-  - 'iptables-restore < /etc/iptables/rules.v4'
-
-  - [systemctl, enable, --now, fail2ban]
-
-  - 'fallocate -l 2G /swapfile'
-  - 'chmod 600 /swapfile'
-  - 'mkswap /swapfile'
-  - 'swapon /swapfile'
-
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
-  - [systemctl, restart, ssh]
-
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
-
-  - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
-  - [sysctl, -p]
-
-  - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
-
-  - [timedatectl, set-timezone, Europe/Rome]
-
-  - 'curl --silent --location https://deb.nodesource.com/setup_14.x | sudo bash -'
-  - 'curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null'
-  - 'echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list'
-  - 'apt-get update && apt-get install yarn'
-  - 'apt -y install gcc g++ make nodejs redis-server'
-
-  - 'apt -y install nginx mariadb-server'

cloud-init/matrix-synapse.yml

@@ -17,8 +17,6 @@ packages:
   - certbot
   - python3-certbot-nginx
   - iptables-persistent
-  - unattended-upgrades
-  - apt-listchanges
 
 write_files:
   - path: /etc/iptables/rules.v4
@@ -50,13 +48,6 @@ write_files:
     append: true
     content: |
       /swapfile swap swap defaults 0 0
-  - path: /etc/apt/apt.conf.d/20auto-upgrades
-    permissions: 0644
-    owner: root:root
-    content: |
-      APT::Periodic::Update-Package-Lists "1";
-      APT::Periodic::Unattended-Upgrade "1";
-      APT::Periodic::AutocleanInterval "7";
 
 runcmd:
   - 'iptables-restore < /etc/iptables/rules.v4'
@@ -79,6 +70,4 @@ runcmd:
   - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
   - [sysctl, -p]
 
-  - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
-
   - [timedatectl, set-timezone, Europe/Rome]

cloud-init/swarm-manager.yml

@@ -14,8 +14,6 @@ packages:
   - lsb-release
   - fail2ban
   - iptables-persistent
-  - unattended-upgrades
-  - apt-listchanges
 
 write_files:
   - path: /etc/iptables/rules.v4
@@ -67,13 +65,6 @@ write_files:
     append: true
     content: |
       /swapfile swap swap defaults 0 0
-  - path: /etc/apt/apt.conf.d/20auto-upgrades
-    permissions: 0644
-    owner: root:root
-    content: |
-      APT::Periodic::Update-Package-Lists "1";
-      APT::Periodic::Unattended-Upgrade "1";
-      APT::Periodic::AutocleanInterval "7";
 
 runcmd:
   - 'iptables-restore < /etc/iptables/rules.v4'
@@ -98,8 +89,6 @@ runcmd:
   - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
   - [sysctl, -p]
 
-  - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
-
   - [mkdir, -p, /usr/local/apt-keys]
   - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
   - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'

cloud-init/swarm-worker.yml

@@ -15,8 +15,6 @@ packages:
   - fail2ban
   - iptables-persistent
   - glusterfs-client
-  - unattended-upgrades
-  - apt-listchanges
 
 write_files:
   - path: /etc/iptables/rules.v4
@@ -61,13 +59,6 @@ write_files:
       [Journal]
       SystemMaxUse=250M
       SystemMaxFileSize=50M
-  - path: /etc/apt/apt.conf.d/20auto-upgrades
-    permissions: 0644
-    owner: root:root
-    content: |
-      APT::Periodic::Update-Package-Lists "1";
-      APT::Periodic::Unattended-Upgrade "1";
-      APT::Periodic::AutocleanInterval "7";
   - path: /etc/fstab
     append: true
     content: |
@@ -102,8 +93,6 @@ runcmd:
   - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
   - [sysctl, -p]
 
-  - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
-
   - [mkdir, -p, /usr/local/apt-keys]
   - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
   - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'

glusterfs/README.md

@@ -1,3 +0,0 @@
-## optimizations
-
-https://docs.gluster.org/en/main/Administrator-Guide/Performance-Tuning/#directory-operations

glusterfs/etc/fstab

@@ -1 +0,0 @@
-SERVER_NAME:/VOLNAME /mnt/DIR glusterfs defaults,_netdev,log-level=WARNING,log-file=/var/log/gluster.log,backupvolfile-server=SERVER_NAME_BACKUP 0 0