unitoo/configurations
1
0
Fork 2
Code Issues 3 Pull requests Projects Releases Packages Wiki Activity

rebase #19

Merged
unitoo merged 12 commits from claudiomaradonna/configurations:master into master 2022-08-23 10:19:21 +02:00
Conversation 0 Commits 12 Files changed 20 +11746 -35
20 changed files with 11746 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -25,5 +25,5 @@ In order to display the proper syntax highlighting on Gitea, you should use the
--- ---
> [unitoo.it](https://www.unitoo.it)  ·  > [unitoo.it](https://www.unitoo.it)  · 
> Mastodon [@unitoo](https://mastodon.uno/@unitoo)  ·  > Fediverse [admin@social.unitoo.it](https://social.unitoo.it/admin)  · 
> GitHub [@UnitooTeam](https://github.com/UnitooTeam) > GitHub [@UnitooTeam](https://github.com/UnitooTeam)

73
cloud-init/matrix-synapse.yml Normal file
View file

@ -0,0 +1,73 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- nginx
- certbot
- python3-certbot-nginx
- iptables-persistent
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 3G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [sysctl, -p]
- [timedatectl, set-timezone, Europe/Rome]

109
cloud-init/swarm-manager.yml Normal file
View file

@ -0,0 +1,109 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- iptables-persistent
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp --dport 2377 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -i $SPECIFY_INTERFACE -p tcp --dport 24007 -j ACCEPT -m comment --comment "GlusterFS Management"
-A INPUT -i $SPECIFY_INTERFACE -p tcp -m tcp --dport 49152:60999 -m comment --comment "GlusterFS Bricks" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- path: /etc/iptables/rules.v6
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- 'ip6tables-restore < /etc/iptables/rules.v6'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 2G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p]
- [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
- 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil]
- [timedatectl, set-timezone, Europe/Rome]

115
cloud-init/swarm-worker.yml Normal file
View file

@ -0,0 +1,115 @@
#cloud-config
ssh_genkeytypes: [ecdsa, ed25519]
# upgrade system
package_update: true
package_upgrade: true
# various dependencies
packages:
- ca-certificates
- curl
- gnupg
- lsb-release
- fail2ban
- iptables-persistent
- glusterfs-client
write_files:
- path: /etc/iptables/rules.v4
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2376 -j ACCEPT -m comment --comment "Docker Swarm"
-A INPUT -p tcp -m tcp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 7946 -m comment --comment "Docker Swarm" -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m comment --comment "Docker Swarm" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
- path: /etc/iptables/rules.v6
permissions: 0644
owner: root:root
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
COMMIT
- path: /etc/systemd/journald.conf.d/size.conf
permissions: 0644
owner: root:root
content: |
[Journal]
SystemMaxUse=250M
SystemMaxFileSize=50M
- path: /etc/fstab
append: true
content: |
/swapfile swap swap defaults 0 0
- path: /etc/hosts
append: true
content: |
192.168.178.2 swarm-manager-1
192.168.178.3 swarm-manager-2
192.168.178.4 swarm-manager-3
runcmd:
- 'iptables-restore < /etc/iptables/rules.v4'
- 'ip6tables-restore < /etc/iptables/rules.v6'
- [systemctl, enable, --now, fail2ban]
- 'fallocate -l 2G /swapfile'
- 'chmod 600 /swapfile'
- 'mkswap /swapfile'
- 'swapon /swapfile'
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
- [systemctl, restart, ssh]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
- [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.d/99-swarm.conf, --output, /etc/sysctl.d/99-swarm.conf]
- [sysctl, -p]
- [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
- 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null'
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil]
- [timedatectl, set-timezone, Europe/Rome]
- [mkdir, /mnt/swarm-data]

82
erpnext/print-formats/print-style.css Normal file
View file

@ -0,0 +1,82 @@
.print-format {
font-size: 12px;
background: white;
}
.print-heading {
border-bottom: none;
padding-bottom: 5px;
margin-bottom: 10px;
}
.print-format .letter-head {
margin-bottom: 30px;
}
.print-format label {
font-weight: normal;
font-size: 13px;
color: #4C5A67;
margin-bottom: 0;
}
.print-format .data-field {
margin-top: 0;
margin-bottom: 0;
}
.print-format .value {
color: #192734;
line-height: 1.8;
}
.print-format .section-break:not(:last-child) {
margin-bottom: 0;
}
.print-format .row:not(.section-break) {
line-height: 1.6;
margin-top: 15px !important;
}
.print-format .important .value {
font-size: 13px;
font-weight: 600;
}
.print-format th {
color: #74808b;
font-weight: normal;
border-bottom-width: 1px !important;
}
.print-format .table-bordered td, .print-format .table-bordered th {
border: 1px solid #f4f5f6;
}
.print-format .table-bordered {
border: 1px solid #f4f5f6;
}
.print-format .table-bordered thead {
text-transform: uppercase;
font-size: 8px;
}
.print-format .table-sr {
display: none;
}
.print-format td, .print-format th {
padding: 5px 10px !important;
}
.print-format .primary.compact-item {
font-weight: normal;
}
.print-format table td .value {
font-size: 12px;
line-height: 1.8;
}

164
erpnext/print-formats/quotations.html Normal file
View file

@ -0,0 +1,164 @@
<!-- HEADING SECTION -->
<div class="print-heading row">
<div class="col-xs-4">
<a href=""> <img src="" alt="logo" style="font-family: 'Oxygen', 'Helvetica Neue', 'Arial', 'sans-serif' !important;max-width: 600px;outline: none;text-decoration: none;-ms-interpolation-mode: bicubic;border: none;"></a>
</div>
<div class="col-xs-8 text-right">
{% set u_company = frappe.get_doc('Company', doc.company) %}
{% set links = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Company', 'link_name': doc.company, 'parenttype': 'Address'}, fields=['parent']) %}
<div class="strong">{{ doc.company }}</div>
{% if links %}
<div>
{{frappe.db.get_value("Address", links[0].parent, "address_line1")}} -
{{frappe.db.get_value("Address", links[0].parent, "pincode")}} -
{{frappe.db.get_value("Address", links[0].parent, "city")}}
{% set province = frappe.db.get_value("Address", links[0].parent, "state") %}
{% if province %}
({{ province }})
{% endif %}
</div>
{% endif %}
VAT: {{ u_company.tax_id }} - F.C.: {{ u_company.fiscal_code }}
<br>
<div class="h5"><strong>QUOTATION</strong> nr. <strong>{{ doc.name }}</strong> of <strong>{{ frappe.utils.formatdate(doc.get('transaction_date'),"dd-mm-yyyy") }}</strong></div>
</div>
</div>
<hr>
<!-- END SECTION -->
<!-- SECTION 2 COLUMNS -->
<!-- FIRST COLUMN -->
{% set customer = frappe.get_list('Customer', filters = { 'customer_name': doc.customer_name}, fields = ['tax_id', 'fiscal_code']) %}
{% set contacts = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Customer', 'link_name': doc.customer_name, 'parenttype': 'Contact'}, fields=['parent']) %}
{% if customer %}
<div><strong>VAT</strong> {{ customer[0].tax_id }}</div>
<div><strong>F.C.</strong> {{ customer[0].fiscal_code }}</div>
{% endif %}
{% if contacts %}
<div>
<strong>EMAIL </strong>
{% set break = false %}
{% for contact_id in contacts if not break %}
{% set contact = frappe.get_doc('Contact', contact_id.parent) %}
{% if contact.is_billing_contact %}
{{ contact.email_id }}
{% set break = true %}
{% endif %}
{% endfor %}
</div>
{% endif %}
<!-- SECOND COLUMN -->
<div><small>RECIPIENT</small></div>
<div><strong>{{ doc.customer_name }}</strong></div>
{% set links = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Customer', 'link_name': doc.customer_name, 'parenttype': 'Address'}, fields=['parent']) %}
{% if links %}
<div>
{{frappe.db.get_value("Address", links[0].parent, "address_line1")}}
</div>
<div>
{{frappe.db.get_value("Address", links[0].parent, "state_code")}} {{frappe.db.get_value("Address", links[0].parent, "city")}} ({{ frappe.db.get_value("Address", links[0].parent, "state") }})
</div>
<div>
{{frappe.db.get_value("Address", links[0].parent, "country")}}
</div>
{% endif %}
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<!-- ADD ITEMS (TABLE): Description, Amount, Tax Amount -->
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<div><small>PAYMENT TERMS</small></div>
{% set bank_account = frappe.get_doc('Bank Account', 'BANK NAME') %}
{% if bank_account %}
<div>IBAN: <strong>{{ bank_account.iban }}</strong></div>
<div>Holder: <strong>{{ bank_account.company }}</strong></div>
<div>Bank: <strong>{{ bank_account.bank }}</strong></div>
{% endif %}
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
{% set quotation_items = doc.items %}
{% set total_without_stamp = [] %}
{% set stamp = [0] %}
{% for item in quotation_items %}
{% if item.item_name != 'MARCADABOLLO' %}
{% set __ = total_without_stamp.append(item.base_amount) %}
{% else %}
{% set __ = stamp.append(1) %}
{% endif %}
{% endfor %}
{% set total = ("€ %.2f"|format(total_without_stamp|sum)).replace('.', ',') %}
<div class="row" style="margin-top: 0">
<div class="col-xs-7" style="border-right: 1px solid #ddd;">
<table class="table table-borderless table-condensed">
<thead>
<tr>
<th>VAT Summary</th>
<th class="text-right" width=100>Taxable</th>
<th class="text-right" width=75>Taxes</th>
</tr>
</thead>
<tbody>
<tr>
<td>
0% - <span class="font-italic">Operazione non soggetta a IVA ai sensi dell'art. 1, commi 54-89, Legge n. 190/2014 e succ. modifiche/ integrazioni</span>
</td>
<td class="text-right">{{ total }}</td>
<td class="text-right">€ 0,00</td>
</tr>
{% if (stamp|sum) > 0 %}
<tr>
<td>0% - <span class="font-italic">Escluso Art. 15</span></td>
<td class="text-right">2,00</td>
<td class="text-right">€ 0,00</td>
</tr>
{% endif %}
</tbody>
</table>
</div>
<div class="col-xs-5 text-right">
<div>Taxable {{ total }}</div>
{% if (stamp|sum) > 0 %}
<div>Not taxable € 2,00</div>
{% endif %}
<h1>{{ ("€ %.2f"|format(doc.grand_total)).replace('.', ',') }}</h1>
</div>
</div>
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<div class="col-xs-12">
{% if not no_letterhead and footer %}
{{ footer }}
{% endif %}
</div>
<!-- END SECTION -->

6
etc/systemd/system/certbot-renewal.service Normal file
View file

@ -0,0 +1,6 @@
[Unit]
Description=Automatically renews SSL certificates obtained with certbot
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew -q --post-hook /usr/local/bin/certbot-restart-nginx

10
etc/systemd/system/certbot-renewal.timer Normal file
View file

@ -0,0 +1,10 @@
[Unit]
Description=This is the timer schedule Automatic renewals of SSL certificates obtained with certbot
[Timer]
OnCalendar=daily
RandomizedDelaySec=6hours
Persistent=true
[Install]
WantedBy=timers.target

10892
grafana/dashboards/synapse.json Normal file
View file

File diff suppressed because it is too large Load diff

131
ipfs/etc/nginx/sites-available/ipfs-gateway.conf Normal file
View file

@ -0,0 +1,131 @@
upstream gateway {
server 127.0.0.1:8081;
}
server {
server_name ipfs.unitoo.it ipns.unitoo.it; # managed by Certbot
listen 443 default_server ssl;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
proxy_pass_header Server;
proxy_read_timeout 1800s;
error_page 403 /403.html;
location /403.html {
root /var/www/html;
allow all;
}
location /403.png {
root /var/www/html;
allow all;
}
location /400.html {
root /var/www/html;
allow all;
}
location /ipns {
proxy_pass http://gateway;
proxy_set_header Host unitoo.it;
proxy_cache_bypass $http_upgrade;
proxy_intercept_errors on;
allow all;
error_page 400 /400.html;
}
location /ipfs {
proxy_pass http://gateway;
proxy_set_header Host unitoo.it;
proxy_cache_bypass $http_upgrade;
proxy_intercept_errors on;
allow all;
error_page 400 /400.html;
}
location / {
proxy_pass http://localhost:5001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
deny all; # <- Deny other traffic
}
ssl_certificate /etc/letsencrypt/live/ipfs.unitoo.it/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ipfs.unitoo.it/privkey.pem; # managed by Certbot
include snippets/denylist.conf;
}
server {
server_name *.ipfs.unitoo.it *.ipns.unitoo.it;
listen 443 ssl;
proxy_read_timeout 1800s;
error_page 403 /403.html;
location /403.html {
root /var/www/html;
allow all;
}
location /403.png {
root /var/www/html;
allow all;
}
location /400.html {
root /var/www/html;
allow all;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
include snippets/denylist.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://gateway;
}
}
server {
server_name ipfs.unitoo.it ipns.unitoo.it;
listen 80;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
proxy_pass_header Server;
proxy_read_timeout 1800s;
include snippets/denylist.conf;
location ~ "^/(ipfs|ipns|api)(/|$)" {
proxy_set_header Host unitoo.it;
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://gateway;
}
return 404;
}

57
ipfs/lib/systemd/system/ipfs.service Normal file
View file

@ -0,0 +1,57 @@
[Unit]
Description=IPFS Daemon
Documentation=https://docs.ipfs.io/
After=network.target
[Service]
# hardening
ReadWritePaths=/home/ipfs /mnt/ipfs
NoNewPrivileges=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
ProtectHostname=true
PrivateTmp=true
ProtectClock=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
#ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=8192
#LimitNice=10
MemoryAccounting=true
#MemoryHigh=768M
#MemoryMax=1024M
MemorySwapMax=0
CPUAccounting=true
CPUQuota=40%
TimeoutStartSec=infinity
Type=notify
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
Environment=IPFS_FD_MAX=8192
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
Group=ipfs
StateDirectory=ipfs
Restart=always
RestartSec=60
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target

6
iptables/iptables-http-full-f2b.fw
View file

@ -1,7 +1,7 @@
*filter *filter
:INPUT DROP [4414218:211789180] :INPUT DROP [0:0]
:FORWARD ACCEPT [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056] :OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0] :f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT

6
iptables/iptables-http-full.fw
View file

@ -1,7 +1,7 @@
*filter *filter
:INPUT DROP [4414218:211789180] :INPUT DROP [0:0]
:FORWARD ACCEPT [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056] :OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP

6
iptables/iptables-ssh-only.fw
View file

@ -1,7 +1,7 @@
*filter *filter
:INPUT DROP [4414218:211789180] :INPUT DROP [0:0]
:FORWARD ACCEPT [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [17973:1146056] :OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP

5
matrix/database_vacuum_instructions.md Normal file
View file

@ -0,0 +1,5 @@
1. Activate `synapse-admin` following instructions provided by playbook
2. Use `synapse-admin` to clean rooms or what you don't need
3. Stop `synapse`
3. Run `REINDEX (VERBOSE) DATABASE dbnamehere;` from your db client
4. Run `VACUUM FULL VERBOSE;` from your db client

21
nextcloud/var/www/html/nextcloud/config/config.s3.php
View file

@ -9,7 +9,7 @@ $CONFIG = array (
), ),
'datadirectory' => '/var/www/html/nextcloud/data', 'datadirectory' => '/var/www/html/nextcloud/data',
'dbtype' => 'mysql', 'dbtype' => 'mysql',
'version' => '21.0.3.1', 'version' => '23.0.3.2',
'overwrite.cli.url' => 'http://your_domain/', 'overwrite.cli.url' => 'http://your_domain/',
'htaccess.RewriteBase' => '/', 'htaccess.RewriteBase' => '/',
'dbname' => 'nextcloud', 'dbname' => 'nextcloud',
@ -61,4 +61,23 @@ $CONFIG = array (
'mail_smtppassword' => '', 'mail_smtppassword' => '',
'maintenance' => false, 'maintenance' => false,
'default_phone_region' => 'IT', 'default_phone_region' => 'IT',
'enable_previews' => true,
'preview_max_x' => 4096,
'preview_max_y' => 4096,
'preview_max_memory' => 768,
'preview_max_filesize_image' => 50,
'enabledPreviewProviders' => [
'OC\Preview\PNG',
'OC\Preview\JPEG',
'OC\Preview\GIF',
'OC\Preview\HEIC',
'OC\Preview\BMP',
'OC\Preview\XBitmap',
'OC\Preview\MP3',
'OC\Preview\TXT',
'OC\Preview\MarkDown',
'OC\Preview\OpenDocument',
'OC\Preview\Krita',
'OC\Preview\PDF',
],
); );

73
ssh/etc/ssh/sshd_config
View file

@ -1,27 +1,52 @@
HostKey /etc/ssh/ssh_host_rsa_key Protocol 2 # Protocol 1 is fundamentally broken
HostKey /etc/ssh/ssh_host_ecdsa_key StrictModes yes # Protects from misconfiguration
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV #ListenAddress [ip-here] # Listening address
Port 22 # Listening port. Normal 22
AllowGroups sshlogin AuthenticationMethods publickey # Only public key authentication allowed
PermitRootLogin WITHOUT-PASSWORD
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes PubkeyAuthentication yes # Allow public key authentication
MaxSessions 4 HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication
MaxAuthTries 4 HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts
ClientAliveCountMax 2 KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms
LogLevel VERBOSE Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed
PasswordAuthentication no MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg.
ChallengeResponseAuthentication no
GSSAPIAuthentication no #Only allow incoming ECDSA and ed25519 sessions:
UsePAM yes HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PrintMotd no PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
X11Forwarding no #CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE #AllowUsers [username] # Authorized SSH users are inside the admin group
AcceptEnv XMODIFIERS MaxAuthTries 5 # Maximum allowed authentication attempts
Subsystem sftp /usr/lib/openssh/sftp-server MaxSessions 2 # Maximum allowed sessions by the user
PasswordAuthentication no # No username password authentication
PermitEmptyPasswords no # No empty password authentcation allowed
IgnoreRhosts yes # Dont read users rhost files
HostbasedAuthentication no # Disable host-based authentication
ChallengeResponseAuthentication no # Unused authentication scheme
X11Forwarding no # Disable X11 forwarding
LogLevel VERBOSE # Fingerprint details of failed login attempts
SyslogFacility AUTH # Logging authentication and authorization related commands
UseDNS no # Client from a location without proper DNS generate a warning in the logs
PermitTunnel no # Only SSH connection and nothing else
AllowTcpForwarding no # Disablow tunneling out via SSH
AllowStreamLocalForwarding no # Disablow tunneling out via SSH
GatewayPorts no # Disablow tunneling out via SSH
AllowAgentForwarding no # Do not allow agent forwarding
#Banner /etc/issue.net # Show legal login banner
PrintLastLog yes # Show last login
ClientAliveInterval 900 # Client timeout (15 minutes)
ClientAliveCountMax 0 # This way enforces timeouts on the server side
LoginGraceTime 30 # Authenticatin must happen within 30 seconds
MaxStartups 2 # Max concurrent SSH sessions
TCPKeepAlive yes # Do not use TCP keep-alive
AcceptEnv LANG LC_* # Allow client to pass locale environment variables

5
sysctl/etc/sysctl.d/99-swarm.conf Normal file
View file

@ -0,0 +1,5 @@
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

5
usr/local/bin/certbot-restart-nginx Normal file
View file

@ -0,0 +1,5 @@
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
nginx -tq && systemctl restart nginx

13
wireguard/client/etc/wireguard/wg0.conf Normal file
View file

@ -0,0 +1,13 @@
[Interface]
Address=<local_address>
PrivateKey = `wg genkey`
ListenPort = <listen_port>
[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip>:<server_port>
AllowedIPs = <subnet>/24
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25