From 5bb9fd292ce515f37f7689047dc923797d5de313 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Thu, 6 Jan 2022 20:49:12 +0100
Subject: [PATCH 1/6] feat: add some wireguard client example config
---
wireguard/client/etc/wireguard/wg0.conf | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 wireguard/client/etc/wireguard/wg0.conf
diff --git a/wireguard/client/etc/wireguard/wg0.conf b/wireguard/client/etc/wireguard/wg0.conf
new file mode 100644
index 0000000..cc746fe
--- /dev/null
+++ b/wireguard/client/etc/wireguard/wg0.conf
@@ -0,0 +1,13 @@
+[Interface]
+Address=
+PrivateKey = `wg genkey`
+ListenPort =
+
+[Peer]
+PublicKey =
+Endpoint = :
+AllowedIPs = /24
+
+# This is for if you're behind a NAT and
+# want the connection to be kept alive.
+PersistentKeepalive = 25
-- 
2.45.2
From c08567ba6e71172035e1e924e8584e9c864f4778 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Sun, 24 Apr 2022 01:06:24 +0200
Subject: [PATCH 2/6] update nextcloud s3 config. add ipfs config nginx + systemd
---
.../nginx/sites-available/ipfs-gateway.conf | 131 ++++++++++++++++++
ipfs/lib/systemd/system/ipfs.service | 26 ++++
.../www/html/nextcloud/config/config.s3.php | 3 +-
3 files changed, 159 insertions(+), 1 deletion(-)
create mode 100644 ipfs/etc/nginx/sites-available/ipfs-gateway.conf
create mode 100644 ipfs/lib/systemd/system/ipfs.service
diff --git a/ipfs/etc/nginx/sites-available/ipfs-gateway.conf b/ipfs/etc/nginx/sites-available/ipfs-gateway.conf
new file mode 100644
index 0000000..97687da
--- /dev/null
+++ b/ipfs/etc/nginx/sites-available/ipfs-gateway.conf
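Review bot: `PrivateKey = `wg genkey`` reads like a shell substitution, but wg-quick parses the file literally, so a config copied from this template fails to load until the real key is pasted in; a comment above it such as `# paste the output of: umask 077; wg genkey | tee privatekey | wg pubkey > publickey` would make the intended workflow explicit. Because the private key is stored inline, the same comment should state that the file must not be world-readable (wg-quick warns about a world-accessible config), e.g. `# chmod 600 /etc/wireguard/wg0.conf`. For a client behind NAT, the reason given for `PersistentKeepalive`, `ListenPort` can be omitted altogether, so the empty placeholder is better dropped than left for someone to fill with a fixed port.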
@@ -0,0 +1,131 @@
+upstream gateway {
+ server 127.0.0.1:8081;
+}
+
+server {
+ server_name ipfs.unitoo.it ipns.unitoo.it; # managed by Certbot
+ listen 443 default_server ssl;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+ proxy_pass_header Server;
+ proxy_read_timeout 1800s;
+
+ error_page 403 /403.html;
+
+ location /403.html {
+ root /var/www/html;
+ allow all;
+ }
+
+ location /403.png {
+ root /var/www/html;
+ allow all;
+ }
+
+ location /400.html {
+ root /var/www/html;
+ allow all;
+ }
+
+ location /ipns {
+ proxy_pass http://gateway;
+ proxy_set_header Host unitoo.it;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_intercept_errors on;
+
+ allow all;
+
+ error_page 400 /400.html;
+ }
+
+ location /ipfs {
+ proxy_pass http://gateway;
+ proxy_set_header Host unitoo.it;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_intercept_errors on;
+
+ allow all;
+
+ error_page 400 /400.html;
+ }
+
+ location / {
+ proxy_pass http://localhost:5001;
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ deny all; # <- Deny other traffic
+ }
+
+ ssl_certificate /etc/letsencrypt/live/ipfs.unitoo.it/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/ipfs.unitoo.it/privkey.pem; # managed by Certbot
+
+ include snippets/denylist.conf;
+}
+
+server {
+ server_name *.ipfs.unitoo.it *.ipns.unitoo.it;
+ listen 443 ssl;
+
+ proxy_read_timeout 1800s;
+
+ error_page 403 /403.html;
+
+ location /403.html {
+ root /var/www/html;
+ allow all;
+ }
+
+ location /403.png {
+ root /var/www/html;
+ allow all;
+ }
+
+ location /400.html {
+ root 
/var/www/html;
+ allow all;
+ }
+
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+ include snippets/denylist.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Ipfs-Gateway-Prefix "";
+ proxy_pass http://gateway;
+ }
+}
+
+server {
+ server_name ipfs.unitoo.it ipns.unitoo.it;
+ listen 80;
+
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+ proxy_pass_header Server;
+ proxy_read_timeout 1800s;
+
+ include snippets/denylist.conf;
+
+ location ~ "^/(ipfs|ipns|api)(/|$)" {
+ proxy_set_header Host unitoo.it;
+ proxy_set_header X-Ipfs-Gateway-Prefix "";
+ proxy_pass http://gateway;
+ }
+
+ return 404;
+}
diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service
new file mode 100644
index 0000000..6661590
--- /dev/null
+++ b/ipfs/lib/systemd/system/ipfs.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=IPFS Daemon
+After=network.target
+
+[Service]
+#Runtime
+Environment="IPFS_PATH=/mnt/ipfs"
+Environment=IPFS_LOGGING="error"
+ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate
+User=ipfs
+Restart=on-failure
+RestartSec=10s
+KillSignal=SIGINT
+
+#Accounting
+LimitNOFILE=10240
+#LimitNice=10
+MemoryAccounting=true
+MemoryHigh=512M
+MemoryMax=768M
+MemorySwapMax=512M
+CPUAccounting=true
+CPUQuota=40%
+
+[Install]
+WantedBy=multi-user.target
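Review bot: In the port-80 server at the end of the hunk, `return 404;` is placed at server level, and as I read nginx's rewrite-phase ordering a server-level `return` runs before any location is matched, so the `location ~ "^/(ipfs|ipns|api)(/|$)"` block above it is never reached and every plaintext request gets a 404. If content is meant to be served only over TLS, which the `preload` HSTS header on the 443 server implies, replace that location and the `return 404;` with a single `return 301 https://$host$request_uri;` and drop the CORS and proxy directives from the block; if plaintext gateway access is intended, note that the regex also routes `/api` to the gateway upstream, which neither 443 server does, so `api` should be removed from it. In the first server, `location /` proxies to `localhost:5001` (the default port of the kubo RPC API) behind `deny all`; a plain `return 403;` gives the same response without leaving an RPC upstream one `allow` edit away from exposure.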
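Review bot: `ExecStart=/home/ipfs/.local/bin/ipfs` runs a binary that lives inside the home directory of the very account the unit drops to (`User=ipfs`), so a compromised daemon can overwrite its own executable and persist across restarts; installing it under a root-owned path such as `/usr/local/bin/ipfs` would remove that and, in the hardening commit later in this series (patch 3/6), allow `ProtectHome=true` to stay enabled and `/home/ipfs` to be dropped from `ReadWritePaths`. My understanding is that `--migrate` also lets the daemon fetch and execute repo-migration tools from the network at start-up, which is worth stating in a comment on the `ExecStart` line, e.g. `# --migrate downloads migration helpers at start; pin the binary and review before upgrades`, so the implicit trust is visible to whoever maintains the unit.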
diff --git a/nextcloud/var/www/html/nextcloud/config/config.s3.php b/nextcloud/var/www/html/nextcloud/config/config.s3.php index 0790fd8..6273db2 100644 --- a/nextcloud/var/www/html/nextcloud/config/config.s3.php +++ b/nextcloud/var/www/html/nextcloud/config/config.s3.php @@ -9,7 +9,7 @@ $CONFIG = array ( ), 'datadirectory' => '/var/www/html/nextcloud/data', 'dbtype' => 'mysql', - 'version' => '21.0.3.1', + 'version' => '23.0.3.2', 'overwrite.cli.url' => 'http://your_domain/', 'htaccess.RewriteBase' => '/', 'dbname' => 'nextcloud', @@ -61,4 +61,5 @@ $CONFIG = array ( 'mail_smtppassword' => '', 'maintenance' => false, 'default_phone_region' => 'IT', + 'preview_max_memory' => 768, ); -- 2.45.2 From 4234e4b50563ffe28544a7a1888867e04b19f301 Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Sun, 24 Apr 2022 10:21:28 +0200 Subject: [PATCH 3/6] ipfs: hardened ipfs config --- ipfs/lib/systemd/system/ipfs.service | 55 +++++++++++++++++++++------- 1 file changed, 42 insertions(+), 13 deletions(-) diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service index 6661590..20ac290 100644 --- a/ipfs/lib/systemd/system/ipfs.service +++ b/ipfs/lib/systemd/system/ipfs.service 
@@ -1,26 +1,55 @@ [Unit] Description=IPFS Daemon +Documentation=https://docs.ipfs.io/ After=network.target [Service] -#Runtime -Environment="IPFS_PATH=/mnt/ipfs" -Environment=IPFS_LOGGING="error" -ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate -User=ipfs -Restart=on-failure -RestartSec=10s -KillSignal=SIGINT +# hardening +ReadWritePaths=/home/ipfs /mnt/ipfs +NoNewPrivileges=true +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +PrivateDevices=true +DevicePolicy=closed +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +ProtectHostname=true +PrivateTmp=true +ProtectClock=true +LockPersonality=true +RestrictNamespaces=true +RestrictRealtime=true +MemoryDenyWriteExecute=true +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged +#ProtectHome=true +RemoveIPC=true +RestrictSUIDSGID=true +CapabilityBoundingSet=CAP_NET_BIND_SERVICE -#Accounting -LimitNOFILE=10240 +LimitNOFILE=8192 #LimitNice=10 MemoryAccounting=true -MemoryHigh=512M -MemoryMax=768M -MemorySwapMax=512M +MemoryHigh=768M +MemoryMax=1024M +MemorySwapMax=0 CPUAccounting=true CPUQuota=40% +TimeoutStartSec=infinity + +Type=notify +Environment="IPFS_PATH=/mnt/ipfs" +Environment=IPFS_LOGGING="error" +Environment=IPFS_FD_MAX=8192 +ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate +User=ipfs +Group=ipfs +StateDirectory=ipfs +Restart=on-failure +KillSignal=SIGINT [Install] WantedBy=multi-user.target -- 2.45.2 From 8612dc3a68326494b04a0ace5dfbf3fc839050b1 Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Sun, 24 Apr 2022 11:24:30 +0200 Subject: [PATCH 4/6] update fediverse account --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ff3c172..7d09b4a 100644 --- a/README.md +++ b/README.md 
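Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` does not by itself let the daemon bind a privileged port: with `User=ipfs` a capability only becomes effective through `AmbientCapabilities=`, and the nginx config in this series proxies to 8081 and 5001, so no low port is needed and an empty `CapabilityBoundingSet=` expresses the intent more tightly. `StateDirectory=ipfs` makes systemd create and own `/var/lib/ipfs`, while `Environment="IPFS_PATH=/mnt/ipfs"` keeps the repo elsewhere, so one of the two is unused and a maintainer could reasonably assume the wrong one holds the data; either drop `StateDirectory=` or add a comment explaining what `/var/lib/ipfs` is for. `ExecStart` now passes `--init` on every start, which is harmless for an existing repo but deserves a comment saying it is there for first boot on a fresh `/mnt/ipfs`.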
@@ -25,5 +25,5 @@ In order to display the proper syntax highlighting on Gitea, you should use the --- > [unitoo.it](https://www.unitoo.it)  ·  -> Mastodon [@unitoo](https://mastodon.uno/@unitoo)  ·  +> Fediverse [admin@social.unitoo.it](https://social.unitoo.it/admin)  ·  > GitHub [@UnitooTeam](https://github.com/UnitooTeam) -- 2.45.2 From 93cbb1c341e7e568c3b434ab8cb4dd025404ae2e Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Fri, 20 May 2022 12:18:22 +0200 Subject: [PATCH 5/6] add matrix cleanup instructions. add preview config for nextcloud --- matrix/database_vacuum_instructions.md | 5 +++++ .../www/html/nextcloud/config/config.s3.php | 20 ++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 matrix/database_vacuum_instructions.md diff --git a/matrix/database_vacuum_instructions.md b/matrix/database_vacuum_instructions.md new file mode 100644 index 0000000..26fc683 --- /dev/null +++ b/matrix/database_vacuum_instructions.md @@ -0,0 +1,5 @@ +1. Activate `synapse-admin` following instructions provided by playbook +2. Use `synapse-admin` to clean rooms or what you don't need +3. Stop `synapse` +3. Run `REINDEX (VERBOSE) DATABASE dbnamehere;` from your db client +4. Run `VACUUM FULL VERBOSE;` from your db client diff --git a/nextcloud/var/www/html/nextcloud/config/config.s3.php b/nextcloud/var/www/html/nextcloud/config/config.s3.php index 6273db2..369b99d 100644 --- a/nextcloud/var/www/html/nextcloud/config/config.s3.php +++ b/nextcloud/var/www/html/nextcloud/config/config.s3.php 
@@ -61,5 +61,23 @@ $CONFIG = array ( 'mail_smtppassword' => '', 'maintenance' => false, 'default_phone_region' => 'IT', - 'preview_max_memory' => 768, + 'enable_previews' => true, + 'preview_max_x' => 4096, + 'preview_max_y' => 4096, + 'preview_max_memory' => 768, + 'preview_max_filesize_image' => 50, + 'enabledPreviewProviders' => [ + 'OC\Preview\PNG', + 'OC\Preview\JPEG', + 'OC\Preview\GIF', + 'OC\Preview\HEIC', + 'OC\Preview\BMP', + 'OC\Preview\XBitmap', + 'OC\Preview\MP3', + 'OC\Preview\TXT', + 'OC\Preview\MarkDown', + 'OC\Preview\OpenDocument', + 'OC\Preview\Krita', + 'OC\Preview\PDF', + ], ); -- 2.45.2 From dbca83ff52e08dec8e9eeee81614bb7c17818358 Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Wed, 3 Aug 2022 16:29:06 +0200 Subject: [PATCH 6/6] fix iptables rules. update ipfs.service. init cloud-init folder with first sample configuration --- cloud-init/swarm-manager.yml | 65 ++++++++++++++++++++++++++++ ipfs/lib/systemd/system/ipfs.service | 8 ++-- iptables/iptables-http-full-f2b.fw | 6 +-- iptables/iptables-http-full.fw | 6 +-- iptables/iptables-ssh-only.fw | 6 +-- 5 files changed, 79 insertions(+), 12 deletions(-) create mode 100644 cloud-init/swarm-manager.yml diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml new file mode 100644 index 0000000..b27d58d --- /dev/null +++ b/cloud-init/swarm-manager.yml 
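Review bot: `enabledPreviewProviders` switches on `OC\Preview\HEIC` and `OC\Preview\PDF`, two providers Nextcloud leaves disabled by default because, as far as I know, they hand uploaded files to ImageMagick (and for PDF its Ghostscript delegate) inside the PHP worker, which is both a resource and an attack-surface trade-off that the rest of this list does not carry. A comment on those two entries recording that they are deliberate and that the host's ImageMagick `policy.xml` should keep the PS/PDF coders restricted, e.g. `// HEIC/PDF previews go through ImageMagick; keep policy.xml restrictive`, would stop a later maintainer from treating them as interchangeable with the image providers above them. The enclosing `$CONFIG` array starts outside the hunk.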
@@ -0,0 +1,65 @@
+#cloud-config
+
+ssh_genkeytypes: [ecdsa, ed25519]
+
+# upgrade system
+package_update: true
+package_upgrade: true
+
+# various dependencies
+packages:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+
+write_files:
+ - path: /etc/iptables/rules.v4
+ permissions: 0644
+ owner: root:root
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -i lo -j ACCEPT
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
+ -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -o lo -j ACCEPT
+ -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+ COMMIT
+ - path: /etc/iptables/rules.v6
+ permissions: 0644
+ owner: root:root
+ content: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -i tun0 -j ACCEPT
+ -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ -A INPUT -m conntrack --ctstate INVALID -j DROP
+ -A OUTPUT -o tun0 -j ACCEPT
+ -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
+ COMMIT
+
+runcmd:
+ - [mkdir, -p, /usr/local/apt-keys]
+ - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
+ - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
+ - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
+ - [apt-get, update]
+ - [apt-get, install, -y, yggdrasil]
+ - [sed, -r, -i, 's/Peers:\s\[\]/Peers: 
[\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf] + - [systemctl, enable, --now, yggdrasil] + + - [mkdir, -p, /etc/apt/keyrings] + - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" + - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null' + - [chmod, a+r, /etc/apt/keyrings/docker.gpg] + - [apt-get, update] + - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin' diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service index 20ac290..e256157 100644 --- a/ipfs/lib/systemd/system/ipfs.service +++ b/ipfs/lib/systemd/system/ipfs.service @@ -33,8 +33,8 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE LimitNOFILE=8192 #LimitNice=10 MemoryAccounting=true -MemoryHigh=768M -MemoryMax=1024M +#MemoryHigh=768M +#MemoryMax=1024M MemorySwapMax=0 CPUAccounting=true CPUQuota=40% @@ -48,7 +48,9 @@ ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate User=ipfs Group=ipfs StateDirectory=ipfs -Restart=on-failure +Restart=always +RestartSec=60 +KillMode=process KillSignal=SIGINT [Install] diff --git a/iptables/iptables-http-full-f2b.fw b/iptables/iptables-http-full-f2b.fw index 45db85a..377d871 100644 --- a/iptables/iptables-http-full-f2b.fw +++ b/iptables/iptables-http-full-f2b.fw @@ -1,7 +1,7 @@ *filter -:INPUT DROP [4414218:211789180] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [17973:1146056] +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] :f2b-sshd - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -A INPUT -i lo -j ACCEPT 
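Review bot: The two rule sets are written to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, but nothing in the file loads them: `iptables-persistent`/`netfilter-persistent` is not in `packages:` and `runcmd` never calls `iptables-restore`, so unless the base image already ships that package the host comes up with the kernel's default ACCEPT policies while the docker and yggdrasil steps still run. Add `- iptables-persistent` to `packages:` or an explicit `- [iptables-restore, /etc/iptables/rules.v4]` and `- [ip6tables-restore, /etc/iptables/rules.v6]` pair at the top of `runcmd`. The v6 set also differs from v4 in ways that look unintended: it has no `-i lo` accept and no port-22 rule, so IPv6 loopback traffic is dropped and SSH over IPv6 is reachable only through `tun0`, which is accepted unconditionally on input and output; if `tun0` is the yggdrasil interface, a comment saying so next to those two rules would make the trust placed in it explicit. The cloud-init hunk starts on the previous line.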
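Review bot: `KillMode=process` makes systemd signal only the main PID on stop, so any helper the daemon spawns (migration tools via `--migrate`, for instance) outlives the unit and escapes the cgroup accounting and `Restart=always` handling the rest of the unit relies on; systemd's own documentation discourages this mode, and `KillMode=mixed` keeps the graceful `SIGINT` to the main process while still cleaning up the group. In the earlier hunk of this file, commenting out `MemoryHigh`/`MemoryMax` removes the only ceiling on the daemon while `MemorySwapMax=0` stays, so a memory leak now competes directly with the rest of the host; if the old limits were being hit in practice, a comment with the observed usage would help whoever tries to reinstate them.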
diff --git a/iptables/iptables-http-full.fw b/iptables/iptables-http-full.fw index 6b2a30b..b1a0ad2 100644 --- a/iptables/iptables-http-full.fw +++ b/iptables/iptables-http-full.fw @@ -1,7 +1,7 @@ *filter -:INPUT DROP [4414218:211789180] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [17973:1146056] +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP diff --git a/iptables/iptables-ssh-only.fw b/iptables/iptables-ssh-only.fw index 42ec8dc..a0ae6e0 100644 --- a/iptables/iptables-ssh-only.fw +++ b/iptables/iptables-ssh-only.fw @@ -1,7 +1,7 @@ *filter -:INPUT DROP [4414218:211789180] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [17973:1146056] +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -- 2.45.2