diff --git a/.gitattributes b/.gitattributes
index 171c31e..34e73c0 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 neovim/*.conf gitlab-language=vim
+emacs/*.conf gitlab-language=elisp
diff --git a/README.md b/README.md
index f899c6c..6e6c127 100644
--- a/README.md
+++ b/README.md
@@ -23,5 +23,15 @@ edit the .gitattributes file accordingly:
 ```txt
 neovim/*.conf gitlab-language=vim
-spacemacs/*.conf gitlab-language=elisp
+emacs/*.conf gitlab-language=elisp
 ```
+
+## Support
+
+Donate using Liberapay
+
+---
+
+> [unitoo.it](https://www.unitoo.it)  ·  
+> Mastodon [@unitoo](https://mastodon.uno/@unitoo)  ·  
+> GitHub [@UnitooTeam](https://github.com/UnitooTeam)
diff --git a/apache/etc/httpd/conf.d/virtualhost-example.conf b/apache/etc/httpd/conf.d/virtualhost-example.conf
new file mode 100644
index 0000000..e08d0f4
--- /dev/null
+++ b/apache/etc/httpd/conf.d/virtualhost-example.conf
@@ -0,0 +1,18 @@
+
+ # YOUR CONFIG
+
+ # Redirect all request to a 503 return code when in maintenance mode
+ ErrorDocument 503 /maintenance/index.html
+ RewriteEngine on
+ RewriteCond /var/www/maintenance/ALL -f [OR]
+ RewriteCond /var/www/maintenance/%{SERVER_NAME} -f
+ RewriteCond %{REQUEST_URI} !=/maintenance/index.html
+ RewriteCond %{REQUEST_URI} !=/maintenance/index.png
+ RewriteRule ^ - [R=503,L]
+
+ # Redirect away from the maintenance page if not in maintenance mode
+ RewriteCond /var/www/maintenance/ALL !-f
+ RewriteCond /var/www/maintenance/%{SERVER_NAME} !-f
+ RewriteRule ^/maintenance/index.html$ / [R,L]
+
+
diff --git a/apache/etc/httpd/conf/httpd-maintenance.conf b/apache/etc/httpd/conf/httpd-maintenance.conf
new file mode 100644
index 0000000..d3fbced
--- /dev/null
+++ b/apache/etc/httpd/conf/httpd-maintenance.conf
@@ -0,0 +1,7 @@
+## YOUR CONFIG HERE
+
+
+ ## OTHER CONFIG HERE
+
+ Alias "/maintenance" "/var/www/maintenance"
+
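Review bot: `RewriteCond /var/www/maintenance/%{SERVER_NAME} -f` builds a filesystem path from `%{SERVER_NAME}`, which under the default `UseCanonicalName Off` is taken from the client's Host header, so a request can choose which file under `/var/www/maintenance/` is tested for existence. The visible effect is only whether that one request gets the 503 (and Apache's Host-header validation most likely blocks traversal characters), so I'd rate it low impact, but the per-host switch should be anchored to the configured name: add `UseCanonicalName On` inside this vhost, or test a literal filename, so the check cannot be steered from outside. A planned-maintenance 503 should also carry `Retry-After` so crawlers and clients back off; with mod_headers loaded, `Header always set Retry-After "3600" "expr=%{REQUEST_STATUS} == 503"` does that. The enclosing `<VirtualHost>` tags appear to have been stripped in this rendering, so I cannot see the rest of the block.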
diff --git a/apache/etc/httpd/conf/httpd-no-signature.conf b/apache/etc/httpd/conf/httpd-no-signature.conf
new file mode 100644
index 0000000..09cafd0
--- /dev/null
+++ b/apache/etc/httpd/conf/httpd-no-signature.conf
@@ -0,0 +1,4 @@
+## MAIN CONFIG HERE
+
+ServerTokens Prod
+ServerSignature Off
diff --git a/apache/etc/httpd/conf/httpd-server-status.conf b/apache/etc/httpd/conf/httpd-server-status.conf
new file mode 100644
index 0000000..8a8a49d
--- /dev/null
+++ b/apache/etc/httpd/conf/httpd-server-status.conf
@@ -0,0 +1,8 @@
+## MAIN CONFIG HERE
+
+
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+
diff --git a/apache/var/www/maintenance/index.html b/apache/var/www/maintenance/index.html
new file mode 100644
index 0000000..16fe47f
--- /dev/null
+++ b/apache/var/www/maintenance/index.html
@@ -0,0 +1,20 @@
+
+Site Maintenance
+
+
+
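Review bot: `ServerTokens Prod` and `ServerSignature Off` are the right minimum, but they reduce fingerprinting rather than remove it: the `Server: Apache` product token is still sent, and in my experience `Header unset Server` does not strip it because the core adds that header after mod_headers runs. If the intent is to hide the product entirely that takes mod_security's `SecServerSignature` or a fronting proxy; otherwise I'd state the limit in the file, e.g. `# Hides version/OS/module list only; the "Apache" token itself cannot be suppressed from here`. `ServerTokens` is server-scope only, so it has to live in the main config as the `## MAIN CONFIG HERE` marker implies, not in a vhost.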
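Review bot: `Order deny,allow` / `Deny from all` / `Allow from 127.0.0.1` is Apache 2.2 access-control syntax; on 2.4 these directives only exist when mod_access_compat is loaded, otherwise httpd refuses to start on the unknown directive, and as written they also exclude the IPv6 loopback. Replace the three lines with `Require local` (or `Require ip 127.0.0.1 ::1`), which covers both loopback addresses and still satisfies the exporter's `http://127.0.0.1/server-status?auto` scrape. Keep in mind that `server-status` with `ExtendedStatus On` lists in-flight request URIs including query strings, so this loopback restriction is the whole control—do not widen it to a LAN range without TLS and authentication in front. The enclosing `<Location>` tag appears to have been stripped in this rendering.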
+ +

We’ll be back soon!

+
+

We’re performing some hacks at the moment. +
You can always contact us!

+

— Your best friend 😎

+
+
diff --git a/apache/var/www/maintenance/index.png b/apache/var/www/maintenance/index.png new file mode 100644 index 0000000..c99efd2 Binary files /dev/null and b/apache/var/www/maintenance/index.png differ diff --git a/emacs/spacemacs.conf b/emacs/spacemacs.conf new file mode 100644 index 0000000..8e6cc74 --- /dev/null +++ b/emacs/spacemacs.conf 
@@ -0,0 +1,327 @@ +;; -*- mode: emacs-lisp -*- +;; This file is loaded by Spacemacs at startup. +;; It must be stored in your home directory. + +(defun dotspacemacs/layers () + "Configuration Layers declaration. +You should not put any user code in this function besides modifying the variable +values." + (setq-default + ;; Base distribution to use. This is a layer contained in the directory + ;; `+distribution'. For now available distributions are `spacemacs-base' + ;; or `spacemacs'. (default 'spacemacs) + dotspacemacs-distribution 'spacemacs + ;; Lazy installation of layers (i.e. layers are installed only when a file + ;; with a supported type is opened). Possible values are `all', `unused' + ;; and `nil'. `unused' will lazy install only unused layers (i.e. layers + ;; not listed in variable `dotspacemacs-configuration-layers'), `all' will + ;; lazy install any layer that support lazy installation even the layers + ;; listed in `dotspacemacs-configuration-layers'. `nil' disable the lazy + ;; installation feature and you have to explicitly list a layer in the + ;; variable `dotspacemacs-configuration-layers' to install it. + ;; (default 'unused) + dotspacemacs-enable-lazy-installation 'unused + ;; If non-nil then Spacemacs will ask for confirmation before installing + ;; a layer lazily. (default t) + dotspacemacs-ask-for-lazy-installation t + ;; If non-nil layers with lazy install support are lazy installed. + ;; List of additional paths where to look for configuration layers. + ;; Paths must have a trailing slash (i.e. `~/.mycontribs/') + dotspacemacs-configuration-layer-path '() + ;; List of configuration layers to load. + dotspacemacs-configuration-layers + '(systemd + ;; ---------------------------------------------------------------- + ;; Example of useful layers you may want to use right away. + ;; Uncomment some layer names and press (Vim style) or + ;; (Emacs style) to install them. 
+ ;; ---------------------------------------------------------------- + (ruby :variables ruby-version-manager 'rbenv ruby-enable-enh-ruby-mode t) + yaml + html + javascript + coffeescript + markdown + sql + ruby-on-rails + helm + (colors :variables colors-enable-nyan-cat-progress-bar t) + better-defaults + emacs-lisp + syntax-checking + semantic + shell + php + ) + ;; List of additional packages that will be installed without being + ;; wrapped in a layer. If you need some configuration for these + ;; packages, then consider creating a layer. You can also put the + ;; configuration in `dotspacemacs/user-config'. + dotspacemacs-additional-packages '(xclip base16-theme) + ;; A list of packages that cannot be updated. + dotspacemacs-frozen-packages '() + ;; A list of packages that will not be installed and loaded. + dotspacemacs-excluded-packages '() + ;; Defines the behaviour of Spacemacs when installing packages. + ;; Possible values are `used-only', `used-but-keep-unused' and `all'. + ;; `used-only' installs only explicitly used packages and uninstall any + ;; unused packages as well as their unused dependencies. + ;; `used-but-keep-unused' installs only the used packages but won't uninstall + ;; them if they become unused. `all' installs *all* packages supported by + ;; Spacemacs and never uninstall them. (default is `used-only') + dotspacemacs-install-packages 'used-only)) + +(defun dotspacemacs/init () + "Initialization function. +This function is called at the very startup of Spacemacs initialization +before layers configuration. +You should not put any user code in there besides modifying the variable +values." + ;; This setq-default sexp is an exhaustive list of all the supported + ;; spacemacs settings. + (setq-default + ;; If non nil ELPA repositories are contacted via HTTPS whenever it's + ;; possible. Set it to nil if you have no way to use HTTPS in your + ;; environment, otherwise it is strongly recommended to let it set to t. 
+ ;; This variable has no effect if Emacs is launched with the parameter + ;; `--insecure' which forces the value of this variable to nil. + ;; (default t) + dotspacemacs-elpa-https t + ;; Maximum allowed time in seconds to contact an ELPA repository. + dotspacemacs-elpa-timeout 5 + ;; If non nil then spacemacs will check for updates at startup + ;; when the current branch is not `develop'. Note that checking for + ;; new versions works via git commands, thus it calls GitHub services + ;; whenever you start Emacs. (default nil) + dotspacemacs-check-for-update nil + ;; If non-nil, a form that evaluates to a package directory. For example, to + ;; use different package directories for different Emacs versions, set this + ;; to `emacs-version'. + dotspacemacs-elpa-subdirectory nil + ;; One of `vim', `emacs' or `hybrid'. + ;; `hybrid' is like `vim' except that `insert state' is replaced by the + ;; `hybrid state' with `emacs' key bindings. The value can also be a list + ;; with `:variables' keyword (similar to layers). Check the editing styles + ;; section of the documentation for details on available variables. + ;; (default 'vim) + dotspacemacs-editing-style 'vim + ;; If non nil output loading progress in `*Messages*' buffer. (default nil) + dotspacemacs-verbose-loading nil + ;; Specify the startup banner. Default value is `official', it displays + ;; the official spacemacs logo. An integer value is the index of text + ;; banner, `random' chooses a random text banner in `core/banners' + ;; directory. A string value must be a path to an image format supported + ;; by your Emacs build. + ;; If the value is nil then no banner is displayed. (default 'official) + dotspacemacs-startup-banner nil + ;; List of items to show in startup buffer or an association list of + ;; the form `(list-type . list-size)`. If nil then it is disabled. + ;; Possible values for list-type are: + ;; `recents' `bookmarks' `projects' `agenda' `todos'." 
+ ;; List sizes may be nil, in which case + ;; `spacemacs-buffer-startup-lists-length' takes effect. + dotspacemacs-startup-lists '((bookmarks . 5) + (recents . 5) + (projects . 7)) + ;; True if the home buffer should respond to resize events. + dotspacemacs-startup-buffer-responsive t + ;; Default major mode of the scratch buffer (default `text-mode') + dotspacemacs-scratch-mode 'text-mode + ;; List of themes, the first of the list is loaded when spacemacs starts. + ;; Press T n to cycle to the next theme in the list (works great + ;; with 2 themes variants, one dark and one light) + dotspacemacs-themes '(base16-one-light + spacemacs-light + spacemacs-dark) + dotspacemacs-colorize-cursor-according-to-state t + ;; Default font, or prioritized list of fonts. `powerline-scale' allows to + ;; quickly tweak the mode-line size to make separators look not too crappy. + dotspacemacs-default-font '("Anonymous Pro for Powerline" + :size 18 + :powerline-scale 1.4) + ;; The leader key + dotspacemacs-leader-key "SPC" + ;; The key used for Emacs commands (M-x) (after pressing on the leader key). + ;; (default "SPC") + dotspacemacs-emacs-command-key "SPC" + ;; The key used for Vim Ex commands (default ":") + dotspacemacs-ex-command-key ":" + ;; The leader key accessible in `emacs state' and `insert state' + ;; (default "M-m") + dotspacemacs-emacs-leader-key "M-m" + ;; Major mode leader key is a shortcut key which is the equivalent of + ;; pressing ` m`. Set it to `nil` to disable it. (default ",") + dotspacemacs-major-mode-leader-key "," + ;; Major mode leader key accessible in `emacs state' and `insert state'. + ;; (default "C-M-m") + dotspacemacs-major-mode-emacs-leader-key "C-M-m" + ;; These variables control whether separate commands are bound in the GUI to + ;; the key pairs C-i, TAB and C-m, RET. + ;; Setting it to a non-nil value, allows for separate commands under + ;; and TAB or and RET. 
+ ;; In the terminal, these pairs are generally indistinguishable, so this only + ;; works in the GUI. (default nil) + dotspacemacs-distinguish-gui-tab nil + ;; If non nil `Y' is remapped to `y$' in Evil states. (default nil) + dotspacemacs-remap-Y-to-y$ nil + ;; If non-nil, the shift mappings `<' and `>' retain visual state if used + ;; there. (default t) + dotspacemacs-retain-visual-state-on-shift t + ;; If non-nil, J and K move lines up and down when in visual mode. + ;; (default nil) + dotspacemacs-visual-line-move-text nil + ;; If non nil, inverse the meaning of `g' in `:substitute' Evil ex-command. + ;; (default nil) + dotspacemacs-ex-substitute-global nil + ;; Name of the default layout (default "Default") + dotspacemacs-default-layout-name "Default" + ;; If non nil the default layout name is displayed in the mode-line. + ;; (default nil) + dotspacemacs-display-default-layout nil + ;; If non nil then the last auto saved layouts are resume automatically upon + ;; start. (default nil) + dotspacemacs-auto-resume-layouts nil + ;; Size (in MB) above which spacemacs will prompt to open the large file + ;; literally to avoid performance issues. Opening a file literally means that + ;; no major mode or minor modes are active. (default is 1) + dotspacemacs-large-file-size 1 + ;; Location where to auto-save files. Possible values are `original' to + ;; auto-save the file in-place, `cache' to auto-save the file to another + ;; file stored in the cache directory and `nil' to disable auto-saving. + ;; (default 'cache) + dotspacemacs-auto-save-file-location 'cache + ;; Maximum number of rollback slots to keep in the cache. (default 5) + dotspacemacs-max-rollback-slots 5 + ;; If non nil, `helm' will try to minimize the space it uses. (default nil) + dotspacemacs-helm-resize nil + ;; if non nil, the helm header is hidden when there is only one source. 
+ ;; (default nil) + dotspacemacs-helm-no-header nil + ;; define the position to display `helm', options are `bottom', `top', + ;; `left', or `right'. (default 'bottom) + dotspacemacs-helm-position 'bottom + ;; Controls fuzzy matching in helm. If set to `always', force fuzzy matching + ;; in all non-asynchronous sources. If set to `source', preserve individual + ;; source settings. Else, disable fuzzy matching in all sources. + ;; (default 'always) + dotspacemacs-helm-use-fuzzy 'always + ;; If non nil the paste micro-state is enabled. When enabled pressing `p` + ;; several times cycle between the kill ring content. (default nil) + dotspacemacs-enable-paste-transient-state nil + ;; Which-key delay in seconds. The which-key buffer is the popup listing + ;; the commands bound to the current keystroke sequence. (default 0.4) + dotspacemacs-which-key-delay 0.4 + ;; Which-key frame position. Possible values are `right', `bottom' and + ;; `right-then-bottom'. right-then-bottom tries to display the frame to the + ;; right; if there is insufficient space it displays it at the bottom. + ;; (default 'bottom) + dotspacemacs-which-key-position 'bottom + ;; If non nil a progress bar is displayed when spacemacs is loading. This + ;; may increase the boot time on some systems and emacs builds, set it to + ;; nil to boost the loading time. (default t) + dotspacemacs-loading-progress-bar nil + ;; If non nil the frame is fullscreen when Emacs starts up. (default nil) + ;; (Emacs 24.4+ only) + dotspacemacs-fullscreen-at-startup nil + ;; If non nil `spacemacs/toggle-fullscreen' will not use native fullscreen. + ;; Use to disable fullscreen animations in OSX. (default nil) + dotspacemacs-fullscreen-use-non-native nil + ;; If non nil the frame is maximized when Emacs starts up. + ;; Takes effect only if `dotspacemacs-fullscreen-at-startup' is nil. 
+ ;; (default nil) (Emacs 24.4+ only) + dotspacemacs-maximized-at-startup t + ;; A value from the range (0..100), in increasing opacity, which describes + ;; the transparency level of a frame when it's active or selected. + ;; Transparency can be toggled through `toggle-transparency'. (default 90) + dotspacemacs-active-transparency 90 + ;; A value from the range (0..100), in increasing opacity, which describes + ;; the transparency level of a frame when it's inactive or deselected. + ;; Transparency can be toggled through `toggle-transparency'. (default 90) + dotspacemacs-inactive-transparency 90 + ;; If non nil show the titles of transient states. (default t) + dotspacemacs-show-transient-state-title t + ;; If non nil show the color guide hint for transient state keys. (default t) + dotspacemacs-show-transient-state-color-guide t + ;; If non nil unicode symbols are displayed in the mode line. (default t) + dotspacemacs-mode-line-unicode-symbols t + ;; If non nil smooth scrolling (native-scrolling) is enabled. Smooth + ;; scrolling overrides the default behavior of Emacs which recenters point + ;; when it reaches the top or bottom of the screen. (default t) + dotspacemacs-smooth-scrolling t + ;; Control line numbers activation. + ;; If set to `t' or `relative' line numbers are turned on in all `prog-mode' and + ;; `text-mode' derivatives. If set to `relative', line numbers are relative. + ;; This variable can also be set to a property list for finer control: + ;; '(:relative nil + ;; :disabled-for-modes dired-mode + ;; doc-view-mode + ;; markdown-mode + ;; org-mode + ;; pdf-view-mode + ;; text-mode + ;; :size-limit-kb 1000) + ;; (default nil) + dotspacemacs-line-numbers t + ;; Code folding method. Possible values are `evil' and `origami'. + ;; (default 'evil) + dotspacemacs-folding-method 'evil + ;; If non-nil smartparens-strict-mode will be enabled in programming modes. 
+ ;; (default nil) + dotspacemacs-smartparens-strict-mode nil + ;; If non-nil pressing the closing parenthesis `)' key in insert mode passes + ;; over any automatically added closing parenthesis, bracket, quote, etc… + ;; This can be temporary disabled by pressing `C-q' before `)'. (default nil) + dotspacemacs-smart-closing-parenthesis nil + ;; Select a scope to highlight delimiters. Possible values are `any', + ;; `current', `all' or `nil'. Default is `all' (highlight any scope and + ;; emphasis the current one). (default 'all) + dotspacemacs-highlight-delimiters 'all + ;; If non nil, advise quit functions to keep server open when quitting. + ;; (default nil) + dotspacemacs-persistent-server nil + ;; List of search tool executable names. Spacemacs uses the first installed + ;; tool of the list. Supported tools are `ag', `pt', `ack' and `grep'. + ;; (default '("ag" "pt" "ack" "grep")) + dotspacemacs-search-tools '("ag" "pt" "ack" "grep") + ;; The default package repository used if no explicit repository has been + ;; specified with an installed package. + ;; Not used for now. (default nil) + dotspacemacs-default-package-repository nil + ;; Delete whitespace while saving buffer. Possible values are `all' + ;; to aggressively delete empty line and long sequences of whitespace, + ;; `trailing' to delete only the whitespace at end of lines, `changed'to + ;; delete only whitespace for changed lines or `nil' to disable cleanup. + ;; (default nil) + dotspacemacs-whitespace-cleanup nil + )) + +(defun dotspacemacs/user-init () + "Initialization function for user code. +It is called immediately after `dotspacemacs/init', before layer configuration +executes. + This function is mostly useful for variables that need to be set +before packages are loaded. If you are unsure, you should try in setting them in +`dotspacemacs/user-config' first." + ) + +(defun dotspacemacs/user-config () + "Configuration function for user code. 
+This function is called at the very end of Spacemacs initialization after +layers configuration. +This is the place where most of your configurations should be done. Unless it is +explicitly specified that a variable should be set before a package is loaded, +you should place your code here." + (add-hook 'before-save-hook 'delete-trailing-whitespace) + + ;; Activate column indicator in prog-mode and text-mode + ;; (add-hook 'prog-mode-hook 'turn-on-fci-mode) + ;; (add-hook 'text-mode-hook 'turn-on-fci-mode) + + (setq enh-ruby-add-encoding-comment-on-save nil) + (setq powerline-default-separator 'arrow) + (cancel-timer recentf-auto-save-timer) + (xclip-mode 1) + ) + +;; Do not write anything past this comment. This is where Emacs will +;; auto-generate custom variable definitions. diff --git a/emacs/spacemacs.md b/emacs/spacemacs.md new file mode 100644 index 0000000..bd86889 --- /dev/null +++ b/emacs/spacemacs.md @@ -0,0 +1,28 @@ +# Spacemacs configuration + +![spacemacs example](spacemacs.png "Emacs with this Spacemacs configuration") + +# Quick setup + +1. Copy the `spacemacs.conf` file in your $HOME directory and rename as `.spacemacs` +2. Adapt the file for your needs +3. Install dependecies, for each layer in `dotspacemacs-configuration-layers` function following respective documentation, starting here: [spacemacs layers](https://github.com/syl20bnr/spacemacs/tree/develop/layers) +4. Install your font; in this conf we are using "Anonymous Pro for Powerline" +5. Execute this: +```bash +git clone https://github.com/syl20bnr/spacemacs ~/.emacs.d +``` + + +## Extra features + +* https Elpa enabled +* Base16 Light Theme +* xclip is working +* arrow as powerline separator +* automatic trailing whitespaces deletion + + +## Power features + +* Nyan cat scroll bar diff --git a/emacs/spacemacs.png b/emacs/spacemacs.png new file mode 100644 index 0000000..6af81ac Binary files /dev/null and b/emacs/spacemacs.png differ 
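Review bot: `(xclip-mode 1)` in `dotspacemacs/user-config` mirrors every Emacs kill into the X selection, which any other X11 client can read, so text killed from a secrets file or a password prompt buffer becomes clipboard-readable for as long as the mode is on; a warning comment on that line, e.g. `;; NOTE: xclip shares the kill ring with the X clipboard — don't kill secrets while enabled`, would make the trade-off explicit. `dotspacemacs-elpa-https t` is good but only protects transport: MELPA does not sign packages, so `package-check-signature` cannot help and the layer list plus `dotspacemacs-additional-packages '(xclip base16-theme)` is trusted at install time—worth a one-line comment near that list. `(cancel-timer recentf-auto-save-timer)` will signal an error if recentf is not yet enabled when user-config runs (the variable is void or nil), so guard it with `(when (and (boundp 'recentf-auto-save-timer) recentf-auto-save-timer) (cancel-timer recentf-auto-save-timer))`.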
diff --git a/iptables/iptables-http-full-f2b.fw b/iptables/iptables-http-full-f2b.fw
new file mode 100644
index 0000000..45db85a
--- /dev/null
+++ b/iptables/iptables-http-full-f2b.fw
@@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+:f2b-sshd - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A f2b-sshd -j RETURN
+COMMIT
diff --git a/iptables/iptables-http-full.fw b/iptables/iptables-http-full.fw
new file mode 100644
index 0000000..6b2a30b
--- /dev/null
+++ b/iptables/iptables-http-full.fw
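Review bot: `:FORWARD ACCEPT [0:0]` leaves the forward chain open; on a host that is not meant to route it costs nothing to set `:FORWARD DROP [0:0]`, and it stops the box from silently becoming a relay if `net.ipv4.ip_forward` is ever enabled by something like Docker. This is an IPv4-only ruleset and the commit ships no ip6tables counterpart, so if the host has a global IPv6 address the INPUT DROP policy presumably does not apply to it at all—either add a matching `ip6tables-restore` file or record the gap in iptables.md. The `[4414218:211789180]` counters are leftovers from `iptables-save` on a live machine; `iptables-restore` ignores them without `-c`, so zeroing them to `[0:0]` keeps the file clean. Restoring `-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd` with an empty `f2b-sshd` chain also discards whatever bans fail2ban currently holds, so fail2ban needs a restart (or `fail2ban-client reload`) after every `iptables-restore`, which is worth a comment in the file.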
@@ -0,0 +1,20 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p tcp -m tcp --sport 587 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+COMMIT
+
diff --git a/iptables/iptables-ssh-only.fw b/iptables/iptables-ssh-only.fw
new file mode 100644
index 0000000..42ec8dc
--- /dev/null
+++ b/iptables/iptables-ssh-only.fw
@@ -0,0 +1,14 @@
+*filter
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+
diff --git a/iptables/iptables.md b/iptables/iptables.md
new file mode 100644
index 0000000..85a508f
--- /dev/null
+++ b/iptables/iptables.md
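Review bot: The `--ctstate NEW,ESTABLISHED` qualifiers on the four per-port INPUT rules and all of the `--sport ... --ctstate ESTABLISHED` OUTPUT rules are dead weight: `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` already admits established traffic a few lines earlier, and the OUTPUT chain's policy is ACCEPT so nothing after the port-25 REJECT can ever be reached. Trimming each port rule to the form `-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT` and deleting the OUTPUT sport rules makes the intent—new connections only on these ports, everything outbound except SMTP—readable at a glance and removes the suggestion that outbound traffic is being filtered when it is not. The same `:FORWARD ACCEPT` and missing-IPv6 caveats as the fail2ban variant apply here.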
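Review bot: This profile exposes port 22 to every source with no throttling, and unlike the f2b variant nothing slows password guessing at the packet level. A two-rule `recent` match placed before the port-22 ACCEPT is a cheap baseline: `-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH` followed by `-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP`. If the intent is that sshd accepts keys only and throttling is deliberately left to the daemon, state that in iptables.md so the omission reads as a decision rather than an oversight.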
@@ -0,0 +1,16 @@
+# Configurations
+All configurations includes:
+* INPUT DROP
+* SSH port on 22.
+* SMTP port 25 as `--reject-with icmp-port-unreachable`
+
+- [ssh-only](iptables-ssh-only.fw) -> SSH
+- [http-full](iptables-http-full.fw) -> HTTP/ HTTPS/ SMTPS
+- [http-full-f2b](iptables-http-full-f2b.fw) -> HTTP/ HTTPS/ SMTPS/ fail2ban
+
+## Usage
+
+Simply:
+```bash
+iptables-restore < file.fw
+```
diff --git a/postgresql/etc/postgresql/pg_hba.conf b/postgresql/etc/postgresql/pg_hba.conf
new file mode 100644
index 0000000..6254116
--- /dev/null
+++ b/postgresql/etc/postgresql/pg_hba.conf
@@ -0,0 +1,99 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches. It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts. 
Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted. Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal. If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method. 
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all scram-sha-256
+# IPv4 local connections:
+host all all 127.0.0.1/32 scram-sha-256
+# IPv6 local connections:
+host all all ::1/128 scram-sha-256
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all peer
+host replication all 127.0.0.1/32 scram-sha-256
+host replication all ::1/128 scram-sha-256
diff --git a/postgresql/etc/postgresql/postgresql.conf b/postgresql/etc/postgresql/postgresql.conf
new file mode 100644
index 0000000..e9efbc1
--- /dev/null
+++ b/postgresql/etc/postgresql/postgresql.conf
@@ -0,0 +1,5 @@
+## OTHER CONFIG
+
+password_encryption = scram-sha-256
+
+## END CONFIG
diff --git a/prometheus/exporters/etc/default/prometheus-apache-exporter b/prometheus/exporters/etc/default/prometheus-apache-exporter
new file mode 100644
index 0000000..a8e2ad2
--- /dev/null
+++ b/prometheus/exporters/etc/default/prometheus-apache-exporter
@@ -0,0 +1 @@
+ARGS='--scrape_uri="http://127.0.0.1/server-status?auto"'
diff --git a/prometheus/exporters/etc/default/prometheus-nginx-exporter b/prometheus/exporters/etc/default/prometheus-nginx-exporter
new file mode 100644
index 0000000..3068016
--- /dev/null
+++ b/prometheus/exporters/etc/default/prometheus-nginx-exporter
@@ -0,0 +1 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:80/stub_status"
diff --git a/prometheus/exporters/etc/default/prometheus-postgresql-exporter b/prometheus/exporters/etc/default/prometheus-postgresql-exporter
new file mode 100644
index 0000000..afb72f4
--- /dev/null
+++ b/prometheus/exporters/etc/default/prometheus-postgresql-exporter
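Review bot: Switching `local all all` and both loopback `host all all` records to `scram-sha-256` locks out every role whose password was stored while `password_encryption` was still `md5`, because the scram method cannot verify an md5 hash; those roles need `ALTER ROLE ... PASSWORD '...'` re-run after `postgresql.conf` is changed, and that step is not mentioned anywhere in the commit. A comment above `local all all scram-sha-256` such as `# Requires password_encryption = scram-sha-256 AND passwords re-set after the switch; md5-stored passwords will not verify` would spare the next operator a lockout. `local all postgres peer` as the first entry is sound, but `local replication all peer` lets any OS user whose name matches a role holding REPLICATION stream WAL without a password—acceptable if such roles are tightly controlled, otherwise narrow it to a named replication role.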
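Review bot: `-nginx.scrape-uri http://127.0.0.1:80/stub_status` relies on an nginx `location /stub_status` that is restricted to loopback, but no nginx configuration ships in this commit, so the exposure of that endpoint is unspecified; an unrestricted `stub_status` leaks connection and request counters to anyone who can reach port 80. The file should at least state its dependency, e.g. `# requires an nginx location /stub_status { stub_status; allow 127.0.0.1; allow ::1; deny all; }`. The apache counterpart is covered by the loopback restriction in httpd-server-status.conf, so the two exporters are not symmetric as committed.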
@@ -0,0 +1,2 @@
+# peer mode
+DATA_SOURCE_NAME='host=/var/run/postgresql sslmode=disable'
diff --git a/prometheus/exporters/etc/systemd/system/prometheus-apache-exporter.service b/prometheus/exporters/etc/systemd/system/prometheus-apache-exporter.service
new file mode 100644
index 0000000..fbf05b1
--- /dev/null
+++ b/prometheus/exporters/etc/systemd/system/prometheus-apache-exporter.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Prometheus exporter for Apache
+Documentation=https://github.com/Lusitaniae/apache_exporter
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=root
+Group=root
+Type=simple
+EnvironmentFile=/etc/default/prometheus-apache-exporter
+ExecStart=/usr/bin/apache_exporter $ARGS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/prometheus/exporters/etc/systemd/system/prometheus-mysqld-exporter.service b/prometheus/exporters/etc/systemd/system/prometheus-mysqld-exporter.service
new file mode 100644
index 0000000..0b9436c
--- /dev/null
+++ b/prometheus/exporters/etc/systemd/system/prometheus-mysqld-exporter.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Prometheus exporter for MariaDB
+Documentation=https://github.com/prometheus/mysqld_exporter
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=root
+Group=root
+Type=simple
+EnvironmentFile=/etc/default/prometheus-mariadb-exporter
+ExecStart=/usr/bin/mysqld_exporter $ARGS
+
+[Install]
+WantedBy=multi-user.target
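Review bot: `DATA_SOURCE_NAME='host=/var/run/postgresql sslmode=disable'` names no user, so libpq connects as whichever OS account the exporter runs under, and the `# peer mode` comment expects pg_hba.conf to accept that via peer. The pg_hba.conf in this same commit only grants `peer` to the `postgres` role on `local all`; every other local user falls through to `scram-sha-256` and will be prompted for a password, so as written this only works if the exporter runs as the `postgres` OS user—a superuser role, far more than a metrics scraper needs—unless a line such as `local all postgres_exporter peer` is added (the exporter's own unit is not in the commit, so I am inferring the account). I'd document the dependency here with `# expects pg_hba.conf: local all <exporter-role> peer, plus an OS user of the same name` and grant that role only `pg_monitor`. `sslmode=disable` is appropriate for a Unix socket, but a short comment saying so would stop the value being copied into a TCP DSN later.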
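Review bot: `User=root` / `Group=root` run a process whose only job is an HTTP GET to `http://127.0.0.1/server-status?auto` and a metrics listener as root, which is far more privilege than it needs and turns any bug in the exporter into a root compromise. Use a dedicated account—`DynamicUser=yes` is the simplest, or a pre-created `User=prometheus`—and add the usual sandboxing directives; that is more than three lines, so the `[Service]` section is sketched below. The `Type=simple`, `EnvironmentFile=` and `ExecStart=` lines are fine and stay as they are.
```ini
# … unchanged: [Unit] section …
[Service]
DynamicUser=yes
Type=simple
EnvironmentFile=/etc/default/prometheus-apache-exporter
ExecStart=/usr/bin/apache_exporter $ARGS
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
# … unchanged: [Install] section …
```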
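Review bot: `EnvironmentFile=/etc/default/prometheus-mariadb-exporter` matches neither the unit's own name (`prometheus-mysqld-exporter.service`) nor the `prometheus-<name>-exporter` pattern used by the other defaults files in this commit, so whichever name the defaults file ends up with, one side will fail at start with a missing EnvironmentFile; I'd align it as `EnvironmentFile=/etc/default/prometheus-mysqld-exporter`. As with the apache unit, `User=root` is unnecessary—the exporter needs only a MariaDB account with `PROCESS, REPLICATION CLIENT, SELECT` and its listening port—so `DynamicUser=yes` or a dedicated user plus `NoNewPrivileges=true` and `ProtectSystem=strict` is the least-privilege shape. Because the defaults file will presumably carry `DATA_SOURCE_NAME` with the database password (no such file is in the commit, so this is inferred from the mysqld_exporter convention), it should be mode 0640, owned by root with the service's group, and that expectation belongs in a comment next to `EnvironmentFile=`.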