


0e6b8eb810 change sshd_config 2022-02-28 20:41:57 +01:00
44e8da2c7f Merge pull request 'merge from master' (#1) from Unitoo/dot-files:master into master
Reviewed-on: #1
2022-02-22 10:44:14 +01:00
e3b23120ca Merge pull request 'Add certbot service/timer + synapse grafan dashboard' (#10) from yamabiiko/dot-files:master into master
Reviewed-on: Unitoo/dot-files#10
2021-11-05 12:11:08 +01:00
304ba5ca0b feat: adding certbot renewal service and timer 2021-11-05 10:49:28 +01:00
43a480b032 Merge pull request 'add print formats for erpnext' (#9) from claudiomaradonna/dot-files:master into master
Reviewed-on: Unitoo/dot-files#9
2021-10-09 14:56:55 +02:00
ff89f858e9 Merge remote-tracking branch 'unitoo/master' 2021-10-09 14:56:40 +02:00
aa65822cc8 add print formats for erpnext 2021-10-09 14:51:40 +02:00
889c38c944 feat: add synapse grafana dashboard 2021-09-12 10:39:22 +02:00
0c4c8d0ad7 Merge pull request 'fix: give warning for some grub options' (#7) from yamabiiko/dot-files:master into master
Reviewed-on: Unitoo/dot-files#7
2021-09-11 12:52:07 +02:00
a70c5cdc4f fix: give warning for some grub options 2021-09-05 09:39:23 +02:00
a5db3ed3fc Add pamd, grub security options, update modprobe (#6) 2021-08-26 23:14:38 +02:00
dddf1a381c feat: add pam.d restricting su binary, add more modules to be disabled, add grub commandline options for security 2021-08-26 22:32:11 +02:00
81aac6d6bd Merge pull request 'Add hardening/security related confs' (#5) from yamabiko/dot-files:master into master
Reviewed-on: Unitoo/dot-files#5
2021-08-24 11:41:23 +02:00
91f34f9b87 Merge pull request 'feat: add emacs.service for Emacs server' (#4) from yamabiko/dot-files:master into master
Reviewed-on: Unitoo/dot-files#4
2021-08-20 16:52:28 +02:00
17 changed files with 11354 additions and 29 deletions


@@ -0,0 +1,82 @@
.print-format {
font-size: 12px;
background: white;
}
.print-heading {
border-bottom: none;
padding-bottom: 5px;
margin-bottom: 10px;
}
.print-format .letter-head {
margin-bottom: 30px;
}
.print-format label {
font-weight: normal;
font-size: 13px;
color: #4C5A67;
margin-bottom: 0;
}
.print-format .data-field {
margin-top: 0;
margin-bottom: 0;
}
.print-format .value {
color: #192734;
line-height: 1.8;
}
.print-format .section-break:not(:last-child) {
margin-bottom: 0;
}
.print-format .row:not(.section-break) {
line-height: 1.6;
margin-top: 15px !important;
}
.print-format .important .value {
font-size: 13px;
font-weight: 600;
}
.print-format th {
color: #74808b;
font-weight: normal;
border-bottom-width: 1px !important;
}
.print-format .table-bordered td, .print-format .table-bordered th {
border: 1px solid #f4f5f6;
}
.print-format .table-bordered {
border: 1px solid #f4f5f6;
}
.print-format .table-bordered thead {
text-transform: uppercase;
font-size: 8px;
}
.print-format .table-sr {
display: none;
}
.print-format td, .print-format th {
padding: 5px 10px !important;
}
.print-format .primary.compact-item {
font-weight: normal;
}
.print-format table td .value {
font-size: 12px;
line-height: 1.8;
}


@@ -0,0 +1,164 @@
<!-- HEADING SECTION -->
<div class="print-heading row">
<div class="col-xs-4">
<a href=""> <img src="" alt="logo" style="font-family: 'Oxygen', 'Helvetica Neue', 'Arial', 'sans-serif' !important;max-width: 600px;outline: none;text-decoration: none;-ms-interpolation-mode: bicubic;border: none;"></a>
</div>
<div class="col-xs-8 text-right">
{% set u_company = frappe.get_doc('Company', doc.company) %}
{% set links = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Company', 'link_name': doc.company, 'parenttype': 'Address'}, fields=['parent']) %}
<div class="strong">{{ doc.company }}</div>
{% if links %}
<div>
{{frappe.db.get_value("Address", links[0].parent, "address_line1")}} -
{{frappe.db.get_value("Address", links[0].parent, "pincode")}} -
{{frappe.db.get_value("Address", links[0].parent, "city")}}
{% set province = frappe.db.get_value("Address", links[0].parent, "state") %}
{% if province %}
({{ province }})
{% endif %}
</div>
{% endif %}
VAT: {{ u_company.tax_id }} - F.C.: {{ u_company.fiscal_code }}
<br>
<div class="h5"><strong>QUOTATION</strong> nr. <strong>{{ doc.name }}</strong> of <strong>{{ frappe.utils.formatdate(doc.get('transaction_date'),"dd-mm-yyyy") }}</strong></div>
</div>
</div>
<hr>
<!-- END SECTION -->
<!-- SECTION 2 COLUMNS -->
<!-- FIRST COLUMN -->
{% set customer = frappe.get_list('Customer', filters = { 'customer_name': doc.customer_name}, fields = ['tax_id', 'fiscal_code']) %}
{% set contacts = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Customer', 'link_name': doc.customer_name, 'parenttype': 'Contact'}, fields=['parent']) %}
{% if customer %}
<div><strong>VAT</strong> {{ customer[0].tax_id }}</div>
<div><strong>F.C.</strong> {{ customer[0].fiscal_code }}</div>
{% endif %}
{% if contacts %}
<div>
<strong>EMAIL </strong>
{% set break = false %}
{% for contact_id in contacts if not break %}
{% set contact = frappe.get_doc('Contact', contact_id.parent) %}
{% if contact.is_billing_contact %}
{{ contact.email_id }}
{% set break = true %}
{% endif %}
{% endfor %}
</div>
{% endif %}
<!-- SECOND COLUMN -->
<div><small>RECIPIENT</small></div>
<div><strong>{{ doc.customer_name }}</strong></div>
{% set links = frappe.get_all('Dynamic Link', filters={'link_doctype': 'Customer', 'link_name': doc.customer_name, 'parenttype': 'Address'}, fields=['parent']) %}
{% if links %}
<div>
{{frappe.db.get_value("Address", links[0].parent, "address_line1")}}
</div>
<div>
{{frappe.db.get_value("Address", links[0].parent, "state_code")}} {{frappe.db.get_value("Address", links[0].parent, "city")}} ({{ frappe.db.get_value("Address", links[0].parent, "state") }})
</div>
<div>
{{frappe.db.get_value("Address", links[0].parent, "country")}}
</div>
{% endif %}
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<!-- ADD ITEMS (TABLE): Description, Amount, Tax Amount -->
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<div><small>PAYMENT TERMS</small></div>
{% set bank_account = frappe.get_doc('Bank Account', 'BANK NAME') %}
{% if bank_account %}
<div>IBAN: <strong>{{ bank_account.iban }}</strong></div>
<div>Holder: <strong>{{ bank_account.company }}</strong></div>
<div>Bank: <strong>{{ bank_account.bank }}</strong></div>
{% endif %}
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
{% set quotation_items = doc.items %}
{% set total_without_stamp = [] %}
{% set stamp = [0] %}
{% for item in quotation_items %}
{% if item.item_name != 'MARCADABOLLO' %}
{% set __ = total_without_stamp.append(item.base_amount) %}
{% else %}
{% set __ = stamp.append(1) %}
{% endif %}
{% endfor %}
{% set total = ("€ %.2f"|format(total_without_stamp|sum)).replace('.', ',') %}
<div class="row" style="margin-top: 0">
<div class="col-xs-7" style="border-right: 1px solid #ddd;">
<table class="table table-borderless table-condensed">
<thead>
<tr>
<th>VAT Summary</th>
<th class="text-right" width=100>Taxable</th>
<th class="text-right" width=75>Taxes</th>
</tr>
</thead>
<tbody>
<tr>
<td>
0% - <span class="font-italic">Operazione non soggetta a IVA ai sensi dell'art. 1, commi 54-89, Legge n. 190/2014 e succ. modifiche/ integrazioni</span>
</td>
<td class="text-right">{{ total }}</td>
<td class="text-right">€ 0,00</td>
</tr>
{% if (stamp|sum) > 0 %}
<tr>
<td>0% - <span class="font-italic">Escluso Art. 15</span></td>
<td class="text-right">2,00</td>
<td class="text-right">€ 0,00</td>
</tr>
{% endif %}
</tbody>
</table>
</div>
<div class="col-xs-5 text-right">
<div>Taxable {{ total }}</div>
{% if (stamp|sum) > 0 %}
<div>Not taxable € 2,00</div>
{% endif %}
<h1>{{ ("€ %.2f"|format(doc.grand_total)).replace('.', ',') }}</h1>
</div>
</div>
<hr>
<!-- END SECTION -->
<!-- SECTION 1 COLUMN -->
<div class="col-xs-12">
{% if not no_letterhead and footer %}
{{ footer }}
{% endif %}
</div>
<!-- END SECTION -->
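Review bot: The printed totals can drift away from the document: the "2,00" cell on L222 and "Not taxable € 2,00" on L232 are hard-coded, while `total` is summed from the items and the big figure on L234 comes from `doc.grand_total`, so a MARCADABOLLO item priced at anything other than 2.00 (or present twice) prints a breakdown that no longer reconciles with the grand total — collect `item.base_amount` for the stamp rows instead of appending `1` to `stamp`, and match on `item.item_code` rather than the display name. The customer lookup on L137 filters `Customer` by `customer_name` instead of the link field `doc.customer`, so two customers sharing a display name would print each other's VAT/fiscal code; the Dynamic Link filters on L138 and L159 have the same weakness. `frappe.get_doc('Bank Account', 'BANK NAME')` on L181 is an unfilled placeholder, and get_doc presumably raises rather than returning None when the record is missing, so the `{% if bank_account %}` guard never fires — test with `frappe.db.exists('Bank Account', ...)` first. The empty `href=""`/`src=""` on L111 also look like placeholders left in.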


@@ -0,0 +1,6 @@
[Unit]
Description=Automatically renews SSL certificates obtained with certbot
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew -q --post-hook /usr/local/bin/certbot-restart-nginx
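Review bot: The unit has no ordering relative to the network, so when the companion timer's `Persistent=true` replays a missed run right after boot, `certbot renew` can run before name resolution is up and, because of `-q`, fail quietly until the next daily attempt; add `After=network-online.target` and `Wants=network-online.target` to `[Unit]`. The `--post-hook` also fires whenever a renewal is attempted, not only when one succeeds, so nginx is restarted even after a failed renewal — `--deploy-hook` limits the hook to successful renewals if that is the intent. The hook path `/usr/local/bin/certbot-restart-nginx` runs as root, so keep that script root-owned and not group/world-writable.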


@@ -0,0 +1,10 @@
[Unit]
Description=This is the timer schedule Automatic renewals of SSL certificates obtained with certbot
[Timer]
OnCalendar=daily
RandomizedDelaySec=6hours
Persistent=true
[Install]
WantedBy=timers.target
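Review bot: The `Description=` on L260 is an incomplete sentence and is what `systemctl list-timers` will display; `Description=Daily timer for renewing certbot certificates` says the same thing cleanly. With `OnCalendar=daily` plus `RandomizedDelaySec=6hours` the run lands anywhere between 00:00 and 06:00 local time, which is worth a one-line comment since the service's post-hook restarts nginx at that moment.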


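--- a/grub/grub
+++ b/grub/grub
@@ -0,0 +1,9 @@
+# These rules are not meant to be copied and pasted as there will
+# likely be other options enabled on your machine.
+# Instead add them to the already existing ones in your /etc/default/grub
+#
+# NOTE: remove ipv6 disable at the end if needed
+# NOTE: remove module.sig_enforce=1 and lockdown=confidentiality on some systems to enable loading
+# of wireguard module
+GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"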
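Review bot: `oops=panic` without a `panic=<seconds>` leaves a headless machine sitting at the panic until someone power-cycles it, and `loglevel=0` hides even the emergency console message that would say why; add `panic=10` (or similar) and consider `loglevel=1` so a serial/IPMI console still records the reason. Note that the sysctl file in this same change sets `kernel.kexec_load_disabled=1`, which also rules out kdump, so a panic will leave no trace at all unless pstore is configured. `lockdown=confidentiality` and `module.sig_enforce=1` block every unsigned or out-of-tree module (DKMS drivers such as nvidia/virtualbox), not only WireGuard, which has been in-tree since 5.6, so the L280/L281 comment could be generalised to `# NOTE: module.sig_enforce=1 and lockdown=confidentiality block all unsigned/out-of-tree (DKMS) modules`. `debugfs=off` is only understood by fairly recent kernels; an unknown parameter is silently passed on to init, so verify with `mount | grep debugfs` after boot.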


@@ -0,0 +1,6 @@
# Disable only if not used
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true
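Review bot: `install … /bin/true` makes `modprobe cifs` exit 0 without loading anything, so a later `mount -t cifs` fails with a confusing error instead of a clear "module blocked", and the other files in this set (including the network list updated in this same change) use `/bin/false`; switch these five lines to `/bin/false` for consistency and a visible failure. Also, `install` lines only affect loading through modprobe — a module already resident when the file is dropped in stays loaded until `rmmod` or reboot — and if the goal includes disabling NFS serving, `nfsd` and `lockd` are separate modules not covered here.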


@@ -0,0 +1,7 @@
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
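Review bot: `install squashfs /bin/false` on L302 breaks snap packages, most live/rescue images and tooling that mounts squashfs images, and `udf` (L303) is needed for DVD/Blu-ray media and some ISO files, so this list deserves the same "Disable only if not used" caveat the NFS/CIFS file carries; e.g. `# squashfs is required by snapd (Ubuntu); drop that line on hosts using snaps`. As with the other modprobe files, these lines do not unload a module that is already resident, so check `lsmod` after applying.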


@@ -1,4 +1,19 @@
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
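Review bot: Moving from `/bin/true` to `/bin/false` is the right call, but two of the new entries need a caveat: `sctp` (L313) is required by some workloads (Kubernetes SCTP services, telecom stacks) and `can`/`atm` (L329/L330) are subsystem cores whose absence also blocks every driver built on them, so a `# verify with lsmod before deploying` note would help. Several names — `econet`, `decnet`, `ipx` — have been dropped from mainline kernels over the years; the lines are harmless but stale and could be flagged as such in a comment. Note also that `install` lines only stop future autoloads; a module already loaded at boot stays resident until `rmmod` or reboot.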


@@ -0,0 +1 @@
install vivid /bin/false


@@ -0,0 +1,13 @@
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
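Review bot: The comment on L343 still says "Uncomment the following line to require a user to be in the wheel group" although L344 is already active, which makes the restriction read as optional; replace it with `# Require the caller (real uid, because of use_uid) to be in the "wheel" group.`. Since `pam_rootok.so` is `sufficient` on L342 and comes first, root can still su to any account without a password — that is the intended exception and worth one line of comment so nobody "fixes" the ordering. pam_wheel only governs `su`; `sudo -i`, `sudo su` and `machinectl shell` are controlled by their own policies, so this file is only as strong as those.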


@@ -0,0 +1,7 @@
#%PAM-1.0
auth include su
account include su
password include su
session optional pam_keyinit.so force revoke
session include su
auth required pam_wheel.so use_uid
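Review bot: The `auth required pam_wheel.so use_uid` appended on L363 is redundant: `auth include su` on L358 already pulls in the identical line from the `su` stack, so wheel membership is checked twice, and because it sits after the include it runs only once the included stack has already reached its verdict. Drop L363 and keep the policy in one place, or, if `su -l` is meant to be restricted independently of `su`, put the line before the `include` with a comment saying why.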

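--- a/pam/etc/pam.d/ubuntu/su
+++ b/pam/etc/pam.d/ubuntu/su
@@ -0,0 +1,59 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+auth required pam_wheel.so
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session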
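Review bot: `auth required pam_wheel.so` on L382 is now active but kept its "Uncomment this to force users…" commentary, and on Debian/Ubuntu, where no `wheel` group exists, pam_wheel falls back to the group of gid 0 — `root` — so every administrator must be added to group `root` to keep `su` working, which also hands them read access to everything that group owns; `auth required pam_wheel.so use_uid group=sudo` ties `su` to the existing admin group instead. `use_uid` matters on its own: without it pam_wheel identifies the caller through the tty owner, which is absent in non-tty contexts and weaker than the real uid the Fedora variant in this same change uses. Update the comment block to state that the line is mandatory and which group is required.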


@@ -0,0 +1,7 @@
#%PAM-1.0
auth include su
account include su
password include su
session optional pam_keyinit.so force revoke
session include su
auth required pam_wheel.so
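Review bot: The `auth required pam_wheel.so` on L430 duplicates the check already inherited through `auth include su` on L425 (the included file sets the same line), and unlike that one it runs only after the included stack has reached its verdict, so it changes nothing; remove it, or if `su -l` is meant to differ from `su`, place it before the include with a comment. Whatever is kept should match the group/`use_uid` choice made in the `su` file so the two paths do not drift apart.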


@@ -1,27 +1,52 @@
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Protocol 2 # Protocol 1 is fundamentally broken
StrictModes yes # Protects from misconfiguration
SyslogFacility AUTHPRIV
#ListenAddress [ip-here] # Listening address
Port 22 # Listening port. Normal 22
AllowGroups sshlogin
PermitRootLogin WITHOUT-PASSWORD
PubkeyAuthentication yes
AuthenticationMethods publickey # Only public key authentication allowed
AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes
MaxSessions 4
MaxAuthTries 4
ClientAliveCountMax 2
LogLevel VERBOSE
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
PrintMotd no
X11Forwarding no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/lib/openssh/sftp-server
PubkeyAuthentication yes # Allow public key authentication
HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts
KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed
MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg.
#Only allow incoming ECDSA and ed25519 sessions:
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login
#AllowUsers [username] # Authorized SSH users are inside the admin group
MaxAuthTries 5 # Maximum allowed authentication attempts
MaxSessions 2 # Maximum allowed sessions by the user
PasswordAuthentication no # No username password authentication
PermitEmptyPasswords no # No empty password authentcation allowed
IgnoreRhosts yes # Dont read users rhost files
HostbasedAuthentication no # Disable host-based authentication
ChallengeResponseAuthentication no # Unused authentication scheme
X11Forwarding no # Disable X11 forwarding
LogLevel VERBOSE # Fingerprint details of failed login attempts
SyslogFacility AUTH # Logging authentication and authorization related commands
UseDNS no # Client from a location without proper DNS generate a warning in the logs
PermitTunnel no # Only SSH connection and nothing else
AllowTcpForwarding no # Disablow tunneling out via SSH
AllowStreamLocalForwarding no # Disablow tunneling out via SSH
GatewayPorts no # Disablow tunneling out via SSH
AllowAgentForwarding no # Do not allow agent forwarding
#Banner /etc/issue.net # Show legal login banner
PrintLastLog yes # Show last login
ClientAliveInterval 900 # Client timeout (15 minutes)
ClientAliveCountMax 0 # This way enforces timeouts on the server side
LoginGraceTime 30 # Authenticatin must happen within 30 seconds
MaxStartups 2 # Max concurrent SSH sessions
TCPKeepAlive yes # Do not use TCP keep-alive
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
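Review bot: `MaxStartups 2` on L497 is not the "max concurrent SSH sessions" the comment says but the number of concurrent *unauthenticated* connections, so two stalled pre-auth connections (each allowed 30 s by `LoginGraceTime`) lock every other client out; keep the default `MaxStartups 10:30:100` and let `MaxSessions` bound per-connection sessions. `ClientAliveInterval 900` with `ClientAliveCountMax 0` (L494–L495) does not enforce the idle timeout its comment promises: since OpenSSH 8.2 a count of 0 disables connection termination entirely, and in any release the keep-alive probes are answered by the ssh client itself, so an idle but connected user is never dropped — use `ClientAliveCountMax 3` for dead-link detection and a shell `TMOUT` for idle users. `TCPKeepAlive yes` on L498 contradicts its own comment, and `HostKey … # Only allow ECDSA pubic key authentication` on L465 describes a different directive (it loads the ed25519 host key). The rewrite also drops `AllowGroups sshlogin`, `AuthenticationMethods publickey` and `UsePAM yes`; without `UsePAM`, PAM account checks (expiry, locked accounts, pam_limits) presumably no longer run for key-based logins, so re-adding `UsePAM yes` and an `AllowGroups` allow-list is worth considering. Finally, trailing `# …` comments on directive lines are only accepted by recent OpenSSH releases (older sshd aborts with "garbage at end of line"), so run `sshd -t` before restarting.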


@@ -23,18 +23,35 @@ net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.perf_event_paranoid=2
kernel.yama.ptrace_scope=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
# Uncomment do disable ipv6
#net.ipv6.conf.all.disable_ipv6=1
#net.ipv6.conf.default.disable_ipv6=1
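Review bot: `net.ipv4.tcp_sack=0`, `tcp_dsack=0` and `tcp_fack=0` (L512–L514) switch off selective acknowledgement for every connection; the 2019 SACK-panic bugs this presumably guards against have long been fixed in the kernel, and disabling SACK measurably hurts throughput on lossy paths, so these three lines should go. `vm.mmap_rnd_bits=32` (L530) is the x86_64 maximum and the valid range is architecture-dependent, so `sysctl --system` will log an error on other platforms — note that in a comment or guard it per-arch. `kernel.yama.ptrace_scope=2` (L529) blocks all non-root ptrace, including `gdb`/`strace` on a user's own processes; `1` is the usual hardening choice unless debugging is never expected on this host. `kernel.kexec_load_disabled=1` (L527) is one-way until reboot and also disables kdump, which matters because the grub file in this change sets `oops=panic`; `net.ipv4.conf.all.rp_filter=1` (L508) is strict mode and silently drops asymmetrically routed traffic on multi-homed hosts, where `2` is the safer value.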


@@ -0,0 +1,5 @@
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
nginx -tq && systemctl restart nginx
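Review bot: `systemctl restart nginx` on L541 drops every in-flight connection each time the post-hook fires; `systemctl reload nginx` makes the master re-read the config and spawn new workers with the new certificate without interrupting traffic, which is all a certificate rotation needs. The `nginx -tq &&` guard is good — it prevents reloading into a broken config — but since certbot runs with `-q`, a failed test should say so: `nginx -tq && systemctl reload nginx || { echo 'nginx config test failed; not reloading' >&2; exit 1; }`. Because this script is executed as root by certbot, keep it root-owned with no group/world write bits.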