diff --git a/DEPLOYMENT-NOTES b/DEPLOYMENT-NOTES index 0a5818a..8a94d77 100644 --- a/DEPLOYMENT-NOTES +++ b/DEPLOYMENT-NOTES @@ -5,6 +5,20 @@ General: - Every service needs to be started and enabled manually via openrc (custom services end in .redxen) ifupdown-ng: + - Public networks should be configured manually since RAs aren't usually configured + ``` HETZNER EXAMPLE + auto eth0 + iface eth0 inet static + address + netmask 255.255.255.255 + gateway 172.31.1.1 + pointopoint 172.31.1.1 + + iface eth0 inet6 static + address + netmask 64 + gateway fe80::1 + ``` - Private networks need this workaround for routing to work properly ``` auto eth1 @@ -31,3 +45,6 @@ OpenSSH SFTP Chroot (part of seedbox): Pleroma: - Migration might be needed between upgrades (/pleroma/bin/pleroma_ctl migrate) + +NGINX: + - It has to be added to the groups for the /http contents diff --git a/data-packages/data-redxen-haproxy-errorpages/APKBUILD b/data-packages/data-redxen-haproxy-errorpages/APKBUILD index 992fd0a..0b12f5e 100644 --- a/data-packages/data-redxen-haproxy-errorpages/APKBUILD +++ b/data-packages/data-redxen-haproxy-errorpages/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=data-redxen-haproxy-errorpages -pkgver=1 +pkgver=2020.10.12 pkgrel=0 _commit="d2eafb66f5d082f0d492e21cc07bb6636767ff7c" pkgdesc="Errorpages for HAProxy" diff --git a/data-packages/data-redxen-homepage/APKBUILD b/data-packages/data-redxen-homepage/APKBUILD index bcd3a28..63bbee2 100644 --- a/data-packages/data-redxen-homepage/APKBUILD +++ b/data-packages/data-redxen-homepage/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=data-redxen-homepage -pkgver=6 +pkgver=2020.10.12 pkgrel=0 _commit="ccffc104aeb298b8192b6d3174d4f8d9cccd3f3c" pkgdesc="Homepage files" diff --git a/lxc-configs/pleroma-redxen-lxc/APKBUILD b/lxc-configs/pleroma-redxen-lxc/APKBUILD index 0f0ac2c..4996c09 100644 --- a/lxc-configs/pleroma-redxen-lxc/APKBUILD 
+++ b/lxc-configs/pleroma-redxen-lxc/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=pleroma-redxen-lxc -pkgver=1 +pkgver=2020.10.12 pkgrel=0 pkgdesc="Pleroma LXC configuration files" url="https://git.redxen.eu/RedXen" diff --git a/openrc-configs/darkhttpd-redxen-openrc/APKBUILD b/openrc-configs/darkhttpd-redxen-openrc/APKBUILD index 7dfd33e..30eabb5 100644 --- a/openrc-configs/darkhttpd-redxen-openrc/APKBUILD +++ b/openrc-configs/darkhttpd-redxen-openrc/APKBUILD @@ -1,13 +1,13 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=darkhttpd-redxen-openrc -pkgver=2020.12.7 -pkgrel=1 +pkgver=2020.12.10 +pkgrel=2 pkgdesc="DarkHTTPD service files" url="https://git.redxen.eu/RedXen" arch="noarch" license="none" -depends="openrc" +depends="openrc darkhttpd" options="!check" source=" runfile @@ -21,4 +21,4 @@ package() { } sha512sums="dd792892588e03cef4a36bb8e81297990884298d8a2bc1c14ae2d8986a0a17af8d15bf3fb4e1830d22b154dc00591d884e20da915f51fd8ecf3b05b6c92dc7d4 runfile -094af8b7d1707ec9e85a614821262685dbdfc96538da6449970c231c3b8ecc0d9ac80002ed945d93c3a161321c9d85e51d5ef0ad44a03aaee547956a6bdad95b conffile" +33e9e16a4565ba821ca53615145465a6bc2d4d659c267ca5fb2dbbdaf24965d5474ef2b751b3e92f95f23dd19834351449494de4f40a1befd7114c4d11a4b281 conffile" diff --git a/openrc-configs/darkhttpd-redxen-openrc/conffile b/openrc-configs/darkhttpd-redxen-openrc/conffile index a648c49..d88bb2b 100644 --- a/openrc-configs/darkhttpd-redxen-openrc/conffile +++ b/openrc-configs/darkhttpd-redxen-openrc/conffile @@ -1,12 +1,11 @@ # darkhttpd web server config document_root="/http" -logdir="/var/log/\$SVCNAME" -addr=0.0.0.0 +logdir="/var/log/$SVCNAME" port=7574 run_as_user=darkhttpd run_as_group=www-data run_in_chroot=yes # extra arguments -# darkhttpd_args="" +darkhttpd_args="--ipv6" diff --git a/openrc-configs/dovecot-redxen-openrc/APKBUILD b/openrc-configs/dovecot-redxen-openrc/APKBUILD new file mode 100644 index 0000000..555aef5 --- /dev/null 
+++ b/openrc-configs/dovecot-redxen-openrc/APKBUILD
@@ -0,0 +1,21 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=dovecot-redxen-openrc
+pkgver=2020.12.7
+pkgrel=1
+pkgdesc="Dovecot OpenRC service files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="openrc dovecot-openrc dovecot-redxen-config"
+options="!check"
+source="
+ conffile
+"
+builddir="$srcdir"
+
+package() {
+ mkdir -p "$pkgdir"/etc/init.d
+ ln -s dovecot "$pkgdir"/etc/init.d/dovecot.redxen
+ install -Dm644 conffile "$pkgdir"/etc/conf.d/dovecot.redxen
+}
diff --git a/openrc-configs/lighttpd-redxen-openrc/APKBUILD b/openrc-configs/lighttpd-redxen-openrc/APKBUILD
new file mode 100644
index 0000000..5f06539
--- /dev/null
+++ b/openrc-configs/lighttpd-redxen-openrc/APKBUILD
@@ -0,0 +1,23 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=lighttpd-redxen-openrc
+pkgver=2020.12.11
+pkgrel=0
+pkgdesc="LigHTTPd service files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="openrc lighttpd-openrc lighttpd-redxen-config"
+options="!check"
+source="
+ conffile
+"
+builddir="$srcdir"
+
+package() {
+ mkdir -p "$pkgdir"/etc/init.d
+ ln -s lighttpd "$pkgdir"/etc/init.d/lighttpd.redxen
+ install -Dm644 conffile "$pkgdir"/etc/conf.d/lighttpd.redxen
+}
+
+sha512sums="6a618a3d00df5cfc5e31b2f5f66edfbde4d6514c04df51f89162a42b8f1ad3ef3d06827a4cd46bee54e8ba91316354b510c49ebd873fb727e96b1c756895df7b conffile"
diff --git a/openrc-configs/lighttpd-redxen-openrc/conffile b/openrc-configs/lighttpd-redxen-openrc/conffile
new file mode 100644
index 0000000..74bfa41
--- /dev/null
+++ b/openrc-configs/lighttpd-redxen-openrc/conffile
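Review bot: The new dovecot-redxen-openrc APKBUILD lists `conffile` in `source` but ends at `package()` with no `sha512sums`, unlike the lighttpd, nginx and postfix packages added alongside it, so the installed conf.d file is not pinned to a known digest. No `openrc-configs/dovecot-redxen-openrc/conffile` appears in the visible part of this diff either, so the build may have nothing to install. Add the file if it is missing and append the line produced by `abuild checksum`, in the form `sha512sums="<sha512-of-conffile>  conffile"`.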
@@ -0,0 +1,12 @@ +# /etc/conf.d/lighttpd + +# Location of a shell used by the 'include_shell' directive +# in the lighttpd's configuration file +#export SHELL="/bin/bash" + +# Location of the lighttpd configuration file +LIGHTTPD_CONF="/etc/lighttpd/redxen/main.conf" + +# Location of the lighttpd pid file +LIGHTTPD_PID="/run/lighttpd.pid" + diff --git a/openrc-configs/murmur-redxen-openrc/APKBUILD b/openrc-configs/murmur-redxen-openrc/APKBUILD index bb1e073..9299b8f 100644 --- a/openrc-configs/murmur-redxen-openrc/APKBUILD +++ b/openrc-configs/murmur-redxen-openrc/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=murmur-redxen-openrc -pkgver=2020.12.7 -pkgrel=1 +pkgver=2020.12.12 +pkgrel=0 pkgdesc="Murmur OpenRC service files" url="https://git.redxen.eu/RedXen" arch="noarch" diff --git a/openrc-configs/nginx-redxen-openrc/APKBUILD b/openrc-configs/nginx-redxen-openrc/APKBUILD new file mode 100644 index 0000000..ea2ff49 --- /dev/null +++ b/openrc-configs/nginx-redxen-openrc/APKBUILD @@ -0,0 +1,23 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=nginx-redxen-openrc +pkgver=2020.12.11 +pkgrel=0 +pkgdesc="NGINX service files" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="openrc nginx-openrc nginx-redxen-config" +options="!check" +source=" + conffile +" +builddir="$srcdir" + +package() { + mkdir -p "$pkgdir"/etc/init.d + ln -s nginx "$pkgdir"/etc/init.d/nginx.redxen + install -Dm644 conffile "$pkgdir"/etc/conf.d/nginx.redxen +} + +sha512sums="41b11e1be914b9a3c87fb1e98016ddd70e4fd5c6f80205f011cda44f5ca00359f14bdb40fc7225f8502ac6cd99e18578ae81ea4970fb53bd9b22403248b2d353 conffile" diff --git a/openrc-configs/nginx-redxen-openrc/conffile b/openrc-configs/nginx-redxen-openrc/conffile new file mode 100644 index 0000000..f3dbe39 --- /dev/null +++ b/openrc-configs/nginx-redxen-openrc/conffile @@ -0,0 +1 @@ +cfgfile="/etc/nginx/redxen.conf" 
diff --git a/openrc-configs/postfix-redxen-openrc/APKBUILD b/openrc-configs/postfix-redxen-openrc/APKBUILD new file mode 100644 index 0000000..e72461c --- /dev/null +++ b/openrc-configs/postfix-redxen-openrc/APKBUILD @@ -0,0 +1,22 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=postfix-redxen-openrc +pkgver=2020.12.10 +pkgrel=0 +pkgdesc="Postfix OpenRC service files" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="openrc postfix-openrc postfix-redxen-config" +options="!check" +source=" + conffile +" +builddir="$srcdir" + +package() { + mkdir -p "$pkgdir"/etc/init.d + ln -s postfix "$pkgdir"/etc/init.d/postfix.redxen + install -Dm644 conffile "$pkgdir"/etc/conf.d/postfix.redxen +} +sha512sums="cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e conffile" diff --git a/openrc-configs/postfix-redxen-openrc/conffile b/openrc-configs/postfix-redxen-openrc/conffile new file mode 100644 index 0000000..e69de29 diff --git a/openrc-configs/postgresql-redxen-openrc/APKBUILD b/openrc-configs/postgresql-redxen-openrc/APKBUILD index 0dee86a..9980c80 100644 --- a/openrc-configs/postgresql-redxen-openrc/APKBUILD +++ b/openrc-configs/postgresql-redxen-openrc/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=postgresql-redxen-openrc -pkgver=2020.12.07 -pkgrel=1 +pkgver=2020.12.7 +pkgrel=0 pkgdesc="PostgreSQL service files" url="https://git.redxen.eu/RedXen" arch="noarch" diff --git a/openrc-configs/rspamd-redxen-openrc/APKBUILD b/openrc-configs/rspamd-redxen-openrc/APKBUILD new file mode 100644 index 0000000..19d7a1f --- /dev/null +++ b/openrc-configs/rspamd-redxen-openrc/APKBUILD 
@@ -0,0 +1,22 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=unbound-redxen-openrc +pkgver=2020.12.7 +pkgrel=1 +pkgdesc="Unbound OpenRC service files" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="openrc unbound-openrc unbound-redxen-config" +options="!check" +source=" + conffile +" +builddir="$srcdir" + +package() { + mkdir -p "$pkgdir"/etc/init.d + ln -s unbound "$pkgdir"/etc/init.d/unbound.redxen + install -Dm644 conffile "$pkgdir"/etc/conf.d/unbound.redxen +} +sha512sums="27434e5134d39b74de08938b31a4b4b1672c058b0f48e9cbf3b03df6c890c476e664853b1b5e9173b04ec6859f36446d2a2bf0bfabcb4ed630f826db122ca07b conffile" diff --git a/openrc-configs/rspamd-redxen-openrc/conffile b/openrc-configs/rspamd-redxen-openrc/conffile new file mode 100644 index 0000000..364aab9 --- /dev/null +++ b/openrc-configs/rspamd-redxen-openrc/conffile @@ -0,0 +1,3 @@ +# Configuration file to start with +cfgfile="/etc/unbound/main.conf" +command_args="-c $cfgfile" diff --git a/openrc-configs/telegraf-redxen-openrc/APKBUILD b/openrc-configs/telegraf-redxen-openrc/APKBUILD index 682e351..281980d 100644 --- a/openrc-configs/telegraf-redxen-openrc/APKBUILD +++ b/openrc-configs/telegraf-redxen-openrc/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=telegraf-redxen-openrc -pkgver=2020.12.7 -pkgrel=1 +pkgver=2020.12.10 +pkgrel=0 pkgdesc="Telegraf service files" url="https://git.redxen.eu/RedXen" arch="noarch" 
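Review bot: The APKBUILD added under `openrc-configs/rspamd-redxen-openrc/` declares `pkgname=unbound-redxen-openrc`, depends on `unbound-openrc unbound-redxen-config` and installs `/etc/init.d/unbound.redxen`, and the conffile in the same directory points at `/etc/unbound/main.conf`. This looks like an unedited copy of an unbound package: building this directory produces a package under the unbound name and no rspamd service wiring at all. If rspamd is what is intended, the lines to change first are `pkgname=rspamd-redxen-openrc` and `ln -s rspamd "$pkgdir"/etc/init.d/rspamd.redxen`, with `pkgdesc`, `depends`, the conffile contents and the checksum updated to match.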
@@ -10,14 +10,15 @@ license="none" depends="openrc telegraf-openrc telegraf-redxen-config" options="!check" source=" + runfile conffile " builddir="$srcdir" package() { - mkdir -p "$pkgdir"/etc/init.d - ln -s telegraf "$pkgdir"/etc/init.d/telegraf.redxen + install -Dm755 runfile "$pkgdir"/etc/init.d/telegraf.redxen install -Dm644 conffile "$pkgdir"/etc/conf.d/telegraf.redxen } -sha512sums="9bf080e445c9dbb1a8cab493dbf5d344be1cfe38164eb5fa84c8541f38a5506cddc797829dc51478215e06694c815b1174b134542116283e8bdaf07fa137466c conffile" +sha512sums="109a1cb53ba0d654efdb596b994010ac437d8c5fb172cb21f9c6ee53a84332d237909e4ab3e80018567b8abfd6dbdd0dd9fed5f25b550105df3626d13c5dd93e runfile +a7950b7fa3c5c8303c387a743591afb5d3b6a4d25c88e5d7522667b8cfdd8cdbad55251152efec352241ffd3d78ce56a5d3b6fbef03a2b02d0b23833547649c7 conffile" diff --git a/openrc-configs/telegraf-redxen-openrc/conffile b/openrc-configs/telegraf-redxen-openrc/conffile index 04fc584..6892244 100644 --- a/openrc-configs/telegraf-redxen-openrc/conffile +++ b/openrc-configs/telegraf-redxen-openrc/conffile @@ -1,4 +1,5 @@ -TELEGRAF_OPTS="-config /etc/telegraf/main.conf" +TELEGRAF_CONFIG="/etc/telegraf/main.conf" +TELEGRAF_OPTS="-config $TELEGRAF_CONFIG" # Uncomment to enable logging to syslog. error_logger="logger -t $RC_SVCNAME" diff --git a/openrc-configs/telegraf-redxen-openrc/runfile b/openrc-configs/telegraf-redxen-openrc/runfile new file mode 100644 index 0000000..a13e55d --- /dev/null +++ b/openrc-configs/telegraf-redxen-openrc/runfile @@ -0,0 +1,23 @@ +#!/sbin/openrc-run + +command="/usr/bin/telegraf" +command_args="$TELEGRAF_OPTS" +command_background=yes +command_user=telegraf:telegraf +pidfile="/run/$RC_SVCNAME.pid" +extra_started_commands="reload" + +depend() { + need net + after firewall +} + +start_pre() { + checkpath -f -o $command_user -m 640 ${TELEGRAF_CONFIG:-/etc/telegraf.conf} +} + +reload() { + ebegin "Reloading ${RC_SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} 
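Review bot: `start_pre()` in the new telegraf runfile makes the service account the owner of its own configuration: `checkpath -f -o $command_user -m 640 ...` with `command_user=telegraf:telegraf`, so the daemon can rewrite the file it is configured from. Telegraf only needs to read it; `checkpath -f -o root:telegraf -m 640 "${TELEGRAF_CONFIG:-/etc/telegraf.conf}"` keeps it group-readable without making it writable by the daemon, and the added quotes prevent word splitting on the path. `checkpath -f` also creates the file when it is missing, so a wrong `TELEGRAF_CONFIG` yields an empty config rather than a clear start failure; a comment noting that above the call would help.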
diff --git a/openrc-configs/transmission-redxen-openrc/APKBUILD b/openrc-configs/transmission-redxen-openrc/APKBUILD index fb20572..8489f21 100644 --- a/openrc-configs/transmission-redxen-openrc/APKBUILD +++ b/openrc-configs/transmission-redxen-openrc/APKBUILD @@ -1,23 +1,24 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=transmission-redxen-openrc -pkgver=2020.12.7 -pkgrel=1 +pkgver=2020.12.10 +pkgrel=4 pkgdesc="Transmission service files" url="https://git.redxen.eu/RedXen" arch="noarch" license="none" -depends="openrc transmission-redxen-openrc transmission-redxen-config" +depends="openrc transmission-daemon transmission-redxen-config" options="!check" source=" + runfile conffile " builddir="$srcdir" package() { - mkdir -p "$pkgdir"/etc/init.d - ln -s transmission-daemon "$pkgdir"/etc/init.d/transmission-daemon.redxen + install -Dm755 runfile "$pkgdir"/etc/init.d/transmission-daemon.redxen install -Dm644 conffile "$pkgdir"/etc/conf.d/transmission-daemon.redxen } -sha512sums="c1df27bb036e28ea94c5fa18b40c99a96d9548c28ed8262ad753744a1737883c9fd75fbae2284ea9ad749bd9d4d5ee0b33a1876dccb3008e0ee327de29922ac7 conffile" +sha512sums="22c65c1b3a719107a486c1d62fc6321e6e775f08a00ed07c98a0b847bd02d14420fa79424011175a8a6eed1acea0ca832fdee00321999b771e556ce7b58ba2b7 runfile +c1df27bb036e28ea94c5fa18b40c99a96d9548c28ed8262ad753744a1737883c9fd75fbae2284ea9ad749bd9d4d5ee0b33a1876dccb3008e0ee327de29922ac7 conffile" diff --git a/openrc-configs/transmission-redxen-openrc/runfile b/openrc-configs/transmission-redxen-openrc/runfile new file mode 100644 index 0000000..e70f9cf --- /dev/null +++ b/openrc-configs/transmission-redxen-openrc/runfile 
@@ -0,0 +1,49 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-p2p/transmission/files/transmission-daemon.initd.8,v 1.2 2011/12/04 10:35:07 swegener Exp $
+
+extra_started_commands="reload"
+description="Transmission is a fast, easy and free bittorrent client"
+description_start="Start transmission-daemon server and web interface"
+description_stop="Stop transmission-daemon server and web interface"
+description_reload="Reload transmission-daemon settings"
+
+config_dir="${config_dir:-/var/lib/transmission/config}"
+download_dir="${download_dir:-/var/lib/transmission/downloads}"
+logfile="${logfile:-/var/log/transmission/transmission.log}"
+rundir="${rundir:-/var/run/transmission}"
+
+command="/usr/bin/transmission-daemon"
+command_user="${command_user:-transmission:transmission}"
+pidfile="${pidfile:-${rundir}/transmission.pid}"
+command_args="--pid-file ${pidfile}"
+
+depend() {
+ need net
+ after firewall
+}
+
+check_config() {
+ command_args="${command_args} --config-dir ${config_dir}"
+ if [ ! -f "${config_dir}/settings.json" ]; then
+ command_args="${command_args} --download-dir ${download_dir}"
+ fi
+ if [ -n "${logfile}" ]; then
+ command_args="${command_args} --logfile ${logfile}"
+ fi
+}
+
+start_pre() {
+ check_config
+
+ checkpath -d -m 750 -o "$command_user" "$download_dir" "$config_dir" "$config_dir/resume" "$rundir"
+ checkpath -f -m 440 -o "$command_user" "$config_dir"/settings.json
+}
+
+reload() {
+ ebegin "Reloading transmission configuration"
+ start-stop-daemon --signal HUP --pidfile ${pidfile}
+ eend $?
+}
+
diff --git a/openrc-configs/wireguard-redxen-openrc/APKBUILD b/openrc-configs/wireguard-redxen-openrc/APKBUILD
new file mode 100644
index 0000000..0af052c
--- /dev/null
+++ b/openrc-configs/wireguard-redxen-openrc/APKBUILD
@@ -0,0 +1,24 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=wireguard-redxen-openrc
+pkgver=2020.12.12
+pkgrel=0
+pkgdesc="Wireguard service files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="openrc wireguard-redxen-config wireguard-tools-wg-quick"
+options="!check"
+source="
+ runfile
+ conffile
+"
+builddir="$srcdir"
+
+package() {
+ install -Dm755 runfile "$pkgdir"/etc/init.d/wireguard.redxen
+ install -Dm644 conffile "$pkgdir"/etc/conf.d/wireguard.redxen
+}
+
+sha512sums="e93f2603eb9c393183a4619dc54f5a794775c68b010e82e5f511b4136c5750f105ec5742bcbfcd01e873d1ee8d67c89153d43e02635d86fde9c9043848d0b60e runfile
+543998954d42cc51677b37495d91436b3506dc4e92082a3eba6a0d3791d176ef98db52002bbb98022451b01f477c1dc36022697cd80f8d7a133e90736b624243 conffile"
diff --git a/openrc-configs/wireguard-redxen-openrc/conffile b/openrc-configs/wireguard-redxen-openrc/conffile
new file mode 100644
index 0000000..cdf27f0
--- /dev/null
+++ b/openrc-configs/wireguard-redxen-openrc/conffile
@@ -0,0 +1 @@
+WIREGUARD_INTERFACE="rxmain"
diff --git a/openrc-configs/wireguard-redxen-openrc/runfile b/openrc-configs/wireguard-redxen-openrc/runfile
new file mode 100644
index 0000000..240b87e
--- /dev/null
+++ b/openrc-configs/wireguard-redxen-openrc/runfile
@@ -0,0 +1,41 @@
+#!/sbin/openrc-run
+
+description="Control wg-quick connections"
+
+check_interface() {
+ if [ -d /sys/class/net/"${WIREGUARD_INTERFACE:-wg0}" ]; then
+ mark_service_started
+ return 0
+ fi
+ mark_service_stopped
+ return 1
+}
+
+start() {
+ check_interface || /usr/bin/wg-quick up "${WIREGUARD_INTERFACE:-wg0}"
+ /sbin/iptables -A INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
+ /sbin/iptables -A FORWARD -i "${WIREGUARD_INTERFACE:-wg0}" -o eth0 -j ACCEPT
+ /sbin/iptables -A FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -j ACCEPT
+ /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ /sbin/ip6tables -A INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
+ /sbin/ip6tables -A FORWARD -i "${WIREGUARD_INTERFACE:-wg0}" -o eth0 -j ACCEPT
+ /sbin/ip6tables -A FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -j ACCEPT
+ /sbin/ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+}
+
+stop() {
+ check_interface && /usr/bin/wg-quick down "${WIREGUARD_INTERFACE:-wg0}"
+ /sbin/iptables -D INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
+ /sbin/iptables -D FORWARD -i "${WIREGUARD_INTERFACE:-wg0}" -o eth0 -j ACCEPT
+ /sbin/iptables -D FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -j ACCEPT
+ /sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ /sbin/ip6tables -D INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
+ /sbin/ip6tables -D FORWARD -i "${WIREGUARD_INTERFACE:-wg0}" -o eth0 -j ACCEPT
+ /sbin/ip6tables -D FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -j ACCEPT
+ /sbin/ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+}
+
+restart() {
+ stop
+ start
+}
diff --git a/openrc-configs/yggdrasil-redxen-openrc/APKBUILD b/openrc-configs/yggdrasil-redxen-openrc/APKBUILD
new file mode 100644
index 0000000..1d89906
--- /dev/null
+++ b/openrc-configs/yggdrasil-redxen-openrc/APKBUILD
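Review bot: In the new wireguard runfile, `start()` adds `-A FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -j ACCEPT` (and the ip6tables twin), which accepts any packet forwarded from the public interface toward the tunnel rather than only replies to connections the VPN peers opened. Limiting the return direction to tracked connections keeps peers from being reachable from outside: `/sbin/iptables -A FORWARD -i eth0 -o "${WIREGUARD_INTERFACE:-wg0}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, with the same match on the ip6tables line and on both matching `-D` lines in `stop()`. The rules are also appended regardless of whether `wg-quick up` succeeded and on every call to `start`, so a failed or repeated start leaves UDP 51820 and the MASQUERADE rule in place, with duplicates that one `stop` does not remove. Checking the `wg-quick` exit status before touching the firewall and testing with `-C` before `-A` would close both gaps.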
@@ -0,0 +1,23 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=yggdrasil-redxen-openrc +pkgver=2020.12.10 +pkgrel=0 +pkgdesc="Yggdrasil service files" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="openrc yggdrasil-openrc yggdrasil-redxen-config" +options="!check" +source=" + conffile +" +builddir="$srcdir" + +package() { + mkdir -p "$pkgdir"/etc/init.d + ln -s yggdrasil "$pkgdir"/etc/init.d/yggdrasil.redxen + install -Dm644 conffile "$pkgdir"/etc/conf.d/yggdrasil.redxen +} + +sha512sums="80efc154b8371a06f69d30f13e285e2dbff7227381920400b1b497eafef3cb096c7748f158e6e18ff692e13452da8fc07a5e4738a025989202323303c5e1c04d conffile" diff --git a/openrc-configs/yggdrasil-redxen-openrc/conffile b/openrc-configs/yggdrasil-redxen-openrc/conffile new file mode 100644 index 0000000..ba0fe16 --- /dev/null +++ b/openrc-configs/yggdrasil-redxen-openrc/conffile @@ -0,0 +1,4 @@ +yggdrasil_config_file=/etc/yggdrasil/redxen.conf + +output_log=/var/log/yggdrasil.log +error_log=/var/log/yggdrasil.log diff --git a/software-configs/haproxy-redxen-config/APKBUILD b/software-configs/haproxy-redxen-config/APKBUILD index 93a15bc..3144df6 100644 --- a/software-configs/haproxy-redxen-config/APKBUILD +++ b/software-configs/haproxy-redxen-config/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=haproxy-redxen-config -pkgver=2020.12.7 -pkgrel=0 +pkgver=2020.12.12 +pkgrel=1 pkgdesc="HAProxy frontend configuration" url="https://git.redxen.eu/RedXen" arch="noarch" @@ -21,4 +21,4 @@ check() { haproxy -c -f main.cfg } -sha512sums="a64fbfc6304ee0bbe9c840b4368f4d3e098ffa4c74b8c047a22b4cadc7b2d8e32cc17e144754134f98960cd95abaab79f498b620e977a1e68ae14f0c2014ce40 main.cfg" +sha512sums="badcf29fb4647a1504e5f7c6e4aae21269cba6f85fe0953aa1cdf1a72efba77a5b0b84ce05feb1d30683b05f73367155fbf52067ec4489b8c431effdd87f4a1e main.cfg" 
diff --git a/software-configs/haproxy-redxen-config/main.cfg b/software-configs/haproxy-redxen-config/main.cfg index 83b9ff8..e0c7d3c 100644 --- a/software-configs/haproxy-redxen-config/main.cfg +++ b/software-configs/haproxy-redxen-config/main.cfg @@ -1,6 +1,8 @@ global maxconn 2048 maxconnrate 40 + stats socket /run/haproxy.sock mode 600 user telegraf + stats timeout 2m defaults mode http @@ -47,21 +49,18 @@ frontend http bind ipv4@:443,ipv6@:443 ssl crt /etc/ssl/redxen/letsencrypt/fullchain.crt alpn h2,http/1.1 bind ipv4@:80,ipv6@:80 - acl root url / - use_backend backend-root if { hdr(host) -i redxen.eu } + acl root path / + redirect prefix /web code 302 if { hdr_beg(host) -i seed } root use_backend backend-transmission if { hdr_beg(host) -i seed } - redirect prefix /web code 302 if { hdr_beg(host) -i seed } root + use_backend backend-root if { hdr(host) -i redxen.eu } use_backend backend-grafana if { hdr_beg(host) -i stats } - use_backend backend-pleroma if { hdr_beg(host) -i social } - use_backend backend-gitea if { hdr_beg(host) -i git } - use_backend backend-seedown if { hdr_beg(host) -i sd } - http-response add-header X-Forwarded-Proto https + http-response set-header X-Forwarded-Proto https http-response set-header X-XSS-Protection 1;\ mode=block http-response set-header X-Content-Type-Options nosniff http-response set-header Referrer-Policy no-referrer-when-downgrade 
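Review bot: The added `stats socket /run/haproxy.sock mode 600 user telegraf` line sets no `level`, so the socket runs at HAProxy's default `operator` level, which allows some runtime changes in addition to reading statistics. A metrics collector only needs to read; `stats socket /run/haproxy.sock mode 600 user telegraf level user` limits the telegraf account to that. In the frontend hunk that follows, the `use_backend` lines for backend-pleroma, backend-gitea and backend-seedown are removed while the next hunk still defines and health-checks those backends, so a short comment saying whether those hosts are intentionally no longer routed would help the next reader.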
@@ -73,20 +72,21 @@ frontend http backend backend-transmission server-template transmission 1 _transmission._tcp.routinginfo.redxen.localhost - option httpchk HEAD / HTTP/1.1 backend backend-grafana - server-template grafana 5 _grafana._tcp.routinginfo.redxen.localhost + server-template grafana 1 _grafana._tcp.routinginfo.redxen.localhost option httpchk HEAD / HTTP/1.1 http-check send hdr Host stats.redxen.eu backend backend-seedown server-template seedown 1 _seedown._tcp.routinginfo.redxen.localhost option httpchk HEAD / HTTP/1.1 + http-check send hdr Host sd.redxen.eu backend backend-pleroma server-template pleroma 1 _pleroma._tcp.routinginfo.redxen.localhost option httpchk HEAD / HTTP/1.1 + http-check send hdr Host social.redxen.eu backend backend-gitea server-template gitea 1 _gitea._tcp.routinginfo.redxen.localhost diff --git a/software-configs/iptables-redxen-config/rules-v4 b/software-configs/iptables-redxen-config/rules-v4 index 1cb028e..d1f67c8 100644 --- a/software-configs/iptables-redxen-config/rules-v4 +++ b/software-configs/iptables-redxen-config/rules-v4 
@@ -7,19 +7,11 @@ -A INPUT -i lo -j ACCEPT -A INPUT -i tun0 -j ACCEPT -A INPUT -p icmp -j ACCEPT --A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT --A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --A INPUT -p udp -m udp --dport 53 -j ACCEPT --A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --A INPUT -p tcp -m tcp --dport 443 -j ACCEPT --A INPUT -p tcp -m tcp --dport 2442 -j ACCEPT --A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT --A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT --A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT COMMIT # Mangle *mangle diff --git a/software-configs/iptables-redxen-config/rules-v6 b/software-configs/iptables-redxen-config/rules-v6 index 96f8960..5cd7034 100644 --- a/software-configs/iptables-redxen-config/rules-v6 +++ b/software-configs/iptables-redxen-config/rules-v6 @@ -10,16 +10,8 @@ -A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT --A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --A INPUT -p udp -m udp --dport 53 -j ACCEPT --A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --A INPUT -p tcp -m tcp --dport 443 -j ACCEPT --A INPUT -p tcp -m tcp --dport 2442 -j ACCEPT --A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT --A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT --A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT COMMIT # Mangle *mangle 
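Review bot: Both rule files (rules-v4 here, rules-v6 in the next hunk) drop the INPUT accepts for ports 53, 80, 443, 2442, 7777, 25565 and 64738 with no explanation, while the HAProxy config in this same commit still binds :80 and :443. The chain policy and any rules added elsewhere are outside these hunks, so it cannot be seen from here whether those ports are opened by another mechanism or simply become unreachable. A comment above the remaining accepts, such as `# public service ports: <where they are opened, or "intentionally closed">`, would make the intent reviewable. rules-v4 also moves the eth1 port 7521 accept below the TCP flag checks while rules-v6 leaves it above them; keeping the same order in both files makes later diffs between them meaningful.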
diff --git a/software-configs/lighttpd-redxen-config/APKBUILD b/software-configs/lighttpd-redxen-config/APKBUILD
new file mode 100644
index 0000000..ce5895e
--- /dev/null
+++ b/software-configs/lighttpd-redxen-config/APKBUILD
@@ -0,0 +1,24 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+pkgname=lighttpd-redxen-config
+pkgver=2020.12.11
+pkgrel=0
+pkgdesc="LigHTTPd configuration"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="lighttpd"
+source="
+ main.conf
+"
+
+package() {
+ install -dm755 "$pkgdir"/http
+ install -Dm440 main.conf "$pkgdir"/etc/lighttpd/redxen/main.conf
+}
+
+check() {
+ lighttpd -f main.conf -t
+}
+
+sha512sums="c6157585741c20022f7cd520db0c1066aae9e6d59be165d49bfd9d3b57fdc1abed681ba067470d01f2b4f22c8c99da466976e4bf28d9d881811aac2d04494cca main.conf"
diff --git a/software-configs/lighttpd-redxen-config/main.conf b/software-configs/lighttpd-redxen-config/main.conf
new file mode 100644
index 0000000..ae619fe
--- /dev/null
+++ b/software-configs/lighttpd-redxen-config/main.conf
@@ -0,0 +1,28 @@
+var.basedir = "/http"
+var.logdir = "/var/log/lighttpd"
+var.statedir = "/run/lighttpd"
+
+include "/etc/lighttpd/mime-types.conf"
+
+server.bind = "[::]"
+server.modules = ( "mod_access", "mod_deflate", "mod_webdav", "mod_dirlisting" )
+server.username = "lighttpd"
+server.groupname = "lighttpd"
+server.document-root = var.basedir
+server.pid-file = "/run/lighttpd.pid"
+server.indexfiles = ("index.html")
+server.follow-symlink = "disable"
+server.event-handler = "linux-sysepoll"
+server.chroot = var.basedir
+server.port = 7574
+server.upload-dirs = ("")
+server.use-ipv6 = "enable"
+
+dir-listing.activate = "enable"
+
+url.access-deny = ("~")
+
+deflate.filetypes = ("text/", "application/javascript")
+
+webdav.activate = "enable"
+webdav.is-readonly = "enable"
diff --git a/software-configs/murmur-redxen-config/APKBUILD b/software-configs/murmur-redxen-config/APKBUILD
index b1a2a16..acb4eb7 100644
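Review bot: main.conf sets both `server.chroot = var.basedir` and `server.document-root = var.basedir`; lighttpd resolves the document root inside the chroot, so as far as I can tell the server would look for `/http/http` instead of `/http`. With the chroot kept, the document root should be given relative to the new root, `server.document-root = "/"`, and the result confirmed on a test host. `var.logdir` and `var.statedir` are defined but never used, and no access-log module is loaded, so this directory-listing server keeps no request record; adding `"mod_accesslog"` to `server.modules` with `accesslog.filename = var.logdir + "/access.log"` would provide one.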
--- a/software-configs/murmur-redxen-config/APKBUILD +++ b/software-configs/murmur-redxen-config/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=murmur-redxen-config -pkgver=2020.12.7 +pkgver=2020.12.12 pkgrel=0 pkgdesc="Murmur configuration files" url="https://git.redxen.eu/RedXen" @@ -18,4 +18,4 @@ package() { } -sha512sums="43a8ca7f16b0b39f08e35aebe77e7dd9ca5a779733d0e981c07db81c15785b74d3e60baf4b7ea87313e678bfcfbed1329436dcf1df9404b6f4b835a26235e53e murmur.ini" +sha512sums="0bc394f306a4ece3115bc0c5948fec251d763b8ef166ce26fbd6b44f8ca906c608ac5c0d3cd79fffdb42146b1ab374092ef92db46e4e453782acc046b21925ba murmur.ini" diff --git a/software-configs/nginx-redxen-config/APKBUILD b/software-configs/nginx-redxen-config/APKBUILD new file mode 100644 index 0000000..f654865 --- /dev/null +++ b/software-configs/nginx-redxen-config/APKBUILD @@ -0,0 +1,26 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=nginx-redxen-config +pkgver=2020.12.11 +pkgrel=0 +pkgdesc="NGINX configuration" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="nginx nginx-mod-http-zip" +source=" + main.conf +" +options="!check" + +package() { + + install -dm755 "$pkgdir"/http + install -Dm400 main.conf "$pkgdir"/etc/nginx/redxen.conf +} + +check() { + nginx -p / -c main.conf -t +} + +sha512sums="acb7c066a734e040c876985ee74de473918194d87e2a6d565238ef4a9894ad8ab9bf2c35d79c3ef2445131731efdb7a999f834f16c34e445a5c899ef689f393a main.conf" diff --git a/software-configs/nginx-redxen-config/main.conf b/software-configs/nginx-redxen-config/main.conf new file mode 100644 index 0000000..6aa53e5 --- /dev/null +++ b/software-configs/nginx-redxen-config/main.conf 
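Review bot: The new nginx-redxen-config APKBUILD defines `check()` with `nginx -p / -c main.conf -t` but also sets `options="!check"`, so abuild skips that function and a broken main.conf is packaged without validation. The lighttpd-redxen-config package added in this commit leaves its check enabled, so the two are inconsistent. Either drop the `options="!check"` line so the syntax test runs, or remove the dead `check()` and add a comment such as `# config test needs <reason>, so it is not run at build time`.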
@@ -0,0 +1,26 @@ +user nginx www-data; + +events { + worker_connections 1024; +} + +http { + gzip on; + gzip_vary on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 300; + include /etc/nginx/mime.types; + default_type application/octet-stream; + root /http; + server { + listen *:7574 reuseport so_keepalive=on; + listen [::]:7574 reuseport so_keepalive=on; + location / { + autoindex on; + limit_except GET HEAD { + deny all; + } + } + } +} diff --git a/software-configs/postgresql-redxen-config/APKBUILD b/software-configs/postgresql-redxen-config/APKBUILD index 2b8590a..a3fb1d6 100644 --- a/software-configs/postgresql-redxen-config/APKBUILD +++ b/software-configs/postgresql-redxen-config/APKBUILD @@ -1,13 +1,13 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=postgresql-redxen-config -pkgver=2020.12.7 -pkgrel=0 +pkgver=2020.12.12 +pkgrel=1 pkgdesc="PostgreSQL configuration files" url="https://git.redxen.eu/RedXen" arch="noarch" license="none" -depends="postgresql" +depends="postgresql postgresql-contrib" options="!check" # PostgreSQL doesn't have configuration checks source=" postgresql.conf @@ -22,6 +22,6 @@ package() { install -Dm644 pg_ident.conf "$pkgdir"/etc/postgresql/redxen/pg_ident.conf } -sha512sums="4888ad8feb31f9957935753cff19c1ba801b297cb1f214ddd02ba5a4a116fafe544f7fcd5553c754c333adfabcf121f8134dd129e6d9d8d378247fae0d23ca9c postgresql.conf -914d64b5c4876b38633aef6a8eca968dbb789ec36ea5592c731f526f2f2530d9be8d724cf238ca8f966584abfbb6047ce739b9180b3ce2d60e984af5e7788d8b pg_hba.conf +sha512sums="f48d721b03a7dd483fc7f0c016a75a13d121e3d105b0874fc21e7cf5fdec11b5deeb2d0607e258499f303c2a4974d3ead17a25b51594c509c86ce5ef016d2cee postgresql.conf +2af9c5acacaa2f82e15931d676bac4b89ade6ff91503e09583a35da36d69d0370a314db1de78665ba5cdb8f98cc7f09684efe9c97caa9385541159d170254cd6 pg_hba.conf cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e pg_ident.conf" 
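Review bot: `location /` in the new main.conf enables `autoindex` for the whole `/http` root with no exclusions, so hidden files and editor backups placed there are listed and downloadable, whereas the lighttpd config in this commit at least denies `~` files through `url.access-deny`. A small deny block keeps the two servers equivalent: `location ~ (/\.|~$) { deny all; }`. Adding `server_tokens off;` to the `http` block would also stop the server version appearing in responses and generated index pages.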
diff --git a/software-configs/postgresql-redxen-config/pg_hba.conf b/software-configs/postgresql-redxen-config/pg_hba.conf index 3270b43..d38b051 100644 --- a/software-configs/postgresql-redxen-config/pg_hba.conf +++ b/software-configs/postgresql-redxen-config/pg_hba.conf @@ -1,3 +1,5 @@ local all postgres trust host murmur murmur 0200::/7 md5 host grafana grafana 0200::/7 md5 +host all telegraf 127.0.0.1/32 md5 +host all telegraf ::1/128 md5 diff --git a/software-configs/postgresql-redxen-config/postgresql.conf b/software-configs/postgresql-redxen-config/postgresql.conf index 5285fd1..71e3754 100644 --- a/software-configs/postgresql-redxen-config/postgresql.conf +++ b/software-configs/postgresql-redxen-config/postgresql.conf @@ -25,6 +25,24 @@ ssl = off shared_buffers = 128MB dynamic_shared_memory_type = posix +vacuum_cost_delay = 0 +vacuum_cost_page_hit = 1 +vacuum_cost_page_miss = 10 +vacuum_cost_page_dirty = 20 +vacuum_cost_limit = 200 + +bgwriter_delay = 200ms +bgwriter_lru_maxpages = 100 +bgwriter_lru_multiplier = 2.0 +bgwriter_flush_after = 512kB + +effective_io_concurrency = 1 +max_worker_processes = 8 +max_parallel_maintenance_workers = 2 +max_parallel_workers_per_gather = 2 +parallel_leader_participation = on +max_parallel_workers = 8 + #------------------------------------------------------------------------------ # WRITE-AHEAD LOG #------------------------------------------------------------------------------ 
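Review bot: The two added `host all telegraf ...` lines let the telegraf role authenticate to every database using `md5`. A metrics collector normally needs a single database for the statistics views, and `scram-sha-256` avoids MD5 password hashes on servers that support it; the server version and `password_encryption` are not visible in this hunk, so confirm both before switching. The narrower form would be `host postgres telegraf 127.0.0.1/32 scram-sha-256` and `host postgres telegraf ::1/128 scram-sha-256`, with the role granted `pg_monitor` rather than broader rights.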
@@ -57,12 +75,20 @@ cluster_name = 'redxen-main' # STATISTICS #------------------------------------------------------------------------------ -stats_temp_directory = '/run/postgresql/12-main.pg_stat_tmp' +track_activities = on +track_counts = on +track_io_timing = on +track_functions = all +track_activity_query_size = 1024 +stats_temp_directory = '/run/postgresql/main.pg_stat_tmp' #------------------------------------------------------------------------------ # AUTOVACUUM #------------------------------------------------------------------------------ +autovacuum = on +autovacuum_naptime = 1min + #------------------------------------------------------------------------------ # CLIENT CONNECTION DEFAULTS #------------------------------------------------------------------------------ diff --git a/software-configs/sysctl-redxen-config/10-memory.conf b/software-configs/sysctl-redxen-config/10-memory.conf new file mode 100644 index 0000000..f787310 --- /dev/null +++ b/software-configs/sysctl-redxen-config/10-memory.conf @@ -0,0 +1,7 @@ +vm.overcommit_memory = 2 +vm.overcommit_ratio = 95 + +vm.zone_reclaim_mode = 3 + +vm.dirty_ratio = 10 +vm.dirty_background_ratio = 5 diff --git a/software-configs/sysctl-redxen-config/20-network.conf b/software-configs/sysctl-redxen-config/20-network.conf new file mode 100644 index 0000000..5b819f5 --- /dev/null +++ b/software-configs/sysctl-redxen-config/20-network.conf 
@@ -0,0 +1,29 @@
+# IPV4
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# TCP Tweaks
+net.ipv4.tcp_ecn = 1
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_slow_start_after_idle = 1
+
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_synack_retries = 5
+
+net.ipv4.tcp_keepalive_time = 60
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 6
+
+net.ipv4.tcp_rfc1337 = 1
+
+# UDP Tweaks
+net.ipv4.udp_rmem_min = 8192
+net.ipv4.udp_wmem_min = 8192
+
+# Misc
+net.core.netdev_max_backlog = 16384
+net.core.somaxconn = 8192
diff --git a/software-configs/sysctl-redxen-config/30-kernel.conf b/software-configs/sysctl-redxen-config/30-kernel.conf
new file mode 100644
index 0000000..3aeec54
--- /dev/null
+++ b/software-configs/sysctl-redxen-config/30-kernel.conf
@@ -0,0 +1,10 @@
+kernel.sysrq = 0
+
+# Memory execution prevention
+#kernel.exec-shield = 2
+kernel.randomize_va_space=2
+
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+
+#kernel.kexec_load_disabled = 1
diff --git a/software-configs/sysctl-redxen-config/APKBUILD b/software-configs/sysctl-redxen-config/APKBUILD
new file mode 100644
index 0000000..5d6356e
--- /dev/null
+++ b/software-configs/sysctl-redxen-config/APKBUILD
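Review bot: 20-network.conf sets `rp_filter` and `log_martians` but leaves ICMP redirects at the kernel defaults, and it has no IPv6 section although the hosts in this commit are dual-stack. Because 90-wireguard.conf in the same commit turns forwarding on, I would add `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0` and `net.ipv6.conf.all.accept_redirects = 0`, with the matching `default` entries. Separately, `rp_filter = 1` is strict mode: on hosts with a public and a private interface plus tunnel interfaces it drops replies that arrive on a different interface than the route back, so confirm that is intended or use `2` (loose) there.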
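Review bot: Two settings in 30-kernel.conf are committed commented out with no reason given, so a later maintainer cannot tell whether they are pending or were rejected. `kernel.exec-shield` belongs to the old Red Hat Exec Shield patch set and, as far as I know, does not exist on mainline kernels, so that line can simply go. For the other one, either enable it or record the decision, e.g. `# kexec_load_disabled left off: <reason>`; once set to 1 it cannot be cleared until reboot, which is probably why it was held back. `kernel.randomize_va_space=2` matches the kernel default, which is fine to pin but worth a short comment saying so.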
@@ -0,0 +1,26 @@ +# Contributor: Alex Denes +# Maintainer: Alex Denes +pkgname=sysctl-redxen-config +pkgver=2020.12.10 +pkgrel=0 +pkgdesc="sysctl settings for servers" +url="https://git.redxen.eu/RedXen" +arch="noarch" +license="none" +depends="openrc" +source=" + 10-memory.conf + 20-network.conf + 30-kernel.conf +" +options="!check" + +package() { + install -Dm644 10-memory.conf "$pkgdir"/etc/sysctl.d/10-memory.conf + install -Dm644 20-network.conf "$pkgdir"/etc/sysctl.d/20-network.conf + install -Dm644 30-kernel.conf "$pkgdir"/etc/sysctl.d/30-kernel.conf +} + +sha512sums="8043d419de52d0a8e75ed50643bd73ef3b3e2633d9064c6f6695b796834bc162f6b3c0e28082bb601e1a6c582e92ca90aa3dd626973c741c2ff0d3e1749521b1 10-memory.conf +117648c1a0ee1a2d554eee2a0f8584097c66300dfda945a4ac0cb52f24160ae673abe3de964d419ddca4e0822a605c7b1d4f8d8e3f85d5f7c582b9803ffa21fc 20-network.conf +a67a62adddcc0389eef167f390d948ce69488f5755fbd19ca16d9d626511229e7dd7f03fcf0f4731fa867a45417e9554f65b5ccca7fcacc2e51f056d4152031a 30-kernel.conf" diff --git a/software-configs/telegraf-redxen-config/APKBUILD b/software-configs/telegraf-redxen-config/APKBUILD index 48f4294..7e1b61b 100644 --- a/software-configs/telegraf-redxen-config/APKBUILD +++ b/software-configs/telegraf-redxen-config/APKBUILD @@ -21,4 +21,4 @@ check() { telegraf --config main.conf --test >/dev/null } -sha512sums="7f5c6d5fb4b3fa9e44fff7bf5fd600abad615ce00bd7e77977042f4a5f9729da0b5118b9d30e4ee1629c060ceef298a45c9dfa0ab503380599d0d77b77374804 main.conf" +sha512sums="9a50d6b90693fe991be5a99dc3d31f34137894620cf1023a00ee8d8ad3bd1e8c71c4b136d40d42dc663c8719f4f8ee8bd44b51ba3a5fc5d781d6b956ddb03d0c main.conf" diff --git a/software-configs/telegraf-redxen-config/main.conf b/software-configs/telegraf-redxen-config/main.conf index 2b4747f..85a2f34 100644 --- a/software-configs/telegraf-redxen-config/main.conf +++ b/software-configs/telegraf-redxen-config/main.conf 
@@ -3,9 +3,7 @@ round_interval = true metric_batch_size = 1000 metric_buffer_limit = 10000 - collection_jitter = "5s" flush_interval = "30s" - flush_jitter = "0s" precision = "" debug = false quiet = false diff --git a/software-configs/unbound-redxen-config/APKBUILD b/software-configs/unbound-redxen-config/APKBUILD index f534eff..1db8f2b 100644 --- a/software-configs/unbound-redxen-config/APKBUILD +++ b/software-configs/unbound-redxen-config/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=unbound-redxen-config -pkgver=2020.12.7 +pkgver=2020.12.12 pkgrel=0 pkgdesc="Unbound configurations and some other stuff." url="https://git.redxen.eu/RedXen" @@ -29,6 +29,6 @@ package() { sha512sums="0741bc9c6e94a656f35ae452288f0212a2a2df9eda3688a2d3f04012d686adee5f03e3e9f4c72685626f672baaacbd00be71ee0d8699989f47abfd34b72b2b3d main.conf -598ad87d4dfed44d9711fb8164610306907454a3aea3333dc16a098839d9217e86d65075d9a4c3b0ca03d283059d05e99cbd7e9fba9a61b706f99ed356fffb08 base.conf -14eaa203361d5b5c25c21796ca0ace6aaa89d6cdae464d51dc6896868c27c0e973d346c027f501b407157ebec247752cf3287e3cbd53c8b1cc6eaf11335d4a57 internal.conf -9d4ee8a276c6b16f0a034cb0ff989b3f2589eef4c59f14f2f431a9a3e3136e9d648506547cee13f97cdd2d92d4bb84b0098b72511fc851f700c2e2a0208884f3 redxen-dns.conf" +d7b03d004ddfe4d7ee1b1c4a6d6200635ee385f68034b3ff10c624d3e6fc1fc9e906efddd20ba0bd54638534f17d7800ff49b4c0c8ddea4564cc4e936851b692 base.conf +b812d66a3682f56bd5ec38f56ebf1b9abbf6b3019ab2f867e5177ded0bf1540c49f88462cff7c17e8293f5ec4324405b0268e7f748d89612ddd9866a04d6e0ba internal.conf +b1c40b398877571861edbef8b3c236034f0a19d53485df276318738a53949dfa3b9e7428bd6d13b96cd228a0a76fb467dc44395ef064638c0eaf90b359e33e59 redxen-dns.conf" diff --git a/software-configs/unbound-redxen-config/base.conf b/software-configs/unbound-redxen-config/base.conf index d69ce1f..bebca11 100644 --- a/software-configs/unbound-redxen-config/base.conf +++ b/software-configs/unbound-redxen-config/base.conf 
@@ -1,9 +1,8 @@ server: access-control: 0.0.0.0/0 refuse_non_local access-control: ::/0 refuse_non_local - - # Local Host access-control: 127.0.0.0/8 allow + access-control: ::/128 allow #log-replies: yes interface: 0.0.0.0 interface: ::0 @@ -28,7 +27,7 @@ server: remote-control: control-enable: yes control-use-cert: no - control-interface: 127.0.0.1 + control-interface: ::1 forward-zone: name: "." forward-tls-upstream: yes diff --git a/software-configs/unbound-redxen-config/internal.conf b/software-configs/unbound-redxen-config/internal.conf index 6dc4f61..8fdd1ed 100644 --- a/software-configs/unbound-redxen-config/internal.conf +++ b/software-configs/unbound-redxen-config/internal.conf 
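Review bot: In base.conf, `access-control: ::/128 allow` matches only the unspecified address `::`, not IPv6 loopback, so clients connecting from `::1` still fall under `::/0 refuse_non_local`. The IPv4 line next to it allows 127.0.0.0/8, so the intended counterpart is presumably `access-control: ::1/128 allow`. The removed `# Local Host` comment was the only label on these two lines and is worth keeping. The `server:` block continues outside the hunk.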
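Review bot: With `control-use-cert: no` left in place, moving `control-interface` to `::1` keeps the remote-control channel as unauthenticated TCP, so any local user or process on the host can drive unbound-control (flush the cache, change forwarders, add local data). `control-interface` also accepts a filesystem path, which gives a unix socket guarded by file permissions instead, e.g. `control-interface: "/run/unbound.control.sock"` (example path; use one the service user can create). The `remote-control:` block starts and ends outside the hunk.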
@@ -4,16 +4,19 @@ server: # Machines local-data: "8101153.nbg1-dc3.hetzner.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805" local-data: "8201371.fsn1-dc14.hetzner.redxen.localhost. 86400 IN AAAA 200:8656:aa4:dc68:888:d92c:914b:866b" + local-data: "9013723.fsn1-dc14.hetzner.redxen.localhost. 86400 IN AAAA 200:2749:8af:bdf9:f011:997e:7bbb:35f3" # Familiar names - local-data: "lain.nurnberg.redxen.localhost. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.localhost." - local-data: "arisu.falkenstein.redxen.localhost. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.localhost." + local-data: "lain.nurnberg.hetzner.redxen.localhost. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.localhost." + local-data: "arisu.falkenstein.hetzner.redxen.localhost. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.localhost." + local-data: "chisa.falkenstein.hetzner.redxen.localhost. 86400 IN CNAME 9013723.fsn1-dc14.hetzner.redxen.localhost." # Services local-data: "_murmur._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7573 8201371.fsn1-dc14.hetzner.redxen.localhost." - local-data: "_root._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 8201371.fsn1-dc14.hetzner.redxen.localhost." - local-data: "_transmission._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7572 8201371.fsn1-dc14.hetzner.redxen.localhost." local-data: "_grafana._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7577 8201371.fsn1-dc14.hetzner.redxen.localhost." + local-data: "_transmission._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7572 9013723.fsn1-dc14.hetzner.redxen.localhost." + local-data: "_root._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 9013723.fsn1-dc14.hetzner.redxen.localhost." + local-data: "_seedown._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 9013723.fsn1-dc14.hetzner.redxen.localhost." # Services (no CNAME/SRV support) local-data: "postgresql.routinginfo.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805" 
diff --git a/software-configs/unbound-redxen-config/redxen-dns.conf b/software-configs/unbound-redxen-config/redxen-dns.conf index b8df13d..cf0648d 100644 --- a/software-configs/unbound-redxen-config/redxen-dns.conf +++ b/software-configs/unbound-redxen-config/redxen-dns.conf 
@@ -11,22 +11,42 @@ server: local-data: "8101153.nbg1-dc3.hetzner.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:9a10::1" local-data: "8201371.fsn1-dc14.hetzner.redxen.eu. 86400 IN A 78.46.207.237" local-data: "8201371.fsn1-dc14.hetzner.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:436e::1" + local-data: "9013723.fsn1-dc14.hetzner.redxen.eu. 86400 IN A 168.119.99.213" + local-data: "9013723.fsn1-dc14.hetzner.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:fd5e::1" # Familiar records - local-data: "lain.nurnberg.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." - local-data: "arisu.falkenstein.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + local-data: "lain.nurnberg.hetzner.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." + local-data: "arisu.falkenstein.hetzner.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + local-data: "chisa.falkenstein.hetzner.redxen.eu. 86400 IN CNAME 9013723.fsn1-dc14.hetzner.redxen.eu." # Services - local-data: "stats.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + + # Grafana + local-data: "stats.redxen.eu. 86400 IN A 94.130.110.3" + local-data: "stats.redxen.eu. 86400 IN A 78.46.207.237" local-data: "stats.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." - local-data: "git.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." - local-data: "git.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." - local-data: "seed.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." - local-data: "seed.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." - local-data: "sd.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + + local-data: "stats.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:9a10::1" + local-data: "stats.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:436e::1" + local-data: "stats.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + + # Seedbox HTTP + local-data: "sd.redxen.eu. 
86400 IN A 94.130.110.3" + local-data: "sd.redxen.eu. 86400 IN A 78.46.207.237" local-data: "sd.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." - local-data: "social.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." - local-data: "social.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." + + local-data: "sd.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:9a10::1" + local-data: "sd.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:436e::1" + local-data: "sd.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." + + # Transmission + local-data: "seed.redxen.eu. 86400 IN A 94.130.110.3" + local-data: "seed.redxen.eu. 86400 IN A 78.46.207.237" + local-data: "seed.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu." + + local-data: "seed.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:9a10::1" + local-data: "seed.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:436e::1" + local-data: "seed.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu." # Services SRV local-data: "_mumble._tcp.redxen.eu. 86400 IN SRV 0 5 64738 8101153.nbg1-dc3.hetzner.redxen.eu." 
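Review bot: After this redxen-dns.conf hunk, `stats.redxen.eu.`, `sd.redxen.eu.` and `seed.redxen.eu.` each carry A and AAAA records plus two CNAME records. A CNAME may not coexist with other data at the same owner name, and a name may hold only one CNAME (RFC 1034 section 3.6.2, RFC 2181 section 10.1), so the answer a client gets depends on how unbound stores the conflicting `local-data` entries. Since the new A/AAAA lines already give the addresses, the CNAME lines for these three names can be dropped; for each name one is an unchanged context line and the other is re-added with `+`. The hunk starts on the previous line of this listing.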
@@ -61,3 +81,36 @@ server: local-data: "n3.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8b23::1" local-data: "n4.redxen.eu. 86400 IN A 94.130.107.187" local-data: "n4.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8990::1" + + local-data: "redxen.eu. 86400 IN A 78.46.197.89" + local-data: "redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:6ed1::1" + local-data: "redxen.eu. 86400 IN A 94.130.108.207" + local-data: "redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8d8d::1" + local-data: "redxen.eu. 86400 IN A 116.203.235.73" + local-data: "redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:e8b9::1" + local-data: "redxen.eu. 86400 IN A 94.130.108.81" + local-data: "redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8b23::1" + local-data: "redxen.eu. 86400 IN A 94.130.107.187" + local-data: "redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8990::1" + + local-data: "git.redxen.eu. 86400 IN A 78.46.197.89" + local-data: "git.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:6ed1::1" + local-data: "git.redxen.eu. 86400 IN A 94.130.108.207" + local-data: "git.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8d8d::1" + local-data: "git.redxen.eu. 86400 IN A 116.203.235.73" + local-data: "git.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:e8b9::1" + local-data: "git.redxen.eu. 86400 IN A 94.130.108.81" + local-data: "git.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8b23::1" + local-data: "git.redxen.eu. 86400 IN A 94.130.107.187" + local-data: "git.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8990::1" + + local-data: "social.redxen.eu. 86400 IN A 78.46.197.89" + local-data: "social.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:6ed1::1" + local-data: "social.redxen.eu. 86400 IN A 94.130.108.207" + local-data: "social.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8d8d::1" + local-data: "social.redxen.eu. 86400 IN A 116.203.235.73" + local-data: "social.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:e8b9::1" + local-data: "social.redxen.eu. 86400 IN A 94.130.108.81" + local-data: "social.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8b23::1" + local-data: "social.redxen.eu. 
86400 IN A 94.130.107.187" + local-data: "social.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:8990::1" diff --git a/software-configs/wireguard-redxen-config/APKBUILD b/software-configs/wireguard-redxen-config/APKBUILD index 8046d4e..30f8638 100644 --- a/software-configs/wireguard-redxen-config/APKBUILD +++ b/software-configs/wireguard-redxen-config/APKBUILD @@ -10,11 +10,14 @@ license="none" depends="wireguard-tools-wg wireguard-tools-wg-quick" source=" main.conf + sysctl.conf " options="!check" package() { - install -Dm400 main.conf "$pkgdir"/etc/wireguard/wg0.conf + install -Dm400 main.conf "$pkgdir"/etc/wireguard/rxmain.conf + install -Dm644 sysctl.conf "$pkgdir"/etc/sysctl.d/90-wireguard.conf } -sha512sums="46c6f9939e42f1f3f56df7780446738dae5c92798c9ee8f714c29cac192cb3799c818fe40a0c53d32b1513879b1a579db899988a26f5387c377925af2d2908c4 main.conf" +sha512sums="658dcc9ae4e2e5e7b667d36952143d5986f267ceac3a4053493e92bbef8388cae2fb3f0db4ff2779d09caaae34b35a5712a7b791cb409be83975c084cdb839e8 main.conf +b79ffbc64f2e193dc9402f7506b56b66892aa5387d13ac209ae344f9ce0f17aec3fdc503bf6855650d413dba3b66ffa3f937dd803850028579f5f5ed747c56b0 sysctl.conf" diff --git a/software-configs/wireguard-redxen-config/sysctl.conf b/software-configs/wireguard-redxen-config/sysctl.conf new file mode 100644 index 0000000..f501eb9 --- /dev/null +++ b/software-configs/wireguard-redxen-config/sysctl.conf @@ -0,0 +1,2 @@ +net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding = 1 diff --git a/software-configs/yggdrasil-redxen-config/APKBUILD b/software-configs/yggdrasil-redxen-config/APKBUILD index 5fb4627..012e26d 100644 --- a/software-configs/yggdrasil-redxen-config/APKBUILD +++ b/software-configs/yggdrasil-redxen-config/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Alex Denes # Maintainer: Alex Denes pkgname=yggdrasil-redxen-config -pkgver=2020.12.7 +pkgver=2020.12.10 pkgrel=0 pkgdesc="Yggdrasil tunnel configuration" url="https://git.redxen.eu/RedXen" 
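Review bot: `net.ipv4.ip_forward = 1` and `net.ipv6.conf.all.forwarding = 1` in the new wireguard sysctl.conf make every host that installs this package forward between all of its interfaces, public and private as well as the tunnel, not only for WireGuard traffic. Nothing in this commit shows a forward-chain policy, so unless one is defined elsewhere, packets can be relayed between those networks. I would add a header comment such as `# Needed for rxmain routing; requires a default-drop forward chain` and confirm the firewall ruleset covers it. Enabling IPv6 forwarding also makes the kernel ignore router advertisements at the default `accept_ra=1`, which fits the static addressing described in DEPLOYMENT-NOTES but should be a known consequence.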
@@ -14,7 +14,7 @@ source=" options="!check" package() { - install -Dm600 redxen.conf "$pkgdir"/etc/yggdrasil.conf + install -Dm600 redxen.conf "$pkgdir"/etc/yggdrasil/redxen.conf } -sha512sums="84b36afbbdc68e595df65ab2321284ee615415ab7ce00c1fd81988a595959cebc1b18f5f0998876fb106f4220dce8ef8e2ffb9f822f2341e276f2d1643c4e7e0 redxen.conf" +sha512sums="630d13a1256257b804c37e167a08fa96e622d393bca1b2ec2f8f6f60f286b00954fa3ff07cd215e5835b18ef7fc8bedfc1d881303af80625936302f5d72b6496 redxen.conf" diff --git a/software-configs/yggdrasil-redxen-config/redxen.conf b/software-configs/yggdrasil-redxen-config/redxen.conf index 9bdd96b..b57390d 100644 --- a/software-configs/yggdrasil-redxen-config/redxen.conf +++ b/software-configs/yggdrasil-redxen-config/redxen.conf @@ -2,7 +2,7 @@ Peers: [ ] Listen: [ - tcp://0.0.0.0:7521 + tls://0.0.0.0:7521 ] MulticastInterfaces: [] AllowedEncryptionPublicKeys: [