From 938247e19f76eb799926d2ea0233b880bba5b85c Mon Sep 17 00:00:00 2001 
From: Mikaela Suomalainen
Date: Sat, 27 Dec 2014 11:09:00 +0200
Subject: [PATCH] etc: import from gh-pages
---
 etc/NetworkManager/NetworkManager.conf | 10 ++
 etc/apt/sources.list/12.04 | 37 ++++++
 etc/apt/sources.list/14.04 | 39 ++++++
 etc/apt/sources.list/14.10 | 35 ++++++
 etc/apt/sources.list/15.04 | 31 +++++
 etc/apt/sources.list/debian | 13 ++
 etc/apt/sources.list/debiant | 10 ++
 etc/apt/sources.list/ubuntu | 35 ++++++
 etc/dhcp/dhcpd.conf | 111 ++++++++++++++++++
 etc/dnsmasq.d/mikaela | 41 +++++++
 etc/fstab | 18 +++
 etc/gai.conf | 65 ++++++++++
 etc/hosts | 12 ++
 etc/network/interfaces | 41 +++++++
 etc/nginx/README.md | 2 +
 etc/nginx/conf.d/cloudflare.conf | 20 ++++
 etc/nginx/conf.d/rproxy.conf | 2 +
 ...vhost_which_turns_http_to_https_DO.NOT.USE | 70 +++++++++++
 etc/nginx/sites-enabled/host | 91 ++++++++++++++
 etc/nginx/sites-enabled/rproxy | 16 +++
 etc/nginx/sites-enabled/vhost | 60 ++++++++++
 etc/polipo/config | 21 ++++
 etc/radvd.conf | 15 +++
 etc/resolvconf/resolv.conf.d/head | 13 ++
 etc/resolvconf/resolv.conf.d/tail | 3 +
 etc/ssh/sshd_config | 103 ++++++++++++++++
 etc/unbound/unbound.conf.d/forwards.conf | 18 +++
 etc/unbound/unbound.conf.d/mikaela.conf | 16 +++
 28 files changed, 948 insertions(+)
 create mode 100644 etc/NetworkManager/NetworkManager.conf
 create mode 100644 etc/apt/sources.list/12.04
 create mode 100644 etc/apt/sources.list/14.04
 create mode 100644 etc/apt/sources.list/14.10
 create mode 100644 etc/apt/sources.list/15.04
 create mode 100644 etc/apt/sources.list/debian
 create mode 100644 etc/apt/sources.list/debiant
 create mode 100644 etc/apt/sources.list/ubuntu
 create mode 100644 etc/dhcp/dhcpd.conf
 create mode 100644 etc/dnsmasq.d/mikaela
 create mode 100644 etc/fstab
 create mode 100644 etc/gai.conf
 create mode 100644 etc/hosts
 create mode 100644 etc/network/interfaces
 create mode 100644 etc/nginx/README.md
 create mode 100644 etc/nginx/conf.d/cloudflare.conf
 create mode 100644 etc/nginx/conf.d/rproxy.conf
 create mode 100644 etc/nginx/sites-enabled/.untested_vhost_which_turns_http_to_https_DO.NOT.USE
 create mode 100644 etc/nginx/sites-enabled/host
 create mode 100644 etc/nginx/sites-enabled/rproxy
 create mode 100644 etc/nginx/sites-enabled/vhost
 create mode 100644 etc/polipo/config
 create mode 100644 etc/radvd.conf
 create mode 100644 etc/resolvconf/resolv.conf.d/head
 create mode 100644 etc/resolvconf/resolv.conf.d/tail
 create mode 100755 etc/ssh/sshd_config
 create mode 100644 etc/unbound/unbound.conf.d/forwards.conf
 create mode 100644 etc/unbound/unbound.conf.d/mikaela.conf
diff --git a/etc/NetworkManager/NetworkManager.conf b/etc/NetworkManager/NetworkManager.conf
new file mode 100644
index 00000000..57d3dbca
--- /dev/null
+++ b/etc/NetworkManager/NetworkManager.conf
@@ -0,0 +1,10 @@
+[main]
+plugins=ifupdown,keyfile,ofono
+#dns=dnsmasq
+
+[ifupdown]
+managed=true
+
+## Disable NM for this MAC address
+#[keyfile]
+#unmanaged-devices=mac:XX:XX:XX:XX:XX:XX
diff --git a/etc/apt/sources.list/12.04 b/etc/apt/sources.list/12.04
new file mode 100644
index 00000000..ddeb2b84
--- /dev/null
+++ b/etc/apt/sources.list/12.04
@@ -0,0 +1,37 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt precise main restricted universe multiverse
+
+## Major bug fix updates produced after the final precise of the
+## distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt precise-updates main restricted universe multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main precise, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb mirror://mirrors.ubuntu.com/mirrors.txt precise-backports main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt precise-security main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-updates main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-backports main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-security main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+deb http://archive.canonical.com/ubuntu precise partner
+deb-src http://archive.canonical.com/ubuntu precise partner
+
+## This software is not part of Ubuntu, but is offered by third-party
+## developers who want to ship their latest software.
+deb http://extras.ubuntu.com/ubuntu precise main
+deb-src http://extras.ubuntu.com/ubuntu precise main
+
+## Ubuntu MATE https://ubuntu-mate.org/
+deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu precise main
+deb http://ppa.launchpad.net/ubuntu-mate-dev/precise-mate/ubuntu precise main
+deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu precise main
+deb-src http://ppa.launchpad.net/ubuntu-mate-dev/precise-mate/ubuntu precise main
diff --git a/etc/apt/sources.list/14.04 b/etc/apt/sources.list/14.04
new file mode 100644
index 00000000..49cbac88
--- /dev/null
+++ b/etc/apt/sources.list/14.04
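Review bot: The `## Uncomment the following two lines` comment above the partner entries is stale — both `deb`/`deb-src http://archive.canonical.com/ubuntu precise partner` lines are already active, as are the `precise-backports` lines that the comment just above them says receive no review or updates from the Ubuntu security team. Either comment the partner and backports lines back out, or reword the comments so a reader knows they are enabled on purpose, e.g. `## partner and backports are enabled deliberately; backports gets no security-team updates`. apt has no per-repository trust scope, so the `ubuntu-mate-dev` PPAs listed at the bottom can supersede packages from main on upgrade unless pinned in `/etc/apt/preferences.d`; a one-line comment on why they are trusted here would help.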
@@ -0,0 +1,39 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
+
+## Major bug fix updates produced after the final trusty of the
+## distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main trusty, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+deb http://archive.canonical.com/ubuntu trusty partner
+deb-src http://archive.canonical.com/ubuntu trusty partner
+
+## This software is not part of Ubuntu, but is offered by third-party
+## developers who want to ship their latest software.
+deb http://extras.ubuntu.com/ubuntu trusty main
+deb-src http://extras.ubuntu.com/ubuntu trusty main
+
+## Ubuntu MATE https://ubuntu-mate.org/
+deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu trusty main
+deb http://ppa.launchpad.net/ubuntu-mate-dev/trusty-mate/ubuntu trusty main
+deb http://ppa.launchpad.net/accessibility-dev/ppa/ubuntu trusty main
+deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu trusty main
+deb-src http://ppa.launchpad.net/ubuntu-mate-dev/trusty-mate/ubuntu trusty main
+deb-src http://ppa.launchpad.net/accessibility-dev/ppa/ubuntu trusty main
diff --git a/etc/apt/sources.list/14.10 b/etc/apt/sources.list/14.10
new file mode 100644
index 00000000..4e841773
--- /dev/null
+++ b/etc/apt/sources.list/14.10
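Review bot: The `deb http://ppa.launchpad.net/accessibility-dev/ppa/ubuntu trusty main` entry adds a third third-party PPA as a full-trust package source: apt does not bind a signing key to a repository, so any package published there — including a newer build of something from main — is installed on the next upgrade unless it is pinned. Consider a pin in `/etc/apt/preferences.d` limiting the PPA to the packages actually wanted, or at least record the reason in the comment, e.g. `## accessibility-dev: needed for <package>; pinned in preferences.d/accessibility`. The `## Uncomment the following two lines` text is also stale in this file, since the partner lines below it are already enabled.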
@@ -0,0 +1,35 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt utopic main restricted universe multiverse
+
+## Major bug fix updates produced after the final utopic of the
+## distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-updates main restricted universe multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main utopic, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-backports main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-security main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-updates main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-backports main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-security main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+deb http://archive.canonical.com/ubuntu utopic partner
+deb-src http://archive.canonical.com/ubuntu utopic partner
+
+## This software is not part of Ubuntu, but is offered by third-party
+## developers who want to ship their latest software.
+deb http://extras.ubuntu.com/ubuntu utopic main
+deb-src http://extras.ubuntu.com/ubuntu utopic main
+
+## Ubuntu MATE https://ubuntu-mate.org/
+deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu utopic main
+deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu utopic main
diff --git a/etc/apt/sources.list/15.04 b/etc/apt/sources.list/15.04
new file mode 100644
index 00000000..42132236
--- /dev/null
+++ b/etc/apt/sources.list/15.04
@@ -0,0 +1,31 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt vivid main restricted universe multiverse
+
+## Major bug fix updates produced after the final vivid of the
+## distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-updates main restricted universe multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main vivid, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-backports main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-security main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-updates main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-backports main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-security main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+deb http://archive.canonical.com/ubuntu vivid partner
+deb-src http://archive.canonical.com/ubuntu vivid partner
+
+## This software is not part of Ubuntu, but is offered by third-party
+## developers who want to ship their latest software.
+deb http://extras.ubuntu.com/ubuntu vivid main
+deb-src http://extras.ubuntu.com/ubuntu vivid main
diff --git a/etc/apt/sources.list/debian b/etc/apt/sources.list/debian
new file mode 100644
index 00000000..22871c0e
--- /dev/null
+++ b/etc/apt/sources.list/debian
@@ -0,0 +1,13 @@
+# debiant in this directory is for Debian Testing.
+
+## Main Debian archives.
+deb http://http.debian.net/debian stable main contrib non-free
+deb-src http://http.debian.net/debian stable main contrib non-free
+
+## Debian Security
+deb http://security.debian.org/ stable/updates main contrib non-free
+deb-src http://security.debian.org/ stable/updates main contrib non-free
+
+## Debian Backports
+deb http://http.debian.net/debian stable-backports main contrib non-free
+deb-src http://http.debian.net/debian stable-backports main contrib non-free
diff --git a/etc/apt/sources.list/debiant b/etc/apt/sources.list/debiant
new file mode 100644
index 00000000..79e7fdde
--- /dev/null
+++ b/etc/apt/sources.list/debiant
@@ -0,0 +1,10 @@
+# debian (without the t) in this directory is for Debian Stable.
+
+## Main Debian archives.
+deb http://http.debian.net/debian testing main contrib non-free
+deb-src http://http.debian.net/debian testing main contrib non-free
+
+## Debian Security
+deb http://security.debian.org/ testing/updates main contrib non-free
+deb-src http://security.debian.org/ testing/updates main contrib non-free
+
diff --git a/etc/apt/sources.list/ubuntu b/etc/apt/sources.list/ubuntu
new file mode 100644
index 00000000..480ad4f3
--- /dev/null
+++ b/etc/apt/sources.list/ubuntu
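Review bot: Using the `stable` alias instead of a codename on the `http.debian.net` and `security.debian.org` lines means the machine silently starts a full release upgrade on the day Debian repoints `stable` to the next release — the opposite of what an unattended security-update run should do. Pin the codename (wheezy at the date of this commit), e.g. `deb http://http.debian.net/debian wheezy main contrib non-free` and `deb http://security.debian.org/ wheezy/updates main contrib non-free`, and add a comment that it must be bumped deliberately on each release.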
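Review bot: The `deb http://security.debian.org/ testing/updates main contrib non-free` pair gives a false sense of coverage: as far as I know the security team rarely publishes into `testing/updates`, and fixes normally reach testing by migrating from unstable, so this suite is usually empty. Keep it if you like, but the `## Debian Security` comment should say so, e.g. `## testing/updates is rarely populated; security fixes for testing arrive via unstable migration, often with delay`, so nobody assumes a testing box is patched on the same day as stable.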
@@ -0,0 +1,35 @@
+
+## Replace RELEASE on every line with your Ubuntu RELEASE which you can find out by running
+# lsb_release -c
+
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE main restricted universe multiverse
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-updates main restricted universe multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-backports main restricted universe multiverse
+deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-security main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-updates main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-backports main restricted universe multiverse
+deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-security main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+deb http://archive.canonical.com/ubuntu RELEASE partner
+deb-src http://archive.canonical.com/ubuntu RELEASE partner
+
+## This software is not part of Ubuntu, but is offered by third-party
+## developers who want to ship their latest software.
+deb http://extras.ubuntu.com/ubuntu RELEASE main
+deb-src http://extras.ubuntu.com/ubuntu RELEASE main
diff --git a/etc/dhcp/dhcpd.conf b/etc/dhcp/dhcpd.conf
new file mode 100644
index 00000000..515160b6
--- /dev/null
+++ b/etc/dhcp/dhcpd.conf
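Review bot: `RELEASE-security` is fetched through the `mirror://mirrors.ubuntu.com/mirrors.txt` selector like every other pocket, whereas Ubuntu's stock sources.list deliberately points the security pocket at `security.ubuntu.com` so that a lagging or stale mirror cannot delay security updates. Use `deb http://security.ubuntu.com/ubuntu RELEASE-security main restricted universe multiverse` (and the matching `deb-src`) for the security lines and keep the mirror list for the rest. The mirror list itself is fetched over plain http and apt still verifies Release signatures, so that is an availability rather than an integrity concern — worth a short comment so the next reader does not "fix" it the other way.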
@@ -0,0 +1,111 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+#ddns-update-style none;
+
+# option definitions common to all supported networks...
+#option dhcp6.domain-name "mikaela.info";
+#option dhcp6.domain-name-servers 2001:4860:4860::8888, 2001:4860:4860::8844;
+#option dhcp6.domain-search "mikaela.info";
+
+option domain-name "example.org";
+option domain-name-servers 2001:4860:4860::8888, 2001:4860:4860::8844;
+option domain-search "mikaela.info"
+#default-lease-time 600;
+#max-lease-time 7200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+# range 10.254.239.10 10.254.239.20;
+# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+# range dynamic-bootp 10.254.239.40 10.254.239.60;
+# option broadcast-address 10.254.239.31;
+# option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+# range 10.5.5.26 10.5.5.30;
+# option domain-name-servers ns1.internal.example.org;
+# option domain-name "internal.example.org";
+# option routers 10.5.5.1;
+# option broadcast-address 10.5.5.31;
+# default-lease-time 600;
+# max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements. If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+# hardware ethernet 0:0:c0:5d:bd:95;
+# filename "vmunix.passacaglia";
+# server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts. These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP. Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+# hardware ethernet 08:00:07:26:c0:a5;
+# fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that. The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+# subnet 10.17.224.0 netmask 255.255.255.0 {
+# option routers rtr-224.example.org;
+# }
+# subnet 10.0.29.0 netmask 255.255.255.0 {
+# option routers rtr-29.example.org;
+# }
+# pool {
+# allow members of "foo";
+# range 10.17.224.10 10.17.224.250;
+# }
+# pool {
+# deny members of "foo";
+# range 10.0.29.10 10.0.29.230;
+# }
+#}
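Review bot: `option domain-search "mikaela.info"` has no terminating semicolon, so dhcpd should refuse to start — the parser will read on past the commented lease-time lines to `log-facility local7;` and report a syntax error; it needs to be `option domain-search "mikaela.info";`. The file also mixes `example.org` in `domain-name` with `mikaela.info` in `domain-search`, and with `#authoritative;` commented out and every `subnet` block commented, the daemon has nothing to serve yet; if this is a template, a top comment saying `# TEMPLATE: fill in domain-name, a subnet block and uncomment authoritative before use` would stop someone deploying it as-is. The `dhcp6.*` options stay commented, so the `AdvOtherConfigFlag on` in this commit's radvd.conf has no DHCPv6 server behind it (see that file).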
diff --git a/etc/dnsmasq.d/mikaela b/etc/dnsmasq.d/mikaela
new file mode 100644
index 00000000..b82853eb
--- /dev/null
+++ b/etc/dnsmasq.d/mikaela
@@ -0,0 +1,41 @@
+## This file is for my own configuration that I wish to not get
+## accidentally overwritten by package upgrades. This is based on Debian
+## Testing (Jessie) dnsmasq.conf on 2014-12-23 08:50+0200
+
+# Send everything to unbound listening on port 5353
+no-resolv
+server=127.0.0.1#2000 # unbound
+
+# Be better netizen
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+# DNSSEC validation and caching:
+conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
+dnssec
+# Check that unsigned reply is OK (takes extra queries)
+dnssec-check-unsigned
+
+# Debugging, log all DNS queries
+#log-queries
+
+# Filter useless Windows-originated requests
+# don't use with Kerberos, SIP, XMPP or Google Talk
+#filterwin2k
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
diff --git a/etc/fstab b/etc/fstab
new file mode 100644
index 00000000..93d40698
--- /dev/null
+++ b/etc/fstab
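Review bot: The comment says unbound listens on port 5353, but the directive forwards to `server=127.0.0.1#2000`; with `no-resolv` this is the only upstream, so a wrong port leaves all resolution dead rather than degraded — make the two agree, e.g. `server=127.0.0.1#5353` under `# unbound on 127.0.0.1:5353`. I am not certain dnsmasq accepts the trailing `# unbound` on an option line (it already uses `#` as the port separator); moving the comment onto its own line avoids a possible "bad option" failure at startup. Nothing in this fragment restricts `interface=`/`listen-address=`, so if the main dnsmasq.conf does not either, confirm the resolver is not reachable from outside the LAN.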
@@ -0,0 +1,18 @@
+# Use 'blkid' to print the universally unique identifier for a
+# device; this may be used with UUID= as a more robust way to name devices
+# that works even if disks are added and removed. See fstab(5).
+
+## swap file creation and auto-mount
+# # fallocate -l 4G /swap
+# # chmod 600 /swap
+# # mkswap /swap
+# # swapon /swap
+# and to /etc/fstab:
+/swap none swap sw 0 0
+
+# Don't mount Windows partition automatically, allow normal users to mount it without root
+# noauto,user
+UUID=105AB1525AB13576 /media/Windows ntfs defaults,rw,noauto,user 0 0
+
+# Mount my external HDD automatically on boot.
+UUID=2A2C535742C3A3D4 /media/Mikaelan ntfs defaults,rw 0 0
diff --git a/etc/gai.conf b/etc/gai.conf
new file mode 100644
index 00000000..6c0f06a1
--- /dev/null
+++ b/etc/gai.conf
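Review bot: The external-disk line `UUID=2A2C535742C3A3D4 /media/Mikaelan ntfs defaults,rw 0 0` has no `nofail`, so booting with the drive unplugged will stall or drop to the emergency shell while the mount is waited for; use `defaults,rw,nofail 0 0` (optionally with `x-systemd.device-timeout=10s`). The Windows entry is fine because `user` implies `noexec,nosuid,nodev`, but the external disk is mounted by root with plain `defaults` and gets none of those; if untrusted content can land on it, `noexec,nosuid` belongs there as well. A comment on the swap recipe noting that the `chmod 600` must precede `swapon` (it does in the listed order) would make the ordering requirement explicit.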
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+label ::1/128 0
+label ::/0 1
+label 2002::/16 2
+label ::/96 3
+label ::ffff:0:0/96 4
+label fec0::/10 5
+label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+#precedence ::1/128 50
+#precedence ::/0 40
+#precedence 2002::/16 30
+#precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+#precedence ::ffff:0:0/96 100
+
+#
+# scopev4
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14
diff --git a/etc/hosts b/etc/hosts
new file mode 100644
index 00000000..9af819e8
--- /dev/null
+++ b/etc/hosts
@@ -0,0 +1,12 @@
+::1 localhost
+::1 FQDN UQDN
+
+127.0.0.1 localhost
+127.0.1.1 FQDN UQDN
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/etc/network/interfaces b/etc/network/interfaces
new file mode 100644
index 00000000..25a21915
--- /dev/null
+++ b/etc/network/interfaces
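Review bot: Uncommenting the seven `label` lines while leaving `#label 2001:0::/32 7` commented changes behaviour rather than restating the default: as the file's own header says, information given here replaces the built-in table, so the moment any `label` line is present the Teredo rule is gone and 2001:0::/32 falls under the generic `label ::/0 1`, altering address selection for Teredo peers. Either uncomment `label 2001:0::/32 7` too, or re-comment all seven lines so glibc's defaults apply; the `precedence` block is still fully commented, so it is unaffected. A one-line comment on why the labels are spelled out at all would spare the next reader this analysis.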
@@ -0,0 +1,41 @@
+# interfaces(5) file used by ifup(8) and ifdown(8)
+
+auto lo
+iface lo inet loopback
+
+auto eth0
+allow-hotplug eth0
+iface eth0 inet static
+address 172.16.1.
+netmask 255.255.0.0
+gateway 172.16.0.1
+## dns-nameservers is provided by resolvconf so you can specify nameservers
+## there. Remember to install dnsmasq to get over the limit of being able
+## to use only three DNS servers at time!
+dns-nameservers ::1 8.8.8.8 8.8.4.4
+dns-search DOMAIN.TLD
+
+iface eth0 inet6 auto
+
+## if radvd is announcing prefixes, IPs from them must be in this file
+## see also https://www.sixxs.net/tools/grh/ula/
+
+## radvd globally routable address
+#iface eth0 inet6 static
+#address RANGE::1
+#netmask 64
+
+## radvd ULA
+#iface eth0 inet6 static
+#address RANGE::1
+#netmask64
+
+## Manually adding IPv6 addresses: ip -6 addr add IPv6_ADDREsS/64 dev eth0
+
+## REMEMBER TO CHANGE
+## managed=false
+## to
+## managed=true
+## in /etc/NetworkManager/NetworkManager.conf under "[ifupdown]" !
+## And restart it!
+## service network-manager restart
diff --git a/etc/nginx/README.md b/etc/nginx/README.md
new file mode 100644
index 00000000..3689eb38
--- /dev/null
+++ b/etc/nginx/README.md
@@ -0,0 +1,2 @@
+Useful nginx files that I will probably need and which I will forget if I
+cannot read them from here.
diff --git a/etc/nginx/conf.d/cloudflare.conf b/etc/nginx/conf.d/cloudflare.conf
new file mode 100644
index 00000000..2bd8ab60
--- /dev/null
+++ b/etc/nginx/conf.d/cloudflare.conf
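Review bot: `address 172.16.1.` is not a complete IPv4 address, so `ifup eth0` will fail and, with `allow-hotplug`, the interface comes up with no address; fill in the last octet or use an obvious placeholder such as `address 172.16.1.X`, and fix the commented `#netmask64` to `#netmask 64`. `dns-nameservers ::1 8.8.8.8 8.8.4.4` also puts Google's resolvers behind the local validating cache: the glibc resolver tries nameservers in order and fails over on timeout, so any hiccup of the local resolver silently bypasses DNSSEC validation and leaks queries to a third party. Since `resolv.conf.d/head` in this same commit already pins `nameserver ::1`, listing only `::1` here keeps the design honest; if a fallback is wanted, say so in the comment.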
@@ -0,0 +1,20 @@
+ # Cloudflare
+ set_real_ip_from 199.27.128.0/21;
+ set_real_ip_from 173.245.48.0/20;
+ set_real_ip_from 103.21.244.0/22;
+ set_real_ip_from 103.22.200.0/22;
+ set_real_ip_from 103.31.4.0/22;
+ set_real_ip_from 141.101.64.0/18;
+ set_real_ip_from 108.162.192.0/18;
+ set_real_ip_from 190.93.240.0/20;
+ set_real_ip_from 188.114.96.0/20;
+ set_real_ip_from 197.234.240.0/22;
+ set_real_ip_from 198.41.128.0/17;
+ set_real_ip_from 162.158.0.0/15;
+ set_real_ip_from 104.16.0.0/12;
+ set_real_ip_from 2400:cb00::/32;
+ set_real_ip_from 2606:4700::/32;
+ set_real_ip_from 2803:f800::/32;
+ set_real_ip_from 2405:b500::/32;
+ set_real_ip_from 2405:8100::/32;
+ real_ip_header CF-Connecting-IP;
diff --git a/etc/nginx/conf.d/rproxy.conf b/etc/nginx/conf.d/rproxy.conf
new file mode 100644
index 00000000..8ba2d2c4
--- /dev/null
+++ b/etc/nginx/conf.d/rproxy.conf
@@ -0,0 +1,2 @@
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/etc/nginx/sites-enabled/.untested_vhost_which_turns_http_to_https_DO.NOT.USE b/etc/nginx/sites-enabled/.untested_vhost_which_turns_http_to_https_DO.NOT.USE
new file mode 100644
index 00000000..9353dae9
--- /dev/null
+++ b/etc/nginx/sites-enabled/.untested_vhost_which_turns_http_to_https_DO.NOT.USE
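Review bot: This `set_real_ip_from` list is a point-in-time snapshot of Cloudflare's edge ranges with neither a date nor a source recorded; when Cloudflare adds ranges, requests from the new edges keep the edge address as `$remote_addr` (breaking per-client logs, rate limits and allow-lists), and a range Cloudflare later gives up would keep being trusted for `CF-Connecting-IP`. Replace the bare `# Cloudflare` with something like `# Cloudflare edge ranges as of 2014-12 from https://www.cloudflare.com/ips — regenerate periodically`. The header is only honoured from these ranges, which is correct, but the origin should also be firewalled to the same ranges, otherwise the Cloudflare layer can simply be bypassed by talking to the origin directly.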
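Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client already sent, so the upstream must trust only the right-most entry (the one nginx added) or use `X-Real-IP`, which is set from `$remote_addr` and cannot be spoofed. A comment in this snippet, e.g. `# upstream: trust X-Real-IP, or only the last X-Forwarded-For hop; earlier hops are client-supplied`, would keep an application from reading the first entry as the client address for logging or access control.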
@@ -0,0 +1,70 @@
+server {
+
+ # default_server from default vhost must exist somewhere!
+ listen 80;
+ listen [::]:80;
+
+ server_name vhost.example.org;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443;
+ listen [::]:443;
+
+ root /var/www/vhostdir;
+ index index.php index.html index.htm;
+
+ # vhost address
+ server_name vhost.example.org;
+
+ # SSL
+ #ssl_certificate /etc/nginx/ssl/nginx.crt;
+ #ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ autoindex on;
+ }
+
+ # Userdir
+ #ilocation ~ ^/~(.+?)(/.*)?$ {
+ # alias /home/$1/public_html$2;
+ # index index.html index.htm;
+ # autoindex on;
+ #}
+
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /usr/share/nginx/html;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ #include fastcgi_params;
+ include fastcgi.conf;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ location ~ /\.ht {
+ deny all;
+ }
+}
diff --git a/etc/nginx/sites-enabled/host b/etc/nginx/sites-enabled/host
new file mode 100644
index 00000000..cdd57ddf
--- /dev/null
+++ b/etc/nginx/sites-enabled/host
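Review bot: The second `server` block listens on `443` without the `ssl` parameter and has both `ssl_certificate*` lines commented out, so after the `return 301 https://...` the port would answer in plain HTTP and browsers will fail the TLS handshake; it needs `listen 443 ssl;` / `listen [::]:443 ssl;` plus a certificate before it can work. The `location ~ \.php$` block hands any URI ending in `.php` to php-fpm without checking that the file exists, which is the well-known nginx/PHP-FPM path-info problem whenever `cgi.fix_pathinfo` is left at its default of 1 — adding `try_files $uri =404;` as the first line of that location closes it regardless of php.ini. `autoindex on` in `location /` also exposes directory listings of `/var/www/vhostdir`, while the `vhost` file in this same commit has it `off`. Since the file name already says DO NOT USE, a one-line header comment listing these open items would make the warning concrete.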
@@ -0,0 +1,91 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+ listen 443 default_server ssl;
+ listen [::]:443 default_server ssl ipv6only=on;
+
+ root /var/www/default/;
+ index index.php index.html index.htm;
+
+### Generating SSL certificate:
+## mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl
+## openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt
+### this takes forever and is used on line 23.
+## openssl dhparam -out dhparam.pem 4096
+ ssl_certificate /etc/nginx/ssl/nginx.crt;
+ ssl_certificate_key /etc/nginx/ssl/nginx.key;
+# ----- begin of Mozilla Server Side TLS recommendations -----
+# **2014-11-07** https://wiki.mozilla.org/Security/Server_Side_TLS
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
+ # See generation on line 14
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Intermediate configuration. tweak to your needs.
+ # comment just for me, don't uncomment.
+ #ssl_ciphers '';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+
+ # Enable this if your want HSTS (recommended)
+ # HSTS = access only using HTTPS
+ # add_header Strict-Transport-Security max-age=15768000;
+
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ #resolver ::1;
+# ----- end of Mozilla Server Side TLS recommendations -----
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ autoindex on;
+ }
+
+ # Userdir
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/public_html$2;
+ index index.html index.htm;
+ autoindex on;
+ }
+
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /usr/share/nginx/html;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ #include fastcgi_params;
+ include fastcgi.conf;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ location ~ /\.ht {
+ deny all;
+ }
+}
diff --git a/etc/nginx/sites-enabled/rproxy b/etc/nginx/sites-enabled/rproxy
new file mode 100644
index 00000000..67587b9a
--- /dev/null
+++ b/etc/nginx/sites-enabled/rproxy
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443;
+ listen [::]:443;
+
+ server_name something.example.org;
+
+# NOTE: For X-Real-IP & X-Forwarded-For see ../conf.d/rproxy.conf
+# Behind CloudFlare see ../conf.d/cloudflare.conf
+
+location / {
+ proxy_pass http://localhost:8080/;
+ }
+}
+
diff --git a/etc/nginx/sites-enabled/vhost b/etc/nginx/sites-enabled/vhost
new file mode 100644
index 00000000..427866cd
--- /dev/null
+++ b/etc/nginx/sites-enabled/vhost
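Review bot: This is the `default_server` on both 80 and 443, i.e. it answers every Host name no other vhost claims, yet `location /` has `autoindex on` and the userdir `location ~ ^/~(.+?)(/.*)?$` also lists `/home/*/public_html`; directory listings on a catch-all server are an unnecessary information leak, so use `autoindex off` unless listings are intended, with a comment saying so. The `location ~ \.php$` block passes any `.php`-suffixed URI to php-fpm without `try_files $uri =404;`, the usual mitigation for the path-info execution issue the `cgi.fix_pathinfo` comment alludes to; and because the userdir regex is declared first, `/~user/x.php` matches it instead and is served as a static file, which would disclose PHP source under userdirs — probably not intended. `ssl_stapling on` with the self-signed `nginx.crt` the header comment generates has no OCSP responder to talk to and will likely just log a warning; either drop stapling here or note that it only becomes useful with a CA-issued certificate, and `TLSv1` in `ssl_protocols` deserves a comment on why it is still allowed.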
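Review bot: `listen 443;` / `listen [::]:443;` carry no `ssl` parameter and the block has no certificate, so whether port 443 for `something.example.org` speaks TLS depends entirely on the listen socket being shared with the `default_server ssl` in `host`; make it explicit with `listen 443 ssl;` and an `ssl_certificate`, or drop the 443 listeners. `proxy_pass http://localhost:8080/;` does not forward the original `Host`, so the upstream sees `localhost:8080`; add `proxy_set_header Host $host;` alongside the headers from rproxy.conf. Note also that `polipo/config` in this commit puts a Tor-bound HTTP proxy on `proxyPort = 8080`; if both files land on the same host, this vhost would publish that proxy to the internet, so a comment stating which backend 8080 is would be prudent.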
@@ -0,0 +1,60 @@
+server {
+
+ # default_server from default vhost must exist somewhere!
+ listen 80;
+ listen [::]:80;
+ listen 443;
+ listen [::]:443;
+
+ root /var/www/vhostdir;
+ index index.php index.html index.htm;
+
+ # vhost address
+ server_name vhost.example.org;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ autoindex off;
+ }
+
+ # Userdir
+ #ilocation ~ ^/~(.+?)(/.*)?$ {
+ # alias /home/$1/public_html$2;
+ # index index.html index.htm;
+ # autoindex on;
+ #}
+
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /usr/share/nginx/html;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ #include fastcgi_params;
+ include fastcgi.conf;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ location ~ /\.ht {
+ deny all;
+ }
+}
diff --git a/etc/polipo/config b/etc/polipo/config
new file mode 100644
index 00000000..e2b5b4a5
--- /dev/null
+++ b/etc/polipo/config
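Review bot: The `location ~ \.php$` block hands every URI that matches the regex to php5-fpm without nginx checking that a script file exists; the only safeguard is the commented reminder to set `cgi.fix_pathinfo = 0` in php.ini, which lives outside this repository and is easy to miss on a freshly built host. Adding `try_files $uri =404;` as the first directive of that location makes nginx refuse requests whose path is not a real .php file under `root`, independent of the php.ini setting. Note that this also rejects PATH_INFO-style URLs such as /index.php/foo, so if `fastcgi_split_path_info` is relied on for those, the check needs to be adapted rather than added verbatim. The same location block appears in the host vhost at the top of this chunk.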
@@ -0,0 +1,21 @@
+# This file only needs to list configuration variables that deviate
+# from the default values. See /usr/share/doc/polipo/examples/config.sample
+# and "polipo -v" for variables you can tweak and further information.
+
+# Defaults
+logSyslog = true
+logFile = /var/log/polipo/polipo.log
+
+# Address to listen, allowed clients & port
+#proxyAddress = ::0
+#allowedClients = 172.16.0.0/16, fd6a:d4e8:95e6::/64
+#proxyPort = 8123
+proxyPort = 8080
+
+# Tor
+socksParentProxy = localhost:9050
+diskCacheRoot=""
+disableLocalInterface=true
+censoredHeaders = from, accept-language
+censorReferer = maybe
+
diff --git a/etc/radvd.conf b/etc/radvd.conf
new file mode 100644
index 00000000..f0d21dbc
--- /dev/null
+++ b/etc/radvd.conf
@@ -0,0 +1,15 @@
+interface eth0
+{
+ AdvSendAdvert on;
+ AdvOtherConfigFlag on;
+ prefix 2001:14b8:100:8397::/64
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ };
+ prefix ULA::/64
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ };
+};
diff --git a/etc/resolvconf/resolv.conf.d/head b/etc/resolvconf/resolv.conf.d/head
new file mode 100644
index 00000000..02dfc12d
--- /dev/null
+++ b/etc/resolvconf/resolv.conf.d/head
@@ -0,0 +1,13 @@
+## Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+## DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+
+## Local DNS cache (dnsmasq)
+nameserver ::1
+
+## Google DNS IPv6
+#nameserver 2001:4860:4860::8888
+#nameserver 2001:4860:4860::8844
+
+## Google DNS IPv4
+#nameserver 8.8.8.8
+#nameserver 8.8.4.4
diff --git a/etc/resolvconf/resolv.conf.d/tail b/etc/resolvconf/resolv.conf.d/tail
new file mode 100644
index 00000000..3bc7014e
--- /dev/null
+++ b/etc/resolvconf/resolv.conf.d/tail
@@ -0,0 +1,3 @@
+# According to manual page for resolv.conf, the last search/domain entry
+# wins
+search DOMAIN.TLD
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100755
index 00000000..cc05edad
--- /dev/null
+++ b/etc/ssh/sshd_config
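Review bot: `prefix ULA::/64` in the second prefix block of radvd.conf is a placeholder rather than an IPv6 prefix, so radvd will reject the whole file at parse time until it is replaced with the site's actual ULA /64; a comment such as `# replace ULA:: with this network's ULA /64 (fdxx:...) before deploying` directly above it would make that explicit. The same placeholder pattern is used by `search DOMAIN.TLD` in the resolv.conf.d/tail hunk further down, where a stale placeholder silently produces a nonsensical search domain instead of a parse error, so a matching comment there is worth more.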
@@ -0,0 +1,103 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+# sshd default
+Port 22
+# https, usually not blocked by firewalls. Verify that there is nothing
+# else listening on 443 before using this port.
+Port 443
+# personal port assigning system that I use to get around inability of
+# my router to forward one WAN port to another LAN port
+Port 10000
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+ListenAddress ::
+ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
+# ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+# ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/etc/unbound/unbound.conf.d/forwards.conf b/etc/unbound/unbound.conf.d/forwards.conf
new file mode 100644
index 00000000..08787738
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/forwards.conf
@@ -0,0 +1,18 @@
+# Forward queries to
+forward-zone:
+ name: "."
+ # Google
+ forward-addr: 2001:4860:4860::8888
+ forward-addr: 2001:4860:4860::8844
+ forward-addr: 8.8.8.8
+ forward-addr: 8.8.4.4
+ # OpenDNS
+ forward-addr: 2620:0:ccc::2
+ forward-addr: 2620:0:ccd::2
+ forward-addr: 208.67.222.222
+ forward-addr: 208.67.220.220
+ # Yandex.DNS Basic
+ forward-addr: 2a02:6b8::feed:0ff
+ forward-addr: 2a02:6b8:0:1::feed:0ff
+ forward-addr: 77.88.8.8
+ forward-addr: 77.88.8.1
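Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` (together with the `ssh-keygen -t dsa` line in the setup comment) keeps a DSA host key, which OpenSSH fixes at 1024 bits and which is the weakest of the four keys offered; removing that HostKey line and its keygen comment stops the server from advertising it, since RSA, ECDSA and Ed25519 keys are already configured. `KeyRegenerationInterval 3600` and `ServerKeyBits 1024` only apply to protocol 1 and are dead settings under `Protocol 2`, so they can go with the same change. `X11Forwarding yes` widens what a compromised client session can reach on the server; `X11Forwarding no` is the conservative default unless it is actually used on these hosts. `PermitRootLogin without-password` combined with `PasswordAuthentication no` yields key-only root login, which is defensible but deserves a one-line comment stating that intent, and the file is committed as mode 100755 although a config file needs no execute bit.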
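Review bot: The single `forward-zone` for `"."` spreads every lookup across Google, OpenDNS and Yandex, and unbound picks among the `forward-addr` entries per query, so each query goes in clear text to whichever third party wins that selection, and if DNSSEC validation is enabled (the trust-anchor comment in mikaela.conf suggests it is) every forwarder must return DNSSEC RRs or answers from that upstream will fail validation intermittently. Not all of the listed resolvers were known to pass DNSSEC records through at the time of this commit, which is worth verifying before mixing them; a comment such as `# every forwarder here must return DNSSEC records when validation is on` would record the requirement for the next edit.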
diff --git a/etc/unbound/unbound.conf.d/mikaela.conf b/etc/unbound/unbound.conf.d/mikaela.conf
new file mode 100644
index 00000000..b133a184
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/mikaela.conf
@@ -0,0 +1,16 @@
+server:
+ # perform cryptographic DNSSEC validation using the root trust anchor.
+ # this should be in /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
+ # auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ interface: 127.0.0.1
+ access-control: 127.0.0.0/8 allow
+ interface: ::1
+ access-control: ::1 allow
+ port: 2000
+ # logging
+ chroot: ""
+ use-syslog: yes
+ log-time-ascii: yes
+ log-queries: yes
+ # 0 - 5, default 1, query information 3
+ verbosity: 1
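Review bot: `chroot: ""` under the `# logging` heading switches off the chroot that unbound otherwise runs in, removing one containment layer from a daemon that parses untrusted network data; if it is only there to make logging work, that is presumably unnecessary with `use-syslog: yes`, and if it is deliberate (for example because the packaged service already handles chroot paths) a comment saying so would stop the next reader from "fixing" it. `log-queries: yes` records every client query via syslog, which is useful while debugging but keeps a persistent history of everything resolved through this host, so a comment noting that it is meant to be temporary, or turning it off by default, would be the safer long-term setting.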