etc: import from gh-pages

Mikaela Suomalainen 2014-12-27 11:09:00 +02:00
parent 198481866f
commit 938247e19f
28 changed files with 948 additions and 0 deletions


@ -0,0 +1,10 @@
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=true
## Disable NM for this MAC address
#[keyfile]
#unmanaged-devices=mac:XX:XX:XX:XX:XX:XX


@ -0,0 +1,37 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt precise main restricted universe multiverse
## Major bug fix updates produced after the final precise of the
## distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt precise-updates main restricted universe multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main precise, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb mirror://mirrors.ubuntu.com/mirrors.txt precise-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt precise-security main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-updates main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-backports main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt precise-security main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu precise partner
deb-src http://archive.canonical.com/ubuntu precise partner
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu precise main
deb-src http://extras.ubuntu.com/ubuntu precise main
## Ubuntu MATE https://ubuntu-mate.org/
deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu precise main
deb http://ppa.launchpad.net/ubuntu-mate-dev/precise-mate/ubuntu precise main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu precise main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/precise-mate/ubuntu precise main
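Review bot: The Launchpad PPA entries at the end of this list get the same standing as the Ubuntu archive, so any package a PPA publishes at a higher version replaces the distribution's copy on the next upgrade. Nothing in the file records which signing key each PPA is expected to use or limits what it may supply. A header comment naming the key (`## key: <PPA_KEY_FINGERPRINT>`) and an apt preferences pin restricting each PPA to the MATE packages would narrow that trust. The same applies to the PPA lines in the trusty and utopic lists.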


@ -0,0 +1,39 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
## Major bug fix updates produced after the final trusty of the
## distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main trusty, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu trusty partner
deb-src http://archive.canonical.com/ubuntu trusty partner
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu trusty main
deb-src http://extras.ubuntu.com/ubuntu trusty main
## Ubuntu MATE https://ubuntu-mate.org/
deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu trusty main
deb http://ppa.launchpad.net/ubuntu-mate-dev/trusty-mate/ubuntu trusty main
deb http://ppa.launchpad.net/accessibility-dev/ppa/ubuntu trusty main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu trusty main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/trusty-mate/ubuntu trusty main
deb-src http://ppa.launchpad.net/accessibility-dev/ppa/ubuntu trusty main


@ -0,0 +1,35 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt utopic main restricted universe multiverse
## Major bug fix updates produced after the final utopic of the
## distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-updates main restricted universe multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main utopic, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt utopic-security main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-updates main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-backports main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt utopic-security main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu utopic partner
deb-src http://archive.canonical.com/ubuntu utopic partner
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu utopic main
deb-src http://extras.ubuntu.com/ubuntu utopic main
## Ubuntu MATE https://ubuntu-mate.org/
deb http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu utopic main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/ppa/ubuntu utopic main


@ -0,0 +1,31 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt vivid main restricted universe multiverse
## Major bug fix updates produced after the final vivid of the
## distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-updates main restricted universe multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main vivid, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt vivid-security main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-updates main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-backports main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt vivid-security main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu vivid partner
deb-src http://archive.canonical.com/ubuntu vivid partner
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu vivid main
deb-src http://extras.ubuntu.com/ubuntu vivid main


@ -0,0 +1,13 @@
# debiant in this directory is for Debian Testing.
## Main Debian archives.
deb http://http.debian.net/debian stable main contrib non-free
deb-src http://http.debian.net/debian stable main contrib non-free
## Debian Security
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
## Debian Backports
deb http://http.debian.net/debian stable-backports main contrib non-free
deb-src http://http.debian.net/debian stable-backports main contrib non-free
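Review bot: Every entry tracks the suite alias `stable` rather than a release codename, so when Debian publishes a new stable release the next routine upgrade becomes an unplanned cross-release upgrade, and `stable/updates` on security.debian.org switches at the same moment. Using the codename in each `deb`/`deb-src` line keeps the move to a new release a deliberate step. The header comment only describes the sibling file; a line stating that this file is the Debian Stable list would make it self-explanatory.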


@ -0,0 +1,10 @@
# debian (without the t) in this directory is for Debian Stable.
## Main Debian archives.
deb http://http.debian.net/debian testing main contrib non-free
deb-src http://http.debian.net/debian testing main contrib non-free
## Debian Security
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free
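Review bot: The `testing/updates` lines suggest this list gets security coverage comparable to stable, but as far as I know Debian's security team does not provide timely fixes for testing; they normally arrive by migration from unstable. A comment above the `## Debian Security` entries, e.g. `## NOTE: testing has no timely security support; fixes migrate from unstable`, would set the right expectation for anyone copying this file onto an exposed host.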


@ -0,0 +1,35 @@
## Replace RELEASE on every line with your Ubuntu RELEASE which you can find out by running
# lsb_release -c
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE main restricted universe multiverse
## Major bug fix updates produced after the final release of the
## distribution.
deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-updates main restricted universe multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-backports main restricted universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-security main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-updates main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-backports main restricted universe multiverse
deb-src mirror://mirrors.ubuntu.com/mirrors.txt RELEASE-security main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu RELEASE partner
deb-src http://archive.canonical.com/ubuntu RELEASE partner
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu RELEASE main
deb-src http://extras.ubuntu.com/ubuntu RELEASE main
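Review bot: The comment `## Uncomment the following two lines to add software from Canonical's 'partner' repository` sits above two `deb`/`deb-src` lines that are already active, so anyone using this template enables the partner and extras archives without an opt-in step. Either comment out the four partner/extras lines so the comment is true, or reword it to `## Partner repository (enabled); comment out the next two lines to disable`. The release-specific lists in this commit carry the same mismatch.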

111
etc/dhcp/dhcpd.conf Normal file

@ -0,0 +1,111 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
#ddns-update-style none;
# option definitions common to all supported networks...
#option dhcp6.domain-name "mikaela.info";
#option dhcp6.domain-name-servers 2001:4860:4860::8888, 2001:4860:4860::8844;
#option dhcp6.domain-search "mikaela.info";
option domain-name "example.org";
option domain-name-servers 2001:4860:4860::8888, 2001:4860:4860::8844;
option domain-search "mikaela.info"
#default-lease-time 600;
#max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
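Review bot: `option domain-search "mikaela.info"` is missing its terminating `;`, so dhcpd should fail to parse the file at the following statement; it needs to read `option domain-search "mikaela.info";`. The active `option domain-name-servers` line also lists IPv6 addresses, which I believe the DHCPv4 option does not accept, and `option domain-name "example.org"` disagrees with the search domain. Running `dhcpd -t -cf` against the file before deploying would catch the first two.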

41
etc/dnsmasq.d/mikaela Normal file

@ -0,0 +1,41 @@
## This file is for my own configuration that I wish to not get
## accidentally overwritten by package upgrades. This is based on Debian
## Testing (Jessie) dnsmasq.conf on 2014-12-23 08:50+0200
# Send everything to unbound listening on port 5353
no-resolv
server=127.0.0.1#2000 # unbound
# Be better netizen
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# DNSSEC validation and caching:
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
# Check that unsigned reply is OK (takes extra queries)
dnssec-check-unsigned
# Debugging, log all DNS queries
#log-queries
# Filter useless Windows-originated requests
# don't use with Kerberos, SIP, XMPP or Google Talk
#filterwin2k
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
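Review bot: The comment `# Send everything to unbound listening on port 5353` does not match the directive below it, `server=127.0.0.1#2000`, which is also the port set in the unbound server configuration added by this commit. Change the comment to `# Send everything to unbound listening on port 2000`. With `no-resolv` this single upstream is the only resolver, so a wrong port in the comment is the first thing someone will trip over when resolution fails. The TFTP comment `files available via FTP` should say TFTP.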

18
etc/fstab Normal file

@ -0,0 +1,18 @@
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
## swap file creation and auto-mount
# # fallocate -l 4G /swap
# # chmod 600 /swap
# # mkswap /swap
# # swapon /swap
# and to /etc/fstab:
/swap none swap sw 0 0
# Don't mount Windows partition automatically, allow normal users to mount it without root
# noauto,user
UUID=105AB1525AB13576 /media/Windows ntfs defaults,rw,noauto,user 0 0
# Mount my external HDD automatically on boot.
UUID=2A2C535742C3A3D4 /media/Mikaelan ntfs defaults,rw 0 0
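Review bot: The external-disk entry `UUID=2A2C535742C3A3D4 /media/Mikaelan ntfs defaults,rw 0 0` has no `nofail`, so a boot with the disk unplugged will typically stop on the failed mount instead of continuing. `defaults` also leaves `suid`, `dev` and `exec` enabled on removable media, whereas the Windows entry gets the restrictive set implicitly through `user`. Suggested: `UUID=2A2C535742C3A3D4 /media/Mikaelan ntfs defaults,rw,nofail,nosuid,nodev 0 0`.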

65
etc/gai.conf Normal file

@ -0,0 +1,65 @@
# Configuration for getaddrinfo(3).
#
# So far only configuration for the destination address sorting is needed.
# RFC 3484 governs the sorting. But the RFC also says that system
# administrators should be able to overwrite the defaults. This can be
# achieved here.
#
# All lines have an initial identifier specifying the option followed by
# up to two values. Information specified in this file replaces the
# default information. Complete absence of data of one kind causes the
# appropriate default information to be used. The supported commands include:
#
# reload <yes|no>
# If set to yes, each getaddrinfo(3) call will check whether this file
# changed and if necessary reload. This option should not really be
# used. There are possible runtime problems. The default is no.
#
# label <mask> <value>
# Add another rule to the RFC 3484 label table. See section 2.1 in
# RFC 3484. The default is:
#
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
label fec0::/10 5
label fc00::/7 6
#label 2001:0::/32 7
#
# This default differs from the tables given in RFC 3484 by handling
# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
# The reason for this difference is that these addresses are never
# NATed while IPv4 site-local addresses most probably are. Given
# the precedence of IPv6 over IPv4 (see below) on machines having only
# site-local IPv4 and IPv6 addresses a lookup for a global address would
# see the IPv6 be preferred. The result is a long delay because the
# site-local IPv6 addresses cannot be used while the IPv4 address is
# (at least for the foreseeable future) NATed. We also treat Teredo
# tunnels special.
#
# precedence <mask> <value>
# Add another rule to the RFC 3484 precedence table. See section 2.1
# and 10.3 in RFC 3484. The default is:
#
#precedence ::1/128 50
#precedence ::/0 40
#precedence 2002::/16 30
#precedence ::/96 20
#precedence ::ffff:0:0/96 10
#
# For sites which prefer IPv4 connections change the last line to
#
#precedence ::ffff:0:0/96 100
#
# scopev4 <mask> <value>
# Add another rule to the RFC 6724 scope table for IPv4 addresses.
# By default the scope IDs described in section 3.2 in RFC 6724 are
# used. Changing these defaults should hardly ever be necessary.
# The defaults are equivalent to:
#
#scopev4 ::ffff:169.254.0.0/112 2
#scopev4 ::ffff:127.0.0.0/104 2
#scopev4 ::ffff:0.0.0.0/96 14
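Review bot: Uncommenting the `label` lines replaces the built-in label table as a whole (the file's own header says specified information replaces the defaults), and the Teredo entry `#label 2001:0::/32 7` is the one line left commented out, so Teredo addresses now fall under `::/0` with label 1. If that is intended, a comment above the table such as `# Teredo label deliberately omitted: <reason>` would keep a later editor from treating it as an oversight. If it is not intended, uncomment the line.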

12
etc/hosts Normal file

@ -0,0 +1,12 @@
::1 localhost
::1 FQDN UQDN
127.0.0.1 localhost
127.0.1.1 FQDN UQDN
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

41
etc/network/interfaces Normal file

@ -0,0 +1,41 @@
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 172.16.1.
netmask 255.255.0.0
gateway 172.16.0.1
## dns-nameservers is provided by resolvconf so you can specify nameservers
## there. Remember to install dnsmasq to get over the limit of being able
## to use only three DNS servers at time!
dns-nameservers ::1 8.8.8.8 8.8.4.4
dns-search DOMAIN.TLD
iface eth0 inet6 auto
## if radvd is announcing prefixes, IPs from them must be in this file
## see also https://www.sixxs.net/tools/grh/ula/
## radvd globally routable address
#iface eth0 inet6 static
#address RANGE::1
#netmask 64
## radvd ULA
#iface eth0 inet6 static
#address RANGE::1
#netmask64
## Manually adding IPv6 addresses: ip -6 addr add IPv6_ADDREsS/64 dev eth0
## REMEMBER TO CHANGE
## managed=false
## to
## managed=true
## in /etc/NetworkManager/NetworkManager.conf under "[ifupdown]" !
## And restart it!
## service network-manager restart
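Review bot: `address 172.16.1.` is an incomplete address and, unlike `DOMAIN.TLD` or `RANGE::1`, does not look like a placeholder, so ifup will reject the stanza when the file is copied as-is; write it as an obvious placeholder (`address 172.16.1.HOST`) or add a comment. In the commented ULA stanza `#netmask64` is missing the space (`#netmask 64`). `dns-nameservers ::1 8.8.8.8 8.8.4.4` also lets the resolver fall back from the local validating cache to public resolvers, which deserves a comment if DNSSEC validation in dnsmasq is meant to be enforced.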

2
etc/nginx/README.md Normal file

@ -0,0 +1,2 @@
Useful nginx files that I will probably need and which I will forget if I
cannot read them from here.


@ -0,0 +1,20 @@
# Cloudflare
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
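Review bot: This `set_real_ip_from` list is a snapshot with no date or source, yet it defines which peers may overwrite the client address through `CF-Connecting-IP`. A range that Cloudflare later gives up stays trusted here until someone notices, and traffic from a range it adds will appear in logs and access rules under the proxy's address. Add a header such as `# Source: https://www.cloudflare.com/ips/ (checked <YYYY-MM-DD>)` and re-check the list on a schedule.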


@ -0,0 +1,2 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
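Review bot: `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` value the client sent, so a backend that reads the first entry of the header sees a client-chosen address. Where this nginx is the first trusted hop, overwrite instead: `proxy_set_header X-Forwarded-For $remote_addr;`. If the append behaviour is kept for chained proxies, a comment should tell backends to rely on `X-Real-IP` or on the last entry only.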


@ -0,0 +1,70 @@
server {
# default_server from default vhost must exist somewhere!
listen 80;
listen [::]:80;
server_name vhost.example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
listen [::]:443;
root /var/www/vhostdir;
index index.php index.html index.htm;
# vhost address
server_name vhost.example.org;
# SSL
#ssl_certificate /etc/nginx/ssl/nginx.crt;
#ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex on;
}
# Userdir
#ilocation ~ ^/~(.+?)(/.*)?$ {
# alias /home/$1/public_html$2;
# index index.html index.htm;
# autoindex on;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
#include fastcgi_params;
include fastcgi.conf;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
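Review bot: The second server block uses `listen 443;` and `listen [::]:443;` without `ssl`, and both `ssl_certificate` lines are commented out, while the first block redirects all port-80 traffic to `https://$server_name`. As written this block only speaks TLS if another block on the same socket enables it (presumably the default vhost), and clients would then be shown that block's certificate, not one for `vhost.example.org`. Make it explicit with `listen 443 ssl;` / `listen [::]:443 ssl;` and an active certificate pair for this name. The reverse-proxy and plain vhost templates have the same bare `listen 443` lines. `autoindex on;` in `location /` also deserves a second look, since the plain vhost template sets it to off.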


@ -0,0 +1,91 @@
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 default_server ssl;
listen [::]:443 default_server ssl ipv6only=on;
root /var/www/default/;
index index.php index.html index.htm;
### Generating SSL certificate:
## mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl
## openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt
### this takes forever and is used on line 23.
## openssl dhparam -out dhparam.pem 4096
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
# ----- begin of Mozilla Server Side TLS recommendations -----
# **2014-11-07** https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
# See generation on line 14
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Intermediate configuration. tweak to your needs.
# comment just for me, don't uncomment.
#ssl_ciphers '';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Enable this if your want HSTS (recommended)
# HSTS = access only using HTTPS
# add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
#resolver ::1;
# ----- end of Mozilla Server Side TLS recommendations -----
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex on;
}
# Userdir
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm;
autoindex on;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
#include fastcgi_params;
include fastcgi.conf;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
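Review bot: `location ~ \.php$` hands every URI ending in `.php` to PHP-FPM without first checking that the file exists, so the only protection against PHP resolving the path to some other file is the `cgi.fix_pathinfo = 0` setting mentioned in the comment, which lives outside this repository. Adding `try_files $uri =404;` as the first line of the location makes nginx refuse such requests itself; the same block appears in the two vhost templates. Separately, `ssl_stapling on;` with a self-signed certificate and no `resolver` or `ssl_trusted_certificate` will most likely be ignored by nginx, and the comments `used on line 23` / `See generation on line 14` will drift as the file changes.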


@ -0,0 +1,16 @@
server {
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;
server_name something.example.org;
# NOTE: For X-Real-IP & X-Forwarded-For see ../conf.d/rproxy.conf
# Behind CloudFlare see ../conf.d/cloudflare.conf
location / {
proxy_pass http://localhost:8080/;
}
}


@ -0,0 +1,60 @@
server {
# default_server from default vhost must exist somewhere!
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;
root /var/www/vhostdir;
index index.php index.html index.htm;
# vhost address
server_name vhost.example.org;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex off;
}
# Userdir
#ilocation ~ ^/~(.+?)(/.*)?$ {
# alias /home/$1/public_html$2;
# index index.html index.htm;
# autoindex on;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
#include fastcgi_params;
include fastcgi.conf;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}

21
etc/polipo/config Normal file

@ -0,0 +1,21 @@
# This file only needs to list configuration variables that deviate
# from the default values. See /usr/share/doc/polipo/examples/config.sample
# and "polipo -v" for variables you can tweak and further information.
# Defaults
logSyslog = true
logFile = /var/log/polipo/polipo.log
# Address to listen, allowed clients & port
#proxyAddress = ::0
#allowedClients = 172.16.0.0/16, fd6a:d4e8:95e6::/64
#proxyPort = 8123
proxyPort = 8080
# Tor
socksParentProxy = localhost:9050
diskCacheRoot=""
disableLocalInterface=true
censoredHeaders = from, accept-language
censorReferer = maybe
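Review bot: The commented-out `proxyAddress = ::0` and `allowedClients` lines need to be enabled together. As far as I can tell polipo applies no client restriction when `allowedClients` is unset, and with `socksParentProxy = localhost:9050` a proxy reachable without one would relay other hosts' traffic through this machine's Tor client. A comment above the pair, e.g. `# never enable proxyAddress without allowedClients`, would record that.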

15
etc/radvd.conf Normal file

@ -0,0 +1,15 @@
interface eth0
{
AdvSendAdvert on;
AdvOtherConfigFlag on;
prefix 2001:14b8:100:8397::/64
{
AdvOnLink on;
AdvAutonomous on;
};
prefix ULA::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};


@ -0,0 +1,13 @@
## Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
## DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
## Local DNS cache (dnsmasq)
nameserver ::1
## Google DNS IPv6
#nameserver 2001:4860:4860::8888
#nameserver 2001:4860:4860::8844
## Google DNS IPv4
#nameserver 8.8.8.8
#nameserver 8.8.4.4


@ -0,0 +1,3 @@
# According to manual page for resolv.conf, the last search/domain entry
# wins
search DOMAIN.TLD

103
etc/ssh/sshd_config Executable file

@ -0,0 +1,103 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
# sshd default
Port 22
# https, usually not blocked by firewalls. Verify that there is nothing
# else listening on 443 before using this port.
Port 443
# personal port assigning system that I use to get around inability of
# my router to forward one WAN port to another LAN port
Port 10000
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
# ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
# ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
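Review bot: The configuration still loads a DSA host key (`HostKey /etc/ssh/ssh_host_dsa_key`) and the recovery notes regenerate one with `ssh-keygen -t dsa`; DSA host keys are limited to 1024 bits, and with RSA, ECDSA and Ed25519 keys already configured both the line and the keygen command can be dropped. `KeyRegenerationInterval` and `ServerKeyBits 1024` only affect protocol 1, which `Protocol 2` disables, so they are dead settings that make the server look weaker than it is. `X11Forwarding yes` on a daemon listening on three ports on all addresses should either get a comment explaining why it is needed or be set to `no`. The file is also committed as executable, which a configuration file does not need.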


@ -0,0 +1,18 @@
# Forward queries to
forward-zone:
name: "."
# Google
forward-addr: 2001:4860:4860::8888
forward-addr: 2001:4860:4860::8844
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4
# OpenDNS
forward-addr: 2620:0:ccc::2
forward-addr: 2620:0:ccd::2
forward-addr: 208.67.222.222
forward-addr: 208.67.220.220
# Yandex.DNS Basic
forward-addr: 2a02:6b8::feed:0ff
forward-addr: 2a02:6b8:0:1::feed:0ff
forward-addr: 77.88.8.8
forward-addr: 77.88.8.1
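Review bot: All queries for `.` are forwarded in clear text to twelve addresses belonging to three unrelated operators, and unbound chooses among them itself, so any one lookup may be answered, and logged, by any of them. Since dnsmasq in this commit validates DNSSEC with `dnssec-check-unsigned`, each forwarder also has to return DNSSEC records or validation will fail intermittently depending on which one answered; I cannot confirm from this page that all three do. A comment stating why each operator is listed, plus trimming the list to resolvers known to pass DNSSEC data, would make the behaviour predictable.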


@ -0,0 +1,16 @@
server:
# perform cryptographic DNSSEC validation using the root trust anchor.
# this should be in /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
interface: ::1
access-control: ::1 allow
port: 2000
# logging
chroot: ""
use-syslog: yes
log-time-ascii: yes
log-queries: yes
# 0 - 5, default 1, query information 3
verbosity: 1
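Review bot: `chroot: ""` turns off unbound's chroot and `log-queries: yes` writes every query name to syslog, and neither line says why. If the chroot is disabled only for syslog or trust-anchor path reasons, say so in a comment (`# chroot disabled because <reason>`). For the query log, note the retention implication or keep it commented out the way `#log-queries` is in the dnsmasq file.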