commit 2a2ff446af0dd2077d2e02826863b81a00e8750f Author: Mike Phares Date: Sun Apr 21 17:16:49 2024 -0700 Init
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..63c9e16
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,46 @@
+*
+
+!.gitignore
+!*.ffs_gui
+
+!*/
+
+!etc/.pihole/advanced/pihole-admin.conf
+!etc/apt/sources.list
+!etc/bash_history*
+!etc/dhcpcd.conf
+!etc/hosts
+!etc/kea/kea-dhcp4.conf
+!etc/lighttpd/lighttpd.conf
+!etc/network/interfaces
+!etc/passwd
+!etc/pihole/dhcp.leases
+!etc/pihole/index.nginx-debian.html
+!etc/pihole/setupVars.conf
+!etc/resolv.conf
+!etc/snmp/snmpd.conf
+!etc/sysctl.conf
+!etc/systemd/resolved.conf
+!etc/systemd/system/code-server.service
+!etc/systemd/system/gogs-daemon.service
+!etc/systemd/system/text-2-json.service
+!etc/ufw/user.rules
+!etc/unbound/unbound.conf
+!etc/unbound/unbound.conf.d/pi-hole.conf
+
+!etc/dnsmasq.d/*
+!etc/fstab/*
+!etc/letsencrypt/*
+!etc/netplan/*
+!etc/nginx/sites-available/*
+!etc/mysql/mariadb.conf.d/*
+!etc/php/*
+!etc/postgresql/*
+!etc/wsl/*
+
+# !home/gogs/gogs/custom/conf/app.ini
+# !home/syncthing/.config/syncthing/config.xml
+# !usr/local/etc/gogs/conf/app.ini
+# !usr/local/etc/no-ip2.conf
+# !var/snap/nextcloud/current/nextcloud/config/*
+# !var/www/html/.well-known/acme-challenge/*
diff --git a/etc/apt/sources.list b/etc/apt/sources.list
new file mode 100644
index 0000000..de7b3cf
--- /dev/null
+++ b/etc/apt/sources.list
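Review bot: Several of the re-included paths are secret-bearing: `!etc/bash_history*` commits shell history, which routinely captures passwords typed on a command line, `!etc/pihole/setupVars.conf` normally holds the Pi-hole admin password hash (`WEBPASSWORD`), and `!etc/snmp/snmpd.conf` usually carries community strings or SNMPv3 passphrases. Unless this repository is private and handled as sensitive, drop the history pattern and leave those two configs out or commit redacted copies, the way the gogs `app.ini`, `no-ip2.conf` and nextcloud `config/` entries are already left commented. Note that `!etc/letsencrypt/*` only un-ignores direct children of that directory because `*` does not cross `/`, so key material under `live/` and `archive/` stays ignored; widening the pattern to `**` would change that, so keep it as written.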
@@ -0,0 +1,42 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+deb http://us.archive.ubuntu.com/ubuntu/ mantic universe
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic universe
+deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+deb http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu/ mantic-security main restricted
+# deb-src http://security.ubuntu.com/ubuntu/ mantic-security main restricted
+deb http://security.ubuntu.com/ubuntu/ mantic-security universe
+# deb-src http://security.ubuntu.com/ubuntu/ mantic-security universe
+deb http://security.ubuntu.com/ubuntu/ mantic-security multiverse
+# deb-src http://security.ubuntu.com/ubuntu/ mantic-security multiverse
diff --git a/etc/dhcpcd.conf b/etc/dhcpcd.conf
new file mode 100644
index 0000000..916e82d
--- /dev/null
+++ b/etc/dhcpcd.conf
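Review bot: Every `deb` line pins `mantic`, the 23.10 interim release with a nine-month support window, so `mantic-security` stops delivering fixes around mid-2024; if this box is the long-lived server that the tracked nginx, DNS and DHCP configs suggest, an LTS series (`jammy`, or `noble` once it ships) keeps security updates flowing. All mirrors are fetched over plain `http://`; APT's signature verification protects integrity, but `https://` is supported by `security.ubuntu.com` and the official archive mirrors and hides the package list from on-path observers at no cost, so switch the scheme on each `deb` line. `mantic-backports` is enabled for all four components even though the in-file comment notes it receives no security review, so leave that line commented unless a specific package needs it.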
@@ -0,0 +1,48 @@
+# A sample configuration for dhcpcd.
+# See dhcpcd.conf(5) for details.
+
+# Allow users of this group to interact with dhcpcd via the control socket.
+#controlgroup wheel
+
+# Inform the DHCP server of our hostname for DDNS.
+#hostname
+
+# Use the hardware address of the interface for the Client ID.
+#clientid
+# or
+# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
+# Some non-RFC compliant DHCP servers do not reply with this set.
+# In this case, comment out duid and enable clientid above.
+duid
+
+# Persist interface configuration when dhcpcd exits.
+persistent
+
+# vendorclassid is set to blank to avoid sending the default of
+# dhcpcd-:::
+vendorclassid
+
+# A list of options to request from the DHCP server.
+option domain_name_servers, domain_name, domain_search
+option classless_static_routes
+# Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+# Request a hostname from the network
+option host_name
+
+# Most distributions have NTP support.
+#option ntp_servers
+
+# Rapid commit support.
+# Safe to enable by default because it requires the equivalent option set
+# on the server to actually work.
+option rapid_commit
+
+# A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+# Generate SLAAC address using the Hardware Address of the interface
+#slaac hwaddr
+# OR generate Stable Private IPv6 Addresses based from the DUID
+slaac private
diff --git a/etc/hosts b/etc/hosts
new file mode 100644
index 0000000..c7ba52d
--- /dev/null
+++ b/etc/hosts
@@ -0,0 +1,9 @@
+127.0.0.1 localhost
+127.0.1.1 server
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/etc/netplan/50-cloud-init.yaml b/etc/netplan/50-cloud-init.yaml
new file mode 100644
index 0000000..c65fbdb
--- /dev/null
+++ b/etc/netplan/50-cloud-init.yaml
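Review bot: This is the stock `dhcpcd.conf` sample, and `option domain_name_servers, domain_name, domain_search` asks the lease for resolvers that dhcpcd's resolv.conf hook will then install; if this host is meant to be the LAN resolver, as the tracked `etc/unbound` and `etc/pihole` paths suggest, the router's DNS keeps being written back over the local one — add `nohook resolv.conf` (or `static domain_name_servers=127.0.0.1`) to stop that. The `50-cloud-init.yaml` in this same commit already has `dhcp4: true` on `enp2s0` via systemd-networkd, so two DHCP clients may be racing on one interface; only one of dhcpcd and networkd should be enabled, and the other's config dropped rather than left looking live. Keeping `slaac private` over `slaac hwaddr` is the right call, since it keeps the MAC out of the IPv6 address.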
@@ -0,0 +1,11 @@
+# This file is generated from information provided by the datasource. Changes
+# to it will not persist across an instance reboot. To disable cloud-init's
+# network configuration capabilities, write a file
+# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
+# network: {config: disabled}
+network:
+ ethernets:
+ enp2s0:
+ dhcp4: true
+ version: 2
+ wifis: {}
diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
new file mode 100644
index 0000000..c5af914
--- /dev/null
+++ b/etc/nginx/sites-available/default
@@ -0,0 +1,91 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/etc/passwd b/etc/passwd
new file mode 100644
index 0000000..530284f
--- /dev/null
+++ b/etc/passwd
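Review bot: The default server is the catch-all on port 80 (`listen 80 default_server;`, `server_name _;`) serving `/var/www/html` with no dotfile protection, so a `.git/` or `.env` that ends up in the docroot is served as-is; the only deny block, for `.ht*`, is left commented. Un-comment it and widen it to every dotfile while keeping ACME http-01 reachable — the `.well-known/acme-challenge` path this repository mentions suggests certbot is in use — with `location ~ /\.(?!well-known/) { deny all; }`. Add `server_tokens off;` at server scope so the version is not advertised in headers and error pages, and once a TLS vhost lands in `sites-available/` consider having this catch-all `return 444;` for unknown Host values instead of serving files.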
@@ -0,0 +1,28 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
+dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
+messagebus:x:101:106::/nonexistent:/usr/sbin/nologin
+systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
+pollinate:x:102:1::/var/cache/pollinate:/bin/false
+polkitd:x:995:995:polkit:/nonexistent:/usr/sbin/nologin
+usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
+mike:x:1000:1000:Mike Phares:/home/mike:/bin/bash
diff --git a/etc/sysctl.conf b/etc/sysctl.conf
new file mode 100644
index 0000000..eb96ed5
--- /dev/null
+++ b/etc/sysctl.conf
@@ -0,0 +1,68 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+###################################################################
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+# for what other values do
+#kernel.sysrq=438
+
diff --git a/etc/systemd/resolved.conf b/etc/systemd/resolved.conf
new file mode 100644
index 0000000..9f70947
--- /dev/null
+++ b/etc/systemd/resolved.conf
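Review bot: Every hardening knob in this file is still commented, so `accept_redirects`, `send_redirects`, `accept_source_route` and `log_martians` sit at kernel defaults on a host that terminates DNS, DHCP and HTTP on the LAN. Ubuntu normally ships `/etc/sysctl.d/10-network-security.conf` to enable `rp_filter` and `tcp_syncookies`, but `/etc/sysctl.d/` is not tracked, so the effective values cannot be confirmed from this commit — `sysctl net.ipv4.conf.all.rp_filter net.ipv4.tcp_syncookies` on the box would settle it, and adding `!etc/sysctl.d/*` to the .gitignore would keep the drop-ins reviewable. I would un-comment `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv6.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0`, both `accept_source_route = 0` lines and `net.ipv4.conf.all.log_martians = 1`, and mirror each `.all.` entry with a `.default.` one so interfaces added later inherit them. Leaving `ip_forward` off is correct unless the host is also meant to route.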
@@ -0,0 +1,34 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the resolved.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+#DNS=
+#FallbackDNS=
+#Domains=
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=no
+#LLMNR=no
+#Cache=no-negative
+#CacheFromLocalhost=no
+#DNSStubListener=yes
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
diff --git a/etc/ufw/user.rules b/etc/ufw/user.rules
new file mode 100644
index 0000000..7503fbb
--- /dev/null
+++ b/etc/ufw/user.rules
@@ -0,0 +1,11 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+COMMIT
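Review bot: Everything here is the compile-time default with `#DNSStubListener=yes`, `#DNSSEC=no` and `#DNSOverTLS=no` commented, so systemd-resolved keeps its stub on `127.0.0.53:53` and forwards upstream without validation or transport encryption. If this host is to run Pi-hole or unbound on port 53, as the tracked `etc/pihole` and `etc/unbound` paths suggest, the stub should be turned off in a drop-in as this file's own comment recommends — `/etc/systemd/resolved.conf.d/10-local-resolver.conf` containing `[Resolve]` and `DNSStubListener=no` — with `/etc/resolv.conf` repointed at the local resolver, since a daemon binding the wildcard on port 53 will otherwise collide with the stub. If resolved stays the resolver instead, `DNSSEC=allow-downgrade` and `DNSOverTLS=opportunistic` are the low-risk steps up from these defaults.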
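Review bot: The `### RULES ###` section is empty, so there are no `ufw-user-input` rules at all: with ufw's usual `DEFAULT_INPUT_POLICY="DROP"` (set in `/etc/default/ufw`, which is not in this commit) enabling it would cut off everything including SSH, which the `sshd` account in `etc/passwd` indicates is installed, and if ufw is simply left disabled this file records no protection. Before `ufw enable`, add at least `ufw limit 22/tcp` — which appears here as `-A ufw-user-input -p tcp --dport 22 -j ufw-user-limit` under a `### tuple ###` comment and reuses the `ufw-user-limit` chain this file already defines — plus the DNS and HTTP ports the host serves. The IPv6 ruleset `etc/ufw/user6.rules` is not tracked even though `dhcpcd.conf` enables SLAAC, so commit it alongside this file.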