Add server configuration files.

2023-03-02 06:02:48 +00:00 · 2023-03-02 06:02:48 +00:00 · 8087c19704
commit 8087c19704
parent b818e89f2c
4 changed files with 473 additions and 0 deletions
--- a/server/xa000-0/nginx/gitea.conf
+++ b/server/xa000-0/nginx/gitea.conf
@ -0,0 +1,47 @@
+# Inferencium - xa000-0
+# Nginx - Configuration - Gitea
+
+# Copyright 2022-2023 Jake Winters
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Version: 0.0.2.2
+
+
+# Server (unencrypted)
+server {
+		# General
+        server_name    int.git.inferencium.net;
+        listen         80;
+        listen         [::]:80;
+
+		# Location
+        location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+		# General
+		server_name int.git.inferencium.net;
+		listen 443 ssl http2;
+    	listen [::]:443 ssl http2;
+	
+		# Security
+		ssl_certificate /etc/ssl/int.git.inferencium.net/int.git.inferencium.net.crt;
+		ssl_certificate_key /etc/ssl/int.git.inferencium.net/privkey.pem;
+		ssl_protocols TLSv1.3;
+		ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
+		ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+		ssl_prefer_server_ciphers on;
+
+		# Location
+		location / {
+		proxy_pass http://unix:/run/gitea/gitea.socket;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		}
+}
--- a/server/xb000-0/ejabberd/ejabberd.yml
+++ b/server/xb000-0/ejabberd/ejabberd.yml
@ -0,0 +1,310 @@
+# Inferencium - xb000-0
+# ejabberd - Configuration
+
+# Copyright 2022-2023 Jake Winters
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Version: 4.0.1.6
+
+
+# Hosts
+hosts:
+  - inferencium.net
+  - dissensionclub.net
+
+# Hosts configuration
+host_config:
+  inferencium.net:
+    auth_method: internal
+  dissensionclub.net:
+    auth_method: internal
+
+# Language
+language: en
+
+# Security
+## Passwords
+auth_password_format: scram
+auth_scram_hash: sha256
+### Upgrade password hashes to SHA-512 when possible. Currently infeasible due to current users
+### having passwords created using SHA-256.
+#auth_scram_hash: sha512
+
+## Server-to-Server
+s2s_dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+s2s_ciphers:
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+s2s_protocol_options:
+  - no_sslv2
+  - no_sslv3
+  - no_tlsv1
+  - no_tlsv1_1
+  - cipher_server_preferences
+s2s_use_starttls: required
+s2s_tls_compression: false
+s2s_zlib: false
+
+allow_multiple_connections: false
+
+# Logging
+loglevel: info
+hide_sensitive_log_data: true
+
+# Certificates
+ca_file: "/etc/ssl/certs/ca-certificates.crt"
+certfiles:
+  ## dissensionclub.net
+  - "/etc/ssl/dissensionclub.net/ejabberd.pem"
+  ## inferencium.net
+  - "/etc/ssl/inferencium.net/ejabberd.pem"
+  - "/etc/ssl/hfu.xmpp.inferencium.net/ejabberd.pem"
+  - "/etc/ssl/muc.xmpp.inferencium.net/ejabberd.pem"
+  - "/etc/ssl/xmpp.inferencium.net/ejabberd.pem"
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+    protocol_options:
+      - no_sslv2
+      - no_sslv3
+      - no_tlsv1
+      - no_tlsv1_1
+    ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+    starttls: true
+    starttls_required: true
+    tls_compression: false
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+  -
+    port: 5223
+    ip: "::"
+    module: ejabberd_c2s
+    dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+    tls: true
+    protocol_options:
+      - no_sslv2
+      - no_sslv3
+      - no_tlsv1
+      - no_tlsv1_1
+    ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+    tls_compression: false
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    request_handlers:
+      /admin: ejabberd_web_admin
+      /api: mod_http_api
+      /bosh: mod_bosh
+      /captcha: ejabberd_captcha
+      /upload: mod_http_upload
+      /ws: ejabberd_http_ws
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+      "Access-Control-Allow-Headers": "Authorization"
+      "Access-Control-Allow-Headers": "Content-Type, Origin, X-Requested-Width"
+      "Access-Control-Allow-Credentials": "true"
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      /admin: ejabberd_web_admin
+  -
+    port: 3478
+    ip: "::"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    ## The server's public IPv4 address:
+    # turn_ipv4_address: "203.0.113.3"
+    ## The server's public IPv6 address:
+    # turn_ipv6_address: "2001:db8::3"
+
+acl:
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+  admin:
+    user:
+      - "admin@inferencium.net"
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 100000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    name: HTTP File Upload
+    access: local
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+        #"Access-Control-Allow-Origin": "https://@HOST@"
+      "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+      "Access-Control-Allow-Headers": "Content-Type"
+    docroot: /var/lib/ejabberd/upload/@HOST@
+    dir_mode: "2750"
+    file_mode: "0640"
+    max_size: 67108864
+    put_url: https://@HOST@:5443/upload
+    thumbnail: false
+  mod_last: {}
+  mod_mam:
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    host: muc.xmpp.inferencium.net
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      allow_private_messages: true
+#      allow_private_messages_from_visitors: nobody
+#      allow_voice_requests: false
+      anonymous: false
+      logging: false
+      mam: true
+#      members_only: true
+      persistent: true
+      public: false
+      public_list: false
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
+
+default_db: sql
+sql_type: pgsql
+sql_server: "localhost"
+sql_database: "ejabberd"
+sql_username: "ejabberd"
+sql_password: "[REDACTED]"
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
--- a/server/xb000-0/nginx/gitea.conf
+++ b/server/xb000-0/nginx/gitea.conf
@ -0,0 +1,47 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Gitea
+
+# Copyright 2022-2023 Jake Winters
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Version: 0.0.1.1
+
+
+# Server (unencrypted)
+server {
+		# General
+        server_name    git.inferencium.net;
+        listen         80;
+        listen         [::]:80;
+
+		# Location
+        location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+		# General
+		server_name git.inferencium.net;
+		listen 443 ssl http2;
+		listen [::]:443 ssl http2;
+	
+		# Security
+		ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem;
+		ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem;
+		ssl_protocols TLSv1.3;
+		ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
+		ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+		ssl_prefer_server_ciphers on;
+
+		# Location
+		location / {
+		proxy_pass http://unix:/run/gitea/gitea.socket;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		}
+}
--- a/server/xb000-0/nginx/website.conf
+++ b/server/xb000-0/nginx/website.conf
@ -0,0 +1,69 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Website
+
+# Copyright 2022-2023 Jake Winters
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Version: 2.0.1.1
+
+
+# Server (unencrypted)
+server {
+		# General
+		server_name    inferencium.net;
+		listen         80;
+		listen         [::]:80;
+
+		# Location.
+		location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+        # General.
+        server_name inferencium.net;
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+		# Location.
+		location / {
+				root /srv/www/inferencium;
+				index index.html;
+				try_files $uri.html $uri $uri/ =404;
+				rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+				rewrite ^/(.*)/$ /$1 permanent;
+		}
+
+        # Security.
+        ssl_trusted_certificate   /etc/letsencrypt/live/inferencium.net/chain.pem;
+        ssl_certificate           /etc/letsencrypt/live/inferencium.net/fullchain.pem;
+        ssl_certificate_key       /etc/letsencrypt/live/inferencium.net/privkey.pem;
+        ssl_protocols TLSv1.3;
+        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256";
+        ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+        ssl_prefer_server_ciphers on;
+#        ssl_ecdh_curve secp256k1;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+		ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_cache shared:ssl_session_cache:10m;
+        ssl_session_tickets off;
+#        add_header Strict-Transport-Security "max-age=157680000; includeSubDomains; preload" always;
+        add_header X-Frame-Options "DENY";
+        add_header X-Content-Type-Options nosniff;
+#        add_header Content-Security-Policy "default-src 'self'";
+        add_header Referrer-Policy same-origin;
+
+        client_max_body_size 16m;
+        ignore_invalid_headers off;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}