From 8087c1970437a354f4dbe6502cc3a0332d0af938 Mon Sep 17 00:00:00 2001 From: inference Date: Thu, 2 Mar 2023 06:02:48 +0000 Subject: [PATCH] Add server configuration files. --- server/xa000-0/nginx/gitea.conf | 47 ++++ server/xb000-0/ejabberd/ejabberd.yml | 310 +++++++++++++++++++++++++++ server/xb000-0/nginx/gitea.conf | 47 ++++ server/xb000-0/nginx/website.conf | 69 ++++++ 4 files changed, 473 insertions(+) create mode 100644 server/xa000-0/nginx/gitea.conf create mode 100644 server/xb000-0/ejabberd/ejabberd.yml create mode 100644 server/xb000-0/nginx/gitea.conf create mode 100644 server/xb000-0/nginx/website.conf diff --git a/server/xa000-0/nginx/gitea.conf b/server/xa000-0/nginx/gitea.conf new file mode 100644 index 0000000..e6dbdcf --- /dev/null +++ b/server/xa000-0/nginx/gitea.conf @@ -0,0 +1,47 @@ +# Inferencium - xa000-0 +# Nginx - Configuration - Gitea + +# Copyright 2022-2023 Jake Winters +# SPDX-License-Identifier: GPL-3.0-or-later + +# Version: 0.0.2.2 + + +# Server (unencrypted) +server { + # General + server_name int.git.inferencium.net; + listen 80; + listen [::]:80; + + # Location + location / { + return 301 https://$server_name$request_uri; + } +} + +# Server (TLS) +server { + # General + server_name int.git.inferencium.net; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # Security + ssl_certificate /etc/ssl/int.git.inferencium.net/int.git.inferencium.net.crt; + ssl_certificate_key /etc/ssl/int.git.inferencium.net/privkey.pem; + ssl_protocols TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"; + ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"; + ssl_conf_command Options PrioritizeChaCha; + ssl_prefer_server_ciphers on; + + # Location + location / { + proxy_pass http://unix:/run/gitea/gitea.socket; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/server/xb000-0/ejabberd/ejabberd.yml b/server/xb000-0/ejabberd/ejabberd.yml new file mode 100644 index 0000000..2ac5fbe --- /dev/null +++ b/server/xb000-0/ejabberd/ejabberd.yml @@ -0,0 +1,310 @@ +# Inferencium - xb000-0 +# ejabberd - Configuration + +# Copyright 2022-2023 Jake Winters +# SPDX-License-Identifier: GPL-3.0-or-later + +# Version: 4.0.1.6 + + +# Hosts +hosts: + - inferencium.net + - dissensionclub.net + +# Hosts configuration +host_config: + inferencium.net: + auth_method: internal + dissensionclub.net: + auth_method: internal + +# Language +language: en + +# Security +## Passwords +auth_password_format: scram +auth_scram_hash: sha256 +### Upgrade password hashes to SHA-512 when possible. Currently infeasible due to current users +### having passwords created using SHA-256. +#auth_scram_hash: sha512 + +## Server-to-Server +s2s_dhfile: "/etc/ssl/inferencium.net/dh-3072.pem" +s2s_ciphers: + - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" +s2s_protocol_options: + - no_sslv2 + - no_sslv3 + - no_tlsv1 + - no_tlsv1_1 + - cipher_server_preferences +s2s_use_starttls: required +s2s_tls_compression: false +s2s_zlib: false + +allow_multiple_connections: false + +# Logging +loglevel: info +hide_sensitive_log_data: true + +# Certificates +ca_file: "/etc/ssl/certs/ca-certificates.crt" +certfiles: + ## dissensionclub.net + - "/etc/ssl/dissensionclub.net/ejabberd.pem" + ## inferencium.net + - "/etc/ssl/inferencium.net/ejabberd.pem" + - "/etc/ssl/hfu.xmpp.inferencium.net/ejabberd.pem" + - "/etc/ssl/muc.xmpp.inferencium.net/ejabberd.pem" + - "/etc/ssl/xmpp.inferencium.net/ejabberd.pem" + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + dhfile: "/etc/ssl/inferencium.net/dh-3072.pem" + protocol_options: + - no_sslv2 + - no_sslv3 + - no_tlsv1 + - no_tlsv1_1 + ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" + starttls: true + starttls_required: true + tls_compression: false + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + - + port: 5223 + ip: "::" + module: ejabberd_c2s + dhfile: "/etc/ssl/inferencium.net/dh-3072.pem" + tls: true + protocol_options: + - no_sslv2 + - no_sslv3 + - no_tlsv1 + - no_tlsv1_1 + ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" + tls_compression: false + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "::" + module: ejabberd_http + tls: true + request_handlers: + /admin: ejabberd_web_admin + /api: mod_http_api + /bosh: mod_bosh + /captcha: ejabberd_captcha + /upload: mod_http_upload + /ws: ejabberd_http_ws + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Headers": "Content-Type, Origin, X-Requested-Width" + "Access-Control-Allow-Credentials": "true" + - + port: 5280 + ip: "::" + module: ejabberd_http + request_handlers: + /admin: ejabberd_web_admin + - + port: 3478 + ip: "::" + transport: udp + module: ejabberd_stun + use_turn: true + ## The server's public IPv4 address: + # turn_ipv4_address: "203.0.113.3" + ## The server's public IPv6 address: + # turn_ipv6_address: "2001:db8::3" + +acl: + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + admin: + user: + - "admin@inferencium.net" + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 100000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + name: HTTP File Upload + access: local + custom_headers: + "Access-Control-Allow-Origin": "*" + #"Access-Control-Allow-Origin": "https://@HOST@" + "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT" + "Access-Control-Allow-Headers": "Content-Type" + docroot: /var/lib/ejabberd/upload/@HOST@ + dir_mode: "2750" + file_mode: "0640" + max_size: 67108864 + put_url: https://@HOST@:5443/upload + thumbnail: false + mod_last: {} + mod_mam: + assume_mam_usage: true + default: always + mod_mqtt: {} + mod_muc: + host: muc.xmpp.inferencium.net + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + allow_private_messages: true +# allow_private_messages_from_visitors: nobody +# allow_voice_requests: false + anonymous: false + logging: false + mam: true +# members_only: true + persistent: true + public: false + public_list: false + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_proxy65: + access: local + max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + mod_register: + ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: {} + mod_vcard_xupdate: {} + mod_version: + show_os: false + +default_db: sql +sql_type: pgsql +sql_server: "localhost" +sql_database: "ejabberd" +sql_username: "ejabberd" +sql_password: "[REDACTED]" + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 diff --git a/server/xb000-0/nginx/gitea.conf b/server/xb000-0/nginx/gitea.conf new file mode 100644 index 0000000..01da314 --- /dev/null +++ b/server/xb000-0/nginx/gitea.conf @@ -0,0 +1,47 @@ +# Inferencium - xb000-0 +# Nginx - Configuration - Gitea + +# Copyright 2022-2023 Jake Winters +# SPDX-License-Identifier: GPL-3.0-or-later + +# Version: 0.0.1.1 + + +# Server (unencrypted) +server { + # General + server_name git.inferencium.net; + listen 80; + listen [::]:80; + + # Location + location / { + return 301 https://$server_name$request_uri; + } +} + +# Server (TLS) +server { + # General + server_name git.inferencium.net; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # Security + ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem; + ssl_protocols TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"; + ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + ssl_conf_command Options PrioritizeChaCha; + ssl_prefer_server_ciphers on; + + # Location + location / { + proxy_pass http://unix:/run/gitea/gitea.socket; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/server/xb000-0/nginx/website.conf b/server/xb000-0/nginx/website.conf new file mode 100644 index 0000000..8f1d9af --- /dev/null +++ b/server/xb000-0/nginx/website.conf @@ -0,0 +1,69 @@ +# Inferencium - xb000-0 +# Nginx - Configuration - Website + +# Copyright 2022-2023 Jake Winters +# SPDX-License-Identifier: GPL-3.0-or-later + +# Version: 2.0.1.1 + + +# Server (unencrypted) +server { + # General + server_name inferencium.net; + listen 80; + listen [::]:80; + + # Location. + location / { + return 301 https://$server_name$request_uri; + } +} + +# Server (TLS) +server { + # General. + server_name inferencium.net; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # Location. + location / { + root /srv/www/inferencium; + index index.html; + try_files $uri.html $uri $uri/ =404; + rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; + rewrite ^/(.*)/$ /$1 permanent; + } + + # Security. + ssl_trusted_certificate /etc/letsencrypt/live/inferencium.net/chain.pem; + ssl_certificate /etc/letsencrypt/live/inferencium.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/inferencium.net/privkey.pem; + ssl_protocols TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"; + ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + ssl_conf_command Options PrioritizeChaCha; + ssl_prefer_server_ciphers on; +# ssl_ecdh_curve secp256k1; + ssl_stapling on; + ssl_stapling_verify on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_cache shared:ssl_session_cache:10m; + ssl_session_tickets off; +# add_header Strict-Transport-Security "max-age=157680000; includeSubDomains; preload" always; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options nosniff; +# add_header Content-Security-Policy "default-src 'self'"; + add_header Referrer-Policy same-origin; + + client_max_body_size 16m; + ignore_invalid_headers off; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +}