Add system "xa000-0" configuration files

xa000-0/nginx/gitea.conf

@@ -0,0 +1,47 @@
+# Inferencium - xa000-0
+# Nginx - Configuration - Gitea
+
+# Copyright 2022-2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Version: 1.0.0.3
+
+
+# Server (unencrypted)
+server {
+		# General
+        server_name    int.git.inferencium.net;
+        listen         80;
+        listen         [::]:80;
+
+		# Location
+        location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+		# General
+		server_name int.git.inferencium.net;
+		listen 443 ssl http2;
+    	listen [::]:443 ssl http2;
+	
+		# Security
+		ssl_certificate /etc/ssl/int.git.inferencium.net/int.git.inferencium.net.crt;
+		ssl_certificate_key /etc/ssl/int.git.inferencium.net/privkey.pem;
+		ssl_protocols TLSv1.3;
+		ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
+		ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+		ssl_prefer_server_ciphers on;
+
+		# Location
+		location / {
+		proxy_pass http://unix:/run/gitea/gitea.socket;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		}
+}

xa000-0/ssh/sshd_config

@@ -0,0 +1,122 @@
+# Inferencium
+# SSH - sshd Configuration
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Version: 0.0.1.1
+
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Keys
+HostKey /etc/ssh/ssh-host-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+
+# Ciphers
+Ciphers chacha20-poly1305@openssh.com
+
+MACs -*
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication
+LoginGraceTime 30s
+PermitRootLogin yes
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 5
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/misc/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+# Allow client to pass locale environment variables. #367017
+AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+
+# Allow client to pass COLORTERM to match TERM. #658540
+AcceptEnv COLORTERM