Compare commits
8 Commits
dda6a06454
...
7ecabeaadc
Author | SHA1 | Date |
---|---|---|
Egor Savkin | 7ecabeaadc | |
Egor Savkin | ad02ee3bda | |
Egor Savkin | 138b1ea45e | |
Egor Savkin | 4b36c5a610 | |
Egor Savkin | c67bc6e033 | |
Egor Savkin | be6cee2bb8 | |
Egor Savkin | 49e8dda365 | |
Egor Savkin | 3587f3b65d |
|
@ -0,0 +1,81 @@
|
|||
upstream rfq_server {
|
||||
server 127.0.0.1:5000;
|
||||
}
|
||||
|
||||
server {
|
||||
limit_conn addr 5;
|
||||
|
||||
root /var/www/m-labs-intl.com/html;
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
|
||||
server_name m-labs-intl.com;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
listen [::]:443 ssl ipv6only=on; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
server_name www.m-labs-intl.com;
|
||||
return 301 https://m-labs-intl.com$request_uri;
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
server_name hooks.m-labs-intl.com;
|
||||
limit_conn addr 5;
|
||||
|
||||
location /rfq {
|
||||
proxy_pass http://rfq_server/rfq;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 30;
|
||||
proxy_connect_timeout 30;
|
||||
proxy_send_timeout 30;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 418;
|
||||
}
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
limit_conn addr 5;
|
||||
if ($host = m-labs-intl.com) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
if ($host = www.m-labs-intl.com) {
|
||||
return 301 https://m-labs-intl.com$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
# Debian specific: Specifying a file name will cause the first
|
||||
# line of that file to be used as the name. The Debian default
|
||||
# is /etc/mailname.
|
||||
#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
|
||||
biff = no
|
||||
|
||||
# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = no
|
||||
|
||||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
|
||||
# fresh installs.
|
||||
compatibility_level = 3.6
|
||||
|
||||
|
||||
|
||||
# TLS parameters
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_tls_security_level=may
|
||||
|
||||
smtp_tls_CApath=/etc/ssl/certs
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = mail.m-labs-intl.com
|
||||
mydomain = m-labs-intl.com
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myorigin = $mydomain
|
||||
#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
|
||||
mydestination =
|
||||
relayhost = mail.m-labs.hk
|
||||
#relay_domains = $mydomain
|
||||
local_transport = error:local delivery disabled
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
|
||||
|
||||
|
||||
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||
virtual_alias_domains = $mydomain m-labs.hk
|
||||
|
||||
|
||||
# DKIM
|
||||
milter_default_action = accept
|
||||
milter_protocol = 2
|
||||
smtpd_milters = inet:localhost:8891
|
||||
non_smtpd_milters = inet:localhost:8891
|
|
@ -0,0 +1,90 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
error_log /var/log/nginx/error.log;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Rate limiting
|
||||
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
stream {
|
||||
# Upstream mail servers
|
||||
upstream smtp_backend {
|
||||
server mail.m-labs.hk:25;
|
||||
}
|
||||
|
||||
upstream submission_backend {
|
||||
server mail.m-labs.hk:587;
|
||||
}
|
||||
|
||||
# SMTP
|
||||
server {
|
||||
listen 25;
|
||||
proxy_protocol on;
|
||||
proxy_pass smtp_backend;
|
||||
}
|
||||
|
||||
# Submission (Authenticated SMTP)
|
||||
server {
|
||||
listen 587;
|
||||
proxy_protocol on;
|
||||
proxy_pass submission_backend;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# NOTE: This is a legacy configuration file. It is not used by the opendkim
|
||||
# systemd service. Please use the corresponding configuration parameters in
|
||||
# /etc/opendkim.conf instead.
|
||||
#
|
||||
# Previously, one would edit the default settings here, and then execute
|
||||
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
|
||||
# /etc/systemd/system/opendkim.service.d/override.conf and
|
||||
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
|
||||
# recommended to adjust the settings directly in /etc/opendkim.conf.
|
||||
#
|
||||
#DAEMON_OPTS=""
|
||||
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
|
||||
# postfix in a chroot:
|
||||
#RUNDIR=/var/spool/postfix/run/opendkim
|
||||
RUNDIR=/run/opendkim
|
||||
#
|
||||
# Uncomment to specify an alternate socket
|
||||
# Note that setting this will override any Socket value in opendkim.conf
|
||||
# default:
|
||||
SOCKET=local:$RUNDIR/opendkim.sock
|
||||
# listen on all interfaces on port 54321:
|
||||
#SOCKET=inet:54321
|
||||
# listen on loopback on port 12345:
|
||||
#SOCKET=inet:12345@localhost
|
||||
# listen on 192.0.2.1 on port 12345:
|
||||
#SOCKET=inet:12345@192.0.2.1
|
||||
USER=opendkim
|
||||
GROUP=opendkim
|
||||
PIDFILE=$RUNDIR/$NAME.pid
|
||||
EXTRAAFTER=
|
||||
|
||||
SOCKET="inet:8891@localhost"
|
|
@ -0,0 +1,57 @@
|
|||
# This is a basic configuration for signing and verifying. It can easily be
|
||||
# adapted to suit a basic installation. See opendkim.conf(5) and
|
||||
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
|
||||
# documentation of available configuration parameters.
|
||||
|
||||
Syslog yes
|
||||
SyslogSuccess yes
|
||||
#LogWhy no
|
||||
|
||||
# Common signing and verification parameters. In Debian, the "From" header is
|
||||
# oversigned, because it is often the identity key used by reputation systems
|
||||
# and thus somewhat security sensitive.
|
||||
Canonicalization relaxed/simple
|
||||
#Mode sv
|
||||
#SubDomains no
|
||||
OversignHeaders From
|
||||
|
||||
# Signing domain, selector, and key (required). For example, perform signing
|
||||
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
|
||||
# using the private key stored in /etc/dkimkeys/example.private. More granular
|
||||
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
|
||||
#Domain example.com
|
||||
#Selector 2020
|
||||
#KeyFile /etc/dkimkeys/example.private
|
||||
|
||||
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
|
||||
# using a local socket with MTAs that access the socket as a non-privileged
|
||||
# user (for example, Postfix). You may need to add user "postfix" to group
|
||||
# "opendkim" in that case.
|
||||
UserID opendkim
|
||||
UMask 007
|
||||
|
||||
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
|
||||
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
|
||||
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
|
||||
# configured as shown on the last line below.
|
||||
Socket local:/run/opendkim/opendkim.sock
|
||||
#Socket inet:8891@localhost
|
||||
#Socket inet:8891
|
||||
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
|
||||
|
||||
PidFile /run/opendkim/opendkim.pid
|
||||
|
||||
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
|
||||
# OPERATION section of opendkim(8) for more information.
|
||||
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
|
||||
|
||||
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
|
||||
# by the package dns-root-data.
|
||||
TrustAnchorFile /usr/share/dns/root.key
|
||||
#Nameservers 127.0.0.1
|
||||
|
||||
|
||||
Domain m-labs-intl.com
|
||||
KeyFile /etc/postfix/dkim.key
|
||||
Selector mail
|
||||
SOCKET inet:8891@localhost
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=RFQ service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=rfqserver
|
||||
ExecStart=/home/rfqserver/runrfq.sh
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,14 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
export FLASK_DEBUG=0
|
||||
export FLASK_MAIL_SERVER=mail.m-labs.hk
|
||||
export FLASK_MAIL_PORT=465
|
||||
export FLASK_MAIL_USE_SSL=True
|
||||
export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
|
||||
export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
|
||||
export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
|
||||
export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
|
||||
|
||||
cd /home/rfqserver/web2019/server
|
||||
source venv/bin/activate
|
||||
python3 -m flask --app rfq run --port=5000
|
|
@ -0,0 +1,68 @@
|
|||
# Setup m-labs-intl.com server
|
||||
|
||||
```shell
|
||||
apt install git nginx-full python3 python3.12-venv python3-pip
|
||||
snap install --classic certbot
|
||||
ln -s /snap/bin/certbot /usr/bin/certbot
|
||||
useradd -m rfqserver
|
||||
useradd -m zolaupd
|
||||
|
||||
cp m-labs-intl.com /etc/nginx/sites-available/
|
||||
cp nginx.conf /etc/nginx/
|
||||
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
|
||||
|
||||
mkdir -p /var/www/m-labs-intl.com/html
|
||||
chown -R zolaupd /var/www/m-labs-intl.com/
|
||||
|
||||
cp runrfq.sh /home/rfqserver/
|
||||
cp mail.secret /home/rfqserver/
|
||||
chown rfqserver /home/rfqserver/runrfq.sh
|
||||
chmod +x /home/rfqserver/runrfq.sh
|
||||
chown rfqserver /home/rfqserver/mail.secret
|
||||
|
||||
|
||||
sudo -u zolaupd sh -c '
|
||||
cd /home/zolaupd;
|
||||
mkdir /home/zolaupd/.ssh;
|
||||
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
|
||||
chmod 700 .ssh/
|
||||
chmod 600 .ssh/authorized_keys
|
||||
'
|
||||
|
||||
sudo -u rfqserver sh -c '
|
||||
cd /home/rfqserver;
|
||||
git clone https://git.m-labs.hk/M-Labs/web2019.git;
|
||||
cd web2019;
|
||||
python3 -m venv ./venv;
|
||||
source venv/bin/activate;
|
||||
pip install -r requirements.txt;
|
||||
'
|
||||
|
||||
cp rfq.service /etc/systemd/system/
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable rfq.service
|
||||
systemctl start rfq.service
|
||||
systemctl enable danted.service
|
||||
|
||||
service nginx restart
|
||||
|
||||
certbot --nginx
|
||||
|
||||
service nginx restart
|
||||
|
||||
ufw default deny
|
||||
ufw allow from 94.190.212.123
|
||||
ufw allow from 2001:470:f891:1:5999:5529:5d:f71d
|
||||
ufw allow from 202.77.7.238
|
||||
ufw allow from 2001:470:18:390::2
|
||||
ufw allow "Nginx HTTP"
|
||||
ufw allow "Nginx HTTPS"
|
||||
ufw limit OpenSSH
|
||||
ufw default allow outgoing
|
||||
ufw limit 25/tcp
|
||||
ufw limit 587/tcp
|
||||
ufw show added
|
||||
ufw enable
|
||||
```
|
|
@ -1176,6 +1176,32 @@ in
|
|||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||
};
|
||||
};
|
||||
systemd.services.ssh-tunnel-intl = {
|
||||
description = "SSH Tunnel to Intl";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "sockets.service" ];
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
User = "hydra-queue-runner"; # TODO needs new user both here and there
|
||||
Group = "hydra";
|
||||
ExecStart = "${pkgs.openssh}/bin/ssh -N -L 127.0.0.1:1587:5.78.86.156:1587 zolaupd@5.78.86.156";
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."postfix/sender_relay".text = ''
|
||||
@m-labs-intl.com [localhost]:1587
|
||||
@m-labs.hk :
|
||||
@m-labs.ph :
|
||||
@193thz.com :
|
||||
@malloctech.fr :
|
||||
'';
|
||||
systemd.services.postfix-rebuild-sender-relay = {
|
||||
description = "Postfix Rebuild Sender Dependent Relayhost Maps";
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
|
@ -1185,8 +1211,14 @@ in
|
|||
enablePop3 = true;
|
||||
enablePop3Ssl = true;
|
||||
certificateScheme = "acme-nginx";
|
||||
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
|
||||
} // (import /etc/nixos/secret/email_settings.nix);
|
||||
services.postfix = {
|
||||
config = {
|
||||
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
|
||||
postscreen_upstream_proxy_protocol = "haproxy";
|
||||
postscreen_upstream_proxy_timeout = "5s";
|
||||
};
|
||||
};
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
hostName = "mail.m-labs.hk";
|
||||
|
|
Loading…
Reference in New Issue