Diffstat (limited to 'packages/crashbox-config')
27 files changed, 488 insertions, 0 deletions
diff --git a/packages/crashbox-config/base/20auto-upgrades b/packages/crashbox-config/base/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/packages/crashbox-config/base/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/packages/crashbox-config/debian/changelog b/packages/crashbox-config/debian/changelog
new file mode 100644
index 0000000..4991b8d
--- /dev/null
+++ b/packages/crashbox-config/debian/changelog
@@ -0,0 +1,5 @@
+crashbox-config (1) unstable; urgency=medium
+
+ * Initial Release.
+
+ -- Jakob Odersky <infra@crashbox.io> Tue, 28 Aug 2018 21:47:21 -0700
diff --git a/packages/crashbox-config/debian/compat b/packages/crashbox-config/debian/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/packages/crashbox-config/debian/compat
@@ -0,0 +1 @@
+11
diff --git a/packages/crashbox-config/debian/control b/packages/crashbox-config/debian/control
new file mode 100644
index 0000000..aacca52
--- /dev/null
+++ b/packages/crashbox-config/debian/control
@@ -0,0 +1,38 @@
+Source: crashbox-config
+Section: admin
+Priority: optional
+Maintainer: Jakob Odersky <infra@crashbox.io>
+Build-Depends: debhelper (>= 11)
+Standards-Version: 4.1.3
+
+Package: crashbox-base-config
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, apt-listchanges, ca-certificates, curl, jq, openssl, rsync, ufw, unattended-upgrades, wget, sudo
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: configuration for base system
+ Adds local customizations to the base system configuration.
+
+Package: crashbox-nginx-config
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ssl-cert, nginx, crashbox-base-config
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: local nginx configuration
+ Adds local customizations to nginx config
+
+Package: crashbox-ip-config
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, crashbox-nginx-config
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: what-is-my-ip website
+ Adds an nginx site that echoes back a remote IP address
+
+Package: crashbox-git-config
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, crashbox-nginx-config, cgit, python3-pygments, python3-markdown, git-core, fcgiwrap, adduser
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: cgit web interface
+ Adds an nginx site that serves a CGit instance
\ No newline at end of file
diff --git a/packages/crashbox-config/debian/copyright b/packages/crashbox-config/debian/copyright
new file mode 100644
index 0000000..ac7fbf4
--- /dev/null
+++ b/packages/crashbox-config/debian/copyright
@@ -0,0 +1,27 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: crashbox-config
+
+Files: *
+Copyright: 2018 Jakob Odersky <jakob@odersky.com>
+License: GPL-3.0+
+
+Files: debian/*
+Copyright: 2018 Jakob Odersky <jakob@odersky.com>
+License: GPL-3.0+
+
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
\ No newline at end of file
diff --git a/packages/crashbox-config/debian/crashbox-base-config.install b/packages/crashbox-config/debian/crashbox-base-config.install
new file mode 100644
index 0000000..ef80655
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-base-config.install
@@ -0,0 +1 @@
+base/20auto-upgrades etc/apt/apt.conf.d/
diff --git a/packages/crashbox-config/debian/crashbox-base-config.postinst b/packages/crashbox-config/debian/crashbox-base-config.postinst
new file mode 100644
index 0000000..b48f01f
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-base-config.postinst
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postinst script for crashbox-base-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ ufw allow 22/tcp || true
+ ufw default deny || true
+ ufw --force enable || true
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packages/crashbox-config/debian/crashbox-git-config.cron.d b/packages/crashbox-config/debian/crashbox-git-config.cron.d
new file mode 100644
index 0000000..d9cadfd
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-git-config.cron.d
@@ -0,0 +1 @@
+0 0 * * * git /usr/bin/gh-mirror-all
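Review bot: The three `ufw` calls in the `configure` branch of crashbox-base-config.postinst all end in `|| true`, so a host where `ufw --force enable` fails is still reported as configured while running with no firewall at all. Since this package exists to establish that baseline, I would let `set -e` abort the install on failure, or at the very least surface it, e.g. `ufw --force enable || echo "WARNING: ufw could not be enabled" >&2`. If SSH brute-force noise is a concern, `ufw limit 22/tcp` is a drop-in replacement for `ufw allow 22/tcp`.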
\ No newline at end of file
diff --git a/packages/crashbox-config/debian/crashbox-git-config.install b/packages/crashbox-config/debian/crashbox-git-config.install
new file mode 100644
index 0000000..a7d3e36
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-git-config.install
@@ -0,0 +1,3 @@
+git/etc/* etc
+git/usr/* usr
+git/var/* var
diff --git a/packages/crashbox-config/debian/crashbox-git-config.postinst b/packages/crashbox-config/debian/crashbox-git-config.postinst
new file mode 100644
index 0000000..774869e
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-git-config.postinst
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ adduser --group --system --home /var/lib/git git
+ mkdir -p /srv/git
+ chown -R git:git /srv/git
+ mkdir -p /var/lib/git/www/
+ ln -s /usr/share/cgit/cgit.css /var/lib/git/www/cgit.css
+ ln -s /usr/share/cgit/robots.txt /var/lib/git/www/robots.txt
+ deb-systemd-invoke restart nginx
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packages/crashbox-config/debian/crashbox-ip-config.install b/packages/crashbox-config/debian/crashbox-ip-config.install
new file mode 100644
index 0000000..2646928
--- /dev/null
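Review bot: The `configure` branch of crashbox-git-config.postinst is not idempotent: the two `ln -s` calls into /var/lib/git/www fail once the links exist, and with `set -e` that aborts every upgrade or reconfigure of the package. crashbox-nginx-config.postinst already uses the forcing form, so `ln -f -s /usr/share/cgit/cgit.css /var/lib/git/www/cgit.css` (and the same for robots.txt) would match it. Separately, `chown -R git:git /srv/git` re-owns the whole tree on every configure; a comment saying why that is intended would help the next maintainer.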
+++ b/packages/crashbox-config/debian/crashbox-ip-config.install
@@ -0,0 +1 @@
+ip/ip.conf etc/nginx/sites-enabled/
diff --git a/packages/crashbox-config/debian/crashbox-ip-config.postinst b/packages/crashbox-config/debian/crashbox-ip-config.postinst
new file mode 100644
index 0000000..90e58d6
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-ip-config.postinst
@@ -0,0 +1,40 @@
+#!/bin/sh
+# postinst script for crashbox-ip-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ deb-systemd-invoke restart nginx
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packages/crashbox-config/debian/crashbox-nginx-config.install b/packages/crashbox-config/debian/crashbox-nginx-config.install
new file mode 100644
index 0000000..f2ed0d3
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-nginx-config.install
@@ -0,0 +1 @@
+nginx/etc/* etc
diff --git a/packages/crashbox-config/debian/crashbox-nginx-config.postinst b/packages/crashbox-config/debian/crashbox-nginx-config.postinst
new file mode 100644
index 0000000..7a22244
--- /dev/null
+++ b/packages/crashbox-config/debian/crashbox-nginx-config.postinst
@@ -0,0 +1,54 @@
+#!/bin/sh
+# postinst script for crashbox-nginx-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ ln -f -s /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/default
+ usermod --append --groups ssl-cert www-data
+ ufw allow 80/tcp
+ ufw allow 443/tcp
+
+ if [ ! -r /etc/ssl/private/server.key.pem ] \
+ || [ ! -r /etc/ssl/server.cert.pem ] \
+ || [ ! -r /etc/ssl/issuer.cert.pem ]; then
+ ln -f -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/server.key.pem
+ ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/server.cert.pem
+ ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/issuer.cert.pem
+ echo "WARNING: no certificates found, falling back to snakeoil certificates!" >&2
+ fi
+
+ deb-systemd-invoke restart nginx
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packages/crashbox-config/debian/rules b/packages/crashbox-config/debian/rules
new file mode 100755
index 0000000..9946432
--- /dev/null
+++ b/packages/crashbox-config/debian/rules
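Review bot: The snakeoil fallback in the `configure` branch fires when any one of the three files is unreadable but then force-links all three, so a host with a real `server.key.pem` and `server.cert.pem` and only a missing `issuer.cert.pem` gets its real key and certificate replaced by the self-signed pair on the next configure. Each path should be tested and linked on its own, e.g. `[ -r /etc/ssl/private/server.key.pem ] || ln -f -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/server.key.pem`. Also, `usermod --append --groups ssl-cert www-data` gives the nginx worker account, and presumably any CGI processes that run as www-data, read access to the private keys. nginx normally loads keys in its root-owned master process, so this membership looks unnecessary and should be dropped or justified in a comment.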
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#export DH_VERBOSE = 1
+
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+
+%:
+ dh $@
diff --git a/packages/crashbox-config/debian/source/format b/packages/crashbox-config/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/packages/crashbox-config/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/packages/crashbox-config/git/etc/cgitrc.d/crashbox b/packages/crashbox-config/git/etc/cgitrc.d/crashbox
new file mode 100644
index 0000000..e95ff11
--- /dev/null
+++ b/packages/crashbox-config/git/etc/cgitrc.d/crashbox
@@ -0,0 +1,63 @@
+#
+# cgit config
+# see cgitrc(5) for details
+#
+# https://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+
+favicon=/crashbox.png
+logo=/crashbox.png
+root-title=git.crashbox.io
+root-desc=Git repositories hosted at crashbox.io
+root-readme=/var/lib/git/www/about.md
+clone-url=https://git.crashbox.io/$CGIT_REPO_URL
+
+## List of common mimetypes
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+mimetype-file=/etc/mime.types
+
+# Don't show owner on index page
+enable-index-owner=0
+
+# Enable blame page and create links to it from tree page
+enable-blame=1
+
+# Enable ASCII art commit history graph on the log pages
+enable-commit-graph=1
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+# Highlight code
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+
+# Format "about" files such as markdown readmes
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+readme=master:README.md
+
+# nginx handles negotiating git clones
+enable-http-clone=0
+
+section-from-path=-1
+
+# Remove ".git" suffix in listings
+remove-suffix=1
+
+# Base URL
+virtual-root=/
+
+scan-path=/srv/git
diff --git a/packages/crashbox-config/git/etc/gh-mirror b/packages/crashbox-config/git/etc/gh-mirror
new file mode 100644
index 0000000..4fc987b
--- /dev/null
+++ b/packages/crashbox-config/git/etc/gh-mirror
@@ -0,0 +1,4 @@
+users jodersky /srv/git/mirrors/github/jodersky
+orgs project-condor /srv/git/mirrors/github/project-condor
+orgs driver-oss /srv/git/mirrors/github/driver-oss
+orgs johnandjohn /srv/git/mirrors/github/johnandjohn
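Review bot: `about-filter` together with `readme=master:README.md` renders README content from every repository under `scan-path`, and the /etc/gh-mirror list in this same commit fills that path with third-party GitHub accounts. Python-Markdown passes raw HTML through by default, so unless the packaged filter sanitises its output, a mirrored README can place markup and script in the git.* origin. I would add a comment above `about-filter` stating that READMEs are untrusted input, and pair the site with a restrictive `Content-Security-Policy` header on the nginx side.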
diff --git a/packages/crashbox-config/git/etc/nginx/sites-enabled/git.conf b/packages/crashbox-config/git/etc/nginx/sites-enabled/git.conf
new file mode 100644
index 0000000..7210dbc
--- /dev/null
+++ b/packages/crashbox-config/git/etc/nginx/sites-enabled/git.conf
@@ -0,0 +1,33 @@
+server {
+ server_name git.*;
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/lib/git/www;
+
+ # requests that should to go to git-http-backend
+ location ~ ^.*/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ root /srv/git;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param CGIT_CONFIG /etc/cgitrc.d/crashbox;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location / {
+ try_files $uri @cgit;
+ }
+
+}
diff --git a/packages/crashbox-config/git/usr/bin/gh-mirror b/packages/crashbox-config/git/usr/bin/gh-mirror
new file mode 100755
index 0000000..54985cb
--- /dev/null
+++ b/packages/crashbox-config/git/usr/bin/gh-mirror
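Review bot: The first `location` regex routes `git-receive-pack` to git-http-backend, yet the server block carries no `auth_basic` or other access control, so pushes are refused only by git-http-backend's default of disabling receive-pack for unauthenticated requests. A single repository with `http.receivepack` set to true would become writable by anyone. If this host is meant to be a read-only mirror, narrow the pattern to upload-pack only: `location ~ ^.*/(HEAD|info/refs|objects/info/.*|git-upload-pack)$ {`. The block also serves clones on plain port 80 with no redirect to HTTPS, which deserves a comment if it is intentional.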
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Mirror repositories from GitHub
+#
+# Arguments: (users|orgs) <name> <output_directory>
+#
+# Clones (or updates) all repositories of a GitHub user or
+# organization. Repositories are created as children of the given
+# output directory.
+#
+# Example:
+# gh-mirror users jodersky mirrors/github/jodersky
+#
+# This script uses GitHub's API, version 3
+# https://developer.github.com/v3/repos/#list-user-repositories
+set -o errexit
+
+account_type="$1"
+account_name="$2"
+out_dir="${3:-.}"
+mkdir -p "$out_dir"
+
+if [[ -z $account_type ]] || [[ -z $account_name ]]; then
+ echo "Usage: (users|orgs) <name> <output_directory>" >&2
+ exit 1
+fi
+
+tmp="$(mktemp /tmp/mirror-XXXXXXXXXXXX)"
+url="https://api.github.com/$account_type/$account_name/repos?per_page=100"
+
+function finish {
+ echo "An error was encountered." >&2
+ echo "curl headers are saved in $tmp" >&2
+}
+trap finish ERR
+
+while [[ ! -z "$url" ]]; do
+ echo "Fetching $url..." >&2
+
+ mapfile -t repo_data < <(curl --dump-header "$tmp" "$url" | jq --compact-output '.[]')
+ url="$(< "$tmp" grep Link | grep -oE "[a-zA-Z0-9:/?=.&_]*>; rel=.next" | cut -d'>' -f1)"
+
+ for repo in "${repo_data[@]}"; do
+ clone_url="$(echo "$repo" | jq -r .clone_url)"
+ project="$(basename "$clone_url")"
+ description=$(echo "$repo" | jq -r .description)
+
+ git_dir="$out_dir/$project"
+
+ if [ -d "$git_dir" ]; then
+ echo "updating $project" >&2
+ git -C "$git_dir" fetch --prune
+ else
+ echo "mirroring new $project" >&2
+ git clone --mirror "$clone_url" "$git_dir"
+ fi
+ echo "$description" > "$git_dir/description"
+ done
+done
+rm "$tmp"
diff --git a/packages/crashbox-config/git/usr/bin/gh-mirror-all b/packages/crashbox-config/git/usr/bin/gh-mirror-all
new file mode 100755
index 0000000..fa9054f
--- /dev/null
+++ b/packages/crashbox-config/git/usr/bin/gh-mirror-all
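Review bot: A failed download is invisible to `set -o errexit` and the `ERR` trap because `curl` runs inside the process substitution feeding `mapfile`: `repo_data` and `url` both come out empty, the loop ends, and the script exits 0 with stale mirrors. Fetching the body in a plain assignment lets the failure propagate: `body="$(curl --fail --silent --show-error --dump-header "$tmp" "$url")"` followed by `mapfile -t repo_data < <(jq --compact-output '.[]' <<< "$body")`. The `grep Link` match is also case-sensitive, so pagination stops silently after the first page when the header arrives as `link:`, which is how curl prints it for HTTP/2 responses; `grep -i '^link:'` covers both spellings.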
@@ -0,0 +1,7 @@ +#!/bin/bash +mapfile -t lines < /etc/gh-mirror + +for line in "${lines[@]}"; do + read -r type name dir <<< "$line" + gh-mirror "$type" "$name" "$dir" +done diff --git a/packages/crashbox-config/git/var/lib/git/www/about.md b/packages/crashbox-config/git/var/lib/git/www/about.md new file mode 100644 index 0000000..55e68fa --- /dev/null +++ b/packages/crashbox-config/git/var/lib/git/www/about.md @@ -0,0 +1,5 @@ +Tracking of various git repositories. + +![instagram](instagram.png) + +<https://xkcd.com/1150/> diff --git a/packages/crashbox-config/git/var/lib/git/www/crashbox.png b/packages/crashbox-config/git/var/lib/git/www/crashbox.png Binary files differnew file mode 100644 index 0000000..632118e --- /dev/null +++ b/packages/crashbox-config/git/var/lib/git/www/crashbox.png diff --git a/packages/crashbox-config/git/var/lib/git/www/instagram.png b/packages/crashbox-config/git/var/lib/git/www/instagram.png Binary files differnew file mode 100644 index 0000000..dcaff14 --- /dev/null +++ b/packages/crashbox-config/git/var/lib/git/www/instagram.png diff --git a/packages/crashbox-config/ip/ip.conf b/packages/crashbox-config/ip/ip.conf new file mode 100644 index 0000000..2f3ab1e --- /dev/null +++ b/packages/crashbox-config/ip/ip.conf @@ -0,0 +1,13 @@ +# Echo remote IP address +# https://michael.lustfield.net/nginx/simple-ip-echo +server { + server_name ip.*; + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + location = / { + default_type text/plain; + echo $remote_addr; + } +}
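Review bot: The loop in gh-mirror-all ignores the exit status of `gh-mirror`, so the nightly cron run exits 0 even when every account failed to sync and nobody is told the mirrors are stale. Recording the failure keeps the remaining accounts syncing while still signalling the problem: `gh-mirror "$type" "$name" "$dir" || status=1` inside the loop, with `status=0` before it and `exit "$status"` after it. Blank or comment lines in /etc/gh-mirror are also passed straight through as arguments, so a `[[ -z $type || $type == \#* ]] && continue` guard is worth adding.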
\ No newline at end of file
diff --git a/packages/crashbox-config/nginx/etc/nginx/conf.d/ssl.conf b/packages/crashbox-config/nginx/etc/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..bb96ec7
--- /dev/null
+++ b/packages/crashbox-config/nginx/etc/nginx/conf.d/ssl.conf
@@ -0,0 +1,15 @@
+# The configuration below can be obtained with the Mozilla SSL
+# Configuration Generator at
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+ssl_certificate /etc/ssl/server.cert.pem;
+ssl_certificate_key /etc/ssl/private/server.key.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/issuer.cert.pem;
diff --git a/packages/crashbox-config/nginx/etc/nginx/sites-available/default.conf b/packages/crashbox-config/nginx/etc/nginx/sites-available/default.conf
new file mode 100644
index 0000000..e10725d
--- /dev/null
+++ b/packages/crashbox-config/nginx/etc/nginx/sites-available/default.conf
@@ -0,0 +1,9 @@
+# Default catch-all configuration, applied when no other configuration matches
+server {
+ server_name _;
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # close the connection without sending a response
+ return 444;
+}
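Review bot: The `echo` directive in ip.conf's `location = /` comes from the third-party echo module rather than core nginx, while debian/control only depends on the generic `nginx` package. If the installed flavour lacks that module, the configuration test fails and the `deb-systemd-invoke restart nginx` in the postinst takes every site on the host down. `return 200 "$remote_addr\n";` produces the same plain-text response with core directives only.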
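Review bot: ssl.conf sets a cipher list but no `ssl_protocols`, so the accepted TLS versions are whatever the installed nginx defaults to, and without `ssl_prefer_server_ciphers on;` the ordering in `ssl_ciphers` is only advisory. The listed suites are all TLS 1.2 ones, so stating `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the installed nginx supports it) makes the intent explicit. `ssl_stapling_verify on` also has nothing valid to verify while the postinst's snakeoil fallback is in effect; a comment saying so would explain the resulting log warning.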
\ No newline at end of file |
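Review bot: The catch-all in default.conf declares `default_server` on port 80 only, so an HTTPS request with an unmatched host name is answered by whichever 443 server block nginx loads first (git or ip) instead of being dropped. Adding `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;` to this block closes that gap, and the certificate settings already come from conf.d/ssl.conf.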