From dcee60bbdf9c8929052559e9e9985ec821dabe12 Mon Sep 17 00:00:00 2001 From: Adrien Bourmault Date: Mon, 19 Dec 2022 18:09:26 +0100 Subject: [PATCH] Refonte documentation --- pm/anthea.md | 58 ++ pm/aunt.md | 198 ++++++ pm/britt.md | 58 ++ pm/mother.md | 194 ++++++ sites/leparc.md | 8 +- vm/audio.md | 118 ++++ vm/dns.md | 33 + vm/generic.md | 328 ++++++++++ vm/gestion.md | 117 ++++ vm/git.md | 96 +++ vm/mail.md | 163 +++++ vm/routeur.md | 1673 +++++++++++++++++++++++++++++++++++++++++++++++ vm/toot.md | 130 ++++ vm/tootest.md | 25 + vm/www.md | 117 ++++ vm/xmpp.md | 24 + 16 files changed, 3338 insertions(+), 2 deletions(-) create mode 100644 pm/anthea.md create mode 100644 pm/aunt.md create mode 100644 pm/britt.md create mode 100644 pm/mother.md create mode 100644 vm/audio.md create mode 100644 vm/dns.md create mode 100644 vm/generic.md create mode 100644 vm/gestion.md create mode 100644 vm/git.md create mode 100644 vm/mail.md create mode 100644 vm/routeur.md create mode 100644 vm/toot.md create mode 100644 vm/tootest.md create mode 100644 vm/www.md create mode 100644 vm/xmpp.md diff --git a/pm/anthea.md b/pm/anthea.md new file mode 100644 index 0000000..3dba1de --- /dev/null +++ b/pm/anthea.md 
@@ -0,0 +1,58 @@ +# anthea, machine physique (fontainebleau) + +## Matériel + +Carte mère : 1 × Asus KGPN-D16 Rev 1.03G +CPU : 2 × AMD Opteron 6280SE +RAM : *(à compléter)* +Alimentation : *(à compléter)* +Onduleur : (non) +Casier : *(à compléter)* +Stockage de masse : *(à compléter)* + +## Logiciel + +Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Virtualisation : QEMU/KVM (`libvirt`) +Audit des paquets mensuel : `vrms` +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen` +Mail Transfer Agent : `postfix` + +## Caractéristiques notables + +Domaine : anthea.libre-en-communs.org +Adresse ipv4 publique : *(à compléter)* +Adresse ipv4 locale : *(à compléter)* +Adresse ipv6 publique : *(à compléter)* + +### Configuration réseau + +#### /etc/network/interfaces +
+ + *(à compléter)* + +
+ +## Configuration SSH + +### /etc/ssh/sshd_config +
+ + *(à compléter)* + +
+ +## Configuration MTA + +### /etc/postfix/transport + + a-lec.org : + * discard: + +### /etc/postfix/virtual + + @localhost admin@a-lec.org + @mother.libre-en-communs.org admin@a-lec.org diff --git a/pm/aunt.md b/pm/aunt.md new file mode 100644 index 0000000..0acd6e2 --- /dev/null +++ b/pm/aunt.md @@ -0,0 +1,198 @@ +# aunt, machine physique (leparc) + +## Matériel + +Carte mère : 1 × Asus KGPN-D16 Rev 1.03G +CPU : 2 × AMD Opteron 6282SE +RAM : *(à compléter)* +Alimentation : *(à compléter)* +Onduleur : 1 × EATON Ellipse PRO 1200 VA +Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack) +Stockage de masse : 2 × KINGSTON SEDC500M1920G + +## Logiciel + +Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Virtualisation : QEMU/KVM (`libvirt`) +Gestion du onduleur : NUT/UPS +Audit des paquets mensuel : `vrms` +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen` +Mail Transfer Agent : `postfix` +Réplication de stockage (vm) : `drbd`, `ocfs2` + +## Caractéristiques notables + +Domaine : aunt.libre-en-communs.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 locale : 192.168.1.3 +Adresse ipv4 interne DRBD : 192.168.254.3 +Adresse ipv6 publique : 2001:910:1021::3 + +### Configuration réseau + +#### /etc/network/interfaces +
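Review bot: The `/etc/postfix/virtual` map at the end of this hunk rewrites `@mother.libre-en-communs.org` instead of `@anthea.libre-en-communs.org`, which looks copied from pm/mother.md; mail addressed to anthea's own domain would not be redirected to admin@a-lec.org. The pm/britt.md hunk has the same copy-paste (it also names mother). Suggested lines: `@anthea.libre-en-communs.org admin@a-lec.org` here and `@britt.libre-en-communs.org admin@a-lec.org` in britt.md. The empty network and sshd sections are marked *(à compléter)*, which is fine, but the SSH port in use should be recorded alongside them since aunt and mother document non-default ports.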
+ + # The loopback network interface + auto lo + iface lo inet loopback + + # The primary network interface + allow-hotplug ens9 + allow-hotplug ens10 + allow-hotplug ens13f0 + allow-hotplug ens13f1 + + # mother! + iface ens13f1 inet static + address 192.168.254.3 + + post-up /usr/bin/ip link set ens13f1 mtu 9000 + + # bridge for vm + auto br0 + iface br0 inet static + bridge_ports ens13f0 + address 192.168.1.3 + gateway 192.168.0.1 + broadcast 192.168.255.255 + netmask 255.255.0.0 + + iface br0 inet6 static + bridge_ports ens13f0 + address 2001:910:1021::3/128 + gateway 2001:910:1021:: + +
+ +## Configuration SSH + +### /etc/ssh/sshd_config +
+ + Port 223 + AddressFamily any + ListenAddress 0.0.0.0 + ListenAddress :: + + PubkeyAuthentication yes + + PasswordAuthentication no + PermitEmptyPasswords no + + ChallengeResponseAuthentication no + + UsePAM yes + + AllowAgentForwarding yes + AllowTcpForwarding yes + GatewayPorts yes + X11Forwarding no + + PrintMotd no + + TCPKeepAlive yes + + PermitTunnel yes + + AcceptEnv LANG LC_* GIT_* + + Subsystem sftp /usr/lib/openssh/sftp-server + + Match User admin666 Address *,!127.0.0.1,!::1 + DenyUsers admin666 + +
+ +## Configuration DRBD + +### /etc/drbd.d/drbd1.res +
+ + resource drbd1 { + meta-disk internal; + device /dev/drbd1; + + startup { + become-primary-on both; + } + net { + verify-alg sha256; + allow-two-primaries yes; + #fencing resource-and-stonith; + after-sb-0pri discard-zero-changes; + after-sb-1pri discard-secondary; + protocol C; + ko-count 0; + timeout 119; + ping-int 120; + connect-int 120; + #max-epoch-size 20000; + max-buffers 36k; + sndbuf-size 0; + rcvbuf-size 0; + } + handlers { + pri-lost-after-sb "killall virt-backup && umount /opt/sharedfs && drbdadm secondary drbd1"; + } + disk { + on-io-error pass_on; + md-flushes; + c-fill-target 10M; + c-max-rate 700M; + c-plan-ahead 0; + c-min-rate 4M; + resync-rate 500M; + } + + on mother { # hostname must match `uname -n` output + disk /dev/md1; # Logical Volume on the provided host + address 192.168.254.2:7789; # IP Address to be used to connect to the node with port + } + + on aunt { # hostname must match `uname -n` output + disk /dev/md1; # Logical Volume on the provided host + address 192.168.254.3:7789; # IP Address to be used to connect to the node with port + } + + } + +
+ +### /etc/ocfs2/cluster.conf +
+ + cluster: + name = sharedfs + heartbeat_mode = local + node_count = 2 + + node: + cluster = sharedfs + number = 0 + ip_port = 7777 + ip_address = 192.169.254.3 + name = aunt + + node: + cluster = sharedfs + number = 1 + ip_port = 7777 + ip_address = 192.169.254.2 + name = mother + +
+ +## Configuration MTA + +### /etc/postfix/transport + + a-lec.org : + * discard: + +### /etc/postfix/virtual + + @localhost admin@a-lec.org + @aunt.libre-en-communs.org admin@a-lec.org diff --git a/pm/britt.md b/pm/britt.md new file mode 100644 index 0000000..26ef785 --- /dev/null +++ b/pm/britt.md @@ -0,0 +1,58 @@ +# britt, machine physique (gisors) + +## Matériel + +Carte mère : 1 × Asus KGPN-D16 Rev 1.03G +CPU : 1 × AMD Opteron 6280SE +RAM : *(à compléter)* +Alimentation : *(à compléter)* +Onduleur : (non) +Casier : *(à compléter)* +Stockage de masse : *(à compléter)* + +## Logiciel + +Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Virtualisation : QEMU/KVM (`libvirt`) +Audit des paquets mensuel : `vrms` +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen` +Mail Transfer Agent : `postfix` + +## Caractéristiques notables + +Domaine : britt.libre-en-communs.org +Adresse ipv4 publique : *(à compléter)* +Adresse ipv4 locale : *(à compléter)* +Adresse ipv6 publique : *(à compléter)* + +### Configuration réseau + +#### /etc/network/interfaces +
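Review bot: The `/etc/ocfs2/cluster.conf` block in this hunk uses `ip_address = 192.169.254.3` and `192.169.254.2`, while the DRBD resource and `/etc/network/interfaces` in the same file, and the mother copy of cluster.conf in pm/mother.md, all use `192.168.254.x`; if the aunt copy is what is deployed, the o2cb heartbeat is pointed at addresses no interface carries. Suggested correction: `ip_address = 192.168.254.3` and `ip_address = 192.168.254.2`. The `drbd1.res` shown here also diverges from mother's (this copy has a `#fencing resource-and-stonith;` line and a longer `pri-lost-after-sb` handler); a DRBD resource file is expected to be the same on both peers, and with `allow-two-primaries yes` and fencing commented out a split brain is resolved only by the `after-sb-*` discard policies, so the page should state which copy is authoritative.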
+ + *(à compléter)* + +
+ +## Configuration SSH + +### /etc/ssh/sshd_config +
+ + *(à compléter)* + +
+ +## Configuration MTA + +### /etc/postfix/transport + + a-lec.org : + * discard: + +### /etc/postfix/virtual + + @localhost admin@a-lec.org + @mother.libre-en-communs.org admin@a-lec.org diff --git a/pm/mother.md b/pm/mother.md new file mode 100644 index 0000000..9b20b00 --- /dev/null +++ b/pm/mother.md @@ -0,0 +1,194 @@ +# mother, machine physique (leparc) + +## Matériel + +Carte mère : 1 × Asus KGPN-D16 Rev 1.03G +CPU : 2 × AMD Opteron 6282SE +RAM : 4 × Crucial RDIMM 16Go CT2K16G3ERSLD4160B +Alimentation : 1 × Antec NE700G ZEN EC +Onduleur : 1 × EATON Ellipse PRO 1600 VA +Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack) +Stockage de masse : 2 × KINGSTON SEDC500M1920G 2 To + +## Logiciel + +Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Virtualisation : QEMU/KVM (`libvirt`) +Gestion du onduleur : NUT/UPS +Audit des paquets mensuel : `vrms` +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen` +Mail Transfer Agent : `postfix` +Réplication de stockage (vm) : `drbd`, `ocfs2` + +## Caractéristiques notables + +Domaine : mother.libre-en-communs.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 locale : 192.168.1.2 +Adresse ipv4 interne DRBD : 192.168.254.2 +Adresse ipv6 publique : 2001:910:1021::2 + +### Configuration réseau + +#### /etc/network/interfaces +
+ + auto lo br0 + iface lo inet loopback + + # The primary network interface + allow-hotplug ens10 + allow-hotplug ens9 + allow-hotplug ens13f0 + allow-hotplug ens13f1 + + # aunt + iface ens13f1 inet static + address 192.168.254.2 + + post-up /usr/bin/ip link set ens13f1 mtu 9000 + + # bridge for vm + iface br0 inet static + bridge_ports ens13f0 + address 192.168.1.2 + gateway 192.168.0.1 + broadcast 192.168.255.255 + netmask 255.255.0.0 + + iface br0 inet6 static + bridge_ports ens13f0 + address 2001:910:1021:0::2/128 + gateway 2001:910:1021::1 + +
+ +## Configuration SSH + +### /etc/ssh/sshd_config +
+ + Port 222 + AddressFamily any + ListenAddress 0.0.0.0 + ListenAddress :: + + PubkeyAuthentication yes + + PasswordAuthentication no + PermitEmptyPasswords no + + ChallengeResponseAuthentication no + + UsePAM yes + + AllowAgentForwarding yes + AllowTcpForwarding yes + GatewayPorts yes + X11Forwarding no + + PrintMotd no + + TCPKeepAlive yes + + PermitTunnel yes + + AcceptEnv LANG LC_* GIT_* + + Subsystem sftp /usr/lib/openssh/sftp-server + + Match User admin666 Address *,!127.0.0.1,!::1 + DenyUsers admin666 + +
+ +## Configuration DRBD + +### /etc/drbd.d/drbd1.res +
+ + resource drbd1 { + meta-disk internal; + device /dev/drbd1; + + startup { + become-primary-on both; + } + net { + verify-alg sha256; + allow-two-primaries yes; + after-sb-0pri discard-zero-changes; + after-sb-1pri discard-secondary; + protocol C; + ko-count 0; + timeout 119; + ping-int 120; + connect-int 120; + max-buffers 36k; + sndbuf-size 0; + rcvbuf-size 0; + } + handlers { + pri-lost-after-sb "killall virt-backup"; + } + disk { + on-io-error pass_on; + md-flushes; + c-fill-target 10M; + c-max-rate 700M; + c-plan-ahead 0; + c-min-rate 4M; + resync-rate 500M; + } + + on mother { # hostname must match `uname -n` output + disk /dev/md1; # Logical Volume on the provided host + address 192.168.254.2:7789; # IP Address to be used to connect to the node with port + } + + on aunt { # hostname must match `uname -n` output + disk /dev/md1; # Logical Volume on the provided host + address 192.168.254.3:7789; # IP Address to be used to connect to the node with port + } + + } + +
+ +### /etc/ocfs2/cluster.conf +
+ + cluster: + name = sharedfs + heartbeat_mode = local + node_count = 2 + + node: + cluster = sharedfs + number = 0 + ip_port = 7777 + ip_address = 192.168.254.3 + name = aunt + + node: + cluster = sharedfs + number = 1 + ip_port = 7777 + ip_address = 192.168.254.2 + name = mother + +
+ +## Configuration MTA + +### /etc/postfix/transport + + a-lec.org : + * discard: + +### /etc/postfix/virtual + + @localhost admin@a-lec.org + @mother.libre-en-communs.org admin@a-lec.org diff --git a/sites/leparc.md b/sites/leparc.md index db733c1..8344a0f 100644 --- a/sites/leparc.md +++ b/sites/leparc.md @@ -21,8 +21,12 @@ IPv6 : 2001:910:1021::/48 ``` Il accueille les machines physiques suivantes : -- [`mother.libre-en-communs.org`]() ; -- [`aunt.libre-en-communs.org`](). +- [`mother.libre-en-communs.org`](../pm/mother.md) ; +- [`aunt.libre-en-communs.org`](../pm/aunt.md). + +Ces machines physiques sont couplées pour permettre une migration transparente +des machines virtuelles. Nous utilisons l'hyperviseur `KVM/libvirt` et `DRBD` +pour ce faire. ## Matériel annexe diff --git a/vm/audio.md b/vm/audio.md new file mode 100644 index 0000000..0e09928 --- /dev/null +++ b/vm/audio.md 
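Review bot: The IPv6 gateway in `/etc/network/interfaces` is `2001:910:1021::1` here, whereas pm/aunt.md and vm/generic.md use `2001:910:1021::` for the same /48; unless the two hosts genuinely use different next hops, one document is stale, and a short note saying which value is correct would avoid it being copied further. The DRBD and ocfs2 sections are otherwise consistent with each other in this file (both `192.168.254.x`), which is the version aunt.md should match.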
@@ -0,0 +1,118 @@ +# Machine virtuelle AUDIO + +## Système + +### Matériel virtuel + +CPU : 1 +RAM : 957384 KB +Stockage de masse : 50 Gio +Swap : désactivé + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +Mail Transfer Agent : `postfix` + +### Caractéristiques notables + +Domaine : dns.libre-en-communs.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.186 +Adresse ipv6 publique : 2001:910:1021::186 + +## Serveur web (installation basique) +Installation d'un service nginx pour : +- la gestion des certificats SSL ; +- l'installation d'une page d'information sur comment se connecter au Mumble ; +- la possible installation d'un service client web pour Mumble ; +- l'éventuel déploiement de StatoolInfos ; +- … + +Installer les paquets : +``` +apt-get install nginx python3-certbot-nginx +``` + +Ouvrir les ports http (80) et https (443) : +``` +ufw allow 'Nginx HTTP' +ufw allow 'Nginx HTTPS' +``` + +Configurer a minima le site web dans `/etc/nginx/sites-available/audio.a-lec.org` : +``` +server +{ + listen 80; + listen [::]:80; + + server_name audio.a-lec.org; + + access_log /var/log/nginx/audio.a-lec.org-access.log; + error_log /var/log/nginx/audio.a-lec.org-error.log; +} +``` + +Activer la configuration : +``` +cd /etc/nginx/sites-enabled/ +ln -s ../sites-available/audio.a-lec.org +``` + +Vérifier que c'est bon et recharger : +``` +nginx -t && systemctl reload nginx +``` + +Configurer le certificat SSl : +``` +certbot --nginx +``` + +Mettre beau le fichier `/etc/nginx/sites-enabled/audio.a-lec.org` : +``` +server +{ + listen 80; + listen [::]:80; + + server_name audio.a-lec.org; + + access_log /var/log/nginx/audio.a-lec.org-access.log; + error_log /var/log/nginx/audio.a-lec.org-error.log; + + return 302 https://$host$request_uri; +} + +server +{ + 
set_real_ip_from 192.169.1.1; + real_ip_header proxy_protocol; + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + + server_name audio.a-lec.org; + + access_log /var/log/nginx/audio.a-lec.org-access.log; + error_log /var/log/nginx/audio.a-lec.org-error.log; + + ssl_certificate /etc/letsencrypt/live/audio.a-lec.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/audio.a-lec.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + root /var/www/audio.a-lec.org; + location = / + { + index index.xhtml; + } +} +``` + +Vérifier que c'est bon et recharger : +``` +nginx -t && systemctl reload nginx +``` diff --git a/vm/dns.md b/vm/dns.md new file mode 100644 index 0000000..3ab5d73 --- /dev/null +++ b/vm/dns.md @@ -0,0 +1,33 @@ +## Machine virtuelle DNS + +Cette machine est le serveur DNS autorité de l'association. + +### Matériel virtuel + +CPU : xxx +RAM : xxx Mio +Stockage de masse : 10 Gio + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +DNS : `bind` +Mail Transfer Agent : `postfix` + +### Caractéristiques notables + +Domaine : dns.libre-en-communs.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.242 +Adresse ipv6 publique : 2001:910:1021::242 + +### Configuration système de fichier partagé en écriture + +#### /etc/fstab (extrait) +
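Review bot: `set_real_ip_from 192.169.1.1;` in the HTTPS server block is very likely a typo for `192.168.1.1` (every other internal address in this commit is in 192.168.0.0/16); with an address nginx never sees, the PROXY-protocol source is not trusted, so `$remote_addr` in the access log stays the router's address and any per-client handling sees a single IP. The same value appears in vm/gestion.md and vm/git.md, and as `192.169.1.0/24` in `mynetworks` in vm/mail.md, where it would leave the router outside the trusted relay set if that entry is meant to cover the internal network. Separately, the `Caractéristiques notables` section lists `Domaine : dns.libre-en-communs.org`, copied from vm/dns.md (vm/generic.md has the same leftover), and this vhost's `listen 443 ssl;` lacks the `proxy_protocol` parameter the gestion and git vhosts use, so `real_ip_header proxy_protocol` has nothing to read here — worth confirming which form is actually deployed.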
+ + /vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw 0 0 + +
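Review bot: The 9p mount `/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw 0 0` is documented without `nosuid,nodev`, unlike the tmpfs line in vm/generic.md; since the heading describes the share as writable and it is presumably exported to several guests, those options are the standard way to keep a file written on the share from being honoured as setuid or as a device node on this machine (add `noexec` too if nothing has to run from it). Suggested line: `/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw,nosuid,nodev 0 0`. The `CPU : xxx` and `RAM : xxx Mio` placeholders should be filled in or marked *(à compléter)* like the other pages.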
diff --git a/vm/generic.md b/vm/generic.md new file mode 100644 index 0000000..d54fd85 --- /dev/null +++ b/vm/generic.md @@ -0,0 +1,328 @@ +## Machine virtuelle GENERIC + +#### (c'est-à-dire le modèle de toutes les machines virtuelles) + +... + +### Matériel virtuel + +CPU : 1 +RAM : 1000 Mio +Stockage de masse : 50 Gio (fichier `sparse` i.e les zéros ne sont pas écrits sur le disque) + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +Mail Transfer Agent : `postfix` + +### Caractéristiques notables + +Domaine : dns.libre-en-communs.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.4 +Adresse ipv6 publique : 2001:910:1021::4 + +### Configuration réseau + +#### /etc/network/interfaces +
+ + # This file describes the network interfaces available on your system + # and how to activate them. For more information, see interfaces(5). + + source /etc/network/interfaces.d/* + + # The loopback network interface + auto lo + iface lo inet loopback + + # The primary network interface + allow-hotplug enp1s0 + iface enp1s0 inet static + address 192.168.1.4/32 + broadcast 192.168.255.255 + gateway 192.168.0.1 + netmask 255.255.0.0 + + iface enp1s0 inet6 static + address 2001:910:1021::4/128 + gateway 2001:910:1021:: + +
+ +### Configuration SSH + +#### /etc/ssh/sshd_config +
+ + # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + + # This is the sshd server system-wide configuration file. See + # sshd_config(5) for more information. + + # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + + Port 22 + AddressFamily any + ListenAddress 0.0.0.0 + ListenAddress :: + + PubkeyAuthentication yes + + PasswordAuthentication no + PermitEmptyPasswords no + + ChallengeResponseAuthentication no + + UsePAM yes + + PrintMotd no + + AcceptEnv LANG LC_* GIT_* + + Subsystem sftp /usr/lib/openssh/sftp-server + + Match Group ssh-login + PasswordAuthentication yes + +
+ +#### /etc/hosts.allow + + sshd: 192.168.1.0/24, [2001:910:1021::]/48 + +#### /etc/hosts.deny + + sshd: ALL + +### Pare-feu + +Installation : +``` +apt-get install ufw +``` + +Ouvrir le port SSH : +``` +ufw allow SSH +ufw enable +systemclt enable ufw +``` +### Configuration SUDO + +#### /etc/sudoers +
+ + # + # This file MUST be edited with the 'visudo' command as root. + # + # Please consider adding local content in /etc/sudoers.d/ instead of + # directly modifying this file. + # + # See the man page for details on how to write a sudoers file. + # + Defaults env_reset + Defaults env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL" + Defaults mail_badpass, insults + Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + + # Host alias specification + + # User alias specification + + # Cmnd alias specification + + # User privilege specification + root ALL=(ALL:ALL) ALL + + # Allow members of group sudo to execute any command + %sudo ALL=(ALL:ALL) NOPASSWD:ALL + + # See sudoers(5) for more information on "#include" directives: + + #includedir /etc/sudoers.d + + +
+ +### Configuration MTA + +#### /etc/postfix/transport + + a-lec.org : + * discard: + +#### /etc/postfix/virtual + + @localhost admin@a-lec.org + @generic.a-lec.org admin@a-lec.org + +### Configuration système de fichier partagé + +#### /etc/fstab (extrait) +
+ + tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0 + +
+ + +### Configurations bashrc + +#### /etc/skel/.bashrc (et /home/admin666/.bashrc) +
+ + # ~/.bashrc: executed by bash(1) for non-login shells. + # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) + # for examples + + # If not running interactively, don't do anything + case $- in + *i*) ;; + *) return;; + esac + + # don't put duplicate lines or lines starting with space in the history. + # See bash(1) for more options + HISTCONTROL=ignoreboth + + # append to the history file, don't overwrite it + shopt -s histappend + + # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) + HISTSIZE=1000 + HISTFILESIZE=2000 + + # check the window size after each command and, if necessary, + # update the values of LINES and COLUMNS. + shopt -s checkwinsize + + # If set, the pattern "**" used in a pathname expansion context will + # match all files and zero or more directories and subdirectories. + #shopt -s globstar + + # make less more friendly for non-text input files, see lesspipe(1) + #[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" + + # set variable identifying the chroot you work in (used in the prompt below) + if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) + fi + + # set a fancy prompt (non-color, unless we know we "want" color) + case "$TERM" in + xterm-color|*-256color) color_prompt=yes;; + esac + + # uncomment for a colored prompt, if the terminal has the capability; turned + # off by default to not distract the user: the focus in a terminal window + # should be on the output of commands, not on the prompt + #force_color_prompt=yes + + if [ -n "$force_color_prompt" ]; then + if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then + # We have color support; assume it's compliant with Ecma-48 + # (ISO/IEC-6429). (Lack of such support is extremely rare, and such + # a case would tend to support setf rather than setaf.) 
+ color_prompt=yes + else + color_prompt= + fi + fi + + if [ "$color_prompt" = yes ]; then + PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' + else + PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ ' + fi + unset color_prompt force_color_prompt + + # If this is an xterm set the title to user@host:dir + case "$TERM" in + xterm*|rxvt*) + PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1" + ;; + *) + ;; + esac + + # enable color support of ls and also add handy aliases + if [ -x /usr/bin/dircolors ]; then + test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" + alias ls='ls --color=auto' + alias dir='dir --color=auto' + alias vdir='vdir --color=auto' + + alias grep='grep --color=auto' + alias fgrep='fgrep --color=auto' + alias egrep='egrep --color=auto' + fi + + # colored GCC warnings and errors + #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' + + # some more ls aliases + alias ll='ls -l' + alias la='ls -A' + #alias l='ls -CF' + + # Alias definitions. + # You may want to put all your additions into a separate file like + # ~/.bash_aliases, instead of adding them here directly. + # See /usr/share/doc/bash-doc/examples in the bash-doc package. + + if [ -f ~/.bash_aliases ]; then + . ~/.bash_aliases + fi + + # enable programmable completion features (you don't need to enable + # this, if it's already enabled in /etc/bash.bashrc and /etc/profile + # sources /etc/bash.bashrc). + if ! shopt -oq posix; then + if [ -f /usr/share/bash-completion/bash_completion ]; then + . /usr/share/bash-completion/bash_completion + elif [ -f /etc/bash_completion ]; then + . /etc/bash_completion + fi + fi + +
+ +#### /root/.bashrc +
+ + # ~/.bashrc: executed by bash(1) for non-login shells. + + # Note: PS1 and umask are already set in /etc/profile. You should not + # need this unless you want different defaults for root. + # PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ ' + PS1='\[\033[01;32m\]=(^-^)=${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' + # umask 022 + + # You may uncomment the following lines if you want `ls' to be colorized: + export LS_OPTIONS='--color=auto' + # eval "`dircolors`" + alias ls='ls $LS_OPTIONS' + alias ll='ls $LS_OPTIONS -l' + alias l='ls $LS_OPTIONS -lA' + # + # Some more alias to avoid making mistakes: + # alias rm='rm -i' + # alias cp='cp -i' + # alias mv='mv -i' + + # enable programmable completion features (you don't need to enable + # this, if it's already enabled in /etc/bash.bashrc and /etc/profile + # sources /etc/bash.bashrc). + if ! shopt -oq posix; then + if [ -f /usr/share/bash-completion/bash_completion ]; then + . /usr/share/bash-completion/bash_completion + elif [ -f /etc/bash_completion ]; then + . /etc/bash_completion + fi + fi + +
+ diff --git a/vm/gestion.md b/vm/gestion.md new file mode 100644 index 0000000..059a3fa --- /dev/null +++ b/vm/gestion.md @@ -0,0 +1,117 @@ +## Machine virtuelle GESTION + +Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association. + +### Matériel virtuel + +CPU : 4 +RAM : 3000 Mio +Stockage de masse : 50 Gio + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +Compta et gestion des membres : `garradin` +Mail Transfer Agent : `postfix` + +### Caractéristiques notables + +Domaine : gestion.a-lec.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.236 +Adresse ipv6 publique : 2001:910:1021::236 + +### Configuration serveur web (nginx) +
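Review bot: The `/etc/hosts.allow` and `/etc/hosts.deny` entries for `sshd` may not be enforced on Debian 11: upstream OpenSSH removed tcp_wrappers (libwrap) support in 6.7 and, as far as I know, the bullseye package no longer carries the Debian libwrap patch, in which case `sshd: ALL` in hosts.deny does nothing and the service is reachable from wherever `ufw allow SSH` admits; verify with `ldd "$(command -v sshd)" | grep libwrap` and, if it is absent, express the restriction in sshd_config (`Match Address` / `AllowUsers`) or in the ufw rules. The sudoers line `%sudo ALL=(ALL:ALL) NOPASSWD:ALL` gives every member of `sudo` passwordless root and makes `Defaults mail_badpass` moot; if that is deliberate for the template, the page should say so and name who is in that group. Minor: `systemclt enable ufw` should read `systemctl enable ufw`, and `Domaine : dns.libre-en-communs.org` is copied from vm/dns.md.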
+ + server { + server_name coffre.a-lec.org; + + set_real_ip_from 192.169.1.1; + real_ip_header proxy_protocol; + + # Allow large attachments + client_max_body_size 128M; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /notifications/hub { + proxy_pass http://127.0.0.1:3012; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /notifications/hub/negotiate { + proxy_pass http://127.0.0.1:8000; + } + + listen 443 ssl http2 proxy_protocol; # managed by Certbot + listen [::]:443 ssl http2; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + } + + server { + if ($host = coffre.a-lec.org) { + return 302 https://$host$request_uri; + } # managed by Certbot + + server_name coffre.a-lec.org; + + listen 80; + return 404; # managed by Certbot + } + + server { + + root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian) + + server_name gestion.a-lec.org; # Remplacer par votre nom de domaine + + set_real_ip_from 192.169.1.1; + real_ip_header proxy_protocol; + + location / { + try_files $uri $uri/ /_route.php?$query_string; + index index.php /_route.php; + } + + location ~ \.php { + try_files $uri $uri/ /_route.php?$query_string; + include fastcgi.conf; + #fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket + fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket + } + 
+ listen 443 ssl proxy_protocol; # managed by Certbot + listen [::]:443 ssl; + ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + } + + server { + if ($host = gestion.a-lec.org) { + return 302 https://$host$request_uri; + } # managed by Certbot + + listen 80; + listen [::]:80; + + server_name gestion.a-lec.org; + return 404; # managed by Certbot + } +
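Review bot: In the `coffre.a-lec.org` server block earlier in this hunk, `location /notifications/hub` sets the `Upgrade` and `Connection "upgrade"` headers but not `proxy_http_version 1.1;`; nginx proxies with HTTP/1.0 by default, which cannot carry the upgrade, so the WebSocket hub would not work through this vhost — add `proxy_http_version 1.1;` inside that location. The coffre HTTP-to-HTTPS redirect block also has only `listen 80;` with no `listen [::]:80;`, so an IPv6 request to coffre on port 80 is served by the gestion block's `listen [::]:80` and gets its `return 404` instead of the redirect.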
diff --git a/vm/git.md b/vm/git.md new file mode 100644 index 0000000..372ffc4 --- /dev/null +++ b/vm/git.md @@ -0,0 +1,96 @@ +## Machine virtuelle GIT + +Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité. + +### Matériel virtuel + +CPU : 2 +RAM : 4096 Mio +Stockage de masse : 50 Gio + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +Forge logicielle : `gitlab-ce` +Mail Transfer Agent : `postfix` + +### Caractéristiques notables + +Domaine : git.a-lec.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.131 +Adresse ipv6 publique : 2001:910:1021::131 + +### Configuration serveur web (nginx) +
+ + # GITLAB + + upstream gitlab-workhorse { + # On GitLab versions before 13.5, the location is + # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line + # accordingly. + server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; + } + + ## Redirects all HTTP traffic to the HTTPS host + server { + ## Either remove "default_server" from the listen line below, + ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab + ## to be served if you visit any address that your server responds to, eg. + ## the ip address of the server (http://x.x.x.x/) + listen 0.0.0.0:80; + listen [::]:80 ipv6only=on default_server; + server_name git.a-lec.org; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice + return 302 https://git.a-lec.org$request_uri; + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + } + + ## HTTPS host + server { + set_real_ip_from 192.169.1.1; + real_ip_header proxy_protocol; + listen 0.0.0.0:443 ssl proxy_protocol; + listen [::]:443 ipv6only=on ssl default_server; + server_name git.a-lec.org; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice + root /opt/gitlab/embedded/service/gitlab-rails/public; + + ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem; + + ## [Optional] Enable HTTP Strict Transport Security + ## HSTS is a feature improving protection against MITM attacks + ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + + ## Individual nginx logs for this GitLab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location 
/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-workhorse; + } + } + +
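Review bot: The HTTPS vhost sets `ssl_certificate` and `ssl_certificate_key` but, unlike the audio and gestion vhosts in this commit, does not `include /etc/letsencrypt/options-ssl-nginx.conf;` (nor `ssl_dhparam`), so the protocol and cipher policy for git.a-lec.org falls back to the nginx/OpenSSL defaults and can drift from the other hosts; adding `include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot` next to the certificate lines keeps the fleet consistent. The `## Replace this with something like gitlab.example.com` comments are leftovers from the upstream sample and can be dropped now that `server_name git.a-lec.org` is set. The `set_real_ip_from 192.169.1.1;` line has the same address typo noted on vm/audio.md.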
diff --git a/vm/mail.md b/vm/mail.md new file mode 100644 index 0000000..9f54774 --- /dev/null +++ b/vm/mail.md @@ -0,0 +1,163 @@ +## Machine virtuelle MAIL + +Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association. + +### Matériel virtuel + +CPU : 2 +RAM : 1000 Mio +Stockage de masse : 50 Gio + +### Logiciel + +Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) +Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) +Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` +Serveur IMAP (et authentification) : `courier` +Mail Transfer Agent : `postfix` +Webmail : `roundcube` (**upstream**) +Serveur http : `nginx` + +### Caractéristiques notables + +Domaine : mail.a-lec.org +Adresse ipv4 publique : 80.67.176.33 +Adresse ipv4 interne : 192.168.1.201 +Adresse ipv6 publique : 2001:910:1021::201 + +### Configuration MTA + +
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +\# Debian specific: Specifying a file name will cause the first +\# line of that file to be used as the name. The Debian default +\# is /etc/mailname. +\#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +\# appending .domain is the MUA's job. +append_dot_mydomain = no + +\# Uncomment the next line to generate "delayed mail" warnings +\#delay_warning_time = 4h + +readme_directory = no + +\# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on +\# fresh installs. +compatibility_level = 2 + + + +\# TLS parameters +smtpd_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem +smtpd_tls_security_level = may +smtpd_tls_auth_only = yes +smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtpd_tls_protocols=!SSLv2,!SSLv3 +smtpd_tls_loglevel = 1 +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + +smtp_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem +smtp_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols=!SSLv2,!SSLv3 +smtp_tls_loglevel = 1 +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + + +\# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +\# information on enabling SSL in the smtp client. 
+ +smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination +smtpd_sender_restrictions = reject_unknown_sender_domain +myhostname = mail.a-lec.org +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, a-lec.org, mail.a-lec.org, localhost, os-k.eu +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all +home_mailbox = Maildir/ +virtual_alias_maps = hash:/etc/postfix/virtual +mailbox_command = + +\## DKIM +smtpd_milters = unix:var/run/opendkim/opendkim.sock +non_smtpd_milters = unix:var/run/opendkim/opendkim.sock + +\## Ralentissement pour les serveurs problématiques +transport_maps = hash:/etc/postfix/transport +slow_destination_concurrency_limit = 3 +slow_destination_rate_delay = 3s + +maximal_queue_lifetime = 1d + +\## Forwarding pour mails du bureau +recipient_bcc_maps = hash:/etc/postfix/recipient_bcc +message_size_limit = 524288000 + +smtp_helo_name = $mydomain +
+ +### Configuration serveur web (nginx) +
+ + server { + set_real_ip_from 192.169.1.1; + real_ip_header proxy_protocol; + + listen 443 ssl proxy_protocol; + listen [::]:443 ssl; + + ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + # Add index.php to the list if you are using PHP + root /var/www/html/roundcube; + + server_name mail.a-lec.org; + + client_max_body_size 100M; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.php; + + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ /index.php?q=$uri&$args; + } + + # pass PHP scripts to FastCGI server + # + location ~ \.php$ { + include snippets/fastcgi-php.conf; + # # With php-fpm (or other unix sockets): + fastcgi_pass unix:/run/php/php7.4-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + + location ^~ /data { + deny all; + } + } + +
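Review bot: The postfix `mynetworks` line in this hunk relays for `192.169.1.0/24` (via `permit_mynetworks` in `smtpd_relay_restrictions`) and the nginx block trusts proxy-protocol source addresses with `set_real_ip_from 192.169.1.1;`, yet 192.169.0.0/16 is not an RFC 1918 range and every other address in this documentation (this VM's own `192.168.1.201`, the router's `192.168.0.1` with a /16 LAN, all DHCP reservations) sits in 192.168.0.0/16, so this reads like a 192.168 → 192.169 typo carried over from the live config. If the LAN really is 192.168.x, the relay entry trusts a block of foreign public addresses instead of the local network, and the real-IP rule never matches the router, leaving `$remote_addr` in the webmail logs as the router's address rather than the client's. Suggest checking the live main.cf and nginx site and, if confirmed, documenting them as `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24` and `set_real_ip_from 192.168.0.1;` (or whichever address the router's proxy_protocol connections actually originate from). A one-line note under "Configuration MTA" that `smtpd_tls_security_level = may` is opportunistic (inbound STARTTLS is offered, not required) would also help the next maintainer read the TLS block correctly.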
diff --git a/vm/routeur.md b/vm/routeur.md new file mode 100644 index 0000000..3944615 --- /dev/null +++ b/vm/routeur.md @@ -0,0 +1,1673 @@ +# Routeur `routeur` : routeur principal de l'infrastructure de Libre en Communs + + +### Matériel + +Turris Omnia 2019 (Argenté), architecture ARMv7 Processor rev 1 (v7l) +SSD KINGSTON SKC600M 256Gio + +### Logiciel + +Système d'exploitation : OpenWrt 21.02 / LuCI openwrt-21.02 avec patch (voir plus loin) +Reverse proxy HTTP(S) : `nginx` +Interface graphique : `luci` +Certificats SSL : `acme` +Autres logiciels utilisés : `fail2ban`, `htop`, `bash`, `vpn-policy-routing` + + +#### Patch de block-mount pour montage partition SSD + + --- a/block.c + +++ b/block.c + @@ -747,7 +747,7 @@ static void check_filesystem(struct prob + pid = fork(); + if (!pid) { + if(!strncmp(pr->type, "f2fs", 4)) { + - execl(ckfs, ckfs, "-f", pr->dev, NULL); + + execl(ckfs, ckfs, "-p", "2", "-f", pr->dev, NULL); + exit(EXIT_FAILURE); + } else if(!strncmp(pr->type, "btrfs", 5)) { + execl(ckfs, ckfs, "--repair", pr->dev, NULL); + 
@@ -1591,7 +1591,7 @@ static int main_extroot(int argc, char * + #endif + + /* As a last resort look for /etc/config/fstab on "rootfs" partition */ + - return mount_extroot(NULL); + + return mount_extroot("/tmp/overlay"); + } + + static int main_mount(int argc, char **argv) + +### Caractéristiques réseau + +Domaine : routeur.libre-en-communs.org +Adresses ipv4 publiques : 80.67.176.33, 80.67.179.96 +Adresse ipv4 locale : 192.168.0.1 +Adresse ipv6 publique : 2001:910:1021::1 + +#### Configuration des interfaces + +Les interfaces sont configurées pour connexion à la fibre FDN en PPPoE sur le port WAN. Il y a deux IPs publiques à récupérer et on utilise donc une interface virtuelle (wan2) utilisant le port de l'interface principale (wan) avec configuration de la seconde IP en statique. La première IP est récupérée automatiquement par l'interface principale. + +Le préfixe public IPv6 du routeur (et donc du réseau) est récupéré automatiquement à la connexion, créant une interface virtuelle à la volée (nommée wan_6 et dont le bloc n'est pas visible dans le fichier de configuration, donc). + +##### /etc/config/network +
+ + config interface 'loopback' + option device 'lo' + option proto 'static' + option ipaddr '127.0.0.1' + option netmask '255.0.0.0' + + config globals 'globals' + option ula_prefix 'fd22:fc53:0a5d::/48' + + config device + option name 'br-lan' + option type 'bridge' + list ports 'lan0' + list ports 'lan1' + list ports 'lan2' + list ports 'lan3' + list ports 'lan4' + + config interface 'lan' + option device 'br-lan' + option proto 'static' + option ipaddr '192.168.0.1' + option netmask '255.255.0.0' + option ip6assign '64' + list ip6class 'wan_6' + + config interface 'wan' + option device 'eth2' + option proto 'pppoe' + option username 'association.libre.en.comm@fdn.ilf.kosc' + option password 'INFORMATION CACHEE' + list ip6class 'wan_6' + option ipv6 'auto' + + config interface 'wan2' + option proto 'static' + option device 'eth2' + option ipaddr '80.67.179.96' + option netmask '255.255.255.255' + + +
+ +#### Configuration DHCP (IP statiques allouées aux VM et serveurs) + +##### /etc/config/dhcp +
+ + config dnsmasq + option localise_queries '1' + option local '/lan/' + option domain 'lan' + option authoritative '1' + option readethers '1' + option leasefile '/tmp/dhcp.leases' + option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' + option ednspacket_max '1232' + option rebind_protection '0' + option localservice '0' + list interface 'lan' + list notinterface 'wan' + list notinterface 'wan6' + list notinterface 'wan_6' + list notinterface 'wan2' + option allservers '1' + + config dhcp 'lan' + option interface 'lan' + option start '100' + option limit '150' + option leasetime '12h' + option dhcpv4 'server' + option ra 'hybrid' + option dhcpv6 'hybrid' + option ndp 'hybrid' + list ra_flags 'none' + + config dhcp 'wan' + option interface 'wan' + option ignore '1' + list ra_flags 'none' + + config odhcpd 'odhcpd' + option maindhcp '0' + option leasefile '/tmp/hosts/odhcpd' + option leasetrigger '/usr/sbin/odhcpd-update' + option loglevel '4' + + config domain + option name 'routeur' + option ip '2001:910:1021::1' + + config domain + option name 'routeur.libre-en-communs.org' + option ip '192.168.0.1' + + config domain + option name 'routeur.libre-en-communs.org' + option ip '2001:910:1021::1' + + config domain + option name 'mother.libre-en-communs.org' + option ip '192.168.1.2' + + config domain + option name 'mother' + option ip '2001:910:1021::2' + + config domain + option name 'aunt.libre-en-communs.org' + option ip '192.168.1.3' + + config domain + option name 'aunt' + option ip '2001:910:1021::3' + + config host + option name 'mother' + option dns '1' + option mac '52:C6:86:7C:8F:7E' + option ip '192.168.1.2' + + config host + option name 'aunt' + option dns '1' + option mac 'F2:8A:D8:B6:5D:60' + option ip '192.168.1.3' + + config host + option mac '52:54:00:C1:D0:69' + option name 'dns' + option dns '1' + option ip '192.168.1.242' + + config host + option name 'gestion' + option dns '1' + option mac '52:54:00:C8:83:EC' + option ip '192.168.1.236' + + 
config domain + option name 'gestion.a-lec.org' + option ip '192.168.1.236' + + config host + option name 'git' + option dns '1' + option mac '52:54:00:FD:63:1C' + option ip '192.168.1.131' + + config host + option mac '52:54:00:12:BC:CF' + option name 'mail' + option dns '1' + option ip '192.168.1.201' + + config host + option name 'toot' + option dns '1' + option mac '52:54:00:E4:2A:97' + option ip '192.168.1.179' + + config host + option mac '52:54:00:07:F1:3C' + option name 'www' + option dns '1' + option ip '192.168.1.188' + + config host + option name 'xmpp' + option dns '1' + option mac '52:54:00:0B:A6:ED' + option ip '192.168.1.211' + + config host + option name 'audio' + option dns '1' + option mac '52:54:00:EE:93:E0' + option ip '192.168.1.186' + + config host + option mac '52:54:00:F2:BB:55' + option name 'tootest' + option dns '1' + option ip '192.168.1.232' + + config host + option mac '52:54:00:86:69:5F' + option name 'generic' + option dns '1' + option ip '192.168.1.195' + + config domain + option name 'mail.a-lec.org' + option ip '192.168.1.201' + + config domain + option name 'git.a-lec.org' + option ip '192.168.1.131' + + config domain + option name 'audio.a-lec.org' + option ip '192.168.1.186' + + config domain + option name 'sharedfs.a-lec.org' + option ip '192.168.0.148' + + config domain + option name 'isengard.libre-en-communs.org' + option ip '192.168.1.155' + + config domain + option name 'mother.libre-en-communs.org' + option ip '192.168.1.2' + + config domain + option name 'isengard.libre-en-communs.org' + option ip '192.168.1.155' + + config domain + option name 'aunt.libre-en-communs.org' + option ip '192.168.1.3' + + config domain + option name 'xmpp.a-lec.org' + option ip '192.168.1.211' + + config domain + option name 'dns.libre-en-communs.org' + option ip '192.168.1.242' + + config host + option name 'libreboot' + option dns '1' + option mac '52:54:00:1D:0A:65' + option ip '192.168.1.120' + + config host + option name 'isengard' + 
option dns '1' + option mac '52:54:00:C3:51:4D' + option ip '192.168.1.155' + + config host + option name 'sharedfs' + option dns '1' + option mac '52:54:00:54:5A:B8' + option ip '192.168.0.148' + + config host + option name 'ghn' + option dns '1' + option ip '192.168.1.224' + option mac '52:54:00:e2:13:4f' + + config host + option name 'xmpp.chalec.org' + option dns '1' + option mac '52:54:00:FC:74:4C' + option ip '192.168.2.204' + + config host + option name 'audio.chalec.org' + option dns '1' + option mac '52:54:00:88:F7:2F' + option ip '192.168.2.114' + + config host + option ip '192.168.2.189' + option name 'generic.chalec.org' + option dns '1' + option mac '52:54:00:C9:16:7A' + + config host + option mac '52:54:00:CA:E8:51' + option ip '192.168.2.193' + option name 'nuage.chalec.org' + option dns '1' + + config host + option name 'toot.chalec.org' + option dns '1' + option mac '52:54:00:AB:41:92' + option ip '192.168.2.220' + + config domain + option name 'toot.chalec.org' + option ip '192.168.2.220' + + config domain + option name 'audio.chalec.org' + option ip '192.168.2.114' + + config domain + option name 'nuage.chalec.org' + option ip '192.168.2.193' + + config domain + option ip '192.168.2.204' + option name 'xmpp.chalec.org' + + config host + option name 'forge.chalec.org' + option dns '1' + option mac '52:54:00:73:A2:F2' + option ip '192.168.2.239' + + config domain + option name 'forge.chalec.org' + option ip '192.168.2.239' + + config host + option name 'visio.chalec.org' + option dns '1' + option mac '52:54:00:46:87:63' + option ip '192.168.2.198' + + config domain + option name 'visio.chalec.org' + option ip '192.168.2.198' + + config host + option mac '52:54:00:5A:EE:F3' + option ip '192.168.2.139' + option name 'libreverse.chalec.org' + option dns '1' + + config domain + option name 'libreverse.chalec.org' + option ip '192.168.2.139' + + config host + option name 'video.chalec.org' + option dns '1' + option mac '52:54:00:0E:9F:9A' + option ip 
'192.168.2.199' + + config domain + option name 'video.chalec.org' + option ip '192.168.2.199' + + config domain + option name 'sharedfs.a-lec.org' + option ip '192.168.0.148' + + config domain + option ip '192.168.0.206' + option name 'coreboot' + + config host + option name 'ctrlv.chalec.org' + option dns '1' + option mac '52:54:00:C0:45:7A' + option ip '192.168.2.240' + + config host + option name 'sondage.chalec.org' + option dns '1' + option mac '52:54:00:E5:F0:F8' + option ip '192.168.2.137' + + config host + option name 'pad.chalec.org' + option dns '1' + option mac '52:54:00:50:56:54' + option ip '192.168.2.182' + + config host + option name 'stats.chalec.org' + option dns '1' + option mac '52:54:00:87:E2:D5' + option ip '192.168.2.196' + + config domain + option name 'stats.chalec.org' + option ip '192.168.2.196' + + config domain + option name 'nuage.chalec.org' + option ip '192.168.2.193' + + config domain + option name 'visio.chalec.org' + option ip '192.168.2.198' + + config host + option name 'www.chalec.org' + option dns '1' + option mac '52:54:00:A6:FD:72' + option ip '192.168.2.225' + + config host + option name 'petition.chalec.org' + option dns '1' + option mac '52:54:00:bd:21:03' + option ip '192.168.2.67' + + config domain + option name 'www.chalec.org' + option ip '192.168.2.225' + + config domain + option name 'ghn.a-lec.org' + option ip '192.168.1.224' + + +
+ +#### Configuration du pare-feu (et redirections de ports pour IPV4) + +##### /etc/config/firewall +
+
+ config defaults
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option synflood_protect '1'
+ option drop_invalid '1'
+ option forward 'DROP'
+
+ config zone
+ option name 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+ list network 'lan'
+
+ config zone
+ option name 'wan'
+ option output 'ACCEPT'
+ option masq '1'
+ option input 'ACCEPT'
+ option forward 'ACCEPT'
+ list device 'eth2'
+ option log '1'
+ list network 'wan'
+ list network 'wan2'
+
+ config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+ config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+ config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+ config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+ + config rule + option name 'Allow-ICMPv6-Forward' + option src 'wan' + option dest '*' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + option limit '1000/sec' + option family 'ipv6' + option target 'ACCEPT' + + config rule + option name 'Allow-IPSec-ESP' + option src 'wan' + option dest 'lan' + option proto 'esp' + option target 'ACCEPT' + + config rule + option name 'Allow-ISAKMP' + option src 'wan' + option dest 'lan' + option dest_port '500' + option proto 'udp' + option target 'ACCEPT' + + config rule + option name 'Support-UDP-Traceroute' + option src 'wan' + option dest_port '33434:33689' + option proto 'udp' + option family 'ipv4' + option target 'REJECT' + option enabled 'false' + + config include + option path '/etc/firewall.user' + + config include + option path '/etc/firewall.fail2ban' + option enabled '1' + option reload '1' + + config redirect + option target 'DNAT' + option name 'ssh 222 -> mother' + option src 'wan' + option src_dport '222' + option dest 'lan' + option dest_port '222' + option src_dip '80.67.176.33' + option dest_ip '192.168.1.2' + + config redirect + option target 'DNAT' + option name 'ssh 223 -> aunt' + option src 'wan' + option src_dport '223' + option dest 'lan' + option dest_port '223' + option src_dip '80.67.176.33' + option dest_ip '192.168.1.3' + + config redirect + option target 'DNAT' + option name 'dns 53 -> dns' + option src 'wan' + option src_dport '53' + option dest 'lan' + option dest_port '53' + option dest_ip '192.168.1.242' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dport '25' + option dest 'lan' + option dest_port '25' + option name 'smtp -> mail' + option dest_ip '192.168.1.201' + option src_dip '80.67.176.33' + + config redirect + 
option target 'DNAT' + option src 'wan' + option src_dport '587' + option dest 'lan' + option dest_port '587' + option name 'smtps -> mail' + option dest_ip '192.168.1.201' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dport '993' + option dest 'lan' + option dest_port '993' + option name 'imaps -> mail' + option dest_ip '192.168.1.201' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dip '80.67.176.33' + option src_dport '4190' + option dest 'lan' + option dest_ip '192.168.1.201' + option dest_port '4190' + option reflection_src 'external' + option name 'sieve -> mail' + + config redirect + option target 'DNAT' + option name 'ssh 666 -> mail' + option src 'wan' + option src_dport '666' + option dest 'lan' + option dest_port '22' + option dest_ip '192.168.1.201' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'ssh 22 -> git' + option src 'wan' + option src_dport '22' + option dest 'lan' + option dest_port '22' + option dest_ip '192.168.1.131' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'ssh 777 -> www' + option src 'wan' + option src_dport '777' + option dest 'lan' + option dest_port '22' + option dest_ip '192.168.1.188' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'xmpp c2s' + option src 'wan' + option src_dport '5222' + option dest 'lan' + option dest_port '5222' + option dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dport '5223' + option dest 'lan' + option dest_port '5223' + option name 'xmpp c2s tls' + option dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'xmpp s2s' + option src 'wan' + option src_dport '5269' + option dest 'lan' + option dest_port '5269' + option 
dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'xmpp https' + option src 'wan' + option src_dport '5443' + option dest 'lan' + option dest_port '5443' + option dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'xmpp http' + option src 'wan' + option src_dport '5280' + option dest 'lan' + option dest_port '5280' + option dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'xmpp stun' + option src 'wan' + option src_dport '3478' + option dest 'lan' + option dest_port '3478' + option dest_ip '192.168.1.211' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option name 'mumble -> audio' + option src 'wan' + option src_dport '64738' + option dest 'lan' + option dest_ip '192.168.1.186' + option dest_port '64738' + option src_dip '80.67.176.33' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dport '113' + option dest 'lan' + option dest_ip '192.168.2.204' + option name 'Chalec xmpp (IRC sortant) identd' + + config redirect + option target 'DNAT' + option name 'chalec xmpp c2s' + option src 'wan' + option src_dip '80.67.179.96' + option dest 'lan' + option dest_ip '192.168.2.204' + option src_dport '5222' + + config redirect + option target 'DNAT' + option name 'chalec xmpp c2s tls' + option src 'wan' + option src_dport '5223' + option dest 'lan' + option dest_ip '192.168.2.204' + option src_dip '80.67.179.96' + + config redirect + option target 'DNAT' + option name 'chalec xmpp s2s' + option src 'wan' + option src_dip '80.67.179.96' + option dest 'lan' + option dest_ip '192.168.2.204' + option src_dport '5269' + + config redirect + option target 'DNAT' + option name 'chalec xmpp https' + option src 'wan' + option src_dip '80.67.179.96' + option dest 'lan' + option dest_ip '192.168.2.204' + option src_dport '5443-5444' + + config 
redirect + option target 'DNAT' + option name 'chalec xmpp http' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '5280' + option dest 'lan' + option dest_ip '192.168.2.204' + + config redirect + option target 'DNAT' + option name 'chalec xmpp stun' + option src 'wan' + option src_dip '80.67.179.96' + option dest 'lan' + option dest_ip '192.168.2.204' + option src_dport '3475-3478' + + config redirect + option target 'DNAT' + option name 'chalec mumble' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '64738' + option dest 'lan' + option dest_ip '192.168.2.114' + + config redirect + option target 'DNAT' + option name 'Chalec Libreverse' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '30000' + option dest 'lan' + option dest_ip '192.168.2.139' + + config include + option path '/etc/firewall.fail2ban' + option enabled '1' + option reload '1' + + config redirect + option target 'DNAT' + option name 'Isengard Grafana' + option src 'wan' + option src_dip '80.67.176.33' + option src_dport '3000' + option dest 'lan' + option dest_ip '192.168.1.155' + option dest_port '3000' + + config redirect + option target 'DNAT' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '1935' + option dest 'lan' + option dest_ip '192.168.2.199' + option dest_port '1935' + option name '1935 -> video' + + config redirect + option target 'DNAT' + option name '10000 -> visio' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '10000' + option dest 'lan' + option dest_ip '192.168.2.198' + + config redirect + option target 'DNAT' + option name 'chalec ssh 22 -> forge' + option src 'wan' + option src_dip '80.67.179.96' + option src_dport '22' + option dest 'lan' + option dest_ip '192.168.2.239' + option dest_port '22' + option reflection_src 'external' + + config redirect + option target 'DNAT' + option name 'icinga 5665-> isengard' + option src 'wan' + option src_dport '5665' + option dest 'lan' 
+ option dest_ip '192.168.1.155' + option dest_port '5665' + + config forwarding + option src 'wan' + option dest 'lan' + +
+ +#### Configuration du routage des IPs publiques en sortie + +##### /etc/config/vpn-policy-routing +
+ + config vpn-policy-routing 'config' + option verbosity '2' + option strict_enforcement '1' + option src_ipset '0' + option dest_ipset '0' + option resolver_ipset 'dnsmasq.ipset' + option ipv6_enabled '0' + list ignored_interface 'vpnserver wgserver' + option boot_timeout '30' + option iptables_rule_option 'append' + option procd_reload_delay '1' + option webui_show_ignore_target '0' + option webui_sorting '1' + list webui_supported_protocol 'tcp' + list webui_supported_protocol 'udp' + list webui_supported_protocol 'tcp udp' + list webui_supported_protocol 'icmp' + list webui_supported_protocol 'all' + option enabled '1' + option webui_enable_column '1' + option webui_protocol_column '1' + option webui_chain_column '1' + + config policy + option name 'sortie chalec' + option src_addr '192.168.2.0/24' + option proto 'all' + option chain 'OUTPUT' + option interface 'wan2' + +
+ +### Configuration des certificats SSL + +Configuration classique d'acme pour la génération de certificats SSL pour le routeur. + +##### /etc/config/acme +
+ + config acme + option state_dir '/etc/acme' + option account_email 'cominfra@a-lec.org' + option debug '0' + + config cert 'example_wildcard' + option update_nginx '1' + option enabled '1' + list domains 'routeur.libre-en-communs.org' + option update_uhttpd '0' + option validation_method 'webroot' + option webroot '/www' + option keylength 'ec-384' + option use_staging '0' + + +
+ +### Configuration Reverse Proxy (nginx) + +Le Reverse Proxy a pour mission de rediriger les connexions HTTP(S) qui arrivent en IPv4 sur le routeur vers les machines associées à ces connexions. Il n'est donc pas utilisé pour IPv6 puisque chaque machine a sa propre IP publique accessible depuis Internet. Nous utilisons le logiciel `nginx`. + +Pour HTTP (port 80), on utilise la méthode `proxy_pass` en http dans des blocs `server` de la section `http`. Afin d'éviter d'avoir des IPs à configurer ici, nous utilisons les noms d'hôte des machines qui sont donc résolus en "runtime". La redirection vers la machine s'effectue sur le port 80, avec les headers `X-Real-IP` et `X-Forwarded-For` à destination de la machine cible. La configuration du Reverse Proxy HTTP est dans le fichier `/etc/nginx/reverse_proxy.conf`. + +Pour HTTPS (port 443), en raison de notre volonté de ne pas centraliser les certificats SSL en un seul endroit, nous avons fait le choix de ne pas déchiffrer les requêtes sur le routeur. Ainsi, nous utilisons la méthode `proxy_pass` avec le `proxy_protocol` et `ssl_preread` dans la section `stream`. Cela permet de lire le nom d'hôte dans l'en-tête SSL et de transmettre directement la requête non traitée à la machine correspondante. Afin de ne pas gêner des requêtes en IPv4 sur le port 443 internes au réseau, la redirection vers la machine s'effectue sur le port 444 en `proxy_protocol` permettant de récupérer l'IP de la machine ayant émis la requête. La configuration du Reverse Proxy HTTPS est dans le fichier `/etc/nginx/reverse_proxy_ssl.conf`. + +Enfin, la configuration générale de nginx ainsi que le bloc pour le serveur correspondant à la page de configuration du routeur se trouve dans `/etc/nginx/nginx.conf`. + +##### /etc/nginx/nginx.conf (fichier principal de configuration) +
+ + worker_processes auto; + + user root; + + events { + worker_connections 1024; + } + + #error_log /var/log/nginx/error.log debug; + + stream { + include reverse_proxy_ssl.conf; + } + + http { + + resolver 127.0.0.1 ipv6=off; + + include mime.types; + default_type application/octet-stream; + sendfile on; + + client_max_body_size 128M; + large_client_header_buffers 2 1k; + server_names_hash_bucket_size 64; + + gzip on; + gzip_vary on; + gzip_proxied any; + + include reverse_proxy.conf; + + #include conf.d/*.conf; + + server { + + listen 0.0.0.0:444 ssl proxy_protocol; + server_name routeur.libre-en-communs.org; + + ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer; + ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key; + + location /cgi-bin/luci { + index index.html; + include uwsgi_params; + uwsgi_param SERVER_ADDR $server_addr; + uwsgi_modifier1 9; + uwsgi_pass unix:///var/run/luci-webui.socket; + } + + location ~ /cgi-bin/cgi-(backup|download|upload|exec) { + include uwsgi_params; + uwsgi_param SERVER_ADDR $server_addr; + uwsgi_modifier1 9; + uwsgi_pass unix:///var/run/luci-cgi_io.socket; + } + + location /luci-static { + error_log stderr crit; + } + + location /ubus { + ubus_interpreter; + ubus_socket_path /var/run/ubus/ubus.sock; + ubus_parallel_req 2; + } + + root /www; + ssl_session_cache shared:SSL:32k; + ssl_session_timeout 64m; + } + } + +
+ +##### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP) +
+ + #### INFRA + + server { + server_name isengard.libre-en-communs.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://isengard.libre-en-communs.org:80"; + proxy_pass $target; + } + } + + server { + server_name gestion.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://gestion.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name don.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://gestion.a-lec.org:80"; + proxy_pass $target; + } + + } + + server { + server_name adhesion.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://gestion.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name audio.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP + $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://audio.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name coffre.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://gestion.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name git.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://git.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + 
server_name www.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://www.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://www.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name toot.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://toot.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name mail.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://mail.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name autoconfig.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://mail.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name xmpp.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://xmpp.a-lec.org:80"; + proxy_pass $target; + } + } + server { + server_name salons.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://xmpp.a-lec.org:80"; + proxy_pass $target; + } + } + server { + server_name pubsub.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header 
X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://xmpp.a-lec.org:80"; + proxy_pass $target; + } + } + server { + server_name proxy.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://proxy.a-lec.org:80"; + proxy_pass $target; + } + } + + server { + server_name ghn.a-lec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://ghn.a-lec.org:80"; + proxy_pass $target; + } + } + + ### CHALEC + + server { + server_name audio.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://audio.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name toot.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + location / { + set $target "http://toot.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name nuage.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + location / { + set $target "http://nuage.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name forge.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://forge.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name ctrlv.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + + location / { + set $target "http://ctrlv.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name sondage.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://sondage.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name visio.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://visio.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name video.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://video.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name libreverse.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://libreverse.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name xmpp.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://xmpp.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name pad.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://pad.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name stats.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set 
$target "http://stats.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name www.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://www.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name www-wip.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://www.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name petition.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + location / { + set $target "http://petition.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://www.chalec.org:80"; + proxy_pass $target; + } + } + + server { + server_name xmpp.chalec.org; + listen 80; + proxy_redirect off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + set $target "http://xmpp.chalec.org:80"; + proxy_pass $target; + } + } + + + + +
+ +##### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS) +
+ + map_hash_max_size 64; + map_hash_bucket_size 64; + map $ssl_preread_server_name $name_444 { + gestion.a-lec.org gestion_a-lec_444; + don.a-lec.org gestion_a-lec_444; + adhesion.a-lec.org gestion_a-lec_444; + coffre.a-lec.org gestion_a-lec_444; + git.a-lec.org git_a-lec_444; + www.a-lec.org www_a-lec_444; + www-wip.a-lec.org www_a-lec_444; + a-lec.org www_a-lec_444; + mail.a-lec.org mail_a-lec_444; + autoconfig.a-lec.org mail_a-lec_444; + toot.a-lec.org toot_a-lec_444; + routeur.libre-en-communs.org routeur_444; + isengard.libre-en-communs.org isengard_444; + audio.a-lec.org audio_a-lec_444; + tootest.a-lec.org tootest_a-lec_444; + ghn.a-lec.org ghn_a-lec_444; + + ### CHALEC + audio.chalec.org audio_chalec_444; + nuage.chalec.org nuage_chalec_444; + toot.chalec.org toot_chalec_444; + forge.chalec.org forge_chalec_444; + pad.chalec.org pad_chalec_444; + ctrlv.chalec.org ctrlv_chalec_444; + sondage.chalec.org sondage_chalec_444; + stats.chalec.org stats_chalec_444; + visio.chalec.org visio_chalec_444; + video.chalec.org video_chalec_444; + libreverse.chalec.org libreverse_chalec_444; + www.chalec.org www_chalec_444; + chalec.org www_chalec_444; + www-wip.chalec.org www_chalec_444; + petition.chalec.org petition_chalec_444; + xmpp.chalec.org xmpp_chalec_444; + } + + upstream gestion_a-lec_444 { + server gestion.a-lec.org:444; + } + + upstream ghn_a-lec_444 { + server ghn.a-lec.org:444; + } + + upstream tootest_a-lec_444 { + server tootest.a-lec.org:444; + } + + upstream audio_a-lec_444 { + server audio.a-lec.org:444; + } + + upstream git_a-lec_444 { + server git.a-lec.org:444; + } + + upstream mail_a-lec_444 { + server mail.a-lec.org:444; + } + + upstream www_a-lec_444 { + server www.a-lec.org:444; + } + + upstream toot_a-lec_444 { + server toot.a-lec.org:444; + } + + upstream routeur_444 { + server 127.0.0.1:444; + } + + upstream isengard_444 { + server isengard.libre-en-communs.org:444; + } + + + ### CHALEC + + upstream audio_chalec_444 { + server 
audio.chalec.org:444; + } + + upstream nuage_chalec_444 { + server nuage.chalec.org:444; + } + + upstream toot_chalec_444 { + server toot.chalec.org:444; + } + + upstream forge_chalec_444 { + server forge.chalec.org:444; + } + + upstream ctrlv_chalec_444 { + server ctrlv.chalec.org:444; + } + + upstream pad_chalec_444 { + server pad.chalec.org:444; + } + + upstream sondage_chalec_444 { + server sondage.chalec.org:444; + } + + upstream stats_chalec_444 { + server stats.chalec.org:444; + } + + upstream visio_chalec_444 { + server visio.chalec.org:444; + } + + upstream video_chalec_444 { + server video.chalec.org:444; + } + + upstream libreverse_chalec_444 { + server libreverse.chalec.org:444; + } + + upstream xmpp_chalec_444 { + server xmpp.chalec.org:444; + } + + upstream petition_chalec_444 { + server petition.chalec.org:444; + } + + + upstream www_chalec_444 { + server www.chalec.org:444; + } + + ### SERVER + + server { + listen 443; + proxy_pass $name_444; + proxy_protocol on; + ssl_preread on; + } + + +
diff --git a/vm/toot.md b/vm/toot.md
new file mode 100644
index 0000000..8c9a9d2
--- /dev/null
+++ b/vm/toot.md
@@ -0,0 +1,130 @@
+## Machine virtuelle TOOT
+
+Cette machine est destinée à accueillir l'instance Mastodon de l'association.
+
+### Matériel virtuel
+
+CPU : 3
+RAM : 2048 Mio
+Stockage de masse : 50 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+Base do donnée : PostgreSQL
+Serveur Web: NGINX
+
+### Caractéristiques notables
+
+Domaine : toot.a-lec.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.173
+Adresse ipv6 publique : 2001:910:1021::173
+
+### Comptes
+
+Administrateur: admin
+Modérateurs: neox, echolib
+Ouverture de compte: tout membre de l'association
+
+### Visibilité
+
+Instance publique
+
+### Configuration serveur web (nginx)
+
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name toot.a-lec.org;
+ return 302 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl proxy_protocol default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name toot.a-lec.org;
+
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ keepalive_timeout 70;
+ sendfile on;
+ client_max_body_size 0;
+
+ root /home/mastodon/live/public;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ location / {
+ try_files $uri @proxy;
+ }
+
+ location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+ }
+
+ location /api/v1/streaming {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+
+ proxy_pass http://127.0.0.1:4000;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+ }
+
+ error_page 500 501 502 503 504 /500.html;
+ }
+
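Review bot: `set_real_ip_from 192.169.1.1;` in the HTTPS server block trusts a non-private address (192.169.0.0/16 is not RFC 1918) rather than the router on the internal 192.168.1.0/24 net that this same file gives for the VM, so it reads as a typo for `set_real_ip_from 192.168.1.1;` — confirm against the router's actual internal address. Until that value matches the peer that sends the PROXY header, `real_ip_header proxy_protocol` is never applied and `$remote_addr`, hence the `X-Real-IP`/`X-Forwarded-For` handed to Mastodon on 127.0.0.1:3000 and :4000, is the router's address for every client, which defeats any per-IP rate limiting, logging or moderation built on those headers. Separately, nginx does not inherit `add_header` into a location that declares its own, so the server-level `Strict-Transport-Security` header is dropped on responses from the `location ~ ^/(emoji|packs|...)` block that adds `Cache-Control`; repeat `add_header Strict-Transport-Security "max-age=31536000" always;` inside that location. `client_max_body_size 0;` also removes the request-body limit on a public instance, where Mastodon's reference nginx config uses a finite value such as `client_max_body_size 99m;`. Note too that the router's stream map in this commit forwards `toot.a-lec.org` to port 444 while this server listens on 443 with `proxy_protocol`; unless a local redirect 444→443 exists on the VM, one of the two is stale.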
diff --git a/vm/tootest.md b/vm/tootest.md
new file mode 100644
index 0000000..25f8163
--- /dev/null
+++ b/vm/tootest.md
@@ -0,0 +1,25 @@
+## Machine virtuelle TOOTEST
+
+Cette machine est destinée à accueillir l'instance Mastodon de test.
+
+### Matériel virtuel
+
+CPU : x
+RAM : xxx Mio
+Stockage de masse : 50 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+Base do donnée : PostgreSQL
+Serveur Web: NGINX
+
+### Caractéristiques notables
+
+Domaine : toot.a-lec.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.232
+Adresse ipv6 publique : 2001:910:1021::232
diff --git a/vm/www.md b/vm/www.md
new file mode 100644
index 0000000..7767f74
--- /dev/null
+++ b/vm/www.md
@@ -0,0 +1,117 @@
+## Machine virtuelle WWW
+
+Cette machine est destinée à accueillir le site web de l'association
+
+### Matériel virtuel
+
+CPU : 1
+RAM : 1000 Mio
+Stockage de masse : 50 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+Serveur http : `nginx`
+Gestionnaire FastCGI : `php-fpm` version 7.4
+
+### Caractéristiques notables
+
+Domaine : www.a-lec.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.188
+Adresse ipv6 publique : 2001:910:1021::188
+
+### Configuration du serveur web (nginx)
+
+
+ server {
+ set_real_ip_from 192.169.1.1;
+ real_ip_header proxy_protocol;
+
+ # SSL configuration
+ #
+ listen 443 ssl proxy_protocol default_server;
+ listen [::]:443 ssl default_server;
+
+ root /var/www/html;
+
+ ssl_certificate /etc/letsencrypt/live/www.a-lec.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/www.a-lec.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.php;
+
+ server_name www.a-lec.org;
+
+ location /.well-known/host-meta {
+ default_type 'application/xrd+xml';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+
+ location /.well-known/host-meta.json {
+ default_type 'application/jrd+json';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;
+ }
+
+ ssi on;
+ ssi_last_modified on;
+
+ # pass PHP scripts to FastCGI server
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+
+ server_name www.a-lec.org;
+
+ return 302 https://www.a-lec.org$request_uri;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+
+ server_name a-lec.org;
+
+ return 302 https://www.a-lec.org$request_uri;
+ }
+
+ server {
+ listen 443 ssl proxy_protocol;
+ listen [::]:443 ssl;
+
+ server_name a-lec.org;
+
+ return 302 https://www.a-lec.org$request_uri;
+
+ ssl_certificate /etc/letsencrypt/live/a-lec.org-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/a-lec.org-0001/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ }
+
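Review bot: The www.a-lec.org server block carries the same `set_real_ip_from 192.169.1.1;`, a non-private address instead of the router on the internal 192.168.1.0/24 net this file describes; it reads as a typo for `set_real_ip_from 192.168.1.1;` (confirm the router's internal address), and until it matches the PROXY-protocol peer, `$remote_addr` in the access log and the `REMOTE_ADDR` that the default fastcgi_params pass to php-fpm is the router, not the client. Unlike the toot.md config in this same commit, this server sends no `Strict-Transport-Security` header (certbot's options-ssl-nginx.conf does not set one); add `add_header Strict-Transport-Security "max-age=31536000" always;` to the 443 block. `ssi on;` is enabled for the whole server, which is harmless for static pages but turns any file under /var/www/html that contains user-supplied or attacker-writable text into an SSI injection point, so it is worth scoping to the locations that actually use includes. The three redirect blocks use `302`; `301` is the usual choice for http→https and apex→www so clients cache the redirect rather than re-issuing a cleartext request each time.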
diff --git a/vm/xmpp.md b/vm/xmpp.md
new file mode 100644
index 0000000..0b5e814
--- /dev/null
+++ b/vm/xmpp.md
@@ -0,0 +1,24 @@
+## Machine virtuelle XMPP
+
+Cette machine est destinée à accueillir le service XMPP
+
+### Matériel virtuel
+
+CPU : 1
+RAM : 1000 Mio
+Stockage de masse : 50 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+Serveur XMPP : `ejabberd`
+
+### Caractéristiques notables
+
+Domaine : xmpp.a-lec.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.211
+Adresse ipv6 publique : 2001:910:1021::211