Refonte documentation
parent
b3e2e5ffc7
commit
dcee60bbdf
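--- /dev/null
+++ b/PATH_NOT_SHOWN_anthea
@@ -0,0 +1,58 @@
+# anthea, machine physique (fontainebleau)
+
+## Matériel
+
+Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
+CPU : 2 × AMD Opteron 6280SE
+RAM : *(à compléter)*
+Alimentation : *(à compléter)*
+Onduleur : (non)
+Casier : *(à compléter)*
+Stockage de masse : *(à compléter)*
+
+## Logiciel
+
+Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Virtualisation : QEMU/KVM (`libvirt`)
+Audit des paquets mensuel : `vrms`
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
+Mail Transfer Agent : `postfix`
+
+## Caractéristiques notables
+
+Domaine : anthea.libre-en-communs.org
+Adresse ipv4 publique : *(à compléter)*
+Adresse ipv4 locale : *(à compléter)*
+Adresse ipv6 publique : *(à compléter)*
+
+### Configuration réseau
+
+#### /etc/network/interfaces
+<details>
+
+*(à compléter)*
+
+</details>
+
+## Configuration SSH
+
+### /etc/ssh/sshd_config
+<details>
+
+*(à compléter)*
+
+</details>
+
+## Configuration MTA
+
+### /etc/postfix/transport
+
+a-lec.org :
+* discard:
+
+### /etc/postfix/virtual
+
+@localhost admin@a-lec.org
+@mother.libre-en-communs.org admin@a-lec.org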
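Review bot: The `/etc/postfix/virtual` map at the end of this file rewrites `@mother.libre-en-communs.org`, not this host's own domain `anthea.libre-en-communs.org` given under « Caractéristiques notables »; the aunt file maps its own `@aunt.libre-en-communs.org`, so this reads as a copy-paste leftover from the mother page, and mail addressed to anthea's own hostname would not be caught by the entry as written. The britt file carries the same leftover. Proposed line here: `@anthea.libre-en-communs.org admin@a-lec.org`, and `@britt.libre-en-communs.org admin@a-lec.org` in britt.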
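--- /dev/null
+++ b/PATH_NOT_SHOWN_aunt
@@ -0,0 +1,198 @@
+# aunt, machine physique (leparc)
+
+## Matériel
+
+Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
+CPU : 2 × AMD Opteron 6282SE
+RAM : *(à compléter)*
+Alimentation : *(à compléter)*
+Onduleur : 1 × EATON Ellipse PRO 1200 VA
+Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack)
+Stockage de masse : 2 × KINGSTON SEDC500M1920G
+
+## Logiciel
+
+Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Virtualisation : QEMU/KVM (`libvirt`)
+Gestion du onduleur : NUT/UPS
+Audit des paquets mensuel : `vrms`
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
+Mail Transfer Agent : `postfix`
+Réplication de stockage (vm) : `drbd`, `ocfs2`
+
+## Caractéristiques notables
+
+Domaine : aunt.libre-en-communs.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 locale : 192.168.1.3
+Adresse ipv4 interne DRBD : 192.168.254.3
+Adresse ipv6 publique : 2001:910:1021::3
+
+### Configuration réseau
+
+#### /etc/network/interfaces
+<details>
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug ens9
+allow-hotplug ens10
+allow-hotplug ens13f0
+allow-hotplug ens13f1
+
+# mother!
+iface ens13f1 inet static
+address 192.168.254.3
+
+post-up /usr/bin/ip link set ens13f1 mtu 9000
+
+# bridge for vm
+auto br0
+iface br0 inet static
+bridge_ports ens13f0
+address 192.168.1.3
+gateway 192.168.0.1
+broadcast 192.168.255.255
+netmask 255.255.0.0
+
+iface br0 inet6 static
+bridge_ports ens13f0
+address 2001:910:1021::3/128
+gateway 2001:910:1021::
+
+</details>
+
+## Configuration SSH
+
+### /etc/ssh/sshd_config
+<details>
+
+Port 223
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+GatewayPorts yes
+X11Forwarding no
+
+PrintMotd no
+
+TCPKeepAlive yes
+
+PermitTunnel yes
+
+AcceptEnv LANG LC_* GIT_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+Match User admin666 Address *,!127.0.0.1,!::1
+DenyUsers admin666
+
+</details>
+
+## Configuration DRBD
+
+### /etc/drbd.d/drbd1.res
+<details>
+
+resource drbd1 {
+meta-disk internal;
+device /dev/drbd1;
+
+startup {
+become-primary-on both;
+}
+net {
+verify-alg sha256;
+allow-two-primaries yes;
+#fencing resource-and-stonith;
+after-sb-0pri discard-zero-changes;
+after-sb-1pri discard-secondary;
+protocol C;
+ko-count 0;
+timeout 119;
+ping-int 120;
+connect-int 120;
+#max-epoch-size 20000;
+max-buffers 36k;
+sndbuf-size 0;
+rcvbuf-size 0;
+}
+handlers {
+pri-lost-after-sb "killall virt-backup && umount /opt/sharedfs && drbdadm secondary drbd1";
+}
+disk {
+on-io-error pass_on;
+md-flushes;
+c-fill-target 10M;
+c-max-rate 700M;
+c-plan-ahead 0;
+c-min-rate 4M;
+resync-rate 500M;
+}
+
+on mother { # hostname must match `uname -n` output
+disk /dev/md1; # Logical Volume on the provided host
+address 192.168.254.2:7789; # IP Address to be used to connect to the node with port
+}
+
+on aunt { # hostname must match `uname -n` output
+disk /dev/md1; # Logical Volume on the provided host
+address 192.168.254.3:7789; # IP Address to be used to connect to the node with port
+}
+
+}
+
+</details>
+
+### /etc/ocfs2/cluster.conf
+<details>
+
+cluster:
+name = sharedfs
+heartbeat_mode = local
+node_count = 2
+
+node:
+cluster = sharedfs
+number = 0
+ip_port = 7777
+ip_address = 192.169.254.3
+name = aunt
+
+node:
+cluster = sharedfs
+number = 1
+ip_port = 7777
+ip_address = 192.169.254.2
+name = mother
+
+</details>
+
+## Configuration MTA
+
+### /etc/postfix/transport
+
+a-lec.org :
+* discard:
+
+### /etc/postfix/virtual
+
+@localhost admin@a-lec.org
+@aunt.libre-en-communs.org admin@a-lec.org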
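Review bot: The ocfs2 `cluster.conf` block gives the two node addresses as `192.169.254.3` and `192.169.254.2`, while the DRBD resource in the same file and the « Adresse ipv4 interne DRBD » line use `192.168.254.x`, and the mother page's copy of the same cluster.conf uses `192.168.254.x`; the `169` here is almost certainly a transcription typo that would point the o2cb heartbeat at the wrong network if the page is used as reference. Proposed lines: `ip_address = 192.168.254.3` and `ip_address = 192.168.254.2`. Separately, the DRBD resource documents `allow-two-primaries yes` with the `fencing` line commented out and `after-sb-1pri discard-secondary`; a one-line note saying why no fencing is configured for a dual-primary resource would let the next maintainer assess the split-brain exposure instead of guessing.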
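--- /dev/null
+++ b/PATH_NOT_SHOWN_britt
@@ -0,0 +1,58 @@
+# britt, machine physique (gisors)
+
+## Matériel
+
+Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
+CPU : 1 × AMD Opteron 6280SE
+RAM : *(à compléter)*
+Alimentation : *(à compléter)*
+Onduleur : (non)
+Casier : *(à compléter)*
+Stockage de masse : *(à compléter)*
+
+## Logiciel
+
+Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Virtualisation : QEMU/KVM (`libvirt`)
+Audit des paquets mensuel : `vrms`
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
+Mail Transfer Agent : `postfix`
+
+## Caractéristiques notables
+
+Domaine : britt.libre-en-communs.org
+Adresse ipv4 publique : *(à compléter)*
+Adresse ipv4 locale : *(à compléter)*
+Adresse ipv6 publique : *(à compléter)*
+
+### Configuration réseau
+
+#### /etc/network/interfaces
+<details>
+
+*(à compléter)*
+
+</details>
+
+## Configuration SSH
+
+### /etc/ssh/sshd_config
+<details>
+
+*(à compléter)*
+
+</details>
+
+## Configuration MTA
+
+### /etc/postfix/transport
+
+a-lec.org :
+* discard:
+
+### /etc/postfix/virtual
+
+@localhost admin@a-lec.org
+@mother.libre-en-communs.org admin@a-lec.org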
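--- /dev/null
+++ b/PATH_NOT_SHOWN_mother
@@ -0,0 +1,194 @@
+# mother, machine physique (leparc)
+
+## Matériel
+
+Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
+CPU : 2 × AMD Opteron 6282SE
+RAM : 4 × Crucial RDIMM 16Go CT2K16G3ERSLD4160B
+Alimentation : 1 × Antec NE700G ZEN EC
+Onduleur : 1 × EATON Ellipse PRO 1600 VA
+Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack)
+Stockage de masse : 2 × KINGSTON SEDC500M1920G 2 To
+
+## Logiciel
+
+Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Virtualisation : QEMU/KVM (`libvirt`)
+Gestion du onduleur : NUT/UPS
+Audit des paquets mensuel : `vrms`
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
+Mail Transfer Agent : `postfix`
+Réplication de stockage (vm) : `drbd`, `ocfs2`
+
+## Caractéristiques notables
+
+Domaine : mother.libre-en-communs.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 locale : 192.168.1.2
+Adresse ipv4 interne DRBD : 192.168.254.2
+Adresse ipv6 publique : 2001:910:1021::2
+
+### Configuration réseau
+
+#### /etc/network/interfaces
+<details>
+
+auto lo br0
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug ens10
+allow-hotplug ens9
+allow-hotplug ens13f0
+allow-hotplug ens13f1
+
+# aunt
+iface ens13f1 inet static
+address 192.168.254.2
+
+post-up /usr/bin/ip link set ens13f1 mtu 9000
+
+# bridge for vm
+iface br0 inet static
+bridge_ports ens13f0
+address 192.168.1.2
+gateway 192.168.0.1
+broadcast 192.168.255.255
+netmask 255.255.0.0
+
+iface br0 inet6 static
+bridge_ports ens13f0
+address 2001:910:1021:0::2/128
+gateway 2001:910:1021::1
+
+</details>
+
+## Configuration SSH
+
+### /etc/ssh/sshd_config
+<details>
+
+Port 222
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+GatewayPorts yes
+X11Forwarding no
+
+PrintMotd no
+
+TCPKeepAlive yes
+
+PermitTunnel yes
+
+AcceptEnv LANG LC_* GIT_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+Match User admin666 Address *,!127.0.0.1,!::1
+DenyUsers admin666
+
+</details>
+
+## Configuration DRBD
+
+### /etc/drbd.d/drbd1.res
+<details>
+
+resource drbd1 {
+meta-disk internal;
+device /dev/drbd1;
+
+startup {
+become-primary-on both;
+}
+net {
+verify-alg sha256;
+allow-two-primaries yes;
+after-sb-0pri discard-zero-changes;
+after-sb-1pri discard-secondary;
+protocol C;
+ko-count 0;
+timeout 119;
+ping-int 120;
+connect-int 120;
+max-buffers 36k;
+sndbuf-size 0;
+rcvbuf-size 0;
+}
+handlers {
+pri-lost-after-sb "killall virt-backup";
+}
+disk {
+on-io-error pass_on;
+md-flushes;
+c-fill-target 10M;
+c-max-rate 700M;
+c-plan-ahead 0;
+c-min-rate 4M;
+resync-rate 500M;
+}
+
+on mother { # hostname must match `uname -n` output
+disk /dev/md1; # Logical Volume on the provided host
+address 192.168.254.2:7789; # IP Address to be used to connect to the node with port
+}
+
+on aunt { # hostname must match `uname -n` output
+disk /dev/md1; # Logical Volume on the provided host
+address 192.168.254.3:7789; # IP Address to be used to connect to the node with port
+}
+
+}
+
+</details>
+
+### /etc/ocfs2/cluster.conf
+<details>
+
+cluster:
+name = sharedfs
+heartbeat_mode = local
+node_count = 2
+
+node:
+cluster = sharedfs
+number = 0
+ip_port = 7777
+ip_address = 192.168.254.3
+name = aunt
+
+node:
+cluster = sharedfs
+number = 1
+ip_port = 7777
+ip_address = 192.168.254.2
+name = mother
+
+</details>
+
+## Configuration MTA
+
+### /etc/postfix/transport
+
+a-lec.org :
+* discard:
+
+### /etc/postfix/virtual
+
+@localhost admin@a-lec.org
+@mother.libre-en-communs.org admin@a-lec.org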
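Review bot: The `pri-lost-after-sb` handler documented here is `killall virt-backup` alone, whereas the aunt page's copy of the same resource also unmounts `/opt/sharedfs` and demotes the resource (`drbdadm secondary drbd1`); if the two nodes really run different handlers, what happens after a split-brain depends on which side loses primary, and if they do not, one of the two pages is stale — either way the page should say which is current. The IPv6 default gateway also differs between the two hosts (`2001:910:1021::1` here, `2001:910:1021::` on the aunt page and in the GENERIC template), which may be intentional but reads as a copy inconsistency worth a one-line remark.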
@ -21,8 +21,12 @@ IPv6 : 2001:910:1021::/48
|
|||
```
|
||||
|
||||
Il accueille les machines physiques suivantes :
|
||||
- [`mother.libre-en-communs.org`]() ;
|
||||
- [`aunt.libre-en-communs.org`]().
|
||||
- [`mother.libre-en-communs.org`](../pm/mother.md) ;
|
||||
- [`aunt.libre-en-communs.org`](../pm/aunt.md).
|
||||
|
||||
Ces machines physiques sont couplées pour permettre une migration transparente
|
||||
des machines virtuelles. Nous utilisons l'hyperviseur `KVM/libvirt` et `DRBD`
|
||||
pour ce faire.
|
||||
|
||||
## Matériel annexe
|
||||
|
||||
|
|
|
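--- /dev/null
+++ b/PATH_NOT_SHOWN_vm_audio
@@ -0,0 +1,118 @@
+# Machine virtuelle AUDIO
+
+## Système
+
+### Matériel virtuel
+
+CPU : 1
+RAM : 957384 KB
+Stockage de masse : 50 Gio
+Swap : désactivé
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+
+### Caractéristiques notables
+
+Domaine : dns.libre-en-communs.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.186
+Adresse ipv6 publique : 2001:910:1021::186
+
+## Serveur web (installation basique)
+Installation d'un service nginx pour :
+- la gestion des certificats SSL ;
+- l'installation d'une page d'information sur comment se connecter au Mumble ;
+- la possible installation d'un service client web pour Mumble ;
+- l'éventuel déploiement de StatoolInfos ;
+- …
+
+Installer les paquets :
+```
+apt-get install nginx python3-certbot-nginx
+```
+
+Ouvrir les ports http (80) et https (443) :
+```
+ufw allow 'Nginx HTTP'
+ufw allow 'Nginx HTTPS'
+```
+
+Configurer a minima le site web dans `/etc/nginx/sites-available/audio.a-lec.org` :
+```
+server
+{
+listen 80;
+listen [::]:80;
+
+server_name audio.a-lec.org;
+
+access_log /var/log/nginx/audio.a-lec.org-access.log;
+error_log /var/log/nginx/audio.a-lec.org-error.log;
+}
+```
+
+Activer la configuration :
+```
+cd /etc/nginx/sites-enabled/
+ln -s ../sites-available/audio.a-lec.org
+```
+
+Vérifier que c'est bon et recharger :
+```
+nginx -t && systemctl reload nginx
+```
+
+Configurer le certificat SSl :
+```
+certbot --nginx
+```
+
+Mettre beau le fichier `/etc/nginx/sites-enabled/audio.a-lec.org` :
+```
+server
+{
+listen 80;
+listen [::]:80;
+
+server_name audio.a-lec.org;
+
+access_log /var/log/nginx/audio.a-lec.org-access.log;
+error_log /var/log/nginx/audio.a-lec.org-error.log;
+
+return 302 https://$host$request_uri;
+}
+
+server
+{
+set_real_ip_from 192.169.1.1;
+real_ip_header proxy_protocol;
+listen [::]:443 ssl ipv6only=on;
+listen 443 ssl;
+
+server_name audio.a-lec.org;
+
+access_log /var/log/nginx/audio.a-lec.org-access.log;
+error_log /var/log/nginx/audio.a-lec.org-error.log;
+
+ssl_certificate /etc/letsencrypt/live/audio.a-lec.org/fullchain.pem; # managed by Certbot
+ssl_certificate_key /etc/letsencrypt/live/audio.a-lec.org/privkey.pem; # managed by Certbot
+include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+root /var/www/audio.a-lec.org;
+location = /
+{
+index index.xhtml;
+}
+}
+```
+
+Vérifier que c'est bon et recharger :
+```
+nginx -t && systemctl reload nginx
+```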
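Review bot: « Domaine : dns.libre-en-communs.org » under « Caractéristiques notables » contradicts the rest of this page, whose nginx `server_name` is `audio.a-lec.org` throughout; it looks copied from the DNS page and should name this VM's own domain. In the final HTTPS block, `real_ip_header proxy_protocol` is set with `set_real_ip_from 192.169.1.1`, but neither `listen 443 ssl;` nor `listen [::]:443 ssl ipv6only=on;` carries the `proxy_protocol` listen parameter (the GESTION page has `listen 443 ssl http2 proxy_protocol;`); without it nginx does not parse a PROXY header, so the real client address is never recovered and the access log records the front proxy instead — one of the two halves of this config is probably out of date. The `192.169.1.1` trusted address also lies outside the `192.168.0.0/16` network documented on the physical hosts; confirm it is not a typo for `192.168.1.1`.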
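--- /dev/null
+++ b/PATH_NOT_SHOWN_vm_dns
@@ -0,0 +1,33 @@
+## Machine virtuelle DNS
+
+Cette machine est le serveur DNS autorité de l'association.
+
+### Matériel virtuel
+
+CPU : xxx
+RAM : xxx Mio
+Stockage de masse : 10 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+DNS : `bind`
+Mail Transfer Agent : `postfix`
+
+### Caractéristiques notables
+
+Domaine : dns.libre-en-communs.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.242
+Adresse ipv6 publique : 2001:910:1021::242
+
+### Configuration système de fichier partagé en écriture
+
+#### /etc/fstab (extrait)
+<details>
+
+/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw 0 0
+
+</details>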
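--- /dev/null
+++ b/PATH_NOT_SHOWN_vm_generic
@@ -0,0 +1,328 @@
+## Machine virtuelle GENERIC
+
+#### (c'est-à-dire le modèle de toutes les machines virtuelles)
+
+...
+
+### Matériel virtuel
+
+CPU : 1
+RAM : 1000 Mio
+Stockage de masse : 50 Gio (fichier `sparse` i.e les zéros ne sont pas écrits sur le disque)
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Mail Transfer Agent : `postfix`
+
+### Caractéristiques notables
+
+Domaine : dns.libre-en-communs.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.4
+Adresse ipv6 publique : 2001:910:1021::4
+
+### Configuration réseau
+
+#### /etc/network/interfaces
+<details>
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug enp1s0
+iface enp1s0 inet static
+address 192.168.1.4/32
+broadcast 192.168.255.255
+gateway 192.168.0.1
+netmask 255.255.0.0
+
+iface enp1s0 inet6 static
+address 2001:910:1021::4/128
+gateway 2001:910:1021::
+
+</details>
+
+### Configuration SSH
+
+#### /etc/ssh/sshd_config
+<details>
+
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+PrintMotd no
+
+AcceptEnv LANG LC_* GIT_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+Match Group ssh-login
+PasswordAuthentication yes
+
+</details>
+
+#### /etc/hosts.allow
+
+sshd: 192.168.1.0/24, [2001:910:1021::]/48
+
+#### /etc/hosts.deny
+
+sshd: ALL
+
+### Pare-feu
+
+Installation :
+```
+apt-get install ufw
+```
+
+Ouvrir le port SSH :
+```
+ufw allow SSH
+ufw enable
+systemclt enable ufw
+```
+### Configuration SUDO
+
+#### /etc/sudoers
+<details>
+
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL"
+Defaults mail_badpass, insults
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+
+
+</details>
+
+### Configuration MTA
+
+#### /etc/postfix/transport
+
+a-lec.org :
+* discard:
+
+#### /etc/postfix/virtual
+
+@localhost admin@a-lec.org
+@generic.a-lec.org admin@a-lec.org
+
+### Configuration système de fichier partagé
+
+#### /etc/fstab (extrait)
+<details>
+
+tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
+
+</details>
+
+
+### Configurations bashrc
+
+#### /etc/skel/.bashrc (et /home/admin666/.bashrc)
+<details>
+
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+*i*) ;;
+*) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+xterm-color|*-256color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+# We have color support; assume it's compliant with Ecma-48
+# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+# a case would tend to support setf rather than setaf.)
+color_prompt=yes
+else
+color_prompt=
+fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1"
+;;
+*)
+;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+alias ls='ls --color=auto'
+alias dir='dir --color=auto'
+alias vdir='vdir --color=auto'
+
+alias grep='grep --color=auto'
+alias fgrep='fgrep --color=auto'
+alias egrep='egrep --color=auto'
+fi
+
+# colored GCC warnings and errors
+#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
+# some more ls aliases
+alias ll='ls -l'
+alias la='ls -A'
+#alias l='ls -CF'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+. ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+
+</details>
+
+#### /root/.bashrc
+<details>
+
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+# Note: PS1 and umask are already set in /etc/profile. You should not
+# need this unless you want different defaults for root.
+# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
+PS1='\[\033[01;32m\]=(^-^)=${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+# umask 022
+
+# You may uncomment the following lines if you want `ls' to be colorized:
+export LS_OPTIONS='--color=auto'
+# eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
+alias ll='ls $LS_OPTIONS -l'
+alias l='ls $LS_OPTIONS -lA'
+#
+# Some more alias to avoid making mistakes:
+# alias rm='rm -i'
+# alias cp='cp -i'
+# alias mv='mv -i'
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+
+</details>
+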
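Review bot: `systemclt enable ufw` in the « Pare-feu » section is a typo for `systemctl enable ufw` and fails verbatim, so the firewall is not re-enabled at boot if the page is followed as written. « Domaine : dns.libre-en-communs.org » on the template page contradicts the `@generic.a-lec.org` virtual map further down and looks copied from the DNS page. In `/etc/sudoers`, `%sudo ALL=(ALL:ALL) NOPASSWD:ALL` is inherited by every VM built from this template, and the sshd block re-enables `PasswordAuthentication yes` for `Match Group ssh-login`; an account in both groups then goes from password login to unrestricted root with no further check, so a one-line comment stating why passwordless sudo is wanted on the template (or a narrower command list) would record the decision for whoever reviews a VM later.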
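--- /dev/null
+++ b/PATH_NOT_SHOWN_vm_gestion
@@ -0,0 +1,117 @@
+## Machine virtuelle GESTION
+
+Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.
+
+### Matériel virtuel
+
+CPU : 4
+RAM : 3000 Mio
+Stockage de masse : 50 Gio
+
+### Logiciel
+
+Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
+Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
+Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
+Compta et gestion des membres : `garradin`
+Mail Transfer Agent : `postfix`
+
+### Caractéristiques notables
+
+Domaine : gestion.a-lec.org
+Adresse ipv4 publique : 80.67.176.33
+Adresse ipv4 interne : 192.168.1.236
+Adresse ipv6 publique : 2001:910:1021::236
+
+### Configuration serveur web (nginx)
+<details>
+
+server {
+server_name coffre.a-lec.org;
+
+set_real_ip_from 192.169.1.1;
+real_ip_header proxy_protocol;
+
+# Allow large attachments
+client_max_body_size 128M;
+
+location / {
+proxy_pass http://127.0.0.1:8000;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /notifications/hub {
+proxy_pass http://127.0.0.1:3012;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+}
+
+location /notifications/hub/negotiate {
+proxy_pass http://127.0.0.1:8000;
+}
+
+listen 443 ssl http2 proxy_protocol; # managed by Certbot
+listen [::]:443 ssl http2; # managed by Certbot
+ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
+ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
+include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+if ($host = coffre.a-lec.org) {
+return 302 https://$host$request_uri;
+} # managed by Certbot
+
+server_name coffre.a-lec.org;
+
+listen 80;
+return 404; # managed by Certbot
+}
+
+server {
+
+root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
+
+server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
+
+set_real_ip_from 192.169.1.1;
+real_ip_header proxy_protocol;
+
+location / {
+try_files $uri $uri/ /_route.php?$query_string;
+index index.php /_route.php;
+}
+
+location ~ \.php {
+try_files $uri $uri/ /_route.php?$query_string;
+include fastcgi.conf;
+#fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
+fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket
+}
+
+listen 443 ssl proxy_protocol; # managed by Certbot
+listen [::]:443 ssl;
+ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
+ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
+include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+if ($host = gestion.a-lec.org) {
+return 302 https://$host$request_uri;
+} # managed by Certbot
+
+listen 80;
+listen [::]:80;
+
+server_name gestion.a-lec.org;
+return 404; # managed by Certbot
+}
+</details>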
@ -0,0 +1,96 @@
|
|||
## Machine virtuelle GIT
|
||||
|
||||
Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : 2
|
||||
RAM : 4096 Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Forge logicielle : `gitlab-ce`
|
||||
Mail Transfer Agent : `postfix`
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : git.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.131
|
||||
Adresse ipv6 publique : 2001:910:1021::131
|
||||
|
||||
### Configuration serveur web (nginx)
|
||||
<details>
|
||||
|
||||
# GITLAB
|
||||
|
||||
upstream gitlab-workhorse {
|
||||
# On GitLab versions before 13.5, the location is
|
||||
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
|
||||
# accordingly.
|
||||
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
|
||||
}
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
## Either remove "default_server" from the listen line below,
|
||||
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
|
||||
## to be served if you visit any address that your server responds to, eg.
|
||||
## the ip address of the server (http://x.x.x.x/)
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80 ipv6only=on default_server;
|
||||
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
return 302 https://git.a-lec.org$request_uri;
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
}
|
||||
|
||||
## HTTPS host
|
||||
server {
|
||||
set_real_ip_from 192.169.1.1;
|
||||
real_ip_header proxy_protocol;
|
||||
listen 0.0.0.0:443 ssl proxy_protocol;
|
||||
listen [::]:443 ipv6only=on ssl default_server;
|
||||
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
|
||||
|
||||
## [Optional] Enable HTTP Strict Transport Security
|
||||
## HSTS is a feature improving protection against MITM attacks
|
||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
|
||||
location / {
|
||||
client_max_body_size 0;
|
||||
gzip off;
|
||||
|
||||
## https://github.com/gitlabhq/gitlabhq/issues/694
|
||||
## Some requests take more than 30 seconds.
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_redirect off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass http://gitlab-workhorse;
|
||||
}
|
||||
}
|
||||
|
||||
</details>
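Review bot: `set_real_ip_from 192.169.1.1;` together with `real_ip_header proxy_protocol;` in the HTTPS server block lets the realip module trust the PROXY-protocol client address only when the connection comes from 192.169.1.1, which is public address space, whereas this VM and the rest of the commit document the internal network as 192.168.1.0/24 (`Adresse ipv4 interne : 192.168.1.131`). If the front proxy actually sits at 192.168.1.1 the module never rewrites `$remote_addr`, so the `X-Real-IP` and `X-Forwarded-For` headers handed to gitlab-workhorse carry the proxy's address for every visitor, and GitLab's per-IP rate limiting, bans and logs would presumably see a single client; the intended line is most likely `set_real_ip_from 192.168.1.1;`, to be confirmed against the proxy's interface. The same value appears in the coffre/gestion, MAIL, TOOT and WWW sections of this commit and as the /24 in the MAIL `mynetworks`, so whichever way it resolves it should be corrected in all of them together.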
|
|
@ -0,0 +1,163 @@
|
|||
## Machine virtuelle MAIL
|
||||
|
||||
Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : 2
|
||||
RAM : 1000 Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Serveur IMAP (et authentification) : `courier`
|
||||
Mail Transfer Agent : `postfix`
|
||||
Webmail : `roundcube` (**upstream**)
|
||||
Serveur http : `nginx`
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : mail.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.201
|
||||
Adresse ipv6 publique : 2001:910:1021::201
|
||||
|
||||
### Configuration MTA
|
||||
|
||||
<details>
|
||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
\# Debian specific: Specifying a file name will cause the first
|
||||
\# line of that file to be used as the name. The Debian default
|
||||
\# is /etc/mailname.
|
||||
\#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||||
biff = no
|
||||
|
||||
\# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = no
|
||||
|
||||
\# Uncomment the next line to generate "delayed mail" warnings
|
||||
\#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
\# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
||||
\# fresh installs.
|
||||
compatibility_level = 2
|
||||
|
||||
|
||||
|
||||
\# TLS parameters
|
||||
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
|
||||
smtpd_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_auth_only = yes
|
||||
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_loglevel = 1
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
|
||||
smtp_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
|
||||
smtp_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_loglevel = 1
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
|
||||
\# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||||
\# information on enabling SSL in the smtp client.
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
|
||||
smtpd_sender_restrictions = reject_unknown_sender_domain
|
||||
myhostname = mail.a-lec.org
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myorigin = /etc/mailname
|
||||
mydestination = $myhostname, a-lec.org, mail.a-lec.org, localhost, os-k.eu
|
||||
relayhost =
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
home_mailbox = Maildir/
|
||||
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||
mailbox_command =
|
||||
|
||||
\## DKIM
|
||||
smtpd_milters = unix:var/run/opendkim/opendkim.sock
|
||||
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
|
||||
|
||||
\## Ralentissement pour les serveurs problématiques
|
||||
transport_maps = hash:/etc/postfix/transport
|
||||
slow_destination_concurrency_limit = 3
|
||||
slow_destination_rate_delay = 3s
|
||||
|
||||
maximal_queue_lifetime = 1d
|
||||
|
||||
\## Forwarding pour mails du bureau
|
||||
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
|
||||
message_size_limit = 524288000
|
||||
|
||||
smtp_helo_name = $mydomain
|
||||
</details>
|
||||
|
||||
### Configuration serveur web (nginx)
|
||||
<details>
|
||||
|
||||
server {
|
||||
set_real_ip_from 192.169.1.1;
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
listen 443 ssl proxy_protocol;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
root /var/www/html/roundcube;
|
||||
|
||||
server_name mail.a-lec.org;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.php;
|
||||
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ /index.php?q=$uri&$args;
|
||||
}
|
||||
|
||||
# pass PHP scripts to FastCGI server
|
||||
#
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
# # With php-fpm (or other unix sockets):
|
||||
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
||||
# # With php-cgi (or other tcp sockets):
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
|
||||
location ^~ /data {
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
</details>
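Review bot: `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24` grants relaying through `permit_mynetworks` in `smtpd_relay_restrictions` to a public /24, since 192.169.0.0/16 is not RFC 1918 space, while the VMs in this commit are addressed in 192.168.1.0/24 (`Adresse ipv4 interne : 192.168.1.201`). If the prefix is a typo the internal hosts cannot relay through this MTA; if it is not, any sender in that public range can, so the line should presumably read `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24`, after confirming the interface configuration. `smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` and its three sibling lines still admit TLS 1.0 and 1.1 at the Postfix level unless the system-wide OpenSSL configuration imposes a higher floor; `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` is the usual value for the two mandatory variants, with the opportunistic `*_tls_protocols` lines kept looser so that old peers fall back to cleartext less often. In the nginx block, `location ^~ /data { deny all; }` blocks only part of what an upstream Roundcube tree places under `/var/www/html/roundcube`; its `config/`, `temp/` and `logs/` directories need the same `deny all`.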
|
|
@ -0,0 +1,130 @@
|
|||
## Machine virtuelle TOOT
|
||||
|
||||
Cette machine est destinée à accueillir l'instance Mastodon de l'association.
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : 3
|
||||
RAM : 2048 Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Mail Transfer Agent : `postfix`
|
||||
Base do donnée : PostgreSQL
|
||||
Serveur Web: NGINX
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : toot.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.173
|
||||
Adresse ipv6 publique : 2001:910:1021::173
|
||||
|
||||
### Comptes
|
||||
|
||||
Administrateur: admin
|
||||
Modérateurs: neox, echolib
|
||||
Ouverture de compte: tout membre de l'association
|
||||
|
||||
### Visibilité
|
||||
|
||||
Instance publique
|
||||
|
||||
### Configuration serveur web (nginx)
|
||||
<details>
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name toot.a-lec.org;
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl proxy_protocol default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
server_name toot.a-lec.org;
|
||||
|
||||
set_real_ip_from 192.169.1.1;
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
keepalive_timeout 70;
|
||||
sendfile on;
|
||||
client_max_body_size 0;
|
||||
|
||||
root /home/mastodon/live/public;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
location / {
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
|
||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location @proxy {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
proxy_pass_header Server;
|
||||
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
location /api/v1/streaming {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
proxy_pass http://127.0.0.1:4000;
|
||||
proxy_buffering off;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
error_page 500 501 502 503 504 /500.html;
|
||||
}
|
||||
</details>
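Review bot: `add_header Strict-Transport-Security "max-age=31536000";` is only emitted on success and redirect responses, because nginx's `add_header` skips other status codes unless `always` is given, so the page served through `error_page 500 501 502 503 504 /500.html;` goes out without HSTS. `add_header Strict-Transport-Security "max-age=31536000" always;` closes that gap. `ssl_protocols TLSv1.2;` also leaves TLS 1.3 off on this vhost although the Bullseye nginx documented above supports it; `ssl_protocols TLSv1.2 TLSv1.3;` would match what the other vhosts in this commit get from `/etc/letsencrypt/options-ssl-nginx.conf` (current versions of that file enable both), this being the only section that hand-writes its TLS parameters instead of including it.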
|
|
@ -0,0 +1,25 @@
|
|||
## Machine virtuelle TOOTEST
|
||||
|
||||
Cette machine est destinée à accueillir l'instance Mastodon de test.
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : x
|
||||
RAM : xxx Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Mail Transfer Agent : `postfix`
|
||||
Base do donnée : PostgreSQL
|
||||
Serveur Web: NGINX
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : toot.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.232
|
||||
Adresse ipv6 publique : 2001:910:1021::232
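Review bot: `Domaine : toot.a-lec.org` is the same domain the TOOT section documents for the production instance, yet this VM has its own addresses (`192.168.1.232`, `2001:910:1021::232`); that reads as a copy-paste leftover, and the test instance's actual hostname, or a statement that it is reached by internal address only, should be recorded so that certificate and DNS ownership of `toot.a-lec.org` stays unambiguous. `CPU : x` and `RAM : xxx Mio` are unfilled values and should be marked explicitly as to be completed so they remain easy to find.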
|
|
@ -0,0 +1,117 @@
|
|||
## Machine virtuelle WWW
|
||||
|
||||
Cette machine est destinée à accueillir le site web de l'association
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : 1
|
||||
RAM : 1000 Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Mail Transfer Agent : `postfix`
|
||||
Serveur http : `nginx`
|
||||
Gestionnaire FastCGI : `php-fpm` version 7.4
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : www.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.188
|
||||
Adresse ipv6 publique : 2001:910:1021::188
|
||||
|
||||
### Configuration du serveur web (nginx)
|
||||
<details>
|
||||
|
||||
server {
|
||||
set_real_ip_from 192.169.1.1;
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
# SSL configuration
|
||||
#
|
||||
listen 443 ssl proxy_protocol default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
|
||||
root /var/www/html;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/www.a-lec.org/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/www.a-lec.org/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.php;
|
||||
|
||||
server_name www.a-lec.org;
|
||||
|
||||
location /.well-known/host-meta {
|
||||
default_type 'application/xrd+xml';
|
||||
add_header Access-Control-Allow-Origin '*' always;
|
||||
}
|
||||
|
||||
location /.well-known/host-meta.json {
|
||||
default_type 'application/jrd+json';
|
||||
add_header Access-Control-Allow-Origin '*' always;
|
||||
}
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;
|
||||
}
|
||||
|
||||
ssi on;
|
||||
ssi_last_modified on;
|
||||
|
||||
# pass PHP scripts to FastCGI server
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
# With php-fpm (or other unix sockets):
|
||||
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
||||
# With php-cgi (or other tcp sockets):
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name www.a-lec.org;
|
||||
|
||||
return 302 https://www.a-lec.org$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name a-lec.org;
|
||||
|
||||
return 302 https://www.a-lec.org$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl proxy_protocol;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name a-lec.org;
|
||||
|
||||
return 302 https://www.a-lec.org$request_uri;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/a-lec.org-0001/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/a-lec.org-0001/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
</details>
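Review bot: the `www.a-lec.org` HTTPS server block sends no `Strict-Transport-Security` header, unlike the GIT and TOOT vhosts in this commit; `/etc/letsencrypt/options-ssl-nginx.conf` does not add one, so `add_header Strict-Transport-Security "max-age=31536000" always;` belongs next to `server_name www.a-lec.org;` (and, for the apex `a-lec.org` block on 443, alongside its redirect). `ssi on;` is set at server level, so nginx also runs the SSI filter over text/html responses returned by php-fpm through `location ~ \.php$`; if any PHP output reflects user-supplied text, SSI directives embedded in it would be interpreted, so moving `ssi on;` and `ssi_last_modified on;` into the static `location /` block keeps the PHP path out of the filter. In `try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;` the fourth argument appears to be tested as a literal file path, since only the last try_files argument is treated as a URI, so it never matches; directory indexes already come from `index index.html index.htm index.php;`, and the argument can be dropped.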
|
|
@ -0,0 +1,24 @@
|
|||
## Machine virtuelle XMPP
|
||||
|
||||
Cette machine est destinée à accueillir le service XMPP
|
||||
|
||||
### Matériel virtuel
|
||||
|
||||
CPU : 1
|
||||
RAM : 1000 Mio
|
||||
Stockage de masse : 50 Gio
|
||||
|
||||
### Logiciel
|
||||
|
||||
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||||
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||||
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||||
Mail Transfer Agent : `postfix`
|
||||
Serveur XMPP : `ejabberd`
|
||||
|
||||
### Caractéristiques notables
|
||||
|
||||
Domaine : xmpp.a-lec.org
|
||||
Adresse ipv4 publique : 80.67.176.33
|
||||
Adresse ipv4 interne : 192.168.1.211
|
||||
Adresse ipv6 publique : 2001:910:1021::211
|