get configs from mirror

Andrew Wang 2021-09-12 00:22:24 -04:00
parent 7d6a55e2c8
commit 38affd9371
23 changed files with 1382 additions and 0 deletions


@ -0,0 +1,12 @@
make `/mirror/root` dir
this `include/` dir contains files used by the index.html from index
```
include/ ->
/mirror/root/include/
```
```
proftpd.conf ->
/etc/proftpd/proftpd.conf
```

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.1 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 14 KiB


@ -0,0 +1,12 @@
*
* Welcome to the University of Waterloo Computer Science Club Mirror
*
* https://csclub.uwaterloo.ca/
*
* Hardware funded by MEF (https://www.student.math.uwaterloo.ca/~mefcom/)
*
* Admin Contact: systems-committee@csclub.uwaterloo.ca
* Hostname: mirror.csclub.uwaterloo.ca
* IPv4 Address: 129.97.134.71
* IPv6 Address: 2620:101:f000:4901:c5c::f:1055
*


@ -0,0 +1,144 @@
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
UseReverseDNS off
IdentLookups off
# dtbartle - limit resources used by an ftp session
#RLimitCPU session 10
#RLimitMemory session 4096K
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
ServerName "mirror.csclub"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin /include/motd.msg
DisplayChdir .message
ListOptions "-l"
DenyFilter \*.*/
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 49152 65534
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 500
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off
# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_tls.c>
TLSEngine off
</IfModule>
<IfModule mod_quota.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
# A basic anonymous configuration, no upload directories.
<Anonymous /mirror/root>
User ftp
Group nogroup
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on ftp
DirFakeGroup on ftp
RequireValidShell off
# Limit the maximum number of anonymous logins
MaxClients 500
# Limit WRITE everywhere in the anonymous chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
HideFiles "(\\.bak.html|lost\\+found|new-index.html|mirror-rootfs|mirror-highpriority)"
</Directory>
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
</Anonymous>
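Review bot: Nothing in this file limits logins to the anonymous account, so with `TLSEngine off` any system account that ProFTPD will authenticate can log in with its password sent in clear text, outside the `/mirror/root` chroot and with `AllowOverwrite on` in effect. Unless this is already restricted somewhere not shown here (modules.conf, PAM, /etc/ftpusers), a server-level `<Limit LOGIN>` deny with an allow inside `<Anonymous>` makes the server anonymous-only, as sketched below. Separately, the comment above `MaxInstances 500` still says the limit is 30, and should be updated to match the value.

```apacheconf
# server context, before the <Anonymous> block
<Limit LOGIN>
  DenyAll
</Limit>

<Anonymous /mirror/root>
  # … unchanged: User, Group, UserAlias, DirFake*, RequireValidShell, MaxClients …
  <Limit LOGIN>
    AllowAll
  </Limit>
  # … unchanged: <Directory *> write restrictions …
```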


@ -0,0 +1,9 @@
```
csc-mirror ->
/etc/cron.d/csc-mirror
```
make the `/home/mirror` dir
```
mirror-index/ ->
/home/mirror/mirror-index/
```


@ -0,0 +1,30 @@
# /etc/cron.d/csc-mirror: mirror cron jobs
MAILTO=ztseguin@csclub.uwaterloo.ca
# m h dom mon dow user command
# UPS Health
* * * * * mirror /usr/bin/flock -w 0 /tmp/ups-status.lock /bin/bash -c "/usr/local/bin/ups-status >/mirror/root/ups 2>/dev/null" 2>/dev/null
# reprepro incoming
*/10 * * * * root /srv/debian/bin/rrr-incoming cron
# reprepro mirroring
5 */4 * * * root /srv/debian/bin/rrr-update cron
# regenerate mirror index at 5:40 am on 14th & 28th of every month
# feel free to run this manually if you've added or removed an
# archive or some such thing
#
# Documented here: http://wiki.csclub.uwaterloo.ca/Mirror#Index
#
# ztseguin - temporarilly disabled until script can be updated to handle symlink farm
# 40 5 */14 * * mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py
#30 3 * * 0 mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py
# Update index hourly
0 * * * * mirror cd /home/mirror/mirror-index && /home/mirror/mirror-index/make-index.py
0 * * * * mirror /home/mirror/bin/zfssync csclub >/home/mirror/merlin/logs/zfssync-csclub 2>/dev/null
0 * * * * mirror /home/mirror/bin/zfssync wics >/home/mirror/merlin/logs/zfssync-wics 2>/dev/null
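Review bot: The UPS health job takes its lock at `/tmp/ups-status.lock`, a fixed name in a world-writable directory, so any local account can hold that lock. Because of `-w 0` and the two `2>/dev/null` redirections, the job then skips every run without reporting anything. Keeping the lock file in a directory that only the `mirror` user can write (for example under `/home/mirror`, which the README in this commit creates) removes that dependency. The two `root` jobs execute scripts from `/srv/debian/bin`, and this page does not show that directory's ownership, so it is worth confirming that the directory and the scripts are writable by root only. `MAILTO` also points at one person's address rather than the `systems-committee` alias used elsewhere in this commit.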


@ -0,0 +1,299 @@
docroot: /mirror/root
duflags: --max-depth=0 --dereference-args --exclude=/mirror/root/pub
output: /mirror/root/index.html
exclude:
- include
- lost+found
- pub
- uw-courseware
- wics
- mirror-rootfs
- mirror-highpriority
- ups
directories:
alpine:
site: alpinelinux.org
url: https://alpinelinux.org/
almalinux:
site: almalinux.org
url: https://almalinux.org
apache:
site: apache.org
url: https://www.apache.org/
archlinux:
site: archlinux.org
url: https://www.archlinux.org/
centos:
site: centos.org
url: https://www.centos.org/
ceph:
site: ceph.io
url: https://ceph.io
CPAN:
site: cpan.org
url: https://www.cpan.org/
CRAN:
site: r-project.org
url: https://cran.r-project.org/
csclub:
site: csclub.uwaterloo.ca
url: https://csclub.uwaterloo.ca/media/
CTAN:
site: ctan.org
url: https://www.ctan.org/
cygwin:
site: cygwin.com
url: https://www.cygwin.com/
damnsmalllinux:
site: damnsmalllinux.org
url: https://www.damnsmalllinux.org/
debian:
site: debian.org
url: https://www.debian.org/
debian-backports:
site: backports.debian.org
url: https://backports.debian.org/
debian-cd:
site: debian.org
url: https://www.debian.org/CD/
debian-multimedia:
site: debian-multimedia.org
url: https://www.debian-multimedia.org/
debian-ports:
site: debian-ports.org
url: https://www.debian-ports.org/
debian-security:
site: debian.org
url: https://www.debian.org/security/
debian-volatile:
site: debian.org
url: https://www.debian.org/volatile/
eclipse:
site: eclipse.org
url: https://www.eclipse.org/
emacsconf:
site: emacsconf.org
url: https://emacsconf.org
# this is no longer a project
# emdebian:
# site: emdebian.org
# url: https://www.emdebian.org/
fedora:
site: fedoraproject.org
url: https://www.fedoraproject.org/
FreeBSD:
site: freebsd.org
url: https://www.freebsd.org/
gentoo-distfiles:
site: gentoo.org
url: https://www.gentoo.org/
gentoo-portage:
site: gentoo.org
url: https://www.gentoo.org/
gnome:
site: gnome.org
url: https://www.gnome.org/
gnu:
site: gnu.org
url: https://www.gnu.org/
gutenberg:
site: gutenberg.org
url: https://www.gutenberg.org/
kali:
site: kali.org
url: https://www.kali.org/
kali-images:
site: kali.org
url: https://www.kali.org/
kde:
site: kde.org
url: https://www.kde.org/
kde-applicationdata:
site: kde.org
url: https://www.kde.org/
kernel.org:
site: kernel.org
url: https://www.kernel.org/
linuxmint:
site: linuxmint.com
url: https://www.linuxmint.com/
linuxmint-packages:
site: linuxmint.com
url: https://www.linuxmint.com/
MacPorts:
site: macports.org
url: https://www.macports.org/
mozdev:
site: mozdev.org
url: https://www.mozdev.org/
mozilla.org:
site: mozilla.org
url: https://www.mozilla.org/
mysql:
site: mysql.com
url: https://www.mysql.com/
nongnu:
site: nongnu.org
url: https://savannah.nongnu.org/
openoffice:
site: openoffice.org
url: https://www.openoffice.org/
opensuse:
site: opensuse.org
url: https://www.opensuse.org/
OpenBSD:
site: openbsd.org
url: https://www.openbsd.org/
puppylinux:
site: puppylinux.org
url: https://puppylinux.org/
qtproject:
site: qt-project.org
url: https://qt-project.org/
racket:
site: racket-lang.org
url: https://racket-lang.org/
sage:
site: sagemath.org
url: https://www.sagemath.org/
saltstack:
site: saltstack.com
url: https://saltstack.com/
slackware:
site: slackware.com
url: https://www.slackware.com/
tdf:
site: documentfoundation.org
url: https://www.documentfoundation.org/
ubuntu:
site: ubuntu.com
url: https://www.ubuntu.com/
ubuntu-ports:
site: ports.ubuntu.com
url: http://ports.ubuntu.com/ubuntu-ports/
ubuntu-ports-releases:
site: ports.ubuntu.com
url: https://cdimage.ubuntu.com/releases/
ubuntu-releases:
site: releases.ubuntu.com
url: https://releases.ubuntu.com/
vlc:
site: videolan.org
url: https://videolan.org/
xiph:
site: xiph.org
url: https://xiph.org/
x.org:
site: x.org
url: https://www.x.org/
xubuntu-releases:
site: xubuntu.org
url: https://www.xubuntu.org/
NetBSD:
site: netbsd.org
url: https://www.netbsd.org/
pkgsrc:
site: pkgsrc.org
url: https://pkgsrc.org/
raspberrypi:
site: raspberrypi.org
url: https://www.raspberrypi.org/
raspbian:
site: raspbian.org
url: https://www.raspbian.org/
ipfire:
site: ipfire.org
url: https://www.ipfire.org/
manjaro:
site: manjaro.org
url: https://manjaro.org/
scientific:
site: scientificlinux.org
url: https://www.scientificlinux.org/
mxlinux:
site: mxlinux.org
url: https://mxlinux.org
mxlinux-iso:
site: mxlinux.org
url: https://mxlinux.org
parabola:
site: parabola.nu
url: https://www.parabola.nu/
hyperbola:
site: hyperbola.info
url: https://www.hyperbola.info/
trisquel:
site: trisquel.info
url: https://trisquel.info/


@ -0,0 +1,43 @@
img {
border: none;
}
html {
margin:0.5ex;
font-family: sans-serif;
font-size: 110%;
}
p {
margin: 1ex 0;
}
table {
border-collapse: collapse;
text-align: left;
width: 100%;
}
td {
border-top: 1px solid #aaa;
}
th, td {
padding: .4ex 2em .4ex 0;
}
h1 {
font-size: 110%;
}
#logo {
width: 100%;
text-align: center;
margin-bottom:1em;
}
#footer {
margin: 2em auto 0 auto;
width: 75%;
font-size: 70%;
text-align: center;
}
body {
max-width: 40em;
margin-top:0;
padding-top:0;
}
tr :last-child { text-align: right; }


@ -0,0 +1,49 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="stylesheet" type="text/css" href="index.css" />
<title>Computer Science Club Mirror</title>
</head>
<body>
<div id="logo">
<a href="/"><img src="/include/header.png" alt="Computer Science Club Mirror - The University of Waterloo - Funded by MEF" title="Computer Science Club Mirror - The University of Waterloo - Funded by MEF" /></a>
</div>
<div id="listing">
<table>
<tr><th>Directory</th><th>Project Site</th><th>Size</th></tr>
% for dir in directories:
<tr>
<td>
${h.link_to(dir['dir']+'/', '/'+dir['dir']+'/')}
</td>
<td>
% if 'site' in dir:
${h.link_to(dir['site'], dir['url'])}
% endif
</td>
<td>${dir['size'] | h}</td>
</tr>
% endfor \
<tr class="total">
<td>Total</td>
<td></td>
<td>${total_size}</td>
</tr>
</table>
</div>
<div id="footer">
<p>This service is run by the <a href="https://csclub.uwaterloo.ca/">Computer Science Club of the University of Waterloo</a>.<br />It is made possible by funding from the <a href="https://uwaterloo.ca/math-endowment-fund/">Mathematics Endowment Fund</a><br />and support from the <a href="https://cs.uwaterloo.ca">David R. Cheriton School of Computer Science</a>.</p>
<p>Report an issue or request we mirror a project by contacting <a href="mailto:systems-committee@csclub.uwaterloo.ca">systems-committee@csclub.uwaterloo.ca</a>.</p>
<p>Generated (local time): ${generated.strftime("%Y-%m-%d %-I:%M%p")}</p>
</div>
</body>
</html>
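Review bot: `${total_size}` in the totals row is emitted without the `| h` filter that `${dir['size'] | h}` uses a few lines above, so escaping in this template depends on every expression remembering the filter. The value currently comes from `reformat_size()` in make-index.py, so this is a consistency point rather than a live problem. `<td>${total_size | h}</td>` would match the rest of the table. Alternatively, the `Template(...)` call in make-index.py could set a default escape filter so that new expressions are escaped unless they opt out.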


@ -0,0 +1,231 @@
#!/usr/bin/env python2
"""make-index.py
Generates an nice index of the directories from a
template.
Original Author: Jeremy Roman <jbroman@csclub.uwaterloo.ca>
Modified by: Zachary Seguin <ztseguin@csclub.uwaterloo.ca>
So if you don't like how I did something,
I'm the person you get to complain to.
Please be gentle.
"""
import os, sys, time
from subprocess import Popen, PIPE
from optparse import OptionParser
import yaml, mako.exceptions, webhelpers.html.tags
from mako.template import Template
import humanize
import datetime
def parse_size(s):
if s.endswith("T"):
return float(s[:-1])*1000*1000*1000*1000
elif s.endswith("G"):
return float(s[:-1])*1000*1000*1000
elif s.endswith("M"):
return float(s[:-1])*1000*1000
elif s.endswith("K"):
return float(s[:-1])*1000
return float(size)
def reformat_size(size):
return humanize.naturalsize(size)
def atomic_write(filename, body):
"""Atomically write to a file by writing a
temporary file and then moving it to replace
the desired output file.
This ensures that partial files are never seen
by clients."""
# generate an appropriate temporary filename
# in the same directory
tmp_filename = "%s.%d.tmp" % (filename, os.getpid())
# open the directory so that we can fsync it
dir = os.open(os.path.realpath(os.path.dirname(filename)), \
os.O_DIRECTORY | os.O_RDONLY)
# write to the temporary file
tmp = open(tmp_filename, 'w')
print >>tmp, body
tmp.flush()
os.fsync(tmp.fileno())
tmp.close()
# atomically replace the actual file
os.rename(tmp_filename, filename)
os.fsync(dir)
os.close(dir)
def main():
# accept command-line arguments
parser = OptionParser()
parser.add_option("-c", "--config", dest="config", default="config.yaml",
help="configuration file to be used", metavar="FILE")
parser.add_option("-D", "--docroot", dest="docroot",
help="directory to be scanned", metavar="DIR")
parser.add_option("-F", "--duflags", dest="duflags",
help="flags to be passed to du, replaces any in config")
parser.add_option("-o", "--output", dest="output", metavar="FILE",
help="file to which index page will be written. "
"Use /dev/stdout to send to standard out.")
parser.add_option("-t", "--template", dest="template",
help="Mako template to render", metavar="FILE")
parser.add_option("--nonatomic", dest="nonatomic", action="store_true",
default=False, help="write the output to the path "
"given without creating a temporary file in between. "
"This is automatically set if the output appears "
"to be a character device, not a file.")
(options, args) = parser.parse_args()
# load config file
try:
config = yaml.load(file(options.config,'r'), Loader=yaml.FullLoader)
except:
config = None
if not config or type(config) != dict:
print >>sys.stderr, "Unable to load configuration '%s'." % options.config
sys.exit(-1)
# determine important variables based on an appropriate order of
# precedence (command-line flags first, then the config file,
# then built-in fallbacks)
#
# fallback value for nonatomic is used so that character devices
# (e.g. /dev/stdout, /dev/null) are written to in the regular way
docroot = options.docroot or config.get('docroot')
duflags = options.duflags or config.get('duflags') or "-h --max-depth=1 --exclude='.~tmp~'"
output = options.output or config.get('output')
template = options.template or config.get("template") or "index.mako"
nonatomic = options.nonatomic or config.get("nonatomic") or \
(os.path.exists(output) and not os.path.isfile(output))
# sanity checks
if not docroot:
print >>sys.stderr, "docroot not specified."
print >>sys.stderr, "Define it in the config file or pass -D on the command line."
sys.exit(-1)
elif not output:
print >>sys.stderr, "output not specified."
print >>sys.stderr, "Define it in the config file or pass -o on the command line."
elif not config.get('directories'):
print >>sys.stderr, "directories not specified."
print >>sys.stderr, "Define it in the config file."
sys.exit(-1)
elif not os.path.isdir(docroot):
print >>sys.stderr, "docroot '%s' not found or not a directory." % docroot
sys.exit(-1)
elif not os.path.exists(template) or os.path.isdir(template):
print >>sys.stderr, "template '%s' not found or is a directory." % template
sys.exit(-1)
generated = datetime.datetime.now()
directories = []
total_size = 0.0
ls = os.listdir(docroot)
for item in ls:
if item == "pub":
continue
path = os.path.join(docroot, item)
# If symlink, then this is a project
if os.path.islink(path):
dataset = os.readlink(path)[1:]
# Get the disk space used by that dataset
du = Popen(
"/usr/bin/sudo /sbin/zfs get -H -o value used %s" % dataset,
shell=True, stdout=PIPE, stderr=PIPE).communicate()
size = "-"
if len(du[1].strip()) > 0:
sys.stderr.write(du[1])
print >>sys.stderr, "zfs get terminated unsuccessfully for %s" % item
continue
else:
size = parse_size(du[0].strip())
total_size += size
info = {'dir':item, 'size':reformat_size(size)}
# use info from config.yaml, if found
# otherwise, skip this directory
if item in config['exclude']:
continue
elif item in config['directories']:
info.update(config['directories'][item])
else:
info.update({ 'site': '', 'url': '' })
directories.append(info)
# Sort the directories
directories.sort(key=lambda d : d['dir'].lower())
# Call du to compute size
#du = Popen(
# "/usr/bin/du %s/* %s | /usr/bin/sort -fk2" % (docroot, duflags),
# shell=True, stdout=PIPE, stderr=PIPE).communicate()
# du = []
# Check that du executed successfully
# If there's anything on stderr, send it
# out our own stderr and terminate.
#if len(du[1].strip()) > 0:
# sys.stderr.write(du[1])
# print >>sys.stderr, "du terminated unsuccessfully. Not generating index."
# sys.exit(-1)
# first one should be total, grab its size and format
#du = du[0].splitlines() # we only care about stdout now
#total_size = reformat_size(du[0].split(None,2)[0])
# the rest are the sizes we want
# directories = []
# total_size = 0
# for line in du:
# (size, path) = line.split(None, 2)
# dir = os.path.basename(path)
# total_size += int(size)
# info = {'dir':dir, 'size':reformat_size(int(size))}
# use info from config.yaml, if found
# otherwise, skip this directory
# if dir in config['exclude'] or not os.path.isdir(path):
# continue
# elif dir in config['directories']:
# info.update(config['directories'][dir])
# else:
# info.update({ 'site': '', 'url': '' })
# directories.append(info)
# render the template to a string
body = Template(filename=template).render(
total_size=reformat_size(total_size),
directories=directories,
generated=generated,
config=config,
h=webhelpers.html.tags)
# write the rendered output
if nonatomic:
print >>file(output,'w'), body
else:
atomic_write(output, body)
if __name__ == "__main__":
main()
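Review bot: In `main()`, the symlink target returned by `os.readlink(path)[1:]` is interpolated into a command string and run with `shell=True` behind `sudo`, so whatever can create a symlink under `docroot` controls text the shell interprets. Passing an argument list avoids the shell entirely: `Popen(["/usr/bin/sudo", "/sbin/zfs", "get", "-H", "-o", "value", "used", dataset], stdout=PIPE, stderr=PIPE)`. The matching sudoers rule, not shown here, should permit only that `zfs get` form. In `parse_size()`, the fall-through `return float(size)` refers to a name that does not exist in that function and will raise `NameError` for any value without a T/G/M/K suffix; it should be `return float(s)`. `yaml.load(..., Loader=yaml.FullLoader)` can be `yaml.safe_load(...)`, since the config is a plain mapping. The `elif not output:` branch prints its error but never calls `sys.exit(-1)`.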


@ -0,0 +1,22 @@
Will not copy ssl certs (dev env will not support ssl?)
```
mime.types ->
/etc/nginx/mime.types
```
```
nginx.conf ->
/etc/nginx/nginx.conf
```
```
includes/ ->
/etc/nginx/includes/
```
```
sites-available/ ->
/etc/nginx/sites-available/
```
To enable the sites
```
ln -s /etc/nginx/sites-available/debian.conf /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/mirror.conf /etc/nginx/sites-enabled/
```


@ -0,0 +1,17 @@
server_name ca.ceph.com;
access_log /var/log/nginx/access.ceph.log;
root /mirror/root/ceph;
index index.html;
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex on;
autoindex_exact_size off;
}
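Review bot: The ACME location and its `alias` are both written without a trailing slash, so the prefix also matches URIs such as `/.well-known/acme-challenge-x` and maps them to sibling names beside `/var/www/dehydrated`. This is low risk because only paths that begin with that directory name are reachable. Writing both with a trailing slash confines the mapping to the challenge directory: `location ^~ /.well-known/acme-challenge/ { alias /var/www/dehydrated/; }`.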


@ -0,0 +1,12 @@
server_name debian.csclub.uwaterloo.ca debian.csclub debian;
root /srv/debian/www;
index index.html;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex on;
autoindex_exact_size off;
}


@ -0,0 +1,56 @@
server_name _;
root /mirror/root;
index index.html;
autoindex on;
autoindex_exact_size off;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# Server status
location /server-status {
stub_status on;
allow 127.0.0.1;
allow ::1;
allow 129.97.134.0/24;
allow 129.97.31.128/26;
allow 2620:101:f000:4901::/64;
allow 2620:101:f000:4902::/64;
deny all;
}
# Statistics
location ~ /stats/(?<ndpath>.*) {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://[::1]:19999/$ndpath$is_args$args;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
}
location = /stats {
return 301 /stats/;
}
# On behalf of WiCS, redirect all files
# from sarah_sharp to sage_sharp
location ~ /wics/sarah_sharp_(?<file>.*) {
return 301 /wics/sage_sharp_$file;
}
# Ceph has a special access log
location /ceph {
access_log /var/log/nginx/access.ceph.log;
}
# Removed projects
location ^~ /kali {return 410;}
location ^~ /kali-images {return 410;}
location ^~ /hyperbola {return 410;}


@ -0,0 +1,11 @@
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/private/dhparam.pem;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 129.97.134.4 129.97.18.20 [2620:101:f000:4901:c5c::4] [2620:101:f000:7300:c5c::20] valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;


@ -0,0 +1,13 @@
server_name ca.releases.ubuntu.com;
root /mirror/root/ubuntu-releases;
index index.html;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
autoindex on;
autoindex_exact_size off;
}


@ -0,0 +1,89 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}


@ -0,0 +1,101 @@
user www-data;
worker_processes 17;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
##
# Basic Settings
##
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type text/plain;
##
# SSL Settings
##
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Open File Cache
#
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
##
# File
##
output_buffers 1 1m;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
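Review bot: `ssl_protocols TLSv1.2;` in the `http` block disagrees with `ssl_protocols TLSv1.2 TLSv1.3;` in includes/ssl.conf from the same commit, and its comment (`Dropping SSLv3, ref: POODLE`) no longer describes the setting. Which value applies depends on whether a server block pulls in ssl.conf, so a TLS server added later without that include would silently lose TLS 1.3. Keep the protocol list in one place, either by deleting this line and `ssl_prefer_server_ciphers` here or by making both files identical, and reword the comment to state the minimum version that is intended. `server_tokens off;` is still commented out, and enabling it would stop the version string from appearing in responses and autoindex pages.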


@ -0,0 +1,17 @@
server {
listen 80;
listen [::]:80;
include includes/csc-debian.conf;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt;
ssl_certificate_key /etc/ssl/private/csclub-wildcard.key;
include includes/ssl.conf;
include includes/csc-debian.conf;
}
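Review bot: The 443 server block references `/etc/ssl/private/csclub-wildcard-chain.crt` and its key, and includes ssl.conf, which needs `/etc/ssl/private/dhparam.pem`, while the nginx README in this commit says the certificates will not be copied. nginx refuses to load a configuration whose certificate files are missing, so enabling this site as the README instructs will fail in the dev environment; the TLS blocks in sites-available/mirror.conf have the same dependency. Either document a step that generates throwaway dev certificates and DH parameters at those paths, or split the TLS server blocks into a separate file that the dev setup does not link into `sites-enabled/`. Private keys should stay out of the repository either way.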


@ -0,0 +1,80 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}


@ -0,0 +1,91 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}


@ -0,0 +1,44 @@
server {
listen 80 default_server reuseport;
listen [::]:80 default_server reuseport;
include includes/mirror.conf;
}
server {
listen 443 ssl default_server reuseport;
listen [::]:443 ssl default_server reuseport;
ssl_certificate /etc/ssl/private/csclub-wildcard-chain.crt;
ssl_certificate_key /etc/ssl/private/csclub-wildcard.key;
include includes/ssl.conf;
include includes/mirror.conf;
}
# ca.releases.ubuntu.com
server {
listen 80;
listen [::]:80;
include includes/ubuntu.conf;
}
# ca.ceph.com
server {
listen 80;
listen [::]:80;
include includes/ceph.conf;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/dehydrated/certs/ca.ceph.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/ca.ceph.com/privkey.pem;
include includes/ssl.conf;
include includes/ceph.conf;
}