diff --git a/.task/checksum/f2b b/.task/checksum/f2b new file mode 100644 index 0000000..834d4a8 --- /dev/null +++ b/.task/checksum/f2b @@ -0,0 +1 @@ +6a228d1f7a874abb131df909a27910f4 diff --git a/.task/checksum/mailu b/.task/checksum/mailu new file mode 100644 index 0000000..4b632cb --- /dev/null +++ b/.task/checksum/mailu @@ -0,0 +1 @@ +1e5b6349bfe1b1bef4c2859219c92b11 diff --git a/Taskfile.yml b/Taskfile.yml index 67e5224..b296622 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -7,24 +7,14 @@ tasks: - if command -v task; then task -l else go-task -l; fi silent: true - install: - desc: Install software - cmds: - - mkdir -p ~/.local/bin - - stat ~/.local/bin/task > /dev/null || cp go-task/task ~/.local/bin - - sudo cp go-task/task.bash /etc/bash_completion.d - - sudo cp zerotier/zerotier.repo /etc/yum.repos.d - - sudo cp zerotier/zt-gpg-key /etc/pki/rpm-gpg - - sudo cp docker/docker-ce.repo /etc/yum.repos.d - - sudo rpm-ostree install --idempotent fail2ban zerotier-one docker-compose-plugin - folders: desc: Make folders for server cmds: - - sudo mkdir -p /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_} - - sudo chmod 700 /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_} - - sudo chown 1000 /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_} - - cp -rn * /srv/server + - sudo mkdir -p ../{config,backup,srvtls} + - sudo chmod 700 ../{config,backup,srvtls,server} + - sudo chown 1000 ../{config,backup,srvtls,server} + preconditions: + - sh: "test ${PWD##*/} = 'server'" status: desc: Server Status @@ -35,9 +25,9 @@ tasks: f2bs: cmds: - - #sudo fail2ban-client get sshd banip --with-time + - sudo fail2ban-client get sshd banip --with-time - sudo fail2ban-client get bad-auth banip --with-time - - df + - tail -n 20 /var/log/fail2ban.log preconditions: - sh: 'command -v fail2ban-client' 
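Review bot: The new `folders` precondition `test ${PWD##*/} = 'server'` checks only the basename of the working directory and leaves `${PWD##*/}` unquoted, so any directory called `server` passes and a path containing whitespace breaks the test before `sudo chmod 700 ../{…}` and `sudo chown 1000 ../{…}` run against that directory's siblings. Quote it and tie it to the checkout: `- sh: 'test "${PWD##*/}" = server -a -f Taskfile.yml'`. The bare `1000` in `chown` is presumably the service-account UID; giving it a `vars:` name with a one-line comment would make the intent visible to whoever deploys on a host where the first user is not 1000.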
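Review bot: `tail -n 20 /var/log/fail2ban.log` in the `f2bs` task runs without `sudo`, unlike the two `fail2ban-client` lines above it; fail2ban's log file is normally not world-readable, so this line will most likely fail with a permission error, and on a journal-only host (the rpm-ostree/CoreOS target the removed `install` task pointed at) the file may not exist at all. Prefer `- sudo journalctl -u fail2ban -n 20 --no-pager`, or `- sudo tail -n 20 /var/log/fail2ban.log` where the file is known to exist.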
@@ -54,21 +44,24 @@ tasks: - sudo systemctl enable --now fail2ban - sudo cp mailu-f2b/fail2ban-bad-auth-filter.conf /etc/fail2ban/filter.d/bad-auth.conf - sudo cp mailu-f2b/fail2ban-bad-auth-jail.conf /etc/fail2ban/jail.d/bad-auth.conf + - sudo cp mailu-f2b/fail2ban-sshd-jail.conf /etc/fail2ban/jail.d/sshd.conf - sudo cp mailu-f2b/fail2ban-docker-action.conf /etc/fail2ban/action.d/docker-action.conf - sudo mkdir -p /etc/systemd/system/fail2ban.service.d - sudo cp mailu-f2b/fail2ban-override.conf /etc/systemd/system/fail2ban.service.d/override.conf - sudo sudo systemctl daemon-reload - sudo systemctl restart fail2ban sources: - - fmailu-f2b/ail2ban-bad-auth-filter.conf - - fmailu-f2b/ail2ban-bad-auth-jail.conf - - fmailu-f2b/ail2ban-docker-action.conf - - fmailu-f2b/ail2ban-override.conf + - mailu-f2b/fail2ban-bad-auth-filter.conf + - mailu-f2b/fail2ban-bad-auth-jail.conf + - mailu-f2b/fail2ban-sshd-jail.conf + - mailu-f2b/fail2ban-docker-action.conf + - mailu-f2b/fail2ban-override.conf generates: - /etc/fail2ban/filter.d/bad-auth.conf - /etc/fail2ban/jail.d/bad-auth.conf + - /etc/fail2ban/jail.d/sshd.conf - /etc/fail2ban/action.d/docker-action.conf - /etc/systemd/system/fail2ban.service.d/override.conf preconditions: - - sh: 'commmand -v fail2ban-server' + - sh: 'command -v fail2ban-server' diff --git a/cockpit/install-debian.sh b/cockpit/install-debian.sh new file mode 100755 index 0000000..2aaf212 --- /dev/null +++ b/cockpit/install-debian.sh 
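Review bot: `sudo systemctl restart fail2ban` at the end of the `f2b` task is unconditional, so a syntax error in any of the five copied files (this hunk adds a sixth copy, `jail.d/sshd.conf`) leaves fail2ban stopped and the host unprotected without the task reporting failure. Run the dry-run config check before the restart, `- sudo fail2ban-client -t`, so a broken jail aborts the task instead of silently disabling the service. The pre-existing context line `sudo sudo systemctl daemon-reload` is harmless but the doubled `sudo` is presumably a typo worth fixing while here. The task's `f2b:`/`desc:` header lines lie above the hunk.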
@@ -0,0 +1,18 @@
+#!/bin/bash
+. /etc/os-release
+echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
+ /etc/apt/sources.list.d/backports.list
+apt update
+apt install -t ${VERSION_CODENAME}-backports cockpit
+exit
+
+ROOT="_cpt_"
+HOST="z-$(hostname)"
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me https://${HOST}.cherished.me wss://${HOST}.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/${ROOT}
+EOT
+sudo systemctl restart cockpit.socket
diff --git a/cockpit/install-fedora.sh b/cockpit/install-fedora.sh
new file mode 100755
index 0000000..ce1426b
--- /dev/null
+++ b/cockpit/install-fedora.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/cpt-$(hostname)
+EOT
+
+sudo systemctl restart cockpit.socket
diff --git a/cockpit/install-ubuntu.sh b/cockpit/install-ubuntu.sh
new file mode 100755
index 0000000..aec36b1
--- /dev/null
+++ b/cockpit/install-ubuntu.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+. /etc/os-release
+sudo apt install -t ${VERSION_CODENAME}-backports cockpit
+exit
+
+ROOT="_cpt_"
+HOST="z-$(hostname)"
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me https://${HOST}.cherished.me wss://${HOST}.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/${ROOT}
+EOT
+sudo systemctl restart cockpit.socket
diff --git a/docker/docker-ce.repo b/coreos/docker-ce.repo
similarity index 100%
rename from docker/docker-ce.repo
rename to coreos/docker-ce.repo
diff --git a/coreos/install.sh b/coreos/install.sh
new file mode 100644
index 0000000..91a502a
--- /dev/null
+++ b/coreos/install.sh
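Review bot: The bare `exit` after `apt install -t ${VERSION_CODENAME}-backports cockpit` in `cockpit/install-debian.sh` ends the script, so the `cockpit.conf` heredoc and the `cockpit.socket` restart below it are dead code; if the intent is a two-stage run, say so in a comment (`# exit here on first run; re-run after reboot to configure`) or split the file, otherwise remove the `exit`. The first half also calls `apt` directly (must be root) while the second half uses `sudo tee`, so it is unclear which user the script expects. Once the config does apply, `ProtocolHeader = X-Forwarded-Proto` makes cockpit trust that header from whoever reaches port 9090, so the socket must only be reachable from the reverse proxy (firewall rule or `ListenStream` bound to the proxy-facing address) — a comment stating that assumption next to the line would help.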
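Review bot: `cockpit/install-fedora.sh` writes `UrlRoot=/cpt-$(hostname)` and an `Origins` list without the `z-<hostname>.cherished.me` entries, while the Debian and Ubuntu scripts use `UrlRoot=/${ROOT}` with `ROOT="_cpt_"` plus per-host origins, so one reverse-proxy configuration cannot front all three hosts; presumably one layout is stale. If the divergence is deliberate, document it with a comment above the heredoc; otherwise share the same `ROOT`/`HOST` pair. As in the other variants, `ProtocolHeader = X-Forwarded-Proto` is only safe when cockpit is not reachable except through the proxy that sets the header.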
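Review bot: `cockpit/install-ubuntu.sh` has the same unconditional `exit` right after `sudo apt install -t ${VERSION_CODENAME}-backports cockpit`, so the configuration block never runs; either comment the two-phase intent or drop the line. The `apt install` has no `-y`, so the script blocks on a prompt when run unattended, and `${VERSION_CODENAME}` is unquoted. A `set -eu` before `. /etc/os-release` would make a missing codename fail loudly rather than pass `-t -backports` to apt.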
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sudo cp zerotier/zerotier.repo /etc/yum.repos.d \
+sudo cp zerotier/zt-gpg-key /etc/pki/rpm-gpg \
+sudo cp docker/docker-ce.repo /etc/yum.repos.d \
+sudo rpm-ostree install --idempotent fail2ban zerotier-one docker-compose-plugin \
+
diff --git a/zerotier/zerotier.repo b/coreos/zerotier.repo
similarity index 100%
rename from zerotier/zerotier.repo
rename to coreos/zerotier.repo
diff --git a/zerotier/zt-gpg-key b/coreos/zt-gpg-key
similarity index 100%
rename from zerotier/zt-gpg-key
rename to coreos/zt-gpg-key
diff --git a/docker/install-debian.sh b/docker/install-debian.sh
new file mode 100755
index 0000000..371ca0e
--- /dev/null
+++ b/docker/install-debian.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+sudo apt-get remove docker docker-engine docker.io containerd runc
+sudo apt-get update
+sudo apt-get install -y \
+ ca-certificates \
+ curl \
+ gnupg \
+ lsb-release
+sudo mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
diff --git a/docker/install-fedora.sh b/docker/install-fedora.sh
new file mode 100755
index 0000000..024db6f
--- /dev/null
+++ b/docker/install-fedora.sh
@@ -0,0 +1,17 @@
+sudo dnf remove docker \
+ docker-client \
+ docker-client-latest \
+ docker-common \
+ docker-latest \
+ docker-latest-logrotate \
+ docker-logrotate \
+ docker-selinux \
+ docker-engine-selinux \
+ docker-engine
+sudo dnf -y install dnf-plugins-core
+ sudo dnf config-manager \
+ --add-repo \
+ https://download.docker.com/linux/fedora/docker-ce.repo
+
+sudo dnf install docker-ce docker-ce-cli containerd.io docker-compose-plugin
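Review bot: Every line of `coreos/install.sh` ends in `\`, so the shell joins the whole file into one command — a single `sudo cp zerotier/zerotier.repo /etc/yum.repos.d sudo cp zerotier/zt-gpg-key … docker-compose-plugin` whose last argument is not a directory — which fails, so neither the repo files, the signing key nor `rpm-ostree install` are ever applied. The paths are also stale: this same commit renames `zerotier/zerotier.repo`, `zerotier/zt-gpg-key` and `docker/docker-ce.repo` into `coreos/`, next to this script. The file is mode `100644`, unlike the other executable install scripts. Rewrite as separate commands resolved relative to the script's own directory, with `set -euo pipefail` so a failed copy stops before the install.
```bash
#!/bin/bash
set -euo pipefail
cd "$(dirname "$0")"   # repo files live next to this script after the rename
sudo cp zerotier.repo /etc/yum.repos.d/
sudo cp zt-gpg-key /etc/pki/rpm-gpg/
sudo cp docker-ce.repo /etc/yum.repos.d/
sudo rpm-ostree install --idempotent fail2ban zerotier-one docker-compose-plugin
```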
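Review bot: `curl -fsSL … | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg` in `docker/install-debian.sh` may prompt (or fail without a tty) when the keyring already exists, so a second run of the script does not behave like the first; add `--yes`, and `chmod a+r` the keyring since apt reads it as the `_apt` user: `… | sudo gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg && sudo chmod a+r /etc/apt/keyrings/docker.gpg`. With no `set -e`, a failed key download still proceeds to `apt-get update`/`install` against whatever keyring is on disk. The key is trusted on first download; printing its fingerprint with `gpg --show-keys` and comparing it to the one Docker publishes, or vendoring the armored key in the repo the way `coreos/zt-gpg-key` is vendored for ZeroTier, would pin the trust anchor.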
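Review bot: `docker/install-fedora.sh` has no shebang although the file is `100755`, so it runs under whatever interpreter the caller happens to use; add `#!/bin/bash` like the sibling scripts. The final `sudo dnf install docker-ce …` lacks the `-y` used on `sudo dnf -y install dnf-plugins-core`, so an unattended run stops at a prompt, and the leading space on ` sudo dnf config-manager \` looks like a paste artefact. `config-manager --add-repo` fetches the repo definition over HTTPS at run time while this commit vendors `coreos/docker-ce.repo`; if the live fetch is preferred for Fedora workstations, a comment saying so would stop someone "fixing" it to the vendored copy.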
diff --git a/docker/install-ubuntu.sh b/docker/install-ubuntu.sh
new file mode 100755
index 0000000..1b555c6
--- /dev/null
+++ b/docker/install-ubuntu.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+sudo apt-get remove docker docker-engine docker.io containerd runc
+sudo apt-get update
+sudo apt-get install -y \
+ ca-certificates \
+ curl \
+ gnupg \
+ lsb-release
+sudo mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
diff --git a/go-task/install.sh b/go-task/install.sh
new file mode 100644
index 0000000..94ed10a
--- /dev/null
+++ b/go-task/install.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p ~/.local/bin
+stat ~/.local/bin/task > /dev/null || cp task ~/.local/bin
+stat /etc/bash_completion.d/task.bash || sudo cp task.bash /etc/bash_completion.d/task.bash
diff --git a/mailu-f2b/fail2ban-bad-auth-filter.conf b/mailu-f2b/fail2ban-bad-auth-filter.conf
index 78a530e..aefeed8 100644
--- a/mailu-f2b/fail2ban-bad-auth-filter.conf
+++ b/mailu-f2b/fail2ban-bad-auth-filter.conf
@@ -2,4 +2,4 @@
 [Definition]
 failregex = .* client login failed: .+ client:\
 ignoreregex =
-journalmatch = CONTAINER_TAG=mailu-front
+journalmatch = CONTAINER_TAG=docker-front
diff --git a/mailu-f2b/fail2ban-bad-auth-jail.conf b/mailu-f2b/fail2ban-bad-auth-jail.conf
index 0170d85..d2c76a7 100644
--- a/mailu-f2b/fail2ban-bad-auth-jail.conf
+++ b/mailu-f2b/fail2ban-bad-auth-jail.conf
@@ -6,6 +6,6 @@ bantime = 1w
 bantime.increment = true
 bantime.factor = 2
 bantime.maxtime = 128w
-findtime = 300
-maxretry = 5
+findtime = 86400
+maxretry = 3
 action = docker-action
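Review bot: `$(lsb_release -cs)` in the `docker.list` line returns the derivative's own codename on Ubuntu-based distributions (Mint, Pop!_OS), which yields a suite that does not exist on download.docker.com; the cockpit scripts in this commit already source `/etc/os-release`, and `${UBUNTU_CODENAME:-$VERSION_CODENAME}` from that file is the robust form here. The `gpg --dearmor -o` call needs `--yes` to be re-runnable and the script has no `set -e`, so a failed key download still reaches `apt-get install`.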
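Review bot: `stat ~/.local/bin/task > /dev/null || cp task ~/.local/bin` in `go-task/install.sh` copies a binary committed to the repository onto `PATH` with no integrity check, and because `stat` succeeds whenever the file exists, a newer vendored `task` is never rolled out and a tampered one is never replaced; verify a pinned digest first (`sha256sum -c task.sha256`) and copy with `install -m 0755 task ~/.local/bin/task`. `stat` is also being used as an existence test — its stderr on the first line and its full stdout on the second end up in the task output; `[ -e ~/.local/bin/task ]` is the idiom. The file is `100644` while the other install scripts are executable.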
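Review bot: `journalmatch = CONTAINER_TAG=docker-front` only matches if the Mailu front container's journald `tag` is exactly `docker-front` (it was `mailu-front` before); the compose file that sets that tag is not in this diff, so if the two disagree the jail silently matches nothing and the `bad-auth` bans stop. After deploying, confirm with `journalctl CONTAINER_TAG=docker-front -n 5` and `sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/bad-auth.conf`, and add `# must equal logging.options.tag of the front service` above the line so the next rename does not break it. The `failregex` context line as rendered here ends at `client:\` with no host capture, which fail2ban requires — possibly lost in rendering, but worth checking in the file itself.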
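Review bot: `findtime = 86400` together with `maxretry = 3` means three failed logins in 24 hours earn a one-week ban that doubles on repeat up to 128 weeks, which a single user with a stale password on a mail client will hit quickly, and everyone behind the same NAT shares the penalty. Make sure the jail's `ignoreip` (lines 1–5 of the file are outside this hunk, so it is not visible here) covers the admin and ZeroTier ranges so the operator cannot be locked out, and add a comment stating why a 24-hour window was chosen over the previous 300 seconds, e.g. `# 24h window: slow distributed guessing was slipping under findtime=300`.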
diff --git a/mailu-f2b/fail2ban-sshd-jail.conf b/mailu-f2b/fail2ban-sshd-jail.conf
new file mode 100644
index 0000000..c43f118
--- /dev/null
+++ b/mailu-f2b/fail2ban-sshd-jail.conf
@@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+bantime = 1w
+bantime.increment = true
+bantime.factor = 2
+bantime.maxtime = 128w
+findtime = 86400
+maxretry = 3
diff --git a/zerotier/install-debian.sh b/zerotier/install-debian.sh
new file mode 100644
index 0000000..d26ce3b
--- /dev/null
+++ b/zerotier/install-debian.sh
@@ -0,0 +1,2 @@
+curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
+if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
diff --git a/zerotier/install-fedora.sh b/zerotier/install-fedora.sh
new file mode 100644
index 0000000..d26ce3b
--- /dev/null
+++ b/zerotier/install-fedora.sh
@@ -0,0 +1,2 @@
+curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
+if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
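Review bot: `[sshd]` enables the jail with a one-week, doubling ban after three failures in 24 hours but sets no `ignoreip`, so a mistyped passphrase or a monitoring probe from the operator's own address bans the admin for a week; add `ignoreip = 127.0.0.1/8 ::1 <management or ZeroTier subnet>` here or in `[DEFAULT]`. On journal-only hosts (Fedora/CoreOS, the rpm-ostree target elsewhere in this repo) the jail also needs `backend = systemd` unless the distribution's `fail2ban-systemd` drop-in already supplies it; confirm with `sudo fail2ban-client status sshd` that the jail reports matched entries rather than zero. A `mode = aggressive` line is worth considering only after the `ignoreip` is in place.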
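Review bot: The signing key in `zerotier/install-debian.sh` is downloaded from GitHub `master` at run time and imported with `gpg --import`, so the second `curl | gpg` verifies the installer against whatever key the first download returned — it proves transport integrity, not publisher identity. This commit already vendors a ZeroTier key as `coreos/zt-gpg-key`; if it is the same publisher key (verify with `gpg --show-keys`), import that file instead, `gpg --import "$(dirname "$0")/../coreos/zt-gpg-key" && \`, and otherwise check the imported fingerprint against the one ZeroTier publishes before running anything. Both `curl -s` calls lack `-f`, so an HTTP error page is piped into `gpg` rather than aborting; use `curl -sf`. The file is `100644` and has no shebang.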
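Review bot: `zerotier/install-fedora.sh` is byte-for-byte identical to the Debian script (same blob `d26ce3b`), so the two will drift with the first fix; make one a symlink to the other, or keep a single `zerotier/install.sh`, since `install.zerotier.com` detects the distribution itself. The key-pinning (import a vendored or fingerprint-checked key rather than a GitHub `master` download) and `curl -sf` fixes are needed in this copy as well.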