ooh

2022-10-24 02:44:00 +11:00 · 2022-10-24 02:44:00 +11:00 · 458796c78b
parent 786596d5cf
commit 458796c78b
19 changed files with 138 additions and 25 deletions
--- a/.task/checksum/f2b
+++ b/.task/checksum/f2b
@ -0,0 +1 @@
+6a228d1f7a874abb131df909a27910f4
--- a/.task/checksum/mailu
+++ b/.task/checksum/mailu
@ -0,0 +1 @@
+1e5b6349bfe1b1bef4c2859219c92b11
--- a/Taskfile.yml
+++ b/Taskfile.yml
@ -7,24 +7,14 @@ tasks:
      - if command -v task; then task -l else go-task -l; fi
    silent: true

-  install:
-    desc: Install software
-    cmds:
-      - mkdir -p ~/.local/bin
-      - stat ~/.local/bin/task > /dev/null || cp go-task/task ~/.local/bin
-      - sudo cp go-task/task.bash /etc/bash_completion.d
-      - sudo cp zerotier/zerotier.repo /etc/yum.repos.d
-      - sudo cp zerotier/zt-gpg-key /etc/pki/rpm-gpg
-      - sudo cp docker/docker-ce.repo /etc/yum.repos.d
-      - sudo rpm-ostree install --idempotent fail2ban zerotier-one docker-compose-plugin
-
  folders:
    desc: Make folders for server
    cmds:
-      - sudo mkdir -p /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_}
-      - sudo chmod 700 /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_}
-      - sudo chown 1000 /srv/{config,backup,gotask,rpdata,secret,srvtls,server,_pack_}
-      - cp -rn * /srv/server
+      - sudo mkdir -p ../{config,backup,srvtls}
+      - sudo chmod 700 ../{config,backup,srvtls,server}
+      - sudo chown 1000 ../{config,backup,srvtls,server}
+    preconditions:
+      - sh: "test ${PWD##*/} = 'server'"

  status:
    desc: Server Status
@ -35,9 +25,9 @@ tasks:

  f2bs:
    cmds:
-      - #sudo fail2ban-client get sshd banip --with-time
+      - sudo fail2ban-client get sshd banip --with-time
      - sudo fail2ban-client get bad-auth banip --with-time
-      - df
+      - tail -n 20 /var/log/fail2ban.log
    preconditions:
      - sh: 'command -v fail2ban-client'

@ -54,21 +44,24 @@ tasks:
      - sudo systemctl enable --now fail2ban
      - sudo cp mailu-f2b/fail2ban-bad-auth-filter.conf /etc/fail2ban/filter.d/bad-auth.conf
      - sudo cp mailu-f2b/fail2ban-bad-auth-jail.conf /etc/fail2ban/jail.d/bad-auth.conf
+      - sudo cp mailu-f2b/fail2ban-sshd-jail.conf /etc/fail2ban/jail.d/sshd.conf
      - sudo cp mailu-f2b/fail2ban-docker-action.conf /etc/fail2ban/action.d/docker-action.conf
      - sudo mkdir -p /etc/systemd/system/fail2ban.service.d
      - sudo cp mailu-f2b/fail2ban-override.conf /etc/systemd/system/fail2ban.service.d/override.conf
      - sudo sudo systemctl daemon-reload
      - sudo systemctl restart fail2ban
    sources:
-      - fmailu-f2b/ail2ban-bad-auth-filter.conf
-      - fmailu-f2b/ail2ban-bad-auth-jail.conf
-      - fmailu-f2b/ail2ban-docker-action.conf
-      - fmailu-f2b/ail2ban-override.conf
+      - mailu-f2b/fail2ban-bad-auth-filter.conf
+      - mailu-f2b/fail2ban-bad-auth-jail.conf
+      - mailu-f2b/fail2ban-sshd-jail.conf
+      - mailu-f2b/fail2ban-docker-action.conf
+      - mailu-f2b/fail2ban-override.conf
    generates:
      - /etc/fail2ban/filter.d/bad-auth.conf
      - /etc/fail2ban/jail.d/bad-auth.conf
+      - /etc/fail2ban/jail.d/sshd.conf
      - /etc/fail2ban/action.d/docker-action.conf
      - /etc/systemd/system/fail2ban.service.d/override.conf
    preconditions:
-      - sh: 'commmand -v fail2ban-server'
+      - sh: 'command -v fail2ban-server'

--- a/cockpit/install-debian.sh
+++ b/cockpit/install-debian.sh
@ -0,0 +1,18 @@
+#!/bin/bash
+
+. /etc/os-release
+echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
+    /etc/apt/sources.list.d/backports.list
+apt update
+apt install -t ${VERSION_CODENAME}-backports cockpit
+exit
+
+ROOT="_cpt_"
+HOST="z-$(hostname)"
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me https://${HOST}.cherished.me wss://${HOST}.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/${ROOT}
+EOT
+sudo systemctl restart cockpit.socket
--- a/cockpit/install-fedora.sh
+++ b/cockpit/install-fedora.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/cpt-$(hostname)
+EOT
+
+sudo systemctl restart cockpit.socket
--- a/cockpit/install-ubuntu.sh
+++ b/cockpit/install-ubuntu.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+
+. /etc/os-release
+sudo apt install -t ${VERSION_CODENAME}-backports cockpit
+exit
+
+ROOT="_cpt_"
+HOST="z-$(hostname)"
+cat << EOT | sudo tee /etc/cockpit/cockpit.conf
+[WebService]
+Origins = https://cor.cherished.me wss://cor.cherished.me https://${HOST}.cherished.me wss://${HOST}.cherished.me
+ProtocolHeader = X-Forwarded-Proto
+UrlRoot=/${ROOT}
+EOT
+sudo systemctl restart cockpit.socket
--- a/coreos/docker-ce.repo
+++ b/coreos/docker-ce.repo
--- a/coreos/install.sh
+++ b/coreos/install.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+sudo cp zerotier/zerotier.repo /etc/yum.repos.d \
+sudo cp zerotier/zt-gpg-key /etc/pki/rpm-gpg \
+sudo cp docker/docker-ce.repo /etc/yum.repos.d \
+sudo rpm-ostree install --idempotent fail2ban zerotier-one docker-compose-plugin \
+
--- a/zerotier/zerotier.repo
+++ b/zerotier/zerotier.repo
--- a/zerotier/zt-gpg-key
+++ b/zerotier/zt-gpg-key
--- a/docker/install-debian.sh
+++ b/docker/install-debian.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+
+sudo apt-get remove docker docker-engine docker.io containerd runc
+sudo apt-get update
+sudo apt-get install -y \
+    ca-certificates \
+    curl \
+    gnupg \
+    lsb-release
+sudo mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
--- a/docker/install-fedora.sh
+++ b/docker/install-fedora.sh
@ -0,0 +1,17 @@
+sudo dnf remove docker \
+                  docker-client \
+                  docker-client-latest \
+                  docker-common \
+                  docker-latest \
+                  docker-latest-logrotate \
+                  docker-logrotate \
+                  docker-selinux \
+                  docker-engine-selinux \
+                  docker-engine
+
+sudo dnf -y install dnf-plugins-core
+ sudo dnf config-manager \
+    --add-repo \
+    https://download.docker.com/linux/fedora/docker-ce.repo
+
+sudo dnf install docker-ce docker-ce-cli containerd.io docker-compose-plugin
--- a/docker/install-ubuntu.sh
+++ b/docker/install-ubuntu.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+
+sudo apt-get remove docker docker-engine docker.io containerd runc
+sudo apt-get update
+sudo apt-get install -y \
+    ca-certificates \
+    curl \
+    gnupg \
+    lsb-release
+sudo mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
--- a/go-task/install.sh
+++ b/go-task/install.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p ~/.local/bin
+stat ~/.local/bin/task > /dev/null || cp task ~/.local/bin
+stat /etc/bash_completion.d/task.bash || sudo cp task.bash /etc/bash_completion.d/task.bash
--- a/mailu-f2b/fail2ban-bad-auth-filter.conf
+++ b/mailu-f2b/fail2ban-bad-auth-filter.conf
@ -2,4 +2,4 @@
 [Definition]
 failregex = .* client login failed: .+ client:\ <HOST>
 ignoreregex =
-journalmatch = CONTAINER_TAG=mailu-front
+journalmatch = CONTAINER_TAG=docker-front
--- a/mailu-f2b/fail2ban-bad-auth-jail.conf
+++ b/mailu-f2b/fail2ban-bad-auth-jail.conf
@ -6,6 +6,6 @@ bantime = 1w
 bantime.increment = true
 bantime.factor = 2
 bantime.maxtime = 128w
-findtime = 300
-maxretry = 5
+findtime = 86400
+maxretry = 3
 action = docker-action
--- a/mailu-f2b/fail2ban-sshd-jail.conf
+++ b/mailu-f2b/fail2ban-sshd-jail.conf
@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+bantime = 1w
+bantime.increment = true
+bantime.factor = 2
+bantime.maxtime = 128w
+findtime = 86400
+maxretry = 3
--- a/zerotier/install-debian.sh
+++ b/zerotier/install-debian.sh
@ -0,0 +1,2 @@
+curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
+if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
--- a/zerotier/install-fedora.sh
+++ b/zerotier/install-fedora.sh
@ -0,0 +1,2 @@
+curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
+if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi