commit 3d665e5e11a0eb79ea17aec8c5b31f7bcbe335cf Author: Darren 'Tadgy' Austin Date: Tue Sep 29 16:40:13 2020 +0100 Initial commit.
diff --git a/01-install-base-files b/01-install-base-files
new file mode 100755
index 0000000..d1fac5f
--- /dev/null
+++ b/01-install-base-files
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+umask 022
+
+# Install the LetsEncrypt CA bundles, to stop wget moaning.
+cp -R ca-certificates /usr/local/share
+update-ca-certificates
+
+# Install memtest86 into /boot.
+# Only install if /boot exists, so we are container compatible.
+[ -e /boot ] && cp memtest86+ /boot
+
+# Install root's new crontab.
+cat root.crontab >/var/spool/cron/crontabs/root
+/etc/rc.d/rc.crond restart
+
+# Install the /etc files.
+cd base-files
+IFS=$'\n'
+for dir in $(find . -type d | sort | sed -re 's/^\.\///'); do
+ mkdir -p -m 755 /etc/$dir
+done
+for file in $(find . -type f | sort | sed -re 's/^\.\///'); do
+ cat "$file" >"/etc/$file"
+done
+
+# Correct file/directory specific permissions.
+chmod 755 /etc/cron.daily/update-slackpkg-template
+chmod 755 /etc/cron.daily/warn-git-status
+chmod 755 /etc/cron.hourly/log-acls
+chmod 755 /etc/initscript
+chmod 755 /etc/profile.d/biff.csh
+chmod 755 /etc/profile.d/biff.sh
+chmod 755 /etc/profile.d/lang.csh
+chmod 755 /etc/profile.d/lang.sh
+chmod 755 /etc/profile.d/less.csh
+chmod 755 /etc/profile.d/less.sh
+chmod 755 /etc/profile.d/optpaths.csh
+chmod 755 /etc/profile.d/optpaths.sh
+chmod 750 /etc/sudoers.d
diff --git a/02-system-setup b/02-system-setup
new file mode 100755
index 0000000..4924f0c
--- /dev/null
+++ b/02-system-setup
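Review bot: `cd base-files` in the "Install the /etc files" section has no failure guard, so if that directory is missing the two `find . -type f` loops run against whatever the current directory is and `cat "$file" >"/etc/$file"` starts overwriting /etc with it; `cd base-files || exit 1` closes that, and nothing else in the script checks a result either, so `set -e` near the top is worth considering. The loop words are also expanded unquoted: `IFS=$'\n'` stops splitting on spaces, but the `$(find …)` output is still subject to globbing and `/etc/$dir` on the `mkdir` line is bare, so `mkdir -p -m 755 "/etc/$dir"` is the safer form. Note that `cat >"/etc/$file"` opens the destination path, so it writes through an existing symlink at that location where `cp` would not; a comment stating that this is intended would help.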
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Re-generate root's password for longer hash.
+passwd root
+
+# Make Tadgy's account.
+adduser tadgy
+
+# Move the 'console' group. I dislike it above 100.
+grep "^console:x:101:" /etc/group >/dev/null && groupmod -g 97 console
+grpconv
+
+# Add group 'admin', and make root and Tadgy a member.
+grep "^admin:" /etc/group >/dev/null || groupadd -g 101 admin
+usermod -aG admin root
+usermod -aG admin tadgy
+
+# Restrict access to 'logger', since it can be used to spam the logs.
+chown root:admin /usr/bin/logger
+chmod 750 /usr/bin/logger
+
+# Copy ssh keys into place for root and tadgy.
+mkdir -p -m 0700 /root/.ssh
+cp authorized_keys /root/.ssh
+mkdir -p -m 0700 /home/tadgy/.ssh
+cp authorized_keys /home/tadgy/.ssh
+chown -R tadgy:users /home/tadgy/.ssh
+
+# Encrypt the databases so they can be checked into git.
+echo "Encrypting /etc/shadow..."
+gpg -c -o /etc/shadow.gpg /etc/shadow
+echo "Encrypting /etc/gshadow..."
+gpg -c -o /etc/gshadow.gpg /etc/gshadow
+
+# Create /opt directories.
+mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}
+
+# Create log archive directories and move old log files.
+[ ! -d /var/log/Archived/pre-sysconfig ] && {
+ mkdir -p -m 750 /var/log/Archived
+ mkdir -p -m 750 /var/log/Archived/pre-sysconfig
+ mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} /var/log/Archived/pre-sysconfig/ 2>/dev/null
+}
+
+# Stop syslog from producing a "MARK" every 20 minutes.
+# -current 20200626 uses /etc/default now, this is not required.
+# sed -i /etc/rc.d/rc.syslog -r -e '/^#SYSLOGD_OPTIONS/ s/#//' -e '/^SYSLOGD_OPTIONS/ s/"-c "$/"-c -m 0"/'
+
+# Restart syslogd.
+/etc/rc.d/rc.syslog restart
+
+# Restart ntpd.
+[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart
+
+# Restart sshd.
+/etc/rc.d/rc.sshd restart
+
+# Keep an su'ers log.
+touch /var/log/sulog
+
+# Keep fail2ban logs.
+touch /var/log/fail2ban
+
+# Add an rc.local_shutdown script if it doesn't exist already.
+[ ! -e /etc/rc.d/rc.local_shutdown ] && {
+ echo "#!/bin/sh" >/etc/rc.d/rc.local_shutdown
+ echo "# /etc/rc.d/rc.local_shutdown - Local system shutdown script." >>/etc/rc.d/rc.local_shutdown
+ echo "# This script will be run when the system is shutdown or rebooted." >>/etc/rc.d/rc.local_shutdown
+ chmod 755 /etc/rc.d/rc.local_shutdown
+}
+
+# To clear all ACLs:
+# setfacl -Rk /path
+# setfacl -Rd group:admin: /path
+# setfacl -Rx mask:: /path
+
+# Secure /var/log
+# Set standard access perms for directories
+setfacl -m user::rwx,group::rx,other::x /var/log/
+setfacl -m user::rwx,group::rx,other::- /var/log/*/ /var/log/*/*/
+# Set standard access perms for files
+find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
+# Allow group 'admin' read access to all directories/files
+setfacl -m group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
+find /var/log -type f -exec setfacl -m group:admin:r {} \;
+# Set default access for new files in directories.
+setfacl -dm user::rwX,group::rX,other::- /var/log/ /var/log/*/ /var/log/*/*/
+setfacl -dm group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
+# /var/log/wtmp needs to be readable by everyone
+setfacl -m user::rw,group::r,other::r /var/log/wtmp
+
+# Secure /root
+# Set standard access perms for directories
+find /root -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
+# Set standard access perms for files
+find /root -type f -exec setfacl -m user::rwX,group::rX,other::- {} \;
+# Allow group 'admin' read access to all files/dirs
+find /root -type d -exec setfacl -m group:admin:rX {} \;
+find /root -type f -exec setfacl -m group:admin:rX {} \;
+# Set default access for new files/dirs
+find /root -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
+find /root -type d -exec setfacl -dm group:admin:rX {} \;
+
+# Clean up some cruft.
+rm -rf /etc/nntpserver /etc/lilo.conf_example
+rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man
+
+# Finally, check for FIXMEs.
+echo "There may be some FIXMEs to attend to:"
+grep -R FIXME /etc | egrep -v "^/etc/(\.git|file|magic|misc)"
diff --git a/authorized_keys b/authorized_keys
new file mode 100644
index 0000000..acb11ca
--- /dev/null
+++ b/authorized_keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsx4EY4vbDt0TXGZsW9UjOxj+s/mVeytJ7lW5rAu0gS Darren 'Tadgy' Austin
+ssh-rsa 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 Darren 'Tadgy' Austin
diff --git a/base-files/.gitignore b/base-files/.gitignore
new file mode 100644
index 0000000..1b0faf7
--- /dev/null
+++ b/base-files/.gitignore
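Review bot: The `groupmod -g 97 console` line moves the console group off GID 101 and the next block hands GID 101 to the new `admin` group, but nothing re-owns files that still carry the old GID on disk, so any such file silently becomes group-owned by `admin`, the same group this script uses to gate read access to /var/log, /root and /usr/bin/logger. Inserting `find / -xdev -gid 101 -exec chgrp console {} +` between `grpconv` and the `groupadd`, or a comment recording that this was checked, would close that. Separately, the `setfacl … /var/log/*/ /var/log/*/*/` lines cover only two directory levels while the cron.hourly/log-acls copy of the same logic uses `find`, so the two will drift. The `gpg -c -o /etc/shadow.gpg /etc/shadow` step runs with no explicit umask in this script, so the mode of the resulting `.gpg` files is worth confirming before they are committed.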
@@ -0,0 +1,161 @@ +# Files which should never be tracked, for security. +gshadow +shadow +ssh/*_key + +# Temporary, backup, sample and dist files. +*.swp +.pwd.lock +group- +gshadow- +passwd- +shadow- +*.example +*-example +*_example +*.sample +*-sample +*_sample +*.dist + +# Dynamically created files. +adjtime +ca-certificates.conf +ld.so.cache +random-seed + +# Files that don't need to be tracked. +DIR_COLORS +X11/ +bind.keys +bindresvport.blacklist +cgconfig.conf +cgred.conf +cgrules.conf +cgsnapshot_blacklist.conf +cron.daily/certwatch +cron.daily/logrotate +cron.daily/man-db +cron.daily/mlocate +dbus-1/ +default/cpufreq +default/crond +default/kadmind +default/kpropd +default/krb5kdc +default/lxc +default/sshd +default/useradd +dhcpcd.conf +dnsmasq.conf +e2scrub.conf +ethertypes +fail2ban/*.conf +fail2ban/action.d/*.conf +fail2ban/action.d/*.py +fail2ban/filter.d/ignorecommands +fail2ban/filter.d/*.conf +fb.modes +file/ +host.conf +hosts.allow +hosts.deny +hosts.equiv +init.d +inputrc +iproute2/ +issue +issue.net +ld.so.conf +libnl/ +localtime +localtime-copied-from +login.access +lxc/default.conf +lynx.cfg +lynx.lss +man_db.conf +mcelog/mcelog.conf +mcelog/*-trigger +misc +mke2fs.conf +modprobe.d/README +mtab +named.conf +nanorc +netconfig +nntpserver +nsswitch.conf +ntp.keys +os-release +profile.d/coreutils-dircolors.* +profile.d/gawk.* +profile.d/glibc.* +profile.d/man-db.* +profile.d/z-dot-in-non-root-path.* +protocols +!rc.d/init.d/ +rc.d/init.d/README.functions +rc.d/init.d/functions +rc.d/rc.0 +rc.d/rc.4 +rc.d/rc.6 +rc.d/rc.K +rc.d/rc.M +rc.d/rc.S +rc.d/rc.bind +rc.d/rc.cgconfig +rc.d/rc.cgmanager +rc.d/rc.cgproxy +rc.d/rc.cgred +rc.d/rc.cpufreq +rc.d/rc.crond +rc.d/rc.dnsmasq +rc.d/rc.fail2ban +rc.d/rc.font +rc.d/rc.haveged +rc.d/rc.inet1 +rc.d/rc.inet2 +rc.d/rc.ip_forward +rc.d/rc.kadmind +rc.d/rc.kpropd +rc.d/rc.krb5kdc +rc.d/rc.libvirt +rc.d/rc.loop +rc.d/rc.lxc +rc.d/rc.mcelog +rc.d/rc.messagebus +rc.d/rc.modules +rc.d/rc.ntpd +rc.d/rc.qemu-ga 
+rc.d/rc.saslauthd
+rc.d/rc.serial
+rc.d/rc.setterm
+rc.d/rc.smartd
+rc.d/rc.sshd
+rc.d/rc.sysstat
+rc.d/rc.sysvinit
+rc.d/rc.udev
+rc.d/rc.vnstat
+rc?.d
+!rc.d/rc?.d/
+request-key.conf
+rmt
+screenrc
+sensors3.conf
+serial.conf
+services
+shells
+skel/.screenrc
+slackware-version
+smartd_warning.sh
+ssh/moduli
+ssl/
+sudoers
+sysstat/
+termcap
+udev/
+updatedb.conf
+vi.exrc
+wgetrc
+xattr.conf
diff --git a/base-files/cron.daily/update-slackpkg-template b/base-files/cron.daily/update-slackpkg-template
new file mode 100755
index 0000000..dbebce9
--- /dev/null
+++ b/base-files/cron.daily/update-slackpkg-template
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+slackpkg -batch=on -default_answer=y generate-template "$HOSTNAME" >/dev/null
diff --git a/base-files/cron.daily/warn-git-status b/base-files/cron.daily/warn-git-status
new file mode 100755
index 0000000..5475ad4
--- /dev/null
+++ b/base-files/cron.daily/warn-git-status
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+source /etc/mail.conf "etc-git" || exit 1
+
+cd /etc
+
+OUTPUT="$(git status | egrep -ve "^(On branch|Your branch|No commits|nothing|$)" -e "\(use")"
+
+[[ ! -z "$OUTPUT" ]] && mailx "${MAILX_ARGS[@]}" -r "$EMAIL_FROM" -s "/etc git status" "${EMAIL_TO[@]}" <<< "$OUTPUT"
diff --git a/base-files/cron.hourly/log-acls b/base-files/cron.hourly/log-acls
new file mode 100755
index 0000000..e5d11c9
--- /dev/null
+++ b/base-files/cron.hourly/log-acls
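Review bot: `cd /etc` in warn-git-status has no failure guard, so if it fails the `git status` that follows runs in cron's working directory and its error text is mailed as though it were /etc's status; `cd /etc || exit 1` matches the `|| exit 1` already used on the `source` line. `[[ ! -z "$OUTPUT" ]]` reads more naturally as `[[ -n "$OUTPUT" ]]`. The `"${MAILX_ARGS[@]}"` expansion depends on mail.conf defining that array for every caller, and for the `etc-git` argument passed here that file's default branch leaves it unset, which bash accepts only because this script does not run under `set -u`.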
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Sleep for a couple of minutes to prevent a race condition with other cron jobs.
+sleep 120
+
+# Secure /var/log
+# Set standard access perms for directories
+setfacl -m user::rwx,group::rx,other::x /var/log/
+find /var/log/*/ -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
+# Set standard access perms for files
+find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
+# Allow group 'admin' read access to all directories/files
+find /var/log -type d -exec setfacl -m group:admin:rX {} \;
+find /var/log -type f -exec setfacl -m group:admin:r {} \;
+# Set default access for new files in directories.
+find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
+find /var/log -type d -exec setfacl -dm group:admin:rX {} \;
+# /var/log/wtmp needs to be readable by everyone
+setfacl -m user::rw,group::r,other::r /var/log/wtmp
+
+# To clear above ACL settings:
+# setfacl -Rk /path
+# setfacl -Rx group:admin: /path
+# setfacl -Rx mask:: /path
diff --git a/base-files/csh.login b/base-files/csh.login
new file mode 100644
index 0000000..02c8c7b
--- /dev/null
+++ b/base-files/csh.login
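Review bot: Every `find … -exec setfacl … {} \;` here forks one setfacl per file or directory, and the script runs hourly over all of /var/log; `-exec setfacl … {} +` batches the paths and should replace `\;` on all six find lines, and the `-R` in `setfacl -Rm` on the `-type f` line does nothing since each target is already a single file. Between the `find /var/log -type f … other::-` pass and the final `setfacl … other::r /var/log/wtmp` line there is a short window each hour in which wtmp is unreadable to unprivileged users, so `last` can fail for them during it; excluding wtmp from that find (`-not -path /var/log/wtmp`) removes the window. The `sleep 120` is a timing workaround for an unnamed cron job; naming the job it is avoiding in the comment would let a later maintainer remove the sleep safely.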
@@ -0,0 +1,45 @@
+# System wide set up for the csh and tcsh shells.
+
+# The default search path.
+set path = ( /usr/bin /bin /usr/local/bin )
+
+# Add sbin paths for root users.
+if ( { [ "`id -u`" = "0" -o "`id -g`" = "0" ] } ) \
+ set path = ( /usr/sbin /sbin /usr/local/sbin $path )
+
+# Set path to include a user's private bin if it exists.
+if ( -d ~/bin ) set path = ( ~/bin $path )
+
+# Append /usr/games to path if it exists.
+if ( -d /usr/games ) set path = ( $path /usr/games )
+
+# Set a default terminal type if none was detected.
+if ! $?TERM setenv TERM linux
+if ( "$TERM" == "" ) setenv TERM linux
+if ( "$TERM" == "unknown" ) setenv TERM linux
+
+# Use the system inputrc if the user does not have their own.
+if ( ! -r ~/.inputrc ) setenv INPUTRC /etc/inputrc
+
+# Set an empty MANPATH if none exists (this prevents some profile.d scripts from exiting from trying to access an unset variable):
+if ! $?MANPATH setenv MANPATH ""
+
+# Set the HOSTNAME environment variable.
+setenv HOSTNAME "`cat /etc/HOSTNAME`"
+
+# Shell prompt.
+set prompt = "%n@%m:%~%# "
+
+# Use a reasonable create mask.
+umask 022
+
+# Set up any further environment from files in /etc/profile.d/.
+if ( -d /etc/profile.d ) then
+ set nonomatch
+ foreach file ( /etc/profile.d/*.csh )
+ if ( -x $file ) then
+ source $file
+ endif
+ end
+ unset file nonomatch
+endif
diff --git a/base-files/default/syslogd b/base-files/default/syslogd
new file mode 100644
index 0000000..36c0f41
--- /dev/null
+++ b/base-files/default/syslogd
@@ -0,0 +1,4 @@
+# Options for the syslog daemon.
+# Default is "-s" to run in secure mode - not accepting network connections.
+# For other options, see syslog(8).
+SYSLOGD_OPTS="-s -k -m 0"
diff --git a/base-files/dialogrc b/base-files/dialogrc
new file mode 100644
index 0000000..75f17d4
--- /dev/null
+++ b/base-files/dialogrc
@@ -0,0 +1 @@
+# This file is intentionally empty.
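Review bot: The root check `if ( { [ "`id -u`" = "0" -o "`id -g`" = "0" ] } )` spawns an external `test` and uses its `-o` form, which POSIX marks obsolescent; csh can express the same condition natively as `if ( "`id -u`" == "0" || "`id -g`" == "0" ) \`, which also avoids the subshell-in-braces construct. `setenv HOSTNAME "`cat /etc/HOSTNAME`"` prints an error at every login if that file is absent; wrapping it in `if ( -r /etc/HOSTNAME )` keeps shell start-up quiet on hosts that set the name elsewhere. The `foreach file ( /etc/profile.d/*.csh )` loop sources anything executable in that directory, which is the standard Slackware pattern but deserves a comment since `01-install-base-files` is what sets the execute bits that gate it.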
diff --git a/base-files/fail2ban/fail2ban.local b/base-files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..a92c9e5
--- /dev/null
+++ b/base-files/fail2ban/fail2ban.local
@@ -0,0 +1,75 @@ +[DEFAULT] + +# Option: loglevel +# Notes.: Set the log level output. +# CRITICAL +# ERROR +# WARNING +# NOTICE +# INFO +# DEBUG +# Values: [ LEVEL ] Default: ERROR +# +loglevel = INFO + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR +# +logtarget = syslog[facility=LOCAL0] + +# Option: syslogsocket +# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG +# auto uses platform.system() to determine predefined paths +# Values: [ auto | FILE ] Default: auto +#syslogsocket = auto + +# Option: socket +# Notes.: Set the socket file. This is used to communicate with the daemon. Do +# not remove this file when Fail2ban runs. It will not be possible to +# communicate with the server afterwards. +# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock +# +socket = /var/run/fail2ban.sock + +# Option: pidfile +# Notes.: Set the PID file. This is used to store the process ID of the +# fail2ban server. +# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid +# +pidfile = /var/run/fail2ban.pid + +# Options: dbfile +# Notes.: Set the file for the fail2ban persistent data to be stored. +# A value of ":memory:" means database is only stored in memory +# and data is lost when fail2ban is stopped. +# A value of "None" disables the database. 
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 +# dbfile = /var/lib/fail2ban/fail2ban.sqlite3 + +# Options: dbpurgeage +# Notes.: Sets age at which bans should be purged from the database +# Values: [ SECONDS ] Default: 86400 (24hours) +#dbpurgeage = 1d + +# Options: dbmaxmatches +# Notes.: Number of matches stored in database per ticket (resolvable via +# tags / in actions) +# Values: [ INT ] Default: 10 +#dbmaxmatches = 10 + +[Definition] + + +[Thread] + +# Options: stacksize +# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads, +# and must be 0 or a positive integer value of at least 32. +# Values: [ SIZE ] Default: 0 (use platform or configured default) +#stacksize = 0 diff --git a/base-files/fail2ban/jail.local b/base-files/fail2ban/jail.local new file mode 100644 index 0000000..525abe8 --- /dev/null +++ b/base-files/fail2ban/jail.local 
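Review bot: `logtarget = syslog[facility=LOCAL0]` sends fail2ban's own log to syslog, yet elsewhere in this commit `02-system-setup` creates `/var/log/fail2ban` and `logrotate.d/syslog` rotates it, while `paths-overrides.local` maps `syslog_local0` to /var/log/messages; unless the syslog configuration (not part of this commit) routes LOCAL0 to /var/log/fail2ban, that file stays empty and the rotation entry is dead. A comment here stating where LOCAL0 lands would reconcile the three files. `socket` and `pidfile` are also moved from the `/var/run/fail2ban/` defaults straight into `/var/run`; a one-line note on why (e.g. no per-service run directory on this init) would save the next reader from checking the daemon's start script.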
@@ -0,0 +1,61 @@ +[DEFAULT] + +# +# MISCELLANEOUS OPTIONS +# + +# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban +# will not ban a host which matches an address in this list. Several addresses +# can be defined using space (and/or comma) separator. +ignoreip = 127.0.0.1/8 91.109.244.0/24 ::1 2a02:2498:1:227::/64 afterdark.org.uk + +# "bantime" is the number of seconds that a host is banned. +bantime = 12h + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 2h + +# "maxretry" is the number of failures before a host get banned. +maxretry = 3 + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) +usedns = warn + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@ + +# +# JAILS +# + +[sshd] + +# To use more aggressive sshd modes set filter parameter "mode" in jail.local: +# normal (default), ddos, extra or aggressive (combines all). +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. +#mode = normal +enabled = yes +port = 9922 + +#[apache-auth] +#enabled = yes +# diff --git a/base-files/fail2ban/paths-overrides.local b/base-files/fail2ban/paths-overrides.local new file mode 100644 index 0000000..4c91b09 --- /dev/null +++ b/base-files/fail2ban/paths-overrides.local 
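Review bot: `sender = root@` has no host part; if the domain was not simply lost in this listing, every mail action will use an unroutable sender, so either complete the address or drop the line and let fail2ban's default apply. `ignoreip` includes the hostname `afterdark.org.uk`, which makes the never-ban list depend on a DNS answer at jail start and on whoever controls that zone; stating in a comment that this is intended, or listing the literal addresses instead, would make the trust decision explicit. The `[sshd]` jail sets only `port = 9922` and inherits its `logpath` from the path overrides, so this file alone does not show which log it watches; a comment naming that file would help whoever tunes `maxretry`/`findtime` later.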
@@ -0,0 +1,25 @@
+[DEFAULT]
+
+syslog_mail = /var/log/smtpd
+
+syslog_mail_warn = /var/log/smtpd
+
+syslog_authpriv = /var/log/messages
+
+syslog_auth = /var/log/messages
+
+syslog_user = /var/log/messages
+
+syslog_ftp = /var/log/ftpd
+
+syslog_daemon = /var/log/messages
+
+syslog_local0 = /var/log/messages
+
+apache_error_log = /var/log/httpd/*error.log
+
+apache_access_log = /var/log/httpd/*access.log
+
+# Default for Slackware provided below,
+# please change according to your proftpd config file.
+proftpd_log = /var/log/ftpd
diff --git a/base-files/filesystems b/base-files/filesystems
new file mode 100644
index 0000000..6de0d73
--- /dev/null
+++ b/base-files/filesystems
@@ -0,0 +1,15 @@
+ext4
+ext3
+ext2
+iso9660
+vfat
+ntfs
+msdos
+reiserfs
+btrfs
+jfs
+xfs
+romfs
+udf
+minix
+*
diff --git a/base-files/hardwareclock b/base-files/hardwareclock
new file mode 100644
index 0000000..d9c2e5c
--- /dev/null
+++ b/base-files/hardwareclock
@@ -0,0 +1,6 @@
+# /etc/hardwareclock
+#
+# Tells how the hardware clock time is stored.
+# You should run timeconfig to edit this file.
+
+UTC
diff --git a/base-files/initscript b/base-files/initscript
new file mode 100755
index 0000000..b78d2a7
--- /dev/null
+++ b/base-files/initscript
@@ -0,0 +1,7 @@
+PATH="/opt/sbin:/usr/local/sbin:/usr/sbin:/sbin:/opt/bin:/usr/local/bin:/usr/bin:/bin"
+PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
+PYTHONPATH="/opt/lib64/python2.7/site-packages"
+
+export PATH PERL5LIB PYTHONPATH
+
+eval exec "$4"
diff --git a/base-files/inittab b/base-files/inittab
new file mode 100644
index 0000000..e7b1ed7
--- /dev/null
+++ b/base-files/inittab
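Review bot: `syslog_authpriv = /var/log/messages` and `syslog_auth = /var/log/messages` are what the `[sshd]` jail enabled in jail.local inherits as its `logpath`, so the jail only works if sshd's authentication messages actually land in /var/log/messages; as far as I recall Slackware's stock syslog configuration sends `authpriv` to /var/log/secure, and `02-system-setup` archives a `secure` log, which suggests that file exists on this host. Unless the syslog configuration (outside this commit) was changed to match, the sshd jail watches the wrong file and never bans; a comment pointing at the syslog rule that justifies these paths would make the dependency checkable. The same question applies to `syslog_local0 = /var/log/messages`, which fail2ban.local relies on for its own log.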
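Review bot: `PYTHONPATH="/opt/lib64/python2.7/site-packages"` pins a Python 2.7 site-packages path, and because /etc/initscript wraps every process init spawns, that variable and `PERL5LIB` are inherited by every getty, rc script and daemon started from inittab; whatever lives under those /opt paths is therefore on the import path of root-run services, so those directories must stay root-owned and not group- or world-writable (`02-system-setup` creates them 755, which is fine, but the constraint belongs in a comment here). A short header saying that init runs this file for each inittab entry and that `eval exec "$4"` hands over to the entry's command would make the otherwise opaque `$4` readable.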
@@ -0,0 +1,63 @@ +# These are the default runlevels in Slackware: +# 0 = halt +# 1 = single user mode +# 2 = unused (but configured the same as runlevel 3) +# 3 = multiuser mode (default Slackware runlevel) +# 4 = X11 with KDM/GDM/XDM (session managers) +# 5 = unused (but configured the same as runlevel 3) +# 6 = reboot + +# Default runlevel. Do not set to 0 or 6. +id:3:initdefault: + +# System initialization (runs when system boots). +si:S:sysinit:/etc/rc.d/rc.S + +# Script to run when going single user (runlevel 1). +su:1S:wait:/etc/rc.d/rc.K + +# Script to run when going multi user. +rc:2345:wait:/etc/rc.d/rc.M + +# What to do at the "Three Finger Salute". +ca::ctrlaltdel:/sbin/shutdown -t5 -r now + +# Runlevel 0 halts the system. +l0:0:wait:/etc/rc.d/rc.0 + +# Runlevel 6 reboots the system. +l6:6:wait:/etc/rc.d/rc.6 + +# What to do when power fails. +pf::powerfail:/sbin/genpowerfail start +# FIXME: If running in a LXC container, use this. +# pf::powerfail:/sbin/shutdown -h now + +# If power is back, cancel the running shutdown. +pg::powerokwait:/sbin/genpowerfail stop +# FIXME: If running in a LXC container, use this. +# pg::powerokwait:/sbin/shutdown -c + +# These are the standard console login getties in multiuser mode. +c1:12345:respawn:/sbin/agetty --noclear 38400 tty1 linux +c2:12345:respawn:/sbin/agetty 38400 tty2 linux +#c3:12345:respawn:/sbin/agetty 38400 tty3 linux +#c4:12345:respawn:/sbin/agetty 38400 tty4 linux +#c5:12345:respawn:/sbin/agetty 38400 tty5 linux +#c6:12345:respawn:/sbin/agetty 38400 tty6 linux +#c7:12345:respawn:/sbin/agetty 38400 tty7 linux +#c8:12345:respawn:/sbin/agetty 38400 tty8 linux +#c9:12345:respawn:/sbin/agetty 38400 tty9 linux +#c10:12345:respawn:/sbin/agetty 38400 tty10 linux + +# Local serial lines. +#s1:12345:respawn:/sbin/agetty -L ttyS0 9600 vt100 +#s2:12345:respawn:/sbin/agetty -L ttyS1 9600 vt100 + +# Dialup lines. 
+#d1:12345:respawn:/sbin/agetty -mt60 38400,19200,9600,2400,1200 ttyS0 vt100 +#d2:12345:respawn:/sbin/agetty -mt60 38400,19200,9600,2400,1200 ttyS1 vt100 + +# Runlevel 4 also starts /etc/rc.d/rc.4 to run a display manager for X. +# Display managers are preferred in this order: gdm, kdm, xdm. +x1:4:respawn:/etc/rc.d/rc.4 diff --git a/base-files/ld.so.conf.d/opt.conf b/base-files/ld.so.conf.d/opt.conf new file mode 100644 index 0000000..6cb323f --- /dev/null +++ b/base-files/ld.so.conf.d/opt.conf @@ -0,0 +1 @@ +/opt/lib64 diff --git a/base-files/login.defs b/base-files/login.defs new file mode 100644 index 0000000..6975138 --- /dev/null +++ b/base-files/login.defs 
@@ -0,0 +1,287 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# +FAIL_DELAY 1 + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB yes + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. 
+# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin +ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0620 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 + +# +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +#HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. 
+# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +ENCRYPT_METHOD SHA512 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. 
+# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to BCRYPT. +# +# Define the number of BCRYPT rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, 13 rounds will be attempted. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#BCRYPT_MIN_ROUNDS 13 +#BCRYPT_MAX_ROUNDS 13 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# Most of these groups are self-explanatory, but in the case of +# "lp", it is because group lp is needed to use a scanner that +# is part of a multifunction printer. +# +# Note that users are added to these default groups only when +# logging into a shell with /bin/login, not when using a login +# manager such as kdm. In that case, users who should have +# hardware access must be added to the appropriate groups +# when the user is added with adduser or useradd, or by editing +# /etc/group directly, preferably using "vigr" +# +CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner + +# +# Should login be allowed if we can't cd to the home directory? 
+# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +#CREATE_HOME yes + diff --git a/base-files/logrotate.conf b/base-files/logrotate.conf new file mode 100644 index 0000000..bca22a5 --- /dev/null +++ b/base-files/logrotate.conf @@ -0,0 +1,25 @@ +# Rotate log files on a monthly basis. +monthly + +# Name files based upon the year/month they are rotated. +dateext +dateformat -%Y-%m +dateyesterday + +# Compress rotated logs. +compress + +# Keep 5 years of old logs (just to be sure). +rotate 60 + +# Move rotated logs to this directory. +olddir /var/log/Archived + +# After rotating, create new (empty) files with the same owner/perms. +create + +# E-mail logs which are about to be deleted to this address. +# mail root@example.com + +# Read log specific configurations. +include /etc/logrotate.d 
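Review bot: `ENCRYPT_METHOD SHA512` is set but `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` are left commented out, so the hashes that `02-system-setup` regenerates with `passwd root` use the libc default of 5000 rounds described in the comment above; if the point of that step is a stronger root hash, setting both (for example `SHA_CRYPT_MIN_ROUNDS 100000` and `SHA_CRYPT_MAX_ROUNDS 100000`, a constructed value) before running passwd is what actually raises the cost. `PASS_MAX_DAYS 99999` disables password ageing, which is a defensible choice for key-only administrative accounts but deserves a one-line comment so it is not mistaken for the upstream default left in place. The `$Id:` keyword line at the top refers to a 2009 upstream revision; dropping or updating it avoids implying the file tracks that version.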
diff --git a/base-files/logrotate.d/btmp b/base-files/logrotate.d/btmp
new file mode 100644
index 0000000..1eb67ae
--- /dev/null
+++ b/base-files/logrotate.d/btmp
@@ -0,0 +1,6 @@
+# The btmp login failure records are not rotated by default.
+# Uncomment the lines below to enable rotation of btmp.
+
+# /var/log/btmp {
+# # No specific options.
+# }
diff --git a/base-files/logrotate.d/lastlog b/base-files/logrotate.d/lastlog
new file mode 100644
index 0000000..72d09f9
--- /dev/null
+++ b/base-files/logrotate.d/lastlog
@@ -0,0 +1,2 @@
+# This file is for information only.
+# /var/log/lastlog should not be rotated as it is a database, not a log file.
diff --git a/base-files/logrotate.d/ntp b/base-files/logrotate.d/ntp
new file mode 100644
index 0000000..22965c9
--- /dev/null
+++ b/base-files/logrotate.d/ntp
@@ -0,0 +1,7 @@
+/var/log/ntp {
+ notifempty
+ missingok
+ postrotate
+ [ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart || true
+ endscript
+}
diff --git a/base-files/logrotate.d/sulog b/base-files/logrotate.d/sulog
new file mode 100644
index 0000000..4af6449
--- /dev/null
+++ b/base-files/logrotate.d/sulog
@@ -0,0 +1,3 @@
+/var/log/sulog {
+ # No specific options.
+}
diff --git a/base-files/logrotate.d/syslog b/base-files/logrotate.d/syslog
new file mode 100644
index 0000000..cfb748b
--- /dev/null
+++ b/base-files/logrotate.d/syslog
@@ -0,0 +1,6 @@
+/var/log/messages /var/log/fail2ban {
+ sharedscripts
+ postrotate
+ /bin/kill -HUP $(cat /var/run/syslogd.pid) >/dev/null 2>&1 || true
+ endscript
+}
diff --git a/base-files/logrotate.d/wtmp b/base-files/logrotate.d/wtmp
new file mode 100644
index 0000000..5a56ad7
--- /dev/null
+++ b/base-files/logrotate.d/wtmp
@@ -0,0 +1,6 @@
+# The wtmp login records are not rotated by default.
+# Uncomment the lines below to enable rotation of wtmp.
+
+# /var/log/wtmp {
+# # No specific options.
+# }
diff --git a/base-files/mail.conf b/base-files/mail.conf
new file mode 100644
index 0000000..c3bc0f7
--- /dev/null
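Review bot: This `logrotate.d/syslog` names only `/var/log/messages /var/log/fail2ban`, and because `01-install-base-files` copies the whole base-files tree over /etc and `.gitignore` does not exclude this file, it replaces Slackware's stock `/etc/logrotate.d/syslog`, which as far as I recall also rotates secure, syslog, cron, maillog, debug and spooler; `02-system-setup` archives exactly those files, so they appear to exist on this host and would now grow unrotated unless the syslog configuration (not in this commit) no longer writes them. Either add them back on the first line or add a comment saying where their rotation moved. The `/bin/kill -HUP $(cat /var/run/syslogd.pid) … || true` postrotate is the usual Slackware form; note that the `|| true` also hides a missing pidfile, which is fine if intended but worth a word.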
+++ b/base-files/mail.conf
@@ -0,0 +1,24 @@
+# This file is sourced by various scripts that need to send emails.
+
+case "${HOSTNAME#*.}" in
+ slackware.uk)
+ EMAIL_DOMAIN="slackware.uk"
+ ;;
+ *)
+ EMAIL_DOMAIN="opensourcerers.uk"
+ ;;
+esac
+
+EMAIL_FROM="${HOSTNAME%%.*} "
+
+case "$1" in
+ sbosrcarch)
+ EMAIL_TO=("Systems Administrator ")
+ MAILX_ARGS=("-c" "Urchlay ")
+ ;;
+ *)
+ EMAIL_TO=("Systems Administrator ")
+ ;;
+esac
+
+true
diff --git a/base-files/motd b/base-files/motd
new file mode 100644
index 0000000..44f7557
--- /dev/null
+++ b/base-files/motd
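Review bot: The `*)` arm of the `case "$1"` block sets `EMAIL_TO` but not `MAILX_ARGS`, so every caller other than `sbosrcarch` (warn-git-status passes `etc-git`) expands an unset array through `"${MAILX_ARGS[@]}"`; that is tolerated in bash without `set -u`, but adding `MAILX_ARGS=()` before the `case` gives every sourcing script the same contract regardless of its own options. `EMAIL_FROM="${HOSTNAME%%.*} "` and the `EMAIL_TO` entries end in a display name with no address; if the bracketed address was lost in this listing that is fine, otherwise `mailx -r "$EMAIL_FROM"` receives an invalid sender. A two-line header stating that callers must pass a name when sourcing (`source /etc/mail.conf <name>`) and that `$1` is otherwise inherited from the caller would make the `$1` dispatch less surprising.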
@@ -0,0 +1,101 @@ +# FIXME: choose correct motd banner. + ____ _ +| __ ) ___ _ __ __| | ___ _ __ +| _ \ / _ \| '_ \ / _` | / _ \| '__| +| |_) || __/| | | || (_| || __/| | +|____/ \___||_| |_| \__,_| \___||_| + + _____ +| ___|_ __ _ _ +| |_ | '__|| | | | +| _| | | | |_| | +|_| |_| \__, | + |___/ + + _ _ +| | ___ ___ | | __ _ +| | / _ \ / _ \| | / _` | +| |___| __/| __/| || (_| | +|_____|\___| \___||_| \__,_| + + _ + / \ _ __ ___ _ _ + / _ \ | '_ ` _ \ | | | | + / ___ \ | | | | | || |_| | +/_/ \_\|_| |_| |_| \__, | + |___/ + + ____ __ +| _ \ _ __ ___ / _| ___ ___ ___ ___ _ __ +| |_) || '__|/ _ \ | |_ / _ \/ __|/ __| / _ \ | '__| +| __/ | | | (_) || _|| __/\__ \\__ \| (_) || | +|_| |_| \___/ |_| \___||___/|___/ \___/ |_| + + _____ _ _ _ +|__ / ___ (_) __| || |__ ___ _ __ __ _ + / / / _ \ | | / _` || '_ \ / _ \| '__|/ _` | + / /_| (_) || || (_| || |_) || __/| | | (_| | +/____|\___/ |_| \__,_||_.__/ \___||_| \__, | + |___/ + + _ _ +| | | | ___ _ __ _ __ ___ ___ ___ +| |_| | / _ \| '__|| '_ ` _ \ / _ \/ __| +| _ || __/| | | | | | | || __/\__ \ +|_| |_| \___||_| |_| |_| |_| \___||___/ + + _____ +|__ / __ _ _ __ _ __ + / / / _` || '_ \ | '_ \ + / /_| (_| || |_) || |_) | +/____|\__,_|| .__/ | .__/ + |_| |_| + + _ __ _ __ +| |/ /(_) / _| +| ' / | || |_ +| . \ | || _| +|_|\_\|_||_| + + _ _ _ _ _ _ +| \ | |(_)| |__ | |__ | | ___ _ __ +| \| || || '_ \ | '_ \ | | / _ \| '__| +| |\ || || |_) || |_) || || __/| | +|_| \_||_||_.__/ |_.__/ |_| \___||_| + + ____ __ __ +/ ___| ___ _ __ _ _ / _| / _| _ _ +\___ \ / __|| '__|| | | || |_ | |_ | | | | + ___) || (__ | | | |_| || _|| _|| |_| | +|____/ \___||_| \__,_||_| |_| \__, | + |___/ + + _ _ + __ |``: __ ___. | , __ __ __ _ ___ + (__` |`` __) / ` |.( | | __) |'` /___) + | .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__. + | + |__________________________________________________ | | |_/ + \_/ | \ + _ _ + __ |``: __ ___. | , __ __ __ _ ___ + (__` |`` __) / ` |.( | | __) |'` /___) + | .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__. 
+ | _ _ _ _ _ _ _ _ + |___________________________________ |V| | |_) |_) / \ |_) + | | _|_ | \ | \ \_/ | \ + _ _ + __ |``: __ ___. | , __ __ __ _ ___ + (__` |`` __) / ` |.( | | __) |'` /___) + | .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__. + | __ __ __ _ _ _ + |_______________________________ (_ |_ |_ | \ |_) / \ \_/ + __} |__ |__ |_/ |_) \_/ / \ + _ _ + __ |``: __ ___. | , __ __ __ _ ___ + (__` |`` __) / ` |.( | | __) |'` /___) + | .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__. + | _ _ _ _ + |____________________________________ |_) /_\ / |_/ | | |_) + |_) | | \_ | \ \_/ | + diff --git a/base-files/msmtp/aliases b/base-files/msmtp/aliases new file mode 100644 index 0000000..a238c8f --- /dev/null +++ b/base-files/msmtp/aliases @@ -0,0 +1 @@ +default: sysadmin@opensourcerers.uk diff --git a/base-files/msmtp/msmtprc b/base-files/msmtp/msmtprc new file mode 100644 index 0000000..f90f118 --- /dev/null +++ b/base-files/msmtp/msmtprc @@ -0,0 +1,16 @@ +account default +host mail.opensourcerers.net +timeout 300 +# FIXME: Set domain +domain host.opensourcerers.net +# FIXME: Enable TLS. +# tls on +# tls_starttls on +# tls_trust_file /path/to/ca-certificate.pem +# tls_cert_file /path/to/server-certificate.pem +# tls_key_file /path/to/server-key.pem +# tls_certcheck on +auto_from on +maildomain opensourcerers.uk +syslog LOG_MAIL +aliases /etc/msmtp/aliases diff --git a/base-files/nail.rc b/base-files/nail.rc new file mode 100644 index 0000000..c366df2 --- /dev/null +++ b/base-files/nail.rc 
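Review bot: msmtprc relays all system mail to `mail.opensourcerers.net` with every TLS line commented out under a FIXME, so mail leaves the host in clear text and the relay is never authenticated. Unless that relay is only reachable over a trusted link, the three lines to activate are `tls on`, `tls_starttls on` and `tls_trust_file /etc/ssl/certs/ca-certificates.crt` (the system CA bundle path — confirm it on these hosts); `tls_certcheck on` is msmtp's default once TLS is enabled, and `tls_cert_file`/`tls_key_file` are only for client-certificate authentication and can be dropped from the FIXME block. The `domain host.opensourcerers.net` placeholder should be resolved at the same time, since it is the HELO name the relay logs and may use for policy.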
@@ -0,0 +1,110 @@
+# Configuration file for Mailx (formerly "nail").
+# See mailx(1) for further options.
+
+# Do not move messages from the system mailbox to a local mbox.
+set hold
+
+# Messages will be appended (rather than prepended) to mboxes.
+# This should usually always be set.
+# This has no effect unless 'hold' is unset again.
+set append
+
+# Always ask for a subject when composing a message interactively.
+set ask
+
+# Assume a CRT-like terminal and invoke a pager.
+set crt
+
+# Messages may be terminated by a dot.
+set dot
+
+# Do not remove empty mail folders in the spool directory.
+# This may be relevant for privacy since other users could
+# otherwise create them with different permissions.
+set keep
+
+# Do not remove empty mail folders.
+set emptybox
+
+# Quote the original message in replies by "> " as usual on the Internet.
+set indentprefix="> "
+
+# Automatically quote the text of the message that is responded to.
+set quote
+
+# Outgoing messages are sent in UTF-8 if possible, otherwise LATIN1.
+set sendcharsets=utf-8,iso-8859-1
+
+# Display sender's real names in header summaries.
+set showname
+
+# Display the recipients of messages sent by the user himself in
+# header summaries.
+set showto
+
+# Automatically check for new messages at each prompt, but avoid polling
+# of IMAP servers or maildir folders.
+set newmail=nopoll
+
+# If threaded mode is activated, automatically collapse thread.
+set autocollapse
+
+# Mark messages that have been answered.
+set markanswered
+
+# Hide some header fields which are uninteresting for most human readers.
+ignore received in-reply-to message-id references
+ignore mime-version content-transfer-encoding
+
+# Only include selected header fields when forwarding messages.
+headerpick forward retain subject date from to cc
+
+# Use a directory named 'mail' in the users homedir to hold mailboxes.
+set folder=mail/
+
+# Keep the comment/name part of email addresses when replying.
+set fullnames
+
+# Use 'less' for paged output.
+set PAGER=/usr/bin/less
+
+# When spawning an editor in compose mode, allow editing of headers.
+set editheaders
+
+# Startup into interactive mode even if the (given) mailbox is empty.
+set emptystart
+
+# Add more entries to the history as is done by default.
+# The latter will cause the built-in editor to save those entries, too.
+set history-gabby all history-gabby-persist
+
+# Try to circumvent false or missing MIME Content-Type descriptions.
+# Do set a value for extended behaviour (see the manual).
+#set mime-counter-evidence
+set mime-counter-evidence=0b1111
+
+# Do not move `save'd or `write'n message to $MBOX by default since this is
+# likely to be irritating for most users today.
+set keepsave
+
+# When replying, do not merge From: and To: of the original message
+# into To:. Instead old From: -> new To:, old To: -> merge Cc:.
+set recipients-in-cc
+
+# Whether a ‘Mail-Followup-To:’ header is honoured when group-replying.
+set followup-to-honour=ask-yes
+
+# Whether a ‘Reply-To:’ header is honoured when replying.
+set reply-to-honour=ask-yes
+
+# When sending a message, wait until the MTA (including the built-in SMTP one)
+# exits before accepting further commands. Only with this variable set are
+# errors reported by the MTA recognised!
+set sendwait
+
+# Only include these selected header fields when printing messages.
+retain date sender from to cc subject message-id mail-followup-to reply-to
+
+# Use an SMTP server rather than 'sendmail' to deliver mail.
+# Set to the IP/Name of an SMTP server which will accept mail from this host.
+# set smtp=mail.example.com
diff --git a/base-files/ntp.conf b/base-files/ntp.conf
new file mode 100644
index 0000000..9674ecc
--- /dev/null
+++ b/base-files/ntp.conf
@@ -0,0 +1,34 @@
+# NTP servers to sync to.
+server 0.pool.ntp.org iburst
+server 1.pool.ntp.org iburst
+server 2.pool.ntp.org iburst
+server 3.pool.ntp.org iburst
+
+# Sync to local clock if no servers are available.
+server 127.127.1.0
+fudge 127.127.1.0 stratum 10
+
+# By default, restrict access to the service.
+restrict -4 default limited nomodify noquery nopeer notrap kod
+restrict -6 default limited nomodify noquery nopeer notrap kod
+
+# Allow localhost to query the service, but nothing else.
+restrict -4 127.0.0.1 limited nomodify nopeer notrap kod
+restrict -6 ::1 limited nomodify nopeer notrap kod
+
+# Allow local networks to sync with us.
+# Edit the network address and mask below, and uncomment.
+# restrict 192.168.1.0 mask 255.255.255.0 limited nomodify nopeer notrap kod
+
+# Where to store the drift calculation.
+driftfile /var/lib/ntp/drift
+
+# Stats should be written here.
+statsdir /var/lib/ntp/stats
+
+# PID file location.
+pidfile /var/run/ntpd.pid
+
+# Disable the ntpdc -c monlist command, which is insecure and can be used
+# to cause a denial of service attack (CVE-2013-5211).
+disable monitor
diff --git a/base-files/profile b/base-files/profile
new file mode 100644
index 0000000..c0560ae
--- /dev/null
+++ b/base-files/profile
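Review bot: The `server 127.127.1.0` / `fudge 127.127.1.0 stratum 10` pair in ntp.conf makes ntpd advertise its own free-running clock as a stratum-10 reference whenever the pool servers are unreachable, so any client admitted by the commented-out LAN `restrict` line would keep syncing to drifting time without any sign that upstream was lost. The supported replacement is `tos orphan 10` with both local-clock lines removed, which gives the same "keep serving if isolated" behaviour without a fake reference clock. On ntpd 4.2.7 or later, `pool 0.pool.ntp.org iburst` in place of the four fixed `server` lines also lets ntpd swap out pool members that stop answering instead of sticking with dead ones.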
@@ -0,0 +1,52 @@
+# System wide environment set up for the ash, bash, ksh and zsh shells.
+
+# The default search path.
+PATH=/usr/bin:/bin:/usr/local/bin
+
+# Add sbin paths for root users.
+[ "$(id -u)" = "0" -o "$(id -g)" = "0" ] && \
+ PATH=/usr/sbin:/sbin:/usr/local/sbin:$PATH
+
+# Set PATH to include a user's private bin if it exists.
+[ -d "~/bin" ] && PATH="~/bin:$PATH"
+
+# Append /usr/games to PATH if it exists.
+[ -d /usr/games ] && PATH=$PATH:/usr/games
+
+# Set a default terminal type if none was detected.
+[ "$TERM" = "" -o "$TERM" = "unknown" ] && TERM=linux
+
+# Use the system inputrc if the user does not have their own.
+[ ! -r ~/.inputrc ] && INPUTRC=/etc/inputrc
+
+# Set the HOSTNAME environment variable.
+HOSTNAME="$(cat /etc/HOSTNAME)"
+
+# Shell prompts.
+PS2='> '
+PS3='#? '
+PS4='+ '
+
+# Custom setup for specific shells.
+if [ -n "$ZSH_VERSION" ]; then # Zsh
+ PS1='%n@%m:%~%# '
+elif ([ -n "${.sh.version}" ]) 2>/dev/null; then # Ksh
+ PS1='! ${PWD/#$HOME/~}$ '
+ alias hash='whence'
+elif [ -n "$BASH_VERSION" ]; then # Bash
+ PS1='\u@\h:\w\$ '
+else # Anything else
+ PS1='$ '
+fi
+
+# Use a reasonable create mask.
+umask 022
+
+# Set up any further environment from files in /etc/profile.d/.
+for FILE in /etc/profile.d/*.sh; do
+ [ -x $FILE ] && . $FILE
+done
+unset FILE
+
+# Export the environment just set up.
+export PATH TERM INPUTRC MANPATH HOSTNAME PS1 PS2 PS3 PS4
diff --git a/base-files/profile.d/biff.csh b/base-files/profile.d/biff.csh
new file mode 100755
index 0000000..9a84f8b
--- /dev/null
+++ b/base-files/profile.d/biff.csh
@@ -0,0 +1 @@
+if ( -X biff ) biff y
diff --git a/base-files/profile.d/biff.sh b/base-files/profile.d/biff.sh
new file mode 100755
index 0000000..554b2f9
--- /dev/null
+++ b/base-files/profile.d/biff.sh
@@ -0,0 +1,3 @@
+hash biff >/dev/null 2>&1 && {
+ biff y 2>/dev/null
+}
diff --git a/base-files/profile.d/lang.csh b/base-files/profile.d/lang.csh
new file mode 100755
index 0000000..76d6714
--- /dev/null
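Review bot: The private-bin line `[ -d "~/bin" ] && PATH="~/bin:$PATH"` in /etc/profile never does what the comment says: a tilde inside double quotes is not expanded, so the test looks for a directory literally named `~`, and if one ever existed the literal string `~/bin` (not the user's directory) would be prepended to PATH. It should be `[ -d "$HOME/bin" ] && PATH="$HOME/bin:$PATH"`. Since this prepends rather than appends, anything in `$HOME/bin` shadows system binaries for that user, including root once the fix makes the line live — that is the usual convention for a user's own directory, but it deserves a one-line comment so nobody later treats it as a PATH-hijack finding.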
+++ b/base-files/profile.d/lang.csh
@@ -0,0 +1,28 @@
+#!/bin/csh
+# Set the system locale. (no, we don't have a menu for this ;-)
+# For a list of locales which are supported by this machine, type:
+# locale -a
+
+# en_US.UTF-8 is the Slackware default locale. If you're looking for
+# a different UTF-8 locale, be aware that some of them do not include
+# UTF-8 or utf8 in the name. To test if a locale is UTF-8, use this
+# command:
+# LANG= locale -k charmap
+# UTF-8 locales will include "UTF-8" in the output.
+# If there are problems with certain programs and a UTF-8 locale, you
+# can set LANG=C before starting them.
+if ( "$LANG" == "" ) setenv LANG "en_GB-UTF8"
+
+# 'C' is the old Slackware (and UNIX) default, which is 127-bit
+# ASCII with a charmap setting of ANSI_X3.4-1968. These days,
+# it's better to use en_US or another modern $LANG setting to
+# support extended character sets.
+# if ( "$LANG" == "" ) setenv LANG "C"
+
+# One side effect of the newer locales is that the sort order
+# is no longer according to ASCII values, so the sort order will
+# change in many places. Since this isn't usually expected and
+# can break scripts, we'll stick with traditional ASCII sorting.
+# If you'd prefer the sort algorithm that goes with your $LANG
+# setting, comment this out.
+if ( "$LC_COLLATE" == "" ) setenv LC_COLLATE "C"
diff --git a/base-files/profile.d/lang.sh b/base-files/profile.d/lang.sh
new file mode 100755
index 0000000..80b2e09
--- /dev/null
+++ b/base-files/profile.d/lang.sh
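Review bot: lang.csh sets `setenv LANG "en_GB-UTF8"` while its sh counterpart sets `en_GB.UTF-8`; `en_GB-UTF8` does not follow the `language_TERRITORY.CODESET` form that glibc parses and is not a name `locale -a` produces, so csh logins will most likely get `setlocale` failures or a silent fall-back to the C locale while sh logins get UTF-8. Change it to `if ( "$LANG" == "" ) setenv LANG "en_GB.UTF-8"` so both shells agree. Since the two files are meant to stay in lock-step, a comment in each pointing at the other (`# Keep in sync with lang.sh`) would help the next edit not repeat this.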
@@ -0,0 +1,28 @@
+#!/bin/sh
+# Set the system locale. (no, we don't have a menu for this ;-)
+# For a list of locales which are supported by this machine, type:
+# locale -a
+
+# en_US.UTF-8 is the Slackware default locale. If you're looking for
+# a different UTF-8 locale, be aware that some of them do not include
+# UTF-8 or utf8 in the name. To test if a locale is UTF-8, use this
+# command:
+# LANG= locale -k charmap
+# UTF-8 locales will include "UTF-8" in the output.
+# If there are problems with certain programs and a UTF-8 locale, you
+# can set LANG=C before starting them.
+export LANG="${LANG:-en_GB.UTF-8}"
+
+# 'C' is the old Slackware (and UNIX) default, which is 127-bit
+# ASCII with a charmap setting of ANSI_X3.4-1968. These days,
+# it's better to use en_US or another modern $LANG setting to
+# support extended character sets.
+# export LANG=${LANG:-C}
+
+# One side effect of the newer locales is that the sort order
+# is no longer according to ASCII values, so the sort order will
+# change in many places. Since this isn't usually expected and
+# can break scripts, we'll stick with traditional ASCII sorting.
+# If you'd prefer the sort algorithm that goes with your $LANG
+# setting, comment this out.
+export LC_COLLATE="${LC_COLLATE:-C}"
diff --git a/base-files/profile.d/less.csh b/base-files/profile.d/less.csh
new file mode 100755
index 0000000..6e7b8a4
--- /dev/null
+++ b/base-files/profile.d/less.csh
@@ -0,0 +1,10 @@
+if ( -X less ) then
+ # Default options for less.
+ setenv LESS "-M"
+
+ # Pre-process some files for less to display them correctly.
+ setenv LESSOPEN "|lesspipe.sh %s"
+
+ # Use less as the man page viewer.
+ setenv MANPAGER "less -M"
+endif
diff --git a/base-files/profile.d/less.sh b/base-files/profile.d/less.sh
new file mode 100755
index 0000000..6be21c4
--- /dev/null
+++ b/base-files/profile.d/less.sh
@@ -0,0 +1,10 @@
+hash less >/dev/null 2>&1 && {
+ # Default options for less.
+ export LESS="-M"
+
+ # Pre-process some files for less to display them correctly.
+ export LESSOPEN="|lesspipe.sh %s"
+
+ # Use less as the man page viewer.
+ export MANPAGER="less -M"
+}
diff --git a/base-files/profile.d/optpaths.csh b/base-files/profile.d/optpaths.csh
new file mode 100755
index 0000000..a5aae94
--- /dev/null
+++ b/base-files/profile.d/optpaths.csh
@@ -0,0 +1,35 @@
+if ( { [ "`id -u`" = "0" -o "`id -g`" = "0" ] } ) then
+ set path = ( $path /opt/sbin /opt/bin )
+else
+ set path = ( $path /opt/bin )
+endif
+
+if ( ! $?CPATH ) then
+ setenv CPATH "/opt/include"
+else
+ setenv CPATH "/opt/include:$CPATH"
+endif
+
+if ( ! $?INFOPATH ) then
+ setenv INFOPATH "/opt/info"
+else
+ setenv INFOPATH "/opt/info:$INFOPATH"
+endif
+
+if ( ! $?PERL5LIB ) then
+ setenv PERL5LIB "/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
+else
+ setenv PERL5LIB "/opt/lib64/perl5:/opt/lib64/perl5/site_perl:$PERL5LIB"
+endif
+
+if ( ! $?PKG_CONFIG_PATH ) then
+ setenv PKG_CONFIG_PATH "/opt/lib64/pkgconfig:/opt/share/pkgconfig"
+else
+ setenv PKG_CONFIG_PATH "/opt/lib64/pkgconfig:/opt/share/pkgconfig:$PKG_CONFIG_PATH"
+endif
+
+if ( ! $?PYTHONPATH ) then
+ setenv PYTHONPATH "/opt/lib64/python2.7/site-packages"
+else
+ setenv PYTHONPATH "/opt/lib64/python2.7/site-packages:$PYTHONPATH"
+endif
diff --git a/base-files/profile.d/optpaths.sh b/base-files/profile.d/optpaths.sh
new file mode 100755
index 0000000..74095ed
--- /dev/null
+++ b/base-files/profile.d/optpaths.sh
@@ -0,0 +1,37 @@
+if [ "$(id -u)" = "0" -o "$(id -g)" = "0" ]; then
+ PATH="$PATH:/opt/sbin:/opt/bin"
+else
+ PATH="$PATH:/opt/bin"
+fi
+
+if [ ! -n "$CPATH" ]; then
+ CPATH="/opt/include"
+else
+ CPATH="/opt/include:$CPATH"
+fi
+
+if [ ! -n "$INFOPATH" ]; then
+ INFOPATH="/opt/info"
+else
+ INFOPATH="/opt/info:$INFOPATH"
+fi
+
+if [ ! -n "$PERL5LIB" ]; then
+ PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
+else
+ PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl:$PERL5LIB"
+fi
+
+if [ ! -n "$PKG_CONFIG_PATH" ]; then
+ PKG_CONFIG_PATH="/opt/lib64/pkgconfig:/opt/share/pkgconfig"
+else
+ PKG_CONFIG_PATH="/opt/lib64/pkgconfig:/opt/share/pkgconfig:$PKG_CONFIG_PATH"
+fi
+
+if [ ! -n "$PYTHONPATH" ]; then
+ PYTHONPATH="/opt/lib64/python2.7/site-packages"
+else
+ PYTHONPATH="/opt/lib64/python2.7/site-packages:$PYTHONPATH"
+fi
+
+export PATH CPATH INFOPATH PERL5LIB PKG_CONFIG_PATH PYTHONPATH
diff --git a/base-files/resolv.conf b/base-files/resolv.conf
new file mode 100644
index 0000000..29a0525
--- /dev/null
+++ b/base-files/resolv.conf
@@ -0,0 +1,8 @@
+options timeout:1 edns0
+search opensourcerers.net
+nameserver 91.109.244.8
+nameserver 2a02:2498:1:227::8
+nameserver 91.109.244.239
+nameserver 2a02:2498:1:227::239
+nameserver 185.176.90.169
+nameserver 2a07:4580:b0d:57f::169
diff --git a/base-files/securetty b/base-files/securetty
new file mode 100644
index 0000000..e3667da
--- /dev/null
+++ b/base-files/securetty
@@ -0,0 +1,25 @@
+# Console tty's:
+console
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+
+# Pseudo TTYs (not recommended):
+# pts/0
+# pts/1
+# pts/2
+# pts/3
+# pts/4
+# pts/5
+# pts/6
+# pts/7
+# pts/8
+# pts/9
+# pts/10
diff --git a/base-files/skel/.bash_logout b/base-files/skel/.bash_logout
new file mode 100644
index 0000000..fdd2014
--- /dev/null
+++ b/base-files/skel/.bash_logout
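Review bot: optpaths.sh exports `PYTHONPATH=/opt/lib64/python2.7/site-packages` (prepended to any existing value) for every login shell, and optpaths.csh does the same, which pushes a Python-2.7-specific site-packages tree into every interpreter started from that environment — python3 and any Python-based system tool included — where a module found there shadows the interpreter's own copy. The interpreter version is hard-coded too, so the path silently becomes wrong on the first python upgrade. Prefer a `.pth` file in the relevant interpreter's own site-packages, or at minimum guard each variable on the directory existing, e.g. `[ -d /opt/lib64/python2.7/site-packages ] && PYTHONPATH="/opt/lib64/python2.7/site-packages${PYTHONPATH:+:$PYTHONPATH}"`, and apply the same existence guard to `PERL5LIB`, `CPATH` and `PKG_CONFIG_PATH` so hosts without those trees do not export dangling search paths. The `[ ! -n "$X" ]` tests read more directly as `[ -z "$X" ]`.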
@@ -0,0 +1,11 @@
+if (( $SHLVL == 1 )); then
+ if [ -x /usr/bin/clear_console ]; then
+ /usr/bin/clear_console -q
+ elif [ -x /usr/bin/clear ]; then
+ /usr/bin/clear
+ elif [ -x /usr/bin/tput ]; then
+ /usr/bin/tput clear
+ else
+ echo -ne "\E[2J"
+ fi
+fi
diff --git a/base-files/skel/.bash_profile b/base-files/skel/.bash_profile
new file mode 100644
index 0000000..86d2b37
--- /dev/null
+++ b/base-files/skel/.bash_profile
@@ -0,0 +1,4 @@
+# Source the personal bash set up.
+[ -e ~/.bashrc ] && . ~/.bashrc
+
+# Add general environment set up here.
diff --git a/base-files/skel/.bashrc b/base-files/skel/.bashrc
new file mode 100644
index 0000000..a0b3f63
--- /dev/null
+++ b/base-files/skel/.bashrc
@@ -0,0 +1 @@
+# Add bash personalisation set up here.
diff --git a/base-files/slackpkg/blacklist b/base-files/slackpkg/blacklist
new file mode 100644
index 0000000..f418b43
--- /dev/null
+++ b/base-files/slackpkg/blacklist
@@ -0,0 +1,45 @@
+# /etc/slackpkg/blacklist
+#
+# This is a blacklist file. Any packages listed here won't be
+# upgraded, removed, or installed by slackpkg.
+
+# aaa_elflibs should NOT be blacklisted!
+#
+# You can blacklist using regular expressions.
+#
+# Don't use *full* regex here, because all of the following will be checked
+# for the regex: series, name, version, arch, build, and fullname.
+# When blacklisting packages, you can use extended regex on package names
+# (such as xorg-.* instead of xorg-server, xorg-docs, etc), and a trailing
+# slash for package series ("n/", "ap/", "xap/", etc).
+#
+# To blacklist *only* the "xorg-server" package, use this:
+# xorg-server
+#
+# To blacklist *all* of the "xorg-server-*" packages, use this:
+# xorg-server.*
+#
+# To blacklist the entire KDE package set, use this:
+# kde/
+#
+# You will need to escape any special characters that are present in the
+# package name. For example, to blacklist the gcc-g++ package, use this:
+# gcc-g\+\+
+#
+# DON'T put any space(s) before or after the package name or regex.
+
+# Automated upgrade of kernel packages may not be wanted in some situations;
+# uncomment the lines below if that fits your circumstances:
+kernel-generic
+kernel-huge
+kernel-modules
+kernel-source
+
+# This one will blacklist all SBo packages:
+[0-9]+_SBo
+
+# This will blacklist Robby's testing packages:
+[0-9]+_rlw
+
+# This will blacklist Tadgy's custom packages:
+[0-9]+_tadgy
diff --git a/base-files/slackpkg/mirrors b/base-files/slackpkg/mirrors
new file mode 100644
index 0000000..ad8dccc
--- /dev/null
+++ b/base-files/slackpkg/mirrors
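Review bot: The four `kernel-*` entries in slackpkg/blacklist are live, yet the comment immediately above them still reads "uncomment the lines below if that fits your circumstances", so the file contradicts itself about whether kernel upgrades are blocked. With them active, `slackpkg upgrade-all` will silently skip kernel security updates, which is the kind of exception that needs to be stated and owned rather than inherited from the stock comment; replace the two comment lines with something like `# Kernel packages are deliberately blacklisted: kernel security updates are applied by hand (upgradepkg + lilo/elilo), because an unattended kernel upgrade must not leave the bootloader pointing at a missing image.` — adjusting the stated reason to whatever the actual process is. If the intent was the stock behaviour after all, re-comment the four entries instead.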
@@ -0,0 +1,360 @@ +# mirrors - List of Slackware Linux mirrors. +# +# SlackPkg - An Automated packaging tool for Slackware Linux +# Copyright (C) 2003-2011 Roberto F. Batista, Evaldo Gardenali +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Project Page: http://slackpkg.org/ +# Roberto F. Batista (aka PiterPunk) piterpunk@slackware.com +# Evaldo Gardenali (aka UdontKnow) evaldogardenali@fasternet.com.br +# +# END OF LEGAL NOTICE +# +# +# You only need to select one mirror and uncomment it. +# ONLY ONE mirror can be uncommented. +# +# You can use a mirror not included in this file. Many people have mirrors +# in their local networks. A list of all official Slackware mirrors +# (not version-specific, so some mirrors may not have all files) is here: +# https://mirrors.slackware.com/mirrorlist/ +# +# Slackpkg only needs to point to the directory that contains +# "ChangeLog.txt", and don't forget the trailing slash. 
+# +#---------------------------------------------------------------- +# Local CD/DVD drive +#---------------------------------------------------------------- +# cdrom://media/cdrom/ +# +#---------------------------------------------------------------- +# Local Directory +#---------------------------------------------------------------- +# file://path/to/some/directory/ +# +#---------------------------------------------------------------- +# Slackware64-14.2 +#---------------------------------------------------------------- +# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR) +# https://mirrors.slackware.com/slackware/slackware64-14.2/ +# +# +# Here are some individual mirrors that can be used instead of the +# redirector at mirrors.slackware.com if necessary ; note that this +# list is not guaranteed to be up-to-date +# +# AUSTRALIA (AU) +# ftp://ftp.cc.swin.edu.au/slackware/slackware64-14.2/ +# http://ftp.cc.swin.edu.au/slackware/slackware64-14.2/ +# ftp://ftp.iinet.net.au/pub/slackware/slackware64-14.2/ +# http://ftp.iinet.net.au/pub/slackware/slackware64-14.2/ +# ftp://mirror.as24220.net/pub/slackware/slackware64-14.2/ +# http://mirror.as24220.net/pub/slackware/slackware64-14.2/ +# ftp://mirror.internode.on.net/.pub2/slackware/slackware64-14.2/ +# http://mirror.internode.on.net/pub/slackware/slackware64-14.2/ +# AUSTRIA (AT) +# http://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-14.2/ +# BELARUS (BY) +# ftp://mirror.datacenter.by/pub/slackware/slackware64-14.2/ +# http://mirror.datacenter.by/pub/slackware/slackware64-14.2/ +# BRAZIL (BR) +# ftp://ftp.slackware-brasil.com.br/slackware64-14.2/ +# http://ftp.slackware-brasil.com.br/slackware64-14.2/ +# BULGARIA (BG) +# ftp://mirrors.unixsol.org/slackware/slackware64-14.2/ +# http://mirrors.unixsol.org/slackware/slackware64-14.2/ +# CANADA (CA) +# ftp://mirror.csclub.uwaterloo.ca/slackware/slackware64-14.2/ +# http://mirror.csclub.uwaterloo.ca/slackware/slackware64-14.2/ +# 
ftp://mirror.its.dal.ca/slackware/slackware64-14.2/ +# http://mirror.its.dal.ca/slackware/slackware64-14.2/ +# CHINA (CN) +# http://mirrors.163.com/slackware/slackware64-14.2/ +# http://mirrors.ustc.edu.cn/slackware/slackware64-14.2/ +# COSTA RICA (CR) +# ftp://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-14.2/ +# http://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-14.2/ +# CZECH REPUBLIC (CZ) +# ftp://odysseus.linux.cz/pub/linux/slackware/slackware64-14.2/ +# http://odysseus.linux.cz/pub/linux/slackware/slackware64-14.2/ +# DENMARK (DK) +# ftp://mirrors.dotsrc.org/slackware/slackware64-14.2/ +# https://mirrors.dotsrc.org/slackware/slackware64-14.2/ +# FINLAND (FI) +# ftp://elektroni.phys.tut.fi/slackware64-14.2/ +# FRANCE (FR) +# ftp://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-14.2/ +# http://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-14.2/ +# GERMANY (DE) +# ftp://ftp.gwdg.de/pub/linux/slackware/slackware64-14.2/ +# http://ftp.gwdg.de/pub/linux/slackware/slackware64-14.2/ +# ftp://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-14.2/ +# http://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-14.2/ +# ftp://sunsite.informatik.rwth-aachen.de/pub/comp/Linux/slackware/slackware64-14.2/ +# http://sunsite.informatik.rwth-aachen.de/ftp/pub/comp/Linux/slackware/slackware64-14.2/ +# GREECE (GR) +# ftp://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-14.2/ +# http://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-14.2/ +# ftp://ftp.otenet.gr/pub/linux/slackware/slackware64-14.2/ +# http://ftp.otenet.gr/linux/slackware/slackware64-14.2/ +# ftp://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-14.2/ +# http://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-14.2/ +# INDONESIA (ID) +# http://kambing.ui.ac.id/slackware/slackware64-14.2/ +# https://repo.ukdw.ac.id/slackware/slackware64-14.2/ +# IRELAND (IE) +# ftp://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-14.2/ +# 
http://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-14.2/ +# ITALY (IT) +# ftp://ba.mirror.garr.it/mirrors/Slackware/slackware64-14.2/ +# http://ba.mirror.garr.it/mirrors/Slackware/slackware64-14.2/ +# JAPAN (JP) +# ftp://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-14.2/ +# http://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-14.2/ +# ftp://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-14.2/ +# http://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-14.2/ +# ftp://riksun.riken.go.jp/Linux/slackware/slackware64-14.2/ +# http://riksun.riken.go.jp/Linux/slackware/slackware64-14.2/ +# NETHERLANDS (NL) +# ftp://ftp.nluug.nl/pub/os/Linux/distr/slackware/slackware64-14.2/ +# http://ftp.nluug.nl/os/Linux/distr/slackware/slackware64-14.2/ +# ftp://mirror.nl.leaseweb.net/slackware/slackware64-14.2/ +# http://mirror.nl.leaseweb.net/slackware/slackware64-14.2/ +# NORWAY (NO) +# ftp://ftp.slackware.no/slackware/slackware64-14.2/ +# http://ftp.slackware.no/slackware/slackware64-14.2/ +# POLAND (PL) +# ftp://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-14.2/ +# http://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-14.2/ +# ftp://ftp.slackware.pl/pub/slackware/slackware64-14.2/ +# http://ftp.slackware.pl/pub/slackware/slackware64-14.2/ +# ftp://sunsite.icm.edu.pl/vol/rzm1/linux-slackware/slackware64-14.2/ +# http://sunsite.icm.edu.pl/packages/linux-slackware/slackware64-14.2/ +# ftp://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-14.2/ +# http://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-14.2/ +# RUSSIA (RU) +# http://mirror.rol.ru/slackware/slackware64-14.2/ +# ftp://mirror.yandex.ru/slackware/slackware64-14.2/ +# http://mirror.yandex.ru/slackware/slackware64-14.2/ +# SOUTH AFRICA (ZA) +# ftp://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-14.2/ +# http://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-14.2/ +# ftp://ftp.wa.co.za/pub/slackware/slackware64-14.2/ +# 
http://ftp.wa.co.za/pub/slackware/slackware64-14.2/ +# ftp://slackware.mirror.ac.za/slackware64-14.2/ +# http://slackware.mirror.ac.za/slackware64-14.2/ +# SWEDEN (SE) +# ftp://ftp.sunet.se/mirror/slackware.com/slackware64-14.2/ +# http://ftp.sunet.se/mirror/slackware.com/slackware64-14.2/ +# TAIWAN (TW) +# ftp://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-14.2/ +# http://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-14.2/ +# ftp://ftp.twaren.net/pub/Linux/Slackware/slackware64-14.2/ +# http://ftp.twaren.net/Linux/Slackware/slackware64-14.2/ +# TURKEY (TR) +# ftp://ftp.linux.org.tr/slackware/slackware64-14.2/ +# http://ftp.linux.org.tr/slackware/slackware64-14.2/ +# UKRAINE (UA) +# ftp://mirrors.mithril.org.ua/linux/slackware/slackware64-14.2/ +# http://mirrors.mithril.org.ua/linux/slackware/slackware64-14.2/ +# UNITED KINGDOM (UK) +# http://slackware.uk/slackware/slackware64-14.2/ +# ftp://slackware.uk/slackware/slackware64-14.2/ +# ftp://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-14.2/ +# http://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-14.2/ +# ftp://mirror.bytemark.co.uk/slackware/slackware64-14.2/ +# http://mirror.bytemark.co.uk/slackware/slackware64-14.2/ +# UNITED STATES (US) +# ftp://ftp.gtlib.gatech.edu/nv/ao2/lxmirror/ftp.slackware.com/slackware64-14.2/ +# ftp://mirror.cs.princeton.edu/pub/mirrors/slackware/slackware64-14.2/ +# ftp://mirrors.easynews.com/linux/slackware/slackware64-14.2/ +# http://mirrors.easynews.com/linux/slackware/slackware64-14.2/ +# ftp://mirrors.us.kernel.org/slackware/slackware64-14.2/ +# http://mirrors.us.kernel.org/slackware/slackware64-14.2/ +# ftp://mirrors.xmission.com/slackware/slackware64-14.2/ +# http://mirrors.xmission.com/slackware/slackware64-14.2/ +# https://mirror.slackbuilds.org/slackware/slackware64-14.2/ +# http://slackware.cs.utah.edu/pub/slackware/slackware64-14.2/ +# http://slackware.mirrors.pair.com/slackware64-14.2/ +# 
ftp://slackware.mirrors.tds.net/pub/slackware/slackware64-14.2/ +# http://slackware.mirrors.tds.net/pub/slackware/slackware64-14.2/ +# ftp://spout.ussg.indiana.edu/linux/slackware/slackware64-14.2/ +# http://spout.ussg.indiana.edu/linux/slackware/slackware64-14.2/ +# ftp://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-14.2/ +# http://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-14.2/ +# +#---------------------------------------------------------------- +# Slackware64-current +#---------------------------------------------------------------- +# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR) +# https://mirrors.slackware.com/slackware/slackware64-current/ +# +# +# Here are some individual mirrors that can be used instead of the +# redirector at mirrors.slackware.com if necessary ; note that this +# list is not guaranteed to be up-to-date +# +# AUSTRALIA (AU) +# ftp://ftp.cc.swin.edu.au/slackware/slackware64-current/ +# http://ftp.cc.swin.edu.au/slackware/slackware64-current/ +# ftp://ftp.iinet.net.au/pub/slackware/slackware64-current/ +# http://ftp.iinet.net.au/pub/slackware/slackware64-current/ +# ftp://mirror.aarnet.edu.au/pub/slackware/slackware64-current/ +# http://mirror.aarnet.edu.au/pub/slackware/slackware64-current/ +# ftp://mirror.as24220.net/pub/slackware/slackware64-current/ +# http://mirror.as24220.net/pub/slackware/slackware64-current/ +# ftp://mirror.internode.on.net/.pub2/slackware/slackware64-current/ +# http://mirror.internode.on.net/pub/slackware/slackware64-current/ +# http://mirror.primusdatacentre.com.au/slackware/slackware64-current/ +# AUSTRIA (AT) +# ftp://ftp.slackware.at/slackware64-current/ +# http://ftp.slackware.at/data/slackware64-current/ +# ftp://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-current/ +# http://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-current/ +# BELARUS (BY) +# ftp://mirror.datacenter.by/pub/slackware/slackware64-current/ +# 
http://mirror.datacenter.by/pub/slackware/slackware64-current/ +# BRAZIL (BR) +# ftp://ftp.slackware-brasil.com.br/slackware64-current/ +# http://ftp.slackware-brasil.com.br/slackware64-current/ +# BULGARIA (BG) +# ftp://mirrors.unixsol.org/slackware/slackware64-current/ +# http://mirrors.unixsol.org/slackware/slackware64-current/ +# CANADA (CA) +# ftp://mirror.csclub.uwaterloo.ca/slackware/slackware64-current/ +# http://mirror.csclub.uwaterloo.ca/slackware/slackware64-current/ +# ftp://mirror.its.dal.ca/slackware/slackware64-current/ +# http://mirror.its.dal.ca/slackware/slackware64-current/ +# CHINA (CN) +# http://mirrors.163.com/slackware/slackware64-current/ +# http://mirrors.ustc.edu.cn/slackware/slackware64-current/ +# COSTA RICA (CR) +# ftp://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-current/ +# http://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-current/ +# CZECH REPUBLIC (CZ) +# ftp://odysseus.linux.cz/pub/linux/slackware/slackware64-current/ +# http://odysseus.linux.cz/pub/linux/slackware/slackware64-current/ +# DENMARK (DK) +# ftp://mirrors.dotsrc.org/slackware/slackware64-current/ +# https://mirrors.dotsrc.org/slackware/slackware64-current/ +# FINLAND (FI) +# ftp://elektroni.phys.tut.fi/slackware64-current/ +# FRANCE (FR) +# ftp://mirror.ovh.net/mirrors/ftp.slackware.com/slackware64-current/ +# http://mirror.ovh.net/mirrors/ftp.slackware.com/slackware64-current/ +# ftp://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-current/ +# http://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-current/ +# GERMANY (DE) +# ftp://ftp.fu-berlin.de/unix/linux/slackware/slackware64-current/ +# ftp://ftp.gwdg.de/pub/linux/slackware/slackware64-current/ +# http://ftp.gwdg.de/pub/linux/slackware/slackware64-current/ +# ftp://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-current/ +# http://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-current/ +# 
ftp://sunsite.informatik.rwth-aachen.de/pub/comp/Linux/slackware/slackware64-current/ +# http://sunsite.informatik.rwth-aachen.de/ftp/pub/comp/Linux/slackware/slackware64-current/ +# ftp://wrz1013.rz.uni-wuerzburg.de/pub/MIRROR/slackware/slackware64-current/ +# http://wrz1013.rz.uni-wuerzburg.de/pub/MIRROR/slackware/slackware64-current/ +# GREECE (GR) +# ftp://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-current/ +# http://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-current/ +# ftp://ftp.otenet.gr/pub/linux/slackware/slackware64-current/ +# http://ftp.otenet.gr/linux/slackware/slackware64-current/ +# ftp://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-current/ +# http://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-current/ +# INDONESIA (ID) +# http://kambing.ui.ac.id/slackware/slackware64-current/ +# https://repo.ukdw.ac.id/slackware/slackware64-current/ +# IRELAND (IE) +# ftp://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-current/ +# http://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-current/ +# ITALY (IT) +# ftp://ba.mirror.garr.it/mirrors/Slackware/slackware64-current/ +# http://ba.mirror.garr.it/mirrors/Slackware/slackware64-current/ +# JAPAN (JP) +# ftp://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-current/ +# http://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-current/ +# ftp://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-current/ +# http://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-current/ +# ftp://riksun.riken.go.jp/Linux/slackware/slackware64-current/ +# http://riksun.riken.go.jp/Linux/slackware/slackware64-current/ +# NETHERLANDS (NL) +# ftp://ftp.nluug.nl/pub/os/Linux/distr/slackware/slackware64-current/ +# http://ftp.nluug.nl/os/Linux/distr/slackware/slackware64-current/ +# ftp://mirror.nl.leaseweb.net/slackware/slackware64-current/ +# http://mirror.nl.leaseweb.net/slackware/slackware64-current/ +# NORWAY (NO) +# 
ftp://ftp.slackware.no/slackware/slackware64-current/ +# http://ftp.slackware.no/slackware/slackware64-current/ +# POLAND (PL) +# ftp://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-current/ +# http://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-current/ +# ftp://ftp.slackware.pl/pub/slackware/slackware64-current/ +# http://ftp.slackware.pl/pub/slackware/slackware64-current/ +# ftp://sunsite.icm.edu.pl/vol/rzm1/linux-slackware/slackware64-current/ +# http://sunsite.icm.edu.pl/packages/linux-slackware/slackware64-current/ +# ftp://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-current/ +# http://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-current/ +# RUSSIA (RU) +# http://mirror.rol.ru/slackware/slackware64-current/ +# ftp://mirror.yandex.ru/slackware/slackware64-current/ +# http://mirror.yandex.ru/slackware/slackware64-current/ +# SOUTH AFRICA (ZA) +# ftp://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-current/ +# http://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-current/ +# ftp://ftp.wa.co.za/pub/slackware/slackware64-current/ +# http://ftp.wa.co.za/pub/slackware/slackware64-current/ +# ftp://slackware.mirror.ac.za/slackware64-current/ +# http://slackware.mirror.ac.za/slackware64-current/ +# SWEDEN (SE) +# ftp://ftp.sunet.se/mirror/slackware.com/slackware64-current/ +# http://ftp.sunet.se/mirror/slackware.com/slackware64-current/ +# TAIWAN (TW) +# ftp://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-current/ +# http://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-current/ +# ftp://ftp.twaren.net/pub/Linux/Slackware/slackware64-current/ +# http://ftp.twaren.net/Linux/Slackware/slackware64-current/ +# TURKEY (TR) +# ftp://ftp.linux.org.tr/slackware/slackware64-current/ +# http://ftp.linux.org.tr/slackware/slackware64-current/ +# UKRAINE (UA) +# ftp://mirrors.mithril.org.ua/linux/slackware/slackware64-current/ +# http://mirrors.mithril.org.ua/linux/slackware/slackware64-current/ +# UNITED KINGDOM (UK) +# 
http://slackware.uk/slackware/slackware64-current/ +# ftp://slackware.uk/slackware/slackware64-current/ +# ftp://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-current/ +# http://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-current/ +# ftp://mirror.bytemark.co.uk/slackware/slackware64-current/ +# http://mirror.bytemark.co.uk/slackware/slackware64-current/ +# UNITED STATES (US) +# ftp://ftp.gtlib.gatech.edu/nv/ao2/lxmirror/ftp.slackware.com/slackware64-current/ +# ftp://mirror.cs.princeton.edu/pub/mirrors/slackware/slackware64-current/ +# ftp://mirrors.easynews.com/linux/slackware/slackware64-current/ +# http://mirrors.easynews.com/linux/slackware/slackware64-current/ +# ftp://mirrors.us.kernel.org/slackware/slackware64-current/ +# http://mirrors.us.kernel.org/slackware/slackware64-current/ +# ftp://mirrors.xmission.com/slackware/slackware64-current/ +# http://mirrors.xmission.com/slackware/slackware64-current/ +# https://mirror.slackbuilds.org/slackware/slackware64-current/ +# http://slackware.cs.utah.edu/pub/slackware/slackware64-current/ +# http://slackware.mirrors.pair.com/slackware64-current/ +# ftp://slackware.mirrors.tds.net/pub/slackware/slackware64-current/ +# http://slackware.mirrors.tds.net/pub/slackware/slackware64-current/ +# ftp://spout.ussg.indiana.edu/linux/slackware/slackware64-current/ +# http://spout.ussg.indiana.edu/linux/slackware/slackware64-current/ +# ftp://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-current/ +# http://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-current/ +https://slackware.uk/slackware/slackware64-current/ diff --git a/base-files/slackpkg/slackpkg.conf b/base-files/slackpkg/slackpkg.conf new file mode 100644 index 0000000..d1e3757 --- /dev/null +++ b/base-files/slackpkg/slackpkg.conf 
@@ -0,0 +1,156 @@ +# +# /etc/slackpkg/slackpkg.conf +# Configuration for SlackPkg +# v2.8 +# + +# SlackPkg - An Automated packaging tool for Slackware Linux +# Copyright (C) 2003-2011 Roberto F. Batista, Evaldo Gardenali +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Project Page: http://slackpkg.org/ +# Roberto F. Batista (aka PiterPunk) piterpunk@slackware.com +# Evaldo Gardenali (aka UdontKnow) evaldogardenali@fasternet.com.br + +# For configuration options that have only two states, possible values are +# either "on" or "off" + +# Remember, the only official Slackware ports are x86, s390, and arm, and +# slackpkg developers don't have s390 boxes for testing. If you are +# testing/using other architectures and have suggestions or patches, +# please let us know (email rworkman@slackware.com) +# +# Select the architecture of your system. Valid values are: +# i#86 (where # is 3, 4, 5 or 6) +# x86_64 +# s390 +# arm* (* can be v4, v5tejl, and other ARM versions) +# powerpc +# +# The line is commented because slackpkg will try to find your +# architecture automagically. If you want to override what slackpkg +# finds, put the value after the = and uncomment this line +#ARCH= + +# The default PKGMAIN is "slackware", but some derived distros use other +# names as the main directory. 
PKGMAIN is the place with the slackware +# package series (a, ap, n, ... ). +# +# Usually slackpkg can automagically discover this variable. If you want +# to override the discovered variable, then uncomment this line and change +# it to reflect the correct value of PKGMAIN +#PKGMAIN=slackware + +# Slackware packages are signed by project key. Slackpkg uses this key +# to check if the packages downloaded are valid, so remember to set +# CHECKGPG to "on". +# +# Usually slackpkg can automagically discover this variable. If you want +# to override the discovered variable, then uncomment this line and edit +# as needed +#SLACKKEY="Slackware Linux Project " + +# Downloaded files will be in the TEMP directory: +TEMP=/var/cache/packages + +# Package lists, file lists, and others will be stored in WORKDIR: +WORKDIR=/var/lib/slackpkg + +# Special options for wget (default is WGETFLAGS="--passive-ftp") +WGETFLAGS="--passive-ftp" + +# If DELALL is "on", all downloaded files will be removed after install. +DELALL=on + +# If CHECKMD5 is "on", the system will check the md5sums of all packages before +# install/upgrade/reinstall is performed. +CHECKMD5=on + +# If CHECKGPG is "on", the system will verify the GPG signature of each package +# before install/upgrade/reinstall is performed. +CHECKGPG=on + +# If CHECKSIZE is "on", the system will check if we have sufficient disk +# space to install selected package. This make upgrade/install safer, but +# will also slow down the upgrade/install process. +CHECKSIZE=off + +# PRIORITY sets the download priority. slackpkg will try to found the +# package first in the first value, then the second one, through all +# values in list. +# +# Default value: patches %PKGMAIN extra pasture testing +PRIORITY=( patches %PKGMAIN extra pasture testing ) + +# Enables (on) or disables (off) slackpkg's post-installation features, such +# as checking for new (*.new) configuration files and new kernel images, and +# prompts you for what it should do. 
Default=on +POSTINST=on + +# Post-installation features, by default, search all of /etc and a few other +# predefined locations for .new files. This is the safe option: with it, +# you won't have any unmerged .new files to cause problems. Even so, some +# people prefer that only the .new files installed by the current slackpkg +# session be checked. If this is your case, change ONLY_NEW_DOTNEW to "on". +# Default=off +ONLY_NEW_DOTNEW=off + +# Whether to backup files overwritten by their .new counterparts with a +# .orig extension. +ORIG_BACKUPS=off + +# The ONOFF variable sets the initial behavior of the dialog interface. +# If you set this to "on" then all packages will be selected by default. +# If you prefer the opposite option (all unchecked), then set this to "off". +ONOFF=on + +# If this variable is set to "on", all files will be downloaded before the +# requested operation (install or upgrade) is performed. If set to "off", +# then the files will be downloaded and the operation (install/upgrade) +# performed one by one. Default=on +DOWNLOAD_ALL=on + +# Enables (on) or disables (off) the dialog interface in slackpkg. Default=on +DIALOG=on + +# Enables (on) or disables (off) the non-interactive mode. If set to "on", +# slackpkg will run without asking the user anything, and answer all questions +# with DEFAULT_ANSWER. If you do any upgrades using this mode, you'll need to +# run "slackpkg new-config" later to find and merge any .new files. +BATCH=off + +# Default answer to slackpkg questions. Can be "y" or "n". +DEFAULT_ANSWER=n + +# Slackpkg allows a template to "include" the packages specified in another +# template. This option enables (on) or disables (off) the parsing of +# any "#include" directives in template files. Default=on +USE_INCLUDES=on + +# Enables a spinning bar as visual feedback when slackpkg is making its +# internal lists and some other operations. Default=on +SPINNING=on + +# Max number of characters that "dialog" command can handle. 
+# If unset, this variable will be 19500 (the number that works on
+# Slackware 10.2)
+DIALOG_MAXARGS=139000
+
+#
+# The MIRROR is set from /etc/slackpkg/mirrors
+# You only need to uncomment the selected mirror.
+# Uncomment one mirror only.
+#
diff --git a/base-files/ssh/ssh_config b/base-files/ssh/ssh_config
new file mode 100644
index 0000000..0c27d9f
--- /dev/null
+++ b/base-files/ssh/ssh_config
@@ -0,0 +1,5 @@
+Host *
+ ControlPath ~/.ssh/%u@%l->%r@%h:%p
+ SendEnv LANG LC_*
+ VerifyHostKeyDNS yes
+ VisualHostKey yes
diff --git a/base-files/ssh/sshd_config b/base-files/ssh/sshd_config
new file mode 100644
index 0000000..a4f35a7
--- /dev/null
+++ b/base-files/ssh/sshd_config
@@ -0,0 +1,17 @@
+# FIXME: Set sshd IP addresses.
+# ListenAddress 91.109.244.X
+# ListenAddress [2a02:2498:1:227::X]
+Port 9922
+
+AcceptEnv LANG LC_*
+LoginGraceTime 30
+MaxStartups 5
+# FIXME: Change PermitRootLogin to 'prohibit-password' once a key is in place.
+PermitRootLogin yes
+Subsystem sftp /usr/libexec/sftp-server
+UsePAM yes
+X11Forwarding no
+
+Match Address 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
+ PermitRootLogin yes
+ X11Forwarding yes
diff --git a/base-files/sudoers.d/defaults b/base-files/sudoers.d/defaults
new file mode 100644
index 0000000..e34d298
--- /dev/null
+++ b/base-files/sudoers.d/defaults
@@ -0,0 +1,2 @@
+## Set the password prompting timeout to 30 mins.
+Defaults timestamp_timeout = 30
diff --git a/base-files/sysctl.d/fs.conf b/base-files/sysctl.d/fs.conf
new file mode 100644
index 0000000..ca7320e
--- /dev/null
+++ b/base-files/sysctl.d/fs.conf
@@ -0,0 +1,2 @@
+# Increase the maximum number of file handles (2^18).
+fs.file-max = 262144
diff --git a/base-files/sysctl.d/kernel.conf b/base-files/sysctl.d/kernel.conf
new file mode 100644
index 0000000..bfe129d
--- /dev/null
+++ b/base-files/sysctl.d/kernel.conf
@@ -0,0 +1,15 @@
+# Append the PID to a 'core' dump's filename.
+kernel.core_uses_pid = 1
+
+# The contents of /proc//{maps,smaps} should only visible to processes
+# that are allowed to ptrace() the process.
+kernel.maps_protect = 1
+
+# Reboot after 10 seconds when the kernel panics.
+kernel.panic = 10
+
+# Allow more PIDs (2^17).
+kernel.pid_max = 131072
+
+# Disable 'magic' SysRq functionallity.
+kernel.sysrq = 0
diff --git a/base-files/sysctl.d/vm.conf b/base-files/sysctl.d/vm.conf
new file mode 100644
index 0000000..db99eb4
--- /dev/null
+++ b/base-files/sysctl.d/vm.conf
@@ -0,0 +1,3 @@
+# Do a minimal amount of swapping.
+# See: https://en.wikipedia.org/wiki/Swappiness
+vm.swappiness = 10
diff --git a/base-files/syslog.conf b/base-files/syslog.conf
new file mode 100644
index 0000000..c027c80
--- /dev/null
+++ b/base-files/syslog.conf
@@ -0,0 +1,42 @@
+# Notes:
+# When changing log file options, remember to:
+# * 'touch' the logfile into existance
+# * Set the correct ownership+permissions on the file
+# * Update /etc/logrotate.d/syslog with the changes
+
+auth.* /var/log/messages
+authpriv.* /var/log/messages
+cron.* /var/log/messages
+daemon.* /var/log/messages
+ftp.* /var/log/messages
+kern.* /var/log/messages
+lpr.* /var/log/messages
+mail.* /var/log/messages
+news.* /var/log/messages
+syslog.* /var/log/messages
+# lumberjack uses user by default.
+user.* /var/log/messages
+uucp.* /var/log/messages
+
+# fail2ban (custom configuration) uses local0.
+local0.* /var/log/fail2ban
+# named (custom configuration) uses local1.
+local1.* /var/log/messages
+# spamd is started with '-s local2'.
+local2.* /var/log/messages
+# dovecot (custom configuration) uses local3.
+local3.* /var/log/messages
+# Unused. Note: slapd (from OpenLDAP) uses local4 by default.
+local4.* /var/log/messages
+# rsyncd (custom configuration) uses local5.
+local5.* /var/log/messages
+# php-fpm (custom configuration) uses local6.
+local6.* /var/log/messages
+# httpd (custom configuration) uses local7.
+local7.* /var/log/messages
+
+# *.* /dev/tty12
+# *.* /var/log/all
+
+# Include all config files in /etc/syslog.d/:
+include /etc/syslog.d/*.conf
diff --git a/base-files/vnstat.conf b/base-files/vnstat.conf
new file mode 100644
index 0000000..f7ab29d
--- /dev/null
+++ b/base-files/vnstat.conf
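Review bot: `VerifyHostKeyDNS yes` under `Host *` makes the client accept an unknown host key without a prompt whenever an SSHFP record matches, and OpenSSH only does that when the resolver reports the answer as DNSSEC-validated (AD bit), so the strength of this setting is exactly the trustworthiness of the path to the validating resolver; if the resolver is remote and the AD bit arrives over an unauthenticated link, a forged answer is enough to get a key accepted silently, so pair it with a validating local resolver or use `VerifyHostKeyDNS ask`. The `ControlPath` token string (`%u@%l->%r@%h:%p`) grows with the hostname and can exceed the Unix-socket path limit; `%C` gives a short fixed-length name. A comment on the block would save the next reader the lookup: `# VerifyHostKeyDNS only auto-accepts SSHFP records the resolver marks as DNSSEC-validated; needs a trusted validating resolver.`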
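Review bot: The global `PermitRootLogin yes`, flagged by the FIXME, permits password root logins on the public port 9922 (assuming password authentication is left at its default), while the `Match Address` block below already restores `PermitRootLogin yes` for the private ranges; the global directive can therefore become `PermitRootLogin prohibit-password` as soon as root's authorized_keys is installed, with no change for the private ranges. The `ListenAddress` lines are also still placeholders (`91.109.244.X`, `[2a02:2498:1:227::X]`), so until they are filled in sshd binds every address, which is worth calling out in the same FIXME. A short comment next to the Match block would make the intent explicit: `# Private ranges keep password root login; the global default is meant to become prohibit-password.`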
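Review bot: `kernel.maps_protect = 1` refers to a sysctl that, as far as I recall, was removed from the kernel during the 2.6.2x series, so on the kernels this commit targets sysctl will report an unknown key for this file and exit non-zero; modern kernels gate /proc/PID/maps on ptrace access mode without a tunable, so the line can be dropped or kept only as a commented-out legacy note. Whether the loader continues to apply `kernel.panic`, `kernel.pid_max` and `kernel.sysrq` after the error depends on how the sysctl.d files are loaded, which is not visible here. The comment above it has also lost its PID token (`/proc//{maps,smaps}`); `/proc/<pid>/{maps,smaps}` was presumably intended.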
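Review bot: `authpriv.*` (and `auth.*`) are routed to /var/log/messages together with every other facility, so login failures, su/sudo activity and similar records land in the same file as routine daemon noise; authpriv exists precisely so that these can live in a more restricted file. Either give it its own destination with tighter ownership and mode, or, if consolidation is intended, make sure /var/log/messages and its logrotate stanza carry the restrictive ownership+permissions the header note asks for, and record that in the comment: `# authpriv is merged into messages; keep /var/log/messages readable by root only.` The fail2ban log on `local0` is the only separate file and needs the same treatment when it is touched into existence.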
@@ -0,0 +1,186 @@ +# vnStat 2.6 config file +## + +# default interface (leave empty for automatic selection) +Interface "eth0" + +# location of the database directory +DatabaseDir "/var/lib/vnstat" + +# locale (LC_ALL) ("-" = use system locale) +Locale "-" + +# date output formats for -d, -m, -t and -w +DayFormat "%Y-%m-%d" +MonthFormat "%Y-%m" +TopFormat "%Y-%m-%d" + +# characters used for visuals +RXCharacter "%" +TXCharacter ":" +RXHourCharacter "r" +TXHourCharacter "t" + +# how units are prefixed when traffic is shown +# 0 = IEC standard prefixes (KiB/MiB/GiB...) +# 1 = old style binary prefixes (KB/MB/GB...) +# 2 = SI decimal prefixes (kB/MB/GB...) +UnitMode 0 + +# used rate unit (0 = bytes, 1 = bits) +RateUnit 1 + +# how units are prefixed when traffic rate is shown in bits +# 0 = IEC binary prefixes (Kibit/s...) +# 1 = SI decimal prefixes (kbit/s...) +RateUnitMode 1 + +# output style +# 0 = minimal & narrow, 1 = bar column visible +# 2 = same as 1 except rate in summary +# 3 = rate column visible +OutputStyle 3 + +# number of decimals to use in outputs +DefaultDecimals 2 +HourlyDecimals 1 + +# spacer for separating hourly sections (0 = none, 1 = '|', 2 = '][', 3 = '[ ]') +HourlySectionStyle 2 + +# how many seconds should sampling for -tr take by default +Sampletime 5 + +# default query mode +# 0 = normal, 1 = days, 2 = months, 3 = top, 5 = short +# 7 = hours, 8 = xml, 9 = one line, 10 = json +QueryMode 0 + +# default list output entry limits (0 = all) +List5Mins 24 +ListHours 24 +ListDays 30 +ListMonths 12 +ListYears 0 +ListTop 10 + + +# vnstatd +## + +# switch to given user when started as root (leave empty to disable) +DaemonUser "" + +# switch to given group when started as root (leave empty to disable) +DaemonGroup "" + +# try to detect interface maximum bandwidth, 0 = disable feature +# MaxBandwidth will be used as fallback value when enabled +BandwidthDetection 1 + +# maximum bandwidth (Mbit) for all interfaces, 0 = disable feature +# (unless interface 
specific limit is given) +MaxBandwidth 1000 + +# interface specific limits +# example 8Mbit limit for eth0 (remove # to activate): +#MaxBWeth0 8 + +# data retention durations (-1 = unlimited, 0 = feature disabled) +5MinuteHours 48 +HourlyDays 4 +DailyDays 62 +MonthlyMonths 25 +YearlyYears -1 +TopDayEntries 20 + +# how often (in seconds) interface data is updated +UpdateInterval 20 + +# how often (in seconds) interface status changes are checked +PollInterval 5 + +# how often (in minutes) data is saved to database +SaveInterval 5 + +# how often (in minutes) data is saved when all interface are offline +OfflineSaveInterval 30 + +# on which day should months change +MonthRotate 1 +MonthRotateAffectsYears 0 + +# filesystem disk space check (1 = enabled, 0 = disabled) +CheckDiskSpace 1 + +# how much the boot time can variate between updates (seconds) +BootVariation 15 + +# create database entries even when there is no traffic (1 = enabled, 0 = disabled) +TrafficlessEntries 1 + +# how many minutes to wait during daemon startup for system clock to +# sync time if most recent database update appears to be in the future +TimeSyncWait 5 + +# how often (in minutes) bandwidth detection is done when +# BandwidthDetection is enabled (0 = disabled) +BandwidthDetectionInterval 5 + +# force data save when interface status changes (1 = enabled, 0 = disabled) +SaveOnStatusChange 1 + +# enable / disable logging (0 = disabled, 1 = logfile, 2 = syslog) +UseLogging 2 + +# create dirs if needed (1 = enabled, 0 = disabled) +CreateDirs 1 + +# update ownership of files if needed (1 = enabled, 0 = disabled) +UpdateFileOwner 1 + +# file used for logging if UseLogging is set to 1 +LogFile "/var/log/vnstat.log" + +# file used as daemon pid / lock file +PidFile "/var/run/vnstat.pid" + +# 1 = 64-bit, 0 = 32-bit, -1 = old style logic, -2 = automatic detection +64bitInterfaceCounters -2 + +# use SQLite Write-Ahead Logging mode (1 = enabled, 0 = disabled) +DatabaseWriteAheadLogging 0 + +# change the 
setting of the SQLite "synchronous" flag +# (-1 = auto, 0 = off, 1, = normal, 2 = full, 3 = extra) +DatabaseSynchronous -1 + + +# vnstati +## + +# title timestamp format +HeaderFormat "%Y-%m-%d %H:%M" + +# show hours with rate (1 = enabled, 0 = disabled) +HourlyRate 1 + +# show rate in summary (1 = enabled, 0 = disabled) +SummaryRate 1 + +# transparent background (1 = enabled, 0 = disabled) +TransparentBg 0 + +# image colors +CBackground "FFFFFF" +CEdge "AEAEAE" +CHeader "606060" +CHeaderTitle "FFFFFF" +CHeaderDate "FFFFFF" +CText "000000" +CLine "B0B0B0" +CLineL "-" +CRx "92CF00" +CTx "606060" +CRxD "-" +CTxD "-" diff --git a/ca-certificates/isrgrootx1.crt b/ca-certificates/isrgrootx1.crt new file mode 100644 index 0000000..b85c803 --- /dev/null +++ b/ca-certificates/isrgrootx1.crt 
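Review bot: `DaemonUser ""` and `DaemonGroup ""` leave vnstatd running as root for its whole lifetime, although it only needs to read interface counters and write under `DatabaseDir`. Since `CreateDirs 1` and `UpdateFileOwner 1` are already enabled, switching `DaemonUser` to an unprivileged account appears to be supported by the daemon itself (it fixes up ownership of the database directory), which makes this a cheap least-privilege improvement; confirm the account name against what the package creates before changing it.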
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- 
diff --git a/ca-certificates/lets-encrypt-x3-cross-signed.crt b/ca-certificates/lets-encrypt-x3-cross-signed.crt new file mode 100644 index 0000000..0002462 --- /dev/null +++ b/ca-certificates/lets-encrypt-x3-cross-signed.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- 
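Review bot: lets-encrypt-x3-cross-signed.crt is an intermediate CA certificate (its issuer is DST Root CA X3 and it is constrained to path length 0), not a root, and the same holds for letsencryptauthorityx3.crt two files below (issued by ISRG Root X1). Placing intermediates in a trust-anchor directory makes them trusted in their own right, so revocation or re-issuance by the root no longer matters for this host, and the encoded validity of the cross-signed copy appears to end in March 2021, after which it will be ignored or cause trust errors depending on the verifier. Only the roots belong in the store (isrgrootx1.crt, plus DST Root CA X3 which the distribution bundle normally carries already); servers send their intermediate in the handshake chain. If the intermediates are kept deliberately, a short README in ca-certificates/ explaining why would save the next maintainer the same question.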
diff --git a/ca-certificates/letsencryptauthorityx3.crt b/ca-certificates/letsencryptauthorityx3.crt new file mode 100644 index 0000000..4e82cb5 --- /dev/null +++ b/ca-certificates/letsencryptauthorityx3.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 +WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX +NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf +89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl +Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc +Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz +uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB +AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU +BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB +FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo +SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js +LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF +BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG +AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD +VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB +ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx +A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM +UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 +DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 +eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu +OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw +p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY +2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 +ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR +PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b 
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
diff --git a/memtest86+ b/memtest86+
new file mode 100644
index 0000000..affaaab
Binary files /dev/null and b/memtest86+ differ
diff --git a/root.crontab b/root.crontab
new file mode 100644
index 0000000..924f67b
--- /dev/null
+++ b/root.crontab
@@ -0,0 +1,5 @@
+# Run the hourly, daily, weekly, and monthly cron jobs.
+0 * * * * /usr/bin/run-parts /etc/cron.hourly >/dev/null
+0 0 * * * /usr/bin/run-parts /etc/cron.daily >/dev/null
+0 0 * * 0 /usr/bin/run-parts /etc/cron.weekly >/dev/null
+0 0 1 * * /usr/bin/run-parts /etc/cron.monthly >/dev/null
diff --git a/sample-rc.d/rc.firewall-guests b/sample-rc.d/rc.firewall-guests
new file mode 100755
index 0000000..45bb749
--- /dev/null
+++ b/sample-rc.d/rc.firewall-guests
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+# The name of the main external interface.
+EX_IF="eth0"
+# The name of the VM-Private network interface.
+VM_IF="eth1"
+
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+
+# Allow all VM-Private network traffic.
+iptables -A INPUT -i "$VM_IF" -j ACCEPT
+ip6tables -A INPUT -i "$VM_IF" -j ACCEPT
+
+# Allow unrestricted access from our IPs.
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
+
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow pings, but ratelimited.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+
+# Always allow SSH.
+# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: DNS.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: HTTP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: FTP{,S}.
+# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+modprobe nf_conntrack_ftp
+echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: rsync.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: SMTP and submission.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: IMAP{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: POP3{,S}.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+
+# Service: Bittorrent.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
diff --git a/sample-rc.d/rc.firewall-hosts b/sample-rc.d/rc.firewall-hosts
new file mode 100755
index 0000000..905629b
--- /dev/null
+++ b/sample-rc.d/rc.firewall-hosts
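Review bot: The three `echo 0 >` writes near the top only touch the per-interface redirect knobs, but for IPv4 the kernel combines them with `conf/all/`: with forwarding off, `accept_redirects` stays effective when either `all` or the interface is 1, and `send_redirects` is enabled when either is set, so as written these lines do not disable redirects unless `all` is already 0; add `echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects` and the `send_redirects` (and IPv6) counterparts, or move the settings into the sysctl.d files alongside kernel.conf and vm.conf. The default policies are only set in the last six lines, after the flush, so a script that stops part-way (there is no `set -e`) leaves INPUT in whatever policy it had before, possibly ACCEPT with an empty rule set; placing `iptables -P INPUT DROP` and `ip6tables -P INPUT DROP` right after the flush makes a partial run fail closed. `echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper` re-enables automatic helper assignment for every connection, which upstream turned off by default precisely because helpers then get attached to traffic they were never meant to inspect; the `CT --helper ftp` target in the raw table confines the FTP helper to port 21, and newer kernels drop this sysctl entirely. The tcp `49152:65534` NEW rule in the Bittorrent section duplicates the FTP passive rule above it and can go. rc.firewall-hosts shares the redirect and policy-ordering points.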
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# The name of the main external interface.
+EX_IF="br0"
+
+# Disable ICMP redirects.
+# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+# the sending host that it should forward subsequent packets to that same destination through a different gateway.
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+
+# Flush old rules.
+iptables -F
+ip6tables -F
+iptables -t nat -F
+ip6tables -t nat -F
+iptables -t mangle -F
+ip6tables -t mangle -F
+
+# Delete any custom chains.
+iptables -X
+ip6tables -X
+iptables -t nat -X
+ip6tables -t nat -X
+iptables -t mangle -X
+ip6tables -t mangle -X
+
+# Drop invalid packets on all interfaces.
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Drop unroutable IPs on the external interface.
+iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+# Allow all loopback traffic.
+iptables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+
+# Allow unrestricted access from our IPs.
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
+
+# Allow packets of established connections and those related to them.
+iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow pings, but ratelimited.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+
+# Allow certain types of ICMP informational packets.
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+
+# Always allow SSH.
+# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+
+# Set default policies.
+iptables -P INPUT DROP
+ip6tables -P INPUT DROP
+iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
diff --git a/sample-rc.d/rc.firewall-old b/sample-rc.d/rc.firewall-old
new file mode 100755
index 0000000..7b020f8
--- /dev/null
+++ b/sample-rc.d/rc.firewall-old
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+IPTABLES=/usr/sbin/iptables
+
+# Flush the tables.
+$IPTABLES -F
+
+# Drop bootp ports.
+$IPTABLES -m multiport -A INPUT -p tcp --dports 67,68 -j DROP
+$IPTABLES -m multiport -A INPUT -p udp --dports 67,68 -j DROP
+
+# Drop netbios ports.
+$IPTABLES -m multiport -A INPUT -p tcp --dports 137,138,139 -j DROP
+$IPTABLES -m multiport -A INPUT -p udp --dports 137,138,139 -j DROP
diff --git a/sample-rc.d/rc.local b/sample-rc.d/rc.local
new file mode 100755
index 0000000..d4e6c24
--- /dev/null
+++ b/sample-rc.d/rc.local
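Review bot: The redirect sysctls in rc.firewall-hosts are written only for the per-interface entries, but for IPv4 the kernel ORs `conf/all/send_redirects` with the interface value, and with forwarding disabled does the same for `accept_redirects`, so a default of 1 under `all` leaves both effectively enabled; add `echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects` and `echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects` next to the existing three lines (the IPv6 `all` entry is worth writing for the same reason, though its precedence rules differ). The `-P INPUT DROP` / `-P FORWARD DROP` lines come last, after `-F` and every ACCEPT append, so on a first boot, when the policy is still ACCEPT, the host is fully open for the duration of the rule load; setting the policies immediately after the flush, or loading the whole ruleset atomically with iptables-restore, closes that window. The preceding rc.firewall hunk ends with the same ordering, but its start is outside this view.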
@@ -0,0 +1,66 @@
+#!/bin/bash
+# /etc/rc.d/rc.local - Local system startup script.
+# This script will be run when the system is first booted.
+
+# Start the MCE daemon.
+[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog start
+
+# Start the qemu guest additions agent.
+[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga start
+
+# Start GlusterFS daemon.
+[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd start
+
+# Mount glusterfs volumes.
+for MOUNT in $(grep -v "^#" /etc/fstab | awk '/[[:blank:]]glusterfs[[:blank:]]/ {print $2}'); do mount $MOUNT; done
+
+# Start the vnstat daemon.
+[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat start
+
+# Start fail2ban.
+[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban start
+
+# Start the php-fpm FastCGI daemon.
+[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm start
+
+# Start SpamAssassin.
+[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd start
+
+# Start proftpd.
+[ -x /etc/rc.d/rc.proftpd ] && {
+ /opt/bin/lumberjack -u logger -z -r -i /run/slackware.uk-ftpd.log -o logger:ftp -mp 006 -l logs/ftpd-transfers.log \
+ /data/sites/slackware.uk logs/%Y/%m/ftpd-transfers.log &
+ /etc/rc.d/rc.proftpd start
+}
+
+# Start the rsync daemon.
+[ -x /etc/rc.d/rc.rsyncd ] && {
+ /opt/bin/lumberjack -u logger -z -r -i /run/rsyncd.log -o logger:mirror -mp 006 -l logs/rsyncd-transfers.log \
+ /data/sites/slackware.uk logs/%Y/%m/rsyncd-transfers.log &
+ /etc/rc.d/rc.rsyncd start
+}
+
+# Start netdata.
+[ -x /etc/rc.d/rc.netdata ] && rm -f /var/lock/subsys/netdata && /etc/rc.d/rc.netdata start
+
+# Start the bandwidth bar generator.
+[ -x /opt/bin/bwbar ] && sudo -b /opt/bin/bwbar -f /run/bwbar.txt -p /run/bwbar.png -t 1 -x 800 -y 8 -b 2 eth0 1000
+
+# Start seeding the torrents.
+grep "^seeder:" /etc/passwd >/dev/null 2>&1 && su - seeder -c /home/seeder/start-seeding
+
+# Start libvirt.
+[ -x /etc/rc.d/rc.libvirt ] && /etc/rc.d/rc.libvirt start
+
+# Start the lxcfs fuse module.
+[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs start
+
+# Start containers.
+[ -x /etc/rc.d/rc.lxc ] && {
+ # Proxy ARP is required for the LXC bridge to function correctly.
+ echo 1 >/proc/sys/net/ipv4/conf/br0/proxy_arp
+ /etc/rc.d/rc.lxc start
+}
+
+# Notify that the server has booted.
+/opt/bin/pushover -a server -t "Successful boot up: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')" >/dev/null
diff --git a/sample-rc.d/rc.local_shutdown b/sample-rc.d/rc.local_shutdown
new file mode 100755
index 0000000..0629673
--- /dev/null
+++ b/sample-rc.d/rc.local_shutdown
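Review bot: The glusterfs mount loop in rc.local, `for MOUNT in $(grep -v "^#" /etc/fstab | awk ...); do mount $MOUNT; done`, depends on unquoted word-splitting twice and passes `$MOUNT` unquoted to mount; since the loop already selects on the fstab type, `mount -a -t glusterfs` does the same job in one call (it skips `noauto` entries, which the loop does not — confirm none are used), and otherwise the body should at least read `mount "$MOUNT"`. rc.local_shutdown's unmount loop has the same shape (`umount -v $MOUNT`). Both scripts also probe for the seeder account with `grep "^seeder:" /etc/passwd`, which misses accounts served through NSS; `getent passwd seeder >/dev/null 2>&1` is the equivalent that honours nsswitch. `sudo -b /opt/bin/bwbar ...` runs from a root startup script with no `-u`, so sudo only backgrounds the command as root; if that is the intent, `/opt/bin/bwbar ... &` says so more plainly, and if bwbar was meant to drop to another user the `-u` is missing.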
@@ -0,0 +1,73 @@
+#!/bin/bash
+# /etc/rc.d/rc.local_shutdown - Local system shutdown script.
+# This script will be run when the system is shutdown or rebooted.
+
+# Notify that the server is shutting down.
+/opt/bin/pushover -a server -t "Shutting down: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')" >/dev/null
+
+# Stop containers.
+[ -x /etc/rc.d/rc.lxc ] && /etc/rc.d/rc.lxc stop
+
+# Stop lxcfs.
+[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs stop
+
+# Stop libvirt.
+[ -x /etc/rc.d/rc.libvirt ] && {
+ /etc/rc.d/rc.libvirt guests_shutdown
+ /etc/rc.d/rc.libvirt stop
+}
+
+# Shut down netdata.
+[ -x /etc/rc.d/rc.netdata ] && /etc/rc.d/rc.netdata stop
+
+# Stop the rtorrent instances started at boot.
+grep "^seeder:" /etc/passwd >/dev/null 2>&1 && {
+ pkill -INT -u seeder '^rtorrent .*$'
+ printf "%s" "Waiting up to 30 seconds for rtorrent to exit"
+ for ((i=0; i <= 59; i++)); do
+ if pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
+ printf "%s" "."
+ sleep 0.5
+ else
+ break
+ fi
+ done
+ if ! pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
+ printf "%s\n" " clean exit."
+ else
+ printf "%s\n" " failed - terminating."
+ pkill -TERM -u seeder '^rtorrent .*$'
+ sleep 2
+ pkill -KILL -u seeder '^rtorrent .*$'
+ fi
+}
+
+# Stop rsyncd.
+[ -x /etc/rc.d/rc.rsyncd ] && /etc/rc.d/rc.rsyncd stop
+
+# Stop proftpd.
+[ -x /etc/rc.d/rc.proftpd ] && /etc/rc.d/rc.proftpd stop
+
+# Stop SpamAssassin.
+[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd stop
+
+# Stop the php-fpm FastCGI daemon.
+[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm stop
+
+# Stop fail2ban.
+[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban stop
+
+# Stop the vnstat daemon.
+[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat stop
+
+# Unmount glusterfs volumes.
+for MOUNT in $(mount | awk '/fuse\.glusterfs/ {print $3}'); do umount -v $MOUNT; done
+
+# Stop GlusterFS daemon.
+[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd stop
+
+# Stop the qemu guest additions agent.
+[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga stop
+
+# Stop the MCE daemon.
+[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog stop
diff --git a/sample-rc.d/rc.modules.local b/sample-rc.d/rc.modules.local
new file mode 100755
index 0000000..08581c2
--- /dev/null
+++ b/sample-rc.d/rc.modules.local
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# /etc/rc.d/rc.modules.local
+
+# The Linux kernel source is the best place to look for documentation
+# for the many available kernel modules. This can be found under
+# /usr/src/linux-$VERSION/Documentation/.
+
+# Almost all necessary modules are automatically loaded when needed,
+# but there are a few exceptions. Here's a (not all-inclusive) list,
+# so uncomment any of the below entries or add others as needed:
+# Note that you could also create/edit rc.modules-$version if you
+# only wanted specific modules loaded for particular kernels.
+
+#/sbin/modprobe tun # Universal TUN/TAP device driver
+#/sbin/modprobe sg # Generic SCSI support for SATA DVD-RW
+
+# Load sensor modules.
+if [ -e /etc/sysconfig/lm_sensors ]; then
+ . /etc/sysconfig/lm_sensors
+ for MOD in $HWMON_MODULES; do
+ /sbin/modprobe "$MOD"
+ done
+fi
diff --git a/sample-rc.d/rc.proftpd b/sample-rc.d/rc.proftpd
new file mode 100755
index 0000000..fa5ad37
--- /dev/null
+++ b/sample-rc.d/rc.proftpd
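Review bot: The rtorrent wait loop in rc.local_shutdown states its budget twice — the message says `Waiting up to 30 seconds` while the bound `i <= 59` combined with `sleep 0.5` is what actually produces it — so the two can drift apart silently on the next edit; a single named value such as `RTORRENT_WAIT=30`, used as `for ((i=0; i < RTORRENT_WAIT * 2; i++)); do` and interpolated into the message, keeps them in step. The INT → TERM → KILL escalation applies the pattern `'^rtorrent .*$'` without `-f`, so it is matched against the process name rather than the command line and presumably relies on rtorrent renaming its main thread; a one-line comment saying so, e.g. `# Matches the thread name rtorrent sets for itself, not its argv — verify if rtorrent is upgraded.`, would spare the next reader the puzzle.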
@@ -0,0 +1,108 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin
+# Licensed under the terms of the GNU General Public License version 3.
+
+EXEC="/usr/sbin/proftpd"
+ARGS=()
+PIDFILE="/var/run/proftpd.pid"
+
+checkconfigured() {
+ # This function can be used to perform any pre-start tests; hopfully to insure the daemon
+ # can start correctly, before actually trying to start it. A return value of 0 means the
+ # tests were passed and the daemon should be started. Any other value prevents the
+ # daemon from being started and an error message will be emitted.
+ return 0
+}
+
+checkstatus() {
+ # Note: this has been changed from the standard 'pgrep -f "$EXEC"' as pgrep doesn't match
+ # the process because proftp changes its argv0.
+ local RUNPIDS="$(pgrep -F "$PIDFILE" 2>/dev/null)"
+ if [ ! -z "$RUNPIDS" ]; then
+ echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+ if [ ! -z "$PIDFILE" ]; then
+ if [ ! -e "$PIDFILE" ]; then
+ echo -n ", but .pid file does not exist"
+ elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+ echo -n ", but .pid file is stale"
+ fi
+ fi
+ echo
+ else
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+ return 1
+ fi
+ return 0
+}
+
+startdaemon() {
+ if ! checkconfigured; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+ return 1
+ elif [ ! -e "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+ return 1
+ elif [ ! -x "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+ return 1
+ fi
+ env -i -S "$EXEC" "${ARGS[@]}"
+ return $?
+}
+
+stopdaemon() {
+ # Note: this has been changed from the standard way of doing things because we can't use
+ # 'pgrep -f' to match the process since proftpd changes its argv0.
+ if ! 
kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+ sleep 2
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+ kill -KILL "$(pgrep "${EXEC##*/}")" >/dev/null 2>&1
+ fi
+ fi
+ return 0
+}
+
+case "$1" in
+ 'start')
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'stop')
+ if ! checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ stopdaemon
+ ERR=$?
+ fi
+ ;;
+ 'restart')
+ if checkstatus >/dev/null; then
+ stopdaemon && sleep 2 && startdaemon
+ ERR=$?
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'status')
+ checkstatus
+ ERR=$?
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
+
+return $ERR 2>/dev/null || exit $ERR
diff --git a/sample-rc.d/rc.rsyncd b/sample-rc.d/rc.rsyncd
new file mode 100755
index 0000000..1e2cb16
--- /dev/null
+++ b/sample-rc.d/rc.rsyncd
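Review bot: In rc.proftpd's stopdaemon() the `sleep 2` / checkstatus / slay fallback sits inside `if ! kill -TERM ...`, so it only runs when the TERM signal could not be sent at all; when TERM is delivered but proftpd does not exit, the function still returns 0 and `stop` reports success — rc.rsyncd's stopdaemon has the intended shape, with the sleep and check outside the `if`. The slay line `kill -KILL "$(pgrep "${EXEC##*/}")"` also quotes pgrep's newline-separated output into a single argument, which the kill builtin rejects, and the redirection hides that; with proftpd's per-session children there is normally more than one match, so the KILL is never delivered exactly when it is needed. Note too that checkstatus derives RUNPIDS from the pidfile itself (`pgrep -F "$PIDFILE"`), so its "does not exist" and "stale" branches cannot fire in this variant and deserve either a comment or removal. Suggested stopdaemon below.
```shell
stopdaemon() {
  # Note: proftpd rewrites its argv0, so 'pgrep -f "$EXEC"' cannot find it; signal via the pidfile.
  kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1
  sleep 2
  if checkstatus >/dev/null; then
    echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
    # pgrep may return several PIDs (one per session); hand them to kill as separate arguments.
    pgrep "${EXEC##*/}" | xargs -r kill -KILL >/dev/null 2>&1
  fi
  return 0
}
```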
@@ -0,0 +1,105 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin
+# Licensed under the terms of the GNU General Public License version 3.
+
+EXEC="/usr/bin/rsync"
+ARGS=(--daemon --config=/etc/rsyncd/rsyncd.conf)
+PIDFILE="/var/run/rsyncd.pid"
+
+checkconfigured() {
+ # This function can be used to perform any pre-start tests; hopfully to insure the daemon
+ # can start correctly, before actually trying to start it. A return value of 0 means the
+ # tests were passed and the daemon should be started. Any other value prevents the
+ # daemon from being started and an error message will be emitted.
+ return 0
+}
+
+checkstatus() {
+ local RUNPIDS="$(pgrep -f "$EXEC")"
+ if [ ! -z "$RUNPIDS" ]; then
+ echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+ if [ ! -z "$PIDFILE" ]; then
+ if [ ! -e "$PIDFILE" ]; then
+ echo -n ", but .pid file does not exist"
+ elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+ echo -n ", but .pid file is stale"
+ fi
+ fi
+ echo
+ else
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+ return 1
+ fi
+ return 0
+}
+
+startdaemon() {
+ if ! checkconfigured; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+ return 1
+ elif [ ! -e "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+ return 1
+ elif [ ! -x "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+ return 1
+ fi
+ "$EXEC" "${ARGS[@]}"
+ return $?
+}
+
+stopdaemon() {
+ if ! 
kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+ kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+ fi
+ sleep 2
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+ kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+ fi
+ return 0
+}
+
+case "$1" in
+ 'start')
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'stop')
+ if ! checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ stopdaemon
+ ERR=$?
+ fi
+ ;;
+ 'restart')
+ if checkstatus >/dev/null; then
+ stopdaemon && sleep 2 && startdaemon
+ ERR=$?
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'status')
+ checkstatus
+ ERR=$?
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
+
+return $ERR 2>/dev/null || exit $ERR
diff --git a/sample-rc.d/rc.tftpd b/sample-rc.d/rc.tftpd
new file mode 100755
index 0000000..0e56d2d
--- /dev/null
+++ b/sample-rc.d/rc.tftpd
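Review bot: `pgrep -f "$EXEC"` in rc.rsyncd's checkstatus and stopdaemon matches any process whose command line contains /usr/bin/rsync, not only the daemon, so a client transfer running on the host (a mirror job, a backup) makes `status` report the daemon as running and `stop` sends TERM and then KILL to that transfer as well; rc.tftpd uses the same pattern. The quoted substitution `kill -TERM "$(pgrep -f "$EXEC")"` additionally hands every matched PID to kill as one newline-joined argument, which the builtin rejects — and the `2>&1` redirect hides — so as soon as two matches exist (the daemon plus a single connection child) neither the TERM nor the KILL is delivered. Anchoring the pattern on the daemon's argv and letting pkill iterate fixes both: `pkill -TERM -f "^$EXEC --daemon"` and `pkill -KILL -f "^$EXEC --daemon"` in stopdaemon, and `local RUNPIDS="$(pgrep -f "^$EXEC --daemon")"` in checkstatus (the `.` in the path is a regex wildcard, harmless here).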
@@ -0,0 +1,105 @@
+#!/bin/bash
+# Version: 0.2.9
+# Copyright (c) 2005-2017:
+# Darren 'Tadgy' Austin
+# Licensed under the terms of the GNU General Public License version 3.
+
+EXEC="/usr/sbin/in.tftpd"
+ARGS=(--listen --address=FIXME --user tftp --secure /data/tftpboot)
+PIDFILE=""
+
+checkconfigured() {
+ # This function can be used to perform any pre-start tests; hopfully to insure the daemon
+ # can start correctly, before actually trying to start it. A return value of 0 means the
+ # tests were passed and the daemon should be started. Any other value prevents the
+ # daemon from being started and an error message will be emitted.
+ return 0
+}
+
+checkstatus() {
+ local RUNPIDS="$(pgrep -f "$EXEC")"
+ if [ ! -z "$RUNPIDS" ]; then
+ echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
+ if [ ! -z "$PIDFILE" ]; then
+ if [ ! -e "$PIDFILE" ]; then
+ echo -n ", but .pid file does not exist"
+ elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
+ echo -n ", but .pid file is stale"
+ fi
+ fi
+ echo
+ else
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
+ return 1
+ fi
+ return 0
+}
+
+startdaemon() {
+ if ! checkconfigured; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
+ return 1
+ elif [ ! -e "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
+ return 1
+ elif [ ! -x "$EXEC" ]; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
+ return 1
+ fi
+ "$EXEC" "${ARGS[@]}"
+ return $?
+}
+
+stopdaemon() {
+ if ! 
kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
+ kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+ fi
+ sleep 2
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
+ kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
+ fi
+ return 0
+}
+
+case "$1" in
+ 'start')
+ if checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'stop')
+ if ! checkstatus >/dev/null; then
+ echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
+ echo " Try: $BASH_SOURCE status" >&2
+ ERR=1
+ else
+ stopdaemon
+ ERR=$?
+ fi
+ ;;
+ 'restart')
+ if checkstatus >/dev/null; then
+ stopdaemon && sleep 2 && startdaemon
+ ERR=$?
+ else
+ startdaemon
+ ERR=$?
+ fi
+ ;;
+ 'status')
+ checkstatus
+ ERR=$?
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
+
+return $ERR 2>/dev/null || exit $ERR
diff --git a/utils/check_dependancies b/utils/check_dependancies
new file mode 100755
index 0000000..29e71ea
--- /dev/null
+++ b/utils/check_dependancies
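Review bot: ARGS in rc.tftpd carries the placeholder `--address=FIXME`, and checkconfigured() returns 0 unconditionally, so an unedited copy of this script passes the pre-start checks and hands the literal string to in.tftpd; the hook that exists for exactly this is the place to catch it, with `[[ "${ARGS[*]}" == *FIXME* ]] && return 1` ahead of the `return 0`, which makes startdaemon print its "pre-start checks failed" message instead. With PIDFILE set to the empty string, `cat "$PIDFILE"` always fails and stopdaemon always falls through to the `pgrep -f "$EXEC"` path, so the over-broad match and the single-argument kill noted on rc.rsyncd apply here on every stop rather than only when the pidfile is missing.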
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Version: 0.0.2
+# Copyright (c) 2007 - 2017:
+# Darren 'Tadgy' Austin
+# Licensed under the terms of the GNU General Public License version 3.
+#
+# This is a quick^Wslow dirty hack to check binaries and libraries for missing
+# dependancies using ldd. Only those files with missing dependancies (along
+# with the missing library information itself) will be written to stderr.
+# Redirecting stderr to a file is advised, since this can produce a large
+# volume of output on a system with many missing libraries.
+
+echo "This will take a while..."
+
+{ find -P ${1:-/} -regextype posix-extended \
+ \( -regex "^/(boot|data|dev|etc|home|lost\+found|media|mnt|proc|root|run|srv|sys|tmp|var)" -a -prune \) -o \
+ \( -regex "^/lib(64)?/ld-.*" -a -prune \) -o \
+ \( -regex "^/lib/(dhcpcd|firmware|modprobe\.d|modules)" -a -prune \) -o \
+ \( -regex "^/(opt|usr|usr/local)/(doc|etc|include|info|man|share|src)" -a -prune \) -o \
+ \( -regex "^/usr/lib(64)?/(firefox|java|jdk|jre|seamonkey|thunderbird)-.*" -a -prune \) -o \
+ \( -regex "^/usr/lib(64)?/(locale|qt/plugins/.*.debug)" -a -prune \) -o \
+ -type f -print0 | \
+ xargs -0 -r file -N -0 | egrep -a ".*ELF.*(executable|shared object).*dynamically" | cut -d $'\0' -f1 | sort | \
+ xargs -r ldd 2>/dev/null | egrep "(^/|not found)" | egrep -B 1 "^[[:space:]]" | egrep -v "^--" ; } >&2
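Review bot: The pipeline ends in `xargs -r ldd` over every dynamically linked ELF it finds, and ldd's own manual warns that with some loaders it can end up executing the object it inspects, so the prune list (home, tmp, var, data, …) is doing real safety work here and that intent should be written down; a header comment such as `# The prune list deliberately skips user-writable trees: ldd may execute what it inspects, so never point this at untrusted files.` keeps it from being "tidied" away later. Every prune regex is anchored on `^/`, so passing a different root as `$1` (which is also left unquoted in `find -P ${1:-/}`) silently disables all of the pruning; either quote it and document that only `/` is supported, or derive the patterns from `$1`. `egrep` is the deprecated spelling; `grep -E` is a drop-in replacement and the `-a`, `-B 1` and `-v` flags carry over unchanged.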