Slackware/bootstrap
1
0
Fork 0
Code Releases Wiki Activity

Initial commit.

Browse source
This commit is contained in:
Darren 'Tadgy' Austin 2020-09-29 16:40:13 +01:00
commit 3d665e5e11
72 changed files with 3200 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

40
01-install-base-files Executable file
View file

@ -0,0 +1,40 @@
#!/bin/bash
umask 022
# Install the LetsEncrypt CA bundles, to stop wget moaning.
cp -R ca-certificates /usr/local/share
update-ca-certificates
# Install memtest86 into /boot.
# Only install if /boot exists, so we are container compatible.
[ -e /boot ] && cp memtest86+ /boot
# Install root's new crontab.
cat root.crontab >/var/spool/cron/crontabs/root
/etc/rc.d/rc.crond restart
# Install the /etc files.
cd base-files
IFS=$'\n'
for dir in $(find . -type d | sort | sed -re 's/^\.\///'); do
mkdir -p -m 755 /etc/$dir
done
for file in $(find . -type f | sort | sed -re 's/^\.\///'); do
cat "$file" >"/etc/$file"
done
# Correct file/directory specific permissions.
chmod 755 /etc/cron.daily/update-slackpkg-template
chmod 755 /etc/cron.daily/warn-git-status
chmod 755 /etc/cron.hourly/log-acls
chmod 755 /etc/initscript
chmod 755 /etc/profile.d/biff.csh
chmod 755 /etc/profile.d/biff.sh
chmod 755 /etc/profile.d/lang.csh
chmod 755 /etc/profile.d/lang.sh
chmod 755 /etc/profile.d/less.csh
chmod 755 /etc/profile.d/less.sh
chmod 755 /etc/profile.d/optpaths.csh
chmod 755 /etc/profile.d/optpaths.sh
chmod 750 /etc/sudoers.d

110
02-system-setup Executable file
View file

@ -0,0 +1,110 @@
#!/bin/bash
# Re-generate root's password for longer hash.
passwd root
# Make Tadgy's account.
adduser tadgy
# Move the 'console' group. I dislike it above 100.
grep "^console:x:101:" /etc/group >/dev/null && groupmod -g 97 console
grpconv
# Add group 'admin', and make root and Tadgy a member.
grep "^admin:" /etc/group >/dev/null || groupadd -g 101 admin
usermod -aG admin root
usermod -aG admin tadgy
# Restrict access to 'logger', since it can be used to spam the logs.
chown root:admin /usr/bin/logger
chmod 750 /usr/bin/logger
# Copy ssh keys into place for root and tadgy.
mkdir -p -m 0700 /root/.ssh
cp authorized_keys /root/.ssh
mkdir -p -m 0700 /home/tadgy/.ssh
cp authorized_keys /home/tadgy/.ssh
chown -R tadgy:users /home/tadgy/.ssh
# Encrypt the databases so they can be checked into git.
echo "Encrypting /etc/shadow..."
gpg -c -o /etc/shadow.gpg /etc/shadow
echo "Encrypting /etc/gshadow..."
gpg -c -o /etc/gshadow.gpg /etc/gshadow
# Create /opt directories.
mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}
# Create log archive directories and move old log files.
[ ! -d /var/log/Archived/pre-sysconfig ] && {
mkdir -p -m 750 /var/log/Archived
mkdir -p -m 750 /var/log/Archived/pre-sysconfig
mv /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}} /var/log/Archived/pre-sysconfig/ 2>/dev/null
}
# Stop syslog from producing a "MARK" every 20 minutes.
# -current 20200626 uses /etc/default now, this is not required.
# sed -i /etc/rc.d/rc.syslog -r -e '/^#SYSLOGD_OPTIONS/ s/#//' -e '/^SYSLOGD_OPTIONS/ s/"-c "$/"-c -m 0"/'
# Restart syslogd.
/etc/rc.d/rc.syslog restart
# Restart ntpd.
[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart
# Restart sshd.
/etc/rc.d/rc.sshd restart
# Keep an su'ers log.
touch /var/log/sulog
# Keep fail2ban logs.
touch /var/log/fail2ban
# Add an rc.local_shutdown script if it doesn't exist already.
[ ! -e /etc/rc.d/rc.local_shutdown ] && {
echo "#!/bin/sh" >/etc/rc.d/rc.local_shutdown
echo "# /etc/rc.d/rc.local_shutdown - Local system shutdown script." >>/etc/rc.d/rc.local_shutdown
echo "# This script will be run when the system is shutdown or rebooted." >>/etc/rc.d/rc.local_shutdown
chmod 755 /etc/rc.d/rc.local_shutdown
}
# To clear all ACLs:
# setfacl -Rk /path
# setfacl -Rd group:admin: /path
# setfacl -Rx mask:: /path
# Secure /var/log
# Set standard access perms for directories
setfacl -m user::rwx,group::rx,other::x /var/log/
setfacl -m user::rwx,group::rx,other::- /var/log/*/ /var/log/*/*/
# Set standard access perms for files
find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
# Allow group 'admin' read access to all directories/files
setfacl -m group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
find /var/log -type f -exec setfacl -m group:admin:r {} \;
# Set default access for new files in directories.
setfacl -dm user::rwX,group::rX,other::- /var/log/ /var/log/*/ /var/log/*/*/
setfacl -dm group:admin:rX /var/log/ /var/log/*/ /var/log/*/*/
# /var/log/wtmp needs to be readable by everyone
setfacl -m user::rw,group::r,other::r /var/log/wtmp
# Secure /root
# Set standard access perms for directories
find /root -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
# Set standard access perms for files
find /root -type f -exec setfacl -m user::rwX,group::rX,other::- {} \;
# Allow group 'admin' read access to all files/dirs
find /root -type d -exec setfacl -m group:admin:rX {} \;
find /root -type f -exec setfacl -m group:admin:rX {} \;
# Set default access for new files/dirs
find /root -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
find /root -type d -exec setfacl -dm group:admin:rX {} \;
# Clean up some cruft.
rm -rf /etc/nntpserver /etc/lilo.conf_example
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man
# Finally, check for FIXMEs.
echo "There may be some FIXMEs to attend to:"
grep -R FIXME /etc | egrep -v "^/etc/(\.git|file|magic|misc)"

2
authorized_keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsx4EY4vbDt0TXGZsW9UjOxj+s/mVeytJ7lW5rAu0gS Darren 'Tadgy' Austin <darren@afterdark.org.uk>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtsRUCRcju+l1TrfwGQ/PCcXBwN8bTCcmS0PYbdu13XJQ9DijTZsU7m2k8pi2fFU0VG5+C57i4FhkV3J7Ngpu0XDM4CPuoq2agRTEMXZlHu0aO8mEaPBli5oEkx/m1yinL0FapDfxMkeLDp3eHL0Gw2I0G6Kg8j4jl0pz4uYPLrrMbcWgEin+ijUE71lRXXJ2U6whCFBz991XDTkyX9a3CMAKIjYq0qTMyBGWUzHVNVPCXXa1bcK6Jj6jlkW1oowfccof3mDtm5Tef54pFAWS6yYSM+XkmCStknDInKI/fL54LnH6PZxEz2wdRXArMNk80gNyzLbOqEddnaoTaSowTIcXOUyzMrgyf/c2WZp9Ss05kgt6e+sTFqEREt1oslGP8s2rtvhRCyAaQM0X5TutqycLeNbm7duKmb4FuYvRqbi6ECqrUZ5roz5ushrtEvUY74xmo3Wt5/6piDV7VTCLUqNJNcB+rPFLG+LYUS+G1w4HZGXXgIERcHHDdvt4LQm0= Darren 'Tadgy' Austin <darren@afterdark.org.uk>

161
base-files/.gitignore vendored Normal file
View file

@ -0,0 +1,161 @@
# Files which should never be tracked, for security.
gshadow
shadow
ssh/*_key
# Temporary, backup, sample and dist files.
*.swp
.pwd.lock
group-
gshadow-
passwd-
shadow-
*.example
*-example
*_example
*.sample
*-sample
*_sample
*.dist
# Dynamically created files.
adjtime
ca-certificates.conf
ld.so.cache
random-seed
# Files that don't need to be tracked.
DIR_COLORS
X11/
bind.keys
bindresvport.blacklist
cgconfig.conf
cgred.conf
cgrules.conf
cgsnapshot_blacklist.conf
cron.daily/certwatch
cron.daily/logrotate
cron.daily/man-db
cron.daily/mlocate
dbus-1/
default/cpufreq
default/crond
default/kadmind
default/kpropd
default/krb5kdc
default/lxc
default/sshd
default/useradd
dhcpcd.conf
dnsmasq.conf
e2scrub.conf
ethertypes
fail2ban/*.conf
fail2ban/action.d/*.conf
fail2ban/action.d/*.py
fail2ban/filter.d/ignorecommands
fail2ban/filter.d/*.conf
fb.modes
file/
host.conf
hosts.allow
hosts.deny
hosts.equiv
init.d
inputrc
iproute2/
issue
issue.net
ld.so.conf
libnl/
localtime
localtime-copied-from
login.access
lxc/default.conf
lynx.cfg
lynx.lss
man_db.conf
mcelog/mcelog.conf
mcelog/*-trigger
misc
mke2fs.conf
modprobe.d/README
mtab
named.conf
nanorc
netconfig
nntpserver
nsswitch.conf
ntp.keys
os-release
profile.d/coreutils-dircolors.*
profile.d/gawk.*
profile.d/glibc.*
profile.d/man-db.*
profile.d/z-dot-in-non-root-path.*
protocols
!rc.d/init.d/
rc.d/init.d/README.functions
rc.d/init.d/functions
rc.d/rc.0
rc.d/rc.4
rc.d/rc.6
rc.d/rc.K
rc.d/rc.M
rc.d/rc.S
rc.d/rc.bind
rc.d/rc.cgconfig
rc.d/rc.cgmanager
rc.d/rc.cgproxy
rc.d/rc.cgred
rc.d/rc.cpufreq
rc.d/rc.crond
rc.d/rc.dnsmasq
rc.d/rc.fail2ban
rc.d/rc.font
rc.d/rc.haveged
rc.d/rc.inet1
rc.d/rc.inet2
rc.d/rc.ip_forward
rc.d/rc.kadmind
rc.d/rc.kpropd
rc.d/rc.krb5kdc
rc.d/rc.libvirt
rc.d/rc.loop
rc.d/rc.lxc
rc.d/rc.mcelog
rc.d/rc.messagebus
rc.d/rc.modules
rc.d/rc.ntpd
rc.d/rc.qemu-ga
rc.d/rc.saslauthd
rc.d/rc.serial
rc.d/rc.setterm
rc.d/rc.smartd
rc.d/rc.sshd
rc.d/rc.sysstat
rc.d/rc.sysvinit
rc.d/rc.udev
rc.d/rc.vnstat
rc?.d
!rc.d/rc?.d/
request-key.conf
rmt
screenrc
sensors3.conf
serial.conf
services
shells
skel/.screenrc
slackware-version
smartd_warning.sh
ssh/moduli
ssl/
sudoers
sysstat/
termcap
udev/
updatedb.conf
vi.exrc
wgetrc
xattr.conf

3
base-files/cron.daily/update-slackpkg-template Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash
slackpkg -batch=on -default_answer=y generate-template "$HOSTNAME" >/dev/null

9
base-files/cron.daily/warn-git-status Executable file
View file

@ -0,0 +1,9 @@
#!/bin/bash
source /etc/mail.conf "etc-git" || exit 1
cd /etc
OUTPUT="$(git status | egrep -ve "^(On branch|Your branch|No commits|nothing|$)" -e "\(use")"
[[ ! -z "$OUTPUT" ]] && mailx "${MAILX_ARGS[@]}" -r "$EMAIL_FROM" -s "/etc git status" "${EMAIL_TO[@]}" <<< "$OUTPUT"

24
base-files/cron.hourly/log-acls Executable file
View file

@ -0,0 +1,24 @@
#!/bin/bash
# Sleep for a couple of minutes to prevent a race condition with other cron jobs.
sleep 120
# Secure /var/log
# Set standard access perms for directories
setfacl -m user::rwx,group::rx,other::x /var/log/
find /var/log/*/ -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
# Set standard access perms for files
find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
# Allow group 'admin' read access to all directories/files
find /var/log -type d -exec setfacl -m group:admin:rX {} \;
find /var/log -type f -exec setfacl -m group:admin:r {} \;
# Set default access for new files in directories.
find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
find /var/log -type d -exec setfacl -dm group:admin:rX {} \;
# /var/log/wtmp needs to be readable by everyone
setfacl -m user::rw,group::r,other::r /var/log/wtmp
# To clear above ACL settings:
# setfacl -Rk /path
# setfacl -Rx group:admin: /path
# setfacl -Rx mask:: /path

45
base-files/csh.login Normal file
View file

@ -0,0 +1,45 @@
# System wide set up for the csh and tcsh shells.
# The default search path.
set path = ( /usr/bin /bin /usr/local/bin )
# Add sbin paths for root users.
if ( { [ "`id -u`" = "0" -o "`id -g`" = "0" ] } ) \
set path = ( /usr/sbin /sbin /usr/local/sbin $path )
# Set path to include a user's private bin if it exists.
if ( -d ~/bin ) set path = ( ~/bin $path )
# Append /usr/games to path if it exists.
if ( -d /usr/games ) set path = ( $path /usr/games )
# Set a default terminal type if none was detected.
if ! $?TERM setenv TERM linux
if ( "$TERM" == "" ) setenv TERM linux
if ( "$TERM" == "unknown" ) setenv TERM linux
# Use the system inputrc if the user does not have their own.
if ( ! -r ~/.inputrc ) setenv INPUTRC /etc/inputrc
# Set an empty MANPATH if none exists (this prevents some profile.d scripts from exiting from trying to access an unset variable):
if ! $?MANPATH setenv MANPATH ""
# Set the HOSTNAME environment variable.
setenv HOSTNAME "`cat /etc/HOSTNAME`"
# Shell prompt.
set prompt = "%n@%m:%~%# "
# Use a reasonable create mask.
umask 022
# Set up any further environment from files in /etc/profile.d/.
if ( -d /etc/profile.d ) then
set nonomatch
foreach file ( /etc/profile.d/*.csh )
if ( -x $file ) then
source $file
endif
end
unset file nonomatch
endif

4
base-files/default/syslogd Normal file
View file

@ -0,0 +1,4 @@
# Options for the syslog daemon.
# Default is "-s" to run in secure mode - not accepting network connections.
# For other options, see syslog(8).
SYSLOGD_OPTS="-s -k -m 0"

1
base-files/dialogrc Normal file
View file

@ -0,0 +1 @@
# This file is intentionally empty.

75
base-files/fail2ban/fail2ban.local Normal file
View file

@ -0,0 +1,75 @@
[DEFAULT]
# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
#
logtarget = syslog[facility=LOCAL0]
# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
#syslogsocket = auto
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban.pid
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
# dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
#dbpurgeage = 1d
# Options: dbmaxmatches
# Notes.: Number of matches stored in database per ticket (resolvable via
# tags <ipmatches>/<ipjailmatches> in actions)
# Values: [ INT ] Default: 10
#dbmaxmatches = 10
[Definition]
[Thread]
# Options: stacksize
# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
# and must be 0 or a positive integer value of at least 32.
# Values: [ SIZE ] Default: 0 (use platform or configured default)
#stacksize = 0

61
base-files/fail2ban/jail.local Normal file
View file

@ -0,0 +1,61 @@
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 91.109.244.0/24 ::1 2a02:2498:1:227::/64 afterdark.org.uk
# "bantime" is the number of seconds that a host is banned.
bantime = 12h
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 2h
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@<fq-hostname>
#
# JAILS
#
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = yes
port = 9922
#[apache-auth]
#enabled = yes
#

25
base-files/fail2ban/paths-overrides.local Normal file
View file

@ -0,0 +1,25 @@
[DEFAULT]
syslog_mail = /var/log/smtpd
syslog_mail_warn = /var/log/smtpd
syslog_authpriv = /var/log/messages
syslog_auth = /var/log/messages
syslog_user = /var/log/messages
syslog_ftp = /var/log/ftpd
syslog_daemon = /var/log/messages
syslog_local0 = /var/log/messages
apache_error_log = /var/log/httpd/*error.log
apache_access_log = /var/log/httpd/*access.log
# Default for Slackware provided below,
# please change according to your proftpd config file.
proftpd_log = /var/log/ftpd

15
base-files/filesystems Normal file
View file

@ -0,0 +1,15 @@
ext4
ext3
ext2
iso9660
vfat
ntfs
msdos
reiserfs
btrfs
jfs
xfs
romfs
udf
minix
*

6
base-files/hardwareclock Normal file
View file

@ -0,0 +1,6 @@
# /etc/hardwareclock
#
# Tells how the hardware clock time is stored.
# You should run timeconfig to edit this file.
UTC

7
base-files/initscript Executable file
View file

@ -0,0 +1,7 @@
PATH="/opt/sbin:/usr/local/sbin:/usr/sbin:/sbin:/opt/bin:/usr/local/bin:/usr/bin:/bin"
PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
PYTHONPATH="/opt/lib64/python2.7/site-packages"
export PATH PERL5LIB PYTHONPATH
eval exec "$4"

63
base-files/inittab Normal file
View file

@ -0,0 +1,63 @@
# These are the default runlevels in Slackware:
# 0 = halt
# 1 = single user mode
# 2 = unused (but configured the same as runlevel 3)
# 3 = multiuser mode (default Slackware runlevel)
# 4 = X11 with KDM/GDM/XDM (session managers)
# 5 = unused (but configured the same as runlevel 3)
# 6 = reboot
# Default runlevel. Do not set to 0 or 6.
id:3:initdefault:
# System initialization (runs when system boots).
si:S:sysinit:/etc/rc.d/rc.S
# Script to run when going single user (runlevel 1).
su:1S:wait:/etc/rc.d/rc.K
# Script to run when going multi user.
rc:2345:wait:/etc/rc.d/rc.M
# What to do at the "Three Finger Salute".
ca::ctrlaltdel:/sbin/shutdown -t5 -r now
# Runlevel 0 halts the system.
l0:0:wait:/etc/rc.d/rc.0
# Runlevel 6 reboots the system.
l6:6:wait:/etc/rc.d/rc.6
# What to do when power fails.
pf::powerfail:/sbin/genpowerfail start
# FIXME: If running in a LXC container, use this.
# pf::powerfail:/sbin/shutdown -h now
# If power is back, cancel the running shutdown.
pg::powerokwait:/sbin/genpowerfail stop
# FIXME: If running in a LXC container, use this.
# pg::powerokwait:/sbin/shutdown -c
# These are the standard console login getties in multiuser mode.
c1:12345:respawn:/sbin/agetty --noclear 38400 tty1 linux
c2:12345:respawn:/sbin/agetty 38400 tty2 linux
#c3:12345:respawn:/sbin/agetty 38400 tty3 linux
#c4:12345:respawn:/sbin/agetty 38400 tty4 linux
#c5:12345:respawn:/sbin/agetty 38400 tty5 linux
#c6:12345:respawn:/sbin/agetty 38400 tty6 linux
#c7:12345:respawn:/sbin/agetty 38400 tty7 linux
#c8:12345:respawn:/sbin/agetty 38400 tty8 linux
#c9:12345:respawn:/sbin/agetty 38400 tty9 linux
#c10:12345:respawn:/sbin/agetty 38400 tty10 linux
# Local serial lines.
#s1:12345:respawn:/sbin/agetty -L ttyS0 9600 vt100
#s2:12345:respawn:/sbin/agetty -L ttyS1 9600 vt100
# Dialup lines.
#d1:12345:respawn:/sbin/agetty -mt60 38400,19200,9600,2400,1200 ttyS0 vt100
#d2:12345:respawn:/sbin/agetty -mt60 38400,19200,9600,2400,1200 ttyS1 vt100
# Runlevel 4 also starts /etc/rc.d/rc.4 to run a display manager for X.
# Display managers are preferred in this order: gdm, kdm, xdm.
x1:4:respawn:/etc/rc.d/rc.4

1
base-files/ld.so.conf.d/opt.conf Normal file
View file

@ -0,0 +1 @@
/opt/lib64

287
base-files/login.defs Normal file
View file

@ -0,0 +1,287 @@
#
# /etc/login.defs - Configuration control definitions for the shadow package.
#
# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
#
#
# Delay in seconds before being allowed another attempt after a login failure
#
FAIL_DELAY 1
#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB yes
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04
#
# If defined, all su activity is logged to this file.
#
SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP tty
TTYPERM 0620
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
#
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
#
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 101
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 101
SYS_GID_MAX 999
#
# Max number of login retries if password is bad
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
#
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 13
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# Most of these groups are self-explanatory, but in the case of
# "lp", it is because group lp is needed to use a scanner that
# is part of a multifunction printer.
#
# Note that users are added to these default groups only when
# logging into a shell with /bin/login, not when using a login
# manager such as kdm. In that case, users who should have
# hardware access must be added to the appropriate groups
# when the user is added with adduser or useradd, or by editing
# /etc/group directly, preferably using "vigr"
#
CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner
#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-nul number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permit to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd should create home directories for users by default (non
# system users only)
# This option is overridden with the -M or -m flags on the useradd command
# line.
#
#CREATE_HOME yes

25
base-files/logrotate.conf Normal file
View file

@ -0,0 +1,25 @@
# Rotate log files on a monthly basis.
monthly
# Name files based upon the year/month they are rotated.
dateext
dateformat -%Y-%m
dateyesterday
# Compress rotated logs.
compress
# Keep 5 years of old logs (just to be sure).
rotate 60
# Move rotated logs to this directory.
olddir /var/log/Archived
# After rotating, create new (empty) files with the same owner/perms.
create
# E-mail logs which are about to be deleted to this address.
# mail root@example.com
# Read log specific configurations.
include /etc/logrotate.d

6
base-files/logrotate.d/btmp Normal file
View file

@ -0,0 +1,6 @@
# The btmp login failure records are not rotated by default.
# Uncomment the lines below to enable rotation of btmp.
# /var/log/btmp {
# # No specific options.
# }

2
base-files/logrotate.d/lastlog Normal file
View file

@ -0,0 +1,2 @@
# This file is for information only.
# /var/log/lastlog should not be rotated as it is a database, not a log file.

7
base-files/logrotate.d/ntp Normal file
View file

@ -0,0 +1,7 @@
/var/log/ntp {
notifempty
missingok
postrotate
[ -x /etc/rc.d/rc.ntpd ] && /etc/rc.d/rc.ntpd restart || true
endscript
}

3
base-files/logrotate.d/sulog Normal file
View file

@ -0,0 +1,3 @@
/var/log/sulog {
# No specific options.
}

6
base-files/logrotate.d/syslog Normal file
View file

@ -0,0 +1,6 @@
/var/log/messages /var/log/fail2ban {
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/syslogd.pid) >/dev/null 2>&1 || true
endscript
}

6
base-files/logrotate.d/wtmp Normal file
View file

@ -0,0 +1,6 @@
# The wtmp login records are not rotated by default.
# Uncomment the lines below to enable rotation of wtmp.
# /var/log/wtmp {
# # No specific options.
# }

24
base-files/mail.conf Normal file
View file

@ -0,0 +1,24 @@
# This file is sourced by various scripts that need to send emails.
case "${HOSTNAME#*.}" in
slackware.uk)
EMAIL_DOMAIN="slackware.uk"
;;
*)
EMAIL_DOMAIN="opensourcerers.uk"
;;
esac
EMAIL_FROM="${HOSTNAME%%.*} <noreply@$EMAIL_DOMAIN>"
case "$1" in
sbosrcarch)
EMAIL_TO=("Systems Administrator <sysadmin@$EMAIL_DOMAIN>")
MAILX_ARGS=("-c" "Urchlay <yalhcru@gmail.com>")
;;
*)
EMAIL_TO=("Systems Administrator <sysadmin@$EMAIL_DOMAIN>")
;;
esac
true

101
base-files/motd Normal file
View file

@ -0,0 +1,101 @@
# FIXME: choose correct motd banner.
____ _
| __ ) ___ _ __ __| | ___ _ __
| _ \ / _ \| '_ \ / _` | / _ \| '__|
| |_) || __/| | | || (_| || __/| |
|____/ \___||_| |_| \__,_| \___||_|
_____
| ___|_ __ _ _
| |_ | '__|| | | |
| _| | | | |_| |
|_| |_| \__, |
|___/
_ _
| | ___ ___ | | __ _
| | / _ \ / _ \| | / _` |
| |___| __/| __/| || (_| |
|_____|\___| \___||_| \__,_|
_
/ \ _ __ ___ _ _
/ _ \ | '_ ` _ \ | | | |
/ ___ \ | | | | | || |_| |
/_/ \_\|_| |_| |_| \__, |
|___/
____ __
| _ \ _ __ ___ / _| ___ ___ ___ ___ _ __
| |_) || '__|/ _ \ | |_ / _ \/ __|/ __| / _ \ | '__|
| __/ | | | (_) || _|| __/\__ \\__ \| (_) || |
|_| |_| \___/ |_| \___||___/|___/ \___/ |_|
_____ _ _ _
|__ / ___ (_) __| || |__ ___ _ __ __ _
/ / / _ \ | | / _` || '_ \ / _ \| '__|/ _` |
/ /_| (_) || || (_| || |_) || __/| | | (_| |
/____|\___/ |_| \__,_||_.__/ \___||_| \__, |
|___/
_ _
| | | | ___ _ __ _ __ ___ ___ ___
| |_| | / _ \| '__|| '_ ` _ \ / _ \/ __|
| _ || __/| | | | | | | || __/\__ \
|_| |_| \___||_| |_| |_| |_| \___||___/
_____
|__ / __ _ _ __ _ __
/ / / _` || '_ \ | '_ \
/ /_| (_| || |_) || |_) |
/____|\__,_|| .__/ | .__/
|_| |_|
_ __ _ __
| |/ /(_) / _|
| ' / | || |_
| . \ | || _|
|_|\_\|_||_|
_ _ _ _ _ _
| \ | |(_)| |__ | |__ | | ___ _ __
| \| || || '_ \ | '_ \ | | / _ \| '__|
| |\ || || |_) || |_) || || __/| |
|_| \_||_||_.__/ |_.__/ |_| \___||_|
____ __ __
/ ___| ___ _ __ _ _ / _| / _| _ _
\___ \ / __|| '__|| | | || |_ | |_ | | | |
___) || (__ | | | |_| || _|| _|| |_| |
|____/ \___||_| \__,_||_| |_| \__, |
|___/
_ _
__ |``: __ ___. | , __ __ __ _ ___
(__` |`` __) / ` |.( | | __) |'` /___)
| .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__.
|
|__________________________________________________ | | |_/
\_/ | \
_ _
__ |``: __ ___. | , __ __ __ _ ___
(__` |`` __) / ` |.( | | __) |'` /___)
| .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__.
| _ _ _ _ _ _ _ _
|___________________________________ |V| | |_) |_) / \ |_)
| | _|_ | \ | \ \_/ | \
_ _
__ |``: __ ___. | , __ __ __ _ ___
(__` |`` __) / ` |.( | | __) |'` /___)
| .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__.
| __ __ __ _ _ _
|_______________________________ (_ |_ |_ | \ |_) / \ \_/
__} |__ |__ |_/ |_) \_/ / \
_ _
__ |``: __ ___. | , __ __ __ _ ___
(__` |`` __) / ` |.( | | __) |'` /___)
| .__) _|_ (__|_ '.__. _| \_ \_/\_/ (__|_ _|_ '.__.
| _ _ _ _
|____________________________________ |_) /_\ / |_/ | | |_)
|_) | | \_ | \ \_/ |

1
base-files/msmtp/aliases Normal file
View file

@ -0,0 +1 @@
default: sysadmin@opensourcerers.uk

16
base-files/msmtp/msmtprc Normal file
View file

@ -0,0 +1,16 @@
account default
host mail.opensourcerers.net
timeout 300
# FIXME: Set domain
domain host.opensourcerers.net
# FIXME: Enable TLS.
# tls on
# tls_starttls on
# tls_trust_file /path/to/ca-certificate.pem
# tls_cert_file /path/to/server-certificate.pem
# tls_key_file /path/to/server-key.pem
# tls_certcheck on
auto_from on
maildomain opensourcerers.uk
syslog LOG_MAIL
aliases /etc/msmtp/aliases

110
base-files/nail.rc Normal file
View file

@ -0,0 +1,110 @@
# Configuration file for Mailx (formerly "nail").
# See mailx(1) for further options.
# Do not move messages from the system mailbox to a local mbox.
set hold
# Messages will be appended (rather than prepended) to mboxes.
# This should usually always be set.
# This has no effect unless 'hold' is unset again.
set append
# Always ask for a subject when composing a message interactively.
set ask
# Assume a CRT-like terminal and invoke a pager.
set crt
# Messages may be terminated by a dot.
set dot
# Do not remove empty mail folders in the spool directory.
# This may be relevant for privacy since other users could
# otherwise create them with different permissions.
set keep
# Do not remove empty mail folders.
set emptybox
# Quote the original message in replies by "> " as usual on the Internet.
set indentprefix="> "
# Automatically quote the text of the message that is responded to.
set quote
# Outgoing messages are sent in UTF-8 if possible, otherwise LATIN1.
set sendcharsets=utf-8,iso-8859-1
# Display sender's real names in header summaries.
set showname
# Display the recipients of messages sent by the user himself in
# header summaries.
set showto
# Automatically check for new messages at each prompt, but avoid polling
# of IMAP servers or maildir folders.
set newmail=nopoll
# If threaded mode is activated, automatically collapse thread.
set autocollapse
# Mark messages that have been answered.
set markanswered
# Hide some header fields which are uninteresting for most human readers.
ignore received in-reply-to message-id references
ignore mime-version content-transfer-encoding
# Only include selected header fields when forwarding messages.
headerpick forward retain subject date from to cc
# Use a directory named 'mail' in the users homedir to hold mailboxes.
set folder=mail/
# Keep the comment/name part of email addresses when replying.
set fullnames
# Use 'less' for paged output.
set PAGER=/usr/bin/less
# When spawning an editor in compose mode, allow editing of headers.
set editheaders
# Startup into interactive mode even if the (given) mailbox is empty.
set emptystart
# Add more entries to the history as is done by default.
# The latter will cause the built-in editor to save those entries, too.
set history-gabby all history-gabby-persist
# Try to circumvent false or missing MIME Content-Type descriptions.
# Do set a value for extended behaviour (see the manual).
#set mime-counter-evidence
set mime-counter-evidence=0b1111
# Do not move `save'd or `write'n message to $MBOX by default since this is
# likely to be irritating for most users today.
set keepsave
# When replying, do not merge From: and To: of the original message
# into To:. Instead old From: -> new To:, old To: -> merge Cc:.
set recipients-in-cc
# Whether a Mail-Followup-To: header is honoured when group-replying.
set followup-to-honour=ask-yes
# Whether a Reply-To: header is honoured when replying.
set reply-to-honour=ask-yes
# When sending a message, wait until the MTA (including the built-in SMTP one)
# exits before accepting further commands. Only with this variable set are
# errors reported by the MTA recognised!
set sendwait
# Only include these selected header fields when printing messages.
retain date sender from to cc subject message-id mail-followup-to reply-to
# Use an SMTP server rather than 'sendmail' to deliver mail.
# Set to the IP/Name of an SMTP server which will accept mail from this host.
# set smtp=mail.example.com

34
base-files/ntp.conf Normal file
View file

@ -0,0 +1,34 @@
# NTP servers to sync to.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Sync to local clock if no servers are available.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# By default, restrict access to the service.
restrict -4 default limited nomodify noquery nopeer notrap kod
restrict -6 default limited nomodify noquery nopeer notrap kod
# Allow localhost to query the service, but nothing else.
restrict -4 127.0.0.1 limited nomodify nopeer notrap kod
restrict -6 ::1 limited nomodify nopeer notrap kod
# Allow local networks to sync with us.
# Edit the network address and mask below, and uncomment.
# restrict 192.168.1.0 mask 255.255.255.0 limited nomodify nopeer notrap kod
# Where to store the drift calculation.
driftfile /var/lib/ntp/drift
# Stats should be written here.
statsdir /var/lib/ntp/stats
# PID file location.
pidfile /var/run/ntpd.pid
# Disable the ntpdc -c monlist command, which is insecure and can be used
# to cause a denial of service attack (CVE-2013-5211).
disable monitor

52
base-files/profile Normal file
View file

@ -0,0 +1,52 @@
# System wide environment set up for the ash, bash, ksh and zsh shells.
# The default search path.
PATH=/usr/bin:/bin:/usr/local/bin
# Add sbin paths for root users.
[ "$(id -u)" = "0" -o "$(id -g)" = "0" ] && \
PATH=/usr/sbin:/sbin:/usr/local/sbin:$PATH
# Set PATH to include a user's private bin if it exists.
[ -d "~/bin" ] && PATH="~/bin:$PATH"
# Append /usr/games to PATH if it exists.
[ -d /usr/games ] && PATH=$PATH:/usr/games
# Set a default terminal type if none was detected.
[ "$TERM" = "" -o "$TERM" = "unknown" ] && TERM=linux
# Use the system inputrc if the user does not have their own.
[ ! -r ~/.inputrc ] && INPUTRC=/etc/inputrc
# Set the HOSTNAME environment variable.
HOSTNAME="$(cat /etc/HOSTNAME)"
# Shell prompts.
PS2='> '
PS3='#? '
PS4='+ '
# Custom setup for specific shells.
if [ -n "$ZSH_VERSION" ]; then # Zsh
PS1='%n@%m:%~%# '
elif ([ -n "${.sh.version}" ]) 2>/dev/null; then # Ksh
PS1='! ${PWD/#$HOME/~}$ '
alias hash='whence'
elif [ -n "$BASH_VERSION" ]; then # Bash
PS1='\u@\h:\w\$ '
else # Anything else
PS1='$ '
fi
# Use a reasonable create mask.
umask 022
# Set up any further environment from files in /etc/profile.d/.
for FILE in /etc/profile.d/*.sh; do
[ -x $FILE ] && . $FILE
done
unset FILE
# Export the environment just set up.
export PATH TERM INPUTRC MANPATH HOSTNAME PS1 PS2 PS3 PS4

1
base-files/profile.d/biff.csh Executable file
View file

@ -0,0 +1 @@
if ( -X biff ) biff y

3
base-files/profile.d/biff.sh Executable file
View file

@ -0,0 +1,3 @@
hash biff >/dev/null 2>&1 && {
biff y 2>/dev/null
}

28
base-files/profile.d/lang.csh Executable file
View file

@ -0,0 +1,28 @@
#!/bin/csh
# Set the system locale. (no, we don't have a menu for this ;-)
# For a list of locales which are supported by this machine, type:
# locale -a
# en_US.UTF-8 is the Slackware default locale. If you're looking for
# a different UTF-8 locale, be aware that some of them do not include
# UTF-8 or utf8 in the name. To test if a locale is UTF-8, use this
# command:
# LANG=<locale> locale -k charmap
# UTF-8 locales will include "UTF-8" in the output.
# If there are problems with certain programs and a UTF-8 locale, you
# can set LANG=C before starting them.
if ( "$LANG" == "" ) setenv LANG "en_GB-UTF8"
# 'C' is the old Slackware (and UNIX) default, which is 127-bit
# ASCII with a charmap setting of ANSI_X3.4-1968. These days,
# it's better to use en_US or another modern $LANG setting to
# support extended character sets.
# if ( "$LANG" == "" ) setenv LANG "C"
# One side effect of the newer locales is that the sort order
# is no longer according to ASCII values, so the sort order will
# change in many places. Since this isn't usually expected and
# can break scripts, we'll stick with traditional ASCII sorting.
# If you'd prefer the sort algorithm that goes with your $LANG
# setting, comment this out.
if ( "$LC_COLLATE" == "" ) setenv LC_COLLATE "C"

28
base-files/profile.d/lang.sh Executable file
View file

@ -0,0 +1,28 @@
#!/bin/sh
# Set the system locale. (no, we don't have a menu for this ;-)
# For a list of locales which are supported by this machine, type:
# locale -a
# en_US.UTF-8 is the Slackware default locale. If you're looking for
# a different UTF-8 locale, be aware that some of them do not include
# UTF-8 or utf8 in the name. To test if a locale is UTF-8, use this
# command:
# LANG=<locale> locale -k charmap
# UTF-8 locales will include "UTF-8" in the output.
# If there are problems with certain programs and a UTF-8 locale, you
# can set LANG=C before starting them.
export LANG="${LANG:-en_GB.UTF-8}"
# 'C' is the old Slackware (and UNIX) default, which is 127-bit
# ASCII with a charmap setting of ANSI_X3.4-1968. These days,
# it's better to use en_US or another modern $LANG setting to
# support extended character sets.
# export LANG=${LANG:-C}
# One side effect of the newer locales is that the sort order
# is no longer according to ASCII values, so the sort order will
# change in many places. Since this isn't usually expected and
# can break scripts, we'll stick with traditional ASCII sorting.
# If you'd prefer the sort algorithm that goes with your $LANG
# setting, comment this out.
export LC_COLLATE="${LC_COLLATE:-C}"

10
base-files/profile.d/less.csh Executable file
View file

@ -0,0 +1,10 @@
if ( -X less ) then
# Default options for less.
setenv LESS "-M"
# Pre-process some files for less to display them correctly.
setenv LESSOPEN "|lesspipe.sh %s"
# Use less as the man page viewer.
setenv MANPAGER "less -M"
endif

10
base-files/profile.d/less.sh Executable file
View file

@ -0,0 +1,10 @@
hash less >/dev/null 2>&1 && {
# Default options for less.
export LESS="-M"
# Pre-process some files for less to display them correctly.
export LESSOPEN="|lesspipe.sh %s"
# Use less as the man page viewer.
export MANPAGER="less -M"
}

35
base-files/profile.d/optpaths.csh Executable file
View file

@ -0,0 +1,35 @@
if ( { [ "`id -u`" = "0" -o "`id -g`" = "0" ] } ) then
set path = ( $path /opt/sbin /opt/bin )
else
set path = ( $path /opt/bin )
endif
if ( ! $?CPATH ) then
setenv CPATH "/opt/include"
else
setenv CPATH "/opt/include:$CPATH"
endif
if ( ! $?INFOPATH ) then
setenv INFOPATH "/opt/info"
else
setenv INFOPATH "/opt/info:$INFOPATH"
endif
if ( ! $?PERL5LIB ) then
setenv PERL5LIB "/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
else
setenv PERL5LIB "/opt/lib64/perl5:/opt/lib64/perl5/site_perl:$PERL5LIB"
endif
if ( ! $?PKG_CONFIG_PATH ) then
setenv PKG_CONFIG_PATH "/opt/lib64/pkgconfig:/opt/share/pkgconfig"
else
setenv PKG_CONFIG_PATH "/opt/lib64/pkgconfig:/opt/share/pkgconfig:$PKG_CONFIG_PATH"
endif
if ( ! $?PYTHONPATH ) then
setenv PYTHONPATH "/opt/lib64/python2.7/site-packages"
else
setenv PYTHONPATH "/opt/lib64/python2.7/site-packages:$PYTHONPATH"
endif

37
base-files/profile.d/optpaths.sh Executable file
View file

@ -0,0 +1,37 @@
if [ "$(id -u)" = "0" -o "$(id -g)" = "0" ]; then
PATH="$PATH:/opt/sbin:/opt/bin"
else
PATH="$PATH:/opt/bin"
fi
if [ ! -n "$CPATH" ]; then
CPATH="/opt/include"
else
CPATH="/opt/include:$CPATH"
fi
if [ ! -n "$INFOPATH" ]; then
INFOPATH="/opt/info"
else
INFOPATH="/opt/info:$INFOPATH"
fi
if [ ! -n "$PERL5LIB" ]; then
PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl"
else
PERL5LIB="/opt/lib64/perl5:/opt/lib64/perl5/site_perl:$PERL5LIB"
fi
if [ ! -n "$PKG_CONFIG_PATH" ]; then
PKG_CONFIG_PATH="/opt/lib64/pkgconfig:/opt/share/pkgconfig"
else
PKG_CONFIG_PATH="/opt/lib64/pkgconfig:/opt/share/pkgconfig:$PKG_CONFIG_PATH"
fi
if [ ! -n "$PYTHONPATH" ]; then
PYTHONPATH="/opt/lib64/python2.7/site-packages"
else
PYTHONPATH="/opt/lib64/python2.7/site-packages:$PYTHONPATH"
fi
export PATH CPATH INFOPATH PERL5LIB PKG_CONFIG_PATH PYTHONPATH

8
base-files/resolv.conf Normal file
View file

@ -0,0 +1,8 @@
options timeout:1 edns0
search opensourcerers.net
nameserver 91.109.244.8
nameserver 2a02:2498:1:227::8
nameserver 91.109.244.239
nameserver 2a02:2498:1:227::239
nameserver 185.176.90.169
nameserver 2a07:4580:b0d:57f::169

25
base-files/securetty Normal file
View file

@ -0,0 +1,25 @@
# Console tty's:
console
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
# Pseudo TTYs (not recommended):
# pts/0
# pts/1
# pts/2
# pts/3
# pts/4
# pts/5
# pts/6
# pts/7
# pts/8
# pts/9
# pts/10

11
base-files/skel/.bash_logout Normal file
View file

@ -0,0 +1,11 @@
if (( $SHLVL == 1 )); then
if [ -x /usr/bin/clear_console ]; then
/usr/bin/clear_console -q
elif [ -x /usr/bin/clear ]; then
/usr/bin/clear
elif [ -x /usr/bin/tput ]; then
/usr/bin/tput clear
else
echo -ne "\E[2J"
fi
fi

4
base-files/skel/.bash_profile Normal file
View file

@ -0,0 +1,4 @@
# Source the personal bash set up.
[ -e ~/.bashrc ] && . ~/.bashrc
# Add general environment set up here.

1
base-files/skel/.bashrc Normal file
View file

@ -0,0 +1 @@
# Add bash personalisation set up here.

45
base-files/slackpkg/blacklist Normal file
View file

@ -0,0 +1,45 @@
# /etc/slackpkg/blacklist
#
# This is a blacklist file. Any packages listed here won't be
# upgraded, removed, or installed by slackpkg.
# aaa_elflibs should NOT be blacklisted!
#
# You can blacklist using regular expressions.
#
# Don't use *full* regex here, because all of the following will be checked
# for the regex: series, name, version, arch, build, and fullname.
# When blacklisting packages, you can use extended regex on package names
# (such as xorg-.* instead of xorg-server, xorg-docs, etc), and a trailing
# slash for package series ("n/", "ap/", "xap/", etc).
#
# To blacklist *only* the "xorg-server" package, use this:
# xorg-server
#
# To blacklist *all* of the "xorg-server-*" packages, use this:
# xorg-server.*
#
# To blacklist the entire KDE package set, use this:
# kde/
#
# You will need to escape any special characters that are present in the
# package name. For example, to blacklist the gcc-g++ package, use this:
# gcc-g\+\+
#
# DON'T put any space(s) before or after the package name or regex.
# Automated upgrade of kernel packages may not be wanted in some situations;
# uncomment the lines below if that fits your circumstances:
kernel-generic
kernel-huge
kernel-modules
kernel-source
# This one will blacklist all SBo packages:
[0-9]+_SBo
# This will blacklist Robby's testing packages:
[0-9]+_rlw
# This will blacklist Tadgy's custom packages:
[0-9]+_tadgy

360
base-files/slackpkg/mirrors Normal file
View file

@ -0,0 +1,360 @@
# mirrors - List of Slackware Linux mirrors.
#
# SlackPkg - An Automated packaging tool for Slackware Linux
# Copyright (C) 2003-2011 Roberto F. Batista, Evaldo Gardenali
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Project Page: http://slackpkg.org/
# Roberto F. Batista (aka PiterPunk) piterpunk@slackware.com
# Evaldo Gardenali (aka UdontKnow) evaldogardenali@fasternet.com.br
#
# END OF LEGAL NOTICE
#
#
# You only need to select one mirror and uncomment it.
# ONLY ONE mirror can be uncommented.
#
# You can use a mirror not included in this file. Many people have mirrors
# in their local networks. A list of all official Slackware mirrors
# (not version-specific, so some mirrors may not have all files) is here:
# https://mirrors.slackware.com/mirrorlist/
#
# Slackpkg only needs to point to the directory that contains
# "ChangeLog.txt", and don't forget the trailing slash.
#
#----------------------------------------------------------------
# Local CD/DVD drive
#----------------------------------------------------------------
# cdrom://media/cdrom/
#
#----------------------------------------------------------------
# Local Directory
#----------------------------------------------------------------
# file://path/to/some/directory/
#
#----------------------------------------------------------------
# Slackware64-14.2
#----------------------------------------------------------------
# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR)
# https://mirrors.slackware.com/slackware/slackware64-14.2/
#
#
# Here are some individual mirrors that can be used instead of the
# redirector at mirrors.slackware.com if necessary ; note that this
# list is not guaranteed to be up-to-date
#
# AUSTRALIA (AU)
# ftp://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# http://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# ftp://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# http://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# ftp://mirror.as24220.net/pub/slackware/slackware64-14.2/
# http://mirror.as24220.net/pub/slackware/slackware64-14.2/
# ftp://mirror.internode.on.net/.pub2/slackware/slackware64-14.2/
# http://mirror.internode.on.net/pub/slackware/slackware64-14.2/
# AUSTRIA (AT)
# http://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-14.2/
# BELARUS (BY)
# ftp://mirror.datacenter.by/pub/slackware/slackware64-14.2/
# http://mirror.datacenter.by/pub/slackware/slackware64-14.2/
# BRAZIL (BR)
# ftp://ftp.slackware-brasil.com.br/slackware64-14.2/
# http://ftp.slackware-brasil.com.br/slackware64-14.2/
# BULGARIA (BG)
# ftp://mirrors.unixsol.org/slackware/slackware64-14.2/
# http://mirrors.unixsol.org/slackware/slackware64-14.2/
# CANADA (CA)
# ftp://mirror.csclub.uwaterloo.ca/slackware/slackware64-14.2/
# http://mirror.csclub.uwaterloo.ca/slackware/slackware64-14.2/
# ftp://mirror.its.dal.ca/slackware/slackware64-14.2/
# http://mirror.its.dal.ca/slackware/slackware64-14.2/
# CHINA (CN)
# http://mirrors.163.com/slackware/slackware64-14.2/
# http://mirrors.ustc.edu.cn/slackware/slackware64-14.2/
# COSTA RICA (CR)
# ftp://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-14.2/
# http://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-14.2/
# CZECH REPUBLIC (CZ)
# ftp://odysseus.linux.cz/pub/linux/slackware/slackware64-14.2/
# http://odysseus.linux.cz/pub/linux/slackware/slackware64-14.2/
# DENMARK (DK)
# ftp://mirrors.dotsrc.org/slackware/slackware64-14.2/
# https://mirrors.dotsrc.org/slackware/slackware64-14.2/
# FINLAND (FI)
# ftp://elektroni.phys.tut.fi/slackware64-14.2/
# FRANCE (FR)
# ftp://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-14.2/
# http://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-14.2/
# GERMANY (DE)
# ftp://ftp.gwdg.de/pub/linux/slackware/slackware64-14.2/
# http://ftp.gwdg.de/pub/linux/slackware/slackware64-14.2/
# ftp://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-14.2/
# http://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-14.2/
# ftp://sunsite.informatik.rwth-aachen.de/pub/comp/Linux/slackware/slackware64-14.2/
# http://sunsite.informatik.rwth-aachen.de/ftp/pub/comp/Linux/slackware/slackware64-14.2/
# GREECE (GR)
# ftp://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-14.2/
# http://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-14.2/
# ftp://ftp.otenet.gr/pub/linux/slackware/slackware64-14.2/
# http://ftp.otenet.gr/linux/slackware/slackware64-14.2/
# ftp://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-14.2/
# http://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-14.2/
# INDONESIA (ID)
# http://kambing.ui.ac.id/slackware/slackware64-14.2/
# https://repo.ukdw.ac.id/slackware/slackware64-14.2/
# IRELAND (IE)
# ftp://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-14.2/
# http://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-14.2/
# ITALY (IT)
# ftp://ba.mirror.garr.it/mirrors/Slackware/slackware64-14.2/
# http://ba.mirror.garr.it/mirrors/Slackware/slackware64-14.2/
# JAPAN (JP)
# ftp://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-14.2/
# http://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-14.2/
# ftp://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-14.2/
# http://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-14.2/
# ftp://riksun.riken.go.jp/Linux/slackware/slackware64-14.2/
# http://riksun.riken.go.jp/Linux/slackware/slackware64-14.2/
# NETHERLANDS (NL)
# ftp://ftp.nluug.nl/pub/os/Linux/distr/slackware/slackware64-14.2/
# http://ftp.nluug.nl/os/Linux/distr/slackware/slackware64-14.2/
# ftp://mirror.nl.leaseweb.net/slackware/slackware64-14.2/
# http://mirror.nl.leaseweb.net/slackware/slackware64-14.2/
# NORWAY (NO)
# ftp://ftp.slackware.no/slackware/slackware64-14.2/
# http://ftp.slackware.no/slackware/slackware64-14.2/
# POLAND (PL)
# ftp://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-14.2/
# http://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-14.2/
# ftp://ftp.slackware.pl/pub/slackware/slackware64-14.2/
# http://ftp.slackware.pl/pub/slackware/slackware64-14.2/
# ftp://sunsite.icm.edu.pl/vol/rzm1/linux-slackware/slackware64-14.2/
# http://sunsite.icm.edu.pl/packages/linux-slackware/slackware64-14.2/
# ftp://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-14.2/
# http://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-14.2/
# RUSSIA (RU)
# http://mirror.rol.ru/slackware/slackware64-14.2/
# ftp://mirror.yandex.ru/slackware/slackware64-14.2/
# http://mirror.yandex.ru/slackware/slackware64-14.2/
# SOUTH AFRICA (ZA)
# ftp://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-14.2/
# http://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-14.2/
# ftp://ftp.wa.co.za/pub/slackware/slackware64-14.2/
# http://ftp.wa.co.za/pub/slackware/slackware64-14.2/
# ftp://slackware.mirror.ac.za/slackware64-14.2/
# http://slackware.mirror.ac.za/slackware64-14.2/
# SWEDEN (SE)
# ftp://ftp.sunet.se/mirror/slackware.com/slackware64-14.2/
# http://ftp.sunet.se/mirror/slackware.com/slackware64-14.2/
# TAIWAN (TW)
# ftp://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-14.2/
# http://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-14.2/
# ftp://ftp.twaren.net/pub/Linux/Slackware/slackware64-14.2/
# http://ftp.twaren.net/Linux/Slackware/slackware64-14.2/
# TURKEY (TR)
# ftp://ftp.linux.org.tr/slackware/slackware64-14.2/
# http://ftp.linux.org.tr/slackware/slackware64-14.2/
# UKRAINE (UA)
# ftp://mirrors.mithril.org.ua/linux/slackware/slackware64-14.2/
# http://mirrors.mithril.org.ua/linux/slackware/slackware64-14.2/
# UNITED KINGDOM (UK)
# http://slackware.uk/slackware/slackware64-14.2/
# ftp://slackware.uk/slackware/slackware64-14.2/
# ftp://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-14.2/
# http://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-14.2/
# ftp://mirror.bytemark.co.uk/slackware/slackware64-14.2/
# http://mirror.bytemark.co.uk/slackware/slackware64-14.2/
# UNITED STATES (US)
# ftp://ftp.gtlib.gatech.edu/nv/ao2/lxmirror/ftp.slackware.com/slackware64-14.2/
# ftp://mirror.cs.princeton.edu/pub/mirrors/slackware/slackware64-14.2/
# ftp://mirrors.easynews.com/linux/slackware/slackware64-14.2/
# http://mirrors.easynews.com/linux/slackware/slackware64-14.2/
# ftp://mirrors.us.kernel.org/slackware/slackware64-14.2/
# http://mirrors.us.kernel.org/slackware/slackware64-14.2/
# ftp://mirrors.xmission.com/slackware/slackware64-14.2/
# http://mirrors.xmission.com/slackware/slackware64-14.2/
# https://mirror.slackbuilds.org/slackware/slackware64-14.2/
# http://slackware.cs.utah.edu/pub/slackware/slackware64-14.2/
# http://slackware.mirrors.pair.com/slackware64-14.2/
# ftp://slackware.mirrors.tds.net/pub/slackware/slackware64-14.2/
# http://slackware.mirrors.tds.net/pub/slackware/slackware64-14.2/
# ftp://spout.ussg.indiana.edu/linux/slackware/slackware64-14.2/
# http://spout.ussg.indiana.edu/linux/slackware/slackware64-14.2/
# ftp://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-14.2/
# http://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-14.2/
#
#----------------------------------------------------------------
# Slackware64-current
#----------------------------------------------------------------
# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR)
# https://mirrors.slackware.com/slackware/slackware64-current/
#
#
# Here are some individual mirrors that can be used instead of the
# redirector at mirrors.slackware.com if necessary ; note that this
# list is not guaranteed to be up-to-date
#
# AUSTRALIA (AU)
# ftp://ftp.cc.swin.edu.au/slackware/slackware64-current/
# http://ftp.cc.swin.edu.au/slackware/slackware64-current/
# ftp://ftp.iinet.net.au/pub/slackware/slackware64-current/
# http://ftp.iinet.net.au/pub/slackware/slackware64-current/
# ftp://mirror.aarnet.edu.au/pub/slackware/slackware64-current/
# http://mirror.aarnet.edu.au/pub/slackware/slackware64-current/
# ftp://mirror.as24220.net/pub/slackware/slackware64-current/
# http://mirror.as24220.net/pub/slackware/slackware64-current/
# ftp://mirror.internode.on.net/.pub2/slackware/slackware64-current/
# http://mirror.internode.on.net/pub/slackware/slackware64-current/
# http://mirror.primusdatacentre.com.au/slackware/slackware64-current/
# AUSTRIA (AT)
# ftp://ftp.slackware.at/slackware64-current/
# http://ftp.slackware.at/data/slackware64-current/
# ftp://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-current/
# http://gd.tuwien.ac.at/opsys/linux/freesoftware.com/slackware64-current/
# BELARUS (BY)
# ftp://mirror.datacenter.by/pub/slackware/slackware64-current/
# http://mirror.datacenter.by/pub/slackware/slackware64-current/
# BRAZIL (BR)
# ftp://ftp.slackware-brasil.com.br/slackware64-current/
# http://ftp.slackware-brasil.com.br/slackware64-current/
# BULGARIA (BG)
# ftp://mirrors.unixsol.org/slackware/slackware64-current/
# http://mirrors.unixsol.org/slackware/slackware64-current/
# CANADA (CA)
# ftp://mirror.csclub.uwaterloo.ca/slackware/slackware64-current/
# http://mirror.csclub.uwaterloo.ca/slackware/slackware64-current/
# ftp://mirror.its.dal.ca/slackware/slackware64-current/
# http://mirror.its.dal.ca/slackware/slackware64-current/
# CHINA (CN)
# http://mirrors.163.com/slackware/slackware64-current/
# http://mirrors.ustc.edu.cn/slackware/slackware64-current/
# COSTA RICA (CR)
# ftp://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-current/
# http://mirrors.ucr.ac.cr/slackware/pub/slackware/slackware64-current/
# CZECH REPUBLIC (CZ)
# ftp://odysseus.linux.cz/pub/linux/slackware/slackware64-current/
# http://odysseus.linux.cz/pub/linux/slackware/slackware64-current/
# DENMARK (DK)
# ftp://mirrors.dotsrc.org/slackware/slackware64-current/
# https://mirrors.dotsrc.org/slackware/slackware64-current/
# FINLAND (FI)
# ftp://elektroni.phys.tut.fi/slackware64-current/
# FRANCE (FR)
# ftp://mirror.ovh.net/mirrors/ftp.slackware.com/slackware64-current/
# http://mirror.ovh.net/mirrors/ftp.slackware.com/slackware64-current/
# ftp://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-current/
# http://nephtys.lip6.fr/pub/linux/distributions/slackware/slackware64-current/
# GERMANY (DE)
# ftp://ftp.fu-berlin.de/unix/linux/slackware/slackware64-current/
# ftp://ftp.gwdg.de/pub/linux/slackware/slackware64-current/
# http://ftp.gwdg.de/pub/linux/slackware/slackware64-current/
# ftp://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-current/
# http://ftp.tu-chemnitz.de/pub/linux/slackware/slackware64-current/
# ftp://sunsite.informatik.rwth-aachen.de/pub/comp/Linux/slackware/slackware64-current/
# http://sunsite.informatik.rwth-aachen.de/ftp/pub/comp/Linux/slackware/slackware64-current/
# ftp://wrz1013.rz.uni-wuerzburg.de/pub/MIRROR/slackware/slackware64-current/
# http://wrz1013.rz.uni-wuerzburg.de/pub/MIRROR/slackware/slackware64-current/
# GREECE (GR)
# ftp://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-current/
# http://ftp.cc.uoc.gr/mirrors/linux/slackware/slackware64-current/
# ftp://ftp.otenet.gr/pub/linux/slackware/slackware64-current/
# http://ftp.otenet.gr/linux/slackware/slackware64-current/
# ftp://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-current/
# http://patroklos.noc.ntua.gr/pub/linux/slackware/slackware64-current/
# INDONESIA (ID)
# http://kambing.ui.ac.id/slackware/slackware64-current/
# https://repo.ukdw.ac.id/slackware/slackware64-current/
# IRELAND (IE)
# ftp://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-current/
# http://ftp.heanet.ie/mirrors/ftp.slackware.com/pub/slackware/slackware64-current/
# ITALY (IT)
# ftp://ba.mirror.garr.it/mirrors/Slackware/slackware64-current/
# http://ba.mirror.garr.it/mirrors/Slackware/slackware64-current/
# JAPAN (JP)
# ftp://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-current/
# http://ftp.nara.wide.ad.jp/pub/Linux/slackware/slackware64-current/
# ftp://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-current/
# http://ftp.kddilabs.jp/Linux/distributions/Slackware/slackware64-current/
# ftp://riksun.riken.go.jp/Linux/slackware/slackware64-current/
# http://riksun.riken.go.jp/Linux/slackware/slackware64-current/
# NETHERLANDS (NL)
# ftp://ftp.nluug.nl/pub/os/Linux/distr/slackware/slackware64-current/
# http://ftp.nluug.nl/os/Linux/distr/slackware/slackware64-current/
# ftp://mirror.nl.leaseweb.net/slackware/slackware64-current/
# http://mirror.nl.leaseweb.net/slackware/slackware64-current/
# NORWAY (NO)
# ftp://ftp.slackware.no/slackware/slackware64-current/
# http://ftp.slackware.no/slackware/slackware64-current/
# POLAND (PL)
# ftp://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-current/
# http://ftp.pwr.wroc.pl/pub/linux/slackware/slackware64-current/
# ftp://ftp.slackware.pl/pub/slackware/slackware64-current/
# http://ftp.slackware.pl/pub/slackware/slackware64-current/
# ftp://sunsite.icm.edu.pl/vol/rzm1/linux-slackware/slackware64-current/
# http://sunsite.icm.edu.pl/packages/linux-slackware/slackware64-current/
# ftp://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-current/
# http://z-ftp.wcss.wroc.pl/pub/linux/slackware/slackware64-current/
# RUSSIA (RU)
# http://mirror.rol.ru/slackware/slackware64-current/
# ftp://mirror.yandex.ru/slackware/slackware64-current/
# http://mirror.yandex.ru/slackware/slackware64-current/
# SOUTH AFRICA (ZA)
# ftp://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-current/
# http://ftp.is.co.za/mirror/ftp.slackware.com/pub/slackware64-current/
# ftp://ftp.wa.co.za/pub/slackware/slackware64-current/
# http://ftp.wa.co.za/pub/slackware/slackware64-current/
# ftp://slackware.mirror.ac.za/slackware64-current/
# http://slackware.mirror.ac.za/slackware64-current/
# SWEDEN (SE)
# ftp://ftp.sunet.se/mirror/slackware.com/slackware64-current/
# http://ftp.sunet.se/mirror/slackware.com/slackware64-current/
# TAIWAN (TW)
# ftp://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-current/
# http://ftp.isu.edu.tw/pub/Linux/Slackware/slackware64-current/
# ftp://ftp.twaren.net/pub/Linux/Slackware/slackware64-current/
# http://ftp.twaren.net/Linux/Slackware/slackware64-current/
# TURKEY (TR)
# ftp://ftp.linux.org.tr/slackware/slackware64-current/
# http://ftp.linux.org.tr/slackware/slackware64-current/
# UKRAINE (UA)
# ftp://mirrors.mithril.org.ua/linux/slackware/slackware64-current/
# http://mirrors.mithril.org.ua/linux/slackware/slackware64-current/
# UNITED KINGDOM (UK)
# http://slackware.uk/slackware/slackware64-current/
# ftp://slackware.uk/slackware/slackware64-current/
# ftp://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-current/
# http://ftp.mirrorservice.org/sites/ftp.slackware.com/pub/slackware/slackware64-current/
# ftp://mirror.bytemark.co.uk/slackware/slackware64-current/
# http://mirror.bytemark.co.uk/slackware/slackware64-current/
# UNITED STATES (US)
# ftp://ftp.gtlib.gatech.edu/nv/ao2/lxmirror/ftp.slackware.com/slackware64-current/
# ftp://mirror.cs.princeton.edu/pub/mirrors/slackware/slackware64-current/
# ftp://mirrors.easynews.com/linux/slackware/slackware64-current/
# http://mirrors.easynews.com/linux/slackware/slackware64-current/
# ftp://mirrors.us.kernel.org/slackware/slackware64-current/
# http://mirrors.us.kernel.org/slackware/slackware64-current/
# ftp://mirrors.xmission.com/slackware/slackware64-current/
# http://mirrors.xmission.com/slackware/slackware64-current/
# https://mirror.slackbuilds.org/slackware/slackware64-current/
# http://slackware.cs.utah.edu/pub/slackware/slackware64-current/
# http://slackware.mirrors.pair.com/slackware64-current/
# ftp://slackware.mirrors.tds.net/pub/slackware/slackware64-current/
# http://slackware.mirrors.tds.net/pub/slackware/slackware64-current/
# ftp://spout.ussg.indiana.edu/linux/slackware/slackware64-current/
# http://spout.ussg.indiana.edu/linux/slackware/slackware64-current/
# ftp://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-current/
# http://teewurst.cc.columbia.edu/pub/linux/slackware/slackware64-current/
https://slackware.uk/slackware/slackware64-current/

156
base-files/slackpkg/slackpkg.conf Normal file
View file

@ -0,0 +1,156 @@
#
# /etc/slackpkg/slackpkg.conf
# Configuration for SlackPkg
# v2.8
#
# SlackPkg - An Automated packaging tool for Slackware Linux
# Copyright (C) 2003-2011 Roberto F. Batista, Evaldo Gardenali
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Project Page: http://slackpkg.org/
# Roberto F. Batista (aka PiterPunk) piterpunk@slackware.com
# Evaldo Gardenali (aka UdontKnow) evaldogardenali@fasternet.com.br
# For configuration options that have only two states, possible values are
# either "on" or "off"
# Remember, the only official Slackware ports are x86, s390, and arm, and
# slackpkg developers don't have s390 boxes for testing. If you are
# testing/using other architectures and have suggestions or patches,
# please let us know (email rworkman@slackware.com)
#
# Select the architecture of your system. Valid values are:
# i#86 (where # is 3, 4, 5 or 6)
# x86_64
# s390
# arm* (* can be v4, v5tejl, and other ARM versions)
# powerpc
#
# The line is commented because slackpkg will try to find your
# architecture automagically. If you want to override what slackpkg
# finds, put the value after the = and uncomment this line
#ARCH=
# The default PKGMAIN is "slackware", but some derived distros use other
# names as the main directory. PKGMAIN is the place with the slackware
# package series (a, ap, n, ... ).
#
# Usually slackpkg can automagically discover this variable. If you want
# to override the discovered variable, then uncomment this line and change
# it to reflect the correct value of PKGMAIN
#PKGMAIN=slackware
# Slackware packages are signed by project key. Slackpkg uses this key
# to check if the packages downloaded are valid, so remember to set
# CHECKGPG to "on".
#
# Usually slackpkg can automagically discover this variable. If you want
# to override the discovered variable, then uncomment this line and edit
# as needed
#SLACKKEY="Slackware Linux Project <security@slackware.com>"
# Downloaded files will be in the TEMP directory:
TEMP=/var/cache/packages
# Package lists, file lists, and others will be stored in WORKDIR:
WORKDIR=/var/lib/slackpkg
# Special options for wget (default is WGETFLAGS="--passive-ftp")
WGETFLAGS="--passive-ftp"
# If DELALL is "on", all downloaded files will be removed after install.
DELALL=on
# If CHECKMD5 is "on", the system will check the md5sums of all packages before
# install/upgrade/reinstall is performed.
CHECKMD5=on
# If CHECKGPG is "on", the system will verify the GPG signature of each package
# before install/upgrade/reinstall is performed.
CHECKGPG=on
# If CHECKSIZE is "on", the system will check if we have sufficient disk
# space to install selected package. This make upgrade/install safer, but
# will also slow down the upgrade/install process.
CHECKSIZE=off
# PRIORITY sets the download priority. slackpkg will try to found the
# package first in the first value, then the second one, through all
# values in list.
#
# Default value: patches %PKGMAIN extra pasture testing
PRIORITY=( patches %PKGMAIN extra pasture testing )
# Enables (on) or disables (off) slackpkg's post-installation features, such
# as checking for new (*.new) configuration files and new kernel images, and
# prompts you for what it should do. Default=on
POSTINST=on
# Post-installation features, by default, search all of /etc and a few other
# predefined locations for .new files. This is the safe option: with it,
# you won't have any unmerged .new files to cause problems. Even so, some
# people prefer that only the .new files installed by the current slackpkg
# session be checked. If this is your case, change ONLY_NEW_DOTNEW to "on".
# Default=off
ONLY_NEW_DOTNEW=off
# Whether to backup files overwritten by their .new counterparts with a
# .orig extension.
ORIG_BACKUPS=off
# The ONOFF variable sets the initial behavior of the dialog interface.
# If you set this to "on" then all packages will be selected by default.
# If you prefer the opposite option (all unchecked), then set this to "off".
ONOFF=on
# If this variable is set to "on", all files will be downloaded before the
# requested operation (install or upgrade) is performed. If set to "off",
# then the files will be downloaded and the operation (install/upgrade)
# performed one by one. Default=on
DOWNLOAD_ALL=on
# Enables (on) or disables (off) the dialog interface in slackpkg. Default=on
DIALOG=on
# Enables (on) or disables (off) the non-interactive mode. If set to "on",
# slackpkg will run without asking the user anything, and answer all questions
# with DEFAULT_ANSWER. If you do any upgrades using this mode, you'll need to
# run "slackpkg new-config" later to find and merge any .new files.
BATCH=off
# Default answer to slackpkg questions. Can be "y" or "n".
DEFAULT_ANSWER=n
# Slackpkg allows a template to "include" the packages specified in another
# template. This option enables (on) or disables (off) the parsing of
# any "#include" directives in template files. Default=on
USE_INCLUDES=on
# Enables a spinning bar as visual feedback when slackpkg is making its
# internal lists and some other operations. Default=on
SPINNING=on
# Max number of characters that "dialog" command can handle.
# If unset, this variable will be 19500 (the number that works on
# Slackware 10.2)
DIALOG_MAXARGS=139000
#
# The MIRROR is set from /etc/slackpkg/mirrors
# You only need to uncomment the selected mirror.
# Uncomment one mirror only.
#

5
base-files/ssh/ssh_config Normal file
View file

@ -0,0 +1,5 @@
Host *
ControlPath ~/.ssh/%u@%l->%r@%h:%p
SendEnv LANG LC_*
VerifyHostKeyDNS yes
VisualHostKey yes

17
base-files/ssh/sshd_config Normal file
View file

@ -0,0 +1,17 @@
# FIXME: Set sshd IP addresses.
# ListenAddress 91.109.244.X
# ListenAddress [2a02:2498:1:227::X]
Port 9922
AcceptEnv LANG LC_*
LoginGraceTime 30
MaxStartups 5
# FIXME: Change PermitRootLogin to 'prohibit-password' once a key is in place.
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
UsePAM yes
X11Forwarding no
Match Address 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
PermitRootLogin yes
X11Forwarding yes

2
base-files/sudoers.d/defaults Normal file
View file

@ -0,0 +1,2 @@
## Set the password prompting timeout to 30 mins.
Defaults timestamp_timeout = 30

2
base-files/sysctl.d/fs.conf Normal file
View file

@ -0,0 +1,2 @@
# Increase the maximum number of file handles (2^18).
fs.file-max = 262144

15
base-files/sysctl.d/kernel.conf Normal file
View file

@ -0,0 +1,15 @@
# Append the PID to a 'core' dump's filename.
kernel.core_uses_pid = 1
# The contents of /proc/<pid>/{maps,smaps} should only visible to processes
# that are allowed to ptrace() the process.
kernel.maps_protect = 1
# Reboot after 10 seconds when the kernel panics.
kernel.panic = 10
# Allow more PIDs (2^17).
kernel.pid_max = 131072
# Disable 'magic' SysRq functionallity.
kernel.sysrq = 0

3
base-files/sysctl.d/vm.conf Normal file
View file

@ -0,0 +1,3 @@
# Do a minimal amount of swapping.
# See: https://en.wikipedia.org/wiki/Swappiness
vm.swappiness = 10

42
base-files/syslog.conf Normal file
View file

@ -0,0 +1,42 @@
# Notes:
# When changing log file options, remember to:
# * 'touch' the logfile into existance
# * Set the correct ownership+permissions on the file
# * Update /etc/logrotate.d/syslog with the changes
auth.* /var/log/messages
authpriv.* /var/log/messages
cron.* /var/log/messages
daemon.* /var/log/messages
ftp.* /var/log/messages
kern.* /var/log/messages
lpr.* /var/log/messages
mail.* /var/log/messages
news.* /var/log/messages
syslog.* /var/log/messages
# lumberjack uses user by default.
user.* /var/log/messages
uucp.* /var/log/messages
# fail2ban (custom configuration) uses local0.
local0.* /var/log/fail2ban
# named (custom configuration) uses local1.
local1.* /var/log/messages
# spamd is started with '-s local2'.
local2.* /var/log/messages
# dovecot (custom configuration) uses local3.
local3.* /var/log/messages
# Unused. Note: slapd (from OpenLDAP) uses local4 by default.
local4.* /var/log/messages
# rsyncd (custom configuration) uses local5.
local5.* /var/log/messages
# php-fpm (custom configuration) uses local6.
local6.* /var/log/messages
# httpd (custom configuration) uses local7.
local7.* /var/log/messages
# *.* /dev/tty12
# *.* /var/log/all
# Include all config files in /etc/syslog.d/:
include /etc/syslog.d/*.conf

186
base-files/vnstat.conf Normal file
View file

@ -0,0 +1,186 @@
# vnStat 2.6 config file
##
# default interface (leave empty for automatic selection)
Interface "eth0"
# location of the database directory
DatabaseDir "/var/lib/vnstat"
# locale (LC_ALL) ("-" = use system locale)
Locale "-"
# date output formats for -d, -m, -t and -w
DayFormat "%Y-%m-%d"
MonthFormat "%Y-%m"
TopFormat "%Y-%m-%d"
# characters used for visuals
RXCharacter "%"
TXCharacter ":"
RXHourCharacter "r"
TXHourCharacter "t"
# how units are prefixed when traffic is shown
# 0 = IEC standard prefixes (KiB/MiB/GiB...)
# 1 = old style binary prefixes (KB/MB/GB...)
# 2 = SI decimal prefixes (kB/MB/GB...)
UnitMode 0
# used rate unit (0 = bytes, 1 = bits)
RateUnit 1
# how units are prefixed when traffic rate is shown in bits
# 0 = IEC binary prefixes (Kibit/s...)
# 1 = SI decimal prefixes (kbit/s...)
RateUnitMode 1
# output style
# 0 = minimal & narrow, 1 = bar column visible
# 2 = same as 1 except rate in summary
# 3 = rate column visible
OutputStyle 3
# number of decimals to use in outputs
DefaultDecimals 2
HourlyDecimals 1
# spacer for separating hourly sections (0 = none, 1 = '|', 2 = '][', 3 = '[ ]')
HourlySectionStyle 2
# how many seconds should sampling for -tr take by default
Sampletime 5
# default query mode
# 0 = normal, 1 = days, 2 = months, 3 = top, 5 = short
# 7 = hours, 8 = xml, 9 = one line, 10 = json
QueryMode 0
# default list output entry limits (0 = all)
List5Mins 24
ListHours 24
ListDays 30
ListMonths 12
ListYears 0
ListTop 10
# vnstatd
##
# switch to given user when started as root (leave empty to disable)
DaemonUser ""
# switch to given group when started as root (leave empty to disable)
DaemonGroup ""
# try to detect interface maximum bandwidth, 0 = disable feature
# MaxBandwidth will be used as fallback value when enabled
BandwidthDetection 1
# maximum bandwidth (Mbit) for all interfaces, 0 = disable feature
# (unless interface specific limit is given)
MaxBandwidth 1000
# interface specific limits
# example 8Mbit limit for eth0 (remove # to activate):
#MaxBWeth0 8
# data retention durations (-1 = unlimited, 0 = feature disabled)
5MinuteHours 48
HourlyDays 4
DailyDays 62
MonthlyMonths 25
YearlyYears -1
TopDayEntries 20
# how often (in seconds) interface data is updated
UpdateInterval 20
# how often (in seconds) interface status changes are checked
PollInterval 5
# how often (in minutes) data is saved to database
SaveInterval 5
# how often (in minutes) data is saved when all interface are offline
OfflineSaveInterval 30
# on which day should months change
MonthRotate 1
MonthRotateAffectsYears 0
# filesystem disk space check (1 = enabled, 0 = disabled)
CheckDiskSpace 1
# how much the boot time can variate between updates (seconds)
BootVariation 15
# create database entries even when there is no traffic (1 = enabled, 0 = disabled)
TrafficlessEntries 1
# how many minutes to wait during daemon startup for system clock to
# sync time if most recent database update appears to be in the future
TimeSyncWait 5
# how often (in minutes) bandwidth detection is done when
# BandwidthDetection is enabled (0 = disabled)
BandwidthDetectionInterval 5
# force data save when interface status changes (1 = enabled, 0 = disabled)
SaveOnStatusChange 1
# enable / disable logging (0 = disabled, 1 = logfile, 2 = syslog)
UseLogging 2
# create dirs if needed (1 = enabled, 0 = disabled)
CreateDirs 1
# update ownership of files if needed (1 = enabled, 0 = disabled)
UpdateFileOwner 1
# file used for logging if UseLogging is set to 1
LogFile "/var/log/vnstat.log"
# file used as daemon pid / lock file
PidFile "/var/run/vnstat.pid"
# 1 = 64-bit, 0 = 32-bit, -1 = old style logic, -2 = automatic detection
64bitInterfaceCounters -2
# use SQLite Write-Ahead Logging mode (1 = enabled, 0 = disabled)
DatabaseWriteAheadLogging 0
# change the setting of the SQLite "synchronous" flag
# (-1 = auto, 0 = off, 1, = normal, 2 = full, 3 = extra)
DatabaseSynchronous -1
# vnstati
##
# title timestamp format
HeaderFormat "%Y-%m-%d %H:%M"
# show hours with rate (1 = enabled, 0 = disabled)
HourlyRate 1
# show rate in summary (1 = enabled, 0 = disabled)
SummaryRate 1
# transparent background (1 = enabled, 0 = disabled)
TransparentBg 0
# image colors
CBackground "FFFFFF"
CEdge "AEAEAE"
CHeader "606060"
CHeaderTitle "FFFFFF"
CHeaderDate "FFFFFF"
CText "000000"
CLine "B0B0B0"
CLineL "-"
CRx "92CF00"
CTx "606060"
CRxD "-"
CTxD "-"

31
ca-certificates/isrgrootx1.crt Normal file
View file

@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

27
ca-certificates/lets-encrypt-x3-cross-signed.crt Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

32
ca-certificates/letsencryptauthorityx3.crt Normal file
View file

@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
-----END CERTIFICATE-----

BIN
memtest86+ Normal file
View file

Binary file not shown.

5
root.crontab Normal file
View file

@ -0,0 +1,5 @@
# Run the hourly, daily, weekly, and monthly cron jobs.
0 * * * * /usr/bin/run-parts /etc/cron.hourly >/dev/null
0 0 * * * /usr/bin/run-parts /etc/cron.daily >/dev/null
0 0 * * 0 /usr/bin/run-parts /etc/cron.weekly >/dev/null
0 0 1 * * /usr/bin/run-parts /etc/cron.monthly >/dev/null

137
sample-rc.d/rc.firewall-guests Executable file
View file

@ -0,0 +1,137 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="eth0"
# The name of the VM-Private network interface.
VM_IF="eth1"
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow all VM-Private network traffic.
iptables -A INPUT -i "$VM_IF" -j ACCEPT
ip6tables -A INPUT -i "$VM_IF" -j ACCEPT
# Allow unrestricted access from our IPs.
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings, but ratelimited.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# Always allow SSH.
# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Service: DNS.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Service: HTTP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Service: FTP{,S}.
# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
modprobe nf_conntrack_ftp
echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Service: rsync.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
# Service: SMTP and submission.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
# Service: IMAP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
# Service: POP3{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
# Service: Bittorrent.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP

83
sample-rc.d/rc.firewall-hosts Executable file
View file

@ -0,0 +1,83 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="br0"
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs.
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings, but ratelimited.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# Always allow SSH.
# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP

14
sample-rc.d/rc.firewall-old Executable file
View file

@ -0,0 +1,14 @@
#!/bin/bash
IPTABLES=/usr/sbin/iptables
# Flush the tables.
$IPTABLES -F
# Drop bootp ports.
$IPTABLES -m multiport -A INPUT -p tcp --dports 67,68 -j DROP
$IPTABLES -m multiport -A INPUT -p udp --dports 67,68 -j DROP
# Drop netbios ports.
$IPTABLES -m multiport -A INPUT -p tcp --dports 137,138,139 -j DROP
$IPTABLES -m multiport -A INPUT -p udp --dports 137,138,139 -j DROP

66
sample-rc.d/rc.local Executable file
View file

@ -0,0 +1,66 @@
#!/bin/bash
# /etc/rc.d/rc.local - Local system startup script.
# This script will be run when the system is first booted.
# Start the MCE daemon.
[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog start
# Start the qemu guest additions agent.
[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga start
# Start GlusterFS daemon.
[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd start
# Mount glusterfs volumes.
for MOUNT in $(grep -v "^#" /etc/fstab | awk '/[[:blank:]]glusterfs[[:blank:]]/ {print $2}'); do mount $MOUNT; done
# Start the vnstat daemon.
[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat start
# Start fail2ban.
[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban start
# Start the php-fpm FastCGI daemon.
[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm start
# Start SpamAssassin.
[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd start
# Start proftpd.
[ -x /etc/rc.d/rc.proftpd ] && {
/opt/bin/lumberjack -u logger -z -r -i /run/slackware.uk-ftpd.log -o logger:ftp -mp 006 -l logs/ftpd-transfers.log \
/data/sites/slackware.uk logs/%Y/%m/ftpd-transfers.log &
/etc/rc.d/rc.proftpd start
}
# Start the rsync daemon.
[ -x /etc/rc.d/rc.rsyncd ] && {
/opt/bin/lumberjack -u logger -z -r -i /run/rsyncd.log -o logger:mirror -mp 006 -l logs/rsyncd-transfers.log \
/data/sites/slackware.uk logs/%Y/%m/rsyncd-transfers.log &
/etc/rc.d/rc.rsyncd start
}
# Start netdata.
[ -x /etc/rc.d/rc.netdata ] && rm -f /var/lock/subsys/netdata && /etc/rc.d/rc.netdata start
# Start the bandwidth bar generator.
[ -x /opt/bin/bwbar ] && sudo -b /opt/bin/bwbar -f /run/bwbar.txt -p /run/bwbar.png -t 1 -x 800 -y 8 -b 2 eth0 1000
# Start seeding the torrents.
grep "^seeder:" /etc/passwd >/dev/null 2>&1 && su - seeder -c /home/seeder/start-seeding
# Start libvirt.
[ -x /etc/rc.d/rc.libvirt ] && /etc/rc.d/rc.libvirt start
# Start the lxcfs fuse module.
[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs start
# Start containers.
[ -x /etc/rc.d/rc.lxc ] && {
# Proxy ARP is required for the LXC bridge to function correctly.
echo 1 >/proc/sys/net/ipv4/conf/br0/proxy_arp
/etc/rc.d/rc.lxc start
}
# Notify that the server has booted.
/opt/bin/pushover -a server -t "Successful boot up: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')" >/dev/null

73
sample-rc.d/rc.local_shutdown Executable file
View file

@ -0,0 +1,73 @@
#!/bin/bash
# /etc/rc.d/rc.local_shutdown - Local system shutdown script.
# This script will be run when the system is shutdown or rebooted.
# Notify that the server is shutting down.
/opt/bin/pushover -a server -t "Shutting down: ${HOSTNAME%%.*}" -p 1 -m "$(printf '%(%d %b %Y - %H:%M:%S)T')" >/dev/null
# Stop containers.
[ -x /etc/rc.d/rc.lxc ] && /etc/rc.d/rc.lxc stop
# Stop lxcfs.
[ -x /etc/rc.d/rc.lxcfs ] && /etc/rc.d/rc.lxcfs stop
# Stop libvirt.
[ -x /etc/rc.d/rc.libvirt ] && {
/etc/rc.d/rc.libvirt guests_shutdown
/etc/rc.d/rc.libvirt stop
}
# Shut down netdata.
[ -x /etc/rc.d/rc.netdata ] && /etc/rc.d/rc.netdata stop
# Stop the rtorrent instances started at boot.
grep "^seeder:" /etc/passwd >/dev/null 2>&1 && {
pkill -INT -u seeder '^rtorrent .*$'
printf "%s" "Waiting up to 30 seconds for rtorrent to exit"
for ((i=0; i <= 59; i++)); do
if pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
printf "%s" "."
sleep 0.5
else
break
fi
done
if ! pgrep -u seeder '^rtorrent .*$' >/dev/null 2>&1; then
printf "%s\n" " clean exit."
else
printf "%s\n" " failed - terminating."
pkill -TERM -u seeder '^rtorrent .*$'
sleep 2
pkill -KILL -u seeder '^rtorrent .*$'
fi
}
# Stop rsyncd.
[ -x /etc/rc.d/rc.rsyncd ] && /etc/rc.d/rc.rsyncd stop
# Stop proftpd.
[ -x /etc/rc.d/rc.proftpd ] && /etc/rc.d/rc.proftpd stop
# Stop SpamAssassin.
[ -x /etc/rc.d/rc.spamd ] && /etc/rc.d/rc.spamd stop
# Stop the php-fpm FastCGI daemon.
[ -x /etc/rc.d/rc.php-fpm ] && /etc/rc.d/rc.php-fpm stop
# Stop fail2ban.
[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban stop
# Stop the vnstat daemon.
[ -x /etc/rc.d/rc.vnstat ] && /etc/rc.d/rc.vnstat stop
# Unmount glusterfs volumes.
for MOUNT in $(mount | awk '/fuse\.glusterfs/ {print $3}'); do umount -v $MOUNT; done
# Stop GlusterFS daemon.
[ -x /etc/rc.d/rc.glusterd ] && /etc/rc.d/rc.glusterd stop
# Stop the qemu guest additions agent.
[ -x /etc/rc.d/rc.qemu-ga ] && /etc/rc.d/rc.qemu-ga stop
# Stop the MCE daemon.
[ -x /etc/rc.d/rc.mcelog ] && /etc/rc.d/rc.mcelog stop

24
sample-rc.d/rc.modules.local Executable file
View file

@ -0,0 +1,24 @@
#!/bin/sh
# /etc/rc.d/rc.modules.local
# The Linux kernel source is the best place to look for documentation
# for the many available kernel modules. This can be found under
# /usr/src/linux-$VERSION/Documentation/.
# Almost all necessary modules are automatically loaded when needed,
# but there are a few exceptions. Here's a (not all-inclusive) list,
# so uncomment any of the below entries or add others as needed:
# Note that you could also create/edit rc.modules-$version if you
# only wanted specific modules loaded for particular kernels.
#/sbin/modprobe tun # Universal TUN/TAP device driver
#/sbin/modprobe sg # Generic SCSI support for SATA DVD-RW
# Load sensor modules.
if [ -e /etc/sysconfig/lm_sensors ]; then
. /etc/sysconfig/lm_sensors
for MOD in $HWMON_MODULES; do
/sbin/modprobe "$MOD"
done
fi

108
sample-rc.d/rc.proftpd Executable file
View file

@ -0,0 +1,108 @@
#!/bin/bash
# Version: 0.2.9
# Copyright (c) 2005-2017:
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
# Licensed under the terms of the GNU General Public License version 3.
EXEC="/usr/sbin/proftpd"
ARGS=()
PIDFILE="/var/run/proftpd.pid"
checkconfigured() {
# This function can be used to perform any pre-start tests; hopfully to insure the daemon
# can start correctly, before actually trying to start it. A return value of 0 means the
# tests were passed and the daemon should be started. Any other value prevents the
# daemon from being started and an error message will be emitted.
return 0
}
checkstatus() {
# Note: this has been changed from the standard 'pgrep -f "$EXEC"' as pgrep doesn't match
# the process because proftp changes its argv0.
local RUNPIDS="$(pgrep -F "$PIDFILE" 2>/dev/null)"
if [ ! -z "$RUNPIDS" ]; then
echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
if [ ! -z "$PIDFILE" ]; then
if [ ! -e "$PIDFILE" ]; then
echo -n ", but .pid file does not exist"
elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
echo -n ", but .pid file is stale"
fi
fi
echo
else
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
return 1
fi
return 0
}
startdaemon() {
if ! checkconfigured; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
return 1
elif [ ! -e "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
return 1
elif [ ! -x "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
return 1
fi
env -i -S "$EXEC" "${ARGS[@]}"
return $?
}
stopdaemon() {
# Note: this has been changed from the standard way of doing things because we can't use
# 'pgrep -f' to match the process since proftpd changes its argv0.
if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
sleep 2
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
kill -KILL "$(pgrep "${EXEC##*/}")" >/dev/null 2>&1
fi
fi
return 0
}
case "$1" in
'start')
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
startdaemon
ERR=$?
fi
;;
'stop')
if ! checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
stopdaemon
ERR=$?
fi
;;
'restart')
if checkstatus >/dev/null; then
stopdaemon && sleep 2 && startdaemon
ERR=$?
else
startdaemon
ERR=$?
fi
;;
'status')
checkstatus
ERR=$?
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
ERR=1
;;
esac
return $ERR 2>/dev/null || exit $ERR

105
sample-rc.d/rc.rsyncd Executable file
View file

@ -0,0 +1,105 @@
#!/bin/bash
# Version: 0.2.9
# Copyright (c) 2005-2017:
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
# Licensed under the terms of the GNU General Public License version 3.
EXEC="/usr/bin/rsync"
ARGS=(--daemon --config=/etc/rsyncd/rsyncd.conf)
PIDFILE="/var/run/rsyncd.pid"
checkconfigured() {
# This function can be used to perform any pre-start tests; hopfully to insure the daemon
# can start correctly, before actually trying to start it. A return value of 0 means the
# tests were passed and the daemon should be started. Any other value prevents the
# daemon from being started and an error message will be emitted.
return 0
}
checkstatus() {
local RUNPIDS="$(pgrep -f "$EXEC")"
if [ ! -z "$RUNPIDS" ]; then
echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
if [ ! -z "$PIDFILE" ]; then
if [ ! -e "$PIDFILE" ]; then
echo -n ", but .pid file does not exist"
elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
echo -n ", but .pid file is stale"
fi
fi
echo
else
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
return 1
fi
return 0
}
startdaemon() {
if ! checkconfigured; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
return 1
elif [ ! -e "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
return 1
elif [ ! -x "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
return 1
fi
"$EXEC" "${ARGS[@]}"
return $?
}
stopdaemon() {
if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
fi
sleep 2
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
fi
return 0
}
case "$1" in
'start')
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
startdaemon
ERR=$?
fi
;;
'stop')
if ! checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
stopdaemon
ERR=$?
fi
;;
'restart')
if checkstatus >/dev/null; then
stopdaemon && sleep 2 && startdaemon
ERR=$?
else
startdaemon
ERR=$?
fi
;;
'status')
checkstatus
ERR=$?
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
ERR=1
;;
esac
return $ERR 2>/dev/null || exit $ERR

105
sample-rc.d/rc.tftpd Executable file
View file

@ -0,0 +1,105 @@
#!/bin/bash
# Version: 0.2.9
# Copyright (c) 2005-2017:
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
# Licensed under the terms of the GNU General Public License version 3.
EXEC="/usr/sbin/in.tftpd"
ARGS=(--listen --address=FIXME --user tftp --secure /data/tftpboot)
PIDFILE=""
checkconfigured() {
# This function can be used to perform any pre-start tests; hopfully to insure the daemon
# can start correctly, before actually trying to start it. A return value of 0 means the
# tests were passed and the daemon should be started. Any other value prevents the
# daemon from being started and an error message will be emitted.
return 0
}
checkstatus() {
local RUNPIDS="$(pgrep -f "$EXEC")"
if [ ! -z "$RUNPIDS" ]; then
echo -n "${BASH_SOURCE##*/}: ${EXEC##*/}: running"
if [ ! -z "$PIDFILE" ]; then
if [ ! -e "$PIDFILE" ]; then
echo -n ", but .pid file does not exist"
elif ! echo "$RUNPIDS" | grep "\<$(cat "$PIDFILE")\>" >/dev/null 2>&1; then
echo -n ", but .pid file is stale"
fi
fi
echo
else
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: stopped"
return 1
fi
return 0
}
startdaemon() {
if ! checkconfigured; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not started - pre-start checks failed" >&2
return 1
elif [ ! -e "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not found" >&2
return 1
elif [ ! -x "$EXEC" ]; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not executable" >&2
return 1
fi
"$EXEC" "${ARGS[@]}"
return $?
}
stopdaemon() {
if ! kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" >/dev/null 2>&1; then
kill -TERM "$(pgrep -f "$EXEC")" >/dev/null 2>&1
fi
sleep 2
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: failed to stop gracefully - slaying" >&2
kill -KILL "$(pgrep -f "$EXEC")" >/dev/null 2>&1
fi
return 0
}
case "$1" in
'start')
if checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: already running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
startdaemon
ERR=$?
fi
;;
'stop')
if ! checkstatus >/dev/null; then
echo "${BASH_SOURCE##*/}: ${EXEC##*/}: not running" >&2
echo " Try: $BASH_SOURCE status" >&2
ERR=1
else
stopdaemon
ERR=$?
fi
;;
'restart')
if checkstatus >/dev/null; then
stopdaemon && sleep 2 && startdaemon
ERR=$?
else
startdaemon
ERR=$?
fi
;;
'status')
checkstatus
ERR=$?
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart|status>" >&2
ERR=1
;;
esac
return $ERR 2>/dev/null || exit $ERR

24
utils/check_dependancies Executable file
View file

@ -0,0 +1,24 @@
#!/bin/bash
# Version: 0.0.2
# Copyright (c) 2007 - 2017:
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
# Licensed under the terms of the GNU General Public License version 3.
#
# This is a quick^Wslow dirty hack to check binaries and libraries for missing
# dependancies using ldd. Only those files with missing dependancies (along
# with the missing library information itself) will be written to stderr.
# Redirecting stderr to a file is advised, since this can produce a large
# volume of output on a system with many missing libraries.
echo "This will take a while..."
{ find -P ${1:-/} -regextype posix-extended \
\( -regex "^/(boot|data|dev|etc|home|lost\+found|media|mnt|proc|root|run|srv|sys|tmp|var)" -a -prune \) -o \
\( -regex "^/lib(64)?/ld-.*" -a -prune \) -o \
\( -regex "^/lib/(dhcpcd|firmware|modprobe\.d|modules)" -a -prune \) -o \
\( -regex "^/(opt|usr|usr/local)/(doc|etc|include|info|man|share|src)" -a -prune \) -o \
\( -regex "^/usr/lib(64)?/(firefox|java|jdk|jre|seamonkey|thunderbird)-.*" -a -prune \) -o \
\( -regex "^/usr/lib(64)?/(locale|qt/plugins/.*.debug)" -a -prune \) -o \
-type f -print0 | \
xargs -0 -r file -N -0 | egrep -a ".*ELF.*(executable|shared object).*dynamically" | cut -d $'\0' -f1 | sort | \
xargs -r ldd 2>/dev/null | egrep "(^/|not found)" | egrep -B 1 "^[[:space:]]" | egrep -v "^--" ; } >&2