From 98737ad12db892778ad93a57e900887eb7114e83 Mon Sep 17 00:00:00 2001 
From: Darren 'Tadgy' Austin Date: Mon, 6 Nov 2023 19:37:32 +0000 Subject: [PATCH] Update configs for Phil. --- etc/.gitignore | 37 +---- etc/cron.daily/warn-git-status | 37 ++++- etc/cron.weekly/fstrim | 3 + etc/default/.gitignore | 7 + etc/default/syslogd | 1 + etc/iptables/.gitignore | 2 + etc/login.defs | 90 +++++++++++ etc/logrotate.d/btmp | 6 + etc/logrotate.d/lastlog | 2 + etc/logrotate.d/sulog | 3 + etc/logrotate.d/syslog | 6 + etc/logrotate.d/wtmp | 6 + etc/mcelog/.gitignore | 1 + etc/mcelog/mcelog.conf | 198 ++++++++++++++++++++++++ etc/papersize | 2 + etc/pkglist | 2 + etc/rc.firewall | 108 ------------- etc/rc.local | 7 +- etc/rc.shutdown | 11 ++ etc/runit/.gitignore | 1 - etc/runit/runsvdir/default/.gitignore | 21 +-- etc/runit/runsvdir/default/gpm-custom | 1 + etc/runit/runsvdir/default/ip6tables | 1 + etc/runit/runsvdir/default/iptables | 1 + etc/runit/shutdown.d/.gitignore | 9 ++ etc/runit/shutdown.d/00-rc-shutdown.sh | 1 + etc/sv/.gitignore | 59 +++---- etc/sv/gpm-custom/supervise/.gitignore | 6 + etc/sv/syslogd/log/run | 2 + etc/sv/syslogd/log/supervise/.gitignore | 6 + etc/sv/syslogd/run | 4 + etc/sv/syslogd/supervise/.gitignore | 6 + etc/sysconfig/lm_sensors | 9 ++ 33 files changed, 455 insertions(+), 201 deletions(-) create mode 100755 etc/cron.weekly/fstrim create mode 100644 etc/default/.gitignore create mode 100644 etc/default/syslogd create mode 100644 etc/iptables/.gitignore create mode 100644 etc/login.defs create mode 100644 etc/logrotate.d/btmp create mode 100644 etc/logrotate.d/lastlog create mode 100644 etc/logrotate.d/sulog create mode 100644 etc/logrotate.d/syslog create mode 100644 etc/logrotate.d/wtmp create mode 100644 etc/mcelog/.gitignore create mode 100644 etc/mcelog/mcelog.conf create mode 100644 etc/papersize delete mode 100755 etc/rc.firewall create mode 100755 etc/rc.shutdown create mode 120000 etc/runit/runsvdir/default/gpm-custom create mode 120000 etc/runit/runsvdir/default/ip6tables create mode 120000 
etc/runit/runsvdir/default/iptables create mode 100644 etc/runit/shutdown.d/.gitignore create mode 100644 etc/runit/shutdown.d/00-rc-shutdown.sh create mode 100644 etc/sv/gpm-custom/supervise/.gitignore create mode 100755 etc/sv/syslogd/log/run create mode 100644 etc/sv/syslogd/log/supervise/.gitignore create mode 100755 etc/sv/syslogd/run create mode 100644 etc/sv/syslogd/supervise/.gitignore create mode 100644 etc/sysconfig/lm_sensors diff --git a/etc/.gitignore b/etc/.gitignore index 4c3c9b1..66c256c 100644 --- a/etc/.gitignore +++ b/etc/.gitignore @@ -1,3 +1,4 @@ +*.swp /*~ /*.lock /*.orig @@ -5,6 +6,7 @@ /UPower/ /X11/ /acpi/ +/adjtime /apparmor.d/ /asound.conf /bash/ @@ -16,16 +18,12 @@ /cron.d/ /cron.hourly/ /cron.monthly/ -/cron.weekly/ /crypttab /cupshelpers/ /dbus-1/ -/default/ /depmod.d/ -/dhcpcd.conf /dkms/ /dns/ -/dnsmasq.conf /dracut.conf /dracut.conf.d/ /e2scrub.conf @@ -34,10 +32,8 @@ /exports /exports.d/ /fonts/ -/fuse.conf /gai.conf /gimp/ -/gprofng.rc /group- /grub.d/ /gshadow @@ -49,22 +45,15 @@ /idmapd.conf /inputrc /iproute2/ -/iptables/ /irssi.conf /issue /kernel.d/ /ld.so.cache /ld.so.conf /ld.so.conf.d/ -/libblockdev/ /libnl/ -/libpaper.d/ -/libvirt/ /localtime -/login.defs -/logrotate.d/ /lvm/ -/lxdm/ /lynx.cfg /lynx.lss /mail.rc @@ -75,31 +64,21 @@ /mtab /netconfig /nsswitch.conf -/openldap/ /os-release /pam.d/ -/papersize /passwd- /pinforc /pkcs11/ -/polkit-1/ /profile /profile.d/ /protocols -/pulse/ -/rc.shutdown -/rc_maps.cfg /resolv.conf /rpc -/rsyncd.conf -/samba/ -/sane.d/ -/sasl2/ /screenrc +/securetty /security/ /sensors3.conf /services -/sgml/ /shadow /shadow- /shells @@ -110,21 +89,15 @@ /sudo.conf /sudoers /sudoers.dist -/sysconfig/ /sysctl.conf -/s-nail.rc -/tigervnc/ -/ts.conf +/sysctl.d/ +/syslog.d/ /udev/ -/udisks2/ -/vbox/ -/vdpau_wrapper.cfg /wgetrc /wpa_supplicant/ /xattr.conf /xbps.d/ /xdg/ /xinetd.d/ -/xml/ /xtables.conf /zzz.d/ 
diff --git a/etc/cron.daily/warn-git-status b/etc/cron.daily/warn-git-status index 7645bea..641ec13 100755 --- a/etc/cron.daily/warn-git-status +++ b/etc/cron.daily/warn-git-status @@ -1,9 +1,38 @@ #!/bin/bash -source /etc/mail.conf "git-status" || exit 1 +CHECK_DIRS=( '/' '/etc/slackpkg/templates' ) +OUTPUT_FILE="/tmp/${0##*/}-$$-$RANDOM" -CONFIGSTATUS="$(cd / && git status | egrep -ve "^(On branch|Your branch|No commits|nothing|$)" -e "\(use")" +# Remove the OUTPUT_FILE when done. +trap 'rm -f "$OUTPUT_FILE"' EXIT -[[ -z "$CONFIGSTATUS" ]] && exit 0 +# Source the mail configuration. +source /etc/mail.conf "git-status" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "Failed to source /etc/mail.conf" >&2 + exit 1 +} -mailx "${MAILX_ARGS[@]}" -S from="$EMAIL_FROM" -s "git statuses" "${EMAIL_TO[@]}" <<<"$CONFIGSTATUS" +# Loop through the list and process. +for DIR in "${CHECK_DIRS[@]}"; do + [[ ! -e "$DIR" ]] || [[ ! -d "$DIR" ]] && continue + TMP_OUTPUT="$(cd "$DIR" && [[ "$(git rev-parse --show-toplevel)" == "$PWD" ]] && git status | grep -E -ve "^(On branch|Your branch|No commits|nothing|$)" -e "\(use")" + [[ -n "$TMP_OUTPUT" ]] && printf "%s:\\n%s\\n\\n" "$DIR" "$TMP_OUTPUT" >>"$OUTPUT_FILE" + unset TMP_OUTPUT +done + +[[ ! -s "$OUTPUT_FILE" ]] && { + exit 0 +} + +# Send the message. +if [[ -n "${EMAIL_TO[*]}" ]]; then + mailx "${MAILX_ARGS[@]}" -S "from=$EMAIL_FROM" -s "Git statuses" "${EMAIL_TO[@]}" <<<"$(cat "$OUTPUT_FILE")" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "mailx command failed" >&2 + exit 1 + } +else + printf "%s: %s\\n" "${0##*/}" "no recipient configured for mail delivery" >&2 + exit 1 +fi + +exit 0 diff --git a/etc/cron.weekly/fstrim b/etc/cron.weekly/fstrim new file mode 100755 index 0000000..cef8892 --- /dev/null +++ b/etc/cron.weekly/fstrim @@ -0,0 +1,3 @@ +#!/bin/sh + +fstrim / diff --git a/etc/default/.gitignore b/etc/default/.gitignore new file mode 100644 index 0000000..ce7e4ae --- /dev/null +++ b/etc/default/.gitignore 
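Review bot: `OUTPUT_FILE="/tmp/${0##*/}-$$-$RANDOM"` in etc/cron.daily/warn-git-status is a guessable name in a world-writable directory, and the loop appends to it with `>>` without checking that the file is new. A file or link already present at that path would be written through, or its contents mailed, by a job that presumably runs as root from cron. Creating the file with `OUTPUT_FILE="$(mktemp "/tmp/${0##*/}.XXXXXX")" || exit 1` before the `trap` gives an exclusively created, owner-only file and leaves the rest of the script unchanged. Separately, `2>/dev/null` on both the `source` and the `mailx` call discards the underlying error text, so the cron report only ever shows the generic message.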
@@ -0,0 +1,7 @@ +/cdrecord +/efibootmgr-kernel-hook +/grub +/libc-locales +/live.conf +/rscsi +/useradd diff --git a/etc/default/syslogd b/etc/default/syslogd new file mode 100644 index 0000000..30c3680 --- /dev/null +++ b/etc/default/syslogd @@ -0,0 +1 @@ +SYSLOGD_ARGS=('--rcdir=/etc/syslog.d' '--rcfile=/etc/syslog.conf' '--ipany' '--mark=0' '--no-detach' '--pidfile=/run/syslogd.pid' '--inet' '-s' 'afterdark.org.uk') diff --git a/etc/iptables/.gitignore b/etc/iptables/.gitignore new file mode 100644 index 0000000..f283fb2 --- /dev/null +++ b/etc/iptables/.gitignore @@ -0,0 +1,2 @@ +/empty.rules +/simple_firewall.rules diff --git a/etc/login.defs b/etc/login.defs new file mode 100644 index 0000000..6f215fc --- /dev/null +++ b/etc/login.defs 
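Review bot: `'--inet'` in `SYSLOGD_ARGS` (etc/default/syslogd) makes this syslogd accept log messages from the network, and nothing in the argument list limits which address it listens on or which senders are accepted. The packet-filter rules that replace the deleted rc.firewall are not part of this commit, so confirm that they admit the syslog port only from the intended hosts, or drop `'--inet'` if this machine only logs locally. A comment above the array saying why remote reception is needed would help the next reader, e.g. `# --inet: receives remote syslog from <intended hosts>; port is restricted by the iptables ruleset`.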
@@ -0,0 +1,90 @@ +# Configuration file for login(1). For more information see +# login.defs(5). + +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you do define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# Min/max values for automatic uid selection in useradd +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 100 +SYS_UID_MAX 999 + +# Min/max values for automatic gid selection in groupadd +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 100 +SYS_GID_MAX 999 + +# If useradd should create home directories for users by default +CREATE_HOME yes + +# This enables userdel to remove user groups if no members exist. +USERGROUPS_ENAB yes + +# Disable MOTD_FILE (empty); use pam_motd(8) instead. +MOTD_FILE + + +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty + +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0600 + +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. 
+# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# The ULIMIT is used only if the system supports it. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 +HOME_MODE 0700 + +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# Log su usage. +SULOG_FILE /var/log/sulog diff --git a/etc/logrotate.d/btmp b/etc/logrotate.d/btmp new file mode 100644 index 0000000..1eb67ae --- /dev/null +++ b/etc/logrotate.d/btmp @@ -0,0 +1,6 @@ +# The btmp login failure records are not rotated by default. +# Uncomment the lines below to enable rotation of btmp. + +# /var/log/btmp { +# # No specific options. +# } diff --git a/etc/logrotate.d/lastlog b/etc/logrotate.d/lastlog new file mode 100644 index 0000000..72d09f9 --- /dev/null +++ b/etc/logrotate.d/lastlog @@ -0,0 +1,2 @@ +# This file is for information only. +# /var/log/lastlog should not be rotated as it is a database, not a log file. diff --git a/etc/logrotate.d/sulog b/etc/logrotate.d/sulog new file mode 100644 index 0000000..4af6449 --- /dev/null +++ b/etc/logrotate.d/sulog @@ -0,0 +1,3 @@ +/var/log/sulog { + # No specific options. +} diff --git a/etc/logrotate.d/syslog b/etc/logrotate.d/syslog new file mode 100644 index 0000000..770d6b9 --- /dev/null +++ b/etc/logrotate.d/syslog @@ -0,0 +1,6 @@ +/var/log/messages /var/log/smtp /var/log/sshd { + sharedscripts + postrotate + /bin/kill -HUP $(cat /run/syslogd.pid) >/dev/null 2>&1 || true + endscript +} diff --git a/etc/logrotate.d/wtmp b/etc/logrotate.d/wtmp new file mode 100644 index 0000000..5a56ad7 --- /dev/null +++ b/etc/logrotate.d/wtmp @@ -0,0 +1,6 @@ +# The wtmp login records are not rotated by default. +# Uncomment the lines below to enable rotation of wtmp. + +# /var/log/wtmp { +# # No specific options. +# } 
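Review bot: The new etc/login.defs sets no `ENCRYPT_METHOD`, so any shadow tool that takes its hashing algorithm from this file rather than from PAM falls back to its built-in default, which login.defs(5) lists as DES. Adding an explicit line such as `ENCRYPT_METHOD SHA512` (or `YESCRYPT` if the installed shadow and libcrypt support it) removes the dependence on that default. Whether `passwd` itself is affected depends on the PAM configuration, which is not visible here. The password-aging comment block also still describes `PASS_MIN_LEN`, although no such setting follows it.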
diff --git a/etc/mcelog/.gitignore b/etc/mcelog/.gitignore new file mode 100644 index 0000000..51c17f5 --- /dev/null +++ b/etc/mcelog/.gitignore @@ -0,0 +1 @@ +/*-trigger diff --git a/etc/mcelog/mcelog.conf b/etc/mcelog/mcelog.conf new file mode 100644 index 0000000..4a01380 --- /dev/null +++ b/etc/mcelog/mcelog.conf 
@@ -0,0 +1,198 @@ +# mcelog is the user space backend that decodes and process machine check events +# (cpu hardware errors) reported by the CPU to the kernel +# + +# general format +#optionname = value +# white space is not allowed in value currently, except at the end where it is dropped +# + +# In general all command line options that are not commands work here. +# See man mcelog or mcelog --help for a list. +# e.g. to enable the --no-syslog option use +#no-syslog = yes (or no to disable) +# when the option has a argument +#logfile = /tmp/logfile +# below are the options which are not command line options. + +# Set CPU type for which mcelog decodes events: +#cpu = type +# For valid values for type please see mcelog --help. +# If this value is set incorrectly the decoded output will be likely incorrect. +# By default when this parameter is not set mcelog uses the CPU it is running on +# on very new kernels the mcelog events reported by the kernel also carry +# the CPU type which is used too when available and not overridden. + +# Enable daemon mode: +daemon = yes +# By default mcelog just processes the currently pending events and exits. +# In daemon mode it will keep running as a daemon in the background and poll +# the kernel for events and then decode them. + +# Filter out known broken events by default. +filter = yes +# Don't log memory errors individually. +# They still get accounted if that is enabled. +#filter-memory-errors = yes + +# output in undecoded raw format to be easier machine readable +# (default is decoded). +#raw = yes + +# Set CPU Mhz to decode uptime from time stamp counter (output +# unreliable, not needed on new kernels which report the event time +# directly. A lot of systems don't have a linear time stamp clock +# and the output is wrong then. +# Normally mcelog tries to figure out if it the TSC is reliable +# and only uses the current frequency then. +# Setting a frequency forces timestamp decoding. 
+# This setting is obsolete with modern kernels which report the time +# directly. +#cpumhz = 1800.00 + +# log output options +# Log decoded machine checks in syslog (default stdout or syslog for daemon) +syslog = yes +# Log decoded machine checks in syslog with error level +syslog-error = yes +# Never log anything to syslog +#no-syslog = yes +# Append log output to logfile instead of stdout. Only when no syslog logging is active +#logfile = filename + +# Use SMBIOS information to decode DIMMs (needs root). +# This function is not recommended to use right now and generally not needed. +# The exception is memdb prepopulation, which is configured separately below. +#dmi = no + +# When in daemon mode run as this user after set up. +# Note that the triggers will run as this user too. +# Setting this to non root will mean that triggers cannot take some corrective +# action, like offlining objects. +#run-credentials-user = root + +# group to run as daemon with +# default to the group of the run-credentials-user +#run-credentials-group = nobody + +[server] +# user allowed to access client socket. +# when set to * match any +# root is always allowed to access. +# default: root only +client-user = root +# group allowed to access mcelog +# When no group is configured any group matches (but still user checking). +# when set to * match any +#client-group = root +# Path to the unix socket for client<->server communication. +# When no socket-path is configured the server will not start +#socket-path = /var/run/mcelog-client +# When mcelog starts it checks if a server is already running. This configures the timeout +# for this check. +#initial-ping-timeout = 2 + +[dimm] +# Is the in memory DIMM error tracking enabled? +# Only works on systems with integrated memory controller and +# which are supported. +# Only takes effect in daemon mode. +dimm-tracking-enabled = yes +# Use DMI information from the BIOS to prepopulate DIMM database. 
+# Note this might not work with all BIOS and requires mcelog to run as root. +# Alternative is to let mcelog create DIMM objects on demand. +dmi-prepopulate = yes +# +# Execute these triggers when the rate of corrected or uncorrected +# Errors per DIMM exceeds the threshold. +# Note when the hardware does not report DIMMs this might also +# be per channel. +# The default of 10/24h was reasonable for server quality +# DDR3 DIMMs as of 2009/10. Newer systems can benefit from +# more aggressive page offline when corrected errors are seen +# See: +# https://www.intel.com/content/dam/www/public/us/en/documents/intel-and-samsung-mrt-improving-memory-reliability-at-data-centers.pdf +# for details. +#uc-error-trigger = dimm-error-trigger +uc-error-threshold = 1 / 24h +#ce-error-trigger = dimm-error-trigger +ce-error-threshold = 2 / 24h + +[socket] +# Enable memory error accounting per socket. +socket-tracking-enabled = yes + +# Threshold and trigger for uncorrected memory errors on a socket. +# mem-uc-error-trigger = socket-memory-error-trigger + +mem-uc-error-threshold = 100 / 24h + +# Trigger script for corrected memory errors on a socket. +mem-ce-error-trigger = socket-memory-error-trigger + +# Threshold on when to trigger a correct error for the socket. + +mem-ce-error-threshold = 100 / 24h + +# Log socket error threshold explicitly? +mem-ce-error-log = yes + +# Trigger script for uncorrected bus error events +bus-uc-threshold-trigger = bus-error-trigger + +# Trigger script for uncorrected IOMCA erors +iomca-threshold-trigger = iomca-error-trigger + +# Trigger script for other uncategorized errors +unknown-threshold-trigger = unknown-error-trigger + +[cache] +# Processing of cache error thresholds reported by Intel CPUs. +cache-threshold-trigger = cache-error-trigger + +# Should cache threshold events be logged explicitly? +cache-threshold-log = yes + +[page] +# Memory error accouting per 4K memory page. +# Threshold for the correct memory errors trigger script. 
+memory-ce-threshold = 10 / 24h + +# Trigger script for corrected errors. +# memory-ce-trigger = page-error-trigger + +# Memory error counter per 4K memory page. +# Threshold for the counter replacements trigger script. +memory-ce-counter-replacement-threshold = 20 / 24h + +# Trigger script for counter replacements. +memory-ce-counter-replacement-trigger = page-error-counter-replacement-trigger + +# Should page threshold events be logged explicitly? +memory-ce-log = yes + +# specify the internal action in mcelog to exceeding a page error threshold +# this is done in addition to executing the trigger script if available +# off no action +# account only account errors +# soft try to soft-offline page without killing any processes +# This requires an uptodate kernel. Might not be successfull. +# hard try to hard-offline page by killing processes +# Requires an uptodate kernel. Might not be successfull. +# soft-then-hard First try to soft offline, then try hard offlining +#memory-ce-action = off|account|soft|hard|soft-then-hard +memory-ce-action = soft + +# Trigger script before doing soft memory offline +# this trigger will scan and run all the scipts in the page-error-pre-soft-trigger.extern +memory-pre-sync-soft-ce-trigger = page-error-pre-sync-soft-trigger + +# Trigger script after completing soft memory offline +# this trigger will scan and run all the scipts in the page-error-post-soft-trigger.extern +memory-post-sync-soft-ce-trigger = page-error-post-sync-soft-trigger + +[trigger] +# Maximum number of running triggers +children-max = 2 +# execute triggers in this directory +directory = /etc/mcelog diff --git a/etc/papersize b/etc/papersize new file mode 100644 index 0000000..ade92dc --- /dev/null +++ b/etc/papersize @@ -0,0 +1,2 @@ +# Simply write the paper name. See papersize(5) for possible values +A4 diff --git a/etc/pkglist b/etc/pkglist index 70d689b..7a456c3 100644 --- a/etc/pkglist +++ b/etc/pkglist 
@@ -215,6 +215,7 @@ iftop imath imlib2 inetutils-ftp +inetutils-syslog inetutils-telnet inih inkscape @@ -626,6 +627,7 @@ man-pages-devel man-pages-posix matio mbedtls +mcelog mcpp mdadm mdocml diff --git a/etc/rc.firewall b/etc/rc.firewall deleted file mode 100755 index 3550c8b..0000000 --- a/etc/rc.firewall +++ /dev/null 
@@ -1,108 +0,0 @@ -#!/bin/bash - -# The name of the main external interface. -EX_IF="enp11s0" - - -start_firewall() { - # Flush old rules. - iptables -F - ip6tables -F - iptables -t nat -F - ip6tables -t nat -F - iptables -t mangle -F - ip6tables -t mangle -F - - # Delete any custom chains. - iptables -X - ip6tables -X - iptables -t nat -X - ip6tables -t nat -X - iptables -t mangle -X - ip6tables -t mangle -X - - # Allow all loopback traffic. - iptables -A INPUT -i lo -j ACCEPT - ip6tables -A INPUT -i lo -j ACCEPT - - # Drop invalid packets on all interfaces. - iptables -A INPUT -m conntrack --ctstate INVALID -j DROP - ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP - - # Allow packets of established connections and those related to them. - iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - - # Allow pings. - iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT - iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT - - # Allow certain types of ICMP informational packets. 
- iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT - iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT - iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT - - # Allow SSH. - iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT - ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT - - # Set default policies. - iptables -P INPUT DROP - ip6tables -P INPUT DROP - iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections. - ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections. - iptables -P FORWARD DROP - ip6tables -P FORWARD DROP -} - -stop_firewall() { - # Set default policies to ACCEPT. - iptables -P INPUT ACCEPT - ip6tables -P INPUT ACCEPT - iptables -P OUTPUT ACCEPT - ip6tables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT - ip6tables -P FORWARD ACCEPT - - # Flush rules. - iptables -F - ip6tables -F - iptables -t nat -F - ip6tables -t nat -F - iptables -t mangle -F - ip6tables -t mangle -F - - # Delete any custom chains. - iptables -X - ip6tables -X - iptables -t nat -X - ip6tables -t nat -X - iptables -t mangle -X - ip6tables -t mangle -X -} - - -case "$1" in - 'start') - start_firewall - ;; - 'stop') - stop_firewall - ;; - 'restart') - stop_firewall - start_firewall - ;; - *) - echo "Usage: $BASH_SOURCE " >&2 - ERR=1 - ;; -esac 
diff --git a/etc/rc.local b/etc/rc.local index 619cdba..db73b3c 100755 --- a/etc/rc.local +++ b/etc/rc.local @@ -1,10 +1,9 @@ +#!/bin/bash # Default rc.local for void; add your custom commands here. # # This is run by runit in stage 2 before the services are executed # (see /etc/runit/2). -[ -x /etc/rc.firewall ] && /etc/rc.firewall start +[[ -x /sbin/setcolors ]] && /sbin/setcolors /etc/setcolors.conf -echo 5000 >/sys/class/backlight/intel_backlight/brightness - -/sbin/setcolors /etc/setcolors.conf +( sleep 10; [[ -x /opt/bin/pushover-client ]] && /opt/bin/pushover-client -p -1 -m "Boot up: ${HOSTNAME%%.*}" ) & diff --git a/etc/rc.shutdown b/etc/rc.shutdown new file mode 100755 index 0000000..51e9383 --- /dev/null +++ b/etc/rc.shutdown @@ -0,0 +1,11 @@ +#!/bin/bash +# Default rc.shutdown for void; add your custom commands here. +# +# This is run by runit in stage 3 after the services are stopped +# (see /etc/runit/3). + +[[ ! -e /run/rc-shutdown-ran ]] && { + [[ -x /opt/bin/pushover-client ]] && /opt/bin/pushover-client -p -1 -m "Shutting down: ${HOSTNAME%%.*}" + + toch /run/rc-shutdown-ran +} diff --git a/etc/runit/.gitignore b/etc/runit/.gitignore index f8c4f83..5790808 100644 --- a/etc/runit/.gitignore +++ b/etc/runit/.gitignore @@ -6,5 +6,4 @@ /ctrlaltdel /functions /reboot -/shutdown.d/ /stopit diff --git a/etc/runit/runsvdir/default/.gitignore b/etc/runit/runsvdir/default/.gitignore index 78ed279..ea20f6b 100644 --- a/etc/runit/runsvdir/default/.gitignore +++ b/etc/runit/runsvdir/default/.gitignore @@ -1,19 +1,10 @@ /acpid -/agetty-* -!/agetty-tty7 -!/agetty-tty8 -!/agetty-tty9 -!/agetty-tty10 -/alsa -/cupsd -/dbus +/agetty-tty1 +/agetty-tty2 +/agetty-tty3 +/agetty-tty4 +/agetty-tty5 +/agetty-tty6 /dhcpcd -/gpm-custom -/lxdm -/nanoklogd -/polkitd -/rtkit -/socklog-unix /sshd /udevd -/uuidd diff --git a/etc/runit/runsvdir/default/gpm-custom b/etc/runit/runsvdir/default/gpm-custom new file mode 120000 index 0000000..6003a10 --- /dev/null 
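Review bot: Removing `[ -x /etc/rc.firewall ] && /etc/rc.firewall start` from etc/rc.local moves rule loading out of the step that, per the file's own header comment, runs before the services are executed, and into the `iptables`/`ip6tables` services this commit links into runsvdir/default. If runit brings those up alongside sshd and the new network-listening syslogd rather than ahead of them, there is a window at boot where the listeners are up with no rules loaded. Restoring the ruleset from rc.local as well, or having the run scripts of the listening services wait with `sv check iptables ip6tables || exit 1`, would close that window. The firewall service scripts and the ruleset they load are not visible in this diff. The backgrounded `pushover-client` subshell would also benefit from a short comment explaining the `sleep 10`.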
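Review bot: `toch /run/rc-shutdown-ran` in etc/rc.shutdown looks like a typo for `touch`. As written the command is not found, the marker file is never created, and the `[[ ! -e /run/rc-shutdown-ran ]]` guard never takes effect. The guard appears to matter because this commit adds shutdown.d/00-rc-shutdown.sh while shutdown.d/.gitignore still lists a stock 20-rc-shutdown.sh, so the script may be invoked twice and send the notification twice. Change the line to `touch /run/rc-shutdown-ran`, ideally placed before the `pushover-client` call so that a slow or failing notification cannot prevent the marker from being written.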
+++ b/etc/runit/runsvdir/default/gpm-custom @@ -0,0 +1 @@ +/etc/sv/gpm-custom \ No newline at end of file diff --git a/etc/runit/runsvdir/default/ip6tables b/etc/runit/runsvdir/default/ip6tables new file mode 120000 index 0000000..ca411f1 --- /dev/null +++ b/etc/runit/runsvdir/default/ip6tables @@ -0,0 +1 @@ +/etc/sv/ip6tables \ No newline at end of file diff --git a/etc/runit/runsvdir/default/iptables b/etc/runit/runsvdir/default/iptables new file mode 120000 index 0000000..f0eee04 --- /dev/null +++ b/etc/runit/runsvdir/default/iptables @@ -0,0 +1 @@ +/etc/sv/iptables \ No newline at end of file diff --git a/etc/runit/shutdown.d/.gitignore b/etc/runit/shutdown.d/.gitignore new file mode 100644 index 0000000..5a38622 --- /dev/null +++ b/etc/runit/shutdown.d/.gitignore @@ -0,0 +1,9 @@ +/10-sv-stop.sh +/20-rc-shutdown.sh +/30-seedrng.sh +/40-hwclock.sh +/50-wtmp.sh +/60-udev.sh +/70-pkill.sh +/80-filesystems.sh +/90-kexec.sh diff --git a/etc/runit/shutdown.d/00-rc-shutdown.sh b/etc/runit/shutdown.d/00-rc-shutdown.sh new file mode 100644 index 0000000..1df105b --- /dev/null +++ b/etc/runit/shutdown.d/00-rc-shutdown.sh @@ -0,0 +1 @@ +[ -x /etc/rc.shutdown ] && /etc/rc.shutdown diff --git a/etc/sv/.gitignore b/etc/sv/.gitignore index c566b9f..2e7d59f 100644 --- a/etc/sv/.gitignore +++ b/etc/sv/.gitignore 
@@ -1,64 +1,49 @@ -/NetworkManager/ /acpid/ -/agetty-*/ -/!agetty-tty7/ -/!agetty-tty8/ -/!agetty-tty9/ -/!agetty-tty10/ +/agetty-console/ +/agetty-generic/ +/agetty-hvc0/ +/agetty-hvsi0/ +/agetty-serial/ +/agetty-tty1/ +/agetty-tty2/ +/agetty-tty3/ +/agetty-tty4/ +/agetty-tty5/ +/agetty-tty6/ +/agetty-ttyAMA0/ +/agetty-ttyS0/ +/agetty-ttyUSB0/ /alsa/ +/apache/ /autofs/ +/brltty/ /crond -/cupsd/ -/cups-browsed/ -/dbus/ /dcron/ /dhcpcd/ /dhcpcd-eth0/ /dmeventd/ -/dnsmasq/ -/fancontrol/ -/gpm/ -/gpm-custom/supervise/ -/!gpm-custom/supervise/.empty +/espeakup/ +/gitea/ /ip6tables/ /iptables/ /isc-ntpd/ -/libvirtd*/ /lvmetad/ -/lxdm/ /mdadm/ -/nanoklogd/ /nfs-server/ /ntpd -/polkitd/ +/php-fpm8.2/ /rpcbind/ /rpcblkmapd/ /rpcgssd/ /rpcidmapd/ /rpcsvcgssd/ /rsyncd/ -/rsyncd/ -/rtkit/ -/saned/ -/smartd/ -/socklog-unix/ /sshd/ +/sshguard-socklog/ /statd/ /sulogin/ /udevd/ /uuidd/ -/vboxwebsrv/ -/virtinterfaced/ -/virtlockd/ -/virtlogd/ -/virtlxcd/ -/virtnetworkd/ -/virtnodedevd/ -/virtnwfilterd/ -/virtproxyd/ -/virtqemud/ -/virtsecretd/ -/virtstoraged/ -/virtvboxd/ -/virtxend/ +/vmtoolsd/ +/vmware-vmblock-fuse/ /wpa_supplicant/ diff --git a/etc/sv/gpm-custom/supervise/.gitignore b/etc/sv/gpm-custom/supervise/.gitignore new file mode 100644 index 0000000..a8a148e --- /dev/null +++ b/etc/sv/gpm-custom/supervise/.gitignore @@ -0,0 +1,6 @@ +/control +/lock +/ok +/pid +/stat +/status diff --git a/etc/sv/syslogd/log/run b/etc/sv/syslogd/log/run new file mode 100755 index 0000000..fcef0c7 --- /dev/null +++ b/etc/sv/syslogd/log/run @@ -0,0 +1,2 @@ +#!/bin/sh +exec vlogger -t syslogd -p syslog.err diff --git a/etc/sv/syslogd/log/supervise/.gitignore b/etc/sv/syslogd/log/supervise/.gitignore new file mode 100644 index 0000000..a8a148e --- /dev/null +++ b/etc/sv/syslogd/log/supervise/.gitignore @@ -0,0 +1,6 @@ +/control +/lock +/ok +/pid +/stat +/status diff --git a/etc/sv/syslogd/run b/etc/sv/syslogd/run new file mode 100755 index 0000000..86ae312 --- /dev/null 
+++ b/etc/sv/syslogd/run @@ -0,0 +1,4 @@ +#!/bin/bash + +[[ -r /etc/default/syslogd ]] && . /etc/default/syslogd +exec syslogd "${SYSLOGD_ARGS[@]}" diff --git a/etc/sv/syslogd/supervise/.gitignore b/etc/sv/syslogd/supervise/.gitignore new file mode 100644 index 0000000..a8a148e --- /dev/null +++ b/etc/sv/syslogd/supervise/.gitignore @@ -0,0 +1,6 @@ +/control +/lock +/ok +/pid +/stat +/status diff --git a/etc/sysconfig/lm_sensors b/etc/sysconfig/lm_sensors new file mode 100644 index 0000000..77bed60 --- /dev/null +++ b/etc/sysconfig/lm_sensors @@ -0,0 +1,9 @@ +# Generated by sensors-detect on Mon Nov 6 18:51:00 2023 +# This file is sourced by /etc/init.d/lm_sensors and defines the modules to +# be loaded/unloaded. +# +# The format of this file is a shell script that simply defines variables: +# HWMON_MODULES for hardware monitoring driver modules, and optionally +# BUS_MODULES for any required bus driver module (for example for I2C or SPI). + +HWMON_MODULES="coretemp"
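Review bot: etc/sv/syslogd/run relies on etc/default/syslogd to supply `--no-detach`. If that file is missing or unreadable the `[[ -r /etc/default/syslogd ]] &&` test skips the source and `exec syslogd` runs with an empty argument list, in which case the daemon presumably backgrounds itself and runsv keeps respawning it. Passing the supervision-critical flag in the run script itself, `exec syslogd --no-detach "${SYSLOGD_ARGS[@]}" 2>&1`, keeps the service supervised regardless of the defaults file. The `2>&1` also sends startup errors to the `log/run` vlogger added in this commit.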