main
Robert 2 years ago
parent 1412fd6a41
commit ece03017fa
  1. 3
      app/neato_fns.php
  2. 36
      build/install_neato.sh
  3. 72
      config_files/deploy_podman.php
  4. 0
      config_files/deploy_security_audit.php
  5. 2
      config_files/deploy_sshd.php
  6. 6
      templates/Ubuntu/apache2/000-default.conf
  7. 9
      templates/Ubuntu/apache2/allsites.conf
  8. 36
      templates/Ubuntu/apache2/default-ssl.conf
  9. 87
      templates/Ubuntu/apache2/security.conf
  10. 4
      templates/Ubuntu/apt.conf.d/10periodic
  11. 58
      templates/Ubuntu/keys/api.sh
  12. 45
      templates/Ubuntu/keys/ca.sh
  13. 10
      templates/Ubuntu/keys/how_to_move_certs.txt
  14. 166
      templates/Ubuntu/keys/workers.sh
  15. 67
      templates/Ubuntu/mysql.conf.d/mysqld.cnf
  16. 25
      templates/Ubuntu/notice.txt
  17. 247
      templates/Ubuntu/php/php.ini
  18. 94
      templates/Ubuntu/ssh/sshd_config
  19. 45
      templates/Ubuntu/ufw/sysctl.conf
  20. 9
      templates/podman_install.sh

@ -44,9 +44,6 @@ function get_perms($kind): int {
if (is_numeric($kind) && (strlen($kind) == 3 || strlen($kind) == 4 )) {
return intval($kind);
}
// if (is_string_found($kind, '+') || is_string_found($kind, '-')) {
// return $kind;
// }
switch ($kind) {
case 'keydir': $perm = 0700;
break;
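Review bot: `intval($kind)` on the is_numeric branch parses a string mode such as `'755'` as decimal 755 (octal 1363), so if any caller passes the mode as a string the returned value is not the permission it names, while the switch below returns octal literals like `0700`, so the two paths disagree on what a three-digit value means. A safer form is `if (is_int($kind)) { return $kind; }` followed by `if (is_string($kind) && preg_match('/^[0-7]{3,4}$/', $kind)) { return octdec($kind); }`, which also rejects inputs such as `'1e3'` or `'7.5'` that is_numeric accepts but that are not modes. get_perms starts and ends outside the hunk, and the rendered hunk no longer marks which of the commented-out lines are the ones removed.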

@ -4,7 +4,7 @@ PHPCLI='php8.3-cli'
PHPMBString='php8.3-mbstring'
if [ "$EUID" -ne 0 ]; then
echo "Please run as root!"
/usr/bin/echo "Please run as root!"
exit
fi
@ -12,16 +12,16 @@ current_directory=$(pwd)
target_directory="/opt/neatoDeploy"
if [ "$current_directory" == "$target_directory" ]; then
echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
/usr/bin/echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
exit 1
fi
mkdir -p /opt/neatoDeployments
mv neato_deploy_php_cli.ini /opt/neatoDeployments/
mv neatoDeploy.phar /opt/neatoDeployments/
mv neato_deploy.sh /opt/neatoDeployments/
mv make-sums.sh /opt/neatoDeployments/
cp config_files/deploy_*.php /opt/neatoDeployments/
/usr/bin/mkdir -p /opt/neatoDeployments
/usr/bin/mv neato_deploy_php_cli.ini /opt/neatoDeployments/
/usr/bin/mv neatoDeploy.phar /opt/neatoDeployments/
/usr/bin/mv neato_deploy.sh /opt/neatoDeployments/
/usr/bin/mv make-sums.sh /opt/neatoDeployments/
/usr/bin/cp config_files/deploy_*.php /opt/neatoDeployments/
pushd /opt/neatoDeployments
@ -32,17 +32,17 @@ pushd /opt/neatoDeployments
/usr/bin/dpkg -s $PHPMBString 2>/dev/null >/dev/null || /usr/bin/apt-get install -y $PHPMBString
/usr/bin/dpkg -s curl 2>/dev/null >/dev/null || /usr/bin/apt-get install -y curl
chown www-data:www-data neato*
chown www-data:www-data make-sums.sh
chown www-data:www-data deploy_*.php
/usr/bin/chown www-data:www-data neato*
/usr/bin/chown www-data:www-data make-sums.sh
/usr/bin/chown www-data:www-data deploy_*.php
chmod 775 neatoDeploy.phar
chmod 775 neato_deploy.sh
chmod 775 make-sums.sh
chmod 664 neato_deploy_php_cli.ini
chmod 664 deploy_*.php
/usr/bin/chmod 775 neatoDeploy.phar
/usr/bin/chmod 775 neato_deploy.sh
/usr/bin/chmod 775 make-sums.sh
/usr/bin/chmod 664 neato_deploy_php_cli.ini
/usr/bin/chmod 664 deploy_*.php
popd
echo -e "\nRemove the install_neato.sh file!"
echo -e "\nRemove the neato_deploy.tar.gz.self file!"
/usr/bin/echo -e "\nRemove the install_neato.sh file!"
/usr/bin/echo -e "\nRemove the neato_deploy.tar.gz.self file!"
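Review bot: The root check at the top of the file still ends with a bare `exit`, which returns status 0, so anything that invokes install_neato.sh as a non-root user sees success although nothing was installed; the source-folder check a few lines later already uses `exit 1`, so change the first one to `exit 1` as well. The ownership block leaves neatoDeploy.phar, neato_deploy.sh and make-sums.sh group-writable (`775`) and the deploy_*.php configs `664` under www-data; if those are later executed as root (deploy_podman.php in this commit calls force_root()), a process running as www-data could edit what root runs, so `755`/`644` with root ownership, or a comment explaining why the web user must be able to write them, would be appropriate. Hard-coding /usr/bin paths presumes a merged-/usr layout, which current Ubuntu provides but the script does not verify.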

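--- a/config_files/deploy_podman.php
+++ b/config_files/deploy_podman.php
@@ -0,0 +1,72 @@
+<?php
+Configure::set('display', true); // Show Output
+Configure::set('logfile', false); // Save to log folder
+Configure::set('syslog', false);
+Configure::set('pre_actions', [
+'make_dir' => ['/etc/containers'=>''],
+'chmod_file_or_dir' =>
+['/etc/containers' => 'dir'],
+]);
+force_root();
+file_loop(Configure::get('pre_actions'));
+$is_podman_installed = do_command('is_installed', "podman");
+if ($is_podman_installed['installed'] === false) {
+do_command('install', "software-properties-common");
+//do_command("add_repo", "ppa:projectatomic/ppa");
+do_command('update');
+do_command('install', "podman");
+}
+$policy = '
+{
+"default": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"transports":
+{
+"docker-daemon":
+{
+"": [{"type":"insecureAcceptAnything"}]
+}
+}
+}';
+if (! file_exists("/etc/containers/policy.json")) {
+append_to_file("/etc/containers/policy.json", $policy);
+chmod_file_or_dir("/etc/containers/policy.json", "config");
+}
+$reg = "# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+# The default location for this configuration file is /etc/containers/registries.conf.
+# The only valid categories are: 'registries.search', 'registries.insecure',
+# and 'registries.block'.
+[registries.search]
+registries = ['docker.io', 'registry.fedoraproject.org', 'registry.access.redhat.com']
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = []
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = []";
+if (! file_exists("/etc/containers/registries.conf")) {
+append_to_file("/etc/containers/registries.conf", $reg);
+chmod_file_or_dir("/etc/containers/registries.conf", "config");
+}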
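Review bot: The policy written to /etc/containers/policy.json uses `insecureAcceptAnything` both as the default and for the docker-daemon transport, which turns off image signature verification for every pull, and nothing in the file records that this is a deliberate choice; add a comment above `$policy` such as `// NOTE: insecureAcceptAnything skips signature checks on every pull; replace with a signedBy rule per registry before relying on pulled images` so the next reader does not mistake it for a hardened default. The registries.conf body uses the v1 `[registries.search]` tables; newer podman releases expect the v2 `unqualified-search-registries` form and may reject or ignore the v1 sections, so the podman version actually installed by `do_command('install', "podman")` should be confirmed against this format. Both files are written only when absent and `Configure::set('logfile', false)` disables the run log, so a later run that finds stale files keeps them without any trace.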

@ -81,6 +81,8 @@ AllowUsers $AllowUsers
StrictModes yes
MaxAuthTries 6
MaxSessions 10
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
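Review bot: `MaxAuthTries 6` and `MaxSessions 10` are OpenSSH's built-in defaults, so if these are the two lines this hunk adds (the rendered hunk no longer marks sides) they do not tighten anything on a stock install; a hardening template would normally lower the first, e.g. `MaxAuthTries 3`, and say why in a comment next to it. The neighbouring `UsePrivilegeSeparation yes` has been a deprecated no-op since OpenSSH 7.5, so it can be dropped or marked as kept for legacy hosts. The string holding this sshd_config fragment starts and ends outside the hunk.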

@ -1,6 +0,0 @@
<VirtualHost *:80>
Include /etc/apache2/sites/allsites.conf
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

@ -1,9 +0,0 @@
ServerName dev
ServerAlias prod
ServerAdmin fake@localhost
Alias /www /var/www/html
Alias /tests /var/www/tests
DocumentRoot /var/www/toolz

@ -1,36 +0,0 @@
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
Include /etc/apache2/sites/allsites.conf
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/mainsite.crt
SSLCertificateKeyFile /etc/ssl/private/mainsite.key
SSLCACertificateFile /etc/apache2/ssl/mainsite_bundle.crt
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

@ -1,87 +0,0 @@
LimitRequestBody 204800
ServerTokens Prod
ServerSignature Off
TraceEnable Off
MaxClients 150
TimeOut 200
KeepAliveTimeout 3
LimitRequestFields 60
LimitRequestFieldSize 4094
Options -Includes
Options -ExecCGI
#Options -FollowSymLinks
HostnameLookups off
# <LimitExcept POST GET PUT UPDATE DELETE>
# deny from all
# </LimitExcept>
RewriteEngine ON
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for GIT:
#
<DirectoryMatch "^/.*/\.git">
Order deny,allow
Deny from all
</DirectoryMatch>
<FilesMatch "php_error_log">
Order deny,allow
Deny from all
</FilesMatch>
<Location /server-status>
SetHandler server-status
#AuthType basic
#AuthName "Apache status"
#AuthUserFile /etc/apache2/conf/server-status_htpasswd
#Require valid-user
Order deny,allow
Deny from all
Allow from none
</Location>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
ExtendedStatus Off
Header unset ETag
Header always unset X-Powered-By
FileETag None
Header always append X-Frame-Options SAMEORIGIN
#Header set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set Feature-Policy: "geolocation 'none'; microphone 'none'; camera 'self';"
Header set Referer-Policy: "strict-origin"
SSLProtocol -ALL +TLSv1.2
# +TLSv1.3
SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
# , TLSv1.3
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload;"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

@ -1,58 +0,0 @@
#!/bin/bash
CERT_HOSTNAME=10.32.0.1,<controller node 1 Private IP>,<controller node 1 hostname>,<controller node 2 Private IP>,<controller node 2 hostname>,<API load balancer Private IP>,<API load balancer hostname>,127.0.0.1,localhost,kubernetes.default
cd ~/kthw
cat > kubernetes-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${CERT_HOSTNAME} \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
cat > service-account-csr.json << EOF
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account

@ -1,45 +0,0 @@
#!/bin/bash
cd ~/
mkdir kthw
cd kthw
sudo curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
sudo curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
sudo curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
sudo chmod +x /bin/cfssl*
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "Kubernetes",
"OU": "CA",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

@ -1,10 +0,0 @@
Move certificate files to the worker nodes:
scp ca.pem <worker 1 hostname>-key.pem <worker 1 hostname>.pem user@<worker 1 public IP>:~/
scp ca.pem <worker 2 hostname>-key.pem <worker 2 hostname>.pem user@<worker 2 public IP>:~/
Move certificate files to the controller nodes:
scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem user@<controller 1 public IP>:~/
scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem user@<controller 2 public IP>:~/

@ -1,166 +0,0 @@
#!/bin/bash
#WORKER0_HOST=<Public hostname of your first worker node cloud server>
#WORKER0_IP=<Private IP of your first worker node cloud server>
#WORKER1_HOST=<Public hostname of your second worker node cloud server>
#WORKER1_IP=<Private IP of your second worker node cloud server>
cd ~/kthw
cat > admin-csr.json << EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:masters",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
cat > ${WORKER0_HOST}-csr.json << EOF
{
"CN": "system:node:${WORKER0_HOST}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${WORKER0_IP},${WORKER0_HOST} \
-profile=kubernetes \
${WORKER0_HOST}-csr.json | cfssljson -bare ${WORKER0_HOST}
cat > ${WORKER1_HOST}-csr.json << EOF
{
"CN": "system:node:${WORKER1_HOST}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${WORKER1_IP},${WORKER1_HOST} \
-profile=kubernetes \
${WORKER1_HOST}-csr.json | cfssljson -bare ${WORKER1_HOST}
cat > kube-controller-manager-csr.json << EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
cat > kube-scheduler-csr.json << EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Flint",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Michigan"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler

@ -1,67 +0,0 @@
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = mysql
basedir = /usr
tmpdir = /tmp
skip-external-locking
default-authentication-plugin = mysql_native_password
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
bind-address = 127.0.0.1
datadir = /var/lib/mysql
innodb_log_file_size = 128MB
max_connect_errors = 5
local-infile=0
skip-show-database
#
# * Fine Tuning
#
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover-options = BACKUP
#max_connections = 100
#table_open_cache = 64
#thread_concurrency = 10
#
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
#slow_query_log = 1
#slow_query_log_file = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/

@ -1,25 +0,0 @@
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************

@ -1,247 +0,0 @@
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
open_basedir = "/var/www:/var/lib/php/tmp_upload:/var/lib/php/sessions:/usr/share/phpmyadmin:/etc/phpmyadmin:/usr/share/php/php-php-gettext"
disable_functions = ini_set,php_uname,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abord,shell_exec,dl,set_time_limit,exec,system,highlight_file,source,show_source,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo,popen,curl_exec,curl_multi_exec,parse_ini_file,allow_url_fopen,allow_url_include,pcntl_exec,chgrp,chmod,chown,lchgrp,lchown,putenv
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 20M
max_file_uploads = 20
post_max_size = 20M
; 256K if no uploading files
max_input_vars = 100
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60
error_log = /var/www/php_error_log
upload_tmp_dir = /var/lib/php/tmp_upload
[Session]
session.save_handler = files
session.hash_function = sha512
session.bug_compat_42 = 0
session.bug_compat_warn = 0
session.save_path = "/var/lib/php/sessions"
session.use_strict_mode = 1
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = ToolzID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[CLI Server]
cli_server.color = On
[Date]
date.timezone = UTC
;date.default_latitude = 31.7667
;date.default_longitude = 35.2333
;date.sunrise_zenith = 90.583333
;date.sunset_zenith = 90.583333
[filter]
;filter.default = unsafe_raw
;filter.default_flags =
[intl]
;intl.default_locale =
; This directive allows you to produce PHP errors when some error
; happens within intl functions. The value is the level of the error produced.
; Default is 0, which does not produce any errors.
;intl.error_level = E_WARNING
;intl.use_exceptions = 0
[sqlite3]
;sqlite3.extension_dir =
[Pcre]
;PCRE library backtracking limit.
; http://php.net/pcre.backtrack-limit
;pcre.backtrack_limit=100000
;PCRE library recursion limit.
;Please note that if you set this value to a high number you may consume all
;the available process stack and eventually crash PHP (due to reaching the
;stack size limit imposed by the Operating System).
; http://php.net/pcre.recursion-limit
;pcre.recursion_limit=100000
;Enables or disables JIT compilation of patterns. This requires the PCRE
;library to be compiled with JIT support.
;pcre.jit=1
[Pdo]
; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
; http://php.net/pdo-odbc.connection-pooling
;pdo_odbc.connection_pooling=strict
;pdo_odbc.db2_instance_name
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
; http://php.net/phar.readonly
;phar.readonly = On
; http://php.net/phar.require-hash
;phar.require_hash = On
;phar.cache_list =
[mail function]
; For Win32 only.
; http://php.net/smtp
SMTP = localhost
; http://php.net/smtp-port
smtp_port = 25
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
; http://php.net/sendmail-path
;sendmail_path =
; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On
[SQL]
; http://php.net/sql.safe-mode
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQLi]
mysqli.max_persistent = -1
;mysqli.allow_local_infile = On
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[bcmath]
bcmath.scale = 0
[Assertion]
zend.assertions = -1
[Tidy]
;tidy.default_config = /usr/local/lib/php/default.tcfg
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/var/lib/php/soap_cache"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[ldap]
; Sets the maximum number of open links or -1 for unlimited.
ldap.max_links = -1
[opcache]
;opcache.enable=1
;opcache.enable_cli=0
;opcache.memory_consumption=128
;opcache.interned_strings_buffer=8
;opcache.max_accelerated_files=10000
;opcache.max_wasted_percentage=5
;opcache.use_cwd=1
;opcache.validate_timestamps=1
;opcache.revalidate_freq=2
;opcache.revalidate_path=0
;opcache.save_comments=1
;opcache.fast_shutdown=0
;opcache.enable_file_override=0
;opcache.optimization_level=0xffffffff
;opcache.inherited_hack=1
;opcache.dups_fix=0
;opcache.blacklist_filename=
;opcache.max_file_size=0
;opcache.consistency_checks=0
;opcache.force_restart_timeout=180
;opcache.error_log=
;opcache.log_verbosity_level=1
;opcache.preferred_memory_model=
;opcache.protect_memory=0
;opcache.restrict_api=
;opcache.mmap_base=
;opcache.file_cache=
;opcache.file_cache_only=0
;opcache.file_cache_consistency_checks=1
;opcache.file_cache_fallback=1
;opcache.huge_code_pages=1
;opcache.validate_permission=0
;opcache.validate_root=0
[curl]
;curl.cainfo =
[openssl]
;openssl.cafile=
;openssl.capath=
; Local Variables:
; tab-width: 4
; End:

@ -1,94 +0,0 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 2299
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers bobs chrisa robot git
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
#UseLogin no
#MaxStartups 10:30:60
DebianBanner no
Banner /etc/notice.txt
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

@ -1,45 +0,0 @@
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#
# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
net/ipv4/tcp/syncookies=1 # Enable syn flood protection
net/ipv4/conf/all/accept_source_route=0 # Ignore source-routed packets
net/ipv6/conf/all/accept_source_route=0 # IPv6 - Ignore ICMP redirects
net/ipv4/conf/default/accept_source_route=0 # Ignore source-routed packets
net/ipv6/conf/default/accept_source_route=0 # IPv6 - Ignore source-routed packets
net/ipv4/conf/all/secure_redirects=1 # Ignore ICMP redirects from non-GW hosts
net/ipv4/conf/default/secure_redirects=1 # Ignore ICMP redirects from non-GW hosts
net/ipv4/ip_forward=0 # Do not allow traffic between networks or act as a router
net/ipv6/conf/all/forwarding=0 # IPv6 - Do not allow traffic between networks or act as a router
net/ipv4/conf/all/send_redirects=0 # Don't allow traffic between networks or act as a router
net/ipv4/conf/default/send_redirects=0 # Don't allow traffic between networks or act as a router
net/ipv4/conf/all/rp_filter=1 # Reverse path filtering - IP spoofing protection
net/ipv4/conf/default/rp_filter=1 # Reverse path filtering - IP spoofing protection
net/ipv4/tcp_rfc1337=1 # Implement RFC 1337 fix
kernel/randomize_va_space=2 # Randomize addresses of mmap base, heap, stack and VDSO page
fs/protected_hardlinks=1 # Provide protection from ToCToU races
fs/protected_symlinks=1 # Provide protection from ToCToU races
kernel/kptr_restrict=1 # Make locating kernel addresses more difficult
kernel/perf_event_paranoid=2 # Set perf only available to root

@ -1,9 +0,0 @@
#!/bin/bash
sudo apt update
sudo apt -y install software-properties-common
sudo add-apt-repository -y ppa:projectatomic/ppa
sudo apt update
sudo apt -y install podman
sudo mkdir -p /etc/containers
sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json