Compare commits
8 commits
8eca961a57
...
caaf44cfd9
Author | SHA1 | Date | |
---|---|---|---|
Julien Oculi | caaf44cfd9 | ||
Julien Oculi | b1f2ebaaa1 | ||
Julien Oculi | 764974bd6e | ||
Julien Oculi | d176825393 | ||
Julien Oculi | 4240f764cb | ||
Julien Oculi | 5b26a1055a | ||
Julien Oculi | 272fdcca19 | ||
Julien Oculi | aaabd915f5 |
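--- a/caddy/_deploy.sh
+++ b/caddy/_deploy.sh
@@ -0,0 +1,11 @@
+# Setup caddy config
+mkdir /etc/caddy
+cp -R ./caddy/* /etc/caddy
+
+# Setup caddy service
+cp ./caddy/systemd/caddy.service /etc/systemd/system
+
+# Start caddy
+systemctl deamon-reload
+systemctl enable caddy
+systemctl start caddy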
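Review bot: `systemctl deamon-reload` is a typo for `daemon-reload`; systemctl rejects the unknown verb, so the unit copied to /etc/systemd/system on the line above is not reloaded before `systemctl enable caddy` and `systemctl start caddy` run. website/_deploy.sh has the same typo. Because deploy.sh only looks at the exit status of the sourced script's last command, the error is printed but the run can still report "Deploy done"; the fix is `systemctl daemon-reload` in both files. `mkdir /etc/caddy` also fails on any second run once the directory exists; `mkdir -p /etc/caddy` keeps the script re-runnable.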
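--- a/caddy/_install.sh
+++ b/caddy/_install.sh
@@ -0,0 +1,9 @@
+# Install prerequistes
+nala install -y debian-keyring debian-archive-keyring apt-transport-https curl
+
+# Install sources and keys
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+
+# Install caddy
+nala install -y caddy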
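Review bot: The two `curl … |` pipelines that install the signing key and the apt source are never checked: without `set -o pipefail` a failed or truncated download still lets `gpg --dearmor` and `tee` write whatever arrived, and `nala install -y caddy` then trusts a keyring nobody has looked at. Suggest `set -euo pipefail` at the top (these scripts are `source`d from install.sh, so the options would apply there too — or run them instead of sourcing them) and, after dearmoring, comparing the key's fingerprint from `gpg --show-keys` against the one Caddy publishes before the source list is written. The second pipeline also uses `sudo tee` while every other command in this series assumes it already runs as root; pick one convention. `# Install prerequistes` → `prerequisites`.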
@ -23,8 +23,8 @@ Requires=network-online.target
Type=notify
Type=notify
User=caddy
User=caddy
Group=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNOFILE=1048576
PrivateTmp=true
PrivateTmp=true
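Review bot: Both `ExecStart` variants in this hunk keep `--environ`, which makes caddy print its entire process environment to the journal at startup; if secrets are ever handed to this unit through `Environment=`/`EnvironmentFile=`, they become readable by anyone who can read the journal. Consider dropping the flag once the binary path is settled, i.e. `ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile`. This section's file header is not visible on the page, so the file is presumably the caddy/systemd/caddy.service referenced by caddy/_deploy.sh; its `[Unit]` and `[Install]` parts lie outside the hunk.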
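--- a/deploy.sh
+++ b/deploy.sh
@@ -0,0 +1,14 @@
+APPS=$@
+
+if [[ $1 == "*" && $# -eq 1 ]]; then
+APPS=$(ls .)
+fi
+
+for app in "$APPS"
+do
+echo "[server_config] > Deploying: $app"
+
+source "./$app/_deploy.sh" \
+&& echo "[server_config] > Deploy done" \
+|| echo "[server_config] > Deploy failed"
+done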
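Review bot: `for app in "$APPS"` iterates exactly once with the whole list as a single word, because `APPS=$@` flattens the arguments into one string and the quotes then prevent splitting; `deploy.sh caddy website` tries to source `./caddy website/_deploy.sh` and fails. install.sh has the identical loop. `APPS=$(ls .)` additionally picks up deploy.sh, install.sh and any other file at the root, each producing a "Deploy failed" line, and because every `_deploy.sh` is `source`d into this shell a `cd` inside one of them (website/_deploy.sh does this) changes the working directory for every app that follows. An array, a `*/` glob for the directories-only case and a subshell around the `source` address all three; note that a literal `*` only reaches `$1` when the caller quotes it, otherwise the shell has already expanded it.
```shell
APPS=("$@")
if [[ $# -eq 1 && $1 == "*" ]]; then
  APPS=(*/)   # directories only; the trailing slash is stripped in the loop
fi

for app in "${APPS[@]}"; do
  app=${app%/}
  echo "[server_config] > Deploying: $app"
  # subshell: a cd or exit inside an app script must not affect the next app
  if ( source "./$app/_deploy.sh" ); then
    echo "[server_config] > Deploy done"
  else
    echo "[server_config] > Deploy failed"
  fi
done
```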
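--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,14 @@
+APPS=$@
+
+if [[ $1 == "*" && $# -eq 1 ]]; then
+APPS=$(ls .)
+fi
+
+for app in "$APPS"
+do
+echo "[server_config] > Installing: $app"
+
+source "./$app/_install.sh" \
+&& echo "[server_config] > Install done" \
+|| echo "[server_config] > Install failed"
+done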
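--- a/iptables/_deploy.sh
+++ b/iptables/_deploy.sh
@@ -0,0 +1,2 @@
+iptables -F
+source ./iptables/rules.sh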
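Review bot: `source ./iptables/rules.sh` points at a file this change adds as iptables/iptables/rules.sh, so assuming deploy.sh is run from the repository root (its `./$app/_deploy.sh` paths suggest that) the source fails right after `iptables -F` has already flushed every chain. On a first run that leaves the host with no filtering at all (default policies are ACCEPT); on a re-run after rules.sh has previously set the INPUT/OUTPUT policies to DROP, `-F` keeps those policies with no accept rules and cuts off the SSH session running the deploy. Either fix the path (`source ./iptables/iptables/rules.sh`) or move the file, and prefer loading the ruleset atomically with `iptables-restore` over `-F` followed by individual `-A` calls. `-F` also does not remove user-defined chains, so `iptables -N f2b-sshd` in rules.sh errors on every second run unless `iptables -X` precedes it, and nothing here persists the rules across a reboot (e.g. `iptables-save` into the file the iptables-persistent package restores from).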
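--- a/iptables/_install.sh
+++ b/iptables/_install.sh
@@ -0,0 +1 @@
+nala install iptables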
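Review bot: `nala install iptables` is missing the `-y` that caddy/_install.sh passes, so, as far as I know nala's defaults, it stops at its confirmation prompt and an unattended `install.sh '*'` run hangs there. One-line fix: `nala install -y iptables`.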
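--- a/iptables/iptables/rules.sh
+++ b/iptables/iptables/rules.sh
@@ -0,0 +1,29 @@
+# General rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Fail2Ban
+iptables -N f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+iptables -A INPUT -p tcp -m multiport --dports 55555 -j f2b-sshd
+
+# LoopBack
+iptables -A INPUT -i lo -j ACCEPT
+
+# Keep Opened connection
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Anti DDOS
+iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
+
+# SSH
+iptables -A INPUT -p tcp -m tcp --dport 55555 -j ACCEPT
+
+# Main proxy
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
+iptables -A INPUT -p udp --dport 443 -j ACCEPT # QUIC
+
+# Fail2Ban -Return-
+iptables -A f2b-sshd -j RETURN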
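Review bot: `iptables -P OUTPUT DROP` is set with no OUTPUT rule anywhere in the file, so once this script has run the host cannot send a single packet: replies to the inbound SSH, HTTP and HTTPS connections the INPUT rules admit are dropped, as are DNS, apt/nala, `git pull` and caddy's certificate requests. The three policies are also set before any accept rule exists, so the SSH session issuing these commands has no allow rule while the rest of the file runs; setting the policies last (or applying the whole set through `iptables-restore`) closes that gap. Nothing here touches ip6tables, so if the host has a public IPv6 address it stays fully open; mirroring the rules with `ip6tables` (plus ICMPv6) or disabling IPv6 explicitly would make the two stacks consistent. The loopback rule has the same asymmetry (INPUT `-i lo` only).
```shell
# General rules: default policies are set at the end, after the accept rules exist

# … unchanged: Fail2Ban, LoopBack, Keep Opened connection, Anti DDOS, SSH, Main proxy, Fail2Ban -Return- …

# Outbound: without these, OUTPUT DROP also discards replies to the inbound connections accepted above
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New outbound connections the host itself needs (DNS, apt/git over HTTPS, ACME for caddy)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
```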
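--- a/website/_deploy.sh
+++ b/website/_deploy.sh
@@ -0,0 +1,11 @@
+# Pull website sources
+cd /srv/www
+git pull origin main
+
+# Setup website service
+cp /srv/www/website.service /etc/systemd/system
+
+# Start website
+systemctl deamon-reload
+systemctl enable website
+systemctl start website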
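Review bot: `cd /srv/www` is not checked, and because this script is `source`d from deploy.sh a failure leaves `git pull origin main` running in whatever directory deploy.sh was started from (and on success leaves deploy.sh itself in /srv/www for any app that follows); `cd /srv/www || return 1` guards it. The unit installed by `cp /srv/www/website.service /etc/systemd/system` comes straight from the pulled branch, so anyone who can push to `main` of that repository decides the `User=` and `ExecStart=` this host installs and starts as root; pinning the pull to a tag or a verified commit (`git verify-commit`), or keeping the unit file in this config repository the way caddy's is, would narrow that. `systemctl deamon-reload` has the same typo as caddy/_deploy.sh.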
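--- a/website/_install.sh
+++ b/website/_install.sh
@@ -0,0 +1,17 @@
+# Install deno
+curl -fsSL https://deno.land/install.sh | DENO_INSTALL=/usr/local sh
+
+# Create group and user
+groupadd --system deno
+
+useradd --system \
+--gid deno
+--create-home \
+--home-dir /var/lib/deno \
+--shell /usr/sbin/nologin \
+--comment "Deno js engine" \
+deno
+
+# Clone website repo
+mkdir -p /srv/www
+git clone -b main --depth 1 https://git.cohabit.fr/cohabit/website.git /srv/www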
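Review bot: The `useradd --system \` command ends at `--gid deno` because that line has no trailing backslash, so useradd runs without a login name and fails, and the shell then tries to execute `--create-home --home-dir /var/lib/deno --shell /usr/sbin/nologin --comment "Deno js engine" deno` as a command of its own; the deno user is never created. Adding the continuation, `--gid deno \`, fixes it. `curl -fsSL https://deno.land/install.sh | DENO_INSTALL=/usr/local sh` executes a remote script as root with no pinned version or checksum; downloading the installer to a file, pinning the deno release and recording the expected hash would make the step reproducible and auditable. The `git clone` here and the `git pull` in website/_deploy.sh both run as root into /srv/www, so the checkout is root-owned; cloning as the `deno` user this script creates would be the least-privilege option.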