From b3e5d25d0b5bb4f84432f21816bc7800c74e8d51 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Fri, 17 Sep 2021 07:13:57 +0200 Subject: [PATCH] daily autocommit --- .etckeeper | 14 +- apache2/apache2.conf | 6 + apache2/apache2.conf.dpkg-dist | 227 ---------------- .../default-ssl.conf.dpkg-dist | 134 ---------- bind/named.conf.default-zones | 2 +- bind/named.conf.options | 6 +- ca-certificates.conf.dpkg-old | 248 ------------------ default/slapd | 2 +- dhcpcd.conf | 10 +- dhcpcd.conf.dpkg-dist | 41 --- logrotate.conf | 5 +- logrotate.d/.from-pkg/2021-02-03/apache2 | 20 ++ logrotate.d/.from-pkg/2021-02-03/chrony | 8 + logrotate.d/.from-pkg/2021-02-03/dpkg | 9 + logrotate.d/.from-pkg/2021-02-03/rsyslog | 37 +++ logrotate.d/.from-pkg/2021-02-03/ulogd2 | 14 + logrotate.d/.from-pkg/2021-09-15/apache2 | 20 ++ logrotate.d/.from-pkg/2021-09-15/fail2ban | 19 ++ .../.from-pkg/2021-09-15/logrotate.conf | 23 ++ logrotate.d/.from-pkg/2021-09-15/rsyslog | 25 ++ logrotate.d/apache2 | 16 +- network/interfaces | 9 +- 22 files changed, 219 insertions(+), 676 deletions(-) delete mode 100644 apache2/apache2.conf.dpkg-dist delete mode 100644 apache2/sites-available/default-ssl.conf.dpkg-dist delete mode 100644 ca-certificates.conf.dpkg-old delete mode 100644 dhcpcd.conf.dpkg-dist create mode 100644 logrotate.d/.from-pkg/2021-02-03/apache2 create mode 100644 logrotate.d/.from-pkg/2021-02-03/chrony create mode 100644 logrotate.d/.from-pkg/2021-02-03/dpkg create mode 100644 logrotate.d/.from-pkg/2021-02-03/rsyslog create mode 100644 logrotate.d/.from-pkg/2021-02-03/ulogd2 create mode 100644 logrotate.d/.from-pkg/2021-09-15/apache2 create mode 100644 logrotate.d/.from-pkg/2021-09-15/fail2ban create mode 100644 logrotate.d/.from-pkg/2021-09-15/logrotate.conf create mode 100644 logrotate.d/.from-pkg/2021-09-15/rsyslog diff --git a/.etckeeper b/.etckeeper index ba6fe66..a13c1ad 100755 --- a/.etckeeper +++ b/.etckeeper 
@@ -68,7 +68,6 @@ maybe chmod 0755 'alternatives'
 maybe chmod 0644 'alternatives/README'
 maybe chmod 0755 'apache2'
 maybe chmod 0644 'apache2/apache2.conf'
-maybe chmod 0644 'apache2/apache2.conf.dpkg-dist'
 maybe chmod 0755 'apache2/conf-available'
 maybe chmod 0644 'apache2/conf-available/charset.conf'
 maybe chmod 0644 'apache2/conf-available/custom-log.conf'
@@ -235,7 +234,6 @@ maybe chmod 0644 'apache2/sites-available/000-default-ssl.conf'
 maybe chmod 0644 'apache2/sites-available/000-default.conf'
 maybe chmod 0644 'apache2/sites-available/default-include.conf'
 maybe chmod 0644 'apache2/sites-available/default-ssl.conf'
-maybe chmod 0644 'apache2/sites-available/default-ssl.conf.dpkg-dist'
 maybe chmod 0644 'apache2/sites-available/gitweb-le-ssl.conf'
 maybe chmod 0644 'apache2/sites-available/gitweb.conf'
 maybe chmod 0755 'apache2/sites-enabled'
@@ -363,7 +361,6 @@ maybe chmod 0644 'bindresvport.blacklist'
 maybe chmod 0755 'binfmt.d'
 maybe chmod 0755 'ca-certificates'
 maybe chmod 0644 'ca-certificates.conf'
-maybe chmod 0644 'ca-certificates.conf.dpkg-old'
 maybe chmod 0755 'ca-certificates/update.d'
 maybe chmod 0755 'calendar'
 maybe chmod 0644 'calendar/default'
@@ -486,7 +483,6 @@ maybe chmod 0755 'dhcp/dhclient-exit-hooks.d'
 maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/chrony'
 maybe chmod 0644 'dhcpcd.conf'
 maybe chmod 0644 'dhcpcd.conf.bak'
-maybe chmod 0644 'dhcpcd.conf.dpkg-dist'
 maybe chmod 0644 'dhcpcd.duid'
 maybe chmod 0400 'dhcpcd.secret'
 maybe chmod 0755 'dictionaries-common'
@@ -1394,6 +1390,16 @@ maybe chmod 0644 'logrotate.conf'
 maybe chmod 0755 'logrotate.d'
 maybe chmod 0755 'logrotate.d/.from-pkg'
 maybe chmod 0755 'logrotate.d/.from-pkg/2021-02-03'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-02-03/apache2'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-02-03/chrony'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-02-03/dpkg'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-02-03/rsyslog'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-02-03/ulogd2'
+maybe chmod 0755 'logrotate.d/.from-pkg/2021-09-15'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-09-15/apache2'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-09-15/fail2ban'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-09-15/logrotate.conf'
+maybe chmod 0644 'logrotate.d/.from-pkg/2021-09-15/rsyslog'
 maybe chmod 0644 'logrotate.d/alternatives'
 maybe chmod 0644 'logrotate.d/apache2'
 maybe chmod 0644 'logrotate.d/apt'
diff --git a/apache2/apache2.conf b/apache2/apache2.conf
index 2047dc1..97f5bd1 100644
--- a/apache2/apache2.conf
+++ b/apache2/apache2.conf
@@ -73,6 +73,12 @@ # Mutex file:${APACHE_LOCK_DIR} default +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} + # # PidFile: The file in which the server should record its process # identification number when it starts.
diff --git a/apache2/apache2.conf.dpkg-dist b/apache2/apache2.conf.dpkg-dist
deleted file mode 100644
index ae4b2c3..0000000
--- a/apache2/apache2.conf.dpkg-dist
+++ /dev/null
@@ -1,227 +0,0 @@ -# This is the main Apache server configuration file. It contains the -# configuration directives that give the server its instructions. -# See http://httpd.apache.org/docs/2.4/ for detailed information about -# the directives and /usr/share/doc/apache2/README.Debian about Debian specific -# hints. -# -# -# Summary of how the Apache 2 configuration works in Debian: -# The Apache 2 web server configuration in Debian is quite different to -# upstream's suggested way to configure the web server. This is because Debian's -# default Apache2 installation attempts to make adding and removing modules, -# virtual hosts, and extra configuration directives as flexible as possible, in -# order to make automating the changes and administering the server as easy as -# possible. - -# It is split into several files forming the configuration hierarchy outlined -# below, all located in the /etc/apache2/ directory: -# -# /etc/apache2/ -# |-- apache2.conf -# | `-- ports.conf -# |-- mods-enabled -# | |-- *.load -# | `-- *.conf -# |-- conf-enabled -# | `-- *.conf -# `-- sites-enabled -# `-- *.conf -# -# -# * apache2.conf is the main configuration file (this file). It puts the pieces -# together by including all remaining configuration files when starting up the -# web server. -# -# * ports.conf is always included from the main configuration file. It is -# supposed to determine listening ports for incoming connections which can be -# customized anytime. -# -# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ -# directories contain particular configuration snippets which manage modules, -# global configuration fragments, or virtual host configurations, -# respectively. -# -# They are activated by symlinking available configuration files from their -# respective *-available/ counterparts. These should be managed by using our -# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See -# their respective man pages for detailed information. -# -# * The binary is called apache2. Due to the use of environment variables, in -# the default configuration, apache2 needs to be started/stopped with -# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not -# work with the default configuration. - - -# Global configuration -# - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# NOTE! If you intend to place this on an NFS (or otherwise network) -# mounted filesystem then please read the Mutex documentation (available -# at ); -# you will save yourself a lot of trouble. -# -# Do NOT add a slash at the end of the directory path. -# -#ServerRoot "/etc/apache2" - -# -# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -# -#Mutex file:${APACHE_LOCK_DIR} default - -# -# The directory where shm and other runtime files will be stored. -# - -DefaultRuntimeDir ${APACHE_RUN_DIR} - -# -# PidFile: The file in which the server should record its process -# identification number when it starts. -# This needs to be set in /etc/apache2/envvars -# -PidFile ${APACHE_PID_FILE} - -# -# Timeout: The number of seconds before receives and sends time out. -# -Timeout 300 - -# -# KeepAlive: Whether or not to allow persistent connections (more than -# one request per connection). Set to "Off" to deactivate. -# -KeepAlive On - -# -# MaxKeepAliveRequests: The maximum number of requests to allow -# during a persistent connection. Set to 0 to allow an unlimited amount. -# We recommend you leave this number high, for maximum performance. -# -MaxKeepAliveRequests 100 - -# -# KeepAliveTimeout: Number of seconds to wait for the next request from the -# same client on the same connection. 
-# -KeepAliveTimeout 5 - - -# These need to be set in /etc/apache2/envvars -User ${APACHE_RUN_USER} -Group ${APACHE_RUN_GROUP} - -# -# HostnameLookups: Log the names of clients or just their IP addresses -# e.g., www.apache.org (on) or 204.62.129.132 (off). -# The default is off because it'd be overall better for the net if people -# had to knowingly turn this feature on, since enabling it means that -# each client request will result in AT LEAST one lookup request to the -# nameserver. -# -HostnameLookups Off - -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog ${APACHE_LOG_DIR}/error.log - -# -# LogLevel: Control the severity of messages logged to the error_log. -# Available values: trace8, ..., trace1, debug, info, notice, warn, -# error, crit, alert, emerg. -# It is also possible to configure the log level for particular modules, e.g. -# "LogLevel info ssl:warn" -# -LogLevel warn - -# Include module configuration: -IncludeOptional mods-enabled/*.load -IncludeOptional mods-enabled/*.conf - -# Include list of ports to listen on -Include ports.conf - - -# Sets the default security model of the Apache2 HTTPD server. It does -# not allow access to the root filesystem outside of /usr/share and /var/www. -# The former is used by web applications packaged in Debian, -# the latter may be used for local directories served by the web server. If -# your system is serving content from a sub-directory in /srv you must allow -# access here, or in any related virtual host. 
- - Options FollowSymLinks - AllowOverride None - Require all denied - - - - AllowOverride None - Require all granted - - - - Options Indexes FollowSymLinks - AllowOverride None - Require all granted - - -# -# Options Indexes FollowSymLinks -# AllowOverride None -# Require all granted -# - - - - -# AccessFileName: The name of the file to look for in each directory -# for additional configuration directives. See also the AllowOverride -# directive. -# -AccessFileName .htaccess - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - - -# -# The following directives define some format nicknames for use with -# a CustomLog directive. -# -# These deviate from the Common Log Format definitions in that they use %O -# (the actual bytes sent including headers) instead of %b (the size of the -# requested file), because the latter makes it impossible to detect partial -# requests. -# -# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. -# Use mod_remoteip instead. -# -LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined -LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined -LogFormat "%h %l %u %t \"%r\" %>s %O" common -LogFormat "%{Referer}i -> %U" referer -LogFormat "%{User-agent}i" agent - -# Include of directories ignores editors' and dpkg's backup files, -# see README.Debian for details. - -# Include generic snippets of statements -IncludeOptional conf-enabled/*.conf - -# Include the virtual host configurations: -IncludeOptional sites-enabled/*.conf - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/sites-available/default-ssl.conf.dpkg-dist b/apache2/sites-available/default-ssl.conf.dpkg-dist deleted file mode 100644 index 7e37a9c..0000000 --- a/apache2/sites-available/default-ssl.conf.dpkg-dist +++ /dev/null 
@@ -1,134 +0,0 @@ - - - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/html - - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. 
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. 
- # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - # BrowserMatch "MSIE [2-6]" \ - # nokeepalive ssl-unclean-shutdown \ - # downgrade-1.0 force-response-1.0 - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/bind/named.conf.default-zones b/bind/named.conf.default-zones index 952ae71..71b56c8 100644 --- a/bind/named.conf.default-zones +++ b/bind/named.conf.default-zones @@ -9,7 +9,7 @@ // prime the server with knowledge of the root servers zone "." { type hint; - file "/etc/bind/db.root"; + file "/usr/share/dns/root.hints"; }; // be authoritative for the localhost forward and reverse zones, and for diff --git a/bind/named.conf.options b/bind/named.conf.options index 1250674..fdd93b4 100644 --- a/bind/named.conf.options +++ b/bind/named.conf.options @@ -18,9 +18,9 @@ options { // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { diff --git a/ca-certificates.conf.dpkg-old b/ca-certificates.conf.dpkg-old deleted file mode 100644 index 786d9c7..0000000 --- a/ca-certificates.conf.dpkg-old +++ /dev/null 
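Review bot: In the bind/named.conf.default-zones hunk, the hint zone for `.` now reads `/usr/share/dns/root.hints`, a path outside /etc that this repository does not track, so later changes to the root hints will no longer appear in the etckeeper history. The file is supplied by a separate package (on Debian presumably dns-root-data), and its integrity then rests on package verification rather than on this repository. A one-line comment above the `file` statement would record the dependency, for example `// root hints are shipped by dns-root-data; check with dpkg --verify dns-root-data`. The `zone "."` block lies entirely inside the hunk.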
@@ -1,248 +0,0 @@ -# This file lists certificates that you wish to use or to ignore to be -# installed in /etc/ssl/certs. -# update-ca-certificates(8) will update /etc/ssl/certs by reading this file. -# -# This is autogenerated by dpkg-reconfigure ca-certificates. -# Certificates should be installed under /usr/share/ca-certificates -# and files with extension '.crt' is recognized as available certs. -# -# line begins with # is comment. -# line begins with ! is certificate filename to be deselected. -# -mozilla/ACCVRAIZ1.crt -!mozilla/ACEDICOM_Root.crt -!mozilla/AC_Raíz_Certicámara_S.A..crt -mozilla/Actalis_Authentication_Root_CA.crt -!mozilla/AddTrust_External_Root.crt -!mozilla/AddTrust_Low-Value_Services_Root.crt -!mozilla/AddTrust_Public_Services_Root.crt -!mozilla/AddTrust_Qualified_Certificates_Root.crt -mozilla/AffirmTrust_Commercial.crt -mozilla/AffirmTrust_Networking.crt -mozilla/AffirmTrust_Premium.crt -mozilla/AffirmTrust_Premium_ECC.crt -!mozilla/America_Online_Root_Certification_Authority_1.crt -!mozilla/America_Online_Root_Certification_Authority_2.crt -!mozilla/ApplicationCA_-_Japanese_Government.crt -mozilla/Atos_TrustedRoot_2011.crt -!mozilla/A-Trust-nQual-03.crt -mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt -mozilla/Baltimore_CyberTrust_Root.crt -!mozilla/Buypass_Class_2_CA_1.crt -mozilla/Buypass_Class_2_Root_CA.crt -!mozilla/Buypass_Class_3_CA_1.crt -mozilla/Buypass_Class_3_Root_CA.crt -!mozilla/CA_Disig.crt -!mozilla/CA_Disig_Root_R1.crt -mozilla/CA_Disig_Root_R2.crt -!mozilla/Camerfirma_Chambers_of_Commerce_Root.crt -!mozilla/Camerfirma_Global_Chambersign_Root.crt -mozilla/Certigna.crt -!mozilla/Certinomis_-_Autorité_Racine.crt -!mozilla/Certplus_Class_2_Primary_CA.crt -mozilla/certSIGN_ROOT_CA.crt -!mozilla/Certum_Root_CA.crt -mozilla/Certum_Trusted_Network_CA.crt -mozilla/Chambers_of_Commerce_Root_-_2008.crt -!mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt -!mozilla/CNNIC_ROOT.crt 
-mozilla/Comodo_AAA_Services_root.crt -mozilla/COMODO_Certification_Authority.crt -mozilla/COMODO_ECC_Certification_Authority.crt -!mozilla/Comodo_Secure_Services_root.crt -!mozilla/Comodo_Trusted_Services_root.crt -!mozilla/ComSign_CA.crt -!mozilla/ComSign_Secured_CA.crt -mozilla/Cybertrust_Global_Root.crt -!mozilla/Deutsche_Telekom_Root_CA_2.crt -mozilla/DigiCert_Assured_ID_Root_CA.crt -mozilla/DigiCert_Assured_ID_Root_G2.crt -mozilla/DigiCert_Assured_ID_Root_G3.crt -mozilla/DigiCert_Global_Root_CA.crt -mozilla/DigiCert_Global_Root_G2.crt -mozilla/DigiCert_Global_Root_G3.crt -mozilla/DigiCert_High_Assurance_EV_Root_CA.crt -mozilla/DigiCert_Trusted_Root_G4.crt -!mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt -!mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt -!mozilla/DST_ACES_CA_X6.crt -mozilla/DST_Root_CA_X3.crt -mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt -mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt -!mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt -mozilla/EC-ACC.crt -mozilla/EE_Certification_Centre_Root_CA.crt -!mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt -mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt -mozilla/Entrust_Root_Certification_Authority.crt -mozilla/ePKI_Root_Certification_Authority.crt -!mozilla/Equifax_Secure_CA.crt -!mozilla/Equifax_Secure_eBusiness_CA_1.crt -!mozilla/Equifax_Secure_Global_eBusiness_CA.crt -mozilla/E-Tugra_Certification_Authority.crt -!mozilla/GeoTrust_Global_CA_2.crt -!mozilla/GeoTrust_Global_CA.crt -!mozilla/GeoTrust_Primary_Certification_Authority.crt -!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt -!mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt -mozilla/GeoTrust_Universal_CA_2.crt -!mozilla/GeoTrust_Universal_CA.crt -mozilla/Global_Chambersign_Root_-_2008.crt -mozilla/GlobalSign_Root_CA.crt -mozilla/GlobalSign_Root_CA_-_R2.crt -mozilla/GlobalSign_Root_CA_-_R3.crt -mozilla/Go_Daddy_Class_2_CA.crt -mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt 
-!mozilla/GTE_CyberTrust_Global_Root.crt -mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt -mozilla/Hongkong_Post_Root_CA_1.crt -!mozilla/IGC_A.crt -mozilla/Izenpe.com.crt -!mozilla/Juur-SK.crt -mozilla/Microsec_e-Szigno_Root_CA_2009.crt -!mozilla/Microsec_e-Szigno_Root_CA.crt -mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt -!mozilla/NetLock_Business_=Class_B=_Root.crt -!mozilla/NetLock_Express_=Class_C=_Root.crt -!mozilla/NetLock_Notary_=Class_A=_Root.crt -!mozilla/NetLock_Qualified_=Class_QA=_Root.crt -mozilla/Network_Solutions_Certificate_Authority.crt -mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt -!mozilla/PSCProcert.crt -mozilla/QuoVadis_Root_CA_1_G3.crt -mozilla/QuoVadis_Root_CA_2.crt -mozilla/QuoVadis_Root_CA_2_G3.crt -mozilla/QuoVadis_Root_CA_3.crt -mozilla/QuoVadis_Root_CA_3_G3.crt -mozilla/QuoVadis_Root_CA.crt -!mozilla/Root_CA_Generalitat_Valenciana.crt -!mozilla/RSA_Security_2048_v3.crt -mozilla/Secure_Global_CA.crt -mozilla/SecureSign_RootCA11.crt -mozilla/SecureTrust_CA.crt -!mozilla/Security_Communication_EV_RootCA1.crt -mozilla/Security_Communication_RootCA2.crt -mozilla/Security_Communication_Root_CA.crt -!mozilla/SG_TRUST_SERVICES_RACINE.crt -!mozilla/Sonera_Class_1_Root_CA.crt -mozilla/Sonera_Class_2_Root_CA.crt -!mozilla/Staat_der_Nederlanden_Root_CA.crt -mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt -mozilla/Starfield_Class_2_CA.crt -mozilla/Starfield_Root_Certificate_Authority_-_G2.crt -mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt -!mozilla/StartCom_Certification_Authority_2.crt -!mozilla/StartCom_Certification_Authority.crt -!mozilla/StartCom_Certification_Authority_G2.crt -!mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt -!mozilla/Swisscom_Root_CA_1.crt -!mozilla/Swisscom_Root_CA_2.crt -!mozilla/Swisscom_Root_EV_CA_2.crt -mozilla/SwissSign_Gold_CA_-_G2.crt -!mozilla/SwissSign_Platinum_CA_-_G2.crt -mozilla/SwissSign_Silver_CA_-_G2.crt -mozilla/Taiwan_GRCA.crt 
-!mozilla/TC_TrustCenter_Class_2_CA_II.crt -!mozilla/TC_TrustCenter_Class_3_CA_II.crt -!mozilla/TC_TrustCenter_Universal_CA_I.crt -mozilla/TeliaSonera_Root_CA_v1.crt -!mozilla/Thawte_Premium_Server_CA.crt -!mozilla/thawte_Primary_Root_CA.crt -!mozilla/thawte_Primary_Root_CA_-_G2.crt -!mozilla/thawte_Primary_Root_CA_-_G3.crt -!mozilla/Thawte_Server_CA.crt -mozilla/Trustis_FPS_Root_CA.crt -mozilla/T-TeleSec_GlobalRoot_Class_2.crt -mozilla/T-TeleSec_GlobalRoot_Class_3.crt -!mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt -!mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt -!mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt -!mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt -mozilla/TWCA_Global_Root_CA.crt -mozilla/TWCA_Root_Certification_Authority.crt -!mozilla/UTN_DATACorp_SGC_Root_CA.crt -!mozilla/UTN_USERFirst_Email_Root_CA.crt -!mozilla/UTN_USERFirst_Hardware_Root_CA.crt -!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt -!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt -!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt -!mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt -!mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt -!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt -!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt -!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt -mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt -!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt -!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -!mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt -!mozilla/VeriSign_Universal_Root_Certification_Authority.crt -!mozilla/Visa_eCommerce_Root.crt -!mozilla/WellsSecure_Public_Root_Certificate_Authority.crt 
-!mozilla/WoSign_China.crt -!mozilla/WoSign.crt -mozilla/XRamp_Global_CA_Root.crt -!spi-inc.org/spi-cacert-2008.crt -!mozilla/CA_WoSign_ECC_Root.crt -!mozilla/Certification_Authority_of_WoSign_G2.crt -!mozilla/Certinomis_-_Root_CA.crt -mozilla/CFCA_EV_ROOT.crt -mozilla/COMODO_RSA_Certification_Authority.crt -mozilla/Entrust_Root_Certification_Authority_-_EC1.crt -mozilla/Entrust_Root_Certification_Authority_-_G2.crt -mozilla/GlobalSign_ECC_Root_CA_-_R4.crt -mozilla/GlobalSign_ECC_Root_CA_-_R5.crt -mozilla/IdenTrust_Commercial_Root_CA_1.crt -mozilla/IdenTrust_Public_Sector_Root_CA_1.crt -mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt -mozilla/Staat_der_Nederlanden_EV_Root_CA.crt -mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt -!mozilla/S-TRUST_Universal_Root_CA.crt -!mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt -!mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt -mozilla/USERTrust_ECC_Certification_Authority.crt -mozilla/USERTrust_RSA_Certification_Authority.crt -!mozilla/Certplus_Root_CA_G1.crt -!mozilla/Certplus_Root_CA_G2.crt -mozilla/Certum_Trusted_Network_CA_2.crt -mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt -mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt -mozilla/ISRG_Root_X1.crt -!mozilla/OpenTrust_Root_CA_G1.crt -!mozilla/OpenTrust_Root_CA_G2.crt -!mozilla/OpenTrust_Root_CA_G3.crt -mozilla/SZAFIR_ROOT_CA2.crt -mozilla/AC_RAIZ_FNMT-RCM.crt -mozilla/Amazon_Root_CA_1.crt -mozilla/Amazon_Root_CA_2.crt -mozilla/Amazon_Root_CA_3.crt -mozilla/Amazon_Root_CA_4.crt -!mozilla/D-TRUST_Root_CA_3_2013.crt -mozilla/GDCA_TrustAUTH_R5_ROOT.crt -mozilla/LuxTrust_Global_Root_2.crt -mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt -mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt -mozilla/SSL.com_Root_Certification_Authority_ECC.crt -mozilla/SSL.com_Root_Certification_Authority_RSA.crt -!mozilla/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt 
-!mozilla/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt -!mozilla/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt -!mozilla/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt -mozilla/TrustCor_ECA-1.crt -mozilla/TrustCor_RootCert_CA-1.crt -mozilla/TrustCor_RootCert_CA-2.crt -mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt -mozilla/GlobalSign_Root_CA_-_R6.crt -mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt -mozilla/Certigna_Root_CA.crt -mozilla/emSign_ECC_Root_CA_-_C3.crt -mozilla/emSign_ECC_Root_CA_-_G3.crt -mozilla/emSign_Root_CA_-_C1.crt -mozilla/emSign_Root_CA_-_G1.crt -mozilla/Entrust_Root_Certification_Authority_-_G4.crt -mozilla/GTS_Root_R1.crt -mozilla/GTS_Root_R2.crt -mozilla/GTS_Root_R3.crt -mozilla/GTS_Root_R4.crt -mozilla/Hongkong_Post_Root_CA_3.crt -mozilla/UCA_Extended_Validation_Root.crt -mozilla/UCA_Global_G2_Root.crt diff --git a/default/slapd b/default/slapd index 3b257d9..8b94c32 100644 --- a/default/slapd +++ b/default/slapd @@ -12,7 +12,7 @@ SLAPD_USER="openldap" SLAPD_GROUP="openldap" # Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by # default) SLAPD_PIDFILE= diff --git a/dhcpcd.conf b/dhcpcd.conf index 5d0c447..c8fa2dc 100644 --- a/dhcpcd.conf +++ b/dhcpcd.conf 
@@ -31,17 +31,19 @@ option rapid_commit # A list of options to request from the DHCP server. option domain_name_servers, domain_name, domain_search, host_name option classless_static_routes -# Most distributions have NTP support. -option ntp_servers # Respect the network MTU. This is applied to DHCP routes. option interface_mtu +# Most distributions have NTP support. +option ntp_servers + # A ServerID is required by RFC2131. require dhcp_server_identifier -# Generate Stable Private IPv6 Addresses instead of hardware based ones -#slaac private +# Generate SLAAC address using the Hardware Address of the interface slaac hwaddr +# OR generate Stable Private IPv6 Addresses based from the DUID +#slaac private # A hook script is provided to lookup the hostname if not set by the DHCP # server, but it should not be run by default. diff --git a/dhcpcd.conf.dpkg-dist b/dhcpcd.conf.dpkg-dist deleted file mode 100644 index 537ed77..0000000 --- a/dhcpcd.conf.dpkg-dist +++ /dev/null 
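Review bot: `slaac hwaddr` stays active on the new side while `#slaac private` is left commented out, so the host keeps deriving its SLAAC IPv6 address from the interface hardware address, which gives it the same trackable interface identifier on every network it joins. The package default removed in this same commit (dhcpcd.conf.dpkg-dist) ships the opposite choice; unless hardware-based addresses are needed here, for example for fixed firewall rules or DNS records, swap the two lines to `#slaac hwaddr` and `slaac private`. The hunk also keeps `option ntp_servers` enabled although the package default comments it out, which lets whichever DHCP server answers supply the time sources. If that is intended, a comment such as `# NTP servers offered by DHCP are trusted on this network` above the option would record the decision.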
@@ -1,41 +0,0 @@ -# A sample configuration for dhcpcd. -# See dhcpcd.conf(5) for details. - -# Allow users of this group to interact with dhcpcd via the control socket. -#controlgroup wheel - -# Inform the DHCP server of our hostname for DDNS. -hostname - -# Use the hardware address of the interface for the Client ID. -#clientid -# or -# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361. -# Some non-RFC compliant DHCP servers do not reply with this set. -# In this case, comment out duid and enable clientid above. -duid - -# Persist interface configuration when dhcpcd exits. -persistent - -# Rapid commit support. -# Safe to enable by default because it requires the equivalent option set -# on the server to actually work. -option rapid_commit - -# A list of options to request from the DHCP server. -option domain_name_servers, domain_name, domain_search, host_name -option classless_static_routes -# Respect the network MTU. This is applied to DHCP routes. -option interface_mtu - -# Most distributions have NTP support. -#option ntp_servers - -# A ServerID is required by RFC2131. -require dhcp_server_identifier - -# Generate SLAAC address using the Hardware Address of the interface -#slaac hwaddr -# OR generate Stable Private IPv6 Addresses based from the DUID -slaac private diff --git a/logrotate.conf b/logrotate.conf index 9634d7b..4f5a278 100644 --- a/logrotate.conf +++ b/logrotate.conf @@ -1,4 +1,7 @@ # see "man logrotate" for details + +# global options do not affect preceding include directives + # rotate log files weekly weekly @@ -21,4 +24,4 @@ delaycompress # packages drop log rotation information into this directory include /etc/logrotate.d -# system-specific logs may be configured here +# system-specific logs may also be configured here. diff --git a/logrotate.d/.from-pkg/2021-02-03/apache2 b/logrotate.d/.from-pkg/2021-02-03/apache2 new file mode 100644 index 0000000..37c5f22 --- /dev/null 
+++ b/logrotate.d/.from-pkg/2021-02-03/apache2
@@ -0,0 +1,20 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ if invoke-rc.d apache2 status > /dev/null 2>&1; then \
+ invoke-rc.d apache2 reload > /dev/null 2>&1; \
+ fi;
+ endscript
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi; \
+ endscript
+}
diff --git a/logrotate.d/.from-pkg/2021-02-03/chrony b/logrotate.d/.from-pkg/2021-02-03/chrony
new file mode 100644
index 0000000..2823a1a
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-02-03/chrony
@@ -0,0 +1,8 @@
+/var/log/chrony/*.log {
+ missingok
+ nocreate
+ sharedscripts
+ postrotate
+ /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
+ endscript
+}
diff --git a/logrotate.d/.from-pkg/2021-02-03/dpkg b/logrotate.d/.from-pkg/2021-02-03/dpkg
new file mode 100644
index 0000000..cf36f08
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-02-03/dpkg
@@ -0,0 +1,9 @@
+/var/log/dpkg.log {
+ monthly
+ rotate 12
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 644 root root
+}
diff --git a/logrotate.d/.from-pkg/2021-02-03/rsyslog b/logrotate.d/.from-pkg/2021-02-03/rsyslog
new file mode 100644
index 0000000..a69d4e5
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-02-03/rsyslog
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
diff --git a/logrotate.d/.from-pkg/2021-02-03/ulogd2 b/logrotate.d/.from-pkg/2021-02-03/ulogd2
new file mode 100644
index 0000000..4d03ba9
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-02-03/ulogd2
@@ -0,0 +1,14 @@
+/var/log/ulog/*.log /var/log/ulog/*.pcap {
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ create 640 ulog adm
+ postrotate
+ if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
+ systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
+ else
+ invoke-rc.d ulogd2 reload > /dev/null
+ fi
+ endscript
+}
diff --git a/logrotate.d/.from-pkg/2021-09-15/apache2 b/logrotate.d/.from-pkg/2021-09-15/apache2
new file mode 100644
index 0000000..6da4ef8
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-09-15/apache2
@@ -0,0 +1,20 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then
+ run-parts /etc/logrotate.d/httpd-prerotate
+ fi
+ endscript
+ postrotate
+ if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
+ invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
+ fi
+ endscript
+}
diff --git a/logrotate.d/.from-pkg/2021-09-15/fail2ban b/logrotate.d/.from-pkg/2021-09-15/fail2ban
new file mode 100644
index 0000000..892f5d2
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-09-15/fail2ban
@@ -0,0 +1,19 @@
+/var/log/fail2ban.log {
+
+ weekly
+ rotate 4
+ compress
+ # Do not rotate if empty
+ notifempty
+
+ delaycompress
+ missingok
+ postrotate
+ fail2ban-client flushlogs 1>/dev/null
+ endscript
+
+ # If fail2ban runs as non-root it still needs to have write access
+ # to logfiles.
+ # create 640 fail2ban adm
+ create 640 root adm
+}
diff --git a/logrotate.d/.from-pkg/2021-09-15/logrotate.conf b/logrotate.d/.from-pkg/2021-09-15/logrotate.conf
new file mode 100644
index 0000000..c99018c
--- /dev/null
+++ b/logrotate.d/.from-pkg/2021-09-15/logrotate.conf @@ -0,0 +1,23 @@ +# see "man logrotate" for details + +# global options do not affect preceding include directives + +# rotate log files weekly +weekly + +# keep 4 weeks worth of backlogs +rotate 4 + +# create new (empty) log files after rotating old ones +create + +# use date as a suffix of the rotated file +#dateext + +# uncomment this if you want your log files compressed +#compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# system-specific logs may also be configured here. diff --git a/logrotate.d/.from-pkg/2021-09-15/rsyslog b/logrotate.d/.from-pkg/2021-09-15/rsyslog new file mode 100644 index 0000000..8d521ca --- /dev/null +++ b/logrotate.d/.from-pkg/2021-09-15/rsyslog @@ -0,0 +1,25 @@ +/var/log/syslog +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + /usr/lib/rsyslog/rsyslog-rotate + endscript +} diff --git a/logrotate.d/apache2 b/logrotate.d/apache2 index 2382132..ce7c808 100644 --- a/logrotate.d/apache2 +++ b/logrotate.d/apache2 @@ -9,15 +9,15 @@ size 4M create 640 root adm sharedscripts - postrotate - if invoke-rc.d apache2 status > /dev/null 2>&1; then \ - invoke-rc.d apache2 reload > /dev/null 2>&1; \ - fi; - endscript prerotate - if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ - run-parts /etc/logrotate.d/httpd-prerotate; \ - fi; \ + if [ -d /etc/logrotate.d/httpd-prerotate ]; then + run-parts /etc/logrotate.d/httpd-prerotate + fi + endscript + postrotate + if pgrep -f ^/usr/sbin/apache2 > /dev/null; then + invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate + fi endscript } diff --git a/network/interfaces b/network/interfaces index c3670cf..d9dc749 100644 
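Review bot: In the new `postrotate` block of logrotate.d/apache2 the reload is piped into `logger`, so the script's exit status is logger's rather than that of `invoke-rc.d apache2 reload`, and a failed reload will presumably no longer surface as a logrotate error. The failure is then visible only in syslog under the tag `apache2.logrotate`, and until a reload succeeds Apache keeps writing to the rotated file, so that tag is worth watching. A comment above the block would record this: `# reload output goes to syslog (tag apache2.logrotate); a failed reload does not fail the rotation`. The stanza opens before the hunk, so the full option list is not visible here.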
--- a/network/interfaces +++ b/network/interfaces @@ -12,7 +12,8 @@ auto eth0 allow-hotplug eth0 iface eth0 inet dhcp -iface eth0 inet6 dhcp -#iface eth0 inet6 static -# address 2a06:2380:0:1::3a/64 -# gateway 2a06:2380:0:1::1 +#iface eth0 inet6 dhcp +iface eth0 inet6 static + address 2a06:2380:0:1::3a/64 + # gateway 2a06:2380:0:1::1 + gateway fe80::800:385:fe:1 -- 2.39.5
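Review bot: The new `iface eth0 inet6 static` stanza does not say how router advertisements are handled, and dhcpcd.conf in this same commit keeps `slaac hwaddr` active. If dhcpcd or the kernel still processes RAs on eth0, the interface may carry a MAC-derived autoconfigured address next to 2a06:2380:0:1::3a; `ip -6 addr show dev eth0` would confirm. If only the static address is intended, stating it in the stanza makes that explicit: `accept_ra 0` and `autoconf 0`. The commented `#iface eth0 inet6 dhcp` and `# gateway 2a06:2380:0:1::1` lines would also benefit from a one-line comment on why the link-local gateway replaced the global one. The file starts outside the hunk.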