From b4dcdd78c2f56f770ed1b882cdb27fb0711ea8be Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Fri, 25 Mar 2016 09:29:33 +0100 Subject: [PATCH] Current state --- alternatives/locate | 1 + alternatives/locate.1.gz | 1 + alternatives/rzsh | 1 + alternatives/rzsh.1.gz | 1 + alternatives/updatedb | 1 + alternatives/zsh | 1 + alternatives/zsh-usrbin | 1 + apparmor.d/local/usr.sbin.named | 2 + apparmor.d/usr.sbin.named | 53 ++ ...blicKey => repo.uhu-banane.de.gpg-key.pub} | 0 apt/sources.list | 15 +- apt/sources.list.d/salt.list | 2 +- bind/bind.keys | 46 + bind/db.0 | 12 + bind/db.127 | 13 + bind/db.255 | 12 + bind/db.empty | 14 + bind/db.local | 14 + bind/db.root | 88 ++ bind/dnssec/Kdns-uhu-banane.+157+21915.key | 1 + .../dnssec/Kdns-uhu-banane.+157+21915.private | 7 + bind/dnssec/Kdyn-dns-updater.+157+29290.key | 1 + .../Kdyn-dns-updater.+157+29290.private | 4 + bind/dyn/dyn.brehm-online.com.zone | 17 + bind/dyn/dyn.brehm-online.com.zone.default | 17 + bind/dyn/dyn.uhu-banane.de.zone | 17 + bind/dyn/dyn.uhu-banane.de.zone.default | 17 + bind/named-acl.conf | 145 +++ bind/named-dyn.conf | 41 + bind/named-log.conf | 87 ++ bind/named-pri.conf | 92 ++ bind/named-sec.conf | 663 +++++++++++++ bind/named.conf | 43 + bind/named.conf.default-zones | 38 + bind/named.conf.local | 18 + bind/named.conf.options | 90 ++ bind/rndc.key | 4 + bind/zones.rfc1918 | 30 + bind/zones/home.brehm-online.com.zone | 68 ++ bind/zones/rev.10.12.11.zone | 64 ++ bind/zones/rev.2001-6f8-1db7-0.zone | 55 ++ bind/zones/rev.2001-6f8-1db7.zone | 22 + bind/zones/uhu-banane.eu.zone | 22 + bind/zones/uhu-banane.org.zone | 22 + chrony/chrony.conf | 2 +- cron.daily/logrotate | 9 +- cron.daily/mlocate | 21 + default/bind9 | 5 + default/locale | 2 +- default/locale.bak | 3 + fail2ban/jail.conf | 558 ++++++----- fail2ban/jail.conf.bak | 556 +++++++++++ fail2ban/jail.d/postfix.conf | 11 + fail2ban/jail.d/ssh.conf | 12 + group | 2 + group- | 2 + gshadow | 2 + gshadow- | 2 + hosts | 2 +- init.d/bind9 | 145 +++ inittabminion | 69 ++ lftp.conf | 94 ++ logrotate.d/bind | 35 + 
logrotate.d/chrony | 8 +- logrotate.d/rsyslog | 2 +- logrotate.d/salt-common | 6 + modules-load.d/modules.conf | 1 - network/if-down.d/bind9 | 15 + network/if-up.d/bind9 | 15 + passwd | 1 + passwd- | 1 + postfix/main-new.cf | 99 ++ postfix/main.cf | 88 +- postfix/main.cf.bak | 57 ++ postfix/mkpostfixcert | 28 +- postfix/postfix-cert.cnf | 2 +- postfix/postfix-cert.cnf.bak | 23 + postfix/smtp_auth | 9 +- postfix/smtp_auth.db | Bin 12288 -> 12288 bytes ppp/ip-down.d/bind9 | 15 + ppp/ip-up.d/bind9 | 15 + rc0.d/K02bind9 | 1 + rc0.d/{K02sendsigs => K03sendsigs} | 0 rc0.d/{K03rsyslog => K04rsyslog} | 0 rc0.d/{K04hwclock.sh => K05hwclock.sh} | 0 rc0.d/{K04umountnfs.sh => K05umountnfs.sh} | 0 rc0.d/{K05networking => K06networking} | 0 rc0.d/{K06umountfs => K07umountfs} | 0 rc0.d/{K07umountroot => K08umountroot} | 0 rc0.d/{K08halt => K09halt} | 0 rc1.d/K02bind9 | 1 + rc1.d/{K03rsyslog => K04rsyslog} | 0 rc2.d/S02bind9 | 1 + rc2.d/{S02chrony => S03chrony} | 0 rc2.d/{S02cron => S03cron} | 0 rc2.d/{S02postfix => S03postfix} | 0 rc2.d/{S02rsync => S03rsync} | 0 rc3.d/S02bind9 | 1 + rc3.d/{S02chrony => S03chrony} | 0 rc3.d/{S02cron => S03cron} | 0 rc3.d/{S02postfix => S03postfix} | 0 rc3.d/{S02rsync => S03rsync} | 0 rc4.d/S02bind9 | 1 + rc4.d/{S02chrony => S03chrony} | 0 rc4.d/{S02cron => S03cron} | 0 rc4.d/{S02postfix => S03postfix} | 0 rc4.d/{S02rsync => S03rsync} | 0 rc5.d/S02bind9 | 1 + rc5.d/{S02chrony => S03chrony} | 0 rc5.d/{S02cron => S03cron} | 0 rc5.d/{S02postfix => S03postfix} | 0 rc5.d/{S02rsync => S03rsync} | 0 rc6.d/K02bind9 | 1 + rc6.d/{K02sendsigs => K03sendsigs} | 0 rc6.d/{K03rsyslog => K04rsyslog} | 0 rc6.d/{K04hwclock.sh => K05hwclock.sh} | 0 rc6.d/{K04umountnfs.sh => K05umountnfs.sh} | 0 rc6.d/{K05networking => K06networking} | 0 rc6.d/{K06umountfs => K07umountfs} | 0 rc6.d/{K07umountroot => K08umountroot} | 0 rc6.d/{K08reboot => K09reboot} | 0 resolv.conf | 7 +- resolv.conf.bak | 7 + salt/.master.bak | 781 ++++++++++++++++ salt/.master.dpkg-new.bak | 869 
++++++++++++++++++ salt/master | 78 +- salt/minion | 14 +- salt/minion.d/_schedule.conf | 2 + salt/minion_id | 2 +- salt/pki/master/minions/ns1.uhu-banane.de | 9 + salt/pki/master/minions/ns2.uhu-banane.de | 9 + salt/pki/master/minions/ns3.uhu-banane.de | 9 + .../master/minions_pre/builder.gridserver.io | 9 - salt/pki/minion/minion.pem | 50 +- salt/pki/minion/minion.pub | 14 +- salt/pki/minion/minion_master.pub | 9 + salt/proxy | 11 +- shadow | 1 + shadow- | 1 + shells | 2 + skel/.bashrc | 92 +- ssh/ssh_config | 2 +- subgid | 1 + subgid- | 1 + subuid | 1 + subuid- | 1 + sysctl.d/99-sysctl.conf | 1 - .../multi-user.target.wants/bind9.service | 1 + ufw/applications.d/bind9 | 5 + updatedb.conf | 4 + xdg/systemd/user | 1 - zsh/newuser.zshrc.recommended | 37 + zsh/zlogin | 9 + zsh/zlogout | 1 + zsh/zprofile | 7 + zsh/zshenv | 18 + zsh/zshrc | 104 +++ 157 files changed, 5469 insertions(+), 488 deletions(-) create mode 120000 alternatives/locate create mode 120000 alternatives/locate.1.gz create mode 120000 alternatives/rzsh create mode 120000 alternatives/rzsh.1.gz create mode 120000 alternatives/updatedb create mode 120000 alternatives/zsh create mode 120000 alternatives/zsh-usrbin create mode 100644 apparmor.d/local/usr.sbin.named create mode 100644 apparmor.d/usr.sbin.named rename apt/{repo.uhu-deb8-1.PublicKey => repo.uhu-banane.de.gpg-key.pub} (100%) create mode 100644 bind/bind.keys create mode 100644 bind/db.0 create mode 100644 bind/db.127 create mode 100644 bind/db.255 create mode 100644 bind/db.empty create mode 100644 bind/db.local create mode 100644 bind/db.root create mode 100644 bind/dnssec/Kdns-uhu-banane.+157+21915.key create mode 100644 bind/dnssec/Kdns-uhu-banane.+157+21915.private create mode 100644 bind/dnssec/Kdyn-dns-updater.+157+29290.key create mode 100644 bind/dnssec/Kdyn-dns-updater.+157+29290.private create mode 100644 bind/dyn/dyn.brehm-online.com.zone create mode 100644 bind/dyn/dyn.brehm-online.com.zone.default create mode 100644 
bind/dyn/dyn.uhu-banane.de.zone create mode 100644 bind/dyn/dyn.uhu-banane.de.zone.default create mode 100644 bind/named-acl.conf create mode 100644 bind/named-dyn.conf create mode 100644 bind/named-log.conf create mode 100644 bind/named-pri.conf create mode 100644 bind/named-sec.conf create mode 100644 bind/named.conf create mode 100644 bind/named.conf.default-zones create mode 100644 bind/named.conf.local create mode 100644 bind/named.conf.options create mode 100644 bind/rndc.key create mode 100644 bind/zones.rfc1918 create mode 100644 bind/zones/home.brehm-online.com.zone create mode 100644 bind/zones/rev.10.12.11.zone create mode 100644 bind/zones/rev.2001-6f8-1db7-0.zone create mode 100644 bind/zones/rev.2001-6f8-1db7.zone create mode 100644 bind/zones/uhu-banane.eu.zone create mode 100644 bind/zones/uhu-banane.org.zone create mode 100755 cron.daily/mlocate create mode 100644 default/bind9 create mode 100644 default/locale.bak create mode 100644 fail2ban/jail.conf.bak create mode 100644 fail2ban/jail.d/postfix.conf create mode 100644 fail2ban/jail.d/ssh.conf create mode 100755 init.d/bind9 create mode 100644 inittabminion create mode 100644 lftp.conf create mode 100644 logrotate.d/bind delete mode 120000 modules-load.d/modules.conf create mode 100755 network/if-down.d/bind9 create mode 100755 network/if-up.d/bind9 create mode 100644 postfix/main-new.cf create mode 100644 postfix/main.cf.bak create mode 100644 postfix/postfix-cert.cnf.bak create mode 100755 ppp/ip-down.d/bind9 create mode 100755 ppp/ip-up.d/bind9 create mode 120000 rc0.d/K02bind9 rename rc0.d/{K02sendsigs => K03sendsigs} (100%) rename rc0.d/{K03rsyslog => K04rsyslog} (100%) rename rc0.d/{K04hwclock.sh => K05hwclock.sh} (100%) rename rc0.d/{K04umountnfs.sh => K05umountnfs.sh} (100%) rename rc0.d/{K05networking => K06networking} (100%) rename rc0.d/{K06umountfs => K07umountfs} (100%) rename rc0.d/{K07umountroot => K08umountroot} (100%) rename rc0.d/{K08halt => K09halt} (100%) create mode 120000 
rc1.d/K02bind9 rename rc1.d/{K03rsyslog => K04rsyslog} (100%) create mode 120000 rc2.d/S02bind9 rename rc2.d/{S02chrony => S03chrony} (100%) rename rc2.d/{S02cron => S03cron} (100%) rename rc2.d/{S02postfix => S03postfix} (100%) rename rc2.d/{S02rsync => S03rsync} (100%) create mode 120000 rc3.d/S02bind9 rename rc3.d/{S02chrony => S03chrony} (100%) rename rc3.d/{S02cron => S03cron} (100%) rename rc3.d/{S02postfix => S03postfix} (100%) rename rc3.d/{S02rsync => S03rsync} (100%) create mode 120000 rc4.d/S02bind9 rename rc4.d/{S02chrony => S03chrony} (100%) rename rc4.d/{S02cron => S03cron} (100%) rename rc4.d/{S02postfix => S03postfix} (100%) rename rc4.d/{S02rsync => S03rsync} (100%) create mode 120000 rc5.d/S02bind9 rename rc5.d/{S02chrony => S03chrony} (100%) rename rc5.d/{S02cron => S03cron} (100%) rename rc5.d/{S02postfix => S03postfix} (100%) rename rc5.d/{S02rsync => S03rsync} (100%) create mode 120000 rc6.d/K02bind9 rename rc6.d/{K02sendsigs => K03sendsigs} (100%) rename rc6.d/{K03rsyslog => K04rsyslog} (100%) rename rc6.d/{K04hwclock.sh => K05hwclock.sh} (100%) rename rc6.d/{K04umountnfs.sh => K05umountnfs.sh} (100%) rename rc6.d/{K05networking => K06networking} (100%) rename rc6.d/{K06umountfs => K07umountfs} (100%) rename rc6.d/{K07umountroot => K08umountroot} (100%) rename rc6.d/{K08reboot => K09reboot} (100%) mode change 120000 => 100644 resolv.conf create mode 100644 resolv.conf.bak create mode 100644 salt/.master.bak create mode 100644 salt/.master.dpkg-new.bak create mode 100644 salt/minion.d/_schedule.conf create mode 100644 salt/pki/master/minions/ns1.uhu-banane.de create mode 100644 salt/pki/master/minions/ns2.uhu-banane.de create mode 100644 salt/pki/master/minions/ns3.uhu-banane.de delete mode 100644 salt/pki/master/minions_pre/builder.gridserver.io create mode 100644 salt/pki/minion/minion_master.pub delete mode 120000 sysctl.d/99-sysctl.conf create mode 120000 systemd/system/multi-user.target.wants/bind9.service create mode 100644 
ufw/applications.d/bind9 create mode 100644 updatedb.conf delete mode 120000 xdg/systemd/user create mode 100644 zsh/newuser.zshrc.recommended create mode 100644 zsh/zlogin create mode 100644 zsh/zlogout create mode 100644 zsh/zprofile create mode 100644 zsh/zshenv create mode 100644 zsh/zshrc
diff --git a/alternatives/locate b/alternatives/locate
new file mode 120000
index 0000000..b33f6cf
--- /dev/null
+++ b/alternatives/locate
@@ -0,0 +1 @@
+/usr/bin/mlocate
\ No newline at end of file
diff --git a/alternatives/locate.1.gz b/alternatives/locate.1.gz
new file mode 120000
index 0000000..8d4857d
--- /dev/null
+++ b/alternatives/locate.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/mlocate.1.gz
\ No newline at end of file
diff --git a/alternatives/rzsh b/alternatives/rzsh
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/rzsh
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/rzsh.1.gz b/alternatives/rzsh.1.gz
new file mode 120000
index 0000000..15dffb2
--- /dev/null
+++ b/alternatives/rzsh.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/zsh.1.gz
\ No newline at end of file
diff --git a/alternatives/updatedb b/alternatives/updatedb
new file mode 120000
index 0000000..a7598ba
--- /dev/null
+++ b/alternatives/updatedb
@@ -0,0 +1 @@
+/usr/bin/updatedb.mlocate
\ No newline at end of file
diff --git a/alternatives/zsh b/alternatives/zsh
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/zsh
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/zsh-usrbin b/alternatives/zsh-usrbin
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/zsh-usrbin
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/apparmor.d/local/usr.sbin.named b/apparmor.d/local/usr.sbin.named
new file mode 100644
index 0000000..c72fe2d
--- /dev/null
+++ b/apparmor.d/local/usr.sbin.named
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.named.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor.d/usr.sbin.named b/apparmor.d/usr.sbin.named
new file mode 100644
index 0000000..35df558
--- /dev/null
+++ b/apparmor.d/usr.sbin.named
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# Last Modified: Fri Jun 1 16:43:22 2007
+#include
+
+/usr/sbin/named {
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # /etc/bind should be read-only for bind
+ # /var/lib/bind is for dynamically updated zone (and journal) files.
+ # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+ # See /usr/share/doc/bind9/README.Debian.gz
+ /etc/bind/** r,
+ /var/lib/bind/** rw,
+ /var/lib/bind/ rw,
+ /var/cache/bind/** lrw,
+ /var/cache/bind/ rw,
+
+ # gssapi
+ /etc/krb5.keytab kr,
+ /etc/bind/krb5.keytab kr,
+
+ # ssl
+ /etc/ssl/openssl.cnf r,
+
+ # GeoIP data files for GeoIP ACLs
+ /usr/share/GeoIP/** r,
+
+ # dnscvsutil package
+ /var/lib/dnscvsutil/compiled/** rw,
+
+ /proc/net/if_inet6 r,
+ /proc/*/net/if_inet6 r,
+ /usr/sbin/named mr,
+ /{,var/}run/named/named.pid w,
+ /{,var/}run/named/session.key w,
+ # support for resolvconf
+ /{,var/}run/named/named.options r,
+
+ # some people like to put logs in /var/log/named/ instead of having
+ # syslog do the heavy lifting.
+ /var/log/named/** rw,
+ /var/log/named/ rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apt/repo.uhu-deb8-1.PublicKey b/apt/repo.uhu-banane.de.gpg-key.pub
similarity index 100%
rename from apt/repo.uhu-deb8-1.PublicKey
rename to apt/repo.uhu-banane.de.gpg-key.pub
diff --git a/apt/sources.list b/apt/sources.list
index e630c48..e182e93 100644
--- a/apt/sources.list
+++ b/apt/sources.list
@@ -1,11 +1,14 @@ -deb http://ftp.plusline.de/debian/ jessie main contrib non-free -deb-src http://ftp.plusline.de/debian/ jessie main contrib non-free +# deb http://ftp.plusline.de/debian jessie main -deb http://security.debian.org/ jessie/updates main contrib non-free -deb-src http://security.debian.org/ jessie/updates main contrib non-free +deb http://ftp.plusline.de/debian jessie main contrib non-free +deb-src http://ftp.plusline.de/debian jessie main contrib non-free -deb http://ftp.plusline.de/debian/ jessie-updates main contrib non-free -deb-src http://ftp.plusline.de/debian/ jessie-updates main contrib non-free +deb http://security.debian.org/ jessie/updates main contrib non-free +deb-src http://security.debian.org/ jessie/updates main contrib non-free + +# jessie-updates, previously known as 'volatile' +deb http://ftp.plusline.de/debian jessie-updates main contrib non-free +deb-src http://ftp.plusline.de/debian jessie-updates main contrib non-free # jessie-backports, previously on backports.debian.org deb http://ftp.plusline.de/debian/ jessie-backports main contrib non-free diff --git a/apt/sources.list.d/salt.list b/apt/sources.list.d/salt.list index 398af39..846108d 100644 --- a/apt/sources.list.d/salt.list +++ b/apt/sources.list.d/salt.list @@ -1 +1 @@ -deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main +deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main diff --git a/bind/bind.keys b/bind/bind.keys new file mode 100644 index 0000000..068a8ce --- /dev/null +++ b/bind/bind.keys 
@@ -0,0 +1,46 @@ +/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. As of the current release, the only +# trust anchors it contains are those for the DNS root zone ("."), and for +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors +# for any other zones MUST be configured elsewhere; if they are configured +# here, they will not be recognized or used by named. +# +# The built-in trust anchors are provided for convenience of configuration. +# They are not activated within named.conf unless specifically switched on. +# To use the built-in root key, set "dnssec-validation auto;" in +# named.conf options. To use the built-in DLV key, set +# "dnssec-lookaside auto;". Without these options being set, +# the keys in this file are ignored. +# +# This file is NOT expected to be user-configured. +# +# These keys are current as of January 2011. If any key fails to +# initialize correctly, it may have expired. In that event you should +# replace this file with a current version. The latest version of +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + +managed-keys { + # ISC DLV: See https://www.isc.org/solutions/dlv for details. + # NOTE: This key is activated by setting "dnssec-lookaside auto;" + # in named.conf. + dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; + + # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. 
+ # NOTE: This key is activated by setting "dnssec-validation auto;" + # in named.conf. + . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; +}; diff --git a/bind/db.0 b/bind/db.0 new file mode 100644 index 0000000..e3aabdb --- /dev/null +++ b/bind/db.0 @@ -0,0 +1,12 @@ +; +; BIND reverse data file for broadcast zone +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/bind/db.127 b/bind/db.127 new file mode 100644 index 0000000..cd05bef --- /dev/null +++ b/bind/db.127 @@ -0,0 +1,13 @@ +; +; BIND reverse data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +1.0.0 IN PTR localhost. diff --git a/bind/db.255 b/bind/db.255 new file mode 100644 index 0000000..e3aabdb --- /dev/null +++ b/bind/db.255 @@ -0,0 +1,12 @@ +; +; BIND reverse data file for broadcast zone +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/bind/db.empty b/bind/db.empty new file mode 100644 index 0000000..8a12858 --- /dev/null +++ b/bind/db.empty 
@@ -0,0 +1,14 @@ +; BIND reverse data file for empty rfc1918 zone +; +; DO NOT EDIT THIS FILE - it is used for multiple zones. +; Instead, copy it, edit named.conf, and use that copy. +; +$TTL 86400 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/bind/db.local b/bind/db.local new file mode 100644 index 0000000..2f272d4 --- /dev/null +++ b/bind/db.local @@ -0,0 +1,14 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 2 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +@ IN A 127.0.0.1 +@ IN AAAA ::1 diff --git a/bind/db.root b/bind/db.root new file mode 100644 index 0000000..6c19741 --- /dev/null +++ b/bind/db.root 
@@ -0,0 +1,88 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: Jan 3, 2013 +; related version of root zone: 2013010300 +; +; formerly NS.INTERNIC.NET +; +. 3600000 IN NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 
3600000 AAAA 2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
+; End of File
diff --git a/bind/dnssec/Kdns-uhu-banane.+157+21915.key b/bind/dnssec/Kdns-uhu-banane.+157+21915.key
new file mode 100644
index 0000000..2d24110
--- /dev/null
+++ b/bind/dnssec/Kdns-uhu-banane.+157+21915.key
@@ -0,0 +1 @@
+dns-uhu-banane. IN KEY 512 3 157 eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==
diff --git a/bind/dnssec/Kdns-uhu-banane.+157+21915.private b/bind/dnssec/Kdns-uhu-banane.+157+21915.private
new file mode 100644
index 0000000..66faaf0
--- /dev/null
+++ b/bind/dnssec/Kdns-uhu-banane.+157+21915.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==
+Bits: AAA=
+Created: 20160308220200
+Publish: 20160308220200
+Activate: 20160308220200
diff --git a/bind/dnssec/Kdyn-dns-updater.+157+29290.key b/bind/dnssec/Kdyn-dns-updater.+157+29290.key
new file mode 100644
index 0000000..564d8a3
--- /dev/null
+++ b/bind/dnssec/Kdyn-dns-updater.+157+29290.key
@@ -0,0 +1 @@
+dyn-dns-updater. IN KEY 0 3 157 gi69Yjzo1OSPVQ/oTTgw+Q==
diff --git a/bind/dnssec/Kdyn-dns-updater.+157+29290.private b/bind/dnssec/Kdyn-dns-updater.+157+29290.private
new file mode 100644
index 0000000..8ce7689
--- /dev/null
+++ b/bind/dnssec/Kdyn-dns-updater.+157+29290.private
@@ -0,0 +1,4 @@
+Private-key-format: v1.2
+Algorithm: 157 (HMAC_MD5)
+Key: gi69Yjzo1OSPVQ/oTTgw+Q==
+Bits: AAA=
diff --git a/bind/dyn/dyn.brehm-online.com.zone b/bind/dyn/dyn.brehm-online.com.zone
new file mode 100644
index 0000000..9a65b73
--- /dev/null
+++ b/bind/dyn/dyn.brehm-online.com.zone
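Review bot: The two `.private` files in this run of hunks, `bind/dnssec/Kdns-uhu-banane.+157+21915.private` and `bind/dnssec/Kdyn-dns-updater.+157+29290.private`, commit TSIG secrets to version control (the matching `.key` files carry the same secret in their KEY RDATA), so both keys should be regenerated and the old ones treated as disclosed rather than merely deleted in a later commit. Both are algorithm 157 (HMAC-MD5) and the `dyn-dns-updater` secret is only 16 bytes; `tsig-keygen` (`ddns-confgen` on older BIND) emits an HMAC-SHA256 `key { ... }` statement that can live in a root/bind-readable file pulled in with `include`, instead of a 100644 file inside the tracked tree. The diffstat at the top also lists `bind/rndc.key`, `salt/pki/minion/minion.pem`, `postfix/smtp_auth`, `shadow` and `gshadow`; those hunks are outside this view, but if the repository is pushed anywhere they carry the same concern.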
@@ -0,0 +1,17 @@ +$ORIGIN . +$TTL 86400 ; 1 day +dyn.brehm-online.com IN SOA ns3.uhu-banane.de. frank.brehm-online.com. ( + 1000 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + MX 10 mail.brehm-online.com. +$ORIGIN dyn.brehm-online.com. +$TTL 120 ; 2 minutes +home A 91.65.126.22 diff --git a/bind/dyn/dyn.brehm-online.com.zone.default b/bind/dyn/dyn.brehm-online.com.zone.default new file mode 100644 index 0000000..9a65b73 --- /dev/null +++ b/bind/dyn/dyn.brehm-online.com.zone.default @@ -0,0 +1,17 @@ +$ORIGIN . +$TTL 86400 ; 1 day +dyn.brehm-online.com IN SOA ns3.uhu-banane.de. frank.brehm-online.com. ( + 1000 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + MX 10 mail.brehm-online.com. +$ORIGIN dyn.brehm-online.com. +$TTL 120 ; 2 minutes +home A 91.65.126.22 diff --git a/bind/dyn/dyn.uhu-banane.de.zone b/bind/dyn/dyn.uhu-banane.de.zone new file mode 100644 index 0000000..b6373f6 --- /dev/null +++ b/bind/dyn/dyn.uhu-banane.de.zone @@ -0,0 +1,17 @@ +$ORIGIN . +$TTL 86400 ; 1 day +dyn.uhu-banane.de IN SOA ns3.uhu-banane.de. frank.brehm-online.com. ( + 1000 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + MX 10 mail.brehm-online.com. +$ORIGIN dyn.uhu-banane.de. +$TTL 120 ; 2 minutes +home A 91.65.126.22 diff --git a/bind/dyn/dyn.uhu-banane.de.zone.default b/bind/dyn/dyn.uhu-banane.de.zone.default new file mode 100644 index 0000000..b6373f6 --- /dev/null +++ b/bind/dyn/dyn.uhu-banane.de.zone.default 
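Review bot: `bind/dyn/dyn.brehm-online.com.zone` is the file named-dyn.conf declares with `allow-update`, so named rewrites it (and creates a `.jnl` beside it) after dynamic updates; tracking the live copy means the committed text goes stale immediately and a checkout or revert of this repository overwrites records clients have registered. Keeping only the `.zone.default` template under version control and seeding the live file from it at deploy time avoids that, and the same applies to the `dyn.uhu-banane.de.zone` hunk on the next line. A header comment in the template such as `; template only - the live copy is rewritten by named via DDNS` would make the split explicit.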
@@ -0,0 +1,17 @@ +$ORIGIN . +$TTL 86400 ; 1 day +dyn.uhu-banane.de IN SOA ns3.uhu-banane.de. frank.brehm-online.com. ( + 1000 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + MX 10 mail.brehm-online.com. +$ORIGIN dyn.uhu-banane.de. +$TTL 120 ; 2 minutes +home A 91.65.126.22 diff --git a/bind/named-acl.conf b/bind/named-acl.conf new file mode 100644 index 0000000..e9a0c49 --- /dev/null +++ b/bind/named-acl.conf 
@@ -0,0 +1,145 @@ +//############################################################### +//# Bind9-Konfigurationsdatei - Access-Control-Listen +//# /etc/bind/named-acl.conf +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +//############################################################### +//# Access-Control-Listen + +#---------------------------------------- +acl allow-dyn-update { + 46.16.73.175; + 2001:4dd0:ff00:cd3::2; + 85.214.134.152; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 144.76.221.169; + 2a01:4f8:200:94a8::2; + 138.201.28.135; + 2a01:4f8:171:3006::2; + 185.48.118.128; + 162.254.24.33; + 185.102.95.107; + 2a06:2380:0:1::3a; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 127.0.0.1; + ::1; +}; + +#---------------------------------------- +acl allow-notify { + 46.16.73.175; + 2001:4dd0:ff00:cd3::2; + 85.214.134.152; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 144.76.221.169; + 2a01:4f8:200:94a8::2; + 138.201.28.135; + 2a01:4f8:171:3006::2; + 185.48.118.128; + 162.254.24.33; + 185.102.95.107; + 2a06:2380:0:1::3a; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 127.0.0.1; + ::1; +}; + +#---------------------------------------- +acl allow-recursion { + 46.16.73.175; + 2001:4dd0:ff00:cd3::2; + 85.214.134.152; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 144.76.221.169; + 2a01:4f8:200:94a8::2; + 185.48.118.128; + 162.254.24.33; + 185.102.95.107; + 2a06:2380:0:1::3a; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 138.201.28.135; + 138.201.28.184; + 138.201.28.185; + 138.201.28.186; + 2a01:4f8:171:3006::/64; + 127.0.0.0/8; + ::1/128; + fe80::/10; +}; + +#---------------------------------------- +acl also-notify-acwain { + 144.76.221.169; + 2a01:4f8:200:94a8::2; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 138.201.28.135; + 2a01:4f8:171:3006::2; +}; + +#---------------------------------------- +acl also-notify-boreus { + 85.199.64.7; + 46.189.56.7; + 85.199.64.7; +}; + +#---------------------------------------- +acl 
also-notify-uhu-banane { + 185.48.118.128; + 162.254.24.33; +}; + +#---------------------------------------- +acl common-allow-transfer { + 85.199.64.7; + 46.189.56.7; + 85.199.64.7; + 46.16.73.175; + 2001:4dd0:ff00:cd3::2; + 85.214.134.152; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 144.76.221.169; + 2a01:4f8:200:94a8::2; + 138.201.28.135; + 2a01:4f8:171:3006::2; + 185.48.118.128; + 162.254.24.33; + 185.102.95.107; + 2a06:2380:0:1::3a; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 127.0.0.1; + ::1; +}; + +#---------------------------------------- +acl local-host-ips { + 127.0.0.1/8; + ::1/128; +}; + +#---------------------------------------- +acl local-net-ips { + 127.0.0.0/8; + 10.0.0.0/8; + 172.16.0.0/12; + 192.168.0.0/16; + ::1/128; + fe80::/10; +}; + +#---------------------------------------- +acl private-net-ips { + 10.12.11.0/24; + 46.16.73.175; + 2001:4dd0:ff00:cd3::2; + 2a02:8109:ae3f:fa04:5604:a6ff:fe38:99f9; + 85.214.134.152; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 185.102.95.107; + 2a06:2380:0:1::3a; +}; + +# vim: ts=4 filetype=named noai diff --git a/bind/named-dyn.conf b/bind/named-dyn.conf new file mode 100644 index 0000000..f6d831f --- /dev/null +++ b/bind/named-dyn.conf 
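Review bot: `common-allow-transfer` authorises zone transfers by source address alone, and since it is the entire `allow-transfer` list for every zone in named-pri.conf, named-dyn.conf and named-sec.conf, any host that can send from one of those addresses (a shared or re-assigned address, for instance) can pull full zone contents. Replacing the address entries with `key <transfer-key>;` (or nesting `!{ !key <transfer-key>; any; };` ahead of the addresses to require both) ties transfers to a TSIG key instead. `local-host-ips` has `127.0.0.1/8;` while `local-net-ips` and `allow-recursion` use `127.0.0.0/8;`; newer named-checkconf warns about the address/prefix-length mismatch, so the network form is the one to keep. `85.199.64.7` is listed twice in `also-notify-boreus` and twice more in `common-allow-transfer`; dropping the duplicates avoids a reader wondering whether a different address was intended.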
@@ -0,0 +1,41 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Dynamische Zonen
+//# /etc/bind/named-dyn.conf
+//#
+//# Host ns3.uhu-banane.de
+//#
+//###############################################################
+
+
+zone "dyn.brehm-online.com" {
+ type master;
+ file "/etc/bind/dyn/dyn.brehm-online.com.zone";
+ allow-update {
+ allow-dyn-update;
+ key dyn-dns-updater;
+ };
+ allow-transfer {
+ common-allow-transfer;
+ };
+ also-notify {
+ 185.48.118.128;
+ 162.254.24.33;
+ };
+};
+zone "dyn.uhu-banane.de" {
+ type master;
+ file "/etc/bind/dyn/dyn.uhu-banane.de.zone";
+ allow-update {
+ allow-dyn-update;
+ key dyn-dns-updater;
+ };
+ allow-transfer {
+ common-allow-transfer;
+ };
+ also-notify {
+ 185.48.118.128;
+ 162.254.24.33;
+ };
+};
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-log.conf b/bind/named-log.conf
new file mode 100644
index 0000000..2aaf2fe
--- /dev/null
+++ b/bind/named-log.conf
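Review bot: `allow-update { allow-dyn-update; key dyn-dns-updater; };` on both zones is an address-match list, so an UPDATE is accepted when it merely arrives from an address in `allow-dyn-update` — the TSIG key is an alternative, not a requirement, and DNS UPDATE normally travels over UDP where the source address is unverified. `allow-update { key dyn-dns-updater; };` (or an `update-policy`) makes every update signed, and clients on the listed hosts keep working by passing the key file to nsupdate. Separately, both `file` statements point under `/etc/bind/dyn/`, but the AppArmor profile added in this commit (`apparmor.d/usr.sbin.named`) grants only `/etc/bind/** r` and reserves `/var/lib/bind/**` for dynamically updated zones and journals, while the `apparmor.d/local/usr.sbin.named` override is comment-only; with the profile enforced, named cannot write the `.jnl` or dump the zone, so the two files belong in `/var/lib/bind/` (e.g. `file "/var/lib/bind/dyn.brehm-online.com.zone";`).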
@@ -0,0 +1,87 @@ +//############################################################### +//# Bind9-Konfigurationsdatei Logging +//# /etc/bind/named-log.conf +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +//############################################################### +//# Angaben zum Logging + +logging { + + //--------------------------------------- + // Channels + + channel complete_debug { + file "/var/log/bind/complete-debug.log"; + print-category yes; + print-severity yes; + print-time yes; + severity debug 99; + }; + + channel logtofile { + file "/var/log/bind/named.log"; + print-category yes; + print-severity yes; + print-time yes; + severity info; + }; + + channel moderate_debug { + file "/var/log/bind/debug.log"; + print-category yes; + print-severity yes; + print-time yes; + severity debug 1; + }; + + channel query_logging { + file "/var/log/bind/query.log"; + print-time yes; + }; + + channel security_file { + file "/var/log/bind/security.log"; + print-category yes; + print-severity yes; + print-time yes; + severity dynamic; + }; + + channel syslog-warning { + syslog daemon; + severity warning; + }; + + + //--------------------------------------- + // Categories + + category default { + default_debug; + logtofile; + }; + + category general { + logtofile; + syslog-warning; + }; + + category lame-servers { + null; + }; + + category queries { + query_logging; + }; + + category security { + security_file; + }; + +}; + +# vim: ts=4 filetype=named noai diff --git a/bind/named-pri.conf b/bind/named-pri.conf new file mode 100644 index 0000000..44b86d1 --- /dev/null +++ b/bind/named-pri.conf 
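Review bot: Every file channel here writes under `/var/log/bind/`, but the AppArmor profile added in this commit (`apparmor.d/usr.sbin.named`) permits only `/var/log/named/** rw` and `/var/log/named/ rw`, and the `apparmor.d/local/usr.sbin.named` override contains nothing but comments; with the profile enforced, named will fail to open `named.log`, `query.log` and `security.log`. Either switch the paths to `/var/log/named/` or add `/var/log/bind/ rw,` and `/var/log/bind/** rw,` to the local override. `complete_debug` and `moderate_debug` are defined but no `category` references them, so they are dead configuration unless they are meant to be switched in by hand — a comment saying so would help. None of the file channels sets `versions`/`size`; the diffstat adds `logrotate.d/bind` (not in view), and since named keeps these files open, that rotation needs `copytruncate` or an `rndc reconfig` postrotate to take effect.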
@@ -0,0 +1,92 @@ +//############################################################### +//# Bind9-Konfigurationsdatei - Primaere Zonen +//# /etc/bind/named-pri.conf +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +//############################################################### +//# Master-Zonen (Primary) + + +zone "uhu-banane.eu" { + type master; + file "/etc/bind/zones/uhu-banane.eu.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + +zone "0.0.0.0.7.b.d.1.8.f.6.0.1.0.0.2.ip6.arpa" { + type master; + file "/etc/bind/zones/rev.2001-6f8-1db7-0.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + +zone "11.12.10.in-addr.arpa" { + type master; + file "/etc/bind/zones/rev.10.12.11.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + +zone "7.b.d.1.8.f.6.0.1.0.0.2.ip6.arpa" { + type master; + file "/etc/bind/zones/rev.2001-6f8-1db7.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + +zone "home.brehm-online.com" { + type master; + file "/etc/bind/zones/home.brehm-online.com.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + +zone "uhu-banane.org" { + type master; + file "/etc/bind/zones/uhu-banane.org.zone"; + allow-update { none; }; + allow-transfer { + common-allow-transfer; + }; + also-notify { + 185.48.118.128; + 162.254.24.33; + }; +}; + + +# vim: ts=4 filetype=named noai diff --git a/bind/named-sec.conf b/bind/named-sec.conf new file mode 100644 index 0000000..4e4c790 --- /dev/null +++ b/bind/named-sec.conf 
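Review bot: Outgoing transfers for all six master zones are gated only by the `common-allow-transfer` address ACL (defined in named-acl.conf, outside this hunk), with no TSIG, so a transfer request from a spoofed or shared address inside that ACL is served and the zone data leaves the host unauthenticated. Adding a key element, e.g. `allow-transfer { key xfer-key; };`, with the same key on the secondaries' `masters` entries, ties transfers to a secret instead of an address. The identical `also-notify { 185.48.118.128; 162.254.24.33; };` block is repeated in every stanza; if those addresses are the ns1/ns2 hosts named in the zones' NS records, the default `notify yes` already notifies them, so either the block is redundant or a comment should say why it is needed (`// also-notify: secondaries not reachable via their NS addresses`).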
@@ -0,0 +1,663 @@ +//############################################################### +//# Bind9-Konfigurationsdatei - Sekundaere Zonen +//# /etc/bind/named-sec +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +//############################################################### +//# Slave-Zonen (Secondary) + + +zone "0.29.172.in-addr.arpa" { + type slave; + file "rev.172.29.0.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "acwain.com" { + type slave; + file "acwain.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "acwain.de" { + type slave; + file "acwain.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "acwain.net" { + type slave; + file "acwain.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "acwain.org" { + type slave; + file "acwain.org.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "dkn-die-zahnaerzte.de" { + type slave; + file "dkn-die-zahnaerzte.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "domaniecki.com" { + type slave; + file "domaniecki.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "dyn.acwain.net" { + type slave; + file "dyn.acwain.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "e-nergieplus.de" { + type slave; + file "e-nergieplus.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "ereda.de" { + type slave; + file "ereda.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "gl-versicherungsmakler.de" { + type slave; + file 
"gl-versicherungsmakler.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "haemato-onkologie-hamburg.de" { + type slave; + file "haemato-onkologie-hamburg.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "haemato-onkologie-hh.de" { + type slave; + file "haemato-onkologie-hh.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "hajo-doehring.de" { + type slave; + file "hajo-doehring.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "hausarztpraxis-hoheluft.de" { + type slave; + file "hausarztpraxis-hoheluft.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "ihrezahnaerzte.com" { + type slave; + file "ihrezahnaerzte.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "irtk.de" { + type slave; + file "irtk.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "kleinanzeigen-mv.de" { + type slave; + file "kleinanzeigen-mv.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "krebszentrum-hoheluft.de" { + type slave; + file "krebszentrum-hoheluft.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "krebszentrum-laack.de" { + type slave; + file "krebszentrum-laack.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "krebszentrum-suederelbe.de" { + type slave; + file "krebszentrum-suederelbe.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mexico-language-school.com" { + type slave; + file "mexico-language-school.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + 
common-allow-transfer; + }; +}; + +zone "mexico-travel-and-tours.com" { + type slave; + file "mexico-travel-and-tours.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mexventure.com" { + type slave; + file "mexventure.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mexventure.de" { + type slave; + file "mexventure.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mexventures.com" { + type slave; + file "mexventures.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mexventures.de" { + type slave; + file "mexventures.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mypettown.com" { + type slave; + file "mypettown.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "mypettown.de" { + type slave; + file "mypettown.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "nexunus.com" { + type slave; + file "nexunus.com.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "nexunus.de" { + type slave; + file "nexunus.de.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "nexunus.net" { + type slave; + file "nexunus.net.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "onkologie-hoheluft.de" { + type slave; + file "onkologie-hoheluft.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "onkologie-laack.de" { + type slave; + file "onkologie-laack.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "onkologie-suederelbe.de" { + 
type slave; + file "onkologie-suederelbe.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "planetec.de" { + type slave; + file "planetec.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "saeger.cc" { + type slave; + file "saeger.cc.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "saeger.net" { + type slave; + file "saeger.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "sg-hohh.de" { + type slave; + file "sg-hohh.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shop-yoo.com" { + type slave; + file "shop-yoo.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shop-yoo.de" { + type slave; + file "shop-yoo.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shop-you.de" { + type slave; + file "shop-you.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shopyoo.com" { + type slave; + file "shopyoo.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shopyoo.de" { + type slave; + file "shopyoo.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shopyou.com" { + type slave; + file "shopyou.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "shopyou.de" { + type slave; + file "shopyou.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "spanish-school-mexico.com" { + type slave; + file "spanish-school-mexico.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + 
+zone "sprachreisen-mexiko.com" { + type slave; + file "sprachreisen-mexiko.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "sprachschule-mexiko.com" { + type slave; + file "sprachschule-mexiko.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "spridget-register.com" { + type slave; + file "spridget-register.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "spridgets.net" { + type slave; + file "spridgets.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "timo-adam.de" { + type slave; + file "timo-adam.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "timoadam.de" { + type slave; + file "timoadam.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "vital-beauty.net" { + type slave; + file "vital-beauty.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "vitalbeauty.net" { + type slave; + file "vitalbeauty.net.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "xn--hmato-onkologie-hamburg-v7b.de" { + type slave; + file "xn--hmato-onkologie-hamburg-v7b.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "xn--hmato-onkologie-hh-ltb.de" { + type slave; + file "xn--hmato-onkologie-hh-ltb.de.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "zahnpiraten-hamburg.com" { + type slave; + file "zahnpiraten-hamburg.com.zone"; + masters { + 144.76.221.169; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "zahnpiraten.com" { + type slave; + file "zahnpiraten.com.zone"; + masters { + 144.76.221.169; + }; + 
allow-transfer { + common-allow-transfer; + }; +}; + + +# vim: ts=4 filetype=named noai diff --git a/bind/named.conf b/bind/named.conf new file mode 100644 index 0000000..85f6159 --- /dev/null +++ b/bind/named.conf @@ -0,0 +1,43 @@ +//############################################################### +//# Bind9-Konfigurationsdatei +//# /etc/bind/named.conf +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +// access control lists +include "/etc/bind/named-acl.conf"; + +// global options +include "/etc/bind/named.conf.options"; + +// logging configuration +include "/etc/bind/named-log.conf"; + +// local configuration +include "/etc/bind/named.conf.local"; + +// Default zones +include "/etc/bind/named.conf.default-zones"; + +// master zones +include "/etc/bind/named-pri.conf"; + +// dynamic zones +include "/etc/bind/named-dyn.conf"; + +// slave zones +include "/etc/bind/named-sec.conf"; + + + +# vim: ts=4 filetype=named noai diff --git a/bind/named.conf.default-zones b/bind/named.conf.default-zones new file mode 100644 index 0000000..952ae71 --- /dev/null +++ b/bind/named.conf.default-zones 
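Review bot: Every secondary zone in this file pulls from `masters { 144.76.221.169; };` (or `138.201.28.135` for the three nexunus zones) without a TSIG key, so the only thing authenticating the zone data this server will then serve authoritatively is the master's IP address; NOTIFY and the SOA refresh check are UDP, and the AXFR/IXFR itself carries no integrity protection, so anyone able to spoof or sit in the path of that address can feed these zones. `masters { 144.76.221.169 key xfer-key; };` (with the `key` statement in a root:bind 0640 file pulled in via `include`) makes the transfer depend on a shared secret. The slave `file` names are relative and therefore land under `directory "/var/cache/bind"` from named.conf.options; a header comment such as `// slave zone files are written below /var/cache/bind` would save the next reader the lookup.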
@@ -0,0 +1,38 @@ +//############################################################### +//# Bind9-Konfigurationsdatei Default zones +//# /etc/bind/named.conf.default-zones +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +// prime the server with knowledge of the root servers +zone "." { + type hint; + file "/etc/bind/db.root"; +}; + +// be authoritative for the localhost forward and reverse zones, and for +// broadcast zones as per RFC 1912 + +zone "localhost" { + type master; + file "/etc/bind/db.local"; +}; + +zone "127.in-addr.arpa" { + type master; + file "/etc/bind/db.127"; +}; + +zone "0.in-addr.arpa" { + type master; + file "/etc/bind/db.0"; +}; + +zone "255.in-addr.arpa" { + type master; + file "/etc/bind/db.255"; +}; + +# vim: ts=4 filetype=named noai diff --git a/bind/named.conf.local b/bind/named.conf.local new file mode 100644 index 0000000..de99d4d --- /dev/null +++ b/bind/named.conf.local @@ -0,0 +1,18 @@ +//############################################################### +//# Bind9-Konfigurationsdatei Lokeles Geruempel +//# /etc/bind/named.conf.local +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +include "/etc/bind/zones.rfc1918"; + + +# vim: ts=4 filetype=named noai diff --git a/bind/named.conf.options b/bind/named.conf.options new file mode 100644 index 0000000..582317f --- /dev/null +++ b/bind/named.conf.options 
@@ -0,0 +1,90 @@ +//############################################################### +//# Bind9-Konfigurationsdatei for general options +//# /etc/bind/named.conf.options +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + + +//############################################################### +//# Allgemeine Optionen + +options { + + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */ + //bindkeys-file "/etc/bind/bind.keys"; + + listen-on-v6 { any; }; + listen-on { any; }; + + allow-notify { + allow-notify; + }; + + allow-recursion { + allow-recursion; + }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + //dnssec-enable yes; + dnssec-validation auto; + + /* + * As of bind 9.8.0: + * "If the root key provided has expired, + * named will log the expiration and validation will not work." 
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+
+ // pid-file "/var/run/named/named.pid";
+
+ version "none";
+
+};
+
+// Managed Keys
+include "/etc/bind/bind.keys";
+
+key "dyn-dns-updater" {
+ algorithm hmac-md5;
+ secret "gi69Yjzo1OSPVQ/oTTgw+Q==";
+};
+
+//###############################################################
+//# Kontrollkanäle für RNDC
+
+include "/etc/bind/rndc.key";
+
+controls {
+ inet 127.0.0.1 port 953 allow {
+ 127.0.0.1;
+ ::1/128;
+ } keys {
+ "rndc-key";
+ };
+};
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/rndc.key b/bind/rndc.key
new file mode 100644
index 0000000..402f164
--- /dev/null
+++ b/bind/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "eMhLmrsWxS28+oUnhbjwE6xYhMCvDKtsEBEc6TzD62mPMQ3R57xDb6McBAduXo56/a1xOtrX/tFs4CVnDnYdMw==";
+};
diff --git a/bind/zones.rfc1918 b/bind/zones.rfc1918
new file mode 100644
index 0000000..8185fc0
--- /dev/null
+++ b/bind/zones.rfc1918
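Review bot: The TSIG secret for `dyn-dns-updater` is committed in clear text inside named.conf.options, a file added with mode 100644 (readable by every local user in a checkout and by everyone with access to this repository), and it uses `hmac-md5`; anyone holding it can push dynamic updates into both dyn.* zones. Treat it as compromised: regenerate with `tsig-keygen -a hmac-sha256 dyn-dns-updater`, put the `key` statement in its own root:bind 0640 file that is pulled in with `include`, and keep that file out of version control. `listen-on { any; }` combined with `allow-recursion { allow-recursion; }` is only as safe as the ACL in named-acl.conf, which this hunk does not show; a comment next to it naming the intended recursive clients (`// recursion: LAN and VPN ranges only, see named-acl.conf`) would make the exposure reviewable.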
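Review bot: The rndc control secret is committed verbatim with mode 100644, so any local user of a checkout and anyone with repository access can read it, and it is `hmac-md5`; the `controls` block in named.conf.options limits port 953 to 127.0.0.1/::1, which confines the damage to local users, but those users can then `rndc stop`, `rndc flush` or `rndc reconfig` the server. Regenerate it with `rndc-confgen -a -A hmac-sha256`, keep /etc/bind/rndc.key at 0640 root:bind, and add it to the repository's ignore list (or manage it through a secrets path rather than plain git).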
@@ -0,0 +1,30 @@ +//############################################################### +//# Bind9-Konfigurationsdatei Default zones RFC 1918 +//# /etc/bind/zones.rfc1918 +//# +//# Host ns3.uhu-banane.de +//# +//############################################################### + +zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +# vim: ts=4 filetype=named noai diff --git a/bind/zones/home.brehm-online.com.zone b/bind/zones/home.brehm-online.com.zone new file mode 100644 index 0000000..868abab --- /dev/null +++ b/bind/zones/home.brehm-online.com.zone 
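Review bot: `zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };` is loaded on a server that is itself master for `11.12.10.in-addr.arpa` (named-pri.conf) and publishes 10.12.11.x PTRs; BIND serves from the closest enclosing zone, so the /24 still answers, but every other 10/8 reverse query now gets an authoritative NXDOMAIN from a public server. That is acceptable RFC1918 hygiene, but it contradicts the Debian comment kept in named.conf.local ("if they are not used in your organization") and deserves a note here, e.g. `// 11.12.10.in-addr.arpa is served from named-pri.conf and overrides the empty 10/8 zone`. BIND 9.9 and later already provide these as built-in empty zones (`empty-zones-enable`), so this include duplicates them; stating the BIND version this was written for avoids later confusion.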
@@ -0,0 +1,68 @@ +$ORIGIN brehm-online.com. +$TTL 86400 ; 1 day +;$TTL 900 + +home SOA ns3.uhu-banane.de. hostmaster.brehm-online.com. ( + 2016031300 ; Serial + 28800 ; Refresh + 14400 ; Retry + 604800 ; Expire - 1 week + 86400 ; Minimum + ) + NS ns3.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns1.uhu-banane.de. +; NS ns.brehm-online.com. +; NS home-gw.brehm-online.com. + AAAA 2a02:8109:9300:488:5604:a6ff:fe38:99f9 + +$ORIGIN home.brehm-online.com. +bruni A 10.12.11.2 + AAAA 2a02:8109:9300:488:5604:a6ff:fe38:99f9 + TXT "Franks Linux-Buechse@home" +else A 10.12.11.22 +FranksGalaxy A 10.12.11.10 +gunner A 10.12.11.9 +gw A 10.12.11.1 + TXT "Der Buffalo-Router" +heike A 10.12.11.5 +; AAAA 2001:6f8:1db7:0:7dc4:7800:49f5:767a +; AAAA 2001:6f8:1db7:0:d889:4a7:aa76:278c + TXT "Heikos Spiele-Buechse" +;leela A 10.12.11.3 +;localhost A 127.0.0.1 +;laptop-uwe AAAA 2001:6f8:1db7:0:224:54ff:fea9:8d2c +;luci A 10.12.11.30 +; AAAA 2001:6f8:1db7:0:6071:d376:4e3e:3e2c +; TXT "Franks Windows-Buechse@home" +lena A 10.12.11.28 +; AAAA 2001:6f8:1db7::28 +; AAAA 2001:6f8:1db7::a00:27ff:fede:40 + TXT "Wheezy-VM auf Bruni" +karla A 10.12.11.29 +; AAAA 2001:6f8:1db7::29 +; AAAA 2001:6f8:1db7:0:a00:27ff:fe4c:1a2a + TXT "Wheezy-VM auf Bruni" +olga A 10.12.11.3 + A 10.12.11.4 + AAAA 2a02:8109:9300:488:4a5b:39ff:fe9b:d309 +; AAAA 2001:6f8:1db7:0:4a5d:60ff:fe5f:d07d + TXT "Franks Laptop" +olga-eth A 10.12.11.3 + AAAA 2a02:8109:9300:488:4a5b:39ff:fe9b:d309 + TXT "Franks Laptop ueber Ethernet" +olga-wifi A 10.12.11.4 +; AAAA 2001:6f8:1db7:0:4a5d:60ff:fe5f:d07d + TXT "Franks Laptop ueber WLAN" +;olga A 10.12.11.8 +; AAAA 2001:6f8:1db7:0:6427:950:1606:3be0 +; TXT "Windows-VM auf Bruni" +;PatricksWildfire A 10.12.11.11 +ps-kyocera A 10.12.11.32 + TXT "Der Printserver fuer den Kyocera-Drucker" +xanthippe A 10.12.11.33 + AAAA 2001:6f8:1db7:0:f66d:4ff:fe2f:621b + TXT "Heikos neue Spiele-Buechse" +;xena A 10.12.11.4 + +; vim: filetype=bindzone ts=8 fileencoding=utf-8 
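Review bot: This zone publishes RFC1918 addresses (`bruni A 10.12.11.2`, `gw A 10.12.11.1`, …) and free-text descriptions of private machines ("Franks Linux-Buechse@home", "Der Buffalo-Router") from a zone whose NS records point at the public authoritative servers, which hands an outsider a map of the home LAN and provides ready-made public names for DNS rebinding (public name resolving to a private address). If these names only need to resolve inside the LAN, serve the zone from a view or a LAN resolver instead; at minimum move the descriptive TXT data into zone-file comments (`; bruni: Frank's Linux box`) so it stays out of DNS. The serial `2016031300` is shared with the reverse zones added in the same commit, so a `; bump the serial on every edit, secondaries poll it` reminder next to the SOA is worthwhile.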
diff --git a/bind/zones/rev.10.12.11.zone b/bind/zones/rev.10.12.11.zone new file mode 100644 index 0000000..e41c0df --- /dev/null +++ b/bind/zones/rev.10.12.11.zone @@ -0,0 +1,64 @@ +$ORIGIN 12.10.in-addr.arpa. + +$TTL 7200 + +11 SOA ns3.uhu-banane.de. hostmaster.brehm-online.com. ( + 2016031300 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + +$ORIGIN 11.12.10.in-addr.arpa. + +;0 PTR g.home.brehm-online.com. +1 PTR gw.home.brehm-online.com. +2 PTR bruni.home.brehm-online.com. +3 PTR olga-eth.home.brehm-online.com. +4 PTR olga-wifi.home.brehm-online.com. +5 PTR heike.home.brehm-online.com. +;6 PTR g.home.brehm-online.com. +;7 PTR g.home.brehm-online.com. +;8 PTR olga.home.brehm-online.com. +9 PTR gunner.home.brehm-online.com. + +10 PTR FranksGalaxy.home.brehm-online.com. +11 PTR PatricksWildfire.home.brehm-online.com. +;12 PTR g.home.brehm-online.com. +;13 PTR g.home.brehm-online.com. +;14 PTR g.home.brehm-online.com. +;15 PTR g.home.brehm-online.com. +;16 PTR g.home.brehm-online.com. +;17 PTR g.home.brehm-online.com. +;18 PTR g.home.brehm-online.com. +;19 PTR g.home.brehm-online.com. + +;20 PTR g.home.brehm-online.com. +;21 PTR g.home.brehm-online.com. +22 PTR else.home.brehm-online.com. +;23 PTR g.home.brehm-online.com. +;24 PTR g.home.brehm-online.com. +;25 PTR g.home.brehm-online.com. +;26 PTR g.home.brehm-online.com. +;27 PTR g.home.brehm-online.com. +28 PTR lena.home.brehm-online.com. +29 PTR karla.home.brehm-online.com. + +30 PTR luci.home.brehm-online.com. +;31 PTR g.home.brehm-online.com. +32 PTR ps-kyocera.home.brehm-online.com. +33 PTR xanthippe.home.brehm-online.com. +;34 PTR g.home.brehm-online.com. +;35 PTR g.home.brehm-online.com. +;36 PTR g.home.brehm-online.com. +;37 PTR g.home.brehm-online.com. +;38 PTR g.home.brehm-online.com. +;39 PTR g.home.brehm-online.com. + + +; vim: ts=8 filetype=bindzone 
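Review bot: The reverse zone is out of step with the forward zone added in the same commit: `11 PTR PatricksWildfire.home.brehm-online.com.` and `30 PTR luci.home.brehm-online.com.` have live PTRs while the matching A records in home.brehm-online.com.zone are commented out, so reverse lookups return names that do not resolve forward and fail forward-confirmed reverse DNS checks. Either comment these two PTRs out to match or restore the A records, and add a header such as `; keep in sync with zones/home.brehm-online.com.zone` to make the coupling explicit.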
diff --git a/bind/zones/rev.2001-6f8-1db7-0.zone b/bind/zones/rev.2001-6f8-1db7-0.zone new file mode 100644 index 0000000..dfa52a5 --- /dev/null +++ b/bind/zones/rev.2001-6f8-1db7-0.zone @@ -0,0 +1,55 @@ +$ORIGIN 0.0.0.7.b.d.1.8.f.6.0.1.0.0.2.ip6.arpa. + +$TTL 7200 +0 SOA ns3.uhu-banane.de. hostmaster.brehm-online.com. ( + 2016031300 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + +$ORIGIN 0.0.0.0.7.b.d.1.8.f.6.0.1.0.0.2.ip6.arpa. + +; 2001:6f8:1db7::1 +1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR bruni.home.brehm-online.com. + +; 2001:6f8:1db7::28 +8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR lena.home.brehm-online.com. +; 2001:6f8:1db7::a00:27ff:fede:40 +0.4.0.0.e.d.e.f.f.f.7.2.0.0.a.0 PTR lena.home.brehm-online.com. + +; 2001:6f8:1db7::29 +9.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR karla.home.brehm-online.com. +; 2001:6f8:1db7:0:a00:27ff:fe4c:1a2a +a.2.a.1.c.4.e.f.f.f.7.2.0.0.a.0 PTR karla.home.brehm-online.com. + +; 2001:6f8:1db7:0:224:54ff:fea9:8d2c +c.2.d.8.9.a.e.f.f.f.4.5.4.2.2.0 PTR laptop-uwe.home.brehm-online.com. + +; 2001:6f8:1db7:0:6071:d376:4e3e:3e2c +c.2.e.3.e.3.e.4.6.7.3.d.1.7.0.6 PTR luci.home.brehm-online.com. + +; 2001:6f8:1db7:0:7dc4:7800:49f5:767a +a.7.6.7.5.f.9.4.0.0.8.7.4.c.d.7 PTR heike.home.brehm-online.com. + +; 2001:6f8:1db7:0:d889:4a7:aa76:278c +c.8.7.2.6.7.a.a.7.a.4.0.9.8.8.d PTR heike.home.brehm-online.com. + +; 2001:6f8:1db7:0:f66d:4ff:fe2f:621b +b.1.2.6.f.2.e.f.f.f.4.0.d.6.6.f PTR xanthippe.home.brehm-online.com. + +;2001:6f8:1db7:0:4a5b:39ff:fe9b:d306 +6.0.3.d.b.9.e.f.f.f.9.3.b.5.a.4 PTR olga-eth.home.brehm-online.com. +;2001:6f8:1db7:0:4a5d:60ff:fe5f:d07d +d.7.0.d.f.5.e.f.f.f.0.6.d.5.a.4 PTR olga-wifi.home.brehm-online.com. + +;2001:6f8:1db7:0:6427:950:1606:3be0 +;0.e.b.3.6.0.6.1.0.5.9.0.7.2.4.6 PTR olga.home.brehm-online.com. + + +; vim: ts=8 filetype=bindzone 
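Review bot: Most PTRs in this zone map 2001:6f8:1db7:: addresses whose forward AAAA records are commented out in home.brehm-online.com.zone (lena, karla, heike, luci, laptop-uwe, olga-eth, olga-wifi), and `1.0.0.0.…` → bruni although bruni's only live AAAA is in 2a02:8109:9300:488::/64, so this reverse zone looks stale relative to the prefix the hosts actually use; confirm the 2001:6f8:1db7::/48 is still assigned to you before publishing it from a public server. The olga-eth record maps `…4a5b:39ff:fe9b:d306` while the forward zone's olga-eth uses interface identifier `4a5b:39ff:fe9b:d309`; since the EUI-64 part should match, one of the two is probably a typo and worth checking. A header comment `; only xanthippe currently has a live forward AAAA in this prefix` would flag the state for the next editor.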
diff --git a/bind/zones/rev.2001-6f8-1db7.zone b/bind/zones/rev.2001-6f8-1db7.zone new file mode 100644 index 0000000..ce63f70 --- /dev/null +++ b/bind/zones/rev.2001-6f8-1db7.zone @@ -0,0 +1,22 @@ +$ORIGIN b.d.1.8.f.6.0.1.0.0.2.ip6.arpa. +$TTL 7200 ; 2 hours + +7 SOA ns3.uhu-banane.de. hostmaster.brehm-online.com. ( + 2016031300 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + +$ORIGIN 7.b.d.1.8.f.6.0.1.0.0.2.ip6.arpa. + +0.0.0.0 NS ns1.uhu-banane.de. +0.0.0.0 NS ns2.uhu-banane.de. +0.0.0.0 NS ns3.uhu-banane.de. + +; vim: ts=4 filetype=bindzone diff --git a/bind/zones/uhu-banane.eu.zone b/bind/zones/uhu-banane.eu.zone new file mode 100644 index 0000000..647d25b --- /dev/null +++ b/bind/zones/uhu-banane.eu.zone @@ -0,0 +1,22 @@ +$ORIGIN . +;$TTL 86400 ; 1 day +$TTL 900 +uhu-banane.eu IN SOA ns3.uhu-banane.de. hostmaster.uhu-banane.de. ( + 2016030900 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + AAAA 2a06:2380:0:1::3a + MX 10 mail.uhu-banane.de. + +$ORIGIN uhu-banane.eu. +mail A 85.214.134.152 +mail AAAA 2a01:238:4225:6e00:8f8c:808a:7fb8:88df +git CNAME git.uhu-banane.de. +www CNAME www.uhu-banane.de. diff --git a/bind/zones/uhu-banane.org.zone b/bind/zones/uhu-banane.org.zone new file mode 100644 index 0000000..2ad64bc --- /dev/null +++ b/bind/zones/uhu-banane.org.zone 
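Review bot: The zone has an MX record but no SPF/DMARC TXT records, so mail claiming to be from `@uhu-banane.eu` cannot be rejected by receivers on policy grounds; if the domain never originates mail, `@ TXT "v=spf1 -all"` and `_dmarc TXT "v=DMARC1; p=reject"` close that off, otherwise publish the actual sending hosts. `$ORIGIN .` followed by the bare owner `uhu-banane.eu` is valid, and the NS/A/AAAA/MX lines after the SOA rely on the blank-owner rule; a comment such as `; records below inherit the zone apex as owner` helps readers who expect `@`. The identical uhu-banane.org.zone added in this commit has the same gap.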
@@ -0,0 +1,22 @@ +$ORIGIN . +;$TTL 86400 ; 1 day +$TTL 900 +uhu-banane.org IN SOA ns3.uhu-banane.de. hostmaster.uhu-banane.de. ( + 2016030900 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400 ; minimum (1 day) + ) + NS ns1.uhu-banane.de. + NS ns2.uhu-banane.de. + NS ns3.uhu-banane.de. + A 185.102.95.107 + AAAA 2a06:2380:0:1::3a + MX 10 mail.uhu-banane.de. + +$ORIGIN uhu-banane.org. +mail A 85.214.134.152 +mail AAAA 2a01:238:4225:6e00:8f8c:808a:7fb8:88df +git CNAME git.uhu-banane.de. +www CNAME www.uhu-banane.de. diff --git a/chrony/chrony.conf b/chrony/chrony.conf index 7009d10..edbcf16 100644 --- a/chrony/chrony.conf +++ b/chrony/chrony.conf @@ -66,7 +66,7 @@ bindcmdaddress 127.0.0.1 bindcmdaddress ::1 port 0 -# GRIDSCALE - Allow steppign the clock. Normally, it’s recommended to allow the step only in +# GRIDSCALE - Allow stepping the clock. Normally, it’s recommended to allow the step only in # the first few updates, but in some cases (a virtual machine which can be suspended and resumed # with incorrect time) it may be necessary to allow the step at any clock update. makestep 1 -1 diff --git a/cron.daily/logrotate b/cron.daily/logrotate index f4f56a9..c4eab7b 100755 --- a/cron.daily/logrotate +++ b/cron.daily/logrotate @@ -1,4 +1,9 @@ -#!/bin/sh +#!/bin/bash test -x /usr/sbin/logrotate || exit 0 -/usr/sbin/logrotate /etc/logrotate.conf +LOG=/var/log/logrotate.log +echo >> ${LOG} +echo "################################################" >> ${LOG} +echo "[$(date --rfc-3339=seconds )]: Start Logrotating" >> ${LOG} +/usr/sbin/logrotate -v /etc/logrotate.conf >> ${LOG} 2>&1 +echo "[$(date --rfc-3339=seconds )]: End Logrotating" >> ${LOG} diff --git a/cron.daily/mlocate b/cron.daily/mlocate new file mode 100755 index 0000000..aeb1a88 --- /dev/null +++ b/cron.daily/mlocate 
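Review bot: The exit status of `/usr/sbin/logrotate -v /etc/logrotate.conf >> ${LOG} 2>&1` is discarded because the trailing `echo` is the script's last command, so cron reports success even when rotation fails and no one is mailed. Capture and propagate it: `/usr/sbin/logrotate -v /etc/logrotate.conf >> "${LOG}" 2>&1; rc=$?` before the closing echo, then `exit "${rc}"` as the last line (quoting `"${LOG}"` in the redirections at the same time). The script also appends to /var/log/logrotate.log indefinitely; make sure that file is covered by a logrotate stanza (not visible here), or it becomes the one log that never rotates.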
@@ -0,0 +1,21 @@
+#! /bin/bash
+
+set -e
+
+[ -x /usr/bin/updatedb.mlocate ] || exit 0
+
+if which on_ac_power >/dev/null 2>&1; then
+ ON_BATTERY=0
+ on_ac_power >/dev/null 2>&1 || ON_BATTERY=$?
+ if [ "$ON_BATTERY" -eq 1 ]; then
+ exit 0
+ fi
+fi
+
+# See ionice(1)
+if [ -x /usr/bin/ionice ] &&
+ /usr/bin/ionice -c3 true 2>/dev/null; then
+ IONICE="/usr/bin/ionice -c3"
+fi
+
+flock --nonblock /run/mlocate.daily.lock $IONICE /usr/bin/updatedb.mlocate
diff --git a/default/bind9 b/default/bind9
new file mode 100644
index 0000000..866a94e
--- /dev/null
+++ b/default/bind9
@@ -0,0 +1,5 @@
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-u bind"
diff --git a/default/locale b/default/locale
index ffcbf47..89dd692 100644
--- a/default/locale
+++ b/default/locale
@@ -1,3 +1,3 @@
# File generated by update-locale
-LANG=en_US.UTF-8
+LANG="de_DE.UTF-8"
LANGUAGE="en_US:en"
diff --git a/default/locale.bak b/default/locale.bak
new file mode 100644
index 0000000..ffcbf47
--- /dev/null
+++ b/default/locale.bak
@@ -0,0 +1,3 @@
+# File generated by update-locale
+LANG=en_US.UTF-8
+LANGUAGE="en_US:en"
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
index 7d99912..e419014 100644
--- a/fail2ban/jail.conf
+++ b/fail2ban/jail.conf
@@ -126,155 +126,154 @@ action = %(action_)s # Optionally you may override any other parameter (e.g. banaction, # action, port, logpath, etc) in that section within jail.local -[ssh] - -enabled = true -port = ssh -filter = sshd -logpath = /var/log/syslog.d/auth.log -action = %(action_mw)s -maxretry = 6 - -[dropbear] +#[ssh] +# +#enabled = true +#port = ssh +#filter = sshd +#logpath = /var/log/auth.log +#maxretry = 6 -enabled = false -port = ssh -filter = dropbear -logpath = /var/log/auth.log -maxretry = 6 +#[dropbear] +# +#enabled = false +#port = ssh +#filter = dropbear +#logpath = /var/log/auth.log +#maxretry = 6 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall -[pam-generic] - -enabled = false -# pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic -# port actually must be irrelevant but lets leave it all for some possible uses -port = all -banaction = iptables-allports -port = anyport -logpath = /var/log/auth.log -maxretry = 6 - -[xinetd-fail] - -enabled = false -filter = xinetd-fail -port = all -banaction = iptables-multiport-log -logpath = /var/log/daemon.log -maxretry = 2 - +#[pam-generic] +# +#enabled = false +## pam-generic filter can be customized to monitor specific subset of 'tty's +#filter = pam-generic +## port actually must be irrelevant but lets leave it all for some possible uses +#port = all +#banaction = iptables-allports +#port = anyport +#logpath = /var/log/auth.log +#maxretry = 6 + +#[xinetd-fail] +# +#enabled = false +#filter = xinetd-fail +#port = all +#banaction = iptables-multiport-log +#logpath = /var/log/daemon.log +#maxretry = 2 -[ssh-ddos] -enabled = false -port = ssh -filter = sshd-ddos -logpath = /var/log/auth.log -maxretry = 6 +#[ssh-ddos] +# +#enabled = false +#port = ssh +#filter = sshd-ddos +#logpath = /var/log/auth.log +#maxretry = 6 # Here we use blackhole routes for not requiring any additional kernel support # to store 
large volumes of banned IPs -[ssh-route] - -enabled = false -filter = sshd -action = route -logpath = /var/log/sshd.log -maxretry = 6 +#[ssh-route] +# +#enabled = false +#filter = sshd +#action = route +#logpath = /var/log/sshd.log +#maxretry = 6 # Here we use a combination of Netfilter/Iptables and IPsets # for storing large volumes of banned IPs # # IPset comes in two versions. See ipset -V for which one to use # requires the ipset package and kernel support. -[ssh-iptables-ipset4] - -enabled = false -port = ssh -filter = sshd -banaction = iptables-ipset-proto4 -logpath = /var/log/sshd.log -maxretry = 6 - -[ssh-iptables-ipset6] +#[ssh-iptables-ipset4] +# +#enabled = false +#port = ssh +#filter = sshd +#banaction = iptables-ipset-proto4 +#logpath = /var/log/sshd.log +#maxretry = 6 -enabled = false -port = ssh -filter = sshd -banaction = iptables-ipset-proto6 -logpath = /var/log/sshd.log -maxretry = 6 +#[ssh-iptables-ipset6] +# +#enabled = false +#port = ssh +#filter = sshd +#banaction = iptables-ipset-proto6 +#logpath = /var/log/sshd.log +#maxretry = 6 # # HTTP servers # -[apache] - -enabled = false -port = http,https -filter = apache-auth -logpath = /var/log/apache*/*error.log -maxretry = 6 +#[apache] +# +#enabled = false +#port = http,https +#filter = apache-auth +#logpath = /var/log/apache*/*error.log +#maxretry = 6 # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases -[apache-multiport] - -enabled = false -port = http,https -filter = apache-auth -logpath = /var/log/apache*/*error.log -maxretry = 6 - -[apache-noscript] - -enabled = false -port = http,https -filter = apache-noscript -logpath = /var/log/apache*/*error.log -maxretry = 6 - -[apache-overflows] - -enabled = false -port = http,https -filter = apache-overflows -logpath = /var/log/apache*/*error.log -maxretry = 2 +#[apache-multiport] +# +#enabled = false +#port = http,https +#filter = apache-auth +#logpath = 
/var/log/apache*/*error.log +#maxretry = 6 -[apache-modsecurity] +#[apache-noscript] +# +#enabled = false +#port = http,https +#filter = apache-noscript +#logpath = /var/log/apache*/*error.log +#maxretry = 6 -enabled = false -filter = apache-modsecurity -port = http,https -logpath = /var/log/apache*/*error.log -maxretry = 2 +#[apache-overflows] +# +#enabled = false +#port = http,https +#filter = apache-overflows +#logpath = /var/log/apache*/*error.log +#maxretry = 2 -[apache-nohome] +#[apache-modsecurity] +# +#enabled = false +#filter = apache-modsecurity +#port = http,https +#logpath = /var/log/apache*/*error.log +#maxretry = 2 -enabled = false -filter = apache-nohome -port = http,https -logpath = /var/log/apache*/*error.log -maxretry = 2 +#[apache-nohome] +# +#enabled = false +#filter = apache-nohome +#port = http,https +#logpath = /var/log/apache*/*error.log +#maxretry = 2 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. -[php-url-fopen] - -enabled = false -port = http,https -filter = php-url-fopen -logpath = /var/www/*/logs/access_log +#[php-url-fopen] +# +#enabled = false +#port = http,https +#filter = php-url-fopen +#logpath = /var/www/*/logs/access_log # A simple PHP-fastcgi jail which works with lighttpd. # If you run a lighttpd server, then you probably will 
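Review bot: Commenting out every stock jail turns jail.conf into a locally modified conffile, which the file's own header (visible at the top of the jail.conf.bak copy in this commit) asks you not to do; each fail2ban package upgrade will now stop on a conffile conflict for a change that carries no configuration. The same treatment is applied in the hunks at `@@ -282,113`, `@@ -396,40`, `@@ -466,49` and `@@ -516,41`. Apart from `[ssh]`, every section here is already `enabled = false` in the package version, and the new jail.d/ssh.conf and jail.d/postfix.conf override the two jails that matter, so restoring jail.conf to the package copy and keeping only the jail.d/ files gives the same effective configuration without the upgrade friction.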
@@ -282,113 +281,112 @@ logpath = /var/www/*/logs/access_log # ALERT – tried to register forbidden variable ‘GLOBALS’ # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') -[lighttpd-fastcgi] - -enabled = false -port = http,https -filter = lighttpd-fastcgi -logpath = /var/log/lighttpd/error.log +#[lighttpd-fastcgi] +# +#enabled = false +#port = http,https +#filter = lighttpd-fastcgi +#logpath = /var/log/lighttpd/error.log # Same as above for mod_auth # It catches wrong authentifications -[lighttpd-auth] - -enabled = false -port = http,https -filter = suhosin -logpath = /var/log/lighttpd/error.log - -[nginx-http-auth] +#[lighttpd-auth] +# +#enabled = false +#port = http,https +#filter = suhosin +#logpath = /var/log/lighttpd/error.log -enabled = false -filter = nginx-http-auth -port = http,https -logpath = /var/log/nginx/error.log +#[nginx-http-auth] +# +#enabled = false +#filter = nginx-http-auth +#port = http,https +#logpath = /var/log/nginx/error.log # Monitor roundcube server -[roundcube-auth] - -enabled = false -filter = roundcube-auth -port = http,https -logpath = /var/log/roundcube/userlogins - +#[roundcube-auth] +# +#enabled = false +#filter = roundcube-auth +#port = http,https +#logpath = /var/log/roundcube/userlogins -[sogo-auth] -enabled = false -filter = sogo-auth -port = http, https -# without proxy this would be: -# port = 20000 -logpath = /var/log/sogo/sogo.log +#[sogo-auth] +# +#enabled = false +#filter = sogo-auth +#port = http, https +## without proxy this would be: +## port = 20000 +#logpath = /var/log/sogo/sogo.log # # FTP servers # -[vsftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = vsftpd -logpath = /var/log/vsftpd.log -# or overwrite it in jails.local to be -# logpath = /var/log/auth.log -# if you want to rely on PAM failed login attempts -# vsftpd's failregex should match both of those formats -maxretry = 6 - - -[proftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = 
proftpd -logpath = /var/log/proftpd/proftpd.log -maxretry = 6 +#[vsftpd] +# +#enabled = false +#port = ftp,ftp-data,ftps,ftps-data +#filter = vsftpd +#logpath = /var/log/vsftpd.log +## or overwrite it in jails.local to be +## logpath = /var/log/auth.log +## if you want to rely on PAM failed login attempts +## vsftpd's failregex should match both of those formats +#maxretry = 6 -[pure-ftpd] +#[proftpd] +# +#enabled = false +#port = ftp,ftp-data,ftps,ftps-data +#filter = proftpd +#logpath = /var/log/proftpd/proftpd.log +#maxretry = 6 -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = pure-ftpd -logpath = /var/log/syslog -maxretry = 6 +#[pure-ftpd] +# +#enabled = false +#port = ftp,ftp-data,ftps,ftps-data +#filter = pure-ftpd +#logpath = /var/log/syslog +#maxretry = 6 -[wuftpd] -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = wuftpd -logpath = /var/log/syslog -maxretry = 6 +#[wuftpd] +# +#enabled = false +#port = ftp,ftp-data,ftps,ftps-data +#filter = wuftpd +#logpath = /var/log/syslog +#maxretry = 6 # # Mail servers # -[postfix] - -enabled = true -port = smtp,ssmtp,submission -filter = postfix -logpath = /var/log/syslog.d/mail.log -action = %(action_mw)s - +#[postfix] +# +#enabled = false +#port = smtp,ssmtp,submission +#filter = postfix +#logpath = /var/log/mail.log -[couriersmtp] -enabled = false -port = smtp,ssmtp,submission -filter = couriersmtp -logpath = /var/log/mail.log +#[couriersmtp] +# +#enabled = false +#port = smtp,ssmtp,submission +#filter = couriersmtp +#logpath = /var/log/mail.log # 
@@ -396,40 +394,40 @@ logpath = /var/log/mail.log # all relevant ports get banned # -[courierauth] - -enabled = false -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s -filter = courierlogin -logpath = /var/log/mail.log - - -[sasl] - -enabled = false -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s -filter = postfix-sasl -# You might consider monitoring /var/log/mail.warn instead if you are -# running postfix since it would provide the same log lines at the -# "warn" level but overall at the smaller filesize. -logpath = /var/log/mail.log +#[courierauth] +# +#enabled = false +#port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +#filter = courierlogin +#logpath = /var/log/mail.log -[dovecot] -enabled = false -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s -filter = dovecot -logpath = /var/log/mail.log +#[sasl] +# +#enabled = false +#port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +#filter = postfix-sasl +## You might consider monitoring /var/log/mail.warn instead if you are +## running postfix since it would provide the same log lines at the +## "warn" level but overall at the smaller filesize. +#logpath = /var/log/mail.log + +#[dovecot] +# +#enabled = false +#port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +#filter = dovecot +#logpath = /var/log/mail.log # To log wrong MySQL access attempts add to /etc/my.cnf: # log-error=/var/log/mysqld.log # log-warning = 2 -[mysqld-auth] - -enabled = false -filter = mysqld-auth -port = 3306 -logpath = /var/log/mysqld.log +#[mysqld-auth] +# +#enabled = false +#filter = mysqld-auth +#port = 3306 +#logpath = /var/log/mysqld.log # DNS Servers 
@@ -466,49 +464,49 @@ logpath = /var/log/mysqld.log #filter = named-refused #logpath = /var/log/named/security.log -[named-refused-tcp] - -enabled = false -port = domain,953 -protocol = tcp -filter = named-refused -logpath = /var/log/named/security.log - -[freeswitch] - -enabled = false -filter = freeswitch -logpath = /var/log/freeswitch.log -maxretry = 10 -action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] - iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] +#[named-refused-tcp] +# +#enabled = false +#port = domain,953 +#protocol = tcp +#filter = named-refused +#logpath = /var/log/named/security.log -[ejabberd-auth] +#[freeswitch] +# +#enabled = false +#filter = freeswitch +#logpath = /var/log/freeswitch.log +#maxretry = 10 +#action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] +# iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] -enabled = false -filter = ejabberd-auth -port = xmpp-client -protocol = tcp -logpath = /var/log/ejabberd/ejabberd.log +#[ejabberd-auth] +# +#enabled = false +#filter = ejabberd-auth +#port = xmpp-client +#protocol = tcp +#logpath = /var/log/ejabberd/ejabberd.log # Multiple jails, 1 per protocol, are necessary ATM: # see https://github.com/fail2ban/fail2ban/issues/37 -[asterisk-tcp] - -enabled = false -filter = asterisk -port = 5060,5061 -protocol = tcp -logpath = /var/log/asterisk/messages - -[asterisk-udp] +#[asterisk-tcp] +# +#enabled = false +#filter = asterisk +#port = 5060,5061 +#protocol = tcp +#logpath = /var/log/asterisk/messages -enabled = false -filter = asterisk -port = 5060,5061 -protocol = udp -logpath = /var/log/asterisk/messages +#[asterisk-udp] +# +#enabled = false +#filter = asterisk +#port = 5060,5061 +#protocol = udp +#logpath = /var/log/asterisk/messages # Jail for more extended banning of persistent abusers 
@@ -516,41 +514,41 @@ logpath = /var/log/asterisk/messages # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines -[recidive] - -enabled = false -filter = recidive -logpath = /var/log/fail2ban.log -action = iptables-allports[name=recidive] - sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] -bantime = 604800 ; 1 week -findtime = 86400 ; 1 day -maxretry = 5 +#[recidive] +# +#enabled = false +#filter = recidive +#logpath = /var/log/fail2ban.log +#action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +#bantime = 604800 ; 1 week +#findtime = 86400 ; 1 day +#maxretry = 5 # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action # # Report block via blocklist.de fail2ban reporting service API # See action.d/blocklist_de.conf for more information -[ssh-blocklist] - -enabled = false -filter = sshd -action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] - blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"] -logpath = /var/log/sshd.log -maxretry = 20 +#[ssh-blocklist] +# +#enabled = false +#filter = sshd +#action = iptables[name=SSH, port=ssh, protocol=tcp] +# sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] +# blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"] +#logpath = /var/log/sshd.log +#maxretry = 20 # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe -[nagios] -enabled = false -filter = nagios -action = iptables[name=Nagios, port=5666, protocol=tcp] - sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] -logpath = /var/log/messages ; 
nrpe.cfg may define a different log_facility -maxretry = 1 +#[nagios] +#enabled = false +#filter = nagios +#action = iptables[name=Nagios, port=5666, protocol=tcp] +# sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] +#logpath = /var/log/messages ; nrpe.cfg may define a different log_facility +#maxretry = 1 # vim: filetype=dosini diff --git a/fail2ban/jail.conf.bak b/fail2ban/jail.conf.bak new file mode 100644 index 0000000..7d99912 --- /dev/null +++ b/fail2ban/jail.conf.bak 
@@ -0,0 +1,556 @@ +# Fail2Ban configuration file. +# +# This file was composed for Debian systems from the original one +# provided now under /usr/share/doc/fail2ban/examples/jail.conf +# for additional examples. +# +# Comments: use '#' for comment lines and ';' for inline comments +# +# To avoid merges during upgrades DO NOT MODIFY THIS FILE +# and rather provide your changes in /etc/fail2ban/jail.local +# + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not +# ban a host which matches an address in this list. Several addresses can be +# defined using space separator. +ignoreip = 127.0.0.1/8 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 +maxretry = 3 + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. 
+backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when reverse DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a reverse DNS lookup will be performed. +# warn: if a hostname is encountered, a reverse DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +usedns = warn + +# +# Destination email address used solely for the interpolations in +# jail.{conf,local} configuration files. +destemail = frank@brehm-online.com + +# +# Name of the sender for mta actions +sendername = Fail2Ban + +# Email address of the sender +sender = fail2ban+ns3@brehm-online.com + +# +# ACTIONS +# + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# email action. Since 0.8.1 upstream fail2ban uses sendmail +# MTA for the mailing. Change mta configuration parameter to mail +# if you want to revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# +# Action shortcuts. To be used to define action parameter + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sender="%(sender)s", sendername="%(sendername)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. 
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + +# +# JAILS +# + +# Next jails corresponds to the standard configuration in Fail2ban 0.6 which +# was shipped in Debian. Enable any defined here jail by including +# +# [SECTION_NAME] +# enabled = true + +# +# in /etc/fail2ban/jail.local. +# +# Optionally you may override any other parameter (e.g. banaction, +# action, port, logpath, etc) in that section within jail.local + +[ssh] + +enabled = true +port = ssh +filter = sshd +logpath = /var/log/syslog.d/auth.log +action = %(action_mw)s +maxretry = 6 + +[dropbear] + +enabled = false +port = ssh +filter = dropbear +logpath = /var/log/auth.log +maxretry = 6 + +# Generic filter for pam. 
Has to be used with action which bans all ports +# such as iptables-allports, shorewall +[pam-generic] + +enabled = false +# pam-generic filter can be customized to monitor specific subset of 'tty's +filter = pam-generic +# port actually must be irrelevant but lets leave it all for some possible uses +port = all +banaction = iptables-allports +port = anyport +logpath = /var/log/auth.log +maxretry = 6 + +[xinetd-fail] + +enabled = false +filter = xinetd-fail +port = all +banaction = iptables-multiport-log +logpath = /var/log/daemon.log +maxretry = 2 + + +[ssh-ddos] + +enabled = false +port = ssh +filter = sshd-ddos +logpath = /var/log/auth.log +maxretry = 6 + + +# Here we use blackhole routes for not requiring any additional kernel support +# to store large volumes of banned IPs + +[ssh-route] + +enabled = false +filter = sshd +action = route +logpath = /var/log/sshd.log +maxretry = 6 + +# Here we use a combination of Netfilter/Iptables and IPsets +# for storing large volumes of banned IPs +# +# IPset comes in two versions. See ipset -V for which one to use +# requires the ipset package and kernel support. 
+[ssh-iptables-ipset4] + +enabled = false +port = ssh +filter = sshd +banaction = iptables-ipset-proto4 +logpath = /var/log/sshd.log +maxretry = 6 + +[ssh-iptables-ipset6] + +enabled = false +port = ssh +filter = sshd +banaction = iptables-ipset-proto6 +logpath = /var/log/sshd.log +maxretry = 6 + + +# +# HTTP servers +# + +[apache] + +enabled = false +port = http,https +filter = apache-auth +logpath = /var/log/apache*/*error.log +maxretry = 6 + +# default action is now multiport, so apache-multiport jail was left +# for compatibility with previous (<0.7.6-2) releases +[apache-multiport] + +enabled = false +port = http,https +filter = apache-auth +logpath = /var/log/apache*/*error.log +maxretry = 6 + +[apache-noscript] + +enabled = false +port = http,https +filter = apache-noscript +logpath = /var/log/apache*/*error.log +maxretry = 6 + +[apache-overflows] + +enabled = false +port = http,https +filter = apache-overflows +logpath = /var/log/apache*/*error.log +maxretry = 2 + +[apache-modsecurity] + +enabled = false +filter = apache-modsecurity +port = http,https +logpath = /var/log/apache*/*error.log +maxretry = 2 + +[apache-nohome] + +enabled = false +filter = apache-nohome +port = http,https +logpath = /var/log/apache*/*error.log +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +enabled = false +port = http,https +filter = php-url-fopen +logpath = /var/www/*/logs/access_log + +# A simple PHP-fastcgi jail which works with lighttpd. 
+# If you run a lighttpd server, then you probably will +# find these kinds of messages in your error_log: +# ALERT – tried to register forbidden variable ‘GLOBALS’ +# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') + +[lighttpd-fastcgi] + +enabled = false +port = http,https +filter = lighttpd-fastcgi +logpath = /var/log/lighttpd/error.log + +# Same as above for mod_auth +# It catches wrong authentifications + +[lighttpd-auth] + +enabled = false +port = http,https +filter = suhosin +logpath = /var/log/lighttpd/error.log + +[nginx-http-auth] + +enabled = false +filter = nginx-http-auth +port = http,https +logpath = /var/log/nginx/error.log + +# Monitor roundcube server + +[roundcube-auth] + +enabled = false +filter = roundcube-auth +port = http,https +logpath = /var/log/roundcube/userlogins + + +[sogo-auth] + +enabled = false +filter = sogo-auth +port = http, https +# without proxy this would be: +# port = 20000 +logpath = /var/log/sogo/sogo.log + + +# +# FTP servers +# + +[vsftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = vsftpd +logpath = /var/log/vsftpd.log +# or overwrite it in jails.local to be +# logpath = /var/log/auth.log +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +maxretry = 6 + + +[proftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = proftpd +logpath = /var/log/proftpd/proftpd.log +maxretry = 6 + + +[pure-ftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = pure-ftpd +logpath = /var/log/syslog +maxretry = 6 + + +[wuftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = wuftpd +logpath = /var/log/syslog +maxretry = 6 + + +# +# Mail servers +# + +[postfix] + +enabled = true +port = smtp,ssmtp,submission +filter = postfix +logpath = /var/log/syslog.d/mail.log +action = %(action_mw)s + + +[couriersmtp] + +enabled = false +port = smtp,ssmtp,submission +filter = couriersmtp +logpath = 
/var/log/mail.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courierauth] + +enabled = false +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = courierlogin +logpath = /var/log/mail.log + + +[sasl] + +enabled = false +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = postfix-sasl +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = /var/log/mail.log + +[dovecot] + +enabled = false +port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +filter = dovecot +logpath = /var/log/mail.log + +# To log wrong MySQL access attempts add to /etc/my.cnf: +# log-error=/var/log/mysqld.log +# log-warning = 2 +[mysqld-auth] + +enabled = false +filter = mysqld-auth +port = 3306 +logpath = /var/log/mysqld.log + + +# DNS Servers + + +# These jails block attacks against named (bind9). By default, logging is off +# with bind9 installation. You will need something like this: +# +# logging { +# channel security_file { +# file "/var/log/named/security.log" versions 3 size 30m; +# severity dynamic; +# print-time yes; +# }; +# category security { +# security_file; +# }; +# }; +# +# in your named.conf to provide proper logging + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. 
+#[named-refused-udp] +# +#enabled = false +#port = domain,953 +#protocol = udp +#filter = named-refused +#logpath = /var/log/named/security.log + +[named-refused-tcp] + +enabled = false +port = domain,953 +protocol = tcp +filter = named-refused +logpath = /var/log/named/security.log + +[freeswitch] + +enabled = false +filter = freeswitch +logpath = /var/log/freeswitch.log +maxretry = 10 +action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] + iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] + +[ejabberd-auth] + +enabled = false +filter = ejabberd-auth +port = xmpp-client +protocol = tcp +logpath = /var/log/ejabberd/ejabberd.log + + +# Multiple jails, 1 per protocol, are necessary ATM: +# see https://github.com/fail2ban/fail2ban/issues/37 +[asterisk-tcp] + +enabled = false +filter = asterisk +port = 5060,5061 +protocol = tcp +logpath = /var/log/asterisk/messages + +[asterisk-udp] + +enabled = false +filter = asterisk +port = 5060,5061 +protocol = udp +logpath = /var/log/asterisk/messages + + +# Jail for more extended banning of persistent abusers +# !!! WARNING !!! 
+# Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +[recidive] + +enabled = false +filter = recidive +logpath = /var/log/fail2ban.log +action = iptables-allports[name=recidive] + sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +bantime = 604800 ; 1 week +findtime = 86400 ; 1 day +maxretry = 5 + +# See the IMPORTANT note in action.d/blocklist_de.conf for when to +# use this action +# +# Report block via blocklist.de fail2ban reporting service API +# See action.d/blocklist_de.conf for more information +[ssh-blocklist] + +enabled = false +filter = sshd +action = iptables[name=SSH, port=ssh, protocol=tcp] + sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] + blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"] +logpath = /var/log/sshd.log +maxretry = 20 + + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] +enabled = false +filter = nagios +action = iptables[name=Nagios, port=5666, protocol=tcp] + sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] +logpath = /var/log/messages ; nrpe.cfg may define a different log_facility +maxretry = 1 + +# vim: filetype=dosini diff --git a/fail2ban/jail.d/postfix.conf b/fail2ban/jail.d/postfix.conf new file mode 100644 index 0000000..3b1751a --- /dev/null +++ b/fail2ban/jail.d/postfix.conf @@ -0,0 +1,11 @@ + +[postfix] + +enabled = true +port = smtp,ssmtp,submission +filter = postfix +logpath = /var/log/syslog.d/mail.log +action = %(action_mw)s + + +# vim: filetype=dosini diff --git a/fail2ban/jail.d/ssh.conf b/fail2ban/jail.d/ssh.conf new file mode 100644 index 0000000..fe58df8 --- /dev/null +++ b/fail2ban/jail.d/ssh.conf 
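Review bot: jail.conf.bak is a verbatim copy of the pre-change jail.conf, which git already preserves in history, so the file adds only noise; fail2ban reads jail.conf, jail.local and jail.d/*.conf and ignores a `.bak` suffix, so it is inert, but it still shows `[ssh]` and `[postfix]` as `enabled = true` with the `/var/log/syslog.d/` paths and can mislead the next person who edits it. I would drop it, and `default/locale.bak` from the same commit for the same reason.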
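Review bot: The jail reads `logpath = /var/log/syslog.d/mail.log`, a non-default location, and as far as I can tell nothing in this commit adds the syslog rule that writes it; fail2ban refuses to start a jail whose logpath matches no file, so the rsyslog configuration should be committed alongside (the same applies to `/var/log/syslog.d/auth.log` in jail.d/ssh.conf in the next hunk). `action = %(action_mw)s` mails a whois report to `destemail` for every ban, and with the DEFAULT `maxretry = 3` / `findtime = 600` on a public SMTP port that can be a lot of mail; if the reports are only wanted for ssh, `%(action_)s` here keeps the ban without the mail.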
@@ -0,0 +1,12 @@ + +[ssh] + +enabled = true +port = ssh +filter = sshd +logpath = /var/log/syslog.d/auth.log +action = %(action_mw)s +maxretry = 6 + + +# vim: filetype=dosini diff --git a/group b/group index d5ee13f..fd3f113 100644 --- a/group +++ b/group @@ -49,3 +49,5 @@ ssh:x:109: ssl-cert:x:110: postfix:x:111: postdrop:x:112: +mlocate:x:113: +bind:x:114: diff --git a/group- b/group- index 8d72bbb..7b19737 100644 --- a/group- +++ b/group- @@ -48,3 +48,5 @@ netdev:x:108: ssh:x:109: ssl-cert:x:110: postfix:x:111: +postdrop:x:112: +mlocate:x:113: diff --git a/gshadow b/gshadow index 8231bfe..b8081b7 100644 --- a/gshadow +++ b/gshadow @@ -49,3 +49,5 @@ ssh:!:: ssl-cert:!:: postfix:!:: postdrop:!:: +mlocate:!:: +bind:!:: diff --git a/gshadow- b/gshadow- index 5d8a251..70a179a 100644 --- a/gshadow- +++ b/gshadow- @@ -48,3 +48,5 @@ netdev:!:: ssh:!:: ssl-cert:!:: postfix:!:: +postdrop:!:: +mlocate:!:: diff --git a/hosts b/hosts index 1d6bb2e..4564856 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,5 @@ 127.0.0.1 localhost -127.0.1.1 builder.gridserver.io builder +127.0.1.1 ns3.uhu-banane.de ns3 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback diff --git a/init.d/bind9 b/init.d/bind9 new file mode 100755 index 0000000..d38986f --- /dev/null +++ b/init.d/bind9 
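Review bot: The gshadow and gshadow- hunks put group shadow data under version control; every entry added here carries `!` (no group password), so nothing secret lands in this commit, but if a group ever gets a password its hash would end up in the repository history, and the files' 0640 root:shadow mode is not something plain git records. Unless this tree is managed by etckeeper (which stores the metadata), a `.gitignore` entry for `gshadow*` (and `shadow*`) is worth considering.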
@@ -0,0 +1,145 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides: bind9
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $network $syslog
+# Should-Stop: $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop bind9
+# Description: bind9 is a Domain Name Server (DNS)
+# which translates ip addresses to and from internet names
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# for a chrooted server: "-u bind -t /var/lib/named"
+# Don't modify this line, change or create /etc/default/bind9.
+OPTIONS=""
+RESOLVCONF=no
+
+test -f /etc/default/bind9 && . /etc/default/bind9
+
+test -x /usr/sbin/rndc || exit 0
+
+. /lib/lsb/init-functions
+PIDFILE=/var/run/named/named.pid
+
+check_network() {
+ if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
+ IFCONFIG_OPTS="-au"
+ else
+ IFCONFIG_OPTS=""
+ fi
+ if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
+ #log_action_msg "No networks configured."
+ return 1
+ fi
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting domain name service..." "bind9"
+
+ modprobe capability >/dev/null 2>&1 || true
+
+ # dirs under /var/run can go away on reboots.
+ mkdir -p /var/run/named
+ chmod 775 /var/run/named
+ chown root:bind /var/run/named >/dev/null 2>&1 || true
+
+ if [ ! -x /usr/sbin/named ]; then
+ log_action_msg "named binary missing - not starting"
+ log_end_msg 1
+ fi
+
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS; then
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
+ fi
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping domain name service..." "bind9"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d lo.named
+ fi
+ pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}') || true
+ if [ -z "$pid" ]; then # no pid found, so either not running, or error
+ pid=$(pgrep -f ^/usr/sbin/named) || true
+ start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS
+ fi
+ if [ -n "$pid" ]; then
+ sig=0
+ n=1
+ while kill -$sig $pid 2>/dev/null; do
+ if [ $n -eq 1 ]; then
+ echo "waiting for pid $pid to die"
+ fi
+ if [ $n -eq 11 ]; then
+ echo "giving up on pid $pid with kill -0; trying -9"
+ sig=9
+ fi
+ if [ $n -gt 20 ]; then
+ echo "giving up on pid $pid"
+ break
+ fi
+ n=$(($n+1))
+ sleep 1
+ done
+ fi
+ log_end_msg 0
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading domain name service..." "bind9"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ /usr/sbin/rndc reload >/dev/null && log_end_msg 0 || log_end_msg 1
+ ;;
+
+ restart)
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ exit 1
+ fi
+
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ ret=0
+ status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
+ exit $ret
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/inittabminion b/inittabminion
new file mode 100644
index 0000000..ddc59b8
--- /dev/null
+++ b/inittabminion
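Review bot: In the `start)` arm the two failure paths ("named binary missing", "no networks configured") call `log_end_msg 1` but never leave the arm, so they only stop the script because `#!/bin/sh -e` turns log_end_msg's non-zero return into an exit; invoked as `sh /etc/init.d/bind9 start` (no `-e`) the script falls through and still runs start-stop-daemon. An explicit `exit 1` after each `log_end_msg 1` (and after the one in `reload|force-reload`) removes that dependency on the shebang. In `stop)`, the fallback `pgrep -f ^/usr/sbin/named` is an unanchored prefix match, so it would also pick up e.g. a running `/usr/sbin/named-checkzone` and the kill loop would signal it; `pid=$(pgrep -f '^/usr/sbin/named( |$)') || true` restricts it to the daemon itself.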
@@ -0,0 +1,69 @@ +# /etc/inittab: init(8) configuration. +# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ + +# The default runlevel. +id:2:initdefault: + +# Boot-time system configuration/initialization script. +# This is run first except when booting in emergency (-b) mode. +si::sysinit:/etc/init.d/rcS + +# What to do in single-user mode. +~~:S:wait:/sbin/sulogin + +# /etc/init.d executes the S and K scripts upon change +# of runlevel. +# +# Runlevel 0 is halt. +# Runlevel 1 is single-user. +# Runlevels 2-5 are multi-user. +# Runlevel 6 is reboot. + +l0:0:wait:/etc/init.d/rc 0 +l1:1:wait:/etc/init.d/rc 1 +l2:2:wait:/etc/init.d/rc 2 +l3:3:wait:/etc/init.d/rc 3 +l4:4:wait:/etc/init.d/rc 4 +l5:5:wait:/etc/init.d/rc 5 +l6:6:wait:/etc/init.d/rc 6 +# Normally not reached, but fallthrough in case of emergency. +z6:6:respawn:/sbin/sulogin + +# What to do when CTRL-ALT-DEL is pressed. +ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now + +# Action on special keypress (ALT-UpArrow). +#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work." + +# What to do when the power fails/returns. +pf::powerwait:/etc/init.d/powerfail start +pn::powerfailnow:/etc/init.d/powerfail now +po::powerokwait:/etc/init.d/powerfail stop + +# /sbin/getty invocations for the runlevels. +# +# The "id" field MUST be the same as the last +# characters of the device (after "tty"). +# +# Format: +# ::: +# +# Note that on most Debian systems tty7 is used by the X Window System, +# so if you want to add more getty's go ahead but skip tty7 if you run X. 
+# +1:2345:respawn:/sbin/getty --noclear 38400 tty1 +2:23:respawn:/sbin/getty 38400 tty2 +3:23:respawn:/sbin/getty 38400 tty3 +4:23:respawn:/sbin/getty 38400 tty4 +5:23:respawn:/sbin/getty 38400 tty5 +6:23:respawn:/sbin/getty 38400 tty6 + +# Example how to put a getty on a serial line (for a terminal) +# +#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 +#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100 + +# Example how to put a getty on a modem line. +# +#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3 + diff --git a/lftp.conf b/lftp.conf new file mode 100644 index 0000000..a14796c --- /dev/null +++ b/lftp.conf 
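Review bot: The file is the stock Debian `/etc/inittab` stored under the non-standard name `inittabminion`, and nothing in it says what installs it or why it is kept separately from the host's live inittab; the `$Id:` header refers to the upstream sysvinit template, not to this copy. A one-line header such as `# Managed by config management: installed as /etc/inittab on minion hosts` (matching the wording the postfix and smtp_auth files in this commit use) would tell the next reader how it is deployed—presumably by the same config management, but that is inferred, not stated.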
@@ -0,0 +1,94 @@ +## some useful aliases +alias dir ls +alias less more +alias zless zmore +alias bzless bzmore +alias reconnect "close; cache flush; cd ." +alias edit "eval -f \"get $0 -o ~/.lftp/edit.tmp.$$ && shell \\\"cp -p ~/.lftp/edit.tmp.$$ ~/.lftp/edit.tmp.$$.orig && $EDITOR ~/.lftp/edit.tmp.$$ && test ~/.lftp/edit.tmp.$$ -nt ~/.lftp/edit.tmp.$$.orig\\\" && put ~/.lftp/edit.tmp.$$ -o $0; shell rm -f ~/.lftp/edit.tmp.$$*\"" + +## make prompt look better +set prompt "lftp \S\? \u\@\h:\w> " +## some may prefer colors (contributed by Matthew ) +#set prompt "\[\e[1;30m\][\[\e[0;34m\]f\[\e[1m\]t\[\e[37m\]p\[\e[30m\]] \[\e[34m\]\u\[\e[0;34m\]\@\[\e[1m\]\h\[\e[1;30m\]:\[\e[1;34m\]\w\[\e[1;30m\]>\[\e[0m\] " +## Uncomment the following two lines to make switch cls and ls, making +## cls the default. +#alias ls command cls +#alias hostls command ls + +## default protocol selection +#set default-protocol/ftp.* ftp +#set default-protocol/www.* http +#set default-protocol/localhost file + +## this makes lftp faster but doesn't work with some sites/routers +#set ftp:sync-mode off + +## synchronous mode for broken servers and/or routers +set sync-mode/ftp.idsoftware.com on +set sync-mode/ftp.microsoft.com on +set sync-mode/sunsolve.sun.com on +## extended regex to match first server message for automatic sync-mode. +set auto-sync-mode "icrosoft FTP Service|MadGoat|MikroTik" + +## if default ftp passive mode does not work, try this: +# set ftp:passive-mode off + +## Set this to follow http redirections +set xfer:max-redirections 10 + +## Proxy can help to pass a firewall +## Environment variables ftp_proxy, http_proxy and no_proxy are used to +## initialize the below variables automatically. You can set them here too. +## +## ftp:proxy must communicate with client over ftp protocol, squid won't do. +## This can be e.g. TIS-FWTK or rftpd. User and password are optional. 
+# set ftp:proxy ftp://[user:pass@]your_ftp_proxy:port +## ...but squid still can be used to access ftp servers, using hftp protocol: +# set ftp:proxy http://your.squid.address:port +## ...if squid allows CONNECT to arbitrary ports, then you can use CONNECT +## instead of hftp: +# set ftp:use-hftp no +## +## no proxy for host +# set ftp:proxy/local_host "" +## or domain +# set ftp:proxy/*.domain.com ... +## +## http:proxy must communicate with client over http protocol, e.g. squid. +## Default port is 3128. +# set http:proxy your_http_proxy[:port] +## hftp:proxy must also be an http proxy. It is used for FTP over HTTP access. +# set hftp:proxy your_http_proxy[:port] +## +## net:no-proxy disables proxy usage for list of domains. +# set net:no-proxy .domain.com,.otherdom.net + +## If you don't have direct ftp access, this setting can be useful to select +## hftp instead of ftp automatically. +# set ftp:proxy http://your.http.proxy:port + +## This can be used for automatic saving of configuration +# set at-exit "set > ~/.lftp/settings" +# source ~/.lftp/settings + +## and this is for remembring last site +## (combine with previous rule if you want) +# set at-exit "bo a last" +# open last + +## Terminal strings to set titlebars for terminals that don't +## properly specify tsl and fsl capabilities. +## Use cmd:set-term-status to enable this. +set cmd:term-status/*screen* "\e_\T\e\\" +set cmd:term-status/*xterm* "\e[11;0]\e]2;\T\007\e[11]" +set cmd:term-status/*rxvt* "\e[11;0]\e]2;\T\007\e[11]" +# set cmd:set-term-status on + +## If you don't like advertising lftp or servers hate it, set this: +# set ftp:anon-pass "mozilla@" +# set ftp:client "" +# set http:user-agent "Mozilla/4.7 [en] (WinNT; I)" + +# try inet6 before inet +set dns:order "inet6 inet" + diff --git a/logrotate.d/bind b/logrotate.d/bind new file mode 100644 index 0000000..75637e8 --- /dev/null +++ b/logrotate.d/bind 
@@ -0,0 +1,35 @@
+/var/log/bind/complete-debug.log /var/log/bind/debug.log /var/log/bind/query.log /var/log/bind/security.log {
+ daily
+ olddir /var/log/bind/.old
+ dateext
+ size 4M
+ rotate 10
+ notifempty
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/sbin/rndc reload
+ endscript
+}
+
+/var/log/bind/named.log {
+ daily
+ olddir /var/log/bind/.old
+ dateext
+ size 10M
+ rotate 20
+ notifempty
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/sbin/rndc reload
+ endscript
+}
+
+
+# vim: ts=4 filetype=conf
+
diff --git a/logrotate.d/chrony b/logrotate.d/chrony
index 68f4518..5b3758e 100644
--- a/logrotate.d/chrony
+++ b/logrotate.d/chrony
@@ -5,13 +5,11 @@
 notifempty
 compress
 delaycompress
+ dateext
+ size 4M
 sharedscripts
 create 644
 postrotate
- PASSWORD=`awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys`
- cat << EOF | /usr/bin/chronyc | sed '/^200 OK$/d'
- password $PASSWORD
- cyclelogs
- EOF
+ /usr/local/bin/rotate-chrony
 endscript
 }
diff --git a/logrotate.d/rsyslog b/logrotate.d/rsyslog
index c86adeb..814421a 100644
--- a/logrotate.d/rsyslog
+++ b/logrotate.d/rsyslog
@@ -52,7 +52,7 @@ olddir /var/log/syslog.d/.old
 sharedscripts
 postrotate
- reload rsyslog >/dev/null 2>&1 || true
+ invoke-rc.d rsyslog rotate > /dev/null
 endscript
 }
diff --git a/logrotate.d/salt-common b/logrotate.d/salt-common
index 3cd0023..79ae46c 100644
--- a/logrotate.d/salt-common
+++ b/logrotate.d/salt-common
@@ -1,23 +1,29 @@
 /var/log/salt/master {
 weekly
 missingok
+ dateext
 rotate 7
 compress
 notifempty
+ size +1M
 }
 /var/log/salt/minion {
 weekly
 missingok
+ dateext
 rotate 7
 compress
 notifempty
+ size +1M
 }
 /var/log/salt/key {
 weekly
 missingok
+ dateext
 rotate 7
 compress
 notifempty
+ size +1M
 }
diff --git a/modules-load.d/modules.conf b/modules-load.d/modules.conf
deleted file mode 120000
index 464b823..0000000
--- a/modules-load.d/modules.conf
+++ /dev/null
@@ -1 +0,0 @@
-../modules
\ No newline at end of file
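Review bot: `daily` and `size 4M` in the same stanza do not combine the way the names suggest: in logrotate `size` is mutually exclusive with the time-interval keywords and the keyword given last wins, so both bind stanzas rotate only once the file exceeds 4M (resp. 10M), however old it is. If the intent is "daily, or sooner when large", use `maxsize 4M` and `maxsize 10M` instead. The same applies to the `size 4M` added to logrotate.d/chrony (that stanza's interval keyword is outside the hunk) and to `size +1M` next to `weekly` in logrotate.d/salt-common, where the leading `+` is also not the documented form—confirm this logrotate version accepts it, or write `maxsize 1M`.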
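Review bot: The new postrotate line calls `/usr/local/bin/rotate-chrony`, which this commit does not add, so unless it ships separately logrotate reports an error on every run and chronyd keeps writing to the already-renamed log because `cyclelogs` is never sent. Moving the key lookup out of the logrotate config is the right direction (the removed lines read the chrony key into a shell variable and piped it to chronyc); the replacement script should be committed alongside, and the postrotate guarded with `test -x /usr/local/bin/rotate-chrony && /usr/local/bin/rotate-chrony` so a missing helper fails visibly rather than silently leaving logs open.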
diff --git a/network/if-down.d/bind9 b/network/if-down.d/bind9 new file mode 100755 index 0000000..68a02c6 --- /dev/null +++ b/network/if-down.d/bind9 @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when an interface disconnects +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 & + +exit 0 diff --git a/network/if-up.d/bind9 b/network/if-up.d/bind9 new file mode 100755 index 0000000..d17195a --- /dev/null +++ b/network/if-up.d/bind9 @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when a new interface comes up +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 & + +exit 0 diff --git a/passwd b/passwd index c3531a0..97d87f0 100644 --- a/passwd +++ b/passwd @@ -22,3 +22,4 @@ systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin postfix:x:105:111::/var/spool/postfix:/bin/false +bind:x:106:114:Bind daemon user,,,:/var/cache/bind:/bin/false diff --git a/passwd- b/passwd- index c3531a0..bf24283 100644 --- a/passwd- +++ b/passwd- @@ -22,3 +22,4 @@ systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin postfix:x:105:111::/var/spool/postfix:/bin/false +bind:x:106:114::/var/cache/bind:/bin/false diff --git a/postfix/main-new.cf b/postfix/main-new.cf new file mode 100644 index 0000000..8869e13 --- /dev/null +++ b/postfix/main-new.cf 
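Review bot: This fifteen-line hook is committed four times—`network/if-down.d/bind9`, `network/if-up.d/bind9`, and the identical `ppp/ip-down.d/bind9` and `ppp/ip-up.d/bind9` later in the commit—differing only in the header comment; keeping one copy and symlinking the others stops them drifting apart. Within the script, `rndc reconfig >/dev/null 2>&1 &` is backgrounded with all output discarded, so the `-e` in the shebang never observes a failure and an rndc key or control-channel problem goes unnoticed; `(rndc reconfig >/dev/null 2>&1 || logger -t bind9-hook "rndc reconfig failed") &` keeps the non-blocking behaviour while leaving a trace in syslog.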
@@ -0,0 +1,99 @@ +# Managed by config management +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP Frank Brehms Mail Service $mail_name ($mail_version) (Debian/GNU) +biff = no + + +# appending .domain is the MUA's job. +append_dot_mydomain = yes + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no +# SASL parameters (http://www.postfix.org/SASL_README.html) +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = smtpd +smtpd_sasl_type = cyrus +smtpd_sasl_local_domain = $myhostname +smtpd_sasl_security_options = + noanonymous, + noplaintext, +smtpd_sasl_tls_security_options = + noanonymous, +smtpd_tls_auth_only = no +# TLS parameters (http://www.postfix.org/TLS_README.html) +# Recipient settings +smtpd_use_tls = yes +smtpd_tls_loglevel = 1 +smtpd_tls_security_level = may +smtpd_tls_cert_file = /etc/postfix/postfix.pem +smtpd_tls_key_file = /etc/postfix/postfix.pem +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_mandatory_ciphers = high +smtpd_tls_mandatory_exclude_ciphers = + aNULL, + MD5, +smtpd_tls_mandatory_protocols = + !SSLv2, + !SSLv3, +tls_preempt_cipherlist = yes +# Relay/Sender settings +smtp_tls_loglevel = 1 +smtp_tls_security_level = may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtpd_tls_received_header = yes +smtpd_tls_session_cache_timeout = 3600s + +myhostname = ns3.uhu-banane.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = + ns3.uhu-banane.de, + ns3.brehm-online.com, + localhost.uhu-banane.de, + localhost, + localhost.localdomain, +relayhost = [mail.brehm-online.com] +mynetworks = + 127.0.0.0/8, + [::ffff:127.0.0.0]/104, + [::1]/128, + 
185.102.95.107/32, + 2a06:2380:0:1::3a/128, + fe80::1c4a:7fff:fe34:7101/128, +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = loopback-only +inet_protocols = all + +message_size_limit = 41943040 + +smtpd_relay_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + defer_unauth_destination, +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination, +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_tls_enforce_peername = no +smtp_tls_key_file = /etc/postfix/postfix.pem +smtp_tls_cert_file = /etc/postfix/postfix.pem +smtp_use_tls = yes +smtp_sasl_security_options = noanonymous +smtp_sasl_auth_enable = yes +smtp_tls_CApath = + +unknown_local_recipient_reject_code = 550 + +# vim: filetype=pfmain diff --git a/postfix/main.cf b/postfix/main.cf index 9c72183..2cdcfdf 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -1,14 +1,16 @@ +# Managed by config management # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. -#myorigin = /etc/mailname +myorigin = /etc/mailname -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +smtpd_banner = $myhostname ESMTP Frank Brehms Mail Service $mail_name ($mail_version) (Debian/GNU) biff = no + # appending .domain is the MUA's job. append_dot_mydomain = yes 
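Review bot: `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` names a map that this commit does not ship; the live `postfix/main.cf` (next file) and the committed `postfix/smtp_auth` use `hash:/etc/postfix/smtp_auth`, so whichever of the two configs is installed last decides whether relay authentication works at all. Beyond the path, both files let the relay credential travel in the clear: `smtp_tls_security_level = may` is opportunistic and `smtp_sasl_security_options = noanonymous` still permits PLAIN/LOGIN without TLS, so a failed or stripped STARTTLS to `[mail.brehm-online.com]` falls back to plaintext authentication. Setting `smtp_sasl_security_options = noanonymous, noplaintext` together with `smtp_sasl_tls_security_options = noanonymous` (or `smtp_tls_security_level = encrypt`, given the single relayhost) keeps the password off the wire. Finally, `main-new.cf` duplicates `main.cf` almost line for line; if it is a staging copy it should not live in the repository next to the live file.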
@@ -16,42 +18,82 @@ append_dot_mydomain = yes #delay_warning_time = 4h readme_directory = no - -# TLS parameters +# SASL parameters (http://www.postfix.org/SASL_README.html) +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = smtpd +smtpd_sasl_type = cyrus +smtpd_sasl_local_domain = $myhostname +smtpd_sasl_security_options = + noanonymous, + noplaintext, +smtpd_sasl_tls_security_options = + noanonymous, +smtpd_tls_auth_only = no +# TLS parameters (http://www.postfix.org/TLS_README.html) +# Recipient settings +smtpd_use_tls = yes +smtpd_tls_loglevel = 1 +smtpd_tls_security_level = may smtpd_tls_cert_file = /etc/postfix/postfix.pem smtpd_tls_key_file = /etc/postfix/postfix.pem -smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_mandatory_ciphers = high +smtpd_tls_mandatory_exclude_ciphers = + aNULL, + MD5, +smtpd_tls_mandatory_protocols = + !SSLv2, + !SSLv3, +tls_preempt_cipherlist = yes +# Relay/Sender settings +smtp_tls_loglevel = 1 +smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtpd_tls_received_header = yes +smtpd_tls_session_cache_timeout = 3600s -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. 
- -smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = ns3.uhu-banane.de alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = ns3.uhu-banane.de, ns3.brehm-online.com, localhost.uhu-banane.de, localhost +mydestination = + ns3.uhu-banane.de, + ns3.brehm-online.com, + localhost.uhu-banane.de, + localhost, + localhost.localdomain, relayhost = [mail.brehm-online.com] -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 185.102.95.107/32 2a06:2380:0:1::3a/128 +mynetworks = + 127.0.0.0/8, + [::ffff:127.0.0.0]/104, + [::1]/128, + 185.102.95.107/32, + 2a06:2380:0:1::3a/128, + fe80::1c4a:7fff:fe34:7101/128, mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + -# inet_interfaces = loopback-only +inet_interfaces = loopback-only inet_protocols = all -mydomain = uhu-banane.de -smtp_sasl_auth_enable = yes + +message_size_limit = 41943040 + +smtpd_relay_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + defer_unauth_destination, +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination, smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth -smtp_sasl_security_options = noanonymous -smtp_tls_cert_file = /etc/postfix/postfix.pem smtp_tls_enforce_peername = no smtp_tls_key_file = /etc/postfix/postfix.pem +smtp_tls_cert_file = /etc/postfix/postfix.pem smtp_use_tls = yes -smtpd_sasl_auth_enable = yes -smtpd_sasl_local_domain = $myhostname -smtpd_sasl_security_options = noanonymous -smtpd_tls_loglevel = 1 -smtpd_tls_received_header = yes -smtpd_tls_session_cache_timeout = 3600s +smtp_sasl_security_options = noanonymous +smtp_sasl_auth_enable = yes +smtp_tls_CApath = + unknown_local_recipient_reject_code = 550 + +# vim: filetype=pfmain diff --git a/postfix/main.cf.bak b/postfix/main.cf.bak new file mode 100644 index 0000000..9c72183 --- /dev/null 
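Review bot: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` and `smtpd_tls_mandatory_ciphers = high` only apply when `smtpd_tls_security_level` is `encrypt`; with the `may` level set a few lines above, the opportunistic parameters `smtpd_tls_protocols` and `smtpd_tls_ciphers` govern inbound STARTTLS, so whether SSLv3 is still negotiable depends on the installed Postfix version's default for those. Adding `smtpd_tls_protocols = !SSLv2, !SSLv3` next to the mandatory line makes the exclusion effective for the level actually in use. The legacy `smtpd_use_tls = yes`, `smtp_use_tls = yes` and `smtp_tls_enforce_peername = no` are superseded by the `*_tls_security_level` parameters also set here and are ignored once those are present, so they are dead configuration that misleadingly suggests peer-name checking is being controlled; drop them, and either give `smtp_tls_CApath` a value or remove the empty assignment.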
+++ b/postfix/main.cf.bak 
@@ -0,0 +1,57 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = yes + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file = /etc/postfix/postfix.pem +smtpd_tls_key_file = /etc/postfix/postfix.pem +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = ns3.uhu-banane.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = ns3.uhu-banane.de, ns3.brehm-online.com, localhost.uhu-banane.de, localhost +relayhost = [mail.brehm-online.com] +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 185.102.95.107/32 2a06:2380:0:1::3a/128 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +# inet_interfaces = loopback-only +inet_protocols = all +mydomain = uhu-banane.de +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth +smtp_sasl_security_options = noanonymous +smtp_tls_cert_file = /etc/postfix/postfix.pem +smtp_tls_enforce_peername = no +smtp_tls_key_file = /etc/postfix/postfix.pem +smtp_use_tls = yes +smtpd_sasl_auth_enable = yes +smtpd_sasl_local_domain = $myhostname +smtpd_sasl_security_options = noanonymous +smtpd_tls_loglevel = 1 +smtpd_tls_received_header 
= yes
+smtpd_tls_session_cache_timeout = 3600s
+unknown_local_recipient_reject_code = 550
diff --git a/postfix/mkpostfixcert b/postfix/mkpostfixcert
index 9a2522b..067735c 100755
--- a/postfix/mkpostfixcert
+++ b/postfix/mkpostfixcert
@@ -11,30 +11,30 @@ pemfile="/etc/postfix/postfix.pem"
 randfile="/etc/postfix/postfix.rand"
 conffile="/etc/postfix/postfix-cert.cnf"
-if [ -f $pemfile ]; then
- echo "$pemfile already exists."
+if [[ -f "${pemfile}" ]]; then
+ echo "${pemfile} already exists."
 exit 1
 fi
-if [ ! -f $conffile ] ; then
- echo "$conffile does not exists!"
+if [[ ! -f "${conffile}" [] ; then
+ echo "${conffile} does not exists!"
 exit 2
 fi
-cp /dev/null $pemfile
-chmod 600 $pemfile
-chown root $pemfile
+cp /dev/null "${pemfile}"
+chmod 600 "${pemfile}"
+chown root "${pemfile}"
 cleanup() {
- rm -f $pemfile
- rm -f $randfile
+ rm -f "${pemfile}"
+ rm -f "${randfile}"
 exit 1
 }
-dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+dd if=/dev/urandom of="${randfile}" count=1 2>/dev/null
 /usr/bin/openssl req -new -x509 -days 3650 -nodes \
- -config $conffile -out $pemfile -keyout $pemfile || cleanup
-/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
-/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
-rm -f $randfile
+ -config "${conffile}" -out "${pemfile}" -keyout "${pemfile}" || cleanup
+/usr/bin/openssl gendh -rand "${randfile}" 512 >> "${pemfile}" || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in "${pemfile}" || cleanup
+rm -f "${randfile}"
diff --git a/postfix/postfix-cert.cnf b/postfix/postfix-cert.cnf
index c0f0cfc..f5ecad0 100644
--- a/postfix/postfix-cert.cnf
+++ b/postfix/postfix-cert.cnf
@@ -1,4 +1,3 @@
-
 RANDFILE = /usr/share/postfix.rand
 [ req ]
@@ -21,3 +20,4 @@ emailAddress=postmaster@brehm-online.com
 [ cert_type ]
 nsCertType = server
+# vim: filetype=dosini
diff --git a/postfix/postfix-cert.cnf.bak b/postfix/postfix-cert.cnf.bak
new file mode 100644
index 0000000..c0f0cfc
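Review bot: `if [[ ! -f "${conffile}" [] ; then` is a syntax error—`[]` where `]]` was meant—so the rewritten script now aborts before generating anything; the line should read `if [[ ! -f "${conffile}" ]]; then`. `[[ … ]]` is also a bash construct and the interpreter line is outside the hunk, so confirm the shebang is bash rather than sh. Kept on the new side, `openssl gendh -rand "${randfile}" 512` appends 512-bit DH parameters, far below the 2048-bit floor expected today, and `gendh` is a legacy command; `openssl dhparam 2048` is the replacement, or omit the step on Postfix versions that ship their own parameters. The certificate is generated from `postfix-cert.cnf`, whose `default_bits = 1024` (visible in the `.bak` copy, which is the same blob as the pre-change file, and untouched by the cnf hunks) should be raised to 2048 in the same change.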
--- /dev/null +++ b/postfix/postfix-cert.cnf.bak @@ -0,0 +1,23 @@ + +RANDFILE = /usr/share/postfix.rand + +[ req ] +default_bits = 1024 +encrypt_key = yes +distinguished_name = req_dn +x509_extensions = cert_type +prompt = no + +[ req_dn ] +C=DE +ST=Berlin +L=Berlin +O=Frank Brehm +OU=Mail Server Postfix SSL key +CN=ns3.uhu-banane.de +emailAddress=postmaster@brehm-online.com + + +[ cert_type ] +nsCertType = server + diff --git a/postfix/smtp_auth b/postfix/smtp_auth index 8d104f5..9b59a07 100644 --- a/postfix/smtp_auth +++ b/postfix/smtp_auth @@ -1,2 +1,9 @@ -mail.brehm-online.com vmail:uhu +# Managed by config management +# Don't change it manually +# + +mail.brehm-online.com vmail:uhu helga-six.brehm-online.com vmail:uhu + + +# vim: syntax=conf ts=8 diff --git a/postfix/smtp_auth.db b/postfix/smtp_auth.db index 76e88dcc341a8dc2bc8587c8b05fdd8e4aa20811..65fa8278430737a7f61950f041120e4856d8eefe 100644 GIT binary patch delta 37 lcmZojXh@h~!)AM=^52oGlmGFHZ;X5_kKl@Jj!;;^4**-L5*7de delta 37 lcmZojXh@h~!&b4yTkY* diff --git a/ppp/ip-down.d/bind9 b/ppp/ip-down.d/bind9 new file mode 100755 index 0000000..68a02c6 --- /dev/null +++ b/ppp/ip-down.d/bind9 @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when an interface disconnects +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 & + +exit 0 diff --git a/ppp/ip-up.d/bind9 b/ppp/ip-up.d/bind9 new file mode 100755 index 0000000..d17195a --- /dev/null +++ b/ppp/ip-up.d/bind9 @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when a new interface comes up +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 & + +exit 0 diff --git a/rc0.d/K02bind9 b/rc0.d/K02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null 
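Review bot: `postfix/smtp_auth` carries the SMTP relay credential in plaintext (the same one for both relay hosts) and is committed to version control together with its compiled `smtp_auth.db`, so anyone with read access to the repository history can authenticate to the relay as that user. Keep only a template in the repository and fill the password from the config-management secret store at deploy time, installing the result with mode 600 as the Postfix SASL_README recommends for password maps; rotate the credential now that it has been committed, since removing the line does not remove it from history.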
+++ b/rc0.d/K02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc0.d/K02sendsigs b/rc0.d/K03sendsigs similarity index 100% rename from rc0.d/K02sendsigs rename to rc0.d/K03sendsigs diff --git a/rc0.d/K03rsyslog b/rc0.d/K04rsyslog similarity index 100% rename from rc0.d/K03rsyslog rename to rc0.d/K04rsyslog diff --git a/rc0.d/K04hwclock.sh b/rc0.d/K05hwclock.sh similarity index 100% rename from rc0.d/K04hwclock.sh rename to rc0.d/K05hwclock.sh diff --git a/rc0.d/K04umountnfs.sh b/rc0.d/K05umountnfs.sh similarity index 100% rename from rc0.d/K04umountnfs.sh rename to rc0.d/K05umountnfs.sh diff --git a/rc0.d/K05networking b/rc0.d/K06networking similarity index 100% rename from rc0.d/K05networking rename to rc0.d/K06networking diff --git a/rc0.d/K06umountfs b/rc0.d/K07umountfs similarity index 100% rename from rc0.d/K06umountfs rename to rc0.d/K07umountfs diff --git a/rc0.d/K07umountroot b/rc0.d/K08umountroot similarity index 100% rename from rc0.d/K07umountroot rename to rc0.d/K08umountroot diff --git a/rc0.d/K08halt b/rc0.d/K09halt similarity index 100% rename from rc0.d/K08halt rename to rc0.d/K09halt diff --git a/rc1.d/K02bind9 b/rc1.d/K02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc1.d/K02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc1.d/K03rsyslog b/rc1.d/K04rsyslog similarity index 100% rename from rc1.d/K03rsyslog rename to rc1.d/K04rsyslog diff --git a/rc2.d/S02bind9 b/rc2.d/S02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc2.d/S02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc2.d/S02chrony b/rc2.d/S03chrony similarity index 100% rename from rc2.d/S02chrony rename to rc2.d/S03chrony diff --git a/rc2.d/S02cron b/rc2.d/S03cron similarity index 100% rename from rc2.d/S02cron rename to rc2.d/S03cron 
diff --git a/rc2.d/S02postfix b/rc2.d/S03postfix similarity index 100% rename from rc2.d/S02postfix rename to rc2.d/S03postfix diff --git a/rc2.d/S02rsync b/rc2.d/S03rsync similarity index 100% rename from rc2.d/S02rsync rename to rc2.d/S03rsync diff --git a/rc3.d/S02bind9 b/rc3.d/S02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc3.d/S02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc3.d/S02chrony b/rc3.d/S03chrony similarity index 100% rename from rc3.d/S02chrony rename to rc3.d/S03chrony diff --git a/rc3.d/S02cron b/rc3.d/S03cron similarity index 100% rename from rc3.d/S02cron rename to rc3.d/S03cron diff --git a/rc3.d/S02postfix b/rc3.d/S03postfix similarity index 100% rename from rc3.d/S02postfix rename to rc3.d/S03postfix diff --git a/rc3.d/S02rsync b/rc3.d/S03rsync similarity index 100% rename from rc3.d/S02rsync rename to rc3.d/S03rsync diff --git a/rc4.d/S02bind9 b/rc4.d/S02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc4.d/S02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc4.d/S02chrony b/rc4.d/S03chrony similarity index 100% rename from rc4.d/S02chrony rename to rc4.d/S03chrony diff --git a/rc4.d/S02cron b/rc4.d/S03cron similarity index 100% rename from rc4.d/S02cron rename to rc4.d/S03cron diff --git a/rc4.d/S02postfix b/rc4.d/S03postfix similarity index 100% rename from rc4.d/S02postfix rename to rc4.d/S03postfix diff --git a/rc4.d/S02rsync b/rc4.d/S03rsync similarity index 100% rename from rc4.d/S02rsync rename to rc4.d/S03rsync diff --git a/rc5.d/S02bind9 b/rc5.d/S02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc5.d/S02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc5.d/S02chrony b/rc5.d/S03chrony similarity index 100% rename from rc5.d/S02chrony rename to rc5.d/S03chrony 
diff --git a/rc5.d/S02cron b/rc5.d/S03cron similarity index 100% rename from rc5.d/S02cron rename to rc5.d/S03cron diff --git a/rc5.d/S02postfix b/rc5.d/S03postfix similarity index 100% rename from rc5.d/S02postfix rename to rc5.d/S03postfix diff --git a/rc5.d/S02rsync b/rc5.d/S03rsync similarity index 100% rename from rc5.d/S02rsync rename to rc5.d/S03rsync diff --git a/rc6.d/K02bind9 b/rc6.d/K02bind9 new file mode 120000 index 0000000..63fcfdd --- /dev/null +++ b/rc6.d/K02bind9 @@ -0,0 +1 @@ +../init.d/bind9 \ No newline at end of file diff --git a/rc6.d/K02sendsigs b/rc6.d/K03sendsigs similarity index 100% rename from rc6.d/K02sendsigs rename to rc6.d/K03sendsigs diff --git a/rc6.d/K03rsyslog b/rc6.d/K04rsyslog similarity index 100% rename from rc6.d/K03rsyslog rename to rc6.d/K04rsyslog diff --git a/rc6.d/K04hwclock.sh b/rc6.d/K05hwclock.sh similarity index 100% rename from rc6.d/K04hwclock.sh rename to rc6.d/K05hwclock.sh diff --git a/rc6.d/K04umountnfs.sh b/rc6.d/K05umountnfs.sh similarity index 100% rename from rc6.d/K04umountnfs.sh rename to rc6.d/K05umountnfs.sh diff --git a/rc6.d/K05networking b/rc6.d/K06networking similarity index 100% rename from rc6.d/K05networking rename to rc6.d/K06networking diff --git a/rc6.d/K06umountfs b/rc6.d/K07umountfs similarity index 100% rename from rc6.d/K06umountfs rename to rc6.d/K07umountfs diff --git a/rc6.d/K07umountroot b/rc6.d/K08umountroot similarity index 100% rename from rc6.d/K07umountroot rename to rc6.d/K08umountroot diff --git a/rc6.d/K08reboot b/rc6.d/K09reboot similarity index 100% rename from rc6.d/K08reboot rename to rc6.d/K09reboot diff --git a/resolv.conf b/resolv.conf deleted file mode 120000 index ae228ef..0000000 --- a/resolv.conf +++ /dev/null @@ -1 +0,0 @@ -/etc/resolvconf/run/resolv.conf \ No newline at end of file diff --git a/resolv.conf b/resolv.conf new file mode 100644 index 0000000..8a46692 --- /dev/null +++ b/resolv.conf 
@@ -0,0 +1,6 @@ +domain uhu-banane.de +search uhu-banane.de brehm-online.com hennig-berlin.org +nameserver 127.0.0.1 +nameserver 8.8.8.8 +nameserver 8.8.4.4 +nameserver 2001:4860:4860::8888 diff --git a/resolv.conf.bak b/resolv.conf.bak new file mode 100644 index 0000000..d1909c2 --- /dev/null +++ b/resolv.conf.bak @@ -0,0 +1,7 @@ +# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) +# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN +nameserver 8.8.8.8 +nameserver 8.8.4.4 +nameserver 2001:4860:4860::8888 +domain uhu-banane.de +search uhu-banane.de brehm-online.com hennig-berlin.org diff --git a/salt/.master.bak b/salt/.master.bak new file mode 100644 index 0000000..3cde84d --- /dev/null +++ b/salt/.master.bak 
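Review bot: Listing `8.8.8.8`, `8.8.4.4` and `2001:4860:4860::8888` after `nameserver 127.0.0.1` means that whenever the local named is slow or down the stub resolver silently fails over to Google, so any name that only the local server answers (private views or zones) then resolves differently or not at all, and queries for internal names leave the host. If the local server is meant to be authoritative for this host, keep `nameserver 127.0.0.1` (optionally `nameserver ::1`) alone; if external fallback is deliberate, say so in a comment, because the trade-off is not obvious from the file. Replacing the resolvconf-managed symlink with a static file also leaves the `/sbin/resolvconf -a lo.named` call in `init.d/bind9` without effect on this file—worth a note there or here so nobody expects resolvconf to keep it current.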
@@ -0,0 +1,781 @@ +##### Primary configuration settings ##### +########################################## +# This configuration file is used to manage the behavior of the Salt Master. +# Values that are commented out but have an empty line after the comment are +# defaults that do not need to be set in the config. If there is no blank line +# after the comment then the value is presented as an example and is not the +# default. + +# Per default, the master will automatically include all config files +# from master.d/*.conf (master.d is a directory in the same directory +# as the main master config file). +#default_include: master.d/*.conf + +# The address of the interface to bind to: +#interface: 0.0.0.0 + +# Whether the master should listen for IPv6 connections. If this is set to True, +# the interface option must be adjusted, too. (For example: "interface: '::'") +#ipv6: False + +# The tcp port used by the publisher: +#publish_port: 4505 + +# The user under which the salt master will run. Salt will update all +# permissions to allow the specified user to run the master. The exception is +# the job cache, which must be deleted if this user is changed. If the +# modified files cause conflicts, set verify_env to False. +#user: root + +# Max open files +# +# Each minion connecting to the master uses AT LEAST one file descriptor, the +# master subscription connection. If enough minions connect you might start +# seeing on the console (and then salt-master crashes): +# Too many open files (tcp_listener.cpp:335) +# Aborted (core dumped) +# +# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for +# max open files. +# +# If you wish to set a different value than the default one, uncomment and +# configure this setting. Remember that this value CANNOT be higher than the +# hard limit. Raising the hard limit depends on your OS and/or distribution, +# a good way to find the limit is to search the internet. 
For example: +# raise max open files hard limit debian +# +#max_open_files: 100000 + +# The number of worker threads to start. These threads are used to manage +# return calls made from minions to the master. If the master seems to be +# running slowly, increase the number of threads. This setting can not be +# set lower than 3. +#worker_threads: 5 + +# The port used by the communication interface. The ret (return) port is the +# interface used for the file server, authentication, job returns, etc. +#ret_port: 4506 + +# Specify the location of the daemon process ID file: +#pidfile: /var/run/salt-master.pid + +# The root directory prepended to these options: pki_dir, cachedir, +# sock_dir, log_file, autosign_file, autoreject_file, extension_modules, +# key_logfile, pidfile: +#root_dir: / + +# Directory used to store public key data: +#pki_dir: /etc/salt/pki/master + +# Directory to store job and cache data: +# This directory may contain sensitive data and should be protected accordingly. +# +#cachedir: /var/cache/salt/master + +# Directory for custom modules. This directory can contain subdirectories for +# each of Salt's module types such as "runners", "output", "wheel", "modules", +# "states", "returners", etc. +#extension_modules: + +# Directory for custom modules. This directory can contain subdirectories for +# each of Salt's module types such as "runners", "output", "wheel", "modules", +# "states", "returners", etc. +# Like 'extension_modules' but can take an array of paths +#module_dirs: +# - /var/cache/salt/minion/extmods + +# Verify and set permissions on configuration directories at startup: +#verify_env: True + +# Set the number of hours to keep old job information in the job cache: +#keep_jobs: 24 + +# Set the default timeout for the salt command and api. The default is 5 +# seconds. +#timeout: 5 + +# The loop_interval option controls the seconds for the master's maintenance +# process check cycle. 
This process updates file server backends, cleans the +# job cache and executes the scheduler. +#loop_interval: 60 + +# Set the default outputter used by the salt command. The default is "nested". +#output: nested + +# Return minions that timeout when running commands like test.ping +#show_timeout: True + +# By default, output is colored. To disable colored output, set the color value +# to False. +#color: True + +# Do not strip off the colored output from nested results and state outputs +# (true by default). +# strip_colors: False + +# Set the directory used to hold unix sockets: +#sock_dir: /var/run/salt/master + +# The master can take a while to start up when lspci and/or dmidecode is used +# to populate the grains for the master. Enable if you want to see GPU hardware +# data for your master. +# enable_gpu_grains: False + +# The master maintains a job cache. While this is a great addition, it can be +# a burden on the master for larger deployments (over 5000 minions). +# Disabling the job cache will make previously executed jobs unavailable to +# the jobs system and is not generally recommended. +#job_cache: True + +# Cache minion grains and pillar data in the cachedir. +#minion_data_cache: True + +# Store all returns in the given returner. +# Setting this option requires that any returner-specific configuration also +# be set. See various returners in salt/returners for details on required +# configuration values. (See also, event_return_queue below.) +# +#event_return: mysql + +# On busy systems, enabling event_returns can cause a considerable load on +# the storage system for returners. Events can be queued on the master and +# stored in a batched fashion using a single transaction for multiple events. +# By default, events are not queued. 
+#event_return_queue: 0 + +# Only events returns matching tags in a whitelist +# event_return_whitelist: +# - salt/master/a_tag +# - salt/master/another_tag + +# Store all event returns _except_ the tags in a blacklist +# event_return_blacklist: +# - salt/master/not_this_tag +# - salt/master/or_this_one + +# Passing very large events can cause the minion to consume large amounts of +# memory. This value tunes the maximum size of a message allowed onto the +# master event bus. The value is expressed in bytes. +#max_event_size: 1048576 + +# By default, the master AES key rotates every 24 hours. The next command +# following a key rotation will trigger a key refresh from the minion which may +# result in minions which do not respond to the first command after a key refresh. +# +# To tell the master to ping all minions immediately after an AES key refresh, set +# ping_on_rotate to True. This should mitigate the issue where a minion does not +# appear to initially respond after a key is rotated. +# +# Note that ping_on_rotate may cause high load on the master immediately after +# the key rotation event as minions reconnect. Consider this carefully if this +# salt master is managing a large number of minions. +# +# If disabled, it is recommended to handle this event by listening for the +# 'aes_key_rotate' event with the 'key' tag and acting appropriately. +# ping_on_rotate: False + +# By default, the master deletes its cache of minion data when the key for that +# minion is removed. To preserve the cache after key deletion, set +# 'preserve_minion_cache' to True. +# +# WARNING: This may have security implications if compromised minions auth with +# a previous deleted minion ID. +#preserve_minion_cache: False + +# If max_minions is used in large installations, the master might experience +# high-load situations because of having to check the number of connected +# minions for every authentication. 
This cache provides the minion-ids of +# all connected minions to all MWorker-processes and greatly improves the +# performance of max_minions. +# con_cache: False + +# The master can include configuration from other files. To enable this, +# pass a list of paths to this option. The paths can be either relative or +# absolute; if relative, they are considered to be relative to the directory +# the main master configuration file lives in (this file). Paths can make use +# of shell-style globbing. If no files are matched by a path passed to this +# option, then the master will log a warning message. +# +# Include a config file from some other path: +# include: /etc/salt/extra_config +# +# Include config from several files and directories: +# include: +# - /etc/salt/extra_config + + +##### Security settings ##### +########################################## +# Enable "open mode", this mode still maintains encryption, but turns off +# authentication, this is only intended for highly secure environments or for +# the situation where your keys end up in a bad state. If you run in open mode +# you do so at your own risk! +#open_mode: False + +# Enable auto_accept, this setting will automatically accept all incoming +# public keys from the minions. Note that this is insecure. +#auto_accept: False + +# Time in minutes that a incoming public key with a matching name found in +# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys +# are removed when the master checks the minion_autosign directory. +# 0 equals no timeout +# autosign_timeout: 120 + +# If the autosign_file is specified, incoming keys specified in the +# autosign_file will be automatically accepted. This is insecure. Regular +# expressions as well as globing lines are supported. +#autosign_file: /etc/salt/autosign.conf + +# Works like autosign_file, but instead allows you to specify minion IDs for +# which keys will automatically be rejected. 
Will override both membership in +# the autosign_file and the auto_accept setting. +#autoreject_file: /etc/salt/autoreject.conf + +# Enable permissive access to the salt keys. This allows you to run the +# master or minion as root, but have a non-root group be given access to +# your pki_dir. To make the access explicit, root must belong to the group +# you've given access to. This is potentially quite insecure. If an autosign_file +# is specified, enabling permissive_pki_access will allow group access to that +# specific file. +#permissive_pki_access: False + +# Allow users on the master access to execute specific commands on minions. +# This setting should be treated with care since it opens up execution +# capabilities to non root users. By default this capability is completely +# disabled. +#client_acl: +# larry: +# - test.ping +# - network.* +# +# Blacklist any of the following users or modules +# +# This example would blacklist all non sudo users, including root from +# running any commands. It would also blacklist any use of the "cmd" +# module. This is completely disabled by default. +# +#client_acl_blacklist: +# users: +# - root +# - '^(?!sudo_).*$' # all non sudo users +# modules: +# - cmd + +# Enforce client_acl & client_acl_blacklist when users have sudo +# access to the salt command. +# +#sudo_acl: False + +# The external auth system uses the Salt auth modules to authenticate and +# validate users to access areas of the Salt system. +#external_auth: +# pam: +# fred: +# - test.* +# +# Time (in seconds) for a newly generated token to live. Default: 12 hours +#token_expire: 43200 + +# Allow minions to push files to the master. This is disabled by default, for +# security purposes. +#file_recv: False + +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. Default: 100 +#file_recv_max_size: 100 + +# Signature verification on messages published from the master. 
+# This causes the master to cryptographically sign all messages published to its event +# bus, and minions then verify that signature before acting on the message. +# +# This is False by default. +# +# Note that to facilitate interoperability with masters and minions that are different +# versions, if sign_pub_messages is True but a message is received by a minion with +# no signature, it will still be accepted, and a warning message will be logged. +# Conversely, if sign_pub_messages is False, but a minion receives a signed +# message it will be accepted, the signature will not be checked, and a warning message +# will be logged. This behavior went away in Salt 2014.1.0 and these two situations +# will cause minion to throw an exception and drop the message. +# sign_pub_messages: False + +##### Salt-SSH Configuration ##### +########################################## + +# Pass in an alternative location for the salt-ssh roster file +#roster_file: /etc/salt/roster + +# Pass in minion option overrides that will be inserted into the SHIM for +# salt-ssh calls. The local minion config is not used for salt-ssh. Can be +# overridden on a per-minion basis in the roster (`minion_opts`) +#ssh_minion_opts: +# gpg_keydir: /root/gpg + +##### Master Module Management ##### +########################################## +# Manage how master side modules are loaded. + +# Add any additional locations to look for master runners: +#runner_dirs: [] + +# Enable Cython for master side modules: +#cython_enable: False + + +##### State System settings ##### +########################################## +# The state system uses a "top" file to tell the minions what environment to +# use and what modules to use. The state_top file is defined relative to the +# root of the base environment as defined in "File Server settings" below. +#state_top: top.sls + +# The master_tops option replaces the external_nodes option by creating +# a plugable system for the generation of external top data. 
The external_nodes +# option is deprecated by the master_tops option. +# +# To gain the capabilities of the classic external_nodes system, use the +# following configuration: +# master_tops: +# ext_nodes: +# +#master_tops: {} + +# The external_nodes option allows Salt to gather data that would normally be +# placed in a top file. The external_nodes option is the executable that will +# return the ENC data. Remember that Salt will look for external nodes AND top +# files and combine the results if both are enabled! +#external_nodes: None + +# The renderer to use on the minions to render the state data +#renderer: yaml_jinja + +# The Jinja renderer can strip extra carriage returns and whitespace +# See http://jinja.pocoo.org/docs/api/#high-level-api +# +# If this is set to True the first newline after a Jinja block is removed +# (block, not variable tag!). Defaults to False, corresponds to the Jinja +# environment init variable "trim_blocks". +#jinja_trim_blocks: False +# +# If this is set to True leading spaces and tabs are stripped from the start +# of a line to a block. Defaults to False, corresponds to the Jinja +# environment init variable "lstrip_blocks". +#jinja_lstrip_blocks: False + +# The failhard option tells the minions to stop immediately after the first +# failure detected in the state execution, defaults to False +#failhard: False + +# The state_verbose and state_output settings can be used to change the way +# state system data is printed to the display. By default all data is printed. +# The state_verbose setting can be set to True or False, when set to False +# all data that has a result of True and no changes will be suppressed. +#state_verbose: True + +# The state_output setting changes if the output is the full multi line +# output for each changed state if set to 'full', but if set to 'terse' +# the output will be shortened to a single line. 
If set to 'mixed', the output +# will be terse unless a state failed, in which case that output will be full. +# If set to 'changes', the output will be full unless the state didn't change. +#state_output: full + +# Automatically aggregate all states that have support for mod_aggregate by +# setting to 'True'. Or pass a list of state module names to automatically +# aggregate just those types. +# +# state_aggregate: +# - pkg +# +#state_aggregate: False + +# Send progress events as each function in a state run completes execution +# by setting to 'True'. Progress events are in the format +# 'salt/job//prog//'. +#state_events: False + +##### File Server settings ##### +########################################## +# Salt runs a lightweight file server written in zeromq to deliver files to +# minions. This file server is built into the master daemon and does not +# require a dedicated port. + +# The file server works on environments passed to the master, each environment +# can have multiple root directories, the subdirectories in the multiple file +# roots cannot match, otherwise the downloaded files will not be able to be +# reliably ensured. A base environment is required to house the top file. +# Example: +file_roots: + base: + - /var/lib/salt/states +# qa: +# - /srv/salt-qa + +# dev: +# - /srv/salt/dev/services +# - /srv/salt/dev/states +# prod: +# - /srv/salt/prod/services +# - /srv/salt/prod/states +# +#file_roots: +# base: +# - /srv/salt +# + +# When using multiple environments, each with their own top file, the +# default behaviour is an unordered merge. To prevent top files from +# being merged together and instead to only use the top file from the +# requested environment, set this value to 'same'. +#top_file_merging_strategy: merge + +# To specify the order in which environments are merged, set the ordering +# in the env_order option. Given a conflict, the last matching value will +# win. 
+#env_order: ['base', 'dev', 'prod'] + +# If top_file_merging_strategy is set to 'same' and an environment does not +# contain a top file, the top file in the environment specified by default_top +# will be used instead. +#default_top: base + +# The hash_type is the hash to use when discovering the hash of a file on +# the master server. The default is md5, but sha1, sha224, sha256, sha384 +# and sha512 are also supported. +# +# Prior to changing this value, the master should be stopped and all Salt +# caches should be cleared. +#hash_type: md5 + +# The buffer size in the file server can be adjusted here: +#file_buffer_size: 1048576 + +# A regular expression (or a list of expressions) that will be matched +# against the file path before syncing the modules and states to the minions. +# This includes files affected by the file.recurse state. +# For example, if you manage your custom modules and states in subversion +# and don't want all the '.svn' folders and content synced to your minions, +# you could set this to '/\.svn($|/)'. By default nothing is ignored. +#file_ignore_regex: +# - '/\.svn($|/)' +# - '/\.git($|/)' + +# A file glob (or list of file globs) that will be matched against the file +# path before syncing the modules and states to the minions. This is similar +# to file_ignore_regex above, but works on globs instead of regex. By default +# nothing is ignored. +# file_ignore_glob: +# - '*.pyc' +# - '*/somefolder/*.bak' +# - '*.swp' + +# File Server Backend +# +# Salt supports a modular fileserver backend system, this system allows +# the salt master to link directly to third party systems to gather and +# manage the files available to minions. Multiple backends can be +# configured and will be searched for the requested file in the order in which +# they are defined here. The default setting only enables the standard backend +# "roots" which uses the "file_roots" option. 
+#fileserver_backend: +# - roots +# +# To use multiple backends list them in the order they are searched: +#fileserver_backend: +# - git +# - roots +# +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +#fileserver_followsymlinks: False +# +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +#fileserver_ignoresymlinks: True +# +# By default, the Salt fileserver recurses fully into all defined environments +# to attempt to find files. To limit this behavior so that the fileserver only +# traverses directories with SLS files and special Salt directories like _modules, +# enable the option below. This might be useful for installations where a file root +# has a very large number of files and performance is impacted. Default is False. +# fileserver_limit_traversal: False +# +# The fileserver can fire events off every time the fileserver is updated, +# these are disabled by default, but can be easily turned on by setting this +# flag to True +#fileserver_events: False + +# Git File Server Backend Configuration +# +# Gitfs can be provided by one of two python modules: GitPython or pygit2. If +# using pygit2, both libgit2 and git must also be installed. +#gitfs_provider: gitpython +# +# When using the git fileserver backend at least one git remote needs to be +# defined. The user running the salt master will need read access to the repo. +# +# The repos will be searched in order to find the file requested by a client +# and the first repo to have the file will return it. +# When using the git backend branches and tags are translated into salt +# environments. 
+# Note: file:// repos will be treated as a remote, so refs you want used must +# exist in that repo as *local* refs. +#gitfs_remotes: +# - git://github.com/saltstack/salt-states.git +# - file:///var/git/saltmaster +# +# The gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the gitfs backend. You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +#gitfs_ssl_verify: True +# +# The gitfs_root option gives the ability to serve files from a subdirectory +# within the repository. The path is defined relative to the root of the +# repository and defaults to the repository root. +#gitfs_root: somefolder/otherfolder +# +# +##### Pillar settings ##### +########################################## +# Salt Pillars allow for the building of global data that can be made selectively +# available to different minions based on minion grain filtering. The Salt +# Pillar is laid out in the same fashion as the file server, with environments, +# a top file and sls files. However, pillar data does not need to be in the +# highstate format, and is generally just key/value pairs. +#pillar_roots: +# base: +# - /srv/pillar +pillar_roots: + base: + - /var/lib/salt/pillar + +# +#ext_pillar: +# - hiera: /etc/hiera.yaml +# - cmd_yaml: cat /etc/salt/yaml + +# The ext_pillar_first option allows for external pillar sources to populate +# before file system pillar. This allows for targeting file system pillar from +# ext_pillar. +#ext_pillar_first: False + +# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the pillar gitfs backend. 
You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +#pillar_gitfs_ssl_verify: True + +# The pillar_opts option adds the master configuration file data to a dict in +# the pillar called "master". This is used to set simple configurations in the +# master config file that can then be used on minions. +#pillar_opts: False + +# The pillar_safe_render_error option prevents the master from passing pillar +# render errors to the minion. This is set on by default because the error could +# contain templating data which would give that minion information it shouldn't +# have, like a password! When set true the error message will only show: +# Rendering SLS 'my.sls' failed. Please see master log for details. +#pillar_safe_render_error: True + +# The pillar_source_merging_strategy option allows you to configure merging strategy +# between different sources. It accepts four values: recurse, aggregate, overwrite, +# or smart. Recurse will merge recursively mapping of data. Aggregate instructs +# aggregation of elements between sources that use the #!yamlex renderer. Overwrite +# will verwrite elements according the order in which they are processed. This is +# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based +# on the "renderer" setting and is the default value. +#pillar_source_merging_strategy: smart + + +##### Syndic settings ##### +########################################## +# The Salt syndic is used to pass commands through a master from a higher +# master. Using the syndic is simple. If this is a master that will have +# syndic servers(s) below it, then set the "order_masters" setting to True. 
+# +# If this is a master that will be running a syndic daemon for passthrough, then +# the "syndic_master" setting needs to be set to the location of the master server +# to receive commands from. + +# Set the order_masters setting to True if this master will command lower +# masters' syndic interfaces. +#order_masters: False + +# If this master will be running a salt syndic daemon, syndic_master tells +# this master where to receive commands from. +#syndic_master: masterofmaster + +# This is the 'ret_port' of the MasterOfMaster: +#syndic_master_port: 4506 + +# PID file of the syndic daemon: +#syndic_pidfile: /var/run/salt-syndic.pid + +# LOG file of the syndic daemon: +#syndic_log_file: syndic.log + + +##### Peer Publish settings ##### +########################################## +# Salt minions can send commands to other minions, but only if the minion is +# allowed to. By default "Peer Publication" is disabled, and when enabled it +# is enabled for specific minions and specific commands. This allows secure +# compartmentalization of commands based on individual minions. + +# The configuration uses regular expressions to match minions and then a list +# of regular expressions to match functions. The following will allow the +# minion authenticated as foo.example.com to execute functions from the test +# and pkg modules. +#peer: +# foo.example.com: +# - test.* +# - pkg.* +# +# This will allow all minions to execute all commands: +#peer: +# .*: +# - .* +# +# This is not recommended, since it would allow anyone who gets root on any +# single minion to instantly have root on all of the minions! + +# Minions can also be allowed to execute runners from the salt master. +# Since executing a runner from the minion could be considered a security risk, +# it needs to be enabled. This setting functions just like the peer setting +# except that it opens up runners instead of module functions. 
+# +# All peer runner support is turned off by default and must be enabled before +# using. This will enable all peer runners for all minions: +#peer_run: +# .*: +# - .* +# +# To enable just the manage.up runner for the minion foo.example.com: +#peer_run: +# foo.example.com: +# - manage.up +# +# +##### Mine settings ##### +########################################## +# Restrict mine.get access from minions. By default any minion has a full access +# to get all mine data from master cache. In acl definion below, only pcre matches +# are allowed. +# mine_get: +# .*: +# - .* +# +# The example below enables minion foo.example.com to get 'network.interfaces' mine +# data only, minions web* to get all network.* and disk.* mine data and all other +# minions won't get any mine data. +# mine_get: +# foo.example.com: +# - network.interfaces +# web.*: +# - network.* +# - disk.* + + +##### Logging settings ##### +########################################## +# The location of the master log file +# The master log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI +# format is: ://:/ +#log_file: /var/log/salt/master +#log_file: file:///dev/log +#log_file: udp://loghost:10514 + +#log_file: /var/log/salt/master +#key_logfile: /var/log/salt/key + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# +#log_level: warning +log_level: debug + +# The level of messages to send to the log file. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. 
+#log_level_logfile: warning +log_level_logfile: debug + +# The date and time format used in log messages. Allowed date/time formating +# can be seen here: http://docs.python.org/library/time.html#time.strftime +#log_datefmt: '%H:%M:%S' +#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' + +# The format of the console logging messages. Allowed formatting options can +# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +# +# Console log colors are specified by these additional formatters: +# +# %(colorlevel)s +# %(colorname)s +# %(colorprocess)s +# %(colormsg)s +# +# Since it is desirable to include the surrounding brackets, '[' and ']', in +# the coloring of the messages, these color formatters also include padding as +# well. Color LogRecord attributes are only available for console logging. +# +#log_fmt_console: '%(colorlevel)s %(colormsg)s' +#log_fmt_console: '[%(levelname)-8s] %(message)s' +# +#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' + +# This can be used to control logging levels more specificically. This +# example sets the main salt library at the 'warning' level, but sets +# 'salt.modules' to log at the 'debug' level: +# log_granular_levels: +# 'salt': 'warning' +# 'salt.modules': 'debug' +# +#log_granular_levels: {} + + +##### Node Groups ##### +########################################## +# Node groups allow for logical groupings of minion nodes. A group consists of a group +# name and a compound target. 
+#nodegroups: +# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' +# group2: 'G@os:Debian and foo.domain.com' + + +##### Range Cluster settings ##### +########################################## +# The range server (and optional port) that serves your cluster information +# https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec +# +#range_server: range:80 + + +##### Windows Software Repo settings ##### +############################################## +# Location of the repo on the master: +#win_repo: '/srv/salt/win/repo' +# +# Location of the master's repo cache file: +#win_repo_mastercachefile: '/srv/salt/win/repo/winrepo.p' +# +# List of git repositories to include with the local repo: +#win_gitrepos: +# - 'https://github.com/saltstack/salt-winrepo.git' + +##### Returner settings ###### +############################################ +# Which returner(s) will be used for minion's result: +#return: mysql diff --git a/salt/.master.dpkg-new.bak b/salt/.master.dpkg-new.bak new file mode 100644 index 0000000..aae46ef --- /dev/null +++ b/salt/.master.dpkg-new.bak 
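Review bot: `log_level: debug` and `log_level_logfile: debug` in the logging section enable a level that the hunk's own comment a few lines earlier flags as INSECURE ("may log sensitive data"); at debug the master can write pillar values and minion return data into the master log, and nothing in this commit shows that log file getting tighter permissions. If this backup mirrors the live /etc/salt/master, revert both to `log_level: warning` and `log_level_logfile: warning` (or delete the two lines, since warning is the default) once the current troubleshooting is over, and review what has already been logged. Given the `.bak` name and the sibling `.master.dpkg-new.bak`, this is presumably a stale copy, and it may be better dropped from the repository than carried as a second config that can drift from the active one.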
@@ -0,0 +1,869 @@ +##### Primary configuration settings ##### +########################################## +# This configuration file is used to manage the behavior of the Salt Master. +# Values that are commented out but have an empty line after the comment are +# defaults that do not need to be set in the config. If there is no blank line +# after the comment then the value is presented as an example and is not the +# default. + +# Per default, the master will automatically include all config files +# from master.d/*.conf (master.d is a directory in the same directory +# as the main master config file). +#default_include: master.d/*.conf + +# The address of the interface to bind to: +#interface: 0.0.0.0 + +# Whether the master should listen for IPv6 connections. If this is set to True, +# the interface option must be adjusted, too. (For example: "interface: '::'") +#ipv6: False + +# The tcp port used by the publisher: +#publish_port: 4505 + +# The user under which the salt master will run. Salt will update all +# permissions to allow the specified user to run the master. The exception is +# the job cache, which must be deleted if this user is changed. If the +# modified files cause conflicts, set verify_env to False. +#user: root + +# The port used by the communication interface. The ret (return) port is the +# interface used for the file server, authentication, job returns, etc. +#ret_port: 4506 + +# Specify the location of the daemon process ID file: +#pidfile: /var/run/salt-master.pid + +# The root directory prepended to these options: pki_dir, cachedir, +# sock_dir, log_file, autosign_file, autoreject_file, extension_modules, +# key_logfile, pidfile: +#root_dir: / + +# Directory used to store public key data: +#pki_dir: /etc/salt/pki/master + +# Directory to store job and cache data: +# This directory may contain sensitive data and should be protected accordingly. +# +#cachedir: /var/cache/salt/master + +# Directory for custom modules. 
This directory can contain subdirectories for +# each of Salt's module types such as "runners", "output", "wheel", "modules", +# "states", "returners", etc. +#extension_modules: + +# Directory for custom modules. This directory can contain subdirectories for +# each of Salt's module types such as "runners", "output", "wheel", "modules", +# "states", "returners", etc. +# Like 'extension_modules' but can take an array of paths +#module_dirs: +# - /var/cache/salt/minion/extmods + +# Verify and set permissions on configuration directories at startup: +#verify_env: True + +# Set the number of hours to keep old job information in the job cache: +#keep_jobs: 24 + +# Set the default timeout for the salt command and api. The default is 5 +# seconds. +#timeout: 5 + +# The loop_interval option controls the seconds for the master's maintenance +# process check cycle. This process updates file server backends, cleans the +# job cache and executes the scheduler. +#loop_interval: 60 + +# Set the default outputter used by the salt command. The default is "nested". +#output: nested + +# Return minions that timeout when running commands like test.ping +#show_timeout: True + +# By default, output is colored. To disable colored output, set the color value +# to False. +#color: True + +# Do not strip off the colored output from nested results and state outputs +# (true by default). +# strip_colors: False + +# Set the directory used to hold unix sockets: +#sock_dir: /var/run/salt/master + +# The master can take a while to start up when lspci and/or dmidecode is used +# to populate the grains for the master. Enable if you want to see GPU hardware +# data for your master. +# enable_gpu_grains: False + +# The master maintains a job cache. While this is a great addition, it can be +# a burden on the master for larger deployments (over 5000 minions). +# Disabling the job cache will make previously executed jobs unavailable to +# the jobs system and is not generally recommended. 
+#job_cache: True + +# Cache minion grains and pillar data in the cachedir. +#minion_data_cache: True + +# Store all returns in the given returner. +# Setting this option requires that any returner-specific configuration also +# be set. See various returners in salt/returners for details on required +# configuration values. (See also, event_return_queue below.) +# +#event_return: mysql + +# On busy systems, enabling event_returns can cause a considerable load on +# the storage system for returners. Events can be queued on the master and +# stored in a batched fashion using a single transaction for multiple events. +# By default, events are not queued. +#event_return_queue: 0 + +# Only events returns matching tags in a whitelist +# event_return_whitelist: +# - salt/master/a_tag +# - salt/master/another_tag + +# Store all event returns _except_ the tags in a blacklist +# event_return_blacklist: +# - salt/master/not_this_tag +# - salt/master/or_this_one + +# Passing very large events can cause the minion to consume large amounts of +# memory. This value tunes the maximum size of a message allowed onto the +# master event bus. The value is expressed in bytes. +#max_event_size: 1048576 + +# By default, the master AES key rotates every 24 hours. The next command +# following a key rotation will trigger a key refresh from the minion which may +# result in minions which do not respond to the first command after a key refresh. +# +# To tell the master to ping all minions immediately after an AES key refresh, set +# ping_on_rotate to True. This should mitigate the issue where a minion does not +# appear to initially respond after a key is rotated. +# +# Note that ping_on_rotate may cause high load on the master immediately after +# the key rotation event as minions reconnect. Consider this carefully if this +# salt master is managing a large number of minions. 
+# +# If disabled, it is recommended to handle this event by listening for the +# 'aes_key_rotate' event with the 'key' tag and acting appropriately. +# ping_on_rotate: False + +# By default, the master deletes its cache of minion data when the key for that +# minion is removed. To preserve the cache after key deletion, set +# 'preserve_minion_cache' to True. +# +# WARNING: This may have security implications if compromised minions auth with +# a previous deleted minion ID. +#preserve_minion_cache: False + +# If max_minions is used in large installations, the master might experience +# high-load situations because of having to check the number of connected +# minions for every authentication. This cache provides the minion-ids of +# all connected minions to all MWorker-processes and greatly improves the +# performance of max_minions. +# con_cache: False + +# The master can include configuration from other files. To enable this, +# pass a list of paths to this option. The paths can be either relative or +# absolute; if relative, they are considered to be relative to the directory +# the main master configuration file lives in (this file). Paths can make use +# of shell-style globbing. If no files are matched by a path passed to this +# option, then the master will log a warning message. +# +# Include a config file from some other path: +# include: /etc/salt/extra_config +# +# Include config from several files and directories: +# include: +# - /etc/salt/extra_config + + +##### Large-scale tuning settings ##### +########################################## +# Max open files +# +# Each minion connecting to the master uses AT LEAST one file descriptor, the +# master subscription connection. If enough minions connect you might start +# seeing on the console (and then salt-master crashes): +# Too many open files (tcp_listener.cpp:335) +# Aborted (core dumped) +# +# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for +# max open files. 
+# +# If you wish to set a different value than the default one, uncomment and +# configure this setting. Remember that this value CANNOT be higher than the +# hard limit. Raising the hard limit depends on your OS and/or distribution, +# a good way to find the limit is to search the internet. For example: +# raise max open files hard limit debian +# +#max_open_files: 100000 + +# The number of worker threads to start. These threads are used to manage +# return calls made from minions to the master. If the master seems to be +# running slowly, increase the number of threads. This setting can not be +# set lower than 3. +#worker_threads: 5 + +# Set the ZeroMQ high water marks +# http://api.zeromq.org/3-2:zmq-setsockopt + +# The publisher interface ZeroMQPubServerChannel +#pub_hwm: 1000 + +# These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm +# are significant for masters with thousands of minions. When these are +# insufficiently high it will manifest in random responses missing in the CLI +# and even missing from the job cache. Masters that have fast CPUs and many +# cores with appropriate worker_threads will not need these set as high. + +# On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has +# these settings: +# +# salt_event_pub_hwm: 128000 +# event_publisher_pub_hwm: 64000 + +# ZMQ high-water-mark for SaltEvent pub socket +#salt_event_pub_hwm: 20000 + +# ZMQ high-water-mark for EventPublisher pub socket +#event_publisher_pub_hwm: 10000 + + + +##### Security settings ##### +########################################## +# Enable "open mode", this mode still maintains encryption, but turns off +# authentication, this is only intended for highly secure environments or for +# the situation where your keys end up in a bad state. If you run in open mode +# you do so at your own risk! +#open_mode: False + +# Enable auto_accept, this setting will automatically accept all incoming +# public keys from the minions. 
Note that this is insecure. +#auto_accept: False + +# Time in minutes that a incoming public key with a matching name found in +# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys +# are removed when the master checks the minion_autosign directory. +# 0 equals no timeout +# autosign_timeout: 120 + +# If the autosign_file is specified, incoming keys specified in the +# autosign_file will be automatically accepted. This is insecure. Regular +# expressions as well as globing lines are supported. +#autosign_file: /etc/salt/autosign.conf + +# Works like autosign_file, but instead allows you to specify minion IDs for +# which keys will automatically be rejected. Will override both membership in +# the autosign_file and the auto_accept setting. +#autoreject_file: /etc/salt/autoreject.conf + +# Enable permissive access to the salt keys. This allows you to run the +# master or minion as root, but have a non-root group be given access to +# your pki_dir. To make the access explicit, root must belong to the group +# you've given access to. This is potentially quite insecure. If an autosign_file +# is specified, enabling permissive_pki_access will allow group access to that +# specific file. +#permissive_pki_access: False + +# Allow users on the master access to execute specific commands on minions. +# This setting should be treated with care since it opens up execution +# capabilities to non root users. By default this capability is completely +# disabled. +#client_acl: +# larry: +# - test.ping +# - network.* +# +# Blacklist any of the following users or modules +# +# This example would blacklist all non sudo users, including root from +# running any commands. It would also blacklist any use of the "cmd" +# module. This is completely disabled by default. 
+# +#client_acl_blacklist: +# users: +# - root +# - '^(?!sudo_).*$' # all non sudo users +# modules: +# - cmd + +# Enforce client_acl & client_acl_blacklist when users have sudo +# access to the salt command. +# +#sudo_acl: False + +# The external auth system uses the Salt auth modules to authenticate and +# validate users to access areas of the Salt system. +#external_auth: +# pam: +# fred: +# - test.* +# +# Time (in seconds) for a newly generated token to live. Default: 12 hours +#token_expire: 43200 + +# Allow minions to push files to the master. This is disabled by default, for +# security purposes. +#file_recv: False + +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. Default: 100 +#file_recv_max_size: 100 + +# Signature verification on messages published from the master. +# This causes the master to cryptographically sign all messages published to its event +# bus, and minions then verify that signature before acting on the message. +# +# This is False by default. +# +# Note that to facilitate interoperability with masters and minions that are different +# versions, if sign_pub_messages is True but a message is received by a minion with +# no signature, it will still be accepted, and a warning message will be logged. +# Conversely, if sign_pub_messages is False, but a minion receives a signed +# message it will be accepted, the signature will not be checked, and a warning message +# will be logged. This behavior went away in Salt 2014.1.0 and these two situations +# will cause minion to throw an exception and drop the message. +# sign_pub_messages: False + +##### Salt-SSH Configuration ##### +########################################## + +# Pass in an alternative location for the salt-ssh roster file +#roster_file: /etc/salt/roster + +# Pass in minion option overrides that will be inserted into the SHIM for +# salt-ssh calls. The local minion config is not used for salt-ssh. 
Can be +# overridden on a per-minion basis in the roster (`minion_opts`) +#ssh_minion_opts: +# gpg_keydir: /root/gpg + +##### Master Module Management ##### +########################################## +# Manage how master side modules are loaded. + +# Add any additional locations to look for master runners: +#runner_dirs: [] + +# Enable Cython for master side modules: +#cython_enable: False + + +##### State System settings ##### +########################################## +# The state system uses a "top" file to tell the minions what environment to +# use and what modules to use. The state_top file is defined relative to the +# root of the base environment as defined in "File Server settings" below. +#state_top: top.sls + +# The master_tops option replaces the external_nodes option by creating +# a plugable system for the generation of external top data. The external_nodes +# option is deprecated by the master_tops option. +# +# To gain the capabilities of the classic external_nodes system, use the +# following configuration: +# master_tops: +# ext_nodes: +# +#master_tops: {} + +# The external_nodes option allows Salt to gather data that would normally be +# placed in a top file. The external_nodes option is the executable that will +# return the ENC data. Remember that Salt will look for external nodes AND top +# files and combine the results if both are enabled! +#external_nodes: None + +# The renderer to use on the minions to render the state data +#renderer: yaml_jinja + +# The Jinja renderer can strip extra carriage returns and whitespace +# See http://jinja.pocoo.org/docs/api/#high-level-api +# +# If this is set to True the first newline after a Jinja block is removed +# (block, not variable tag!). Defaults to False, corresponds to the Jinja +# environment init variable "trim_blocks". +#jinja_trim_blocks: False +# +# If this is set to True leading spaces and tabs are stripped from the start +# of a line to a block. 
Defaults to False, corresponds to the Jinja +# environment init variable "lstrip_blocks". +#jinja_lstrip_blocks: False + +# The failhard option tells the minions to stop immediately after the first +# failure detected in the state execution, defaults to False +#failhard: False + +# The state_verbose and state_output settings can be used to change the way +# state system data is printed to the display. By default all data is printed. +# The state_verbose setting can be set to True or False, when set to False +# all data that has a result of True and no changes will be suppressed. +#state_verbose: True + +# The state_output setting changes if the output is the full multi line +# output for each changed state if set to 'full', but if set to 'terse' +# the output will be shortened to a single line. If set to 'mixed', the output +# will be terse unless a state failed, in which case that output will be full. +# If set to 'changes', the output will be full unless the state didn't change. +#state_output: full + +# Automatically aggregate all states that have support for mod_aggregate by +# setting to 'True'. Or pass a list of state module names to automatically +# aggregate just those types. +# +# state_aggregate: +# - pkg +# +#state_aggregate: False + +# Send progress events as each function in a state run completes execution +# by setting to 'True'. Progress events are in the format +# 'salt/job//prog//'. +#state_events: False + +##### File Server settings ##### +########################################## +# Salt runs a lightweight file server written in zeromq to deliver files to +# minions. This file server is built into the master daemon and does not +# require a dedicated port. + +# The file server works on environments passed to the master, each environment +# can have multiple root directories, the subdirectories in the multiple file +# roots cannot match, otherwise the downloaded files will not be able to be +# reliably ensured. 
A base environment is required to house the top file. +# Example: +# file_roots: +# base: +# - /srv/salt/ +# dev: +# - /srv/salt/dev/services +# - /srv/salt/dev/states +# prod: +# - /srv/salt/prod/services +# - /srv/salt/prod/states +# +#file_roots: +# base: +# - /srv/salt +# + +# When using multiple environments, each with their own top file, the +# default behaviour is an unordered merge. To prevent top files from +# being merged together and instead to only use the top file from the +# requested environment, set this value to 'same'. +#top_file_merging_strategy: merge + +# To specify the order in which environments are merged, set the ordering +# in the env_order option. Given a conflict, the last matching value will +# win. +#env_order: ['base', 'dev', 'prod'] + +# If top_file_merging_strategy is set to 'same' and an environment does not +# contain a top file, the top file in the environment specified by default_top +# will be used instead. +#default_top: base + +# The hash_type is the hash to use when discovering the hash of a file on +# the master server. The default is md5 but sha1, sha224, sha256, sha384 +# and sha512 are also supported. +# +# WARNING: While md5 is supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# +# Prior to changing this value, the master should be stopped and all Salt +# caches should be cleared. +#hash_type: md5 + +# The buffer size in the file server can be adjusted here: +#file_buffer_size: 1048576 + +# A regular expression (or a list of expressions) that will be matched +# against the file path before syncing the modules and states to the minions. +# This includes files affected by the file.recurse state. +# For example, if you manage your custom modules and states in subversion +# and don't want all the '.svn' folders and content synced to your minions, +# you could set this to '/\.svn($|/)'. By default nothing is ignored. 
+#file_ignore_regex: +# - '/\.svn($|/)' +# - '/\.git($|/)' + +# A file glob (or list of file globs) that will be matched against the file +# path before syncing the modules and states to the minions. This is similar +# to file_ignore_regex above, but works on globs instead of regex. By default +# nothing is ignored. +# file_ignore_glob: +# - '*.pyc' +# - '*/somefolder/*.bak' +# - '*.swp' + +# File Server Backend +# +# Salt supports a modular fileserver backend system, this system allows +# the salt master to link directly to third party systems to gather and +# manage the files available to minions. Multiple backends can be +# configured and will be searched for the requested file in the order in which +# they are defined here. The default setting only enables the standard backend +# "roots" which uses the "file_roots" option. +#fileserver_backend: +# - roots +# +# To use multiple backends list them in the order they are searched: +#fileserver_backend: +# - git +# - roots +# +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +#fileserver_followsymlinks: False +# +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +#fileserver_ignoresymlinks: True +# +# By default, the Salt fileserver recurses fully into all defined environments +# to attempt to find files. To limit this behavior so that the fileserver only +# traverses directories with SLS files and special Salt directories like _modules, +# enable the option below. This might be useful for installations where a file root +# has a very large number of files and performance is impacted. Default is False. 
+# fileserver_limit_traversal: False +# +# The fileserver can fire events off every time the fileserver is updated, +# these are disabled by default, but can be easily turned on by setting this +# flag to True +#fileserver_events: False + +# Git File Server Backend Configuration +# +# Gitfs can be provided by one of two python modules: GitPython or pygit2. If +# using pygit2, both libgit2 and git must also be installed. +#gitfs_provider: gitpython +# +# When using the git fileserver backend at least one git remote needs to be +# defined. The user running the salt master will need read access to the repo. +# +# The repos will be searched in order to find the file requested by a client +# and the first repo to have the file will return it. +# When using the git backend branches and tags are translated into salt +# environments. +# Note: file:// repos will be treated as a remote, so refs you want used must +# exist in that repo as *local* refs. +#gitfs_remotes: +# - git://github.com/saltstack/salt-states.git +# - file:///var/git/saltmaster +# +# The gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the gitfs backend. You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +#gitfs_ssl_verify: True +# +# The gitfs_root option gives the ability to serve files from a subdirectory +# within the repository. The path is defined relative to the root of the +# repository and defaults to the repository root. +#gitfs_root: somefolder/otherfolder +# +# +##### Pillar settings ##### +########################################## +# Salt Pillars allow for the building of global data that can be made selectively +# available to different minions based on minion grain filtering. 
The Salt +# Pillar is laid out in the same fashion as the file server, with environments, +# a top file and sls files. However, pillar data does not need to be in the +# highstate format, and is generally just key/value pairs. +#pillar_roots: +# base: +# - /srv/pillar +# +#ext_pillar: +# - hiera: /etc/hiera.yaml +# - cmd_yaml: cat /etc/salt/yaml + +# The ext_pillar_first option allows for external pillar sources to populate +# before file system pillar. This allows for targeting file system pillar from +# ext_pillar. +#ext_pillar_first: False + +# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the pillar gitfs backend. You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +#pillar_gitfs_ssl_verify: True + +# The pillar_opts option adds the master configuration file data to a dict in +# the pillar called "master". This is used to set simple configurations in the +# master config file that can then be used on minions. +#pillar_opts: False + +# The pillar_safe_render_error option prevents the master from passing pillar +# render errors to the minion. This is set on by default because the error could +# contain templating data which would give that minion information it shouldn't +# have, like a password! When set true the error message will only show: +# Rendering SLS 'my.sls' failed. Please see master log for details. +#pillar_safe_render_error: True + +# The pillar_source_merging_strategy option allows you to configure merging strategy +# between different sources. It accepts four values: recurse, aggregate, overwrite, +# or smart. Recurse will merge recursively mapping of data. Aggregate instructs +# aggregation of elements between sources that use the #!yamlex renderer. 
Overwrite +# will verwrite elements according the order in which they are processed. This is +# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based +# on the "renderer" setting and is the default value. +#pillar_source_merging_strategy: smart + +# Recursively merge lists by aggregating them instead of replacing them. +#pillar_merge_lists: False + +# A master can cache pillars locally to bypass the expense of having to render them +# for each minion on every request. This feature should only be enabled in cases +# where pillar rendering time is known to be unsatisfactory and any attendent security +# concerns about storing pillars in a master cache have been addressed. +# +# When enabling this feature, be certain to read through the additional pillar_cache_* +# configuration options to fully understand the tuneable parameters and their implications. +# +#pillar_cache: False + +# If and only if a master has set `pillar_cache: True`, the cache TTL controls the amount +# of time, in seconds, before the cache is considered invalid by a master and a fresh +# pillar is recompiled and stored. +# +# pillar_cache_ttl: 3600 + +# If an only if a master has set `pillar_cache: True`, one of several storage providers +# can be utililzed. +# +# `disk`: The default storage backend. This caches rendered pillars to the master cache. +# Rendered pillars are serialized and deserialized as msgpack structures for speed. +# Note that pillars are stored UNENCRYPTED. Ensure that the master cache +# has permissions set appropriately. (Sane defaults are provided.) +# +#`memory`: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python +# in-memory data structure for maximal performance. There are several cavaets, +# however. First, because each master worker contains its own in-memory cache, +# there is no guarantee of cache consistency between minion requests. This +# works best in situations where the pillar rarely if ever changes. 
Secondly, +# and perhaps more importantly, this means that unencrypted pillars will +# be accessible to any process which can examine the memory of the salt-master! +# This may represent a substantial security risk. +# +#pillar_cache_backend: disk + + + + +##### Syndic settings ##### +########################################## +# The Salt syndic is used to pass commands through a master from a higher +# master. Using the syndic is simple. If this is a master that will have +# syndic servers(s) below it, then set the "order_masters" setting to True. +# +# If this is a master that will be running a syndic daemon for passthrough, then +# the "syndic_master" setting needs to be set to the location of the master server +# to receive commands from. + +# Set the order_masters setting to True if this master will command lower +# masters' syndic interfaces. +#order_masters: False + +# If this master will be running a salt syndic daemon, syndic_master tells +# this master where to receive commands from. +#syndic_master: masterofmaster + +# This is the 'ret_port' of the MasterOfMaster: +#syndic_master_port: 4506 + +# PID file of the syndic daemon: +#syndic_pidfile: /var/run/salt-syndic.pid + +# LOG file of the syndic daemon: +#syndic_log_file: syndic.log + + +##### Peer Publish settings ##### +########################################## +# Salt minions can send commands to other minions, but only if the minion is +# allowed to. By default "Peer Publication" is disabled, and when enabled it +# is enabled for specific minions and specific commands. This allows secure +# compartmentalization of commands based on individual minions. + +# The configuration uses regular expressions to match minions and then a list +# of regular expressions to match functions. The following will allow the +# minion authenticated as foo.example.com to execute functions from the test +# and pkg modules. 
+#peer: +# foo.example.com: +# - test.* +# - pkg.* +# +# This will allow all minions to execute all commands: +#peer: +# .*: +# - .* +# +# This is not recommended, since it would allow anyone who gets root on any +# single minion to instantly have root on all of the minions! + +# Minions can also be allowed to execute runners from the salt master. +# Since executing a runner from the minion could be considered a security risk, +# it needs to be enabled. This setting functions just like the peer setting +# except that it opens up runners instead of module functions. +# +# All peer runner support is turned off by default and must be enabled before +# using. This will enable all peer runners for all minions: +#peer_run: +# .*: +# - .* +# +# To enable just the manage.up runner for the minion foo.example.com: +#peer_run: +# foo.example.com: +# - manage.up +# +# +##### Mine settings ##### +##################################### +# Restrict mine.get access from minions. By default any minion has a full access +# to get all mine data from master cache. In acl definion below, only pcre matches +# are allowed. +# mine_get: +# .*: +# - .* +# +# The example below enables minion foo.example.com to get 'network.interfaces' mine +# data only, minions web* to get all network.* and disk.* mine data and all other +# minions won't get any mine data. +# mine_get: +# foo.example.com: +# - network.interfaces +# web.*: +# - network.* +# - disk.* + + +##### Logging settings ##### +########################################## +# The location of the master log file +# The master log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. 
The URI +# format is: ://:/ +#log_file: /var/log/salt/master +#log_file: file:///dev/log +#log_file: udp://loghost:10514 + +#log_file: /var/log/salt/master +#key_logfile: /var/log/salt/key + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# +#log_level: warning + +# The level of messages to send to the log file. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. +#log_level_logfile: warning + +# The date and time format used in log messages. Allowed date/time formatting +# can be seen here: http://docs.python.org/library/time.html#time.strftime +#log_datefmt: '%H:%M:%S' +#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' + +# The format of the console logging messages. Allowed formatting options can +# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +# +# Console log colors are specified by these additional formatters: +# +# %(colorlevel)s +# %(colorname)s +# %(colorprocess)s +# %(colormsg)s +# +# Since it is desirable to include the surrounding brackets, '[' and ']', in +# the coloring of the messages, these color formatters also include padding as +# well. Color LogRecord attributes are only available for console logging. +# +#log_fmt_console: '%(colorlevel)s %(colormsg)s' +#log_fmt_console: '[%(levelname)-8s] %(message)s' +# +#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' + +# This can be used to control logging levels more specificically. 
This +# example sets the main salt library at the 'warning' level, but sets +# 'salt.modules' to log at the 'debug' level: +# log_granular_levels: +# 'salt': 'warning' +# 'salt.modules': 'debug' +# +#log_granular_levels: {} + + +##### Node Groups ###### +########################################## +# Node groups allow for logical groupings of minion nodes. A group consists of +# a group name and a compound target. Nodgroups can reference other nodegroups +# with 'N@' classifier. Ensure that you do not have circular references. +# +#nodegroups: +# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' +# group2: 'G@os:Debian and foo.domain.com' +# group3: 'G@os:Debian and N@group1' +# group4: +# - 'G@foo:bar' +# - 'or' +# - 'G@foo:baz' + + +##### Range Cluster settings ##### +########################################## +# The range server (and optional port) that serves your cluster information +# https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec +# +#range_server: range:80 + + +##### Windows Software Repo settings ##### +########################################### +# Location of the repo on the master: +#winrepo_dir_ng: '/srv/salt/win/repo-ng' +# +# List of git repositories to include with the local repo: +#winrepo_remotes_ng: +# - 'https://github.com/saltstack/salt-winrepo-ng.git' + + +##### Windows Software Repo settings - Pre 2015.8 ##### +######################################################## +# Legacy repo settings for pre-2015.8 Windows minions. 
+# +# Location of the repo on the master: +#winrepo_dir: '/srv/salt/win/repo' +# +# Location of the master's repo cache file: +#winrepo_mastercachefile: '/srv/salt/win/repo/winrepo.p' +# +# List of git repositories to include with the local repo: +#winrepo_remotes: +# - 'https://github.com/saltstack/salt-winrepo.git' + + +##### Returner settings ###### +############################################ +# Which returner(s) will be used for minion's result: +#return: mysql + + +###### Miscellaneous settings ###### +############################################ +# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch +#event_match_type: startswith diff --git a/salt/master b/salt/master index 643b5f4..22c599b 100644 --- a/salt/master +++ b/salt/master @@ -44,7 +44,7 @@ # Directory to store job and cache data: # This directory may contain sensitive data and should be protected accordingly. -# +# #cachedir: /var/cache/salt/master # Directory for custom modules. This directory can contain subdirectories for @@ -106,7 +106,7 @@ #minion_data_cache: True # Store all returns in the given returner. -# Setting this option requires that any returner-specific configuration also +# Setting this option requires that any returner-specific configuration also # be set. See various returners in salt/returners for details on required # configuration values. (See also, event_return_queue below.) # 
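Review bot: The new file `salt/.master.dpkg-new.bak` is a dotfile backup of the package's shipped master config rather than a managed setting, and the whole 869-line hunk duplicates the default text that `salt/master` already carries. Keeping it in the tree means two copies of the same commentary will drift apart (this hunk already differs from `salt/master` in the `file_roots`, `pillar_roots` and `hash_type` areas touched by the later hunks). If the intent is only to keep a pristine reference, a single note in the repository's README pointing at the packaged default would serve, and the `.dpkg-new.bak` artifact could be left out of the commit.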
@@ -145,12 +145,12 @@ # the key rotation event as minions reconnect. Consider this carefully if this # salt master is managing a large number of minions. # -# If disabled, it is recommended to handle this event by listening for the +# If disabled, it is recommended to handle this event by listening for the # 'aes_key_rotate' event with the 'key' tag and acting appropriately. # ping_on_rotate: False # By default, the master deletes its cache of minion data when the key for that -# minion is removed. To preserve the cache after key deletion, set +# minion is removed. To preserve the cache after key deletion, set # 'preserve_minion_cache' to True. # # WARNING: This may have security implications if compromised minions auth with @@ -291,7 +291,7 @@ # - cmd # Enforce client_acl & client_acl_blacklist when users have sudo -# access to the salt command. +# access to the salt command. # #sudo_acl: False @@ -447,11 +447,14 @@ # base: # - /srv/salt # +file_roots: + base: + - /var/lib/salt/states # When using multiple environments, each with their own top file, the # default behaviour is an unordered merge. To prevent top files from # being merged together and instead to only use the top file from the -# requested environment, set this value to 'same'. +# requested environment, set this value to 'same'. #top_file_merging_strategy: merge # To specify the order in which environments are merged, set the ordering @@ -465,9 +468,12 @@ #default_top: base # The hash_type is the hash to use when discovering the hash of a file on -# the master server. The default is md5, but sha1, sha224, sha256, sha384 +# the master server. The default is md5 but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 is supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. #hash_type: md5 
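Review bot: The new WARNING in the hash_type section tells operators not to use md5, yet the hunk leaves the master's effective value at the md5 default (`#hash_type: md5` stays commented out), so file hashes on the master are still computed with md5 after this change. Set `hash_type: sha256` explicitly in this block, matching the sha256 default the minion and proxy files in this commit now document (hunks at lines 117 and 123), and follow the comment's own instruction to stop the master and clear the caches before switching. The `file_roots:` block added earlier in this file (hunk @@ -447) is also glued directly to the preceding comment; a blank line before `# When using multiple environments` would keep that section readable.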
@@ -577,6 +583,10 @@ # base: # - /srv/pillar # +pillar_roots: + base: + - /var/lib/salt/pillar + #ext_pillar: # - hiera: /etc/hiera.yaml # - cmd_yaml: cat /etc/salt/yaml 
@@ -617,6 +627,43 @@ # Recursively merge lists by aggregating them instead of replacing them. #pillar_merge_lists: False +# A master can cache pillars locally to bypass the expense of having to render them +# for each minion on every request. This feature should only be enabled in cases +# where pillar rendering time is known to be unsatisfactory and any attendent security +# concerns about storing pillars in a master cache have been addressed. +# +# When enabling this feature, be certain to read through the additional pillar_cache_* +# configuration options to fully understand the tuneable parameters and their implications. +# +#pillar_cache: False + +# If and only if a master has set `pillar_cache: True`, the cache TTL controls the amount +# of time, in seconds, before the cache is considered invalid by a master and a fresh +# pillar is recompiled and stored. +# +# pillar_cache_ttl: 3600 + +# If an only if a master has set `pillar_cache: True`, one of several storage providers +# can be utililzed. +# +# `disk`: The default storage backend. This caches rendered pillars to the master cache. +# Rendered pillars are serialized and deserialized as msgpack structures for speed. +# Note that pillars are stored UNENCRYPTED. Ensure that the master cache +# has permissions set appropriately. (Sane defaults are provided.) +# +#`memory`: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python +# in-memory data structure for maximal performance. There are several cavaets, +# however. First, because each master worker contains its own in-memory cache, +# there is no guarantee of cache consistency between minion requests. This +# works best in situations where the pillar rarely if ever changes. Secondly, +# and perhaps more importantly, this means that unencrypted pillars will +# be accessible to any process which can examine the memory of the salt-master! +# This may represent a substantial security risk. 
+# +#pillar_cache_backend: disk + + + ##### Syndic settings ##### ########################################## @@ -728,13 +775,15 @@ # ['garbage', 'trace', 'debug'] # #log_level: warning +log_level: warning # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # If using 'log_granular_levels' this must be set to the highest desired level. #log_level_logfile: warning +log_level_logfile: debug -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' @@ -770,11 +819,18 @@ ##### Node Groups ###### ########################################## -# Node groups allow for logical groupings of minion nodes. A group consists of a group -# name and a compound target. +# Node groups allow for logical groupings of minion nodes. A group consists of +# a group name and a compound target. Nodgroups can reference other nodegroups +# with 'N@' classifier. Ensure that you do not have circular references. +# #nodegroups: -# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' +# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' # group2: 'G@os:Debian and foo.domain.com' +# group3: 'G@os:Debian and N@group1' +# group4: +# - 'G@foo:bar' +# - 'or' +# - 'G@foo:baz' ##### Range Cluster settings ##### diff --git a/salt/minion b/salt/minion index 2307f70..b408942 100644 --- a/salt/minion +++ b/salt/minion 
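Review bot: `log_level_logfile: debug` is now set explicitly on the master while the console stays at `warning`; debug-level master logs are very verbose and, depending on the modules in use, may record job arguments and return data, so the log file's permissions and rotation should be checked before this ships. If debug output is only needed for a troubleshooting session, prefer leaving the default and raising it temporarily, or scope it with `log_granular_levels` to the modules under investigation. The added `log_level: warning` line merely restates the documented default and could be dropped.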
@@ -372,6 +372,10 @@ # environments is to isolate via the top file. #environment: None # +# Isolates the pillar environment on the minion side. This functions the same +# as the environment setting, but for pillar instead of states. +#pillarenv: None +# # If using the local file directory, then the state top file name needs to be # defined, by default this is top.sls. #state_top: top.sls @@ -440,12 +444,14 @@ #fileserver_limit_traversal: False # The hash_type is the hash to use when discovering the hash of a file in -# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 -# and sha512 are also supported. +# the local fileserver. The default is sha256, sha224, sha384 and sha512 are also supported. +# +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. # # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. -#hash_type: md5 +#hash_type: sha256 # The Salt pillar is searched for locally if file_client is set to local. If # this is the case, and pillar data is defined, then the pillar_roots need to @@ -531,7 +537,7 @@ # Default: 'warning' #log_level_logfile: -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' diff --git a/salt/minion.d/_schedule.conf b/salt/minion.d/_schedule.conf new file mode 100644 index 0000000..84f5a73 --- /dev/null +++ b/salt/minion.d/_schedule.conf @@ -0,0 +1,2 @@ +schedule: + __mine_interval: {function: mine.update, jid_include: true, maxrunning: 2, minutes: 60} diff --git a/salt/minion_id b/salt/minion_id index 3ff8e1e..0424e45 100644 --- a/salt/minion_id +++ b/salt/minion_id 
@@ -1 +1 @@ -builder.gridserver.io \ No newline at end of file +ns3.uhu-banane.de \ No newline at end of file diff --git a/salt/pki/master/minions/ns1.uhu-banane.de b/salt/pki/master/minions/ns1.uhu-banane.de new file mode 100644 index 0000000..39104a3 --- /dev/null +++ b/salt/pki/master/minions/ns1.uhu-banane.de @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn3mFqkDH0/UkVWBOFLx1 +zkgYGA4YntQjpcYcKas7+3IrZ9V4Os/DHtfTLIC5FuZgL0T6/FYx/RxnZa9nyJ90 +NJyb8QFlUPAFsIGMxfF78oed0vkE+y6TjYsiKMYvVCBhq0U9pH7w4a3ZjAmouQSd +qrmq6017GnFUU9nYGd3tSP8Y0ke1W7FwhOAgR7BNjSIV6uYR177NtHab2fprvfRR +lNiYAd97GI+m8E+/+c4Y3LwweKK8lQo+btnalUzWXD7RhfMgWAWKP4lDqBL5/zDp +5r3VxMA7rlrVp3vSPmSPgQAb1nwxO1AJ1JvMBQB0Hd7UcOmYgMjzCcxNDUYRnwnr +QQIDAQAB +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/pki/master/minions/ns2.uhu-banane.de b/salt/pki/master/minions/ns2.uhu-banane.de new file mode 100644 index 0000000..cbcc430 --- /dev/null +++ b/salt/pki/master/minions/ns2.uhu-banane.de @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmZt+k+dcN+sYElPfzKw +zrxiLpyk3h2i5c0SRmaFNXVDcBC5mN/Xvpuv0yxQ/z1D4GXDyLkiXM+49eXEPlgo +iQ9lRtBf3kLG8cOjIbNOioAyAnUHZNwT5iHdRPL2aAu/WFk4fZet9j6w0aeXJoZn +L07WxhzJ5kHNB9LEF9H4mGpBi6D/s+xmP6to4zaIOCoa9NRhUf/LiU0oAvhoxyOU +MXjzutnCIW+ixJTu6an95n4Ybp+pEkXvgfRaVenfysMONx/98Ay9moI5xZB7VEGe +C9SO5E4YsqCN0VZcVrzrjVsJYKYk0rtsN6vLRgi4zMoRt+wqxZfz8qJQmwsKVNmj +fwIDAQAB +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/pki/master/minions/ns3.uhu-banane.de b/salt/pki/master/minions/ns3.uhu-banane.de new file mode 100644 index 0000000..7272007 --- /dev/null +++ b/salt/pki/master/minions/ns3.uhu-banane.de 
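Review bot: `salt/pki/master/minions/ns1.uhu-banane.de` (and ns2 and ns3 in the following hunks) records a public key as an accepted minion, which lets the holder of that key receive commands and pillar data for that minion id. Nothing in the commit shows that the fingerprints were compared against the values on the hosts before acceptance; `salt-key -F` on the master and `salt-call --local key.finger` on each minion give the two sides to compare. Recording that verification in the commit message would make the next key acceptance auditable.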
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHER8PrEKSGTS95ySUT6 +jWT0wD6jrkYy+utJn0rC+xJaHJ7d5MzjTB8+PMdcB8ApeROFGfXmJu/20UBc+NZa +LoR9/v32UErDD2YwYcuFx5wQA5H0EwLi63YqvYY7ucQB60lczlRg6oBEHfTkyOHf +u6j8yI3vRoH5DJ/zf8sFhopfpEly0b/EUOphR1OUGpJO9J/80EqPVpYvplVryMiN +WH3DeVQR+idF3r962aIz3a2y0yYO6MV3lXim4WMbXQ9FP62bbrlLnzdIj0riEkv/ +jtW9EZNScw3zmUE7HHLGmMBnVAwEL5gKMahkBkdt/FejAPdBNlfN1NuVCBPKgo/U +zQIDAQAB +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/pki/master/minions_pre/builder.gridserver.io b/salt/pki/master/minions_pre/builder.gridserver.io deleted file mode 100644 index a860f86..0000000 --- a/salt/pki/master/minions_pre/builder.gridserver.io +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr58/IZJ1sDnwGsfZ/22Z -U+rRclEeWb5K/krJ25kf9FwcZ8A65KkR8PcO7v/yvv1noGLLa57/oUScd2fBZW70 -N0PZljj4hGlyKjE7TpjCN9gqQ9VFdhQuuJ79sGzAYCMT89tHtAJ5rK8xseG1qFQM -LIGyqM+QKuQw40b45FMwkZgXJzhETpJ0mS03A/ET1+4503DNJXEQHU3yJwo0T2wE -hbkNZ7wAhsz6zaIHtsxu6ium3BNAgjqXAE/PvpR3TNRryQrIwad1OLsDM+QPlzdP -PsLkpXk4mSsMgpK4YiahJ391MuVb7S79JvhMD3FwxFubwLJmP9B1GHKNxVxbyQsb -xQIDAQAB ------END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/pki/minion/minion.pem b/salt/pki/minion/minion.pem index a6ff3f2..7aa5574 100644 --- a/salt/pki/minion/minion.pem +++ b/salt/pki/minion/minion.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAr58/IZJ1sDnwGsfZ/22ZU+rRclEeWb5K/krJ25kf9FwcZ8A6 -5KkR8PcO7v/yvv1noGLLa57/oUScd2fBZW70N0PZljj4hGlyKjE7TpjCN9gqQ9VF -dhQuuJ79sGzAYCMT89tHtAJ5rK8xseG1qFQMLIGyqM+QKuQw40b45FMwkZgXJzhE -TpJ0mS03A/ET1+4503DNJXEQHU3yJwo0T2wEhbkNZ7wAhsz6zaIHtsxu6ium3BNA -gjqXAE/PvpR3TNRryQrIwad1OLsDM+QPlzdPPsLkpXk4mSsMgpK4YiahJ391MuVb -7S79JvhMD3FwxFubwLJmP9B1GHKNxVxbyQsbxQIDAQABAoIBACH2h/z0F/Jmofpr -38q35UkHRk33RglQ9avLxtHDARz+mzetQzZpQ+D3xlmOAeHRm7K2qGQ9sW38mM22 -sP3uwSfW5UNZ7SWeRsfGEZQXkqe+FB5eJjq5mHd3t9PglCuDXR5xr6IuQF2W2+Ns -pPbSmjAZPPXMfjLtQk8RsJxnQiNFlky3lGjAAfbi3EnibzuWWz4Wu12SQ1htxyTg -ccHj7+ksUMkA1eHSv3OGa7o5GlQ8eTXKxfhWIVWY3aX0BeWWohipJpAokp1zW2jW -uud5AmJOdVt7dTywKu9xgBUOM+D1JNp+J0rs809Ez6CNQF6D0mS5m9iJFCQWBLb0 -TdHhNUECgYEAyr48sSiEJZNk54u/0gFAG1xF1quGAWjkxeryXiFen2f3lTXB/T0e -cT/0OAUqoN1hTaHtEDFu4NI+JUJrpfMy7YtwED9eExSwhe9sP1iaSCBFO16anq6t -hblN6siWioiIO8CwQZeQMk9j1pEnLdjFN8G2G+z8/Uzu9bVHkk98pvkCgYEA3cE2 -sbkYUBhjnZ+6JG28Pc4apzW8BBtH7yPnObaFlQFkWo6dugiWovVC2neQV4lcUQVj -4XozilBIIyLjIoRSCYvKAG5EUWpqDYYH1hkgSGAKDMcI7Gex2V3sYdkaRRhhZK3Q -ZVTEW4BwkVcWK5M74amBBoiJSL+iR7E09+NWUi0CgYAqNjOSuxnQbQDMSMd2ZPZA -/BQ6Xtn2vy0qnAE8Yfw+ejoNIfUy0Z/d+m/RnhnDBnS04irmfTRVsNBpl4usMJeA -59A8QcVHeb5LFI9YHQ16SOXBN7A/q6TLO8qiQIM/cq/SqQrJjVHjd64UxYH/xKtD -MZzF8bC22GbEV6sAJnaQmQKBgQC0Qs3NJqNm6IyBo0fTOQjeTN5JslqGFA8jjFH4 -DjEEcT88hdYdVcHt8eVIZg0Fu3k5u2H39jhTZPNe7IsqkdmGPQYV14zdid1v5NYV -6hLeAoPo4xqT4a8m/TycRbkfFbSF/Oz8ki2UHBJlcx9oiKUSyZFC2FaQtoaaNKjU -IQ8YeQKBgFHSlYHS4rQjbTiS3bzgglJQHRmLwHHe0NHzrj/huTwIzkSI80AZTGOb -UT2L8bHFGcVJMj1bPem6iHUIRQVEf2JxWHmt6fMpQ9WjyxtQau27qGgoZ/k235uK -tq0SJhFm0i+k1CtY4gU7r0bLpcHZORWO9eU8ueorVuHsL2Y7Ound +MIIEpAIBAAKCAQEAoHER8PrEKSGTS95ySUT6jWT0wD6jrkYy+utJn0rC+xJaHJ7d +5MzjTB8+PMdcB8ApeROFGfXmJu/20UBc+NZaLoR9/v32UErDD2YwYcuFx5wQA5H0 +EwLi63YqvYY7ucQB60lczlRg6oBEHfTkyOHfu6j8yI3vRoH5DJ/zf8sFhopfpEly +0b/EUOphR1OUGpJO9J/80EqPVpYvplVryMiNWH3DeVQR+idF3r962aIz3a2y0yYO 
+6MV3lXim4WMbXQ9FP62bbrlLnzdIj0riEkv/jtW9EZNScw3zmUE7HHLGmMBnVAwE +L5gKMahkBkdt/FejAPdBNlfN1NuVCBPKgo/UzQIDAQABAoIBAQCOoHWmmAZR2jsr +MvC+GcfyclDxpb20a0terFOie7+hmsroroHrqAhX315ggYlaioVT0Pp9/Y9ABgqQ +Mntz6nn46GdpizKwZgXJZrqT9W1T6XSC9/jV/bbkQwPzv6TQm2JpW6pY8cHGNYhY +aSAJRGK0XKF7WFHhiCFyC69XZ4/d7TQm673PwQg1sTft8qFT3uIjTj9K1LOqmf1y +yMNi8E1XD6dlTyNuI2PtJmG2Otn3CWd6elydrgjmVHEVYE2Eh8H9vIxlf7zX9/dI +pSieCfbtCRR/UObAPe2g/8fzMPuS3osqypJlCE1oRKxfoTmHl3sDOwsi/TjNyid2 +1ufMqsixAoGBAMFfLZlv7mTNitpGROpdL+9Y7LU/mGgQ7c9Y7Kh9Wcs/N9e3srSy ++fiOIFen3QE4NkyiChruLxtsjcF/h2SOgY+uhMatci7p9d+Boh2Th59gpHKxAac2 +KYcAe9ds42H9gyYCoyOI693zuJWZJE/RlGFfRR7ExEs5bl3iFSfT5LtrAoGBANRn +mBfnTEju4bDf7p/eUkzBt2GJ0tWiA6rtpLTUop/32ya0DNu3h8ax7pH1RRmt+eSM +iI+9le1E0q2oOl4l3g6wtyw9wMz7nDaWwMn3B+rhS7x7Oesj+8rmFVcWiTqm+JNF +U7palxIIddLNL2GNIh9LBIWwRQPVQetWTT43szanAoGAKvmhI7mZjLOViV8Wj9N4 +BMSJjtp8X5xrjapgpi19mEsLeRitUbV5EoFbtL9swYmhn7RfdI68z2Z3tqpGB9YX ++zu47IK9nqmGaE7iHZqdCJGs2oR2Lpg98G/uFflwK2XxELCDWzFh4ij5O94WENsu +E9ndfbITQfiYi6rkMr7H1dMCgYEA1GRGfNiHuoJMYe56EZhhGWm3sqv7jC32luwM +/9mESIuys2/lT6uk9HWmBoOItlX2hKhWQc2k5t4kAQwwWUZqVqw0bePOL+sFWLzE +SPBhFWh1sCJUVyHjPQ93lV7umBywgasYP0couxqEnucYEubqkPoVqo0JZfzQbsAc +ezN9XA8CgYAOFH1No0xgFexzjzaLMJ5yOf3yGnxTRP7O1l0zz/FaASqmRSPFI0rt +F24LQ0UGb93rBin73DTlvbj178dDQikc9SwtwRd/yLkuR/ctxM1OoSb7JfFE2sw7 +VyKzaVTOYVIKl6D/bnnvA9YXR6tx2k75tNWOF8oAzSLN1gxZo72q6A== -----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/salt/pki/minion/minion.pub b/salt/pki/minion/minion.pub index a860f86..7272007 100644 --- a/salt/pki/minion/minion.pub +++ b/salt/pki/minion/minion.pub 
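Review bot: This hunk commits a replacement for `salt/pki/minion/minion.pem`, the minion's RSA private key, so both the old and the new private key now live in this repository's history. A private key tracked in version control is exposed to everyone who can read the repository or its backups, and the rotation recorded here does not remove that exposure for the new key. Exclude the path from tracking (e.g. `salt/pki/minion/minion.pem` in the repository's .gitignore), purge both versions from history, then regenerate the minion key pair and re-accept the new public key on the master. The public-key files in the same commit (`salt/pki/minion/minion.pub`, `salt/pki/minion/minion_master.pub`, `salt/pki/master/minions/*`) are fine to keep tracked.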
@@ -1,9 +1,9 @@ -----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr58/IZJ1sDnwGsfZ/22Z -U+rRclEeWb5K/krJ25kf9FwcZ8A65KkR8PcO7v/yvv1noGLLa57/oUScd2fBZW70 -N0PZljj4hGlyKjE7TpjCN9gqQ9VFdhQuuJ79sGzAYCMT89tHtAJ5rK8xseG1qFQM -LIGyqM+QKuQw40b45FMwkZgXJzhETpJ0mS03A/ET1+4503DNJXEQHU3yJwo0T2wE -hbkNZ7wAhsz6zaIHtsxu6ium3BNAgjqXAE/PvpR3TNRryQrIwad1OLsDM+QPlzdP -PsLkpXk4mSsMgpK4YiahJ391MuVb7S79JvhMD3FwxFubwLJmP9B1GHKNxVxbyQsb -xQIDAQAB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHER8PrEKSGTS95ySUT6 +jWT0wD6jrkYy+utJn0rC+xJaHJ7d5MzjTB8+PMdcB8ApeROFGfXmJu/20UBc+NZa +LoR9/v32UErDD2YwYcuFx5wQA5H0EwLi63YqvYY7ucQB60lczlRg6oBEHfTkyOHf +u6j8yI3vRoH5DJ/zf8sFhopfpEly0b/EUOphR1OUGpJO9J/80EqPVpYvplVryMiN +WH3DeVQR+idF3r962aIz3a2y0yYO6MV3lXim4WMbXQ9FP62bbrlLnzdIj0riEkv/ +jtW9EZNScw3zmUE7HHLGmMBnVAwEL5gKMahkBkdt/FejAPdBNlfN1NuVCBPKgo/U +zQIDAQAB -----END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/pki/minion/minion_master.pub b/salt/pki/minion/minion_master.pub new file mode 100644 index 0000000..b677f0b --- /dev/null +++ b/salt/pki/minion/minion_master.pub @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwUbxQYMDoCPQTWHREbbu +lTBJ+BNLjeUalhTgXjaR7uNiGryiOoLGtSiQFwiYClJ/7QqUoSG7A9c5Xw1Qv6CI +H73sBAdniAFaC9jeY+4Pe22QlrIuE9AoWGNw9X2gDQ1/9MHGaFnlumDW5pLNvP+i +nd3DRVNuhSR+S0/sTJUbFpzXXIzN0WijIBLA+oqlR/ANPc89Y+XhXUaVje48yW0l +oEiedhRzHPGS5mGwyDs9MqLano1LeRdu4kdyhboljqX3c/SsVgc/Q3oD42+XerI1 +rz+mkLBNzHhNQWn6k6W8PdiYTnRXH6WUyMMxniBR/5QPWx3Owu5aeSy23Dhl6SRc +EQIDAQAB +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/salt/proxy b/salt/proxy index 472df35..e6ca631 100644 --- a/salt/proxy +++ b/salt/proxy 
@@ -419,12 +419,15 @@ #fileserver_limit_traversal: False # The hash_type is the hash to use when discovering the hash of a file in -# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 -# and sha512 are also supported. +# the local fileserver. The default is sha256 but sha224, sha384 and sha512 +# are also supported. +# +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. # # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. -#hash_type: md5 +#hash_type: sha256 # The Salt pillar is searched for locally if file_client is set to local. If # this is the case, and pillar data is defined, then the pillar_roots need to @@ -510,7 +513,7 @@ # Default: 'warning' #log_level_logfile: -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' diff --git a/shadow b/shadow index b8298b3..a60b13a 100644 --- a/shadow +++ b/shadow @@ -22,3 +22,4 @@ systemd-resolve:*:16625:0:99999:7::: systemd-bus-proxy:*:16625:0:99999:7::: sshd:*:16625:0:99999:7::: postfix:*:16854:0:99999:7::: +bind:*:16869:0:99999:7::: diff --git a/shadow- b/shadow- index b8298b3..a60b13a 100644 --- a/shadow- +++ b/shadow- @@ -22,3 +22,4 @@ systemd-resolve:*:16625:0:99999:7::: systemd-bus-proxy:*:16625:0:99999:7::: sshd:*:16625:0:99999:7::: postfix:*:16854:0:99999:7::: +bind:*:16869:0:99999:7::: diff --git a/shells b/shells index 21bbba0..29b2701 100644 --- a/shells +++ b/shells @@ -3,3 +3,5 @@ /bin/dash /bin/bash /bin/rbash +/bin/zsh +/usr/bin/zsh diff --git a/skel/.bashrc b/skel/.bashrc index 9346dd0..6d42d5f 100644 --- a/skel/.bashrc +++ b/skel/.bashrc 
@@ -8,21 +8,6 @@ case $- in *) return;; esac -# don't put duplicate lines or lines starting with space in the history. -# See bash(1) for more options -HISTCONTROL=ignoreboth - -# append to the history file, don't overwrite it -shopt -s histappend - -# for setting history length see HISTSIZE and HISTFILESIZE in bash(1) -HISTSIZE=1000 -HISTFILESIZE=2000 - -# check the window size after each command and, if necessary, -# update the values of LINES and COLUMNS. -shopt -s checkwinsize - # If set, the pattern "**" used in a pathname expansion context will # match all files and zero or more directories and subdirectories. #shopt -s globstar 
@@ -30,67 +15,14 @@ shopt -s checkwinsize # make less more friendly for non-text input files, see lesspipe(1) #[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" -# set variable identifying the chroot you work in (used in the prompt below) -if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then - debian_chroot=$(cat /etc/debian_chroot) -fi - -# set a fancy prompt (non-color, unless we know we "want" color) -case "$TERM" in - xterm-color) color_prompt=yes;; -esac - -# uncomment for a colored prompt, if the terminal has the capability; turned -# off by default to not distract the user: the focus in a terminal window -# should be on the output of commands, not on the prompt -#force_color_prompt=yes - -if [ -n "$force_color_prompt" ]; then - if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then - # We have color support; assume it's compliant with Ecma-48 - # (ISO/IEC-6429). (Lack of such support is extremely rare, and such - # a case would tend to support setf rather than setaf.) 
- color_prompt=yes - else - color_prompt= - fi -fi - -if [ "$color_prompt" = yes ]; then - PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' -else - PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' -fi -unset color_prompt force_color_prompt - # If this is an xterm set the title to user@host:dir -case "$TERM" in -xterm*|rxvt*) - PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" - ;; -*) - ;; -esac - -# enable color support of ls and also add handy aliases -if [ -x /usr/bin/dircolors ]; then - test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" - alias ls='ls --color=auto' - #alias dir='dir --color=auto' - #alias vdir='vdir --color=auto' - - #alias grep='grep --color=auto' - #alias fgrep='fgrep --color=auto' - #alias egrep='egrep --color=auto' -fi - -# colored GCC warnings and errors -#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' - -# some more ls aliases -#alias ll='ls -l' -#alias la='ls -A' -#alias l='ls -CF' +#case "$TERM" in +#xterm*|rxvt*) +# PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" +# ;; +#*) +# ;; +#esac # Alias definitions. # You may want to put all your additions into a separate file like @@ -101,13 +33,3 @@ if [ -f ~/.bash_aliases ]; then . ~/.bash_aliases fi -# enable programmable completion features (you don't need to enable -# this, if it's already enabled in /etc/bash.bashrc and /etc/profile -# sources /etc/bash.bashrc). -if ! shopt -oq posix; then - if [ -f /usr/share/bash-completion/bash_completion ]; then - . /usr/share/bash-completion/bash_completion - elif [ -f /etc/bash_completion ]; then - . /etc/bash_completion - fi -fi diff --git a/ssh/ssh_config b/ssh/ssh_config index 3810e13..ceb6e71 100644 --- a/ssh/ssh_config +++ b/ssh/ssh_config 
@@ -49,6 +49,6 @@ Host * # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h SendEnv LANG LC_* - HashKnownHosts yes + HashKnownHosts no GSSAPIAuthentication yes GSSAPIDelegateCredentials no diff --git a/subgid b/subgid index 20ad0e3..adbdeca 100644 --- a/subgid +++ b/subgid @@ -4,3 +4,4 @@ systemd-resolve:231072:65536 systemd-bus-proxy:296608:65536 sshd:362144:65536 postfix:427680:65536 +bind:493216:65536 diff --git a/subgid- b/subgid- index b6d2427..20ad0e3 100644 --- a/subgid- +++ b/subgid- @@ -3,3 +3,4 @@ systemd-network:165536:65536 systemd-resolve:231072:65536 systemd-bus-proxy:296608:65536 sshd:362144:65536 +postfix:427680:65536 diff --git a/subuid b/subuid index 20ad0e3..adbdeca 100644 --- a/subuid +++ b/subuid @@ -4,3 +4,4 @@ systemd-resolve:231072:65536 systemd-bus-proxy:296608:65536 sshd:362144:65536 postfix:427680:65536 +bind:493216:65536 diff --git a/subuid- b/subuid- index b6d2427..20ad0e3 100644 --- a/subuid- +++ b/subuid- @@ -3,3 +3,4 @@ systemd-network:165536:65536 systemd-resolve:231072:65536 systemd-bus-proxy:296608:65536 sshd:362144:65536 +postfix:427680:65536 diff --git a/sysctl.d/99-sysctl.conf b/sysctl.d/99-sysctl.conf deleted file mode 120000 index 2b0036b..0000000 --- a/sysctl.d/99-sysctl.conf +++ /dev/null @@ -1 +0,0 @@ -../sysctl.conf \ No newline at end of file diff --git a/systemd/system/multi-user.target.wants/bind9.service b/systemd/system/multi-user.target.wants/bind9.service new file mode 120000 index 0000000..d7c8ee4 --- /dev/null +++ b/systemd/system/multi-user.target.wants/bind9.service @@ -0,0 +1 @@ +/lib/systemd/system/bind9.service \ No newline at end of file diff --git a/ufw/applications.d/bind9 b/ufw/applications.d/bind9 new file mode 100644 index 0000000..6cd6fca --- /dev/null +++ b/ufw/applications.d/bind9 @@ -0,0 +1,5 @@ +[Bind9] +title=Internet Domain Name Server +description=The Berkeley Internet Name Domain (BIND) implements an Internet domain name server. +ports=53 + 
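Review bot: `HashKnownHosts no` replaces the previous `yes` under `Host *`, so every host a user connects to is stored by name in `~/.ssh/known_hosts` in clear text, turning that file into a list of reachable systems for anyone who can read it. If the change is meant to keep the file readable for administrators, hashing can stay on: `ssh-keygen -F <host>` looks up a hashed entry and `ssh-keygen -H` converts an existing file in place. If the setting is intentional, a comment above the line stating why would help the next reviewer, since this is a system-wide client default.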
diff --git a/updatedb.conf b/updatedb.conf new file mode 100644 index 0000000..d0aed08 --- /dev/null +++ b/updatedb.conf @@ -0,0 +1,4 @@ +PRUNE_BIND_MOUNTS="yes" +# PRUNENAMES=".git .bzr .hg .svn" +PRUNEPATHS="/tmp /var/spool /media" +PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre tmpfs usbfs udf fuse.glusterfs fuse.sshfs curlftpfs" diff --git a/xdg/systemd/user b/xdg/systemd/user deleted file mode 120000 index 1c75bd3..0000000 --- a/xdg/systemd/user +++ /dev/null @@ -1 +0,0 @@ -../../systemd/user \ No newline at end of file diff --git a/zsh/newuser.zshrc.recommended b/zsh/newuser.zshrc.recommended new file mode 100644 index 0000000..55be3ab --- /dev/null +++ b/zsh/newuser.zshrc.recommended 
@@ -0,0 +1,37 @@ +# Set up the prompt + +autoload -Uz promptinit +promptinit +prompt adam1 + +setopt histignorealldups sharehistory + +# Use emacs keybindings even if our EDITOR is set to vi +bindkey -e + +# Keep 1000 lines of history within the shell and save it to ~/.zsh_history: +HISTSIZE=1000 +SAVEHIST=1000 +HISTFILE=~/.zsh_history + +# Use modern completion system +autoload -Uz compinit +compinit + +zstyle ':completion:*' auto-description 'specify: %d' +zstyle ':completion:*' completer _expand _complete _correct _approximate +zstyle ':completion:*' format 'Completing %d' +zstyle ':completion:*' group-name '' +zstyle ':completion:*' menu select=2 +eval "$(dircolors -b)" +zstyle ':completion:*:default' list-colors ${(s.:.)LS_COLORS} +zstyle ':completion:*' list-colors '' +zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s +zstyle ':completion:*' matcher-list '' 'm:{a-z}={A-Z}' 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=* l:|=*' +zstyle ':completion:*' menu select=long +zstyle ':completion:*' select-prompt %SScrolling active: current selection at %p%s +zstyle ':completion:*' use-compctl false +zstyle ':completion:*' verbose true + +zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#)*=0=01;31' +zstyle ':completion:*:kill:*' command 'ps -u $USER -o pid,%cpu,tty,cputime,cmd' diff --git a/zsh/zlogin b/zsh/zlogin new file mode 100644 index 0000000..f6cd2f2 --- /dev/null +++ b/zsh/zlogin @@ -0,0 +1,9 @@ +# /etc/zsh/zlogin: system-wide .zlogin file for zsh(1). +# +# This file is sourced only for login shells. It +# should contain commands that should be executed only +# in login shells. It should be used to set the terminal +# type and run a series of external commands (fortune, +# msgs, from, etc.) +# +# Global Order: zshenv, zprofile, zshrc, zlogin diff --git a/zsh/zlogout b/zsh/zlogout new file mode 100644 index 0000000..22d842f --- /dev/null +++ b/zsh/zlogout 
@@ -0,0 +1 @@ +# /etc/zsh/zlogout: system-wide .zlogout file for zsh(1). diff --git a/zsh/zprofile b/zsh/zprofile new file mode 100644 index 0000000..09db6f5 --- /dev/null +++ b/zsh/zprofile @@ -0,0 +1,7 @@ +# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1). +# +# This file is sourced only for login shells (i.e. shells +# invoked with "-" as the first character of argv[0], and +# shells invoked with the -l flag.) +# +# Global Order: zshenv, zprofile, zshrc, zlogin diff --git a/zsh/zshenv b/zsh/zshenv new file mode 100644 index 0000000..e2613c3 --- /dev/null +++ b/zsh/zshenv @@ -0,0 +1,18 @@ +# /etc/zsh/zshenv: system-wide .zshenv file for zsh(1). +# +# This file is sourced on all invocations of the shell. +# If the -f flag is present or if the NO_RCS option is +# set within this file, all other initialization files +# are skipped. +# +# This file should contain commands to set the command +# search path, plus other important environment variables. +# This file should not contain commands that produce +# output or assume the shell is attached to a tty. +# +# Global Order: zshenv, zprofile, zshrc, zlogin + +if [[ -z "$PATH" || "$PATH" == "/bin:/usr/bin" ]] +then + export PATH="/usr/local/bin:/usr/bin:/bin:/usr/games" +fi diff --git a/zsh/zshrc b/zsh/zshrc new file mode 100644 index 0000000..84d644d --- /dev/null +++ b/zsh/zshrc 
@@ -0,0 +1,104 @@ +# /etc/zsh/zshrc: system-wide .zshrc file for zsh(1). +# +# This file is sourced only for interactive shells. It +# should contain commands to set up aliases, functions, +# options, key bindings, etc. +# +# Global Order: zshenv, zprofile, zshrc, zlogin + +READNULLCMD=${PAGER:-/usr/bin/pager} + +# An array to note missing features to ease diagnosis in case of problems. +typeset -ga debian_missing_features + +if [[ -z "$DEBIAN_PREVENT_KEYBOARD_CHANGES" ]] && + [[ "$TERM" != 'emacs' ]] +then + + typeset -A key + key=( + BackSpace "${terminfo[kbs]}" + Home "${terminfo[khome]}" + End "${terminfo[kend]}" + Insert "${terminfo[kich1]}" + Delete "${terminfo[kdch1]}" + Up "${terminfo[kcuu1]}" + Down "${terminfo[kcud1]}" + Left "${terminfo[kcub1]}" + Right "${terminfo[kcuf1]}" + PageUp "${terminfo[kpp]}" + PageDown "${terminfo[knp]}" + ) + + function bind2maps () { + local i sequence widget + local -a maps + + while [[ "$1" != "--" ]]; do + maps+=( "$1" ) + shift + done + shift + + sequence="${key[$1]}" + widget="$2" + + [[ -z "$sequence" ]] && return 1 + + for i in "${maps[@]}"; do + bindkey -M "$i" "$sequence" "$widget" + done + } + + bind2maps emacs -- BackSpace backward-delete-char + bind2maps viins -- BackSpace vi-backward-delete-char + bind2maps vicmd -- BackSpace vi-backward-char + bind2maps emacs -- Home beginning-of-line + bind2maps viins vicmd -- Home vi-beginning-of-line + bind2maps emacs -- End end-of-line + bind2maps viins vicmd -- End vi-end-of-line + bind2maps emacs viins -- Insert overwrite-mode + bind2maps vicmd -- Insert vi-insert + bind2maps emacs -- Delete delete-char + bind2maps viins vicmd -- Delete vi-delete-char + bind2maps emacs viins vicmd -- Up up-line-or-history + bind2maps emacs viins vicmd -- Down down-line-or-history + bind2maps emacs -- Left backward-char + bind2maps viins vicmd -- Left vi-backward-char + bind2maps emacs -- Right forward-char + bind2maps viins vicmd -- Right vi-forward-char + + # Make sure the terminal is in 
application mode, when zle is + # active. Only then are the values from $terminfo valid. + if (( ${+terminfo[smkx]} )) && (( ${+terminfo[rmkx]} )); then + function zle-line-init () { + emulate -L zsh + printf '%s' ${terminfo[smkx]} + } + function zle-line-finish () { + emulate -L zsh + printf '%s' ${terminfo[rmkx]} + } + zle -N zle-line-init + zle -N zle-line-finish + else + for i in {s,r}mkx; do + (( ${+terminfo[$i]} )) || debian_missing_features+=($i) + done + unset i + fi + + unfunction bind2maps + +fi # [[ -z "$DEBIAN_PREVENT_KEYBOARD_CHANGES" ]] && [[ "$TERM" != 'emacs' ]] + +zstyle ':completion:*:sudo:*' command-path /usr/local/sbin \ + /usr/local/bin \ + /usr/sbin \ + /usr/bin \ + /sbin \ + /bin \ + /usr/X11R6/bin + +(( ${+aliases[run-help]} )) && unalias run-help +autoload -Uz run-help -- 2.39.5