From d78a720b55f653451c4f90e176216fd73724bfdc Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Wed, 27 Sep 2023 23:53:27 +0200
Subject: [PATCH] Remove instructions covered by automation from documentation.
---
README | 13 ----------
ca/README | 5 ----
dovecot/README | 69 +++----------------------------------------------
fail2ban/README | 16 ------------
git/README | 56 +--------------------------------------
matrix/README | 21 ---------------
nginx/README | 42 ------------------------------
opendkim/README | 15 -----------
postfix/README | 28 --------------------
postgres/README | 42 ------------------------------
sshd/README | 17 ------------
11 files changed, 4 insertions(+), 320 deletions(-)
delete mode 100644 README
diff --git a/README b/README
deleted file mode 100644
index 62479e6..0000000
--- a/README
+++ /dev/null
@@ -1,13 +0,0 @@
-server
-======
-
-Configuration files for services deployed on a server. Each directory contains
-files for a single service. For example,
-
-sshd -- Configuration for the SSH server service.
-|
-|-> README -- Instructions for working with the service.
-|-> sshd_config -- Configuration of the service.
-`-> ssh.service -- systemd [1] unit file for the service.
-
-[1] systemd :: https://www.freedesktop.org/software/systemd/man/systemd.html
diff --git a/ca/README b/ca/README
index ae17dc8..d3d6c81 100644
--- a/ca/README
+++ b/ca/README
@@ -6,11 +6,6 @@ A private certificate authority (CA) for signing own certificates. Install ------- -``` -$ mkdir certs -$ mkdir --mode=700 private certs/private -``` - Answer "." to each option except for `commonName`. Enter a password. `.pem` is an instance of `.crt` [1].
diff --git a/dovecot/README b/dovecot/README
index dc0bc80..f5f8f45 100644
--- a/dovecot/README
+++ b/dovecot/README
@@ -10,39 +10,7 @@ Verify configuration: dovecot -n ``` -Files ------ - -dovecot -| -|-> dovecot.conf -- /etc/dovecot/ -|-> dovecot-dict-auth.conf.ext -- /etc/dovecot/ -|-> dovecot-dict-sql.conf.ext -- /etc/dovecot/ -|-> dovecot-sql.conf.ext -- /etc/dovecot/ -|-> 10-auth.conf -- /etc/dovecot/conf.d/ -|-> 10-director.conf -- /etc/dovecot/conf.d/ -|-> 10-logging.conf -- /etc/dovecot/conf.d/ -|-> 10-mail.conf -- /etc/dovecot/conf.d/ -|-> 10-master.conf -- /etc/dovecot/conf.d/ -|-> 10-ssl.conf -- /etc/dovecot/conf.d/ -|-> 10-tcpwrapper.conf -- /etc/dovecot/conf.d/ -|-> 15-lda.conf -- /etc/dovecot/conf.d/ -|-> 15-mailboxes.conf -- /etc/dovecot/conf.d/ -|-> 20-imap.conf -- /etc/dovecot/conf.d/ -|-> 20-lmtp.conf -- /etc/dovecot/conf.d/ -|-> 90-acl.conf -- /etc/dovecot/conf.d/ -|-> 90-plugin.conf -- /etc/dovecot/conf.d/ -|-> 90-quota.conf -- /etc/dovecot/conf.d/ -|-> auth-checkpassword.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-deny.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-dict.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-master.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-passwdfile.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-sql.conf.ext -- /etc/dovecot/conf.d/ -|-> auth-static.conf.ext -- /etc/dovecot/conf.d/ -`-> auth-system.conf.ext -- /etc/dovecot/conf.d/ - -SSL +DNS --- Add DNS records. If no MX record is present, mail servers fall back to the A
@@ -57,30 +25,8 @@ example.com. 0 TXT v=spf1 ip4= ip6= ~all _dmarc.example.com. 0 TXT v=DMARC1; p=none; rua=mailto: ``` -Install `certbot`. - -``` -$ apt install certbot -``` - -Create a certificate with a generic name and add all domains under it. - -``` -$ certbot certonly --manual --preferred-challenges dns --cert-name mail \ - -d mail. -d mail. -``` - -Install -------- - -Each package corresponds to a plugin: - -``` -$ apt install dovecot-imapd dovecot-lmtpd dovecot-pgsql -``` - -Tables ------- +Database +-------- Create database `mail_db`.
@@ -97,15 +43,6 @@ psql --dbname=mail_db --file=databases/mail/mail_db_create.sql Mailbox ------- -Use `vmail` user for virtual mailboxes. - -``` -$ useradd --home-dir /var/vmail --shell /usr/sbin/nologin --lock \ - --create-home vmail -$ touch /var/log/dovecot.log /var/log/dovecot-info.log -$ chown vmail:vmail /var/log/{dovecot.log,dovecot-info.log} -``` - Create mailboxes. ```
diff --git a/fail2ban/README b/fail2ban/README
index 5663cb8..56fdfc2 100644
--- a/fail2ban/README
+++ b/fail2ban/README
@@ -5,22 +5,6 @@ fail2ban clients. If the frequency of failed logins increases sharply (DDoS attack), `fail2ban` will temporarly ban the specific IP address for that service. -Files ------ - -fail2ban -| -|-> paths-common.conf -- /etc/fail2ban/ -|-> fail2ban.local -- /etc/fail2ban/ -`-> jail.local -- /etc/fail2ban/ - -Install -------- - -``` -$ apt install fail2ban -``` - Programs --------
diff --git a/git/README b/git/README
index c287b6e..400a658 100644
--- a/git/README
+++ b/git/README
@@ -1,13 +1,6 @@ git === -Files ------ - -gitweb -| -`-> gitweb.conf -- /etc - DNS ---
@@ -17,64 +10,17 @@ Set up and git.. AAAA git. CNAME -SSL ---- - -Obtain a certificate with `certbot-nginx`. - -Install -------- - -Install packages. - -``` -$ apt install fcgiwrap gitweb -``` - -Start services. - -``` -$ systemctl start fcgiwrap -``` - Notes ----- -Create a new user. - -``` -$ apt install git -$ adduser git # -``` - -Allow connection only with SSH keys. - -``` -$ chmod 400 ${SSH_DIR}/id_rsa* -$ ssh-copy-id -i ${SSH_DIR}/id_rsa git@ -``` - -Login with SSH key. - -``` -$ ssh -i ${SSH_DIR}/id_rsa git@ -``` - -Disable login with password. - -``` -$ passwd --lock git -``` - Create new bare repository. ``` -$ mkdir $ git init --bare ``` Put repositories under `/srv/git` and change ownership. ``` -$ chgrp -R www-data /srv/git +$ chown -R git:www-data /srv/git ```
diff --git a/matrix/README b/matrix/README
index 315bc49..68afbee 100644
--- a/matrix/README
+++ b/matrix/README
@@ -14,27 +14,6 @@ Set up and matrix.. AAAA matrix. CNAME -SSL ---- - -Obtain a certificate with `certbot-nginx`. - -Files ------ - -matrix -| -|-> homeserver.yaml -- /etc/matrix-synapse/ :: server configuration -|-> server_name.yaml -- /etc/matrix-synapse/conf.d/ :: server name -`-> report_stats.yaml -- /etc/matrix-synapse/conf.d/ - -Install -------- - -``` -$ apt install matrix-synapse -``` - Users -----
diff --git a/nginx/README b/nginx/README
index 3fa51ef..7b6f2ef 100644
--- a/nginx/README
+++ b/nginx/README
@@ -3,45 +3,3 @@ nginx Load balancer and reverse proxy. Listens on ports and forwards requests according to rules. Protects connections with SSL. - -Files ------ - -nginx -| -|-> nginx.conf -- /etc/nginx/ :: Main configuration. -|-> mime.types -- /etc/nginx/ :: Available mime types. -|-> .template -- /etc/nginx/sites-available/. -`-> matrix..template -- /etc/nginx/sites-available. - -SSL ---- - -`certbot` integrates with `nginx`. - -``` -$ apt install python3-certbot-nginx -``` - -Obtain a certificate for domains. - -``` -$ certbot certonly --nginx -d -d -``` - -Install -------- - -``` -$ apt install nginx -``` - -Sites ------ - -Substitute `<...>` patterns in `*.template` files. Create symbolic links for -files in /etc/nginx/sites-available. - -``` -$ ln -s /etc/nginx/sites-available/{...} /etc/nginx/sites-enabled -```
diff --git a/opendkim/README b/opendkim/README
index e111608..a8fa145 100644
--- a/opendkim/README
+++ b/opendkim/README
@@ -6,14 +6,6 @@ allows recipients to verify if an email message truly came from the domain that it claims to have come from. It uses the /milter/ interface to provide DKIM signing. -Files ------ - -opendkim -| -|-> opendkim -- /etc/default :: service configuration -`-> opendkim.conf -- /etc/ :: configuration parameters - Notes -----
@@ -35,10 +27,3 @@ psql -U postgres -d mail_db \ ``` Add `/etc/opendkim/keys//.txt` as a DNS record. - -Install -------- - -``` -$ apt install opendkim libopendbx1-pgsql -```
diff --git a/postfix/README b/postfix/README
index ae1d999..979bcf4 100644
--- a/postfix/README
+++ b/postfix/README
@@ -4,34 +4,6 @@ postfix MTA (Mail Transfer Agent) server. Clients or other email servers connect to `postfix` to transfer their email with Simple Mail Transfer Protocol (SMTP). -Files ------ - -`master.cf` configures the postfix daemon and `main.cf` configures the MTA -server. Only root should have write permissions to these files. - -postfix -| -|-> main.cf -- /etc/postfix/ :: configuration parameters -|-> master.cf -- /etc/postfix/ :: postfix daemon -`-> address_book.cf -- /etc/postfix/ :: FROM query - -Install -------- - -``` -$ apt install postfix -``` - -Notes ------ - -Set MTA server hostname, which is used by `$myhostname`. - -``` -$ hostname -``` - Resources ---------
diff --git a/postgres/README b/postgres/README
index ada20c2..a496f00 100644
--- a/postgres/README
+++ b/postgres/README
@@ -3,14 +3,6 @@ postgres Relational database. -Files ------ - -postgres -| -|-> pg_hba.conf -- /etc/postgresql/$(version)/main/ -`-> postgresql.conf -- /etc/postgresql/$(version)/main/ - DNS ---
@@ -20,33 +12,6 @@ Set up and psql.. AAAA psql. CNAME -SSL ---- - -Postgres uses both server- and client-side certificates. Whenever a client tries -to connect, verifies server's certificate and then presents their certificate. - -SSL (server) ------------- - -Obtain a certificate with `certbot`. - -``` -$ certbot certonly --standalone -d psql. -``` - -Copy the certificate to a directory owned by `postgres`. Change its ownership and -permissions. - -``` -$ mkdir /etc/postgresql//main/private -$ chmod 700 /etc/postgresql//main/private -$ cp /etc/letsencrypt/live/psql./{fullchain.pem,privkey.pem} \ - /etc/postgresql//main/private/ -$ chmod 600 /etc/postgresql//main/private/{fullchain.pem,privkey.pem} -$ chown postgres:postgres -R /etc/postgresql//main/private -``` - SSL (client) ------------
@@ -76,10 +41,3 @@ psql "host=psql. sslcert=.crt sslkey=.key user= \ dbname= sslrootcert=/etc/ssl/certs/ca-certificates.crt \ sslmode=verify-full" ``` - -Install -------- - -``` -$ apt install postgresql -```
diff --git a/sshd/README b/sshd/README
index d2ae1eb..a1bcfef 100644
--- a/sshd/README
+++ b/sshd/README
@@ -3,23 +3,6 @@ sshd SSH server [1]. -Files ------ - -sshd -| -|-> sshd_config -- /etc/ssh/ -`-> ssh.service -- /etc/systemd/system/ - -Updates -------- - -After updating `/etc/ssh/sshd_config`, reload the service. - -``` -$ systemctl reload ssh -``` - SSL --- -- 2.39.5