From: Shane Jaroch
Date: Sat, 27 Dec 2025 19:15:22 +0000 (-0500)
Subject: [dev filter] encrypt & re-add
X-Git-Url: https://git.nutra.tk/v2?a=commitdiff_plain;h=bf992098a7873e1d68f650213afaaa7c5b88bd1c;p=nutratech%2Fvps-root.git
[dev filter] encrypt & re-add
---
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/A203106C7B035A2793076ADBC96CF8D69243BDFD.gpg b/.git-crypt/keys/default/0/A203106C7B035A2793076ADBC96CF8D69243BDFD.gpg
new file mode 100644
index 0000000..8dc34b1
Binary files /dev/null and b/.git-crypt/keys/default/0/A203106C7B035A2793076ADBC96CF8D69243BDFD.gpg differ
diff --git a/.git-crypt/keys/default/0/C5235971BD1493F85AFA66E3CC4EBE9F2784B4AD.gpg b/.git-crypt/keys/default/0/C5235971BD1493F85AFA66E3CC4EBE9F2784B4AD.gpg
new file mode 100644
index 0000000..1c266d9
Binary files /dev/null and b/.git-crypt/keys/default/0/C5235971BD1493F85AFA66E3CC4EBE9F2784B4AD.gpg differ
diff --git a/.git-crypt/keys/default/0/C6662F132E169C4802627B1ECDBCCB44A608363E.gpg b/.git-crypt/keys/default/0/C6662F132E169C4802627B1ECDBCCB44A608363E.gpg
new file mode 100644
index 0000000..d56a8a9
Binary files /dev/null and b/.git-crypt/keys/default/0/C6662F132E169C4802627B1ECDBCCB44A608363E.gpg differ
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..079d43c
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,8 @@
+etc/matrix-synapse/homeserver.yaml filter=git-crypt diff=git-crypt
+etc/matrix-synapse/homeserver.signing.key filter=git-crypt diff=git-crypt
+etc/nutra.env filter=git-crypt diff=git-crypt
+etc/nginx/conf.d/secrets.conf filter=git-crypt diff=git-crypt
+etc/postgresql/**/*.conf filter=git-crypt diff=git-crypt
+etc/postgresql/**/pg_hba.conf filter=git-crypt diff=git-crypt
+etc/systemd/system/*.service filter=git-crypt diff=git-crypt
+etc/postfix/main.cf filter=git-crypt diff=git-crypt
diff --git a/etc/letsencrypt/options-ssl-nginx.conf b/etc/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 0000000..a4cea14
--- /dev/null
+++ b/etc/letsencrypt/options-ssl-nginx.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
diff --git a/etc/matrix-synapse/homeserver.signing.key b/etc/matrix-synapse/homeserver.signing.key
new file mode 100644
index 0000000..dd76cf1
Binary files /dev/null and b/etc/matrix-synapse/homeserver.signing.key differ
diff --git a/etc/matrix-synapse/homeserver.yaml b/etc/matrix-synapse/homeserver.yaml
new file mode 100644
index 0000000..39052f5
Binary files /dev/null and b/etc/matrix-synapse/homeserver.yaml differ
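Review bot: git-crypt only protects content from this commit forward, and the `index` lines further down for etc/postfix/main.cf, etc/postgresql/14/main/pg_hba.conf, etc/postgresql/14/main/postgresql.conf and the three etc/systemd/system/*.service units all show a non-zero old blob, so plaintext versions of those files remain in history; anything secret they held (service `Environment=` values, pg_hba rules with host lists) should be treated as exposed and rotated or the history rewritten, not just encrypted going forward. The pattern `etc/postgresql/**/pg_hba.conf` is already covered by `etc/postgresql/**/*.conf` on the line above and can be dropped. etc/ssh/sshd_config is added as a binary blob below although no pattern here matches it; confirm with `git-crypt status` that it is really encrypted and, if that is the intent, add `etc/ssh/sshd_config filter=git-crypt diff=git-crypt` so the rule is explicit. A short comment at the top naming the three collaborator keys under .git-crypt/keys/default/0/ would also help, since removing a collaborator later requires re-keying rather than just deleting the .gpg file.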
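Review bot: `ECDHE-RSA-AES128-SHA` at the end of `ssl_ciphers` is the only CBC/HMAC-SHA1 suite in an otherwise AEAD-only list, and `ssl_prefer_server_ciphers on;` differs from the Mozilla intermediate profile the header cites, which as far as I recall ends the list with `DHE-RSA-CHACHA20-POLY1305` and sets `ssl_prefer_server_ciphers off;`. If these were hand-edited for a specific legacy client, record that in the file, e.g. `# NOTE: ECDHE-RSA-AES128-SHA added for <client>; differs from the Certbot/Mozilla template`; otherwise drop the suite and set `ssl_prefer_server_ciphers off;`. The header itself says Certbot stops auto-updating a modified copy, so whichever way this goes, the deviation (or the Certbot version it was generated by) should be stated so the next maintainer does not have to diff it against upstream.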
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index caa0d31..68b154b 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -23,7 +23,8 @@ server {
 proxy_request_buffering off;
 proxy_buffering off;
 # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
- proxy_set_header forwarded "$proxy_forwarded;secret=\"REDACTED\"";
+ # and stored in: /etc/nginx/conf.d/secrets.conf
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
 # Allow websockets and keep-alive (avoid connection: close)
 proxy_set_header connection "upgrade";
 proxy_set_header upgrade $http_upgrade;
diff --git a/etc/nginx/conf.d/secrets.conf b/etc/nginx/conf.d/secrets.conf
new file mode 100644
index 0000000..b8928ab
Binary files /dev/null and b/etc/nginx/conf.d/secrets.conf differ
diff --git a/etc/nutra.env b/etc/nutra.env
new file mode 100644
index 0000000..8a237c5
Binary files /dev/null and b/etc/nutra.env differ
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index f904ecd..e2d7e9a 100644
Binary files a/etc/postfix/main.cf and b/etc/postfix/main.cf differ
diff --git a/etc/postgresql/14/main/pg_hba.conf b/etc/postgresql/14/main/pg_hba.conf
index ac32ace..07a0d76 100644
Binary files a/etc/postgresql/14/main/pg_hba.conf and b/etc/postgresql/14/main/pg_hba.conf differ
diff --git a/etc/postgresql/14/main/postgresql.conf b/etc/postgresql/14/main/postgresql.conf
index 28fcb9c..e5df3ab 100644
Binary files a/etc/postgresql/14/main/postgresql.conf and b/etc/postgresql/14/main/postgresql.conf differ
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 0000000..6c4d755
Binary files /dev/null and b/etc/ssh/sshd_config differ
diff --git a/etc/sudoers b/etc/sudoers
new file mode 100644
index 0000000..1384373
--- /dev/null
+++ b/etc/sudoers
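Review bot: The new `proxy_set_header forwarded` line makes nginx startup depend on `$proxy_secret_key`, which is presumably declared in secrets.conf; that file is git-crypt encrypted, so a checkout that has not been unlocked leaves it as ciphertext and nginx will refuse to load, and the added comment only gives the file name rather than that contract. Suggest replacing the two comment lines with `# Forwarded-header secret (app.config.FORWARDED_SECRET); $proxy_secret_key is set in` / `# /etc/nginx/conf.d/secrets.conf (git-crypt) - nginx fails to start until that file is decrypted`. The removed line carried the literal `REDACTED`, so no real secret appears to have been in this file before and no rotation is implied by this hunk. The enclosing `server { … }` block begins and ends outside the hunk.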
@@ -0,0 +1,54 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
+Defaults use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/etc/sudoers.d/private-rules b/etc/sudoers.d/private-rules
new file mode 100644
index 0000000..82580c6
--- /dev/null
+++ b/etc/sudoers.d/private-rules
@@ -0,0 +1,4 @@
+# Allow GitHub action to restart systemctl without entering password
+#shane ALL = NOPASSWD: /bin/systemctl
+github ALL = NOPASSWD: /bin/systemctl
+
diff --git a/etc/systemd/system/ghrunner.service b/etc/systemd/system/ghrunner.service
index 07d5f66..5dfdc07 100644
Binary files a/etc/systemd/system/ghrunner.service and b/etc/systemd/system/ghrunner.service differ
diff --git a/etc/systemd/system/minio.service b/etc/systemd/system/minio.service
index d63a300..2fb4578 100644
Binary files a/etc/systemd/system/minio.service and b/etc/systemd/system/minio.service differ
diff --git a/etc/systemd/system/ntserv.service b/etc/systemd/system/ntserv.service
index ad798ee..1d3ef9d 100644
Binary files a/etc/systemd/system/ntserv.service and b/etc/systemd/system/ntserv.service differ
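Review bot: `github ALL = NOPASSWD: /bin/systemctl` gives the `github` account unrestricted root `systemctl`, which is equivalent to root: `systemctl edit <unit>` opens an editor as root, `systemctl link` plus `start` runs any unit file the runner writes, `systemctl set-environment` poisons the manager, and the pager spawned by `systemctl status` allows `!sh`. The comment says the action only needs to restart services, so pin the verb and the unit names, e.g. `github ALL = (root) NOPASSWD: /bin/systemctl restart ntserv.service, /bin/systemctl restart minio.service` (the unit names are a guess from the services touched in this commit; use the ones the workflow actually restarts). Once arguments are listed sudo matches the full command line, so the workflow must call `/bin/systemctl restart <unit>` exactly as written here, and the commented `#shane` line should go rather than stay as a template for the same over-broad grant.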