From 3792612e41649738053ff29f84fea07f0dc0cb17 Mon Sep 17 00:00:00 2001 From: Dominic Ricottone Date: Tue, 30 Aug 2022 20:45:37 -0500 Subject: [PATCH] Initial commit Site not yet working. Cannot reach meta.intra.dominic-ricottone.com (502 Bad Gateway). Cannot get CGI or PHP FastCGI test scripts to work reliably (502 Bad Gateway or 403 Forbidden). But static HTML is working great, so the NGINX server is at least minimally working. postgres database is working, though no migrations have been tested. redis database is unknown. postfix service is working within the container. Whether the sourcehut services are configured to use it properly or not is unknown. Need to find a better way to redact sensitive information than manual edits. --- .gitignore | 4 + Dockerfile | 56 ++ Makefile | 20 + README.md | 39 ++ etc/apk/repositories | 3 + etc/nginx/graphql.conf | 18 + etc/nginx/headers.conf | 3 + etc/nginx/http.d/default.conf | 0 etc/nginx/http.d/git.conf | 45 ++ etc/nginx/http.d/lists.conf | 25 + etc/nginx/http.d/meta.conf | 29 ++ etc/nginx/http.d/test.conf | 39 ++ etc/nginx/http.d/todo.conf | 26 + etc/nginx/nginx.conf | 35 ++ etc/nginx/web.conf | 5 + etc/postfix/generic | 2 + etc/postfix/main.cf | 678 +++++++++++++++++++++++++ etc/postfix/master.cf | 137 +++++ etc/postfix/sasl/sasl_passwd | 1 + etc/postfix/transport | 3 + etc/postgresql/postgresql.conf | 619 ++++++++++++++++++++++ etc/sr.ht/config.ini | 210 ++++++++ etc/supervisor/conf.d/supervisord.conf | 50 ++ usr/share/nginx/html/index.html | 12 + usr/share/nginx/html/test.cgi | 4 + usr/share/nginx/html/test.php | 2 + 26 files changed, 2065 insertions(+) create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 Makefile create mode 100644 README.md create mode 100644 etc/apk/repositories create mode 100644 etc/nginx/graphql.conf create mode 100644 etc/nginx/headers.conf create mode 100644 etc/nginx/http.d/default.conf create mode 100644 etc/nginx/http.d/git.conf create mode 100644 etc/nginx/http.d/lists.conf create mode 100644 etc/nginx/http.d/meta.conf create mode 100644 etc/nginx/http.d/test.conf create mode 100644 etc/nginx/http.d/todo.conf create mode 100644 etc/nginx/nginx.conf create mode 100644 etc/nginx/web.conf create mode 100644 etc/postfix/generic create mode 100644 etc/postfix/main.cf create mode 100644 etc/postfix/master.cf create mode 100644 etc/postfix/sasl/sasl_passwd create mode 100644 etc/postfix/transport create mode 100644 etc/postgresql/postgresql.conf create mode 100644 etc/sr.ht/config.ini create mode 100644 etc/supervisor/conf.d/supervisord.conf create mode 100644 usr/share/nginx/html/index.html create mode 100644 usr/share/nginx/html/test.cgi create mode 100644 usr/share/nginx/html/test.php diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7e73b0e --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +etc/sr.ht/pgp.key +etc/sr.ht/pgp.pubkey +postgresql-data +redis-data diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..38aab1f --- /dev/null +++ b/Dockerfile @@ -0,0 +1,56 @@ +FROM alpine:3.15 +COPY etc/apk/repositories /etc/apk/repositories +RUN wget --quiet --output-document=/etc/apk/keys/alpine@sr.ht.rsa.pub https://mirror.sr.ht/alpine/alpine@sr.ht.rsa.pub +RUN apk update +RUN apk add redis postgresql14 postfix meta.sr.ht git.sr.ht todo.sr.ht supervisor nginx fcgiwrap spawn-fcgi py3-gunicorn celery + +# setup directories +RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl +RUN mkdir /data +RUN mkdir /var/lib/postgresql/data && chown postgres:postgres /var/lib/postgresql/data && chmod 750 /var/lib/postgresql/data +RUN mkdir /run/postgresql && chown postgres:postgres /run/postgresql +RUN mkdir /var/log/supervisord + +# setup nginx +COPY etc/nginx/nginx.conf /etc/nginx/nginx.conf +COPY etc/nginx/graphql.conf /etc/nginx/graphql.conf +COPY etc/nginx/headers.conf /etc/nginx/headers.conf +COPY etc/nginx/web.conf /etc/nginx/web.conf +COPY etc/nginx/http.d/test.conf /etc/nginx/http.d/test.conf +COPY --chown=nginx:nginx usr/share/nginx/html/index.html /usr/share/nginx/html/index.html +COPY --chown=nginx:nginx usr/share/nginx/html/test.cgi /usr/share/nginx/html/test.cgi +COPY --chown=nginx:nginx usr/share/nginx/html/test.php /usr/share/nginx/html/test.php +COPY etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf +COPY etc/nginx/http.d/git.conf /etc/nginx/http.d/git.conf +COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf +COPY etc/nginx/http.d/meta.conf /etc/nginx/http.d/meta.conf +COPY etc/nginx/http.d/todo.conf /etc/nginx/http.d/todo.conf + +# setup postfix +COPY etc/postfix/main.cf /etc/postfix/main.cf +COPY etc/postfix/master.cf /etc/postfix/master.cf +COPY etc/postfix/transport /etc/postfix/transport +RUN postmap /etc/postfix/transport +COPY etc/postfix/generic /etc/postfix/generic +RUN postmap /etc/postfix/generic +COPY etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd +RUN postmap /etc/postfix/sasl/sasl_passwd + +# setup redis +VOLUME /data + +# setup postgresql +VOLUME /var/lib/postgresql/data +COPY --chown=postgres:postgres etc/postgresql/postgresql.conf /etc/postgresql/postgresql.conf + +# setup sourcehut +COPY etc/sr.ht/config.ini /etc/sr.ht/config.ini +COPY etc/sr.ht/pgp.key /etc/sr.ht/pgp.key +COPY etc/sr.ht/pgp.pubkey /etc/sr.ht/pgp.pubkey + +# setup supervisor +USER root +EXPOSE 8080 +COPY etc/supervisor/conf.d/supervisord.conf /etc/supervisor/conf.d/supervisord.conf +CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"] + diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..3adb176 --- /dev/null +++ b/Makefile @@ -0,0 +1,20 @@ +image: + docker build . --tag tatooine + +clean: + docker rm --force tatooine-dev + +run: + docker run -it --name tatooine-dev \ + --hostname tatooine -p 80:8080 \ + --mount type=bind,src=/home/al_dente/dev/huttese/redis-data,dst=/data \ + --mount type=bind,src=/home/al_dente/dev/huttese/postgresql-data,dst=/var/lib/postgresql/data \ + tatooine + +start: + docker run --detach --name tatooine-dev \ + --hostname tatooine -p 80:8080 \ + --mount type=bind,src=/home/al_dente/dev/huttese/redis-data,dst=/data \ + --mount type=bind,src=/home/al_dente/dev/huttese/postgresql-data,dst=/var/lib/postgresql/data \ + tatooine + diff --git a/README.md b/README.md new file mode 100644 index 0000000..91de504 --- /dev/null +++ b/README.md @@ -0,0 +1,39 @@ +## Usage + +Disable the haproxy docker container. + +Paste the following into the hosts file: + +``` +127.0.0.1 git.intra.dominic-ricottone.com lists.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com +``` + +Run `make clean && make run`. + + +## To-Do + +nginx proxying is not working + +need metasrht service to become accessible so that i can register oauth for git, lists, todo services + +should also setup the metasrht-webhook process (celery -A metasrht.webhooks worker --loglevel=info) + +maybe should run migration (metasrht-migrate -a upgrade head) every time? + +most importantly, need to figure out how to secure pgp keys, worker private key, network private key, and webhook private key + + +## Installation + +Run `make image && make start`. + +On first run, these need to be done manually. Or at least after the postgres database is running. + +``` +su - postgres +initdb /var/lib/postgresql/data +createdb -U postgres meta.sr.ht +metasrht-initdb +``` + diff --git a/etc/apk/repositories b/etc/apk/repositories new file mode 100644 index 0000000..f818e7b --- /dev/null +++ b/etc/apk/repositories @@ -0,0 +1,3 @@ +https://mirror.sr.ht/alpine/v3.15/sr.ht +https://dl-cdn.alpinelinux.org/alpine/v3.15/main +https://dl-cdn.alpinelinux.org/alpine/v3.15/community diff --git a/etc/nginx/graphql.conf b/etc/nginx/graphql.conf new file mode 100644 index 0000000..619fb3e --- /dev/null +++ b/etc/nginx/graphql.conf @@ -0,0 +1,18 @@ +real_ip_header X-Forwarded-For; +real_ip_recursive on; +proxy_set_header Host $host; +proxy_set_header X-Forwarded-Proto https; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; +} +add_header 'Access-Control-Allow-Origin' '*'; +add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; +add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; +add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; diff --git a/etc/nginx/headers.conf b/etc/nginx/headers.conf new file mode 100644 index 0000000..45e8bcb --- /dev/null +++ b/etc/nginx/headers.conf @@ -0,0 +1,3 @@ +add_header X-Clacks-Overhead "GNU Terry Pratchett"; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; +add_header Permissions-Policy interest-cohort=(); diff --git a/etc/nginx/http.d/default.conf b/etc/nginx/http.d/default.conf new file mode 100644 index 0000000..e69de29 diff --git a/etc/nginx/http.d/git.conf b/etc/nginx/http.d/git.conf new file mode 100644 index 0000000..8ad15f2 --- /dev/null +++ b/etc/nginx/http.d/git.conf @@ -0,0 +1,45 @@ +server { + listen 8080; + gzip on; + gzip_types text/css text/html; + server_name git.intra.dominic-ricottone.com; + + client_max_body_size 100M; + + location / { + proxy_pass http://localhost:5001; + include headers.conf; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; + include web.conf; + } + + location /query { + proxy_pass http://localhost:5101; + include graphql.conf; + } + + location /static { + root /usr/lib/python3.9/site-packages/gitsrht; + expires 30d; + } + + location = /authorize { + proxy_pass http://localhost:5001; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + } + + location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ { + auth_request /authorize; + root /var/lib/git; + fastcgi_pass localhost:9000; + fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; + fastcgi_param PATH_INFO $uri; + fastcgi_param GIT_PROJECT_ROOT $document_root; + fastcgi_read_timeout 500s; + include fastcgi_params; + gzip off; + } +} + diff --git a/etc/nginx/http.d/lists.conf b/etc/nginx/http.d/lists.conf new file mode 100644 index 0000000..7ee5187 --- /dev/null +++ b/etc/nginx/http.d/lists.conf @@ -0,0 +1,25 @@ +server { + listen 8080; + gzip on; + gzip_types text/css text/html; + server_name lists.intra.dominic-ricottone.com; + client_max_body_size 100M; + + location / { + proxy_pass http://localhost:5006; + include headers.conf; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'"; + include web.conf; + } + + location /query { + proxy_pass http://localhost:5106; + include graphql.conf; + } + + location /static { + root /usr/lib/python3.9/site-packages/listssrht; + expires 30d; + } +} + diff --git a/etc/nginx/http.d/meta.conf b/etc/nginx/http.d/meta.conf new file mode 100644 index 0000000..1a82db6 --- /dev/null +++ b/etc/nginx/http.d/meta.conf @@ -0,0 +1,29 @@ +server { + listen 8080; + gzip on; + gzip_types text/css text/html; + server_name meta.intra.dominic-ricottone.com; + + location / { + proxy_pass http://localhost:5000; + include headers.conf; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always; + include web.conf; + } + + location /register { + proxy_pass http://localhost:5000; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always; + } + + location /query { + proxy_pass http://localhost:5100; + include graphql.conf; + } + + location /static { + root /usr/lib/python3.9/site-packages/metasrht; + expires 30d; + } +} + diff --git a/etc/nginx/http.d/test.conf b/etc/nginx/http.d/test.conf new file mode 100644 index 0000000..8ff742d --- /dev/null +++ b/etc/nginx/http.d/test.conf @@ -0,0 +1,39 @@ +server { + listen 8080 default_server; + server_name _; + + root /usr/share/nginx/html; + + location ~ [^/]\.cgi(/|$) { + fastcgi_split_path_info ^(.+?\.cgi)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass localhost:9000; + fastcgi_index index.php; + + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass localhost:9000; + fastcgi_index index.php; + + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } +} + diff --git a/etc/nginx/http.d/todo.conf b/etc/nginx/http.d/todo.conf new file mode 100644 index 0000000..10c1771 --- /dev/null +++ b/etc/nginx/http.d/todo.conf @@ -0,0 +1,26 @@ +server { + listen 8080; + gzip on; + gzip_types text/css text/html; + server_name todo.intra.dominic-ricottone.com; + + client_max_body_size 100M; + + location / { + proxy_pass http://localhost:5003; + include headers.conf; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; + include web.conf; + } + + location /query { + proxy_pass http://localhost:5103; + include graphql.conf; + } + + location /static { + root /usr/lib/python3.9/site-packages/todosrht; + expires 30d; + } +} + diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf new file mode 100644 index 0000000..b8a52de --- /dev/null +++ b/etc/nginx/nginx.conf @@ -0,0 +1,35 @@ +user nginx; +worker_processes auto; +pcre_jit on; +error_log /var/log/nginx/error.log warn; +include /etc/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + server_tokens off; + client_max_body_size 1m; + sendfile on; + tcp_nopush on; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:2m; + ssl_session_timeout 1h; + ssl_session_tickets off; + gzip_vary on; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + include /etc/nginx/http.d/*.conf; +} + + diff --git a/etc/nginx/web.conf b/etc/nginx/web.conf new file mode 100644 index 0000000..a89f03b --- /dev/null +++ b/etc/nginx/web.conf @@ -0,0 +1,5 @@ +real_ip_header X-Forwarded-For; +real_ip_recursive on; +proxy_set_header Host $host; +proxy_set_header X-Forwarded-Proto https; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/etc/postfix/generic b/etc/postfix/generic new file mode 100644 index 0000000..309f3ca --- /dev/null +++ b/etc/postfix/generic @@ -0,0 +1,2 @@ +@tatooine.localdomain REDACTED +@tatooine REDACTED diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf new file mode 100644 index 0000000..8bdda57 --- /dev/null +++ b/etc/postfix/main.cf @@ -0,0 +1,678 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. + +compatibility_level = 3.6 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. + +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. + +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. + +daemon_directory = /usr/libexec/postfix + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). + +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. + +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. + +myhostname = tatooine + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. + +mydomain = tatooine + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". + +mydestination = $myhostname, localhost.$mydomain, localhost + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. + +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). + +mynetworks = 127.0.0.0/8 + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. + +relayhost = [smtp.gmail.com]:587 +smtp_sasl_auth_enable = yes +smtp_sasl_security_options = noanonymous +smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd +smtp_tls_security_level = encrypt +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +smtp_generic_maps = lmdb:/etc/postfix/generic + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +local_transport = local:$myhostname +transport_maps = lmdb:/etc/postfix/transport + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). + +home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. + +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. + +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen session, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. + +sendmail_path = /usr/sbin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. + +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. + +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. + +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. + +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. + +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. + +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. + +readme_directory = /usr/share/doc/postfix/readme +inet_protocols = ipv4 +meta_directory = /etc/postfix +shlib_directory = /usr/lib/postfix + diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf new file mode 100644 index 0000000..1f63265 --- /dev/null +++ b/etc/postfix/master.cf @@ -0,0 +1,137 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +127.0.0.1:submission inet n - n - - smtpd +#submission inet n - n - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= + -o smtpd_relay_restrictions=permit +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable smtps for loopback clients only, or for any client. +#127.0.0.1:smtps inet n - n - - smtpd +#smtps inet n - n - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - n - - qmqpd +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +#maildrop unix - n n - - pipe +# flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +#uucp unix - n n - - pipe +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# ==================================================================== +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +# +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient +# +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store +# ${nexthop} ${user} ${extension} +# +#mailman unix - n n - - pipe +# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py +# ${nexthop} ${user} diff --git a/etc/postfix/sasl/sasl_passwd b/etc/postfix/sasl/sasl_passwd new file mode 100644 index 0000000..5d235be --- /dev/null +++ b/etc/postfix/sasl/sasl_passwd @@ -0,0 +1 @@ +[smtp.gmail.com]:587 REDACTED diff --git a/etc/postfix/transport b/etc/postfix/transport new file mode 100644 index 0000000..61d8495 --- /dev/null +++ b/etc/postfix/transport @@ -0,0 +1,3 @@ +lists.tatooine.localdomain lmtp:unix:/tmp/lists.sr.ht-lmtp.sock +tatooine.localdomain local:tatooine +tatooine local:tatooine diff --git a/etc/postgresql/postgresql.conf b/etc/postgresql/postgresql.conf new file mode 100644 index 0000000..963ca63 --- /dev/null +++ b/etc/postgresql/postgresql.conf @@ -0,0 +1,619 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: B = bytes Time units: us = microseconds +# kB = kilobytes ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable + +data_directory = '/var/lib/postgresql/data' # use data in another directory +hba_file = '/var/lib/postgresql/data/pg_hba.conf' # host-based authentication file +ident_file = '/var/lib/postgresql/data/pg_ident.conf' # ident configuration file + +# If external_pid_file is not explicitly set, no extra PID file is written. +#external_pid_file = '' # write an extra PID file + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = 'localhost' # comma-separated list of addresses; defaults to 'localhost'; use '*' for all +port = 5432 +#max_connections = 100 +#superuser_reserved_connections = 3 +unix_socket_directories = '/run/postgresql' # comma-separated list of directories +#unix_socket_group = '' +#unix_socket_permissions = 0777 # begin with 0 to use octal notation +bonjour = off +#bonjour_name = '' # defaults to the computer name + +# - TCP settings - +# see "man tcp" for details + +tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; 0 selects the system default +tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; 0 selects the system default +tcp_keepalives_count = 0 # TCP_KEEPCNT; 0 selects the system default +tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; 0 selects the system default + +client_connection_check_interval = 0 # time between checks for client disconnection while running queries; 0 for never + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab' +#krb_caseins_users = off + +# - SSL - + +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_crl_dir = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1.2' +#ssl_max_protocol_version = '' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +#shared_buffers = 32MB # min 128kB +#huge_pages = try # on, off, or try +#huge_page_size = 0 # zero for system default +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature; it is not advisable to set nonzero unless you actively intend to use prepared transactions +#work_mem = 4MB # min 64kB +#hash_mem_multiplier = 1.0 # 1-1000.0 multiplier on hash table work_mem +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#logical_decoding_work_mem = 64MB # min 64kB +#max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option supported by the operating system: mmap, sysv, windows +#dynamic_shared_memory_type = posix # the default is the first option supported by the operating system: posix, sysv, windows, mmap +#min_dynamic_shared_memory = 0MB + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space in kilobytes, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 64 + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 2 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 0 # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#backend_flush_after = 0 # measured in pages, 0 disables +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers = 8 # maximum number of max_worker_processes that can be used in parallel operations +#parallel_leader_participation = on +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical +#fsync = on # flush data to disk for crash safety (turning this off can cause unrecoverable data corruption) +#synchronous_commit = on # synchronization level; off, local, remote_write, remote_apply, on +#wal_sync_method = fsync # the default is the first option supported by the operating system: open_datasync, fdatasync (default on Linux and FreeBSD), fsync, fsync_writethrough, open_sync +#full_page_writes = on # recover from partial page writes +#wal_log_hints = off # also do full page writes of non-critical updates +#wal_compression = off # enable compression of full-page writes +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables +#wal_skip_threshold = 2MB + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 0 # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables +#max_wal_size = 1GB +#min_wal_size = 80MB + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always +#Placeholders for archive_command and restore_command: +# %p = path of file to archive +# %f = file name only +#archive_command = '' # command to use to archive a logfile segment; placeholders: %p = path of file to archive, %f = file name only +#archive_timeout = 0 # force a logfile segment switch after this number of seconds; 0 disables + +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment +#archive_cleanup_command = '' # command to execute at every restartpoint; see placeholders on line 198 +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a consistent state is reached +#recovery_target_name = '' # the named restore point to which recovery will proceed +#recovery_target_time = '' # the time stamp up to which recovery will proceed +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed +#recovery_target_inclusive = on # Specifies whether to stop: just after the specified recovery target (on), or just before the recovery target (off) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the primary and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes +#max_replication_slots = 10 # max number of replication slots +#wal_keep_size = 0 # in megabytes; 0 disables +#max_slot_wal_keep_size = -1 # in megabytes; -1 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables +#track_commit_timestamp = off # collect timestamp of transaction commit + +# - Primary Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep method to choose sync standbys, number of sync standbys, and comma-separated list of application_name from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a primary server. + +#primary_conninfo = '' # connection string to sending server +#primary_slot_name = '' # replication slot on sending server +#promote_trigger_file = '' # file name whose presence ends recovery +#hot_standby = on # "off" disallows queries during recovery +#max_standby_archive_delay = 30s # max delay before canceling queries when reading WAL from archive; -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries when reading streaming WAL; -1 allows indefinite delay +#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name is not set +#wal_receiver_status_interval = 10s # send replies at least this often; 0 disables +#hot_standby_feedback = off # send info from standby to prevent query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for communication from primary in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_async_append = on +#enable_bitmapscan = on +#enable_gathermerge = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_incremental_sort = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_memoize = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_parallel_hash = on +#enable_partition_pruning = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +#jit_above_cost = 100000 # perform JIT compilation if available and query more expensive than this; -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if query is more expensive than this; -1 disables + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#jit = on # allow JIT compilation +#join_collapse_limit = 8 # 1 disables collapsing of explicit JOIN clauses +#plan_cache_mode = auto # auto, force_generic_plan or force_custom_plan + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +log_destination = 'stderr' # Valid values are combinations of stderr, csvlog, syslog, and eventlog, depending on platform. csvlog requires logging_collector to be on. + +# This is used when logging to stderr: +logging_collector = off # Enable capturing of stderr and csvlog into log files. Required to be on for csvlogs. + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, begin with 0 to use octal notation +#log_rotation_age = 1d # Automatic rotation of logfiles will happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will happen after that much log output. 0 disables. +#log_truncate_on_rotation = off # If on, an existing log file with the same name as the new log file will be truncated rather than appended to. But such truncation only occurs on time-driven rotation, not on restarts or size-driven rotation. Default is off, meaning append to existing files in all cases. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (Windows): +#event_source = 'PostgreSQL' + +# - When to Log - + +# Values for log_min_messages and log_min_error_statement: +# debug5 +# debug4 +# debug3 +# debug2 +# debug1 +# info +# notice +# warning +# error +# log +# fatal +# panic +log_min_messages = info + +log_min_error_statement = info # see values on line 368; panic = effectively off + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements and their durations, > 0 logs only statements running at least this number of milliseconds + +#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements and their durations, > 0 logs only a sample of statements running at least this number of milliseconds; sample fraction is determined by log_statement_sample_rate + +#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding log_min_duration_sample to be logged; 1.0 logs all such statements, 0.0 never logs + + +#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements are logged regardless of their duration; 1.0 logs all statements from all transactions, 0.0 never logs + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_autovacuum_min_duration = -1 # log autovacuum activity; -1 disables, 0 logs all actions and their durations, > 0 logs only actions running at least this number of milliseconds. +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +# Placeholders for log_line_prefix: +# %a = application name +# %u = user name +# %d = database name +# %r = remote host and port +# %h = remote host +# %b = backend type +# %p = process ID +# %P = process ID of parallel group leader +# %t = timestamp without milliseconds +# %m = timestamp with milliseconds +# %n = timestamp with milliseconds (as a Unix epoch) +# %Q = query ID (0 if none or not computed) +# %i = command tag +# %e = SQL state +# %c = session ID +# %l = session line number +# %s = session start timestamp +# %v = virtual transaction ID +# %x = transaction ID (0 if none) +# %q = stop here in non-session processes +# %% = '%' +#log_line_prefix = '%m [%p] ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_recovery_conflict_waits = off # log standby recovery conflict waits >= deadlock_timeout +#log_parameter_max_length = -1 # when logging statements, limit logged bind-parameter values to N bytes; -1 means print in full, 0 disables +#log_parameter_max_length_on_error = 0 # when logging an error, limit logged bind-parameter values to N bytes; -1 means print in full, 0 disables +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger than the specified size in kilobytes; -1 disables, 0 logs all temp files +#log_timezone = 'GMT' + + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +#cluster_name = '' # added to process titles if nonempty +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_activity_query_size = 1024 +#track_counts = on +#track_io_timing = off +#track_wal_io_timing = off +#track_functions = none # none, pl, all +#stats_temp_directory = 'pg_stat_tmp' + + +# - Monitoring - + +#compute_query_id = auto +#log_statement_stats = off +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' requires track_counts to also be on. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before vacuum +#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts before vacuum; -1 disables insert vacuums +#autovacuum_analyze_threshold = 50 # min number of row updates before analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table size before insert vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age before forced vacuum +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for autovacuum, in milliseconds; -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for autovacuum, -1 means use vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +# Values for client_min_messages: +# debug5 +# debug4 +# debug3 +# debug2 +# debug1 +# log +# notice +# warning +# error +#client_min_messages = notice +#search_path = '"$user", public' # schema names +#row_security = on +#default_table_access_method = 'heap' +#default_tablespace = '' # a tablespace name, '' uses the default +#default_toast_compression = 'pglz' # 'pglz' or 'lz4' +#temp_tablespaces = '' # a list of tablespace names, '' uses only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#idle_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_table_age = 150000000 +#vacuum_freeze_min_age = 50000000 +#vacuum_failsafe_age = 1600000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_failsafe_age = 1600000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +#datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +#timezone = 'GMT' +#timezone_abbreviations = 'Default' # Select the set of available time zone abbreviations; Default, Australia (historical usage), India; You can create your own file in share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database encoding + +# These settings are initialized by initdb, but they can be changed. +#lc_messages = 'C' # locale for system error message strings +#lc_monetary = 'C' # locale for monetary formatting +#lc_numeric = 'C' # locale for number formatting +#lc_time = 'C' # locale for time formatting + +# default configuration for text search +#default_text_search_config = 'pg_catalog.simple' + +# - Shared Library Preloading - + +#local_preload_libraries = '' +#session_preload_libraries = '' +#shared_preload_libraries = '' # (change requires restart) +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#gin_fuzzy_search_limit = 0 + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 +#max_pred_locks_per_transaction = 64 # min 10 +#max_pred_locks_per_relation = -2 # negative values mean; (max_pred_locks_per_transaction / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#escape_string_warning = on +#lo_compat_privileges = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync data? +#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +#include_dir = '...' # include files ending in '.conf' from a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + diff --git a/etc/sr.ht/config.ini b/etc/sr.ht/config.ini new file mode 100644 index 0000000..b9ffc9b --- /dev/null +++ b/etc/sr.ht/config.ini @@ -0,0 +1,210 @@ +[sr.ht] +site-name=tatooine +site-info=https://dominic-ricottone.com +site-blurb=hutt +owner-name=Dominic Ricottone +owner-email=me@dominic-ricottone.com + +#environment=production +environment=development + +# URL for source code? +source-url=https://git.sr.ht/~sircmpwn/srht +# URL for privacy policy? +privacy-policy= +# Email address to contact regarding security? +security-address= + +# try: `srht-keygen service` +service-key=REDACTED +# try: `srht-keygen network` +network-key=REDACTED + +redis-host=redis://localhost + + +[objects] +s3-upstream= +s3-access-key= +s3-secret-key= + +[mail] +smtp-host=tatooine +smtp-port=25 +smtp-from=hutt@tatooine +smtp-encryption=insecure +smtp-auth=none +smtp-user= +smtp-password= + +# Email address to dump exceptions at? +error-to=me@dominic-ricottone.com +error-from=hutt@tatooine + +pgp-privkey=/etc/sr.ht/pgp.key +pgp-pubkey=/etc/sr.ht/pgp.pubkey +pgp-key-id=REDACTED + + +[webhooks] +# try: `srht-keygen webhook` +private-key=REDACTED + + +[git.sr.ht] +origin=http://git.intra.dominic-ricottone.com +debug-host=0.0.0.0 +debug-port=5001 +api-origin=http://localhost:5101 +# try: meta.localhost/oauth +oauth-client-id=CHANGEME +oauth-client-secret=CHANGEME +repos=/rar/lib/git/ +post-update-script=/usr/bin/gitsrht-update-hook +outgoing-domain=tatooine + +# SQLAlchemy connection string +#connection-string=postgresql://postgres@localhost/git.sr.ht +connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable +migrate-on-upgrade=yes + +# Webhooks connection string +webhooks=redis://localhost:6379/1 + +s3-bucket= +s3-prefix= + + + +[git.sr.ht::api] +max-complexity=200 +max-duration=3s +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + + +[git.sr.ht::dispatch] +/usr/bin/gitsrht-keys=git:git +#/usr/bin/buildsrht-keys=builds:builds + + +[lists.sr.ht] +origin=http://localhost:5006 +# try: meta.localhost/oauth +oauth-client-id= +oauth-client-secret= +api-origin=http://localhost:5106 +posting-domain=lists.tatooine +allow-new-lists=no + +# debug host +debug-host=0.0.0.0 +debug-port=5006 + +# SQLAlchemy connection string +#connection-string=postgresql://postgres@localhost/lists.sr.ht +connection-string=postgresql://postgres@localhost/lists.sr.ht?sslmode=disable +migrate-on-upgrade=yes + +# Webhooks connection string +webhooks=redis://localhost:6379/1 + +# Celery connection string +redis=redis://localhost:6379/0 + +# Trusted upstream SMTP server generating Authentication-Results header fields +msgauth-server=tatooine + + +[lists.sr.ht::worker] +protocol=lmtp +sock=/tmp/lists.sr.ht-lmtp.sock +sock-group=postfix + +# Content types to reject? +reject-mimetypes=text/html + +# URL for rejection notice? +reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md + + +[lists.sr.ht::api] +max-complexity=200 +max-duration=90s +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + + +[lists.sr.ht::redirects] + + +[meta.sr.ht] +origin=http://localhost:5000 +welcome-emails=no +api-origin=http://localhost:5100 + +# Debug host +debug-host=0.0.0.0 +debug-port=5000 + +# SQLAlchemy connection string +#connection-string=postgresql://postgres@localhost/meta.sr.ht +connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable +migrate-on-upgrade=yes + +# Webhooks connection string +webhooks=redis://localhost:6379/1 + + +[meta.sr.ht::api] +max-complexity=200 +max-duration=3s +internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8 + + +[meta.sr.ht::settings] +registration=no +onboarding-redirect=https://dominic-ricottone.com +user-invites=0 + + +[meta.sr.ht::aliases] + + +[meta.sr.ht::billing] +enabled=no + +# Stripe API +stripe-public-key= +stripe-secret-key= + + +[meta.sr.ht::auth] +#auth-method=unix-pam +auth-method=builtin + + +[meta.sr.ht::auth::unix-pam] +email-default-domain=dominic-ricottone.com +service=sshd +admin-group=wheel +create-users=no +user-group=srht + + +[todo.sr.ht] +origin=http://localhost:5003 +debug-host=0.0.0.0 +debug-port=5003 +# try: meta.localhost/oauth +oauth-client-id= +oauth-client-secret= +notify-from=hutt@tatooine + +# SQLAlchemy connection string +#connection-string=postgresql://postgres@localhost/todo.sr.ht +connection-string=postgresql://postgres@localhost/todo.sr.ht?sslmode=disable +migrate-on-upgrade=yes + +# Webhooks connection string +webhooks=redis://localhost:6379/1 + + diff --git a/etc/supervisor/conf.d/supervisord.conf b/etc/supervisor/conf.d/supervisord.conf new file mode 100644 index 0000000..88103f1 --- /dev/null +++ b/etc/supervisor/conf.d/supervisord.conf @@ -0,0 +1,50 @@ +[supervisord] +childlogdir=/var/log/supervisord +logfile=/dev/stderr +logfile_maxbytes=0 +nodaemon=true +user=root + +[program:crond] +autostart=true +command=crond -f -l 2 +redirect_stderr=true + +[program:postfix] +autorestart=false +command=postfix start +startsecs=0 +redirect_stderr=true + +[program:postgresql] +autorestart=true +command=postgres -c config_file=/etc/postgresql/postgresql.conf +redirect_stderr=true +user=postgres + +[program:redis] +autorestart=true +command=redis-server --save 60 1 --loglevel warning +redirect_stderr=true + +[program:spawn-fcgi] +autorestart=true +command=spawn-fcgi -n -u nginx -p 9000 -- /usr/bin/fcgiwrap -f +redirect_stderr=true + +[program:metasrht] +autorestart=true +command=gunicorn metasrht.app:app -b 127.0.0.1:5000 -c /etc/sr.ht/meta.sr.ht.gunicorn.conf.py +redirect_stderr=true + +[program:metasrht-api] +autorestart=true +command=metasrht-api +redirect_stderr=true + +[program:nginx] +autostart=true +command=nginx -g 'daemon off;' +redirect_stderr=true + + diff --git a/usr/share/nginx/html/index.html b/usr/share/nginx/html/index.html new file mode 100644 index 0000000..e7f63e9 --- /dev/null +++ b/usr/share/nginx/html/index.html @@ -0,0 +1,12 @@ + + + + +Hello world + + +

Hello world

+

This is a test page.

+ + + diff --git a/usr/share/nginx/html/test.cgi b/usr/share/nginx/html/test.cgi new file mode 100644 index 0000000..250f882 --- /dev/null +++ b/usr/share/nginx/html/test.cgi @@ -0,0 +1,4 @@ +#!/bin/sh +echo "

Hello world

" +echo "

This is a really dumb CGI script

" + diff --git a/usr/share/nginx/html/test.php b/usr/share/nginx/html/test.php new file mode 100644 index 0000000..b7cc18c --- /dev/null +++ b/usr/share/nginx/html/test.php @@ -0,0 +1,2 @@ + + -- 2.45.2