initial import

etc/apparmor.d/usr.sbin.nginx

@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+/usr/sbin/nginx flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  # privilege drop
+  capability dac_override,
+  capability dac_read_search,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+  # abstractions/apache2-common
+  @{PROC}/@{pid}/attr/current rw,
+
+  # nginx operational
+  /etc/letsencrypt/options-ssl-nginx.conf r,
+  /etc/letsencrypt/ssl-dhparams.pem r,
+  /etc/nginx/** r,
+  /run/nginx.pid rw,
+  /usr/lib/nginx/** r,
+  /usr/sbin/nginx mr,
+  /usr/share/nginx/** r,
+  /var/lib/nginx/** rw,
+  /var/log/nginx/error.log w,
+  /var/log/nginx/access.log w,
+
+  # data
+  /var/xyzzy/html/** r,
+
+}

etc/apparmor.d/var.xyzzy.bin.gitea

@@ -0,0 +1,41 @@
+#include <tunables/global>
+
+/var/xyzzy/bin/gitea* flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /dev/tty rw,
+  /etc/gitconfig r,
+  /etc/machine-id r,
+  /etc/mime.types r,
+  /proc/sys/net/core/somaxconn r,
+  /proc/version r,
+  /sys/devices/system/cpu/online r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /usr/bin/basename mrix,
+  /usr/bin/bash mrix,
+  /usr/bin/cat mrix,
+  /usr/bin/dash mrix,
+  /usr/bin/env rix,
+  /usr/bin/git mrix,
+  /usr/bin/gzip mrix,
+  /usr/lib/git-core/git mrix,
+  /usr/share/git-core/templates r,
+  /usr/share/mime/globs2 r,
+
+  /var/xyzzy/backup/* rw,
+  /var/xyzzy/bin/gitea* mrix,
+  /var/xyzzy/etc/gitea/app.ini r,
+  /var/xyzzy/gitea/** r,
+  /var/xyzzy/gitea/data/gitea-repositories/*/*.git/hooks/* mrix,
+  /var/xyzzy/gitea/data/gitea-repositories/*/*.git/hooks/*.d/* mrix,
+
+  owner /proc/*/cpuset r,
+  owner /var/xyzzy/git/.gitconfig rw,
+  owner /var/xyzzy/git/.gitconfig.lock rw,
+  owner /var/xyzzy/git/.ssh/* rw,
+  owner /var/xyzzy/gitea/data/** rwkl,
+  owner /var/xyzzy/gitea/log/* rw,
+
+}

etc/apt/apt.conf.d/02periodic

@@ -0,0 +1,5 @@
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "5";
+APT::Periodic::Unattended-Upgrade "1";

etc/cron.weekly/f2b-cleanup

@@ -0,0 +1,5 @@
+#!/bin/sh
+if [ -x /usr/bin/sqlite3 ]; then
+  sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 < /etc/fail2ban/dbpurge.sql
+fi
+systemctl restart fail2ban.service

etc/fail2ban/dbpurge.sql

@@ -0,0 +1,3 @@
+delete from bans where timeofban <= strftime('%s', date('now', '-7 days'));
+vacuum;
+.quit

etc/fail2ban/filter.d/nginx-4xx.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
+ignoreregex =

etc/fail2ban/jail.local

@@ -0,0 +1,26 @@
+[DEFAULT]
+ignoreip  = 127.0.0.1/8
+bantime   = 3600
+maxretry  = 3
+backend   = systemd
+destemail = root@localhost
+
+# filter.d/nginx-4xx.conf
+#  [Definition]
+#  failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
+#  ignoreregex =
+
+[nginx-4xx]
+enabled   = false
+port      = http,https
+logpath   = /var/log/nginx/access.log
+maxretry  = 10
+findtime  = 3600
+bantime   = 3600
+
+[nginx-limit-req]
+enabled   = false
+port      = http,https
+logpath   = /var/log/nginx/error.log
+findtime  = 3600
+bantime   = 3600

etc/iptables/rules.v4

@@ -0,0 +1,13 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

etc/iptables/rules.v6

@@ -0,0 +1,13 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

etc/letsencrypt/cli.ini

@@ -0,0 +1,3 @@
+max-log-backups = 0
+preconfigured-renewal = True
+deploy-hook = systemctl reload nginx

etc/nginx/conf.d/security.conf

@@ -0,0 +1,14 @@
+
+# https://www.nginx.com/blog/rate-limiting-nginx/
+# https://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+limit_req_zone $binary_remote_addr zone=normal:10m rate=20r/s;
+limit_req zone=normal burst=30 nodelay;
+limit_req_status 429;
+
+# https://nginx.org/en/docs/http/ngx_http_core_module.html
+server_tokens off;
+keepalive_requests 100;
+keepalive_timeout 15s;
+client_body_timeout 20s;
+client_header_timeout 20s;
+

etc/nginx/sites-available/git.xyzzy.ee.conf

@@ -0,0 +1,61 @@
+# git.xyzzy.ee
+
+server {
+    server_name git.xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location ~ ^\/(robots\.txt|\.well-known\/security\.txt)$ {
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/git.xyzzy.ee/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/git.xyzzy.ee/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # https://ssl-config.mozilla.org/
+    add_header Strict-Transport-Security "max-age=15724800" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/git.xyzzy.ee/chain.pem;
+    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
+    resolver_timeout 5s;
+
+    # https://observatory.mozilla.org
+    #  gitea already adds X-Frame-Options SAMEORIGIN
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+    # https://csp-evaluator.withgoogle.com/
+    # https://github.com/go-gitea/gitea/issues/305
+    # add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' data:; object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-src 'self'; frame-ancestors 'self'; manifest-src 'self' data:;";
+
+}
+
+server {
+    if ($host = git.xyzzy.ee) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+
+    server_name git.xyzzy.ee;
+    return 301 https://git.xyzzy.ee$request_uri;
+    return 404; # managed by Certbot
+}
+

etc/nginx/sites-available/git.xyzzy.ee.conf.bootstrap

@@ -0,0 +1,15 @@
+# git.xyzzy.ee
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name git.xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+}
+

etc/nginx/sites-available/xyzzy.ee.conf

@@ -0,0 +1,108 @@
+# xyzzy.ee
+# www.xyzzy.ee
+
+server {
+    server_name xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl default_server; # managed by Certbot
+    listen 443 ssl default_server; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/xyzzy.ee/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/xyzzy.ee/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # https://ssl-config.mozilla.org/
+    add_header Strict-Transport-Security "max-age=15724800" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.ee/chain.pem;
+    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
+    resolver_timeout 5s;
+
+    # https://observatory.mozilla.org
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
+}
+
+server {
+    server_name www.xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location ~ /\.well-known {
+        allow all;
+    }
+
+    location ~ / {
+        return 301 $scheme://xyzzy.ee$request_uri;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/xyzzy.ee/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/xyzzy.ee/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # https://ssl-config.mozilla.org/
+    add_header Strict-Transport-Security "max-age=15724800" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.ee/chain.pem;
+    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
+    resolver_timeout 5s;
+
+    # https://observatory.mozilla.org
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
+}
+
+server {
+    if ($host = xyzzy.ee) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = www.xyzzy.ee) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name www.xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+    return 404; # managed by Certbot
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    return 301 https://xyzzy.ee$request_uri;
+}
+

etc/nginx/sites-available/xyzzy.ee.conf.bootstrap

@@ -0,0 +1,32 @@
+# xyzzy.ee
+# www.xyzzy.ee
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name www.xyzzy.ee;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location ~ /\.well-known {
+        allow all;
+    }
+
+    location ~ / {
+        return 301 $scheme://xyzzy.ee$request_uri;
+    }
+}
+

etc/nginx/sites-available/xyzzy.fi.conf

@@ -0,0 +1,101 @@
+# xyzzy.fi
+# www.xyzzy.fi
+
+server {
+    server_name xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # https://ssl-config.mozilla.org/
+    add_header Strict-Transport-Security "max-age=15724800" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
+    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
+    resolver_timeout 5s;
+
+    # https://observatory.mozilla.org
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
+}
+
+server {
+    server_name www.xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location ~ /\.well-known {
+        allow all;
+    }
+
+    location ~ / {
+        return 301 $scheme://xyzzy.fi$request_uri;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # https://ssl-config.mozilla.org/
+    add_header Strict-Transport-Security "max-age=15724800" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
+    resolver 9.9.9.9 8.8.8.8 1.1.1.1;
+    resolver_timeout 5s;
+
+    # https://observatory.mozilla.org
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
+}
+
+server {
+    if ($host = xyzzy.fi) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = www.xyzzy.fi) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name www.xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+    return 404; # managed by Certbot
+}
+

etc/nginx/sites-available/xyzzy.fi.conf.bootstrap

@@ -0,0 +1,32 @@
+# xyzzy.fi
+# www.xyzzy.fi
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name www.xyzzy.fi;
+    root /var/xyzzy/html;
+    index index.html;
+
+    location ~ /\.well-known {
+        allow all;
+    }
+
+    location ~ / {
+        return 301 $scheme://xyzzy.fi$request_uri;
+    }
+}
+

etc/sysctl.d/local.conf

@@ -0,0 +1 @@
+vm.swappiness = 10

etc/systemd/journald.conf.d/local.conf

@@ -0,0 +1,2 @@
+[Journal]
+MaxRetentionSec=1week

etc/systemd/system/gitea.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+###
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/xyzzy/gitea/
+ExecStart=/var/xyzzy/bin/gitea web --config /var/xyzzy/etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/var/xyzzy/git GITEA_WORK_DIR=/var/xyzzy/gitea
+Environment=PATH=/var/xyzzy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/nginx.service.d/override.conf

@@ -0,0 +1,3 @@
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876365
+[Service]
+ExecStartPost=/usr/bin/sleep 0.1

etc/systemd/system/teabak.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Gitea Backup
+Wants=teabak.timer
+
+[Service]
+Type=oneshot
+ExecStart=/var/xyzzy/bin/teabak.sh
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/teabak.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Gitea Backup Timer
+Requires=teabak.service
+
+[Timer]
+Unit=teabak.service
+OnCalendar=*-*-* 00,08,16:00:00
+
+[Install]
+WantedBy=timers.target