Initial commit

Asterisk/README.md

@@ -0,0 +1,13 @@
+# Asterisk
+*PBX - Private Branch Exchange*
+
+## Accounts
+- root
+- asterisk
+
+## Protocols
+- PJSIP [5060-UDP]
+- PJSIP over TLS [5061-UDP]
+- SIP [5160-UDP]
+- SIP over TLS [5161-UDP]
+- IAX2 [4569-UDP]

Dovecot/README.md

@@ -0,0 +1,15 @@
+# Dovecot
+*MDA - Mail Delivery Agent*
+
+## Accounts
+- root
+- dovecot
+- dovenull
+- mail
+
+## Protocols
+- IMAP [143-TCP]
+- IMAPS [993-TCP]
+
+## Locations
+- `/etc/dovecot`: Configuration directory

Dovecot/dovecot.conf

@@ -0,0 +1,102 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections.
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Space separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets =
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf

Nginx/README.md

@@ -0,0 +1,15 @@
+# Nginx
+*HTTP/SMTP/IMAP/POP3 Proxy Server*
+
+## Accounts
+- root
+- www-data
+
+## Protocols
+- HTTP [80-TCP]
+- HTTPS [443-TCP]
+
+## Locations
+- `/etc/nginx` - Configuration directory
+
+

Nginx/Server Blocks/auth.libraryofcode.org.conf

@@ -0,0 +1,38 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name auth.libraryofcode.org;
+
+    ssl_certificate /etc/nginx/ssl/org.chain.crt;
+    ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    ssl_protocols TLSv1.2;
+
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    location / {
+
+      proxy_set_header Host $host;
+
+      proxy_set_header X-Real-IP $remote_addr;
+
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_set_header X-Frame-Options SAMEORIGIN;
+
+      proxy_pass http://localhost:8200;
+
+      proxy_read_timeout 90;
+
+      proxy_redirect http://localhost:8200  https://auth.libraryofcode.org;
+
+  }
+}

Nginx/Server Blocks/bin.libraryofcode.org.conf

@@ -0,0 +1,23 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name bin.libraryofcode.org;
+
+  ssl_certificate /etc/nginx/ssl/org.chain.crt;
+  ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+  ssl_session_cache builtin:1000 shared:SSL:10m;
+  ssl_protocols TLSv1.2;
+
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+  ssl_prefer_server_ciphers on;
+
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  root /var/binary;
+  location / {
+    autoindex on;
+  }
+}

Nginx/Server Blocks/board.ins.conf

@@ -0,0 +1,64 @@
+server {
+    listen 10.8.0.1:443 ssl http2;
+    #listen [::]:443 ssl http2;
+    server_name board.ins;
+
+    ssl_certificate /etc/nginx/ssl/board-ins.chain.crt;
+    ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem;
+
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    #include /etc/nginx/error/502;
+    #include /etc/nginx/error/504;
+    #include /etc/nginx/error/500;
+    #include /etc/nginx/error/404;
+    #include /etc/nginx/error/429;
+    ssl_protocols TLSv1.2;
+
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    #limit_req zone=one burst=15;
+    location / {
+
+      proxy_set_header Host $host;
+
+      proxy_set_header X-Real-IP $remote_addr;
+
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_set_header X-Frame-Options SAMEORIGIN;
+
+      proxy_pass http://localhost:3121;
+
+      proxy_read_timeout 90;
+
+      proxy_redirect http://localhost:3121  https://board.ins;
+
+  }
+
+    location /api {
+
+      proxy_set_header Host $host;
+
+      proxy_set_header X-Real-IP $remote_addr;
+
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_set_header X-Frame-Options SAMEORIGIN;
+
+      proxy_pass http://localhost:3892;
+
+      proxy_read_timeout 90;
+
+      proxy_redirect http://localhost:3892  https://board.ins/api;
+
+  }
+}

Nginx/Server Blocks/certapi.libraryofcode.org.conf

@@ -0,0 +1,44 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name certapi.libraryofcode.org;
+
+    ssl_certificate /etc/nginx/ssl/org.chain.crt;
+    ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    #include /etc/nginx/error/502;
+    #include /etc/nginx/error/504;
+    #include /etc/nginx/error/500;
+    #include /etc/nginx/error/404;
+    #include /etc/nginx/error/429;
+    ssl_protocols TLSv1.2;
+
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    #limit_req zone=one burst=15;
+    location / {
+
+      proxy_set_header Host $host;
+
+      proxy_set_header X-Real-IP $remote_addr;
+
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_set_header X-Frame-Options SAMEORIGIN;
+
+      proxy_pass http://localhost:3030;
+
+      proxy_read_timeout 90;
+
+      proxy_redirect http://localhost:3030  https://certapi.libraryofcode.org;
+
+  }
+}

Nginx/Server Blocks/cloud.libraryofcode.org.conf

@@ -0,0 +1,33 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name cloud.libraryofcode.org;
+
+    ssl_certificate /etc/nginx/ssl/org.chain.crt;
+    ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    #include /etc/nginx/error/502;
+    #include /etc/nginx/error/504;
+    #include /etc/nginx/error/500;
+    #include /etc/nginx/error/404;
+    #include /etc/nginx/error/429;
+    ssl_protocols TLSv1.2;
+
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    client_max_body_size 1G;
+    #limit_req zone=one burst=15;
+
+
+    location / {
+      return 307 $scheme://www.libraryofcode.org/;
+    }
+    location ~ /(.*)$ {
+      rewrite https://$1.cloud.libraryofcode.org temporary;
+    }
+}

Nginx/nginx.conf

@@ -0,0 +1,98 @@
+# Main Nginx Configuration File
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        server_tokens off;
+        more_set_headers 'Server: Library of Code Staff Command (https://www.libraryofcode.org)';
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_dhparam /etc/nginx/dhparam.pem
+        ;ssl_ecdh_curve secp384r1;
+
+        ##
+        # Logging Settings
+        ##
+
+        #access_log /var/log/nginx/access.log;
+        #error_log /var/log/nginx/error.log;
+
+
+        log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' '"$host" sn="$server_name" ' 'rt=$request_time ' 'ua="$upstream_addr" us="$upstream_status" ' 'ut="$upstream_response_time" ul="$upstream_response_length" ' 'cs=$upstream_cache_status' ;
+
+        access_log /var/log/nginx/access.log main_ext;
+        error_log /var/log/nginx/error.log warn;
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+        gzip_disable "msie6";
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#       # See sample authentication script at:
+#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#       # auth_http localhost/auth.php;
+#       # pop3_capabilities "TOP" "USER";
+#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#       server {
+#               listen     localhost:110;
+#               protocol   pop3;
+#               proxy      on;
+#       }
+#
+#       server {
+#               listen     localhost:143;
+#               protocol   imap;
+#               proxy      on;
+#       }
+#}

Postfix/README.md

@@ -0,0 +1,15 @@
+# Postfix
+*MTA - Mail Transfer Agent*
+
+## Accounts
+- root
+- postfix
+
+## Protocols
+- SMTP (MTA <-> MTA) [25-TCP]
+- SMTP (MUA <-> MTA) [587-TCP]
+- SMTPS (MUA <-> MTA) [467-TCP]
+
+## Locations
+- `/etc/postfix` - Configuration directory
+

Postfix/master.conf

@@ -0,0 +1,98 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
+smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+tls_random_source = dev:/dev/urandom
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+# RESTRICTIONS
+smtpd_relay_restrictions = 
+  permit_mynetworks, 
+  permit_sasl_authenticated, 
+  defer_unauth_destination,
+smtpd_helo_restrictions = 
+  permit_mynetworks,
+  reject_non_fqdn_helo_hostname,
+  reject_invalid_helo_hostname,
+  reject_unknown_helo_hostname,
+  permit,
+smtpd_sender_restrictions = 
+  reject_unknown_sender_domain,
+  reject_unknown_reverse_client_hostname,
+  reject_unknown_client_hostname,
+  reject_sender_login_mismatch,
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  permit,
+smtpd_recipient_restrictions = 
+  reject_unauth_pipelining,
+  reject_non_fqdn_recipient,
+  reject_unknown_recipient_domain,
+  permit_mynetworks,
+  check_policy_service inet:127.0.0.1:10023
+  permit,
+
+myhostname = staff.libraryofcode.org
+alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
+alias_database = hash:/etc/aliases
+smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
+
+myorigin = /etc/mailname
+mydestination = $myhostname, libraryofcode.org, libraryofcode.us staff.libraryofcode.us, staff-libraryofcode.staff.libraryofcode.us, localhost.staff.libraryofcode.us, localhost, libraryofcode.us
+relayhost =
+relay_domains = lists.libraryofcode.org
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
+mailbox_size_limit = 0
+mailbox_command = procmail -a "$EXTENSION" DEFAULT=/var/mail/$USER
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:localhost:8891, local:/opendmarc/opendmarc.sock
+non_smtpd_milters = $smtpd_milters
+mail_name = Library of Code sp-us | Staff Command
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+#authorized_submit_users = !boss, !test, static:all
+message_size_limit = 1073741824
+transport_maps = hash:/etc/postfix/transport
+unknown_local_recipient_reject_code = 550
+mailman_destination_recipient_limit = 1
+#local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp