split services by directory

- markdown formatting
- turn soft-serve.md into soft-serve/README.md

.gitignore

@@ -0,0 +1 @@
+*.txt

Makefile

@@ -0,0 +1,52 @@
+.PHONY: help
+
+help: ## Print the help message
+	@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
+		sort | \
+		column -s ':' -t
+
+map.txt: map.ge ## Making map.txt
+	grep -v '# unimportant' $< | graph-easy --boxart > $@
+	cat $@
+
+full_map.txt: map.ge ## Generating full_map.txt with graph-easy
+	graph-easy --boxart < $< > $@
+	cat $@
+
+########## Man Pages ##########
+
+mandir = $(HOME)/.local/man/man6
+
+kralizec_docs != grep -rl "^section:" kralizec 
+kralmans = $(kralizec_docs:kralizec/%/README.md=$(mandir)/%.6)
+
+$(mandir)/%.6: kralizec/%/README.md
+	lowdown -stman $< > $@
+
+krov_docs != grep -rl "^section:" krov 
+krovmans = $(krov_docs:krov/%/README.md=$(mandir)/%.6)
+
+$(mandir)/%.6: krov/%/README.md
+	lowdown -stman $< > $@
+
+setup_docs != grep -rl "^section:" setup 
+setupmans = $(setup_docs:setup/%.md=$(mandir)/%.6)
+
+$(mandir)/%.6: setup/%.md
+	lowdown -stman $< > $@
+
+$(mandir):
+	mkdir -p $@
+
+$(kralmans) $(krovmans) $(setupmans) :| $(mandir)
+
+.PHONY: pages
+pages: $(kralmans) $(krovmans) $(setupmans)
+	$(info $(kralmans))
+	@test ! $(command -v mandb) || mandb --user-db
+	$(info Open DMZ's man pages with 'man 6 <tab>')
+
+##########
+
+clean:
+	$(RM) $(kralmans) $(krovmans)

Network.md

@@ -13,5 +13,7 @@
 ## http11
 
 - Function: dmz.rs website (nginx)
-- Access: `ssh -J $USER@rmvm4vrp352yhgtr73w5nafbrtsrsdgj2x7jolpy7b4czqxstt5abfid.onion root@192.168.1.41`
+- Access:
+    1. Start `tor` service.
+    2. `torsocks ssh -J $USER@rmvm4vrp352yhgtr73w5nafbrtsrsdgj2x7jolpy7b4czqxstt5abfid.onion root@192.168.1.41`
 - IP: 192.168.1.41

README.md

@@ -13,5 +13,5 @@ These setup files provide the text-only configurations for DMZ.
     - Idempotency.
 - All secrets stored elsewhere (probably in the `dmzadmin` repo)
 - Any maintenance scripts.
-- Configurations should reside in shadow-directories, e.g. a backup of `/etc/soft/config` should reside in this repo under `etc/soft/config`.
+- Configurations should reside in shadow-directories, e.g. a backup `soft-serve`'s `config.yaml` should reside in this repo under `splint.rs/soft-serve/etc/soft/config.yaml`.
 

docs/dmzrs/README.md

@@ -1,26 +0,0 @@
-Add this configuration to ~/.ssh/config file
-
-Host dmzkrovdmzrs12
-  Hostname veyxphzuqnooc7wb7utfza3joaoopgqgwp6l6d4en5yfmyr7kxvminqd.onion
-  User root 
-  IdentityFile ~/.ssh/id_rsa
-  PasswordAuthentication no
-
-Now you can log in by typing:
-torsocks ssh dmzkrovdmzrs12
-
-Install all needed packages
-apt install rsync git nginx
-git clone https://gitea.dmz.rs/Decentrala/website
-
-Run updatewebsite.sh script every minute using crontab (run "crontab -e")
-This fill automaticlly pull from git repo and regenerate events page
-
-Add nginx-dmz.rs.conf to /etc/nginx/sites-available/dmz.rs and create a symlink
-from /etc/nginx/sites-enabled/dmz.rs to that file
-You can do this by running:
-ln -s /etc/nginx/sites-available/dmz.rs /etc/nginx/sites-enabled/dmz.rs
-
-Increase server_names_hash_bucket_size to 256 in /etc/nginx/nginx.conf in order to support onion addresses.
-
-In the nginx configuration /account/ is redirected to luser (https://gitea.dmz.rs/fram3d/luser) instance running at 192.168.1.211

kralizec/README.md

@@ -0,0 +1,27 @@
+# List of containers
+
+VMID Name  
+101  tor11  
+102  xmppmirror11  
+104  http11  
+105  postgresql11  
+106  ejabberd11  
+108  nginx  
+109  flaskldap11  
+111  dynamicdns11  
+112  sshfs11  
+113  postfix11  
+114  ssh11  
+115  cgit11  
+116  radionice11  
+117  gitea11  
+118  dmzrsflask11  
+119  elinearch  
+120  wiki11  
+121  krovhttp11  
+122  dmzrs12  
+123  roundcube12  
+124  donationcalc12  
+125  webring12  
+126  cryptpad-deb-12  
+127  openldap12  

kralizec/cgit11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 115
+---

kralizec/cryptpad-deb-12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 126
+---

kralizec/dmzrs/README.md

@@ -0,0 +1,40 @@
+Add this configuration to `~/.ssh/config` file
+
+```
+Host dmzkrovdmzrs12
+  Hostname veyxphzuqnooc7wb7utfza3joaoopgqgwp6l6d4en5yfmyr7kxvminqd.onion
+  User root 
+  IdentityFile ~/.ssh/id_rsa
+  PasswordAuthentication no
+
+```
+
+Now you can log in by typing:
+
+
+```bash
+torsocks ssh dmzkrovdmzrs12
+```
+
+Install all needed packages:
+
+
+```bash
+apt install rsync git nginx
+git clone https://gitea.dmz.rs/Decentrala/website
+```
+
+Run `updatewebsite.sh` script every minute using `crontab` (run "`crontab -e`")
+This fill automatically pull from git repo and regenerate events page
+
+Add `nginx-dmz.rs.conf` to `/etc/nginx/sites-available/dmz.rs` and create a symlink
+from `/etc/nginx/sites-enabled/dmz.rs` to that file.
+You can do this by running:
+
+```bash
+ln -s /etc/nginx/sites-available/dmz.rs /etc/nginx/sites-enabled/dmz.rs
+```
+
+Increase `server_names_hash_bucket_size` to 256 in `/etc/nginx/nginx.conf` in order to support onion addresses.
+
+In the `nginx` configuration /account/ is redirected to the `luser` [instance](https://gitea.dmz.rs/fram3d/luser)  running at `192.168.1.211`.

kralizec/dmzrs12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 122
+---

kralizec/dmzrsaccount/README.md

@@ -0,0 +1,13 @@
+install luser.deb
+change /var/luser/luser/config.ini
+
+add ldap.krov.dmz.rs to /etc/hosts with the IP address op slapd vm by adding a line like "192.168.1.205 ldap.krov.dmz.rs"
+
+config.ini should contain following:
+
+LDAPHOST = ldap.krov.dmz.rs
+LDAPADMINNAME = cn=admin,dc=dmz,dc=rs
+LDAPPASS = <admin password set during installation of slapd program and dpkg-reconfigure on slapd vm>
+USERBASE = ou=Users,dc=dmz,dc=rs
+
+run prepare.py

kralizec/dmzrsaccount/listuserskralizec.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+import ldap3
+
+LDAPADMINNAME='uid=krovslapd,ou=xmpp,dc=dmz,dc=rs'
+LDAPPASS='<krovslapd password>'
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+
+ldapserver=ldap3.Server('2001:470:1f1a:1a4:0:1:0:1d',use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'ou=xmpp,dc=dmz,dc=rs',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/listuserskrov.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/prepare.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = "/var/luser/luser/config.ini"
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+LDAPADMINNAME = config.get('credentials', 'LDAPADMINNAME')
+LDAPPASS = config.get('credentials', 'LDAPPASS')
+USERBASE = config.get('credentials', 'USERBASE')
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME, LDAPPASS, auto_bind=True)
+rcode1=ldapconnection.add(f'{USERBASE}', ['dcObject', 'organization'], {'o' : "dmz", 'dc' : "dmz"})
+rcode2=ldapconnection.add(USERBASE, ['top', 'organizationalUnit'], {'ou' : "Users"})
+print(str(rcode1))
+print(str(rcode2))

kralizec/dmzrsaccount/testanon.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME=''
+LDAPPASS=""
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsaccount/testuser.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+import ldap3
+import configparser
+
+CONFIG_PATH = '/var/luser/luser/config.ini'
+config = configparser.ConfigParser()
+config.read(CONFIG_PATH)
+LDAPHOST = config.get('credentials', 'LDAPHOST')
+USERBASE = config.get('credentials', 'USERBASE')
+USERATTRIBUTES=['cn' , 'sn', 'givenName', 'uid', 'uidNumber' , 'gidNumber', 'homeDirectory', 'loginShell', 'gecos' , 'shadowLastChange', 'shadowMax', 'userPassword', 'mail']
+
+LDAPADMINNAME="uid=korisnik,ou=Users,dc=dmz,dc=rs"
+LDAPPASS="<password of korisnik>"
+
+ldapserver=ldap3.Server(LDAPHOST,use_ssl=True)
+ldapconnection = ldap3.Connection(ldapserver, LDAPADMINNAME,LDAPPASS, auto_bind=True)
+ldapconnection.search(search_base=f'{USERBASE}',search_filter='(objectClass=person)', attributes=USERATTRIBUTES)
+print(str(ldapconnection.response))

kralizec/dmzrsflask11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 118
+---

kralizec/donationcalc12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 124
+---

kralizec/dynamicdns11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 111
+---

kralizec/ejabberd/README.md

@@ -1,3 +1,9 @@
+---
+title: ejabberd configurations
+section: 6
+source: Decentrala
+---
+
 #On your PC
 Add this configuration to ~/.ssh/config
 

kralizec/ejabberd11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 106
+---

kralizec/elinearch/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 119
+---

kralizec/flaskldap11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 109
+---

kralizec/gitea11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 117
+---

kralizec/http11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 104
+---

kralizec/krovhttp11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 121
+---

kralizec/nginx/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 108
+---

kralizec/openldap12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 127
+---

kralizec/postfix11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 113
+---

kralizec/postgresql11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 105
+---

kralizec/radionice11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 116
+---

kralizec/roundcube12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 123
+---

kralizec/slapd/.gitignore

@@ -0,0 +1,2 @@
+acladd.ldif
+*gpg

kralizec/slapd/README.md

@@ -0,0 +1,18 @@
+Create ldap users at dmz.rs/account for users in the servicesaccounts.txt
+these accounts should be listed in /root/ldifs/addacl.ldif
+to generate addacl.ldif run generateacl.sh
+
+add tls keys in /etc/ssl/certs/ldap.krov.dmz.rs
+
+# Generate password for admin user on this server only and add it when asked during installation
+apt install slapd
+
+# For domain set dmz.rs for Organization set Users for admin password use previously generated password
+dpkg-reconfigure slapd
+
+# change /etc/default/slapd to replace ldap:// with ldaps:// under SLAPD_SERVICES
+service slapd restart
+./setup.sh
+
+dmzrsaccount vm should run prepare.py 
+ldapsync vm should run sync.py

kralizec/slapd/acladd-template.ldif

@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write READUSERS by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self READUSERS by anonymous none
+

kralizec/slapd/generateacl.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+READUSERS=""
+for i in $(cat servicesaccounts.txt); do READUSERS="$READUSERS by dn=\"$i\" read" ; done
+
+sed 's/READUSERS/'"$READUSERS"'/g' acladd-template.ldif > acladd.ldif
+

kralizec/slapd/generatecreds.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+function genpass(){
+echo $(shuf ../../scripts/shared/english.txt | head) | sed "s/ //g"
+}
+
+for i in $(cat servicesaccounts.txt) ; do printf "%s\n" $(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2 ; genpass) | gpg -e -r fram3d@dmz.rs -r sienna@dmz.rs --output creds/$(echo -n $i | cut -d"," -f 1 | cut -d"=" -f2).gpg ; done
+

kralizec/slapd/servicesaccounts.txt

@@ -0,0 +1,9 @@
+uid=readonlykrov,ou=Users,dc=dmz,dc=rs
+uid=wikildapkrov,ou=Users,dc=dmz,dc=rs
+uid=forumldapkrov,ou=Users,dc=dmz,dc=rs
+uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs
+uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs
+uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs
+uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs
+uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs
+uid=kralizecslapd,ou=Users,dc=dmz,dc=rs

kralizec/ssh11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 114
+---

kralizec/sshfs11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 112
+---

kralizec/tor11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 101
+---

kralizec/webring12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 125
+---

kralizec/wiki11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 120
+---

kralizec/xmppmirror11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 102
+---

krov/serverko/README.md

@@ -0,0 +1,19 @@
+# List of containers
+
+## serverko
+
+VMID Name  
+100  nginx12  
+101  ddns12  
+102  dmzrs12  
+103  tor12  
+104  slapd12  
+105  wireguard12  
+106  opensmptd12  
+107  ipv6tunnel12  
+108  postgres12  
+109  ejabberd12  
+110  dmzrsaccount  
+111  taskmanager12  
+112  stopreklamama12  
+

krov/serverko/ddns12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 101
+---

krov/serverko/dmzrs12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 102
+---

krov/serverko/dmzrsaccount/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 110
+---

krov/serverko/ejabberd12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 109
+---

krov/serverko/ipv6tunnel12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 107
+---

krov/serverko/nginx12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 100
+---

krov/serverko/opensmptd12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 106
+---

krov/serverko/postgres12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 108
+---

krov/serverko/slapd12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 104
+---

krov/serverko/slapd12/etc/default/slapd

@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""

krov/serverko/slapd12/root/aclupdate.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+./modify.sh ldifs/acldel.ldif
+./modify.sh ldifs/acladd.ldif

krov/serverko/slapd12/root/ldifs/acladd.ldif

@@ -0,0 +1,18 @@
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={1}mdb,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth
+
+dn: olcDatabase={-1}frontend,cn=config
+add: olcAccess
+#olcAccess: {2}to * by * none
+olcAccess: {2}to * by self write by dn="uid=readonlykrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=wikildapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=forumldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=gitealdapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=xmppldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=dovecotldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=postfixldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=smtpdldapkrov,ou=Users,dc=dmz,dc=rs" read by dn="uid=kralizecslapd,ou=Users,dc=dmz,dc=rs" read by anonymous none
+

krov/serverko/slapd12/root/ldifs/acldel.ldif

@@ -0,0 +1,5 @@
+dn: olcDatabase={-1}frontend,cn=config
+delete: olcAccess
+
+dn: olcDatabase={1}mdb,cn=config
+delete: olcAccess

krov/serverko/slapd12/root/ldifs/tls.ldif

@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/cert.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/certs/ldap.krov.dmz.rs/privkey.pem
+-
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/ldap.krov.dmz.rs/chain.pem

krov/serverko/slapd12/root/modify.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ldapmodify -H ldapi:/// -Y EXTERNAL -f $1

krov/serverko/slapd12/root/setup.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+./modify.sh ldifs/tls.ldif
+./aclupdate.sh

krov/serverko/stopreklamama12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 112
+---

krov/serverko/taskmanager12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 111
+---

krov/serverko/tor12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 103
+---

krov/serverko/wireguard12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 105
+---

krov/srv1/README.md

@@ -0,0 +1,15 @@
+# List of containers
+
+## srv1
+
+VMID Name  
+102  tor12  
+103  dendrite  
+106  icecast12  
+107  mariadb12  
+108  mpd12  
+109  ympd  
+111  sshfs11
+113  ollama12  
+114  chatbot12  
+115  goodvibes12  

krov/srv1/chatbot12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 114
+---

krov/srv1/dendrite/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 103
+---

krov/srv1/goodvibes12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 115
+---

krov/srv1/icecast12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 106
+---

krov/srv1/mariadb12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 107
+---

krov/srv1/mpd12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 108
+---

krov/srv1/ollama12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 113
+---

krov/srv1/sshfs11/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 111
+---

krov/srv1/tor12/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 102
+---

krov/srv1/ympd/README.md

@@ -0,0 +1,3 @@
+---
+VMID: 109
+---

map.ge

@@ -0,0 +1,39 @@
+# Network map of Decentrala.  Use with:
+# graph-easy --boxart < netmap.txt
+
+(Mox
+	[ m_router ]{label: router ;}
+	[ wireguard ] --> [ m_nginx ]{label: nginx-11 ;}
+	[ wiki ] --> [ m_nginx ]
+	[ gitea ] --> [ m_nginx ]
+	[ tor11 ] --> [ m_nginx ] --> [ m_router ]
+	[ smtp ]
+)
+
+(Serverko
+	[ s_nginx ]{label: nginx-12 ;}
+	[ s_router ]{label: router ;}
+	[ s_nginx ] --> [ nextcloud ]
+	[ s_nginx ] --> [ tor12 ]
+	[ s_nginx ] --> [ s_router ]
+)
+
+(splint.rs # unimportant
+	[ soft-serve ] # unimportant
+	[ mail-cache ]# unimportant
+) # unimportant
+
+[ tor12 ] <..> [ onions ] <..> [ tor11 ]
+[ m_router ] <..> [ BGP ] <..> [ madness ] <..> [ s_router ]
+[ smtp ] <..> [ madness ]
+[ madness ] <..> [  mail-cache ]# unimportant
+[ A ]{label: "" ;}
+[ B ]{label: "" ;}
+[ C ]{label: "" ;}
+[ D ]{label: "" ;}
+[ onions ] <..> [ A ]
+[ onions ] <..> [ B ]
+[ A ] <..> [ C ]
+[ B ] <..> [ D ]
+
+(Sharks! [ D ])

scripts/addsubdomain/addsub.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+## Generate TLS certificate for a new subdomain
+
+DMZKEYFILE=$(echo -n ~)"/.ssh/dmz"
+
+NGINXHOST=$1
+SUBDOMAIN=$2
+CTIPADDRESS=$3
+
+if [[ -z "$NGINXHOST" ]]; then 
+	echo "Set Nginx Host"
+        exit 1
+fi
+
+if [[ -z "$SUBDOMAIN" ]]; then 
+	echo "Set subdomain"
+        exit 1
+fi
+
+
+ssh-add -t 200 $DMZKEYFILE
+torsocks scp ./remotecmd $NGINXHOST:/root/remotecmd.sh
+torsocks scp ./subdomain.dmz.rs.http $NGINXHOST:/etc/nginx/sites-available/
+torsocks scp ./subdomain.dmz.rs.https $NGINXHOST:/etc/nginx/sites-available/
+
+if [[ -z "$CTIPADDRESS" ]]; then 
+	torsocks scp ./subdomain.dmz.rs.proxy $NGINXHOST:/etc/nginx/sites-available/
+fi
+
+torsocks ssh $NGINXHOST "chmod +x /root/remotecmd.sh; /root/remotecmd.sh $SUBDOMAIN"
+

scripts/addsubdomain/remotecmd

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+SUBDOMAIN=$1
+SUBNODOT=$(echo -n $1 | cut -d"." -f1- --output-delimiter="" )
+
+if [[ -z "$SUBDOMAIN" ]]; then 
+	echo "Set subdomain"
+        exit 1
+fi
+
+if [[ -z "$CTIPADDRESS" ]]; then 
+	sed -i 's/CTIPADDRESS/'$CTIPADDRESS'/g' /etc/nginx/sites-available/subdomain.dmz.rs.proxy
+        mv /etc/nginx/sites-available/subdomain.dmz.rs.proxy /etc/nginx/sites-available/subdomain.dmz.rs.https
+fi
+
+sed -i 's/subdomain/'$SUBDOMAIN'/g' /etc/nginx/sites-available/subdomain.dmz.rs.http
+sed -i 's/subdomain/'$SUBDOMAIN'/g' /etc/nginx/sites-available/subdomain.dmz.rs.https
+sed -i 's/subnodot/'$SUBNODOT'/g' /etc/nginx/sites-available/subdomain.dmz.rs.http
+sed -i 's/subnodot/'$SUBNODOT'/g' /etc/nginx/sites-available/subdomain.dmz.rs.https
+
+
+mkdir /var/www/"$SUBNODOT"dmzrs/
+mv /etc/nginx/sites-available/subdomain.dmz.rs.http /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.http
+mv /etc/nginx/sites-available/subdomain.dmz.rs.https /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.https
+ln -s /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.http /etc/nginx/sites-enabled/"$SUBDOMAIN".dmz.rs.http
+service nginx reload
+certbot certonly -d "$SUBDOMAIN".dmz.rs,"$SUBDOMAIN".decentrala.org --webroot -w /var/www/"$SUBNODOT"dmzrs
+unlink /etc/nginx/sites-enabled/"$SUBDOMAIN".dmz.rs.http
+cat /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.http /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.https > /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.all
+mv /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.all /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs
+ln -s /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs /etc/nginx/sites-enabled/"$SUBDOMAIN".dmz.rs
+rm /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.https
+rm /etc/nginx/sites-available/"$SUBDOMAIN".dmz.rs.http
+service nginx reload
+rm /root/remotecmd.sh

scripts/addsubdomain/subdomain.dmz.rs.http

@@ -0,0 +1,10 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name subdomain.dmz.rs subdomain.decentrala.org;
+
+	root /var/www/subnodotdmzrs;
+}

scripts/addsubdomain/subdomain.dmz.rs.https

@@ -0,0 +1,18 @@
+server {
+	listen 443 ssl ;
+	listen [::]:443 ssl ;
+
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name subdomain.dmz.rs subdomain.decentrala.org;
+
+	ssl_certificate /etc/letsencrypt/live/subdomain.dmz.rs/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/subdomain.dmz.rs/privkey.pem;
+	ssl_dhparam /etc/ssl/dhparam.pem;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers HIGH:!aNULL:!MD5;
+
+	root /var/www/subnodotdmzrs;
+
+	resolver 9.9.9.9;
+}

scripts/addsubdomain/subdomain.dmz.rs.proxy

@@ -0,0 +1,29 @@
+server {
+	listen 443 ssl ;
+	listen [::]:443 ssl ;
+
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name subdomain.dmz.rs subdomain.decentrala.org;
+
+	ssl_certificate /etc/letsencrypt/live/subdomain.dmz.rs/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/subdomain.dmz.rs/privkey.pem;
+	ssl_dhparam /etc/ssl/dhparam.pem;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers HIGH:!aNULL:!MD5;
+
+
+	location / {
+       		proxy_set_header Host subdomain.dmz.rs;
+       		proxy_set_header X-Real-IP $remote_addr;
+       		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+       		proxy_pass http://CTIPADDRESS$request_uri;
+       }
+
+	location /.well-known/acme-challenge/ {
+		root /var/www/subnodotdmzrs;
+	}
+
+	resolver 9.9.9.9;
+}

scripts/ctcreate/ctcreate.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+## Create new Linux contanier at a proxmox host
+
+DMZKEYFILE=$(echo -n ~)"/.ssh/dmz"
+USER=$(cut -d" " -f3 $DMZKEYFILE.pub | cut -d "@" -f1)
+USEREMAIL=$(cut -d" " -f3 $DMZKEYFILE.pub)
+
+PROXMOXHOST=$1
+CTHOST=$2
+
+GENPASS=$( echo $(shuf ../shared/english.txt | head) | sed "s/ //g")
+
+if [[ -z "$PROXMOXHOST" ]]; then 
+	echo "Set Proxmox Host"
+        exit 1
+fi
+
+if [[ -z "$CTHOST" ]]; then 
+	echo "Set CT hostname"
+        exit 1
+fi
+
+if [[ -z "$GENPASS" ]]; then 
+	echo "Set CT password"
+        exit 1
+fi
+
+ssh-add -t 600 $DMZKEYFILE
+torsocks scp ./remotecmd $PROXMOXHOST:/root/ctcreate.sh
+torsocks scp $DMZKEYFILE.pub $PROXMOXHOST:/root/.ssh/$USER.pub
+
+torsocks ssh $PROXMOXHOST "chmod +x /root/ctcreate.sh; /root/ctcreate.sh $CTHOST $GENPASS $USER" >> cmdoutput.txt
+
+CREDS=$( tail -3 cmdoutput.txt)
+
+rm cmdoutput.txt
+
+printf "$CREDS\n" | gpg -e -r $USEREMAIL --output $CTHOST.gpg
+
+CTIP=$(printf "$CREDS" | head -1 | cut -d'@' -f 2)
+
+echo "Host dmzkrov"$CTHOST >> ~/.ssh/autoconfig
+echo "  Hostname "$CTIP >> ~/.ssh/autoconfig
+echo "  ProxyJump dmzkrovtor12" >> ~/.ssh/autoconfig
+echo "  User root" >> ~/.ssh/autoconfig
+echo "  IdentityFile "$DMZKEYFILE >> ~/.ssh/autoconfig
+echo "  PasswordAuthentication no" >> ~/.ssh/autoconfig
+
+ssh -R $CTIP
+torsocks scp ./newct dmzkrov$CTHOST:/root/newct.sh
+torsocks ssh dmzkrov$CTHOST "bash newct.sh; rm newct.sh"
+torsocks ssh dmzkrov$CTHOST

scripts/ctcreate/newct

@@ -0,0 +1,5 @@
+#!/bin/bash
+apt update
+apt -y dist-upgrade 
+apt -y install unattended-upgrades 
+dpkg-reconfigure unattended-upgrades 

scripts/ctcreate/remotecmd

@@ -0,0 +1,47 @@
+#!/bin/bash
+CTHOSTNAME=$1
+CTPASS=$2
+USER=$3
+
+echo Creating $CTHOSTNAME ...
+
+# Find last CT and get its ID
+LASTID=$(pct list | cut -d" " -f1 | tail -1)
+
+if [[ -z "$CTHOSTNAME" ]]; then 
+	echo "CT hostname not set"
+        exit 1
+fi
+
+if [[ -z "$CTPASS" ]]; then 
+	echo "CT password not set"
+        exit 1
+fi
+
+if [[ -z "$USER" ]]; then 
+	echo "USER not set"
+        exit 1
+fi
+
+if [[ -z "$LASTID" ]]; then 
+	LASTID=99
+fi
+
+NEWID=$(($LASTID + 1))
+
+echo ID of new CT is: $NEWID
+
+## Find the biggest free IP
+for i in $(seq $((NEWID + 101)) 254); do ping -W 3 -c 3 192.168.1.$i || break; done
+CTIP="192.168.1.$i"
+
+pct create $NEWID local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst --arch amd64 --cores 2 --features nesting=1 --hostname $CTHOSTNAME --memory 2048 --net0 name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,gw6=2001:470:1f1a:1a4::5,ip=$CTIP/24,ip6=2001:470:1f1a:1a4::$(printf '%x'  $((NEWID - 87)))/96,type=veth --onboot 1 --ostype debian  --swap 1024 --unprivileged 1 --storage local-lvm --ssh-public-keys /root/.ssh/fram3d.pub --password $CTPASS
+
+pct set $NEWID --rootfs local-lvm:vm-$NEWID-disk-0,size=32G
+
+pct start $NEWID
+
+echo "Creds:"
+echo "root@$CTIP"
+echo "root@2001:470:1f1a:1a4::$(printf '%x'  $((NEWID - 87)))"
+echo $CTPASS

scripts/installdeb/installdeb.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+## Install luser.deb to remote host
+
+DMZKEYFILE=$(echo -n ~)"/.ssh/dmz"
+
+HOST="$1"
+DEB="$2"
+
+if [[ -z "$HOST" ]]; then 
+	echo "Set Luser Host"
+	echo "Usage: ./installdeb.sh HOSTNAME DEB_FILE"
+        exit 1
+fi
+
+if [[ -z "$DEB" ]]; then 
+	echo "Set Deb package name"
+	echo "Usage: ./installdeb.sh HOSTNAME DEB_FILE"
+        exit 1
+fi
+
+cd ~/src/$DEB/build-deb
+make
+ssh-add -t 100 $DMZKEYFILE
+torsocks scp $DEB.deb $HOST:~/
+torsocks ssh $HOST "apt install -y /root/$DEB.deb ; rm /root/$DEB.deb"

scripts/onionadd/cmdoutput.txt

@@ -0,0 +1 @@
+j3kztfnedlfhikhr7uro7uxzf35xbrtcu4omzbl2bqb6ygakipcw62yd.onion

scripts/onionadd/onionadd.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+## Create new Linux contanier at a proxmox host
+
+DMZKEYFILE=$(echo -n ~)"/.ssh/dmz"
+
+TORHOST=$1
+CTHOST=$2
+CTIP=$3
+
+if [[ -z "$TORHOST" ]]; then 
+	echo "Set Tor Host"
+        exit 1
+fi
+
+if [[ -z "$CTHOST" ]]; then 
+	echo "Set CT hostname"
+        exit 1
+fi
+
+if [[ -z "$CTIP" ]]; then 
+	CTIP=$(grep -C 1 $CTHOST ~/.ssh/autoconfig | tail -1 | cut -d" " -f4)
+fi
+
+ssh-add -t 600 $DMZKEYFILE
+torsocks scp ./remotecmd $TORHOST:/root/onionadd.sh
+
+torsocks ssh $TORHOST "chmod +x /root/onionadd.sh; /root/onionadd.sh $CTHOST $CTIP" >> cmdoutput.txt
+torsocks ssh $TORHOST "rm /root/onionadd.sh"
+
+HOSTNAME=$(tail -1 cmdoutput.txt)
+
+echo "Host "$CTHOST"onion" >> ~/.ssh/autoconfig
+echo "  Hostname "$HOSTNAME >> ~/.ssh/autoconfig
+echo "  User root" >> ~/.ssh/autoconfig
+echo "  IdentityFile "$DMZKEYFILE >> ~/.ssh/autoconfig
+echo "  PasswordAuthentication no" >> ~/.ssh/autoconfig

scripts/onionadd/remotecmd

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+CTHOST=$1
+CTIP=$2
+
+if [[ -z "$CTHOST" ]]; then 
+	echo "Set CT hostname"
+        exit 1
+fi
+
+if [[ -z "$CTIP" ]]; then 
+	echo "Set CT IP"
+        exit 1
+fi
+
+echo "" >> /etc/tor/onions/dmz
+echo "HiddenServiceDir /var/lib/tor/"$CTHOST"/" >> /etc/tor/onions/dmz
+echo "HiddenServicePort 22 "$CTIP":22" >> /etc/tor/onions/dmz
+
+service tor reload
+sleep 30
+
+cat "/var/lib/tor/"$CTHOST"/hostname"

scripts/showpass.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# If you want to add these passwords to the `pass` program, you can
+# symlink all the passwords which you can open, then open the
+# passwords with a script like this.
+
+pass_store=~/.password-store
+
+# THIS_PLACE="$PWD"
+# mkdir $pass_store/dmz
+# cd !$
+# find  "$THIS_PLACE" -type f -name "*.gpg" | \ 
+#     sed "s#/home/ghost#../..#" | \ 
+#     while read -r line; do
+#         gpg -d "$line" && ln -sf "$line" .
+#     done
+ 
+
+sanity_check(){
+    command -v $1 >/dev/null || (
+        echo "You must install $1"
+        exit 1
+    )
+}
+
+set_selector_if_program_exists(){
+    command -v "$1" > /dev/null  && selector="$1 $2"
+}
+
+if [ -z "$DISPLAY" ]; then
+    set_selector_if_program_exists sk || \
+        set_selector_if_program_exists fzy || \
+        set_selector_if_program_exists fzf
+    fail_sender='echo'
+else
+    set_selector_if_program_exists "rofi" 'rofi -dmenu "$@"' || \
+        set_selector_if_program_exists dmenu || \
+        (
+            echo "Cannot find anything to select a key. Install dmenu." 
+            exit 1
+        )
+    fail_sender='notify-send'
+fi
+
+list_keys(){
+    find -L . -mindepth 1 -type f -name "*.gpg" | \
+        sed 's/\.\///' | \
+        sed 's/.gpg//'
+}
+
+####################
+
+set -e
+
+sanity_check pass
+
+cd "$pass_store"
+
+password="$(list_keys | $selector)"
+
+pass -c "$password" || $fail_sender 'Cannot decrypt'
+