commit 1b8ff80df2796e00679cfa8cd12c9bdf7ee0d2dc Author: inference Date: Mon Aug 7 17:24:05 2023 +0100 Add system "xb000-0" configuration files
diff --git a/xb000-0/ejabberd/ejabberd.yml b/xb000-0/ejabberd/ejabberd.yml
new file mode 100644
index 0000000..e9d8703
--- /dev/null
+++ b/xb000-0/ejabberd/ejabberd.yml
@@ -0,0 +1,310 @@
+# Inferencium - xb000-0
+# ejabberd - Configuration
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 6.0.0.11
+
+
+# Hosts
+hosts:
+ - inferencium.net
+ - dissensionclub.net
+
+# Hosts configuration
+host_config:
+ inferencium.net:
+ auth_method: internal
+ dissensionclub.net:
+ auth_method: internal
+
+# Language
+language: en
+
+# Security
+## Passwords
+auth_password_format: scram
+auth_scram_hash: sha256
+### Upgrade password hashes to SHA-512 when possible; currently infeasible due to current users
+### having passwords created using SHA-256.
+#auth_scram_hash: sha512
+
+## Server-to-Server
+s2s_dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+s2s_ciphers:
+ - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+s2s_protocol_options:
+ - no_sslv2
+ - no_sslv3
+ - no_tlsv1
+ - no_tlsv1_1
+ - cipher_server_preferences
+s2s_use_starttls: required
+s2s_tls_compression: false
+s2s_zlib: false
+
+allow_multiple_connections: false
+
+# Logging
+loglevel: info
+hide_sensitive_log_data: true
+
+# Certificates
+ca_file: "/etc/ssl/certs/ca-certificates.crt"
+certfiles:
+ ## dissensionclub.net
+ - "/etc/ssl/dissensionclub.net/ejabberd.pem"
+ ## inferencium.net
+ - "/etc/ssl/inferencium.net/ejabberd.pem"
+ - "/etc/ssl/hfu.xmpp.inferencium.net/ejabberd.pem"
+ - "/etc/ssl/muc.xmpp.inferencium.net/ejabberd.pem"
+ - "/etc/ssl/xmpp.inferencium.net/ejabberd.pem"
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+ protocol_options:
+ - no_sslv2
+ - no_sslv3
+ - no_tlsv1
+ - no_tlsv1_1
+ ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+ starttls: true
+ starttls_required: true
+ tls_compression: false
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ -
+ port: 5223
+ ip: "::"
+ module: ejabberd_c2s
+ dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+ tls: true
+
protocol_options:
+ - no_sslv2
+ - no_sslv3
+ - no_tlsv1
+ - no_tlsv1_1
+ ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+ tls_compression: false
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+ -
+ port: 5443
+ ip: "::"
+ module: ejabberd_http
+ tls: true
+ request_handlers:
+ /admin: ejabberd_web_admin
+ /api: mod_http_api
+ /bosh: mod_bosh
+ /captcha: ejabberd_captcha
+ /upload: mod_http_upload
+ /ws: ejabberd_http_ws
+ custom_headers:
+ "Access-Control-Allow-Origin": "*"
+ "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+ "Access-Control-Allow-Headers": "Authorization"
+ "Access-Control-Allow-Headers": "Content-Type, Origin, X-Requested-Width"
+ "Access-Control-Allow-Credentials": "true"
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ request_handlers:
+ /admin: ejabberd_web_admin
+ -
+ port: 3478
+ ip: "::"
+ transport: udp
+ module: ejabberd_stun
+ use_turn: true
+ ## The server's public IPv4 address:
+ # turn_ipv4_address: "203.0.113.3"
+ ## The server's public IPv6 address:
+ # turn_ipv6_address: "2001:db8::3"
+
+acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+ admin:
+ user:
+ - "admin@inferencium.net"
+
+access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: local
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: loopback
+
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ oauth:
+ scope: "ejabberd:admin"
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ ip: 127.0.0.1/8
+ what:
+ - status
+ - connected_users_number
+
+shaper:
+ normal:
+ rate: 3000
+ burst_size: 20000
+
fast: 100000
+
+shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_bosh: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_fail2ban: {}
+ mod_http_api: {}
+ mod_http_upload:
+ name: HTTP File Upload
+ access: local
+ custom_headers:
+ "Access-Control-Allow-Origin": "*"
+ #"Access-Control-Allow-Origin": "https://@HOST@"
+ "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+ "Access-Control-Allow-Headers": "Content-Type"
+ docroot: /var/lib/ejabberd/upload/@HOST@
+ dir_mode: "2750"
+ file_mode: "0640"
+ max_size: 67108864
+ put_url: https://@HOST@:5443/upload
+ thumbnail: false
+ mod_last: {}
+ mod_mam:
+ assume_mam_usage: true
+ default: always
+ mod_mqtt: {}
+ mod_muc:
+ host: muc.xmpp.inferencium.net
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ access_mam:
+ - allow
+ default_room_options:
+ allow_private_messages: true
+# allow_private_messages_from_visitors: nobody
+# allow_voice_requests: false
+ anonymous: false
+ logging: false
+ mam: true
+# members_only: true
+ persistent: true
+ public: false
+ public_list: false
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_shared_roster: {}
+ mod_stream_mgmt:
+ resend_on_timeout:
if_offline
+ mod_stun_disco: {}
+ mod_vcard: {}
+ mod_vcard_xupdate: {}
+ mod_version:
+ show_os: false
+
+default_db: sql
+sql_type: pgsql
+sql_server: "localhost"
+sql_database: "ejabberd"
+sql_username: "ejabberd"
+sql_password: "[REDACTED]"
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
diff --git a/xb000-0/nginx/gitea.conf b/xb000-0/nginx/gitea.conf
new file mode 100644
index 0000000..f86baa3
--- /dev/null
+++ b/xb000-0/nginx/gitea.conf
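Review bot: The listener on port 5280 serves `/admin: ejabberd_web_admin` over plain HTTP on every interface (`ip: "::"`, no `tls: true`), so web-admin credentials and session cookies cross the network in cleartext; the same handler is already exposed on the TLS listener on 5443, so this listener can be removed, or at least pinned with `ip: "::1"` if a local-only admin path is wanted. On the 5443 listener the `custom_headers` map repeats the `"Access-Control-Allow-Headers"` key, so at most one of the two values survives YAML parsing and the `Authorization` value is likely the one lost; merge them into a single `"Access-Control-Allow-Headers": "Authorization, Content-Type, Origin, X-Requested-With"` line (note the `X-Requested-Width` typo as well). `"Access-Control-Allow-Origin": "*"` together with `"Access-Control-Allow-Credentials": "true"` is a combination browsers reject for credentialed requests, and since `/admin` and `/api` live on this listener the origin should be the specific hosts that need BOSH/WebSocket access rather than `*`.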
@@ -0,0 +1,53 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Gitea
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 3.0.1.12
+
+
+# Server (unencrypted)
+server {
+ # General
+ server_name git.inferencium.net;
+ listen 80;
+ listen [::]:80;
+
+ # Location
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+# Server (TLS)
+server {
+ # General
+ server_name git.inferencium.net;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # Security
+ ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+ ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519;
+ add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
+# add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+ add_header Referrer-Policy no-referrer;
+
+ # Location
+ location / {
+ proxy_pass http://unix:/run/gitea/gitea.socket;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/xb000-0/nginx/redirect-git.conf b/xb000-0/nginx/redirect-git.conf
new file mode 100644
index 0000000..6823ec7
--- /dev/null
+++ b/xb000-0/nginx/redirect-git.conf
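Review bot: This TLS server block omits the session settings its sibling configs apply — there is no `ssl_session_tickets off;`, no `ssl_session_cache`/`ssl_session_timeout`, and no OCSP stapling — so nginx falls back to issuing session tickets under a key that is effectively only rotated on reload, which weakens the forward secrecy the TLS 1.3/X25519-only settings are aiming for; add `ssl_session_tickets off;` and `ssl_session_cache shared:SSL:10m;` after `ssl_ecdh_curve X25519;`. With `ssl_protocols TLSv1.3;` the `ssl_ciphers` list is inert (only the `Ciphersuites` command applies to 1.3), so a short comment saying it is kept for a possible TLS 1.2 re-enable, and that it presumes an ECDSA certificate, would stop a reader treating it as the active policy. Gitea also needs `client_max_body_size` raised above nginx's 1m default for HTTPS pushes of any size; the redirect file sets `16m` but this one, which actually proxies to Gitea, does not.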
@@ -0,0 +1,71 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Redirect - git.inferencium.net
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 0.0.2.3
+
+
+# Server (unencrypted)
+server {
+ # General
+ server_name git.inferencium.net;
+ listen 80;
+# listen [::]:80;
+ rewrite ^/(.*)$ https://inferencium.net/redirect-git.html permanent;
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ rewrite ^/(.*)/$ /$1 permanent;
+}
+
+# Server (TLS)
+server {
+ # General
+ server_name git.inferencium.net;
+ listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+ rewrite ^/(.*)$ https://inferencium.net/redirect-git.html permanent;
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ rewrite ^/(.*)/$ /$1 permanent;
+
+ # Security
+ ssl_trusted_certificate /etc/letsencrypt/live/git.inferencium.net/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+ ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_cache shared:ssl_session_cache:10m;
+ ssl_session_tickets off;
+ add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+ add_header Referrer-Policy no-referrer;
+
+ client_max_body_size 16m;
+ ignore_invalid_headers
off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# MIME types
+types {
+ text/html html;
+ text/css css;
+ text/xml xml;
+ text/plain txt;
+ image/png png;
+ image/jpeg jpg;
+}
diff --git a/xb000-0/nginx/website.conf b/xb000-0/nginx/website.conf
new file mode 100644
index 0000000..30174d8
--- /dev/null
+++ b/xb000-0/nginx/website.conf
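Review bot: The tail of the TLS server block is copied proxy configuration with nothing to proxy to — there is no `proxy_pass`, so `client_max_body_size 16m;`, `ignore_invalid_headers off;` and the four `proxy_set_header` lines are dead, and `ignore_invalid_headers off` in particular is a weakening that should not be carried around by default; drop that whole stretch from a server whose only job is the redirect. In both server blocks the first `rewrite ^/(.*)$ https://inferencium.net/redirect-git.html permanent;` issues the 301 immediately, so the two `rewrite` lines after it are unreachable and can go too. `ssl_session_cache` is set twice (`shared:MozSSL:10m` and `shared:ssl_session_cache:10m`); keep one. This file declares the same `server_name git.inferencium.net` on ports 80 and 443 as gitea.conf, so if both are included nginx warns about a conflicting server name and silently ignores one of them; presumably only one is meant to be enabled at a time, which a header comment should say.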
@@ -0,0 +1,79 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Website
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 9.0.0.11
+
+
+# Server (unencrypted)
+server {
+ # General
+ server_name inferencium.net;
+ listen 80;
+ listen [::]:80;
+
+ # Location
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+# Server (TLS)
+server {
+ # General
+ server_name inferencium.net;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # Location
+ location / {
+ root /srv/www/inferencium;
+ index index.html;
+ try_files $uri.html $uri $uri/ =404;
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ rewrite ^/(.*)/$ /$1 permanent;
+ }
+
+ # Security
+ ssl_trusted_certificate /etc/letsencrypt/live/inferencium.net/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/inferencium.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/inferencium.net/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+ ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_cache shared:ssl_session_cache:10m;
+ ssl_session_tickets off;
+ add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+ add_header Referrer-Policy no-referrer;
+
+ client_max_body_size 16m;
+ ignore_invalid_headers off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade
$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# MIME types
+types {
+ text/html html;
+ text/css css;
+ text/xml xml;
+ text/plain txt;
+ image/png png;
+ image/jpeg jpg;
+}
diff --git a/xb000-0/portage/env/basic.conf b/xb000-0/portage/env/basic.conf
new file mode 100644
index 0000000..7ff3f25
--- /dev/null
+++ b/xb000-0/portage/env/basic.conf
@@ -0,0 +1,16 @@
+# Inferencium - xb000-0
+# Portage - env - Clang - Basic
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 4.0.1.5
+
+
+# Flags
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all"
diff --git a/xb000-0/portage/env/gcc-basic.conf b/xb000-0/portage/env/gcc-basic.conf
new file mode 100644
index 0000000..2f016e0
--- /dev/null
+++ b/xb000-0/portage/env/gcc-basic.conf
@@ -0,0 +1,27 @@
+# Inferencium - xb000-0
+# Portage - env - GCC - Basic
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 7.0.0.10
+
+
+# Toolchain
+AR="gcc-ar"
+CC="gcc"
+CPP="cpp"
+CXX="g++"
+LD="ld"
+NM="gcc-nm"
+RANLIB="gcc-ranlib"
+READELF="readelf"
+STRIP="strip"
+
+# Flags
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all"
diff --git a/xb000-0/portage/env/gcc-nolto.conf b/xb000-0/portage/env/gcc-nolto.conf
new file mode 100644
index 0000000..bbec200
--- /dev/null
+++ b/xb000-0/portage/env/gcc-nolto.conf
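Review bot: `ignore_invalid_headers off;` and the `proxy_http_version`/`proxy_set_header` lines at the end of the TLS server block do nothing for a static site that only serves `/srv/www/inferencium` — there is no `proxy_pass` — and disabling header validation is the kind of setting that should only exist with a reason next to it; remove that stretch together with `client_max_body_size 16m;`. `ssl_stapling on;` with `ssl_stapling_verify on;` needs a `resolver` directive to look up the OCSP responder's hostname; unless one is set in the enclosing `http` block (not visible here), nginx warns at startup and never serves a stapled response, so either add `resolver` or leave a comment saying where it is configured. `ssl_session_cache` is set twice (`shared:MozSSL:10m` and `shared:ssl_session_cache:10m`); only one should remain.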
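Review bot: basic.conf drops every hardening flag from make.conf — both `C_SEC` (`-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv`) and `LD_SEC` (`-Wl,-z,defs -Wl,-z,now -Wl,-z,relro`), not just LTO — yet nothing in the file says so or names which packages it is for, so a package.env entry pointing here silently produces an unhardened binary; add a header comment such as `# Drops C_SEC/LD_SEC as well as LTO; only for packages that fail to build or run with the hardening flags — list them in package.env` (gcc-basic.conf needs the same note). If only LTO has to go for a package, nolto.conf already does that while keeping the hardening, and that should be the first choice.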
@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - GCC - No LTO
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 8.0.0.12
+
+
+# Flags
+# Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"
diff --git a/xb000-0/portage/env/gcc.conf b/xb000-0/portage/env/gcc.conf
new file mode 100644
index 0000000..bbed4bc
--- /dev/null
+++ b/xb000-0/portage/env/gcc.conf
@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - GCC
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 1.0.0.1
+
+
+# Flags
+# Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-flto=2 -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-flto=2 -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C lto -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"
diff --git a/xb000-0/portage/env/nolto.conf b/xb000-0/portage/env/nolto.conf
new file mode 100644
index 0000000..9c6d9dd
--- /dev/null
+++ b/xb000-0/portage/env/nolto.conf
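Review bot: gcc.conf turns on GCC-style LTO (`-flto=2`, `-C lto`) but, unlike gcc-basic.conf, sets neither `CC`/`CXX` nor the `AR="gcc-ar"`/`NM="gcc-nm"`/`RANLIB="gcc-ranlib"` wrappers; with make.conf defaulting to clang (`USE="clang ..."`, `-flto=thin`), a package that gets only this env file is handed `-flto=2`, which clang does not accept, and even with GCC selected static archives of slim LTO objects may be unusable without the `gcc-*` wrappers. If this file is meant to be stacked on gcc-basic.conf in package.env, say so in a header comment; otherwise copy the toolchain block from gcc-basic.conf into it. GCC also expects `-flto` at link time, so `LDFLAGS="-flto=2 -Wl,-O2 -Wl,--strip-all ${LD_SEC}"` would be the consistent form. The `# Hardening flags` heading in both gcc.conf and gcc-nolto.conf uses a single `#` where every other sub-heading in these files uses `##`.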
@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - Clang - No LTO
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 3.0.1.5
+
+
+# Flags
+## Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"
diff --git a/xb000-0/portage/env/notmpfs.conf b/xb000-0/portage/env/notmpfs.conf
new file mode 100644
index 0000000..69ce1ef
--- /dev/null
+++ b/xb000-0/portage/env/notmpfs.conf
@@ -0,0 +1,11 @@
+# Inferencium - xb000-0
+# Portage - env - No tmpfs
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 2.0.0.3
+
+
+# Directories
+PORTAGE_TMPDIR="/var/tmp/notmpfs/"
diff --git a/xb000-0/portage/make.conf b/xb000-0/portage/make.conf
new file mode 100644
index 0000000..1b09271
--- /dev/null
+++ b/xb000-0/portage/make.conf
@@ -0,0 +1,59 @@
+# Inferencium - xb000-0
+# Portage - make.conf
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 9.0.0.35
+
+
+# System
+## Appearance
+NOCOLOR="false"
+## CHOST
+CHOST="x86_64-gentoo-linux-musl"
+## Directories
+PORTAGE_LOGDIR="/var/log/portage/"
+DISTDIR="/var/cache/distfile/"
+PKGDIR="/var/cache/bin/"
+## Language
+LC_MESSAGES="C"
+LINGUAS="en"
+L10N="en-GB"
+## Gentoo mirrors
+## ONLY IPV4 + IPV6 DUAL-STACK MIRRORS SHOULD BE USED! IPV4 IS BEING PHASED OUT!
+## IF IPV6-ONLY IS SUPPORTED BY ISP, IPV6-ONLY MIRRORS SHOULD BE PREFERRED!
+#GENTOO_MIRRORS="rsync://mirror.bytemark.co.uk/gentoo/ rsync://rsync.mirrorservice.org/sites/distfiles.gentoo.org/ rsync://mirror.init7.net/gentoo/ rsync://ftp.iij.ad.jp/pub/linux/gentoo/ rsync://ftp.jaist.ac.jp/pub/Linux/gentoo/"
+## Emerge
+BINPKG_COMPRESS="zstd"
+BINPKG_COMPRESS_FLAGS="-7"
+CLEAN_DELAY="10"
+EMERGE_DEFAULT_OPTS="--ask --jobs 1 --load-average 2 --verbose"
+FEATURES="buildpkg ipc-sandbox merge-sync metadata-transfer network-sandbox pid-sandbox sandbox strict unknown-features-filter"
+MAKEOPTS="--jobs 2"
+PORTAGE_CHECKSUM_FILTER="-* sha256 sha512"
+PORTAGE_RSYNC_EXTRA_OPTS="--progress --verbose"
+
+
+# Flags
+## Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-flto=thin -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-flto=thin -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C embed-bitcode=y -C lto -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all -Wl,--thinlto-jobs=2 ${LD_SEC}"
+## USE flags
+USE="clang dbus llvm-libunwind lto nftables postgres system-av1 system-harfbuzz system-icu system-jpeg system-libvpx system-llvm system-png system-webp verify-sig"
+USE="${USE} -jit -mysql -systemd -wayland -X"
+## CPU flags
+CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3"
+## ABI flags
+ABI_X86="64"
+## LLVM target flags
+LLVM_TARGETS="X86"
+## Nginx modules
+NGINX_MODULES_HTTP="access addition auth_basic auth_request autoindex browser cach_purge charset degradation echo fastcgi headers_more limit_conn limit_req memcached push_stream random_index referer rewrite scgi secure_link gunzip gzip gzip_static proxy slice"
+NGINX_MODULES_STREAM="access limit_conn ssl_preread return"
diff --git a/xb000-0/ssh/sshd_config b/xb000-0/ssh/sshd_config
new file mode 100644
index 0000000..2e88f73
--- /dev/null
+++ b/xb000-0/ssh/sshd_config
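Review bot: `NGINX_MODULES_HTTP` lists `cach_purge`, which is not a module name Portage knows (`cache_purge` is), so the flag is silently ignored and the purge module is never built — fix the spelling. `LDFLAGS` carries `-Wl,--strip-all`, which strips at link time and so bypasses Portage's own stripping (`FEATURES=splitdebug`/`nostrip` and per-package `RESTRICT=strip` stop working), leaving no way to keep symbols for a package that needs them; let Portage strip and drop that flag here and in every env file that repeats it. `PORTAGE_CHECKSUM_FILTER="-* sha256 sha512"` is fine for current Manifests, which carry BLAKE2B and SHA512, but a comment such as `# sha512 must stay: it is the only listed hash present in Gentoo Manifests` would stop someone trimming the list to sha256 only and disabling distfile verification.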
@@ -0,0 +1,122 @@
+# Inferencium
+# SSH - sshd Configuration
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Version: 0.0.1.1
+
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Keys
+HostKey /etc/ssh/ssh-host-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+
+# Ciphers
+Ciphers chacha20-poly1305@openssh.com
+
+MACs -*
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication
+LoginGraceTime 30s
+PermitRootLogin yes
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 5
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.
Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/misc/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+# Allow client to pass locale environment variables. #367017
+AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+
+# Allow client to pass COLORTERM to match TERM. #658540
+AcceptEnv COLORTERM
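Review bot: `PermitRootLogin yes` allows direct root logins; with `PasswordAuthentication no` and `KbdInteractiveAuthentication no` they are key-only, but the template comment kept above `UsePAM yes` warns exactly that PAM via keyboard-interactive can bypass `prohibit-password`, and a direct root session leaves no per-user audit trail — set `PermitRootLogin prohibit-password` at minimum (or `no` with an unprivileged admin account and doas/sudo) and add an `AllowUsers`/`AllowGroups` line so the key-only surface is bounded to named accounts. `MACs -*` empties the MAC list, which only works because the sole cipher (`chacha20-poly1305@openssh.com`) is an AEAD and negotiates no MAC; that dependency deserves a comment beside it, e.g. `# No MAC list: the only cipher is AEAD. Re-add MACs if a non-AEAD cipher is ever enabled.`, plus an `sshd -T` check after any cipher change. `MaxAuthTries 1` counts every public key the client offers, so a user whose agent holds more than one key is disconnected before the right one is tried; `MaxAuthTries 3` keeps the limit tight without that failure mode. `AllowAgentForwarding` and `AllowTcpForwarding` are left at their `yes` defaults (only commented out); if neither is needed on this host, setting both to `no` explicitly removes pivoting options for a compromised client.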