Up-to-date howtos and documentation for Gentoo Linux.
What is special about this documentation is that it is generated automatically from my running system, so it is always up to date.
Furthermore this howto is built modularly. The howtos are sorted in alphabetical order, and every topic lists its dependencies. For example: you have to finish the Webserver howto before building web-based statistics.
I hope to give something back to the community with this document.
Please enjoy, and send any ideas, wishes or improvements to: doc<at>gabosh.net
Copyright (C) 2008-2021 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/apccontrol
Changed on 16.05.18: eMail notification
Before change:
export SYSADMIN=root
After change:
export SYSADMIN=root,user1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/apcupsd/apcupsd.conf
Changed on 16.05.18: Optional UPS name
Before change:
#UPSNAME
After change:
UPSNAME usvxgabo
System shutdown below this battery charge level (percent)
Before change:
BATTERYLEVEL 0
After change:
BATTERYLEVEL 5
System shutdown below this remaining runtime on battery (minutes)
Before change:
MINUTES 0
After change:
MINUTES 5
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/changeme
Changed on 16.05.18: Battery change notification
( /sbin/apcaccess status
  echo " "
  echo "$MSG" ) | /usr/local/sbin/xmppsend mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/commfailure
Changed on 16.05.18: Communication failure notification
( /sbin/apcaccess status
  echo " "
  echo "$MSG" ) | /usr/local/sbin/xmppsend mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/commok
Changed on 16.05.18: Communication OK notification
( /sbin/apcaccess status
  echo " "
  echo "$MSG" ) | /usr/local/sbin/xmppsend mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/offbattery
Changed on 16.05.18: Power returned
( /sbin/apcaccess status
  echo " "
  echo "$MSG" ) | /usr/local/sbin/xmppsend mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /etc/apcupsd/onbattery
Changed on 16.05.18: Power loss
( /sbin/apcaccess status
  echo " "
  echo "$MSG" ) | /usr/local/sbin/xmppsend mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/powerconsumption.sh
Changed on 16.05.18: Power consumption statistics
#!/bin/bash
usvpower=20 # 20 Watt self-consumption of the UPS
# nominal output power of the UPS, read once from apcaccess
maxpower=$(apcaccess status | perl -pe 's/ +/ /g;' | grep NOMPOWER | cut -d" " -f 3)
while true
do
  # current load in percent of the nominal power
  loadpct=$(apcaccess status | perl -pe 's/ +/ /g;' | grep LOADPCT | cut -d" " -f 3)
  wattsconsumption=$(echo "scale=2; $loadpct/100*$maxpower+$usvpower" | bc -l | cut -d'.' -f1)
  echo "$(date "+%Y-%m-%d %T") $wattsconsumption Watt" >>/var/log/powerconsumption-$(date +%Y)
  sleep 60
done
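As an added example (not part of the original page or of powerconsumption.sh), the same LOADPCT x NOMPOWER arithmetic done in a single awk pass over a constructed apcaccess status sample. The sample text and the 20 W self-consumption value are assumptions; what it adds is the failure mode the original pipeline does not handle: a UPS that does not report NOMPOWER makes the script log nonsense, so this function refuses instead of writing a number.

```shell
#!/bin/sh
# Constructed sample of `apcaccess status` output (not taken from a real UPS).
SAMPLE_STATUS='APC      : 001,036,0879
UPSNAME  : usvxgabo
STATUS   : ONLINE
LOADPCT  : 23.0 Percent
BCHARGE  : 100.0 Percent
TIMELEFT : 35.4 Minutes
NOMPOWER : 480 Watts'

# Same formula as powerconsumption.sh (LOADPCT/100 * NOMPOWER + self-consumption),
# but the status text is parsed once, and a missing NOMPOWER field is an error
# instead of silently producing "20 Watt" every minute.
# $1 = status text, $2 = UPS self-consumption in watts
watts_from_status() {
    printf '%s\n' "$1" | awk -F' *: *' -v self="$2" '
        $1 == "LOADPCT"  { load = $2 + 0 }
        $1 == "NOMPOWER" { nom  = $2 + 0; have_nom = 1 }
        END {
            if (!have_nom) {
                print "NOMPOWER not reported by this UPS" > "/dev/stderr"
                exit 1
            }
            printf "%d\n", load / 100 * nom + self
        }'
}

# Prints the watt figure for the sample (130 for the constructed values above).
watts_from_status "$SAMPLE_STATUS" 20
```

The function returns awk's exit status, so a caller can append to the log only when the value is trustworthy: `w=$(watts_from_status "$(apcaccess status)" 20) && echo "$(date "+%Y-%m-%d %T") $w Watt" >>/var/log/powerconsumption-$(date +%Y)`.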
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge net-analyzer/arpwatch
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/arpwatch
Changed on 09.03.08: The interfaces arpwatch should watch.
Before change:
ARPWATCH_IFACE=""
After change:
ARPWATCH_IFACE="eth0"
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add arpwatch
Please send a feedback to: doc<at>gabosh.net
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/extensions.conf
Changed on 07.09.17: Call routing / action plans
; General settings
[general]
static=yes
writeprotect=no
[local]
; Internal calls ^3[0-9]$
exten => _3X,1,NoOp(${CALLERID})
exten => _3X,n,Dial(PJSIP/${EXTEN},120)
exten => _3X,n,Hangup
; Internal calls ^4[0-9]$
exten => _4X,1,NoOp(${CALLERID})
exten => _4X,n,Dial(PJSIP/${EXTEN},120)
exten => _4X,n,Hangup
[1und1_out]
; local area code calls
exten => _ZX.,1,NoOp(${CALLERID})
; Optional: look up in the Horde addressbook for the caller name
;exten => _ZX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
; Note (applies to every System() and SHELL() call in this file): Asterisk runs the expanded
; command through /bin/sh -c, so ${CALLNAME}, ${CALLERID(all)} and ${CALLERID(dnid)} are
; interpolated unescaped. Wrap any value that can come from a phone, a caller or the
; addressbook in ${FILTER(0-9A-Za-z+ .,...)} before it reaches a command line.
exten => _ZX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _ZX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _ZX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _ZX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _ZX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _ZX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to PJSIP-Provider
exten => _ZX.,n,Set(VOLUME(RX,p)=4)
exten => _ZX.,n,Dial(PJSIP/PHONENUMBER/0DIALPREFIX${EXTEN},120)
exten => _ZX.,n,Hangup
; Other Outgoing calls
exten => _[+0]XX.,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => _[+0]XX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _[+0]XX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _[+0]XX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _[+0]XX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _[+0]XX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _[+0]XX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _[+0]XX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to PJSIP-Provider
exten => _[+0]XX.,n,Set(VOLUME(RX,p)=4)
exten => _[+0]XX.,n,Dial(PJSIP/PHONENUMBER/${EXTEN},120)
exten => _[+0]XX.,n,Hangup
[1und1_olb_out]
; local area code calls
exten => _ZX.,1,NoOp(${CALLERID})
; Optional: look up in the Horde addressbook for the caller name
;exten => _ZX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _ZX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "OLB Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _ZX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _ZX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _ZX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _ZX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _ZX.,n,Set(CALLERID(all)="PHONENUMBER2" <PHONENUMBER2>)
; Route to PJSIP-Provider
exten => _ZX.,n,Set(VOLUME(RX,p)=4)
exten => _ZX.,n,Dial(PJSIP/PHONENUMBER2/0DIALPREFIX${EXTEN},120)
exten => _ZX.,n,Hangup
; Other Outgoing calls
exten => _[+0]XX.,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => _[+0]XX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _[+0]XX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "OLB Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _[+0]XX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _[+0]XX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _[+0]XX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _[+0]XX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _[+0]XX.,n,Set(CALLERID(all)="PHONENUMBER2" <PHONENUMBER2>)
; Route to PJSIP-Provider
exten => _[+0]XX.,n,Set(VOLUME(RX,p)=4)
exten => _[+0]XX.,n,Dial(PJSIP/PHONENUMBER2/${EXTEN},120)
exten => _[+0]XX.,n,Hangup
[incoming]
; Incoming calls to PHONENUMBER
exten => PHONENUMBER,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => PHONENUMBER,n,Set(CALLERID(name)=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(num)})})
; Optional: Notify incoming call per eMail
; The caller ID comes from the provider's SIP headers and System() runs through /bin/sh -c,
; so only a whitelisted character set may reach the command line (FILTER drops everything else).
exten => PHONENUMBER,n,Set(SAFE_CID=${FILTER(0-9A-Za-z+ .<>,${CALLERID(all)})})
exten => PHONENUMBER,n,System(echo "`date`: ${SAFE_CID} ruft an." | mail -s 'Anrufbenachrichtigung ${SAFE_CID}' mail@example.com)
; Optional: Block blacklisted callers
; The blacklist is administered over the CLI ("asterisk -r")
; Adding a number to be blocked
; *CLI> database put blacklist 1234 "TEST"
; Removing a number from being blocked
; *CLI> database del blacklist 1234
; Listing current blocks
; *CLI> database show blacklist
exten => PHONENUMBER,n,GotoIf(${BLACKLIST()}?blacklisted)
; Optional: Don't ring at night, except for numbers found in the phonebook.
; Note: this tests CALLERID(name), which is phonebook-derived only while the Horde lookup above
; is enabled; with the lookup commented out, any caller who sends a display name passes the check.
exten => PHONENUMBER,n,GotoIf($["${CALLERID(name)}" != ""]?ring)
exten => PHONENUMBER,n,GotoIfTime(23:00-23:59,sun-sat,*,*?noring)
exten => PHONENUMBER,n,GotoIfTime(00:00-05:00,sun-sat,*,*?noring)
; Optional: Record call
exten => PHONENUMBER,n(ring),System(mkdir -p "/home/asterisk/calls")
exten => PHONENUMBER,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => PHONENUMBER,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => PHONENUMBER,n,Monitor(wav,${FILENAME},mb)
; Route the call to local PJSIP-Phones - ringing (try for 60 seconds)
exten => PHONENUMBER,n,Set(VOLUME(TX,p)=4)
exten => PHONENUMBER,n,Dial(PJSIP/30&PJSIP/31&PJSIP/32&PJSIP/33&PJSIP/34&PJSIP/40,60)
; Set Language for Voicemail-Answer
exten => PHONENUMBER,n(noring),Set(CHANNEL(language)=de)
; Start Voicemail
exten => PHONENUMBER,n,Voicemail(30&31)
exten => PHONENUMBER,n,Playback(vm-goodbye)
exten => PHONENUMBER,n(blacklisted),Hangup()
; hangup
exten => PHONENUMBER,n,Hangup
; Incoming calls to PHONENUMBER2
exten => PHONENUMBER2,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => PHONENUMBER2,n,Set(CALLERID(name)=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(num)})})
; Optional: Notify incoming call per eMail
; The caller ID comes from the provider's SIP headers and System() runs through /bin/sh -c,
; so only a whitelisted character set may reach the command line (FILTER drops everything else).
exten => PHONENUMBER2,n,Set(SAFE_CID=${FILTER(0-9A-Za-z+ .<>,${CALLERID(all)})})
exten => PHONENUMBER2,n,System(echo "`date`: ${SAFE_CID} ruft an." | mail -s 'Anrufbenachrichtigung ${SAFE_CID}' mail@example.com)
; Optional: Block blacklisted callers
; The blacklist is administered over the CLI ("asterisk -r")
; Adding a number to be blocked
; *CLI> database put blacklist 1234 "TEST"
; Removing a number from being blocked
; *CLI> database del blacklist 1234
; Listing current blocks
; *CLI> database show blacklist
exten => PHONENUMBER2,n,GotoIf(${BLACKLIST()}?blacklisted)
; Optional: Don't ring at night, except for numbers found in the phonebook.
; Note: this tests CALLERID(name), which is phonebook-derived only while the Horde lookup above
; is enabled; with the lookup commented out, any caller who sends a display name passes the check.
exten => PHONENUMBER2,n,GotoIf($["${CALLERID(name)}" != ""]?ring)
exten => PHONENUMBER2,n,GotoIfTime(23:00-23:59,sun-sat,*,*?noring)
exten => PHONENUMBER2,n,GotoIfTime(00:00-05:00,sun-sat,*,*?noring)
; Optional: Record call
exten => PHONENUMBER2,n(ring),System(mkdir -p "/home/asterisk/calls")
exten => PHONENUMBER2,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => PHONENUMBER2,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => PHONENUMBER2,n,Monitor(wav,${FILENAME},mb)
; Route the call to local PJSIP-Phones - ringing (try for 60 seconds)
exten => PHONENUMBER2,n,Set(VOLUME(TX,p)=4)
exten => PHONENUMBER2,n,Dial(PJSIP/40,60)
; hangup
exten => PHONENUMBER2,n,Hangup
; Default rules. Be careful: unauthenticated (guest) calls land in this context, so you have to
; block all IPs except those of your PJSIP provider to use this option in a reasonably secure way
[default]
include => incoming
; Only for internal phones
[phones]
include => local
include => 1und1_out
[olbworkphones]
include => local
include => 1und1_olb_out
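Added example (shell, not Asterisk's code and not the author's dialplan) for the System() and SHELL() calls in the dialplan above: Asterisk hands the expanded command to /bin/sh -c, so a caller-ID name or number that contains shell metacharacters runs as commands on the PBX. The script rebuilds that command from a constructed caller ID, shows that the smuggled command executes, and applies the same whitelist a dialplan FILTER() call would; that the provider forwards display names unchanged is an assumption, as is the sample caller ID.

```shell
#!/bin/sh
# Constructed caller-ID name, as an attacker could place it in the SIP From display name.
# (Whether your provider forwards display names unchanged is an assumption; check it.)
EVIL_NAME='Mallory"; echo INJECTED >"$MARKER"; echo "'

# Rebuilds the string that the dialplan line
#   System(echo "`date`: ${CALLERID(all)} ruft an." | mail ...)
# hands to /bin/sh -c once Asterisk has substituted ${CALLERID(all)} = "<name>" <<num>>.
# $1 = caller-ID name, $2 = caller-ID number
build_cmd() {
    printf 'echo "%s <%s> ruft an." >/dev/null' "$1" "$2"
}

# Shell equivalents of the dialplan whitelists
#   ${FILTER(0-9A-Za-z .,${CALLERID(name)})}  and  ${FILTER(0-9+,${CALLERID(num)})}
# tr -cd deletes every byte that is not in the listed set.
filter_name() { printf '%s' "$1" | tr -cd '0-9A-Za-z .'; }
filter_num()  { printf '%s' "$1" | tr -cd '0-9+'; }

# Runs the command the way System() would and reports whether the smuggled
# command executed: prints INJECTED or clean.
run_and_check() {
    MARKER=$(mktemp); export MARKER
    sh -c "$(build_cmd "$1" "$2")" >/dev/null
    if grep -q INJECTED "$MARKER"; then result=INJECTED; else result=clean; fi
    rm -f "$MARKER"
    echo "$result"
}

echo "raw caller ID:      $(run_and_check "$EVIL_NAME" 123)"
echo "filtered caller ID: $(run_and_check "$(filter_name "$EVIL_NAME")" "$(filter_num 123)")"
```

The filtering has to happen in the dialplan, before System() or SHELL() is reached; a wrapper script cannot undo an injection that already ran in the shell that started it.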
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge net-misc/asterisk
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/ari.conf
Changed on 07.09.17: Disable the Asterisk REST Interface (ARI), which is not used here
Before change:
enabled = yes ; When set to no, ARI support is disabled.
After change:
enabled = no
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/extensions.conf.ok
Changed on 07.09.17: Call routing / action plans (older chan_sip variant of the file)
; General settings
[general]
static=yes
writeprotect=no
[local]
; Internal calls ^3[0-9]$
exten => _3X,1,NoOp(${CALLERID})
exten => _3X,n,Dial(SIP/${EXTEN},120)
exten => _3X,n,Hangup
[1und1_out]
; local area code calls
exten => _ZX.,1,NoOp(${CALLERID})
; Optional: look up in the Horde addressbook for the caller name
exten => _ZX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _ZX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _ZX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _ZX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _ZX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _ZX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _ZX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to SIP-Provider
exten => _ZX.,n,Set(VOLUME(RX,p)=4)
exten => _ZX.,n,Set(VOLUME(TX,p)=4)
exten => _ZX.,n,Dial(SIP/PHONENUMBER/0DIALPREFIX${EXTEN},120)
exten => _ZX.,n,Hangup
; Other Outgoing calls
exten => _[+0]XX.,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
exten => _[+0]XX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _[+0]XX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _[+0]XX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _[+0]XX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _[+0]XX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _[+0]XX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _[+0]XX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to SIP-Provider
exten => _[+0]XX.,n,Set(VOLUME(RX,p)=4)
exten => _[+0]XX.,n,Set(VOLUME(TX,p)=4)
exten => _[+0]XX.,n,Dial(SIP/PHONENUMBER/${EXTEN},120)
exten => _[+0]XX.,n,Hangup
[incoming]
; Incoming calls to PHONENUMBER
exten => PHONENUMBER,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
exten => PHONENUMBER,n,Set(CALLERID(name)=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(num)})})
; Optional: Notify incoming call per eMail
exten => PHONENUMBER,n,System(echo "`date`: ${CALLERID(all)} ruft an." | mail -s 'Anrufbenachrichtigung ${CALLERID(all)}' mail@example.com)
; Optional: Block blacklisted callers
; The blacklist is administered over the CLI ("asterisk -r")
; Adding a number to be blocked
; *CLI> database put blacklist 1234 "TEST"
; Removing a number from being blocked
; *CLI> database del blacklist 1234
; Listing current blocks
; *CLI> database show blacklist
exten => PHONENUMBER,n,GotoIf(${BLACKLIST()}?blacklisted)
; Optional: Don't ring in night time excluding numbers in phonebook
exten => PHONENUMBER,n,GotoIf($["${CALLERID(name)}" != ""]?ring)
exten => PHONENUMBER,n,GotoIfTime(23:00-23:59,sun-sat,*,*?noring)
exten => PHONENUMBER,n,GotoIfTime(00:00-05:00,sun-sat,*,*?noring)
; Optional: Record call
exten => PHONENUMBER,n(ring),System(mkdir -p "/home/asterisk/calls")
exten => PHONENUMBER,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => PHONENUMBER,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => PHONENUMBER,n,Monitor(wav,${FILENAME},mb)
; Route the call to local SIP-Phones - ringing (try for 60 seconds)
;exten => PHONENUMBER,n,Set(VOLUME(RX,p)=4)
exten => PHONENUMBER,n,Set(VOLUME(TX,p)=4)
exten => PHONENUMBER,n,Dial(SIP/30&SIP/31&SIP/32&SIP/33,60)
; Set Language for Voicemail-Answer
exten => PHONENUMBER,n(noring),Set(CHANNEL(language)=de)
; Start Voicemail
exten => PHONENUMBER,n,Voicemail(30&31)
exten => PHONENUMBER,n,Playback(vm-goodbye)
exten => PHONENUMBER,n(blacklisted),Hangup()
exten => PHONENUMBER,n,Hangup
; Default rules. Be careful: unauthenticated (guest) calls land in this context, so you have to
; block all IPs except those of your SIP provider to use this option in a reasonably secure way
[default]
include => incoming
; Only for internal phones
[phones]
include => local
include => 1und1_out
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/extensions.conf.old-sip
Changed on 07.09.17: Call routing / action plans (previous chan_sip version of the file)
; General settings
[general]
static=yes
writeprotect=no
[local]
; Internal calls ^3[0-9]$
exten => _3X,1,NoOp(${CALLERID})
exten => _3X,n,Dial(SIP/${EXTEN},120)
exten => _3X,n,Hangup
; Internal calls ^4[0-9]$
exten => _4X,1,NoOp(${CALLERID})
exten => _4X,n,Dial(SIP/${EXTEN},120)
exten => _4X,n,Hangup
[1und1_out]
; local area code calls
exten => _ZX.,1,NoOp(${CALLERID})
; Optional: look up in the Horde addressbook for the caller name
;exten => _ZX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _ZX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _ZX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _ZX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _ZX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _ZX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _ZX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to SIP-Provider
exten => _ZX.,n,Set(VOLUME(RX,p)=4)
exten => _ZX.,n,Dial(SIP/PHONENUMBER/0DIALPREFIX${EXTEN},120)
exten => _ZX.,n,Hangup
; Other Outgoing calls
exten => _[+0]XX.,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => _[+0]XX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _[+0]XX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _[+0]XX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _[+0]XX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _[+0]XX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _[+0]XX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _[+0]XX.,n,Set(CALLERID(all)="PHONENUMBER" <PHONENUMBER>)
; Route to SIP-Provider
exten => _[+0]XX.,n,Set(VOLUME(RX,p)=4)
exten => _[+0]XX.,n,Dial(SIP/PHONENUMBER/${EXTEN},120)
exten => _[+0]XX.,n,Hangup
[1und1_olb_out]
; local area code calls
exten => _ZX.,1,NoOp(${CALLERID})
; Optional: look up in the Horde addressbook for the caller name
;exten => _ZX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _ZX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "OLB Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _ZX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _ZX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _ZX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _ZX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _ZX.,n,Set(CALLERID(all)="PHONENUMBER2" <PHONENUMBER2>)
; Route to SIP-Provider
exten => _ZX.,n,Set(VOLUME(RX,p)=4)
exten => _ZX.,n,Dial(SIP/PHONENUMBER2/0DIALPREFIX${EXTEN},120)
exten => _ZX.,n,Hangup
; Other Outgoing calls
exten => _[+0]XX.,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => _[+0]XX.,n,Set(CALLNAME=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(dnid)})})
; Optional: Notify outgoing call per eMail
exten => _[+0]XX.,n,System(echo "`date`: ${CALLERID(all)} ruft ${CALLNAME} <${CALLERID(dnid)}> an!" | mail -s "OLB Telefonat nach draußen ${CALLERID(all)} -> ${CALLERID(dnid)}" mail@example.com )
; Optional: Record call
exten => _[+0]XX.,n,System(mkdir -p "/home/asterisk/calls")
exten => _[+0]XX.,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => _[+0]XX.,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => _[+0]XX.,n,Monitor(wav,${FILENAME},mb)
; Remove Name
exten => _[+0]XX.,n,Set(CALLERID(all)="PHONENUMBER2" <PHONENUMBER2>)
; Route to SIP-Provider
exten => _[+0]XX.,n,Set(VOLUME(RX,p)=4)
exten => _[+0]XX.,n,Dial(SIP/PHONENUMBER2/${EXTEN},120)
exten => _[+0]XX.,n,Hangup
[incoming]
; Incoming calls to PHONENUMBER
exten => PHONENUMBER,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => PHONENUMBER,n,Set(CALLERID(name)=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(num)})})
; Optional: Notify incoming call per eMail
exten => PHONENUMBER,n,System(echo "`date`: ${CALLERID(all)} ruft an." | mail -s 'Anrufbenachrichtigung ${CALLERID(all)}' mail@example.com)
; Optional: Block blacklisted callers
; The blacklist is administered over the CLI ("asterisk -r")
; Adding a number to be blocked
; *CLI> database put blacklist 1234 "TEST"
; Removing a number from being blocked
; *CLI> database del blacklist 1234
; Listing current blocks
; *CLI> database show blacklist
exten => PHONENUMBER,n,GotoIf(${BLACKLIST()}?blacklisted)
; Optional: Don't ring in night time excluding numbers in phonebook
exten => PHONENUMBER,n,GotoIf($["${CALLERID(name)}" != ""]?ring)
exten => PHONENUMBER,n,GotoIfTime(23:00-23:59,sun-sat,*,*?noring)
exten => PHONENUMBER,n,GotoIfTime(00:00-05:00,sun-sat,*,*?noring)
; Optional: Record call
exten => PHONENUMBER,n(ring),System(mkdir -p "/home/asterisk/calls")
exten => PHONENUMBER,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => PHONENUMBER,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => PHONENUMBER,n,Monitor(wav,${FILENAME},mb)
; Route the call to local SIP-Phones - ringing (try for 60 seconds)
exten => PHONENUMBER,n,Set(VOLUME(TX,p)=4)
exten => PHONENUMBER,n,Dial(SIP/30&SIP/31&SIP/32&SIP/33&SIP/34&SIP/40,60)
; Set Language for Voicemail-Answer
exten => PHONENUMBER,n(noring),Set(CHANNEL(language)=de)
; Start Voicemail
exten => PHONENUMBER,n,Voicemail(30&31)
exten => PHONENUMBER,n,Playback(vm-goodbye)
exten => PHONENUMBER,n(blacklisted),Hangup()
; hangup
exten => PHONENUMBER,n,Hangup
; Incoming calls to PHONENUMBER2
exten => PHONENUMBER2,1,NoOp(${CALLERID})
; Optional: Look up in the Horde addressbook for the caller name
;exten => PHONENUMBER2,n,Set(CALLERID(name)=${SHELL(/etc/asterisk/hordelookup.sh ${CALLERID(num)})})
; Optional: Notify incoming call per eMail
exten => PHONENUMBER2,n,System(echo "`date`: ${CALLERID(all)} ruft an." | mail -s 'Anrufbenachrichtigung ${CALLERID(all)}' mail@example.com)
; Optional: Block blacklisted callers
; The blacklist is administered over the CLI ("asterisk -r")
; Adding a number to be blocked
; *CLI> database put blacklist 1234 "TEST"
; Removing a number from being blocked
; *CLI> database del blacklist 1234
; Listing current blocks
; *CLI> database show blacklist
exten => PHONENUMBER2,n,GotoIf(${BLACKLIST()}?blacklisted)
; Optional: Don't ring in night time excluding numbers in phonebook
exten => PHONENUMBER2,n,GotoIf($["${CALLERID(name)}" != ""]?ring)
exten => PHONENUMBER2,n,GotoIfTime(23:00-23:59,sun-sat,*,*?noring)
exten => PHONENUMBER2,n,GotoIfTime(00:00-05:00,sun-sat,*,*?noring)
; Optional: Record call
exten => PHONENUMBER2,n(ring),System(mkdir -p "/home/asterisk/calls")
exten => PHONENUMBER2,n,Set(FILENAME=${STRFTIME(${EPOCH},,%Y-%m-%d-%H_%M_%S)}-${EXTEN})
exten => PHONENUMBER2,n,Set(MONITOR_EXEC_ARGS=&& mv "/var/spool/asterisk/monitor/${FILENAME}.wav" "/home/asterisk/calls/")
exten => PHONENUMBER2,n,Monitor(wav,${FILENAME},mb)
; Route the call to local SIP-Phones - ringing (try for 60 seconds)
exten => PHONENUMBER2,n,Set(VOLUME(TX,p)=4)
exten => PHONENUMBER2,n,Dial(SIP/40,60)
; hangup
exten => PHONENUMBER2,n,Hangup
; Default rules. Be careful: unauthenticated (guest) calls land in this context, so you have to
; block all IPs except those of your SIP provider to use this option in a reasonably secure way
[default]
include => incoming
; Only for internal phones
[phones]
include => local
include => 1und1_out
[olbworkphones]
include => local
include => 1und1_olb_out
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/rtp.conf
Changed on 04.03.17: Only a few RTP ports (the firewall has to be opened/forwarded for 5060/udp and these ports/udp). Each media stream takes an even RTP port plus the following odd RTCP port, so 5000-5040 allows roughly 20 concurrent streams.
Before change:
;rtpstart=10000
;rtpend=20000
After change:
rtpstart=5000
rtpend=5040
File permissions:
Owner: asterisk
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/asterisk/sip.conf.old
Changed on 07.09.17: SIP phone and provider settings (superseded chan_sip configuration)
; general settings
[general]
context=default
; listen on all addresses on port 5060; the firewall (fire.sh) has to limit who can reach it
bindaddr=0.0.0.0
bindport=5060
; seems to help in some cases
srvlookup=yes
; Lang
; cd /var/lib/asterisk/sounds/de
; wget -O core.zip https://www.asterisksounds.org/de/download/asterisk-sounds-core-de-sln16.zip
; wget -O extra.zip https://www.asterisksounds.org/de/download/asterisk-sounds-extra-de-sln16.zip
; unzip core.zip
; unzip extra.zip
; chown -R asterisk:asterisk /var/lib/asterisk/sounds/de
; find /var/lib/asterisk/sounds/de -type d -exec chmod 0775 {} \;
; rm core.zip extra.zip
language=de
; NAT
nat=force_rport,comedia
; No NAT for localnet
localnet=my.lan.network.ip/XXX.XXX.XXX.XXX
localnet=XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX
; General Video Support
videosupport=yes
; Be careful: allowguest accepts unauthenticated INVITEs into the [default] context, so you have to
; block all IPs except those of your SIP provider to use this option in a reasonably secure way
allowguest=yes
rtpkeepalive=5
rtptimeout=15
rtpholdtimeout=20
; Codecs
disallow=all
allow=alaw
allow=ulaw
; Provider SIP Account
; registerattempts=0 retries forever; the value 60 that used to be set here was overridden by it anyway
;registerattempts=60
registerattempts=0
trustrpid=yes
sendrpid=yes
register_retry_403=yes
registertimeout=200
register => PHONENUMBER:PASSWORD@SIP-PROVIDER-HOSTNAME/PHONENUMBER
register => PHONENUMBER2:PASSWORD2@SIP-PROVIDER-HOSTNAME/PHONENUMBER2
; outgoing calls
[PHONENUMBER]
type=peer
defaultuser=PHONENUMBER
fromuser=PHONENUMBER
secret=PASSWORD
extension=sipuid
host=SIP-PROVIDER-HOSTNAME
qualify=yes
directmedia=no
dtmfmode=rfc2833
nat=force_rport,comedia
insecure=invite,port
register_retry_403=yes
rtpkeepalive=5
rtptimeout=15
rtpholdtimeout=20
[PHONENUMBER2]
type=peer
defaultuser=PHONENUMBER2
fromuser=PHONENUMBER2
secret=PASSWORD
extension=sipuid
host=SIP-PROVIDER-HOSTNAME
qualify=yes
directmedia=no
dtmfmode=rfc2833
nat=force_rport,comedia
insecure=invite,port
register_retry_403=yes
rtpkeepalive=5
rtptimeout=15
rtpholdtimeout=20
; incoming calls
[1und1_de_in]
type=peer
fromdomain=SIP-PROVIDER-HOSTNAME
allowguest=yes
qualify=yes
insecure=port,invite
context=incoming
nat=force_rport,comedia
rtpkeepalive=5
; local SIP-Phones
[30]
callerid=user1Phone <30>
host=dynamic
domain=my.lan.ip.addr
user=30
secret=PASSWORD
type=friend
language=de
canreinvite=no
context=phones
qualify=yes
rtpkeepalive=5
[31]
callerid=BeckyPhone <31>
host=dynamic
domain=my.lan.ip.addr
user=31
secret=PASSWORD
type=friend
language=de
canreinvite=no
context=phones
qualify=yes
rtpkeepalive=5
[32]
callerid=HomePhone <32>
host=dynamic
domain=my.lan.ip.addr
user=32
secret=PASSWORD
type=friend
language=de
canreinvite=no
context=phones
qualify=yes
rtpkeepalive=5
[33]
callerid=HeidiPhone <33>
host=dynamic
domain=my.lan.ip.addr
user=33
secret=PASSWORD
type=friend
language=de
canreinvite=no
context=phones
qualify=yes
rtpkeepalive=5
[40]
callerid=StationGabosh <40>
host=dynamic
domain=my.lan.ip.addr
user=40
secret=PASSWORD
type=friend
language=de
canreinvite=no
context=olbworkphones
qualify=yes
rtpkeepalive=5
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/asterisk/voicemail.conf
Changed on 07.09.17: Voicemail settings
[general]
format=wav49
serveremail=asterisk
attach=yes
delete=yes
maxsilence=10
maxsecs=300
silencethreshold=128
maxlogins=3
;emaildateformat=%A, %d %B %Y at %H:%M:%S ; superseded by the dd.mm.yyyy format set further down
locale=de_DE.utf8
fromstring=GaboshPBX
emailsubject=Neue Sprachnachricht von ${VM_CALLERID} (Anrufbeantworter)
emailbody=Hallo ${VM_NAME},\n\nEs ist eine neue Sprachnachricht (Nummer ${VM_MSGNUM}) vom Anrufbeantworter eingetroffen.\n\nDatum: ${VM_DATE}\nAnrufer: ${VM_CALLERID}\nDauer: ${VM_DUR} Minuten\n\nDie Nachricht befindet sich im Anhang dieser eMail!
emaildateformat=%d.%m.%Y %H:%M:%S
[zonemessages]
eastern=America/New_York|'vm-received' Q 'digits/at' IMp
central=America/Chicago|'vm-received' Q 'digits/at' IMp
central24=America/Chicago|'vm-received' q 'digits/at' H N 'hours'
military=Zulu|'vm-received' q 'digits/at' H N 'hours' 'phonetic/z_p'
european=Europe/Copenhagen|'vm-received' a d b 'digits/at' HM
[default]
; mailbox => PIN,name,email
; Change the 1234 PINs: a short sequential PIN is the first guess of any voicemail brute-forcer,
; and maxlogins=3 only limits the attempts within one call, not repeated calls.
30 => 1234,user1,mail@example.com
31 => 1234,user2,mail@example.com
40 => 1234,user1,mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/fire.sh
Changed on 07.09.17: Allow incoming SIP connections only from my SIP provider (1und1 calls). The provider rules are shown commented out, so as listed only the LAN chain accepts SIP and RTP.
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/32 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/32 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/32 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/32 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/24 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
iptables -A gabosh-lan -p udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
iptables -A gabosh-lan -p udp --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
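Added example, not taken from the page's fire.sh: a rule generator that turns a list of provider networks and the rtp.conf port range into the iptables lines that fire.sh keeps commented out, validates every CIDR before it is spliced into a command line, and then closes 5060/udp and the RTP range for everybody else so that a disabled provider line cannot leave the ports open to the whole internet. The chain name gabosh-inet is the one fire.sh uses; the addresses, the RTPRANGE value (fire.sh defines it outside the excerpt shown) and the LOG prefix are assumptions.

```shell
#!/bin/sh
# Assumed inputs (not from the page): provider address ranges and the rtp.conf range.
PROVIDER_NETS="203.0.113.0/24 198.51.100.17/32"   # constructed example addresses
RTPRANGE="5000:5040"                               # rtpstart/rtpend from rtp.conf, iptables syntax

# Accept a CIDR only if it is well-formed; anything else would end up inside an iptables command.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rules for one chain: SIP signalling and RTP only from the listed networks,
# then a logged drop for 5060/udp and a drop for the RTP range from any other source.
# $1 = chain, $2 = space-separated CIDR list, $3 = RTP port range
sip_rules() {
    chain=$1; nets=$2; rtp=$3
    for net in $nets; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        printf 'iptables -A %s -p udp -s %s --dport 5060 -m conntrack --ctstate NEW -j ACCEPT\n' "$chain" "$net"
        printf 'iptables -A %s -p udp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$chain" "$net" "$rtp"
    done
    printf 'iptables -A %s -p udp --dport 5060 -j LOG --log-prefix "SIP-drop: "\n' "$chain"
    printf 'iptables -A %s -p udp --dport 5060 -j DROP\n' "$chain"
    printf 'iptables -A %s -p udp --dport %s -j DROP\n' "$chain" "$rtp"
}

# Dry run: print the rule set instead of applying it; pipe it into sh once reviewed.
sip_rules gabosh-inet "$PROVIDER_NETS" "$RTPRANGE"
```

Because the function only prints, it can be diffed against the running table (`iptables -S gabosh-inet`) before anything is applied, and a typo in the provider list fails the whole run rather than producing a partially open chain.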
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add asterisk
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /etc/local.d/01_services.start
Changed on 13.01.09
Start the changedocd daemon at system boot.
#/usr/local/bin/changedocd.pl
File permissions:
Owner: root
Group: apache
Permissions: -rwxr-x---
Click here for a download of the complete file: /usr/local/bin/changedocd.pl
Changed on 27.04.10
This is the daemon that takes the data written by the CGI and changes the comments directly in the config files.
#!/usr/bin/perl
# Daemon start
use Proc::Daemon;
Proc::Daemon::Init;
use Net::SMTP;
while (1) {
$before="";
$after="";
$intro="";
if (-f "/tmp/changedoc") {
open(CHANGE, "</tmp/changedoc");
@change=<CHANGE>;
close(CHANGE);
if ($change[0] =~ /^[0-9]+$/) {
foreach $line (@change) {
chomp ($line);
}
$linenr=$change[0];
$file=$change[1];
$comment=$change[2];
open(FILE, "<$file");
@file=<FILE>;
close(FILE);
$linecount=1;
#print "<br>$linenr<br>";
foreach $line (@file) {
if (($line=~/\|\|\|/) && ($linenr==$linecount)) {
$found=1;
$before=$line;
$line=~s/(.+)\|\|\|.+$/$1|||$comment/;
$after=$line;
}
$linecount++;
}
#print "\n$file";
open(NFILE, ">$file");
print NFILE @file;
close(NFILE);
$mailtxt="Hi,
change in file $file on line $linenr
Before change:
$before
------------------------------------------
After change:
$after
Bye $0
";
$mail_pass=`gtc-crypt -a admin -p`;
chomp($mail_pass);
$smtp = Net::SMTP->new('localhost') || warn ("Could not connect to Mailserver on localhost\n$!");
$smtp->auth('admin', $mail_pass ) || warn ("Could not authenticate to Mailserver\n$!");
$mail_pass="";
$smtp->mail('mail@example.com') || warn ("Could not enter sender address\n$!");
$smtp->to('mail@example.com') || warn ("Could not enter recipient\n$!");
$smtp->data() || warn ("Could not open data channel\n$!");
$smtp->datasend("To: user1\@example.com\n") || warn ("Could not send header\n$!");
$smtp->datasend("Subject: Change in $file\n") || warn ("Could not send header\n$!");
$smtp->datasend("\n") || warn ("Could not send header\n$!");
$smtp->datasend("$mailtxt") || warn ("Could not send body\n$!");
$smtp->dataend() || warn ("Could not close data channel\n$!");
$smtp->quit || warn ("Could not close connection\n$!");
}
else {
$howto=$change[0];
chomp($howto);
$change[0]="";
foreach $line (@change) {
$intro=$intro . $line;
}
$after=$intro;
open(INTRO, "</usr/local/etc/sysdoc/topics");
@intro=<INTRO>;
close(INTRO);
$set=0;
$next=0;
$found=0;
#print "$howto";
foreach $line (@intro) {
if ($next) {
#print "next is set\n";
#print "Line: $line";
if ($line=~/\|\|\|/) {
#print "next becomes false\n";
$next=0;
next;
}
if ($set) {
#print "SET is set\n";
$before="$before$line";
$line="";
next;
}
else {
#print "ELSE\n";
$found=1;
$before=$line;
$line="$intro\n";
#print "Line $line";
$set=1;
}
}
if ($line=~/^\|\|\|$howto\|\|\|/) {
$next=1;
#print "Howto found";
}
}
if ($found) {
open(INTRO, ">/usr/local/etc/sysdoc/topics");
foreach $line (@intro) {
# while ($line =~ /\n$/) {
$line=~s/^\n//;
$line=~s/^\n$//;
# }
print INTRO $line;
}
close(INTRO);
}
$mailtxt="Hi,
change in Howto description for $howto
Before change:
$before
----------------------------
After change:
$after
Bye $0
";
$mail_pass=`gtc-crypt -a admin -p`;
chomp($mail_pass);
$smtp = Net::SMTP->new('localhost') || warn ("Could not connect to Mailserver on localhost\n$!");
$smtp->auth('admin', $mail_pass ) || warn ("Could not authenticate to Mailserver\n$!");
$mail_pass="";
$smtp->mail('mail@example.com') || warn ("Could not enter sender address\n$!");
$smtp->to('mail@example.com') || warn ("Could not enter recipient\n$!");
$smtp->data() || warn ("Could not open data channel\n$!");
$smtp->datasend("To: user1\@example.com\n") || warn ("Could not send header\n$!");
$smtp->datasend("Subject: Change in Howto description\n") || warn ("Could not send header\n$!");
$smtp->datasend("\n") || warn ("Could not send header\n$!");
$smtp->datasend("$mailtxt") || warn ("Could not send body\n$!");
$smtp->dataend() || warn ("Could not close data channel\n$!");
$smtp->quit || warn ("Could not close connection\n$!");
}
system("/usr/local/bin/sysdoc.pl fast");
unlink("/tmp/changedoc");
}
sleep 1;
}
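The daemon above runs as root and takes the file path and line number from /tmp/changedoc, which the CGI (running as the web server user) writes. The only check before the file is rewritten is that the first line is numeric. The following is an added example, not code from the gabosh.net scripts, of the validation a practitioner would put in front of `open(NFILE, ">$file")`: the path must be absolute and canonical, it must be one of the files sysdoc.pl has already published under `$webpath/files`, and the addressed line must carry the `|||` markers the daemon edits. The `$webpath` value, the function names and the sample requests are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not part of changedocd.pl: validate a /tmp/changedoc request
# before the root daemon opens any file.  The three-line format (line number,
# file path, comment) is the one changedoc.pl writes.  The allow-list is the
# set of files sysdoc.pl already published under $webpath/files; the path and
# the function names are assumptions of the example.
use strict;
use warnings;
use File::Spec;

my $webpath = "/var/www/doc.example.com/htdocs";

# Build the allow-list: every file under $webpath/files, keyed by its original
# absolute path (the prefix is stripped the way sysdoc.pl does in "fast" mode).
sub published_files {
    my ($webpath) = @_;
    my %published;
    for my $f (`find "$webpath/files/" -type f`) {
        chomp $f;
        $f =~ s{\A\Q$webpath\E/files}{};
        $published{$f} = 1;
    }
    return \%published;
}

# Check the request lines.  Returns (1, [linenr, file, comment]) when the
# request may be applied, otherwise (0, reason).
sub validate_comment_request {
    my ($lines, $published) = @_;
    return (0, "expected exactly three lines") unless @$lines == 3;
    my ($linenr, $file, $comment) = map { (my $s = $_) =~ s/\r?\n\z//; $s } @$lines;

    return (0, "line number is not a positive integer") unless $linenr =~ /\A[1-9][0-9]*\z/;
    return (0, "NUL byte in path")         if $file =~ /\0/;
    return (0, "path is not absolute")     unless $file =~ m{\A/};
    # canonpath() collapses "//" and "/./" but keeps "..": reject both forms
    # explicitly so that only the literal published path can pass.
    return (0, "path is not canonical")    if $file ne File::Spec->canonpath($file)
                                           || $file =~ m{(?:\A|/)\.\.(?:/|\z)};
    return (0, "file was never published") unless $published->{$file};
    # The comment ends up inside <p class="comment">; the CGI already turned
    # newlines into <br>, so any remaining control character is suspect.
    return (0, "control character in comment") if $comment =~ /[\x00-\x1f\x7f]/;
    return (1, [ $linenr, $file, $comment ]);
}

# The daemon only rewrites the comment field of a marker line.  Refuse when
# the addressed line does not carry the ||| separators.
sub target_line_is_marker {
    my ($filelines, $linenr) = @_;
    return 0 if $linenr > @$filelines;
    return $filelines->[$linenr - 1] =~ /\|\|\|/ ? 1 : 0;
}

unless (caller) {
    # Constructed sample data (not taken from a real system).
    my %published = ( "/etc/apcupsd/apcupsd.conf" => 1 );
    my @filelines = ("UPSNAME usvxgabo\n", "# before|||16.05.18|||root|||UPS|||Optional UPS name\n");
    my @requests = (
        [ "2\n", "/etc/apcupsd/apcupsd.conf\n", "Optional UPS name, shown in apcaccess" ],
        [ "1\n", "/etc/apcupsd/apcupsd.conf\n", "not a marker line" ],
        [ "2\n", "/var/www/doc.example.com/htdocs/files/../../../../etc/passwd\n", "x" ],
        [ "2\n", "/etc/shadow\n", "x" ],
    );
    for my $req (@requests) {
        my ($ok, $res) = validate_comment_request($req, \%published);
        if ($ok && !target_line_is_marker(\@filelines, $res->[0])) {
            ($ok, $res) = (0, "line $res->[0] is not a marker line");
        }
        print $ok ? "accept: $res->[1] line $res->[0]\n" : "reject: $res\n";
    }
}
```

Of the four constructed requests only the first is accepted; the others fail on the marker check, the `..` segment and the allow-list respectively. In the daemon the allow-list would come from `published_files($webpath)` and the marker check from the `@file` array it already reads.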
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/bin/sysdoc.pl
Changed on 27.04.10
This is the script that creates the search-engine-optimized, W3C-validated HTML documentation incl. Google sitemap, meta tags from the headline, robots.txt, complete.html with all docs in one page, ...
#!/usr/bin/perl
# Directory the generated web pages are written to
$webpath="/var/www/doc.example.com/htdocs";
# Imprint / about block:
$impr='<h1>About / Impressum</h1>
<a href="impr.html">Click here for About / Impressum</a>
<h1>Wishlist</h1>
If you want to support my work you can find my Amazon whishlist <a href="http://www.amazon.de/registry/wishlist/308SONKPDDDT2">here</a>
';
# Advertising block (currently empty)
$ad="";
# If "fast" is passed as argument, only re-read the files that were analysed last time.
if ($ARGV[0] eq "fast") {
print "Not searching for new files!!!\n";
# Copies of the files analysed last time live in $webpath/files - sort alphabetically
@files=`find $webpath/files/ -type f | sort`;
# Strip $webpath/files/ from the @files elements so that only the original file names remain.
foreach $f (@files) {
$f=~s/^$webpath\/files//;
}
}
else {
# Without "fast", search these paths - sorted alphabetically:
@files=`find /boot/grub/grub.cfg /etc /var/bind /gtc/test/etc /usr/local/bin /usr/local/sbin /usr/local/etc /var/www/www.example.com/htdocs/intern/phpldapadmin/config /gtc/pxe/pxelinux.cfg /var/www/horde.example.com/htdocs/config /var/www/horde.example.com/htdocs/imp/config /var/www/horde.example.com/htdocs/ingo/config /var/www/horde.example.com/htdocs/kronolith/config /var/www/horde.example.com/htdocs/mnemo/config /var/www/horde.example.com/htdocs/nag/config /var/www/horde.example.com/htdocs/passwd/config /var/www/horde.example.com/htdocs/turba/config /var/www/doc.example.com/cgi-bin /var/www/doc.example.com/htdocs/howto.css /gtc/test/usr/lib64/thunderbird/distribution /gtc/test/usr/lib64/thunderbird/defaults/pref /gtc/test/usr/lib64/firefox/distribution /gtc/test/usr/lib64/firefox/defaults/pref -type f | grep -v 'etc/thinclient/profiles' | sort`;
}
# Data for the meta tags (search engine optimisation)
$metaauthor="Oliver Bohlen";
$metashortdescr="Up-to-date Howto(s) and Documentation(s) for Gentoo Linux.";
# URL under which the site is reached
$url="http://doc.example.com";
$jahr=`date +%Y`;
chomp($jahr);
# License information
$license="
<h1>License</h1>
<p>Copyright (C) 2008-$jahr $metaauthor.</p>
<p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.</p><p>
A copy of the license is included in the section entitled \"<a href=\"/license/fdl.html\">GNU Free Documentation License</a>\".</p>
<h1>Introduction</h1>
<p>This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.</p>
";
# Date for the Google sitemap in its special format (search engine optimisation)
$sitemapdate=`date +\%Y-\%m-\%d`;
chomp($sitemapdate);
# Header for the sitemap
$sitemap='<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
$sitemap.=" <url>
<loc>$url/</loc>
<lastmod>$sitemapdate</lastmod>
<changefreq>monthly</changefreq>
<priority>0.2</priority>
</url>";
# Fetch the creation date
$createdate=`date +\%Y-\%m-\%d`;
chomp($createdate);
# Creation date for the meta tags in W3C date/time format (search engine optimisation)
$metadate=`date +\%Y-\%m-\%dT\%H:\%M:\%S\%:z`;
chomp($metadate);
# Suffix of the title of every page
$htmltitle="for Gentoo Linux";
# Doctype for a clean HTML specification
$doctype='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">';
# Delete the "old" file versions
`rm -rf $webpath/files/*`;
# Walk through the list of configuration files.
foreach $file (@files) {
chomp($file);
# Ignore libpicker.pl
if ($file =~ /libpicker.pl/) { next }
# Only read files whose type is text or XML, i.e. real text files.
# This must be an alternation, not a character class: a class would also accept e.g. "ELF 64-bit LSB executable".
if (`file -b $file` =~ /(?:text|XML|text, with very long lines)\n$/) {
# Reset the line counter to 0 (because of previous iterations)
$linenr=0;
# Open the configuration file and store it line by line in the array @lines
open(CONF, "<$file");
@lines=<CONF>;
close(CONF);
# Initialise the file content variable, clearing any data from a previous iteration.
$filecontent="";
# Flag marking whether this file contains the start of a change (before marker); reset to false because of previous iterations.
$ischangefile=0;
# Walk through the lines of the configuration file.
foreach $line (@lines) {
# Unless the line carries a before marker, filter certain key strings, i.e. replace them with dummy values
unless ($line=~/before\|\|\|.*\|\|\|.*\|\|\|/) {
# Filtering of passwords, phone numbers etc. out of the configuration files. - These filters could be moved to a separate file
#----------- FILTER -----------
$line=~s/dyndns.kontent.com\/ipchange.php\?domain=example.com.*$/URL/g;
$line=~s/PHONENUMBER:PASSWORD/PHONENUMBER:PASSWORD/g;
$line=~s/PHONENUMBER2:PASSWORD2/PHONENUMBER2:PASSWORD2/g;
$line=~s/SIP-PROVIDER-HOSTNAME/SIP-PROVIDER-HOSTNAME/g;
$line=~s/PHONENUMBER/PHONENUMBER/g;
$line=~s/PHONENUMBER2/PHONENUMBER2/g;
$line=~s/DIALPREFIX/DIALPREFIX/g;
$line=~s/PHONENUMBER/PHONENUMBER/g;
$line=~s/PHONENUMBER2/PHONENUMBER2/g;
$line=~s/MOBILEPHONENUMBER/MOBILEPHONENUMBER/g;
$line=~s/secret=PASSWORD
$line=~s/[a-z-]+\@[a-z-\.]+/mail\@example.com/g;
$line=~s/relay.mail.server/relay.mail.server/g;
$line=~s/DeviceURI smb\:\/\/.*$/DeviceURI smb\:\/\/user\:password\@server\/printername/;
# HTML entities for the US-ASCII output; & must be encoded first, otherwise the
# entities produced by the following substitutions would be encoded a second time.
$line=~s/&/&amp;/g;
$line=~s/ä/&auml;/g;
$line=~s/whitelist_from mail@example.com
$line=~s/ö/&ouml;/g;
$line=~s/ü/&uuml;/g;
$line=~s/Ä/&Auml;/g;
$line=~s/Ö/&Ouml;/g;
$line=~s/Ü/&Uuml;/g;
$line=~s/ß/&szlig;/g;
$line=~s/^HOTP.+$/HOTP\/T30\/6 username - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/g;
$line=~s/gabosh\.net/example\.com/g;
$line=~s/dc=example,dc=com/dc=example,dc=com/g;
$line=~s/my.lan.ip.addr/my.lan.ip.addr/g;
$line=~s/my.lan.network.ip/my.lan.network.ip/g;
$line=~s/my.default.route.ip/my.default.route.ip/g;
$line=~s/my.dmz.ip.addr/my.dmz.ip.addr/g;
$line=~s/my.dmz.network.ip/my.dmz.network.ip/g;
$line=~s/conf_passwdkey="12345678901234567890123456789012";
$line=~s/conf_passwdfile="/path/for/passwd/dbfile";
$line=~s/conf_passwddiv='1234567890123456'
$line=~s/wpa_passphrase=secret
$line=~s/\{SSHA\}.*$/\{SSHA\}XXXXXXXXXXXXXXXXXXXXXXXXX/;
$line=~s/^\$key\=\"31894.*/\$key\=\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\"\;/;
$line=~s/psk="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$line=~s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/g;
$line=~s/\/usr\/local\/sbin\/gentoolydyndns.sh/ez-ipupdate -q -a `wget -q -O - http:\/\/getip.dyndns.org | sed -e "s\/^.*: \/\/" -e "s\/<.*\$\/\/"` -S dyndns-custom -h yourhostname.dyndns.org -m yourmailmx.example.com -u dyndnsuser:dyndnspass`/g;
$line=~s/password'] = 'XXXXXXXX'
# Replace IPv4 addresses with XXX.XXX.XXX.XXX, except 0.0.0.0, 127.0.0.1 and addresses followed by another dot (reverse zone names)
unless (($line=~/0\.0\.0\.0/) || ($line=~/127\.0\.0\.1/) || $line=~/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\./) {
$line=~s/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/XXX\.XXX\.XXX\.XXX/g;
}
$line=~s/23\.172/XXX.XXX/g;
$line=~s/1\.1\.10/XXX.XXX.XXX/g;
$line=~s/1\.168\.192/XXX.XXX.XXX/g;
if ($line=~/^[0-9]+\.[0-9]+.*IN.*PTR/) {
$line=~s/^[0-9]+\.[0-9]+/XXX.XXX\t/;
}
if ($line=~/^[0-9]+.*IN.*PTR/) {
$line=~s/^[0-9]+/XXX\t/;
}
if (($file=~/\/var\/bind\/zones\//) && ($line=~/^\;/) && ($line!~/^\; before/) && ($line!~/^\; after/) && ($line!~/^\; \-\-\-\-/)) { $line="" }
$line=~s/..\:..\:..\:..\:..\:../XX\:XX\:XX\:XX\:XX\:XX/g;
$line=~s/username_ppp0='provideruser'
$line=~s/password_ppp0='providerpass'
$line=~s/user1/user1/ig;
$line=~s/user2/user2/ig;
$line=~s/user3/user3/ig;
#----------- FILTER END -----------
}
# Append the filtered line to the file content variable.
$filecontent.=$line;
# Increment the line number
$linenr++;
# Remove the newline (\n) from the line
chomp($line);
# Copy the line for the further checks
$cline=$line;
# If this is an end marker of a change and the doc flag is set (so we really are inside a change), end the documentation output here.
if ((($line =~ /# \----/) || ($line =~ /; \----/) || ($line =~ / \----$/) || ($line =~ /\<!-- END --\>/) || ($line =~ /\%\% \----$/)) && ($doc)) {
# HTML code closing the change display.
$topics{$topic}.="</pre>\n <br>\n";
# From here on nothing needs to be documented, since the end of the change has been reached.
$doc=0;
# Continue with the next line...
next;
}
# If we are inside a documented region, i.e. after the before line, then...
if ($doc) {
# ... and if the line contains "after" with nothing following it ...
if ($line =~ / after$/) {
# ... and if an existing line was changed (a "Before change" block was opened) ...
if ($noprintafterchange) {
# ... then insert the after-change heading into the documentation
$topics{$topic}.="</pre>\n After change<pre class=\"after\">\n";
}
else {
# otherwise open the after block without the heading (a line was added, nothing was replaced)
$topics{$topic}.=" <pre class=\"after\">\n";
}
# Set the flag that the after line has been passed - from now on we see the changed state, not the old one.
$nachher=1;
# Continue with the next line...
next;
}
# So this is the region between before and ----, but not the after line
# A few HTML-conforming adjustments for special characters
$line =~ s/</&lt;/g;
$line =~ s/>/&gt;/g;
# For content between before and after, remove the additional comment characters at the start of the line.
unless ($nachher) {
$line=~s/^# //;
$line=~s/^; //;
}
# Add the line to the documentation of this topic
$topics{$topic}.="$line\n";
# Continue with the next line....
next;
}
# If the line contains echo<SOMETHING>before, it is not a marker line; continue with the next line
if ( $cline =~ /echo.*before/ ) {
# $topics{$topic}.="$line\n";
next;
}
# If this is a before line.
if ( $cline =~ / before\|\|\|/) {
# Mark the file as changed.
$ischangefile=1;
# Mark that the after line has not been passed yet.
$nachher=0;
# Split the line at the ||| separators
@line=split(/\|\|\|/, $cline);
# Take the date of this change from the split.
$date=$line[1];
# Remove any blanks from the date
$date=~s/[ ]+//g;
# Remove a leading #, <!-- or ; if present
$date=~s/^(?:#|<!--|;)//;
# Person who made this change, from the split.
$editor=$line[2];
# Topic this change belongs to, from the split.
$topic=$line[3];
# Comment on this change, from the split.
$comment=$line[4];
# If topic is not set, use "not defined"
$topic="not defined" unless $topic;
# Concatenate file and topic in order to ...
$filetopic=$file . $topic;
# ... check whether there already was a change for this topic in this file, so that the file details are not listed more than once per topic
if ($oldfiletopic ne $filetopic) {
# ... determine the data about the file and add it to the documentation as HTML
# Get owner, group and permissions of the file
$rights=`ls -ld $file`;
@rights=split(/ /, $rights);
# Create the header with the file information and the link to the complete file
$topics{$topic}.=" <h2><a class=\"h2link\" name=\"$file-$topic\">Changes in $file</a></h2>
<p><i>File permissions:</i> <br>
<b>Owner</b>: $rights[2]<br>
<b>Group</b>: $rights[3]<br>
<b>Permissions</b>: $rights[0]<br>
</p>
<p><a download href=\"http://doc.example.com/files$file\">Click here for a download of the complete file: $file</a></p>\n";
# Create an entry for the file index on the start page
$index .= " <a href=\"#$file-$topic\">$file ($topic)</a><br>\n";
# For search engine optimisation the HTML file of a topic should be named after the topic itself, so the topic name is taken over with a few restrictions (special characters in file names are awkward in international browsers)
$topic_file=$topic;
# Convert all non-Latin-alphanumeric characters to _
$topic_file=~s/[^a-zA-Z0-9]/_/g;
# Collapse runs of _ into a single _
$topic_file=~s/_+/_/g;
# HTML markup for direct links from the start page (index.html) to the file in the corresponding documentation/howto
$pindex .= " <a href=\"http://doc.example.com/howto_$topic_file.html#$file-$topic\">$file ($topic)</a><br>\n";
}
# HTML code with information about the change.
$topics{$topic}.=" <i class=\"small\">Changed on $date</i><br>
<i class=\"small\">Issued by $editor</i><br>
<i class=\"small\">Beginning line $linenr</i><br>
<!-- $file|||$linenr --><p class=\"comment\">$comment</p>\n";
# By default assume this is not a change of an existing line
$noprintafterchange=0;
# If the next line is the after line, a line was added rather than an existing line changed; otherwise ...
unless ($lines[$linenr] =~ /after$/) {
# ... insert the "Before change" heading to output the line(s) that were changed.
$topics{$topic}.=" <br>Before change<pre class=\"before\">\n";
# ... and set the flag that an existing line was changed.
$noprintafterchange=1;
}
# Set oldfiletopic for the comparison with the next change
$oldfiletopic=$file . $topic;
# Mark that the documentation of the change begins here
$doc=1;
}
}
if ($ischangefile) {
print "$file\n";
$path=$file;
@pathparts=split(/\//, $path);
pop(@pathparts);
$path="";
foreach $pathpart (@pathparts) {
$path.="/$pathpart";
}
$path=~s/^\/\//\//;
`mkdir -p $webpath/files$path`;
open(FILE, ">$webpath/files$file") || warn "Could not open file $webpath/files$file";
print FILE $filecontent;
close(FILE);
}
}
}
$topics=" <h1><a class=h1link name=howtos>Howto listing</a></h1>\n";
$itopics=" <h1><a class=h1link name=howtos>Howto listing</a></h1>\n";
#`rm -rf $webpath/howto_*`;
foreach $topic (sort keys %topics) {
$content .= " <h1><a class=\"h1link\" name=\"t-$topic\">$topic</a></h1>\n";
$metakeywords.="$topic, ";
$tfile="$doctype
<html>
<head>
<title>Howto: $topic $htmltitle</title>
<meta name=\"description\" content=\"$topic - $metashortdescr\">
<meta name=\"date\" content=\"$metadate\">
<meta name=\"author\" content=\"$metaauthor\">
<meta name=\"keywords\" content=\"$topic, howto, documentation, gentoo, linux, up to date, up-to-date, new\">
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\">
<meta name=\"robots\" content=\"all\">
<meta http-equiv=\"expires\" content=\"0\">
<link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
</head>
<body><div class=\"frame\">
$ad
$license
<h1>Howto: $topic $htmltitle</h1>\n ";
open (TOPICSFILE, "</usr/local/etc/sysdoc/topics");
@topicsfile=<TOPICSFILE>;
close(TOPICSFILE);
$topicfile_desc=0;
$topicdesc="";
$topicfile_deps="";
$topicfile_hw="";
$topicfile_sw="";
$topicfile_service="";
$topicfile_topic="";
if ($topic =~ /^Thinclient - /) {
$prefix="chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && ";
$end="'";
}
else {
$prefix="";
$end="";
}
foreach $topicsfileline (@topicsfile) {
if ($topicsfileline =~ /^\#/) { next }
if ($topicsfileline =~ /^\|\|\|$topic/) {
chomp($topicsfileline);
@topicsfileline=split(/\|\|\|/, $topicsfileline);
$topicfile_topic = $topicsfileline[1];
$topicfile_deps = $topicsfileline[2];
$topicfile_sw = $topicsfileline[3];
$topicfile_service = $topicsfileline[4];
$topicfile_hw = $topicsfileline[5];
$topicfile_desc=1;
$topicsfileline="";
next;
}
if ($topicfile_desc) {
if ($topicsfileline =~ /^\|\|\|/) {
last;
}
$topicsfileline=~s/\n/\<br\>/g;
$topicdesc.=$topicsfileline;
}
}
$content .= $topicdesc;
$topicdesc=~s/\n/<br>/g;
$tfile .= "<!-- $topic --><p class=\"intro\">$topicdesc</p>\n";
if ($topicfile_deps) {
$content .= " <p>If you want to use this solution you need the following howto(s) finished:</p>\n <ul>";
$tfile .= " <p>If you want to use this solution you need the following howto(s) finished:</p>\n <ul>";
@needtopics=split(/\,/, $topicfile_deps);
foreach $topicdep (@needtopics) {
$content .= " <li><a href=\"#t-$topicdep\">$topicdep</a></li>\n";
$tfile .= " <li><a href=\"index.html#howtos\">$topicdep</a></li>\n";
}
$content .= " </ul>";
$tfile .= " </ul>";
}
if ($topicfile_hw) {
$content .= "<h2>Required hardware</h2>
For this topic you need the following hardware: $topicfile_hw";
$tfile .= "<h2>Required hardware</h2>
For this topic you need the following hardware: $topicfile_hw";
}
if ($topicfile_sw) {
$content .= "<h2>Required software</h2>
The required software has to be installed with the following command(s):<pre>";
$tfile .= "<h2>Required software</h2>
The required software has to be installed with the following command(s):<pre>";
@needsw=split(/ /, $topicfile_sw);
foreach $swdep (@needsw) {
$content .= $prefix."emerge $swdep"."$end\n";
$tfile .= $prefix."emerge $swdep"."$end\n";
}
$content .= "</pre>";
$tfile .= "</pre>";
}
$content .= $ad;
$content .= $topics{$topic};
$tfile .= $topics{$topic};
if ($topicfile_service) {
$content .= "<h2>Setting up services</h2>\n<p>For starting the new service after system reboot you should add it to a runlevel with the following command(s):</p>\n <pre>";
$tfile .= "<h2>Setting up services</h2>\n<p>For starting the new service after system reboot you should add it to a runlevel with the following command(s):</p>\n <pre>";
@needservice=split(/ /, $topicfile_service);
$runlevel="";
foreach $service (@needservice) {
$runlevel=`$prefix rc-update show | grep " $service |"$end`;
chomp($runlevel);
# Strip everything up to and including the "|" of the "service | runlevel" output
$runlevel=~s/^.*\|//;
$runlevel=~s/$service//g;
$runlevel=~s/ //g;
$content .= $prefix."rc-update add $service $runlevel"."$end\n";
$tfile .= $prefix."rc-update add $service $runlevel"."$end\n";
}
$content .= "</pre>";
$tfile .= "</pre>";
}
$topics .= " <a href=\"#t-$topic\">$topic</a><br>\n";
$itopic=$topic;
$itopic=~s/[^a-zA-Z0-9]/_/g;
$itopic=~s/_+/_/g;
$itopics .= " <a href=\"howto_$itopic.html\">$topic</a><br>\n";
$content .= " <p>
Please send a feedback to: <b>doc<at>example.com</b></p>
<a href=\"#howtos\">Howto listing</a><br>
<a href=\"#Index\">File Index</a>\n";
$tfile .= " $ad
<p>
Please send a feedback to: <b>doc<at>example.com</b></p>
<a href=\"index.html#howtos\">Howto listing</a><br>
<a href=\"index.html#Index\">File Index</a><br><br>
<p><a href=\"http://forums.gentoo.org\">Here</a> you can find the official Gentoo Linux Forums where you can find a lot of answers.</p>
<p><a href=\"http://www.gentoo.org\">Here</a> a link to the official Gentoo Linux Homepage.</p>
<p><a href=\"https://doc.example.com/edit/howto_$itopic.html\">Edit Howto</a></p>
$impr
</div>
</body>
</html>";
$tfilename=$topic;
$tfilename=~s/[^a-zA-Z0-9]/_/g;
$tfilename=~s/_+/_/g;
$tfilename .= ".html";
$oldtfile="";
open(OLDTFILE, "<$webpath/howto_$tfilename");
@oldtfile=<OLDTFILE>;
close(OLDTFILE);
foreach $line (@oldtfile) {
$oldtfile.=$line;
}
$newtfile=$tfile;
$oldtfile=~s/meta name=\"date\" content=.*\"\>//;
$newtfile=~s/meta name=\"date\" content=.*\"\>//;
open(TMP, ">/tmp/t1");
print TMP $oldtfile;
close(TMP);
open(TMP, ">/tmp/t2");
print TMP $newtfile;
close(TMP);
$diff=system("diff /tmp/t1 /tmp/t2");
if ($diff) {
print "Updating $webpath/howto_$tfilename\n";
open(TFILE, ">$webpath/howto_$tfilename");
print TFILE $tfile;
close(TFILE);
}
push(@tfilelist,"howto_$tfilename");
$sitemap.="\n <url>
<loc>$url/howto_$tfilename</loc>
<lastmod>$sitemapdate</lastmod>
<changefreq>monthly</changefreq>
<priority>0.7</priority>
</url>";
}
@oldtfilelist=`ls $webpath/howto_*`;
foreach $checkoldfile (@oldtfilelist) {
chomp($checkoldfile);
$newtfile=0;
$createdtfile="";
foreach $createdtfile (@tfilelist) {
$createdtfiletest="$webpath/$createdtfile";
if ($checkoldfile eq $createdtfiletest) { $newtfile=1 }
}
unless ($newtfile) {
print "Deleting $checkoldfile\n";
`rm $checkoldfile`;
}
}
$html="$doctype
<html>
<head>
<title>Howtos $htmltitle</title>
<meta name=\"description\" content=\"$metashortdescr\">
<meta name=\"date\" content=\"$metadate\">
<meta name=\"author\" content=\"$metaauthor\">
<meta name=\"keywords\" content=\"gentoo, howto, documentation, linux, traffic, shaping, firewall, ldap, thin, up-to-date, up to date, new\">
<meta name=\"robots\" content=\"all\">
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\">
<meta http-equiv=\"expires\" content=\"0\">
<link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
</head>
<body><div class=\"frame\">
<h1>Howtos $htmltitle (latest version created: $createdate)</h1>
<p>$metashortdescr</p>
<p>The special thing of this is that the Documentation generates automatically from my running system, so it is <b>every time up to date</b>.<br>Further this Howto is build <b>modular</b>. The Howtos are sorted in alphabetical order. Every topic has its dependencies. For example: You have to finish Webserver Howto for building webbased statistics.</p>
<p>I hope to give something back to the community with this document.</p>
<p>Please enjoy and send any ideas, wishes or advancements to: <b>doc<at>example.com</b>";
$hindex=$html;
$clicense="
<h1>License</h1>
<p>Copyright (C) 2008-$jahr $metaauthor.</p>
<p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.</p><p>
A copy of the license is included in the section entitled \"<a href=\"#FDL\">GNU Free Documentation License</a>\".</p>
<h1>Introduction</h1>
<p>This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.</p>
";
$html.=$clicense;
$html.=$topics;
$hindex.=$license;
$hindex.=$ad;
$hindex.="<h1>All in one page</h1>
<a href=complete.html>Here</a> you can find the complete documentation in one page<br>
$itopics";
$hindex.=$ad;
$html.=$content;
$html.=" <h1><a class=h1link name=Index>File Index</a></h1>" . $index . "\n";
open(LICENSE, "</usr/local/etc/sysdoc/license");
@license = <LICENSE>;
close(LICENSE);
$html .= "<h1><a class=h1link name=FDL>GNU Free Documentation License</a></h1>
@license";
$hindex .= "<h1><a class=h1link name=Index>File Index</a></h1>$pindex\n";
$html .= " </div></body>\n</html>";
$hindex .= "$impr\n</div></body>\n</html>";
open(DOC, ">$webpath/complete.html");
print DOC $html;
close(DOC);
$sitemap.="\n <url>
<loc>$url/complete.html</loc>
<lastmod>$sitemapdate</lastmod>
<changefreq>weekly</changefreq>
<priority>0.1</priority>
</url>
</urlset>\n";
$oldifile="";
open(OLDIFILE, "<$webpath/index.html");
@oldifile=<OLDIFILE>;
close(OLDIFILE);
foreach $line (@oldifile) {
$oldifile.=$line;
}
$newifile=$hindex;
$oldifile=~s/meta name=\"date\" content=.*\"\>//;
$newifile=~s/meta name=\"date\" content=.*\"\>//;
$oldifile=~s/created\:.*\>//;
$newifile=~s/created\:.*\>//;
open(TMP, ">/tmp/1");
print TMP $oldifile;
close(TMP);
open(TMP, ">/tmp/2");
print TMP $newifile;
close(TMP);
$diff=system("diff /tmp/1 /tmp/2");
if ($diff) {
print "Updating $webpath/index.html\n";
open(IFILE, ">$webpath/index.html");
print IFILE $hindex;
close(IFILE);
}
`mkdir -p $webpath/license`;
open(LICENSE, ">$webpath/license/fdl.html");
print LICENSE "<html><head><title>FDL-License for example.com</title></head><body>@license</body></html>";
open(SITEMAP, ">$webpath/sitemap.xml");
print SITEMAP $sitemap;
close(SITEMAP);
# Create Editor
#system "/usr/local/bin/mkeditdoc.pl";
`rm $webpath/../edit/*`;
$howtodir=$webpath;
@howtos=`cd $howtodir; ls howto_*.html`;
foreach $howto (@howtos) {
print $howto;
chomp($howto);
open(HOWTO, "<$howtodir/$howto") || die "Failed to open $howtodir/$howto";
@howto=<HOWTO>;
close(HOWTO);
open(EHOWTO, ">$howtodir/../edit/$howto");
foreach $howtoline (@howto) {
if (($howtoline=~/<p class="comment"/) || ($howtoline=~/<p class="intro"/)) {
if ($howtoline=~/-- .+ --./) {
$target=$howtoline;
@target=split(/--/, $howtoline);
$target=$target[1];
$target=~s/^ +//;
$target=~s/ +$//;
}
$howtoline=~s/<br>/\n/g;
$howtoline=~s/<p class=\"comment\">/<form action=\"\/cgi-bin\/changedoc.pl\" method=\"POST\"><textarea name=\"comment\" cols=\"115\" rows=\"25\">/;
$howtoline=~s/<p class=\"intro\">/<form action=\"\/cgi-bin\/changedoc.pl\" method=\"POST\"><textarea name=\"intro\" cols=\"115\" rows=\"25\">/;
if ($howtoline=~/textarea name="comment"/) {
$howtoline=~s/<\/p>$/<\/textarea><input type="hidden" name="file" value="$target"><input type="submit" value="Submit"><\/form>/;
}
elsif ($howtoline=~/textarea name="intro"/) {
$howtoline=~s/<\/p>$/<\/textarea><input type="hidden" name="howto" value="$target"><input type="submit" value="Submit"><\/form>/;
}
else {$howtoline=~s/<\/p>$/<\/textarea>/ }
print EHOWTO $howtoline;
}
else {
print EHOWTO $howtoline;
}
}
close(EHOWTO);
}
`rsync -av --delete "$webpath"/ wlan-unten:/data/www/doc.example.com/htdocs/`;
unlink("/tmp/t1");
unlink("/tmp/t2");
unlink("/tmp/1");
unlink("/tmp/2");
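The filter block in sysdoc.pl is applied to every documented file, including the generator's own source, which is why the published copy above shows its own patterns rewritten (`s/PHONENUMBER/PHONENUMBER/g`) and several substitution lines cut short. The following is an added example, not code from the gabosh.net scripts, of the table-driven variant the comment above the filter block suggests: the rules live in a file outside the documented paths, the generator skips its own source and the rule file, and the generic redactions (IPv4, MAC, `{SSHA}` hashes) keep the exceptions sysdoc.pl makes for marker lines and for 0.0.0.0 / 127.0.0.1. The rule file path, the function names and the sample lines are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not part of sysdoc.pl: table-driven redaction with the rules
# kept outside the published tree.  Assumed layout: one "pattern<TAB>replacement"
# rule per line in /usr/local/etc/sysdoc/filters, a path that is not in the
# generator's documented path list.
use strict;
use warnings;

# Read the rule file.  Lines starting with '#' and blank lines are ignored.
sub load_filters {
    my ($path) = @_;
    my @rules;
    open my $fh, '<', $path or die "cannot read $path: $!";
    while (my $l = <$fh>) {
        chomp $l;
        next if $l =~ /\A\s*(?:#|\z)/;
        my ($pat, $rep) = split /\t/, $l, 2;
        $rep = 'XXXXXXXX' unless defined $rep;
        push @rules, [ qr/$pat/, $rep ];
    }
    close $fh;
    return \@rules;
}

# Files the generator must never filter: the rule file and its own source,
# otherwise the published copies contain the redaction patterns themselves.
sub skip_file {
    my ($file, $rulefile) = @_;
    return $file eq $rulefile || $file eq $0 || $file =~ m{/sysdoc\.pl\z};
}

# Redact one line.  Marker lines ("before|||date|||editor|||topic|||comment")
# are left untouched so the change markup survives, as sysdoc.pl does.
sub redact_line {
    my ($line, $rules) = @_;
    return $line if $line =~ /before\|\|\|.*\|\|\|.*\|\|\|/;
    for my $r (@$rules) {
        my ($re, $rep) = @$r;
        $line =~ s/$re/$rep/g;
    }
    # IPv4 addresses, except the wildcard and loopback addresses, which reveal
    # nothing about the network.
    $line =~ s/\b(\d{1,3}(?:\.\d{1,3}){3})\b/
        ($1 eq '0.0.0.0' || $1 eq '127.0.0.1') ? $1 : 'XXX.XXX.XXX.XXX'/gex;
    # MAC addresses.
    $line =~ s/\b(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b/XX:XX:XX:XX:XX:XX/g;
    # Salted SHA password hashes as stored by OpenLDAP or Dovecot.
    $line =~ s/\{SSHA\}\S+/{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX/g;
    return $line;
}

# Redact a whole file's lines; returns a reference to the new list.
sub redact_lines {
    my ($lines, $rules) = @_;
    return [ map { redact_line($_, $rules) } @$lines ];
}

unless (caller) {
    # Constructed sample rules and input (not taken from a real system).
    my $rulefile = "/tmp/sysdoc-filters.$$";
    open my $fh, '>', $rulefile or die $!;
    print $fh "# pattern<TAB>replacement\n";
    print $fh "secret=\\S+\tsecret=PASSWORD\n";
    print $fh "wpa_passphrase=.*\twpa_passphrase=secret\n";
    print $fh "[a-z0-9.-]+\@[a-z0-9.-]+\\.[a-z]{2,}\tmail\@example.com\n";
    close $fh;
    my $rules = load_filters($rulefile);
    unlink $rulefile;

    my @input = (
        "# before|||07.09.17|||root|||Asterisk|||SIP account of the provider\n",
        "secret=Tr0ub4dor&3\n",
        "host=sip.provider.invalid ; contact admin\@example.org\n",
        "bindaddr=0.0.0.0 ; listen on 192.168.1.10, MAC 00:11:22:33:44:55\n",
        "userPassword: {SSHA}dGhpcyBpcyBub3QgYSByZWFsIGhhc2g=\n",
    );
    print for @{ redact_lines(\@input, $rules) };
}
```

Because the rules are data rather than Perl source, the rule file can be given mode 0600 and left out of the `find` list, so neither the patterns nor the values they protect ever reach `$webpath/files`. Since the two generic exceptions (marker lines, 0.0.0.0 and 127.0.0.1) are the ones sysdoc.pl also makes, the output of the example is in the same shape as the published configuration copies.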
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /var/www/doc.gabosh.net/cgi-bin/changedoc.pl
Changed on 27.04.10
This is the CGI script for editing the documentation
#!/usr/bin/perl
# Get the Data
read(STDIN, $line, $ENV{'CONTENT_LENGTH'});
@post = split(/&/, $line);
# Header for HTML output
print "Content-type:text/html\n\n";
$back=5;
if (-e "/tmp/changedoc") {
$text="Working...</div></body></html>";
$exit=1;
}
# The Referer header is sent by the client and can be forged; this check only
# rejects submissions that did not come from the edit pages. Access control
# rests on the web server's authentication (AUTHENTICATE_UID below).
elsif ($ENV{HTTP_REFERER} !~ /https:\/\/doc\.gabosh\.net\/edit\/howto_/ ) {
$text="</div></body></html>";
$exit=1;
$back="0;http://doc.example.com";
}
print "<html>
<head>
<title>Data submitted</title>
<meta http-equiv=\"refresh\" content=\"$back\">
<link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
</head>
<body><div class=\"frame\"><h1>
$text
";
if ($exit) {
exit 0;
}
print "Hi $ENV{AUTHENTICATE_UID}, Working... Please wait...";
foreach $post (@post) {
# Make + to Space
$post=~s/\+/ /g;
# Make Hex-Strings to ASCII
$post=~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
if ($post=~/^intro\=/) {
$intro=1;
}
if ($post=~/^comment\=/) {
$comment=1;
}
}
if ($intro) {
$intro=$post[0];
$howto=$post[1];
$howto=~s/^howto\=//;
$intro=~s/^intro\=//;
$intro=~s/\r\n/\n/g;
open(FILE, ">/tmp/changedoc");
print FILE "$howto\n";
print FILE "$intro\n";
close(FILE);
}
if ($comment) {
$comment=$post[0];
$fileline=$post[1];
$fileline=~s/^file\=//;
@fileline=split(/\|\|\|/, $fileline);
$file=$fileline[0];
$linenr=$fileline[1];
$comment=~s/^comment\=//;
$comment=~s/[\r]//g;
$comment=~s/[\n]/<br>/g;
chomp($comment);
open(FILE, ">/tmp/changedoc");
print FILE "$linenr\n";
print FILE "$file\n";
print FILE "$comment";
close(FILE);
}
print "</div></body></html>\n";
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /var/www/doc.gabosh.net/htdocs/howto.css
Changed on 27.04.10
The Cascading Style Sheet for the design of the sysdoc HTML output
*/
body {
background-color:#dddaec;
font-family: sans-serif, Verdana, Arial, Helvetica;
font-size:small;
color:#000000;
}
h1 {
background-color:#7a5ada;
color:#ffffff;
padding-left:2px;
font-size:large;
}
h2 {
background-color:#dddaec;
padding-left:2px;
font-size:medium;
}
.h1link {
color:#ffffff;
text-decoration:none;
}
.h1link:visited {
color:#ffffff;
text-decoration:none;
}
.h1link:active {
color:#ffffff;
text-decoration:none;
}
.h1link:hover {
color:#ffffff;
text-decoration:underline;
}
.h2link:hover {
color:#000000;
text-decoration:none;
}
a:link {
color:#7a5ada;
text-decoration:none;
}
a:visited {
color:#7a5ada;
text-decoration:none;
}
a:active {
color:#7a5ada;
text-decoration:none;
}
a:hover {
color:#7a5ada;
text-decoration:underline;
}
.frame {
width:950px;
background-color:white;
padding:10px;
}
.before {
background-color:#FF8080;
}
.after {
background-color:#80FF80;
}
.small {
font-size:smaller;
}
pre {
overflow:visible;
background-color:#FFFF80;
font-size:larger;
}
Please send a feedback to: doc<at>gabosh.net
Switch to the hardened profile and rebuild the affected packages:
rm /etc/make.profile && ln -s /usr/portage/profiles/hardened/x86 /etc/make.profile && emerge -uDvN world
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/crontab
Changed on 15.11.10
Run the backup daily at 2:15 am and mail the output (if there is any) to user1
15 2 * * * root /usr/local/sbin/backup.sh 2>&1 | cat -vT | ifne mail -s "Daily Backup `date`" user1
Rebuild all installed packages and install the base tools:
emerge -e world
emerge sys-process/vixie-cron
emerge app-admin/rsyslog
emerge sys-process/at
emerge app-admin/logrotate
emerge net-misc/whois
emerge net-analyzer/nmap
emerge net-misc/netkit-telnetd
emerge app-editors/vim
emerge media-video/mplayer
emerge sys-apps/rename
emerge media-sound/id3v2
emerge dev-perl/MP3-Tag
emerge media-libs/exiftool
emerge media-sound/vorbis-tools
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Complete file: /boot/grub/grub.cfg
Changed on 08.09.08
The GRUB bootloader configuration
set timeout=30
set default=0
menuentry 'Newest Kernel' {
set root='(hd0,msdos1)'
echo 'Loading kernel...'
linux /kernel root=/dev/sda2 rootfstype=ext4 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0 rt2800usb.nohwcrypt=1 cfg80211.ieee80211_regdom=DE
}
menuentry 'Last Kernel' {
set root='(hd0,msdos1)'
echo 'Loading kernel...'
linux /runningkernel root=/dev/sda2 rootfstype=ext4 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0 rt2800usb.nohwcrypt=1 cfg80211.ieee80211_regdom=DE
}
menuentry 'RAM Test' {
set root='(hd0,msdos1)'
linux16 /memtest86plus/memtest.bin
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/consolefont
Changed on 06.09.08
consolefont specifies the default font that you'd like Linux to use on the console
#consolefont="default8x16"
After change:
consolefont="lat9w-16"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/dhcpd-vnet0
Changed on 28.03.20
Virtual networking DHCP
DHCPD_CONF="/etc/dhcp/dhcpd-vnet0.conf"
DHCPD_IFACE="vnet0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/keymaps
Changed on 06.09.08
This setting specifies the default console keymap
keymap="us"
After change:
keymap="de-latin1"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/local
Changed on 17.05.18
Allow console input/output in local services
rc_verbose=yes
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/net
Changed on 06.09.08
Network interface settings
#config_eth1="XXX.XXX.XXX.XXX/24"
#routes_eth1="default via XXX.XXX.XXX.XXX"
config_eth0="my.lan.ip.addr/16 fd23::200/64"
dns_servers_eth0="XXX.XXX.XXX.XXX"
dns_search_eth0="example.com"
#dns_domain_eth0="example.com"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/net
Changed on 28.03.20
Virtual networking bridge
bridge_vnet0=""
config_vnet0="XXX.XXX.XXX.XXX/24"
bridge_forward_delay_vnet0=0
bridge_hello_time_vnet0=1000
enable_ipv6_vnet0="false"
dad_timeout_vnet0=0
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/net.bak
Changed on 06.09.08
Network interface settings
#config_eth1="XXX.XXX.XXX.XXX/24"
#routes_eth1="default via XXX.XXX.XXX.XXX"
config_tap0="XXX.XXX.XXX.XXX/16"
mac_tap0="XX:XX:XX:XX:XX:XX"
rc_net_tap0_provide="!net"
config_eth0="my.lan.ip.addr/16"
dns_servers_eth0="127.0.0.1"
dns_search_eth0="example.com dmz"
dns_domain_eth0="example.com"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/net.bak
Changed on 13.10.15
Optional Internet connection via PPPoE (rp-pppoe). Note that password_ppp0 stores the provider password in this file, which is world-readable (-rw-r--r--) according to the permissions above.
config_eth1="XXX.XXX.XXX.XXX/24"
config_ppp0="ppp"
link_ppp0="eth1"
plugins_ppp0="pppoe"
username_ppp0='provideruser'
password_ppp0='providerpass'
pppd_ppp0="
noauth
defaultroute
persist
holdoff 10
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
maxfail 0
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.eth1"
#modules_wlan0="wpa_supplicant"
#config_wlan0="XXX.XXX.XXX.XXX/24"
#rc_net_wlan0_provide="!net"
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Complete file: /etc/cron.daily/clearat.sh
Changed on 17.08.09
Delete at spool files older than two weeks
#!/bin/bash
# -type f keeps find from trying (and failing) to rm the spool directory itself
find /var/spool/at/atspool -type f -ctime +14 -exec rm {} \;
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/default/btrfsmaintenance
Changed on 08.01.19
Auto-detect btrfs volumes
BTRFS_BALANCE_MOUNTPOINTS="/"
After change:
BTRFS_BALANCE_MOUNTPOINTS="auto"
Auto-detect btrfs volumes
BTRFS_SCRUB_MOUNTPOINTS="/"
After change:
BTRFS_SCRUB_MOUNTPOINTS="auto"
Auto-detect btrfs volumes
BTRFS_TRIM_MOUNTPOINTS="/"
After change:
BTRFS_TRIM_MOUNTPOINTS="auto"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/dhcp/dhcpd-vnet0.conf
Changed on 28.03.20
Virtual networking DHCP
option domain-name "vnet0";
default-lease-time 600;
max-lease-time 7200;
option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers XXX.XXX.XXX.XXX;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX {
range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}
next-server XXX.XXX.XXX.XXX;
option architecture-type code 93 = unsigned integer 16;
if option architecture-type = 00:09 {
filename "bootx64.efi";
} elsif option architecture-type = 00:07 {
filename "bootx64.efi";
} else {
filename "pxelinux.0";
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/fstab
Changed on 06.09.08
List of local filesystems and mount options which are required for system boot or other mount operations.
/dev/BOOT /boot ext2 noauto,noatime 1 2
/dev/ROOT / ext3 noatime 0 1
/dev/SWAP none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
After change:
/dev/sda1 /boot ext4 noatime,noexec,acl,nosuid,discard,nofail 1 2
/dev/sda2 / ext4 noatime,acl,discard,nofail 0 1
/dev/sda3 /var ext4 noatime,acl,discard,nofail 0 1
/dev/sda5 /var/log ext4 noatime,acl,noexec,nosuid,discard,nofail 0 1
## RAM FSs
# Maximum total memory
none /dev/shm tmpfs defaults,size=25G 0 0
# Individual parts
tmpfs /tmp tmpfs nodev,nosuid,size=2G,noatime 0 0
tmpfs /var/tmp tmpfs nodev,nosuid,size=20G,noatime 0 0
tmpfs /var/spool/asterisk/monitor tmpfs nodev,nosuid,size=2G,uid=asterisk,mode=0750,noatime 0 0
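The fstab above applies noexec/nosuid to /boot and /var/log and nodev/nosuid to the tmpfs mounts, but not uniformly. The following audit script is an added example, not part of this sysdoc or the author's scripts: it reads fstab text on stdin and reports, for the mount points listed in POLICY, which of nodev, nosuid and noexec are absent. The POLICY list is this example's own assumption about what those mount points should carry; the sample input is the "after change" fstab shown above.

```shell
#!/bin/sh
# Added example: audit mount options in an fstab against a hardening policy.
# Not part of the sysdoc page; POLICY is this example's assumption.

# Constructed input: the "after change" fstab shown above.
FSTAB_SAMPLE='/dev/sda1 /boot ext4 noatime,noexec,acl,nosuid,discard,nofail 1 2
/dev/sda2 / ext4 noatime,acl,discard,nofail 0 1
/dev/sda3 /var ext4 noatime,acl,discard,nofail 0 1
/dev/sda5 /var/log ext4 noatime,acl,noexec,nosuid,discard,nofail 0 1
## RAM FSs
none /dev/shm tmpfs defaults,size=25G 0 0
tmpfs /tmp tmpfs nodev,nosuid,size=2G,noatime 0 0
tmpfs /var/tmp tmpfs nodev,nosuid,size=20G,noatime 0 0'

# Mount points that should carry no device nodes, setuid binaries or executables.
POLICY='/boot nodev,nosuid,noexec
/var/log nodev,nosuid,noexec
/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec'

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated option list OPTS
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# fstab_audit: read fstab text on stdin and print "MOUNTPOINT missing OPT[,OPT]"
# for every policy entry whose option list is incomplete, or "MOUNTPOINT not in
# fstab" when no line mounts it. Prints nothing when everything is in place.
fstab_audit() {
  fstab=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
  printf '%s\n' "$POLICY" | while read -r mnt want; do
    # The fourth column holds the options; like mount, the last matching line wins.
    opts=$(printf '%s\n' "$fstab" | awk -v m="$mnt" '$2 == m { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
      printf '%s not in fstab\n' "$mnt"
      continue
    fi
    missing=
    for o in $(printf '%s\n' "$want" | tr ',' ' '); do
      has_opt "$opts" "$o" || missing="$missing,$o"
    done
    if [ -n "$missing" ]; then
      printf '%s missing %s\n' "$mnt" "${missing#,}"
    fi
  done
}

# Run against the sample; on a live host use:  fstab_audit < /etc/fstab
printf '%s\n' "$FSTAB_SAMPLE" | fstab_audit
```

Against the sample the script reports nodev missing on /boot and /var/log, noexec missing on /tmp and /var/tmp, and all three missing on /dev/shm. Whether to act on the /var/tmp finding is a judgement call on Gentoo: the default PORTAGE_TMPDIR is /var/tmp, and noexec there breaks package builds unless PORTAGE_TMPDIR is pointed at another filesystem, which is a common reason to stop at nodev,nosuid as this fstab does.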
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/hosts
Changed on 06.09.08
This entry is for the LAN IP of the server. If DNS fails, the server can at least resolve itself.
my.lan.ip.addr xgabosh xgabosh.example.com silent-gabosh.example.com silent-gabosh gabosh example.com
# Some other hostnames (VPNs/WLAN)
#XXX.XXX.XXX.XXX xgabosh-wlan xgabosh-wlan.example.com silent-wlan-gabosh.example.com silent-wlan-gabosh wlan-gabosh
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/logrotate.conf
Changed on 13.01.15
Rotate logs daily
weekly
After change:
daily
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/logrotate.d/gabosh
Changed on 19.09.14
Log rotations
/opt/rsyncd.log {
compress
rotate 7
daily
notifempty
missingok
copytruncate
postrotate
/usr/local/sbin/rsyncwatch > /dev/null 2>&1 || true
endscript
}
/var/log/dmesgcron
/var/log/messages
/var/log/in.tftpd.log
/var/log/zyxelstatus.log
/var/log/arpwatch.log
/var/log/smartd.log
/var/log/sshd-rsyncbackup.log
/var/log/pppd.log
/var/log/backup-gabosh.log
/var/log/daemon.log
/var/log/maillog.log
/var/log/kontent.log
/var/log/nscd.log
/var/log/ntp.log
/var/log/bind.log
/var/log/xinetd.log
/var/log/cupsd.log
/var/log/usv-apcupsd.log
/var/log/backup-gabosh.sh.log
/var/log/docker.log
/var/log/user.log
/var/log/dms-inotifys.log
/var/log/emerge-fetch.log
/var/log/sshd.log
/var/log/slapd.log
/var/log/debug.log
/var/log/pulseaudio.log
/var/log/auth.log
/var/log/sa-update.log
/var/log/sshd-sftp.log
/var/log/hostapd.log
/var/log/emerge.log
/var/log/mail.log
/var/log/kern.log
/var/log/dyndns.log
/var/log/firewall.log
/var/log/GTC-Hosts.log
/var/log/cron.log
/var/log/nfs.log
/var/log/Raspberrys.log
/var/log/dhcpd.log
/var/log/gabosh-statushtml.log
/var/log/sshd-tunnel.log
/var/log/x.log
/var/log/lpr.log
/var/log/sshd-share.log
/var/log/nextcloud.log
/var/log/nextcloud-test.log
/var/log/auth-success.log
/var/log/g_bash-scripts.log
{
rotate 7
daily
missingok
notifempty
copytruncate
compress
postrotate
test -r /run/rsyslogd.pid && kill -HUP $(cat /run/rsyslogd.pid) > /dev/null 2>&1
endscript
}
/var/log/apache2/*log {
rotate 7
daily
missingok
notifempty
copytruncate
compress
postrotate
/etc/init.d/apache2 restart > /dev/null 2>&1 || true
endscript
}
/opt/sftpaccess.log {
compress
maxage 365
rotate 7
size=+1024k
notifempty
missingok
copytruncate
}
/opt/sftpuseraccess.log {
compress
maxage 365
rotate 7
size=+1024k
notifempty
missingok
copytruncate
}
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Complete file: /etc/profile.d/root.sh
Changed on 30.11.10
Some (personal) special settings for the root shell.
EDITOR="/usr/bin/vim"
if [ "$EUID" = "0" ] || [ "$USER" = "root" ]
then
PATH=$PATH:/root/scripts
HISTSIZE=10000
HISTFILESIZE=10000
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/rc.conf
Changed on 05.03.17
Network is considered up as soon as one interface starts
rc_depend_strict="NO"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/rsyslog.d/00-gtc.conf
Changed on 19.09.14
Remote logging: rsyslog listens on UDP 514 for syslog from other hosts and files messages by sender hostname. Plain UDP syslog is neither authenticated nor encrypted, so the listener should only be reachable from the local network.
# Listen for remote logging (UDP)
module(load="imudp")
input(type="imudp" port="514")
# Hosts
if $hostname startswith 'my.default.route.ip' and $msg contains 'User admin login from XXX.XXX.XXX.XXX successful' then stop
if $hostname != 'xgabosh' and $msg contains 'wdGetDidSendCredentials not implemented' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'CGPrecv: socket 0x' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'doEncryptData inbuffersize: ' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'SSLPutDataFn inbuffersize: ' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'SRC=192.168.' and $programname contains 'kernel' then stop
if $hostname startswith 'my.default.route.ip' then /var/log/zyxel.log
if $hostname startswith 'my.default.route.ip' then stop
if $hostname startswith 'raspberry-' then /var/log/Raspberrys.log
if $hostname startswith 'raspberry-' then stop
if $hostname != 'xgabosh' and $hostname != 'share' and $hostname != 'backup-chroot' then /var/log/GTC-Hosts.log
if $hostname != 'xgabosh' and $hostname != 'share' and $hostname != 'backup-chroot' then stop
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/rsyslog.d/01-gabosh.conf
Changed on 19.09.14
Log file definitions
# Additional sockets from chroots
input(type="imuxsock" HostName="backup-chroot" Socket="/srv/share/Backups/dev/log" CreatePath="on")
input(type="imuxsock" HostName="vpn-share" Socket="/srv/dev/log" CreatePath="on")
input(type="imuxsock" HostName="share" Socket="/srv/share/dev/log" CreatePath="on")
# Auth success (for share-auth 2FA)
if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log
# Nextcloud
if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop
if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop
if $programname == 'nextcloud' then /var/log/nextcloud.log
if $programname == 'nextcloud' then stop
if $programname == 'nextcloud-audit' then /var/log/nextcloud.log
if $programname == 'nextcloud-audit' then stop
if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test' then stop
if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test-audit' then stop
# UPS
if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log
if $programname == 'apcupsd' then stop
# SMART HDD monitoring
if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log
if $programname == 'smartd' then stop
# SSH TUNNEL
if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log
if $programname == 'sshd-tunnel' then stop
# SSH SFTP
if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log
if $programname == 'sshd-sftp' then stop
# SSH Share
if $programname == 'sshd-share' then /var/log/sshd-share.log
if $programname == 'sshd-share' then stop
# SSH rsyncbackup
if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log
if $programname == 'sshd-rsyncbackup' then stop
# SSH
if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log
if $programname == 'sshd' then stop
# SFTP
if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop
if $programname == 'internal-sftp' then /opt/sftpaccess.log
if $programname == 'internal-sftp' then stop
# Cron
if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'cron' then stop
if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'run-crons' then stop
if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'crontab' then stop
# rsync
if $programname == 'rsyncd' and $syslogseverity <= '6' then /opt/rsyncd.log
if $programname == 'rsyncd' then stop
# DNS
if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop
if $programname == 'named' and $msg contains ': sending notifies' then stop
if $programname == 'named' and $msg contains ' loaded serial ' then stop
if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
if $programname == 'named' then stop
# DHCP
if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
if $programname == 'dhcpd' then stop
# NFS
if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.mountd' then stop
if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.idmapd' then stop
if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.statd' then stop
if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpcbind' then stop
# NTP
if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpd' then stop
if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpdate' then stop
# Mail
if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
if $msg contains 'seen_db: user ' then stop
if $msg contains 'SQUAT ' then stop
if $msg contains 'indexing mailbox ' then stop
if $msg contains 'fetching user_deny.db' then stop
if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'lmtpunix' then stop
if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imap' then stop
if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imaps' then stop
if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'master' then stop
if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ctl_cyrusdb' then stop
if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3' then stop
if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3s' then stop
if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'squatter' then stop
if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'tls_prune' then stop
if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'cyr_expire' then stop
if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'sieve' then stop
if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'deliver' then stop
if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ipurge' then stop
if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'saslauthd' then stop
if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'amavis' then stop
if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'clamd' then stop
if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'freshclam' then stop
if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'fetchmail' then stop
if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'spamd' then stop
if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname contains 'postfix' then stop
if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'reconstruct' then stop
if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'policyd-spf' then stop
# slapd
if $programname == 'slapd' then /var/log/slapd.log
if $programname == 'slapd' then stop
# firewall
if $programname == 'kernel' and $msg contains 'fire.sh' then /var/log/firewall.log
if $programname == 'kernel' and $msg contains 'fire.sh' then stop
# PulseAudio
if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop
if $programname == 'pulseaudio' then /var/log/pulseaudio.log
if $programname == 'pulseaudio' then stop
# hostapd
if $programname == 'hostapd' then /var/log/hostapd.log
if $programname == 'hostapd' then stop
# nscd
if $programname == 'nscd' then /var/log/nscd.log
if $programname == 'nscd' then stop
# arpwatch
if $programname == 'arpwatch' then /var/log/arpwatch.log
if $programname == 'arpwatch' then stop
# X
if $programname == 'mate-session' then /var/log/x.log
if $programname == 'mate-session' then stop
if $programname == 'Tor' then /var/log/x.log
if $programname == 'Tor' then stop
# xinetd
if $programname == 'xinetd' then /var/log/xinetd.log
if $programname == 'xinetd' then stop
# in.tftpd
if $programname == 'in.tftpd' then /var/log/in.tftpd.log
if $programname == 'in.tftpd' then stop
# pppd
if $programname == 'dhcpcd' then /var/log/pppd.log
if $programname == 'dhcpcd' then stop
if $programname == 'radvd' then /var/log/pppd.log
if $programname == 'radvd' then stop
if $programname == 'pppd' then /var/log/pppd.log
if $programname == 'pppd' then stop
# wlan
if $programname == 'wpa_cli' then /var/log/messages
if $programname == 'wpa_cli' then stop
# cups
if $programname == 'cupsd' then /var/log/cupsd.log
if $programname == 'cupsd' then stop
# bash scripts using g-lib
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
if $programname contains 'g_bash-script' then stop
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/ssh/ssh_config
Changed on 07.06.10
Security settings for the SSH client
## Ciphers Check https://sshcheck.com/server/example.com/8081
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha1,umac-64@openssh.com
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,umac-64@openssh.com
Host *
ConnectTimeout 10
StrictHostKeyChecking accept-new
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Complete file: /etc/ssh/sshd_config
Changed on 07.06.10
List of users who are allowed to log in, and only safe ciphers over SSH. Root login, public-key authentication and TCP forwarding are switched off globally and re-enabled only by the Match blocks for the listed users and source addresses; everything after a Match line belongs to that block.
PermitRootLogin no
PubkeyAuthentication no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
## Ciphers Check https://sshcheck.com/server/example.com/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily inet
AllowUsers root user1 user2 jonah
# Root login from local networks and OLB/SFTP01+OLB-MAWLAN
Match User root Address 172.23.*,172.24.*,172.25.*,212.6.102.*,85.16.65.139,127.0.0.1,185.232.103.115
  PermitRootLogin yes
  # Needed by terraform/libvirt
  AllowTcpForwarding yes
# Backup/Sync via unison/ssh
Match User root,user1,user2,jonah Address 172.25.*,172.23.*,XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX
  PubkeyAuthentication yes
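The sshd_config comment suggests verifying the negotiated algorithms with nmap's ssh2-enum-algos script. The script below is an added example, not part of this sysdoc: it reads that nmap output on stdin, compares every offered algorithm with the allowlist taken from the KexAlgorithms, HostKeyAlgorithms, Ciphers and MACs lines above, and prints whatever the running daemon offers beyond them. The nmap output embedded here is constructed in the script's output format and deliberately shows a server that still offers two legacy algorithms.

```shell
#!/bin/sh
# Added example: compare the algorithms a running sshd offers (as listed by nmap's
# ssh2-enum-algos script) with the allowlist from sshd_config and flag any extras.
# Not part of the sysdoc page; the nmap output below is constructed.

# Allowlist from the KexAlgorithms/HostKeyAlgorithms/Ciphers/MACs lines above.
ALLOWED='curve25519-sha256@libssh.org ssh-ed25519
chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com
hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com'

# Constructed ssh2-enum-algos output for a server that still offers two legacy algorithms.
NMAP_SAMPLE='PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)
|       ssh-ed25519
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes128-gcm@openssh.com
|   mac_algorithms: (4)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

# check_ssh_algos: read nmap output on stdin; print "SECTION offers ALGO" for every
# offered algorithm that is not in ALLOWED; exit 1 if any were found, else 0.
check_ssh_algos() {
  awk -v allow="$(printf '%s' "$ALLOWED" | tr '\n' ' ')" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { sub(/^[|]_?[ \t]*/, "") }                         # strip the "|" / "|_" margin
    /_algorithms: \([0-9]+\)$/ { section = $1; sub(/:$/, "", section); next }
    section == "" || section == "compression_algorithms" { next }
    /[ \t]/ { next }                                    # not an algorithm name
    !($0 in ok) { print section " offers " $0; bad++ }
    END { exit (bad ? 1 : 0) }
  '
}

# On the live host:  nmap -p22 -n -sV --script ssh2-enum-algos localhost | check_ssh_algos
printf '%s\n' "$NMAP_SAMPLE" | check_ssh_algos || echo "sshd offers algorithms outside the allowlist"
```

Run it after every `rc-service sshd restart`; a non-zero exit means the daemon that is actually listening offers something the configuration is meant to exclude (a later directive or an included file overriding the list is the usual cause). To see which Match block applies to a particular client, `sshd -T -C user=root,host=client,addr=172.23.0.5` prints the effective configuration after Match evaluation.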
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/sysctl.conf
Changed on 06.09.08
This reboots the computer 60 seconds after a kernel panic.
#kernel.panic = 3
After change:
kernel.panic = 60
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/sysctl.d/gabosh.conf
Changed on 06.09.17
Network optimizations for SSHFS/NFS
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
Allow many inotify watches per user
fs.inotify.max_user_watches=999999999
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /gtc/test/etc/bash/bashrc.d/gabosh
Changed on 30.11.10
Some (personal) special settings for bash
# Eternal bash history.
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /gtc/test/etc/profile.d/gtc.sh
Changed on 30.11.10
Some (personal) special settings for bash
EDITOR="/usr/bin/vim"
PATH=$PATH:/etc/thinclient/scripts
HISTSIZE=10000
HISTFILESIZE=10000
PS1="GTC $PS1"
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Complete file: /usr/local/sbin/msgwatch
Changed on 02.03.11
This is an optional script which sends an e-mail when an SSH user logs in or out.
#!/usr/bin/perl -w
# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;
# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
open(PID, "</var/run/$me");
my $pid=<PID>;
close(PID);
chomp($pid);
if (-d "/proc/$pid") {
print "Killing old daemon with PID: $pid\n";
kill 9, $pid;
}
}
# Daemonize
Proc::Daemon::Init();
# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);
# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/var/log/sshd.log";
my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
### SSHD ###
if ($line =~ / sshd.+ Accepted .+ for .+ from .+ port /) {
$line=~s/ +/ /g;
chomp($line);
sleep 5;
my $who=`who ; w`;
my @line=split(/ /,$line);
`echo "Hi,
$line[8] is logging in with $line[6] ($line[12]) from $line[10]:
# who ; w
$who
$line
Your $0 [$$]
" | mail -s "SSHWATCH: $line[8] is logging in from $line[10]" $mailto`;
}
if ($line =~ / sshd.+ session closed for user /) {
$line=~s/ +/ /g;
chomp($line);
sleep 5;
my $who=`who ; w`;
my @line=split(/ /,$line);
`echo "Hi,
$line[10] is closing the session:
# who ; w
$who
$line
Your $0 [$$]
" | mail -s "SSHWATCH: $line[10] is closing the session" $mailto`;
}
}
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Complete file: /usr/local/sbin/rsyncwatch
Changed on 02.03.11
This is an optional script which sends an e-mail when there is an rsync connection, and blocks connecting addresses that geoiplookup does not place in Germany.
#!/usr/bin/perl -w
# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;
# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
open(PID, "</var/run/$me");
my $pid=<PID>;
close(PID);
chomp($pid);
if (-d "/proc/$pid") {
print "Killing old daemon with PID: $pid\n";
kill 9, $pid;
}
}
# Daemonize
Proc::Daemon::Init();
# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);
# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/opt/rsyncd.log";
my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
if ($line =~ / rsyncd.+ connect from .+172.23/) { next; }
if ($line =~ / rsyncd.+ connect from .+172.24/) { next; }
if ($line =~ / rsyncd.+ connect from .+172.25/) { next; }
if ($line =~ / rsyncd.+ connect from .+ewe-ip-backbone\.de/) { next; }
if ($line =~ / rsyncd.+ connect from .+versanet\.de/) { next; }
if ($line =~ / rsyncd.+ connect from .+dsl\.tropolys\.de/) { next; }
if ($line =~ / rsyncd.+ connect from .+dynamic.kabel-deutschland.de/) { next; }
if ($line =~ / rsyncd.+ connect from .+t-ipconnect.de./) { next; }
if ($line =~ / rsyncd.+ connect from .+gabosh\.net/) { next; }
### RSYNCD ###
if ($line =~ / rsyncd.+ connect from /) {
$line=~s/ +/ /g;
chomp($line);
my @line=split(/ /,$line);
$line[8]=~s/\(//g;
$line[8]=~s/\)//g;
# Only hand a plain dotted quad to geoiplookup and iptables; anything else taken
# from the log line is skipped instead of being interpolated into a command
next unless ($line[8] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/);
my $country=`geoiplookup $line[8] | grep "GeoIP Country Edition"`;
unless ( $country =~ / Germany/ ) {
`iptables -I gabosh-inet -p tcp -s $line[8] -j DROP`;
`iptables -I gabosh-inet -p udp -s $line[8] -j DROP`;
`echo "Blocking $line[7] $line[8] $country" | mail -s "RSYNCDWATCH: blocking $line[8]" $mailto`;
}
# `echo "Hi,
#
#rsync connection from $line[7] $line[8]:
#@line
#
#Your $0 [$$]
#" | mail -s "RSYNCDWATCH: rsync connection from $line[7] $line[8]" $mailto`;
}
}
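Both watchers above locate fields by position after collapsing whitespace, and rsyncwatch hands whatever it finds at position 8 to geoiplookup and iptables through the shell. The script below is an added example, not the author's code: it extracts the same data with anchored patterns, classifies SSH logins as local or remote using the 172.23/24/25 ranges that rsyncwatch already treats as local, and refuses to pass anything but a validated dotted quad onward. The log lines are constructed in the format rsyslog writes to /var/log/sshd.log and /opt/rsyncd.log; the names and addresses in them are made up.

```shell
#!/bin/sh
# Added example: anchored parsing of the sshd/rsyncd lines that msgwatch and
# rsyncwatch react to, plus address validation before anything reaches a shell.
# Not part of the sysdoc page; the log lines below are constructed.

SAMPLE_LOG='Mar 28 10:15:01 xgabosh sshd[2143]: Accepted publickey for user1 from 172.23.4.20 port 50122 ssh2: ED25519 SHA256:q1w2e3r4t5y6u7i8o9p0
Mar 28 10:16:42 xgabosh sshd[2201]: Accepted password for jonah from 203.0.113.7 port 4022 ssh2
Mar 28 10:40:11 xgabosh sshd[2143]: pam_unix(sshd:session): session closed for user user1
Mar 28 11:02:09 xgabosh rsyncd[3010]: connect from host.example.net (198.51.100.23)
Mar 28 11:02:10 xgabosh rsyncd[3011]: connect from UNKNOWN (2001:db8::5)'

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) { if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }; exit 0 }
    { exit 1 }'
}

# is_local_net ADDR: the 172.23/16, 172.24/16 and 172.25/16 ranges rsyncwatch skips
is_local_net() {
  case "$1" in
    172.23.*|172.24.*|172.25.*) return 0 ;;
  esac
  return 1
}

# sshd_logins: "USER METHOD ADDR PORT local|remote" for each Accepted line on stdin
sshd_logins() {
  sed -nE 's/^.* sshd\[[0-9]+\]: Accepted ([a-z0-9-]+) for ([^ ]+) from ([^ ]+) port ([0-9]+).*$/\2 \1 \3 \4/p' |
  while read -r user method addr port; do
    if is_local_net "$addr"; then net=local; else net=remote; fi
    printf '%s %s %s %s %s\n' "$user" "$method" "$addr" "$port" "$net"
  done
}

# sshd_logouts: the user name of each "session closed" line on stdin
sshd_logouts() {
  sed -nE 's/^.* sshd\[[0-9]+\]: pam_unix\(sshd:session\): session closed for user ([^ ]+).*$/\1/p'
}

# rsyncd_peers: "HOST ADDR" for each rsyncd connect line whose ADDR is a valid IPv4
# address. Anything else (here the IPv6 peer, which geoiplookup and the IPv4
# iptables chain would not handle anyway) is dropped rather than interpolated
# into a command line.
rsyncd_peers() {
  sed -nE 's/^.* rsyncd\[[0-9]+\]: connect from ([^ ]+) \(([^)]+)\).*$/\1 \2/p' |
  while read -r host addr; do
    if valid_ipv4 "$addr"; then printf '%s %s\n' "$host" "$addr"; fi
  done
}

# Stand-alone run over the sample; a watcher would feed tail -F output instead.
printf '%s\n' "$SAMPLE_LOG" | sshd_logins
printf '%s\n' "$SAMPLE_LOG" | rsyncd_peers
```

The point of valid_ipv4 is that the address is the one token from the log that ends up inside an iptables command; everything else extracted here is only printed or mailed. A watcher built on these functions would call geoiplookup and iptables only on addresses that came back from rsyncd_peers.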
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add sshd default
rc-update add atd default
rc-update add rsyslog default
rc-update add vixie-cron
If you want to use this solution you need the following howto(s) finished:
emerge net-misc/dhcp
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/dhcpd
Changed on 17.11.09
Only change this if you want to store your DHCP settings in LDAP. This sets the configuration file.
# DHCPD_CONF="/etc/dhcp/dhcpd.conf"
After change:
DHCPD_CONF="/etc/dhcp/dhcpd.conf"
The listen interface
# DHCPD_IFACE=""
After change:
DHCPD_IFACE="eth0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/dhcpd6
Changed on 17.11.09
Config file for DHCP in the WLAN network
# DHCPD_CONF="/etc/dhcp/dhcpd.conf"
After change:
DHCPD_CONF="/etc/dhcp/dhcpd6.conf"
The listen interface
# DHCPD_IFACE=""
After change:
DHCPD_IFACE="eth0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/conf.d/dhcpd-wlan
Changed on 17.11.09
Config file for DHCP in the WLAN network
# DHCPD_CONF="/etc/dhcp/dhcpd.conf"
After change:
DHCPD_CONF="/etc/dhcp/dhcpd-wlan.conf"
The listen interface
# DHCPD_IFACE=""
After change:
DHCPD_IFACE="wlan0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/dhcp/dhcpd.conf
Changed on 06.09.08
DHCP base settings, only if you want to use DHCP without LDAP. After some default definitions like gateway, DNS server, domain name and so on, it defines a range of IPs for clients. Change it according to your environment if you don't use DHCP over LDAP.
option domain-name "example.com";
default-lease-time 600;
max-lease-time 7200;
option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers my.lan.ip.addr;
option ntp-servers XXX.XXX.XXX.XXX;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet my.lan.network.ip netmask XXX.XXX.XXX.XXX {
range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Complete file: /etc/dhcp/dhcpd.conf
Changed on 06.09.08
Here are some examples of fixed IPs for DHCP hosts (only if you don't use DHCP over LDAP).
host heidiphone-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host homephone-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host beckyphone-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host user1phone-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host hometablet-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host beckykindle-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host small-gabosh-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host small-gabosh {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host knirps-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host ultra-gabosh-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host station-gabosh {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host epson-gabosh-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host gaboshberry {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host gaboshsleepberry {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host gaboshbeckyberry {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host lgtv {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host testberry {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host mirko-nas {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
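Reservations like the ones above are usually maintained by copy and paste, and a syntax check (dhcpd -t -cf /etc/dhcp/dhcpd.conf) only validates the grammar, not whether two host blocks collide. The following shell script is an added example and not part of the page's configuration: it pulls every hardware ethernet and fixed-address value out of a dhcpd.conf and reports those that occur more than once, comparing MACs case-insensitively. The sample configuration it writes is constructed for the example (invented hosts and 172.25.0.x addresses).

```shell
#!/bin/sh
# Added example, not part of the page's dhcpd.conf: list MAC addresses and
# fixed addresses that appear in more than one host { } reservation. Two
# reservations with one MAC make the lease depend on declaration order; two
# reservations with one fixed-address put two machines on the same IP.

# check_reservations CONF -> prints each duplicated value, then the count
check_reservations() {
    local conf="$1" macs ips n=0 v
    # hardware ethernet values, lower-cased so AA:BB and aa:bb compare equal
    macs=$(sed -n 's/^[[:space:]]*hardware[[:space:]]*ethernet[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | tr 'A-F' 'a-f')
    # fixed-address values as written
    ips=$(sed -n 's/^[[:space:]]*fixed-address[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    for v in $(printf '%s\n' "$macs" | sort | uniq -d); do
        echo "duplicate hardware ethernet: $v"
        n=$((n + 1))
    done
    for v in $(printf '%s\n' "$ips" | sort | uniq -d); do
        echo "duplicate fixed-address: $v"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample configuration (hosts and addresses invented for this
# example); writes it to a temporary file and prints the file name.
make_sample_conf() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
host heidiphone-wlan {
hardware ethernet aa:bb:cc:dd:ee:01;
fixed-address 172.25.0.10;
}
host homephone-wlan {
hardware ethernet aa:bb:cc:dd:ee:02;
fixed-address 172.25.0.11;
}
host hometablet-wlan {
hardware ethernet AA:BB:CC:DD:EE:01;
fixed-address 172.25.0.12;
}
host lgtv {
hardware ethernet aa:bb:cc:dd:ee:04;
fixed-address 172.25.0.11;
}
EOF
    echo "$f"
}

# Usage: check_reservations /etc/dhcp/dhcpd.conf
conf=$(make_sample_conf)
check_reservations "$conf"
rm -f "$conf"
```

On the sample the script reports the MAC shared by heidiphone-wlan and hometablet-wlan (written in different case) and the address shared by homephone-wlan and lgtv, and prints 2 as the last line; a clean file prints 0.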
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/dhcp/dhcpd-ldap.conf
Changed on 17.11.09
These are the settings for connecting to the LDAP server. They are only needed if you want to use LDAP as DHCP storage. With empty ldap-username and ldap-password dhcpd binds anonymously, so the LDAP ACLs have to grant anonymous read access to the DHCP subtree (and nothing more); the connection to port 389 is unencrypted, which is acceptable only because the server is localhost. ldap-debug-file makes dhcpd write the complete configuration it generated from LDAP to a fixed file name under /tmp; keep it commented out except while debugging.
ldap-server "localhost";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=example,dc=com";
ldap-dhcp-server-cn "silent-gabosh.example.com";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config";
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/dhcp/dhcpd-ldap-wlan.conf
Changed on 17.11.09
These are the settings for connecting to the LDAP server for the WLAN instance. They are only needed if you want to use LDAP as DHCP storage; the same remarks as for dhcpd-ldap.conf apply (anonymous bind, unencrypted localhost connection, debug file under /tmp).
ldap-server "localhost";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=example,dc=com";
ldap-dhcp-server-cn "silent-gabosh.example.com-wlan";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config-wlan";
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/dhcp/dhcpd-wlan.conf
Changed on 06.09.08
Configuration for DHCP in the WLAN network. next-server and filename are global here (they follow the subnet block), so every WLAN client is handed the network boot server and bootx64.efi as boot file; TFTP has no authentication, so the host at next-server is part of the boot trust chain of every client that net-boots.
option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers my.lan.ip.addr;
option domain-name "example.com";
option ntp-servers my.lan.ip.addr;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX {
range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}
next-server XXX.XXX.XXX.XXX;
filename "bootx64.efi";
Hosts with fixed IP
host epson-gabosh-wlan {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host small-gabosh {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host knirps {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host ultra-gabosh {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host heidiphone {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host homephone {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host beckyphone {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host user1phone {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host hometablet {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
host beckykindle {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address XXX.XXX.XXX.XXX;
}
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add dhcpd
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge net-dns/bind
emerge net-dns/bind-tools
File permissions:
Owner: root
Group: named
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/bind/named.conf
Changed on 07.09.08
Listen on localhost and on the LAN/WLAN networks, answer queries only from those networks, and recurse (resolve Internet names) only for the listed LAN/WLAN prefixes, which keeps the server from being an open resolver. Zone transfers, NOTIFYs and dynamic updates are refused. Note that allow-query admits the /16 networks while allow-recursion lists /24 networks: a client in the /16 but outside a listed /24 can query the local zones but gets REFUSED for anything else.
listen-on { 127.0.0.1; };
After change
// Listen
listen-on { 127.0.0.1;
my.lan.network.ip/16;
XXX.XXX.XXX.XXX/16;
XXX.XXX.XXX.XXX/24;
};
listen-on-v6 { none; };
// The way to the Internet (only for LAN/WLAN: my.lan.network.ip/24, XXX.XXX.XXX.XXX/24, XXX.XXX.XXX.XXX/24 and XXX.XXX.XXX.XXX/24)
allow-recursion { XXX.XXX.XXX.XXX/8;
my.lan.network.ip/24;
XXX.XXX.XXX.XXX/24;
XXX.XXX.XXX.XXX/24;
XXX.XXX.XXX.XXX/24;
XXX.XXX.XXX.XXX/24;
};
// Local zones
allow-query { XXX.XXX.XXX.XXX/8;
my.lan.network.ip/16;
XXX.XXX.XXX.XXX/16;
XXX.XXX.XXX.XXX/24;
};
allow-notify { none; };
allow-transfer {
/* Zone transfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
Log DNS-Queries
logging {
channel queries {
#file "/var/log/bind/dns-queries" versions 2 size 1m;
syslog local1;
#print-time yes;
};
category queries {
queries;
};
};
Zone definitions for some domains
# This is an entry for an LDAP Zone. Use this only if you want to use Bind with LDAP
#zone "example.com" IN {
# type master;
# database "ldap ldap://127.0.0.1/dc=example,dc=com 172800";
# allow-update { none; };
#};
zone "example.com." IN {
type master;
file "zones/db.example.com";
allow-update { none; };
};
zone "XXX.XXX.in-addr.arpa" {
type master;
file "zones/db.172.23";
allow-update { none; };
};
zone "25.172.in-addr.arpa" {
type master;
file "zones/db.172.25";
allow-update { none; };
};
#include "/var/bind/blacklisted.zones";
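The named.conf above applies three client ACLs in sequence: an address outside allow-query is refused outright, an address inside allow-query but outside allow-recursion is answered only for the local zones, and only addresses inside allow-recursion get Internet names resolved. The following shell script is an added example and not from the page: it implements the prefix match BIND applies to such ACLs and classifies a few client addresses, which makes the /16 versus /24 gap visible. The prefixes (127.0.0.0/8 for the /8 entry, 172.23.0.0 and 172.25.0.0 taken from the reverse zone file names) and the client addresses are assumptions, since the page redacts the real values.

```shell
#!/bin/sh
# Added example, not from the page's named.conf: decide which clients an
# allow-query / allow-recursion ACL of plain IPv4 prefixes would admit.
# All prefixes and client addresses below are assumptions for the example.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX -> exit 0 if IP lies inside PREFIX (a.b.c.d or a.b.c.d/n)
in_cidr() {
    local net="${2%/*}" bits="${2#*/}" mask
    [ "$bits" = "$2" ] && bits=32            # plain host address means /32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# acl_match IP "PREFIX PREFIX ..." -> prints the first matching prefix,
# exit 1 if none matches (BIND evaluates address match lists in order)
acl_match() {
    local ip="$1" p
    for p in $2; do
        if in_cidr "$ip" "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Assumed ACLs modelled on the page: allow-query uses /16s, allow-recursion /24s
ALLOW_QUERY="127.0.0.0/8 172.23.0.0/16 172.25.0.0/16"
ALLOW_RECURSION="127.0.0.0/8 172.23.0.0/24 172.25.0.0/24"

# classify IP -> refused | local-zones-only | recursion
classify() {
    if ! acl_match "$1" "$ALLOW_QUERY" >/dev/null; then
        echo "refused"
    elif acl_match "$1" "$ALLOW_RECURSION" >/dev/null; then
        echo "recursion"
    else
        echo "local-zones-only"
    fi
}

for client in 127.0.0.1 172.23.0.42 172.23.7.9 203.0.113.5; do
    printf '%-14s %s\n' "$client" "$(classify "$client")"
done
```

172.23.7.9 is the interesting case: it is inside the /16 in allow-query, so it can ask for example.com records, but outside the /24 in allow-recursion, so any other name is REFUSED. To confirm the live server behaves the same way, run dig @server example.org from a host outside the allow-recursion list and expect status REFUSED.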
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/named
Changed on 02.08.21
IPv4 only. Prevents "error (network unreachable) resolving" log entries on a host without IPv6 connectivity.
OPTIONS=""
After change
OPTIONS="-4"
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add named
If you want to use this solution you need the following howto(s) finished:
emerge net-dns/ez-ipupdate
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/crontab
Changed on 07.09.08
My provider offers an easier way to update the dynamic IP for my domain, so ez-ipupdate is not needed here: it is enough to fetch a specific URL with wget. The entries below are therefore commented out.
#*/30 * * * * root /root/scripts/dyndns.sh 2>&1
# Establish the internet connection if pppd is not running
#*/30 * * * * root if ! ps ax | grep -v grep | grep -q pppd; then /etc/init.d/net.ppp0 zap ; /etc/init.d/net.ppp0 start ; fi
If you want to use this solution you need the following howto(s) finished:
emerge app-misc/fdupes
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/deduplicate.pl
Changed on 29.04.10
This script finds duplicate files and replaces them with hard links (file deduplication). Be very careful with this: once two paths share one inode, changing the file through one path changes it for the other as well. fdupes compares content only, so two files with different owners or permissions are merged too, and the result keeps the owner and mode of the first file in each group. Hard links cannot cross filesystems; such pairs fail with an error and are left untouched.
#!/usr/bin/perl -w
# Usage: deduplicate.pl <Dir1> [dir2] [...]
# ToDo: Add a DryRun (Print only the files which will be linked and not link them)
use strict;
#foreach $a (@ARGV) {
# @dirlist=`find $a -type d`;
# foreach $b (@dirlist) {
# chomp($b);
# push(@list,$b);
# }
#}
# Run fdupes without a shell in between, so directory names containing
# spaces or shell metacharacters are passed through untouched.
open(my $fd, '-|', 'fdupes', '-q', '-r', @ARGV) or die "fdupes: $!\n";
my @duplicates=<$fd>;
close($fd);
my $new=1;
my $sourcefile;
foreach my $file (@duplicates) {
    chomp($file);
    # An empty line separates one group of identical files from the next
    unless ($file) {
        $new=1;
        next;
    }
    # The first file of a group is kept; the others become links to it
    if ($new) {
        $sourcefile=$file;
        $new=0;
        next;
    }
    print "ln -f $sourcefile $file\n";
    # link() refuses to overwrite, so link to a temporary name next to the
    # target and rename over it: rename is atomic, $file never goes missing.
    my $tmp="$file.dedup.$$";
    if (link($sourcefile, $tmp)) {
        rename($tmp, $file) or do { unlink($tmp); warn "rename $file: $!\n" };
    } else {
        warn "link $file: $!\n";
    }
}
The user names have to be identical to your system user names; this is necessary for mapping the UIDs to the Samba users.
smbpasswd -a user1
smbpasswd -a user2
If you want to use this solution you need the following howto(s) finished:
emerge net-fs/samba
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/system-auth
Changed on 20.05.09
Sync a password changed with the passwd command to the Samba password if the user exists in Samba. The line is commented out on the running system; pam_smbpass is no longer shipped with current Samba releases, so it only works on older installations.
#password sufficient pam_smbpass.so use_authtok nullok use_first_pass
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/security/limits.d/samba.conf
Changed on 18.06.10
Allow 16384 open files. This prevents the following warning:
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
The wildcard applies the limit to every user, not only to the Samba daemons.
* - nofile 16384
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/smbwatch
Changed on 02.03.11
This is a daemon that sends an e-mail for every line Samba logs containing "authentication for user" (successful and failed logins alike) and for every closed connection. User and host names in those lines are supplied by the remote client, so the daemon must not hand them to a shell.
#!/usr/bin/perl -w
# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;
# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
    open(PID, "</var/run/$me");
    my $pid=<PID>;
    close(PID);
    chomp($pid) if defined($pid);
    # Only kill if the PID file really holds a number and that process exists
    if (defined($pid) && $pid =~ /^\d+$/ && -d "/proc/$pid") {
        print "Killing old daemon with PID: $pid\n";
        kill 9, $pid;
    }
}
# Daemonize
Proc::Daemon::Init();
# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);
# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/var/log/samba/samba.log";
# Send the mail without a shell in between. User and host names in the log
# line come from the remote client, so they must never be interpolated into
# a shell command string; the list form of open() passes the subject as one
# argument to mail(1) and the body goes through the pipe.
sub notify {
    my ($subject, $body)=@_;
    open(my $mail, '|-', 'mail', '-s', $subject, $mailto) or return;
    print $mail $body;
    close($mail);
}
my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
    if ($line =~ /authentication for user/) {
        $line=~s/ +/ /g;
        $line=~s/\[//g;
        $line=~s/\]//g;
        $line=~s/^ +//;
        my $smbstatus=`smbstatus`;
        my @line=split(/ /,$line);
        notify("SMBWATCH: $line[4] is logging in",
               "Hi,\n$line[4] is logging in:\n$smbstatus\n$line\nYour $0 [$$]\n");
    }
    if ($line =~ /closed connection/) {
        $line=~s/ +/ /g;
        $line=~s/\[//g;
        $line=~s/\]//g;
        $line=~s/^ +//;
        my $smbstatus=`smbstatus`;
        my @line=split(/ /,$line);
        notify("SMBWATCH: $line[0] is closing the connection to service $line[6]",
               "Hi,\n$line[0] is closing the connection to service $line[6]:\n$line\n$smbstatus\nYour $0 [$$]\n");
    }
    $line="";
}
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add samba
If you want to use this solution you need the following howto(s) finished:
emerge net-firewall/iptables
emerge sys-apps/iproute2
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /etc/local.d/01_services.start
Changed on 06.10.08Starting the firewall after system boot.
/usr/local/sbin/fire.sh
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/sysctl.conf
Changed on 06.09.08
Enable IPv4 forwarding (routing) in the kernel and turn on reverse-path filtering against spoofed source addresses.
#net.ipv4.ip_forward = 0
After change
net.ipv4.ip_forward = 1
# IP spoofing protection
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/sysctl.d/gabosh.conf
Changed on 06.09.08
Ignore IPv4 ICMP echo requests sent to broadcast addresses, so the host cannot be used as a smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/fireoff.sh
Changed on 10.06.09
With this script you can deactivate everything you configured with the fire.sh script. This can be helpful if you want to test something without a firewall. Note that it does more than remove the filter rules: it re-enables source routing and ICMP redirects, disables reverse-path filtering and leaves IP forwarding and the MASQUERADE rule in place, so the machine is an unfiltered NAT router until fire.sh is run again.
#!/bin/bash
# deactivate antispoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 0 > $f
done
# deactivate antispoofing logging
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 0 > $f
done
# allow ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 1 > $f
done
# allow source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 1 > $f
done
# receive ICMP broadcast echos
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# don't ignore bogus ICMP error responses
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 >/proc/sys/net/ipv4/tcp_timestamps
echo 1 >/proc/sys/net/ipv4/tcp_window_scaling
# reset/allow everything
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT AC
CEPT
ip6tables -F
ip6tables -X
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/fire.sh
Changed on 21.04.12
This is the firewall script. It stops fail2ban first, because the script flushes all chains and would discard fail2ban's ban rules; the restart at the end is commented out, so fail2ban has to be started again by hand after running it. Note that UDP 514 (syslog) is opened towards the Internet, so anyone can send unauthenticated syslog messages to this host. Two variables from the configuration block, BLOCKINETIPS and WANUDP, were defined but never used by the original rules; the blocklist is applied below, the WAN ports are only noted.
#!/bin/bash
# fail2ban keeps its own chains; stop it before everything is flushed (see the commented restart at the end)
/etc/init.d/fail2ban stop >/dev/null 2>&1
/etc/init.d/fail2ban zap >/dev/null 2>&1
sleep 2
while ps ax | grep -v grep | grep -q fail2ban
do
  echo -n "."
  kill -9 $(pidof /usr/bin/python3.9 /usr/bin/fail2ban-server)
  sleep 1
done
### CONFIGURATION ###
WANIF="eth1"
WANUDP="123 514"
# Internet Interface
INETIF="ppp0"
# Opened INET Ports TCP/UDP
# ssh, smtp, http, https, smtps, smtp/submission, rsync, imaps, pop3s, turn/stun, xmpp, xmpp, ssh-tunnel
INETTCP="22 25 28 80 443 465 587 873 993 995 3478 5222 5269 8081"
# syslog, turn/stun
INETUDP="514 3478"
# Portforwarding(s) for connections from INET-Devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
#INETPORTFW="0.0.0.0/0:82:192.168.178.1:80:tcp"
INETPORTFW=""
#INETPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# Here you can enter trusted IPs or whole networks for completely routing of them
#INETROUTED=""
# Deny (untrusted) MACs for ROUTING/FORWARDING to the Internet
# EPSON-Printer
NOINETMACS="XX:XX:XX:XX:XX:XX"
# Here you can add Domains in the Internet to be not routed
NOINETDOMAINS=""
# Disallow Internet DNS requests
NOINETDNS="no"
# Block IPs coming from Internet
BLOCKINETIPS="XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/16 XXX.XXX.XXX.XXX/16 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX"
# LAN Interface
LANIF="eth0"
# Opened LAN Ports TCP/UDP
# ssh-sftp, nfs, ldap, ipp-cups, ldaps, hugo-blog, nfs, nfs, pulseaudio, drbd , drbd
LANTCP="$INETTCP 24 111 222 389 587 631 636 1313 2049 3000 3128 32765:32768 4713 5901 7788 7789 7790 10102 5950 "
# dns, tftp, ntp, nfs-rpc, syslog, ipp-cups, nfs, squid, asterisk, asterisk, nfs
LANUDP="$INETUDP 53 69 123 111 514 631 2049 5000:5040 5060 32765:32768"
# Portforwarding(s):
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
LANPORTFW=""
#LANPORTFW="0.0.0.0/0:10102:127.0.0.1:10102:tcp"
#LANPORTFW="0.0.0.0/0:5901:my.lan.ip.addr:5900:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# WLAN Interface
WLANIF="wlan0"
WLANTCP="$LANTCP"
WLANUDP="$LANUDP"
# Portforwarding(s):
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
WLANPORTFW=""
#WLANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
VNETIF="vnet0"
VNETTCP="$LANTCP"
VNETUDP="$LANUDP"
DOCKERIF="docker0"
DOCKERTCP=""
DOCKERUDP=""
# Optional SIP GW for incoming calls
#SIPGWS="SIP-PROVIDER-HOSTNAME"
RTPRANGE="5000:5040"
### CONFIGURATION END ###
### Some kernel parameters ###
# Antispoofing
for FILTER in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $FILTER
done
# Antispoofing Logging
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
#  echo 1 > $f
#done
# Deny ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > $f
done
# Deny Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > $f
done
# Ignore ICMP broadcast echos
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore Bogus ICMP-Errors
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable WLAN Power saving
iw dev $WLANIF set power_save off
# activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
### prepare iptables - Reset/Deny all ###
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Drop all zeroconf IPs
iptables -A INPUT -s XXX.XXX.XXX.XXX/16 -j DROP
iptables -A FORWARD -s XXX.XXX.XXX.XXX/16 -j DROP
# Block IPs coming from Internet (BLOCKINETIPS was defined above but never applied; done here)
for BLOCKIP in $BLOCKINETIPS
do
  iptables -A INPUT -i $INETIF -s $BLOCKIP -j DROP
  iptables -A FORWARD -i $INETIF -s $BLOCKIP -j DROP
done
# No Internet DNS
if echo $NOINETDNS | grep -q yes
then
  iptables -A FORWARD -p udp -o $INETIF --dport 53 -j DROP
  iptables -A FORWARD -p tcp -o $INETIF --dport 53 -j DROP
fi
# Drop Reset Packages
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
### Routing the IPv4 networks ###
# Masquerade routing into the Internet
iptables -t nat -A POSTROUTING -o $INETIF -j MASQUERADE
# MACs not to be routed to the Internet. This has to come before the per-interface
# ACCEPT rules below: appended after them, the first SYN of every connection was
# already accepted before this DROP was reached.
for NOINETMAC in $NOINETMACS
do
  iptables -A FORWARD -m mac --mac-source $NOINETMAC -o $INETIF -j DROP
done
# DOCKER will be routed everywhere
iptables -A FORWARD -i $DOCKERIF -m conntrack --ctstate NEW -j ACCEPT
# LAN will be routed everywhere
iptables -A FORWARD -i $LANIF -m conntrack --ctstate NEW -j ACCEPT
# VNET will be routed everywhere
iptables -A FORWARD -i $VNETIF -m conntrack --ctstate NEW -j ACCEPT
# WLAN will be routed everywhere
iptables -A FORWARD -i $WLANIF -m conntrack --ctstate NEW -j ACCEPT
# Block some domains from being routed to the Internet
# (matches the plaintext HTTP Host header only; TLS traffic is not affected)
for NOINETDOMAIN in $NOINETDOMAINS
do
  iptables -A FORWARD -m string --string "Host: $NOINETDOMAIN" --algo bm -o $INETIF -j REJECT
done
# Allow all already opened routed connections. This does not allow incoming/new connections to be routed; the connection has to be opened in the LAN or on a trusted/routed host
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If you are using this node as a NAT router, the systems behind it have no way to know the real MTU of the PPPoE interface. Therefore the systems will try to use packets bigger than the maximum allowed, which will be dropped without warning by routers.
# The solution, unless you want to configure all your devices with a reduced MTU, is to instruct the routing host to intercept all TCP handshake packets and correct in-flight the wrong MSS value requested by internal hosts.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Allow trusted hosts/networks to be routed new connections from INETNET
for INETNETIP in $INETROUTED
do
  iptables -A FORWARD -i $INETIF -s $INETNETIP -m conntrack --ctstate NEW -j ACCEPT
done
### Portforwarding ###
# Portforwarding for INETLAN
for PFW in $INETPORTFW
do
  # Get DATA
  SRCIP=`echo "$PFW" | cut -d':' -f 1`
  SRCPORT=`echo "$PFW" | cut -d':' -f 2`
  DSTIP=`echo "$PFW" | cut -d':' -f 3`
  DSTPORT=`echo "$PFW" | cut -d':' -f 4`
  PROT=`echo "$PFW" | cut -d':' -f 5`
  # Rule for Portforwarding
  iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $INETIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
  # Allow forwarding
  iptables -A FORWARD -s $SRCIP -p $PROT -i $INETIF -m conntrack --ctstate new -d $DSTIP --dport $DSTPORT -j ACCEPT
done
# Portforwarding for LAN
for PFW in $LANPORTFW
do
  # Get DATA
  SRCIP=`echo "$PFW" | cut -d':' -f 1`
  SRCPORT=`echo "$PFW" | cut -d':' -f 2`
  DSTIP=`echo "$PFW" | cut -d':' -f 3`
  DSTPORT=`echo "$PFW" | cut -d':' -f 4`
  PROT=`echo "$PFW" | cut -d':' -f 5`
  # Rule for Portforwarding
  iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $LANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
  # Allow forwarding
  iptables -A FORWARD -s $SRCIP -p $PROT -i $LANIF -m conntrack --ctstate new -d $DSTIP --dport $DSTPORT -j ACCEPT
done
# Portforwarding for WLAN
for PFW in $WLANPORTFW
do
  # Get DATA
  SRCIP=`echo "$PFW" | cut -d':' -f 1`
  SRCPORT=`echo "$PFW" | cut -d':' -f 2`
  DSTIP=`echo "$PFW" | cut -d':' -f 3`
  DSTPORT=`echo "$PFW" | cut -d':' -f 4`
  PROT=`echo "$PFW" | cut -d':' -f 5`
  # Rule for Portforwarding
  iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $WLANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
  # Allow forwarding
  iptables -A FORWARD -s $SRCIP -p $PROT -i $WLANIF -m conntrack --ctstate new -d $DSTIP --dport $DSTPORT -j ACCEPT
done
# Last forward rule is for logging. The policy is DROP, so all traffic reaching this rule consists of dropped packets
iptables -A FORWARD -j LOG --log-prefix "fire.sh: FORWARD4 DROP: "
### Outgoing traffic from the Server ###
# Allow all outgoing connections with valid state
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
# Allow pong from ipv6ping
# Last output rule is for logging. The policy is DROP, so all traffic reaching this rule consists of dropped packets
iptables -A OUTPUT -j LOG --log-prefix "fire.sh: OUTPUT4 DROP: "
### Incoming traffic into the Server ###
# Hold built connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow all incoming connections from localhost
iptables -A INPUT -i lo -j ACCEPT
# Open Ports TCP/UDP
# Create Chains
iptables -N gabosh-inet
iptables -N gabosh-wan
iptables -N gabosh-lan
iptables -N gabosh-wlan
iptables -N gabosh-vnet
iptables -N gabosh-docker
# Predefine Chains
iptables -A INPUT -i $INETIF -j gabosh-inet
iptables -A INPUT -i $WANIF -j gabosh-wan
iptables -A INPUT -i $LANIF -j gabosh-lan
iptables -A INPUT -i $WLANIF -j gabosh-wlan
iptables -A INPUT -i $VNETIF -j gabosh-vnet
iptables -A INPUT -i $DOCKERIF -j gabosh-docker
# Note: WANUDP is defined above but never applied to gabosh-wan, so $WANIF only accepts ESTABLISHED/RELATED traffic
# INET/UDP
for PORT in $INETUDP
do
  iptables -A gabosh-inet -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# INET/TCP
for PORT in $INETTCP
do
  iptables -A gabosh-inet -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/TCP
for PORT in $LANTCP
do
  iptables -A gabosh-lan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/UDP
for PORT in $LANUDP
do
  iptables -A gabosh-lan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/TCP
for PORT in $WLANTCP
do
  iptables -A gabosh-wlan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/UDP
for PORT in $WLANUDP
do
  iptables -A gabosh-wlan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VNET/TCP
for PORT in $VNETTCP
do
  iptables -A gabosh-vnet -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VNET/UDP
for PORT in $VNETUDP
do
  iptables -A gabosh-vnet -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
for PORT in $DOCKERTCP
do
  iptables -A gabosh-docker -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
for PORT in $DOCKERUDP
do
  iptables -A gabosh-docker -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# Allow ping from LAN
iptables -A gabosh-lan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-vnet -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-wlan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-docker -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A gabosh-inet -p icmp --icmp-type echo-request -j ACCEPT
# Last input rule is for logging. The policy is DROP, so all traffic reaching this rule consists of dropped packets
iptables -A INPUT -j LOG --log-prefix "fire.sh: INPUT4 DROP: "
# Fail2Ban restart for revert f2b iptables rules
#/etc/init.d/fail2ban start >/dev/null 2>&1
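The three Portforwarding loops in fire.sh split each entry with cut and hand the five fields straight to iptables. An entry with a missing field or a typo therefore produces a rule with empty arguments, which iptables rejects and the script ignores, or a rule that forwards somewhere unintended. The following shell functions are an added example and not part of fire.sh: they validate one entry in the script's SRCIP:SRCPORT:DSTIP:DSTPORT:PROT format and print the two iptables commands the script would run, without executing anything, so a broken entry is caught before any rule is loaded. The sample entries and addresses (192.168.178.x, 10.0.0.0/8) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of fire.sh: validate one port-forwarding entry in
# the "SRCIP:SRCPORT:DSTIP:DSTPORT:PROT" format used by INETPORTFW and friends
# and print the DNAT and FORWARD rules for it (dry run, nothing is executed).

# valid_ip_or_cidr A.B.C.D[/N] -> exit 0 if every octet is 0-255 and N is 0-32
valid_ip_or_cidr() {
    local ip="${1%/*}" prefix="" o
    [ "$1" != "$ip" ] && prefix="${1#*/}"
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# valid_port N -> exit 0 for 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# pfw_rules ENTRY IFACE -> prints two iptables commands, exit 1 on a bad entry
pfw_rules() {
    local entry="$1" iface="$2" oldifs="$IFS"
    local srcip srcport dstip dstport prot
    set -f; IFS=:                 # split on ':' only, no pathname expansion
    set -- $entry
    IFS="$oldifs"; set +f
    if [ $# -ne 5 ]; then
        echo "pfw: '$entry' must be SRCIP:SRCPORT:DSTIP:DSTPORT:PROT" >&2
        return 1
    fi
    srcip=$1 srcport=$2 dstip=$3 dstport=$4 prot=$5
    valid_ip_or_cidr "$srcip" || { echo "pfw: bad source '$srcip'" >&2; return 1; }
    valid_port "$srcport" || { echo "pfw: bad source port '$srcport'" >&2; return 1; }
    # The DNAT target must be a single host, never a network
    valid_ip_or_cidr "$dstip" && [ "$dstip" = "${dstip%/*}" ] || {
        echo "pfw: destination '$dstip' must be a single host address" >&2; return 1; }
    valid_port "$dstport" || { echo "pfw: bad destination port '$dstport'" >&2; return 1; }
    case "$prot" in tcp|udp) ;; *) echo "pfw: protocol '$prot' must be tcp or udp" >&2; return 1 ;; esac
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$srcip" "$prot" "$srcport" "$dstip" "$dstport"
    printf 'iptables -A FORWARD -i %s -s %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$srcip" "$prot" "$dstip" "$dstport"
}

# Constructed sample entries in the format of INETPORTFW (assumed addresses)
for PFW in "0.0.0.0/0:82:192.168.178.1:80:tcp" "10.0.0.0/8:5901:192.168.178.20:5900:tcp"; do
    pfw_rules "$PFW" ppp0
done
# A network as destination is refused instead of becoming a broken DNAT rule
pfw_rules "0.0.0.0/0:82:192.168.178.0/24:80:tcp" ppp0 || echo "entry rejected, no rule generated"
```

To use it inside fire.sh, replace the cut lines in each loop with pfw_rules "$PFW" "$INETIF" piped into sh, or just run pfw_rules over every entry before the script flushes the live rules, so a malformed entry aborts the run instead of leaving a half-built forward.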
hdparm -C /dev/disk
This shows the current power state of the drive (active/idle, standby or sleeping). Please be careful with this solution: if you set the timeout too low, the disk may spin up and down very often, which is not good for the hardware.
If you want to use this solution you need the following howto(s) finished:
emerge sys-apps/hdparm
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/crontab
Changed on 30.11.10
Spin down /dev/sdb when it is inactive; the check runs every five minutes.
*/5 * * * * root /usr/local/sbin/hdspindown.sh sdb
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/hdspindown.sh
Changed on 30.11.10
A small script that watches the given disk(s) for inactivity. If a disk has been inactive for longer than $inactive minutes it is spun down and put to sleep (e.g. for power saving), and a mail is sent to root when a disk is spun down or becomes active again. The per-disk state files are kept in a root-owned directory rather than /tmp, where any local user could pre-create a file or symlink of the same name that root would then overwrite.
#!/bin/bash
# Time of inactivity (minutes) after which the disk is spun down
inactive=30
# State directory for the stat snapshots. Kept out of /tmp: the files are
# written by root under predictable names, and in /tmp any local user could
# plant a symlink of that name beforehand.
statedir=/var/lib/hdspindown
mkdir -p -m 700 "$statedir"
# Get default profile
. /etc/profile
# Function for checking the disk's state
function checkactive {
  # If the disk is not spun down yet, spin it down
  if hdparm -C /dev/$1 | grep active >/dev/null
  then
    echo "`date` Spinning down $1" >> "$statedir/spinned-down"
    echo "1" > "$statedir/spindown-$1"
    spindown $1
  # else
  #   echo "`date` Already spun down $1" >> "$statedir/spinned-down"
  fi
}
# Function for sending a mail and spinning down the disk
function spindown {
  echo "Issuing sleep on disk $1:
`ls -l /sys/block/$1/stat`
`cat /sys/block/$1/stat`
`ls -l $statedir/$1-stat`
`cat $statedir/$1-stat`
Date: `date`
Issuing command: hdparm -y /dev/$1:
`hdparm -y /dev/$1 2>&1`
" | mail -s "Spinning down $1" root
}
# Check commandline
if [ $# -eq 0 ]
then
  echo "This is a small script that watches the given disk(s) for inactivity. If a disk has been inactive for longer than $inactive minutes it is spun down and put to sleep (e.g. for power saving). If a disk is spun down a mail is sent to root.
Please enter the disk(s) you want to observe, separated by spaces. E.g. for observing /dev/hdb and /dev/sda:
$0 hdb sda"
  exit 1
fi
# Go through the arguments
for disk in "$@"
do
  # Only plain device names; anything with a slash could escape /sys/block or $statedir
  case "$disk" in ''|*/*|.|..) echo "Invalid disk name: $disk"; continue ;; esac
  # If the disk exists
  if [ -L "/sys/block/$disk" ]
  then
    # Create the snapshot if it does not exist yet
    [ -f "$statedir/$disk-stat" ] || touch "$statedir/$disk-stat"
    # If nothing changed since the last snapshot
    if diff /sys/block/$disk/stat "$statedir/$disk-stat" >/dev/null 2>&1
    then
      # Check whether the disk has been inactive for longer than $inactive minutes
      find "$statedir/$disk-stat" -mmin -$inactive | grep -q "$disk" || checkactive $disk
    # If the stat file changed
    else
      # Save the changed stat snapshot
      cat /sys/block/$disk/stat > "$statedir/$disk-stat"
      if [ -f "$statedir/spindown-$disk" ]
      then
        echo "Disk $disk active again" | mail -s "$disk active again" root
        echo "`date` Disk active: $disk" >> "$statedir/spinned-down"
        rm -f "$statedir/spindown-$disk"
      fi
      # echo "`date` Disk active: $disk" >> "$statedir/spinned-down"
    fi
  # If the disk does not exist
  else
    echo "Disk $disk seems not to exist"
  fi
done
# Horde installation via PEAR into a self-contained directory
# Set your paths
BASEDIR=/var/www/horde-test.gabosh.net
PEARDIR=$BASEDIR/pear
WEBDIR=$BASEDIR/htdocs
# Point phpize at the installed PHP slot (the glob assumes exactly one slot is installed)
rm /usr/bin/phpize
ln -s /usr/lib/php*/bin/phpize /usr/bin/phpize
mkdir -p $PEARDIR/pear
mkdir -p $WEBDIR
pear config-create $PEARDIR $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf install pear
$PEARDIR/pear/pear -c $PEARDIR/pear.conf channel-discover pear.horde.org
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install horde/horde_role
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install run-scripts horde/Horde_Role
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/imp
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/kronolith
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/ingo
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/nag
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/turba
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/mnemo
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/passwd
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/gollem
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/wicked
chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown apache:root $WEBDIR/static
chown apache:root $WEBDIR/config
chown apache:root $WEBDIR/*/config
# Upgrade of an existing Horde PEAR installation
# Set your paths
BASEDIR=/var/www/horde-test.gabosh.net
PEARDIR=$BASEDIR/pear
WEBDIR=$BASEDIR/htdocs
rm /usr/bin/phpize
ln -s /usr/lib/php*/bin/phpize /usr/bin/phpize
chmod 755 $PEARDIR/pear/pear
$PEARDIR/pear/pear -c $PEARDIR/pear.conf upgrade -a -B -c horde
chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown apache:root $WEBDIR/static
chown apache:root $WEBDIR/config
chown apache:root $WEBDIR/*/config
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/mkhordestable.sh
Changed on 04.10.11
This is an optional script for syncing/copying a Horde installation into a new path, e.g. for moving a test Horde into production. It rewrites the paths in the PEAR configuration and registry and in Horde's conf.php, then runs the database migration as the horde user.
#!/bin/bash
# Set paths
set -x
PEARDIR=/var/www/horde.example.com/pear
WEBDIR=/var/www/horde.example.com
TESTWEBDIR=/var/www/horde-test.example.com
mkdir -p /var/www/horde.example.com
rsync -av --delete --exclude=.gtc-crypt $TESTWEBDIR/ $WEBDIR/
BASEDIR=$WEBDIR
WEBDIR=$WEBDIR/htdocs
# Set pear config
rm -f $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf config-set bin_dir /var/www/horde.example.com/pear/pear
pear -c $PEARDIR/pear.conf config-set doc_dir /var/www/horde.example.com/pear/pear/docs
pear -c $PEARDIR/pear.conf config-set ext_dir /var/www/horde.example.com/pear/pear/ext
pear -c $PEARDIR/pear.conf config-set php_dir /var/www/horde.example.com/pear/pear/php
pear -c $PEARDIR/pear.conf config-set cache_dir /var/www/horde.example.com/pear/pear/cache
pear -c $PEARDIR/pear.conf config-set cfg_dir /var/www/horde.example.com/pear/pear/cfg
pear -c $PEARDIR/pear.conf config-set data_dir /var/www/horde.example.com/pear/pear/data
pear -c $PEARDIR/pear.conf config-set download_dir /var/www/horde.example.com/pear/pear/download
pear -c $PEARDIR/pear.conf config-set temp_dir /var/www/horde.example.com/pear/pear/temp
pear -c $PEARDIR/pear.conf config-set test_dir /var/www/horde.example.com/pear/pear/tests
pear -c $PEARDIR/pear.conf config-set www_dir /var/www/horde.example.com/pear/pear/www
pear -c $PEARDIR/pear.conf config-set horde_dir /var/www/horde.example.com/htdocs
# Horde-Config
# DB
sed -e 's/hordetest/horde/g' -i $WEBDIR/config/conf.php
# LOG
sed -e 's/horde-test/horde/g' -i $WEBDIR/config/conf.php
# LOGLEVEL
sed -e 's/DEBUG/INFO/g' -i $WEBDIR/config/conf.php
# Set some rights
echo "Setting File rights"
chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown -R horde:root $WEBDIR/static
chown -R horde. /var/www/horde.example.com/.gtc-crypt
chown horde. /var/www/horde.example.com
#chown -R horde:root $WEBDIR/config
#chown -R horde:root $WEBDIR/*/config
# Clean up the PEAR registry with the correct paths. Serialized PHP strings
# carry their length (s:N:"..."), so after replacing horde-test with horde the
# length of that string has to be recomputed.
cd $PEARDIR/pear/php/.registry
# Temporary file with a random name instead of a fixed /tmp/nfile that another user could pre-create
nfile=$(mktemp) || exit 1
ls -1 | while read -r file
do
echo "Cleaning up $file (horde-test -> horde)"
cat "$file" | perl -pe 's/\n/OOXXOO/; s/(s\:[0-9]+\:)/\n$1/g' | while read -r line
do
if echo $line | grep -q horde-test
then
line=`echo $line | perl -pe 's/horde-test/horde/'`
chars=`echo $line | cut -d'"' -f2 | wc -m`
let chars--
line=`echo $line | perl -pe "s/\:[0-9]+\:/:$chars:/;"`
fi
echo -n $line | perl -pe 's/OOXXOO/\n/g;'
done >"$nfile"
cat "$nfile" >"$file"
done
rm -f "$nfile"
cd -
# Change paths in some pear files
for i in `grep -r horde-test $PEARDIR | cut -d: -f1`
do
echo "Changing horde-test to horde in $i"
sed -e 's/horde-test/horde/g' -i $i
done
# DB Update
cat /var/www/horde.example.com/pear/pear.conf >/etc/pear.conf
echo 'include_path="$include_path:/var/www/horde.example.com/pear/pear:/var/www/horde.example.com/pear/pear/php"' >/etc/php/cli-php7.3/ext-active/horde-cli.ini
chmod 644 /etc/php/cli-php7.3/ext-active/horde-cli.ini
su - horde -c "/usr/bin/php $PEARDIR/pear/horde-db-migrate"
If you want to use this solution you need the following howto(s) finished:
emerge net-mail/cyrus-imapd
File: /etc/cron.daily/cyrus-purge.sh (owner root, group root, mode -rwx------)
Changed on 07.07.09: Daily cron job that expunges old messages: the admin user's mailboxes after 30 days, the Spam/Junk/Trash folders of all users after 90 days, Sent after 10 years, plus a few individual folders. Large Sent messages older than a year are removed directly from the spool, which is why the mailboxes are reconstructed afterwards.
#!/bin/bash
ipurge -d30 -X -f user/admin >/dev/null
ipurge -d30 -X -f user/admin/% >/dev/null
ipurge -d90 -X -f user/%/Spam >/dev/null
ipurge -d90 -X -f user/%/Junk >/dev/null
ipurge -d90 -X -f user/%/Papierkorb >/dev/null
ipurge -d90 -X -f user/%/Trash >/dev/null
ipurge -d3650 -X -f user/%/Sent >/dev/null
ipurge -d365 -X -f user/marco/Terminmails >/dev/null
ipurge -d90 -X -f user/user1/Server >/dev/null
# Delete Sent messages larger than 1 MB and older than a year straight from the spool
find /var/spool/imap/*/user/*/Sent* -type f -name '*.' -size +1M -mtime +365 -delete
# Remove mailboxes deleted and messages expunged more than 60 days ago, then rebuild the indexes
cyr_expire -D 60 -X 60
/usr/sbin/reconstruct -fGRr % >/dev/null
File: /etc/profile.d/cyrus.sh (owner root, group root, mode -rwxr-xr-x)
Changed on 17.08.10: Add the bin directory of the Cyrus tools to the default PATH
PATH="$PATH:/usr/lib/cyrus"
File: /usr/local/sbin/cyr-create-mbox (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for creating Cyrus mailboxes. User mailboxes (user/NAME) get the Drafts, Sent, Trash and Spam subfolders; any other mailbox is created as a shared folder with the ACL "anyone none", so access has to be granted explicitly with cyr-set-acl. The optional second argument sets the storage quota in MB.
#!/usr/bin/perl
# Create a Cyrus mailbox and optionally set its storage quota.
# Usage: cyr-create-mbox MBOXNAME [SIZE_IN_MB]
use Cyrus::IMAP::Admin;

$cyrhost = "localhost";
$cyruser = "admin";

# Only plain mailbox names are accepted; anything else is rejected before it reaches the server
unless ($ARGV[0]=~/^[a-zA-Z0-9\/\.]+$/) { error("Invalid arguments!\n$ARGV[0] is not a valid mailbox name\nUsage: $0 MBOXNAME MBOXSIZE") }
#unless (($ARGV[1]=~/\d{2}/) && ($ARGV[1]<=9999)) { error("Invalid arguments!\n$ARGV[1] is not an allowed value (minimum 10 / maximum 9999)\nUsage: $0 MBOXNAME MBOXSIZE") }
chomp($ARGV[0], $ARGV[1]);
$mbox=$ARGV[0];
$spaceusage=$ARGV[1];
# Cyrus quotas are given in KB, the argument is in MB
$mboxspace=$ARGV[1]*1024;
# Connect and authenticate; the admin password comes from gtc-crypt and is kept
# only because the recovery path in error() needs to reconnect
$cyrus = Cyrus::IMAP::Admin->new($cyrhost);
$cyrpass=`gtc-crypt -a $cyruser -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','',$cyruser,'0','10000',$cyrpass);
unless ($cyrus->listmailbox($mbox)) {
  $cyrus->createmailbox($mbox) || error("Could not create mailbox $mbox: " . $cyrus->error);
}
# From here on a failure removes the half-created mailbox again (see error())
$recover=2;
if ($mbox=~/^user\/[a-zA-Z0-9]+$/) {
  foreach $sub ("Drafts", "Sent", "Trash", "Spam") {
    $cyrus->createmailbox("$mbox/$sub") || error("Could not create mailbox $mbox/$sub: " . $cyrus->error) unless ($cyrus->listmailbox("$mbox/$sub"));
  }
}
else {
  # Shared folder: nobody gets access until cyr-set-acl grants it
  $cyrus->setacl($mbox, anyone => 'none') || error("Could not set rights: " . $cyrus->error);
}
if ($ARGV[1]) {
  $cyrus->setquota($mbox, 'STORAGE', $mboxspace) || error("Could not set quota of $mbox to $spaceusage MB: " . $cyrus->error);
}
exit 0;

sub error {
  $message=shift;
  if ($recover>=2) {
    # Reconnect, give ourselves the delete right and remove the mailbox again
    $cyrus = Cyrus::IMAP::Admin->new($cyrhost) || warn "Recovery: no connection to $cyrhost";
    $cyrus->authenticate('login','imap','',$cyruser,'0','10000',$cyrpass) || warn "Recovery: could not authenticate on $cyrhost as $cyruser: " . $cyrus->error;
    $cyrus->setaclmailbox($mbox, $cyruser => "c") || warn "Recovery: error setting delete rights on $mbox: " . $cyrus->error;
    $cyrus->deletemailbox($mbox) || warn "Recovery: could not delete $mbox again: " . $cyrus->error;
  }
  die "$message";
}
File: /usr/local/sbin/cyr-delete-mbox (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for deleting Cyrus mailboxes. The admin first grants itself the delete right on the mailbox, since Cyrus does not let even the admin delete a mailbox without it.
#!/usr/bin/perl
# Delete a Cyrus mailbox.
# Usage: cyr-delete-mbox MBOXNAME
use Cyrus::IMAP::Admin;
unless ($ARGV[0]=~/^[a-zA-Z0-9\/\.]+$/) { error("Invalid arguments!\n$ARGV[0] is not a valid mailbox name\nUsage: $0 MBOXNAME") }
# Strip newlines
chomp($ARGV[0]);
$mbox=$ARGV[0];
# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost");
# Authenticate; the admin password is fetched from gtc-crypt and cleared afterwards
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || error("Authentication failed: " . $cyrus->error);
$cyrpass="";
# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("Mailbox $mbox does not exist") }
# The admin needs the delete right on the mailbox first
$cyrus->setaclmailbox($mbox, 'admin' => "c") || error("Could not set rights on $mbox to c: " . $cyrus->error);
# Delete the mailbox
$cyrus->deletemailbox($mbox) || error("Could not delete mailbox $mbox: " . $cyrus->error);
exit 0;
sub error {
  $message=shift;
  die "$message";
}
File: /usr/local/sbin/cyr-resize-mailbox.pl (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for changing the quota of a Cyrus mailbox (new size in MB, 10 to 99999). A quota smaller than what the mailbox already holds is refused.
#!/usr/bin/perl
# Change the storage quota of a Cyrus mailbox.
# Usage: cyr-resize-mailbox.pl MBOXNAME SIZE_IN_MB
# Check the arguments
unless ($ARGV[0]=~/^[a-zA-Z0-9\-\/\.]+$/) { error("Invalid arguments!\n$ARGV[0] is not a valid mailbox name\nUsage: $0 MBOXNAME MBOXSIZE") }
unless (($ARGV[1]=~/^\d+$/) && ($ARGV[1]>=10) && ($ARGV[1]<=99999)) { error("Invalid arguments!\n$ARGV[1] is not an allowed value (minimum 10 / maximum 99999)\nUsage: $0 MBOXNAME MBOXSIZE") }
# Strip newlines
chomp($ARGV[0], $ARGV[1]);
$mbox=$ARGV[0];
# Cyrus quotas are given in KB, the argument is in MB
$mboxspace=$ARGV[1]*1024;
use Cyrus::IMAP::Admin;
# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost");
# Authenticate; the admin password is fetched from gtc-crypt and cleared afterwards
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass);
$cyrpass="";
# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("Mailbox $mbox does not exist") }
# Refuse a quota smaller than the data already in the mailbox
# (listquota returns RESOURCE => [used, limit] in KB)
%quota = $cyrus->listquota($mbox);
foreach (keys(%quota)) {
  if ($mboxspace < $quota{$_}[0]) {
    error("New quota ($mboxspace KB) is smaller than the mailbox usage ($quota{$_}[0] KB)");
  }
}
# Set the quota
$cyrus->setquota($mbox, 'STORAGE', $mboxspace) || error("Could not set quota of $mbox to $mboxspace: " . $cyrus->error);
exit 0;
sub error {
  $message=shift;
  die "$message";
}
File: /usr/local/sbin/cyr-set-acl (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for changing the rights of a user on a Cyrus mailbox (Cyrus ACL string such as lrswipkxtecda, or "none").
#!/usr/bin/perl
# Set the ACL of one user on a Cyrus mailbox.
# Usage: cyr-set-acl MBOXNAME USER RIGHTS
unless ($ARGV[0]=~/^[a-zA-Z0-9\.\/\- \&]+$/) { error("Invalid arguments!\n$ARGV[0] is not a valid mailbox name\nUsage: $0 MBOXNAME USER RIGHTS") }
unless ($ARGV[1]=~/^[a-zA-Z0-9\.]+$/) { error("Invalid arguments!\n$ARGV[1] is not a valid user name\nUsage: $0 MBOXNAME USER RIGHTS") }
#unless ($ARGV[2]=~/^[lrswipkxtecdanoa]+$/) { error("Invalid arguments!\n$ARGV[2] is not a valid right\nUsage: $0 MBOXNAME USER RIGHTS") }
# Strip newlines
chomp($ARGV[0], $ARGV[1], $ARGV[2]);
$mbox=$ARGV[0];
$user=$ARGV[1];
$right=$ARGV[2];
use Cyrus::IMAP::Admin;
# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost");
# Authenticate; the admin password is fetched from gtc-crypt and cleared afterwards
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass);
$cyrpass="";
# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("Mailbox $mbox does not exist") }
# Set the rights
$cyrus->setacl($mbox, $user => $right) || error("Could not set rights: " . $cyrus->error);
exit 0;
sub error {
  $message=shift;
  # Nothing to recover or unlock here; just exit with the message
  die "$message";
}
File: /usr/local/sbin/cyr-set-sieve.sh (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for installing the default sieve filter script for a user and making it the active one. The script that is installed is /usr/local/etc/sieve.script.default, which you have to create yourself.
#!/bin/bash
# Install the default sieve script for a user as the active script.
# Usage: cyr-set-sieve.sh USERNAME
NAME=$1
# Accept plain user names only: the name becomes part of a path below
case "$NAME" in
  ''|*[!a-zA-Z0-9._-]*) echo "Usage: $0 USERNAME" >&2; exit 1 ;;
esac
INITIAL=`echo $NAME | cut -c1`
SIEVEDIR=/var/imap/sieve/$INITIAL/$NAME
# Compile the script into a private temp file instead of a fixed name in /tmp
TMPBC=`mktemp` || exit 1
/usr/lib/cyrus/sievec /usr/local/etc/sieve.script.default $TMPBC
chmod 600 $TMPBC
chown cyrus:mail $TMPBC
mkdir -p $SIEVEDIR
chown cyrus:mail $SIEVEDIR
cd $SIEVEDIR || exit 1
# Source and bytecode side by side; the defaultbc symlink marks the active script
cp /usr/local/etc/sieve.script.default default.script
mv $TMPBC default.bc
ln -sf default.bc defaultbc
File: /usr/local/sbin/cyr-show-dirs (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for listing all Cyrus mailboxes with their ACLs and quota usage.
#!/usr/bin/perl
# List all Cyrus mailboxes with ACLs and quota usage.
use Cyrus::IMAP::Admin;
# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost");
# Authenticate; the admin password is fetched from gtc-crypt and cleared afterwards
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass);
$cyrpass="";
# Header
print "Directories / mailboxes:\n\n";
# listmailbox returns one [name, attributes, separator] entry per mailbox
foreach $entry ($cyrus->listmailbox('*')) {
  $mbox=$entry->[0];
  next unless $mbox;
  # Build the ACL string:  user -> rights
  %acls = $cyrus->listacl($mbox);
  $acl="";
  foreach (sort keys(%acls)) { $acl="$acl $_ -> $acls{$_} " }
  # Quota: listquota returns RESOURCE => [used, limit] in KB. The values are
  # reset for every mailbox so a box without quota does not show stale numbers.
  ($used, $total, $percent) = ("-", "-", "-");
  %quota = $cyrus->listquota($mbox);
  foreach (keys(%quota)) {
    if ($quota{$_}[1]) {
      # Convert KB to MB and round
      $used=sprintf("%.0f", $quota{$_}[0]/1024);
      $total=sprintf("%.0f", $quota{$_}[1]/1024);
      $percent=sprintf("%.0f%%", 100*$quota{$_}[0]/$quota{$_}[1]);
    }
  }
  # Print the mailbox with quota and ACL
  print "$mbox\n Quota: Used: $used\tTotal: $total\tPercent: $percent\n Rights: $acl\n";
}
File: /usr/local/sbin/cyr-show-mailboxes (owner root, group root, mode -rwx------)
Changed on 10.06.09: Script for listing all Cyrus mailboxes that have a quota, as a table with usage in MB and ACLs.
#!/usr/bin/perl
# Tabular list of all Cyrus mailboxes that have a quota: usage in MB and ACLs.
use Cyrus::IMAP::Admin;
# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost");
# Authenticate; the admin password is fetched from gtc-crypt and cleared afterwards
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass);
$cyrpass="";
# Header
print "Mailboxes and quotas (in MB)\n";
printf "%-25s %-10s %-10s %-7s %s\n", "Mailbox", "Used", "Total", "Percent", "Rights";
print "-" x 100, "\n";
# listmailbox returns one [name, attributes, separator] entry per mailbox
foreach $entry ($cyrus->listmailbox('*')) {
  $mbox=$entry->[0];
  next unless $mbox;
  # listquota returns RESOURCE => [used, limit] in KB; boxes without a quota are skipped
  %quota = $cyrus->listquota($mbox);
  foreach $res (keys(%quota)) {
    next unless $quota{$res}[1];
    # Build the ACL string:  user -> rights
    %acls = $cyrus->listacl($mbox);
    $acl="";
    foreach (sort keys(%acls)) { $acl="$acl $_ -> $acls{$_} " }
    # Convert KB to MB and round
    $used=sprintf("%.0f", $quota{$res}[0]/1024);
    $total=sprintf("%.0f", $quota{$res}[1]/1024);
    $percent=sprintf("%.0f%%", 100*$quota{$res}[0]/$quota{$res}[1]);
    # Print one formatted row
    printf "%-25s %-10s %-10s %-7s %s\n", $mbox, $used, $total, $percent, $acl;
  }
}
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add cyrus
If you want to use this solution you need the following howto(s) finished:
emerge net-im/ejabberd
File: /etc/jabber/ejabberd.yml (owner root, group jabber, mode -rw-r-----)
Changed on 09.11.15
The hostname(s) of the server
- localhost
After change:
- "example.com"
TLS certificate for chat clients
- /etc/ssl/ejabberd/server.pem
After change:
- /etc/ssl/example.com/example.com.pem
Listen on IPv4 only (the same change is applied to each of the five listeners)
ip: "::"
After change:
ip: "0.0.0.0"
STARTTLS for chat clients (c2s)
starttls: true
Require TLS from other Jabber servers (s2s)
s2s_use_starttls: optional
After change:
s2s_use_starttls: required
Authenticate against the system accounts via PAM. Every account that passes the system-auth PAM stack can then log in as user@example.com, so restrict that PAM service if not all system users are meant to have XMPP access.
auth_method: internal
After change:
auth_method: pam
pam_service: "system-auth"
pam_userinfotype: "username"
The admin user
admin:
  user:
    - "admin": "example.com"
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add ejabberd default
If you want to use this solution you need the following howto(s) finished:
emerge net-misc/dhcpcd
emerge net-misc/radvd
File: /etc/dhcpcd.conf (owner root, group root, mode -rw-r--r--)
Changed on 18.08.21: dhcpcd requests a delegated prefix (IA_PD) from the ISP over ppp0 and assigns a /64 from it to each listed LAN interface (eth0 and wlan0); the WAN interface itself gets no prefix.
# Debug logging to rsyslog
debug
# Use a DUID as client identifier
duid
# Disable router solicitation globally
noipv6rs
# Wait for an IPv6 address
waitip 6
# Only configure IPv6
ipv6only
# Do not overwrite resolv.conf or wpa_supplicant
nohook resolv.conf, wpa_supplicant
# Subsequent options are only parsed for ppp0
interface ppp0
# Enable router solicitation for ppp0
ipv6rs
# Set the Interface Association Identifier (IAID) of ppp0 to 1
iaid 1
# Request a DHCPv6 delegated prefix (IA_PD 1) from ppp0 for eth0 and wlan0,
# so eth0 and wlan0 each receive their own globally routed IPv6 subnet
ia_pd 1 eth0
ia_pd 1 wlan0
File: /etc/radvd.conf (owner root, group root, mode -rw-r--r--)
Changed on 18.08.21: radvd announces the prefixes on eth0 and wlan0 so that clients autoconfigure their addresses (SLAAC). The special prefix ::/64 makes radvd advertise the prefixes configured on the interface, i.e. the one delegated by the ISP via dhcpcd; fd23::/64 and fd25::/64 are ULA (unique local address) prefixes.
interface eth0
{
AdvSendAdvert on;
AdvLinkMTU 1280;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 300;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
};
prefix fd23::/64 {
AdvOnLink on;
AdvAutonomous on;
};
};
interface wlan0
{
AdvSendAdvert on;
AdvLinkMTU 1280;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
};
prefix fd25::/64 {
AdvOnLink on;
AdvAutonomous on;
};
};
File: /etc/sysctl.d/gabosh.conf (owner root, group root, mode -rw-r--r--)
Changed on 18.08.21: Enable/disable IPv6 per interface
net.ipv6.conf.eth0.disable_ipv6=0
net.ipv6.conf.eth1.disable_ipv6=1
net.ipv6.conf.wlan0.disable_ipv6=0
net.ipv6.conf.vnet0.disable_ipv6=1
net.ipv6.conf.docker0.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.lo.disable_ipv6=0
Get IPv6 from the ISP: accept router advertisements on ppp0 even though forwarding is enabled (accept_ra=2), and forward between the interfaces
net.ipv6.conf.ppp0.disable_ipv6=0
net.ipv6.conf.ppp0.autoconf=1
net.ipv6.conf.ppp0.accept_ra=2
net.ipv6.conf.all.forwarding=1
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add dhcpcd default
rc-update add radvd default
File: /etc/conf.d/net (owner root, group root, mode -rw-r--r--)
Changed on 13.10.15: Optional Internet connection via PPPoE (rp-pppoe), e.g. with a Zyxel VMG1312-B30A VDSL bridge connected to eth1. Note that username_ppp0/password_ppp0 put the provider credentials into this world-readable file; tighten its mode or leave password_ppp0 unset so that pppd takes the secret from /etc/ppp/pap-secrets or chap-secrets instead.
#config_eth1="XXX.XXX.XXX.XXX/24"
#config_ppp0="ppp"
#link_ppp0="eth1"
#plugins_ppp0="pppoe"
#username_ppp0='provideruser'
#password_ppp0='providerpass'
#pppd_ppp0="
#defaultroute
#replacedefaultroute
#+ipv6
#ipv6cp-accept-local
#novjccomp
#noccp
#persist
#holdoff 10
#child-timeout 60
#lcp-echo-interval 15
#lcp-echo-failure 3
#maxfail 0
##noipx
#"
#rc_net_ppp0_need="net.eth1"
#modules_wlan0="wpa_supplicant"
#config_wlan0="XXX.XXX.XXX.XXX/24"
#rc_net_wlan0_provide="!net"
Initial Mailman setup (site password, group membership, permissions, cron jobs, site list):
/usr/lib/mailman/bin/mmsitepass
usermod -G cron,mailman,nobody mailman
/usr/lib/mailman/bin/check_perms -f
su - mailman -c 'crontab cron/crontab.in'
/usr/lib/mailman/bin/newlist mailman
/usr/lib/mailman/bin/config_list -i /var/lib/mailman/data/sitelist.cfg mailman
If you want to use this solution you need the following howto(s) finished:
emerge net-mail/mailman
File: /etc/mailman/mm_cfg.py (owner mailman, group mailman, mode -rw-r--r--)
Changed on 18.03.09: Settings for the Mailman environment: Postfix integration, mail and web host, HTTPS URLs, private archives by default, UTF-8 and German
MTA = 'Postfix'
DEFAULT_EMAIL_HOST = 'example.com'
DEFAULT_URL_HOST = 'mailman.example.com'
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
add_virtualhost('mailman.example.com')
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['example.com']
DEFAULT_ARCHIVE_PRIVATE = 1
DEFAULT_CHARSET = 'UTF-8'
add_language('de', 'Deutsch', 'utf-8')
File: /etc/profile.d/mailman.sh (owner root, group root, mode -rwxr-xr-x)
Changed on 09.06.10: Add the bin directory of the Mailman tools to the default PATH
PATH="$PATH:/usr/lib/mailman/bin"
File: /usr/local/sbin/maillists-2.sh (owner root, group root, mode -rwx------)
Changed on 17.11.2014: Script for syncing LDAP groups named maillist-* with Mailman 2 lists (list_lists, newlist, add_members, remove_members); runs as root. maillists.sh below is the same procedure for Mailman 3.
#!/bin/bash
# Sync the maillist-* groups with Mailman 2 lists.
rm -f /tmp/liste-*
getent group | grep "^maillist-" >/tmp/maillists
cat /tmp/maillists | while read line
do
  list=`echo $line | cut -d: -f1 | perl -pe 's/^maillist-//'`
  # Create the list if it does not exist yet...
  if list_lists | grep -iq $list
  then
    echo "List $list exists" >/dev/null
  else
    echo "Creating list $list"
    # The list password from gtc-crypt is passed on the command line and is
    # visible in the process table while newlist runs
    newlist -u mailman.example.com -l de -q $list mail@example.com `gtc-crypt -a mailman -p`
    config_list -i /etc/mailman/defaultlistconfig $list
  fi
  # Maintain the members
  list_members $list >/tmp/maillistmembers
  for i in `cat /tmp/maillistmembers`
  do
    echo whitelist_from mail@example.com
  done
  cat /etc/spamassassin/maillist-whitelist | sort -u >/tmp/maillist-whitelist
  cat /tmp/maillist-whitelist >/etc/spamassassin/maillist-whitelist
  # Add users
  for user in `echo $line | cut -d: -f4 | perl -pe 's/\,/ /g' ; cat /root/maillist-nongabosh-$list 2>/dev/null`
  do
    # Bare user names belong to the local domain
    echo $user | grep -q '@' || user="$user@example.com"
    # Exact, case-insensitive match: ann must not be taken for anna
    if grep -qix "$user" /tmp/maillistmembers
    then
      echo "User $user is in list $list" >/dev/null
    else
      echo "Adding user $user to list $list"
      echo "$user" >/tmp/maillistnew
      add_members -r /tmp/maillistnew -a y $list
    fi
  done
  # Remove users
  for user in `cat /tmp/maillistmembers | perl -pe 's/\@example.com$//'`
  do
    if echo $line | cut -d: -f4 | tr ',' '\n' | grep -qix "$user"
    then
      echo "User $user is in list $list" >/dev/null
    elif cat /root/maillist-nongabosh-$list 2>/dev/null | grep -qix "$user"
    then
      echo "User $user is in list $list" >/dev/null
    else
      echo $user | grep -q '@' || user="$user@example.com"
      echo "Removing user $user from list $list"
      remove_members -n $list $user
    fi
  done
  # Allow all non-example.com addresses to post to the list (not to read it)
  echo -n "accept_these_nonmembers = [ 'mail@example.com', " >/tmp/maillistsendok
  for mail in `cat /etc/spamassassin/* 2>/dev/null | egrep "^whitelist_from mail@example.com"`
  do
    echo -n " '$mail'," >>/tmp/maillistsendok
  done
  echo -n ' ]' >>/tmp/maillistsendok
  config_list -i /tmp/maillistsendok $list
done
# Clean up
#rm -f /tmp/maillists /tmp/maillistmembers /tmp/maillistnew
File: /usr/local/sbin/maillists.sh (owner mailman, group root, mode -rwx------)
Changed on 17.11.2014: Script for syncing LDAP groups named maillist-* with Mailman 3 lists (mailman create, addmembers, delmembers). It has to run as the mailman user; root and admin are added to every list.
#!/bin/bash
# Sync the maillist-* groups with Mailman 3 lists.
if ! whoami | grep -q mailman
then
  echo "This script has to be run as the mailman user"
  exit 1
fi
rm -f /tmp/liste-*
# root and admin are members of every list
getent group | grep "^maillist-" | perl -pe 's/$/,root,admin/' >/tmp/maillists
cat /tmp/maillists | while read line
do
  list=`echo $line | cut -d: -f1 | perl -pe 's/^maillist-//'`
  # Create the list if it does not exist yet...
  if mailman lists -q | grep -iq $list
  then
    echo "List $list exists" >/dev/null
  else
    echo "Creating list $list"
    mailman create --language de -o mail@example.com ${list}@example.com
    #config_list -i /etc/mailman/defaultlistconfig $list
  fi
  # Maintain the members
  mailman members -e ${list}@example.com | grep '@' >/tmp/maillistmembers
  for i in `cat /tmp/maillistmembers`
  do
    echo whitelist_from mail@example.com
  done
  cat /etc/spamassassin/maillist-whitelist | sort -u >/tmp/maillist-whitelist
  cat /tmp/maillist-whitelist >/etc/spamassassin/maillist-whitelist
  # Add users
  for user in `echo $line | cut -d: -f4 | perl -pe 's/\,/ /g' ; cat ~/maillist-nongabosh-$list 2>/dev/null`
  do
    # Bare user names belong to the local domain
    echo $user | grep -q '@' || user="$user@example.com"
    # Exact, case-insensitive match: ann must not be taken for anna
    if grep -qix "$user" /tmp/maillistmembers
    then
      echo "User $user is in list $list" >/dev/null
    else
      echo "Adding user $user to list $list"
      echo "$user" >/tmp/maillistnew
      mailman addmembers -W /tmp/maillistnew ${list}@example.com
    fi
  done
  # Remove users
  for user in `cat /tmp/maillistmembers | perl -pe 's/\@example.com$//'`
  do
    if echo $line | cut -d: -f4 | tr ',' '\n' | grep -qix "$user"
    then
      echo "User $user is in list $list" >/dev/null
    elif cat ~/maillist-nongabosh-$list 2>/dev/null | grep -qix "$user"
    then
      echo "User $user is in list $list" >/dev/null
    else
      echo $user | grep -q '@' || user="$user@example.com"
      echo "Removing user $user from list $list"
      mailman delmembers -G -m $user -l ${list}@example.com
    fi
  done
  # Allow all non-example.com addresses to post to the list (not to read it)
  # echo -n "accept_these_nonmembers = [ 'mail@example.com', " >/tmp/maillistsendok
  # for mail in `cat /etc/spamassassin/* 2>/dev/null | egrep "^whitelist_from mail@example.com
  # do
  #   echo -n " '$mail'," >>/tmp/maillistsendok
  # done
  # echo -n ' ]' >>/tmp/maillistsendok
  # config_list -i /tmp/maillistsendok $list
done
# Clean up
#rm -f /tmp/maillists /tmp/maillistmembers /tmp/maillistnew
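The core of both sync scripts is the comparison between the group's member list and what the mailing list currently contains. The following Python version of that comparison is an added example, not part of the original howto: it normalises every entry to a complete lower-case address (bare user names get the local domain, as the shell scripts do), adds root and admin the way maillists.sh does, and then takes exact set differences, so a name that is merely a prefix of another member's address (ann vs. anna) is neither mistaken for a subscription nor kept on the list. The group line, the extra-member file contents and the current membership are constructed sample data; the example.com domain is the one the page uses.

```python
"""Compute which addresses to add to / remove from a mailing list so that it
mirrors a maillist-* group, comparing complete addresses exactly."""

DOMAIN = "example.com"              # assumption: the local mail domain of this page
ALWAYS_MEMBERS = ("root", "admin")  # maillists.sh appends these to every group


def normalize(addr: str, domain: str = DOMAIN) -> str:
    """Lower-case an address and give bare user names the local domain."""
    addr = addr.strip().lower()
    return addr if "@" in addr else f"{addr}@{domain}"


def parse_group_line(line: str):
    """Parse one line as printed by getent group; return (list name, members)
    for maillist-* groups and None for every other group."""
    name, _pw, _gid, members = line.rstrip("\n").split(":", 3)
    if not name.startswith("maillist-"):
        return None
    return name[len("maillist-"):], [m for m in members.split(",") if m]


def plan_sync(group_members, extra_members, list_members, domain=DOMAIN):
    """Return (to_add, to_remove): exact set differences between the wanted
    membership (group + extra file + always-members) and the current list."""
    wanted = {normalize(m, domain)
              for m in (*group_members, *extra_members, *ALWAYS_MEMBERS) if m.strip()}
    current = {normalize(m, domain) for m in list_members if m.strip()}
    return sorted(wanted - current), sorted(current - wanted)


# Constructed sample data: a group line as getent prints it, the contents of
# ~/maillist-nongabosh-<list>, and what `mailman members -e` currently returns.
SAMPLE_GROUP_LINE = "maillist-team:x:1500:ann,bob"
SAMPLE_EXTRA = ["ext@other.org"]
SAMPLE_LIST_MEMBERS = ["anna@example.com", "bob@example.com", "Admin@example.com"]


def demo():
    """Sync plan for the sample data: (list name, (to_add, to_remove))."""
    name, members = parse_group_line(SAMPLE_GROUP_LINE)
    return name, plan_sync(members, SAMPLE_EXTRA, SAMPLE_LIST_MEMBERS)


if __name__ == "__main__":
    list_name, (add, remove) = demo()
    for a in add:
        print(f"add    {a} -> {list_name}@{DOMAIN}")
    for r in remove:
        print(f"remove {r} <- {list_name}@{DOMAIN}")
```

The output of demo() is what the shell script would feed to mailman addmembers and delmembers: ann, ext@other.org and root are added, anna (who is not in the group) is removed, and Admin@example.com is recognised as the always-member admin despite the different case.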
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add mailman
Rebuild the Postfix lookup tables after editing them:
postmap /etc/postfix/virtual_sender
postmap /etc/postfix/virtual_recipient
If you want to use this solution you need the following howto(s) finished:
emerge mail-mta/postfix
emerge dev-libs/cyrus-sasl
emerge mail-filter/amavisd-new
emerge mail-filter/spamassassin
emerge app-antivirus/clamav
File: /etc/amavisd.conf (owner root, group amavis, mode -rw-r-----)
Changed on 11.09.08
Amavis domain and the local domains amavis filters for
$mydomain = 'example.com';   # a convenient default for other settings
After change:
$mydomain = 'example.com';
@local_domains_maps = ( [".$mydomain", "olmusic.de", "ol-music.de", "drachenrachen.de", "sangesfolk.de", "rockfolk.de"] );
SpamAssassin levels: tag every message with spam headers (tag level -9999), never reject, bounce or discard
$sa_tag_level_deflt = -9999;
$sa_kill_level_deflt = undef;
$sa_dsn_cutoff_level = undef;
Deliver banned and spam mails (the recipient filters on the headers)
$final_banned_destiny = D_PASS;
$final_spam_destiny = D_PASS;
Warn the recipient when a mail contained banned or virus content; no subject tagging
$warnvirusrecip = 1;
$warnbannedrecip = 1;
$undecipherable_subject_tag = '';
$sa_spam_subject_tag = '';
Address virus and bad-header mails are quarantined to; banned and spam mails are not quarantined
$virus_quarantine_to = "virus\@$mydomain";
$banned_quarantine_to = undef;
$bad_header_quarantine_to = "virus\@$mydomain";
$spam_quarantine_to = undef;
ClamAV socket
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
File: /etc/amavisd.conf.bak (owner root, group root, mode -rw-r-----)
Changed on 11.09.08
Deliver banned and spam mails
#$final_banned_destiny = D_BOUNCE;  # (defaults to D_BOUNCE)
#$final_spam_destiny = D_BOUNCE;    # (defaults to D_BOUNCE)
After change:
$final_banned_destiny = D_PASS;
$final_spam_destiny = D_PASS;
Warn the recipient when a mail contained banned or virus content
#$warnvirusrecip = 1;   # (defaults to false (undef))
#$warnbannedrecip = 1;  # (defaults to false (undef))
After change:
$warnvirusrecip = 1;
$warnbannedrecip = 1;
Address virus mails are delivered to
$virus_quarantine_to = 'virus-quarantine';   # traditional local quarantine
After change:
$virus_quarantine_to = "virus\@$mydomain";
Quarantine only virus and bad-header mails
$banned_quarantine_to = 'banned-quarantine';           # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine';   # local quarantine
$spam_quarantine_to = 'spam-quarantine';               # local quarantine
After change:
$banned_quarantine_to = undef;
$bad_header_quarantine_to = "virus\@$mydomain";
$spam_quarantine_to = undef;
Some SpamAssassin settings
$sa_local_tests_only = 0;    # only tests which do not require internet access?
#$sa_auto_whitelist = 1;     # turn on AWL in SA 2.63 or older (irrelevant
                             # for SA 3.0, its cf option is use_auto_whitelist)
$sa_mail_body_size_limit = 400*1024;  # don't waste time on SA if mail is larger
                                      # (less than 1% of spam is > 64k)
                                      # default: undef, no limitations
# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt = 2.0;   # add spam info headers if at, or above that level;
                             # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level to
                             # passed mail, adding address extensions;
$sa_kill_level_deflt = $sa_tag2_level_deflt;  # triggers spam evasive actions
                             # at or above that level: bounce/reject/drop,
                             # quarantine
$sa_dsn_cutoff_level = 9;    # spam level beyond which a DSN is not sent,
                             # effectively turning D_BOUNCE into D_DISCARD;
                             # undef disables this feature and is a default;
# see also $sa_quarantine_cutoff_level above, which only controls quarantining
After change:
$sa_local_tests_only = 0;
#$sa_auto_whitelist = 1;
$sa_mail_body_size_limit = 257*1024;
$sa_tag_level_deflt = -99;
$sa_tag2_level_deflt = 6.31;
$sa_kill_level_deflt = undef;
$sa_dsn_cutoff_level = undef;
ClamAV socket
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
After change:
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
File: /etc/clamd.conf (owner root, group root, mode -rw-r--r--)
Changed on 10.09.08: Log ClamAV to syslog
LogSyslog yes
File: /etc/cron.daily/spamassassinupdate (owner root, group root, mode -rwxr-xr-x)
Changed on 15.09.14: Daily SpamAssassin rule update; spamd and amavisd are restarted so that they load the new rules
#!/bin/bash
date >>/var/log/sa-update.log 2>&1
sa-update -v >>/var/log/sa-update.log 2>&1
/etc/init.d/spamd restart >>/var/log/sa-update.log 2>&1
/etc/init.d/amavisd restart >>/var/log/sa-update.log 2>&1
File: /etc/crontab (owner root, group root, mode -rw-r--r--)
Changed on 04.06.13: Update the mail addresses of all users every hour; any output is mailed to root (ifne is from moreutils)
30 * * * * root /usr/local/sbin/mailaddresses.sh 2>&1 | ifne mail -s "Mail Adresses Update" root
File: /etc/freshclam.conf (owner root, group root, mode -rw-r--r--)
Changed on 10.09.08: Log ClamAV to syslog
LogSyslog yes
File: /etc/mail/aliases (owner root, group root, mode -rw-r--r--)
Changed on 11.09.08: Mail for root, mailman and virusalert goes to the admin user, who has to exist with a mailbox. Adjust this to your needs; note that amavisd.conf above quarantines to virus@$mydomain, which needs a recipient of its own.
root: admin
mailman: admin
virusalert: admin
File: /etc/postfix/master.cf (owner root, group root, mode -rw-r--r--)
Changed on 10.09.08
Allow port 587 (submission). Note that the -o overrides of the stock template (smtpd_tls_security_level=encrypt, smtpd_sasl_auth_enable=yes, smtpd_tls_auth_only=yes, smtpd_relay_restrictions=permit_sasl_authenticated,reject) are dropped here, so the submission service inherits its TLS, SASL and relay policy from main.cf. Check with postconf -n that those settings are enforced there, otherwise port 587 behaves like port 25.
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
After change:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
Allow port 465 (smtps): TLS wrapper mode, authentication only inside TLS, relaying only for authenticated clients
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
Deliver local incoming mail to Cyrus
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/sbin/deliver -e -r ${sender} -m ${extension} ${user}
Content filtering: the policyd-spf policy service, the smtp-amavis transport that hands mail to amavisd-new, and the listener on 127.0.0.1:10025 that takes the scanned mail back from amavis. That listener has an empty content_filter so mail is not scanned twice, and accepts connections from mynetworks only.
# amavisd-new
postfix-policyd-spf unix - n n - 0 spawn
  user=nobody argv=/usr/bin/policyd-spf
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=XXX.XXX.XXX.XXX/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=
File: /etc/sasl2/smtpd.conf (owner root, group root, mode -rw-r--r--)
Changed on 25.03.09: Add the LOGIN mechanism, which some clients need. PLAIN and LOGIN both send the password in clear text, so offer them only inside TLS (smtpd_tls_auth_only=yes).
mech_list: PLAIN
After change:
mech_list: PLAIN LOGIN
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/mailaddresses.sh
Changed on 04.06.13Update Mail addresses for each User.
#!/bin/bash
. /etc/profile
>/tmp/mailaddresses-$$
for i in `getent group users | cut -d: -f4 | perl -pe 's/\,/ /g'` weg
do
# Get Infos
USER=`getent passwd $i | cut -d":" -f 1`
LNAME="`getent passwd $i | cut -d':' -f 5`"
echo "$USER@example.com $USER" >>/tmp/mailaddresses-$$
LNAME=`echo "$LNAME" | tr '[A-Z]' '[a-z]' | perl -pe 's/ö/oe/g; s/ä/ae/g; s/ü/ue/g; s/ß/ss/g; s/[^a-zA-Z0-9\.]/\./g; s/\.+/\./g; s/^\.//; s/\.$//;'`
echo "$LNAME@example.com $USER" >>/tmp/mailaddresses-$$
if id $USER | grep -q '2023(dms)'
then
echo "${USER}mail@example.com ${USER}dms" >>/tmp/mailaddresses-$$
fi
done
find /tmp/mailaddresses-$$ -empty -delete
if [ -f /tmp/mailaddresses-$$ ]
then
if [ `cat /tmp/mailaddresses-$$ | wc -l` -gt 5 ]
then
cat /tmp/mailaddresses-$$ /etc/postfix/mailaddresses | sort -u > /etc/postfix/mailaddresses.tmp
cat /etc/postfix/mailaddresses.tmp >/etc/postfix/mailaddresses
postmap /etc/postfix/mailaddresses
rm /tmp/mailaddresses-$$ /etc/postfix/mailaddresses.tmp
else
echo "$0: /tmp/mailaddresses-$$ hat weniger als 5 Zeilen: `cat /tmp/mailaddresses-$$` -> Breche Bearbeitung ab. " | mail -s "/tmp/mailaddresses-$$ hat weniger als 5 Zeilen" root
fi
else
echo "$0: Fehler beim Mailadressenupdate!!!"
fi
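As an added example (not part of the howto), the same map generation in Python: it applies the script's umlaut transliteration and dot normalisation, builds the "address login" lines, and keeps the script's refusal to replace the map when too few new lines came out of getent. The passwd entries and the DMS group membership are constructed; example.com is the placeholder domain already used above.

```python
import re

DOMAIN = "example.com"          # placeholder domain, as in mailaddresses.sh above
MIN_NEW_LINES = 5               # the script only replaces the map when more lines than this were generated
DMS_GROUP_MEMBERS = {"jdoe"}    # constructed: logins that would show up in group 2023(dms)

# Same replacements as the perl one-liner in the script (applied after lowercasing)
TRANSLIT = {"ö": "oe", "ä": "ae", "ü": "ue", "ß": "ss"}


def normalize_gecos(full_name):
    """GECOS full name -> mail local part: lowercase, transliterate umlauts, turn every other
    non-alphanumeric run into one dot, trim leading/trailing dots.
    Small generalization: str.lower() also folds Ö/Ä/Ü, which `tr '[A-Z]' '[a-z]'` does not."""
    s = full_name.lower()
    for src, dst in TRANSLIT.items():
        s = s.replace(src, dst)
    s = re.sub(r"[^a-z0-9.]", ".", s)
    s = re.sub(r"\.+", ".", s)
    return s.strip(".")


def map_lines(passwd_entries, dms_members=frozenset()):
    """Build the virtual-alias lines ('address login') for (login, gecos) pairs, like the loop
    in the script. An empty normalized name is skipped instead of producing a bare '@domain' key."""
    lines = []
    for login, gecos in passwd_entries:
        lines.append(f"{login}@{DOMAIN} {login}")
        lname = normalize_gecos(gecos)
        if lname:
            lines.append(f"{lname}@{DOMAIN} {login}")
        if login in dms_members:
            lines.append(f"{login}mail@{DOMAIN} {login}dms")
    return lines


def merge_map(new_lines, existing_lines):
    """`cat new existing | sort -u`, guarded like the script: return None (abort, keep the old
    map) when the freshly generated part is suspiciously short, e.g. because getent returned nothing."""
    if len(new_lines) <= MIN_NEW_LINES:
        return None
    return sorted(set(new_lines) | set(existing_lines))


# Constructed sample: what `getent passwd` would return for the members of group "users"
SAMPLE_PASSWD = [("obohlen", "Oliver Bohlen"), ("mmueller", "Max Müller"),
                 ("jdoe", "John Doe"), ("strasse", "Äöü Straße")]
SAMPLE_EXISTING = ["postmaster@example.com root", "obohlen@example.com obohlen"]

if __name__ == "__main__":
    merged = merge_map(map_lines(SAMPLE_PASSWD, DMS_GROUP_MEMBERS), SAMPLE_EXISTING)
    print("\n".join(merged) if merged else "too few lines, map left untouched")
```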
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add postfix
rc-update add saslauthd default
rc-update add amavisd
rc-update add spamd
rc-update add clamd default
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge dev-db/mysql
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/logrotate.d/mysql
Changed on 09.09.08
Optimizations
/var/log/mysql/mysql.err /var/log/mysql/mysql.log /var/log/mysql/mysqld.err {
After change
/var/log/mysql/mysql.err /var/log/mysql/mysql.log /var/log/mysql/mysqld.err /var/log/mysql/slow.log {
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/mysql/mysql.d/50-distro-server.cnf
Changed on 09.09.08
MySQL should listen only on the socket
# skip-networking
bind-address = 127.0.0.1
After change
skip-networking
#bind-address = 127.0.0.1
This deactivates binary logging, because we don't want to use a MySQL cluster. Backups are made with the backup script (see the Backup topic).
log-bin
server-id = 1
After change
# log-bin
# server-id = 1
skip-log-bin
disable_log_bin
Optimizations
secure-file-priv=NULL
default_authentication_plugin=mysql_native_password
innodb_file_per_table=1
innodb_buffer_pool_size = 1024MiB
innodb_log_file_size = 512MiB
[server]
skip_name_resolve = 1
innodb_buffer_pool_size = 128M
innodb_buffer_pool_instances = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 32M
innodb_max_dirty_pages_pct = 90
tmp_table_size= 64M
max_heap_table_size= 64M
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 1
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add mysql
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge media-sound/pulseaudio
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/pulseaudio
Changed on 06.11.15
Enable System Wide Startup for PulseAudio
PULSEAUDIO_SHOULD_NOT_GO_SYSTEMWIDE=1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/portage/profile/use.mask
Changed on 06.11.15
Enable System wide PulseAudio for init-Scripts
-system-wide
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pulse/system.pa
Changed on 06.11.15
Listen on Server
load-module module-native-protocol-tcp auth-anonymous=1 auth-ip-acl=127.0.0.1;172.25.0.0/16;my.lan.network.ip/16
#load-module module-alsa-sink
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add pulseaudio default
Please send a feedback to: doc<at>gabosh.net
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/crontab
Changed on 27.09.19
CronJob for Nextcloud
*/5 * * * * root su - nextcloud -c "php -f /var/www/nextcloud.example.com/htdocs/cron.php"
15 0 * * * root su - nextcloud -c "/var/www/nextcloud.example.com/maintenance.sh"
*/5 * * * * root su - nextcloud-test -c "php -f /var/www/nextcloud-test.example.com/htdocs/cron.php"
15 0 * * * root su - nextcloud-test -c "/var/www/nextcloud-test.example.com/maintenance.sh"
15 1 * * * root scripts/nextcloud-test-update.sh 2>&1 | ifne mail -s "nextcloud-test Update" user1
Please send a feedback to: doc<at>gabosh.net
You can create users, groups, computers, ... with the WebGUI PHPLDAPAdmin. Have a look at the OpenLDAP WebGUI Howto.
slappasswd
New password: my-password
Re-enter new password: my-password
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
If you want to use this solution you need the following howto(s) finished:
emerge net-nds/openldap
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/openldap/ldap.ldif
Changed on 02.03.09
LDAP DNs for the basic structure. Once slapd is started, insert this file with:
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/ldap.ldif
# Base DN
dn: dc=example,dc=com
dc: gabosh
objectClass: top
objectClass: domain

# Group DN (/etc/group)
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# User DN (/etc/passwd; /etc/shadow)
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - Normal Users
dn: ou=People,ou=Users,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - System Users
dn: ou=People,ou=SystemUsers,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
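ldapadd processes the entries in file order and rejects any entry whose parent does not exist yet (the database suffix excepted). As an added example, not part of the howto, here is a small check for that ordering constraint; the LDIF inside is constructed after the structure above and contains one deliberately orphaned entry. Running it over /etc/openldap/ldap.ldif before the ldapadd call shows which entries would fail.

```python
# Constructed LDIF in the layout of ldap.ldif above; the last entry is deliberately
# placed under a parent (ou=Machines) that the file never defines.
SAMPLE_LDIF = """\
# Base DN
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# Group DN (/etc/group)
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# User DN (/etc/passwd; /etc/shadow)
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - Normal Users
dn: ou=Users,ou=People,dc=example,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

# User DN - System Users (orphaned on purpose)
dn: ou=SystemUsers,ou=Machines,dc=example,dc=com
ou: SystemUsers
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif_entries(text):
    """Split LDIF text into entries (dict: lowercased attribute -> list of values).
    Handles '#' comments and RFC 2849 continuation lines; base64 ('::') values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (no quoting support)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip())
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: RDNs joined without spaces, case folded."""
    return ",".join(split_dn(dn)).lower()


def parent_dn(dn):
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def check_add_order(text, suffix):
    """Return the DNs ldapadd would reject with 'no such object': entries whose parent is
    neither the database suffix nor an entry that appears earlier in the file."""
    known = {normalize_dn(suffix)}
    problems = []
    for entry in parse_ldif_entries(text):
        dn = entry.get("dn", [None])[0]
        if dn is None:
            continue
        parent = parent_dn(dn)
        is_suffix = normalize_dn(dn) == normalize_dn(suffix)
        if not is_suffix and (parent is None or normalize_dn(parent) not in known):
            problems.append(dn)
        known.add(normalize_dn(dn))
    return problems


if __name__ == "__main__":
    for dn in check_add_order(SAMPLE_LDIF, "dc=example,dc=com"):
        print("parent missing for:", dn)
```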
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/openldap/schema/dlz.schema
Changed on 01.12.15
This is the LDAP-Schema for BIND DLZ-LDAP.
#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
# types and object classes that may be needed by end users
# to add security, etc. Attributes and object classes using
# this OID MUST NOT be published outside of an organization
# except to offer them for consideration to become part of the
# standard attributes and object classes published by the DLZ project.
attributetype ( 1.3.6.1.4.1.18420.XXX.XXX.XXX
NAME 'dlzZoneName'
DESC 'DNS zone name - domain name not including host name'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.20
NAME 'dlzHostName'
DESC 'Host portion of a domain name'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.30
NAME 'dlzData'
DESC 'Data for the resource record'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.40
NAME 'dlzType'
DESC 'DNS record type - A, SOA, NS, MX, etc...'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.50
NAME 'dlzSerial'
DESC 'SOA record serial number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.60
NAME 'dlzRefresh'
DESC 'SOA record refresh time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.70
NAME 'dlzRetry'
DESC 'SOA retry time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.80
NAME 'dlzExpire'
DESC 'SOA expire time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.90
NAME 'dlzMinimum'
DESC 'SOA minimum time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.XXX.XXX.XXX0
NAME 'dlzAdminEmail'
DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.110
NAME 'dlzPrimaryNS'
DESC 'Primary name server for this zone - should be host name not IP address'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.120
NAME 'dlzIPAddr'
DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.130
NAME 'dlzCName'
DESC 'DNS cname'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.140
NAME 'dlzPreference'
DESC 'DNS MX record preference. Lower numbers have higher preference'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.150
NAME 'dlzTTL'
DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.160
NAME 'dlzRecordID'
DESC 'Unique ID for each DLZ resource record'
SUP name
SINGLE-VALUE )
#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------
objectclass ( 1.3.6.1.4.1.18420.1.2.10
NAME 'dlzZone'
DESC 'Zone name portion of a domain name'
SUP top STRUCTURAL
MUST ( objectclass $ dlzZoneName ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.20
NAME 'dlzHost'
DESC 'Host name portion of a domain name'
SUP top STRUCTURAL
MUST ( objectclass $ dlzHostName ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.30
NAME 'dlzAbstractRecord'
DESC 'Data common to all DNS record types'
SUP top ABSTRACT
MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.40
NAME 'dlzGenericRecord'
DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
SUP dlzAbstractRecord STRUCTURAL
MUST ( dlzData ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.50
NAME 'dlzARecord'
DESC 'DNS A record'
SUP dlzAbstractrecord STRUCTURAL
MUST ( dlzIPAddr ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.60
NAME 'dlzNSRecord'
DESC 'DNS NS record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.70
NAME 'dlzMXRecord'
DESC 'DNS MX record'
SUP dlzGenericRecord STRUCTURAL
MUST ( dlzPreference ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.80
NAME 'dlzSOARecord'
DESC 'DNS SOA record'
SUP dlzAbstractRecord STRUCTURAL
MUST ( dlzSerial $ dlzRefresh $ dlzRetry
$ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.90
NAME 'dlzTextRecord'
DESC 'Text data with spaces should be wrapped in double quotes'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.100
NAME 'dlzPTRRecord'
DESC 'DNS PTR record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.110
NAME 'dlzCNameRecord'
DESC 'DNS CName record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.120
NAME 'dlzXFR'
DESC 'Host allowed to perform zone transfer'
SUP top STRUCTURAL
MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/openldap/schema/dnszone.schema
Changed on 02.04.10
This is the LDAP-Schema for BIND SDB-LDAP.
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
DESC 'An integer denoting time to live'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
DESC 'The class of a resource record'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
DESC 'The starting labels of a domain name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
DESC 'domain name pointer, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
DESC 'host information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
DESC 'mailbox or mail list information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
DESC 'text string, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
DESC 'for AFS Data Base location, RFC 1183'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
DESC 'Signature, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
DESC 'Key, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
DESC 'IPv6 address, RFC 1886'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
DESC 'Location, RFC 1876'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
DESC 'non-existant, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
DESC 'service location, RFC 2782'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
DESC 'Naming Authority Pointer, RFC 2915'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
DESC 'Key Exchange Delegation, RFC 2230'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
DESC 'certificate, RFC 2538'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
DESC 'A6 Record Type, RFC 2874'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
DESC 'Delegation Signer, RFC 3658'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
DESC 'RRSIG, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
DESC 'NSEC, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
SUP top STRUCTURAL
MUST ( zoneName $ relativeDomainName )
MAY ( DNSTTL $ DNSClass $
ARecord $ MDRecord $ MXRecord $ NSRecord $
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
RRSIGRecord $ NSECRecord ) )
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add slapd default
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge sys-auth/pam_ldap
emerge sys-auth/nss_ldap
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/saslauthd
Changed on 18.05.09
If you are using SASL for some authentications you should point to a configuration file with your LDAP settings.
SASLAUTHD_OPTS="-a pam"
After change
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/crontab
Changed on 02.12.09
Run the checkusers-script hourly
42 * * * * root /usr/local/sbin/checkusers.sh 2>&1 | ifne mail -s "Checkusers-Script" root
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/ldap.conf.old
Changed on 18.05.09
The LDAP BaseDN
base dc=padl,dc=com
After change
base dc=example,dc=com
This is for accepting a self-signed SSL/TLS certificate
pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/nsswitch.conf
Changed on 18.05.09
The lookup order for passwd, shadow and group
group: files
gshadow: files
After change
group: files ldap
#gshadow: files
The lookup order for passwd, shadow and group
#passwd: files
After change
passwd: files ldap
The lookup order for passwd, shadow and group
shadow: files
After change
shadow: files ldap
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/system-auth
Changed on 18.05.09
Authenticate with LDAP
auth required pam_unix.so try_first_pass likeauth nullok
After change
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
#auth optional pam_smbpass.so migrate use_first_pass
auth required pam_deny.so
Authenticate with LDAP
account sufficient pam_ldap.so
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/system-auth
Changed on 18.05.09
Authenticate with LDAP
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
After change
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
Authenticate with LDAP
session optional pam_ldap.so
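To see why the stacks above end in pam_deny.so and why the order of the lines matters, here is an added example (a simplified model, not Linux-PAM's own code) of the required/requisite/sufficient/optional control flags; the auth stacks are the ones from system-auth above, and the per-module outcomes are supplied by hand instead of running pam_unix or pam_ldap.

```python
# Before/after auth stacks from /etc/pam.d/system-auth above
AUTH_BEFORE = [("required", "pam_unix.so")]
AUTH_AFTER = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, results):
    """Evaluate a PAM stack top to bottom. `results` maps module name -> True (PAM_SUCCESS)
    or False; unlisted modules fail, which is exactly what pam_deny.so does.
    Returns "PAM_SUCCESS", "PAM_AUTH_ERR" (a module failure decided the stack) or
    "PAM_PERM_DENIED" (no module produced a decision, which Linux-PAM also treats as failure)."""
    impression = None          # None / "ok" / "bad", Linux-PAM's UNDEF / POSITIVE / NEGATIVE
    status = "PAM_PERM_DENIED"
    for control, module in stack:
        ok = results.get(module, False)
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = "ok", "PAM_SUCCESS"
            else:
                if impression != "bad":                  # the first failure is remembered
                    impression, status = "bad", "PAM_AUTH_ERR"
                if control == "requisite":               # requisite: stop right here
                    return status
        elif control == "sufficient":
            if ok and impression != "bad":               # done: skip the rest of the stack
                return "PAM_SUCCESS"
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:                # only counts if nothing else decided
                impression, status = "ok", "PAM_SUCCESS"
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return status


if __name__ == "__main__":
    cases = {
        "local user": {"pam_unix.so": True},
        "ldap user": {"pam_ldap.so": True},
        "unknown user / wrong password": {},
    }
    for label, results in cases.items():
        print(f"{label:32} before={run_stack(AUTH_BEFORE, results):16} after={run_stack(AUTH_AFTER, results)}")
```

Putting `auth required pam_deny.so` above the sufficient lines would reject everyone, since a required failure is remembered and a later sufficient success can no longer override it.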
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/saslauthd.conf
Changed on 18.05.09
If you are using SASL for some authentications you should configure the LDAP access for SASL here.
ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=Users,ou=People,dc=example,dc=com
ldap_scope: one
ldap_uidattr: uid
ldap_filter: uid:caseExactMatch:=%U
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/checkusers.sh
Changed on 02.12.09
This is a script I use to create a home directory and a mailbox when a new LDAP user is created. Whether you can use it depends on your environment.
#!/bin/bash
. /etc/profile
nscd --invalidate=group
nscd --invalidate=passwd
for i in `getent passwd | cut -d":" -f 3`
do
if [ $i -gt 999 ]
then
if [ $i -lt 8999 ]
then
# Get Infos
USER=`getent passwd $i | cut -d":" -f 1`
USERID=`getent passwd $i | cut -d":" -f 3`
HOMEDIR=`getent passwd $i | cut -d":" -f 6`
GROUP=`getent passwd $i | cut -d":" -f 4`
LNAME="`getent passwd $i | cut -d':' -f 5`"
#echo "Checking User $USER"
# Check for non existing HomeDir
if ! [ -d $HOMEDIR ]
then
echo "Creating Homedir $HOMEDIR for $USER ($i)"
mkdir -p $HOMEDIR
chown $USER:$GROUP $HOMEDIR
chmod 0700 $HOMEDIR
fi
# Check for existing Backup-Dir
if ! [ -d /srv/share/Backups/home/$USER ]
then
echo "Creating BackupDir /srv/share/Backups/home/$USER for $USER ($i)"
mkdir -p /srv/share/Backups/home/$USER
chown $USER:$GROUP /srv/share/Backups/home/$USER
chmod 0700 /srv/share/Backups/home/$USER
fi
# SSH keys (ssh-keygen -f does not create ~/.ssh itself, so create it first)
if ! [ -e $HOMEDIR/.ssh/id_ed25519 ]
then
echo "Generating openssh-key $USER for pubkey Auth e.g. for backups"
su - $USER -c "mkdir -p -m 0700 $HOMEDIR/.ssh && ssh-keygen -q -t ed25519 -f $HOMEDIR/.ssh/id_ed25519 -N ''"
fi
# if ! [ -e $HOMEDIR/.ssh/dropbear.key ]
# then
# echo "Generating dropbear-key for pubkey Auth e.g. for syncopoli-backups"
# mkdir -p $HOMEDIR/.ssh
# su - $USER -c "dropbearkey -t ecdsa -f $HOMEDIR/.ssh/dropbear.key 2>/dev/null | grep ecdsa >>$HOMEDIR/.ssh/authorized_keys"
# chown -R $USER:$GROUP $HOMEDIR/.ssh
# chmod 644 $HOMEDIR/.ssh/authorized_keys
# chmod 600 $HOMEDIR/.ssh/dropbear.key
# chmod 700 $HOMEDIR/.ssh
# fi
# Check whether a mailbox exists
if ! [ $USER = "admin" ]
then
if /usr/local/sbin/cyr-show-mailboxes | grep "^user.$USER" >/dev/null
then
echo "Mailbox for User $USER OK" >/dev/null
else
echo "Creating Mailbox for $USER"
/usr/local/sbin/cyr-create-mbox user/$USER 100
fi
# Check/Recreate removed folders like Trash
/usr/local/sbin/cyr-create-mbox user/$USER
fi
# DMS User
if id $USER | grep -q '2023(dms)'
then
if ! [ -d /home/${USER}/DMS ]
then
echo "Creating DMS mailbox/dirs/files for $USER"
/usr/local/sbin/cyr-create-mbox user/${USER}dms
mkdir -p /home/${USER}/DMS/Upload /home/${USER}/DMS/.done
touch /home/${USER}/DMS/.dmsdel /home/${USER}/DMS/control
chown -R ${USER} /home/${USER}/DMS
fi
fi
fi
fi
done
chmod 700 /home/*
su - mailman -c "/usr/local/sbin/maillists.sh >/dev/null 2>&1"
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge net-nds/phpldapadmin
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
The LDAP Base
// $servers->setValue('server','base',array(''));
After change
$servers->setValue('server','base',array('dc=example,dc=com'));
The LDAP Base
# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
After change
$servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge net-print/cups
File permissions:
Owner: root
Group: lp
Permissions: -rw-r-----
Click here for a download of the complete file: /etc/cups/cupsd.conf
Changed on 18.11.13
Allow connections over the network
Listen localhost:631
After change
Listen *:631
Allow printing over the network
Allow localhost
Allow from 172.23.*
Allow from 172.24.*
Allow from 172.25.*
Allow administration from local networks
Allow localhost
Allow from 172.23.*
Allow from 172.25.*
File permissions:
Owner: root
Group: lp
Permissions: -rw-r-----
Click here for a download of the complete file: /etc/cups/cups-files.conf
Changed on 29.11.11
Logging to syslog
AccessLog /var/log/cups/access_log
After change
AccessLog syslog
Logging to syslog
ErrorLog /var/log/cups/error_log
After change
ErrorLog syslog
Logging to syslog
PageLog /var/log/cups/page_log
After change
PageLog syslog
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add cupsd
Please send a feedback to: doc<at>gabosh.net
If you want to use this solution you need the following howto(s) finished:
emerge dev-perl/File-ReadBackwards
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-rename
Changed on 30.11.10
This script renames all filenames (and directories) in a specified path using the regexes in a specified regex file.
For example, to change the character a in all filenames to b and y into z, create a regex file, e.g. /tmp/rename, with the following lines:
s/a/b/g;
s/y/z/g;
Then run this command with the following options:
$0 -p /path/in/which/you/want/to/rename -r /tmp/rename
#!/usr/bin/perl -w
# === Strict Perl ===
use strict;
# === Initialize vars ===
use vars qw/*name *dir *opt_h *opt_p *path *opt_v *verb *opt_r *regex *sim *opt_s *files *opt_u/;
*name=*File::Find::name;
*dir=*File::Find::dir;
# === Parse Commandline ===
# Clear vars
$opt_p="";
$opt_r="";
$opt_u="";
# Get the Options
use Getopt::Std;
getopts('hvp:r:su:');
# Run help/usage?
usage() if ($opt_h);
# Be verbose?
$verb=1 if ($opt_v);
# Simulating?
$sim=0;
if ($opt_s) {
print "Only simulating - Not really renaming...\n";
$sim=1;
}
# Shall I undo something?
if ($opt_u) {
# Test if the undo-file is existing
if (-f $opt_u) {
# Open and read it
use File::ReadBackwards;
my $line = File::ReadBackwards->new($opt_u) || die "Could not open $opt_u: $!" ;
until ( $line->eof ) {
my $undo=$line->readline;
# ...remove newline
chomp($undo);
# Get the two filenames
my @undo=split(" \/\/\/ ", $undo);
my $source=$undo[0];
my $target=$undo[1];
# Rename it
print "Undo Renaming '$source' to '$target'\n";
rename($source, $target) || warn "Could not rename $source to $target: $!\n" unless $sim;
}
# End the program if there are no more renamings
exit 0 unless $opt_p;
}
else {
die "You have to specify a valid undo-file if you want to undo an action\n";
}
}
# Get path from cmdline
if (-d $opt_p) {
$path=$opt_p;
# Get absolute path
chdir($path) || die "Could not change to $path: $!";
use Cwd;
$path=getcwd;
print "Using path $path\n" if $verb;
}
else {
print "ERROR: No or non existing Path $opt_p specified...\n\n";
usage();
}
# Get regex file from cmdline
if (-f $opt_r) {
$regex=$opt_r;
print "Using regex-file $regex\n" if $verb;
}
else {
print "ERROR: No or non existing regexfile $opt_r specified...\n\n";
usage();
}
# === Prepare Undo/Log-File ===
# Create Undo/Log file
my $undo;
unless ($sim) {
mkdir($ENV{HOME} . "/.gtc-rename",0700) unless ( -d $ENV{HOME} . "/.gtc-rename" );
use POSIX qw/strftime/;
$undo=$ENV{HOME} . '/.gtc-rename/gtc-rename-undo-' . strftime('%Y-%m-%d-%H-%M-%S',localtime) . '-PID-' . $$;
open(UNDORENAME, ">$undo") || die "ERROR: Can't open Undo $undo file: $!";
}
# === Find files ===
use File::Find();
use File::Basename;
print "Searching files...\n" if $verb;
File::Find::find({wanted => \&files}, $path);
print "\n" if $verb;
@files=reverse(@files);
use File::Basename;
foreach my $file (@files) {
s_rename($file);
}
# === Close Undo-Log ===
unless ($sim) {
close(UNDORENAME);
# Remove undo-file if it is empty
unlink $undo unless (-s $undo);
}
# === Put files in array ===
sub files {
print "." if $verb;
return 0 if ($name eq $path);
push(@files,$name);
}
# === Rename files ===
sub s_rename {
# Get the name
my $name=shift;
print "thinking about '$name'...\n" if $verb;
# Get the file ($_) and the path ($d) name
$_=basename($name);
our $d=dirname($name);
# Run the regex-file
do $regex;
# Remove very bad newlines
s/\n/_/g;
# put the new path/name back together
my $n=$d . "/" . $_;
# If the filename has changed
unless ($n eq $name) {
# Check if the target file exists
if (-e $n) {
warn "ERROR: Can't rename file ($name) because the target ($n) already exists";
}
else {
# Rename file and write the log
print "Renaming '$name' to '$n'\n" if (($verb) || ($sim));
rename($name, $n) || warn "ERROR: Renaming from $name to $n failed: $!\n" unless $sim;
# remove bad newline in the old filename if exists
$name=~s/\n/_/g;
print UNDORENAME "$n /// $name\n" unless $sim;
}
}
}
# === Help ===
sub usage {
print "Overview:
=========
This renames all filesnames (and dirs) in a specified path with specified Regex'es in a specified regex-file.
For e.g. to rename change the character a in all filenames to b and y into z you can create a regex file e.g. /tmp/rename with the following lines:
s/a/b/g;
s/y/z/g;
Then you run this command with the following options:
$0 -p /path/in/which/you/want/to/rename -r /tmp/rename
To replace all special characters then the latin alphabet and numbers with _ you can put this in your regex-file:
s/[^a-zA-Z0-9]/_/g;
You can use all substitutions perl can do an of course your own per code in the regex file.
Options:
========
-h\t-> This help/usage
-p path\t-> The path in which you want to rename all files
-r file\t-> The file with your Substuitutions
-v\t-> Be verbose
-s\t-> Dry (simulation) run
-u file\t-> Undo a job. You have to specify an undo file. The undo-files are in the .gtc-rename in yout homedir: ~/.gtc-rename
";
exit 1;
}
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/bin/gtc-rename
Changed on 30.11.10
This script renames all filenames (and directories) in a specified path with the regexes from a specified regex-file. For example, to change the character a in all filenames to b and y into z, create a regex file, e.g. /tmp/rename, with the following lines:
s/a/b/g;
s/y/z/g;
Then run this command with the following options:
gtc-rename -p /path/in/which/you/want/to/rename -r /tmp/rename
The regex-file is executed as Perl code with your privileges, so only use files you wrote yourself. Test with -s (dry run) first; every real run writes an undo-file to ~/.gtc-rename that -u can replay.
#!/usr/bin/perl -w
# === Strict Perl ===
use strict;
# === Initialize vars ===
use vars qw/*name *dir *opt_h *opt_p *path *opt_v *verb *opt_r *regex *sim *opt_s *files *opt_u/;
*name=*File::Find::name;
*dir=*File::Find::dir;
# === Parse Commandline ===
# Clear vars
$opt_p="";
$opt_r="";
$opt_u="";
# Get the Options (unknown options fall through to the usage text)
use Getopt::Std;
usage() unless getopts('hvp:r:su:');
# Run help/usage?
usage() if ($opt_h);
# Be verbose?
$verb=1 if ($opt_v);
# Simulating?
$sim=0;
if ($opt_s) {
    print "Only simulating - Not really renaming...\n";
    $sim=1;
}
# Shall I undo something?
if ($opt_u) {
    # Test if the undo-file is existing
    if (-f $opt_u) {
        # Open and read it backwards: the last rename has to be undone first
        use File::ReadBackwards;
        my $line = File::ReadBackwards->new($opt_u) || die "Could not open $opt_u: $!";
        until ( $line->eof ) {
            my $undo=$line->readline;
            # ...remove newline
            chomp($undo);
            # Get the two filenames (log format: "new /// old")
            my ($source,$target)=split(" /// ", $undo, 2);
            # Rename it, but never over an existing file
            print "Undo Renaming '$source' to '$target'\n";
            if (-e $target) {
                warn "ERROR: Can't undo rename of '$source' because '$target' already exists\n";
            }
            else {
                rename($source, $target) || warn "Could not rename $source to $target: $!\n" unless $sim;
            }
        }
        # End program if there are no more renamings
        exit 0 unless $opt_p;
    }
    else {
        die "You have to specify a valid undo-file if you want to undo an action\n";
    }
}
# Get regex file from cmdline. It is resolved to an absolute path before the
# chdir() below, so a relative -r path keeps working and 'do' does not search
# @INC for it.
use Cwd qw/getcwd abs_path/;
if (-f $opt_r) {
    $regex=abs_path($opt_r);
    print "Using regex-file $regex\n" if $verb;
}
else {
    print "ERROR: No or non existing regexfile $opt_r specified...\n\n";
    usage();
}
# Get path from cmdline
if (-d $opt_p) {
    $path=$opt_p;
    # Get absolute path
    chdir($path) || die "Could not change to $path: $!";
    $path=getcwd;
    print "Using path $path\n" if $verb;
}
else {
    print "ERROR: No or non existing Path $opt_p specified...\n\n";
    usage();
}
# === Prepare Undo/Log-File ===
# Create Undo/Log file
my $undo;
unless ($sim) {
    # HOME is not set in some cron/daemon environments
    $ENV{HOME}="/tmp" unless ($ENV{HOME});
    mkdir($ENV{HOME} . "/.gtc-rename",0700) unless ( -d $ENV{HOME} . "/.gtc-rename" );
    use POSIX qw/strftime/;
    $undo=$ENV{HOME} . '/.gtc-rename/gtc-rename-undo-' . strftime('%Y-%m-%d-%H-%M-%S',localtime) . '-PID-' . $$;
    open(UNDORENAME, ">$undo") || die "ERROR: Can't open Undo $undo file: $!";
}
# === Find files ===
use File::Find();
use File::Basename;
print "Searching files...\n" if $verb;
File::Find::find({wanted => \&files}, $path);
print "\n" if $verb;
# Deepest entries first, so a directory is renamed only after its contents
@files=reverse(@files);
foreach my $file (@files) {
    s_rename($file);
}
# === Close Undo-Log ===
unless ($sim) {
    close(UNDORENAME);
    # Remove undo-file if it is empty
    unlink $undo unless (-s $undo);
}
# === Put files in array ===
sub files {
    print "." if $verb;
    return 0 if ($name eq $path);
    push(@files,$name);
}
# === Rename files ===
sub s_rename {
    # Get the name
    my $name=shift;
    print "thinking about '$name'...\n" if $verb;
    # Get the file ($_) and the path ($d) name
    $_=basename($name);
    our $d=dirname($name);
    # Run the regex-file: it is executed as Perl code with the filename in $_
    # and the directory in $d, so treat it like any other script you run
    do $regex;
    die "ERROR: regex-file $regex failed: $@" if $@;
    # Remove very bad newlines
    s/\n/_/g;
    # put the new path/name back together
    my $n=$d . "/" . $_;
    # If the filename has changed
    unless ($n eq $name) {
        # Check if the target file exists
        if (-e $n) {
            warn "ERROR: Can't rename file ($name) because the target ($n) already exists\n";
        }
        else {
            # Rename file and write the log ("new /// old", read backwards by -u);
            # only successful renames are logged
            print "Renaming '$name' to '$n'\n" if (($verb) || ($sim));
            unless ($sim) {
                if (rename($name, $n)) {
                    # remove bad newline in the old filename if exists
                    $name=~s/\n/_/g;
                    print UNDORENAME "$n /// $name\n";
                }
                else {
                    warn "ERROR: Renaming from $name to $n failed: $!\n";
                }
            }
        }
    }
}
# === Help ===
sub usage {
    print "Overview:
=========
This renames all filenames (and dirs) in a specified path with the regexes in a specified regex-file.
For example, to change the character a in all filenames to b and y into z, create a regex file, e.g. /tmp/rename, with the following lines:
s/a/b/g;
s/y/z/g;
Then run this command with the following options:
$0 -p /path/in/which/you/want/to/rename -r /tmp/rename
To replace all characters other than the Latin alphabet and digits with _, put this in your regex-file:
s/[^a-zA-Z0-9]/_/g;
You can use all substitutions Perl can do and of course your own Perl code in the regex-file (it is executed as Perl code).
Options:
========
-h\t-> This help/usage
-p path\t-> The path in which you want to rename all files
-r file\t-> The file with your substitutions
-v\t-> Be verbose
-s\t-> Dry (simulation) run
-u file\t-> Undo a job. You have to specify an undo-file. The undo-files are in .gtc-rename in your home directory: ~/.gtc-rename
";
    exit 1;
}
Please send feedback to: doc<at>gabosh.net
mkdir -p /etc/ssl/gabosh.net
cd /etc/ssl/gabosh.net
openssl genrsa -out gabosh.net.key 4096
chmod 600 gabosh.net.key
openssl req -new -x509 -nodes -sha256 -days 3650 -key gabosh.net.key > gabosh.net.crt
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
--> The next line is vital: the wildcard Common Name *.gabosh.net covers all gabosh.net subdomains. Current browsers match host names only against the subjectAltName extension, not the CN, so a certificate meant for browsers additionally needs a subjectAltName listing *.gabosh.net and gabosh.net.
Common Name (eg, YOUR name) :*.gabosh.net
Email Address :
Please enter the following extra attributes
to be sent with your certificate request
A challenge password :
An optional company name :
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/gabosh.net/gabosh.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/gabosh.net/gabosh.net.key
/etc/init.d/apache2 restart
The directives above point below /etc/apache2/ssl, whereas the key and certificate were created in /etc/ssl/gabosh.net; the two locations must agree, so either copy the files or point the directives at /etc/ssl/gabosh.net/. The key file stays mode 600 and owned by root; Apache reads it before dropping privileges.
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/ssl/gabosh.net/readme
Changed on 13.03.09
This is the directory for the SSL certificates.
To install and trust the certificate run:
cd /etc/ssl/certs
ln -s ../example.com/example.com.crt `openssl x509 -hash -noout -in /etc/ssl/example.com/example.com.crt`.0
The symlink name is the subject hash of the certificate, which is how OpenSSL-based clients look a certificate up in /etc/ssl/certs (c_rehash does the same for the whole directory).
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/ssl/gabosh.net/readme
Changed on 13.03.09
This is the directory for the SSL certificates.
To install and trust the certificate run:
cd /etc/ssl/certs
ln -s ../example.com/example.com.crt `openssl x509 -hash -noout -in ../example.com/example.com.crt`.0
The symlink name is the subject hash of the certificate, which is how OpenSSL-based clients look a certificate up in /etc/ssl/certs (c_rehash does the same for the whole directory).
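The interactive session above produces a certificate whose only name is the wildcard Common Name; browsers have ignored the CN for host matching for years and require a subjectAltName extension, so a CN-only wildcard certificate is rejected even after it has been trusted. The following is an added example written for this page, not a file from the howto: it generates the key and a self-signed wildcard certificate non-interactively with a SAN covering *.DOMAIN and DOMAIN, installs the hashed symlink the readme describes into a trust directory, and verifies the result. The directory layout, domain, key size and validity follow the text above; the function names, the use of -subj and -addext (OpenSSL 1.1.1 or newer) and the verification steps are my choices.

```bash
#!/bin/sh
# Added example (not from the original howto): self-signed wildcard certificate
# with subjectAltName, installed into a hashed trust directory, then verified.
set -eu

# mk_selfsigned DIR DOMAIN [DAYS] [BITS]
# Writes DIR/DOMAIN.key (mode 600) and DIR/DOMAIN.crt. -subj replaces the
# interactive prompts, -addext adds the SAN (needs OpenSSL >= 1.1.1).
mk_selfsigned() {
    dir=$1; domain=$2; days=${3:-3650}; bits=${4:-4096}
    mkdir -p "$dir"
    # umask 077 so the key is never world-readable, not even briefly
    ( umask 077; openssl req -new -x509 -nodes -sha256 -days "$days" \
        -newkey "rsa:$bits" -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null )
    chmod 600 "$dir/$domain.key"
}

# san_of CRT -> prints the SAN entries, e.g. "DNS:*.example.com, DNS:example.com"
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | sed -n '2s/^[[:space:]]*//p'
}

# key_matches CRT KEY -> succeeds if the public key in CRT belongs to KEY
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# trust_cert CERTDIR CRT -> creates the <subject_hash>.0 symlink from the readme
# in CERTDIR (/etc/ssl/certs on the real system); the link target is absolute
trust_cert() {
    certdir=$1; crt=$2
    mkdir -p "$certdir"
    abs=$(cd "$(dirname "$crt")" && pwd)/$(basename "$crt")
    hash=$(openssl x509 -subject_hash -noout -in "$crt")
    ln -sf "$abs" "$certdir/$hash.0"
}

# check_trust CERTDIR CRT -> succeeds if CRT verifies against the hashed directory
check_trust() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage on the real system (as root):
#   mk_selfsigned /etc/ssl/gabosh.net gabosh.net
#   trust_cert /etc/ssl/certs /etc/ssl/gabosh.net/gabosh.net.crt
#   check_trust /etc/ssl/certs /etc/ssl/gabosh.net/gabosh.net.crt && echo trusted
```

The verification matters for a self-signed certificate: `check_trust` only succeeds once the hashed symlink is in place, which is exactly what `-CApath` lookups (and therefore most OpenSSL-linked clients on the machine) depend on.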
If you want to use this solution you need the following howto(s) finished:
emerge media-gfx/sane-backends
emerge sys-apps/xinetd
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/sane.d/saned.conf
Changed on 26.11.08
This allows scanning over the network by saned; only the listed networks may connect.
my.lan.network.ip/16
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/xinetd.conf
Changed on 26.11.08
This allows my local network to connect to xinetd. Change the IP according to your network.
#only_from = XXX.XXX.XXX.XXX
After change
only_from = my.lan.network.ip
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/xinetd.d/sane-stream
Changed on 26.11.08
This allows scanning over the network with xinetd. Note that this service definition runs saned as root, which it does not need; a dedicated unprivileged user with access to the scanner device nodes (Gentoo's media-gfx/sane-backends installs the saned user and scanner group for this) is the least-privilege choice.
service sane-port
{
socket_type = stream
server = /usr/sbin/saned
protocol = tcp
user = root
group = root
wait = no
disable = no
}
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add xinetd
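The service definition above runs saned as root although it only needs to read and write the scanner device nodes. The following is an added, hardened variant of /etc/xinetd.d/sane-stream written for this page, not the file from the howto. It assumes the saned user and scanner group that Gentoo's media-gfx/sane-backends installs (check with getent passwd saned and getent group scanner, and make sure the udev rule for your scanner assigns the device node to that group), and it reuses the my.lan.network.ip placeholder of this howto for the allowed source network.

```conf
# /etc/xinetd.d/sane-stream, hardened variant (added example, not the page's file)
service sane-port
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    # drop root: saned only needs the scanner device nodes, which udev
    # assigns to group scanner on Gentoo
    user            = saned
    group           = scanner
    server          = /usr/sbin/saned
    # second filter in front of the ACL in /etc/sane.d/saned.conf
    only_from       = my.lan.network.ip/16
    # bound the number of saned processes one client can spawn
    instances       = 4
    per_source      = 2
    log_on_failure  += USERID
    disable         = no
}
```

After the change, restart xinetd and check from a client with scanimage -L that the scanner is still found; if saned cannot open the device, the udev group assignment, not the service definition, is what needs fixing. The only_from line here is combined with the only_from default in /etc/xinetd.conf, and saned.conf applies its own ACL on top, so an unexpected client is rejected twice.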
If you want to use this solution you need the following howto(s) finished:
emerge dev-perl/Crypt-CBC
emerge dev-perl/Crypt-DES
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-crypt
Changed on 30.11.10
This is a small app for storing strings encrypted on your hard disk, e.g. for using passwords in scripts that run without interaction in the background. It is not (very) safe, but maybe better than storing plain-text passwords on the hard disk. Be clear about what it does and does not protect against: the key file lives next to the crypt file in ~/.gtc-crypt, so anyone who can read that directory (the user itself, root, or a backup of the home directory) can decrypt every stored string. This hides secrets from casual disclosure; it is no protection against a compromised account. No -cipher is passed to Crypt::CBC, so its default cipher Crypt::DES (single DES, 56-bit key) is used, which is why dev-perl/Crypt-DES is a dependency; a fresh setup is better off with -cipher => 'Crypt::Rijndael' (dev-perl/Crypt-Rijndael, AES), but changing the cipher makes an existing crypt file unreadable.
#!/usr/bin/perl -w
use strict;
use Getopt::Std;
use Crypt::CBC;
use MIME::Base64;
use vars qw/*opt_h *opt_a *opt_p *opt_r *opt_d *opt_b/;
# ==== Parse the commandline ====
$opt_h="";
$opt_a="";
$opt_p="";
$opt_r="";
$opt_d="";
$opt_b="";
usage() unless getopts('ha:prdb');
# Run help/usage?
usage() if ($opt_h);
my $alias="";
if ($opt_a) {
    if ($opt_a=~/[ \:\n]/) {
        print "ERROR: newlines, : or spaces are not supported in the alias\n";
        exit 1;
    }
    else {
        $alias=$opt_a;
    }
}
else {
    unless ($opt_d) {
        print "ERROR: No alias (-a) specified\n\n";
        usage();
    }
}
# Fall back to the passwd entry if HOME is not set (e.g. in cron jobs)
unless ($ENV{HOME}) {
    $ENV{HOME}=(getpwuid($<))[7] || die "Could not determine the home directory of uid $<";
}
# Key file and crypt file are created readable by the owner only
umask(077);
my $keyfile="$ENV{HOME}/.gtc-crypt/.key";
my $cryptfile="$ENV{HOME}/.gtc-crypt/crypt";
# Get or generate the key
mkdir($ENV{HOME} . "/.gtc-crypt",0700) unless ( -d $ENV{HOME} . "/.gtc-crypt" );
# Get the key if it is existing
my $key;
if (-f $keyfile) {
    open(KEY, "<$keyfile") || die "Could not open the keyfile $keyfile for reading: $!";
    $key=<KEY>;
    close(KEY);
}
# Generate a random key if it is not existing
else {
    # 32 bytes from the kernel CSPRNG, stored hex-encoded. Perl's rand()
    # is not suitable for key material.
    open(RND, "</dev/urandom") || die "Could not open /dev/urandom: $!";
    my $raw;
    read(RND, $raw, 32) == 32 || die "Short read from /dev/urandom";
    close(RND);
    $key=unpack("H*", $raw);
    # write key to keyfile
    open(KEY, ">$keyfile") || die "Could not open the keyfile $keyfile for writing: $!";
    print KEY $key;
    close(KEY);
    chmod 0600, $keyfile;
}
# Read the crypt file
my @crypt;
if (-f $cryptfile) {
    open(CRYPT, "<$cryptfile") || die "Could not open the cryptfile $cryptfile for reading: $!";
    @crypt=<CRYPT>;
    close(CRYPT);
}
# Prepare encryption or decryption. No -cipher is given, so Crypt::CBC uses
# its default Crypt::DES (hence the dev-perl/Crypt-DES dependency); the key
# from the keyfile is stretched with PBKDF2 and a random salt per string.
my $cipher=Crypt::CBC->new(-key => $key,
                           -pbkdf => 'pbkdf2');
# Decrypt the string and print it out if wished
if (($opt_p) || ($opt_d)) {
    my $decrypt;
    foreach my $line (@crypt) {
        if ($opt_d) {
            my $name=$line;
            $name=~s/\:.+$//;
            print $name;
        }
        # \Q...\E: the alias is matched literally, not as a regex
        if ($line=~/^\Q$alias\E\:/) {
            chomp($line);
            $decrypt=$line;
            $decrypt=~s/^\Q$alias\E\://;
        }
    }
    if ($opt_p) {
        die "Alias not found in cryptfile" unless $decrypt;
        print $cipher->decrypt(decode_base64($decrypt));
        print "\n" unless $opt_b;
    }
    exit 0;
}
my $cstring="";
unless (($opt_p) || ($opt_r)) {
    # Get the string
    print "Please enter your string to encrypt: " unless $opt_b;
    my $string=<STDIN>;
    die "ERROR: String is empty" unless (defined($string));
    chomp($string);
    die "ERROR: String is empty" unless (length($string));
    # Crypt it! (empty EOL argument: base64 on a single line)
    $cstring=encode_base64($cipher->encrypt($string), "");
}
# ==== Write to the cryptfile ====
# Write to a temporary file first and rename it at the end, so an aborted
# run cannot leave a truncated cryptfile behind
my $tmpfile="$cryptfile.tmp.$$";
open(CRYPT, ">$tmpfile") || die "Could not open $tmpfile for writing: $!";
my $changed=0;
foreach my $line (@crypt) {
    chomp($line);
    # Is the alias existing?
    if ($line=~/^\Q$alias\E\:/) {
        # Remove / ignore alias if wanted
        if ($opt_r) {
            print "Removing Alias $alias\n";
            $changed=1;
            next;
        }
        # Shall the existing alias be overwritten?
        else {
            unless ($opt_b) {
                print "A string for the alias $alias already exists! Shall I overwrite it? [y/n] ";
                my $yn=<STDIN>;
                $yn="" unless defined($yn);
                chomp($yn);
                $line=$alias . ":" . $cstring if ($yn eq "y");
            }
            else {
                $line=$alias . ":" . $cstring;
            }
            $changed=1;
        }
    }
    # Write the line
    print CRYPT $line . "\n" if $line;
}
# Write new line if the alias is new and should not be removed
print CRYPT $alias . ":" . $cstring . "\n" unless (($changed) || ($opt_r));
close(CRYPT) || die "Could not write $tmpfile: $!";
rename($tmpfile, $cryptfile) || die "Could not replace the cryptfile $cryptfile: $!";
sub usage {
    print "Overview:
=========
This is a small app for storing strings encrypted on your hard disk, e.g. for using passwords in scripts running without interaction in the background. It is not (very) safe, but maybe better than storing plain-text passwords on the hard disk.
Options:
========
-h\t\t-> This help/usage.
-a alias\t-> The alias under which you store your string (no newlines, : or spaces supported).
-p\t\t-> Print out the decrypted string for the given alias (needs -a).
-r\t\t-> Remove the given alias (needs -a).
-d\t\t-> Dump all existing aliases
-b\t\t-> Batch mode\n";
    exit 1;
}
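The script above stores one alias:base64 line per secret and is honest about its limits. The two weak points a practitioner would fix first are the key (32 decimal digits from Perl's rand(), which is not a CSPRNG) and the cipher (Crypt::CBC's default, single DES). The following is an added example written for this page, not the page's gtc-crypt: the same alias store in POSIX sh on top of openssl enc, with a 256-bit key from openssl rand, AES-256-CBC with PBKDF2 key stretching and a fresh salt per entry, and an atomic rewrite of the store. The directory layout (~/.gtc-crypt with .key and crypt) follows the page; GTC_CRYPT_DIR, the function names and the iteration count are my choices. It keeps the page's threat model: whoever can read the key file can decrypt the store.

```bash
#!/bin/sh
# Added example (not the page's gtc-crypt): alias store on top of openssl enc
# with a CSPRNG key, AES-256-CBC and PBKDF2 (needs OpenSSL >= 1.1.1).
set -eu

# Storage directory; override it for tests or service accounts (my assumption)
: "${GTC_CRYPT_DIR:=${HOME:-/tmp}/.gtc-crypt}"
PBKDF2_ITER=200000   # must be identical for put and get

# gtc_crypt_init: create the directory, the key (once) and the store, all
# owner-only via umask instead of a chmod after the fact
gtc_crypt_init() {
    umask 077
    mkdir -p "$GTC_CRYPT_DIR"
    if [ ! -f "$GTC_CRYPT_DIR/.key" ]; then
        # 32 random bytes from the system CSPRNG, hex-encoded, used as passphrase
        openssl rand -hex 32 > "$GTC_CRYPT_DIR/.key"
    fi
    [ -f "$GTC_CRYPT_DIR/crypt" ] || : > "$GTC_CRYPT_DIR/crypt"
}

# gtc_crypt_put ALIAS  (secret on stdin): add or replace ALIAS in the store
gtc_crypt_put() {
    name=$1
    case $name in ''|*' '*|*:*)
        echo "ERROR: alias must not be empty or contain ':' or spaces" >&2; return 1;;
    esac
    secret=$(cat)
    [ -n "$secret" ] || { echo "ERROR: String is empty" >&2; return 1; }
    gtc_crypt_init
    # -pbkdf2 with the default random salt: a fresh derived key per entry
    enc=$(printf '%s' "$secret" | openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
              -a -A -pass "file:$GTC_CRYPT_DIR/.key")
    # Rewrite through a temp file so an aborted run cannot truncate the store
    tmp=$(mktemp "$GTC_CRYPT_DIR/crypt.XXXXXX")
    awk -F: -v a="$name" '$1 != a' "$GTC_CRYPT_DIR/crypt" > "$tmp"
    printf '%s:%s\n' "$name" "$enc" >> "$tmp"
    mv "$tmp" "$GTC_CRYPT_DIR/crypt"
}

# gtc_crypt_get ALIAS: print the decrypted secret without a trailing newline
gtc_crypt_get() {
    line=$(awk -F: -v a="$1" '$1 == a { print; exit }' "$GTC_CRYPT_DIR/crypt")
    [ -n "$line" ] || { echo "ERROR: alias $1 not found" >&2; return 1; }
    printf '%s' "${line#*:}" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -a -A -pass "file:$GTC_CRYPT_DIR/.key"
}

# gtc_crypt_list: print the stored aliases, one per line
gtc_crypt_list() {
    cut -d: -f1 "$GTC_CRYPT_DIR/crypt"
}

# Usage from a non-interactive script:
#   printf '%s' "$MAILPASS" | gtc_crypt_put mail      # once, interactively
#   PASS=$(gtc_crypt_get mail)                        # later, from cron
```

The store format stays compatible in spirit with the page's tool (alias, colon, base64 blob), so the same -d style listing and the same file permissions apply; what changed is only where the entropy comes from and which cipher protects it.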
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/sbin/gtc-crypt
Changed on 30.11.10
This is a small app for storing strings encrypted on your hard disk, e.g. for using passwords in scripts that run without interaction in the background. It is not (very) safe, but maybe better than storing plain-text passwords on the hard disk; the same caveats as for /gtc/test/etc/thinclient/scripts/gtc-crypt above apply, and the content is identical to that file.
cd /gtc/pxe ; grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --fonts="unicode" -o bootx64.efi boot/grub/grub.cfg
If you want to use this solution you need the following howto(s) finished:
emerge net-fs/nfs-utils
emerge sys-boot/syslinux
emerge net-ftp/tftp-hpa
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/in.tftpd
Changed on 04.04.10
Path for PXE files and the necessary boot options for tftpd. -s chroots tftpd into the PXE directory and -u nobody drops its privileges; -p skips tftpd's additional permission checks on top of the normal file permissions of that user, so keep the PXE tree owned by root and not writable by nobody.
INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH}"
After change
INTFTPD_PATH="/gtc/pxe"
#INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH} --refuse blksize --refuse tsize --refuse blksize2 --user nobody -vvv"
INTFTPD_OPTS="-p -u nobody -s ${INTFTPD_PATH} -vvv"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/dhcp/dhcpd.conf
Changed on 06.09.08
This is for starting the syslinux (pxelinux) boot manager for thin clients booting over PXE. The client system architecture option (code 93, RFC 4578) selects the boot file: x86-64 EFI clients (00:07 and 00:09) get bootx64.efi, everything else gets pxelinux.0. Note that 32-bit EFI clients (00:06) fall into the else branch and would be handed the BIOS loader.
next-server my.lan.ip.addr;
option architecture-type code 93 = unsigned integer 16;
if option architecture-type = 00:09 {
filename "bootx64.efi";
} elsif option architecture-type = 00:07 {
filename "bootx64.efi";
} else {
filename "pxelinux.0";
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/exports
Changed on 23.12.08
NFS4-configuration for the test and production environment of the thin clients.
#/gtc XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX(fsid=0,no_subtree_check,async,ro,no_root_squash,insecure)
/gtc/test my.lan.network.ip/XXX.XXX.XXX.XXX(fsid=1,no_subtree_check,async,ro,no_root_squash,insecure) XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX(fsid=1,no_subtree_check,async,ro,no_root_squash,insecure)
/gtc/stable my.lan.network.ip/XXX.XXX.XXX.XXX(fsid=2,no_subtree_check,async,ro,no_root_squash,insecure) XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX(fsid=1,no_subtree_check,async,ro,no_root_squash,insecure)
/srv/vms XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX(fsid=3,no_subtree_check,async,rw,no_root_squash,insecure)
Two things to check before copying this: the second client entry of /gtc/stable carries fsid=1, which is already the fsid of /gtc/test, and every client entry of one export path should use the same fsid (here 2). no_root_squash is needed because the thin clients mount their root filesystem as root, and insecure accepts client source ports above 1023; on /srv/vms these are combined with rw, so every host matched by that entry can write to /srv/vms as root. Keep the address ranges as narrow as the thin clients allow.
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/pxe/pxelinux.cfg/default
Changed on 06.09.08
Boot menu configuration for PXE boots.
default menu.c32
prompt 0
menu title GTC-PXELinux Boot Menu
NOESCAPE 1
ALLOWOPTIONS 1
MENU AUTOBOOT Starting Gentoo Thinclient in # seconds
label stable
timeout 100
menu default
menu label ^Gentoo Stable Thinclient 5.10.61
kernel /kernel-genkernel-x86_64-5.10.61-gentoo
append initrd=/initramfs-genkernel-x86_64-5.10.61-gentoo root=/dev/nfs nfsroot=my.lan.ip.addr:/gtc/stable ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs raid=noautodetect consoleblank=0 clocksource=hpet
ipappend 3
label test
menu label ^Gentoo Test Thinclient 5.10.76
kernel /kernel-genkernel-x86_64-5.10.76-gentoo-r1
append initrd=/initramfs-genkernel-x86_64-5.10.76-gentoo-r1 root=/dev/nfs nfsroot=my.lan.ip.addr:/gtc/test ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs raid=noautodetect consoleblank=0 clocksource=hpet
ipappend 3
label bootlocal
menu label ^Boot from local Disk
localboot 0
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/nfs
Changed on 23.12.08
The rpc.mountd should listen on port 32767 (needed for some firewall settings).
#OPTS_RPC_MOUNTD=""
After change
OPTS_RPC_MOUNTD="-p 32767"
The rpc.statd should listen on port 32765 and send outgoing connections over port 32766 (needed for some firewall settings).
#OPTS_RPC_STATD=""
After change
OPTS_RPC_STATD="-p 32765 -o 32766"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/thinclient/server-profile/etc/exports
Changed on 23.12.08
NFS(4)-configuration for the test and production environment of the thin clients.
/opt/gtcroot *(fsid=0,crossmnt,no_subtree_check,async,ro,no_root_squash,insecure,nohide)
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /usr/local/sbin/mkgtcstable.sh
Changed on 29.06.09
This is a small script for creating the stable environment from the test environment.
#!/bin/bash
set -x
/etc/init.d/rsyncd stop
#mv /gtc/test/usr/portage/distfiles/jre* /srv/tmp
rm -rf /gtc/test/usr/portage/distfiles/*
#mv /srv/tmp/jre* /gtc/test/usr/portage/distfiles/
if mount | grep -q "on /gtc type btrfs"
then
    btrfs subvolume delete /gtc/stable
    btrfs subvolume snapshot /gtc/test /gtc/stable
    btrfs property set /gtc/stable ro false
    rsync -aXAH --delete --exclude=distfiles /gtc/test/usr/portage/ /gtc/stable/usr/portage/
else
    rsync -aXAH --delete /gtc/test/ /gtc/stable/ --exclude=/_gtcroot/ --exclude=/gtcdvd/ --exclude=/proc/ --exclude=/sys/ --exclude=/tmp/ --exclude=/var/tmp --exclude=/root
fi
mkdir -p /gtc/stable/proc
mkdir -p /gtc/stable/sys
mkdir -p /gtc/stable/tmp
mkdir -p /gtc/stable/root
chmod 0700 /gtc/stable/root
chmod 1777 /gtc/stable/tmp
mkdir -p /gtc/stable/var/tmp/portage
chmod 1777 /gtc/stable/var/tmp
mkdir -p /gtc/stable/_gtcroot
for i in `find /gtc/stable/var/log/ -type f`
do
    >$i
done
rm -r /gtc/stable/usr/share/doc
rm -r /gtc/stable/usr/share/gtk-doc
for i in `find /gtc/stable/usr/src -maxdepth 1 -type d | grep linux`
do
    cd $i
    # Rest needed for Kernel modules eg nvidia-drivers
    make clean
    cd -
done
btrfs property set /gtc/stable ro true
/etc/init.d/rsyncd start
/etc/init.d/nfs restart
/gtc/pxe/linkkernel.sh
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add nfs
rc-update add in.tftpd
rc-update add rpc.idmapd default
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/az
Changed on 05.05.10
This is a small script which sorts files (or directories) into directories called A-Z, a-z and 0-9 (everything else goes to _). With -i as second argument the lower-case directories are merged into the upper-case ones afterwards.
#!/bin/bash
# Usage: az DIRECTORY [-i]
if [ -z "$1" ]
then
    echo "No directory argument"
    exit 1
fi
cd "$1" || exit 1
# Sort alphabetical
for i in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
do
    # A glob instead of "ls | while read" keeps names with spaces intact
    for j in "$i"?*
    do
        [ -e "$j" ] || continue
        mkdir -p "$i"
        if [ -d "$i/$j" ]
        then
            # Target already exists (re-run): merge via hard links, then drop the source
            cp -lr "$j"/* "$i/$j"/ && rm -r "$j"
        else
            echo "mv \"$j\" \"$i\"/"
            mv "$j" "$i"/
        fi
    done
done
# Sort non-Alphabetical Characters to _
if [ -n "`ls ??* 2>/dev/null `" ]
then
    mkdir -p _
    mv ??* _
fi
# Ignore Case sensitive
if [ "$2" = "-i" ]
then
    for i in a b c d e f g h i j k l m n o p q r s t u v w x y z
    do
        j=$(printf '%s' "$i" | tr '[:lower:]' '[:upper:]')
        if [ -d "$i" ]
        then
            # The upper-case directory may not exist yet
            mkdir -p "$j"
            mv "$i"/* "$j"/
            rmdir "$i"
        fi
    done
fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /usr/local/bin/az
Changed on 05.05.10
This is a small script which sorts files (or directories) into directories called A-Z, a-z and 0-9 (everything else goes to _). With -i as second argument the lower-case directories are merged into the upper-case ones afterwards.
#!/bin/bash
# Usage: az DIRECTORY [-i]
if [ -z "$1" ]
then
    echo "No directory argument"
    exit 1
fi
cd "$1" || exit 1
# Sort alphabetical
for i in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
do
    # A glob instead of "ls | while read" keeps names with spaces intact
    for j in "$i"?*
    do
        [ -e "$j" ] || continue
        mkdir -p "$i"
        if [ -d "$i/$j" ]
        then
            # Target already exists (re-run): merge via hard links, then drop the source
            cp -lr "$j"/* "$i/$j"/ && rm -r "$j"
        else
            # echo "mv \"$j\" \"$i\"/"
            mv "$j" "$i"/
        fi
    done
done
# Sort non-Alphabetical Characters to _
if [ -n "`ls ??* 2>/dev/null `" ]
then
    mkdir -p _
    mv ??* _
fi
# Ignore Case sensitive
if [ "$2" = "-i" ]
then
    for i in a b c d e f g h i j k l m n o p q r s t u v w x y z
    do
        j=$(printf '%s' "$i" | tr '[:lower:]' '[:upper:]')
        if [ -d "$i" ]
        then
            # The upper-case directory may not exist yet
            mkdir -p "$j"
            mv "$i"/* "$j"/
            rmdir "$i"
        fi
    done
fi
If you want to use this solution you need the following howto(s) finished:
emerge net-www/awstats
(net-www/awstats is called www-misc/awstats in current Gentoo trees.)
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/awstats/awstats.gabosh.net.conf
Changed on 18.02.09
This is the AWStats configuration for my gabosh.net Apache vHost.
LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="example.com"
HostAliases="example.com smtp.example.com pop.example.com pop3.example.com mail.example.com silent-gabosh.example.com silent.example.com gabosh.example.com imap.example.com ns1.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain = 1
MaxNbOfHostsShown = 10
MinHitHost = 1
MaxNbOfLoginShown = 10
MinHitLogin = 1
MaxNbOfRobotShown = 10
MinHitRobot = 1
MaxNbOfPageShown = 10
MinHitFile = 1
MaxNbOfOsShown = 10
MinHitOs = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth = 260
BarHeight = 90
StyleSheet=""
ExtraTrackedRowsLimit=500
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/awstats/awstats.mailserver.conf
Changed on 18.02.09
This is the AWStats configuration for my mail server.
SiteDomain="silent-gabosh.example.com"
HostAliases="localhost 127.0.0.1 example.com"
LogFile="/usr/bin/awstats_maillogconvert.pl standard < /var/log/maillog.log |"
LogType=M
LogFormat="%time2 %email %email_r %host %host_r %method %url %code %bytesd"
DirIcons="/intern/awstats/icon"
DirData="/var/lib/awstats"
DNSLookup=1
LevelForBrowsersDetection=0
LevelForOSDetection=0
LevelForRefererAnalyze=0
LevelForRobotsDetection=0
LevelForWormsDetection=0
LevelForSearchEnginesDetection=0
LevelForFileTypesDetection=0
ShowMenu=1
ShowSummary=HB
ShowMonthStats=HB
ShowDaysOfMonthStats=HB
ShowDaysOfWeekStats=HB
ShowHoursStats=HB
ShowDomainsStats=0
ShowHostsStats=HBL
ShowAuthenticatedUsers=0
ShowRobotsStats=0
ShowEMailSenders=HBML
ShowEMailReceivers=HBML
ShowSessionsStats=0
ShowPagesStats=0
ShowFileTypesStats=0
ShowFileSizesStats=0
ShowBrowsersStats=0
ShowOSStats=0
ShowOriginStats=0
ShowKeyphrasesStats=0
ShowKeywordsStats=0
ShowMiscStats=0
ShowHTTPErrorsStats=0
ShowSMTPErrorsStats=1
File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---
Click here for a download of the complete file: /usr/local/bin/awstats
Changed on 03.02.09
Create statistics every day and write them into the webserver path
#!/bin/bash
# Directory for static statistics
WEBDIR=/var/www/www.example.com/htdocs/intern/awstats
MONTH=$(date +%B-%Y)

# Create mail server statistics
WPATH=$WEBDIR/mailserver/$MONTH
mkdir -p "$WPATH"
/usr/bin/awstats_buildstaticpages.pl -config=mailserver -update -dir="$WPATH" >/dev/null
ln -f "$WPATH/awstats.mailserver.html" "$WPATH/index.html"

# One AWStats configuration per web domain: every vhost file plus every
# member of the "share" group (as <user>.example.com)
DOMS=$(ls -1 /etc/apache2/vhosts.d/vhosts/ | perl -pe 's/\.vhost$//; s/\.sslvhost$//;' | sort -u)
DOMS="$DOMS $(getent group share | cut -d: -f4 | perl -pe 's/,/.example.com /g; s/$/.example.com/g;')"
for DOM in $DOMS
do
cat <<EOF >/etc/awstats/awstats.$DOM.conf
LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="$DOM"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 66.133.109.36 64.78.149.164 127.0.0.1 REGEX[^212\.6\.102\.] REGEX[^192\.168\.] REGEX[^10\.] REGEX[^172\.23\.] REGEX[^172\.25\.]"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain = 1
MaxNbOfHostsShown = 10
MinHitHost = 1
MaxNbOfLoginShown = 10
MinHitLogin = 1
MaxNbOfRobotShown = 10
MinHitRobot = 1
MaxNbOfPageShown = 10
MinHitFile = 1
MaxNbOfOsShown = 10
MinHitOs = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth = 260
BarHeight = 90
StyleSheet=""
ExtraTrackedRowsLimit=500
EOF
WPATH=$WEBDIR/$DOM/$MONTH
mkdir -p "$WPATH"
/usr/bin/awstats_buildstaticpages.pl -config=$DOM -update -dir="$WPATH" >/dev/null
ln -f "$WPATH/awstats.$DOM.html" "$WPATH/index.html"
done
Please send a feedback to: doc<at>gabosh.net
[...]
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from XXX.XXX.XXX.XXX
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from XXX.XXX.XXX.XXX
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from XXX.XXX.XXX.XXX
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from XXX.XXX.XXX.XXX
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from XXX.XXX.XXX.XXX
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from XXX.XXX.XXX.XXX
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user test10 from XXX.XXX.XXX.XXX
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin1 from XXX.XXX.XXX.XXX
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin2 from XXX.XXX.XXX.XXX
Jul 17 15:19:13 silent-gabosh sshd[4443]: Invalid user admin3 from XXX.XXX.XXX.XXX
Jul 17 15:19:15 silent-gabosh sshd[4447]: Invalid user admin4 from XXX.XXX.XXX.XXX
Jul 17 15:19:17 silent-gabosh sshd[4451]: Invalid user admin5 from XXX.XXX.XXX.XXX
Jul 17 15:19:19 silent-gabosh sshd[4455]: Invalid user admin6 from XXX.XXX.XXX.XXX
[...]
If you want to use this solution you need the following howto(s) finished:
emerge net-analyzer/fail2ban
emerge net-firewall/iptables
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /etc/cron.hourly/f2bcheck
Changed on 07.06.10
I noticed that fail2ban sometimes stops working (for whatever reason), so I built this small check cron job.
#!/bin/bash
# Restart fail2ban if no fail2ban process is running any more
if ! ps ax | grep fail2ban | grep -v grep >/dev/null
then
	echo "NOT RUNNING $(date)" >>/var/log/fail2bancheck.log
	/etc/init.d/fail2ban stop >/dev/null 2>/dev/null
	/etc/init.d/fail2ban zap >/dev/null 2>/dev/null
	sleep 2
	# Wait until every leftover fail2ban process is gone
	while ps ax | grep -v grep | grep -q fail2ban
	do
		echo -n "."
		sleep 1
	done
	# Remove the stale socket, otherwise the server refuses to start
	rm -f /var/run/fail2ban/fail2ban.sock
	/etc/init.d/fail2ban start >/dev/null 2>/dev/null
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/fail2ban/action.d/sendmail-common.local
Changed on 25.02.14
No mail at startup/shutdown
[Definition]
actionstart =
actionstop =
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/fail2ban/jail.conf
Changed on 25.02.14
Ignore local networks
#ignoreip = 127.0.0.1/8 ::1
After change
ignoreip = 127.0.0.1/8 my.lan.network.ip/16 172.24.0.0/16 172.25.0.0/16 79.255.254.199 2003:f2:d7ff:a2:548f:10f7:f60f:6006
Destination e-mail
destemail = mail@example.com
After change
destemail = mail@example.com
Sender e-mail
sender = root@<fq-hostname>
After change
sender = fail2mail@example.com
Set the default action to ban plus mail with whois output and the matching log lines (action_mwl)
action = %(action_)s
After change
action = %(action_mwl)s
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/fail2ban/jail.d/gabosh.conf
Changed on 25.02.14
Some jails for different services
#### SSH ####
[sshd]
enabled = true
port = ssh
logpath = /var/log/sshd.log
bantime = 5m

#### MAIL ####
#[postfix]
#enabled = true
#port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
#logpath = /var/log/maillog.log
#bantime = 60m

[postfix-rbl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
maxretry = 1
bantime = 60m

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

[cyrus-imap]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

[sieve]
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath = /var/log/maillog.log
bantime = 60m

#### WEB ####
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
bantime = 60m

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-botsearch]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-fakegooglebot]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-overflows]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-pass]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-shellshock]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[php-url-fopen]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 1
bantime = 60m

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/*log
maxretry = 6
bantime = 60m

#### CHAT ####
[ejabberd-auth]
enabled = true
port = 5222
logpath = /var/log/jabber/ejabberd.log
bantime = 60m
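What the [sshd] jail above does with log lines like the excerpt at the top of this howto (bantime = 5m; maxretry and findtime left at fail2ban's defaults of 5 and 10m) is easy to model. The following is an added example and not code from this howto or from fail2ban: a sliding-window jail that replays constructed sshd lines and reports bans and unbans. The regex is a simplified stand-in for fail2ban's sshd filter; the hostname is taken from the excerpt, the source addresses come from the RFC 5737 documentation ranges, the PIDs are invented, and the year (syslog lines carry none) is assumed to be 2020.

```python
"""Sliding-window ban logic in fail2ban's jail.conf vocabulary, replayed
over sshd 'Invalid user' lines like the ones in the excerpt above.
Added example: not code from this howto or from fail2ban.  The regex is a
simplified stand-in for fail2ban's sshd filter; hostname as in the
excerpt, source addresses from the RFC 5737 documentation ranges, PIDs
invented, and the year (absent from syslog lines) assumed to be 2020."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified stand-in for fail2ban's sshd filter (assumption: syslog
# timestamp without year, "Invalid user <name> from <ip>").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from 198.51.100.23
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from 198.51.100.23
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from 198.51.100.23
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from 198.51.100.23
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from 198.51.100.23
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from 198.51.100.23
Jul 17 15:19:07 silent-gabosh sshd[4431]: Accepted publickey for user1 from 127.0.0.1 port 4242 ssh2
Jul 17 15:20:00 silent-gabosh sshd[4440]: Invalid user tester from 127.0.0.1
Jul 17 15:30:00 silent-gabosh sshd[4500]: Invalid user admin from 203.0.113.9
Jul 17 15:30:05 silent-gabosh sshd[4503]: Invalid user admin1 from 203.0.113.9
Jul 17 15:30:10 silent-gabosh sshd[4506]: Invalid user admin2 from 203.0.113.9
Jul 17 15:30:15 silent-gabosh sshd[4509]: Invalid user admin3 from 203.0.113.9
Jul 17 15:45:00 silent-gabosh sshd[4600]: Invalid user admin4 from 203.0.113.9
"""


def parse_line(line, year=2020):
    """Return (timestamp, ip, user) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class Jail:
    """maxretry failures from one address within findtime -> ban for
    bantime; addresses inside ignoreip are never counted."""

    def __init__(self, maxretry=5, findtime=600, bantime=300,
                 ignoreip=("127.0.0.1/8",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = {}  # ip -> failure timestamps still inside findtime
        self.bans = {}      # ip -> timestamp at which the ban expires
        self.events = []    # ("ban" | "unban", ip, timestamp), in order

    def _is_ignored(self, ip):
        try:
            addr = ip_address(ip)
        except ValueError:  # redacted or unparseable address: count it
            return False
        return any(addr in net for net in self.ignore)

    def _expire_bans(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, until))

    def observe(self, ts, ip):
        """Feed one failure; return True if it triggered a ban."""
        self._expire_bans(ts)
        if self._is_ignored(ip) or ip in self.bans:
            return False
        window = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime]
        window.append(ts)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            self.failures[ip] = []
            self.events.append(("ban", ip, ts))
            return True
        return False


def run_jail(log_text, **jail_opts):
    """Replay a log through a Jail and return it (see .bans and .events)."""
    jail = Jail(**jail_opts)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            jail.observe(parsed[0], parsed[1])
    return jail


if __name__ == "__main__":
    # bantime=300 mirrors "bantime = 5m" in the [sshd] jail above;
    # maxretry=5 and findtime=600 are fail2ban's defaults.
    for kind, ip, when in run_jail(SAMPLE_LOG).events:
        print(when.isoformat(), kind, ip)
```

With the sample log the first address is banned on its fifth failure at 15:19:04 and released five minutes later; the second address collects four failures and a fifth one fifteen minutes later, which falls outside findtime and therefore never reaches maxretry; the 127.0.0.1 line is skipped because of ignoreip. Lowering findtime or maxretry (the jail's constructor arguments) shows how the same log turns into more or fewer bans.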
To start the new service automatically after a reboot, add it to a runlevel with the following command(s):
rc-update add fail2ban
rm /etc/make.profile
ln -s /usr/portage/profiles/default/linux/x86/2008.0/desktop /etc/make.profile
chroot /srv/thinclient/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-arch/p7zip sys-apps/sdparm sys-apps/hdparm app-arch/unace app-arch/unarj app-arch/unlzx app-arch/rar app-arch/arj app-arch/lha app-arch/unadf app-misc/mc app-cdr/k3b app-editors/vim app-office/openoffice app-portage/genlop app-portage/gentoolkit app-text/acroread dev-util/strace media-sound/alsa-tools media-sound/alsa-utils media-sound/musescore media-sound/timidity++ media-video/dvdrip net-im/licq net-wireless/ipw2100-firmware net-wireless/ipw2200-firmware sys-kernel/gentoo-sources sys-libs/libstdc++-v3 sys-process/vixie-cron virtual/libstdc++ www-client/mozilla-firefox www-plugins/adobe-flash sys-power/acpid app-laptop/radeontool sys-fs/dosfstools app-text/unix2dos app-text/dos2unix net-analyzer/nmap net-misc/netkit-telnetd sys-apps/parted sys-block/gparted mail-client/mozilla-thunderbird net-wireless/bluez-firmware net-wireless/bluez-hcidump sys-apps/ethtool sys-kernel/linux-firmware media-gfx/gimp net-misc/rdate net-misc/ntp net-nds/yp-tools net-nds/ypbind app-emulation/wine sys-process/htop media-video/kino media-sound/audacity games-action/chromium net-print/foomatic-filters-ppds net-im/skype net-analyzer/iptraf app-mobilephone/wammu app-mobilephone/gnokii net-fs/curlftpfs sys-fs/sshfs-fuse net-fs/fusesmb sys-power/acpid app-office/qbankmanager app-office/grisbi app-cdr/xfburn x11-terms/terminal app-editors/mousepad app-office/orage media-gfx/ristretto media-sound/grip media-gfx/gqview media-plugins/mytharchive media-plugins/mythbrowser media-plugins/mythcontrols media-plugins/mythflix media-plugins/mythgallery media-plugins/mythgame media-plugins/mythmovies media-plugins/mythmusic media-plugins/mythnews media-plugins/mythphone media-plugins/mythvideo media-plugins/mythweather media-plugins/mythzoneminder dev-python/imdbpy net-im/pidgin media-sound/tagtool media-sound/audacious media-plugins/audacious-plugins media-plugins/audacious-xosd x11-themes/audacious-themes app-arch/xarchiver media-gfx/inkscape app-office/dia app-misc/fdupes dev-util/geany media-sound/id3v2 media-libs/exiftool dev-perl/MP3-Tag'
If you want to use this solution you need the following howto(s) finished:
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-admin/rsyslog'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/nfs-utils'
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /etc/cron.weekly/gtcupdate
Changed on 05.01.09
Update the thin client system automatically once a week. Caveat: the Jameica and Hibiscus archives are fetched below over plain HTTP and unpacked as root into /opt and into the thin client root without any checksum or signature verification (the version files that are downloaded are never used), so anyone who can tamper with that traffic can replace the program.
#!/bin/bash
. /etc/bash/gaboshlib.include
g_lockfile
g_nice
# Hibiscus
g_echo_ok "Hibiscus Update"
ARCH=`uname -m | grep -o '64'`
JAMEICAVERSION=`wget -q -O - http://www.willuhn.de/products/jameica/releases/version-nightly`
HIBISCUSVERSION=`wget -q -O - http://www.willuhn.de/products/hibiscus/releases/version-nightly`
cd $g_tmp
wget -q http://www.willuhn.de/products/jameica/releases/current/jameica/jameica-linux64.zip
wget -q http://www.willuhn.de/products/hibiscus/releases/current/hibiscus.zip
hibiscusfile="hibiscus.zip"
jameicafile="jameica-linux64.zip"
cd /opt
rm -rf /opt/jameica
unzip -q $g_tmp/${jameicafile}
cd jameica/plugins
unzip -q $g_tmp/${hibiscusfile}
umg=test
rm -rf /gtc/$umg/opt/jameica
cd /gtc/$umg/opt
unzip -q $g_tmp/${jameicafile}
cd jameica/plugins
unzip -q $g_tmp/${hibiscusfile}
echo -e "[Desktop Entry]\n"\
"Name=Hibiscus\n"\
"Comment=Hibiscus die freie Homebanking-Anwendung\n"\
"Exec=/opt/jameica/jameica.sh\n"\
"Terminal=false\n"\
"Encoding=UTF-8\n"\
"Type=Application\n"\
"Icon=/opt/jameica/jameica-icon.png\n"\
"Categories=Office;Finance\n"\
> /gtc/$umg/usr/share/applications/Hibiscus.desktop
cat /gtc/$umg/usr/share/applications/Hibiscus.desktop >/usr/share/applications/Hibiscus.desktop
rm $g_tmp/${jameicafile}
rm $g_tmp/${hibiscusfile}
# Apache Config
cp -p /etc/apache2/vhosts.d/00_gabosh.conf /gtc/test/etc/apache2/vhosts.d/
cp -p /etc/apache2/vhosts.d/letsencrypt.include /gtc/test/etc/apache2/vhosts.d/
# Update GTC
g_echo_ok "Gentoo-GTC-Update in detached tmux"
cp -p /etc/bash/gaboshlib.include /gtc/$umg/etc/bash/gaboshlib.include
cat <<EOF > /gtc/$umg/root/Gentoo-GTC-Update.sh
#!/bin/bash
. /etc/bash/gaboshlib.include
g_portagesync
# Kernel
emerge gentoo-sources
gtc-buildkernel
g_gentooupdate
# JavaScript DLC decrypter from npmjs.com (MIT License)
npm update -g decrypt-dlc-cli
# Icons
rm -f /usr/share/applications/hp-uiscan.desktop /etc/xdg/autostart/hplip-systray.desktop
rm -f /etc/xdg/autostart/._cfg0000_hplip-systray.desktop /usr/share/applications/._cfg0000_hp-uiscan.desktop
# Start(Sub)menu
echo '<!DOCTYPE Menu PUBLIC "-//freedesktop//DTD Menu 1.0//EN"
"http://www.freedesktop.org/standards/menu-spec/menu-1.0.dtd">
<Menu>
<Name>Applications</Name>
<Menu>
<Name>GTC</Name>
<Directory>GTC.directory</Directory>
<Include>
<Category>GTC</Category>
</Include>
<Menu>
<Name>GTC-System</Name>
<Directory>GTC.directory</Directory>
<Include>
<Category>GTC-System</Category>
</Include>
</Menu>
<Menu>
<Name>GTC-Tools</Name>
<Directory>GTC.directory</Directory>
<Include>
<Category>GTC-Programs-Accessories</Category>
</Include>
</Menu>
</Menu>
</Menu>
' >/etc/xdg/menus/applications-merged/gtc.menu
echo '[Desktop Entry]
Type=Directory
Name=GTC
Icon=/usr/share/icons/gentoo/64x64/gentoo.png
' >/usr/share/desktop-directories/GTC.directory
echo "[Desktop Entry]
Name=GTC Desktopfreigabe
Comment=X11VNC über SSH-Tunnel
Exec=mate-terminal --window --command=/etc/thinclient/scripts/gtc-x11vnc
Path=
Icon=help-browser
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Network;
">/usr/share/applications/gtc-x11vnc.desktop
echo "[Desktop Entry]
Name=GTC Desktopfreigabe beenden
Comment=X11VNC über SSH-Tunnel
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/gtc-x11vnc STOP\"
Path=
Icon=help-browser
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Network;
">/usr/share/applications/gtc-x11vnc-stop.desktop
echo "[Desktop Entry]
Name=GTC Config editieren
Comment=
Exec=mate-terminal --window --command=\"sudo -i leafpad /etc/current-gtc-profile/thinclient.conf\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-editprofile.desktop
echo "[Desktop Entry]
Name=GTC Startscript editieren
Comment=
Exec=mate-terminal --window --command=\"sudo -i leafpad /etc/current-gtc-profile/start.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-editstartsh.desktop
echo "[Desktop Entry]
Name=GTC NVIDIA Legacy Treiber aktivieren
Comment=
Exec=mate-terminal --window --command=\"sudo -i /etc/thinclient/scripts/gtc-nvidia-legacy-driver\"
Path=
Icon=nvidia-settings
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-nvidialegacy.desktop
echo "[Desktop Entry]
Name=GTC NVIDIA OpenSource Treiber aktivieren
Comment=
Exec=mate-terminal --window --command=\"sudo -i /etc/thinclient/scripts/gtc-nouveau\"
Path=
Icon=nvidia-settings
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-nvidianouveau.desktop
echo "[Desktop Entry]
Name=GTC NVIDIA Treiber aktivieren
Comment=
Exec=mate-terminal --window --command=\"sudo -i /etc/thinclient/scripts/gtc-nvidia\"
Path=
Icon=nvidia-settings
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-nvidia.desktop
echo "[Desktop Entry]
Name=GTC Druckerverwaltung
Comment=
Exec=firefox localhost:631
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-printconfig.desktop
echo "[Desktop Entry]
Name=GTC Update
Comment=Linux Update
Exec=mate-terminal --window --command=\"sudo -i /etc/thinclient/scripts/gtc-update\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-update.desktop
echo "[Desktop Entry]
Name=GTC Update erzwingen
Comment=Linux Update erzwingen
Exec=mate-terminal --window --command=\"sudo -i /etc/thinclient/scripts/gtc-update-force\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-update-force.desktop
echo "[Desktop Entry]
Name=GTC Release Notes
Comment=GTC Release Notes
Exec=mate-terminal --window --command=\"leafpad /etc/thinclient/gtc-release-notes\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-release-notes.desktop
echo "[Desktop Entry]
Name=GTC Passwort von root ändern
Comment=Root/Admin Passwort ändern
Exec=mate-terminal --window --command=\"sudo -i passwd || sleep 30\"
Path=
Icon=user-available
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-rootpasswd.desktop
echo "[Desktop Entry]
Name=GTC Passwort von User ändern
Comment=Passwort ändern
Exec=mate-terminal --window --command=\"passwd || sleep 30\"
Path=
Icon=avatar-default
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-passwd.desktop
echo "[Desktop Entry]
Name=GTC Samba Passwort von User ändern
Comment=Passwort ändern
Exec=mate-terminal --window --command=\"smbpasswd || sleep 30\"
Path=
Icon=avatar-default
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-smbpasswd.desktop
echo "[Desktop Entry]
Name=Brave Browser
Comment=
Exec=/etc/thinclient/scripts/brave-browser.sh
Path=
Icon=/usr/share/icons/gabosh/brave-browser.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-brave-browser.desktop
echo "[Desktop Entry]
Name=Geotag for Images
Comment=
Exec=/usr/bin/java -jar /usr/local/lib/geotag-0.103.jar
Path=
Icon=/usr/share/icons/gabosh/geotag.gif
Terminal=false
StartupNotify=false
Type=Application
Categories=Graphics;2DGraphics;RasterGraphics;GTK;
" >/usr/share/applications/geotag.desktop
echo "[Desktop Entry]
Name=GTC Speichermedium verschlüsseln
Comment=Device verschlüsseln
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/gtc-cryptdevice\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-cryptdevice.desktop
echo "[Desktop Entry]
Name=GTC Passwort von verschlüsseltem Speichermedium ändern
Comment=GTC Passwort von verschlüsseltem Speichermedium ändern
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/gtc-cryptdevice-chpass\"
Path=
Icon=avatar-default
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
" >/usr/share/applications/gtc-cryptdevice-chpass.desktop
echo "[Desktop Entry]
Name=Zippyshare DLC in Downloads
Comment=Decrypten und herunterladen von DLC-Dateien in Downloads mit plowdown
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/dlcdown.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Network;
" >/usr/share/applications/gtc-dlcdown.desktop
echo "[Desktop Entry]
Name=Download Video per URL
Comment=Herunterladen von Videos per youtube-dl per URL nach Downloads
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/youtube-dl.sh --proxy localhost:8118\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Network;
" >/usr/share/applications/gtc-youtube-dl.desktop
echo "[Desktop Entry]
Name=Download Video per URL ohne Tor
Comment=Herunterladen von Videos per youtube-dl per URL nach Downloads ohne Tor
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/youtube-dl.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Network;
" >/usr/share/applications/gtc-youtube-dl-wotor.desktop
echo "[Desktop Entry]
Name=Install/Update Nextcloud
Comment=Install/Update Nextcloud in docker container
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/docker-nextcloud.sh\"
Path=
Icon=/usr/share/icons/gabosh/nextcloud.ico
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;
" >/usr/share/applications/gtc-nextcloud.desktop
echo "[Desktop Entry]
Name=Install/Update Wordpress
Comment=Install/Update Wordpress in docker container
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/docker-wordpress.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;
" >/usr/share/applications/gtc-wordpress.desktop
echo "[Desktop Entry]
Name=Komprimiere Mediendateien
Comment=Komprimiere Videos, Audios, Bilder
Exec=mate-terminal --window --command=\"/etc/thinclient/scripts/media-compress.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;AudioVideo;Audio;Video;
" >/usr/share/applications/gtc-media-compress.desktop
echo "[Desktop Entry]
Name=Alfaview
Comment=Alfaview Conference Tool
Exec=/opt/alfaview/alfaview
Path=/opt/alfaview
Icon=/opt/alfaview/alfaview-Icon.jpg
Terminal=false
StartupNotify=false
Type=Application
Categories=Network;
" >/usr/share/applications/gtc-alfaview.desktop
# netmount starts NetworkManager/the network, which should instead be started by the GTC scripts after the profile rollout
rc-update del netmount default
# Needed so that unlocking the screen works (the PAM helper must run setuid root to verify a password against /etc/shadow on behalf of the non-root screen locker)
chmod u+s /sbin/unix_chkpwd
# Steam Lib links
ln -sf /usr/lib/libva.so /usr/lib/libva.so.1
ln -sf /usr/lib/libva-x11.so /usr/lib/libva-x11.so.1
ln -sf /usr/lib/libva-glx.so /usr/lib/libva-glx.so.1
ln -sf /usr/lib/libva-drm.so /usr/lib/libva-drm.so.1
# Apache
rm -f /etc/apache2/vhosts.d/00_default_*vhost.conf
rm -f /etc/apache2/vhosts.d/._cfg0000_00_default_*vhost.conf
ln -sf /usr/lib64/apache2 /usr/lib/apache2
# PXE
mkdir -p /gtc/pxe
cp -p /usr/share/syslinux/pxelinux.0 /gtc/pxe/
cp -p /usr/share/syslinux/menu.c32 /gtc/pxe/
cp -p /usr/share/syslinux/ldlinux.c32 /gtc/pxe
cp -p /usr/share/syslinux/libutil.c32 /gtc/pxe
ln -f /boot/kernel /gtc/pxe/kernel
ln -f /boot/initrd /gtc/pxe/initrd
mkdir -p /gtc/pxe/pxelinux.cfg
echo '
default menu.c32
prompt 0
menu title GTC-PXELinux Boot Menu
NOESCAPE 1
ALLOWOPTIONS 1
MENU AUTOBOOT Starting GTC Linux in # seconds
label GTC
timeout 100
menu default
menu label ^GTC Linux
kernel /kernel
append initrd=/initrd root=/dev/nfs nfsroot=XXX.XXX.XXX.XXX:/_gtcroot ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs raid=noautodetect consoleblank=0 clocksource=hpet
ipappend 3
label bootlocal
menu label ^Boot from local Disk
localboot 0
' >/gtc/pxe/pxelinux.cfg/default
# So that the Nvidia icons do not show up all over the start menu
etc-update --automode -3 /usr/share/applications/nvidia-settings.desktop
etc-update --automode -7 /etc/xdg/autostart/blueman.desktop
mv /usr/share/applications/nvidia-settings.desktop /usr/share/applications/nvidia-settings.gtc-unused >/dev/null 2>&1
EOF
chmod 700 /gtc/$umg/root/Gentoo-GTC-Update.sh
tmux new-session -d -s "Gentoo-GTC-Update" "chroot /gtc/$umg /bin/bash -c /root/Gentoo-GTC-Update.sh ; /gtc/pxe/linkkernel.sh"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/chromium/default
Changed on 29.06.20
Default start options for Chromium (--password-store=basic bypasses the desktop keyring, so passwords saved in the browser are protected only by the file permissions of the profile)
CHROMIUM_FLAGS=""
After change
CHROMIUM_FLAGS="--password-store=basic --ignore-gpu-blacklist --enable-gpu-rasterization --enable-zero-copy"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/apache2
Changed on 02.04.20
Apache start options for enabling PHP and SSL (plus DAV, proxy, mpm-itk and authnz_external)
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
After change
APACHE2_OPTS="-D DAV -D DAV_FS -D PHP -D SSL -D LANGUAGE -D PROXY -D MPM_ITK -D AUTHNZ_EXTERNAL"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/dhcpd-tornet0
Changed on 28.03.20
Tor net DHCP
DHCPD_CONF="/etc/dhcp/dhcpd-tornet0.conf"
DHCPD_IFACE="tornet0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/dhcpd-vnet0
Changed on 28.03.20
Virtual networking DHCP
DHCPD_CONF="/etc/dhcp/dhcpd-vnet0.conf"
DHCPD_IFACE="vnet0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/display-manager
Changed on 09.10.09
Configure the Thinclient
DISPLAYMANAGER="xdm"
After change
DISPLAYMANAGER="lightdm"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/docker
Changed on 28.03.20
Docker data directory not in the RAM disk
DOCKER_OPTS="-g /home/data/docker"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/hwclock
Changed on 06.09.08
Hardware clock runs on local time
clock="UTC"
After change
clock="local"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/in.tftpd
Changed on 09.10.09
Configure the Thinclient
INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH}"
After change
INTFTPD_PATH="/gtc/pxe"
INTFTPD_OPTS="-p -u nobody -s ${INTFTPD_PATH} -vvv"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/local
Changed on 09.10.09
Allow console input/output in local services
rc_verbose=yes
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/net
Changed on 28.03.20
Virtual networking bridge
bridge_vnet0=""
config_vnet0="XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX"
bridge_forward_delay_vnet0=0
bridge_hello_time_vnet0=1000
enable_ipv6_vnet0="false"
dad_timeout_vnet0=0
Bridge for the transparent Tor proxy
bridge_tornet0=""
config_tornet0="XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX"
bridge_forward_delay_tornet0=0
bridge_hello_time_tornet0=1000
enable_ipv6_tornet0="false"
dad_timeout_tornet0=0
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/NetworkManager
Changed on 11.01.18
Configure the Thinclient networking
INACTIVE_TIMEOUT=1
After change
INACTIVE_TIMEOUT=0
/etc/conf.d/nfs (server for thinclients)
Changed on 23.12.08
Run 20 rpc.nfsd threads on your NFS server so that up to 20 thinclient requests are handled in parallel (-u also enables NFS over UDP)
# If you wish to set the port numbers for lockd,
# please see /etc/sysctl.conf
# Optional services to include in default `/etc/init.d/nfs start`
# For NFSv4 users, you'll want to add "rpc.idmapd" here.
NFS_NEEDED_SERVICES="rpc.idmapd"
# Options to pass to rpc.nfsd
#OPTS_RPC_NFSD="8"
After change
OPTS_RPC_NFSD="-u 20"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/sshd
Changed on 28.11.12
Do not make sshd depend on the net service, so starting it does not wait for DHCP at boot
rc_need="!net"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/conf.d/xdm
Changed on 09.10.09
Configure the Thinclient
DISPLAYMANAGER="xdm"
After change
DISPLAYMANAGER="lightdm"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/crontab
Changed on 19.07.13
System health checks
# Check disk usage
*/5 * * * * root [ -e /etc/thinclient/scripts/check-hdd.sh ] && /etc/thinclient/scripts/check-hdd.sh
30 * * * * root rm -rf /tmp/df-?d??
# Check memory
*/5 * * * * root [ -e /etc/thinclient/scripts/check-mem.sh ] && /etc/thinclient/scripts/check-mem.sh
# Check swap
*/5 * * * * root [ -e /etc/thinclient/scripts/check-swap.sh ] && /etc/thinclient/scripts/check-swap.sh
# Check temperature
*/5 * * * * root [ -e /etc/thinclient/scripts/check-temperature.sh ] && /etc/thinclient/scripts/check-temperature.sh
# Check time
*/5 * * * * root ntpdate -s 0.de.pool.ntp.org >/dev/null 2>&1 || ntpdate -s 1.de.pool.ntp.org >/dev/null 2>&1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/default/btrfsmaintenance
Changed on 03.01.19
Log to syslog instead of stdout
BTRFS_LOG_OUTPUT="stdout"
After change
BTRFS_LOG_OUTPUT="syslog"
Auto find btrfs volumes
BTRFS_BALANCE_MOUNTPOINTS="/"
After change
BTRFS_BALANCE_MOUNTPOINTS="auto"
Auto find btrfs volumes
BTRFS_SCRUB_MOUNTPOINTS="/"
After change
BTRFS_SCRUB_MOUNTPOINTS="auto"
Auto find btrfs volumes
BTRFS_TRIM_MOUNTPOINTS="/"
After change
BTRFS_TRIM_MOUNTPOINTS="auto"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/dhcpcd.conf
Changed on 30.10.09
Timeout for dhcpcd
timeout 20
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/dhcp/dhcpd-tornet0.conf
Changed on 28.03.20
Tor networking DHCP
option domain-name "tornet0";
default-lease-time 600;
max-lease-time 7200;
option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers XXX.XXX.XXX.XXX;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX {
range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}
next-server XXX.XXX.XXX.XXX;
option architecture-type code 93 = unsigned integer 16;
if option architecture-type = 00:09 {
filename "bootx64.efi";
} elsif option architecture-type = 00:07 {
filename "bootx64.efi";
} else {
filename "pxelinux.0";
}
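How the server picks the boot file in the if/elsif/else above: the client sends option 93 (client system architecture, the 16-bit value the `option architecture-type code 93 = unsigned integer 16;` line declares) and the server compares it with 7 and 9. The following is an added example and not code from this howto or from ISC dhcpd: it parses a raw DHCP options field and applies the same rule, refusing an option whose length byte runs past the packet instead of reading beyond it. The option blobs are constructed for the example.

```python
"""Boot-file selection as done by the if/elsif/else in dhcpd-tornet0.conf
above, re-implemented over a raw DHCP options field.  Added example, not
code from the howto or from ISC dhcpd; the option blobs are constructed."""
import struct

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_CLIENT_ARCH = 93   # RFC 4578 client system architecture, 16-bit big-endian
OPT_END = 255

# Values the config above sends to bootx64.efi: 7 = EFI x64 and 9 = EFI
# x64 (the later identifier).  Everything else, including a missing
# option (legacy BIOS clients commonly send 0), gets pxelinux.0.
EFI_X64_ARCHES = {7, 9}


def parse_dhcp_options(blob):
    """Parse the TLV options field (the bytes after the magic cookie) into
    {code: value}.  Repeated options are concatenated as RFC 3396 requires.
    A length byte that runs past the buffer raises instead of being read
    out of bounds, which is the kind of malformed input a hostile client
    on the boot network can send."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d: length byte missing" % code)
        length = blob[i + 1]
        end = i + 2 + length
        if end > len(blob):
            raise ValueError("option %d: length %d runs past the buffer" % (code, length))
        opts[code] = opts.get(code, b"") + blob[i + 2:end]
        i = end
    return opts


def boot_filename(options):
    """Same rule as the config: EFI x64 clients get bootx64.efi, all
    others pxelinux.0.  An option 93 shorter than two bytes is treated
    as absent."""
    raw = options.get(OPT_CLIENT_ARCH, b"")
    if len(raw) < 2:
        return "pxelinux.0"
    (arch,) = struct.unpack("!H", raw[:2])
    return "bootx64.efi" if arch in EFI_X64_ARCHES else "pxelinux.0"


def select_boot_file(blob):
    """Parse and decide in one step; raises ValueError on malformed input."""
    return boot_filename(parse_dhcp_options(blob))


# Constructed option fields: DHCPDISCOVER (option 53 = 1) plus option 93.
EFI_CLIENT = bytes([OPT_MSG_TYPE, 1, 1, OPT_CLIENT_ARCH, 2, 0x00, 0x07, OPT_END])
EFI_CLIENT_NEW = bytes([OPT_MSG_TYPE, 1, 1, OPT_CLIENT_ARCH, 2, 0x00, 0x09, OPT_END])
BIOS_CLIENT = bytes([OPT_MSG_TYPE, 1, 1, OPT_CLIENT_ARCH, 2, 0x00, 0x00, OPT_END])
NO_ARCH = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
TRUNCATED = bytes([OPT_MSG_TYPE, 1, 1, OPT_CLIENT_ARCH, 2, 0x00])


if __name__ == "__main__":
    for name, blob in [("EFI x64 (7)", EFI_CLIENT), ("EFI x64 (9)", EFI_CLIENT_NEW),
                       ("BIOS (0)", BIOS_CLIENT), ("no option 93", NO_ARCH)]:
        print(name, "->", select_boot_file(blob))
```

The two EFI identifiers and the BIOS/absent cases reproduce the three branches of the config; the truncated blob shows why the parser checks the length byte against the remaining buffer before slicing.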
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/dhcp/dhcpd-vnet0.conf
Changed on 28.03.20
Virtual networking DHCP
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/etc-update.conf
Changed on 28.03.20
Automerge without asking
rm_opts="-i"
After change
rm_opts=""
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/exports
Changed on 09.10.09
Configure the Thinclient. The export is read-only, but no_root_squash and insecure mean that root on any client in the allowed range can read every file under /_gtcroot (from any source port), so nothing confidential belongs in the exported tree.
/_gtcroot XXX.XXX.XXX.XXX/XXX.XXX.XXX.XXX(fsid=1,no_subtree_check,async,no_root_squash,ro,insecure)
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/init.d/checkroot
Changed on 19.03.10
This stops remounting/mounting the root on an NFS-booted client. Mounting for it is done in the initrd.
if cat /proc/cmdline | grep -i root=/dev/nfs >/dev/null
then
    exit 0
fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/init.d/procfs
Changed on 17.11.19
Get rid of "binfmt-misc module needs to be loaded" message on boot
# if ! grep -qs binfmt_misc /proc/filesystems &&
#     modprobe -q binfmt-misc; then
#     ewarn "The binfmt-misc module needs to be loaded by" \
#         "the modules service or built in."
# fi
After change
# if ! grep -qs binfmt_misc /proc/filesystems &&
#     modprobe -q binfmt-misc; then
#     ewarn "The binfmt-misc module needs to be loaded by" \
#         "the modules service or built in."
# fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/local.d/gtc.start
Changed on 09.10.09
Configure the Thinclient
/etc/thinclient/startup/gtc-startupconfig 2>&1 | tee -a /var/log/thinclient.log
/etc/init.d/xdm zap >/dev/null 2>&1
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/local.d/gtc.stop
Changed on 19.09.12
Store passwords and mixer settings if the GTC is local
#!/bin/bash
if mount | grep "/_gtcroot type nfs" >/dev/null
then
    echo "This GTC is network booted"
else
    echo "Saving printer settings"
    mkdir -p /_gtcroot/etc/thinclient/profiles/`hostname`/etc/cups
    [ -f /etc/cups/printers.conf ] && cp -p /etc/cups/printers.conf /_gtcroot/etc/thinclient/profiles/`hostname`/etc/cups/
    [ -d /etc/cups/ppd ] && cp -rp /etc/cups/ppd /_gtcroot/etc/thinclient/profiles/`hostname`/etc/cups/
    echo "Saving NetworkManager settings"
    mkdir -p /_gtcroot/etc/thinclient/profiles/`hostname`/etc/NetworkManager/
    rsync -aXAh --delete /etc/NetworkManager/ /_gtcroot/etc/thinclient/profiles/`hostname`/etc/NetworkManager/
    . /etc/thinclient/scripts/gtc-confs.sh
    mkdir -p /_gtcroot/etc/thinclient/profiles/`hostname`/local
    echo "Saving mixersettings"
    alsactl store -f /_gtcroot/etc/thinclient/profiles/`hostname`/local/mixersettings
    echo "Saving passwords"
    cat /etc/shadow | grep -a "^root" > /_gtcroot/etc/thinclient/profiles/`hostname`/local/shadow
    for LU in $LOCALUSER
    do
        cat -vT /etc/shadow | grep -a "^$LU" >> /_gtcroot/etc/thinclient/profiles/`hostname`/local/shadow
    done
    # sync
    sync
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/modprobe.d/iwl4965.conf
Changed on 09.10.09
Speed UP WLAN
options iwl4965 swcrypto=1 11n_disable=1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/modprobe.d/iwlagn.conf
Changed on 09.10.09
Speed UP WLAN
options iwlagn swcrypto=1 11n_disable=1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/modprobe.d/iwlwifi.conf
Changed on 09.10.09
Speed UP WLAN
#options iwlwifi swcrypto=1
options iwlwifi 11n_disable=8
options iwlwifi bt_coex_active=0
#options iwlwifi led_mode=2
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/modprobe.d/snd-hda-intel.conf
Changed on 09.10.09
ThinkPad Sound
options snd_hda_intel model=thinkpad
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/NetworkManager/nm-system-settings.conf
Changed on 28.03.20
Ignore vnet0 and tornet0 by NetworkManager
[keyfile]
unmanaged-devices=interface-name:vnet0;interface-name:tornet0
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/pam.d/login
Changed on 03.01.19
Start gnome-keyring-daemon at login
session optional pam_gnome_keyring.so auto_start
auth optional pam_gnome_keyring.so
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/postfix/main.cf
Changed on 02.07.12
Mailsettings
inet_protocols = ipv4
myorigin = $myhostname
mydestination =
mynetworks_style = subnet
smtpd_relay_restrictions = permit_mynetworks, defer
relay_domains = $myhostname
relayhost = $mydomain
local_recipient_maps =
inet_interfaces = all
local_transport = error:local delivery is disabled
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/profile
Changed on 09.10.09
Everyone in the group should generally have rwx permission, others none
umask 022
After change
umask 007
if [ "$EUID" -eq 0 ]
then
    umask 022
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/ssh/ssh_config
Changed on 05.01.09
Some SSH security settings
## Ciphers Check https://sshcheck.com/server/example.com/8081
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256mail@example.com,aes128mail@example.com
MACs hmac-sha2-512mail@example.com,hmac-sha2-256mail@example.com,umac-128mail@example.com
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /gtc/test/etc/ssh/sshd_config
Changed on 05.01.09
Some SSH security settings
# Ciphers Check https://sshcheck.com/server/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256mail@example.com,aes128mail@example.com
MACs hmac-sha2-512mail@example.com,hmac-sha2-256mail@example.com,umac-128mail@example.com
PermitRootLogin yes
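Added here as an example, not part of the GTC documentation: a small shell audit that parses an sshd_config fragment, compares every KexAlgorithms/HostKeyAlgorithms/Ciphers/MACs entry against an allowlist, and reports a PermitRootLogin yes setting, so the check the comment above does by hand can run locally before the service is restarted. The allowlists and the sample config are constructed assumptions for this example.

```shell
#!/bin/bash
# Added example (not from the GTC documentation): audit an sshd_config
# fragment against an allowlist of algorithms and flag PermitRootLogin yes.
# The allowlists are assumptions chosen for the example.

ALLOWED_KEX="curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256"
ALLOWED_HOSTKEY="ssh-ed25519"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com"

# in_list WORD "LIST": succeed if WORD occurs in the space-separated LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# check_directive CONFIG DIRECTIVE "ALLOWED": print one finding per algorithm
# that is not on the allowlist, or one finding if the directive is absent
# (sshd then silently uses its built-in default list).
check_directive() {
    cfg=$1; directive=$2; allowed=$3
    value=$(grep -i "^[[:space:]]*$directive[[:space:]]" "$cfg" | head -n1 | awk '{print $2}')
    if [ -z "$value" ]; then
        echo "$directive: not set (sshd falls back to its built-in default list)"
        return 0
    fi
    for algo in $(echo "$value" | tr ',' ' '); do
        in_list "$algo" "$allowed" || echo "$directive: $algo is not on the allowlist"
    done
}

# audit_sshd_config FILE: print findings one per line; no output means clean
audit_sshd_config() {
    check_directive "$1" KexAlgorithms "$ALLOWED_KEX"
    check_directive "$1" HostKeyAlgorithms "$ALLOWED_HOSTKEY"
    check_directive "$1" Ciphers "$ALLOWED_CIPHERS"
    check_directive "$1" MACs "$ALLOWED_MACS"
    if grep -iq '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*yes' "$1"; then
        echo "PermitRootLogin: yes (prefer prohibit-password or no)"
    fi
}

# Constructed sample: the fragment above with a CBC cipher added, MACs left
# unset and root login allowed, so three findings are expected.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Ciphers Check
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
PermitRootLogin yes
EOF
audit_sshd_config "$SAMPLE"
```

Run it against /etc/ssh/sshd_config (or the fragment from this page) and treat any output line as something to fix before restarting sshd.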
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/sysctl.conf
Changed on 06.09.08
Network optimizations for SSHFS/NFS
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
Virtual Networking Routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_dynaddr = 1
File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-hdd.sh
Changed on 19.07.13
Cron-Check Script for disk usage
#!/bin/bash
df -l /dev/?d?? 2>/dev/null | grep "^/dev/" | perl -pe 's/[ \%]+/ /g' | cut -d" " -f1,5 2>/dev/null | while read i
do
    disk=`echo $i | cut -d" " -f1 | cut -d"/" -f3`
    usa=`echo $i | cut -d" " -f2`
    lock="/tmp/df-$disk"
    if [ $usa -gt 95 ]
    then
        if [ -f $lock ]
        then
            date >>$lock
        else
            echo -e "Disk usage $disk at $usa%:\n`df -l /dev/?d?? | grep $usa\%`\n\n `ps aux`\n\n`free -m`" | mail -s "`hostname`: Disk usage $disk at $usa% - CRITICAL" `ls -1 /home/ | egrep -v 'lost.found|man|data'| while read m; do echo -n $m,; done`root
            date >$lock
        fi
    else
        if [ -f $lock ]
        then
            echo -e "Disk usage $disk at $usa%:\n`cat $lock`" | mail -s "`hostname`: Disk usage $disk at $usa% - OK" `ls -1 /home/ | egrep -v 'lost.found|man|data' | while read m; do echo -n $m,; done`root
            rm -f $lock
        fi
    fi
done
File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-mem.sh
Changed on 19.07.13
Cron Check script for memory usage
#!/bin/bash
mem=`free -m | grep "^Mem:" | perl -pe 's/[ ]+/ /g' | cut -d" " -f 6`
if [ $mem -lt 32 ]
then
    if [ -f "/tmp/memlow" ]
    then
        echo "`date` --> $mem" >>/tmp/memlow
    else
        echo -e "Free Mem low ($mem MB):\n`free -m`\n\n`ps aux`" | mail -s "`hostname`: Free mem low ($mem MB)" `ls -1 /home/ | egrep -v 'lost.found|man|data' | while read m; do echo -n $m,; done`root
        echo "`date` --> $mem" >>/tmp/memlow
    fi
else
    rm -f /tmp/memlow
fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-swap.sh
Changed on 19.07.13
Cron Check script for swap usage
#!/bin/bash
blkid | grep GTCSWAP >/dev/null || exit 0
if [ `free -m | grep "^Swap:" | perl -pe 's/[ ]+/ /g' | cut -d" " -f 4` -lt 64 ]
then
    echo -e "Free Swap low:\n`free -m`\n\n`ps aux`" | mail -s "`hostname`: Free swap low (under 256MB)" `ls -1 /home/ | egrep -v 'lost.found|man|data' | while read m; do echo -n $m,; done`root
fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---
Cron Check script for system temperature sensors
#!/bin/bash
ls -1 /sys/devices/platform/coretemp.*/hwmon/hwmon*/temp*_input >/dev/null 2>&1 || exit 0
for sensor in `ls -1 /sys/devices/platform/coretemp.*/hwmon/hwmon*/temp*_input`
do
sens=`basename $sensor`
if [ `cat $sensor` -gt 85000 ]
then
sleep 300
if [ `cat $sensor` -gt 85000 ]
then
if [ -f /tmp/sensor-$sens ]
then
date >>/tmp/sensor-$sens
else
let temp=`cat $sensor`/1000
echo -e "Temperature of $sens up to $temp degree Centigrade...\n\n`sensors`\n\n`ps aux`\n\n`free -m`\n\n`df -lh | cat -vT `" | cat -vT | mail -s "`hostname`: Temperature up to $temp degree Centigrade" `ls -1 /home/ | egrep -v 'lost.found|man|data' | while read m; do echo -n $m,; done`root
date >/tmp/sensor-$sens
fi
fi
else
if [ -f /tmp/sensor-$sens ]
then
let temp=`cat $sensor`/1000
echo -e "Temperature OK - $temp degree Centigrade...\n\n`cat /tmp/sensor-$sens`" | mail -s "`hostname`: Temperature OK again $temp" `ls -1 /home/ | egrep -v 'lost.found|man|data' | while read m; do echo -n $m,; done`root
rm -f /tmp/sensor-$sens
fi
fi
done
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
This script installs additional/optional software defined in the thinclient.conf[.local]
#!/bin/bash
# Insert make.conf
source /etc/portage/make.conf
source /etc/thinclient/scripts/gtc-confs.sh
if [ -z "$PACKAGES" ]
then
    echo "No PACKAGES to install!"
    exit 0
fi
# Mount proc for compiling
mount -t proc proc /proc 2>/dev/null
# Create /_additionalsw-Dir and remove possible old DB entries
if [ ! -d /_additionalsw ]
then
    mkdir -p /_additionalsw
    chmod 0755 /_additionalsw
    for i in `echo $PACKAGES`
    do
        if [ -d /var/db/pkg/$i* ]
        then
            rm -r /var/db/pkg/$i*
        fi
    done
fi
# Link package database
if [ ! -L /_additionalsw/var/db/pkg ]
then
    mkdir -p /_additionalsw/var/db/
    ln -sf /var/db/pkg /_additionalsw/var/db/pkg
fi
mkdir -p /_additionalsw/var/cache/edb
ln -sf /var/cache/edb/counter /_additionalsw/var/cache/edb/counter
# Optionally source a user defined script for doing things before emerge
if [ -f "/etc/gtc-preupdate.sh" ]
then
    . /etc/gtc-preupdate.sh
fi
# Install the packages in an other root
KERNEL_DIR="/usr/src/linux" ACCEPT_LICENSE="*" ROOT="/_additionalsw" emerge -uq --keep-going --config-root=/ $PACKAGES
# Remove probably old links
echo "Searching for old /_additionalsw-SymLinks"
for i in `find / -xdev -type l -printf "%h/%f;%l\n" | grep ";/_additionalsw/" | cut -d";" -f1`
do
    echo "Removing old /_additionalsw-SymLink $i"
    rm -f $i
done
# Search for nonexisting directories
find /_additionalsw -type d | sed 's/^\/_additionalsw//' | while read i
do
    if [ ! -e "$i" ]
    then
        echo "Linking Directory $i"
        ln -s "/_additionalsw$i" "$i"
    fi
done
# Search for nonexisting files
find /_additionalsw -type f | sed 's/^\/_additionalsw//' | while read i
do
    if [ ! -e "$i" ]
    then
        echo "Linking File $i"
        ln -s "/_additionalsw$i" "$i"
    fi
done
# Search for nonexisting links
find /_additionalsw -type l | sed 's/^\/_additionalsw//' | while read i
do
    if [ ! -e "$i" ]
    then
        echo "Linking Link $i"
        ln -s "/_additionalsw/$i" "$i"
    fi
done
echo "Running some environment-updates"
env-update
source /etc/profile
depmod -a
ldconfig
echo "Putting the packages into the world-file"
ACCEPT_LICENSE="*" emerge -nq $PACKAGES
echo "
The following packages have been linked in:
$PACKAGES"
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
This script deletes all additional/optional installed software
#!/bin/bash
source /etc/thinclient/scripts/gtc-confs.sh
# Quoted test: the unquoted form breaks with more than one package in $PACKAGES
if [ -n "$PACKAGES" ]
then
    echo "Cleaning world file"
    emerge --deselect $PACKAGES
    echo "Cleaning portage"
    emerge --depclean
fi
echo "Searching for /_additionalsw-SymLinks"
find / -xdev -type l -printf "%h/%f;%l\n" | grep ";/_additionalsw" | cut -d";" -f1 | while read i
do
    echo "Removing SymLink $i"
    rm -f "$i"
done
echo "Deleting /_additionalsw"
rm -rf /_additionalsw
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-ieurl
Changed on 21.11.09
Script for starting Firefox with URLs/Links/Bookmarks/Favorites from the Internet Explorer (*.url-files)
#!/bin/bash
firefox `cat "$1" | grep "^URL" | cut -d"=" -f2`
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-info
Changed on 02.12.10
Script for collecting system information, e.g. for support mails.
#!/bin/bash
#
# Script for getting system information:
echo '
set -x
# boot and hardware
cat /proc/cmdline
cat /proc/cpuinfo
dmesg -T
free -m
lspci
lsusb
# network
ifconfig -a
route -n
brctl show
brctl show | while read bridge
do
    br=`echo $bridge | grep "8000\." | cut -d" " -f1`
    if [ -n "$br" ]
    then
        brctl showstp $br
    fi
done
# tasks and user
who
ps aux
# time
ls -ld /etc/localtime
date
# hdds
mount
df -h
cat /proc/mounts
# logs
find /var/log -type f | grep -v emerge.log | while read log
do
    if file $log | grep text
    then
        ls -l $log
        cat $log
    fi
done
# configs
find /etc -type f | while read conf
do
    if file -b $conf | grep text
    then
        ls -l $conf
        cat $conf
    fi
done
' >/tmp/gtc-info
date=`date +%Y-%m-%d-%H-%M-%S`
sh /tmp/gtc-info > ~/gtc-info-$date-$$.log 2>&1
echo "Information is in /root/gtc-info-*"
echo -n "Please enter an eMail-Address to send the info: "
read mail
cat ~/gtc-info-$date-$$.log | mail -s "GTC-Info `hostname` $date-$$" $mail
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-install
Changed on 08.11.10
Interactive installation script for the GTC on a disk.
#!/bin/bash
echo "Welcome to the GTC installer!"
# Choosing a Disk
echo "
This will guide you through the installation on a local disk or USB device."
if blkid | grep 'LABEL="GTC"' >/dev/null
then
if blkid | grep 'LABEL="GTCDATA"' >/dev/null
then
if blkid | grep 'LABEL="GTCSWAP"' >/dev/null
then
gtcdisk=`blkid | grep 'LABEL="GTC"' | tail -n1 | cut -d ":" -f1`
gtcdata=`blkid | grep 'LABEL="GTCDATA"' | tail -n1 | cut -d ":" -f1`
gtcswap=`blkid | grep 'LABEL="GTCSWAP"' | tail -n1 | cut -d ":" -f1`
dev=`echo $gtcdisk | sed 's/[0-9]//g'`
echo "Found Partition-Labels for the GTC-Partitions:
GTC-Systemdisk is $gtcdisk
GTC-Datadisk is $gtcdata
GTC-Swapdisk is $gtcswap
Shall we install/update on these partitions and overwrite the bootsector (MBR) on $dev? If yes please enter \"yes\""
read partitions
fi
fi
fi
if [ "$partitions" = "yes" ]
then
umount -lf $gtcdata
umount -lf $gtcdisk
echo "Disks selected."
else
echo "Here is a list of devices the GTC can be installed on:
"
fdisk -l | grep " /dev/" | egrep -v "t contain|ram"
echo "
WARNING: ALL DATA ON THE DISK YOU CHOOSE WILL BE DELETED!!!!
Please enter the device name, e.g. /dev/sdb, on which you want to install the GTC."
echo "Device: "
read dev
dev=`echo $dev | sed 's/^\/dev\///'`
dev="/dev/$dev"
if cat /proc/mounts | grep $dev
then
echo "
$dev is already mounted - Cannot install on a mounted disk"
exit 1
fi
if [ -b "$dev" ]
then
echo "WARNING: ALL DATA ON $dev WILL BE DELETED!!!!"
echo "If you are absolutely sure you want to delete all data in $dev and install the GTC in it enter \"yes\": "
read sure
if [ "$sure" = "yes" ]
then
echo "OK, so let's install GTC on $dev!"
else
echo "Installation cancelled!"
exit 1
fi
else
echo "$dev does not exist or is not a valid block device!"
exit 1
fi
fi
for i in `cat /proc/mounts | grep $dev | cut -d" " -f1`
do
echo "
$i is already mounted - Umounting..."
umount -lf $i
done
# Choosing the systems role
echo "
What system role do you want to install?
- Server (A Server for the Gentoo ThinClients)
- Live (A Livesystem e.g.: for testing the GTC)
- Profile (A System with a specified profile)
Please enter Server, Profile or Live: "
read role
if echo "$role" | grep -i "^s"
then
inst="gtc-srvinst"
elif echo "$role" | grep -i "^p"
then
inst="gtc-profileinst"
elif echo "$role" | grep -i "^l"
then
inst="gtc-liveinst"
else
echo "No valid role entered!"
exit 1
fi
inst="/etc/thinclient/scripts/$inst"
if [ "$partitions" = "yes" ]
then
$inst $gtcdisk $dev
else
# Create a partition and a filesystem
echo "Preparing $dev"
echo "Creating partitions on $dev"
sfdisk --delete $dev
sfdisk $dev <<__EOF__
2048,81140000,L
,2480000,S
,,L
__EOF__
sleep 5
echo "Setting bootable flag on ${dev}1"
sfdisk -A ${dev} 1
sleep 5
echo "Formatting partitions on $dev"
mkfs.ext4 -m1 -F -L "GTC" ${dev}1 || exit 1
mkswap ${dev}2 -f -L "GTCSWAP" || exit 1
mkfs.ext4 -m1 -F -L "GTCDATA" ${dev}3 || exit 1
# Start installation
echo "Starting the installation"
$inst ${dev}1 $dev
fi
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-mkiso
Changed on 08.11.09
Script for creating the GTC DVD-Image
#!/bin/bash
rm -rf /gtcdvd
mkdir -p /gtcdvd/boot
KERN=`basename \`ls -tr1 /boot/kernel-genkernel-* | tail -n1\``
INITRD=`basename \`ls -tr1 /boot/initramfs-genkernel-* | tail -n1\``
cp /boot/$KERN /gtcdvd/boot/kernel
cp /boot/$INITRD /gtcdvd/boot/initrd
cp /usr/share/syslinux/isolinux.bin /gtcdvd/
cp /usr/share/syslinux/menu.c32 /gtcdvd/
version=`head /etc/thinclient/gtc-release-notes -n1 | cut -d" " -f2`
echo "default menu.c32
prompt 0
menu title GTC LiveDVD $version
ALLOWOPTIONS 1
MENU AUTOBOOT Starting GTC DVD in # seconds

label GTC-$KERN
menu label ^GTC - Livesystem - $version
timeout 150
kernel /boot/kernel
append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd dokeymap i915.modeset=1 radeon.modeset=1

label GTC-$KERN
menu label ^GTC - Server with XXX.XXX.XXX.XXX/24 - $version
kernel /boot/kernel
append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd gtcserver i915.modeset=1 radeon.modeset=1 dokeymap ip=XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX BOOTIF=eth

label GTC-$KERN
menu label ^GTC - Installation - $version
kernel /boot/kernel
append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd gtcinstall dokeymap i915.modeset=1 radeon.modeset=1
" > /gtcdvd/isolinux.cfg
if [ -d "/_gtcroot" ]
then
    echo "Using /_gtcroot"
else
    mkdir -p /_gtcroot
    mount --bind / /_gtcroot
fi
cp /etc/thinclient/gtc-release-notes /gtcdvd/`date +%Y%m%d`
mksquashfs /_gtcroot/ /gtcdvd/gtc -e gtcdvd.iso -e gtcdvd -e _gtcroot -e etc/thinclient/profiles -e _additionalsw -e usr/portage/distfiles -e usr/src -e etc/thinclient/thinclient.conf.local
umount /_gtcroot 2>/dev/null ; rmdir /_gtcroot 2>/dev/null
mkisofs -R -V "GTC DVD" -o /gtcdvd.iso -b isolinux.bin -c boot.catalog -no-emul-boot -boot-load-size 4 -boot-info-table /gtcdvd/
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update
Changed on 08.12.09
GTC-Systemupdate Update script
#!/bin/bash
if mount | grep -q "/_gtcroot type nfs"
then
echo "No update on an NFS-Client possible!"
exit 1
fi
if ! mount | grep -q /_gtcroot
then
echo "No GTC System"
exit 1
fi
find /_gtcroot/update-down -mtime +3 -exec rm -f {} \; >/dev/null 2>&1
. /etc/thinclient/scripts/gtc-confs.sh
if [ "$UPDATECHANNEL" = "test" ]
then
chan="-test"
echo "WARNING: Using Test-Channel"
fi
rm -rf /var/log/emerge.log /var/log/portage
for syncpath in /etc/thinclient/scripts /etc/thinclient/share
do
until RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --timeout=300 rsync://mail@example.com/thinclient$chan/$syncpath/ /$syncpath/
do
echo "!!! ERROR downloading System-Update Update - Retrying in 30 seconds"
sleep 30
done
rsync -aH /$syncpath/ /_gtcroot/$syncpath/
done
cat /etc/thinclient/scripts/gaboshlib.include >/etc/bash/gaboshlib.include
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --delete --timeout=300 rsync://mail@example.com/thinclient$chan/etc/thinclient/login/ /_gtcroot/etc/thinclient/login/
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --timeout=300 rsync://mail@example.com/thinclient$chan/etc/thinclient/startup/ /_gtcroot/etc/thinclient/startup/
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --timeout=300 rsync://mail@example.com/thinclient$chan/etc/local.d/ /_gtcroot/etc/local.d/
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --timeout=300 rsync://mail@example.com/thinclient$chan/etc/bash/ /_gtcroot/etc/bash/
rsync -aH /_gtcroot/etc/local.d/ /etc/local.d/
rsync -aH /_gtcroot/etc/bash/ /etc/bash/
until RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --timeout=300 rsync://mail@example.com/thinclient$chan/etc/thinclient/gtc-release-notes /etc/thinclient/gtc-release-notes-new
do
echo "!!! ERROR downloading GTC Release-Information - Retrying"
sleep 30
done
if [ "`cat /_gtcroot/etc/thinclient/gtc-release-notes | head -n1`" = "`cat /etc/thinclient/gtc-release-notes-new | head -n1`" ]
then
echo "No Update from `cat /etc/thinclient/gtc-release-notes | head -n1` available"
exit 0
else
echo "Updating from `cat /etc/thinclient/gtc-release-notes | head -n1` to `cat /etc/thinclient/gtc-release-notes-new | head -n1`"
fi
sync
echo ">>> System-Update Update successfully finished"
sh /etc/thinclient/scripts/gtc-update-fetch
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update-post
Changed on 02.01.12
GTC-Systemupdate Update script
#!/bin/bash
if mount | grep "/_gtcroot type nfs"
then
echo "No update on an NFS-Client possible!"
exit 1
fi
. /etc/thinclient/scripts/gtc-confs.sh
if [ "$UPDATECHANNEL" = "test" ]
then
chan="-test"
fi
# Resync unimportant parts
mkdir -p /_gtcroot/usr/portage /_gtcroot/opt
echo ">>> Resyncing /opt"
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --info=progress2 --no-i-r -h --timeout=300 --contimeout=300 --delete --numeric-ids rsync://mail@example.com/thinclient$chan/opt/ /_gtcroot/opt/
echo ">>> Resyncing /usr/portage"
RSYNC_PASSWORD="UHexWfBzJjCfwgwTUaUPN2ryYmXIp92j" rsync -aH --info=progress2 --no-i-r -h --timeout=300 --contimeout=300 --delete --numeric-ids --exclude=.tmp* --exclude=distfiles rsync://mail@example.com/thinclient$chan/usr/portage/ /_gtcroot/usr/portage/
echo ">>> Renewing additional Software"
mkdir -p /_gtcroot/proc /_gtcroot/dev
cp -p /etc/resolv.conf /_gtcroot/etc/resolv.conf
mount -t devtmpfs udev /_gtcroot/dev
mount -t proc proc /_gtcroot/proc
chroot /_gtcroot /bin/bash -c "env-update &>/dev/null && source /etc/profile && gtc-additional-sw-del ; gtc-additional-sw-add"
sudo umount /_gtcroot/dev /_gtcroot/proc
# Remove unwanted Software
if [ "$SWPROFILE" == "binredisonly" ]
then
/etc/thinclient/scripts/gtc-binredisonly
fi
if [ "$SWPROFILE" == "ossonly" ]
then
/etc/thinclient/scripts/gtc-ossonly
fi
if lspci | egrep -q "NVIDIA.+G86M"
then
/etc/thinclient/scripts/gtc-nvidia-legacy-driver
fi
if lspci | egrep -q "NVIDIA"
then
echo 'modules="nvidia nvidia-drm"' >>/_gtcroot/etc/conf.d/modules
fi
if ! grep -q "RAM Test" /boot/grub/grub.cfg
then
g_boot=$(grep "set uuid_root" /boot/grub/grub.cfg | head -n1)
echo "
menuentry 'RAM Test' {
$g_boot
search --no-floppy --fs-uuid \$uuid_root --set=root
set root=\$root
linux16 /boot/memtest86plus/memtest.bin
}
" >>/_gtcroot/boot/grub/grub.cfg
fi
sync
echo "
Update is finished!!! System will reboot now...
"
sleep 10
reboot
File permissions:
Owner: root
Group: root
Permissions: -r-x------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/gtc-startupconfig
Changed on 27.10.09
This runs all the scripts for configuring global and individual settings for all thinclients.
g_echo_ok "Loading VirtualBox modules"
modprobe vboxdrv >/dev/null 2>&1
modprobe vboxnetadp >/dev/null 2>&1
modprobe vboxnetflt >/dev/null 2>&1
modprobe vboxpci >/dev/null 2>&1
# Swappiness
echo 10 >/proc/sys/vm/swappiness
# Disable ipv6 for bridges (parameter in /etc/conf.d/net doesn't work)
echo 1 >/proc/sys/net/ipv6/conf/vnet0/disable_ipv6
echo 1 >/proc/sys/net/ipv6/conf/tornet0/disable_ipv6
#g_echo_ok "Loading snd-pcm-oss module for getting /dev/dsp i.e. for old games"
##modprobe snd-pcm-oss 2>/dev/null
#
#g_echo_ok "Loading snd_seq module needed e.g. by dosbox"
#modprobe snd_seq
g_echo_ok "Loading new microcode e.g. because of Spectre/Meltdown"
[ -e /sys/devices/system/cpu/microcode/reload ] && echo 1 > /sys/devices/system/cpu/microcode/reload
g_echo_ok "Disabling power_save of wlan0 if present"
iw dev wlan0 set power_save off >/dev/null 2>&1
g_echo_ok "Enabling ip_forward for network routing of special networks like vlan0 or tornet0"
echo 1 > /proc/sys/net/ipv4/ip_forward
g_echo_ok "Creating /dev/dvd,cdrom,cdrecorder Symlinks needed by some apps like xine"
ln -sf /dev/sr0 /dev/dvd
ln -sf /dev/sr0 /dev/cdrom
ln -sf /dev/sr0 /dev/cdrecorder
g_echo_ok "Setting rights of /"
chmod 755 /
g_echo_ok "Linking GTC-Profile"
ln -s /_gtcroot/etc/thinclient/profiles/`hostname` /etc/current-gtc-profile
# No log send?
if [ -f /etc/thinclient/profiles/`hostname`/local/send-no-log ]
then
g_echo_ok "Disabling Sending of Logs"
if [ -f /_gtcroot/etc/rsyslog.d/00-gtc.conf ]
then
rm -f /_gtcroot/etc/rsyslog.d/00-gtc.conf
/etc/init.d/rsyslog restart
fi
fi
g_echo_ok "Pipe Xorg log to syslog"
touch /var/log/Xorg.0.log
chown root:root /var/log/Xorg.0.log
chmod 644 /var/log/Xorg.0.log
echo 'tail -F /var/log/Xorg.0.log | logger -i -t "Xorg"' | at now >/dev/null 2>&1
g_echo_ok "Disabling console blanking"
setterm -blank 0
g_echo_ok "Cleaning up sudo-io logs"
rm -rf /var/log/sudo-io/*
g_echo_ok "Reset AccountsService"
rm -f /var/lib/AccountsService/users/*
g_echo_ok "Mounting GTCDATA and GTCSWAP-Partitions"
mkdir -p /srv
mount LABEL=GTCDATA /srv >/dev/null 2>&1 || rmdir /srv
swapon LABEL=GTCSWAP >/dev/null 2>&1
### GTC-Server?
#if [ -d /srv/config ]
#then
# rsync -a --exclude=thinclient.conf.local --exclude=profiles --exclude=global-profile --delete /etc/thinclient/ /srv/config/
# mount -B /srv/config /etc/thinclient
#fi
#if [ -d /srv/profiles ]
#then
# mount -B /srv/profiles /etc/thinclient/profiles
#fi
#if [ -d /srv/global-profile ]
#then
# mount -B /srv/global-profile /etc/thinclient/global-profile
#fi
#g_echo_ok "Adding `hostname` to /etc/hosts"
#echo "127.0.0.1 `hostname`" >>/etc/hosts
. /etc/thinclient/scripts/gtc-confs.sh
g_echo_ok "Create smb.conf needed by cups in some cases"
touch /etc/samba/smb.conf
# Check for enabled Debug-Mode
if [ "$DEBUG" == "yes" ]
then
g_echo_warn "Enabling Debug output"
set -x
fi
g_echo_ok "Enable wheel group for sudo to root"
echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
g_echo_ok "Creating user(s)"
if [ -z "$LOCALUSER" ]
then
g_echo "Creating no local User"
else
for LU in $LOCALUSER
do
g_echo_ok "Creating user $LU"
cp -p /etc/shadow /etc/shadow.bak
useradd -g users -G wheel,root -d /home/$LU $LU 2>&1 | egrep -vi 'already exists|Not copying any file from skel directory into it'
for grp in docker games sambashare wheel root audio video cdrom vboxusers cdrw usb disk lpadmin lp scanner sys adm floppy plugdev dialout libvirt
do
usermod -aG $grp $LU
done
if grep -q -a "^$LU" /etc/thinclient/profiles/`hostname`/local/shadow
then
if [ -f /etc/thinclient/profiles/`hostname`/local/shadow ]
then
g_echo_ok "Restoring $LU password"
grep -a "^$LU" /etc/thinclient/profiles/`hostname`/local/shadow > /etc/shadow2
cat -vT /etc/shadow | grep -a -v "^$LU" >> /etc/shadow2
mv /etc/shadow2 /etc/shadow
chmod 0600 /etc/shadow
fi
else
g_echo_ok "Setting $LU password to default gtc"
echo $LU:GTCL1nux | chpasswd
fi
if ! [ -d /home/$LU ]
then
g_echo_ok "Creating homedir for $LU"
mkdir -p /home/$LU
chown $LU:users /home/$LU
chmod 0700 /home/$LU
fi
done
if [ -f /etc/thinclient/profiles/`hostname`/local/shadow ]
then
if grep -q -a "^root" /etc/thinclient/profiles/`hostname`/local/shadow
then
g_echo_ok "Restoring root password"
grep -a "^root" /etc/thinclient/profiles/`hostname`/local/shadow > /etc/shadow2
cat -vT /etc/shadow | grep -a -v "^root" >> /etc/shadow2
mv /etc/shadow2 /etc/shadow
chmod 0600 /etc/shadow
else
echo root:GTCL1nux | chpasswd
fi
fi
fi
# If this is a local GTC
if mount | grep "/_gtcroot type nfs" >/dev/null
then
g_echo_ok "This GTC seems to be network booted - doing network jobs"
g_echo_ok "NET: Disabling network and loop umounts and remount,ro during shutdown which may cause hangs"
echo '
stop()
{
return 0
}
' >> /etc/init.d/localmount
cat /etc/init.d/localmount >>/etc/init.d/netmount
# No remount,ro while shutdown:
echo "#!/bin/bash
exit 0
" > /etc/init.d/mount-ro
else
g_echo_ok "This GTC seems to be local booted - doing local jobs"
g_echo_ok "LOCAL: Creating Update Switch button depending on actual update channel"
if [ "$UPDATECHANNEL" = "test" ]
then
echo "[Desktop Entry]
Name=GTC Update von stable-Kanal
Comment=GTC Update von stable-Kanal
Exec=mate-terminal --window --command=\"sudo /etc/thinclient/scripts/gtc-update-switch-test-stable.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-update-switch-test-stable.desktop
else
echo "[Desktop Entry]
Name=GTC Update von test-Kanal
Comment=GTC Update von test-Kanal
Exec=mate-terminal --window --command=\"sudo /etc/thinclient/scripts/gtc-update-switch-test-stable.sh\"
Path=
Icon=/usr/share/icons/gabosh/linux.png
Terminal=false
StartupNotify=false
Type=Application
Categories=GTC;Core;Utility;
">/usr/share/applications/gtc-update-switch-test-stable.desktop
fi
g_echo_ok "LOCAL: Starting Firewall (UFW)"
/etc/init.d/ufw start
# Restore mixer settings
if [ -f /etc/thinclient/profiles/`hostname`/local/mixersettings ]
then
g_echo_ok "LOCAL: Restoring Mixer settings"
alsactl restore -f /etc/thinclient/profiles/`hostname`/local/mixersettings || rm -f /_gtcroot/etc/thinclient/profiles/`hostname`/local/mixersettings
fi
g_echo_ok "LOCAL: Use homedirs from disk"
mount --bind /_gtcroot/root /root
mkdir -p /srv/home /home
mount --bind /srv/home /home
g_echo_ok "LOCAL: Storing SSH keys"
mkdir -p /_gtcroot/etc/thinclient/profiles/`hostname`/etc/ssh
cp -p /etc/ssh/*_key* /_gtcroot/etc/thinclient/profiles/`hostname`/etc/ssh/
g_echo_ok "LOCAL: Copying this profiles thinclient.conf to default-profile for PXE boots"
cat /_gtcroot/etc/thinclient/profiles/`hostname`/thinclient.conf >/_gtcroot/etc/thinclient/default-profile/thinclient.conf
echo "LOCALUSER=gtc" >>/_gtcroot/etc/thinclient/default-profile/thinclient.conf
fi
## Now in initrd?
#g_echo_ok "====== Loading global profile ====="
## Sync global profile
#rsync -a$RSYNC_OPT /etc/thinclient/global-profile/etc/ /etc/
## Now in initrd?
#if [ -d "/etc/thinclient/profiles/`hostname`/etc" ]
#then
# g_echo_ok "====== Loading individual profile ====="
# rsync -a$RSYNC_OPT /etc/thinclient/profiles/`hostname`/etc/ /etc/
#fi
## Now in default runlevel becaus profile in initrd
#for service in rsyslog nscd haveged acpid sshd
#do
# g_echo_ok "Starting service $service"
# /etc/init.d/$service start >/dev/null 2>&1
#done
# Now in initrd 5 default runlevel
if ! ps ax | grep -v grep | grep -q NetworkManager
then
# Local Network?
if ! mount | grep "/_gtcroot type nfs" >/dev/null
then
echo -e "\n==============================\nLoading Network Manager\n==============================\n"
# NetworkManager
iw dev wlan0 set power_save off >/dev/null 2>&1
find /etc/thinclient/profiles/*/etc/NetworkManager/system-connections -type f ! -name '\.*' ! -iname "GTC*" ! -empty | while read netfile
do
if egrep -q "^ssid|^psk" "$netfile"
then
bnetfile=`basename $netfile`
egrep -v "^mac-address=" "$netfile" >"/etc/NetworkManager/system-connections/$bnetfile" 2>/dev/null
fi
done
sed -i 's/^permissions=.*/permissions=/;' /etc/NetworkManager/system-connections/*
fdupes -q -d -N /etc/NetworkManager/system-connections
chmod 600 /etc/NetworkManager/system-connections/*
/etc/init.d/NetworkManager start 2>&1 | egrep -iv '\.pid.: No such file or directory|dispatcher'
fi
fi
#sleep 5
if lsmod | grep -q bluetooth
then
echo '[Desktop Entry]
Name=Blueman Applet
Name[de]=Blueman Applet
Comment=Blueman Bluetooth Manager
Comment[de]=Blueman Bluetooth Manager
Icon=blueman
Exec=blueman-applet
Terminal=false
Type=Application
Categories=' >/etc/xdg/autostart/blueman.desktop
chmod 644 /etc/xdg/autostart/blueman.desktop
fi
for i in `find /etc/thinclient/startup/jobs/ -type f | sort`
do
g_echo_ok "Running $i"
. $i
done
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-anonproxy
Changed on 30.10.09
Start Privoxy/Tor Services
#!/bin/bash
if [ "$ANONPROXY" == "yes" ]
then
# Privoxy listens on all interfaces and chains to the local Tor SOCKS port;
# reachability of 3128/9050 is limited only by the ufw rules for vnet0/tornet0
echo '
listen-address 0.0.0.0:3128
forward-socks5t / 127.0.0.1:9050 .
' >> /etc/privoxy/config
echo 'User tor
PIDFile /var/run/tor/tor.pid
Log notice syslog
DataDirectory /var/lib/tor/data
BridgeRelay 0
SOCKSPort 0.0.0.0:9050
ExitPolicy reject *:*
ControlPort 9051
HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
# Setting up TOR transparent proxy for tor-router
VirtualAddrNetwork XXX.XXX.XXX.XXX/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5353
' >/etc/tor/torrc
# Pid file is pre-created world-writable so the unprivileged tor user can overwrite it;
# chown tor:tor with mode 0644 is the tighter alternative
touch /var/run/tor.pid
chmod 777 /var/run/tor.pid
echo "/usr/bin/tor -f /etc/tor/torrc --runasdaemon 1 --PidFile /var/run/tor.pid >/dev/null" | at now >/dev/null 2>&1
echo "/usr/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy.privoxy /etc/privoxy/config >/dev/null" | at now >/dev/null 2>&1
fi
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-autologin
Changed on 30.10.09
Script for enabling Autologin
#!/bin/bash
# Check if AUTOLOGIN is set
#if [ $AUTOLOGIN == "yes" ]
#then
# echo "Enabling Autologin for user gtc (Password: gtc)"
# # Create gtc-User for Autologin
# useradd gtc -d /var/gtcdummy -m -g users -G wheel,root,audio,video,cdrom,vboxusers,cdrw,usb,disk,lpadmin,lp,scanner,sys,adm,floppy,plugdev
# echo "gtc:gtc" | chpasswd >/dev/null 2>&1
# echo "Starting X"
# echo 'su - gtc -c "XSESSION=MATE startx ; init 0"' | at now >/dev/null 2>&1
#fi
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-ldap
Changed on 13.10.09
Script for enabling LDAP.
#!/bin/bash
# Check LDAP
# Check if LDAP is set
if [ "$LDAP" == "yes" ]
then
# LDAP and NIS aren't allowed together
if [ "$NIS" == "yes" ]
then
echo "You can not use LDAP and NIS! Please change your configuration in your thinclient.conf."
exit 1
fi
# Configuring LDAP
echo "Configuring LDAP"
if [ "$LDAP_TLS" == "yes" ]
then
LDAP_PORT=636
LDAP_CONNECT="ldaps://$LDAP_SERVER:636 tls_reqcert allow"
else
LDAP_PORT=389
LDAP_CONNECT="ldap://$LDAP_SERVER:389"
fi
# NOTE: tls_reqcert allow accepts any (or no) server certificate, so the ldaps://
# connection is encrypted but the server is never authenticated
echo "Setting up /etc/ldap.conf"
echo "suffix $LDAP_BASEDN
uri $LDAP_CONNECT
pam_password exop
#ldap_version 3
#pam_filter objectclass=posixAccount
#pam_login_attribute uid
#pam_member_attribute memberuid
#nss_base_passwd ou=People,$LDAP_BASEDN
#nss_base_shadow ou=People,$LDAP_BASEDN
#nss_base_group ou=Group,$LDAP_BASEDN
#scope one
pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_timelimit 3
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
" > /etc/ldap.conf
echo "Setting up /etc/openldap/ldap.conf"
echo "BASE $LDAP_BASEDN
URI $LDAP_CONNECT
pam_login_attribute uid:caseExactMatch:
TLS_REQCERT allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_timelimit 3
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
" > /etc/openldap/ldap.conf
# Only switch NSS/PAM over if the LDAP port actually answers
nmap -p $LDAP_PORT $LDAP_SERVER | grep open >/dev/null
if [ $? == "0" ]
then
echo "Setting up /etc/nsswitch.conf"
cp /etc/nsswitch.conf /tmp/nsswitch.conf.tcorig
cat /tmp/nsswitch.conf.tcorig | \
sed 's/^passwd:.*/passwd: ldap files/' | \
sed 's/^shadow:.*/shadow: ldap files/' | \
sed 's/^group:.*/group: ldap files/' > /etc/nsswitch.conf
# Auth stack after the rewrite: pam_unix (sufficient) -> pam_ldap (sufficient, same password) -> pam_deny
echo "Setting up /etc/pam.d/system-auth"
cp /etc/pam.d/system-auth /tmp/system-auth.tcorig
cat /tmp/system-auth.tcorig | \
sed 's/^auth.*required.*pam_unix.so/auth sufficient pam_unix.so/' | \
sed 's/nullok $/nullok\nauth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so/' | \
sed 's/^account.*required.*pam_unix.so/account sufficient pam_ldap.so\naccount required pam_unix.so/' | \
sed 's/^password.*required.*pam_unix.so/password sufficient pam_unix.so/' | \
sed 's/shadow $/shadow\npassword sufficient pam_ldap.so use_authtok use_first_pass\npassword required pam_deny.so/' | \
sed 's/^session.*optional.*pam_permit.so/session optional pam_ldap.so\nsession optional pam_permit.so/' > /etc/pam.d/system-auth
echo "
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
" >/etc/pam.d/lightdm
# Restart nscd
/etc/init.d/nscd restart >/dev/null 2>&1
# Workaround for programs which search directly in /etc/passwd and/or /etc/group (lightdm/dbus):
# copies every directory account into the local files (password hashes stay in LDAP/shadow)
getent passwd > /tmp/passwd
getent group > /tmp/group
cat /tmp/passwd > /etc/passwd
cat /tmp/group > /etc/group
else
echo "LDAP-Server doesn't seem to be reachable. Skipping editing of nsswitch.conf"
fi
else
echo "LDAP is not set to yes in your $conf"
fi
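The gtc-ldap script above writes tls_reqcert allow into both ldap.conf files, so the ldaps:// bind is encrypted but the directory server is never authenticated: any host answering on port 636 with any certificate can complete the bind and receive the user's password. The following script is an added example, not part of the GTC project. It renders the client configuration the way the page does and in a hardened form (TLS_REQCERT demand plus a CA bundle, OpenLDAP ldap.conf syntax), and lints a configuration for settings that leave the server unverified. The server name, base DN and CA bundle path are placeholders, and the lint rules are this example's own.

```shell
#!/bin/sh
# Added example, not part of the GTC scripts: render the thin-client LDAP
# client configuration both the way gtc-ldap does it (TLS_REQCERT allow) and
# hardened (TLS_REQCERT demand + CA bundle), and lint a config for settings
# that make ldaps:// encrypt without authenticating the server.
# Assumptions: server name, base DN and CA bundle path are placeholders.

# render_ldap_conf SERVER BASEDN MODE [CAFILE] -> ldap.conf text on stdout
#   MODE "allow"  = what the page writes: any certificate (or none) is accepted
#   MODE "demand" = hardened: the chain must validate against CAFILE
render_ldap_conf() {
    server=$1; basedn=$2; mode=$3; cafile=${4:-/etc/ssl/certs/ca-certificates.crt}
    printf 'BASE %s\nURI ldaps://%s:636\n' "$basedn" "$server"
    if [ "$mode" = "demand" ]; then
        printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$cafile"
    else
        # With "allow" a host that answers on 636 with any certificate can
        # complete the bind and receive the user's password.
        printf 'TLS_REQCERT allow\n'
    fi
    printf 'NETWORK_TIMEOUT 3\ntimeout 3\nbind_timelimit 3\n'
}

# ldap_conf_findings < ldap.conf -> one line per weak setting, nothing if clean.
# Directive names are case-insensitive in OpenLDAP's ldap.conf and lower-case
# in pam_ldap/nss_ldap's /etc/ldap.conf, so everything is folded to lower case.
ldap_conf_findings() {
    tr 'A-Z' 'a-z' | awk '
        $1 == "tls_reqcert" && ($2 == "never" || $2 == "allow" || $2 == "try") {
            print "weak: tls_reqcert " $2 " does not require a valid server certificate" }
        $1 == "tls_reqcert" && $2 == "demand" { demand = 1 }
        $1 == "tls_cacert" || $1 == "tls_cacertdir" { cacert = 1 }
        $1 == "uri" { for (i = 2; i <= NF; i++) if ($i ~ /^ldap:\/\//)
            print "weak: plaintext " $i " (use ldaps:// or STARTTLS)" }
        END { if (demand && !cacert)
            print "weak: tls_reqcert demand without tls_cacert(dir) has no trust anchor" }'
}

# count_findings SERVER BASEDN MODE -> number of findings for the rendered config
count_findings() {
    render_ldap_conf "$@" | ldap_conf_findings | wc -l | tr -d ' '
}

# Usage: lint both renderings of a placeholder setup.
for mode in allow demand; do
    echo "== $mode: $(count_findings ldap.example.com dc=example,dc=com "$mode") finding(s)"
    render_ldap_conf ldap.example.com dc=example,dc=com "$mode" | ldap_conf_findings
done
```

Running ldap_conf_findings over the two files gtc-ldap generates reports the tls_reqcert allow line in each; switching the rendering to demand only helps if the CA that signed the LDAP server's certificate is actually in the bundle on the thin client image, so the bundle (or a dedicated TLS_CACERT file) must be shipped with the profile.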
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-local
Changed on 25.10.09
Script to run individual things on every thinclient
#!/bin/bash
# LOCAL_SCRIPT comes from thinclient.conf(.local) and runs as root on every client
if [ -f "$LOCAL_SCRIPT" ]
then
echo "Running $LOCAL_SCRIPT"
chmod 755 "$LOCAL_SCRIPT"
"$LOCAL_SCRIPT"
fi
File permissions:
Owner: root
Group: root
Permissions: -r--------
Script for localization
#!/bin/bash
if [ -n "$LOC_KEYMAP" ]
then
echo "Setting Keymap to $LOC_KEYMAP"
loadkeys --unicode $LOC_KEYMAP
#cp /etc/conf.d/keymaps /tmp/keymaps.tcorig
#cat /tmp/keymaps.tcorig | sed 's/^KEYMAP=.*/KEYMAP=$LOC_KEYMAP/' >/etc/conf.d/keymaps
#/etc/init.d/keymaps restart
fi
if [ -n "$LOC_LANG" ]
then
echo "Setting Language to $LOC_LANG"
echo "LANG=\"$LOC_LANG\"" >>/etc/env.d/02locale
echo "export LANG=\"$LOC_LANG\"" >>/etc/profile.env
fi
if [ -n "$LOC_TIMEZONE" ]
then
echo "Setting Timezone to $LOC_TIMEZONE"
rm /etc/localtime
ln -sf /usr/share/zoneinfo/$LOC_TIMEZONE /etc/localtime
fi
if [ -z "$LOC_HWCLOCK" ]
then
LOC_HWCLOCK=localtime
fi
#if [ "$LOC_MOZLANG" != "" ]
#then
# mkdir -p /etc/firefoxlang
# mkdir -p /etc/thunderbirdlang
# cp -rp "/usr/lib/firefox/extensions/langpack-$LOC_MOZLANG@firefox.mozilla.org" /etc/firefoxlang/
# mount --bind /etc/firefoxlang /usr/lib/firefox/extensions
# cp -rp "/usr/lib/thunderbird/extensions/langpack-$LOC_MOZLANG@thunderbird.mozilla.org" /etc/thunderbirdlang/
# mount --bind /etc/thunderbirdlang /usr/lib/thunderbird/extensions
#fi
# time
#hwclock --hctosys --$LOC_HWCLOCK >/dev/null 2>&1 &
#source /etc/profile
# xorg lang
if [ -z "$LOC_XKBLANG" ]
then
LOC_XKBLANG="us"
else
echo "
Section \"InputClass\"
Identifier \"Keyboard Defaults\"
MatchIsKeyboard \"yes\"
Option \"XkbLayout\" \"$LOC_XKBLANG\"
EndSection
" >> /etc/X11/xorg.conf
fi
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-nfsmount
Changed on 30.10.09
Script for mounting NFS-Share(s)
#!/bin/bash
# NFSMOUNT holds space-separated "server:share:mountpoint" entries
for i in $NFSMOUNT
do
SERVER=`echo "$i" | cut -d":" -f1`
SHARE=`echo "$i" | cut -d":" -f2`
MOUNTPOINT=`echo "$i" | cut -d":" -f3`
echo "Mounting $SERVER:$SHARE to $MOUNTPOINT"
mkdir -p "$MOUNTPOINT"
mount -t nfs "$SERVER:$SHARE" "$MOUNTPOINT"
done
File permissions:
Owner: root
Group: root
Permissions: -r--------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/jobs/gtc-thinkpad
Changed on 20.02.18
Special Things for ThinkPads
#!/bin/bash
if lshw | grep -q ThinkPad
then
echo "This seems to be a ThinkPad"
modprobe "thinkpad_acpi"
# ACPI SLEEP
echo '#Fn+F4 button/sleep SBTN 00000080 00000000 K
event=button/sleep
action=/etc/acpi/actions/FnF4-sleep.sh' >/etc/acpi/events/FnF4-sleep
echo '#!/bin/sh
hibernate-ram
/sbin/hwclock --adjust
/sbin/hwclock --hctosys
' >/etc/acpi/actions/FnF4-sleep.sh
# ACPI SLEEP DISPLAY/LID CLOSED
echo '#Display/LID close
event=button/lid
action=/etc/acpi/actions/LID-sleep.sh' >/etc/acpi/events/LID-sleep
echo '#!/bin/sh
sleep 5
cat /proc/acpi/button/lid/LID/state | grep -q open && exit 0
hibernate-ram
/sbin/hwclock --adjust
/sbin/hwclock --hctosys
' >/etc/acpi/actions/LID-sleep.sh
# ACPI HIBERNATE
echo '#Fn+F12 button/sleep SBTN 00000080 00000000 K
event=button/suspend
action=/etc/acpi/actions/FnF12-suspend.sh' >/etc/acpi/events/FnF12-suspend
echo '#!/bin/sh
logger "[ACPI] Fn+F12 pressed suspend to disk"
hibernate
/sbin/hwclock --adjust
/sbin/hwclock --hctosys
' >/etc/acpi/actions/FnF12-suspend.sh
# WIFI Button
echo '#Fn+F5 button/wlan WLAN 00000080 00000000 K
event=button/wlan
action=/etc/acpi/actions/FnF5-wifi.sh' >/etc/acpi/events/FnF5-wifi
echo '#!/bin/sh
logger "[ACPI] Fn+F5 pressed, WiFi rfkill state toggled"
rf=/sys/class/rfkill/rfkill0
case $(cat "$rf/state") in
0) echo 1 >$rf/state;;
1) echo 0 >$rf/state;;
esac
' >/etc/acpi/actions/FnF5-wifi.sh
chmod 755 /etc/acpi/actions/*.sh
/etc/init.d/acpid restart >/dev/null 2>&1
# GPS
echo '
DEVICES="ttyUSB2"
' >>/etc/conf.d/gpsd
/etc/init.d/gpsd start >/dev/null 2>&1
# WWAN
echo 'ttyUSB0
921600
lock
crtscts
modem
passive
novj
defaultroute
noipdefault
usepeerdns
noauth
hide-password
persist
holdoff 10
maxfail 0
debug
' >/etc/ppp/options-mobile
echo
# Fan
/etc/init.d/thinkfan start >/dev/null 2>&1
# Thermal-Control
/etc/init.d/thermald start >/dev/null 2>&1
# LMT
/etc/init.d/laptop_mode start >/dev/null 2>&1
fi
File permissions:
Owner: root
Group: root
Permissions: -r--------
Start Update
#!/bin/bash
if mount | grep "/_gtcroot type nfs" >/dev/null
then
echo 'No update on network boot!'
else
echo " /etc/cron.daily/gtc-service" | at now+2minutes >/dev/null 2>&1
if [ "$AUTOUPDATE" == "yes" ]
then
if [ -f /_gtcroot/update-down ]
then
/etc/thinclient/scripts/gtc-update-do
else
echo "/etc/thinclient/scripts/gtc-update >/_gtcroot/tmp/gtc-update 2>&1" | at now+5minutes >/dev/null 2>&1
fi
fi
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/thinclient/thinclient.conf.local
Changed on 13.10.09
This is the local central configuration file for default thin-client settings; values set here override the ones from thinclient.conf.
# DNS Settings
NAMESERVER=my.lan.ip.addr
NAMESERVERBACKUP=""
SEARCH="example.com"
# Some localization settings
LOC_LANG="de_DE.UTF-8"
LOC_KEYMAP="de-latin1"
LOC_TIMEZONE="Europe/Berlin"
LOC_HWCLOCK="localtime"
LOC_XKBLANG="de"
# Autologin as gtc-User
AUTOLOGIN="no"
# Settings for LDAP Authentication
LDAP=yes
LDAP_SERVER=my.lan.ip.addr
LDAP_TLS=yes
LDAP_BASEDN="dc=example,dc=com"
# Settings for NIS Authentication
NIS=no
NIS_SERVER=XXX.XXX.XXX.XXX
NIS_DOMAIN=domainname
# Run local script on all thinclients
#LOCAL_SCRIPT="/path/to/my/local/script"
#UPDATECHANNEL=test
DEBUG=no
#PACKAGES="www-plugins/adobe-flash dev-util/android-sdk-update-manager"
PACKAGES=""
File permissions:
Owner: root
Group: root
Permissions: -rw-r-----
Click here for a download of the complete file: /gtc/test/etc/ufw/after.rules
Changed on 28.03.20
Virtual/Tor Networking Routing vnet0 and tornet0
# Allow SSH
-A ufw-after-input -p tcp --dport 22 -j ACCEPT
-A ufw-after-input -p udp --dport 22 -j ACCEPT
# Allow docker sending mails
-A ufw-after-input -p tcp -d XXX.XXX.XXX.XXX --dport 25 -j ACCEPT
-A ufw-after-input -p udp -d XXX.XXX.XXX.XXX --dport 25 -j ACCEPT
# Allow DNS/TorDNS(5353) Requests from vnet0 and tornet0
-A ufw-after-input -p udp --dport 53 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 53 -i tornet0 -j ACCEPT
-A ufw-after-input -p udp --dport 5353 -i tornet0 -j ACCEPT
# Allow Tor/Privoxy Requests from tornet0,vnet0 (9040 for transparent proxy in tornet0 only)
-A ufw-after-input -p tcp --dport 3128 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 3128 -i vnet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 9040 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 9050 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 9050 -i vnet0 -j ACCEPT
# Allow NTP TFTP and NFS from vnet0 and tornet0
-A ufw-after-input -p udp --dport 69 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 69 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 111 -i vnet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 111 -i tornet0 -j ACCEPT
-A ufw-after-input -p udp --dport 111 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 111 -i tornet0 -j ACCEPT
-A ufw-after-input -p udp --dport 123 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 123 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 2049 -i vnet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 2049 -i tornet0 -j ACCEPT
-A ufw-after-input -p udp --dport 2049 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 2049 -i tornet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 32765:32768 -i vnet0 -j ACCEPT
-A ufw-after-input -p tcp --dport 32765:32768 -i tornet0 -j ACCEPT
-A ufw-after-input -p udp --dport 32765:32768 -i vnet0 -j ACCEPT
-A ufw-after-input -p udp --dport 32765:32768 -i tornet0 -j ACCEPT
# Allow Samba
-A ufw-after-input -p tcp --dport 445 -j ACCEPT
-A ufw-after-input -p udp --dport 445 -j ACCEPT
# Allow http/https
-A ufw-after-input -p tcp --dport 443 -j ACCEPT
-A ufw-after-input -p tcp --dport 80 -j ACCEPT
File permissions:
Owner: root
Group: root
Permissions: -rw-r-----
Click here for a download of the complete file: /gtc/test/etc/ufw/before.rules
Changed on 28.03.20
Virtual/Tor Networking Routing vnet0 and tornet0
*nat
:POSTROUTING ACCEPT [0:0]
# Route network XXX.XXX.XXX.XXX/24 (vnet0)
-A POSTROUTING -s XXX.XXX.XXX.XXX/24 -j MASQUERADE
# Route network XXX.XXX.XXX.XXX/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
# Activate "normal" routing for non-Internet Networks
-A POSTROUTING -s XXX.XXX.XXX.XXX/24 -j MASQUERADE
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/8 -j RETURN
-A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/16 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/12 -j RETURN
-A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/10 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/16 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/24 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/24 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/24 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/15 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/24 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/24 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/4 -j RETURN
-A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
-A PREROUTING -i tornet0 -d XXX.XXX.XXX.XXX/32 -j RETURN
# Redirect all TCP-Connections to transparent Tor-Proxy
-A PREROUTING -i tornet0 -s XXX.XXX.XXX.XXX/24 -p tcp --syn -j REDIRECT --to-ports 9040
# Redirect DNS to TorDNS
-A PREROUTING -i tornet0 -s XXX.XXX.XXX.XXX/24 -d XXX.XXX.XXX.XXX -p udp --dport 53 -j REDIRECT --to-ports 5353
# Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
-A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
COMMIT
Virtual/Tor Networking Routing vnet0 and tornet0
-A ufw-before-forward -i vnet0 -m conntrack --ctstate NEW -j ACCEPT
-A ufw-before-forward -i tornet0 -m conntrack --ctstate NEW -j ACCEPT
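The nat table above depends on the order of its rules: every RETURN for a destination that must stay off Tor has to come before the catch-all REDIRECT, because the nat PREROUTING chain is consulted only for the first packet of a connection, and a bypass rule placed after the REDIRECT is silently dead. The following script is an added example, not part of the GTC ufw files. It generates that table from an interface, client subnet and gateway address and checks the ordering invariant. The bypass list is the IANA special-purpose IPv4 set, which is an assumption (the page's own list is masked and is not reproduced here); the ports are the TransPort and DNSPort from the torrc above; the addresses in the usage line are RFC 5737 placeholders.

```shell
#!/bin/sh
# Added example, not part of the GTC ufw rules: build the *nat table that forces
# a client subnet on a Tor interface through Tor's TransPort/DNSPort, and check
# the ordering invariant that makes the bypass list effective.
# Assumptions (not from the page): interface, subnet and gateway address are
# parameters; the bypass list is the IANA special-purpose IPv4 set, the page's
# own (masked) list is not reproduced here.

TOR_TRANS_PORT=9040   # TransPort from the page's torrc
TOR_DNS_PORT=5353     # DNSPort from the page's torrc

# Destinations that must never be handed to Tor (assumed list; add your LAN
# prefixes, otherwise LAN traffic is torified or, being non-TCP, dropped).
TOR_BYPASS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"

# tor_nat_rules IFACE SUBNET GATEWAY -> iptables-restore text on stdout
tor_nat_rules() {
    iface=$1; subnet=$2; gw=$3
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # 1. Exceptions first. The nat PREROUTING chain sees only the first packet
    #    of a flow, so a RETURN here keeps the whole flow away from Tor.
    for net in $TOR_BYPASS; do
        echo "-A PREROUTING -i $iface -d $net -j RETURN"
    done
    # 2. Client DNS (UDP/53 to the gateway) goes to Tor's DNSPort.
    echo "-A PREROUTING -i $iface -s $subnet -d $gw -p udp --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT"
    # 3. Every new TCP flow is redirected to TransPort.
    echo "-A PREROUTING -i $iface -s $subnet -p tcp --syn -j REDIRECT --to-ports $TOR_TRANS_PORT"
    # 4. Flows that RETURNed above are routed normally and masqueraded.
    #    Tor carries TCP only: drop other protocols from this subnet in the
    #    filter FORWARD chain. (The page instead DNATs them to 127.0.0.1:1,
    #    which only discards them because the kernel refuses 127/8 destinations
    #    arriving on a non-loopback interface unless route_localnet is set.)
    echo "-A POSTROUTING -s $subnet -j MASQUERADE"
    echo 'COMMIT'
}

# check_exceptions_first FILE IFACE -> 0 if no RETURN for IFACE appears after
# the TCP REDIRECT for IFACE (no bypass rule is dead), else 1.
check_exceptions_first() {
    awk -v iface="$2" '
        $0 ~ "-i " iface " " && /-p tcp/ && /-j REDIRECT --to-ports/ { seen_redirect = 1 }
        $0 ~ "-i " iface " " && /-j RETURN/ && seen_redirect { bad = 1 }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# Usage (RFC 5737 placeholder addresses): print the ruleset and verify it.
rules=$(mktemp)
tor_nat_rules tornet0 192.0.2.0/24 192.0.2.1 > "$rules"
cat "$rules"
check_exceptions_first "$rules" tornet0 && echo "ok: bypass list precedes REDIRECT"
rm -f "$rules"
```

The generated text can be fed to iptables-restore on a test host, or its PREROUTING/POSTROUTING lines pasted into the *nat section of ufw's before.rules as the page does; check_exceptions_first is cheap enough to run against before.rules itself whenever the bypass list is edited.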
To start the new services automatically after a reboot, add them to a runlevel with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add sshd default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add rsyslog default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add nscd default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add dbus default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add hald'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add udev-postmount'
Please send a feedback to: doc<at>gabosh.net
qemu-img create /path/to/your/vmimage.img 10G
kvm -hda /path/to/your/vmimage.img -cdrom /dev/cdrom -m 1024 -net nic,macaddr=00:1d:92:ab:cd:ef -net tap,ifname=tap0,script=no,downscript=no -name myvm1 -boot d
kvm -hda /path/to/your/vmimage.img -cdrom /dev/cdrom -m 1024 -net nic,macaddr=00:1d:92:ab:cd:ef -net tap,ifname=tap0,script=no,downscript=no -name myvm1 -boot d -usb -usbdevice host:aaaa:bbbb
If you want to use this solution you need the following howto(s) finished:
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-emulation/qemu-kvm'
File permissions:
Owner: root
Group: root
Permissions: -r-x------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/gtc-startupconfig
Changed on 20.04.10
This is for loading the KVM-Drivers automatically at system startup
g_echo_ok "Loading KVM modules"
modprobe kvm >/dev/null 2>&1
modprobe kvm-amd >/dev/null 2>&1
modprobe kvm-intel >/dev/null 2>&1
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/dconf/readme.txt
Changed on 14.10.19
generate default configurations for Mate Desktop
# as user in clean $HOME
dconf dump / >/etc/dconf/db/local.d/gabosh
# as root
rm /etc/dconf/db/local
echo "user-db:user
system-db:local
" >/etc/dconf/profile/user
dconf update
If you want to use this solution you need the following howto(s) finished:
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/default-profile/start.sh
Changed on 13.10.09
Default script for configuring the system
chmod 755 /home
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/global-profile/start.sh
Changed on 13.10.09
User defineable script for the global GTC profile
#!/bin/bash
if ping -c1 gabosh | grep "64 bytes from" >/dev/null 2>&1
then
echo "Network printer"
lpadmin -p "EPSON_WF_4740" -E -v ipp://XXX.XXX.XXX.XXX/ipp/print -m lsb/usr/epson-inkjet-printer-escpr/Epson-WF-4640_Series-epson-escpr-en.ppd -D "EPSON WorkForce-4740" -L "at Becky, user1 and Jonah"
fi
File permissions:
Owner: root
Group: root
Permissions: -r-x------
Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/gtc-startupconfig
Changed on 16.06.09
Start the individual startscript for this host.
#if cat /proc/cmdline | grep " gtcserver" >/dev/null
#then
# echo -e "\n==============================\nLoading Server profile\n==============================\n"
# rsync -a$RSYNC_OPT /etc/thinclient/server-profile/etc/ /etc/
# . /etc/thinclient/server-profile/start.sh
#fi
g_echo_ok "Running /etc/thinclient/global-profile/start.sh"
# Switching from xdm -> display-manager
sed -i 's/xdm start/display-manager start/' /etc/thinclient/profiles/*/start.sh /_gtcroot/etc/thinclient/profiles/*/start.sh >/dev/null 2>&1
# Run global Start script
. /etc/thinclient/global-profile/start.sh
if [ -d "/etc/thinclient/profiles/`hostname`" ]
then
# Run individual start-Script if exists
if [ -f "/etc/thinclient/profiles/`hostname`/start.sh" ]
then
g_echo_ok "Running /etc/thinclient/profiles/`hostname`/start.sh"
. /etc/thinclient/profiles/`hostname`/start.sh
fi
# # Don't run the default profile if this is a Server
# if cat /proc/cmdline | grep " gtcserver" >/dev/null
# then
# exit 0
# fi
else
# # Don't run the default profile if this is a Server
# if cat /proc/cmdline | grep " gtcserver" >/dev/null
# then
# exit 0
# fi
# if cat /proc/cmdline | grep " gtcinstall" >/dev/null
# then
# echo -e "\n==============================\nStarting GTC installation\n==============================\n"
# /etc/thinclient/scripts/gtc-install
# else
g_echo_ok "Running default profile start script"
# now in initrd
#rsync -a$RSYNC_OPT /etc/thinclient/default-profile/etc/ /etc/
. /etc/thinclient/default-profile/start.sh
# fi
fi
cp /etc/openldap/slapd.conf /etc/thinclient/server-profile/etc/openldap/slapd.conf
cp /usr/share/webapps/phpldapadmin/*/htdocs/config/config.php /etc/thinclient/server-profile/etc/phpldapadmin.conf
cp /etc/conf.d/nfs /etc/thinclient/server-profile/etc/conf.d/nfs
cp /etc/conf.d/in.tftpd /etc/thinclient/server-profile/etc/conf.d/in.tftpd
cp /etc/conf.d/apache2 /etc/thinclient/server-profile/etc/conf.d/apache2
cp /etc/bind/named.conf /etc/thinclient/server-profile/etc/bind/named.conf
If you want to use this solution you need the following howto(s) finished:
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/nfs-utils'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge sys-boot/syslinux'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-ftp/tftp-hpa'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-misc/dhcp'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-dns/bind'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-dns/bind-tools'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-nds/openldap'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/samba'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-nds/phpldapadmin'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge www-servers/apache'
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
The Webserver configuration for the GTC-Server
# Some default settings
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
# ServerName
ServerName localhost
# Directory Index
DirectoryIndex index.html
# Some security settings
Timeout 60
# Allow a maximum of 100MB for upload.
LimitRequestBody 104857600
# Allow a maximum of 50 request header fields
LimitRequestFields 50
# Maximum size of a single HTTP request header sent by the client
LimitRequestFieldSize 4094
# Maximum length of the HTTP request line
LimitRequestLine 8190
# Allow a maximum of 100MB for uploads via WebDAV (XML request bodies)
LimitXMLRequestBody 104857600
# VHost logging
CustomLog /var/log/apache2/access_log vhost
# Load LDAP Auth modules
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www>
Order Allow,Deny
Allow from all
Options None
AllowOverride None
</Directory>
ServerSignature Off
TraceEnable off
# The default vHost
<VirtualHost *:80>
ServerName default
ServerAdmin gtc
DocumentRoot /var/www/default/htdocs
</VirtualHost>
<VirtualHost *:443>
ServerName default
ServerAdmin gtc
DocumentRoot /var/www/default/htdocs
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Listen on localhost and the LAN, and forward queries this server is not authoritative for (Internet name resolution). Note that 0.0.0.0/0 in listen-on, allow-query and allow-recursion accepts queries, including recursive ones, from any source address: if the server is reachable from beyond the LAN this is an open resolver, so restrict allow-recursion to the LAN prefix (or filter port 53 at the firewall).
listen-on { 127.0.0.1; };
After change
// Listen
listen-on { 127.0.0.1/8;
0.0.0.0/0;
};
// The way to the Internet
allow-recursion { 127.0.0.1/8;
0.0.0.0/0;
};
// Local zones
allow-query { 127.0.0.1/8;
0.0.0.0/0;
};
allow-notify { none; };
allow-transfer { none; };
Zone definitions for some domains
# This is an entry for an LDAP Zone. Use this only if you want to use Bind with LDAP
zone "gtc" IN {
type master;
database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
allow-update { none; };
};
zone "in-addr.arpa" {
type master;
database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
allow-update { none; };
};
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Apache start options for enabling PHP5 and SSL
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5"After change
APACHE2_OPTS="-D SSL -D PHP5"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
These are the DHCP settings for connecting to the LDAP Server.
ldap-server "127.0.0.1";
ldap-port 389;
# empty ldap-username/ldap-password means an anonymous bind, so the DHCP subtree must be anonymously readable
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=gtc";
ldap-dhcp-server-cn "gtc-server";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config";
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Basedn for phpldapadmin
// $servers->setValue('server','base',array(''));
After change
$servers->setValue('server','base',array('dc=gtc'));
Login for phpldapadmin
# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
After change
$servers->setValue('login','bind_id','cn=Manager,dc=gtc');
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/server-profile/start.sh
Changed on 23.04.10
Create data and start the Services
#!/bin/bash
# Get network information from the kernel command line (ip=client:server:gateway:netmask:...)
IP=`cat /proc/cmdline | perl -pe 's/^.+ip=//; s/ .+$//'`
SRV_IP=`echo $IP | cut -d: -f1`
SRV_GATEWAY=`echo $IP | cut -d: -f3`
SRV_SUBNET=`echo $IP | cut -d: -f4`
SRV_NETWORK=`ipcalc $SRV_IP/$SRV_SUBNET -b -n | grep Network | perl -pe 's/ +/ /g' | cut -d" " -f2 | cut -d"/" -f1`
SRV_BROADCAST=`ipcalc $SRV_IP/$SRV_SUBNET -b -n | grep Broadcast | perl -pe 's/ +/ /g' | cut -d" " -f2`
# Setup pxelinux-Bootloader-Files
mkdir -p /srv/pxe/pxelinux.cfg
cp /usr/share/syslinux/pxelinux.0 /srv/pxe/
cp /usr/share/syslinux/menu.c32 /srv/pxe/
cp /boot/kernel-genkernel-x86-`uname -r` /srv/pxe/
cp /boot/initramfs-genkernel-x86-`uname -r` /srv/pxe/
# LDAP
if [ -d "/srv/ldap" ]
then
rm -r /var/lib/openldap-data
ln -sf /srv/ldap /var/lib/openldap-data
/etc/init.d/slapd start
else
echo "Creating initial LDAP Database"
SRV_REVIP=`echo "$SRV_IP" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}' | sed 's/\.$//'`
echo "
# Create LDAP DB and start it
# The basic structure
dn: dc=gtc
dc: gtc
objectClass: top
objectClass: domain
# The DHCP object with some default settings. filename and next-server are only needed if you want to boot with PXE.
# The entries for your DHCP-Server(s)
dn: ou=DHCP-Servers,dc=gtc
objectClass: organizationalUnit
objectClass: top
ou: DHCP-Servers
dn: cn=gtc-server,ou=DHCP-Servers,dc=gtc
objectClass: top
objectClass: dhcpServer
cn: gtc-server
dhcpServiceDN: cn=Computers,dc=gtc
dhcpStatements: next-server $SRV_IP
dhcpOption: routers $SRV_GATEWAY
dhcpOption: domain-name-servers $SRV_IP
dhcpOption: ntp-servers $SRV_IP
# The global settings for all your DHCP-Server(s)
dn: cn=Computers,dc=gtc
cn: Computers
dhcpOption: subnet-mask $SRV_SUBNET
dhcpOption: broadcast-address $SRV_BROADCAST
dhcpOption: domain-name \"gtc\"
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true
dhcpStatements: filename \"/pxelinux.0\"
dhcpStatements: default-lease-time 7200
dhcpStatements: max-lease-time 14400
objectClass: dhcpService
objectClass: top
dhcpSecondaryDN: cn=gtc-server,ou=DHCP-Servers,dc=gtc
# The DHCP-Subnet entry:
dn: cn=$SRV_NETWORK,cn=Computers,dc=gtc
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
#dhcpRange: XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
cn: $SRV_NETWORK
# The GTC/DHCP-Server
dn: pTRRecord=gtc-server.gtc.,cn=Computers,dc=gtc
aRecord: $SRV_IP
pTRRecord: gtc-server.gtc.
zoneName: gtc
zoneName: in-addr.arpa
objectClass: dNSZone
objectClass: top
sOARecord: gtc hostmaster 2010033001 8H 4H 4W 3H
nSRecord: localhost.
relativeDomainName: $SRV_REVIP
relativeDomainName: @
# Groups
dn: ou=Group,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: Group
# Admin group
dn: cn=admins,ou=Group,dc=gtc
cn: admins
gidnumber: 12345
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=Ad min,ou=Users,ou=People,dc=gtc
# System groups
dn: cn=audio,ou=Group,dc=gtc
cn: audio
gidnumber: 18
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=cdrom,ou=Group,dc=gtc
cn: cdrom
gidnumber: 19
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=cdrw,ou=Group,dc=gtc
cn: cdrw
gidnumber: 80
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=disk,ou=Group,dc=gtc
cn: disk
gidnumber: 6
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=games,ou=Group,dc=gtc
cn: games
gidnumber: 35
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=root,ou=Group,dc=gtc
cn: root
gidnumber: 0
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=admins,ou=Group,dc=gtc
dn: cn=usb,ou=Group,dc=gtc
cn: usb
gidnumber: 85
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=vboxusers,ou=Group,dc=gtc
cn: vboxusers
gidnumber: 1008
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=video,ou=Group,dc=gtc
cn: video
gidnumber: 27
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc
dn: cn=wheel,ou=Group,dc=gtc
cn: wheel
gidnumber: 10
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=admins,ou=Group,dc=gtc
# Users group
dn: cn=users,ou=Group,dc=gtc
cn: users
gidnumber: 100
objectclass: gaboshGroup
objectclass: posixGroup
objectclass: top
uniquemember: cn=Ad min,ou=Users,ou=People,dc=gtc
uniquemember: cn=Te St,ou=Users,ou=People,dc=gtc
# Users section:
dn: ou=People,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: People
dn: ou=SystemUsers,ou=People,dc=gtc
objectclass: organizationalUnit
objectclass: top
ou: SystemUsers
dn: ou=Users,ou=People,dc=gtc
objectclass: organizationalUnit
objectclass: top
ou: Users
# Admin User
dn: cn=Ad Min,ou=Users,ou=People,dc=gtc
cn: Ad Min
gidnumber: 100
givenname: Ad
homedirectory: /home/admin
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3004
sn: Min
uid: admin
uidnumber: 1000
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
# Test User
dn: cn=Te St,ou=Users,ou=People,dc=gtc
cn: Te St
gidnumber: 100
givenname: Te
homedirectory: /home/test
loginshell: /bin/false
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 000000000000000000000000000000000000000000000000000000
0000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3005
sn: St
uid: test
uidnumber: 1001
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
# Sambadomain
dn: sambaDomainName=GTCSERVER,dc=gtc
objectclass: sambaDomain
sambaalgorithmicridbase: 1000
sambadomainname: GTC
sambaforcelogoff: -1
sambalockoutduration: 30
sambalockoutobservationwindow: 30
sambalockoutthreshold: 0
sambalogontochgpwd: 0
sambamaxpwdage: -1
sambaminpwdage: 0
sambaminpwdlength: 5
sambanextuserrid: 1000
sambapwdhistorylength: 0
sambarefusemachinepwdchange: 0
sambasid: S-1-5-21-130334517-3066763751-205333941
" > /tmp/ldapinit.ldif
mv /var/lib/openldap-data /srv/ldap
ln -sf /srv/ldap /var/lib/openldap-data
mv /srv/ldap/DB_CONFIG.example /srv/ldap/DB_CONFIG
/etc/init.d/slapd start
/etc/init.d/slapd stop
slapadd < /tmp/ldapinit.ldif
chown -R ldap:ldap /srv/ldap
/etc/init.d/slapd start
fi
cp /etc/nsswitch.conf /tmp/nsswitch.conf.tcorig
cat /tmp/nsswitch.conf.tcorig | \
sed 's/^passwd:.*/passwd: ldap compat/' | \
sed 's/^shadow:.*/shadow: ldap compat/' | \
sed 's/^group:.*/group: ldap compat/' > /etc/nsswitch.conf
/etc/init.d/nscd restart
# Copy up-to-date default configs
if [ -d "/srv/config" ]
then
rsync -a --exclude=thinclient.conf.local --exclude=profiles --exclude=global-profile --delete /etc/thinclient/ /srv/config/
else
mkdir -p /srv/config
rsync -a /etc/thinclient/ /srv/config/
fi
# Prepare Server gtcroot
mkdir -p /opt/gtcroot
mount -B /_gtcroot /opt/gtcroot
mount -B /srv/config /opt/gtcroot/etc/thinclient
mkdir -p /opt/gtcroot/etc/thinclient/profiles
mkdir -p /srv/profiles
mount -B /srv/profiles /opt/gtcroot/etc/thinclient/profiles
mkdir -p /srv/global-profile
mount -B /srv/global-profile /opt/gtcroot/etc/thinclient/global-profile
# Configure phpldapadmin
mkdir -p /var/www/default/htdocs/phpldapadmin
rsync -a --delete /usr/share/webapps/phpldapadmin/*/htdocs/ /var/www/default/htdocs/phpldapadmin
cp /etc/phpldapadmin.conf /var/www/default/htdocs/phpldapadmin/config/config.php
chown -R apache:apache /var/www/default/htdocs
# DNS
echo "nameserver 127.0.0.1
search gtc" >/etc/resolv.conf
chmod 644 /etc/resolv.conf
# Start the other Services
/etc/init.d/named start
/etc/init.d/dhcpd start
killall -9 portmap 2>/dev/null
umount -lf /var/lib/nfs/rpc_pipefs 2>/dev/null
sleep 5
/etc/init.d/portmap start
/etc/init.d/rpc.statd start
/etc/init.d/nfs start
/etc/init.d/atftp start
/etc/init.d/apache2 start
mkdir -p /srv/log /srv/share/home/test /srv/share/home/admin
chown test:users /srv/share/home/test
chown admin:admins /srv/share/home/admin
chmod 750 /srv/share/home/test
chmod 750 /srv/share/home/admin
mount -B /srv/share/home /home
/etc/init.d/samba start
# Write the Bootmanager-Config
mkdir -p /srv/pxe/pxelinux.cfg
echo "
default menu.c32
prompt 0
menu title GTC Boot Menu
NOESCAPE 1
ALLOWOPTIONS 0
MENU AUTOBOOT Starting Gentoo Stable Thinclient in # seconds
label gtc
menu default
menu label ^GTC
timeout 100
kernel /kernel-genkernel-x86-`uname -r`
append initrd=/initramfs-genkernel-x86-`uname -r` root=/dev/nfs nfsroot=$SRV_IP:/opt/gtcroot ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs
ipappend 3
label bootlocal
menu label ^Boot from local Disk
localboot 0
" > /srv/pxe/pxelinux.cfg/default
Please send a feedback to: doc<at>gabosh.net
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Default Configurations for Thunderbird
pref("mail.html_compose", false);
pref("mail.compose.default_to_paragraph", false);
pref("spellchecker.dictionary", "de-DE");
pref("mail.collect_email_address_outgoing", false);
pref("msgcompose.default_colors", false);
pref("mailnews.default_sort_order", 2);
If you want to use this solution you need the following howto(s) finished:
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-wireless/wpa_supplicant'
File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--
Click here for a download of the complete file: /gtc/test/etc/wpa_supplicant/wpa_supplicant.conf
Changed on 24.09.09
Configure these parameters to fit your environment.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
#ap_scan=2
fast_reauth=1
network={
ssid="home"
scan_ssid=0
mode=0
#bssid=XX:XX:XX:XX:XX:XX
#bssid=XX:XX:XX:XX:XX:XX
proto=WPA RSN
key_mgmt=WPA-PSK
#phase1="peaplabel=1"
#phase2="auth=MSCHAPV2"
priority=10
pairwise=CCMP TKIP
group=CCMP TKIP
identity="username"
psk="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
If you want to use this solution you need the following howto(s) finished:
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge x11-base/xorg-x11'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-base/mate'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-base/mate-control-center'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/caja-extensions'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/mate-media'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/mate-sensors-applet'
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/env.d/90xsession
Changed on 01.09.10
Sets the default X session that is started when you use startx to start the X server. Possible values can be found with:
ls /etc/X11/Sessions/
XSESSION="MATE"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/lightdm/lightdm.conf
Changed on 01.09.10
LightDM-Settings
user-session=mate
greeter-hide-users=false
greeter-show-manual-login=true
allow-guest=false
xserver-command=X -core -dpi 96
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /gtc/test/etc/lightdm/lightdm-gtk-greeter.conf
Changed on 01.09.10
LightDM-Settings
disable_user_list=false
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-compiz
Changed on 01.09.10
Start script for the Compiz-Fusion 3D desktop
#!/bin/bash
LIBGL_ALWAYS_INDIRECT=true compiz --replace --ignore-desktop-hints ccp &
emerald --replace
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-xconfig
Changed on 07.10.09
A script for starting Xorg and setting XkbLayout
#!/bin/bash
. /etc/thinclient/thinclient.conf
if [ -f "/etc/thinclient/thinclient.conf.local" ]
then
. /etc/thinclient/thinclient.conf.local
fi
if [ -f "/etc/thinclient/profiles/`hostname`/thinclient.conf" ]
then
. /etc/thinclient/profiles/`hostname`/thinclient.conf
fi
if [ -z "$LOC_XKBLANG" ]
then
LOC_XKBLANG="us"
else
echo "
Section \"InputClass\"
Identifier \"Keyboard Defaults\"
MatchIsKeyboard \"yes\"
Option \"XkbLayout\" \"$LOC_XKBLANG\"
EndSection
" > /etc/X11/xorg.conf
fi
/etc/init.d/display-manager restart
If you want to use this solution you need the following howto(s) finished:
emerge net-misc/ntp
File permissions:
Owner: root
Group: root
Permissions: -rwx------
Click here for a download of the complete file: /etc/cron.hourly/ntpdate.sh
Changed on 11.09.08
Set the system and BIOS time/date daily from the internet.
#!/bin/bash
ntpdate -us 0.de.pool.ntp.org || ntpdate -us 1.de.pool.ntp.org
hwclock --systohc
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/ntp.conf
Changed on 08.09.08
Allow the LAN to connect to the time server. Set this to your network IP and subnet mask.
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
After change
restrict default nomodify
restrict my.lan.network.ip mask XXX.XXX.XXX.XXX
restrict my.dmz.network.ip mask XXX.XXX.XXX.XXX
restrict 127.0.0.1
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add ntpd default
head -10 /dev/urandom | sha512sum | cut -b 1-30
oathtool -v -d6 GENERATED-SEED
qrencode -o qrcode.png 'otpauth://totp/user@machine?secret=BASE32-SECRET'
If you want to use this solution you need the following howto(s) finished:
emerge media-gfx/qrencode
emerge sys-auth/oath-toolkit
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/otp.users
Changed on 19.09.2019
File with users and their seeds. A seed can be generated with "head -10 /dev/urandom | sha512sum | cut -b 1-30"
# Option User Prefix Seed
HOTP/T30/6 username - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
HOTP/T30/6 username - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/horde
Changed on 19.09.2019
PAM config for pam_oath.so
#auth requisite pam_oath.so usersfile=/etc/otp.users window=30 digits=6
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/sshd
Changed on 19.09.2019
PAM config for pam_oath.so
auth sufficient pam_oath.so usersfile=/etc/otp.users window=30 digits=6
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/pam.d/su
Changed on 19.09.2019
PAM config for pam_oath.so
auth requisite pam_oath.so usersfile=/etc/otp.users window=30 digits=6
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/ssh/sshd_config
Changed on 19.09.2019
SSH needs the following settings:
ChallengeResponseAuthentication yes
UsePAM yes
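To show what an "HOTP/T30/6" entry in /etc/otp.users and the window=30 of the PAM lines above actually mean, here is an added Python example (not part of this howto and not oath-toolkit code) that derives the codes the way pam_oath checks them and turns the hex seed into the Base32 secret that the otpauth:// URI for qrencode needs. The sample seed is the RFC 6238 test key, the user name "alice" is constructed, and the acceptance of codes within ±window time steps is an assumption about how pam_oath's window option behaves.

```python
"""Added example (not from the howto): HOTP/T30/6 codes as in /etc/otp.users.

Assumption: the verifier accepts a code from any time step within +/- window
of the current one; this models the window= option of the pam_oath lines.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the format of /etc/otp.users; the seed is the
# RFC 6238 test key "12345678901234567890" written as hex.
OTP_USERS_SAMPLE = """\
# Option User Prefix Seed
HOTP/T30/6 alice - 3132333435363738393031323334353637383930
"""


def hotp(seed_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    key = bytes.fromhex(seed_hex)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_hex: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter (T30 means 30 s steps)."""
    return hotp(seed_hex, unix_time // step, digits)


def seed_to_base32(seed_hex: str) -> str:
    """pam_oath stores the seed as hex; otpauth:// URIs carry it Base32-encoded."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode("ascii").rstrip("=")


def otpauth_uri(user: str, host: str, seed_hex: str) -> str:
    """The URI that is handed to qrencode (same shape as in the howto)."""
    return f"otpauth://totp/{user}@{host}?secret={seed_to_base32(seed_hex)}"


def parse_otp_users(text: str) -> dict:
    """Parse '<option> <user> <prefix> <seed>' lines of /etc/otp.users."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, user, prefix, seed = line.split()
        _, step, digits = option.split("/")     # "HOTP/T30/6" -> 30 s, 6 digits
        entries[user] = {"step": int(step[1:]), "digits": int(digits),
                         "prefix": None if prefix == "-" else prefix,
                         "seed": seed}
    return entries


def verify(entry: dict, code: str, unix_time: int, window: int) -> bool:
    """Accept the code if it matches any step within +/- window (assumption)."""
    base = unix_time // entry["step"]
    for delta in range(-window, window + 1):
        expected = hotp(entry["seed"], base + delta, entry["digits"])
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    users = parse_otp_users(OTP_USERS_SAMPLE)
    now = int(time.time())
    for name, entry in users.items():
        print(name, totp(entry["seed"], now, entry["step"], entry["digits"]))
        print(otpauth_uri(name, "gtcserver", entry["seed"]))
```

Note that /etc/pam.d/sshd marks the pam_oath line sufficient, so a code accepted by this check satisfies that auth line on its own, while /etc/pam.d/su uses requisite, where a wrong code fails the stack immediately.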
ln -s /etc/init.d/net.lo /etc/init.d/net.wlan0
If you want to use this solution you need the following howto(s) finished:
emerge net-wireless/hostapd
emerge net-wireless/iw
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/net
Changed on 13.10.15
Configuration of the interface
modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0="XXX.XXX.XXX.XXX/16 fd25::200/64"
#config_wlan0="XXX.XXX.XXX.XXX/16"
rc_net_wlan0_provide="!net"
#mtu_wlan0="2304"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/net.bak
Changed on 13.10.15
Configuration of the interface
modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0="XXX.XXX.XXX.XXX/16"
rc_net_wlan0_provide="!net"
#mtu_wlan0="2304"
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/hostapd/hostapd.conf
Changed on 13.10.15
Config for a WLAN access point with hostapd
interface=wlan0
driver=nl80211
# g means 2.4GHz
hw_mode=g
# the channel to use, 0 means the AP will search for the channel with the least interferences
channel=3
# limit the frequencies used to those allowed in the country
ieee80211d=1
country_code=DE
# 802.11n support
ieee80211n=1
#ht_capab=[SHORT-GI-40][HT40+][HT40-][DSSS_CCK-40]
# 802.11ac support
#ieee80211ac=1
# QOS
wme_enabled=1
# WLAN
ssid=WLAN
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=secret
# MAC Filter
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/hostapd.macaccept
# Logging
logger_syslog=1
logger_syslog_level=1
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/hostapd/hostapd.conf-2.4
Changed on 13.10.15
Config for a WLAN access point with hostapd (2.4GHz variant)
interface=wlan0
driver=nl80211
# g means 2.4GHz
hw_mode=g
# the channel to use, 0 means the AP will search for the channel with the least interferences
channel=1
# limit the frequencies used to those allowed in the country
ieee80211d=1
country_code=DE
# 802.11n support
ieee80211n=1
#ht_capab=[SHORT-GI-40][HT40+][HT40-][DSSS_CCK-40]
# 802.11ac support
#ieee80211ac=1
# QOS
wme_enabled=1
# WLAN
ssid=WLAN
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=secret
# MAC Filter
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/hostapd.macaccept
# Logging
logger_syslog=1
logger_syslog_level=1
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/hostapd/hostapd.conf-5
Changed on 13.10.15
Config for a WLAN access point with hostapd (5GHz variant)
interface=wlan0
driver=nl80211
# a means 5GHz
hw_mode=a
# the channel to use, 0 means the AP will search for the channel with the least interferences
channel=0
# limit the frequencies used to those allowed in the country
ieee80211d=1
country_code=DE
# 802.11n support
ieee80211n=1
#ht_capab=[SHORT-GI-40][HT40+][HT40-][DSSS_CCK-40]
# 802.11ac support
ieee80211ac=1
# QOS
wme_enabled=1
# WLAN
ssid=WLAN
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=secret
# MAC Filter
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/hostapd.macaccept
# Logging
logger_syslog=1
logger_syslog_level=1
File permissions:
Owner: root
Group: root
Permissions: -rw-------
Click here for a download of the complete file: /etc/hostapd/hostapd.macaccept
Changed on 13.10.15
List of allowed client MACs (one "# name" comment line followed by the MAC address per client)
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/udev/rules.d/10-wlan-stick.rules
Changed on 13.10.15
Disable power saving; with it enabled the stick may cause problems like "Warning - Data pending for entry X 4 in queue"
KERNEL=="wlan0", ACTION=="add", RUN+="/usr/sbin/iw dev wlan0 set power_save off"
KERNEL=="wlan1", ACTION=="add", RUN+="/usr/sbin/iw dev wlan1 set power_save off"
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add hostapd default
rc-update add net.wlan0
If you want to use this solution you need the following howto(s) finished:
emerge www-servers/apache
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/apache2/modules.d/00_mod_log_config.conf
Changed on 13.01.09
This activates Apache logging with the vhost name in the log file.
CustomLog /var/log/apache2/access_log common
After change
CustomLog /var/log/apache2/access_log vhost
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/apache2/vhosts.d/02_vhosts.conf
Changed on 13.01.09
Here are some settings for name-based virtual hosts, preceded by some security settings.
# ServerName
ServerName xgabosh.example.com
# Generate VHosts from Macro
Use VHost www.example.com
Use VHost fbofl.example.com
Use VHost drucker-ofl.example.com
Use VHost get.example.com
Use VHost doc.example.com
Use VHost gtc.example.com
Use VHost camofl.example.com
Use VHost epson.example.com
Use VHost status.example.com
Use VHost www.olmusic.de
Use VHost olmusic.example.com
Use VHost www.drachenrachen.de
Use VHost nextcloud.example.com
Use VHost nextcloud-test.example.com
Use VHost autoconfig.example.com
Use VHost vnc.example.com
Use VHost share.example.com
Use VHost media.example.com
Use VHost rss-bridge.example.com
Use VHost nextcloud-talk-signaling.example.com
Use VHost blog.example.com
Use VHost phpmyadmin.example.com
Use VHost shop.olmusic.de
Use VHost friendica.example.com
<Location /favicon.ico>
Require all granted
</Location>
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/conf.d/apache2
Changed on 09.09.08
Apache start options for enabling PHP5 and SSL
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
After change
APACHE2_OPTS="-D DAV -D DAV_FS -D PHP -D SSL -D LANGUAGE -D PROXY -D MPM_ITK -D AUTHNZ_EXTERNAL"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
Click here for a download of the complete file: /etc/php/gabosh-php.ini
Changed on 23.02.11
PHP configuration
; Don't log deprecated errors
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
; Don't display errors
display_errors = Off
display_startup_errors = Off
track_errors = Off
html_errors = Off
; Log errors to file
error_log = /var/log/apache2/php_errors.log
; Maximum post size of 100MB
post_max_size = 100M
; Maximum of 100MB upload
upload_max_filesize = 100M
; Default timezone for PHP
date.timezone = "Europe/Berlin"
; Maximum of 200 MySQL active connections at the same time
mysql.max_persistent = 200
; Maximum of 300 MySQL connections at the same time
mysql.max_links = 300
; Set max memory
memory_limit = 2048M
; INotify (pecl install inotify)
extension=inotify.so
; enable APC-Cache in CLI
apc.enable_cli=1
output_buffering = Off
For starting the new service after system reboot you should add it to a runlevel with the following command(s):
rc-update add apache2
Version 1.3, 3 November 2008
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
The "publisher" means any person or entity that distributes copies of the Document to the public.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document.
"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site.
"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.
"Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document.
An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.