diff --git a/.gitmodules b/.gitmodules
index 9ab046b..9693a91 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,5 +1,5 @@
-[submodule "aufgabe4/gitolite-admin"]
- path = aufgabe4/gitolite-admin
+[submodule "aufgabe2.4/gitolite-admin"]
+ path = aufgabe2.4/gitolite-admin
 url = git@141.76.90.104:gitolite-admin.git
 [submodule "logs"]
 path = logs
diff --git a/aufgabe2.2/computenode/internal b/aufgabe2.2/computenode/internal
new file mode 100644
index 0000000..8947b8c
--- /dev/null
+++ b/aufgabe2.2/computenode/internal
@@ -0,0 +1,6 @@
+Description='LAN Interface'
+Interface=enp1s0
+Connection=ethernet
+IP=static
+Address=('10.20.0.101/24')
+Gateway='10.20.0.1'
diff --git a/aufgabe2.2/headnode/internal b/aufgabe2.2/headnode/internal
new file mode 100644
index 0000000..06d343b
--- /dev/null
+++ b/aufgabe2.2/headnode/internal
@@ -0,0 +1,17 @@
+Description='LAN Interface'
+Interface=eth1
+Connection=ethernet
+IP=static
+Address=('10.20.0.1/24')
+#Routes=('192.168.0.0/24 via 192.168.1.2')
+#Gateway='141.76.90.1'
+#DNS=('8.8.8.8')
+
+## For IPv6 autoconfiguration
+#IP6=stateless
+
+## For IPv6 static address configuration
+#IP6=static
+#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
+#Routes6=('abcd::1234')
+#Gateway6='1234:0:123::abcd'
diff --git a/aufgabe2.2/headnode/network b/aufgabe2.2/headnode/network
new file mode 100644
index 0000000..e8e6c01
--- /dev/null
+++ b/aufgabe2.2/headnode/network
@@ -0,0 +1,17 @@
+Description='A basic static ethernet connection'
+Interface=eth0
+Connection=ethernet
+IP=static
+Address=('141.76.90.104/24')
+#Routes=('192.168.0.0/24 via 192.168.1.2')
+Gateway='141.76.90.1'
+DNS=('8.8.8.8')
+
+## For IPv6 autoconfiguration
+#IP6=stateless
+
+## For IPv6 static address configuration
+#IP6=static
+#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
+#Routes6=('abcd::1234')
+#Gateway6='1234:0:123::abcd'
diff --git a/aufgabe2.3/deleteuser b/aufgabe2.3/deleteuser
new file mode 100755
index 0000000..ecd74e1
--- /dev/null
+++ b/aufgabe2.3/deleteuser
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# check for arguments
+if [[ $# -ne 1 || -z "$1" ]]; then
+ echo "USAGE: $0 username" 1>&2
+ exit 1
+fi
+
+userdel -r "$1"
diff --git a/aufgabe2.3/iptables.rules b/aufgabe2.3/iptables.rules
new file mode 100644
index 0000000..be48dd4
--- /dev/null
+++ b/aufgabe2.3/iptables.rules
@@ -0,0 +1,58 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow established connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow traffic from private LAN
+-A INPUT -i eth1 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+
+# allow icmp
+-A INPUT -p icmp -j ACCEPT
+
+# allow loopback
+-A INPUT -i lo -j ACCEPT
+
+# uni subnets
+:uni - [0:0]
+-A INPUT -s 141.30.0.0/16 -j uni
+-A INPUT -s 141.76.0.0/16 -j uni
+
+# reject unknown traffic with nice errors
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+# ---------------------------------------------------------------
+# internal traffic
+#
+
+:internal - [0:0]
+-A uni -j internal
+-A internal -p tcp --dport 22 -j ACCEPT
+-A internal -p tcp --dport 80 -j ACCEPT
+-A internal -p tcp --dport 443 -j ACCEPT
+
+# ---------------------------------------------------------------
+# public traffic
+
+:public - [0:0]
+-A INPUT -j public
+
+# ---------------------------------------------------------------
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# masquerading
+-A POSTROUTING -o eth0 -j MASQUERADE
+
+COMMIT
diff --git a/aufgabe2.3/newuser b/aufgabe2.3/newuser
new file mode 100755
index 0000000..fe45a62
--- /dev/null
+++ b/aufgabe2.3/newuser
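Review bot: `userdel -r "$1"` removes the account and its home directory but does nothing about the key that newuser (same commit) pushed into the gitolite-admin repository as `keydir/$1@$HOSTNAME.pub`, so a deleted user's ECDSA key keeps whatever access gitolite grants it until someone removes that file by hand; since the private key is wiped together with the home directory, that gitolite entry is the only revocation step left and the script should perform it. The script also lacks the root check that newuser has (`if [[ $EUID -ne 0 ]]; then`), which only changes the error message because userdel itself refuses to run unprivileged, but keeping the two scripts symmetric is cheap. The rewrite below mirrors newuser's clone/commit/push sequence after the userdel call.
```shell
# … unchanged: argument check …
userdel -r "$1"

# revoke the key that newuser registered with gitolite, so repository
# access disappears together with the login
dir=$(mktemp -d)
trap 'cd /; rm -rf -- "${dir:?}"' EXIT
git clone "git@zotac0:gitolite-admin" "$dir" > /dev/null
if [[ -f "$dir/keydir/$1@$HOSTNAME.pub" ]]; then
  git -C "$dir" rm --quiet "keydir/$1@$HOSTNAME.pub"
  git -C "$dir" commit --message="User \"$1\" removed" > /dev/null
  git -C "$dir" push > /dev/null
fi
```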
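Review bot: `-A INPUT -j public` is unreachable: it is appended after the three `-A INPUT … -j REJECT` rules, and the last of those matches every packet that reaches it, so the `public` chain (empty in this commit) never sees traffic and any rule later added to it would silently have no effect. Move the jump above the reject block — directly after the two `-j uni` rules is the natural place — or drop the chain until it is used. The same ordering is what makes `uni` traffic not accepted by `internal` fall through to the REJECT rules, which looks intentional and deserves a one-line comment such as `# anything not accepted above is rejected below; chains must be jumped to before this point`.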
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+# check for root
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root" 1>&2
+ exit 1
+fi
+
+# check for arguments
+if [[ $# -ne 1 ]]; then
+ echo "USAGE: $0 username" 1>&2
+ exit 1
+fi
+
+# check if user already exists
+if ! id "$1" &> /dev/null; then
+ echo "Adding user..."
+ useradd --base-dir /home --create-home "$1"
+fi
+
+# check if SSH key for user already exists
+if [[ ! -f "/home/$1/.ssh/id_ecdsa" ]]; then
+ echo "Generating SSH key for user..."
+ sudo --user "$1" ssh-keygen -t ecdsa -N "" -b 521 -f "/home/$1/.ssh/id_ecdsa" > /dev/null
+fi
+
+# check if SSH key is already added to list of authorized keys
+sudo -u "$1" touch /home/$1/.ssh/authorized_keys
+if ! grep -q "`cat /home/$1/.ssh/id_ecdsa.pub`" /home/$1/.ssh/authorized_keys; then
+ echo "Adding SSH key to list of authorized keys for user..."
+ cat "/home/$1/.ssh/id_ecdsa.pub" | sudo --user "$1" tee "/home/$1/.ssh/authorized_keys" > /dev/null
+fi
+
+export DIR="`mktemp -d`"
+trap "cd /; rm -rf $DIR" EXIT
+cd "$DIR"
+export GIT_AUTHOR_NAME=$SUDO_USER
+git clone "git@zotac0:gitolite-admin" "$DIR" > /dev/null
+
+# check if SSH key is already registered with git
+if [[ ! -f "$DIR/keydir/$1@$HOSTNAME.pub" ]]; then
+ echo "Adding SSH key to git..."
+ cp "/home/$1/.ssh/id_ecdsa.pub" "$DIR/keydir/$1@$HOSTNAME.pub"
+ git add "$DIR/keydir/$1@$HOSTNAME.pub"
+ git commit --all --message="User \"$1\" added" > /dev/null
+ git push > /dev/null
+fi
diff --git a/aufgabe2.3/sshd_config b/aufgabe2.3/sshd_config
new file mode 100644
index 0000000..5c9598f
--- /dev/null
+++ b/aufgabe2.3/sshd_config
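Review bot: `tee` without `-a` on the authorized_keys line replaces the whole file with the freshly generated public key, so any key previously authorized for the account is dropped — contrary to the "Adding" message and to the grep guard just above it; the line should be `cat "/home/$1/.ssh/id_ecdsa.pub" | sudo --user "$1" tee -a "/home/$1/.ssh/authorized_keys" > /dev/null`. The guard itself hands the key to `grep -q` as a regular expression and the `touch`/grep paths are unquoted; `grep -qF -- "$(cat "/home/$1/.ssh/id_ecdsa.pub")" "/home/$1/.ssh/authorized_keys"` is the literal, quoted form. Also `ssh-keygen -f "/home/$1/.ssh/id_ecdsa"` presumably fails when `.ssh` does not exist yet, which depends on what `/etc/skel` provides after `useradd --create-home`, so a `sudo --user "$1" mkdir -p -m 700 "/home/$1/.ssh"` before the key-generation block would make the script independent of skel.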
@@ -0,0 +1,130 @@
+# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, 
change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner /etc/motd
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
diff --git a/aufgabe2.4/cron.daily/etckeeper b/aufgabe2.4/cron.daily/etckeeper
new file mode 100755
index 0000000..65d0c8b
--- /dev/null
+++ b/aufgabe2.4/cron.daily/etckeeper
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+if [ -x /usr/bin/etckeeper ] && [ -e /etc/etckeeper/etckeeper.conf ]; then
+ . /etc/etckeeper/etckeeper.conf
+ if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then
+ # avoid autocommit if an install run is in progress
+ lockfile=/var/cache/etckeeper/packagelist.pre-install
+ if [ -e "$lockfile" ] && [ -n "$(find "$lockfile" -mtime +1)" ];
+then
+ rm -f "$lockfile" # stale
+ fi
+ if [ ! -e "$lockfile" ]; then
+ AVOID_SPECIAL_FILE_WARNING=1
+ export AVOID_SPECIAL_FILE_WARNING
+ if etckeeper unclean; then
+ etckeeper commit "daily autocommit" >/dev/null
+ fi
+ fi
+ fi
+fi
diff --git a/aufgabe2.4/cron.daily/git-log-rotate b/aufgabe2.4/cron.daily/git-log-rotate
new file mode 100755
index 0000000..ffe89a2
--- /dev/null
+++ b/aufgabe2.4/cron.daily/git-log-rotate
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+cd /var/log
+find . -iname \*.log | xargs git add
+git commit --all --message "daily autocommit"
+git push --force origin master:logs
diff --git a/aufgabe2.4/etckeeper.conf b/aufgabe2.4/etckeeper.conf
new file mode 100644
index 0000000..94c07e4
--- /dev/null
+++ b/aufgabe2.4/etckeeper.conf
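Review bot: `git push --force origin master:logs` lets this cron job rewind the remote `logs` branch, which undoes the main benefit of copying logs into a separate repository — a local history rewritten on a compromised host would be pushed over the remote's older commits without complaint; drop `--force` so a non-fast-forward push fails loudly and the discrepancy is noticed. `find . -iname \*.log | xargs git add` also mis-handles file names with whitespace and, with GNU xargs, runs `git add` with no arguments (failing under `set -e`) on a day where nothing matches; `find . -iname '*.log' -print0 | xargs -0 -r git add --` is the robust form. A header comment stating that this script expects `/var/log` to already be a git repository with an `origin` remote would save the next reader a guess, since the hunk sets neither up.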
@@ -0,0 +1,42 @@
+# The VCS to use.
+#VCS="hg"
+VCS="git"
+#VCS="bzr"
+#VCS="darcs"
+
+# Options passed to git commit when run by etckeeper.
+GIT_COMMIT_OPTIONS=""
+
+# Options passed to hg commit when run by etckeeper.
+HG_COMMIT_OPTIONS=""
+
+# Options passed to bzr commit when run by etckeeper.
+BZR_COMMIT_OPTIONS=""
+
+# Options passed to darcs record when run by etckeeper.
+DARCS_COMMIT_OPTIONS="-a"
+
+# Uncomment to avoid etckeeper committing existing changes
+# to /etc automatically once per day.
+#AVOID_DAILY_AUTOCOMMITS=1
+
+# Uncomment the following to avoid special file warning
+# (the option is enabled automatically by cronjob regardless).
+#AVOID_SPECIAL_FILE_WARNING=1
+
+# Uncomment to avoid etckeeper committing existing changes to
+# /etc before installation. It will cancel the installation,
+# so you can commit the changes by hand.
+#AVOID_COMMIT_BEFORE_INSTALL=1
+
+# The high-level package manager that's being used.
+# (apt, pacman-g2, yum, zypper etc)
+HIGHLEVEL_PACKAGE_MANAGER=yaourt
+
+# The low-level package manager that's being used.
+# (dpkg, rpm, pacman, pacman-g2, etc)
+LOWLEVEL_PACKAGE_MANAGER=pacman
+
+# To push each commit to a remote, put the name of the remote here.
+# (eg, "origin" for git).
+PUSH_REMOTE="origin"
diff --git a/aufgabe2.4/journald.conf b/aufgabe2.4/journald.conf
new file mode 100644
index 0000000..233fe57
--- /dev/null
+++ b/aufgabe2.4/journald.conf
@@ -0,0 +1,33 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# See journald.conf(5) for details
+
+[Journal]
+#Storage=auto
+#Compress=yes
+#Seal=yes
+#SplitMode=login
+#SyncIntervalSec=5m
+#RateLimitInterval=30s
+#RateLimitBurst=1000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#MaxRetentionSec=
+#MaxFileSec=1month
+ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
diff --git a/aufgabe2.4/pacman b/aufgabe2.4/pacman
new file mode 100755
index 0000000..cbb9069
--- /dev/null
+++ b/aufgabe2.4/pacman
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [[ "$1" != -S && "$1" != -S*u && "$1" != -U ]]; then
+ /usr/bin/pacman "$@"
+ exit $?
+fi
+
+[[ $EUID -eq 0 ]] && etckeeper pre-install
+
+/usr/bin/pacman "$@"
+EXIT_CODE=$?
+
+[[ $EUID -eq 0 ]] && etckeeper post-install
+exit $EXIT_CODE
diff --git a/aufgabe2.4/yaourt b/aufgabe2.4/yaourt
new file mode 100755
index 0000000..11d75b9
--- /dev/null
+++ b/aufgabe2.4/yaourt
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+sudo etckeeper pre-install
+
+/usr/bin/yaourt "$@"
+EXIT_CODE=$?
+
+sudo etckeeper post-install
+exit $EXIT_CODE
diff --git a/aufgabe2.5/genders b/aufgabe2.5/genders
new file mode 100644
index 0000000..d5b543a
--- /dev/null
+++ b/aufgabe2.5/genders
@@ -0,0 +1,2 @@
+zotac0 headnode
+zotac[1-4] computenode
diff --git a/aufgabe2.5/pdsh b/aufgabe2.5/pdsh
new file mode 100755
index 0000000..61ae267
--- /dev/null
+++ b/aufgabe2.5/pdsh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+PDSH_RCMD_TYPE="`cat /etc/pdsh/rcmd_default`" /usr/bin/pdsh $@
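Review bot: The guard on `$1` only routes a bare `-S`, `-S…u` and `-U` through etckeeper, so `-Sy pkg`, `-Sw`, every removal (`-R`, `-Rs`, …) and the long forms `--sync`/`--remove`/`--upgrade` reach `/usr/bin/pacman` without a pre-/post-install commit even though they change /etc; `if [[ "$1" != -S* && "$1" != -R* && "$1" != -U* ]]; then` covers the short forms (at the cost of also wrapping read-only `-Ss`/`-Si` queries), and the long options still need their own arms. The exit status of `etckeeper pre-install` is discarded by the `&&` chain, so the "cancel the installation" behaviour that etckeeper.conf describes for AVOID_COMMIT_BEFORE_INSTALL — presumably signalled through pre-install's exit code — cannot stop the install here; `etckeeper pre-install || exit $?` preserves it. A header comment saying this wrapper is meant to shadow `/usr/bin/pacman` in PATH would make the intent explicit.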
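Review bot: `sudo etckeeper pre-install` runs on every invocation, including read-only ones such as `yaourt -Ss`, so unlike the pacman wrapper in this commit it prompts for sudo each time and, if the yaourt run is then aborted, leaves pre-install's side effects without the matching `post-install` — the cron.daily/etckeeper script in this commit skips its autocommit while `/var/cache/etckeeper/packagelist.pre-install` is less than a day old, assuming that is the file pre-install creates. Filtering on `$1` the way the pacman wrapper does and checking pre-install's result (`sudo etckeeper pre-install || exit $?`) would make the two wrappers behave consistently.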
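Review bot: `$@` is unquoted, so an argument containing whitespace — the usual `pdsh -w host 'cmd arg'` form — is re-split before it reaches `/usr/bin/pdsh`, and empty arguments are dropped; it must be `"$@"`. While touching the line, `$(…)` is the POSIX form of the backtick substitution and `exec` avoids leaving the wrapper shell around: `PDSH_RCMD_TYPE="$(cat /etc/pdsh/rcmd_default)" exec /usr/bin/pdsh "$@"`.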
diff --git a/aufgabe2.5/rcmd_default b/aufgabe2.5/rcmd_default
new file mode 100644
index 0000000..9ebb5ec
--- /dev/null
+++ b/aufgabe2.5/rcmd_default
@@ -0,0 +1 @@
+ssh
diff --git a/aufgabe2.6/munin-node.conf b/aufgabe2.6/munin-node.conf
new file mode 100644
index 0000000..67226f9
--- /dev/null
+++ b/aufgabe2.6/munin-node.conf
@@ -0,0 +1,64 @@
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+# global_timeout 900
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+# timeout 60
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name myhostname
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed. You
+# may repeat the allow line as many times as you'd like
+
+allow ^127\.0\.0\.1$
+allow ^10\.42\.0
+allow ^::1$
+
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns. A connecting client must
+# match any cidr_allow, and not match any cidr_deny. Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
+# cidr_allow 127.0.0.1/32
+# cidr_allow 192.0.2.0/24
+# cidr_deny 192.0.2.42/32
+
+# Which address to bind to;
+host *
+# host 127.0.0.1
+
+# And which port
+port 4949
diff --git a/aufgabe2.6/munin.conf b/aufgabe2.6/munin.conf
new file mode 100644
index 0000000..1fabdb3
--- /dev/null
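Review bot: `allow ^10\.42\.0` does not match the cluster addressing used elsewhere in this commit — the head node's LAN side is `10.20.0.1/24` (aufgabe2.2/headnode/internal) and munin.conf polls `10.20.0.101` — so if this file is deployed on the compute nodes, the munin master at 10.20.0.1 is refused by munin-node and only `127.0.0.1`/`::1` can ever connect. The intended line is presumably `allow ^10\.20\.0\.1$` (or `^10\.20\.0\.` for the whole LAN); note the existing pattern is also unanchored at the end, so it would admit any address beginning with those characters. `host *` binds the public interface as well and is only safe because iptables.rules in this commit does not open port 4949 from outside; a comment recording that dependency (`# reachable from the public side only if iptables.rules opens 4949`) would keep the two files from drifting apart.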
+++ b/aufgabe2.6/munin.conf 
@@ -0,0 +1,149 @@ +# Example configuration file for Munin, generated by 'make build' + +# The next three variables specifies where the location of the RRD +# databases, the HTML output, logs and the lock/pid files. They all +# must be writable by the user running munin-cron. They are all +# defaulted to the values you see here. +# +#dbdir /var/lib/munin +htmldir /usr/share/munin/www +#logdir /var/log/munin +#rundir /run/munin + +# Where to look for the HTML templates +# +#tmpldir /etc/munin/templates + +# Where to look for the static www files +# +#staticdir /etc/munin/static + +# temporary cgi files are here. note that it has to be writable by +# the cgi user (usually nobody or httpd). +# +# cgitmpdir /var/lib/munin/cgi-tmp + +# (Exactly one) directory to include all files from. +includedir /etc/munin/munin-conf.d + +# You can choose the time reference for "DERIVE" like graphs, and show +# "per minute", "per hour" values instead of the default "per second" +# +#graph_period second + +# Graphics files are generated either via cron or by a CGI process. +# See http://munin-monitoring.org/wiki/CgiHowto2 for more +# documentation. +# Since 2.0, munin-graph has been rewritten to use the cgi code. +# It is single threaded *by design* now. +# +graph_strategy cgi + +# munin-cgi-graph is invoked by the web server up to very many times at the +# same time. This is not optimal since it results in high CPU and memory +# consumption to the degree that the system can thrash. Again the default is +# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as +# max_graph_jobs. +# +#munin_cgi_graph_jobs 6 + +# If the automatic CGI url is wrong for your system override it here: +# +#cgiurl_graph /munin-cgi/munin-cgi-graph + +# max_size_x and max_size_y are the max size of images in pixel. +# Default is 4000. Do not make it too large otherwise RRD might use all +# RAM to generate the images. 
+# +#max_size_x 4000 +#max_size_y 4000 + +# HTML files are normally generated by munin-html, no matter if the +# files are used or not. You can change this to on-demand generation +# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2 +# +# Notes: +# - moving to CGI for HTML means you cannot have graph generated by cron. +# - cgi html has some bugs, mostly you still have to launch munin-html by hand +# +html_strategy cgi + +# munin-update runs in parallel. +# +# The default max number of processes is 16, and is probably ok for you. +# +# If set too high, it might hit some process/ram/filedesc limits. +# If set too low, munin-update might take more than 5 min. +# +# If you want munin-update to not be parallel set it to 0. +# +#max_processes 16 + +# RRD updates are per default, performed directly on the rrd files. +# To reduce IO and enable the use of the rrdcached, uncomment it and set it to +# the location of the socket that rrdcached uses. +# +#rrdcached_socket /var/run/rrdcached.sock + +# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime +# something changes (OK -> WARNING, CRITICAL -> OK, etc) +#contact.someuser.command mail -s "Munin notification" somejuser@fnord.comm +#contact.anotheruser.command mail -s "Munin notification" anotheruser@blibb.comm +# +# For those with Nagios, the following might come in handy. In addition, +# the services must be defined in the Nagios server as well. +#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf + +# a simple host tree +[zotac0] + address 127.0.0.1 + use_node_name yes + +[zotac1] + address 10.20.0.101 + use_node_name yes + +# +# A more complex example of a host tree +# +## First our "normal" host. +# [fii.foo.com] +# address foo +# +## Then our other host... +# [fay.foo.com] +# address fay +# +## IPv6 host. note that the ip adress has to be in brackets +# [ip6.foo.com] +# address [2001::1234:1] +# +## Then we want totals... 
+# [foo.com;Totals] #Force it into the "foo.com"-domain... +# update no # Turn off data-fetching for this "host". +# +# # The graph "load1". We want to see the loads of both machines... +# # "fii=fii.foo.com:load.load" means "label=machine:graph.field" +# load1.graph_title Loads side by side +# load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# +# # The graph "load2". Now we want them stacked on top of each other. +# load2.graph_title Loads on top of each other +# load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# load2.dummy_field.draw AREA # We want area instead the default LINE2. +# load2.dummy_field.label dummy # This is needed. Silly, really. +# +# # The graph "load3". Now we want them summarised into one field +# load3.graph_title Loads summarised +# load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load +# load3.combined_loads.label Combined loads # Must be set, as this is +# # not a dummy field! +# +## ...and on a side note, I want them listen in another order (default is +## alphabetically) +# +# # Since [foo.com] would be interpreted as a host in the domain "com", we +# # specify that this is a domain by adding a semicolon. +# [foo.com;] +# node_order Totals fii.foo.com fay.foo.com +# diff --git a/aufgabe2.6/nginx/fastcgi.conf b/aufgabe2.6/nginx/fastcgi.conf new file mode 100644 index 0000000..ac9ff92 --- /dev/null +++ b/aufgabe2.6/nginx/fastcgi.conf 
@@ -0,0 +1,25 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/aufgabe2.6/nginx/fastcgi_params b/aufgabe2.6/nginx/fastcgi_params
new file mode 100644
index 0000000..71e2c2e
--- /dev/null
+++ b/aufgabe2.6/nginx/fastcgi_params
@@ -0,0 +1,24 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/aufgabe2.6/nginx/mime.types b/aufgabe2.6/nginx/mime.types
new file mode 100644
index 0000000..8a218b2
--- /dev/null
+++ b/aufgabe2.6/nginx/mime.types
@@ -0,0 +1,80 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/x-javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/aufgabe2.6/nginx/nginx.conf b/aufgabe2.6/nginx/nginx.conf
new file mode 100644
index 0000000..c0d8949
--- /dev/null
+++ b/aufgabe2.6/nginx/nginx.conf
@@ -0,0 +1,59 @@
+
+user http;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_static on;
+ gzip_http_version 1.0;
+ gzip_comp_level 2;
+ gzip_vary on;
+ gzip_disable "msie6";
+ gzip_min_length 1100;
+ gzip_buffers 4 8k;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_types
+ # text/html is always compressed by HttpGzipModule
+ text/css
+ text/javascript
+ text/xml
+ text/plain
+ text/x-component
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ font/truetype
+ font/opentype
+ application/vnd.ms-fontobject
+ image/svg+xml;
+
+ server_tokens off;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ upstream backend {
+ server unix:/run/php-fpm/php-fpm.sock;
+ }
+ include sites/*.conf;
+}
diff --git a/aufgabe2.6/nginx/sites/default.conf b/aufgabe2.6/nginx/sites/default.conf
new file mode 100644
index 0000000..5500fdf
--- /dev/null
+++ b/aufgabe2.6/nginx/sites/default.conf
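Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` still offers SSLv3 and the `ssl_ciphers` list carries five `RC4-SHA` suites; both are broken and should not be negotiable, and although the `listen … 443 ssl` lines in sites/default.conf are commented out today, these http-level settings are inherited by every `server` that later turns TLS on. Change the line to `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and remove `ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:` and the trailing `:RC4-SHA` from `ssl_ciphers`; with `ssl_prefer_server_ciphers on` the remaining order is honoured. A comment above the block (`# TLS defaults inherited by every server in sites/*.conf`) would make that inheritance explicit.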
@@ -0,0 +1,27 @@
+server {
+ listen [::]:80;
+ listen 80;
+ #listen [::]:443 ssl;
+ #listen 443 ssl;
+
+ root /srv/http/lctp;
+
+ location ^~ /munin-cgi/munin-cgi-graph/ {
+ fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
+ include fastcgi_params;
+ }
+
+ location /munin/static/ {
+ alias /etc/munin/static/;
+ expires modified +1w;
+ }
+
+ location /munin/ {
+ fastcgi_split_path_info ^(/munin)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/munin/fcgi-html.sock;
+ include fastcgi_params;
+ }
+}
diff --git a/bericht/abschnitte/sv-dhcp_dns.tex b/bericht/abschnitte/sv-dhcp_dns.tex
new file mode 100644
index 0000000..e69de29
diff --git a/bericht/abschnitte/sv-filesystems.tex b/bericht/abschnitte/sv-filesystems.tex
new file mode 100644
index 0000000..0caf735
--- /dev/null
+++ b/bericht/abschnitte/sv-filesystems.tex
@@ -0,0 +1,3 @@
+%GlusterFS
+%- fdisk /dev/sda -> extended partition -> 50G partition
+%- mkfs.xfs -i size=512 /dev/sda5
diff --git a/bericht/abschnitte/sv-iptables.tex b/bericht/abschnitte/sv-iptables.tex
new file mode 100644
index 0000000..e69de29
diff --git a/bericht/abschnitte/sv-ldap.tex b/bericht/abschnitte/sv-ldap.tex
new file mode 100644
index 0000000..e69de29
diff --git a/bericht/abschnitte/sv-ntp.tex b/bericht/abschnitte/sv-ntp.tex
new file mode 100644
index 0000000..e69de29
diff --git a/bericht/abschnitte/sv.tex b/bericht/abschnitte/sv.tex
new file mode 100644
index 0000000..ea4c80b
--- /dev/null
+++ b/bericht/abschnitte/sv.tex
@@ -0,0 +1,9 @@
+\section{Verteilte Dateisysteme und Dienste}
+
+\input{abschnitte/sv-iptables}
+
+\input{abschnitte/sv-dhcp_dns}
+
+\input{abschnitte/sv-filesystems}
+
+\input{abschnitte/sv-filesystems}
diff --git a/bericht/bericht.tex b/bericht/bericht.tex
index 5a17b4b..b26ef45 100644
--- a/bericht/bericht.tex
+++ b/bericht/bericht.tex
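Review bot: The `/munin/` and `/munin-cgi/munin-cgi-graph/` locations are served over plain HTTP on port 80 with no access control, and iptables.rules in this commit admits port 80 from the whole 141.30.0.0/16 and 141.76.0.0/16 ranges, so every host on those networks can browse the cluster's metrics. Add an `auth_basic`/`auth_basic_user_file` pair or an `allow`/`deny` block to both FastCGI locations (the static location can stay open), and enable the commented `listen 443 ssl` lines once a certificate exists so that any credentials are not sent in clear. A comment on `root /srv/http/lctp;` saying what that directory is meant to serve would help, since none of the three locations use it and requests outside them fall back to it.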
@@ -36,6 +36,8 @@ \input{abschnitte/bs} +\input{abschnitte/sv} + \input{abschnitte/burnin} \input{abschnitte/anhang}