neue Abschnitte für Teil 3

Jörg Thalheim 2013-11-13 15:48:57 +01:00
parent d54efc0358
commit 30eca44b33
31 changed files with 860 additions and 2 deletions

4
.gitmodules vendored

@ -1,5 +1,5 @@
[submodule "aufgabe4/gitolite-admin"]
path = aufgabe4/gitolite-admin
[submodule "aufgabe2.4/gitolite-admin"]
path = aufgabe2.4/gitolite-admin
url = git@141.76.90.104:gitolite-admin.git
[submodule "logs"]
path = logs


@ -0,0 +1,6 @@
Description='LAN Interface'
Interface=enp1s0
Connection=ethernet
IP=static
Address=('10.20.0.101/24')
Gateway='10.20.0.1'


@ -0,0 +1,17 @@
Description='LAN Interface'
Interface=eth1
Connection=ethernet
IP=static
Address=('10.20.0.1/24')
#Routes=('192.168.0.0/24 via 192.168.1.2')
#Gateway='141.76.90.1'
#DNS=('8.8.8.8')
## For IPv6 autoconfiguration
#IP6=stateless
## For IPv6 static address configuration
#IP6=static
#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
#Routes6=('abcd::1234')
#Gateway6='1234:0:123::abcd'


@ -0,0 +1,17 @@
Description='A basic static ethernet connection'
Interface=eth0
Connection=ethernet
IP=static
Address=('141.76.90.104/24')
#Routes=('192.168.0.0/24 via 192.168.1.2')
Gateway='141.76.90.1'
DNS=('8.8.8.8')
## For IPv6 autoconfiguration
#IP6=stateless
## For IPv6 static address configuration
#IP6=static
#Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')
#Routes6=('abcd::1234')
#Gateway6='1234:0:123::abcd'

9
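--- a/aufgabe2.3/deleteuser
+++ b/aufgabe2.3/deleteuser
@@ -0,0 +1,9 @@
+#!/bin/bash
+# check for arguments
+if [[ $# -ne 1 || -z "$1" ]]; then
+echo "USAGE: $0 username" 1>&2
+exit 1
+fi
+userdel -r "$1"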
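Review bot: `userdel -r "$1"` removes the local account, but the public key that the newuser script in this commit pushes to `keydir/$1@$HOSTNAME.pub` in gitolite-admin is never removed, so repository access outlives the account wherever a copy of the private key still exists. The script should also delete that keydir entry and push the change, mirroring the clone/commit/push steps in newuser. Two smaller gaps: there is no `$EUID` check as in newuser, and the name is passed without an option terminator; `userdel -r -- "$1"` keeps a value beginning with `-` from being parsed as an option.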

58
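--- a/aufgabe2.3/iptables.rules
+++ b/aufgabe2.3/iptables.rules
@@ -0,0 +1,58 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# allow established connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow traffic from private LAN
+-A INPUT -i eth1 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+# allow icmp
+-A INPUT -p icmp -j ACCEPT
+# allow loopback
+-A INPUT -i lo -j ACCEPT
+# uni subnets
+:uni - [0:0]
+-A INPUT -s 141.30.0.0/16 -j uni
+-A INPUT -s 141.76.0.0/16 -j uni
+# reject unknown traffic with nice errors
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+# ---------------------------------------------------------------
+# internal traffic
+#
+:internal - [0:0]
+-A uni -j internal
+-A internal -p tcp --dport 22 -j ACCEPT
+-A internal -p tcp --dport 80 -j ACCEPT
+-A internal -p tcp --dport 443 -j ACCEPT
+# ---------------------------------------------------------------
+# public traffic
+:public - [0:0]
+-A INPUT -j public
+# ---------------------------------------------------------------
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# masquerading
+-A POSTROUTING -o eth0 -j MASQUERADE
+COMMIT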
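Review bot: `-A INPUT -j public` is appended after the three terminal `REJECT` rules, so no packet can reach the `public` chain; it is empty today, but any rule added to it later will silently have no effect. Move the jump above the `# reject unknown traffic with nice errors` block, directly after the two `-j uni` lines. The ruleset also covers IPv4 only, so if IPv6 is ever enabled on eth0 a matching ip6tables ruleset is needed for the same default-deny posture. As a style point, `-m state --state RELATED,ESTABLISHED` can be written as `-m conntrack --ctstate RELATED,ESTABLISHED`.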

48
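--- a/aufgabe2.3/newuser
+++ b/aufgabe2.3/newuser
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+# check for root
+if [[ $EUID -ne 0 ]]; then
+echo "This script must be run as root" 1>&2
+exit 1
+fi
+# check for arguments
+if [[ $# -ne 1 ]]; then
+echo "USAGE: $0 username" 1>&2
+exit 1
+fi
+# check if user already exists
+if ! id "$1" &> /dev/null; then
+echo "Adding user..."
+useradd --base-dir /home --create-home "$1"
+fi
+# check if SSH key for user already exists
+if [[ ! -f "/home/$1/.ssh/id_ecdsa" ]]; then
+echo "Generating SSH key for user..."
+sudo --user "$1" ssh-keygen -t ecdsa -N "" -b 521 -f "/home/$1/.ssh/id_ecdsa" > /dev/null
+fi
+# check if SSH key is already added to list of authorized keys
+sudo -u "$1" touch /home/$1/.ssh/authorized_keys
+if ! grep -q "`cat /home/$1/.ssh/id_ecdsa.pub`" /home/$1/.ssh/authorized_keys; then
+echo "Adding SSH key to list of authorized keys for user..."
+cat "/home/$1/.ssh/id_ecdsa.pub" | sudo --user "$1" tee "/home/$1/.ssh/authorized_keys" > /dev/null
+fi
+export DIR="`mktemp -d`"
+trap "cd /; rm -rf $DIR" EXIT
+cd "$DIR"
+export GIT_AUTHOR_NAME=$SUDO_USER
+git clone "git@zotac0:gitolite-admin" "$DIR" > /dev/null
+# check if SSH key is already registered with git
+if [[ ! -f "$DIR/keydir/$1@$HOSTNAME.pub" ]]; then
+echo "Adding SSH key to git..."
+cp "/home/$1/.ssh/id_ecdsa.pub" "$DIR/keydir/$1@$HOSTNAME.pub"
+git add "$DIR/keydir/$1@$HOSTNAME.pub"
+git commit --all --message="User \"$1\" added" > /dev/null
+git push > /dev/null
+fi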
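Review bot: The `tee` on the authorized_keys line truncates the file, so running the script for an existing account that already has other keys authorized replaces all of them with the generated key; use `tee -a`. The check before it passes the key text to grep as a regular expression and leaves the paths unquoted; `grep -qxFf "/home/$1/.ssh/id_ecdsa.pub" "/home/$1/.ssh/authorized_keys"` compares it as a fixed whole line. `$1` is also used unvalidated in paths under /home and in the keydir file name, because the `id "$1"` branch skips useradd's name checks when the lookup succeeds (and `id` may accept numeric IDs). Reject anything outside a strict username pattern right after the argument count check, for example `[[ "$1" =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1`.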

130
aufgabe2.3/sshd_config Normal file

@ -0,0 +1,130 @@
# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner /etc/motd
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

20
aufgabe2.4/cron.daily/etckeeper Executable file

@ -0,0 +1,20 @@
#!/bin/sh
set -e
if [ -x /usr/bin/etckeeper ] && [ -e /etc/etckeeper/etckeeper.conf ]; then
. /etc/etckeeper/etckeeper.conf
if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then
# avoid autocommit if an install run is in progress
lockfile=/var/cache/etckeeper/packagelist.pre-install
if [ -e "$lockfile" ] && [ -n "$(find "$lockfile" -mtime +1)" ];
then
rm -f "$lockfile" # stale
fi
if [ ! -e "$lockfile" ]; then
AVOID_SPECIAL_FILE_WARNING=1
export AVOID_SPECIAL_FILE_WARNING
if etckeeper unclean; then
etckeeper commit "daily autocommit" >/dev/null
fi
fi
fi
fi


@ -0,0 +1,7 @@
#!/bin/bash
set -e
cd /var/log
find . -iname \*.log | xargs git add
git commit --all --message "daily autocommit"
git push --force origin master:logs
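Review bot: `git push --force origin master:logs` lets this host rewrite the remote `logs` branch, so a compromised or misbehaving machine can erase the history that the off-host copy is meant to preserve; push without `--force` and deny rewinds for that ref on the gitolite side. `find . -iname \*.log | xargs git add` splits file names on whitespace; `find . -iname '*.log' -print0 | xargs -0 -r git add --` handles arbitrary names and an empty result. Under `set -e`, a day with nothing to commit makes `git commit` exit non-zero, so the job stops before the push and cron reports a failure. The logs may carry sensitive data, so read access to the `logs` branch should be limited to administrators.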

42
aufgabe2.4/etckeeper.conf Normal file

@ -0,0 +1,42 @@
# The VCS to use.
#VCS="hg"
VCS="git"
#VCS="bzr"
#VCS="darcs"
# Options passed to git commit when run by etckeeper.
GIT_COMMIT_OPTIONS=""
# Options passed to hg commit when run by etckeeper.
HG_COMMIT_OPTIONS=""
# Options passed to bzr commit when run by etckeeper.
BZR_COMMIT_OPTIONS=""
# Options passed to darcs record when run by etckeeper.
DARCS_COMMIT_OPTIONS="-a"
# Uncomment to avoid etckeeper committing existing changes
# to /etc automatically once per day.
#AVOID_DAILY_AUTOCOMMITS=1
# Uncomment the following to avoid special file warning
# (the option is enabled automatically by cronjob regardless).
#AVOID_SPECIAL_FILE_WARNING=1
# Uncomment to avoid etckeeper committing existing changes to
# /etc before installation. It will cancel the installation,
# so you can commit the changes by hand.
#AVOID_COMMIT_BEFORE_INSTALL=1
# The high-level package manager that's being used.
# (apt, pacman-g2, yum, zypper etc)
HIGHLEVEL_PACKAGE_MANAGER=yaourt
# The low-level package manager that's being used.
# (dpkg, rpm, pacman, pacman-g2, etc)
LOWLEVEL_PACKAGE_MANAGER=pacman
# To push each commit to a remote, put the name of the remote here.
# (eg, "origin" for git).
PUSH_REMOTE="origin"
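Review bot: `PUSH_REMOTE="origin"` makes every etckeeper commit push the /etc history off the host, and unless they are listed in /etc/.gitignore that history includes files such as /etc/shadow and the SSH host private keys. Confirm that the remote repository is readable only by administrators, or exclude the secret-bearing files before the first push, since removing them from already-pushed history is difficult. A comment above the setting naming the remote and who may read it would help the next maintainer.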

33
aufgabe2.4/journald.conf Normal file

@ -0,0 +1,33 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# See journald.conf(5) for details
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=login
#SyncIntervalSec=5m
#RateLimitInterval=30s
#RateLimitBurst=1000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#MaxRetentionSec=
#MaxFileSec=1month
ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info

14
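--- a/aufgabe2.4/pacman
+++ b/aufgabe2.4/pacman
@@ -0,0 +1,14 @@
+#!/bin/bash
+if [[ "$1" != -S && "$1" != -S*u && "$1" != -U ]]; then
+/usr/bin/pacman "$@"
+exit $?
+fi
+[[ $EUID -eq 0 ]] && etckeeper pre-install
+/usr/bin/pacman "$@"
+EXIT_CODE=$?
+[[ $EUID -eq 0 ]] && etckeeper post-install
+exit $EXIT_CODE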
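Review bot: The pattern test looks only at `$1` and only for `-S`, `-S*u` and `-U`, so forms such as `-Sy pkg`, `-R`, `--sync` or an option placed before the operation bypass the etckeeper hooks, and /etc changes from those runs stay unrecorded until the daily autocommit. The exit status of `etckeeper pre-install` is also ignored, so with `AVOID_COMMIT_BEFORE_INSTALL=1` (present but commented out in this commit's etckeeper.conf) the installation would not be cancelled as that file's comment describes. `if [[ $EUID -eq 0 ]]; then etckeeper pre-install || exit $?; fi` would honour it. The wrapper only takes effect where its directory precedes /usr/bin in PATH, which is worth stating in a header comment.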

9
aufgabe2.4/yaourt Executable file

@ -0,0 +1,9 @@
#!/bin/bash
sudo etckeeper pre-install
/usr/bin/yaourt "$@"
EXIT_CODE=$?
sudo etckeeper post-install
exit $EXIT_CODE

2
aufgabe2.5/genders Normal file

@ -0,0 +1,2 @@
zotac0 headnode
zotac[1-4] computenode

3
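--- a/aufgabe2.5/pdsh
+++ b/aufgabe2.5/pdsh
@@ -0,0 +1,3 @@
+#!/bin/sh
+PDSH_RCMD_TYPE="`cat /etc/pdsh/rcmd_default`" /usr/bin/pdsh $@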
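Review bot: `$@` is unquoted, so each argument is word-split and glob-expanded on the local machine before pdsh sees it. A quoted remote command such as `'ls *.log'` is expanded against the caller's current directory, and a host list containing spaces is broken apart. Change the call to `/usr/bin/pdsh "$@"`. If /etc/pdsh/rcmd_default is missing, `PDSH_RCMD_TYPE` is set to an empty string; a one-line comment saying what pdsh falls back to in that case would be useful.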

1
aufgabe2.5/rcmd_default Normal file

@ -0,0 +1 @@
ssh


@ -0,0 +1,64 @@
#
# Example config-file for munin-node
#
log_level 4
log_file /var/log/munin/munin-node.log
pid_file /run/munin/munin-node.pid
background 1
setsid 1
user root
group root
# This is the timeout for the whole transaction.
# Units are in sec. Default is 15 min
#
# global_timeout 900
# This is the timeout for each plugin.
# Units are in sec. Default is 1 min
#
# timeout 60
# Regexps for files to ignore
ignore_file [\#~]$
ignore_file DEADJOE$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$
# Set this if the client doesn't report the correct hostname when
# telnetting to localhost, port 4949
#
#host_name myhostname
# A list of addresses that are allowed to connect. This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^127\.0\.0\.1$
allow ^10\.42\.0
allow ^::1$
# If you have installed the Net::CIDR perl module, you can use one or more
# cidr_allow and cidr_deny address/mask patterns. A connecting client must
# match any cidr_allow, and not match any cidr_deny. Note that a netmask
# *must* be provided, even if it's /32
#
# Example:
#
# cidr_allow 127.0.0.1/32
# cidr_allow 192.0.2.0/24
# cidr_deny 192.0.2.42/32
# Which address to bind to;
host *
# host 127.0.0.1
# And which port
port 4949
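Review bot: `allow ^10\.42\.0` does not match the 10.20.0.0/24 addressing used by the netctl profiles and munin.conf in this same commit, so a master polling from the head node's LAN address (presumably 10.20.0.1) would be refused while an unrelated network is admitted. If the head node is the only master, `allow ^10\.20\.0\.1$` next to the existing loopback entries expresses that. The node also runs with `user root` and `host *`, so on machines without the head node's firewall it listens on every interface; binding to the LAN address narrows that exposure.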

149
aufgabe2.6/munin.conf Normal file

@ -0,0 +1,149 @@
# Example configuration file for Munin, generated by 'make build'
# The next three variables specifies where the location of the RRD
# databases, the HTML output, logs and the lock/pid files. They all
# must be writable by the user running munin-cron. They are all
# defaulted to the values you see here.
#
#dbdir /var/lib/munin
htmldir /usr/share/munin/www
#logdir /var/log/munin
#rundir /run/munin
# Where to look for the HTML templates
#
#tmpldir /etc/munin/templates
# Where to look for the static www files
#
#staticdir /etc/munin/static
# temporary cgi files are here. note that it has to be writable by
# the cgi user (usually nobody or httpd).
#
# cgitmpdir /var/lib/munin/cgi-tmp
# (Exactly one) directory to include all files from.
includedir /etc/munin/munin-conf.d
# You can choose the time reference for "DERIVE" like graphs, and show
# "per minute", "per hour" values instead of the default "per second"
#
#graph_period second
# Graphics files are generated either via cron or by a CGI process.
# See http://munin-monitoring.org/wiki/CgiHowto2 for more
# documentation.
# Since 2.0, munin-graph has been rewritten to use the cgi code.
# It is single threaded *by design* now.
#
graph_strategy cgi
# munin-cgi-graph is invoked by the web server up to very many times at the
# same time. This is not optimal since it results in high CPU and memory
# consumption to the degree that the system can thrash. Again the default is
# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as
# max_graph_jobs.
#
#munin_cgi_graph_jobs 6
# If the automatic CGI url is wrong for your system override it here:
#
#cgiurl_graph /munin-cgi/munin-cgi-graph
# max_size_x and max_size_y are the max size of images in pixel.
# Default is 4000. Do not make it too large otherwise RRD might use all
# RAM to generate the images.
#
#max_size_x 4000
#max_size_y 4000
# HTML files are normally generated by munin-html, no matter if the
# files are used or not. You can change this to on-demand generation
# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2
#
# Notes:
# - moving to CGI for HTML means you cannot have graph generated by cron.
# - cgi html has some bugs, mostly you still have to launch munin-html by hand
#
html_strategy cgi
# munin-update runs in parallel.
#
# The default max number of processes is 16, and is probably ok for you.
#
# If set too high, it might hit some process/ram/filedesc limits.
# If set too low, munin-update might take more than 5 min.
#
# If you want munin-update to not be parallel set it to 0.
#
#max_processes 16
# RRD updates are per default, performed directly on the rrd files.
# To reduce IO and enable the use of the rrdcached, uncomment it and set it to
# the location of the socket that rrdcached uses.
#
#rrdcached_socket /var/run/rrdcached.sock
# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime
# something changes (OK -> WARNING, CRITICAL -> OK, etc)
#contact.someuser.command mail -s "Munin notification" somejuser@fnord.comm
#contact.anotheruser.command mail -s "Munin notification" anotheruser@blibb.comm
#
# For those with Nagios, the following might come in handy. In addition,
# the services must be defined in the Nagios server as well.
#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
# a simple host tree
[zotac0]
address 127.0.0.1
use_node_name yes
[zotac1]
address 10.20.0.101
use_node_name yes
#
# A more complex example of a host tree
#
## First our "normal" host.
# [fii.foo.com]
# address foo
#
## Then our other host...
# [fay.foo.com]
# address fay
#
## IPv6 host. note that the ip adress has to be in brackets
# [ip6.foo.com]
# address [2001::1234:1]
#
## Then we want totals...
# [foo.com;Totals] #Force it into the "foo.com"-domain...
# update no # Turn off data-fetching for this "host".
#
# # The graph "load1". We want to see the loads of both machines...
# # "fii=fii.foo.com:load.load" means "label=machine:graph.field"
# load1.graph_title Loads side by side
# load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load
#
# # The graph "load2". Now we want them stacked on top of each other.
# load2.graph_title Loads on top of each other
# load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load
# load2.dummy_field.draw AREA # We want area instead the default LINE2.
# load2.dummy_field.label dummy # This is needed. Silly, really.
#
# # The graph "load3". Now we want them summarised into one field
# load3.graph_title Loads summarised
# load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load
# load3.combined_loads.label Combined loads # Must be set, as this is
# # not a dummy field!
#
## ...and on a side note, I want them listen in another order (default is
## alphabetically)
#
# # Since [foo.com] would be interpreted as a host in the domain "com", we
# # specify that this is a domain by adding a semicolon.
# [foo.com;]
# node_order Totals fii.foo.com fay.foo.com
#


@ -0,0 +1,25 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -0,0 +1,24 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -0,0 +1,80 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/x-javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/java-archive jar war ear;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream eot;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}


@ -0,0 +1,59 @@
user http;
worker_processes 1;
error_log /var/log/nginx/error.log;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_static on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_vary on;
gzip_disable "msie6";
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_proxied expired no-cache no-store private auth;
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
server_tokens off;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
ssl_session_cache builtin:1000 shared:SSL:10m;
upstream backend {
server unix:/run/php-fpm/php-fpm.sock;
}
include sites/*.conf;
}
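Review bot: `ssl_protocols` enables SSLv3 and the `ssl_ciphers` list contains several RC4 suites (`ECDHE-ECDSA-RC4-SHA` through `RC4-SHA`); both are broken and should not be offered. The TLS listeners are still commented out in the site file of this commit, so nothing negotiates these yet, but the settings sit in the `http` block and apply to every server as soon as one is enabled. Restrict the protocol line to `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the installed nginx and OpenSSL support it) and delete the RC4 entries from the cipher list.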


@ -0,0 +1,27 @@
server {
listen [::]:80;
listen 80;
#listen [::]:443 ssl;
#listen 443 ssl;
root /srv/http/lctp;
location ^~ /munin-cgi/munin-cgi-graph/ {
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
include fastcgi_params;
}
location /munin/static/ {
alias /etc/munin/static/;
expires modified +1w;
}
location /munin/ {
fastcgi_split_path_info ^(/munin)(.*);
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/munin/fcgi-html.sock;
include fastcgi_params;
}
}
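Review bot: Both munin locations and the `munin-cgi-graph` endpoint are served with no `allow`/`deny` or `auth_basic`, so anyone who can reach port 80 can browse host inventory and metrics; per the iptables rules in this commit, that is both university /16 networks. Such a client can also trigger graph rendering, which the munin.conf comments in this commit describe as CPU- and memory-heavy. Add an access restriction in the `server` block or on the three locations, for example `allow 10.20.0.0/24; deny all;`, or basic authentication. The `listen ... ssl` lines are commented out, so any credentials would travel in clear text until TLS is enabled.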


@ -0,0 +1,3 @@
%GlusterFS
%- fdisk /dev/sda -> extended partition -> 50G partition
%- mkfs.xfs -i size=512 /dev/sda5


@ -0,0 +1,9 @@
\section{Verteilte Dateisysteme und Dienste}
\input{abschnitte/sv-iptables}
\input{abschnitte/sv-dhcp_dns}
\input{abschnitte/sv-filesystems}
\input{abschnitte/sv-filesystems}


@ -36,6 +36,8 @@
\input{abschnitte/bs}
\input{abschnitte/sv}
\input{abschnitte/burnin}
\input{abschnitte/anhang}