Init

2021-01-30 20:11:28 +09:00 · 2021-01-30 20:11:28 +09:00 · 3847f18792
commit 3847f18792
parent fa80d14dba
11 changed files with 536 additions and 1 deletions
--- a/files/haproxy.cfg
+++ b/files/haproxy.cfg
@ -0,0 +1,89 @@
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+        ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/haproxy/dhparam
+        ssl-dh-param-file /etc/haproxy/dhparam
+
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+frontend gitea-ssh
+        mode tcp
+        bind :22
+        bind :::22 v6only
+        default_backend gitea-ssh
+
+backend gitea-ssh
+        mode tcp
+        server gitea 127.0.0.1:2222 check send-proxy
+
+frontend default
+
+    bind :80
+    bind :::80 v6only
+    bind :443 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
+    bind :::443 v6only ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
+    
+    # HSTS (15768000 seconds = 6 months)
+    http-response set-header Strict-Transport-Security max-age=15768000
+    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
+
+    # Let's Encrypt
+    acl letsencrypt path_dir -i /.well-known/acme-challenge
+    use_backend localhost if letsencrypt 
+
+    # mo-f.fr
+    acl mof hdr_end(host) -i mo-f.fr
+    use_backend mof if mof
+
+    # play.benpro.fr
+    acl play hdr(host) -i play.benpro.fr
+    use_backend play if play
+
+    #default_backend             localhost
+
+backend localhost
+    option forwardfor
+    server localhost 127.0.0.1:8080 check send-proxy
+
+backend mof
+    # Benhind CloudFlare, X-Forwarded-For always setted, do not override
+    option forwardfor if-none
+    redirect scheme https if !{ ssl_fc }
+    server mof 127.0.0.1:8081 check
+
+backend play
+    option forwardfor
+    redirect scheme https if !{ ssl_fc }
+    server play 127.0.0.1:8096 check
--- a/files/lxd.yml
+++ b/files/lxd.yml
@ -0,0 +1,29 @@
+config: {}
+networks:
+- config:
+    ipv4.address: auto
+    ipv6.address: auto
+  description: ""
+  name: lxdbr0
+  type: ""
+  project: default
+storage_pools:
+- config:
+    source: local
+  description: ""
+  name: default
+  driver: zfs
+profiles:
+- config: {}
+  description: ""
+  devices:
+    eth0:
+      name: eth0
+      network: lxdbr0
+      type: nic
+    root:
+      path: /
+      pool: default
+      type: disk
+  name: default
+cluster: null
--- a/files/nginx.default
+++ b/files/nginx.default
@ -0,0 +1,53 @@
+server {
+        listen 127.0.0.1:8080 default_server proxy_protocol;
+        set_real_ip_from 127.0.0.1;
+        real_ip_header proxy_protocol;
+
+        # SSL configuration
+        #
+        # listen 443 ssl default_server;
+        # listen [::]:443 ssl default_server;
+        #
+        # Note: You should disable gzip for SSL traffic.
+        # See: https://bugs.debian.org/773332
+        #
+        # Read up on ssl_ciphers to ensure a secure configuration.
+        # See: https://bugs.debian.org/765782
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        # include snippets/snakeoil.conf;
+
+        root /var/www/html;
+
+        # Add index.php to the list if you are using PHP
+        index index.html index.htm index.nginx-debian.html;
+
+        server_name _;
+
+        location / {
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                try_files $uri $uri/ =404;
+        }
+
+        # pass PHP scripts to FastCGI server
+        #
+        #location ~ \.php$ {
+        #       include snippets/fastcgi-php.conf;
+        #
+        #       # With php-fpm (or other unix sockets):
+        #       fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+        #       # With php-cgi (or other tcp sockets):
+        #       fastcgi_pass 127.0.0.1:9000;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #       deny all;
+        #}
+}
+
--- a/files/ondemand.service
+++ b/files/ondemand.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Set the CPU Frequency Scaling governor
+ConditionVirtualization=no
+ConditionPathExists=/sys/devices/system/cpu/online
+# Don't run if we're going to start an Android LXC container on Ubuntu Touch
+ConditionPathExists=!/etc/init/lxc-android-config.conf
+
+[Service]
+Type=idle
+ExecStart=/lib/systemd/set-cpufreq-performance
+
+[Install]
+WantedBy=multi-user.target
+
--- a/files/set-cpufreq-performance
+++ b/files/set-cpufreq-performance
@ -0,0 +1,38 @@
+#! /bin/sh
+# Set the CPU Frequency Scaling governor to "performance"/"powersave" where available
+set -eu
+
+FIRSTCPU=`cut -f1 -d- /sys/devices/system/cpu/online`
+AVAILABLE="/sys/devices/system/cpu/cpu$FIRSTCPU/cpufreq/scaling_available_governors"
+DOWN_FACTOR="/sys/devices/system/cpu/cpufreq/performance/sampling_down_factor"
+
+[ -f $AVAILABLE ] || exit 0
+
+read governors < $AVAILABLE
+case $governors in
+        *performance*)
+                GOVERNOR="performance"
+                case $(uname -m) in
+                        ppc64*)
+                                SAMPLING=100
+                        ;;
+                esac
+                break
+                ;;
+        *)
+                exit 0
+                ;;
+esac
+
+[ -n "${GOVERNOR:-}" ] || exit 0
+
+echo "Setting $GOVERNOR scheduler for all CPUs"
+
+for CPUFREQ in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+do
+        [ -f $CPUFREQ ] || continue
+        echo -n $GOVERNOR > $CPUFREQ
+done
+if [ -n "${SAMPLING:-}" ] && [ -f $DOWN_FACTOR ]; then
+        echo -n $SAMPLING > $DOWN_FACTOR
+fi