From: Frank Brehm
Date: Tue, 18 Jul 2017 10:36:00 +0000 (+0200)
Subject: Aktueller Stand nach Upgrade auf Stretch
X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=27a7eac621919f829d5aa3dea7226c57aaff27f9;p=config%2Fns2%2Fetc.git
Aktueller Stand nach Upgrade auf Stretch
---
diff --git a/NetworkManager/dispatcher.d/20-chrony b/NetworkManager/dispatcher.d/20-chrony
new file mode 100755
index 0000000..084aed6
--- /dev/null
+++ b/NetworkManager/dispatcher.d/20-chrony
@@ -0,0 +1,17 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher script for chronyd to set its NTP sources
+# online/offline when a default route is configured/removed on the system.
+
+export LC_ALL=C
+
+if [ "$2" = "up" ]; then
+ /sbin/ip route list dev "$1" | grep -q '^default' &&
+ /usr/bin/chronyc online > /dev/null 2>&1
+fi
+
+if [ "$2" = "down" ]; then
+ /sbin/ip route list | grep -q '^default' ||
+ /usr/bin/chronyc offline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/X11/Xsession.d/90gpg-agent b/X11/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..8b45b05
--- /dev/null
+++ b/X11/Xsession.d/90gpg-agent
@@ -0,0 +1,22 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)). This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs agent-socket)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+fi
+
diff --git a/aliases.db b/aliases.db
index 20cbdfe..9613072 100644
Binary files a/aliases.db and b/aliases.db differ
diff --git a/alternatives/Mail b/alternatives/Mail
deleted file mode 120000
index 3d47966..0000000
--- a/alternatives/Mail
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/heirloom-mailx
\ No newline at end of file
diff --git a/alternatives/Mail.1.gz b/alternatives/Mail.1.gz
deleted file mode 120000
index 1917ecf..0000000
--- a/alternatives/Mail.1.gz
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
diff --git a/alternatives/dotlock b/alternatives/dotlock
new file mode 120000
index 0000000..423e888
--- /dev/null
+++ b/alternatives/dotlock
@@ -0,0 +1 @@
+/usr/bin/dotlock.mailutils
\ No newline at end of file
diff --git a/alternatives/dotlock.1.gz b/alternatives/dotlock.1.gz
new file mode 120000
index 0000000..48fb595
--- /dev/null
+++ b/alternatives/dotlock.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/dotlock.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/frm b/alternatives/frm
new file mode 120000
index 0000000..def5353
--- /dev/null
+++ b/alternatives/frm
@@ -0,0 +1 @@
+/usr/bin/frm.mailutils
\ No newline at end of file
diff --git a/alternatives/frm.1.gz b/alternatives/frm.1.gz
new file mode 120000
index 0000000..ec4c491
--- /dev/null
+++ b/alternatives/frm.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/frm.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/from b/alternatives/from
index 3ee6643..f4e6cdc 120000
--- a/alternatives/from
+++ b/alternatives/from
@@ -1 +1 @@
-/usr/bin/bsd-from
\ No newline at end of file
+/usr/bin/from.mailutils
\ No newline at end of file
diff --git a/alternatives/from.1.gz b/alternatives/from.1.gz
index 9c0d8d3..d20001a 120000
--- a/alternatives/from.1.gz
+++ b/alternatives/from.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/bsd-from.1.gz
\ No newline at end of file
+/usr/share/man/man1/from.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/mail b/alternatives/mail
index 3d47966..e4c7643 120000
--- a/alternatives/mail
+++ b/alternatives/mail
@@ -1 +1 @@
-/usr/bin/heirloom-mailx
\ No newline at end of file
+/usr/bin/mail.mailutils
\ No newline at end of file
diff --git a/alternatives/mail.1.gz b/alternatives/mail.1.gz
index 1917ecf..b8055c8 120000
--- a/alternatives/mail.1.gz
+++ b/alternatives/mail.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
+/usr/share/man/man1/mail.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/mailx b/alternatives/mailx
index 3d47966..e4c7643 120000
--- a/alternatives/mailx
+++ b/alternatives/mailx
@@ -1 +1 @@
-/usr/bin/heirloom-mailx
\ No newline at end of file
+/usr/bin/mail.mailutils
\ No newline at end of file
diff --git a/alternatives/mailx.1.gz b/alternatives/mailx.1.gz
index 1917ecf..b8055c8 120000
--- a/alternatives/mailx.1.gz
+++ b/alternatives/mailx.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
+/usr/share/man/man1/mail.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/messages b/alternatives/messages
new file mode 120000
index 0000000..e66edd3
--- /dev/null
+++ b/alternatives/messages
@@ -0,0 +1 @@
+/usr/bin/messages.mailutils
\ No newline at end of file
diff --git a/alternatives/messages.1.gz b/alternatives/messages.1.gz
new file mode 120000
index 0000000..8884760
--- /dev/null
+++ b/alternatives/messages.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/messages.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/movemail b/alternatives/movemail
new file mode 120000
index 0000000..8d4efb3
--- /dev/null
+++ b/alternatives/movemail
@@ -0,0 +1 @@
+/usr/bin/movemail.mailutils
\ No newline at end of file
diff --git a/alternatives/movemail.1.gz b/alternatives/movemail.1.gz
new file mode 120000
index 0000000..32b3520
--- /dev/null
+++ b/alternatives/movemail.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/movemail.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/my.cnf b/alternatives/my.cnf
new file mode 120000
index 0000000..d16fc1d
--- /dev/null
+++ b/alternatives/my.cnf
@@ -0,0 +1 @@
+/etc/mysql/my.cnf.fallback
\ No newline at end of file
diff --git a/alternatives/netrc.5.gz b/alternatives/netrc.5.gz
new file mode 120000
index 0000000..5702a2c
--- /dev/null
+++ b/alternatives/netrc.5.gz
@@ -0,0 +1 @@
+/usr/share/man/man5/netkit-netrc.5.gz
\ No newline at end of file
diff --git a/alternatives/pftp b/alternatives/pftp
new file mode 120000
index 0000000..f0ae93f
--- /dev/null
+++ b/alternatives/pftp
@@ -0,0 +1 @@
+/usr/bin/netkit-ftp
\ No newline at end of file
diff --git a/alternatives/pftp.1.gz b/alternatives/pftp.1.gz
new file mode 120000
index 0000000..5b3a00b
--- /dev/null
+++ b/alternatives/pftp.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/netkit-ftp.1.gz
\ No newline at end of file
diff --git a/alternatives/pinentry b/alternatives/pinentry
new file mode 120000
index 0000000..01990a3
--- /dev/null
+++ b/alternatives/pinentry
@@ -0,0 +1 @@
+/usr/bin/pinentry-curses
\ No newline at end of file
diff --git a/alternatives/pinentry.1.gz b/alternatives/pinentry.1.gz
new file mode 120000
index 0000000..8e9ab4f
--- /dev/null
+++ b/alternatives/pinentry.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/pinentry-curses.1.gz
\ No newline at end of file
diff --git a/alternatives/readmsg b/alternatives/readmsg
new file mode 120000
index 0000000..99bcf73
--- /dev/null
+++ b/alternatives/readmsg
@@ -0,0 +1 @@
+/usr/bin/readmsg.mailutils
\ No newline at end of file
diff --git a/alternatives/readmsg.1.gz b/alternatives/readmsg.1.gz
new file mode 120000
index 0000000..322d3a6
--- /dev/null
+++ b/alternatives/readmsg.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/readmsg.mailutils.1.gz
\ No newline at end of file
diff --git a/alternatives/rzsh b/alternatives/rzsh
deleted file mode 120000
index 3b005e7..0000000
--- a/alternatives/rzsh
+++ /dev/null
@@ -1 +0,0 @@
-/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/rzsh.1.gz b/alternatives/rzsh.1.gz
deleted file mode 120000
index 15dffb2..0000000
--- a/alternatives/rzsh.1.gz
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/man/man1/zsh.1.gz
\ No newline at end of file
diff --git a/alternatives/updatedb.8.gz b/alternatives/updatedb.8.gz
new file mode 120000
index 0000000..d48060b
--- /dev/null
+++ b/alternatives/updatedb.8.gz
@@ -0,0 +1 @@
+/usr/share/man/man8/updatedb.mlocate.8.gz
\ No newline at end of file
diff --git a/alternatives/zsh b/alternatives/zsh
deleted file mode 120000
index 3b005e7..0000000
--- a/alternatives/zsh
+++ /dev/null
@@ -1 +0,0 @@
-/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/zsh-usrbin b/alternatives/zsh-usrbin
deleted file mode 120000
index 3b005e7..0000000
--- a/alternatives/zsh-usrbin
+++ /dev/null
@@ -1 +0,0 @@
-/bin/zsh5
\ No newline at end of file
diff --git a/apache2/apache2.conf b/apache2/apache2.conf index baf6d8a..ae4b2c3 100644 --- a/apache2/apache2.conf +++ b/apache2/apache2.conf @@ -71,7 +71,13 @@ # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # -Mutex file:${APACHE_LOCK_DIR} default +#Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} # # PidFile: The file in which the server should record its process diff --git a/apache2/conf-available/custom-log.conf b/apache2/conf-available/custom-log.conf old mode 100755 new mode 100644 diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf index 599333b..f9f69d4 100644 --- a/apache2/conf-available/security.conf +++ b/apache2/conf-available/security.conf @@ -7,8 +7,7 @@ # # # AllowOverride None -# Order Deny,Allow -# Deny from all +# Require all denied # diff --git a/apache2/envvars b/apache2/envvars index 91328ac..708d170 100644 --- a/apache2/envvars +++ b/apache2/envvars @@ -16,7 +16,7 @@ fi export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data # temporary state file location. This might be changed to /run in Wheezy+1 -export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid +export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid export APACHE_RUN_DIR=/var/run/apache2$SUFFIX export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. diff --git a/apache2/info_users_passwd b/apache2/info_users_passwd new file mode 100644 index 0000000..a9cf5ab --- /dev/null +++ b/apache2/info_users_passwd @@ -0,0 +1,3 @@ +monitoring:$apr1$rq/i6DzS$Qk6YAABQSeIgXe5Z0cc7K0 +uhu:$apr1$cFagqyiq$T2azAWwszStOUz/mmfONd/ +frank:$apr1$q0RMdmRi$5egjyB4c32Ts/swS3hkuN0 diff --git a/apache2/mods-available/cern_meta.load b/apache2/mods-available/cern_meta.load new file mode 100644 index 0000000..bcc7546 --- /dev/null +++ b/apache2/mods-available/cern_meta.load 
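Review bot: The three `$apr1$` entries added in `apache2/info_users_passwd` put password hashes for the accounts `monitoring`, `uhu` and `frank` into the repository history, tracked as an ordinary 100644 file. `$apr1$` is Apache's MD5-based scheme and is cheap to test offline, so anyone who can read this history should be assumed able to recover weak passwords; the X-Git-Url header suggests the repository is served through a web front end, which would widen that audience. I would rotate these passwords, regenerate the entries with bcrypt (`htpasswd -B`), and keep the file out of version control with an ignore entry for `apache2/info_users_passwd`. On disk the file should be readable only by root and the Apache group, since git does not record permissions tighter than the executable bit.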
@@ -0,0 +1 @@ +LoadModule cern_meta_module /usr/lib/apache2/modules/mod_cern_meta.so diff --git a/apache2/mods-available/http2.load b/apache2/mods-available/http2.load new file mode 100644 index 0000000..e5c769f --- /dev/null +++ b/apache2/mods-available/http2.load @@ -0,0 +1 @@ +LoadModule http2_module /usr/lib/apache2/modules/mod_http2.so diff --git a/apache2/mods-available/imagemap.load b/apache2/mods-available/imagemap.load new file mode 100644 index 0000000..0fd55f8 --- /dev/null +++ b/apache2/mods-available/imagemap.load @@ -0,0 +1 @@ +LoadModule imagemap_module /usr/lib/apache2/modules/mod_imagemap.so diff --git a/apache2/mods-available/info.conf b/apache2/mods-available/info.conf index 78a0649..b3e5f59 100644 --- a/apache2/mods-available/info.conf +++ b/apache2/mods-available/info.conf @@ -2,12 +2,17 @@ # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). - # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. # SetHandler server-info - Require local - #Require ip 192.0.2.0/24 + AuthName "Server Status Access" + AuthType Basic + AuthBasicProvider file + AuthUserFile /etc/apache2/info_users_passwd + + Require local + Require valid-user + diff --git a/apache2/mods-available/proxy_hcheck.load b/apache2/mods-available/proxy_hcheck.load new file mode 100644 index 0000000..b70f421 --- /dev/null +++ b/apache2/mods-available/proxy_hcheck.load @@ -0,0 +1,2 @@ +# Depends: proxy +LoadModule proxy_hcheck_module /usr/lib/apache2/modules/mod_proxy_hcheck.so diff --git a/apache2/mods-available/proxy_html.load b/apache2/mods-available/proxy_html.load index d8b248e..50f1a2c 100644 --- a/apache2/mods-available/proxy_html.load +++ b/apache2/mods-available/proxy_html.load @@ -1,2 +1,2 @@ -# Depends: proxy +# Depends: proxy xml2enc LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so 
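Review bot: The Basic-auth block added to `mods-available/info.conf` (and repeated in the `status.conf` hunk further down) does not tie `Require valid-user` to an encrypted connection, so the passwords checked against `info_users_passwd` can cross the network merely base64-encoded on plain HTTP. The enclosing container tags are not visible in this rendering, so I cannot see how `Require local` and `Require valid-user` are combined; if they are siblings, Apache 2.4 evaluates them as any-of, which means every non-local client is offered a password prompt for the configuration and status reports. I would group the password path with `Require ssl` as sketched below, listing `Require ssl` first, and then confirm that a plain-HTTP request from a remote address is refused rather than challenged.

```apache
# … unchanged: SetHandler, AuthName, AuthType, AuthBasicProvider, AuthUserFile …
<RequireAny>
    Require local
    <RequireAll>
        Require ssl
        Require valid-user
    </RequireAll>
</RequireAny>
```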
diff --git a/apache2/mods-available/proxy_http2.load b/apache2/mods-available/proxy_http2.load new file mode 100644 index 0000000..b251d0c --- /dev/null +++ b/apache2/mods-available/proxy_http2.load @@ -0,0 +1,2 @@ +# Depends: proxy http2 +LoadModule proxy_http2_module /usr/lib/apache2/modules/mod_proxy_http2.so diff --git a/apache2/mods-available/status.conf b/apache2/mods-available/status.conf index 5f53ba7..b61bb58 100644 --- a/apache2/mods-available/status.conf +++ b/apache2/mods-available/status.conf @@ -1,12 +1,18 @@ # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status - # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. SetHandler server-status - Require local - #Require ip 192.0.2.0/24 + AuthName "Server Status Access" + AuthType Basic + AuthBasicProvider file + AuthUserFile /etc/apache2/info_users_passwd + + Require local + Require valid-user + + # Keep track of extended status information for each request diff --git a/apache2/mods-available/userdir.conf b/apache2/mods-available/userdir.conf index a6c0da6..2c334ec 100644 --- a/apache2/mods-available/userdir.conf +++ b/apache2/mods-available/userdir.conf @@ -5,12 +5,7 @@ AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - - Require all granted - - - Require all denied - + Require method GET POST OPTIONS diff --git a/apache2/mods-enabled/info.conf b/apache2/mods-enabled/info.conf new file mode 120000 index 0000000..432cc88 --- /dev/null +++ b/apache2/mods-enabled/info.conf @@ -0,0 +1 @@ +../mods-available/info.conf \ No newline at end of file diff --git a/apache2/mods-enabled/reqtimeout.conf b/apache2/mods-enabled/reqtimeout.conf new file mode 120000 index 0000000..093b41d --- /dev/null +++ b/apache2/mods-enabled/reqtimeout.conf @@ -0,0 +1 @@ +../mods-available/reqtimeout.conf \ No newline at end of file 
diff --git a/apache2/mods-enabled/reqtimeout.load b/apache2/mods-enabled/reqtimeout.load new file mode 120000 index 0000000..979fab9 --- /dev/null +++ b/apache2/mods-enabled/reqtimeout.load @@ -0,0 +1 @@ +../mods-available/reqtimeout.load \ No newline at end of file diff --git a/apache2/sites-available/000-default-ssl.conf b/apache2/sites-available/000-default-ssl.conf new file mode 100644 index 0000000..081c837 --- /dev/null +++ b/apache2/sites-available/000-default-ssl.conf @@ -0,0 +1,46 @@ + + + + + + Include sites-available/default-include.conf + + SSLEngine on + + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + #SSLVerifyClient require + #SSLVerifyDepth 10 + + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + ServerName ns2.uhu-banane.de + ServerAlias ns2 + ServerAlias ns2.brehm-online.com + + + + +# vim: filetype=apache ts=8 sw=4 sts=4 sr noet diff --git a/apache2/sites-available/default-ssl.conf.dpkg-dist b/apache2/sites-available/default-ssl.conf.dpkg-dist new file mode 100644 index 0000000..7e37a9c --- /dev/null +++ b/apache2/sites-available/default-ssl.conf.dpkg-dist 
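Review bot: The new vhost in `sites-available/000-default-ssl.conf` serves `ns2.uhu-banane.de` and its aliases with the self-signed snakeoil pair (`SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem`), which no client can validate, so the TLS it offers does not protect against an active interceptor. That matters more here because the same commit introduces Basic-auth logins for the server-info and server-status handlers, which presumably are reachable through this vhost as well. I would point both directives at a certificate issued for the ServerName and ServerAlias values, e.g. `SSLCertificateFile /etc/ssl/certs/<site-cert>.pem` and `SSLCertificateKeyFile /etc/ssl/private/<site-key>.key` (placeholder paths). No `SSLProtocol` or `SSLCipherSuite` appears in the vhost; they may be set in the ssl module configuration, which is not part of the visible diff, so it is worth confirming the effective values after the upgrade.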
@@ -0,0 +1,134 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. 
+ # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + # BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/sites-enabled/000-default-ssl.conf b/apache2/sites-enabled/000-default-ssl.conf new file mode 120000 index 0000000..596612a --- /dev/null +++ b/apache2/sites-enabled/000-default-ssl.conf @@ -0,0 +1 @@ +../sites-available/000-default-ssl.conf \ No newline at end of file diff --git a/apm/event.d/01chrony b/apm/event.d/01chrony deleted file mode 100755 index df52908..0000000 --- a/apm/event.d/01chrony +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -# Placed in /etc/apm/event.d by the chrony package at the instruction of -# the apmd maintainer. If you don't have apm and don't intend to install -# apmd you may remove it. It needs to run after 00hwclock but before any -# other scripts. - - -[ -x /usr/sbin/chronyd ] || exit 0 - -if [ "$1" = suspend ]; then - invoke-rc.d chrony stop -elif [ "$1" = standby ]; then - invoke-rc.d chrony stop -elif [ "$1" = resume ]; then - invoke-rc.d chrony start -fi diff --git a/apparmor.d/local/usr.sbin.haveged b/apparmor.d/local/usr.sbin.haveged new file mode 100644 index 0000000..07c2960 --- /dev/null +++ b/apparmor.d/local/usr.sbin.haveged @@ -0,0 +1,2 @@ +# Site-specific additions and overrides for usr.sbin.haveged. +# For more details, please see /etc/apparmor.d/local/README. diff --git a/apparmor.d/usr.sbin.haveged b/apparmor.d/usr.sbin.haveged new file mode 100644 index 0000000..0e61138 --- /dev/null +++ b/apparmor.d/usr.sbin.haveged 
@@ -0,0 +1,23 @@ +# Last Modified: Fri Aug 21 15:23:17 2015 +#include + +/usr/sbin/haveged { + #include + + # Required for ioctl RNDADDENTROPY + capability sys_admin, + + owner @{PROC}/@{pid}/status r, + + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + /dev/random w, + + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/cpu*/cache/ r, + /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, + /usr/sbin/haveged mr, + + #include +} diff --git a/apparmor.d/usr.sbin.named b/apparmor.d/usr.sbin.named index 35df558..43e27c0 100644 --- a/apparmor.d/usr.sbin.named +++ b/apparmor.d/usr.sbin.named @@ -35,8 +35,9 @@ # dnscvsutil package /var/lib/dnscvsutil/compiled/** rw, - /proc/net/if_inet6 r, - /proc/*/net/if_inet6 r, + @{PROC}/net/if_inet6 r, + @{PROC}/*/net/if_inet6 r, + @{PROC}/sys/net/ipv4/ip_local_port_range r, /usr/sbin/named mr, /{,var/}run/named/named.pid w, /{,var/}run/named/session.key w, @@ -48,6 +49,19 @@ /var/log/named/** rw, /var/log/named/ rw, + # gssapi + /var/lib/sss/pubconf/krb5.include.d/** r, + /var/lib/sss/pubconf/krb5.include.d/ r, + /var/lib/sss/mc/initgroups r, + /etc/gss/mech.d/ r, + + # ldap + /etc/ldap/ldap.conf r, + /{,var/}run/slapd-*.socket rw, + + # dynamic updates + /var/tmp/DNS_* rw, + # Site-specific additions and overrides. See local/README for details. #include } diff --git a/apt/apt.conf.d/01autoremove b/apt/apt.conf.d/01autoremove index fc02350..3609ca4 100644 --- a/apt/apt.conf.d/01autoremove +++ b/apt/apt.conf.d/01autoremove @@ -29,10 +29,18 @@ APT Never-MarkAuto-Sections { "metapackages"; + "contrib/metapackages"; + "non-free/metapackages"; "restricted/metapackages"; "universe/metapackages"; "multiverse/metapackages"; + }; + + Move-Autobit-Sections + { "oldlibs"; + "contrib/oldlibs"; + "non-free/oldlibs"; "restricted/oldlibs"; "universe/oldlibs"; "multiverse/oldlibs"; 
diff --git a/apt/apt.conf.d/01autoremove-kernels b/apt/apt.conf.d/01autoremove-kernels index 8387a49..fd7609c 100644 --- a/apt/apt.conf.d/01autoremove-kernels +++ b/apt/apt.conf.d/01autoremove-kernels 
@@ -1,26 +1,54 @@ // DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal APT::NeverAutoRemove { - "^linux-image-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-image-4\.7\.0-0\.bpo\.1-amd64$"; - "^linux-headers-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-headers-4\.7\.0-0\.bpo\.1-amd64$"; - "^linux-image-extra-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-image-extra-4\.7\.0-0\.bpo\.1-amd64$"; - "^linux-signed-image-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-signed-image-4\.7\.0-0\.bpo\.1-amd64$"; - "^kfreebsd-image-4\.6\.0-0\.bpo\.1-amd64$"; - "^kfreebsd-image-4\.7\.0-0\.bpo\.1-amd64$"; - "^kfreebsd-headers-4\.6\.0-0\.bpo\.1-amd64$"; - "^kfreebsd-headers-4\.7\.0-0\.bpo\.1-amd64$"; - "^gnumach-image-4\.6\.0-0\.bpo\.1-amd64$"; - "^gnumach-image-4\.7\.0-0\.bpo\.1-amd64$"; - "^.*-modules-4\.6\.0-0\.bpo\.1-amd64$"; - "^.*-modules-4\.7\.0-0\.bpo\.1-amd64$"; - "^.*-kernel-4\.6\.0-0\.bpo\.1-amd64$"; - "^.*-kernel-4\.7\.0-0\.bpo\.1-amd64$"; - "^linux-backports-modules-.*-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-backports-modules-.*-4\.7\.0-0\.bpo\.1-amd64$"; - "^linux-tools-4\.6\.0-0\.bpo\.1-amd64$"; - "^linux-tools-4\.7\.0-0\.bpo\.1-amd64$"; + "^linux-image-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-image-4\.9\.0-3-amd64$"; + "^linux-headers-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-headers-4\.9\.0-3-amd64$"; + "^linux-image-extra-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-image-extra-4\.9\.0-3-amd64$"; + "^linux-signed-image-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-signed-image-4\.9\.0-3-amd64$"; + "^kfreebsd-image-4\.9\.0-0\.bpo\.3-amd64$"; + "^kfreebsd-image-4\.9\.0-3-amd64$"; + "^kfreebsd-headers-4\.9\.0-0\.bpo\.3-amd64$"; + "^kfreebsd-headers-4\.9\.0-3-amd64$"; + "^gnumach-image-4\.9\.0-0\.bpo\.3-amd64$"; + "^gnumach-image-4\.9\.0-3-amd64$"; + "^.*-modules-4\.9\.0-0\.bpo\.3-amd64$"; + "^.*-modules-4\.9\.0-3-amd64$"; + "^.*-kernel-4\.9\.0-0\.bpo\.3-amd64$"; + "^.*-kernel-4\.9\.0-3-amd64$"; + "^linux-backports-modules-.*-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-backports-modules-.*-4\.9\.0-3-amd64$"; + 
"^linux-tools-4\.9\.0-0\.bpo\.3-amd64$"; + "^linux-tools-4\.9\.0-3-amd64$"; }; +/* Debug information: +# dpkg list: +rc linux-image-4.7.0-0.bpo.1-amd64 4.7.8-1~bpo8+1 amd64 Linux 4.7 for 64-bit PCs (signed) +rc linux-image-4.8.0-0.bpo.2-amd64 4.8.15-2~bpo8+2 amd64 Linux 4.8 for 64-bit PCs (signed) +rc linux-image-4.9.0-0.bpo.1-amd64 4.9.2-2~bpo8+1 amd64 Linux 4.9 for 64-bit PCs (signed) +ii linux-image-4.9.0-0.bpo.2-amd64 4.9.18-1~bpo8+1 amd64 Linux 4.9 for 64-bit PCs (signed) +ii linux-image-4.9.0-0.bpo.3-amd64 4.9.30-2+deb9u2~bpo8+1 amd64 Linux 4.9 for 64-bit PCs +iF linux-image-4.9.0-3-amd64 4.9.30-2+deb9u2 amd64 Linux 4.9 for 64-bit PCs +iU linux-image-amd64 4.9+80 amd64 Linux for 64-bit PCs (meta-package) +# list of installed kernel packages: +4.9.0-0.bpo.2-amd64 4.9.18-1~bpo8+1 +4.9.0-0.bpo.3-amd64 4.9.30-2+deb9u2~bpo8+1 +4.9.0-3-amd64 4.9.30-2+deb9u2 +# list of different kernel versions: +4.9.30-2+deb9u2 +4.9.30-2+deb9u2~bpo8+1 +4.9.18-1~bpo8+1 +# Installing kernel: 4.9.30-2+deb9u2 (4.9.0-3-amd64) +# Running kernel: 4.9.30-2+deb9u2~bpo8+1 (4.9.0-0.bpo.3-amd64) +# Last kernel: 4.9.30-2+deb9u2 +# Previous kernel: 4.9.30-2+deb9u2~bpo8+1 +# Kernel versions list to keep: +4.9.30-2+deb9u2 +4.9.30-2+deb9u2~bpo8+1 +# Kernel packages (version part) to protect: +4\.9\.0-0\.bpo\.3-amd64 +4\.9\.0-3-amd64 +*/ diff --git a/apt/sources.list b/apt/sources.list index 5f2de8d..58afeda 100644 --- a/apt/sources.list +++ b/apt/sources.list 
@@ -1,19 +1,23 @@ -# deb http://ftp.us.debian.org/debian jessie main +# -# main jessie repositories -deb http://ftp.us.debian.org/debian jessie main contrib non-free -deb-src http://ftp.us.debian.org/debian jessie main contrib non-free +# deb cdrom:[Debian GNU/Linux stretch-DI-alpha7 _Stretch_ - Official Snapshot amd64 NETINST Binary-1 20160630-14:29]/ stretch main -# jessie security updates -deb http://security.debian.org/ jessie/updates main contrib non-free -deb-src http://security.debian.org/ jessie/updates main contrib non-free +# deb http://ftp.us.debian.org/debian stretch main -# jessie-updates, previously known as 'volatile' -deb http://ftp.us.debian.org/debian jessie-updates main contrib non-free -deb-src http://ftp.us.debian.org/debian jessie-updates main contrib non-free +# main stretch repositories +deb http://ftp.us.debian.org/debian stretch main contrib non-free +deb-src http://ftp.us.debian.org/debian stretch main contrib non-free -# jessie-backports, previously on backports.debian.org -deb http://ftp.us.debian.org/debian/ jessie-backports main contrib non-free -deb-src http://ftp.us.debian.org/debian/ jessie-backports main contrib non-free +# stretch security updates +deb http://security.debian.org/ stretch/updates main contrib non-free +deb-src http://security.debian.org/ stretch/updates main contrib non-free + +# stretch-updates, previously known as 'volatile' +deb http://ftp.us.debian.org/debian stretch-updates main contrib non-free +deb-src http://ftp.us.debian.org/debian stretch-updates main contrib non-free + +# stretch-backports, previously on backports.debian.org +deb http://ftp.us.debian.org/debian/ stretch-backports main contrib non-free +deb-src http://ftp.us.debian.org/debian/ stretch-backports main contrib non-free # vim: noet ts=8 diff --git a/apt/sources.list.d/fbrehm.list b/apt/sources.list.d/fbrehm.list index d773712..7e43b75 100644 --- a/apt/sources.list.d/fbrehm.list +++ b/apt/sources.list.d/fbrehm.list 
@@ -1,6 +1,6 @@ # Packages Frank Brehm # --------------------- -#deb http://www.brehm-online.com/debian/jessie ./ -deb http://repo.uhu-banane.de/Debian/jessie ./ +#deb http://www.brehm-online.com/debian/stretch ./ +deb http://repo.uhu-banane.de/Debian/stretch ./ deb-src http://repo.uhu-banane.de/Sources ./ diff --git a/apt/sources.list.d/salt.list b/apt/sources.list.d/salt.list index 846108d..9383dc2 100644 --- a/apt/sources.list.d/salt.list +++ b/apt/sources.list.d/salt.list @@ -1 +1 @@ -deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main +deb http://repo.saltstack.com/apt/debian/9/amd64/latest stretch main diff --git a/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg b/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg deleted file mode 100644 index 02fbddc..0000000 Binary files a/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg and /dev/null differ diff --git a/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg b/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg deleted file mode 100644 index ca93dba..0000000 Binary files a/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg and /dev/null differ diff --git a/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg b/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg new file mode 100644 index 0000000..7dc19c5 Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg b/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg new file mode 100644 index 0000000..79542e0 Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg b/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg new file mode 100644 index 0000000..2c3f78f Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg differ 
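Review bot: The two third-party sources switched to stretch here are trusted as fully as the Debian archive, yet the keyring changes visible in this commit only touch `debian-archive-*` files under `apt/trusted.gpg.d`. It is worth confirming that `repo.uhu-banane.de` (a flat `./` repository) and `repo.saltstack.com` each publish a signed Release file whose key is installed on this host, rather than being accepted through an unauthenticated override. In `salt.list` the `latest` path component follows whatever release upstream publishes next; for a configuration-management agent that normally runs as root, pointing at a fixed release branch keeps upgrades deliberate. A comment in each file such as `# signed by: <KEY-FINGERPRINT>` (placeholder, fill in the real fingerprint) would record which key is expected.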
diff --git a/apticron/apticron.conf b/apticron/apticron.conf index f6c2db9..b61120d 100644 --- a/apticron/apticron.conf +++ b/apticron/apticron.conf @@ -95,6 +95,6 @@ EMAIL="root" # # Set CUSTOM_FROM if you want to replace the default sender by changing the # 'From:' field used in the notification e-mails. Your default sender will -# be something like root@ns2. +# be something like root@ns2.uhu-banane.de. # # CUSTOM_FROM="" diff --git a/at.deny b/at.deny new file mode 100644 index 0000000..0d5a382 --- /dev/null +++ b/at.deny @@ -0,0 +1,24 @@ +alias +backup +bin +daemon +ftp +games +gnats +guest +irc +lp +mail +man +nobody +operator +proxy +qmaild +qmaill +qmailp +qmailq +qmailr +qmails +sync +sys +www-data diff --git a/bash_completion.d/apache2 b/bash_completion.d/apache2 deleted file mode 100644 index e57c100..0000000 --- a/bash_completion.d/apache2 +++ /dev/null 
@@ -1,89 +0,0 @@ -# bash completion for Debian apache2 configuration tools - -_apache2_allcomp() -{ - command ls /etc/apache2/$1 2>/dev/null -} - -_apache2_mods() -{ - COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 \ - | sed -e 's/[.]load$//' -e 's/[.]conf$//' )' -- $cur ) ) -} - -_apache2_sites() -{ - COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 )' -- $cur ) ) -} - -_apache2_conf() -{ - COMPREPLY=( $( compgen -W '$( _apache2_allcomp $1 \ - | sed -e 's/[.]conf$//' )' -- $cur ) ) -} - -_a2enmod() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_mods mods-available -} -complete -F _a2enmod a2enmod - -_a2ensite() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_sites sites-available -} -complete -F _a2ensite a2ensite - -_a2enconf() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_conf conf-available -} -complete -F _a2enconf a2enconf - -_a2dismod() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_mods mods-enabled -} -complete -F _a2dismod a2dismod - -_a2dissite() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_sites sites-enabled -} -complete -F _a2dissite a2dissite - -_a2disconf() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - - _apache2_conf conf-enabled -} -complete -F _a2disconf a2disconf diff --git a/bash_completion.d/debconf b/bash_completion.d/debconf deleted file mode 100644 index 1880689..0000000 --- a/bash_completion.d/debconf +++ /dev/null @@ -1,12 +0,0 @@ -have debconf-show && -_debconf_show() -{ - local cur - - COMPREPLY=() - cur=${COMP_WORDS[COMP_CWORD]} - COMPREPLY=($( compgen -W '--listowners --listdbs --db=' -- $cur ) \ - $( apt-cache pkgnames -- $cur ) ) -} -complete -F _debconf_show debconf-show - diff --git a/bash_completion.d/fail2ban b/bash_completion.d/fail2ban index 7a42bd1..36e0cbb 100644 --- a/bash_completion.d/fail2ban +++ b/bash_completion.d/fail2ban 
@@ -19,10 +19,19 @@ __fail2ban_jails () { "$1" status 2>/dev/null | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g' } +__fail2ban_jail_actions () { + "$1" get "$2" actions 2>/dev/null | sed -n '$s/\([^,]\+\),\?/\1/gp' +} +__fail2ban_jail_action_properties () { + "$1" get "$2" actionproperties "$3" 2>/dev/null | sed -n '$s/\([^,]\+\),\?/\1/gp' +} +__fail2ban_jail_action_methods () { + "$1" get "$2" actionmethods "$3" 2>/dev/null | sed -n '$s/\([^,]\+\),\?/\1/gp' +} _fail2ban () { local cur prev words cword - _init_completion || return + _init_completion || return case $prev in -V|--version|-h|--help) @@ -50,7 +59,7 @@ _fail2ban () { _filedir return 0 elif [[ "$1" == *"fail2ban-client" ]];then - local cmd jail + local cmd jail action case $prev in "$1") COMPREPLY=( $( compgen -W \ @@ -71,7 +80,7 @@ _fail2ban () { ;; *) if [[ "${words[$cword-2]}" == "add" ]];then - COMPREPLY=( $( compgen -W "auto polling gamin pyinotify" -- "$cur" ) ) + COMPREPLY=( $( compgen -W "auto polling gamin pyinotify systemd" -- "$cur" ) ) return 0 elif [[ "${words[$cword-2]}" == "set" || "${words[$cword-2]}" == "get" ]];then cmd="${words[cword-2]}" @@ -80,6 +89,11 @@ _fail2ban () { cmd="${words[$cword-3]}" jail="${words[$cword-2]}" # Handle in section below + elif [[ "${words[$cword-4]}" == "set" || "${words[$cword-4]}" == "get" && ${words[$cword-2]} == action* ]];then + cmd="${words[$cword-4]}" + jail="${words[$cword-3]}" + action="${words[$cword-1]}" + # Handle in section below fi ;; esac @@ -88,7 +102,7 @@ _fail2ban () { case $prev in loglevel) if [[ "$cmd" == "set" ]];then - COMPREPLY=( $( compgen -W "0 1 2 3 4" -- "$cur" ) ) + COMPREPLY=( $( compgen -W "CRITICAL ERROR WARNING NOTICE INFO DEBUG" -- "$cur" ) ) fi return 0 ;; 
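Review bot: The `elif` added in the `@@ -80,6 +89,11 @@` hunk mixes `||` and `&&` without grouping, and inside `[[ ]]` `&&` binds tighter than `||`. The test therefore reads as `set || (get && action*)`, so a `set` command takes this branch and assigns `action` even when `${words[$cword-2]}` is not an `action*` keyword. Grouping the alternatives restores the intended meaning: `elif [[ ( "${words[$cword-4]}" == "set" || "${words[$cword-4]}" == "get" ) && ${words[$cword-2]} == action* ]];then`. `_fail2ban` starts and ends outside the hunk, and the file looks like the packaged completion script, so the fix probably belongs upstream as well.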
@@ -106,6 +120,25 @@ _fail2ban () { return 0 ;; esac + elif [[ -n "$jail" && -n "$action" ]];then + case ${words[$cwords-3]} in + action) + COMPREPLY=( $( compgen -W \ + "$( __fail2ban_jail_action_properties "$1" "$jail" "$action")" \ + -- "$cur" ) ) + if [[ "$cmd" == "set" ]];then + COMPREPLY+=( $(compgen -W "$(__fail2ban_jail_action_methods "$1" "$jail" "$action")" -- "$cur" ) ) + fi + return 0 + ;; + esac + elif [[ -n "$jail" && $prev == action* ]];then + case $prev in + action|actionproperties|actionmethods) + COMPREPLY=( $(compgen -W "$(__fail2ban_jail_actions "$1" "$jail")" -- "$cur" ) ) + return 0 + ;; + esac elif [[ -n "$jail" && "$cmd" == "set" ]];then case $prev in addlogpath) @@ -121,7 +154,7 @@ _fail2ban () { fi return 0 ;; - delfailregex|delignoregex) + delfailregex|delignoreregex) COMPREPLY=( $( compgen -W \ "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \ -- "$cur" ) ) diff --git a/bash_completion.d/initramfs-tools b/bash_completion.d/initramfs-tools deleted file mode 100644 index a52074f..0000000 --- a/bash_completion.d/initramfs-tools +++ /dev/null @@ -1,26 +0,0 @@ -# update-initramfs(8) completion - -_update_initramfs() -{ - local cur prev valid_options - - # TODO: this can be "_get_comp_words_by_ref cur prev" once - # bash-completion >= 1.2 is available, see #537139 - cur=$(_get_cword) - prev=${COMP_WORDS[COMP_CWORD-1]} - - # The only option that takes an argument is -k - if [[ "$prev" == '-k' ]]; then - # Complete with kernel versions - _kernel_versions - COMPREPLY=( $( compgen -W '${COMPREPLY[@]} all' -- "$cur" ) ) - return; - fi - - # Complete with available options (obtained from -h) - valid_options=$( update-initramfs -h 2>&1 | \ - sed -e '/^ -/!d;s/^ \(-\w\+\).*/\1/' ) - COMPREPLY=( $( compgen -W "$valid_options" -- $cur ) ) -} - -complete -F _update_initramfs update-initramfs diff --git a/bash_completion.d/isoquery b/bash_completion.d/isoquery deleted file mode 100644 index c27ed05..0000000 
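Review bot: The added `case ${words[$cwords-3]} in` refers to `cwords`, but the variable declared at the top of `_fail2ban` (`local cur prev words cword`, visible in an earlier hunk) is `cword`. An unset name evaluates to 0 in the subscript, so the index becomes -3; depending on the bash version that is either an error or an element counted from the end of `words`, not the word three positions before the cursor. The line should read `case ${words[$cword-3]} in`. The function body starts and ends outside the hunk.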
--- a/bash_completion.d/isoquery +++ /dev/null @@ -1,45 +0,0 @@ -# /etc/bash_completion.d/isoquery -# Programmable Bash command completion for the ‘isoquery’ command. - -shopt -s progcomp - -_isoquery_completion () { - local cur prev opts - - COMPREPLY=() - cur="${COMP_WORDS[COMP_CWORD]}" - prev="${COMP_WORDS[COMP_CWORD-1]}" - - opts="-h --help -v --version" - opts="${opts} -i --iso -x --xmlfile -l --locale -0 --null" - opts="${opts} -n --name -o --official_name -c --common_name" - - case "${prev}" in - -i|--iso) - local standards=(639 639-3 639-5 3166 3166-2 4217 15924) - COMPREPLY=( $(compgen -W "${standards[*]}" -- ${cur}) ) - ;; - - -x|--xmlfile) - COMPREPLY=( $(compgen -A file -- ${cur}) ) - ;; - - -l|--locale) - local locale_names=$(locale --all-locales) - COMPREPLY=( $(compgen -W "${locale_names}" -- ${cur}) ) - ;; - - *) - COMPREPLY=($(compgen -W "${opts}" -- ${cur})) - ;; - esac -} - -complete -F _isoquery_completion isoquery - - -# Local variables: -# coding: utf-8 -# mode: shell-script -# End: -# vim: fileencoding=utf-8 filetype=bash : diff --git a/bash_completion.d/whiptail b/bash_completion.d/whiptail deleted file mode 100644 index 6826e56..0000000 --- a/bash_completion.d/whiptail +++ /dev/null @@ -1,6 +0,0 @@ -complete -W "--msgbox --yesno --infobox --inputbox --passwordbox --textbox --menu --checklist \ - --radiochecklist --gauge --clear --defaultno --default-item \ - --fb --nocancel --yes-button --no-button --ok-button \ - --cancel-button -noitem --separate-output --output-fd \ - --title --backtitle -scrolltext --toplefti \ - --help" -f whiptail diff --git a/bind/named-sec.conf b/bind/named-sec.conf index aceeb28..ebc6b5a 100644 --- a/bind/named-sec.conf +++ b/bind/named-sec.conf 
@@ -32,6 +32,17 @@ zone "0.0.0.1.6.0.0.3.1.7.1.0.8.f.4.0.1.0.a.2.ip6.arpa" { }; }; +zone "0.0.0.2.6.0.0.3.1.7.1.0.8.f.4.0.1.0.a.2.ip6.arpa" { + type slave; + file "rev.2a01-4f8-171-3006-2000.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + zone "0.29.172.in-addr.arpa" { type slave; file "rev.172.29.0.zone"; @@ -54,6 +65,17 @@ zone "0.31.172.in-addr.arpa" { }; }; +zone "0.32.172.in-addr.arpa" { + type slave; + file "rev.172.32.0.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + zone "11.12.10.in-addr.arpa" { type slave; file "rev.10.12.11.zone"; @@ -175,6 +197,28 @@ zone "planetec.de" { }; }; +zone "pontilus.com" { + type slave; + file "pontilus.com.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + +zone "pontilus.de" { + type slave; + file "pontilus.de.zone"; + masters { + 138.201.28.135; + }; + allow-transfer { + common-allow-transfer; + }; +}; + zone "uhu-banane.com" { type slave; file "uhu-banane.com.zone"; diff --git a/ca-certificates.conf b/ca-certificates.conf index e58c45f..374fe97 100644 --- a/ca-certificates.conf +++ b/ca-certificates.conf @@ -28,13 +28,13 @@ mozilla/Baltimore_CyberTrust_Root.crt mozilla/Buypass_Class_2_CA_1.crt mozilla/Buypass_Class_2_Root_CA.crt mozilla/Buypass_Class_3_Root_CA.crt -mozilla/CA_Disig.crt +!mozilla/CA_Disig.crt mozilla/CA_Disig_Root_R1.crt mozilla/CA_Disig_Root_R2.crt mozilla/Camerfirma_Chambers_of_Commerce_Root.crt mozilla/Camerfirma_Global_Chambersign_Root.crt -mozilla/CA_WoSign_ECC_Root.crt -mozilla/Certification_Authority_of_WoSign_G2.crt +!mozilla/CA_WoSign_ECC_Root.crt +!mozilla/Certification_Authority_of_WoSign_G2.crt mozilla/Certigna.crt mozilla/Certinomis_-_Autorité_Racine.crt mozilla/Certinomis_-_Root_CA.crt 
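Review bot: The new reverse zone `0.32.172.in-addr.arpa` (second hunk) covers 172.32.0.0/24, which lies outside the RFC 1918 block 172.16.0.0/12 (172.16–172.31), unlike the neighbouring `0.29.172` and `0.31.172` zones. If it is meant for internal addressing, those hosts are numbered from publicly allocated space and this server will answer PTR queries for a range it is presumably not delegated; confirm the prefix or confine the zone to an internal view. Separately, all four added zones name the master by address only, `masters { 138.201.28.135; };`, so zone transfers are authenticated by source IP alone unless a `server` statement elsewhere binds a TSIG key. Writing `masters { 138.201.28.135 key <TSIG-KEY-NAME>; };` (placeholder key name) would make that explicit in each zone.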
@@ -104,10 +104,10 @@ mozilla/Juur-SK.crt mozilla/Microsec_e-Szigno_Root_CA_2009.crt mozilla/Microsec_e-Szigno_Root_CA.crt mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt -mozilla/NetLock_Business_=Class_B=_Root.crt -mozilla/NetLock_Express_=Class_C=_Root.crt -mozilla/NetLock_Notary_=Class_A=_Root.crt -mozilla/NetLock_Qualified_=Class_QA=_Root.crt +!mozilla/NetLock_Business_=Class_B=_Root.crt +!mozilla/NetLock_Express_=Class_C=_Root.crt +!mozilla/NetLock_Notary_=Class_A=_Root.crt +!mozilla/NetLock_Qualified_=Class_QA=_Root.crt mozilla/Network_Solutions_Certificate_Authority.crt mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt @@ -126,18 +126,18 @@ mozilla/SecureTrust_CA.crt mozilla/Security_Communication_EV_RootCA1.crt mozilla/Security_Communication_RootCA2.crt mozilla/Security_Communication_Root_CA.crt -mozilla/Sonera_Class_1_Root_CA.crt +!mozilla/Sonera_Class_1_Root_CA.crt mozilla/Sonera_Class_2_Root_CA.crt mozilla/Staat_der_Nederlanden_EV_Root_CA.crt -mozilla/Staat_der_Nederlanden_Root_CA.crt +!mozilla/Staat_der_Nederlanden_Root_CA.crt mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt mozilla/Starfield_Class_2_CA.crt mozilla/Starfield_Root_Certificate_Authority_-_G2.crt mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt -mozilla/StartCom_Certification_Authority_2.crt -mozilla/StartCom_Certification_Authority.crt -mozilla/StartCom_Certification_Authority_G2.crt +!mozilla/StartCom_Certification_Authority_2.crt +!mozilla/StartCom_Certification_Authority.crt +!mozilla/StartCom_Certification_Authority_G2.crt mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt mozilla/S-TRUST_Universal_Root_CA.crt mozilla/Swisscom_Root_CA_1.crt 
@@ -166,20 +166,30 @@ mozilla/USERTrust_RSA_Certification_Authority.crt mozilla/UTN_USERFirst_Email_Root_CA.crt mozilla/UTN_USERFirst_Hardware_Root_CA.crt mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt -mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt +!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt -mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt +!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt -mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt +!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt mozilla/VeriSign_Universal_Root_Certification_Authority.crt mozilla/Visa_eCommerce_Root.crt mozilla/WellsSecure_Public_Root_Certificate_Authority.crt -mozilla/WoSign_China.crt -mozilla/WoSign.crt +!mozilla/WoSign_China.crt +!mozilla/WoSign.crt mozilla/XRamp_Global_CA_Root.crt -spi-inc.org/spi-cacert-2008.crt +!spi-inc.org/spi-cacert-2008.crt +mozilla/Certplus_Root_CA_G1.crt +mozilla/Certplus_Root_CA_G2.crt +mozilla/Certum_Trusted_Network_CA_2.crt +mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt +mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt +mozilla/ISRG_Root_X1.crt +mozilla/OpenTrust_Root_CA_G1.crt +mozilla/OpenTrust_Root_CA_G2.crt +mozilla/OpenTrust_Root_CA_G3.crt +mozilla/SZAFIR_ROOT_CA2.crt 
diff --git a/ca-certificates.conf.dpkg-old b/ca-certificates.conf.dpkg-old
new file mode 100644
index 0000000..657c928
--- /dev/null
+++ b/ca-certificates.conf.dpkg-old
@@ -0,0 +1,195 @@
+# This file lists certificates that you wish to use or to ignore to be
+# installed in /etc/ssl/certs.
+# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
+#
+# This is autogenerated by dpkg-reconfigure ca-certificates.
+# Certificates should be installed under /usr/share/ca-certificates
+# and files with extension '.crt' is recognized as available certs.
+#
+# line begins with # is comment.
+# line begins with ! is certificate filename to be deselected.
+#
+mozilla/ACCVRAIZ1.crt
+mozilla/ACEDICOM_Root.crt
+mozilla/AC_Raíz_Certicámara_S.A..crt
+mozilla/Actalis_Authentication_Root_CA.crt
+mozilla/AddTrust_External_Root.crt
+mozilla/AddTrust_Low-Value_Services_Root.crt
+mozilla/AddTrust_Public_Services_Root.crt
+mozilla/AddTrust_Qualified_Certificates_Root.crt
+mozilla/AffirmTrust_Commercial.crt
+mozilla/AffirmTrust_Networking.crt
+mozilla/AffirmTrust_Premium.crt
+mozilla/AffirmTrust_Premium_ECC.crt
+mozilla/ApplicationCA_-_Japanese_Government.crt
+mozilla/Atos_TrustedRoot_2011.crt
+mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
+mozilla/Baltimore_CyberTrust_Root.crt
+mozilla/Buypass_Class_2_CA_1.crt
+mozilla/Buypass_Class_2_Root_CA.crt
+mozilla/Buypass_Class_3_Root_CA.crt
+!mozilla/CA_Disig.crt
+mozilla/CA_Disig_Root_R1.crt
+mozilla/CA_Disig_Root_R2.crt
+mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
+mozilla/Camerfirma_Global_Chambersign_Root.crt
+mozilla/CA_WoSign_ECC_Root.crt
+mozilla/Certification_Authority_of_WoSign_G2.crt
+mozilla/Certigna.crt
+mozilla/Certinomis_-_Autorité_Racine.crt
+mozilla/Certinomis_-_Root_CA.crt
+mozilla/Certplus_Class_2_Primary_CA.crt
+mozilla/certSIGN_ROOT_CA.crt
+mozilla/Certum_Root_CA.crt
+mozilla/Certum_Trusted_Network_CA.crt
+mozilla/CFCA_EV_ROOT.crt
+mozilla/Chambers_of_Commerce_Root_-_2008.crt
+mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
+mozilla/CNNIC_ROOT.crt
+mozilla/Comodo_AAA_Services_root.crt
+mozilla/COMODO_Certification_Authority.crt
+mozilla/COMODO_ECC_Certification_Authority.crt
+mozilla/COMODO_RSA_Certification_Authority.crt
+mozilla/Comodo_Secure_Services_root.crt
+mozilla/Comodo_Trusted_Services_root.crt
+mozilla/ComSign_CA.crt
+mozilla/Cybertrust_Global_Root.crt
+mozilla/Deutsche_Telekom_Root_CA_2.crt
+mozilla/DigiCert_Assured_ID_Root_CA.crt
+mozilla/DigiCert_Assured_ID_Root_G2.crt
+mozilla/DigiCert_Assured_ID_Root_G3.crt
+mozilla/DigiCert_Global_Root_CA.crt
+mozilla/DigiCert_Global_Root_G2.crt
+mozilla/DigiCert_Global_Root_G3.crt
+mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
+mozilla/DigiCert_Trusted_Root_G4.crt
+mozilla/DST_ACES_CA_X6.crt
+mozilla/DST_Root_CA_X3.crt
+mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
+mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
+mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+mozilla/EC-ACC.crt
+mozilla/EE_Certification_Centre_Root_CA.crt
+mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
+mozilla/Entrust_Root_Certification_Authority.crt
+mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
+mozilla/Entrust_Root_Certification_Authority_-_G2.crt
+mozilla/ePKI_Root_Certification_Authority.crt
+mozilla/Equifax_Secure_CA.crt
+mozilla/Equifax_Secure_eBusiness_CA_1.crt
+mozilla/Equifax_Secure_Global_eBusiness_CA.crt
+mozilla/E-Tugra_Certification_Authority.crt
+mozilla/GeoTrust_Global_CA_2.crt
+mozilla/GeoTrust_Global_CA.crt
+mozilla/GeoTrust_Primary_Certification_Authority.crt
+mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
+mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
+mozilla/GeoTrust_Universal_CA_2.crt
+mozilla/GeoTrust_Universal_CA.crt
+mozilla/Global_Chambersign_Root_-_2008.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
+mozilla/GlobalSign_Root_CA.crt
+mozilla/GlobalSign_Root_CA_-_R2.crt
+mozilla/GlobalSign_Root_CA_-_R3.crt
+mozilla/Go_Daddy_Class_2_CA.crt
+mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
+mozilla/Hongkong_Post_Root_CA_1.crt
+mozilla/IdenTrust_Commercial_Root_CA_1.crt
+mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
+mozilla/IGC_A.crt
+mozilla/Izenpe.com.crt
+mozilla/Juur-SK.crt
+mozilla/Microsec_e-Szigno_Root_CA_2009.crt
+mozilla/Microsec_e-Szigno_Root_CA.crt
+mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
+!mozilla/NetLock_Business_=Class_B=_Root.crt
+!mozilla/NetLock_Express_=Class_C=_Root.crt
+!mozilla/NetLock_Notary_=Class_A=_Root.crt
+!mozilla/NetLock_Qualified_=Class_QA=_Root.crt
+mozilla/Network_Solutions_Certificate_Authority.crt
+mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
+mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
+mozilla/PSCProcert.crt
+mozilla/QuoVadis_Root_CA_1_G3.crt
+mozilla/QuoVadis_Root_CA_2.crt
+mozilla/QuoVadis_Root_CA_2_G3.crt
+mozilla/QuoVadis_Root_CA_3.crt
+mozilla/QuoVadis_Root_CA_3_G3.crt
+mozilla/QuoVadis_Root_CA.crt
+mozilla/Root_CA_Generalitat_Valenciana.crt
+mozilla/RSA_Security_2048_v3.crt
+mozilla/Secure_Global_CA.crt
+mozilla/SecureSign_RootCA11.crt
+mozilla/SecureTrust_CA.crt
+mozilla/Security_Communication_EV_RootCA1.crt
+mozilla/Security_Communication_RootCA2.crt
+mozilla/Security_Communication_Root_CA.crt
+!mozilla/Sonera_Class_1_Root_CA.crt
+mozilla/Sonera_Class_2_Root_CA.crt
+mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
+!mozilla/Staat_der_Nederlanden_Root_CA.crt
+mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
+mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
+mozilla/Starfield_Class_2_CA.crt
+mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
+mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
+mozilla/StartCom_Certification_Authority_2.crt
+mozilla/StartCom_Certification_Authority.crt
+mozilla/StartCom_Certification_Authority_G2.crt
+mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
+mozilla/S-TRUST_Universal_Root_CA.crt
+mozilla/Swisscom_Root_CA_1.crt
+mozilla/Swisscom_Root_CA_2.crt
+mozilla/Swisscom_Root_EV_CA_2.crt
+mozilla/SwissSign_Gold_CA_-_G2.crt
+mozilla/SwissSign_Platinum_CA_-_G2.crt
+mozilla/SwissSign_Silver_CA_-_G2.crt
+mozilla/Taiwan_GRCA.crt
+mozilla/TC_TrustCenter_Class_3_CA_II.crt
+mozilla/TeliaSonera_Root_CA_v1.crt
+mozilla/thawte_Primary_Root_CA.crt
+mozilla/thawte_Primary_Root_CA_-_G2.crt
+mozilla/thawte_Primary_Root_CA_-_G3.crt
+mozilla/Trustis_FPS_Root_CA.crt
+mozilla/T-TeleSec_GlobalRoot_Class_2.crt
+mozilla/T-TeleSec_GlobalRoot_Class_3.crt
+mozilla/TÜBÄ°TAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
+mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
+mozilla/TWCA_Global_Root_CA.crt
+mozilla/TWCA_Root_Certification_Authority.crt
+mozilla/USERTrust_ECC_Certification_Authority.crt
+mozilla/USERTrust_RSA_Certification_Authority.crt
+mozilla/UTN_USERFirst_Email_Root_CA.crt
+mozilla/UTN_USERFirst_Hardware_Root_CA.crt
+mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
+!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
+mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
+mozilla/VeriSign_Universal_Root_Certification_Authority.crt
+mozilla/Visa_eCommerce_Root.crt
+mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
+mozilla/WoSign_China.crt
+mozilla/WoSign.crt
+mozilla/XRamp_Global_CA_Root.crt
+spi-inc.org/spi-cacert-2008.crt
+mozilla/Certplus_Root_CA_G1.crt
+mozilla/Certplus_Root_CA_G2.crt
+mozilla/Certum_Trusted_Network_CA_2.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
+mozilla/ISRG_Root_X1.crt
+mozilla/OpenTrust_Root_CA_G1.crt
+mozilla/OpenTrust_Root_CA_G2.crt
+mozilla/OpenTrust_Root_CA_G3.crt
+mozilla/SZAFIR_ROOT_CA2.crt
diff --git a/chrony/chrony.conf.ucf-dist b/chrony/chrony.conf.ucf-dist
index ac848e5..c9ffc4b 100644
--- a/chrony/chrony.conf.ucf-dist
+++ b/chrony/chrony.conf.ucf-dist
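Review bot: The committed `ca-certificates.conf.dpkg-old` still lists the WoSign and StartCom roots as selected (no leading `!`), while the live `ca-certificates.conf` in this same commit deselects them. The header comment says `update-ca-certificates` reads `ca-certificates.conf`, so the backup should be inert. Tracking it still leaves a stale trust list in the tree that could be copied back during a later conffile merge. Consider dropping the file once the merge is verified, or ignoring `*.dpkg-old` in the repository so that such backups are not committed.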
@@ -1,95 +1,32 @@ -# This the default chrony.conf file for the Debian chrony package. After -# editing this file use the command 'invoke-rc.d chrony restart' to make -# your changes take effect. John Hasler 1998-2008 - -# See www.pool.ntp.org for an explanation of these servers. Please -# consider joining the project if possible. If you can't or don't want to -# use these servers I suggest that you try your ISP's nameservers. We mark -# the servers 'offline' so that chronyd won't try to connect when the link -# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc -# commands to switch it on when a dialup link comes up and off when it goes -# down. Code in /etc/init.d/chrony attempts to determine whether or not -# the link is up at boot time and set the online status accordingly. If -# you have an always-on connection such as cable omit the 'offline' -# directive and chronyd will default to online. -# -# Note that if Chrony tries to go "online" and dns lookup of the servers -# fails they will be discarded. Thus under some circumstances it is -# better to use IP numbers than host names. - -server 0.debian.pool.ntp.org offline minpoll 8 -server 1.debian.pool.ntp.org offline minpoll 8 -server 2.debian.pool.ntp.org offline minpoll 8 -server 3.debian.pool.ntp.org offline minpoll 8 - - -# Look here for the admin password needed for chronyc. The initial -# password is generated by a random process at install time. You may -# change it if you wish. +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usuable directives. +pool 2.debian.pool.ntp.org iburst +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. keyfile /etc/chrony/chrony.keys -# Set runtime command key. 
Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. - -commandkey 1 - -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. - +# This directive specify the file into which chronyd will store the rate +# information. driftfile /var/lib/chrony/chrony.drift -# Comment this line out to turn off logging. +# Uncomment the following line to turn logging on. +#log tracking measurements statistics -log tracking measurements statistics +# Log files location. logdir /var/log/chrony # Stop bad estimates upsetting machine clock. - maxupdateskew 100.0 -# Dump measurements when daemon exits. - -dumponexit - -# Specify directory for dumping measurements. - -dumpdir /var/lib/chrony - -# Let computer be a server when it is unsynchronised. - -local stratum 10 - -# Allow computers on the unrouted nets to use the server. - -allow 10/8 -allow 192.168/16 -allow 172.16/12 - -# This directive forces `chronyd' to send a message to syslog if it -# makes a system clock adjustment larger than a threshold value in seconds. - -logchange 0.5 - -# This directive defines an email address to which mail should be sent -# if chronyd applies a correction exceeding a particular threshold to the -# system clock. - -# mailonchange root@localhost 0.5 - -# This directive tells chrony to regulate the real-time clock and tells it -# Where to store related data. It may not work on some newer motherboards -# that use the HPET real-time clock. It requires enhanced real-time -# support in the kernel. I've commented it out because with certain -# combinations of motherboard and kernel it is reported to cause lockups. +# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the +# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive. 
+hwclockfile /etc/adjtime -# rtcfile /var/lib/chrony/chrony.rtc +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. +rtcsync -# If the last line of this file reads 'rtconutc' chrony will assume that -# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent -# chrony will assume local time. The line (if any) was written by the -# chrony postinst based on what it found in /etc/default/rcS. You may -# change it if necessary. -rtconutc +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, but only in the first three clock updates. +makestep 1 3 diff --git a/chrony/chrony.keys b/chrony/chrony.keys index e99f8aa..cee70b3 100644 --- a/chrony/chrony.keys +++ b/chrony/chrony.keys @@ -1 +1,10 @@ -1 2DiH7BB# +# This file is solely used for NTP authentication with symmetric keys +# as defined by RFC 1305 and RFC 5905. +# +# It can contain ID/key pairs which can be generated using the “keygen” option +# from “chronyc”; for example: +# chronyc keygen 1 SHA256 256 >> /etc/chrony/chrony.keys +# would generate a 256-bit SHA-256 key using ID 1. +# +# A list of supported hash functions and output encoding can be found in +# the "keyfile" section from the "/usr/share/doc/chrony/chrony.txt.gz" file. diff --git a/colordiffrc b/colordiffrc index 4bcb02d..1ac1a17 100644 --- a/colordiffrc +++ b/colordiffrc @@ -23,7 +23,7 @@ diff_cmd=diff # this, use the default output colour" # plain=off -newtext=blue -oldtext=red -diffstuff=magenta -cvsstuff=green +newtext=darkgreen +oldtext=darkred +diffstuff=darkcyan +cvsstuff=cyan diff --git a/console-setup/cached_UTF-8_del.kmap.gz b/console-setup/cached_UTF-8_del.kmap.gz index a3d1039..477370a 100644 Binary files a/console-setup/cached_UTF-8_del.kmap.gz and b/console-setup/cached_UTF-8_del.kmap.gz differ 
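Review bot: The `chrony/chrony.keys` hunk replaces a live ID/key line with explanatory comments, but the old pair stays readable in this diff and in the repository history, which appears to be published through a web front end. Treat that value as disclosed and make sure it is not reused as a password or NTP key on any other host. Since the new comments point at `chronyc keygen ... >> /etc/chrony/chrony.keys`, it would be safer to keep `chrony.keys` out of the tracked tree (for example through the repository's ignore file) so that a key generated later is not committed.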
diff --git a/console-setup/cached_setup_font.sh b/console-setup/cached_setup_font.sh new file mode 100755 index 0000000..3939676 --- /dev/null +++ b/console-setup/cached_setup_font.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +setfont '/etc/console-setup/cached_Lat15-Fixed16.psf.gz' + +if ls /dev/fb* >/dev/null 2>/dev/null; then + for i in /dev/vcs[0-9]*; do + { : + setfont '/etc/console-setup/cached_Lat15-Fixed16.psf.gz' + } < /dev/tty${i#/dev/vcs} > /dev/tty${i#/dev/vcs} + done +fi + +mkdir -p /run/console-setup +> /run/console-setup/font-loaded +for i in /dev/vcs[0-9]*; do + { : +printf '\033%%G' + } < /dev/tty${i#/dev/vcs} > /dev/tty${i#/dev/vcs} +done diff --git a/console-setup/cached_setup_keyboard.sh b/console-setup/cached_setup_keyboard.sh new file mode 100755 index 0000000..30b46c1 --- /dev/null +++ b/console-setup/cached_setup_keyboard.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +if [ -f /run/console-setup/keymap_loaded ]; then + rm /run/console-setup/keymap_loaded + exit 0 +fi +kbd_mode '-u' < '/dev/tty1' +kbd_mode '-u' < '/dev/tty2' +kbd_mode '-u' < '/dev/tty3' +kbd_mode '-u' < '/dev/tty4' +kbd_mode '-u' < '/dev/tty5' +kbd_mode '-u' < '/dev/tty6' +loadkeys '/etc/console-setup/cached_UTF-8_del.kmap.gz' > '/dev/null' diff --git a/console-setup/cached_setup_terminal.sh b/console-setup/cached_setup_terminal.sh new file mode 100755 index 0000000..494e363 --- /dev/null +++ b/console-setup/cached_setup_terminal.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +{ : +printf '\033%%G' +} < /dev/tty${1#vcs} > /dev/tty${1#vcs} diff --git a/console-setup/compose.ISO-8859-1.inc b/console-setup/compose.ISO-8859-1.inc index c568ba8..a285ddf 100644 --- a/console-setup/compose.ISO-8859-1.inc +++ b/console-setup/compose.ISO-8859-1.inc 
@@ -56,13 +56,8 @@ compose '/' '^' to '|' compose '/' 'c' to '¢' compose '/' 'o' to 'ø' compose '/' 'u' to 'µ' -compose '0' 'c' to '©' -compose '0' 's' to '§' -compose '0' 'x' to '¤' compose '1' '2' to '½' compose '1' '4' to '¼' -compose '1' 's' to '¹' -compose '2' 's' to '²' compose '3' '4' to '¾' compose ':' '-' to '÷' compose '<' '/' to '\\' @@ -135,21 +130,21 @@ compose '`' 'u' to ' compose 'a' 'e' to 'æ' compose 'a' 'o' to 'å' compose 'a' 't' to '@' -compose 'b' 'v' to '¦' compose 'c' '0' to '©' compose 'c' 'o' to '©' -compose 'l' 'v' to '|' compose 'o' 'c' to '©' -compose 'o' 'r' to '®' -compose 'o' 's' to '§' compose 'o' 'x' to '¤' +compose 'r' 'o' to '®' compose 's' '0' to '§' +compose 's' '1' to '¹' compose 's' '2' to '²' compose 's' '3' to '³' compose 's' 'o' to '§' compose 't' 'h' to 'þ' compose 'v' 'b' to '¦' +compose 'v' 'l' to '|' compose 'x' '0' to '¤' +compose 'x' 'o' to '¤' compose '|' 'c' to '¢' compose '|' '|' to '¦' compose '~' 'A' to 'Ã' @@ -158,16 +153,3 @@ compose '~' 'O' to ' compose '~' 'a' to 'ã' compose '~' 'n' to 'ñ' compose '~' 'o' to 'õ' -compose '¨' 'A' to 'Ä' -compose '¨' 'E' to 'Ë' -compose '¨' 'I' to 'Ï' -compose '¨' 'O' to 'Ö' -compose '¨' 'U' to 'Ü' -compose '¨' 'a' to 'ä' -compose '¨' 'e' to 'ë' -compose '¨' 'i' to 'ï' -compose '¨' 'o' to 'ö' -compose '¨' 'u' to 'ü' -compose '¨' 'y' to 'ÿ' -compose '°' 'A' to 'Å' -compose '°' 'a' to 'å' diff --git a/console-setup/compose.ISO-8859-13.inc b/console-setup/compose.ISO-8859-13.inc index a867a9e..5b45a26 100644 --- a/console-setup/compose.ISO-8859-13.inc +++ b/console-setup/compose.ISO-8859-13.inc @@ -76,12 +76,8 @@ compose '/' 'c' to ' compose '/' 'l' to 'ù' compose '/' 'o' to '¸' compose '/' 'u' to 'µ' -compose '0' 'c' to '©' -compose '0' 's' to '§' -compose '0' 'x' to '¤' compose '1' '2' to '½' compose '1' '4' to '¼' -compose '2' 's' to '²' compose '3' '4' to '¾' compose ':' '-' to '÷' compose ';' 'A' to 'À' 
@@ -145,25 +141,21 @@ compose '_' 'u' to ' compose 'a' 'e' to '¿' compose 'a' 'o' to 'å' compose 'a' 't' to '@' -compose 'b' 'v' to '¦' +compose 'c' '0' to '©' compose 'c' 'o' to '©' compose 'm' 'u' to 'µ' compose 'o' 'c' to '©' -compose 'o' 'r' to '®' -compose 'o' 's' to '§' +compose 'o' 'x' to '¤' +compose 'r' 'o' to '®' compose 's' '0' to '§' compose 's' '1' to '¹' compose 's' '2' to '²' compose 's' '3' to '³' +compose 's' 'o' to '§' +compose 'v' 'b' to '¦' compose 'x' '0' to '¤' compose 'x' 'o' to '¤' compose '|' 'c' to '¢' compose '|' '|' to '¦' compose '~' 'O' to 'Õ' compose '~' 'o' to 'õ' -compose '°' 'A' to 'Å' -compose '°' 'E' to 'Ë' -compose '°' 'Z' to 'Ý' -compose '°' 'a' to 'å' -compose '°' 'e' to 'ë' -compose '°' 'z' to 'ý' diff --git a/console-setup/compose.ISO-8859-14.inc b/console-setup/compose.ISO-8859-14.inc index 21f29ee..e2835df 100644 --- a/console-setup/compose.ISO-8859-14.inc +++ b/console-setup/compose.ISO-8859-14.inc @@ -56,9 +56,6 @@ compose '/' '<' to '\\' compose '/' 'O' to 'Ø' compose '/' '^' to '|' compose '/' 'o' to 'ø' -compose '0' 'c' to '©' -compose '0' 'r' to '®' -compose '0' 's' to '§' compose '<' '/' to '\\' compose '=' 'l' to '£' compose '>' 'A' to 'Â' @@ -117,14 +114,14 @@ compose '`' 'w' to ' compose '`' 'y' to '¼' compose 'a' 'e' to 'æ' compose 'a' 't' to '@' +compose 'c' '0' to '©' compose 'c' 'o' to '©' -compose 'l' 'v' to '|' compose 'o' 'c' to '©' -compose 'o' 'r' to '®' -compose 'o' 's' to '§' compose 'r' '0' to '®' +compose 'r' 'o' to '®' compose 's' '0' to '§' compose 's' 'o' to '§' +compose 'v' 'l' to '|' compose '~' 'A' to 'Ã' compose '~' 'N' to 'Ñ' compose '~' 'O' to 'Õ' diff --git a/console-setup/compose.ISO-8859-15.inc b/console-setup/compose.ISO-8859-15.inc index 63c89db..79c92ed 100644 --- a/console-setup/compose.ISO-8859-15.inc +++ b/console-setup/compose.ISO-8859-15.inc 
@@ -55,9 +55,6 @@ compose '/' '^' to '|' compose '/' 'c' to '¢' compose '/' 'o' to 'ø' compose '/' 'u' to 'µ' -compose '0' 'c' to '©' -compose '0' 's' to '§' -compose '1' 's' to '¹' compose ':' '-' to '÷' compose '<' '/' to '\\' compose '<' '<' to '«' @@ -139,8 +136,7 @@ compose 'c' 'o' to ' compose 'e' '=' to '¤' compose 'o' 'c' to '©' compose 'o' 'e' to '½' -compose 'o' 'r' to '®' -compose 'o' 's' to '§' +compose 'r' 'o' to '®' compose 's' '0' to '§' compose 's' '1' to '¹' compose 's' '2' to '²' @@ -155,5 +151,3 @@ compose '~' 'O' to ' compose '~' 'a' to 'ã' compose '~' 'n' to 'ñ' compose '~' 'o' to 'õ' -compose '°' 'A' to 'Å' -compose '°' 'a' to 'å' diff --git a/console-setup/compose.ISO-8859-2.inc b/console-setup/compose.ISO-8859-2.inc index 40734c3..6692ee3 100644 --- a/console-setup/compose.ISO-8859-2.inc +++ b/console-setup/compose.ISO-8859-2.inc @@ -46,13 +46,9 @@ compose '.' 'e' to ' compose '.' 'i' to '¹' compose '.' 'u' to 'ù' compose '.' 'z' to '¿' -compose '.' ' ' to 'ÿ' -compose '.' 'ÿ' to 'ÿ' compose '/' '/' to '\\' compose '/' '<' to '\\' compose '/' '^' to '|' -compose '0' 's' to '§' -compose '0' 'x' to '¤' compose ':' '-' to '÷' compose '<' '/' to '\\' compose '<' '<' to '·' @@ -116,7 +112,6 @@ compose '^' 'O' to ' compose '^' 'a' to 'â' compose '^' 'i' to 'î' compose '^' 'o' to 'ô' -compose '_' ' ' to '¯' compose 'a' 'U' to 'ã' compose 'l' '-' to '³' compose 'o' 'e' to '½' 
@@ -127,39 +122,3 @@ compose 'v' 'l' to '|' compose 'x' '0' to '¤' compose 'x' 'o' to '¤' compose 'z' '.' to '¿' -compose '¢' 'A' to 'Ã' -compose '¢' 'a' to 'ã' -compose '°' 'A' to 'Å' -compose '°' 'U' to 'Ù' -compose '°' 'a' to 'å' -compose '°' 'u' to 'ù' -compose '°' ' ' to '°' -compose '°' '°' to '°' -compose '²' 'A' to '¡' -compose '²' 'E' to 'Ê' -compose '²' 'a' to '±' -compose '²' 'e' to 'ê' -compose '·' 'C' to 'È' -compose '·' 'D' to 'Ï' -compose '·' 'E' to 'Ì' -compose '·' 'L' to '¥' -compose '·' 'N' to 'Ò' -compose '·' 'R' to 'Ø' -compose '·' 'S' to '©' -compose '·' 'T' to '«' -compose '·' 'Z' to '®' -compose '·' 'c' to 'è' -compose '·' 'd' to 'ï' -compose '·' 'e' to 'ì' -compose '·' 'l' to 'µ' -compose '·' 'n' to 'ò' -compose '·' 'r' to 'ø' -compose '·' 's' to '¹' -compose '·' 't' to '»' -compose '·' 'z' to '¾' -compose '¸' 'C' to 'Ç' -compose '¸' 'S' to 'ª' -compose '¸' 'T' to 'Þ' -compose '¸' 'c' to 'ç' -compose '¸' 's' to 'º' -compose '¸' 't' to 'þ' diff --git a/console-setup/compose.ISO-8859-3.inc b/console-setup/compose.ISO-8859-3.inc index 5e0daef..7e50b6c 100644 --- a/console-setup/compose.ISO-8859-3.inc +++ b/console-setup/compose.ISO-8859-3.inc @@ -57,9 +57,6 @@ compose '/' '/' to '\\' compose '/' '<' to '\\' compose '/' '^' to '|' compose '/' 'u' to 'µ' -compose '0' 's' to '§' -compose '2' 's' to '²' -compose '3' 's' to '³' compose ':' '-' to '÷' compose '<' '/' to '\\' compose '=' 'c' to '¤' @@ -136,8 +133,10 @@ compose '`' 'i' to ' compose '`' 'o' to 'ò' compose '`' 'u' to 'ù' compose 'g' 'U' to '»' -compose 'o' 'r' to '®' +compose 'r' 'o' to '®' compose 's' '0' to '§' +compose 's' '2' to '²' +compose 's' '3' to '³' compose 's' 'o' to '§' compose 'u' 'u' to 'ý' compose 'v' 'l' to '|' 
@@ -145,23 +144,3 @@ compose '~' 'A' to ' compose '~' 'O' to 'Õ' compose '~' 'a' to 'ã' compose '~' 'o' to 'õ' -compose '¢' 'G' to '«' -compose '¢' 'U' to 'Ý' -compose '¢' 'g' to '»' -compose '¢' 'u' to 'ý' -compose '¨' 'A' to 'Ä' -compose '¨' 'E' to 'Ë' -compose '¨' 'I' to 'Ï' -compose '¨' 'O' to 'Ö' -compose '¨' 'U' to 'Ü' -compose '¨' 'Y' to '¾' -compose '¨' 'a' to 'ä' -compose '¨' 'e' to 'ë' -compose '¨' 'i' to 'ï' -compose '¨' 'o' to 'ö' -compose '¨' 'u' to 'ü' -compose '¨' 'y' to 'ÿ' -compose '°' 'A' to 'Å' -compose '°' 'a' to 'å' -compose '¸' 'S' to 'ª' -compose '¸' 's' to 'º' diff --git a/console-setup/compose.ISO-8859-4.inc b/console-setup/compose.ISO-8859-4.inc index c95e946..4598a22 100644 --- a/console-setup/compose.ISO-8859-4.inc +++ b/console-setup/compose.ISO-8859-4.inc @@ -49,12 +49,10 @@ compose '-' 'u' to ' compose '.' '.' to 'ÿ' compose '.' 'E' to 'Ì' compose '.' 'e' to 'ì' -compose '.' 'ÿ' to 'ÿ' compose '/' 'O' to 'Ø' compose '/' 'T' to '¬' compose '/' 'o' to 'ø' compose '/' 't' to '¼' -compose '0' 's' to '§' compose ':' '-' to '÷' compose '<' '<' to '·' compose '<' 'C' to 'È' @@ -105,10 +103,10 @@ compose '_' 'e' to ' compose '_' 'i' to 'ï' compose '_' 'o' to 'ò' compose '_' 'u' to 'þ' -compose '_' '¯' to '¯' compose 'a' 'e' to 'æ' compose 'n' 'g' to '¿' compose 'o' 'x' to '¤' +compose 's' '0' to '§' compose 's' 'o' to '§' compose 't' '-' to '¼' compose 'x' '0' to '¤' @@ -121,5 +119,3 @@ compose '~' 'a' to ' compose '~' 'i' to 'µ' compose '~' 'o' to 'õ' compose '~' 'u' to 'ý' -compose '°' 'A' to 'Å' -compose '°' 'a' to 'å' diff --git a/console-setup/compose.ISO-8859-7.inc b/console-setup/compose.ISO-8859-7.inc index 6142e6c..1aa936a 100644 --- a/console-setup/compose.ISO-8859-7.inc +++ b/console-setup/compose.ISO-8859-7.inc 
@@ -2,10 +2,6 @@ compose '!' '^' to '¦' compose '!' 's' to '§' compose '"' '"' to '¨' -compose '"' 'É' to 'Ú' -compose '"' 'Õ' to 'Û' -compose '"' 'é' to 'ú' -compose '"' 'õ' to 'û' compose '(' '(' to '[' compose '(' '-' to '{' compose '(' 'c' to '©' @@ -26,9 +22,7 @@ compose '.' '^' to ' compose '/' '/' to '\\' compose '/' '<' to '\\' compose '/' '^' to '|' -compose '0' 's' to '§' compose '1' '2' to '½' -compose '2' 's' to '²' compose '<' '/' to '\\' compose '<' '<' to '«' compose '<' '\'' to '¡' @@ -38,20 +32,6 @@ compose '>' '\'' to ' compose '\'' '<' to '¡' compose '\'' '>' to '¢' compose '\'' '\'' to '´' -compose '\'' 'Á' to '¶' -compose '\'' 'Å' to '¸' -compose '\'' 'Ç' to '¹' -compose '\'' 'É' to 'º' -compose '\'' 'Ï' to '¼' -compose '\'' 'Õ' to '¾' -compose '\'' 'Ù' to '¿' -compose '\'' 'á' to 'Ü' -compose '\'' 'å' to 'Ý' -compose '\'' 'ç' to 'Þ' -compose '\'' 'é' to 'ß' -compose '\'' 'ï' to 'ü' -compose '\'' 'õ' to 'ý' -compose '\'' 'ù' to 'þ' compose '^' '!' to '¦' compose '^' '.' to '·' compose '^' '/' to '|' @@ -59,33 +39,14 @@ compose '^' '0' to ' compose '^' '2' to '²' compose '^' '3' to '³' compose 'a' 't' to '@' -compose 'b' 'v' to '¦' compose 'c' '0' to '©' compose 'c' 'o' to '©' compose 'o' 'c' to '©' -compose 'o' 's' to '§' compose 's' '0' to '§' +compose 's' '2' to '²' compose 's' '3' to '³' compose 's' 'o' to '§' compose 'v' 'b' to '¦' compose 'v' 'l' to '|' compose '|' '|' to '¦' compose '~' '~' to '¯' -compose 'Á' '\'' to '¶' -compose 'Å' '\'' to '¸' -compose 'Ç' '\'' to '¹' -compose 'É' '"' to 'Ú' -compose 'É' '\'' to 'º' -compose 'Ï' '\'' to '¼' -compose 'Õ' '"' to 'Û' -compose 'Õ' '\'' to '¾' -compose 'Ù' '\'' to '¿' -compose 'á' '\'' to 'Ü' -compose 'å' '\'' to 'Ý' -compose 'ç' '\'' to 'Þ' -compose 'é' '"' to 'ú' -compose 'é' '\'' to 'ß' -compose 'ï' '\'' to 'ü' -compose 'õ' '"' to 'û' -compose 'õ' '\'' to 'ý' -compose 'ù' '\'' to 'þ' 
diff --git a/console-setup/compose.ISO-8859-9.inc b/console-setup/compose.ISO-8859-9.inc index 54738d7..e642e1b 100644 --- a/console-setup/compose.ISO-8859-9.inc +++ b/console-setup/compose.ISO-8859-9.inc @@ -62,9 +62,6 @@ compose '/' '^' to '|' compose '/' 'c' to '¢' compose '/' 'o' to 'ø' compose '/' 'u' to 'µ' -compose '0' 'c' to '©' -compose '0' 's' to '§' -compose '3' 's' to '³' compose ':' '-' to '÷' compose '<' '/' to '\\' compose '<' '<' to '«' @@ -138,12 +135,13 @@ compose 'a' 'e' to ' compose 'c' '0' to '©' compose 'c' 'o' to '©' compose 'g' 'U' to 'ð' -compose 'l' 'v' to '|' compose 'o' 'c' to '©' compose 'o' 'e' to '¼' compose 'r' 'o' to '®' +compose 's' '0' to '§' compose 's' '1' to '¹' compose 's' '2' to '²' +compose 's' '3' to '³' compose 's' 'o' to '§' compose 't' 'h' to 'þ' compose 'v' 'Z' to '´' @@ -156,19 +154,3 @@ compose '~' 'O' to ' compose '~' 'a' to 'ã' compose '~' 'n' to 'ñ' compose '~' 'o' to 'õ' -compose '¨' 'A' to 'Ä' -compose '¨' 'E' to 'Ë' -compose '¨' 'I' to 'Ï' -compose '¨' 'O' to 'Ö' -compose '¨' 'U' to 'Ü' -compose '¨' 'Y' to '¾' -compose '¨' 'a' to 'ä' -compose '¨' 'e' to 'ë' -compose '¨' 'i' to 'ï' -compose '¨' 'o' to 'ö' -compose '¨' 'u' to 'ü' -compose '¨' 'y' to 'ÿ' -compose '°' 'A' to 'Å' -compose '°' 'a' to 'å' -compose '¸' 'S' to 'Þ' -compose '¸' 's' to 'þ' diff --git a/cron.daily/apache2 b/cron.daily/apache2 index d5f9cbc..6461f07 100755 --- a/cron.daily/apache2 +++ b/cron.daily/apache2 
@@ -1,30 +1,25 @@ #!/bin/sh -# run htcacheclean +# run htcacheclean if set to 'cron' mode set -e set -u type htcacheclean > /dev/null 2>&1 || exit 0 -[ -e /etc/default/apache2 ] || exit 0 +[ -e /etc/default/apache-htcacheclean ] || exit 0 -# edit /etc/default/apache2 to change this +# edit /etc/default/apache-htcacheclean to change this HTCACHECLEAN_MODE=daemon HTCACHECLEAN_RUN=auto HTCACHECLEAN_SIZE=300M HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk HTCACHECLEAN_OPTIONS="" -. /etc/default/apache2 +. /etc/default/apache-htcacheclean [ "$HTCACHECLEAN_MODE" = "cron" ] || exit 0 -[ "$HTCACHECLEAN_RUN" = "yes" ] || -( [ "$HTCACHECLEAN_RUN" = "auto" ] && \ - [ -e /etc/apache2/mods-enabled/cache_disk.load ] ) || exit 0 - htcacheclean ${HTCACHECLEAN_OPTIONS} \ -p${HTCACHECLEAN_PATH} \ -l${HTCACHECLEAN_SIZE} - diff --git a/cron.daily/apt b/cron.daily/apt deleted file mode 100755 index ee0761b..0000000 --- a/cron.daily/apt +++ /dev/null 
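Review bot: `HTCACHECLEAN_RUN=auto` is still assigned as a default, but the only test that read it is removed in this hunk, so the variable is dead and nothing checks any more that `cache_disk.load` is enabled before the cleaner runs. In cron mode `htcacheclean` is now started against `$HTCACHECLEAN_PATH` whether or not that directory exists, and with `set -e` a failure there would surface as a daily cron error. I would drop the stale default and guard the call with `[ -d "$HTCACHECLEAN_PATH" ] || exit 0`, quoting the two values as `-p"${HTCACHECLEAN_PATH}"` and `-l"${HTCACHECLEAN_SIZE}"`. Because the job sources the file with `.`, presumably as root, a comment above that line saying `/etc/default/apache-htcacheclean` must stay root-owned and not group- or world-writable would be worth adding.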
@@ -1,507 +0,0 @@ -#!/bin/sh -#set -e -# -# This file understands the following apt configuration variables: -# Values here are the default. -# Create /etc/apt/apt.conf.d/02periodic file to set your preference. -# -# Dir "/"; -# - RootDir for all configuration files -# -# Dir::Cache "var/cache/apt/"; -# - Set apt package cache directory -# -# Dir::Cache::Archives "archives/"; -# - Set package archive directory -# -# APT::Periodic::Enable "1"; -# - Enable the update/upgrade script (0=disable) -# -# APT::Periodic::BackupArchiveInterval "0"; -# - Backup after n-days if archive contents changed.(0=disable) -# -# APT::Periodic::BackupLevel "3"; -# - Backup level.(0=disable), 1 is invalid. -# -# Dir::Cache::Backup "backup/"; -# - Set periodic package backup directory -# -# APT::Archives::MaxAge "0"; (old, deprecated) -# APT::Periodic::MaxAge "0"; (new) -# - Set maximum allowed age of a cache package file. If a cache -# package file is older it is deleted (0=disable) -# -# APT::Archives::MinAge "2"; (old, deprecated) -# APT::Periodic::MinAge "2"; (new) -# - Set minimum age of a package file. If a file is younger it -# will not be deleted (0=disable). Useful to prevent races -# and to keep backups of the packages for emergency. -# -# APT::Archives::MaxSize "0"; (old, deprecated) -# APT::Periodic::MaxSize "0"; (new) -# - Set maximum size of the cache in MB (0=disable). If the cache -# is bigger, cached package files are deleted until the size -# requirement is met (the oldest packages will be deleted -# first). 
-# -# APT::Periodic::Update-Package-Lists "0"; -# - Do "apt-get update" automatically every n-days (0=disable) -# -# APT::Periodic::Download-Upgradeable-Packages "0"; -# - Do "apt-get upgrade --download-only" every n-days (0=disable) -# -# APT::Periodic::Download-Upgradeable-Packages-Debdelta "1"; -# - Use debdelta-upgrade to download updates if available (0=disable) -# -# APT::Periodic::Unattended-Upgrade "0"; -# - Run the "unattended-upgrade" security upgrade script -# every n-days (0=disabled) -# Requires the package "unattended-upgrades" and will write -# a log in /var/log/unattended-upgrades -# -# APT::Periodic::AutocleanInterval "0"; -# - Do "apt-get autoclean" every n-days (0=disable) -# -# APT::Periodic::Verbose "0"; -# - Send report mail to root -# 0: no report (or null string) -# 1: progress report (actually any string) -# 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) -# 3: + trace on - -check_stamp() -{ - stamp="$1" - interval="$2" - - if [ $interval -eq 0 ]; then - debug_echo "check_stamp: interval=0" - # treat as no time has passed - return 1 - fi - - if [ ! -f $stamp ]; then - debug_echo "check_stamp: missing time stamp file: $stamp." - # treat as enough time has passed - return 0 - fi - - # compare midnight today to midnight the day the stamp was updated - stamp_file="$stamp" - stamp=$(date --date=$(date -r $stamp_file --iso-8601) +%s 2>/dev/null) - if [ "$?" != "0" ]; then - # Due to some timezones returning 'invalid date' for midnight on - # certain dates (e.g. America/Sao_Paulo), if date returns with error - # remove the stamp file and return 0. See coreutils bug: - # http://lists.gnu.org/archive/html/bug-coreutils/2007-09/msg00176.html - rm -f "$stamp_file" - return 0 - fi - - now=$(date --date=$(date --iso-8601) +%s 2>/dev/null) - if [ "$?" != "0" ]; then - # As above, due to some timezones returning 'invalid date' for midnight - # on certain dates (e.g. America/Sao_Paulo), if date returns with error - # return 0. 
- return 0 - fi - - delta=$(($now-$stamp)) - - # interval is in days, convert to sec. - interval=$(($interval*60*60*24)) - debug_echo "check_stamp: interval=$interval, now=$now, stamp=$stamp, delta=$delta (sec)" - - # remove timestamps a day (or more) in the future and force re-check - if [ $stamp -gt $(($now+86400)) ]; then - echo "WARNING: file $stamp_file has a timestamp in the future: $stamp" - rm -f "$stamp_file" - return 0 - fi - - if [ $delta -ge $interval ]; then - return 0 - fi - - return 1 -} - -update_stamp() -{ - stamp="$1" - touch $stamp -} - -# we check here if autoclean was enough sizewise -check_size_constraints() -{ - MaxAge=0 - eval $(apt-config shell MaxAge APT::Archives::MaxAge) - eval $(apt-config shell MaxAge APT::Periodic::MaxAge) - - MinAge=2 - eval $(apt-config shell MinAge APT::Archives::MinAge) - eval $(apt-config shell MinAge APT::Periodic::MinAge) - - MaxSize=0 - eval $(apt-config shell MaxSize APT::Archives::MaxSize) - eval $(apt-config shell MaxSize APT::Periodic::MaxSize) - - Cache="/var/cache/apt/archives/" - eval $(apt-config shell Cache Dir::Cache::archives/d) - - # sanity check - if [ -z "$Cache" ]; then - echo "empty Dir::Cache::archives, exiting" - exit - fi - - # check age - if [ ! $MaxAge -eq 0 ] && [ ! $MinAge -eq 0 ]; then - debug_echo "aged: ctime <$MaxAge and mtime <$MaxAge and ctime>$MinAge and mtime>$MinAge" - find $Cache -name "*.deb" \( -mtime +$MaxAge -and -ctime +$MaxAge \) -and -not \( -mtime -$MinAge -or -ctime -$MinAge \) -print0 | xargs -r -0 rm -f - elif [ ! $MaxAge -eq 0 ]; then - debug_echo "aged: ctime <$MaxAge and mtime <$MaxAge only" - find $Cache -name "*.deb" -ctime +$MaxAge -and -mtime +$MaxAge -print0 | xargs -r -0 rm -f - else - debug_echo "skip aging since MaxAge is 0" - fi - - # check size - if [ ! 
$MaxSize -eq 0 ]; then - # maxSize is in MB - MaxSize=$(($MaxSize*1024)) - - #get current time - now=$(date --date=$(date --iso-8601) +%s) - MinAge=$(($MinAge*24*60*60)) - - # reverse-sort by mtime - for file in $(ls -rt $Cache/*.deb 2>/dev/null); do - du=$(du -s $Cache) - size=${du%%/*} - # check if the cache is small enough - if [ $size -lt $MaxSize ]; then - debug_echo "end remove by archive size: size=$size < $MaxSize" - break - fi - - # check for MinAge of the file - if [ $MinAge -ne 0 ]; then - # check both ctime and mtime - mtime=$(stat -c %Y $file) - ctime=$(stat -c %Z $file) - if [ $mtime -gt $ctime ]; then - delta=$(($now-$mtime)) - else - delta=$(($now-$ctime)) - fi - if [ $delta -le $MinAge ]; then - debug_echo "skip remove by archive size: $file, delta=$delta < $MinAge" - break - else - # delete oldest file - debug_echo "remove by archive size: $file, delta=$delta >= $MinAge (sec), size=$size >= $MaxSize" - rm -f $file - fi - fi - done - fi -} - -# deal with the Apt::Periodic::BackupArchiveInterval -do_cache_backup() -{ - BackupArchiveInterval="$1" - if [ $BackupArchiveInterval -eq 0 ]; then - return - fi - - # Set default values and normalize - CacheDir="/var/cache/apt" - eval $(apt-config shell CacheDir Dir::Cache/d) - CacheDir=${CacheDir%/} - if [ -z "$CacheDir" ]; then - debug_echo "practically empty Dir::Cache, exiting" - return 0 - fi - - Cache="${CacheDir}/archives/" - eval $(apt-config shell Cache Dir::Cache::Archives/d) - if [ -z "$Cache" ]; then - debug_echo "practically empty Dir::Cache::archives, exiting" - return 0 - fi - - BackupLevel=3 - eval $(apt-config shell BackupLevel APT::Periodic::BackupLevel) - if [ $BackupLevel -le 1 ]; then - BackupLevel=2 ; - fi - - Back="${CacheDir}/backup/" - eval $(apt-config shell Back Dir::Cache::Backup/d) - if [ -z "$Back" ]; then - echo "practically empty Dir::Cache::Backup, exiting" 1>&2 - return - fi - - CacheArchive="$(basename "${Cache}")" - test -n "${CacheArchive}" || CacheArchive="archives" - 
BackX="${Back}${CacheArchive}/" - for x in $(seq 0 1 $((${BackupLevel}-1))); do - eval "Back${x}=${Back}${x}/" - done - - # backup after n-days if archive contents changed. - # (This uses hardlink to save disk space) - BACKUP_ARCHIVE_STAMP=/var/lib/apt/periodic/backup-archive-stamp - if check_stamp $BACKUP_ARCHIVE_STAMP $BackupArchiveInterval; then - if [ $({(cd $Cache 2>/dev/null; find . -name "*.deb"); (cd $Back0 2>/dev/null;find . -name "*.deb") ;}| sort|uniq -u|wc -l) -ne 0 ]; then - mkdir -p $Back - rm -rf $Back$((${BackupLevel}-1)) - for y in $(seq $((${BackupLevel}-1)) -1 1); do - eval BackY=${Back}$y - eval BackZ=${Back}$(($y-1)) - if [ -e $BackZ ]; then - mv -f $BackZ $BackY ; - fi - done - cp -la $Cache $Back ; mv -f $BackX $Back0 - update_stamp $BACKUP_ARCHIVE_STAMP - debug_echo "backup with hardlinks. (success)" - else - debug_echo "skip backup since same content." - fi - else - debug_echo "skip backup since too new." - fi -} - -# sleep for a random interval of time (default 30min) -# (some code taken from cron-apt, thanks) -random_sleep() -{ - RandomSleep=1800 - eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep) - if [ $RandomSleep -eq 0 ]; then - return - fi - if [ -z "$RANDOM" ] ; then - # A fix for shells that do not have this bash feature. - RANDOM=$(( $(dd if=/dev/urandom bs=2 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 )) - fi - TIME=$(($RANDOM % $RandomSleep)) - debug_echo "sleeping for $TIME seconds" - sleep $TIME -} - - -debug_echo() -{ - # Display message if $VERBOSE >= 1 - if [ "$VERBOSE" -ge 1 ]; then - echo $1 1>&2 - fi -} - -check_power(){ - # laptop check, on_ac_power returns: - # 0 (true) System is on main power - # 1 (false) System is not on main power - # 255 (false) Power status could not be determined - # Desktop systems always return 255 it seems - if which on_ac_power >/dev/null; then - on_ac_power - POWER=$? 
- if [ $POWER -eq 1 ]; then - debug_echo "exit: system NOT on main power" - return 1 - elif [ $POWER -ne 0 ]; then - debug_echo "power status ($POWER) undetermined, continuing" - fi - debug_echo "system is on main power." - fi - return 0 -} - -# ------------------------ main ---------------------------- - -if test -r /var/lib/apt/extended_states; then - # Backup the 7 last versions of APT's extended_states file - # shameless copy from dpkg cron - if cd /var/backups ; then - if ! cmp -s apt.extended_states.0 /var/lib/apt/extended_states; then - cp -p /var/lib/apt/extended_states apt.extended_states - savelog -c 7 apt.extended_states >/dev/null - fi - fi -fi - -# check apt-config existence -if ! which apt-config >/dev/null ; then - exit 0 -fi - -# check if the user really wants to do something -AutoAptEnable=1 # default is yes -eval $(apt-config shell AutoAptEnable APT::Periodic::Enable) - -if [ $AutoAptEnable -eq 0 ]; then - exit 0 -fi - -# Set VERBOSE mode from apt-config (or inherit from environment) -VERBOSE=0 -eval $(apt-config shell VERBOSE APT::Periodic::Verbose) -debug_echo "verbose level $VERBOSE" -if [ "$VERBOSE" -le 2 ]; then - # quiet for 0,1,2 - XSTDOUT=">/dev/null" - XSTDERR="2>/dev/null" - XAPTOPT="-qq" - XUUPOPT="" -else - XSTDOUT="" - XSTDERR="" - XAPTOPT="" - XUUPOPT="-d" -fi -if [ "$VERBOSE" -ge 3 ]; then - # trace output - set -x -fi - -check_power || exit 0 - -# check if we can lock the cache and if the cache is clean -if which apt-get >/dev/null && ! eval apt-get check $XAPTOPT $XSTDERR ; then - debug_echo "error encountered in cron job with \"apt-get check\"." - exit 0 -fi - -# Global current time in seconds since 1970-01-01 00:00:00 UTC -now=$(date +%s) - -# Support old Archive for compatibility. -# Document only Periodic for all controlling parameters of this script. 
- -UpdateInterval=0 -eval $(apt-config shell UpdateInterval APT::Periodic::Update-Package-Lists) - -DownloadUpgradeableInterval=0 -eval $(apt-config shell DownloadUpgradeableInterval APT::Periodic::Download-Upgradeable-Packages) - -UnattendedUpgradeInterval=0 -eval $(apt-config shell UnattendedUpgradeInterval APT::Periodic::Unattended-Upgrade) - -AutocleanInterval=0 -eval $(apt-config shell AutocleanInterval APT::Periodic::AutocleanInterval) - -BackupArchiveInterval=0 -eval $(apt-config shell BackupArchiveInterval APT::Periodic::BackupArchiveInterval) - -Debdelta=1 -eval $(apt-config shell Debdelta APT::Periodic::Download-Upgradeable-Packages-Debdelta) - -# check if we actually have to do anything that requires locking the cache -if [ $UpdateInterval -eq 0 ] && - [ $DownloadUpgradeableInterval -eq 0 ] && - [ $UnattendedUpgradeInterval -eq 0 ] && - [ $BackupArchiveInterval -eq 0 ] && - [ $AutocleanInterval -eq 0 ]; then - - # check cache size - check_size_constraints - - exit 0 -fi - -# deal with BackupArchiveInterval -do_cache_backup $BackupArchiveInterval - -# sleep random amount of time to avoid hitting the -# mirrors at the same time -random_sleep -check_power || exit 0 - -# include default system language so that "apt-get update" will -# fetch the right translated package descriptions -if [ -r /etc/default/locale ]; then - . /etc/default/locale - export LANG LANGUAGE LC_MESSAGES LC_ALL -fi - -# update package lists -UPDATED=0 -UPDATE_STAMP=/var/lib/apt/periodic/update-stamp -if check_stamp $UPDATE_STAMP $UpdateInterval; then - if eval apt-get $XAPTOPT -y update $XSTDERR; then - debug_echo "download updated metadata (success)." 
- if which dbus-send >/dev/null && pidof dbus-daemon >/dev/null; then - if dbus-send --system / app.apt.dbus.updated boolean:true ; then - debug_echo "send dbus signal (success)" - else - debug_echo "send dbus signal (error)" - fi - else - debug_echo "dbus signal not send (command not available)" - fi - update_stamp $UPDATE_STAMP - UPDATED=1 - else - debug_echo "download updated metadata (error)" - fi -else - debug_echo "download updated metadata (not run)." -fi - -# download all upgradeable packages (if it is requested) -DOWNLOAD_UPGRADEABLE_STAMP=/var/lib/apt/periodic/download-upgradeable-stamp -if [ $UPDATED -eq 1 ] && check_stamp $DOWNLOAD_UPGRADEABLE_STAMP $DownloadUpgradeableInterval; then - if [ $Debdelta -eq 1 ]; then - debdelta-upgrade >/dev/null 2>&1 || true - fi - if eval apt-get $XAPTOPT -y -d dist-upgrade $XSTDERR; then - update_stamp $DOWNLOAD_UPGRADEABLE_STAMP - debug_echo "download upgradable (success)" - else - debug_echo "download upgradable (error)" - fi -else - debug_echo "download upgradable (not run)" -fi - -# auto upgrade all upgradeable packages -UPGRADE_STAMP=/var/lib/apt/periodic/upgrade-stamp -if which unattended-upgrade >/dev/null && check_stamp $UPGRADE_STAMP $UnattendedUpgradeInterval; then - if unattended-upgrade $XUUPOPT; then - update_stamp $UPGRADE_STAMP - debug_echo "unattended-upgrade (success)" - else - debug_echo "unattended-upgrade (error)" - fi -else - debug_echo "unattended-upgrade (not run)" -fi - -# autoclean package archive -AUTOCLEAN_STAMP=/var/lib/apt/periodic/autoclean-stamp -if check_stamp $AUTOCLEAN_STAMP $AutocleanInterval; then - if eval apt-get $XAPTOPT -y autoclean $XSTDERR; then - debug_echo "autoclean (success)." - update_stamp $AUTOCLEAN_STAMP - else - debug_echo "autoclean (error)" - fi -else - debug_echo "autoclean (not run)" -fi - -# check cache size -check_size_constraints - -# -# vim: set sts=4 ai : -# - diff --git a/cron.daily/apt-compat b/cron.daily/apt-compat new file mode 100755 index 0000000..095a44c 
--- /dev/null
+++ b/cron.daily/apt-compat
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+set -e
+
+# Systemd systems use a systemd timer unit which is preferable to
+# run. We want to randomize the apt update and unattended-upgrade
+# runs as much as possible to avoid hitting the mirrors all at the
+# same time. The systemd time is better at this than the fixed
+# cron.daily time
+if [ -d /run/systemd/system ]; then
+ exit 0
+fi
+
+check_power()
+{
+ # laptop check, on_ac_power returns:
+ # 0 (true) System is on main power
+ # 1 (false) System is not on main power
+ # 255 (false) Power status could not be determined
+ # Desktop systems always return 255 it seems
+ if which on_ac_power >/dev/null 2>&1; then
+ on_ac_power
+ POWER=$?
+ if [ $POWER -eq 1 ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+# sleep for a random interval of time (default 30min)
+# (some code taken from cron-apt, thanks)
+random_sleep()
+{
+ RandomSleep=1800
+ eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep)
+ if [ $RandomSleep -eq 0 ]; then
+ return
+ fi
+ if [ -z "$RANDOM" ] ; then
+ # A fix for shells that do not have this bash feature.
+ RANDOM=$(( $(dd if=/dev/urandom bs=2 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 ))
+ fi
+ TIME=$(($RANDOM % $RandomSleep))
+ sleep $TIME
+}
+
+# delay the job execution by a random amount of time
+random_sleep
+
+# ensure we don't do this on battery
+check_power || exit 0
+
+# run daily job
+exec /usr/lib/apt/apt.systemd.daily
diff --git a/cron.daily/man-db b/cron.daily/man-db
index c374604..0aeb8a5 100755
--- a/cron.daily/man-db
+++ b/cron.daily/man-db
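Review bot: In random_sleep the value read by `eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep)` is used in `[ $RandomSleep -eq 0 ]` and `$(($RANDOM % $RandomSleep))` without any check that it is a number, and the command substitution itself is unquoted. An empty or non-numeric setting is likely to make the arithmetic expansion fail, which ends the script before it reaches `exec /usr/lib/apt/apt.systemd.daily`, so the daily update and unattended-upgrade run would be skipped without an obvious cause. I would write `eval "$(apt-config shell RandomSleep APT::Periodic::RandomSleep)"` and follow it with `case "$RandomSleep" in ''|*[!0-9]*) RandomSleep=1800 ;; esac`. In check_power, `command -v on_ac_power` is the portable replacement for `which`.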
@@ -13,18 +13,12 @@ fi if ! [ -d /var/cache/man ]; then # Recover from deletion, per FHS. - mkdir -p /var/cache/man - chown man:root /var/cache/man || true - chmod 2755 /var/cache/man + install -d -o man -g man -m 0755 /var/cache/man fi # expunge old catman pages which have not been read in a week if [ ! -d /run/systemd/system ] && [ -d /var/cache/man ]; then cd / - if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>&1; then - find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ - xargs -r0 chown -f man || true - fi start-stop-daemon --start --pidfile /dev/null --startas /bin/sh \ --oknodo --chuid man $iosched_idle -- -c \ "find /var/cache/man -type f -name '*.gz' -atime +6 -print0 | \ diff --git a/cron.daily/mlocate b/cron.daily/mlocate index aeb1a88..331d063 100755 --- a/cron.daily/mlocate +++ b/cron.daily/mlocate @@ -18,4 +18,10 @@ if [ -x /usr/bin/ionice ] && IONICE="/usr/bin/ionice -c3" fi -flock --nonblock /run/mlocate.daily.lock $IONICE /usr/bin/updatedb.mlocate +# See nocache(1) +NOCACHE= +if [ -x /usr/bin/nocache ]; then + NOCACHE="/usr/bin/nocache" +fi + +flock --nonblock /run/mlocate.daily.lock $NOCACHE $IONICE /usr/bin/updatedb.mlocate diff --git a/cron.weekly/man-db b/cron.weekly/man-db index b890d38..87da3b8 100755 --- a/cron.weekly/man-db +++ b/cron.weekly/man-db @@ -13,9 +13,7 @@ fi if ! [ -d /var/cache/man ]; then # Recover from deletion, per FHS. - mkdir -p /var/cache/man - chown man:root /var/cache/man || true - chmod 2755 /var/cache/man + install -d -o man -g man -m 0755 /var/cache/man fi # regenerate man database diff --git a/dbus-1/session.conf b/dbus-1/session.conf new file mode 120000 index 0000000..b4a3252 --- /dev/null +++ b/dbus-1/session.conf @@ -0,0 +1 @@ +/usr/share/dbus-1/session.conf \ No newline at end of file diff --git a/dbus-1/system.conf b/dbus-1/system.conf new file mode 120000 index 0000000..f22bf8f --- /dev/null +++ b/dbus-1/system.conf 
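Review bot: Nothing in the new cron.daily/man-db code records why the `find /var/cache/man ... ! -user man -print0 | xargs -r0 chown -f man` repair was dropped, and a line like that tends to be put back when someone next finds wrongly owned cache files. The job presumably runs as root (it needs `--chuid man` to drop privileges), and a root-run chown over a tree the man user can write to hands that user influence over what root re-owns. A comment above the `start-stop-daemon` call would keep that reasoning in the file, for example `# Ownership is deliberately not repaired here: do not chown inside /var/cache/man as root, its contents are controlled by the man user.` The surrounding `if` blocks begin outside the hunk, so whether the script runs under `set -e` is not visible; if it does, `install -d -o man -g man -m 0755 /var/cache/man` no longer has the `|| true` tolerance the old `chown` had, here and in the cron.weekly/man-db hunk.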
@@ -0,0 +1 @@ +/usr/share/dbus-1/system.conf \ No newline at end of file diff --git a/dbus-1/system.d/org.freedesktop.login1.conf b/dbus-1/system.d/org.freedesktop.login1.conf index 1318328..c89e404 100644 --- a/dbus-1/system.d/org.freedesktop.login1.conf +++ b/dbus-1/system.d/org.freedesktop.login1.conf @@ -88,6 +88,42 @@ send_interface="org.freedesktop.login1.Manager" send_member="ActivateSessionOnSeat"/> + + + + + + + + + + + + + + + + + + @@ -128,6 +164,26 @@ send_interface="org.freedesktop.login1.Manager" send_member="CanHybridSleep"/> + + + + + + + + + + @@ -136,6 +192,10 @@ send_interface="org.freedesktop.login1.Manager" send_member="FlushDevices"/> + + @@ -152,14 +212,34 @@ send_interface="org.freedesktop.login1.Seat" send_member="SwitchToNext"/> + + + + + + + + + + @@ -180,6 +260,14 @@ send_interface="org.freedesktop.login1.Session" send_member="PauseDeviceComplete"/> + + + + diff --git a/dbus-1/system.d/org.freedesktop.machine1.conf b/dbus-1/system.d/org.freedesktop.machine1.conf deleted file mode 100644 index 3a77c70..0000000 --- a/dbus-1/system.d/org.freedesktop.machine1.conf +++ /dev/null @@ -1,66 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/dbus-1/system.d/org.freedesktop.network1.conf b/dbus-1/system.d/org.freedesktop.network1.conf new file mode 100644 index 0000000..52dad33 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.network1.conf @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.resolve1.conf b/dbus-1/system.d/org.freedesktop.resolve1.conf new file mode 100644 index 0000000..25b0977 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.resolve1.conf @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.systemd1.conf b/dbus-1/system.d/org.freedesktop.systemd1.conf index 9dfca81..a61677e 100644 --- a/dbus-1/system.d/org.freedesktop.systemd1.conf 
+++ b/dbus-1/system.d/org.freedesktop.systemd1.conf @@ -28,6 +28,8 @@ + + @@ -50,6 +52,10 @@ send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitByPID"/> + + @@ -66,14 +72,30 @@ send_interface="org.freedesktop.systemd1.Manager" send_member="ListUnitsFiltered"/> + + + + + + + + @@ -94,6 +116,140 @@ send_interface="org.freedesktop.systemd1.Manager" send_member="GetDefaultTarget"/> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/debian_version b/debian_version index 48c26da..dd98ee6 100644 --- a/debian_version +++ b/debian_version @@ -1 +1 @@ -8.6 +9.0 diff --git a/default/apache-htcacheclean b/default/apache-htcacheclean new file mode 100644 index 0000000..73637fc --- /dev/null +++ b/default/apache-htcacheclean @@ -0,0 +1,22 @@ +# This file must only contain KEY=VALUE lines. Do not use advanced +# shell script constructs! + +## run mode: cron, daemon +## run in daemon mode or as daily cron job +## default: daemon +HTCACHECLEAN_MODE=daemon + +## cache size +HTCACHECLEAN_SIZE=300M + +## interval: if in daemon mode, clean cache every x minutes +HTCACHECLEAN_DAEMON_INTERVAL=120 + +## path to cache +## must be the same as in CacheRoot directive +#HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk + +## additional options: +## -n : be nice +## -t : remove empty directories +HTCACHECLEAN_OPTIONS="-n" diff --git a/default/apache2 b/default/apache2 deleted file mode 100644 index 020f079..0000000 --- a/default/apache2 +++ /dev/null 
@@ -1,26 +0,0 @@ -### htcacheclean settings ### - -## run htcacheclean: yes, no, auto -## auto means run if /etc/apache2/mods-enabled/cache_disk.load exists -## default: auto -HTCACHECLEAN_RUN=auto - -## run mode: cron, daemon -## run in daemon mode or as daily cron job -## default: daemon -HTCACHECLEAN_MODE=daemon - -## cache size -HTCACHECLEAN_SIZE=300M - -## interval: if in daemon mode, clean cache every x minutes -HTCACHECLEAN_DAEMON_INTERVAL=120 - -## path to cache -## must be the same as in CacheRoot directive -HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk - -## additional options: -## -n : be nice -## -t : remove empty directories -HTCACHECLEAN_OPTIONS="-n" diff --git a/default/chrony b/default/chrony new file mode 100644 index 0000000..929dea0 --- /dev/null +++ b/default/chrony @@ -0,0 +1,5 @@ +# This is a configuration file for /etc/init.d/chrony; it allows you to +# pass various options to the chrony daemon without editing the init script. + +# Options to pass to chrony. +DAEMON_OPTS="" diff --git a/default/dbus b/default/dbus new file mode 100644 index 0000000..4bc8e1b --- /dev/null +++ b/default/dbus @@ -0,0 +1,7 @@ +# This is a configuration file for /etc/init.d/dbus; it allows you to +# perform common modifications to the behavior of the dbus daemon +# startup without editing the init script (and thus getting prompted +# by dpkg on upgrades). We all love dpkg prompts. + +# Parameters to pass to dbus. +PARAMS="" diff --git a/default/grub b/default/grub index c216928..74a23b6 100644 --- a/default/grub +++ b/default/grub @@ -6,7 +6,8 @@ GRUB_DEFAULT=0 GRUB_TIMEOUT=2 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` -GRUB_CMDLINE_LINUX_DEFAULT="quiet" +#GRUB_CMDLINE_LINUX_DEFAULT="quiet" +GRUB_CMDLINE_LINUX_DEFAULT="" GRUB_CMDLINE_LINUX="" # Uncomment to enable BadRAM filtering, modify to suit your needs diff --git a/default/grub.ucf-dist b/default/grub.ucf-dist new file mode 100644 index 0000000..014e256 --- /dev/null 
+++ b/default/grub.ucf-dist @@ -0,0 +1,32 @@ +# If you change this file, run 'update-grub' afterwards to update +# /boot/grub/grub.cfg. +# For full documentation of the options in this file, see: +# info -f grub -n 'Simple configuration' + +GRUB_DEFAULT=0 +GRUB_TIMEOUT=2 +GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` +GRUB_CMDLINE_LINUX_DEFAULT="" +GRUB_CMDLINE_LINUX="" + +# Uncomment to enable BadRAM filtering, modify to suit your needs +# This works with Linux (no patch required) and with any kernel that obtains +# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...) +#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal +# note that you can use only modes which your graphic card supports via VBE +# you can see them in real GRUB with the command `vbeinfo' +#GRUB_GFXMODE=640x480 + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux +#GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY="true" + +# Uncomment to get a beep at grub start +#GRUB_INIT_TUNE="480 440 1" diff --git a/default/rcS b/default/rcS index 694ffc7..b60cf6b 100644 --- a/default/rcS +++ b/default/rcS @@ -1,3 +1,6 @@ +################################################################## +# NOTE: This file is ignored when systemd is used as init system # +################################################################## # # /etc/default/rcS # diff --git a/default/rsync b/default/rsync index 13780c2..424b1c0 100644 --- a/default/rsync +++ b/default/rsync 
@@ -1,4 +1,10 @@ # defaults file for rsync daemon mode +# +# This file is only used for init.d based systems! +# If this system uses systemd, you can specify options etc. for rsync +# in daemon mode by copying /lib/systemd/system/rsync.service to +# /etc/systemd/system/rsync.service and modifying the copy; add required +# options to the ExecStart line. # start rsync in daemon mode from init.d script? # only allowed values are "true", "false", and "inetd" diff --git a/default/tmpfs b/default/tmpfs index a19ba71..80e60a6 100644 --- a/default/tmpfs +++ b/default/tmpfs @@ -1,3 +1,7 @@ +################################################################## +# NOTE: This file is ignored when systemd is used as init system # +################################################################## +# # Configuration for tmpfs filesystems mounted in early boot, before # filesystems from /etc/fstab are mounted. For information about # these variables see the tmpfs(5) manual page. diff --git a/dhcp/debug b/dhcp/debug new file mode 100644 index 0000000..593e7df --- /dev/null +++ b/dhcp/debug 
@@ -0,0 +1,38 @@
+#
+# The purpose of this script is just to show the variables that are
+# available to all the scripts in this directory. All these scripts are
+# called from dhclient-script, which exports all the variables shown
+# before. If you want to debug a problem with your DHCP setup you can
+# enable this script and take a look at /tmp/dhclient-script.debug.
+
+# To enable this script set the following variable to "yes"
+RUN="no"
+
+if [ "$RUN" = "yes" ]; then
+ echo "$(date): entering ${1%/*}, dumping variables." \
+ >> /tmp/dhclient-script.debug
+
+ # loop over the 4 possible prefixes: (empty), cur_, new_, old_
+ for prefix in '' 'cur_' 'new_' 'old_'; do
+ # loop over the DHCP variables passed to dhclient-script
+ for basevar in reason interface medium alias_ip_address \
+ ip_address host_name network_number subnet_mask \
+ broadcast_address routers static_routes \
+ rfc3442_classless_static_routes \
+ domain_name domain_search domain_name_servers \
+ netbios_name_servers netbios_scope \
+ ntp_servers \
+ ip6_address ip6_prefix ip6_prefixlen \
+ dhcp6_domain_search dhcp6_name_servers ; do
+ var="${prefix}${basevar}"
+ eval "content=\$$var"
+
+ # show only variables with values set
+ if [ -n "${content}" ]; then
+ echo "$var='${content}'" >> /tmp/dhclient-script.debug
+ fi
+ done
+ done
+
+ echo '--------------------------' >> /tmp/dhclient-script.debug
+fi
diff --git a/dhcp/dhclient-enter-hooks.d/debug b/dhcp/dhclient-enter-hooks.d/debug
deleted file mode 100644
index 5785a97..0000000
--- a/dhcp/dhclient-enter-hooks.d/debug
+++ /dev/null
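Review bot: When `RUN` is set to "yes", all three redirections append to the fixed name `/tmp/dhclient-script.debug`, and dhclient hook scripts presumably run as root. A predictable name in a world-writable directory can be pre-created by another local user (including as a link to a different file), and the dump holds lease details in a file created under the default umask. Prefer a root-only location: set `umask 077` and something like `debug_log=/run/dhclient-script.debug` (example path) at the top, then use `>> "$debug_log"` in each redirection. The `eval` itself is fine as written, because `$var` is only ever built from the two literal word lists in the loops.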
@@ -1,39 +0,0 @@
-#
-# The purpose of this script is just to show the variables that are
-# available to all the scripts in this directory. All these scripts
-# are called from /etc/dhcp3/dhclient-script, which exports all the
-# variables shown before. If you want to debug a problem with your DHCP
-# setup you can enable this script and take a look at
-# /tmp/dhclient-script.debug.
-
-# To enable this script set the following variable to "yes"
-RUN="no"
-
-if [ "$RUN" = "yes" ]; then
- echo $(date): entering ${0%/*}, dumping variables. \
- >> /tmp/dhclient-script.debug
-
- # loop over the 4 possible prefixes: (empty), cur_, new_, old_
- for prefix in '' 'cur_' 'new_' 'old_'; do
- # loop over the DHCP variables passed to dhclient-script
- for basevar in reason interface medium alias_ip_address \
- ip_address host_name network_number subnet_mask \
- broadcast_address routers static_routes \
- rfc3442_classless_static_routes \
- domain_name domain_search domain_name_servers \
- netbios_name_servers netbios_scope \
- ntp_servers \
- ip6_address ip6_prefix ip6_prefixlen \
- dhcp6_domain_search dhcp6_name_servers ; do
- var="${prefix}${basevar}"
- eval "content=\$var"
-
- # show only variables with values set
- if [ -n "${content}" ]; then
- echo "$var='${content}'" >> /tmp/dhclient-script.debug
- fi
- done
- done
-
- echo '--------------------------' >> /tmp/dhclient-script.debug
-fi
diff --git a/dhcp/dhclient-enter-hooks.d/debug b/dhcp/dhclient-enter-hooks.d/debug
new file mode 120000
index 0000000..ee34fdc
--- /dev/null
+++ b/dhcp/dhclient-enter-hooks.d/debug
@@ -0,0 +1 @@
+../debug
\ No newline at end of file
diff --git a/dhcp/dhclient-exit-hooks.d/debug b/dhcp/dhclient-exit-hooks.d/debug
deleted file mode 100644
index 5785a97..0000000
--- a/dhcp/dhclient-exit-hooks.d/debug
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# The purpose of this script is just to show the variables that are
-# available to all the scripts in this directory. All these scripts
-# are called from /etc/dhcp3/dhclient-script, which exports all the
-# variables shown before. If you want to debug a problem with your DHCP
-# setup you can enable this script and take a look at
-# /tmp/dhclient-script.debug.
-
-# To enable this script set the following variable to "yes"
-RUN="no"
-
-if [ "$RUN" = "yes" ]; then
- echo $(date): entering ${0%/*}, dumping variables. \
- >> /tmp/dhclient-script.debug
-
- # loop over the 4 possible prefixes: (empty), cur_, new_, old_
- for prefix in '' 'cur_' 'new_' 'old_'; do
- # loop over the DHCP variables passed to dhclient-script
- for basevar in reason interface medium alias_ip_address \
- ip_address host_name network_number subnet_mask \
- broadcast_address routers static_routes \
- rfc3442_classless_static_routes \
- domain_name domain_search domain_name_servers \
- netbios_name_servers netbios_scope \
- ntp_servers \
- ip6_address ip6_prefix ip6_prefixlen \
- dhcp6_domain_search dhcp6_name_servers ; do
- var="${prefix}${basevar}"
- eval "content=\$var"
-
- # show only variables with values set
- if [ -n "${content}" ]; then
- echo "$var='${content}'" >> /tmp/dhclient-script.debug
- fi
- done
- done
-
- echo '--------------------------' >> /tmp/dhclient-script.debug
-fi
diff --git a/dhcp/dhclient-exit-hooks.d/debug b/dhcp/dhclient-exit-hooks.d/debug
new file mode 120000
index 0000000..ee34fdc
--- /dev/null
+++ b/dhcp/dhclient-exit-hooks.d/debug
@@ -0,0 +1 @@
+../debug
\ No newline at end of file
diff --git a/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes b/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
index 462fb46..1ef7b8a 100644
--- a/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
+++ b/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
@@ -20,26 +20,41 @@ if [ "$RUN" = "yes" ]; then case $net_length in 32|31|30|29|28|27|26|25) + if [ $# -lt 9 ]; then + return 1 + fi net_address="${2}.${3}.${4}.${5}" gateway="${6}.${7}.${8}.${9}" shift 9 ;; 24|23|22|21|20|19|18|17) + if [ $# -lt 8 ]; then + return 1 + fi net_address="${2}.${3}.${4}.0" gateway="${5}.${6}.${7}.${8}" shift 8 ;; 16|15|14|13|12|11|10|9) + if [ $# -lt 7 ]; then + return 1 + fi net_address="${2}.${3}.0.0" gateway="${4}.${5}.${6}.${7}" shift 7 ;; 8|7|6|5|4|3|2|1) + if [ $# -lt 6 ]; then + return 1 + fi net_address="${2}.0.0.0" gateway="${3}.${4}.${5}.${6}" shift 6 ;; 0) # default route + if [ $# -lt 5 ]; then + return 1 + fi net_address="0.0.0.0" gateway="${2}.${3}.${4}.${5}" shift 5 diff --git a/dhcp/dhclient-exit-hooks.d/timesyncd b/dhcp/dhclient-exit-hooks.d/timesyncd new file mode 100644 index 0000000..3cde992 --- /dev/null +++ b/dhcp/dhclient-exit-hooks.d/timesyncd @@ -0,0 +1,42 @@ +TIMESYNCD_CONF=/run/systemd/timesyncd.conf.d/01-dhclient.conf + +timesyncd_servers_setup_remove() { + if [ -e $TIMESYNCD_CONF ]; then + rm -f $TIMESYNCD_CONF + systemctl try-restart systemd-timesyncd.service || true + fi +} + +timesyncd_servers_setup_add() { + if [ ! -d /run/systemd/system ]; then + return + fi + + if [ -e $TIMESYNCD_CONF ] && [ "$new_ntp_servers" = "$old_ntp_servers" ]; then + return + fi + + if [ -z "$new_ntp_servers" ]; then + timesyncd_servers_setup_remove + return + fi + + mkdir -p $(dirname $TIMESYNCD_CONF) + cat < ${TIMESYNCD_CONF}.new +# NTP server entries received from DHCP server +[Time] +NTP=$new_ntp_servers +EOF + mv ${TIMESYNCD_CONF}.new ${TIMESYNCD_CONF} + systemctl try-restart systemd-timesyncd.service || true +} + + +case $reason in + BOUND|RENEW|REBIND|REBOOT) + timesyncd_servers_setup_add + ;; + EXPIRE|FAIL|RELEASE|STOP) + timesyncd_servers_setup_remove + ;; +esac diff --git a/dhcp/dhclient.conf b/dhcp/dhclient.conf index 431fafd..b85301b 100644 --- a/dhcp/dhclient.conf +++ b/dhcp/dhclient.conf 
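Review bot: In the new timesyncd hook, `timesyncd_servers_setup_add` writes `NTP=$new_ntp_servers` into the drop-in exactly as the lease delivered it and then restarts the service, so whichever DHCP server answers on the segment chooses this host's time source. dhclient presumably renders the option as a list of addresses, which limits what can land in the file, but the trust decision is still implicit. If the host is meant to keep a fixed NTP configuration, drop `ntp-servers` from the `request` list in dhcp/dhclient.conf and add a comment at the top of this hook saying DHCP-supplied servers override the local timesyncd settings. Separately, quoting the path expansions (`"$TIMESYNCD_CONF"`, `"$(dirname "$TIMESYNCD_CONF")"`) would match defensive shell style, although the value is a constant here.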
@@ -1,5 +1,4 @@ -# Configuration file for /sbin/dhclient, which is included in Debian's -# dhcp3-client package. +# Configuration file for /sbin/dhclient. # # This is a sample configuration file for dhclient. See dhclient.conf's # man page for more information about the syntax of this file @@ -13,24 +12,24 @@ option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; -#send host-name "andare.fugue.com"; send host-name = gethostname(); -#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c; -#send dhcp-lease-time 3600; -#supersede domain-name "fugue.com home.vix.com"; -#prepend domain-name-servers 127.0.0.1; request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, domain-search, host-name, - dhcp6.name-servers, dhcp6.domain-search, + dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers, netbios-name-servers, netbios-scope, interface-mtu, rfc3442-classless-static-routes, ntp-servers; + +#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c; +#send dhcp-lease-time 3600; +#supersede domain-name "fugue.com home.vix.com"; +#prepend domain-name-servers 127.0.0.1; #require subnet-mask, domain-name-servers; #timeout 60; #retry 60; #reboot 10; #select-timeout 5; #initial-interval 2; -#script "/etc/dhcp3/dhclient-script"; +#script "/sbin/dhclient-script"; #media "-link0 -link1 -link2", "link0 link1"; #reject 192.33.137.209; diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf index 4a5c0f9..6f9513f 100644 --- a/fail2ban/action.d/badips.conf +++ b/fail2ban/action.d/badips.conf @@ -1,6 +1,6 @@ # Fail2ban reporting to badips.com # -# Note: This reports and IP only and does not actually ban traffic. Use +# Note: This reports an IP only and does not actually ban traffic. Use # another action in the same jail if you want bans to occur. # # Set the category to the appropriate value before use. 
@@ -10,7 +10,7 @@ [Definition] -actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// +actionban = curl --fail --user-agent "" http://www.badips.com/add// [Init] diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py new file mode 100644 index 0000000..4bc879a --- /dev/null +++ b/fail2ban/action.d/badips.py 
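Review bot: The rewritten `actionban` still submits the report to `http://www.badips.com/add/...` in cleartext, so the reported address and category are readable and modifiable by anything on the path. The Python action added later in this commit has the same issue through `_badips = "http://www.badips.com"` in badips.py, where the optional `key` is also sent in the query string. If the service accepts TLS, change the scheme to `https://` in both places; curl's `--fail` then also covers certificate errors.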
@@ -0,0 +1,377 @@ +# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- +# vi: set ft=python sts=4 ts=4 sw=4 noet : + +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +import sys +if sys.version_info < (2, 7): + raise ImportError("badips.py action requires Python >= 2.7") +import json +import threading +import logging +if sys.version_info >= (3, ): + from urllib.request import Request, urlopen + from urllib.parse import urlencode + from urllib.error import HTTPError +else: + from urllib2 import Request, urlopen, HTTPError + from urllib import urlencode + +from fail2ban.server.actions import ActionBase + + +class BadIPsAction(ActionBase): + """Fail2Ban action which reports bans to badips.com, and also + blacklist bad IPs listed on badips.com by using another action's + ban method. + + Parameters + ---------- + jail : Jail + The jail which the action belongs to. + name : str + Name assigned to the action. + category : str + Valid badips.com category for reporting failures. + score : int, optional + Minimum score for bad IPs. Default 3. + age : str, optional + Age of last report for bad IPs, per badips.com syntax. + Default "24h" (24 hours) + key : str, optional + Key issued by badips.com to report bans, for later retrieval + of personalised content. 
+ banaction : str, optional + Name of banaction to use for blacklisting bad IPs. If `None`, + no blacklist of IPs will take place. + Default `None`. + bancategory : str, optional + Name of category to use for blacklisting, which can differ + from category used for reporting. e.g. may want to report + "postfix", but want to use whole "mail" category for blacklist. + Default `category`. + bankey : str, optional + Key issued by badips.com to blacklist IPs reported with the + associated key. + updateperiod : int, optional + Time in seconds between updating bad IPs blacklist. + Default 900 (15 minutes) + agent : str, optional + User agent transmitted to server. + Default `Fail2Ban/ver.` + + Raises + ------ + ValueError + If invalid `category`, `score`, `banaction` or `updateperiod`. + """ + + TIMEOUT = 10 + _badips = "http://www.badips.com" + def _Request(self, url, **argv): + return Request(url, headers={'User-Agent': self.agent}, **argv) + + def __init__(self, jail, name, category, score=3, age="24h", key=None, + banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", + timeout=TIMEOUT): + super(BadIPsAction, self).__init__(jail, name) + + self.timeout = timeout + self.agent = agent + self.category = category + self.score = score + self.age = age + self.key = key + self.banaction = banaction + self.bancategory = bancategory or category + self.bankey = bankey + self.updateperiod = updateperiod + + self._bannedips = set() + # Used later for threading.Timer for updating badips + self._timer = None + + def getCategories(self, incParents=False): + """Get badips.com categories. + + Returns + ------- + set + Set of categories. + + Raises + ------ + HTTPError + Any issues with badips.com request. 
+ ValueError + If badips.com response didn't contain necessary information + """ + try: + response = urlopen( + self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch categories. badips.com response: '%s'", + messages['err']) + raise + else: + response_json = json.loads(response.read().decode('utf-8')) + if not 'categories' in response_json: + err = "badips.com response lacked categories specification. Response was: %s" \ + % (response_json,) + self._logSys.error(err) + raise ValueError(err) + categories = response_json['categories'] + categories_names = set( + value['Name'] for value in categories) + if incParents: + categories_names.update(set( + value['Parent'] for value in categories + if "Parent" in value)) + return categories_names + + def getList(self, category, score, age, key=None): + """Get badips.com list of bad IPs. + + Parameters + ---------- + category : str + Valid badips.com category. + score : int + Minimum score for bad IPs. + age : str + Age of last report for bad IPs, per badips.com syntax. + key : str, optional + Key issued by badips.com to fetch IPs reported with the + associated key. + + Returns + ------- + set + Set of bad IPs. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "?".join([ + "/".join([self._badips, "get", "list", category, str(score)]), + urlencode({'age': age})]) + if key: + url = "&".join([url, urlencode({'key': key})]) + response = urlopen(self._Request(url), timeout=self.timeout) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch bad IP list. badips.com response: '%s'", + messages['err']) + raise + else: + return set(response.read().decode('utf-8').split()) + + @property + def category(self): + """badips.com category for reporting IPs. 
+ """ + return self._category + + @category.setter + def category(self, category): + if category not in self.getCategories(): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + category) + raise ValueError("Invalid category: %s" % category) + self._category = category + + @property + def bancategory(self): + """badips.com bancategory for fetching IPs. + """ + return self._bancategory + + @bancategory.setter + def bancategory(self, bancategory): + if bancategory not in self.getCategories(incParents=True): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + bancategory) + raise ValueError("Invalid bancategory: %s" % bancategory) + self._bancategory = bancategory + + @property + def score(self): + """badips.com minimum score for fetching IPs. + """ + return self._score + + @score.setter + def score(self, score): + score = int(score) + if 0 <= score <= 5: + self._score = score + else: + raise ValueError("Score must be 0-5") + + @property + def banaction(self): + """Jail action to use for banning/unbanning. + """ + return self._banaction + + @banaction.setter + def banaction(self, banaction): + if banaction is not None and banaction not in self._jail.actions: + self._logSys.error("Action name '%s' not in jail '%s'", + banaction, self._jail.name) + raise ValueError("Invalid banaction") + self._banaction = banaction + + @property + def updateperiod(self): + """Period in seconds between banned bad IPs will be updated. 
+ """ + return self._updateperiod + + @updateperiod.setter + def updateperiod(self, updateperiod): + updateperiod = int(updateperiod) + if updateperiod > 0: + self._updateperiod = updateperiod + else: + raise ValueError("Update period must be integer greater than 0") + + def _banIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].ban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.error( + "Error banning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._bannedips.add(ip) + self._logSys.info( + "Banned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + + def _unbanIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].unban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.info( + "Error unbanning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._logSys.info( + "Unbanned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + finally: + self._bannedips.remove(ip) + + def start(self): + """If `banaction` set, blacklists bad IPs. + """ + if self.banaction is not None: + self.update() + + def update(self): + """If `banaction` set, updates blacklisted IPs. + + Queries badips.com for list of bad IPs, removing IPs from the + blacklist if no longer present, and adds new bad IPs to the + blacklist. 
+ """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + + try: + ips = self.getList( + self.bancategory, self.score, self.age, self.bankey) + # Remove old IPs no longer listed + self._unbanIPs(self._bannedips - ips) + # Add new IPs which are now listed + self._banIPs(ips - self._bannedips) + + self._logSys.info( + "Updated IPs for jail '%s'. Update again in %i seconds", + self._jail.name, self.updateperiod) + finally: + self._timer = threading.Timer(self.updateperiod, self.update) + self._timer.start() + + def stop(self): + """If `banaction` set, clears blacklisted IPs. + """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + self._unbanIPs(self._bannedips.copy()) + + def ban(self, aInfo): + """Reports banned IP to badips.com. + + Parameters + ---------- + aInfo : dict + Dictionary which includes information in relation to + the ban. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "/".join([self._badips, "add", self.category, aInfo['ip']]) + if self.key: + url = "?".join([url, urlencode({'key': self.key})]) + response = urlopen(self._Request(url), timeout=self.timeout) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Response from badips.com report: '%s'", + messages['err']) + raise + else: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.info( + "Response from badips.com report: '%s'", + messages['suc']) + +Action = BadIPsAction diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf index d4170ca..2f31d8b 100644 --- a/fail2ban/action.d/blocklist_de.conf +++ b/fail2ban/action.d/blocklist_de.conf 
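Review bot: `getList` returns `set(response.read().decode('utf-8').split())` and `update` hands those strings directly to the jail's ban action, so every whitespace-separated token in the response body is treated as an address without any check. The body comes from a remote service, so a faulty or altered response could ban arbitrary hosts or pass unexpected text to a command-based ban action. Filter the entries so that only IP literals reach `_banIPs`, and log how many were discarded. The sketch below adds a small helper and changes only the `else:` branch of `getList`; it needs `socket` imported alongside the existing top-of-file imports.

```python
	@staticmethod
	def _isIPLiteral(entry):
		"""Return True if `entry` parses as an IPv4 or IPv6 address."""
		for family in (socket.AF_INET, socket.AF_INET6):
			try:
				socket.inet_pton(family, entry)
				return True
			except (socket.error, ValueError):
				pass
		return False

	def getList(self, category, score, age, key=None):
		# ... unchanged: docstring, URL construction, urlopen and HTTPError handling ...
		else:
			entries = response.read().decode('utf-8').split()
			valid = set(e for e in entries if self._isIPLiteral(e))
			if len(valid) != len(set(entries)):
				self._logSys.warning(
					"Ignored %d non-IP entries in badips.com list",
					len(set(entries)) - len(valid))
			return valid
```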
@@ -7,13 +7,13 @@ # Action to report IP address to blocklist.de # Blocklist.de must be signed up to at www.blocklist.de # Once registered, one or more servers can be added. -# This action requires the server 'email address' and the assoicate apikey. +# This action requires the server 'email address' and the associated apikey. # # From blocklist.de: # www.blocklist.de is a free and voluntary service provided by a # Fraud/Abuse-specialist, whose servers are often attacked on SSH-, # Mail-Login-, FTP-, Webserver- and other services. -# The mission is to report all attacks to the abuse deparments of the +# The mission is to report all attacks to the abuse departments of the # infected PCs/servers to ensure that the responsible provider can inform # the customer about the infection and disable them # @@ -25,7 +25,7 @@ # * The recidive where the IP has been banned multiple times # * Where maxretry has been set quite high, beyond the normal user typing # password incorrectly. -# * For filters that have a low likelyhood of receiving human errors +# * For filters that have a low likelihood of receiving human errors # [Definition] @@ -54,7 +54,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" +actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf index 1285361..8b0a51a 100644 --- a/fail2ban/action.d/bsd-ipfw.conf +++ b/fail2ban/action.d/bsd-ipfw.conf 
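Review bot: In the third hunk, the new `actionban` line still passes the reporting credential on the curl command line (`--data 'apikey=...'`; the tag placeholders appear to be stripped in this rendering). While the request runs, the key is visible in the process list to other local users and to anything that records executed commands. curl can read that option from a root-only file instead, e.g. `--config <root-only-file>` (placeholder path) containing a `data = "apikey=..."` line, leaving only the per-ban fields on the command line. The other two hunks in this file are comment typo fixes.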
@@ -38,7 +38,7 @@ actioncheck = # Values: CMD # # requires an ipfw rule like "deny ip from table(1) to me" -actionban = ipfw table add +actionban = e=`ipfw table
add 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || { echo "$e" 1>&2; exit $x; } # Option: actionunban @@ -47,7 +47,7 @@ actionban = ipfw table
add # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = ipfw table
delete +actionunban = e=`ipfw table
delete 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || { echo "$e" 1>&2; exit $x; } [Init] # Option: table diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf new file mode 100644 index 0000000..aa87163 --- /dev/null +++ b/fail2ban/action.d/cloudflare.conf @@ -0,0 +1,68 @@ +# +# Author: Mike Rushton +# +# IMPORTANT +# +# Please set jail.local's permission to 640 because it contains your CF API key. +# +# This action depends on curl. +# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE +# +# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account +# +# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2 + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#