Froxlor/lib/configfiles/gentoo.xml


<?xml version="1.0" encoding="UTF-8"?>
<froxlor>
<distribution name="Gentoo" version="3.0"
defaulteditor="/usr/bin/nano" deprecated="true">
<!-- OS defaults to be loaded on installation -->
<defaults>
<!-- Each <default> seeds one froxlor setting (settinggroup + varname) with a
     Gentoo-specific value. Entries carrying a for="..." attribute presumably
     apply only when that webserver (apache24, lighttpd, nginx) is selected;
     confirm against the config parser. -->
<!-- NOTE(review): the path and command values set here are substituted
     unquoted into shell commands further down in this file (mkdir, chown and
     chmod on apacheconf_vhost; apachereload_command emitted as a command of
     its own). Presumably only administrators can change these settings;
     confirm, and keep the values free of whitespace and shell
     metacharacters. -->
<default settinggroup="system" varname="nssextrausers" value="1"></default>
<default settinggroup="system" varname="awstats_path" value="/usr/bin/"></default>
<default settinggroup="system" varname="awstats_awstatspath" value="/usr/share/awstats/wwwroot/cgi-bin/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_vhost" value="/etc/apache2/vhosts.d/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_diroptions" value="/etc/apache2/vhosts.d/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/apache2/froxlor-htpasswd/"></default>
<default for="apache24" settinggroup="system" varname="apachereload_command" value="/etc/init.d/apache2 reload"></default>
<!-- TODO how does this work on gentoo? -->
<default for="apache24" settinggroup="system" varname="letsencryptacmeconf" value="/etc/apache2/acme.conf"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_vhost" value="/etc/lighttpd/vhosts.d/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_diroptions" value="/etc/lighttpd/diropts.d/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/lighttpd/froxlor-htpasswd/"></default>
<default for="lighttpd" settinggroup="system" varname="apachereload_command" value="/etc/init.d/lighttpd reload"></default>
<default for="lighttpd" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/lighttpd/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_vhost" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_diroptions" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
<default for="nginx" settinggroup="system" varname="apachereload_command" value="/etc/init.d/nginx reload"></default>
<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
<!-- Reload and restart commands for the remaining services; all of them call
     init scripts below /etc/init.d/. -->
<default settinggroup="system" varname="bindreload_command" value="/etc/init.d/named restart"></default>
<default settinggroup="system" varname="crondreload" value="/etc/init.d/cronie restart"></default>
<default settinggroup="antispam" varname="reload_command" value="/etc/init.d/rspamd restart"></default>
</defaults>
<services>
<!-- HTTP -->
<service type="http" title="{{lng.admin.configfiles.http}}">
<!-- general HTTP commands -->
<general>
<!-- Shared preparation steps for all HTTP daemons; the apache, lighttpd and
     nginx entries pull this list in through an <include> element that points
     at //service[@type='http']/general/commands.
     A <command> with a <visibility> child is presumably emitted only when
     the condition holds (isdir / isfile: the setting names a directory or a
     file, notempty: the setting has a value); confirm against the config
     parser. -->
<!-- NOTE(review): chown root:0 and chmod 0600 are applied to
     apacheconf_vhost and apacheconf_diroptions in the directory case as well
     as the file case. On a directory, 0600 carries no search (x) bit, so
     only processes that bypass permission checks (root) can enter it. That
     keeps the generated vhost definitions away from unprivileged accounts;
     confirm nothing that runs without root needs to read them.
     documentroot_prefix, logfiles_directory and deactivateddocroot are
     created with mkdir -p only: no owner or mode is set here, so they get
     whatever the invoking umask yields. Confirm ownership and mode are
     tightened elsewhere. -->
<commands index="1">
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_vhost}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_vhost}}]]></command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.documentroot_prefix}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.logfiles_directory}}]]></command>
<command>
<visibility mode="notempty">{{settings.system.deactivateddocroot}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
</commands>
</general>
<!-- HTTP Apache -->
<daemon name="apache" version="2.4" title="Apache 2.4">
<!-- Apache 2.4 setup: install the package, run the shared HTTP preparation
     commands, write the optional FastCGI and ACME snippets, then add the
     service to the default runlevel and run the configured reload command. -->
<install><![CDATA[emerge www-servers/apache]]></install>
<include>//service[@type='http']/general/commands</include>
<!-- mod_fastcgi snippet, presumably written only when settings.phpfpm.enabled
     is on. FPM_IPCDIR is a placeholder, presumably filled in by froxlor.
     NOTE(review): Apache 2.4 combines several Require lines that sit directly
     in one section as RequireAny, so "Require all granted" already admits
     every request and the "Require env REDIRECT_STATUS" line next to it
     restricts nothing. If /fastcgiphp is meant to be reachable only through
     an internal redirect, the env requirement has to stand alone; confirm
     against the generated vhosts before changing the template. -->
<file name="/etc/apache2/modules.d/70_fastcgi.conf">
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<content><![CDATA[
<IfModule mod_fastcgi.c>
FastCgiIpcDir <FPM_IPCDIR>
<Location "/fastcgiphp">
Require all granted
Require env REDIRECT_STATUS
</Location>
</IfModule>
]]>
</content>
</file>
<!-- ACME challenge alias, presumably written only when
     settings.system.leenabled is on. The directory is served without
     authentication (Require all granted).
     NOTE(review): letsencryptchallengepath should be a directory customers
     cannot write to, since whatever is placed below
     .well-known/acme-challenge is published through this alias; confirm how
     the path is provisioned. -->
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
</content>
</file>
<!-- Add apache2 to the default runlevel, then run the configured reload
     command exactly as stored in settings.system.apachereload_command. -->
<command><![CDATA[rc-update add apache2 default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Lighttpd -->
<daemon name="lighttpd" title="LigHTTPd (deprecated)">
<!-- lighttpd setup (marked deprecated in the title): install the package,
     write a base lighttpd.conf, run the shared HTTP preparation commands,
     append include lines for the froxlor vhost and diroptions locations, then
     add the service to the default runlevel and reload it. -->
<install><![CDATA[emerge www-servers/lighttpd]]></install>
<!-- Base configuration. The server runs as user and group lighttpd, listens
     on port 80 of the SERVERIP placeholder, and starts one php-cgi worker
     through mod_fastcgi.
     NOTE(review): the FastCGI socket is created under /tmp with a fixed
     name. /tmp is writable by every local account; the lighttpd default for
     phpfpm.fastcgi_ipcdir in this file is /var/run/lighttpd/, a location
     that can be restricted to the lighttpd user. Confirm whether the socket
     can move there. -->
<file name="/etc/lighttpd/lighttpd.conf">
<content><![CDATA[
###############################################################################
# Default lighttpd.conf for Froxlor.
###############################################################################
var.basedir = "/var/www"
var.logdir = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
"mod_rewrite",
"mod_redirect",
"mod_alias",
"mod_access",
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir
server.pid-file = "/var/run/lighttpd.pid"
accesslog.filename = var.logdir + "/access.log"
server.errorlog = var.logdir + "/error.log"
server.indexfiles = ("index.php", "index.html",
"index.htm", "default.htm")
server.name = "<SERVERNAME>"
server.port = 80
server.bind = "<SERVERIP>"
url.access-deny = ("~", ".inc")
include "mime-types.conf"
#include "mod_cgi.conf"
fastcgi.server = (
".php" => (
"localhost" => (
"socket" => "/tmp/lighttpd-fcgi-sock-lighttpd",
"broken-scriptfilename" => "enable",
"bin-path" => "/usr/bin/php-cgi",
"min-procs" => 1,
"max-procs" => 1,
"max-load-per-proc" => 4,
"idle-timeout" => 60,
"bin-environment" => (
"UID" => "lighttpd",
"GID" => "lighttpd",
"PHP_FCGI_CHILDREN" => "0",
"PHP_FCGI_MAX_REQUESTS" => "10000"
),
"bin-copy-environment" => ( "" )
)
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<!-- The four commands below append one include line each to lighttpd.conf,
     choosing include_shell with "cat DIR*.conf" when the setting names a
     directory and a plain include when it names a file.
     include_shell makes lighttpd run the given shell command whenever it
     loads its configuration, with the privileges lighttpd is started with,
     and read the output as configuration. The shared commands set these
     locations to root:0 with mode 0600, which is what keeps unprivileged
     accounts from adding *.conf files there.
     NOTE(review): ">>" appends on every run, so repeating these commands
     without rewriting lighttpd.conf first adds duplicate include lines.
     NOTE(review): the echo argument starts with a doubled backslash before
     n. If the text reaches the shell unchanged, echo -e prints a literal
     backslash followed by n instead of a line break; confirm whether the
     template layer collapses the doubled backslash first. -->
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_vhost}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_vhost}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_diroptions}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_diroptions}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<!-- Add lighttpd to the default runlevel, then run the configured reload
     command exactly as stored in settings.system.apachereload_command. -->
<command><![CDATA[rc-update add lighttpd default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Nginx -->
<daemon name="nginx" title="nginx">
<!-- nginx setup: install the package, write nginx.conf, fastcgi_params, the
     optional ACME snippet and an optional php-cgi init script, run the shared
     HTTP preparation commands, then enable and (re)start the services. -->
<install><![CDATA[emerge www-servers/nginx]]></install>
<!-- Minimal nginx.conf: workers run as user nginx; vhosts are read from
     /etc/nginx/conf.d/ and /etc/nginx/sites-enabled/, the latter being the
     nginx default for apacheconf_vhost in this file. backup="true"
     presumably keeps a copy of the previous file; confirm. -->
<file name="/etc/nginx/nginx.conf" backup="true">
<content><![CDATA[
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
]]>
</content>
</file>
<!-- FastCGI parameter set, presumably included by the generated vhosts.
     SCRIPT_FILENAME is not defined here, so it has to come from the vhost
     configuration.
     NOTE(review): nothing here clears the client-supplied Proxy request
     header, which FastCGI hands to PHP as HTTP_PROXY; confirm the vhost
     templates or the PHP side take care of it. -->
<file name="/etc/nginx/fastcgi_params" backup="true">
<content><![CDATA[
fastcgi_connect_timeout 65;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
]]>
</content>
</file>
<!-- ACME challenge location, presumably written only when
     settings.system.leenabled is on; files below the challenge path are
     served as text/plain.
     NOTE(review): letsencryptchallengepath should be a directory customers
     cannot write to, since its acme-challenge subdirectory is published
     through this alias; confirm how the path is provisioned. -->
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;
}
}
]]>
</content>
</file>
<!-- Stand-alone php-cgi FastCGI launcher, marked executable (chmod u+x);
     presumably written only when neither PHP-FPM nor mod_fcgid is enabled
     (both visibility conditions use mode="false").
     NOTE(review): php-cgi listens on TCP 127.0.0.1:8888. A loopback port is
     reachable by every local account and FastCGI itself has no
     authentication, so on a shared host a unix socket readable only by the
     nginx user is the tighter choice.
     PHP_CGI_ARGS is expanded unquoted on purpose so that it splits into
     separate arguments for env. stop() ends every php-cgi process owned by
     user nginx, not only the one started by this script. -->
<file name="/etc/init.d/php-fcgi" backup="true" chmod="u+x">
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[
#!/bin/bash
BIND="127.0.0.1:8888"
USER="nginx"
PHP_FCGI_CHILDREN="15"
PHP_FCGI_MAX_REQUESTS="1000"
PHP_CGI="/usr/bin/php-cgi"
PHP_CGI_NAME="$(basename ${PHP_CGI})"
PHP_CGI_ARGS="- USER=${USER} PATH=/usr/bin PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN} PHP_FCGI_MAX_REQUESTS=${PHP_FCGI_MAX_REQUESTS} ${PHP_CGI} -b ${BIND}"
RETVAL="0"
start() {
echo -n "Starting PHP FastCGI: "
start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
stop() {
echo -n "Stopping PHP FastCGI: "
killall -q -w -u ${USER} ${PHP_CGI}
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: php-fastcgi {start|stop|restart}"
exit 1
;;
esac
exit "$RETVAL"
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<!-- The php-fcgi service is enabled and restarted under the same two
     visibility conditions as the init script above. -->
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[rc-update add php-fcgi default]]></content>
</command>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[/etc/init.d/php-fcgi restart]]></content>
</command>
<!-- Add nginx to the default runlevel, then run the configured reload
     command exactly as stored in settings.system.apachereload_command. -->
<command><![CDATA[rc-update add nginx default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
</service>
<!--DNS -->
<service type="dns" title="{{lng.admin.configfiles.dns}}">
<!--Bind9 -->
<daemon name="bind" title="Bind9 nameserver" default="true">
<!-- Bind9 setup (the default DNS daemon entry): install the package, write a
     default zone, hook a froxlor include file into named.conf, then enable
     and restart named. -->
<install><![CDATA[emerge net-dns/bind]]></install>
<!-- Default zone template. The serial is the fixed value 2015020101, and the
     "*" record answers otherwise undefined names with the SERVERIP
     placeholder. -->
<file name="/etc/bind/default.zone">
<content><![CDATA[
$TTL 1W
@ IN SOA ns root (
2015020101 ; serial
8H ; refresh
2H ; retry
1W ; expiry
11h) ; minimum
IN NS ns
IN MX 10 mail
IN A <SERVERIP>
IN MX 10 mail
* IN A <SERVERIP>
IN MX 10 mail
ns IN A <SERVERIP>
mail IN A <SERVERIP>
IN MX 10 mail
]]>
</content>
</file>
<!-- Adds an include line for froxlor_bind.conf to named.conf and creates the
     file empty; its content is presumably generated by froxlor later.
     bindconf_directory is concatenated with the file name without a
     separator, so the setting has to end in "/".
     NOTE(review): the echo appends with ">>" every time it runs, so a
     repeated run adds a second identical include line to named.conf.
     NOTE(review): the file ends up owned by user named with mode 0644
     (world-readable, writable by named); confirm named needs to own it
     rather than only read it. -->
<command><![CDATA[echo "include \"{{settings.system.bindconf_directory}}froxlor_bind.conf\";" >> /etc/bind/named.conf]]></command>
<command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chown named:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[rc-update add named default]]></command>
<command><![CDATA[/etc/init.d/named restart]]></command>
</daemon>
<daemon name="powerdns" title="PowerDNS (standalone)">
<!-- PowerDNS with the gmysql backend: install the package, write pdns.conf
     and a froxlor include file holding the database settings, then restart
     pdns. -->
<install><![CDATA[emerge net-dns/pdns]]></install>
<!-- Main configuration, written as root:pdns with mode 640 so that only root
     and the pdns group can read it; backup="true" presumably keeps a copy of
     the previous file.
     Security-relevant settings that are active in this template:
       allow-axfr-ips   zone transfers limited to loopback plus the
                        NAMESERVERS_IP placeholder
       setuid / setgid  user and group pdns (see the option descriptions in
                        the template)
       version-string   set to "powerdns"
       local-address    the SERVERIP placeholder and 127.0.0.1
     chroot, the webserver and API options and the tcp-control options are
     left commented out, i.e. at whatever the installed PowerDNS defaults to.
     NOTE(review): log-dns-details=yes is enabled; confirm the log volume and
     the query data it records are acceptable. Also confirm what the rendered
     allow-axfr-ips line looks like when NAMESERVERS_IP expands to nothing. -->
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
# disable-axfr=no
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
# launch=
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<!-- Creates the directory named by include-dir at the end of pdns.conf.
     mkdir -p sets no explicit owner or mode here; the credential file written
     into it is restricted by its own chown and chmod attributes. -->
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<!-- Backend settings for gmysql. gmysql-password is shipped empty and has to
     be filled in by the administrator; root:pdns with mode 640 keeps the
     password away from other local accounts.
     NOTE(review): unlike pdns.conf this file carries no backup="true", so a
     re-run presumably replaces a file that already holds the password;
     confirm.
     NOTE(review): the commented gmysql-ssl-verify-server-certificate=0 line
     presumably switches certificate verification off when uncommented as
     is. If the database moves off 127.0.0.1, prefer setting the CA file and
     leaving verification on. -->
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
# mysql-settings / you need to create the power-dns database for yourself!
launch=gmysql
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=powerdns
gmysql-group=client
gmysql-password=
#gmysql-ssl-ca-file=
#gmysql-ssl-verify-server-certificate=0
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
<!-- PowerDNS authoritative server using the bind backend.
     Settings this template actually activates (all other lines stay commented
     examples): launch=bind, master=yes, daemon=yes, guardian=yes, setuid/setgid=pdns,
     local-address (SERVERIP placeholder plus 127.0.0.1), local-port=53,
     version-string=powerdns, log-dns-details=yes, socket-dir=/var/run,
     module-dir, config-dir and the include-dir at the end of pdns.conf.
     The monitoring webserver, the experimental API/JSON options, DNS update and
     the tcp-control-* remote control options are all left commented out.
     NOTE(review): disable-axfr=yes is set together with allow-axfr-ips (which lists
     the NAMESERVERS_IP placeholder) and master=yes; presumably the allow list has
     no effect while zone transfers are disabled. Confirm how secondaries are
     expected to receive zones.
     NOTE(review): the backend file written after pdns.conf uses the same path as
     the file written by the gmysql variant earlier in this service, and neither
     carries backup="true", so applying one variant replaces the other's file. -->
<daemon name="powerdns_bind"
title="PowerDNS via bind-backend">
<install><![CDATA[emerge net-dns/pdns]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
disable-axfr=yes
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
launch=bind
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-bind-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<!-- Backend settings picked up through include-dir; root:pdns 640 like pdns.conf.
     bind-config points PowerDNS at the named.conf under the BIND_CONFIG_PATH
     placeholder and bind-check-interval=180 is the re-check interval set here. -->
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
#local-ipv6=YOUR_IPv6_(if_any)
bind-config=<BIND_CONFIG_PATH>named.conf
bind-check-interval=180
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
</service>
<!-- SMTP services -->
<service type="smtp" title="{{lng.admin.configfiles.smtp}}">
<!-- general SMTP commands -->
<general>
<!-- Step group 1: create the vmail group and user with the gid/uid taken from the
     panel settings. Each command carries a visibility test (groupnotexists /
     usernotexists) on that id; presumably the step is only offered when the id is
     not present yet. -->
<commands index="1">
<command>
<visibility mode="groupnotexists">{{settings.system.vmail_gid}}
</visibility>
<content><![CDATA[groupadd -g {{settings.system.vmail_gid}} vmail]]></content>
</command>
<command>
<visibility mode="usernotexists">{{settings.system.vmail_uid}}
</visibility>
<content><![CDATA[useradd -u {{settings.system.vmail_uid}} -g vmail vmail]]></content>
</command>
</commands>
<installs index="1">
<install><![CDATA[emerge mail-mta/postfix]]></install>
</installs>
<!-- Step group 2: mail storage root, owned by the vmail uid:gid with mode 0750,
     so only that user and group can enter it. The chown is recursive. -->
<commands index="2">
<command><![CDATA[mkdir -p {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chown -R {{settings.system.vmail_uid}}:{{settings.system.vmail_gid}} {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chmod 0750 {{settings.system.vmail_homedir}}]]></command>
</commands>
<!-- Postfix MySQL lookup tables plus the aliases file.
     Every mysql-virtual_*.cf file embeds the password of the unprivileged SQL
     account, which is why they are written root:postfix with mode 0640.
     '%s' in each query is the lookup key Postfix substitutes at runtime (an address
     or domain that originates from the SMTP session, i.e. untrusted input).
     NOTE(review): Postfix's mysql table driver is documented to SQL-quote that key;
     keep the single quotes around %s when editing a query.
     mysql-virtual_sender_permissions.cf is the table the main.cf templates of this
     service use as smtpd_sender_login_maps.
     /etc/mail/aliases has no chown/chmod attribute here, so its ownership and mode
     are decided outside this file. -->
<files index="0">
<file name="/etc/postfix/mysql-virtual_alias_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> ''
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_domains.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_sender_permissions.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s'));
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_uid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT uid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_gid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT gid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/mail/aliases" backup="true">
<content><![CDATA[
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
# change this to a valid e-mail address you can access
root: <ADMIN_MAIL>
]]>
</content>
</file>
</files>
<!-- Step group 3: rebuild the alias database, add postfix to the default runlevel
     and restart it. -->
<commands index="3">
<command><![CDATA[newaliases]]></command>
<command><![CDATA[rc-update add postfix default]]></command>
<command><![CDATA[/etc/init.d/postfix restart]]></command>
</commands>
</general>
<!-- postfix 2 with dovecot -->
<!-- Postfix 2 template with Dovecot SASL and Dovecot LDA delivery.
     Security-relevant choices in main.cf below:
     * relaying is limited to mynetworks (127.0.0.0/8) and SASL-authenticated
       clients; reject_sender_login_mismatch ties the envelope sender to the login
       through smtpd_sender_login_maps.
     * TLS is opportunistic in both directions (security level "may").
       smtpd_tls_auth_only is not set, so with the Postfix default AUTH is also
       offered on sessions that never started TLS.
       NOTE(review): consider smtpd_tls_auth_only = yes once the certificate
       placeholders resolve to a real certificate.
     * broken_sasl_auth_clients = yes, message_size_limit is 512 MB and both
       mailbox limits are 0 (unlimited).
     main.cf and master.cf are written root:root 0644; the SQL credentials live in
     the separate 0640 map files pulled in through the files[@index=0] include.
     NOTE(review): master.cf uses mode="append" and the package.use line is
     appended with a shell redirect; presumably a second run adds both entries
     again, so check before re-applying. -->
<daemon name="postfix_dovecot" version="2"
title="Postfix 2 with dovecot">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use/froxlor]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
## General Postfix configuration
# FQDN from Froxlor
mydomain = <SERVERNAME>
# set myhostname to $mydomain because Froxlor already uses a FQDN
myhostname = $mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
<!-- postfix 3 with dovecot (default variant) -->
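<!-- Postfix 3 template with Dovecot SASL and Dovecot LDA delivery (default variant).
     Relaying is limited to mynetworks (127.0.0.0/8) and SASL-authenticated clients;
     reject_sender_login_mismatch ties the envelope sender to the login through
     smtpd_sender_login_maps.
     TLS: opportunistic TLS is enabled for both directions with the same
     SSL_CERT_FILE / SSL_KEY_FILE placeholders the Postfix 2 template uses. With the
     whole TLS section commented out, smtpd had no STARTTLS to offer while SASL AUTH
     was enabled, so logins could only travel unencrypted.
     smtpd_tls_auth_only is left as a commented line: enabling it stops AUTH from
     being offered before STARTTLS, but clients that submit without TLS will no
     longer be able to log in.
     Continuation lines of multi-line main.cf / master.cf values are indented,
     because Postfix only treats a line as a continuation when it starts with
     whitespace.
     main.cf and master.cf are written root:root 0644; the SQL credentials live in
     the separate 0640 map files pulled in through the files[@index=0] include.
     NOTE(review): master.cf uses mode="append" and the package.use line is
     appended with a shell redirect; presumably a second run adds both entries
     again, so check before re-applying. -->
<daemon name="postfix_dovecot" version="3"
title="Postfix 3 with dovecot" default="true">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use/froxlor]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
compatibility_level = 2
## General Postfix configuration
# should be the default domain from your provider eg. "server100.provider.tld"
mydomain = <SERVERNAME>
myhostname = $mydomain
mydestination = $myhostname,
    localhost.$myhostname,
    localhost.$mydomain,
    localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unknown_hostname,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org
## uncomment to offer SMTP AUTH only after STARTTLS
#smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>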
</service>
<!-- IMAP/POP3 services -->
<service type="mail" title="{{lng.admin.configfiles.mail}}">
<!-- Dovecot -->
<daemon name="dovecot_postfix" version="2" title="Dovecot"
default="true">
<command><![CDATA[echo "net-mail/dovecot argon2 mysql managesieve sieve" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-mail/dovecot]]></install>
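<!-- Main Dovecot configuration for the Postfix/Dovecot setup.
     The passdb/userdb "args" point at /etc/dovecot/dovecot-sql.conf.ext, which is
     the SQL settings file this daemon writes right after this one. They previously
     named dovecot-sql.conf, a path no step in this daemon creates; the two paths
     have to stay identical or SQL authentication has no settings to read.
     The auth service exposes two sockets: private/auth inside the Postfix spool
     (postfix:postfix 0660, used for SMTP AUTH) and auth-master (vmail:vmail 0660,
     used by the LDA).
     NOTE(review): disable_plaintext_auth = no together with auth_mechanisms
     "plain login" lets clients send passwords on connections that have not
     negotiated TLS, although ssl = yes and certificate placeholders are configured
     here. The template's own comment asks for disable_plaintext_auth = yes once a
     certificate is in place.
     NOTE(review): ssl_dh reads /etc/dovecot/dh.pem; no step visible in this part
     of the file creates it, so confirm it exists before restarting Dovecot. -->
<file name="/etc/dovecot/dovecot.conf" chown="root:root"
chmod="0640" backup="true">
<content><![CDATA[
auth_mechanisms = plain login
## allow Plaintext Logins from foreign IP if the Connection doesn't use TLS
disable_plaintext_auth = no
listen = *
mail_access_groups = vmail
mail_debug = no
protocols = imap pop3 sieve
### SSL Settings
### After you obtained an SSL-certificate enable ssl here and
### set disable_plaintext_auth to yes (see above)
ssl = yes
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
ssl_dh = </etc/dovecot/dh.pem
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota = maildir:User Quota
  # Sieve-Configuration
  sieve = ~/sieve/.dovecot.sieve
  sieve_dir = ~/sieve
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol imap {
  mail_plugins = quota imap_quota
  # IMAP logout format string:
  # %i - total number of bytes read from client
  # %o - total number of bytes sent to client
  imap_logout_format = in=%i out=%o
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = UID%u-%v
  # POP3 logout format string:
  # %i - total number of bytes read from client
  # %o - total number of bytes sent to client
  # %t - number of TOP commands
  # %p - number of bytes sent to client as a result of TOP command
  # %r - number of RETR commands
  # %b - number of bytes sent to client as a result of RETR command
  # %d - number of deleted messages
  # %m - number of messages (before deletion)
  # %s - mailbox size in bytes (before deletion)
  # %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
  pop3_logout_format = in=%i out=%o top=%t/%p retr=%r/%b del=%d/%m size=%s
}
protocol sieve {
}
lda_mailbox_autocreate = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = quota sieve
  # postmaster is the one in charge of the mail system. MUST be set to a valid address!
  postmaster_address = postmaster@<SERVERNAME>
  sendmail_path = /usr/sbin/sendmail
  lda_mailbox_autocreate = 1
}
]]>
</content>
</file>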
<!-- SQL settings for Dovecot authentication. The connect string embeds the password
     of the unprivileged SQL account, hence root:root with mode 0600.
     The passdb/userdb "args" in dovecot.conf must name this exact path.
     password_query returns the stored password_enc value plus userdb_* fields
     (home, uid, gid, mail location, quota rule); it matches on username or email
     and only when the account is enabled for the service in %Ls (imap, pop3, or
     postfix = 'Y' for smtp and sieve).
     default_pass_scheme is commented out; presumably the scheme is taken from a
     prefix stored with each hash. TODO confirm against the panel's password format.
     NOTE(review): %u is the login name supplied by the client, i.e. untrusted
     input; the queries rely on Dovecot escaping variables inside SQL strings, so
     keep the single quotes around them when editing. -->
<file name="/etc/dovecot/dovecot-sql.conf.ext"
chown="root:root" chmod="0600" backup="true">
<content><![CDATA[
driver = mysql
connect = "host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>"
#default_pass_scheme = CRYPT
password_query = "SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota,'M') AS userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve')))"
user_query = "SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota,'M') AS quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')"
iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)"
]]>
</content>
</file>
<!-- ManageSieve settings: adds sieve to the protocol list and opens the
     managesieve-login listener on port 4190; every other option stays a commented
     default. The file holds no credentials and is written root:root 0644.
     The dovecot.conf template of this daemon already lists sieve in protocols and
     defines the same listener on 4190.
     NOTE(review): that dovecot.conf template contains no include of conf.d, so
     whether this file is read at all depends on configuration outside this
     template; confirm.
     NOTE(review): dovecot.conf sets listen = *, so the ManageSieve port is
     presumably reachable on every interface; restrict it at the firewall if remote
     script management is not wanted. -->
<file name="/etc/dovecot/conf.d/20-managesieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
#service managesieve {
# Max. number of ManageSieve processes (connections)
#process_limit = 1024
#}
# Service configuration
protocol sieve {
# Maximum ManageSieve command line length in bytes. ManageSieve usually does
# not involve overly long command lines, so this setting will not normally
# need adjustment
#managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP
# address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
#mail_plugins =
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
# according to what the Sieve interpreter supports by default (after login
# this may differ depending on the user).
#managesieve_sieve_capability =
#managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon
# script upload or script verification.
#managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of
# Sieve execution limits.
}
]]>
</content>
</file>
<!-- Sieve interpreter settings. The only active directive in the payload is
     "sieve = file:~/sieve;active=~/sieve/.dovecot.sieve"; the script size,
     action and redirect limits, the quota settings and the extension and
     plugin lists are all left commented out. As the payload itself notes,
     the Sieve plugin still has to be enabled in 15-lda.conf and 20-lmtp.conf.
     NOTE(review): the commented sieve_extensions and sieve_plugins examples
     widen what personal scripts may do; review them before uncommenting, and
     use sieve_global_extensions for anything that should stay under
     administrator control. -->
<file name="/etc/dovecot/conf.d/90-sieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/sieve/.dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
#sieve_before = /var/lib/dovecot/sieve.d/
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
]]>
</content>
</file>
<!-- Quota plugin: selects the maildir quota backend under the label
     "User quota". No limit is set here; the SQL password_query and
     user_query in this template return a per-user rule of the form
     '*:storage=(quota)M'. The group is spelled root:0 here, root:root on the
     other Dovecot files. -->
<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
plugin {
quota = maildir:User quota
}
]]>
</content>
</file>
<!-- Generate 3072-bit Diffie-Hellman parameters for Dovecot, add the service
     to the default runlevel and restart it. The dhparam step has no
     existence guard, so it overwrites /etc/dovecot/dh.pem each time these
     commands are run, and it can take a while on slow hosts. DH parameters
     are not secret, so no chmod follows. -->
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 3072]]></command>
<command><![CDATA[rc-update add dovecot default]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</daemon>
</service>
<!-- Antispam services -->
<service type="antispam" title="Antispam">
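<!-- Shared Rspamd setup steps. The rspamd daemon entry of this service pulls
     these groups in by XPath: installs 1, commands 2, files 1, commands 3. -->
<general>
<installs index="1">
<install><![CDATA[emerge mail-filter/rspamd]]></install>
</installs>
<!-- Create the local.d and override.d config directories and the DKIM key
     directory. The third command used to read "mkdir -p mkdir /var/...",
     which also created a stray directory named "mkdir" in the working
     directory. -->
<commands index="2">
<command><![CDATA[mkdir -p /etc/rspamd/local.d/]]></command>
<command><![CDATA[mkdir -p /etc/rspamd/override.d/]]></command>
<command><![CDATA[mkdir -p /var/lib/rspamd/dkim/]]></command>
</commands>
<!-- Rspamd local.d overrides, all root:root 0644; none of them holds a
     secret. arc.conf only points at the per-domain key files under
     /var/lib/rspamd/dkim/, and allow_username_mismatch lets mail from alias
     sender addresses be signed as well. -->
<files index="1">
<file name="/etc/rspamd/local.d/actions.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
# Set rewrite subject to this value (%s is replaced by the original subject)
subject = "***SPAM*** %s"
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/arc.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
try_fallback = true;
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/milter_headers.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
extended_spam_headers = true
skip_local = false
skip_authenticated = false
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/replies.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
## If a user has replied to an email, dont mark other emails in the same thread as spam
action = "no action";
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/settings.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
## Feel free to include your own settings or adjustments here, for example:
#whitelist {
# priority = low;
# rcpt = "postmaster@example.com";
# want_spam = yes;
#}
## Include froxlor generated settings
.include(try=true,priority=1,duplicate=merge) "{{settings.antispam.config_file}}"
]]>
</content>
</file>
</files>
<!-- Postfix and service wiring.
     * arc.conf is copied to dkim_signing.conf, so ARC and DKIM signing share
       the same key path and selector map.
     * Both smtpd and non-smtpd mail is sent through the milter on
       127.0.0.1:11332.
     * milter_default_action = accept makes Postfix carry on as if no filter
       were configured whenever that milter cannot be reached: mail keeps
       flowing, but unscanned. Monitor the rspamd service for that reason.
     * NOTE(review): the chown assumes the service account is named _rspamd;
       confirm the name the Gentoo package creates, otherwise the key
       directory keeps the owner it was created with. -->
<commands index="3">
<command><![CDATA[cp /etc/rspamd/local.d/arc.conf /etc/rspamd/local.d/dkim_signing.conf]]></command>
<command><![CDATA[postconf -e "milter_protocol = 6"]]></command>
<command><![CDATA[postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"]]></command>
<command><![CDATA[postconf -e "milter_default_action = accept"]]></command>
<command><![CDATA[postconf -e "smtpd_milters = inet:127.0.0.1:11332"]]></command>
<command><![CDATA[postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"]]></command>
<command><![CDATA[chown -R _rspamd:_rspamd /var/lib/rspamd/dkim]]></command>
<command><![CDATA[rc-update add rspamd default]]></command>
<command><![CDATA[/etc/init.d/rspamd restart]]></command>
</commands>
</general>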
<!-- Rspamd daemon entry (the default antispam daemon). It defines no steps of
     its own: each include is an XPath into the general section of this
     service, listed in the order install, commands 2, files 1, commands 3. -->
<daemon name="rspamd" title="Rspamd" default="true">
<include>//service[@type='antispam']/general/installs[@index=1]
</include>
<include>//service[@type='antispam']/general/commands[@index=2]
</include>
<include>//service[@type='antispam']/general/files[@index=1]
</include>
<include>//service[@type='antispam']/general/commands[@index=3]
</include>
</daemon>
</service>
<!-- FTP services -->
<service type="ftp" title="{{lng.admin.configfiles.ftp}}">
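<!-- ProFTPD (default FTP daemon): built with the mysql USE flag,
     authenticates against the ftp_users / ftp_groups tables and requires
     TLS. -->
<daemon name="proftpd" title="ProFTPd" default="true">
<command><![CDATA[echo "net-ftp/proftpd mysql" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/proftpd]]></install>
<!-- One-shot helper, root-only (0700), deleted right after it has run. It
     creates a self-signed RSA 4096 and a self-signed secp521r1 certificate,
     each valid for 3650 days with a placeholder subject, and only when the
     matching .crt file does not exist yet. Clients cannot verify a
     self-signed certificate; replace both pairs with CA-issued ones for
     production use. -->
<file name="/etc/proftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/proftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/proftpd/create-cert.sh]]></command>
</commands>
<!-- Main configuration, 0600 because SQLConnectInfo embeds the SQL user and
     password. Points a reviewer should know:
     * TLS is limited to TLSv1.2 and TLSv1.3 and TLSRequired is on.
     * TLSOptions NoSessionReuseRequired drops the requirement that a data
       connection reuses the TLS session of its control connection. The
       payload sets it for client compatibility; it is a deliberate
       relaxation, so revisit it if all clients support session reuse.
     * The "default" LogFormat used %1 where the "write" format uses %l; it
       is corrected to %l below. Only the commented-out ExtendedLog ALL line
       refers to that format.
     * mod_ban bans on connect rate and on failed logins, except for the
       "whitelist" class (127.0.0.1). -->
<file name="/etc/proftpd/proftpd.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
# Server settings
ServerName "<SERVERNAME> FTP Server"
ServerType standalone
ServerIdent off
DefaultServer on
Port 21
MaxInstances 50
# General settings
DeferWelcome on
ShowSymlinks on
AllowOverwrite on
AllowStoreRestart on
AllowRetrieveRestart on
ListOptions "-al"
DisplayChdir .message
UseIPv6 off
# Modules settings
#DelayEngine off
# Timeout settings
TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 600
# Security settings
RootLogin off
RequireValidShell off
User nobody
Group nogroup
Umask 133 022
DefaultRoot ~
DenyFilter \*.*/
# Per-Directory settings
<Directory /*>
Umask 133 022
AllowOverwrite on
</Directory>
# SQL settings
SQLAuthTypes Crypt OpenSSL
SQLAuthenticate users* groups*
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
SQLUserWhereClause "login_enabled = 'y'"
SQLLog PASS login
SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users
SQLLog RETR download
SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users
SQLLog STOR upload
SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users
# Quota settings
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
QuotaLock /var/lock/ftpd.quotatab.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
# TLS settings
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol TLSv1.2 TLSv1.3
#TLSTimeoutHandshake 120
# Really important for WinClients and some clients
TLSOptions NoSessionReuseRequired
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
# Authenticate client that want to use FTP over TLS?
TLSVerifyClient off
# Require TLS on the control and data connections (plain FTP logins are refused)
TLSRequired on
</IfModule>
# LOG settings
# Logging Formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
# Activate Logging
# all logins
ExtendedLog /var/log/proftpd-auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/proftpd-access.log WRITE,READ write
# everything (be careful, generates_ very_ big logfiles)
#ExtendedLog /var/log/proftpd-all.log ALL default
# make proftpd faster / do not perform ident and reverse dns lookup
UseReverseDNS off
<Class whitelist>
From 127.0.0.1
</Class>
MaxLoginAttempts 3
<IfModule mod_ban.c>
<IfClass whitelist>
BanEngine off
</IfClass>
<IfClass !whitelist>
BanEngine on
</IfClass>
BanLog /var/log/proftpd-ban.log
BanTable /etc/proftpd/ban.tab
BanMessage "User %u was banned."
BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently"
BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00
BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99
BanControlsACLs all allow user root
</IfModule>
<IfClass whitelist>
BanEngine off
DelayEngine off
</IfClass>
]]>
</content>
</file>
<command><![CDATA[rc-update add proftpd default]]></command>
<command><![CDATA[/etc/init.d/proftpd restart]]></command>
</daemon>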
<!-- Pure-FTPd: built with the mysql USE flag and authenticating against the
     ftp_users table through /etc/pureftpd-mysql.conf. -->
<daemon name="pureftpd" title="PureFTPd">
<command><![CDATA[echo "net-ftp/pure-ftpd mysql" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/pure-ftpd]]></install>
<!-- One-shot helper, root-only (0700), deleted right after it has run. It
     writes a self-signed RSA 4096 key and certificate (7300 days,
     placeholder subject) into one pem file unless that file exists, then
     generates 3072-bit DH parameters unconditionally and sets both files to
     0600. The chmod comes after the files are created. -->
<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
</commands>
<!-- Init-script options; no secrets, hence 0644.
     NOTE(review): in pure-ftpd, "-Y 1" accepts TLS and plain sessions alike,
     so a client may still send its password unencrypted; the higher TLS
     levels refuse cleartext. Confirm against the installed version and the
     clients that must be supported. -->
<file name="/etc/conf.d/pure-ftpd" chown="root:0" chmod="0644"
backup="true">
<content><![CDATA[
# Config file for /etc/init.d/pure-ftpd
# Configuration-template by Froxlor
IS_CONFIGURED="yes"
# Server/Port
SERVER="-S 21"
## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 30"
MAX_CONN_IP="-C 10"
## Start daemonized in background ##
DAEMON="-B"
## Don't allow uploads if the partition is more full then this var ##
DISK_FULL="-k 90%"
## Authentication mechanism
AUTH="-l mysql:/etc/pureftpd-mysql.conf"
## Misc. Others ##
MISC_OTHER="-A -x -j -Z -Y 1"
]]>
</content>
</file>
<!-- SQL backend settings, 0600 because the file holds the SQL user and
     password. Every lookup is restricted to rows with login_enabled="y".
     NOTE(review): "MYSQLCrypt any" makes the server try every password
     scheme it supports, presumably including cleartext comparison; verify,
     and pin a single scheme if all stored hashes use one. -->
<file name="/etc/pureftpd-mysql.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
MYSQLServer <SQL_HOST>
#MYSQLPort 3306
MYSQLSocket /var/run/mysqld/mysqld.sock
MYSQLUser <SQL_UNPRIVILEGED_USER>
MYSQLPassword <SQL_UNPRIVILEGED_PASSWORD>
MYSQLDatabase <SQL_DB>
MYSQLCrypt any
MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"
MySQLGetQTASZ SELECT CASE WHEN panel_customers.diskspace = 0 THEN -1 WHEN panel_customers.diskspace <= -1 THEN 0 ELSE panel_customers.diskspace/1024 END AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1)
]]>
</content>
</file>
<command><![CDATA[rc-update add pure-ftpd default]]></command>
<command><![CDATA[/etc/init.d/pure-ftpd restart]]></command>
</daemon>
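<!-- vsftpd: built with the pam USE flag; logins are checked by pam_mysql
     against the ftp_users table. -->
<daemon name="vsftpd" title="vsftpd">
<command><![CDATA[echo "net-ftp/vsftpd pam" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/vsftpd sys-auth/pam_mysql]]></install>
<!-- Server configuration; no secrets, hence 0644. Points a reviewer should
     know:
     * ssl_enable is commented out and force_local_logins_ssl /
       force_local_data_ssl are NO, so as written neither logins nor
       transfers are encrypted. Enable TLS and set a certificate before
       exposing the service.
     * chroot_local_user=YES together with chroot_list_enable=YES inverts the
       list: per the vsftpd documentation, users named in the chroot list
       file are then exempt from the chroot. chroot_list_file is commented
       out, so the default path applies. Keep that list empty unless an
       exemption is intended.
     * allow_writeable_chroot=YES permits a chroot whose top directory is
       writable by the user. -->
<file name="/etc/vsftpd/vsftpd.conf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to <SERVERNAME> FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# chroot_list_enable below.
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/run/vsftpd/empty
pam_service_name=vsftpd
#rsa_cert_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#rsa_private_key_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#ssl_enable=YES
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
allow_anon_ssl=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
]]></content>
</file>
<!-- PAM service file. Both pam_mysql lines carry the SQL user name and
     password inline, so the file is installed 0600 (it was 0644, readable by
     every local account), in line with the other credential-bearing files
     of this template (proftpd.conf, pureftpd-mysql.conf, libnss-mysql.cfg).
     NOTE(review): PAM reads this file inside the process that performs the
     authentication; confirm that vsftpd logins still work on the target
     system after the mode change. -->
<file name="/etc/pam.d/vsftpd" chown="root:root" chmod="0600">
<content><![CDATA[
# Standard behaviour for ftpd(8).
auth required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
account required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
#@include common-account
#@include common-session
#@include common-auth
#auth required pam_shells.so
]]></content>
</file>
<command><![CDATA[rc-update add vsftpd default]]></command>
<command><![CDATA[/etc/init.d/vsftpd restart]]></command>
</daemon>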
</service>
<!-- System tools/services -->
<service type="system" title="{{lng.admin.configfiles.etc}}">
<!-- Webalizer traffic analyzer: package installation only, no files or commands -->
<daemon name="webalizer" title="Webalizer (traffic analyzer)">
  <install><![CDATA[emerge app-admin/webalizer]]></install>
</daemon>
<!-- GoAccess traffic analyzer (the default one): installs goaccess together with jq -->
<daemon name="goaccess" title="goaccess (traffic analyzer)" default="true">
  <install><![CDATA[emerge net-analyzer/goaccess app-misc/jq]]></install>
</daemon>
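<!-- AWStats traffic analyzer -->
<daemon name="awstats"
title="Awstats (traffic analyzer)">
<install><![CDATA[emerge www-misc/awstats]]></install>
<!-- Comment out DirData and point DirIcons at /awstats-icon in the model
     config; each sed run keeps a .bak copy of the file. -->
<command><![CDATA[sed -i.bak 's/^DirData/# DirData/' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[sed -i.bak 's|^\\(DirIcons=\\).*$|\\1\\"/awstats-icon\\"|' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<!-- Remove the packaged cron job. -f matches the other cleanup steps in this
     file and keeps the step from failing when the file is already gone. -->
<command><![CDATA[rm -f /etc/cron.d/awstats]]></command>
</daemon>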
<!-- libnss-mysql: answers passwd, shadow and group lookups from the ftp_users
     and ftp_groups tables. -->
<daemon name="libnss"
title="libnss-mysql">
<install><![CDATA[emerge sys-auth/libnss-mysql]]></install>
<!-- Query definitions plus connection settings, 0600 because the SQL user
     and password are stored in it. The getspnam and getspent queries return
     the "password" column of ftp_users as the shadow hash. The by-name and
     by-uid lookups only match rows with login_enabled = 'Y'; the enumerating
     getpwent / getspent queries have no such filter. -->
<file name="/etc/libnss-mysql.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
getpwnam SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwuid SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE uid='%1$u' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getspnam SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwent SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users
getspent SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users
getgrnam SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE groupname='%1$s' \
LIMIT 1
getgrgid SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE gid='%1$u' \
LIMIT 1
getgrent SELECT groupname,'x',gid \
FROM ftp_groups
memsbygid SELECT members \
FROM ftp_groups \
WHERE gid='%1$u'
gidsbymem SELECT CONCAT_WS(',', gid) as gid \
FROM ftp_groups \
WHERE FIND_IN_SET('%1$s', members)
host <SQL_HOST>
database <SQL_DB>
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
socket /var/run/mysqld/mysqld.sock
]]>
</content>
</file>
<command>
<!-- if a socket is set for the db-server use it -->
<visibility mode="notempty">{{sql.socket}}</visibility>
<content><![CDATA[sed -i.bak 's|^\\(socket\\).*$|\\1\\"{{sql.socket}}\\"|' /etc/libnss-mysql.cfg]]></content>
</command>
<!-- Credentials for lookups made by root, 0600. It holds the same
     unprivileged SQL account as the main cfg file. -->
<file name="/etc/libnss-mysql-root.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
]]>
</content>
</file>
<!-- Replaces the whole nsswitch.conf (a backup is kept) so that passwd, group
     and shadow consult mysql after compat.
     NOTE(review): no chown or chmod attribute is given for this file; confirm
     which owner and mode the installer applies by default. -->
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
# You should place mysql at the end, so that it is queried after the other mechanisams
#
passwd: compat mysql
group: compat mysql
shadow: compat mysql
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
<command><![CDATA[rc-update add nscd default]]></command>
<command><![CDATA[/etc/init.d/nscd restart]]></command>
<!-- clear group cache -->
<command><![CDATA[nscd --invalidate=group]]></command>
</daemon>
<!-- Logrotate: installs the package and a snippet for the customer log files.
     The snippet rotates every *.log under the CUSTOMER_LOGS prefix daily,
     keeps 7 rotations, compresses them one cycle late and recreates the log
     with "create" (no explicit mode or owner). After rotation it runs the
     web server reload command once; its output is discarded and a failure
     is ignored.
     NOTE(review): presumably the log directory is writable by root only; if
     customer accounts can write to it, check ownership and mode before
     relying on this snippet. -->
<daemon name="logrotate" title="Logrotate">
<install><![CDATA[emerge app-admin/logrotate]]></install>
<file name="/etc/logrotate.d/froxlor" chown="root:root"
chmod="0644">
<content><![CDATA[
#
# Froxlor logrotate snippet
#
<CUSTOMER_LOGS>*.log {
missingok
daily
rotate 7
compress
delaycompress
notifempty
create
sharedscripts
postrotate
<WEBSERVER_RELOAD_CMD> > /dev/null 2>&1 || true
endscript
}
]]>
</content>
</file>
</daemon>
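<!-- libnss-extrausers: resolves passwd, group and shadow entries from flat
     files under /var/lib/extrausers. -->
<daemon name="libnssextrausers"
title="libnss-extrausers">
<!-- The package comes from the Froxlor overlay, which is registered as a git
     repository and synced before the emerge.
     NOTE(review): no commit or tag is pinned and no signature check is
     configured here, and ebuilds from the overlay are built and installed
     with root privileges; treat the overlay as part of the trusted supply
     chain and review what it ships. -->
<install><![CDATA[emerge app-eselect/eselect-repository]]></install>
<install><![CDATA[mkdir -p /etc/portage/repos.conf]]></install>
<install><![CDATA[eselect repository add froxlor git https://github.com/Froxlor/Gentoo-Ebuild.git]]></install>
<install><![CDATA[emaint sync -r froxlor]]></install>
<install><![CDATA[emerge sys-auth/libnss-extrausers]]></install>
<!-- Create the data directory and the three empty files. touch creates them
     with the mode the invoking shell's umask allows, which is usually
     world-readable, so the shadow file, which will hold password hashes, is
     restricted explicitly right after it is created. -->
<commands index="1">
<command><![CDATA[mkdir -p /var/lib/extrausers]]></command>
<command><![CDATA[touch /var/lib/extrausers/passwd]]></command>
<command><![CDATA[touch /var/lib/extrausers/group]]></command>
<command><![CDATA[touch /var/lib/extrausers/shadow]]></command>
<command><![CDATA[chmod 0640 /var/lib/extrausers/shadow]]></command>
</commands>
<!-- Replaces the whole nsswitch.conf (a backup is kept) so that passwd, group
     and shadow consult extrausers after compat.
     NOTE(review): no chown or chmod attribute is given for this file; confirm
     which owner and mode the installer applies by default. -->
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have extrausers in their lines
# You should place extrausers at the end, so that it is queried after the other mechanisams
#
passwd: compat extrausers
group: compat extrausers
shadow: compat extrausers
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
</daemon>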
<!-- FCGID: builds PHP with the cgi USE flag and, when the web server setting
     is apache2, adds the suexec flag and emerges Apache. When the own-vhost
     option is on it creates the configured group, user and directories.
     The final step hands over to the Froxlor cron task.
     NOTE(review): the install step conditioned on mod_fcgid wraps its shell
     text in a command child, whereas the other conditional install and
     command entries in this file use a content child; confirm the parser
     picks up that echo.
     NOTE(review): the tmpdir is made world-writable with the sticky bit
     (chmod 1777).
     NOTE(review): unlike the PHP-FPM entry, commands group 3 carries no
     usernamenotexists condition, so useradd will presumably report an error
     when the account already exists.
     The two lines that start with "#" in groups 2 and 3 are reminders for
     the administrator (edit /etc/conf.d/apache2 by hand), not commands that
     change anything. -->
<daemon name="fcgid" title="FCGID">
<command><![CDATA[echo "dev-lang/php cgi" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge dev-lang/php]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use/froxlor]]></command>
</commands>
<install>
<visibility mode="true">{{settings.system.mod_fcgid}}
</visibility>
<command><![CDATA[echo "www-servers/apache apache2_modules_proxy_fcgi" >> /etc/portage/package.use/froxlor]]></command>
</install>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache]]></content>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D SUEXEC -D FCGID" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.system.mod_fcgid_ownvhost}}
</visibility>
<command><![CDATA[groupadd -f {{settings.system.mod_fcgid_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.system.mod_fcgid_httpgroup}} {{settings.system.mod_fcgid_httpuser}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_configdir}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command><![CDATA[chmod 1777 {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></content>
</command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- PHP-FPM: builds PHP with the fpm USE flag and, when the web server
     setting is apache2, adds the suexec flag and emerges Apache together
     with mod_fastcgi_handler. Commands group 3 creates the own-vhost group
     and user only when that option is on and the user name does not exist
     yet (usernamenotexists). The final step hands over to the Froxlor cron
     task.
     NOTE(review): the install step conditioned on phpfpm.enabled wraps its
     shell text in a command child, whereas the other conditional install
     entries in this file use a content child; confirm the parser picks up
     that echo. It is also listed after the Apache emerge it is meant to
     configure; confirm the order in which these steps are executed.
     The lines that start with "#" in groups 2 and 4 are reminders for the
     administrator (edit /etc/conf.d/apache2 by hand), not commands that
     change anything. -->
<daemon name="php-fpm"
title="PHP-FPM">
<command><![CDATA[echo "dev-lang/php fpm" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge dev-lang/php]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use/froxlor]]></command>
</commands>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache www-apache/mod_fastcgi_handler]]></content>
</install>
<install>
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<command><![CDATA[echo "www-servers/apache apache2_modules_proxy_fcgi" >> /etc/portage/package.use/froxlor]]></command>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D FASTCGI -D SUEXEC" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<visibility mode="usernamenotexists">{{settings.phpfpm.vhost_httpuser}}
</visibility>
<command><![CDATA[groupadd -f {{settings.phpfpm.vhost_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.phpfpm.vhost_httpgroup}} {{settings.phpfpm.vhost_httpuser}}]]></command>
</commands>
<commands index="4">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<command><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- Cronjob (mandatory): installs cronie and gnupg, links froxlor-cli into
     /usr/local/bin, runs cron task 99 once and finally executes the command
     stored in the system.crondreload setting.
     NOTE(review): what task 99 does is not visible in this file.
     NOTE(review): the last command is taken verbatim from a panel setting and
     run during setup; make sure only trusted administrators can change that
     setting.
     NOTE(review): ln -s has no force flag, so it will presumably report an
     error when the link already exists. -->
<daemon name="cron" title="Cronjob for froxlor"
mandatory="true">
<install><![CDATA[emerge sys-process/cronie app-crypt/gnupg]]></install>
<command><![CDATA[ln -s <BASE_PATH>bin/froxlor-cli /usr/local/bin/froxlor-cli]]></command>
<command><![CDATA[/usr/bin/php <BASE_PATH>bin/froxlor-cli froxlor:cron --run-task 99]]></command>
<command><![CDATA[{{settings.system.crondreload}}]]></command>
</daemon>
</service>
</services>
</distribution>
</froxlor>