maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity
Files
bb2db0fed0ec1927b1f318b88ce1d75fb7bdd020
Froxlor/lib/configfiles/gentoo.xml

2802 lines
90 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<froxlor>
<distribution name="Gentoo" version="3.0"
defaulteditor="/usr/bin/nano" deprecated="true">
<!-- OS defaults to be loaded on installation -->
<defaults>
<default settinggroup="system" varname="nssextrausers" value="1"></default>
<default settinggroup="system" varname="awstats_path" value="/usr/bin/"></default>
<default settinggroup="system" varname="awstats_awstatspath" value="/usr/share/awstats/wwwroot/cgi-bin/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_vhost" value="/etc/apache2/vhosts.d/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_diroptions" value="/etc/apache2/vhosts.d/"></default>
<default for="apache24" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/apache2/froxlor-htpasswd/"></default>
<default for="apache24" settinggroup="system" varname="apachereload_command" value="/etc/init.d/apache2 reload"></default>
<!-- TODO how does this work on gentoo? -->
<default for="apache24" settinggroup="system" varname="letsencryptacmeconf" value="/etc/apache2/acme.conf"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_vhost" value="/etc/lighttpd/vhosts.d/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_diroptions" value="/etc/lighttpd/diropts.d/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/lighttpd/froxlor-htpasswd/"></default>
<default for="lighttpd" settinggroup="system" varname="apachereload_command" value="/etc/init.d/lighttpd reload"></default>
<default for="lighttpd" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/lighttpd/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_vhost" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_diroptions" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
<default for="nginx" settinggroup="system" varname="apachereload_command" value="/etc/init.d/nginx reload"></default>
<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
<default settinggroup="system" varname="bindreload_command" value="/etc/init.d/named restart"></default>
<default settinggroup="system" varname="crondreload" value="/etc/init.d/cronie restart"></default>
</defaults>
<services>
<!-- HTTP -->
<service type="http" title="{{lng.admin.configfiles.http}}">
<!-- general HTTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_vhost}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_vhost}}]]></command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.documentroot_prefix}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.logfiles_directory}}]]></command>
<command>
<visibility mode="notempty">{{settings.system.deactivateddocroot}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
</commands>
</general>
<!-- HTTP Apache -->
<daemon name="apache" version="2.4" title="Apache 2.4">
<install><![CDATA[emerge www-servers/apache]]></install>
<include>//service[@type='http']/general/commands</include>
<file name="/etc/apache2/modules.d/70_fastcgi.conf">
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<content><![CDATA[
<IfModule mod_fastcgi.c>
FastCgiIpcDir <FPM_IPCDIR>
<Location "/fastcgiphp">
Require all granted
Require env REDIRECT_STATUS
</Location>
</IfModule>
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
</content>
</file>
<command><![CDATA[rc-update add apache2 default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Lighttpd -->
<daemon name="lighttpd" title="LigHTTPd (deprecated)">
<install><![CDATA[emerge www-servers/lighttpd]]></install>
<file name="/etc/lighttpd/lighttpd.conf">
<content><![CDATA[
###############################################################################
# Default lighttpd.conf for Froxlor.
###############################################################################
var.basedir = "/var/www"
var.logdir = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
"mod_rewrite",
"mod_redirect",
"mod_alias",
"mod_access",
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir
server.pid-file = "/var/run/lighttpd.pid"
accesslog.filename = var.logdir + "/access.log"
server.errorlog = var.logdir + "/error.log"
server.indexfiles = ("index.php", "index.html",
"index.htm", "default.htm")
server.name = "<SERVERNAME>"
server.port = 80
server.bind = "<SERVERIP>"
url.access-deny = ("~", ".inc")
include "mime-types.conf"
#include "mod_cgi.conf"
fastcgi.server = (
".php" => (
"localhost" => (
"socket" => "/tmp/lighttpd-fcgi-sock-lighttpd",
"broken-scriptfilename" => "enable",
"bin-path" => "/usr/bin/php-cgi",
"min-procs" => 1,
"max-procs" => 1,
"max-load-per-proc" => 4,
"idle-timeout" => 60,
"bin-environment" => (
"UID" => "lighttpd",
"GID" => "lighttpd",
"PHP_FCGI_CHILDREN" => "0",
"PHP_FCGI_MAX_REQUESTS" => "10000"
),
"bin-copy-environment" => ( "" )
)
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_vhost}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_vhost}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_diroptions}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_diroptions}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command><![CDATA[rc-update add lighttpd default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Nginx -->
<daemon name="nginx" title="nginx">
<install><![CDATA[emerge www-servers/nginx]]></install>
<file name="/etc/nginx/nginx.conf" backup="true">
<content><![CDATA[
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
]]>
</content>
</file>
<file name="/etc/nginx/fastcgi_params" backup="true">
<content><![CDATA[
fastcgi_connect_timeout 65;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;
}
}
]]>
</content>
</file>
<file name="/etc/init.d/php-fcgi" backup="true" chmod="u+x">
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[
#!/bin/bash
BIND="127.0.0.1:8888"
USER="nginx"
PHP_FCGI_CHILDREN="15"
PHP_FCGI_MAX_REQUESTS="1000"
PHP_CGI="/usr/bin/php-cgi"
PHP_CGI_NAME="$(basename ${PHP_CGI})"
PHP_CGI_ARGS="- USER=${USER} PATH=/usr/bin PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN} PHP_FCGI_MAX_REQUESTS=${PHP_FCGI_MAX_REQUESTS} ${PHP_CGI} -b ${BIND}"
RETVAL="0"
start() {
echo -n "Starting PHP FastCGI: "
start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
stop() {
echo -n "Stopping PHP FastCGI: "
killall -q -w -u ${USER} ${PHP_CGI}
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: php-fastcgi {start|stop|restart}"
exit 1
;;
esac
exit "$RETVAL"
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[rc-update add php-fcgi default]]></content>
</command>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[/etc/init.d/php-fcgi restart]]></content>
</command>
<command><![CDATA[rc-update add nginx default]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
</service>
<!--DNS -->
<service type="dns" title="{{lng.admin.configfiles.dns}}">
<!--Bind9 -->
<daemon name="bind" title="Bind9 nameserver" default="true">
<install><![CDATA[emerge net-dns/bind]]></install>
<file name="/etc/bind/default.zone">
<content><![CDATA[
$TTL 1W
@ IN SOA ns root (
2015020101 ; serial
8H ; refresh
2H ; retry
1W ; expiry
11h) ; minimum
IN NS ns
IN MX 10 mail
IN A <SERVERIP>
IN MX 10 mail
* IN A <SERVERIP>
IN MX 10 mail
ns IN A <SERVERIP>
mail IN A <SERVERIP>
IN MX 10 mail
]]>
</content>
</file>
<command><![CDATA[echo "include \"{{settings.system.bindconf_directory}}froxlor_bind.conf\";" >> /etc/bind/named.conf]]></command>
<command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chown named:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[rc-update add named default]]></command>
<command><![CDATA[/etc/init.d/named restart]]></command>
</daemon>
<daemon name="powerdns" title="PowerDNS (standalone)">
<install><![CDATA[emerge net-dns/pdns]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
# disable-axfr=no
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
# launch=
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
# mysql-settings / you need to create the power-dns database for yourself!
launch=gmysql
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=powerdns
gmysql-group=client
gmysql-password=
#gmysql-ssl-ca-file=
#gmysql-ssl-verify-server-certificate=0
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
<daemon name="powerdns_bind"
title="PowerDNS via bind-backend">
<install><![CDATA[emerge net-dns/pdns]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
disable-axfr=yes
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
launch=bind
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-bind-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
#local-ipv6=YOUR_IPv6_(if_any)
bind-config=<BIND_CONFIG_PATH>named.conf
bind-check-interval=180
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
</service>
<!-- SMTP services -->
<service type="smtp" title="{{lng.admin.configfiles.smtp}}">
<!-- general SMTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="groupnotexists">{{settings.system.vmail_gid}}
</visibility>
<content><![CDATA[groupadd -g {{settings.system.vmail_gid}} vmail]]></content>
</command>
<command>
<visibility mode="usernotexists">{{settings.system.vmail_uid}}
</visibility>
<content><![CDATA[useradd -u {{settings.system.vmail_uid}} -g vmail vmail]]></content>
</command>
</commands>
<installs index="1">
<install><![CDATA[emerge mail-mta/postfix]]></install>
</installs>
<commands index="2">
<command><![CDATA[mkdir -p {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chown -R {{settings.system.vmail_uid}}:{{settings.system.vmail_gid}} {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chmod 0750 {{settings.system.vmail_homedir}}]]></command>
</commands>
<files index="0">
<file name="/etc/postfix/mysql-virtual_alias_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> ''
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_domains.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_sender_permissions.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s'));
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_uid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT uid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_gid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT gid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/mail/aliases" backup="true">
<content><![CDATA[
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
# change this to a valid e-mail address you can access
root: <ADMIN_MAIL>
]]>
</content>
</file>
</files>
<commands index="3">
<command><![CDATA[newaliases]]></command>
<command><![CDATA[rc-update add postfix default]]></command>
<command><![CDATA[/etc/init.d/postfix restart]]></command>
</commands>
</general>
<!-- postfix with dovecot -->
<daemon name="postfix_dovecot" version="2"
title="Postfix 2 with dovecot">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use/froxlor]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
## General Postfix configuration
# FQDN from Froxlor
mydomain = <SERVERNAME>
# set myhostname to $mydomain because Froxlor already uses a FQDN
myhostname = $mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
<!-- postfix with dovecot -->
<daemon name="postfix_dovecot"
title="Postfix 3 with dovecot" default="true">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use/froxlor]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
compatibility_level = 2
## General Postfix configuration
# should be the default domain from your provider eg. "server100.provider.tld"
mydomain = <SERVERNAME>
# should be different from $mydomain eg. "mail.$mydomain"
myhostname = mail.$mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_use_tls = yes
#smtp_tls_note_starttls_offer = yes
## TLS for email client
#smtpd_tls_cert_file = /etc/ssl/server/server.pem
#smtpd_tls_key_file = /etc/ssl/server/server.key
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org
#smtpd_tls_auth_only = no
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
</service>
<!-- IMAP/POP3 services -->
<service type="mail" title="{{lng.admin.configfiles.mail}}">
<!-- Dovecot -->
<daemon name="dovecot_postfix" version="2" title="Dovecot"
default="true">
<command><![CDATA[echo "net-mail/dovecot argon2 mysql managesieve sieve" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-mail/dovecot]]></install>
<file name="/etc/dovecot/dovecot.conf" chown="root:root"
chmod="0640" backup="true">
<content><![CDATA[
auth_mechanisms = plain login
## allow Plaintext Logins from foreign IP if the Connection doesn't use TLS
disable_plaintext_auth = no
listen = *
mail_access_groups = vmail
mail_debug = no
protocols = imap pop3 sieve
### SSL Settings
### After you obtained an SSL-certificate enable ssl here and
### set disable_plaintext_auth to yes (see above)
ssl = yes
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
ssl_dh = </etc/dovecot/dh.pem
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = maildir:User Quota
# Sieve-Configuration
sieve = ~/sieve/.dovecot.sieve
sieve_dir = ~/sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service managesieve {
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
imap_logout_format = in=%i out=%o
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = UID%u-%v
# POP3 logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %t - number of TOP commands
# %p - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %b - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
pop3_logout_format = in=%i out=%o top=%t/%p retr=%r/%b del=%d/%m size=%s
}
protocol sieve {
}
lda_mailbox_autocreate = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = quota sieve
# postmaster is the one in charge of the mail system. MUST be set to a valid address!
postmaster_address = postmaster@<SERVERNAME>
sendmail_path = /usr/sbin/sendmail
lda_mailbox_autocreate = 1
}
]]>
</content>
</file>
<file name="/etc/dovecot/dovecot-sql.conf.ext"
chown="root:root" chmod="0600" backup="true">
<content><![CDATA[
driver = mysql
connect = "host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>"
#default_pass_scheme = CRYPT
password_query = "SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota,'M') AS userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve')))"
user_query = "SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota,'M') AS quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')"
iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)"
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/20-managesieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
#service managesieve {
# Max. number of ManageSieve processes (connections)
#process_limit = 1024
#}
# Service configuration
protocol sieve {
# Maximum ManageSieve command line length in bytes. ManageSieve usually does
# not involve overly long command lines, so this setting will not normally
# need adjustment
#managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP
# address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
#mail_plugins =
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
# according to what the Sieve interpreter supports by default (after login
# this may differ depending on the user).
#managesieve_sieve_capability =
#managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon
# script upload or script verification.
#managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of
# Sieve execution limits.
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/90-sieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/sieve/.dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
#sieve_before = /var/lib/dovecot/sieve.d/
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
plugin {
quota = maildir:User quota
}
]]>
</content>
</file>
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 3072]]></command>
<command><![CDATA[rc-update add dovecot default]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</daemon>
</service>
<!-- FTP services -->
<service type="ftp" title="{{lng.admin.configfiles.ftp}}">
<!-- Proftpd -->
<daemon name="proftpd" title="ProFTPd" default="true">
<command><![CDATA[echo "net-ftp/proftpd mysql" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/proftpd]]></install>
<file name="/etc/proftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/proftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/proftpd/create-cert.sh]]></command>
</commands>
<file name="/etc/proftpd/proftpd.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
# Server settings
ServerName "<SERVERNAME> FTP Server"
ServerType standalone
ServerIdent off
DefaultServer on
Port 21
MaxInstances 50
# General settings
DeferWelcome on
ShowSymlinks on
AllowOverwrite on
AllowStoreRestart on
AllowRetrieveRestart on
ListOptions "-al"
DisplayChdir .message
UseIPv6 off
# Modules settings
#DelayEngine off
# Timeout settings
TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 600
# Security settings
RootLogin off
RequireValidShell off
User nobody
Group nogroup
Umask 133 022
DefaultRoot ~
DenyFilter \*.*/
# Per-Directory settings
<Directory /*>
Umask 133 022
AllowOverwrite on
</Directory>
# SQL settings
SQLAuthTypes Crypt OpenSSL
SQLAuthenticate users* groups*
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
SQLUserWhereClause "login_enabled = 'y'"
SQLLog PASS login
SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users
SQLLog RETR download
SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users
SQLLog STOR upload
SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users
# Quota settings
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
QuotaLock /var/lock/ftpd.quotatab.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
# TLS settings
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol TLSv1.2 TLSv1.3
#TLSTimeoutHandshake 120
# Really important for WinClients and some clients
TLSOptions NoSessionReuseRequired
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
# Authenticate client that want to use FTP over TLS?
TLSVerifyClient off
# Uncomment the following line to force tls login
TLSRequired on
</IfModule>
# LOG settings
# Logging Formats
LogFormat default "%h %1 %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
# Activate Logging
# all logins
ExtendedLog /var/log/proftpd-auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/proftpd-access.log WRITE,READ write
# everything (be careful, generates_ very_ big logfiles)
#ExtendedLog /var/log/proftpd-all.log ALL default
# make proftpd faster / do not perform ident and reverse dns lookup
UseReverseDNS off
<Class whitelist>
From 127.0.0.1
</Class>
MaxLoginAttempts 3
<IfModule mod_ban.c>
<IfClass whitelist>
BanEngine off
</IfClass>
<IfClass !whitelist>
BanEngine on
</IfClass>
BanLog /var/log/proftpd-ban.log
BanTable /etc/proftpd/ban.tab
BanMessage "User %u was banned."
BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently"
BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00
BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99
BanControlsACLs all allow user root
</IfModule>
<IfClass whitelist>
BanEngine off
DelayEngine off
</IfClass>
]]>
</content>
</file>
<command><![CDATA[rc-update add proftpd default]]></command>
<command><![CDATA[/etc/init.d/proftpd restart]]></command>
</daemon>
<!-- Pureftpd -->
<daemon name="pureftpd" title="PureFTPd">
<command><![CDATA[echo "net-ftp/pure-ftpd mysql" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/pure-ftpd]]></install>
<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
</commands>
<file name="/etc/conf.d/pure-ftpd" chown="root:0" chmod="0644"
backup="true">
<content><![CDATA[
# Config file for /etc/init.d/pure-ftpd
# Configuration-template by Froxlor
IS_CONFIGURED="yes"
# Server/Port
SERVER="-S 21"
## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 30"
MAX_CONN_IP="-C 10"
## Start daemonized in background ##
DAEMON="-B"
## Don't allow uploads if the partition is more full then this var ##
DISK_FULL="-k 90%"
## Authentication mechanism
AUTH="-l mysql:/etc/pureftpd-mysql.conf"
## Misc. Others ##
MISC_OTHER="-A -x -j -Z -Y 1"
]]>
</content>
</file>
<file name="/etc/pureftpd-mysql.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
MYSQLServer <SQL_HOST>
#MYSQLPort 3306
MYSQLSocket /var/run/mysqld/mysqld.sock
MYSQLUser <SQL_UNPRIVILEGED_USER>
MYSQLPassword <SQL_UNPRIVILEGED_PASSWORD>
MYSQLDatabase <SQL_DB>
MYSQLCrypt any
MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"
MySQLGetQTASZ SELECT CASE WHEN panel_customers.diskspace = 0 THEN -1 WHEN panel_customers.diskspace <= -1 THEN 0 ELSE panel_customers.diskspace/1024 END AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1)
]]>
</content>
</file>
<command><![CDATA[rc-update add pure-ftpd default]]></command>
<command><![CDATA[/etc/init.d/pure-ftpd restart]]></command>
</daemon>
<!-- Vsftpd -->
<daemon name="vsftpd" title="vsftpd">
<command><![CDATA[echo "net-ftp/vsftpd pam" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge net-ftp/vsftpd sys-auth/pam_mysql]]></install>
<file name="/etc/vsftpd/vsftpd.conf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to <SERVERNAME> FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# chroot_list_enable below.
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/run/vsftpd/empty
pam_service_name=vsftpd
#rsa_cert_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#rsa_private_key_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#ssl_enable=YES
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
allow_anon_ssl=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
]]></content>
</file>
<file name="/etc/pam.d/vsftpd" chown="root:root" chmod="0644">
<content><![CDATA[
# Standard behaviour for ftpd(8).
auth required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
account required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
#@include common-account
#@include common-session
#@include common-auth
#auth required pam_shells.so
]]></content>
</file>
<command><![CDATA[rc-update add vsftpd default]]></command>
<command><![CDATA[/etc/init.d/vsftpd restart]]></command>
</daemon>
</service>
<!-- System tools/services -->
<service type="system" title="{{lng.admin.configfiles.etc}}">
<!-- Webalizer -->
<daemon name="webalizer"
title="Webalizer (traffic analyzer)">
<install><![CDATA[emerge app-admin/webalizer]]></install>
</daemon>
<!-- goaccess -->
<daemon name="goaccess"
title="goaccess (traffic analyzer)" default="true">
<install><![CDATA[emerge net-analyzer/goaccess app-misc/jq]]></install>
</daemon>
<!-- AWstats -->
<daemon name="awstats"
title="Awstats (traffic analyzer)">
<install><![CDATA[emerge www-misc/awstats]]></install>
<command><![CDATA[sed -i.bak 's/^DirData/# DirData/' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[sed -i.bak 's|^\\(DirIcons=\\).*$|\\1\\"/awstats-icon\\"|' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[rm /etc/cron.d/awstats]]></command>
</daemon>
<!-- libnss-mysql -->
<daemon name="libnss"
title="libnss-mysql">
<install><![CDATA[emerge sys-auth/libnss-mysql]]></install>
<file name="/etc/libnss-mysql.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
getpwnam SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwuid SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE uid='%1$u' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getspnam SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwent SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users
getspent SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users
getgrnam SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE groupname='%1$s' \
LIMIT 1
getgrgid SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE gid='%1$u' \
LIMIT 1
getgrent SELECT groupname,'x',gid \
FROM ftp_groups
memsbygid SELECT members \
FROM ftp_groups \
WHERE gid='%1$u'
gidsbymem SELECT CONCAT_WS(',', gid) as gid \
FROM ftp_groups \
WHERE FIND_IN_SET('%1$s', members)
host <SQL_HOST>
database <SQL_DB>
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
socket /var/run/mysqld/mysqld.sock
]]>
</content>
</file>
<command>
<!-- if a socket is set for the db-server use it -->
<visibility mode="notempty">{{sql.socket}}</visibility>
<content><![CDATA[sed -i.bak 's|^\\(socket\\).*$|\\1\\"{{sql.socket}}\\"|' /etc/libnss-mysql.cfg]]></content>
</command>
<file name="/etc/libnss-mysql-root.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
]]>
</content>
</file>
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
# You should place mysql at the end, so that it is queried after the other mechanisams
#
passwd: compat mysql
group: compat mysql
shadow: compat mysql
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
<command><![CDATA[rc-update add nscd default]]></command>
<command><![CDATA[/etc/init.d/nscd restart]]></command>
<!-- clear group cache -->
<command><![CDATA[nscd --invalidate=group]]></command>
</daemon>
<!-- Logrotate -->
<daemon name="logrotate" title="Logrotate">
<install><![CDATA[emerge app-admin/logrotate]]></install>
<file name="/etc/logrotate.d/froxlor" chown="root:root"
chmod="0644">
<content><![CDATA[
#
# Froxlor logrotate snippet
#
<CUSTOMER_LOGS>*.log {
missingok
daily
rotate 7
compress
delaycompress
notifempty
create
sharedscripts
postrotate
<WEBSERVER_RELOAD_CMD> > /dev/null 2>&1 || true
endscript
}
]]>
</content>
</file>
</daemon>
<!-- libnss-extrausers -->
<daemon name="libnssextrausers"
title="libnss-extrausers">
<install><![CDATA[emerge app-eselect/eselect-repository]]></install>
<install><![CDATA[mkdir -p /etc/portage/repos.conf]]></install>
<install><![CDATA[eselect repository add froxlor git https://github.com/Froxlor/Gentoo-Ebuild.git]]></install>
<install><![CDATA[emaint sync -r froxlor]]></install>
<install><![CDATA[emerge sys-auth/libnss-extrausers]]></install>
<commands index="1">
<command><![CDATA[mkdir -p /var/lib/extrausers]]></command>
<command><![CDATA[touch /var/lib/extrausers/passwd]]></command>
<command><![CDATA[touch /var/lib/extrausers/group]]></command>
<command><![CDATA[touch /var/lib/extrausers/shadow]]></command>
</commands>
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have extrausers in their lines
# You should place extrausers at the end, so that it is queried after the other mechanisams
#
passwd: compat extrausers
group: compat extrausers
shadow: compat extrausers
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
</daemon>
<!-- FCGID -->
<daemon name="fcgid" title="FCGID">
<command><![CDATA[echo "dev-lang/php cgi" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge dev-lang/php]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use/froxlor]]></command>
</commands>
<install>
<visibility mode="true">{{settings.system.mod_fcgid}}
</visibility>
<command><![CDATA[echo "www-servers/apache apache2_modules_proxy_fcgi" >> /etc/portage/package.use/froxlor]]></command>
</install>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache]]></content>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D SUEXEC -D FCGID" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.system.mod_fcgid_ownvhost}}
</visibility>
<command><![CDATA[groupadd -f {{settings.system.mod_fcgid_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.system.mod_fcgid_httpgroup}} {{settings.system.mod_fcgid_httpuser}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_configdir}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command><![CDATA[chmod 1777 {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></content>
</command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- PHP-FPM -->
<daemon name="php-fpm"
title="PHP-FPM">
<command><![CDATA[echo "dev-lang/php fpm" >> /etc/portage/package.use/froxlor]]></command>
<install><![CDATA[emerge dev-lang/php]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use/froxlor]]></command>
</commands>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache www-apache/mod_fastcgi_handler]]></content>
</install>
<install>
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<command><![CDATA[echo "www-servers/apache apache2_modules_proxy_fcgi" >> /etc/portage/package.use/froxlor]]></command>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D FASTCGI -D SUEXEC" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<visibility mode="usernamenotexists">{{settings.phpfpm.vhost_httpuser}}
</visibility>
<command><![CDATA[groupadd -f {{settings.phpfpm.vhost_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.phpfpm.vhost_httpgroup}} {{settings.phpfpm.vhost_httpuser}}]]></command>
</commands>
<commands index="4">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<command><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- Cronjob -->
<daemon name="cron" title="Cronjob for froxlor"
mandatory="true">
<install><![CDATA[emerge sys-process/cronie app-crypt/gnupg]]></install>
<command><![CDATA[ln -s <BASE_PATH>bin/froxlor-cli /usr/local/bin/froxlor-cli]]></command>
<command><![CDATA[/usr/bin/php <BASE_PATH>bin/froxlor-cli froxlor:cron --run-task 99]]></command>
<command><![CDATA[{{settings.system.crondreload}}]]></command>
</daemon>
</service>
</services>
</distribution>
</froxlor>
View Git Blame Copy Permalink