127 lines
5.4 KiB
YAML
127 lines
5.4 KiB
YAML
|
#cloud-config
|
||
|
|
users:
|
||
|
|
- default
|
||
|
|
package_update: true
|
||
|
|
|
||
|
|
packages:
|
||
|
|
- ca-certificates
|
||
|
|
- cron
|
||
|
|
- docker.io
|
||
|
|
- nginx-light
|
||
|
|
- syslog-ng
|
||
|
|
|
||
|
|
write_files:
|
||
|
|
- content: |
|
||
|
|
path: /etc/nginx/sites-available/default
|
||
|
|
- content: |
|
||
|
|
@version:3.30
|
||
|
|
@include "scl.conf"
|
||
|
|
|
||
|
|
# syslog-ng configuration file.
|
||
|
|
#
|
||
|
|
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
|
||
|
|
#
|
||
|
|
# Note: It also sources additional configuration files (*.conf)
|
||
|
|
# located in /etc/syslog-ng/conf.d/.
|
||
|
|
|
||
|
|
#
|
||
|
|
# Options
|
||
|
|
#
|
||
|
|
options {
|
||
|
|
# Create destination directories if missing.
|
||
|
|
create_dirs(yes);
|
||
|
|
|
||
|
|
# The default action of syslog-ng is to log a MARK line to the file every
|
||
|
|
# 20 minutes. That's seems high for most people so turn it down to once an
|
||
|
|
# hour. Set it to zero if you don't want the functionality at all.
|
||
|
|
mark_freq(3600);
|
||
|
|
|
||
|
|
# The default action of syslog-ng is to log a STATS line to the file every
|
||
|
|
# 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
|
||
|
|
# so you get a nice daily update of how many messages syslog-ng missed (0).
|
||
|
|
stats_freq(43200);
|
||
|
|
|
||
|
|
# Time to wait before a died connection is re-established (default is 60).
|
||
|
|
time_reopen(5);
|
||
|
|
|
||
|
|
# Disable DNS usage.
|
||
|
|
# syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
|
||
|
|
use_dns(no);
|
||
|
|
dns-cache(no);
|
||
|
|
|
||
|
|
# Default owner, group, and permissions for log files.
|
||
|
|
owner(root);
|
||
|
|
group(adm);
|
||
|
|
perm(0640);
|
||
|
|
|
||
|
|
# Default permissions for created directories.
|
||
|
|
dir_perm(0755);
|
||
|
|
};
|
||
|
|
|
||
|
|
source src { system(); internal(); };
|
||
|
|
|
||
|
|
filter f_auth { facility(auth, authpriv); };
|
||
|
|
filter f_syslog { not facility(authpriv, mail) and not message("^grsec:( From [^:]+:)? exec of.*") and not (program("named") and message("^client ")); };
|
||
|
|
filter f_cron { facility(cron); };
|
||
|
|
filter f_daemon { facility(daemon); };
|
||
|
|
filter f_kern { facility(kern); };
|
||
|
|
filter f_mail { facility(mail, news); };
|
||
|
|
filter f_user { facility(user); };
|
||
|
|
filter f_debug { not facility(auth, authpriv, news, mail); };
|
||
|
|
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news) and not message("^grsec:( From [^:]+:)? exec of.*"); };
|
||
|
|
filter f_emergency { level(emerg); };
|
||
|
|
|
||
|
|
filter f_info { level(info); };
|
||
|
|
|
||
|
|
filter f_notice { level(notice); };
|
||
|
|
filter f_warn { level(warn); };
|
||
|
|
filter f_crit { level(crit); };
|
||
|
|
filter f_err { level(err); };
|
||
|
|
|
||
|
|
filter f_audit { message("^audit.*"); };
|
||
|
|
filter f_history { message(".*HISTORY*"); };
|
||
|
|
|
||
|
|
destination authlog { file("/var/log/auth.log"); };
|
||
|
|
destination syslog { file("/var/log/syslog"); };
|
||
|
|
destination kern { file("/var/log/kern.log"); };
|
||
|
|
destination user { file("/var/log/user.log"); };
|
||
|
|
|
||
|
|
destination mailinfo { file("/var/log/mail/mail.info"); };
|
||
|
|
destination mailwarn { file("/var/log/mail/mail.warn"); };
|
||
|
|
destination mailerr { file("/var/log/mail/mail.err"); };
|
||
|
|
|
||
|
|
destination audit { file("/var/log/audit.log"); };
|
||
|
|
destination messages { file("/var/log/messages"); };
|
||
|
|
destination emergency { file("/var/log/emergency"); };
|
||
|
|
|
||
|
|
log { source(src); filter(f_auth); destination(authlog); };
|
||
|
|
|
||
|
|
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
|
||
|
|
|
||
|
|
#log { source(src); filter(f_messages); destination(messages); };
|
||
|
|
log { source(src); filter(f_emergency); destination(emergency); };
|
||
|
|
|
||
|
|
# Remote loghost
|
||
|
|
destination loghost1 { tcp6("geb.ra.nemunai.re"); };
|
||
|
|
log { source(src); destination(loghost1); };
|
||
|
|
destination loghost2 { tcp6("jizah.masr.nemunai.re"); };
|
||
|
|
log { source(src); destination(loghost2); };
|
||
|
|
|
||
|
|
# Source additional configuration files (.conf extension only)
|
||
|
|
@include "/etc/syslog-ng/conf.d/*.conf"
|
||
|
|
path: /etc/syslog-ng/syslog-ng.conf
|
||
|
|
|
||
|
|
runcmd:
|
||
|
|
# Allow traffic in IPv4
|
||
|
|
- sed -i '/-A INPUT -j REJECT/i-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 2375 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --match multiport --dports 23000:23030 -j ACCEPT' /etc/iptables/rules.v4
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --match multiport --dports 23000:23030 -j ACCEPT
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 2375 -j ACCEPT
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
|
||
|
|
- iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
|
||
|
|
|
||
|
|
# Launch container
|
||
|
|
- docker volume create nextcloud_aio_mastercontainer
|
||
|
|
- docker run -d --init --restart unless-stopped -p 80:80 -p 8080:8080 -p 8443:8443 -v nextcloud_aio_mastercontainer:/mnt/docker-aio-config -v "/var/run/docker.sock:/var/run/docker.sock" --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=nextcloud-aio-mastercontainer --name nextcloud-aio-mastercontainer --pull always nextcloud/all-in-one:latest
|