Update page 'Installation de base du système'
commit
e14677905d
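--- /dev/null
+++ b/Installation-de-base-du-système.md
@@ -0,0 +1,670 @@
+# Installation de base du système
+
+## SSH
+
+`/etc/ssh/sshd_config` :
+
+```
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+Ciphers chacha20-poly1305@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org
+MACs umac-128-etm@openssh.com
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+AllowUsers breizh darks lephe
+
+```
+
+```bash
+systemctl reload sshd
+```
+
+## Locale
+
+```bash
+cat > /etc/locale.gen <<<EOF
+en_US.UTF-8 UTF-8
+fr_FR.UTF-8 UTF-8
+
+EOF
+
+locale-gen
+
+echo "LANG=fr_FR.UTF-8" > /etc/locale.conf
+```
+
+## Heure
+
+```bash
+timedatectl set-ntp true
+ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
+```
+
+## Pacman
+
+```bash
+yay -S reflector
+reflector -c FR --sort rate --save /etc/pacman.d/mirrorlist
+```
+
+Dans `/etc/pacman.conf`, décommenter `UseDelta = 0.7`, `Color`,
+`TotalDownload`, `CheckSpace` et `VerbosePkgLists`.
+
+Mettre à jour dépôts et paquets :
+
+```bash
+yay -Syyu
+```
+
+## IPTables
+
+`/etc/iptables/iptables.rules` :
+
+```
+# DDOS
+*mangle
+:PREROUTING ACCEPT [176:18588]
+:INPUT ACCEPT [176:18588]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [157:27472]
+:POSTROUTING ACCEPT [157:27472]
+-A PREROUTING -f -j DROP
+-A PREROUTING -m conntrack --ctstate INVALID -j DROP
+-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
+-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [155:26977]
+
+# Réponses
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Localhost
+-A INPUT -i lo -j ACCEPT
+
+# Ping
+-A INPUT -p icmp -j ACCEPT
+
+# SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# HTTP(S)
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+-A INPUT -i eth0 -j DROP
+
+# DDOS bis
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
+COMMIT
+
+```
+
+`/etc/iptables/ip6tables.rules` :
+
+```
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [155:26977]
+
+# Réponses
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Localhost
+-A INPUT -i lo -j ACCEPT
+
+# Ping
+-A INPUT -p ipv6-icmp -j ACCEPT
+
+# SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# HTTP(S)
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+# Tout le reste
+-A INPUT -i eth0 -j DROP
+
+# DDOS
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
+COMMIT
+
+```
+
+```bash
+systemctl enable --now iptables
+systemctl enable --now ip6tables
+```
+
+## Réseau
+
+```
+rename '.network' '.network.bak' /etc/systemd/network/*.network
+cat > /etc/systemd/network/eth0.network <<<EOF
+[Match]
+Name=eth0
+
+[Address]
+Address=2001:41d0:305:2100::8930/128
+
+[Address]
+Address=51.83.79.246/32
+
+[Route]
+Gateway=2001:41d0:305:2100::1
+GatewayOnlink=true
+
+[Route]
+Gateway=51.83.72.1
+GatewayOnlink=true
+
+[Network]
+DNS=2001:41d0:3:163::1
+DNS=2001:910:800::12
+DNS=2001:910:800::40
+DNS=213.186.33.99
+DNS=80.67.169.12
+DNS=80.67.169.40
+
+EOF
+```
+
+Adapter selon usage (IPs, interface…)
+
+## Postfix
+
+```bash
+yay -S postfix
+cp -a /etc/postfix/main.cf /etc/postfix/.main.cf.orig
+cp -a /etc/postfix/master.cf /etc/postfix/.master.cf.orig
+echo "planet-casio.com" > /etc/mailname
+cat > /etc/postfix/main.cf <<<\EOF
+smtpd_banner = $myhostname ESMTP
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+
+myhostname = planet-casio.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = 127.0.0.1
+inet_protocols = ipv4
+
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
+
+transport_maps = hash:/etc/postfix/transport
+EOF
+
+cat > /etc/postfix/master.cf <<\EOF
+smtp inet n - - - - smtpd
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+-o smtp_fallback_relay=
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+maildrop unix - n n - - pipe
+flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp unix - n n - - pipe
+flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail unix - n n - - pipe
+flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+slow unix - - n - 5 smtp
+-o syslog_name=postfix-slow
+-o smtp_destination_concurrency_limit=3
+-o slow_destination_rate_delay=1
+EOF
+
+> /etc/postfix/transport
+cat > /etc/postfix/transport <<\EOF
+laposte.net slow:
+orange.fr slow:
+wanadoo.fr slow:
+free.fr slow:
+EOF
+
+postmap /etc/postfix/transport
+systemctl restart postfix
+systemctl enable postfix
+```
+
+## Fail2ban (WIP)
+
+```bash
+yay -S fail2ban
+systemctl enable --now fail2ban
+```
+
+## Nginx
+
+```
+yay -S dehydrated nginx
+```
+
+```bash
+cp -a /etc/nginx/nginx.conf /etc/nginx/.nginx.conf.orig
+
+> /etc/nginx/nginx.conf
+cat > /etc/nginx/nginx.conf <<\EOF
+pid /var/run/nginx.pid;
+user www-data;
+worker_processes 12;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+multi_accept on;
+use epoll;
+worker_connections 256;
+}
+
+http {
+
+index index.html index.htm index.php;
+
+server_tokens off;
+
+include /etc/nginx/mime.types;
+charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}
+EOF
+
+cat > /etc/nginx/conf.d/buffer.conf <<\EOF
+# Buffer Overflow Protection
+client_body_buffer_size 100K;
+client_header_buffer_size 1k;
+client_max_body_size 100k;
+large_client_header_buffers 2 1k;
+EOF
+
+cat > /etc/nginx/conf.d/ddos.conf <<\EOF
+# Slow DDOS Protection
+client_body_timeout 10;
+client_header_timeout 10;
+keepalive_timeout 5 5;
+send_timeout 10;
+
+# DDOS Protection
+# Maximum request per IP // 100 per seconde
+limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
+limit_req zone=flood burst=100 nodelay;
+
+# Maximum Connection per IP // 100 per seconde
+limit_conn_zone $binary_remote_addr zone=ddos:10m;
+limit_conn ddos 100;
+EOF
+
+cat > /etc/nginx/conf.d/header.conf <<\EOF
+# Bad Header Protection
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+EOF
+
+cat > /etc/nginx/conf.d/blockuseragents.conf <<\EOF
+map $http_user_agent $blockedagent {
+default 0;
+~*malicious 1;
+~*backdoor 1;
+~*crawler 1;
+~*spider 1;
+}
+EOF
+
+cat > /etc/logrotate.d/nginx <<\EOF
+/var/log/nginx/*.log {
+daily
+missingok
+rotate 14
+compress
+delaycompress
+notifempty
+create 0644 www-data adm
+sharedscripts
+prerotate
+if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+run-parts /etc/logrotate.d/httpd-prerotate; \
+fi \
+endscript
+postrotate
+invoke-rc.d nginx rotate >/dev/null 2>&1
+endscript
+}
+EOF
+
+> /etc/nginx/ssl.conf
+cat > /etc/nginx/ssl.conf <<EOF
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'EECDH+CHACHA20:EECDH+AES';
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
+ssl_stapling on;
+ssl_stapling_verify on;
+EOF
+
+> /etc/nginx/common.conf
+cat > /etc/nginx/common.conf <<EOF
+location ^~ /.well-known/acme-challenge {
+alias /var/www/dehydrated;
+}
+
+if ($blockedagent) {
+return 403;
+}
+
+if ($request_method !~ ^(GET|PUT|POST)$ ) {
+return 444;
+}
+EOF
+```
+
+## Monitoring
+
+```
+yay -S grafana telegraf influxdb goaccess
+```
+
+### InfluxDB
+
+```
+systemctl enable --now influxdb
+influx
+```
+
+```
+CREATE DATABASE telegraf
+CREATE USER telegraf WITH PASSWORD 'un_joli_password'
+GRANT ALL ON telegraf TO telegraf
+CREATE RETENTION POLICY thirty_days ON telegraf DURATION 30d REPLICATION 1 DEFAULT
+```
+
+### Telegraf
+
+```
+cat > /etc/telegraf/telegraf.d/outputs.conf <<EOF
+[[outputs.influxdb]]
+database = "telegraf"
+precision = "s"
+urls = [ "http://127.0.0.1:8086" ]
+username = "telegraf"
+password = "un_joli_password"
+EOF
+```
+
+```
+cat > /etc/telegraf/telegraf.conf <<EOF
+[tags]
+
+# Configuration for telegraf agent
+[agent]
+debug = false
+flush_buffer_when_full = true
+flush_interval = "15s"
+flush_jitter = "0s"
+hostname = "planet-casio.com"
+interval = "15s"
+round_interval = true
+EOF
+```
+
+```
+cat > /etc/telegraf/telegraf.d/inputs_cpu.conf <<EOF
+# Read metrics about CPU usage
+[[inputs.cpu]]
+percpu = false
+totalcpu = true
+fieldpass = [ "usage*" ]
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_disk.conf <<EOF
+# Read metrics about disk usagee
+[[inputs.disk]]
+mount_points=["/"]
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_diskio.conf <<EOF
+# Read metrics about diskio usage
+[[inputs.diskio]]
+devices = ["vda1"]
+skip_serial_number = true
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_net.conf <<EOF
+# Read metrics about network usage
+[[inputs.net]]
+interfaces = [ "eth0" ]
+fielddrop = [ "icmp*", "ip*", "tcp*", "udp*" ]
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_memory.conf <<EOF
+# Read metrics about memory usage
+[[inputs.mem]]
+# no configuration
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_swap.conf <<EOF
+# Read metrics about swap memory usage
+[[inputs.swap]]
+# no configuration
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_system.conf <<EOF
+# Read metrics about system load & uptime
+[[inputs.system]]
+# no configuration
+EOF
+
+cat > /etc/telegraf/telegraf.d/inputs_nginx.conf <<EOF
+[[inputs.nginx]]
+urls = ["http://127.0.0.1:8080/nginx-status"]
+EOF
+
+systemctl enable --now telegraf
+```
+
+### Grafana
+
+```
+yay -S grafana
+systemctl enable --now grafana
+```
+
+## Gitea
+
+```
+yay -S gitea
+```
+
+## LDAP
+
+```
+yay -S openldap
+```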