diff --git a/Ansible/Skripty/ipv6dis b/Ansible/Skripty/ipv6dis
new file mode 100755
index 0000000..1d039ad
--- /dev/null
+++ b/Ansible/Skripty/ipv6dis
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i 's/quiet/quiet\ ipv6\.disable\=1/' /etc/default/grub
diff --git a/Ansible/Skripty/name_nginx b/Ansible/Skripty/name_nginx
new file mode 100755
index 0000000..a429602
--- /dev/null
+++ b/Ansible/Skripty/name_nginx
@@ -0,0 +1,4 @@
+#!/bin/bash
+hostname=`hostname`
+hostname=$hostname.czech-tv.cz
+echo "$hostname" | sed -i "s/servername/$hostname/" /etc/nginx/sites-available/default
diff --git a/Ansible/Skripty/php_enabled_status b/Ansible/Skripty/php_enabled_status
new file mode 100755
index 0000000..52cd0e1
--- /dev/null
+++ b/Ansible/Skripty/php_enabled_status
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+phpversion=`systemctl | grep running | grep php | grep fpm | cut -d "-" -f 1 | cut -b 6-8`
+sed -i 's/\;ping.path/ping.path/' /etc/php/`echo $phpversion`/fpm/pool.d/www.conf
+sed -i 's/\;pm.status/pm.status/' /etc/php/`echo $phpversion`/fpm/pool.d/www.conf
diff --git a/Ansible/first_install.yaml b/Ansible/first_install.yaml
new file mode 100755
index 0000000..a34707f
--- /dev/null
+++ b/Ansible/first_install.yaml
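Review bot: The `sed` in Ansible/Skripty/ipv6dis is neither idempotent nor anchored: each run rewrites the first `quiet` on every line of /etc/default/grub, so a second playbook run produces `quiet ipv6.disable=1 ipv6.disable=1`, and a `quiet` inside a comment is changed too. Guard and anchor it, for example `grep -q 'ipv6\.disable=1' /etc/default/grub || sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/quiet/quiet ipv6.disable=1/' /etc/default/grub` (variable name as on a stock Debian/Ubuntu file; confirm for the target hosts). The backslashes before the space, `.` and `=` in the replacement text are not needed.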
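Review bot: In Ansible/Skripty/name_nginx the `echo "$hostname" |` pipe has no effect, because `sed -i` edits the named file and never reads stdin, and the host name is interpolated into the sed expression unescaped, so a value containing `/` or `&` would break or alter the substitution. Drop the pipe, use `$(hostname)` instead of backticks, and let a failed edit fail the task with `sed -i "s/servername/${fqdn}/" /etc/nginx/sites-available/default || exit 1`. A header comment stating that the script expects the literal token `servername` in the shipped `default_nginx` file would help the next maintainer.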
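Review bot: `phpversion` is never validated in Ansible/Skripty/php_enabled_status: when no php-fpm unit is running the pipeline prints nothing and both `sed -i` calls target `/etc/php//fpm/pool.d/www.conf`, and when more than one unit is running the variable holds several lines. Add `[ -n "$phpversion" ] || exit 1` after the assignment and use the variable directly and quoted, `"/etc/php/${phpversion}/fpm/pool.d/www.conf"`, instead of `` `echo $phpversion` ``. The fixed byte range in `cut -b 6-8` also depends on the exact leading whitespace of `systemctl` output and on a three-character version; reading the directory names under /etc/php would be less fragile.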
@@ -0,0 +1,33 @@
+- name: Provotni instalace serveru
+ hosts: all
+ become: true
+ gather_facts: yes
+ tasks:
+ - name: Install NGINX
+ apt:
+ name: nginx-full
+ state: present
+ - name: Copy config file status
+ copy:
+ src: status_nginx
+ dest: /etc/nginx/sites-available/status
+ owner: root
+ group: root
+ mode: 0644
+ - name: Add value for nginx
+ local_action:
+ module: zabbix_hostmacro
+ server_url: http://zabbix.czech-tv.cz
+ login_user: sm233387
+ login_password: JaNa1975
+ host_name: "{{inventory_hostname}}"
+ macro_name: "{$NGINX.STUB_STATUS.PORT}"
+ macro_value: 8080
+ state: present
+ - name: Check system information
+ shell: "ln -sf /etc/nginx/sites-available/status /etc/nginx/sites-enabled/"
+ - name: NGINX restart
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+ enabled: true
diff --git a/Ansible/install_chrony.yaml b/Ansible/install_chrony.yaml
new file mode 100755
index 0000000..567b6de
--- /dev/null
+++ b/Ansible/install_chrony.yaml
@@ -0,0 +1,21 @@
+- name: Playbook to install chrony
+ hosts: all
+ become: true
+ gather_facts: false
+ tasks:
+ - name: Install Chrony
+ apt:
+ name: chrony
+ state: present
+ - name: Copy config file
+ copy:
+ src: chrony.conf
+ dest: /etc/chrony/chrony.conf
+ owner: root
+ group: root
+ mode: 0644
+ - name: chorny restart
+ ansible.builtin.service:
+ name: chrony
+ state: restarted
+ enabled: true
diff --git a/Ansible/install_nginx_zabbix.yaml b/Ansible/install_nginx_zabbix.yaml
new file mode 100755
index 0000000..d27dede
--- /dev/null
+++ b/Ansible/install_nginx_zabbix.yaml
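Review bot: The `zabbix_hostmacro` task in Ansible/first_install.yaml carries `login_user` and `login_password` as literals and uses `server_url: http://…`, so the Zabbix API credentials are readable by anyone with repository access and cross the network unencrypted on every run. Take them from Ansible Vault, e.g. `login_password: "{{ vault_zabbix_password }}"` (variable name is a placeholder), add `no_log: true` to the task, and use `https://` as the other playbooks in this commit already do. The same pattern of literal credentials recurs in install_nginx_zabbix.yaml, install_php-fpm_zabbix.yaml and install_zabbix_agent.yaml, and plain-text secrets also appear in mysql.txt, postgresql.txt and the Authelia, OwnCloud and Vaultwarden files; once this commit is shared, all of them should be considered exposed and rotated.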
@@ -0,0 +1,71 @@
+- name: NGINX
+ hosts: all
+ become: true
+ gather_facts: yes
+ tasks:
+ - name: Install NGINX
+ apt:
+ name: nginx-full
+ state: present
+ - name: Copy config file status
+ copy:
+ src: status_nginx
+ dest: /etc/nginx/sites-available/status
+ owner: root
+ group: root
+ mode: 0644
+ - name: Copy config file status
+ copy:
+ src: name_nginx
+ dest: /tmp/name
+ owner: root
+ group: root
+ mode: 0755
+ - name: Copy config file default
+ copy:
+ src: default_nginx
+ dest: /etc/nginx/sites-available/default
+ owner: root
+ group: root
+ mode: 0644
+ - name: Rename hostname
+ shell:
+ "/tmp/name"
+ - name: Delete files name
+ shell:
+ "rm -f /tmp/name"
+ - name: Add value for nginx
+ local_action:
+ module: zabbix_hostmacro
+ server_url: https://zabbix.czech-tv.cz
+ login_user: ansict
+ login_password: Sojka123456
+ host_name: "{{inventory_hostname}}"
+ macro_name: "{$NGINX.STUB_STATUS.PORT}"
+ macro_value: 8080
+ state: present
+ - name: Symlink na status
+ shell:
+ "ln -sf /etc/nginx/sites-available/status /etc/nginx/sites-enabled/"
+ - name: Create CERT dir
+ shell:
+ "mkdir -p /etc/nginx/cert"
+ - name: Copy key file
+ copy:
+ src: CT.key
+ dest: /etc/nginx/cert/CT.key
+ owner: root
+ group: root
+ mode: 0644
+ - name: Copy cert file
+ copy:
+ src: CT.crt
+ dest: /etc/nginx/cert/CT.crt
+ owner: root
+ group: root
+ mode: 0644
+ - name: NGINX restart
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+ enabled: true
diff --git a/Ansible/install_php-fpm_zabbix.yaml b/Ansible/install_php-fpm_zabbix.yaml
new file mode 100755
index 0000000..1af646d
--- /dev/null
+++ b/Ansible/install_php-fpm_zabbix.yaml
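Review bot: The `Copy key file` task in Ansible/install_nginx_zabbix.yaml installs the TLS private key `/etc/nginx/cert/CT.key` with `mode: 0644`, which lets every local account on the host read it, and the preceding `mkdir -p /etc/nginx/cert` leaves the directory at its default mode. Use `mode: '0600'` for the key (the certificate can stay `0644`) and create the directory with the `file` module using `state: directory` and `mode: '0700'`. The key is copied from the playbook's files directory, so it should be kept vault-encrypted in the repository; whether it is cannot be seen from this hunk. The `shell` tasks for `ln -sf` and `mkdir -p` could be `file` module tasks, which would also report changes accurately.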
@@ -0,0 +1,91 @@ +- name: PHP + hosts: all + become: true + gather_facts: yes + tasks: + - name: Install PHP + apt: + name: php-fpm + state: present + - name: Copy config file status + copy: + src: status_nginx_php + dest: /etc/nginx/sites-available/status + owner: root + group: root + mode: 0644 + - name: Copy config file index.php + copy: + src: index.php + dest: /var/www/html/ + owner: www-data + group: www-data + mode: 0644 + - name: Copy config file default + copy: + src: default_php_nginx + dest: /etc/nginx/sites-available/default + owner: root + group: root + mode: 0644 + - name: Copy php enabled status + copy: + src: php_enabled_status + dest: /tmp/php_enabled_status + owner: root + group: root + mode: 0755 + - name: Run php enabled status + shell: + "/tmp/php_enabled_status" + - name: Create a new host or update an existing host's info + local_action: + module: zabbix_host + server_url: https://zabbix.czech-tv.cz + login_user: ansict + login_password: Sojka123456 + host_name: '{{inventory_hostname}}' + host_groups: + - Linux servers + link_templates: + - PHP-FPM by Zabbix agent + - Linux by Zabbix agent + - SSH Service + - Nginx by Zabbix agent + interfaces: + - type: 1 + main: 1 + useip: 1 + ip: "{{hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}" + dns: "{{inventory_hostname}}" + port: 10050 + - name: Add value for PHP + local_action: + module: zabbix_hostmacro + server_url: https://zabbix.czech-tv.cz + login_user: ansict + login_password: Sojka123456 + host_name: "{{inventory_hostname}}" + macro_name: "{$PHP_FPM.PORT}" + macro_value: 8080 + state: present + - name: Add value for PHP + local_action: + module: zabbix_hostmacro + server_url: https://zabbix.czech-tv.cz + login_user: ansict + login_password: Sojka123456 + host_name: "{{inventory_hostname}}" + macro_name: "{$PHP_FPM.PROCESS_NAME}" + macro_value: php-fpm7.4 + state: present + - name: PHP-FPM restart + ansible.builtin.service: + name: php7.4-fpm + state: restarted + enabled: 
true + - name: NGINX restart + ansible.builtin.service: + name: nginx +c state: restarted + enabled: true diff --git a/Ansible/install_vmtools.yaml b/Ansible/install_vmtools.yaml new file mode 100755 index 0000000..e8edb94 --- /dev/null +++ b/Ansible/install_vmtools.yaml @@ -0,0 +1,9 @@ +- name: First install + hosts: all + become: true + gather_facts: yes + tasks: + - name: Install open-vm-tools + apt: + name: open-vm-tools + state: presentcat diff --git a/Ansible/install_zabbix_agent.yaml b/Ansible/install_zabbix_agent.yaml new file mode 100755 index 0000000..976ca8b --- /dev/null +++ b/Ansible/install_zabbix_agent.yaml @@ -0,0 +1,43 @@ +- name: Playbook to install zabbix + hosts: all + vars: + ipa: "hostvars[inventory_hostname]['ansible_default_ipv4']['address']" + become: true + gather_facts: yes + tasks: + - name: Install zabbix + apt: + name: zabbix-agent + state: present + - name: Copy agent config file + copy: + src: zabbix_agentd.conf + dest: /etc/zabbix/zabbix_agentd.conf + owner: root + group: root + mode: 0644 + - name: zabbix restart + ansible.builtin.service: + name: zabbix-agent + state: restarted + enabled: true + - debug: var=hostvars[inventory_hostname]['ansible_default_ipv4']['address'] + - name: Create a new host or update an existing host's info + local_action: + module: zabbix_host + server_url: https://zabbix.czech-tv.cz + login_user: ansict + login_password: Sojka123456 + host_name: '{{inventory_hostname}}' + host_groups: + - Linux servers + link_templates: + - Linux by Zabbix agent + - SSH Service + interfaces: + - type: 1 + main: 1 + useip: 1 + ip: "{{hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}" + dns: "{{inventory_hostname}}" + port: 10050 diff --git a/Ansible/last_install.yaml b/Ansible/last_install.yaml new file mode 100755 index 0000000..709b6b5 --- /dev/null +++ b/Ansible/last_install.yaml 
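Review bot: The final `NGINX restart` task of Ansible/install_php-fpm_zabbix.yaml has a stray `c` at the start of its `state: restarted` line (rendered here as `c state: restarted`), which would stop the playbook from parsing, so none of its tasks would run. Remove the character. Separately, the service name `php7.4-fpm` and the macro value `php-fpm7.4` are fixed while the `php_enabled_status` script detects the installed version at run time; on a host with a different PHP version the restart task would fail, so both should come from one variable.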
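Review bot: `state: presentcat` in Ansible/install_vmtools.yaml is not a valid `apt` state (it looks like a stray `cat` typed into the file), so the task fails instead of installing open-vm-tools; it should read `state: present`. `gather_facts: yes` is not used by this play and could be `false`, as in install_chrony.yaml.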
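Review bot: The play variable `ipa` in Ansible/install_zabbix_agent.yaml is set to the literal string `hostvars[…]['address']` because the expression is not wrapped in `{{ }}`, and nothing in the hunk references it. Either remove it or define it as `ipa: "{{ ansible_default_ipv4.address }}"` and use `ip: "{{ ipa }}"` under `interfaces`. The unnamed `debug` task looks like leftover troubleshooting output and can be dropped or given a name and `verbosity: 1`.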
@@ -0,0 +1,23 @@
+- name: Last install
+ hosts: all
+ become: true
+ gather_facts: yes
+ tasks:
+ - name: Copy file disable IPV6
+ copy:
+ src: ipv6dis
+ dest: /tmp/ipv6dis
+ owner: root
+ group: root
+ mode: 0755
+ - name: Run script disable IPV6
+ shell:
+ "/tmp/ipv6dis"
+ - name: Regenerate grub
+ shell:
+ "update-grub"
+ - name: Restart machine
+ command: shutdown -r now
+ async: 1
+ poll: 0
+ ignore_errors: true
diff --git a/Ansible/mysql.txt b/Ansible/mysql.txt
new file mode 100755
index 0000000..1db38e6
--- /dev/null
+++ b/Ansible/mysql.txt
@@ -0,0 +1,2 @@
+CREATE USER 'zbx_monitor'@'%' IDENTIFIED BY 'datel1234';
+GRANT REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'zbx_monitor'@'%';
diff --git a/Ansible/postgresql.txt b/Ansible/postgresql.txt
new file mode 100755
index 0000000..c1bced3
--- /dev/null
+++ b/Ansible/postgresql.txt
@@ -0,0 +1,11 @@
+# Databaze
+CREATE USER zbx_monitor WITH PASSWORD 'datel1234' INHERIT;
+GRANT pg_monitor TO zbx_monitor;
+
+# Test pripojeni
+psql -h 127.0.0.1 --username=zbx_monitor postgres
+
+# konfiguracni sobory
+mkdir /var/lib/zabbix/
+cp -a postgresql/ /var/lib/zabbix/
+cp template_db_postgresql.conf /etc/zabbix/zabbix_agentd.conf.d/
diff --git a/Ansible/variables.txt b/Ansible/variables.txt
new file mode 100755
index 0000000..450725d
--- /dev/null
+++ b/Ansible/variables.txt
@@ -0,0 +1,3 @@
+{$NGINX.STUB_STATUS.PORT}
+{$PHP_FPM.PORT}
+{$PHP_FPM.PROCESS_NAME}
diff --git a/Aplikace/Authelia/auth.conf b/Aplikace/Authelia/auth.conf
new file mode 100755
index 0000000..470a98d
--- /dev/null
+++ b/Aplikace/Authelia/auth.conf
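Review bot: Ansible/last_install.yaml stages `ipv6dis` at the fixed path `/tmp/ipv6dis`, runs it as root and never removes it, unlike `/tmp/name` in install_nginx_zabbix.yaml. The `script` module (`script: ipv6dis`) transfers, runs and cleans up in one task without leaving an executable at a predictable name in a world-writable directory, and a `replace` task on /etc/default/grub would remove the need for the script altogether. For the restart, `ansible.builtin.reboot` waits for the host to come back, whereas `shutdown -r now` with `ignore_errors: true` also hides genuine failures.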
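Review bot: `'zbx_monitor'@'%'` in Ansible/mysql.txt lets the monitoring account log in from any host; if the Zabbix agent runs on the database server, restrict it with `CREATE USER 'zbx_monitor'@'localhost' …` and the matching `GRANT … TO 'zbx_monitor'@'localhost';`. The password is a literal, and the same value is reused for the PostgreSQL `zbx_monitor` role in postgresql.txt and in the OwnCloud psql transcript. Replace it with a placeholder in these notes and set a distinct value per database server.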
@@ -0,0 +1,23 @@
+# Basic Authelia Config
+# Send a subsequent request to Authelia to verify if the user is authenticated
+# and has the right permissions to access the resource.
+auth_request /authelia;
+# Set the `target_url` variable based on the request. It will be used to build the portal
+# URL with the correct redirection parameter.
+auth_request_set $target_url $scheme://$http_host$request_uri;
+# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
+# returned by Authelia for the backends which can consume them.
+# This is not safe, as the backend must make sure that they come from the
+# proxy. In the future, it's gonna be safe to just use OAuth.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+# If Authelia returns 401, then nginx redirects the user to the login portal.
+# If it returns 200, then the request pass through to the backend.
+# For other type of errors, nginx will handle them as usual.
+error_page 401 =302 https://authelia.czech-tv.cz/?rd=$target_url;
diff --git a/Aplikace/Authelia/authelia.conf b/Aplikace/Authelia/authelia.conf
new file mode 100755
index 0000000..6d25ada
--- /dev/null
+++ b/Aplikace/Authelia/authelia.conf
@@ -0,0 +1,38 @@
+# Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+ internal;
+ set $upstream_authelia https://127.0.0.1:9091/api/verify;
+ proxy_pass_request_body off;
+ proxy_pass $upstream_authelia;
+ proxy_set_header Content-Length "";
+
+ # Timeout if the real server is dead
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+ # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+ # Provide either X-Original-URL and X-Forwarded-Proto or
+ # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+ # Those headers will be used by Authelia to deduce the target url of the user.
+ # Basic Proxy Config
+ client_body_buffer_size 128k;
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+
+ # Advanced Proxy Config
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
diff --git a/Aplikace/Authelia/authelia_nginx.conf b/Aplikace/Authelia/authelia_nginx.conf
new file mode 100755
index 0000000..a543c7b
--- /dev/null
+++ b/Aplikace/Authelia/authelia_nginx.conf
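Review bot: `set $upstream_authelia https://127.0.0.1:9091/api/verify;` in Aplikace/Authelia/authelia.conf targets port 9091, while configuration.yaml in this commit comments out `port: 9091` and listens on 443; if both files describe the same host, every `auth_request` subrequest fails and protected locations return 500. Align the two ports. A `proxy_pass` to an `https://` upstream does not verify the upstream certificate unless `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` are configured, which is tolerable on loopback but worth recording in a comment next to the `set` line.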
@@ -0,0 +1,53 @@
+server {
+ server_name authelia.czech-tv.cz;
+ listen 80;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ server_name authelia.czech-tv.cz;
+ listen 443 ssl http2;
+
+
+ ssl_certificate /etc/nginx/cert/CT.crt;
+ ssl_certificate_key /etc/nginx/cert/CT.key;
+
+ location / {
+ set $upstream_authelia https://127.0.0.1:9091;
+ proxy_pass $upstream_authelia;
+
+ client_body_buffer_size 128k;
+
+ #Timeout if the real server is dead
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+ # Advanced Proxy Config
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+
+ # Basic Proxy Config
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ # If behind reverse proxy, forwards the correct IP
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.0.0.0/8;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ }
+}
diff --git a/Aplikace/Authelia/configuration.yaml b/Aplikace/Authelia/configuration.yaml
new file mode 100755
index 0000000..da4eb70
--- /dev/null
+++ b/Aplikace/Authelia/configuration.yaml
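Review bot: `set_real_ip_from 172.0.0.0/8;` in Aplikace/Authelia/authelia_nginx.conf is not the RFC 1918 block: it trusts `X-Forwarded-For` from the whole of 172.0.0.0–172.255.255.255, most of which is public address space. Together with `real_ip_recursive on`, a client connecting from that range can dictate the address that nginx logs and that Authelia uses for its `regulation` bans. Use `set_real_ip_from 172.16.0.0/12;`, or preferably list only the addresses of the actual front-end proxies.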
@@ -0,0 +1,130 @@ +--- +theme: dark +jwt_secret: tHJQyNgBaULdQDQEAMFeduKa +default_redirection_url: https://ceskatelevize.cz/ +default_2fa_method: "totp" +server: + host: 0.0.0.0 +# port: 9091 + port: 443 + tls: + key: "/home/ct/CT.key" + certificate: "/home/ct/CT.pem" + client_certificates: [] +log: + level: info + file_path: /var/log/authelia.log +telemetry: + metrics: + enabled: true + address: tcp://172.30.29.119:9902 +totp: + disable: false + issuer: authelia.com + algorithm: sha1 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 +webauthn: + disable: false + timeout: 60s + display_name: Authelia + attestation_conveyance_preference: indirect + user_verification: preferred +ntp: + address: "time.czech-tv.cz:123" + version: 4 + max_desync: 3s + disable_startup_check: false + disable_failure: false +authentication_backend: + password_reset: + disable: true + refresh_interval: 5m + ldap: + implementation: custom + url: ldap://ct.czech-tv.cz + timeout: 5s + start_tls: false + base_dn: DC=ct,DC=czech-tv,DC=cz + username_attribute: sAMAccountName + users_filter: (&({username_attribute}={input})(objectClass=person)) + groups_filter: (&(member={dn})(objectClass=groupOfNames)) + group_name_attribute: cn + mail_attribute: mail + display_name_attribute: displayName + user: "CN=Ldap ADReader,OU=ServisniUzivatele,OU=Admins,DC=ct,DC=czech-tv,DC=cz" + password: Buchtickyses0do +password_policy: + standard: + enabled: false + min_length: 8 + max_length: 0 + require_uppercase: true + require_lowercase: true + require_number: true + require_special: true + zxcvbn: + enabled: false + min_score: 3 +access_control: + default_policy: deny + rules: + - domain: 'authelia.czech-tv.cz' + policy: bypass + - domain: + - 'ctcloud1.czech-tv.cz' + policy: two_factor + - domain: + - 'secure.czech-tv.cz' + policy: two_factor + - domain: + - 'ctcloud2.czech-tv.cz' + policy: two_factor + - domain: + - 'zabbix.czech-tv.cz' + policy: two_factor + - domain: + - 'public.czech-tv.cz' + policy: 
one_factor + - domain: + - 'ctclouduit.czech-tv.cz' + policy: two_factor + - domain: + - 'pha-mail1.ct.czech-tv.cz' + policy: two_factor + +session: + name: authelia_session + domain: czech-tv.cz + same_site: lax + secret: dCdvLKWytdP66qqHpycVk6TuGK5m + expiration: 1h + inactivity: 1m + remember_me_duration: 1M + +regulation: + max_retries: 3 + find_time: 2m + ban_time: 10m + +storage: + encryption_key: dCdvLKWytdP66qqHpycVk6TuGK5m + mysql: + host: 172.30.29.119 + port: 3306 + database: authelia + username: authelia + password: sojka123 + timeout: 5s + +notifier: + disable_startup_check: false + smtp: + host: mail.czech-tv.cz + port: 25 + sender: "Authelia " + subject: "[Authelia] {title}" + disable_require_tls: true +... diff --git a/Aplikace/Authelia/nginx.conf b/Aplikace/Authelia/nginx.conf new file mode 100755 index 0000000..e4fe63a --- /dev/null +++ b/Aplikace/Authelia/nginx.conf 
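Review bot: `authentication_backend.ldap` in Aplikace/Authelia/configuration.yaml uses `url: ldap://…` with `start_tls: false`, so the service-account bind password and every user's password travel to the directory in clear text on each login; use `ldaps://` or `start_tls: true`. `session.secret` and `storage.encryption_key` are set to the same value, and `jwt_secret` plus the LDAP and MySQL passwords are literals in the file; generate independent values and supply them through Authelia's secret mechanism (the `*_FILE` environment variables) instead of the YAML. `notifier.smtp.disable_require_tls: true` on port 25 likewise sends notification mail unencrypted. `session.inactivity: 1m` looks unintentionally short next to `expiration: 1h`.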
@@ -0,0 +1,50 @@
+server {
+ listen 443;
+ server_name ctclouduit.czech-tv.cz;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ client_max_body_size 10240M;
+
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+
+ ssl_certificate /etc/nginx/cert/CT.crt;
+ ssl_certificate_key /etc/nginx/cert/CT.key;
+
+ access_log /var/log/nginx/ctclouduit_access.log;
+ error_log /var/log/nginx/ctclouduit_error.log;
+
+ include snippets/authelia.conf; # Authelia auth endpoint
+
+ location / {
+ proxy_pass https://172.30.26.252;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ include snippets/auth.conf; # Protect this endpoint
+ proxy_http_version 1.1;
+ }
+
+
+}
+
+
+server {
+ if ($host = ctclouduit.czech-tv.cz) {
+ return 301 https://$host$request_uri;
+ }
+
+
+
+listen 80;
+
+server_name ctclouduit.czech-tv.cz;
+ return 404;
+
+
+}
diff --git a/Aplikace/LibreNMS/mysql.txt b/Aplikace/LibreNMS/mysql.txt
new file mode 100755
index 0000000..36e092d
--- /dev/null
+++ b/Aplikace/LibreNMS/mysql.txt
@@ -0,0 +1,2 @@
+CREATE USER 'librenms'@'192.168.1.2' IDENTIFIED BY 'Sojka123456';
+GRANT ALL PRIVILEGES ON *.* TO 'librenms'@'192.168.1.2';
diff --git a/Aplikace/OwnCloud/config.php b/Aplikace/OwnCloud/config.php
new file mode 100755
index 0000000..41e5ad0
--- /dev/null
+++ b/Aplikace/OwnCloud/config.php
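Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in Aplikace/Authelia/nginx.conf keeps the deprecated TLS 1.0 and 1.1 enabled on the vhost that fronts the Authelia-protected backend; restrict it to `ssl_protocols TLSv1.2 TLSv1.3;`, which also matches the cipher list, since that already contains only TLS 1.2 suites. `listen 443;` combined with `ssl on;` is the obsolete form (deprecated since nginx 1.15 and dropped in later releases); write `listen 443 ssl;`. `client_max_body_size 10240M` permits 10 GiB request bodies, which is worth a comment stating that it is intended.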
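Review bot: `GRANT ALL PRIVILEGES ON *.*` in Aplikace/LibreNMS/mysql.txt gives the `librenms` account full rights over every database on the server, including the `mysql` system schema; scope it to the application schema, e.g. `GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'192.168.1.2';` (schema name assumed). The password literal is the same value the playbooks use for the Zabbix API account, so disclosure of either file exposes both systems; use separate credentials and keep only a placeholder in these notes.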
@@ -0,0 +1,85 @@ + 'oc95n97fgwc9', + 'passwordsalt' => 'u8+3d4tygzltPf5KORNIxUA/f7uBZ3', + 'secret' => 'bhCsFhQRhx62fasvykG7uOuOtvCy+EeAj9DLnuLOKO7pWlQA', + 'trusted_domains' => + array ( + 0 => 'ctcloud3.czech-tv.cz', + ), + 'datadirectory' => '/var/www/html/owncloud/data', + 'overwrite.cli.url' => 'https://ctcloud3.czech-tv.cz', + 'dbtype' => 'pgsql', + 'version' => '10.9.0.3', + 'dbname' => 'owncloud', + 'dbhost' => 'localhost', + 'dbtableprefix' => 'oc_', + 'dbuser' => 'oc_admin', + 'dbpassword' => 'jj23snerzgkbxamh5dcjeuq10s1xz9', + 'logtimezone' => 'UTC', + 'apps_paths' => + array ( + 0 => + array ( + 'path' => '/var/www/html/owncloud/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => + array ( + 'path' => '/var/www/html/owncloud/apps-external', + 'url' => '/apps-external', + 'writable' => true, + ), + ), + 'installed' => true, + 'theme' => '', + 'ldapIgnoreNamingRules' => false, + 'mail_domain' => 'czech-tv.cz', + 'mail_from_address' => 'ctcloud3', + 'mail_smtpmode' => 'smtp', + 'mail_smtphost' => 'mail.czech-tv.cz', + 'mail_smtpport' => '25', + 'default_language' => 'cs_CZ', + 'trashbin_retention_obligation' => 0, + 'log_type' => 'owncloud', + 'logfile' => '/var/log/owncloud.log', + 'loglevel' => 4, + 'logdateformat' => 'F d, Y H:i:s', + 'enable_previews' => true, + 'preview_max_x' => 1024, + 'preview_max_y' => 1024, + 'preview_max_scale_factor' => 1, + 'enabledPreviewProviders' => + array ( + 0 => 'OC\\Preview\\PNG', + 1 => 'OC\\Preview\\JPEG', + 2 => 'OC\\Preview\\GIF', + 10 => 'OC\\Preview\\BMP', + 11 => 'OC\\Preview\\XBitmap', + 12 => 'OC\\Preview\\MP3', + 15 => 'OC\\Preview\\TXT', + 20 => 'OC\\Preview\\MarkDown', + 25 => 'OC\\Preview\\OpenDocument', + 30 => 'OC\\Preview\\TIFF', + 35 => 'OC\\Preview\\Movie', + ), + 'enable_movie_transcode' => true, + 'versions_retention_obligation' => 'enable', + 'maintenance' => false, + 'updatechecker' => false, + 'memcache.local' => '\\OC\\Memcache\\Redis', + 'memcache.locking' => '\\OC\\Memcache\\Redis', 
+ 'filelocking.enabled' => true, + 'redis' => + array ( + 'host' => 'localhost', + 'port' => 6379, + 'dbindex' => 0, + 'timeout' => 0, + 0 => 0, + ), + 'upgrade.automatic-app-update' => false, + 'skeletondirectory' => '/var/www/html/skeleteon_dir_woncloud', + 'allow_user_to_change_mail_address' => '', +); diff --git a/Aplikace/OwnCloud/occ.txt b/Aplikace/OwnCloud/occ.txt new file mode 100755 index 0000000..a61d943 --- /dev/null +++ b/Aplikace/OwnCloud/occ.txt @@ -0,0 +1,13 @@ +sudo -u www-data ./occ app:disable activity +sudo -u www-data ./occ app:disable customgroups +sudo -u www-data ./occ app:disable guest +sudo -u www-data ./occ app:disable guests +sudo -u www-data ./occ app:enabled guests +sudo -u www-data ./occ app:enable guests +sudo -u www-data ./occ app:list +sudo -u www-data ./occ app:list +sudo -u www-data ./occ upgrade +sudo -u www-data ./occ user:sync "OCA\User_LDAP\User_Proxy" +sudo -u www-data php occ ldap:show-config + + diff --git a/Aplikace/OwnCloud/psql b/Aplikace/OwnCloud/psql new file mode 100755 index 0000000..8c7e408 --- /dev/null +++ b/Aplikace/OwnCloud/psql @@ -0,0 +1,23 @@ +postgres@ctcloud:/var/www/html$ psql +psql (13.11 (Debian 13.11-0+deb11u1)) +Type "help" for help. + +postgres=# create database owncloud; +CREATE DATABASE +postgres=# create user owncloud with encrypted password 'Datel123456'; +CREATE ROLE +postgres=# grant all privileges on database owncloud to owncloud; +GRANT +postgres=# CREATE USER zbx_monitor WITH PASSWORD 'datel1234' INHERIT; +CREATE ROLE +postgres=# ^[[200~GRANT pg_monitor TO zbx_monitor;~ +ERROR: syntax error at or near " +INE 1: GRANT pg_monitor TO zbx_monitor; + ^ +postgres-# GRANT pg_monitor TO zbx_monitor; +ERROR: syntax error at or near "~" +LINE 1: ~ + ^ +postgres=# GRANT pg_monitor TO zbx_monitor; +GRANT ROLE +postgres=# diff --git a/Aplikace/ValutWarden/config.json b/Aplikace/ValutWarden/config.json new file mode 100755 index 0000000..432a680 --- /dev/null +++ b/Aplikace/ValutWarden/config.json 
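Review bot: Aplikace/OwnCloud/config.php is a live configuration including `passwordsalt`, `secret` and `dbpassword`; the first two are bound to stored password hashes and encrypted data and cannot simply be regenerated afterwards, so commit a sanitized sample file rather than the real one. `'loglevel' => 4` records fatal errors only, which drops the warning-level entries an investigation would need; ownCloud's default is 2. Port 25 is configured without a `mail_smtpsecure` setting, so notification mail is sent unencrypted. `skeletondirectory` reads `skeleteon_dir_woncloud`, which looks like a typo and should be checked against the directory on disk.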
@@ -0,0 +1,46 @@ +{ + "domain": "https://heslovnik.czech-tv.cz", + "sends_allowed": true, + "hibp_api_key": "jdvpetsk12", + "incomplete_2fa_time_limit": 3, + "disable_icon_download": false, + "signups_allowed": true, + "signups_verify": true, + "signups_verify_resend_time": 3600, + "signups_verify_resend_limit": 6, + "signups_domains_whitelist": "czech-tv.cz,ct.czech-tv.cz,ceskatelevize.cz", + "invitations_allowed": true, + "emergency_access_allowed": true, + "password_iterations": 100000, + "password_hints_allowed": true, + "show_password_hint": false, + "admin_token": " 2DcKWJtshWQejDL6ZPELxXeY", + "invitation_org_name": "ceskatelevize.cz", + "ip_header": "X-Real-IP", + "icon_redirect_code": 302, + "icon_cache_ttl": 2592000, + "icon_cache_negttl": 259200, + "icon_download_timeout": 10, + "icon_blacklist_non_global_ips": true, + "disable_2fa_remember": false, + "authenticator_disable_time_drift": false, + "require_device_email": false, + "reload_templates": false, + "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", + "_enable_yubico": true, + "_enable_duo": false, + "_enable_smtp": true, + "smtp_host": "mail.czech-tv.cz", + "smtp_security": "off", + "smtp_port": 25, + "smtp_from": "vaultwarden@ceskatelevize.cz", + "smtp_from_name": "vaultwarden", + "smtp_timeout": 30, + "smtp_embed_images": true, + "smtp_accept_invalid_certs": false, + "smtp_accept_invalid_hostnames": false, + "_enable_email_2fa": true, + "email_token_size": 6, + "email_expiration_time": 600, + "email_attempts_limit": 3 +} diff --git a/Aplikace/ValutWarden/config.toml b/Aplikace/ValutWarden/config.toml new file mode 100755 index 0000000..9c3cfb8 --- /dev/null +++ b/Aplikace/ValutWarden/config.toml 
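Review bot: `"_enable_email_2fa": true` in Aplikace/ValutWarden/config.json is combined with `"smtp_security": "off"` on port 25, so e-mail second-factor codes, signup verification links and invitations leave the server unencrypted; set `"smtp_security": "starttls"` (or `"force_tls"`) if the relay supports it. `"admin_token"` is stored as a plain string, with a leading space that becomes part of the token; Vaultwarden accepts an Argon2 PHC hash in this field (generated with `vaultwarden hash`), which keeps the usable token out of the file. `"hibp_api_key"` is likewise a literal and should be supplied from the environment.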
@@ -0,0 +1,8 @@ +vaultwarden_url = "https://passbolt.czech-tv.cz" +vaultwarden_admin_token = "admin" +ldap_host = "ct.czech-tv.cz" +ldap_bind_dn = "CN=Ldap ADReader,OU=ServisniUzivatele,OU=Admins,DC=ct,DC=czech-tv,DC=cz" +ldap_bind_password = "Buchtickyses0do" +ldap_search_base_dn = "DC=ct,DC=czech-tv,DC=cz" +ldap_search_filter = "(&(objectClass=*)(uid=*))" +ldap_sync_interval_seconds = 10 diff --git a/Aplikace/ValutWarden/docer-compose.yaml b/Aplikace/ValutWarden/docer-compose.yaml new file mode 100755 index 0000000..22774bb --- /dev/null +++ b/Aplikace/ValutWarden/docer-compose.yaml @@ -0,0 +1,34 @@ +version: '3' +services: + vaultwarden: + restart: always + container_name: vaultwarden + image: vaultwarden/server:latest + volumes: + - /var/lib/valutwarden/:/data/ + - /var/lib/valutwarden/:/data/logs + ports: + - 8080:80 + environment: + - SMTP_HOST=mail.czech-tv.cz + - SMTP_FROM=vaultwarden@ceskatelevize.cz + - SMTP_FROM_NAME=vaultwarden + - SMTP_PORT=25 + - SMTP_TIMEOUT=30 + - LOGIN_RATELIMIT_MAX_BURST=10 + - LOGIN_RATELIMIT_SECONDS=60 + - SMTP_SECURITY=off + - DOMAIN=https://heslovnik.czech-tv.cz + - INVITATION_ORG_NAME=ceskatelevize.cz + - INVITATIONS_ALLOWED=true + - ADMIN_TOKEN= 2DcKWJtshWQejDL6ZPELxXeY + - SIGNUPS_ALLOWED=true + - SIGNUPS_DOMAINS_WHITELIST=czech-tv.cz,ct.czech-tv.cz,ceskatelevize.cz + - SIGNUPS_VERIFY=true + - SIGNUPS_VERIFY_RESEND_TIME=3600 + - SIGNUPS_VERIFY_RESEND_LIMIT=6 + - EMERGENCY_ACCESS_ALLOWED=true + - SENDS_ALLOWED=true + - WEB_VAULT_ENABLED=true + - TIME_ZONE="Europe/Prague" + - RUST_BACKTRACE=full diff --git a/Aplikace/ValutWarden/docker_compose_ldap.yaml b/Aplikace/ValutWarden/docker_compose_ldap.yaml new file mode 100755 index 0000000..62afcb5 --- /dev/null +++ b/Aplikace/ValutWarden/docker_compose_ldap.yaml 
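Review bot: `vaultwarden_url` in Aplikace/ValutWarden/config.toml points at `https://passbolt.czech-tv.cz` while config.json and the compose file use `https://heslovnik.czech-tv.cz`, and `vaultwarden_admin_token = "admin"` does not match the token configured there, so the LDAP sync would either fail or, if a server really runs with that token, the admin panel is guessable. The file sets no TLS option for the LDAP connection, so the bind password in `ldap_bind_password` presumably travels in clear text; confirm and enable TLS. `ldap_sync_interval_seconds = 10` binds and searches the directory every ten seconds, which is far more often than account changes require.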
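Review bot: `image: vaultwarden/server:latest` with `restart: always` in Aplikace/ValutWarden/docer-compose.yaml means any re-pull silently changes the version of the password manager; pin a release tag or digest. Both volume entries mount the same host directory `/var/lib/valutwarden/` at `/data/` and at `/data/logs`, so the data directory appears nested inside itself; a separate logs directory was probably meant. In the list form of `environment`, `ADMIN_TOKEN= …` keeps the leading space and `TIME_ZONE="Europe/Prague"` keeps the quotes as part of the value. `RUST_BACKTRACE=full` is a debugging setting that is better left out of a production service.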
@@ -0,0 +1,47 @@ +--- +version: '3' +services: + ldap_sync: + build: + context: . + dockerfile: Dockerfile + volumes: + - ./example.config.toml:/config.toml:ro + # ./root.cert:/usr/src/vaultwarden_ldap/root.cert:ro + environment: + CONFIG_PATH: /config.toml + RUST_BACKTRACE: 1 + depends_on: + - vaultwarden + - ldap + restart: always + + vaultwarden: + image: vaultwarden/server + ports: + - 8000:80 + environment: + ADMIN_TOKEN: admin + SIGNUPS_ALLOWED: 'false' + INVITATIONS_ALLOWED: 'true' + I_REALLY_WANT_VOLATILE_STORAGE: 'true' + + ldap: + image: osixia/openldap + volumes: + - /var/lib/ldap + - /etc/ldap/slapd.d + environment: + LDAP_READONLY_USER: 'true' + LDAP_READONLY_USER_USERNAME: readonly + LDAP_READONLY_USER_PASSWORD: readonly + + ldap_admin: + image: osixia/phpldapadmin + ports: + - 8001:80 + environment: + PHPLDAPADMIN_HTTPS: 'false' + PHPLDAPADMIN_LDAP_HOSTS: ldap + depends_on: + - ldap diff --git a/Aplikace/Zabbix/Huawei/BGP_valuemaps.xml b/Aplikace/Zabbix/Huawei/BGP_valuemaps.xml new file mode 100755 index 0000000..449967d --- /dev/null +++ b/Aplikace/Zabbix/Huawei/BGP_valuemaps.xml @@ -0,0 +1,49 @@ + + + 5.0 + 2020-09-09T18:18:33Z + + + bgpPeerAdminStatus + + + 1 + Stop + + + 2 + Start + + + + + BgpPeerState + + + 1 + idle + + + 2 + connect + + + 3 + active + + + 4 + opensent + + + 5 + openconfirm + + + 6 + established + + + + + diff --git a/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - BGP.xml b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - BGP.xml new file mode 100755 index 0000000..0e0ee2b --- /dev/null +++ b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - BGP.xml 
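Review bot: Aplikace/ValutWarden/docker_compose_ldap.yaml reads like a demo stack: `ADMIN_TOKEN: admin`, `I_REALLY_WANT_VOLATILE_STORAGE: 'true'`, a read-only LDAP user whose password equals its name, and `PHPLDAPADMIN_HTTPS: 'false'` published on port 8001. If it is kept only for reference, say so with a header comment such as `# example only – do not deploy`. Deployed as written, the Vaultwarden admin panel and the LDAP admin UI would be reachable over plain HTTP with trivial credentials, and vault data would not survive a container restart.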
@@ -0,0 +1,284 @@ + + + 5.0 + 2020-09-09T18:10:32Z + + + Templates + + + Templates/Network devices + + + + + + + + FIB - IPv4 + + + 1 + FILLED_REGION + 00EE00 + + Template Net Huawei VRP SNMPv2 - BGP + hwIPv4FibRoutes + + + + + + FIB - IPv6 + + + 1 + F63100 + + Template Net Huawei VRP SNMPv2 - BGP + hwIPv6FibRoutes + + + + + + RIB - IPv4 + + + 1 + FILLED_REGION + EE0000 + + Template Net Huawei VRP SNMPv2 - BGP + hwIPv4RibRoutes + + + + + + RIB x FIB - IPv4 + + + 1 + BOLD_LINE + 00EE00 + + Template Net Huawei VRP SNMPv2 - BGP + hwIPv4FibRoutes + + + + 2 + BOLD_LINE + EE0000 + + Template Net Huawei VRP SNMPv2 - BGP + hwIPv4RibRoutes + + + + + + + + BgpPeerState + + + 1 + idle + + + 2 + connect + + + 3 + active + + + 4 + opensent + + + 5 + openconfirm + + + 6 + established + + + + + diff --git a/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Extra Inventory.xml b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Extra Inventory.xml new file mode 100755 index 0000000..65538c1 --- /dev/null +++ b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Extra Inventory.xml @@ -0,0 +1,96 @@ + + + 5.0 + 2020-09-09T18:11:55Z + + + Templates + + + Templates/Network devices + + + + + + diff --git a/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Optical Modules Info.xml b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Optical Modules Info.xml new file mode 100755 index 0000000..4c7b56a --- /dev/null +++ b/Aplikace/Zabbix/Huawei/Template Net Huawei VRP SNMPv2 - Optical Modules Info.xml @@ -0,0 +1,495 @@ + + + 5.0 + 2020-09-09T18:12:23Z + + + Templates + + + Templates/Network devices + + + + + + diff --git a/Aplikace/Zulip/aktualizace.txt b/Aplikace/Zulip/aktualizace.txt new file mode 100755 index 0000000..e8b64ba --- /dev/null +++ b/Aplikace/Zulip/aktualizace.txt 
@@ -0,0 +1,5 @@
+# Stazeni dat
+curl -fLO https://download.zulip.com/server/zulip-server-6.1.tar.gz
+
+# Instalace
+/home/zulip/deployments/current/scripts/upgrade-zulip /home/ct/zulip-server-6.1.tar.gz
diff --git a/Aplikace/Zulip/nginx.conf b/Aplikace/Zulip/nginx.conf
new file mode 100755
index 0000000..29920db
--- /dev/null
+++ b/Aplikace/Zulip/nginx.conf
@@ -0,0 +1,31 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+
+
+ include /etc/nginx/zulip-include/certbot;
+}
+
+include /etc/nginx/zulip-include/upstreams;
+include /etc/zulip/nginx_sharding_map.conf;
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_certificate /etc/nginx/cert/CT.crt;
+ ssl_certificate_key /etc/nginx/cert/CT.key;
+
+
+ location /local-static {
+ alias /home/zulip/local-static;
+ }
+
+ include /etc/nginx/zulip-include/certbot;
+ include /etc/nginx/zulip-include/app;
+}
diff --git a/Aplikace/snap.txt b/Aplikace/snap.txt
new file mode 100755
index 0000000..08f8634
--- /dev/null
+++ b/Aplikace/snap.txt
@@ -0,0 +1,6 @@
+# Informace o balicku
+snap info termius-app
+# Informace o aktualizacich
+snap refresh --list
+# Aktualizace SNAP balicku
+snap refresh
diff --git a/Certifikaty a SSL/PfxFromCertbot b/Certifikaty a SSL/PfxFromCertbot
new file mode 100755
index 0000000..a34fe38
--- /dev/null
+++ b/Certifikaty a SSL/PfxFromCertbot
@@ -0,0 +1 @@
+openssl pkcs12 -export -out cert.pfx -inkey privkey1.pem -in fullchain1.pem -certfile fullchain1.pem
diff --git a/Certifikaty a SSL/openssl.cnf b/Certifikaty a SSL/openssl.cnf
new file mode 100755
index 0000000..981e3d4
--- /dev/null
+++ b/Certifikaty a SSL/openssl.cnf
@@ -0,0 +1,393 @@ +# +# OpenSSL example configuration file. +# See doc/man5/config.pod for more info. +# +# This is mostly being used for generation of certificate requests, +# but may be used for auto loading of providers + +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + + # Use this in order to automatically load providers. +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +# Extra OBJECT IDENTIFIER info: +# oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +# For FIPS +# Optionally include a file that is generated by the OpenSSL fipsinstall +# application. This file contains configuration data required by the OpenSSL +# fips provider. It contains a named section e.g. [fips_sect] which is +# referenced from the [provider_sect] below. +# Refer to the OpenSSL security policy for more information. +# .include fipsmodule.cnf + +[openssl_init] +providers = provider_sect + +# List of providers to load +[provider_sect] +default = default_sect +legacy = legacy_sect + +# The fips section name should match the section name inside the +# included fipsmodule.cnf. 
+# fips = fips_sect + +# If no providers are activated explicitly, the default one is activated implicitly. +# See man 7 OSSL_PROVIDER-default for more details. +# +# If you add a section explicitly activating any other provider(s), you most +# probably need to explicitly activate the default provider, otherwise it +# becomes unavailable in openssl. As a consequence applications depending on +# OpenSSL may not work correctly which could lead to significant system +# problems including inability to remotely access the system. +[default_sect] +activate = 1 + +[legacy_sect] +activate = 1 +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 
+string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. 
+# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? 
+ # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) + +[insta] # CMP using Insta Demo CA +# Message transfer +server = pki.certificate.fi:8700 +# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 +# tls_use = 0 +path = pkix/ + +# Server authentication +recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer +ignore_keyusage = 1 # potentially needed quirk +unprotected_errors = 1 # potentially needed quirk +extracertsout = insta.extracerts.pem + +# Client authentication +ref = 3078 # user identification +secret = pass:insta # can be used for both client and server side + +# Generic message options +cmd = ir # default operation, can be overridden on cmd line with, e.g., kur + +# Certificate enrollment +subject = "/CN=openssl-cmp-test" +newkey = insta.priv.pem +out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature +certout = insta.cert.pem + +[pbm] # Password-based protection for Insta CA +# Server and client authentication +ref = $insta::ref # 3078 +secret = $insta::secret # pass:insta + +[signature] # Signature-based protection for Insta CA +# Server authentication +trusted = $insta::out_trusted # apps/insta.ca.crt + +# Client authentication +secret = # disable PBM +key = $insta::newkey # insta.priv.pem +cert = $insta::certout # insta.cert.pem + +[ir] +cmd = ir + +[cr] +cmd = cr + +[kur] +# Certificate update +cmd = kur +oldcert = $insta::certout # insta.cert.pem + +[rr] +# Certificate revocation +cmd = rr +oldcert = $insta::certout # insta.cert.pem diff --git a/Docker/DockerRun.txt b/Docker/DockerRun.txt new file mode 100755 index 0000000..b3d80a8 --- /dev/null +++ b/Docker/DockerRun.txt @@ -0,0 +1,2 @@ +docker run -ti -d poler_librenms "/sbin/init" +docker exec -ti 1f9f38dcf28e /bin/bash diff --git a/Linux/2xEtherne_config.txt b/Linux/2xEtherne_config.txt new file mode 100755 index 0000000..9bb0192 --- /dev/null 
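Review bot: `[provider_sect]` sets `legacy = legacy_sect` and `[legacy_sect]` has `activate = 1`, so every program that loads this configuration gets the legacy provider's obsolete algorithms, not only the one command that needs them. If the reason is reading or writing old PKCS#12 files, I would drop the `legacy = legacy_sect` line and request the provider per invocation instead, for example `openssl pkcs12 -legacy ...`. If it has to stay enabled, a comment beside it such as `# legacy provider enabled for <reason>; remove when <condition>` would record why. The rest of the file appears to be the upstream example configuration, including the `[insta]` demo CMP section with its sample `secret`, so it is worth confirming that nothing else was changed.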
+++ b/Linux/2xEtherne_config.txt
@@ -0,0 +1,13 @@
+auto ens192
+allow-hotplug ens224
+iface ens224 inet static
+ address 172.30.6.112
+ netmask 255.255.254.0
+
+auto ens224
+allow-hotplug ens256
+iface ens256 inet static
+ address 172.30.6.113
+ netmask 255.255.254.0
+# gateway 172.30.7.254
+ up route add 172.30.6.0/23 via 172.30.7.254
diff --git a/Linux/ActiveDirectory/AD_linux,txt b/Linux/ActiveDirectory/AD_linux,txt
new file mode 100755
index 0000000..e6719c8
--- /dev/null
+++ b/Linux/ActiveDirectory/AD_linux,txt
@@ -0,0 +1,7 @@
+sm233387 ALL=(ALL) ALL
+%CYBER_ROOT ALL=(ALL:ALL) ALL
+
+apt install sssd-ad sssd-tools realmd adcli
+pam-auth-update --enable mkhomedir
+realm join -U sm233387adm ct.czech-tv.cz
+
diff --git a/Linux/ActiveDirectory/sssd.conf b/Linux/ActiveDirectory/sssd.conf
new file mode 100755
index 0000000..15caff5
--- /dev/null
+++ b/Linux/ActiveDirectory/sssd.conf
@@ -0,0 +1,21 @@
+
+[sssd]
+domains = ct.czech-tv.cz
+config_file_version = 2
+services = nss, pam
+
+[domain/ct.czech-tv.cz]
+default_shell = /bin/bash
+krb5_store_password_if_offline = True
+cache_credentials = True
+krb5_realm = CT.CZECH-TV.CZ
+realmd_tags = manages-system joined-with-adcli
+id_provider = ad
+fallback_homedir = /home/%u@%d
+ad_domain = ct.czech-tv.cz
+#use_fully_qualified_names = True
+use_fully_qualified_names = False
+ldap_id_mapping = True
+access_provider = simple
+simple_allow_users = sm233387
+simple_allow_groups = APP_ROOT
diff --git a/Linux/Konfigurace/chrony.conf b/Linux/Konfigurace/chrony.conf
new file mode 100755
index 0000000..0cdd91c
--- /dev/null
+++ b/Linux/Konfigurace/chrony.conf
@@ -0,0 +1,15 @@
+server time.czech-tv.cz
+server time2.czech-tv.cz
+
+keyfile /etc/chrony/chrony.keys
+
+driftfile /var/lib/chrony/chrony.drift
+
+logdir /var/log/chrony
+
+maxupdateskew 100.0
+
+rtcsync
+
+makestep 1 3
+
diff --git a/Linux/NetPlanIP.yaml b/Linux/NetPlanIP.yaml
new file mode 100755
index 0000000..4f131ac
--- /dev/null
+++ b/Linux/NetPlanIP.yaml
@@ -0,0 +1,14 @@
+network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ ens160:
+ dhcp4: false
+ addresses:
+ - 172.30.29.194/24
+ nameservers:
+ addresses: [172.30.5.160, 172.31.26.160]
+ search: [czech-tv.cz, ct.czech-tv.cz]
+ routes:
+ - to: default
+ via: 172.30.29.254
diff --git a/Linux/PevnaIP.txt b/Linux/PevnaIP.txt
new file mode 100755
index 0000000..478ef6c
--- /dev/null
+++ b/Linux/PevnaIP.txt
@@ -0,0 +1,6 @@
+allow-hotplug ens192
+iface ens192 inet static
+ address 172.30.29.193
+ netmask 255.255.255.0
+ gateway 172.30.29.254
+ dns-nameservers 172.30.5.160 172.31.26.160
diff --git a/Linux/UserAdd.txt b/Linux/UserAdd.txt
new file mode 100755
index 0000000..125ec45
--- /dev/null
+++ b/Linux/UserAdd.txt
@@ -0,0 +1,16 @@
+useradd -m -d /home/hua -s /bin/bash -c "HuaTech" -U hua
+2YQs8kqmcRSV8cJe
+echo "hua ALL = (root) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/hua
+sudo chmod 0440 /etc/sudoers.d/hua
+
+
+useradd -m -d /home/compunet -s /bin/bash -c "compunet" -U compunet
+passwd compunet
+usermod -aG sudo compunet
+9eWikV31oftps
+
+useradd -m -d /home/sj232987 -s /bin/bash -c "Sulc Jan" -U sj232987
+passwd sj232987
+usermod -aG sudo sj232987
+
+9eWikV31oftps
diff --git a/Linux/bash_debug.txt b/Linux/bash_debug.txt
new file mode 100755
index 0000000..673bd24
--- /dev/null
+++ b/Linux/bash_debug.txt
@@ -0,0 +1,3 @@
+exec 3>&1 1>"/tmp/log.log" 2>&1
+set -x
+echo "creating a temporary directory and some files" >&3
diff --git a/Linux/disable_ipv6.txt b/Linux/disable_ipv6.txt
new file mode 100755
index 0000000..ca2b1e6
--- /dev/null
+++ b/Linux/disable_ipv6.txt
@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
diff --git a/Linux/lvm.txt b/Linux/lvm.txt
new file mode 100755
index 0000000..a3b11c2
--- /dev/null
+++ b/Linux/lvm.txt
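Review bot: The bare strings on the line after the first `useradd` and after each `usermod -aG sudo` in `Linux/UserAdd.txt` look like the accounts' passwords committed in clear text; anything ever set to those values should be rotated, and the notes should say only where the secret lives, e.g. `# password: stored in the team password manager`. The same value appears under two different accounts, which suggests it is reused for `compunet` and `sj232987`. `hua ALL = (root) NOPASSWD:ALL` additionally gives that account unrestricted passwordless root; if it needs only specific commands, list those instead of `ALL`.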
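Review bot: The trace in `Linux/bash_debug.txt` goes to the fixed path `/tmp/log.log`, and `set -x` prints every expanded command, so any password or token the traced script handles lands in a predictably named file in a world-writable directory. Creating the file with `log=$(mktemp)` and redirecting with `exec 3>&1 1>"$log" 2>&1` avoids the predictable name. A comment reminding the reader to delete the log after debugging would also help.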
@@ -0,0 +1,6 @@
+pvcreate /dev/sdx
+vgextend name_of_extend /dev/sdx
+lvextend -l +100%FREE /dev/mapper/owncloud2_data-owncloud2_data_1
+
+
+echo '/dev/mapper/data-synaman--data /mnt/data ext4 defaults 0 0' | sudo tee -a /etc/fstab
diff --git a/Linux/thefirstrun_1.0_all/DEBIAN/control b/Linux/thefirstrun_1.0_all/DEBIAN/control
new file mode 100755
index 0000000..eced96a
--- /dev/null
+++ b/Linux/thefirstrun_1.0_all/DEBIAN/control
@@ -0,0 +1,14 @@
+Source: thefirstrun
+Section: devel
+Priority: optional
+Maintainer: Stefl Martin
+Build-Depends: curl sudo
+Homepage: https://debian.czech-tv.cz
+
+Package: thefirstrun
+Version: 1.0
+Architecture: all
+Essential: no
+Priority: optional
+Maintainer: flavienbwk
+Description: A sample package creating a shortcut that triggers a bash script opening a link to the official Ubuntu website
diff --git a/Linux/thefirstrun_1.0_all/DEBIAN/postinst b/Linux/thefirstrun_1.0_all/DEBIAN/postinst
new file mode 100755
index 0000000..51064d9
--- /dev/null
+++ b/Linux/thefirstrun_1.0_all/DEBIAN/postinst
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+apt install sudo -y
+useradd -m -d /home/ansict -s /bin/bash -c "Ansible CT" -U ansict
+sudo usermod -aG sudo ansict
+echo "ansict ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+mkdir /home/ansict/.ssh
+echo "ssh-rsa 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 ansict@ansitest" > /home/ansict/.ssh/authorized_keys2
+chown -R ansict:ansict /home/ansict
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
+sed -i 's/#PubkeyAuthentication/PubkeyAuthentication/' /etc/ssh/sshd_config
+sed -i 's/#AuthorizedKeysFile/AuthorizedKeysFile/' /etc/ssh/sshd_config
+systemctl restart sshd
diff --git a/Nginx/GitWeb.txt b/Nginx/GitWeb.txt
new file mode 100755
index 0000000..688c2c2
--- /dev/null
+++ b/Nginx/GitWeb.txt
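Review bot: The sudo rule in `DEBIAN/postinst` is appended to `/etc/sudoers` with `>>` and never validated, so every reinstall adds another copy and a bad write can break sudo for the whole host. The same lines are repeated in `Skripty/SSH/NewServer.sh`, which also appends to `sshd_config` on each run. A drop-in under `/etc/sudoers.d` with mode 0440, checked by `visudo -cf`, is safer, and `.ssh` and the key file should get explicit 0700/0600 modes instead of relying on the umask. Writing the key to `authorized_keys` rather than `authorized_keys2` would probably remove the need to edit `AuthorizedKeysFile` at all. `apt install sudo` inside a maintainer script runs while dpkg holds its lock and is likely to fail; declaring `Depends: sudo` in `DEBIAN/control` is the usual way.

```shell
install -d -m 0700 -o ansict -g ansict /home/ansict/.ssh
# … unchanged: the echo that writes the public key, pointed at /home/ansict/.ssh/authorized_keys …
chmod 0600 /home/ansict/.ssh/authorized_keys
chown ansict:ansict /home/ansict/.ssh/authorized_keys
sudoers_file=/etc/sudoers.d/ansict
printf '%s\n' 'ansict ALL=(ALL) NOPASSWD: ALL' > "$sudoers_file"
chmod 0440 "$sudoers_file"
visudo -cf "$sudoers_file" || { rm -f "$sudoers_file"; exit 1; }
```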
@@ -0,0 +1,33 @@
+server {
+ listen 443 ssl http2;
+ server_name gitsys.czech-tv.cz;
+
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ssl_certificate /etc/nginx/cert/CT.crt;
+ ssl_certificate_key /etc/nginx/cert/CT.key;
+ ssl_session_timeout 5m;
+ ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+}
+
+server {
+ listen 80;
+ server_name gitsys.czech-tv.cz;
+ if ($host = gitsys.czech-tv.cz) {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/Nginx/Redirect_to_https.txt b/Nginx/Redirect_to_https.txt
new file mode 100755
index 0000000..a0d4595
--- /dev/null
+++ b/Nginx/Redirect_to_https.txt
@@ -0,0 +1,7 @@
+server {
+ listen 80;
+ server_name ctcloud9.czech-tv.cz;
+ if ($host = ctcloud9.czech-tv.cz) {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/Readme.txt b/Readme.txt
new file mode 100755
index 0000000..b902038
--- /dev/null
+++ b/Readme.txt
@@ -0,0 +1,2 @@
+Repository sm233387 , je to dokonale, test z cronu
+
diff --git a/Skripty/PHP/SensorData.php b/Skripty/PHP/SensorData.php
new file mode 100755
index 0000000..91d0584
--- /dev/null
+++ b/Skripty/PHP/SensorData.php
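Review bot: The `ssl_ciphers` line in `Nginx/GitWeb.txt` still offers `EECDH+3DES` and `RSA+3DES`, a 64-bit block cipher exposed to Sweet32-style attacks, and the `RSA+AES128`/`RSA+AES256` suites, which use static RSA key exchange without forward secrecy. Unless a known legacy client needs them, I would reduce it to `ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256;`. `ssl_protocols TLSv1.2;` also leaves TLS 1.3 off; `ssl_protocols TLSv1.2 TLSv1.3;` enables it where the nginx/OpenSSL build supports it. The `location /` block forwards `Host` but no `X-Forwarded-For` or `X-Forwarded-Proto`, so the backend will log only the loopback address, which matters if the application audits by client IP.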
@@ -0,0 +1,155 @@ +connect_error) { + die("Connection failed: " . $conn->connect_error); + } + + $sqlnew = "select location as light from SensorData where sensor like '$sensor' ORDER BY id DESC LIMIT 1"; + if ($result = $conn->query($sqlnew)) { + while ($row = $result->fetch_assoc()) { + $row_light = $row["light"]; + } + $result->free(); + } + + + + $percent = (1 - $location / $row_light) * 100; + + //$percent = 0 - $percent; + + $anone = number_format($percent, 0); + $anone = 0 - $anone; +// echo $location."
"; +// echo $row_light."
"; +// echo $anone; + + + if($anone >=80 ){ + $location = $row_light; + } + +//echo "konec:".$location; + + $sql = "INSERT INTO SensorData (sensor, location, value1, value2, value3) + VALUES ('" . $sensor . "', '" . $location . "', '" . $value1 . "', '" . $value2 . "', '" . $value3 . "')"; + + if ($conn->query($sql) === TRUE) { + echo "New record created successfully"; + } + else { + echo "Error: " . $sql . "
" . $conn->error; + } + + $conn->close(); + } + else { + echo "Wrong API Key provided."; + } + +} +else { + echo "No data posted with HTTP POST."; +} +} + +else { + + $sql = "SELECT id, sensor, location, value1, value2, value3, reading_time FROM SensorData order by reading_time desc limit 10"; + + echo ' + + + + + + + + '; + +if ($result = $conn->query($sql)) { + while ($row = $result->fetch_assoc()) { + // $row_id = $row["id"]; + $row_sensor = $row["sensor"]; + $row_location = $row["location"]; + $row_value1 = $row["value1"]; + $row_value2 = $row["value2"]; + $row_value3 = $row["value3"]; + $row_reading_time = $row["reading_time"]; + //$row_reading_time = date("Y-m-d H:i:s", strtotime("$row_reading_time + 4 hours")); + +if($row_sensor == "Byt"){ + echo ' + + + + + + + '; +} else { + echo ' + + + + + + + '; +} +} + $result->free(); +} + +$conn->close(); +} + + + +function test_input($data) { + $data = trim($data); + $data = stripslashes($data); + $data = htmlspecialchars($data); + return $data; +} diff --git a/Skripty/PowerShell/CheckServices.ps1 b/Skripty/PowerShell/CheckServices.ps1 new file mode 100755 index 0000000..3a7bd5e --- /dev/null +++ b/Skripty/PowerShell/CheckServices.ps1 @@ -0,0 +1,5 @@ +$MyVariable="CZC94881W3" +echo $MyVariable +Get-Service -Name klnagent -ComputerName $MyVariable +Get-Service -Name klnagent -ComputerName $MyVariable | Set-Service -Status Running +Get-Service -Name klnagent -ComputerName $MyVariable diff --git a/Skripty/PowerShell/InstallTrendMicro.ps1 b/Skripty/PowerShell/InstallTrendMicro.ps1 new file mode 100755 index 0000000..1124199 --- /dev/null +++ b/Skripty/PowerShell/InstallTrendMicro.ps1 
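Review bot: Both queries are built by pasting request-derived variables into the SQL text, `where sensor like '$sensor'` in the lookup and the concatenated `VALUES ('" . $sensor . "', ...)` in the insert, so the statement's structure depends on the posted data. The `test_input()` helper at the end of the hunk only trims, strips slashes and HTML-encodes, which is output encoding for HTML rather than SQL escaping, and where it is applied is not visible in the page as extracted. `$conn` appears to be a mysqli connection, so bound parameters via `$conn->prepare()` fix both statements. The error branch also echoes the full `$sql` and `$conn->error` to the client, which belongs in the server log. Separately, `$location / $row_light` divides by a value that is unset when the lookup returns no row and may be zero.

```php
$lookup = $conn->prepare(
    "select location as light from SensorData where sensor like ? ORDER BY id DESC LIMIT 1"
);
$lookup->bind_param("s", $sensor);
$lookup->execute();
$lookup->bind_result($row_light);
$lookup->fetch();
$lookup->close();

// … unchanged: percentage calculation and the >= 80 override of $location …

$insert = $conn->prepare(
    "INSERT INTO SensorData (sensor, location, value1, value2, value3) VALUES (?, ?, ?, ?, ?)"
);
$insert->bind_param("sssss", $sensor, $location, $value1, $value2, $value3);
if ($insert->execute()) {
    echo "New record created successfully";
} else {
    error_log("SensorData insert failed: " . $insert->error);
    echo "Error: record not saved";
}
$insert->close();
```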
@@ -0,0 +1,50 @@ +$FOLDER = 'C:\TMP' +$MICRO = 'C:\Program Files (x86)\Trend Micro\Security Agent\PccNTMon.exe' +$FOLDERS = 'C:\Sony\Sonaps' + +if (Test-Path -Path $FOLDER) { + "Adresar TMP existuje" +} else { + mkdir c:\TMP +} + +Get-WmiObject -Class Win32_Product | where Name -like ("Kaspersky Endpoint Security*") |select IdentifyingNumber | ft -hide > C:\TMP\uuid_kasp.txt +(gc C:\TMP\uuid_kasp.txt ) | ? {$_.trim() -ne "" } | set-content C:\TMP\uuid_kasp.txt +$KES = Get-Content -Path C:\TMP\uuid_kasp.txt -TotalCount 1 +if ($KES) { + start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList '/x', $KES, 'KLLOGIN=KLAdmin', 'KLPASSWD=I.*nform1976', '/qn' -Wait +} else { + "Nenalezen : Kaspersky Endpoint Security pro systém Windows" +} + +Get-WmiObject -Class Win32_Product | where Name -eq "Kaspersky Security Center Network Agent" |select IdentifyingNumber | ft -hide > C:\TMP\uuid_netagent.txt +(gc C:\TMP\uuid_netagent.txt ) | ? {$_.trim() -ne "" } | set-content C:\TMP\uuid_netagent.txt +$AGENT = Get-Content -Path C:\TMP\uuid_netagent.txt -TotalCount 1 + +if ($AGENT) { + cp \\pn03\Instalace\Kaspersky\Cleaner\cleaner.exe c:\TMP\ + start-Process -FilePath "C:\TMP\cleaner.exe" -ArgumentList '/pc', $AGENT +} else { + "Nenalezen : Kaspersky Security Center Network Agent" +} + + +if (Test-Path -Path $MICRO ) { + "Antivir je jiz naistalovany" +} else { + + if (Test-Path -Path $FOLDERS) { + Write-Output "Počítč má adresáč $FOLDERS" + $parms=@("/quiet", "/norestart" , "/lv", "C:\ApexOne.log";"/i";"\\pn03\Instalace\TrendMicro\Agents\AgentsApexCentral\Standalone\sonaps_agent_cloud_x64.msi") + (Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList $parms -Wait -Passthru).ExitCode + + }else{ + Write-Output "Počítč NEmá adresáč $FOLDERS" + $parms=@("/quiet", "/norestart" , "/lv", "C:\ApexOne.log";"/i";"\\pn03\Instalace\TrendMicro\Agents\AgentsApexCentral\Standalone\agent_cloud_x64.msi") + (Start-Process -FilePath 
"$env:systemroot\system32\msiexec.exe" -ArgumentList $parms -Wait -Passthru).ExitCode + } + + +} + +Wait-Event -SourceIdentifier "ProcessStarted" -Timeout 30 diff --git a/Skripty/PowerShell/KontrolaPCprotiAD.ps1 b/Skripty/PowerShell/KontrolaPCprotiAD.ps1 new file mode 100755 index 0000000..e595c71 --- /dev/null +++ b/Skripty/PowerShell/KontrolaPCprotiAD.ps1 @@ -0,0 +1,13 @@ +$serverlist = get-content ServerList.txt +#$file = debug.txt +foreach ($server in $serverlist) { + if (@(Get-ADComputer $server -ErrorAction SilentlyContinue).Count) { + $errorActionPreference = "SilentlyContinue" + + } + else { + Write-Host $server + #$server | Out-File $file + write-output $server | add-content $home\Desktop\NejsouVAD.txt + } +} diff --git a/Skripty/PowerShell/VypisTypuPC.ps1 b/Skripty/PowerShell/VypisTypuPC.ps1 new file mode 100755 index 0000000..0e2da78 --- /dev/null +++ b/Skripty/PowerShell/VypisTypuPC.ps1 
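Review bot: The Kaspersky uninstall call in `InstallTrendMicro.ps1` passes `KLLOGIN=KLAdmin` together with a literal `KLPASSWD=` value, so the management password is committed to the repository and also appears in the `msiexec.exe` command line on every machine the script runs on. The value should be treated as exposed and changed; the script can receive it at run time instead, e.g. `'KLPASSWD=' + $KlPassword` with `$KlPassword` supplied by the deployment tool or a protected store. The MSI is then installed from `\\pn03\Instalace\...` with no check of the package, so running `Get-AuthenticodeSignature` on the file before `Start-Process` would be a cheap guard, assuming the vendor package is signed. The closing `Wait-Event -SourceIdentifier "ProcessStarted" -Timeout 30` looks like it serves only as a 30-second pause; `Start-Sleep -Seconds 30` says that directly.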
@@ -0,0 +1,37 @@ +function check-chassis { +BEGIN {} +PROCESS { + #Write-Output "Processing $_ which is a:-" + $computer = "$_" + $chassis = Get-WmiObject win32_systemenclosure -computer $computer | select chassistypes + if ($chassis.chassistypes -contains '3'){Write-Output "Desktop"} + elseif ($chassis.chassistypes -contains '4'){Write-Output "Low Profile Desktop"} + elseif ($chassis.chassistypes -contains '5'){Write-Output "Pizza Box"} + elseif ($chassis.chassistypes -contains '6'){Write-Output "Mini Tower"} + elseif ($chassis.chassistypes -contains '7'){Write-Output "Tower"} + elseif ($chassis.chassistypes -contains '8'){Write-Output "Portable"} + elseif ($chassis.chassistypes -contains '9'){Write-Output "Laptop"} + elseif ($chassis.chassistypes -contains '10'){Write-Output "Notebook"} + elseif ($chassis.chassistypes -contains '11'){Write-Output "Hand Held"} + elseif ($chassis.chassistypes -contains '12'){Write-Output "Docking Station"} + elseif ($chassis.chassistypes -contains '13'){Write-Output "All in One"} + elseif ($chassis.chassistypes -contains '14'){Write-Output "Sub Notebook"} + elseif ($chassis.chassistypes -contains '15'){Write-Output "Space-Saving"} + elseif ($chassis.chassistypes -contains '16'){Write-Output "Lunch Box"} + elseif ($chassis.chassistypes -contains '17'){Write-Output "Main System Chassis"} + elseif ($chassis.chassistypes -contains '18'){Write-Output "Expansion Chassis"} + elseif ($chassis.chassistypes -contains '19'){Write-Output "Sub Chassis"} + elseif ($chassis.chassistypes -contains '20'){Write-Output "Bus Expansion Chassis"} + elseif ($chassis.chassistypes -contains '21'){Write-Output "Peripheral Chassis"} + elseif ($chassis.chassistypes -contains '22'){Write-Output "Storage Chassis"} + elseif ($chassis.chassistypes -contains '23'){Write-Output "Rack Mount Chassis"} + elseif ($chassis.chassistypes -contains '24'){Write-Output "Sealed-Case PC"} + else {Write-output "Unknown"} + + } +END{} + } + +$a = "localhost" | check-chassis + 
+Write-output $a
diff --git a/Skripty/Python/Broadlink.txt b/Skripty/Python/Broadlink.txt
new file mode 100755
index 0000000..57b58cf
--- /dev/null
+++ b/Skripty/Python/Broadlink.txt
@@ -0,0 +1,10 @@
+# Instalace
+# pip install broadlink
+# pip install cryptography
+
+import broadlink
+
+devices1 = broadlink.sp2(devtype = 0x7547, host=("192.168.15.109",80), mac=bytearray.fromhex("34 EA 34 BD 75 02"))
+devices1.auth()
+devices1.set_power(True)
+# OFF - devices1.set_power(False)
diff --git a/Skripty/Python/DatumCas.py b/Skripty/Python/DatumCas.py
new file mode 100755
index 0000000..bd204ff
--- /dev/null
+++ b/Skripty/Python/DatumCas.py
@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+from datetime import datetime, time
+now = datetime.now()
+now_time = now.time()
+
+
+
+if now_time >= time(6,00) and now_time <= time(22,00):
+ print ('0')
+else:
+ print ('1')
+
+
diff --git a/Skripty/SSH/Bind_replace.sh b/Skripty/SSH/Bind_replace.sh
new file mode 100755
index 0000000..8bbe2e1
--- /dev/null
+++ b/Skripty/SSH/Bind_replace.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+
+
+
+ls | while read line; do sed -i 's/85.239.69.9/85.239.69.7/g' $line; done
+
+grep -rnw * -e "85.239.69.7" | awk '{ print $1 }' | cut -d ":" -f 1 | sort | uniq | while read line; do sed -i 's/[0-9]\{10\}/2022080301/' $line; done
diff --git a/Skripty/SSH/Energetika.sh b/Skripty/SSH/Energetika.sh
new file mode 100755
index 0000000..d3e3842
--- /dev/null
+++ b/Skripty/SSH/Energetika.sh
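Review bot: In `Bind_replace.sh`, the pattern in `sed -i 's/85.239.69.9/85.239.69.7/g' $line` has unescaped dots and no boundaries, so a longer address that merely starts with the same digits (for example a constructed `85.239.69.90`) would be rewritten as well. Escaping the dots and bounding the match, `sed -i 's/\b85\.239\.69\.9\b/85.239.69.7/g' -- "$line"` (GNU sed), limits it to the intended address, and `for f in *; do ...` with a quoted variable avoids parsing `ls`. The second pipeline replaces the first ten-digit run on every line of each matching file with the fixed value `2022080301`, not just the SOA serial, and a serial already higher than that would go backwards. A comment stating the expected serial format, or a check that the old serial is lower, would make the script safer to re-run.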
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+
+hodina=`date +%H`
+datum=`date +%y%m%d`
+cd /root/energetika
+EXISTUJE=`find /var/www/html/cloud.mstefl.cz/data/jana/files -iname "*$datum*" | wc -l`
+
+
+
+if [ "$hodina" = "08" ] || [ "$hodina" = "09" ]; then
+# echo "Hodna pro spusteni";
+ if [ $EXISTUJE -eq 0 ]
+ then
+ #echo "Budu stahovat soubor";
+ wget --user=newton --password=HESLO ftp://ftp.newtonit.cz/"/zce/vstup/Nová energetika/ČEZ - medan interně-"$datum"-0830-Přehled.zip" > /dev/null 2>&1
+ if [ -f "/root/energetika/ČEZ - medan interně-$datum-0830-Přehled.zip" ];
+ then
+ mv "ČEZ - medan interně-$datum-0830-Přehled.zip" /var/www/html/cloud.mstefl.cz/data/jana/files/Energetika/Updates/
+ chown www-data:www-data /var/www/html/cloud.mstefl.cz/data/jana/files/Energetika/Updates/*.zip
+ cd /var/www/html/cloud.mstefl.cz
+ sudo -u www-data php occ files:scan jana
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Jsou nahrana nova data&title=Energetika" -qO- > /dev/null 2>&1 &
+ fi
+
+ fi
+fi
diff --git a/Skripty/SSH/NewServer.sh b/Skripty/SSH/NewServer.sh
new file mode 100755
index 0000000..2c0634b
--- /dev/null
+++ b/Skripty/SSH/NewServer.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+apt -y install sudo
+
+useradd -m -d /home/ansict -s /bin/bash -c "Ansible CT" -U ansict
+sudo usermod -aG sudo ansict
+echo "ansict ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+mkdir /home/ansict/.ssh
+echo "ssh-rsa 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 ansict@ansitest" > /home/ansict/.ssh/authorized_keys2
+chown -R ansict:ansict /home/ansict
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
+
+echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
+echo "AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2" >> /etc/ssh/sshd_config
+
+systemctl restart sshd
diff --git a/Skripty/SSH/ZalohaCloud.sh b/Skripty/SSH/ZalohaCloud.sh
new file mode 100755
index 0000000..27178a2
--- /dev/null
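Review bot: The Pushover `token=` and `user=` values are written into the `--post-data` string in `Energetika.sh` and again in every notification call in `Skripty/SSH/ZalohaCloud.sh` and `Skripty/SSH/ZalohaCloudPrace.sh`. Once committed they should be regenerated, and the scripts should read them from a root-only file (for example `. /etc/pushover.env`, path illustrative) and send `--post-data="token=${PUSHOVER_TOKEN}&user=${PUSHOVER_USER}&..."`. The download uses `wget --user=newton --password=...` against an `ftp://` URL, so the credential is visible in the process list and travels unencrypted; it can move to a `.netrc` with mode 0600, and an encrypted endpoint is worth asking the provider for. `cd /root/energetika` is unchecked, so on failure the later `mv` of a relative file name runs from whatever directory the script started in; `cd /root/energetika || exit 1` closes that.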
+++ b/Skripty/SSH/ZalohaCloud.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+JANA=`find /var/www/html/cloud.mstefl.cz/data/jana/files/ -mtime -1 | wc -l`
+JEIBICHOVA=`find /var/www/html/cloud.mstefl.cz/data/jeibichova/files/ -mtime -1 | wc -l`
+
+find /var/www/html/cloud.mstefl.cz/data/jana/files/ -mtime -1 | wc -l > /mnt/backup/pocty_jana.txt
+find /var/www/html/cloud.mstefl.cz/data/jeibichova/files/ -mtime -1 | wc -l > /mnt/backup/pocty_jeibichova.txt
+
+DATUM=`date +%d%m%Y`;
+DEN=`date +%d`
+
+
+if [ "$DEN" = "01" ]; then
+ tar -cf /mnt/backup/jana_$DATUM.tar --absolute-names /var/www/html/cloud.mstefl.cz/data/jana/files/ > /dev/null 2>&1 &
+ tar -cf /mnt/backup/jeibichova_$DATUM.tar --absolute-names /var/www/html/cloud.mstefl.cz/data/jeibichova/files/ > /dev/null 2>&1 &
+ echo "1" > /mnt/backup/pocty_jana.txt
+ echo "1" > /mnt/backup/pocty_jeibichova.txt
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Probehla pla mesicni zaloha&title=Zaloha na cloudU" -qO- > /dev/null 2>&1 &
+else
+ if [[ $JANA != 0 ]]; then
+ find /var/www/html/cloud.mstefl.cz/data/jana/files/ -mtime -1 -type f -print0 | xargs -0 tar -cvzf /mnt/backup/jana_$DATUM.tar --absolute-names > /dev/null 2>&1 &
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Probehla inkrementalni zaloha Jana&title=Zaloha na cloudU" -qO- > /dev/null 2>&1 &
+ else
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=U uzivatele Jana nedoslo ke zmene&title=Zaloha na cloudU" -qO- > /dev/null 2>&1 &
+ fi
+
+ if [[ $JEIBICHOVA != 0 ]]; then
+ find /var/www/html/cloud.mstefl.cz/data/jeibichova/files/ -mtime -1 -type f -print0 | xargs -0 tar -cvzf /mnt/backup/jeibichova_$DATUM.tar --absolute-names > /dev/null 2>&1 &
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Probehla inkrementalni zaloha Jeibichova&title=Zaloha na cloudU" -qO- > /dev/null 2>&1 &
+ else
+
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=U uzivatele Jeibichova nedoslo ke zmene&title=Zaloha na cloudU" -qO- > /dev/null 2>&1 &
+ fi
+fi
+
+find /mnt/backup/ -type f -mtime +15 -exec rm -f {} +
diff --git a/Skripty/SSH/ZalohaCloudPrace.sh b/Skripty/SSH/ZalohaCloudPrace.sh
new file mode 100755
index 0000000..a33ed71
--- /dev/null
+++ b/Skripty/SSH/ZalohaCloudPrace.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+
+DATUM=`date +%d%m%Y`
+
+
+scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/pocty_jana.txt /var/samba/backup/cloud/jana
+scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/pocty_jeibichova.txt /var/samba/backup/cloud/jana
+
+JANA=`cat /var/samba/backup/cloud/jana/pocty_jana.txt`
+JEIBICHOVA=`cat /var/samba/backup/cloud/jana/pocty_jeibichova.txt`
+
+
+if [[ $JANA != 0 ]]; then
+ scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/jana_$DATUM.tar /var/samba/backup/cloud/jana
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Byla stazena data Jana&title=Stazeni zalohy" -qO- > /dev/null 2>&1 &
+fi
+
+if [[ $JEIBICHOVA != 0 ]]; then
+ scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/jeibichova_$DATUM.tar /var/samba/backup/cloud/jeibichova
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Byla stazena data Jeibichova&title=Stazeni zalohy" -qO- > /dev/null 2>&1 &
+fi
+
+find /var/samba/backup/cloud/ -type f -mtime +30 -exec rm -f {} +
diff --git a/Skripty/SSH/ZalohaCloudStupice.sh b/Skripty/SSH/ZalohaCloudStupice.sh
new file mode 100755
index 0000000..a8b8df6
--- /dev/null
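Review bot: In both incremental branches, `find ... -print0 | xargs -0 tar -cvzf /mnt/backup/jana_$DATUM.tar --absolute-names` can silently lose files. When the file list exceeds one command line, xargs runs tar several times and each `-c` run overwrites the archive written by the previous one. Feeding the list to a single tar avoids that: `find ... -type f -print0 | tar -czf /mnt/backup/jana_$DATUM.tar --absolute-names --null -T -` (likewise for jeibichova). Every tar is also started with `&` and its output discarded, so the "Probehla ... zaloha" notification is sent before the archive is complete and regardless of whether tar failed; run tar in the foreground and send the message only on exit status 0. Note that `-z` writes a gzip stream under a `.tar` name that the two download scripts in this commit rely on, so any rename has to be made in all three files.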
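Review bot: None of the `scp` calls in ZalohaCloudPrace.sh is checked, so `JANA`/`JEIBICHOVA` may be read from a stale or missing counts file. Because `[[ $JANA != 0 ]]` is also true for an empty string, the "Byla stazena data" message goes out even when nothing was copied. Tie the notification to the copy, e.g. `if scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/jana_$DATUM.tar /var/samba/backup/cloud/jana; then wget ...; fi`, and exit early when the counts files cannot be fetched. ZalohaCloudStupice.sh further down has the same unchecked pattern. On the first of the month the server-side script writes `1` into the counts files while its tar jobs are still running in the background, so a download may pick up a partial archive; whether that happens depends on the cron timing, which is not visible here.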
+++ b/Skripty/SSH/ZalohaCloudStupice.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+python /usr/local/bin/disk_on.py
+sleep 10
+sudo mount UUID=570d6099-accd-41e6-8870-0c1fbee5198f /mnt/usbdisk/
+
+DATUM=`date +%d%m%Y`
+
+scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/pocty_jana.txt /mnt/usbdisk/backup/
+scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/pocty_jeibichova.txt /mnt/usbdisk/backup/
+
+JANA=`cat /mnt/usbdisk/backup/pocty_jana.txt`
+JEIBICHOVA=`cat /mnt/usbdisk/backup/pocty_jeibichova.txt`
+
+if [[ $JANA != 0 ]]; then
+ scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/jana_$DATUM.tar /mnt/usbdisk/backup/cloud/jana/
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Byla stazena data Jana&title=Stazeni zalohy" -qO- > /dev/null 2>&1 &
+fi
+
+if [[ $JEIBICHOVA != 0 ]]; then
+ scp -P 2282 mstefl@cloud.eibichova.cz:/mnt/backup/jeibichova_$DATUM.tar /mnt/usbdisk/backup/cloud/jeibichova/
+ wget https://api.pushover.net/1/messages.json --post-data="token=aserhn7trotowcj2xpqowwgyhvmwfi&user=uty4zaivtntn4wuazi724hy18p961u&message=Byla stazena data Jeibichova&title=Stazeni zalohy" -qO- > /dev/null 2>&1 &
+fi
+
+sudo umount /mnt/usbdisk/
+sleep 10
+
+python /usr/local/bin/disk_off.py
diff --git a/Skripty/SSH/ldap_search.sh b/Skripty/SSH/ldap_search.sh
new file mode 100755
index 0000000..bd0fe23
--- /dev/null
+++ b/Skripty/SSH/ldap_search.sh
@@ -0,0 +1,5 @@
+# Pro jednoho
+ldapsearch -LLL -b "DC=ct,DC=czech-tv,DC=cz" -D "CN=Ldap ADReader,OU=ServisniUzivatele,OU=Admins,DC=ct,DC=czech-tv,DC=cz" -H "ldap://ct.czech-tv.cz" -w Buchtickyses0do "(&(objectClass=Person)(sAMAccountName=sm233387))"
+
+# Smycka
+cat users.txt | while read line; do ldapsearch -LLL -b "DC=ct,DC=czech-tv,DC=cz" -D "CN=Ldap ADReader,OU=ServisniUzivatele,OU=Admins,DC=ct,DC=czech-tv,DC=cz" -H "ldap://ct.czech-tv.cz" -w Buchtickyses0do "(&(objectClass=Person)(sAMAccountName=$line))" | grep "mail:"; done
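Review bot: In ZalohaCloudStupice.sh the result of `sudo mount UUID=... /mnt/usbdisk/` is never checked. If the disk has not come up within the 10-second sleep, the following `scp` calls write the backups into the bare mount-point directory on the root filesystem, and the run still ends with the disk powered off. Adding `mountpoint -q /mnt/usbdisk || { python /usr/local/bin/disk_off.py; exit 1; }` directly after the mount stops the run before anything is copied. A `trap` that runs the umount and `disk_off.py` on exit would also keep the disk from staying powered on when a later step aborts.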
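Review bot: Both `ldapsearch` commands in ldap_search.sh pass the bind password with `-w` on the command line and talk to plain `ldap://`. The service-account secret is therefore committed, visible in the process list, and sent unencrypted in the simple bind. Reading it from a protected file with `-y <password-file>` and switching to `-H ldaps://ct.czech-tv.cz` (or adding `-ZZ` for StartTLS, if the directory offers either) addresses both. The same password also appears as `bind_passwd` in Trac/trac.conf in this commit and should be rotated. In the loop, `$line` goes into the filter unescaped and `read` lacks `-r`, so a users.txt entry containing `*`, `(` or `)` changes the query; `while IFS= read -r line` plus skipping names that do not match the expected account format keeps the filter fixed.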
diff --git a/Trac/TracStart.sh b/Trac/TracStart.sh
new file mode 100755
index 0000000..13a7e7d
--- /dev/null
+++ b/Trac/TracStart.sh
@@ -0,0 +1,42 @@
+sudo -u www-data etctracd -p 5544 --pidfile=/var/etctrac.5544 --protocol=http -s /var/www/html/etctrac --basic-auth="*,/etc/nginx/htaccess/etctrac,Restricted"
+
+Install
+mysql://etctrac:sojka123@localhost:3306/etctrac
+
+
+CREATE DATABASE etctrac COLLATE = 'utf8mb4_bin';
+grant all privileges on etctrac.* to etctrac@'localhost' identified by 'sojka123';
+FLUSH PRIVILEGES;
+
+
+
+nginx
+server {
+ listen 443 ssl;
+ server_name etctrac.czech-tv.cz;
+ error_log /var/log/nginx/etctrac.log;
+ access_log /var/log/nginx/etctrac.log;
+ ssl_certificate /etc/nginx/cert/CT.crt;
+ ssl_certificate_key /etc/nginx/cert/CT.key;
+
+ location / {
+ proxy_pass http://127.0.0.1:5544;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ }
+}
+
+
+
+server {
+ if ($host = etctrac.czech-tv.cz) {
+ return 301 https://$host$request_uri;
+ }
+
+listen 80;
+
+server_name etctrac.czech-tv.cz;
+ return 404;
+
+}
diff --git a/Trac/trac.conf b/Trac/trac.conf
new file mode 100755
index 0000000..0bf528e
--- /dev/null
+++ b/Trac/trac.conf
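Review bot: The `etctracd` line serves HTTP with basic auth on port 5544 and gives no bind address, while the nginx block only ever proxies to `127.0.0.1:5544`. If `etctracd` behaves like stock `tracd`, it listens on all interfaces, which leaves the plaintext basic-auth endpoint reachable without TLS; adding `--hostname=127.0.0.1` would restrict it to loopback. The database password is written out twice here (the `mysql://` URL and the `identified by` clause) and again in the `database =` line of Trac/trac.conf, so it should be taken out of the repository and changed. The file has a `.sh` name and executable mode but mixes a command, SQL and nginx configuration, so running it fails after the first line. Prefixing the notes with `#` or renaming it to a text file would make the intent clear.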
@@ -0,0 +1,374 @@ +# -*- coding: utf-8 -*- + +[account-manager] +allow_delete_account = enabled +authentication_url = +db_htdigest_realm = +db_htpasswd_hash_type = crypt +force_passwd_change = enabled +hash_method = HtDigestHashMethod +htdigest_file = +htdigest_realm = +htpasswd_file = +htpasswd_hash_type = crypt +login_attempt_max_count = 0 +password_file = +password_store = +persistent_sessions = disabled +refresh_passwd = disabled +register_check = BasicCheck,EmailCheck,BotTrapCheck,RegExpCheck,UsernamePermCheck +user_lock_max_time = 86400 +user_lock_time = 0 +user_lock_time_progression = 1 +username_char_blacklist = :[] + +[attachment] +max_size = 262144 +max_zip_size = 2097152 +render_unsafe_content = disabled + +[authz_policy] +authz_file = + +[browser] +color_scale = enabled +downloadable_paths = /trunk,/branches/*,/tags/* +hide_properties = svk:merge +intermediate_color = +intermediate_point = +newest_color = (255, 136, 136) +oldest_color = (136, 136, 255) +oneliner_properties = trac:summary +render_unsafe_content = disabled +wiki_properties = trac:description + +[changeset] +max_diff_bytes = 10000000 +max_diff_files = 0 +wiki_format_messages = enabled + +[components] +trac.db.sqlite_backend.sqliteconnector = disabled +trac.prefs.web_ui.advancedpreferencepanel = disabled +trac.prefs.web_ui.generalpreferencepanel = disabled +trac.prefs.web_ui.keybindingspreferencepanel = disabled +trac.prefs.web_ui.localizationpreferencepanel = disabled +trac.prefs.web_ui.preferencesmodule = disabled +trac.prefs.web_ui.userinterfacepreferencepanel = disabled +trac.search.web_ui.searchmodule = disabled +trac.ticket.admin.componentadminpanel = disabled +trac.ticket.admin.milestoneadminpanel = disabled +trac.ticket.admin.priorityadminpanel = disabled +trac.ticket.admin.resolutionadminpanel = disabled +trac.ticket.admin.severityadminpanel = disabled +trac.ticket.admin.ticketadmin = disabled +trac.ticket.admin.tickettypeadminpanel = disabled +trac.ticket.api.ticketsystem = 
disabled +trac.ticket.query.querymodule = disabled +trac.ticket.query.ticketquerymacro = disabled +trac.ticket.report.reportmodule = disabled +trac.ticket.roadmap.defaultticketgroupstatsprovider = disabled +trac.ticket.roadmap.milestonemodule = disabled +trac.ticket.roadmap.roadmapmodule = disabled +trac.ticket.web_ui.ticketmodule = disabled +trac.timeline.web_ui.timelinemodule = disabled +trac.wiki.api.wikisystem = disabled +trac.wiki.web_ui.wikimodule = enabled +tracmenus.web_ui.menumanagermodule = enabled +tracopt.perm.authz_policy.authzpolicy = enabled +tracopt.perm.config_perm_provider.extrapermissionsprovider = enabled +tracopt.ticket.clone.ticketclonebutton = enabled +tracopt.ticket.commit_updater.committicketreferencemacro = enabled +tracopt.ticket.commit_updater.committicketupdater = enabled +tracopt.ticket.deleter.ticketdeleter = enabled +tracopt.versioncontrol.git.* = enabled +tracopt.versioncontrol.git.git_fs.csetpropertyrenderer = enabled +tracopt.versioncontrol.git.git_fs.gitconnector = enabled +tracopt.versioncontrol.git.git_fs.gitwebprojectsrepositoryprovider = enabled +tracopt.versioncontrol.svn.svn_fs.subversionconnector = enabled +tracopt.versioncontrol.svn.svn_prop.subversionmergepropertydiffrenderer = enabled +tracopt.versioncontrol.svn.svn_prop.subversionmergepropertyrenderer = enabled +tracopt.versioncontrol.svn.svn_prop.subversionpropertyrenderer = enabled +trac.db.api.DatabaseManager = enabled + +[git] +cached_repository = enabled +git_bin = git +git_fs_encoding = utf-8 +persistent_cache = disabled +shortrev_len = 7 +trac_user_rlookup = disabled +use_committer_id = enabled +use_committer_time = enabled +wikishortrev_len = 40 + +[gitweb-repositories] +projects_base = http://etectrac.czech-tv.cz:4321 +projects_list = +projects_url = +sync_per_request = + +[header_logo] +alt = (please configure the [header_logo] section in trac.ini) +height = -1 +link = https://etctrac.czech-tv.cz/browser +src = site/Logo_login.png +width = -1 + +[inherit] 
+htdocs_dir = +plugins_dir = +templates_dir = + +[ldap] +basedn = DC=ct,DC=czech-tv,DC=cz +bind_passwd = Buchtickyses0do +bind_user = Ldap ADReader,OU=ServisniUzivatele,OU=Admins,DC=ct,DC=czech-tv,DC=cz +enable = true +global_perms = true +store_bind = true + +[logging] +log_file = /var/log/trac.log +log_format = +log_level = DEBUG +log_type = file + +[mainnav] +admin.order = 8.0 +browser.order = 4.0 +newticket.order = 6.0 +roadmap.order = 3.0 +search.order = 7.0 +tickets.order = 5.0 +timeline.order = 2.0 +wiki.order = 1.0 + +[menu-custom] +managed_menus = mainnav,metanav + +[metanav] +about.order = 5.0 +help.order = 4.0 +login.order = 1.0 +logout.order = 2.0 +logout.redirect = about +prefs.order = 3.0 + +[milestone] +default_group_by = component +default_retarget_to = +stats_provider = DefaultTicketGroupStatsProvider + +[mimeviewer] +max_preview_size = 262144 +mime_map = text/x-dylan:dylan,text/x-idl:ice,text/x-ada:ads:adb +mime_map_patterns = text/plain:README(?!\.rst)|INSTALL(?!\.rst)|COPYING.* +pygments_default_style = trac +pygments_modes = +tab_width = 8 +treat_as_binary = application/octet-stream,application/pdf,application/postscript,application/msword,application/rtf + +[notification] +admit_domains = +ambiguous_char_width = single +batch_subject_template = ${prefix} Batch modify: ${tickets_descr} +default_format.email = text/plain +email_address_resolvers = SessionEmailResolver +email_sender = SmtpEmailSender +ignore_domains = +message_id_hash = md5 +mime_encoding = none +sendmail_path = mailx +smtp_always_bcc = +smtp_always_cc = +smtp_default_domain = +smtp_enabled = disabled +smtp_from = trac@localhost +smtp_from_author = disabled +smtp_from_name = +smtp_password = +smtp_port = 25 +smtp_replyto = Martin.Stefl@ceskatelevize.cz +smtp_server = mail.czech-tv.cz +smtp_subject_prefix = __default__ +smtp_user = +ticket_subject_template = ${prefix} #${ticket.id}: ${summary} +use_public_cc = disabled +use_short_addr = disabled +use_tls = disabled + 
+[notification-subscriber] +always_notify_cc = CarbonCopySubscriber +always_notify_previous_updater = TicketPreviousUpdatersSubscriber +always_notify_updater = TicketUpdaterSubscriber + +[project] +admin = +admin_trac_url = . +descr = SVN pro name servery +footer = Visit the Trac open source project at
http://trac.edgewall.org/ +icon = common/trac.ico +name = CT Trac +url = http://etctrac.czech-tv.cz/browser + +[query] +default_anonymous_query = status!=closed&cc~=$USER +default_query = status!=closed&owner=$USER +items_per_page = 100 +ticketlink_query = ?status=!closed + +[report] +items_per_page = 100 +items_per_page_rss = 0 + +[repositories] +.dir = /var/lib/git/oxidized.git +.type = git +ns_servery.dir = /var/www/svn/ +project.description = This is the ''main'' project repository. +project.type = svn + +[revisionlog] +default_log_limit = 100 +graph_colors = #cc0,#0c0,#0cc,#00c,#c0c,#c00 + +[roadmap] +stats_provider = DefaultTicketGroupStatsProvider + +[search] +default_disabled_filters = +min_query_length = 3 + +[sqlite] +extensions = + +[svn] +authz_file = +authz_module_name = +branches = trunk,branches/* +eol_style = native +tags = tags/* + +[theme] +enable_css = disabled +theme = default + +[ticket] +allowed_empty_fields = milestone,version +commit_ticket_update_check_perms = enabled +commit_ticket_update_commands.close = close closed closes fix fixed fixes +commit_ticket_update_commands.refs = addresses re references refs see +commit_ticket_update_envelope = +commit_ticket_update_notify = enabled +default_cc = +default_component = +default_description = +default_keywords = +default_milestone = +default_owner = < default > +default_priority = major +default_resolution = fixed +default_severity = +default_summary = +default_type = defect +default_version = +max_comment_size = 262144 +max_description_size = 262144 +max_summary_size = 262144 +preserve_newlines = default +restrict_owner = disabled +workflow = ConfigurableTicketWorkflow + +[ticket-workflow] +accept = new,assigned,accepted,reopened -> accepted +accept.operations = set_owner_to_self +accept.permissions = TICKET_MODIFY +create = -> new +create.default = 1 +create_and_assign = -> assigned +create_and_assign.label = assign +create_and_assign.operations = may_set_owner +create_and_assign.permissions 
= TICKET_MODIFY +leave = * -> * +leave.default = 1 +leave.operations = leave_status +reassign = new,assigned,accepted,reopened -> assigned +reassign.operations = set_owner +reassign.permissions = TICKET_MODIFY +reopen = closed -> reopened +reopen.operations = del_resolution +reopen.permissions = TICKET_CREATE +resolve = new,assigned,accepted,reopened -> closed +resolve.operations = set_resolution +resolve.permissions = TICKET_MODIFY + +[timeline] +abbreviated_messages = enabled +changeset_collapse_events = disabled +changeset_long_messages = disabled +changeset_show_files = 0 +default_daysback = 30 +max_daysback = 90 +newticket_formatter = oneliner +ticket_show_component = disabled +ticket_show_details = disabled + +[trac] +anonymous_session_lifetime = 90 +auth_cookie_domain = +auth_cookie_lifetime = 0 +auth_cookie_path = +auto_preview_timeout = 2.0 +auto_reload = disabled +backup_dir = db +base_url = +check_auth_ip = disabled +database = mysql://trac:sojka123@localhost:3306/trac +debug_sql = disabled +default_charset = utf-8 +default_date_format = +default_dateinfo_format = relative +default_handler = BrowserModule +default_language = cs +default_timezone = Europe/Prague +genshi_cache_size = 128 +htdocs_location = +ignore_auth_case = disabled +jquery_location = +jquery_ui_location = +jquery_ui_theme_location = +mysqldump_path = mysqldump +never_obfuscate_mailto = disabled +permission_policies = DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy +permission_store = DefaultPermissionStore +request_filters = +resizable_textareas = enabled +secure_cookies = disabled +show_email_addresses = disabled +show_full_names = enabled +show_ip_addresses = disabled +timeout = 20 +use_base_url_for_redirect = disabled +use_chunked_encoding = disabled +use_xsendfile = disabled +wiki_toolbars = enabled +xsendfile_header = X-Sendfile + +[tracnav] +provide_jpnav = disabled + +[versioncontrol] +allowed_repository_dir_prefixes = +default_repository_type 
= svn + +[wiki] +default_edit_area_height = 20 +ignore_missing_pages = disabled +max_size = 262144 +render_unsafe_content = disabled +safe_origins = data: +safe_schemes = cvs,file,ftp,git,irc,http,https,news,sftp,smb,ssh,svn,svn+ssh +split_page_names = disabled + +ct@wikisystemaci:~$ diff --git a/TrendMicro/PHA_WIN_DETECT.ps1 b/TrendMicro/PHA_WIN_DETECT.ps1 new file mode 100755 index 0000000..cdc6a85 --- /dev/null +++ b/TrendMicro/PHA_WIN_DETECT.ps1 
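Review bot: `secure_cookies = disabled` in `[trac]` leaves the session cookie without the Secure flag although the site is meant to be reached over HTTPS (`[header_logo] link`, and the nginx block in Trac/TracStart.sh), so the browser may send it over the port-80 listener; `secure_cookies = enabled` fits this deployment. `log_level = DEBUG` with `log_type = file` is verbose for a production instance with LDAP authentication enabled, and it is worth checking what the plugin writes at that level; `log_level = WARNING` or `INFO` is the safer choice. `[account-manager] login_attempt_max_count = 0` together with `user_lock_time = 0` looks like login throttling is off, which should be confirmed against the plugin documentation. The last line of the file, `ct@wikisystemaci:~$`, is a shell prompt pasted in with the content and should be removed.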
@@ -0,0 +1,62 @@ + +#requires -version 4.0 + +# PowerShell 4 or up is required to run this script +# This script detects platform and architecture. It then downloads and installs the relevant Deep Security Agent package + +if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { + Write-Warning "You are not running as an Administrator. Please try again with admin privileges." + exit 1 +} + +$managerUrl="https://workload.de-1.cloudone.trendmicro.com:443/" + +$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer" +New-Item -path $env:LogPath -type directory +Start-Transcript -path "$env:LogPath\dsa_deploy.log" -append + +echo "$(Get-Date -format T) - DSA download started" +if ( [intptr]::Size -eq 8 ) { + $sourceUrl=-join($managerUrl, "software/agent/Windows/x86_64/agent.msi") } +else { + $sourceUrl=-join($managerUrl, "software/agent/Windows/i386/agent.msi") } +echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl + +$ACTIVATIONURL="dsm://agents.workload.de-1.cloudone.trendmicro.com:443/" + +$WebClient = New-Object System.Net.WebClient + +# Add agent version control info +$WebClient.Headers.Add("Agent-Version-Control", "on") +$WebClient.QueryString.Add("tenantID", "16055") +$WebClient.QueryString.Add("windowsVersion", (Get-CimInstance Win32_OperatingSystem).Version) +$WebClient.QueryString.Add("windowsProductType", (Get-CimInstance Win32_OperatingSystem).ProductType) + +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; + +Try +{ + $WebClient.DownloadFile($sourceUrl, "$env:temp\agent.msi") +} Catch [System.Net.WebException] +{ + echo " Please check that your Workload Security Manager TLS certificate is signed by a trusted root certificate authority." + exit 2; +} + +if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) { + echo "Failed to download the Deep Security Agent. 
Please check if the package is imported into the Workload Security Manager. " + exit 1 +} +echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length + +echo "$(Get-Date -format T) - DSA install started" +echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode +echo "$(Get-Date -format T) - DSA activation started" + +Start-Sleep -s 50 +& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -r +& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a $ACTIVATIONURL "tenantID:A81DBFF5-5CDE-EB5F-8F5D-EF3F75B718A1" "token:30F394D6-2CAB-DA5A-911D-62AD64593936" "policyid:35" "groupid:34" +#& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a dsm://agents.workload.de-1.cloudone.trendmicro.com:443/ "tenantID:A81DBFF5-5CDE-EB5F-8F5D-EF3F75B718A1" "token:30F394D6-2CAB-DA5A-911D-62AD64593936" "policyid:35" "groupid:34" +Stop-Transcript +echo "$(Get-Date -format T) - DSA Deployment Finished" + diff --git a/TrendMicro/PHA_WIN_PROTECT.ps1 b/TrendMicro/PHA_WIN_PROTECT.ps1 new file mode 100755 index 0000000..6d5dfe3 --- /dev/null +++ b/TrendMicro/PHA_WIN_PROTECT.ps1 
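Review bot: The downloaded `$env:temp\agent.msi` is handed to `msiexec` under an Administrator token after only a zero-length check; nothing verifies that the package is the vendor's. A signature check before the install line would close that: `$sig = Get-AuthenticodeSignature "$env:temp\agent.msi"; if ($sig.Status -ne 'Valid') { exit 3 }`, ideally also comparing the signer subject. The activation `tenantID:` and `token:` values are hard-coded in the `dsa_control -a` line and in the commented-out copy below it, so anyone who can read the repository can presumably register agents against this tenant; pass them as parameters or read them from a protected store, and rotate the token. `/i $env:temp\agent.msi` is unquoted inside the argument list and breaks when the temp path contains a space. TrendMicro/PHA_WIN_PROTECT.ps1 is the same script with a different `groupid`, and the same three points apply to it.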
@@ -0,0 +1,62 @@ + +#requires -version 4.0 + +# PowerShell 4 or up is required to run this script +# This script detects platform and architecture. It then downloads and installs the relevant Deep Security Agent package + +if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { + Write-Warning "You are not running as an Administrator. Please try again with admin privileges." + exit 1 +} + +$managerUrl="https://workload.de-1.cloudone.trendmicro.com:443/" + +$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer" +New-Item -path $env:LogPath -type directory +Start-Transcript -path "$env:LogPath\dsa_deploy.log" -append + +echo "$(Get-Date -format T) - DSA download started" +if ( [intptr]::Size -eq 8 ) { + $sourceUrl=-join($managerUrl, "software/agent/Windows/x86_64/agent.msi") } +else { + $sourceUrl=-join($managerUrl, "software/agent/Windows/i386/agent.msi") } +echo "$(Get-Date -format T) - Download Deep Security Agent Package" $sourceUrl + +$ACTIVATIONURL="dsm://agents.workload.de-1.cloudone.trendmicro.com:443/" + +$WebClient = New-Object System.Net.WebClient + +# Add agent version control info +$WebClient.Headers.Add("Agent-Version-Control", "on") +$WebClient.QueryString.Add("tenantID", "16055") +$WebClient.QueryString.Add("windowsVersion", (Get-CimInstance Win32_OperatingSystem).Version) +$WebClient.QueryString.Add("windowsProductType", (Get-CimInstance Win32_OperatingSystem).ProductType) + +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; + +Try +{ + $WebClient.DownloadFile($sourceUrl, "$env:temp\agent.msi") +} Catch [System.Net.WebException] +{ + echo " Please check that your Workload Security Manager TLS certificate is signed by a trusted root certificate authority." + exit 2; +} + +if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) { + echo "Failed to download the Deep Security Agent. 
Please check if the package is imported into the Workload Security Manager. " + exit 1 +} +echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length + +echo "$(Get-Date -format T) - DSA install started" +echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode +echo "$(Get-Date -format T) - DSA activation started" + +Start-Sleep -s 50 +& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -r +& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a $ACTIVATIONURL "tenantID:A81DBFF5-5CDE-EB5F-8F5D-EF3F75B718A1" "token:30F394D6-2CAB-DA5A-911D-62AD64593936" "policyid:35" "groupid:35" +#& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a dsm://agents.workload.de-1.cloudone.trendmicro.com:443/ "tenantID:A81DBFF5-5CDE-EB5F-8F5D-EF3F75B718A1" "token:30F394D6-2CAB-DA5A-911D-62AD64593936" "policyid:35" "groupid:35" +Stop-Transcript +echo "$(Get-Date -format T) - DSA Deployment Finished" + diff --git a/mqtt/mqtt_pub.txt b/mqtt/mqtt_pub.txt new file mode 100755 index 0000000..43896ae --- /dev/null +++ b/mqtt/mqtt_pub.txt @@ -0,0 +1,2 @@ +mosquitto_pub -h 192.168.1.20 -t "node/dvere/relay/set" -m "2" +
KdeSvetloVlhkostTeplotaTlakTimestamp
' . $row_sensor . '' . $row_location . '' . $row_value1 . '' . $row_value2 . '' . $row_value3 . '' . date("l dS \o\f F Y h:i:s A",strtotime("$row_reading_time")) . '
' . $row_sensor . '' . $row_location . '' . $row_value1 . '' . $row_value2 . '' . $row_value3 . '' . date("l dS \o\f F Y h:i:s A",strtotime("$row_reading_time")) . '