Add info about potentially breaking quota

2022-08-14 21:33:07 +02:00
parent 125c13dd3c
commit 1102c314ca
3 changed files with 10 additions and 9 deletions

View File

@ -90,7 +90,14 @@ To harden the system and hide pids from non-root users, also add the following:
proc /proc proc defaults,hidepid=2 0 0
```
As time syncronisation is important, you should configure ntp servers in `/etc/systemd/timesyncd.conf` and make them match with the entries in `/etc/rc.local` iptables configuration
And add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` options to the `/home` mountpoint (if not a separate partition, the `/` mointpoint and `noatime`to `/`. Then initialize quota (replace `/home` with `/`, if you do not have a separate partition):
```
mount -o remount /home
quotacheck -cMu /home
quotaon /home
```
In some cases, you might get an error, that quota is not supported. This is usually the case in virtual environments. Make sure you have the full kernel installed, not one with a `-virtual` package. They usually are `linux-image-amd64`, `linux-image-arm64` or `linux-image-generic`, depending on your distribution. Also make sure, you are running a real virtual machine (e.g. KVM). Some providers sell containerized VPSes (e.g. OpenVZ), which means you don't run your own kernel...
Enable the PHP-FPM default instances and nginx:
```
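Review bot: the new fstab sentence beginning "And add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` options" has an unbalanced parenthesis and two typos ("mointpoint", and the missing space in "`noatime`to"), so the instruction is hard to follow; suggest rewording to "add the ... options to the `/home` mountpoint (or, if `/home` is not a separate partition, to the `/` mountpoint) and `noatime` to `/`." The line above it should read "synchronisation" and needs a terminating period. Since that line tells the reader to keep the NTP server list identical to the iptables rules in `/etc/rc.local`, it would help to add a verification step such as `timedatectl timesync-status` once the firewall is loaded: a mismatch between the two lists only shows up as silent clock drift, which matters for TLS certificate validation and for Tor, which needs an accurate clock.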
@ -99,13 +106,6 @@ systemctl enable php8.0-fpm@default
systemctl enable nginx
```
Edit `/etc/fstab` and add the `noatime,usrjquota=aquota.user,jqfmt=vfsv1` option to the `/home` mountpoint and `noatime`to `/`. Then initialize quota:
```
mount -o remount /home
quotacheck -cMu /home
quotaon /home
```
Install sodium_compat for v3 hidden_service support
```
cd /var/www && composer install
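Review bot: the removed paragraph named the file to edit ("Edit `/etc/fstab` and add ..."), but the replacement text added earlier in this file only says to add the options "to the `/home` mountpoint" without saying where; keep the explicit `/etc/fstab` reference in the moved paragraph so the reader knows which file to modify. The removed command block (`mount -o remount /home`, `quotacheck -cMu /home`, `quotaon /home`) is reproduced unchanged in the new location, so nothing else is lost by the move.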

View File

@ -69,7 +69,7 @@ ip6tables -A OUTPUT -d $clearnet -j ACCEPT
#accet IPv6 ICMP packages required for SLAAC
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
#allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf
#allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf)
for clearnet in 164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9; do(
iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN
iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
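Review bot: the replaced comment line only fixes the missing closing parenthesis; the typos "querriying" and "mach" (and "accet" in the context above) remain and could be corrected in the same touch. More importantly, the loop only creates IPv4 rules for the four NTP servers, while the `timesyncd.conf` in this same commit also lists four IPv6 addresses; in the visible context there is no `ip6tables` rule permitting UDP 123 to them, so unless one exists elsewhere in the file those servers are unreachable and timesyncd will keep retrying them. Either add matching `ip6tables -A OUTPUT -p udp --dport 123 -d <addr> -j ACCEPT` rules or drop the IPv6 entries from `timesyncd.conf` so the two lists really do match, as the comment requires.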

View File

@ -12,6 +12,7 @@
# See timesyncd.conf(5) for details.
[Time]
#These must mach with firewll config in /etc/systemd/timesyncd.conf
Servers=164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9 2a02:c207:3004:9819::1 2a03:4000:27:602:d4cf:50ff:fedb:b65a 2a01:4f8:110:12d5::2 2a01:4f8:c17:b041::1
#NTP=
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
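Review bot: `Servers=` is not a key that systemd-timesyncd recognises in the `[Time]` section; per timesyncd.conf(5) the keys are `NTP=` and `FallbackNTP=`, both visible commented out directly below. timesyncd logs the unknown key, ignores it, and falls back to the Debian pool hostnames in `FallbackNTP`, which the firewall in this commit does not allow, so time synchronisation fails silently. Change the line to `NTP=164.68.124.74 185.244.195.159 ...` with the same address list; the fallback is only consulted when `NTP=` is unset, so a correct `NTP=` line makes the pool entries irrelevant. The comment above it also points at the wrong file: according to the README change in this commit the firewall configuration lives in `/etc/rc.local`, not in `/etc/systemd/timesyncd.conf`, and "mach"/"firewll" should read "match"/"firewall".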