- Added configuration files

jailspaces/js.conf

@@ -0,0 +1,74 @@
+_USER_LIST_CMD="members webspaceuser | tr \" \" \"\n\""
+_NGINX_CONF="/etc/nginx/conf.d/@USERNAME@.conf"
+_NGINX_USER="nginx"
+_NGINX_USERGROUP="nginx"
+_PHP_FPM_CONF="/etc/php5/fpm/pool.d/@USERNAME@.conf"
+_PHP_FPM_CHROOT="/home/www/@USERNAME@/chroot"
+_PHP_FPM_CHROOT_DIRS="\
+	/,0010,root:@USERNAME@,d \
+	/data-@USERNAME@,0070,root:@USERNAME@,d \
+	/log,0030,root:@USERNAME@,d  \
+	/tmp,0010,root:@USERNAME@,d \
+	/tmp/misc,0030,root:@USERNAME@,d \
+	/tmp/session,0030,root:@USERNAME@,d \
+	/tmp/wsdl,0030,root:@USERNAME@,d \
+	/tmp/upload,0030,root:@USERNAME@,d \
+	/log/php5-fpm.log,0600,root:@USERNAME@,f \
+	/log/php5-fpm-slow.log,0600,root:@USERNAME@,f"
+
+_PHP_FPM_CHROOT_BIND="\
+	/usr/share/zoneinfo \
+	/dev/urandom \
+	/dev/zero \
+	/dev/null \
+	/etc/resolv.conf \
+	/lib/x86_64-linux-gnu/libnss_dns.so.2 \
+	/usr/share/ca-certificates \
+	/etc/ssl/certs"
+_PHP_FPM_CHROOT_BIND_LOCAL="/home/www/@USERNAME@/bind.conf"
+_SYSTEMD_UNIT_DIR="/etc/systemd/system"
+_SYSTEMD_ENABLE=true
+
+_NGINX_CONF_TEMPLATE="/etc/jailspaces/template/nginx.conf.template"
+_NGINX_CONF_TEMPLATE_OWNER="$_NGINX_USER:$_NGINX_USERGROUP"
+_NGINX_CONF_TEMPLATE_MODE="0644"
+
+_PHP_FPM_CONF_TEMPLATE="/etc/jailspaces/template/php5-fpm.conf.template"
+_PHP_FPM_CONF_TEMPLATE_OWNER="root:root"
+_PHP_FPM_CONF_TEMPLATE_MODE="0660"
+
+_LETS_ENCRYPT_ENABLE=true
+_LETS_ENCRYPT_USER="certmanager"
+_LETS_ENCRYPT_USERGROUP="certmanager" # $_NGINX_USER and $_LETS_ENCRYPT_USER must be member of this group
+_LETS_ENCRYPT_ACCOUNT_KEY="/home/certmanager/account.key"
+_LETS_ENCRYPT_SERVER_KEY="/home/certmanager/service.key"
+_LETS_ENCRYPT_DHPARAMS="/home/certmanager/service.dhparam"
+_LETS_ENCRYPT_DHPARAMS_LENGTH=4096 # DHParam length
+_LETS_ENCRYPT_CHALLENGE_DIR="/home/certmanager/acme-challenge"
+_LETS_ENCRYPT_ACME_TINY="/home/certmanager/acme-tiny/acme_tiny.py"
+_LETS_ENCRYPT_EXPIRY=$((60*60*24*2))
+_LETS_ENCRYPT_KEYLENGTH=4096 # RSA keylength
+_LETS_ENCRYPT_INTERMEDIATE="/home/certmanager/intermediate.pem"
+_LETS_ENCRYPT_INTERMEDIATE_URL="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
+
+_LETS_ENCRYPT_CSR_DIR="/home/certmanager/csr"
+_LETS_ENCRYPT_CSR_MODE="0640"
+_LETS_ENCRYPT_CRT_DIR="/home/certmanager/crt"
+_LETS_ENCRYPT_CRT_MODE="0644"
+
+# Command to add new users. @USERNAME@ will be replaced by the new username. 
+# The username is allowed to contain [A-Za-z0-9] and 4 to 10 character
+# After this command is executed.
+# 	+ The new user must be present to the system (id <username>).
+#	+ The new user must belong to a system group with same name.
+# 	+ The command specified in $_USER_LIST_CMD must list the new user.
+#	+ The exitcode must be 0 on success and !=0 on failure
+_USER_CREATE_CMD="useradd -b /home/www -k /dev/null -G webspaceuser -m  \"@USERNAME@\""
+
+
+_USER_DELETE_CMD="deluser \"@USERNAME@\"; delgroup \"@USERNAME@\"; rm -rf \"/home/www/@USERNAME@\""
+_POST_CREATE_CMD="install_template \"/etc/jailspaces/template/index.php.template\" \"$_PHP_FPM_CHROOT/data-@USERNAME@/index.php\" @USERNAME@:@USERNAME@ 0440 USERNAME @USERNAME@"
+
+_NGINX_ADD_GROUP_CMD="usermod -a -G \"@USERNAME@\" \"$_NGINX_USER\""
+_RELOAD_NGINX_CMD="systemctl reload-or-restart nginx" # This command must be in sudoers file for _LETS_ENCRYPT_USER with NOPASSWD:
+_RELOAD_PHP_FPM_CMD="systemctl reload-or-restart php5-fpm"

jailspaces/nginx/acme.conf

@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+	alias /home/certmanager/acme-challenge/;
+	try_files $uri =404;
+}

jailspaces/nginx/tls.conf

@@ -0,0 +1,23 @@
+listen 0.0.0.0:443 ssl;
+listen [::]:443 ssl;
+
+keepalive_timeout 70;
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 10m;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver [::1] 127.0.0.1;
+resolver_timeout 2s;
+
+ssl_dhparam /home/certmanager/service.dhparam;
+ssl_certificate_key /home/certmanager/service.key;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+# Ciphersuite "Modern compatibility" by Mozilla OpSec team
+# See https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+
+add_header Strict-Transport-Security max-age=15768000;

jailspaces/template/index.php.template

@@ -0,0 +1,24 @@
+<?php
+	isset($_GET['PHPINFO']) && phpinfo() && die;
+?>
+<html>
+	<head>
+		<title>@USERNAME@</title>
+	</head>
+
+	<body>
+		<h1>JailSpace @USERNAME@</h1>
+		
+		<p>
+		This webspace was just created.
+		</p>
+
+
+		<ul>
+			<li><a href="?PHPINFO">Inspect PHP configuration</a></li>
+			<li><a href="https://www.ssllabs.com/ssltest/analyze.html?d=<?php echo urlencode($_SERVER['HTTP_HOST']); ?>&amp;hideResults=on&amp;clearCache=on">Test SSL configuration</a></li>
+		<ul>
+
+	</body>
+
+</html>

jailspaces/template/nginx.conf.template

@@ -0,0 +1,33 @@
+server {
+        listen 0.0.0.0:80;
+        listen [::]:80;
+	server_name  @DOMAINS@;
+        include /etc/jailspaces/nginx/acme.conf;
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+
+
+server {
+	include /etc/wss/nginx/tls.conf;
+	ssl_certificate /home/certmanager/crt/@USERNAME@.crt;
+        server_name  @DOMAINS@;
+
+        root /home/www/@USERNAME@/chroot/data-@USERNAME@;
+        index index.html index.htm index.php;
+
+        location / {
+                try_files $uri $uri/ =404;
+        }
+
+        location ~ \.php$ {
+		try_files  $uri =404;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_pass unix:/var/run/php5-fpm-@USERNAME@.sock;
+                fastcgi_param SCRIPT_FILENAME /data-@USERNAME@$fastcgi_script_name;
+        }
+
+        include /etc/jailspaces/nginx/acme.conf;
+}
+

jailspaces/template/php5-fpm.conf.template

@@ -0,0 +1,56 @@
+[@USERNAME@]
+user = $pool
+group = $pool
+
+listen = /var/run/php5-fpm-$pool.sock
+listen.owner = nginx
+listen.group = nginx
+
+pm = ondemand
+pm.process_idle_timeout = 10
+pm.max_children = 5
+;pm = dynamic
+;pm.max_children = 5
+;pm.start_servers = 2
+;pm.min_spare_servers = 1
+;pm.max_spare_servers = 3
+ 
+pm.status_path = /php5-fpm-status 
+ping.path = /php5-fpm-ping
+
+access.log = /home/www/$pool/chroot/log/php5-fpm-pool.log 
+slowlog = /home/www/$pool/chroot/log/php5-fpm-slow.log
+request_slowlog_timeout = 15s
+
+chroot = /home/www/$pool/chroot/
+ 
+chdir = /
+
+# Flags & limits
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_flag[expose_php] = off
+php_admin_value[memory_limit] = 32M
+php_admin_value[post_max_size] = 24M
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[cgi.fix_pathinfo] = 0
+
+# Session
+php_admin_value[session.entropy_length] = 1024
+php_admin_value[session.cookie_httponly] = on
+php_admin_value[session.hash_function] = sha512
+php_admin_value[session.hash_bits_per_character] = 6
+php_admin_value[session.gc_probability] = 1
+php_admin_value[session.gc_divisor] = 1000
+php_admin_value[session.gc_maxlifetime] = 1440
+
+# Pathes
+php_admin_value[include_path] = .
+php_admin_value[open_basedir] = /data-$pool/:/tmp/misc/:/tmp/upload/
+php_admin_value[sys_temp-dir] = /tmp/misc
+php_admin_value[upload_tmp_dir] = /tmp/upload
+php_admin_value[session.save_path] = /tmp/session
+php_admin_value[soap.wsdl_cache_dir] = /tmp/wsdl
+php_admin_value[sendmail_path] = /bin/sendmail -f -i
+php_admin_value[session.entropy_file] = /dev/urandom
+php_admin_value[openssl.capath] = /etc/ssl/certs