# Kernel image. The tag embeds the upstream version (4.9.140, an old LTS
# series -- check it still carries current stable fixes) plus the git commit
# it was built from. The "-dirty" suffix is git's marker for a build made
# from a tree with uncommitted changes, so the exact config/patches cannot be
# reproduced from that commit alone. Rebuild from a clean commit, and pin by
# image digest (@sha256:...) rather than by this mutable tag.
kernel:
  image: nemunaire/kernel:4.9.140-4080ab71159a0b09a0b2ce7d87a7cb7fd719e35d-dirty-amd64
  # Serial console first so boot output goes to ttyS0 as well as the VGA console.
  cmdline: "console=ttyS0 console=tty0"
4
# Base userland unpacked into the root filesystem before any container runs.
# The linuxkit/* entries are pinned to 40-hex hash tags and fall under the
# `trust:` org list at the bottom of this file. nemunaire/mdadm is pinned to
# a hash tag as well but its org is NOT in the trust list, so it is pulled
# on tag alone -- pin it by digest if it cannot be signed.
init:
  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
  - linuxkit/containerd:326b096cd5fbab0f864e52721d036cade67599d6
  - linuxkit/ca-certificates:v0.6
  # Unpacked here, but the getty service is commented out under `services:`,
  # so no console login is started at runtime.
  - linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
  # Presumably provides mdadm for the /dev/md0 array mounted in onboot; the
  # array assembly step itself is not visible in this file.
  - nemunaire/mdadm:18541ef20acd7e67e07bb2bde4f378239e67c42d
12
# One-shot containers, run in list order before `services:` start.
onboot:
  # Load the e1000e (Intel gigabit) NIC driver so eth0/eth1 exist for the
  # ip-setup steps below.
  - name: mod
    image: linuxkit/modprobe:v0.6
    command: ["/bin/sh", "-c", "modprobe e1000e"]
17
18 #  - name: sysctl
19 #    image: linuxkit/sysctl:v0.6
20 #    command: ["/usr/bin/sysctl", "-w", "net.ipv6.conf.all.disable_ipv6=1"]
21
  # Filesystem
  # Swap on raw partitions, with no encryption layer visible here: anything
  # paged out (DB pages, the FICCA_PASS environment below, the SSH private
  # key in fic-synchro) can land on disk in clear. Consider dm-crypt-backed
  # swap (check whether the linuxkit/swap version in use supports it) or no
  # swap at all.
  - name: swap
    image: linuxkit/swap:v0.6
    command: ["/sbin/swapon", "/dev/sda2", "/dev/sdb2"]
  # All persistent state (DB, PKI, team files, submissions) lives on the md0
  # array mounted here; every service below binds subdirectories of it. No
  # at-rest encryption is visible in this file.
  - name: mount
    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "-device", "/dev/md0", "/var/lib/fic" ]
29
30     # Network
31 #  - name: dhcpcd
32 #    image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
33 #    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
34 #  - name: ntp
35 #    image: linuxkit/openntpd:536e5947607c9e6a6771957c2ff817230cba0d3c
  # Network topology built by the next five steps:
  #   synchro netns     eth0 10.10.10.1/29              (link to the peer at 10.10.10.2)
  #   fic-admin netns   eth1 192.168.23.1/24            (admin LAN)
  #                     vethin-admin 172.17.0.2/24      (internal bridge)
  #   fic-backend netns vethin-backend 172.17.0.3/24    (internal bridge)
  #   db netns          vethin-db 172.17.0.4/24         (internal bridge)
  #   root netns        br0 172.17.0.1/24 with the veth-* peers enslaved
  # The `interfaces:` entries move/create the named interfaces inside the
  # new netns, which `bindNS` then pins under /run/netns for the services.
  # Bridge peers talk at L2, so only each netns's own INPUT chain filters
  # them (see the firewall-* steps: backend and db get none). Each command
  # chains its `ip` calls with `;`, so a failed address assignment does not
  # fail the step.
  - name: synchro-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 10.10.10.1/29 dev eth0; ip link set eth0 up;" ]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/synchro
  - name: admin-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 192.168.23.1/24 dev eth1; ip link set eth1 up; ip a add 172.17.0.2/24 dev vethin-admin; ip link set vethin-admin up;" ]
    net: new
    runtime:
      interfaces:
        - name: eth1
        - name: vethin-admin
          add: veth
          peer: veth-admin
      bindNS:
        net: /run/netns/fic-admin
  - name: backend-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.0.3/24 dev vethin-backend; ip link set vethin-backend up;" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-backend
          add: veth
          peer: veth-backend
      bindNS:
        net: /run/netns/fic-backend
  - name: mysql-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.0.4/24 dev vethin-db; ip link set vethin-db up;" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-db
          add: veth
          peer: veth-db
      bindNS:
        net: /run/netns/db
  # Runs in the root netns (no `net:`): creates br0 and enslaves the host
  # side of each veth pair. Nothing in this file applies iptables rules in
  # the root netns; no service here listens there either, as far as visible.
  - name: bridge-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.0.1/24 dev br0; ip link set veth-admin master br0; ip link set veth-backend master br0; ip link set veth-db master br0; ip link set br0 up; ip link set veth-admin up; ip link set veth-backend up; ip link set veth-db up;" ]
    runtime:
      interfaces:
        - name: br0
          add: bridge
86
  # Per-netns firewalls. Only the two netns with an external interface get
  # rules (synchro: eth0; fic-admin: eth1). The fic-backend and db netns get
  # none, so db:3306 (and anything fic-backend may listen on) is open to
  # every bridge peer.
  # Both steps chain the two restores with `;`: a failed restore (syntax
  # error, match/target the kernel cannot load) is not reflected in the exit
  # status and the netns simply boots with NO filtering. `&&` or `set -e`
  # would at least surface it in the onboot log. They also invoke /bin/bash
  # while every other linuxkit/ip step in this file uses /bin/sh -- confirm
  # bash exists in linuxkit/ip:v0.6; if not, the command fails and, again,
  # nothing is applied.
  - name: firewall-synchro
    image: linuxkit/ip:v0.6
    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-synchro.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
    binds:
      - /etc/iptables/rules-synchro.v4:/etc/iptables/rules-synchro.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/synchro
    runtime:
      mkdir:
        # Unrelated to the firewall; the fic-synchro service already
        # declares this directory.
        - /var/lib/fic/teams
  - name: firewall-admin
    image: linuxkit/ip:v0.6
    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-admin.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
    binds:
      - /etc/iptables/rules-admin.v4:/etc/iptables/rules-admin.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/fic-admin
104
105 services:
106 #  - name: getty
107 #    image: linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
108 #    env:
109 #      - INSECURE=true
  # Hardware RNG daemon feeding the kernel entropy pool. No `net:` given,
  # so it runs with LinuxKit's default network setting; it does not need
  # network access.
  - name: rngd
    image: linuxkit/rngd:v0.6
  # MariaDB for the fic-* services, alone in the `db` netns (172.17.0.4 on
  # the internal bridge). No iptables rules are applied in that netns (only
  # synchro and fic-admin get a firewall-* step), so 3306 is reachable from
  # every bridge peer and the credentials below are the only barrier.
  - name: db
    # `latest` is a floating tag: the deployed server version changes on
    # every rebuild. Content trust covers `library/` (see `trust:`) but does
    # not make this reproducible -- pin a version, ideally a digest.
    image: mariadb:latest
    command: ["/bin/bash", "/usr/local/bin/docker-entrypoint.sh", "mysqld"]
    # Explicitly reduced capability set; the other services in this file
    # do not declare one and get LinuxKit's default set.
    capabilities:
     - CAP_CHOWN
     - CAP_SETUID
     - CAP_SETGID
     - CAP_DAC_OVERRIDE
    env:
      - MYSQL_DATABASE=fic
      - MYSQL_USER=fic
      # SECURITY: static, guessable application password committed to VCS,
      # on a port nothing filters. Generate it at provision time and keep it
      # out of the repository.
      - MYSQL_PASSWORD=fic
      # The official entrypoint generates the root password at first init
      # and prints it to the container log -- that log is then sensitive.
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
    binds:
      - /etc/hosts:/etc/hosts:ro
      # Persistent data dir on the md0 array.
      - /var/lib/fic/mysql:/var/lib/mysql
    net: /run/netns/db
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/mysql
  # Admin web UI / challenge importer. Shares the fic-admin netns with
  # fic-dashboard and sshd (eth1 = 192.168.23.1/24, vethin-admin = 172.17.0.2).
  - name: fic-admin
    # Floating tag and not covered by `trust:` -- pin by digest.
    image: nemunaire/fic-admin:latest
    # Binds on every address of the netns, so firewall-admin decides who
    # reaches 8081: the admin LAN on eth1 and, through the broad
    # vethin-admin rule, any bridge peer. -localimport reads raw_files,
    # which the sshd service also mounts read-write.
    command: ["/srv/admin", "-bind=:8081", "-baseurl=/admin/", "-localimport=/mnt/fic"]
    env:
      # `db` resolves through the bound /etc/hosts. No DB user/password is
      # set here; presumably the image defaults match db's env -- confirm.
      - MYSQL_HOST=tcp(db:3306)
      # SECURITY: a static secret committed to the repository and exposed as
      # an environment variable (readable by any process in the container
      # running as the same user). Anyone with read access to this file or
      # the built image has it: treat it as compromised, rotate it, and
      # inject it at provision time as a restrictively-moded file rather
      # than here. Its exact use is not visible in this file -- presumably
      # the passphrase for the CA material under /srv/PKI.
      - FICCA_PASS=jee8AhloAith1aesCeQu5ahgIegaeM4K
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/raw_files:/mnt/fic
      - /var/lib/fic/dashboard:/srv/DASHBOARD
      - /var/lib/fic/files:/srv/FILES
      # Read-write on the PKI tree; this service appears to be the CA owner.
      - /var/lib/fic/pki:/srv/PKI
      - /var/lib/fic/teams:/srv/TEAMS
      - /var/lib/fic/settings:/srv/SETTINGS
    net: /run/netns/fic-admin
    pid: new
    ipc: new
    uts: new
    # No `capabilities:`: runs with LinuxKit's default set. Pin it
    # explicitly as done for `db`.
    runtime:
      mkdir:
        - /var/lib/fic/dashboard
        - /var/lib/fic/files
        - /var/lib/fic/raw_files
        - /var/lib/fic/pki
        - /var/lib/fic/settings
        - /var/lib/fic/teams
  # Submission processor. Alone in the fic-backend netns (172.17.0.3), which
  # has no firewall-* step: whatever it listens on, if anything, is open to
  # every bridge peer, and it can initiate connections to any peer.
  - name: fic-backend
    # Floating tag and not covered by `trust:` -- pin by digest.
    image: nemunaire/fic-backend:latest
    env:
      # No DB credentials set here; see the note on fic-admin.
      - MYSQL_HOST=tcp(db:3306)
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/teams:/srv/TEAMS
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      # Shared read-write with fic-synchro, which fetches from the remote
      # side: this directory is where externally-sourced data enters and is
      # consumed, so treat its contents as untrusted input.
      - /var/lib/fic/submissions:/srv/submissions
    net: /run/netns/fic-backend
    pid: new
    ipc: new
    uts: new
    # No `capabilities:`: LinuxKit default set applies.
    runtime:
      mkdir:
        - /var/lib/fic/settings
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  # Dashboard web service, sharing the fic-admin netns (and so its firewall).
  # No `command:` is given, so it listens on whatever the image defaults to;
  # rules-admin.v4 opens 8082, presumably for this service -- confirm.
  - name: fic-dashboard
    # Floating tag and not covered by `trust:` -- pin by digest.
    image: nemunaire/fic-dashboard:latest
    binds:
      - /etc/hosts:/etc/hosts:ro
      # Read-write; only fic-admin also writes here.
      - /var/lib/fic/dashboard:/srv/DASHBOARD
      - /var/lib/fic/teams:/srv/TEAMS:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
    net: /run/netns/fic-admin
    pid: new
    ipc: new
    uts: new
    # No `capabilities:`: LinuxKit default set applies.
    runtime:
      mkdir:
        - /var/lib/fic/dashboard
        - /var/lib/fic/teams
        - /var/lib/fic/settings
  # Synchronisation with the peer at 10.10.10.2, from the `synchro` netns.
  # rules-synchro.v4 lets this netns open nothing but SSH to that host, so
  # synchro.sh (not visible here) presumably runs rsync over ssh with the
  # key bound below. Most binds are read-only; submissions is the one
  # read-write path, i.e. where data from the remote side lands.
  - name: fic-synchro
    image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
    command: ["/bin/ash", "/root/synchro.sh"]
    binds:
      - /etc/hosts:/etc/hosts:ro
      # The private key is readable by this container; a compromise of the
      # synchro process (it handles remote-sourced data) exposes it. Scope
      # the key on the remote side (forced command / from= restriction).
      - /root/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro
      - /root/synchro.sh:/root/synchro.sh:ro
      - /var/lib/fic/files:/srv/FILES:ro
      # Kept disabled: the CA key stays out of this container. Good.
      #- /var/lib/fic/pki/ca.key:/srv/PKI/ca.key:ro
      - /var/lib/fic/pki/shared:/srv/PKI/shared:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS:ro
    net: /run/netns/synchro
    pid: new
    ipc: new
    uts: new
    # No `capabilities:`: LinuxKit default set applies.
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/pki/shared
        - /var/lib/fic/settings
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
219   - name: sshd
220     image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
221     binds:
222       - /etc/hosts:/etc/hosts:ro
223       - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
224       - /var/lib/fic/outofsync:/var/lib/fic/outofsync
225       - /var/lib/fic/raw_files:/mnt/fic
226     net: /run/netns/fic-admin
227     runtime:
228       mkdir:
229         - /var/lib/fic/outofsync
230
# Build-time files copied into the root filesystem.
files:
  # Script run by fic-synchro; contents not visible here.
  - path: root/synchro.sh
    source: configs/synchro.sh
    mode: "0755"
  # Static name resolution bound read-only into every service; `db` must
  # presumably map to 172.17.0.4 for the MYSQL_HOST settings above to work.
  - path: etc/hosts
    source: configs/hosts
    mode: "0644"
  # Keys allowed to log in as root through the sshd service.
  - path: root/.ssh/authorized_keys
    source: configs/authorized_keys
    mode: "0400"
  # SECURITY: a private key baked into the boot image. Anyone who can read
  # the image (build artefacts, boot medium, backups) holds the key used
  # to reach 10.10.10.2. Keep configs/id_ed25519 out of VCS, restrict the
  # key on the remote side (forced command, from=), and rotate it whenever
  # the image leaves controlled hands. The 0400 mode only helps once the
  # file is on the running system.
  - path: root/.ssh/id_ed25519
    source: configs/id_ed25519
    mode: "0400"
244
  # IPv6: drop everything in every direction, loopback included. This is
  # the only IPv6 control in the image -- the sysctl step that would have
  # set disable_ipv6=1 is commented out in onboot -- and it is applied only
  # in the synchro and fic-admin netns. Anything resolving `localhost` to
  # ::1 inside those netns will fail; if that is not intended, add
  # `-A INPUT -i lo -j ACCEPT` / `-A OUTPUT -o lo -j ACCEPT` as the v4 files
  # do. Re-enabling the sysctl would close IPv6 in the unfiltered netns too.
  - path: etc/iptables/rules.v6
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      COMMIT
    mode: "0440"
253   - path: etc/iptables/rules-admin.v4
254     contents: |
255       *filter
256       :INPUT DROP [0:0]
257       :FORWARD DROP [0:0]
258       :OUTPUT DROP [0:0]
259       [0:0] -A INPUT -i lo -j ACCEPT
260       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
261       [0:0] -A INPUT -p icmp -j ACCEPT
262       [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
263       [0:0] -A INPUT -i eth1 -s 192.168.23.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
264       [0:0] -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8081 -j ACCEPT
265       [0:0] -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8082 -j ACCEPT
266       [0:0] -A INPUT -i vethin-admin -s 172.17.0.0/24 -p tcp -m conntrack --ctstate NEW -j ACCEPT
267       [0:0] -A INPUT -j LOG
268       [0:0] -A FORWARD -j LOG
269       [0:0] -A OUTPUT -o lo -j ACCEPT
270       [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
271       [0:0] -A OUTPUT -p icmp -j ACCEPT
272       [0:0] -A OUTPUT -o vethin-admin -d 172.17.0.0/24 -p tcp -m conntrack --ctstate NEW -j ACCEPT
273       [0:0] -A OUTPUT -j LOG
274       [0:0] -A OUTPUT -j REJECT
275       COMMIT
276     mode: "0440"
277   - path: etc/iptables/rules-synchro.v4
278     contents: |
279       *filter
280       :INPUT DROP [0:0]
281       :FORWARD DROP [0:0]
282       :OUTPUT DROP [0:0]
283       [0:0] -A INPUT -i lo -j ACCEPT
284       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
285       [0:0] -A INPUT -p icmp --icmp-type 8 -j ACCEPT
286       [0:0] -A INPUT -p icmp --icmp-type 0 -j ACCEPT
287       [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
288       [0:0] -A INPUT -j LOG
289       [0:0] -A FORWARD -j LOG
290       [0:0] -A OUTPUT -o lo -j ACCEPT
291       [0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
292       [0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
293       [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
294       [0:0] -A OUTPUT -o eth0 -d 10.10.10.2 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
295       [0:0] -A OUTPUT -j LOG
296       [0:0] -A OUTPUT -j REJECT
297       COMMIT
298     mode: "0440"
299
# Content trust: images under these orgs are verified against their Notary
# signatures at build time. `library` covers mariadb; `linuxkit` covers the
# init/onboot packages. The nemunaire/* images (kernel, mdadm, rsync,
# fic-admin/backend/dashboard) are NOT covered -- they are pulled on tag
# alone, and three of them use `latest`. Pin those by digest, or sign them
# and add the org here (adding it unsigned would make the build fail).
trust:
  org:
    - linuxkit
    - library