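---
# LinuxKit image definition for the FIC backend host.
#
# Layout: kernel/init, then `onboot` containers that run once in order
# (sysctl, swap, RAID mount, per-service network namespaces, firewalls),
# then long-running `services`, static `files`, and the content-trust list.
# Lines marked NOTE(review) are reviewer observations to confirm; they do
# not change what is built.
kernel:
  image: nemunaire/kernel:4.9.77
  cmdline: "console=tty0"

init:
  - linuxkit/init:be8756f0a6005279d2409a8790b4dd8b2ac11df9
  - linuxkit/runc:7b15b00b4e3507d62e3ed8d44dfe650561cd35ff
  - linuxkit/containerd:78706a05d00a7385ff2b6b7db280041338e4b34a
  - linuxkit/ca-certificates:de21b84d9b055ad9dcecc57965b654a7a24ef8e0
  - linuxkit/getty:22e27189b6b354e1d5d38fc0536a5af3f2adb79f
  - nemunaire/mdadm:0ac2a0d3e7be84f1aad852c906d54cbff4d1668f

onboot:
  # Default sysctl pass (no command given).
  - name: sysctl
    image: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
  # Second sysctl pass with an explicit command. Renamed from "sysctl" so the
  # two onboot containers are distinguishable in logs.
  # NOTE(review): this container has no `net:` key, so the setting applies to
  # whichever namespace the default gives (presumably the root one); whether
  # the namespaces created further down inherit disable_ipv6 is not shown
  # here. rules.v6 below drops IPv6 in the synchro/admin namespaces, but
  # nothing in this file loads v6 rules into the db or fic-backend namespace.
  - name: sysctl-ipv6
    image: linuxkit/sysctl:4c1ef93bb5eb1a877318db4b2daa6768ed002e21
    command: ["/usr/bin/sysctl", "-w", "net.ipv6.conf.all.disable_ipv6=1"]

  # Filesystem
  - name: swap
    image: linuxkit/swap:b3d5db11b14168874a01b5ea4398186321be836f
    command: ["/sbin/swapon", "/dev/sda3", "/dev/sdb3"]
  # /var/lib/fic is the RAID array; every service bind-mounts subdirectories
  # of it and creates them with `runtime.mkdir` below.
  - name: mount
    image: linuxkit/mount:b346ec277b7074e5c9986128a879c10a1d18742b
    command: ["/usr/bin/mountie", "-device", "/dev/md127", "/var/lib/fic"]

  # Network
  # Addresses are assigned statically; the dhcpcd/ntp entries are kept
  # commented out as in the original file.
#  - name: dhcpcd
#    image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
#    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
#  - name: ntp
#    image: linuxkit/openntpd:536e5947607c9e6a6771957c2ff817230cba0d3c
  # Each of the next four containers creates a network namespace, moves the
  # listed interfaces into it and binds it under /run/netns/<name> so that
  # the matching service below can join it with `net:`.
  #
  # synchro: eth0 only (10.10.10.1/29), used to reach the peer at 10.10.10.2.
  - name: synchro-ip-setup
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/sh", "-c", "ip a add 10.10.10.1/29 dev eth0; ip link set eth0 up;"]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/synchro
  # fic-admin: eth1 (192.168.0.1/24) plus a veth leg on the internal bridge.
  - name: admin-ip-setup
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/sh", "-c", "ip a add 192.168.0.1/24 dev eth1; ip link set eth1 up; ip a add 172.17.0.2/24 dev vethin-admin; ip link set vethin-admin up;"]
    net: new
    runtime:
      interfaces:
        - name: eth1
        - name: vethin-admin
          add: veth
          peer: veth-admin
      bindNS:
        net: /run/netns/fic-admin
  # fic-backend: veth leg on the internal bridge only.
  - name: backend-ip-setup
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/sh", "-c", "ip a add 172.17.0.3/24 dev vethin-backend; ip link set vethin-backend up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-backend
          add: veth
          peer: veth-backend
      bindNS:
        net: /run/netns/fic-backend
  # db: veth leg on the internal bridge only.
  - name: mysql-ip-setup
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/sh", "-c", "ip a add 172.17.0.4/24 dev vethin-db; ip link set vethin-db up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-db
          add: veth
          peer: veth-db
      bindNS:
        net: /run/netns/db
  # br0 (172.17.0.1/24) joins the veth peers left behind by the three
  # containers above. No `net:` key here, so the bridge lives in the default
  # namespace rather than one of the bound ones.
  - name: bridge-setup
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/sh", "-c", "ip a add 172.17.0.1/24 dev br0; ip link set veth-admin master br0; ip link set veth-backend master br0; ip link set veth-db master br0; ip link set br0 up; ip link set veth-admin up; ip link set veth-backend up; ip link set veth-db up;"]
    runtime:
      interfaces:
        - name: br0
          add: bridge

  # Firewalls: rules are loaded into the synchro and fic-admin namespaces
  # from the files defined under `files:` below.
  # NOTE(review): no equivalent container loads rules into /run/netns/db or
  # /run/netns/fic-backend; those namespaces rely on only being reachable via
  # br0. Confirm that is intended.
  - name: firewall-synchro
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-synchro.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6"]
    binds:
      - /etc/iptables/rules-synchro.v4:/etc/iptables/rules-synchro.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/synchro
    # NOTE(review): this mkdir is unrelated to the firewall; fic-synchro and
    # the other services already create /var/lib/fic/teams themselves.
    runtime:
      mkdir:
        - /var/lib/fic/teams
  - name: firewall-admin
    image: linuxkit/ip:284c21791d8c05c49eccbd8e8cc2fb97bbd61842
    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-admin.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6"]
    binds:
      - /etc/iptables/rules-admin.v4:/etc/iptables/rules-admin.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/fic-admin

services:
  - name: rngd
    image: linuxkit/rngd:94e01a4b16fadb053455cdc2269c4eb0b39199cd
  # NOTE(review): `mariadb:latest` and the two nemunaire/fic-*:latest images
  # below are floating tags, unlike the hash-pinned linuxkit/* images; pin a
  # tag or digest so rebuilds are reproducible. The `trust.org` list at the
  # end names only `linuxkit` and `library`, so the nemunaire/* images are
  # outside it.
  - name: db
    image: mariadb:latest
    command: ["/bin/bash", "/usr/local/bin/docker-entrypoint.sh", "mysqld"]
    # Explicit, reduced capability set (the only service here that lists one).
    capabilities:
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    # NOTE(review): database credentials are committed in clear text here and
    # FICCA_PASS below. Values are left unchanged because what the consuming
    # services expect is not visible in this file; they should be supplied
    # from outside version control.
    env:
      - MYSQL_DATABASE=fic
      - MYSQL_USER=fic
      - MYSQL_PASSWORD=fic
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/mysql:/var/lib/mysql
    net: /run/netns/db
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/mysql
  # Admin web UI on :8081 (see the matching INPUT rule in rules-admin.v4).
  - name: fic-admin
    image: nemunaire/fic-admin:latest
    command: ["/srv/admin", "-bind=:8081", "-baseurl=/admin/", "-localimport=/mnt/fic"]
    env:
      - MYSQL_HOST=tcp(db:3306)
      # NOTE(review): secret committed in clear text; see the note on db.
      - FICCA_PASS=jee8AhloAith1aesCeQu5ahgIegaeM4K
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/files:/srv/FILES
      - /var/lib/fic/raw_files:/mnt/fic
      - /var/lib/fic/pki:/srv/PKI
      - /var/lib/fic/settings:/srv/SETTINGS
      - /var/lib/fic/teams:/srv/TEAMS
    net: /run/netns/fic-admin
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/raw_files
        - /var/lib/fic/pki
        - /var/lib/fic/settings
        - /var/lib/fic/teams
  - name: fic-backend
    image: nemunaire/fic-backend:latest
    env:
      - MYSQL_HOST=tcp(db:3306)
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS
    net: /run/netns/fic-backend
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/settings
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  # Outbound sync to 10.10.10.2 over SSH (the only NEW connection
  # rules-synchro.v4 lets out of this namespace).
  - name: fic-synchro
    image: nemunaire/rsync:f8a6d2b0b1064ea3cb3601a159bb886c47a76ce3
    command: ["/bin/ash", "/root/synchro.sh"]
    binds:
      - /etc/hosts:/etc/hosts:ro
      # NOTE(review): both the SSH private key and the CA private key
      # (pki/ca.key) are exposed, read-only, to this container. Confirm
      # synchro.sh needs ca.key itself and not only pki/shared.
      - /root/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro
      - /root/synchro.sh:/root/synchro.sh:ro
      - /var/lib/fic/files:/srv/FILES:ro
      - /var/lib/fic/pki/ca.key:/srv/PKI/ca.key:ro
      - /var/lib/fic/pki/shared:/srv/PKI/shared:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS:ro
    net: /run/netns/synchro
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/pki/shared
        - /var/lib/fic/settings
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  # SSH access into the fic-admin namespace (rules-admin.v4 admits it from
  # 192.168.0.0/24 on eth1 only). No command is given, so the image default
  # is used.
  # NOTE(review): unlike the other services this entry declares no
  # pid/ipc/uts namespaces and no capability set; making them explicit would
  # keep the services consistent.
  - name: sshd
    image: nemunaire/rsync:f8a6d2b0b1064ea3cb3601a159bb886c47a76ce3
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
      - /var/lib/fic/outofsync:/var/lib/fic/outofsync
    net: /run/netns/fic-admin
    runtime:
      mkdir:
        - /var/lib/fic/outofsync

files:
  - path: root/synchro.sh
    source: configs/synchro.sh
    mode: "0755"
  - path: etc/hosts
    source: configs/hosts
    mode: "0644"
  - path: root/.ssh/authorized_keys
    source: configs/authorized_keys
    mode: "0400"
  # NOTE(review): configs/id_ed25519 is a private key in the build context;
  # make sure it is not committed alongside this file.
  - path: root/.ssh/id_ed25519
    source: configs/id_ed25519
    mode: "0400"

  # IPv6: drop everything, in both firewalled namespaces.
  - path: etc/iptables/rules.v6
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      COMMIT
    mode: "0440"
  # fic-admin namespace: default-drop; SSH only from 192.168.0.0/24 on eth1,
  # 8081 (admin UI) accepted, NEW TCP from the bridge subnet accepted.
  # NOTE(review): the 8081 rule carries no `-i`/`-s` restriction, unlike the
  # SSH rule, so it also matches on eth1 from any source; confirm that is
  # intended rather than limiting it the same way.
  - path: etc/iptables/rules-admin.v4
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
      [0:0] -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 8081 -j ACCEPT
      [0:0] -A INPUT -i vethin-admin -s 172.17.0.0/24 -p tcp -m conntrack --ctstate NEW -j ACCEPT
      [0:0] -A INPUT -j LOG
      [0:0] -A FORWARD -j LOG
      [0:0] -A OUTPUT -o lo -j ACCEPT
      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A OUTPUT -p icmp -j ACCEPT
      [0:0] -A OUTPUT -o vethin-admin -d 172.17.0.0/24 -p tcp -m conntrack --ctstate NEW -j ACCEPT
      [0:0] -A OUTPUT -j LOG
      [0:0] -A OUTPUT -j REJECT
    mode: "0440"
  # synchro namespace: default-drop; only echo request/reply in, and only
  # SSH to 10.10.10.2 on eth0 out.
  - path: etc/iptables/rules-synchro.v4
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp --icmp-type 8 -j ACCEPT
      [0:0] -A INPUT -p icmp --icmp-type 0 -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -j LOG
      [0:0] -A FORWARD -j LOG
      [0:0] -A OUTPUT -o lo -j ACCEPT
      [0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
      [0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A OUTPUT -o eth0 -d 10.10.10.2 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
      [0:0] -A OUTPUT -j LOG
      [0:0] -A OUTPUT -j REJECT
    mode: "0440"

# Content trust is enforced for these image organisations only.
trust:
  org:
    - linuxkit
    - library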