---
# Kernel image and boot command line for the fickit frontend machine.
kernel:
  # NOTE(review): the "-dirty" part of this tag presumably marks a build from an
  # uncommitted tree, so the image is not reproducible from the git hash alone — confirm.
  image: nemunaire/kernel:4.9.140-4080ab71159a0b09a0b2ce7d87a7cb7fd719e35d-dirty-amd64
  # Console on both the first serial port and the VGA console.
  cmdline: 'console=ttyS0 console=tty0'
4
# System-level containers unpacked into the root filesystem at build time.
init:
  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
  - linuxkit/containerd:326b096cd5fbab0f864e52721d036cade67599d6
  - linuxkit/ca-certificates:v0.6
  # getty is unpacked here but no getty service is enabled below (see the commented-out
  # entry under "services").
  - linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
  # Presumably needed to assemble /dev/md0, which the "mount" onboot step mounts on
  # /var/lib/fic — verify.
  - nemunaire/mdadm:18541ef20acd7e67e07bb2bde4f378239e67c42d
12
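# One-shot setup containers; LinuxKit runs these in order before the services start.
onboot:
  # Network driver for the on-board NICs.
  - name: mod
    image: linuxkit/modprobe:v0.6
    command: ["/bin/sh", "-c", "modprobe r8169;"]

#  - name: sysctl
#    image: linuxkit/sysctl:v0.6

  # Filesystem
  - name: swap
    image: linuxkit/swap:v0.6
    command: ["/sbin/swapon", "/dev/sda2", "/dev/sdb2"]
  # /dev/md0 carries all the FIC state (files, pki, settings, submissions, teams).
  - name: mount
    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "-device", "/dev/md0", "/var/lib/fic" ]

  # Network
#  - name: dhcpcd
#    image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
#    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
#  - name: ntp
#    image: linuxkit/openntpd:536e5947607c9e6a6771957c2ff817230cba0d3c
  # Creates the veth pair vethin-nginx/veth-nginx inside a fresh network namespace,
  # binds that namespace to /run/netns/nginx and gives the inner end 172.17.1.2/24.
  - name: nginx-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.1.2/24 dev vethin-nginx; ip link set vethin-nginx up;" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-nginx
          add: veth
          peer: veth-nginx
      bindNS:
        net: /run/netns/nginx
  # Moves eth1..eth3 into the nginx namespace; only eth1 is configured here
  # (eth2/eth3 are presumably reserved for the bonding variant kept below).
  # NOTE(review): rules-frontal.v4 accepts http/https on "bond-frontal" only, so with
  # this non-bonding setup inbound 80/443 on eth1 fall through to the INPUT DROP
  # policy — confirm which variant is the intended one.
  - name: frontal-ip-setup  # without bonding
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 163.5.55.58/32 dev eth1;" ]
    net: /run/netns/nginx
    runtime:
      interfaces:
        - name: eth1
        - name: eth2
        - name: eth3
#  - name: frontal-ip-setup # with bonding
#    image: linuxkit/ip:v0.6
#    command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal;" ]
#    net: /run/netns/nginx
#    runtime:
#      interfaces:
#        - name: eth1
#        - name: eth2
#        - name: eth3
#        - name: bond-frontal
#          add: bond
  # Same pattern for the application backend: namespace /run/netns/fic-frontend,
  # inner end vethin-frontend at 172.17.1.3/24.
  - name: frontend-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.1.3/24 dev vethin-frontend; ip link set vethin-frontend up;" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-frontend
          add: veth
          peer: veth-frontend
      bindNS:
        net: /run/netns/fic-frontend
  # eth0 (the management link) is moved into its own namespace for sshd only.
  - name: sshd-ip-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 10.10.10.2/29 dev eth0; ip link set eth0 up;" ]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/sshd
  # Runs in the host namespace: br0 (172.17.1.1/24) bridges the host ends of the
  # nginx and frontend veth pairs, which is the only path between the two.
  - name: bridge-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ]
    runtime:
      interfaces:
        - name: br0
          add: bridge

  # Loads the nginx-namespace ruleset (etc/iptables/rules-frontal.v4 below).
  # /bin/sh instead of /bin/bash: the sibling entries use sh, the command is plain
  # POSIX redirection, and bash may not be present in linuxkit/ip.  With ";" a
  # failed IPv4 restore does not stop the IPv6 restore and only the last command's
  # status is reported — check this container's log after boot.
  - name: firewall-frontal
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "/sbin/iptables-restore < /etc/iptables/rules-frontal.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
    binds:
      - /etc/iptables/rules-frontal.v4:/etc/iptables/rules-frontal.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/nginx
  # Same for the sshd namespace (etc/iptables/rules-sshd.v4 below).
  - name: firewall-sshd
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "/sbin/iptables-restore < /etc/iptables/rules-sshd.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
    binds:
      - /etc/iptables/rules-sshd.v4:/etc/iptables/rules-sshd.v4:ro
      - /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
    net: /run/netns/sshd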
108
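# Long-running containers, started once every onboot step has run.
services:
#  - name: getty
#    image: linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
#    env:
#      - INSECURE=true
  - name: rngd
    image: linuxkit/rngd:v0.6
  # Public reverse proxy, confined to the "nginx" namespace built by onboot.
  # The ssl/ bind includes privkey.pem (0440); everything mounted here is read-only.
  # NOTE(review): "nginx:alpine" is a floating tag — pin a digest or exact version
  # so rebuilds are reproducible.
  - name: nginx
    image: nginx:alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
      - /etc/nginx/fic-auth.conf:/etc/nginx/fic-auth.conf:ro
      - /www/htdocs-frontend:/srv/htdocs-frontend:ro
      - /var/lib/fic/files:/srv/FILES:ro
      - /var/lib/fic/pki:/srv/PKI:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      - /var/lib/fic/startingblock:/srv/startingblock:ro
      - /var/lib/fic/teams:/srv/TEAMS:ro
    net: /run/netns/nginx
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/pki
        - /var/lib/fic/startingblock
        - /var/lib/fic/teams
  # Application backend; nginx reaches it at 172.17.1.3:8080 across br0 (the only
  # outbound connection rules-frontal.v4 allows).  startingblock and submissions are
  # the only writable binds.
  # NOTE(review): "latest" is a floating tag while init/onboot images are pinned by
  # hash — pin this one too.
  # NOTE(review): unlike nginx and sshd this service does not get pid/ipc/uts: new —
  # confirm sharing the host namespaces is intended.
  - name: fic-frontend
    image: nemunaire/fic-frontend:latest
    command: ["/srv/frontend", "-bind=:8080", "-startedFile=/srv/startingblock/started"]
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /var/lib/fic/files:/srv/FILES:ro
      - /var/lib/fic/settings:/srv/SETTINGS:ro
      - /var/lib/fic/startingblock:/srv/startingblock
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS:ro
    net: /run/netns/fic-frontend
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/settings
        - /var/lib/fic/startingblock
        - /var/lib/fic/submissions
        - /var/lib/fic/teams
  # Sync endpoint on the management link (sshd namespace, eth0 only); the
  # authorized_keys it sees is the id_synchro.pub key from the files section and
  # every FIC state directory is mounted read-write.
  - name: sshd
    image: nemunaire/rsync:416df0e1fe1562d5d1c63461dacd1267b47a4f05
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /root/.ssh/id_synchro.pub:/root/.ssh/authorized_keys:ro
      - /var/lib/fic/files:/srv/FILES
      - /var/lib/fic/pki:/srv/PKI
      - /var/lib/fic/settings:/srv/SETTINGS
      - /var/lib/fic/submissions:/srv/submissions
      - /var/lib/fic/teams:/srv/TEAMS
    net: /run/netns/sshd
    pid: new
    ipc: new
    uts: new
    runtime:
      mkdir:
        - /var/lib/fic/files
        - /var/lib/fic/pki
        - /var/lib/fic/settings
        - /var/lib/fic/submissions
        - /var/lib/fic/teams

  # DHCP server for the frontal link, sharing the nginx namespace.
  # NOTE(review): the image has no tag (implicitly "latest") and is outside the
  # organisations listed under "trust" — pin it by digest.
  - name: dhcp-server
    image: joebiellik/dhcpd
    binds:
      - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      - CAP_DAC_OVERRIDE
    net: /run/netns/nginx
    pid: new
    ipc: new
    uts: new
#  - name: dns-server
#    image: sapcc/unbound
#    binds:
#      - /etc/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
#    capabilities:
#     - CAP_NET_BIND_SERVICE
#    net: /run/netns/nginx
#    pid: new
#    ipc: new
#    uts: new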
208
209
# Files written into the image's root filesystem (paths are relative to /).
files:
  # TLS material for nginx; only the private key is restricted to 0440.
  # NOTE(review): privkey.pem is sourced from the build tree — make sure configs/ is
  # not committed with it.
  - path: etc/nginx/ssl/dhparams-4096.pem
    source: configs/dhparams-4096.pem
    mode: "0444"
  - path: etc/nginx/ssl/fullchain.pem
    source: configs/fic.srs.epita.fr/fullchain.pem
    mode: "0444"
  - path: etc/nginx/ssl/privkey.pem
    source: configs/fic.srs.epita.fr/privkey.pem
    mode: "0440"
220
  # Bound read-only into every service.
  - path: etc/hosts
    source: configs/hosts
    mode: "0644"
  # Host-level root key; no service in this file binds it (the sshd service uses
  # id_synchro.pub below instead).
  - path: root/.ssh/authorized_keys
    source: configs/authorized_keys
    mode: "0400"
  # Public half of the sync key, mounted as authorized_keys inside the sshd service.
  - path: root/.ssh/id_synchro.pub
    source: configs/id_ed25519.pub
    mode: "0400"
230
  - path: etc/dhcp/dhcpd.conf
    source: configs/dhcpd.conf
    mode: "0400"
  # NOTE(review): both nginx configs are taken from the "*-demo" sources — confirm
  # that is intended for this image.
  - path: etc/nginx/conf.d/default.conf
    source: configs/nginx-demo.conf
    mode: "0400"
  - path: etc/nginx/fic-auth.conf
    source: configs/fic-auth-demo.conf
    mode: "0400"
240
  # Static assets served by nginx from /srv/htdocs-frontend (bound read-only in the
  # nginx service).  The third-party JS/CSS (angular, jquery, bootstrap, d3) are
  # vendored copies from frontend/static; no version is recorded here.
  - path: www/htdocs-frontend
    directory: true
    mode: "0755"
  - path: www/htdocs-frontend/e500.html
    source: frontend/static/e500.html
    mode: "0644"
  - path: www/htdocs-frontend/img/srs.png
    source: frontend/static/img/srs.png
    mode: "0644"
  - path: www/htdocs-frontend/img/fic.png
    source: frontend/static/img/fic.png
    mode: "0644"
  - path: www/htdocs-frontend/img/epita.png
    source: frontend/static/img/epita.png
    mode: "0644"
  - path: www/htdocs-frontend/img/comcyber.png
    source: frontend/static/img/comcyber.png
    mode: "0644"
  - path: www/htdocs-frontend/favicon.ico
    source: frontend/static/favicon.ico
    mode: "0644"
  - path: www/htdocs-frontend/e404.html
    source: frontend/static/e404.html
    mode: "0644"
  - path: www/htdocs-frontend/css/bootstrap.min.css
    source: frontend/static/css/bootstrap.min.css
    mode: "0644"
  - path: www/htdocs-frontend/css/fic.css
    source: frontend/static/css/fic.css
    mode: "0644"
  - path: www/htdocs-frontend/css/glyphicon.css
    source: frontend/static/css/glyphicon.css
    mode: "0644"
  - path: www/htdocs-frontend/js/i18n/angular-locale_fr-fr.js
    source: frontend/static/js/i18n/angular-locale_fr-fr.js
    mode: "0644"
  - path: www/htdocs-frontend/js/angular-sanitize.min.js
    source: frontend/static/js/angular-sanitize.min.js
    mode: "0644"
  - path: www/htdocs-frontend/js/d3.v3.min.js
    source: frontend/static/js/d3.v3.min.js
    mode: "0644"
  - path: www/htdocs-frontend/js/common.js
    source: frontend/static/js/common.js
    mode: "0644"
  - path: www/htdocs-frontend/js/angular.min.js
    source: frontend/static/js/angular.min.js
    mode: "0644"
  - path: www/htdocs-frontend/js/challenge.js
    source: frontend/static/js/challenge.js
    mode: "0644"
  - path: www/htdocs-frontend/js/bootstrap.min.js
    source: frontend/static/js/bootstrap.min.js
    mode: "0644"
  - path: www/htdocs-frontend/js/jquery.min.js
    source: frontend/static/js/jquery.min.js
    mode: "0644"
  - path: www/htdocs-frontend/js/angular-route.min.js
    source: frontend/static/js/angular-route.min.js
    mode: "0644"
  - path: www/htdocs-frontend/e413.html
    source: frontend/static/e413.html
    mode: "0644"
  - path: www/htdocs-frontend/fonts/glyphicons-halflings-regular.woff2
    source: frontend/static/fonts/glyphicons-halflings-regular.woff2
    mode: "0644"
  - path: www/htdocs-frontend/fonts/glyphicons-halflings-regular.woff
    source: frontend/static/fonts/glyphicons-halflings-regular.woff
    mode: "0644"
  - path: www/htdocs-frontend/fonts/glyphicons-halflings-regular.eot
    source: frontend/static/fonts/glyphicons-halflings-regular.eot
    mode: "0644"
  - path: www/htdocs-frontend/fonts/glyphicons-halflings-regular.ttf
    source: frontend/static/fonts/glyphicons-halflings-regular.ttf
    mode: "0644"
  - path: www/htdocs-frontend/fonts/glyphicons-halflings-regular.svg
    source: frontend/static/fonts/glyphicons-halflings-regular.svg
    mode: "0644"
  - path: www/htdocs-frontend/welcome.html
    source: frontend/static/welcome.html
    mode: "0644"
  - path: www/htdocs-frontend/index.html
    source: frontend/static/index.html
    mode: "0644"
  - path: www/htdocs-frontend/views/defi.html
    source: frontend/static/views/defi.html
    mode: "0644"
  - path: www/htdocs-frontend/views/home.html
    source: frontend/static/views/home.html
    mode: "0644"
  - path: www/htdocs-frontend/views/rank.html
    source: frontend/static/views/rank.html
    mode: "0644"
  - path: www/htdocs-frontend/views/register.html
    source: frontend/static/views/register.html
    mode: "0644"
  - path: www/htdocs-frontend/views/rules.html
    source: frontend/static/views/rules.html
    mode: "0644"
  - path: www/htdocs-frontend/views/tags.html
    source: frontend/static/views/tags.html
    mode: "0644"
  - path: www/htdocs-frontend/views/team-edit.html
    source: frontend/static/views/team-edit.html
    mode: "0644"
  - path: www/htdocs-frontend/views/theme.html
    source: frontend/static/views/theme.html
    mode: "0644"
  - path: www/htdocs-frontend/views/videos.html
    source: frontend/static/views/videos.html
    mode: "0644"
  - path: www/htdocs-frontend/robots.txt
    source: frontend/static/robots.txt
    mode: "0644"
355
356   - path: etc/iptables/rules.v6
357     contents: |
358       *filter
359       :INPUT DROP [0:0]
360       :FORWARD DROP [0:0]
361       :OUTPUT DROP [0:0]
362       COMMIT
363     mode: "0440"
364   - path: etc/iptables/rules-sshd.v4
365     contents: |
366       *filter
367       :INPUT DROP [0:0]
368       :FORWARD DROP [0:0]
369       :OUTPUT DROP [0:0]
370       [0:0] -A INPUT -i lo -j ACCEPT
371       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
372       [0:0] -A INPUT -p icmp -j ACCEPT
373       [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
374       [0:0] -A INPUT -i eth0 -s 10.10.10.0/29 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
375       [0:0] -A INPUT -j LOG
376       [0:0] -A FORWARD -j LOG
377       [0:0] -A OUTPUT -o lo -j ACCEPT
378       [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
379       [0:0] -A OUTPUT -j LOG
380       [0:0] -A OUTPUT -j REJECT
381       COMMIT
382     mode: "0440"
383   - path: etc/iptables/rules-frontal.v4
384     contents: |
385       *filter
386       :INPUT DROP [0:0]
387       :FORWARD DROP [0:0]
388       :OUTPUT DROP [0:0]
389       [0:0] -A INPUT -i lo -j ACCEPT
390       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
391       [0:0] -A INPUT -p icmp --icmp-type 8 -j ACCEPT
392       [0:0] -A INPUT -p icmp --icmp-type 0 -j ACCEPT
393       [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
394       [0:0] -A INPUT -i bond-frontal -p tcp -m conntrack --ctstate NEW -m tcp --dport http -j ACCEPT
395       [0:0] -A INPUT -i bond-frontal -p tcp -m conntrack --ctstate NEW -m tcp --dport https -j ACCEPT
396       [0:0] -A INPUT -j LOG
397       [0:0] -A FORWARD -j LOG
398       [0:0] -A OUTPUT -o lo -j ACCEPT
399       [0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
400       [0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
401       [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
402       [0:0] -A OUTPUT -i vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
403       [0:0] -A OUTPUT -j LOG
404       [0:0] -A OUTPUT -j REJECT
405       COMMIT
406     mode: "0440"
407
# Content-trust scope: as I read it, images from these organisations are
# signature-verified at build time; nemunaire/* and joebiellik/* images used above
# are outside this list — confirm that is acceptable.
trust:
  org:
    - linuxkit
    - library