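kernel:
  # NOTE(review): the 4.20 series is end-of-life upstream; track a maintained
  # linuxkit/kernel tag so CVE fixes reach this image.
  image: linuxkit/kernel:4.20.3
  # cmdline: "console=tty0 console=ttyS0"
  cmdline: "console=tty0"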
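# Base system images. Those outside the "linuxkit" org (see "trust" at the
# end of the file) are not covered by content trust and rely on the commit
# hash in their tag alone.
init:
- linuxkit/init:a2166a6048ce041eebe005ab99454cfdeaa5c848
- linuxkit/runc:069d5cd3cc4f0aec70e4af53aed5d27a21c79c35
- linuxkit/containerd:2aff4d486220667364b2971b5fc6225bf165a069
- linuxkit/ca-certificates:v0.6
# - linuxkit/firmware:v0.6
- linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
- nemunaire/monit:39c75d3e1dbccfed7e6ebfb826cd28e018be7117
# - nemunaire/iscsi-target:8872d1c5e0cefe3c36b60e873b8452aefb19d84d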
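# One-shot containers, run in order before the long-running services.
# Each *-iface-setup container gets a fresh network namespace ("net: new")
# that is bound to /run/netns/<name>; the service that later joins that
# namespace is the only thing reachable on the corresponding veth. The host
# side of every veth pair is attached to br-ext or br-int further down.
onboot:
- name: sysctl
  image: linuxkit/sysctl:v0.6
  binds:
  - /etc/sysctl.d/:/etc/sysctl.d/:ro
# Mount first drive to enable some persistence
- name: mount
  image: linuxkit/mount:v0.6
  command: ["/usr/bin/mountie", "-device", "/dev/sda", "/var/lib/adlin"]
# Network: interface for login-validator
- name: login-iface-setup
  image: linuxkit/ip:v0.6
  # Folded scalar: the lines below are joined with single spaces into one
  # shell string, exactly as if written on a single line.
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.255.2/24 dev vethin-login;
    ip link set vethin-login up;
    ip route add default via 172.23.255.1;
  net: new
  runtime:
    interfaces:
    - name: vethin-login
      add: veth
      peer: veth-login
    bindNS:
      net: /run/netns/login
# Network: exposed ################################################
# VLAN7, path to internet
- name: netvlan-iface-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip link add link eth0 name eth0.7 type vlan id 7;
    ip a add 172.23.191.254/18 dev eth0.7;
    ip link set eth0.7 up;
# Bridge between std LAN, PXE LAN services (login-validator) and default route (as it uses the same wire)
- name: bridge-ext-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.255.1/24 dev br-ext;
    ip a add 172.17.0.16/16 dev br-ext;
    ip a add 10.224.32.252/24 dev br-ext;
    ip a add 172.23.0.1/17 dev br-ext;
    ip link set eth0 master br-ext;
    ip link set veth-login master br-ext;
    ip link set br-ext up;
    ip link set veth-login up;
    ip link set eth0 up;
    ip route add default via 10.224.32.1;
  runtime:
    interfaces:
    - name: br-ext
      add: bridge
# Network: DMZ ####################################################
# token-validator
- name: validator-iface-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.200.1/24 dev vethin-vldtr;
    ip link set vethin-vldtr up;
    ip route add default via 172.23.200.254;
  net: new
  runtime:
    interfaces:
    - name: vethin-vldtr
      add: veth
      peer: veth-validator
    bindNS:
      net: /run/netns/dmz-validator
# domain name
- name: ns-iface-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.200.2/24 dev vethin-ns;
    ip link set vethin-ns up;
    ip route add default via 172.23.200.254;
  net: new
  runtime:
    interfaces:
    - name: vethin-ns
      add: veth
      peer: veth-ns
    bindNS:
      net: /run/netns/dmz-ns
# time server
- name: time-iface-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.200.3/24 dev vethin-time;
    ip link set vethin-time up;
    ip route add default via 172.23.200.254;
  net: new
  runtime:
    interfaces:
    - name: vethin-time
      add: veth
      peer: veth-time
    bindNS:
      net: /run/netns/dmz-time
# mail server
- name: mail-iface-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.200.4/24 dev vethin-mail;
    ip link set vethin-mail up;
    ip route add default via 172.23.200.254;
  net: new
  runtime:
    interfaces:
    - name: vethin-mail
      add: veth
      peer: veth-mail
    bindNS:
      net: /run/netns/dmz-mail
# Bridge for DMZ services
- name: bridge-int-setup
  image: linuxkit/ip:v0.6
  command:
  - /bin/sh
  - "-c"
  - >-
    ip a add 172.23.200.254/24 dev br-int;
    ip link set veth-validator master br-int;
    ip link set veth-ns master br-int;
    ip link set veth-time master br-int;
    ip link set veth-mail master br-int;
    ip link set br-int up;
    ip link set veth-validator up;
    ip link set veth-ns up;
    ip link set veth-time up;
    ip link set veth-mail up
  runtime:
    interfaces:
    - name: br-int
      add: bridge
# Firewall: runs in the host namespace (no "net:" key) once every bridge and
# veth it references exists. /bin/sh is enough here (the command only needs
# POSIX redirection) and, unlike bash, is present in every Alpine-based image.
# If iptables-restore rejects a single rule, the whole table is left unset and
# the box boots with no filter policy, so keep the rules file loadable.
- name: fw
  image: linuxkit/ip:v0.6
  command: ["/bin/sh", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4"]
  binds:
  - /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro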
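# Long-running containers. Services without a "net:" key share the host
# network namespace; the others join the namespaces prepared in "onboot".
services:
- name: rngd
  image: linuxkit/rngd:v0.6
- name: sshd
  image: linuxkit/sshd:c4bc89cf0d66733c923ab9cb46198b599eb99320
- name: dhcpd
  # NOTE(review): untagged image resolves to a floating "latest" and is
  # outside the trusted orgs; pin it by digest for a reproducible build.
  image: joebiellik/dhcpd
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_NET_RAW
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  binds:
  - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
  - /var/lib/adlin/dhcp:/var/lib/dhcp/
  runtime:
    mkdir:
    - /var/lib/adlin/dhcp
- name: tftpd
  image: nemunaire/tftpd:5340825352f9af28f5ac77bbe3243bdb70176903
  # NOTE(review): "all" grants every capability to a network-facing daemon;
  # a serve-only tftpd should need little more than CAP_NET_BIND_SERVICE.
  # Confirm the real requirement and trim the list.
  capabilities:
  - all
  binds:
  - /srv/tftp:/srv/tftp:ro
  # pxelinux.cfg is written by login-validator; tftpd only needs to read it,
  # so these two mounts could carry ":ro" unless uploads are expected.
  - /var/lib/adlin/pxelinux.cfg:/srv/tftp/bios/pxelinux.cfg
  - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
- name: login-validator
  image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41
  # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
  command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
  # command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
  net: /run/netns/login
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /var/lib/adlin/students.csv:/students.csv:ro
  # read-write on purpose: the validator generates per-host PXE configs here
  - /var/lib/adlin/pxelinux.cfg:/var/tftp/pxelinux.cfg
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
# TLS front-end for login-validator (same namespace, proxies to :8081).
- name: nginx-login
  # NOTE(review): "stable-alpine" is a mutable tag; pin by digest.
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  net: /run/netns/login
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
# Plain-HTTP gateway in the host namespace (port 80 is opened on br-ext in
# etc/iptables/rules.v4).
- name: nginx-gw
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
- name: nginx-dmz
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  net: /run/netns/dmz-validator
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
- name: ns
  image: nemunaire/unbound:7fa2ef501be79db472de64f451b250173ace5ecf
  net: /run/netns/dmz-ns
  # NOTE(review): same remark as tftpd; a resolver bound to port 53 typically
  # needs CAP_NET_BIND_SERVICE (plus chroot/setuid caps if it drops
  # privileges itself), not "all".
  capabilities:
  - all
  binds:
  - /etc/unbound:/etc/unbound:ro
- name: time
  image: linuxkit/openntpd:v0.6
  net: /run/netns/dmz-time
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_SYS_TIME
  - CAP_SYS_CHROOT
  - CAP_SYS_NICE
  - CAP_SETUID
  - CAP_SETGID
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/ntpd.conf:/etc/ntpd.conf:ro
# Outbound mail relay for the lab network.
- name: postfix
  # NOTE(review): untagged, untrusted-org image; pin by digest.
  image: mwader/postfix-relay
  net: /run/netns/dmz-mail
  capabilities:
  - CAP_CHOWN
  - CAP_SYS_CHROOT
  - CAP_DAC_OVERRIDE
  - CAP_FOWNER
  - CAP_NET_BIND_SERVICE
  - CAP_SETGID
  - CAP_SETUID
  env:
  - POSTFIX_myhostname=adlin.nemunai.re
  - POSTFIX_mydestination=localhost
  # Every host in 172.23.0.0/16 may relay through this instance, and inbound
  # SMTP is served without TLS (smtpd ... =none). Acceptable for an isolated
  # lab; tighten mynetworks and set smtpd_tls_security_level=may if the
  # relay is ever reachable from untrusted segments.
  - POSTFIX_mynetworks=172.23.0.0/16
  - POSTFIX_smtp_tls_security_level=may
  - POSTFIX_smtpd_tls_security_level=none
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /var/lib/adlin/postfix/mail:/var/mail
  - /var/lib/adlin/postfix/lib:/var/lib/postfix
  - /var/lib/adlin/postfix/spool:/var/spool/postfix
  runtime:
    mkdir:
    - /var/lib/adlin/postfix
    - /var/lib/adlin/postfix/mail
    - /var/lib/adlin/postfix/lib
    - /var/lib/adlin/postfix/spool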
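# Files baked into the root filesystem. "contents: |" keeps newlines and the
# trailing newline, which the scripts and config files below rely on.
files:
# NOTE(review): the crontab written here embeds SECRET_KEY as a literal, so
# the secret ships in the image, in /var/spool/cron/crontabs/root, and in the
# environment of every ping-checker run. Prefer reading it at boot from the
# persistent volume (/var/lib/adlin) or another store not committed with
# this file. Also verify that /etc/init.d scripts run after the "mount"
# onboot step: /var/lib/adlin is the mount target, and a copy made before
# the mount would be hidden underneath it.
- path: etc/init.d/011-copy-to-var
  contents: |
    #!/bin/sh
    cp -r /srv/tftp/pxelinux.cfg /var/lib/adlin/
    touch /var/lib/adlin/dhcp/dhcpd.leases
    mkdir -p /var/spool/cron/crontabs
    cat <<EOF > /var/spool/cron/crontabs/root
    * * * * * SECRET_KEY=felixfixit /usr/sbin/ping-checker
    EOF
    /usr/sbin/crond
  mode: "0755"
# Point the host resolver at the DMZ unbound instance (ns-iface-setup).
- path: etc/init.d/021-nameserver
  contents: |
    #!/bin/sh
    echo nameserver 172.23.200.2 > /etc/resolv.conf
  mode: "0755"
# - path: etc/init.d/011-adlin
#   contents: |
#     #!/bin/sh
#     ip route add default via 172.17.0.1
#     /sbin/sysctl -w net.ipv4.ip_forward=1
#     echo nameserver 8.8.8.8 > /etc/resolv.conf
#     mkdir /tmp/newroot
#     mount -t tmpfs none /tmp/newroot
#     mkdir /tmp/newroot/etc
#     cp -r /etc/apk /tmp/newroot/etc
#     apk add --no-cache --initdb -p /tmp/newroot iptables nftables
#     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
#     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
#     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
#     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
#     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
#   mode: "0755"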
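# Applied by the "sysctl" onboot container (it binds /etc/sysctl.d read-only).
# Files are processed in name order, so 00-linuxkit.conf runs before this one.
- path: etc/sysctl.d/99-ipfwd.conf
  contents: |
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.disable_ipv6 = 1
  mode: "0644"
- path: etc/sysctl.d/00-linuxkit.conf
  contents: |
    # from Alpine defaults
    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.ping_group_range=999 59999
    # general limits
    vm.max_map_count = 262144
    vm.overcommit_memory = 1
    net.core.somaxconn = 1024
    net.ipv4.neigh.default.gc_thresh1 = 80000
    net.ipv4.neigh.default.gc_thresh2 = 90000
    net.ipv4.neigh.default.gc_thresh3 = 100000
    fs.aio-max-nr = 1048576
    fs.inotify.max_user_watches = 524288
    fs.file-max = 524288
    # for rngd
    kernel.random.write_wakeup_threshold = 3072
    # security restrictions
    kernel.kptr_restrict = 2
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    kernel.dmesg_restrict = 1
    kernel.perf_event_paranoid = 3
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    # Prevent ebpf privilege escalation
    # see: https://lwn.net/Articles/742170
    kernel.unprivileged_bpf_disabled=1
  mode: "0644"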
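# Root login for the "sshd" service is key-only and depends on the build
# machine's key; builds on another host silently embed a different key.
- path: root/.ssh/authorized_keys
  source: ~/.ssh/id_ed25519.pub
  mode: "0400"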
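# Loaded by the "fw" onboot container with iptables-restore (iptables-save
# format; the leading [0:0] counters are ignored on restore).
# INPUT policy is DROP: only loopback, ICMP, established flows and
# SSH/DHCP/TFTP/HTTP arriving on br-ext are accepted; the rest is logged
# then dropped by policy. FORWARD policy is ACCEPT, so the explicit FORWARD
# ACCEPT rules are descriptive only and the trailing LOG rule does not
# block anything - the single FORWARD DROP (client DHCP) is the only
# forwarding restriction in force.
# The SSH rule carries "-p tcp": the tcp match module is only valid for
# protocol 6, and without it the kernel rejects the rule, iptables-restore
# fails, and the whole filter table (including INPUT DROP) is never applied.
- path: etc/iptables/rules.v4
  contents: |
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    [0:0] -A INPUT -i lo -j ACCEPT
    [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
    [0:0] -A INPUT -p icmp -j ACCEPT
    [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A INPUT -i br-ext -p tcp -m tcp --dport ssh -j ACCEPT
    [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
    [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
    [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
    [0:0] -A INPUT -p udp --sport 7000 -j DROP
    [0:0] -A INPUT -p udp --dport 7000 -j DROP
    [0:0] -A INPUT -j LOG
    [0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
    [0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
    [0:0] -A FORWARD -i br-int -j ACCEPT
    [0:0] -A FORWARD -o br-int -j ACCEPT
    [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
    [0:0] -A FORWARD -j LOG
    COMMIT
  mode: "0440"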
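# Resolver for the lab (service "ns", namespace dmz-ns). Answers only
# 172.23.0.0/16 and forwards everything to 8.8.8.8.
# NOTE(review): domain-insecure "." together with val-permissive-mode
# disables DNSSEC validation in practice; the trust anchor is loaded but
# validation failures are not enforced. log-queries/log-replies record every
# client query to stderr (use-syslog: no).
- path: etc/unbound/unbound.conf
  contents: |
    server:
      verbosity: 1
      interface: 0.0.0.0
      interface: ::0
      prefer-ip6: no
      access-control: 172.23.0.0/16 allow
      log-queries: yes
      log-replies: yes
      use-syslog: no
      hide-identity: yes
      hide-version: yes
      qname-minimisation: yes
      domain-insecure: "."
      val-permissive-mode: yes
      trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
      local-zone: "adlin.nemunai.re" typetransparent
      local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
      local-data: "auth.adlin.nemunai.re A 172.23.255.2"
    remote-control:
      control-enable: no
    forward-zone:
      name: "."
      forward-addr: 8.8.8.8
  mode: "0440"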
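# NOTE(review): this file is not bind-mounted into the "postfix" service
# (its binds are resolv.conf, mail, lib and spool), so the running relay is
# configured by the POSTFIX_* env entries above, which allow a much wider
# mynetworks than the 127.0.0.0/8 written here. Confirm which one is
# authoritative before relying on this file.
- path: etc/postfix/main.cf
  contents: |
    myorigin = adlin.nemunai.re
    mydestination =
    local_recipient_maps =
    local_transport = error:local mail delivery is disabled
    mynetworks = 127.0.0.0/8
    relay_domains = nemunai.re
    parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
  mode: "0440"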
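# TLS material for the nginx-login and nginx-dmz services (bind-mounted
# read-only from /etc/nginx/ssl/).
- path: etc/nginx/ssl/fullchain.pem
  source: ssl/fullchain.pem
  mode: "0644"
# The private key must not be world-readable in the rootfs. The nginx master
# process reads it as root before workers drop to the "nginx" user, so 0400
# (matching root/.ssh/authorized_keys) is sufficient.
- path: etc/nginx/ssl/privkey.pem
  source: ssl/privkey.pem
  mode: "0400"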
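# Host-namespace gateway (service nginx-gw): plain HTTP on :80, refuses "/",
# proxies /iamalive to the external challenge host.
# NOTE(review): proxy_pass to an https:// IP address does not validate the
# upstream certificate (nginx's proxy_ssl_verify defaults to off), so the
# hop is encrypted but not authenticated; set proxy_ssl_verify on with a
# proxy_ssl_trusted_certificate and proxy_ssl_name if that matters here.
# The log_format is the standard nginx "main" format; the spaces between the
# quoted fields are part of the format string.
- path: etc/nginx/nginx-gw.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      sendfile on;
      server_tokens off;
      #tcp_nopush on;
      keepalive_timeout 65;
      #gzip on;
      resolver 9.9.9.9;
      server {
        listen 80 default;
        listen [::]:80 default;
        location = / {
          return 403;
        }
        location /iamalive {
          proxy_pass https://82.64.31.248/challenge;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.0.1;
          proxy_redirect off;
        }
      }
    }
  mode: "0440"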
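# TLS front-end for login-validator (service nginx-login, namespace "login"):
# HTTPS on :443, redirects "/" and proxies /login to the validator on :8081
# in the same namespace. TLS 1.2 only; no explicit cipher list, so the
# image's OpenSSL defaults apply.
- path: etc/nginx/nginx-login.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      sendfile on;
      server_tokens off;
      #tcp_nopush on;
      keepalive_timeout 65;
      #gzip on;
      server {
        listen 443 default ssl;
        listen [::]:443 default ssl;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        location = / {
          return https://adlin.nemunai.re/;
        }
        location /login {
          proxy_pass http://localhost:8081/login;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_redirect off;
        }
      }
    }
  mode: "0440"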
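# DMZ reverse proxy (service nginx-dmz, namespace dmz-validator): both the
# :80 and :443 servers forward the challenge endpoints to the external host,
# stamping X-Forwarded-By with this proxy's DMZ address and
# X-Forwarded-Proto with the scheme the client used. The upstream TLS hop is
# not certificate-validated (see the nginx-gw.conf note).
# default_type is "application/octet-stream" (the "/" had been lost in a
# garbled copy of this line).
- path: etc/nginx/nginx-dmz.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      sendfile on;
      server_tokens off;
      #tcp_nopush on;
      keepalive_timeout 65;
      #gzip on;
      resolver 9.9.9.9;
      server {
        listen 80 default;
        listen [::]:80 default;
        location = / {
          return https://adlin.nemunai.re/;
        }
        location /challenge {
          proxy_pass https://82.64.31.248/challenge;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto http;
          proxy_redirect off;
        }
        location /echorequest {
          proxy_pass https://82.64.31.248/echorequest;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto http;
          proxy_redirect off;
        }
        location /testdisk {
          proxy_pass https://82.64.31.248/testdisk;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto http;
          proxy_redirect off;
        }
        location /sshkeys {
          return https://adlin.nemunai.re/sshkeys;
        }
      }
      server {
        listen 443 default ssl;
        listen [::]:443 default ssl;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        location = / {
          return https://adlin.nemunai.re/;
        }
        location /challenge {
          proxy_pass https://82.64.31.248/challenge;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
        }
        location /echorequest {
          proxy_pass https://82.64.31.248/echorequest;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
        }
        location /testdisk {
          proxy_pass https://82.64.31.248/testdisk;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
        }
        location /sshkeys {
          proxy_pass https://82.64.31.248/sshkeys;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
        }
        location /api/students {
          proxy_pass https://82.64.31.248;
          proxy_set_header Host adlin.nemunai.re;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-By 172.23.200.1;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
        }
      }
    }
  mode: "0440"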
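# PXE boot network (172.23.255.0/24): clients get the TFTP server at
# 172.23.255.1 and an arch-dependent boot file (option 93 is the client
# system architecture; 00:00 is legacy BIOS). The second subnet is the
# routed VLAN7 range without PXE options. Short leases (2h) on both.
- path: etc/dhcp/dhcpd.conf
  contents: |
    authoritative;
    default-lease-time 7200;
    max-lease-time 7200;
    option client-arch code 93 = unsigned integer 16;
    subnet 172.23.255.0 netmask 255.255.255.0 {
      range 172.23.255.10 172.23.255.254;
      option subnet-mask 255.255.255.0;
      option broadcast-address 172.23.255.255;
      next-server 172.23.255.1;
      if option client-arch != 00:00 {
        filename "ipxe.efi";
      } else {
        filename "bios/pxelinux.0";
      }
    }
    subnet 172.23.128.0 netmask 255.255.192.0 {
      range 172.23.128.10 172.23.191.250;
      option routers 172.23.191.254;
      option subnet-mask 255.255.192.0;
      option broadcast-address 172.23.191.255;
    }
  mode: "0440"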
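# openntpd (service "time", namespace dmz-time): serves NTP on every address
# of its namespace and syncs from four upstream servers by IP.
- path: etc/ntpd.conf
  contents: |
    listen on *
    server 95.81.173.8
    server 95.81.173.74
    server 95.81.173.155
    server 51.15.180.229
  mode: "0440"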
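# TFTP tree served read-only by "tftpd". The syslinux modules come from the
# build host; pxelinux.cfg is replaced at runtime by the bind mounts in the
# tftpd and login-validator services.
- path: srv/tftp
  directory: true
  mode: "0755"
- path: srv/tftp/bios/ldlinux.c32
  source: /usr/share/syslinux/ldlinux.c32
  mode: "0644"
- path: srv/tftp/bios/libcom32.c32
  source: /usr/share/syslinux/libcom32.c32
  mode: "0644"
- path: srv/tftp/bios/libutil.c32
  source: /usr/share/syslinux/libutil.c32
  mode: "0644"
- path: srv/tftp/bios/menu.c32
  source: /usr/share/syslinux/menu.c32
  mode: "0644"
- path: srv/tftp/bios/poweroff.c32
  source: /usr/share/syslinux/poweroff.c32
  mode: "0644"
- path: srv/tftp/bios/pxelinux.0
  source: /usr/share/syslinux/pxelinux.0
  mode: "0644"
- path: srv/tftp/bios/vesamenu.c32
  source: /usr/share/syslinux/vesamenu.c32
  mode: "0644"
- path: srv/tftp/bios/pxelinux.cfg
  directory: true
  mode: "0755"
- path: srv/tftp/pxelinux.cfg/default
  source: tftp/pxelinux.cfg/default
  mode: "0644"
- path: srv/tftp/pxelinux.cfg/tpl
  source: tftp/pxelinux.cfg/tpl
  mode: "0644"
- path: srv/tftp/pxelinux.cfg/tpl.ipxe
  source: tftp/pxelinux.cfg/tpl.ipxe
  mode: "0644"
- path: srv/tftp/ipxe.efi
  source: tftp/ipxe.efi
  mode: "0644"
# Invoked every minute from root's crontab (see etc/init.d/011-copy-to-var).
- path: usr/sbin/ping-checker
  source: ping-checker.sh
  mode: "0755"
# Kernel and initrds handed to PXE clients; served unsigned over TFTP, so
# clients on the PXE LAN implicitly trust this host.
- path: srv/tftp/bzImage
  source: challenge-kernel
  mode: "0644"
- path: srv/tftp/login-initrd.img
  source: tftp/login-initrd.img
  mode: "0644"
- path: srv/tftp/challenge-initrd.img
  source: challenge-initrd.img
  mode: "0644"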
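# Content trust is enforced only for these two orgs. Images pulled from
# other namespaces in this file (nemunaire/*, joebiellik/*, mwader/*) are
# not signature-checked; where they carry no tag at all they also float.
trust:
  org:
  - linuxkit
  - library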