---
# Kernel image and the command line handed to it.
kernel:
  # Pinned to a single release tag; the `trust` section at the end of this
  # file is what makes linuxkit/* images subject to content-trust checks.
  image: linuxkit/kernel:4.9.82
  # Console on tty0 and on the first serial port, so boot output is visible
  # both on a local display and over serial.
  cmdline: 'console=tty0 console=ttyS0'
# Base system images unpacked into the root filesystem before anything runs.
# The first three are pinned by a 40-hex-character tag, the last three by a
# release tag (v0.2).
init:
  - linuxkit/init:d899eee3560a40aa3b4bdd67b3bb82703714b2b9
  - linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
  - linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
  # CA bundle, firmware blobs and a console getty.
  - linuxkit/ca-certificates:v0.2
  - linuxkit/firmware:v0.2
  - linuxkit/getty:v0.2
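# One-shot containers, run sequentially in this order at boot.
# Steps without a `net:` key run in the host network namespace (the two
# bridge steps rely on that to attach eth0 and the veth peers).
onboot:
  - name: sysctl
    image: linuxkit/sysctl:v0.2
    # Host files are only visible to a step through an explicit bind.
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro

  # Network: exposed
  #
  # Topology built by the steps below:
  #   eth0.7  VLAN 7 sub-interface, 172.23.191.254/18
  #   br-ext  eth0 + veth-validator (peer vethin-validator lives in netns "ns"),
  #           192.168.0.46/24 and 172.23.0.1/17
  #   br-int  veth-ns / veth-time / veth-mail (peers in netns "ns", "time",
  #           "mail"), 172.23.200.0/24
  - name: netvlan-iface-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - 'ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;'
    # NOTE(review): the only `net: new` step here without a bindNS — confirm
    # eth0.7 outlives this container; otherwise the step has no lasting effect.
    net: new
    runtime:
      interfaces:
        - name: eth0.7
          add: vlan
          vlanid: 7

  # NOTE(review): two onboot steps share the name "ns-iface-setup" (this one
  # and the br-int one further down). A distinct name for this one would make
  # logs and the container tree unambiguous; left unchanged here because other
  # files may refer to it.
  - name: ns-iface-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - 'ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;'
    net: new
    runtime:
      interfaces:
        - name: vethin-validator
          add: veth
          peer: veth-validator
      # Keep the new namespace alive under /run/netns/ns so a service can join it.
      bindNS:
        net: /run/netns/ns

  - name: bridge-ext-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      # Folded scalar: joined into one line with single spaces.
      - >-
        ip a add 192.168.0.46/24 dev br-ext;
        ip a add 172.23.0.1/17 dev br-ext;
        ip link set eth0 master br-ext;
        ip link set veth-validator master br-ext;
        ip link set br-ext up;
        ip link set veth-validator up;
        ip link set eth0 up
    runtime:
      interfaces:
        - name: br-ext
          add: bridge

  - name: ns-iface-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - 'ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;'
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/ns

  - name: time-iface-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - 'ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;'
    net: new
    runtime:
      interfaces:
        - name: vethin-time
          add: veth
          peer: veth-time
      bindNS:
        net: /run/netns/time

  # NOTE(review): vethin-mail gets 172.23.200.3/24, the same address as
  # vethin-time above, and both peers end up on br-int. One of the two must
  # move to a free address in 172.23.200.0/24; kept as-is because the intended
  # value is not recoverable from this file.
  - name: mail-iface-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - 'ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;'
    net: new
    runtime:
      interfaces:
        - name: vethin-mail
          add: veth
          peer: veth-mail
      bindNS:
        net: /run/netns/mail

  - name: bridge-int-setup
    image: linuxkit/ip:v0.2
    command:
      - /bin/sh
      - '-c'
      - >-
        ip a add 172.23.200.254/24 dev br-int;
        ip link set veth-ns master br-int;
        ip link set veth-time master br-int;
        ip link set veth-mail master br-int;
        ip link set br-int up;
        ip link set veth-ns up;
        ip link set veth-time up;
        ip link set veth-mail up
    runtime:
      interfaces:
        - name: br-int
          add: bridge

  # Firewall: load the IPv4 and IPv6 rulesets. Runs last so the interfaces the
  # rules refer to (eth0, lo, the bridges) already exist.
  - name: fw
    image: linuxkit/ip:v0.2
    # /bin/sh rather than /bin/bash: every other command on this image uses
    # /bin/sh, the command only needs `<` and `;`, and if bash is absent from
    # the image this step fails and the host is left without its rules.
    command:
      - /bin/sh
      - '-c'
      - '/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6'
    # The rulesets are host files; bind them in read-only, the same way sysctl
    # binds /etc/sysctl.d above (assumed necessary here as well — verify).
    binds:
      - /etc/iptables:/etc/iptables:ro
    # NOTE(review): the `files` section of this file writes
    # etc/iptables/rules.v6 and etc/iptables/rules-admin.v4 — there is no
    # rules.v4, so the IPv4 restore has nothing to read unless another build
    # input provides it.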
# Long-running containers, started once onboot has finished. A service
# without a `net:` key shares the host network namespace.
services:
  # Entropy daemon from the linuxkit packages.
  - name: rngd
    image: linuxkit/rngd:v0.2

  # SSH on the host namespace; root's authorized key is written by the
  # `files` section (root/.ssh/authorized_keys).
  - name: sshd
    image: linuxkit/sshd:v0.2

  # - name: dhcpd
  #   image: nemunaire/tftpd
  #   binds:
  #     - /srv/tftp:/srv/tftp:ro

  # TFTP server on the host namespace, serving the srv/tftp directory created
  # by `files`. The tag looks like a git revision, but tags are mutable and
  # the `trust` section only covers the linuxkit and library orgs.
  - name: tftpd
    image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9
    binds:
      - /srv/tftp:/srv/tftp:ro

  # nginx on :80 (IPv4 and IPv6) with the config from `files`; the only
  # location defined there returns 403.
  # NOTE(review): `nginx:alpine` is a floating tag — a digest or a specific
  # version tag would make the build reproducible. CAP_DAC_OVERRIDE lets the
  # container bypass file-permission checks on everything it can see; confirm
  # it is actually needed alongside the other four capabilities.
  - name: nginx
    image: nginx:alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro

  # Login validator on :8081 (host namespace), reading the students list that
  # `files` writes read-only. The "-dirty" suffix on the tag presumably marks
  # a build from a tree with uncommitted changes, so the tag does not identify
  # a single commit.
  - name: login-validator
    image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty
    command:
      - /bin/login-validator
      - '-bind=:8081'
    binds:
      - /srv/students.csv:/srv/students.csv:ro

  # Recursive resolver, confined to the "ns" namespace created by onboot.
  - name: ns
    image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0
    net: /run/netns/ns
    binds:
      - /etc/unbound:/etc/unbound:ro

  # NTP daemon, confined to the "time" namespace created by onboot.
  # NOTE(review): onboot also creates /run/netns/mail, but no service here
  # joins it.
  - name: time
    image: linuxkit/openntpd:v0.2
    net: /run/netns/time
    binds:
      - /etc/ntpd.conf:/etc/ntpd.conf:ro
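# Files written into the image. `mode` values are quoted so YAML keeps them as
# strings instead of reading them as octal/decimal integers.
files:
  # Bakes the build host's ed25519 public key in as root's authorized key
  # (public half only). Note the mixed path styles in this section:
  # `root/...` and `etc/...` are relative, `/srv/students.csv` is absolute.
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_ed25519.pub
    mode: "0400"

  - path: /srv/students.csv
    source: students.csv
    mode: "0400"

  # IPv6: drop everything, loopback included.
  - path: etc/iptables/rules.v6
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      COMMIT
    mode: "0440"

  # IPv4 "admin" ruleset. Inbound: loopback, ICMP, established flows and new
  # SSH from 172.23.0.0/17 via eth0; everything else is logged and dropped.
  # Outbound: loopback and established flows only; new outbound connections
  # from the host namespace are logged and REJECTed. FORWARD policy is ACCEPT
  # with a LOG-only rule.
  # NOTE(review): the fw onboot step restores /etc/iptables/rules.v4, not
  # rules-admin.v4 — either this path or that command has to change for these
  # rules to be loaded. Also, with this ruleset active, nginx (:80), tftpd and
  # login-validator (:8081) on the host namespace are unreachable from
  # outside; confirm that is intended.
  - path: etc/iptables/rules-admin.v4
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT DROP [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
      [0:0] -A INPUT -j LOG
      [0:0] -A FORWARD -j LOG
      [0:0] -A OUTPUT -o lo -j ACCEPT
      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A OUTPUT -j LOG
      [0:0] -A OUTPUT -j REJECT
      COMMIT
    mode: "0440"

  # Unbound config for the "ns" service: listens on every address of its
  # namespace, answers 172.23.0.0/16 only, forwards everything to 192.168.0.1,
  # remote control off.
  # NOTE(review): `domain-insecure: "."` together with `val-permissive-mode: yes`
  # means DNSSEC validation failures are never enforced, which leaves the
  # trust-anchor-file setting without effect; drop both if validation is wanted.
  # `log-queries`/`log-replies` record every client lookup — keep log retention
  # in mind.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 172.23.0.0/16 allow
        log-queries: yes
        log-replies: yes
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        root-hints: /etc/unbound/root.hints
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
      remote-control:
        control-enable: no
      forward-zone:
        name: "."
        forward-addr: 192.168.0.1
    mode: "0440"

  # nginx config bound read-only into the nginx service. Several paths and
  # variables in this block had been mangled into non-ASCII characters
  # (e.g. "nginxærror.log", "$remoteªddr"), which nginx would reject at
  # startup; restored to the intended /-separated paths and $_-variables.
  - path: etc/nginx/nginx.conf
    contents: |
      user nginx;
      worker_processes 2;
      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;
      events {
          worker_connections 1024;
      }
      http {
          include /etc/nginx/mime.types;
          default_type application/octet-stream;
          log_format main '$remote_addr - $remote_user [$time_local] "$request"'
                          '$status $body_bytes_sent "$http_referer"'
                          '"$http_user_agent""$http_x_forwarded_for"';
          access_log /var/log/nginx/access.log main;
          sendfile on;
          #tcp_nopush on;
          keepalive_timeout 65;
          #gzip on;
          server {
              listen 80 default;
              listen [::]:80 default;
              location = /{
                  return 403;
              }
          }
      }
    mode: "0440"

  # openntpd config for the "time" service: serve on every address of its
  # namespace, sync from the public pool.
  - path: etc/ntpd.conf
    contents: |
      listen on *
      servers pool.ntp.org
    mode: "0440"

  # Directory served by the tftpd service.
  - path: srv/tftp
    directory: true
    mode: "0755"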
# Content trust: images from these orgs are verified when the image is built.
# The nemunaire/* images used in `services` are not in this list, so they are
# pinned by tag only.
trust:
  org:
    - linuxkit
    - library