adlin/tuto3.yml

kernel:
  image: linuxkit/kernel:4.19.104
  cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
#  cmdline: "console=tty0"

init:
  - linuxkit/init:a4fcf333298f644dfac6adf680b83140927aa85e
  - linuxkit/runc:69b4a35eaa22eba4990ee52cccc8f48f6c08ed03
  - linuxkit/containerd:09553963ed9da626c25cf8acdf6d62ec37645412
  - linuxkit/ca-certificates:v0.7
  - linuxkit/getty:v0.7

onboot:
  - name: format
    image: linuxkit/format:65b9e0a76d0b9fb8ac5c5f3bc8d3131109290f56
    command: ["/usr/bin/format", "/dev/sda"]

  - name: mount
    image: linuxkit/mount:v0.7
    command: ["/usr/bin/mountie", "/dev/sda1", "/var/lib/adlin"]

  - name: sysctl
    image: linuxkit/sysctl:v0.7
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro

  - name: rngd1
    image: linuxkit/rngd:02c555b50cd1887aa628836662d2eec54c0d7e81
    command: ["/sbin/rngd", "-1"]

    # Network: external
  - name: dhcpcd
    image: linuxkit/dhcpcd:v0.7
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/router

  - name: wg
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    net: /run/netns/router
    binds:
      - /etc/ssl:/etc/ssl:ro
      - /etc/mresolv.conf:/etc/resolv.conf
      - /usr/bin/ask.sh:/usr/bin/ask.sh:ro
      - /usr/bin/ssl_client:/usr/bin/ssl_client:ro
      - /lib/libcrypto.so.1.1:/lib/libcrypto.so.1.1:ro
      - /lib/libssl.so.1.1:/lib/libssl.so.1.1:ro
      - /usr/lib/libcrypto.so.1.1:/usr/lib/libcrypto.so.1.1:ro
      - /usr/lib/libssl.so.1.1:/usr/lib/libssl.so.1.1:ro
      - /usr/lib/libtls-standalone.so.1:/usr/lib/libtls-standalone.so.1:ro
      - /usr/lib/libtls-standalone.so.1.0.0:/usr/lib/libtls-standalone.so.1.0.0:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
      - /var/lib/adlin/wireguard:/etc/wireguard
    command: ["/bin/ash", "-c", "/usr/bin/ask.sh"]
    runtime:
      mkdir:
        - /var/lib/adlin/wireguard

    # Network: workstations
  - name: net-wks-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 192.168.6.254/24 dev ethwks; ip link set ethwks up; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#1::1/96#\") dev ethwks;" ]
    net: /run/netns/router
    runtime:
      interfaces:
        - name: ethwks
          add: veth
          peer: veth-wks

#    # Network: servers
  - name: net-srv-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.1/24 dev ethsrv; ip link set ethsrv up; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1/96#\") dev ethsrv;" ]
    net: /run/netns/router
    runtime:
      interfaces:
        - name: ethsrv
          add: veth
          peer: veth-srv
  - name: net-srvns-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:2/96#\") dev vethin-ns; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/ns
  - name: net-srvnsauth-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.3/24 dev vethin-nsauth; ip link set vethin-nsauth up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:3/96#\") dev vethin-nsauth; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-nsauth
          add: veth
          peer: veth-nsauth
      bindNS:
        net: /run/netns/ns-auth
  - name: net-srvdb-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.4/24 dev vethin-db; ip link set vethin-db up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:4/96#\") dev vethin-db; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-db
          add: veth
          peer: veth-db
      bindNS:
        net: /run/netns/db
  - name: net-srvchat-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.5/24 dev vethin-chat; ip link set vethin-chat up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:5/96#\") dev vethin-chat; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-chat
          add: veth
          peer: veth-chat
      bindNS:
        net: /run/netns/chat
  - name: net-srvttrss-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.6/24 dev vethin-ttrss; ip link set vethin-ttrss up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:6/96#\") dev vethin-ttrss; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }" ]
    net: new
    runtime:
      interfaces:
        - name: vethin-ttrss
          add: veth
          peer: veth-ttrss
      bindNS:
        net: /run/netns/miniflux

    # Network: bridges
  - name: bridges-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip link set veth-srv master brsrv; ip link set veth-ns master brsrv; ip link set veth-nsauth master brsrv; ip link set veth-db master brsrv; ip link set veth-chat master brsrv; ip link set veth-ttrss master brsrv; ip link set veth-srv up; ip link set veth-ns up; ip link set veth-nsauth up; ip link set veth-db up; ip link set veth-chat up; ip link set veth-ttrss up; ip link set brsrv up; ip link set veth-wks master brwks; ip link set veth-wks1 master brwks; ip link set veth-wks2 master brwks; ip link set veth-wks up; ip link set veth-wks1 up; ip link set veth-wks2 up; ip link set brwks up; ip l | grep eth2 > /dev/null && { ip link set eth2 up; ip link set eth2 master brwks; }" ]
    runtime:
      interfaces:
        - name: brsrv
          add: bridge
        - name: brwks
          add: bridge
        - name: veth-wks1
          add: veth
          peer: ethwks1
        - name: veth-wks2
          add: veth
          peer: ethwks2

services:
  - name: dhcpcd-wks1
    image: linuxkit/dhcpcd:v0.7
    net: new
    runtime:
      interfaces:
        - name: eth1
        - name: ethwks1
      bindNS:
        net: /run/netns/wks1

  - name: dhcpcd-wks2
    image: linuxkit/dhcpcd:v0.7
    net: new
    runtime:
      interfaces:
        - name: ethwks2
      bindNS:
        net: /run/netns/wks2

  - name: sshd-wks1
    image: linuxkit/sshd:v0.7
    net: /run/netns/wks1
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow

  - name: sshd-wks2
    image: linuxkit/sshd:v0.7
    net: /run/netns/wks2
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow

  - name: mainrouter
    image: nemunaire/adlin-tuto3:a8593e91cb830dede2ad25a205ef47141a5a3c22
    net: /run/netns/router
    command: ["/sbin/init"]
    capabilities:
     - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /etc/dresolv.conf:/etc/resolv.conf
  - name: matrix
    image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212
    net: /run/netns/chat
    command: ["/sbin/init"]
    capabilities:
     - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /etc/dresolv.conf:/etc/resolv.conf
  - name: ns-resolv
    image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103
    net: /run/netns/ns
    capabilities:
      - all
    binds:
      - /etc/unbound:/etc/unbound:ro
      - /etc/services:/etc/services:ro
  - name: ns-auth
    image: nemunaire/nsd:8d1277be1eb28748ed7441ac82ac04edbacc3b5d
    net: /run/netns/ns-auth
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /var/lib/adlin/nsd:/etc/nsd:rw
      - /var/lib/adlin/nsd-db:/var/db/nsd:rw
      - /etc/nsd:/etc/nsd.sample:ro
      - /etc/network:/etc/network:ro
      - /etc/services:/etc/services:ro
    runtime:
      mkdir:
        - /var/lib/adlin/nsd
        - /var/lib/adlin/nsd-db
  - name: db
    image: postgres:alpine
    net: /run/netns/db
    capabilities:
      - all
    env:
      - LANG=en_US.utf8
      - PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/"
      - PGDATA=/var/lib/postgresql/data
      - POSTGRES_PASSWORD=adlin2021
    binds:
      - /etc/services:/etc/services:ro
      - /initdb/:/docker-entrypoint-initdb.d/:ro
      - /var/lib/adlin/postgres:/var/lib/postgresql/data
    runtime:
      mkdir:
        - /var/lib/adlin/postgres
#  - name: chat
#    image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty
#    net: /run/netns/chat
#    capabilities:
#      - all
#    command: ["/entrypoint.sh", "/mattermost/bin/platform"]
#    env:
#      - MM_USERNAME=mattermost
#      - MM_DBNAME=mattermost
#      - MM_PASSWORD=adlin2021
#    binds:
#      - /etc/services:/etc/services:ro
#      - /etc/hosts:/etc/hosts:ro
  - name: miniflux
    image: miniflux/miniflux:latest
    net: /run/netns/miniflux
    capabilities:
      - all
    command: ["/bin/sh", "-c", "sleep 5; /usr/bin/miniflux"]
    env:
      - DATABASE_URL=postgres://miniflux:adlin2021@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=adeline
      - ADMIN_PASSWORD=adlin2021
      - LISTEN_ADDR=0.0.0.0:8080
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /etc/services:/etc/services:ro

files:
  - path: etc/hosts
    contents: |
      127.0.0.1   localhost
      ::1         localhost
      172.23.42.4 db
    mode: "0444"

  - path: usr/bin/ask.sh
    source: pkg/wg/ask.sh
    mode: "0755"

  - path: etc/ssh/sshd_config
    source: pkg/nsd/sshd_config
    mode: "0644"

  - path: /usr/bin/reset-router-firewall
    contents: |
      #!/bin/sh
      PS=$(pgrep systemd | head -1)
      nsenter -t "${PS}" -a iptables -F
      nsenter -t "${PS}" -a iptables -P INPUT ACCEPT
      nsenter -t "${PS}" -a iptables -P FORWARD ACCEPT
      nsenter -t "${PS}" -a iptables -P OUTPUT ACCEPT
      nsenter -t "${PS}" -a iptables -t nat -F
    mode: "0755"

  - path: /usr/sbin/wg
    contents: |
      nsenter -n/run/netns/router /usr/bin/wg $@
    mode: "0755"

  - path: /initdb/init-miniflux.sh
    contents: |
      #!/bin/sh
      set -e
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
          CREATE USER miniflux WITH PASSWORD 'adlin2021';
          CREATE DATABASE miniflux;
          GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
      EOSQL
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname miniflux <<-EOSQL
          CREATE EXTENSION hstore;
      EOSQL
    mode: "0555"

  - path: /initdb/init-matrix.sql
    contents: |
      CREATE USER matrix WITH PASSWORD 'adlin2021';
      CREATE DATABASE matrix;
      GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
    mode: "0444"

  - path: /etc/init.d/999-rw-passwd.sh
    contents: |
      #!/bin/sh
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow
      cp /etc/services /containers/services/mainrouter/rootfs/etc/services
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow
      cp /etc/services /containers/services/matrix/rootfs/etc/services
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow
      exit 0
    mode: "0555"

  - path: etc/issue.adlin
    source: pkg/debian-tuto3/issue
    mode: "0444"

  - path: /etc/init.d/500-showip.sh
    contents: |
      #!/bin/sh
      echo
      cat /etc/issue.adlin
      echo
      nsenter -n/run/netns/router ip -c a show dev wg0 2> /dev/null || echo "You didn't define your token to connect the network. Please run here `join-p0m` and then reboot."
      nsenter -n/run/netns/router ip -c a show dev eth0
      nsenter -n/run/netns/wks1 ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
      exit 0
    mode: "0555"

#  - path: /etc/init.d/999-getty.sh
#    contents: |
#      #!/bin/sh
#      while true
#      do
#          /usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux
#          sleep 1
#      done &
#    mode: "0555"

  - path: /usr/sbin/join-p0m
    contents: |
      [ -f "/var/lib/adlin/wireguard/adlin.token" ] && echo "A token is already defined. You'll erase it it you continue."
      echo -n "Please copy your token here: "
      read WGTOKEN
      mkdir -p /var/lib/adlin/wireguard/
      echo $WGTOKEN > /var/lib/adlin/wireguard/adlin.token
      echo "Token saved. You need to reboot now."
    mode: "0755"

  - path: etc/network/interfaces
    contents: |

    mode: "0440"

  - path: etc/nsd/nsd.conf
    contents: |
      remote-control:
             control-enable: yes
      zone:
             name: login-x.srs.p0m.fr
             zonefile: /etc/nsd/login-x.srs.p0m.fr.zone
    mode: "0644"

  - path: etc/nsd/login-x.srs.p0m.fr.zone
    contents: |
      login-x.srs.p0m.fr.         900  SOA     ns.login-x.srs.p0m.fr. root.login-x.srs.p0m.fr. 2020032900 172800 3600 2419200 86400
      login-x.srs.p0m.fr.         900  NS      ns.login-x.srs.p0m.fr.
      ns.login-x.srs.p0m.fr.      900  AAAA    2a01:e0a:2b:2252:4242::3
    mode: "0644"

  - path: etc/unbound/unbound.conf
    contents: |
      server:
              verbosity: 1
              interface: 0.0.0.0
              interface: ::0
              prefer-ip6: no
              access-control: 172.23.0.0/16 allow
              access-control: 192.168.0.0/16 allow
              log-queries: yes
              log-replies: yes
              use-syslog: no
              hide-identity: yes
              hide-version: yes
              qname-minimisation: yes
              domain-insecure: "."
              val-permissive-mode: yes
              trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
              local-zone: "adlin.p0m.fr" typetransparent
              local-data: "news.adlin.p0m.fr A 172.23.42.1"
              local-data: "matrix.adlin.p0m.fr A 172.23.42.1"
      remote-control:
             control-enable: no
      forward-zone:
             name: "."
             forward-addr: 9.9.9.9
    mode: "0440"

  - path: etc/wpasswd
    contents: |
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      sys:x:3:3:sys:/dev:/usr/sbin/nologin
      sync:x:4:65534:sync:/bin:/bin/sync
      games:x:5:60:games:/usr/games:/usr/sbin/nologin
      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
      _apt:x:100:65534::/nonexistent:/bin/false
      sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
      systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false
      systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false
      systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false
      systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
    mode: "0644"


  - path: etc/wshadow
    contents: |
      root:$6$B0qzwsEh$vfWGpIFUrKGrkT0PVtGhhomBwc.60IBIxjMLyG8mz.NJLFRryjqLK9sA/mzxNSaQViiHsYYrsgmcWVHblfdHg1:17968:0:99999:7:::
      daemon:*:17575:0:99999:7:::
      bin:*:17575:0:99999:7:::
      sys:*:17575:0:99999:7:::
      sync:*:17575:0:99999:7:::
      games:*:17575:0:99999:7:::
      man:*:17575:0:99999:7:::
      lp:*:17575:0:99999:7:::
      mail:*:17575:0:99999:7:::
      news:*:17575:0:99999:7:::
      uucp:*:17575:0:99999:7:::
      proxy:*:17575:0:99999:7:::
      www-data:*:17575:0:99999:7:::
      backup:*:17575:0:99999:7:::
      list:*:17575:0:99999:7:::
      irc:*:17575:0:99999:7:::
      gnats:*:17575:0:99999:7:::
      nobody:*:17575:0:99999:7:::
      _apt:*:17575:0:99999:7:::
      sshd:*:17594:0:99999:7:::
      systemd-timesync:*:17594:0:99999:7:::
      systemd-network:*:17594:0:99999:7:::
      systemd-resolve:*:17594:0:99999:7:::
      systemd-bus-proxy:*:17594:0:99999:7:::
    mode: "0640"

  - path: etc/dresolv.conf
    contents: |
      nameserver 172.23.42.2
    mode: "0644"

  - path: var/lib/adlin
    directory: true
    mode: "0755"

  - path: etc/mresolv.conf
    contents: |
      nameserver 9.9.9.9
      nameserver 1.1.1.1
    mode: "0644"

trust:
  org:
    - linuxkit
    - library