Tuto3 almost ready for 2022

This commit is contained in:
nemunaire 2021-03-21 20:41:41 +01:00
parent bb03770b55
commit 5500712d60
2 changed files with 325 additions and 84 deletions


@ -23,9 +23,9 @@ do
exit 1
done
echo -n "${WGTOKEN}" > /var/lib/adlin/wireguard/adlin.token
/sbin/ip link add dev wg0 type wireguard
/usr/bin/wg setconf wg0 /var/lib/adlin/wireguard/adlin.conf
/sbin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
/sbin/ip link set up dev wg0
/sbin/ip -6 route del default
/sbin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf) pref high
#/sbin/ip link add dev wg0 type wireguard
#/usr/bin/wg setconf wg0 /var/lib/adlin/wireguard/adlin.conf
#/sbin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
#/sbin/ip link set up dev wg0
#/sbin/ip -6 route del default
#/sbin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf) pref high
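Review bot: The six WireGuard setup commands are kept as commented-out copies of the lines they replace instead of being deleted, which leaves this script carrying dead code that will drift from whatever now brings up wg0 (the tuto3.yml side of this commit appears to move that into the router's network config). Git history already preserves the old commands, so the `#/sbin/ip ...` and `#/usr/bin/wg ...` lines can go; if they are meant as a manual fallback, keep a single explanatory comment instead, e.g. `# wg0 is now configured from the router container (see 014-default-router-config)`. The `do … done` loop this hunk closes starts outside the hunk.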

tuto3.yml

@ -1,5 +1,5 @@
kernel:
image: linuxkit/kernel:4.19.113
image: linuxkit/kernel:4.19.121
# cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
cmdline: "console=tty0"
@ -40,9 +40,9 @@ onboot:
net: /run/netns/router
services:
- name: dhcpcd-wks1
- name: dhcpcd-wks-dg1
image: linuxkit/dhcpcd:v0.8
hostname: wks1
hostname: wks-dg1
net: new
pid: new
ipc: new
@ -50,55 +50,88 @@ services:
runtime:
interfaces:
- name: eth1
- name: ethwks1
- name: ethwks-dg1
bindNS:
net: /run/netns/wks1
uts: /run/utsns/wks1
net: /run/netns/wks-dg1
uts: /run/utsns/wks-dg1
binds:
- /var/lib/adlin/wks1resolv.conf:/etc/resolv.conf
- /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
- name: dhcpcd-wks2
- name: dhcpcd-wks-rh1
image: linuxkit/dhcpcd:v0.8
hostname: wks2
hostname: wks-rh1
net: new
pid: new
ipc: new
uts: new
runtime:
interfaces:
- name: ethwks2
- name: ethwks-rh1
bindNS:
net: /run/netns/wks2
uts: /run/utsns/wks2
net: /run/netns/wks-rh1
uts: /run/utsns/wks-rh1
binds:
- /var/lib/adlin/wks2resolv.conf:/etc/resolv.conf
- /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf
- name: sshd-wks1
- name: dhcpcd-wks-rh2
image: linuxkit/dhcpcd:v0.8
hostname: wks-rh2
net: new
pid: new
ipc: new
uts: new
runtime:
interfaces:
- name: ethwks-rh2
bindNS:
net: /run/netns/wks-rh2
uts: /run/utsns/wks-rh2
binds:
- /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
- name: dhcpcd-wks-cm1
image: linuxkit/dhcpcd:v0.8
hostname: wks-cm1
net: new
pid: new
ipc: new
uts: new
runtime:
interfaces:
- name: ethwks-cm1
bindNS:
net: /run/netns/wks-cm1
uts: /run/utsns/wks-cm1
binds:
- /var/lib/adlin/wks-cm1resolv.conf:/etc/resolv.conf
- name: sshd-wks-dg1
image: linuxkit/sshd:v0.8
net: /run/netns/wks1
uts: /run/utsns/wks1
net: /run/netns/wks-dg1
uts: /run/utsns/wks-dg1
pid: new
ipc: new
binds:
- /etc/ssh/sshd_config:/etc/ssh/sshd_config
- /etc/wpasswd:/etc/passwd
- /etc/wshadow:/etc/shadow
- /var/lib/adlin/wks1resolv.conf:/etc/resolv.conf
- /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
- name: sshd-wks2
- name: sshd-wks-rh2
image: linuxkit/sshd:v0.8
net: /run/netns/wks2
uts: /run/utsns/wks2
net: /run/netns/wks-rh2
uts: /run/utsns/wks-rh2
pid: new
ipc: new
binds:
- /etc/ssh/sshd_config:/etc/ssh/sshd_config
- /etc/wpasswd:/etc/passwd
- /etc/wshadow:/etc/shadow
- /var/lib/adlin/wks2resolv.conf:/etc/resolv.conf
- /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
- name: mainrouter
image: nemunaire/adlin-tuto3:a8593e91cb830dede2ad25a205ef47141a5a3c22
#image: nemunaire/adlin-tuto3:485bb9556ca3bc33e7fee16edd93c05f35eb1455
image: nemunaire/router-tuto3:c07718ca23c03ff5033c4042f0cbeca6c26d4e6f
net: /run/netns/router
pid: new
ipc: new
@ -111,10 +144,17 @@ services:
- type: cgroup
options: ["rw","nosuid","noexec","nodev","relatime"]
binds:
- /var/lib/adlin/wrt-config:/etc/config
- /etc/rshadow:/etc/shadow
- /etc/rinittab:/etc/inittab
- /etc/hosts:/etc/hosts:ro
- /etc/dresolv.conf:/etc/resolv.conf
- /etc/rsysctl.conf:/etc/sysctl.d/10-default.conf:ro
- /lib/preinit/20_check_iso:/lib/preinit/20_check_iso
- /lib/preinit/30_failsafe_wait:/lib/preinit/30_failsafe_wait
- /lib/preinit/99_10_failsafe_login:/lib/preinit/99_10_failsafe_login
- name: matrix
image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212
image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
net: /run/netns/chat
pid: new
ipc: new
@ -177,7 +217,7 @@ services:
- LANG=en_US.utf8
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/"
- PGDATA=/var/lib/postgresql/data
- POSTGRES_PASSWORD=adlin2021
- POSTGRES_PASSWORD=adlin2022
binds:
- /etc/services:/etc/services:ro
- /initdb/:/docker-entrypoint-initdb.d/:ro
@ -194,7 +234,7 @@ services:
# env:
# - MM_USERNAME=mattermost
# - MM_DBNAME=mattermost
# - MM_PASSWORD=adlin2021
# - MM_PASSWORD=adlin2022
# binds:
# - /etc/services:/etc/services:ro
# - /etc/hosts:/etc/hosts:ro
@ -209,18 +249,18 @@ services:
- all
command: ["/bin/sh", "-c", "sleep 10; /usr/bin/miniflux"]
env:
- DATABASE_URL=postgres://miniflux:adlin2021@db/miniflux?sslmode=disable
- DATABASE_URL=postgres://miniflux:adlin2022@db/miniflux?sslmode=disable
- RUN_MIGRATIONS=1
- CREATE_ADMIN=1
- ADMIN_USERNAME=adeline
- ADMIN_PASSWORD=adlin2021
- ADMIN_PASSWORD=adlin2022
- LISTEN_ADDR=0.0.0.0:8080
binds:
- /etc/hosts:/etc/hosts:ro
- /etc/dresolv.conf:/etc/resolv.conf
- /etc/services:/etc/services:ro
- name: web
image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212
image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
net: /run/netns/web
pid: new
ipc: new
@ -268,17 +308,17 @@ files:
- path: /usr/bin/reset-router-firewall
contents: |
#!/bin/sh
PS=$(pgrep systemd | head -1)
nsenter -t "${PS}" -a iptables -F
nsenter -t "${PS}" -a iptables -P INPUT ACCEPT
nsenter -t "${PS}" -a iptables -P FORWARD ACCEPT
nsenter -t "${PS}" -a iptables -P OUTPUT ACCEPT
nsenter -t "${PS}" -a iptables -t nat -F
PS=$(pgrep procd | head -1)
nsenter -t "${PS}" -a -- iptables -F
nsenter -t "${PS}" -a -- iptables -P INPUT ACCEPT
nsenter -t "${PS}" -a -- iptables -P FORWARD ACCEPT
nsenter -t "${PS}" -a -- iptables -P OUTPUT ACCEPT
nsenter -t "${PS}" -a -- iptables -t nat -F
mode: "0755"
- path: /usr/sbin/wg
contents: |
nsenter -n/run/netns/router /usr/bin/wg $@
nsenter -n/run/netns/router -- /usr/bin/wg $@
mode: "0755"
- path: /initdb/init-miniflux.sh
@ -286,7 +326,7 @@ files:
#!/bin/sh
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER miniflux WITH PASSWORD 'adlin2021';
CREATE USER miniflux WITH PASSWORD 'adlin2022';
CREATE DATABASE miniflux;
GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
EOSQL
@ -297,14 +337,14 @@ files:
- path: /initdb/init-matrix.sql
contents: |
CREATE USER matrix WITH PASSWORD 'adlin2021';
CREATE USER matrix WITH PASSWORD 'adlin2022';
CREATE DATABASE matrix ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER matrix;
GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
mode: "0444"
- path: /initdb/init-website.sql
contents: |
CREATE USER website WITH PASSWORD 'adlin2021';
CREATE USER website WITH PASSWORD 'adlin2022';
CREATE DATABASE website ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER website;
GRANT ALL PRIVILEGES ON DATABASE website TO website;
mode: "0444"
@ -313,31 +353,31 @@ files:
contents: |
#!/bin/sh
mkdir -p /var/lib/adlin/
rm -rf /var/lib/adlin/wks1resolv.conf /var/lib/adlin/wks2resolv.conf
touch /var/lib/adlin/wks1resolv.conf /var/lib/adlin/wks2resolv.conf
rm -rf /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
touch /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
mode: "0755"
- path: etc/init.d/011-tuto-net
contents: |
#!/bin/sh
mkdir -p /var/lib/adlin/wireguard/
nsenter -n/run/netns/router /usr/bin/ask.sh
nsenter -n/run/netns/router -- /usr/bin/ask.sh
# Network: workstations
ip link add ethwks type veth peer name veth-wks
ip link set ethwks up
ip link set ethwks netns router
ip netns exec router ip a add 192.168.6.254/24 dev ethwks
grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks
#ip link set ethwks up
#ip netns exec router ip a add 192.168.6.254/24 dev ethwks
#grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
# ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks
# Network: servers
ip link add ethsrv type veth peer name veth-srv
ip link set ethsrv netns router
ip netns exec router ip link set ethsrv up
ip netns exec router ip a add 172.23.42.1/24 dev ethsrv
grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv
#ip netns exec router ip link set ethsrv up
#ip netns exec router ip a add 172.23.42.1/24 dev ethsrv
#grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
# ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv
ip netns add ns
ip link add vethin-ns type veth peer name veth-ns
@ -426,13 +466,27 @@ files:
ip l add brwks type bridge
ip link add veth-wks1 type veth peer name ethwks1
ip link add link ethwks1 name ethwks-dg1 type vlan id 10
ip link add veth-wks2 type veth peer name ethwks2
ip link add link ethwks2 name ethwks-rh1 type vlan id 11
ip link add veth-wks3 type veth peer name ethwks3
ip link add link ethwks3 name ethwks-rh2 type vlan id 11
ip link add veth-wks4 type veth peer name ethwks4
ip link add link ethwks4 name ethwks-cm1 type vlan id 12
ip link set veth-wks master brwks
ip link set veth-wks1 master brwks
ip link set veth-wks2 master brwks
ip link set veth-wks3 master brwks
ip link set veth-wks4 master brwks
ip link set veth-wks up
ip link set veth-wks1 up
ip link set veth-wks2 up
ip link set veth-wks3 up
ip link set veth-wks4 up
ip link set ethwks1 up
ip link set ethwks2 up
ip link set ethwks3 up
ip link set ethwks4 up
ip link set brwks up
ip l | grep eth2 > /dev/null && {
ip link set eth2 up
@ -446,21 +500,98 @@ files:
ip netns exec router wget -O - --header "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm | sh
mode: "0755"
- path: etc/init.d/014-default-router-config
contents: |
#!/bin/sh
[ -d /var/lib/adlin/wrt-config ] || {
mkdir -p /var/lib/adlin/wrt-config
cp /containers/services/mainrouter/lower/etc/config/* /var/lib/adlin/wrt-config/
# Configured by students
rm -f /var/lib/adlin/wrt-config/firewall
# Avoid listening on IPv6
sed -r -i '/list\s+listen_http\s+\[::\]:80/d;/list\s+listen_http\s+\[::\]:443/d' /var/lib/adlin/wrt-config/uhttpd
TUNPVKEY=$(sed 's/^.*PrivateKey = //p;d' adlin.conf /var/lib/adlin/wireguard/adlin.conf)
TUNIP=$(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
SRVIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#:1/96#")
WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96")
# Configure networking
cat > /etc/config/network <<EOF
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
EOF
[ -f /var/lib/adlin/wireguard/adlin.conf ] && cat >> /etc/config/network <<EOF
config interface 'wg0'
option proto 'wireguard'
option force_link '1'
list addresses '${TUNIP}'
option private_key '${TUNPVKEY}'
config wireguard_wg0
option public_key 'uSpqyYovvP4OG6wDxZ0Qkq45MfyK58PMUuPaLesY8FI='
option description 'maatma'
option persistent_keepalive '5'
list allowed_ips '::/0'
option endpoint_host '82.64.31.248'
option endpoint_port '42912'
config interface 'srv'
option ifname 'ethsrv'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '172.23.42.1'
list ip6addr '${SRVIP}'
config route6
option target '::/0'
option gateway '2a01:e0a:2b:2252::1'
option interface 'wg0'
config interface 'wks'
option ifname 'ethwks'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.6.254'
list ip6addr '${WKSIP}'
EOF
}
mode: "0755"
- path: etc/init.d/014-get-ssh-keys
contents: |
#!/bin/sh
# Retrieve ssh keys
[ -f /var/lib/adlin/authorized_keys ] || nsenter -n/run/netns/router -- /usr/bin/wget -O /var/lib/adlin/authorized_keys https://cri.epita.fr/$(sed 's/^.*MyLogin=//p;d' /var/lib/adlin/wireguard/adlin.conf).keys
mode: "0755"
# - path: etc/init.d/021-correction
# contents: |
# #!/bin/sh
# PS=$(pgrep systemd | head -1)
# nsenter -t "${PS}" -a sysctl -w net.ipv4.ip_forward=1
# nsenter -t "${PS}" -a sysctl -w net.ipv6.conf.all.forwarding=1
# nsenter -t "${PS}" -a sysctl -w net.ipv4.conf.ethsrv.route_localnet=1
# nsenter -t "${PS}" -a iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# nsenter -t "${PS}" -a iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE
# nsenter -t "${PS}" -a iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9
# nsenter -t "${PS}" -a iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9
# nsenter -t "${PS}" -a iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6
# nsenter -t "${PS}" -a iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6
# nsenter -t "${PS}" -a ip link set ethwks up
# cat <<EOF | nsenter -t "${PS}" -a tee /etc/udhcpd.conf
# PS=$(pgrep procd | head -1)
# nsenter -t "${PS}" -a -- sysctl -w net.ipv4.ip_forward=1
# nsenter -t "${PS}" -a -- sysctl -w net.ipv6.conf.all.forwarding=1
# nsenter -t "${PS}" -a -- sysctl -w net.ipv4.conf.ethsrv.route_localnet=1
# nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE
# nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9
# nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9
# nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6
# nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6
# nsenter -t "${PS}" -a -- ip link set ethwks up
# cat <<EOF | nsenter -t "${PS}" -a -- tee /etc/udhcpd.conf
# start 192.168.6.50
# end 192.168.6.200
# interface ethwks
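Review bot: In the new `014-default-router-config` script the `WKSIP=` line is missing the closing `#` of its sed substitution (`"s#:[^:/]*/.*\$#1::1/96"` has no terminating delimiter, unlike the `SRVIP=` line just above it and the same expression in `011-tuto-net`), so sed fails with an unterminated `s' command and `list ip6addr '${WKSIP}'` is written empty. The `TUNPVKEY=` line also passes a stray relative `adlin.conf` before the real path, which makes sed report an unreadable file on every boot; the two lines should read `TUNPVKEY=$(sed 's/^.*PrivateKey = //p;d' /var/lib/adlin/wireguard/adlin.conf)` and `WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96#")`. Both heredocs write to `/etc/config/network` on the host, while every other line in the block targets `/var/lib/adlin/wrt-config/`, the directory bound to `/etc/config` in the mainrouter service — this looks like it should be `/var/lib/adlin/wrt-config/network`, worth confirming. Since that file then holds the WireGuard private key in clear, it should also be created with a restrictive mode (`chmod 600`) rather than the umask default.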
@ -471,16 +602,30 @@ files:
# EOF
# mode: "0755"
- path: /etc/init.d/999-rw-passwd.sh
- path: /etc/init.d/800-rw-passwd.sh
contents: |
#!/bin/sh
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow
cp /etc/services /containers/services/mainrouter/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow
#sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow
#cp /etc/services /containers/services/mainrouter/rootfs/etc/services
mkdir /containers/services/mainrouter/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/mainrouter/rootfs/root/.ssh/authorized_keys
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow
cp /etc/services /containers/services/matrix/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow
mkdir /containers/services/matrix/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/matrix/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep matrix | awk '{ print $2 }') -a ssh-keygen -A
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow
mkdir /containers/services/ns-auth/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/ns-auth/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep ns-auth | awk '{ print $2 }') -a ssh-keygen -A
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/web/rootfs/etc/shadow
cp /etc/services /containers/services/web/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/web/rootfs/etc/shadow
mkdir /containers/services/web/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/web/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep web | awk '{ print $2 }') -a ssh-keygen -A
exit 0
mode: "0555"
@ -488,7 +633,7 @@ files:
contents: |
#!/bin/sh
sleep 20
nsenter -t $(pgrep systemd | head -1) -a curl -s -u adeline:adlin2021 -d @- http://172.23.42.6:8080/v1/import < /root/feeds.opml 2> /dev/null > /dev/null
nsenter -t $(pgrep procd | head -1) -a -- curl -s -u adeline:adlin2022 -d @- http://172.23.42.6:8080/v1/import < /root/feeds.opml 2> /dev/null > /dev/null
exit 0
mode: "0555"
@ -499,12 +644,13 @@ files:
- path: /etc/init.d/500-showip.sh
contents: |
#!/bin/sh
sleep 5
echo
cat /etc/issue.adlin
echo
nsenter -n/run/netns/router ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh
nsenter -n/run/netns/router ip -c a show dev eth0
nsenter -n/run/netns/wks1 ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
nsenter -n/run/netns/router -- ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh
nsenter -n/run/netns/router -- ip -c a show dev eth0
nsenter -n/run/netns/wks1 -- ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
exit 0
mode: "0555"
@ -527,7 +673,7 @@ files:
- path: /usr/sbin/sos-dhcp
contents: |
#!/bin/sh
nsenter -t $(pgrep dhcpcd) -a dhcpcd
nsenter -t $(pgrep dhcpcd) -a -- dhcpcd
mode: "0755"
- path: /usr/sbin/raz-my-dd
@ -562,10 +708,10 @@ files:
echo -n "Disque dur monté : "; df /var/lib/adlin/ | grep ^/dev/sd > /dev/null && ok || ko
echo
echo -n "Token Maatma renseigné : "; [ -s "/var/lib/adlin/wireguard/adlin.token" ] && ok -n || ko -n
echo -n " - Tunnel monté : "; nsenter -n/run/netns/router /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Tunnel établit : "; [ "$(nsenter -n/run/netns/router /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko
echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko
echo -n " - Tunnel monté : "; nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Tunnel établit : "; [ "$(nsenter -n/run/netns/router -- /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko
echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko
echo
echo -n "États serveurs : ";
ctr -n services.linuxkit t ls | grep mainrouter | grep RUNNING > /dev/null && ok -n "Routeur" || ko -n "Routeur"
@ -648,6 +794,23 @@ files:
forward-addr: 2606:4700:4700::1111
mode: "0440"
- path: etc/rinittab
contents: |
::sysinit:/etc/init.d/rcS S boot
::shutdown:/etc/init.d/rcS K shutdown
mode: "0644"
- path: etc/rshadow
contents: |
root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
mode: "0640"
- path: etc/wpasswd
contents: |
root:x:0:0:root:/root:/bin/bash
@ -676,10 +839,9 @@ files:
systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
mode: "0644"
- path: etc/wshadow
contents: |
root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::
root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::
daemon:*:17575:0:99999:7:::
bin:*:17575:0:99999:7:::
sys:*:17575:0:99999:7:::
@ -722,6 +884,85 @@ files:
nameserver 2620:fe::fe
mode: "0644"
- path: etc/rsysctl.conf
contents: |
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.core.bpf_jit_enable=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
mode: "0644"
- path: etc/rpreinit
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
mkdir -p /var/lock
mount -t tmpfs none /var/lock
unset PREINIT
exec /sbin/procd
mode: "0755"
- path: lib/preinit/20_check_iso
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
check_for_iso() {
echo > /dev/null || ramoverlay
}
boot_hook_add preinit_mount_root check_for_iso
mode: "0644"
- path: lib/preinit/30_failsafe_wait
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
mode: "0644"
- path: lib/preinit/99_10_failsafe_login
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
failsafe_netlogin () {
dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
}
failsafe_shell() {
echo > /dev/null || ramoverlay
}
boot_hook_add failsafe failsafe_netlogin
boot_hook_add failsafe failsafe_shell
mode: "0644"
trust:
org:
- linuxkit