Tuto3 almost ready for 2022

This commit is contained in:
nemunaire 2021-03-21 20:41:41 +01:00
parent bb03770b55
commit 5500712d60
2 changed files with 325 additions and 84 deletions


@ -23,9 +23,9 @@ do
exit 1 exit 1
done done
echo -n "${WGTOKEN}" > /var/lib/adlin/wireguard/adlin.token echo -n "${WGTOKEN}" > /var/lib/adlin/wireguard/adlin.token
/sbin/ip link add dev wg0 type wireguard #/sbin/ip link add dev wg0 type wireguard
/usr/bin/wg setconf wg0 /var/lib/adlin/wireguard/adlin.conf #/usr/bin/wg setconf wg0 /var/lib/adlin/wireguard/adlin.conf
/sbin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf) #/sbin/ip address add dev wg0 $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
/sbin/ip link set up dev wg0 #/sbin/ip link set up dev wg0
/sbin/ip -6 route del default #/sbin/ip -6 route del default
/sbin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf) pref high #/sbin/ip -6 route add default via $(sed 's/^.*GWIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf) pref high
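Review bot: The wg0 bring-up at the end of this hunk is commented out rather than removed, leaving six dead `#/sbin/ip …` and `#/usr/bin/wg …` lines after the token is written, with nothing saying where the tunnel is now configured. The rest of the commit appears to move it into the router's OpenWrt network config, so delete the lines and keep a one-line pointer such as `# wg0 is now brought up by the router container (see tuto3.yml, 014-default-router-config)`. The `do`/`done` loop preceding the token write starts outside the hunk.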

tuto3.yml

@ -1,5 +1,5 @@
kernel: kernel:
image: linuxkit/kernel:4.19.113 image: linuxkit/kernel:4.19.121
# cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA" # cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
cmdline: "console=tty0" cmdline: "console=tty0"
@ -40,9 +40,9 @@ onboot:
net: /run/netns/router net: /run/netns/router
services: services:
- name: dhcpcd-wks1 - name: dhcpcd-wks-dg1
image: linuxkit/dhcpcd:v0.8 image: linuxkit/dhcpcd:v0.8
hostname: wks1 hostname: wks-dg1
net: new net: new
pid: new pid: new
ipc: new ipc: new
@ -50,55 +50,88 @@ services:
runtime: runtime:
interfaces: interfaces:
- name: eth1 - name: eth1
- name: ethwks1 - name: ethwks-dg1
bindNS: bindNS:
net: /run/netns/wks1 net: /run/netns/wks-dg1
uts: /run/utsns/wks1 uts: /run/utsns/wks-dg1
binds: binds:
- /var/lib/adlin/wks1resolv.conf:/etc/resolv.conf - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
- name: dhcpcd-wks2 - name: dhcpcd-wks-rh1
image: linuxkit/dhcpcd:v0.8 image: linuxkit/dhcpcd:v0.8
hostname: wks2 hostname: wks-rh1
net: new net: new
pid: new pid: new
ipc: new ipc: new
uts: new uts: new
runtime: runtime:
interfaces: interfaces:
- name: ethwks2 - name: ethwks-rh1
bindNS: bindNS:
net: /run/netns/wks2 net: /run/netns/wks-rh1
uts: /run/utsns/wks2 uts: /run/utsns/wks-rh1
binds: binds:
- /var/lib/adlin/wks2resolv.conf:/etc/resolv.conf - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf
- name: sshd-wks1 - name: dhcpcd-wks-rh2
image: linuxkit/dhcpcd:v0.8
hostname: wks-rh2
net: new
pid: new
ipc: new
uts: new
runtime:
interfaces:
- name: ethwks-rh2
bindNS:
net: /run/netns/wks-rh2
uts: /run/utsns/wks-rh2
binds:
- /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
- name: dhcpcd-wks-cm1
image: linuxkit/dhcpcd:v0.8
hostname: wks-cm1
net: new
pid: new
ipc: new
uts: new
runtime:
interfaces:
- name: ethwks-cm1
bindNS:
net: /run/netns/wks-cm1
uts: /run/utsns/wks-cm1
binds:
- /var/lib/adlin/wks-cm1resolv.conf:/etc/resolv.conf
- name: sshd-wks-dg1
image: linuxkit/sshd:v0.8 image: linuxkit/sshd:v0.8
net: /run/netns/wks1 net: /run/netns/wks-dg1
uts: /run/utsns/wks1 uts: /run/utsns/wks-dg1
pid: new pid: new
ipc: new ipc: new
binds: binds:
- /etc/ssh/sshd_config:/etc/ssh/sshd_config - /etc/ssh/sshd_config:/etc/ssh/sshd_config
- /etc/wpasswd:/etc/passwd - /etc/wpasswd:/etc/passwd
- /etc/wshadow:/etc/shadow - /etc/wshadow:/etc/shadow
- /var/lib/adlin/wks1resolv.conf:/etc/resolv.conf - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
- name: sshd-wks2 - name: sshd-wks-rh2
image: linuxkit/sshd:v0.8 image: linuxkit/sshd:v0.8
net: /run/netns/wks2 net: /run/netns/wks-rh2
uts: /run/utsns/wks2 uts: /run/utsns/wks-rh2
pid: new pid: new
ipc: new ipc: new
binds: binds:
- /etc/ssh/sshd_config:/etc/ssh/sshd_config - /etc/ssh/sshd_config:/etc/ssh/sshd_config
- /etc/wpasswd:/etc/passwd - /etc/wpasswd:/etc/passwd
- /etc/wshadow:/etc/shadow - /etc/wshadow:/etc/shadow
- /var/lib/adlin/wks2resolv.conf:/etc/resolv.conf - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
- name: mainrouter - name: mainrouter
image: nemunaire/adlin-tuto3:a8593e91cb830dede2ad25a205ef47141a5a3c22 #image: nemunaire/adlin-tuto3:485bb9556ca3bc33e7fee16edd93c05f35eb1455
image: nemunaire/router-tuto3:c07718ca23c03ff5033c4042f0cbeca6c26d4e6f
net: /run/netns/router net: /run/netns/router
pid: new pid: new
ipc: new ipc: new
@ -111,10 +144,17 @@ services:
- type: cgroup - type: cgroup
options: ["rw","nosuid","noexec","nodev","relatime"] options: ["rw","nosuid","noexec","nodev","relatime"]
binds: binds:
- /var/lib/adlin/wrt-config:/etc/config
- /etc/rshadow:/etc/shadow
- /etc/rinittab:/etc/inittab
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /etc/dresolv.conf:/etc/resolv.conf - /etc/dresolv.conf:/etc/resolv.conf
- /etc/rsysctl.conf:/etc/sysctl.d/10-default.conf:ro
- /lib/preinit/20_check_iso:/lib/preinit/20_check_iso
- /lib/preinit/30_failsafe_wait:/lib/preinit/30_failsafe_wait
- /lib/preinit/99_10_failsafe_login:/lib/preinit/99_10_failsafe_login
- name: matrix - name: matrix
image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212 image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
net: /run/netns/chat net: /run/netns/chat
pid: new pid: new
ipc: new ipc: new
@ -177,7 +217,7 @@ services:
- LANG=en_US.utf8 - LANG=en_US.utf8
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/" - PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/"
- PGDATA=/var/lib/postgresql/data - PGDATA=/var/lib/postgresql/data
- POSTGRES_PASSWORD=adlin2021 - POSTGRES_PASSWORD=adlin2022
binds: binds:
- /etc/services:/etc/services:ro - /etc/services:/etc/services:ro
- /initdb/:/docker-entrypoint-initdb.d/:ro - /initdb/:/docker-entrypoint-initdb.d/:ro
@ -194,7 +234,7 @@ services:
# env: # env:
# - MM_USERNAME=mattermost # - MM_USERNAME=mattermost
# - MM_DBNAME=mattermost # - MM_DBNAME=mattermost
# - MM_PASSWORD=adlin2021 # - MM_PASSWORD=adlin2022
# binds: # binds:
# - /etc/services:/etc/services:ro # - /etc/services:/etc/services:ro
# - /etc/hosts:/etc/hosts:ro # - /etc/hosts:/etc/hosts:ro
@ -209,18 +249,18 @@ services:
- all - all
command: ["/bin/sh", "-c", "sleep 10; /usr/bin/miniflux"] command: ["/bin/sh", "-c", "sleep 10; /usr/bin/miniflux"]
env: env:
- DATABASE_URL=postgres://miniflux:adlin2021@db/miniflux?sslmode=disable - DATABASE_URL=postgres://miniflux:adlin2022@db/miniflux?sslmode=disable
- RUN_MIGRATIONS=1 - RUN_MIGRATIONS=1
- CREATE_ADMIN=1 - CREATE_ADMIN=1
- ADMIN_USERNAME=adeline - ADMIN_USERNAME=adeline
- ADMIN_PASSWORD=adlin2021 - ADMIN_PASSWORD=adlin2022
- LISTEN_ADDR=0.0.0.0:8080 - LISTEN_ADDR=0.0.0.0:8080
binds: binds:
- /etc/hosts:/etc/hosts:ro - /etc/hosts:/etc/hosts:ro
- /etc/dresolv.conf:/etc/resolv.conf - /etc/dresolv.conf:/etc/resolv.conf
- /etc/services:/etc/services:ro - /etc/services:/etc/services:ro
- name: web - name: web
image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212 image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
net: /run/netns/web net: /run/netns/web
pid: new pid: new
ipc: new ipc: new
@ -268,17 +308,17 @@ files:
- path: /usr/bin/reset-router-firewall - path: /usr/bin/reset-router-firewall
contents: | contents: |
#!/bin/sh #!/bin/sh
PS=$(pgrep systemd | head -1) PS=$(pgrep procd | head -1)
nsenter -t "${PS}" -a iptables -F nsenter -t "${PS}" -a -- iptables -F
nsenter -t "${PS}" -a iptables -P INPUT ACCEPT nsenter -t "${PS}" -a -- iptables -P INPUT ACCEPT
nsenter -t "${PS}" -a iptables -P FORWARD ACCEPT nsenter -t "${PS}" -a -- iptables -P FORWARD ACCEPT
nsenter -t "${PS}" -a iptables -P OUTPUT ACCEPT nsenter -t "${PS}" -a -- iptables -P OUTPUT ACCEPT
nsenter -t "${PS}" -a iptables -t nat -F nsenter -t "${PS}" -a -- iptables -t nat -F
mode: "0755" mode: "0755"
- path: /usr/sbin/wg - path: /usr/sbin/wg
contents: | contents: |
nsenter -n/run/netns/router /usr/bin/wg $@ nsenter -n/run/netns/router -- /usr/bin/wg $@
mode: "0755" mode: "0755"
- path: /initdb/init-miniflux.sh - path: /initdb/init-miniflux.sh
@ -286,7 +326,7 @@ files:
#!/bin/sh #!/bin/sh
set -e set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER miniflux WITH PASSWORD 'adlin2021'; CREATE USER miniflux WITH PASSWORD 'adlin2022';
CREATE DATABASE miniflux; CREATE DATABASE miniflux;
GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux; GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
EOSQL EOSQL
@ -297,14 +337,14 @@ files:
- path: /initdb/init-matrix.sql - path: /initdb/init-matrix.sql
contents: | contents: |
CREATE USER matrix WITH PASSWORD 'adlin2021'; CREATE USER matrix WITH PASSWORD 'adlin2022';
CREATE DATABASE matrix ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER matrix; CREATE DATABASE matrix ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER matrix;
GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix; GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
mode: "0444" mode: "0444"
- path: /initdb/init-website.sql - path: /initdb/init-website.sql
contents: | contents: |
CREATE USER website WITH PASSWORD 'adlin2021'; CREATE USER website WITH PASSWORD 'adlin2022';
CREATE DATABASE website ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER website; CREATE DATABASE website ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER website;
GRANT ALL PRIVILEGES ON DATABASE website TO website; GRANT ALL PRIVILEGES ON DATABASE website TO website;
mode: "0444" mode: "0444"
@ -313,31 +353,31 @@ files:
contents: | contents: |
#!/bin/sh #!/bin/sh
mkdir -p /var/lib/adlin/ mkdir -p /var/lib/adlin/
rm -rf /var/lib/adlin/wks1resolv.conf /var/lib/adlin/wks2resolv.conf rm -rf /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
touch /var/lib/adlin/wks1resolv.conf /var/lib/adlin/wks2resolv.conf touch /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
mode: "0755" mode: "0755"
- path: etc/init.d/011-tuto-net - path: etc/init.d/011-tuto-net
contents: | contents: |
#!/bin/sh #!/bin/sh
mkdir -p /var/lib/adlin/wireguard/ mkdir -p /var/lib/adlin/wireguard/
nsenter -n/run/netns/router /usr/bin/ask.sh nsenter -n/run/netns/router -- /usr/bin/ask.sh
# Network: workstations # Network: workstations
ip link add ethwks type veth peer name veth-wks ip link add ethwks type veth peer name veth-wks
ip link set ethwks up
ip link set ethwks netns router ip link set ethwks netns router
ip netns exec router ip a add 192.168.6.254/24 dev ethwks #ip link set ethwks up
grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && #ip netns exec router ip a add 192.168.6.254/24 dev ethwks
ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
# ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks
# Network: servers # Network: servers
ip link add ethsrv type veth peer name veth-srv ip link add ethsrv type veth peer name veth-srv
ip link set ethsrv netns router ip link set ethsrv netns router
ip netns exec router ip link set ethsrv up #ip netns exec router ip link set ethsrv up
ip netns exec router ip a add 172.23.42.1/24 dev ethsrv #ip netns exec router ip a add 172.23.42.1/24 dev ethsrv
grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv # ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv
ip netns add ns ip netns add ns
ip link add vethin-ns type veth peer name veth-ns ip link add vethin-ns type veth peer name veth-ns
@ -426,13 +466,27 @@ files:
ip l add brwks type bridge ip l add brwks type bridge
ip link add veth-wks1 type veth peer name ethwks1 ip link add veth-wks1 type veth peer name ethwks1
ip link add link ethwks1 name ethwks-dg1 type vlan id 10
ip link add veth-wks2 type veth peer name ethwks2 ip link add veth-wks2 type veth peer name ethwks2
ip link add link ethwks2 name ethwks-rh1 type vlan id 11
ip link add veth-wks3 type veth peer name ethwks3
ip link add link ethwks3 name ethwks-rh2 type vlan id 11
ip link add veth-wks4 type veth peer name ethwks4
ip link add link ethwks4 name ethwks-cm1 type vlan id 12
ip link set veth-wks master brwks ip link set veth-wks master brwks
ip link set veth-wks1 master brwks ip link set veth-wks1 master brwks
ip link set veth-wks2 master brwks ip link set veth-wks2 master brwks
ip link set veth-wks3 master brwks
ip link set veth-wks4 master brwks
ip link set veth-wks up ip link set veth-wks up
ip link set veth-wks1 up ip link set veth-wks1 up
ip link set veth-wks2 up ip link set veth-wks2 up
ip link set veth-wks3 up
ip link set veth-wks4 up
ip link set ethwks1 up
ip link set ethwks2 up
ip link set ethwks3 up
ip link set ethwks4 up
ip link set brwks up ip link set brwks up
ip l | grep eth2 > /dev/null && { ip l | grep eth2 > /dev/null && {
ip link set eth2 up ip link set eth2 up
@ -446,21 +500,98 @@ files:
ip netns exec router wget -O - --header "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm | sh ip netns exec router wget -O - --header "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm | sh
mode: "0755" mode: "0755"
- path: etc/init.d/014-default-router-config
contents: |
#!/bin/sh
[ -d /var/lib/adlin/wrt-config ] || {
mkdir -p /var/lib/adlin/wrt-config
cp /containers/services/mainrouter/lower/etc/config/* /var/lib/adlin/wrt-config/
# Configured by students
rm -f /var/lib/adlin/wrt-config/firewall
# Avoid listening on IPv6
sed -r -i '/list\s+listen_http\s+\[::\]:80/d;/list\s+listen_http\s+\[::\]:443/d' /var/lib/adlin/wrt-config/uhttpd
TUNPVKEY=$(sed 's/^.*PrivateKey = //p;d' adlin.conf /var/lib/adlin/wireguard/adlin.conf)
TUNIP=$(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
SRVIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#:1/96#")
WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96")
# Configure networking
cat > /etc/config/network <<EOF
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
EOF
[ -f /var/lib/adlin/wireguard/adlin.conf ] && cat >> /etc/config/network <<EOF
config interface 'wg0'
option proto 'wireguard'
option force_link '1'
list addresses '${TUNIP}'
option private_key '${TUNPVKEY}'
config wireguard_wg0
option public_key 'uSpqyYovvP4OG6wDxZ0Qkq45MfyK58PMUuPaLesY8FI='
option description 'maatma'
option persistent_keepalive '5'
list allowed_ips '::/0'
option endpoint_host '82.64.31.248'
option endpoint_port '42912'
config interface 'srv'
option ifname 'ethsrv'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '172.23.42.1'
list ip6addr '${SRVIP}'
config route6
option target '::/0'
option gateway '2a01:e0a:2b:2252::1'
option interface 'wg0'
config interface 'wks'
option ifname 'ethwks'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.6.254'
list ip6addr '${WKSIP}'
EOF
}
mode: "0755"
- path: etc/init.d/014-get-ssh-keys
contents: |
#!/bin/sh
# Retrieve ssh keys
[ -f /var/lib/adlin/authorized_keys ] || nsenter -n/run/netns/router -- /usr/bin/wget -O /var/lib/adlin/authorized_keys https://cri.epita.fr/$(sed 's/^.*MyLogin=//p;d' /var/lib/adlin/wireguard/adlin.conf).keys
mode: "0755"
# - path: etc/init.d/021-correction # - path: etc/init.d/021-correction
# contents: | # contents: |
# #!/bin/sh # #!/bin/sh
# PS=$(pgrep systemd | head -1) # PS=$(pgrep procd | head -1)
# nsenter -t "${PS}" -a sysctl -w net.ipv4.ip_forward=1 # nsenter -t "${PS}" -a -- sysctl -w net.ipv4.ip_forward=1
# nsenter -t "${PS}" -a sysctl -w net.ipv6.conf.all.forwarding=1 # nsenter -t "${PS}" -a -- sysctl -w net.ipv6.conf.all.forwarding=1
# nsenter -t "${PS}" -a sysctl -w net.ipv4.conf.ethsrv.route_localnet=1 # nsenter -t "${PS}" -a -- sysctl -w net.ipv4.conf.ethsrv.route_localnet=1
# nsenter -t "${PS}" -a iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# nsenter -t "${PS}" -a iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE # nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE
# nsenter -t "${PS}" -a iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9 # nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9
# nsenter -t "${PS}" -a iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9 # nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9
# nsenter -t "${PS}" -a iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6 # nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6
# nsenter -t "${PS}" -a iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6 # nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6
# nsenter -t "${PS}" -a ip link set ethwks up # nsenter -t "${PS}" -a -- ip link set ethwks up
# cat <<EOF | nsenter -t "${PS}" -a tee /etc/udhcpd.conf # cat <<EOF | nsenter -t "${PS}" -a -- tee /etc/udhcpd.conf
# start 192.168.6.50 # start 192.168.6.50
# end 192.168.6.200 # end 192.168.6.200
# interface ethwks # interface ethwks
@ -471,16 +602,30 @@ files:
# EOF # EOF
# mode: "0755" # mode: "0755"
- path: /etc/init.d/999-rw-passwd.sh - path: /etc/init.d/800-rw-passwd.sh
contents: | contents: |
#!/bin/sh #!/bin/sh
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow #sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow
cp /etc/services /containers/services/mainrouter/rootfs/etc/services #cp /etc/services /containers/services/mainrouter/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow mkdir /containers/services/mainrouter/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/mainrouter/rootfs/root/.ssh/authorized_keys
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow
cp /etc/services /containers/services/matrix/rootfs/etc/services cp /etc/services /containers/services/matrix/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow mkdir /containers/services/matrix/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/matrix/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep matrix | awk '{ print $2 }') -a ssh-keygen -A
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow
mkdir /containers/services/ns-auth/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/ns-auth/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep ns-auth | awk '{ print $2 }') -a ssh-keygen -A
sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' /containers/services/web/rootfs/etc/shadow
cp /etc/services /containers/services/web/rootfs/etc/services cp /etc/services /containers/services/web/rootfs/etc/services
sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/web/rootfs/etc/shadow mkdir /containers/services/web/rootfs/root/.ssh
[ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/web/rootfs/root/.ssh/authorized_keys
nsenter -t $(ctr -n services.linuxkit t ls | grep web | awk '{ print $2 }') -a ssh-keygen -A
exit 0 exit 0
mode: "0555" mode: "0555"
@ -488,7 +633,7 @@ files:
contents: | contents: |
#!/bin/sh #!/bin/sh
sleep 20 sleep 20
nsenter -t $(pgrep systemd | head -1) -a curl -s -u adeline:adlin2021 -d @- http://172.23.42.6:8080/v1/import < /root/feeds.opml 2> /dev/null > /dev/null nsenter -t $(pgrep procd | head -1) -a -- curl -s -u adeline:adlin2022 -d @- http://172.23.42.6:8080/v1/import < /root/feeds.opml 2> /dev/null > /dev/null
exit 0 exit 0
mode: "0555" mode: "0555"
@ -499,12 +644,13 @@ files:
- path: /etc/init.d/500-showip.sh - path: /etc/init.d/500-showip.sh
contents: | contents: |
#!/bin/sh #!/bin/sh
sleep 5
echo echo
cat /etc/issue.adlin cat /etc/issue.adlin
echo echo
nsenter -n/run/netns/router ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh nsenter -n/run/netns/router -- ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh
nsenter -n/run/netns/router ip -c a show dev eth0 nsenter -n/run/netns/router -- ip -c a show dev eth0
nsenter -n/run/netns/wks1 ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail." nsenter -n/run/netns/wks1 -- ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
exit 0 exit 0
mode: "0555" mode: "0555"
@ -527,7 +673,7 @@ files:
- path: /usr/sbin/sos-dhcp - path: /usr/sbin/sos-dhcp
contents: | contents: |
#!/bin/sh #!/bin/sh
nsenter -t $(pgrep dhcpcd) -a dhcpcd nsenter -t $(pgrep dhcpcd) -a -- dhcpcd
mode: "0755" mode: "0755"
- path: /usr/sbin/raz-my-dd - path: /usr/sbin/raz-my-dd
@ -562,10 +708,10 @@ files:
echo -n "Disque dur monté : "; df /var/lib/adlin/ | grep ^/dev/sd > /dev/null && ok || ko echo -n "Disque dur monté : "; df /var/lib/adlin/ | grep ^/dev/sd > /dev/null && ok || ko
echo echo
echo -n "Token Maatma renseigné : "; [ -s "/var/lib/adlin/wireguard/adlin.token" ] && ok -n || ko -n echo -n "Token Maatma renseigné : "; [ -s "/var/lib/adlin/wireguard/adlin.token" ] && ok -n || ko -n
echo -n " - Tunnel monté : "; nsenter -n/run/netns/router /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n echo -n " - Tunnel monté : "; nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Tunnel établit : "; [ "$(nsenter -n/run/netns/router /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko echo -n " - Tunnel établit : "; [ "$(nsenter -n/run/netns/router -- /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko
echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n
echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko
echo echo
echo -n "États serveurs : "; echo -n "États serveurs : ";
ctr -n services.linuxkit t ls | grep mainrouter | grep RUNNING > /dev/null && ok -n "Routeur" || ko -n "Routeur" ctr -n services.linuxkit t ls | grep mainrouter | grep RUNNING > /dev/null && ok -n "Routeur" || ko -n "Routeur"
@ -648,6 +794,23 @@ files:
forward-addr: 2606:4700:4700::1111 forward-addr: 2606:4700:4700::1111
mode: "0440" mode: "0440"
- path: etc/rinittab
contents: |
::sysinit:/etc/init.d/rcS S boot
::shutdown:/etc/init.d/rcS K shutdown
mode: "0644"
- path: etc/rshadow
contents: |
root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
mode: "0640"
- path: etc/wpasswd - path: etc/wpasswd
contents: | contents: |
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
@ -676,10 +839,9 @@ files:
systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
mode: "0644" mode: "0644"
- path: etc/wshadow - path: etc/wshadow
contents: | contents: |
root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7::: root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::
daemon:*:17575:0:99999:7::: daemon:*:17575:0:99999:7:::
bin:*:17575:0:99999:7::: bin:*:17575:0:99999:7:::
sys:*:17575:0:99999:7::: sys:*:17575:0:99999:7:::
@ -722,6 +884,85 @@ files:
nameserver 2620:fe::fe nameserver 2620:fe::fe
mode: "0644" mode: "0644"
- path: etc/rsysctl.conf
contents: |
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.core.bpf_jit_enable=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
mode: "0644"
- path: etc/rpreinit
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
mkdir -p /var/lock
mount -t tmpfs none /var/lock
unset PREINIT
exec /sbin/procd
mode: "0755"
- path: lib/preinit/20_check_iso
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
check_for_iso() {
echo > /dev/null || ramoverlay
}
boot_hook_add preinit_mount_root check_for_iso
mode: "0644"
- path: lib/preinit/30_failsafe_wait
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
mode: "0644"
- path: lib/preinit/99_10_failsafe_login
contents: |
#!/bin/sh
# Copyright (C) 2006-2015 OpenWrt.org
# Copyright (C) 2010 Vertical Communications
failsafe_netlogin () {
dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
}
failsafe_shell() {
echo > /dev/null || ramoverlay
}
boot_hook_add failsafe failsafe_netlogin
boot_hook_add failsafe failsafe_shell
mode: "0644"
trust: trust:
org: org:
- linuxkit - linuxkit
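Review bot: In etc/init.d/014-default-router-config the `WKSIP=` line is missing the closing delimiter of its sed substitution (it ends `\$#1::1/96"` where the sibling `SRVIP=` line ends `/96#"`), so sed fails with an unterminated `s` command, `WKSIP` stays empty and the wks interface is written with `list ip6addr ''`; the `TUNPVKEY=` line also passes a stray `adlin.conf` argument before the real path, which makes sed report a missing file on every first boot. The two lines should read `WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96#")` and `TUNPVKEY=$(sed 's/^.*PrivateKey = //p;d' /var/lib/adlin/wireguard/adlin.conf)`. The same script then writes `/etc/config/network` on the host, while every other file in the block goes to `/var/lib/adlin/wrt-config/`, the directory the mainrouter service binds onto its `/etc/config`; unless the host path is bound somewhere not shown, the generated network config (including the private key) never reaches the router, so presumably both `cat` targets should be `/var/lib/adlin/wrt-config/network`. In the neighbouring 014-get-ssh-keys script, `wget -O` leaves a truncated or error-page file behind when the download fails and the `[ -f ]` guard then never retries, yet that file becomes root's `authorized_keys` in three containers further down, so fetch to a temporary name and `mv` it into place only on success, and confirm this wget build verifies the server certificate. Separately, /etc/init.d/500-showip.sh still enters `/run/netns/wks1`, which this commit renames to `wks-dg1`, so its fallback message is now printed unconditionally.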