server image done

.gitignore

@@ -7,3 +7,4 @@ login-kernel
 server-cmdline
 server-initrd.img
 server-kernel
+fonts/

Makefile

@@ -1,4 +1,14 @@
 all: login-app/login-app
 
+fonts: fonts/Inconsolata-16b.psf fonts/Inconsolata-16r.psf fonts/Inconsolata-32b.psf fonts/Inconsolata-32r.psf
+fonts/Inconsolata-16b.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16b.psf
+fonts/Inconsolata-16r.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16r.psf
+fonts/Inconsolata-32b.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32b.psf
+fonts/Inconsolata-32r.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32r.psf
+
 login-app/login-app: login-app/*.go
 	GOOS=linux GOARCH=amd64 go build -tags netgo -ldflags '-w -extldflags "-static -lncurses"' -o $@ ./login-app

challenge/init

@@ -38,26 +38,28 @@ done
 /bin/rm -f /init /linuxrc
 
 # Randomize time at boot
-/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))01 > /dev/null
+/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9)).0$((1 + $RANDOM % 9))01 > /dev/null
 /sbin/sysctl -w net.ipv4.ip_default_ttl=4 > /dev/null
 
 # Launch some daemons
 /usr/bin/setsid /usr/sbin/crond > /dev/null &
 
+# Change font
+zcat /usr/share/consolefonts/Inconsolata-16r.psf.gz | loadfont
+
 # Prepare token 4
 mkdir -p /mnt
 
 for l in a b c d e f g h i j k l m n o p q r s t u v w x y z zz; do
     [ -b /dev/sd$l ] || break
 done
-echo /dev/sd$l
 
-/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null
-/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null
-/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null
-mount /dev/sd${l}1 /mnt > /dev/null
-N1=$((125 - $RANDOM % 50))
-N2=$((25 + $RANDOM % 50))
+/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null 2> /dev/null
+/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null 2> /dev/null
+/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null 2> /dev/null
+mount /dev/sd${l}1 /mnt > /dev/null 2> /dev/null
+N1=$((72 - $RANDOM % 35))
+N2=$((25 + $RANDOM % 35))
 {
     echo -n $N1
     echo -n $N2

server.yml

@@ -19,34 +19,41 @@ onboot:
     # Network: exposed
   - name: netvlan-iface-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
-    net: new
-    runtime:
-      interfaces:
-        - name: eth0.7
-          add: vlan
-          vlanid: 7
-  - name: ns-iface-setup
+    command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
+  - name: login-iface-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;" ]
+    command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ]
     net: new
     runtime:
       interfaces:
-        - name: vethin-validator
+        - name: vethin-login
           add: veth
-          peer: veth-validator
+          peer: veth-login
       bindNS:
-        net: /run/netns/ns
+        net: /run/netns/login
   - name: bridge-ext-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 192.168.0.46/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-validator master br-ext; ip link set br-ext up; ip link set veth-validator up; ip link set eth0 up" ]
+    command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 172.17.0.1;" ]
     runtime:
       interfaces:
         - name: br-ext
           add: bridge
+
+    # Network: DMZ
+  - name: validator-iface-setup
+    image: linuxkit/ip:v0.2
+    command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ]
+    net: new
+    runtime:
+      interfaces:
+        - name: vethin-vldtr
+          add: veth
+          peer: veth-validator
+      bindNS:
+        net: /run/netns/dmz-validator
   - name: ns-iface-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;" ]
+    command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
       interfaces:
@@ -54,10 +61,10 @@ onboot:
           add: veth
           peer: veth-ns
       bindNS:
-        net: /run/netns/ns
+        net: /run/netns/dmz-ns
   - name: time-iface-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;" ]
+    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
       interfaces:
@@ -65,21 +72,21 @@ onboot:
           add: veth
           peer: veth-time
       bindNS:
-        net: /run/netns/time
-  - name: mail-iface-setup
-    image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;" ]
-    net: new
-    runtime:
-      interfaces:
-        - name: vethin-mail
-          add: veth
-          peer: veth-mail
-      bindNS:
-        net: /run/netns/mail
+        net: /run/netns/dmz-time
+#  - name: mail-iface-setup
+#    image: linuxkit/ip:v0.2
+#    command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ]
+#    net: new
+#    runtime:
+#      interfaces:
+#        - name: vethin-mail
+#          add: veth
+#          peer: veth-mail
+#      bindNS:
+#        net: /run/netns/dmz-mail
   - name: bridge-int-setup
     image: linuxkit/ip:v0.2
-    command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
+    command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
     runtime:
       interfaces:
         - name: br-int
@@ -87,26 +94,62 @@ onboot:
 
   - name: fw
     image: linuxkit/ip:v0.2
-    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
+    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ]
+    binds:
+      - /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro
 
 services:
   - name: rngd
     image: linuxkit/rngd:v0.2
-  - name: sshd
-    image: linuxkit/sshd:v0.2
+#  - name: sshd
+#    image: linuxkit/sshd:v0.2
 
-#  - name: dhcpd
-#    image: nemunaire/tftpd
-#    binds:
-#     - /srv/tftp:/srv/tftp:ro
+  - name: dhcpd
+    image: joebiellik/dhcpd
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_NET_RAW
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+    binds:
+     - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
 
   - name: tftpd
-    image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9
+    image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9-dirty
+    capabilities:
+     - all
     binds:
      - /srv/tftp:/srv/tftp:ro
+     - /var/tftp/pxelinux.cfg:/srv/tftp/pxelinux.cfg
 
-  - name: nginx
-    image: nginx:alpine
+  - name: login-validator
+    image: nemunaire/adlin-login-validator:6d341b97fc44723ea121c1f9a145fc7d7e7b17ca
+#    command: ["/bin/login-validator", "-bind=:8081", "-ldaphost=auth.cri.epita.fr", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
+    command: ["/bin/login-validator", "-bind=:8081", "-noauth"]
+    net: /run/netns/login
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf:ro
+     - /srv/students.csv:/students.csv:ro
+     - /var/tftp/pxelinux.cfg:/var/tftp/pxelinux.cfg
+     - /etc/ssl/certs:/etc/ssl/certs:ro
+     - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
+  - name: nginx-login
+    image: nginx:stable-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    net: /run/netns/login
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf:ro
+     - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
+     - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
+
+  - name: nginx-gw
+    image: nginx:stable-alpine
     capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
@@ -115,27 +158,127 @@ services:
      - CAP_DAC_OVERRIDE
     binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
-     - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+     - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
+     - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
+     - /etc/ssl/certs:/etc/ssl/certs:ro
+     - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
 
-  - name: login-validator
-    image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty
-    command: ["/bin/login-validator", "-bind=:8081"]
+  - name: nginx-dmz
+    image: nginx:stable-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    net: /run/netns/dmz-validator
     binds:
-     - /srv/students.csv:/srv/students.csv:ro
+     - /etc/resolv.conf:/etc/resolv.conf:ro
+     - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
+     - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
+     - /etc/ssl/certs:/etc/ssl/certs:ro
+     - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
 
   - name: ns
-    image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0
-    net: /run/netns/ns
+    image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0-dirty
+    net: /run/netns/dmz-ns
+    capabilities:
+     - all
     binds:
      - /etc/unbound:/etc/unbound:ro
 
   - name: time
     image: linuxkit/openntpd:v0.2
-    net: /run/netns/time
+    net: /run/netns/dmz-time
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_SYS_TIME
+     - CAP_SYS_CHROOT
+     - CAP_SYS_NICE
+     - CAP_SETUID
+     - CAP_SETGID
     binds:
+     - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/ntpd.conf:/etc/ntpd.conf:ro
 
+#  - name: postfix
+#    image: TBD
+#    net: /run/netns/dmz-mail
+#    binds:
+#     - /etc/postfix/main.cf:/etc/postfix/main.cf:ro
+
 files:
+  - path: etc/init.d/011-copy-to-var
+    contents: |
+      #!/bin/sh
+      mkdir -p /var/tftp/
+      cp -r /srv/tftp/pxelinux.cfg /var/tftp/pxelinux.cfg
+    mode: "0755"
+
+  - path: etc/init.d/021-nameserver
+    contents: |
+      #!/bin/sh
+      echo nameserver 172.23.200.2 > /etc/resolv.conf
+    mode: "0755"
+
+#  - path: etc/init.d/011-adlin
+#    contents: |
+#      #!/bin/sh
+#      ip route add default via 172.17.0.1
+#      /sbin/sysctl -w net.ipv4.ip_forward=1
+#      echo nameserver 8.8.8.8 > /etc/resolv.conf
+#      mkdir /tmp/newroot
+#      mount -t tmpfs none /tmp/newroot
+#      mkdir /tmp/newroot/etc
+#      cp -r /etc/apk /tmp/newroot/etc
+#      apk add --no-cache --initdb -p /tmp/newroot iptables nftables
+#      LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
+#      LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
+#      LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
+#      LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
+#      LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
+#    mode: "0755"
+
+  - path: etc/sysctl.d/99-ipfwd.conf
+    contents: |
+      net.ipv4.ip_forward = 1
+      net.ipv6.conf.all.disable_ipv6 = 1
+    mode: "0644"
+  - path: etc/sysctl.d/00-linuxkit.conf
+    contents: |
+      # from Alpine defaults
+      net.ipv4.tcp_syncookies = 1
+      net.ipv4.conf.default.rp_filter = 1
+      net.ipv4.conf.all.rp_filter = 1
+      net.ipv4.ping_group_range=999 59999
+      # general limits
+      vm.max_map_count = 262144
+      vm.overcommit_memory = 1
+      net.core.somaxconn = 1024
+      net.ipv4.neigh.default.gc_thresh1 = 80000
+      net.ipv4.neigh.default.gc_thresh2 = 90000
+      net.ipv4.neigh.default.gc_thresh3 = 100000
+      fs.aio-max-nr = 1048576
+      fs.inotify.max_user_watches = 524288
+      fs.file-max = 524288
+      # for rngd
+      kernel.random.write_wakeup_threshold = 3072
+      # security restrictions
+      kernel.kptr_restrict = 2
+      net.ipv4.conf.all.send_redirects = 0
+      net.ipv4.conf.default.accept_redirects = 0
+      net.ipv4.conf.default.accept_source_route = 0
+      net.ipv6.conf.all.accept_redirects = 0
+      net.ipv6.conf.default.accept_redirects = 0
+      kernel.dmesg_restrict = 1
+      kernel.perf_event_paranoid = 3
+      fs.protected_hardlinks = 1
+      fs.protected_symlinks = 1
+      # Prevent ebpf privilege escalation
+      # see: https://lwn.net/Articles/742170
+      kernel.unprivileged_bpf_disabled=1
+    mode: "0644"
+
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_ed25519.pub
     mode: "0400"
@@ -144,31 +287,39 @@ files:
     source: students.csv
     mode: "0400"
 
-  - path: etc/iptables/rules.v6
+  - path: etc/iptables/rules.v4
     contents: |
-      *filter
-      :INPUT DROP [0:0]
-      :FORWARD DROP [0:0]
-      :OUTPUT DROP [0:0]
+      *nat
+      :PREROUTING ACCEPT [0:0]
+      :INPUT ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      :POSTROUTING ACCEPT [0:0]
+      [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE
       COMMIT
-    mode: "0440"
-  - path: etc/iptables/rules-admin.v4
-    contents: |
       *filter
       :INPUT DROP [0:0]
       :FORWARD ACCEPT [0:0]
-      :OUTPUT DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
       [0:0] -A INPUT -i lo -j ACCEPT
       [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
       [0:0] -A INPUT -p icmp -j ACCEPT
       [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       [0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
+      [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
       [0:0] -A INPUT -j LOG
+      [0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
+      [0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
+      [0:0] -A FORWARD -i br-int -j ACCEPT
+      [0:0] -A FORWARD -o br-int -j ACCEPT
+      [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
+      [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
+      [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
+      [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
+      [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
+      [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
       [0:0] -A FORWARD -j LOG
-      [0:0] -A OUTPUT -o lo -j ACCEPT
-      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-      [0:0] -A OUTPUT -j LOG
-      [0:0] -A OUTPUT -j REJECT
       COMMIT
     mode: "0440"
 
@@ -182,60 +333,258 @@ files:
               access-control: 172.23.0.0/16 allow
               log-queries: yes
               log-replies: yes
+              use-syslog: no
               hide-identity: yes
               hide-version: yes
               qname-minimisation: yes
               domain-insecure: "."
               val-permissive-mode: yes
-              root-hints: /etc/unbound/root.hints
               trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
+              local-zone: "adlin.nemunai.re" typetransparent
+              local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
+              local-data: "auth.adlin.nemunai.re A 172.23.255.2"
       remote-control:
              control-enable: no
       forward-zone:
              name: "."
-             forward-addr: 192.168.0.1
+             forward-addr: 8.8.8.8
     mode: "0440"
 
-  - path: etc/nginx/nginx.conf
+  - path: etc/postfix/main.cf
+    contents: |
+      myorigin = adlin.nemunai.re
+      mydestination =
+      local_recipient_maps =
+      local_transport = error:local mail delivery is disabled
+      mynetworks = 127.0.0.0/8
+      relay_domains = nemunai.re
+      parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
+    mode: "0440"
+
+  - path: etc/nginx/ssl/fullchain.pem
+    source: ssl/fullchain.pem
+    mode: "0644"
+  - path: etc/nginx/ssl/privkey.pem
+    source: ssl/privkey.pem
+    mode: "0644"
+  - path: etc/nginx/nginx-gw.conf
     contents: |
       user nginx;
       worker_processes 2;
-      error_log /var/log/nginxærror.log warn;
+      error_log /var/log/nginx/error.log warn;
       pid /var/run/nginx.pid;
       events {
           worker_connections  1024;
       }
       http {
-          include ætc/nginx/mime.types;
-          default_type applicationøctet-stream;
-          log_format  main  '$remoteªddr - $remote_user [$time_local] "$request"'
+          include /etc/nginx/mime.types;
+          default_type application/octet-stream;
+          log_format  main  '$remote_addr - $remote_user [$time_local] "$request"'
               '$status $body_bytes_sent "$http_referer"'
-              '"$http_userªgent""$http_x_forwarded_for"';
-          access_log /var/log/nginxåccess.log  main;
+              '"$http_user_agent""$http_x_forwarded_for"';
+          access_log /var/log/nginx/access.log  main;
           sendfile  on;
+          server_tokens off;
           #tcp_nopush     on;
           keepalive_timeout 65;
           #gzip  on;
+          resolver 9.9.9.9;
           server {
               listen 80 default;
               listen [::]:80 default;
               location = /{
                   return 403;
               }
+              location /iamalive {
+                  proxy_pass        https://82.64.31.248/challenge;
+                  proxy_set_header  Host             adlin.nemunai.re;
+                  proxy_set_header  X-Forwarded-For  $remote_addr;
+                  proxy_set_header  X-Forwarded-By   172.23.0.1;
+                  proxy_redirect    off;
+              }
           }
       }
     mode: "0440"
 
+  - path: etc/nginx/nginx-login.conf
+    contents: |
+      user nginx;
+      worker_processes 2;
+      error_log /var/log/nginx/error.log warn;
+      pid /var/run/nginx.pid;
+      events {
+          worker_connections  1024;
+      }
+      http {
+          include /etc/nginx/mime.types;
+          default_type application/octet-stream;
+          log_format  main  '$remote_addr - $remote_user [$time_local] "$request"'
+              '$status $body_bytes_sent "$http_referer"'
+              '"$http_user_agent""$http_x_forwarded_for"';
+          access_log /var/log/nginx/access.log  main;
+          sendfile  on;
+          server_tokens off;
+          #tcp_nopush     on;
+          keepalive_timeout 65;
+          #gzip  on;
+          server {
+              listen 443 default ssl;
+              listen [::]:443 default ssl;
+              ssl_protocols TLSv1.2;
+              ssl_prefer_server_ciphers on;
+              ssl_certificate /etc/nginx/ssl/fullchain.pem;
+              ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+              location = /{
+                  return https://adlin.nemunai.re/;
+              }
+              location /login {
+                  proxy_pass        http://localhost:8081/login;
+                  proxy_set_header  X-Forwarded-For  $remote_addr;
+                  proxy_redirect    off;
+              }
+          }
+      }
+    mode: "0440"
+
+  - path: etc/nginx/nginx-dmz.conf
+    contents: |
+      user nginx;
+      worker_processes 2;
+      error_log /var/log/nginx/error.log warn;
+      pid /var/run/nginx.pid;
+      events {
+          worker_connections  1024;
+      }
+      http {
+          include /etc/nginx/mime.types;
+          default_type applicationøctet-stream;
+          log_format  main  '$remote_addr - $remote_user [$time_local] "$request"'
+              '$status $body_bytes_sent "$http_referer"'
+              '"$http_user_agent""$http_x_forwarded_for"';
+          access_log /var/log/nginx/access.log  main;
+          sendfile  on;
+          server_tokens off;
+          #tcp_nopush     on;
+          keepalive_timeout 65;
+          #gzip  on;
+          resolver 9.9.9.9;
+          server {
+              listen 80 default;
+              listen [::]:80 default;
+              location = /{
+                  return https://adlin.nemunai.re/;
+              }
+              location /challenge {
+                  proxy_pass        https://82.64.31.248/challenge;
+                  proxy_set_header  Host             adlin.nemunai.re;
+                  proxy_set_header  X-Forwarded-For  $remote_addr;
+                  proxy_set_header  X-Forwarded-By   172.23.200.1;
+                  proxy_set_header  X-Forwarded-Proto http;
+                  proxy_redirect    off;
+              }
+              location /sshkeys {
+                  return https://adlin.nemunai.re/sshkeys;
+              }
+          }
+          server {
+              listen 443 default ssl;
+              listen [::]:443 default ssl;
+              ssl_protocols TLSv1.2;
+              ssl_prefer_server_ciphers on;
+              ssl_certificate /etc/nginx/ssl/fullchain.pem;
+              ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+              location = /{
+                  return https://adlin.nemunai.re/;
+              }
+              location /challenge {
+                  proxy_pass        https://82.64.31.248/challenge;
+                  proxy_set_header  Host             adlin.nemunai.re;
+                  proxy_set_header  X-Forwarded-For  $remote_addr;
+                  proxy_set_header  X-Forwarded-By   172.23.200.1;
+                  proxy_set_header  X-Forwarded-Proto https;
+                  proxy_redirect    off;
+              }
+              location /sshkeys {
+                  proxy_pass        https://82.64.31.248/sshkeys;
+                  proxy_set_header  Host             adlin.nemunai.re;
+                  proxy_set_header  X-Forwarded-For  $remote_addr;
+                  proxy_set_header  X-Forwarded-By   172.23.200.1;
+                  proxy_set_header  X-Forwarded-Proto https;
+                  proxy_redirect    off;
+              }
+          }
+      }
+    mode: "0440"
+
+  - path: etc/dhcp/dhcpd.conf
+    contents: |
+      authoritative;
+      default-lease-time 7200;
+      max-lease-time 7200;
+      subnet 172.23.255.0 netmask 255.255.255.0 {
+          range 172.23.255.10 172.23.255.254;
+          option routers 172.23.255.1;
+          option subnet-mask 255.255.255.0;
+          option broadcast-address 172.23.255.255;
+          next-server 172.23.255.1;
+          filename "pxelinux.0";
+      }
+    mode: "0440"
+
   - path: etc/ntpd.conf
     contents: |
       listen on *
-      servers pool.ntp.org
+      server 95.81.173.8
+      server 95.81.173.74
+      server 95.81.173.155
+      server 51.15.180.229
     mode: "0440"
 
   - path: srv/tftp
     directory: true
     mode: "0755"
 
+  - path: srv/tftp/ldlinux.c32
+    source: /usr/share/syslinux/ldlinux.c32
+    mode: "0644"
+  - path: srv/tftp/libcom32.c32
+    source: /usr/share/syslinux/libcom32.c32
+    mode: "0644"
+  - path: srv/tftp/libutil.c32
+    source: /usr/share/syslinux/libutil.c32
+    mode: "0644"
+  - path: srv/tftp/menu.c32
+    source: /usr/share/syslinux/menu.c32
+    mode: "0644"
+  - path: srv/tftp/poweroff.c32
+    source: /usr/share/syslinux/poweroff.c32
+    mode: "0644"
+  - path: srv/tftp/pxelinux.0
+    source: /usr/share/syslinux/pxelinux.0
+    mode: "0644"
+  - path: srv/tftp/pxelinux.cfg
+    directory: true
+    mode: "0755"
+  - path: srv/tftp/pxelinux.cfg/default
+    source: tftp/pxelinux.cfg/default
+    mode: "0644"
+  - path: srv/tftp/pxelinux.cfg/tpl
+    source: tftp/pxelinux.cfg/tpl
+    mode: "0644"
+  - path: srv/tftp/vesamenu.c32
+    source: /usr/share/syslinux/vesamenu.c32
+    mode: "0644"
+
+  - path: srv/tftp/bzImage
+    source: tftp/bzImage
+    mode: "0644"
+  - path: srv/tftp/initramfs-login.img
+    source: tftp/initramfs-login.img
+    mode: "0644"
+  - path: srv/tftp/initramfs-challenge.img
+    source: challenge-initrd.img
+    mode: "0644"
+
 trust:
   org:
     - linuxkit