server image done
This commit is contained in:
parent
7ba307e9b3
commit
eb5b8cdbce
|
@ -7,3 +7,4 @@ login-kernel
|
|||
server-cmdline
|
||||
server-initrd.img
|
||||
server-kernel
|
||||
fonts/
|
||||
|
|
10
Makefile
10
Makefile
|
@ -1,4 +1,14 @@
|
|||
all: login-app/login-app
|
||||
|
||||
fonts: fonts/Inconsolata-16b.psf fonts/Inconsolata-16r.psf fonts/Inconsolata-32b.psf fonts/Inconsolata-32r.psf
|
||||
fonts/Inconsolata-16b.psf:
|
||||
wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16b.psf
|
||||
fonts/Inconsolata-16r.psf:
|
||||
wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16r.psf
|
||||
fonts/Inconsolata-32b.psf:
|
||||
wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32b.psf
|
||||
fonts/Inconsolata-32r.psf:
|
||||
wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32r.psf
|
||||
|
||||
login-app/login-app: login-app/*.go
|
||||
GOOS=linux GOARCH=amd64 go build -tags netgo -ldflags '-w -extldflags "-static -lncurses"' -o $@ ./login-app
|
||||
|
|
|
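Review bot: The four `fonts/Inconsolata-*.psf` rules never produce their target: `wget URL` saves the download under its basename in the current directory, so `fonts/Inconsolata-16b.psf` and the others stay missing and are re-fetched on every `make fonts`. Write to `$@` explicitly, and since the four rules differ only in the stem, one pattern rule with `@mkdir -p $(@D)` and an atomic `$@.tmp`/`mv` covers them all (the hunk shows no tabs, so recipe indentation cannot be checked here). The fonts are pulled from `raw/master` at build time and baked into the image, so the artifact is unpinned; pinning the URL to a commit and checking a known digest (`sha256sum -c` against a recorded `<expected-sha256>`) before accepting the file would make the build reproducible. `fonts` and `all` are command-style targets and should be listed in `.PHONY`.
```make
FONT_URL := https://github.com/xeechou/Inconsolata-psf/raw/master
# … unchanged: all / fonts aggregate / login-app rules …
fonts/Inconsolata-%.psf:
	@mkdir -p $(@D)
	wget -O $@.tmp $(FONT_URL)/Inconsolata-$*.psf && mv -f $@.tmp $@
```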
@ -38,26 +38,28 @@ done
|
|||
/bin/rm -f /init /linuxrc
|
||||
|
||||
# Randomize time at boot
|
||||
/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))01 > /dev/null
|
||||
/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9)).0$((1 + $RANDOM % 9))01 > /dev/null
|
||||
/sbin/sysctl -w net.ipv4.ip_default_ttl=4 > /dev/null
|
||||
|
||||
# Launch some daemons
|
||||
/usr/bin/setsid /usr/sbin/crond > /dev/null &
|
||||
|
||||
# Change font
|
||||
zcat /usr/share/consolefonts/Inconsolata-16r.psf.gz | loadfont
|
||||
|
||||
# Prepare token 4
|
||||
mkdir -p /mnt
|
||||
|
||||
for l in a b c d e f g h i j k l m n o p q r s t u v w x y z zz; do
|
||||
[ -b /dev/sd$l ] || break
|
||||
done
|
||||
echo /dev/sd$l
|
||||
|
||||
/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null
|
||||
/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null
|
||||
/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null
|
||||
mount /dev/sd${l}1 /mnt > /dev/null
|
||||
N1=$((125 - $RANDOM % 50))
|
||||
N2=$((25 + $RANDOM % 50))
|
||||
/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null 2> /dev/null
|
||||
/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null 2> /dev/null
|
||||
/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null 2> /dev/null
|
||||
mount /dev/sd${l}1 /mnt > /dev/null 2> /dev/null
|
||||
N1=$((72 - $RANDOM % 35))
|
||||
N2=$((25 + $RANDOM % 35))
|
||||
{
|
||||
echo -n $N1
|
||||
echo -n $N2
|
||||
|
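Review bot: The new `2> /dev/null` on the `dd`, `mkfs.ext4` and `mount` lines hides every failure, and no exit status is checked, so when the mount fails the token block that starts with `{ echo -n $N1` is written into `/mnt` on the root filesystem with no diagnostic (this file's header is not visible on the page, and the block continues past the hunk). Guard the write on the mount instead, e.g. `if mount /dev/sd${l}1 /mnt > /dev/null 2>&1; then` around the token block, or at least `|| echo "mount /dev/sd${l}1 failed" >&2`. The changed `date -s` argument now has the dot after ten digits (`YYYYMMDDhh.mm01`); busybox documents `YYYYMMDDhhmm[.ss]`, so confirm the randomised clock is actually applied — that line's stderr is not silenced, so a parse error would show on the console.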
|
489
server.yml
489
server.yml
|
@ -19,34 +19,41 @@ onboot:
|
|||
# Network: exposed
|
||||
- name: netvlan-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: eth0.7
|
||||
add: vlan
|
||||
vlanid: 7
|
||||
- name: ns-iface-setup
|
||||
command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
|
||||
- name: login-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;" ]
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: vethin-validator
|
||||
- name: vethin-login
|
||||
add: veth
|
||||
peer: veth-validator
|
||||
peer: veth-login
|
||||
bindNS:
|
||||
net: /run/netns/ns
|
||||
net: /run/netns/login
|
||||
- name: bridge-ext-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 192.168.0.46/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-validator master br-ext; ip link set br-ext up; ip link set veth-validator up; ip link set eth0 up" ]
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 172.17.0.1;" ]
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: br-ext
|
||||
add: bridge
|
||||
|
||||
# Network: DMZ
|
||||
- name: validator-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: vethin-vldtr
|
||||
add: veth
|
||||
peer: veth-validator
|
||||
bindNS:
|
||||
net: /run/netns/dmz-validator
|
||||
- name: ns-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;" ]
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
|
@ -54,10 +61,10 @@ onboot:
|
|||
add: veth
|
||||
peer: veth-ns
|
||||
bindNS:
|
||||
net: /run/netns/ns
|
||||
net: /run/netns/dmz-ns
|
||||
- name: time-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;" ]
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
|
@ -65,21 +72,21 @@ onboot:
|
|||
add: veth
|
||||
peer: veth-time
|
||||
bindNS:
|
||||
net: /run/netns/time
|
||||
- name: mail-iface-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: vethin-mail
|
||||
add: veth
|
||||
peer: veth-mail
|
||||
bindNS:
|
||||
net: /run/netns/mail
|
||||
net: /run/netns/dmz-time
|
||||
# - name: mail-iface-setup
|
||||
# image: linuxkit/ip:v0.2
|
||||
# command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ]
|
||||
# net: new
|
||||
# runtime:
|
||||
# interfaces:
|
||||
# - name: vethin-mail
|
||||
# add: veth
|
||||
# peer: veth-mail
|
||||
# bindNS:
|
||||
# net: /run/netns/dmz-mail
|
||||
- name: bridge-int-setup
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
|
||||
command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: br-int
|
||||
|
@ -87,26 +94,62 @@ onboot:
|
|||
|
||||
- name: fw
|
||||
image: linuxkit/ip:v0.2
|
||||
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
|
||||
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ]
|
||||
binds:
|
||||
- /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro
|
||||
|
||||
services:
|
||||
- name: rngd
|
||||
image: linuxkit/rngd:v0.2
|
||||
- name: sshd
|
||||
image: linuxkit/sshd:v0.2
|
||||
# - name: sshd
|
||||
# image: linuxkit/sshd:v0.2
|
||||
|
||||
# - name: dhcpd
|
||||
# image: nemunaire/tftpd
|
||||
# binds:
|
||||
# - /srv/tftp:/srv/tftp:ro
|
||||
- name: dhcpd
|
||||
image: joebiellik/dhcpd
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
- CAP_NET_RAW
|
||||
- CAP_CHOWN
|
||||
- CAP_SETUID
|
||||
- CAP_SETGID
|
||||
binds:
|
||||
- /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
|
||||
|
||||
- name: tftpd
|
||||
image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9
|
||||
image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9-dirty
|
||||
capabilities:
|
||||
- all
|
||||
binds:
|
||||
- /srv/tftp:/srv/tftp:ro
|
||||
- /var/tftp/pxelinux.cfg:/srv/tftp/pxelinux.cfg
|
||||
|
||||
- name: nginx
|
||||
image: nginx:alpine
|
||||
- name: login-validator
|
||||
image: nemunaire/adlin-login-validator:6d341b97fc44723ea121c1f9a145fc7d7e7b17ca
|
||||
# command: ["/bin/login-validator", "-bind=:8081", "-ldaphost=auth.cri.epita.fr", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
|
||||
command: ["/bin/login-validator", "-bind=:8081", "-noauth"]
|
||||
net: /run/netns/login
|
||||
binds:
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
- /srv/students.csv:/students.csv:ro
|
||||
- /var/tftp/pxelinux.cfg:/var/tftp/pxelinux.cfg
|
||||
- /etc/ssl/certs:/etc/ssl/certs:ro
|
||||
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
||||
- name: nginx-login
|
||||
image: nginx:stable-alpine
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
- CAP_CHOWN
|
||||
- CAP_SETUID
|
||||
- CAP_SETGID
|
||||
- CAP_DAC_OVERRIDE
|
||||
net: /run/netns/login
|
||||
binds:
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
- /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
|
||||
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
||||
|
||||
- name: nginx-gw
|
||||
image: nginx:stable-alpine
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
- CAP_CHOWN
|
||||
|
@ -115,27 +158,127 @@ services:
|
|||
- CAP_DAC_OVERRIDE
|
||||
binds:
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
- /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
- /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
|
||||
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
||||
- /etc/ssl/certs:/etc/ssl/certs:ro
|
||||
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
||||
|
||||
- name: login-validator
|
||||
image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty
|
||||
command: ["/bin/login-validator", "-bind=:8081"]
|
||||
- name: nginx-dmz
|
||||
image: nginx:stable-alpine
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
- CAP_CHOWN
|
||||
- CAP_SETUID
|
||||
- CAP_SETGID
|
||||
- CAP_DAC_OVERRIDE
|
||||
net: /run/netns/dmz-validator
|
||||
binds:
|
||||
- /srv/students.csv:/srv/students.csv:ro
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
- /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
|
||||
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
||||
- /etc/ssl/certs:/etc/ssl/certs:ro
|
||||
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
||||
|
||||
- name: ns
|
||||
image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0
|
||||
net: /run/netns/ns
|
||||
image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0-dirty
|
||||
net: /run/netns/dmz-ns
|
||||
capabilities:
|
||||
- all
|
||||
binds:
|
||||
- /etc/unbound:/etc/unbound:ro
|
||||
|
||||
- name: time
|
||||
image: linuxkit/openntpd:v0.2
|
||||
net: /run/netns/time
|
||||
net: /run/netns/dmz-time
|
||||
capabilities:
|
||||
- CAP_NET_BIND_SERVICE
|
||||
- CAP_SYS_TIME
|
||||
- CAP_SYS_CHROOT
|
||||
- CAP_SYS_NICE
|
||||
- CAP_SETUID
|
||||
- CAP_SETGID
|
||||
binds:
|
||||
- /etc/resolv.conf:/etc/resolv.conf:ro
|
||||
- /etc/ntpd.conf:/etc/ntpd.conf:ro
|
||||
|
||||
# - name: postfix
|
||||
# image: TBD
|
||||
# net: /run/netns/dmz-mail
|
||||
# binds:
|
||||
# - /etc/postfix/main.cf:/etc/postfix/main.cf:ro
|
||||
|
||||
files:
|
||||
- path: etc/init.d/011-copy-to-var
|
||||
contents: |
|
||||
#!/bin/sh
|
||||
mkdir -p /var/tftp/
|
||||
cp -r /srv/tftp/pxelinux.cfg /var/tftp/pxelinux.cfg
|
||||
mode: "0755"
|
||||
|
||||
- path: etc/init.d/021-nameserver
|
||||
contents: |
|
||||
#!/bin/sh
|
||||
echo nameserver 172.23.200.2 > /etc/resolv.conf
|
||||
mode: "0755"
|
||||
|
||||
# - path: etc/init.d/011-adlin
|
||||
# contents: |
|
||||
# #!/bin/sh
|
||||
# ip route add default via 172.17.0.1
|
||||
# /sbin/sysctl -w net.ipv4.ip_forward=1
|
||||
# echo nameserver 8.8.8.8 > /etc/resolv.conf
|
||||
# mkdir /tmp/newroot
|
||||
# mount -t tmpfs none /tmp/newroot
|
||||
# mkdir /tmp/newroot/etc
|
||||
# cp -r /etc/apk /tmp/newroot/etc
|
||||
# apk add --no-cache --initdb -p /tmp/newroot iptables nftables
|
||||
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
|
||||
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
|
||||
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
|
||||
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
|
||||
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
|
||||
# mode: "0755"
|
||||
|
||||
- path: etc/sysctl.d/99-ipfwd.conf
|
||||
contents: |
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.disable_ipv6 = 1
|
||||
mode: "0644"
|
||||
- path: etc/sysctl.d/00-linuxkit.conf
|
||||
contents: |
|
||||
# from Alpine defaults
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.ping_group_range=999 59999
|
||||
# general limits
|
||||
vm.max_map_count = 262144
|
||||
vm.overcommit_memory = 1
|
||||
net.core.somaxconn = 1024
|
||||
net.ipv4.neigh.default.gc_thresh1 = 80000
|
||||
net.ipv4.neigh.default.gc_thresh2 = 90000
|
||||
net.ipv4.neigh.default.gc_thresh3 = 100000
|
||||
fs.aio-max-nr = 1048576
|
||||
fs.inotify.max_user_watches = 524288
|
||||
fs.file-max = 524288
|
||||
# for rngd
|
||||
kernel.random.write_wakeup_threshold = 3072
|
||||
# security restrictions
|
||||
kernel.kptr_restrict = 2
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv6.conf.default.accept_redirects = 0
|
||||
kernel.dmesg_restrict = 1
|
||||
kernel.perf_event_paranoid = 3
|
||||
fs.protected_hardlinks = 1
|
||||
fs.protected_symlinks = 1
|
||||
# Prevent ebpf privilege escalation
|
||||
# see: https://lwn.net/Articles/742170
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
mode: "0644"
|
||||
|
||||
- path: root/.ssh/authorized_keys
|
||||
source: ~/.ssh/id_ed25519.pub
|
||||
mode: "0400"
|
||||
|
@ -144,31 +287,39 @@ files:
|
|||
source: students.csv
|
||||
mode: "0400"
|
||||
|
||||
- path: etc/iptables/rules.v6
|
||||
- path: etc/iptables/rules.v4
|
||||
contents: |
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT DROP [0:0]
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
[0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE
|
||||
COMMIT
|
||||
mode: "0440"
|
||||
- path: etc/iptables/rules-admin.v4
|
||||
contents: |
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
[0:0] -A INPUT -i lo -j ACCEPT
|
||||
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
[0:0] -A INPUT -p icmp -j ACCEPT
|
||||
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
[0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
|
||||
[0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
|
||||
[0:0] -A INPUT -j LOG
|
||||
[0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
|
||||
[0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-int -j ACCEPT
|
||||
[0:0] -A FORWARD -o br-int -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
|
||||
[0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
|
||||
[0:0] -A FORWARD -j LOG
|
||||
[0:0] -A OUTPUT -o lo -j ACCEPT
|
||||
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
[0:0] -A OUTPUT -j LOG
|
||||
[0:0] -A OUTPUT -j REJECT
|
||||
COMMIT
|
||||
mode: "0440"
|
||||
|
||||
|
@ -182,60 +333,258 @@ files:
|
|||
access-control: 172.23.0.0/16 allow
|
||||
log-queries: yes
|
||||
log-replies: yes
|
||||
use-syslog: no
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
qname-minimisation: yes
|
||||
domain-insecure: "."
|
||||
val-permissive-mode: yes
|
||||
root-hints: /etc/unbound/root.hints
|
||||
trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
|
||||
local-zone: "adlin.nemunai.re" typetransparent
|
||||
local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
|
||||
local-data: "auth.adlin.nemunai.re A 172.23.255.2"
|
||||
remote-control:
|
||||
control-enable: no
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-addr: 192.168.0.1
|
||||
forward-addr: 8.8.8.8
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/nginx/nginx.conf
|
||||
- path: etc/postfix/main.cf
|
||||
contents: |
|
||||
myorigin = adlin.nemunai.re
|
||||
mydestination =
|
||||
local_recipient_maps =
|
||||
local_transport = error:local mail delivery is disabled
|
||||
mynetworks = 127.0.0.0/8
|
||||
relay_domains = nemunai.re
|
||||
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/nginx/ssl/fullchain.pem
|
||||
source: ssl/fullchain.pem
|
||||
mode: "0644"
|
||||
- path: etc/nginx/ssl/privkey.pem
|
||||
source: ssl/privkey.pem
|
||||
mode: "0644"
|
||||
- path: etc/nginx/nginx-gw.conf
|
||||
contents: |
|
||||
user nginx;
|
||||
worker_processes 2;
|
||||
error_log /var/log/nginxærror.log warn;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
http {
|
||||
include ætc/nginx/mime.types;
|
||||
default_type applicationøctet-stream;
|
||||
log_format main '$remoteªddr - $remote_user [$time_local] "$request"'
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
||||
'$status $body_bytes_sent "$http_referer"'
|
||||
'"$http_userªgent""$http_x_forwarded_for"';
|
||||
access_log /var/log/nginxåccess.log main;
|
||||
'"$http_user_agent""$http_x_forwarded_for"';
|
||||
access_log /var/log/nginx/access.log main;
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
#tcp_nopush on;
|
||||
keepalive_timeout 65;
|
||||
#gzip on;
|
||||
resolver 9.9.9.9;
|
||||
server {
|
||||
listen 80 default;
|
||||
listen [::]:80 default;
|
||||
location = /{
|
||||
return 403;
|
||||
}
|
||||
location /iamalive {
|
||||
proxy_pass https://82.64.31.248/challenge;
|
||||
proxy_set_header Host adlin.nemunai.re;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-By 172.23.0.1;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
}
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/nginx/nginx-login.conf
|
||||
contents: |
|
||||
user nginx;
|
||||
worker_processes 2;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
||||
'$status $body_bytes_sent "$http_referer"'
|
||||
'"$http_user_agent""$http_x_forwarded_for"';
|
||||
access_log /var/log/nginx/access.log main;
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
#tcp_nopush on;
|
||||
keepalive_timeout 65;
|
||||
#gzip on;
|
||||
server {
|
||||
listen 443 default ssl;
|
||||
listen [::]:443 default ssl;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
||||
location = /{
|
||||
return https://adlin.nemunai.re/;
|
||||
}
|
||||
location /login {
|
||||
proxy_pass http://localhost:8081/login;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
}
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/nginx/nginx-dmz.conf
|
||||
contents: |
|
||||
user nginx;
|
||||
worker_processes 2;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type applicationøctet-stream;
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
||||
'$status $body_bytes_sent "$http_referer"'
|
||||
'"$http_user_agent""$http_x_forwarded_for"';
|
||||
access_log /var/log/nginx/access.log main;
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
#tcp_nopush on;
|
||||
keepalive_timeout 65;
|
||||
#gzip on;
|
||||
resolver 9.9.9.9;
|
||||
server {
|
||||
listen 80 default;
|
||||
listen [::]:80 default;
|
||||
location = /{
|
||||
return https://adlin.nemunai.re/;
|
||||
}
|
||||
location /challenge {
|
||||
proxy_pass https://82.64.31.248/challenge;
|
||||
proxy_set_header Host adlin.nemunai.re;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-By 172.23.200.1;
|
||||
proxy_set_header X-Forwarded-Proto http;
|
||||
proxy_redirect off;
|
||||
}
|
||||
location /sshkeys {
|
||||
return https://adlin.nemunai.re/sshkeys;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 443 default ssl;
|
||||
listen [::]:443 default ssl;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
||||
location = /{
|
||||
return https://adlin.nemunai.re/;
|
||||
}
|
||||
location /challenge {
|
||||
proxy_pass https://82.64.31.248/challenge;
|
||||
proxy_set_header Host adlin.nemunai.re;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-By 172.23.200.1;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_redirect off;
|
||||
}
|
||||
location /sshkeys {
|
||||
proxy_pass https://82.64.31.248/sshkeys;
|
||||
proxy_set_header Host adlin.nemunai.re;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-By 172.23.200.1;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
}
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/dhcp/dhcpd.conf
|
||||
contents: |
|
||||
authoritative;
|
||||
default-lease-time 7200;
|
||||
max-lease-time 7200;
|
||||
subnet 172.23.255.0 netmask 255.255.255.0 {
|
||||
range 172.23.255.10 172.23.255.254;
|
||||
option routers 172.23.255.1;
|
||||
option subnet-mask 255.255.255.0;
|
||||
option broadcast-address 172.23.255.255;
|
||||
next-server 172.23.255.1;
|
||||
filename "pxelinux.0";
|
||||
}
|
||||
mode: "0440"
|
||||
|
||||
- path: etc/ntpd.conf
|
||||
contents: |
|
||||
listen on *
|
||||
servers pool.ntp.org
|
||||
server 95.81.173.8
|
||||
server 95.81.173.74
|
||||
server 95.81.173.155
|
||||
server 51.15.180.229
|
||||
mode: "0440"
|
||||
|
||||
- path: srv/tftp
|
||||
directory: true
|
||||
mode: "0755"
|
||||
|
||||
- path: srv/tftp/ldlinux.c32
|
||||
source: /usr/share/syslinux/ldlinux.c32
|
||||
mode: "0644"
|
||||
- path: srv/tftp/libcom32.c32
|
||||
source: /usr/share/syslinux/libcom32.c32
|
||||
mode: "0644"
|
||||
- path: srv/tftp/libutil.c32
|
||||
source: /usr/share/syslinux/libutil.c32
|
||||
mode: "0644"
|
||||
- path: srv/tftp/menu.c32
|
||||
source: /usr/share/syslinux/menu.c32
|
||||
mode: "0644"
|
||||
- path: srv/tftp/poweroff.c32
|
||||
source: /usr/share/syslinux/poweroff.c32
|
||||
mode: "0644"
|
||||
- path: srv/tftp/pxelinux.0
|
||||
source: /usr/share/syslinux/pxelinux.0
|
||||
mode: "0644"
|
||||
- path: srv/tftp/pxelinux.cfg
|
||||
directory: true
|
||||
mode: "0755"
|
||||
- path: srv/tftp/pxelinux.cfg/default
|
||||
source: tftp/pxelinux.cfg/default
|
||||
mode: "0644"
|
||||
- path: srv/tftp/pxelinux.cfg/tpl
|
||||
source: tftp/pxelinux.cfg/tpl
|
||||
mode: "0644"
|
||||
- path: srv/tftp/vesamenu.c32
|
||||
source: /usr/share/syslinux/vesamenu.c32
|
||||
mode: "0644"
|
||||
|
||||
- path: srv/tftp/bzImage
|
||||
source: tftp/bzImage
|
||||
mode: "0644"
|
||||
- path: srv/tftp/initramfs-login.img
|
||||
source: tftp/initramfs-login.img
|
||||
mode: "0644"
|
||||
- path: srv/tftp/initramfs-challenge.img
|
||||
source: challenge-initrd.img
|
||||
mode: "0644"
|
||||
|
||||
trust:
|
||||
org:
|
||||
- linuxkit
|
||||
|
|
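Review bot: `etc/nginx/ssl/privkey.pem` is installed with `mode: "0644"` in the large files hunk, so the TLS private key is world-readable in the image and in every container that binds `/etc/nginx/ssl/`; nginx reads the key in its root-run master, so `mode: "0400"` (the mode already used for `root/.ssh/authorized_keys`) is sufficient, with `fullchain.pem` left at 0644. The same hunk adds `default_type applicationøctet-stream;` to nginx-dmz.conf, which looks like the mojibake this commit fixes in nginx-gw.conf and should read `default_type application/octet-stream;`. In the services hunk the live `login-validator` command is `["/bin/login-validator", "-bind=:8081", "-noauth"]` with the LDAP variant commented out just above; presumably `-noauth` disables authentication on the `/login` path that nginx-login exposes on 443, so if this is a debugging leftover it should not ship, and if intentional a comment stating why would help the next reader.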