From eb5b8cdbcedd0b354f00ec05827d598db535f0f9 Mon Sep 17 00:00:00 2001
From: nemunaire
Date: Mon, 5 Mar 2018 17:39:56 +0100
Subject: [PATCH] server image done

---
 .gitignore | 1 +
 Makefile | 10 +
 challenge/init | 18 +-
 server.yml | 489 ++++++++++++++++++++++++++++++++++++++++++-------
 4 files changed, 440 insertions(+), 78 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3d4c135..8b1818b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ login-kernel
 server-cmdline
 server-initrd.img
 server-kernel
+fonts/
diff --git a/Makefile b/Makefile
index b723422..0e9e607 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,14 @@
 all: login-app/login-app
+fonts: fonts/Inconsolata-16b.psf fonts/Inconsolata-16r.psf fonts/Inconsolata-32b.psf fonts/Inconsolata-32r.psf
+fonts/Inconsolata-16b.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16b.psf
+fonts/Inconsolata-16r.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16r.psf
+fonts/Inconsolata-32b.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32b.psf
+fonts/Inconsolata-32r.psf:
+	wget https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-32r.psf
+
 login-app/login-app: login-app/*.go
 	GOOS=linux GOARCH=amd64 go build -tags netgo -ldflags '-w -extldflags "-static -lncurses"' -o $@ ./login-app
diff --git a/challenge/init b/challenge/init
index 4e64d87..ac2cdb6 100755
--- a/challenge/init
+++ b/challenge/init
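Review bot: The four new font rules never produce their targets: `wget URL` saves to `./Inconsolata-16b.psf` in the working directory, not to `fonts/Inconsolata-16b.psf`, and nothing creates `fonts/`, so `make fonts` re-downloads on every run and the new `fonts/` entry in `.gitignore` never matches what was fetched. Each recipe should be `mkdir -p fonts && wget -O $@ https://github.com/xeechou/Inconsolata-psf/raw/master/Inconsolata-16b.psf` (and likewise for the other three). From a supply-chain angle the fetch also tracks `raw/master` of a third-party repository with no pinning and no checksum; a commit-pinned URL plus a `sha256sum -c` against a digest committed next to the Makefile would make the console font baked into the server image reproducible and tamper-evident.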
@@ -38,26 +38,28 @@ done
 /bin/rm -f /init /linuxrc
 # Randomize time at boot
-/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))01 > /dev/null
+/bin/date -s 19$((70 + $RANDOM % 30))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9))0$((1 + $RANDOM % 9)).0$((1 + $RANDOM % 9))01 > /dev/null
 /sbin/sysctl -w net.ipv4.ip_default_ttl=4 > /dev/null
 # Launch some daemons
 /usr/bin/setsid /usr/sbin/crond > /dev/null &
+# Change font
+zcat /usr/share/consolefonts/Inconsolata-16r.psf.gz | loadfont
+
 # Prepare token 4
 mkdir -p /mnt
 for l in a b c d e f g h i j k l m n o p q r s t u v w x y z zz; do
 [ -b /dev/sd$l ] || break
 done
-echo /dev/sd$l
-/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null
-/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null
-/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null
-mount /dev/sd${l}1 /mnt > /dev/null
-N1=$((125 - $RANDOM % 50))
-N2=$((25 + $RANDOM % 50))
+/bin/dd if=/dev/zero of=/dev/sd${l} count=1 > /dev/null 2> /dev/null
+/bin/dd if=/dev/zero of=/dev/sd${l}1 count=1 bs=10240000 > /dev/null 2> /dev/null
+/sbin/mkfs.ext4 /dev/sd${l}1 > /dev/null 2> /dev/null
+mount /dev/sd${l}1 /mnt > /dev/null 2> /dev/null
+N1=$((72 - $RANDOM % 35))
+N2=$((25 + $RANDOM % 35))
 {
 echo -n $N1
 echo -n $N2
diff --git a/server.yml b/server.yml
index 626ed51..e04b6e5 100644
--- a/server.yml
+++ b/server.yml
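Review bot: The added `2> /dev/null` on `dd`, `mkfs.ext4` and `mount` discards the only signal that the token disk was not prepared; with no `set -e` and no exit-status check, the `{ echo -n $N1 ... }` block that follows (its end lies outside this hunk) writes the token into `/mnt` on the initramfs root instead of onto the disk, silently. At minimum the mount should be checked, e.g. `mount /dev/sd${l}1 /mnt > /dev/null 2>&1 || { echo "token disk unavailable" >&2; exit 1; }`. Note also that the loop above stops at the first `/dev/sd$l` that is NOT a block device (`[ -b ... ] || break`), so unless I misread the intent, `l` ends up naming a device that does not exist and `dd` then creates a regular file under `/dev` — a failure mode this redirect now hides as well.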
@@ -19,34 +19,41 @@ onboot: # Network: exposed - name: netvlan-iface-setup image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ] - net: new - runtime: - interfaces: - - name: eth0.7 - add: vlan - vlanid: 7 - - name: ns-iface-setup + command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ] + - name: login-iface-setup image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;" ] + command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ] net: new runtime: interfaces: - - name: vethin-validator + - name: vethin-login add: veth - peer: veth-validator + peer: veth-login bindNS: - net: /run/netns/ns + net: /run/netns/login - name: bridge-ext-setup image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 192.168.0.46/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-validator master br-ext; ip link set br-ext up; ip link set veth-validator up; ip link set eth0 up" ] + command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 172.17.0.1;" ] runtime: interfaces: - name: br-ext add: bridge + + # Network: DMZ + - name: validator-iface-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ] + net: new + runtime: + interfaces: + - name: vethin-vldtr + add: veth + peer: veth-validator + bindNS: + net: /run/netns/dmz-validator - name: ns-iface-setup image: 
linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;" ] + command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ] net: new runtime: interfaces: @@ -54,10 +61,10 @@ onboot: add: veth peer: veth-ns bindNS: - net: /run/netns/ns + net: /run/netns/dmz-ns - name: time-iface-setup image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;" ] + command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ] net: new runtime: interfaces: 
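Review bot: The onboot `ip` command chains in `netvlan-iface-setup`, `login-iface-setup`, `bridge-ext-setup` and `validator-iface-setup` are joined with `;` under `/bin/sh -c`, so a failed step (for example `ip link add ... eth0.7` when the link already exists, or an address add on a veth that was not created) does not stop the chain and the container's exit status only reflects the last command. Running them as `["/bin/sh", "-ec", "..."]` surfaces the first broken step instead of leaving a half-configured bridge that the later firewall rules on `br-ext`/`br-int` silently assume. The new `172.17.0.16/16` address and `ip route add default via 172.17.0.1` on `br-ext` also place the uplink, the student-facing `eth0` and the login veth on one L2 segment; if that is intended, a one-line YAML comment saying so would spare the next reader from wondering whether the login namespace was meant to sit behind the firewall.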
@@ -65,21 +72,21 @@ onboot: add: veth peer: veth-time bindNS: - net: /run/netns/time - - name: mail-iface-setup - image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;" ] - net: new - runtime: - interfaces: - - name: vethin-mail - add: veth - peer: veth-mail - bindNS: - net: /run/netns/mail + net: /run/netns/dmz-time +# - name: mail-iface-setup +# image: linuxkit/ip:v0.2 +# command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ] +# net: new +# runtime: +# interfaces: +# - name: vethin-mail +# add: veth +# peer: veth-mail +# bindNS: +# net: /run/netns/dmz-mail - name: bridge-int-setup image: linuxkit/ip:v0.2 - command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ] + command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ] runtime: interfaces: - name: br-int 
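Review bot: `bridge-int-setup` still runs `ip link set veth-mail master br-int` and `ip link set veth-mail up`, but `mail-iface-setup`, the only place `veth-mail` is created, is commented out in this same hunk, so both commands fail with "Cannot find device" and, the `up` being last in the chain, the onboot container exits nonzero on every boot. Either drop the two `veth-mail` fragments so the command ends `...; ip link set veth-time master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up`, or comment them out next to the mail entry so they come back together when postfix does.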
@@ -87,26 +94,62 @@ onboot: - name: fw image: linuxkit/ip:v0.2 - command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ] + command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ] + binds: + - /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro services: - name: rngd image: linuxkit/rngd:v0.2 - - name: sshd - image: linuxkit/sshd:v0.2 +# - name: sshd +# image: linuxkit/sshd:v0.2 -# - name: dhcpd -# image: nemunaire/tftpd -# binds: -# - /srv/tftp:/srv/tftp:ro + - name: dhcpd + image: joebiellik/dhcpd + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_NET_RAW + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + binds: + - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro - name: tftpd - image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9 + image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9-dirty + capabilities: + - all binds: - /srv/tftp:/srv/tftp:ro + - /var/tftp/pxelinux.cfg:/srv/tftp/pxelinux.cfg - - name: nginx - image: nginx:alpine + - name: login-validator + image: nemunaire/adlin-login-validator:6d341b97fc44723ea121c1f9a145fc7d7e7b17ca +# command: ["/bin/login-validator", "-bind=:8081", "-ldaphost=auth.cri.epita.fr", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"] + command: ["/bin/login-validator", "-bind=:8081", "-noauth"] + net: /run/netns/login + binds: + - /etc/resolv.conf:/etc/resolv.conf:ro + - /srv/students.csv:/students.csv:ro + - /var/tftp/pxelinux.cfg:/var/tftp/pxelinux.cfg + - /etc/ssl/certs:/etc/ssl/certs:ro + - /usr/share/ca-certificates:/usr/share/ca-certificates:ro + - name: nginx-login + image: nginx:stable-alpine + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + - CAP_DAC_OVERRIDE + net: /run/netns/login + binds: + - /etc/resolv.conf:/etc/resolv.conf:ro + - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro + - /etc/nginx/ssl/:/etc/nginx/ssl/:ro + + - name: nginx-gw + image: 
nginx:stable-alpine capabilities: - CAP_NET_BIND_SERVICE - CAP_CHOWN 
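Review bot: `login-validator` is started with `-noauth` while the LDAP invocation stays commented out, so the service that rewrites PXE boot entries under `/var/tftp/pxelinux.cfg` (mounted read-write here) accepts any login presented to it; if this is a test toggle, gate it behind a build variable rather than shipping it as the default for the server image. `tftpd` is also given `capabilities: - all`, whereas the `dhcpd` entry just above shows the intended narrow-list style; serving UDP/69 needs `CAP_NET_BIND_SERVICE` and, if the daemon drops privileges, `CAP_SETUID`/`CAP_SETGID`, not the full set. The `nemunaire/tftpd` image tag also ends in `-dirty`, meaning it was built from an uncommitted tree and cannot be rebuilt from the referenced commit; pinning to a clean-build tag keeps the image reproducible.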
@@ -115,27 +158,127 @@ services: - CAP_DAC_OVERRIDE binds: - /etc/resolv.conf:/etc/resolv.conf:ro - - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro + - /etc/nginx/ssl/:/etc/nginx/ssl/:ro + - /etc/ssl/certs:/etc/ssl/certs:ro + - /usr/share/ca-certificates:/usr/share/ca-certificates:ro - - name: login-validator - image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty - command: ["/bin/login-validator", "-bind=:8081"] + - name: nginx-dmz + image: nginx:stable-alpine + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + - CAP_DAC_OVERRIDE + net: /run/netns/dmz-validator binds: - - /srv/students.csv:/srv/students.csv:ro + - /etc/resolv.conf:/etc/resolv.conf:ro + - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro + - /etc/nginx/ssl/:/etc/nginx/ssl/:ro + - /etc/ssl/certs:/etc/ssl/certs:ro + - /usr/share/ca-certificates:/usr/share/ca-certificates:ro - name: ns - image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0 - net: /run/netns/ns + image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0-dirty + net: /run/netns/dmz-ns + capabilities: + - all binds: - /etc/unbound:/etc/unbound:ro - name: time image: linuxkit/openntpd:v0.2 - net: /run/netns/time + net: /run/netns/dmz-time + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_SYS_TIME + - CAP_SYS_CHROOT + - CAP_SYS_NICE + - CAP_SETUID + - CAP_SETGID binds: + - /etc/resolv.conf:/etc/resolv.conf:ro - /etc/ntpd.conf:/etc/ntpd.conf:ro +# - name: postfix +# image: TBD +# net: /run/netns/dmz-mail +# binds: +# - /etc/postfix/main.cf:/etc/postfix/main.cf:ro + files: + - path: etc/init.d/011-copy-to-var + contents: | + #!/bin/sh + mkdir -p /var/tftp/ + cp -r /srv/tftp/pxelinux.cfg /var/tftp/pxelinux.cfg + mode: "0755" + + - path: etc/init.d/021-nameserver + contents: | + #!/bin/sh + echo nameserver 172.23.200.2 > /etc/resolv.conf + mode: "0755" + +# - path: etc/init.d/011-adlin +# contents: | 
+# #!/bin/sh +# ip route add default via 172.17.0.1 +# /sbin/sysctl -w net.ipv4.ip_forward=1 +# echo nameserver 8.8.8.8 > /etc/resolv.conf +# mkdir /tmp/newroot +# mount -t tmpfs none /tmp/newroot +# mkdir /tmp/newroot/etc +# cp -r /etc/apk /tmp/newroot/etc +# apk add --no-cache --initdb -p /tmp/newroot iptables nftables +# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4 +# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6 +# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat +# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; } +# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade +# mode: "0755" + + - path: etc/sysctl.d/99-ipfwd.conf + contents: | + net.ipv4.ip_forward = 1 + net.ipv6.conf.all.disable_ipv6 = 1 + mode: "0644" + - path: etc/sysctl.d/00-linuxkit.conf + contents: | + # from Alpine defaults + net.ipv4.tcp_syncookies = 1 + net.ipv4.conf.default.rp_filter = 1 + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.ping_group_range=999 59999 + # general limits + vm.max_map_count = 262144 + vm.overcommit_memory = 1 + net.core.somaxconn = 1024 + net.ipv4.neigh.default.gc_thresh1 = 80000 + net.ipv4.neigh.default.gc_thresh2 = 90000 + net.ipv4.neigh.default.gc_thresh3 = 100000 + fs.aio-max-nr = 1048576 + fs.inotify.max_user_watches = 524288 + fs.file-max = 524288 + # for rngd + kernel.random.write_wakeup_threshold = 3072 + # security restrictions + kernel.kptr_restrict = 2 + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.default.accept_source_route = 0 + net.ipv6.conf.all.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + kernel.dmesg_restrict = 1 + kernel.perf_event_paranoid = 3 + fs.protected_hardlinks = 1 + fs.protected_symlinks = 1 + # 
Prevent ebpf privilege escalation + # see: https://lwn.net/Articles/742170 + kernel.unprivileged_bpf_disabled=1 + mode: "0644" + - path: root/.ssh/authorized_keys source: ~/.ssh/id_ed25519.pub mode: "0400" @@ -144,31 +287,39 @@ files: source: students.csv mode: "0400" - - path: etc/iptables/rules.v6 + - path: etc/iptables/rules.v4 contents: | - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT DROP [0:0] + *nat + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE COMMIT - mode: "0440" - - path: etc/iptables/rules-admin.v4 - contents: | *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] - :OUTPUT DROP [0:0] + :OUTPUT ACCEPT [0:0] [0:0] -A INPUT -i lo -j ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP [0:0] -A INPUT -p icmp -j ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT + [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT + [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT + [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT [0:0] -A INPUT -j LOG + [0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT + [0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT + [0:0] -A FORWARD -i br-int -j ACCEPT + [0:0] -A FORWARD -o br-int -j ACCEPT + [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT + [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT + [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT + [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT + [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT + [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP [0:0] -A FORWARD -j LOG - [0:0] -A OUTPUT -o lo -j ACCEPT - [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - [0:0] -A OUTPUT -j LOG - [0:0] -A OUTPUT -j REJECT COMMIT mode: "0440" 
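Review bot: The `ns` service (unbound, in `dmz-ns`) is granted `capabilities: - all`, whereas the `time` entry right below shows the intended pattern of listing only what the daemon needs. Unbound with its default configuration binds port 53, chroots and drops to its service user, so `CAP_NET_BIND_SERVICE`, `CAP_SYS_CHROOT`, `CAP_SETUID` and `CAP_SETGID` should be sufficient — worth confirming against the image's `unbound.conf`. A resolver that answers every student VM is exactly the container that should run with the smallest capability set, since the full set lets a compromised process reconfigure the DMZ interfaces in its namespace and bypass the restrictions the rest of this hunk (sysctl hardening, read-only binds) is putting in place.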
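Review bot: The filter table's `:FORWARD ACCEPT [0:0]` policy makes the `-A FORWARD ... -j ACCEPT` rules that follow mostly cosmetic: anything they do not match reaches `-A FORWARD -j LOG` and is then forwarded anyway by the chain policy, so the only traffic actually blocked between `br-ext`, `br-int`, `eth0.7` and the login subnet is DHCP client-to-server from `br-ext`. If the intent is the whitelist these rules describe, the policy must be `:FORWARD DROP [0:0]`, with `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` near the top so return traffic still passes. Separately, `-s 172.23.255.2/24` in the hairpin rule is the same as `-s 172.23.255.0/24` (the host bits are masked), so it admits the whole login subnet rather than the validator host; use `/32` if the single host was meant.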
@@ -182,60 +333,258 @@ files: access-control: 172.23.0.0/16 allow log-queries: yes log-replies: yes + use-syslog: no hide-identity: yes hide-version: yes qname-minimisation: yes domain-insecure: "." val-permissive-mode: yes - root-hints: /etc/unbound/root.hints trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key" + local-zone: "adlin.nemunai.re" typetransparent + local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\"" + local-data: "auth.adlin.nemunai.re A 172.23.255.2" remote-control: control-enable: no forward-zone: name: "." - forward-addr: 192.168.0.1 + forward-addr: 8.8.8.8 mode: "0440" - - path: etc/nginx/nginx.conf + - path: etc/postfix/main.cf + contents: | + myorigin = adlin.nemunai.re + mydestination = + local_recipient_maps = + local_transport = error:local mail delivery is disabled + mynetworks = 127.0.0.0/8 + relay_domains = nemunai.re + parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps + mode: "0440" + + - path: etc/nginx/ssl/fullchain.pem + source: ssl/fullchain.pem + mode: "0644" + - path: etc/nginx/ssl/privkey.pem + source: ssl/privkey.pem + mode: "0644" + - path: etc/nginx/nginx-gw.conf contents: | user nginx; worker_processes 2; - error_log /var/log/nginxærror.log warn; + error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { - include ætc/nginx/mime.types; - default_type applicationøctet-stream; - log_format main '$remoteªddr - $remote_user [$time_local] "$request"' + include /etc/nginx/mime.types; + default_type application/octet-stream; + log_format main '$remote_addr - $remote_user [$time_local] "$request"' '$status $body_bytes_sent "$http_referer"' - '"$http_userªgent""$http_x_forwarded_for"'; - access_log /var/log/nginxåccess.log main; + '"$http_user_agent""$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; sendfile on; + 
server_tokens off; #tcp_nopush on; keepalive_timeout 65; #gzip on; + resolver 9.9.9.9; server { listen 80 default; listen [::]:80 default; location = /{ return 403; } + location /iamalive { + proxy_pass https://82.64.31.248/challenge; + proxy_set_header Host adlin.nemunai.re; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-By 172.23.0.1; + proxy_redirect off; + } } } mode: "0440" + - path: etc/nginx/nginx-login.conf + contents: | + user nginx; + worker_processes 2; + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + log_format main '$remote_addr - $remote_user [$time_local] "$request"' + '$status $body_bytes_sent "$http_referer"' + '"$http_user_agent""$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; + sendfile on; + server_tokens off; + #tcp_nopush on; + keepalive_timeout 65; + #gzip on; + server { + listen 443 default ssl; + listen [::]:443 default ssl; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + location = /{ + return https://adlin.nemunai.re/; + } + location /login { + proxy_pass http://localhost:8081/login; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_redirect off; + } + } + } + mode: "0440" + + - path: etc/nginx/nginx-dmz.conf + contents: | + user nginx; + worker_processes 2; + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type applicationøctet-stream; + log_format main '$remote_addr - $remote_user [$time_local] "$request"' + '$status $body_bytes_sent "$http_referer"' + '"$http_user_agent""$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; + sendfile on; + server_tokens off; + #tcp_nopush on; + keepalive_timeout 
65; + #gzip on; + resolver 9.9.9.9; + server { + listen 80 default; + listen [::]:80 default; + location = /{ + return https://adlin.nemunai.re/; + } + location /challenge { + proxy_pass https://82.64.31.248/challenge; + proxy_set_header Host adlin.nemunai.re; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-By 172.23.200.1; + proxy_set_header X-Forwarded-Proto http; + proxy_redirect off; + } + location /sshkeys { + return https://adlin.nemunai.re/sshkeys; + } + } + server { + listen 443 default ssl; + listen [::]:443 default ssl; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + location = /{ + return https://adlin.nemunai.re/; + } + location /challenge { + proxy_pass https://82.64.31.248/challenge; + proxy_set_header Host adlin.nemunai.re; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-By 172.23.200.1; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + location /sshkeys { + proxy_pass https://82.64.31.248/sshkeys; + proxy_set_header Host adlin.nemunai.re; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-By 172.23.200.1; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + } + } + mode: "0440" + + - path: etc/dhcp/dhcpd.conf + contents: | + authoritative; + default-lease-time 7200; + max-lease-time 7200; + subnet 172.23.255.0 netmask 255.255.255.0 { + range 172.23.255.10 172.23.255.254; + option routers 172.23.255.1; + option subnet-mask 255.255.255.0; + option broadcast-address 172.23.255.255; + next-server 172.23.255.1; + filename "pxelinux.0"; + } + mode: "0440" + - path: etc/ntpd.conf contents: | listen on * - servers pool.ntp.org + server 95.81.173.8 + server 95.81.173.74 + server 95.81.173.155 + server 51.15.180.229 mode: "0440" - path: srv/tftp directory: true mode: "0755" + - path: srv/tftp/ldlinux.c32 + source: 
/usr/share/syslinux/ldlinux.c32 + mode: "0644" + - path: srv/tftp/libcom32.c32 + source: /usr/share/syslinux/libcom32.c32 + mode: "0644" + - path: srv/tftp/libutil.c32 + source: /usr/share/syslinux/libutil.c32 + mode: "0644" + - path: srv/tftp/menu.c32 + source: /usr/share/syslinux/menu.c32 + mode: "0644" + - path: srv/tftp/poweroff.c32 + source: /usr/share/syslinux/poweroff.c32 + mode: "0644" + - path: srv/tftp/pxelinux.0 + source: /usr/share/syslinux/pxelinux.0 + mode: "0644" + - path: srv/tftp/pxelinux.cfg + directory: true + mode: "0755" + - path: srv/tftp/pxelinux.cfg/default + source: tftp/pxelinux.cfg/default + mode: "0644" + - path: srv/tftp/pxelinux.cfg/tpl + source: tftp/pxelinux.cfg/tpl + mode: "0644" + - path: srv/tftp/vesamenu.c32 + source: /usr/share/syslinux/vesamenu.c32 + mode: "0644" + + - path: srv/tftp/bzImage + source: tftp/bzImage + mode: "0644" + - path: srv/tftp/initramfs-login.img + source: tftp/initramfs-login.img + mode: "0644" + - path: srv/tftp/initramfs-challenge.img + source: challenge-initrd.img + mode: "0644" + trust: org: - linuxkit
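Review bot: `etc/nginx/ssl/privkey.pem` is installed with `mode: "0644"`, making the TLS private key world-readable in the image and in every container that bind-mounts `/etc/nginx/ssl/` (nginx-login, nginx-gw, nginx-dmz); the other secrets in this file (`authorized_keys`, `students.csv`) use `"0400"`, and nginx reads the key as root before dropping to `nginx`, so `mode: "0400"` works here too. The three `proxy_pass https://82.64.31.248/...` locations also speak TLS to a bare IP with nginx's default `proxy_ssl_verify off` and no SNI, so the upstream certificate is never checked against `adlin.nemunai.re` and anyone who can answer for that address receives the challenge and `/sshkeys` traffic; since `/etc/ssl/certs` is already bind-mounted into these containers, verification can be enabled per location as below (the bundle path assumes the host's default CA file). Finally, `default_type applicationøctet-stream;` in `nginx-dmz.conf` looks mis-encoded next to the `application/octet-stream` in the other two configs; if that is in the committed file rather than a rendering artifact, it should be fixed before the image is built.
```nginx
location /challenge {
    proxy_pass https://82.64.31.248/challenge;
    # verify the upstream certificate against the real host name, not the IP
    proxy_ssl_verify on;
    proxy_ssl_server_name on;
    proxy_ssl_name adlin.nemunai.re;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # … unchanged: proxy_set_header / proxy_redirect directives …
}
```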