CI: Add event on tag to compile tuto subjects

.drone.yml

@@ -76,3 +76,57 @@ steps:
 trigger:
   event:
   - push
+---
+kind: pipeline
+type: docker
+name: build-tutorial-2-subject
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: render subject
+  image: pandoc/latex:2.17.1
+  commands:
+  - sed -i s/v3.12/v3.14/ /etc/apk/repositories
+  - apk add --no-cache make ttf-linux-libertine
+  - tlmgr update --self
+  - tlmgr install enumitem environ etoolbox preprint sectsty selnolig tcolorbox titling
+  - wget -O /tmp/FantasqueSansMono-Normal.tar.gz https://github.com/belluzj/fantasque-sans/releases/download/v1.8.0/FantasqueSansMono-Normal.tar.gz
+  - mkdir /usr/share/fonts/fantasque-sans-mono
+  - tar xf /tmp/FantasqueSansMono-Normal.tar.gz -C /usr/share/fonts/fantasque-sans-mono OTF/ TTF/ --strip-component=1
+  - mkdir dist
+  - make -C tutorial/ansible
+  - mv tutorial/ansible/tutorial.pdf dist/tutorial-2.pdf
+
+trigger:
+  ref:
+  - refs/tags/tutorial2-*
+---
+kind: pipeline
+type: docker
+name: build-tutorial-3-subject
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: render subject
+  image: pandoc/latex:2.17.1
+  commands:
+  - sed -i s/v3.12/v3.14/ /etc/apk/repositories
+  - apk add --no-cache make ttf-linux-libertine
+  - tlmgr update --self
+  - tlmgr install enumitem environ etoolbox preprint sectsty selnolig tcolorbox titling
+  - wget -O /tmp/FantasqueSansMono-Normal.tar.gz https://github.com/belluzj/fantasque-sans/releases/download/v1.8.0/FantasqueSansMono-Normal.tar.gz
+  - mkdir /usr/share/fonts/fantasque-sans-mono
+  - tar xf /tmp/FantasqueSansMono-Normal.tar.gz -C /usr/share/fonts/fantasque-sans-mono OTF/ TTF/ --strip-component=1
+  - mkdir dist
+  - make -C tutorial/nat
+  - mv tutorial/nat/tutorial.pdf dist/tutorial-3.pdf
+
+trigger:
+  ref:
+  - refs/tags/tutorial3-*

.gitignore

@@ -23,3 +23,4 @@ tuto3-kernel
 tuto3-state/
 fonts/
 students*.csv
+vendor/

Makefile

@@ -1,84 +1,86 @@
+LINUXKIT ?= $(GOPATH)/bin/linuxkit
+
 tuto1: token-validator/token-validator server.iso
 
 pkg/login-app: pkg/login-app/cmd/login.go pkg/login-app/cmd/dialog-checklogin.go pkg/login-app/cmd/cmd pkg/login-app/cmd/dialog-login.go pkg/login-app/cmd/login-app pkg/login-app/cmd/dialog-errmsg.go pkg/login-app/cmd/main.go pkg/login-app/cmd/stream.go pkg/login-app/cmd/cinematic.go pkg/login-app/build.yml pkg/login-app/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/login-app/
-	#linuxkit pkg push -org nemunaire --sign=false pkg/login-app/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/login-app/
+	#$(LINUXKIT) pkg push -org nemunaire --sign=false pkg/login-app/
 	touch pkg/login-app
 
 login-initrd.img: login.yml pkg/login-app
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 
 token-validator/token-validator: token-validator/*.go
 	go generate ./token-validator
 	GOOS=linux GOARM=5 GOARCH=arm go build -tags netgo -ldflags '-w -extldflags "-static"' -o $@ ./token-validator
 
 challenge: pkg/challenge/adlin pkg/challenge/issue pkg/challenge/init
-	linuxkit pkg build -org nemunaire pkg/challenge/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/challenge/
 
 challenge-initrd.img: challenge.yml subject/adlin.6.gz subject/adlin-TP1-topologie.png
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 
 
 pkg/arp-spoofer: pkg/arp-spoofer/cmd/main.go pkg/arp-spoofer/cmd/arp.go pkg/arp-spoofer/build.yml pkg/arp-spoofer/Dockerfile
-	linuxkit pkg build -org nemunaire $@
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire $@
 	touch $@
 
 pkg/login-validator: pkg/login-validator/cmd/login.go pkg/login-validator/cmd/main.go pkg/login-validator/cmd/pxetpl.go pkg/login-validator/cmd/logout.go pkg/login-validator/cmd/auth.go pkg/login-validator/cmd/arp.go pkg/login-validator/cmd/auth_krb5.go pkg/login-validator/cmd/auth_ldap.go pkg/login-validator/cmd/students.go pkg/login-validator/cmd/auth_fwd.go pkg/login-validator/cmd/ssh.go pkg/login-validator/build.yml pkg/login-validator/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/login-validator/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/login-validator/
 	touch pkg/login-validator
 
 pkg/monit: pkg/monit/build.yml pkg/monit/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/monit/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/monit/
 	touch pkg/monit
 
 pkg/postfix: pkg/postfix/build.yml pkg/postfix/docker-entrypoint.sh pkg/postfix/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/postfix/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/postfix/
 	touch pkg/postfix
 
 pkg/tftpd: pkg/tftpd/build.yml pkg/tftpd/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/tftpd/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/tftpd/
 	touch pkg/tftpd
 
 pkg/unbound: pkg/unbound/build.yml pkg/unbound/docker-entrypoint.sh pkg/unbound/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/unbound/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/unbound/
 	touch pkg/unbound
 
 pkg/wg-manager: pkg/wg-manager/cmd/register.go pkg/wg-manager/cmd/main.go pkg/wg-manager/build.yml pkg/wg-manager/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/wg-manager/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/wg-manager/
 	touch pkg/wg-manager
 
 server.iso: server.yml students.csv ssl/fullchain.pem ssl/privkey.pem challenge-initrd.img pkg/arp-spoofer pkg/login-validator pkg/monit pkg/postfix pkg/tftpd pkg/unbound pkg/wg-manager challenge-kernel login-initrd.img
-	linuxkit build -docker -format iso-bios $<
+	$(LINUXKIT) build -docker -format iso-bios $<
 
 pkg/debian-tuto2: pkg/debian-tuto2/sshd_config pkg/debian-tuto2/gai.conf pkg/debian-tuto2/isolinux.cfg pkg/debian-tuto2/build.yml pkg/debian-tuto2/default.script pkg/debian-tuto2/issue pkg/debian-tuto2/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/debian-tuto2/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/debian-tuto2/
 	touch pkg/debian-tuto2
 
 pkg/debian-tuto3: pkg/debian-tuto3/sshd_config pkg/debian-tuto3/build.yml pkg/debian-tuto3/issue pkg/debian-tuto3/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/debian-tuto3/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/debian-tuto3/
 	touch pkg/debian-tuto3
 
 pkg/router-tuto3: pkg/router-tuto3/build.yml pkg/router-tuto3/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/router-tuto3/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/router-tuto3/
 	touch pkg/router-tuto3
 
 pkg/tinydeb: pkg/tinydeb/sshd_config pkg/tinydeb/gai.conf pkg/tinydeb/build.yml pkg/tinydeb/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/tinydeb/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/tinydeb/
 	touch pkg/tinydeb
 
 pkg/nsd: pkg/nsd/sshd_config pkg/nsd/build.yml pkg/nsd/init pkg/nsd/Dockerfile
-	linuxkit pkg build -org nemunaire pkg/tinydeb/
+	$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/tinydeb/
 	touch pkg/nsd
 
 tuto2-kernel: tuto2.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 tuto2-initrd.img: tuto2.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 tuto2-cmdline: tuto2.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 
 tuto2.iso: tuto2.yml pkg/debian-tuto2 tuto2-kernel tuto2-initrd.img tuto2-cmdline
-	linuxkit build -docker -format iso-bios $<
+	$(LINUXKIT) build -docker -format iso-bios $<
 
 tuto2-srs.iso: tuto2.iso pkg/debian-tuto2/isolinux.cfg
 	$(eval TDIR := $(shell mktemp -d))
@@ -93,14 +95,14 @@ tuto2-srs.iso: tuto2.iso pkg/debian-tuto2/isolinux.cfg
 
 
 tuto3-kernel: tuto3.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 tuto3-initrd.img: tuto3.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 tuto3-cmdline: tuto3.yml
-	linuxkit build -docker $<
+	$(LINUXKIT) build -docker $<
 
 tuto3.iso: tuto3.yml pkg/debian-tuto3 pkg/router-tuto3 pkg/tinydeb pkg/unbound pkg/nsd
-	linuxkit build -docker -format iso-bios $<
+	$(LINUXKIT) build -docker -format iso-bios $<
 
 
 %.gz: %

login.yml

@@ -1,6 +1,6 @@
 init:
   - busybox
-  - nemunaire/adlin-login-app:c71f57c845cd1e26df4a95143c86c98699bf7b6c
+  - nemunaire/adlin-login-app:a6ceb3829e7c6e65187654eb212fbd0e888b9dd4
 
 files:
   - path: /etc/ssl/certs/DST_Root_CA_X3.pem

pkg/adlin-tuto1/build.yml

@@ -1,2 +1,4 @@
 image: adlin-tuto1
 network: true
+arches:
+- x86_64

pkg/arp-spoofer/build.yml

@@ -1,2 +1,4 @@
 image: adlin-arp-spoofer
 network: true
+arches:
+- x86_64

pkg/arp-spoofer/cmd/go.mod

@@ -0,0 +1,12 @@
+module git.nemunai.re/srs/adlin/pkg/arp-spoofer
+
+go 1.16
+
+require github.com/mdlayher/arp v0.0.0-20191213142603-f72070a231fc
+
+require (
+	github.com/mdlayher/ethernet v0.0.0-20190313224307-5b5fc417d966 // indirect
+	github.com/mdlayher/raw v0.0.0-20190313224157-43dbcdd7739d // indirect
+	golang.org/x/net v0.0.0-20190313220215-9f648a60d977 // indirect
+	golang.org/x/sys v0.0.0-20190312061237-fead79001313 // indirect
+)

pkg/arp-spoofer/cmd/go.sum

@@ -0,0 +1,15 @@
+github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/mdlayher/arp v0.0.0-20191213142603-f72070a231fc h1:m7rJJJeXrYCFpsxXYapkDW53wJCDmf9bsIXUg0HoeQY=
+github.com/mdlayher/arp v0.0.0-20191213142603-f72070a231fc/go.mod h1:eOj1DDj3NAZ6yv+WafaKzY37MFZ58TdfIhQ+8nQbiis=
+github.com/mdlayher/ethernet v0.0.0-20190313224307-5b5fc417d966 h1:O3p5UmisBhl3V6lgs4Vdfg8HpjzbWJPyOfGLdwVJSmI=
+github.com/mdlayher/ethernet v0.0.0-20190313224307-5b5fc417d966/go.mod h1:5s5p/sMJ6sNsFl6uCh85lkFGV8kLuIYJCRJLavVJwvg=
+github.com/mdlayher/raw v0.0.0-20190313224157-43dbcdd7739d h1:rjAS0af7FIYCScTtEU5KjIldC6qVaEScUJhABHC+ccM=
+github.com/mdlayher/raw v0.0.0-20190313224157-43dbcdd7739d/go.mod h1:r1fbeITl2xL/zLbVnNHFyOzQJTgr/3fpf1lJX/cjzR8=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20190313220215-9f648a60d977 h1:actzWV6iWn3GLqN8dZjzsB+CLt+gaV2+wsxroxiQI8I=
+golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

pkg/awx_web/build.yml

@@ -1,2 +1,4 @@
 image: awx_web
 network: true
+arches:
+- x86_64

pkg/challenge/build.yml

@@ -1,2 +1,4 @@
 image: challenge
 network: true
+arches:
+- x86_64

pkg/debian-tuto2/build.yml

@@ -1,2 +1,4 @@
 image: adlin-tuto2
 network: true
+arches:
+- x86_64

pkg/debian-tuto3/build.yml

@@ -1,2 +1,4 @@
 image: adlin-tuto3
 network: true
+arches:
+- x86_64

pkg/debug/build.yml

@@ -1,2 +1,4 @@
 image: debug
 network: true
+arches:
+- x86_64

pkg/iscsi-target/build.yml

@@ -1,2 +1,4 @@
 image: iscsi-target
 network: true
+arches:
+- x86_64

pkg/login-app/build.yml

@@ -1,2 +1,4 @@
 image: adlin-login-app
 network: true
+arches:
+- x86_64

pkg/login-app/cmd/.gitignore

@@ -0,0 +1 @@
+cmd

pkg/login-validator/build.yml

@@ -1,2 +1,4 @@
 image: adlin-login-validator
 network: true
+arches:
+- x86_64

pkg/login-validator/cmd/auth_krb5.go

@@ -49,9 +49,9 @@ func (f *Krb5Auth) checkAuth(username, password string) (res bool, err error) {
 	if err := c.Login(); err != nil {
 		if errk, ok := err.(krberror.Krberror); ok {
 			if errk.RootCause == krberror.NetworkingError {
-				return false, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
+				return false, errors.New("Authentication system unavailable, please retry")
 			} else if errk.RootCause == krberror.KDCError {
-				return false, errors.New(`{"status": "Invalid username or password"}`)
+				return false, errors.New("Invalid username or password")
 			}
 		}
 		return false, err

pkg/login-validator/cmd/go.mod

@@ -0,0 +1,20 @@
+module git.nemunai.re/srs/adlin/pkg/login-validator
+
+go 1.17
+
+require (
+	github.com/go-ldap/ldap/v3 v3.4.2
+	github.com/jcmturner/gokrb5/v8 v8.4.2
+)
+
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
+	github.com/hashicorp/go-uuid v1.0.2 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.0.0 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9 // indirect
+	golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa // indirect
+)

pkg/login-validator/cmd/go.sum

@@ -0,0 +1,44 @@
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
+github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
+github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-ldap/ldap/v3 v3.4.2 h1:zFZKcXKLqZpFMrMQGHeHWKXbDTdNCmhGY9AK41zPh+8=
+github.com/go-ldap/ldap/v3 v3.4.2/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8=
+github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.2 h1:6ZIM6b/JJN0X8UM43ZOM6Z4SJzla+a/u7scXFJzodkA=
+github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9 h1:umElSU9WZirRdgu2yFHY0ayQkEnKiOC1TtM3fWXFnoU=
+golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa h1:F+8P+gmewFQYRk6JoLQLwjBCTu3mcIURZfNkVweuRKA=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/login-validator/cmd/login.go

@@ -15,7 +15,10 @@ import (
 	"time"
 )
 
-var loginSalt string
+var (
+	loginSalt string
+	justLogin bool
+)
 
 type loginChecker struct {
 	students   []Student
@@ -81,6 +84,12 @@ func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if justLogin {
+		log.Println("Successful login of", lu.Username, "at", r.RemoteAddr)
+		http.Error(w, "You're now successfully logged.", http.StatusOK)
+		return
+	}
+
 	// Find corresponding MAC
 	var ip net.IP
 	spl := strings.SplitN(r.RemoteAddr, ":", 2)

pkg/login-validator/cmd/main.go

@@ -18,6 +18,8 @@ var tftpDir string
 func main() {
 	var studentsFile string
 
+	flag.BoolVar(&justLogin, "just-login", justLogin, "Don't perform MAC assignation and remote registration")
+
 	var bind = flag.String("bind", ":8081", "Bind port/socket")
 	flag.StringVar(&studentsFile, "students", "./students.csv", "Path to a CSV file containing students list")
 	flag.StringVar(&ARPTable, "arp", ARPTable, "Path to ARP table")

pkg/minichecker/build.yml

@@ -1,2 +1,4 @@
 image: minichecker
 network: true
+arches:
+- x86_64

pkg/monit/build.yml

@@ -1,2 +1,4 @@
 image: monit
 network: true
+arches:
+- x86_64

pkg/nsd/build.yml

@@ -1,2 +1,4 @@
 image: nsd
 network: true
+arches:
+- x86_64

pkg/postfix/build.yml

@@ -1,2 +1,4 @@
 image: postfix
 network: true
+arches:
+- x86_64

pkg/router-tuto3/build.yml

@@ -1,2 +1,4 @@
 image: router-tuto3
 network: true
+arches:
+- x86_64

pkg/tftpd/build.yml

@@ -1,2 +1,4 @@
 image: tftpd
 network: true
+arches:
+- x86_64

pkg/tinydeb/build.yml

@@ -1,2 +1,4 @@
 image: tinydeb
 network: true
+arches:
+- x86_64

pkg/unbound/build.yml

@@ -1,2 +1,4 @@
 image: unbound
 network: true
+arches:
+- x86_64

pkg/wg-manager/build.yml

@@ -1,2 +1,4 @@
 image: wg-manager
 network: true
+arches:
+- x86_64

pkg/wg-manager/cmd/go.mod

@@ -0,0 +1,3 @@
+module git.nemunai.re/srs/adlin/pkg/wg-manager
+
+go 1.16

pkg/wg/build.yml

@@ -1,5 +1,7 @@
 image: wg
 network: true
+arches:
+- x86_64
 config:
   capabilities:
     - CAP_NET_ADMIN

renovate.json

@@ -2,7 +2,14 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "packageRules": [
     {
-      "matchPackageNames": ["github.com/rivo/tview", "github.com/go-sql-driver/mysql", "github.com/julienschmidt/httprouter", "github.com/miekg/dns", "golang.org/x/oauth2", "gopkg.in/asn1-ber.v1"],
+      "matchPackageNames": [
+        "github.com/julienschmidt/httprouter",
+        "github.com/go-sql-driver/mysql",
+        "github.com/miekg/dns",
+        "github.com/rivo/tview",
+        "golang.org/x/oauth2",
+        "gopkg.in/asn1-ber.v1"
+      ],
       "automerge": true,
       "automergeType": "branch"
     }

server.yml

@@ -5,29 +5,29 @@ kernel:
   cmdline: "console=tty0"
 
 init:
-  - linuxkit/init:a68f9fa0c1d9dbfc9c23663749a0b7ac510cbe1c
-  - linuxkit/runc:v0.8
-  - linuxkit/containerd:1ae8f054e9fe792d1dbdb9a65f1b5e14491cb106
-  - linuxkit/ca-certificates:v0.8
+  - linuxkit/init:7e3d51e6ab5896ecb36a4829450f7430f2878927
+  - linuxkit/runc:9f7aad4eb5e4360cc9ed8778a5c501cce6e21601
+  - linuxkit/containerd:2f0907913dd54ab5186006034eb224a0da12443e
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 #  - linuxkit/firmware:v0.7
-  - linuxkit/getty:v0.8
-  - nemunaire/monit:efb921ff9d2e564dfa43880c608e87dce6ad22b1
+  - linuxkit/getty:3c6e89681a988c3d4e2610fcd7aaaa0247ded3ec
+  - nemunaire/monit:90a16ed909ca82b5a2a277cb290301e97ee36063
 #  - nemunaire/iscsi-target:8872d1c5e0cefe3c36b60e873b8452aefb19d84d
 
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.8
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
     binds:
       - /etc/sysctl.d/:/etc/sysctl.d/:ro
 
     # Mount first drive to enable some persistance
   - name: mount
-    image: linuxkit/mount:v0.8
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "-device", "/dev/sda", "/var/lib/adlin" ]
 
     # Network: interface for login-validator
   - name: login-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ]
     net: new
     runtime:
@@ -42,7 +42,7 @@ onboot:
 
     # wg-manager
   - name: wg-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.33.251/24 dev vethin-wg; ip link set vethin-wg address 0e:f2:7e:10:58:69; ip link set vethin-wg up; ip route add default via 10.224.33.252; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
     net: new
     binds:
@@ -60,7 +60,7 @@ onboot:
 
     # token-validator
   - name: validator-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
@@ -73,7 +73,7 @@ onboot:
 
     # domain name
   - name: ns-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
@@ -86,7 +86,7 @@ onboot:
 
     # time server
   - name: time-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
@@ -99,7 +99,7 @@ onboot:
 
     # mail server
   - name: mail-iface-setup
-    image: linuxkit/ip:v0.8
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ]
     net: new
     runtime:
@@ -116,9 +116,9 @@ onboot:
 
 services:
   - name: rngd
-    image: linuxkit/rngd:v0.8
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: sshd
-    image: linuxkit/sshd:v0.8
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
 
   - name: dhcpd
     image: joebiellik/dhcpd
@@ -136,7 +136,7 @@ services:
         - /var/lib/adlin/dhcp
 
   - name: tftpd
-    image: nemunaire/tftpd:b0d2e1de2660e81c329ecb49966c32aab8982f11
+    image: nemunaire/tftpd:de6fcc89d7cbaa46aa5e37821aeac24136f84761
     capabilities:
      - all
     binds:
@@ -145,11 +145,11 @@ services:
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
 
   - name: arp-spoofer
-    image: nemunaire/adlin-arp-spoofer:5c78e97a8c90b9faf8395f7084a05d0fb44c779a
+    image: nemunaire/adlin-arp-spoofer:9cfd4b106e4a70281fad33fb36df1a189f846cb6
     command: ["/bin/arp-spoofer", "-iface=br-ext", "-ip-spoof=172.17.0.15"]
 
   - name: login-validator
-    image: nemunaire/adlin-login-validator:5e8ae6a40d2764d66a0e65f7ebd68961729f3a90-dirty
+    image: nemunaire/adlin-login-validator:29c8b8434f26e7f0e0b02e19992bf67c90da3675
 #    command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
 #    command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"]
     command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
@@ -207,7 +207,7 @@ services:
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
 
   - name: wg
-    image: nemunaire/wg-manager:13a3c9000f68327b3051d089f86cd5a136ec48e4
+    image: nemunaire/wg-manager:5f60162cc1d934a209bbac8d963a2d9f6ba10c04
     command: ["/bin/wg-manager", "-bind=:80" ]
     capabilities:
      - all
@@ -216,7 +216,7 @@ services:
      - /etc/resolv.conf:/etc/resolv.conf:ro
 
   - name: ns
-    image: nemunaire/unbound:57b1e5e6d435a27af880036aed2c320073f7dffb
+    image: nemunaire/unbound:bd37359b69eb87eb5764fc18d9842cf78afc656c
     net: /run/netns/dmz-ns
     capabilities:
      - all
@@ -224,7 +224,7 @@ services:
      - /etc/unbound:/etc/unbound:ro
 
   - name: time
-    image: linuxkit/openntpd:v0.8
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
     command: ["/bin/sh", "-c", "sleep 10; /usr/sbin/ntpd -d -s" ]
     net: /run/netns/dmz-time
     capabilities:
@@ -239,7 +239,7 @@ services:
      - /etc/ntpd.conf:/etc/ntpd.conf:ro
 
   - name: postfix
-    image: nemunaire/postfix:34430347e3a1221fd743774dc566420f748f3839
+    image: nemunaire/postfix:6c556b4517ddb596ae0d084ec9783de9eba6534d
     net: /run/netns/dmz-mail
     capabilities:
      - CAP_CHOWN

tuto2.yml

@@ -1,5 +1,5 @@
 kernel:
-  image: linuxkit/kernel:4.19.121
+  image: linuxkit/kernel:5.10.92
   cmdline: "console=tty0 console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.format=/dev/sda quiet"
 
 init:

tuto3.yml

@@ -1,36 +1,36 @@
 kernel:
-  image: linuxkit/kernel:4.19.121
+  image: linuxkit/kernel:5.10.92
 #  cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
   cmdline: "console=tty0"
 
 init:
-  - linuxkit/init:a68f9fa0c1d9dbfc9c23663749a0b7ac510cbe1c
-  - linuxkit/runc:v0.8
-  - linuxkit/containerd:1ae8f054e9fe792d1dbdb9a65f1b5e14491cb106
-  - linuxkit/ca-certificates:v0.8
-  - linuxkit/getty:v0.8
+  - linuxkit/init:7e3d51e6ab5896ecb36a4829450f7430f2878927
+  - linuxkit/runc:9f7aad4eb5e4360cc9ed8778a5c501cce6e21601
+  - linuxkit/containerd:2f0907913dd54ab5186006034eb224a0da12443e
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/getty:3c6e89681a988c3d4e2610fcd7aaaa0247ded3ec
 
 onboot:
   - name: format
-    image: linuxkit/format:v0.8
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
     command: ["/usr/bin/format", "/dev/sda"]
 
   - name: mount
-    image: linuxkit/mount:v0.8
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/dev/sda1", "/var/lib/adlin"]
 
   - name: sysctl
-    image: linuxkit/sysctl:v0.8
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
     binds:
       - /etc/sysctl.d/:/etc/sysctl.d/:ro
 
   - name: rngd1
-    image: linuxkit/rngd:v0.8
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
     command: ["/sbin/rngd", "-1"]
 
     # Network: external
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.8
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1", "eth0"]
     net: new
     runtime:
@@ -41,7 +41,7 @@ onboot:
 
 services:
   - name: dhcpcd-wks-dg1
-    image: linuxkit/dhcpcd:v0.8
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     hostname: wks-dg1
     net: new
     pid: new
@@ -57,7 +57,7 @@ services:
       - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
 
   - name: dhcpcd-wks-rh1
-    image: linuxkit/dhcpcd:v0.8
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     hostname: wks-rh1
     net: new
     pid: new
@@ -74,7 +74,7 @@ services:
       - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf
 
   - name: dhcpcd-wks-rh2
-    image: linuxkit/dhcpcd:v0.8
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     hostname: wks-rh2
     net: new
     pid: new
@@ -90,7 +90,7 @@ services:
       - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
 
   - name: dhcpcd-wks-cm1
-    image: linuxkit/dhcpcd:v0.8
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     hostname: wks-cm1
     net: new
     pid: new
@@ -106,7 +106,7 @@ services:
       - /var/lib/adlin/wks-cm1resolv.conf:/etc/resolv.conf
 
   - name: sshd-wks-dg1
-    image: linuxkit/sshd:v0.8
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
     net: /run/netns/wks-dg1
     uts: /run/utsns/wks-dg1
     pid: new
@@ -118,7 +118,7 @@ services:
       - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
 
   - name: sshd-wks-rh1
-    image: linuxkit/sshd:v0.8
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
     net: /run/netns/wks-rh1
     uts: /run/utsns/wks-rh1
     pid: new
@@ -145,6 +145,7 @@ services:
         options: ["rw","nosuid","noexec","nodev","relatime"]
     binds:
       - /var/lib/adlin/wrt-etc:/etc
+      - /var/lib/adlin/wireguard/ansible.fact:/etc/ansible/facts.d/maatma.fact
       - /etc/rinittab:/etc/inittab
       - /etc/hosts:/etc/hosts:ro
       - /etc/dresolv.conf:/etc/resolv.conf
@@ -564,8 +565,11 @@ files:
           # Avoid listening on IPv6
           sed -r -i '/list\s+listen_http\s+\[::\]:80/d;/list\s+listen_https\s+\[::\]:443/d' /var/lib/adlin/wrt-etc/config/uhttpd
 
-          # Configure networking
-          cat > /var/lib/adlin/wrt-etc/config/network <<EOF
+          rm /var/lib/adlin/wrt-etc/config/network
+      }
+
+      # Configure networking
+      [ -f /var/lib/adlin/wrt-etc/config/network ] || cat > /var/lib/adlin/wrt-etc/config/network <<EOF
 
       config interface 'loopback'
           option ifname 'lo'
@@ -578,7 +582,6 @@ files:
           option proto 'dhcp'
 
       EOF
-      }
 
       [ -e /var/lib/adlin/wrt-config ] && {
         mv /var/lib/adlin/wrt-config/* /var/lib/adlin/wrt-etc/config/
@@ -594,6 +597,7 @@ files:
       EOF
 
       [ -f /var/lib/adlin/wireguard/adlin.conf ] && /usr/bin/update-wg-conf
+      [ -f /var/lib/adlin/wireguard/ansible.fact ] || touch /var/lib/adlin/wireguard/ansible.fact
     mode: "0755"
 
   - path: usr/bin/update-wg-conf
@@ -605,7 +609,7 @@ files:
       WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96#")
 
       grep -q wireguard /var/lib/adlin/wrt-etc/config/network && {
-          sed -i -r "s#list addresses '[^']+'#list addresses '${TUNIP}'#;s#option private_key '[^']+'#option private_key '${TUNPVKEY}'#;" /var/lib/adlin/wrt-etc/config/network
+          sed -i -r "s#list addresses '[^']*'#list addresses '${TUNIP}'#;s#option private_key '[^']*'#option private_key '${TUNPVKEY}'#;" /var/lib/adlin/wrt-etc/config/network
       }
 
       grep -q wireguard /var/lib/adlin/wrt-etc/config/network || cat >> /var/lib/adlin/wrt-etc/config/network <<EOF
@@ -636,6 +640,14 @@ files:
           option interface 'wg0'
 
       EOF
+
+      cat <<EOF > /var/lib/adlin/wireguard/ansible.fact
+      [tun]
+      pvkey=${TUNPVKEY}
+      ip6=${TUNIP}
+      srvip6=${SRVIP}
+      wksip6=${WKSIP}
+      EOF
     mode: "0755"
 
   - path: etc/init.d/014-get-ssh-keys
@@ -673,7 +685,7 @@ files:
   - path: /etc/init.d/800-rw-passwd.sh
     contents: |
       #!/bin/sh
-      sed -ri '/^root/s@^root:x:.*$@root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::@' /var/lib/adlin/wrt-etc/shadow
+      sed -ri '/^root/s@^root::.*$@root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::@' /var/lib/adlin/wrt-etc/shadow
       mkdir -p /var/lib/adlin/wrt-etc/dropbear/
       [ -f /var/lib/adlin/authorized_keys ] && ! [ -f /var/lib/adlin/wrt-etc/dropbear/authorized_keys ] && cp /var/lib/adlin/authorized_keys /var/lib/adlin/wrt-etc/dropbear/authorized_keys
 
@@ -689,7 +701,7 @@ files:
           cp /etc/services /containers/services/${svc}/rootfs/etc/services
           mkdir -p /containers/services/${svc}/rootfs/root/.ssh
           [ -f /var/lib/adlin/authorized_keys ] && cp /var/lib/adlin/authorized_keys /containers/services/${svc}/rootfs/root/.ssh/authorized_keys
-          nsenter -t $(ctr -n services.linuxkit t ls | grep ${svc} | awk '{ print $2 }') -a ssh-keygen -A
+          nsenter -t $(ctr -n services.linuxkit t ls | grep ${svc} | awk '{ print $2 }') -a -- ssh-keygen -A
       done
 
       exit 0

tutorial/nat/rendu.md

@@ -55,19 +55,23 @@ login_x-TP3/roles/revproxy/templates/nginx.conf.j2
 - votre routeur filtre les paquets entrants (IPv4, IPv6) selon la politique que vous avez défini,
 - votre routeur bloque les connexions entrantes vers le réseau des stations de travail,
 - votre routeur effectue du NAT en IPv4 pour les serveurs et les stations de travail.
-
+\
 - Votre vitrine est exposée en HTTP et HTTPS,
 - les options HTTPS ont été choisies avec soin, selon les recommandations de l'ANSSI,
 - le visiteur est redirigé systématiquement vers la version HTTPS,
 - le visiteur est redirigé vers `www.login_x.srs.p0m.fr` lorsqu'il visite `login_x.srs.p0m.fr`,
 - `news.login_x.srs.p0m.fr` affiche miniflux,
 - `matrix.login_x.srs.p0m.fr` est prêt.
-
+\
 - Votre serveur de nom de domaines est accessible en TCP et UDP,
 - votre nom de domaine se résout depuis un résolveur public,
-
+\
 - La configuration de tous les serveurs accessibles respectent les recommandations de l'ANSSI,
 - votre IPv6 publique peut évoluer en changeant simplement une variable `group_vars/all`.
+\
+- Vous avez utilisé des
+  [rôles](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html)
+  pour rendre vos recettes Ansible réutilisables.
 
 
 ## Signature du rendu

tutorial/nat/what.md

@@ -85,8 +85,8 @@ celles-ci sont automatiquement ajoutées aux différents serveurs. Cependant,
 seuls les clefs RSA et DSA sont utilisables pour se connecter sur le routeur,
 le serveur SSH ne gère pas les courbes éliptiques.
 
-Notez que vous n'avez pas accès à la machine hébergeant la base de données, le
-lecteur de flux RSS, ni à celle du résolveur DNS.
+Notez que vous n'avez pas accès à la machine hébergeant la base de données, ni
+à celle hébergeant le lecteur de flux RSS.
 
 
 Objectif du TP
@@ -103,6 +103,20 @@ s'assurer que ce soit également le cas des stations de travail).
 *Playbook* Ansible semble plutôt adaptée !
 
 
+### Mots de passes
+
+Tous les mots de passes sont `adlin2022` pour tous les services.
+
+3 bases de données Postgres sont à votre disposition pour vos différents
+services :
+
+  - `matrix`
+  - `miniflux`
+  - `website`
+
+Pour chacune, un utilisateur du même nom existe pour s'y connecter à distance.
+
+
 Au secours ça ne marche pas !
 -----------------------------