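# LinuxKit image spec for the "adlin" gateway host.
#
# Layout: kernel + init layer, one-shot `onboot` containers that mount the
# persistent disk and carve out one network namespace per exposed service,
# long-running `services`, and the files baked into the root filesystem.
# Host-side bridging of all the veth peers is done by etc/init.d/011-adlin-net
# (under `files:` below), not by an onboot container.
kernel:
  image: linuxkit/kernel:5.15.110
  # cmdline: "console=tty0 console=ttyS0"
  # cmdline: "console=tty0 adlin.network=alt"
  cmdline: "console=tty0"

init:
  - linuxkit/init:14df799bb3b9e0eb0491da9fda7f32a108a2e2a5
  - linuxkit/runc:436357ce16dd663e24f595bcec26d5ae476c998e
  - linuxkit/containerd:eeb3aaf497c0b3f6c67f3a245d61ea5a568ca718
  - linuxkit/ca-certificates:4de36e93dc87f7ccebd20db616ed10d381911d32
  # - linuxkit/firmware:a17106a98940006529c714a3783eb03238c335a7
  - linuxkit/getty:06f34bce0facea79161566d67345c3ea49965437
  - nemunaire/monit:8806445ad766fd013f60d620361655f956eb634e
  # - nemunaire/iscsi-target:8872d1c5e0cefe3c36b60e873b8452aefb19d84d

onboot:
  - name: sysctl
    image: linuxkit/sysctl:e5959517fab7b44692ad63941eecf37486e73799
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro

  # Mount first drive to enable some persistence
  - name: mount
    image: linuxkit/mount:a8581e454f846690d09e2e7c6287d3c84ca53257
    command: ["/usr/bin/mountie", "-device", "/dev/sda", "/var/lib/adlin"]

  # Network: interface for login-validator
  - name: login-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;"
    net: new
    runtime:
      interfaces:
        - name: vethin-login
          add: veth
          peer: veth-login
      bindNS:
        net: /run/netns/login

  # Network: internet DMZ ###########################################
  # wg-manager
  - name: wg-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.33.251/24 dev vethin-wg; ip link set vethin-wg address 0e:f2:7e:10:58:69; ip link set vethin-wg up; ip route add default via 10.224.33.252; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;"
    net: new
    binds:
      # Both files are only read in this container (wg-quick without
      # SaveConfig, iptables-restore), so they are mounted read-only.
      - /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4:ro
      - /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf:ro
    runtime:
      interfaces:
        - name: vethin-wg
          add: veth
          peer: veth-wg
      bindNS:
        net: /run/netns/dmzi-wg

  # Network: services DMZ ###########################################
  # token-validator
  - name: validator-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;"
    net: new
    runtime:
      interfaces:
        - name: vethin-vldtr
          add: veth
          peer: veth-validator
      bindNS:
        net: /run/netns/dmz-validator

  # domain name
  - name: ns-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;"
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/dmz-ns

  # time server
  - name: time-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;"
    net: new
    runtime:
      interfaces:
        - name: vethin-time
          add: veth
          peer: veth-time
      bindNS:
        net: /run/netns/dmz-time

  # mail server
  - name: mail-iface-setup
    image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
    command:
      - "/bin/sh"
      - "-c"
      - "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;"
    net: new
    runtime:
      interfaces:
        - name: vethin-mail
          add: veth
          peer: veth-mail
      bindNS:
        net: /run/netns/dmz-mail

  # Network: exposed ################################################
  # See the etc/init.d/011-adlin-net entry under `files:` instead.

services:
  - name: rngd
    image: linuxkit/rngd:331294919ba6d953d261a2694019b659a98535a4

  # Runs in the host namespace; reachable on br-ext through the
  # `--dport 22` INPUT rule in etc/iptables/rules.v4.
  - name: sshd
    image: linuxkit/sshd:62036c2a279715d05e8298b9269a0659964f2619
    binds.add:
      - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
      - /var/lib/adlin:/var/lib/adlin

  # NOTE(review): unpinned floating tag, and `joebiellik` is not in the
  # `trust:` block below, so this image can change underneath the build
  # without any signature check. Pin it by digest once known.
  - name: dhcpd
    image: joebiellik/dhcpd
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
    binds:
      - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
      - /var/lib/adlin/dhcp:/var/lib/dhcp/
    runtime:
      mkdir:
        - /var/lib/adlin/dhcp

  # NOTE(review): `all` capabilities for a TFTP daemon is much wider than a
  # bind on udp/69 needs; narrow it once the image's actual requirements
  # (chroot, setuid) are confirmed.
  - name: tftpd
    image: nemunaire/tftpd:4fe95ed57b7eea7e5d6156ce069415b2e5f7f307
    capabilities:
      - all
    binds:
      - /srv/tftp:/srv/tftp:ro
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/bios/pxelinux.cfg
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
      - /var/lib/adlin/shadows:/srv/tftp/s

  - name: arp-spoofer
    image: nemunaire/adlin-arp-spoofer:7ba6db0a5707c58f735a9a272be341ba5fffc5bf
    command: ["/bin/arp-spoofer", "-iface=vethin-wg", "-ip-spoof=172.17.0.15"]
    net: /run/netns/dmzi-wg

  # Shares the `login` namespace with nginx-login, which proxies to :8081.
  - name: login-validator
    image: nemunaire/adlin-login-validator:7b6560b8ebf5d726ac1f2740621075dfb59b5e58
    # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
    command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"]
    # command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
    # command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
    net: /run/netns/login
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /var/lib/adlin/students:/data/:ro
      - /var/lib/adlin/pxelinux.cfg:/var/tftp/pxelinux.cfg
      - /var/lib/adlin/shadows:/var/tftp/shadows
      - /srv/solver.sh:/var/solver.sh:ro
      - /srv/tftp/challenge-initrd.img:/var/tftp/challenge-initrd.img:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
    runtime:
      mkdir:
        - /var/lib/adlin/students

  # NOTE(review): `nginx:stable-alpine` is a floating tag; it is covered by
  # `trust: org: library` but not reproducible — pin by digest if you need
  # rebuilds to be byte-identical. Same for nginx-gw and nginx-dmz.
  - name: nginx-login
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    net: /run/netns/login
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro

  # Host-namespace listener on 172.23.0.1:80 (see rules.v4 INPUT rule).
  - name: nginx-gw
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro

  - name: nginx-dmz
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    net: /run/netns/dmz-validator
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro

  # NOTE(review): `all` capabilities — this service only listens on :80 in
  # its own namespace; CAP_NET_BIND_SERVICE (plus CAP_NET_ADMIN if it drives
  # the wg0 interface) is probably sufficient. Confirm against the image.
  - name: wg
    image: nemunaire/wg-manager:13779ec800f6d19dbaf7f6df8547c0b13f17a2e3
    command: ["/bin/wg-manager", "-bind=:80"]
    capabilities:
      - all
    net: /run/netns/dmzi-wg
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro

  # NOTE(review): unbound normally only needs CAP_NET_BIND_SERVICE (and
  # CAP_SETUID/CAP_SETGID if it drops privileges); `all` is wider than needed.
  - name: ns
    image: nemunaire/unbound:22c723d1573625a77fe28eeb067ca0d1491f6742
    net: /run/netns/dmz-ns
    capabilities:
      - all
    binds:
      - /etc/unbound:/etc/unbound:ro

  - name: time
    image: nemunaire/chrony:cdcbb129ae520331e84a99c03850680fe0e4ea36
    command: ["/usr/sbin/chronyd", "-d"]
    net: /run/netns/dmz-time
    capabilities:
      - CAP_CHOWN
      - CAP_DAC_OVERRIDE
      - CAP_NET_BIND_SERVICE
      - CAP_SYS_TIME
      - CAP_SETUID
      - CAP_SETGID
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/chrony/chrony.conf:/etc/chrony/chrony.conf:ro

  # Outbound-only relay: local delivery is disabled and only the DMZ
  # subnet (172.23.200.0/24) may submit mail.
  - name: postfix
    image: nemunaire/postfix:e124ee4a989579997e4d73ac2346a132ff07be3c
    net: /run/netns/dmz-mail
    capabilities:
      - CAP_CHOWN
      - CAP_SYS_CHROOT
      - CAP_DAC_OVERRIDE
      - CAP_FOWNER
      - CAP_NET_BIND_SERVICE
      - CAP_SETGID
      - CAP_SETUID
    env:
      - POSTFIX_myhostname=adlin.nemunai.re
      - POSTFIX_mydestination=""
      - POSTFIX_local_transport="error:local mail delivery is disabled"
      - POSTFIX_mynetworks=172.23.200.0/24
      - POSTFIX_relay_domains=nemunai.re
      # Opportunistic TLS when relaying out; inbound submission from the DMZ
      # is cleartext (smtpd level "none"), which only the DMZ bridge can reach.
      - POSTFIX_smtp_tls_security_level=may
      - POSTFIX_smtpd_tls_security_level=none
      - POSTFIX_maillog_file=/dev/stdout
      - POSTFIX_transport_maps=texthash:/etc/postfix/transport
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /var/lib/adlin/postfix/mail:/var/mail
      - /var/lib/adlin/postfix/lib:/var/lib/postfix
      - /var/lib/adlin/postfix/spool:/var/spool/postfix
      - /etc/postfix/transport:/etc/postfix/transport
    runtime:
      mkdir:
        - /var/lib/adlin/postfix
        - /var/lib/adlin/postfix/mail
        - /var/lib/adlin/postfix/lib
        - /var/lib/adlin/postfix/spool

files:
  # Seeds the persistent disk with the TFTP boot menu and starts cron.
  # NOTE(review): the checked-in script read `cat < /var/spool/cron/crontabs/root`
  # followed by the crontab body and a bare `EOF`, which is not valid shell
  # (the crontab line would be executed, not written); restored as a heredoc.
  # The cron SECRET_KEY is baked into the image and visible to anyone with the
  # image or root on the host — consider reading it from /var/lib/adlin instead.
  - path: etc/init.d/011-copy-to-var
    contents: |
      #!/bin/sh
      mkdir -p /var/lib/adlin/shadows
      # NOTE(review): if /var/lib/adlin/pxelinux.cfg already exists (second
      # boot on the persistent disk) `cp -r` nests a copy inside it instead
      # of refreshing the files; left as is because overwriting could
      # clobber entries generated at runtime by login-validator.
      cp -r /srv/tftp/pxelinux.cfg /var/lib/adlin/
      # dhcpd's runtime.mkdir only runs when that service starts, so make
      # sure the directory exists before touching the leases file.
      mkdir -p /var/lib/adlin/dhcp
      touch /var/lib/adlin/dhcp/dhcpd.leases

      mkdir -p /var/spool/cron/crontabs
      cat <<EOF > /var/spool/cron/crontabs/root
      * * * * * SECRET_KEY=felixfixit /usr/sbin/ping-checker
      EOF
      /usr/sbin/crond
    mode: "0755"

  # Refreshes every per-student challenge initrd from the image copy, then
  # appends that student's shadow file when one exists.
  - path: etc/init.d/032-update-std-initrd
    contents: |
      #!/bin/sh
      for IRD in /var/lib/adlin/shadows/*/challenge-initrd.img
      do
        # An unmatched glob is passed through literally; skip it.
        [ -e "${IRD}" ] || continue
        cat "/srv/tftp/challenge-initrd.img" > "${IRD}"
        [ -f "${IRD%/challenge-initrd.img}/shadow" ] && cat "${IRD%/challenge-initrd.img}/shadow" >> "${IRD}"
      done
    mode: "0755"

  # Host resolves through the unbound instance in the dmz-ns namespace.
  - path: etc/init.d/021-nameserver
    contents: |
      #!/bin/sh
      echo nameserver 172.23.200.2 > /etc/resolv.conf
    mode: "0755"

  # Builds the two host bridges: br-int (services DMZ, 172.23.200.0/24) and
  # br-ext (uplink eth0 + login + wg peers) and loads the host firewall.
  # NOTE(review): the firewall is loaded last, after eth0 is up and routed,
  # so there is a short window with the default ACCEPT policy; loading
  # rules.v4 first is safe because iptables does not require the named
  # interfaces to exist yet.
  - path: etc/init.d/011-adlin-net
    contents: |
      #!/bin/sh
      ip l add br-int type bridge
      ip a add 172.23.200.254/24 dev br-int;
      ip link set veth-validator master br-int;
      ip link set veth-ns master br-int;
      ip link set veth-time master br-int;
      ip link set veth-mail master br-int;
      ip link set br-int up;
      ip link set veth-validator up;
      ip link set veth-ns up;
      ip link set veth-time up;
      ip link set veth-mail up;

      ip l add br-ext type bridge
      ip a add 172.23.255.1/24 dev br-ext;
      ip a add 10.224.33.252/24 dev br-ext;
      ip a add 172.23.0.1/17 dev br-ext;
      ip link set br-ext address 0e:f2:7e:10:58:68;
      ip link set eth0 master br-ext;
      ip link set veth-login master br-ext;
      ip link set veth-wg master br-ext;
      ip link set br-ext up;
      ip link set veth-login up;
      ip link set veth-wg up;
      ip link set eth0 up;

      # Pick the uplink from the kernel cmdline. Written as if/else rather
      # than `a && b || c` so a failing `ip route add` on the alt path does
      # not silently fall through to the other gateway.
      if grep -q adlin.network=alt /proc/cmdline; then
        ip route add default via 10.224.33.254
      else
        ip route add default via 10.224.33.1
      fi

      /sbin/iptables-restore < /etc/iptables/rules.v4;
    mode: "0755"

  - path: etc/sysctl.d/99-adlin-net.conf
    contents: |
      net.ipv4.ip_forward = 1
      net.ipv4.conf.all.arp_ignore = 2
      net.ipv6.conf.all.disable_ipv6 = 1
      net.netfilter.nf_log_all_netns = 1
    mode: "0644"

  - path: etc/sysctl.d/00-linuxkit.conf
    contents: |
      # from Alpine defaults
      net.ipv4.tcp_syncookies = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.ping_group_range=999 59999

      # general limits
      vm.max_map_count = 262144
      vm.overcommit_memory = 1
      net.core.somaxconn = 1024
      net.ipv4.neigh.default.gc_thresh1 = 80000
      net.ipv4.neigh.default.gc_thresh2 = 90000
      net.ipv4.neigh.default.gc_thresh3 = 100000
      fs.aio-max-nr = 1048576
      fs.inotify.max_user_watches = 524288
      fs.file-max = 524288

      # for rngd
      kernel.random.write_wakeup_threshold = 3072

      # security restrictions
      kernel.kptr_restrict = 2
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.conf.default.accept_source_route = 0
      net.ipv6.conf.all.accept_redirects = 0
      net.ipv6.conf.default.accept_redirects = 0
      kernel.dmesg_restrict = 1
      kernel.perf_event_paranoid = 3
      fs.protected_hardlinks = 1
      fs.protected_symlinks = 1

      # Prevent ebpf privilege escalation
      # see: https://lwn.net/Articles/742170
      kernel.unprivileged_bpf_disabled=1
    mode: "0644"

  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_ed25519.pub
    mode: "0400"

  # Host firewall. INPUT only admits ssh/dhcp/tftp and the 172.23.0.1:80
  # gateway from br-ext; everything else is logged then rejected.
  # NOTE(review): `-j LOG` without `-m limit` can flood the log under a
  # scan; consider `-m limit --limit 5/min` on both LOG rules.
  # NOTE(review): `172.23.0.0/12` has host bits set — iptables applies the
  # mask and it behaves as 172.16.0.0/12; write the canonical prefix if
  # that is the intent. The wg0 FORWARD rules appear to be leftovers, since
  # wg0 is created inside the dmzi-wg namespace, not on the host — verify.
  - path: etc/iptables/rules.v4
    contents: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/12 -j MASQUERADE
      COMMIT
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
      [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
      [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
      [0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.1 --dport 80 -j ACCEPT
      [0:0] -A INPUT -p udp --sport 7000 -j DROP
      [0:0] -A INPUT -p udp --dport 7000 -j DROP
      [0:0] -A INPUT -j LOG
      [0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
      [0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
      [0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
      [0:0] -A FORWARD -i br-int -j ACCEPT
      [0:0] -A FORWARD -o br-int -j ACCEPT
      [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
      [0:0] -A FORWARD -i br-ext -p icmp -s 172.17.0.0/16 -d 172.17.0.15 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -p icmp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 80 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -p tcp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -p udp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -p icmp -s 10.224.33.251 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p icmp -d 10.224.33.251 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -p tcp -s 10.224.33.251 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p tcp -d 10.224.33.251 -j ACCEPT
      [0:0] -A FORWARD -j LOG
      [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
      COMMIT
    mode: "0440"

  # DMZ resolver. NOTE(review): `domain-insecure: "."` together with
  # `val-permissive-mode: yes` means DNSSEC is never enforced even though a
  # trust anchor is configured; answers from the 8.8.8.8 forwarder are
  # accepted as-is. Drop both lines if validation is wanted.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 10.224.0.0/16 allow
        access-control: 172.23.0.0/16 allow
        log-queries: yes
        log-replies: yes
        use-syslog: no
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
        local-zone: "adlin.nemunai.re" typetransparent
        local-data: "adlin.nemunai.re TXT 8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d"
        local-data: "auth.adlin.nemunai.re A 172.23.255.2"
        local-data: "wg.adlin.nemunai.re A 172.17.0.15"
      remote-control:
        control-enable: no
      forward-zone:
        name: "."
        forward-addr: 8.8.8.8
    mode: "0440"

  - path: etc/nginx/ssl/fullchain.pem
    source: ssl/fullchain.pem
    mode: "0644"
  # Private keys are read by the nginx master (root) through a read-only
  # bind, so they do not need to be world-readable in the image.
  - path: etc/nginx/ssl/privkey.pem
    source: ssl/privkey.pem
    mode: "0400"
  - path: etc/nginx/ssl/ec_cert.pem
    source: pkg/challenge/ssl/ec_cert.pem
    mode: "0644"
  - path: etc/nginx/ssl/ec_key.pem
    source: pkg/challenge/ssl/ec_key.pem
    mode: "0400"

  # Host-side gateway: only /iamalive and /api/students/ are proxied to the
  # upstream; everything else is 403.
  # NOTE(review): `proxy_ssl_verify` is off by default, so the upstream
  # certificate is not checked even though `proxy_ssl_name` is set. With the
  # CA bundle bound into the container, `proxy_ssl_verify on;` plus
  # `proxy_ssl_trusted_certificate` pointing at that bundle would pin it;
  # confirm the bundle path inside the image first. Same applies to
  # nginx-dmz.conf below.
  # NOTE(review): the log_format in the checked-in text had no separators
  # between `"$request"`, `$status` and the two trailing fields; restored
  # to the standard nginx `main` format so access logs parse cleanly.
  - path: etc/nginx/nginx-gw.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        resolver 9.9.9.9;

        server {
          listen 172.23.0.1:80 default;

          location = / {
            return 403;
          }

          location /iamalive {
            proxy_pass https://82.64.31.248/challenge;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.0.1;
            proxy_redirect off;
          }

          location /api/students/ {
            proxy_pass https://82.64.31.248;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.0.1;
            proxy_redirect off;
          }
        }
      }
    mode: "0440"

  # Login front-end in the `login` namespace; TLS terminates here and
  # /login, /passwd, /logout go to login-validator on localhost:8081.
  # NOTE(review): `ssl_protocols TLSv1.2;` excludes TLS 1.3; the
  # stable-alpine image supports it, so `TLSv1.2 TLSv1.3` is a safe widening.
  - path: etc/nginx/nginx-login.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        server {
          listen 443 default ssl;
          listen [::]:443 default ssl;

          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;

          ssl_certificate /etc/nginx/ssl/fullchain.pem;
          ssl_certificate_key /etc/nginx/ssl/privkey.pem;

          location = / {
            return https://adlin.nemunai.re/;
          }

          location /login {
            proxy_pass http://localhost:8081;
            proxy_set_header X-Forwarded-For $remote_addr;
          }

          location /passwd {
            proxy_pass http://localhost:8081;
            proxy_set_header X-Forwarded-For $remote_addr;
          }

          location /logout {
            proxy_pass http://localhost:8081;
            proxy_set_header X-Forwarded-For $remote_addr;
          }
        }
      }
    mode: "0440"

  # DMZ front-end (dmz-validator namespace): plain :80, a default :443 on
  # the challenge EC certificate, and a :443 vhost for adlin.nemunai.re.
  # NOTE(review): the checked-in text had `default_type applicationøctet-stream;`
  # (mis-encoded); corrected to `application/octet-stream`.
  - path: etc/nginx/nginx-dmz.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        resolver 9.9.9.9;

        server {
          listen 80 default;
          listen [::]:80 default;

          location = / {
            return https://adlin.nemunai.re/;
          }

          location /challenge {
            proxy_pass https://82.64.31.248/challenge;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /toctoc {
            proxy_pass https://82.64.31.248/toctoc;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /echorequest {
            proxy_pass https://82.64.31.248/echorequest;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /testdisk {
            proxy_pass https://82.64.31.248/testdisk;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /sshkeys {
            return https://adlin.nemunai.re/sshkeys;
          }
        }

        server {
          listen 443 default ssl;
          listen [::]:443 default ssl;

          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;

          ssl_certificate /etc/nginx/ssl/ec_cert.pem;
          ssl_certificate_key /etc/nginx/ssl/ec_key.pem;

          location = / {
            return https://adlin.nemunai.re/;
          }

          location /challenge {
            proxy_pass https://82.64.31.248/challenge;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /toctoc {
            proxy_pass https://82.64.31.248/toctoc;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /echorequest {
            proxy_pass https://82.64.31.248/echorequest;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /testdisk {
            proxy_pass https://82.64.31.248/testdisk;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /sshkeys {
            proxy_pass https://82.64.31.248/sshkeys;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /api/students {
            proxy_pass https://82.64.31.248;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }
        }

        server {
          listen 443 ssl;
          listen [::]:443 ssl;

          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;

          ssl_certificate /etc/nginx/ssl/fullchain.pem;
          ssl_certificate_key /etc/nginx/ssl/privkey.pem;

          server_name adlin.nemunai.re;

          location = / {
            return https://adlin.nemunai.re/;
          }

          location /challenge {
            proxy_pass https://82.64.31.248/challenge;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /echorequest {
            proxy_pass https://82.64.31.248/echorequest;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /testdisk {
            proxy_pass https://82.64.31.248/testdisk;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /sshkeys {
            proxy_pass https://82.64.31.248/sshkeys;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /api/students {
            proxy_pass https://82.64.31.248;
            proxy_ssl_server_name on;
            proxy_ssl_name adlin.nemunai.re;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }
        }
      }
    mode: "0440"

  # PXE pool on 172.23.255.0/24 (next-server is br-ext's 172.23.255.1) and a
  # plain client pool on 172.23.128.0/18 routed through the wg address.
  - path: etc/dhcp/dhcpd.conf
    contents: |
      authoritative;
      default-lease-time 7200;
      max-lease-time 7200;
      option client-arch code 93 = unsigned integer 16;

      subnet 172.23.255.0 netmask 255.255.255.0 {
        range 172.23.255.10 172.23.255.254;
        option subnet-mask 255.255.255.0;
        option broadcast-address 172.23.255.255;
        next-server 172.23.255.1;
        if option client-arch != 00:00 {
          filename "ipxe.efi";
        } else {
          filename "bios/pxelinux.0";
        }
      }

      subnet 172.23.128.0 netmask 255.255.192.0 {
        range 172.23.128.10 172.23.191.250;
        option routers 172.23.191.254;
        option subnet-mask 255.255.192.0;
        option broadcast-address 172.23.191.255;
      }
    mode: "0440"

  - path: etc/postfix/transport
    contents: |
      nemunai.re smtp:[82.64.31.248]
      oupaout.ra.nemunai.re smtp:[82.64.151.41]
    mode: "0440"

  # NOTE(review): openntpd-style config, but the `time` service runs chrony
  # with etc/chrony/chrony.conf; this file looks unused — verify and drop.
  - path: etc/ntpd.conf
    contents: |
      listen on *
      #server 10.224.4.2
      server 51.15.180.229
      server 51.75.141.62
      server 193.200.43.105
      #servers fr.pool.ntp.org
    mode: "0440"

  - path: etc/chrony/chrony.conf
    contents: |
      server 51.15.180.229 iburst
      server 51.75.141.62 iburst
      server 193.200.43.105 iburst
      pool fr.pool.ntp.org iburst

      # Record the rate at which the system clock gains/losses time.
      driftfile /var/lib/chrony/drift

      # In first three updates step the system clock instead of slew
      # if the adjustment is larger than 1 second.
      makestep 10 3

      # Allow synchronization of clients even if the server is not sync itself
      local stratum 8
      allow all
    mode: "0440"

  # NOTE(review): the WireGuard private key is committed inline in this spec.
  # Anyone with the repository or the built image holds the tunnel identity;
  # rotate it and pull the config in with `source:` from a file kept out of
  # version control. Mode tightened to root-only since only wg-quick (root,
  # read-only bind) reads it.
  - path: etc/wireguard/wg0.conf
    contents: |
      [Interface]
      PrivateKey = SCGCKDuTm4PMOw+LXdK/2s8mxnv145QHOohKRq3vc2A=
      ListenPort = 12912
      Address = 172.23.191.254/18
    mode: "0400"

  # Firewall inside the dmzi-wg namespace: only forwards between wg0 and
  # the veth, masquerading anything leaving towards non-172.17/16 hosts.
  - path: etc/iptables/rules-wg.v4
    contents: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      [0:0] -A POSTROUTING -o vethin-wg ! -d 172.17.0.0/16 -j MASQUERADE
      COMMIT
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      [0:0] -A FORWARD -i wg0 -o vethin-wg -j ACCEPT
      [0:0] -A FORWARD -o wg0 -i vethin-wg -j ACCEPT
      [0:0] -A FORWARD -j LOG
      [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
      COMMIT
    mode: "0440"

  - path: srv/tftp
    directory: true
    mode: "0755"
  - path: srv/tftp/s
    directory: true
    mode: "0755"
  - path: srv/tftp/bios/ldlinux.c32
    source: /usr/share/syslinux/ldlinux.c32
    mode: "0644"
  - path: srv/tftp/bios/libcom32.c32
    source: /usr/share/syslinux/libcom32.c32
    mode: "0644"
  - path: srv/tftp/bios/libutil.c32
    source: /usr/share/syslinux/libutil.c32
    mode: "0644"
  - path: srv/tftp/bios/menu.c32
    source: /usr/share/syslinux/menu.c32
    mode: "0644"
  - path: srv/tftp/bios/poweroff.c32
    source: /usr/share/syslinux/poweroff.c32
    mode: "0644"
  - path: srv/tftp/bios/pxelinux.0
    source: /usr/share/syslinux/pxelinux.0
    mode: "0644"
  - path: srv/tftp/bios/vesamenu.c32
    source: /usr/share/syslinux/vesamenu.c32
    mode: "0644"
  - path: srv/tftp/bios/pxelinux.cfg
    directory: true
    mode: "0755"
  - path: srv/tftp/pxelinux.cfg/default
    source: tftp/pxelinux.cfg/default
    mode: "0644"
  - path: srv/tftp/pxelinux.cfg/tpl
    source: tftp/pxelinux.cfg/tpl
    mode: "0644"
  - path: srv/tftp/pxelinux.cfg/tpl.ipxe
    source: tftp/pxelinux.cfg/tpl.ipxe
    mode: "0644"
  - path: srv/tftp/ipxe.efi
    source: tftp/ipxe.efi
    mode: "0644"
  - path: usr/sbin/ping-checker
    source: ping-checker.sh
    mode: "0755"
  - path: srv/solver.sh
    source: solver.sh
    mode: "0755"
  - path: srv/tftp/bzImage
    source: /var/tftp/adlin/bzImage
    mode: "0644"
  - path: srv/tftp/login-initrd.img
    source: login-initrd.img
    mode: "0644"
  - path: srv/tftp/challenge-initrd.img
    source: challenge-initrd.img
    mode: "0644"

  # Operator convenience: pre-seeded shell history for the root console.
  - path: root/.ash_history
    contents: |
      tail -f /var/log/login-validator.log
      ln -sf nemunaire.csv /var/lib/adlin/students/students.csv
      ln -sf students2025.csv students.csv
      pkill -HUP login-validator
      cd /var/lib/adlin
    mode: "0640"

# Content-trust orgs; images outside these (e.g. nemunaire/*, joebiellik/*)
# are not signature-checked and rely on the pinned digests above.
trust:
  org:
    - linuxkit
    - library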