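# LinuxKit image definition for the ADLIN "TP3" lab VM.
#
# Layout: an OpenWrt-based router container (mainrouter), four simulated
# workstations (wks-*) and a set of "server" containers (ns, ns-auth, db,
# matrix, miniflux, web), each confined to a network namespace that
# etc/init.d/011-tuto-net creates and wires together with veth pairs,
# VLANs and two bridges (brsrv, brwks). Persistent state lives on /dev/sda1,
# mounted at /var/lib/adlin (token, WireGuard config, router /etc, DB data).
#
# NOTE(review): this copy had been collapsed onto a handful of lines; the
# layout below is reconstructed from the tokens, and two shell heredocs in
# etc/init.d/014-default-router-config and in the commented-out
# etc/init.d/021-correction entry are missing their bodies (see the notes
# next to them). Restore those from the original source before building.
kernel:
  image: linuxkit/kernel:5.15.110
  # NOTE(review): the commented-out cmdline below embeds an adlin.token value;
  # if that is a real enrolment token it should not be committed, even as a
  # comment.
  # cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
  cmdline: "console=tty0"
init:
  - linuxkit/init:14df799bb3b9e0eb0491da9fda7f32a108a2e2a5
  - linuxkit/runc:436357ce16dd663e24f595bcec26d5ae476c998e
  - linuxkit/containerd:eeb3aaf497c0b3f6c67f3a245d61ea5a568ca718
  - linuxkit/ca-certificates:4de36e93dc87f7ccebd20db616ed10d381911d32
  - linuxkit/getty:06f34bce0facea79161566d67345c3ea49965437
onboot:
  # Persistent state disk: formatted on first boot, mounted at /var/lib/adlin.
  - name: format
    image: linuxkit/format:9c40b556691c1bf47394603aeb2dbdba21e7e32e
    command: ["/usr/bin/format", "/dev/sda"]
  - name: mount
    image: linuxkit/mount:a8581e454f846690d09e2e7c6287d3c84ca53257
    command: ["/usr/bin/mountie", "/dev/sda1", "/var/lib/adlin"]
  # Applies etc/sysctl.d/adlin.conf (defined under files:).
  - name: sysctl
    image: linuxkit/sysctl:e5959517fab7b44692ad63941eecf37486e73799
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro
  - name: rngd1
    image: linuxkit/rngd:331294919ba6d953d261a2694019b659a98535a4
    command: ["/sbin/rngd", "-1"]
  # Network: external
  # One-shot DHCP on eth0; the resulting namespace is bind-mounted at
  # /run/netns/router and later adopted by the mainrouter service.
  - name: dhcpcd
    image: linuxkit/dhcpcd:2a8ed08fea442909ba10f950d458191ed3647115
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1", "eth0"]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/router
services:
  # --- Simulated workstations -------------------------------------------
  # Each dhcpcd-wks-* service owns a fresh net/uts namespace (bind-mounted
  # under /run/netns and /run/utsns so sshd-* and minichecker-* can join it)
  # and writes its resolv.conf to a per-workstation file on the state disk.
  - name: dhcpcd-wks-dg1
    image: linuxkit/dhcpcd:2a8ed08fea442909ba10f950d458191ed3647115
    hostname: wks-dg1
    net: new
    pid: new
    ipc: new
    uts: new
    runtime:
      interfaces:
        - name: ethwks-dg1
      bindNS:
        net: /run/netns/wks-dg1
        uts: /run/utsns/wks-dg1
    binds:
      - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
  # wks-rh1 additionally receives eth1 (a second physical NIC, if attached).
  - name: dhcpcd-wks-rh1
    image: linuxkit/dhcpcd:2a8ed08fea442909ba10f950d458191ed3647115
    hostname: wks-rh1
    net: new
    pid: new
    ipc: new
    uts: new
    runtime:
      interfaces:
        - name: eth1
        - name: ethwks-rh1
      bindNS:
        net: /run/netns/wks-rh1
        uts: /run/utsns/wks-rh1
    binds:
      - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf
  - name: dhcpcd-wks-rh2
    image: linuxkit/dhcpcd:2a8ed08fea442909ba10f950d458191ed3647115
    hostname: wks-rh2
    net: new
    pid: new
    ipc: new
    uts: new
    runtime:
      interfaces:
        - name: ethwks-rh2
      bindNS:
        net: /run/netns/wks-rh2
        uts: /run/utsns/wks-rh2
    binds:
      - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
  - name: dhcpcd-wks-cm1
    image: linuxkit/dhcpcd:2a8ed08fea442909ba10f950d458191ed3647115
    hostname: wks-cm1
    net: new
    pid: new
    ipc: new
    uts: new
    runtime:
      interfaces:
        - name: ethwks-cm1
      bindNS:
        net: /run/netns/wks-cm1
        uts: /run/utsns/wks-cm1
    binds:
      - /var/lib/adlin/wks-cm1resolv.conf:/etc/resolv.conf
  # SSH access to two of the workstations. Both share one sshd_config and a
  # static passwd/shadow pair (etc/wpasswd, etc/wshadow below), so the root
  # password hash is baked into the image rather than provisioned per VM.
  - name: sshd-wks-dg1
    image: linuxkit/sshd:62036c2a279715d05e8298b9269a0659964f2619
    net: /run/netns/wks-dg1
    uts: /run/utsns/wks-dg1
    pid: new
    ipc: new
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow
      - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
  - name: sshd-wks-rh1
    image: linuxkit/sshd:62036c2a279715d05e8298b9269a0659964f2619
    net: /run/netns/wks-rh1
    uts: /run/utsns/wks-rh1
    pid: new
    ipc: new
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow
      - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf
  # --- Router --------------------------------------------------------------
  # Runs a full OpenWrt init as root with every capability and a writable
  # cgroup mount; its whole /etc is persisted on the state disk so student
  # changes survive reboots. This is a lab appliance: the same settings would
  # be unacceptable for a production container.
  - name: mainrouter
    image: nemunaire/router-tuto3:ad91a16906567e1dcf90b39519691bea16954053
    net: /run/netns/router
    pid: new
    ipc: new
    uts: new
    hostname: router
    command: ["/sbin/init"]
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /var/lib/adlin/wrt-etc:/etc
      - /var/lib/adlin/wireguard/ansible.fact:/etc/ansible/facts.d/maatma.fact
      - /etc/rinittab:/etc/inittab
      - /etc/hosts:/etc/hosts:ro
      - /etc/dresolv.conf:/etc/resolv.conf
      - /etc/rsysctl.conf:/etc/sysctl.d/10-default.conf:ro
      - /lib/preinit/20_check_iso:/lib/preinit/20_check_iso
      - /lib/preinit/30_failsafe_wait:/lib/preinit/30_failsafe_wait
      - /lib/preinit/99_10_failsafe_login:/lib/preinit/99_10_failsafe_login
  # --- Servers (172.23.42.0/24, see etc/hosts) -------------------------------
  - name: matrix
    image: nemunaire/tinydeb:642bb2fd0ed04a0f72ff21096c7aa656cce5d34f
    net: /run/netns/chat
    pid: new
    ipc: new
    uts: new
    hostname: matrixsrv
    command: ["/sbin/init"]
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /etc/dresolv.conf:/etc/resolv.conf
  # Recursive resolver (unbound, config in etc/unbound/unbound.conf below).
  - name: ns-resolv
    image: nemunaire/resolver:37943d61abe99963ca57666576af76461add2948
    net: /run/netns/ns
    pid: new
    ipc: new
    uts: new
    hostname: resolvsrv
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /etc/network:/etc/network:ro
      - /etc/unbound:/etc/unbound:ro
      - /etc/services:/etc/services:ro
  # Authoritative DNS (nsd). The image's /etc/nsd is persisted on the state
  # disk; the sample config from etc/nsd/ is exposed read-only as
  # /etc/nsd.sample.
  - name: ns-auth
    image: docker.io/nemunaire/nsd:37be535f826c14608bff17e2ab0688df526282c0
    net: /run/netns/ns-auth
    pid: new
    ipc: new
    uts: new
    hostname: nsauthsrv
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /var/lib/adlin/nsd:/etc/nsd:rw
      - /var/lib/adlin/nsd-db:/var/db/nsd:rw
      - /etc/nsd:/etc/nsd.sample:ro
      - /etc/network:/etc/network:ro
      - /etc/services:/etc/services:ro
      - /etc/dresolv.conf:/etc/resolv.conf
    runtime:
      mkdir:
        - /var/lib/adlin/nsd
        - /var/lib/adlin/nsd-db
  # PostgreSQL. Credentials are fixed and committed here; the same password
  # is repeated in /initdb/*.sql and in the miniflux DATABASE_URL below, so a
  # rotation has to touch all of them. Acceptable for an isolated lab image
  # only.
  - name: db
    image: postgres:10-alpine
    net: /run/netns/db
    pid: new
    ipc: new
    uts: new
    hostname: db
    capabilities:
      - all
    env:
      - LANG=en_US.utf8
      # A plain YAML scalar keeps surrounding double quotes as part of the
      # value, so PATH was previously exported with literal quotes in its
      # first and last entries; the value is now unquoted.
      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
      - PGDATA=/var/lib/postgresql/data
      - POSTGRES_PASSWORD=adlin2024
    binds:
      - /etc/services:/etc/services:ro
      - /initdb/:/docker-entrypoint-initdb.d/:ro
      - /var/lib/adlin/postgres:/var/lib/postgresql/data
    runtime:
      mkdir:
        - /var/lib/adlin/postgres
  # - name: chat
  #   image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty
  #   net: /run/netns/chat
  #   capabilities:
  #     - all
  #   command: ["/entrypoint.sh", "/mattermost/bin/platform"]
  #   env:
  #     - MM_USERNAME=mattermost
  #     - MM_DBNAME=mattermost
  #     - MM_PASSWORD=adlin2024
  #   binds:
  #     - /etc/services:/etc/services:ro
  #     - /etc/hosts:/etc/hosts:ro
  # Feed reader. NOTE(review): this is the only image referenced by a
  # floating tag (latest) rather than a pinned digest/tag, so the build is
  # not reproducible and picks up whatever upstream publishes. The fixed
  # "sleep 10" is a best-effort wait for the db service, not a readiness
  # check.
  - name: miniflux
    image: miniflux/miniflux:latest
    net: /run/netns/ttrss
    uts: new
    pid: new
    ipc: new
    hostname: miniflux
    capabilities:
      - all
    command: ["/bin/sh", "-c", "sleep 10; /usr/bin/miniflux"]
    env:
      - DATABASE_URL=postgres://miniflux:adlin2024@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=adeline
      - ADMIN_PASSWORD=adlin2024
      - LISTEN_ADDR=0.0.0.0:8080
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /etc/dresolv.conf:/etc/resolv.conf
      - /etc/services:/etc/services:ro
  - name: web
    image: nemunaire/tinydeb:642bb2fd0ed04a0f72ff21096c7aa656cce5d34f
    net: /run/netns/web
    pid: new
    ipc: new
    uts: new
    hostname: vitrine
    command: ["/sbin/init"]
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
      - /etc/dresolv.conf:/etc/resolv.conf
  # Workstation testers
  # Each checker joins a workstation namespace and reports to the target.
  # NOTE(review): the three entries differ in their binds (rh2 has no
  # hosts-minichecker, cm1 has no resolv.conf); confirm that is intended.
  # They also mount /var/lib/adlin/wireguard/ read-only, which holds the
  # enrolment token and the tunnel private key written by join-maatma and
  # 014-default-router-config.
  - name: minichecker-wks-rh2
    image: nemunaire/minichecker:58a22accfab97d6c9bcabfc03c66904ebc6e5cf6
    net: /run/netns/wks-rh2
    pid: new
    ipc: new
    uts: /run/utsns/wks-rh2
    command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
    binds:
      - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
      - /var/lib/adlin/wireguard/:/etc/wireguard/:ro
  - name: minichecker-wks-dg1
    image: nemunaire/minichecker:58a22accfab97d6c9bcabfc03c66904ebc6e5cf6
    net: /run/netns/wks-dg1
    pid: new
    ipc: new
    uts: /run/utsns/wks-dg1
    command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
    binds:
      - /etc/hosts-minichecker:/etc/hosts:ro
      - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
      - /var/lib/adlin/wireguard/:/etc/wireguard/:ro
  - name: minichecker-wks-cm1
    image: nemunaire/minichecker:58a22accfab97d6c9bcabfc03c66904ebc6e5cf6
    net: /run/netns/wks-cm1
    pid: new
    ipc: new
    uts: /run/utsns/wks-cm1
    command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
    binds:
      - /etc/hosts-minichecker:/etc/hosts:ro
      - /var/lib/adlin/wireguard/:/etc/wireguard/:ro
files:
  # Static name table for the host and for containers that bind it read-only.
  - path: etc/hosts
    contents: |
      127.0.0.1 localhost
      ::1 localhost
      172.23.42.2 ns
      172.23.42.3 ns-auth
      172.23.42.4 db
      172.23.42.5 matrix
      172.23.42.6 news
      172.23.42.7 web
      82.64.31.248 adlin.nemunai.re
    mode: "0444"
  # Identical to etc/hosts; kept separate so the checkers can diverge later.
  - path: etc/hosts-minichecker
    contents: |
      127.0.0.1 localhost
      ::1 localhost
      172.23.42.2 ns
      172.23.42.3 ns-auth
      172.23.42.4 db
      172.23.42.5 matrix
      172.23.42.6 news
      172.23.42.7 web
      82.64.31.248 adlin.nemunai.re
    mode: "0444"
  # Makes netfilter logging visible from every network namespace (the
  # workstations and servers above each live in their own).
  - path: etc/sysctl.d/adlin.conf
    contents: |
      net.netfilter.nf_log_all_netns=1
    mode: "0444"
  - path: usr/bin/ask.sh
    source: pkg/wg/ask.sh
    mode: "0755"
  - path: /root/feeds.opml
    source: feeds.opml
    mode: "0444"
  # NOTE(review): the sshd_config used by the sshd-wks-* services is sourced
  # from pkg/nsd/, which looks misplaced; verify it is the intended file.
  - path: etc/ssh/sshd_config
    source: pkg/nsd/sshd_config
    mode: "0644"
  # Flush the router's firewall from the host (enters procd's namespaces).
  - path: /usr/bin/reset-router-firewall
    contents: |
      #!/bin/sh
      PS=$(pgrep procd | head -1)
      nsenter -t "${PS}" -a -- iptables -F
      nsenter -t "${PS}" -a -- iptables -P INPUT ACCEPT
      nsenter -t "${PS}" -a -- iptables -P FORWARD ACCEPT
      nsenter -t "${PS}" -a -- iptables -P OUTPUT ACCEPT
      nsenter -t "${PS}" -a -- iptables -t nat -F
    mode: "0755"
  # Host-side wrapper running wg inside the router network namespace.
  # "$@" (quoted) forwards every argument unchanged; the unquoted form
  # re-split arguments containing whitespace.
  - path: /usr/sbin/wg
    contents: |
      #!/bin/sh
      nsenter -n/run/netns/router -- /usr/bin/wg "$@"
    mode: "0755"
  # Executed once by the postgres entrypoint on an empty data directory.
  # POSTGRES_USER is not set in the db service env, so the entrypoint's own
  # default applies (not verifiable from this file).
  - path: /initdb/init-miniflux.sh
    contents: |
      #!/bin/sh
      set -e
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
      CREATE USER miniflux WITH PASSWORD 'adlin2024';
      CREATE DATABASE miniflux;
      GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
      EOSQL
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname miniflux <<-EOSQL
      CREATE EXTENSION hstore;
      EOSQL
    mode: "0555"
  - path: /initdb/init-matrix.sql
    contents: |
      CREATE USER matrix WITH PASSWORD 'adlin2024';
      CREATE DATABASE matrix ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER matrix;
      GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
    mode: "0444"
  - path: /initdb/init-website.sql
    contents: |
      CREATE USER website WITH PASSWORD 'adlin2024';
      CREATE DATABASE website ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER website;
      GRANT ALL PRIVILEGES ON DATABASE website TO website;
    mode: "0444"
  # Recreates the per-workstation resolv.conf files empty at every boot so
  # the bind mounts declared in the services above have a target.
  - path: etc/init.d/011-init-disk
    contents: |
      #!/bin/sh
      mkdir -p /var/lib/adlin/
      rm -rf /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
      touch /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
    mode: "0755"
  # Builds the lab topology: veth pairs into the router namespace, one
  # namespace per server (172.23.42.x, plus an IPv6 address derived from the
  # MyIPv6= line of adlin.conf when present), the server bridge brsrv and the
  # workstation bridge brwks carrying VLANs 10/11/12.
  - path: etc/init.d/011-tuto-net
    contents: |
      #!/bin/sh
      mkdir -p /var/lib/adlin/wireguard/
      nsenter -n/run/netns/router -- /usr/bin/ask.sh
      # Network: workstations
      ip link add ethwks type veth peer name veth-wks
      ip link set ethwks netns router
      #ip link set ethwks up
      #ip netns exec router ip a add 192.168.6.254/24 dev ethwks
      #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
      # ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks
      # Network: servers
      ip link add ethsrv type veth peer name veth-srv
      ip link set ethsrv netns router
      #ip netns exec router ip link set ethsrv up
      #ip netns exec router ip a add 172.23.42.1/24 dev ethsrv
      #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
      # ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv
      ip netns add ns
      ip link add vethin-ns type veth peer name veth-ns
      ip link set vethin-ns netns ns
      ip netns exec ns ip link set vethin-ns up
      ip netns exec ns ip a add 172.23.42.2/24 dev vethin-ns
      ip netns exec ns ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec ns ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:2/96#") dev vethin-ns
          ip netns exec ns ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      ip netns add ns-auth
      ip link add vethin-nsauth type veth peer name veth-nsauth
      ip link set vethin-nsauth netns ns-auth
      ip netns exec ns-auth ip link set lo up
      ip netns exec ns-auth ip link set vethin-nsauth up
      ip netns exec ns-auth ip a add 172.23.42.3/24 dev vethin-nsauth
      ip netns exec ns-auth ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec ns-auth ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:3/96#") dev vethin-nsauth
          ip netns exec ns-auth ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      ip netns add db
      ip link add vethin-db type veth peer name veth-db
      ip link set vethin-db netns db
      ip netns exec db ip link set vethin-db up
      ip netns exec db ip a add 172.23.42.4/24 dev vethin-db
      ip netns exec db ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec db ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:4/96#") dev vethin-db
          ip netns exec db ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      ip netns add chat
      ip link add vethin-chat type veth peer name veth-chat
      ip link set vethin-chat netns chat
      ip netns exec chat ip link set vethin-chat up
      ip netns exec chat ip a add 172.23.42.5/24 dev vethin-chat
      ip netns exec chat ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec chat ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:5/96#") dev vethin-chat
          ip netns exec chat ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      ip netns add ttrss
      ip link add vethin-ttrss type veth peer name veth-ttrss
      ip link set vethin-ttrss netns ttrss
      ip netns exec ttrss ip link set vethin-ttrss up
      ip netns exec ttrss ip a add 172.23.42.6/24 dev vethin-ttrss
      ip netns exec ttrss ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec ttrss ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:6/96#") dev vethin-ttrss
          ip netns exec ttrss ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      ip netns add web
      ip link add vethin-web type veth peer name veth-web
      ip link set vethin-web netns web
      ip netns exec web ip link set vethin-web up
      ip netns exec web ip a add 172.23.42.7/24 dev vethin-web
      ip netns exec web ip route add default via 172.23.42.1
      grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null && {
          ip netns exec web ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:7/96#") dev vethin-web
          ip netns exec web ip route add default via $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1#")
      }
      # Network: bridges
      ip l add brsrv type bridge
      ip link set veth-srv master brsrv
      ip link set veth-ns master brsrv
      ip link set veth-nsauth master brsrv
      ip link set veth-db master brsrv
      ip link set veth-chat master brsrv
      ip link set veth-ttrss master brsrv
      ip link set veth-web master brsrv
      ip link set veth-srv up
      ip link set veth-ns up
      ip link set veth-nsauth up
      ip link set veth-db up
      ip link set veth-chat up
      ip link set veth-ttrss up
      ip link set veth-web up
      ip link set brsrv up
      ip l add brwks type bridge
      ip link add veth-wks1 type veth peer name ethwks1
      ip link add link ethwks1 name ethwks-dg1 type vlan id 10
      ip link add veth-wks2 type veth peer name ethwks2
      ip link add link ethwks2 name ethwks-rh1 type vlan id 11
      ip link add veth-wks3 type veth peer name ethwks3
      ip link add link ethwks3 name ethwks-rh2 type vlan id 11
      ip link add veth-wks4 type veth peer name ethwks4
      ip link add link ethwks4 name ethwks-cm1 type vlan id 12
      ip link set veth-wks master brwks
      ip link set veth-wks1 master brwks
      ip link set veth-wks2 master brwks
      ip link set veth-wks3 master brwks
      ip link set veth-wks4 master brwks
      ip link set veth-wks up
      ip link set veth-wks1 up
      ip link set veth-wks2 up
      ip link set veth-wks3 up
      ip link set veth-wks4 up
      ip link set ethwks1 up
      ip link set ethwks2 up
      ip link set ethwks3 up
      ip link set ethwks4 up
      ip link set brwks up
      ip l | grep eth2 > /dev/null && {
          ip link set eth2 up
          ip link set eth2 master brwks
      }
    mode: "0755"
  # NOTE(review): at every boot this downloads a script over HTTPS and pipes
  # it straight into a root shell inside the router namespace. Integrity
  # rests entirely on the TLS connection to adlin.nemunai.re (no checksum or
  # signature is checked), and -q hides download failures. If the fix
  # mechanism is kept, prefer fetching to a file, verifying it against a
  # published digest/signature, then executing it.
  - path: etc/init.d/012-dl-fixes
    contents: |
      #!/bin/sh
      ip netns exec router wget -q -O - --header "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm | sh
    mode: "0755"
  # First-boot seeding of the router's /etc from the image, then generation
  # of the network/firewall UCI config and the WireGuard ansible fact.
  - path: etc/init.d/014-default-router-config
    contents: |
      #!/bin/sh
      [ -d /var/lib/adlin/wrt-etc ] || {
          mkdir -p /var/lib/adlin/wrt-etc
          cp -r /containers/services/mainrouter/lower/etc/* /var/lib/adlin/wrt-etc/
          # Configured by students
          rm -f /var/lib/adlin/wrt-etc/config/firewall
          touch /var/lib/adlin/wrt-etc/config/firewall
          # Avoid listening on IPv6
          sed -r -i '/list\s+listen_http\s+\[::\]:80/d;/list\s+listen_https\s+\[::\]:443/d' /var/lib/adlin/wrt-etc/config/uhttpd
          rm /var/lib/adlin/wrt-etc/config/network
      }
      # Configure networking
      # NOTE(review): the heredoc bodies of the commands on the next line are
      # missing from this copy (everything between the first redirection and
      # the final "EOF" terminator was lost when the file was flattened). The
      # surviving tokens are kept verbatim; restore the original heredocs,
      # including where TUNPVKEY/TUNIP/SRVIP/WKSIP are set, before use.
      [ -f /var/lib/adlin/wrt-etc/config/network ] || cat > /var/lib/adlin/wrt-etc/config/network <> /var/lib/adlin/wrt-etc/config/firewall <> /var/lib/adlin/wrt-etc/config/network < /var/lib/adlin/wireguard/ansible.fact
      [tun]
      pvkey=${TUNPVKEY}
      ip6=${TUNIP}
      srvip6=${SRVIP}
      wksip6=${WKSIP}
      EOF
    mode: "0755"
  # Fetches the student's public keys (login taken from adlin.conf) on the
  # first boot where authorized_keys is absent or empty; a failed download
  # leaves an empty file, so it is retried on the next boot. The URL is
  # quoted so an unexpected login value cannot be split into extra arguments.
  - path: etc/init.d/014-get-ssh-keys
    contents: |
      #!/bin/sh
      # Retrieve ssh keys
      [ -s /var/lib/adlin/authorized_keys ] || nsenter -n/run/netns/router -- /usr/bin/wget -O /var/lib/adlin/authorized_keys "https://cri.epita.fr/$(sed 's/^.*MyLogin=//p;d' /var/lib/adlin/wireguard/adlin.conf).keys"
    mode: "0755"
  # NOTE(review): this commented-out entry is also truncated in this copy:
  # its "cat <" heredoc lost its body, and the trailing tokens on the last
  # comment line ("/dev/null > /dev/null exit 0 mode: "0555"") most likely
  # belonged to a following, uncommented file entry whose beginning is gone.
  # - path: etc/init.d/021-correction
  #   contents: |
  #     #!/bin/sh
  #     PS=$(pgrep procd | head -1)
  #     nsenter -t "${PS}" -a -- sysctl -w net.ipv4.ip_forward=1
  #     nsenter -t "${PS}" -a -- sysctl -w net.ipv6.conf.all.forwarding=1
  #     nsenter -t "${PS}" -a -- sysctl -w net.ipv4.conf.ethsrv.route_localnet=1
  #     nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  #     nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE
  #     nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9
  #     nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9
  #     nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6
  #     nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6
  #     nsenter -t "${PS}" -a -- ip link set ethwks up
  #     cat < /dev/null > /dev/null exit 0 mode: "0555"
  - path: etc/issue.adlin
    source: pkg/debian-tuto3/issue
    mode: "0444"
  # Waits up to ~5 s for wg0 to appear, then prints the welcome banner.
  - path: /etc/init.d/900-showip.sh
    contents: |
      #!/bin/sh
      # Wait wg0
      nsenter -n/run/netns/router -- ip a show dev wg0 2> /dev/null > /dev/null || sleep 1
      nsenter -n/run/netns/router -- ip a show dev wg0 2> /dev/null > /dev/null || sleep 1
      nsenter -n/run/netns/router -- ip a show dev wg0 2> /dev/null > /dev/null || sleep 1
      nsenter -n/run/netns/router -- ip a show dev wg0 2> /dev/null > /dev/null || sleep 1
      nsenter -n/run/netns/router -- ip a show dev wg0 2> /dev/null > /dev/null || sleep 1
      /usr/bin/welcome
      exit 0
    mode: "0555"
  # - path: /etc/init.d/999-getty.sh
  #   contents: |
  #     #!/bin/sh
  #     while true
  #     do
  #       /usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux
  #       sleep 1
  #     done &
  #   mode: "0555"
  # Console banner: issue text, tunnel/uplink addresses, and a hint (in
  # French) when wks-rh1 has no second NIC.
  - path: /usr/bin/welcome
    contents: |
      #!/bin/sh
      echo
      cat /etc/issue.adlin
      echo
      nsenter -n/run/netns/router -- ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh
      nsenter -n/run/netns/router -- ip -c a show dev eth0
      nsenter -n/run/netns/wks-rh1 -- ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
    mode: "0755"
  # Emergency DHCP on the router's uplink. "| head -1" matches
  # reset-router-firewall: with more than one procd match the extra PIDs
  # would have been passed to nsenter as the command to run.
  - path: /usr/sbin/sos-dhcp
    contents: |
      #!/bin/sh
      nsenter -t $(pgrep procd | head -1) -a -- udhcpc -i eth0
    mode: "0755"
  # Wipes the start of the state disk and reboots. Destructive by design;
  # the only confirmation is pressing Enter.
  - path: /usr/sbin/raz-my-dd
    contents: |
      #!/bin/sh
      echo -n "Are you sure? Press Enter to continue... "
      read -s
      dd if=/dev/zero of=/dev/sda count=10 bs=4096
      sync
      reboot -f
    mode: "0755"
  # Interactive enrolment: stores the Maatma token, then asks ask.sh /
  # update-wg-conf to rebuild the tunnel config and restarts the router's
  # network. The token is a secret: it is written with the process umask
  # (world-readable unless the umask is restrictive) and is visible to the
  # minichecker containers through their /etc/wireguard bind.
  - path: /usr/sbin/join-maatma
    contents: |
      #!/bin/sh
      [ -s "/var/lib/adlin/wireguard/adlin.token" ] && echo "A token is already defined. You'll erase it if you continue."
      echo -n "Please copy your token here: "
      read WGTOKEN
      mkdir -p /var/lib/adlin/wireguard/
      # Quoted so the token is written verbatim (no globbing or word splitting).
      echo "$WGTOKEN" > /var/lib/adlin/wireguard/adlin.token
      nsenter -n/run/netns/router /usr/bin/ask.sh && /usr/bin/update-wg-conf && nsenter -t $(pgrep procd | head -1) -a -- /etc/init.d/network restart
      echo "Token saved. You should reboot now."
    mode: "0755"
  # Health report (French labels) for the disk, tunnel, uplink and each
  # service/workstation container; ok/ko print a green or red status.
  - path: /usr/sbin/diagnostic
    contents: |
      #!/bin/sh
      ok() { [ $# -gt 1 ] && MSG=$2 || MSG="OK"; echo -e $1 "\033[0;32m${MSG}\033[0m"; }
      ko() { [ $# -gt 1 ] && MSG=$2 || MSG="KO"; echo -e $1 "\033[0;41m${MSG}\033[0m"; }
      echo "TP3 VM diagnostic"
      echo
      echo -n "Disque dur monté : "; df /var/lib/adlin/ | grep ^/dev/sd > /dev/null && ok || ko
      echo
      echo -n "Token Maatma renseigné : "; [ -s "/var/lib/adlin/wireguard/adlin.token" ] && ok -n || ko -n
      echo -n " - Tunnel monté : "; nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n
      nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && echo -n " - Tunnel établi : "; [ "$(nsenter -n/run/netns/router -- /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko
      echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n
      echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko
      echo
      echo -n "États serveurs : "; ctr -n services.linuxkit t ls | grep mainrouter | grep RUNNING > /dev/null && ok -n "Routeur" || ko -n "Routeur"
      echo -n " "
      pgrep unbound > /dev/null && ok -n "Résolveur" || ko -n "Résolveur"
      echo -n " "
      pgrep openrc > /dev/null && ok -n "NS autoritaire" || ko -n "NS autoritaire"
      echo -n " "
      pgrep postgres > /dev/null && ok -n "Database" || ko -n "Database"
      echo -n " "
      ctr -n services.linuxkit t ls | grep matrix | grep RUNNING > /dev/null && ok -n "Matrix" || ko -n "Matrix"
      echo -n " "
      pgrep miniflux > /dev/null && ok -n "Miniflux" || ko -n "Miniflux"
      echo -n " "
      ctr -n services.linuxkit t ls | grep web | grep RUNNING > /dev/null && ok -n "Vitrine" || ko -n "Vitrine"
      echo
      echo
      echo -n "États Workstations : "
      ctr -n services.linuxkit t ls | grep dhcpcd-wks-dg1 | grep RUNNING > /dev/null && ok -n "WKS-DG1" || ko -n "WKS-DG1"
      echo -n "("
      ctr -n services.linuxkit t ls | grep sshd-wks-dg1 | grep RUNNING > /dev/null && ok -n "SSH" || ko -n "SSH"
      echo -n " "
      ctr -n services.linuxkit t ls | grep minichecker-wks-dg1 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
      echo -n ") "
      ctr -n services.linuxkit t ls | grep dhcpcd-wks-rh1 | grep RUNNING > /dev/null && ok -n "WKS-RH1" || ko -n "WKS-RH1"
      echo -n "("
      ctr -n services.linuxkit t ls | grep sshd-wks-rh1 | grep RUNNING > /dev/null && ok -n "SSH" || ko -n "SSH"
      echo -n ") "
      ctr -n services.linuxkit t ls | grep dhcpcd-wks-rh2 | grep RUNNING > /dev/null && ok -n "WKS-RH2" || ko -n "WKS-RH2"
      echo -n "("
      ctr -n services.linuxkit t ls | grep minichecker-wks-rh2 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
      echo -n ") "
      ctr -n services.linuxkit t ls | grep dhcpcd-wks-cm1 | grep RUNNING > /dev/null && ok -n "WKS-CM1" || ko -n "WKS-CM1"
      echo -n "("
      ctr -n services.linuxkit t ls | grep minichecker-wks-cm1 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
      echo -n ") "
      echo
      echo
    mode: "0755"
  # Bound read-only into ns-resolv and ns-auth.
  - path: etc/network/interfaces
    contents: |
      auto lo
      iface lo inet manual
    mode: "0440"
  # Sample nsd config exposed to ns-auth as /etc/nsd.sample (its live
  # /etc/nsd is on the state disk). Remote control is enabled here.
  - path: etc/nsd/nsd.conf
    contents: |
      remote-control:
          control-enable: yes
      zone:
          name: login-x.srs.p0m.fr
          zonefile: /etc/nsd/login-x.srs.p0m.fr.zone
    mode: "0644"
  - path: etc/nsd/login-x.srs.p0m.fr.zone
    contents: |
      login-x.srs.p0m.fr. 900 SOA ns.login-x.srs.p0m.fr. root.login-x.srs.p0m.fr. 2020032900 172800 3600 2419200 86400
      login-x.srs.p0m.fr. 900 NS ns.login-x.srs.p0m.fr.
      ns.login-x.srs.p0m.fr. 900 AAAA 2a01:e0a:2b:2252:4242::3
    mode: "0644"
  # Resolver config for ns-resolv.
  # NOTE(review): domain-insecure "." together with val-permissive-mode yes
  # means DNSSEC failures are never enforced, so the trust-anchor-file is
  # effectively informational. The resolver listens on :: as well, but only
  # IPv4 ranges are allowed by access-control (IPv6 clients get unbound's
  # default refusal). log-queries/log-replies to a file record every client
  # lookup and will grow without rotation.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
          verbosity: 1
          interface: 0.0.0.0
          interface: ::0
          prefer-ip6: no
          access-control: 172.23.0.0/16 allow
          access-control: 192.168.0.0/16 allow
          log-queries: yes
          log-replies: yes
          use-syslog: no
          logfile: "/var/log/unbound.log"
          hide-identity: yes
          hide-version: yes
          qname-minimisation: yes
          domain-insecure: "."
          val-permissive-mode: yes
          trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
          local-zone: "adlin.p0m.fr" typetransparent
          local-data: "news.adlin.p0m.fr A 172.23.42.1"
          local-data: "matrix.adlin.p0m.fr A 172.23.42.1"
          local-data: "www.adlin.p0m.fr A 172.23.42.1"
      remote-control:
          control-enable: no
      forward-zone:
          name: "."
          forward-addr: 9.9.9.9
          forward-addr: 2606:4700:4700::1111
    mode: "0440"
  # Minimal inittab for the router container (bound as /etc/inittab).
  - path: etc/rinittab
    contents: |
      ::sysinit:/etc/init.d/rcS S boot
      ::shutdown:/etc/init.d/rcS K shutdown
    mode: "0644"
  # NOTE(review): committed root password hash (md5crypt, a weak scheme).
  # No service in this file binds etc/rshadow, so it may be dead config;
  # if it is still needed, provision it at build time instead.
  - path: etc/rshadow
    contents: |
      root:$1$XMaL.0yJ$Z9imHkT2P9ddci.FeYhVK0:18706:0:99999:7:::
      daemon:*:0:0:99999:7:::
      ftp:*:0:0:99999:7:::
      network:*:0:0:99999:7:::
      nobody:*:0:0:99999:7:::
      dnsmasq:x:0:0:99999:7:::
    mode: "0640"
  # passwd for the sshd-wks-* containers (root shell /bin/bash).
  - path: etc/wpasswd
    contents: |
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      sys:x:3:3:sys:/dev:/usr/sbin/nologin
      sync:x:4:65534:sync:/bin:/bin/sync
      games:x:5:60:games:/usr/games:/usr/sbin/nologin
      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
      _apt:x:100:65534::/nonexistent:/bin/false
      sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
      systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false
      systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false
      systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false
      systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
    mode: "0644"
  # shadow for the sshd-wks-* containers. NOTE(review): the root hash is
  # committed with the image, so every VM built from this file shares the
  # same workstation root password.
  - path: etc/wshadow
    contents: |
      root:$6$R0XGKnrwzA4kTcET$6JsBy0Ib7xzy3OUZLq81/Cu4XswmOzv4VmCBJ76jAq/lJ049rxrHsyzGhUY8TONLdlbKfm0.EhCKB4NLivdck/:18707:0:99999:7:::
      daemon:*:17575:0:99999:7:::
      bin:*:17575:0:99999:7:::
      sys:*:17575:0:99999:7:::
      sync:*:17575:0:99999:7:::
      games:*:17575:0:99999:7:::
      man:*:17575:0:99999:7:::
      lp:*:17575:0:99999:7:::
      mail:*:17575:0:99999:7:::
      news:*:17575:0:99999:7:::
      uucp:*:17575:0:99999:7:::
      proxy:*:17575:0:99999:7:::
      www-data:*:17575:0:99999:7:::
      backup:*:17575:0:99999:7:::
      list:*:17575:0:99999:7:::
      irc:*:17575:0:99999:7:::
      gnats:*:17575:0:99999:7:::
      nobody:*:17575:0:99999:7:::
      _apt:*:17575:0:99999:7:::
      sshd:*:17594:0:99999:7:::
      systemd-timesync:*:17594:0:99999:7:::
      systemd-network:*:17594:0:99999:7:::
      systemd-resolve:*:17594:0:99999:7:::
      systemd-bus-proxy:*:17594:0:99999:7:::
    mode: "0640"
  # resolv.conf pointing at the lab resolver (bound into most services).
  - path: etc/dresolv.conf
    contents: |
      nameserver 172.23.42.2
    mode: "0644"
  - path: var/lib/adlin
    directory: true
    mode: "0755"
  # Public resolvers; not bound by any service in this file.
  - path: etc/mresolv.conf
    contents: |
      nameserver 9.9.9.9
      nameserver 2606:4700:4700::1111
      nameserver 1.1.1.1
      nameserver 2620:fe::fe
    mode: "0644"
  # Router sysctl defaults (bound as /etc/sysctl.d/10-default.conf).
  # NOTE(review): fs.suid_dumpable=2 allows core dumps of setuid binaries
  # into /tmp; fine for debugging a lab router, not a hardened default.
  - path: etc/rsysctl.conf
    contents: |
      # Do not edit, changes to this file will be lost on upgrades
      # /etc/sysctl.conf can be used to customize sysctl settings
      kernel.panic=3
      kernel.core_pattern=/tmp/%e.%t.%p.%s.core
      fs.suid_dumpable=2
      fs.protected_hardlinks=1
      fs.protected_symlinks=1
      net.core.bpf_jit_enable=1
      net.ipv4.conf.default.arp_ignore=1
      net.ipv4.conf.all.arp_ignore=1
      net.ipv4.icmp_echo_ignore_broadcasts=1
      net.ipv4.icmp_ignore_bogus_error_responses=1
      net.ipv4.igmp_max_memberships=100
      net.ipv4.tcp_fin_timeout=30
      net.ipv4.tcp_keepalive_time=120
      net.ipv4.tcp_syncookies=1
      net.ipv4.tcp_timestamps=1
      net.ipv4.tcp_sack=1
      net.ipv4.tcp_dsack=1
    mode: "0644"
  # Trimmed OpenWrt preinit; not bound by any service in this file.
  - path: etc/rpreinit
    contents: |
      #!/bin/sh
      # Copyright (C) 2006-2015 OpenWrt.org
      # Copyright (C) 2010 Vertical Communications
      mkdir -p /var/lock
      mount -t tmpfs none /var/lock
      unset PREINIT
      exec /sbin/procd
    mode: "0755"
  # Stubbed OpenWrt preinit hooks, bound into mainrouter so the stock ones
  # (ISO check, failsafe wait) are neutralised in the container.
  - path: lib/preinit/20_check_iso
    contents: |
      #!/bin/sh
      # Copyright (C) 2006-2015 OpenWrt.org
      # Copyright (C) 2010 Vertical Communications
      check_for_iso() {
          echo > /dev/null || ramoverlay
      }
      boot_hook_add preinit_mount_root check_for_iso
    mode: "0644"
  - path: lib/preinit/30_failsafe_wait
    contents: |
      #!/bin/sh
      # Copyright (C) 2006-2015 OpenWrt.org
      # Copyright (C) 2010 Vertical Communications
    mode: "0644"
  # Failsafe login hook. NOTE(review): if the failsafe path is ever reached
  # it starts dropbear with a freshly generated 1024-bit RSA host key, which
  # is below current recommendations.
  - path: lib/preinit/99_10_failsafe_login
    contents: |
      #!/bin/sh
      # Copyright (C) 2006-2015 OpenWrt.org
      # Copyright (C) 2010 Vertical Communications
      failsafe_netlogin () {
          dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
          dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
      }
      failsafe_shell() {
          echo > /dev/null || ramoverlay
      }
      boot_hook_add failsafe failsafe_netlogin
      boot_hook_add failsafe failsafe_shell
    mode: "0644"
trust:
  org:
    - linuxkit
    - library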