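# LinuxKit image for the "adlin" lab VM.
#
# Layout (from the onboot/services sections below):
#   - a "router" network namespace that owns eth0, the WireGuard link and
#     two bridges: brwks (workstations) and brsrv (servers);
#   - two workstation namespaces (wks1, wks2), each with dhcpcd and sshd;
#   - server namespaces on brsrv: ns (unbound), ns-auth (nsd), db
#     (postgres), chat (matrix) and miniflux.
#
# Review notes are prefixed NOTE(review).
kernel:
  image: linuxkit/kernel:4.19.104
  # NOTE(review): `root=` is given twice; the kernel keeps the last value
  # it sees, so as written /dev/sr0 wins and root=/dev/sda1 is dead text.
  # NOTE(review): adlin.token is embedded in the image's command line and is
  # therefore readable from the image and from /proc/cmdline inside the VM;
  # presumably consumed by /usr/bin/ask.sh (pkg/wg/ask.sh) — confirm.
  cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=LqCdJDfniA"
  # cmdline: "console=tty0"

init:
  - linuxkit/init:a4fcf333298f644dfac6adf680b83140927aa85e
  - linuxkit/runc:69b4a35eaa22eba4990ee52cccc8f48f6c08ed03
  - linuxkit/containerd:09553963ed9da626c25cf8acdf6d62ec37645412
  - linuxkit/ca-certificates:v0.7
  - linuxkit/getty:v0.7

onboot:
  # Persistent state lives on /dev/sda1, mounted at /var/lib/adlin.
  - name: format
    image: linuxkit/format:65b9e0a76d0b9fb8ac5c5f3bc8d3131109290f56
    command: ["/usr/bin/format", "/dev/sda"]
  - name: mount
    image: linuxkit/mount:v0.7
    command: ["/usr/bin/mountie", "/dev/sda1", "/var/lib/adlin"]
  - name: sysctl
    image: linuxkit/sysctl:v0.7
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro
  - name: rngd1
    image: linuxkit/rngd:02c555b50cd1887aa628836662d2eec54c0d7e81
    command: ["/sbin/rngd", "-1"]

  # Network: external
  # eth0 is moved into the router namespace and configured once by dhcpcd.
  - name: dhcpcd
    image: linuxkit/dhcpcd:v0.7
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
    net: new
    runtime:
      interfaces:
        - name: eth0
      bindNS:
        net: /run/netns/router
  # WireGuard bring-up: ask.sh runs in the router namespace with the TLS
  # client bits it needs bound read-only; the WireGuard state directory is
  # the only writable bind.
  - name: wg
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    net: /run/netns/router
    binds:
      - /etc/ssl:/etc/ssl:ro
      - /etc/mresolv.conf:/etc/resolv.conf
      - /usr/bin/ask.sh:/usr/bin/ask.sh:ro
      - /usr/bin/ssl_client:/usr/bin/ssl_client:ro
      - /lib/libcrypto.so.1.1:/lib/libcrypto.so.1.1:ro
      - /lib/libssl.so.1.1:/lib/libssl.so.1.1:ro
      - /usr/lib/libcrypto.so.1.1:/usr/lib/libcrypto.so.1.1:ro
      - /usr/lib/libssl.so.1.1:/usr/lib/libssl.so.1.1:ro
      - /usr/lib/libtls-standalone.so.1:/usr/lib/libtls-standalone.so.1:ro
      - /usr/lib/libtls-standalone.so.1.0.0:/usr/lib/libtls-standalone.so.1.0.0:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
      - /var/lib/adlin/wireguard:/etc/wireguard
    command: ["/bin/ash", "-c", "/usr/bin/ask.sh"]
    runtime:
      mkdir:
        - /var/lib/adlin/wireguard

  # Network: workstations
  # NOTE(review): the net-*-setup containers below read
  # /etc/wireguard/adlin.conf but declare no bind for it (only the `wg`
  # container binds /var/lib/adlin/wireguard there). If the file is not
  # visible in these containers the `grep ... &&` guard silently skips the
  # IPv6 configuration — confirm the bind, or add one.
  - name: net-wks-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 192.168.6.254/24 dev ethwks; ip link set ethwks up; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#1::1/96#\") dev ethwks;"]
    net: /run/netns/router
    runtime:
      interfaces:
        - name: ethwks
          add: veth
          peer: veth-wks

  #
  # Network: servers
  # 172.23.42.1 is the router's leg on brsrv; each server namespace gets
  # a veth pair whose inner end is numbered .2 to .6 and defaults via .1.
  - name: net-srv-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.1/24 dev ethsrv; ip link set ethsrv up; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1/96#\") dev ethsrv;"]
    net: /run/netns/router
    runtime:
      interfaces:
        - name: ethsrv
          add: veth
          peer: veth-srv
  - name: net-srvns-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:2/96#\") dev vethin-ns; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }"]
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/ns
  - name: net-srvnsauth-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.3/24 dev vethin-nsauth; ip link set vethin-nsauth up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:3/96#\") dev vethin-nsauth; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }"]
    net: new
    runtime:
      interfaces:
        - name: vethin-nsauth
          add: veth
          peer: veth-nsauth
      bindNS:
        net: /run/netns/ns-auth
  - name: net-srvdb-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.4/24 dev vethin-db; ip link set vethin-db up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:4/96#\") dev vethin-db; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }"]
    net: new
    runtime:
      interfaces:
        - name: vethin-db
          add: veth
          peer: veth-db
      bindNS:
        net: /run/netns/db
  - name: net-srvchat-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.5/24 dev vethin-chat; ip link set vethin-chat up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:5/96#\") dev vethin-chat; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }"]
    net: new
    runtime:
      interfaces:
        - name: vethin-chat
          add: veth
          peer: veth-chat
      bindNS:
        net: /run/netns/chat
  - name: net-srvttrss-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip a add 172.23.42.6/24 dev vethin-ttrss; ip link set vethin-ttrss up; ip route add default via 172.23.42.1; grep MyIPv6= /etc/wireguard/adlin.conf > /dev/null && { ip a add $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:6/96#\") dev vethin-ttrss; ip route add default via $(sed 's/^.*MyIPv6=//p;d' /etc/wireguard/adlin.conf | sed \"s#:[^:/]*/.*\\$#:1#\"); }"]
    net: new
    runtime:
      interfaces:
        - name: vethin-ttrss
          add: veth
          peer: veth-ttrss
      bindNS:
        net: /run/netns/miniflux

  # Network: bridges
  # Enslaves the outer veth ends to brsrv / brwks. A second physical NIC
  # (eth2), when present, is attached to the workstation bridge.
  - name: bridges-setup
    image: linuxkit/ip:7b1cf3150bf5d9a0df7ef07572e2d81fe3c0c3d3
    command: ["/bin/sh", "-c", "ip link set veth-srv master brsrv; ip link set veth-ns master brsrv; ip link set veth-nsauth master brsrv; ip link set veth-db master brsrv; ip link set veth-chat master brsrv; ip link set veth-ttrss master brsrv; ip link set veth-srv up; ip link set veth-ns up; ip link set veth-nsauth up; ip link set veth-db up; ip link set veth-chat up; ip link set veth-ttrss up; ip link set brsrv up; ip link set veth-wks master brwks; ip link set veth-wks1 master brwks; ip link set veth-wks2 master brwks; ip link set veth-wks up; ip link set veth-wks1 up; ip link set veth-wks2 up; ip link set brwks up; ip l | grep eth2 > /dev/null && { ip link set eth2 up; ip link set eth2 master brwks; }"]
    runtime:
      interfaces:
        - name: brsrv
          add: bridge
        - name: brwks
          add: bridge
        - name: veth-wks1
          add: veth
          peer: ethwks1
        - name: veth-wks2
          add: veth
          peer: ethwks2

services:
  # Workstations: wks1 also receives the physical eth1 so a real machine can
  # be plugged into it (see /etc/init.d/500-showip.sh).
  - name: dhcpcd-wks1
    image: linuxkit/dhcpcd:v0.7
    net: new
    runtime:
      interfaces:
        - name: eth1
        - name: ethwks1
      bindNS:
        net: /run/netns/wks1
  - name: dhcpcd-wks2
    image: linuxkit/dhcpcd:v0.7
    net: new
    runtime:
      interfaces:
        - name: ethwks2
      bindNS:
        net: /run/netns/wks2
  # The workstation sshd instances share one passwd/shadow pair
  # (etc/wpasswd, etc/wshadow below), so both accept the same root
  # credential.
  - name: sshd-wks1
    image: linuxkit/sshd:v0.7
    net: /run/netns/wks1
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow
  - name: sshd-wks2
    image: linuxkit/sshd:v0.7
    net: /run/netns/wks2
    binds:
      - /etc/ssh/sshd_config:/etc/ssh/sshd_config
      - /etc/wpasswd:/etc/passwd
      - /etc/wshadow:/etc/shadow
  # NOTE(review): mainrouter, matrix, ns-resolv, ns-auth, db and miniflux
  # all run with `capabilities: all`. Only the systemd-based images
  # (mainrouter, matrix) visibly need broad privileges; the DNS, database
  # and miniflux services could likely run with the LinuxKit default set —
  # confirm per service before narrowing.
  - name: mainrouter
    image: nemunaire/adlin-tuto3:a8593e91cb830dede2ad25a205ef47141a5a3c22
    net: /run/netns/router
    command: ["/sbin/init"]
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
    binds:
      - /etc/dresolv.conf:/etc/resolv.conf
  - name: matrix
    image: nemunaire/tinydeb:eaa617bf726fb4cadfa22b3947709579e6001212
    net: /run/netns/chat
    command: ["/sbin/init"]
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
    binds:
      - /etc/dresolv.conf:/etc/resolv.conf
  - name: ns-resolv
    image: nemunaire/unbound:ed3ccbb5340aefd48c53a97743fdc6edc7011103
    net: /run/netns/ns
    capabilities:
      - all
    binds:
      - /etc/unbound:/etc/unbound:ro
      - /etc/services:/etc/services:ro
  - name: ns-auth
    image: nemunaire/nsd:8d1277be1eb28748ed7441ac82ac04edbacc3b5d
    net: /run/netns/ns-auth
    capabilities:
      - all
    mounts:
      - type: cgroup
        options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
    binds:
      - /var/lib/adlin/nsd:/etc/nsd:rw
      - /var/lib/adlin/nsd-db:/var/db/nsd:rw
      - /etc/nsd:/etc/nsd.sample:ro
      - /etc/network:/etc/network:ro
      - /etc/services:/etc/services:ro
    runtime:
      mkdir:
        - /var/lib/adlin/nsd
        - /var/lib/adlin/nsd-db
  - name: db
    # NOTE(review): `postgres:alpine` is a floating tag; pin a specific
    # version (or digest) so rebuilds are reproducible.
    image: postgres:alpine
    net: /run/netns/db
    capabilities:
      - all
    env:
      - LANG=en_US.utf8
      # Fix: the value was written as PATH="..." — the quotes were passed to
      # the container literally (OCI env is not shell-parsed), which broke
      # the first and last PATH entries.
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/'
      - PGDATA=/var/lib/postgresql/data
      # NOTE(review): lab default credential, baked into the image. The same
      # value is also hard-coded in /initdb/init-miniflux.sh,
      # /initdb/init-matrix.sql and the miniflux env below; change all of
      # them together.
      - POSTGRES_PASSWORD=adlin2021
    binds:
      - /etc/services:/etc/services:ro
      - /initdb/:/docker-entrypoint-initdb.d/:ro
      - /var/lib/adlin/postgres:/var/lib/postgresql/data
    runtime:
      mkdir:
        - /var/lib/adlin/postgres
  # - name: chat
  #   image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty
  #   net: /run/netns/chat
  #   capabilities:
  #     - all
  #   command: ["/entrypoint.sh", "/mattermost/bin/platform"]
  #   env:
  #     - MM_USERNAME=mattermost
  #     - MM_DBNAME=mattermost
  #     - MM_PASSWORD=adlin2021
  #   binds:
  #     - /etc/services:/etc/services:ro
  #     - /etc/hosts:/etc/hosts:ro
  - name: miniflux
    # NOTE(review): `latest` is unpinned; pin a tag or digest.
    image: miniflux/miniflux:latest
    net: /run/netns/miniflux
    capabilities:
      - all
    # The sleep gives postgres time to come up; there is no readiness check.
    command: ["/bin/sh", "-c", "sleep 5; /usr/bin/miniflux"]
    env:
      # sslmode=disable: the db link stays inside brsrv (172.23.42.0/24).
      - DATABASE_URL=postgres://miniflux:adlin2021@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=adeline
      - ADMIN_PASSWORD=adlin2021
      - LISTEN_ADDR=0.0.0.0:8080
    binds:
      - /etc/hosts:/etc/hosts:ro
      - /etc/services:/etc/services:ro

files:
  - path: etc/hosts
    contents: |
      127.0.0.1 localhost
      ::1 localhost
      172.23.42.4 db
    mode: "0444"
  - path: usr/bin/ask.sh
    source: pkg/wg/ask.sh
    mode: "0755"
  - path: etc/ssh/sshd_config
    source: pkg/nsd/sshd_config
    mode: "0644"
  # Helper for the lab: flushes every iptables rule in the router container
  # and resets all policies to ACCEPT, i.e. removes all filtering there.
  # The target is the first systemd process found on the host.
  - path: /usr/bin/reset-router-firewall
    contents: |
      #!/bin/sh
      PS=$(pgrep systemd | head -1)
      # Fix: an empty PS made every nsenter below fail one by one.
      [ -n "${PS}" ] || { echo "reset-router-firewall: no systemd process found" >&2; exit 1; }
      nsenter -t "${PS}" -a iptables -F
      nsenter -t "${PS}" -a iptables -P INPUT ACCEPT
      nsenter -t "${PS}" -a iptables -P FORWARD ACCEPT
      nsenter -t "${PS}" -a iptables -P OUTPUT ACCEPT
      nsenter -t "${PS}" -a iptables -t nat -F
    mode: "0755"
  # Wrapper so `wg` on the console operates in the router namespace.
  - path: /usr/sbin/wg
    contents: |
      #!/bin/sh
      # Fix: "$@" instead of $@ so arguments with spaces survive intact.
      nsenter -n/run/netns/router /usr/bin/wg "$@"
    mode: "0755"
  # Postgres first-run scripts (docker-entrypoint-initdb.d).
  - path: /initdb/init-miniflux.sh
    contents: |
      #!/bin/sh
      set -e
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
      CREATE USER miniflux WITH PASSWORD 'adlin2021';
      CREATE DATABASE miniflux;
      GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
      EOSQL
      psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname miniflux <<-EOSQL
      CREATE EXTENSION hstore;
      EOSQL
    mode: "0555"
  - path: /initdb/init-matrix.sql
    contents: |
      CREATE USER matrix WITH PASSWORD 'adlin2021';
      CREATE DATABASE matrix;
      GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
    mode: "0444"
  # Writes the lab root password hash into the shadow file of the
  # systemd-based service rootfs trees at boot (the hash is fixed in this
  # image). Runs from the host side, before those services start.
  - path: /etc/init.d/999-rw-passwd.sh
    contents: |
      #!/bin/sh
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/mainrouter/rootfs/etc/shadow
      cp /etc/services /containers/services/mainrouter/rootfs/etc/services
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/matrix/rootfs/etc/shadow
      cp /etc/services /containers/services/matrix/rootfs/etc/services
      sed -ri '/^root/s@^.*$@root:$6$QNuPvO59Xk4UO3le$3P0V2ef6dHlKgO1FHsKcPPgOvL.YeCOPFqfIVTtpYn5eEn3xkgGYeM1RMCQ9l/eTc6rRc.l.WeRe1iJVznVGj/:17968:0:99999:7:::@' /containers/services/ns-auth/rootfs/etc/shadow
      exit 0
    mode: "0555"
  - path: etc/issue.adlin
    source: pkg/debian-tuto3/issue
    mode: "0444"
  # Console banner: prints the lab notice plus the router's WireGuard and
  # external addresses, and wks1's eth1 address when a second NIC exists.
  - path: /etc/init.d/500-showip.sh
    contents: |
      #!/bin/sh
      echo
      cat /etc/issue.adlin
      echo
      # Fix: the backticks around join-p0m were inside double quotes, so the
      # shell ran `join-p0m` as a command substitution (prompting for a token
      # at boot) instead of printing its name. They are now escaped.
      nsenter -n/run/netns/router ip -c a show dev wg0 2> /dev/null || echo "You didn't define your token to connect the network. Please run here \`join-p0m\` and then reboot."
      nsenter -n/run/netns/router ip -c a show dev eth0
      nsenter -n/run/netns/wks1 ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
      exit 0
    mode: "0555"
  # - path: /etc/init.d/999-getty.sh
  #   contents: |
  #     #!/bin/sh
  #     while true
  #     do
  #       /usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux
  #       sleep 1
  #     done &
  #   mode: "0555"
  # Interactive helper: stores the user's WireGuard token on the persistent
  # disk, where the `wg` onboot container picks it up after a reboot.
  - path: /usr/sbin/join-p0m
    contents: |
      #!/bin/sh
      [ -f "/var/lib/adlin/wireguard/adlin.token" ] && echo "A token is already defined. You'll erase it if you continue."
      echo -n "Please copy your token here: "
      read -r WGTOKEN
      mkdir -p /var/lib/adlin/wireguard/
      # NOTE(review): the token is a credential and is written with the
      # default umask (world-readable on a 022 umask); consider restricting
      # the file mode if nothing other than the root-run wg container needs it.
      echo "$WGTOKEN" > /var/lib/adlin/wireguard/adlin.token
      echo "Token saved. You need to reboot now."
    mode: "0755"
  - path: etc/network/interfaces
    contents: |
    mode: "0440"
  # nsd: authoritative server for the lab zone (sample config, copied to the
  # persistent /etc/nsd by the ns-auth service; see its binds).
  - path: etc/nsd/nsd.conf
    contents: |
      remote-control:
        control-enable: yes
      zone:
        name: login-x.srs.p0m.fr
        zonefile: /etc/nsd/login-x.srs.p0m.fr.zone
    mode: "0644"
  - path: etc/nsd/login-x.srs.p0m.fr.zone
    contents: |
      login-x.srs.p0m.fr. 900 SOA ns.login-x.srs.p0m.fr. root.login-x.srs.p0m.fr. 2020032900 172800 3600 2419200 86400
      login-x.srs.p0m.fr. 900 NS ns.login-x.srs.p0m.fr.
      ns.login-x.srs.p0m.fr. 900 AAAA 2a01:e0a:2b:2252:4242::3
    mode: "0644"
  # unbound: recursive resolver for the lab networks.
  # NOTE(review): `domain-insecure: "."` together with
  # `val-permissive-mode: yes` means DNSSEC failures are never enforced, so
  # the trust-anchor-file line has no practical effect. Query logging is on
  # (log-queries/log-replies) and goes to unbound's own log, not syslog.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 172.23.0.0/16 allow
        access-control: 192.168.0.0/16 allow
        log-queries: yes
        log-replies: yes
        use-syslog: no
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
        local-zone: "adlin.p0m.fr" typetransparent
        local-data: "news.adlin.p0m.fr A 172.23.42.1"
        local-data: "matrix.adlin.p0m.fr A 172.23.42.1"
      remote-control:
        control-enable: no
      forward-zone:
        name: "."
        forward-addr: 9.9.9.9
    mode: "0440"
  # passwd/shadow used by both workstation sshd services.
  # NOTE(review): root's shell is /bin/bash; confirm it exists in the
  # linuxkit/sshd image, otherwise interactive root logins fail.
  - path: etc/wpasswd
    contents: |
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      sys:x:3:3:sys:/dev:/usr/sbin/nologin
      sync:x:4:65534:sync:/bin:/bin/sync
      games:x:5:60:games:/usr/games:/usr/sbin/nologin
      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
      _apt:x:100:65534::/nonexistent:/bin/false
      sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
      systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false
      systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false
      systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false
      systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
    mode: "0644"
  # NOTE(review): the root hash below is part of the image, so every VM
  # built from this file shares the same workstation root password.
  - path: etc/wshadow
    contents: |
      root:$6$B0qzwsEh$vfWGpIFUrKGrkT0PVtGhhomBwc.60IBIxjMLyG8mz.NJLFRryjqLK9sA/mzxNSaQViiHsYYrsgmcWVHblfdHg1:17968:0:99999:7:::
      daemon:*:17575:0:99999:7:::
      bin:*:17575:0:99999:7:::
      sys:*:17575:0:99999:7:::
      sync:*:17575:0:99999:7:::
      games:*:17575:0:99999:7:::
      man:*:17575:0:99999:7:::
      lp:*:17575:0:99999:7:::
      mail:*:17575:0:99999:7:::
      news:*:17575:0:99999:7:::
      uucp:*:17575:0:99999:7:::
      proxy:*:17575:0:99999:7:::
      www-data:*:17575:0:99999:7:::
      backup:*:17575:0:99999:7:::
      list:*:17575:0:99999:7:::
      irc:*:17575:0:99999:7:::
      gnats:*:17575:0:99999:7:::
      nobody:*:17575:0:99999:7:::
      _apt:*:17575:0:99999:7:::
      sshd:*:17594:0:99999:7:::
      systemd-timesync:*:17594:0:99999:7:::
      systemd-network:*:17594:0:99999:7:::
      systemd-resolve:*:17594:0:99999:7:::
      systemd-bus-proxy:*:17594:0:99999:7:::
    mode: "0640"
  # resolv.conf for the server-side containers: points at ns-resolv.
  - path: etc/dresolv.conf
    contents: |
      nameserver 172.23.42.2
    mode: "0644"
  - path: var/lib/adlin
    directory: true
    mode: "0755"
  # resolv.conf for the wg onboot container, which runs before ns-resolv.
  - path: etc/mresolv.conf
    contents: |
      nameserver 9.9.9.9
      nameserver 1.1.1.1
    mode: "0644"

# NOTE(review): content trust covers only the `linuxkit` org and the
# `library` images (postgres). The nemunaire/* and miniflux/* images are
# pulled without signature verification; pin them by digest if their
# publishers do not sign.
trust:
  org:
    - linuxkit
    - library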