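---
# LinuxKit image definition: kernel + init containers, one-shot `onboot`
# network/firewall setup, long-running `services`, and the `files` baked
# into the root filesystem. Layout restored from a single collapsed line;
# the nginx.conf payload also had mis-encoded bytes (æ/ø/ª/å standing in for
# "/e", "/o", "_a", "/a") which are repaired below.
kernel:
  image: linuxkit/kernel:4.9.82
  cmdline: "console=tty0 console=ttyS0"

init:
  - linuxkit/init:d899eee3560a40aa3b4bdd67b3bb82703714b2b9
  - linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
  - linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
  - linuxkit/ca-certificates:v0.2
  - linuxkit/firmware:v0.2
  - linuxkit/getty:v0.2

onboot:
  - name: sysctl
    image: linuxkit/sysctl:v0.2
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro

  # Network: exposed
  # NOTE(review): this container runs in a fresh namespace (`net: new`) but
  # has no `bindNS`, so presumably the namespace — and eth0.7 with it — is
  # discarded when the command exits; confirm, and check whether LinuxKit's
  # `vlan` type needs the parent interface given via `peer`.
  - name: netvlan-iface-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;"]
    net: new
    runtime:
      interfaces:
        - name: eth0.7
          add: vlan
          vlanid: 7

  # NOTE(review): the name `ns-iface-setup` is used twice in this list and
  # both entries bind their (separate, `net: new`) namespace to
  # /run/netns/ns. The second bind presumably shadows the first, so the
  # `ns` service would never see vethin-validator; if both interfaces are
  # meant to live in one namespace, the second entry should join it
  # (`net: /run/netns/ns`) instead of creating a new one — confirm.
  - name: ns-iface-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-validator
          add: veth
          peer: veth-validator
      bindNS:
        net: /run/netns/ns

  # External bridge: eth0 (physical uplink) and veth-validator are enslaved;
  # the host addresses live on br-ext, not on eth0.
  - name: bridge-ext-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 192.168.0.46/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-validator master br-ext; ip link set br-ext up; ip link set veth-validator up; ip link set eth0 up"]
    runtime:
      interfaces:
        - name: br-ext
          add: bridge

  # Second entry named ns-iface-setup (see note above).
  - name: ns-iface-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/ns

  - name: time-iface-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-time
          add: veth
          peer: veth-time
      bindNS:
        net: /run/netns/time

  # FIXME: 172.23.200.3/24 is also assigned to vethin-time above; both veths
  # are bridged onto br-int, so the two namespaces collide on the same
  # address. Give vethin-mail its own address (e.g. a free host in
  # 172.23.200.0/24). No `mail` service consumes /run/netns/mail in this
  # file; if none exists elsewhere, this entry is dead configuration.
  - name: mail-iface-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-mail
          add: veth
          peer: veth-mail
      bindNS:
        net: /run/netns/mail

  # Internal bridge for the ns/time/mail namespaces.
  - name: bridge-int-setup
    image: linuxkit/ip:v0.2
    command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up"]
    runtime:
      interfaces:
        - name: br-int
          add: bridge

  # FIXME: /etc/iptables/rules.v4 is not produced by the `files` section
  # below (only rules.v6 and rules-admin.v4 are), and this container declares
  # no `binds` for /etc/iptables, so the IPv4 ruleset is presumably never
  # loaded — the host then runs with the kernel default ACCEPT policy.
  # Also confirm that linuxkit/ip ships /bin/bash; the other entries use
  # /bin/sh. The two restores are joined with `;`, so a failed IPv4 restore
  # does not stop the IPv6 one — consider `&&` or a `set -e` wrapper so a
  # broken ruleset fails loudly at boot.
  - name: fw
    image: linuxkit/ip:v0.2
    command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6"]

services:
  - name: rngd
    image: linuxkit/rngd:v0.2

  - name: sshd
    image: linuxkit/sshd:v0.2

  # - name: dhcpd
  #   image: nemunaire/tftpd
  #   binds:
  #     - /srv/tftp:/srv/tftp:ro

  - name: tftpd
    image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9
    binds:
      - /srv/tftp:/srv/tftp:ro

  # NOTE(review): `nginx:alpine` is a floating tag — pin to a digest or a
  # specific version like the other images so builds are reproducible.
  # CAP_DAC_OVERRIDE bypasses all file permission checks; if it is only
  # needed for log/pid files, a writable bind or a tmpfs is narrower.
  - name: nginx
    image: nginx:alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro

  # NOTE(review): the `-dirty` suffix means this image was built from an
  # uncommitted tree and cannot be reproduced from the referenced commit.
  - name: login-validator
    image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty
    command: ["/bin/login-validator", "-bind=:8081"]
    binds:
      - /srv/students.csv:/srv/students.csv:ro

  - name: ns
    image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0
    net: /run/netns/ns
    binds:
      - /etc/unbound:/etc/unbound:ro

  - name: time
    image: linuxkit/openntpd:v0.2
    net: /run/netns/time
    binds:
      - /etc/ntpd.conf:/etc/ntpd.conf:ro

files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_ed25519.pub
    mode: "0400"

  - path: /srv/students.csv
    source: students.csv
    mode: "0400"

  # IPv6: drop everything in every direction.
  - path: etc/iptables/rules.v6
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      COMMIT
    mode: "0440"

  # IPv4 "admin" profile. Review notes:
  # - The ssh ACCEPT matches `-i eth0`, but eth0 is enslaved to br-ext and
  #   the host addresses sit on br-ext, so locally delivered traffic enters
  #   INPUT with br-ext as its in-interface and this rule likely never
  #   matches (ssh then hits the final LOG and the DROP policy). `-i br-ext`
  #   is the interface the host actually owns the address on.
  # - FORWARD defaults to ACCEPT with only a LOG rule; nothing restricts
  #   what crosses between br-ext and br-int.
  # - The unconditional LOG rules have no `-m limit`; a flood will fill the
  #   log. `-m limit --limit 5/min` before each `-j LOG` is the usual cap.
  # - Only ssh is admitted inbound; nginx (:80) and login-validator (:8081)
  #   are not opened here, which may be intended for an admin profile.
  - path: etc/iptables/rules-admin.v4
    contents: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT DROP [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
      [0:0] -A INPUT -j LOG
      [0:0] -A FORWARD -j LOG
      [0:0] -A OUTPUT -o lo -j ACCEPT
      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A OUTPUT -j LOG
      [0:0] -A OUTPUT -j REJECT
      COMMIT
    mode: "0440"

  # Recursive resolver for the `ns` namespace, forwarding everything to
  # 192.168.0.1. Review notes:
  # - `domain-insecure: "."` together with `val-permissive-mode: yes` turns
  #   DNSSEC validation off in practice, so `trust-anchor-file` has no
  #   effect; drop both if validated answers are wanted.
  # - `root-hints` points at /etc/unbound/root.hints, which `files` does not
  #   create; if the bind-mounted /etc/unbound lacks it, unbound may refuse
  #   to start — confirm against the image.
  # - `access-control: 172.23.0.0/16 allow` is wider than the 172.23.0.0/17
  #   and 172.23.200.0/24 networks configured above; tighten if the /16 is
  #   not all trusted.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 172.23.0.0/16 allow
        log-queries: yes
        log-replies: yes
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        root-hints: /etc/unbound/root.hints
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
      remote-control:
        control-enable: no
      forward-zone:
        name: "."
        forward-addr: 192.168.0.1
    mode: "0440"

  # Minimal nginx: answers 403 on "/" and serves nothing else. Paths and
  # variables below were mis-encoded in the source (nginxærror.log,
  # ætc/nginx, applicationøctet-stream, $remoteªddr, $http_userªgent,
  # nginxåccess.log) and are restored to nginx's stock values; the
  # log_format is nginx's standard `main` format. `location = /{` needed a
  # space before `{` to parse as a block.
  - path: etc/nginx/nginx.conf
    contents: |
      user nginx;
      worker_processes 2;
      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;
      events {
        worker_connections 1024;
      }
      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        server {
          listen 80 default;
          listen [::]:80 default;
          location = / {
            return 403;
          }
        }
      }
    mode: "0440"

  - path: etc/ntpd.conf
    contents: |
      listen on *
      servers pool.ntp.org
    mode: "0440"

  - path: srv/tftp
    directory: true
    mode: "0755"

# NOTE(review): content trust covers only the `linuxkit` and `library`
# organisations; the `nemunaire/*` images above are pulled without
# verification. Add the org here or pin those images by digest.
trust:
  org:
    - linuxkit
    - library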