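# LinuxKit image description for the "adlin" lab gateway: PXE/DHCP/TFTP
# boot server, a login validator behind nginx, a small DMZ (resolver,
# NTP, mail relay) and an iptables firewall between them.
#
# Sections: kernel/init, onboot (network plumbing, persistent mount,
# firewall), services (long-running containers), files (configs baked
# into the image) and trust (content-trust organisations).
kernel:
  image: linuxkit/kernel:4.20.3
  # cmdline: "console=tty0 console=ttyS0"
  cmdline: "console=tty0"

# Base system images; all are pinned to an immutable tag or commit hash.
init:
  - linuxkit/init:a2166a6048ce041eebe005ab99454cfdeaa5c848
  - linuxkit/runc:069d5cd3cc4f0aec70e4af53aed5d27a21c79c35
  - linuxkit/containerd:2aff4d486220667364b2971b5fc6225bf165a069
  - linuxkit/ca-certificates:v0.6
  # - linuxkit/firmware:v0.6
  - linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
  - nemunaire/monit:39c75d3e1dbccfed7e6ebfb826cd28e018be7117
  # - nemunaire/iscsi-target:8872d1c5e0cefe3c36b60e873b8452aefb19d84d

# onboot containers run sequentially, in this order, before any service
# starts. Note that sysctl (first step) enables net.ipv4.ip_forward via
# etc/sysctl.d/99-ipfwd.conf while the filter rules are only loaded by
# the "fw" step at the very end: forwarding is unfiltered while the
# interfaces below are being brought up.
onboot:
  - name: sysctl
    image: linuxkit/sysctl:v0.6
    binds:
      - /etc/sysctl.d/:/etc/sysctl.d/:ro

  # Mount first drive to enable some persistence
  - name: mount
    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "-device", "/dev/sda", "/var/lib/adlin"]

  # Network: interface for login-validator
  # Creates the "login" netns (172.23.255.2/24) with a veth pair whose
  # host-side end (veth-login) is attached to br-ext below.
  - name: login-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-login
          add: veth
          peer: veth-login
      bindNS:
        net: /run/netns/login

  # Network: exposed
  ################################################
  # VLAN7, path to internet
  - name: netvlan-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;"]

  # Bridge between std LAN, PXE LAN services (login-validator) and default route (as it uses the same wire)
  - name: bridge-ext-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 10.224.32.252/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 10.224.32.1;"]
    runtime:
      interfaces:
        - name: br-ext
          add: bridge

  # Network: DMZ
  ####################################################
  # Each DMZ service gets its own netns on 172.23.200.0/24, default
  # route via br-int (172.23.200.254).
  # token-validator
  - name: validator-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-vldtr
          add: veth
          peer: veth-validator
      bindNS:
        net: /run/netns/dmz-validator

  # domain name
  - name: ns-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-ns
          add: veth
          peer: veth-ns
      bindNS:
        net: /run/netns/dmz-ns

  # time server
  - name: time-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-time
          add: veth
          peer: veth-time
      bindNS:
        net: /run/netns/dmz-time

  # mail server
  - name: mail-iface-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;"]
    net: new
    runtime:
      interfaces:
        - name: vethin-mail
          add: veth
          peer: veth-mail
      bindNS:
        net: /run/netns/dmz-mail

  # Bridge for DMZ services
  - name: bridge-int-setup
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up"]
    runtime:
      interfaces:
        - name: br-int
          add: bridge

  # Load the firewall. Uses /bin/sh like every other ip-based step (the
  # redirect is POSIX, bash is not needed and may be absent from the image).
  - name: fw
    image: linuxkit/ip:v0.6
    command: ["/bin/sh", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4"]
    binds:
      - /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro

services:
  - name: rngd
    image: linuxkit/rngd:v0.6

  # Host-netns sshd; root login key comes from root/.ssh/authorized_keys below.
  - name: sshd
    image: linuxkit/sshd:c4bc89cf0d66733c923ab9cb46198b599eb99320

  # NOTE(review): image has no tag or digest and "joebiellik" is not in the
  # trust list, so "latest" is pulled unverified at build time — pin it.
  - name: dhcpd
    image: joebiellik/dhcpd
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
    binds:
      - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
      - /var/lib/adlin/dhcp:/var/lib/dhcp/
    runtime:
      mkdir:
        - /var/lib/adlin/dhcp

  # NOTE(review): "all" grants every capability to a service that only
  # needs to bind UDP/69 (and possibly chroot/setuid); trim to the list
  # it actually uses.
  - name: tftpd
    image: nemunaire/tftpd:5340825352f9af28f5ac77bbe3243bdb70176903
    capabilities:
      - all
    binds:
      - /srv/tftp:/srv/tftp:ro
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/bios/pxelinux.cfg
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg

  # Runs in the "login" netns; reached through nginx-login (443 -> 8081).
  # NOTE(review): the active command passes -auth=none, i.e. the LDAP
  # check of the commented variant is disabled. Presumably a lab/test
  # setting — confirm before this build faces real users.
  - name: login-validator
    image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41
    # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
    command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
    net: /run/netns/login
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /var/lib/adlin/students.csv:/students.csv:ro
      - /var/lib/adlin/pxelinux.cfg:/var/tftp/pxelinux.cfg
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro

  # nginx:stable-alpine is a floating tag (covered by the "library" trust
  # entry, but not reproducible between builds).
  - name: nginx-login
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    net: /run/netns/login
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro

  # Host-netns HTTP front (port 80 on br-ext, see rules.v4).
  - name: nginx-gw
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro

  - name: nginx-dmz
    image: nginx:stable-alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
    net: /run/netns/dmz-validator
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - /usr/share/ca-certificates:/usr/share/ca-certificates:ro

  # Recursive resolver for the lab (172.23.200.2). See unbound.conf below.
  # NOTE(review): "all" capabilities again; unbound needs little beyond
  # CAP_NET_BIND_SERVICE.
  - name: ns
    image: nemunaire/unbound:7fa2ef501be79db472de64f451b250173ace5ecf
    net: /run/netns/dmz-ns
    capabilities:
      - all
    binds:
      - /etc/unbound:/etc/unbound:ro

  - name: time
    image: linuxkit/openntpd:v0.6
    net: /run/netns/dmz-time
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_SYS_TIME
      - CAP_SYS_CHROOT
      - CAP_SYS_NICE
      - CAP_SETUID
      - CAP_SETGID
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/ntpd.conf:/etc/ntpd.conf:ro

  # Outbound relay for the lab. NOTE(review): image is unpinned and not in
  # the trust list; POSTFIX_mynetworks relays for the whole 172.23.0.0/16
  # and smtpd_tls_security_level=none keeps inbound SMTP in clear text.
  - name: postfix
    image: mwader/postfix-relay
    net: /run/netns/dmz-mail
    capabilities:
      - CAP_CHOWN
      - CAP_SYS_CHROOT
      - CAP_DAC_OVERRIDE
      - CAP_FOWNER
      - CAP_NET_BIND_SERVICE
      - CAP_SETGID
      - CAP_SETUID
    env:
      - POSTFIX_myhostname=adlin.nemunai.re
      - POSTFIX_mydestination=localhost
      - POSTFIX_mynetworks=172.23.0.0/16
      - POSTFIX_smtp_tls_security_level=may
      - POSTFIX_smtpd_tls_security_level=none
    binds:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /var/lib/adlin/postfix/mail:/var/mail
      - /var/lib/adlin/postfix/lib:/var/lib/postfix
      - /var/lib/adlin/postfix/spool:/var/spool/postfix
    runtime:
      mkdir:
        - /var/lib/adlin/postfix
        - /var/lib/adlin/postfix/mail
        - /var/lib/adlin/postfix/lib
        - /var/lib/adlin/postfix/spool

files:
  # Seeds the persistent volume and installs the root crontab.
  # The crontab is written with a heredoc ("cat <<EOF > file"); without the
  # "<<EOF" the "* * * * *" line would be executed as a command instead.
  # NOTE(review): SECRET_KEY is a hard-coded secret committed with the
  # image description; load it from the persistent volume or a secret
  # store instead of this file.
  - path: etc/init.d/011-copy-to-var
    contents: |
      #!/bin/sh
      cp -r /srv/tftp/pxelinux.cfg /var/lib/adlin/
      touch /var/lib/adlin/dhcp/dhcpd.leases
      mkdir -p /var/spool/cron/crontabs
      cat <<EOF > /var/spool/cron/crontabs/root
      * * * * * SECRET_KEY=felixfixit /usr/sbin/ping-checker
      EOF
      /usr/sbin/crond
    mode: "0755"

  # Point the host at the DMZ resolver (ns service).
  - path: etc/init.d/021-nameserver
    contents: |
      #!/bin/sh
      echo nameserver 172.23.200.2 > /etc/resolv.conf
    mode: "0755"

  # - path: etc/init.d/011-adlin
  #   contents: |
  #     #!/bin/sh
  #     ip route add default via 172.17.0.1
  #     /sbin/sysctl -w net.ipv4.ip_forward=1
  #     echo nameserver 8.8.8.8 > /etc/resolv.conf
  #     mkdir /tmp/newroot
  #     mount -t tmpfs none /tmp/newroot
  #     mkdir /tmp/newroot/etc
  #     cp -r /etc/apk /tmp/newroot/etc
  #     apk add --no-cache --initdb -p /tmp/newroot iptables nftables
  #     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
  #     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
  #     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
  #     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
  #     LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
  #   mode: "0755"

  # Applied by the sysctl onboot step; 99- sorts after 00-linuxkit.conf.
  - path: etc/sysctl.d/99-ipfwd.conf
    contents: |
      net.ipv4.ip_forward = 1
      net.ipv6.conf.all.disable_ipv6 = 1
    mode: "0644"

  - path: etc/sysctl.d/00-linuxkit.conf
    contents: |
      # from Alpine defaults
      net.ipv4.tcp_syncookies = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.ping_group_range=999 59999
      # general limits
      vm.max_map_count = 262144
      vm.overcommit_memory = 1
      net.core.somaxconn = 1024
      net.ipv4.neigh.default.gc_thresh1 = 80000
      net.ipv4.neigh.default.gc_thresh2 = 90000
      net.ipv4.neigh.default.gc_thresh3 = 100000
      fs.aio-max-nr = 1048576
      fs.inotify.max_user_watches = 524288
      fs.file-max = 524288
      # for rngd
      kernel.random.write_wakeup_threshold = 3072
      # security restrictions
      kernel.kptr_restrict = 2
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.conf.default.accept_source_route = 0
      net.ipv6.conf.all.accept_redirects = 0
      net.ipv6.conf.default.accept_redirects = 0
      kernel.dmesg_restrict = 1
      kernel.perf_event_paranoid = 3
      fs.protected_hardlinks = 1
      fs.protected_symlinks = 1
      # Prevent ebpf privilege escalation
      # see: https://lwn.net/Articles/742170
      kernel.unprivileged_bpf_disabled=1
    mode: "0644"

  # Root SSH key, taken from the build host at build time.
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_ed25519.pub
    mode: "0400"

  # Firewall loaded by the "fw" onboot step.
  # The INPUT ssh rule now carries "-p tcp": the tcp match is only valid
  # with the tcp protocol, so the previous "-m tcp --dport ssh" line is
  # rejected by iptables-restore, which aborts the whole *filter table and
  # leaves INPUT at its open default.
  # NOTE(review): the FORWARD policy is ACCEPT, so every FORWARD ACCEPT
  # rule below is a no-op and only the DHCP DROP has an effect; a DROP
  # policy looks intended — confirm. "-s 172.23.255.2/24" is normalised to
  # the whole 172.23.255.0/24; use /32 if only the login host was meant.
  - path: etc/iptables/rules.v4
    contents: |
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE
      COMMIT
      *filter
      :INPUT DROP [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      [0:0] -A INPUT -i lo -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A INPUT -i br-ext -p tcp --dport ssh -j ACCEPT
      [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
      [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
      [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
      [0:0] -A INPUT -p udp --sport 7000 -j DROP
      [0:0] -A INPUT -p udp --dport 7000 -j DROP
      [0:0] -A INPUT -j LOG
      [0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
      [0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
      [0:0] -A FORWARD -i br-int -j ACCEPT
      [0:0] -A FORWARD -o br-int -j ACCEPT
      [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
      [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
      [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
      [0:0] -A FORWARD -j LOG
      COMMIT
    mode: "0440"

  # Resolver config for the "ns" service.
  # NOTE(review): domain-insecure "." plus val-permissive-mode disable
  # DNSSEC validation for everything, and queries are forwarded in clear
  # to 8.8.8.8; intentional for a lab, but not a validating resolver.
  - path: etc/unbound/unbound.conf
    contents: |
      server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 172.23.0.0/16 allow
        log-queries: yes
        log-replies: yes
        use-syslog: no
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
        local-zone: "adlin.nemunai.re" typetransparent
        local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
        local-data: "auth.adlin.nemunai.re A 172.23.255.2"
      remote-control:
        control-enable: no
      forward-zone:
        name: "."
        forward-addr: 8.8.8.8
    mode: "0440"

  # NOTE(review): the postfix service above does not bind this file (it is
  # configured through POSTFIX_* env vars, which disagree with it on
  # mynetworks); presumably unused — verify or remove.
  - path: etc/postfix/main.cf
    contents: |
      myorigin = adlin.nemunai.re
      mydestination =
      local_recipient_maps =
      local_transport = error:local mail delivery is disabled
      mynetworks = 127.0.0.0/8
      relay_domains = nemunai.re
      parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
    mode: "0440"

  # TLS material for the three nginx instances (all run their master as
  # root, so the key does not need to be world-readable).
  - path: etc/nginx/ssl/fullchain.pem
    source: ssl/fullchain.pem
    mode: "0644"
  - path: etc/nginx/ssl/privkey.pem
    source: ssl/privkey.pem
    mode: "0400"

  # Host-netns HTTP front: 403 on "/", /iamalive proxied upstream.
  # NOTE(review): the https upstream is proxied without proxy_ssl_verify,
  # so its certificate is not checked; the CA bundle is already bound
  # into the container if you want to enable it.
  - path: etc/nginx/nginx-gw.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request"' '$status $body_bytes_sent "$http_referer"' '"$http_user_agent""$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        resolver 9.9.9.9;

        server {
          listen 80 default;
          listen [::]:80 default;

          location = /{
            return 403;
          }

          location /iamalive {
            proxy_pass https://82.64.31.248/challenge;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.0.1;
            proxy_redirect off;
          }
        }
      }
    mode: "0440"

  # HTTPS front in the "login" netns; /login goes to login-validator:8081.
  - path: etc/nginx/nginx-login.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request"' '$status $body_bytes_sent "$http_referer"' '"$http_user_agent""$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        server {
          listen 443 default ssl;
          listen [::]:443 default ssl;

          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;
          ssl_certificate /etc/nginx/ssl/fullchain.pem;
          ssl_certificate_key /etc/nginx/ssl/privkey.pem;

          location = /{
            return https://adlin.nemunai.re/;
          }

          location /login {
            proxy_pass http://localhost:8081/login;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_redirect off;
          }
        }
      }
    mode: "0440"

  # DMZ front (validator netns): HTTP and HTTPS proxies to the upstream.
  # default_type is "application/octet-stream" (the previous value was a
  # mis-encoded copy of it). Same unverified-upstream remark as nginx-gw.
  - path: etc/nginx/nginx-dmz.conf
    contents: |
      user nginx;
      worker_processes 2;

      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request"' '$status $body_bytes_sent "$http_referer"' '"$http_user_agent""$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        server_tokens off;
        #tcp_nopush on;

        keepalive_timeout 65;

        #gzip on;

        resolver 9.9.9.9;

        server {
          listen 80 default;
          listen [::]:80 default;

          location = /{
            return https://adlin.nemunai.re/;
          }

          location /challenge {
            proxy_pass https://82.64.31.248/challenge;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /echorequest {
            proxy_pass https://82.64.31.248/echorequest;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /testdisk {
            proxy_pass https://82.64.31.248/testdisk;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto http;
            proxy_redirect off;
          }

          location /sshkeys {
            return https://adlin.nemunai.re/sshkeys;
          }
        }

        server {
          listen 443 default ssl;
          listen [::]:443 default ssl;

          ssl_protocols TLSv1.2;
          ssl_prefer_server_ciphers on;
          ssl_certificate /etc/nginx/ssl/fullchain.pem;
          ssl_certificate_key /etc/nginx/ssl/privkey.pem;

          location = /{
            return https://adlin.nemunai.re/;
          }

          location /challenge {
            proxy_pass https://82.64.31.248/challenge;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /echorequest {
            proxy_pass https://82.64.31.248/echorequest;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /testdisk {
            proxy_pass https://82.64.31.248/testdisk;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /sshkeys {
            proxy_pass https://82.64.31.248/sshkeys;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }

          location /api/students {
            proxy_pass https://82.64.31.248;
            proxy_set_header Host adlin.nemunai.re;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-By 172.23.200.1;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
          }
        }
      }
    mode: "0440"

  # PXE pool (172.23.255.0/24, boots ipxe.efi or pxelinux.0 by client
  # arch) and the VLAN7 pool (172.23.128.0/18).
  - path: etc/dhcp/dhcpd.conf
    contents: |
      authoritative;
      default-lease-time 7200;
      max-lease-time 7200;

      option client-arch code 93 = unsigned integer 16;

      subnet 172.23.255.0 netmask 255.255.255.0 {
        range 172.23.255.10 172.23.255.254;
        option subnet-mask 255.255.255.0;
        option broadcast-address 172.23.255.255;
        next-server 172.23.255.1;

        if option client-arch != 00:00 {
          filename "ipxe.efi";
        } else {
          filename "bios/pxelinux.0";
        }
      }

      subnet 172.23.128.0 netmask 255.255.192.0 {
        range 172.23.128.10 172.23.191.250;
        option routers 172.23.191.254;
        option subnet-mask 255.255.192.0;
        option broadcast-address 172.23.191.255;
      }
    mode: "0440"

  - path: etc/ntpd.conf
    contents: |
      listen on *
      server 95.81.173.8
      server 95.81.173.74
      server 95.81.173.155
      server 51.15.180.229
    mode: "0440"

  # TFTP tree served by tftpd (read-only bind; pxelinux.cfg is overlaid
  # from the persistent volume at runtime).
  - path: srv/tftp
    directory: true
    mode: "0755"
  - path: srv/tftp/bios/ldlinux.c32
    source: /usr/share/syslinux/ldlinux.c32
    mode: "0644"
  - path: srv/tftp/bios/libcom32.c32
    source: /usr/share/syslinux/libcom32.c32
    mode: "0644"
  - path: srv/tftp/bios/libutil.c32
    source: /usr/share/syslinux/libutil.c32
    mode: "0644"
  - path: srv/tftp/bios/menu.c32
    source: /usr/share/syslinux/menu.c32
    mode: "0644"
  - path: srv/tftp/bios/poweroff.c32
    source: /usr/share/syslinux/poweroff.c32
    mode: "0644"
  - path: srv/tftp/bios/pxelinux.0
    source: /usr/share/syslinux/pxelinux.0
    mode: "0644"
  - path: srv/tftp/bios/vesamenu.c32
    source: /usr/share/syslinux/vesamenu.c32
    mode: "0644"
  - path: srv/tftp/bios/pxelinux.cfg
    directory: true
    mode: "0755"
  - path: srv/tftp/pxelinux.cfg/default
    source: tftp/pxelinux.cfg/default
    mode: "0644"
  - path: srv/tftp/pxelinux.cfg/tpl
    source: tftp/pxelinux.cfg/tpl
    mode: "0644"
  - path: srv/tftp/pxelinux.cfg/tpl.ipxe
    source: tftp/pxelinux.cfg/tpl.ipxe
    mode: "0644"
  - path: srv/tftp/ipxe.efi
    source: tftp/ipxe.efi
    mode: "0644"
  - path: usr/sbin/ping-checker
    source: ping-checker.sh
    mode: "0755"
  - path: srv/tftp/bzImage
    source: challenge-kernel
    mode: "0644"
  - path: srv/tftp/login-initrd.img
    source: tftp/login-initrd.img
    mode: "0644"
  - path: srv/tftp/challenge-initrd.img
    source: challenge-initrd.img
    mode: "0644"

# Content trust is enforced only for these organisations; images from
# other namespaces (joebiellik, mwader, nemunaire) are pulled as-is.
trust:
  org:
    - linuxkit
    - library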