
# Kernel image and boot command line for the LinuxKit build.
kernel:
  image: linuxkit/kernel:5.15.110
  # Alternatives kept for reference: the first adds a serial console, the
  # second sets adlin.network=alt, which etc/init.d/011-adlin-net greps in
  # /proc/cmdline to pick the alternate default route.
  # cmdline: "console=tty0 console=ttyS0"
  # cmdline: "console=tty0 adlin.network=alt"
  cmdline: "console=tty0"
# Base system layers (init, runc, containerd, CA bundle, getty, monit).
# NOTE(review): every tag below is a commit-style hex id, not an image
# digest; tags can be re-pushed, so pinning with @sha256:<digest> would make
# the base system reproducible. Commented entries are disabled, not removed.
init:
- linuxkit/init:14df799bb3b9e0eb0491da9fda7f32a108a2e2a5
- linuxkit/runc:436357ce16dd663e24f595bcec26d5ae476c998e
- linuxkit/containerd:eeb3aaf497c0b3f6c67f3a245d61ea5a568ca718
- linuxkit/ca-certificates:4de36e93dc87f7ccebd20db616ed10d381911d32
# - linuxkit/firmware:a17106a98940006529c714a3783eb03238c335a7
- linuxkit/getty:06f34bce0facea79161566d67345c3ea49965437
- nemunaire/monit:8806445ad766fd013f60d620361655f956eb634e
# - nemunaire/iscsi-target:8872d1c5e0cefe3c36b60e873b8452aefb19d84d
# One-shot containers, run in this order before the services start.
onboot:
- name: sysctl
  image: linuxkit/sysctl:e5959517fab7b44692ad63941eecf37486e73799
  binds:
  - /etc/sysctl.d/:/etc/sysctl.d/:ro
# Mount first drive to enable some persistence
# (/var/lib/adlin is the state directory most services below bind).
- name: mount
  image: linuxkit/mount:a8581e454f846690d09e2e7c6287d3c84ca53257
  command: ["/usr/bin/mountie", "-device", "/dev/sda", "/var/lib/adlin" ]
# Network: interface for login-validator
# Each *-iface-setup container below starts in a fresh network namespace:
# runtime.interfaces creates a veth pair (vethin-* inside the namespace,
# veth-* left on the host for the bridges built in etc/init.d/011-adlin-net),
# the command assigns addresses and a default route inside, and bindNS
# publishes the namespace under /run/netns/ so services can join it via `net:`.
- name: login-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ]
  net: new
  runtime:
    interfaces:
    - name: vethin-login
      add: veth
      peer: veth-login
    bindNS:
      net: /run/netns/login
# Network: internet DMZ ###########################################
# wg-manager
# Also brings up wg0 from the bound wg0.conf and loads rules-wg.v4 (bound as
# /etc/iptables/rules.v4) inside the namespace. The default route points at
# 10.224.33.252, which 011-adlin-net assigns to br-ext.
- name: wg-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.17.0.15/16 dev vethin-wg; ip a add 10.224.33.251/24 dev vethin-wg; ip link set vethin-wg address 0e:f2:7e:10:58:69; ip link set vethin-wg up; ip route add default via 10.224.33.252; wg-quick up wg0; /sbin/iptables-restore < /etc/iptables/rules.v4;" ]
  net: new
  binds:
  - /etc/iptables/rules-wg.v4:/etc/iptables/rules.v4
  - /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
  runtime:
    interfaces:
    - name: vethin-wg
      add: veth
      peer: veth-wg
    bindNS:
      net: /run/netns/dmzi-wg
# Network: services DMZ ###########################################
# All four namespaces below sit on 172.23.200.0/24; their gateway
# 172.23.200.254 is br-int, built in 011-adlin-net.
# token-validator
- name: validator-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ]
  net: new
  runtime:
    interfaces:
    - name: vethin-vldtr
      add: veth
      peer: veth-validator
    bindNS:
      net: /run/netns/dmz-validator
# domain name
- name: ns-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ]
  net: new
  runtime:
    interfaces:
    - name: vethin-ns
      add: veth
      peer: veth-ns
    bindNS:
      net: /run/netns/dmz-ns
# time server
- name: time-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ]
  net: new
  runtime:
    interfaces:
    - name: vethin-time
      add: veth
      peer: veth-time
    bindNS:
      net: /run/netns/dmz-time
# mail server
- name: mail-iface-setup
  image: linuxkit/ip:c88e3272e3b12edec454e4720da8bb70a7655bc7
  command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ]
  net: new
  runtime:
    interfaces:
    - name: vethin-mail
      add: veth
      peer: veth-mail
    bindNS:
      net: /run/netns/dmz-mail
# Network: exposed ################################################
# See etc/init.d/011-adlin-net instead: the br-int/br-ext bridges are
# assembled there, in the host namespace, from the veth-* peers above.
# Long-running containers. Entries without `net:` stay in the host
# namespace; the others join a namespace published by an onboot step.
services:
- name: rngd
  image: linuxkit/rngd:331294919ba6d953d261a2694019b659a98535a4
# Host-namespace sshd. Root logs in with the authorized_keys file bound
# read-only below; tcp/22 from br-ext is accepted by etc/iptables/rules.v4.
# The state directory is bound writable so an operator can edit it.
- name: sshd
  image: linuxkit/sshd:62036c2a279715d05e8298b9269a0659964f2619
  binds.add:
  - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
  - /var/lib/adlin:/var/lib/adlin
# DHCP/PXE server for the boot network, configured by etc/dhcp/dhcpd.conf;
# leases persist under /var/lib/adlin/dhcp.
# NOTE(review): `joebiellik/dhcpd` has no tag or digest at all, so it
# resolves to :latest at build time — the only image here in that state.
# Pin it like the other images.
- name: dhcpd
  image: joebiellik/dhcpd
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_NET_RAW
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  binds:
  - /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
  - /var/lib/adlin/dhcp:/var/lib/dhcp/
  runtime:
    mkdir:
    - /var/lib/adlin/dhcp
# TFTP server for PXE boot. The image tree under /srv/tftp is read-only;
# pxelinux.cfg and the per-student shadows directory come from persistent
# storage and are served under both the bios/ and the root path.
# NOTE(review): `capabilities: [all]` is broader than a TFTP daemon needs
# (udp/69 requires CAP_NET_BIND_SERVICE); check what the image's entrypoint
# actually requires before narrowing.
- name: tftpd
  image: nemunaire/tftpd:4fe95ed57b7eea7e5d6156ce069415b2e5f7f307
  capabilities:
  - all
  binds:
  - /srv/tftp:/srv/tftp:ro
  - /var/lib/adlin/pxelinux.cfg:/srv/tftp/bios/pxelinux.cfg
  - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
  - /var/lib/adlin/shadows:/srv/tftp/s
# Runs in the wg DMZ namespace. Judging by its flags it answers ARP on
# vethin-wg for 172.17.0.15, the address wg-iface-setup assigns there; the
# binary's exact behaviour is outside this file.
- name: arp-spoofer
  image: nemunaire/adlin-arp-spoofer:7ba6db0a5707c58f735a9a272be341ba5fffc5bf
  command: ["/bin/arp-spoofer", "-iface=vethin-wg", "-ip-spoof=172.17.0.15"]
  net: /run/netns/dmzi-wg
# Authentication backend in the `login` namespace: listens on :8081 behind
# nginx-login and checks credentials against the CRI.EPITA.FR Kerberos
# realm. The commented commands are the other backends the binary accepts
# (ldap, forwarding to an HTTP endpoint, none). It reads the student list
# from persistent storage and writes PXE configs and shadows into the
# directories tftpd serves; the CA bundle is bound for the TLS clients.
- name: login-validator
  image: nemunaire/adlin-login-validator:7b6560b8ebf5d726ac1f2740621075dfb59b5e58
  # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
  command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"]
  # command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
  # command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
  net: /run/netns/login
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /var/lib/adlin/students:/data/:ro
  - /var/lib/adlin/pxelinux.cfg:/var/tftp/pxelinux.cfg
  - /var/lib/adlin/shadows:/var/tftp/shadows
  - /srv/solver.sh:/var/solver.sh:ro
  - /srv/tftp/challenge-initrd.img:/var/tftp/challenge-initrd.img:ro
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
  runtime:
    mkdir:
    - /var/lib/adlin/students
# TLS front end for login-validator, in the same `login` namespace,
# configured by etc/nginx/nginx-login.conf.
# NOTE(review): `nginx:stable-alpine` is a moving tag (same for nginx-gw
# and nginx-dmz); pin a digest if builds are expected to be reproducible.
- name: nginx-login
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  net: /run/netns/login
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
# Host-namespace gateway proxy: etc/nginx/nginx-gw.conf binds 172.23.0.1:80
# on br-ext, the only port rules.v4 accepts on that address.
- name: nginx-gw
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
# Challenge proxy in the dmz-validator namespace (172.23.200.1), configured
# by etc/nginx/nginx-dmz.conf; serves plain HTTP and two HTTPS identities.
- name: nginx-dmz
  image: nginx:stable-alpine
  capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_CHOWN
  - CAP_SETUID
  - CAP_SETGID
  - CAP_DAC_OVERRIDE
  net: /run/netns/dmz-validator
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
  - /etc/nginx/ssl/:/etc/nginx/ssl/:ro
  - /etc/ssl/certs:/etc/ssl/certs:ro
  - /usr/share/ca-certificates:/usr/share/ca-certificates:ro
# WireGuard manager on :80 inside the dmzi-wg namespace; rules.v4 only
# forwards tcp/80 to it from 172.17.0.0/16. Full capabilities are granted,
# presumably for interface/peer management — verify against the image.
- name: wg
  image: nemunaire/wg-manager:13779ec800f6d19dbaf7f6df8547c0b13f17a2e3
  command: ["/bin/wg-manager", "-bind=:80" ]
  capabilities:
  - all
  net: /run/netns/dmzi-wg
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
# Unbound resolver in the dmz-ns namespace (172.23.200.2), the address
# etc/init.d/021-nameserver writes into the host resolv.conf.
- name: ns
  image: nemunaire/unbound:22c723d1573625a77fe28eeb067ca0d1491f6742
  net: /run/netns/dmz-ns
  capabilities:
  - all
  binds:
  - /etc/unbound:/etc/unbound:ro
# chronyd in the foreground (-d) inside dmz-time; CAP_SYS_TIME lets it step
# and slew the clock, the rest covers binding udp/123 and dropping privileges.
- name: time
  image: nemunaire/chrony:cdcbb129ae520331e84a99c03850680fe0e4ea36
  command: ["/usr/sbin/chronyd", "-d"]
  net: /run/netns/dmz-time
  capabilities:
  - CAP_CHOWN
  - CAP_DAC_OVERRIDE
  - CAP_NET_BIND_SERVICE
  - CAP_SYS_TIME
  - CAP_SETUID
  - CAP_SETGID
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /etc/chrony/chrony.conf:/etc/chrony/chrony.conf:ro
# Outbound relay in dmz-mail: only 172.23.200.0/24 may submit, local
# delivery is disabled, and nemunai.re is the sole relay domain (routed by
# etc/postfix/transport). smtpd_tls_security_level=none means submissions
# from the DMZ are in clear text; outbound TLS is opportunistic (may).
# The env values are passed verbatim — including the literal double quotes
# on mydestination and local_transport — so the image's entrypoint is
# presumably the one stripping them; confirm if mail routing misbehaves.
- name: postfix
  image: nemunaire/postfix:e124ee4a989579997e4d73ac2346a132ff07be3c
  net: /run/netns/dmz-mail
  capabilities:
  - CAP_CHOWN
  - CAP_SYS_CHROOT
  - CAP_DAC_OVERRIDE
  - CAP_FOWNER
  - CAP_NET_BIND_SERVICE
  - CAP_SETGID
  - CAP_SETUID
  env:
  - POSTFIX_myhostname=adlin.nemunai.re
  - POSTFIX_mydestination=""
  - POSTFIX_local_transport="error:local mail delivery is disabled"
  - POSTFIX_mynetworks=172.23.200.0/24
  - POSTFIX_relay_domains=nemunai.re
  - POSTFIX_smtp_tls_security_level=may
  - POSTFIX_smtpd_tls_security_level=none
  - POSTFIX_maillog_file=/dev/stdout
  - POSTFIX_transport_maps=texthash:/etc/postfix/transport
  binds:
  - /etc/resolv.conf:/etc/resolv.conf:ro
  - /var/lib/adlin/postfix/mail:/var/mail
  - /var/lib/adlin/postfix/lib:/var/lib/postfix
  - /var/lib/adlin/postfix/spool:/var/spool/postfix
  - /etc/postfix/transport:/etc/postfix/transport
  runtime:
    mkdir:
    - /var/lib/adlin/postfix
    - /var/lib/adlin/postfix/mail
    - /var/lib/adlin/postfix/lib
    - /var/lib/adlin/postfix/spool
# Files placed in the image root: `source:` copies from the build host,
# `contents:` embeds the text inline. The etc/init.d scripts are numbered so
# they sort in the intended order.
files:
# Seeds persistent storage from the image (pxelinux.cfg, an empty leases
# file) and installs a root crontab running ping-checker every minute.
# NOTE(review): SECRET_KEY=felixfixit is baked into the image in clear text;
# once this file is in a repository the value has to be treated as known,
# so inject it at build time rather than embedding it here.
- path: etc/init.d/011-copy-to-var
  contents: |
    #!/bin/sh
    mkdir -p /var/lib/adlin/shadows
    cp -r /srv/tftp/pxelinux.cfg /var/lib/adlin/
    touch /var/lib/adlin/dhcp/dhcpd.leases
    mkdir -p /var/spool/cron/crontabs
    cat <<EOF > /var/spool/cron/crontabs/root
    * * * * * SECRET_KEY=felixfixit /usr/sbin/ping-checker
    EOF
    /usr/sbin/crond
  mode: "0755"
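# Refreshes each student's challenge initrd from the image copy and
# re-appends that student's `shadow` file when one exists. An unmatched glob
# would otherwise leave the literal pattern in IRD and make `cat >` fail, and
# a trailing failed `[ -f ]` test used to set the script's exit status.
- path: etc/init.d/032-update-std-initrd
  contents: |
    #!/bin/sh
    for IRD in /var/lib/adlin/shadows/*/challenge-initrd.img
    do
      # No student directory yet: the glob did not expand, skip it.
      [ -e "${IRD}" ] || continue
      cat "/srv/tftp/challenge-initrd.img" > "${IRD}"
      SHADOW="${IRD%/challenge-initrd.img}/shadow"
      if [ -f "${SHADOW}" ]; then
        cat "${SHADOW}" >> "${IRD}"
      fi
    done
  mode: "0755"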
# Points the host resolver at the unbound service (172.23.200.2, assigned in
# ns-iface-setup); every service that binds /etc/resolv.conf inherits it.
- path: etc/init.d/021-nameserver
  contents: |
    #!/bin/sh
    echo nameserver 172.23.200.2 > /etc/resolv.conf
  mode: "0755"
# Host-namespace network assembly. br-int (172.23.200.254) joins the four
# services-DMZ veths; br-ext carries the boot network (172.23.255.1), the
# uplink address 10.224.33.252, 172.23.0.1/17, eth0 and the login/wg veths,
# with a fixed MAC. The default route depends on adlin.network=alt being in
# the kernel cmdline, then the firewall is loaded.
# NOTE(review): `grep … && A || B` is not if/else — should the first
# `ip route add` fail, B runs as well. Harmless here, but a plain if/else
# would state the intent.
- path: etc/init.d/011-adlin-net
  contents: |
    #!/bin/sh
    ip l add br-int type bridge
    ip a add 172.23.200.254/24 dev br-int;
    ip link set veth-validator master br-int;
    ip link set veth-ns master br-int;
    ip link set veth-time master br-int;
    ip link set veth-mail master br-int;
    ip link set br-int up;
    ip link set veth-validator up;
    ip link set veth-ns up;
    ip link set veth-time up;
    ip link set veth-mail up;
    ip l add br-ext type bridge
    ip a add 172.23.255.1/24 dev br-ext;
    ip a add 10.224.33.252/24 dev br-ext;
    ip a add 172.23.0.1/17 dev br-ext;
    ip link set br-ext address 0e:f2:7e:10:58:68;
    ip link set eth0 master br-ext;
    ip link set veth-login master br-ext;
    ip link set veth-wg master br-ext;
    ip link set br-ext up;
    ip link set veth-login up;
    ip link set veth-wg up;
    ip link set eth0 up;
    grep adlin.network=alt /proc/cmdline > /dev/null &&
    ip route add default via 10.224.33.254 ||
    ip route add default via 10.224.33.1
    /sbin/iptables-restore < /etc/iptables/rules.v4;
  mode: "0755"
# Routing between the bridges needs ip_forward; IPv6 is switched off
# entirely; nf_log_all_netns=1 lets the `-j LOG` rules loaded inside the
# dmzi-wg namespace (rules-wg.v4) reach the host log instead of being
# silently dropped for non-initial namespaces.
- path: etc/sysctl.d/99-adlin-net.conf
  contents: |
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.arp_ignore = 2
    net.ipv6.conf.all.disable_ipv6 = 1
    net.netfilter.nf_log_all_netns = 1
  mode: "0644"
# Stock LinuxKit sysctl defaults (Alpine-derived limits plus the usual
# hardening toggles: rp_filter, no redirects/source routing, restricted
# kptr/dmesg/perf, protected links, unprivileged BPF off). Kept verbatim;
# 99-adlin-net.conf above overrides what this deployment changes.
- path: etc/sysctl.d/00-linuxkit.conf
  contents: |
    # from Alpine defaults
    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.ping_group_range=999 59999
    # general limits
    vm.max_map_count = 262144
    vm.overcommit_memory = 1
    net.core.somaxconn = 1024
    net.ipv4.neigh.default.gc_thresh1 = 80000
    net.ipv4.neigh.default.gc_thresh2 = 90000
    net.ipv4.neigh.default.gc_thresh3 = 100000
    fs.aio-max-nr = 1048576
    fs.inotify.max_user_watches = 524288
    fs.file-max = 524288
    # for rngd
    kernel.random.write_wakeup_threshold = 3072
    # security restrictions
    kernel.kptr_restrict = 2
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    kernel.dmesg_restrict = 1
    kernel.perf_event_paranoid = 3
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    # Prevent ebpf privilege escalation
    # see: https://lwn.net/Articles/742170
    kernel.unprivileged_bpf_disabled=1
  mode: "0644"
# Root's SSH key, taken from the build host's home directory (so the image
# is tied to whoever runs the build); root-only and bound read-only by sshd.
- path: root/.ssh/authorized_keys
  source: ~/.ssh/id_ed25519.pub
  mode: "0400"
# Host firewall, loaded last by 011-adlin-net.
# nat: everything leaving br-ext is masqueraded except traffic for
# 172.23.0.0/12. filter: INPUT drops by default and admits ssh, DHCP, TFTP
# and http to 172.23.0.1 from br-ext only; udp/7000 is dropped before the
# LOG rule. FORWARD drops by default and allows wg0<->br-ext, anything
# via br-int, br-ext traffic to/from the two 172.23 DMZ subnets, and the
# specific flows to the wg host (172.17.0.15: tcp/80 and udp/12912 from
# 172.17.0.0/16; 10.224.33.251: icmp and tcp).
# NOTE(review): `-s 172.23.255.2/24` in the br-ext hairpin rule is masked
# by iptables to 172.23.255.0/24, so it admits the whole boot subnet, not
# just the login validator; if only .2 was meant, drop the /24.
- path: etc/iptables/rules.v4
  contents: |
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    [0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/12 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    [0:0] -A INPUT -i lo -j ACCEPT
    [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
    [0:0] -A INPUT -p icmp -j ACCEPT
    [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
    [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
    [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
    [0:0] -A INPUT -i br-ext -p tcp -d 172.23.0.1 --dport 80 -j ACCEPT
    [0:0] -A INPUT -p udp --sport 7000 -j DROP
    [0:0] -A INPUT -p udp --dport 7000 -j DROP
    [0:0] -A INPUT -j LOG
    [0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
    [0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
    [0:0] -A FORWARD -i br-int -j ACCEPT
    [0:0] -A FORWARD -o br-int -j ACCEPT
    [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
    [0:0] -A FORWARD -i br-ext -p icmp -s 172.17.0.0/16 -d 172.17.0.15 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -p icmp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 80 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -p tcp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -p udp -s 172.17.0.15 -d 172.17.0.0/16 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -p icmp -s 10.224.33.251 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p icmp -d 10.224.33.251 -j ACCEPT
    [0:0] -A FORWARD -o br-ext -p tcp -s 10.224.33.251 -j ACCEPT
    [0:0] -A FORWARD -i br-ext -p tcp -d 10.224.33.251 -j ACCEPT
    [0:0] -A FORWARD -j LOG
    [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
    COMMIT
  mode: "0440"
# Resolver for the lab: answers 10.224.0.0/16 and 172.23.0.0/16, logs every
# query and reply to stdout, and forwards all names to 8.8.8.8 over plain
# DNS (no forward-tls-upstream). A root trust anchor is loaded, but
# `domain-insecure: "."` together with `val-permissive-mode: yes` means
# DNSSEC failures are never enforced. The local-data entries pin
# auth./wg.adlin.nemunai.re to the login and wg namespace addresses.
- path: etc/unbound/unbound.conf
  contents: |
    server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 10.224.0.0/16 allow
        access-control: 172.23.0.0/16 allow
        log-queries: yes
        log-replies: yes
        use-syslog: no
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
        local-zone: "adlin.nemunai.re" typetransparent
        local-data: "adlin.nemunai.re TXT 8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d"
        local-data: "auth.adlin.nemunai.re A 172.23.255.2"
        local-data: "wg.adlin.nemunai.re A 172.17.0.15"
    remote-control:
        control-enable: no
    forward-zone:
        name: "."
        forward-addr: 8.8.8.8
  mode: "0440"
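# TLS material bound read-only into the three nginx services: fullchain /
# privkey for the public name, ec_cert / ec_key for the challenge server.
# Private keys are root-only: the nginx master process (uid 0 in these
# containers, no `uid:` is set) loads them before workers drop to `user nginx`.
- path: etc/nginx/ssl/fullchain.pem
  source: ssl/fullchain.pem
  mode: "0644"
- path: etc/nginx/ssl/privkey.pem
  source: ssl/privkey.pem
  mode: "0600"
- path: etc/nginx/ssl/ec_cert.pem
  source: pkg/challenge/ssl/ec_cert.pem
  mode: "0644"
- path: etc/nginx/ssl/ec_key.pem
  source: pkg/challenge/ssl/ec_key.pem
  mode: "0600"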
# Gateway proxy on 172.23.0.1:80 (br-ext). `/` is refused; /iamalive and
# /api/students/ are proxied to 82.64.31.248 with SNI and Host set to
# adlin.nemunai.re, tagging requests with X-Forwarded-By so the upstream can
# tell which gateway relayed them.
# NOTE(review): proxy_ssl_verify is not set (nginx default: off), so the
# upstream certificate is not validated; the CA bundle the service binds
# would allow `proxy_ssl_verify on` plus proxy_ssl_trusted_certificate.
- path: etc/nginx/nginx-gw.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request"'
                        '$status $body_bytes_sent "$http_referer"'
                        '"$http_user_agent""$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        server_tokens off;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        resolver 9.9.9.9;
        server {
            listen 172.23.0.1:80 default;
            location = /{
                return 403;
            }
            location /iamalive {
                proxy_pass https://82.64.31.248/challenge;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.0.1;
                proxy_redirect off;
            }
            location /api/students/ {
                proxy_pass https://82.64.31.248;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.0.1;
                proxy_redirect off;
            }
        }
    }
  mode: "0440"
# HTTPS front for login-validator (same `login` namespace, so localhost:8081
# is the validator's -bind). `/` is a 302 to the public site (`return URL`
# without a code); /login, /passwd and /logout are proxied with the client
# address in X-Forwarded-For.
# NOTE(review): only TLSv1.2 is offered; adding TLSv1.3 is a safe extension
# on nginx/OpenSSL builds that support it.
- path: etc/nginx/nginx-login.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request"'
                        '$status $body_bytes_sent "$http_referer"'
                        '"$http_user_agent""$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        server_tokens off;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        server {
            listen 443 default ssl;
            listen [::]:443 default ssl;
            ssl_protocols TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_certificate /etc/nginx/ssl/fullchain.pem;
            ssl_certificate_key /etc/nginx/ssl/privkey.pem;
            location = /{
                return https://adlin.nemunai.re/;
            }
            location /login {
                proxy_pass http://localhost:8081;
                proxy_set_header X-Forwarded-For $remote_addr;
            }
            location /passwd {
                proxy_pass http://localhost:8081;
                proxy_set_header X-Forwarded-For $remote_addr;
            }
            location /logout {
                proxy_pass http://localhost:8081;
                proxy_set_header X-Forwarded-For $remote_addr;
            }
        }
    }
  mode: "0440"
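# Challenge proxy at 172.23.200.1. Three servers: plain HTTP (X-Forwarded-Proto
# http), the default HTTPS identity using the challenge EC certificate, and
# a named HTTPS server for adlin.nemunai.re using the public certificate.
# All challenge paths go to 82.64.31.248 with SNI/Host adlin.nemunai.re.
# Fixed here: `default_type` was mis-encoded as `applicationøctet-stream`,
# which nginx would have treated as a bogus MIME type.
# NOTE(review): as in nginx-gw.conf, proxy_ssl_verify is left at its
# default (off), so the upstream certificate is not validated.
- path: etc/nginx/nginx-dmz.conf
  contents: |
    user nginx;
    worker_processes 2;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request"'
                        '$status $body_bytes_sent "$http_referer"'
                        '"$http_user_agent""$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        server_tokens off;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        resolver 9.9.9.9;
        # Plain HTTP: proxied paths are marked X-Forwarded-Proto http.
        server {
            listen 80 default;
            listen [::]:80 default;
            location = /{
                return https://adlin.nemunai.re/;
            }
            location /challenge {
                proxy_pass https://82.64.31.248/challenge;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto http;
                proxy_redirect off;
            }
            location /toctoc {
                proxy_pass https://82.64.31.248/toctoc;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto http;
                proxy_redirect off;
            }
            location /echorequest {
                proxy_pass https://82.64.31.248/echorequest;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto http;
                proxy_redirect off;
            }
            location /testdisk {
                proxy_pass https://82.64.31.248/testdisk;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto http;
                proxy_redirect off;
            }
            location /sshkeys {
                return https://adlin.nemunai.re/sshkeys;
            }
        }
        # Default HTTPS identity: the challenge EC certificate.
        server {
            listen 443 default ssl;
            listen [::]:443 default ssl;
            ssl_protocols TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_certificate /etc/nginx/ssl/ec_cert.pem;
            ssl_certificate_key /etc/nginx/ssl/ec_key.pem;
            location = /{
                return https://adlin.nemunai.re/;
            }
            location /challenge {
                proxy_pass https://82.64.31.248/challenge;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /toctoc {
                proxy_pass https://82.64.31.248/toctoc;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /echorequest {
                proxy_pass https://82.64.31.248/echorequest;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /testdisk {
                proxy_pass https://82.64.31.248/testdisk;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /sshkeys {
                proxy_pass https://82.64.31.248/sshkeys;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /api/students {
                proxy_pass https://82.64.31.248;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
        }
        # Named HTTPS server for the public name, using the public certificate.
        server {
            listen 443 ssl;
            listen [::]:443 ssl;
            ssl_protocols TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_certificate /etc/nginx/ssl/fullchain.pem;
            ssl_certificate_key /etc/nginx/ssl/privkey.pem;
            server_name adlin.nemunai.re;
            location = /{
                return https://adlin.nemunai.re/;
            }
            location /challenge {
                proxy_pass https://82.64.31.248/challenge;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /echorequest {
                proxy_pass https://82.64.31.248/echorequest;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /testdisk {
                proxy_pass https://82.64.31.248/testdisk;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /sshkeys {
                proxy_pass https://82.64.31.248/sshkeys;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
            location /api/students {
                proxy_pass https://82.64.31.248;
                proxy_ssl_server_name on;
                proxy_ssl_name adlin.nemunai.re;
                proxy_set_header Host adlin.nemunai.re;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-By 172.23.200.1;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
            }
        }
    }
  mode: "0440"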
# Boot network 172.23.255.0/24: next-server is br-ext (172.23.255.1); EFI
# clients (client-arch option non-zero) get ipxe.efi, BIOS clients get
# bios/pxelinux.0, both from tftpd. The second, router-less-for-us subnet
# 172.23.128.0/18 has its router at 172.23.191.254, the address wg0.conf
# gives the tunnel, so it is presumably the network reached through WireGuard.
- path: etc/dhcp/dhcpd.conf
  contents: |
    authoritative;
    default-lease-time 7200;
    max-lease-time 7200;
    option client-arch code 93 = unsigned integer 16;
    subnet 172.23.255.0 netmask 255.255.255.0 {
        range 172.23.255.10 172.23.255.254;
        option subnet-mask 255.255.255.0;
        option broadcast-address 172.23.255.255;
        next-server 172.23.255.1;
        if option client-arch != 00:00 {
            filename "ipxe.efi";
        } else {
            filename "bios/pxelinux.0";
        }
    }
    subnet 172.23.128.0 netmask 255.255.192.0 {
        range 172.23.128.10 172.23.191.250;
        option routers 172.23.191.254;
        option subnet-mask 255.255.192.0;
        option broadcast-address 172.23.191.255;
    }
  mode: "0440"
# Postfix transport map (texthash, see the service env): mail for the two
# domains is delivered straight to the bracketed hosts, skipping MX lookup.
- path: etc/postfix/transport
  contents: |
    nemunai.re smtp:[82.64.31.248]
    oupaout.ra.nemunai.re smtp:[82.64.151.41]
  mode: "0440"
# OpenNTPD-style config. No service in this file binds it — the `time`
# service runs chrony with etc/chrony/chrony.conf — so it looks like a
# leftover from an earlier setup.
- path: etc/ntpd.conf
  contents: |
    listen on *
    #server 10.224.4.2
    server 51.15.180.229
    server 51.75.141.62
    server 193.200.43.105
    #servers fr.pool.ntp.org
  mode: "0440"
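# Chrony config for the `time` service: three fixed upstreams plus the
# French pool. `allow all` serves any client that can reach the dmz-time
# namespace; `local stratum 8` keeps answering while unsynchronised.
# The makestep comment used to say "1 second" while the directive says 10.
- path: etc/chrony/chrony.conf
  contents: |
    server 51.15.180.229 iburst
    server 51.75.141.62 iburst
    server 193.200.43.105 iburst
    pool fr.pool.ntp.org iburst
    # Record the rate at which the system clock gains/loses time.
    driftfile /var/lib/chrony/drift
    # In the first three updates step the system clock instead of slewing
    # if the adjustment is larger than 10 seconds (makestep <threshold> <limit>).
    makestep 10 3
    # Allow synchronization of clients even if the server is not synced itself
    local stratum 8
    allow all
  mode: "0440"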
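# WireGuard tunnel brought up by wg-iface-setup (wg-quick runs as root in
# that container, the only reader), listening on udp/12912 — the port
# rules.v4 forwards from 172.17.0.0/16 — with the /18 router address that
# dhcpd.conf hands out. Mode tightened from 0644 to 0600: a private key
# must not be world-readable inside the image.
# NOTE(review): the private key is embedded verbatim in this build file;
# a key that has been committed has to be considered exposed — rotate it and
# inject the config at build time instead of keeping the secret here.
- path: etc/wireguard/wg0.conf
  contents: |
    [Interface]
    PrivateKey = SCGCKDuTm4PMOw+LXdK/2s8mxnv145QHOohKRq3vc2A=
    ListenPort = 12912
    Address = 172.23.191.254/18
  mode: "0600"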
# Firewall loaded inside the dmzi-wg namespace (bound there as rules.v4).
# Masquerades tunnel traffic leaving on vethin-wg except for 172.17.0.0/16,
# and forwards only between wg0 and vethin-wg. INPUT is ACCEPT here: what
# reaches the namespace is limited by the host's FORWARD rules (tcp/80 and
# udp/12912 to 172.17.0.15, icmp/tcp to 10.224.33.251), not by this file.
- path: etc/iptables/rules-wg.v4
  contents: |
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    [0:0] -A POSTROUTING -o vethin-wg ! -d 172.17.0.0/16 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    [0:0] -A FORWARD -i wg0 -o vethin-wg -j ACCEPT
    [0:0] -A FORWARD -o wg0 -i vethin-wg -j ACCEPT
    [0:0] -A FORWARD -j LOG
    [0:0] -A FORWARD -j REJECT --reject-with icmp-net-prohibited
    COMMIT
  mode: "0440"
# PXE tree served read-only by tftpd: syslinux modules for BIOS clients
# under bios/, iPXE for EFI clients, and the pxelinux.cfg templates that
# 011-copy-to-var copies to persistent storage at first boot. srv/tftp/s
# is the mount point for the per-student shadows directory.
- path: srv/tftp
  directory: true
  mode: "0755"
- path: srv/tftp/s
  directory: true
  mode: "0755"
- path: srv/tftp/bios/ldlinux.c32
  source: /usr/share/syslinux/ldlinux.c32
  mode: "0644"
- path: srv/tftp/bios/libcom32.c32
  source: /usr/share/syslinux/libcom32.c32
  mode: "0644"
- path: srv/tftp/bios/libutil.c32
  source: /usr/share/syslinux/libutil.c32
  mode: "0644"
- path: srv/tftp/bios/menu.c32
  source: /usr/share/syslinux/menu.c32
  mode: "0644"
- path: srv/tftp/bios/poweroff.c32
  source: /usr/share/syslinux/poweroff.c32
  mode: "0644"
- path: srv/tftp/bios/pxelinux.0
  source: /usr/share/syslinux/pxelinux.0
  mode: "0644"
- path: srv/tftp/bios/vesamenu.c32
  source: /usr/share/syslinux/vesamenu.c32
  mode: "0644"
- path: srv/tftp/bios/pxelinux.cfg
  directory: true
  mode: "0755"
- path: srv/tftp/pxelinux.cfg/default
  source: tftp/pxelinux.cfg/default
  mode: "0644"
- path: srv/tftp/pxelinux.cfg/tpl
  source: tftp/pxelinux.cfg/tpl
  mode: "0644"
- path: srv/tftp/pxelinux.cfg/tpl.ipxe
  source: tftp/pxelinux.cfg/tpl.ipxe
  mode: "0644"
- path: srv/tftp/ipxe.efi
  source: tftp/ipxe.efi
  mode: "0644"
# Helper scripts and the boot payload. ping-checker is the cron job
# installed by 011-copy-to-var; solver.sh is bound read-only into
# login-validator. The kernel and the two initrds are what the PXE
# configs boot; challenge-initrd.img is the template 032-update-std-initrd
# copies per student. bzImage is taken from an absolute path on the build
# host, the others from the build directory.
- path: usr/sbin/ping-checker
  source: ping-checker.sh
  mode: "0755"
- path: srv/solver.sh
  source: solver.sh
  mode: "0755"
- path: srv/tftp/bzImage
  source: /var/tftp/adlin/bzImage
  mode: "0644"
- path: srv/tftp/login-initrd.img
  source: login-initrd.img
  mode: "0644"
- path: srv/tftp/challenge-initrd.img
  source: challenge-initrd.img
  mode: "0644"
# Pre-seeded root shell history: operator shortcuts for switching the
# active student list and reloading login-validator. Convenience only.
- path: root/.ash_history
  contents: |
    tail -f /var/log/login-validator.log
    ln -sf nemunaire.csv /var/lib/adlin/students/students.csv
    ln -sf students2025.csv students.csv
    pkill -HUP login-validator
    cd /var/lib/adlin
  mode: "0640"
# Content trust is required only for the linuxkit and library (official
# image) orgs; the nemunaire/ and joebiellik/ images used above are outside
# it, so their integrity rests on the tags alone.
trust:
  org:
  - linuxkit
  - library