592 lines
20 KiB
YAML
592 lines
20 KiB
YAML
kernel:
|
|
image: linuxkit/kernel:4.9.82
|
|
cmdline: "console=tty0 console=ttyS0"
|
|
|
|
init:
|
|
- linuxkit/init:d899eee3560a40aa3b4bdd67b3bb82703714b2b9
|
|
- linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
|
|
- linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
|
|
- linuxkit/ca-certificates:v0.2
|
|
- linuxkit/firmware:v0.2
|
|
- linuxkit/getty:v0.2
|
|
|
|
onboot:
|
|
- name: sysctl
|
|
image: linuxkit/sysctl:v0.2
|
|
binds:
|
|
- /etc/sysctl.d/:/etc/sysctl.d/:ro
|
|
|
|
# Network: exposed
|
|
- name: netvlan-iface-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
|
|
- name: login-iface-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.255.2/24 dev vethin-login; ip link set vethin-login up; ip route add default via 172.23.255.1;" ]
|
|
net: new
|
|
runtime:
|
|
interfaces:
|
|
- name: vethin-login
|
|
add: veth
|
|
peer: veth-login
|
|
bindNS:
|
|
net: /run/netns/login
|
|
- name: bridge-ext-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 172.17.0.1;" ]
|
|
runtime:
|
|
interfaces:
|
|
- name: br-ext
|
|
add: bridge
|
|
|
|
# Network: DMZ
|
|
- name: validator-iface-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.200.1/24 dev vethin-vldtr; ip link set vethin-vldtr up; ip route add default via 172.23.200.254;" ]
|
|
net: new
|
|
runtime:
|
|
interfaces:
|
|
- name: vethin-vldtr
|
|
add: veth
|
|
peer: veth-validator
|
|
bindNS:
|
|
net: /run/netns/dmz-validator
|
|
- name: ns-iface-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.200.254;" ]
|
|
net: new
|
|
runtime:
|
|
interfaces:
|
|
- name: vethin-ns
|
|
add: veth
|
|
peer: veth-ns
|
|
bindNS:
|
|
net: /run/netns/dmz-ns
|
|
- name: time-iface-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up; ip route add default via 172.23.200.254;" ]
|
|
net: new
|
|
runtime:
|
|
interfaces:
|
|
- name: vethin-time
|
|
add: veth
|
|
peer: veth-time
|
|
bindNS:
|
|
net: /run/netns/dmz-time
|
|
# - name: mail-iface-setup
|
|
# image: linuxkit/ip:v0.2
|
|
# command: ["/bin/sh", "-c", "ip a add 172.23.200.4/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.200.254;" ]
|
|
# net: new
|
|
# runtime:
|
|
# interfaces:
|
|
# - name: vethin-mail
|
|
# add: veth
|
|
# peer: veth-mail
|
|
# bindNS:
|
|
# net: /run/netns/dmz-mail
|
|
- name: bridge-int-setup
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
|
|
runtime:
|
|
interfaces:
|
|
- name: br-int
|
|
add: bridge
|
|
|
|
- name: fw
|
|
image: linuxkit/ip:v0.2
|
|
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ]
|
|
binds:
|
|
- /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro
|
|
|
|
services:
|
|
- name: rngd
|
|
image: linuxkit/rngd:v0.2
|
|
# - name: sshd
|
|
# image: linuxkit/sshd:v0.2
|
|
|
|
- name: dhcpd
|
|
image: joebiellik/dhcpd
|
|
capabilities:
|
|
- CAP_NET_BIND_SERVICE
|
|
- CAP_NET_RAW
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
binds:
|
|
- /etc/dhcp/dhcpd.conf:/etc/dhcp/dhcpd.conf:ro
|
|
|
|
- name: tftpd
|
|
image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9-dirty
|
|
capabilities:
|
|
- all
|
|
binds:
|
|
- /srv/tftp:/srv/tftp:ro
|
|
- /var/tftp/pxelinux.cfg:/srv/tftp/pxelinux.cfg
|
|
|
|
- name: login-validator
|
|
image: nemunaire/adlin-login-validator:6d341b97fc44723ea121c1f9a145fc7d7e7b17ca
|
|
# command: ["/bin/login-validator", "-bind=:8081", "-ldaphost=auth.cri.epita.fr", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
|
|
command: ["/bin/login-validator", "-bind=:8081", "-noauth"]
|
|
net: /run/netns/login
|
|
binds:
|
|
- /etc/resolv.conf:/etc/resolv.conf:ro
|
|
- /srv/students.csv:/students.csv:ro
|
|
- /var/tftp/pxelinux.cfg:/var/tftp/pxelinux.cfg
|
|
- /etc/ssl/certs:/etc/ssl/certs:ro
|
|
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
|
- name: nginx-login
|
|
image: nginx:stable-alpine
|
|
capabilities:
|
|
- CAP_NET_BIND_SERVICE
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
- CAP_DAC_OVERRIDE
|
|
net: /run/netns/login
|
|
binds:
|
|
- /etc/resolv.conf:/etc/resolv.conf:ro
|
|
- /etc/nginx/nginx-login.conf:/etc/nginx/nginx.conf:ro
|
|
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
|
|
|
- name: nginx-gw
|
|
image: nginx:stable-alpine
|
|
capabilities:
|
|
- CAP_NET_BIND_SERVICE
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
- CAP_DAC_OVERRIDE
|
|
binds:
|
|
- /etc/resolv.conf:/etc/resolv.conf:ro
|
|
- /etc/nginx/nginx-gw.conf:/etc/nginx/nginx.conf:ro
|
|
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
|
- /etc/ssl/certs:/etc/ssl/certs:ro
|
|
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
|
|
|
- name: nginx-dmz
|
|
image: nginx:stable-alpine
|
|
capabilities:
|
|
- CAP_NET_BIND_SERVICE
|
|
- CAP_CHOWN
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
- CAP_DAC_OVERRIDE
|
|
net: /run/netns/dmz-validator
|
|
binds:
|
|
- /etc/resolv.conf:/etc/resolv.conf:ro
|
|
- /etc/nginx/nginx-dmz.conf:/etc/nginx/nginx.conf:ro
|
|
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
|
|
- /etc/ssl/certs:/etc/ssl/certs:ro
|
|
- /usr/share/ca-certificates:/usr/share/ca-certificates:ro
|
|
|
|
- name: ns
|
|
image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0-dirty
|
|
net: /run/netns/dmz-ns
|
|
capabilities:
|
|
- all
|
|
binds:
|
|
- /etc/unbound:/etc/unbound:ro
|
|
|
|
- name: time
|
|
image: linuxkit/openntpd:v0.2
|
|
net: /run/netns/dmz-time
|
|
capabilities:
|
|
- CAP_NET_BIND_SERVICE
|
|
- CAP_SYS_TIME
|
|
- CAP_SYS_CHROOT
|
|
- CAP_SYS_NICE
|
|
- CAP_SETUID
|
|
- CAP_SETGID
|
|
binds:
|
|
- /etc/resolv.conf:/etc/resolv.conf:ro
|
|
- /etc/ntpd.conf:/etc/ntpd.conf:ro
|
|
|
|
# - name: postfix
|
|
# image: TBD
|
|
# net: /run/netns/dmz-mail
|
|
# binds:
|
|
# - /etc/postfix/main.cf:/etc/postfix/main.cf:ro
|
|
|
|
files:
|
|
- path: etc/init.d/011-copy-to-var
|
|
contents: |
|
|
#!/bin/sh
|
|
mkdir -p /var/tftp/
|
|
cp -r /srv/tftp/pxelinux.cfg /var/tftp/pxelinux.cfg
|
|
mode: "0755"
|
|
|
|
- path: etc/init.d/021-nameserver
|
|
contents: |
|
|
#!/bin/sh
|
|
echo nameserver 172.23.200.2 > /etc/resolv.conf
|
|
mode: "0755"
|
|
|
|
# - path: etc/init.d/011-adlin
|
|
# contents: |
|
|
# #!/bin/sh
|
|
# ip route add default via 172.17.0.1
|
|
# /sbin/sysctl -w net.ipv4.ip_forward=1
|
|
# echo nameserver 8.8.8.8 > /etc/resolv.conf
|
|
# mkdir /tmp/newroot
|
|
# mount -t tmpfs none /tmp/newroot
|
|
# mkdir /tmp/newroot/etc
|
|
# cp -r /etc/apk /tmp/newroot/etc
|
|
# apk add --no-cache --initdb -p /tmp/newroot iptables nftables
|
|
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
|
|
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
|
|
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
|
|
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
|
|
# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
|
|
# mode: "0755"
|
|
|
|
- path: etc/sysctl.d/99-ipfwd.conf
|
|
contents: |
|
|
net.ipv4.ip_forward = 1
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
mode: "0644"
|
|
- path: etc/sysctl.d/00-linuxkit.conf
|
|
contents: |
|
|
# from Alpine defaults
|
|
net.ipv4.tcp_syncookies = 1
|
|
net.ipv4.conf.default.rp_filter = 1
|
|
net.ipv4.conf.all.rp_filter = 1
|
|
net.ipv4.ping_group_range=999 59999
|
|
# general limits
|
|
vm.max_map_count = 262144
|
|
vm.overcommit_memory = 1
|
|
net.core.somaxconn = 1024
|
|
net.ipv4.neigh.default.gc_thresh1 = 80000
|
|
net.ipv4.neigh.default.gc_thresh2 = 90000
|
|
net.ipv4.neigh.default.gc_thresh3 = 100000
|
|
fs.aio-max-nr = 1048576
|
|
fs.inotify.max_user_watches = 524288
|
|
fs.file-max = 524288
|
|
# for rngd
|
|
kernel.random.write_wakeup_threshold = 3072
|
|
# security restrictions
|
|
kernel.kptr_restrict = 2
|
|
net.ipv4.conf.all.send_redirects = 0
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv4.conf.default.accept_source_route = 0
|
|
net.ipv6.conf.all.accept_redirects = 0
|
|
net.ipv6.conf.default.accept_redirects = 0
|
|
kernel.dmesg_restrict = 1
|
|
kernel.perf_event_paranoid = 3
|
|
fs.protected_hardlinks = 1
|
|
fs.protected_symlinks = 1
|
|
# Prevent ebpf privilege escalation
|
|
# see: https://lwn.net/Articles/742170
|
|
kernel.unprivileged_bpf_disabled=1
|
|
mode: "0644"
|
|
|
|
- path: root/.ssh/authorized_keys
|
|
source: ~/.ssh/id_ed25519.pub
|
|
mode: "0400"
|
|
|
|
- path: /srv/students.csv
|
|
source: students.csv
|
|
mode: "0400"
|
|
|
|
- path: etc/iptables/rules.v4
|
|
contents: |
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:INPUT ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
[0:0] -A POSTROUTING -o br-ext ! -d 172.23.0.0/16 -j MASQUERADE
|
|
COMMIT
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
[0:0] -A INPUT -i lo -j ACCEPT
|
|
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
[0:0] -A INPUT -p icmp -j ACCEPT
|
|
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
[0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
|
|
[0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
|
|
[0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
|
|
[0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
|
|
[0:0] -A INPUT -j LOG
|
|
[0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
|
|
[0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
|
|
[0:0] -A FORWARD -i br-int -j ACCEPT
|
|
[0:0] -A FORWARD -o br-int -j ACCEPT
|
|
[0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
|
|
[0:0] -A FORWARD -i br-ext -d 172.23.255.0/24 -j ACCEPT
|
|
[0:0] -A FORWARD -o br-ext -d 172.23.200.0/24 -j ACCEPT
|
|
[0:0] -A FORWARD -o br-ext -d 172.23.255.0/24 -j ACCEPT
|
|
[0:0] -A FORWARD -i br-ext -o br-ext -s 172.23.255.2/24 -j ACCEPT
|
|
[0:0] -A FORWARD -i br-ext -p udp --sport 68 --dport 67 -j DROP
|
|
[0:0] -A FORWARD -j LOG
|
|
COMMIT
|
|
mode: "0440"
|
|
|
|
- path: etc/unbound/unbound.conf
|
|
contents: |
|
|
server:
|
|
verbosity: 1
|
|
interface: 0.0.0.0
|
|
interface: ::0
|
|
prefer-ip6: no
|
|
access-control: 172.23.0.0/16 allow
|
|
log-queries: yes
|
|
log-replies: yes
|
|
use-syslog: no
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
qname-minimisation: yes
|
|
domain-insecure: "."
|
|
val-permissive-mode: yes
|
|
trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
|
|
local-zone: "adlin.nemunai.re" typetransparent
|
|
local-data: "adlin.nemunai.re TXT \"8dde678132d6c558fc6adaeb9f1d53bf6ec7b876308cf98c48604caa9138523c1ce58b672c87c7e7d9b7248b81804d3940dbf20bf263eeb683244f7c1143712d\""
|
|
local-data: "auth.adlin.nemunai.re A 172.23.255.2"
|
|
remote-control:
|
|
control-enable: no
|
|
forward-zone:
|
|
name: "."
|
|
forward-addr: 8.8.8.8
|
|
mode: "0440"
|
|
|
|
- path: etc/postfix/main.cf
|
|
contents: |
|
|
myorigin = adlin.nemunai.re
|
|
mydestination =
|
|
local_recipient_maps =
|
|
local_transport = error:local mail delivery is disabled
|
|
mynetworks = 127.0.0.0/8
|
|
relay_domains = nemunai.re
|
|
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
|
|
mode: "0440"
|
|
|
|
- path: etc/nginx/ssl/fullchain.pem
|
|
source: ssl/fullchain.pem
|
|
mode: "0644"
|
|
- path: etc/nginx/ssl/privkey.pem
|
|
source: ssl/privkey.pem
|
|
mode: "0644"
|
|
- path: etc/nginx/nginx-gw.conf
|
|
contents: |
|
|
user nginx;
|
|
worker_processes 2;
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /var/run/nginx.pid;
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
|
'$status $body_bytes_sent "$http_referer"'
|
|
'"$http_user_agent""$http_x_forwarded_for"';
|
|
access_log /var/log/nginx/access.log main;
|
|
sendfile on;
|
|
server_tokens off;
|
|
#tcp_nopush on;
|
|
keepalive_timeout 65;
|
|
#gzip on;
|
|
resolver 9.9.9.9;
|
|
server {
|
|
listen 80 default;
|
|
listen [::]:80 default;
|
|
location = /{
|
|
return 403;
|
|
}
|
|
location /iamalive {
|
|
proxy_pass https://82.64.31.248/challenge;
|
|
proxy_set_header Host adlin.nemunai.re;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-By 172.23.0.1;
|
|
proxy_redirect off;
|
|
}
|
|
}
|
|
}
|
|
mode: "0440"
|
|
|
|
- path: etc/nginx/nginx-login.conf
|
|
contents: |
|
|
user nginx;
|
|
worker_processes 2;
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /var/run/nginx.pid;
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
|
'$status $body_bytes_sent "$http_referer"'
|
|
'"$http_user_agent""$http_x_forwarded_for"';
|
|
access_log /var/log/nginx/access.log main;
|
|
sendfile on;
|
|
server_tokens off;
|
|
#tcp_nopush on;
|
|
keepalive_timeout 65;
|
|
#gzip on;
|
|
server {
|
|
listen 443 default ssl;
|
|
listen [::]:443 default ssl;
|
|
ssl_protocols TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
|
location = /{
|
|
return https://adlin.nemunai.re/;
|
|
}
|
|
location /login {
|
|
proxy_pass http://localhost:8081/login;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_redirect off;
|
|
}
|
|
}
|
|
}
|
|
mode: "0440"
|
|
|
|
- path: etc/nginx/nginx-dmz.conf
|
|
contents: |
|
|
user nginx;
|
|
worker_processes 2;
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /var/run/nginx.pid;
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type applicationøctet-stream;
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
|
|
'$status $body_bytes_sent "$http_referer"'
|
|
'"$http_user_agent""$http_x_forwarded_for"';
|
|
access_log /var/log/nginx/access.log main;
|
|
sendfile on;
|
|
server_tokens off;
|
|
#tcp_nopush on;
|
|
keepalive_timeout 65;
|
|
#gzip on;
|
|
resolver 9.9.9.9;
|
|
server {
|
|
listen 80 default;
|
|
listen [::]:80 default;
|
|
location = /{
|
|
return https://adlin.nemunai.re/;
|
|
}
|
|
location /challenge {
|
|
proxy_pass https://82.64.31.248/challenge;
|
|
proxy_set_header Host adlin.nemunai.re;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-By 172.23.200.1;
|
|
proxy_set_header X-Forwarded-Proto http;
|
|
proxy_redirect off;
|
|
}
|
|
location /sshkeys {
|
|
return https://adlin.nemunai.re/sshkeys;
|
|
}
|
|
}
|
|
server {
|
|
listen 443 default ssl;
|
|
listen [::]:443 default ssl;
|
|
ssl_protocols TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
|
location = /{
|
|
return https://adlin.nemunai.re/;
|
|
}
|
|
location /challenge {
|
|
proxy_pass https://82.64.31.248/challenge;
|
|
proxy_set_header Host adlin.nemunai.re;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-By 172.23.200.1;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_redirect off;
|
|
}
|
|
location /sshkeys {
|
|
proxy_pass https://82.64.31.248/sshkeys;
|
|
proxy_set_header Host adlin.nemunai.re;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-By 172.23.200.1;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_redirect off;
|
|
}
|
|
}
|
|
}
|
|
mode: "0440"
|
|
|
|
- path: etc/dhcp/dhcpd.conf
|
|
contents: |
|
|
authoritative;
|
|
default-lease-time 7200;
|
|
max-lease-time 7200;
|
|
subnet 172.23.255.0 netmask 255.255.255.0 {
|
|
range 172.23.255.10 172.23.255.254;
|
|
option routers 172.23.255.1;
|
|
option subnet-mask 255.255.255.0;
|
|
option broadcast-address 172.23.255.255;
|
|
next-server 172.23.255.1;
|
|
filename "pxelinux.0";
|
|
}
|
|
mode: "0440"
|
|
|
|
- path: etc/ntpd.conf
|
|
contents: |
|
|
listen on *
|
|
server 95.81.173.8
|
|
server 95.81.173.74
|
|
server 95.81.173.155
|
|
server 51.15.180.229
|
|
mode: "0440"
|
|
|
|
- path: srv/tftp
|
|
directory: true
|
|
mode: "0755"
|
|
|
|
- path: srv/tftp/ldlinux.c32
|
|
source: /usr/share/syslinux/ldlinux.c32
|
|
mode: "0644"
|
|
- path: srv/tftp/libcom32.c32
|
|
source: /usr/share/syslinux/libcom32.c32
|
|
mode: "0644"
|
|
- path: srv/tftp/libutil.c32
|
|
source: /usr/share/syslinux/libutil.c32
|
|
mode: "0644"
|
|
- path: srv/tftp/menu.c32
|
|
source: /usr/share/syslinux/menu.c32
|
|
mode: "0644"
|
|
- path: srv/tftp/poweroff.c32
|
|
source: /usr/share/syslinux/poweroff.c32
|
|
mode: "0644"
|
|
- path: srv/tftp/pxelinux.0
|
|
source: /usr/share/syslinux/pxelinux.0
|
|
mode: "0644"
|
|
- path: srv/tftp/pxelinux.cfg
|
|
directory: true
|
|
mode: "0755"
|
|
- path: srv/tftp/pxelinux.cfg/default
|
|
source: tftp/pxelinux.cfg/default
|
|
mode: "0644"
|
|
- path: srv/tftp/pxelinux.cfg/tpl
|
|
source: tftp/pxelinux.cfg/tpl
|
|
mode: "0644"
|
|
- path: srv/tftp/vesamenu.c32
|
|
source: /usr/share/syslinux/vesamenu.c32
|
|
mode: "0644"
|
|
|
|
- path: srv/tftp/bzImage
|
|
source: tftp/bzImage
|
|
mode: "0644"
|
|
- path: srv/tftp/initramfs-login.img
|
|
source: tftp/initramfs-login.img
|
|
mode: "0644"
|
|
- path: srv/tftp/initramfs-challenge.img
|
|
source: challenge-initrd.img
|
|
mode: "0644"
|
|
|
|
trust:
|
|
org:
|
|
- linuxkit
|
|
- library
|