kernel:
  image: linuxkit/kernel:4.19.121
  # Previous boot command line, kept for reference only. The original
  # comment also carried an `adlin.token=` value; a token that has been
  # committed to version control has to be treated as exposed, so it is
  # replaced by a placeholder here and, if still valid, should be rotated.
  # cmdline: "console=ttyS0 root=/dev/sda1 root=/dev/sr0 adlin.token=<TOKEN-REDACTED>"
  cmdline: "console=tty0"
init:
# Base system containers. init and containerd are pinned to a 40-hex tag
# (a linuxkit build hash); the v0.8 entries are release tags, which the
# registry owner can move, so they are less reproducible than a hash pin.
- linuxkit/init:a68f9fa0c1d9dbfc9c23663749a0b7ac510cbe1c
- linuxkit/runc:v0.8
- linuxkit/containerd:1ae8f054e9fe792d1dbdb9a65f1b5e14491cb106
- linuxkit/ca-certificates:v0.8
- linuxkit/getty:v0.8
onboot:
# One-shot containers, run in order before the services start.

# Persistent lab state lives on the first disk: /dev/sda is formatted and
# its first partition mounted on /var/lib/adlin. linuxkit/format is
# expected to leave an already-partitioned disk alone (otherwise the data
# would be wiped on every boot) — confirm against this image version.
- name: format
  image: linuxkit/format:v0.8
  command: ["/usr/bin/format", "/dev/sda"]
- name: mount
  image: linuxkit/mount:v0.8
  command: ["/usr/bin/mountie", "/dev/sda1", "/var/lib/adlin"]

# Applies the host's etc/sysctl.d/ (see the files section).
- name: sysctl
  image: linuxkit/sysctl:v0.8
  binds:
  - /etc/sysctl.d/:/etc/sysctl.d/:ro

# Seeds the kernel entropy pool; "-1" presumably means run once and exit.
- name: rngd1
  image: linuxkit/rngd:v0.8
  command: ["/sbin/rngd", "-1"]

# Network: external
# eth0 is moved into this container's network namespace, which is then
# published as /run/netns/router for the mainrouter service; dhcpcd
# configures it once ("-1") and exits.
- name: dhcpcd
  image: linuxkit/dhcpcd:v0.8
  command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1", "eth0"]
  net: new
  runtime:
    interfaces:
    - name: eth0
    bindNS:
      net: /run/netns/router
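services:
# Emulated workstations. Each dhcpcd container owns a network and a uts
# namespace, published under /run/netns and /run/utsns so that the
# sshd-wks-* and minichecker-wks-* containers of the same workstation can
# join them. The ethwks-* VLAN interfaces are created by
# etc/init.d/011-tuto-net; the per-workstation resolv.conf files are
# created empty by etc/init.d/011-init-disk and presumably filled by dhcpcd.
- name: dhcpcd-wks-dg1
  image: linuxkit/dhcpcd:v0.8
  hostname: wks-dg1
  net: new
  pid: new
  ipc: new
  uts: new
  runtime:
    interfaces:
    - name: ethwks-dg1
    bindNS:
      net: /run/netns/wks-dg1
      uts: /run/utsns/wks-dg1
  binds:
  - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf

# wks-rh1 also receives the VM's second NIC (eth1): the welcome script asks
# the student to attach one to reach a workstation from outside the VM.
- name: dhcpcd-wks-rh1
  image: linuxkit/dhcpcd:v0.8
  hostname: wks-rh1
  net: new
  pid: new
  ipc: new
  uts: new
  runtime:
    interfaces:
    - name: eth1
    - name: ethwks-rh1
    bindNS:
      net: /run/netns/wks-rh1
      uts: /run/utsns/wks-rh1
  binds:
  - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf

- name: dhcpcd-wks-rh2
  image: linuxkit/dhcpcd:v0.8
  hostname: wks-rh2
  net: new
  pid: new
  ipc: new
  uts: new
  runtime:
    interfaces:
    - name: ethwks-rh2
    bindNS:
      net: /run/netns/wks-rh2
      uts: /run/utsns/wks-rh2
  binds:
  - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf

- name: dhcpcd-wks-cm1
  image: linuxkit/dhcpcd:v0.8
  hostname: wks-cm1
  net: new
  pid: new
  ipc: new
  uts: new
  runtime:
    interfaces:
    - name: ethwks-cm1
    bindNS:
      net: /run/netns/wks-cm1
      uts: /run/utsns/wks-cm1
  binds:
  - /var/lib/adlin/wks-cm1resolv.conf:/etc/resolv.conf

# SSH access into two of the workstations. The account database is the
# host's etc/wpasswd / etc/wshadow bound over the container's own files;
# authorized_keys are installed later by /etc/init.d/800-rw-passwd.sh.
- name: sshd-wks-dg1
  image: linuxkit/sshd:v0.8
  net: /run/netns/wks-dg1
  uts: /run/utsns/wks-dg1
  pid: new
  ipc: new
  binds:
  - /etc/ssh/sshd_config:/etc/ssh/sshd_config
  - /etc/wpasswd:/etc/passwd
  - /etc/wshadow:/etc/shadow
  - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf

- name: sshd-wks-rh1
  image: linuxkit/sshd:v0.8
  net: /run/netns/wks-rh1
  uts: /run/utsns/wks-rh1
  pid: new
  ipc: new
  binds:
  - /etc/ssh/sshd_config:/etc/ssh/sshd_config
  - /etc/wpasswd:/etc/passwd
  - /etc/wshadow:/etc/shadow
  - /var/lib/adlin/wks-rh1resolv.conf:/etc/resolv.conf

# The router the students configure (OpenWrt, judging by procd/uci). It
# runs its own init in the namespace that holds eth0, with every capability
# and a writable /etc persisted under /var/lib/adlin/wrt-etc (seeded by
# etc/init.d/014-default-router-config). `capabilities: all` makes this
# container effectively privileged with respect to the host kernel.
- name: mainrouter
  #image: nemunaire/adlin-tuto3:485bb9556ca3bc33e7fee16edd93c05f35eb1455
  image: nemunaire/router-tuto3:c07718ca23c03ff5033c4042f0cbeca6c26d4e6f
  net: /run/netns/router
  pid: new
  ipc: new
  uts: new
  hostname: router
  command: ["/sbin/init"]
  capabilities:
  - all
  mounts:
  - type: cgroup
    options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
  binds:
  - /var/lib/adlin/wrt-etc:/etc
  - /etc/rinittab:/etc/inittab
  - /etc/hosts:/etc/hosts:ro
  - /etc/dresolv.conf:/etc/resolv.conf
  - /etc/rsysctl.conf:/etc/sysctl.d/10-default.conf:ro
  - /lib/preinit/20_check_iso:/lib/preinit/20_check_iso
  - /lib/preinit/30_failsafe_wait:/lib/preinit/30_failsafe_wait
  - /lib/preinit/99_10_failsafe_login:/lib/preinit/99_10_failsafe_login

# Server containers. Each one sits in the namespace of the same name set up
# by etc/init.d/011-tuto-net (172.23.42.N, see etc/hosts). The tinydeb,
# unbound and nsd images boot a full init with all capabilities, as the
# router does.
- name: matrix
  image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
  net: /run/netns/chat
  pid: new
  ipc: new
  uts: new
  hostname: matrixsrv
  command: ["/sbin/init"]
  capabilities:
  - all
  mounts:
  - type: cgroup
    options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
  binds:
  - /etc/hosts:/etc/hosts:ro
  - /etc/dresolv.conf:/etc/resolv.conf

# Recursive resolver; its configuration is the host's etc/unbound.
- name: ns-resolv
  image: nemunaire/unbound:4988e30d81f3b1782e7bc520d2d24123930d72a6
  net: /run/netns/ns
  pid: new
  ipc: new
  uts: new
  hostname: resolvsrv
  capabilities:
  - all
  mounts:
  - type: cgroup
    options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
  binds:
  - /etc/network:/etc/network:ro
  - /etc/unbound:/etc/unbound:ro
  - /etc/services:/etc/services:ro

# Authoritative name server. The image's sample config is exposed read-only
# as /etc/nsd.sample; the live config and zone database are persisted on
# the lab disk so students' edits survive reboots.
- name: ns-auth
  image: nemunaire/nsd:b96e6b002e08afd42e4c77ee71766264c42cac57
  net: /run/netns/ns-auth
  pid: new
  ipc: new
  uts: new
  hostname: nsauthsrv
  capabilities:
  - all
  mounts:
  - type: cgroup
    options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
  binds:
  - /var/lib/adlin/nsd:/etc/nsd:rw
  - /var/lib/adlin/nsd-db:/var/db/nsd:rw
  - /etc/nsd:/etc/nsd.sample:ro
  - /etc/network:/etc/network:ro
  - /etc/services:/etc/services:ro
  - /etc/dresolv.conf:/etc/resolv.conf
  runtime:
    mkdir:
    - /var/lib/adlin/nsd
    - /var/lib/adlin/nsd-db

# PostgreSQL for miniflux / matrix / website, initialised on first start by
# the /initdb scripts from the files section. postgres:alpine is a floating
# tag, so the major version can change between builds.
- name: db
  image: postgres:alpine
  net: /run/netns/db
  pid: new
  ipc: new
  uts: new
  hostname: db
  capabilities:
  - all
  env:
  - LANG=en_US.utf8
  # Plain scalar: any quote character written here becomes part of the
  # value. The earlier `PATH="…"` form gave the container a PATH whose first
  # entry was `"/usr/local/sbin` and whose last was `/"`, both unusable.
  - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
  - PGDATA=/var/lib/postgresql/data
  # Committed lab credential (the /initdb scripts use the same password);
  # anything that can reach the server bridge can use it.
  - POSTGRES_PASSWORD=adlin2022
  binds:
  - /etc/services:/etc/services:ro
  - /initdb/:/docker-entrypoint-initdb.d/:ro
  - /var/lib/adlin/postgres:/var/lib/postgresql/data
  runtime:
    mkdir:
    - /var/lib/adlin/postgres

# - name: chat
#   image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty
#   net: /run/netns/chat
#   capabilities:
#   - all
#   command: ["/entrypoint.sh", "/mattermost/bin/platform"]
#   env:
#   - MM_USERNAME=mattermost
#   - MM_DBNAME=mattermost
#   - MM_PASSWORD=adlin2022
#   binds:
#   - /etc/services:/etc/services:ro
#   - /etc/hosts:/etc/hosts:ro

# Feed reader ("news" in etc/hosts), in the ttrss namespace. The 10 s sleep
# gives postgres time to come up before the migrations run; the admin
# account and database credentials are the committed lab defaults.
- name: miniflux
  image: miniflux/miniflux:latest
  net: /run/netns/ttrss
  uts: new
  pid: new
  ipc: new
  hostname: miniflux
  capabilities:
  - all
  command: ["/bin/sh", "-c", "sleep 10; /usr/bin/miniflux"]
  env:
  - DATABASE_URL=postgres://miniflux:adlin2022@db/miniflux?sslmode=disable
  - RUN_MIGRATIONS=1
  - CREATE_ADMIN=1
  - ADMIN_USERNAME=adeline
  - ADMIN_PASSWORD=adlin2022
  - LISTEN_ADDR=0.0.0.0:8080
  binds:
  - /etc/hosts:/etc/hosts:ro
  - /etc/dresolv.conf:/etc/resolv.conf
  - /etc/services:/etc/services:ro

# Showcase web server ("vitrine").
- name: web
  image: nemunaire/tinydeb:2ec3c0260da7242df267799dfe08fe2eb0d014b1
  net: /run/netns/web
  pid: new
  ipc: new
  uts: new
  hostname: vitrine
  command: ["/sbin/init"]
  capabilities:
  - all
  mounts:
  - type: cgroup
    options: ["rw", "nosuid", "noexec", "nodev", "relatime"]
  binds:
  - /etc/dresolv.conf:/etc/resolv.conf

# Workstation testers
# Periodic checkers running inside three of the workstation namespaces and
# reporting to the course server; they read the WireGuard directory
# read-only (which contains the student's private key and token).
- name: minichecker-wks-rh2
  image: nemunaire/minichecker:a5d37bb2ebed6df0e586184582763eb0cf727b51
  net: /run/netns/wks-rh2
  pid: new
  ipc: new
  uts: /run/utsns/wks-rh2
  command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
  binds:
  - /var/lib/adlin/wks-rh2resolv.conf:/etc/resolv.conf
  - /var/lib/adlin/wireguard/:/etc/wireguard/:ro

- name: minichecker-wks-dg1
  image: nemunaire/minichecker:a5d37bb2ebed6df0e586184582763eb0cf727b51
  net: /run/netns/wks-dg1
  pid: new
  ipc: new
  uts: /run/utsns/wks-dg1
  command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
  binds:
  - /etc/hosts-minichecker:/etc/hosts:ro
  - /var/lib/adlin/wks-dg1resolv.conf:/etc/resolv.conf
  - /var/lib/adlin/wireguard/:/etc/wireguard/:ro

# Unlike the two checkers above, this one gets no resolv.conf bind — it is
# unclear whether that is deliberate.
- name: minichecker-wks-cm1
  image: nemunaire/minichecker:a5d37bb2ebed6df0e586184582763eb0cf727b51
  net: /run/netns/wks-cm1
  pid: new
  ipc: new
  uts: /run/utsns/wks-cm1
  command: ["/bin/minichecker", "-check-interval", "50s", "-target", "https://adlin.nemunai.re"]
  binds:
  - /etc/hosts-minichecker:/etc/hosts:ro
  - /var/lib/adlin/wireguard/:/etc/wireguard/:ro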
files:
# Static host table bound read-only into several containers. The
# 172.23.42.x entries are the server namespaces set up by
# etc/init.d/011-tuto-net ("news" is the miniflux/ttrss namespace, "matrix"
# the chat one); the last line pins the course server's public address so
# it resolves even without a working resolver.
- path: etc/hosts
  contents: |
    127.0.0.1 localhost
    ::1 localhost
    172.23.42.2 ns
    172.23.42.3 ns-auth
    172.23.42.4 db
    172.23.42.5 matrix
    172.23.42.6 news
    172.23.42.7 web
    82.64.31.248 adlin.nemunai.re
  mode: "0444"
# Copy of etc/hosts used by the minichecker-wks-dg1/cm1 containers. It is
# currently identical to etc/hosts; presumably kept separate so the
# checkers' view can diverge from the servers' one.
- path: etc/hosts-minichecker
  contents: |
    127.0.0.1 localhost
    ::1 localhost
    172.23.42.2 ns
    172.23.42.3 ns-auth
    172.23.42.4 db
    172.23.42.5 matrix
    172.23.42.6 news
    172.23.42.7 web
    82.64.31.248 adlin.nemunai.re
  mode: "0444"
# Applied to the host kernel by the sysctl onboot container. With
# nf_log_all_netns=1, netfilter LOG messages emitted from non-initial
# network namespaces (the router and workstation containers) also reach
# the host kernel log; by default only the initial namespace is logged.
- path: etc/sysctl.d/adlin.conf
  contents: |
    net.netfilter.nf_log_all_netns=1
  mode: "0444"
# Enrolment helper, taken from the build tree. It is run inside the router
# namespace by 011-tuto-net, welcome and join-maatma, and from the rest of
# this file appears to produce /var/lib/adlin/wireguard/adlin.conf
# (PrivateKey, MyIPv6=, MyLogin=) from the student's token.
- path: usr/bin/ask.sh
  source: pkg/wg/ask.sh
  mode: "0755"
# Default feed list imported into miniflux by /etc/init.d/999-import-feeds.sh.
- path: /root/feeds.opml
  source: feeds.opml
  mode: "0444"
# sshd configuration bound into the sshd-wks-* containers. It is taken from
# the nsd package directory of the build tree — presumably shared with that
# image rather than specific to the workstations.
- path: etc/ssh/sshd_config
  source: pkg/nsd/sshd_config
  mode: "0644"
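# Recovery tool for the host console: drops every firewall rule on the
# router so a student locked out by their own rule set can get back in.
# It intentionally leaves the router fully open until the next reload.
- path: /usr/bin/reset-router-firewall
  contents: |
    #!/bin/sh
    # Enter all namespaces of the router's init (procd) and reset iptables:
    # flush the filter chains, set their policies to ACCEPT, flush nat.
    # Without a running router, nsenter would fail with a confusing error
    # about an empty PID, so check first.
    PS=$(pgrep procd | head -1)
    if [ -z "${PS}" ]; then
        echo "reset-router-firewall: router (procd) is not running" >&2
        exit 1
    fi
    nsenter -t "${PS}" -a -- iptables -F
    nsenter -t "${PS}" -a -- iptables -P INPUT ACCEPT
    nsenter -t "${PS}" -a -- iptables -P FORWARD ACCEPT
    nsenter -t "${PS}" -a -- iptables -P OUTPUT ACCEPT
    nsenter -t "${PS}" -a -- iptables -t nat -F
  mode: "0755"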
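# Host-side wrapper so `wg` on the console operates in the router network
# namespace, where wg0 lives.
- path: /usr/sbin/wg
  contents: |
    #!/bin/sh
    # The original had no interpreter line and forwarded a bare $@, which
    # re-splits any argument containing whitespace; "$@" passes the
    # arguments through unchanged and exec keeps wg's exit status.
    exec nsenter -n/run/netns/router -- /usr/bin/wg "$@"
  mode: "0755"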
# Run by the postgres image's entrypoint on first initialisation (the
# /initdb directory is bound as /docker-entrypoint-initdb.d). Creates the
# miniflux role and database; the password is the committed lab default
# and matches DATABASE_URL in the miniflux service.
- path: /initdb/init-miniflux.sh
  contents: |
    #!/bin/sh
    set -e
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
        CREATE USER miniflux WITH PASSWORD 'adlin2022';
        CREATE DATABASE miniflux;
        GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
    EOSQL
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname miniflux <<-EOSQL
        CREATE EXTENSION hstore;
    EOSQL
  mode: "0555"
# First-initialisation SQL for the matrix server's database (C collation
# and template0, as a Synapse-style setup requires). Committed lab password.
- path: /initdb/init-matrix.sql
  contents: |
    CREATE USER matrix WITH PASSWORD 'adlin2022';
    CREATE DATABASE matrix ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER matrix;
    GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix;
  mode: "0444"
# First-initialisation SQL for the showcase website's database; same
# committed lab password as the other roles.
- path: /initdb/init-website.sql
  contents: |
    CREATE USER website WITH PASSWORD 'adlin2022';
    CREATE DATABASE website ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0 OWNER website;
    GRANT ALL PRIVILEGES ON DATABASE website TO website;
  mode: "0444"
# Prepares the persistent directory on the lab disk (mounted by the onboot
# section) before the services start.
- path: etc/init.d/011-init-disk
  contents: |
    #!/bin/sh
    mkdir -p /var/lib/adlin/
    # The per-workstation resolv.conf files are bind-mount sources for the
    # dhcpcd/sshd/minichecker containers, so they must exist as regular
    # files before those start; they are recreated empty at every boot.
    rm -rf /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
    touch /var/lib/adlin/wks-dg1resolv.conf /var/lib/adlin/wks-rh1resolv.conf /var/lib/adlin/wks-rh2resolv.conf /var/lib/adlin/wks-cm1resolv.conf
  mode: "0755"
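# Builds the lab's virtual network on the host at boot: one namespace per
# server attached to the brsrv bridge, and a VLAN trunk per workstation
# attached to brwks, both bridges reaching the router namespace through a
# veth pair. The router side is not addressed here; that comes from the
# OpenWrt config written by usr/bin/update-wg-conf.
- path: etc/init.d/011-tuto-net
  contents: |
    #!/bin/sh
    WGCONF=/var/lib/adlin/wireguard/adlin.conf

    # Print the student's IPv6 address from the WireGuard config with its
    # last group and prefix length replaced by $1 (":2/96" -> "...::2/96").
    # Prints nothing when the config has no MyIPv6= line.
    v6_host() {
        sed 's/^.*MyIPv6=//p;d' "${WGCONF}" | sed "s#:[^:/]*/.*\$#$1#"
    }

    # Create server namespace $1 with the veth pair vethin-$2 (inside) /
    # veth-$2 (host side, bridged below), address 172.23.42.$3/24 and, when
    # the WireGuard config carries MyIPv6=, the matching ::$3/96, with
    # default routes towards the router (172.23.42.1 / ...::1).
    # Loopback is brought up in every namespace; previously only ns-auth did
    # so, and a down lo breaks anything a service binds to 127.0.0.1.
    srv_ns() {
        ns="$1"
        veth="$2"
        num="$3"
        ip netns add "${ns}"
        ip link add "vethin-${veth}" type veth peer name "veth-${veth}"
        ip link set "vethin-${veth}" netns "${ns}"
        ip netns exec "${ns}" ip link set lo up
        ip netns exec "${ns}" ip link set "vethin-${veth}" up
        ip netns exec "${ns}" ip a add "172.23.42.${num}/24" dev "vethin-${veth}"
        ip netns exec "${ns}" ip route add default via 172.23.42.1
        grep -q MyIPv6= "${WGCONF}" 2> /dev/null && {
            ip netns exec "${ns}" ip a add "$(v6_host ":${num}/96")" dev "vethin-${veth}"
            ip netns exec "${ns}" ip route add default via "$(v6_host ":1")"
        }
    }

    # Host-side uplink for workstation $2: veth-wks$1 joins brwks and its
    # peer ethwks$1 carries VLAN $3, exposed as ethwks-$2, the interface the
    # dhcpcd-wks-$2 service moves into its own namespace.
    wks_port() {
        ip link add "veth-wks$1" type veth peer name "ethwks$1"
        ip link add link "ethwks$1" name "ethwks-$2" type vlan id "$3"
    }

    mkdir -p /var/lib/adlin/wireguard/
    nsenter -n/run/netns/router -- /usr/bin/ask.sh

    # Network: workstations (router side only; addressing comes from the
    # OpenWrt config)
    ip link add ethwks type veth peer name veth-wks
    ip link set ethwks netns router
    #ip link set ethwks up
    #ip netns exec router ip a add 192.168.6.254/24 dev ethwks
    #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
    # ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#1::1/96#") dev ethwks

    # Network: servers (router side only)
    ip link add ethsrv type veth peer name veth-srv
    ip link set ethsrv netns router
    #ip netns exec router ip link set ethsrv up
    #ip netns exec router ip a add 172.23.42.1/24 dev ethsrv
    #grep MyIPv6= /var/lib/adlin/wireguard/adlin.conf > /dev/null &&
    # ip netns exec router ip a add $(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf | sed "s#:[^:/]*/.*\$#:1/96#") dev ethsrv

    # One namespace per server; the host numbers match etc/hosts.
    srv_ns ns      ns     2
    srv_ns ns-auth nsauth 3
    srv_ns db      db     4
    srv_ns chat    chat   5
    srv_ns ttrss   ttrss  6
    srv_ns web     web    7

    # Network: bridges
    ip l add brsrv type bridge
    for veth in veth-srv veth-ns veth-nsauth veth-db veth-chat veth-ttrss veth-web
    do
        ip link set "${veth}" master brsrv
    done
    for veth in veth-srv veth-ns veth-nsauth veth-db veth-chat veth-ttrss veth-web
    do
        ip link set "${veth}" up
    done
    ip link set brsrv up

    ip l add brwks type bridge
    wks_port 1 dg1 10
    wks_port 2 rh1 11
    wks_port 3 rh2 11
    wks_port 4 cm1 12
    for veth in veth-wks veth-wks1 veth-wks2 veth-wks3 veth-wks4
    do
        ip link set "${veth}" master brwks
    done
    for veth in veth-wks veth-wks1 veth-wks2 veth-wks3 veth-wks4
    do
        ip link set "${veth}" up
    done
    for trunk in ethwks1 ethwks2 ethwks3 ethwks4
    do
        ip link set "${trunk}" up
    done
    ip link set brwks up
    # An extra NIC named eth2, when the VM has one, joins the workstation
    # bridge. The interface is queried by name: grepping "ip l" output for
    # "eth2" would also match any other interface whose name contains it.
    ip link show eth2 > /dev/null 2>&1 && {
        ip link set eth2 up
        ip link set eth2 master brwks
    }
  mode: "0755"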
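# Post-boot fixes pulled from the course server and executed as root on
# the host. TLS (with the linuxkit/ca-certificates bundle) is the only
# integrity control on that script, so the host is exactly as trustworthy
# as that endpoint.
- path: etc/init.d/012-dl-fixes
  contents: |
    #!/bin/sh
    # The request carries the mtime of /boot, presumably so the server can
    # pick fixes for this image build. The script is downloaded to a file
    # and only run when wget succeeded: `wget | sh` would start executing
    # a transfer that then fails or is cut short half-way.
    FIX=$(mktemp) || exit 1
    if ip netns exec router wget -q -O "${FIX}" --header "X-ADLIN-time: $(stat -c %Y /boot)" https://adlin.nemunai.re/fix-vm; then
        sh "${FIX}"
    fi
    rm -f "${FIX}"
  mode: "0755"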
# Seeds the router's persistent /etc (bound over the mainrouter container's
# /etc) on first boot, migrates older on-disk layouts, and makes sure the
# student's firewall.user is included by the UCI firewall config.
- path: etc/init.d/014-default-router-config
  contents: |
    #!/bin/sh
    # First boot: copy the pristine /etc out of the container image's
    # lower layer, then replace the pieces the lab controls.
    [ -d /var/lib/adlin/wrt-etc ] || {
        mkdir -p /var/lib/adlin/wrt-etc
        cp -r /containers/services/mainrouter/lower/etc/* /var/lib/adlin/wrt-etc/

        # Configured by students
        rm -f /var/lib/adlin/wrt-etc/config/firewall
        touch /var/lib/adlin/wrt-etc/config/firewall

        # Avoid listening on IPv6
        sed -r -i '/list\s+listen_http\s+\[::\]:80/d;/list\s+listen_https\s+\[::\]:443/d' /var/lib/adlin/wrt-etc/config/uhttpd

        # Configure networking
        # Minimal network config: loopback plus the wan on eth0 via DHCP.
        # The wg0 / srv interfaces are appended by update-wg-conf below.
        cat > /var/lib/adlin/wrt-etc/config/network <<EOF

    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

    EOF
    }

    # Earlier layouts (presumably from previous image versions) kept the
    # UCI config, firewall.user and sysctl.conf directly under
    # /var/lib/adlin; move them into the persistent /etc.
    [ -e /var/lib/adlin/wrt-config ] && {
        mv /var/lib/adlin/wrt-config/* /var/lib/adlin/wrt-etc/config/
        rmdir /var/lib/adlin/wrt-config
    }
    [ -f /var/lib/adlin/wrt-firewall.user ] && mv /var/lib/adlin/wrt-firewall.user /var/lib/adlin/wrt-etc/firewall.user
    [ -f /var/lib/adlin/wrt-sysctl.conf ] && mv /var/lib/adlin/wrt-sysctl.conf /var/lib/adlin/wrt-etc/sysctl.conf

    # Ensure custom rules are applied
    grep -q /etc/firewall.user /var/lib/adlin/wrt-etc/config/firewall || cat >> /var/lib/adlin/wrt-etc/config/firewall <<EOF
    config include
        option path /etc/firewall.user
    EOF

    # Once enrolled, (re)generate the WireGuard part of the network config.
    [ -f /var/lib/adlin/wireguard/adlin.conf ] && /usr/bin/update-wg-conf
  mode: "0755"
# Derives the router's WireGuard and server-LAN UCI configuration from the
# student's adlin.conf. Run at boot by 014-default-router-config and on
# enrolment by join-maatma.
- path: usr/bin/update-wg-conf
  contents: |
    #!/bin/sh
    # Inputs from adlin.conf: the tunnel private key and the tunnel address
    # (MyIPv6=). SRVIP rewrites the address's last group to ::1/96 for the
    # server LAN; WKSIP (the workstation /96) is computed but not used
    # anywhere below.
    TUNPVKEY=$(sed 's/^.*PrivateKey = //p;d' /var/lib/adlin/wireguard/adlin.conf)
    TUNIP=$(sed 's/^.*MyIPv6=//p;d' /var/lib/adlin/wireguard/adlin.conf)
    SRVIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#:1/96#")
    WKSIP=$(echo "${TUNIP}" | sed "s#:[^:/]*/.*\$#1::1/96#")

    # Already configured: refresh the address and private key in place.
    grep -q wireguard /var/lib/adlin/wrt-etc/config/network && {
        sed -i -r "s#list addresses '[^']+'#list addresses '${TUNIP}'#;s#option private_key '[^']+'#option private_key '${TUNPVKEY}'#;" /var/lib/adlin/wrt-etc/config/network
    }

    # First run: append wg0, its single peer (the course gateway), the
    # server LAN interface and the IPv6 default route through the tunnel.
    # The private key is written in clear into this UCI file, as OpenWrt
    # expects; the file keeps whatever mode it was created with, so it
    # should stay readable by root only.
    grep -q wireguard /var/lib/adlin/wrt-etc/config/network || cat >> /var/lib/adlin/wrt-etc/config/network <<EOF
    config interface 'wg0'
        option proto 'wireguard'
        option force_link '1'
        list addresses '${TUNIP}'
        option private_key '${TUNPVKEY}'

    config wireguard_wg0
        option public_key 'uSpqyYovvP4OG6wDxZ0Qkq45MfyK58PMUuPaLesY8FI='
        option description 'maatma'
        option persistent_keepalive '5'
        list allowed_ips '::/0'
        option endpoint_host '82.64.31.248'
        option endpoint_port '42912'

    config interface 'srv'
        option ifname 'ethsrv'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.23.42.1'
        list ip6addr '${SRVIP}'

    config route6
        option target '::/0'
        option gateway '2a01:e0a:2b:2252::1'
        option interface 'wg0'

    EOF
  mode: "0755"
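# Fetches the student's public ssh keys from the school's key service,
# using the login recorded in adlin.conf; 800-rw-passwd.sh then installs
# them as root's authorized_keys on the router and the containers.
- path: etc/init.d/014-get-ssh-keys
  contents: |
    #!/bin/sh
    # Retrieve ssh keys
    KEYS=/var/lib/adlin/authorized_keys
    [ -f "${KEYS}" ] && exit 0
    # Without a login (not enrolled yet, or no adlin.conf) there is nothing
    # to fetch; the URL would otherwise be built from an empty name.
    LOGIN=$(sed 's/^.*MyLogin=//p;d' /var/lib/adlin/wireguard/adlin.conf 2> /dev/null)
    [ -n "${LOGIN}" ] || exit 0
    # Download to a temporary file and keep it only when wget succeeded and
    # returned something: writing straight to the target left an empty
    # authorized_keys behind on failure, which the -f test above then
    # treated as done on every later boot.
    TMP="${KEYS}.tmp"
    if nsenter -n/run/netns/router -- /usr/bin/wget -O "${TMP}" "https://cri.epita.fr/${LOGIN}.keys" && [ -s "${TMP}" ]; then
        mv "${TMP}" "${KEYS}"
    else
        rm -f "${TMP}"
    fi
  mode: "0755"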
# Disabled entry, kept for reference. Its name suggests it applies a
# reference router configuration (forwarding, masquerading, port
# redirections and a DHCP server on the workstation LAN) from the host.
# - path: etc/init.d/021-correction
#   contents: |
#     #!/bin/sh
#     PS=$(pgrep procd | head -1)
#     nsenter -t "${PS}" -a -- sysctl -w net.ipv4.ip_forward=1
#     nsenter -t "${PS}" -a -- sysctl -w net.ipv6.conf.all.forwarding=1
#     nsenter -t "${PS}" -a -- sysctl -w net.ipv4.conf.ethsrv.route_localnet=1
#     nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#     nsenter -t "${PS}" -a -- iptables -t nat -A POSTROUTING -o ethsrv -m addrtype --src-type LOCAL -j MASQUERADE
#     nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8052 -j DNAT --to 172.23.42.9
#     nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8052 -j DNAT --to-destination 172.23.42.9
#     nsenter -t "${PS}" -a -- iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 172.23.42.6
#     nsenter -t "${PS}" -a -- iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.23.42.6
#     nsenter -t "${PS}" -a -- ip link set ethwks up
#     cat <<EOF | nsenter -t "${PS}" -a -- tee /etc/udhcpd.conf
#     start 192.168.6.50
#     end 192.168.6.200
#     interface ethwks
#     opt dns 172.23.42.2
#     option subnet 255.255.255.0
#     opt router 192.168.6.254
#     option lease 3600
#     EOF
#   mode: "0755"
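# Late boot: sets known root credentials on the router and the Debian-based
# service containers and installs the student's ssh keys. Both password
# hashes below are committed to the repository, so the matching passwords
# are effectively public; whatever is reachable with them must be treated
# as unauthenticated.
- path: /etc/init.d/800-rw-passwd.sh
  contents: |
    #!/bin/sh
    KEYS=/var/lib/adlin/authorized_keys

    # Router: its /etc is the persistent copy under wrt-etc (MD5-crypt
    # hash, as the OpenWrt image uses). dropbear reads authorized_keys from
    # /etc/dropbear; an existing file is not overwritten.
    sed -ri '/^root/s@^root:x:.*$@root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::@' /var/lib/adlin/wrt-etc/shadow
    mkdir -p /var/lib/adlin/wrt-etc/dropbear/
    [ -f "${KEYS}" ] && ! [ -f /var/lib/adlin/wrt-etc/dropbear/authorized_keys ] && cp "${KEYS}" /var/lib/adlin/wrt-etc/dropbear/authorized_keys

    # Workstation sshd containers only need the key.
    for svc in sshd-wks-rh1 sshd-wks-dg1
    do
        mkdir -p "/containers/services/${svc}/rootfs/root/.ssh"
        [ -f "${KEYS}" ] && cp "${KEYS}" "/containers/services/${svc}/rootfs/root/.ssh/authorized_keys"
    done

    # Service containers: root password, /etc/services, the key, and sshd
    # host keys generated inside the container (ssh-keygen -A).
    for svc in matrix ns-auth ns-resolv web
    do
        sed -ri '/^root/s@^.*$@root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::@' "/containers/services/${svc}/rootfs/etc/shadow"
        cp /etc/services "/containers/services/${svc}/rootfs/etc/services"
        mkdir -p "/containers/services/${svc}/rootfs/root/.ssh"
        [ -f "${KEYS}" ] && cp "${KEYS}" "/containers/services/${svc}/rootfs/root/.ssh/authorized_keys"
        # Exact match on the task name (columns: TASK PID STATUS). A
        # substring grep could pick another task whose name contains this
        # one and run ssh-keygen in the wrong container; an empty PID made
        # nsenter fail with an unrelated error.
        pid=$(ctr -n services.linuxkit t ls | awk -v task="${svc}" '$1 == task { print $2 }')
        if [ -n "${pid}" ]
        then
            nsenter -t "${pid}" -a -- ssh-keygen -A
        fi
    done

    exit 0
  mode: "0555"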
# Placeholder init script; does nothing.
- path: /etc/init.d/850-later-use.sh
  contents: |
    #!/bin/sh

    # This file is currently not used and is reserved for future use.
  mode: "0755"
# Loads /root/feeds.opml into the miniflux admin account once the service
# is up. The admin password is passed on curl's command line, where it is
# visible in the host's process list for the duration of the call; it is
# the committed lab default in any case.
- path: /etc/init.d/999-import-feeds.sh
  contents: |
    #!/bin/sh
    # Fixed wait for postgres + miniflux (its own 10 s sleep + migrations).
    sleep 20
    # Runs from the router's namespaces, which can reach the server LAN.
    nsenter -t $(pgrep procd | head -1) -a -- curl -s -u adeline:adlin2022 -d @- http://172.23.42.6:8080/v1/import < /root/feeds.opml 2> /dev/null > /dev/null
    exit 0
  mode: "0555"
# Console banner printed by /usr/bin/welcome.
- path: etc/issue.adlin
  source: pkg/debian-tuto3/issue
  mode: "0444"
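# Prints the welcome banner with the VM's addresses once the tunnel is up.
- path: /etc/init.d/900-showip.sh
  contents: |
    #!/bin/sh

    # Wait wg0
    # Poll for the tunnel interface in the router namespace, one second
    # at a time, for at most five seconds (the same five checks the
    # original spelled out one per line).
    tries=0
    while [ "${tries}" -lt 5 ] && ! nsenter -n/run/netns/router -- ip a show dev wg0 > /dev/null 2>&1
    do
        sleep 1
        tries=$((tries + 1))
    done

    /usr/bin/welcome
    exit 0
  mode: "0555"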
# Disabled entry, kept for reference: a getty loop entering an sshd
# container's namespaces on tty1.
# - path: /etc/init.d/999-getty.sh
#   contents: |
#     #!/bin/sh
#     while true
#     do
#         /usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux
#         sleep 1
#     done &
#   mode: "0555"
# Console banner: lab issue text, tunnel and external addresses of the
# router, and the state of the second NIC handed to wks-rh1.
- path: /usr/bin/welcome
  contents: |
    #!/bin/sh
    echo
    cat /etc/issue.adlin
    echo
    # No wg0 yet: fall back to the enrolment prompt (ask.sh) instead.
    nsenter -n/run/netns/router -- ip -c a show dev wg0 2> /dev/null || nsenter -n/run/netns/router /usr/bin/ask.sh
    nsenter -n/run/netns/router -- ip -c a show dev eth0
    # eth1 only exists in the wks-rh1 namespace when the VM has a second
    # NIC (see dhcpcd-wks-rh1); the message asks the student to attach one.
    nsenter -n/run/netns/wks-rh1 -- ip -c a show dev eth1 2> /dev/null || echo "Attachez une seconde carte ethernet à la VM pour pouvoir vous connecter à un poste de travail."
  mode: "0755"
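# Emergency DHCP for the console: requests a lease on eth0 from inside the
# router's namespaces, e.g. when the student broke the OpenWrt network
# config.
- path: /usr/sbin/sos-dhcp
  contents: |
    #!/bin/sh
    # Take the first procd PID, as the other host tools do: a bare
    # $(pgrep procd) hands every matching PID to -t when more than one
    # exists, and an empty one makes nsenter fail with an unrelated error.
    PS=$(pgrep procd | head -1)
    if [ -z "${PS}" ]; then
        echo "sos-dhcp: router (procd) is not running" >&2
        exit 1
    fi
    nsenter -t "${PS}" -a -- udhcpc -i eth0
  mode: "0755"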
# Factory reset from the console: wipes the start of the lab disk (the
# partition table, so everything under /var/lib/adlin is lost) and
# reboots; the onboot format step then recreates it. Any key press after
# the prompt proceeds — there is no y/N check.
- path: /usr/sbin/raz-my-dd
  contents: |
    #!/bin/sh
    echo -n "Are you sure? Press Enter to continue... "
    read -s
    # 10 x 4 KiB from the beginning of the disk: enough to destroy the
    # partition table and the filesystem header of /dev/sda1.
    dd if=/dev/zero of=/dev/sda count=10 bs=4096
    sync
    reboot -f
  mode: "0755"
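# Interactive enrolment from the console: stores the token handed out by
# the Maatma platform, then builds the WireGuard configuration from it and
# restarts the router's networking.
- path: /usr/sbin/join-maatma
  contents: |
    #!/bin/sh
    TOKENFILE=/var/lib/adlin/wireguard/adlin.token
    [ -s "${TOKENFILE}" ] && echo "A token is already defined. You'll erase it if you continue."
    echo -n "Please copy your token here: "
    # -r keeps backslashes literal, and the value is quoted on the way out,
    # so a pasted token is neither word-split nor glob-expanded.
    read -r WGTOKEN
    mkdir -p /var/lib/adlin/wireguard/
    # The token authenticates this VM to the platform: create the file
    # readable by root only, without changing the umask for the helpers
    # run below.
    ( umask 077; echo "${WGTOKEN}" > "${TOKENFILE}" )
    nsenter -n/run/netns/router /usr/bin/ask.sh && /usr/bin/update-wg-conf && nsenter -t "$(pgrep procd | head -1)" -a -- /etc/init.d/network restart
    echo "Token saved. You should reboot now."
  mode: "0755"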
# Console self-check for the lab VM: disk, enrolment, tunnel, connectivity
# and the running state of every service and workstation container.
- path: /usr/sbin/diagnostic
  contents: |
    #!/bin/sh
    # ok/ko print $2 (default OK/KO) in green / on red; $1 is handed to echo
    # as-is, which is how callers pass -n to stay on the same line. With no
    # arguments the empty $1 appears to make echo emit a leading space.
    ok() { [ $# -gt 1 ] && MSG=$2 || MSG="OK"; echo -e $1 "\033[0;32m${MSG}\033[0m"; }
    ko() { [ $# -gt 1 ] && MSG=$2 || MSG="KO"; echo -e $1 "\033[0;41m${MSG}\033[0m"; }

    echo "TP3 VM diagnostic"
    echo
    echo -n "Disque dur monté : "; df /var/lib/adlin/ | grep ^/dev/sd > /dev/null && ok || ko
    echo
    echo -n "Token Maatma renseigné : "; [ -s "/var/lib/adlin/wireguard/adlin.token" ] && ok -n || ko -n
    echo -n " - Tunnel monté : "; nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && ok -n || ko -n
    # "établi": field 6 of the last line of `wg show wg0 dump` (appears to be
    # the peer's transfer-rx counter) is non-zero, i.e. data came back
    # through the tunnel.
    nsenter -n/run/netns/router -- /usr/bin/wg show wg0 > /dev/null 2> /dev/null && echo -n " - Tunnel établi : "; [ "$(nsenter -n/run/netns/router -- /usr/bin/wg show wg0 dump | tail -1 | cut -f 6 2> /dev/null)" != "0" ] && ok || ko
    echo -n "Ping Gateway Maatma : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 2a01:e0a:2b:2252::1 > /dev/null 2> /dev/null && ok -n || ko -n
    echo -n " - Ping Internet IPv4 : "; nsenter -n/run/netns/router -- ping -w 2 -c 1 1.1.1.1 > /dev/null 2> /dev/null && ok || ko
    echo
    # Container state comes from containerd's task list; unbound, openrc,
    # postgres and miniflux are checked by process name on the host instead.
    echo -n "États serveurs : ";
    ctr -n services.linuxkit t ls | grep mainrouter | grep RUNNING > /dev/null && ok -n "Routeur" || ko -n "Routeur"
    echo -n " "
    pgrep unbound > /dev/null && ok -n "Résolveur" || ko -n "Résolveur"
    echo -n " "
    pgrep openrc > /dev/null && ok -n "NS autoritaire" || ko -n "NS autoritaire"
    echo -n " "
    pgrep postgres > /dev/null && ok -n "Database" || ko -n "Database"
    echo -n " "
    ctr -n services.linuxkit t ls | grep matrix | grep RUNNING > /dev/null && ok -n "Matrix" || ko -n "Matrix"
    echo -n " "
    pgrep miniflux > /dev/null && ok -n "Miniflux" || ko -n "Miniflux"
    echo -n " "
    ctr -n services.linuxkit t ls | grep web | grep RUNNING > /dev/null && ok -n "Vitrine" || ko -n "Vitrine"
    echo
    echo
    echo -n "États Workstations : "
    ctr -n services.linuxkit t ls | grep dhcpcd-wks-dg1 | grep RUNNING > /dev/null && ok -n "WKS-DG1" || ko -n "WKS-DG1"
    echo -n "("
    ctr -n services.linuxkit t ls | grep sshd-wks-dg1 | grep RUNNING > /dev/null && ok -n "SSH" || ko -n "SSH"
    echo -n " "
    ctr -n services.linuxkit t ls | grep minichecker-wks-dg1 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
    echo -n ") "
    ctr -n services.linuxkit t ls | grep dhcpcd-wks-rh1 | grep RUNNING > /dev/null && ok -n "WKS-RH1" || ko -n "WKS-RH1"
    echo -n "("
    ctr -n services.linuxkit t ls | grep sshd-wks-rh1 | grep RUNNING > /dev/null && ok -n "SSH" || ko -n "SSH"
    echo -n ") "
    ctr -n services.linuxkit t ls | grep dhcpcd-wks-rh2 | grep RUNNING > /dev/null && ok -n "WKS-RH2" || ko -n "WKS-RH2"
    echo -n "("
    ctr -n services.linuxkit t ls | grep minichecker-wks-rh2 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
    echo -n ") "
    ctr -n services.linuxkit t ls | grep dhcpcd-wks-cm1 | grep RUNNING > /dev/null && ok -n "WKS-CM1" || ko -n "WKS-CM1"
    echo -n "("
    ctr -n services.linuxkit t ls | grep minichecker-wks-cm1 | grep RUNNING > /dev/null && ok -n "CK" || ko -n "CK"
    echo -n ") "
    echo
    echo
  mode: "0755"
- path: etc/network/interfaces
  # Only the loopback interface is declared; every other interface in this
  # image is brought up by the dhcpcd services, not by this file.
  contents: |
    auto lo
    iface lo inet manual
  # Read-only for owner and group; nothing in this file needs to be writable.
  mode: "0440"
- path: etc/nsd/nsd.conf
  # Authoritative NSD configuration serving the single lab zone below.
  # remote-control is enabled without a control-interface, so nsd-control
  # listens on NSD's default local (loopback) interface only. It still relies
  # on the TLS key/cert pair that nsd-control-setup generates (NSD's default
  # paths) — NOTE(review): confirm those files are present in the image,
  # otherwise NSD refuses to start with control enabled.
  contents: |
    remote-control:
        control-enable: yes
    zone:
        name: login-x.srs.p0m.fr
        zonefile: /etc/nsd/login-x.srs.p0m.fr.zone
  mode: "0644"
- path: etc/nsd/login-x.srs.p0m.fr.zone
  # Minimal zone: SOA, one NS, and an AAAA glue record for that NS. Every
  # record carries an explicit 900 s TTL, so no $TTL directive is needed.
  # The name server has no A record, so the zone only advertises it over
  # IPv6 — presumably intended for this lab; verify against the lab network.
  contents: |
    login-x.srs.p0m.fr. 900 SOA ns.login-x.srs.p0m.fr. root.login-x.srs.p0m.fr. 2020032900 172800 3600 2419200 86400
    login-x.srs.p0m.fr. 900 NS ns.login-x.srs.p0m.fr.
    ns.login-x.srs.p0m.fr. 900 AAAA 2a01:e0a:2b:2252:4242::3
  mode: "0644"
- path: etc/unbound/unbound.conf
  # Recursive resolver for the lab. It binds every IPv4/IPv6 address and
  # relies on the two access-control lines to admit only the private ranges
  # (addresses not listed fall to Unbound's default, which refuses them).
  #
  # NOTE(review): `domain-insecure: "."` marks the entire namespace as
  # insecure and `val-permissive-mode: yes` still returns answers that fail
  # validation, so the trust anchor loaded from trusted-key.key does not
  # actually block forged answers. Confirm this is a deliberate lab setting
  # and not a leftover from debugging.
  #
  # log-queries/log-replies write every client query and answer to
  # /var/log/unbound.log: useful for the lab, but note the disk growth and
  # that the log records each workstation's browsing.
  #
  # The local-data entries pin the adlin.p0m.fr service names to 172.23.42.1;
  # everything else is forwarded to the two upstreams in forward-zone.
  contents: |
    server:
        verbosity: 1
        interface: 0.0.0.0
        interface: ::0
        prefer-ip6: no
        access-control: 172.23.0.0/16 allow
        access-control: 192.168.0.0/16 allow
        log-queries: yes
        log-replies: yes
        use-syslog: no
        logfile: "/var/log/unbound.log"
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        domain-insecure: "."
        val-permissive-mode: yes
        trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
        local-zone: "adlin.p0m.fr" typetransparent
        local-data: "news.adlin.p0m.fr A 172.23.42.1"
        local-data: "matrix.adlin.p0m.fr A 172.23.42.1"
        local-data: "www.adlin.p0m.fr A 172.23.42.1"
    remote-control:
        control-enable: no
    forward-zone:
        name: "."
        forward-addr: 9.9.9.9
        forward-addr: 2606:4700:4700::1111
  mode: "0440"
- path: etc/rinittab
  # inittab in BusyBox syntax (id:runlevel:action:process): rcS handles both
  # sysinit and shutdown. The `r` prefix presumably selects the guest this
  # file is installed into — verify against the scripts that consume it.
  contents: |
    ::sysinit:/etc/init.d/rcS S boot
    ::shutdown:/etc/init.d/rcS K shutdown

  mode: "0644"
- path: etc/rshadow
  # Shadow file shipped into one of the guests (the `r` prefix presumably
  # means the router — confirm against the consuming scripts).
  #
  # NOTE(review): the root entry is a real password hash committed to the
  # build config, and its `$1$` prefix is MD5-crypt, which is considered weak
  # today. Anyone with read access to this repository can attempt to recover
  # the password offline; prefer injecting the hash at build time and using a
  # SHA-512 (`$6$`) or stronger scheme, as etc/wshadow below already does.
  #
  # daemon/ftp/network/nobody are locked with "*". The dnsmasq entry has "x"
  # in the password field, which is not a valid crypt string, so password
  # login for it should fail as well — confirm that is the intent.
  contents: |
    root:$1$ChIJgCib$1IYTTG.wKCXqbo1RMEQCc0:18706:0:99999:7:::
    daemon:*:0:0:99999:7:::
    ftp:*:0:0:99999:7:::
    network:*:0:0:99999:7:::
    nobody:*:0:0:99999:7:::
    dnsmasq:x:0:0:99999:7:::
  # Root-owned, group-readable only; shadow must never be world-readable.
  mode: "0640"
- path: etc/wpasswd
  # Debian-style passwd for a workstation guest (the `w` prefix presumably
  # means workstation — confirm against the consuming scripts). Only root has
  # an interactive shell (/bin/bash); every service account is set to
  # nologin or /bin/false. Password hashes live in etc/wshadow below.
  contents: |
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/bin/false
    sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
    systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
  # passwd is conventionally world-readable; it holds no secrets.
  mode: "0644"
- path: etc/wshadow
  # Shadow file paired with etc/wpasswd above. The root hash uses `$6$`
  # (SHA-512 crypt), which is considerably stronger than the MD5-crypt hash
  # in etc/rshadow, but it is still a credential committed to the build
  # config — anyone with repository access can attempt offline recovery.
  # Prefer injecting it at build time. Every other account is locked ("*").
  contents: |
    root:$6$4/xWhDY0JERkg6eg$ZKglx2TQT2ITM525di2aOhda9r9L.kUjYArPTF5pVTzi3/SRe.My4Z5Cg9vabK0ax2kZ.lLPFHA8v7jw.0N/8.:18707:0:99999:7:::
    daemon:*:17575:0:99999:7:::
    bin:*:17575:0:99999:7:::
    sys:*:17575:0:99999:7:::
    sync:*:17575:0:99999:7:::
    games:*:17575:0:99999:7:::
    man:*:17575:0:99999:7:::
    lp:*:17575:0:99999:7:::
    mail:*:17575:0:99999:7:::
    news:*:17575:0:99999:7:::
    uucp:*:17575:0:99999:7:::
    proxy:*:17575:0:99999:7:::
    www-data:*:17575:0:99999:7:::
    backup:*:17575:0:99999:7:::
    list:*:17575:0:99999:7:::
    irc:*:17575:0:99999:7:::
    gnats:*:17575:0:99999:7:::
    nobody:*:17575:0:99999:7:::
    _apt:*:17575:0:99999:7:::
    sshd:*:17594:0:99999:7:::
    systemd-timesync:*:17594:0:99999:7:::
    systemd-network:*:17594:0:99999:7:::
    systemd-resolve:*:17594:0:99999:7:::
    systemd-bus-proxy:*:17594:0:99999:7:::
  # Root-owned, group-readable only; shadow must never be world-readable.
  mode: "0640"
- path: etc/dresolv.conf
  # resolv.conf pointing at a single internal resolver, 172.23.42.2 —
  # presumably the Unbound instance configured above; verify which guest
  # owns that address.
  contents: |
    nameserver 172.23.42.2
  mode: "0644"
- path: var/lib/adlin
  # Empty directory created in the image; it serves as the mount point for
  # the persistent data partition and as the source of the per-workstation
  # resolv.conf binds referenced elsewhere in this file.
  directory: true
  mode: "0755"
- path: etc/mresolv.conf
  # resolv.conf using public resolvers directly (Quad9 and Cloudflare, mixed
  # across the v4/v6 entries).
  # NOTE(review): glibc and musl honour at most three `nameserver` lines, so
  # the fourth entry (2620:fe::fe) is most likely ignored — confirm with the
  # libc used in the consuming image.
  contents: |
    nameserver 9.9.9.9
    nameserver 2606:4700:4700::1111
    nameserver 1.1.1.1
    nameserver 2620:fe::fe
  mode: "0644"
- path: etc/rsysctl.conf
  # Kernel tuning installed as a sysctl file in one of the guests. The two
  # leading `#` lines are part of the file content (upstream distro header),
  # not YAML comments.
  #
  # NOTE(review): `fs.suid_dumpable=2` lets set-uid/privileged processes dump
  # core, and `kernel.core_pattern` places those dumps under /tmp. Mode 2
  # makes the dumps root-only readable, but they can still capture secrets
  # held by privileged daemons; set it to 0 unless the lab needs the dumps.
  #
  # `net.core.bpf_jit_enable=1` enables the BPF JIT without a matching
  # `net.core.bpf_jit_harden` setting; consider hardening if unprivileged
  # BPF is reachable on this guest.
  #
  # The remaining keys are conventional hardening (protected links, ARP
  # ignore, broadcast-ping/bogus-ICMP ignore, SYN cookies) plus TCP timers.
  contents: |
    # Do not edit, changes to this file will be lost on upgrades
    # /etc/sysctl.conf can be used to customize sysctl settings

    kernel.panic=3
    kernel.core_pattern=/tmp/%e.%t.%p.%s.core
    fs.suid_dumpable=2

    fs.protected_hardlinks=1
    fs.protected_symlinks=1

    net.core.bpf_jit_enable=1

    net.ipv4.conf.default.arp_ignore=1
    net.ipv4.conf.all.arp_ignore=1
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.icmp_ignore_bogus_error_responses=1
    net.ipv4.igmp_max_memberships=100
    net.ipv4.tcp_fin_timeout=30
    net.ipv4.tcp_keepalive_time=120
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_timestamps=1
    net.ipv4.tcp_sack=1
    net.ipv4.tcp_dsack=1
  mode: "0644"
- path: etc/rpreinit
  # OpenWrt-style preinit: creates /var/lock on a tmpfs, clears the PREINIT
  # marker and replaces itself with procd. Executable (0755) because it is
  # run directly, unlike the lib/preinit/* hook files below.
  contents: |
    #!/bin/sh
    # Copyright (C) 2006-2015 OpenWrt.org
    # Copyright (C) 2010 Vertical Communications

    mkdir -p /var/lock
    mount -t tmpfs none /var/lock

    unset PREINIT
    exec /sbin/procd
  mode: "0755"
- path: lib/preinit/20_check_iso
  # OpenWrt preinit hook sourced by the preinit framework (hence 0644, not
  # executable). `echo > /dev/null` always succeeds, so the `|| ramoverlay`
  # branch can never run and the hook is effectively a no-op — presumably a
  # deliberate stub for the lab; confirm nothing relies on ramoverlay here.
  contents: |
    #!/bin/sh
    # Copyright (C) 2006-2015 OpenWrt.org
    # Copyright (C) 2010 Vertical Communications

    check_for_iso() {
        echo > /dev/null || ramoverlay
    }

    boot_hook_add preinit_mount_root check_for_iso
  mode: "0644"
- path: lib/preinit/30_failsafe_wait
  # Empty preinit hook: only the shebang and upstream copyright header remain,
  # so sourcing it does nothing. Kept, presumably, so the hook ordering
  # matches upstream OpenWrt — confirm it is not expected to register a hook.
  contents: |
    #!/bin/sh
    # Copyright (C) 2006-2015 OpenWrt.org
    # Copyright (C) 2010 Vertical Communications
  mode: "0644"
- path: lib/preinit/99_10_failsafe_login
  # OpenWrt failsafe hooks. failsafe_netlogin generates a throw-away dropbear
  # host key under /tmp and starts dropbear with it; failsafe_shell is the
  # same always-true `echo` stub as in 20_check_iso, so ramoverlay never runs.
  #
  # NOTE(review): `-s 1024` produces a 1024-bit RSA host key, below the
  # 2048-bit minimum generally expected today; if this failsafe path is ever
  # exercised, raise the size or drop the `-s` flag to take dropbearkey's
  # default. `<> /dev/null` opens /dev/null read-write as dropbear's stdin.
  contents: |
    #!/bin/sh
    # Copyright (C) 2006-2015 OpenWrt.org
    # Copyright (C) 2010 Vertical Communications

    failsafe_netlogin () {
        dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
        dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
    }

    failsafe_shell() {
        echo > /dev/null || ramoverlay
    }

    boot_hook_add failsafe failsafe_netlogin
    boot_hook_add failsafe failsafe_shell
  mode: "0644"
# Image-trust policy: only images from these organisations are accepted when
# the image is built. Every image referenced above comes from linuxkit or
# library, so nothing outside this list is pulled.
trust:
  org:
    - linuxkit
    - library