From 0733aa3ae826fc6f655b5cd0856cf59542ef30c5 Mon Sep 17 00:00:00 2001 
From: Francois Lesueur Date: Thu, 22 Dec 2022 17:25:05 +0100 Subject: [PATCH] snster bootstrap --- files/provision.sh | 126 +----------------- files/snster-kaz/isp-a/group.yml | 61 +++++++++ files/snster-kaz/isp-a/infra/dns.conf | 9 ++ files/snster-kaz/isp-a/infra/provision.sh | 21 +++ files/snster-kaz/kaz/group.yml | 48 +++++++ files/snster-kaz/kaz/prod/dns.conf | 22 +++ files/snster-kaz/kaz/prod/kaz.sh | 77 +++++++++++ .../kaz/prod/kaz/config/container-mail.list | 3 + .../kaz/prod/kaz/config/container-orga.list | 1 + .../kaz/prod/kaz/config/container-proxy.list | 1 + .../prod/kaz/config/container-withMail.list | 9 ++ .../kaz/config/container-withoutMail.list | 10 ++ .../kaz/prod/kaz/config/dockers.env | 120 +++++++++++++++++ files/snster-kaz/kaz/prod/provision.sh | 76 +++++++++++ files/snster-kaz/main.yml | 33 +++++ files/snster-kaz/mica/group.yml | 42 ++++++ files/snster-kaz/mica/infra/dns.conf | 8 ++ files/snster-kaz/mica/infra/provision.sh | 34 +++++ files/snster-kaz/milxc/group.yml | 42 ++++++ files/snster-kaz/milxc/ns/provision.sh | 41 ++++++ files/snster-kaz/opendns/group.yml | 43 ++++++ files/snster-kaz/root-p/group.yml | 43 ++++++ files/snster-kaz/transit-a/group.yml | 27 ++++ .../snster-kaz/transit-a/router/provision.sh | 38 ++++++ .../templates/debian/resolverns/provision.sh | 40 ++++++ files/templates/debian/rootns/provision.sh | 42 ++++++ 26 files changed, 898 insertions(+), 119 deletions(-) create mode 100644 files/snster-kaz/isp-a/group.yml create mode 100644 files/snster-kaz/isp-a/infra/dns.conf create mode 100644 files/snster-kaz/isp-a/infra/provision.sh create mode 100644 files/snster-kaz/kaz/group.yml create mode 100644 files/snster-kaz/kaz/prod/dns.conf create mode 100755 files/snster-kaz/kaz/prod/kaz.sh create mode 100644 files/snster-kaz/kaz/prod/kaz/config/container-mail.list create mode 100644 files/snster-kaz/kaz/prod/kaz/config/container-orga.list create mode 100644 files/snster-kaz/kaz/prod/kaz/config/container-proxy.list create mode 
100644 files/snster-kaz/kaz/prod/kaz/config/container-withMail.list create mode 100644 files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list create mode 100644 files/snster-kaz/kaz/prod/kaz/config/dockers.env create mode 100644 files/snster-kaz/kaz/prod/provision.sh create mode 100644 files/snster-kaz/main.yml create mode 100644 files/snster-kaz/mica/group.yml create mode 100644 files/snster-kaz/mica/infra/dns.conf create mode 100644 files/snster-kaz/mica/infra/provision.sh create mode 100644 files/snster-kaz/milxc/group.yml create mode 100644 files/snster-kaz/milxc/ns/provision.sh create mode 100644 files/snster-kaz/opendns/group.yml create mode 100644 files/snster-kaz/root-p/group.yml create mode 100644 files/snster-kaz/transit-a/group.yml create mode 100755 files/snster-kaz/transit-a/router/provision.sh create mode 100644 files/templates/debian/resolverns/provision.sh create mode 100644 files/templates/debian/rootns/provision.sh diff --git a/files/provision.sh b/files/provision.sh index 3035181..bea1e46 100755 --- a/files/provision.sh +++ b/files/provision.sh @@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-" # Copie de qques fichiers cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard - # Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html) sysctl -w net.ipv4.ip_forward=1 - DEBIAN_FRONTEND=noninteractive apt-mark hold grub* # MAJ et install sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list 
@@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-" DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update DEBIAN_FRONTEND=noninteractive apt-get -y upgrade DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade - DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends + DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny' 
@@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-" # enable bash autocompletion - if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then cat >> /etc/bash.bashrc </dev/null; then - cat >> /root/.bashrc </dev/null; then - echo "127.0.0.1 kaz.local" >>/etc/hosts - fi - if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then - echo "127.0.0.2 listes.kaz.local" >>/etc/hosts - fi - for SERVICE in ${SERVICES_LIST}; do - if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then - sed -i /etc/hosts \ - -e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/" - fi - done + # SNSTER + cd + git clone https://framagit.org/flesueur/snster.git + cd snster + ./install.sh - echo -e "\n #### clawsmail\n" - # les scripts de créations de BAL pour clawsmail - cp -ar "${VAGRANT_SRC_DIR}/clawsmail" / - cd /clawsmail - chmod +x addclawsuser.sh - chmod +x genpasswd - - #client pour tester la messagerie - DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail - - # On met le KAZGUARD pour la mise au point - echo "export KAZGUARD='true'" >> /root/.bashrc - - - # echo -e "\n #### rsync download\n" - # [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] && - # rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/ - # [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] && - # rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/ - # [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] && - # [ ! -f "/kaz/config/dockers.env" ] && - # rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env - # for type in mail orga proxy withMail withoutMail ; do - # [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] && - # [ ! 
-f "/kaz/config/config/container-${type}.list" ] && - # rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/ - # done - # - # echo -e "\n #### secretGen\n" - # /kaz/bin/secretGen.sh - # - # #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine - # if [ "${NOKAZ}" == "true" ]; then - # echo "on ne lance pas install.sh" - # else - # echo "on lance install.sh" - # /kaz/bin/install.sh - # fi - - ${VAGRANT_SRC_DIR}/kaz.sh # clear apt cache DEBIAN_FRONTEND=noninteractive apt-get autoremove -y diff --git a/files/snster-kaz/isp-a/group.yml b/files/snster-kaz/isp-a/group.yml new file mode 100644 index 0000000..a728fec --- /dev/null +++ b/files/snster-kaz/isp-a/group.yml @@ -0,0 +1,61 @@ +version: 1 + +header: + name: ISP-A AS + comment: An ISP + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: transit-a + ipv4: 100.64.0.110/24 + ipv6: 2001:db8:b000::110/48 + eth1: + bridge: isp-a-cust + ipv4: 100.120.0.1/24 + eth2: + bridge: isp-a-infra + ipv4: 100.120.1.1/24 + ipv6: 2001:db8:120:1::1/64 + templates: + - bgprouter: + asn: 20 + asdev: eth1;eth2 + neighbors4: 100.64.1.1 as 31 + neighbors6: 2001:db8:b001::1 as 31 + - resolv: + nameserver: 100.100.100.100 + domain: isp-a.milxc + + infra: + network: + interfaces: + eth0: + bridge: isp-a-infra + ipv4: 100.120.1.2/24 + ipv6: 2001:db8:120:1::2/64 + gatewayv4: 100.120.1.1 + gatewayv6: 2001:db8:120:1::1 + templates: + - mailserver: + domain: isp-a.milxc + - resolverns: + - resolv: + domain: isp-a.milxc + ns: 100.120.1.2 + + home: + network: + interfaces: + eth0: + bridge: isp-a-cust + ipv4: 100.120.0.3/24 + gatewayv4: 100.120.0.1 + templates: + - updatecaroots: + - resolv: + domain: isp-a.milxc + ns: 100.120.1.2 diff --git a/files/snster-kaz/isp-a/infra/dns.conf b/files/snster-kaz/isp-a/infra/dns.conf new file mode 100644 index 0000000..4e4ef45 --- /dev/null +++ b/files/snster-kaz/isp-a/infra/dns.conf 
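Review bot: The new SNSTER bootstrap at the end of the hunk (`cd`, `git clone …/snster.git`, `cd snster`, `./install.sh`) fetches and executes a third-party install script as root from a moving default branch, with no pin and no check between the steps. Unless the script runs under `set -e` (not visible in this hunk), a failed clone leaves `cd snster` failing and `./install.sh` being looked up in whatever directory the bare `cd` landed in. Chain the steps and pin the revision: `git clone https://framagit.org/flesueur/snster.git && cd snster && git checkout <PINNED_TAG_OR_COMMIT> && ./install.sh`. The enclosing script continues outside the hunk on both sides.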
@@ -0,0 +1,9 @@ +server: + interface: 0.0.0.0 + access-control: 100.64.0.0/10 allow + + local-zone: "isp-a.milxc." static + local-data: "smtp.isp-a.milxc. IN A 100.120.1.2" + local-data: "imap.isp-a.milxc. IN A 100.120.1.2" + local-data: "ns.isp-a.milxc. IN A 100.120.1.2" + local-data: "isp-a.milxc. IN MX 10 smtp.isp-a.milxc." diff --git a/files/snster-kaz/isp-a/infra/provision.sh b/files/snster-kaz/isp-a/infra/provision.sh new file mode 100644 index 0000000..26685a7 --- /dev/null +++ b/files/snster-kaz/isp-a/infra/provision.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# ISP-A infra +set -e +if [ -z $MILXCGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +# Email's mail account email@isp-a.milxc +useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true +addgroup email mail +#mkdir /home/hacker/mail +#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash + +# disable systemd-resolved which conflicts with nsd +echo "DNSStubListener=no" >> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +# manage isp-a.milxc zone +apt-get update +DEBIAN_FRONTEND=noninteractive apt-get install -y unbound +cp dns.conf /etc/unbound/unbound.conf.d/ diff --git a/files/snster-kaz/kaz/group.yml b/files/snster-kaz/kaz/group.yml new file mode 100644 index 0000000..7dd4c88 --- /dev/null +++ b/files/snster-kaz/kaz/group.yml 
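Review bot: The guard at the top of this new file exits unless `MILXCGUARD` is set, as do kaz/prod/provision.sh, milxc/ns/provision.sh and transit-a/router/provision.sh, while kaz/prod/kaz.sh and the two templates under files/templates/debian exit unless `SNSTERGUARD` is set; whichever variable the bootstrap exports, the other group of scripts exits 1 before doing anything. Pick one name for all of them (the new tree is named snster, so `SNSTERGUARD` looks like the intended one). The test itself should also quote the expansion, `if [ -z "${MILXCGUARD}" ] ; then exit 1; fi`, since an unquoted empty value only works by accident of the one-argument form of `[`. `DIR` is assigned but never used in this file.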
@@ -0,0 +1,48 @@ +version: 1 + +header: + name: Target AS + comment: AS of the Target organization + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: transit-a + ipv4: 100.64.0.10/24 + ipv6: 2001:db8:b000::10/48 + eth1: + bridge: kaz-lan1 + ipv4: 100.80.0.1/24 + eth2: + bridge: kaz-lan2 + ipv4: 100.80.1.1/24 + templates: + - bgprouter: + asn: 10 + asdev: eth1;eth2 + neighbors4: 100.64.0.1 as 30 + neighbors6: 2001:db8:b000::1 as 30 + - resolv: + nameserver: 100.100.100.100 + domain: kaz.milxc + + prod: + network: + interfaces: + eth0: + bridge: kaz-lan1 + ipv4: 100.80.0.2/24 + eth1: + bridge: kaz-lan2 + ipv4: 100.80.1.2/24 + gatewayv4: 100.80.0.1 + templates: + - updatecaroots: + - authns: + zonefile: dns.conf + - resolv: + domain: kaz.milxc + ns: 100.100.100.100 diff --git a/files/snster-kaz/kaz/prod/dns.conf b/files/snster-kaz/kaz/prod/dns.conf new file mode 100644 index 0000000..1bc1c41 --- /dev/null +++ b/files/snster-kaz/kaz/prod/dns.conf @@ -0,0 +1,22 @@ +$TTL 86400 +$ORIGIN kaz.milxc. +@ 1D IN SOA ns.kaz.milxc. hostmaster.kaz.milxc. ( + 2002022401 ; serial + 3H ; refresh + 15 ; retry + 1w ; expire + 3h ; nxdomain ttl + ) + IN NS ns.kaz.milxc. + IN MX 10 smtp.kaz.milxc. +ns IN A 100.80.0.2 +dmz IN A 100.80.0.2 +smtp IN CNAME dmz +imap IN CNAME dmz +www IN CNAME dmz +listes IN MX listes +listes IN A 100.80.1.2 +firewall IN A 100.80.0.1 +firewall IN AAAA 2001:db8:80::0:1 +router IN A 100.80.0.1 +router IN AAAA 2001:db8:80::0:1 diff --git a/files/snster-kaz/kaz/prod/kaz.sh b/files/snster-kaz/kaz/prod/kaz.sh new file mode 100755 index 0000000..fd0d54f --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz.sh 
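Review bot: `listes IN MX listes` in the new zone file has no preference value, which an MX record requires, so the zone will not load as written; it should read `listes IN MX 10 listes`. The apex MX `IN MX 10 smtp.kaz.milxc.` points at `smtp`, which is declared as a CNAME to `dmz` two lines later, and RFC 2181 §10.3 forbids MX targets that are aliases; either point the MX at `dmz` or give `smtp` its own A record. These are the only records in the file that a strict loader would reject, so the rest of the zone can stay as is.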
@@ -0,0 +1,77 @@ +#!/bin/bash +if [ -z "${SNSTERGUARD}" ] ; then + exit 1 +fi + +DIR=$(cd "$(dirname $0)"; pwd) +cd "${DIR}" +set -e +export OUTPUT_DIR="/root/install" + + +mkdir -p "${OUTPUT_DIR}/log/" +export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-" +( + echo "########## ********** Start kaz.sh $(date +%D-%T)" + + docker-clean -a + rm -rf /kaz + + if [ -z "${KAZBRANCH}" ] ; then + KAZBRANCH="master" + fi + echo -e "\n #### git checkout ${KAZBRANCH}\n" + + + # copie des sources + cd / + [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git + (cd /kaz ; git checkout "${KAZBRANCH}" ) + find /kaz -name \*.sh -exec chmod a+x {} \; + + # pour ceux qui disposent d'un cache apt local et pas la fibre + if [ -f "${DIR}/.apt-mirror-config" ]; then + rsync -a "${DIR}/.apt-mirror-config" /kaz/ + fi + if [ -f "${DIR}/.proxy-config" ]; then + rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh + rsync -a "${DIR}/.proxy-config" /kaz/ + fi + if [ -f "${DIR}/.docker-config.json" ]; then + mkdir -p /root/.docker + rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json + fi + + + + echo -e "\n #### rsync download\n" + [ -d "${DIR}/kaz/download" ] && + rsync -a "${DIR}/kaz/download/" /kaz/download/ + [ -d "${DIR}/kaz/git" ] && + rsync -a "${DIR}/kaz/git/" /kaz/git/ + [ -f "${DIR}/kaz/config/dockers.env" ] && + [ ! -f "/kaz/config/dockers.env" ] && + rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env + for type in mail orga proxy withMail withoutMail ; do + [ -f "${DIR}/kaz/config/container-${type}.list" ] && + [ ! 
-f "/kaz/config/config/container-${type}.list" ] && + rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/ + done + + echo -e "\n #### secretGen\n" + /kaz/bin/secretGen.sh + + #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine + if [ "${NOKAZ}" == "true" ]; then + echo "on ne lance pas install.sh" + else + echo "on lance install.sh" + /kaz/bin/install.sh + fi + + # clear apt cache + DEBIAN_FRONTEND=noninteractive apt-get autoremove -y + DEBIAN_FRONTEND=noninteractive apt-get clean + + echo "########## ********** End kaz.sh $(date +%D-%T)" +) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2) diff --git a/files/snster-kaz/kaz/prod/kaz/config/container-mail.list b/files/snster-kaz/kaz/prod/kaz/config/container-mail.list new file mode 100644 index 0000000..921c9f5 --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/container-mail.list @@ -0,0 +1,3 @@ +# e-mail server composer +postfix +sympa diff --git a/files/snster-kaz/kaz/prod/kaz/config/container-orga.list b/files/snster-kaz/kaz/prod/kaz/config/container-orga.list new file mode 100644 index 0000000..799bea5 --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/container-orga.list @@ -0,0 +1 @@ +# orga composer diff --git a/files/snster-kaz/kaz/prod/kaz/config/container-proxy.list b/files/snster-kaz/kaz/prod/kaz/config/container-proxy.list new file mode 100644 index 0000000..125f526 --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/container-proxy.list @@ -0,0 +1 @@ +proxy diff --git a/files/snster-kaz/kaz/prod/kaz/config/container-withMail.list b/files/snster-kaz/kaz/prod/kaz/config/container-withMail.list new file mode 100644 index 0000000..79a3639 --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/container-withMail.list @@ -0,0 +1,9 @@ +cloud +dokuwiki +#framadate +garradin +gitea +jirafeau +#mattermost +roundcube +#keycloak 
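Review bot: `[ -f kaz ] || git clone …` in the new kaz.sh tests for a regular file where a directory is expected, so the guard never short-circuits; it is moot today because `rm -rf /kaz` runs just above, but it should be `[ -d kaz ] || git clone …`. In the `for type` loop the not-already-present check looks at `/kaz/config/config/container-${type}.list` (doubled `config/`), which never exists, so the list is copied unconditionally; the intent appears to be `[ ! -f "/kaz/config/container-${type}.list" ]`. The script then runs `/kaz/bin/secretGen.sh` and `/kaz/bin/install.sh` from an unpinned `master` checkout as root; pinning `KAZBRANCH` to a tag or commit by default would make the build reproducible. The `tee ${DebugLog}…` redirections at the end should quote the expansion, `> >(tee "${DebugLog}stdout.log")`.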
diff --git a/files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list b/files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list new file mode 100644 index 0000000..7d87ccc --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list @@ -0,0 +1,10 @@ +cachet +jirafeau +ethercalc +collabora +ethercalc +etherpad +ldap +quotas +web +#vigilo diff --git a/files/snster-kaz/kaz/prod/kaz/config/dockers.env b/files/snster-kaz/kaz/prod/kaz/config/dockers.env new file mode 100644 index 0000000..9321c7d --- /dev/null +++ b/files/snster-kaz/kaz/prod/kaz/config/dockers.env 
@@ -0,0 +1,120 @@ +# Les variables d'environnements utilisées +# par les dockers via le lien : +# .env -> ../../config/dockers.env + +####################################### +# prod / dev / local +mode=prod + +######################################## +# choix du domaine +# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local +domain=kaz.milxc + +######################################## +# choix du domaine des mails sympa +# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local +domain_sympa=kaz.milxc + +######################################## +# choix d'un serveur partiel +# site=site-2 +site= + +######################################## +# Pour garradin qui met en "dure" dans +# sa config l'URL pour l'atteindre + +# prod=https (gandi) / dev=https (letsencrypt) / local=http +httpProto=https + +# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1 +MAIN_IP=100.80.0.2 + +# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2 +SYMPA_IP=100.80.1.2 + +######################################## +# noms des services + +# ou www (mais bof) +webHost= + +cachetHost=cachet +calcHost=tableur +cloudHost=cloud +dateHost=sondage +dokuwikiHost=wiki +fileHost=depot +garHost=garradin +gitHost=git +gravHost=grav +ldapHost=ldap +matterHost=agora +officeHost=office +padHost=pad +quotasHost=quotas +smtpHost=smtp +sympaHost=listes +vigiloHost=vigilo +webmailHost=webmail +wordpressHost=wp + +######################################## +# noms des containers + +cachetServName=cachetServ +dokuwikiServName=dokuwikiServ +ethercalcServName=ethercalcServ +etherpadServName=etherpadServ +framadateServName=framadateServ +garradinServName=garradinServ +gitServName=gitServ +gravServName=gravServ +jirafeauServName=jirafeauServ +ldapServName=ldapServ +mattermostServName=mattermostServ +nextcloudServName=nextcloudServ +officeServName=officeServ +proxyServName=proxyServ +quotasServName=quotasServ +roundcubeServName=roundcubeServ +smtpServName=mailServ +sympaServName=sympaServ +vigiloServName=vigiloServ 
+webServName=webServ +wordpressServName=wpServ + +cachetDBName=cachetDB +ethercalcDBName=ethercalcDB +etherpadDBName=etherpadDB +framadateDBName=framadateDB +gitDBName=gitDB +mattermostDBName=mattermostDB +nextcloudDBName=nextcloudDB +quotasDBName=quotasDB +roundcubeDBName=roundcubeDB +sympaDBName=sympaDB +vigiloDBName=vigiloDB +wordpressDBName=wpDB + +ldapIUName=ldapIU + +######################################## +# politique de redémarrage +# prod=always / test=unless-stopped / local=no +restartPolicy=no + +######################################## +# devrait être dans env-jirafeauServ +# mais seuls les variables de ".env" sont +# utilisables pour le montage des volumes + +jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/ + +ldapRoot=dc=kaz,dc=milxc + +######################################## +# services activés par container.sh +# variables d'environneements utilisées +# pour le tmpl du mandataire (proxy) diff --git a/files/snster-kaz/kaz/prod/provision.sh b/files/snster-kaz/kaz/prod/provision.sh new file mode 100644 index 0000000..5aaf4be --- /dev/null +++ b/files/snster-kaz/kaz/prod/provision.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash +# Target DMZ +set -e +if [ -z $MILXCGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +# disable systemd-resolved which conflicts with nsd +echo "DNSStubListener=no" >> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +apt-get update +DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1` +if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye +then + DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-apache +else + echo "Unsupported Debian version" + exit 1 +fi + + +# preconfig TLS and certbot +a2enmod ssl +a2ensite default-ssl.conf +echo -e " +email=admin@kaz.milxc +agree-tos=1 +no-verify-ssl=1 +" >> /etc/letsencrypt/cli.ini + +# Go KAZ ! +# KAZ specific things +#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine + +DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs +usermod -G docker debian +# activation dans alias dans /root/.bashrc +sed -i \ +-e 's/^\# alias/alias/g' \ +-e 's/^\# export/export/g' \ +-e 's/^\# eval/eval/g' \ +/root/.bashrc + +if ! 
grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then +cat >> /root/.bashrc <> /root/.bashrc + +# On active fuse-overlayfs pour docker +cat >> /etc/docker/daemon.json <> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +# manage isp-a.milxc zone +apt-get update +DEBIAN_FRONTEND=noninteractive apt-get install -y unbound +cp dns.conf /etc/unbound/unbound.conf.d/ + + +# Install smallstep CA / ACME server +cd /tmp +wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb +dpkg -i step-cli_0.17.2_amd64.deb +wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb +dpkg -i step-ca_0.17.2_amd64.deb + +# step ca init +# step ca root root.crt +# step ca provisioner add acme --type ACME +# certbot certonly -n --standalone -d www.target.milxc --server https://www.mica.milxc/acme/acme/directory --agree-tos --email "fr@fr.fr" diff --git a/files/snster-kaz/milxc/group.yml b/files/snster-kaz/milxc/group.yml new file mode 100644 index 0000000..daf4b36 --- /dev/null +++ b/files/snster-kaz/milxc/group.yml @@ -0,0 +1,42 @@ +version: 1 + +header: + name: MILXC AS + comment: The .milxc TLD auth NS + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: transit-a + ipv4: 100.64.0.40/24 + ipv6: 2001:db8:b000::40/48 + eth1: + bridge: milxc-lan + ipv4: 100.100.20.1/24 + ipv6: 2001:db8:a020::1/48 + templates: + - bgprouter: + asn: 8 + asdev: eth1 + neighbors4: 100.64.0.1 as 30 + neighbors6: 2001:db8:b000::1 as 30 + - resolv: + nameserver: 100.100.100.100 + domain: milxc.milxc + + ns: + network: + interfaces: + eth0: + bridge: milxc-lan + ipv4: 100.100.20.10/24 + ipv6: 2001:db8:a020::10/48 + gatewayv4: 100.100.20.1 + gatewayv6: 2001:db8:a020::1 + templates: + - resolv: + domain: milxc.milxc + ns: 100.100.100.100 diff --git a/files/snster-kaz/milxc/ns/provision.sh b/files/snster-kaz/milxc/ns/provision.sh new file mode 100644 index 0000000..e7f23c2 --- /dev/null 
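Review bot: `usermod -G docker debian` in the new kaz/prod/provision.sh replaces the user's entire supplementary group list with `docker` instead of adding to it, dropping any existing groups such as `sudo`; it should be `usermod -aG docker debian`. Appending `no-verify-ssl=1` to /etc/letsencrypt/cli.ini makes certbot accept any certificate from the ACME endpoint; since the `prod` host already carries the `updatecaroots` template in kaz/group.yml, trusting the lab root there would let this option be dropped. The guard `if [ -z $MILXCGUARD ]` should quote the expansion like the other guards. The tail of this hunk is garbled in this view (the heredoc and the following file headers are merged), so the lines after `if ! grep -q "for file in /dockers"` could not be reviewed.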
+++ b/files/snster-kaz/milxc/ns/provision.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# .milxc registry + +set -e +if [ -z $MILXCGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +# disable systemd-resolved which conflicts with nsd +echo "DNSStubListener=no" >> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +apt-get update +DEBIAN_FRONTEND=noninteractive apt-get install -y nsd + +echo -e "zone: + name: \"milxc.\" + zonefile: \"milxc.zone\" +" > /etc/nsd/nsd.conf + +echo -e "\$TTL 86400 +\$ORIGIN milxc. +@ 1D IN SOA ns.milxc. hostmaster.milxc. ( + 2002022401 ; serial + 3H ; refresh + 15 ; retry + 1w ; expire + 3h ; nxdomain ttl + ) + IN NS ns.milxc. +ns IN A 100.100.20.10 ;name server definition +ns IN AAAA 2001:db8:a020::10 +kaz.milxc. IN NS ns.kaz.milxc. +ns.kaz.milxc. IN A 100.80.0.2 +isp-a.milxc. IN NS ns.isp-a.milxc. +ns.isp-a.milxc. IN A 100.120.1.2 +ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2 +mica.milxc. IN NS ns.mica.milxc. +ns.mica.milxc. IN A 100.82.0.2 +ns.mica.milxc. IN AAAA 2001:db8:82::2 +" >> /etc/nsd/milxc.zone diff --git a/files/snster-kaz/opendns/group.yml b/files/snster-kaz/opendns/group.yml new file mode 100644 index 0000000..2da0cac --- /dev/null +++ b/files/snster-kaz/opendns/group.yml 
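Review bot: The .milxc zone at the end of the hunk is written with `>> /etc/nsd/milxc.zone` while nsd.conf just above is written with `>`, so a second run of the provisioner appends a second SOA and the zone fails to load; use `" > /etc/nsd/milxc.zone` for the zone as well. The same non-idempotent append applies to `echo "DNSStubListener=no" >> /etc/systemd/resolved.conf`, which every provision.sh in this commit repeats. `DIR` is assigned but unused here, as in the sibling scripts.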
@@ -0,0 +1,43 @@ +version: 1 + +header: + name: open DNS service AS + comment: an open DNS resolver + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: transit-a + ipv4: 100.64.0.30/24 + ipv6: 2001:db8:b000::30/48 + eth2: + bridge: opendns-lan + ipv4: 100.100.100.1/24 + ipv6: 2001:db8:a100::1/48 + templates: + - bgprouter: + asn: 7 + asdev: eth2 + neighbors4: 100.64.0.1 as 30;100.64.1.1 as 31 + neighbors6: 2001:db8:b000::1 as 30;2001:db8:b001::1 as 31 + - resolv: + nameserver: 100.100.100.100 + domain: opendns.milxc + + resolver: + network: + interfaces: + eth0: + bridge: opendns-lan + ipv4: 100.100.100.100/24 + ipv6: 2001:db8:a100::100/48 + gatewayv4: 100.100.100.1 + gatewayv6: 2001:db8:a100::1 + templates: + - resolverns: + - resolv: + domain: opendns.milxc + ns: 100.100.100.100 diff --git a/files/snster-kaz/root-p/group.yml b/files/snster-kaz/root-p/group.yml new file mode 100644 index 0000000..0793937 --- /dev/null +++ b/files/snster-kaz/root-p/group.yml @@ -0,0 +1,43 @@ +version: 1 + +header: + name: Root-P AS + comment: A DNS Root server + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: transit-a + ipv4: 100.64.0.20/24 + ipv6: 2001:db8:b000::20/48 + eth1: + bridge: root-p-lan + ipv4: 100.100.1.1/24 + ipv6: 2001:db8:a001::1/48 + templates: + - bgprouter: + asn: 6 + asdev: eth1 + neighbors4: 100.64.0.1 as 30 + neighbors6: 2001:db8:b000::1 as 30 + - resolv: + nameserver: 100.100.100.100 + domain: ns-root-p.milxc + + rootns: + network: + interfaces: + eth0: + bridge: root-p-lan + ipv4: 100.100.1.10/24 + ipv6: 2001:db8:a001::10/48 + gatewayv4: 100.100.1.1 + gatewayv6: 2001:db8:a001::1 + templates: + - rootns: + - resolv: + domain: ns-root-p.milxc + ns: 100.100.100.100 diff --git a/files/snster-kaz/transit-a/group.yml b/files/snster-kaz/transit-a/group.yml new file mode 100644 index 0000000..660c194 --- /dev/null +++ b/files/snster-kaz/transit-a/group.yml 
@@ -0,0 +1,27 @@ +version: 1 + +header: + name: Transit-A + comment: Transit-A IXP + +hosts: + router: + master: alpine + network: + interfaces: + eth0: + bridge: nat-bridge + ipv4: dhcp + eth1: + bridge: transit-a + ipv4: 100.64.0.1/24 + ipv6: 2001:db8:b000::1/48 + templates: + - bgprouter: + asn: 30 + asdev: eth1 + neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.2 as 31; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12 + neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::2 as 31; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12 + - resolv: + nameserver: 100.100.100.100 + domain: transit-a.milxc diff --git a/files/snster-kaz/transit-a/router/provision.sh b/files/snster-kaz/transit-a/router/provision.sh new file mode 100755 index 0000000..452efcb --- /dev/null +++ b/files/snster-kaz/transit-a/router/provision.sh 
@@ -0,0 +1,38 @@ +#!/bin/sh +# Transit A with alpine +set -e +if [ -z $MILXCGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +apk update +apk add bird iptables +rc-update add bird + +# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf +echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start +chmod +x /etc/local.d/iptables.start +rc-update add local + +# keep DHCP on eth0 +touch /etc/network/keepdhcp + +# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start) +# This metric must be lower than the one exported by BGP for the default route (static part below) +mkdir /etc/udhcpc +echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf + +#echo "supersede domain-name-servers 10.10.10.10;" >> /etc/dhcp/dhclient.conf +#echo "supersede domain-name \"internet.milxc\";" >> /etc/dhcp/dhclient.conf + + +# customize bird config (BGP) +sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf +# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf +echo -e " +protocol static { + ipv4; + route 0.0.0.0/0 via 100.64.0.1; +} +" >> /etc/bird.conf diff --git a/files/templates/debian/resolverns/provision.sh b/files/templates/debian/resolverns/provision.sh new file mode 100644 index 0000000..02b63ed --- /dev/null +++ b/files/templates/debian/resolverns/provision.sh 
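Review bot: `mkdir /etc/udhcpc` without `-p` aborts this `set -e` script if the directory already exists (a re-run, or an image that ships it); use `mkdir -p /etc/udhcpc`. Appending `edge/testing` to /etc/apk/repositories makes every subsequent `apk add` and `apk upgrade` on this router eligible for untested packages, not only bird; if bird is what needs testing, tag the repository instead, `echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories` followed by `apk add bird@testing iptables`. The guard `if [ -z $MILXCGUARD ]` should quote its expansion like the other scripts.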
@@ -0,0 +1,40 @@ +#!/bin/bash +# Root NS template +set -e +if [ -z $SNSTERGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +# disable systemd-resolved which conflicts with nsd +echo "DNSStubListener=no" >> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +apt-get update +DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils + +# get root hints +#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints +echo -e ". 3600000 NS P.ROOT-SERVERS.NET. +P.ROOT-SERVERS.NET. 3600000 A 100.100.1.10 +P.ROOT-SERVERS.NET. 3600000 AAAA 2001:db8:a001::10 +" > /etc/unbound/root.hints + +# customize unbound config +#echo -e "server: +# ip-address: 127.0.0.1 +echo -e "server: + root-hints: root.hints +" > /etc/unbound/unbound.conf.d/root.conf + +# no DNSSEC validation for now +sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf + +# Be an open dns resolver -- TO CHANGE LATER +echo -e "server: + interface: 0.0.0.0 + access-control: 0.0.0.0/0 allow + cache-max-ttl: 20 + cache-max-negative-ttl: 20 +" > /etc/unbound/unbound.conf.d/listen.conf + +service unbound restart diff --git a/files/templates/debian/rootns/provision.sh b/files/templates/debian/rootns/provision.sh new file mode 100644 index 0000000..7657a21 --- /dev/null +++ b/files/templates/debian/rootns/provision.sh 
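Review bot: The header comment of this new resolver template reads `# Root NS template`, copied from the rootns template; it should say `# Resolver NS template`. The listen.conf written near the end grants `access-control: 0.0.0.0/0 allow`, and since this template is also applied to isp-a/infra (isp-a/group.yml), whose own dns.conf allows only 100.64.0.0/10, the narrower per-host rule presumably has no effect once both live in unbound.conf.d; if the open-resolver behaviour is meant only for the opendns host, leave `access-control` out of the shared template and set it per host. The in-file `TO CHANGE LATER` marker would then be resolved rather than deferred. The guard `if [ -z $SNSTERGUARD ]` should quote its expansion.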
@@ -0,0 +1,42 @@ +#!/bin/bash +# Root NS template +set -e +if [ -z $SNSTERGUARD ] ; then exit 1; fi +DIR=`dirname $0` +cd `dirname $0` + +# disable systemd-resolved which conflicts with nsd +echo "DNSStubListener=no" >> /etc/systemd/resolved.conf +systemctl stop systemd-resolved + +apt-get update +DEBIAN_FRONTEND=noninteractive apt-get install -y nsd + +# get root zone +wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone + +# customize root zone +# remove official roots +sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone +# add alternative milxc root + +echo -e ". 518400 IN NS p.root-servers.net +p.root-servers.net 518400 IN A 100.100.1.10 +p.root-servers.net 518400 IN AAAA 2001:db8:a001::10 +" >> /etc/nsd/root.zone + + +# add .milxc TLD served by 100.100.20.10 +echo -e "milxc. 518400 IN NS ns.milxc. +ns.milxc. 518400 IN A 100.100.20.10 +ns.milxc. 518400 IN AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone + +# customize nsd config +#echo -e "server: +# ip-address: 127.0.0.1 +echo -e "zone: + name: \".\" + zonefile: \"root.zone\" +" > /etc/nsd/nsd.conf + +#service nsd restart
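Review bot: The root zone is fetched over plain HTTP (`wget "http://www.internic.net/domain/root.zone" …`) and then served as the lab's DNS root with no integrity check; fetch it over TLS instead, `wget "https://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone`. The two `echo -e … >> /etc/nsd/root.zone` blocks append on every run, so re-provisioning leaves duplicate NS and glue records; writing the alternative root and the .milxc delegation once after the `sed` (or guarding with a `grep -q`) keeps the zone clean. The guard `if [ -z $SNSTERGUARD ]` should quote its expansion, and `DIR` is unused.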