snster bootstrap
This commit is contained in:
parent
5545db5891
commit
0733aa3ae8
@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
|||||||
# Copie de qques fichiers
|
# Copie de qques fichiers
|
||||||
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
|
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
|
||||||
|
|
||||||
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
|
|
||||||
sysctl -w net.ipv4.ip_forward=1
|
sysctl -w net.ipv4.ip_forward=1
|
||||||
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
|
|
||||||
|
|
||||||
# MAJ et install
|
# MAJ et install
|
||||||
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
|
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
|
||||||
@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
|||||||
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
|
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
|
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
|
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
|
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
|
||||||
|
|
||||||
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
|
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
|
||||||
@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
|||||||
|
|
||||||
|
|
||||||
# enable bash autocompletion
|
# enable bash autocompletion
|
||||||
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
|
|
||||||
cat >> /etc/bash.bashrc <<EOF
|
cat >> /etc/bash.bashrc <<EOF
|
||||||
# enable bash completion in interactive shells
|
# enable bash completion in interactive shells
|
||||||
if ! shopt -oq posix; then
|
if ! shopt -oq posix; then
|
||||||
@ -121,7 +118,6 @@ if ! shopt -oq posix; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
fi
|
|
||||||
|
|
||||||
# XFCE4 panel: use default config
|
# XFCE4 panel: use default config
|
||||||
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
|
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
|
||||||
@ -150,65 +146,6 @@ SystemMaxFileSize=2M
|
|||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# KAZ specific things
|
|
||||||
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
|
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
|
|
||||||
usermod -G docker debian
|
|
||||||
# activation dans alias dans /root/.bashrc
|
|
||||||
sed -i \
|
|
||||||
-e 's/^\# alias/alias/g' \
|
|
||||||
-e 's/^\# export/export/g' \
|
|
||||||
-e 's/^\# eval/eval/g' \
|
|
||||||
/root/.bashrc
|
|
||||||
|
|
||||||
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
|
|
||||||
cat >> /root/.bashrc <<EOF
|
|
||||||
|
|
||||||
# enable bash completion in interactive shells
|
|
||||||
if ! shopt -oq posix; then
|
|
||||||
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
|
||||||
. /usr/share/bash-completion/bash_completion
|
|
||||||
elif [ -f /etc/bash_completion ]; then
|
|
||||||
. /etc/bash_completion
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
for file in /kaz/bin/.*-completion.bash ; do
|
|
||||||
source "\${file}"
|
|
||||||
done
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
# # Localisation du $LANG, en par défaut, timezone Paris
|
|
||||||
# if [ -z "${KAZBRANCH}" ] ; then
|
|
||||||
# KAZBRANCH="develop-vm"
|
|
||||||
# fi
|
|
||||||
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
|
|
||||||
#
|
|
||||||
# # copie des sources
|
|
||||||
# cd /
|
|
||||||
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
|
|
||||||
# (cd /kaz ; git checkout "${KAZBRANCH}" )
|
|
||||||
# find /kaz -name \*.sh -exec chmod a+x {} \;
|
|
||||||
#
|
|
||||||
# # pour ceux qui disposent d'un cache apt local et pas la fibre
|
|
||||||
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
|
|
||||||
# fi
|
|
||||||
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
|
|
||||||
# fi
|
|
||||||
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
|
|
||||||
# mkdir -p /root/.docker
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
|
|
||||||
# fi
|
|
||||||
|
|
||||||
# Ajout d'un serveur DNS sur la VM
|
|
||||||
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
|
|
||||||
|
|
||||||
#***********DEBUT CERTIF*******************
|
#***********DEBUT CERTIF*******************
|
||||||
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
|
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
|
||||||
|
|
||||||
@ -225,7 +162,7 @@ EOF
|
|||||||
export CAROOT=/etc/letsencrypt/local/
|
export CAROOT=/etc/letsencrypt/local/
|
||||||
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
|
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
|
||||||
cd "${CAROOT}"
|
cd "${CAROOT}"
|
||||||
/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
|
/root/mkcert/mkcert "*.kaz.milxc" # cert et clé dans /etc/letsencrypt/local/
|
||||||
|
|
||||||
mkdir -p /etc/letsencrypt/live/kaz.local/
|
mkdir -p /etc/letsencrypt/live/kaz.local/
|
||||||
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
|
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
|
||||||
@ -249,61 +186,12 @@ EOF
|
|||||||
|
|
||||||
#***********FIN CERTIF*******************
|
#***********FIN CERTIF*******************
|
||||||
|
|
||||||
#ajout des services dans le host
|
# SNSTER
|
||||||
echo -e "\n #### update /etc/hosts\n"
|
cd
|
||||||
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
|
git clone https://framagit.org/flesueur/snster.git
|
||||||
echo "127.0.0.1 kaz.local" >>/etc/hosts
|
cd snster
|
||||||
fi
|
./install.sh
|
||||||
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
|
|
||||||
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
|
|
||||||
fi
|
|
||||||
for SERVICE in ${SERVICES_LIST}; do
|
|
||||||
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
|
|
||||||
sed -i /etc/hosts \
|
|
||||||
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
echo -e "\n #### clawsmail\n"
|
|
||||||
# les scripts de créations de BAL pour clawsmail
|
|
||||||
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
|
|
||||||
cd /clawsmail
|
|
||||||
chmod +x addclawsuser.sh
|
|
||||||
chmod +x genpasswd
|
|
||||||
|
|
||||||
#client pour tester la messagerie
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
|
|
||||||
|
|
||||||
# On met le KAZGUARD pour la mise au point
|
|
||||||
echo "export KAZGUARD='true'" >> /root/.bashrc
|
|
||||||
|
|
||||||
|
|
||||||
# echo -e "\n #### rsync download\n"
|
|
||||||
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
|
|
||||||
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
|
|
||||||
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
|
|
||||||
# [ ! -f "/kaz/config/dockers.env" ] &&
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
|
|
||||||
# for type in mail orga proxy withMail withoutMail ; do
|
|
||||||
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
|
|
||||||
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
|
|
||||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
|
|
||||||
# done
|
|
||||||
#
|
|
||||||
# echo -e "\n #### secretGen\n"
|
|
||||||
# /kaz/bin/secretGen.sh
|
|
||||||
#
|
|
||||||
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
|
|
||||||
# if [ "${NOKAZ}" == "true" ]; then
|
|
||||||
# echo "on ne lance pas install.sh"
|
|
||||||
# else
|
|
||||||
# echo "on lance install.sh"
|
|
||||||
# /kaz/bin/install.sh
|
|
||||||
# fi
|
|
||||||
|
|
||||||
${VAGRANT_SRC_DIR}/kaz.sh
|
|
||||||
|
|
||||||
# clear apt cache
|
# clear apt cache
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
|
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
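Review bot: The new SNSTER section clones an unpinned default branch and immediately runs `./install.sh` with the bootstrap's root privileges, so whatever that branch contains at provisioning time is executed without any integrity check; pin it, e.g. `git clone --depth 1 --branch "${SNSTER_REF:?set SNSTER_REF to a tag or commit}" https://framagit.org/flesueur/snster.git`, or check out a known commit before running the installer. The bare `cd` lands in $HOME and, if the clone fails, `cd snster` fails too and `./install.sh` is attempted from $HOME instead of aborting — no `set -e` is visible in the shown hunks, so chain them: `git clone … && cd snster && ./install.sh`. Separately, the mkcert hunk now issues `*.kaz.milxc`, which presumably writes `_wildcard.kaz.milxc.pem`, yet the unchanged `ln -s ../../local/_wildcard.kaz.local.pem …` lines and the `live/kaz.local/` directory still use the old name, so the symlinks will dangle.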
|
||||||
|
61
files/snster-kaz/isp-a/group.yml
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: ISP-A AS
|
||||||
|
comment: An ISP
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
router:
|
||||||
|
master: alpine
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: transit-a
|
||||||
|
ipv4: 100.64.0.110/24
|
||||||
|
ipv6: 2001:db8:b000::110/48
|
||||||
|
eth1:
|
||||||
|
bridge: isp-a-cust
|
||||||
|
ipv4: 100.120.0.1/24
|
||||||
|
eth2:
|
||||||
|
bridge: isp-a-infra
|
||||||
|
ipv4: 100.120.1.1/24
|
||||||
|
ipv6: 2001:db8:120:1::1/64
|
||||||
|
templates:
|
||||||
|
- bgprouter:
|
||||||
|
asn: 20
|
||||||
|
asdev: eth1;eth2
|
||||||
|
neighbors4: 100.64.1.1 as 31
|
||||||
|
neighbors6: 2001:db8:b001::1 as 31
|
||||||
|
- resolv:
|
||||||
|
nameserver: 100.100.100.100
|
||||||
|
domain: isp-a.milxc
|
||||||
|
|
||||||
|
infra:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: isp-a-infra
|
||||||
|
ipv4: 100.120.1.2/24
|
||||||
|
ipv6: 2001:db8:120:1::2/64
|
||||||
|
gatewayv4: 100.120.1.1
|
||||||
|
gatewayv6: 2001:db8:120:1::1
|
||||||
|
templates:
|
||||||
|
- mailserver:
|
||||||
|
domain: isp-a.milxc
|
||||||
|
- resolverns:
|
||||||
|
- resolv:
|
||||||
|
domain: isp-a.milxc
|
||||||
|
ns: 100.120.1.2
|
||||||
|
|
||||||
|
home:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: isp-a-cust
|
||||||
|
ipv4: 100.120.0.3/24
|
||||||
|
gatewayv4: 100.120.0.1
|
||||||
|
templates:
|
||||||
|
- updatecaroots:
|
||||||
|
- resolv:
|
||||||
|
domain: isp-a.milxc
|
||||||
|
ns: 100.120.1.2
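Review bot: The `resolv` template is given a `nameserver:` key on the router but an `ns:` key on `infra` and `home`; unless the template accepts both spellings (not visible here), one of these hosts ends up without a resolver, so use one key consistently, e.g. `nameserver: 100.120.1.2` on the two LAN hosts. The same router/host split appears in the kaz, mica and milxc groups, so if both keys are indeed valid a one-line comment in this file saying so would spare the next reader the same doubt.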
|
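--- a/files/snster-kaz/isp-a/infra/dns.conf
+++ b/files/snster-kaz/isp-a/infra/dns.conf
@@ -0,0 +1,9 @@
+server:
+interface: 0.0.0.0
+access-control: 100.64.0.0/10 allow
+
+local-zone: "isp-a.milxc." static
+local-data: "smtp.isp-a.milxc. IN A 100.120.1.2"
+local-data: "imap.isp-a.milxc. IN A 100.120.1.2"
+local-data: "ns.isp-a.milxc. IN A 100.120.1.2"
+local-data: "isp-a.milxc. IN MX 10 smtp.isp-a.milxc."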
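Review bot: `access-control: 100.64.0.0/10 allow` lets every host in the whole lab range use this ISP resolver recursively, not just isp-a's own customers, while outside resolvers still need to reach the `isp-a.milxc.` local-zone data it is delegated; split the two roles with `access-control: 100.120.0.0/23 allow` for the customer and infra LANs and `access-control: 100.64.0.0/10 refuse_non_local` for everyone else (unbound picks the most specific netblock). The `infra` host also carries 2001:db8:120:1::2 in group.yml and milxc/ns/provision.sh publishes that address as AAAA glue for ns.isp-a.milxc, but `interface: 0.0.0.0` binds IPv4 only and no AAAA local-data or IPv6 access-control appears here, so a resolver that follows the v6 glue gets nothing; add `interface: ::0` with a matching access-control line and `local-data: "ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2"`, or drop the v6 glue from the parent zone.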
21
files/snster-kaz/isp-a/infra/provision.sh
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# ISP-A infra
|
||||||
|
set -e
|
||||||
|
if [ -z $MILXCGUARD ] ; then exit 1; fi
|
||||||
|
DIR=`dirname $0`
|
||||||
|
cd `dirname $0`
|
||||||
|
|
||||||
|
# Email's mail account email@isp-a.milxc
|
||||||
|
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
|
||||||
|
addgroup email mail
|
||||||
|
#mkdir /home/hacker/mail
|
||||||
|
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
|
||||||
|
|
||||||
|
# disable systemd-resolved which conflicts with nsd
|
||||||
|
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
|
||||||
|
systemctl stop systemd-resolved
|
||||||
|
|
||||||
|
# manage isp-a.milxc zone
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
|
||||||
|
cp dns.conf /etc/unbound/unbound.conf.d/
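Review bot: The guard checks `MILXCGUARD` while kaz/prod/kaz.sh in the same commit checks `SNSTERGUARD`; whichever variable the SNSTER runner actually exports, one of the two scripts will refuse to run, so align them and quote the test so it does not depend on the one-argument form of `[`: `if [ -z "${SNSTERGUARD}" ] ; then exit 1; fi`. After `cp dns.conf /etc/unbound/unbound.conf.d/` nothing reloads unbound, so the daemon that `apt-get install -y unbound` just started keeps serving its packaged default config until the container reboots; add `systemctl restart unbound` after the copy. The `useradd … -p \`mkpasswd --method=sha-512 email\` email` line sets the password equal to the account name, which is presumably deliberate for the lab but deserves a comment saying so, and `mkpasswd` lives in the `whois` package, which this script does not appear to install before using it.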
|
48
files/snster-kaz/kaz/group.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: Target AS
|
||||||
|
comment: AS of the Target organization
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
router:
|
||||||
|
master: alpine
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: transit-a
|
||||||
|
ipv4: 100.64.0.10/24
|
||||||
|
ipv6: 2001:db8:b000::10/48
|
||||||
|
eth1:
|
||||||
|
bridge: kaz-lan1
|
||||||
|
ipv4: 100.80.0.1/24
|
||||||
|
eth2:
|
||||||
|
bridge: kaz-lan2
|
||||||
|
ipv4: 100.80.1.1/24
|
||||||
|
templates:
|
||||||
|
- bgprouter:
|
||||||
|
asn: 10
|
||||||
|
asdev: eth1;eth2
|
||||||
|
neighbors4: 100.64.0.1 as 30
|
||||||
|
neighbors6: 2001:db8:b000::1 as 30
|
||||||
|
- resolv:
|
||||||
|
nameserver: 100.100.100.100
|
||||||
|
domain: kaz.milxc
|
||||||
|
|
||||||
|
prod:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: kaz-lan1
|
||||||
|
ipv4: 100.80.0.2/24
|
||||||
|
eth1:
|
||||||
|
bridge: kaz-lan2
|
||||||
|
ipv4: 100.80.1.2/24
|
||||||
|
gatewayv4: 100.80.0.1
|
||||||
|
templates:
|
||||||
|
- updatecaroots:
|
||||||
|
- authns:
|
||||||
|
zonefile: dns.conf
|
||||||
|
- resolv:
|
||||||
|
domain: kaz.milxc
|
||||||
|
ns: 100.100.100.100
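Review bot: The header still reads `name: Target AS` / `comment: AS of the Target organization`, copied from the MI-LXC target group, while everything below describes the KAZ AS (`kaz.milxc`, ASN 10); rename it so the generated topology and logs identify the group correctly, e.g. `name: KAZ AS` and `comment: AS of the KAZ organization`. The `prod` host has no IPv6 address on kaz-lan1 or kaz-lan2 and the router has none either, which is fine on its own, but kaz/prod/dns.conf in this commit publishes AAAA records for `firewall` and `router`; either give the router that address here or keep the zone IPv4-only.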
|
22
files/snster-kaz/kaz/prod/dns.conf
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
$TTL 86400
|
||||||
|
$ORIGIN kaz.milxc.
|
||||||
|
@ 1D IN SOA ns.kaz.milxc. hostmaster.kaz.milxc. (
|
||||||
|
2002022401 ; serial
|
||||||
|
3H ; refresh
|
||||||
|
15 ; retry
|
||||||
|
1w ; expire
|
||||||
|
3h ; nxdomain ttl
|
||||||
|
)
|
||||||
|
IN NS ns.kaz.milxc.
|
||||||
|
IN MX 10 smtp.kaz.milxc.
|
||||||
|
ns IN A 100.80.0.2
|
||||||
|
dmz IN A 100.80.0.2
|
||||||
|
smtp IN CNAME dmz
|
||||||
|
imap IN CNAME dmz
|
||||||
|
www IN CNAME dmz
|
||||||
|
listes IN MX listes
|
||||||
|
listes IN A 100.80.1.2
|
||||||
|
firewall IN A 100.80.0.1
|
||||||
|
firewall IN AAAA 2001:db8:80::0:1
|
||||||
|
router IN A 100.80.0.1
|
||||||
|
router IN AAAA 2001:db8:80::0:1
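Review bot: `listes IN MX listes` is missing the mandatory preference field, so the zone does not parse and the authoritative server will refuse to load kaz.milxc — which silently takes down every other name in this file; write `listes IN MX 10 listes.kaz.milxc.`. The `firewall`/`router` AAAA records point at 2001:db8:80::0:1, but kaz/group.yml gives the router no IPv6 address on kaz-lan1 or kaz-lan2, so those answers lead nowhere; add the address to the router in group.yml or drop the two AAAA lines. Bumping the `2002022401` serial whenever this file changes would also let re-provisioning and any secondary pick up the new data.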
|
77
files/snster-kaz/kaz/prod/kaz.sh
Executable file
@ -0,0 +1,77 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
if [ -z "${SNSTERGUARD}" ] ; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
DIR=$(cd "$(dirname $0)"; pwd)
|
||||||
|
cd "${DIR}"
|
||||||
|
set -e
|
||||||
|
export OUTPUT_DIR="/root/install"
|
||||||
|
|
||||||
|
|
||||||
|
mkdir -p "${OUTPUT_DIR}/log/"
|
||||||
|
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
|
||||||
|
(
|
||||||
|
echo "########## ********** Start kaz.sh $(date +%D-%T)"
|
||||||
|
|
||||||
|
docker-clean -a
|
||||||
|
rm -rf /kaz
|
||||||
|
|
||||||
|
if [ -z "${KAZBRANCH}" ] ; then
|
||||||
|
KAZBRANCH="master"
|
||||||
|
fi
|
||||||
|
echo -e "\n #### git checkout ${KAZBRANCH}\n"
|
||||||
|
|
||||||
|
|
||||||
|
# copie des sources
|
||||||
|
cd /
|
||||||
|
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
|
||||||
|
(cd /kaz ; git checkout "${KAZBRANCH}" )
|
||||||
|
find /kaz -name \*.sh -exec chmod a+x {} \;
|
||||||
|
|
||||||
|
# pour ceux qui disposent d'un cache apt local et pas la fibre
|
||||||
|
if [ -f "${DIR}/.apt-mirror-config" ]; then
|
||||||
|
rsync -a "${DIR}/.apt-mirror-config" /kaz/
|
||||||
|
fi
|
||||||
|
if [ -f "${DIR}/.proxy-config" ]; then
|
||||||
|
rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
|
||||||
|
rsync -a "${DIR}/.proxy-config" /kaz/
|
||||||
|
fi
|
||||||
|
if [ -f "${DIR}/.docker-config.json" ]; then
|
||||||
|
mkdir -p /root/.docker
|
||||||
|
rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
echo -e "\n #### rsync download\n"
|
||||||
|
[ -d "${DIR}/kaz/download" ] &&
|
||||||
|
rsync -a "${DIR}/kaz/download/" /kaz/download/
|
||||||
|
[ -d "${DIR}/kaz/git" ] &&
|
||||||
|
rsync -a "${DIR}/kaz/git/" /kaz/git/
|
||||||
|
[ -f "${DIR}/kaz/config/dockers.env" ] &&
|
||||||
|
[ ! -f "/kaz/config/dockers.env" ] &&
|
||||||
|
rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
|
||||||
|
for type in mail orga proxy withMail withoutMail ; do
|
||||||
|
[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
|
||||||
|
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
|
||||||
|
rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/
|
||||||
|
done
|
||||||
|
|
||||||
|
echo -e "\n #### secretGen\n"
|
||||||
|
/kaz/bin/secretGen.sh
|
||||||
|
|
||||||
|
#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
|
||||||
|
if [ "${NOKAZ}" == "true" ]; then
|
||||||
|
echo "on ne lance pas install.sh"
|
||||||
|
else
|
||||||
|
echo "on lance install.sh"
|
||||||
|
/kaz/bin/install.sh
|
||||||
|
fi
|
||||||
|
|
||||||
|
# clear apt cache
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get clean
|
||||||
|
|
||||||
|
echo "########## ********** End kaz.sh $(date +%D-%T)"
|
||||||
|
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
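Review bot: The guard on the per-type list copy tests `/kaz/config/config/container-${type}.list` — a doubled `config/` segment that never exists — so the `[ ! -f … ]` check always passes and the lists are overwritten on every run, unlike the `dockers.env` guard a few lines above; it should read `[ ! -f "/kaz/config/container-${type}.list" ] &&`. Likewise `[ -f kaz ] || git clone …` tests for a regular file although /kaz is a directory (and was just removed by `rm -rf /kaz`), so the test is dead; `[ -d kaz ] || git clone …` expresses the intent. Note also that the script clones whatever `KAZBRANCH` (default `master`) currently points at and then runs `/kaz/bin/secretGen.sh` and `/kaz/bin/install.sh` as root with no pinned commit or signature check; for a reproducible lab, default `KAZBRANCH` to a tag or commit and quote `${DebugLog}` in the final `tee` redirections.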
|
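--- a/files/snster-kaz/kaz/prod/kaz/config/container-mail.list
+++ b/files/snster-kaz/kaz/prod/kaz/config/container-mail.list
@@ -0,0 +1,3 @@
+# e-mail server composer
+postfix
+sympa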
1
files/snster-kaz/kaz/prod/kaz/config/container-orga.list
Normal file
@ -0,0 +1 @@
|
|||||||
|
# orga composer
|
@ -0,0 +1 @@
|
|||||||
|
proxy
|
@ -0,0 +1,9 @@
|
|||||||
|
cloud
|
||||||
|
dokuwiki
|
||||||
|
#framadate
|
||||||
|
garradin
|
||||||
|
gitea
|
||||||
|
jirafeau
|
||||||
|
#mattermost
|
||||||
|
roundcube
|
||||||
|
#keycloak
|
@ -0,0 +1,10 @@
|
|||||||
|
cachet
|
||||||
|
jirafeau
|
||||||
|
ethercalc
|
||||||
|
collabora
|
||||||
|
ethercalc
|
||||||
|
etherpad
|
||||||
|
ldap
|
||||||
|
quotas
|
||||||
|
web
|
||||||
|
#vigilo
|
120
files/snster-kaz/kaz/prod/kaz/config/dockers.env
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
# Les variables d'environnements utilisées
|
||||||
|
# par les dockers via le lien :
|
||||||
|
# .env -> ../../config/dockers.env
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
# prod / dev / local
|
||||||
|
mode=prod
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# choix du domaine
|
||||||
|
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
|
||||||
|
domain=kaz.milxc
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# choix du domaine des mails sympa
|
||||||
|
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
|
||||||
|
domain_sympa=kaz.milxc
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# choix d'un serveur partiel
|
||||||
|
# site=site-2
|
||||||
|
site=
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# Pour garradin qui met en "dure" dans
|
||||||
|
# sa config l'URL pour l'atteindre
|
||||||
|
|
||||||
|
# prod=https (gandi) / dev=https (letsencrypt) / local=http
|
||||||
|
httpProto=https
|
||||||
|
|
||||||
|
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
|
||||||
|
MAIN_IP=100.80.0.2
|
||||||
|
|
||||||
|
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
|
||||||
|
SYMPA_IP=100.80.1.2
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# noms des services
|
||||||
|
|
||||||
|
# ou www (mais bof)
|
||||||
|
webHost=
|
||||||
|
|
||||||
|
cachetHost=cachet
|
||||||
|
calcHost=tableur
|
||||||
|
cloudHost=cloud
|
||||||
|
dateHost=sondage
|
||||||
|
dokuwikiHost=wiki
|
||||||
|
fileHost=depot
|
||||||
|
garHost=garradin
|
||||||
|
gitHost=git
|
||||||
|
gravHost=grav
|
||||||
|
ldapHost=ldap
|
||||||
|
matterHost=agora
|
||||||
|
officeHost=office
|
||||||
|
padHost=pad
|
||||||
|
quotasHost=quotas
|
||||||
|
smtpHost=smtp
|
||||||
|
sympaHost=listes
|
||||||
|
vigiloHost=vigilo
|
||||||
|
webmailHost=webmail
|
||||||
|
wordpressHost=wp
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# noms des containers
|
||||||
|
|
||||||
|
cachetServName=cachetServ
|
||||||
|
dokuwikiServName=dokuwikiServ
|
||||||
|
ethercalcServName=ethercalcServ
|
||||||
|
etherpadServName=etherpadServ
|
||||||
|
framadateServName=framadateServ
|
||||||
|
garradinServName=garradinServ
|
||||||
|
gitServName=gitServ
|
||||||
|
gravServName=gravServ
|
||||||
|
jirafeauServName=jirafeauServ
|
||||||
|
ldapServName=ldapServ
|
||||||
|
mattermostServName=mattermostServ
|
||||||
|
nextcloudServName=nextcloudServ
|
||||||
|
officeServName=officeServ
|
||||||
|
proxyServName=proxyServ
|
||||||
|
quotasServName=quotasServ
|
||||||
|
roundcubeServName=roundcubeServ
|
||||||
|
smtpServName=mailServ
|
||||||
|
sympaServName=sympaServ
|
||||||
|
vigiloServName=vigiloServ
|
||||||
|
webServName=webServ
|
||||||
|
wordpressServName=wpServ
|
||||||
|
|
||||||
|
cachetDBName=cachetDB
|
||||||
|
ethercalcDBName=ethercalcDB
|
||||||
|
etherpadDBName=etherpadDB
|
||||||
|
framadateDBName=framadateDB
|
||||||
|
gitDBName=gitDB
|
||||||
|
mattermostDBName=mattermostDB
|
||||||
|
nextcloudDBName=nextcloudDB
|
||||||
|
quotasDBName=quotasDB
|
||||||
|
roundcubeDBName=roundcubeDB
|
||||||
|
sympaDBName=sympaDB
|
||||||
|
vigiloDBName=vigiloDB
|
||||||
|
wordpressDBName=wpDB
|
||||||
|
|
||||||
|
ldapIUName=ldapIU
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# politique de redémarrage
|
||||||
|
# prod=always / test=unless-stopped / local=no
|
||||||
|
restartPolicy=no
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# devrait être dans env-jirafeauServ
|
||||||
|
# mais seuls les variables de ".env" sont
|
||||||
|
# utilisables pour le montage des volumes
|
||||||
|
|
||||||
|
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
|
||||||
|
|
||||||
|
ldapRoot=dc=kaz,dc=milxc
|
||||||
|
|
||||||
|
########################################
|
||||||
|
# services activés par container.sh
|
||||||
|
# variables d'environneements utilisées
|
||||||
|
# pour le tmpl du mandataire (proxy)
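Review bot: `jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/` hard-codes what looks like Jirafeau's randomised data-directory name; if that random segment is what keeps uploaded files from being fetched by path, committing it to a public repository defeats the purpose, so it should be generated at provisioning time (presumably alongside the other secrets `secretGen.sh` produces) rather than checked in. `mode=prod` and `httpProto=https` describe a production deployment while `restartPolicy=no` is documented in the comment above it as the `local` value and main.yml calls this a development environment; a comment stating which mode this `.milxc` profile is meant to emulate would stop the next reader from "fixing" one or the other.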
|
76
files/snster-kaz/kaz/prod/provision.sh
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Target DMZ
|
||||||
|
set -e
|
||||||
|
if [ -z $MILXCGUARD ] ; then exit 1; fi
|
||||||
|
DIR=`dirname $0`
|
||||||
|
cd `dirname $0`
|
||||||
|
|
||||||
|
# disable systemd-resolved which conflicts with nsd
|
||||||
|
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
|
||||||
|
systemctl stop systemd-resolved
|
||||||
|
|
||||||
|
apt-get update
|
||||||
|
DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1`
|
||||||
|
if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye
|
||||||
|
then
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-apache
|
||||||
|
else
|
||||||
|
echo "Unsupported Debian version"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# preconfig TLS and certbot
|
||||||
|
a2enmod ssl
|
||||||
|
a2ensite default-ssl.conf
|
||||||
|
echo -e "
|
||||||
|
email=admin@kaz.milxc
|
||||||
|
agree-tos=1
|
||||||
|
no-verify-ssl=1
|
||||||
|
" >> /etc/letsencrypt/cli.ini
|
||||||
|
|
||||||
|
# Go KAZ !
|
||||||
|
# KAZ specific things
|
||||||
|
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
|
||||||
|
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
|
||||||
|
usermod -G docker debian
|
||||||
|
# activation dans alias dans /root/.bashrc
|
||||||
|
sed -i \
|
||||||
|
-e 's/^\# alias/alias/g' \
|
||||||
|
-e 's/^\# export/export/g' \
|
||||||
|
-e 's/^\# eval/eval/g' \
|
||||||
|
/root/.bashrc
|
||||||
|
|
||||||
|
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
|
||||||
|
cat >> /root/.bashrc <<EOF
|
||||||
|
# enable bash completion in interactive shells
|
||||||
|
if ! shopt -oq posix; then
|
||||||
|
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
||||||
|
. /usr/share/bash-completion/bash_completion
|
||||||
|
elif [ -f /etc/bash_completion ]; then
|
||||||
|
. /etc/bash_completion
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
for file in /kaz/bin/.*-completion.bash ; do
|
||||||
|
source "\${file}"
|
||||||
|
done
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# On met le KAZGUARD pour la mise au point
|
||||||
|
echo "export KAZGUARD='true'" >> /root/.bashrc
|
||||||
|
|
||||||
|
# On active fuse-overlayfs pour docker
|
||||||
|
cat >> /etc/docker/daemon.json <<EOF
|
||||||
|
{ "storage-driver": "fuse-overlayfs" }
|
||||||
|
EOF
|
||||||
|
service docker restart
|
||||||
|
mknod -m 666 /dev/fuse c 10 229 # + dans le rc.local ? + modprobe fuse sur l'ĥôte ?
|
||||||
|
|
||||||
|
./kaz.sh
|
||||||
|
|
||||||
|
# clear apt cache
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get clean
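Review bot: `no-verify-ssl=1` written to /etc/letsencrypt/cli.ini makes certbot accept any certificate from the ACME directory, so any host on the lab network can impersonate the MICA CA and hand this DMZ its certificates; since `prod` already gets the `updatecaroots` template in kaz/group.yml, the intended fix is to trust the MICA root and drop this line (or gate it behind an explicitly named debug flag). `usermod -G docker debian` replaces the user's supplementary groups instead of adding one (`usermod -aG docker debian`), docker-group membership is root-equivalent and deserves a comment if that is accepted for the lab, and the line aborts the script under `set -e` if the bullseye LXC rootfs has no `debian` user. `cat >> /etc/docker/daemon.json` appends a second JSON document if the file already exists, which leaves dockerd unable to start; write it with `>` (or merge with jq) and keep `service docker restart` after it. As in the other provision.sh files, the `MILXCGUARD` check here disagrees with the `SNSTERGUARD` check inside the `./kaz.sh` it calls, so both must be exported for this script to complete.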
|
33
files/snster-kaz/main.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: KAZ
|
||||||
|
comment: KAZ development environment
|
||||||
|
|
||||||
|
config:
|
||||||
|
prefix: kaz
|
||||||
|
nat-bridge: lxcbr0
|
||||||
|
default-master: bullseye
|
||||||
|
|
||||||
|
masters:
|
||||||
|
bullseye:
|
||||||
|
backend: lxc
|
||||||
|
template: debian
|
||||||
|
parameters:
|
||||||
|
release: bullseye
|
||||||
|
arch: amd64
|
||||||
|
family: debian
|
||||||
|
|
||||||
|
alpine:
|
||||||
|
backend: lxc
|
||||||
|
template: download
|
||||||
|
parameters:
|
||||||
|
dist: alpine
|
||||||
|
release: 3.14
|
||||||
|
arch: amd64
|
||||||
|
no-validate: true
|
||||||
|
family: alpine
|
||||||
|
|
||||||
|
disabled-groups:
|
||||||
|
#- target
|
||||||
|
#- root-o
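Review bot: `no-validate: true` on the alpine master presumably maps to the lxc `download` template's `--no-validate`, which disables the GPG check of the image index and rootfs it fetches, so the router containers are built from whatever the mirror or anyone on the path serves. If this was added to work around an unreachable keyserver, keep validation on and point the template at a reachable one (its `--keyserver` parameter, if the backend exposes it), or at least record the reason in a comment next to the line. The `disabled-groups` stubs `#- target` / `#- root-o` name groups that do not exist in this tree (the groups here are isp-a, kaz, mica, milxc and opendns) and should be dropped or updated.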
|
42
files/snster-kaz/mica/group.yml
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: MICA AS
|
||||||
|
comment: An ACME Certification Authority
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
router:
|
||||||
|
master: alpine
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: transit-a
|
||||||
|
ipv4: 100.64.1.140/24
|
||||||
|
ipv6: 2001:db8:b001::140/48
|
||||||
|
eth1:
|
||||||
|
bridge: mica-lan
|
||||||
|
ipv4: 100.82.0.1/16
|
||||||
|
ipv6: 2001:db8:82::1/48
|
||||||
|
templates:
|
||||||
|
- bgprouter:
|
||||||
|
asn: 12
|
||||||
|
asdev: eth1
|
||||||
|
neighbors4: 100.64.1.1 as 31
|
||||||
|
neighbors6: 2001:db8:b001::1 as 31
|
||||||
|
- resolv:
|
||||||
|
nameserver: 100.100.100.100
|
||||||
|
domain: mica.milxc
|
||||||
|
|
||||||
|
infra:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: mica-lan
|
||||||
|
ipv4: 100.82.0.2/16
|
||||||
|
ipv6: 2001:db8:82::2/48
|
||||||
|
gatewayv4: 100.82.0.1
|
||||||
|
gatewayv6: 2001:db8:82::1
|
||||||
|
templates:
|
||||||
|
- resolv:
|
||||||
|
domain: mica.milxc
|
||||||
|
ns: 100.100.100.100
|
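--- a/files/snster-kaz/mica/infra/dns.conf
+++ b/files/snster-kaz/mica/infra/dns.conf
@@ -0,0 +1,8 @@
+server:
+interface: 0.0.0.0
+access-control: 100.64.0.0/10 allow
+
+local-zone: "mica.milxc." static
+local-data: "ns.mica.milxc. IN A 100.82.0.2"
+local-data: "www.mica.milxc. IN A 100.82.0.2"
+local-data: "ca.mica.milxc. IN A 100.82.0.2"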
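Review bot: `access-control: 100.64.0.0/10 allow` turns the CA's own name server into a recursive resolver for the whole lab range, although nothing in mica/group.yml points at it for recursion (infra itself uses 100.100.100.100) and the open resolver already lives in the `opendns` group; `access-control: 100.64.0.0/10 refuse_non_local` still answers the delegated `mica.milxc.` names to everyone while refusing recursion. The parent zone in milxc/ns/provision.sh publishes `ns.mica.milxc. IN AAAA 2001:db8:82::2`, but with `interface: 0.0.0.0` this instance listens on IPv4 only and serves no AAAA for `ns` or `ca`, so resolvers that prefer the v6 glue get no answer; add `interface: ::0` plus `local-data: "ns.mica.milxc. IN AAAA 2001:db8:82::2"`, or drop the v6 glue.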
34
files/snster-kaz/mica/infra/provision.sh
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# MICA infra
|
||||||
|
set -e
|
||||||
|
if [ -z $MILXCGUARD ] ; then exit 1; fi
|
||||||
|
DIR=`dirname $0`
|
||||||
|
cd `dirname $0`
|
||||||
|
|
||||||
|
# Hacker's mail account hacker@isp-a.milxc
|
||||||
|
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 ca` ca || true
|
||||||
|
addgroup ca mail
|
||||||
|
#mkdir /home/hacker/mail
|
||||||
|
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
|
||||||
|
|
||||||
|
# disable systemd-resolved which conflicts with nsd
|
||||||
|
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
|
||||||
|
systemctl stop systemd-resolved
|
||||||
|
|
||||||
|
# manage isp-a.milxc zone
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
|
||||||
|
cp dns.conf /etc/unbound/unbound.conf.d/
|
||||||
|
|
||||||
|
|
||||||
|
# Install smallstep CA / ACME server
|
||||||
|
cd /tmp
|
||||||
|
wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
|
||||||
|
dpkg -i step-cli_0.17.2_amd64.deb
|
||||||
|
wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
|
||||||
|
dpkg -i step-ca_0.17.2_amd64.deb
|
||||||
|
|
||||||
|
# step ca init
|
||||||
|
# step ca root root.crt
|
||||||
|
# step ca provisioner add acme --type ACME
|
||||||
|
# certbot certonly -n --standalone -d www.target.milxc --server https://www.mica.milxc/acme/acme/directory --agree-tos --email "fr@fr.fr"
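Review bot: The two `wget … github.com/smallstep/…/*.deb` + `dpkg -i` steps install the lab's root of trust relying only on GitHub's TLS for integrity; pin the expected digests next to the version and verify before installing, e.g. `echo "<sha256 from the release's checksums file>  step-ca_0.17.2_amd64.deb" | sha256sum -c -`, so a substituted artifact cannot become the CA. The comments `# Hacker's mail account hacker@isp-a.milxc` and `# manage isp-a.milxc zone` are copy-paste leftovers from another group and should describe this host (`# CA operator account ca@mica.milxc`, `# serve the mica.milxc zone`), and `useradd … -p \`mkpasswd --method=sha-512 ca\` ca` gives the account its own name as password, which deserves an explicit "lab only" comment. Since the `step ca init` / `step ca provisioner add acme` lines are commented out, this commit ships no working ACME endpoint, so the `--server https://www.mica.milxc/acme/acme/directory` flow (and the `no-verify-ssl=1` relying on it in kaz/prod/provision.sh) should be marked TODO rather than left looking finished; as in isp-a, unbound is also never restarted after `cp dns.conf /etc/unbound/unbound.conf.d/`.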
|
42
files/snster-kaz/milxc/group.yml
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: MILXC AS
|
||||||
|
comment: The .milxc TLD auth NS
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
router:
|
||||||
|
master: alpine
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: transit-a
|
||||||
|
ipv4: 100.64.0.40/24
|
||||||
|
ipv6: 2001:db8:b000::40/48
|
||||||
|
eth1:
|
||||||
|
bridge: milxc-lan
|
||||||
|
ipv4: 100.100.20.1/24
|
||||||
|
ipv6: 2001:db8:a020::1/48
|
||||||
|
templates:
|
||||||
|
- bgprouter:
|
||||||
|
asn: 8
|
||||||
|
asdev: eth1
|
||||||
|
neighbors4: 100.64.0.1 as 30
|
||||||
|
neighbors6: 2001:db8:b000::1 as 30
|
||||||
|
- resolv:
|
||||||
|
nameserver: 100.100.100.100
|
||||||
|
domain: milxc.milxc
|
||||||
|
|
||||||
|
ns:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: milxc-lan
|
||||||
|
ipv4: 100.100.20.10/24
|
||||||
|
ipv6: 2001:db8:a020::10/48
|
||||||
|
gatewayv4: 100.100.20.1
|
||||||
|
gatewayv6: 2001:db8:a020::1
|
||||||
|
templates:
|
||||||
|
- resolv:
|
||||||
|
domain: milxc.milxc
|
||||||
|
ns: 100.100.100.100
|
41
files/snster-kaz/milxc/ns/provision.sh
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# .milxc registry
|
||||||
|
|
||||||
|
set -e
|
||||||
|
if [ -z $MILXCGUARD ] ; then exit 1; fi
|
||||||
|
DIR=`dirname $0`
|
||||||
|
cd `dirname $0`
|
||||||
|
|
||||||
|
# disable systemd-resolved which conflicts with nsd
|
||||||
|
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
|
||||||
|
systemctl stop systemd-resolved
|
||||||
|
|
||||||
|
apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
|
||||||
|
|
||||||
|
echo -e "zone:
|
||||||
|
name: \"milxc.\"
|
||||||
|
zonefile: \"milxc.zone\"
|
||||||
|
" > /etc/nsd/nsd.conf
|
||||||
|
|
||||||
|
echo -e "\$TTL 86400
|
||||||
|
\$ORIGIN milxc.
|
||||||
|
@ 1D IN SOA ns.milxc. hostmaster.milxc. (
|
||||||
|
2002022401 ; serial
|
||||||
|
3H ; refresh
|
||||||
|
15 ; retry
|
||||||
|
1w ; expire
|
||||||
|
3h ; nxdomain ttl
|
||||||
|
)
|
||||||
|
IN NS ns.milxc.
|
||||||
|
ns IN A 100.100.20.10 ;name server definition
|
||||||
|
ns IN AAAA 2001:db8:a020::10
|
||||||
|
kaz.milxc. IN NS ns.kaz.milxc.
|
||||||
|
ns.kaz.milxc. IN A 100.80.0.2
|
||||||
|
isp-a.milxc. IN NS ns.isp-a.milxc.
|
||||||
|
ns.isp-a.milxc. IN A 100.120.1.2
|
||||||
|
ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2
|
||||||
|
mica.milxc. IN NS ns.mica.milxc.
|
||||||
|
ns.mica.milxc. IN A 100.82.0.2
|
||||||
|
ns.mica.milxc. IN AAAA 2001:db8:82::2
|
||||||
|
" >> /etc/nsd/milxc.zone
|
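Review bot: The guard on line 5 checks `MILXCGUARD`, while the templates added by the same commit (files/templates/debian/resolverns/provision.sh and files/templates/debian/rootns/provision.sh) check `SNSTERGUARD`; if the snster runner exports only the new name, this script and files/snster-kaz/transit-a/router/provision.sh exit 1 before doing anything. The test is also unquoted, so it only works because `[ -z ]` with the operand missing happens to evaluate true; `if [ -z "${MILXCGUARD:-}" ]; then exit 1; fi` is the robust form. Separately, the zone is written with `>> /etc/nsd/milxc.zone` whereas nsd.conf is written with `>`, so a second run of the script leaves two SOA records in the zone and nsd will refuse to load it — use `>` for the zone file as well. Nothing restarts or reloads nsd after nsd.conf and the zone are written; unless the orchestrator restarts the container afterwards, the package's default configuration stays in effect.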
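--- a/files/snster-kaz/opendns/group.yml
+++ b/files/snster-kaz/opendns/group.yml
@@ -0,0 +1,43 @@
+version: 1
+
+header:
+name: open DNS service AS
+comment: an open DNS resolver
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.30/24
+ipv6: 2001:db8:b000::30/48
+eth2:
+bridge: opendns-lan
+ipv4: 100.100.100.1/24
+ipv6: 2001:db8:a100::1/48
+templates:
+- bgprouter:
+asn: 7
+asdev: eth2
+neighbors4: 100.64.0.1 as 30;100.64.1.1 as 31
+neighbors6: 2001:db8:b000::1 as 30;2001:db8:b001::1 as 31
+- resolv:
+nameserver: 100.100.100.100
+domain: opendns.milxc
+
+resolver:
+network:
+interfaces:
+eth0:
+bridge: opendns-lan
+ipv4: 100.100.100.100/24
+ipv6: 2001:db8:a100::100/48
+gatewayv4: 100.100.100.1
+gatewayv6: 2001:db8:a100::1
+templates:
+- resolverns:
+- resolv:
+domain: opendns.milxc
+ns: 100.100.100.100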
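Review bot: The router's `neighbors4` lists `100.64.1.1 as 31` (and `neighbors6` lists `2001:db8:b001::1 as 31`), but the only interfaces declared are `eth0` on `transit-a` (100.64.0.30/24) and `eth2` on `opendns-lan`; no interface on 100.64.1.0/24 or 2001:db8:b001::/48 appears, and the numbering skips `eth1`. If an `eth1` on a second transit bridge was meant to be here, the AS 31 session cannot come up without it; if the gap is deliberate, a comment saying so would save the next reader a search. The bgprouter template is outside this commit's view, so I cannot tell whether it handles peers that are not directly connected.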
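--- a/files/snster-kaz/root-p/group.yml
+++ b/files/snster-kaz/root-p/group.yml
@@ -0,0 +1,43 @@
+version: 1
+
+header:
+name: Root-P AS
+comment: A DNS Root server
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.20/24
+ipv6: 2001:db8:b000::20/48
+eth1:
+bridge: root-p-lan
+ipv4: 100.100.1.1/24
+ipv6: 2001:db8:a001::1/48
+templates:
+- bgprouter:
+asn: 6
+asdev: eth1
+neighbors4: 100.64.0.1 as 30
+neighbors6: 2001:db8:b000::1 as 30
+- resolv:
+nameserver: 100.100.100.100
+domain: ns-root-p.milxc
+
+rootns:
+network:
+interfaces:
+eth0:
+bridge: root-p-lan
+ipv4: 100.100.1.10/24
+ipv6: 2001:db8:a001::10/48
+gatewayv4: 100.100.1.1
+gatewayv6: 2001:db8:a001::1
+templates:
+- rootns:
+- resolv:
+domain: ns-root-p.milxc
+ns: 100.100.100.100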
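--- a/files/snster-kaz/transit-a/group.yml
+++ b/files/snster-kaz/transit-a/group.yml
@@ -0,0 +1,27 @@
+version: 1
+
+header:
+name: Transit-A
+comment: Transit-A IXP
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: nat-bridge
+ipv4: dhcp
+eth1:
+bridge: transit-a
+ipv4: 100.64.0.1/24
+ipv6: 2001:db8:b000::1/48
+templates:
+- bgprouter:
+asn: 30
+asdev: eth1
+neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.2 as 31; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
+neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::2 as 31; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
+- resolv:
+nameserver: 100.100.100.100
+domain: transit-a.milxc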
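Review bot: The `neighbors4` and `neighbors6` lists mix `;`-separated entries with and without a following space (`as 8; 100.64.0.2` next to `as 7;100.64.0.30`). Unless the bgprouter template trims each entry after splitting on `;`, the entries with a leading space carry it into the peer address; writing the list uniformly as `addr as N;addr as N` removes the dependency on that trimming. Also, AS 12 is peered at `100.64.1.140` / `2001:db8:b001::140`, which is not on this router's `eth1` subnet (100.64.0.1/24, 2001:db8:b000::1/48); a comment would help if that is an intended multihop session or a link declared elsewhere.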
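--- a/files/snster-kaz/transit-a/router/provision.sh
+++ b/files/snster-kaz/transit-a/router/provision.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Transit A with alpine
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+apk update
+apk add bird iptables
+rc-update add bird
+
+# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
+chmod +x /etc/local.d/iptables.start
+rc-update add local
+
+# keep DHCP on eth0
+touch /etc/network/keepdhcp
+
+# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start)
+# This metric must be lower than the one exported by BGP for the default route (static part below)
+mkdir /etc/udhcpc
+echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
+
+#echo "supersede domain-name-servers 10.10.10.10;" >> /etc/dhcp/dhclient.conf
+#echo "supersede domain-name \"internet.milxc\";" >> /etc/dhcp/dhclient.conf
+
+
+# customize bird config (BGP)
+sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
+# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
+echo -e "
+protocol static {
+ipv4;
+route 0.0.0.0/0 via 100.64.0.1;
+}
+" >> /etc/bird.conf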
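Review bot: `mkdir /etc/udhcpc` runs under `set -e` without `-p`, so re-running the script on a container where the directory already exists aborts before the bird configuration is written; `mkdir -p /etc/udhcpc` keeps the script re-runnable, and the repositories line should be guarded the same way (`grep -qF edge/testing /etc/apk/repositories || echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories`) so it is not appended on every run. Under `#!/bin/sh`, `echo -e` depends on busybox's echo accepting `-e`; `printf '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n' > /etc/local.d/iptables.start` is the portable form. The `protocol static` default route points at 100.64.0.1, which is this router's own eth1 address; if it exists only to be originated into BGP (as the udhcpc metric comment suggests), a one-line comment saying so would help, because read cold it looks like a typo.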
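--- a/files/templates/debian/resolverns/provision.sh
+++ b/files/templates/debian/resolverns/provision.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils
+
+# get root hints
+#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints
+echo -e ". 3600000 NS P.ROOT-SERVERS.NET.
+P.ROOT-SERVERS.NET. 3600000 A 100.100.1.10
+P.ROOT-SERVERS.NET. 3600000 AAAA 2001:db8:a001::10
+" > /etc/unbound/root.hints
+
+# customize unbound config
+#echo -e "server:
+# ip-address: 127.0.0.1
+echo -e "server:
+root-hints: root.hints
+" > /etc/unbound/unbound.conf.d/root.conf
+
+# no DNSSEC validation for now
+sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
+
+# Be an open dns resolver -- TO CHANGE LATER
+echo -e "server:
+interface: 0.0.0.0
+access-control: 0.0.0.0/0 allow
+cache-max-ttl: 20
+cache-max-negative-ttl: 20
+" > /etc/unbound/unbound.conf.d/listen.conf
+
+service unbound restart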
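Review bot: The header comment `# Root NS template` and the comment `# disable systemd-resolved which conflicts with nsd` were carried over from the rootns template; this script installs unbound and builds a recursive resolver, so they should read `# Open recursive resolver template (unbound)` and `# disable systemd-resolved's stub listener so unbound can take port 53`. The exposure sits in the block marked `TO CHANGE LATER`: `interface: 0.0.0.0` with `access-control: 0.0.0.0/0 allow` answers recursion for any source, and the preceding `sed` switches off DNSSEC validation by commenting out the trust anchor. Inside the lab bridges that is acceptable, but if this topology is ever attached to a real network the resolver becomes an amplification vector, so the marker would be more useful as `# TODO: restrict access-control to the lab prefixes (100.64.0.0/10, 2001:db8::/32)`, which cover every address in this commit. The `sed -i "s/auto/\#auto/"` also rewrites the first `auto` on any line of that file; anchoring it to the key, `s/^\(\s*\)auto-trust-anchor-file/\1#auto-trust-anchor-file/`, makes the intent explicit.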
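--- a/files/templates/debian/rootns/provision.sh
+++ b/files/templates/debian/rootns/provision.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+# get root zone
+wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone
+
+# customize root zone
+# remove official roots
+sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone
+# add alternative milxc root
+
+echo -e ". 518400 IN NS p.root-servers.net
+p.root-servers.net 518400 IN A 100.100.1.10
+p.root-servers.net 518400 IN AAAA 2001:db8:a001::10
+" >> /etc/nsd/root.zone
+
+
+# add .milxc TLD served by 100.100.20.10
+echo -e "milxc. 518400 IN NS ns.milxc.
+ns.milxc. 518400 IN A 100.100.20.10
+ns.milxc. 518400 IN AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone
+
+# customize nsd config
+#echo -e "server:
+# ip-address: 127.0.0.1
+echo -e "zone:
+name: \".\"
+zonefile: \"root.zone\"
+" > /etc/nsd/nsd.conf
+
+#service nsd restart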
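Review bot: The root zone is fetched over plain `http://` on line 16 and used as-is; InterNIC serves the same file over https and publishes a detached signature next to it, so `wget "https://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone` followed by a signature (or at least checksum) check before editing would keep a mangled or substituted download out of the lab's root. That fetch is the only step in these templates that needs egress and it runs under `set -e`, so provisioning hard-fails offline; shipping a cached copy with the template, as resolverns does for root.hints, would make the build reproducible. `#service nsd restart` on the last line is commented out, so nsd keeps running the package's default configuration after nsd.conf and root.zone are written; unless the orchestrator restarts the container afterwards, the zone is never served. Minor: in the `sed` on line 20 the `.` before `root-servers` is an unescaped regex metacharacter; `[a-m]\.root-servers\.net` is the intended pattern.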