snster bootstrap

files/provision.sh

@@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
     # Copie de qques fichiers
     cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
 
-    # Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
     sysctl -w net.ipv4.ip_forward=1
-    DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
 
     # MAJ et install
     sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
@@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
     DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
     DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
     DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
-    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
+    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends
     DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
 
     ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
 
 
     # enable bash autocompletion
-    if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
 	cat >> /etc/bash.bashrc <<EOF
 # enable bash completion in interactive shells
 if ! shopt -oq posix; then
@@ -121,7 +118,6 @@ if ! shopt -oq posix; then
   fi
 fi
 EOF
-    fi
 
     # XFCE4 panel: use default config
     # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
@@ -150,65 +146,6 @@ SystemMaxFileSize=2M
 EOF
     fi
 
-    # KAZ specific things
-    #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
-
-    DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
-    usermod -G docker debian
-    # activation dans alias dans /root/.bashrc
-    sed -i \
-	-e 's/^\# alias/alias/g' \
-	-e 's/^\# export/export/g' \
-	-e 's/^\# eval/eval/g' \
-	/root/.bashrc
-
-    if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
-	cat >> /root/.bashrc <<EOF
-
-# enable bash completion in interactive shells
-if ! shopt -oq posix; then
-  if [ -f /usr/share/bash-completion/bash_completion ]; then
-    . /usr/share/bash-completion/bash_completion
-  elif [ -f /etc/bash_completion ]; then
-    . /etc/bash_completion
-  fi
-fi
-
-for file in /kaz/bin/.*-completion.bash ; do
-    source "\${file}"
-done
-EOF
-    fi
-
-  #   # Localisation du $LANG, en par défaut, timezone Paris
-  #   if [ -z "${KAZBRANCH}" ] ; then
-	#      KAZBRANCH="develop-vm"
-  #   fi
-  #   echo -e "\n    #### git checkout ${KAZBRANCH}\n"
-  #
-  #   # copie des sources
-  #   cd /
-  #   [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
-  #   (cd /kaz ; git checkout "${KAZBRANCH}" )
-  #   find /kaz -name \*.sh -exec chmod a+x {} \;
-  #
-  #   # pour ceux qui disposent d'un cache apt local et pas la fibre
-  #   if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
-	# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
-  #   fi
-  #   if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
-	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
-	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
-  #   fi
-  #   if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
-	# mkdir -p /root/.docker
-	# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
-  #   fi
-
-    # Ajout d'un serveur DNS sur la VM
-    #*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
-    DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
-
     #***********DEBUT CERTIF*******************
     #*****************ATTENTION:  MARCHE PAS (il faut accepter toutes les exceptions de sécurité
 
@@ -225,7 +162,7 @@ EOF
 	export CAROOT=/etc/letsencrypt/local/
 	/root/mkcert/mkcert -install      # CA dans /etc/letsencrypt/local/
 	cd "${CAROOT}"
-	/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
+	/root/mkcert/mkcert "*.kaz.milxc" # cert et clé dans /etc/letsencrypt/local/
 
 	mkdir -p /etc/letsencrypt/live/kaz.local/
 	ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
@@ -249,61 +186,12 @@ EOF
 
     #***********FIN CERTIF*******************
 
-    #ajout des services dans le host
+    # SNSTER
-    echo -e "\n    #### update /etc/hosts\n"
+    cd
-    if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
+    git clone https://framagit.org/flesueur/snster.git
-	echo "127.0.0.1	kaz.local" >>/etc/hosts
+    cd snster
-    fi
+    ./install.sh
-    if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
-	echo "127.0.0.2	listes.kaz.local" >>/etc/hosts
-    fi
-    for SERVICE in ${SERVICES_LIST}; do
-	if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
-	    sed -i /etc/hosts \
-		-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
-	fi
-    done
 
-    echo -e "\n    #### clawsmail\n"
-    # les scripts de créations de BAL pour clawsmail
-    cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
-    cd /clawsmail
-    chmod +x addclawsuser.sh
-    chmod +x genpasswd
-
-    #client pour tester la messagerie
-    DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
-
-    # On met le KAZGUARD pour la mise au point
-    echo "export KAZGUARD='true'" >> /root/.bashrc
-
-
-  #   echo -e "\n    #### rsync download\n"
-  #   [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
-  #   [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
-  #   [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
-	# [ ! -f "/kaz/config/dockers.env" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
-  #   for type in mail orga proxy withMail withoutMail ; do
-	# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
-	#     [ ! -f "/kaz/config/config/container-${type}.list" ] &&
-	#     rsync -a  "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
-  #   done
-  #
-  #   echo -e "\n    #### secretGen\n"
-  #   /kaz/bin/secretGen.sh
-  #
-  #   #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
-  #   if [ "${NOKAZ}" == "true" ]; then
-	# echo "on ne lance pas install.sh"
-  #   else
-	# echo "on lance install.sh"
-	# /kaz/bin/install.sh
-  #   fi
-
-    ${VAGRANT_SRC_DIR}/kaz.sh
 
     # clear apt cache
     DEBIAN_FRONTEND=noninteractive apt-get autoremove -y

files/snster-kaz/isp-a/group.yml

@@ -0,0 +1,61 @@
+version: 1
+
+header:
+  name: ISP-A AS
+  comment: An ISP
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.110/24
+          ipv6: 2001:db8:b000::110/48
+        eth1:
+          bridge: isp-a-cust
+          ipv4: 100.120.0.1/24
+        eth2:
+          bridge: isp-a-infra
+          ipv4: 100.120.1.1/24
+          ipv6: 2001:db8:120:1::1/64
+    templates:
+      - bgprouter:
+          asn: 20
+          asdev: eth1;eth2
+          neighbors4: 100.64.1.1 as 31
+          neighbors6: 2001:db8:b001::1 as 31
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: isp-a.milxc
+
+  infra:
+    network:
+      interfaces:
+        eth0:
+          bridge: isp-a-infra
+          ipv4: 100.120.1.2/24
+          ipv6: 2001:db8:120:1::2/64
+      gatewayv4: 100.120.1.1
+      gatewayv6: 2001:db8:120:1::1
+    templates:
+      - mailserver:
+          domain: isp-a.milxc
+      - resolverns:
+      - resolv:
+          domain: isp-a.milxc
+          ns: 100.120.1.2
+
+  home:
+    network:
+      interfaces:
+        eth0:
+          bridge: isp-a-cust
+          ipv4: 100.120.0.3/24
+      gatewayv4: 100.120.0.1
+    templates:
+      - updatecaroots:
+      - resolv:
+          domain: isp-a.milxc
+          ns: 100.120.1.2

files/snster-kaz/isp-a/infra/dns.conf

@@ -0,0 +1,9 @@
+server:
+  interface: 0.0.0.0
+  access-control: 100.64.0.0/10 allow
+	
+  local-zone: "isp-a.milxc." static
+  local-data: "smtp.isp-a.milxc. IN A 100.120.1.2"
+  local-data: "imap.isp-a.milxc. IN A 100.120.1.2"
+  local-data: "ns.isp-a.milxc. IN A 100.120.1.2"
+  local-data: "isp-a.milxc. IN MX 10 smtp.isp-a.milxc."

files/snster-kaz/isp-a/infra/provision.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# ISP-A infra
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# Email's mail account email@isp-a.milxc
+useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
+addgroup email mail
+#mkdir /home/hacker/mail
+#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage isp-a.milxc zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/

files/snster-kaz/kaz/group.yml

@@ -0,0 +1,48 @@
+version: 1
+
+header:
+  name: Target AS
+  comment: AS of the Target organization
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.10/24
+          ipv6: 2001:db8:b000::10/48
+        eth1:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.1/24
+        eth2:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.1/24
+    templates:
+      - bgprouter:
+          asn: 10
+          asdev: eth1;eth2
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: kaz.milxc
+
+  prod:
+    network:
+      interfaces:
+        eth0:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.2/24
+        eth1:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.2/24
+      gatewayv4: 100.80.0.1
+    templates:
+      - updatecaroots:
+      - authns:
+          zonefile: dns.conf
+      - resolv:
+          domain: kaz.milxc
+          ns: 100.100.100.100

files/snster-kaz/kaz/prod/dns.conf

@@ -0,0 +1,22 @@
+$TTL	86400
+$ORIGIN kaz.milxc.
+@  1D  IN  SOA ns.kaz.milxc. hostmaster.kaz.milxc. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.kaz.milxc.
+       IN  MX  10 smtp.kaz.milxc.
+ns    IN  A      100.80.0.2
+dmz   IN A 100.80.0.2
+smtp  IN CNAME 	dmz
+imap  IN CNAME 	dmz
+www   IN CNAME 	dmz
+listes	IN	MX	listes
+listes	IN	A	100.80.1.2
+firewall   IN A 100.80.0.1
+firewall	IN	AAAA	2001:db8:80::0:1
+router		IN	A	100.80.0.1
+router		IN	AAAA	2001:db8:80::0:1

files/snster-kaz/kaz/prod/kaz.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+    exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+    echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+    docker-clean -a
+    rm -rf /kaz
+
+    if [ -z "${KAZBRANCH}" ] ; then
+	     KAZBRANCH="master"
+    fi
+    echo -e "\n    #### git checkout ${KAZBRANCH}\n"
+
+
+    # copie des sources
+    cd /
+    [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
+    (cd /kaz ; git checkout "${KAZBRANCH}" )
+    find /kaz -name \*.sh -exec chmod a+x {} \;
+
+    # pour ceux qui disposent d'un cache apt local et pas la fibre
+    if [ -f "${DIR}/.apt-mirror-config" ]; then
+	rsync -a "${DIR}/.apt-mirror-config" /kaz/
+    fi
+    if [ -f "${DIR}/.proxy-config" ]; then
+	rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
+	rsync -a "${DIR}/.proxy-config" /kaz/
+    fi
+    if [ -f "${DIR}/.docker-config.json" ]; then
+	mkdir -p /root/.docker
+	rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
+    fi
+
+
+
+    echo -e "\n    #### rsync download\n"
+    [ -d "${DIR}/kaz/download" ] &&
+	rsync -a "${DIR}/kaz/download/" /kaz/download/
+    [ -d "${DIR}/kaz/git" ] &&
+	rsync -a "${DIR}/kaz/git/" /kaz/git/
+    [ -f "${DIR}/kaz/config/dockers.env" ] &&
+	[ ! -f "/kaz/config/dockers.env" ] &&
+	rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
+    for type in mail orga proxy withMail withoutMail ; do
+	[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
+	    [ ! -f "/kaz/config/config/container-${type}.list" ] &&
+	    rsync -a  "${DIR}/kaz/config/container-${type}.list" /kaz/config/
+    done
+
+    echo -e "\n    #### secretGen\n"
+    /kaz/bin/secretGen.sh
+
+    #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
+    if [ "${NOKAZ}" == "true" ]; then
+	echo "on ne lance pas install.sh"
+    else
+	echo "on lance install.sh"
+	/kaz/bin/install.sh
+    fi
+
+    # clear apt cache
+    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+    DEBIAN_FRONTEND=noninteractive apt-get clean
+
+    echo "########## ********** End kaz.sh $(date +%D-%T)"
+)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

files/snster-kaz/kaz/prod/kaz/config/container-mail.list

@@ -0,0 +1,3 @@
+# e-mail server composer
+postfix
+sympa

files/snster-kaz/kaz/prod/kaz/config/container-orga.list

@@ -0,0 +1 @@
+# orga composer

files/snster-kaz/kaz/prod/kaz/config/container-proxy.list

@@ -0,0 +1 @@
+proxy

files/snster-kaz/kaz/prod/kaz/config/container-withMail.list

@@ -0,0 +1,9 @@
+cloud
+dokuwiki
+#framadate
+garradin
+gitea
+jirafeau
+#mattermost
+roundcube
+#keycloak

files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list

@@ -0,0 +1,10 @@
+cachet
+jirafeau
+ethercalc
+collabora
+ethercalc
+etherpad
+ldap
+quotas
+web
+#vigilo

files/snster-kaz/kaz/prod/kaz/config/dockers.env

@@ -0,0 +1,120 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=prod
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.milxc
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=kaz.milxc
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.80.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.80.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+
+ldapIUName=ldapIU
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldapRoot=dc=kaz,dc=milxc
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)

files/snster-kaz/kaz/prod/provision.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1`
+if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye
+then
+  DEBIAN_FRONTEND=noninteractive apt-get install -y  certbot python3-certbot-apache
+else
+  echo "Unsupported Debian version"
+  exit 1
+fi
+
+
+# preconfig TLS and certbot
+a2enmod ssl
+a2ensite default-ssl.conf
+echo -e "
+email=admin@kaz.milxc
+agree-tos=1
+no-verify-ssl=1
+" >> /etc/letsencrypt/cli.ini
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
+usermod -G docker debian
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le KAZGUARD pour la mise au point
+echo "export KAZGUARD='true'" >> /root/.bashrc
+
+# On active fuse-overlayfs pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "fuse-overlayfs" }
+EOF
+service docker restart
+mknod -m 666 /dev/fuse c 10 229 # + dans le rc.local ? + modprobe fuse sur l'ĥôte ?
+
+./kaz.sh
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean

files/snster-kaz/main.yml

@@ -0,0 +1,33 @@
+version: 1
+
+header:
+  name: KAZ
+  comment: KAZ development environment
+
+config:
+  prefix: kaz
+  nat-bridge: lxcbr0
+  default-master: bullseye
+
+masters:
+  bullseye:
+    backend: lxc
+    template: debian
+    parameters:
+      release: bullseye
+      arch: amd64
+    family: debian
+
+  alpine:
+    backend: lxc
+    template: download
+    parameters:
+      dist: alpine
+      release: 3.14
+      arch: amd64
+      no-validate: true
+    family: alpine
+
+disabled-groups:
+  #- target
+  #- root-o

files/snster-kaz/mica/group.yml

@@ -0,0 +1,42 @@
+version: 1
+
+header:
+  name: MICA AS
+  comment: An ACME Certification Authority
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.1.140/24
+          ipv6: 2001:db8:b001::140/48
+        eth1:
+          bridge: mica-lan
+          ipv4: 100.82.0.1/16
+          ipv6: 2001:db8:82::1/48
+    templates:
+      - bgprouter:
+          asn: 12
+          asdev: eth1
+          neighbors4: 100.64.1.1 as 31
+          neighbors6: 2001:db8:b001::1 as 31
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: mica.milxc
+
+  infra:
+    network:
+      interfaces:
+        eth0:
+          bridge: mica-lan
+          ipv4: 100.82.0.2/16
+          ipv6: 2001:db8:82::2/48
+      gatewayv4: 100.82.0.1
+      gatewayv6: 2001:db8:82::1
+    templates:
+      - resolv:
+          domain: mica.milxc
+          ns: 100.100.100.100

files/snster-kaz/mica/infra/dns.conf

@@ -0,0 +1,8 @@
+server:
+  interface: 0.0.0.0
+  access-control: 100.64.0.0/10 allow
+
+	local-zone: "mica.milxc." static
+	local-data: "ns.mica.milxc. IN A 100.82.0.2"
+  local-data: "www.mica.milxc. IN A 100.82.0.2"
+  local-data: "ca.mica.milxc. IN A 100.82.0.2"

files/snster-kaz/mica/infra/provision.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# MICA infra
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# Hacker's mail account hacker@isp-a.milxc
+useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 ca` ca || true
+addgroup ca mail
+#mkdir /home/hacker/mail
+#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage isp-a.milxc zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/
+
+
+# Install smallstep CA / ACME server
+cd /tmp
+wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
+dpkg -i step-cli_0.17.2_amd64.deb
+wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
+dpkg -i step-ca_0.17.2_amd64.deb
+
+# step ca init
+# step ca root root.crt
+# step ca provisioner add acme --type ACME
+# certbot certonly -n --standalone -d www.target.milxc   --server https://www.mica.milxc/acme/acme/directory --agree-tos --email "fr@fr.fr"

files/snster-kaz/milxc/group.yml

@@ -0,0 +1,42 @@
+version: 1
+
+header:
+  name: MILXC AS
+  comment: The .milxc TLD auth NS
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.40/24
+          ipv6: 2001:db8:b000::40/48
+        eth1:
+          bridge: milxc-lan
+          ipv4: 100.100.20.1/24
+          ipv6: 2001:db8:a020::1/48
+    templates:
+      - bgprouter:
+          asn: 8
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: milxc.milxc
+
+  ns:
+    network:
+      interfaces:
+        eth0:
+          bridge: milxc-lan
+          ipv4: 100.100.20.10/24
+          ipv6: 2001:db8:a020::10/48
+      gatewayv4: 100.100.20.1
+      gatewayv6: 2001:db8:a020::1
+    templates:
+      - resolv:
+          domain: milxc.milxc
+          ns: 100.100.100.100

files/snster-kaz/milxc/ns/provision.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# .milxc registry
+
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+echo -e "zone:
+	name: \"milxc.\"
+	zonefile: \"milxc.zone\"
+" > /etc/nsd/nsd.conf
+
+echo -e "\$TTL	86400
+\$ORIGIN milxc.
+@  1D  IN  SOA ns.milxc. hostmaster.milxc. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.milxc.
+ns    IN  A      100.100.20.10  ;name server definition
+ns	IN	AAAA	2001:db8:a020::10
+kaz.milxc.		IN	NS	ns.kaz.milxc.
+ns.kaz.milxc.	IN	A 100.80.0.2
+isp-a.milxc.	IN	NS	ns.isp-a.milxc.
+ns.isp-a.milxc.	IN	A 100.120.1.2
+ns.isp-a.milxc.	IN	AAAA 2001:db8:120:1::2
+mica.milxc.	IN	NS	ns.mica.milxc.
+ns.mica.milxc.	IN	A 100.82.0.2
+ns.mica.milxc.	IN	AAAA 2001:db8:82::2
+" >> /etc/nsd/milxc.zone

files/snster-kaz/opendns/group.yml

@@ -0,0 +1,43 @@
+version: 1
+
+header:
+  name: open DNS service AS
+  comment: an open DNS resolver
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.30/24
+          ipv6: 2001:db8:b000::30/48
+        eth2:
+          bridge: opendns-lan
+          ipv4: 100.100.100.1/24
+          ipv6: 2001:db8:a100::1/48
+    templates:
+      - bgprouter:
+          asn: 7
+          asdev: eth2
+          neighbors4: 100.64.0.1 as 30;100.64.1.1 as 31
+          neighbors6: 2001:db8:b000::1 as 30;2001:db8:b001::1 as 31
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: opendns.milxc
+
+  resolver:
+    network:
+      interfaces:
+        eth0:
+          bridge: opendns-lan
+          ipv4: 100.100.100.100/24
+          ipv6: 2001:db8:a100::100/48
+      gatewayv4: 100.100.100.1
+      gatewayv6: 2001:db8:a100::1
+    templates:
+      - resolverns:
+      - resolv:
+          domain: opendns.milxc
+          ns: 100.100.100.100

files/snster-kaz/root-p/group.yml

@@ -0,0 +1,43 @@
+version: 1
+
+header:
+  name: Root-P AS
+  comment: A DNS Root server
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.20/24
+          ipv6: 2001:db8:b000::20/48
+        eth1:
+          bridge: root-p-lan
+          ipv4: 100.100.1.1/24
+          ipv6: 2001:db8:a001::1/48
+    templates:
+      - bgprouter:
+          asn: 6
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: ns-root-p.milxc
+
+  rootns:
+    network:
+      interfaces:
+        eth0:
+          bridge: root-p-lan
+          ipv4: 100.100.1.10/24
+          ipv6: 2001:db8:a001::10/48
+      gatewayv4: 100.100.1.1
+      gatewayv6: 2001:db8:a001::1
+    templates:
+      - rootns:
+      - resolv:
+          domain: ns-root-p.milxc
+          ns: 100.100.100.100

files/snster-kaz/transit-a/group.yml

@@ -0,0 +1,27 @@
+version: 1
+
+header:
+  name: Transit-A
+  comment: Transit-A IXP
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: nat-bridge
+          ipv4: dhcp
+        eth1:
+          bridge: transit-a
+          ipv4: 100.64.0.1/24
+          ipv6: 2001:db8:b000::1/48
+    templates:
+      - bgprouter:
+          asn: 30
+          asdev: eth1
+          neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.2 as 31; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
+          neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::2 as 31; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: transit-a.milxc

files/snster-kaz/transit-a/router/provision.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+# Transit A with alpine
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+apk update
+apk add bird iptables
+rc-update add bird
+
+# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
+chmod +x /etc/local.d/iptables.start
+rc-update add local
+
+# keep DHCP on eth0
+touch /etc/network/keepdhcp
+
+# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive  stop/start)
+# This metric must be lower than the one exported by BGP for the default route (static part below)
+mkdir /etc/udhcpc
+echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
+
+#echo "supersede domain-name-servers 10.10.10.10;" >> /etc/dhcp/dhclient.conf
+#echo "supersede domain-name \"internet.milxc\";" >> /etc/dhcp/dhclient.conf
+
+
+# customize bird config (BGP)
+sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
+# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
+echo -e "
+protocol static {
+	ipv4;
+	route 0.0.0.0/0 via 100.64.0.1;
+}
+" >> /etc/bird.conf

files/templates/debian/resolverns/provision.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils
+
+# get root hints
+#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints
+echo -e ".												3600000      NS    P.ROOT-SERVERS.NET.
+P.ROOT-SERVERS.NET.      3600000      A     100.100.1.10
+P.ROOT-SERVERS.NET.      3600000      AAAA     2001:db8:a001::10
+" > /etc/unbound/root.hints
+
+# customize unbound config
+#echo -e "server:
+#	ip-address: 127.0.0.1
+echo -e "server:
+	root-hints: root.hints
+" > /etc/unbound/unbound.conf.d/root.conf
+
+# no DNSSEC validation for now
+sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
+
+# Be an open dns resolver -- TO CHANGE LATER
+echo -e "server:
+	interface: 0.0.0.0
+  access-control: 0.0.0.0/0 allow
+	cache-max-ttl: 20
+	cache-max-negative-ttl: 20
+" > /etc/unbound/unbound.conf.d/listen.conf
+
+service unbound restart

files/templates/debian/rootns/provision.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+# get root zone
+wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone
+
+# customize root zone
+# remove official roots
+sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone
+# add alternative milxc root
+
+echo -e ".	518400	IN	NS	p.root-servers.net
+p.root-servers.net	518400	IN	A 100.100.1.10
+p.root-servers.net	518400	IN	AAAA     2001:db8:a001::10
+" >> /etc/nsd/root.zone
+
+
+# add .milxc TLD served by 100.100.20.10
+echo -e "milxc.	518400	IN	NS	ns.milxc.
+ns.milxc.	518400	IN	A 100.100.20.10
+ns.milxc.	518400	IN	AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone
+
+# customize nsd config
+#echo -e "server:
+#	ip-address: 127.0.0.1
+echo -e "zone:
+	name: \".\"
+	zonefile: \"root.zone\"
+" > /etc/nsd/nsd.conf
+
+#service nsd restart