snster bootstrap

This commit is contained in:
Francois Lesueur 2022-12-22 17:25:05 +01:00
parent 5545db5891
commit 0733aa3ae8
26 changed files with 898 additions and 119 deletions


@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# Copie de qques fichiers # Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv4.ip_forward=1
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
# MAJ et install # MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny' ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# enable bash autocompletion # enable bash autocompletion
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
cat >> /etc/bash.bashrc <<EOF cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells # enable bash completion in interactive shells
if ! shopt -oq posix; then if ! shopt -oq posix; then
@ -121,7 +118,6 @@ if ! shopt -oq posix; then
fi fi
fi fi
EOF EOF
fi
# XFCE4 panel: use default config # XFCE4 panel: use default config
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585 # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
@ -150,65 +146,6 @@ SystemMaxFileSize=2M
EOF EOF
fi fi
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# # Localisation du $LANG, en par défaut, timezone Paris
# if [ -z "${KAZBRANCH}" ] ; then
# KAZBRANCH="develop-vm"
# fi
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
#
# # copie des sources
# cd /
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
# (cd /kaz ; git checkout "${KAZBRANCH}" )
# find /kaz -name \*.sh -exec chmod a+x {} \;
#
# # pour ceux qui disposent d'un cache apt local et pas la fibre
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
# mkdir -p /root/.docker
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
# fi
# Ajout d'un serveur DNS sur la VM
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
#***********DEBUT CERTIF******************* #***********DEBUT CERTIF*******************
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité #*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
@ -225,7 +162,7 @@ EOF
export CAROOT=/etc/letsencrypt/local/ export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ /root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}" cd "${CAROOT}"
/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/ /root/mkcert/mkcert "*.kaz.milxc" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.local/ mkdir -p /etc/letsencrypt/live/kaz.local/
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
@ -249,61 +186,12 @@ EOF
#***********FIN CERTIF******************* #***********FIN CERTIF*******************
#ajout des services dans le host # SNSTER
echo -e "\n #### update /etc/hosts\n" cd
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then git clone https://framagit.org/flesueur/snster.git
echo "127.0.0.1 kaz.local" >>/etc/hosts cd snster
fi ./install.sh
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
fi
for SERVICE in ${SERVICES_LIST}; do
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
sed -i /etc/hosts \
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
fi
done
echo -e "\n #### clawsmail\n"
# les scripts de créations de BAL pour clawsmail
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
cd /clawsmail
chmod +x addclawsuser.sh
chmod +x genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# echo -e "\n #### rsync download\n"
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
# [ ! -f "/kaz/config/dockers.env" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
# for type in mail orga proxy withMail withoutMail ; do
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
# done
#
# echo -e "\n #### secretGen\n"
# /kaz/bin/secretGen.sh
#
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
# if [ "${NOKAZ}" == "true" ]; then
# echo "on ne lance pas install.sh"
# else
# echo "on lance install.sh"
# /kaz/bin/install.sh
# fi
${VAGRANT_SRC_DIR}/kaz.sh
# clear apt cache # clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
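Review bot: The new side of the mkcert line now issues `*.kaz.milxc`, but the `ln -s` lines that follow it still point `fullchain.pem` at `../../local/_wildcard.kaz.local.pem`, and mkcert derives its output names from the SAN, so the symlinks will dangle after this change; either keep the old SAN or update the link targets (and the `live/kaz.local/` directory) to the `_wildcard.kaz.milxc` names. The new SNSTER block does `git clone https://framagit.org/flesueur/snster.git` and runs `./install.sh` as root with no tag or commit pinned, so every rebuild executes whatever is on the default branch; a `git clone --branch <tag> ...` before `./install.sh` would make the bootstrap reproducible. In the bash-completion hunk the `if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc` guard and its closing `fi` are dropped on the new side, so the heredoc is appended to `/etc/bash.bashrc` on every provisioning run; if the removal is deliberate, a comment saying the script is run once only would help. The enclosing script starts and ends outside the visible hunks.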


@ -0,0 +1,61 @@
version: 1
header:
name: ISP-A AS
comment: An ISP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.110/24
ipv6: 2001:db8:b000::110/48
eth1:
bridge: isp-a-cust
ipv4: 100.120.0.1/24
eth2:
bridge: isp-a-infra
ipv4: 100.120.1.1/24
ipv6: 2001:db8:120:1::1/64
templates:
- bgprouter:
asn: 20
asdev: eth1;eth2
neighbors4: 100.64.1.1 as 31
neighbors6: 2001:db8:b001::1 as 31
- resolv:
nameserver: 100.100.100.100
domain: isp-a.milxc
infra:
network:
interfaces:
eth0:
bridge: isp-a-infra
ipv4: 100.120.1.2/24
ipv6: 2001:db8:120:1::2/64
gatewayv4: 100.120.1.1
gatewayv6: 2001:db8:120:1::1
templates:
- mailserver:
domain: isp-a.milxc
- resolverns:
- resolv:
domain: isp-a.milxc
ns: 100.120.1.2
home:
network:
interfaces:
eth0:
bridge: isp-a-cust
ipv4: 100.120.0.3/24
gatewayv4: 100.120.0.1
templates:
- updatecaroots:
- resolv:
domain: isp-a.milxc
ns: 100.120.1.2


@ -0,0 +1,9 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "isp-a.milxc." static
local-data: "smtp.isp-a.milxc. IN A 100.120.1.2"
local-data: "imap.isp-a.milxc. IN A 100.120.1.2"
local-data: "ns.isp-a.milxc. IN A 100.120.1.2"
local-data: "isp-a.milxc. IN MX 10 smtp.isp-a.milxc."
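Review bot: `interface: 0.0.0.0` binds IPv4 only, yet the `.milxc` registry in this commit publishes `ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2` and the infra host carries that address, so v6 queries to this nameserver are never answered; add `interface: ::0` and AAAA `local-data` entries for the hosts that have v6. The infra host is also given the `resolverns` template, whose `listen.conf` already sets `interface: 0.0.0.0` and `access-control: 0.0.0.0/0 allow`; a second `interface:` line for the same address in another `.conf` may make unbound fail to bind at startup, and the wider `0.0.0.0/0 allow` makes the `100.64.0.0/10 allow` here ineffective. Worth checking on a fresh container with `unbound-checkconf` and `journalctl -u unbound`.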


@ -0,0 +1,21 @@
#!/bin/bash
# ISP-A infra
set -e
if [ -z $MILXCGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# Email's mail account email@isp-a.milxc
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
addgroup email mail
#mkdir /home/hacker/mail
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage isp-a.milxc zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
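Review bot: The guard on the first line tests `MILXCGUARD`, but `kaz.sh` and the `resolverns`/`rootns` templates in this same commit test `SNSTERGUARD`; only one of these can be the variable the framework exports, so either this script exits 1 before doing anything or the templates do. Pick one (presumably `SNSTERGUARD`, given the project rename) and quote the test: `if [ -z "${SNSTERGUARD}" ] ; then exit 1; fi`. `cp dns.conf /etc/unbound/unbound.conf.d/` is never followed by `service unbound restart`, so the zone data is not served until something else restarts unbound (the package post-install started it before the copy). The `useradd` line sets the account password to the literal string `email`, which is fine for a lab target but deserves a comment saying it is a deliberately weak credential.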


@ -0,0 +1,48 @@
version: 1
header:
name: Target AS
comment: AS of the Target organization
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.10/24
ipv6: 2001:db8:b000::10/48
eth1:
bridge: kaz-lan1
ipv4: 100.80.0.1/24
eth2:
bridge: kaz-lan2
ipv4: 100.80.1.1/24
templates:
- bgprouter:
asn: 10
asdev: eth1;eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
nameserver: 100.100.100.100
domain: kaz.milxc
prod:
network:
interfaces:
eth0:
bridge: kaz-lan1
ipv4: 100.80.0.2/24
eth1:
bridge: kaz-lan2
ipv4: 100.80.1.2/24
gatewayv4: 100.80.0.1
templates:
- updatecaroots:
- authns:
zonefile: dns.conf
- resolv:
domain: kaz.milxc
ns: 100.100.100.100
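Review bot: Indentation is lost in this rendering, but `gatewayv4: 100.80.0.1` sits directly after the `eth1` block (`bridge: kaz-lan2`, `ipv4: 100.80.1.2/24`); if gateways are per-interface, as they read in the other hosts of this commit, that gateway is off-link for eth1 (the router is `100.80.1.1` on kaz-lan2) and `prod` ends up with no usable default route. Move it under `eth0` (`100.80.0.2/24`, whose router is `100.80.0.1`) or change it to `100.80.1.1`, whichever the template expects. The router here has no IPv6 on eth1/eth2 while the `kaz.milxc` zone in this commit publishes `firewall`/`router IN AAAA 2001:db8:80::0:1`; either add an `ipv6:` address on eth1 or drop those AAAA records.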


@ -0,0 +1,22 @@
$TTL 86400
$ORIGIN kaz.milxc.
@ 1D IN SOA ns.kaz.milxc. hostmaster.kaz.milxc. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.milxc.
IN MX 10 smtp.kaz.milxc.
ns IN A 100.80.0.2
dmz IN A 100.80.0.2
smtp IN CNAME dmz
imap IN CNAME dmz
www IN CNAME dmz
listes IN MX listes
listes IN A 100.80.1.2
firewall IN A 100.80.0.1
firewall IN AAAA 2001:db8:80::0:1
router IN A 100.80.0.1
router IN AAAA 2001:db8:80::0:1
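Review bot: `listes IN MX listes` is missing the MX preference, so the zone will not load (nsd/`named-checkzone` reject it); it should read `listes IN MX 10 listes`, matching the apex line `IN MX 10 smtp.kaz.milxc.` above. The `firewall`/`router IN AAAA 2001:db8:80::0:1` records point at an address the Target router is not given anywhere in this commit (its eth1/eth2 have no `ipv6:`), so they resolve to something unreachable; drop them or add the address to the router. The serial `2002022401` is copied verbatim from the `.milxc` zone; since secondaries and caches only notice a change by serial, a comment reminding editors to bump it (or a date-based serial) would help.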


@ -0,0 +1,77 @@
#!/bin/bash
if [ -z "${SNSTERGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export OUTPUT_DIR="/root/install"
mkdir -p "${OUTPUT_DIR}/log/"
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
find /kaz -name \*.sh -exec chmod a+x {} \;
# pour ceux qui disposent d'un cache apt local et pas la fibre
if [ -f "${DIR}/.apt-mirror-config" ]; then
rsync -a "${DIR}/.apt-mirror-config" /kaz/
fi
if [ -f "${DIR}/.proxy-config" ]; then
rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
rsync -a "${DIR}/.proxy-config" /kaz/
fi
if [ -f "${DIR}/.docker-config.json" ]; then
mkdir -p /root/.docker
rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
fi
echo -e "\n #### rsync download\n"
[ -d "${DIR}/kaz/download" ] &&
rsync -a "${DIR}/kaz/download/" /kaz/download/
[ -d "${DIR}/kaz/git" ] &&
rsync -a "${DIR}/kaz/git/" /kaz/git/
[ -f "${DIR}/kaz/config/dockers.env" ] &&
[ ! -f "/kaz/config/dockers.env" ] &&
rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
if [ "${NOKAZ}" == "true" ]; then
echo "on ne lance pas install.sh"
else
echo "on lance install.sh"
/kaz/bin/install.sh
fi
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
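Review bot: `[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git` can never skip the clone: `-f` tests a regular file and `/kaz` is a directory, and `rm -rf /kaz` a few lines earlier has removed it anyway, so the check should be `[ -d /kaz ]` or be dropped. The clone is unpinned (`KAZBRANCH` defaults to `master`) and `/kaz/bin/secretGen.sh` and `/kaz/bin/install.sh` are then executed as root, so every rebuild runs whatever is at the branch head; documenting a tag or commit as the default (`git checkout "${KAZBRANCH}"` already accepts one) would make the build reproducible. In the `container-${type}.list` loop the guard `[ ! -f "/kaz/config/config/container-${type}.list" ]` has a doubled `config/config` segment, so it never matches the `/kaz/config/` target of the rsync below and an existing file is always overwritten. The tee redirections use `${DebugLog}` unquoted; `"${DebugLog}stdout.log"` is the safer form.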


@ -0,0 +1,3 @@
# e-mail server composer
postfix
sympa


@ -0,0 +1 @@
# orga composer


@ -0,0 +1 @@
proxy


@ -0,0 +1,9 @@
cloud
dokuwiki
#framadate
garradin
gitea
jirafeau
#mattermost
roundcube
#keycloak


@ -0,0 +1,10 @@
cachet
jirafeau
ethercalc
collabora
ethercalc
etherpad
ldap
quotas
web
#vigilo
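Review bot: `ethercalc` is listed twice in this file (third and fifth entries); if the consumer iterates the list, that service is handled twice, so drop the duplicate. The `#vigilo` entry follows the same `#` convention as the other list in this commit, which is fine.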


@ -0,0 +1,120 @@
# Les variables d'environnements utilisées
# par les dockers via le lien :
# .env -> ../../config/dockers.env
#######################################
# prod / dev / local
mode=prod
########################################
# choix du domaine
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
domain=kaz.milxc
########################################
# choix du domaine des mails sympa
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
domain_sympa=kaz.milxc
########################################
# choix d'un serveur partiel
# site=site-2
site=
########################################
# Pour garradin qui met en "dure" dans
# sa config l'URL pour l'atteindre
# prod=https (gandi) / dev=https (letsencrypt) / local=http
httpProto=https
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
MAIN_IP=100.80.0.2
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
SYMPA_IP=100.80.1.2
########################################
# noms des services
# ou www (mais bof)
webHost=
cachetHost=cachet
calcHost=tableur
cloudHost=cloud
dateHost=sondage
dokuwikiHost=wiki
fileHost=depot
garHost=garradin
gitHost=git
gravHost=grav
ldapHost=ldap
matterHost=agora
officeHost=office
padHost=pad
quotasHost=quotas
smtpHost=smtp
sympaHost=listes
vigiloHost=vigilo
webmailHost=webmail
wordpressHost=wp
########################################
# noms des containers
cachetServName=cachetServ
dokuwikiServName=dokuwikiServ
ethercalcServName=ethercalcServ
etherpadServName=etherpadServ
framadateServName=framadateServ
garradinServName=garradinServ
gitServName=gitServ
gravServName=gravServ
jirafeauServName=jirafeauServ
ldapServName=ldapServ
mattermostServName=mattermostServ
nextcloudServName=nextcloudServ
officeServName=officeServ
proxyServName=proxyServ
quotasServName=quotasServ
roundcubeServName=roundcubeServ
smtpServName=mailServ
sympaServName=sympaServ
vigiloServName=vigiloServ
webServName=webServ
wordpressServName=wpServ
cachetDBName=cachetDB
ethercalcDBName=ethercalcDB
etherpadDBName=etherpadDB
framadateDBName=framadateDB
gitDBName=gitDB
mattermostDBName=mattermostDB
nextcloudDBName=nextcloudDB
quotasDBName=quotasDB
roundcubeDBName=roundcubeDB
sympaDBName=sympaDB
vigiloDBName=vigiloDB
wordpressDBName=wpDB
ldapIUName=ldapIU
########################################
# politique de redémarrage
# prod=always / test=unless-stopped / local=no
restartPolicy=no
########################################
# devrait être dans env-jirafeauServ
# mais seuls les variables de ".env" sont
# utilisables pour le montage des volumes
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldapRoot=dc=kaz,dc=milxc
########################################
# services activés par container.sh
# variables d'environneements utilisées
# pour le tmpl du mandataire (proxy)
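Review bot: `mode=prod` is combined with `restartPolicy=no`, which the file's own legend (`prod=always / test=unless-stopped / local=no`) calls the local setting; if `prod` here only means a production-like topology, a one-line comment at `mode=prod` saying so would stop the next reader from "fixing" it. The legend lines `prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local` no longer mention `kaz.milxc`, so add a `milxc=kaz.milxc` entry there. `jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/` embeds what looks like a random per-install path segment; if it is meant to be unguessable it should not be the same in every clone of this repo, and if it is arbitrary a comment saying so would help.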


@ -0,0 +1,76 @@
#!/bin/bash
# Target DMZ
set -e
if [ -z $MILXCGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1`
if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye
then
DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-apache
else
echo "Unsupported Debian version"
exit 1
fi
# preconfig TLS and certbot
a2enmod ssl
a2ensite default-ssl.conf
echo -e "
email=admin@kaz.milxc
agree-tos=1
no-verify-ssl=1
" >> /etc/letsencrypt/cli.ini
# Go KAZ !
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# On active fuse-overlayfs pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "fuse-overlayfs" }
EOF
service docker restart
mknod -m 666 /dev/fuse c 10 229 # + dans le rc.local ? + modprobe fuse sur l'ĥôte ?
./kaz.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
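Review bot: `cat >> /etc/docker/daemon.json` appends a JSON object, so on any run where the file already exists (a re-provision, or a package that ships one) the result is two concatenated objects and dockerd refuses to start; write it with `>` and ideally only when `[ ! -s /etc/docker/daemon.json ]`. `usermod -G docker debian` replaces the user's supplementary groups rather than adding one (`usermod -aG docker debian` is what the comment intends), and if no `debian` user exists in the bullseye LXC template the command fails and `set -e` aborts the script, so guard it with `id debian >/dev/null 2>&1`. This script gates on `MILXCGUARD` but `./kaz.sh`, which it calls, gates on `SNSTERGUARD`; whichever is unset makes provisioning stop. `no-verify-ssl=1` in `/etc/letsencrypt/cli.ini` disables TLS verification of the ACME server globally; since the host also gets `updatecaroots`, plan to drop it once the MICA root is trusted and mark it `# lab only` meanwhile. `mknod -m 666 /dev/fuse` creates a world-writable device node; the inline comment already flags the uncertainty, and `0660` with the `fuse` group is the usual choice.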

33
files/snster-kaz/main.yml Normal file

@ -0,0 +1,33 @@
version: 1
header:
name: KAZ
comment: KAZ development environment
config:
prefix: kaz
nat-bridge: lxcbr0
default-master: bullseye
masters:
bullseye:
backend: lxc
template: debian
parameters:
release: bullseye
arch: amd64
family: debian
alpine:
backend: lxc
template: download
parameters:
dist: alpine
release: 3.14
arch: amd64
no-validate: true
family: alpine
disabled-groups:
#- target
#- root-o


@ -0,0 +1,42 @@
version: 1
header:
name: MICA AS
comment: An ACME Certification Authority
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.1.140/24
ipv6: 2001:db8:b001::140/48
eth1:
bridge: mica-lan
ipv4: 100.82.0.1/16
ipv6: 2001:db8:82::1/48
templates:
- bgprouter:
asn: 12
asdev: eth1
neighbors4: 100.64.1.1 as 31
neighbors6: 2001:db8:b001::1 as 31
- resolv:
nameserver: 100.100.100.100
domain: mica.milxc
infra:
network:
interfaces:
eth0:
bridge: mica-lan
ipv4: 100.82.0.2/16
ipv6: 2001:db8:82::2/48
gatewayv4: 100.82.0.1
gatewayv6: 2001:db8:82::1
templates:
- resolv:
domain: mica.milxc
ns: 100.100.100.100
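Review bot: The MICA router is on the `transit-a` bridge with `ipv4: 100.64.1.140/24`, but the Transit-A router on that bridge is `100.64.0.1/24` and lists `100.64.1.140 as 12` as a neighbor, which is off-link from its own /24; at the same time this file peers with `100.64.1.1 as 31`, which is not the Transit-A router. One of the two ends is wrong, and the ISP-A AS in this commit has the same pattern. I am reading the topology from addresses only, so please confirm whether `transit-a` is meant to carry both 100.64.0.0/24 and 100.64.1.0/24 (then Transit-A needs an address in the second) or whether this router belongs on another transit bridge.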


@ -0,0 +1,8 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "mica.milxc." static
local-data: "ns.mica.milxc. IN A 100.82.0.2"
local-data: "www.mica.milxc. IN A 100.82.0.2"
local-data: "ca.mica.milxc. IN A 100.82.0.2"
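Review bot: As with the ISP-A resolver config, `interface: 0.0.0.0` leaves IPv6 unbound although the registry zone publishes `ns.mica.milxc. IN AAAA 2001:db8:82::2` and the infra host has that address; add `interface: ::0`. The `local-data` records are A-only as well, so `ca.mica.milxc` is unreachable over v6 even though the router advertises `2001:db8:82::/48`; a `local-data: "ca.mica.milxc. IN AAAA 2001:db8:82::2"` line would match the v4 entries.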


@ -0,0 +1,34 @@
#!/bin/bash
# MICA infra
set -e
if [ -z $MILXCGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# Hacker's mail account hacker@isp-a.milxc
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 ca` ca || true
addgroup ca mail
#mkdir /home/hacker/mail
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage isp-a.milxc zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
# Install smallstep CA / ACME server
cd /tmp
wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
dpkg -i step-cli_0.17.2_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
dpkg -i step-ca_0.17.2_amd64.deb
# step ca init
# step ca root root.crt
# step ca provisioner add acme --type ACME
# certbot certonly -n --standalone -d www.target.milxc --server https://www.mica.milxc/acme/acme/directory --agree-tos --email "fr@fr.fr"
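Review bot: The two `wget ... .deb` / `dpkg -i` pairs install the smallstep CA, i.e. the lab's trust root, from GitHub releases with no checksum or signature check; pin the expected digests and verify them before each `dpkg -i`, e.g. `echo "<sha256>  step-ca_0.17.2_amd64.deb" | sha256sum -c -`. The header comments are copied from the ISP-A script (`Hacker's mail account hacker@isp-a.milxc`, `manage isp-a.milxc zone`) and describe the wrong host: the account created here is `ca` (with password `ca`) and the zone is `mica.milxc`. The guard tests `MILXCGUARD` while the templates and `kaz.sh` in this commit test `SNSTERGUARD`, so one of them exits immediately. The `step ca init` / provisioner lines are still commented out, so the host installs but never starts a CA; a `# TODO` saying so would make that explicit.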


@ -0,0 +1,42 @@
version: 1
header:
name: MILXC AS
comment: The .milxc TLD auth NS
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.40/24
ipv6: 2001:db8:b000::40/48
eth1:
bridge: milxc-lan
ipv4: 100.100.20.1/24
ipv6: 2001:db8:a020::1/48
templates:
- bgprouter:
asn: 8
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
nameserver: 100.100.100.100
domain: milxc.milxc
ns:
network:
interfaces:
eth0:
bridge: milxc-lan
ipv4: 100.100.20.10/24
ipv6: 2001:db8:a020::10/48
gatewayv4: 100.100.20.1
gatewayv6: 2001:db8:a020::1
templates:
- resolv:
domain: milxc.milxc
ns: 100.100.100.100


@ -0,0 +1,41 @@
#!/bin/bash
# .milxc registry
set -e
if [ -z $MILXCGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
echo -e "zone:
name: \"milxc.\"
zonefile: \"milxc.zone\"
" > /etc/nsd/nsd.conf
echo -e "\$TTL 86400
\$ORIGIN milxc.
@ 1D IN SOA ns.milxc. hostmaster.milxc. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.milxc.
ns IN A 100.100.20.10 ;name server definition
ns IN AAAA 2001:db8:a020::10
kaz.milxc. IN NS ns.kaz.milxc.
ns.kaz.milxc. IN A 100.80.0.2
isp-a.milxc. IN NS ns.isp-a.milxc.
ns.isp-a.milxc. IN A 100.120.1.2
ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2
mica.milxc. IN NS ns.mica.milxc.
ns.mica.milxc. IN A 100.82.0.2
ns.mica.milxc. IN AAAA 2001:db8:82::2
" >> /etc/nsd/milxc.zone
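Review bot: `nsd.conf` and `milxc.zone` are written after `apt-get install -y nsd` has already started the daemon with the packaged config, and nothing restarts it, so the `.milxc` zone is not served until a reboot; end the script with `service nsd restart`. The zone is written with `>>`, so a second provisioning run duplicates every record including the SOA, which nsd rejects; use `>` as the `nsd.conf` line above does. `ns.kaz.milxc.` gets only an A glue record while `ns.isp-a.milxc.` and `ns.mica.milxc.` get A and AAAA, consistent with the Target router having no IPv6 in this commit, but a short comment would keep someone from "completing" it. The guard tests `MILXCGUARD` whereas the `rootns`/`resolverns` templates in this commit test `SNSTERGUARD`.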


@ -0,0 +1,43 @@
version: 1
header:
name: open DNS service AS
comment: an open DNS resolver
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.30/24
ipv6: 2001:db8:b000::30/48
eth2:
bridge: opendns-lan
ipv4: 100.100.100.1/24
ipv6: 2001:db8:a100::1/48
templates:
- bgprouter:
asn: 7
asdev: eth2
neighbors4: 100.64.0.1 as 30;100.64.1.1 as 31
neighbors6: 2001:db8:b000::1 as 30;2001:db8:b001::1 as 31
- resolv:
nameserver: 100.100.100.100
domain: opendns.milxc
resolver:
network:
interfaces:
eth0:
bridge: opendns-lan
ipv4: 100.100.100.100/24
ipv6: 2001:db8:a100::100/48
gatewayv4: 100.100.100.1
gatewayv6: 2001:db8:a100::1
templates:
- resolverns:
- resolv:
domain: opendns.milxc
ns: 100.100.100.100


@ -0,0 +1,43 @@
version: 1
header:
name: Root-P AS
comment: A DNS Root server
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.20/24
ipv6: 2001:db8:b000::20/48
eth1:
bridge: root-p-lan
ipv4: 100.100.1.1/24
ipv6: 2001:db8:a001::1/48
templates:
- bgprouter:
asn: 6
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
nameserver: 100.100.100.100
domain: ns-root-p.milxc
rootns:
network:
interfaces:
eth0:
bridge: root-p-lan
ipv4: 100.100.1.10/24
ipv6: 2001:db8:a001::10/48
gatewayv4: 100.100.1.1
gatewayv6: 2001:db8:a001::1
templates:
- rootns:
- resolv:
domain: ns-root-p.milxc
ns: 100.100.100.100


@ -0,0 +1,27 @@
version: 1
header:
name: Transit-A
comment: Transit-A IXP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: nat-bridge
ipv4: dhcp
eth1:
bridge: transit-a
ipv4: 100.64.0.1/24
ipv6: 2001:db8:b000::1/48
templates:
- bgprouter:
asn: 30
asdev: eth1
neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.2 as 31; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::2 as 31; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
- resolv:
nameserver: 100.100.100.100
domain: transit-a.milxc
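Review bot: `neighbors4` lists `100.64.0.2 as 31` and `100.64.1.140 as 12`, but the ISP-A and MICA routers in this commit peer with AS 31 at `100.64.1.1`, not `100.64.0.2`, and `100.64.1.140` is outside this router's `100.64.0.1/24`; the same holds for `2001:db8:b001::140 as 12` against `2001:db8:b000::1/48`. Unless the bgprouter template sets up multihop sessions, the AS 12 session cannot establish and the AS 31 peer address disagrees between the two ends. `100.64.0.50 as 13` has no matching AS in this commit; if it lives in another file that is fine, otherwise it is a stale neighbor that leaves a session in Connect state forever.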


@ -0,0 +1,38 @@
#!/bin/sh
# Transit A with alpine
set -e
if [ -z $MILXCGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
apk update
apk add bird iptables
rc-update add bird
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
chmod +x /etc/local.d/iptables.start
rc-update add local
# keep DHCP on eth0
touch /etc/network/keepdhcp
# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start)
# This metric must be lower than the one exported by BGP for the default route (static part below)
mkdir /etc/udhcpc
echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
#echo "supersede domain-name-servers 10.10.10.10;" >> /etc/dhcp/dhclient.conf
#echo "supersede domain-name \"internet.milxc\";" >> /etc/dhcp/dhclient.conf
# customize bird config (BGP)
sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
echo -e "
protocol static {
ipv4;
route 0.0.0.0/0 via 100.64.0.1;
}
" >> /etc/bird.conf
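Review bot: The `protocol static` block installs `route 0.0.0.0/0 via 100.64.0.1`, which is this router's own eth1 address (`100.64.0.1/24` in its main.yml), so the default route points at itself; the transit router's default should stay on the DHCP/NAT side (eth0, metric 200 per the udhcpc line), and this stanza reads as copied from a stub-AS template where 100.64.0.1 is the upstream. Either drop the static block here or point it at the real upstream. `mkdir /etc/udhcpc` is not `-p`, so a re-run aborts under `set -e`. Adding `alpine/edge/testing` to a 3.14 image just to get `bird` pulls untested packages into the router; if a release branch carries `bird` (I believe 3.14 community does) prefer that, or at least pin the version. The `net.ipv4.ip_forward` line is commented out; if the bgprouter template does not enable forwarding, this router will not forward at all, so a comment stating where forwarding is enabled would help.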


@ -0,0 +1,40 @@
#!/bin/bash
# Root NS template
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils
# get root hints
#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints
echo -e ". 3600000 NS P.ROOT-SERVERS.NET.
P.ROOT-SERVERS.NET. 3600000 A 100.100.1.10
P.ROOT-SERVERS.NET. 3600000 AAAA 2001:db8:a001::10
" > /etc/unbound/root.hints
# customize unbound config
#echo -e "server:
# ip-address: 127.0.0.1
echo -e "server:
root-hints: root.hints
" > /etc/unbound/unbound.conf.d/root.conf
# no DNSSEC validation for now
sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
# Be an open dns resolver -- TO CHANGE LATER
echo -e "server:
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
cache-max-ttl: 20
cache-max-negative-ttl: 20
" > /etc/unbound/unbound.conf.d/listen.conf
service unbound restart
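Review bot: The header `# Root NS template` and `# disable systemd-resolved which conflicts with nsd` are copied from the nsd template, but this script installs `unbound` as the recursive resolver with lab root hints; they should read `# Recursive resolver template (unbound, lab root hints)` and `# ... which conflicts with unbound`. The `listen.conf` block is an open resolver (`interface: 0.0.0.0` with `access-control: 0.0.0.0/0 allow`) and the comment already says `TO CHANGE LATER`; the other unbound configs in this commit use `access-control: 100.64.0.0/10 allow`, which covers the whole lab, so restricting to that here (plus the lab v6 prefix, e.g. `2001:db8::/32 allow`) costs nothing. `interface: 0.0.0.0` also leaves the resolver's `2001:db8:a100::100` unused, so add `interface: ::0`. The `sed -i "s/auto/\#auto/"` on `root-auto-trust-anchor-file.conf` disables DNSSEC validation as the comment intends, but it rewrites the first `auto` on every line of that file; `sed -i 's/^\(\s*\)auto-trust-anchor-file/\1#auto-trust-anchor-file/'` is the targeted form.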


@ -0,0 +1,42 @@
#!/bin/bash
# Root NS template
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
# get root zone
wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone
# customize root zone
# remove official roots
sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone
# add alternative milxc root
echo -e ". 518400 IN NS p.root-servers.net
p.root-servers.net 518400 IN A 100.100.1.10
p.root-servers.net 518400 IN AAAA 2001:db8:a001::10
" >> /etc/nsd/root.zone
# add .milxc TLD served by 100.100.20.10
echo -e "milxc. 518400 IN NS ns.milxc.
ns.milxc. 518400 IN A 100.100.20.10
ns.milxc. 518400 IN AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone
# customize nsd config
#echo -e "server:
# ip-address: 127.0.0.1
echo -e "zone:
name: \".\"
zonefile: \"root.zone\"
" > /etc/nsd/nsd.conf
#service nsd restart
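Review bot: `wget "http://www.internic.net/domain/root.zone"` fetches the real root zone over plain HTTP with no integrity check and then serves it as the lab's root, from which every name in the lab chains; use `https://` and verify the download (InterNIC publishes a detached signature alongside the zone, or pin a checksum with `sha256sum -c`). The cleanup `sed` only deletes the `. NS [a-m].root-servers.net` lines, so the A/AAAA glue for the real root servers stays in the zone; harmless, but worth a comment so it is not mistaken for a bug. Nothing (re)starts nsd after `nsd.conf` is written (`#service nsd restart` is commented out), so if the file really ends here the zone is not served until a reboot, as in the `.milxc` registry script. The file may continue past the visible end of this rendering, so please check its tail.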