snster bootstrap
parent
5545db5891
commit
0733aa3ae8
@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
||||
# Copie de qques fichiers
|
||||
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
|
||||
|
||||
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
|
||||
|
||||
# MAJ et install
|
||||
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
|
||||
@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
||||
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
|
||||
|
||||
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
|
||||
@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
|
||||
|
||||
|
||||
# enable bash autocompletion
|
||||
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
|
||||
cat >> /etc/bash.bashrc <<EOF
|
||||
# enable bash completion in interactive shells
|
||||
if ! shopt -oq posix; then
|
||||
@ -121,7 +118,6 @@ if ! shopt -oq posix; then
|
||||
fi
|
||||
fi
|
||||
EOF
|
||||
fi
|
||||
|
||||
# XFCE4 panel: use default config
|
||||
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
|
||||
@ -150,65 +146,6 @@ SystemMaxFileSize=2M
|
||||
EOF
|
||||
fi
|
||||
|
||||
# KAZ specific things
|
||||
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
|
||||
usermod -G docker debian
|
||||
# activation dans alias dans /root/.bashrc
|
||||
sed -i \
|
||||
-e 's/^\# alias/alias/g' \
|
||||
-e 's/^\# export/export/g' \
|
||||
-e 's/^\# eval/eval/g' \
|
||||
/root/.bashrc
|
||||
|
||||
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
|
||||
cat >> /root/.bashrc <<EOF
|
||||
|
||||
# enable bash completion in interactive shells
|
||||
if ! shopt -oq posix; then
|
||||
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
||||
. /usr/share/bash-completion/bash_completion
|
||||
elif [ -f /etc/bash_completion ]; then
|
||||
. /etc/bash_completion
|
||||
fi
|
||||
fi
|
||||
|
||||
for file in /kaz/bin/.*-completion.bash ; do
|
||||
source "\${file}"
|
||||
done
|
||||
EOF
|
||||
fi
|
||||
|
||||
# # Localisation du $LANG, en par défaut, timezone Paris
|
||||
# if [ -z "${KAZBRANCH}" ] ; then
|
||||
# KAZBRANCH="develop-vm"
|
||||
# fi
|
||||
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
|
||||
#
|
||||
# # copie des sources
|
||||
# cd /
|
||||
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
|
||||
# (cd /kaz ; git checkout "${KAZBRANCH}" )
|
||||
# find /kaz -name \*.sh -exec chmod a+x {} \;
|
||||
#
|
||||
# # pour ceux qui disposent d'un cache apt local et pas la fibre
|
||||
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
|
||||
# fi
|
||||
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
|
||||
# fi
|
||||
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
|
||||
# mkdir -p /root/.docker
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
|
||||
# fi
|
||||
|
||||
# Ajout d'un serveur DNS sur la VM
|
||||
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
|
||||
|
||||
#***********DEBUT CERTIF*******************
|
||||
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
|
||||
|
||||
@ -225,7 +162,7 @@ EOF
|
||||
export CAROOT=/etc/letsencrypt/local/
|
||||
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
|
||||
cd "${CAROOT}"
|
||||
/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
|
||||
/root/mkcert/mkcert "*.kaz.milxc" # cert et clé dans /etc/letsencrypt/local/
|
||||
|
||||
mkdir -p /etc/letsencrypt/live/kaz.local/
|
||||
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
|
||||
@ -249,61 +186,12 @@ EOF
|
||||
|
||||
#***********FIN CERTIF*******************
|
||||
|
||||
#ajout des services dans le host
|
||||
echo -e "\n #### update /etc/hosts\n"
|
||||
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
|
||||
echo "127.0.0.1 kaz.local" >>/etc/hosts
|
||||
fi
|
||||
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
|
||||
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
|
||||
fi
|
||||
for SERVICE in ${SERVICES_LIST}; do
|
||||
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
|
||||
sed -i /etc/hosts \
|
||||
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
|
||||
fi
|
||||
done
|
||||
# SNSTER
|
||||
cd
|
||||
git clone https://framagit.org/flesueur/snster.git
|
||||
cd snster
|
||||
./install.sh
|
||||
|
||||
echo -e "\n #### clawsmail\n"
|
||||
# les scripts de créations de BAL pour clawsmail
|
||||
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
|
||||
cd /clawsmail
|
||||
chmod +x addclawsuser.sh
|
||||
chmod +x genpasswd
|
||||
|
||||
#client pour tester la messagerie
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
|
||||
|
||||
# On met le KAZGUARD pour la mise au point
|
||||
echo "export KAZGUARD='true'" >> /root/.bashrc
|
||||
|
||||
|
||||
# echo -e "\n #### rsync download\n"
|
||||
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
|
||||
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
|
||||
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
|
||||
# [ ! -f "/kaz/config/dockers.env" ] &&
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
|
||||
# for type in mail orga proxy withMail withoutMail ; do
|
||||
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
|
||||
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
|
||||
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
|
||||
# done
|
||||
#
|
||||
# echo -e "\n #### secretGen\n"
|
||||
# /kaz/bin/secretGen.sh
|
||||
#
|
||||
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
|
||||
# if [ "${NOKAZ}" == "true" ]; then
|
||||
# echo "on ne lance pas install.sh"
|
||||
# else
|
||||
# echo "on lance install.sh"
|
||||
# /kaz/bin/install.sh
|
||||
# fi
|
||||
|
||||
${VAGRANT_SRC_DIR}/kaz.sh
|
||||
|
||||
# clear apt cache
|
||||
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
|
||||
|
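--- a/files/snster-kaz/isp-a/group.yml
+++ b/files/snster-kaz/isp-a/group.yml
@@ -0,0 +1,61 @@
+version: 1
+
+header:
+name: ISP-A AS
+comment: An ISP
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.110/24
+ipv6: 2001:db8:b000::110/48
+eth1:
+bridge: isp-a-cust
+ipv4: 100.120.0.1/24
+eth2:
+bridge: isp-a-infra
+ipv4: 100.120.1.1/24
+ipv6: 2001:db8:120:1::1/64
+templates:
+- bgprouter:
+asn: 20
+asdev: eth1;eth2
+neighbors4: 100.64.1.1 as 31
+neighbors6: 2001:db8:b001::1 as 31
+- resolv:
+nameserver: 100.100.100.100
+domain: isp-a.milxc
+
+infra:
+network:
+interfaces:
+eth0:
+bridge: isp-a-infra
+ipv4: 100.120.1.2/24
+ipv6: 2001:db8:120:1::2/64
+gatewayv4: 100.120.1.1
+gatewayv6: 2001:db8:120:1::1
+templates:
+- mailserver:
+domain: isp-a.milxc
+- resolverns:
+- resolv:
+domain: isp-a.milxc
+ns: 100.120.1.2
+
+home:
+network:
+interfaces:
+eth0:
+bridge: isp-a-cust
+ipv4: 100.120.0.3/24
+gatewayv4: 100.120.0.1
+templates:
+- updatecaroots:
+- resolv:
+domain: isp-a.milxc
+ns: 100.120.1.2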
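Review bot: The router's BGP peer `neighbors4: 100.64.1.1 as 31` is not on-link from eth0, which sits on bridge `transit-a` with `ipv4: 100.64.0.110/24`; 100.64.1.1 lies outside that /24 and no AS 31 router is defined anywhere in this commit. transit-a/group.yml lists this router as `100.64.0.110 as 20`, so the intended peer is presumably `100.64.0.1 as 30` / `2001:db8:b000::1 as 30` as in kaz/group.yml, unless the host is meant to hang off a second transit bridge that is not part of this change. mica/group.yml has the same mismatch (`100.64.1.140/24` on `transit-a`, peering with `100.64.1.1 as 31`), and transit-a's own neighbour list names `100.64.1.140 as 12`, which its 100.64.0.1/24 address cannot reach either.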
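--- a/files/snster-kaz/isp-a/infra/dns.conf
+++ b/files/snster-kaz/isp-a/infra/dns.conf
@@ -0,0 +1,9 @@
+server:
+interface: 0.0.0.0
+access-control: 100.64.0.0/10 allow
+
+local-zone: "isp-a.milxc." static
+local-data: "smtp.isp-a.milxc. IN A 100.120.1.2"
+local-data: "imap.isp-a.milxc. IN A 100.120.1.2"
+local-data: "ns.isp-a.milxc. IN A 100.120.1.2"
+local-data: "isp-a.milxc. IN MX 10 smtp.isp-a.milxc."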
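Review bot: `interface: 0.0.0.0` here duplicates the line the resolverns template writes to listen.conf, and isp-a/group.yml assigns both resolverns and this file's provision script to the same infra host; unbound binds each `interface:` entry separately, so with both files in unbound.conf.d it will presumably fail to start with an address-in-use error instead of serving the local-data below. Keeping only the `access-control`, `local-zone` and `local-data` statements here and letting listen.conf own the listen address avoids the clash. mica/infra/dns.conf is not affected, since the mica infra host does not carry resolverns.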
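--- a/files/snster-kaz/isp-a/infra/provision.sh
+++ b/files/snster-kaz/isp-a/infra/provision.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# ISP-A infra
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# Email's mail account email@isp-a.milxc
+useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
+addgroup email mail
+#mkdir /home/hacker/mail
+#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage isp-a.milxc zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/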
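Review bot: The guard `if [ -z $MILXCGUARD ] ; then exit 1; fi` tests a different variable from the one kaz/prod/kaz.sh and templates/debian/resolverns/provision.sh test (`SNSTERGUARD`); if snster exports only SNSTERGUARD, this script exits 1 before provisioning anything, and kaz/prod/provision.sh, mica/infra/provision.sh, milxc/ns/provision.sh and transit-a/router/provision.sh carry the same line. Quoting the expansion also keeps the argument count stable whatever the value: `if [ -z "${SNSTERGUARD}" ] ; then exit 1; fi`. Separately, the final `cp dns.conf /etc/unbound/unbound.conf.d/` runs after apt has already started unbound, so the isp-a.milxc local-data is not served until the next restart; the resolverns template ends with `service unbound restart`, and that line is missing here and in mica/infra/provision.sh.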
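--- a/files/snster-kaz/kaz/group.yml
+++ b/files/snster-kaz/kaz/group.yml
@@ -0,0 +1,48 @@
+version: 1
+
+header:
+name: Target AS
+comment: AS of the Target organization
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.10/24
+ipv6: 2001:db8:b000::10/48
+eth1:
+bridge: kaz-lan1
+ipv4: 100.80.0.1/24
+eth2:
+bridge: kaz-lan2
+ipv4: 100.80.1.1/24
+templates:
+- bgprouter:
+asn: 10
+asdev: eth1;eth2
+neighbors4: 100.64.0.1 as 30
+neighbors6: 2001:db8:b000::1 as 30
+- resolv:
+nameserver: 100.100.100.100
+domain: kaz.milxc
+
+prod:
+network:
+interfaces:
+eth0:
+bridge: kaz-lan1
+ipv4: 100.80.0.2/24
+eth1:
+bridge: kaz-lan2
+ipv4: 100.80.1.2/24
+gatewayv4: 100.80.0.1
+templates:
+- updatecaroots:
+- authns:
+zonefile: dns.conf
+- resolv:
+domain: kaz.milxc
+ns: 100.100.100.100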
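--- a/files/snster-kaz/kaz/prod/dns.conf
+++ b/files/snster-kaz/kaz/prod/dns.conf
@@ -0,0 +1,22 @@
+$TTL 86400
+$ORIGIN kaz.milxc.
+@ 1D IN SOA ns.kaz.milxc. hostmaster.kaz.milxc. (
+2002022401 ; serial
+3H ; refresh
+15 ; retry
+1w ; expire
+3h ; nxdomain ttl
+)
+IN NS ns.kaz.milxc.
+IN MX 10 smtp.kaz.milxc.
+ns IN A 100.80.0.2
+dmz IN A 100.80.0.2
+smtp IN CNAME dmz
+imap IN CNAME dmz
+www IN CNAME dmz
+listes IN MX listes
+listes IN A 100.80.1.2
+firewall IN A 100.80.0.1
+firewall IN AAAA 2001:db8:80::0:1
+router IN A 100.80.0.1
+router IN AAAA 2001:db8:80::0:1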
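Review bot: `listes IN MX listes` has no preference field; MX RDATA is `<preference> <exchange>`, so the zone file will not parse and the authns host will presumably refuse to load the whole kaz.milxc zone rather than just that record. It should read `listes IN MX 10 listes`, matching the apex `IN MX 10 smtp.kaz.milxc.` a few lines above. The serial `2002022401` is also the value used for the milxc. zone in milxc/ns/provision.sh; since both are hand-maintained, a comment reminding the editor to bump it on every change would save a stale-cache hunt later.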
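--- a/files/snster-kaz/kaz/prod/kaz.sh
+++ b/files/snster-kaz/kaz/prod/kaz.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+docker-clean -a
+rm -rf /kaz
+
+if [ -z "${KAZBRANCH}" ] ; then
+KAZBRANCH="master"
+fi
+echo -e "\n #### git checkout ${KAZBRANCH}\n"
+
+
+# copie des sources
+cd /
+[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
+(cd /kaz ; git checkout "${KAZBRANCH}" )
+find /kaz -name \*.sh -exec chmod a+x {} \;
+
+# pour ceux qui disposent d'un cache apt local et pas la fibre
+if [ -f "${DIR}/.apt-mirror-config" ]; then
+rsync -a "${DIR}/.apt-mirror-config" /kaz/
+fi
+if [ -f "${DIR}/.proxy-config" ]; then
+rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
+rsync -a "${DIR}/.proxy-config" /kaz/
+fi
+if [ -f "${DIR}/.docker-config.json" ]; then
+mkdir -p /root/.docker
+rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
+fi
+
+
+
+echo -e "\n #### rsync download\n"
+[ -d "${DIR}/kaz/download" ] &&
+rsync -a "${DIR}/kaz/download/" /kaz/download/
+[ -d "${DIR}/kaz/git" ] &&
+rsync -a "${DIR}/kaz/git/" /kaz/git/
+[ -f "${DIR}/kaz/config/dockers.env" ] &&
+[ ! -f "/kaz/config/dockers.env" ] &&
+rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
+for type in mail orga proxy withMail withoutMail ; do
+[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
+[ ! -f "/kaz/config/config/container-${type}.list" ] &&
+rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/
+done
+
+echo -e "\n #### secretGen\n"
+/kaz/bin/secretGen.sh
+
+#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
+if [ "${NOKAZ}" == "true" ]; then
+echo "on ne lance pas install.sh"
+else
+echo "on lance install.sh"
+/kaz/bin/install.sh
+fi
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean
+
+echo "########## ********** End kaz.sh $(date +%D-%T)"
+) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)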
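Review bot: `[ ! -f "/kaz/config/config/container-${type}.list" ]` in the `for type` loop tests a path with a doubled `config/` segment, so the test is always true and the rsync unconditionally overwrites `/kaz/config/container-${type}.list`, unlike the `dockers.env` check just above it which correctly protects an existing file; it should be `[ ! -f "/kaz/config/container-${type}.list" ]`. `[ -f kaz ] || git clone …` after `cd /` tests for a regular file, but a checkout is a directory, so the clone runs on every invocation — harmless only because `rm -rf /kaz` precedes it — and `[ -d kaz ]` says what is meant. `DIR=$(cd "$(dirname $0)"; pwd)` leaves `$0` unquoted and the last line leaves `${DebugLog}` unquoted in both `tee` calls; both are worth quoting in a script that runs as root under `set -e`.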
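--- a/files/snster-kaz/kaz/prod/kaz/config/container-mail.list
+++ b/files/snster-kaz/kaz/prod/kaz/config/container-mail.list
@@ -0,0 +1,3 @@
+# e-mail server composer
+postfix
+sympa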
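--- a/files/snster-kaz/kaz/prod/kaz/config/container-orga.list
+++ b/files/snster-kaz/kaz/prod/kaz/config/container-orga.list
@@ -0,0 +1 @@
+# orga composer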
@ -0,0 +1 @@
|
||||
proxy
|
@ -0,0 +1,9 @@
|
||||
cloud
|
||||
dokuwiki
|
||||
#framadate
|
||||
garradin
|
||||
gitea
|
||||
jirafeau
|
||||
#mattermost
|
||||
roundcube
|
||||
#keycloak
|
@ -0,0 +1,10 @@
|
||||
cachet
|
||||
jirafeau
|
||||
ethercalc
|
||||
collabora
|
||||
ethercalc
|
||||
etherpad
|
||||
ldap
|
||||
quotas
|
||||
web
|
||||
#vigilo
|
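--- a/files/snster-kaz/kaz/prod/kaz/config/dockers.env
+++ b/files/snster-kaz/kaz/prod/kaz/config/dockers.env
@@ -0,0 +1,120 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=prod
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.milxc
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=kaz.milxc
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.80.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.80.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+
+ldapIUName=ldapIU
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldapRoot=dc=kaz,dc=milxc
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)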
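--- a/files/snster-kaz/kaz/prod/provision.sh
+++ b/files/snster-kaz/kaz/prod/provision.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1`
+if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye
+then
+DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-apache
+else
+echo "Unsupported Debian version"
+exit 1
+fi
+
+
+# preconfig TLS and certbot
+a2enmod ssl
+a2ensite default-ssl.conf
+echo -e "
+email=admin@kaz.milxc
+agree-tos=1
+no-verify-ssl=1
+" >> /etc/letsencrypt/cli.ini
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
+usermod -G docker debian
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le KAZGUARD pour la mise au point
+echo "export KAZGUARD='true'" >> /root/.bashrc
+
+# On active fuse-overlayfs pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "fuse-overlayfs" }
+EOF
+service docker restart
+mknod -m 666 /dev/fuse c 10 229 # + dans le rc.local ? + modprobe fuse sur l'ĥôte ?
+
+./kaz.sh
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean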
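Review bot: The guard `if ! grep -q "for file in /dockers" /root/.bashrc` looks for a string that the heredoc it protects never writes (the appended loop reads `for file in /kaz/bin/.*-completion.bash`), so every re-run appends the completion block again; grepping for `for file in /kaz/bin` makes it idempotent. `cat >> /etc/docker/daemon.json <<EOF` appends a complete JSON object, so if the file already exists the result is two concatenated objects and `service docker restart` on the next line fails to parse it — this should be a `>` write or a merge of the existing document. `no-verify-ssl=1` in /etc/letsencrypt/cli.ini disables TLS verification for every certbot call on this host; since the prod host already carries the `updatecaroots` template, trusting the lab CA and dropping that line would keep the ACME exchange authenticated. `usermod -G docker debian` replaces the user's supplementary groups instead of adding one; `usermod -aG docker debian` is the intended form.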
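--- a/files/snster-kaz/main.yml
+++ b/files/snster-kaz/main.yml
@@ -0,0 +1,33 @@
+version: 1
+
+header:
+name: KAZ
+comment: KAZ development environment
+
+config:
+prefix: kaz
+nat-bridge: lxcbr0
+default-master: bullseye
+
+masters:
+bullseye:
+backend: lxc
+template: debian
+parameters:
+release: bullseye
+arch: amd64
+family: debian
+
+alpine:
+backend: lxc
+template: download
+parameters:
+dist: alpine
+release: 3.14
+arch: amd64
+no-validate: true
+family: alpine
+
+disabled-groups:
+#- target
+#- root-o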
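Review bot: `no-validate: true` on the alpine master presumably reaches lxc's `download` template as `--no-validate`, which skips GPG verification of the fetched image index and rootfs, so the base image for every alpine router in the lab is installed unauthenticated. If it is there because key retrieval fails during builds, a comment saying so (`# no-validate: image GPG check skipped because … ; remove once …`) would let the next maintainer know when it can be dropped; the bullseye master uses the `debian` template and is not affected.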
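--- a/files/snster-kaz/mica/group.yml
+++ b/files/snster-kaz/mica/group.yml
@@ -0,0 +1,42 @@
+version: 1
+
+header:
+name: MICA AS
+comment: An ACME Certification Authority
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.1.140/24
+ipv6: 2001:db8:b001::140/48
+eth1:
+bridge: mica-lan
+ipv4: 100.82.0.1/16
+ipv6: 2001:db8:82::1/48
+templates:
+- bgprouter:
+asn: 12
+asdev: eth1
+neighbors4: 100.64.1.1 as 31
+neighbors6: 2001:db8:b001::1 as 31
+- resolv:
+nameserver: 100.100.100.100
+domain: mica.milxc
+
+infra:
+network:
+interfaces:
+eth0:
+bridge: mica-lan
+ipv4: 100.82.0.2/16
+ipv6: 2001:db8:82::2/48
+gatewayv4: 100.82.0.1
+gatewayv6: 2001:db8:82::1
+templates:
+- resolv:
+domain: mica.milxc
+ns: 100.100.100.100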
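--- a/files/snster-kaz/mica/infra/dns.conf
+++ b/files/snster-kaz/mica/infra/dns.conf
@@ -0,0 +1,8 @@
+server:
+interface: 0.0.0.0
+access-control: 100.64.0.0/10 allow
+
+local-zone: "mica.milxc." static
+local-data: "ns.mica.milxc. IN A 100.82.0.2"
+local-data: "www.mica.milxc. IN A 100.82.0.2"
+local-data: "ca.mica.milxc. IN A 100.82.0.2"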
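--- a/files/snster-kaz/mica/infra/provision.sh
+++ b/files/snster-kaz/mica/infra/provision.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# MICA infra
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# Hacker's mail account hacker@isp-a.milxc
+useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 ca` ca || true
+addgroup ca mail
+#mkdir /home/hacker/mail
+#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage isp-a.milxc zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/
+
+
+# Install smallstep CA / ACME server
+cd /tmp
+wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
+dpkg -i step-cli_0.17.2_amd64.deb
+wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
+dpkg -i step-ca_0.17.2_amd64.deb
+
+# step ca init
+# step ca root root.crt
+# step ca provisioner add acme --type ACME
+# certbot certonly -n --standalone -d www.target.milxc --server https://www.mica.milxc/acme/acme/directory --agree-tos --email "fr@fr.fr"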
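Review bot: The two `wget … .deb` / `dpkg -i` pairs install packages fetched from GitHub as root with no integrity check, and `set -e` does not help against a substituted or truncated file that dpkg still accepts; pinning the published checksums (`echo "<SHA256_PLACEHOLDER>  step-ca_0.17.2_amd64.deb" | sha256sum -c -` before each `dpkg -i`, values taken from the smallstep release page) would close that gap. The `# step ca init` … `# step ca provisioner add acme --type ACME` lines that would actually configure the CA are commented out, so after this script the host presumably has the binaries but no working ACME endpoint behind the `https://www.mica.milxc/acme/acme/directory` URL on the last line; if that is deliberate for now, a comment saying so would help. The comments `# Hacker's mail account hacker@isp-a.milxc` and `# manage isp-a.milxc zone` were carried over from isp-a/infra/provision.sh and describe the wrong host — the code creates user `ca` and serves `mica.milxc`.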
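--- a/files/snster-kaz/milxc/group.yml
+++ b/files/snster-kaz/milxc/group.yml
@@ -0,0 +1,42 @@
+version: 1
+
+header:
+name: MILXC AS
+comment: The .milxc TLD auth NS
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.40/24
+ipv6: 2001:db8:b000::40/48
+eth1:
+bridge: milxc-lan
+ipv4: 100.100.20.1/24
+ipv6: 2001:db8:a020::1/48
+templates:
+- bgprouter:
+asn: 8
+asdev: eth1
+neighbors4: 100.64.0.1 as 30
+neighbors6: 2001:db8:b000::1 as 30
+- resolv:
+nameserver: 100.100.100.100
+domain: milxc.milxc
+
+ns:
+network:
+interfaces:
+eth0:
+bridge: milxc-lan
+ipv4: 100.100.20.10/24
+ipv6: 2001:db8:a020::10/48
+gatewayv4: 100.100.20.1
+gatewayv6: 2001:db8:a020::1
+templates:
+- resolv:
+domain: milxc.milxc
+ns: 100.100.100.100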
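--- a/files/snster-kaz/milxc/ns/provision.sh
+++ b/files/snster-kaz/milxc/ns/provision.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# .milxc registry
+
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+echo -e "zone:
+name: \"milxc.\"
+zonefile: \"milxc.zone\"
+" > /etc/nsd/nsd.conf
+
+echo -e "\$TTL 86400
+\$ORIGIN milxc.
+@ 1D IN SOA ns.milxc. hostmaster.milxc. (
+2002022401 ; serial
+3H ; refresh
+15 ; retry
+1w ; expire
+3h ; nxdomain ttl
+)
+IN NS ns.milxc.
+ns IN A 100.100.20.10 ;name server definition
+ns IN AAAA 2001:db8:a020::10
+kaz.milxc. IN NS ns.kaz.milxc.
+ns.kaz.milxc. IN A 100.80.0.2
+isp-a.milxc. IN NS ns.isp-a.milxc.
+ns.isp-a.milxc. IN A 100.120.1.2
+ns.isp-a.milxc. IN AAAA 2001:db8:120:1::2
+mica.milxc. IN NS ns.mica.milxc.
+ns.mica.milxc. IN A 100.82.0.2
+ns.mica.milxc. IN AAAA 2001:db8:82::2
+" >> /etc/nsd/milxc.zone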
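Review bot: After `> /etc/nsd/nsd.conf` and `>> /etc/nsd/milxc.zone` nothing reloads nsd, which apt already started with the default configuration, so the `milxc.` delegations are not served until a reboot; a `service nsd restart` at the end (the resolverns template does the equivalent for unbound) would make the provisioning take effect immediately. The zone is written with `>>`, so a second run appends a second copy with a duplicate SOA and nsd will reject the file; `>` matches the nsd.conf line just above it. The guard `if [ -z $MILXCGUARD ]` tests a different variable from the `SNSTERGUARD` that kaz/prod/kaz.sh and the resolverns template use, which is worth reconciling before it silently stops this script at exit 1.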
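--- a/files/snster-kaz/opendns/group.yml
+++ b/files/snster-kaz/opendns/group.yml
@@ -0,0 +1,43 @@
+version: 1
+
+header:
+name: open DNS service AS
+comment: an open DNS resolver
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.30/24
+ipv6: 2001:db8:b000::30/48
+eth2:
+bridge: opendns-lan
+ipv4: 100.100.100.1/24
+ipv6: 2001:db8:a100::1/48
+templates:
+- bgprouter:
+asn: 7
+asdev: eth2
+neighbors4: 100.64.0.1 as 30;100.64.1.1 as 31
+neighbors6: 2001:db8:b000::1 as 30;2001:db8:b001::1 as 31
+- resolv:
+nameserver: 100.100.100.100
+domain: opendns.milxc
+
+resolver:
+network:
+interfaces:
+eth0:
+bridge: opendns-lan
+ipv4: 100.100.100.100/24
+ipv6: 2001:db8:a100::100/48
+gatewayv4: 100.100.100.1
+gatewayv6: 2001:db8:a100::1
+templates:
+- resolverns:
+- resolv:
+domain: opendns.milxc
+ns: 100.100.100.100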
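--- a/files/snster-kaz/root-p/group.yml
+++ b/files/snster-kaz/root-p/group.yml
@@ -0,0 +1,43 @@
+version: 1
+
+header:
+name: Root-P AS
+comment: A DNS Root server
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: transit-a
+ipv4: 100.64.0.20/24
+ipv6: 2001:db8:b000::20/48
+eth1:
+bridge: root-p-lan
+ipv4: 100.100.1.1/24
+ipv6: 2001:db8:a001::1/48
+templates:
+- bgprouter:
+asn: 6
+asdev: eth1
+neighbors4: 100.64.0.1 as 30
+neighbors6: 2001:db8:b000::1 as 30
+- resolv:
+nameserver: 100.100.100.100
+domain: ns-root-p.milxc
+
+rootns:
+network:
+interfaces:
+eth0:
+bridge: root-p-lan
+ipv4: 100.100.1.10/24
+ipv6: 2001:db8:a001::10/48
+gatewayv4: 100.100.1.1
+gatewayv6: 2001:db8:a001::1
+templates:
+- rootns:
+- resolv:
+domain: ns-root-p.milxc
+ns: 100.100.100.100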
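--- a/files/snster-kaz/transit-a/group.yml
+++ b/files/snster-kaz/transit-a/group.yml
@@ -0,0 +1,27 @@
+version: 1
+
+header:
+name: Transit-A
+comment: Transit-A IXP
+
+hosts:
+router:
+master: alpine
+network:
+interfaces:
+eth0:
+bridge: nat-bridge
+ipv4: dhcp
+eth1:
+bridge: transit-a
+ipv4: 100.64.0.1/24
+ipv6: 2001:db8:b000::1/48
+templates:
+- bgprouter:
+asn: 30
+asdev: eth1
+neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.2 as 31; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
+neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::2 as 31; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
+- resolv:
+nameserver: 100.100.100.100
+domain: transit-a.milxc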
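--- a/files/snster-kaz/transit-a/router/provision.sh
+++ b/files/snster-kaz/transit-a/router/provision.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Transit A with alpine
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+apk update
+apk add bird iptables
+rc-update add bird
+
+# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
+chmod +x /etc/local.d/iptables.start
+rc-update add local
+
+# keep DHCP on eth0
+touch /etc/network/keepdhcp
+
+# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start)
+# This metric must be lower than the one exported by BGP for the default route (static part below)
+mkdir /etc/udhcpc
+echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
+
+#echo "supersede domain-name-servers 10.10.10.10;" >> /etc/dhcp/dhclient.conf
+#echo "supersede domain-name \"internet.milxc\";" >> /etc/dhcp/dhclient.conf
+
+
+# customize bird config (BGP)
+sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
+# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
+echo -e "
+protocol static {
+ipv4;
+route 0.0.0.0/0 via 100.64.0.1;
+}
+" >> /etc/bird.conf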
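Review bot: The guard `if [ -z $MILXCGUARD ] ; then exit 1; fi` checks a different variable than the two other provision scripts added in this commit, which test `SNSTERGUARD`; if the snster harness only exports the latter, this script exits 1 before doing anything. The expansion should also be quoted, `if [ -z "$MILXCGUARD" ] ; then exit 1; fi`, so a value containing whitespace does not break the test. IP forwarding is left commented out at `# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf` while the script installs a MASQUERADE rule and a BGP default route; presumably the container inherits or receives it elsewhere, but that is worth confirming and noting in a comment. `DIR` is assigned and never used in the visible file, and `echo -e` is not portable under `#!/bin/sh` (it happens to work with busybox ash).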
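--- a/files/templates/debian/resolverns/provision.sh
+++ b/files/templates/debian/resolverns/provision.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils
+
+# get root hints
+#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints
+echo -e ". 3600000 NS P.ROOT-SERVERS.NET.
+P.ROOT-SERVERS.NET. 3600000 A 100.100.1.10
+P.ROOT-SERVERS.NET. 3600000 AAAA 2001:db8:a001::10
+" > /etc/unbound/root.hints
+
+# customize unbound config
+#echo -e "server:
+# ip-address: 127.0.0.1
+echo -e "server:
+root-hints: root.hints
+" > /etc/unbound/unbound.conf.d/root.conf
+
+# no DNSSEC validation for now
+sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
+
+# Be an open dns resolver -- TO CHANGE LATER
+echo -e "server:
+interface: 0.0.0.0
+access-control: 0.0.0.0/0 allow
+cache-max-ttl: 20
+cache-max-negative-ttl: 20
+" > /etc/unbound/unbound.conf.d/listen.conf
+
+service unbound restart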
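Review bot: `interface: 0.0.0.0` combined with `access-control: 0.0.0.0/0 allow` configures an open recursive resolver that answers any source; the comment already marks it TO CHANGE LATER, but restricting `access-control` to the lab's own address ranges now would avoid shipping the template in that state, and no IPv6 `interface:` line is given although the root hints carry an AAAA record. The comment `# disable systemd-resolved which conflicts with nsd` was copied from the rootns template; this script installs unbound, so it should read `# disable systemd-resolved which conflicts with unbound`. Under `set -e`, `systemctl stop systemd-resolved` aborts the whole template when that unit is not present in the container image; `systemctl stop systemd-resolved || true` keeps the step best-effort. The guard should quote its expansion, `if [ -z "$SNSTERGUARD" ] ; then exit 1; fi`, and the same applies to files/templates/debian/rootns/provision.sh.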
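--- a/files/templates/debian/rootns/provision.sh
+++ b/files/templates/debian/rootns/provision.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Root NS template
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+# get root zone
+wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone
+
+# customize root zone
+# remove official roots
+sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone
+# add alternative milxc root
+
+echo -e ". 518400 IN NS p.root-servers.net
+p.root-servers.net 518400 IN A 100.100.1.10
+p.root-servers.net 518400 IN AAAA 2001:db8:a001::10
+" >> /etc/nsd/root.zone
+
+
+# add .milxc TLD served by 100.100.20.10
+echo -e "milxc. 518400 IN NS ns.milxc.
+ns.milxc. 518400 IN A 100.100.20.10
+ns.milxc. 518400 IN AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone
+
+# customize nsd config
+#echo -e "server:
+# ip-address: 127.0.0.1
+echo -e "zone:
+name: \".\"
+zonefile: \"root.zone\"
+" > /etc/nsd/nsd.conf
+
+#service nsd restart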
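Review bot: `wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone` fetches the zone that this host will serve as the lab's authoritative root over plain HTTP with no integrity check; fetching `https://www.internic.net/domain/root.zone` is the minimum, and keeping a copy of the zone in the repository would also make provisioning reproducible without network access. `#service nsd restart` is commented out, so the rewritten `/etc/nsd/nsd.conf` and zone are not loaded until the service is (re)started, presumably by a container restart; a comment stating that intent would help the next reader. The `echo -e "zone:` block replaces `/etc/nsd/nsd.conf` wholesale with `>` rather than dropping a file into the package's conf.d directory, which discards whatever defaults the package shipped there. In the sed pattern `[a-m].root-servers.net` the dots are unescaped and match any character; it works as a filter here but `[a-m]\.root-servers\.net` is what is meant.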