Compare commits

...

31 Commits

Author SHA1 Message Date
66a965e466 Merge branch 'master' into develop-snster 2023-02-09 16:43:12 +01:00
2feb7f1ee3 add ldap-utils 2023-02-09 16:42:45 +01:00
7b1d549fcb add trim_enable.sh 2023-02-08 12:40:52 +01:00
41cf9fc93f fix sparsify 2023-02-08 12:26:39 +01:00
e10d3e66bc Merge branch 'develop-snster' of ssh://git.kaz.bzh:2202/KAZ/kaz-vagrant into develop-snster 2023-02-07 22:11:11 +01:00
66dd827628 switch to btrfs 2023-02-07 22:11:03 +01:00
fab f96016be61 Update 'README.md' 2023-02-06 15:39:32 +01:00
5389b2eee7 upgrade snster version 2023-02-06 12:26:55 +01:00
148911bdad add dnsmasq to transit-a-router 2023-02-03 16:57:49 +01:00
7506ee8b34 crypto keys in vm-upgrade 2023-02-03 16:36:58 +01:00
5a2b90e18f add a vm-upgrade.sh 2023-02-03 16:35:24 +01:00
c4fa09044d fix reverse dns 2023-02-03 15:40:19 +01:00
7ef54ff691 fix ns for the routers 2023-02-03 15:16:18 +01:00
ca87b04797 Merge branch 'develop-snster' of ssh://git.kaz.bzh:2202/KAZ/kaz-vagrant into develop-snster 2023-02-03 15:12:12 +01:00
e619c4375f work around DNS filtering 2023-02-03 15:11:51 +01:00
fab 835397e973 Update 'README.md' 2023-02-02 10:27:34 +01:00
fab 8e5e9e2e74 Update 'README.md' 2023-02-02 10:26:12 +01:00
fab 1cad566b24 Update 'README.md' 2023-02-02 10:26:00 +01:00
fab 4f206ba138 Update 'README.md' 2023-02-01 18:31:49 +01:00
fab 0d1c0de450 Update 'README.md' 2023-02-01 11:43:40 +01:00
fab 80f34e21a8 Update 'README.md' 2023-02-01 10:21:23 +01:00
037fc70452 update readme 2023-01-31 14:52:38 +01:00
aa11ace0bc changes for ldap 2023-01-31 14:38:45 +01:00
e531939a6d add ldap to dns 2023-01-30 20:59:19 +01:00
c7ba96ea2e add reverse dns 2023-01-30 17:49:53 +01:00
e1ac42525b switch to snster 1.1.0 2023-01-27 21:15:36 +01:00
91c982ff1c root.hints 2023-01-25 14:51:13 +01:00
1f63e688b3 reverse DNS ok 2023-01-18 20:09:29 +01:00
2968582a74 add NOKAZ option 2023-01-18 12:13:48 +01:00
08390feb38 short sleep to make sure kaz-prod is ready 2023-01-17 11:51:38 +01:00
fab 8f74fb9dd8 Update 'README.md' 2023-01-13 11:31:00 +01:00
26 changed files with 238 additions and 142 deletions

View File

@ -20,18 +20,24 @@ Nous utilisons :
Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git. Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git.
UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entreprise par exemple). Pour tester:
```bash
# dig @80.67.169.12 www.kaz.bzh
```
## Installation ## Installation
* Télécharger le dépôt kaz-vagrant, branche develop-snster, ou utilisez la commande git : * Télécharger le dépôt kaz-vagrant, branche develop-snster, ou utilisez la commande git :
```bash ```bash
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
git switch develop-snster # dans les 2 cas
cd kaz-vagrant/ cd kaz-vagrant/
git switch develop-snster # dans les 2 cas
``` ```
* Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) : * Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
```bash ```bash
vagrant plugin install vagrant-disksize vagrant plugin install vagrant-disksize
vagrant plugin install vagrant-vbguest
./init.sh # vous pouvez laisser les choix par défaut ./init.sh # vous pouvez laisser les choix par défaut
``` ```
* Pour créer tout l'univers Kaz il faut se placer dans le répertoire et lancer la commande : * Pour créer tout l'univers Kaz il faut se placer dans le répertoire et lancer la commande :
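Review bot: the new UDP/53 check is written as `# dig @80.67.169.12 www.kaz.bzh` inside a bash fence, where the leading `#` is a comment, so a reader who copies the line runs nothing; drop the prompt character or use `$`. The check also only proves that the host can reach that one public resolver on UDP/53; it says nothing about the VM's own NAT path, which is what the lab's `forward-zone: "."` towards 100.64.0.1 ends up using, so one sentence on why the host-side test is sufficient would help. Moving `git switch develop-snster` after `cd kaz-vagrant/` fixes the earlier ordering (the switch used to run before entering the clone). The added `vagrant plugin install vagrant-vbguest` deserves a short reason, since it installs and rebuilds the Guest Additions inside the VM on `vagrant up` and is the step most likely to fail on a kernel update.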
@ -44,19 +50,14 @@ Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod s
## Mise au point ## Mise au point
(Non implémenté) Il est possible d'interrompre la création à la coquille vide (juste la VM sans les services KAZ) pour des question de mise au point avec la commande : Il est possible d'interrompre la création à la coquille vide (juste la VM sans les services KAZ) pour des question de mise au point avec la commande :
```bash ```bash
NOKAZ="true" vagrant up NOKAZ="true" vagrant up
``` ```
(Non implémenté) Dans ce cas, il faudra ensuite lancer dans la VM : Dans ce cas, il faudra ensuite lancer dans la VM :
```bash ```bash
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh KAZGUARD="true" /root/vm-install-kaz.sh
SETUP_MAIL="docker exec mailServ setup"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto"
``` ```
Pour détruire la VM et recommencer : Pour détruire la VM et recommencer :
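Review bot: the replacement instruction `KAZGUARD="true" /root/vm-install-kaz.sh` must be run as root inside the VM (the script drives `snster -c /root/snster-kaz` and writes `/etc/rc.local`), which the text should say. The `KAZGUARD="true"` prefix is redundant for root's interactive shell because vm-provision.sh appends `export KAZGUARD='true'` to `/root/.bashrc`, but it keeps the command working from non-login shells, so it can stay. Note that every run of vm-install-kaz.sh appends another `snster -c /root/snster-kaz start` line (with its own `#!/bin/sh`) to `/etc/rc.local`, on top of the one vm-provision.sh already wrote there.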
@ -95,7 +96,10 @@ Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/
* `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra * `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra
* Travailler sur kaz-prod : `snster attach kaz-prod` * Travailler sur kaz-prod : `snster attach kaz-prod`
* Afficher un plan de réseau : `snster print` * Afficher un plan de réseau : `snster print`
* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori. Les fichiers de kaz-prod sont accessibles, depuis la VM, dans le dossier `/var/lib/lxc/kaz-kaz-prod/overlay/delta/` (à confirmer que c'est 100% synchronisé entre VM et conteneur LXC) * Le système de fichiers de kaz-prod est accessible directement dans la VM:
* `/kaz-prod/` [VM] correspond à `/` [kaz-prod]
* `/kaz` [VM] correspond à `/kaz` [kaz-prod]
* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori.
Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html
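Review bot: the new `/kaz-prod/` and `/kaz` mapping only holds because vm-provision.sh creates them as symlinks into `/var/lib/lxc/kaz-kaz-prod/rootfs/`, which is a real directory once LXC containers are backed by btrfs; under the previous overlay layout that path did not reflect the live container (hence the old "à confirmer" caveat). State that the mapping depends on the btrfs setup so it is not copied back to a non-btrfs branch.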

View File

@ -86,9 +86,10 @@ Vagrant.configure("2") do |config|
#permet d'avoir un répertoire partagé entre la VM et le host #permet d'avoir un répertoire partagé entre la VM et le host
config.vm.synced_folder "/tmp/", "/tmp_host" config.vm.synced_folder "/tmp/", "/tmp_host"
config.vm.synced_folder "files/", "/root/kaz-vagrant"
config.vm.provision "shell" do |s| config.vm.provision "shell" do |s|
s.inline = "/vagrant/files/provision.sh" s.inline = "/vagrant/files/vm-provision.sh"
s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']} s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
end end
end end
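Review bot: `config.vm.synced_folder "/tmp/", "/tmp_host"` (unchanged context) shares the host's entire `/tmp` read-write with a VM that hosts the whole simulated network; anything any host process leaves in `/tmp` is readable from inside the VM, and the VM can write files there. Prefer a dedicated exchange directory, or at least document that this is intended. The new `files/` → `/root/kaz-vagrant` mount duplicates what `/vagrant/files` already provides (the provisioner still calls `/vagrant/files/vm-provision.sh`), so state which of the two paths scripts are expected to use.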

View File

@ -27,7 +27,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: isp-a.sns domain: isp-a.sns
infra: infra:
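Review bot: the `nameserver:` → `ns:` rename under `resolv:` is applied to every site file in this diff (isp-a, kaz, mica, opendns, root-p, tld-sns, transit-a), which suggests the old key was being silently ignored by the template; a line in the README saying that `ns:` is the key expected by the snster commit vm-provision.sh now pins (fe59ef1f) would save the next reader the same debugging.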
@ -43,9 +43,10 @@ hosts:
- mailserver: - mailserver:
domain: isp-a.sns domain: isp-a.sns
- resolverns: - resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv: - resolv:
domain: isp-a.sns domain: isp-a.sns
ns: 100.120.1.2 ns: 100.100.100.100
home: home:
network: network:
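Review bot: with `ns: 100.100.100.100` the isp-a infra host no longer resolves through its own `resolverns` instance at 100.120.1.2, and `home` below is switched the same way, so the only remaining role of that local resolver is to answer the `120.100.in-addr.arpa.` PTR data that the root's reverse.zone delegates to 100.120.1.2, i.e. a recursive resolver standing in for an authoritative server. Either say so in a comment or serve the reverse zone from an `authns` as kaz does. The `roots: p,100.100.1.10,2001:db8:a001::10` triple appears identically in opendns/main.yml and root-p/main.yml; document what the `p` prefix denotes.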
@ -58,4 +59,4 @@ hosts:
- updatecaroots: - updatecaroots:
- resolv: - resolv:
domain: isp-a.sns domain: isp-a.sns
ns: 100.120.1.2 ns: 100.100.100.100
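Review bot: `home` now resolves through 100.100.100.100 instead of the isp-a resolver at 100.120.1.2, like `infra` in the hunk above; a one-line YAML comment saying this is deliberate (the isp-a resolver is kept for the reverse zone only) would stop the next person from reverting one of the two.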

View File

@ -7,3 +7,9 @@ server:
local-data: "mail.isp-a.sns. IN A 100.120.1.2" local-data: "mail.isp-a.sns. IN A 100.120.1.2"
local-data: "ns.isp-a.sns. IN A 100.120.1.2" local-data: "ns.isp-a.sns. IN A 100.120.1.2"
local-data: "isp-a.sns. IN MX 10 smtp.isp-a.sns." local-data: "isp-a.sns. IN MX 10 smtp.isp-a.sns."
local-zone: "120.100.in-addr.arpa." static
local-data: "2.1.120.100.in-addr.arpa. IN PTR smtp.isp-a.sns"
local-data: "2.0.120.100.in-addr.arpa. IN PTR home.isp-a.sns"
local-data: "1.1.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
local-data: "1.0.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
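Review bot: the new PTR targets (`smtp.isp-a.sns`, `home.isp-a.sns`, `router.isp-a.sns`) lack the trailing dot that every other record in this file carries; keep the forms consistent so nobody has to remember whether unbound treats a dotless name as absolute here. The larger point is that this is local-data on a recursive resolver, while reverse.zone in root-p delegates `120.100.in-addr.arpa.` to this same address (100.120.1.2): other resolvers following the delegation will query a recursive resolver for the zone, so confirm its `access-control` admits those sources and that they accept the answers, or serve the zone from an authoritative server as kaz does with `80.100.in-addr.arpa.zone`. `local-zone: ... static` also means any address in 100.120.0.0/16 without a PTR here gets NXDOMAIN rather than a referral.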

View File

@ -26,7 +26,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: kaz.sns domain: kaz.sns
prod: prod:
@ -42,7 +42,7 @@ hosts:
templates: templates:
- updatecaroots: - updatecaroots:
- authns: - authns:
zonefile: dns.conf zonefiles: kaz.sns.zone;80.100.in-addr.arpa.zone
- resolv: - resolv:
domain: kaz.sns domain: kaz.sns
ns: 100.100.100.100 ns: 100.100.100.100
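Review bot: `zonefiles:` now takes a `;`-separated list (`kaz.sns.zone;80.100.in-addr.arpa.zone`), consistent with the `neighbors4` style used elsewhere. Make sure the rename of `dns.conf` to `kaz.sns.zone` is in the same commit (the file header is not visible here; the `ldap IN CNAME dmz` hunk below edits a zone file but does not show its name), since the template will look for the new name.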

View File

@ -0,0 +1,16 @@
$TTL 86400
$ORIGIN 80.100.in-addr.arpa.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
ns IN A 100.80.0.2
ns IN AAAA 2001:db8:80::0:2
2.0 IN PTR smtp.kaz.sns.
1.0 IN PTR router.kaz.sns.
1.1 IN PTR router.kaz.sns.
2.1 IN PTR listes.kaz.sns.
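Review bot: the SOA serial `2002022401` is copied from a 2002 example; use the date of this change (e.g. 2023020701) so later edits produce an increasing serial. The PTR for `1.0` (100.80.0.1) says `router.kaz.sns.` while kaz.sns.zone has `firewall IN A 100.80.0.1`, so forward and reverse disagree for that address. `2.0 IN PTR smtp.kaz.sns.` needs a matching `smtp IN A 100.80.0.2` in kaz.sns.zone for forward-confirmed reverse DNS, which is what mail receivers check, and the only forward name at 100.80.0.2 visible in this diff is `ns`. The `ns IN AAAA 2001:db8:80::0:2` record has no counterpart in reverse.zone's delegation, which carries A glue only.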

View File

@ -61,13 +61,7 @@ export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
echo -e "\n #### secretGen\n" echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh /kaz/bin/secretGen.sh
#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
if [ "${NOKAZ}" == "true" ]; then
echo "on ne lance pas install.sh"
else
echo "on lance install.sh"
/kaz/bin/install.sh /kaz/bin/install.sh
fi
# clear apt cache # clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y DEBIAN_FRONTEND=noninteractive apt-get autoremove -y

View File

@ -24,6 +24,7 @@ wiki IN CNAME dmz
git IN CNAME dmz git IN CNAME dmz
office IN CNAME dmz office IN CNAME dmz
depot IN CNAME dmz depot IN CNAME dmz
ldap IN CNAME dmz
listes IN MX 10 listes listes IN MX 10 listes
listes IN A 100.80.1.2 listes IN A 100.80.1.2
firewall IN A 100.80.0.1 firewall IN A 100.80.0.1
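Review bot: `ldap IN CNAME dmz` puts the LDAP name on the dmz host alongside the HTTP services (wiki, git, office, depot). If that host only reverse-proxies HTTP, the name serves the `ldapUI` web front end (see the config hunk) and plain LDAP on 389/636 should be confirmed closed there; if it is meant for the `ldap-utils` clients this diff installs, the zone should point at the host that actually exposes the LDAP port. Whichever it is, add the matching PTR to `80.100.in-addr.arpa.zone` so the two files stay in step.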

View File

@ -98,7 +98,7 @@ sympaDBName=sympaDB
vigiloDBName=vigiloDB vigiloDBName=vigiloDB
wordpressDBName=wpDB wordpressDBName=wpDB
ldapIUName=ldapIU ldapUIName=ldapUI
######################################## ########################################
# politique de redémarrage # politique de redémarrage
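Review bot: renaming `ldapIUName=ldapIU` to `ldapUIName=ldapUI` reads as a typo fix, but any compose file or script that still reads `ldapIUName` now gets an empty string; grep the consumers and update them in the same commit.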
@ -112,7 +112,7 @@ restartPolicy=no
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/ jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldapRoot=dc=kaz,dc=sns ldap_root=dc=kaz,dc=sns
######################################## ########################################
# services activés par container.sh # services activés par container.sh
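Review bot: `ldap_root=dc=kaz,dc=sns` breaks the camelCase convention every other key in this file follows (`jirafeauDir`, `ldapUIName`, `sympaDBName`); if a downstream script requires the snake_case name, add a comment saying so, otherwise keep `ldapRoot`.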

View File

@ -18,7 +18,7 @@ DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# KAZ specific things # KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs
usermod -G docker debian usermod -G docker debian
# activation dans alias dans /root/.bashrc # activation dans alias dans /root/.bashrc
sed -i \ sed -i \
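Review bot: `usermod -G docker debian` (unchanged context) replaces the user's whole supplementary group list with `docker`; `usermod -aG docker debian` is what is intended. The package line now pulls in `btrfs-progs` and `ldap-utils` and comments out `fuse-overlayfs`, but the heading `# On active fuse-overlayfs pour docker` further down is left as is; update it to say btrfs.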
@ -49,13 +49,23 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On active fuse-overlayfs pour docker # On active fuse-overlayfs pour docker
cat >> /etc/docker/daemon.json <<EOF cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "fuse-overlayfs" } { "storage-driver": "btrfs" }
EOF EOF
service docker restart service docker restart
mknod -m 666 /dev/fuse c 10 229 #mknod -m 666 /dev/fuse c 10 229
echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local #echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
chmod +x /etc/rc.local #chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker
# On place les certifs # On place les certifs
if [ -d letsencrypt ]; then if [ -d letsencrypt ]; then
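Review bot: `cat >> /etc/docker/daemon.json` appends, so if a `daemon.json` already exists or the script runs twice the file becomes two concatenated JSON objects and dockerd refuses to start; write it with `>` (or merge). The `btrfs` storage driver requires `/var/lib/docker` to sit on btrfs, which holds here only because vm-provision.sh mounts `/var/lib/lxc` from a btrfs image and the container rootfs lives there; state that dependency next to the setting. The block of commented experiments (`lxc.cgroup2.devices.allow`, `mknod /dev/loop0`, `losetup`, `mkfs.btrfs /root/varlibdocker.img`) should go to a notes file or an issue rather than stay in the provisioning script, and the three commented `mknod /dev/fuse` lines can simply be deleted now that fuse is unused.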

View File

@ -29,5 +29,6 @@ masters:
family: alpine family: alpine
disabled-groups: disabled-groups:
#- target - _global
#- root-o - _templates
- _masters

View File

@ -24,7 +24,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: mica.sns domain: mica.sns
infra: infra:

View File

@ -24,7 +24,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: opendns.sns domain: opendns.sns
resolver: resolver:
@ -38,6 +38,7 @@ hosts:
gatewayv6: 2001:db8:a100::1 gatewayv6: 2001:db8:a100::1
templates: templates:
- resolverns: - resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv: - resolv:
domain: opendns.sns domain: opendns.sns
ns: 100.100.100.100 ns: 100.100.100.100

View File

@ -0,0 +1,32 @@
#!/bin/bash
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
mkdir -p /etc/unbound/unbound.conf.d/
cat >> /etc/unbound/unbound.conf.d/unblockdns.conf <<EOF
stub-zone:
name: "sns"
stub-addr: 100.100.20.10
stub-zone:
name: "100.in-addr.arpa"
stub-addr: 100.100.1.10
forward-zone:
name: "."
forward-addr: 100.64.0.1
EOF
# notes
# apt install build-essential libnghttp2-dev libssl-dev libexpat-dev
# wget https://nlnetlabs.nl/downloads/unbound/unbound-1.17.1.tar.gz
# ./configure --with-libnghttp2
# adduser unbound
# fixdns.sh
# SNSTER="snster -c /root/snster-kaz attach $1 -x"
# $SNSTER "DEBIAN_FRONTEND=noninteractive apt-get install -y nss-tlsd libnss-tls"
# $SNSTER "sed -i -e 's/^hosts:\s*files/hosts:\tfiles tls/' /etc/nsswitch.conf"
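Review bot: `cat >> /etc/unbound/unbound.conf.d/unblockdns.conf` appends, so every re-run (vm-upgrade.sh rebuilds these containers) adds another copy of the three zone stanzas; use `>`. `if [ -z $SNSTERGUARD ]` should quote the variable (`[ -z "$SNSTERGUARD" ]`); unquoted it only works because `[ -z ]` with no operand happens to be true. `DIR` is assigned and never used. On the substance, `forward-zone: "."` to 100.64.0.1 sends every non-`.sns` query from the lab to the dnsmasq on transit-a-router and from there to the VM's upstream; that is the "work around DNS filtering" intent, but it also means the simulated network is no longer DNS-isolated, which deserves a comment in the file. The trailing `# notes` about building unbound 1.17.1 with libnghttp2 and the nss-tls experiment belong in the README or an issue, not in a template that runs in every container.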

View File

@ -24,7 +24,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: ns-root-p.sns domain: ns-root-p.sns
rootns: rootns:
@ -38,6 +38,9 @@ hosts:
gatewayv6: 2001:db8:a001::1 gatewayv6: 2001:db8:a001::1
templates: templates:
- rootns: - rootns:
roots: p,100.100.1.10,2001:db8:a001::10
tlds: sns,100.100.20.10,2001:db8:a020::10
reverse: reverse.zone
- resolv: - resolv:
domain: ns-root-p.sns domain: ns-root-p.sns
ns: 100.100.100.100 ns: 100.100.100.100
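Review bot: `reverse: reverse.zone` adds a file-name parameter beside `roots:` and `tlds:`, whose values are `letter,IPv4,IPv6` triples; a comment on what `p` denotes (the root-server letter, judging by `P.ROOT-SERVERS.NET` in the deleted template) and on the expected format of reverse.zone (bare NS plus glue records, no SOA) would make the three keys self-describing.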

View File

@ -0,0 +1,5 @@
120.100.in-addr.arpa. 172800 IN NS p.120.100.in-addr.arpa.
p.120.100.in-addr.arpa. 172800 IN A 100.120.1.2
p.120.100.in-addr.arpa. 172800 IN AAAA 2001:db8:120:1::2
80.100.in-addr.arpa. 172800 IN NS p.80.100.in-addr.arpa.
p.80.100.in-addr.arpa. 172800 IN A 100.80.0.2
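Review bot: the `80.100.in-addr.arpa.` delegation names `p.80.100.in-addr.arpa.` as NS with A glue only (100.80.0.2), while the child zone's apex NS is `ns.kaz.sns.` with both A and AAAA; parent and child NS sets differ and the IPv6 path has no glue, so add the AAAA here or use the same NS name in both places. The `120.100.in-addr.arpa.` delegation targets 100.120.1.2, which in isp-a is the unbound resolver carrying local-data rather than an authoritative server. Both TTLs are 172800 (two days), so a mistake here lingers in resolver caches for that long; the deleted templates used `cache-max-ttl: 20` precisely so that lab changes show up quickly.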

View File

@ -24,7 +24,7 @@ hosts:
neighbors4: 100.64.0.1 as 30 neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30 neighbors6: 2001:db8:b000::1 as 30
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: tld-sns.sns domain: tld-sns.sns
ns: ns:

View File

@ -23,5 +23,5 @@ hosts:
neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12 neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12 neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
- resolv: - resolv:
nameserver: 100.100.100.100 ns: 100.100.100.100
domain: transit-a.sns domain: transit-a.sns

View File

@ -33,3 +33,8 @@ protocol static {
route 0.0.0.0/0 via 100.64.0.1; route 0.0.0.0/0 via 100.64.0.1;
} }
" >> /etc/bird.conf " >> /etc/bird.conf
# Add dnsmasq for external dns
apk add dnsmasq
rc-update add dnsmasq
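Review bot: `apk add dnsmasq` followed only by `rc-update add dnsmasq` leaves dnsmasq with Alpine's default configuration: it listens on every interface and forwards to whatever `/etc/resolv.conf` names, so any lab host that can reach 100.64.0.1 gets an open forwarder to the outside. Pin the upstream (`no-resolv` plus `server=`) and bind it (`listen-address=100.64.0.1`) so only the lab side is served, and add `rc-service dnsmasq start` if this script runs in an already-booted container rather than at image build.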

View File

@ -1,41 +0,0 @@
#!/bin/bash
# Root NS template
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound dnsutils
# get root hints
#wget "http://www.internic.net/domain/named.root" -O /etc/unbound/root.hints
echo -e ". 3600000 NS P.ROOT-SERVERS.NET.
P.ROOT-SERVERS.NET. 3600000 A 100.100.1.10
P.ROOT-SERVERS.NET. 3600000 AAAA 2001:db8:a001::10
" > /etc/unbound/root.hints
# customize unbound config
#echo -e "server:
# ip-address: 127.0.0.1
echo -e "server:
root-hints: root.hints
" > /etc/unbound/unbound.conf.d/root.conf
# no DNSSEC validation for now
sed -i "s/auto/\#auto/" /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
# Be an open dns resolver -- TO CHANGE LATER
echo -e "server:
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
cache-max-ttl: 20
cache-min-ttl: 10
cache-max-negative-ttl: 20
" > /etc/unbound/unbound.conf.d/listen.conf
service unbound restart
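Review bot: deleting this template (with its `access-control: 0.0.0.0/0 allow` open-resolver stanza and the commented-out DNSSEC trust anchor marked `TO CHANGE LATER`) moves the resolver definition to the `resolverns` template shipped by snster itself, since vm-provision.sh no longer passes `-t /root/templates`; the pinned snster commit fe59ef1f therefore now decides those settings. Check the upstream template for the same open-resolver and no-validation choices before assuming they are gone, and add a README line saying where templates now come from.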

View File

@ -1,42 +0,0 @@
#!/bin/bash
# Root NS template
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
# get root zone
wget "http://www.internic.net/domain/root.zone" -O /etc/nsd/root.zone
# customize root zone
# remove official roots
sed -i -e 's/^\.\s.*NS.*[a-m].root-servers.net.*//' /etc/nsd/root.zone
# add alternative milxc root
echo -e ". 518400 IN NS p.root-servers.net
p.root-servers.net 518400 IN A 100.100.1.10
p.root-servers.net 518400 IN AAAA 2001:db8:a001::10
" >> /etc/nsd/root.zone
# add .sns TLD served by 100.100.20.10
echo -e "sns. 518400 IN NS ns.sns.
ns.sns. 518400 IN A 100.100.20.10
ns.sns. 518400 IN AAAA 2001:db8:a020::10" >> /etc/nsd/root.zone
# customize nsd config
#echo -e "server:
# ip-address: 127.0.0.1
echo -e "zone:
name: \".\"
zonefile: \"root.zone\"
" > /etc/nsd/nsd.conf
#service nsd restart
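Review bot: the deleted rootns template fetched `root.zone` from internic over plain HTTP at build time and then sed-edited the real root NS set out; replacing it with snster's own `rootns` template driven by the `roots:`/`tlds:`/`reverse:` parameters in root-p/main.yml removes an unauthenticated network download from the build, which the commit message ("switch to snster 1.1.0") should mention.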

20
files/vm-install-kaz.sh Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
# Installation de Kaz
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
snster -c /root/snster-kaz start
sleep 10
snster -c /root/snster-kaz attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh
# On crée quelques mails
SETUP_MAIL="docker exec mailServ setup"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto"
echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
chmod +x /etc/rc.local
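Review bot: the script has no `set -e`, so if `kaz.sh` fails the four mailbox creations and the rc.local edit still run and the build looks successful; add `set -e` after the guard as vm-upgrade.sh does. `sleep 10` after `snster start` is a race (the commit message calls it a short sleep to be sure kaz-prod is ready); poll instead, for example loop on `snster -c /root/snster-kaz attach kaz-prod -x true` until it succeeds. `echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local` appends a second shebang and a second `snster start` to a file vm-provision.sh already wrote, and another on every re-run; write `/etc/rc.local` once, with `>`, in one place. The `contact1..4@kaz.sns` mailboxes with password `toto` are acceptable for a lab if the README lists them, but the mail server must then not be reachable from outside the VM.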

View File

@ -40,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny' ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
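Review bot: `ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'` (unchanged context) creates an unprotected root key in the VM and answers "yes" to overwriting an existing one on every provision run; not part of this change, but worth an issue so the key is generated once and only if absent.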
@ -180,35 +180,51 @@ EOF
cd cd
git clone https://framagit.org/flesueur/snster.git git clone https://framagit.org/flesueur/snster.git
cd snster cd snster
# git checkout tags/v1.1.0
git checkout fe59ef1f
./install.sh ./install.sh
# BTRFS avec hotfix sale de SNSTER
freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
truncate -s ${btrsize}k /root/btrfs.img
mkfs.btrfs -f /root/btrfs.img
echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab
mount /var/lib/lxc
#losetup -f /root/btrfs.img
#mount /dev/loop0 /var/lib/lxc
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# SNSTER KAZ # SNSTER KAZ
cp -ar ${VAGRANT_SRC_DIR}/templates /root # cp -ar ${VAGRANT_SRC_DIR}/templates /root
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys # crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/ cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
# mkdir /kaz-prod /kaz
# echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
# echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# Build SNSTER KAZ ! # Build SNSTER KAZ !
snster -c /root/snster-kaz -t /root/templates create snster -c /root/snster-kaz create
snster -c /root/snster-kaz -t /root/templates start cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh chmod +x /root/vm-install-kaz.sh
cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
# On crée quelques mails chmod +x /root/vm-upgrade.sh
SETUP_MAIL="docker exec mailServ setup" if [ "${NOKAZ}" == "true" ]; then
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto" echo "on ne fait pas l'install de kaz sur kaz-prod"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto" else
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto" echo "on installe kaz sur kaz-prod"
snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto" bash "/root/vm-install-kaz.sh"
fi
echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
chmod +x /etc/rc.local
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév
mkdir /kaz-prod /kaz
echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
echo "########## ********** End Vagrant $(date +%D-%T)" echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2) ) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
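Review bot: the btrfs hotfix `sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" ... /LxcBackend.py` is not idempotent: a second run (vm-upgrade.sh repeats the same line) yields `template=self.template, bdevtype='btrfs', bdevtype='btrfs'`, a repeated keyword argument that Python rejects as a SyntaxError, unless `./install.sh` has replaced the file first; guard it with `grep -q bdevtype ... ||`. It also hard-codes `python3.9`, so on another Debian release it silently does nothing. `btrsize=$(( $freespace - 5000000 ))` goes negative on a disk with less than 5 GB free and `truncate` then fails with an unhelpful error; check the value before use (and note that `df` prints 1K blocks, which is why the `k` suffix is right). `git checkout fe59ef1f` pins snster, which is good, but `# git checkout tags/v1.1.0` is left commented without saying why the tag is not used. `echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local` is duplicated by vm-install-kaz.sh, giving two entries in the non-NOKAZ path. `cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/` and `.../isp-a/home/` copy private keys into two config trees that are then copied into containers; fine for lab certificates, but make that the only kind that ever lands in `files/letsencrypt`. The commented overlay `fstab` lines above `ln -s ...` should be removed now that symlinks replace them.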

47
files/vm-upgrade.sh Executable file
View File

@ -0,0 +1,47 @@
#!/bin/bash
# Upgrade de tout sauf kaz-prod
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
set -e
# On met à jour SNSTER
cd /root/snster
git switch main
git pull
./install.sh
# hotfix pour btrfs
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# On récupère le dernier kaz-vagrant
cd /tmp
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
cd /tmp/kaz-vagrant
git switch develop-snster
# On écrase les anciens fichiers
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On détruit et reconstruit tout sauf kaz-prod
SNSTER="snster -c /root/snster-kaz"
$SNSTER destroy isp-a-home
$SNSTER destroy isp-a-infra
$SNSTER destroy isp-a-router
$SNSTER destroy kaz-router
$SNSTER destroy mica-router
$SNSTER destroy mica-infra
$SNSTER destroy opendns-router
$SNSTER destroy opendns-resolver
$SNSTER destroy root-p-router
$SNSTER destroy root-p-rootns
$SNSTER destroy tld-sns-router
$SNSTER destroy tld-sns-ns
$SNSTER destroy transit-a-router
$SNSTER create
$SNSTER start
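Review bot: `git switch main` followed by `git pull` updates snster to whatever upstream main is at run time, while vm-provision.sh pins commit fe59ef1f; after an upgrade the VM runs an unreviewed snster fetched over HTTPS with no pin, and the `sed` hotfix below (which repeats vm-provision.sh's non-idempotent pattern and relies on `./install.sh` having replaced the file first) may no longer match it. Pin the same commit or tag here. `git clone ... || (cd kaz-vagrant && git pull)` runs the pull for any clone failure, not only an existing directory, so a network error surfaces as a confusing "not a git repository"; test for the directory explicitly. The hand-maintained list of thirteen `destroy` calls must be edited whenever a host is added to or removed from the YAML, and a host removed from the YAML is never destroyed; deriving the list from the site files or from `snster print` would avoid the drift. As in vm-provision.sh, `cp -ar /etc/letsencrypt` copies key material into `/root/snster-kaz`.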

View File

@ -3,14 +3,14 @@
set -e set -e
# Get HD filename # Get HD filename
FILENAME=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'` FILENAME=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# Split the dir and filename # Split the dir and filename
DIR=`dirname "$FILENAME"` DIR=`dirname "$FILENAME"`
FILE=`basename "$FILENAME"` FILE=`basename "$FILENAME"`
# Get HD UUID # Get HD UUID
UUID=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'` UUID=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# echo -e $DIR # echo -e $DIR
# echo -e $FILE # echo -e $FILE
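Review bot: the VM name is now hard-coded as `kaz-vm` both here and in trim_enable.sh; one shared variable, or reading the name from the Vagrantfile, would stop the next rename from missing a script (this hunk exists because the previous name `kaz-dev-amd64` did). The `grep SATA | grep UUID | cut ... | sed ...` chain parses human-readable `showvminfo` output and breaks if the controller is not called SATA or a second disk is attached; trim_enable.sh already uses `--machinereadable`, so do the same here.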

16
trim_enable.sh Executable file
View File

@ -0,0 +1,16 @@
#!/usr/bin/env bash
set -e
# Get HD UUID
HDUUID=`vboxmanage showvminfo kaz-vm --machinereadable | grep ImageUUID | cut -d= -f2 | sed -e "s/\"//g"`
# Get storage controller
STCTRL=`vboxmanage showvminfo kaz-vm --machinereadable | grep storagecontrollername0 | cut -d= -f2 | sed -e "s/\"//g"`
#echo -e $HDUUID
#echo -e $STCTRL
vboxmanage storageattach kaz-vm --medium="$HDUUID" --storagectl="${STCTRL}" --port=0 --discard=on --nonrotational=on
echo "Trim enabled !"
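Review bot: `grep ImageUUID` returns one line per attached medium, so with more than one disk `HDUUID` becomes multi-line and `storageattach` receives a mangled `--medium`; select the exact key for the controller and port you mean (the machine-readable keys are of the form `"<controller>-ImageUUID-<port>-<device>"`) and exit if more than one line remains. `--port=0` is assumed rather than derived from that key. `storageattach ... --discard=on --nonrotational=on` only succeeds while the VM is powered off, so check the state first or the `set -e` just kills the script. Minor: `#!/usr/bin/env bash` here versus `#!/bin/bash` in sparsify.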