Compare commits


No commits in common. "66a965e4669bc6d3503f9a9535b0329a80ef1a3f" and "835397e973fb6477e90ac8eb7233ae82615fb0d0" have entirely different histories.

47 changed files with 251 additions and 998 deletions

View File

@ -1,7 +1,5 @@
# kaz-vagrant # kaz-vagrant
(ATTENTION, NON À JOUR POUR SNSTER)
[Kaz](https://kaz.bzh/) est un CHATONS du Morbihan. Nous proposons ici un moyen de le répliquer dans d'autres lieux. Il y a des éléments de configuration à définir avant d'initialiser ce simulateur. [Kaz](https://kaz.bzh/) est un CHATONS du Morbihan. Nous proposons ici un moyen de le répliquer dans d'autres lieux. Il y a des éléments de configuration à définir avant d'initialiser ce simulateur.
Le principe est de faire fonctionner un simulateur de notre CHATONS dans une VirtualBox pour mettre au point nos différents services. Le principe est de faire fonctionner un simulateur de notre CHATONS dans une VirtualBox pour mettre au point nos différents services.

View File

@ -6,33 +6,20 @@ Le principe est de faire fonctionner un simulateur de notre CHATONS dans une Vir
Nous utilisons : Nous utilisons :
* Vagrant pour automatiser la création de la Machine Virtuelle * Vagrant pour automatiser la création de la Machine Virtuelle
* VirtualBox pour une VM isolée * VirtualBox pour simuler notre serveur
* [SNSTER](https://framagit.org/flesueur/snster) pour créer des services internet tiers et notre serveur
* LXC pour faire tourner ces services dans des conteneurs distincts (ie, kaz-prod est un conteneur LXC)
* Docker pour chaque service de notre serveur * Docker pour chaque service de notre serveur
À la fin, nous obtenons une maquette d'un petit internet simulé, avec du DNS, des mails tiers, et notre serveur kaz-prod dans un coin.
![topologie](/doc/images/topologie.png)
## Pré-requis ## Pré-requis
Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git. Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git.
UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entreprise par exemple). Pour tester:
```bash
# dig @80.67.169.12 www.kaz.bzh
```
## Installation ## Installation
* Télécharger le dépôt kaz-vagrant, branche develop-snster, ou utilisez la commande git : * Télécharger le dépôt kaz-vagrant ou utilisez la commande git :
```bash ```bash
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
cd kaz-vagrant/ cd kaz-vagrant/
git switch develop-snster # dans les 2 cas
``` ```
* Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) : * Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
```bash ```bash
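Review bot: the right-hand clone instructions no longer name a branch (the left side had `git switch develop-snster # dans les 2 cas`), so a reader following them lands on the repository default branch; if the non-SNSTER layout lives on a specific branch, keep a `git switch <branch>` line after `cd kaz-vagrant/`. The removed UDP/53 pre-check is still a useful diagnostic for people behind a corporate firewall even without SNSTER, since provision.sh fetches from git.kaz.bzh and the Debian mirrors; if it is kept anywhere, write the `dig` command without the leading `#` inside the ```bash fence, where it currently renders as a comment rather than a root prompt.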
@ -45,7 +32,7 @@ vagrant plugin install vagrant-vbguest
vagrant up vagrant up
``` ```
Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem FUSE beaucoup plus lent qu'en natif... Cette étape peut-être (très) longue. Il faudra éventuellement répondre "docker0" à la question "Which interface should the network bridge to?"
## Mise au point ## Mise au point
@ -57,7 +44,7 @@ NOKAZ="true" vagrant up
Dans ce cas, il faudra ensuite lancer dans la VM : Dans ce cas, il faudra ensuite lancer dans la VM :
```bash ```bash
KAZGUARD="true" /root/vm-install-kaz.sh /kaz/bin/install.sh
``` ```
Pour détruire la VM et recommencer : Pour détruire la VM et recommencer :
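Review bot: the right-hand instruction `/kaz/bin/install.sh` drops the explicit `KAZGUARD="true"` that the left-hand command carried; `files/kaz.sh` exits immediately and silently (`exit 1`) when `KAZGUARD` is unset, so if install.sh has the same guard the command only works because provision.sh appends `export KAZGUARD='true'` to /root/.bashrc, i.e. from an interactive root shell and not from a non-interactive one. Say that here, or keep the variable on the command line as before.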
@ -72,36 +59,16 @@ Les utilisateurs créés sont
* debian/debian * debian/debian
* root/root. * root/root.
Si vous avec laissé la création de Kaz, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long). Si vous avec laissé la création des dockers, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long).
Lors du démarrage de la VM, il faut lancer SNSTER et éventuellement les conteneurs : Lors du démarrage de la VM, il faut lancer les conteneurs dans la VM :
```bash ```bash
cd /root/snster-kaz /kaz/bin/container.sh start
snster start
``` ```
Normalement, kaz-prod lance automatiquement les dockers (dans son rc.local), mais si ça ne marche pas bien il peut falloir les relancer (que se passe-t-il si on relance container.sh pendant que container.sh n'est pas encore fini ? faut-il l'enlever du rc.local ? Le lancement initial peut rater, probablement si le DNS n'est pas encore fonctionnel lors du lancement, à mettre au point et peut-être enlever du rc.local ?) Vous pouvez alors démarrer le client de messagerie clawsmail dans lequel 4 comptes ont été paramétrés (contact1@kaz.local, contact2@kaz.local, contact3@kaz.local, contact4@kaz.local) tous avec le mot de passe 'toto'
```bash
snster attach kaz-prod -x /kaz/bin/container.sh start
```
Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/root/snster-kaz`) : Il y a un aperçu de l'état des services avec l'url https://kaz.local/status/allServices.html
* Afficher un bureau graphique sur une machine tierce à Kaz : `snster display isp-a-home`. Sur cette machine, vous pouvez :
* Ouvrir Firefox et naviguer vers :
* `https://www.kaz.sns`, le Kaz interne à la VM
* `https://listes.kaz.sns`, le sympa interne à la VM
* `https://www.kaz.bzh`, le vrai Kaz
* Ouvrir claws-mail et retrouver les comptes mails configurés :
* `contact1@kaz.sns` à `contact4@kaz.sns`, hébergés sur le kaz-prod de la VM
* `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra
* Travailler sur kaz-prod : `snster attach kaz-prod`
* Afficher un plan de réseau : `snster print`
* Le système de fichiers de kaz-prod est accessible directement dans la VM:
* `/kaz-prod/` [VM] correspond à `/` [kaz-prod]
* `/kaz` [VM] correspond à `/kaz` [kaz-prod]
* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori.
Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html
![status](/doc/images/allServices.jpg) ![status](/doc/images/allServices.jpg)
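Review bot: the credentials documented in this section (debian/debian, root/root, and on the right-hand side the four contactN@kaz.local accounts with password 'toto') are identical in every copy of the simulator, and the Vagrantfile enables a GUI with `--clipboard-mode bidirectional`; that is acceptable only while the VM stays behind VirtualBox NAT (`--natnet1 192.168.64.0/24`). Add one sentence here stating that the VM must not be bridged or port-forwarded onto a shared network as built. The right-hand side also replaces the `snster start` / `snster attach kaz-prod -x /kaz/bin/container.sh start` workflow with a direct `/kaz/bin/container.sh start`, which makes the left-hand open question about container.sh racing rc.local moot; if an rc.local hook still exists in the kaz repo, document whether the manual start is needed or just a fallback.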
@ -109,13 +76,13 @@ Les erreurs 502 correspondent à des fonctions en cours de développement. Les m
Vous pouvez également démarrer firefox avec les URL suivantes: Vous pouvez également démarrer firefox avec les URL suivantes:
* https://www.kaz.sns * https://www.kaz.local
* https://tableur.kaz.sns * https://tableur.kaz.local
* https://pad.kaz.sns * https://pad.kaz.local
* https://depot.kaz.sns * https://depot.kaz.local
* https://agora.kaz.sns/login (compte contact1@kaz.local créé, mot de passe toto) * https://agora.kaz.local/login (compte contact1@kaz.local créé, mot de passe toto)
* https://cloud.kaz.sns/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 ) * https://cloud.kaz.local/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
* https://sondage.kaz.sns * https://sondage.kaz.local
Il vous faudra accepter les alertes de sécurité pour certificat absent (web et messagerie) Il vous faudra accepter les alertes de sécurité pour certificat absent (web et messagerie)
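Review bot: "Il vous faudra accepter les alertes de sécurité pour certificat absent" conflicts with the right-hand provisioning, which runs `mkcert -install`, mints `*.kaz.local` and pushes the root CA into Firefox through `/usr/lib/firefox-esr/distribution/policies.json`; if that import works, this sentence is stale and should say that certificates are trusted automatically inside the VM, and if it does not (the provision script still carries an "ATTENTION: MARCHE PAS" comment above the CERTIF block), say which client still warns. Teaching users to click through certificate warnings is the one habit a simulator of a real CHATONS should not build. The passwords `toto` and `totototototototo1234` are listed in clear here, which is fine for a local simulator as long as they are never reused in the dev.kaz.bzh or kaz.bzh environments named in dockers.env.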

View File

@ -26,7 +26,6 @@ Vagrant.configure("2") do |config|
end end
config.vm.box = "debian/bullseye64" config.vm.box = "debian/bullseye64"
config.vm.hostname = 'kaz-vm'
config.disksize.size = '32GB' config.disksize.size = '32GB'
# Disable automatic box update checking. If you disable this, then # Disable automatic box update checking. If you disable this, then
@ -67,7 +66,7 @@ Vagrant.configure("2") do |config|
# # Customize the amount of memory on the VM: # # Customize the amount of memory on the VM:
vb.memory = "4096" vb.memory = "4096"
vb.cpus="2" vb.cpus="2"
vb.name = "kaz-vm" vb.name = "kaz-dev-amd64"
vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24'] vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24']
vb.gui = true vb.gui = true
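Review bot: `--clipboard-mode bidirectional` (unchanged on both sides) lets the guest write to the host clipboard; for a VM whose purpose is to run service containers and a mail client against locally minted certificates, `hosttoguest` is the safer default, with bidirectional left as a commented opt-in. The `vb.name` change to "kaz-dev-amd64" is fine, but the previous hunk also drops `config.vm.hostname = 'kaz-vm'`, so nothing in the Vagrantfile names the guest any more; if any provisioning step keys on the hostname, set it explicitly.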
@ -86,10 +85,9 @@ Vagrant.configure("2") do |config|
#permet d'avoir un répertoire partagé entre la VM et le host #permet d'avoir un répertoire partagé entre la VM et le host
config.vm.synced_folder "/tmp/", "/tmp_host" config.vm.synced_folder "/tmp/", "/tmp_host"
config.vm.synced_folder "files/", "/root/kaz-vagrant"
config.vm.provision "shell" do |s| config.vm.provision "shell" do |s|
s.inline = "/vagrant/files/vm-provision.sh" s.inline = "/vagrant/files/provision.sh"
s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']} s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
end end
end end
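Review bot: `config.vm.synced_folder "/tmp/", "/tmp_host"` (unchanged context) mounts the host's world-writable /tmp read-write inside a VM that runs provisioning as root and puts the `debian` user in the docker group; anything running in the guest can then plant or replace files that host processes read from /tmp. Mount it read-only (`mount_options: ["ro"]`) or point it at a dedicated directory such as `~/kaz-share`. Dropping the second synced folder (`files/` to `/root/kaz-vagrant`) is consistent with the right-hand provisioning reading everything from `/vagrant/files`; note that `s.inline = "/vagrant/files/provision.sh"` runs the path as a command, so the file needs its execute bit, otherwise the provisioner fails before logging anything.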

Binary file not shown.


View File

@ -9,9 +9,8 @@ cd `dirname $0`
name=$1 name=$1
domainname=$2 domainname=$2
login=$3 password=$3
password=$4 number=$4
number=$5
# cp -ar claws-mail ~/.claws-mail # cp -ar claws-mail ~/.claws-mail
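Review bot: the parameter list shrinks from five to four (`password=$3`, `number=$4`), so any caller still passing the old order, as the deleted isp-a/home script does (`addclawsuser.sh contact1 kaz.sns contact1@kaz.sns toto 1`), silently gets `password=contact1@kaz.sns` and `number=toto`; add an argument-count check at the top (`[ $# -eq 4 ] || { echo "usage: $0 name domain password number" >&2; exit 1; }`) and update every call site. The password is also passed on the command line, where it is visible in the process list for the life of the script; tolerable in a throwaway VM, but a comment saying so avoids the pattern being copied elsewhere.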
@ -23,7 +22,6 @@ cat claws-mail/accountrc > /tmp/accountrc
sed -i -e "s/\$name/$name/" /tmp/accountrc sed -i -e "s/\$name/$name/" /tmp/accountrc
sed -i -e "s/\$domainname/$domainname/" /tmp/accountrc sed -i -e "s/\$domainname/$domainname/" /tmp/accountrc
sed -i -e "s/\$number/$number/" /tmp/accountrc sed -i -e "s/\$number/$number/" /tmp/accountrc
sed -i -e "s/\$login/$login/" /tmp/accountrc
cat /tmp/accountrc >> ~/.claws-mail/accountrc cat /tmp/accountrc >> ~/.claws-mail/accountrc
if [ ! -f ~/.claws-mail/folderlist.xml ]; then if [ ! -f ~/.claws-mail/folderlist.xml ]; then
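Review bot: the `sed -i -e "s/\$name/$name/"` substitutions interpolate the arguments unescaped into both the sed pattern and the replacement, so a `name` or `domainname` containing `/`, `&` or `\` breaks the expression or, worse, writes a malformed block that is then appended to `~/.claws-mail/accountrc`; either validate the arguments against `^[A-Za-z0-9._-]+$` first or use a delimiter that cannot appear in them. Writing the template to the fixed, predictable path `/tmp/accountrc` from a script run as the `debian` user is also the classic shared-/tmp hazard; `mktemp` costs one line. Dropping the `$login` substitution is consistent with the accountrc template now using `user_id=$name@$domainname`.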
@ -34,7 +32,6 @@ cat claws-mail/folderlist.xml > /tmp/folderlist.xml
sed -i -e "s/\$name/$name/" /tmp/folderlist.xml sed -i -e "s/\$name/$name/" /tmp/folderlist.xml
sed -i -e "s/\$domainname/$domainname/" /tmp/folderlist.xml sed -i -e "s/\$domainname/$domainname/" /tmp/folderlist.xml
sed -i -e "s/\$number/$number/" /tmp/folderlist.xml sed -i -e "s/\$number/$number/" /tmp/folderlist.xml
sed -i -e "s/\$login/$login/" /tmp/folderlist.xml
sed -i -e "s/<\/folderlist>//" ~/.claws-mail/folderlist.xml sed -i -e "s/<\/folderlist>//" ~/.claws-mail/folderlist.xml
cat /tmp/folderlist.xml >> ~/.claws-mail/folderlist.xml cat /tmp/folderlist.xml >> ~/.claws-mail/folderlist.xml
echo "</folderlist>" >> ~/.claws-mail/folderlist.xml echo "</folderlist>" >> ~/.claws-mail/folderlist.xml

View File

@ -1,7 +1,7 @@
[Account: $number] [Account: $number]
domain=kaz.local domain=kaz.local
name=$name@$domainname name=$name@$domainname
account_name=$name@$domainname account_name=IMAP
is_default=1 is_default=1
address=$name@$domainname address=$name@$domainname
organization= organization=
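Review bot: `account_name=IMAP` on the right-hand side gives all four generated accounts the same display name, so the user cannot tell contact1 from contact4 in claws-mail's account selector; keep `account_name=$name@$domainname` as on the left, or at least `IMAP $number`. `domain=kaz.local` is hard-coded while `name` and `address` use `$domainname`; make it `$domainname` too so the template works for any domain the script is called with.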
@ -15,7 +15,7 @@ use_mail_command=0
mail_command=/usr/sbin/sendmail -t -i mail_command=/usr/sbin/sendmail -t -i
use_nntp_auth=0 use_nntp_auth=0
use_nntp_auth_onconnect=0 use_nntp_auth_onconnect=0
user_id=$login user_id=$name@$domainname
use_apop_auth=0 use_apop_auth=0
remove_mail=1 remove_mail=1
message_leave_time=7 message_leave_time=7
@ -36,7 +36,7 @@ generate_msgid=1
generate_xmailer=1 generate_xmailer=1
add_custom_header=0 add_custom_header=0
msgid_with_addr=0 msgid_with_addr=0
use_smtp_auth=1 use_smtp_auth=0
smtp_auth_method=0 smtp_auth_method=0
smtp_user_id= smtp_user_id=
pop_before_smtp=0 pop_before_smtp=0
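Review bot: `use_smtp_auth=0` on the right-hand side means claws-mail submits mail without authenticating, which only works if the MTA in the VM relays unconditionally for its own network, exactly the open-relay configuration a prod-like simulator should not normalise. Keep `use_smtp_auth=1` with the account credentials (the MTA then has to accept AUTH on the submission port), so the simulator exercises the same submission path as production.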
@ -76,7 +76,7 @@ ssl_pop=0
ssl_imap=0 ssl_imap=0
ssl_nntp=0 ssl_nntp=0
ssl_smtp=0 ssl_smtp=0
ssl_certs_auto_accept=1 ssl_certs_auto_accept=0
use_nonblocking_ssl=1 use_nonblocking_ssl=1
in_ssl_client_cert_file= in_ssl_client_cert_file=
out_ssl_client_cert_file= out_ssl_client_cert_file=
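Review bot: switching `ssl_certs_auto_accept` from 1 to 0 is the right direction (the left-hand value made the client accept any certificate silently, hiding exactly the misconfiguration a simulator exists to reveal), but with `ssl_imap=0` and `ssl_smtp=0` in the surrounding context there is no TLS at all, so the IMAP password 'toto' crosses the VM network in clear. Since provisioning already installs a mkcert CA and a `*.kaz.local` certificate, enable STARTTLS or implicit TLS for IMAP and SMTP here; the README's "accept the security alert" step for mail then becomes unnecessary.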

View File

@ -366,7 +366,7 @@ hover_timeout=500
cache_max_mem_usage=4096 cache_max_mem_usage=4096
cache_min_keep_time=15 cache_min_keep_time=15
thread_by_subject_max_age=10 thread_by_subject_max_age=10
last_opened_folder=#imap/email@isp-a.sns/Trash last_opened_folder=#imap/hacker@isp-a.milxc/Trash
goto_last_folder_on_startup=0 goto_last_folder_on_startup=0
summary_quicksearch_sticky=1 summary_quicksearch_sticky=1
summary_quicksearch_dynamic=0 summary_quicksearch_dynamic=0
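Review bot: `last_opened_folder=#imap/hacker@isp-a.milxc/Trash` on the right-hand side refers to a mailbox that nothing in this tree creates (the configured accounts are contact1 to contact4@kaz.local per the README); it reads like a leftover from a MI-LXC-derived configuration this file was copied from. Harmless with `goto_last_folder_on_startup=0`, but point it at one of the real accounts or drop the key so the file does not advertise an identity that does not exist.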

78
files/kaz.sh Executable file
View File

@ -0,0 +1,78 @@
#!/bin/bash
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files
mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
#pour la résolution de noms dans /etc/hosts
SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
find /kaz -name \*.sh -exec chmod a+x {} \;
# pour ceux qui disposent d'un cache apt local et pas la fibre
if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
fi
if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
fi
if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
mkdir -p /root/.docker
rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
fi
echo -e "\n #### rsync download\n"
[ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
[ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
[ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
[ ! -f "/kaz/config/dockers.env" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
if [ "${NOKAZ}" == "true" ]; then
echo "on ne lance pas install.sh"
else
echo "on lance install.sh"
/kaz/bin/install.sh
fi
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
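Review bot: `[ ! -f "/kaz/config/config/container-${type}.list" ]` has `config/` twice, so the guard tests a path that never exists and the rsync overwrites `/kaz/config/container-*.list` on every run, unlike the `dockers.env` lines just above which really are copy-if-absent; the same typo appears in the deleted SNSTER-era kaz.sh further down this page, so it was inherited rather than introduced, but this is the moment to fix it. Two smaller points: `[ -f kaz ] || git clone` tests for a regular file while `/kaz` is a directory, and `rm -rf /kaz` a few lines earlier makes the test dead anyway; and the clone checks out the head of `${KAZBRANCH}` (default `master`) with no commit pin, so every provisioning run executes whatever is on that branch as root (the SNSTER install on the other side is pinned to `fe59ef1f`); at minimum log the resulting commit (`git -C /kaz rev-parse HEAD`) into `${DebugLog}` so a build can be tied to the code it ran. `SERVICES_LIST` is defined here but nothing in this file reads it.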

View File

@ -3,7 +3,7 @@ jirafeau
ethercalc ethercalc
collabora collabora
ethercalc ethercalc
#etherpad etherpad
ldap ldap
quotas quotas
web web
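Review bot: `ethercalc` appears twice in this list (first and third lines of the hunk, unchanged on both sides); if container.sh iterates the entries in order it will attempt to start ethercalc twice. Re-enabling `etherpad` on the right-hand side looks intended; drop the duplicate while touching the file.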

View File

@ -9,12 +9,12 @@ mode=local
######################################## ########################################
# choix du domaine # choix du domaine
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local # prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
domain=kaz.sns domain=kaz.local
######################################## ########################################
# choix du domaine des mails sympa # choix du domaine des mails sympa
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local # prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
domain_sympa=listes.kaz.sns domain_sympa=kaz.local
######################################## ########################################
# choix d'un serveur partiel # choix d'un serveur partiel
@ -29,10 +29,10 @@ site=
httpProto=https httpProto=https
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1 # prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
MAIN_IP=100.80.0.2 MAIN_IP=127.0.0.1
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2 # prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
SYMPA_IP=100.80.1.2 SYMPA_IP=127.0.0.2
######################################## ########################################
# noms des services # noms des services
@ -98,7 +98,7 @@ sympaDBName=sympaDB
vigiloDBName=vigiloDB vigiloDBName=vigiloDB
wordpressDBName=wpDB wordpressDBName=wpDB
ldapUIName=ldapUI ldapIUName=ldapIU
######################################## ########################################
# politique de redémarrage # politique de redémarrage
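Review bot: `ldapIUName=ldapIU` on the right-hand side looks like a transposition of `ldapUIName=ldapUI` on the left; whichever spelling the kaz scripts read, the other one leaves the LDAP UI container without a name, so check the consumer and keep a single spelling on both sides.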
@ -112,7 +112,7 @@ restartPolicy=no
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/ jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldap_root=dc=kaz,dc=sns ldapRoot=dc=kaz,dc=local
######################################## ########################################
# services activés par container.sh # services activés par container.sh
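Review bot: the key is renamed between the two sides (`ldap_root` on the left, `ldapRoot` on the right) in addition to the value change from `dc=kaz,dc=sns` to `dc=kaz,dc=local`; the scripts that build the LDAP base DN read only one of them, so confirm which is expected before merging. The unchanged `jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/` bakes a random-looking path segment into a committed config; if that segment is meant to be unguessable, generate it in `secretGen.sh` like the other secrets instead of committing it.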

View File

@ -21,7 +21,9 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# Copie de qques fichiers # Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv4.ip_forward=1
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
# MAJ et install # MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
@ -40,7 +42,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny' ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@ -108,6 +110,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# enable bash autocompletion # enable bash autocompletion
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
cat >> /etc/bash.bashrc <<EOF cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells # enable bash completion in interactive shells
if ! shopt -oq posix; then if ! shopt -oq posix; then
@ -118,6 +121,7 @@ if ! shopt -oq posix; then
fi fi
fi fi
EOF EOF
fi
# XFCE4 panel: use default config # XFCE4 panel: use default config
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585 # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
@ -146,6 +150,65 @@ SystemMaxFileSize=2M
EOF EOF
fi fi
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# # Localisation du $LANG, en par défaut, timezone Paris
# if [ -z "${KAZBRANCH}" ] ; then
# KAZBRANCH="develop-vm"
# fi
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
#
# # copie des sources
# cd /
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
# (cd /kaz ; git checkout "${KAZBRANCH}" )
# find /kaz -name \*.sh -exec chmod a+x {} \;
#
# # pour ceux qui disposent d'un cache apt local et pas la fibre
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
# mkdir -p /root/.docker
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
# fi
# Ajout d'un serveur DNS sur la VM
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
#***********DEBUT CERTIF******************* #***********DEBUT CERTIF*******************
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité #*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
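Review bot: `usermod -G docker debian` replaces the user's entire supplementary group list with `docker` alone (no `-a`), which silently drops `debian` from `sudo` and any other group the box ships with; use `usermod -aG docker debian`, and remember that docker-group membership is root-equivalent on the VM. Next, the guard `if ! grep -q "for file in /dockers" /root/.bashrc` never matches the text it protects (the heredoc writes `for file in /kaz/bin/.*-completion.bash`), so the block is appended again on every provisioning run; grep for the string actually written. Inside that heredoc, `for file in /kaz/bin/.*-completion.bash ; do source "\${file}"` sources the literal glob when no completion file exists, so add `[ -f "\${file}" ] || continue`. The commented-out block from `# if [ -z "${KAZBRANCH}" ]` down to the `.docker-config.json` rsync duplicates `files/kaz.sh` verbatim and should go. Finally, `apt-get install -y dnsmasq` sits under a comment saying it is probably useless now that names live in /etc/hosts; either remove it or document what it serves, because an extra resolver listening in the VM is one more component to reason about.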
@ -162,76 +225,91 @@ EOF
export CAROOT=/etc/letsencrypt/local/ export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ /root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}" cd "${CAROOT}"
/root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/ /root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.sns/ mkdir -p /etc/letsencrypt/live/kaz.local/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem ln -s ../../local/_wildcard.kaz.local-key.pem /etc/letsencrypt/live/kaz.local/privkey.pem
fi fi
# Essai pour faire accepter la CA à FFOX dès le début
# Add to Firefox store
if [ ! -f /usr/lib/firefox-esr/distribution/policies.json ]; then
cat > /usr/lib/firefox-esr/distribution/policies.json << EOF
{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": ["/etc/letsencrypt/local/rootCA.pem"]
}
}
}
EOF
fi
#***********FIN CERTIF******************* #***********FIN CERTIF*******************
#ajout des services dans le host
echo -e "\n #### update /etc/hosts\n"
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.1 kaz.local" >>/etc/hosts
fi
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
fi
for SERVICE in ${SERVICES_LIST}; do
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
sed -i /etc/hosts \
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
fi
done
echo -e "\n #### clawsmail\n"
# les scripts de créations de BAL pour clawsmail
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
cd /clawsmail
chmod +x addclawsuser.sh
chmod +x genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# echo -e "\n #### rsync download\n"
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
# [ ! -f "/kaz/config/dockers.env" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
# for type in mail orga proxy withMail withoutMail ; do
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
# done
#
# echo -e "\n #### secretGen\n"
# /kaz/bin/secretGen.sh
#
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
# if [ "${NOKAZ}" == "true" ]; then
# echo "on ne lance pas install.sh"
# else
# echo "on lance install.sh"
# /kaz/bin/install.sh
# fi
${VAGRANT_SRC_DIR}/kaz.sh
# clear apt cache # clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean DEBIAN_FRONTEND=noninteractive apt-get clean
# SNSTER
cd
git clone https://framagit.org/flesueur/snster.git
cd snster
# git checkout tags/v1.1.0
git checkout fe59ef1f
./install.sh
# BTRFS avec hotfix sale de SNSTER
freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
truncate -s ${btrsize}k /root/btrfs.img
mkfs.btrfs -f /root/btrfs.img
echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab
mount /var/lib/lxc
#losetup -f /root/btrfs.img
#mount /dev/loop0 /var/lib/lxc
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# SNSTER KAZ
# cp -ar ${VAGRANT_SRC_DIR}/templates /root
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
# mkdir /kaz-prod /kaz
# echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
# echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# Build SNSTER KAZ !
snster -c /root/snster-kaz create
cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
chmod +x /root/vm-install-kaz.sh
cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
chmod +x /root/vm-upgrade.sh
if [ "${NOKAZ}" == "true" ]; then
echo "on ne fait pas l'install de kaz sur kaz-prod"
else
echo "on installe kaz sur kaz-prod"
bash "/root/vm-install-kaz.sh"
fi
echo "########## ********** End Vagrant $(date +%D-%T)" echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2) ) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
reboot reboot
# Pour sympa-SOAP
# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"
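Review bot: the `for SERVICE in ${SERVICES_LIST}` loop that fills /etc/hosts runs here, but the only visible definition of `SERVICES_LIST` is inside `files/kaz.sh`, which this script launches later (`${VAGRANT_SRC_DIR}/kaz.sh`) as a child process; unless provision.sh defines the variable in a part not shown on this page, the loop iterates over nothing and /etc/hosts ends up with only `kaz.local` and `listes.kaz.local`, so define or export the list in provision.sh before the loop. Other points in this hunk: `mkcert -install` with `CAROOT=/etc/letsencrypt/local/` writes both `rootCA.pem` and the CA private key into that directory, and the Firefox policy then trusts that root for everything the VM browses (`ImportEnterpriseRoots` plus `Install`); keep the directory root-only (`chmod 700 "${CAROOT}"`) and never copy it wholesale elsewhere the way the removed SNSTER lines did (`cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/`), because anyone holding that key can mint certificates the VM's browser and system store accept. `echo "export KAZGUARD='true'" >> /root/.bashrc` has no grep guard like the other appends, so it duplicates on re-provisioning. The commented-out block between `# echo -e "\n #### rsync download\n"` and `# fi` repeats `files/kaz.sh` and can be deleted, as can the dangling sympa-SOAP comment after `reboot`, which references a `snster` command that no longer exists on this side.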

View File

@ -1,62 +0,0 @@
version: 1
header:
name: ISP-A AS
comment: An ISP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.110/24
ipv6: 2001:db8:b000::110/48
eth1:
bridge: isp-a-cust
ipv4: 100.120.0.1/24
eth2:
bridge: isp-a-infra
ipv4: 100.120.1.1/24
ipv6: 2001:db8:120:1::1/64
templates:
- bgprouter:
asn: 20
asdev: eth1;eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: isp-a.sns
infra:
network:
interfaces:
eth0:
bridge: isp-a-infra
ipv4: 100.120.1.2/24
ipv6: 2001:db8:120:1::2/64
gatewayv4: 100.120.1.1
gatewayv6: 2001:db8:120:1::1
templates:
- mailserver:
domain: isp-a.sns
- resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv:
domain: isp-a.sns
ns: 100.100.100.100
home:
network:
interfaces:
eth0:
bridge: isp-a-cust
ipv4: 100.120.0.3/24
gatewayv4: 100.120.0.1
templates:
- updatecaroots:
- resolv:
domain: isp-a.sns
ns: 100.100.100.100

View File

@ -1,40 +0,0 @@
#!/bin/bash
# ISP-A infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# les scripts de créations de BAL pour clawsmail
cp -ar "clawsmail" /
chmod +x /clawsmail/addclawsuser.sh
chmod +x /clawsmail/genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On configure les comptes mail
if [ -f /clawsmail/addclawsuser.sh ]; then
su debian /clawsmail/addclawsuser.sh contact1 kaz.sns contact1@kaz.sns toto 1
su debian /clawsmail/addclawsuser.sh contact2 kaz.sns contact2@kaz.sns toto 2
su debian /clawsmail/addclawsuser.sh contact3 kaz.sns contact3@kaz.sns toto 3
su debian /clawsmail/addclawsuser.sh contact4 kaz.sns contact4@kaz.sns toto 4
su debian /clawsmail/addclawsuser.sh email isp-a.sns email email 5
fi
# On place les certifs
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
/usr/sbin/update-ca-certificates --fresh
fi
# Add to Firefox store
echo -e '{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": ["/etc/ssl/certs/root.pem"]
}
}
}' > /usr/lib/firefox-esr/distribution/policies.json

View File

@ -1,15 +0,0 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "isp-a.sns." static
local-data: "smtp.isp-a.sns. IN A 100.120.1.2"
local-data: "mail.isp-a.sns. IN A 100.120.1.2"
local-data: "ns.isp-a.sns. IN A 100.120.1.2"
local-data: "isp-a.sns. IN MX 10 smtp.isp-a.sns."
local-zone: "120.100.in-addr.arpa." static
local-data: "2.1.120.100.in-addr.arpa. IN PTR smtp.isp-a.sns"
local-data: "2.0.120.100.in-addr.arpa. IN PTR home.isp-a.sns"
local-data: "1.1.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
local-data: "1.0.120.100.in-addr.arpa. IN PTR router.isp-a.sns"

View File

@ -1,21 +0,0 @@
#!/bin/bash
# ISP-A infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# Email's mail account email@isp-a.sns
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
addgroup email mail
#mkdir /home/hacker/mail
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage isp-a.sns zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/

View File

@ -1,48 +0,0 @@
version: 1
header:
name: Target AS
comment: AS of the Target organization
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.10/24
ipv6: 2001:db8:b000::10/48
eth1:
bridge: kaz-lan1
ipv4: 100.80.0.1/24
eth2:
bridge: kaz-lan2
ipv4: 100.80.1.1/24
templates:
- bgprouter:
asn: 10
asdev: eth1;eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: kaz.sns
prod:
network:
interfaces:
eth0:
bridge: kaz-lan1
ipv4: 100.80.0.2/24
eth1:
bridge: kaz-lan2
ipv4: 100.80.1.2/24
gatewayv4: 100.80.0.1
templates:
- updatecaroots:
- authns:
zonefiles: kaz.sns.zone;80.100.in-addr.arpa.zone
- resolv:
domain: kaz.sns
ns: 100.100.100.100

View File

@ -1,16 +0,0 @@
$TTL 86400
$ORIGIN 80.100.in-addr.arpa.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
ns IN A 100.80.0.2
ns IN AAAA 2001:db8:80::0:2
2.0 IN PTR smtp.kaz.sns.
1.0 IN PTR router.kaz.sns.
1.1 IN PTR router.kaz.sns.
2.1 IN PTR listes.kaz.sns.

View File

@ -1,71 +0,0 @@
#!/bin/bash
if [ -z "${SNSTERGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export OUTPUT_DIR="/root/install"
mkdir -p "${OUTPUT_DIR}/log/"
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
find /kaz -name \*.sh -exec chmod a+x {} \;
# pour ceux qui disposent d'un cache apt local et pas la fibre
if [ -f "${DIR}/.apt-mirror-config" ]; then
rsync -a "${DIR}/.apt-mirror-config" /kaz/
fi
if [ -f "${DIR}/.proxy-config" ]; then
rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
rsync -a "${DIR}/.proxy-config" /kaz/
fi
if [ -f "${DIR}/.docker-config.json" ]; then
mkdir -p /root/.docker
rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
fi
echo -e "\n #### rsync download\n"
[ -d "${DIR}/kaz/download" ] &&
rsync -a "${DIR}/kaz/download/" /kaz/download/
[ -d "${DIR}/kaz/git" ] &&
rsync -a "${DIR}/kaz/git/" /kaz/git/
[ -f "${DIR}/kaz/config/dockers.env" ] &&
[ ! -f "/kaz/config/dockers.env" ] &&
rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
/kaz/bin/install.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
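Review bot: `[ -f kaz ] || git clone ...` tests for a regular file, but `/kaz` is a directory (and was just removed by `rm -rf /kaz` above), so the clone always runs; `[ -d kaz ]` is the intended test, and with the unconditional `rm -rf` the guard is moot either way. The guard `[ ! -f "/kaz/config/config/container-${type}.list" ]` has a doubled `config/`, so it never sees the real file and the rsync overwrites any existing container list on every run; the `dockers.env` check just above it uses the right path. Finally, the script checks out an unpinned branch (`KAZBRANCH`, default master) and then `chmod a+x` every `*.sh` under /kaz; for reproducible lab builds consider pinning a commit hash.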

View File

@ -1,33 +0,0 @@
$TTL 86400
$ORIGIN kaz.sns.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
IN MX 10 smtp.kaz.sns.
IN A 100.80.0.2
ns IN A 100.80.0.2
dmz IN A 100.80.0.2
smtp IN CNAME dmz
imap IN CNAME dmz
www IN CNAME dmz
mail IN CNAME dmz
cloud IN CNAME dmz
tableur IN CNAME dmz
webmail IN CNAME dmz
garradin IN CNAME dmz
wiki IN CNAME dmz
git IN CNAME dmz
office IN CNAME dmz
depot IN CNAME dmz
ldap IN CNAME dmz
listes IN MX 10 listes
listes IN A 100.80.1.2
firewall IN A 100.80.0.1
firewall IN AAAA 2001:db8:80::0:1
router IN A 100.80.0.1
router IN AAAA 2001:db8:80::0:1
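Review bot: `smtp IN CNAME dmz` makes the apex MX target (`IN MX 10 smtp.kaz.sns.`) a CNAME, which RFC 2181 section 10.3 forbids (an MX must point at a name with A/AAAA records, not an alias); some MTAs and zone checkers reject it. Make `smtp` an A record like `ns` and `dmz` (`smtp IN A 100.80.0.2`). The `firewall` and `router` AAAA records (`2001:db8:80::0:1`) advertise an IPv6 address that the kaz router in main.yml never gets.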

View File

@ -1,85 +0,0 @@
#!/bin/bash
# Target DMZ
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# Go KAZ !
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# On met le GUARD pour la mise au point
echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On active fuse-overlayfs pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs" }
EOF
service docker restart
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker
# On place les certifs
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
fi
# ./kaz.sh
# On démarre au boot
echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
chmod +x /etc/rc.local
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
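Review bot: `usermod -G docker debian` replaces the user's supplementary groups instead of adding one; use `usermod -aG docker debian` (and note that membership in `docker` is root-equivalent). `cat >> /etc/docker/daemon.json` appends, so a pre-existing file or a second run leaves invalid JSON and the following `service docker restart` fails; write it with `>`. The comment above says fuse-overlayfs while the driver set is btrfs. `echo "export SNSTERGUARD='true'" >> /root/.bashrc` permanently disables the `SNSTERGUARD` check for every root shell on this host, so the setup scripts can later be run by hand on the wrong machine; prefer setting it only in the provisioning environment. Installing `rootCA.pem` with `update-ca-certificates --fresh` trusts the lab CA system-wide, which is expected here but should be stated in the README.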

View File

@ -1,34 +0,0 @@
version: 1
header:
name: KAZ
comment: KAZ development environment
config:
prefix: kaz
nat-bridge: lxcbr0
default-master: bullseye
masters:
bullseye:
backend: lxc
template: debian
parameters:
release: bullseye
arch: amd64
family: debian
alpine:
backend: lxc
template: download
parameters:
dist: alpine
release: 3.14
arch: amd64
no-validate: true
family: alpine
disabled-groups:
- _global
- _templates
- _masters
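Review bot: `no-validate: true` on the alpine master disables the lxc `download` template's GPG verification of the image index, so the Alpine rootfs used by every router is fetched without signature checking; acceptable for an isolated lab but it should be called out in the README, and `release: 3.14` is a fixed pin that only receives security updates for as long as that release is supported.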

View File

@ -1,42 +0,0 @@
version: 1
header:
name: MICA AS
comment: An ACME Certification Authority
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.1.140/24
ipv6: 2001:db8:b001::140/48
eth1:
bridge: mica-lan
ipv4: 100.82.0.1/16
ipv6: 2001:db8:82::1/48
templates:
- bgprouter:
asn: 12
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: mica.sns
infra:
network:
interfaces:
eth0:
bridge: mica-lan
ipv4: 100.82.0.2/16
ipv6: 2001:db8:82::2/48
gatewayv4: 100.82.0.1
gatewayv6: 2001:db8:82::1
templates:
- resolv:
domain: mica.sns
ns: 100.100.100.100
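Review bot: the router's transit address `100.64.1.140/24` on bridge `transit-a` is not in the same /24 as the neighbor `100.64.0.1` it is told to peer with (every other AS router on that bridge uses 100.64.0.x/24), and `2001:db8:b001::140/48` likewise sits in a different /48 from `2001:db8:b000::1`; an eBGP session with no route to the neighbor never comes up. Use `100.64.0.140/24` and `2001:db8:b000::140/48` and update the matching entries in the transit-a neighbor list.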

View File

@ -1,8 +0,0 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "mica.sns." static
local-data: "ns.mica.sns. IN A 100.82.0.2"
local-data: "www.mica.sns. IN A 100.82.0.2"
local-data: "ca.mica.sns. IN A 100.82.0.2"
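Review bot: `interface: 0.0.0.0` with `access-control: 100.64.0.0/10 allow` makes this unbound a recursive resolver for the whole simulated internet, not just an authoritative source for `mica.sns.`; if that is not wanted, restrict recursion. The TLD delegates `ns.mica.sns.` with AAAA glue `2001:db8:82::2` and the infra host does get that address, but there is no IPv6 `interface:` and no AAAA `local-data` here, so v6 lookups for mica.sns return nothing.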

View File

@ -1,28 +0,0 @@
#!/bin/bash
# MICA infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage mica.sns zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
# Install smallstep CA / ACME server
cd /tmp
wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
dpkg -i step-cli_0.17.2_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
dpkg -i step-ca_0.17.2_amd64.deb
# step ca init
# step ca root root.crt
# step ca provisioner add acme --type ACME
# certbot certonly -n --standalone -d www.target.sns --server https://www.mica.sns/acme/acme/directory --agree-tos --email "fr@fr.fr"
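Review bot: the two `wget ... .deb` plus `dpkg -i` lines install step-cli and step-ca from GitHub releases with no checksum or signature check; since the lab then trusts this CA's root system-wide (the prod setup copies `rootCA.pem` into the trust store), at least pin and verify the SHA-256 of the .deb files (`sha256sum -c`). The `step ca init` / `step ca provisioner add acme` steps that make the CA usable are commented out, so on its own this script leaves no running ACME server, and the commented certbot example uses `www.target.sns` rather than a kaz.sns name.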

View File

@ -1,44 +0,0 @@
version: 1
header:
name: open DNS service AS
comment: an open DNS resolver
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.30/24
ipv6: 2001:db8:b000::30/48
eth2:
bridge: opendns-lan
ipv4: 100.100.100.1/24
ipv6: 2001:db8:a100::1/48
templates:
- bgprouter:
asn: 7
asdev: eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: opendns.sns
resolver:
network:
interfaces:
eth0:
bridge: opendns-lan
ipv4: 100.100.100.100/24
ipv6: 2001:db8:a100::100/48
gatewayv4: 100.100.100.1
gatewayv6: 2001:db8:a100::1
templates:
- resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv:
domain: opendns.sns
ns: 100.100.100.100
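Review bot: the `resolver` host's `resolv` template points at its own address (`ns: 100.100.100.100`), so name resolution on that host fails whenever unbound is not yet running (provisioning, or a crash of the service); acceptable if nothing in its setup needs DNS, but a comment would help. The router interface naming skips eth1 (eth0 then eth2), which is harmless but inconsistent with the other AS files.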

View File

@ -1,32 +0,0 @@
#!/bin/bash
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
mkdir -p /etc/unbound/unbound.conf.d/
cat >> /etc/unbound/unbound.conf.d/unblockdns.conf <<EOF
stub-zone:
name: "sns"
stub-addr: 100.100.20.10
stub-zone:
name: "100.in-addr.arpa"
stub-addr: 100.100.1.10
forward-zone:
name: "."
forward-addr: 100.64.0.1
EOF
# notes
# apt install build-essential libnghttp2-dev libssl-dev libexpat-dev
# wget https://nlnetlabs.nl/downloads/unbound/unbound-1.17.1.tar.gz
# ./configure --with-libnghttp2
# adduser unbound
# fixdns.sh
# SNSTER="snster -c /root/snster-kaz attach $1 -x"
# $SNSTER "DEBIAN_FRONTEND=noninteractive apt-get install -y nss-tlsd libnss-tls"
# $SNSTER "sed -i -e 's/^hosts:\s*files/hosts:\tfiles tls/' /etc/nsswitch.conf"
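Review bot: `forward-zone: name: "."` to `100.64.0.1` sends every query outside `sns` and `100.in-addr.arpa` to the transit router's dnsmasq, i.e. out through the NAT to the host's real resolvers, so the lab's "open resolver" leaks non-.sns names (and any typo) to the outside world. If containment is the goal, drop the forward-zone and let the `roots:` setting on the resolverns template recurse from the lab root instead. `cat >>` is not idempotent (duplicate `stub-zone` blocks on re-run), and the trailing "notes" block about nss-tls and `snster -c /root/snster-kaz attach` is unrelated to this host and should move to documentation.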

View File

@ -1,46 +0,0 @@
version: 1
header:
name: Root-P AS
comment: A DNS Root server
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.20/24
ipv6: 2001:db8:b000::20/48
eth1:
bridge: root-p-lan
ipv4: 100.100.1.1/24
ipv6: 2001:db8:a001::1/48
templates:
- bgprouter:
asn: 6
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: ns-root-p.sns
rootns:
network:
interfaces:
eth0:
bridge: root-p-lan
ipv4: 100.100.1.10/24
ipv6: 2001:db8:a001::10/48
gatewayv4: 100.100.1.1
gatewayv6: 2001:db8:a001::1
templates:
- rootns:
roots: p,100.100.1.10,2001:db8:a001::10
tlds: sns,100.100.20.10,2001:db8:a020::10
reverse: reverse.zone
- resolv:
domain: ns-root-p.sns
ns: 100.100.100.100

View File

@ -1,5 +0,0 @@
120.100.in-addr.arpa. 172800 IN NS p.120.100.in-addr.arpa.
p.120.100.in-addr.arpa. 172800 IN A 100.120.1.2
p.120.100.in-addr.arpa. 172800 IN AAAA 2001:db8:120:1::2
80.100.in-addr.arpa. 172800 IN NS p.80.100.in-addr.arpa.
p.80.100.in-addr.arpa. 172800 IN A 100.80.0.2
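Review bot: the `80.100.in-addr.arpa.` delegation has only A glue (`100.80.0.2`) while the `120.100` one carries both A and AAAA, and the child zone advertises `ns IN AAAA 2001:db8:80::0:2`; decide whether kaz-prod is dual-stack and make glue, child NS records and main.yml agree (currently none of the three match).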

View File

@ -1,42 +0,0 @@
version: 1
header:
name: TLD SNS AS
comment: The .sns TLD auth NS
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.40/24
ipv6: 2001:db8:b000::40/48
eth1:
bridge: tld-sns-lan
ipv4: 100.100.20.1/24
ipv6: 2001:db8:a020::1/48
templates:
- bgprouter:
asn: 8
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: tld-sns.sns
ns:
network:
interfaces:
eth0:
bridge: tld-sns-lan
ipv4: 100.100.20.10/24
ipv6: 2001:db8:a020::10/48
gatewayv4: 100.100.20.1
gatewayv6: 2001:db8:a020::1
templates:
- resolv:
domain: tld-sns.sns
ns: 100.100.100.100

View File

@ -1,41 +0,0 @@
#!/bin/bash
# .sns registry
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
echo -e "zone:
name: \"sns.\"
zonefile: \"sns.zone\"
" > /etc/nsd/nsd.conf
echo -e "\$TTL 86400
\$ORIGIN sns.
@ 1D IN SOA ns.sns. hostmaster.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.sns.
ns IN A 100.100.20.10 ;name server definition
ns IN AAAA 2001:db8:a020::10
kaz.sns. IN NS ns.kaz.sns.
ns.kaz.sns. IN A 100.80.0.2
isp-a.sns. IN NS ns.isp-a.sns.
ns.isp-a.sns. IN A 100.120.1.2
ns.isp-a.sns. IN AAAA 2001:db8:120:1::2
mica.sns. IN NS ns.mica.sns.
ns.mica.sns. IN A 100.82.0.2
ns.mica.sns. IN AAAA 2001:db8:82::2
" >> /etc/nsd/sns.zone

View File

@ -1,27 +0,0 @@
version: 1
header:
name: Transit-A
comment: Transit-A IXP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: nat-bridge
ipv4: dhcp
eth1:
bridge: transit-a
ipv4: 100.64.0.1/24
ipv6: 2001:db8:b000::1/48
templates:
- bgprouter:
asn: 30
asdev: eth1
neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
- resolv:
ns: 100.100.100.100
domain: transit-a.sns
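Review bot: the neighbor lists include `100.64.0.50 as 13` and `100.64.0.110 as 20` (and their v6 counterparts), which do not correspond to any of the AS files in this diff (ASNs 10, 7, 8, 6, 12); if they belong to isp-a or another AS not shown, fine, otherwise bird keeps those sessions in Connect/Active forever. The AS 12 peer is listed as `100.64.1.140` / `2001:db8:b001::140`, off the `100.64.0.0/24` and `2001:db8:b000::/48` subnets this router's eth1 lives on, so that session cannot establish either; fix the mica address and trim the list to the ASes actually defined.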

View File

@ -1,40 +0,0 @@
#!/bin/sh
# Transit A with alpine
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
apk update
apk add bird iptables
rc-update add bird
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
chmod +x /etc/local.d/iptables.start
rc-update add local
# keep DHCP on eth0
touch /etc/network/keepdhcp
# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start)
# This metric must be lower than the one exported by BGP for the default route (static part below)
mkdir /etc/udhcpc
echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
# customize bird config (BGP)
sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
echo -e "
protocol static {
ipv4;
route 0.0.0.0/0 via 100.64.0.1;
}
" >> /etc/bird.conf
# Add dnsmasq for external dns
apk add dnsmasq
rc-update add dnsmasq
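Review bot: appending `alpine/edge/testing` to `/etc/apk/repositories` on a 3.14 image mixes untested edge packages into a pinned release for everything apk resolves from then on; check whether `bird` is available from the release's own repos first. `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` gives every simulated host unrestricted egress to the real network through the host NAT, which matters because the opendns resolver forwards unknown names to this router; document it or restrict it to what the lab needs. The `ip_forward` sysctl is commented out, so forwarding relies on the bgprouter template having enabled it.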

View File

@ -1,20 +0,0 @@
#!/bin/bash
# Installation de Kaz
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
snster -c /root/snster-kaz start
sleep 10
snster -c /root/snster-kaz attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh
# On crée quelques mails
SETUP_MAIL="docker exec mailServ setup"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto"
echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
chmod +x /etc/rc.local
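Review bot: `sleep 10` after `snster -c /root/snster-kaz start` is a fixed wait rather than a readiness check, so on a slow host the `attach kaz-prod -x .../kaz.sh` can run before the container is up; loop until an `attach kaz-prod -x true` succeeds instead. The four `email add contactN@kaz.sns toto` lines hard-code the password `toto` for mailboxes reachable from the simulated internet; fine for a throwaway lab, but it should be documented. `echo ... >> /etc/rc.local` appends a shebang line, so if rc.local already exists the `#!/bin/sh` lands mid-file (same pattern as in the prod setup).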

View File

@ -1,47 +0,0 @@
#!/bin/bash
# Upgrade de tout sauf kaz-prod
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
set -e
# On met à jour SNSTER
cd /root/snster
git switch main
git pull
./install.sh
# hotfix pour btrfs
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# On récupère le dernier kaz-vagrant
cd /tmp
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
cd /tmp/kaz-vagrant
git switch develop-snster
# On écrase les anciens fichiers
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On détruit et reconstruit tout sauf kaz-prod
SNSTER="snster -c /root/snster-kaz"
$SNSTER destroy isp-a-home
$SNSTER destroy isp-a-infra
$SNSTER destroy isp-a-router
$SNSTER destroy kaz-router
$SNSTER destroy mica-router
$SNSTER destroy mica-infra
$SNSTER destroy opendns-router
$SNSTER destroy opendns-resolver
$SNSTER destroy root-p-router
$SNSTER destroy root-p-rootns
$SNSTER destroy tld-sns-router
$SNSTER destroy tld-sns-ns
$SNSTER destroy transit-a-router
$SNSTER create
$SNSTER start
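Review bot: the `sed -i ... bdevtype='btrfs'` hotfix is not idempotent: the pattern `template=self.template` still matches the already-patched text, so a second run yields `template=self.template, bdevtype='btrfs', bdevtype='btrfs'` and LxcBackend.py fails to import (duplicate keyword argument). Guard it with a `grep -q bdevtype` check, and avoid hard-coding `/usr/local/lib/python3.9/...` by asking python3 for the module path. With `set -e`, any `$SNSTER destroy` of a container that does not exist aborts the script midway and leaves a half-destroyed topology; append `|| true` or destroy only what exists. `cp -ar /etc/letsencrypt` also copies private keys into two snster host directories; intentional here, but the README should say so.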

View File

@ -3,14 +3,14 @@
set -e set -e
# Get HD filename # Get HD filename
FILENAME=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'` FILENAME=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# Split the dir and filename # Split the dir and filename
DIR=`dirname "$FILENAME"` DIR=`dirname "$FILENAME"`
FILE=`basename "$FILENAME"` FILE=`basename "$FILENAME"`
# Get HD UUID # Get HD UUID
UUID=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'` UUID=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# echo -e $DIR # echo -e $DIR
# echo -e $FILE # echo -e $FILE
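Review bot: the VM name is now hard-coded twice (`kaz-dev-amd64` in both `vboxmanage showvminfo` pipelines); put it in one variable at the top so the next rename touches one line. Both pipelines scrape the human-readable `showvminfo` output with `grep SATA | grep UUID | cut ...`, which breaks if the controller is not named SATA or the disk is not first; `showvminfo --machinereadable` with `storagecontrollername0` and `ImageUUID`, as the trim script below already uses, is the stable interface.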

View File

@ -1,16 +0,0 @@
#!/usr/bin/env bash
set -e
# Get HD UUID
HDUUID=`vboxmanage showvminfo kaz-vm --machinereadable | grep ImageUUID | cut -d= -f2 | sed -e "s/\"//g"`
# Get storage controller
STCTRL=`vboxmanage showvminfo kaz-vm --machinereadable | grep storagecontrollername0 | cut -d= -f2 | sed -e "s/\"//g"`
#echo -e $HDUUID
#echo -e $STCTRL
vboxmanage storageattach kaz-vm --medium="$HDUUID" --storagectl="${STCTRL}" --port=0 --discard=on --nonrotational=on
echo "Trim enabled !"