Merge branch 'master' into develop-snster

DETAILS.md

@@ -1,5 +1,7 @@
 # kaz-vagrant
 
+(ATTENTION, NON À JOUR POUR SNSTER)
+
 [Kaz](https://kaz.bzh/) est un CHATONS du Morbihan. Nous proposons ici un moyen de le répliquer dans d'autres lieux. Il y a des éléments de configuration à définir avant d'initialiser ce simulateur.
 
 Le principe est de faire fonctionner un simulateur de notre CHATONS dans une VirtualBox pour mettre au point nos différents services.

README.md

@@ -6,20 +6,33 @@ Le principe est de faire fonctionner un simulateur de notre CHATONS dans une Vir
 
 Nous utilisons :
   * Vagrant pour automatiser la création de la Machine Virtuelle
-  * VirtualBox pour simuler notre serveur
+  * VirtualBox pour une VM isolée
+  * [SNSTER](https://framagit.org/flesueur/snster) pour créer des services internet tiers et notre serveur
+  * LXC pour faire tourner ces services dans des conteneurs distincts (ie, kaz-prod est un conteneur LXC)
   * Docker pour chaque service de notre serveur
 
+À la fin, nous obtenons une maquette d'un petit internet simulé, avec du DNS, des mails tiers, et notre serveur kaz-prod dans un coin.
+
+![topologie](/doc/images/topologie.png)
+
+
 ## Pré-requis
 
 Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git.
 
+UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entreprise par exemple). Pour tester:
+```bash
+# dig @80.67.169.12 www.kaz.bzh
+```
+
 ## Installation
 
-* Télécharger le dépôt kaz-vagrant ou utilisez la commande git :
+* Télécharger le dépôt kaz-vagrant, branche develop-snster, ou utilisez la commande git :
 ```bash
 git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
 git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
 cd kaz-vagrant/
+git switch develop-snster # dans les 2 cas
 ```
 * Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
 ```bash
@@ -32,7 +45,7 @@ vagrant plugin install vagrant-vbguest
 vagrant up
 ```
 
-Cette étape peut-être (très) longue. Il faudra éventuellement répondre "docker0" à la question "Which interface should the network bridge to?"
+Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem FUSE beaucoup plus lent qu'en natif...
 
 
 ## Mise au point
@@ -44,7 +57,7 @@ NOKAZ="true" vagrant up
 
 Dans ce cas, il faudra ensuite lancer dans la VM :
 ```bash
-/kaz/bin/install.sh
+KAZGUARD="true" /root/vm-install-kaz.sh
 ```
 
 Pour détruire la VM et recommencer :
@@ -59,16 +72,36 @@ Les utilisateurs créés sont
   * debian/debian
   * root/root.
 
-Si vous avec laissé la création des dockers, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long).
+Si vous avec laissé la création de Kaz, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long).
 
-Lors du démarrage de la VM, il faut lancer les conteneurs dans la VM :
+Lors du démarrage de la VM, il faut lancer SNSTER et éventuellement les conteneurs :
 ```bash
-/kaz/bin/container.sh start
+cd /root/snster-kaz
+snster start
 ```
 
-Vous pouvez alors démarrer le client de messagerie clawsmail dans lequel 4 comptes ont été paramétrés (contact1@kaz.local, contact2@kaz.local, contact3@kaz.local, contact4@kaz.local) tous avec le mot de passe 'toto'
+Normalement, kaz-prod lance automatiquement les dockers (dans son rc.local), mais si ça ne marche pas bien il peut falloir les relancer (que se passe-t-il si on relance container.sh pendant que container.sh n'est pas encore fini ? faut-il l'enlever du rc.local ? Le lancement initial peut rater, probablement si le DNS n'est pas encore fonctionnel lors du lancement, à mettre au point et peut-être enlever du rc.local ?)
+```bash
+snster attach kaz-prod -x /kaz/bin/container.sh start
+```
 
-Il y a un aperçu de l'état des services avec l'url https://kaz.local/status/allServices.html
+Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/root/snster-kaz`) :
+* Afficher un bureau graphique sur une machine tierce à Kaz : `snster display isp-a-home`. Sur cette machine, vous pouvez :
+  * Ouvrir Firefox et naviguer vers :
+    * `https://www.kaz.sns`, le Kaz interne à la VM
+    * `https://listes.kaz.sns`, le sympa interne à la VM
+    * `https://www.kaz.bzh`, le vrai Kaz
+  * Ouvrir claws-mail et retrouver les comptes mails configurés :
+    * `contact1@kaz.sns` à `contact4@kaz.sns`, hébergés sur le kaz-prod de la VM
+    * `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra
+* Travailler sur kaz-prod : `snster attach kaz-prod`
+* Afficher un plan de réseau : `snster print`
+* Le système de fichiers de kaz-prod est accessible directement dans la VM:
+  * `/kaz-prod/` [VM] correspond à `/` [kaz-prod]
+  * `/kaz` [VM] correspond à `/kaz` [kaz-prod]
+* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori.
+
+Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html
 
 ![status](/doc/images/allServices.jpg)
 
@@ -76,13 +109,13 @@ Les erreurs 502 correspondent à des fonctions en cours de développement. Les m
 
 
 Vous pouvez également démarrer firefox avec les URL suivantes:
-  * https://www.kaz.local
-  * https://tableur.kaz.local
-  * https://pad.kaz.local
-  * https://depot.kaz.local
-  * https://agora.kaz.local/login (compte contact1@kaz.local créé, mot de passe toto)
-  * https://cloud.kaz.local/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
-  * https://sondage.kaz.local
+  * https://www.kaz.sns
+  * https://tableur.kaz.sns
+  * https://pad.kaz.sns
+  * https://depot.kaz.sns
+  * https://agora.kaz.sns/login (compte contact1@kaz.local créé, mot de passe toto)
+  * https://cloud.kaz.sns/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
+  * https://sondage.kaz.sns
 
 Il vous faudra accepter les alertes de sécurité pour certificat absent (web et messagerie)
 

Vagrantfile.dist

@@ -26,6 +26,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.box = "debian/bullseye64"
+  config.vm.hostname = 'kaz-vm'
   config.disksize.size = '32GB'
 
   # Disable automatic box update checking. If you disable this, then
@@ -66,7 +67,7 @@ Vagrant.configure("2") do |config|
   #   # Customize the amount of memory on the VM:
     vb.memory = "4096"
     vb.cpus="2"
-    vb.name = "kaz-dev-amd64"
+    vb.name = "kaz-vm"
     vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24']
     vb.gui = true
 
@@ -85,9 +86,10 @@ Vagrant.configure("2") do |config|
 
   #permet d'avoir un répertoire partagé entre la VM et le host
   config.vm.synced_folder "/tmp/", "/tmp_host"
-	
+  config.vm.synced_folder "files/", "/root/kaz-vagrant"
+
  config.vm.provision "shell" do |s|
-    s.inline = "/vagrant/files/provision.sh"
+    s.inline = "/vagrant/files/vm-provision.sh"
     s.env   = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
   end
 end

files/kaz.sh

@@ -1,78 +0,0 @@
-#!/bin/bash
-if [ -z "${KAZGUARD}" ] ; then
-    exit 1
-fi
-
-DIR=$(cd "$(dirname $0)"; pwd)
-cd "${DIR}"
-set -e
-export VAGRANT_SRC_DIR=/vagrant/files
-
-mkdir -p "${VAGRANT_SRC_DIR}/log/"
-export DebugLog="${VAGRANT_SRC_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
-(
-    echo "########## ********** Start kaz.sh $(date +%D-%T)"
-    #pour la résolution de noms dans /etc/hosts
-    SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
-
-    docker-clean -a
-    rm -rf /kaz
-
-    if [ -z "${KAZBRANCH}" ] ; then
-	     KAZBRANCH="master"
-    fi
-    echo -e "\n    #### git checkout ${KAZBRANCH}\n"
-
-
-    # copie des sources
-    cd /
-    [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
-    (cd /kaz ; git checkout "${KAZBRANCH}" )
-    find /kaz -name \*.sh -exec chmod a+x {} \;
-
-    # pour ceux qui disposent d'un cache apt local et pas la fibre
-    if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
-	rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
-    fi
-    if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
-	rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
-	rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
-    fi
-    if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
-	mkdir -p /root/.docker
-	rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
-    fi
-
-
-
-    echo -e "\n    #### rsync download\n"
-    [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
-	rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
-    [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
-	rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
-    [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
-	[ ! -f "/kaz/config/dockers.env" ] &&
-	rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
-    for type in mail orga proxy withMail withoutMail ; do
-	[ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
-	    [ ! -f "/kaz/config/config/container-${type}.list" ] &&
-	    rsync -a  "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
-    done
-
-    echo -e "\n    #### secretGen\n"
-    /kaz/bin/secretGen.sh
-
-    #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
-    if [ "${NOKAZ}" == "true" ]; then
-	echo "on ne lance pas install.sh"
-    else
-	echo "on lance install.sh"
-	/kaz/bin/install.sh
-    fi
-
-    # clear apt cache
-    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
-    DEBIAN_FRONTEND=noninteractive apt-get clean
-
-    echo "########## ********** End kaz.sh $(date +%D-%T)"
-)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

files/snster-kaz/isp-a/group.yml

@@ -0,0 +1,62 @@
+version: 1
+
+header:
+  name: ISP-A AS
+  comment: An ISP
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.110/24
+          ipv6: 2001:db8:b000::110/48
+        eth1:
+          bridge: isp-a-cust
+          ipv4: 100.120.0.1/24
+        eth2:
+          bridge: isp-a-infra
+          ipv4: 100.120.1.1/24
+          ipv6: 2001:db8:120:1::1/64
+    templates:
+      - bgprouter:
+          asn: 20
+          asdev: eth1;eth2
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: isp-a.sns
+
+  infra:
+    network:
+      interfaces:
+        eth0:
+          bridge: isp-a-infra
+          ipv4: 100.120.1.2/24
+          ipv6: 2001:db8:120:1::2/64
+      gatewayv4: 100.120.1.1
+      gatewayv6: 2001:db8:120:1::1
+    templates:
+      - mailserver:
+          domain: isp-a.sns
+      - resolverns:
+          roots: p,100.100.1.10,2001:db8:a001::10
+      - resolv:
+          domain: isp-a.sns
+          ns: 100.100.100.100
+
+  home:
+    network:
+      interfaces:
+        eth0:
+          bridge: isp-a-cust
+          ipv4: 100.120.0.3/24
+      gatewayv4: 100.120.0.1
+    templates:
+      - updatecaroots:
+      - resolv:
+          domain: isp-a.sns
+          ns: 100.100.100.100

files/snster-kaz/isp-a/home/clawsmail/addclawsuser.sh

@@ -9,8 +9,9 @@ cd `dirname $0`
 
 name=$1
 domainname=$2
-password=$3
-number=$4
+login=$3
+password=$4
+number=$5
 
 # cp -ar claws-mail ~/.claws-mail
 
@@ -22,6 +23,7 @@ cat claws-mail/accountrc > /tmp/accountrc
 sed -i -e "s/\$name/$name/" /tmp/accountrc
 sed -i -e "s/\$domainname/$domainname/" /tmp/accountrc
 sed -i -e "s/\$number/$number/" /tmp/accountrc
+sed -i -e "s/\$login/$login/" /tmp/accountrc
 cat /tmp/accountrc >> ~/.claws-mail/accountrc
 
 if [ ! -f ~/.claws-mail/folderlist.xml ]; then
@@ -32,6 +34,7 @@ cat claws-mail/folderlist.xml > /tmp/folderlist.xml
 sed -i -e "s/\$name/$name/" /tmp/folderlist.xml
 sed -i -e "s/\$domainname/$domainname/" /tmp/folderlist.xml
 sed -i -e "s/\$number/$number/" /tmp/folderlist.xml
+sed -i -e "s/\$login/$login/" /tmp/folderlist.xml
 sed -i -e "s/<\/folderlist>//" ~/.claws-mail/folderlist.xml
 cat /tmp/folderlist.xml >> ~/.claws-mail/folderlist.xml
 echo "</folderlist>" >> ~/.claws-mail/folderlist.xml

files/snster-kaz/isp-a/home/clawsmail/claws-mail/accountrc

@@ -1,7 +1,7 @@
 [Account: $number]
 domain=kaz.local
 name=$name@$domainname
-account_name=IMAP
+account_name=$name@$domainname
 is_default=1
 address=$name@$domainname
 organization=
@@ -15,7 +15,7 @@ use_mail_command=0
 mail_command=/usr/sbin/sendmail -t -i
 use_nntp_auth=0
 use_nntp_auth_onconnect=0
-user_id=$name@$domainname
+user_id=$login
 use_apop_auth=0
 remove_mail=1
 message_leave_time=7
@@ -36,7 +36,7 @@ generate_msgid=1
 generate_xmailer=1
 add_custom_header=0
 msgid_with_addr=0
-use_smtp_auth=0
+use_smtp_auth=1
 smtp_auth_method=0
 smtp_user_id=
 pop_before_smtp=0
@@ -76,7 +76,7 @@ ssl_pop=0
 ssl_imap=0
 ssl_nntp=0
 ssl_smtp=0
-ssl_certs_auto_accept=0
+ssl_certs_auto_accept=1
 use_nonblocking_ssl=1
 in_ssl_client_cert_file=
 out_ssl_client_cert_file=

files/snster-kaz/isp-a/home/clawsmail/claws-mail/clawsrc

@@ -366,7 +366,7 @@ hover_timeout=500
 cache_max_mem_usage=4096
 cache_min_keep_time=15
 thread_by_subject_max_age=10
-last_opened_folder=#imap/hacker@isp-a.milxc/Trash
+last_opened_folder=#imap/email@isp-a.sns/Trash
 goto_last_folder_on_startup=0
 summary_quicksearch_sticky=1
 summary_quicksearch_dynamic=0

files/snster-kaz/isp-a/home/provision.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# ISP-A infra
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# les scripts de créations de BAL pour clawsmail
+cp -ar "clawsmail" /
+chmod +x /clawsmail/addclawsuser.sh
+chmod +x /clawsmail/genpasswd
+
+#client pour tester la messagerie
+DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
+
+# On configure les comptes mail
+if [ -f /clawsmail/addclawsuser.sh ]; then
+    su debian /clawsmail/addclawsuser.sh contact1 kaz.sns contact1@kaz.sns toto 1
+    su debian /clawsmail/addclawsuser.sh contact2 kaz.sns contact2@kaz.sns toto 2
+    su debian /clawsmail/addclawsuser.sh contact3 kaz.sns contact3@kaz.sns toto 3
+    su debian /clawsmail/addclawsuser.sh contact4 kaz.sns contact4@kaz.sns toto 4
+    su debian /clawsmail/addclawsuser.sh email isp-a.sns email email 5
+fi
+
+# On place les certifs
+if  [ -d letsencrypt ]; then
+  cp -ar letsencrypt /etc/
+  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
+  /usr/sbin/update-ca-certificates --fresh
+fi
+
+# Add to Firefox store
+echo -e '{
+ "policies": {
+   "Certificates": {
+      "ImportEnterpriseRoots": true,
+      "Install": ["/etc/ssl/certs/root.pem"]
+   }
+ }
+}' > /usr/lib/firefox-esr/distribution/policies.json

files/snster-kaz/isp-a/infra/dns.conf

@@ -0,0 +1,15 @@
+server:
+  interface: 0.0.0.0
+  access-control: 100.64.0.0/10 allow
+
+  local-zone: "isp-a.sns." static
+  local-data: "smtp.isp-a.sns. IN A 100.120.1.2"
+  local-data: "mail.isp-a.sns. IN A 100.120.1.2"
+  local-data: "ns.isp-a.sns. IN A 100.120.1.2"
+  local-data: "isp-a.sns. IN MX 10 smtp.isp-a.sns."
+
+  local-zone: "120.100.in-addr.arpa." static
+  local-data: "2.1.120.100.in-addr.arpa. IN PTR smtp.isp-a.sns"
+  local-data: "2.0.120.100.in-addr.arpa. IN PTR home.isp-a.sns"
+  local-data: "1.1.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
+  local-data: "1.0.120.100.in-addr.arpa. IN PTR router.isp-a.sns"

files/snster-kaz/isp-a/infra/provision.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# ISP-A infra
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# Email's mail account email@isp-a.sns
+useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
+addgroup email mail
+#mkdir /home/hacker/mail
+#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage isp-a.sns zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/

files/snster-kaz/kaz/group.yml

@@ -0,0 +1,48 @@
+version: 1
+
+header:
+  name: Target AS
+  comment: AS of the Target organization
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.10/24
+          ipv6: 2001:db8:b000::10/48
+        eth1:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.1/24
+        eth2:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.1/24
+    templates:
+      - bgprouter:
+          asn: 10
+          asdev: eth1;eth2
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: kaz.sns
+
+  prod:
+    network:
+      interfaces:
+        eth0:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.2/24
+        eth1:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.2/24
+      gatewayv4: 100.80.0.1
+    templates:
+      - updatecaroots:
+      - authns:
+          zonefiles: kaz.sns.zone;80.100.in-addr.arpa.zone
+      - resolv:
+          domain: kaz.sns
+          ns: 100.100.100.100

files/snster-kaz/kaz/prod/80.100.in-addr.arpa.zone

@@ -0,0 +1,16 @@
+$TTL	86400
+$ORIGIN 80.100.in-addr.arpa.
+@  1D  IN  SOA ns.kaz.sns. hostmaster.kaz.sns. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.kaz.sns.
+ns    IN  A      100.80.0.2
+ns		IN	AAAA		2001:db8:80::0:2
+2.0		IN	PTR 		smtp.kaz.sns.
+1.0		IN	PTR			router.kaz.sns.
+1.1		IN	PTR			router.kaz.sns.
+2.1		IN	PTR			listes.kaz.sns.

files/snster-kaz/kaz/prod/kaz.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+    exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+    echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+    docker-clean -a
+    rm -rf /kaz
+
+    if [ -z "${KAZBRANCH}" ] ; then
+	     KAZBRANCH="master"
+    fi
+    echo -e "\n    #### git checkout ${KAZBRANCH}\n"
+
+
+    # copie des sources
+    cd /
+    [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
+    (cd /kaz ; git checkout "${KAZBRANCH}" )
+    find /kaz -name \*.sh -exec chmod a+x {} \;
+
+    # pour ceux qui disposent d'un cache apt local et pas la fibre
+    if [ -f "${DIR}/.apt-mirror-config" ]; then
+	rsync -a "${DIR}/.apt-mirror-config" /kaz/
+    fi
+    if [ -f "${DIR}/.proxy-config" ]; then
+	rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
+	rsync -a "${DIR}/.proxy-config" /kaz/
+    fi
+    if [ -f "${DIR}/.docker-config.json" ]; then
+	mkdir -p /root/.docker
+	rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
+    fi
+
+
+
+    echo -e "\n    #### rsync download\n"
+    [ -d "${DIR}/kaz/download" ] &&
+	rsync -a "${DIR}/kaz/download/" /kaz/download/
+    [ -d "${DIR}/kaz/git" ] &&
+	rsync -a "${DIR}/kaz/git/" /kaz/git/
+    [ -f "${DIR}/kaz/config/dockers.env" ] &&
+	[ ! -f "/kaz/config/dockers.env" ] &&
+	rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
+    for type in mail orga proxy withMail withoutMail ; do
+	[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
+	    [ ! -f "/kaz/config/config/container-${type}.list" ] &&
+	    rsync -a  "${DIR}/kaz/config/container-${type}.list" /kaz/config/
+    done
+
+    echo -e "\n    #### secretGen\n"
+    /kaz/bin/secretGen.sh
+
+	  /kaz/bin/install.sh
+
+    # clear apt cache
+    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+    DEBIAN_FRONTEND=noninteractive apt-get clean
+
+    echo "########## ********** End kaz.sh $(date +%D-%T)"
+)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

files/snster-kaz/kaz/prod/kaz.sns.zone

@@ -0,0 +1,33 @@
+$TTL	86400
+$ORIGIN kaz.sns.
+@  1D  IN  SOA ns.kaz.sns. hostmaster.kaz.sns. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.kaz.sns.
+       IN  MX  10 smtp.kaz.sns.
+			 IN	A	100.80.0.2
+ns    IN  A      100.80.0.2
+dmz   IN A 100.80.0.2
+smtp  IN CNAME 	dmz
+imap  IN CNAME 	dmz
+www   IN CNAME 	dmz
+mail	IN	CNAME	dmz
+cloud	IN	CNAME	dmz
+tableur	IN	CNAME	dmz
+webmail	IN	CNAME	dmz
+garradin	IN	CNAME	dmz
+wiki	IN	CNAME	dmz
+git	IN	CNAME	dmz
+office	IN	CNAME	dmz
+depot	IN	CNAME	dmz
+ldap	IN	CNAME	dmz
+listes	IN	MX	10	listes
+listes	IN	A	100.80.1.2
+firewall   IN A 100.80.0.1
+firewall	IN	AAAA	2001:db8:80::0:1
+router		IN	A	100.80.0.1
+router		IN	AAAA	2001:db8:80::0:1

files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list

@@ -3,7 +3,7 @@ jirafeau
 ethercalc
 collabora
 ethercalc
-etherpad
+#etherpad
 ldap
 quotas
 web

files/snster-kaz/kaz/prod/kaz/config/dockers.env

@@ -9,12 +9,12 @@ mode=local
 ########################################
 # choix du domaine
 # prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
-domain=kaz.local
+domain=kaz.sns
 
 ########################################
 # choix du domaine des mails sympa
 # prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
-domain_sympa=kaz.local
+domain_sympa=listes.kaz.sns
 
 ########################################
 # choix d'un serveur partiel
@@ -29,10 +29,10 @@ site=
 httpProto=https
 
 # prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
-MAIN_IP=127.0.0.1
+MAIN_IP=100.80.0.2
 
 # prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
-SYMPA_IP=127.0.0.2
+SYMPA_IP=100.80.1.2
 
 ########################################
 # noms des services
@@ -98,7 +98,7 @@ sympaDBName=sympaDB
 vigiloDBName=vigiloDB
 wordpressDBName=wpDB
 
-ldapIUName=ldapIU
+ldapUIName=ldapUI
 
 ########################################
 # politique de redémarrage
@@ -112,7 +112,7 @@ restartPolicy=no
 
 jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
 
-ldapRoot=dc=kaz,dc=local
+ldap_root=dc=kaz,dc=sns
 
 ########################################
 # services activés par container.sh

files/snster-kaz/kaz/prod/provision.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+DEBIAN_FRONTEND=noninteractive apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs 
+usermod -G docker debian
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le GUARD pour la mise au point
+echo "export SNSTERGUARD='true'" >> /root/.bashrc
+
+# On active fuse-overlayfs pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "btrfs" }
+EOF
+service docker restart
+
+#mknod -m 666 /dev/fuse c 10 229
+#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
+#chmod +x /etc/rc.local
+
+# lxc.cgroup2.devices.allow = b 7:* rwm
+# lxc.cgroup2.devices.allow = c 10:237 rwm
+#
+# mknod -m 666 /dev/loop0 b 7 0
+# mknod -m 666 /dev/loop-control c 10 237
+# truncate -s 30G /root/varlibdocker.img
+# mkfs.btrfs /root/varlibdocker.img
+# losetup -f /root/varlibdocker.img
+# mount /dev/loop0 /var/lib/docker
+
+# On place les certifs
+if  [ -d letsencrypt ]; then
+  cp -ar letsencrypt /etc/
+  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+  /usr/sbin/update-ca-certificates --fresh
+fi
+
+# ./kaz.sh
+
+# On démarre au boot
+echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
+chmod +x /etc/rc.local
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean

files/snster-kaz/main.yml

@@ -0,0 +1,34 @@
+version: 1
+
+header:
+  name: KAZ
+  comment: KAZ development environment
+
+config:
+  prefix: kaz
+  nat-bridge: lxcbr0
+  default-master: bullseye
+
+masters:
+  bullseye:
+    backend: lxc
+    template: debian
+    parameters:
+      release: bullseye
+      arch: amd64
+    family: debian
+
+  alpine:
+    backend: lxc
+    template: download
+    parameters:
+      dist: alpine
+      release: 3.14
+      arch: amd64
+      no-validate: true
+    family: alpine
+
+disabled-groups:
+  - _global
+  - _templates
+  - _masters

files/snster-kaz/mica/group.yml

@@ -0,0 +1,42 @@
+version: 1
+
+header:
+  name: MICA AS
+  comment: An ACME Certification Authority
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.1.140/24
+          ipv6: 2001:db8:b001::140/48
+        eth1:
+          bridge: mica-lan
+          ipv4: 100.82.0.1/16
+          ipv6: 2001:db8:82::1/48
+    templates:
+      - bgprouter:
+          asn: 12
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: mica.sns
+
+  infra:
+    network:
+      interfaces:
+        eth0:
+          bridge: mica-lan
+          ipv4: 100.82.0.2/16
+          ipv6: 2001:db8:82::2/48
+      gatewayv4: 100.82.0.1
+      gatewayv6: 2001:db8:82::1
+    templates:
+      - resolv:
+          domain: mica.sns
+          ns: 100.100.100.100

files/snster-kaz/mica/infra/dns.conf

@@ -0,0 +1,8 @@
+server:
+  interface: 0.0.0.0
+  access-control: 100.64.0.0/10 allow
+
+	local-zone: "mica.sns." static
+	local-data: "ns.mica.sns. IN A 100.82.0.2"
+  local-data: "www.mica.sns. IN A 100.82.0.2"
+  local-data: "ca.mica.sns. IN A 100.82.0.2"

files/snster-kaz/mica/infra/provision.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# MICA infra
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+# manage mica.sns zone
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
+cp dns.conf /etc/unbound/unbound.conf.d/
+
+
+# Install smallstep CA / ACME server
+cd /tmp
+wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
+dpkg -i step-cli_0.17.2_amd64.deb
+wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
+dpkg -i step-ca_0.17.2_amd64.deb
+
+# step ca init
+# step ca root root.crt
+# step ca provisioner add acme --type ACME
+# certbot certonly -n --standalone -d www.target.sns   --server https://www.mica.sns/acme/acme/directory --agree-tos --email "fr@fr.fr"

files/snster-kaz/opendns/group.yml

@@ -0,0 +1,44 @@
+version: 1
+
+header:
+  name: open DNS service AS
+  comment: an open DNS resolver
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.30/24
+          ipv6: 2001:db8:b000::30/48
+        eth2:
+          bridge: opendns-lan
+          ipv4: 100.100.100.1/24
+          ipv6: 2001:db8:a100::1/48
+    templates:
+      - bgprouter:
+          asn: 7
+          asdev: eth2
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: opendns.sns
+
+  resolver:
+    network:
+      interfaces:
+        eth0:
+          bridge: opendns-lan
+          ipv4: 100.100.100.100/24
+          ipv6: 2001:db8:a100::100/48
+      gatewayv4: 100.100.100.1
+      gatewayv6: 2001:db8:a100::1
+    templates:
+      - resolverns:
+          roots: p,100.100.1.10,2001:db8:a001::10
+      - resolv:
+          domain: opendns.sns
+          ns: 100.100.100.100

files/snster-kaz/opendns/resolver/provision.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+mkdir -p /etc/unbound/unbound.conf.d/
+
+cat >> /etc/unbound/unbound.conf.d/unblockdns.conf <<EOF
+stub-zone:
+  name: "sns"
+  stub-addr: 100.100.20.10
+
+stub-zone:
+  name: "100.in-addr.arpa"
+  stub-addr: 100.100.1.10
+
+forward-zone:
+  name: "."
+  forward-addr: 100.64.0.1
+EOF
+
+# notes
+# apt install build-essential libnghttp2-dev libssl-dev libexpat-dev
+# wget https://nlnetlabs.nl/downloads/unbound/unbound-1.17.1.tar.gz
+# ./configure --with-libnghttp2
+# adduser unbound
+
+# fixdns.sh
+# SNSTER="snster -c /root/snster-kaz attach $1 -x"
+# $SNSTER "DEBIAN_FRONTEND=noninteractive apt-get install -y  nss-tlsd libnss-tls"
+# $SNSTER "sed -i -e 's/^hosts:\s*files/hosts:\tfiles tls/' /etc/nsswitch.conf"

files/snster-kaz/root-p/group.yml

@@ -0,0 +1,46 @@
+version: 1
+
+header:
+  name: Root-P AS
+  comment: A DNS Root server
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.20/24
+          ipv6: 2001:db8:b000::20/48
+        eth1:
+          bridge: root-p-lan
+          ipv4: 100.100.1.1/24
+          ipv6: 2001:db8:a001::1/48
+    templates:
+      - bgprouter:
+          asn: 6
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: ns-root-p.sns
+
+  rootns:
+    network:
+      interfaces:
+        eth0:
+          bridge: root-p-lan
+          ipv4: 100.100.1.10/24
+          ipv6: 2001:db8:a001::10/48
+      gatewayv4: 100.100.1.1
+      gatewayv6: 2001:db8:a001::1
+    templates:
+      - rootns:
+          roots: p,100.100.1.10,2001:db8:a001::10
+          tlds: sns,100.100.20.10,2001:db8:a020::10
+          reverse: reverse.zone
+      - resolv:
+          domain: ns-root-p.sns
+          ns: 100.100.100.100

files/snster-kaz/root-p/rootns/reverse.zone

@@ -0,0 +1,5 @@
+120.100.in-addr.arpa.		172800	IN	NS	p.120.100.in-addr.arpa.
+p.120.100.in-addr.arpa.              172800  IN      A       100.120.1.2
+p.120.100.in-addr.arpa.              172800  IN      AAAA     2001:db8:120:1::2
+80.100.in-addr.arpa.		172800	IN	NS	p.80.100.in-addr.arpa.
+p.80.100.in-addr.arpa.              172800  IN      A       100.80.0.2

files/snster-kaz/tld-sns/group.yml

@@ -0,0 +1,42 @@
+version: 1
+
+header:
+  name: TLD SNS AS
+  comment: The .sns TLD auth NS
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.40/24
+          ipv6: 2001:db8:b000::40/48
+        eth1:
+          bridge: tld-sns-lan
+          ipv4: 100.100.20.1/24
+          ipv6: 2001:db8:a020::1/48
+    templates:
+      - bgprouter:
+          asn: 8
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: tld-sns.sns
+
+  ns:
+    network:
+      interfaces:
+        eth0:
+          bridge: tld-sns-lan
+          ipv4: 100.100.20.10/24
+          ipv6: 2001:db8:a020::10/48
+      gatewayv4: 100.100.20.1
+      gatewayv6: 2001:db8:a020::1
+    templates:
+      - resolv:
+          domain: tld-sns.sns
+          ns: 100.100.100.100

files/snster-kaz/tld-sns/ns/provision.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# .sns registry
+
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
+
+echo -e "zone:
+	name: \"sns.\"
+	zonefile: \"sns.zone\"
+" > /etc/nsd/nsd.conf
+
+echo -e "\$TTL	86400
+\$ORIGIN sns.
+@  1D  IN  SOA ns.sns. hostmaster.sns. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.sns.
+ns    IN  A      100.100.20.10  ;name server definition
+ns	IN	AAAA	2001:db8:a020::10
+kaz.sns.		IN	NS	ns.kaz.sns.
+ns.kaz.sns.	IN	A 100.80.0.2
+isp-a.sns.	IN	NS	ns.isp-a.sns.
+ns.isp-a.sns.	IN	A 100.120.1.2
+ns.isp-a.sns.	IN	AAAA 2001:db8:120:1::2
+mica.sns.	IN	NS	ns.mica.sns.
+ns.mica.sns.	IN	A 100.82.0.2
+ns.mica.sns.	IN	AAAA 2001:db8:82::2
+" >> /etc/nsd/sns.zone

files/snster-kaz/transit-a/group.yml

@@ -0,0 +1,27 @@
+version: 1
+
+header:
+  name: Transit-A
+  comment: Transit-A IXP
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: nat-bridge
+          ipv4: dhcp
+        eth1:
+          bridge: transit-a
+          ipv4: 100.64.0.1/24
+          ipv6: 2001:db8:b000::1/48
+    templates:
+      - bgprouter:
+          asn: 30
+          asdev: eth1
+          neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
+          neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
+      - resolv:
+          ns: 100.100.100.100
+          domain: transit-a.sns

files/snster-kaz/transit-a/router/provision.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+# Transit A with alpine
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+apk update
+apk add bird iptables
+rc-update add bird
+
+# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
+chmod +x /etc/local.d/iptables.start
+rc-update add local
+
+# keep DHCP on eth0
+touch /etc/network/keepdhcp
+
+# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive  stop/start)
+# This metric must be lower than the one exported by BGP for the default route (static part below)
+mkdir /etc/udhcpc
+echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
+
+
+# customize bird config (BGP)
+sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
+# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
+echo -e "
+protocol static {
+	ipv4;
+	route 0.0.0.0/0 via 100.64.0.1;
+}
+" >> /etc/bird.conf
+
+
+# Add dnsmasq for external dns
+apk add dnsmasq
+rc-update add dnsmasq

files/vm-install-kaz.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# Installation de Kaz
+
+if [ -z "${KAZGUARD}" ] ; then
+    exit 1
+fi
+
+snster -c /root/snster-kaz start
+sleep 10
+snster -c /root/snster-kaz attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh
+
+# On crée quelques mails
+SETUP_MAIL="docker exec mailServ setup"
+snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto"
+snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto"
+snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto"
+snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto"
+
+echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
+chmod +x /etc/rc.local

files/vm-provision.sh

@@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
     # Copie de qques fichiers
     cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
 
-    # Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
     sysctl -w net.ipv4.ip_forward=1
-    DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
 
     # MAJ et install
     sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
@@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
     DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
     DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
     DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
-    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
+    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends
     DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
 
     ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
 
 
     # enable bash autocompletion
-    if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
 	cat >> /etc/bash.bashrc <<EOF
 # enable bash completion in interactive shells
 if ! shopt -oq posix; then
@@ -121,7 +118,6 @@ if ! shopt -oq posix; then
   fi
 fi
 EOF
-    fi
 
     # XFCE4 panel: use default config
     # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
@@ -150,65 +146,6 @@ SystemMaxFileSize=2M
 EOF
     fi
 
-    # KAZ specific things
-    #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
-
-    DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
-    usermod -G docker debian
-    # activation dans alias dans /root/.bashrc
-    sed -i \
-	-e 's/^\# alias/alias/g' \
-	-e 's/^\# export/export/g' \
-	-e 's/^\# eval/eval/g' \
-	/root/.bashrc
-
-    if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
-	cat >> /root/.bashrc <<EOF
-
-# enable bash completion in interactive shells
-if ! shopt -oq posix; then
-  if [ -f /usr/share/bash-completion/bash_completion ]; then
-    . /usr/share/bash-completion/bash_completion
-  elif [ -f /etc/bash_completion ]; then
-    . /etc/bash_completion
-  fi
-fi
-
-for file in /kaz/bin/.*-completion.bash ; do
-    source "\${file}"
-done
-EOF
-    fi
-
-  #   # Localisation du $LANG, en par défaut, timezone Paris
-  #   if [ -z "${KAZBRANCH}" ] ; then
-	#      KAZBRANCH="develop-vm"
-  #   fi
-  #   echo -e "\n    #### git checkout ${KAZBRANCH}\n"
-  #
-  #   # copie des sources
-  #   cd /
-  #   [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
-  #   (cd /kaz ; git checkout "${KAZBRANCH}" )
-  #   find /kaz -name \*.sh -exec chmod a+x {} \;
-  #
-  #   # pour ceux qui disposent d'un cache apt local et pas la fibre
-  #   if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
-	# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
-  #   fi
-  #   if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
-	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
-	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
-  #   fi
-  #   if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
-	# mkdir -p /root/.docker
-	# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
-  #   fi
-
-    # Ajout d'un serveur DNS sur la VM
-    #*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
-    DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
-
     #***********DEBUT CERTIF*******************
     #*****************ATTENTION:  MARCHE PAS (il faut accepter toutes les exceptions de sécurité
 
@@ -225,91 +162,76 @@ EOF
 	export CAROOT=/etc/letsencrypt/local/
 	/root/mkcert/mkcert -install      # CA dans /etc/letsencrypt/local/
 	cd "${CAROOT}"
-	/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
+	/root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/
 
-	mkdir -p /etc/letsencrypt/live/kaz.local/
-	ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
-	ln -s ../../local/_wildcard.kaz.local-key.pem /etc/letsencrypt/live/kaz.local/privkey.pem
+	mkdir -p /etc/letsencrypt/live/kaz.sns/
+	ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
+	ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem
     fi
 
-    # Essai pour faire accepter la CA à FFOX dès le début
-    # Add to Firefox store
-    if  [ ! -f /usr/lib/firefox-esr/distribution/policies.json ]; then
-	cat > /usr/lib/firefox-esr/distribution/policies.json << EOF
-{
- "policies": {
-   "Certificates": {
-      "ImportEnterpriseRoots": true,
-      "Install": ["/etc/letsencrypt/local/rootCA.pem"]
-   }
- }
-}
-EOF
-    fi
 
     #***********FIN CERTIF*******************
 
-    #ajout des services dans le host
-    echo -e "\n    #### update /etc/hosts\n"
-    if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
-	echo "127.0.0.1	kaz.local" >>/etc/hosts
-    fi
-    if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
-	echo "127.0.0.2	listes.kaz.local" >>/etc/hosts
-    fi
-    for SERVICE in ${SERVICES_LIST}; do
-	if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
-	    sed -i /etc/hosts \
-		-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
-	fi
-    done
-
-    echo -e "\n    #### clawsmail\n"
-    # les scripts de créations de BAL pour clawsmail
-    cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
-    cd /clawsmail
-    chmod +x addclawsuser.sh
-    chmod +x genpasswd
-
-    #client pour tester la messagerie
-    DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
-
-    # On met le KAZGUARD pour la mise au point
-    echo "export KAZGUARD='true'" >> /root/.bashrc
-
-
-  #   echo -e "\n    #### rsync download\n"
-  #   [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
-  #   [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
-  #   [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
-	# [ ! -f "/kaz/config/dockers.env" ] &&
-	# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
-  #   for type in mail orga proxy withMail withoutMail ; do
-	# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
-	#     [ ! -f "/kaz/config/config/container-${type}.list" ] &&
-	#     rsync -a  "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
-  #   done
-  #
-  #   echo -e "\n    #### secretGen\n"
-  #   /kaz/bin/secretGen.sh
-  #
-  #   #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
-  #   if [ "${NOKAZ}" == "true" ]; then
-	# echo "on ne lance pas install.sh"
-  #   else
-	# echo "on lance install.sh"
-	# /kaz/bin/install.sh
-  #   fi
-
-    ${VAGRANT_SRC_DIR}/kaz.sh
-
     # clear apt cache
     DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
     DEBIAN_FRONTEND=noninteractive apt-get clean
 
+    # SNSTER
+    cd
+    git clone https://framagit.org/flesueur/snster.git
+    cd snster
+    # git checkout tags/v1.1.0
+    git checkout fe59ef1f
+    ./install.sh
+
+    # BTRFS avec hotfix sale de SNSTER
+    freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
+    btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
+    truncate -s ${btrsize}k /root/btrfs.img
+    mkfs.btrfs -f /root/btrfs.img
+    echo "/root/btrfs.img	/var/lib/lxc	btrfs	loop	0	0" >> /etc/fstab
+    mount /var/lib/lxc
+    #losetup -f /root/btrfs.img
+    #mount /dev/loop0 /var/lib/lxc
+    sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
+
+    # SNSTER KAZ
+    # cp -ar ${VAGRANT_SRC_DIR}/templates /root
+    cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
+
+    # crypto keys
+    cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
+    cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
+
+    # On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
+#    mkdir /kaz-prod /kaz
+#    echo "overlay	/kaz-prod	overlay	lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail  0 0" >> /etc/fstab
+#    echo "/kaz-prod/kaz /kaz  none  bind,nofail  0 0" >> /etc/fstab
+    ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
+    ln -s /kaz-prod/kaz /kaz
+
+    # On met le KAZGUARD pour la mise au point
+    echo "export KAZGUARD='true'" >> /root/.bashrc
+
+    # Build SNSTER KAZ !
+    snster -c /root/snster-kaz create
+    cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
+    chmod +x /root/vm-install-kaz.sh
+    cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
+    chmod +x /root/vm-upgrade.sh
+    if [ "${NOKAZ}" == "true" ]; then
+      echo "on ne fait pas l'install de kaz sur kaz-prod"
+    else
+      echo "on installe kaz sur kaz-prod"
+      bash "/root/vm-install-kaz.sh"
+    fi
+
     echo "########## ********** End Vagrant $(date +%D-%T)"
 )  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
 
 reboot
+
+# Pour sympa-SOAP
+# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
+# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
+# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"

files/vm-upgrade.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# Upgrade de tout sauf kaz-prod
+
+if [ -z "${KAZGUARD}" ] ; then
+    exit 1
+fi
+set -e
+
+# On met à jour SNSTER
+cd /root/snster
+git switch main
+git pull
+./install.sh
+# hotfix pour btrfs
+sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
+
+# On récupère le dernier kaz-vagrant
+cd /tmp
+git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
+cd /tmp/kaz-vagrant
+git switch develop-snster
+
+# On écrase les anciens fichiers
+cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
+# crypto keys
+cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
+cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
+
+# On détruit et reconstruit tout sauf kaz-prod
+SNSTER="snster -c /root/snster-kaz"
+$SNSTER destroy isp-a-home
+$SNSTER destroy isp-a-infra
+$SNSTER destroy isp-a-router
+$SNSTER destroy kaz-router
+$SNSTER destroy mica-router
+$SNSTER destroy mica-infra
+$SNSTER destroy opendns-router
+$SNSTER destroy opendns-resolver
+$SNSTER destroy root-p-router
+$SNSTER destroy root-p-rootns
+$SNSTER destroy tld-sns-router
+$SNSTER destroy tld-sns-ns
+$SNSTER destroy transit-a-router
+
+$SNSTER create
+
+$SNSTER start

sparsify.sh

@@ -3,14 +3,14 @@
 set -e
 
 # Get HD filename
-FILENAME=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
+FILENAME=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
 
 # Split the dir and filename
 DIR=`dirname "$FILENAME"`
 FILE=`basename "$FILENAME"`
 
 # Get HD UUID
-UUID=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
+UUID=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
 
 # echo -e $DIR
 # echo -e $FILE

trim_enable.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Get HD UUID
+HDUUID=`vboxmanage showvminfo kaz-vm --machinereadable | grep ImageUUID | cut -d= -f2 | sed -e "s/\"//g"`
+
+# Get storage controller
+STCTRL=`vboxmanage showvminfo kaz-vm --machinereadable | grep storagecontrollername0 | cut -d= -f2 | sed -e "s/\"//g"`
+
+#echo -e $HDUUID
+#echo -e $STCTRL
+
+vboxmanage storageattach kaz-vm --medium="$HDUUID" --storagectl="${STCTRL}" --port=0 --discard=on --nonrotational=on
+
+echo "Trim enabled !"