Compare commits

44 Commits

Author            SHA1        Date                        Message
Francois Lesueur  66a965e466  2023-02-09 16:43:12 +01:00  Merge branch 'master' into develop-snster
Francois Lesueur  2feb7f1ee3  2023-02-09 16:42:45 +01:00  add ldap-utils
Francois Lesueur  7b1d549fcb  2023-02-08 12:40:52 +01:00  add trim_enable.sh
Francois Lesueur  41cf9fc93f  2023-02-08 12:26:39 +01:00  fix sparsify
Francois Lesueur  e10d3e66bc  2023-02-07 22:11:11 +01:00  Merge branch 'develop-snster' of ssh://git.kaz.bzh:2202/KAZ/kaz-vagrant into develop-snster
Francois Lesueur  66dd827628  2023-02-07 22:11:03 +01:00  switch to btrfs
fab               f96016be61  2023-02-06 15:39:32 +01:00  Update 'README.md'
Francois Lesueur  5389b2eee7  2023-02-06 12:26:55 +01:00  upgrade snster version
Francois Lesueur  148911bdad  2023-02-03 16:57:49 +01:00  add dnsmasq to transit-a-router
Francois Lesueur  7506ee8b34  2023-02-03 16:36:58 +01:00  crypto keys in the vm-upgrade
Francois Lesueur  5a2b90e18f  2023-02-03 16:35:24 +01:00  add a vm-upgrade.sh
Francois Lesueur  c4fa09044d  2023-02-03 15:40:19 +01:00  fix reverse dns
Francois Lesueur  7ef54ff691  2023-02-03 15:16:18 +01:00  fix ns for the routers
Francois Lesueur  ca87b04797  2023-02-03 15:12:12 +01:00  Merge branch 'develop-snster' of ssh://git.kaz.bzh:2202/KAZ/kaz-vagrant into develop-snster
Francois Lesueur  e619c4375f  2023-02-03 15:11:51 +01:00  bypass DNS filtering
fab               1cad566b24  2023-02-02 10:26:00 +01:00  Update 'README.md'
Francois Lesueur  037fc70452  2023-01-31 14:52:38 +01:00  update readme
Francois Lesueur  aa11ace0bc  2023-01-31 14:38:45 +01:00  changes for ldap
Francois Lesueur  e531939a6d  2023-01-30 20:59:19 +01:00  add ldap to dns
Francois Lesueur  c7ba96ea2e  2023-01-30 17:49:53 +01:00  add reverse dns
Francois Lesueur  e1ac42525b  2023-01-27 21:15:36 +01:00  switch to snster 1.1.0
Francois Lesueur  91c982ff1c  2023-01-25 14:51:13 +01:00  root.hints
Francois Lesueur  1f63e688b3  2023-01-18 20:09:29 +01:00  reverse DNS ok
Francois Lesueur  2968582a74  2023-01-18 12:13:48 +01:00  add NOKAZ option
Francois Lesueur  08390feb38  2023-01-17 11:51:38 +01:00  short sleep to make sure kaz-prod is ready
Francois Lesueur  500556c31d  2023-01-17 11:33:49 +01:00  add nofail option to the kaz-prod mounts on the VM
Francois Lesueur  62132bcd55  2023-01-17 11:29:03 +01:00  mount kaz-prod's FS directly in the VM
Francois Lesueur  8dc0cb76b4  2023-01-15 21:03:43 +01:00  add snster image
Francois Lesueur  fd89477565  2023-01-14 09:16:52 +01:00  update doc
Francois Lesueur  88b95d7ff7  2023-01-14 09:11:53 +01:00  update doc snster
Francois Lesueur  fb07ff2b4a  2023-01-14 08:52:25 +01:00  mknod fuse during install
Francois Lesueur  7667e21c0d  2023-01-12 07:56:24 +01:00  fix sympa domain
Francois Lesueur  c1627a211e  2023-01-12 07:53:26 +01:00  fix snster
Francois Lesueur  d71c219a1e  2022-12-23 18:23:33 +01:00  smallies
Francois Lesueur  d7807b6d58  2022-12-23 18:07:37 +01:00  bugfix certificate
Francois Lesueur  6c643405b2  2022-12-23 18:03:22 +01:00  bugfix smtp auth for clawsmail
Francois Lesueur  849b67d6d2  2022-12-23 18:00:00 +01:00  bugfix postfix account creation
Francois Lesueur  4672e0dfc3  2022-12-23 15:15:49 +01:00  progress
Francois Lesueur  5e5fd1b19a  2022-12-23 14:32:08 +01:00  switch domain from kaz.milxc to kaz.sns
Francois Lesueur  215e77c226  2022-12-23 13:50:27 +01:00  some progress...
Francois Lesueur  5981655b54  2022-12-22 18:52:38 +01:00  some progress...
Francois Lesueur  a84600e42a  2022-12-22 17:35:23 +01:00  kaz and claws in the right places
Francois Lesueur  0733aa3ae8  2022-12-22 17:25:05 +01:00  snster bootstrap
Francois Lesueur  5545db5891  2022-12-22 17:20:53 +01:00  added a hostname to the vm
47 changed files with 998 additions and 251 deletions

@ -1,5 +1,7 @@
# kaz-vagrant
(ATTENTION, NON À JOUR POUR SNSTER)
[Kaz](https://kaz.bzh/) est un CHATONS du Morbihan. Nous proposons ici un moyen de le répliquer dans d'autres lieux. Il y a des éléments de configuration à définir avant d'initialiser ce simulateur.
Le principe est de faire fonctionner un simulateur de notre CHATONS dans une VirtualBox pour mettre au point nos différents services.
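Review bot: the warning added on line 2, "(ATTENTION, NON À JOUR POUR SNSTER)", says the README is not up to date for SNSTER, yet the rest of this change is precisely the SNSTER rewrite of the README (snster start, snster attach, kaz.sns URLs). Either drop the warning or state which parts are still stale; as it stands readers will distrust instructions that are current.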

@ -6,20 +6,33 @@ Le principe est de faire fonctionner un simulateur de notre CHATONS dans une Vir
Nous utilisons :
* Vagrant pour automatiser la création de la Machine Virtuelle
* VirtualBox pour simuler notre serveur
* VirtualBox pour une VM isolée
* [SNSTER](https://framagit.org/flesueur/snster) pour créer des services internet tiers et notre serveur
* LXC pour faire tourner ces services dans des conteneurs distincts (ie, kaz-prod est un conteneur LXC)
* Docker pour chaque service de notre serveur
À la fin, nous obtenons une maquette d'un petit internet simulé, avec du DNS, des mails tiers, et notre serveur kaz-prod dans un coin.
![topologie](/doc/images/topologie.png)
## Pré-requis
Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git.
UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entreprise par exemple). Pour tester:
```bash
# dig @80.67.169.12 www.kaz.bzh
```
## Installation
* Télécharger le dépôt kaz-vagrant ou utilisez la commande git :
* Télécharger le dépôt kaz-vagrant, branche develop-snster, ou utilisez la commande git :
```bash
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
cd kaz-vagrant/
git switch develop-snster # dans les 2 cas
```
* Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
```bash
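Review bot: the UDP/53 check is written as `# dig @80.67.169.12 www.kaz.bzh` inside a bash fence, so a copy-pasted line is a shell comment and runs nothing; drop the `#` prompt. It is worth saying why the check exists: the lab's open resolver forwards every non-.sns query upstream through the transit router (opendns install.sh in this change), so a workstation that filters outbound 53 breaks name resolution for every simulated host, not just this test.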
@ -32,7 +45,7 @@ vagrant plugin install vagrant-vbguest
vagrant up
```
Cette étape peut-être (très) longue. Il faudra éventuellement répondre "docker0" à la question "Which interface should the network bridge to?"
Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem FUSE beaucoup plus lent qu'en natif...
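Review bot: the replacement sentence blames the slowness on docker overlays going through a FUSE filesystem, but the kaz dmz install.sh in this same change writes `{ "storage-driver": "btrfs" }` to /etc/docker/daemon.json and leaves `fuse-overlayfs` commented out of its apt-get line (the commit list also has "switch to btrfs"). Update the explanation to match the btrfs setup, or say which of the two is actually in use.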
## Mise au point
@ -44,7 +57,7 @@ NOKAZ="true" vagrant up
Dans ce cas, il faudra ensuite lancer dans la VM :
```bash
/kaz/bin/install.sh
KAZGUARD="true" /root/vm-install-kaz.sh
```
Pour détruire la VM et recommencer :
@ -59,16 +72,36 @@ Les utilisateurs créés sont
* debian/debian
* root/root.
Si vous avec laissé la création des dockers, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long).
Si vous avec laissé la création de Kaz, il faut bien attendre la fermeture automatique de la fenêtre et l'apparition de l'écran de connexion (on vous a dit que c'était long).
Lors du démarrage de la VM, il faut lancer les conteneurs dans la VM :
Lors du démarrage de la VM, il faut lancer SNSTER et éventuellement les conteneurs :
```bash
/kaz/bin/container.sh start
cd /root/snster-kaz
snster start
```
Vous pouvez alors démarrer le client de messagerie clawsmail dans lequel 4 comptes ont été paramétrés (contact1@kaz.local, contact2@kaz.local, contact3@kaz.local, contact4@kaz.local) tous avec le mot de passe 'toto'
Normalement, kaz-prod lance automatiquement les dockers (dans son rc.local), mais si ça ne marche pas bien il peut falloir les relancer (que se passe-t-il si on relance container.sh pendant que container.sh n'est pas encore fini ? faut-il l'enlever du rc.local ? Le lancement initial peut rater, probablement si le DNS n'est pas encore fonctionnel lors du lancement, à mettre au point et peut-être enlever du rc.local ?)
```bash
snster attach kaz-prod -x /kaz/bin/container.sh start
```
Il y a un aperçu de l'état des services avec l'url https://kaz.local/status/allServices.html
Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/root/snster-kaz`) :
* Afficher un bureau graphique sur une machine tierce à Kaz : `snster display isp-a-home`. Sur cette machine, vous pouvez :
* Ouvrir Firefox et naviguer vers :
* `https://www.kaz.sns`, le Kaz interne à la VM
* `https://listes.kaz.sns`, le sympa interne à la VM
* `https://www.kaz.bzh`, le vrai Kaz
* Ouvrir claws-mail et retrouver les comptes mails configurés :
* `contact1@kaz.sns` à `contact4@kaz.sns`, hébergés sur le kaz-prod de la VM
* `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra
* Travailler sur kaz-prod : `snster attach kaz-prod`
* Afficher un plan de réseau : `snster print`
* Le système de fichiers de kaz-prod est accessible directement dans la VM:
* `/kaz-prod/` [VM] correspond à `/` [kaz-prod]
* `/kaz` [VM] correspond à `/kaz` [kaz-prod]
* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori.
Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html
![status](/doc/images/allServices.jpg)
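Review bot: the paragraph starting "Normalement, kaz-prod lance automatiquement les dockers" commits open design questions into user-facing docs (what happens if container.sh is relaunched while a previous run is still going, should it be removed from rc.local). Move them to an issue and state one supported procedure. The race is real in this change: the kaz dmz install.sh appends `/kaz/bin/container.sh start` to /etc/rc.local, and the README then tells users to run `snster attach kaz-prod -x /kaz/bin/container.sh start` by hand, so two starts can overlap. One more sentence is warranted for the new "/kaz-prod/ [VM] correspond à / [kaz-prod]" mount: anything running as root in the VM can now rewrite the container's system files, which is convenient for development but should be said explicitly.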
@ -76,13 +109,13 @@ Les erreurs 502 correspondent à des fonctions en cours de développement. Les m
Vous pouvez également démarrer firefox avec les URL suivantes:
* https://www.kaz.local
* https://tableur.kaz.local
* https://pad.kaz.local
* https://depot.kaz.local
* https://agora.kaz.local/login (compte contact1@kaz.local créé, mot de passe toto)
* https://cloud.kaz.local/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
* https://sondage.kaz.local
* https://www.kaz.sns
* https://tableur.kaz.sns
* https://pad.kaz.sns
* https://depot.kaz.sns
* https://agora.kaz.sns/login (compte contact1@kaz.local créé, mot de passe toto)
* https://cloud.kaz.sns/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
* https://sondage.kaz.sns
Il vous faudra accepter les alertes de sécurité pour certificat absent (web et messagerie)
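Review bot: the URLs moved to kaz.sns but the two account hints on the agora and cloud lines still read `contact1@kaz.local`, while the claws-mail provisioning added in this change creates `contact1@kaz.sns`; update the hints. The last sentence telling users to accept certificate alerts also looks stale now that the isp-a home install.sh installs /etc/letsencrypt/local/rootCA.pem into the system store and into Firefox via an enterprise policy: if that works, the sentence should say no warning is expected; if it does not, the policy is dead weight.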

@ -26,6 +26,7 @@ Vagrant.configure("2") do |config|
end
config.vm.box = "debian/bullseye64"
config.vm.hostname = 'kaz-vm'
config.disksize.size = '32GB'
# Disable automatic box update checking. If you disable this, then
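Review bot: `config.disksize.size = '32GB'` is only understood when the vagrant-disksize plugin is installed; on a fresh host `vagrant up` fails with an unknown-setting error before anything is provisioned. The README hunk in this change still only mentions `vagrant plugin install vagrant-vbguest`, so either add vagrant-disksize to the prerequisites or guard the line with `if Vagrant.has_plugin?("vagrant-disksize")`.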
@ -66,7 +67,7 @@ Vagrant.configure("2") do |config|
# # Customize the amount of memory on the VM:
vb.memory = "4096"
vb.cpus="2"
vb.name = "kaz-dev-amd64"
vb.name = "kaz-vm"
vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24']
vb.gui = true
@ -85,9 +86,10 @@ Vagrant.configure("2") do |config|
#permet d'avoir un répertoire partagé entre la VM et le host
config.vm.synced_folder "/tmp/", "/tmp_host"
config.vm.synced_folder "files/", "/root/kaz-vagrant"
config.vm.provision "shell" do |s|
s.inline = "/vagrant/files/provision.sh"
s.inline = "/vagrant/files/vm-provision.sh"
s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
end
end
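Review bot: `s.env` passes `ENV['NOKAZ']` and `ENV['KAZBRANCH']` straight through, and both are nil when the host has not set them; make sure vm-provision.sh treats an empty value like an unset one, as the deleted provision.sh did with `[ -z "${KAZBRANCH}" ]` and `"${NOKAZ}" == "true"`. Separately, `config.vm.synced_folder "/tmp/", "/tmp_host"` (context line above) shares the host's entire /tmp read-write with a VM that runs a simulated internet and a docker stack; share a dedicated directory instead, or at least add `mount_options: ["ro"]`.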

BIN  doc/images/topologie.png  Normal file (binary, 156 KiB, not shown)

@ -1,78 +0,0 @@
#!/bin/bash
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files
mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
#pour la résolution de noms dans /etc/hosts
SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
find /kaz -name \*.sh -exec chmod a+x {} \;
# pour ceux qui disposent d'un cache apt local et pas la fibre
if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
fi
if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
fi
if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
mkdir -p /root/.docker
rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
fi
echo -e "\n #### rsync download\n"
[ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
[ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
[ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
[ ! -f "/kaz/config/dockers.env" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
#possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
if [ "${NOKAZ}" == "true" ]; then
echo "on ne lance pas install.sh"
else
echo "on lance install.sh"
/kaz/bin/install.sh
fi
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

@ -0,0 +1,62 @@
version: 1
header:
name: ISP-A AS
comment: An ISP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.110/24
ipv6: 2001:db8:b000::110/48
eth1:
bridge: isp-a-cust
ipv4: 100.120.0.1/24
eth2:
bridge: isp-a-infra
ipv4: 100.120.1.1/24
ipv6: 2001:db8:120:1::1/64
templates:
- bgprouter:
asn: 20
asdev: eth1;eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: isp-a.sns
infra:
network:
interfaces:
eth0:
bridge: isp-a-infra
ipv4: 100.120.1.2/24
ipv6: 2001:db8:120:1::2/64
gatewayv4: 100.120.1.1
gatewayv6: 2001:db8:120:1::1
templates:
- mailserver:
domain: isp-a.sns
- resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv:
domain: isp-a.sns
ns: 100.100.100.100
home:
network:
interfaces:
eth0:
bridge: isp-a-cust
ipv4: 100.120.0.3/24
gatewayv4: 100.120.0.1
templates:
- updatecaroots:
- resolv:
domain: isp-a.sns
ns: 100.100.100.100

@ -9,8 +9,9 @@ cd `dirname $0`
name=$1
domainname=$2
password=$3
number=$4
login=$3
password=$4
number=$5
# cp -ar claws-mail ~/.claws-mail
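Review bot: inserting `login=$3` shifts `password` and `number` to $4 and $5, so every caller must change at the same time; the one visible in this change (isp-a home install.sh) passes five arguments, but any other script still calling addclawsuser.sh with four will silently put the password into the login field and the account number into the password. A quick `[ $# -eq 5 ] || { echo "usage: ..."; exit 1; }` at the top would turn that into a loud failure.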
@ -22,6 +23,7 @@ cat claws-mail/accountrc > /tmp/accountrc
sed -i -e "s/\$name/$name/" /tmp/accountrc
sed -i -e "s/\$domainname/$domainname/" /tmp/accountrc
sed -i -e "s/\$number/$number/" /tmp/accountrc
sed -i -e "s/\$login/$login/" /tmp/accountrc
cat /tmp/accountrc >> ~/.claws-mail/accountrc
if [ ! -f ~/.claws-mail/folderlist.xml ]; then
@ -32,6 +34,7 @@ cat claws-mail/folderlist.xml > /tmp/folderlist.xml
sed -i -e "s/\$name/$name/" /tmp/folderlist.xml
sed -i -e "s/\$domainname/$domainname/" /tmp/folderlist.xml
sed -i -e "s/\$number/$number/" /tmp/folderlist.xml
sed -i -e "s/\$login/$login/" /tmp/folderlist.xml
sed -i -e "s/<\/folderlist>//" ~/.claws-mail/folderlist.xml
cat /tmp/folderlist.xml >> ~/.claws-mail/folderlist.xml
echo "</folderlist>" >> ~/.claws-mail/folderlist.xml
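Review bot: the new `sed -i -e "s/\$login/$login/"` lines (and the existing ones around them) have no `g` flag and no escaping, so only the first `$login` on a line is replaced and a login containing `/` or `&` breaks the expression or injects into the replacement. Use a delimiter that cannot appear in an e-mail address and add `g`, e.g. `sed -i -e "s|\$login|$login|g"`, or escape the value first.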

@ -1,7 +1,7 @@
[Account: $number]
domain=kaz.local
name=$name@$domainname
account_name=IMAP
account_name=$name@$domainname
is_default=1
address=$name@$domainname
organization=
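Review bot: `domain=kaz.local` on the second line of the template is still hard-coded while the rest of the account now comes from `$name`, `$domainname` and `$login`, and the target domain in this change is kaz.sns; use `domain=$domainname` so the isp-a.sns account does not inherit a kaz.local domain either.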
@ -15,7 +15,7 @@ use_mail_command=0
mail_command=/usr/sbin/sendmail -t -i
use_nntp_auth=0
use_nntp_auth_onconnect=0
user_id=$name@$domainname
user_id=$login
use_apop_auth=0
remove_mail=1
message_leave_time=7
@ -36,7 +36,7 @@ generate_msgid=1
generate_xmailer=1
add_custom_header=0
msgid_with_addr=0
use_smtp_auth=0
use_smtp_auth=1
smtp_auth_method=0
smtp_user_id=
pop_before_smtp=0
@ -76,7 +76,7 @@ ssl_pop=0
ssl_imap=0
ssl_nntp=0
ssl_smtp=0
ssl_certs_auto_accept=0
ssl_certs_auto_accept=1
use_nonblocking_ssl=1
in_ssl_client_cert_file=
out_ssl_client_cert_file=
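Review bot: `ssl_certs_auto_accept=1` makes claws-mail accept any TLS certificate without asking, which hides exactly the class of error the rest of this change is fixing by installing the lab rootCA into the trust store (isp-a home install.sh). Keep it at 0 and let the installed root CA validate the servers; if the mail servers present certificates that CA did not sign, that is the bug to fix, not to silence.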

@ -366,7 +366,7 @@ hover_timeout=500
cache_max_mem_usage=4096
cache_min_keep_time=15
thread_by_subject_max_age=10
last_opened_folder=#imap/hacker@isp-a.milxc/Trash
last_opened_folder=#imap/email@isp-a.sns/Trash
goto_last_folder_on_startup=0
summary_quicksearch_sticky=1
summary_quicksearch_dynamic=0

@ -0,0 +1,40 @@
#!/bin/bash
# ISP-A infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# les scripts de créations de BAL pour clawsmail
cp -ar "clawsmail" /
chmod +x /clawsmail/addclawsuser.sh
chmod +x /clawsmail/genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On configure les comptes mail
if [ -f /clawsmail/addclawsuser.sh ]; then
su debian /clawsmail/addclawsuser.sh contact1 kaz.sns contact1@kaz.sns toto 1
su debian /clawsmail/addclawsuser.sh contact2 kaz.sns contact2@kaz.sns toto 2
su debian /clawsmail/addclawsuser.sh contact3 kaz.sns contact3@kaz.sns toto 3
su debian /clawsmail/addclawsuser.sh contact4 kaz.sns contact4@kaz.sns toto 4
su debian /clawsmail/addclawsuser.sh email isp-a.sns email email 5
fi
# On place les certifs
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
/usr/sbin/update-ca-certificates --fresh
fi
# Add to Firefox store
echo -e '{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": ["/etc/ssl/certs/root.pem"]
}
}
}' > /usr/lib/firefox-esr/distribution/policies.json
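Review bot: the Firefox policy at the end is written unconditionally and points at /etc/ssl/certs/root.pem, but that file only exists when the `letsencrypt` directory was present and `update-ca-certificates` created the symlink for root.crt; move the policy write inside the `if [ -d letsencrypt ]` block or drop the `Install` entry. Two smaller points: `[ -z $SNSTERGUARD ]` is unquoted and only works because `[ -z ]` with no operand happens to be true (the kaz.sh script in this change quotes it correctly), and the claws-mail passwords are passed on the command line, where they are visible in `ps` and in root's shell history.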

@ -0,0 +1,15 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "isp-a.sns." static
local-data: "smtp.isp-a.sns. IN A 100.120.1.2"
local-data: "mail.isp-a.sns. IN A 100.120.1.2"
local-data: "ns.isp-a.sns. IN A 100.120.1.2"
local-data: "isp-a.sns. IN MX 10 smtp.isp-a.sns."
local-zone: "120.100.in-addr.arpa." static
local-data: "2.1.120.100.in-addr.arpa. IN PTR smtp.isp-a.sns"
local-data: "2.0.120.100.in-addr.arpa. IN PTR home.isp-a.sns"
local-data: "1.1.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
local-data: "1.0.120.100.in-addr.arpa. IN PTR router.isp-a.sns"
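Review bot: the PTR for `2.0.120.100.in-addr.arpa.` names home.isp-a.sns, but isp-a main.yml gives `home` 100.120.0.3/24, so the reverse record points at an unused address and 100.120.0.3 has none; change it to `3.0.120.100.in-addr.arpa.`. The forward data also has no AAAA records although infra carries 2001:db8:120:1::2, so IPv6 clients resolving smtp.isp-a.sns silently fall back to IPv4.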

@ -0,0 +1,21 @@
#!/bin/bash
# ISP-A infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# Email's mail account email@isp-a.sns
useradd -m -s "/bin/bash" -p `mkpasswd --method=sha-512 email` email || true
addgroup email mail
#mkdir /home/hacker/mail
#touch /home/hacker/mail/Drafts /home/hacker/mail/Queue /home/hacker/mail/Sent /home/hacker/mail/Trash
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage isp-a.sns zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
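Review bot: the comment "disable systemd-resolved which conflicts with nsd" is stale, this host installs unbound (the same comment is copied into the mica and kaz dmz scripts), and `systemctl stop` without `disable` means resolved returns at boot, harmless only because `DNSStubListener=no` was written first. `mkpasswd` comes from the whois package on Debian; if the bullseye master image lacks it the backticks expand to nothing, `useradd` receives `-p email` with no user name, and the trailing `|| true` hides the failure. Install whois explicitly (or use `chpasswd`) and drop the `|| true`.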

@ -0,0 +1,48 @@
version: 1
header:
name: Target AS
comment: AS of the Target organization
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.10/24
ipv6: 2001:db8:b000::10/48
eth1:
bridge: kaz-lan1
ipv4: 100.80.0.1/24
eth2:
bridge: kaz-lan2
ipv4: 100.80.1.1/24
templates:
- bgprouter:
asn: 10
asdev: eth1;eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: kaz.sns
prod:
network:
interfaces:
eth0:
bridge: kaz-lan1
ipv4: 100.80.0.2/24
eth1:
bridge: kaz-lan2
ipv4: 100.80.1.2/24
gatewayv4: 100.80.0.1
templates:
- updatecaroots:
- authns:
zonefiles: kaz.sns.zone;80.100.in-addr.arpa.zone
- resolv:
domain: kaz.sns
ns: 100.100.100.100

@ -0,0 +1,16 @@
$TTL 86400
$ORIGIN 80.100.in-addr.arpa.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
ns IN A 100.80.0.2
ns IN AAAA 2001:db8:80::0:2
2.0 IN PTR smtp.kaz.sns.
1.0 IN PTR router.kaz.sns.
1.1 IN PTR router.kaz.sns.
2.1 IN PTR listes.kaz.sns.
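Review bot: the apex NS here is `ns.kaz.sns.` while the root's reverse.zone in this change delegates 80.100.in-addr.arpa to `p.80.100.in-addr.arpa.`; the NS set in the parent and in the child should match, otherwise resolvers that check the child's NS see a lame delegation. `ns IN AAAA 2001:db8:80::0:2` also has no host behind it: kaz main.yml gives prod and router IPv4 addresses only, so either add the IPv6 addresses to the hosts or drop the AAAA records.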

@ -0,0 +1,71 @@
#!/bin/bash
if [ -z "${SNSTERGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export OUTPUT_DIR="/root/install"
mkdir -p "${OUTPUT_DIR}/log/"
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
[ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
find /kaz -name \*.sh -exec chmod a+x {} \;
# pour ceux qui disposent d'un cache apt local et pas la fibre
if [ -f "${DIR}/.apt-mirror-config" ]; then
rsync -a "${DIR}/.apt-mirror-config" /kaz/
fi
if [ -f "${DIR}/.proxy-config" ]; then
rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
rsync -a "${DIR}/.proxy-config" /kaz/
fi
if [ -f "${DIR}/.docker-config.json" ]; then
mkdir -p /root/.docker
rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
fi
echo -e "\n #### rsync download\n"
[ -d "${DIR}/kaz/download" ] &&
rsync -a "${DIR}/kaz/download/" /kaz/download/
[ -d "${DIR}/kaz/git" ] &&
rsync -a "${DIR}/kaz/git/" /kaz/git/
[ -f "${DIR}/kaz/config/dockers.env" ] &&
[ ! -f "/kaz/config/dockers.env" ] &&
rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
[ ! -f "/kaz/config/config/container-${type}.list" ] &&
rsync -a "${DIR}/kaz/config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
/kaz/bin/install.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
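Review bot: `[ -f kaz ] || git clone` tests for a regular file named kaz in the current directory, but /kaz is a directory, and `rm -rf /kaz` a few lines earlier removes it anyway, so the guard is dead code; use `[ -d /kaz ]` and decide whether a re-run should reclone or `git pull`. The container-list loop checks `/kaz/config/config/container-${type}.list` (doubled `config/`), so its `! -f` guard never matches and a local list always overwrites the cloned one. Both defects are carried over verbatim from the deleted provision.sh.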

@ -0,0 +1,33 @@
$TTL 86400
$ORIGIN kaz.sns.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
IN MX 10 smtp.kaz.sns.
IN A 100.80.0.2
ns IN A 100.80.0.2
dmz IN A 100.80.0.2
smtp IN CNAME dmz
imap IN CNAME dmz
www IN CNAME dmz
mail IN CNAME dmz
cloud IN CNAME dmz
tableur IN CNAME dmz
webmail IN CNAME dmz
garradin IN CNAME dmz
wiki IN CNAME dmz
git IN CNAME dmz
office IN CNAME dmz
depot IN CNAME dmz
ldap IN CNAME dmz
listes IN MX 10 listes
listes IN A 100.80.1.2
firewall IN A 100.80.0.1
firewall IN AAAA 2001:db8:80::0:1
router IN A 100.80.0.1
router IN AAAA 2001:db8:80::0:1
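Review bot: `firewall IN AAAA 2001:db8:80::0:1` and `router IN AAAA 2001:db8:80::0:1` publish addresses that no host owns: in kaz main.yml the router's eth1/eth2 and prod's interfaces are IPv4 only (only its transit side has a 2001:db8:b000:: address). Either give the hosts these addresses or drop the AAAA records, otherwise dual-stack resolvers try the unreachable address first and wait for the timeout.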

@ -3,7 +3,7 @@ jirafeau
ethercalc
collabora
ethercalc
etherpad
#etherpad
ldap
quotas
web
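Review bot: `ethercalc` appears twice in the context lines of this list, once above `collabora` and once below it; if container.sh iterates the file line by line the service is started twice. Worth removing the duplicate while touching the file.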

@ -9,12 +9,12 @@ mode=local
########################################
# choix du domaine
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
domain=kaz.local
domain=kaz.sns
########################################
# choix du domaine des mails sympa
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
domain_sympa=kaz.local
domain_sympa=listes.kaz.sns
########################################
# choix d'un serveur partiel
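Review bot: the comment lines above `domain` and `domain_sympa` still describe the local value as kaz.local, and the same applies to the `MAIN_IP` / `SYMPA_IP` comments in the next hunk (127.0.0.1 / 127.0.0.2); update them to kaz.sns, listes.kaz.sns, 100.80.0.2 and 100.80.1.2 so the next reader does not "fix" the values back.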
@ -29,10 +29,10 @@ site=
httpProto=https
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
MAIN_IP=127.0.0.1
MAIN_IP=100.80.0.2
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
SYMPA_IP=127.0.0.2
SYMPA_IP=100.80.1.2
########################################
# noms des services
@ -98,7 +98,7 @@ sympaDBName=sympaDB
vigiloDBName=vigiloDB
wordpressDBName=wpDB
ldapIUName=ldapIU
ldapUIName=ldapUI
########################################
# politique de redémarrage
@ -112,7 +112,7 @@ restartPolicy=no
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldapRoot=dc=kaz,dc=local
ldap_root=dc=kaz,dc=sns
########################################
# services activés par container.sh
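Review bot: `ldapRoot` → `ldap_root` (and `ldapIUName` → `ldapUIName` in the previous hunk) rename settings that other kaz scripts read from this file; the first also breaks the camelCase convention used everywhere else in it (jirafeauDir, sympaDBName). Grep the consumers in the kaz repository before merging, and keep `ldapRoot` unless the LDAP scripts on the target branch really expect `ldap_root`.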

@ -0,0 +1,85 @@
#!/bin/bash
# Target DMZ
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# Go KAZ !
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# On met le GUARD pour la mise au point
echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On active fuse-overlayfs pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs" }
EOF
service docker restart
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker
# On place les certifs
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
fi
# ./kaz.sh
# On démarre au boot
echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
chmod +x /etc/rc.local
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
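Review bot: `cat >> /etc/docker/daemon.json` appends; if the package shipped a daemon.json or the script runs twice, the file becomes two concatenated JSON objects and dockerd refuses to start. Write it with `>` (or merge with jq). The comment above it still says "fuse-overlayfs" while the content selects btrfs, and the btrfs driver only works if /var/lib/docker sits on a btrfs filesystem, which this script neither checks nor creates (the loop-device recipe is left commented out). Two more: `usermod -G docker debian` replaces the user's supplementary groups, use `-aG`; and `echo "export SNSTERGUARD='true'" >> /root/.bashrc` permanently satisfies the guard that is supposed to stop the install scripts from running by accident.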

files/snster-kaz/main.yml  Normal file (34 lines)

@ -0,0 +1,34 @@
version: 1
header:
name: KAZ
comment: KAZ development environment
config:
prefix: kaz
nat-bridge: lxcbr0
default-master: bullseye
masters:
bullseye:
backend: lxc
template: debian
parameters:
release: bullseye
arch: amd64
family: debian
alpine:
backend: lxc
template: download
parameters:
dist: alpine
release: 3.14
arch: amd64
no-validate: true
family: alpine
disabled-groups:
- _global
- _templates
- _masters

@ -0,0 +1,42 @@
version: 1
header:
name: MICA AS
comment: An ACME Certification Authority
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.1.140/24
ipv6: 2001:db8:b001::140/48
eth1:
bridge: mica-lan
ipv4: 100.82.0.1/16
ipv6: 2001:db8:82::1/48
templates:
- bgprouter:
asn: 12
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: mica.sns
infra:
network:
interfaces:
eth0:
bridge: mica-lan
ipv4: 100.82.0.2/16
ipv6: 2001:db8:82::2/48
gatewayv4: 100.82.0.1
gatewayv6: 2001:db8:82::1
templates:
- resolv:
domain: mica.sns
ns: 100.100.100.100
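Review bot: the mica router's transit address `100.64.1.140/24` is outside the transit-a segment, where the transit router has 100.64.0.1/24 and every other AS sits in 100.64.0.0/24; with a /24 mask neither side has an on-link route to its BGP neighbor, so the session configured in transit-a main.yml (`100.64.1.140 as 12`) cannot come up without multihop. Same on v6: `2001:db8:b001::140/48` is a different /48 from the transit router's 2001:db8:b000::1/48. Move mica to 100.64.0.140 and 2001:db8:b000::140 and fix the neighbor entries, unless a broken peering is intended.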

@ -0,0 +1,8 @@
server:
interface: 0.0.0.0
access-control: 100.64.0.0/10 allow
local-zone: "mica.sns." static
local-data: "ns.mica.sns. IN A 100.82.0.2"
local-data: "www.mica.sns. IN A 100.82.0.2"
local-data: "ca.mica.sns. IN A 100.82.0.2"

@ -0,0 +1,28 @@
#!/bin/bash
# MICA infra
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
# manage mica.sns zone
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
# Install smallstep CA / ACME server
cd /tmp
wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
dpkg -i step-cli_0.17.2_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
dpkg -i step-ca_0.17.2_amd64.deb
# step ca init
# step ca root root.crt
# step ca provisioner add acme --type ACME
# certbot certonly -n --standalone -d www.target.sns --server https://www.mica.sns/acme/acme/directory --agree-tos --email "fr@fr.fr"
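Review bot: step-cli and step-ca are fetched from GitHub with wget and installed with `dpkg -i` as root with no checksum or signature verification, in a script that is meant to become the ACME CA every host in the lab trusts; verify the downloads against the checksums file smallstep publishes with each release (`sha256sum -c`) before `dpkg -i`, and note that v0.17.2 is an old pin. Since `step ca init` and the provisioner setup are still commented out, the mica host currently provides DNS only; the commit message or README should say so. The "conflicts with nsd" comment is the same stale copy as in the other unbound hosts.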

@ -0,0 +1,44 @@
version: 1
header:
name: open DNS service AS
comment: an open DNS resolver
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.30/24
ipv6: 2001:db8:b000::30/48
eth2:
bridge: opendns-lan
ipv4: 100.100.100.1/24
ipv6: 2001:db8:a100::1/48
templates:
- bgprouter:
asn: 7
asdev: eth2
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: opendns.sns
resolver:
network:
interfaces:
eth0:
bridge: opendns-lan
ipv4: 100.100.100.100/24
ipv6: 2001:db8:a100::100/48
gatewayv4: 100.100.100.1
gatewayv6: 2001:db8:a100::1
templates:
- resolverns:
roots: p,100.100.1.10,2001:db8:a001::10
- resolv:
domain: opendns.sns
ns: 100.100.100.100

@ -0,0 +1,32 @@
#!/bin/bash
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
mkdir -p /etc/unbound/unbound.conf.d/
cat >> /etc/unbound/unbound.conf.d/unblockdns.conf <<EOF
stub-zone:
name: "sns"
stub-addr: 100.100.20.10
stub-zone:
name: "100.in-addr.arpa"
stub-addr: 100.100.1.10
forward-zone:
name: "."
forward-addr: 100.64.0.1
EOF
# notes
# apt install build-essential libnghttp2-dev libssl-dev libexpat-dev
# wget https://nlnetlabs.nl/downloads/unbound/unbound-1.17.1.tar.gz
# ./configure --with-libnghttp2
# adduser unbound
# fixdns.sh
# SNSTER="snster -c /root/snster-kaz attach $1 -x"
# $SNSTER "DEBIAN_FRONTEND=noninteractive apt-get install -y nss-tlsd libnss-tls"
# $SNSTER "sed -i -e 's/^hosts:\s*files/hosts:\tfiles tls/' /etc/nsswitch.conf"
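Review bot: `forward-zone: name: "."` with `forward-addr: 100.64.0.1` sends every non-.sns query from the simulated internet to the transit router and on to the host's real resolver, so the "isolated" lab leaks the DNS activity of every simulated host (browser, mail, apt) to the outside. That matches the "bypass DNS filtering" commit, but it deserves a line in the README. The file is written into /etc/unbound/unbound.conf.d/ before anything in this script installs unbound, so it only works if the `resolverns` template from main.yml runs afterwards and keeps conf.d; state that dependency in a comment. The trailing notes on building unbound with nghttp2 and on nss-tls are dead text better kept in an issue.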

@ -0,0 +1,46 @@
version: 1
header:
name: Root-P AS
comment: A DNS Root server
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.20/24
ipv6: 2001:db8:b000::20/48
eth1:
bridge: root-p-lan
ipv4: 100.100.1.1/24
ipv6: 2001:db8:a001::1/48
templates:
- bgprouter:
asn: 6
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: ns-root-p.sns
rootns:
network:
interfaces:
eth0:
bridge: root-p-lan
ipv4: 100.100.1.10/24
ipv6: 2001:db8:a001::10/48
gatewayv4: 100.100.1.1
gatewayv6: 2001:db8:a001::1
templates:
- rootns:
roots: p,100.100.1.10,2001:db8:a001::10
tlds: sns,100.100.20.10,2001:db8:a020::10
reverse: reverse.zone
- resolv:
domain: ns-root-p.sns
ns: 100.100.100.100

@ -0,0 +1,5 @@
120.100.in-addr.arpa. 172800 IN NS p.120.100.in-addr.arpa.
p.120.100.in-addr.arpa. 172800 IN A 100.120.1.2
p.120.100.in-addr.arpa. 172800 IN AAAA 2001:db8:120:1::2
80.100.in-addr.arpa. 172800 IN NS p.80.100.in-addr.arpa.
p.80.100.in-addr.arpa. 172800 IN A 100.80.0.2

@ -0,0 +1,42 @@
version: 1
header:
name: TLD SNS AS
comment: The .sns TLD auth NS
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.40/24
ipv6: 2001:db8:b000::40/48
eth1:
bridge: tld-sns-lan
ipv4: 100.100.20.1/24
ipv6: 2001:db8:a020::1/48
templates:
- bgprouter:
asn: 8
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: tld-sns.sns
ns:
network:
interfaces:
eth0:
bridge: tld-sns-lan
ipv4: 100.100.20.10/24
ipv6: 2001:db8:a020::10/48
gatewayv4: 100.100.20.1
gatewayv6: 2001:db8:a020::1
templates:
- resolv:
domain: tld-sns.sns
ns: 100.100.100.100

@ -0,0 +1,41 @@
#!/bin/bash
# .sns registry
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y nsd
echo -e "zone:
name: \"sns.\"
zonefile: \"sns.zone\"
" > /etc/nsd/nsd.conf
echo -e "\$TTL 86400
\$ORIGIN sns.
@ 1D IN SOA ns.sns. hostmaster.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.sns.
ns IN A 100.100.20.10 ;name server definition
ns IN AAAA 2001:db8:a020::10
kaz.sns. IN NS ns.kaz.sns.
ns.kaz.sns. IN A 100.80.0.2
isp-a.sns. IN NS ns.isp-a.sns.
ns.isp-a.sns. IN A 100.120.1.2
ns.isp-a.sns. IN AAAA 2001:db8:120:1::2
mica.sns. IN NS ns.mica.sns.
ns.mica.sns. IN A 100.82.0.2
ns.mica.sns. IN AAAA 2001:db8:82::2
" >> /etc/nsd/sns.zone


@ -0,0 +1,27 @@
version: 1
header:
name: Transit-A
comment: Transit-A IXP
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: nat-bridge
ipv4: dhcp
eth1:
bridge: transit-a
ipv4: 100.64.0.1/24
ipv6: 2001:db8:b000::1/48
templates:
- bgprouter:
asn: 30
asdev: eth1
neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
- resolv:
ns: 100.100.100.100
domain: transit-a.sns
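Review bot: `neighbors4` lists `100.64.1.140 as 12`, which lies outside eth1's 100.64.0.1/24 while every other v4 peer is inside 100.64.0.0/24; the v6 counterpart 2001:db8:b001::140 does fall inside the 2001:db8:b000::/48 on eth1. Unless the bgprouter template configures multihop and a route to 100.64.1.0/24, the v4 session to AS 12 cannot come up, so confirm whether this is a typo for 100.64.0.140 or an intended off-link peer. The separators in both lists also mix `;` and `; `; pick one form so the template's split is unambiguous.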


@ -0,0 +1,40 @@
#!/bin/sh
# Transit A with alpine
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
apk update
apk add bird iptables
rc-update add bird
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo -e '#!/bin/sh\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > /etc/local.d/iptables.start
chmod +x /etc/local.d/iptables.start
rc-update add local
# keep DHCP on eth0
touch /etc/network/keepdhcp
# Force lxc bridged interface metric (else, it grows to 200+interface_index, which can be large with successive stop/start)
# This metric must be lower than the one exported by BGP for the default route (static part below)
mkdir /etc/udhcpc
echo "IF_METRIC=200" > /etc/udhcpc/udhcpc.conf
# customize bird config (BGP)
sed -i "s/protocol kernel {/protocol kernel { metric 2000;/" /etc/bird.conf
# sed -i "s/\#.*export all/\texport all/" /etc/bird/bird.conf
echo -e "
protocol static {
ipv4;
route 0.0.0.0/0 via 100.64.0.1;
}
" >> /etc/bird.conf
# Add dnsmasq for external dns
apk add dnsmasq
rc-update add dnsmasq
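Review bot: appending the whole edge/testing repository to /etc/apk/repositories lets any later `apk upgrade` pull arbitrary packages from edge/testing into this otherwise stable Alpine image; use a tagged repository line (`@testing http://...`) and `apk add bird@testing` so only bird comes from there. The static `route 0.0.0.0/0 via 100.64.0.1` points at the router's own eth1 address and only makes sense as a prefix exported to the BGP peers; it is kept out of the local kernel table solely by the `metric 2000` sed on `protocol kernel {`, which silently does nothing if the packaged /etc/bird.conf lacks that exact string, so follow it with `grep -q 'metric 2000' /etc/bird.conf` to fail loudly. Note also that the `net.ipv4.ip_forward=1` line is commented out here and the VM-level sysctl is removed in the same change set (vm-install.sh); if the bgprouter template does not enable forwarding, the MASQUERADE rule has nothing to translate.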

files/vm-install-kaz.sh Normal file

@ -0,0 +1,20 @@
#!/bin/bash
# Installation de Kaz
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
snster -c /root/snster-kaz start
sleep 10
snster -c /root/snster-kaz attach kaz-prod -x /mnt/snster/root/snster-kaz/kaz/prod/kaz.sh
# On crée quelques mails
SETUP_MAIL="docker exec mailServ setup"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact1@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact2@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact3@kaz.sns toto"
snster -c /root/snster-kaz attach kaz-prod -x "${SETUP_MAIL} email add contact4@kaz.sns toto"
echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
chmod +x /etc/rc.local
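Review bot: `echo ... >> /etc/rc.local` appends, so every re-run of this script adds another `#!/bin/sh` line and a second `snster start` to rc.local; write the file with `>` or guard the append with `grep -q`. The script has no `set -e`, so a failure in kaz.sh still proceeds to the four `setup email add` calls, and those four accounts all get the password `toto` in clear in the repository; fine for a throwaway lab, but say so in a comment and take the password from a variable so the line is not copied into a real deployment. The fixed `sleep 10` after `start` is a race; poll the container until the mail stack answers before running setup.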


@ -21,9 +21,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
sysctl -w net.ipv4.ip_forward=1
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
# MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
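Review bot: dropping `sysctl -w net.ipv4.ip_forward=1` from the VM is only safe if something else enables forwarding on the host, because the lab's uplink (transit-a's eth0 on `nat-bridge`, masquerading out of the container) needs the VM to forward between that bridge and its outer interface; if the bridge helper does not set it, state where forwarding now comes from. The removed line was also not persistent (no /etc/sysctl.d entry), so whichever mechanism replaces it should survive the `reboot` at the end of the script.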
@ -42,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@ -110,7 +108,6 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
# enable bash autocompletion
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
@ -121,7 +118,6 @@ if ! shopt -oq posix; then
fi
fi
EOF
fi
# XFCE4 panel: use default config
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
@ -150,65 +146,6 @@ SystemMaxFileSize=2M
EOF
fi
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# # Localisation du $LANG, en par défaut, timezone Paris
# if [ -z "${KAZBRANCH}" ] ; then
# KAZBRANCH="develop-vm"
# fi
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
#
# # copie des sources
# cd /
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
# (cd /kaz ; git checkout "${KAZBRANCH}" )
# find /kaz -name \*.sh -exec chmod a+x {} \;
#
# # pour ceux qui disposent d'un cache apt local et pas la fibre
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
# mkdir -p /root/.docker
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
# fi
# Ajout d'un serveur DNS sur la VM
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
#***********DEBUT CERTIF*******************
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
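Review bot: the dropped block contained `usermod -G docker debian`; wherever that provisioning now lives (the kaz-prod container, presumably), use `usermod -aG docker debian`, since `-G` without `-a` replaces the user's supplementary group list and silently removes memberships such as sudo. If the VM-level dnsmasq install survives this hunk, it still carries the `ATTENTION: semble inutile` comment; with DNS now served inside the lab (dnsmasq on the transit-a router, a dedicated opendns-resolver host), either remove it or replace the comment with the reason it stays.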
@ -225,91 +162,76 @@ EOF
export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}"
/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
/root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.local/
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
ln -s ../../local/_wildcard.kaz.local-key.pem /etc/letsencrypt/live/kaz.local/privkey.pem
mkdir -p /etc/letsencrypt/live/kaz.sns/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem
fi
# Essai pour faire accepter la CA à FFOX dès le début
# Add to Firefox store
if [ ! -f /usr/lib/firefox-esr/distribution/policies.json ]; then
cat > /usr/lib/firefox-esr/distribution/policies.json << EOF
{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": ["/etc/letsencrypt/local/rootCA.pem"]
}
}
}
EOF
fi
#***********FIN CERTIF*******************
#ajout des services dans le host
echo -e "\n #### update /etc/hosts\n"
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.1 kaz.local" >>/etc/hosts
fi
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
fi
for SERVICE in ${SERVICES_LIST}; do
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
sed -i /etc/hosts \
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
fi
done
echo -e "\n #### clawsmail\n"
# les scripts de créations de BAL pour clawsmail
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
cd /clawsmail
chmod +x addclawsuser.sh
chmod +x genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# echo -e "\n #### rsync download\n"
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
# [ ! -f "/kaz/config/dockers.env" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
# for type in mail orga proxy withMail withoutMail ; do
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
# done
#
# echo -e "\n #### secretGen\n"
# /kaz/bin/secretGen.sh
#
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
# if [ "${NOKAZ}" == "true" ]; then
# echo "on ne lance pas install.sh"
# else
# echo "on lance install.sh"
# /kaz/bin/install.sh
# fi
${VAGRANT_SRC_DIR}/kaz.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
# SNSTER
cd
git clone https://framagit.org/flesueur/snster.git
cd snster
# git checkout tags/v1.1.0
git checkout fe59ef1f
./install.sh
# BTRFS avec hotfix sale de SNSTER
freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
truncate -s ${btrsize}k /root/btrfs.img
mkfs.btrfs -f /root/btrfs.img
echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab
mount /var/lib/lxc
#losetup -f /root/btrfs.img
#mount /dev/loop0 /var/lib/lxc
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# SNSTER KAZ
# cp -ar ${VAGRANT_SRC_DIR}/templates /root
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
# mkdir /kaz-prod /kaz
# echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
# echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# Build SNSTER KAZ !
snster -c /root/snster-kaz create
cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
chmod +x /root/vm-install-kaz.sh
cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
chmod +x /root/vm-upgrade.sh
if [ "${NOKAZ}" == "true" ]; then
echo "on ne fait pas l'install de kaz sur kaz-prod"
else
echo "on installe kaz sur kaz-prod"
bash "/root/vm-install-kaz.sh"
fi
echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
reboot
# Pour sympa-SOAP
# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"
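Review bot: `cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/` copies the whole tree, and with `CAROOT=/etc/letsencrypt/local/` that includes the mkcert CA private key (rootCA-key.pem) next to rootCA.pem; the isp-a home host only needs the public root certificate to trust the lab services, so copy just rootCA.pem there and keep the full tree (wildcard cert and key) for kaz/prod. Three smaller points: `git checkout fe59ef1f` pins snster to an abbreviated SHA, which can become ambiguous as the upstream repository grows, so pin the full 40-character commit; `btrsize=$(( $freespace - 5000000 ))` goes negative when /root has under 5 GB free and `truncate` then fails with an unhelpful error, so check `freespace` first; and the sed on `/usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py` hardcodes the interpreter version and is a silent no-op if the pattern is absent, so follow it with `grep -q "bdevtype='btrfs'"` to fail loudly. If the `kaz.local` entries in /etc/hosts are kept while the certificates now cover `*.kaz.sns`, those host names no longer match anything the wildcard certificate is issued for, and `export KAZGUARD='true'` appears twice in this file, so check that only one copy survives.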

files/vm-upgrade.sh Executable file

@ -0,0 +1,47 @@
#!/bin/bash
# Upgrade de tout sauf kaz-prod
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
set -e
# On met à jour SNSTER
cd /root/snster
git switch main
git pull
./install.sh
# hotfix pour btrfs
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# On récupère le dernier kaz-vagrant
cd /tmp
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
cd /tmp/kaz-vagrant
git switch develop-snster
# On écrase les anciens fichiers
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On détruit et reconstruit tout sauf kaz-prod
SNSTER="snster -c /root/snster-kaz"
$SNSTER destroy isp-a-home
$SNSTER destroy isp-a-infra
$SNSTER destroy isp-a-router
$SNSTER destroy kaz-router
$SNSTER destroy mica-router
$SNSTER destroy mica-infra
$SNSTER destroy opendns-router
$SNSTER destroy opendns-resolver
$SNSTER destroy root-p-router
$SNSTER destroy root-p-rootns
$SNSTER destroy tld-sns-router
$SNSTER destroy tld-sns-ns
$SNSTER destroy transit-a-router
$SNSTER create
$SNSTER start
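Review bot: `git switch main`, `git pull`, `./install.sh` moves snster to whatever main currently is, while vm-install.sh pins `fe59ef1f`, so an upgraded VM runs a different snster than a freshly built one and the LxcBackend.py sed hotfix that follows can silently stop matching; pin the same commit (or a tag) here and bump both together. In the `|| (cd kaz-vagrant && git pull)` fallback the pull runs before `git switch develop-snster`, so it updates whichever branch the checkout was left on; switch first, then pull. `cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/` merges into the existing tree and never removes files deleted upstream (`rsync -a --delete` would), and the destroy list is hand-maintained, so any host added to snster-kaz without an entry here survives the "rebuild everything except kaz-prod". The `cp -ar /etc/letsencrypt` into isp-a/home again copies the CA private key to a client host; only rootCA.pem is needed there.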


@ -3,14 +3,14 @@
set -e
# Get HD filename
FILENAME=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
FILENAME=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# Split the dir and filename
DIR=`dirname "$FILENAME"`
FILE=`basename "$FILENAME"`
# Get HD UUID
UUID=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
UUID=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' | sed -e 's/[ \t]*$//'`
# echo -e $DIR
# echo -e $FILE
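Review bot: the VM name `kaz-vm` is now hardcoded twice here and once more in trim_enable.sh; read it from a single variable. The `grep SATA | grep UUID | cut ... | sed` parsing of the human-readable `showvminfo` output is fragile (a second medium on the SATA controller, such as an ISO, yields two lines and corrupts `FILENAME` and `UUID`); trim_enable.sh already uses `--machinereadable`, and a `cut -d= -f2` on the `...-ImageUUID-0-0` key would be more robust here as well.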

trim_enable.sh Executable file

@ -0,0 +1,16 @@
#!/usr/bin/env bash
set -e
# Get HD UUID
HDUUID=`vboxmanage showvminfo kaz-vm --machinereadable | grep ImageUUID | cut -d= -f2 | sed -e "s/\"//g"`
# Get storage controller
STCTRL=`vboxmanage showvminfo kaz-vm --machinereadable | grep storagecontrollername0 | cut -d= -f2 | sed -e "s/\"//g"`
#echo -e $HDUUID
#echo -e $STCTRL
vboxmanage storageattach kaz-vm --medium="$HDUUID" --storagectl="${STCTRL}" --port=0 --discard=on --nonrotational=on
echo "Trim enabled !"