Compare commits


No commits in common. "f0270a56eceaa5da3d65e3425c060d5f86397283" and "1dd6092aa83f3fa5b839c9dd6b32bf5b80be2891" have entirely different histories.

32 changed files with 135 additions and 522 deletions

View File

@ -11,7 +11,7 @@ Nous utilisons :
* LXC pour faire tourner ces services dans des conteneurs distincts (ie, kaz-prod est un conteneur LXC)
* Docker pour chaque service de notre serveur
À la fin, nous obtenons une maquette d'un petit internet simulé, avec du DNS, des mails tiers, et nos serveurs hoster-a-kaz1 et hoster-b-kaz2 dans un coin.
À la fin, nous obtenons une maquette d'un petit internet simulé, avec du DNS, des mails tiers, et notre serveur kaz-prod dans un coin.
![topologie](/doc/images/topologie.png)
@ -36,7 +36,7 @@ cd kaz-vagrant/
vagrant up
```
Cette étape peut-être (très) longue, notamment la construction des machines Kaz... Comptez entre 40 minutes et quelques heures, selon la connexion réseau et les performances de la machine.
Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem plus lent qu'en natif... Comptez entre 40 minutes et quelques heures, selon la connexion réseau et les performances de la machine.
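Review bot: "peut-être" on both the removed and the added line is the adverb ("perhaps"); the sentence needs the verb form "peut être" ("can be"): "Cette étape peut être (très) longue." Otherwise the added explanation (LXC container, slower filesystem for the docker overlays) is a useful addition.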
@ -52,10 +52,9 @@ cd /root/snster-kaz
snster start
```
Normalement, hoster-a-kaz1 et hoster-b-kaz2 lancent automatiquement les dockers (dans rc.local), mais si ça ne marche pas bien il peut falloir les relancer (que se passe-t-il si on relance container.sh pendant que container.sh n'est pas encore fini ? faut-il l'enlever du rc.local ? Le lancement initial peut rater, probablement si le DNS n'est pas encore fonctionnel lors du lancement, à mettre au point et peut-être enlever du rc.local ?)
Normalement, kaz-prod lance automatiquement les dockers (dans son rc.local), mais si ça ne marche pas bien il peut falloir les relancer (que se passe-t-il si on relance container.sh pendant que container.sh n'est pas encore fini ? faut-il l'enlever du rc.local ? Le lancement initial peut rater, probablement si le DNS n'est pas encore fonctionnel lors du lancement, à mettre au point et peut-être enlever du rc.local ?)
```bash
snster attach hoster-a-kaz1 -x /kaz/bin/container.sh start
snster attach hoster-b-kaz2 -x /kaz/bin/container.sh start
snster attach kaz-prod -x /kaz/bin/container.sh start
```
Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/root/snster-kaz`) :
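Review bot: the added line keeps the open question about `container.sh` being started from rc.local and then again by hand before the first run has finished, now for kaz-prod. Rather than documenting the race, make `container.sh start` take an exclusive lock (a `flock -n` on a lock file under /run is the usual way) or have the rc.local entry wait until the resolver answers before starting the dockers; the README can then drop the parenthesis, and the "le lancement initial peut rater" failure mode gets a real fix instead of a retry instruction.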
@ -63,16 +62,15 @@ Vous pouvez alors (toutes les commandes snster doivent être exécutées dans `/
* Ouvrir Firefox et naviguer vers :
* `https://www.kaz.sns`, le Kaz interne à la VM
* `https://listes.kaz.sns`, le sympa interne à la VM
* `https://pad2.kaz.sns`, le pad sur kaz2
* `https://www.kaz.bzh`, le vrai Kaz
* Ouvrir claws-mail et retrouver les comptes mails configurés :
* `contact1@kaz.sns` à `contact4@kaz.sns`, hébergés sur le kaz-prod de la VM
* `email@isp-a.sns`, hébergé dans le conteneur LXC isp-a-infra
* Travailler sur hoster-a-kaz1 : `snster attach hoster-a-kaz1`
* Travailler sur kaz-prod : `snster attach kaz-prod`
* Afficher un plan de réseau : `snster print`
* Le système de fichiers de hoster-a-kaz1 est accessible directement dans la VM:
* `/kaz1-prod/` [VM] correspond à `/` [hoster-a-kaz1]
* `/kaz` [VM] correspond à `/kaz` [hoster-a-kaz1]
* Le système de fichiers de kaz-prod est accessible directement dans la VM:
* `/kaz-prod/` [VM] correspond à `/` [kaz-prod]
* `/kaz` [VM] correspond à `/kaz` [kaz-prod]
* Il est probablement pratique d'installer son environnement de développement sur la VM, avec ses clés SSH et son éditeur favori.
Il y a un aperçu de l'état des services avec l'url https://kaz.sns/status/allServices.html
@ -95,9 +93,9 @@ Il vous faudra accepter les éventuelles alertes de sécurité pour certificat a
## Mise au point
Pour réinstaller Kaz sur kaz1 (avec suppression de /kaz, des volumes dockers et réinstallation complète; idem kaz2), depuis la VM :
Pour réinstaller Kaz sur kaz-prod (avec suppression de /kaz, des volumes dockers et réinstallation complète), depuis la VM :
```bash
snster attach hoster-a-kaz1 -x "/root/kaz.sh"
snster attach kaz-prod -x "/root/kaz.sh"
```
Pour détruire la VM et recommencer, depuis l'hôte :

Vagrantfile (vendored): 2 changed lines
View File

@ -27,7 +27,7 @@ Vagrant.configure("2") do |config|
config.vm.box = "debian/bullseye64"
config.vm.hostname = 'kaz-vm'
config.disksize.size = '50GB'
config.disksize.size = '32GB'
config.vm.provider "virtualbox" do |vb|
vb.memory = "4096"
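Review bot: the disk goes from `50GB` to `32GB` with no explanation in the diff. The README hunk in this same change says the kaz-prod build runs the docker overlays inside an LXC container and takes up to a few hours, so every image layer and docker volume lands on this one disk; confirm that 32GB still leaves headroom after a full install (the deleted install notes further down mention a 30G btrfs image for /var/lib/docker alone), and say in the commit message why it was reduced.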

Binary file not shown (image). Before: 103 KiB. After: 156 KiB.

View File

@ -1,2 +0,0 @@
proxy
#traefik

View File

@ -1,43 +0,0 @@
$TTL 86400
$ORIGIN kaz.sns.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
IN MX 10 smtp.kaz.sns.
IN A 100.80.0.2
ns IN A 100.80.0.2
kaz1 IN A 100.80.0.2
kaz2 IN A 100.81.0.2
smtp IN CNAME kaz1
imap IN CNAME kaz1
www IN CNAME kaz1
mail IN CNAME kaz1
cloud IN CNAME kaz1
tableur IN CNAME kaz1
dashboard IN CNAME kaz1
dashboard2 IN CNAME kaz2
sondage IN CNAME kaz1
webmail IN CNAME kaz1
garradin IN CNAME kaz1
wiki IN CNAME kaz1
git IN CNAME kaz1
office IN CNAME kaz1
depot IN CNAME kaz1
ldap IN CNAME kaz1
mobilizon IN CNAME kaz1
mdp IN CNAME kaz1
koffre IN CNAME kaz1
pad IN CNAME kaz1
agora IN CNAME kaz1
listes IN MX 10 listes
pad2 IN CNAME kaz2
listes IN A 100.80.1.2
firewall IN A 100.80.0.1
firewall IN AAAA 2001:db8:80::0:1
router IN A 100.80.0.1
router IN AAAA 2001:db8:80::0:1

View File

@ -1,40 +0,0 @@
version: 1
header:
name: Hoster-B AS
comment: AS of the second hoster of Kaz CHATONS
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.11/24
ipv6: 2001:db8:b000::11/48
eth1:
bridge: hb-lan1
ipv4: 100.81.0.1/24
templates:
- bgprouter:
asn: 11
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: kaz.sns
kaz2:
network:
interfaces:
eth0:
bridge: hb-lan1
ipv4: 100.81.0.2/24
gatewayv4: 100.81.0.1
templates:
- updatecaroots:
- resolv:
domain: kaz.sns
ns: 100.100.100.100

View File

@ -1,4 +0,0 @@
# e-mail server composer
#ldap
#postfix
#sympa

View File

@ -1 +0,0 @@
# orga composer

View File

@ -1,2 +0,0 @@
#proxy
traefik

View File

@ -1,12 +0,0 @@
#cloud
#dokuwiki
#framadate
#garradin
#gitea
#jirafeau
#mattermost
#roundcube
#keycloak
#mobilizon
#vaultwarden
#ldap

View File

@ -1,8 +0,0 @@
#cachet
#jirafeau
#ethercalc
#collabora
etherpad
#quotas
#web
#vigilo

View File

@ -1,135 +0,0 @@
# Les variables d'environnements utilisées
# par les dockers via le lien :
# .env -> ../../config/dockers.env
#######################################
# prod / dev / local
mode=local
########################################
# choix du domaine
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
domain=kaz.sns
########################################
# choix du domaine des mails sympa
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
domain_sympa=listes.kaz.sns
########################################
# choix d'un serveur partiel
# site=site-2
site=kaz2
acme_server="https://ca.mica.sns/acme/acme/directory"
########################################
# Pour garradin qui met en "dure" dans
# sa config l'URL pour l'atteindre
# prod=https (gandi) / dev=https (letsencrypt) / local=http
httpProto=https
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
MAIN_IP=100.81.0.2
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
SYMPA_IP=100.81.1.2
########################################
# noms des services
# ou www (mais bof)
webHost=
cachetHost=cachet
calcHost=tableur
cloudHost=cloud
dateHost=sondage
dokuwikiHost=wiki
fileHost=depot
garHost=garradin
gitHost=git
gravHost=grav
ldapHost=ldap
matterHost=agora
officeHost=office
padHost=pad2
quotasHost=quotas
smtpHost=smtp
sympaHost=listes
vigiloHost=vigilo
webmailHost=webmail
wordpressHost=wp
ldapUIHost=mdp
mobilizonHost=mobilizon
vaultwardenHost=koffre
traefikHost=dashboard2
########################################
# ports internes
matterPort=8000
########################################
# noms des containers
cachetServName=cachetServ
dokuwikiServName=dokuwikiServ
ethercalcServName=ethercalcServ
etherpadServName=etherpadServ
framadateServName=framadateServ
garradinServName=garradinServ
gitServName=gitServ
gravServName=gravServ
jirafeauServName=jirafeauServ
ldapServName=ldapServ
mattermostServName=mattermostServ
nextcloudServName=nextcloudServ
officeServName=officeServ
proxyServName=proxyServ
traefikServName=traefikServ
quotasServName=quotasServ
roundcubeServName=roundcubeServ
smtpServName=mailServ
sympaServName=sympaServ
vigiloServName=vigiloServ
webServName=webServ
wordpressServName=wpServ
mobilizonServName=mobilizonServ
vaultwardenServName=vaultwardenServ
cachetDBName=cachetDB
ethercalcDBName=ethercalcDB
etherpadDBName=etherpadDB
framadateDBName=framadateDB
gitDBName=gitDB
mattermostDBName=mattermostDB
nextcloudDBName=nextcloudDB
quotasDBName=quotasDB
roundcubeDBName=roundcubeDB
sympaDBName=sympaDB
vigiloDBName=vigiloDB
wordpressDBName=wpDB
mobilizonDBName=mobilizonDB
vaultwardenDBName=vaultwardenDB
ldapUIName=ldapUI
########################################
# politique de redémarrage
# prod=always / test=unless-stopped / local=no
restartPolicy=no
########################################
# devrait être dans env-jirafeauServ
# mais seuls les variables de ".env" sont
# utilisables pour le montage des volumes
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldap_root=dc=kaz,dc=sns
########################################
# services activés par container.sh
# variables d'environneements utilisées
# pour le tmpl du mandataire (proxy)

View File

@ -1,50 +0,0 @@
#!/bin/bash
if [ -z "${SNSTERGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export OUTPUT_DIR="/root/install"
mkdir -p "${OUTPUT_DIR}/log/"
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
cp "${DIR}/kaz-config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${DIR}/kaz-config/container-${type}.list" ] &&
cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/
done
# copie certif de la CA locale pour traefik (nécessaire pour ACME/Smallstep)
cp /usr/local/share/ca-certificates/root_ca.crt /kaz/dockers/traefik/conf/
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
echo -e "\n #### install\n"
/kaz/bin/install.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

View File

@ -1,131 +0,0 @@
#!/bin/bash
# Target DMZ
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# Go KAZ !
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix jq ldapvi argon2 docker.io docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
usermod -G docker debian
# docker-compose
curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# On met le GUARD pour la mise au point
echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates --fresh
mkdir -p /etc/letsencrypt/live/kaz.sns
cp tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem
cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem
# On sauve le proxy APT
proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
# Proxy pour les environnements durant les dockerbuilds
mkdir /root/.docker
echo "{
\"proxies\":
{
\"default\":
{
\"httpProxy\": \"http://$proxy:3142\",
\"httpsProxy\": \"http://$proxy:3142\",
\"noProxy\": \"*.sns,127.0.0.1,localhost,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,agora\"
}
}
}" > /root/.docker/config.json
# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
# echo "http_proxy=\"http://$proxy:3142\"
# https_proxy=\"http://$proxy:3142\"
# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
# " >> /etc/default/docker
# On active btrfs+registry miroir pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs",
"registry-mirrors": ["http://$proxy:5000"] }
EOF
service docker restart
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
# On installe Kaz
docker network create postfixNet # temp fix
ifconfig lo:0 100.81.0.2
echo "100.81.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns dashboard dashboard.kaz.sns" >> /etc/hosts
cp "${DIR}/kaz.sh" /root/kaz.sh
cp -ar "${DIR}/kaz-config" /root/
chmod +x /root/kaz.sh
bash "/root/kaz.sh"
sed -i -e "s/100.81.0.2.*//g" /etc/hosts
# On démarre au boot
echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
chmod +x /etc/rc.local
# notes fuse-overlayfs :
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker

View File

@ -15,16 +15,17 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On configure les comptes mail
if [ -f /clawsmail/addclawsuser.sh ]; then
su debian /clawsmail/addclawsuser.sh contact1 kaz.sns contact1@kaz.sns tototototo 1
su debian /clawsmail/addclawsuser.sh contact2 kaz.sns contact2@kaz.sns tototototo 2
su debian /clawsmail/addclawsuser.sh contact3 kaz.sns contact3@kaz.sns tototototo 3
su debian /clawsmail/addclawsuser.sh contact4 kaz.sns contact4@kaz.sns tototototo 4
su debian /clawsmail/addclawsuser.sh contact1 kaz.sns contact1@kaz.sns toto 1
su debian /clawsmail/addclawsuser.sh contact2 kaz.sns contact2@kaz.sns toto 2
su debian /clawsmail/addclawsuser.sh contact3 kaz.sns contact3@kaz.sns toto 3
su debian /clawsmail/addclawsuser.sh contact4 kaz.sns contact4@kaz.sns toto 4
su debian /clawsmail/addclawsuser.sh email isp-a.sns email email 5
fi
# On place les certifs
if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/root.crt
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
/usr/sbin/update-ca-certificates --fresh
fi
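Review bot: the guard changes from a file test on `tls/root_ca.crt` to `[ -d letsencrypt ]`; if the directory is missing from the provisioning tree the CA install is skipped silently, and claws-mail will then refuse the `*.kaz.sns` wildcard certificate with nothing in the provisioning log to explain it. Add an `else` branch that prints a warning or exits non-zero. Also, the `contact1..4` passwords shortened to `toto` must stay in step with `createUser.txt`, which this change edits to the same value; a single source for those test credentials would avoid the two files drifting apart again.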

View File

@ -1,8 +1,8 @@
version: 1
header:
name: Hoster-A AS
comment: AS of the first hoster of Kaz CHATONS
name: Target AS
comment: AS of the Target organization
hosts:
router:
@ -14,10 +14,10 @@ hosts:
ipv4: 100.64.0.10/24
ipv6: 2001:db8:b000::10/48
eth1:
bridge: ha-lan1
bridge: kaz-lan1
ipv4: 100.80.0.1/24
eth2:
bridge: ha-lan2
bridge: kaz-lan2
ipv4: 100.80.1.1/24
templates:
- bgprouter:
@ -29,14 +29,14 @@ hosts:
ns: 100.100.100.100
domain: kaz.sns
kaz1:
prod:
network:
interfaces:
eth0:
bridge: ha-lan1
bridge: kaz-lan1
ipv4: 100.80.0.2/24
eth1:
bridge: ha-lan2
bridge: kaz-lan2
ipv4: 100.80.1.2/24
gatewayv4: 100.80.0.1
templates:

View File

@ -19,7 +19,7 @@
# --
# NOM ; PRENOM ; EMAIL_SOUHAITE ; EMAIL_SECOURS ; ORGA ; ADMIN_ORGA ; NC_ORGA ; GARRADIN_ORGA ; WP_ORGA ; AGORA_ORGA ; WIKI_ORGA ; NC_BASE ; GROUPE_NC_BASE ; EQUIPE_AGORA ; QUOTA
Hello1;Contact1;contact1@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;1;tototototo
Hello2;Contact2;contact2@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;1;tototototo
Hello3;Contact3;contact3@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;10;tototototo
Hello4;Contact4;contact4@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;10;tototototo
Hello1;Contact1;contact1@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;1;toto
Hello2;Contact2;contact2@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;1;toto
Hello3;Contact3;contact3@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;10;toto
Hello4;Contact4;contact4@kaz.sns;contact2@kaz.sns; ;N;N;N;N;N;N;N; ; ;10;toto
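Review bot: the header comment lists 15 columns (NOM through QUOTA) but every data row carries a 16th field, the password this hunk changes to `toto`; add the password column to the header so the format is documented. These are lab accounts, but now that the value is four characters, check that the user-creation script's own password rules, and those of the services it provisions, accept it, otherwise the four accounts will fail to be created and the claws-mail profiles set up in the isp-a hunk will point at nothing.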

View File

@ -0,0 +1,2 @@
proxy
#traefic
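Review bot: `#traefic` is a typo for `traefik` (the deleted copy of this list earlier in the diff spells it `#traefik`). It is commented out, so it has no effect today, but uncommenting it later would enable a service name that matches no docker directory and fail silently; fix the spelling before the file gets copied around.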

View File

@ -3,7 +3,7 @@ jirafeau
ethercalc
collabora
ethercalc
etherpad
#etherpad
quotas
web
#vigilo
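Review bot: `ethercalc` appears twice in this file (the context line above `collabora` and the one below it). If `container.sh` iterates over the list, the service may be started, stopped or built twice; drop one of the two entries. Unrelated to the etherpad toggle this hunk makes, but it is in the same lines and worth fixing while here.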

View File

@ -19,8 +19,7 @@ domain_sympa=listes.kaz.sns
########################################
# choix d'un serveur partiel
# site=site-2
site=kaz1
acme_server="https://ca.mica.sns/acme/acme/directory"
site=
########################################
# Pour garradin qui met en "dure" dans
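Review bot: `site=` is now empty and the `acme_server=` line is dropped with it. That matches the switch from the smallstep ACME CA to mkcert-issued wildcard files elsewhere in this change, but grep the traefik docker templates for `acme_server` before merging: a template that still expands the variable will get an empty string, and traefik will then either fall back to its default ACME endpoint (which is unreachable from the lab) or fail to start.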

View File

@ -0,0 +1,39 @@
$TTL 86400
$ORIGIN kaz.sns.
@ 1D IN SOA ns.kaz.sns. hostmaster.kaz.sns. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; nxdomain ttl
)
IN NS ns.kaz.sns.
IN MX 10 smtp.kaz.sns.
IN A 100.80.0.2
ns IN A 100.80.0.2
dmz IN A 100.80.0.2
smtp IN CNAME dmz
imap IN CNAME dmz
www IN CNAME dmz
mail IN CNAME dmz
cloud IN CNAME dmz
tableur IN CNAME dmz
dashboard IN CNAME dmz
webmail IN CNAME dmz
garradin IN CNAME dmz
wiki IN CNAME dmz
git IN CNAME dmz
office IN CNAME dmz
depot IN CNAME dmz
ldap IN CNAME dmz
mobilizon IN CNAME dmz
mdp IN CNAME dmz
koffre IN CNAME dmz
pad IN CNAME dmz
agora IN CNAME dmz
listes IN MX 10 listes
listes IN A 100.80.1.2
firewall IN A 100.80.0.1
firewall IN AAAA 2001:db8:80::0:1
router IN A 100.80.0.1
router IN AAAA 2001:db8:80::0:1
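Review bot: the SOA serial `2002022401` is identical to the one in the deleted zone above, while the record set differs (kaz1, kaz2, pad2 and dashboard2 are gone, `dmz` is new). Secondaries and caches compare serials to decide whether to refetch a zone, so bump the serial whenever the content changes (the YYYYMMDDnn form already in use here works); otherwise the old data can be served until it expires.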

View File

@ -55,12 +55,11 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
mkdir -p /etc/letsencrypt/live/kaz.sns
cp tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem
cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem
fi
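Review bot: the removed `mkdir -p /etc/letsencrypt/live/kaz.sns` plus two `cp` lines are replaced by copying the whole tree, and in the vagrant script of this change `live/kaz.sns/fullchain.pem` and `privkey.pem` are relative symlinks (`../../local/_wildcard.kaz.sns.pem`, `../../local/kaz.sns.key`). `cp -ar` preserves them, so this works only as long as `local/` travels together with `live/`; if the copy is ever trimmed to just `live/` (which is all this host needs besides the public root), dereference the links with `cp -L`, otherwise traefik will open two dangling symlinks. The root certificate is installed as `rootCA.crt` here and as `root.crt` in the isp-a script; one name would be easier to grep for.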
# On sauve le proxy APT
proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
@ -77,7 +76,7 @@ echo "{
{
\"httpProxy\": \"http://$proxy:3142\",
\"httpsProxy\": \"http://$proxy:3142\",
\"noProxy\": \"*.sns,127.0.0.1,localhost,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,agora\"
\"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
}
}
}" > /root/.docker/config.json
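Review bot: the new `noProxy` drops `127.0.0.1`, `localhost` and `agora`. `127.0.0.0/8` still covers the loopback address itself, but `localhost` as a hostname and the bare name `agora` (the mattermost host in the kaz env file deleted in this change) will now be sent to the apt-cacher proxy on port 3142 during image builds; if that was not the intent, keep them in the list.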
@ -102,7 +101,7 @@ DEBIAN_FRONTEND=noninteractive apt-get clean
# On installe Kaz
ifconfig lo:0 100.80.0.2
ifconfig lo:1 100.80.1.2
echo "100.80.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns dashboard dashboard.kaz.sns" >> /etc/hosts
echo "100.80.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns" >> /etc/hosts
echo "100.80.1.2 listes listes.kaz.sns" >> /etc/hosts
cp "${DIR}/kaz.sh" /root/kaz.sh
cp "${DIR}/createUser.txt" /root/

View File

@ -11,8 +11,8 @@ hosts:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.140/24
ipv6: 2001:db8:b000::140/48
ipv4: 100.64.1.140/24
ipv6: 2001:db8:b001::140/48
eth1:
bridge: mica-lan
ipv4: 100.82.0.1/16

View File

@ -14,23 +14,13 @@ apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
cp dns.conf /etc/unbound/unbound.conf.d/
# On place les certifs
if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates --fresh
fi
# Install smallstep CA / ACME server
cd /tmp
wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb"
dpkg -i step-cli_0.24.4_amd64.deb
wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2/step-ca_0.24.2_amd64.deb"
dpkg -i step-ca_0.24.2_amd64.deb
echo "password" > /root/ca-passwordfile
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca.key"
echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
chmod +x /etc/rc.local
wget https://github.com/smallstep/cli/releases/download/v0.17.2/step-cli_0.17.2_amd64.deb
dpkg -i step-cli_0.17.2_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.17.2/step-ca_0.17.2_amd64.deb
dpkg -i step-ca_0.17.2_amd64.deb
# step ca init
# step ca root root.crt
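Review bot: with the smallstep ACME setup gone (and the `echo "password" > /root/ca-passwordfile` line with it), the context lines still download and `dpkg -i` step-cli and step-ca 0.17.2, followed only by commented-out `step ca init` / `step ca root` calls. Nothing in the new file uses them, so delete those four lines too: fetching and installing a CA package that is never configured is dead weight and one more binary to keep current on the infra host.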

View File

@ -20,8 +20,8 @@ hosts:
- bgprouter:
asn: 30
asdev: eth1
neighbors4: 100.64.0.10 as 10;100.64.0.11 as 11;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.0.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::11 as 11; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b000::140 as 12
neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
- resolv:
ns: 100.100.100.100
domain: transit-a.sns
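Review bot: the mica peer moves to `100.64.1.140 as 12` / `2001:db8:b001::140 as 12` while every other transit-a peer stays in `100.64.0.0/24` and `2001:db8:b000::/48`, and the mica router hunk in this change gives it `100.64.1.140/24` on the same `transit-a` bridge. An eBGP session needs a directly connected peer unless multihop is configured, so check that this router also has an address in `100.64.1.0/24` and `2001:db8:b001::/48` on that bridge; otherwise the session to AS 12 never comes up and the `ca.mica.sns` side of the lab is unreachable.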

View File

@ -143,22 +143,48 @@ SystemMaxFileSize=2M
EOF
fi
# CA et certifs avec smallstep
# CA et certifs avec mkcert
echo -e "\n #### smallstep\n"
cd /tmp
wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb"
dpkg -i step-cli_0.24.4_amd64.deb
echo "password" > /root/ca-passwordfile
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile"
echo -e "\n #### mkcert\n"
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools
mkdir -p /root/tls
cp /root/.step/certs/root_ca.crt /root/tls/root_ca.crt
chmod 644 /root/tls/root_ca.crt
cp /root/.step/secrets/root_ca_key /root/tls/root_ca.key
step crypto change-pass /root/tls/root_ca.key --no-password --insecure --password-file="/root/ca-passwordfile" --force
mkdir -p /root/mkcert
cd /root/mkcert
if [ ! -f mkcert ]; then
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
chmod +x mkcert
mkdir -p /etc/letsencrypt/local/
export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}"
cat > "${CAROOT}/kaz.sns.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure --not-after 20000h
[ dn ]
CN = *.kaz.sns
emailAddress = admin@kaz.sns
O = KAZ
OU = Dev
L = Vannes
ST = France
C = FR
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = *.kaz.sns
EOF
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout kaz.sns.key -out kaz.sns.csr -config kaz.sns.cnf
/root/mkcert/mkcert -csr "${CAROOT}/kaz.sns.csr" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.sns/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
ln -s ../../local/kaz.sns.key /etc/letsencrypt/live/kaz.sns/privkey.pem
fi
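Review bot: the CSR's `[alt_names]` only has `DNS.0 = *.kaz.sns`; a wildcard does not match the apex, and the README in this same change points at `https://kaz.sns/status/allServices.html`, so that URL will show a certificate error. Add `DNS.1 = kaz.sns`. Also note that with `CAROOT=/etc/letsencrypt/local/`, `mkcert -install` writes the CA private key (`rootCA-key.pem`) next to `rootCA.pem` in that directory, which later hunks copy wholesale into the container trees. Minor: `ST = France` is the state/province field; `C = FR` already carries the country.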
# Cache docker registry
echo "proxy:
@ -193,30 +219,24 @@ auth:
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys
cp -ar /root/tls /root/snster-kaz/hoster-a/kaz1/
cp -ar /root/tls /root/snster-kaz/hoster-b/kaz2/
cp -ar /root/tls /root/snster-kaz/isp-a/home/
cp -ar /root/tls /root/snster-kaz/mica/infra/
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
ln -s /var/lib/lxc/kaz-hoster-a-kaz1/rootfs/ /kaz1-prod
ln -s /var/lib/lxc/kaz-hoster-b-kaz2/rootfs/ /kaz2-prod
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# quelques détails
# Build SNSTER KAZ !
snster -c /root/snster-kaz create
cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
chmod +x /root/vm-upgrade.sh
echo -e '#!/bin/sh\nsnster -c /root/snster-kaz start' >> /etc/rc.local
chmod +x /etc/rc.local
# Build SNSTER KAZ !
snster -c /root/snster-kaz create
echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
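Review bot: `cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/` and the same into `isp-a/home/` copy the whole tree, and with mkcert's CAROOT set to `/etc/letsencrypt/local/` that tree holds `rootCA-key.pem`. The isp-a home client only needs the public `rootCA.pem` to trust the lab CA, and prod only needs `live/kaz.sns/` plus `rootCA.pem`; copy exactly that and keep the CA key on the VM, so that a compromised lab container cannot issue certificates for arbitrary names. The `ln -s /kaz-prod/kaz /kaz` link is created before `snster create` builds the container, which is fine (it dangles until the rootfs exists) but deserves a comment.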

View File

@ -15,29 +15,22 @@ git pull
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# On récupère le dernier kaz-vagrant
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
cd /tmp
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git fetch && git switch "${KAZBRANCH}" && git pull)
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
cd /tmp/kaz-vagrant
git switch "${KAZBRANCH}"
# On écrase les anciens fichiers
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
# crypto keys
cp -ar /root/tls /root/snster-kaz/hoster-a/kaz1/
cp -ar /root/tls /root/snster-kaz/hoster-b/kaz2/
cp -ar /root/tls /root/snster-kaz/isp-a/home/
cp -ar /root/tls /root/snster-kaz/mica/infra/
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On détruit et reconstruit tout sauf kaz-prod
SNSTER="snster -c /root/snster-kaz"
$SNSTER destroy isp-a-home
$SNSTER destroy isp-a-infra
$SNSTER destroy isp-a-router
$SNSTER destroy hoster-a-router
$SNSTER destroy hoster-b-router
$SNSTER destroy kaz-router
$SNSTER destroy mica-router
$SNSTER destroy mica-infra
$SNSTER destroy opendns-router
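Review bot: the `KAZBRANCH` default (`if [ -z "${KAZBRANCH}" ]; then KAZBRANCH="master"; fi`) is removed, but the added `git switch "${KAZBRANCH}"` still runs; with the variable unset it executes `git switch ""`, which fails and, if the script runs with `set -e`, aborts the upgrade before the destroy/create steps. Restore the default or guard the switch with `[ -n "${KAZBRANCH}" ]`. The `cp -ar /etc/letsencrypt` copies here have the same CA-private-key concern as in the vagrant script.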