diff --git a/container.json b/container.json
index f6c36e8..bd19b28 100644
--- a/container.json
+++ b/container.json
@@ -1,14 +1,18 @@
 {
 "zone": {
 "soa": "ns1.higgsboson.tk.",
- "serial": 124,
+ "serial": 149,
 "refresh": "1H",
 "hostmaster": "hostmaster.higgsboson.tk",
 "domain": "eve.higgsboson.tk",
+ "ttl": 300,
+ "a": "148.251.132.243",
+ "aaaa": "2a01:4f8:210:31fd::1",
 "retry": "4H",
 "expire": "3W",
 "minimum": "1D",
 "v4_subnet": "192.168.66.0/24",
+ "dn42_v4_subnet": "172.23.75.0/24",
 "v6_subnet": "2a01:4f8:210:31fd:1::/80"
 },
 "network": {
@@ -19,17 +23,17 @@
 },
 "tinc2": {
 "ipv4": "188.166.16.37",
- "ipv6": "2a03:b0c0:2:d0::2a5:f004",
+ "ipv6": "2a03:b0c0:0:1010::3d:b003",
 "lxc": false
 },
 "eve": {
+ "ipv4": "192.168.66.1",
 "ipv6": "2a01:4f8:210:31fd::1",
- "ipv4": "148.251.132.243",
 "lxc": false
 },
 "eva": {
+ "ipv4": "192.168.67.1",
 "ipv6": "2a03:b0c0:2:d0::2a5:f001",
- "ipv4": "188.166.16.37",
 "lxc": false
 },
 "bridge": {
@@ -68,23 +72,27 @@
 "ns1": {
 "ns": true,
 "lxc": false,
- "rdns6": "ns1.higgsboson.tk",
- "ipv4": "192.168.66.6/32",
+ "ipv4": "148.251.132.243/32",
 "ipv6": "2a01:4f8:210:31fd:1::6/128"
 },
 "ns2": {
 "ns": true,
 "lxc": false,
- "ipv4": "192.168.67.1/32",
- "ipv6": "2a03:b0c0:2:d0:1::1/128"
+ "ipv4": "188.226.214.194/32",
+ "ipv6": "2a03:b0c0:0:1010::3d:b002/128"
 },
 "dns": {
 "ipv4": "192.168.66.6/32",
 "ipv6": "2a01:4f8:210:31fd:1::6/128",
 "rdns6": "ns1.higgsboson.tk",
- "dn42": {
- "ipv4": "172.23.75.4"
- }
+ "dn42_ipv4": "172.23.75.6/32",
+ "dn42_ipv6": "fdc0:4992:6a6d:6::1/64"
+ },
+ "dn42": {
+ "ipv4": "192.168.66.31/32",
+ "ipv6": "2a01:4f8:210:31fd:1::1f/128",
+ "dn42_ipv4": "172.23.75.1/32",
+ "dn42_ipv6": "fdc0:4992:6a6d:1::1/64"
 },
 "faces": {
 "ipv4": "192.168.66.7/32",
@@ -132,7 +140,8 @@
 "mysql",
 "pdo_mysql"
 ]
- }
+ },
+ "lxc": false
 },
 "phppgadmin": {
 "ipv4": "192.168.66.13/32",
@@ -143,7 +152,8 @@
 "pgsql",
 "pdo_pgsql"
 ]
- }
+ },
+ "lxc": false
 },
 "adminer": {
 "ipv4": "192.168.66.14/32",
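Review bot: The `zone` block gains `dn42_v4_subnet` but no matching `dn42_v6_subnet`, while the `dns` and `dn42` entries further down now carry `/64` dn42 IPv6 addresses; container.rb in this same commit reads `zone["dn42_v6_subnet"]` and silently falls back to a fixed 48 when the key is absent, so the IPv6 side of the dn42 interfaces is configured from a hard-coded default instead of from this file. Add the allocation next to the v4 one, e.g. `"dn42_v6_subnet": "fdc0:4992:6a6d::/48",` — substitute the actual parent prefix of those /64s, which I cannot see from here. Keeping both keys explicit also means a later change to the fallback in container.rb cannot quietly re-address the dn42 interfaces.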
@@ -339,6 +349,10 @@
 ]
 }
+ },
+ "terraria": {
+ "ipv4": "192.168.66.34/32",
+ "ipv6": "2a01:4f8:210:31fd:1::22/128"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/default.conf b/default.conf
index 58262c0..f8f6814 100644
--- a/default.conf
+++ b/default.conf
@@ -1,6 +1,20 @@
 lxc.autodev = 1
 lxc.kmsg = 0
-lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
+lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio
+
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+
+# Set the halt/stop signals
+lxc.haltsignal=SIGRTMIN+4
+lxc.stopsignal=SIGRTMIN+14
+
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
 lxc.network.type = veth
 lxc.network.link = br0
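Review bot: `lxc.cap.drop` still leaves `sys_admin`, `sys_boot` and `sys_ptrace` in the container even though the comment added next to `lxc.seccomp` in this hunk says these are privileged containers, so container root keeps the capabilities to mount filesystems and to call kexec_load/reboot, and the seccomp blacklist plus the device cgroup become the only real barriers. `sys_admin` is presumably retained for the fuse device allowed in the next hunk, but `sys_boot` has no such justification (common.seccomp lists kexec_load, so dropping the capability is cheap defense in depth): `lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio sys_boot`, and add `sys_ptrace` unless something in the containers must trace processes it did not spawn. A one-line comment above the drop list recording why `sys_admin` stays would keep the next reader from "fixing" it and breaking fuse.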
@@ -12,30 +26,45 @@ lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
 # cgroups
 lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
 lxc.cgroup.devices.allow = c *:* m
 lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
 lxc.cgroup.devices.allow = c 1:3 rwm
+### /dev/zero
 lxc.cgroup.devices.allow = c 1:5 rwm
+### /dev/full
 lxc.cgroup.devices.allow = c 1:7 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
 lxc.cgroup.devices.allow = c 4:1 rwm
+### /dev/tty
 lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
 lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
 lxc.cgroup.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
 lxc.cgroup.memory.soft_limit_in_bytes = 1500M
 lxc.cgroup.memory.limit_in_bytes = 2000M
 lxc.cgroup.cpu.shares = 256
 lxc.cgroup.blkio.weight = 500
-lxc.mount.entry = /data/pacman-cache var/cache/pacman/pkg none bind 0 0
+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
+lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
 lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0
 lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
-lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
-
 lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
 lxc.hook.clone = /etc/lxc/hooks/remove-journal
 lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config
diff --git a/evenet.conf b/evenet.conf
index 50f74bc..dd7a2bf 100644
--- a/evenet.conf
+++ b/evenet.conf
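Review bot: `/data/pacman/pkg` and `/data/pacman/sync` are bind-mounted read-write into every container that includes default.conf, so root in any one container (and these are privileged containers, per the comment on `lxc.seccomp`) can replace packages and sync databases that all the other containers — and the host, if it shares /data/pacman — will install from. The old `pacman-cache` line already exposed the package cache; this hunk extends the same trust relationship to the sync DBs, which decide what gets installed, and pacman's signature checks only contain this if every container runs with `SigLevel` requiring signed packages and databases, which is not visible here. Either mount the sync DBs read-only and refresh them from the host (`lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind,ro 0 0`), give each container its own directory, or at least record the shared-trust assumption in a comment above the two lines. The fuse and `/sys/fs/fuse/connections` entries look consistent with each other; `c 10:229` is the fuse control device.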
@@ -3,3 +3,4 @@ lxc.network.link = evenet
 lxc.network.flags = up
 lxc.network.name = eth1
 lxc.network.mtu = 1500
+lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
diff --git a/hooks/build-split-zone b/hooks/build-split-zone
new file mode 100755
index 0000000..cc624de
--- /dev/null
+++ b/hooks/build-split-zone
@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+require "resolv"
+require_relative "lib/lxc"
+
+class Resolver
+ def initialize
+ @stub_resolver = Resolv::DNS.new
+ @cache = {}
+ end
+ def resolve(name, delegated_subdomain, typeclass)
+ if name == "@"
+ fqdn = delegated_subdomain
+ else
+ fqdn = "#{name}.#{delegated_subdomain}"
+ end
+ result = @cache[fqdn + typeclass.to_s] ||= @stub_resolver.getresource(fqdn, typeclass)
+ if result == :no_record
+ nil
+ else
+ result
+ end
+ rescue Resolv::ResolvError => e
+ puts "warning: #{e}"
+ @cache[fqdn + typeclass.to_s] = :no_record
+ return nil
+ end
+ def a(name, delegated_subdomain)
+ result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::A)
+ return "" unless result
+ "#{name} A #{result.address.to_s}\n"
+ end
+ def aaaa(name, delegated_subdomain)
+ result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::AAAA)
+ return "" unless result
+ "#{name} AAAA #{result.address.to_s}\n"
+ end
+end
+
+template_path = Lxc::CONFIG_ROOT.join("templates/higgsboson.tk.zone.erb")
+template = Lxc::Template.new(template_path)
+serial = Time.new.to_i
+resolver = Resolver.new
+zones = [
+ ["zones/higgsboson.tk.zone", :pub],
+ ["zones/internal-eve.higgsboson.tk.zone", :eve],
+ ["zones/internal-eva.higgsboson.tk.zone", :eva],
+]
+zones.each do |zone, type|
+ template.write(zone, resolver: resolver, serial: serial, type: type)
+end
+Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")
diff --git a/hooks/dn42-routes b/hooks/dn42-routes
index 00d6927..8383db4 100755
--- a/hooks/dn42-routes
+++ b/hooks/dn42-routes
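Review bot: `Resolver#resolve` turns every `Resolv::ResolvError` into `:no_record` and `a`/`aaaa` then emit an empty string, so a lookup that fails during a run silently drops the affected AAAA records (and, for the internal zones, the A records) from the generated file, which the script then publishes with a fresh `Time.new.to_i` serial and `rndc reload` — secondaries will happily transfer the truncated zone. As far as I can tell from resolv.rb, `Resolv::DNS#getresource` folds SERVFAIL, REFUSED and even per-nameserver timeouts into the same plain `ResolvError` it raises for a genuinely empty answer, so the rescue cannot tell "no AAAA" from "resolver down", and the only safe policy is to refuse to publish when any lookup failed. Because every result is cached, a dry render pass can trigger all lookups before anything is written; the sketch below does that and aborts before `template.write` / `rndc reload` (the set of names that may legitimately lack a record, if any, would then need listing explicitly). Minor: `Resolv::DNS.new` with no arguments trusts whatever the host's /etc/resolv.conf points at; a comment saying which server is expected to answer for `eve.higgsboson.tk` would make that dependency visible.
```ruby
class Resolver
  attr_reader :failures
  def initialize
    @stub_resolver = Resolv::DNS.new
    @cache = {}
    @failures = []   # fqdns whose lookup raised; publishing is refused if non-empty
  end
  # … unchanged: resolve, except its rescue also does `@failures << fqdn` …
  # … unchanged: a, aaaa …
end
# … unchanged: template_path, template, serial, resolver, zones …
# Dry run: lookups are cached, so this resolves every name once
# without touching the zone files or BIND.
zones.each { |_zone, type| template.render(resolver: resolver, serial: serial, type: type) }
unless resolver.failures.empty?
  abort "build-split-zone: refusing to publish, unresolved: #{resolver.failures.uniq.join(", ")}"
end
zones.each do |zone, type|
  template.write(zone, resolver: resolver, serial: serial, type: type)
end
Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")
```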
@@ -1,5 +1,7 @@
 #!/bin/bash
-/usr/bin/ip route add 172.16.0.0/12 via 172.16.75.1 proto static metric 200
-/usr/bin/ip route add 10.0.0.0/8 via 172.16.75.1 proto static metric 200
-exit 0
+ip rule add from 172.23.75.0/24 table 42
+ip route add 192.168.66.0/24 via 172.23.75.4 dev eth1 table 42
+ip route add 172.16.0.0/12 via 172.23.75.1
+ip route add 10.0.0.0/8 via 172.23.75.1
+ip route flush cache
diff --git a/hooks/lib/lxc/container.rb b/hooks/lib/lxc/container.rb
index 125f91a..f70f8a7 100644
--- a/hooks/lib/lxc/container.rb
+++ b/hooks/lib/lxc/container.rb
@@ -16,13 +16,13 @@ module Lxc
 @ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24")
 @ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48")
- if subnet = zone["dn42_ipv4_subnet"]
+ if subnet = zone["dn42_v4_subnet"]
 @dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
 else
 @dn42_ipv4_netmask = 24
 end
- if subnet = zone["dn42_ipv6_subnet"]
+ if subnet = zone["dn42_v6_subnet"]
 @dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
 else
 @dn42_ipv6_netmask = 48
@@ -47,12 +47,12 @@ module Lxc
 ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)),
 ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask)))
 if @dn42_ipv4
- opts[:dn42_ipv4] = format_address(dn42_ipv6, dn42_ipv4_netmask)
+ opts[:dn42_ipv4] = format_address(@dn42_ipv4, @dn42_ipv4_netmask)
 c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true)
 end
 if @dn42_ipv6
- opts[:dn42_ipv6] = format_address(dn42_ipv4, dn42_ipv6_netmask)
+ opts[:dn42_ipv6] = format_address(@dn42_ipv6, @dn42_ipv6_netmask)
 c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true)
 end
diff --git a/hooks/lib/lxc/template.rb b/hooks/lib/lxc/template.rb
index c6cb5cc..48f2b63 100644
--- a/hooks/lib/lxc/template.rb
+++ b/hooks/lib/lxc/template.rb
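Review bot: `via 172.23.75.4` on the `table 42` route no longer matches any address in container.json after this commit — the `dns` container's dn42 address moved from `172.23.75.4` to `172.23.75.6` and the `dn42` container is `172.23.75.1` — so unless `.4` is the host's own address on `evenet` (not visible in the diff) the return path for 192.168.66.0/24 points at nothing. Separately, the script now has neither `set -e` nor the old `exit 0`: its exit status is that of `ip route flush cache`, which always succeeds, so a failed `ip rule add` or `ip route add` lets the container start with its dn42 policy routing half-applied and nothing in the hook's status says so. Decide which you want and make it explicit — `set -e` as the second line if a broken route should fail the start, or `exit 0` restored if best-effort is intended — and add a comment naming what `172.23.75.4` is, e.g. `# next hop back into the LXC network; must match the dn42_ipv4 of the gateway container`.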
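Review bot: The fallbacks on the unchanged `else` branches, `24` and `48`, are prefix lengths, whereas NetAddr 1.x's `to_i(:netmask)` on the `if` branches returns the mask as an integer (`0xffffff00` for a /24, as I read it), so the two branches hand `format_address` different units — and since container.json in this commit defines `dn42_v4_subnet` but no `dn42_v6_subnet`, the IPv6 branch is the one that actually takes the fallback today. Unless `format_address` normalizes both forms (it is not in the hunk), compute the default the same way as the configured case, e.g. `@dn42_ipv6_netmask = NetAddr::CIDR.create("::/48").to_i(:netmask)` and `NetAddr::CIDR.create("0.0.0.0/24").to_i(:netmask)` for v4, with a comment that the value is a mask integer, not a prefix length. Style: `if subnet = zone["dn42_v6_subnet"]` is the assignment-in-condition RuboCop flags; `if (subnet = zone["dn42_v6_subnet"])` makes the intent explicit. The enclosing method begins before this hunk.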
@@ -8,12 +8,13 @@ module Lxc
 end
 class Template
- def initialize(path)
+ def initialize(path, context: nil)
 @path = path
 @erb = ERB.new(File.read(path), nil, "-")
 end
 def render(params={})
- @erb.result(TemplateContext.new(params).get_binding)
+ context = TemplateContext.new(params)
+ @erb.result(context.get_binding)
 rescue => e
 raise StandardError.new("fail to render '#{@path}': #{e}")
 end
diff --git a/hooks/tun-device b/hooks/tun-device
new file mode 100755
index 0000000..e5e6d77
--- /dev/null
+++ b/hooks/tun-device
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+cd ${LXC_ROOTFS_MOUNT}/dev
+mkdir net
+mknod net/tun c 10 200
+chmod 0666 net/tun
diff --git a/templates/config.erb b/templates/config.erb
index 50c18f1..cbbecb7 100644
--- a/templates/config.erb
+++ b/templates/config.erb
@@ -5,3 +5,13 @@ lxc.rootfs = <%= rootfs %>
 lxc.network.ipv4 = <%= ipv4 %>
 lxc.network.ipv6 = <%= ipv6 %>
 lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %>
+
+<% if dn42_ipv4 || dn42_ipv6 -%>
+lxc.include = /etc/lxc/evenet.conf
+<% if dn42_ipv4 -%>
+lxc.network.ipv4 = <%= dn42_ipv4 %>
+<% end -%>
+<% if dn42_ipv6 -%>
+lxc.network.ipv6 = <%= dn42_ipv6 %>
+<% end -%>
+<% end -%>
diff --git a/templates/higgsboson.tk.zone.erb b/templates/higgsboson.tk.zone.erb
new file mode 100644
index 0000000..2289834
--- /dev/null
+++ b/templates/higgsboson.tk.zone.erb
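Review bot: `initialize` now accepts `context: nil` but never stores or reads it, so a caller that passes a context has it silently ignored; either drop the parameter again or keep it (`@context = context`) and let `render` use it instead of, or merged into, the `TemplateContext` it builds from `params`. The `render` change itself is a pure rename and fine. Style: `raise StandardError.new("fail to render '#{@path}': #{e}")` is idiomatically `raise StandardError, "fail to render '#{@path}': #{e}"` — Ruby already attaches the original exception as `cause`, which a comment could point out for whoever debugs a template error. The class continues past the end of the hunk.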
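Review bot: `cd ${LXC_ROOTFS_MOUNT}/dev` is unchecked, so if the variable is empty or the directory is missing the following `mkdir net` and `mknod net/tun c 10 200` run in the hook's current directory on the host, creating a world-writable TUN device node outside the container; the script is also not re-runnable (`mkdir net` fails on the second start and the hook returns non-zero) and the variable is unquoted. Note as well that default.conf's device cgroup only allows `c 10:229` (fuse) beyond the basic nodes, so a container using this hook also needs `lxc.cgroup.devices.allow = c 10:200 rwm` in its own config — that may exist outside this diff, but it is worth a comment here. A header comment stating this is an `lxc.hook.autodev` hook and that `LXC_ROOTFS_MOUNT` is supplied by LXC would also help.
```sh
#!/bin/sh
# lxc.hook.autodev hook: create /dev/net/tun inside the container rootfs.
# LXC exports LXC_ROOTFS_MOUNT; never fall back to the host's cwd.
set -e
cd "${LXC_ROOTFS_MOUNT:?LXC_ROOTFS_MOUNT is not set}/dev"
mkdir -p net
[ -c net/tun ] || mknod net/tun c 10 200
chmod 0666 net/tun
```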
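Review bot: The new block references `dn42_ipv4` and `dn42_ipv6` unconditionally, but container.rb in this commit only adds `opts[:dn42_ipv4]` / `opts[:dn42_ipv6]` to the params when the container actually has one; whether an absent key renders as nil or raises `NameError` (surfacing as the "fail to render" error) depends on `TemplateContext`, which is not in the diff, so this is worth confirming against a container with no dn42 address, or by always passing both keys (nil by default). Ordering also carries meaning here: LXC attaches `lxc.network.*` keys to the most recent `lxc.network.type`, so the include must stay ahead of the two address lines exactly as written; a one-line comment such as `# evenet.conf opens the second (dn42) interface; its addresses must follow the include` would protect that.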
@@ -0,0 +1,89 @@
+$TTL 300
+@ 3600 IN SOA ns1 admin.higgsboson.tk. (
+ <%= serial %> ; serial
+ 7200 ; refresh
+ 3600 ; retry
+ 86400 ; expire
+ 3600) ; minimum
+
+;; NS Records (YOU MUST CHANGE THIS)
+ NS ns1
+ NS ns2
+
+;; MX Records
+ MX 10 mail
+
+;; TXT Records
+ TXT "v=spf1 mx a:mail.higgsboson.tk aaaa:mail.higgsboson.tk -all"
+_adsp._domainkey TXT "dkim=all\;"
+default._domainkey TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhqBgbSEMgdWYmBSBsNbI2opjEZSFuZiqnAzv2yxLYyXB0l1uL4tw9npNkC4w5cNehc87qhuuzADsSOJoFUQ+H3oWOnENcGKatQqRKzLxKLBWwUf+TnC21AKGHXD4eABZk3ahfYnlR7li3Wh/JSMsAxWmaikLj3uLHd/WN9eH4rwIDAQAB"
+_dmarc TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@higgsboson.tk\; ruf=mailto:admin@higgsboson.tk\; pct=100"
+joerg._pka TXT "v=pka1\;fpr=4ABA07382AD57E6B9AA4E88DCA4106B8D7CC79FA\;uri=http://higgsboson.tk/joerg/joerg.asc"
+
+;; SRV Records (Service locator)
+_xmpp-client._tcp.muc SRV 0 5 5222 jabber
+_xmpp-client._tcp SRV 0 5 5222 jabber
+_xmpp-server._tcp.muc SRV 0 5 5269 jabber
+_xmpp-server._tcp SRV 0 5 5269 jabber
+
+;; CNAME Records
+*.jabber CNAME jabber
+anon CNAME jabber
+proxy CNAME jabber
+pubsub CNAME jabber
+
+imap CNAME mail
+smtp CNAME mail
+
+tinc1 CNAME dn42
+
+archfeed CNAME arch-pkg-feed.herokuapp.com.
+githubtags CNAME github-tags-feed.herokuapp.com.
+reisekosten CNAME reisekosten.herokuapp.com.
+
+;; A Records (IPv4 addresses)
+<% if type == :eve -%>
+* A 192.168.66.5
+<% else -%>
+* A 148.251.132.243
+<% end -%>
+
+dn42 A 148.251.132.243
+<%= resolver.aaaa("dn42", "eve.higgsboson.tk") -%>
+
+;; eve -->
+<% eve_services = %w{@ classifier eve jabber login mail ns1 web} -%>
+<% if type == :eve -%>
+<% eve_services.each do |name| -%>
+<%= resolver.a(name, "eve.higgsboson.tk") -%>
+<% end -%>
+<% else -%>
+<% eve_services.each do |name| -%>
+<%= name %> A 148.251.132.243
+<% end -%>
+<% end -%>
+;; <-- eve
+
+;; eva -->
+<% eva_services = %w{eva ns2 tinc2} -%>
+<% if type == :eva -%>
+<% eva_services.each do |name| -%>
+<%= resolver.a(name, "eva.higgsboson.tk") -%>
+<% end -%>
+<% else -%>
+<% eva_services.each do |name| -%>
+<%= name %> A 188.166.16.37
+<% end -%>
+<% end -%>
+;; <-- eva
+
+;; AAAA Records (IPv6 addresses)
+* AAAA 2a01:4f8:210:31fd:1::5
+
+<% eve_services.each do |name| -%>
+<%= resolver.aaaa(name, "eve.higgsboson.tk") -%>
+<% end -%>
+
+<% eva_services.each do |name| -%>
+<%= resolver.aaaa(name, "eva.higgsboson.tk") -%>
+<% end -%>
diff --git a/templates/lxc-zone.erb b/templates/lxc-zone.erb
index 7afda15..4c640db 100644
--- a/templates/lxc-zone.erb
+++ b/templates/lxc-zone.erb
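Review bot: `default._domainkey` publishes a 1024-bit RSA key (`MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ…` is the SubjectPublicKeyInfo header of a 1024-bit modulus); RFC 8301 makes 1024 bits the floor and recommends 2048, so committing the zone as a template is the moment to roll a 2048-bit selector, and `_dmarc` `p=none` means a failing message is only reported, never rejected — fine for rollout, but leave a comment that it is meant to move to `p=quarantine`/`p=reject` once the reports are clean. `;; NS Records (YOU MUST CHANGE THIS)` is leftover generator boilerplate and should go. Under `;; AAAA Records`, every public AAAA (and `dn42`'s) comes from `resolver.aaaa` at generation time while the `:pub` A records are hard-coded, so the IPv6 half of the public zone depends on a live lookup succeeding; a comment such as `; resolver.aaaa yields an empty line when the lookup fails — a missing AAAA here means the eve/eva zone was unreachable` would save whoever debugs a vanished record.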
@@ -1,15 +1,26 @@
-@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
+<% if data["zone"]["ttl"] -%>
+$TTL <%= data["zone"]["ttl"] %>
+<% end -%>
+
+@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
 <%= data["zone"]["serial"] %> ; serial
 <%= data["zone"]["refresh"] %> ; refresh
 <%= data["zone"]["retry"] %> ; retry
 <%= data["zone"]["expire"] %> ; expire
 <%= data["zone"]["minimum"] %>) ; minimum
+
 <% data["network"].each do |name, value| -%>
 <% if value["ns"] -%>
- IN NS <%= name %>
+ NS <%= name %>
 <% end -%>
 <% end -%>
+<% if data["zone"]["a"] -%>
+ A <%= data["zone"]["a"] %>
+<% end -%>
+<% if data["zone"]["aaaa"] -%>
+ AAAA <%= data["zone"]["aaaa"]%>
+<% end -%>
 <% data["network"].each do |name, value| %>
 <% if value["cname"] -%>
 <%= name %> CNAME <%= value["cname"] %>
diff --git a/templates/rdns-zone.erb b/templates/rdns-zone.erb
index c5a011f..cfa3a25 100644
--- a/templates/rdns-zone.erb
+++ b/templates/rdns-zone.erb
@@ -1,4 +1,4 @@
-@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
+@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
 <%= data["zone"]["serial"] %> ; serial
 <%= data["zone"]["refresh"] %> ; refresh
 <%= data["zone"]["retry"] %> ; retry
@@ -6,18 +6,7 @@
 <%= data["zone"]["minimum"] %>) ; minimum
 <% data["network"].each do |name, value| -%>
 <% if value["ns"] -%>
- IN NS <%= name %>
-<% end -%>
-<% end -%>
-
-<% data["network"].each do |name, value| -%>
-<% if value["ns"] -%>
-<% if value["ipv4"] -%>
-<%= name %> A <%= NetAddr::CIDR.create(value["ipv4"]).ip(Short: true) %>
-<% end -%>
-<% if value["ipv6"] -%>
-<%= name %> AAAA <%= NetAddr::CIDR.create(value["ipv6"]).ip(Short: true) %>
-<% end -%>
+ IN NS <%= name %>.<%= data["zone"]["domain"] %>.
 <% end -%>
 <% end -%>
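Review bot: The SOA serial in this zone is the hand-maintained `data["zone"]["serial"]` (bumped 124→149 in container.json by this same commit), while build-split-zone, also in this commit, takes its serial from the clock; any future container change that forgets the bump leaves `ns2` serving the old zone, because a secondary only transfers on a higher serial, and the new apex `A`/`AAAA` lines make that more likely to matter. Either have the generator pass an epoch serial the way build-split-zone does, or fall back to one when the key is absent: `<%= data["zone"]["serial"] || Time.now.to_i %> ; serial`. The `$TTL` line is emitted only when `ttl` is set; as I recall BIND then falls back to the SOA minimum with a load-time warning, which a comment on the `<% if data["zone"]["ttl"] -%>` guard could state so nobody treats the warning as a regression.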