split-zone, dn42-routes and more
This commit is contained in:
parent
7f654d8997
commit
17426c3eeb
@ -1,14 +1,18 @@
|
||||
{
|
||||
"zone": {
|
||||
"soa": "ns1.higgsboson.tk.",
|
||||
"serial": 124,
|
||||
"serial": 149,
|
||||
"refresh": "1H",
|
||||
"hostmaster": "hostmaster.higgsboson.tk",
|
||||
"domain": "eve.higgsboson.tk",
|
||||
"ttl": 300,
|
||||
"a": "148.251.132.243",
|
||||
"aaaa": "2a01:4f8:210:31fd::1",
|
||||
"retry": "4H",
|
||||
"expire": "3W",
|
||||
"minimum": "1D",
|
||||
"v4_subnet": "192.168.66.0/24",
|
||||
"dn42_v4_subnet": "172.23.75.0/24",
|
||||
"v6_subnet": "2a01:4f8:210:31fd:1::/80"
|
||||
},
|
||||
"network": {
|
||||
@ -19,17 +23,17 @@
|
||||
},
|
||||
"tinc2": {
|
||||
"ipv4": "188.166.16.37",
|
||||
"ipv6": "2a03:b0c0:2:d0::2a5:f004",
|
||||
"ipv6": "2a03:b0c0:0:1010::3d:b003",
|
||||
"lxc": false
|
||||
},
|
||||
"eve": {
|
||||
"ipv4": "192.168.66.1",
|
||||
"ipv6": "2a01:4f8:210:31fd::1",
|
||||
"ipv4": "148.251.132.243",
|
||||
"lxc": false
|
||||
},
|
||||
"eva": {
|
||||
"ipv4": "192.168.67.1",
|
||||
"ipv6": "2a03:b0c0:2:d0::2a5:f001",
|
||||
"ipv4": "188.166.16.37",
|
||||
"lxc": false
|
||||
},
|
||||
"bridge": {
|
||||
@ -68,23 +72,27 @@
|
||||
"ns1": {
|
||||
"ns": true,
|
||||
"lxc": false,
|
||||
"rdns6": "ns1.higgsboson.tk",
|
||||
"ipv4": "192.168.66.6/32",
|
||||
"ipv4": "148.251.132.243/32",
|
||||
"ipv6": "2a01:4f8:210:31fd:1::6/128"
|
||||
},
|
||||
"ns2": {
|
||||
"ns": true,
|
||||
"lxc": false,
|
||||
"ipv4": "192.168.67.1/32",
|
||||
"ipv6": "2a03:b0c0:2:d0:1::1/128"
|
||||
"ipv4": "188.226.214.194/32",
|
||||
"ipv6": "2a03:b0c0:0:1010::3d:b002/128"
|
||||
},
|
||||
"dns": {
|
||||
"ipv4": "192.168.66.6/32",
|
||||
"ipv6": "2a01:4f8:210:31fd:1::6/128",
|
||||
"rdns6": "ns1.higgsboson.tk",
|
||||
"dn42_ipv4": "172.23.75.6/32",
|
||||
"dn42_ipv6": "fdc0:4992:6a6d:6::1/64"
|
||||
},
|
||||
"dn42": {
|
||||
"ipv4": "172.23.75.4"
|
||||
}
|
||||
"ipv4": "192.168.66.31/32",
|
||||
"ipv6": "2a01:4f8:210:31fd:1::1f/128",
|
||||
"dn42_ipv4": "172.23.75.1/32",
|
||||
"dn42_ipv6": "fdc0:4992:6a6d:1::1/64"
|
||||
},
|
||||
"faces": {
|
||||
"ipv4": "192.168.66.7/32",
|
||||
@ -132,7 +140,8 @@
|
||||
"mysql",
|
||||
"pdo_mysql"
|
||||
]
|
||||
}
|
||||
},
|
||||
"lxc": false
|
||||
},
|
||||
"phppgadmin": {
|
||||
"ipv4": "192.168.66.13/32",
|
||||
@ -143,7 +152,8 @@
|
||||
"pgsql",
|
||||
"pdo_pgsql"
|
||||
]
|
||||
}
|
||||
},
|
||||
"lxc": false
|
||||
},
|
||||
"adminer": {
|
||||
"ipv4": "192.168.66.14/32",
|
||||
@ -339,6 +349,10 @@
|
||||
|
||||
]
|
||||
}
|
||||
},
|
||||
"terraria": {
|
||||
"ipv4": "192.168.66.34/32",
|
||||
"ipv6": "2a01:4f8:210:31fd:1::22/128"
|
||||
}
|
||||
}
|
||||
}
|
41
default.conf
41
default.conf
@ -1,6 +1,20 @@
|
||||
lxc.autodev = 1
|
||||
lxc.kmsg = 0
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio
|
||||
|
||||
# Setup the LXC devices in /dev/lxc/
|
||||
lxc.devttydir = lxc
|
||||
|
||||
# Set the halt/stop signals
|
||||
lxc.haltsignal=SIGRTMIN+4
|
||||
lxc.stopsignal=SIGRTMIN+14
|
||||
|
||||
# Set the pivot directory
|
||||
lxc.pivotdir = lxc_putold
|
||||
|
||||
# Blacklist some syscalls which are not safe in privileged
|
||||
# containers
|
||||
lxc.seccomp = /usr/share/lxc/config/common.seccomp
|
||||
|
||||
lxc.network.type = veth
|
||||
lxc.network.link = br0
|
||||
@ -12,30 +26,45 @@ lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
|
||||
|
||||
# cgroups
|
||||
lxc.cgroup.devices.deny = a
|
||||
## Allow any mknod (but not reading/writing the node)
|
||||
lxc.cgroup.devices.allow = c *:* m
|
||||
lxc.cgroup.devices.allow = b *:* m
|
||||
## Allow specific devices
|
||||
### /dev/null
|
||||
lxc.cgroup.devices.allow = c 1:3 rwm
|
||||
### /dev/zero
|
||||
lxc.cgroup.devices.allow = c 1:5 rwm
|
||||
### /dev/full
|
||||
lxc.cgroup.devices.allow = c 1:7 rwm
|
||||
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||
lxc.cgroup.devices.allow = c 4:1 rwm
|
||||
### /dev/tty
|
||||
lxc.cgroup.devices.allow = c 5:0 rwm
|
||||
### /dev/console
|
||||
lxc.cgroup.devices.allow = c 5:1 rwm
|
||||
### /dev/ptmx
|
||||
lxc.cgroup.devices.allow = c 5:2 rwm
|
||||
### /dev/random
|
||||
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||
### /dev/urandom
|
||||
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||
### /dev/pts/*
|
||||
lxc.cgroup.devices.allow = c 136:* rwm
|
||||
### fuse
|
||||
lxc.cgroup.devices.allow = c 10:229 rwm
|
||||
|
||||
lxc.cgroup.memory.soft_limit_in_bytes = 1500M
|
||||
lxc.cgroup.memory.limit_in_bytes = 2000M
|
||||
lxc.cgroup.cpu.shares = 256
|
||||
lxc.cgroup.blkio.weight = 500
|
||||
|
||||
lxc.mount.entry = /data/pacman-cache var/cache/pacman/pkg none bind 0 0
|
||||
# Setup the default mounts
|
||||
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
|
||||
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
|
||||
lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
|
||||
lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
|
||||
lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0
|
||||
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
|
||||
|
||||
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
|
||||
|
||||
lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
|
||||
lxc.hook.clone = /etc/lxc/hooks/remove-journal
|
||||
lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config
|
||||
|
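Review bot: The device allowlist in this hunk has no entry for the tun device (`c 10:200`) that the new hooks/tun-device creates, so under `lxc.cgroup.devices.deny = a` a container running that hook ends up with a /dev/net/tun node it cannot open unless its own config adds the rule; add `lxc.cgroup.devices.allow = c 10:200 rwm` next to the fuse line, or state in a comment that the tun hook requires it. `c 1:8` and `c 1:9` appear both unlabelled and under `### /dev/random` / `### /dev/urandom` in this hunk — if both copies survive on the new side, keep one. The comment `# Blacklist some syscalls which are not safe in privileged` reads better as `# seccomp policy for privileged containers (see common.seccomp)`, since the referenced file is a policy rather than a list. Note also that `lxc.hook.autodev = /etc/lxc/hooks/dn42-routes` is added here and in evenet.conf in the same commit, so a container including both registers the hook twice.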
@ -3,3 +3,4 @@ lxc.network.link = evenet
|
||||
lxc.network.flags = up
|
||||
lxc.network.name = eth1
|
||||
lxc.network.mtu = 1500
|
||||
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
|
||||
|
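Review bot: `lxc.hook.autodev = /etc/lxc/hooks/dn42-routes` is also added to default.conf in this commit, and the lxc config template emits `lxc.include = /etc/lxc/evenet.conf` whenever dn42 addresses are set, so a dn42 container registers the hook twice; the second run duplicates the `ip rule` and fails on the `ip route add` calls. Keep the hook in one file — evenet.conf is the natural home since the routes only make sense together with the dn42 interface — and drop the default.conf copy. The enclosing file starts before this hunk.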
51
hooks/build-split-zone
Executable file
51
hooks/build-split-zone
Executable file
@ -0,0 +1,51 @@
|
||||
#!/usr/bin/env ruby
|
||||
require "resolv"
|
||||
require_relative "lib/lxc"
|
||||
|
||||
class Resolver
|
||||
def initialize
|
||||
@stub_resolver = Resolv::DNS.new
|
||||
@cache = {}
|
||||
end
|
||||
def resolve(name, delegated_subdomain, typeclass)
|
||||
if name == "@"
|
||||
fqdn = delegated_subdomain
|
||||
else
|
||||
fqdn = "#{name}.#{delegated_subdomain}"
|
||||
end
|
||||
result = @cache[fqdn + typeclass.to_s] ||= @stub_resolver.getresource(fqdn, typeclass)
|
||||
if result == :no_record
|
||||
nil
|
||||
else
|
||||
result
|
||||
end
|
||||
rescue Resolv::ResolvError => e
|
||||
puts "warning: #{e}"
|
||||
@cache[fqdn + typeclass.to_s] = :no_record
|
||||
return nil
|
||||
end
|
||||
def a(name, delegated_subdomain)
|
||||
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::A)
|
||||
return "" unless result
|
||||
"#{name} A #{result.address.to_s}\n"
|
||||
end
|
||||
def aaaa(name, delegated_subdomain)
|
||||
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::AAAA)
|
||||
return "" unless result
|
||||
"#{name} AAAA #{result.address.to_s}\n"
|
||||
end
|
||||
end
|
||||
|
||||
template_path = Lxc::CONFIG_ROOT.join("templates/higgsboson.tk.zone.erb")
|
||||
template = Lxc::Template.new(template_path)
|
||||
serial = Time.new.to_i
|
||||
resolver = Resolver.new
|
||||
zones = [
|
||||
["zones/higgsboson.tk.zone", :pub],
|
||||
["zones/internal-eve.higgsboson.tk.zone", :eve],
|
||||
["zones/internal-eva.higgsboson.tk.zone", :eva],
|
||||
]
|
||||
zones.each do |zone, type|
|
||||
template.write(zone, resolver: resolver, serial: serial, type: type)
|
||||
end
|
||||
Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")
|
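Review bot: In `Resolver#resolve` every `Resolv::ResolvError` becomes a cached `:no_record`, and `a`/`aaaa` then return `""`, so a transient lookup failure (Resolv::DNS#getresource surfaces a timeout through the same ResolvError as an empty answer) silently drops that record from the generated public zone, after which `rndc reload` publishes the gap with only a stdout warning to show for it. Track the failures on the resolver and refuse to reload (or abort before writing) when any lookup failed, and emit the warning with `warn` rather than `puts` so it lands on stderr. Minor: `return nil` in the rescue and `.to_s` inside `#{...}` are redundant in Ruby.
```ruby
class Resolver
  attr_reader :failures

  def initialize
    @stub_resolver = Resolv::DNS.new
    @cache = {}
    @failures = 0
  end

  def resolve(name, delegated_subdomain, typeclass)
    # … unchanged: fqdn construction and cached lookup …
  rescue Resolv::ResolvError => e
    warn "warning: #{e}"
    @failures += 1
    @cache[fqdn + typeclass.to_s] = :no_record
    nil
  end
  # … unchanged: a, aaaa …
end
# … unchanged: template, serial, zones …
zones.each do |zone, type|
  template.write(zone, resolver: resolver, serial: serial, type: type)
end
abort "#{resolver.failures} lookup(s) failed, not reloading" if resolver.failures > 0
Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")
```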
@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
/usr/bin/ip route add 172.16.0.0/12 via 172.16.75.1 proto static metric 200
|
||||
/usr/bin/ip route add 10.0.0.0/8 via 172.16.75.1 proto static metric 200
|
||||
exit 0
|
||||
ip rule add from 172.23.75.0/24 table 42
|
||||
ip route add 192.168.66.0/24 via 172.23.75.4 dev eth1 table 42
|
||||
ip route add 172.16.0.0/12 via 172.23.75.1
|
||||
ip route add 10.0.0.0/8 via 172.23.75.1
|
||||
ip route flush cache
|
||||
|
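Review bot: The script has no `set -e`, so a failing `ip route add` (for example when the hook runs a second time, or a route already exists) is ignored and the container starts with a partial routing table while the hook reports success; begin with `set -eu` and use `ip route replace` in place of `ip route add` so the routes are idempotent. `ip rule add` is not idempotent either, so guard it, e.g. `ip rule del from 172.23.75.0/24 table 42 2>/dev/null; ip rule add from 172.23.75.0/24 table 42`. The previous version invoked `/usr/bin/ip` by absolute path whereas the new lines rely on PATH, which in a hook environment is worth pinning.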
@ -16,13 +16,13 @@ module Lxc
|
||||
@ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24")
|
||||
@ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48")
|
||||
|
||||
if subnet = zone["dn42_ipv4_subnet"]
|
||||
if subnet = zone["dn42_v4_subnet"]
|
||||
@dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
|
||||
else
|
||||
@dn42_ipv4_netmask = 24
|
||||
end
|
||||
|
||||
if subnet = zone["dn42_ipv6_subnet"]
|
||||
if subnet = zone["dn42_v6_subnet"]
|
||||
@dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
|
||||
else
|
||||
@dn42_ipv6_netmask = 48
|
||||
@ -47,12 +47,12 @@ module Lxc
|
||||
ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)),
|
||||
ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask)))
|
||||
if @dn42_ipv4
|
||||
opts[:dn42_ipv4] = format_address(dn42_ipv6, dn42_ipv4_netmask)
|
||||
opts[:dn42_ipv4] = format_address(@dn42_ipv4, @dn42_ipv4_netmask)
|
||||
c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true)
|
||||
end
|
||||
|
||||
if @dn42_ipv6
|
||||
opts[:dn42_ipv6] = format_address(dn42_ipv4, dn42_ipv6_netmask)
|
||||
opts[:dn42_ipv6] = format_address(@dn42_ipv6, @dn42_ipv6_netmask)
|
||||
c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true)
|
||||
end
|
||||
|
||||
|
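Review bot: With the renamed keys, the zone JSON in this commit declares `dn42_v4_subnet` but no `dn42_v6_subnet`, so `@dn42_ipv6_netmask` falls back to 48 while the container entries carry `/64` addresses (e.g. `fdc0:4992:6a6d:6::1/64`); format_address is not visible here, so if it applies the netmask rather than the prefix already present in the address, those containers come up with a /48. Either add `dn42_v6_subnet` to the zone or make the fallback agree with the addresses in use. Stylistically, `if subnet = zone["dn42_v4_subnet"]` (and its v6 twin) is assignment-in-condition; `subnet = zone["dn42_v4_subnet"]` on its own line followed by `@dn42_ipv4_netmask = subnet ? NetAddr::CIDR.create(subnet).to_i(:netmask) : 24` is clearer. The second hunk's swap of the `dn42_ipv4`/`dn42_ipv6` arguments to format_address looks correct. The enclosing method starts before the first hunk.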
@ -8,12 +8,13 @@ module Lxc
|
||||
end
|
||||
|
||||
class Template
|
||||
def initialize(path)
|
||||
def initialize(path, context: nil)
|
||||
@path = path
|
||||
@erb = ERB.new(File.read(path), nil, "-")
|
||||
end
|
||||
def render(params={})
|
||||
@erb.result(TemplateContext.new(params).get_binding)
|
||||
context = TemplateContext.new(params)
|
||||
@erb.result(context.get_binding)
|
||||
rescue => e
|
||||
raise StandardError.new("fail to render '#{@path}': #{e}")
|
||||
end
|
||||
|
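Review bot: `def initialize(path, context: nil)` accepts a `context:` keyword that the body never stores or reads, so passing it has no effect; either drop it or keep it as `@context = context` and honour it in `render`, e.g. `@erb.result((@context || TemplateContext.new(params)).get_binding)`. In `render`, `raise StandardError.new(...)` is better written `raise StandardError, "fail to render '#{@path}': #{e}"` (the original exception remains reachable as `cause`), and a dedicated `Lxc::TemplateError < StandardError` would let callers rescue render failures specifically. `ERB.new(File.read(path), nil, "-")` uses the positional trim-mode form that newer Rubies deprecate in favour of `ERB.new(File.read(path), trim_mode: "-")`, worth switching if the target Ruby supports it. The enclosing module continues outside the hunk.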
6
hooks/tun-device
Executable file
6
hooks/tun-device
Executable file
@ -0,0 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
cd ${LXC_ROOTFS_MOUNT}/dev
|
||||
mkdir net
|
||||
mknod net/tun c 10 200
|
||||
chmod 0666 net/tun
|
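Review bot: `cd ${LXC_ROOTFS_MOUNT}/dev` is unquoted and unchecked, so if the variable is empty or the directory is missing the hook stays on (or changes into) the host's `/dev` and the following `mkdir`/`mknod`/`chmod` act on the host rather than the container. Use `cd "${LXC_ROOTFS_MOUNT:?}/dev" || exit 1`, `mkdir -p net` so a re-run does not fail on the existing directory, and `set -eu` at the top. Separately, default.conf's device cgroup in this commit has no allow rule for `c 10:200`, so the node created here is only usable by containers that add one.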
@ -5,3 +5,13 @@ lxc.rootfs = <%= rootfs %>
|
||||
lxc.network.ipv4 = <%= ipv4 %>
|
||||
lxc.network.ipv6 = <%= ipv6 %>
|
||||
lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %>
|
||||
|
||||
<% if dn42_ipv4 || dn42_ipv6 -%>
|
||||
lxc.include = /etc/lxc/evenet.conf
|
||||
<% if dn42_ipv4 -%>
|
||||
lxc.network.ipv4 = <%= dn42_ipv4 %>
|
||||
<% end -%>
|
||||
<% if dn42_ipv6 -%>
|
||||
lxc.network.ipv6 = <%= dn42_ipv6 %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
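Review bot: The `lxc.network.ipv4 = <%= dn42_ipv4 %>` / `lxc.network.ipv6` lines emitted after `lxc.include = /etc/lxc/evenet.conf` attach to the most recently declared `lxc.network.type`, i.e. the interface evenet.conf declares, which is why the include has to precede them; that ordering dependency is silent, so add a comment such as `# dn42 addresses attach to the interface declared in evenet.conf; keep the include first`. If evenet.conf ever stops declaring its own network type (its first lines are outside this view), these keys would instead override the primary interface's addresses. The enclosing file begins before the hunk.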
89
templates/higgsboson.tk.zone.erb
Normal file
89
templates/higgsboson.tk.zone.erb
Normal file
@ -0,0 +1,89 @@
|
||||
$TTL 300
|
||||
@ 3600 IN SOA ns1 admin.higgsboson.tk. (
|
||||
<%= serial %> ; serial
|
||||
7200 ; refresh
|
||||
3600 ; retry
|
||||
86400 ; expire
|
||||
3600) ; minimum
|
||||
|
||||
;; NS Records (YOU MUST CHANGE THIS)
|
||||
NS ns1
|
||||
NS ns2
|
||||
|
||||
;; MX Records
|
||||
MX 10 mail
|
||||
|
||||
;; TXT Records
|
||||
TXT "v=spf1 mx a:mail.higgsboson.tk aaaa:mail.higgsboson.tk -all"
|
||||
_adsp._domainkey TXT "dkim=all\;"
|
||||
default._domainkey TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhqBgbSEMgdWYmBSBsNbI2opjEZSFuZiqnAzv2yxLYyXB0l1uL4tw9npNkC4w5cNehc87qhuuzADsSOJoFUQ+H3oWOnENcGKatQqRKzLxKLBWwUf+TnC21AKGHXD4eABZk3ahfYnlR7li3Wh/JSMsAxWmaikLj3uLHd/WN9eH4rwIDAQAB"
|
||||
_dmarc TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@higgsboson.tk\; ruf=mailto:admin@higgsboson.tk\; pct=100"
|
||||
joerg._pka TXT "v=pka1\;fpr=4ABA07382AD57E6B9AA4E88DCA4106B8D7CC79FA\;uri=http://higgsboson.tk/joerg/joerg.asc"
|
||||
|
||||
;; SRV Records (Service locator)
|
||||
_xmpp-client._tcp.muc SRV 0 5 5222 jabber
|
||||
_xmpp-client._tcp SRV 0 5 5222 jabber
|
||||
_xmpp-server._tcp.muc SRV 0 5 5269 jabber
|
||||
_xmpp-server._tcp SRV 0 5 5269 jabber
|
||||
|
||||
;; CNAME Records
|
||||
*.jabber CNAME jabber
|
||||
anon CNAME jabber
|
||||
proxy CNAME jabber
|
||||
pubsub CNAME jabber
|
||||
|
||||
imap CNAME mail
|
||||
smtp CNAME mail
|
||||
|
||||
tinc1 CNAME dn42
|
||||
|
||||
archfeed CNAME arch-pkg-feed.herokuapp.com.
|
||||
githubtags CNAME github-tags-feed.herokuapp.com.
|
||||
reisekosten CNAME reisekosten.herokuapp.com.
|
||||
|
||||
;; A Records (IPv4 addresses)
|
||||
<% if type == :eve -%>
|
||||
* A 192.168.66.5
|
||||
<% else -%>
|
||||
* A 148.251.132.243
|
||||
<% end -%>
|
||||
|
||||
dn42 A 148.251.132.243
|
||||
<%= resolver.aaaa("dn42", "eve.higgsboson.tk") -%>
|
||||
|
||||
;; eve -->
|
||||
<% eve_services = %w{@ classifier eve jabber login mail ns1 web} -%>
|
||||
<% if type == :eve -%>
|
||||
<% eve_services.each do |name| -%>
|
||||
<%= resolver.a(name, "eve.higgsboson.tk") -%>
|
||||
<% end -%>
|
||||
<% else -%>
|
||||
<% eve_services.each do |name| -%>
|
||||
<%= name %> A 148.251.132.243
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
;; <-- eve
|
||||
|
||||
;; eva -->
|
||||
<% eva_services = %w{eva ns2 tinc2} -%>
|
||||
<% if type == :eva -%>
|
||||
<% eva_services.each do |name| -%>
|
||||
<%= resolver.a(name, "eva.higgsboson.tk") -%>
|
||||
<% end -%>
|
||||
<% else -%>
|
||||
<% eva_services.each do |name| -%>
|
||||
<%= name %> A 188.166.16.37
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
;; <-- eva
|
||||
|
||||
;; AAAA Records (IPv6 addresses)
|
||||
* AAAA 2a01:4f8:210:31fd:1::5
|
||||
|
||||
<% eve_services.each do |name| -%>
|
||||
<%= resolver.aaaa(name, "eve.higgsboson.tk") -%>
|
||||
<% end -%>
|
||||
|
||||
<% eva_services.each do |name| -%>
|
||||
<%= resolver.aaaa(name, "eva.higgsboson.tk") -%>
|
||||
<% end -%>
|
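Review bot: The public addresses `148.251.132.243` (wildcard, `dn42`, the eve fallback loop) and `188.166.16.37` (the eva fallback loop) are repeated as literals even though the zone JSON in the same commit already carries `"a": "148.251.132.243"`; passing them into the template (e.g. `eve_ipv4:` / `eva_ipv4:` alongside `serial:` and `type:`) keeps an address change in one place. The `;; NS Records (YOU MUST CHANGE THIS)` line is leftover boilerplate and is misleading in a generated file; replace it with `;; NS records`. Also, in the `:pub` view every AAAA comes from a live lookup of the internal names, so a lookup that fails at build time leaves that name without an AAAA in the published zone because the resolver returns `""` on error.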
@ -1,15 +1,26 @@
|
||||
<% if data["zone"]["ttl"] -%>
|
||||
$TTL <%= data["zone"]["ttl"] %>
|
||||
<% end -%>
|
||||
|
||||
@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
|
||||
<%= data["zone"]["serial"] %> ; serial
|
||||
<%= data["zone"]["refresh"] %> ; refresh
|
||||
<%= data["zone"]["retry"] %> ; retry
|
||||
<%= data["zone"]["expire"] %> ; expire
|
||||
<%= data["zone"]["minimum"] %>) ; minimum
|
||||
|
||||
<% data["network"].each do |name, value| -%>
|
||||
<% if value["ns"] -%>
|
||||
IN NS <%= name %>
|
||||
NS <%= name %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% if data["zone"]["a"] -%>
|
||||
A <%= data["zone"]["a"] %>
|
||||
<% end -%>
|
||||
<% if data["zone"]["aaaa"] -%>
|
||||
AAAA <%= data["zone"]["aaaa"]%>
|
||||
<% end -%>
|
||||
<% data["network"].each do |name, value| %>
|
||||
<% if value["cname"] -%>
|
||||
<%= name %> CNAME <%= value["cname"] %>
|
||||
|
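Review bot: `AAAA <%= data["zone"]["aaaa"]%>` omits the space before `%>` that every other tag in this hunk has; write `AAAA <%= data["zone"]["aaaa"] %>`. If `<% data["network"].each do |name, value| %>` near the end of the hunk is on the new side, it also lacks the `-%>` trim the sibling loops use and will emit one blank line per network entry. The rest of the template continues outside the hunk.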
@ -6,18 +6,7 @@
|
||||
<%= data["zone"]["minimum"] %>) ; minimum
|
||||
<% data["network"].each do |name, value| -%>
|
||||
<% if value["ns"] -%>
|
||||
IN NS <%= name %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% data["network"].each do |name, value| -%>
|
||||
<% if value["ns"] -%>
|
||||
<% if value["ipv4"] -%>
|
||||
<%= name %> A <%= NetAddr::CIDR.create(value["ipv4"]).ip(Short: true) %>
|
||||
<% end -%>
|
||||
<% if value["ipv6"] -%>
|
||||
<%= name %> AAAA <%= NetAddr::CIDR.create(value["ipv6"]).ip(Short: true) %>
|
||||
<% end -%>
|
||||
IN NS <%= name %>.<%= data["zone"]["domain"] %>.
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
|
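Review bot: The new side drops the per-nameserver `A`/`AAAA` lines and emits only `IN NS <%= name %>.<%= data["zone"]["domain"] %>.`; when that domain is the zone being rendered (the zone JSON sets `"domain": "eve.higgsboson.tk"`), the NS targets are in-bailiwick and still need address records, which must now come from a loop elsewhere in this template that is not visible in the hunk. Worth confirming that the rendered zone still contains `ns1`/`ns2` A and AAAA records, otherwise `named-checkzone` will likely complain that the nameservers have no address records. A comment such as `; addresses for the NS hosts are emitted with the other containers below` would make that dependency explicit. The enclosing template continues outside the hunk.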