diff --git a/container-eve.json b/container-eve.json
index 6a8174b..7bb65df 100644
--- a/container-eve.json
+++ b/container-eve.json
@@ -1,10 +1,12 @@
 {
 "zone": {
 "soa": "ns1.higgsboson.tk.",
- "serial": 175,
+ "serial": 200,
 "refresh": "1H",
 "hostmaster": "hostmaster.higgsboson.tk",
- "domain": "eve.higgsboson.tk",
+ "ipv6-domain": "eve.higgsboson.tk",
+ "ipv4-domain": "eve.evenet.dn42",
+ "ula-domain": "eve.evenet.dn42",
 "ttl": 300,
 "a": "148.251.132.243",
 "aaaa": "2a01:4f8:210:31fd::1",
@@ -13,7 +15,9 @@
 "minimum": "1D",
 "v4_subnet": "172.23.75.0/26",
 "ula_subnet": "fdc0:4992:6a6d::/80",
- "v6_subnet": "2a01:4f8:210:31fd:1::/80"
+ "v6_subnet": "2a01:4f8:210:31fd:1::/80",
+ "lxc_root": "/data/containers/",
+ "lxc-config": "/etc/lxc/default.conf"
 },
 "network": {
 "eve": {
@@ -38,9 +42,9 @@
 "lxc": false
 },
 "base": {
- "ipv4": "172.23.75.63/32",
- "ipv6": "2a01:4f8:210:31fd:1::3f/128",
- "ula": "fdc0:4992:6a6d::3f/128"
+ "ipv4": "172.23.75.62/32",
+ "ipv6": "2a01:4f8:210:31fd:1::3e/128",
+ "ula": "fdc0:4992:6a6d::3e/128"
 },
 "ldap": {
 "ipv4": "172.23.75.3/32",
@@ -56,10 +60,13 @@
 "istwiki": {
 "srv/http/ist.devkid.net": true
 },
+ "letsencrypt": {
+ "/etc/letsencrypt/": true
+ },
 "git": {
- "usr/share/webapps/gitlab": true,
- "var/lib/gitlab/assets": true,
- "var/lib/gitlab/uploads": true
+ "usr/share/webapps/gitlab/public": true,
+ "srv/http/higgsboson.tk": true,
+ "srv/http/blog.higgsboson.tk": true
 },
 "halfcode": {
 "srv/http/halfco.de": true
@@ -73,6 +80,9 @@
 "rainloop": {
 "srv/http/mail.higgsboson.tk": true
 },
+ "limesurvey": {
+ "usr/share/webapps/limesurvey": true
+ },
 "etherpad": {
 "/usr/share/webapps/etherpad-lite/src/static": "/srv/http/pad.higgsboson.tk/static"
 },
@@ -103,7 +113,6 @@
 "pyload": {
 "var/lib/pyload/Downloads": "mnt/pyload"
 },
- "phpmyadmin": true,
 "ttrss": {
 "usr/share/webapps/tt-rss": true,
 "var/lib/tt-rss/feed-icons": true
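Review bot: The keys added to `zone` in the first two hunks mix two naming conventions in one object — `lxc_root` and the existing `v4_subnet`/`ula_subnet` use underscores while `lxc-config`, `ipv4-domain`, `ipv6-domain` and `ula-domain` two lines apart use hyphens — and the Ruby side now derives a key by interpolation (`"#{@addr_field}-domain"` in `RdnsZone#write_zone_file`), so a later "tidy-up" of either spelling silently breaks zone generation. Settle on one convention for the new keys (for example `lxc-root` next to `lxc-config`, or `lxc_config` next to `lxc_root`) before more consumers depend on them. The later hunks of this file continue the mix in the container entries (`backup-paths`, `rdns6`, `install_dn42_ca`).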
@@ -111,17 +120,17 @@
 },
 "ula": "fdc0:4992:6a6d::5/128"
 },
- "ns1": {
+ "ns1.evenet.dn42": {
 "ns": true,
 "lxc": false,
- "ipv4": "148.251.132.243/32",
- "ipv6": "2a01:4f8:210:31fd:1::6/128"
+ "ipv4": "172.23.75.6",
+ "ipv6": "fdc0:4992:6a6d::6"
 },
- "ns2": {
+ "ns2.evenet.dn42": {
 "ns": true,
 "lxc": false,
- "ipv4": "188.226.214.194/32",
- "ipv6": "2a03:b0c0:0:1010::3d:b002/128"
+ "ipv4": "172.23.75.70",
+ "ipv6": "fdc0:4992:6a6d:300::6"
 },
 "dns": {
 "ipv4": "172.23.75.6/32",
@@ -132,12 +141,17 @@
 "dn42": {
 "ipv4": "172.23.75.1/32",
 "ipv6": "2a01:4f8:210:31fd:1::1/128",
- "ula": "fdc0:4992:6a6d::1/128"
+ "ula": "fdc0:4992:6a6d::1/128",
+ "mounts": {
+ "web": {
+ "srv/http/dl.higgsboson.tk": true
+ }
+ }
 },
 "dn42-2": {
- "ipv4": "172.23.75.64/32",
+ "ipv4": "172.23.75.65/32",
 "ipv6": "2a03:b0c0:0:1010::3d:b001",
- "ula": "fdc0:4992:6a6d::1/128",
+ "ula": "fdc0:4992:6a6d:300::1",
 "lxc": false
 },
 "faces": {
@@ -224,6 +238,12 @@
 "ipv4": "172.23.75.16/32",
 "ipv6": "2a01:4f8:210:31fd:1::10/128",
 "rdns6": "mail.higgsboson.tk",
+ "mounts": {
+ "letsencrypt": {
+ "/etc/letsencrypt/live/": true,
+ "/etc/letsencrypt/archive/": true
+ }
+ },
 "backup-paths": [
 "var/vmail"
 ],
@@ -334,6 +354,12 @@
 "backup-paths": [
 "var/lib/prosody"
 ],
+ "mounts": {
+ "letsencrypt": {
+ "/etc/letsencrypt/live/": true,
+ "/etc/letsencrypt/archive/": true
+ }
+ },
 "ula": "fdc0:4992:6a6d::16/128"
 },
 "piwik": {
@@ -380,11 +406,6 @@
 "ipv6": "2a01:4f8:210:31fd:1::1b/128",
 "ula": "fdc0:4992:6a6d::1b/128"
 },
- "classifier": {
- "ipv4": "172.23.75.28/32",
- "ipv6": "2a01:4f8:210:31fd:1::1c/128",
- "ula": "fdc0:4992:6a6d::1c/128"
- },
 "seafile": {
 "ipv4": "172.23.75.29/32",
 "ipv6": "2a01:4f8:210:31fd:1::1d/128",
@@ -401,6 +422,7 @@
 },
 "vars": {
 "ssh_ldap": true,
+ "install_dn42_ca": false,
 "add_repo_in_pacman_conf": false,
 "additional_admins": [
 {
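Review bot: The rewritten `ns1.evenet.dn42` and `ns2.evenet.dn42` entries are the only hosts whose addresses carry no prefix length (`"ipv4": "172.23.75.6"` against `"172.23.75.6/32"` on the `dns` entry a few lines below) and whose `ipv6` value is a `fdc0:…` ULA address rather than a global one; with the new `host[@addr_field]` lookup in `RdnsZone#pointers` that address is read for the `ipv6` zone, where it cannot match `v6_subnet`, and is not read for the `ula` zone at all, so these two hosts most likely end up with no PTR. `172.23.75.6` is now also listed under both `ns1.evenet.dn42` and `dns`, which produces two PTR records for one address, and the dotted key is rewritten to `ns1-evenet-dn42` by the FQDN sanitiser in `pointers`, which is presumably not the intended name. `"ipv4": "172.23.75.6/32"` plus `"ula": "fdc0:4992:6a6d::6/128"` would make these entries consistent with the rest of the file; the same prefix-length slip appears on `dn42-2` in the next hunk (`"ula": "fdc0:4992:6a6d:300::1"`).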
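Review bot: The `mounts.letsencrypt` blocks added to the host with `rdns6: mail.higgsboson.tk` (hunk `@@ -224`) and to the host backing up `var/lib/prosody` (hunk `@@ -334`) expose the whole `/etc/letsencrypt/archive/` tree, which holds the private keys of every certificate on the host rather than only the one each service needs, and the bare `true` value gives no sign of the mount being read-only. Scoping each mount to that service's own lineage, e.g. `"/etc/letsencrypt/live/<lineage>/": true` and `"/etc/letsencrypt/archive/<lineage>/": true` (lineage name to be taken from the host's certbot layout), or copying the needed files into the container from a renewal hook, keeps a compromise of one container from exposing the other services' keys. The `letsencrypt` container in the `@@ -56` hunk of the first part receives the whole `/etc/letsencrypt/` tree, which is what the issuer needs.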
@@ -453,6 +475,43 @@
 "ipv4": "172.23.75.37/32",
 "ipv6": "2a01:4f8:210:31fd:1::25/128",
 "ula": "fdc0:4992:6a6d::25/128"
+ },
+ "honeypot": {
+ "ipv4": "172.23.75.38/32",
+ "ipv6": "2a01:4f8:210:31fd:1::26/128",
+ "ula": "fdc0:4992:6a6d::26/128",
+ "lxc": false
+ },
+ "btsync": {
+ "ipv4": "172.23.75.31/32",
+ "ipv6": "2a01:4f8:210:31fd:1::1f/128",
+ "ula": "fdc0:4992:6a6d::1f/128",
+ "mounts": {
+ "pyload": {
+ "var/lib/pyload/Downloads": "mnt/pyload"
+ }
+ }
+ },
+ "letsencrypt": {
+ "ipv4": "172.23.75.28/32",
+ "ipv6": "2a01:4f8:210:31fd:1::1c/128",
+ "ula": "fdc0:4992:6a6d::1c/128"
+ },
+ "limesurvey": {
+ "ipv4": "172.23.75.39/32",
+ "ipv6": "2a01:4f8:210:31fd:1::27/128",
+ "ula": "fdc0:4992:6a6d::27/128",
+ "group": "php",
+ "vars": {
+ "php_extensions": [
+ "pgsql",
+ "pdo_pgsql",
+ "gd",
+ "zip",
+ "ldap",
+ "imap"
+ ]
+ }
 }
 }
 }
diff --git a/default-eve.conf b/default-eve.conf
index 563d04d..10cce36 100644
--- a/default-eve.conf
+++ b/default-eve.conf
@@ -5,6 +5,8 @@ lxc.cap.keep = chown dac_override dac_read_search fowner fsetid ipc_owner kill l
 # Setup the LXC devices in /dev/lxc/
 lxc.devttydir = lxc
 
+lxc.init_cmd = /usr/lib/systemd/systemd
+
 # Set the halt/stop signals
 lxc.haltsignal=SIGRTMIN+4
 lxc.stopsignal=SIGRTMIN+14
diff --git a/hooks/lib/lxc/container.rb b/hooks/lib/lxc/container.rb
index 6a1fbb6..a54c604 100644
--- a/hooks/lib/lxc/container.rb
+++ b/hooks/lib/lxc/container.rb
@@ -44,6 +44,7 @@ module Lxc
 FileUtils.touch(local_conf)
 end
 opts[:local_conf] = local_conf
+ opts[:global_conf] = @data["zone"]["lxc-config"]
 
 fstab = @container_root.join("fstab")
 opts[:fstab] = fstab if File.exists?(fstab)
diff --git a/hooks/lib/lxc/rdns.rb b/hooks/lib/lxc/rdns.rb
index 9a8abc2..99c4a2a 100644
--- a/hooks/lib/lxc/rdns.rb
+++ b/hooks/lib/lxc/rdns.rb
@@ -1,7 +1,8 @@
 module Lxc
 class RdnsZone
- def initialize(data, subnet)
+ def initialize(data, addr_field, subnet)
 @data = data
+ @addr_field = addr_field
 @subnet = NetAddr::CIDR.create(subnet)
 end
 
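Review bot: `opts[:global_conf] = @data["zone"]["lxc-config"]` in `container.rb` has no fallback, and `config.erb` now renders `lxc.include = <%= global_conf %>`, so a registry that lacks the new `lxc-config` key (any registry written before this commit) produces the line `lxc.include = ` with an empty path where `/etc/lxc/overlay.conf` used to be hard-coded, and the container then starts without the shared base configuration. Either fail at generation time with `opts[:global_conf] = @data["zone"].fetch("lxc-config")`, or keep the previous behaviour with `@data["zone"]["lxc-config"] || "/etc/lxc/overlay.conf"`. The enclosing method starts and ends outside the hunk.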
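Review bot: `RdnsZone#initialize(data, addr_field, subnet)` accepts any value for `addr_field` although only `"ipv4"`, `"ipv6"` and `"ula"` have a matching `<field>-domain` key in the registry, so a typo in a caller surfaces only as an empty-domain PTR line in the generated zone rather than as an error here. Validate it up front: `ADDR_FIELDS = %w[ipv4 ipv6 ula].freeze` on the class and `raise ArgumentError, "unknown address field #{addr_field.inspect}" unless ADDR_FIELDS.include?(addr_field)` before the assignment. Inserting the new parameter in the middle of the positional list also means any caller not updated in this commit (only `hooks/update-zone` is) fails with an `ArgumentError` at the call site, which is worth a line in the commit message.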
@@ -12,16 +13,15 @@ module Lxc
 end
 
 def pointers(&blk)
- version = @subnet.version
-
 @data["network"].each do |name, host|
- ip = host["ipv#{version}"]
+ ip = host[@addr_field]
 next unless ip
 arpa = NetAddr::CIDR.create(ip).arpa
 next unless arpa.end_with?(@subnet.arpa)
 host_part = arpa[0, arpa.size - @subnet.arpa.size - 1]
 # only allowed characters in FQDN
 name = name.gsub(/[^a-zA-Z0-9\-]/, "-")
+ # <%= addr %> PTR <%= fqdn(name) %>.<%= data["zone"]["domain"] %>.
 yield name, host_part
 end
 end
@@ -32,7 +32,11 @@ module Lxc
 
 def write_zone_file(path)
 zone_template = Template.new(CONFIG_ROOT.join("hooks/templates/rdns-zone.erb"))
- zone_template.write(path.join("zones", name), zone: self, data: data)
+ domain = data["zone"]["#{@addr_field}-domain"]
+ zone_template.write(path.join("zones", name),
+ zone: self,
+ data: data,
+ domain: domain)
 end
 end
 end
diff --git a/hooks/templates/config.erb b/hooks/templates/config.erb
index 98e1186..86ae5bd 100644
--- a/hooks/templates/config.erb
+++ b/hooks/templates/config.erb
@@ -1,4 +1,4 @@
-lxc.include = /etc/lxc/overlay.conf
+lxc.include = <%= global_conf %>
 lxc.include = <%= local_conf %>
 lxc.utsname = <%= name %>
 lxc.rootfs = <%= rootfs %>
diff --git a/hooks/templates/rdns-zone.erb b/hooks/templates/rdns-zone.erb
index 05bdf80..dfcd82c 100644
--- a/hooks/templates/rdns-zone.erb
+++ b/hooks/templates/rdns-zone.erb
@@ -1,4 +1,4 @@
-@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %>. (
+@ IN SOA ns1.evenet.dn42. <%= data["zone"]["hostmaster"] %>. (
 <%= data["zone"]["serial"] %> ; serial
 <%= data["zone"]["refresh"] %> ; refresh
 <%= data["zone"]["retry"] %> ; retry
@@ -11,5 +11,5 @@
 <% end -%>
 
 <% zone.pointers do |name, addr| -%>
-<%= addr %> PTR <%= fqdn(name) %>.<%= data["zone"]["domain"] %>.
+<%= addr %> PTR <%= fqdn(name) %>.<%= domain %>.
 <% end -%>
diff --git a/hooks/update-hetzner-rdns b/hooks/update-hetzner-rdns
index 95eb6f2..460a072 100755
--- a/hooks/update-hetzner-rdns
+++ b/hooks/update-hetzner-rdns
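Review bot: The comment added to `pointers`, `# <%= addr %> PTR <%= fqdn(name) %>.<%= data["zone"]["domain"] %>.`, is the old template line pasted into Ruby and names the `zone.domain` key that this same commit removes, so it documents nothing about the method and will mislead the next reader. Drop it, or state the actual contract of the yield: `# yields the sanitised host name and the host part of the reverse name; the template appends the zone domain`. Unrelated but adjacent: `pointers(&blk)` declares a block parameter it never uses and relies on `yield` instead, which is pre-existing and could become plain `def pointers`.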
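Review bot: `domain = data["zone"]["#{@addr_field}-domain"]` in `write_zone_file` is nil when the per-family key is missing, and `rdns-zone.erb` then renders `<%= fqdn(name) %>.<%= domain %>.` as the malformed target `host..` in the generated zone, which a zone check only catches later, if at all; `domain = data["zone"].fetch("#{@addr_field}-domain")` turns the missing key into a hard error at generation time. In the same spirit, the `rdns-zone.erb` hunk hard-codes `ns1.evenet.dn42.` as the SOA MNAME while `zone.soa` stays in the registry as now-dead configuration with a different value (`ns1.higgsboson.tk.`); keeping `<%= data["zone"]["soa"] %>` and updating the registry value preserves a single source of truth for the primary name server.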
@@ -38,7 +38,7 @@ end registry = Lxc::Registry.new registry.data["zone"] ||= {} -domain = registry.data["zone"]["domain"] || "lxc" +domain = registry.data["zone"]["ipv6-domain"] || "lxc" subnet = registry.data["zone"]["v6_subnet"] if subnet subnet_cidr = NetAddr::CIDR.create(subnet) diff --git a/hooks/update-zone b/hooks/update-zone index 87cf3c5..754c3d9 100755 --- a/hooks/update-zone +++ b/hooks/update-zone @@ -12,16 +12,17 @@ def main registry.save root_path = Lxc::CONFIG_ROOT + + if subnet = registry.data["zone"]["ula_subnet"] + Lxc::RdnsZone.new(registry.data, "ula", subnet).write_zone_file(root_path) + end + if subnet = registry.data["zone"]["v4_subnet"] - Lxc::RdnsZone.new(registry.data, subnet).write_zone_file(root_path) + Lxc::RdnsZone.new(registry.data, "ipv4", subnet).write_zone_file(root_path) end if subnet = registry.data["zone"]["v6_subnet"] - Lxc::RdnsZone.new(registry.data, subnet).write_zone_file(root_path) - end - - if subnet = registry.data["zone"]["ula_subnet"] - Lxc::RdnsZone.new(registry.data, subnet).write_zone_file(root_path) + Lxc::RdnsZone.new(registry.data, "ipv6", subnet).write_zone_file(root_path) end root_path = Pathname.new(File.expand_path("../..", __FILE__))
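Review bot: `domain = registry.data["zone"]["ipv6-domain"] || "lxc"` in `update-hetzner-rdns` silently falls back to the bare label `lxc` for any registry that still carries the old `domain` key, so a not-yet-migrated registry pushes `host.lxc` reverse names to the provider rather than stopping; `registry.data["zone"].fetch("ipv6-domain")` fails loudly, or the transition can be made explicit with `registry.data["zone"]["ipv6-domain"] || registry.data["zone"]["domain"] || "lxc"`. The script body continues outside the hunk.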
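Review bot: The three `if subnet = registry.data["zone"][…]` blocks in `update-zone` are now identical except for the field name and the subnet key, so the next address family means a fourth copy; a small table keeps the `ula`, `ipv4`, `ipv6` order the hunk establishes and removes the assignment-in-condition that the existing blocks use (presumably deliberate, but it reads as a typo for `==`). The enclosing `main` starts outside the hunk.
```ruby
  root_path = Lxc::CONFIG_ROOT

  # one reverse zone per address family; the field name doubles as the
  # "<field>-domain" registry key that RdnsZone#write_zone_file reads
  { "ula" => "ula_subnet", "ipv4" => "v4_subnet", "ipv6" => "v6_subnet" }.each do |addr_field, subnet_key|
    subnet = registry.data["zone"][subnet_key]
    next unless subnet

    Lxc::RdnsZone.new(registry.data, addr_field, subnet).write_zone_file(root_path)
  end

  # … unchanged: root_path = Pathname.new(File.expand_path("../..", __FILE__)) …
```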