Added lxchost.in.
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 10 Jun 2024 11:40:04 +0000 (13:40 +0200)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 10 Jun 2024 11:40:04 +0000 (13:40 +0200)
sources/lxchost.in/01_setupnetworking.sh [new file with mode: 0755]
sources/lxchost.in/02_addremovepackages.sh [new file with mode: 0755]
sources/lxchost.in/03_configuresystem [new file with mode: 0755]
sources/lxchost.in/99_setupsystem.sh [new file with mode: 0755]
sources/lxchost.in/etc/ssh/ssh_host_ed25519_key [new file with mode: 0644]
sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub [new file with mode: 0644]
sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub [new file with mode: 0644]
sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf [new file with mode: 0644]
sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf [new file with mode: 0644]
sources/lxchost.in/etc/ssh/trusted-user-ca.keys [new file with mode: 0644]
sources/lxchost.in/etc/sysctl.d/01-lxc.conf [new file with mode: 0644]

diff --git a/sources/lxchost.in/01_setupnetworking.sh b/sources/lxchost.in/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..58c4c07
--- /dev/null
@@ -0,0 +1,74 @@
+#!/bin/sh
+set -x
+
+# network interfaces are:
+#   ens33: used for internal host network
+#   ens34: used for internal container bridge
+#   ens35: used for external container bridge
+
+
+INTERNAL_DEVICE=ens33
+BRI_DEVICE=ens34
+EXTERNAL_DEVICE=ens35
+
+
+nmcli --terse connection show | grep --invert-match ':lo$' | while read CONNECTION_LINE
+do
+    CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+    nmcli connection delete uuid "$CONNECTION_UUID"
+done
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id internal \
+    connection.interface-name $INTERNAL_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "10.228.109.30/16" \
+    ipv4.dns "10.228.109.159, 10.228.92.159" \
+    ipv4.dns-search "in.useribm.hu" \
+    ipv4.gateway "10.228.109.254" \
+    ipv4.method "manual" \
+    ipv6.addresses "2001:1aa1:000a:7dae:0250:56ff:fead:36b1/64" \
+    ipv6.dns "2001:1aa1:000a:7dae:000c:18ff:fe03:5c9f, 2001:1aa1:000a:7dae:000c:18ff:fe03:6d9f" \
+    ipv6.dns-search "in.useribm.hu" \
+    ipv6.gateway "2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe" \
+    ipv6.method "manual" \
+    save yes
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id bri \
+    connection.interface-name bri \
+    connection.type bridge \
+    bridge.stp no \
+    ipv4.method "disabled" \
+    ipv6.method "disabled" \
+    save yes
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id brislave \
+    connection.interface-name $BRI_DEVICE \
+    connection.master bri \
+    connection.slave-type bridge \
+    connection.type 802-3-ethernet \
+    save yes
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id brh \
+    connection.interface-name brh \
+    connection.type bridge \
+    bridge.stp no \
+    ipv4.method "disabled" \
+    ipv6.method "disabled" \
+    save yes
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id external \
+    connection.interface-name $EXTERNAL_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.method "disabled" \
+    ipv6.method "disabled" \
+    save yes
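Review bot: The cleanup loop at the top of the file (`while read CONNECTION_LINE` on the pipeline from `nmcli --terse connection show`) reads without `-r` and expands `$CONNECTION_LINE` unquoted, so backslashes that nmcli uses to escape `:` inside connection names are dropped before `cut` sees the line, and a name containing an escaped colon shifts the UUID out of field 2 anyway. Replace the two lines with `while IFS= read -r CONNECTION_LINE` and `CONNECTION_UUID=$(printf '%s\n' "$CONNECTION_LINE" | cut -f 2 -d ':')`, or avoid field parsing by asking for the UUID column directly with `nmcli -g UUID connection show`. The loop deletes every non-loopback connection before any replacement is added, and with only `set -x` and no `set -e` the later `nmcli connection add` calls run regardless of earlier failures; a comment stating that the script must be run from the console rather than over the interface it reconfigures would save the next operator from locking themselves out.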
diff --git a/sources/lxchost.in/02_addremovepackages.sh b/sources/lxchost.in/02_addremovepackages.sh
new file mode 100755 (executable)
index 0000000..6170769
--- /dev/null
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+
+dnf erase \
+      bluez \
+      c-ares \
+      deltarpm \
+      dhcp-client \
+      f2fs-tools \
+      firewalld \
+      hunspell \
+      inih \
+      jq \
+      js-jquery \
+      memstrack \
+      ModemManager-glib \
+      nano \
+      nilfs-utils \
+      ntfs-3g \
+      ntfs-3g-libs \
+      pcsc-lite \
+      pkgconf \
+      qrencode-libs \
+      selinux-policy \
+      udftools \
+      unbound-anchor \
+      zram-generator
+
+dnf --setopt=install_weak_deps=False \
+    install \
+      atop \
+      bonnie++ \
+      cronie \
+      crontabs \
+      git \
+      logrotate \
+      lxc \
+      lxc-templates \
+      lxcfs \
+      mailx \
+      man-pages \
+      pciutils \
+      postfix \
+      rsync-daemon \
+      rsyslog \
+      rsyslog-logrotate \
+      screen \
+      speedtest-cli \
+      sysstat \
+      tar \
+      unzip \
+      vim-enhanced \
+      wget \
+      zip
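Review bot: Both `dnf erase` and `dnf install` run without `-y`, so the script blocks on an interactive prompt when run unattended, and with no status check the install runs even when the removal failed; `dnf -y erase ... || exit 1` and `dnf -y --setopt=install_weak_deps=False install ... || exit 1` would make failures visible. The removal list includes `firewalld` and `selinux-policy`, which on a container host are the packet filter and the mandatory-access-control policy; the intent is not stated, so a comment above `dnf erase` naming the control that replaces them (or recording that none is wanted) would let a reviewer judge the change. As far as I recall `erase` is a legacy alias kept for compatibility and `remove` is the documented spelling.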
diff --git a/sources/lxchost.in/03_configuresystem b/sources/lxchost.in/03_configuresystem
new file mode 100755 (executable)
index 0000000..a213290
--- /dev/null
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+
+echo "lxc.lxcpath = /lxc/containers" >/etc/lxc/lxc.conf
+echo "fs.inotify.max_user_instances = 1024" >/etc/sysctl.d/lxc.conf
+
+echo "" >>/etc/dnf/dnf.conf
+echo "deltarpm=False" >>/etc/dnf/dnf.conf
+echo "fastestmirror=True" >>/etc/dnf/dnf.conf
+echo "install_weak_deps=False" >>/etc/dnf/dnf.conf
+echo "max_parallel_downloads=10" >>/etc/dnf/dnf.conf
+
+echo "root:100000:100000" >>/etc/subuid
+echo "root:100000:100000" >>/etc/subgid
+
+echo "change USE_LXC_BRIDGE to false in /etc/sysconfig/lxc-net"
+echo "change clean_requirements_on_remove to False in /etc/dnf/dnf.conf"
+
+echo "@cert-authority *.in.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+echo "@cert-authority *.pm.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+echo "@cert-authority *.useribm.hu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXYIIzrUSx8/BQ6/ttkSr5oEyB5F5Yg4bp1DOkqDON9 host-CA" >>/etc/ssh/ssh_known_hosts
+
+hostnamectl set-hostname lxchost.in.useribm.hu
+localectl set-locale LANG=en_US.UTF-8 LC_TIME=C.UTF-8 LC_PAPER=C.UTF-8
+timedatectl set-timezone Europe/Budapest
+
+echo "set up ssh keys/certificates"
+
+systemctl enable lxc
+systemctl enable lxcfs
+systemctl enable postfix
+
+echo "update packages and reboot system"
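Review bot: The `>>` appends to /etc/dnf/dnf.conf, /etc/subuid, /etc/subgid and /etc/ssh/ssh_known_hosts are not idempotent, so a second run duplicates every line; guard each one, e.g. `grep -qxF 'root:100000:100000' /etc/subuid || echo 'root:100000:100000' >>/etc/subuid`. The `fs.inotify.max_user_instances` line written to /etc/sysctl.d/lxc.conf repeats what the committed etc/sysctl.d/01-lxc.conf already sets, leaving two sources of truth for the same sysctl. In ssh_known_hosts the `*.useribm.hu` pattern should already match hosts under `in.useribm.hu` and `pm.useribm.hu` (the `*` wildcard matches dots), so the first two `@cert-authority` lines look redundant. The reminder `echo`s are the only record that the etc/ tree from this commit has to be copied to the host by hand before the sshd drop-ins take effect; a comment at the top of the script saying so would help.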
diff --git a/sources/lxchost.in/99_setupsystem.sh b/sources/lxchost.in/99_setupsystem.sh
new file mode 100755 (executable)
index 0000000..495a23c
--- /dev/null
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+
+hostnamectl set-hostname lxchost.in.useribm.hu
+timedatectl set-timezone Europe/Budapest
+
+#dnf erase \
+#    firewalld \
+#    firewalld-filesystem \
+#    python3-firewall
+dnf erase \
+    selinux-policy \
+    zram-generator
+
+dnf install \
+    chrony \
+    cronie \
+    logrotate \
+    lxc \
+    lxc-templates \
+    mailx \
+    postfix \
+    rsyslog \
+    screen \
+    vim-enhanced \
+    wget2
+
+systemctl disable firewalld.service
+
+systemctl enable logrotate.timer
+systemctl enable lxc.service
+systemctl enable rsyslog.service
+
+systemctl start logrotate.timer
+systemctl start lxc.service
+systemctl start rsyslog.service
+
+systemctl stop firewalld.service
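Review bot: This file repeats steps from 02_addremovepackages.sh and 03_configuresystem (hostname, timezone, package removal and install) with diverging lists — `wget2` here versus `wget`, `chrony` only here, a much shorter erase list — and nothing says which script is authoritative or in what order they run. A header comment such as `# Standalone minimal variant of 02_ and 03_; not meant to run after them` (or removal of the duplicate) would resolve that. The `dnf` calls again lack `-y`, and firewalld is disabled and stopped here while 02_addremovepackages.sh removes the package outright, so `systemctl disable firewalld.service` fails on a host that ran that script first.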
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key
new file mode 100644 (file)
index 0000000..1c40eaf
--- /dev/null
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACA1iH2Z+2TZPaaPpIFV+ypafimCfIYr8JDrsolxnOGkWQAAAIjtYA3x7WAN
+8QAAAAtzc2gtZWQyNTUxOQAAACA1iH2Z+2TZPaaPpIFV+ypafimCfIYr8JDrsolxnOGkWQ
+AAAEDvUybO4S86jtF4cNmdgyhugj1bSAZZntdzPN72XniawzWIfZn7ZNk9po+kgVX7Klp+
+KYJ8hivwkOuyiXGc4aRZAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
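Review bot: `ssh_host_ed25519_key` is an OpenSSH private key committed in the clear, so the host identity it represents has to be treated as disclosed to everyone with read access to this repository and its history. The key should be dropped from the commit and purged from history, regenerated on the host at provisioning time (`ssh-keygen -A`, or the distribution's sshd unit on first boot), and the certificate in `ssh_host_ed25519_key-cert.pub` re-issued by the host CA for the new public key, since both it and `ssh_host_ed25519_key.pub` are bound to this key. If the key genuinely has to travel through the repository, it belongs in an encrypted secret store rather than a plaintext file with mode 0644.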
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key-cert.pub
new file mode 100644 (file)
index 0000000..31834e6
--- /dev/null
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAII6bN5gImxZtD8/Qq1Uea0TmUlC4kCE4kO5IvuiFvpHxAAAAIDWIfZn7ZNk9po+kgVX7Klp+KYJ8hivwkOuyiXGc4aRZAAAAAAAAAAAAAAACAAAAFWx4Y2hvc3QuaW4udXNlcmlibS5odQAAAAAAAAAAAAAAAP//////////AAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAnH/111PHTVbW73hpsG3Z0SX2CCLc8SpoEZM5adJOq+QAAAFMAAAALc3NoLWVkMjU1MTkAAABACsEelN95x8SyABbNcGIP6z9cRc8lvBBCErMJESyHROe1a4l8xQQ11Am3mqJDX7Q9jobiSzhjtrT9cCcZCgOICA== ssh_host_ed25519_key.pub
diff --git a/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub b/sources/lxchost.in/etc/ssh/ssh_host_ed25519_key.pub
new file mode 100644 (file)
index 0000000..f77e1ab
--- /dev/null
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWIfZn7ZNk9po+kgVX7Klp+KYJ8hivwkOuyiXGc4aRZ
diff --git a/sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf b/sources/lxchost.in/etc/ssh/sshd_config.d/99-host-cert.conf
new file mode 100644 (file)
index 0000000..173b545
--- /dev/null
@@ -0,0 +1 @@
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf b/sources/lxchost.in/etc/ssh/sshd_config.d/99-user-CA.conf
new file mode 100644 (file)
index 0000000..115882b
--- /dev/null
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/trusted-user-ca.keys
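Review bot: `TrustedUserCAKeys` on its own accepts any certificate signed by user-CA whose principal list contains the login name, so the mapping from certificate principals to local accounts is implicit and lives entirely in the CA's issuing practice. Pairing it with `AuthorizedPrincipalsFile` pointing at a per-account file (for example `/etc/ssh/auth_principals/%u`, one principal per line — path constructed) makes that mapping explicit and reviewable on the host. A one-line comment above the directive naming which CA the file holds and who issues user certificates would document the trust decision for the next reader.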
diff --git a/sources/lxchost.in/etc/ssh/trusted-user-ca.keys b/sources/lxchost.in/etc/ssh/trusted-user-ca.keys
new file mode 100644 (file)
index 0000000..84d19e3
--- /dev/null
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcf/XXU8dNVtbveGmwbdnRJfYIItzxKmgRkzlp0k6r5 user-CA
diff --git a/sources/lxchost.in/etc/sysctl.d/01-lxc.conf b/sources/lxchost.in/etc/sysctl.d/01-lxc.conf
new file mode 100644 (file)
index 0000000..77fcb19
--- /dev/null
@@ -0,0 +1,8 @@
+#fs.inotify.max_queued_events = 16384
+# This is the default.
+
+fs.inotify.max_user_instances = 1024
+# The default is 128.
+
+#fs.inotify.max_user_watches = 8192
+# This is the default.