Added ns1.in.
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Fri, 7 Jan 2022 14:32:49 +0000 (15:32 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Fri, 7 Jan 2022 14:32:49 +0000 (15:32 +0100)
13 files changed:
.hgignore
sources/ns1.in/config [new file with mode: 0644]
sources/ns1.in/envvars [new file with mode: 0644]
sources/ns1.in/firstboot/01_setupnetworking.sh [new file with mode: 0755]
sources/ns1.in/firstboot/02_settimezone.sh [new file with mode: 0755]
sources/ns1.in/firstboot/99_cleanup.sh [new file with mode: 0755]
sources/ns1.in/postinstall/01_setownership.sh [new file with mode: 0755]
sources/ns1.in/postinstall/02_setpermissions.sh [new file with mode: 0755]
sources/ns1.in/postinstall/03_installfiles.sh [new file with mode: 0755]
sources/ns1.in/postinstall/10_setupservices.sh [new file with mode: 0755]
sources/ns1.in/postinstall/99_cleanup.sh [new file with mode: 0755]
sources/ns1.in/postinstall/install/etc/named.conf [new file with mode: 0644]
sources/start-order.txt

index 7da3da6dca95832860f0278d7038d9aabc89fa16..bb867f66a9c79fe833f0189009b2c8bde5661bdb 100644 (file)
--- a/.hgignore
+++ b/.hgignore
@@ -3,5 +3,7 @@ syntax: regexp
 ^build/
 ^containers/
 ^filesystems/
+^sources/dhsvn.in/
+^sources/pastry.in/
 ^qqcs-ssh/
 ^user-ssh/
diff --git a/sources/ns1.in/config b/sources/ns1.in/config
new file mode 100644 (file)
index 0000000..56fd08b
--- /dev/null
@@ -0,0 +1,21 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ns1.in.useribm.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:9f
+
+lxc.autodev = 1
+
+lxc.cgroup2.devices.allow = a
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = __CONTAINER_START_ORDER__
+lxc.start.delay = 5
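Review bot: `lxc.cgroup2.devices.allow = a` disables the device cgroup restriction for the whole container, and since no `lxc.idmap` appears here this looks like a privileged container (common.conf does not map IDs by itself — confirm against the build scripts), so root inside it can mknod and open any host device node. A BIND secondary needs nothing beyond what common.conf already allows, so the line can simply go; if some device is genuinely needed, start from `lxc.cgroup2.devices.deny = a` and add explicit `lxc.cgroup2.devices.allow = c X:Y rwm` entries for that node only. `lxc.mount.auto = proc:rw sys:ro` likewise weakens the `proc:mixed` that lxc's common.conf sets, which keeps /proc/sys and /proc/sysrq-trigger read-only inside the container; unless something must write there, `lxc.mount.auto = proc:mixed sys:ro` is the safer value.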
diff --git a/sources/ns1.in/envvars b/sources/ns1.in/envvars
new file mode 100644 (file)
index 0000000..875dfc1
--- /dev/null
@@ -0,0 +1,5 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=35
+ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
+BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
+SPEC_PACKAGES="bind bind-utils"
diff --git a/sources/ns1.in/firstboot/01_setupnetworking.sh b/sources/ns1.in/firstboot/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..57af3f2
--- /dev/null
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active NetworkManager.service
+    NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -ne 1 ]
+do
+    echo "Number of connections: $CONNECTIONS" >&2
+    sleep 1
+    CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+    echo "Not all connection devices are known yet" >&2
+    sleep 1
+    nmcli --terse connection show | grep ':$' >/dev/null
+    ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id internal \
+    connection.interface-name $CONNECTION_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "10.228.109.159/16" \
+    ipv4.dns "10.228.92.159, 10.228.109.159" \
+    ipv4.dns-search "in.useribm.hu" \
+    ipv4.gateway "10.228.109.254" \
+    ipv4.method "manual" \
+    ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:6d9f/64" \
+    ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:5c9f, 2a02:d400:0000:f268:000c:18ff:fe03:6d9f" \
+    ipv6.dns-search "in.useribm.hu" \
+    ipv6.gateway "2a02:d400:0000:f268:000c:18ff:fe03:6dfe" \
+    ipv6.method "manual" \
+    save yes
+
+nmcli connection show
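Review bot: The three wait loops (`while [ $NM_RC -ne 0 ]`, `while [ $CONNECTIONS -ne 1 ]`, `while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]`) have no upper bound, so first boot hangs silently if NetworkManager ever presents zero or more than one profile — which could happen on a re-run once `internal` exists and NM adds a fresh default profile for the veth — and nothing later in the sequence gets a chance to report it. A bounded retry that fails loudly is enough, e.g. count `WAITED` up instead of setting it to 1 and add `[ "$WAITED" -ge 60 ] && { echo "timed out waiting for NetworkManager" >&2; exit 1; }` inside each loop. The field extraction should also stop word-splitting and globbing the nmcli output: `CONNECTION_UUID=$(printf '%s\n' "$CONNECTION_LINE" | cut -f 2 -d ':')` (same for the device) keeps a profile name containing a glob character intact, and `connection.interface-name "$CONNECTION_DEVICE"` should be quoted for the same reason. `echo -n` is not portable under `#!/bin/sh`; `printf .` is.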
diff --git a/sources/ns1.in/firstboot/02_settimezone.sh b/sources/ns1.in/firstboot/02_settimezone.sh
new file mode 100755 (executable)
index 0000000..20b2a71
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+    if [ $WAITED -eq 0 ]
+    then
+        echo -n "Waiting for dbus.service"
+    fi
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active dbus.service
+    DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ns1.in/firstboot/99_cleanup.sh b/sources/ns1.in/firstboot/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
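Review bot: `echo rm -Rf $REAL_PATH` only prints the command, so the firstboot directory — including 01_setupnetworking.sh with the host's addresses and DNS layout — is never removed; this reads like a dry-run left in place (postinstall/99_cleanup.sh is the identical blob b87f2f4). If the echo is deliberate for now, say so, e.g. `# dry-run: drop the echo once the firstboot sequence is trusted`, otherwise a reader will assume cleanup happens. When the echo does go, quote and guard the target so an empty value from a failed `realpath` aborts instead of running an unintended rm: `REAL_PATH=$(dirname "$(realpath "$0")")` and `rm -Rf -- "${REAL_PATH:?}"`.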
diff --git a/sources/ns1.in/postinstall/01_setownership.sh b/sources/ns1.in/postinstall/01_setownership.sh
new file mode 100755 (executable)
index 0000000..51d768a
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
+
+chgrp named $SOURCE_PATH/etc/named.conf
diff --git a/sources/ns1.in/postinstall/02_setpermissions.sh b/sources/ns1.in/postinstall/02_setpermissions.sh
new file mode 100755 (executable)
index 0000000..e7e809e
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chmod 640 $SOURCE_PATH/etc/named.conf
diff --git a/sources/ns1.in/postinstall/03_installfiles.sh b/sources/ns1.in/postinstall/03_installfiles.sh
new file mode 100755 (executable)
index 0000000..e4ee7ff
--- /dev/null
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+    --directory=$REAL_PATH \
+    --exclude=.placeholder \
+    --to-stdout \
+    install \
+    | tar --extract \
+          --backup \
+          --directory=/ \
+          --no-overwrite-dir \
+          --strip-components=1 \
+          --suffix=.orig
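Review bot: The pipeline has no error handling: without `set -e` a failure of the first `tar --create` (missing `install/` tree, unreadable file) still feeds a truncated stream to the extract side, and the script's status is whatever the second tar returns, which the caller cannot tell apart from success. Add `set -e` at the top (plus `set -o pipefail` if /bin/sh is bash here, as it is on Fedora) so either side failing stops the postinstall sequence, and quote `"$REAL_PATH"` and `"$(realpath "$0")"`. A one-line comment would also help the next reader, since it is what makes the root:named 640 from 01_/02_ land on disk: `# presumably run as root: extract preserves the owner/mode staged under install/ and keeps any existing file as *.orig`.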
diff --git a/sources/ns1.in/postinstall/10_setupservices.sh b/sources/ns1.in/postinstall/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..41df693
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable named.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl enable logrotate.timer
diff --git a/sources/ns1.in/postinstall/99_cleanup.sh b/sources/ns1.in/postinstall/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
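Review bot: Because the rm is only echoed, the staged `install/` tree — a second copy of named.conf, TSIG secret included, outside /etc — stays on disk after postinstall, so the earlier `chgrp named`/`chmod 640` only protect one of two copies. Either perform the deletion, as `rm -Rf -- "${REAL_PATH:?}"` with `REAL_PATH=$(dirname "$(realpath "$0")")`, or at minimum remove `install/` here even while the rest is kept for debugging. If the echo is intentional, add a comment saying so, e.g. `# dry-run until the postinstall sequence is trusted`.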
diff --git a/sources/ns1.in/postinstall/install/etc/named.conf b/sources/ns1.in/postinstall/install/etc/named.conf
new file mode 100644 (file)
index 0000000..c72ac47
--- /dev/null
@@ -0,0 +1,243 @@
+//
+// named.conf
+//
+
+options {
+       directory               "/var/named";
+       dump-file               "data/cache_dump.db";
+       statistics-file         "data/named_stats.txt";
+       memstatistics-file      "data/named_mem_stats.txt";
+       secroots-file           "data/named.secroots";
+       recursing-file          "data/named.recursing";
+
+       listen-on port 53       { any; };
+       listen-on-v6 port 53    { any; };
+
+       allow-query             { none; };
+       allow-query-cache       { none; };
+       allow-recursion         { none; };
+
+       dnssec-validation       yes;
+
+       random-device           "/dev/urandom";
+
+       max-cache-size          64m;
+
+       managed-keys-directory  "/var/named/dynamic";
+       geoip-directory         "/usr/share/GeoIP";
+
+       include                 "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+       channel default_debug {
+               file "data/named.run" versions 3 size 5m;
+               severity dynamic;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel client_channel {
+               file "data/client.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel lame-servers_channel {
+               file "data/lame-servers.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel notify_channel {
+               file "data/notify.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel queries_channel {
+               file "data/queries.log" versions 3 size 5m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel security_channel {
+               file "data/security.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel xfer-in_channel {
+               file "data/xfer-in.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       channel xfer-out_channel {
+               file "data/xfer-out.log" versions 3 size 1m;
+               severity info;
+               print-category yes;
+               print-severity yes;
+               print-time yes;
+       };
+       category default {
+               default_syslog;
+               default_debug;
+       };
+       category client {
+               client_channel;
+       };
+       category lame-servers {
+               lame-servers_channel;
+       };
+       category notify {
+               notify_channel;
+       };
+       category queries {
+               queries_channel;
+       };
+       category security {
+               security_channel;
+       };
+       category xfer-in {
+               xfer-in_channel;
+       };
+       category xfer-out {
+               xfer-out_channel;
+       };
+};
+
+key "source_ns-internal_ns1" {
+        algorithm hmac-sha256;
+        secret "tFwMOb5GqnRAGnrXAJiY4JcCGfHi7V4Ut4POvNj2vnM=";
+};
+
+acl internal_networks  { 10.228.0.0/16; 192.168.42.0/24; 192.168.43.0/24; };
+acl vpn_client_network { 172.16.223.0/24; };
+acl source_ns_key_acl  { key "source_ns-internal_ns1"; };
+
+masters source_ns_master       { 10.228.109.204 key "source_ns-internal_ns1"; };
+
+server 10.228.109.204          { keys { "source_ns-internal_ns1"; }; };
+
+view "internal" {
+       match-clients           { internal_networks; vpn_client_network; localhost; };
+
+       recursion               yes;
+
+       allow-query             { internal_networks; vpn_client_network; localhost; };
+       allow-query-cache       { internal_networks; vpn_client_network; localhost; };
+       allow-recursion         { internal_networks; vpn_client_network; localhost; };
+
+       allow-notify            { source_ns_key_acl; };
+       notify                  no;
+
+       include "/etc/named.rfc1912.zones";
+
+       # internal zones
+       zone "in.user.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/in.user.hu.zone";
+       };
+       zone "43.168.192.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/43.168.192.in-addr.arpa.zone";
+       };
+       zone "in.useribm.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/in.useribm.hu.zone";
+       };
+       zone "228.10.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/228.10.in-addr.arpa.zone";
+       };
+       zone "8.6.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/8.6.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa.zone";
+       };
+       zone "mlx1.useribm.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/mlx1.useribm.hu.zone";
+       };
+       zone "131.16.172.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/131.16.172.in-addr.arpa.zone";
+       };
+       zone "mlx2.useribm.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/mlx2.useribm.hu.zone";
+       };
+       zone "132.16.172.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/132.16.172.in-addr.arpa.zone";
+       };
+       zone "sr.user.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/sr.user.hu.zone";
+       };
+       zone "42.168.192.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/42.168.192.in-addr.arpa.zone";
+       };
+       zone "usr.user.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/usr.user.hu.zone";
+       };
+
+       # perimeter zones
+       zone "pm.useribm.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/pm.useribm.hu.zone";
+       };
+       zone "173.168.192.in-addr.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/173.168.192.in-addr.arpa.zone";
+       };
+       zone "d.a.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/d.a.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa.zone";
+       };
+
+       # external zones
+       zone "mediacube.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/mediacube.hu.zone.signed";
+       };
+       zone "useredms.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/useredms.hu.zone.signed";
+       };
+       zone "useribm.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/useribm.hu.zone.signed";
+       };
+       zone "userrendszerhaz.hu" IN {
+               type slave;
+               masters { source_ns_master; };
+               file "slaves/userrendszerhaz.hu.zone.signed";
+       };
+};
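Review bot: The TSIG secret in the `key "source_ns-internal_ns1"` block is committed in clear text in a file tracked at mode 0644 (only the installed copy gets root:named 640 from 02_setpermissions.sh), so anyone with read access to the repository or its history can send NOTIFYs accepted by `allow-notify` and, presumably, transfer every zone from 10.228.109.204 if the primary gates transfers on this key. Move the statement into a file kept out of version control and installed with the same ownership, replacing the block with `include "/etc/named/source_ns-internal_ns1.key";`, and treat the existing key as compromised: generate a new one with tsig-keygen and update both peers. Separately, `allow-transfer` is never set, and on the BIND 9.16 series that Fedora 35 ships it defaults to `any` (verify against the installed version), so every host matching `internal_networks` or `vpn_client_network` can AXFR all zones below, signed external ones included; this box is a pure secondary, so `allow-transfer { none; };` belongs in `options`. `dnssec-validation yes;` only validates with an explicitly configured trust anchor and the distribution's `include "/etc/named.root.key";` is absent from this file, so either add that include or switch to `dnssec-validation auto;`.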
index f2df0bab60ad559919f36dbda2637864bc2369b0..43d44913014986efb9b447bac28bbb5b5be1b22e 100644 (file)
@@ -16,11 +16,13 @@ group 5:
   ins.in       41
   ldap.in      42
   ls.in                43
-  pns.in       44
-  sns.in       45
-  svc.in       46
-  vpn.in       47
-  wiki.in      48
+  ns1.in       44
+  ns2.in       45
+  pns.in       46
+  sns.in       47
+  svc.in       48
+  vpn.in       49
+  wiki.in      50
 
 group 6:
   dhsvn.in     51