From d2af0b979b239505c0dbdb664f3b727bc55a5ab7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Fri, 7 Jan 2022 15:41:29 +0100
Subject: [PATCH] Added ns2.in.
---
 sources/ns2.in/config | 21 ++
 sources/ns2.in/envvars | 5 +
 .../ns2.in/firstboot/01_setupnetworking.sh | 59 +++++
 sources/ns2.in/firstboot/02_settimezone.sh | 21 ++
 sources/ns2.in/firstboot/99_cleanup.sh | 6 +
 sources/ns2.in/postinstall/01_setownership.sh | 9 +
 .../ns2.in/postinstall/02_setpermissions.sh | 7 +
 sources/ns2.in/postinstall/03_installfiles.sh | 16 ++
 .../ns2.in/postinstall/10_setupservices.sh | 7 +
 sources/ns2.in/postinstall/99_cleanup.sh | 6 +
 .../ns2.in/postinstall/install/etc/named.conf | 243 ++++++++++++++++++
 11 files changed, 400 insertions(+)
 create mode 100644 sources/ns2.in/config
 create mode 100644 sources/ns2.in/envvars
 create mode 100755 sources/ns2.in/firstboot/01_setupnetworking.sh
 create mode 100755 sources/ns2.in/firstboot/02_settimezone.sh
 create mode 100755 sources/ns2.in/firstboot/99_cleanup.sh
 create mode 100755 sources/ns2.in/postinstall/01_setownership.sh
 create mode 100755 sources/ns2.in/postinstall/02_setpermissions.sh
 create mode 100755 sources/ns2.in/postinstall/03_installfiles.sh
 create mode 100755 sources/ns2.in/postinstall/10_setupservices.sh
 create mode 100755 sources/ns2.in/postinstall/99_cleanup.sh
 create mode 100644 sources/ns2.in/postinstall/install/etc/named.conf
diff --git a/sources/ns2.in/config b/sources/ns2.in/config
new file mode 100644
index 0000000..d28f4de
--- /dev/null
+++ b/sources/ns2.in/config
@@ -0,0 +1,21 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ns2.in.useribm.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:5c:9f
+
+lxc.autodev = 1
+
+lxc.cgroup2.devices.allow = a
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = __CONTAINER_START_ORDER__
+lxc.start.delay = 5
diff --git a/sources/ns2.in/envvars b/sources/ns2.in/envvars
new file mode 100644
index 0000000..875dfc1
--- /dev/null
+++ b/sources/ns2.in/envvars
@@ -0,0 +1,5 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=35
+ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
+BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
+SPEC_PACKAGES="bind bind-utils"
diff --git a/sources/ns2.in/firstboot/01_setupnetworking.sh b/sources/ns2.in/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..f6b8d27
--- /dev/null
+++ b/sources/ns2.in/firstboot/01_setupnetworking.sh
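Review bot: `lxc.cgroup2.devices.allow = a` grants the container access to every device node, which presumably undoes the deny-all-plus-allowlist that the included common.conf sets up; a container whose only job is running named needs nothing beyond those defaults. Unless a specific device is genuinely required, drop the line, or replace it with allow entries for just the device types that are needed. If it is intentional, a comment above it naming the device that needs it, e.g. `# needed for: <device/reason>`, would save the next reader from widening the container's attack surface without knowing why.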
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -ne 1 ]
+do
+ echo "Number of connections: $CONNECTIONS" >&2
+ sleep 1
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+ echo "Not all connection devices are known yet" >&2
+ sleep 1
+ nmcli --terse connection show | grep ':$' >/dev/null
+ ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $CONNECTION_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.92.159/16" \
+ ipv4.dns "10.228.109.159, 10.228.92.159" \
+ ipv4.dns-search "in.useribm.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:5c9f/64" \
+ ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:6d9f, 2a02:d400:0000:f268:000c:18ff:fe03:5c9f" \
+ ipv6.dns-search "in.useribm.hu" \
+ ipv6.gateway "2a02:d400:0000:f268:000c:18ff:fe03:6dfe" \
+ ipv6.method "manual" \
+ save yes
+
+nmcli connection show
diff --git a/sources/ns2.in/firstboot/02_settimezone.sh b/sources/ns2.in/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/ns2.in/firstboot/02_settimezone.sh
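Review bot: The three wait loops have no upper bound, so if NetworkManager never becomes active, or the connection count settles at anything other than 1, the script spins forever and the later firstboot steps (02_settimezone.sh, 99_cleanup.sh) never run; the dbus loop in 02_settimezone.sh has the same shape. A bounded retry per loop, `TRIES=0` before the loop and `TRIES=$((TRIES+1))` plus `[ $TRIES -le 60 ] || { echo "timed out waiting" >&2; exit 1; }` inside it, turns a silent hang into a visible failure. The `connection.interface-name $CONNECTION_DEVICE \` argument should be quoted like the uuid on the delete line, `connection.interface-name "$CONNECTION_DEVICE" \`, because an empty value would otherwise vanish and shift every following nmcli key/value pair by one. Under `#!/bin/sh`, `echo -n .` is not portable; `printf '%s' .` is.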
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ns2.in/firstboot/99_cleanup.sh b/sources/ns2.in/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ns2.in/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ns2.in/postinstall/01_setownership.sh b/sources/ns2.in/postinstall/01_setownership.sh
new file mode 100755
index 0000000..51d768a
--- /dev/null
+++ b/sources/ns2.in/postinstall/01_setownership.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
+
+chgrp named $SOURCE_PATH/etc/named.conf
diff --git a/sources/ns2.in/postinstall/02_setpermissions.sh b/sources/ns2.in/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..e7e809e
--- /dev/null
+++ b/sources/ns2.in/postinstall/02_setpermissions.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chmod 640 $SOURCE_PATH/etc/named.conf
diff --git a/sources/ns2.in/postinstall/03_installfiles.sh b/sources/ns2.in/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..e4ee7ff
--- /dev/null
+++ b/sources/ns2.in/postinstall/03_installfiles.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --exclude=.placeholder \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
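Review bot: `echo rm -Rf $REAL_PATH` in firstboot/99_cleanup.sh only prints the command, so the firstboot directory is never removed; postinstall/99_cleanup.sh is the identical blob (b87f2f4) and likewise leaves the whole postinstall tree, including the install/etc/named.conf copy that carries the TSIG secret, on the container rootfs. If this is a deliberate dry-run while the scripts are being developed, say so with a comment such as `# dry-run: prints instead of deleting until the install flow is verified`. Otherwise run the command and guard the variable, `rm -Rf -- "${REAL_PATH:?}"`, so that a failed `realpath` aborts the script instead of deleting whatever `dirname` resolves from an empty string.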
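Review bot: `chown -R root.root $SOURCE_PATH/*` in 01_setownership.sh uses the legacy `.` owner/group separator (POSIX specifies `:`) and an unquoted glob; `chown -R root:root -- "$SOURCE_PATH"/*` is the supported form and survives a path containing whitespace. The same unquoted `$SOURCE_PATH` appears on the chgrp line and in 02_setpermissions.sh, and `$REAL_PATH` is unquoted in 03_installfiles.sh's `--directory=$REAL_PATH \`. Since these run as root over a tree that is then extracted onto `/`, quoting is cheap insurance against a surprising path.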
diff --git a/sources/ns2.in/postinstall/10_setupservices.sh b/sources/ns2.in/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..41df693
--- /dev/null
+++ b/sources/ns2.in/postinstall/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable named.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl enable logrotate.timer
diff --git a/sources/ns2.in/postinstall/99_cleanup.sh b/sources/ns2.in/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/ns2.in/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ns2.in/postinstall/install/etc/named.conf b/sources/ns2.in/postinstall/install/etc/named.conf
new file mode 100644
index 0000000..c9b1dde
--- /dev/null
+++ b/sources/ns2.in/postinstall/install/etc/named.conf
@@ -0,0 +1,243 @@ +// +// named.conf +// + +options { + directory "/var/named"; + dump-file "data/cache_dump.db"; + statistics-file "data/named_stats.txt"; + memstatistics-file "data/named_mem_stats.txt"; + secroots-file "data/named.secroots"; + recursing-file "data/named.recursing"; + + listen-on port 53 { any; }; + listen-on-v6 port 53 { any; }; + + allow-query { none; }; + allow-query-cache { none; }; + allow-recursion { none; }; + + dnssec-validation yes; + + random-device "/dev/urandom"; + + max-cache-size 64m; + + managed-keys-directory "/var/named/dynamic"; + geoip-directory "/usr/share/GeoIP"; + + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging { + channel default_debug { + file "data/named.run" versions 3 size 5m; + severity dynamic; + print-category yes; + print-severity yes; + print-time yes; + }; + channel client_channel { + file "data/client.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel lame-servers_channel { + file "data/lame-servers.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel notify_channel { + file "data/notify.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel queries_channel { + file "data/queries.log" versions 3 size 5m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel security_channel { + file "data/security.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel xfer-in_channel { + file "data/xfer-in.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + channel xfer-out_channel { + file "data/xfer-out.log" versions 3 size 1m; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + category default { + default_syslog; + 
default_debug; + }; + category client { + client_channel; + }; + category lame-servers { + lame-servers_channel; + }; + category notify { + notify_channel; + }; + category queries { + queries_channel; + }; + category security { + security_channel; + }; + category xfer-in { + xfer-in_channel; + }; + category xfer-out { + xfer-out_channel; + }; +}; + +key "source_ns-internal_ns2" { + algorithm hmac-sha256; + secret "8GgA5QFCrn3rx0skQOoZH5kdqPOSyx87IJ7Cg1ocvyA="; +}; + +acl internal_networks { 10.228.0.0/16; 192.168.42.0/24; 192.168.43.0/24; }; +acl vpn_client_network { 172.16.223.0/24; }; +acl source_ns_key_acl { key "source_ns-internal_ns2"; }; + +masters source_ns_master { 10.228.109.204 key "source_ns-internal_ns2"; }; + +server 10.228.109.204 { keys { "source_ns-internal_ns2"; }; }; + +view "internal" { + match-clients { internal_networks; vpn_client_network; localhost; }; + + recursion yes; + + allow-query { internal_networks; vpn_client_network; localhost; }; + allow-query-cache { internal_networks; vpn_client_network; localhost; }; + allow-recursion { internal_networks; vpn_client_network; localhost; }; + + allow-notify { source_ns_key_acl; }; + notify no; + + include "/etc/named.rfc1912.zones"; + + # internal zones + zone "in.user.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/in.user.hu.zone"; + }; + zone "43.168.192.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/43.168.192.in-addr.arpa.zone"; + }; + zone "in.useribm.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/in.useribm.hu.zone"; + }; + zone "228.10.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/228.10.in-addr.arpa.zone"; + }; + zone "8.6.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/8.6.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa.zone"; + }; + zone "mlx1.useribm.hu" IN { + type slave; + masters { source_ns_master; }; + file 
"slaves/mlx1.useribm.hu.zone"; + }; + zone "131.16.172.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/131.16.172.in-addr.arpa.zone"; + }; + zone "mlx2.useribm.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/mlx2.useribm.hu.zone"; + }; + zone "132.16.172.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/132.16.172.in-addr.arpa.zone"; + }; + zone "sr.user.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/sr.user.hu.zone"; + }; + zone "42.168.192.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/42.168.192.in-addr.arpa.zone"; + }; + zone "usr.user.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/usr.user.hu.zone"; + }; + + # perimeter zones + zone "pm.useribm.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/pm.useribm.hu.zone"; + }; + zone "173.168.192.in-addr.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/173.168.192.in-addr.arpa.zone"; + }; + zone "d.a.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa" IN { + type slave; + masters { source_ns_master; }; + file "slaves/d.a.2.f.0.0.0.0.0.0.4.d.2.0.a.2.ip6.arpa.zone"; + }; + + # external zones + zone "mediacube.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/mediacube.hu.zone.signed"; + }; + zone "useredms.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/useredms.hu.zone.signed"; + }; + zone "useribm.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/useribm.hu.zone.signed"; + }; + zone "userrendszerhaz.hu" IN { + type slave; + masters { source_ns_master; }; + file "slaves/userrendszerhaz.hu.zone.signed"; + }; +}; -- 2.54.0
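Review bot: The `key "source_ns-internal_ns2"` block commits the TSIG secret in plaintext to the repository, and the file is then installed and (per 99_cleanup.sh) also left in the postinstall tree, so anyone with read access to either can authenticate to the master as ns2. Move the `key` statement into a separate file outside the repo (e.g. an `/etc/named.keys` with mode 640, root:named, pulled in with `include "/etc/named.keys";`), template the value the way `__CONTAINER_PATH__` is templated in config, and treat the key that is now in history as compromised and rotate it. Separately, neither `options` nor the `"internal"` view sets `allow-transfer`, so whether every client matching the view can transfer the slave zones depends on the BIND default for this version; an explicit `allow-transfer { none; };` in the view (or a key-based ACL like `source_ns_key_acl`) removes the doubt.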