authoruvok cheetah2025-02-09 17:57:14 +0100
committeruvok cheetah2025-02-09 17:57:14 +0100
commita3ee42d1dde090c5baad512ff8707f7e2c068433 (patch)
treea619ef2f51c548a235b188cac19c7cf337686424 /roles/linux-ns/files
parentbb989a2148686d1eb4f49b5aa2597c5162436196 (diff)
LintingHEADmaster
Diffstat (limited to 'roles/linux-ns/files')
-rw-r--r--roles/linux-ns/files/iptables/ip6tables.save38
-rw-r--r--roles/linux-ns/files/iptables/iptables.save24
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lg.service24
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lgproxy.service24
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird.service25
-rw-r--r--roles/linux-ns/files/systemd/dn42_namespace.service17
-rw-r--r--roles/linux-ns/files/systemd/dn42_nginx.service37
-rw-r--r--roles/linux-ns/files/systemd/dn42_pdns.service55
-rw-r--r--roles/linux-ns/files/systemd/dn42_tinc@.service31
-rw-r--r--roles/linux-ns/files/systemd/dn42_wg@.service28
-rw-r--r--roles/linux-ns/files/systemd/my-netns@.service30
-rw-r--r--roles/linux-ns/files/systemd/readme.txt2
12 files changed, 0 insertions, 335 deletions
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
deleted file mode 100644
index 036e5a5..0000000
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ /dev/null
@@ -1,38 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmpv6 -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-# BGP
--A INPUT -p tcp --dport 179 -j ACCEPT
-# LG
--A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
-
--A INPUT -j REJECT --reject-with icmp6-port-unreachable
-
--A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-
-COMMIT
-
-*mangle
--A PREROUTING -i eth0 -j MARK --set-mark 0x4242
-COMMIT
-
-*nat
--A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
-COMMIT
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
deleted file mode 100644
index 4f72cc5..0000000
--- a/roles/linux-ns/files/iptables/iptables.save
+++ /dev/null
@@ -1,24 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
--A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
--A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
--A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp-port-unreachable
-
-COMMIT
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
deleted file mode 100644
index 85c5358..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lg.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass - DN42 edition
-Requires=network-online.target
-After=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/lgstart.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LG_PORT=6142"
-Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
deleted file mode 100644
index 273ab16..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass Proxy
-Requires=network-online.target dn42_bird.service
-After=network-online.target dn42_bird.service
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/start.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LGPROXY_PORT=6042"
-Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
deleted file mode 100644
index cbf80f0..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird.service
+++ /dev/null
@@ -1,25 +0,0 @@
-[Unit]
-Description=BIRD Internet Routing Daemon - DN42 daemon
-After=network.target
-Wants=dn42_tinc@tn_int.service
-After=dn42_tinc@tn_int.service
-
-[Service]
-EnvironmentFile=/etc/bird/envvars
-ExecStartPre=/bin/sleep 3
-ExecStartPre=/usr/lib/bird/prepare-environment
-ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
-ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
-ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
-Restart=on-abort
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-# rel: /var/log
-# nope, doesn't work, bird must start with root
-#LogsDirectory=
-ReadWritePaths=/run/bird/ /var/log/bird/dn42/
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service
deleted file mode 100644
index 4034879..0000000
--- a/roles/linux-ns/files/systemd/dn42_namespace.service
+++ /dev/null
@@ -1,17 +0,0 @@
-# fine-adjustments, routing, etcpp
-
-[Unit]
-Description=DN42 Network namespace
-After=network-online.target my-netns@dn42.service
-Requires=my-netns@dn42.service
-Before=dn42_tinc@tn_int.service
-WantedBy=dn42_tinc@tn_int.service
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/dn42-route-namespace.sh start
-ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
-RemainAfterExit=yes
diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service
deleted file mode 100644
index 43d8a67..0000000
--- a/roles/linux-ns/files/systemd/dn42_nginx.service
+++ /dev/null
@@ -1,37 +0,0 @@
-# Stop dance for nginx
-# =======================
-#
-# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
-# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
-# and sends SIGTERM (fast shutdown) to the main process.
-# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
-# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
-#
-# nginx signals reference doc:
-# http://nginx.org/en/docs/control.html
-#
-[Unit]
-Description=A high performance web server and a reverse proxy server
-Documentation=man:nginx(8)
-After=network-online.target remote-fs.target nss-lookup.target
-Wants=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-Type=forking
-PIDFile=/run/dn42_nginx.pid
-ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
-ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
-TimeoutStopSec=5
-KillMode=mixed
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
deleted file mode 100644
index 45cc367..0000000
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ /dev/null
@@ -1,55 +0,0 @@
-[Unit]
-Description=PowerDNS Authoritative Server dn42
-Documentation=man:pdns_server(1) man:pdns_control(1)
-Documentation=https://doc.powerdns.com
-Wants=network-online.target
-After=network-online.target time-sync.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
-SyslogIdentifier=pdns_server-dn42
-User=pdns
-Group=pdns
-Type=notify
-Restart=on-failure
-RestartSec=1
-StartLimitInterval=0
-RuntimeDirectory=pdns-dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-
-# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-LockPersonality=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-# Setting PrivateUsers=true prevents us from opening our sockets
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-# ProtectSystem=full will disallow write access to /etc and /usr, possibly
-# not being able to write slaved-zones into sqlite3 or zonefiles.
-ProtectSystem=full
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
-ProtectProc=invisible
-PrivateIPC=true
-RemoveIPC=true
-DevicePolicy=closed
-# Not enabled by default because it does not play well with LuaJIT
-# MemoryDenyWriteExecute=true
-NetworkNamespacePath=/run/netns/dn42
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
deleted file mode 100644
index bf17815..0000000
--- a/roles/linux-ns/files/systemd/dn42_tinc@.service
+++ /dev/null
@@ -1,31 +0,0 @@
-[Unit]
-Description=Tinc net %i in namespace dn42
-Documentation=info:tinc
-Documentation=man:tinc(8) man:tinc.conf(5)
-Documentation=http://tinc-vpn.org/docs/
-PartOf=tinc.service
-ReloadPropagatedFrom=tinc.service
-
-[Service]
-Type=simple
-WorkingDirectory=/etc/tinc/%i
-EnvironmentFile=/etc/default/tinc
-ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
-ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
-KillMode=mixed
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=5
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-RuntimeDirectory=./tinc/dn42/
-
-PrivateTmp=true
-#tun
-#PrivateDevices=true
-PrivateIPC=true
-
-#[Install]
-#WantedBy=tinc.service
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
deleted file mode 100644
index 0f67fda..0000000
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ /dev/null
@@ -1,28 +0,0 @@
-[Unit]
-Description=WireGuard via wg-quick(8) for %I
-PartOf=wg-quick.target
-Documentation=man:wg-quick(8)
-Documentation=man:wg(8)
-Documentation=https://www.wireguard.com/
-Documentation=https://www.wireguard.com/quickstart/
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
-After=dn42_namespace.service network-online.target nss-lookup.target
-Requires=dn42_namespace.service network-online.target nss-lookup.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
-ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
-#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
deleted file mode 100644
index c9735b7..0000000
--- a/roles/linux-ns/files/systemd/my-netns@.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Named network namespace %I
-Documentation=https://github.com/Jamesits/systemd-named-netns
-
-After=network-pre.target
-Before=network.target network-online.target
-
-[Install]
-WantedBy=network-online.target
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-
-# precaution
-ExecStartPre=-/usr/bin/env ip netns delete %I
-
-# set up netns and bind it to this service
-ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
-ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
-ExecStart=/usr/bin/env ip link set veth%I up
-ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
-ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
-ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
-
-# remove the netns
-ExecStop=/usr/bin/env ip link del veth%I
-# type veth peer vethpeer%I netns %I
-ExecStop=/usr/bin/env ip netns delete %I
diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt
deleted file mode 100644
index 99d220e..0000000
--- a/roles/linux-ns/files/systemd/readme.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-except my-netns@.service, consider these examples,
-or a "backup" for me. \ No newline at end of file