Diffstat (limited to 'roles/linux-ns/files')
-rw-r--r-- | roles/linux-ns/files/iptables/ip6tables.save | 38 | ||||
-rw-r--r-- | roles/linux-ns/files/iptables/iptables.save | 24 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird-lg.service | 24 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird-lgproxy.service | 24 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird.service | 25 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_namespace.service | 17 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_nginx.service | 37 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_pdns.service | 55 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_tinc@.service | 31 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_wg@.service | 28 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/my-netns@.service | 30 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/readme.txt | 2 |
12 files changed, 0 insertions, 335 deletions
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
deleted file mode 100644
index 036e5a5..0000000
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ /dev/null
@@ -1,38 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmpv6 -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-# BGP
--A INPUT -p tcp --dport 179 -j ACCEPT
-# LG
--A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
-
--A INPUT -j REJECT --reject-with icmp6-port-unreachable
-
--A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-
-COMMIT
-
-*mangle
--A PREROUTING -i eth0 -j MARK --set-mark 0x4242
-COMMIT
-
-*nat
--A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
-COMMIT
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
deleted file mode 100644
index 4f72cc5..0000000
--- a/roles/linux-ns/files/iptables/iptables.save
+++ /dev/null
@@ -1,24 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
--A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
--A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
--A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp-port-unreachable
-
-COMMIT
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
deleted file mode 100644
index 85c5358..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lg.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass - DN42 edition
-Requires=network-online.target
-After=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/lgstart.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LG_PORT=6142"
-Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
deleted file mode 100644
index 273ab16..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass Proxy
-Requires=network-online.target dn42_bird.service
-After=network-online.target dn42_bird.service
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/start.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LGPROXY_PORT=6042"
-Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
deleted file mode 100644
index cbf80f0..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird.service
+++ /dev/null
@@ -1,25 +0,0 @@
-[Unit]
-Description=BIRD Internet Routing Daemon - DN42 daemon
-After=network.target
-Wants=dn42_tinc@tn_int.service
-After=dn42_tinc@tn_int.service
-
-[Service]
-EnvironmentFile=/etc/bird/envvars
-ExecStartPre=/bin/sleep 3
-ExecStartPre=/usr/lib/bird/prepare-environment
-ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
-ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
-ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
-Restart=on-abort
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-# rel: /var/log
-# nope, doesn't work, bird must start with root
-#LogsDirectory=
-ReadWritePaths=/run/bird/ /var/log/bird/dn42/
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service
deleted file mode 100644
index 4034879..0000000
--- a/roles/linux-ns/files/systemd/dn42_namespace.service
+++ /dev/null
@@ -1,17 +0,0 @@
-# fine-adjustments, routing, etcpp
-
-[Unit]
-Description=DN42 Network namespace
-After=network-online.target my-netns@dn42.service
-Requires=my-netns@dn42.service
-Before=dn42_tinc@tn_int.service
-WantedBy=dn42_tinc@tn_int.service
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/dn42-route-namespace.sh start
-ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
-RemainAfterExit=yes
diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service
deleted file mode 100644
index 43d8a67..0000000
--- a/roles/linux-ns/files/systemd/dn42_nginx.service
+++ /dev/null
@@ -1,37 +0,0 @@
-# Stop dance for nginx
-# =======================
-#
-# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
-# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
-# and sends SIGTERM (fast shutdown) to the main process.
-# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
-# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
-#
-# nginx signals reference doc:
-# http://nginx.org/en/docs/control.html
-#
-[Unit]
-Description=A high performance web server and a reverse proxy server
-Documentation=man:nginx(8)
-After=network-online.target remote-fs.target nss-lookup.target
-Wants=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-Type=forking
-PIDFile=/run/dn42_nginx.pid
-ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
-ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
-TimeoutStopSec=5
-KillMode=mixed
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
deleted file mode 100644
index 45cc367..0000000
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ /dev/null
@@ -1,55 +0,0 @@
-[Unit]
-Description=PowerDNS Authoritative Server dn42
-Documentation=man:pdns_server(1) man:pdns_control(1)
-Documentation=https://doc.powerdns.com
-Wants=network-online.target
-After=network-online.target time-sync.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
-SyslogIdentifier=pdns_server-dn42
-User=pdns
-Group=pdns
-Type=notify
-Restart=on-failure
-RestartSec=1
-StartLimitInterval=0
-RuntimeDirectory=pdns-dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-
-# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-LockPersonality=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-# Setting PrivateUsers=true prevents us from opening our sockets
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-# ProtectSystem=full will disallow write access to /etc and /usr, possibly
-# not being able to write slaved-zones into sqlite3 or zonefiles.
-ProtectSystem=full
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
-ProtectProc=invisible
-PrivateIPC=true
-RemoveIPC=true
-DevicePolicy=closed
-# Not enabled by default because it does not play well with LuaJIT
-# MemoryDenyWriteExecute=true
-NetworkNamespacePath=/run/netns/dn42
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
deleted file mode 100644
index bf17815..0000000
--- a/roles/linux-ns/files/systemd/dn42_tinc@.service
+++ /dev/null
@@ -1,31 +0,0 @@
-[Unit]
-Description=Tinc net %i in namespace dn42
-Documentation=info:tinc
-Documentation=man:tinc(8) man:tinc.conf(5)
-Documentation=http://tinc-vpn.org/docs/
-PartOf=tinc.service
-ReloadPropagatedFrom=tinc.service
-
-[Service]
-Type=simple
-WorkingDirectory=/etc/tinc/%i
-EnvironmentFile=/etc/default/tinc
-ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
-ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
-KillMode=mixed
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=5
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-RuntimeDirectory=./tinc/dn42/
-
-PrivateTmp=true
-#tun
-#PrivateDevices=true
-PrivateIPC=true
-
-#[Install]
-#WantedBy=tinc.service
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
deleted file mode 100644
index 0f67fda..0000000
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ /dev/null
@@ -1,28 +0,0 @@
-[Unit]
-Description=WireGuard via wg-quick(8) for %I
-PartOf=wg-quick.target
-Documentation=man:wg-quick(8)
-Documentation=man:wg(8)
-Documentation=https://www.wireguard.com/
-Documentation=https://www.wireguard.com/quickstart/
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
-After=dn42_namespace.service network-online.target nss-lookup.target
-Requires=dn42_namespace.service network-online.target nss-lookup.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
-ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
-#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
deleted file mode 100644
index c9735b7..0000000
--- a/roles/linux-ns/files/systemd/my-netns@.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Named network namespace %I
-Documentation=https://github.com/Jamesits/systemd-named-netns
-
-After=network-pre.target
-Before=network.target network-online.target
-
-[Install]
-WantedBy=network-online.target
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-
-# precaution
-ExecStartPre=-/usr/bin/env ip netns delete %I
-
-# set up netns and bind it to this service
-ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
-ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
-ExecStart=/usr/bin/env ip link set veth%I up
-ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
-ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
-ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
-
-# remove the netns
-ExecStop=/usr/bin/env ip link del veth%I
-# type veth peer vethpeer%I netns %I
-ExecStop=/usr/bin/env ip netns delete %I
diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt
deleted file mode 100644
index 99d220e..0000000
--- a/roles/linux-ns/files/systemd/readme.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-except my-netns@.service, consider these examples,
-or a "backup" for me.
\ No newline at end of file |