Diffstat (limited to 'roles/linux_ns/files/systemd')
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird-lg.service | 24 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird-lgproxy.service | 24 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird.service | 25 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_namespace.service | 17 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_nginx.service | 37 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_pdns.service | 55 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_tinc@.service | 31 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_wg@.service | 28 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/my-netns@.service | 30 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/readme.txt | 2 |
10 files changed, 273 insertions, 0 deletions
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lg.service b/roles/linux_ns/files/systemd/dn42_bird-lg.service
new file mode 100644
index 0000000..85c5358
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lg.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass - DN42 edition
+Requires=network-online.target
+After=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LG_PORT=6142"
+Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
new file mode 100644
index 0000000..273ab16
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass Proxy
+Requires=network-online.target dn42_bird.service
+After=network-online.target dn42_bird.service
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/start.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LGPROXY_PORT=6042"
+Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
diff --git a/roles/linux_ns/files/systemd/dn42_bird.service b/roles/linux_ns/files/systemd/dn42_bird.service
new file mode 100644
index 0000000..cbf80f0
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird.service
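Review bot: `ExecStart=/bin/bash /home/lgproxy/lgstart.sh` runs a script that lives in the service user's own, writable home directory, so anyone who gets code execution as `lgproxy` (the looking glass is the network-facing piece) can edit its own start script and persist across restarts; the unit also lacks `NoNewPrivileges=`, `ProtectSystem=` and `ProtectHome=`, which the bird, tinc and wg units in this change do set. If the looking glass only needs to read its code and config under /home, `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=read-only` fit here, and `lgstart.sh` belongs in a root-owned location such as /usr/local/bin. Whether lgstart.sh writes into the home directory is not visible from this unit — confirm before switching to read-only.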
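Review bot: Same pattern as dn42_bird-lg.service — `ExecStart=/bin/bash /home/lgproxy/start.sh` executes a user-writable script as that same user with no `NoNewPrivileges=`/`ProtectSystem=`/`ProtectHome=`, and this is the component that relays commands to bird's control socket, so hardening it matters more than the frontend. `Requires=network-online.target dn42_bird.service` couples it to bird, but nothing here grants `lgproxy` access to the socket bird creates under `/run/bird/` as user/group `bird`; presumably socket permissions or a `SupplementaryGroups=bird` line are handled elsewhere, and a comment would save the next reader the search, e.g. `# needs read/write on /run/bird/bird_dn42.sock (see dn42_bird.service)`.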
@@ -0,0 +1,25 @@
+[Unit]
+Description=BIRD Internet Routing Daemon - DN42 daemon
+After=network.target
+Wants=dn42_tinc@tn_int.service
+After=dn42_tinc@tn_int.service
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/bin/sleep 3
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
+ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
+ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
+Restart=on-abort
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+# rel: /var/log
+# nope, doesn't work, bird must start with root
+#LogsDirectory=
+ReadWritePaths=/run/bird/ /var/log/bird/dn42/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_namespace.service b/roles/linux_ns/files/systemd/dn42_namespace.service
new file mode 100644
index 0000000..4034879
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_namespace.service
@@ -0,0 +1,17 @@
+# fine-adjustments, routing, etcpp
+
+[Unit]
+Description=DN42 Network namespace
+After=network-online.target my-netns@dn42.service
+Requires=my-netns@dn42.service
+Before=dn42_tinc@tn_int.service
+WantedBy=dn42_tinc@tn_int.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/dn42-route-namespace.sh start
+ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
+RemainAfterExit=yes
diff --git a/roles/linux_ns/files/systemd/dn42_nginx.service b/roles/linux_ns/files/systemd/dn42_nginx.service
new file mode 100644
index 0000000..43d8a67
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_nginx.service
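Review bot: `ExecStartPre=/bin/sleep 3` stands in for a dependency that is missing: the unit joins `/run/netns/dn42` via `NetworkNamespacePath=` yet declares no `Requires=` on `dn42_namespace.service` or `my-netns@dn42.service`, only `Wants=`/`After=dn42_tinc@tn_int.service`, and the tinc template itself does not require the namespace either. If the namespace unit is not active the path is absent and the start fails however long the sleep; if it is active the sleep buys nothing. Replace the sleep with `Requires=dn42_namespace.service` and `After=dn42_namespace.service`, as the other dn42_* units in this change do. The comment `# nope, doesn't work, bird must start with root` would be clearer as a note on the missing `User=`, e.g. `# no User=: bird is started as root and drops to bird:bird itself via -u/-g`.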
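Review bot: `WantedBy=dn42_tinc@tn_int.service` sits in the `[Unit]` section, where it is not a recognised key — `WantedBy=` is an `[Install]` directive — so systemd ignores it with an "Unknown key name" warning and starting the tinc instance will not pull this namespace in; only the `Before=` ordering remains. Either move it under `[Install]` next to `WantedBy=multi-user.target` (it then only takes effect on `systemctl enable`), or, more robustly, add `Requires=dn42_namespace.service` and `After=dn42_namespace.service` to dn42_tinc@.service as the other dn42_* units do. The `# fine-adjustments, routing, etcpp` header could also say what `dn42-route-namespace.sh` is expected to do on `start`/`stop` and that it runs as root in the host's network namespace — no `NetworkNamespacePath=` is set here and `ExecStart=` is not wrapped in `ip netns exec`, so the script has to enter the namespace itself.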
@@ -0,0 +1,37 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+Type=forking
+PIDFile=/run/dn42_nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_pdns.service b/roles/linux_ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..45cc367
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_pdns.service
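Review bot: The nginx master runs as root here with none of the filesystem confinement its siblings get (`ProtectSystem=strict` in dn42_bird, dn42_tinc@ and dn42_wg@, the full `# Sandboxing` block in dn42_pdns), so the root-owned master can write anywhere on the host. `ProtectSystem=strict`, `ProtectHome=true` and `NoNewPrivileges=true` (nginx only drops privileges to its worker user, which NNP permits) are the obvious additions, together with `ReadWritePaths=` for the log, cache and pid locations that /etc/nginx/dn42/nginx.conf uses — under `strict`, /run is read-only as well, so `/run/dn42_nginx.pid` must be listed or moved into a `RuntimeDirectory=`. `PIDFile=/run/dn42_nginx.pid` also has to match the `pid` directive in that config, which is not visible here; if they differ, `Type=forking` startup and the `start-stop-daemon --pidfile` stop path both misbehave. A comment pinning that coupling would help, e.g. `# must match 'pid /run/dn42_nginx.pid;' in /etc/nginx/dn42/nginx.conf`.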
@@ -0,0 +1,55 @@
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_tinc@.service b/roles/linux_ns/files/systemd/dn42_tinc@.service
new file mode 100644
index 0000000..bf17815
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_tinc@.service
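Review bot: `StartLimitInterval=0` in `[Service]` switches start rate limiting off entirely, and together with `Restart=on-failure` / `RestartSec=1` a persistent failure (bad dn42 config, `/run/netns/dn42` missing) becomes a tight restart loop that writes to the journal every second for as long as nobody notices. It is also the older spelling — current systemd places this as `StartLimitIntervalSec=` in `[Unit]`. Keep the default burst limit or set something bounded such as `StartLimitIntervalSec=60` and `StartLimitBurst=5` in `[Unit]`, and if unlimited restarts really are wanted, say why in a comment. The sandboxing block is the most complete in this change; the `ProtectSystem=full` comment explains the weaker setting, which is only justified if the dn42 backend actually writes under /etc or /usr — worth confirming for this config-name so it can be tightened to `strict` plus `ReadWritePaths=` otherwise.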
@@ -0,0 +1,31 @@
+[Unit]
+Description=Tinc net %i in namespace dn42
+Documentation=info:tinc
+Documentation=man:tinc(8) man:tinc.conf(5)
+Documentation=http://tinc-vpn.org/docs/
+PartOf=tinc.service
+ReloadPropagatedFrom=tinc.service
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/tinc/%i
+EnvironmentFile=/etc/default/tinc
+ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
+ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
+KillMode=mixed
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=5
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+RuntimeDirectory=./tinc/dn42/
+
+PrivateTmp=true
+#tun
+#PrivateDevices=true
+PrivateIPC=true
+
+#[Install]
+#WantedBy=tinc.service
diff --git a/roles/linux_ns/files/systemd/dn42_wg@.service b/roles/linux_ns/files/systemd/dn42_wg@.service
new file mode 100644
index 0000000..0f67fda
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_wg@.service
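Review bot: Every instance of this template uses the same `--pidfile /run/tinc/dn42/tinc.pid` while `-c`/`-n` are per-instance, so two dn42_tinc@ instances would overwrite each other's pid file and `ExecReload`'s `-kHUP` would signal whichever one wrote it last; use `--pidfile /run/tinc/dn42/%i.pid` in both Exec lines. `WorkingDirectory=/etc/tinc/%i` also disagrees with the config path `/etc/tinc/dn42/%i/` — if `/etc/tinc/%i` does not exist the exec fails before tincd even starts (there is no `-` prefix to tolerate a missing directory), and `WorkingDirectory=/etc/tinc/dn42/%i` looks like what was meant. `RuntimeDirectory=./tinc/dn42/` is at least unconventional; the documented form is the plain relative name `tinc/dn42`. Finally the unit joins `/run/netns/dn42` but declares no dependency on `dn42_namespace.service`, so `Requires=dn42_namespace.service` plus `After=dn42_namespace.service` belongs here as in the other dn42_* units.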
@@ -0,0 +1,28 @@
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.com/
+Documentation=https://www.wireguard.com/quickstart/
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+After=dn42_namespace.service network-online.target nss-lookup.target
+Requires=dn42_namespace.service network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
+ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
+#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/my-netns@.service b/roles/linux_ns/files/systemd/my-netns@.service
new file mode 100644
index 0000000..c9735b7
--- /dev/null
+++ b/roles/linux_ns/files/systemd/my-netns@.service
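Review bot: `Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity` makes `wg-quick up` retry endpoint DNS resolution forever, and since `Type=oneshot` units default to `TimeoutStartSec=infinity`, a peer whose hostname does not resolve (no working DNS inside the namespace yet, or a record that is gone) leaves this unit in `activating` indefinitely and holds up everything ordered after it on the way to multi-user.target. Bound it with a finite retry count or add an explicit `TimeoutStartSec=` (e.g. `TimeoutStartSec=120`) so a dead peer fails the unit instead of the boot. The commented-out `ExecReload` passes the bare name `%i`, which makes `wg-quick strip` / `wg syncconf` look for `/etc/wireguard/%i.conf` rather than the `/etc/wireguard/dn42/%i.conf` this unit actually brings up; if it is ever re-enabled it needs the same path. The config file holds the private key and is read as root by wg-quick — presumably the role installs it 0600, which is not visible here.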
@@ -0,0 +1,30 @@
+[Unit]
+Description=Named network namespace %I
+Documentation=https://github.com/Jamesits/systemd-named-netns
+
+After=network-pre.target
+Before=network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# precaution
+ExecStartPre=-/usr/bin/env ip netns delete %I
+
+# set up netns and bind it to this service
+ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
+ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
+ExecStart=/usr/bin/env ip link set veth%I up
+ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
+ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
+ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
+
+# remove the netns
+ExecStop=/usr/bin/env ip link del veth%I
+# type veth peer vethpeer%I netns %I
+ExecStop=/usr/bin/env ip netns delete %I
diff --git a/roles/linux_ns/files/systemd/readme.txt b/roles/linux_ns/files/systemd/readme.txt
new file mode 100644
index 0000000..99d220e
--- /dev/null
+++ b/roles/linux_ns/files/systemd/readme.txt
@@ -0,0 +1,2 @@
+except my-netns@.service, consider these examples,
+or a "backup" for me.
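Review bot: `ExecStartPre=-/usr/bin/env ip netns delete %I` (the "precaution") removes any existing namespace of that name on every start, including a restart of this template while daemons are still running inside it; those daemons keep the old namespace alive through their own references, but `/run/netns/%I` is then re-created as a new namespace, so anything started afterwards joins a different namespace than the daemons already running and the two silently diverge. Units that only `Wants=`/`After=` the chain (dn42_bird and dn42_tinc@ in this change) are not restarted by a restart here and are the ones left behind. Prefer dropping the pre-delete and letting `ip netns add` fail loudly when the name exists, and note that the delete runs outside the `flock` that guards the add. `vethpeer%I` also hits the kernel's 15-character interface-name limit for any instance name longer than 7 characters (`dn42` is fine; a longer instance makes `ip link add` fail), which deserves a comment such as `# interface names are capped at 15 chars: keep %I <= 7` or a shorter prefix.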
\ No newline at end of file |