-rw-r--r-- | Makefile | 13 | ||||
-rw-r--r-- | conf/dnsmasq.conf | 9 | ||||
-rw-r--r-- | conf/interfaces.d_eth0 | 28 | ||||
-rwxr-xr-x | conf/network_if-up.d_samizdat | 5 | ||||
-rw-r--r-- | conf/postfix_main.cf | 43 | ||||
-rw-r--r-- | conf/torrc | 17 | ||||
-rwxr-xr-x | redo.sh | 6 | ||||
-rwxr-xr-x[-rw-r--r--] | src/publish-ip.sh | 0 | ||||
-rwxr-xr-x | src/samizdat-iptables.sh | 14 |
9 files changed, 133 insertions, 2 deletions
@@ -32,6 +32,19 @@ samizdat-paths.sh: src/samizdat-paths.in | |||
32 | @sed -e "s?PREFIX?$(prefix)?g" $< > $@ | 32 | @sed -e "s?PREFIX?$(prefix)?g" $< > $@ |
33 | include samizdat-paths.sh | 33 | include samizdat-paths.sh |
34 | 34 | ||
35 | install-configuration: | ||
36 | ifndef instdir | ||
37 | $(error "You must specify instdir, for safety.") | ||
38 | else | ||
39 | install -DT conf/dnsmasq.conf ${instdir}/etc/dnsmasq.conf | ||
40 | install -DT conf/interfaces.d_eth0 ${instdir}/etc/network/interfaces.d/eth0 | ||
41 | install -DT conf/network_if-up.d_samizdat ${instdir}/etc/network/if-up.d/samizdat | ||
42 | install -DT conf/postfix_main.cf ${instdir}/etc/postfix/main.cf | ||
43 | install -DT conf/torrc ${instdir}/etc/tor/torrc | ||
44 | ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/mailname | ||
45 | ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/hostname | ||
46 | endif | ||
47 | |||
35 | install: ${bin_programs} samizdat-paths.sh ${compiled_programs} | 48 | install: ${bin_programs} samizdat-paths.sh ${compiled_programs} |
36 | install ${bin_programs} ${instdir}${samizdat_bindir} | 49 | install ${bin_programs} ${instdir}${samizdat_bindir} |
37 | mkdir -p ${instdir}${samizdat_initrd_files_dir} | 50 | mkdir -p ${instdir}${samizdat_initrd_files_dir} |
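Review bot: `install -DT` without `-m` installs with mode 0755, so `dnsmasq.conf`, `interfaces.d/eth0`, `postfix/main.cf` and `torrc` all land in the target root as executables; give the four config lines `-m 644`, e.g. `install -DT -m 644 conf/torrc ${instdir}/etc/tor/torrc`, and leave only the if-up.d hook at the default mode. `install-configuration` is a command rather than a file, so list it in `.PHONY` next to `install`, and note in a comment that the `$(error …)` guard only protects this target — `install` on the following lines still writes straight into `/` when `instdir` is empty, which redo.sh in this commit appears to rely on. The two `ln -sf` lines make `/etc/hostname` and `/etc/mailname` follow the Tor hidden-service hostname; that publishes the onion name wherever the host name is disclosed (DHCP client option, mDNS, and the SMTP banner, since `postfix_main.cf` uses `$myhostname`), which may be intended for this project but deserves a one-line comment saying so.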
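diff --git a/conf/dnsmasq.conf b/conf/dnsmasq.conf
new file mode 100644
index 0000000..2b523ec
--- /dev/null
+++ b/conf/dnsmasq.conf
@@ -0,0 +1,9 @@
+interface=br0
+domain=localdomain
+dhcp-range=192.168.10.10,192.168.10.253,255.255.255.0,1h
+dhcp-boot=pxelinux.0,pxeserver,192.168.10.1
+pxe-service=x86PC, "Samizdat", pxelinux
+enable-tftp
+tftp-root=/usr/local/lib/samizdat-rhizome/isolinux
+tftp-unique-root
+dhcp-script=/usr/local/bin/dnsmasq-dhcp-script.sh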
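Review bot: `dhcp-script=/usr/local/bin/dnsmasq-dhcp-script.sh` is executed by dnsmasq (as the user dnsmasq runs under, normally root) on every lease event with the client's MAC, address and — when the client supplies one — its hostname as arguments, plus vendor/user-class strings in `DNSMASQ_*` environment variables; the script is not part of this commit, so confirm it quotes every argument and never feeds the hostname into `eval`, a shell `-c` string or a file path. A comment above that line would make the trust boundary visible: `# runs per lease with client-supplied argv (hostname in $4) and DNSMASQ_* env — treat as untrusted`. `enable-tftp` without `tftp-secure` serves any file under `/usr/local/lib/samizdat-rhizome/isolinux` that the dnsmasq process can read to anyone on br0; that is presumably the point of a PXE server, but stating it in the file (and keeping the tree free of anything but boot artefacts) avoids surprises later.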
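diff --git a/conf/interfaces.d_eth0 b/conf/interfaces.d_eth0
new file mode 100644
index 0000000..5ec8666
--- /dev/null
+++ b/conf/interfaces.d_eth0
@@ -0,0 +1,28 @@
+# iface eth0 inet static
+# address 192.168.10.1
+# netmask 255.255.255.0
+# # post-up ipsec restart
+
+auto br0 eth0
+
+iface br0 inet static
+address 192.168.10.1
+netmask 255.255.255.0
+## These are useful for VMs:
+# pre-up for n in 0 1 2 3 4; do tunctl -t tap$n; done; true
+# pre-down for n in 0 1 2 3 4; do tunctl -d tap$n; done; true
+# bridge_ports eth0 tap0 tap1 tap2 tap3 tap4
+# bridge_maxwait 10
+
+## Enable "internet connection sharing"
+up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
+up sysctl -w net.ipv4.ip_forward=1
+
+## Disable ipv6 auto-address.
+## This is needed sometimes, if ipv6 breaks ipv4.
+# pre-up echo 0 > /proc/sys/net/ipv6/conf/br0/accept_ra_pinfo
+
+# NB. 'ipsec reload' does not work very well
+post-up ipsec restart
+
+iface eth0 inet manual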
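Review bot: `up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE` appends a new rule on every `ifup br0` and nothing ever removes it, so duplicate MASQUERADE entries accumulate across interface bounces; make it idempotent the way the if-up.d hook in this commit tries to, e.g. `up iptables -t nat -C POSTROUTING -o wlan0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE` plus a matching `down iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE`. Combined with `sysctl -w net.ipv4.ip_forward=1`, this forwards anything from the bridge out via wlan0, and no FORWARD-chain rule or policy appears anywhere in this commit — the Tor REDIRECT rules added elsewhere sit in the nat OUTPUT chain and never see forwarded traffic — so every PXE client on br0 gets unfiltered clearnet access; add FORWARD rules or a comment stating that this is the intended behaviour. The `bridge_ports` line is commented out, so unless something outside this commit creates br0 and enslaves eth0, ifupdown will bring up an empty bridge (or fail to create it) and eth0 clients will never reach dnsmasq at 192.168.10.1; if the VM block is meant to stay disabled, a plain `bridge_ports eth0` is probably what is wanted, and the dead `tunctl` lines should say when to enable them.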
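diff --git a/conf/network_if-up.d_samizdat b/conf/network_if-up.d_samizdat
new file mode 100755
index 0000000..4c02c93
--- /dev/null
+++ b/conf/network_if-up.d_samizdat
@@ -0,0 +1,5 @@
+#!/bin/sh
+RULE='OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040'
+iptables -t nat -D $RULE 2>/dev/null
+[ "$VERBOSITY" -gt 0 ] && set -x
+iptables -t nat -A $RULE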
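Review bot: `[ "$VERBOSITY" -gt 0 ]` prints `integer expression expected` and fails whenever `VERBOSITY` is not exported (running the hook by hand, for instance), so write it `[ "${VERBOSITY:-0}" -gt 0 ] && set -x`. The delete-then-append sequence also opens a window with no REDIRECT rule on every interface event — the hook is not gated on `$IFACE`, so it fires for lo, eth0, br0 and wlan0 alike — during which a fresh TCP connection to a 10.192.0.0/10 mapped address is routed normally instead of into Tor's TransPort; `iptables -t nat -C $RULE 2>/dev/null || iptables -t nat -A $RULE` only appends when the rule is missing and has no gap. Note that `src/samizdat-iptables.sh` in this commit installs the identical rule via `iptables-restore`; a comment saying which of the two owns it would stop a third copy from appearing.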
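diff --git a/conf/postfix_main.cf b/conf/postfix_main.cf
new file mode 100644
index 0000000..7e11ff1
--- /dev/null
+++ b/conf/postfix_main.cf
@@ -0,0 +1,43 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = yes
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# It's 2013; we expect mail to be delivered quickly. Generate "delayed mail" warnings after 7 minutes.
+delay_warning_time = 7m
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost =
+mynetworks = 127.0.0.0/8 !127.84.111.114/32
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# Samizdat: this is necessary for .onion URLs to resolve (until we implement DNSSEC).
+smtp_host_lookup = native
+# postfix versions before 2.11:
+disable_dns_lookups = yes
+# postfix versions 2.11 and later:
+#smtp_dns_support_level = disabled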
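Review bot: `mynetworks = 127.0.0.0/8 !127.84.111.114/32` does not exclude the Tor-marked address: Postfix matches this list left to right and stops at the first hit, so `127.84.111.114` is accepted by `127.0.0.0/8` before the `!` entry is ever consulted. The iptables script in this commit SNATs every loopback connection made by `debian-tor` to that address, which is how connections arriving on the onion's port 25 are distinguished; with this ordering those clients are treated as `mynetworks`, and under the default `permit_mynetworks, reject_unauth_destination` any Tor user can relay mail through this host. Reorder it to `mynetworks = !127.84.111.114/32 127.0.0.0/8` and add a comment tying the address to the SNAT rule in `src/samizdat-iptables.sh` so the two stay in sync. `smtpd_use_tls=yes` is the pre-2.3 spelling — `smtpd_tls_security_level = may` is the supported form — and since `inet_interfaces = all` also offers the snakeoil certificate on br0 and wlan0, a comment that this is opportunistic, unverified TLS would set expectations.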
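diff --git a/conf/torrc b/conf/torrc
new file mode 100644
index 0000000..6e387ec
--- /dev/null
+++ b/conf/torrc
@@ -0,0 +1,17 @@
+SocksPort 9050 # what port to open for local application connections
+SocksListenAddress 127.0.0.1 # accept connections only from localhost
+
+HiddenServiceDir /var/lib/tor/samizdat/
+HiddenServicePort 80
+HiddenServicePort 22
+HiddenServicePort 25
+HiddenServicePort 11371
+
+HiddenServiceDir /var/lib/tor/tracker/
+HiddenServicePort 80 127.0.0.1:8070
+HiddenServicePort 2710 127.0.0.1:2710
+
+AutomapHostsOnResolve 1
+VirtualAddrNetwork 10.192.0.0/10
+DNSPort 553
+TransPort 9040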
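Review bot: `SocksListenAddress` is deprecated in favour of putting the address on the port line (recent Tor releases warn about it), so lines 1–2 should collapse to `SocksPort 127.0.0.1:9050`. `DNSPort 553` and `TransPort 9040` rely on Tor's default of binding to 127.0.0.1, which is exactly what the nat OUTPUT REDIRECT rules elsewhere in this commit assume; say so in a comment, e.g. `# DNSPort/TransPort must stay on 127.0.0.1 — the REDIRECT rules in samizdat-iptables.sh only cover local traffic`, so nobody later binds them to 192.168.10.1 and turns the box into an open transparent proxy for the bridge. `HiddenServicePort 22` publishes SSH under the same onion identity as the web, SMTP and HKP services, whereas the tracker gets its own `HiddenServiceDir`; presumably deliberate, but a one-line comment on why these four share one name would help the next reader.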
@@ -1,7 +1,9 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | 2 | set -ex | |
3 | instdir=/home/d/sami/iso/debootstrap/jess | ||
3 | sudo make install | 4 | sudo make install |
4 | (cd ~/sami; sudo make install instdir=/home/d/sami/iso/debootstrap/jess) | 5 | (cd ~/sami && sudo make instdir=${instdir} install install-configuration) |
6 | (cd ~/src/kiki && stack install && sudo cp ~/.local/bin/*kiki ${instdir}/usr/local/bin/) | ||
5 | sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/ | 7 | sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/ |
6 | sudo initrd.sh | 8 | sudo initrd.sh |
7 | sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/ | 9 | sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/ |
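Review bot: The last line still hard-codes `~/sami/iso/debootstrap/jess` even though this commit introduces `instdir` for exactly that path, so the two will drift; change it to `sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ${instdir}/usr/local/lib/samizdat-rhizome/isolinux/linux/`. Line 4's bare `sudo make install` runs with `instdir` unset and therefore installs the binaries onto the build host itself — the Makefile only guards `install-configuration` — which the initrd build on lines 7–8 appears to need, but a comment saying that is intentional would stop someone "fixing" it. `stack install` on line 6 fetches and builds kiki's dependencies from the network as part of producing the image; whatever pins that resolver lives in the kiki checkout, so note it here if reproducible image builds are a goal.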
diff --git a/src/publish-ip.sh b/src/publish-ip.sh index 7da41b9..7da41b9 100644..100755 --- a/src/publish-ip.sh +++ b/src/publish-ip.sh | |||
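diff --git a/src/samizdat-iptables.sh b/src/samizdat-iptables.sh
new file mode 100755
index 0000000..db5d039
--- /dev/null
+++ b/src/samizdat-iptables.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+iptables-restore -T nat <<END
+*nat
+:PREROUTING ACCEPT [1369:182220]
+:INPUT ACCEPT [2086:276956]
+:OUTPUT ACCEPT [134:22171]
+:POSTROUTING ACCEPT [144:22882]
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
+-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
+-A OUTPUT -d 10.192.0.0/10 -p tcp -j REDIRECT --to-ports 9040
+-A OUTPUT -d 10.64.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8118
+-A POSTROUTING -s 127.0.0.1/32 -m owner --uid-owner debian-tor -j SNAT --to-source 127.84.111.114
+COMMIT
+END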
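Review bot: The port-53 rules redirect the host's DNS to `--to-ports 535`, while `conf/torrc` in this commit opens Tor's resolver on `DNSPort 553`; if 535 is the local unbound/pdns listener (the `--uid-owner` exemptions suggest so) that is fine, but the `.onion` lookups `postfix_main.cf` depends on then hinge on that resolver forwarding to 553, so check the two numbers for a transposition and record the chain on line 8: `# 535 = local recursor (unbound/pdns); it must forward .onion to Tor's DNSPort 553`. The script programs IPv4 only — there is no `ip6tables` counterpart — so if the host has IPv6 connectivity, DNS over IPv6 and any IPv6 destination bypass both the 53→535 and the 10.192.0.0/10→9040 redirects; mirror the rules in ip6tables or document that IPv6 must stay disabled (the interfaces file in this commit already hints at IPv6 trouble). The counters in the chain headers (`:OUTPUT ACCEPT [134:22171]` etc.) are `iptables-save` residue that `iptables-restore` ignores without `-c`; write them as `[0:0]` so they do not look meaningful.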