9 files changed, 133 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index 7e3fde1..2389535 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,19 @@ samizdat-paths.sh: src/samizdat-paths.in
        @sed -e "s?PREFIX?$(prefix)?g" $< > $@
 include samizdat-paths.sh
+install-configuration:
+ifndef instdir
+        $(error "You must specify instdir, for safety.")
+else
+        install -DT  conf/dnsmasq.conf              ${instdir}/etc/dnsmasq.conf
+        install -DT  conf/interfaces.d_eth0         ${instdir}/etc/network/interfaces.d/eth0
+        install -DT  conf/network_if-up.d_samizdat  ${instdir}/etc/network/if-up.d/samizdat
+        install -DT  conf/postfix_main.cf           ${instdir}/etc/postfix/main.cf
+        install -DT  conf/torrc                     ${instdir}/etc/tor/torrc
+        ln -sf /var/cache/kiki/config/tor/hostname  ${instdir}/etc/mailname
+        ln -sf /var/cache/kiki/config/tor/hostname  ${instdir}/etc/hostname
+endif
 install: ${bin_programs} samizdat-paths.sh ${compiled_programs}
        install ${bin_programs} ${instdir}${samizdat_bindir}
        mkdir -p ${instdir}${samizdat_initrd_files_dir}
diff --git a/conf/dnsmasq.conf b/conf/dnsmasq.conf
new file mode 100644
index 0000000..2b523ec
--- /dev/null
+++ b/conf/dnsmasq.conf
@@ -0,0 +1,9 @@
+interface=br0
+domain=localdomain
+dhcp-range=192.168.10.10,192.168.10.253,255.255.255.0,1h
+dhcp-boot=pxelinux.0,pxeserver,192.168.10.1
+pxe-service=x86PC, "Samizdat", pxelinux
+enable-tftp
+tftp-root=/usr/local/lib/samizdat-rhizome/isolinux
+tftp-unique-root
+dhcp-script=/usr/local/bin/dnsmasq-dhcp-script.sh
diff --git a/conf/interfaces.d_eth0 b/conf/interfaces.d_eth0
new file mode 100644
index 0000000..5ec8666
--- /dev/null
+++ b/conf/interfaces.d_eth0
@@ -0,0 +1,28 @@
+# iface eth0 inet static
+#   address 192.168.10.1
+#   netmask 255.255.255.0
+# # post-up ipsec restart
+auto br0 eth0
+iface br0 inet static
+  address 192.168.10.1
+  netmask 255.255.255.0
+## These are useful for VMs:
+# pre-up   for n in 0 1 2 3 4; do tunctl -t tap$n; done; true
+# pre-down for n in 0 1 2 3 4; do tunctl -d tap$n; done; true
+# bridge_ports eth0 tap0 tap1 tap2 tap3 tap4
+# bridge_maxwait 10
+## Enable "internet connection sharing"
+  up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
+  up sysctl -w net.ipv4.ip_forward=1
+## Disable ipv6 auto-address.
+## This is needed sometimes, if ipv6 breaks ipv4.
+# pre-up echo 0 > /proc/sys/net/ipv6/conf/br0/accept_ra_pinfo
+# NB. 'ipsec reload' does not work very well
+  post-up ipsec restart
+iface eth0 inet manual
diff --git a/conf/network_if-up.d_samizdat b/conf/network_if-up.d_samizdat
new file mode 100755
index 0000000..4c02c93
--- /dev/null
+++ b/conf/network_if-up.d_samizdat
@@ -0,0 +1,5 @@
+#!/bin/sh
+RULE='OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040'
+iptables -t nat -D $RULE  2>/dev/null
+[ "$VERBOSITY" -gt 0 ] && set -x
+iptables -t nat -A $RULE
diff --git a/conf/postfix_main.cf b/conf/postfix_main.cf
new file mode 100644
index 0000000..7e11ff1
--- /dev/null
+++ b/conf/postfix_main.cf
@@ -0,0 +1,43 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+myorigin = /etc/mailname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = yes
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+# It's 2013; we expect mail to be delivered quickly.  Generate "delayed mail" warnings after 7 minutes.
+delay_warning_time = 7m
+readme_directory = no
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost = 
+mynetworks = 127.0.0.0/8 !127.84.111.114/32
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+# Samizdat: this is necessary for .onion URLs to resolve (until we implement DNSSEC).
+smtp_host_lookup = native
+# postfix versions before 2.11:
+disable_dns_lookups = yes
+# postfix versions 2.11 and later:
+#smtp_dns_support_level = disabled
diff --git a/conf/torrc b/conf/torrc
new file mode 100644
index 0000000..6e387ec
--- /dev/null
+++ b/conf/torrc
@@ -0,0 +1,17 @@
+SocksPort 9050 # what port to open for local application connections
+SocksListenAddress 127.0.0.1 # accept connections only from localhost
+HiddenServiceDir /var/lib/tor/samizdat/
+HiddenServicePort 80
+HiddenServicePort 22
+HiddenServicePort 25
+HiddenServicePort 11371
+HiddenServiceDir /var/lib/tor/tracker/
+HiddenServicePort 80 127.0.0.1:8070
+HiddenServicePort 2710 127.0.0.1:2710
+AutomapHostsOnResolve 1
+VirtualAddrNetwork 10.192.0.0/10
+DNSPort 553
+TransPort 9040
diff --git a/redo.sh b/redo.sh
index f618a79..703b830 100755
--- a/redo.sh
+++ b/redo.sh
@@ -1,7 +1,9 @@
 #!/bin/sh
+set -ex
+instdir=/home/d/sami/iso/debootstrap/jess
 sudo make install
-(cd ~/sami; sudo make install instdir=/home/d/sami/iso/debootstrap/jess)
+(cd ~/sami && sudo make instdir=${instdir} install install-configuration)
+(cd ~/src/kiki && stack install && sudo cp ~/.local/bin/*kiki ${instdir}/usr/local/bin/)
 sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/
 sudo initrd.sh
 sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/
diff --git a/src/publish-ip.sh b/src/publish-ip.sh
index 7da41b9..7da41b9 100644..100755
--- a/src/publish-ip.sh
+++ b/src/publish-ip.sh
diff --git a/src/samizdat-iptables.sh b/src/samizdat-iptables.sh
new file mode 100755
index 0000000..db5d039
--- /dev/null
+++ b/src/samizdat-iptables.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+iptables-restore -T nat <<END
+*nat
+:PREROUTING ACCEPT [1369:182220]
+:INPUT ACCEPT [2086:276956]
+:OUTPUT ACCEPT [134:22171]
+:POSTROUTING ACCEPT [144:22882]
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
+-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
+-A OUTPUT -d 10.192.0.0/10 -p tcp -j REDIRECT --to-ports 9040
+-A OUTPUT -d 10.64.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8118
+-A POSTROUTING -s 127.0.0.1/32 -m owner --uid-owner debian-tor -j SNAT --to-source 127.84.111.114
+COMMIT
+END

diff --git a/Makefile b/Makefile index 7e3fde1..2389535 100644 --- a/Makefile +++ b/Makefile
@@ -32,6 +32,19 @@ samizdat-paths.sh: src/samizdat-paths.in
32	@sed -e "s?PREFIX?$(prefix)?g" $< > $@	32	@sed -e "s?PREFIX?$(prefix)?g" $< > $@
33	include samizdat-paths.sh	33	include samizdat-paths.sh
34		34
		35	install-configuration:
		36	ifndef instdir
		37	$(error "You must specify instdir, for safety.")
		38	else
		39	install -DT conf/dnsmasq.conf ${instdir}/etc/dnsmasq.conf
		40	install -DT conf/interfaces.d_eth0 ${instdir}/etc/network/interfaces.d/eth0
		41	install -DT conf/network_if-up.d_samizdat ${instdir}/etc/network/if-up.d/samizdat
		42	install -DT conf/postfix_main.cf ${instdir}/etc/postfix/main.cf
		43	install -DT conf/torrc ${instdir}/etc/tor/torrc
		44	ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/mailname
		45	ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/hostname
		46	endif
		47
35	install: ${bin_programs} samizdat-paths.sh ${compiled_programs}	48	install: ${bin_programs} samizdat-paths.sh ${compiled_programs}
36	install ${bin_programs} ${instdir}${samizdat_bindir}	49	install ${bin_programs} ${instdir}${samizdat_bindir}
37	mkdir -p ${instdir}${samizdat_initrd_files_dir}	50	mkdir -p ${instdir}${samizdat_initrd_files_dir}


diff --git a/conf/dnsmasq.conf b/conf/dnsmasq.conf new file mode 100644 index 0000000..2b523ec --- /dev/null +++ b/conf/dnsmasq.conf
@@ -0,0 +1,9 @@
		1	interface=br0
		2	domain=localdomain
		3	dhcp-range=192.168.10.10,192.168.10.253,255.255.255.0,1h
		4	dhcp-boot=pxelinux.0,pxeserver,192.168.10.1
		5	pxe-service=x86PC, "Samizdat", pxelinux
		6	enable-tftp
		7	tftp-root=/usr/local/lib/samizdat-rhizome/isolinux
		8	tftp-unique-root
		9	dhcp-script=/usr/local/bin/dnsmasq-dhcp-script.sh


diff --git a/conf/interfaces.d_eth0 b/conf/interfaces.d_eth0 new file mode 100644 index 0000000..5ec8666 --- /dev/null +++ b/conf/interfaces.d_eth0
@@ -0,0 +1,28 @@
		1	# iface eth0 inet static
		2	# address 192.168.10.1
		3	# netmask 255.255.255.0
		4	# # post-up ipsec restart
		5
		6	auto br0 eth0
		7
		8	iface br0 inet static
		9	address 192.168.10.1
		10	netmask 255.255.255.0
		11	## These are useful for VMs:
		12	# pre-up for n in 0 1 2 3 4; do tunctl -t tap$n; done; true
		13	# pre-down for n in 0 1 2 3 4; do tunctl -d tap$n; done; true
		14	# bridge_ports eth0 tap0 tap1 tap2 tap3 tap4
		15	# bridge_maxwait 10
		16
		17	## Enable "internet connection sharing"
		18	up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
		19	up sysctl -w net.ipv4.ip_forward=1
		20
		21	## Disable ipv6 auto-address.
		22	## This is needed sometimes, if ipv6 breaks ipv4.
		23	# pre-up echo 0 > /proc/sys/net/ipv6/conf/br0/accept_ra_pinfo
		24
		25	# NB. 'ipsec reload' does not work very well
		26	post-up ipsec restart
		27
		28	iface eth0 inet manual


diff --git a/conf/network_if-up.d_samizdat b/conf/network_if-up.d_samizdat new file mode 100755 index 0000000..4c02c93 --- /dev/null +++ b/conf/network_if-up.d_samizdat
@@ -0,0 +1,5 @@
		1	#!/bin/sh
		2	RULE='OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040'
		3	iptables -t nat -D $RULE 2>/dev/null
		4	[ "$VERBOSITY" -gt 0 ] && set -x
		5	iptables -t nat -A $RULE


diff --git a/conf/postfix_main.cf b/conf/postfix_main.cf new file mode 100644 index 0000000..7e11ff1 --- /dev/null +++ b/conf/postfix_main.cf
@@ -0,0 +1,43 @@
		1	# See /usr/share/postfix/main.cf.dist for a commented, more complete version
		2
		3
		4	# Debian specific: Specifying a file name will cause the first
		5	# line of that file to be used as the name. The Debian default
		6	# is /etc/mailname.
		7	myorigin = /etc/mailname
		8
		9	smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
		10	biff = yes
		11
		12	# appending .domain is the MUA's job.
		13	append_dot_mydomain = no
		14
		15	# It's 2013; we expect mail to be delivered quickly. Generate "delayed mail" warnings after 7 minutes.
		16	delay_warning_time = 7m
		17
		18	readme_directory = no
		19
		20	# TLS parameters
		21	smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
		22	smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
		23	smtpd_use_tls=yes
		24	smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
		25	smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
		26
		27	# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
		28	# information on enabling SSL in the smtp client.
		29
		30	alias_maps = hash:/etc/aliases
		31	alias_database = hash:/etc/aliases
		32	relayhost =
		33	mynetworks = 127.0.0.0/8 !127.84.111.114/32
		34	mailbox_size_limit = 0
		35	recipient_delimiter = +
		36	inet_interfaces = all
		37
		38	# Samizdat: this is necessary for .onion URLs to resolve (until we implement DNSSEC).
		39	smtp_host_lookup = native
		40	# postfix versions before 2.11:
		41	disable_dns_lookups = yes
		42	# postfix versions 2.11 and later:
		43	#smtp_dns_support_level = disabled


diff --git a/conf/torrc b/conf/torrc new file mode 100644 index 0000000..6e387ec --- /dev/null +++ b/conf/torrc
@@ -0,0 +1,17 @@
		1	SocksPort 9050 # what port to open for local application connections
		2	SocksListenAddress 127.0.0.1 # accept connections only from localhost
		3
		4	HiddenServiceDir /var/lib/tor/samizdat/
		5	HiddenServicePort 80
		6	HiddenServicePort 22
		7	HiddenServicePort 25
		8	HiddenServicePort 11371
		9
		10	HiddenServiceDir /var/lib/tor/tracker/
		11	HiddenServicePort 80 127.0.0.1:8070
		12	HiddenServicePort 2710 127.0.0.1:2710
		13
		14	AutomapHostsOnResolve 1
		15	VirtualAddrNetwork 10.192.0.0/10
		16	DNSPort 553
		17	TransPort 9040


diff --git a/redo.sh b/redo.sh index f618a79..703b830 100755 --- a/redo.sh +++ b/redo.sh
@@ -1,7 +1,9 @@
1	#!/bin/sh	1	#!/bin/sh
2		2	set -ex
		3	instdir=/home/d/sami/iso/debootstrap/jess
3	sudo make install	4	sudo make install
4	(cd ~/sami; sudo make install instdir=/home/d/sami/iso/debootstrap/jess)	5	(cd ~/sami && sudo make instdir=${instdir} install install-configuration)
		6	(cd ~/src/kiki && stack install && sudo cp ~/.local/bin/*kiki ${instdir}/usr/local/bin/)
5	sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/	7	sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/
6	sudo initrd.sh	8	sudo initrd.sh
7	sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/	9	sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/


diff --git a/src/publish-ip.sh b/src/publish-ip.sh index 7da41b9..7da41b9 100644..100755 --- a/src/publish-ip.sh +++ b/src/publish-ip.sh


diff --git a/src/samizdat-iptables.sh b/src/samizdat-iptables.sh new file mode 100755 index 0000000..db5d039 --- /dev/null +++ b/src/samizdat-iptables.sh
@@ -0,0 +1,14 @@
		1	#!/bin/sh
		2	iptables-restore -T nat <<END
		3	*nat
		4	:PREROUTING ACCEPT [1369:182220]
		5	:INPUT ACCEPT [2086:276956]
		6	:OUTPUT ACCEPT [134:22171]
		7	:POSTROUTING ACCEPT [144:22882]
		8	-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
		9	-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner unbound -m owner ! --uid-owner pdns -j REDIRECT --to-ports 535
		10	-A OUTPUT -d 10.192.0.0/10 -p tcp -j REDIRECT --to-ports 9040
		11	-A OUTPUT -d 10.64.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8118
		12	-A POSTROUTING -s 127.0.0.1/32 -m owner --uid-owner debian-tor -j SNAT --to-source 127.84.111.114
		13	COMMIT
		14	END