From 9770d8661315ca1112aa92580c6668ba0885b0c1 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Fri, 6 May 2016 20:34:29 +0200
Subject: added configuration files for various things
---
 Makefile | 13 +++++++++++++
 conf/dnsmasq.conf | 9 +++++++++
 conf/interfaces.d_eth0 | 28 ++++++++++++++++++++++++++++
 conf/network_if-up.d_samizdat | 5 +++++
 conf/postfix_main.cf | 43 +++++++++++++++++++++++++++++++++++++++++++
 conf/torrc | 17 +++++++++++++++++
 redo.sh | 6 ++++--
 src/publish-ip.sh | 0
 src/samizdat-iptables.sh | 14 ++++++++++++++
 9 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 conf/dnsmasq.conf
 create mode 100644 conf/interfaces.d_eth0
 create mode 100755 conf/network_if-up.d_samizdat
 create mode 100644 conf/postfix_main.cf
 create mode 100644 conf/torrc
 mode change 100644 => 100755 src/publish-ip.sh
 create mode 100755 src/samizdat-iptables.sh
diff --git a/Makefile b/Makefile
index 7e3fde1..2389535 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,19 @@ samizdat-paths.sh: src/samizdat-paths.in
 	@sed -e "s?PREFIX?$(prefix)?g" $< > $@
 include samizdat-paths.sh
 
+install-configuration:
+ifndef instdir
+	$(error "You must specify instdir, for safety.")
+else
+	install -DT conf/dnsmasq.conf ${instdir}/etc/dnsmasq.conf
+	install -DT conf/interfaces.d_eth0 ${instdir}/etc/network/interfaces.d/eth0
+	install -DT conf/network_if-up.d_samizdat ${instdir}/etc/network/if-up.d/samizdat
+	install -DT conf/postfix_main.cf ${instdir}/etc/postfix/main.cf
+	install -DT conf/torrc ${instdir}/etc/tor/torrc
+	ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/mailname
+	ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/hostname
+endif
+
 install: ${bin_programs} samizdat-paths.sh ${compiled_programs}
 	install ${bin_programs} ${instdir}${samizdat_bindir}
 	mkdir -p ${instdir}${samizdat_initrd_files_dir}
diff --git a/conf/dnsmasq.conf b/conf/dnsmasq.conf
new file mode 100644
index 0000000..2b523ec
--- /dev/null
+++ b/conf/dnsmasq.conf
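Review bot: `install -DT` with no `-m` uses install's default mode of 0755, so the four plain config files (dnsmasq.conf, interfaces.d/eth0, postfix main.cf, torrc) land in the target executable; only the if-up.d script needs that bit. Add `-m 0644` to those four lines, e.g. `install -DT -m 0644 conf/torrc ${instdir}/etc/tor/torrc`. I also don't see `install-configuration` in a `.PHONY` list within this hunk; if none exists elsewhere in the Makefile, a stray file of that name would make the target look up to date and skip the installs. `${instdir}` is used unquoted in the recipe's shell commands, so a value containing whitespace would split; `"${instdir}"` is cheap insurance.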
@@ -0,0 +1,9 @@
+interface=br0
+domain=localdomain
+dhcp-range=192.168.10.10,192.168.10.253,255.255.255.0,1h
+dhcp-boot=pxelinux.0,pxeserver,192.168.10.1
+pxe-service=x86PC, "Samizdat", pxelinux
+enable-tftp
+tftp-root=/usr/local/lib/samizdat-rhizome/isolinux
+tftp-unique-root
+dhcp-script=/usr/local/bin/dnsmasq-dhcp-script.sh
diff --git a/conf/interfaces.d_eth0 b/conf/interfaces.d_eth0
new file mode 100644
index 0000000..5ec8666
--- /dev/null
+++ b/conf/interfaces.d_eth0
@@ -0,0 +1,28 @@
+# iface eth0 inet static
+# address 192.168.10.1
+# netmask 255.255.255.0
+# # post-up ipsec restart
+
+auto br0 eth0
+
+iface br0 inet static
+ address 192.168.10.1
+ netmask 255.255.255.0
+## These are useful for VMs:
+# pre-up for n in 0 1 2 3 4; do tunctl -t tap$n; done; true
+# pre-down for n in 0 1 2 3 4; do tunctl -d tap$n; done; true
+# bridge_ports eth0 tap0 tap1 tap2 tap3 tap4
+# bridge_maxwait 10
+
+## Enable "internet connection sharing"
+ up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
+ up sysctl -w net.ipv4.ip_forward=1
+
+## Disable ipv6 auto-address.
+## This is needed sometimes, if ipv6 breaks ipv4.
+# pre-up echo 0 > /proc/sys/net/ipv6/conf/br0/accept_ra_pinfo
+
+# NB. 'ipsec reload' does not work very well
+ post-up ipsec restart
+
+iface eth0 inet manual
diff --git a/conf/network_if-up.d_samizdat b/conf/network_if-up.d_samizdat
new file mode 100755
index 0000000..4c02c93
--- /dev/null
+++ b/conf/network_if-up.d_samizdat
@@ -0,0 +1,5 @@
+#!/bin/sh
+RULE='OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040'
+iptables -t nat -D $RULE 2>/dev/null
+[ "$VERBOSITY" -gt 0 ] && set -x
+iptables -t nat -A $RULE
diff --git a/conf/postfix_main.cf b/conf/postfix_main.cf
new file mode 100644
index 0000000..7e11ff1
--- /dev/null
+++ b/conf/postfix_main.cf
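Review bot: `interface=br0` on its own makes dnsmasq bind the wildcard address and merely discard requests that arrive on other interfaces, so its DNS and TFTP sockets remain bound on every address, including the wlan0 uplink that conf/interfaces.d_eth0 masquerades through. Adding `bind-interfaces` next to it restricts the listening sockets to br0's address. The `dhcp-script` runs as root on every lease event, and nothing in this commit installs `/usr/local/bin/dnsmasq-dhcp-script.sh` (presumably it comes from `bin_programs`); a comment naming where it is installed from would help the next reader.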
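Review bot: `up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE` appends a fresh copy of the rule every time br0 comes up and nothing removes it on `down`, so repeated ifup/ifdown cycles accumulate duplicate MASQUERADE rules; conf/network_if-up.d_samizdat in the same commit already uses delete-then-add for its rule. Guard the add and pair it with a delete: `up iptables -t nat -C POSTROUTING -o wlan0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE` and `down iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE`. `ip_forward=1` is enabled with no FORWARD-chain filtering visible here; if forwarding everything from the br0 segment is the intent, a one-line comment saying so would document it.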
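Review bot: `[ "$VERBOSITY" -gt 0 ] && set -x` makes `[` print an "integer expression expected" error when VERBOSITY is unset, e.g. when the script is run by hand rather than by ifupdown, which exports it; `[ "${VERBOSITY:-0}" -gt 0 ] && set -x` avoids that. The delete-then-append keeps the REDIRECT rule single in the normal case, but `-D` removes only one instance, so a duplicate left over from an earlier run would persist; `while iptables -t nat -D $RULE 2>/dev/null; do :; done` makes it fully idempotent. A comment that 10.192.0.0/10 and port 9040 must match `VirtualAddrNetwork` and `TransPort` in conf/torrc would record the coupling between the two files.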
@@ -0,0 +1,43 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = yes
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# It's 2013; we expect mail to be delivered quickly. Generate "delayed mail" warnings after 7 minutes.
+delay_warning_time = 7m
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+relayhost =
+mynetworks = 127.0.0.0/8 !127.84.111.114/32
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# Samizdat: this is necessary for .onion URLs to resolve (until we implement DNSSEC).
+smtp_host_lookup = native
+# postfix versions before 2.11:
+disable_dns_lookups = yes
+# postfix versions 2.11 and later:
+#smtp_dns_support_level = disabled
diff --git a/conf/torrc b/conf/torrc
new file mode 100644
index 0000000..6e387ec
--- /dev/null
+++ b/conf/torrc
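Review bot: `mynetworks = 127.0.0.0/8 !127.84.111.114/32` carves one loopback address out of the trusted set (the set Postfix by default allows to relay) without saying why, and nothing else in this commit shows what connects from that address. Add a comment above it, e.g. `# 127.84.111.114 is excluded from mynetworks because <reason: which service sources connections from it>`. Separately, `inet_interfaces = all` listens on br0 and the uplink as well as loopback; if mail is meant to arrive only through the onion service (`HiddenServicePort 25` in conf/torrc forwards to 127.0.0.1), `inet_interfaces = loopback-only` would narrow the exposure, and if the wider listener is intentional a comment saying so would help.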
@@ -0,0 +1,17 @@
+SocksPort 9050 # what port to open for local application connections
+SocksListenAddress 127.0.0.1 # accept connections only from localhost
+
+HiddenServiceDir /var/lib/tor/samizdat/
+HiddenServicePort 80
+HiddenServicePort 22
+HiddenServicePort 25
+HiddenServicePort 11371
+
+HiddenServiceDir /var/lib/tor/tracker/
+HiddenServicePort 80 127.0.0.1:8070
+HiddenServicePort 2710 127.0.0.1:2710
+
+AutomapHostsOnResolve 1
+VirtualAddrNetwork 10.192.0.0/10
+DNSPort 553
+TransPort 9040
diff --git a/redo.sh b/redo.sh
index f618a79..703b830 100755
--- a/redo.sh
+++ b/redo.sh
@@ -1,7 +1,9 @@
 #!/bin/sh
-
+set -ex
+instdir=/home/d/sami/iso/debootstrap/jess
 sudo make install
-(cd ~/sami; sudo make install instdir=/home/d/sami/iso/debootstrap/jess)
+(cd ~/sami && sudo make instdir=${instdir} install install-configuration)
+(cd ~/src/kiki && stack install && sudo cp ~/.local/bin/*kiki ${instdir}/usr/local/bin/)
 sudo touch /usr/local/lib/samizdat-rhizome/initramfs-tools/
 sudo initrd.sh
 sudo cp -a /usr/local/lib/samizdat-rhizome/isolinux/linux/* ~/sami/iso/debootstrap/jess/usr/local/lib/samizdat-rhizome/isolinux/linux/
diff --git a/src/publish-ip.sh b/src/publish-ip.sh
old mode 100644
new mode 100755
diff --git a/src/samizdat-iptables.sh b/src/samizdat-iptables.sh
new file mode 100755
index 0000000..db5d039
--- /dev/null
+++ b/src/samizdat-iptables.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+iptables-restore -T nat <
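Review bot: `SocksListenAddress` is a deprecated directive; the address belongs on the port line, so `SocksPort 127.0.0.1:9050` replaces both lines (and the default without an address is already 127.0.0.1, as it is for `DNSPort 553` and `TransPort 9040`). The non-standard `DNSPort 553` and `VirtualAddrNetwork 10.192.0.0/10` are relied on by conf/network_if-up.d_samizdat (REDIRECT to 9040 for that network) and by whatever resolver forwards to 553, which this commit does not show; a comment naming those consumers would keep the files from drifting apart. `HiddenServicePort 22` publishes SSH on the samizdat onion next to 80, 25 and 11371; if that is intended, a short comment saying so would spare a later reader from wondering whether it was left in by accident.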
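Review bot: The new `instdir=/home/d/sami/iso/debootstrap/jess` variable is not used on the last line of the hunk, which still spells out `~/sami/iso/debootstrap/jess/usr/local/...`; use `${instdir}/usr/local/lib/samizdat-rhizome/isolinux/linux/` there too so the two paths cannot drift apart. The value is also hard-coded and user-specific; `instdir=${instdir:-/home/d/sami/iso/debootstrap/jess}` keeps the default while letting the environment override it. The expansions handed to `make` and `cp` are unquoted; `"${instdir}"` costs nothing and avoids word-splitting surprises now that `set -e` aborts the script on the first failure.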