aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rwxr-xr-xconfig/hooks/remove-packages.sh.chroot5
-rwxr-xr-xconfig/hooks/tor-usergroup.sh.chroot15
-rw-r--r--config/includes.chroot/etc/default/dnsmasq2
-rw-r--r--config/includes.chroot/etc/default/openntpd6
-rwxr-xr-xconfig/includes.chroot/etc/default/ttdnsd17
-rw-r--r--config/includes.chroot/etc/dnsmasq.conf555
-rw-r--r--config/includes.chroot/etc/dnsmasq_lan.conf6
-rw-r--r--config/includes.chroot/etc/dnsmasq_wifi.conf7
-rwxr-xr-xconfig/includes.chroot/etc/init.d/dnsmasq_lan290
-rwxr-xr-xconfig/includes.chroot/etc/init.d/dnsmasq_wifi290
-rwxr-xr-xconfig/includes.chroot/etc/init.d/proxy61
-rw-r--r--config/includes.chroot/etc/modprobe.d/blacklist.conf26
-rw-r--r--config/includes.chroot/etc/network/interfaces44
-rw-r--r--config/includes.chroot/etc/ssh/sshd_config87
-rw-r--r--config/includes.chroot/etc/sysctl.conf5
-rw-r--r--config/includes.chroot/etc/tor/torrc183
-rwxr-xr-xconfig/includes.chroot/sbin/tor-wireless-firewall.sh20
17 files changed, 1619 insertions, 0 deletions
diff --git a/config/hooks/remove-packages.sh.chroot b/config/hooks/remove-packages.sh.chroot
new file mode 100755
index 0000000..10fa78b
--- /dev/null
+++ b/config/hooks/remove-packages.sh.chroot
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+apt-get -f -y remove --purge polipo minissdpd
+apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus isc-dhcp-server
+
diff --git a/config/hooks/tor-usergroup.sh.chroot b/config/hooks/tor-usergroup.sh.chroot
new file mode 100755
index 0000000..e46ad16
--- /dev/null
+++ b/config/hooks/tor-usergroup.sh.chroot
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+export ADMINUSER="tor"
+export ADMINGROUP="tor"
+export TORADMINGROUP="debian-tor"
+
+# add users and groups (ignore failures if groups already exist)
+addgroup $ADMINGROUP
+useradd -g $ADMINGROUP -G $TORADMINGROUP -s /bin/bash $ADMINUSER
+# TODO: $ADMINUSER passwd?
+
+# give Tor permission to modify it's own configuration
+chgrp $TORADMINGROUP /etc/tor/ /etc/tor/*
+chmod g+rw /etc/tor/ /etc/tor/*
+
diff --git a/config/includes.chroot/etc/default/dnsmasq b/config/includes.chroot/etc/default/dnsmasq
new file mode 100644
index 0000000..ddaa02b
--- /dev/null
+++ b/config/includes.chroot/etc/default/dnsmasq
@@ -0,0 +1,2 @@
+
+ENABLED=0
diff --git a/config/includes.chroot/etc/default/openntpd b/config/includes.chroot/etc/default/openntpd
new file mode 100644
index 0000000..318e7bd
--- /dev/null
+++ b/config/includes.chroot/etc/default/openntpd
@@ -0,0 +1,6 @@
+# /etc/default/openntpd
+
+# Append '-s' to set the system time when starting in case the offset
+# between the local clock and the servers is more than 180 seconds.
+# For other options, see man ntpd(8).
+DAEMON_OPTS="-f /etc/openntpd/ntpd.conf -s"
diff --git a/config/includes.chroot/etc/default/ttdnsd b/config/includes.chroot/etc/default/ttdnsd
new file mode 100755
index 0000000..0a22bc4
--- /dev/null
+++ b/config/includes.chroot/etc/default/ttdnsd
@@ -0,0 +1,17 @@
+# /etc/default/ttdnsd
+
+# Address to bind to - usually this should be 127.0.0.1
+# unless a copy of ttdnsd runs on 127.0.0.n
+ADDR_ARG="-b 172.16.23.1"
+
+# Port to listen on - almost always this should be port 53
+# unless an additional local DNS cache (like unbound, dnscache, pdnsd)
+# listen on port 53 as system resolver and is used in front of ttdnsd
+# for caching purposes.
+PORT_ARG="-p 5354"
+
+# Debug logging
+# DEBUG_LOGGING="-l"
+
+# Glue all of it together below
+DEFAULTS="$ADDR_ARG $PORT_ARG"
diff --git a/config/includes.chroot/etc/dnsmasq.conf b/config/includes.chroot/etc/dnsmasq.conf
new file mode 100644
index 0000000..806996e
--- /dev/null
+++ b/config/includes.chroot/etc/dnsmasq.conf
@@ -0,0 +1,555 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# uneccessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link uneccessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By default, dnsmasq will send queries to any of the upstream
+# servers it knows about and tries to favour servers to are known
+# to be up. Uncommenting this forces dnsmasq to try each query
+# with each server strictly in the order they appear in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in doubleclick.net to a local
+# webserver.
+#address=/doubleclick.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=eth1
+#interface=uap0
+# Or you can specify which interface _not_ to listen on
+#except-interface=eth0
+#except-interface=lo
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+# as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+# domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# see also /etc/dnsmasq.d/lan and /etc/dnsmasq.d/wifi
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explict netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissble to give name,adddress and MAC in any order
+
+# Always allocate the host with ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Ignore any clients which are specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unkown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0 # option ip-forwarding off
+#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
+#dhcp-option=46,8 # netbios node type
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b # priority code
+#dhcp-option=encap:175, 176, 1b # no-proxydhcp
+#dhcp-option=encap:175, 177, string # bus-id
+#dhcp-option=encap:175, 189, 1b # BIOS drive code
+#dhcp-option=encap:175, 190, user # iSCSI username
+#dhcp-option=encap:175, 191, pass # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files availble via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=net:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slighest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come form /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records. These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include a another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
diff --git a/config/includes.chroot/etc/dnsmasq_lan.conf b/config/includes.chroot/etc/dnsmasq_lan.conf
new file mode 100644
index 0000000..1143401
--- /dev/null
+++ b/config/includes.chroot/etc/dnsmasq_lan.conf
@@ -0,0 +1,6 @@
+
+no-poll
+bind-interfaces
+interface=eth1
+except-interface=lo
+dhcp-range=10.23.42.10,10.23.42.254,255.255.255.0,12h
diff --git a/config/includes.chroot/etc/dnsmasq_wifi.conf b/config/includes.chroot/etc/dnsmasq_wifi.conf
new file mode 100644
index 0000000..56c268e
--- /dev/null
+++ b/config/includes.chroot/etc/dnsmasq_wifi.conf
@@ -0,0 +1,7 @@
+
+no-poll
+bind-interfaces
+except-interface=lo
+interface=uap0
+server=172.16.23.1#5353
+dhcp-range=172.16.23.10,172.16.23.254,255.255.255.0,12h
diff --git a/config/includes.chroot/etc/init.d/dnsmasq_lan b/config/includes.chroot/etc/init.d/dnsmasq_lan
new file mode 100755
index 0000000..22f2557
--- /dev/null
+++ b/config/includes.chroot/etc/init.d/dnsmasq_lan
@@ -0,0 +1,290 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: dnsmasq_lan
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Description: DHCP and DNS server
+### END INIT INFO
+
+set +e # Don't exit on error status
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/dnsmasq
+NAME=dnsmasq_lan
+DESC="DNS forwarder and DHCP server"
+
+# Most configuration options in /etc/default/dnsmasq are deprecated
+# but still honoured.
+ENABLED=1
+if [ -r /etc/default/$NAME ]; then
+ . /etc/default/$NAME
+fi
+
+# Get the system locale, so that messages are in the correct language, and the
+# charset for IDN is correct
+if [ -r /etc/default/locale ]; then
+ . /etc/default/locale
+ export LANG
+fi
+
+test -x $DAEMON || exit 0
+
+# Provide skeleton LSB log functions for backports which don't have LSB functions.
+if [ -f /lib/lsb/init-functions ]; then
+ . /lib/lsb/init-functions
+else
+ log_warning_msg () {
+ echo "${@}."
+ }
+
+ log_success_msg () {
+ echo "${@}."
+ }
+
+ log_daemon_msg () {
+ echo -n "${1}: $2"
+ }
+
+ log_end_msg () {
+ if [ $1 -eq 0 ]; then
+ echo "."
+ elif [ $1 -eq 255 ]; then
+ /bin/echo -e " (warning)."
+ else
+ /bin/echo -e " failed!"
+ fi
+ }
+fi
+
+# RESOLV_CONF:
+# If the resolvconf package is installed then use the resolv conf file
+# that it provides as the default. Otherwise use /etc/resolv.conf as
+# the default.
+#
+# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
+# filename is set there then this inhibits the use of the resolvconf-provided
+# information.
+#
+# Note that if the resolvconf package is installed it is not possible to
+# override it just by configuration in /etc/dnsmasq.conf, it is necessary
+# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
+
+if [ ! "$RESOLV_CONF" ] &&
+ [ "$IGNORE_RESOLVCONF" != "yes" ] &&
+ [ -x /sbin/resolvconf ]
+then
+ RESOLV_CONF=/var/run/dnsmasq/resolv.conf
+fi
+
+for INTERFACE in $DNSMASQ_INTERFACE; do
+ DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
+done
+
+for INTERFACE in $DNSMASQ_EXCEPT; do
+ DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
+done
+
+if [ ! "$DNSMASQ_USER" ]; then
+ DNSMASQ_USER="dnsmasq"
+fi
+
+start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ # /var/run may be volatile, so we need to ensure that
+ # /var/run/dnsmasq exists here as well as in postinst
+ if [ ! -d /var/run/dnsmasq ]; then
+ mkdir /var/run/dnsmasq || return 2
+ chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+ fi
+
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test -- -C /etc/dnsmasq_lan.conf > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- -C /etc/dnsmasq_lan.conf \
+ -x /var/run/dnsmasq/$NAME.pid \
+ ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+ ${MAILTARGET:+ -t $MAILTARGET} \
+ ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+ ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+ ${DHCP_LEASE:+ -l $DHCP_LEASE} \
+ ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+ ${RESOLV_CONF:+ -r $RESOLV_CONF} \
+ ${CACHESIZE:+ -c $CACHESIZE} \
+ ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+ ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
+ || return 2
+}
+
+start_resolvconf()
+{
+# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
+# Then dnsmasq won't be providing local DNS, so don't add it to
+# the resolvconf server set.
+ for interface in $DNSMASQ_EXCEPT
+ do
+ [ $interface = lo ] && return
+ done
+
+ if [ -x /sbin/resolvconf ] ; then
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
+ fi
+ return 0
+}
+
+stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ return "$RETVAL"
+}
+
+stop_resolvconf()
+{
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d lo.$NAME
+ fi
+ return 0
+}
+
+status()
+{
+ # Return
+ # 0 if daemon is running
+ # 1 if daemon is dead and pid file exists
+ # 3 if daemon is not running
+ # 4 if daemon status is unknown
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
+ case "$?" in
+ 0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
+ 1) return 0 ;;
+ *) return 4 ;;
+ esac
+}
+
+case "$1" in
+ start)
+ test "$ENABLED" != "0" || exit 0
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start
+ case "$?" in
+ 0)
+ log_end_msg 0
+ start_resolvconf
+ exit 0
+ ;;
+ 1)
+ log_success_msg "(already running)"
+ exit 0
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ stop)
+ stop_resolvconf
+ if [ "$ENABLED" != "0" ]; then
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ fi
+ stop
+ RETVAL="$?"
+ if [ "$ENABLED" = "0" ]; then
+ case "$RETVAL" in
+ 0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
+ esac
+ exit 0
+ fi
+ case "$RETVAL" in
+ 0) log_end_msg 0 ; exit 0 ;;
+ 1) log_warning_msg "(not running)" ; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ restart|force-reload)
+ test "$ENABLED" != "0" || exit 1
+ $DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ NAME="configuration syntax check"
+ RETVAL="2"
+ else
+ stop_resolvconf
+ stop
+ RETVAL="$?"
+ fi
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ case "$RETVAL" in
+ 0|1)
+ sleep 2
+ start
+ case "$?" in
+ 0)
+ log_end_msg 0
+ start_resolvconf
+ exit 0
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ status)
+ log_daemon_msg "Checking $DESC" "$NAME"
+ status
+ case "$?" in
+ 0) log_success_msg "(running)" ; exit 0 ;;
+ 1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+ 3) log_success_msg "(not running)" ; exit 3 ;;
+ *) log_success_msg "(unknown)" ; exit 4 ;;
+ esac
+ ;;
+ dump-stats)
+ kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid`
+ ;;
+ systemd-start-resolvconf)
+ start_resolvconf
+ ;;
+ systemd-stop-resolvconf)
+ stop_resolvconf
+ ;;
+ systemd-exec)
+# --pid-file without argument disables writing a PIDfile, we don't need one with sytemd.
+# Enable DBus by default because we use DBus activation with systemd.
+ exec $DAEMON --keep-in-foreground --pid-file --enable-dbus \
+ ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+ ${MAILTARGET:+ -t $MAILTARGET} \
+ ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+ ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+ ${DHCP_LEASE:+ -l $DHCP_LEASE} \
+ ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+ ${RESOLV_CONF:+ -r $RESOLV_CONF} \
+ ${CACHESIZE:+ -c $CACHESIZE} \
+ ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+ ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS}
+ ;;
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
+
diff --git a/config/includes.chroot/etc/init.d/dnsmasq_wifi b/config/includes.chroot/etc/init.d/dnsmasq_wifi
new file mode 100755
index 0000000..dfd103c
--- /dev/null
+++ b/config/includes.chroot/etc/init.d/dnsmasq_wifi
@@ -0,0 +1,290 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: dnsmasq_wifi
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Description: DHCP and DNS server
+### END INIT INFO
+
+set +e # Don't exit on error status
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/dnsmasq
+NAME=dnsmasq_wifi
+DESC="DNS forwarder and DHCP server"
+
+# Most configuration options in /etc/default/dnsmasq are deprecated
+# but still honoured.
+ENABLED=1
+if [ -r /etc/default/$NAME ]; then
+ . /etc/default/$NAME
+fi
+
+# Get the system locale, so that messages are in the correct language, and the
+# charset for IDN is correct
+if [ -r /etc/default/locale ]; then
+ . /etc/default/locale
+ export LANG
+fi
+
+test -x $DAEMON || exit 0
+
+# Provide skeleton LSB log functions for backports which don't have LSB functions.
+if [ -f /lib/lsb/init-functions ]; then
+ . /lib/lsb/init-functions
+else
+ log_warning_msg () {
+ echo "${@}."
+ }
+
+ log_success_msg () {
+ echo "${@}."
+ }
+
+ log_daemon_msg () {
+ echo -n "${1}: $2"
+ }
+
+ log_end_msg () {
+ if [ $1 -eq 0 ]; then
+ echo "."
+ elif [ $1 -eq 255 ]; then
+ /bin/echo -e " (warning)."
+ else
+ /bin/echo -e " failed!"
+ fi
+ }
+fi
+
+# RESOLV_CONF:
+# If the resolvconf package is installed then use the resolv conf file
+# that it provides as the default. Otherwise use /etc/resolv.conf as
+# the default.
+#
+# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
+# filename is set there then this inhibits the use of the resolvconf-provided
+# information.
+#
+# Note that if the resolvconf package is installed it is not possible to
+# override it just by configuration in /etc/dnsmasq.conf, it is necessary
+# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
+
+if [ ! "$RESOLV_CONF" ] &&
+ [ "$IGNORE_RESOLVCONF" != "yes" ] &&
+ [ -x /sbin/resolvconf ]
+then
+ RESOLV_CONF=/var/run/dnsmasq/resolv.conf
+fi
+
+for INTERFACE in $DNSMASQ_INTERFACE; do
+ DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
+done
+
+for INTERFACE in $DNSMASQ_EXCEPT; do
+ DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
+done
+
+if [ ! "$DNSMASQ_USER" ]; then
+ DNSMASQ_USER="dnsmasq"
+fi
+
+start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ # /var/run may be volatile, so we need to ensure that
+ # /var/run/dnsmasq exists here as well as in postinst
+ if [ ! -d /var/run/dnsmasq ]; then
+ mkdir /var/run/dnsmasq || return 2
+ chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+ fi
+
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test -- -C /etc/dnsmasq_wifi.conf > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- -C /etc/dnsmasq_wifi.conf \
+ -x /var/run/dnsmasq/$NAME.pid \
+ ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+ ${MAILTARGET:+ -t $MAILTARGET} \
+ ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+ ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+ ${DHCP_LEASE:+ -l $DHCP_LEASE} \
+ ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+ ${RESOLV_CONF:+ -r $RESOLV_CONF} \
+ ${CACHESIZE:+ -c $CACHESIZE} \
+ ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+ ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
+ || return 2
+}
+
+start_resolvconf()
+{
+# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
+# Then dnsmasq won't be providing local DNS, so don't add it to
+# the resolvconf server set.
+ for interface in $DNSMASQ_EXCEPT
+ do
+ [ $interface = lo ] && return
+ done
+
+ if [ -x /sbin/resolvconf ] ; then
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
+ fi
+ return 0
+}
+
+stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ return "$RETVAL"
+}
+
+stop_resolvconf()
+{
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d lo.$NAME
+ fi
+ return 0
+}
+
+status()
+{
+ # Return
+ # 0 if daemon is running
+ # 1 if daemon is dead and pid file exists
+ # 3 if daemon is not running
+ # 4 if daemon status is unknown
+ start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
+ case "$?" in
+ 0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
+ 1) return 0 ;;
+ *) return 4 ;;
+ esac
+}
+
+case "$1" in
+ start)
+ test "$ENABLED" != "0" || exit 0
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start
+ case "$?" in
+ 0)
+ log_end_msg 0
+ start_resolvconf
+ exit 0
+ ;;
+ 1)
+ log_success_msg "(already running)"
+ exit 0
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ stop)
+ stop_resolvconf
+ if [ "$ENABLED" != "0" ]; then
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ fi
+ stop
+ RETVAL="$?"
+ if [ "$ENABLED" = "0" ]; then
+ case "$RETVAL" in
+ 0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
+ esac
+ exit 0
+ fi
+ case "$RETVAL" in
+ 0) log_end_msg 0 ; exit 0 ;;
+ 1) log_warning_msg "(not running)" ; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ restart|force-reload)
+ test "$ENABLED" != "0" || exit 1
+ $DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ NAME="configuration syntax check"
+ RETVAL="2"
+ else
+ stop_resolvconf
+ stop
+ RETVAL="$?"
+ fi
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ case "$RETVAL" in
+ 0|1)
+ sleep 2
+ start
+ case "$?" in
+ 0)
+ log_end_msg 0
+ start_resolvconf
+ exit 0
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ *)
+ log_end_msg 1
+ exit 1
+ ;;
+ esac
+ ;;
+ status)
+ log_daemon_msg "Checking $DESC" "$NAME"
+ status
+ case "$?" in
+ 0) log_success_msg "(running)" ; exit 0 ;;
+ 1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+ 3) log_success_msg "(not running)" ; exit 3 ;;
+ *) log_success_msg "(unknown)" ; exit 4 ;;
+ esac
+ ;;
+ dump-stats)
+ kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid`
+ ;;
+ systemd-start-resolvconf)
+ start_resolvconf
+ ;;
+ systemd-stop-resolvconf)
+ stop_resolvconf
+ ;;
+ systemd-exec)
+# --pid-file without argument disables writing a PIDfile, we don't need one with sytemd.
+# Enable DBus by default because we use DBus activation with systemd.
+ exec $DAEMON --keep-in-foreground --pid-file --enable-dbus \
+ ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+ ${MAILTARGET:+ -t $MAILTARGET} \
+ ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+ ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+ ${DHCP_LEASE:+ -l $DHCP_LEASE} \
+ ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+ ${RESOLV_CONF:+ -r $RESOLV_CONF} \
+ ${CACHESIZE:+ -c $CACHESIZE} \
+ ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+ ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS}
+ ;;
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
+
diff --git a/config/includes.chroot/etc/init.d/proxy b/config/includes.chroot/etc/init.d/proxy
new file mode 100755
index 0000000..901507b
--- /dev/null
+++ b/config/includes.chroot/etc/init.d/proxy
@@ -0,0 +1,61 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: proxy
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Proxy for clients.
+### END INIT INFO
+
+set -e
+
+INTIF1="eth0"
+INTIF2="uap0"
+EXTIF="eth1"
+EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
+
+loadModules() {
+ depmod -a
+ modprobe ip_tables
+ modprobe ip_conntrack
+ modprobe ip_conntrack_ftp
+ modprobe ip_conntrack_irc
+ modprobe iptable_nat
+ modprobe ip_nat_ftp
+}
+
+setProc() {
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+}
+
+configIpTables() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P OUTPUT ACCEPT
+ iptables -F OUTPUT
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ iptables -t nat -F
+
+ iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
+ iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
+
+ iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+}
+
+case "$1" in
+ start)
+ loadModules
+ setProc
+ configIpTables
+ ;;
+ *)
+ log_success_msg "Usage: /etc/init.d/proxy {start}"
+ exit 1
+ ;;
+esac
diff --git a/config/includes.chroot/etc/modprobe.d/blacklist.conf b/config/includes.chroot/etc/modprobe.d/blacklist.conf
new file mode 100644
index 0000000..dfb7967
--- /dev/null
+++ b/config/includes.chroot/etc/modprobe.d/blacklist.conf
@@ -0,0 +1,26 @@
+# This file lists modules which will not be loaded as the result of
+# alias expansion, with the purpose of preventing the hotplug subsystem
+# to load them. It does not affect autoloading of modules by the kernel.
+# This file is provided by the udev package.
+
+# evbug is a debug tool and should be loaded explicitly
+blacklist evbug
+
+# these drivers are very simple, the HID drivers are usually preferred
+blacklist usbmouse
+blacklist usbkbd
+
+# replaced by e100
+blacklist eepro100
+
+# replaced by tulip
+blacklist de4x5
+
+# replaced by tmscsim
+blacklist am53c974
+
+# these watchdog drivers break some systems
+blacklist iTCO_wdt
+
+# We do not need or want ipv6 right now
+blacklist ipv6
diff --git a/config/includes.chroot/etc/network/interfaces b/config/includes.chroot/etc/network/interfaces
new file mode 100644
index 0000000..34b2f35
--- /dev/null
+++ b/config/includes.chroot/etc/network/interfaces
@@ -0,0 +1,44 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+auto eth0
+iface eth0 inet dhcp
+ post-down ifdown uap0
+
+auto eth1
+iface eth1 inet static
+ address 10.23.42.1
+ netmask 255.255.255.0
+ network 10.23.42.0
+ broadcast 10.23.42.255
+ pre-up ip addr del 10.23.42.1/24 dev eth1 || true
+ post-up echo 1 > /proc/sys/net/ipv4/ip_forward
+ post-up /etc/init.d/dnsmasq_lan start
+ # this must happen after have brought up uap0 because it clears the nat tables
+ post-up iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -o eth0 -j MASQUERADE
+ pre-down /etc/init.d/dnsmasq_lan stop
+
+# The magic Tor wireless network
+auto uap0
+iface uap0 inet static
+ address 172.16.23.1
+ netmask 255.255.255.0
+ network 172.16.23.0
+ broadcast 172.16.23.255
+ pre-up ifconfig uap0 hw ether 00:66:66:66:66:66
+ pre-up ip addr del 172.16.23.1/24 dev uap0 || true
+ post-up /etc/init.d/tor start
+ post-up /etc/init.d/tor reload
+ post-up /etc/init.d/dnsmasq_wifi start
+ post-up /etc/init.d/ttdnsd restart
+ post-up /usr/bin/uaputl sys_cfg_ssid "torproject" || true
+ post-up /usr/bin/uaputl bss_start || true
+ post-up /usr/sbin/tor-wireless-firewall.sh || true
+ post-up /sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
+ pre-down /usr/bin/uaputl bss_stop || true
+ pre-down /etc/init.d/dnsmasq_wifi stop
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
new file mode 100644
index 0000000..d079ac0
--- /dev/null
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -0,0 +1,87 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+AddressFamily inet
diff --git a/config/includes.chroot/etc/sysctl.conf b/config/includes.chroot/etc/sysctl.conf
new file mode 100644
index 0000000..916e972
--- /dev/null
+++ b/config/includes.chroot/etc/sysctl.conf
@@ -0,0 +1,5 @@
+# Reduce writes to flash drives
+vm.laptop_mode=5
+vm.swappiness=0
+vm.dirty_writeback_centisecs=1500
+vm.dirty_expire_centisecs=1500
diff --git a/config/includes.chroot/etc/tor/torrc b/config/includes.chroot/etc/tor/torrc
new file mode 100644
index 0000000..063dde8
--- /dev/null
+++ b/config/includes.chroot/etc/tor/torrc
@@ -0,0 +1,183 @@
+## Configuration file for a typical Tor user
+## Last updated 12 April 2009 for Tor 0.2.1.14-rc.
+## (May or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See 'man tor', or https://www.torproject.org/tor-manual.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc
+
+
+## Replace this with "SocksPort 0" if you plan to run Tor only as a
+## relay, and not make any local application connections yourself.
+SocksPort 9050 # what port to open for local application connections
+SocksListenAddress 127.0.0.1 # accept connections only from localhost
+#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests from SocksListenAddress.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+#CookieAuthentication 1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+# Uncomment this to allow ssh access to the Torouter over your own Hidden Service
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 22 127.0.0.1:22
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+### Required: what port to advertise for incoming Tor connections.
+ORPort auto
+## If you want to listen on a port other than the one advertised
+## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
+## line below too. You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORListenAddress 0.0.0.0:9090
+#ORListenAddress 0.0.0.0:9090
+Nickname Torouter
+
+## The IP address or full DNS name for your relay. Leave commented out
+## and Tor will guess.
+#Address noname.example.com
+
+## Define these to limit how much relayed traffic you will allow. Your
+## own traffic is still unthrottled. Note that RelayBandwidthRate must
+## be at least 20 KBytes.
+RelayBandwidthRate 50KB
+RelayBandwidthBurst 75KB
+
+## Contact info to be published in the directory, so we can contact you
+## if your relay is misconfigured or something else goes wrong. Google
+## indexes this, so spammers might also collect it.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you want to listen on a port other than the one advertised
+## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
+## below too. You'll need to do ipchains or other port forwarding yourself
+## to make this work.
+#DirListenAddress 0.0.0.0:9091
+## Uncomment to return an arbitrary blob of html on your DirPort. Now you
+## can explain what Tor is if anybody wonders why your IP address is
+## contacting them. See contrib/tor-exit-notice.html for a sample.
+#DirPortFrontPage /etc/tor/exit-notice.html
+
+## Uncomment this if you run more than one Tor relay, and add the identity
+## key fingerprint of each Tor relay you control, even if they're on
+## different networks. You declare it here so Tor clients can avoid
+## using more than one of your relays in a single circuit. See
+## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
+#MyFamily $keyid,$keyid,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## described in the man page or at
+## https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+#
+## Bridge relays (or "bridges") are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even if an
+## ISP is filtering connections to all the known Tor relays, they probably
+## won't be able to block all the bridges. Also, websites won't treat you
+## differently because they won't know you're running Tor. If you can
+# be a real relay, please do; but if not, be a bridge!
+BridgeRelay 1
+ExitPolicy reject *:*
+
+AvoidDiskWrites 1
+
+# middle box stuff
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsOnResolve 1
+TransPort 9040
+TransListenAddress 172.16.23.1
+DNSPort 5353
+DNSListenAddress 172.16.23.1
+# If you disable unbound, you may enable this
+#DNSListenAddress 127.0.0.1:53
+
+User debian-tor
+
+# By default we do not have PortForwarding support
+# PortForwarding 1
+# PortForwardingHelper /usr/local/bin/tor-fw-helper
+
+PIDFile /var/run/tor/tor.pid
+
+ControlPort 9051
+ControlListenAddress 127.0.0.1:9051
+CookieAuthentication 1
+
+# On torouter, tor daemon should always be running, but defaults to disabled
+# until user enables it specifically through the web interface
+DisableNetwork 1
diff --git a/config/includes.chroot/sbin/tor-wireless-firewall.sh b/config/includes.chroot/sbin/tor-wireless-firewall.sh
new file mode 100755
index 0000000..4310e7b
--- /dev/null
+++ b/config/includes.chroot/sbin/tor-wireless-firewall.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# destinations you don't want routed through Tor
+NON_TOR="10.0.2.0/24 10.23.42.0/24 172.16.23.0/24"
+
+# Tor's TransPort
+TRANS_PORT="9040"
+
+# your internal interface
+INT_IF="uap0"
+
+iptables -F
+iptables -t nat -F
+
+for NET in $NON_TOR; do
+ iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
+done
+iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 5353
+#iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 67 -j REDIRECT --to-ports 67
+iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT