From b1aec80110e822d835f6c97a2320b7dfc5fba039 Mon Sep 17 00:00:00 2001 From: ficus Date: Sun, 23 Sep 2012 04:22:14 +0200 Subject: possibly functional image builder --- packages/Makefile | 2 +- packages/torouter-prep/Makefile | 3 +- .../configs/apt-preferences.d-backports | 3 - packages/torouter-prep/configs/apt.conf | 1 - packages/torouter-prep/configs/dnsmasq.conf | 557 --------------------- .../torouter-prep/configs/etc/apt/sources.list | 2 + .../torouter-prep/configs/etc/default/openntpd | 6 + packages/torouter-prep/configs/etc/default/ttdnsd | 17 + packages/torouter-prep/configs/etc/dhcp/dhcpd.conf | 32 ++ packages/torouter-prep/configs/etc/dnsmasq.conf | 557 +++++++++++++++++++++ packages/torouter-prep/configs/etc/fstab | 6 + packages/torouter-prep/configs/etc/hostname | 1 + packages/torouter-prep/configs/etc/hosts | 7 + .../torouter-prep/configs/etc/init.d/first-run | 71 +++ packages/torouter-prep/configs/etc/init.d/proxy | 61 +++ packages/torouter-prep/configs/etc/inittab | 70 +++ .../configs/etc/modprobe.d/blacklist.conf | 26 + packages/torouter-prep/configs/etc/mtab | 0 .../torouter-prep/configs/etc/network/interfaces | 39 ++ packages/torouter-prep/configs/etc/ntp.conf | 55 ++ .../torouter-prep/configs/etc/openvpn/client.conf | 0 .../torouter-prep/configs/etc/openvpn/static.key | 0 .../torouter-prep/configs/etc/rc1.d/S01first-run | 1 + .../torouter-prep/configs/etc/rc2.d/S01first-run | 1 + packages/torouter-prep/configs/etc/rc2.d/S50proxy | 1 + packages/torouter-prep/configs/etc/resolv.conf | 2 + .../configs/etc/ssh/sshd_config/sshd_config | 87 ++++ packages/torouter-prep/configs/etc/sysctl.conf | 5 + packages/torouter-prep/configs/etc/tor/torrc | 180 +++++++ .../udev/rules.d/75-persistent-net-generator.rules | 0 packages/torouter-prep/configs/fstab | 2 - packages/torouter-prep/configs/hostname | 1 - packages/torouter-prep/configs/hosts | 1 - packages/torouter-prep/configs/inittab | 70 --- packages/torouter-prep/configs/interfaces | 39 -- .../configs/modprobe.d-blacklist.conf | 30 -- packages/torouter-prep/configs/ntp.conf | 55 -- packages/torouter-prep/configs/openntpd-default | 6 - packages/torouter-prep/configs/sbin/copy2dream | 47 ++ packages/torouter-prep/configs/sources.list | 29 -- packages/torouter-prep/configs/sshd_config | 87 ---- ...3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key | Bin 0 -> 3742 bytes packages/torouter-prep/configs/torrc | 180 ------- packages/torouter-prep/configs/ttdnsd-default | 17 - packages/torouter-prep/debian/changelog | 2 +- packages/torouter-prep/debian/files | 2 +- packages/torouter-prep/src/torouter_config.sh | 30 +- packages/torouter-prep/src/torouter_takeover.sh | 0 48 files changed, 1294 insertions(+), 1097 deletions(-) delete mode 100644 packages/torouter-prep/configs/apt-preferences.d-backports delete mode 100644 packages/torouter-prep/configs/apt.conf delete mode 100644 packages/torouter-prep/configs/dnsmasq.conf create mode 100644 packages/torouter-prep/configs/etc/apt/sources.list create mode 100644 packages/torouter-prep/configs/etc/default/openntpd create mode 100755 packages/torouter-prep/configs/etc/default/ttdnsd create mode 100644 packages/torouter-prep/configs/etc/dhcp/dhcpd.conf create mode 100644 packages/torouter-prep/configs/etc/dnsmasq.conf create mode 100644 packages/torouter-prep/configs/etc/fstab create mode 100644 packages/torouter-prep/configs/etc/hostname create mode 100644 packages/torouter-prep/configs/etc/hosts create mode 100755 packages/torouter-prep/configs/etc/init.d/first-run create mode 100755 packages/torouter-prep/configs/etc/init.d/proxy create mode 100644 packages/torouter-prep/configs/etc/inittab create mode 100644 packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf create mode 100644 packages/torouter-prep/configs/etc/mtab create mode 100644 packages/torouter-prep/configs/etc/network/interfaces create mode 100644 packages/torouter-prep/configs/etc/ntp.conf create mode 100644 packages/torouter-prep/configs/etc/openvpn/client.conf create mode 100644 packages/torouter-prep/configs/etc/openvpn/static.key create mode 120000 packages/torouter-prep/configs/etc/rc1.d/S01first-run create mode 120000 packages/torouter-prep/configs/etc/rc2.d/S01first-run create mode 120000 packages/torouter-prep/configs/etc/rc2.d/S50proxy create mode 100644 packages/torouter-prep/configs/etc/resolv.conf create mode 100644 packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config create mode 100644 packages/torouter-prep/configs/etc/sysctl.conf create mode 100644 packages/torouter-prep/configs/etc/tor/torrc create mode 100644 packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules delete mode 100644 packages/torouter-prep/configs/fstab delete mode 100644 packages/torouter-prep/configs/hostname delete mode 100644 packages/torouter-prep/configs/hosts delete mode 100644 packages/torouter-prep/configs/inittab delete mode 100644 packages/torouter-prep/configs/interfaces delete mode 100644 packages/torouter-prep/configs/modprobe.d-blacklist.conf delete mode 100644 packages/torouter-prep/configs/ntp.conf delete mode 100644 packages/torouter-prep/configs/openntpd-default create mode 100644 packages/torouter-prep/configs/sbin/copy2dream delete mode 100644 packages/torouter-prep/configs/sources.list delete mode 100644 packages/torouter-prep/configs/sshd_config create mode 100644 packages/torouter-prep/configs/tmp/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key delete mode 100644 packages/torouter-prep/configs/torrc delete mode 100755 packages/torouter-prep/configs/ttdnsd-default mode change 100644 => 100755 packages/torouter-prep/src/torouter_config.sh mode change 100644 => 100755 packages/torouter-prep/src/torouter_takeover.sh (limited to 'packages') diff --git a/packages/Makefile b/packages/Makefile index 3fff908..875f65f 100644 --- a/packages/Makefile +++ b/packages/Makefile @@ -2,7 +2,7 @@ debs: webdeb prepdeb mvdebs webdeb: # By default we will but not sign for now - cd torouter-web && debuild --no-tgz-check -us -uc + #cd torouter-web && debuild --no-tgz-check -us -uc prepdeb: # By default we will but not sign for now diff --git a/packages/torouter-prep/Makefile b/packages/torouter-prep/Makefile index 8fbf692..be5548f 100644 --- a/packages/torouter-prep/Makefile +++ b/packages/torouter-prep/Makefile @@ -5,9 +5,10 @@ build: install: install -o root -g root -m 750 src/torouter_config.sh $(DESTDIR)/usr/bin + install -o root -g root -m 750 src/torouter_preboot.sh $(DESTDIR)/usr/bin install -o root -g root -m 750 src/torouter_takeover.sh $(DESTDIR)/usr/bin mkdir -p $(DESTDIR)/usr/share/torouter-prep - cp -ar configs $(DESTDIR)/usr/share/torouter-prep/example-configs/ + cp -ar configs/ $(DESTDIR)/usr/share/torouter-prep/example-configs/ clean: echo "nothing to clean" diff --git a/packages/torouter-prep/configs/apt-preferences.d-backports b/packages/torouter-prep/configs/apt-preferences.d-backports deleted file mode 100644 index 8e9275b..0000000 --- a/packages/torouter-prep/configs/apt-preferences.d-backports +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=squeeze-backports -Pin-Priority: 200 diff --git a/packages/torouter-prep/configs/apt.conf b/packages/torouter-prep/configs/apt.conf deleted file mode 100644 index 4143a94..0000000 --- a/packages/torouter-prep/configs/apt.conf +++ /dev/null @@ -1 +0,0 @@ -APT::Default-Release "stable"; diff --git a/packages/torouter-prep/configs/dnsmasq.conf b/packages/torouter-prep/configs/dnsmasq.conf deleted file mode 100644 index 2711486..0000000 --- a/packages/torouter-prep/configs/dnsmasq.conf +++ /dev/null @@ -1,557 +0,0 @@ -# Configuration file for dnsmasq. -# -# Format is one option per line, legal options are the same -# as the long options legal on the command line. See -# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. - -# The following two options make you a better netizen, since they -# tell dnsmasq to filter out queries which the public DNS cannot -# answer, and which load the servers (especially the root servers) -# uneccessarily. If you have a dial-on-demand link they also stop -# these requests from bringing up the link uneccessarily. - -# Never forward plain names (without a dot or domain part) -#domain-needed -# Never forward addresses in the non-routed address spaces. -#bogus-priv - - -# Uncomment this to filter useless windows-originated DNS requests -# which can trigger dial-on-demand links needlessly. -# Note that (amongst other things) this blocks all SRV requests, -# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. -# This option only affects forwarding, SRV records originating for -# dnsmasq (via srv-host= lines) are not suppressed by it. -#filterwin2k - -# Change this line if you want dns to get its upstream servers from -# somewhere other that /etc/resolv.conf -#resolv-file= - -# By default, dnsmasq will send queries to any of the upstream -# servers it knows about and tries to favour servers to are known -# to be up. Uncommenting this forces dnsmasq to try each query -# with each server strictly in the order they appear in -# /etc/resolv.conf -#strict-order - -# If you don't want dnsmasq to read /etc/resolv.conf or any other -# file, getting its servers from this file instead (see below), then -# uncomment this. -#no-resolv - -# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv -# files for changes and re-read them then uncomment this. -no-poll - -# Add other name servers here, with domain specs if they are for -# non-public domains. -#server=/localnet/192.168.0.1 - -# Example of routing PTR queries to nameservers: this will send all -# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 -#server=/3.168.192.in-addr.arpa/10.1.2.3 - -# Add local-only domains here, queries in these domains are answered -# from /etc/hosts or DHCP only. -#local=/localnet/ - -# Add domains which you want to force to an IP address here. -# The example below send any host in doubleclick.net to a local -# webserver. -#address=/doubleclick.net/127.0.0.1 - -# --address (and --server) work with IPv6 addresses too. -#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 - -# You can control how dnsmasq talks to a server: this forces -# queries to 10.1.2.3 to be routed via eth1 -# server=10.1.2.3@eth1 - -# and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that -# IP on the machine, obviously). -# server=10.1.2.3@192.168.1.1#55 - -# If you want dnsmasq to change uid and gid to something other -# than the default, edit the following lines. -#user= -#group= - -# If you want dnsmasq to listen for DHCP and DNS requests only on -# specified interfaces (and the loopback) give the name of the -# interface (eg eth0) here. -# Repeat the line for more than one interface. -interface=eth1 -interface=uap0 -# Or you can specify which interface _not_ to listen on -except-interface=eth0 -except-interface=lo -# Or which to listen on by address (remember to include 127.0.0.1 if -# you use this.) -#listen-address= -# If you want dnsmasq to provide only DNS service on an interface, -# configure it as shown above, and then use the following line to -# disable DHCP on it. -#no-dhcp-interface= -#no-dns-interface=uap0 - -# On systems which support it, dnsmasq binds the wildcard address, -# even when it is listening on only some interfaces. It then discards -# requests that it shouldn't reply to. This has the advantage of -# working even when interfaces come and go and change address. If you -# want dnsmasq to really bind only the interfaces it is listening on, -# uncomment this option. About the only time you may need this is when -# running another nameserver on the same machine. -bind-interfaces - -# If you don't want dnsmasq to read /etc/hosts, uncomment the -# following line. -#no-hosts -# or if you want it to read another file, as well as /etc/hosts, use -# this. -#addn-hosts=/etc/banner_add_hosts - -# Set this (and domain: see below) if you want to have a domain -# automatically added to simple names in a hosts-file. -#expand-hosts - -# Set the domain for dnsmasq. this is optional, but if it is set, it -# does the following things. -# 1) Allows DHCP hosts to have fully qualified domain names, as long -# as the domain part matches this setting. -# 2) Sets the "domain" DHCP option thereby potentially setting the -# domain of all systems configured by DHCP -# 3) Provides the domain part for "expand-hosts" -#domain=thekelleys.org.uk - -# Set a different domain for a particular subnet -#domain=wireless.thekelleys.org.uk,192.168.2.0/24 - -# Same idea, but range rather then subnet -#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 - -# Uncomment this to enable the integrated DHCP server, you need -# to supply the range of addresses available for lease and optionally -# a lease time. If you have more than one network, you will need to -# repeat this for each network on which you want to supply DHCP -# service. -#dhcp-range=192.168.0.50,192.168.0.150,12h -dhcp-range=10.23.42.10,10.23.42.254,255.255.255.0,12h -dhcp-range=172.16.23.10,172.16.23.254,255.255.255.0,12h - -# This is an example of a DHCP range where the netmask is given. This -# is needed for networks we reach the dnsmasq DHCP server via a relay -# agent. If you don't know what a DHCP relay agent is, you probably -# don't need to worry about this. -#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h - -# This is an example of a DHCP range which sets a tag, so that -# some DHCP options may be set only for this network. -#dhcp-range=set:red,192.168.0.50,192.168.0.150 - -# Use this DHCP range only when the tag "green" is set. -#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h - -# Specify a subnet which can't be used for dynamic address allocation, -# is available for hosts with matching --dhcp-host lines. Note that -# dhcp-host declarations will be ignored unless there is a dhcp-range -# of some type for the subnet in question. -# In this case the netmask is implied (it comes from the network -# configuration on the machine running dnsmasq) it is possible to give -# an explict netmask instead. -#dhcp-range=192.168.0.0,static - -# Supply parameters for specified hosts using DHCP. There are lots -# of valid alternatives, so we will give examples of each. Note that -# IP addresses DO NOT have to be in the range given above, they just -# need to be on the same network. The order of the parameters in these -# do not matter, it's permissble to give name,adddress and MAC in any order - -# Always allocate the host with ethernet address 11:22:33:44:55:66 -# The IP address 192.168.0.60 -#dhcp-host=11:22:33:44:55:66,192.168.0.60 - -# Always set the name of the host with hardware address -# 11:22:33:44:55:66 to be "fred" -#dhcp-host=11:22:33:44:55:66,fred - -# Always give the host with ethernet address 11:22:33:44:55:66 -# the name fred and IP address 192.168.0.60 and lease time 45 minutes -#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m - -# Give a host with ethernet address 11:22:33:44:55:66 or -# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume -# that these two ethernet interfaces will never be in use at the same -# time, and give the IP address to the second, even if it is already -# in use by the first. Useful for laptops with wired and wireless -# addresses. -#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 - -# Give the machine which says its name is "bert" IP address -# 192.168.0.70 and an infinite lease -#dhcp-host=bert,192.168.0.70,infinite - -# Always give the host with client identifier 01:02:02:04 -# the IP address 192.168.0.60 -#dhcp-host=id:01:02:02:04,192.168.0.60 - -# Always give the host with client identifier "marjorie" -# the IP address 192.168.0.60 -#dhcp-host=id:marjorie,192.168.0.60 - -# Enable the address given for "judge" in /etc/hosts -# to be given to a machine presenting the name "judge" when -# it asks for a DHCP lease. -#dhcp-host=judge - -# Never offer DHCP service to a machine whose ethernet -# address is 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,ignore - -# Ignore any client-id presented by the machine with ethernet -# address 11:22:33:44:55:66. This is useful to prevent a machine -# being treated differently when running under different OS's or -# between PXE boot and OS boot. -#dhcp-host=11:22:33:44:55:66,id:* - -# Send extra options which are tagged as "red" to -# the machine with ethernet address 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,set:red - -# Send extra options which are tagged as "red" to -# any machine with ethernet address starting 11:22:33: -#dhcp-host=11:22:33:*:*:*,set:red - -# Ignore any clients which are specified in dhcp-host lines -# or /etc/ethers. Equivalent to ISC "deny unkown-clients". -# This relies on the special "known" tag which is set when -# a host is matched. -#dhcp-ignore=tag:!known - -# Send extra options which are tagged as "red" to any machine whose -# DHCP vendorclass string includes the substring "Linux" -#dhcp-vendorclass=set:red,Linux - -# Send extra options which are tagged as "red" to any machine one -# of whose DHCP userclass strings includes the substring "accounts" -#dhcp-userclass=set:red,accounts - -# Send extra options which are tagged as "red" to any machine whose -# MAC address matches the pattern. -#dhcp-mac=set:red,00:60:8C:*:*:* - -# If this line is uncommented, dnsmasq will read /etc/ethers and act -# on the ethernet-address/IP pairs found there just as if they had -# been given as --dhcp-host options. Useful if you keep -# MAC-address/host mappings there for other purposes. -#read-ethers - -# Send options to hosts which ask for a DHCP lease. -# See RFC 2132 for details of available options. -# Common options can be given to dnsmasq by name: -# run "dnsmasq --help dhcp" to get a list. -# Note that all the common settings, such as netmask and -# broadcast address, DNS server and default route, are given -# sane defaults by dnsmasq. You very likely will not need -# any dhcp-options. If you use Windows clients and Samba, there -# are some options which are recommended, they are detailed at the -# end of this section. - -# Override the default route supplied by dnsmasq, which assumes the -# router is the same machine as the one running dnsmasq. -#dhcp-option=3,1.2.3.4 - -# Do the same thing, but using the option name -#dhcp-option=option:router,1.2.3.4 - -# Override the default route supplied by dnsmasq and send no default -# route at all. Note that this only works for the options sent by -# default (1, 3, 6, 12, 28) the same line will send a zero-length option -# for all other option numbers. -#dhcp-option=3 - -# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 -#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 - -# Set the NTP time server address to be the same machine as -# is running dnsmasq -#dhcp-option=42,0.0.0.0 - -# Set the NIS domain name to "welly" -#dhcp-option=40,welly - -# Set the default time-to-live to 50 -#dhcp-option=23,50 - -# Set the "all subnets are local" flag -#dhcp-option=27,1 - -# Send the etherboot magic flag and then etherboot options (a string). -#dhcp-option=128,e4:45:74:68:00:00 -#dhcp-option=129,NIC=eepro100 - -# Specify an option which will only be sent to the "red" network -# (see dhcp-range for the declaration of the "red" network) -# Note that the tag: part must precede the option: part. -#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 - -# The following DHCP options set up dnsmasq in the same way as is specified -# for the ISC dhcpcd in -# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt -# adapted for a typical dnsmasq installation where the host running -# dnsmasq is also the host running samba. -# you may want to uncomment some or all of them if you use -# Windows clients and Samba. -#dhcp-option=19,0 # option ip-forwarding off -#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) -#dhcp-option=45,0.0.0.0 # netbios datagram distribution server -#dhcp-option=46,8 # netbios node type - -# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client -# probably doesn't support this...... -#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com - -# Send RFC-3442 classless static routes (note the netmask encoding) -#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 - -# Send vendor-class specific options encapsulated in DHCP option 43. -# The meaning of the options is defined by the vendor-class so -# options are sent only when the client supplied vendor class -# matches the class given here. (A substring match is OK, so "MSFT" -# matches "MSFT" and "MSFT 5.0"). This example sets the -# mtftp address to 0.0.0.0 for PXEClients. -#dhcp-option=vendor:PXEClient,1,0.0.0.0 - -# Send microsoft-specific option to tell windows to release the DHCP lease -# when it shuts down. Note the "i" flag, to tell dnsmasq to send the -# value as a four-byte integer - that's what microsoft wants. See -# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true -#dhcp-option=vendor:MSFT,2,1i - -# Send the Encapsulated-vendor-class ID needed by some configurations of -# Etherboot to allow is to recognise the DHCP server. -#dhcp-option=vendor:Etherboot,60,"Etherboot" - -# Send options to PXELinux. Note that we need to send the options even -# though they don't appear in the parameter request list, so we need -# to use dhcp-option-force here. -# See http://syslinux.zytor.com/pxe.php#special for details. -# Magic number - needed before anything else is recognised -#dhcp-option-force=208,f1:00:74:7e -# Configuration file name -#dhcp-option-force=209,configs/common -# Path prefix -#dhcp-option-force=210,/tftpboot/pxelinux/files/ -# Reboot time. (Note 'i' to send 32-bit value) -#dhcp-option-force=211,30i - -# Set the boot filename for netboot/PXE. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an -# external one. (See below for how to enable the TFTP server.) -#dhcp-boot=pxelinux.0 - -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=tag:!gpxe,undionly.kpxe -#dhcp-boot=mybootimage - -# Encapsulated options for Etherboot gPXE. All the options are -# encapsulated within option 175 -#dhcp-option=encap:175, 1, 5b # priority code -#dhcp-option=encap:175, 176, 1b # no-proxydhcp -#dhcp-option=encap:175, 177, string # bus-id -#dhcp-option=encap:175, 189, 1b # BIOS drive code -#dhcp-option=encap:175, 190, user # iSCSI username -#dhcp-option=encap:175, 191, pass # iSCSI password - -# Test for the architecture of a netboot client. PXE clients are -# supposed to send their architecture as option 93. (See RFC 4578) -#dhcp-match=peecees, option:client-arch, 0 #x86-32 -#dhcp-match=itanics, option:client-arch, 2 #IA64 -#dhcp-match=hammers, option:client-arch, 6 #x86-64 -#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 - -# Do real PXE, rather than just booting a single file, this is an -# alternative to dhcp-boot. -#pxe-prompt="What system shall I netboot?" -# or with timeout before first available action is taken: -#pxe-prompt="Press F8 for menu.", 60 - -# Available boot services. for PXE. -#pxe-service=x86PC, "Boot from local disk" - -# Loads /pxelinux.0 from dnsmasq TFTP server. -#pxe-service=x86PC, "Install Linux", pxelinux - -# Loads /pxelinux.0 from TFTP server at 1.2.3.4. -# Beware this fails on old PXE ROMS. -#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 - -# Use bootserver on network, found my multicast or broadcast. -#pxe-service=x86PC, "Install windows from RIS server", 1 - -# Use bootserver at a known IP address. -#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 - -# If you have multicast-FTP available, -# information for that can be passed in a similar way using options 1 -# to 5. See page 19 of -# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf - - -# Enable dnsmasq's built-in TFTP server -#enable-tftp - -# Set the root directory for files availble via FTP. -#tftp-root=/var/ftpd - -# Make the TFTP server more secure: with this set, only files owned by -# the user dnsmasq is running as will be send over the net. -#tftp-secure - -# This option stops dnsmasq from negotiating a larger blocksize for TFTP -# transfers. It will slow things down, but may rescue some broken TFTP -# clients. -#tftp-no-blocksize - -# Set the boot file name only when the "red" tag is set. -#dhcp-boot=net:red,pxelinux.red-net - -# An example of dhcp-boot with an external TFTP server: the name and IP -# address of the server are given after the filename. -# Can fail with old PXE ROMS. Overridden by --pxe-service. -#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 - -# Set the limit on DHCP leases, the default is 150 -#dhcp-lease-max=150 - -# The DHCP server needs somewhere on disk to keep its lease database. -# This defaults to a sane location, but if you want to change it, use -# the line below. -#dhcp-leasefile=/var/lib/misc/dnsmasq.leases - -# Set the DHCP server to authoritative mode. In this mode it will barge in -# and take over the lease for any client which broadcasts on the network, -# whether it has a record of the lease or not. This avoids long timeouts -# when a machine wakes up on a new network. DO NOT enable this if there's -# the slighest chance that you might end up accidentally configuring a DHCP -# server for your campus/company accidentally. The ISC server uses -# the same option, and this URL provides more information: -# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php -#dhcp-authoritative - -# Run an executable when a DHCP lease is created or destroyed. -# The arguments sent to the script are "add" or "del", -# then the MAC address, the IP address and finally the hostname -# if there is one. -#dhcp-script=/bin/echo - -# Set the cachesize here. -#cache-size=150 - -# If you want to disable negative caching, uncomment this. -#no-negcache - -# Normally responses which come form /etc/hosts and the DHCP lease -# file have Time-To-Live set as zero, which conventionally means -# do not cache further. If you are happy to trade lower load on the -# server for potentially stale date, you can set a time-to-live (in -# seconds) here. -#local-ttl= - -# If you want dnsmasq to detect attempts by Verisign to send queries -# to unregistered .com and .net hosts to its sitefinder service and -# have dnsmasq instead return the correct NXDOMAIN response, uncomment -# this line. You can add similar lines to do the same for other -# registries which have implemented wildcard A records. -#bogus-nxdomain=64.94.110.11 - -# If you want to fix up DNS results from upstream servers, use the -# alias option. This only works for IPv4. -# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 -#alias=1.2.3.4,5.6.7.8 -# and this maps 1.2.3.x to 5.6.7.x -#alias=1.2.3.0,5.6.7.0,255.255.255.0 -# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 -#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 - -# Change these lines if you want dnsmasq to serve MX records. - -# Return an MX record named "maildomain.com" with target -# servermachine.com and preference 50 -#mx-host=maildomain.com,servermachine.com,50 - -# Set the default target for MX records created using the localmx option. -#mx-target=servermachine.com - -# Return an MX record pointing to the mx-target for all local -# machines. -#localmx - -# Return an MX record pointing to itself for all local machines. -#selfmx - -# Change the following lines if you want dnsmasq to serve SRV -# records. These are useful if you want to serve ldap requests for -# Active Directory and other windows-originated DNS requests. -# See RFC 2782. -# You may add multiple srv-host lines. -# The fields are ,,,, -# If the domain part if missing from the name (so that is just has the -# service and protocol sections) then the domain given by the domain= -# config option is used. (Note that expand-hosts does not need to be -# set for this to work.) - -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 389 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 - -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 389 (using domain=) -#domain=example.com -#srv-host=_ldap._tcp,ldapserver.example.com,389 - -# Two SRV records for LDAP, each with different priorities -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 - -# A SRV record indicating that there is no LDAP server for the domain -# example.com -#srv-host=_ldap._tcp.example.com - -# The following line shows how to make dnsmasq serve an arbitrary PTR -# record. This is useful for DNS-SD. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for PTR records.) -#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" - -# Change the following lines to enable dnsmasq to serve TXT records. -# These are used for things like SPF and zeroconf. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for TXT records.) - -#Example SPF. -#txt-record=example.com,"v=spf1 a -all" - -#Example zeroconf -#txt-record=_http._tcp.example.com,name=value,paper=A4 - -# Provide an alias for a "local" DNS name. Note that this _only_ works -# for targets which are names from DHCP or /etc/hosts. Give host -# "bert" another name, bertrand -#cname=bertand,bert - -# For debugging purposes, log each DNS query as it passes through -# dnsmasq. -#log-queries - -# Log lots of extra information about DHCP transactions. -#log-dhcp - -# Include a another lot of configuration options. -#conf-file=/etc/dnsmasq.more.conf -#conf-dir=/etc/dnsmasq.d diff --git a/packages/torouter-prep/configs/etc/apt/sources.list b/packages/torouter-prep/configs/etc/apt/sources.list new file mode 100644 index 0000000..c06710c --- /dev/null +++ b/packages/torouter-prep/configs/etc/apt/sources.list @@ -0,0 +1,2 @@ +deb http://http.debian.net/debian wheezy main +deb-src http://http.debian.net/debian wheezy main diff --git a/packages/torouter-prep/configs/etc/default/openntpd b/packages/torouter-prep/configs/etc/default/openntpd new file mode 100644 index 0000000..318e7bd --- /dev/null +++ b/packages/torouter-prep/configs/etc/default/openntpd @@ -0,0 +1,6 @@ +# /etc/default/openntpd + +# Append '-s' to set the system time when starting in case the offset +# between the local clock and the servers is more than 180 seconds. +# For other options, see man ntpd(8). +DAEMON_OPTS="-f /etc/openntpd/ntpd.conf -s" diff --git a/packages/torouter-prep/configs/etc/default/ttdnsd b/packages/torouter-prep/configs/etc/default/ttdnsd new file mode 100755 index 0000000..0a22bc4 --- /dev/null +++ b/packages/torouter-prep/configs/etc/default/ttdnsd @@ -0,0 +1,17 @@ +# /etc/default/ttdnsd + +# Address to bind to - usually this should be 127.0.0.1 +# unless a copy of ttdnsd runs on 127.0.0.n +ADDR_ARG="-b 172.16.23.1" + +# Port to listen on - almost always this should be port 53 +# unless an additional local DNS cache (like unbound, dnscache, pdnsd) +# listen on port 53 as system resolver and is used in front of ttdnsd +# for caching purposes. +PORT_ARG="-p 5354" + +# Debug logging +# DEBUG_LOGGING="-l" + +# Glue all of it together below +DEFAULTS="$ADDR_ARG $PORT_ARG" diff --git a/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf b/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf new file mode 100644 index 0000000..ec502c6 --- /dev/null +++ b/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf @@ -0,0 +1,32 @@ +# +# FreedomBox ISC dhcpd configuration +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "free.dom"; +option domain-name-servers ns1.free.dom, ns2.free.dom; + +default-lease-time 600; +max-lease-time 7200; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# basic subnet configuration for the 'downstream' wired network + +subnet 192.168.1.0 netmask 255.255.255.0 { + range 192.168.1.10 192.168.1.100; + option routers 192.168.1.1; +} diff --git a/packages/torouter-prep/configs/etc/dnsmasq.conf b/packages/torouter-prep/configs/etc/dnsmasq.conf new file mode 100644 index 0000000..2711486 --- /dev/null +++ b/packages/torouter-prep/configs/etc/dnsmasq.conf @@ -0,0 +1,557 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# uneccessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link uneccessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in doubleclick.net to a local +# webserver. +#address=/doubleclick.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +interface=eth1 +interface=uap0 +# Or you can specify which interface _not_ to listen on +except-interface=eth0 +except-interface=lo +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP on it. +#no-dhcp-interface= +#no-dns-interface=uap0 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h +dhcp-range=10.23.42.10,10.23.42.254,255.255.255.0,12h +dhcp-range=172.16.23.10,172.16.23.254,255.255.255.0,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explict netmask instead. +#dhcp-range=192.168.0.0,static + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissble to give name,adddress and MAC in any order + +# Always allocate the host with ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Ignore any clients which are specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unkown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files availble via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=net:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slighest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come form /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include a another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d diff --git a/packages/torouter-prep/configs/etc/fstab b/packages/torouter-prep/configs/etc/fstab new file mode 100644 index 0000000..7c48827 --- /dev/null +++ b/packages/torouter-prep/configs/etc/fstab @@ -0,0 +1,6 @@ +/dev/sdc2 / auto relatime,rw 0 0 +proc /proc proc none 0 0 +sys /sys sysfs none 0 0 +none /dev/pts devpts defaults 0 0 +tmpfs /tmp tmpfs rw,nosuid,nodev 0 0 +/dev/sdc1 /boot vfat defaults 0 0 diff --git a/packages/torouter-prep/configs/etc/hostname b/packages/torouter-prep/configs/etc/hostname new file mode 100644 index 0000000..a4a2962 --- /dev/null +++ b/packages/torouter-prep/configs/etc/hostname @@ -0,0 +1 @@ +torouter diff --git a/packages/torouter-prep/configs/etc/hosts b/packages/torouter-prep/configs/etc/hosts new file mode 100644 index 0000000..42dbc33 --- /dev/null +++ b/packages/torouter-prep/configs/etc/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost torouter +::1 localhost ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters + diff --git a/packages/torouter-prep/configs/etc/init.d/first-run b/packages/torouter-prep/configs/etc/init.d/first-run new file mode 100755 index 0000000..8df2c2d --- /dev/null +++ b/packages/torouter-prep/configs/etc/init.d/first-run @@ -0,0 +1,71 @@ +#!/bin/bash +# +# Script to complete the post-install process on first FBX boot. + +### BEGIN INIT INFO +# Provides: first-run +# Default-Start: 1 2 +# Required-Start: 2 +# Required-Stop: +# Default-Stop: +# Short-Description: Finish FBX install on DreamPlug +### END INIT INFO + +function tweak-kernel { + # Update the kernel unless requested otherwise. + + if [ -e /var/freedombox/dont-tweak-kernel ] + then + rm /var/freedombox/dont-tweak-kernel + else + kernel_version="$(/bin/ls $mountpoint/boot/vmlinuz-*-kirkwood | sort -rn | head -n1 | sed s#$mountpoint/boot/vmlinuz-##)" + + mount -t proc proc /proc + flash-kernel $kernel_version + umount /proc + fi +} + +function wifi-ap-setup { + # configure wireless access point with spinifex's prebuilt firmware + + echo "Sleeping 30s for DHCP" + sleep 30 # wait for dhcp + + echo "Installing UAP Firmware." + wget -O /tmp/marvell_wifi_firmware.tar.gz http://www.spinifex.com.au/plugs/downloads/dreamplug/marvell_wifi_firmware.tar.gz + tar -C /tmp -zxf /tmp/marvell_wifi_firmware.tar.gz + mkdir -p /lib/firmware/mrvl + cp /tmp/lib/firmware/mrvl/* /lib/firmware/mrvl +} + +function create-keys { + echo "Creating Keys." + + echo "Creating SSH keys." + rm /etc/ssh/ssh_host_* + dpkg-reconfigure openssh-server + + echo "Need to create other keys." + # gpg --batch --gen-key + # see http://lists.gnupg.org/pipermail/gnupg-users/2003-March/017376.html +} + +function remove-self { + rm -f /etc/init.d/first-run + rm -f /etc/rc1.d/S01first-run + rm -f /etc/rc2.d/S01first-run + rm /etc/init.d/first-run + rm /etc/rc1.d/S01first-run + rm /etc/rc2.d/S01first-run +} + +create-keys +# wifi-ap-setup + +# the last things we do before quitting. +tweak-kernel +remove-self + +echo "Kernel flashed. Rebooting." +reboot diff --git a/packages/torouter-prep/configs/etc/init.d/proxy b/packages/torouter-prep/configs/etc/init.d/proxy new file mode 100755 index 0000000..901507b --- /dev/null +++ b/packages/torouter-prep/configs/etc/init.d/proxy @@ -0,0 +1,61 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: proxy +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Proxy for clients. +### END INIT INFO + +set -e + +INTIF1="eth0" +INTIF2="uap0" +EXTIF="eth1" +EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" + +loadModules() { + depmod -a + modprobe ip_tables + modprobe ip_conntrack + modprobe ip_conntrack_ftp + modprobe ip_conntrack_irc + modprobe iptable_nat + modprobe ip_nat_ftp +} + +setProc() { + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "1" > /proc/sys/net/ipv4/ip_dynaddr +} + +configIpTables() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P OUTPUT ACCEPT + iptables -F OUTPUT + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -t nat -F + + iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT + iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT + + iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +} + +case "$1" in + start) + loadModules + setProc + configIpTables + ;; + *) + log_success_msg "Usage: /etc/init.d/proxy {start}" + exit 1 + ;; +esac diff --git a/packages/torouter-prep/configs/etc/inittab b/packages/torouter-prep/configs/etc/inittab new file mode 100644 index 0000000..98dca83 --- /dev/null +++ b/packages/torouter-prep/configs/etc/inittab @@ -0,0 +1,70 @@ +# /etc/inittab: init(8) configuration. +# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ + +# The default runlevel. +id:2:initdefault: + +# Boot-time system configuration/initialization script. +# This is run first except when booting in emergency (-b) mode. +si::sysinit:/etc/init.d/rcS + +# What to do in single-user mode. +~~:S:wait:/sbin/sulogin + +# /etc/init.d executes the S and K scripts upon change +# of runlevel. +# +# Runlevel 0 is halt. +# Runlevel 1 is single-user. +# Runlevels 2-5 are multi-user. +# Runlevel 6 is reboot. + +l0:0:wait:/etc/init.d/rc 0 +l1:1:wait:/etc/init.d/rc 1 +l2:2:wait:/etc/init.d/rc 2 +l3:3:wait:/etc/init.d/rc 3 +l4:4:wait:/etc/init.d/rc 4 +l5:5:wait:/etc/init.d/rc 5 +l6:6:wait:/etc/init.d/rc 6 +# Normally not reached, but fallthrough in case of emergency. +z6:6:respawn:/sbin/sulogin + +# What to do when CTRL-ALT-DEL is pressed. +ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now + +# Action on special keypress (ALT-UpArrow). +#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work." + +# What to do when the power fails/returns. +pf::powerwait:/etc/init.d/powerfail start +pn::powerfailnow:/etc/init.d/powerfail now +po::powerokwait:/etc/init.d/powerfail stop + +# /sbin/getty invocations for the runlevels. +# +# The "id" field MUST be the same as the last +# characters of the device (after "tty"). +# +# Format: +# ::: +# +# Note that on most Debian systems tty7 is used by the X Window System, +# so if you want to add more getty's go ahead but skip tty7 if you run X. +# +1:2345:respawn:/sbin/getty 38400 tty1 +#2:23:respawn:/sbin/getty 38400 tty2 +#3:23:respawn:/sbin/getty 38400 tty3 +#4:23:respawn:/sbin/getty 38400 tty4 +#5:23:respawn:/sbin/getty 38400 tty5 +#6:23:respawn:/sbin/getty 38400 tty6 + +# Example how to put a getty on a serial line (for a terminal) +# +#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 +#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100 + +# Example how to put a getty on a modem line. +# +#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3 + +T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux diff --git a/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf b/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf new file mode 100644 index 0000000..dfb7967 --- /dev/null +++ b/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf @@ -0,0 +1,26 @@ +# This file lists modules which will not be loaded as the result of +# alias expansion, with the purpose of preventing the hotplug subsystem +# to load them. It does not affect autoloading of modules by the kernel. +# This file is provided by the udev package. + +# evbug is a debug tool and should be loaded explicitly +blacklist evbug + +# these drivers are very simple, the HID drivers are usually preferred +blacklist usbmouse +blacklist usbkbd + +# replaced by e100 +blacklist eepro100 + +# replaced by tulip +blacklist de4x5 + +# replaced by tmscsim +blacklist am53c974 + +# these watchdog drivers break some systems +blacklist iTCO_wdt + +# We do not need or want ipv6 right now +blacklist ipv6 diff --git a/packages/torouter-prep/configs/etc/mtab b/packages/torouter-prep/configs/etc/mtab new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/network/interfaces b/packages/torouter-prep/configs/etc/network/interfaces new file mode 100644 index 0000000..255075f --- /dev/null +++ b/packages/torouter-prep/configs/etc/network/interfaces @@ -0,0 +1,39 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +auto eth0 +iface eth0 inet manual + post-up ifup uap0 + post-down ifdown uap0 + +auto eth1 +iface eth1 inet static + address 10.23.42.1 + netmask 255.255.255.0 + network 10.23.42.0 + broadcast 10.23.42.255 + post-up echo 1 > /proc/sys/net/ipv4/ip_forward + # this must happen after have brought up uap0 because it clears the nat tables + post-up iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -o eth0 -j MASQUERADE + post-up /etc/init.d/dnsmasq restart + +# The magic Tor wireless network +auto uap0 +iface uap0 inet static + address 172.16.23.1 + netmask 255.255.255.0 + network 172.16.23.0 + broadcast 172.16.23.255 + pre-up ifconfig uap0 hw ether 00:66:66:66:66:66 + post-up /etc/init.d/tor reload + post-up /etc/init.d/dnsmasq restart + post-up /etc/init.d/ttdnsd restart + post-up /usr/bin/uaputl sys_cfg_ssid "torproject" || true + post-up /usr/bin/uaputl bss_start || true + post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh || true + pre-down /usr/bin/uaputl bss_stop || true diff --git a/packages/torouter-prep/configs/etc/ntp.conf b/packages/torouter-prep/configs/etc/ntp.conf new file mode 100644 index 0000000..cb7d021 --- /dev/null +++ b/packages/torouter-prep/configs/etc/ntp.conf @@ -0,0 +1,55 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +# You do need to talk to an NTP server or two (or three). +#server ntp.your-provider.example + +# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will +# pick a different set every time it starts up. Please consider joining the +# pool: +server 0.debian.pool.ntp.org iburst +server 1.debian.pool.ntp.org iburst +server 2.debian.pool.ntp.org iburst +server 3.debian.pool.ntp.org iburst + + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient diff --git a/packages/torouter-prep/configs/etc/openvpn/client.conf b/packages/torouter-prep/configs/etc/openvpn/client.conf new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/openvpn/static.key b/packages/torouter-prep/configs/etc/openvpn/static.key new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/rc1.d/S01first-run b/packages/torouter-prep/configs/etc/rc1.d/S01first-run new file mode 120000 index 0000000..e24a808 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc1.d/S01first-run @@ -0,0 +1 @@ +../init.d/first-run \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/rc2.d/S01first-run b/packages/torouter-prep/configs/etc/rc2.d/S01first-run new file mode 120000 index 0000000..e24a808 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc2.d/S01first-run @@ -0,0 +1 @@ +../init.d/first-run \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/rc2.d/S50proxy b/packages/torouter-prep/configs/etc/rc2.d/S50proxy new file mode 120000 index 0000000..9855df4 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc2.d/S50proxy @@ -0,0 +1 @@ +../init.d/proxy \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/resolv.conf b/packages/torouter-prep/configs/etc/resolv.conf new file mode 100644 index 0000000..af9304d --- /dev/null +++ b/packages/torouter-prep/configs/etc/resolv.conf @@ -0,0 +1,2 @@ +nameserver 208.67.222.222 +nameserver 208.67.220.220 diff --git a/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config b/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config new file mode 100644 index 0000000..d079ac0 --- /dev/null +++ b/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config @@ -0,0 +1,87 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin yes +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes +AddressFamily inet diff --git a/packages/torouter-prep/configs/etc/sysctl.conf b/packages/torouter-prep/configs/etc/sysctl.conf new file mode 100644 index 0000000..916e972 --- /dev/null +++ b/packages/torouter-prep/configs/etc/sysctl.conf @@ -0,0 +1,5 @@ +# Reduce writes to flash drives +vm.laptop_mode=5 +vm.swappiness=0 +vm.dirty_writeback_centisecs=1500 +vm.dirty_expire_centisecs=1500 diff --git a/packages/torouter-prep/configs/etc/tor/torrc b/packages/torouter-prep/configs/etc/tor/torrc new file mode 100644 index 0000000..5023d57 --- /dev/null +++ b/packages/torouter-prep/configs/etc/tor/torrc @@ -0,0 +1,180 @@ +## Configuration file for a typical Tor user +## Last updated 12 April 2009 for Tor 0.2.1.14-rc. +## (May or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc + + +## Replace this with "SocksPort 0" if you plan to run Tor only as a +## relay, and not make any local application connections yourself. +SocksPort 9050 # what port to open for local application connections +SocksListenAddress 127.0.0.1 # accept connections only from localhost +#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests from SocksListenAddress. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +# Uncomment this to allow ssh access to the Torouter over your own Hidden Service +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 22 127.0.0.1:22 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +### Required: what port to advertise for incoming Tor connections. +ORPort auto +## If you want to listen on a port other than the one advertised +## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the +## line below too. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORListenAddress 0.0.0.0:9090 +#ORListenAddress 0.0.0.0:9090 +Nickname Torouter + +## The IP address or full DNS name for your relay. Leave commented out +## and Tor will guess. +#Address noname.example.com + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KBytes. +RelayBandwidthRate 50KB +RelayBandwidthBurst 75KB + +## Contact info to be published in the directory, so we can contact you +## if your relay is misconfigured or something else goes wrong. Google +## indexes this, so spammers might also collect it. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 1234D/FFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised +## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line +## below too. You'll need to do ipchains or other port forwarding yourself +## to make this work. +#DirListenAddress 0.0.0.0:9091 +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html for a sample. +#DirPortFrontPage /etc/tor/exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even if an +## ISP is filtering connections to all the known Tor relays, they probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +# be a real relay, please do; but if not, be a bridge! +BridgeRelay 1 +ExitPolicy reject *:* + +AvoidDiskWrites 1 + +# middle box stuff +VirtualAddrNetwork 10.192.0.0/10 +AutomapHostsOnResolve 1 +TransPort 9040 +TransListenAddress 172.16.23.1 +DNSPort 5353 +DNSListenAddress 172.16.23.1 +# If you disable unbound, you may enable this +#DNSListenAddress 127.0.0.1:53 + +User debian-tor + +# By default we do not have PortForwarding support +# PortForwarding 1 +# PortForwardingHelper /usr/local/bin/tor-fw-helper + +PIDFile /var/run/tor/tor.pid + +ControlPort 9051 +ControlListenAddress 127.0.0.1:9051 +CookieAuthentication 1 + diff --git a/packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules b/packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/fstab b/packages/torouter-prep/configs/fstab deleted file mode 100644 index 292e521..0000000 --- a/packages/torouter-prep/configs/fstab +++ /dev/null @@ -1,2 +0,0 @@ -# This is the weird boot partition (hopefully ext2/3/4 later) -/dev/sda1 /boot vfat nodev,noexec,nosuid 0 0 diff --git a/packages/torouter-prep/configs/hostname b/packages/torouter-prep/configs/hostname deleted file mode 100644 index a4a2962..0000000 --- a/packages/torouter-prep/configs/hostname +++ /dev/null @@ -1 +0,0 @@ -torouter diff --git a/packages/torouter-prep/configs/hosts b/packages/torouter-prep/configs/hosts deleted file mode 100644 index 9a3311b..0000000 --- a/packages/torouter-prep/configs/hosts +++ /dev/null @@ -1 +0,0 @@ - 127.0.0.1 localhost torouter diff --git a/packages/torouter-prep/configs/inittab b/packages/torouter-prep/configs/inittab deleted file mode 100644 index 98dca83..0000000 --- a/packages/torouter-prep/configs/inittab +++ /dev/null @@ -1,70 +0,0 @@ -# /etc/inittab: init(8) configuration. -# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ - -# The default runlevel. -id:2:initdefault: - -# Boot-time system configuration/initialization script. -# This is run first except when booting in emergency (-b) mode. -si::sysinit:/etc/init.d/rcS - -# What to do in single-user mode. -~~:S:wait:/sbin/sulogin - -# /etc/init.d executes the S and K scripts upon change -# of runlevel. -# -# Runlevel 0 is halt. -# Runlevel 1 is single-user. -# Runlevels 2-5 are multi-user. -# Runlevel 6 is reboot. - -l0:0:wait:/etc/init.d/rc 0 -l1:1:wait:/etc/init.d/rc 1 -l2:2:wait:/etc/init.d/rc 2 -l3:3:wait:/etc/init.d/rc 3 -l4:4:wait:/etc/init.d/rc 4 -l5:5:wait:/etc/init.d/rc 5 -l6:6:wait:/etc/init.d/rc 6 -# Normally not reached, but fallthrough in case of emergency. -z6:6:respawn:/sbin/sulogin - -# What to do when CTRL-ALT-DEL is pressed. -ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now - -# Action on special keypress (ALT-UpArrow). -#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work." - -# What to do when the power fails/returns. -pf::powerwait:/etc/init.d/powerfail start -pn::powerfailnow:/etc/init.d/powerfail now -po::powerokwait:/etc/init.d/powerfail stop - -# /sbin/getty invocations for the runlevels. -# -# The "id" field MUST be the same as the last -# characters of the device (after "tty"). -# -# Format: -# ::: -# -# Note that on most Debian systems tty7 is used by the X Window System, -# so if you want to add more getty's go ahead but skip tty7 if you run X. -# -1:2345:respawn:/sbin/getty 38400 tty1 -#2:23:respawn:/sbin/getty 38400 tty2 -#3:23:respawn:/sbin/getty 38400 tty3 -#4:23:respawn:/sbin/getty 38400 tty4 -#5:23:respawn:/sbin/getty 38400 tty5 -#6:23:respawn:/sbin/getty 38400 tty6 - -# Example how to put a getty on a serial line (for a terminal) -# -#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 -#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100 - -# Example how to put a getty on a modem line. -# -#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3 - -T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux diff --git a/packages/torouter-prep/configs/interfaces b/packages/torouter-prep/configs/interfaces deleted file mode 100644 index fdc8765..0000000 --- a/packages/torouter-prep/configs/interfaces +++ /dev/null @@ -1,39 +0,0 @@ -# This file describes the network interfaces available on your system -# and how to activate them. For more information, see interfaces(5). - -# The loopback network interface -auto lo -iface lo inet loopback - -# The primary network interface -auto eth0 -iface eth0 inet dhcp - post-up ifup uap0 - post-down ifdown uap0 - -auto eth1 -iface eth1 inet static - address 10.23.42.1 - netmask 255.255.255.0 - network 10.23.42.0 - broadcast 10.23.42.255 - post-up echo 1 > /proc/sys/net/ipv4/ip_forward - # this must happen after have brought up uap0 because it clears the nat tables - post-up iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -o eth0 -j MASQUERADE - post-up /etc/init.d/dnsmasq restart - -# The magic Tor wireless network -auto uap0 -iface uap0 inet static - address 172.16.23.1 - netmask 255.255.255.0 - network 172.16.23.0 - broadcast 172.16.23.255 - pre-up ifconfig uap0 hw ether 00:66:66:66:66:66 - post-up /etc/init.d/tor reload - post-up /etc/init.d/dnsmasq restart - post-up /etc/init.d/ttdnsd restart - post-up /usr/bin/uaputl sys_cfg_ssid "torproject" || true - post-up /usr/bin/uaputl bss_start || true - post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh || true - pre-down /usr/bin/uaputl bss_stop || true diff --git a/packages/torouter-prep/configs/modprobe.d-blacklist.conf b/packages/torouter-prep/configs/modprobe.d-blacklist.conf deleted file mode 100644 index e14a9d0..0000000 --- a/packages/torouter-prep/configs/modprobe.d-blacklist.conf +++ /dev/null @@ -1,30 +0,0 @@ -# This file lists modules which will not be loaded as the result of -# alias expansion, with the purpose of preventing the hotplug subsystem -# to load them. It does not affect autoloading of modules by the kernel. -# This file is provided by the udev package. - -# evbug is a debug tool and should be loaded explicitly -blacklist evbug - -# these drivers are very simple, the HID drivers are usually preferred -blacklist usbmouse -blacklist usbkbd - -# replaced by e100 -blacklist eepro100 - -# replaced by tulip -blacklist de4x5 - -# replaced by tmscsim -blacklist am53c974 - -# these watchdog drivers break some systems -blacklist iTCO_wdt - -# We do not need or want ipv6 right now -blacklist ipv6 - -# This wireless driver does not give us AP support, sadly -blacklist libertas -blacklist libertas_sdio diff --git a/packages/torouter-prep/configs/ntp.conf b/packages/torouter-prep/configs/ntp.conf deleted file mode 100644 index cb7d021..0000000 --- a/packages/torouter-prep/configs/ntp.conf +++ /dev/null @@ -1,55 +0,0 @@ -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help - -driftfile /var/lib/ntp/ntp.drift - - -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ - -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable - - -# You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example - -# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will -# pick a different set every time it starts up. Please consider joining the -# pool: -server 0.debian.pool.ntp.org iburst -server 1.debian.pool.ntp.org iburst -server 2.debian.pool.ntp.org iburst -server 3.debian.pool.ntp.org iburst - - -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. -# -# Note that "restrict" applies to both servers and clients, so a configuration -# that might be intended to block requests from certain clients could also end -# up blocking replies from your own upstream servers. - -# By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery - -# Local users may interrogate the ntp server more closely. -restrict 127.0.0.1 -restrict ::1 - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! -#disable auth -#broadcastclient diff --git a/packages/torouter-prep/configs/openntpd-default b/packages/torouter-prep/configs/openntpd-default deleted file mode 100644 index 318e7bd..0000000 --- a/packages/torouter-prep/configs/openntpd-default +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/default/openntpd - -# Append '-s' to set the system time when starting in case the offset -# between the local clock and the servers is more than 180 seconds. -# For other options, see man ntpd(8). -DAEMON_OPTS="-f /etc/openntpd/ntpd.conf -s" diff --git a/packages/torouter-prep/configs/sbin/copy2dream b/packages/torouter-prep/configs/sbin/copy2dream new file mode 100644 index 0000000..267c2b6 --- /dev/null +++ b/packages/torouter-prep/configs/sbin/copy2dream @@ -0,0 +1,47 @@ +#!/bin/sh +# +# this script assumes the current root filesystem is the source, and the +# internal microSD on a DreamPlug is the target .. all existing content on +# the microSD card will be lost. +# + +# partition microSD card inside DreamPlug +echo "=> partition internal microSD card" +parted -s /dev/sda mklabel msdos +parted -s /dev/sda mkpart primary fat16 0 128 +parted -s /dev/sda mkpart primary ext2 128 100% + +# create filesystems on new partitions +echo "=> create filesystems on internal microSD card" +mkdosfs /dev/sda1 +mke2fs -j /dev/sda2 + +echo "=> mount target partitions" +mount /dev/sda2 /media +mkdir -p /media/boot +mount /dev/sda1 /media/boot + +echo "=> copy filesystem content from USB stick to target partitions" +(cd / ; tar cpSf - `/bin/ls | grep -v boot | grep -v proc | grep -v sys | grep -v media | grep -v dev`) | (cd /media ; tar xpf -) +# the following intentionally ignores subdirectories +cp /boot/* /media/boot/ + +echo "=> touch up target root partition" +mkdir /media/proc /media/sys /media/media /media/dev +mknod /media/dev/console c 5 1 +mknod /media/dev/random c 1 8 +mknod /media/dev/urandom c 1 9 +mknod /media/dev/null c 1 3 +mknod /media/dev/ptmx c 5 2 + +# patch up /etc/fstab entry for /boot +sed -e 's/sdc/sda/g' < /etc/fstab > /media/etc/fstab + +# flash the kernel and create the device's keys +chroot /media /etc/init.d/first-run + +echo "unmount target partitions" +umount /dev/sda1 +umount /dev/sda2 + +echo "=> installation complete, see docs to boot from internal microSD" diff --git a/packages/torouter-prep/configs/sources.list b/packages/torouter-prep/configs/sources.list deleted file mode 100644 index 42bc62b..0000000 --- a/packages/torouter-prep/configs/sources.list +++ /dev/null @@ -1,29 +0,0 @@ -deb http://ftp.de.debian.org/pub/debian/ squeeze main non-free contrib -deb-src http://ftp.de.debian.org/pub/debian/ squeeze main non-free contrib -deb http://security.debian.org/ squeeze/updates main - -# Sid for uaputl -deb http://ftp.debian.org/debian sid main - -# experimental for natpmp -deb http://ftp.debian.org/debian experimental main -deb-src http://ftp.debian.org/debian experimental main - -# backports for upnp -deb http://backports.debian.org/debian-backports squeeze-backports main - -# Tor project repo -deb http://deb.torproject.org/torproject.org/ squeeze main -deb-src http://deb.torproject.org/torproject.org squeeze main - -# Tor project experimental package repo -deb http://deb.torproject.org/torproject.org experimental-squeeze main -deb-src http://deb.torproject.org/torproject.org experimental-squeeze main - -# Tor 0.2.3.x package repo -deb http://deb.torproject.org/torproject.org tor-0.2.3.x-stable main -deb-src http://deb.torproject.org/torproject.org tor-0.2.3.x-stable main - - -# Torouter project repo -deb http://torrouter.torproject.org/torrouter torrouter main diff --git a/packages/torouter-prep/configs/sshd_config b/packages/torouter-prep/configs/sshd_config deleted file mode 100644 index d079ac0..0000000 --- a/packages/torouter-prep/configs/sshd_config +++ /dev/null @@ -1,87 +0,0 @@ -# Package generated configuration file -# See the sshd_config(5) manpage for details - -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 120 -PermitRootLogin yes -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes -AddressFamily inet diff --git a/packages/torouter-prep/configs/tmp/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key b/packages/torouter-prep/configs/tmp/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key new file mode 100644 index 0000000..5b6a4d3 Binary files /dev/null and b/packages/torouter-prep/configs/tmp/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key differ diff --git a/packages/torouter-prep/configs/torrc b/packages/torouter-prep/configs/torrc deleted file mode 100644 index 5023d57..0000000 --- a/packages/torouter-prep/configs/torrc +++ /dev/null @@ -1,180 +0,0 @@ -## Configuration file for a typical Tor user -## Last updated 12 April 2009 for Tor 0.2.1.14-rc. -## (May or may not work for much older or much newer versions of Tor.) -## -## Lines that begin with "## " try to explain what's going on. Lines -## that begin with just "#" are disabled commands: you can enable them -## by removing the "#" symbol. -## -## See 'man tor', or https://www.torproject.org/tor-manual.html, -## for more options you can use in this file. -## -## Tor will look for this file in various places based on your platform: -## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc - - -## Replace this with "SocksPort 0" if you plan to run Tor only as a -## relay, and not make any local application connections yourself. -SocksPort 9050 # what port to open for local application connections -SocksListenAddress 127.0.0.1 # accept connections only from localhost -#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also - -## Entry policies to allow/deny SOCKS requests based on IP address. -## First entry that matches wins. If no SocksPolicy is set, we accept -## all (and only) requests from SocksListenAddress. -#SocksPolicy accept 192.168.0.0/16 -#SocksPolicy reject * - -## Logs go to stdout at level "notice" unless redirected by something -## else, like one of the below lines. You can have as many Log lines as -## you want. -## -## We advise using "notice" in most cases, since anything more verbose -## may provide sensitive information to an attacker who obtains the logs. -## -## Send all messages of level 'notice' or higher to /var/log/tor/notices.log -Log notice file /var/log/tor/notices.log -## Send every possible message to /var/log/tor/debug.log -#Log debug file /var/log/tor/debug.log -## Use the system log instead of Tor's logfiles -#Log notice syslog -## To send all messages to stderr: -#Log debug stderr - -## Uncomment this to start the process in the background... or use -## --runasdaemon 1 on the command line. This is ignored on Windows; -## see the FAQ entry if you want Tor to run as an NT service. -RunAsDaemon 1 - -## The directory for keeping all the keys/etc. By default, we store -## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. -DataDirectory /var/lib/tor - -## The port on which Tor will listen for local connections from Tor -## controller applications, as documented in control-spec.txt. -#ControlPort 9051 -## If you enable the controlport, be sure to enable one of these -## authentication methods, to prevent attackers from accessing it. -#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C -#CookieAuthentication 1 - -############### This section is just for location-hidden services ### - -## Once you have configured a hidden service, you can look at the -## contents of the file ".../hidden_service/hostname" for the address -## to tell people. -## -## HiddenServicePort x y:z says to redirect requests on port x to the -## address y:z. - -# Uncomment this to allow ssh access to the Torouter over your own Hidden Service -#HiddenServiceDir /var/lib/tor/hidden_service/ -#HiddenServicePort 22 127.0.0.1:22 - -#HiddenServiceDir /var/lib/tor/other_hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 -#HiddenServicePort 22 127.0.0.1:22 - -################ This section is just for relays ##################### -# -## See https://www.torproject.org/docs/tor-doc-relay for details. - -### Required: what port to advertise for incoming Tor connections. -ORPort auto -## If you want to listen on a port other than the one advertised -## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the -## line below too. You'll need to do ipchains or other port forwarding -## yourself to make this work. -#ORListenAddress 0.0.0.0:9090 -#ORListenAddress 0.0.0.0:9090 -Nickname Torouter - -## The IP address or full DNS name for your relay. Leave commented out -## and Tor will guess. -#Address noname.example.com - -## Define these to limit how much relayed traffic you will allow. Your -## own traffic is still unthrottled. Note that RelayBandwidthRate must -## be at least 20 KBytes. -RelayBandwidthRate 50KB -RelayBandwidthBurst 75KB - -## Contact info to be published in the directory, so we can contact you -## if your relay is misconfigured or something else goes wrong. Google -## indexes this, so spammers might also collect it. -#ContactInfo Random Person -## You might also include your PGP or GPG fingerprint if you have one: -#ContactInfo 1234D/FFFFFFFF Random Person - -## Uncomment this to mirror directory information for others. Please do -## if you have enough bandwidth. -#DirPort 9030 # what port to advertise for directory connections -## If you want to listen on a port other than the one advertised -## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line -## below too. You'll need to do ipchains or other port forwarding yourself -## to make this work. -#DirListenAddress 0.0.0.0:9091 -## Uncomment to return an arbitrary blob of html on your DirPort. Now you -## can explain what Tor is if anybody wonders why your IP address is -## contacting them. See contrib/tor-exit-notice.html for a sample. -#DirPortFrontPage /etc/tor/exit-notice.html - -## Uncomment this if you run more than one Tor relay, and add the identity -## key fingerprint of each Tor relay you control, even if they're on -## different networks. You declare it here so Tor clients can avoid -## using more than one of your relays in a single circuit. See -## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers -#MyFamily $keyid,$keyid,... - -## A comma-separated list of exit policies. They're considered first -## to last, and the first match wins. If you want to _replace_ -## the default exit policy, end this with either a reject *:* or an -## accept *:*. Otherwise, you're _augmenting_ (prepending to) the -## default exit policy. Leave commented to just use the default, which is -## described in the man page or at -## https://www.torproject.org/documentation.html -## -## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses -## for issues you might encounter if you use the default exit policy. -## -## If certain IPs and ports are blocked externally, e.g. by your firewall, -## you should update your exit policy to reflect this -- otherwise Tor -## users will be told that those destinations are down. -## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy -#ExitPolicy reject *:* # no exits allowed -# -## Bridge relays (or "bridges") are Tor relays that aren't listed in the -## main directory. Since there is no complete public list of them, even if an -## ISP is filtering connections to all the known Tor relays, they probably -## won't be able to block all the bridges. Also, websites won't treat you -## differently because they won't know you're running Tor. If you can -# be a real relay, please do; but if not, be a bridge! -BridgeRelay 1 -ExitPolicy reject *:* - -AvoidDiskWrites 1 - -# middle box stuff -VirtualAddrNetwork 10.192.0.0/10 -AutomapHostsOnResolve 1 -TransPort 9040 -TransListenAddress 172.16.23.1 -DNSPort 5353 -DNSListenAddress 172.16.23.1 -# If you disable unbound, you may enable this -#DNSListenAddress 127.0.0.1:53 - -User debian-tor - -# By default we do not have PortForwarding support -# PortForwarding 1 -# PortForwardingHelper /usr/local/bin/tor-fw-helper - -PIDFile /var/run/tor/tor.pid - -ControlPort 9051 -ControlListenAddress 127.0.0.1:9051 -CookieAuthentication 1 - diff --git a/packages/torouter-prep/configs/ttdnsd-default b/packages/torouter-prep/configs/ttdnsd-default deleted file mode 100755 index 0a22bc4..0000000 --- a/packages/torouter-prep/configs/ttdnsd-default +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/default/ttdnsd - -# Address to bind to - usually this should be 127.0.0.1 -# unless a copy of ttdnsd runs on 127.0.0.n -ADDR_ARG="-b 172.16.23.1" - -# Port to listen on - almost always this should be port 53 -# unless an additional local DNS cache (like unbound, dnscache, pdnsd) -# listen on port 53 as system resolver and is used in front of ttdnsd -# for caching purposes. -PORT_ARG="-p 5354" - -# Debug logging -# DEBUG_LOGGING="-l" - -# Glue all of it together below -DEFAULTS="$ADDR_ARG $PORT_ARG" diff --git a/packages/torouter-prep/debian/changelog b/packages/torouter-prep/debian/changelog index 14ff45a..9b94c42 100644 --- a/packages/torouter-prep/debian/changelog +++ b/packages/torouter-prep/debian/changelog @@ -1,4 +1,4 @@ -torouter-prep (0.0.1-1) unstable; urgency=low +torouter-prep (0.0.1-dev) unstable; urgency=low * Initial release (Closes: #nnnn) diff --git a/packages/torouter-prep/debian/files b/packages/torouter-prep/debian/files index 298935e..f19b131 100644 --- a/packages/torouter-prep/debian/files +++ b/packages/torouter-prep/debian/files @@ -1 +1 @@ -torouter-prep_0.0.1-1_all.deb unknown extra +torouter-prep_0.0.1-dev_all.deb unknown extra diff --git a/packages/torouter-prep/src/torouter_config.sh b/packages/torouter-prep/src/torouter_config.sh old mode 100644 new mode 100755 index 93e8608..96bfaad --- a/packages/torouter-prep/src/torouter_config.sh +++ b/packages/torouter-prep/src/torouter_config.sh @@ -24,15 +24,15 @@ apt-key add $config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key apt-key add $config_dir/047E6A24.asc # Set us to have a default host name and hosts file -cp $config_dir/hostname /etc/hostname -cp $config_dir/hosts /etc/hosts +cp $config_dir/etc/hostname /etc/hostname +cp $config_dir/etc/hosts /etc/hosts # We need to prep apt to understand that we want packages from other repos cp $config_dir/sources.list /etc/apt/sources.list # We're creating this file to ensure we get updates -cp $config_dir/apt-preferences.d-backports /etc/apt/preferences.d/backports -cp $config_dir/apt.conf /etc/apt/apt.conf +cp $config_dir/etc/apt/apt-preferences.d/backports /etc/apt/preferences.d/backports +cp $config_dir/etc/apt/apt.conf /etc/apt/apt.conf apt-get -y update @@ -104,33 +104,33 @@ apt-get -y install unbound zcat $config_dir/armrc.sample.gz > ~$ADMINUSER/.armrc # Reconfigure /etc/inittab here -cp $config_dir/inittab /etc/inittab +cp $config_dir/etc/inittab /etc/inittab # Reconfigure fstab -cp $config_dir/fstab /etc/fstab +cp $config_dir/etc/fstab /etc/fstab # Configure the network # eth0 is our "internet" interface with a dhcp client -cp $config_dir/interfaces /etc/network/interfaces +cp $config_dir/etc/network/interfaces /etc/network/interfaces # Configure dnsmasq -cp $config_dir/dnsmasq.conf /etc/dnsmasq.conf +cp $config_dir/etc/dnsmasq.conf /etc/dnsmasq.conf # Configure ntp -cp $config_dir/ntp.conf /etc/ntp.conf -cp $config_dir/openntpd-default /etc/default/openntpd +cp $config_dir/etc/ntp.conf /etc/ntp.conf +cp $config_dir/etc/default/openntpd /etc/default/openntpd # Configure ssh -cp $config_dir/sshd_config /etc/ssh/sshd_config +cp $config_dir/etc/ssh/sshd_config /etc/ssh/sshd_config # XXX We should configure ufw here # XXX We should configure denyhosts -cp $config_dir/torrc /etc/tor/torrc -cp $config_dir/ttdnsd-default /etc/default/ttdnsd +cp $config_dir/etc/tor/torrc /etc/tor/torrc +cp $config_dir/etc/default/ttdnsd /etc/default/ttdnsd # Configure sshd -cp $config_dir/sshd_config /etc/ssh/sshd_config +cp $config_dir/etc/ssh/sshd_config /etc/ssh/sshd_config # Clean up our cache apt-get -f -y remove --purge polipo minissdpd @@ -145,7 +145,7 @@ apt-get -y clean apt-get install -f ## Disable ipv6 support for now -cp $config_dir/modprobe.d-blacklist.conf /etc/modprobe.d/blacklist.conf +cp $config_dir/etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf # We don't need this if the ipv6 module is not loaded #echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf ## diff --git a/packages/torouter-prep/src/torouter_takeover.sh b/packages/torouter-prep/src/torouter_takeover.sh old mode 100644 new mode 100755 -- cgit v1.2.3