From 427d24b2b5edfa4ff53ec7e23e969b663ef8b9b5 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 5 Jan 2017 08:32:37 -0800
Subject: [PATCH] fix proxy nonroot, add vpn, backup services
---
 filesystem/etc/apt/detect-http-proxy | 8 +++--
 .../etc/systemd/system/iptables.service | 13 ++++++++
 .../systemd/system/openvpn-client-nn@.service | 32 +++++++++++++++++++
 .../system/transmission-daemon-nn.service | 17 ++++++++++
 .../etc/systemd/system/btrbk.service | 7 ++++
 .../filesystem/etc/systemd/system/btrbk.timer | 8 +++++
 6 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 filesystem/etc/systemd/system/iptables.service
 create mode 100644 filesystem/etc/systemd/system/openvpn-client-nn@.service
 create mode 100644 filesystem/etc/systemd/system/transmission-daemon-nn.service
 create mode 100644 machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.service
 create mode 100644 machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.timer
diff --git a/filesystem/etc/apt/detect-http-proxy b/filesystem/etc/apt/detect-http-proxy
index b5d502d..b8ec1d9 100755
--- a/filesystem/etc/apt/detect-http-proxy
+++ b/filesystem/etc/apt/detect-http-proxy
@@ -16,11 +16,15 @@ if [[ -r $f ]]; then
 echo DIRECT
 exit 0
 else
- rm $f
+ if [[ -w $f ]]; then
+ rm $f
+ fi
 fi
 fi
 if getent hosts $proxy_host && nc -z $proxy_host $proxy_port; then
 echo $proxy_url
 else
- touch $f
+ if [[ ! -e $f || -w $f ]]; then
+ touch $f
+ fi
 fi
diff --git a/filesystem/etc/systemd/system/iptables.service b/filesystem/etc/systemd/system/iptables.service
new file mode 100644
index 0000000..403e076
--- /dev/null
+++ b/filesystem/etc/systemd/system/iptables.service
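Review bot: The new `[[ -w $f ]]` guard before `rm $f` tests the wrong permission: unlinking needs write access on the parent directory, not on the file, so a non-root run can still fail at `rm $f` or skip a stale marker it could have removed; the `! -e $f` half of the touch guard has the same problem, since creating the file also depends on the directory. Assuming `$f` is an absolute path (it is set outside this hunk), guards like `if [[ -w ${f%/*} ]]; then rm -- "$f"; fi` and `if [[ ( ! -e $f && -w ${f%/*} ) || -w $f ]]; then touch -- "$f"; fi` check what the syscalls actually require, and quoting `$f` in the `rm`/`touch` commands avoids word splitting on an unexpected value. The `if [[ -r $f ]]` block that contains the first change starts before the hunk.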
@@ -0,0 +1,13 @@
+[Unit]
+Description=Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /a/bin/transmission-firewall/default.rules
+ExecStop=/sbin/iptables-restore /a/bin/transmission-firewall/empty.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/filesystem/etc/systemd/system/openvpn-client-nn@.service b/filesystem/etc/systemd/system/openvpn-client-nn@.service
new file mode 100644
index 0000000..2f3b013
--- /dev/null
+++ b/filesystem/etc/systemd/system/openvpn-client-nn@.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# until we get the next systemd version (233), which can do bind mounts
+# inside a mnt namespace via systemd, we have to setup our own, which requires
+# full priveledges.
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# ian: added just these lines from upstream
+ExecStartPre=+/a/bin/nnnat/systemd-nnnat start %i
+ExecStartPre=+/sbin/iptables-restore /a/bin/transmission-firewall/netns.rules
+ExecStopPost=+/a/bin/nnnat/systemd-nnnat stop %i
+PrivateNetwork=true
+
+
+[Install]
+WantedBy=multi-user.target
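Review bot: `ExecStop=` loads `empty.rules`, so every `systemctl stop` or `restart` of this unit — including the stop phase of a restart and the shutdown sequence — replaces the live rule set with that file's contents, presumably no filtering at all; combined with `RemainAfterExit=yes` a routine restart therefore leaves the host unfiltered for a window, and because `openvpn-client-nn@.service` declares `Requires=iptables.service`, stopping the firewall also takes the VPN down. Unless flushing on stop is deliberate, dropping the `ExecStop=` line (or pointing it at a default-deny set) is the safer choice; if it stays, a comment such as `# NOTE: stopping this unit removes all filtering rules` next to it would make the consequence visible. Units ordered `Before=network-pre.target` normally also set `DefaultDependencies=no` so the implicit ordering after basic.target does not delay them — worth confirming against systemd.special(7) for the systemd version in use. Both rule files are read by root from /a/bin at boot, so their ownership and write permissions are part of the firewall's trust boundary.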
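Review bot: `Requires=iptables.service` pulls the firewall unit in but does not order against it; without `After=iptables.service` in `[Unit]`, systemd may start this unit — including its root-privileged `ExecStartPre=+` steps — before `default.rules` has been loaded, so the tunnel can come up with no host filter in place. Adding `After=iptables.service` beside the `Requires=` line closes that gap. Two smaller points: `After=syslog.target` names a target that current systemd no longer provides and can be dropped, and the commented-out `CapabilityBoundingSet=` leaves openvpn with the full root capability set, which the comment itself describes as a stopgap until systemd 233 — a `# TODO(systemd>=233): restore CapabilityBoundingSet once bind mounts are done via the unit` marker would help it get revisited. Whether the `+`-prefixed `iptables-restore` of `netns.rules` is meant to apply inside the unit's private network namespace or to the host is not something the unit alone makes clear; a one-line comment stating the intent would help.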
diff --git a/filesystem/etc/systemd/system/transmission-daemon-nn.service b/filesystem/etc/systemd/system/transmission-daemon-nn.service
new file mode 100644
index 0000000..ba3fc48
--- /dev/null
+++ b/filesystem/etc/systemd/system/transmission-daemon-nn.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Transmission BitTorrent Daemon netns
+After=network.target
+Requires=openvpn-client-nn@client.service
+After=openvpn-client-nn@client.service
+JoinsNamespaceOf=openvpn-client-nn@client.service
+
+[Service]
+#User=debian-transmission
+# notify type doesn't work with sudo
+#Type=notify
+ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/client sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
+ExecReload=/bin/kill -s HUP $MAINPID
+PrivateNetwork=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.service b/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.service
new file mode 100644
index 0000000..da692bb
--- /dev/null
+++ b/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Btrbk backup
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/a/exe/btrbk-run
diff --git a/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.timer b/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.timer
new file mode 100644
index 0000000..27113f6
--- /dev/null
+++ b/machine_specific/treetowl/filesystem/etc/systemd/system/btrbk.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Run btrbk-run once every 20 mins
+
+[Timer]
+OnCalendar=*:0/20
+
+[Install]
+WantedBy=timers.target
-- 
2.30.2
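Review bot: The privilege drop in `ExecStart=` relies on `sudo -u debian-transmission` run from a root `nsenter` rather than on systemd's `User=`, and the `#User=` / `# notify type doesn't work with sudo` comments no longer explain that choice because `Type=notify` is commented out as well; the reason appears to be that entering /root/mount_namespaces/client requires root, so a comment such as `# root is needed for nsenter; sudo then drops to debian-transmission` would document the actual constraint, and the sudoers rule this depends on is not visible in the commit. Because sudo, not transmission-daemon, becomes the main process, `ExecReload=/bin/kill -s HUP $MAINPID` reaches the daemon only through sudo's signal relaying — worth confirming on the target host. Note also that `NoNewPrivileges=` and similar hardening cannot be added to this unit while sudo is in the start path.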
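Review bot: `After=network.target` only orders this unit after the network stack is configured, not after connectivity exists; if `/a/exe/btrbk-run` ships snapshots to a remote target, `After=network-online.target` together with `Wants=network-online.target` is the ordering that actually waits for an address. The unit does not show whether the script is local-only, so this is a question rather than a defect. A short comment above `ExecStart=` saying what the script backs up and where would also make the 20-minute schedule in the sibling timer easier to judge.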