emdee 2024-01-06 01:57:28 +00:00
commit 757ca483f0
115 changed files with 13170 additions and 0 deletions


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.gateway


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.selektor


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.tor


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.whonix


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.ws


@ -0,0 +1,20 @@
151.101.122.132 deb.debian.org
216.58.204.110 google.com
151.80.211.8 pool.ntp.org
78.46.53.2 pool.ntp.org
207.34.49.172 pool.ntp.org
205.206.70.7 pool.ntp.org
206.108.0.131 pool.ntp.org
162.159.200.1 pool.ntp.org
140.82.112.4 github.com
37.58.58.140 mirror.leaseweb.com
5.79.75.37 novg.net
193.150.121.24 reseed.i2p2.no
167.71.120.31 reseed.onion.im
34.201.225.154 i2pseed.creativecowpat.net
80.74.145.70 reseed.diva.exchange
167.71.120.31 reseed.onion.im
68.183.196.133 reseed.i2pgit.org
193.150.121.24 reseed.i2p2.no
81.7.7.4 reseed.i2p-projekt.de
132.163.97.3 time.nist.gov
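Review bot: The list repeats two entries (`167.71.120.31 reseed.onion.im` and `193.150.121.24 reseed.i2p2.no` each appear twice) and pins fixed addresses for names that are served from rotating pools or CDNs, such as `deb.debian.org`, `github.com` and `pool.ntp.org`. If this file feeds a hosts file or a firewall allow-list (not visible from here), a stale pin either breaks updates and time sync or directs traffic to whoever holds the address later; plain NTP in particular is unauthenticated. I would drop the duplicates and add a header comment along the lines of `# resolved on <DATE>; regenerate before relying on these pins` so consumers know the data ages.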


@ -0,0 +1,33 @@
#!/sbin/openrc-run
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Virtual Machine Management daemon (libvirt)"
LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"}
LIBVIRTD_TIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"}
command="/usr/sbin/libvirtd"
command_args="${LIBVIRTD_OPTS}"
start_stop_daemon_args="-b --env KRB5_KTNAME=/etc/libvirt/krb5.tab"
pidfile="/run/libvirtd.pid"
retry="${LIBVIRTD_TERMTIMEOUT}"
depend() {
need virtlogd
use ceph dbus iscsid virtlockd
after cgconfig corosync ebtables iptables ip6tables nfs nfsmount ntp-client ntpdportmap rpc.statd sanlock xenconsoled
USE_FLAG_FIREWALLD
}
start_pre() {
# Test configuration directories in /etc/libvirt/ to be either not
# present or a directory, i.e. not a regular file, bug #532892
checkpath --directory /etc/libvirt/lxc || return 1
checkpath --directory /etc/libvirt/nwfilter || return 1
[ -L /etc/libvirt/qemu ] ||
checkpath --directory /etc/libvirt/qemu || return 1
[ -L /etc/libvirt/storage ] ||
checkpath --directory /etc/libvirt/storage || return 1
}
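Review bot: `USE_FLAG_FIREWALLD` inside `depend()` looks like an unsubstituted build-time placeholder, so OpenRC would try to run it as a command while evaluating dependencies; it should be replaced by the intended dependency line (presumably `need firewalld`) or removed before the file is installed. `retry="${LIBVIRTD_TERMTIMEOUT}"` also bypasses the default that was just computed into `LIBVIRTD_TIMEOUT`, so with the variable unset the `TERM/25/KILL/5` schedule is never used on stop; `retry="${LIBVIRTD_TIMEOUT}"` appears to be what was meant. `ntpdportmap` on the `after` line reads like `ntpd portmap` with a lost separator, unless that is an artefact of how the page was rendered.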


@ -0,0 +1,41 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
# interface "eth1"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Me<->Extranet" "((src ${me}) and not (dst ${me})) or ((dst ${me}) and not (src ${me}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
# select_rule "Me<->Whonix"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off


@ -0,0 +1,42 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
interface "eth0"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "vda" "net 10.152.152.11"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Vda<->Intranet" "((src ${vda}) and not (dst ${vda})) or ((dst ${vda}) and not (src ${vda}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
select_rule "Vda<->Intranet"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off


@ -0,0 +1,6 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
/usr/local/sbin/proxy_libvirt_hook_network.bash
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
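Review bot: The wrapper runs `/usr/local/sbin/proxy_libvirt_hook_network.bash` without forwarding its own arguments, and it tests `-f` rather than `-x` on a file it then executes directly. Assuming this is installed as a libvirt hook (the helper's name suggests so), the object name and operation arrive as positional parameters, and without them the helper cannot tell a start from a stop. I would call it as `/usr/local/sbin/proxy_libvirt_hook_network.bash "$@"` and guard with `[ ! -x /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \`. A short comment that the wrapper's exit status is the helper's exit status would help whoever debugs a refused operation later.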


@ -0,0 +1,381 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# prog=rc.local
PREFIX=/usr/local
ROLE=local
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
if [ -x /sbin/rc-service ] ; then
local_rc_service () { rc-service "$@" ; }
local_rc_update () { rc-update "$@" ; }
elif [ -x /bin/systemctl ] ; then
local_rc_service () {
systemctl list-units --no-pager | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
systemctl list-units --no-pager
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
echo INFO: $prog systemctl --no-pager $dire $svc "$@"
systemctl --no-pager $dire $svc "$@"
return $?
}
elif [ -x /usr/sbin/service ] ; then
local_rc_service () {
/usr/sbin/service --status-all 2>&1 | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
/usr/sbin/service --status-all 2>&1 | sed -e 's/.* //'
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
# disable|enable |remove
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
update-rc.d $svc $dire || echo WARN: update-rc.d $svc $dir $dire
}
fi
proxy_rc_service () { local_rc_service $* ; }
proxy_rc_update () { local_rc_update $* ; }
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
## local_disable_lid
local_disable_lid () {
# https://bbs.archlinux.org/viewtopic.php?id=72779
echo LID0 > /proc/acpi/wakeup
# https://forums.linuxmint.com/viewtopic.php?f=208&t=106532
if [ -f /etc/UPower/UPower.conf ] ; then
[ -f /etc/UPower/UPower.conf.bak ] || \
cp -p /etc/UPower/UPower.conf /etc/UPower/UPower.conf.bak
grep -q '^IgnoreLid=true' /etc/UPower/UPower.conf || \
sed -e 's@#*IgnoreLid=.*@IgnoreLid=true@' -i /etc/UPower/UPower.conf
fi
if [ -f /etc/systemd/logind.conf ] ; then
[ -f /etc/systemd/logind.conf.bak ] || \
cp -p /etc/systemd/logind.conf /etc/systemd/logind.conf.bak
grep -q '^HandleLidSwitch=ignore' /etc/systemd/logind.conf || \
sed -e 's@^#*HandleLidSwitch=.*@HandleLidSwitch=ignore@' -i /etc/systemd/logind.conf
fi
return 0
}
## local_guest_start_services
local_guest_start_services () {
for file in /usr/local/etc/modules-load.d/vda*conf ; do
[ -s $file ] || continue
base=`basename $file`
[ -e /etc/modules-load.d/$base ] && continue
echo "# from $file" > /etc/modules-load.d/$base
grep -v '^#' $file >> /etc/modules-load.d/$base
done
grep -hv '#' /etc/modules-load.d/vda*.conf | xargs modprobe --all
local_start_services $*
exit 0
}
local_guest_add_xorg_conf () {
[ -f /etc/X11/xorg.conf.d/80_qxl.conf ] || \
grep -q Drive.*qxl /etc/X11/xorg.conf.d/*.conf || \
cat > /etc/X11/xorg.conf.d/80_qxl.conf << EOF
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
Section "Device"
Identifier "qxl"
Driver "qxl"
Option "DPI" "96 x 96"
Option "ENABLE_IMAGE_CACHE" "True"
Option "ENABLE_FALLBACK_CACHE" "False"
Option "ENABLE_SURFACES" "False"
EndSection
# END ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
EOF
return 0
}
## local_guest_config
local_guest_config () {
[ -d /etc/qemu ] || mkdir /etc/qemu
[ -f /etc/qemu/qemu-ga.conf ] || cat > /etc/qemu/qemu-ga.conf <<EOF
[general]
daemon=false
method=virtio-serial
path=/dev/virtio-ports/org.qemu.guest_agent.0
pidfile=/run/qemu-ga.pid
statedir=/run
verbose=true
retry-path=false
blacklist=
logfile=/var/log/libvirtd/qemu-ga.log
EOF
[ -d /var/log/libvirtd/ ] || mkdir /var/log/libvirtd/
[ -f /etc/default/qemu-guest-agent.diff ] || cat > /etc/default/qemu-guest-agent.diff <<EOF
*** /etc/default/qemu-guest-agent.dst 2021-01-05 03:28:20.579117119 +0000
--- /etc/default/qemu-guest-agent 2021-08-27 20:26:36.234739996 +0000
***************
*** 1 ****
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log"
--- 1 ----
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log --verbose --pidfile /run/qemu-ga.pid"
EOF
[ -f /etc/default/qemu-guest-agent.dst ] || \
patch -z .st -b /etc/default/qemu-guest-agent \
< /etc/default/qemu-guest-agent.diff
return 0
}
## local_guest_status
local_guest_status () {
if [ ! -f /var/log/libvirtd/qemu-ga.log ] ; then
echo WARN: missing /var/log/libvirtd/qemu-ga.log
elif grep -q critical: /var/log/libvirtd/qemu-ga.log ; then
echo ERROR: critical /var/log/libvirtd/qemu-ga.log
fi
return 0
}
## local_guest_neutersystemd
local_guest_neutersystemd () {
[ ! -f /lib/lsb/init-functions.d/40-systemd ] || \
mv /lib/lsb/init-functions.d/40-systemd /lib/lsb/.40-systemd
return 0
}
# vda
## local_host_symlink_usr_src
local_host_symlink_etc_fstab () {
# guest
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 0
}
## local_host_make_dmcrypt_swap
local_host_make_dmcrypt_swap () {
local two five
if ! grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps ; then
blkid > ~/blkid.txt
five=`grep _05E ~/blkid.txt | head -1`
if [ $? -eq 0 -a -n "$five" ] ; then
two=`echo $five | sed -e 's/_.*//' -e 's/.*="//'`_02SWAP
if ! grep $two ~/blkid.txt ; then
dev=`echo $five | sed -e 's/:.*//' -e 's/5/2/'`
[ $? -eq 0 -a -n "$dev" ] && mkswap -L $two $dev
fi
grep $two /etc/conf.d/dmcrypt && local_rc_service dmcrypt restart || echo WARN: $two not in /etc/conf.d/dmcrypt
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || local_rc_service swap restart
# if its not in fstab
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || swapon /dev/mapper/cryptswap*
fi
fi
return 0
}
# all
## local_start_services
local_start_services () {
for elt in $*; do
local_rc_service $elt status >/dev/null || local_rc_service $elt start
local_rc_update | grep -q $elt || local_rc_update add $elt
done
return 0
}
# all
## nlocal_manual_stop_services
local_manual_stop_services () {
# set these to stop now and restart them manually as we configure them
# rsync on debian
for elt in $* ; do
local_rc_service $elt status >/dev/null && local_rc_service $elt stop
local_rc_update | grep -q $elt && local_rc_update del $elt
done
return 0
}
# all
## local_host_symlink_usr_src
local_host_symlink_usr_src () {
local dir
dir=`cat /proc/cmdline|sed -e 's/.*BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
WD=$PWD
cd /usr/src
if [ -d $dir ] ; then
rm -f linux
ln -s $dir linux || echo WARN: $PWD/$dir not found
fi
cd $WD
return 0
}
# all
## local_lightdm_on_text
local_lightdm_on_text () {
return 0
[ ! -f /usr/sbin/lightdm ] && return 0
if [ ! -f /usr/sbin/lightdm.bin ] ; then
[ -f /usr/sbin/lightdm.bad ] && mv /usr/sbin/lightdm.bad /usr/sbin/lightdm.bin
[ ! -f /usr/sbin/lightdm.bin ] && mv /usr/sbin/lightdm /usr/sbin/lightdm.bin
if [ -f /usr/sbin/lightdm.bin ] && [ -f /usr/sbin/lightdm ] ; then
cat > /usr/sbin/lightdm << EOF
#!/bin/sh
grep -q ' text ' /proc/cmdline && exit 0
exec /usr/sbin/lightdm.bin "$@"
EOF
chmod 755 /usr/sbin/lightdm
fi
fi
return 0
}
## local_host_restart_psmouse
local_host_restart_psmouse () {
local_rc_service gpm status && local_rc_service gpm stop
rmmod psmouse; sleep 1; modprobe psmouse proto=exps
local_rc_service gpm start
return 0
}
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L >/dev/null || exit 2
fi
return 0
}
## local_all
local_all () {
local_disable_lid
touch /var/log/boot
chmod 775 /usr/local/*bin/*sh /var/local/*bin/*sh
# grep -q text /proc/cmdline && local_lightdm_on_text
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
return 0
}
## local_manual_mask_services
local_manual_mask_services () {
if [ -d /usr/local/etc/systemd/ ] ; then
local_systemd_stop_and_mask $* || return 1$?
elif [ -x /usr/sbin/update-rc.d ] ; then
/usr/sbin/invoke-rc.d $1 stop
/usr/sbin/update-rc.d $1 remove || return 2$?
elif [ /sbin/rc-update ] ; then
/sbin/rc-service $1 stop
/sbin/rc-update $1 del || return 3$?
fi
return 0
}
## local_systemd_stop_and_mask
local_systemd_stop_and_mask () {
[ $# -eq 0 ] && [ -d /usr/local/etc/systemd/ ] && \
set - `grep -v '@\.service' /usr/local/etc/systemd/*.mask`
for file in $* ; do
[ -e /lib/systemd/system/$file ] || continue
elt=`basename $file`
systemctl is-enabled $elt 2>/dev/null >/dev/null || continue
echo INFO: local_systemd_stop_and_mask systemctl disable $elt
systemctl disable --now $elt && systemctl mask $elt
# [ -h /etc/systemd/system/$file ]
# [ `readlink /etc/systemd/system/$file ` = /dev/null ]
done
return 0
}
## local_neuter_gvfs
local_neuter_gvfs () {
[ -d /usr/local/share/dbus-1/services ] || exit 0
cd /usr/local/share/dbus-1/services
for file in /usr/share/dbus-1/services/*vfs* ; do
sed -e 's@^Exec=.*@Exec=/bin/false@' > `basename $file`
done
}
local_link_linux () {
sed < /proc/cmdline -e 's@.*BOOT_IMAGE=vmlinuz-@linux-@' -e 's/[_ ].*//'| \
while read line ; do
[ -z "$line" ] && continue
[ -d "/usr/src/$line" ] || { echo WARN: /usr/src/$line ; continue ; }
rm -f /usr/src/linux
echo INFO: /usr/src/$line /usr/src/linux
ln -s /usr/src/$line /usr/src/linux
done
return 0
}
local_null_machineid () {
[ -s /etc/machine-id ] && cp /dev/null /etc/machine-id
return 0
}
base=local
if [ -x /usr/bin/basename ] && [ `/usr/bin/basename -- $0` = $base'.bash' ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'| sort \
&& exit 0
eval "$@"
exit $?
fi
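Review bot: `eval "$@"` in the dispatcher at the end re-parses every argument as shell source in a script that the rc files run as root, so any value passed through it (service names, lines read from `*.mask` files) gets a second round of expansion and command substitution. Calling the function directly and restricting the name is enough: `case "$1" in local_*|proxy_*) "$@" ;; *) echo "ERROR: unknown function $1" >&2 ; exit 2 ;; esac`. Two functions reachable through it also look broken on the visible lines: `local_neuter_gvfs` runs `sed` with no input file, so it reads stdin instead of `$file`, and `local_manual_mask_services` tests `[ /sbin/rc-update ]`, which is always true because the `-x` is missing. In `local_host_make_dmcrypt_swap` the device handed to `mkswap` is derived with `sed -e 's/5/2/'`, which rewrites the first `5` anywhere in the device path; a comment stating the expected device naming, plus an explicit check of the resulting partition, is warranted before a destructive command.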


@ -0,0 +1,43 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# run this first
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_all
local_manual_mask_services pdnsd ntpd tor polipo dnsmasq \
NetworkManager-wait-online apt-daily-upgrade apt-daily
# support the console
local_start_services gpm
# adjust to your taste here
[ -e /dev/autofs ] && rm /dev/autofs
if false && which systemctl 2>/dev/null >/dev/null ; then
systemctl | grep -q proc-sys-fs-binfmt_misc.automount && \
systemctl mask proc-sys-fs-binfmt_misc.automount
fi
exit 0
#? systemctl unmask -- -.mount run-msgcollector.mount run-user-1000.mount
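Review bot: The `local_manual_mask_services pdnsd ntpd tor polipo dnsmasq ...` call probably masks far less than it lists. In the systemd branch of `local.bash` each name is checked with `[ -e /lib/systemd/system/$file ] || continue`, so bare names without a `.service` or `.timer` suffix are skipped silently unless a path of exactly that name exists; in the `update-rc.d` and `rc-update` branches only `$1` (`pdnsd`) is acted on. Services the operator believes are disabled, `tor` and `dnsmasq` among them, may therefore stay enabled. Pass full unit names and have the function iterate over `"$@"`, and add a comment here stating which of these must be off for the setup to be safe.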


@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Guest.rc
sh /usr/local/etc/local.d/Whonix-Gateway.rc
[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
sh /usr/local/etc/local.d/Whonix-Local.rc
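Review bot: When `Whonix-Local.rc` is absent, the final `[ -f ... ] && sh ...` list is the last command and returns 1, so this rc.local reports failure although nothing went wrong; the header comment itself asks for `exit 0` on success. Add `exit 0` as the last line, or write the test as `if [ -f /usr/local/etc/local.d/Whonix-Local.rc ] ; then ... ; fi`. The `.rc` files are also started with `sh`, so their `#!/bin/bash -e` shebangs are ignored: they run without `-e` and under whatever `/bin/sh` is, which matters for any bash-only syntax they use.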


@ -0,0 +1,29 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
MODE=gateway
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_guest || exit 3$?
# leave this for later when online
if false ; then
if ! $BIN/proxy_whonix_guest_gateway.bash config ; then
echo WARN: proxy_whonix_guest_gateway.bash config retval=$?
fi
if ! $BIN/proxy_whonix_guest_gateway.bash start ; then
echo WARN: proxy_whonix_guest_gateway.bash start retval=$?
fi
fi
exit 0
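Review bot: `local_guest` is called here but is not among the functions defined in the `local.bash` shown on this page, so unless another file provides it the script ends at `exit 3127`, which is outside the 0–255 range and gives a meaningless status. The same holds for `local_kicksecure` in the later script that sets `ROLE=proxy` and `CONN=guest` but no `MODE`. Either add the functions to `local.bash` or guard the call, for example `command -v local_guest >/dev/null || { echo "ERROR: local_guest undefined" >&2 ; exit 3 ; }`. The `retval=$?` messages in the disabled block would always print 0, because `$?` after `if ! cmd` holds the negated status; the same pattern is in the script whose warnings name `Whonix-Host.rc` and in the one that runs `proxy_whonix_vda.bash`.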


@ -0,0 +1,35 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=proxy
MODE=gateway
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1
local_start_services qemu-guest-agent # spice-vdagent
if ! [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] ; then
echo WARN: $prog /dev/virtio-ports/org.qemu.guest_agent.0 not found
echo WARN: $prog Add "<channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>"
echo 'WARN: to the /etc/libvirtd/qemu/*.xml file on the host'
fi
local_guest_config
local_guest_neutersystemd
local_guest_start_services qemu-guest-agent # spice-vdagent
# local_guest_add_xorg_conf
local_guest_status
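Review bot: `local_guest_status` on the last line never runs, because `local_guest_start_services` in `local.bash` ends with `exit 0` and this file sources that library, so the `exit` terminates the whole script. The check of `qemu-ga.log` for `critical:` entries is therefore skipped on every boot. Change that function to end with `return 0`, or move `local_guest_status` above the call. `$prog` in the two `WARN:` lines is also never assigned (`# prog=rc.local` is commented out in `local.bash`), so it expands to nothing.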


@ -0,0 +1,25 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
dmesg>/var/log/dmesg.log
[ -d /usr/local/tmp/rc ] || mkdir -p /usr/local/tmp/rc
chmod 1777 /usr/local/tmp/rc
for elt in All Host Local ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc/rc.local.log 2>&1
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc/rc.local.log
exit 0
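Review bot: The log that root writes with `done > /usr/local/tmp/rc/rc.local.log 2>&1` lives in a directory this script has just made world-writable (`chmod 1777`), so any local account can pre-create the path that root opens at boot. A root-only directory avoids that: `install -d -m 0755 -o root -g root /usr/local/tmp/rc`, or log under `/var/log`. Separately, under `#!/bin/sh -e` the `timeout 20s tail -f ...` line returns 124 when the timer fires, so the script aborts with a non-zero status before reaching `exit 0`; append `|| true` to that line. The same `timeout ... tail -f` ending appears in the later rc.local that loops over `All Guest Vda`.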


@ -0,0 +1,138 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
. /usr/local/etc/local.d/local.bash
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
fi
# Host and Vda
[ -d /etc/apt ] && \
local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
sdwdate tb-updater-first-boot lvm2-monitor
# BEGIN ANSIBLE MANAGED BLOCK base initctl
if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
ln -s /run/initctl /dev/initctl
elif [ ! -e /dev/initctl ] ; then
mknod -m=0600 /dev/initctl p
fi
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK base
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
# END ANSIBLE MANAGED BLOCK base
# sh "/var/local/etc/local.d/testforge.start"
# redis
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
if false;then
# failsafe but independent of whether wlan exists
[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
fi
fi
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for eltin h i j o q v q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
# local_manual_stop_services
SYSTEMD_STOP_AND_MASK="
debug-shell.service
systemd-backlight@.service
phpsessionclean.service
phpsessionclean.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
dbus-org.freedesktop.nm-dispatcher.service
tb-updater-first-boot.service
openvpn.service
systemd-backlight@.service
systemd-backlight@backlight.service
vboxadd-service.service
vboxautostart-service.service
vboxballoonctrl-service.service
vboxdrv.service
vboxweb-service.service
"
# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
for file in /usr/local/etc/systemd/*.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
/var/local/bin/harden_dbus_neuter.bash
which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
# BEGIN ANSIBLE MANAGED BLOCK update
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update
# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update local_disable_lid
# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
ROLE=base
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
ROLE=gpgkey
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
ROLE=hostvms
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
ROLE=privacy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
ROLE=proxy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
ROLE=testforge
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
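Review bot: Everything below the first `exit 0` (right after the `if false` block) is unreachable, which includes the systemd mask loops, `/var/local/bin/harden_dbus_neuter.bash` and both `local_disable_lid` calls; if those are meant as hardening, they are silently not applied. The dead region also hides errors that would surface once it is enabled: `for eltin h i j ...` is missing a space, `local_systemd_stop_services` is not defined in the `local.bash` on this page, and `cat $file | ... local_systemd_stop_and_mask` pipes names to a function that reads only its arguments or the `*.mask` files itself. Move `exit 0` to the end of the file or delete the unreachable blocks; the same early `exit 0` recurs in the two `ROLE=local` scripts that follow. `chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh` near the top makes root-executed scripts group-writable, so `chmod 755` is the safer mode unless the owning group is known to be root-only (the same mode is set in `local_all` and in the script that runs `proxy_whonix_vda.bash`).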


@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Host.rc
sh /usr/local/etc/local.d/Whonix-Kicksecure.rc
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc


@ -0,0 +1,19 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_kicksecure || exit 3$?
exit 0


@ -0,0 +1,140 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# local_host_sys_scaling
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
loadkeys /etc/keymaps/us.map
# BEGIN ANSIBLE MANAGED BLOCK proxy main.yml start
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
# END ANSIBLE MANAGED BLOCK proxy main.yml start
if [ $PROXY_IS_VDA -eq 0 ] ; then
:
elif [ -n "$CHROOT" ] ; then
:
else
# host
:
fi
local_host_sys_scaling () {
local file
if [ $PROXY_IS_VDA -ne 0 -a -z "$CHROOT" ] ; then
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
local_host_sys_scaling
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
# BEGIN ANSIBLE MANAGED BLOCK base Debian
[ -f /etc/init.d/console-setup.sh ] && \
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
local_host_restart_psmouse
local_host_restart_intel_sound
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_manual_stop_services redis postgresql-11
fi
# BEGIN ANSIBLE MANAGED BLOCK base Debian
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
mount /mnt/o
mount /mnt/i
mount /mnt/j
mount /mnt/e
mount /mnt/q
mount /mnt/w
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sound
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
ls /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null >/dev/null && \
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
[ -e /usr/share/netsurf/DejaVuSans.ttf ] || \
sudo ln -s /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /usr/share/netsurf
true
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sound
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for elt in h i j o q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
# BEGIN ANSIBLE MANAGED BLOCK base initctl
[ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
[ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
dir=`cat /proc/cmdline|sed -e 's/BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
pushd /usr/src
rm -f linux
[ -d $dir ] && ln -s $dir linux || echo WARN: $PWD/$dir not found
popd
# END ANSIBLE MANAGED BLOCK update Pentoo linux
which brightnessctl 2>/dev/null >/dev/null && brightnessctl -c backlight set 95%
local_neuter_gvfs
local_link_linux
local_null_machineid
pkill gvfs
loadkeys /etc/keymaps/us.map
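Review bot: The `base initctl` block near the end inverts its second test: `[ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p` runs `mknod` only when the path already exists, and the `&& exit 0` on the line before would end the script right after creating the symlink. The `if`/`elif` form used for the same block in the script whose warnings name `Whonix-Host.rc` is the correct one; the one-line equivalent is `[ -e /dev/initctl ] || mknod -m 0600 /dev/initctl p`. The block is currently unreachable because of the `exit 0` after the `mount` lines, as are `local_neuter_gvfs`, `local_link_linux` and `local_null_machineid`, so it is worth stating in a comment whether those are meant to run.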


@ -0,0 +1,110 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
# run this last
# BEGIN ANSIBLE MANAGED BLOCK update lati dmcrypt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
# END ANSIBLE MANAGED BLOCK update lati dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati scheduler
## local_host_sys_set_scheduler
local_host_sys_set_scheduler () {
local elt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
fi
return 0
}
local_host_sys_set_scheduler
# END ANSIBLE MANAGED BLOCK update lati scheduler
# BEGIN ANSIBLE MANAGED BLOCK update lati sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati sysrq
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_symlink_usr_src
fi
# END ANSIBLE MANAGED BLOCK update Pentoo linux
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L ;
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK update lati
#? rmmod pata_pcmcia pcmcia pcmcia_core 2>/dev/null
local_host_restart_intel_sound
# END ANSIBLE MANAGED BLOCK update lati
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update lati fstab
# END ANSIBLE MANAGED BLOCK update lati fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
grep '/mnt/[a-z][ ]' /etc/fstab| \
sed -e 's@.*/mnt/@/mnt/@' -e 's/[ ].*//' | \
while read elt ;do
[ -d $elt/tmp ] || mount $elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml stop
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml stop
# BEGIN ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
cp /dev/null /var/local/var/log/libvirtd.log
# END ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
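Review bot: `echo 1> /proc/sys/kernel/sysrq 2>/dev/null` does not write the digit: with no space before `>`, the shell reads `1>` as a redirection of stdout, so `echo` sends an empty line and the setting is probably left unchanged. If enabling SysRq is intended, write `echo 1 > /proc/sys/kernel/sysrq`, and consider a restricted bitmask rather than `1`, which turns on every SysRq function for anyone at the console keyboard. The line occurs twice in this script and once in the unreachable part of the previous one. The comment block above it should say which SysRq functions are wanted and why.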


@ -0,0 +1,23 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
for elt in All Guest Vda ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc.local.log 2>&1 &
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc.local.log
exit 0
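Review bot: The line `timeout 20s tail -f /usr/local/tmp/rc.local.log` returns status 124 once the 20 seconds run out, because `tail -f` never finishes by itself. When this file is executed directly, so that the `-e` from `#!/bin/sh -e` applies, the script stops there with a failure and never reaches `exit 0`. I would write `timeout 20s tail -f /usr/local/tmp/rc.local.log || true`. The loop also runs the three Whonix-*.rc files in the background and redirects into a fixed path under /usr/local/tmp; if that directory is writable by non-root users (not visible here), the log belongs in a root-only directory. The header line "By default this script does nothing" no longer describes the file and should say what the loop does.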


@ -0,0 +1,42 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=vda
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1
if [ $PROXY_IS_VDA -ne 0 ] ; then
exit 1
fi
if [ $PROXY_IS_VDA -eq 0 ] ; then
:
else
:
fi
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/sbin
if ! proxy_whonix_vda.bash config ; then
echo WARN: proxy_whonix_vda.bash config retval=$?
elif ! proxy_whonix_vda.bash install ; then
echo WARN: proxy_whonix_vda.bash install retval=$?
elif ! proxy_whonix_vda.bash start ; then
echo WARN: proxy_whonix_vda.bash start retval=$?
fi
exit 0
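Review bot: `chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh` makes every matching script group-writable right before this boot script appends /usr/local/sbin to PATH and runs `proxy_whonix_vda.bash` from it. If the script runs as root, as rc.local scripts usually do, any member of the owning group could change code that root executes, so `chmod 755` is the safer mode. In the `if ! proxy_whonix_vda.bash … ; then echo … retval=$?` chain, `$?` holds the status of the negated test, which is 0, so every warning prints `retval=0`; capturing it first, as in `proxy_whonix_vda.bash config || rc=$?`, keeps the real code. `[ $PROXY_IS_VDA -ne 0 ]` is unquoted and errors out if local.bash leaves the variable unset, and the following `if`/`else` with only `:` in both arms can be dropped.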


@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Guest.rc
sh /usr/local/etc/local.d/Whonix-Workstation.rc
[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
sh /usr/local/etc/local.d/Whonix-Local.rc
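Review bot: The file ends on `[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \ sh …`, so when Whonix-Local.rc is absent the test's status 1 becomes the exit status of the whole script, although the header asks for "exit 0" on success. Writing it as `if [ -f /usr/local/etc/local.d/Whonix-Local.rc ]; then sh /usr/local/etc/local.d/Whonix-Local.rc; fi` followed by `exit 0` fixes that. The three unconditional `sh …/Whonix-*.rc` calls have no existence check, and under `-e` a missing or failing one aborts the rest; if that is intended, a one-line comment saying so would help the next reader.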


@ -0,0 +1,20 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=workstation
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1


@ -0,0 +1,19 @@
# On some systems (openrc) the /etc/local.d directory should contain programs
# or scripts which are to be run when the local service is started or stopped.
#
# If a file in this directory is executable and it has a .start extension,
# it will be run when the local service is started. If a file is
# executable and it has a .stop extension, it will be run when the local
# service is stopped.
#
# All files are processed in lexical order.
#
# Keep in mind that files in this directory are processed sequentially,
# and the local service is not considered started or stopped until
# everything is processed, so if you have a process which takes a long
# time to run, it can delay your boot or shutdown processing.
# copying this file to /etc/local.d/ will run the /etc/rc.local file on startup
# On systemd systems you must add the rc.local service with systemctl.
sh /etc/rc.local
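Review bot: `sh /etc/rc.local` ignores the interpreter line of the file it runs, so an rc.local beginning with `#!/bin/bash -e` or `#!/bin/sh -e`, as the variants added in this commit do, would run under plain `sh` without `-e`. Whether one of those variants is installed as /etc/rc.local is not visible here. Executing the file directly keeps the declared shell and flags: `[ -x /etc/rc.local ] && /etc/rc.local`. The closing comment says to copy this file to /etc/local.d/, but per the text above it also needs a `.start` extension and the execute bit, which that comment should state.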


@ -0,0 +1,25 @@
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
#modprobe: FATAL: Module xt_MASQUERADE not found in directory /lib/modules/4.19.0-10-amd64
ip_tables
ipt_REJECT
iptable_filter
iptable_nat
xt_LOG
xt_conntrack
xt_nat
xt_owner
xt_state
xt_tcpudp
nf_conntrack
nf_defrag_ipv4
nf_log_common
nf_log_ipv4
nf_nat
#5 nf_nat_ipv4
#5 nf_reject_ipv4
#5 x_tables
xt_MASQUERADE
nft_masq
iptable_mangle
bridge
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml


@ -0,0 +1,5 @@
# not with a 5 kernel
fscrypto
nf-nat0ipv4
ntf-chain-nat-ipv4
nft-chain-toute-ipv4
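Review bot: Three of the names under `# not with a 5 kernel` look misspelled. `nf-nat0ipv4`, `ntf-chain-nat-ipv4` and `nft-chain-toute-ipv4` do not match the `nf_nat_ipv4`, `nft_chain_nat_ipv4` and `nft_chain_route_ipv4` spellings used in the other module lists of this commit. The consumer of this file is not visible here, but if it is ever fed to modprobe or a modules-load mechanism those lookups would fail, so I would correct the three names.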


@ -0,0 +1,12 @@
aes_x86_64
algif_skcipher
crc16
crc32c_generic
crc32c_intel
cryptd
crypto_simd
dm_crypt
dm_mod
ecb
ghash_clmulni_intel
jitterentropy_rng


@ -0,0 +1,25 @@
af_alg
ata_generic
ata_piix
autofs4
ext4
failover
## floppy
fscache
#5? fscrypto
glue_helper
i2c_piix4
libata
libcrc32c
loop
mbcache
net_failover
#5? nf_nat_ipv4
rng_core
scsi_mod
ttm
uhci_hcd
uinput
usb_common
usbcore


@ -0,0 +1,4 @@
modprobe: WARNING: Module aes_x86_64 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nf_nat_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nft_chain_nat_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nft_chain_route_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30


@ -0,0 +1,4 @@
nft_chain_nat_ipv4
nft_chain_route_ipv4
nft_compat
nft_counter


@ -0,0 +1,12 @@
9p
9pnet
9pnet_virtio
qemu_fw_cfg
virtio_blk
virtio_gpu
virtio_net
virtio_pci
virtio_ring
virtio_rng


@ -0,0 +1,113 @@
#!/bin/sh
TEMP=/c/tmp
cd $TEMP
[ -f $TEMP/lsmod ] || cat > $TEMP/lsmod <<EOF
Module Size Used by
joydev 24576 0
dm_crypt 40960 1
dm_mod 155648 3 dm_crypt
ip6t_REJECT 16384 1
nf_reject_ipv6 16384 1 ip6t_REJECT
nft_chain_route_ipv6 16384 1
ipt_REJECT 16384 12
nf_reject_ipv4 16384 1 ipt_REJECT
xt_tcpudp 16384 13
xt_state 16384 0
kvm_intel 233472 0
nft_counter 16384 33
xt_conntrack 16384 5
algif_skcipher 16384 0
kvm 757760 1 kvm_intel
nft_compat 20480 31
af_alg 28672 1 algif_skcipher
snd_hda_codec_generic 86016 1
nft_chain_route_ipv4 16384 1
irqbypass 16384 1 kvm
snd_hda_intel 49152 3
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
snd_hda_codec 151552 2 snd_hda_codec_generic,snd_hda_intel
snd_hda_core 94208 3 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec
nft_chain_nat_ipv4 16384 4
snd_hwdep 16384 1 snd_hda_codec
nf_nat_ipv4 16384 1 nft_chain_nat_ipv4
ghash_clmulni_intel 16384 0
virtio_gpu 61440 7
nf_nat 36864 1 nf_nat_ipv4
snd_pcm 114688 3 snd_hda_intel,snd_hda_codec,snd_hda_core
nf_conntrack 172032 4 xt_conntrack,nf_nat,xt_state,nf_nat_ipv4
9p 65536 2
ttm 131072 1 virtio_gpu
pcspkr 16384 0
serio_raw 16384 0
uinput 20480 2
nf_defrag_ipv6 20480 1 nf_conntrack
snd_timer 36864 1 snd_pcm
drm_kms_helper 208896 1 virtio_gpu
loop 36864 2
fscache 385024 1 9p
nf_defrag_ipv4 16384 1 nf_conntrack
9pnet_virtio 20480 2
snd 94208 12 snd_hda_codec_generic,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_timer,snd_pcm
drm 495616 10 drm_kms_helper,virtio_gpu,ttm
9pnet 86016 2 9p,9pnet_virtio
virtio_console 32768 2
libcrc32c 16384 2 nf_conntrack,nf_nat
soundcore 16384 1 snd
qemu_fw_cfg 16384 0
evdev 28672 9
nf_tables 143360 75 nft_chain_route_ipv4,nft_compat,nft_chain_nat_ipv4,nft_counter,nft_chain_route_ipv6
nfnetlink 16384 2 nft_compat,nf_tables
tirdad 16384 0
jitterentropy_rng 16384 0
virtio_rng 16384 0
rng_core 16384 1 virtio_rng
ip_tables 28672 0
x_tables 45056 7 xt_conntrack,nft_compat,xt_state,xt_tcpudp,ipt_REJECT,ip_tables,ip6t_REJECT
autofs4 49152 2
ext4 741376 1
crc16 16384 1 ext4
mbcache 16384 1 ext4
jbd2 122880 1 ext4
crc32c_generic 16384 0
fscrypto 32768 1 ext4
ecb 16384 0
crc32c_intel 24576 3
aesni_intel 200704 2
virtio_net 53248 0
aes_x86_64 20480 1 aesni_intel
net_failover 20480 1 virtio_net
crypto_simd 16384 1 aesni_intel
virtio_blk 20480 2
failover 16384 1 net_failover
cryptd 28672 4 crypto_simd,ghash_clmulni_intel,aesni_intel
psmouse 172032 0
glue_helper 16384 1 aesni_intel
ata_generic 16384 0
uhci_hcd 49152 0
ata_piix 36864 0
ehci_hcd 94208 0
libata 270336 2 ata_piix,ata_generic
usbcore 294912 2 ehci_hcd,uhci_hcd
virtio_pci 28672 0
scsi_mod 249856 1 libata
virtio_ring 28672 7 virtio_rng,virtio_console,9pnet_virtio,virtio_gpu,virtio_pci,virtio_blk,virtio_net
i2c_piix4 24576 0
usb_common 16384 1 usbcore
virtio 16384 7 virtio_rng,virtio_console,9pnet_virtio,virtio_gpu,virtio_pci,virtio_blk,virtio_net
floppy 86016 0
button 16384 0
EOF
cp /dev/null vda_mods.errs
cp /dev/null vda_mods.elts
cp /dev/null vda_mods.modinfo
grep -v 'tirdad\|pcspkr\|v6\|ip6' $TEMP/lsmod |sort| \
| sed -e 's/ .*//'|while read elt; do
lsmod | grep -q ^$elt && continue
modinfo $elt >> vda_mods.modinfo 2>>vda_mods.errs
echo $elt>>vda_mods.elts
done
exit 0
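Review bot: The pipeline `grep -v … $TEMP/lsmod |sort| \` continues onto a line that itself starts with `| sed`, which puts two pipe operators in a row and is a shell syntax error, so the loop that fills vda_mods.elts never runs; drop one of the two `|`. `cd $TEMP` is unchecked, so if /c/tmp is missing the three `cp /dev/null vda_mods.*` lines truncate files in whatever directory the script was started from; `cd "$TEMP" || exit 1` avoids that. `lsmod | grep -q ^$elt` also treats a module as loaded when its name is only a prefix of a loaded one (`snd` matches `snd_pcm`); `grep -q "^$elt "` anchors the match.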


@ -0,0 +1,116 @@
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Please use "/etc/sdwdate.d/50_user.conf" for your custom
## configuration, which will override the defaults found here.
## When sdwdate is updated, this file may be overwritten.
## Proxy settings for non anonymous distributions.
## Uncomment for standard tor configuration (no stream isolation).
#PROXY_IP=127.0.0.1
#PROXY_PORT=9050
## Allowed percentage of url failures common to every pool.
## If sdwdate frequently stops with "Maximum allowed number of failures" error,
## create a file "/etc/sdwdate.d/50_user.conf" overriding MAX_FAILURE_RATIO
## with a higher figure.
MAX_FAILURE_RATIO=0.34
## pool syntax
## "url.onion[:port]#comment"
## "
## url.onion[:port]#comment
## [url.onion[:port]#comment]
## [url.onion[:port]#comment]
## [...]
## "
## "url.onion[:port]#comment"
## ...
## pool one.
## SecureDrop List
SDWDATE_POOL_ONE=(
"secrdrop5wyphb5x.onion#https://securedrop.org https://web.archive.org/web/20170403043247/https://securedrop.org"
"gmg7jl25ony5g7ws.onion#Gizmodo Media Group https://specialprojectsdesk.com/securedrop/ https://web.archive.org/web/20170215221547/https://specialprojectsdesk.com/securedrop/"
"33y6fjyhs3phzfjj.onion#The Guardian https://securedrop.theguardian.com https://web.archive.org/web/20170408213324/https://securedrop.theguardian.com"
"intrcept32ncblef.onion#The Intercept https://theintercept.com/source/ https://web.archive.org/web/20190502234252/https://theintercept.com/source/"
"qn4qfeeslglmwxgb.onion#Lucy Parsons Labs https://lucyparsonslabs.com/securedrop https://web.archive.org/web/20170322113502/https://lucyparsonslabs.com/securedrop/"
"usatodayw7vu5egc.onion#USA Today https://newstips.usatoday.com/securedrop.html https://web.archive.org/web/20170419183541/https://newstips.usatoday.com/securedrop.html"
"mprt35sjunnxfa76.onion#https://informant.taz.de https://web.archive.org/web/20170329061908/https://informant.taz.de"
"p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion#https://securityheaders.com/?q=https%3A%2F%2Fwww.propublica.org&followRedirects=off https://web.archive.org/web/20200905091808/https://securityheaders.com/?q=https%3A%2F%2Fwww.propublica.org&followRedirects=off"
"nrkvarslekidu2uz.onion#NRKbeta https://www.nrk.no/varsle/ https://web.archive.org/web/20170329103137/https://www.nrk.no/varsle/"
)
## pool two.
##
## GlobaLeaks List
## info:
## https://www.globaleaks.org/implementations/ https://web.archive.org/web/20170421150421/https://www.globaleaks.org/implementations/
## Project Name Year Category HTTPS URL Country
## individual websites
## WikiLeaks List
SDWDATE_POOL_TWO=(
"ak2uqfavwgmjrvtu.onion#MagyarLeaks 2013 Investigative Journalism https://atlatszo.hu/magyarleaks/ Hungary https://web.archive.org/web/20170128142348/https://atlatszo.hu/magyarleaks/"
"zvldz46bbxqlw4od.onion#Transparencia https://www.transparencia.click"
"eljwdzi4pgrrlwwq.onion#https://citizen-cam.de https://github.com/asciimoo/searx/wiki/Searx-instances https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances"
"nxhhwbbxc4khvvlw.onion#https://searx.gotrust.de https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances"
"o2jdk5mdsijm2b7l.onion#https://search.gibberfish.org https://gibberfish.org/community-resources/ https://web.archive.org/web/20170512060744/https://gibberfish.org/community-resources/"
"ic6au7wa3f6naxjq.onion#https://lists.gnupg.org/pipermail/gnupg-users/2014-April/049578.html https://web.archive.org/web/20140617045518/https://lists.gnupg.org/pipermail/gnupg-users/2014-April/049578.html"
"gnjtzu5c2lv4zasv.onion#https://pgp.key-server.io https://web.archive.org/web/20170421212020/https://pgp.key-server.io"
"qdigse2yzvuglcix.onion#https://keys.mayfirst.org https://archive.fo/FC1lg"
"clgs64523yi2bkhz.onion#https://www.mailpile.is https://web.archive.org/web/20170409064457/https://www.mailpile.is"
"bitlox2twvzwbzpk.onion#https://bitlox.io https://archive.fo/0zcqz"
"ltcpool5brio2gaj.onion#https://www.litecoinpool.org/help https://web.archive.org/web/20161114095946/https://www.litecoinpool.org/help"
"wlchatc3pjwpli5r.onion#https://wikileaks.org/talk/ https://twitter.com/wikileaks/status/590907709387624450 https://web.archive.org/web/20150423160622/https:/twitter.com/wikileaks/status/590907709387624450"
"cyphdbyhiddenbhs.onion#Cyph - Encrypted Messenger https://www.cyph.com https://web.archive.org/web/20160827040234/https://www.cyph.com/"
[
"wooprzddebtxfhnq.onion#https://keys.void.gr https://sks-keyservers.net/status/info/keys.void.gr"
"xogxzfyhwmgfvmlr.onion#http://keyserver.c3l.lu https://sks-keyservers.net/status/info/keyserver.c3l.lu"
"pgpkeysximvxiazm.onion#https://pgpkeys.urown.net https://web.archive.org/web/20170421213557/https://pgpkeys.urown.net"
]
)
## pool three.
## info:
## individual websites
## Devuan List
## Void Linux List
## CryptoParty List
## systemli.org List
## Riseup List
## https://riseup.net/en/tor#riseups-tor-hidden-services https://web.archive.org/web/20170421215906/https://riseup.net/en/tor#riseups-tor-hidden-services
SDWDATE_POOL_THREE=(
"cheettyiapsyciew.onion#http://secushare.org https://archive.fo/vsFJS"
"7tm2lzezyjwtpn2s.onion#https://mascherari.press https://web.archive.org/web/20170210154832/https://mascherari.press"
"3kyl4i7bfdgwelmf.onion#http://www.wefightcensorship.org https://archive.fo/GhgMU"
"privacyintyqcroe.onion#https://www.privacyinternational.org https://twitter.com/privacyint/status/762656779272593408 https://web.archive.org/web/20170421233214/https:/twitter.com/privacyint/status/762656779272593408"
"grrmailb3fxpjbwm.onion#https://www.guerrillamail.com https://twitter.com/GuerrillaMail/status/751015957770801152 https://web.archive.org/web/20170421233232/https://twitter.com/GuerrillaMail/status/751015957770801152"
"t3qi4hdmvqo752lhyglhyb5ysoutggsdocmkxhuojfn62ntpcyydwmqd.onion#https://torstatus.rueckgr.at https://web.archive.org/web/20200904001100/https://torstatus.rueckgr.at/"
"expressobutiolem.onion#https://www.expressvpn.com https://web.archive.org/web/20170420065743/https://www.expressvpn.com"
"tinhat233xymse34.onion#https://thetinhat.com https://web.archive.org/web/20170421233308/https://thetinhat.com"
"rvy6qmlqfstv6rlz.onion#https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html https://web.archive.org/web/20160807015616/https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html"
"6zwctlqtpilbkl47.onion#https://piratenpartij.nl/contact/ https://web.archive.org/web/20170315154213/https://piratenpartij.nl/contact/"
[
"devuanzuwu3xoqwp.onion#www.devuan.org https://www.devuan.org https://web.archive.org/web/20170421215927/https://www.devuan.org/"
"devuanfwojg73k6r.onion#auto.mirror.devuan.org https://www.devuan.org https://web.archive.org/web/20170421215927/https://www.devuan.org/"
]
"crypty22ijtotell.onion#https://cryptoparty.is https://web.archive.org/web/20161015004023/https://www.cryptoparty.is/"
[
"llqiiswupgezsco4ux47cco3bxsaihbss5c3piefv6bhvpgfofyk7kad.onion#https://mail.systemli.org https://www.systemli.org/en/service/mail.html https://web.archive.org/web/20200825072459/https://www.systemli.org/en/service/mail.html"
"mjrkrqnlf26etelsi7zpkqc3dzlrzyurvmd3jksmndarzzbugz5xctid.onion#https://pad.systemli.org https://www.systemli.org/en/service/etherpad.html https://web.archive.org/web/20191025120405/https://www.systemli.org/en/service/etherpad.html"
]
[
"2h3xkc7wmxthijqb.onion#https://www.privacyfoundation.ch/de/kontakt.html https://web.archive.org/web/20151210044252/http://www.privacyfoundation.ch/de/kontakt.html"
"qcdbc7vspedojrr7.onion#https://www.digitale-gesellschaft.ch/uber-uns/ https://web.archive.org/web/20170415183758/https://www.digitale-gesellschaft.ch/uber-uns/"
]
[
"vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion#https://riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"7sbw6jufrirhyltzkslhcmkik4z7yrsmbpnptyritvz5nhbk35hncsqd.onion#https://lists.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion#https://mail.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion#https://pad.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"zs7xwvcspvnnrqhvyxyxpjkihc4lva3yustfr75j6giy24mdfg3rcwqd.onion#https://share.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"3xeiol2bnhrsqhcsaifwtnlqkylrerdspzua7bcjrh26qlrrrctfobid.onion#https://account.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"zkdppoahhqu5ihjqd4qqvyfd2bm4wejrhjosim67t6yopl77jitg2nad.onion#https://we.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion#https://about.0xacab.org https://web.archive.org/web/20200629165325/https://about.0xacab.org/"
]
)
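Review bot: Most entries in `SDWDATE_POOL_ONE`, `SDWDATE_POOL_TWO` and `SDWDATE_POOL_THREE` are 16-character v2 onion addresses, which current Tor releases no longer support (v2 onion services were retired in 2021), while this commit is dated 2024. `SDWDATE_POOL_TWO` contains no 56-character v3 address at all and `SDWDATE_POOL_ONE` only one. With `MAX_FAILURE_RATIO=0.34`, sdwdate would presumably stop with the "Maximum allowed number of failures" error the comments mention and leave the clock unsynchronised. I would take the pool lists from the current upstream sdwdate defaults rather than this 2020 copy, and keep local changes in `/etc/sdwdate.d/50_user.conf` as the header advises.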

File diff suppressed because it is too large Load diff


@ -0,0 +1 @@
cacert-curl.se_ca_cacert.pem