From 7e770ce8a011f91041556c991f3858dbdc4c5c3e Mon Sep 17 00:00:00 2001 From: Paul Wako Date: Sun, 27 Dec 2020 00:13:34 -0500 Subject: [PATCH] setup proxy, minor updates --- ansible/README.md | 5 +- ansible/files/fogcutter/sshtunnel.service | 24 ++++ ansible/files/polyvalent/haproxy.cfg | 36 ++++++ ansible/handlers.yml | 12 ++ ansible/hosts.cfg | 3 + ansible/main.yml | 131 ++++++++++------------ ansible/templates/gandi-ddns.sh | 44 -------- ansible/templates/gandi-ddns.sh.j2 | 13 +++ 8 files changed, 149 insertions(+), 119 deletions(-) create mode 100644 ansible/files/fogcutter/sshtunnel.service create mode 100644 ansible/files/polyvalent/haproxy.cfg delete mode 100644 ansible/templates/gandi-ddns.sh create mode 100644 ansible/templates/gandi-ddns.sh.j2 diff --git a/ansible/README.md b/ansible/README.md index 8b8ce87..b3873a2 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -1,4 +1,4 @@ -Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY" --limit=cabinet` +Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY gandi=true" --limit=cabinet` Assumes: @@ -16,3 +16,6 @@ Assumes: - Remote: - joe/pew users have been created + +- TODO: + - fix for network-online.target debian 10 bug diff --git a/ansible/files/fogcutter/sshtunnel.service b/ansible/files/fogcutter/sshtunnel.service new file mode 100644 index 0000000..ca23e3e --- /dev/null +++ b/ansible/files/fogcutter/sshtunnel.service 
@@ -0,0 +1,24 @@
+[Unit]
+Description=Service to maintain an ssh reverse tunnel
+Wants=network-online.target
+After=network-online.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/ssh -Nn \
+ -o ServerAliveInterval=30 \
+ -o ServerAliveCountMax=3 \
+ -o ExitOnForwardFailure=yes \
+ -i /home/paul/.ssh/id_rsa_fast \
+ -R 7000:127.0.0.1:8080 \
+ -R 7001:127.0.0.1:8443 \
+ -R 7002:127.0.0.1:2222 \
+ -R 7003:127.0.0.1:25565 \
+ pew@polyvalent.seaturtle.pw
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/ansible/files/polyvalent/haproxy.cfg b/ansible/files/polyvalent/haproxy.cfg
new file mode 100644
index 0000000..ea94f95
--- /dev/null
+++ b/ansible/files/polyvalent/haproxy.cfg
@@ -0,0 +1,36 @@
+# For haproxy 2.2
+# tcp proxy to local (ssh forwarded) ports
+
+defaults
+ log global
+ mode tcp
+ option dontlognull
+ retries 3
+ maxconn 4000
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+# http
+listen proxy80
+ mode tcp
+ bind :::80
+ server proxy7000 127.0.0.1:7000
+
+# https
+listen proxy443
+ mode tcp
+ bind :::443
+ server proxy7001 127.0.0.1:7001
+
+# gitea ssh
+listen proxy2222
+ mode tcp
+ bind :::2222
+ server proxy7002 127.0.0.1:7002
+
+# minecraft
+listen proxy25565
+ mode tcp
+ bind :::25565
+ server proxy7003 127.0.0.1:7003
diff --git a/ansible/handlers.yml b/ansible/handlers.yml
index 859825d..a041d27 100644
--- a/ansible/handlers.yml
+++ b/ansible/handlers.yml
@@ -43,3 +43,15 @@
 name: tor
 enabled: yes
 state: restarted
+
+- name: Restart haproxy
+ service:
+ name: haproxy
+ state: restarted
+
+- name: Load, start, and enable sshtunnel service
+ systemd:
+ name: sshtunnel
+ daemon_reload: yes
+ enabled: yes
+ state: started
diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg
index 7ba1705..cead8eb 100644
--- a/ansible/hosts.cfg
+++ b/ansible/hosts.cfg
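Review bot: The unit has no `User=` line, so the ssh client runs as root while authenticating with `/home/paul/.ssh/id_rsa_fast`, and root's own known_hosts must already trust polyvalent.seaturtle.pw — a non-interactive service cannot answer the default host-key prompt, so the connection fails and `Restart=always` with `RestartSec=30` retries it forever. Running the tunnel as the key's owner with `User=paul` keeps the private key out of a root process, and adding `-o BatchMode=yes \` and `-o StrictHostKeyChecking=yes \` to the option list turns an unknown or changed host key into an explicit, journal-visible failure instead of a silent retry loop. The `-R` forwards bind to the remote loopback by default, which is what the accompanying haproxy.cfg expects; a comment saying so (`# forwards bind 127.0.0.1 on the proxy host; haproxy fronts them`) would save the next reader a trip to the other file.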
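Review bot: `log global` in `defaults` refers to a log target this file never defines — there is no `global` section at all — so haproxy will emit no connection logs for any of the four listeners, and because main.yml copies this file over /etc/haproxy/haproxy.cfg the packaged `global` block (log target, `user`/`group`) is presumably replaced too, leaving the daemon running as root after binding 80 and 443. Adding a `global` section ahead of `defaults` restores both the syslog target and the privilege drop. `bind :::80` is the IPv6 wildcard, which on a default Linux sysctl also accepts IPv4-mapped clients; a one-line comment (`# :::N binds dual-stack on Linux (bindv6only=0)`) would make that intent explicit.

```haproxy
global
    log /dev/log local0
    user haproxy
    group haproxy

defaults
# … unchanged: defaults options and the four listen sections …
```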
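Review bot: `state: started` in the new "Load, start, and enable sshtunnel service" handler means a tunnel that is already running keeps its old `ExecStart` when the unit file changes — the handler is notified precisely by the copy of sshtunnel.service in main.yml, and `daemon_reload` alone does not restart the unit, so an updated forward list would not take effect until the next reboot. `state: restarted` applies the new definition; the tor handler just above already uses `state: restarted` for the same reason. The "Restart haproxy" handler is fine as written.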
@@ -1,3 +1,6 @@ +[all:vars] +ansible_python_interpreter=/usr/bin/python3 + [compute] fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 diff --git a/ansible/main.yml b/ansible/main.yml index 98bdbce..11a40f6 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -22,6 +22,7 @@ - htop - iperf3 - mosh + - nfs-common - nmap - oidentd - rsync @@ -36,9 +37,9 @@ update_cache: yes - name: Disable MOTDs - command: chmod -x /etc/update-motd.d/10-uname - args: - warn: no + file: + path: /etc/update-motd.d/10-uname + mode: '0644' - name: Set MOTD copy: @@ -114,7 +115,7 @@ - name: Install tor config copy: src: files/torrc - dest: /etc/torrc + dest: /etc/tor/torrc owner: root group: root mode: '0644' @@ -124,18 +125,19 @@ msg: Manually get tor hostname # Common dynamic settings -- hosts: daily,compute,nfs +- hosts: compute,daily,proxy become: yes handlers: - import_tasks: handlers.yml tasks: - name: Copy Dynamic DNS script template: - src: templates/gandi-ddns.sh + src: templates/gandi-ddns.sh.j2 dest: /usr/local/bin/gandi-ddns.sh owner: root group: root mode: '0755' + when: gandi is defined - name: Add Dynamic DNS cronjob cron: 
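Review bot: The Dynamic DNS script is rendered with `api_key` in clear text and installed with `mode: '0755'`, so every local account on the compute, daily and proxy hosts can read the Gandi key from /usr/local/bin/gandi-ddns.sh; the cron task in the next hunk runs it as root, so `mode: '0700'` (with the existing `owner: root`) loses nothing. The new `when: gandi is defined` gates on a flag rather than on the value the template consumes — `gandi=true` without `api_key` fails inside the template on an undefined variable — so `when: api_key is defined` (or both conditions) states the real precondition. The same applies to the `when:` added to the cron task in the following hunk.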
@@ -143,37 +145,50 @@ job: /usr/local/bin/gandi-ddns.sh special_time: daily user: root + when: gandi is defined -### Router -##- hosts: router -## become: yes -## tasks: -## - name: Install frrouting and related router packages -## - name: Configure bgp, etc??? - -# Media networking (Wireguard VPN, NFS) -- hosts: compute,nfs +# Custom repo config +- hosts: compute become: yes handlers: - import_tasks: handlers.yml tasks: - - name: Add unstable repository - shell: | - echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list - printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable - args: - creates: /etc/apt/sources.list.d/unstable.list - - - name: Install media networking packages + - name: Install compute packages apt: name: - - beets - - nfs-common + - podman + - sshfs force_apt_get: yes update_cache: yes + - name: Mount bigdummy /bigdata via NFS + mount: + src: root@10.42.0.202:/bigdata + path: /bigdata + fstype: fuse.sshfs + opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast + state: mounted + + - name: Mount vtluug /media via sshfs + mount: + src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media + path: /media-vtluug + fstype: fuse.sshfs + opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast + state: mounted + + # /home/paul/.ssh/id_rsa_fast must exist + - name: Install sshtunnel systemd service + copy: + src: files/fogcutter/sshtunnel.service + dest: /etc/systemd/system/sshtunnel.service + owner: root + group: root + mode: '0644' + notify: Load, start, and enable sshtunnel service + - debug: - msg: Manually do beets config https://wiki.archlinux.org/index.php/Beets + msg: Start podman services manually # NFS core config # ASSUMES /bigdata IS CONFIGURED (make sure dir is 755) @@ -185,6 +200,7 @@ - name: Install zfs-zed, dma, and nfs-kernel-server apt: name: + - beets - dma - nfs-kernel-server - zfs-auto-snapshot 
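Review bot: `# /home/paul/.ssh/id_rsa_fast must exist` states a precondition only as a comment; if the key is absent the play still installs and starts the unit, and `Restart=always` in sshtunnel.service then retries against the proxy host every 30 seconds with nothing in the play output to explain why. A `stat` task registered before the copy and failed with `failed_when` stops the run with a clear message instead. The same key is passed as `IdentityFile=` for both sshfs mounts, and the first one logs in as `root@10.42.0.202`, so this single key grants root on that host to whoever holds it — a dedicated low-privilege account there, or an authorized_keys entry limited with `restrict`, would narrow what a compromised compute box can reach. `src: files/fogcutter/sshtunnel.service` is also hard-coded while the haproxy task later in the file uses `files/{{ inventory_hostname }}/haproxy.cfg`; the same pattern here keeps the `compute` play correct if the group ever gains a second host.

```yaml
      # Fail early rather than install a tunnel that cannot authenticate
      - name: Check that the tunnel key exists
        stat:
          path: /home/paul/.ssh/id_rsa_fast
        register: tunnel_key
        failed_when: not tunnel_key.stat.exists

      - name: Install sshtunnel systemd service
        # … unchanged: copy of the unit file and notify …
```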
@@ -225,36 +241,18 @@ mode: '0644' notify: Re-export exportfs -# Compute core config -- hosts: compute +# Proxy config +- hosts: proxy become: yes tasks: - - name: Install compute dependencies - apt: - name: - - apt-transport-https - - ca-certificates - - gnupg2 - - software-properties-common - - sshfs - force_apt_get: yes - update_cache: yes - - - name: Mount bigdummy /bigdata via NFS - mount: - src: root@10.42.0.202:/bigdata - path: /bigdata - fstype: fuse.sshfs - opts: reconnect,allow_other,_netdev,nonempty,IdentityFile=/home/paul/.ssh/id_rsa_fast - state: mounted - - - name: Mount vtluug /media via sshfs - mount: - src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media - path: /media-vtluug - fstype: fuse.sshfs - opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast - state: mounted + ## Changes will take effect during next reboot + - name: Configure sysctl to reject RA acceptance + template: + src: templates/disablera.conf.j2 + dest: /etc/sysctl.d/disablera.conf + owner: root + group: root + mode: '0644' - name: Add HAProxy GPG key apt_key: @@ -271,26 +269,11 @@ force_apt_get: yes update_cache: yes - - - name: Install microk8s - command: snap install microk8s --classic - args: - creates: /snap/bin/microk8s - - - debug: - msg: - - Start/Configure haproxy manually - - Start microk8s manually - -# Proxy config -- hosts: proxy - become: yes - tasks: - ## Changes will take effect during next reboot - - name: Configure sysctl to reject RA acceptance - template: - src: templates/disablera.conf.j2 - dest: /etc/sysctl.d/disablera.conf + - name: Install HAProxy proxy config + copy: + src: files/{{ inventory_hostname }}/haproxy.cfg + dest: /etc/haproxy/haproxy.cfg owner: root group: root mode: '0644' + notify: Restart haproxy diff --git a/ansible/templates/gandi-ddns.sh b/ansible/templates/gandi-ddns.sh deleted file mode 100644 index daa8190..0000000 --- a/ansible/templates/gandi-ddns.sh +++ /dev/null 
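Review bot: The "Install HAProxy proxy config" copy has no `validate:`, so a syntax error in files/<host>/haproxy.cfg is only discovered when the `Restart haproxy` handler fails, by which time the frontend for 80, 443, 2222 and 25565 is already down; `validate: haproxy -c -f %s` on the copy task rejects a broken file before it replaces the live one. The task also overwrites the package-managed /etc/haproxy/haproxy.cfg, so `backup: yes` would keep the previous configuration available for a manual rollback. The enclosing proxy play begins in the previous hunk.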
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-APIKEY={{ api_key }}
-NAME=$(hostname)
-
-IPV4=$(curl -4s https://icanhazip.com/)
-IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
-
-if [[ $NAME == 'fogcutter' ]]; then
- # apex (doesn't really matter which host this is run on)
- curl \
- --header "Authorization: Apikey $APIKEY" \
- --header "Content-Type: application/json" \
- --request PUT \
- --data "{\"rrset_values\": [\"$IPV4\"]}" \
- https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/A
- curl \
- --header "Authorization: Apikey $APIKEY" \
- --header "Content-Type: application/json" \
- --request PUT \
- --data "{\"rrset_values\": [\"$IPV6\"]}" \
- https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/AAAA
- # fogcutter (for web apps)
- curl \
- --header "Authorization: Apikey $APIKEY" \
- --header "Content-Type: application/json" \
- --request PUT \
- --data "{\"rrset_values\": [\"$IPV4\"]}" \
- https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
-elif [[ $NAME == 'madone' ]]; then
- curl \
- --header "Authorization: Apikey $APIKEY" \
- --header "Content-Type: application/json" \
- --request PUT \
- --data "{\"rrset_values\": [\"$IPV4\"]}" \
- https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
-fi
-
-curl \
- --header "Authorization: Apikey $APIKEY" \
- --header "Content-Type: application/json" \
- --request PUT \
- --data "{\"rrset_values\": [\"$IPV6\"]}" \
- https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA
diff --git a/ansible/templates/gandi-ddns.sh.j2 b/ansible/templates/gandi-ddns.sh.j2
new file mode 100644
index 0000000..21e5efd
--- /dev/null
+++ b/ansible/templates/gandi-ddns.sh.j2
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+APIKEY={{ api_key }}
+NAME=$(hostname --short)
+
+IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
+
+curl \
+ --header "Authorization: Apikey $APIKEY" \
+ --header "Content-Type: application/json" \
+ --request PUT \
+ --data "{\"rrset_values\": [\"$IPV6\"]}" \
+ https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA
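Review bot: If the `ip -6 addr | grep mngtmpaddr` pipeline finds no address, `IPV6` is empty and the script still issues the PUT with `rrset_values: [""]`, which at best is rejected by the API and at worst replaces the host's AAAA record with an invalid value; `[[ -n "$IPV6" ]] || { echo "no global IPv6 address found" >&2; exit 1; }` before the curl makes that a visible failure. `set -euo pipefail` after the shebang would likewise surface a failing curl in the daily cron mail instead of exiting 0, and `$NAME` in the URL should be quoted as `"$NAME"` for the same reason the header values are. Since the rendered file contains the API key verbatim, its install mode in main.yml is what keeps the key private; that is raised there.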