setup proxy, minor updates

Paul Wako 2020-12-27 00:13:34 -05:00
parent f8767f269f
commit 7e770ce8a0
8 changed files with 149 additions and 119 deletions


@ -1,4 +1,4 @@
Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY" --limit=cabinet` Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY gandi=true" --limit=cabinet`
Assumes: Assumes:
@ -16,3 +16,6 @@ Assumes:
- Remote: - Remote:
- joe/pew users have been created - joe/pew users have been created
- TODO:
- fix for network-online.target debian 10 bug


@ -0,0 +1,24 @@
[Unit]
Description=Service to maintain an ssh reverse tunnel
Wants=network-online.target
After=network-online.target
StartLimitIntervalSec=0
[Service]
Type=simple
ExecStart=/usr/bin/ssh -Nn \
-o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes \
-i /home/paul/.ssh/id_rsa_fast \
-R 7000:127.0.0.1:8080 \
-R 7001:127.0.0.1:8443 \
-R 7002:127.0.0.1:2222 \
-R 7003:127.0.0.1:25565 \
pew@polyvalent.seaturtle.pw
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
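Review bot: The unit has no `User=` line, so the ssh process runs as root while authenticating with `/home/paul/.ssh/id_rsa_fast`; nothing in the ExecStart needs root (the remote `-R` ports 7000–7003 and the local 127.0.0.1 targets are all unprivileged), so adding `User=paul` under `[Service]` keeps the key-holding process in the key owner's account. Because `-n` detaches stdin and there is no tty, a host key for `polyvalent.seaturtle.pw` that is not already in that account's known_hosts would make ssh abort rather than prompt, and `Restart=always` would then loop every 30 s; adding `-o BatchMode=yes -o StrictHostKeyChecking=yes` and provisioning the known_hosts entry makes that failure explicit and also blocks silent acceptance of a changed key. A header comment naming what each forwarded port is (the haproxy side of this commit maps 7000→80, 7001→443, 7002→gitea ssh, 7003→minecraft) would save the next reader from cross-referencing two files.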


@ -0,0 +1,36 @@
# For haproxy 2.2
# tcp proxy to local (ssh forwarded) ports
defaults
log global
mode tcp
option dontlognull
retries 3
maxconn 4000
timeout connect 5000
timeout client 50000
timeout server 50000
# http
listen proxy80
mode tcp
bind :::80
server proxy7000 127.0.0.1:7000
# https
listen proxy443
mode tcp
bind :::443
server proxy7001 127.0.0.1:7001
# gitea ssh
listen proxy2222
mode tcp
bind :::2222
server proxy7002 127.0.0.1:7002
# minecraft
listen proxy25565
mode tcp
bind :::25565
server proxy7003 127.0.0.1:7003
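Review bot: This file has no `global` section, yet `defaults` says `log global`, and because the play installs it over `/etc/haproxy/haproxy.cfg` wholesale, the stock Debian `global` block (which drops privileges to the `haproxy` user/group and chroots) is gone — as written haproxy keeps root after binding 80/443/2222/25565 and logs nothing. Restoring a minimal `global` with `user`, `group`, `chroot` and a log target fixes both; confirm `/var/lib/haproxy` exists on the proxy host (the Debian package creates it) before enabling the chroot. Separately, `bind :::80`-style addresses are IPv6-only unless the kernel's `bindv6only` is 0; if IPv4 clients matter, `bind :::80 v4v6` (or an explicit `bind :80`) states that intent rather than relying on the sysctl.
```haproxy
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

# … unchanged: defaults and the four listen sections …
```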


@ -43,3 +43,15 @@
name: tor name: tor
enabled: yes enabled: yes
state: restarted state: restarted
- name: Restart haproxy
service:
name: haproxy
state: restarted
- name: Load, start, and enable sshtunnel service
systemd:
name: sshtunnel
daemon_reload: yes
enabled: yes
state: started
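Review bot: `Load, start, and enable sshtunnel service` uses `state: started`, but it is notified from the copy of the unit file, so once the tunnel is running a later change to the unit (a new `-R` forward, a different key path) is picked up by `daemon_reload` yet never applied, because an already-running service is left alone; `state: restarted` makes the handler do what the notification means. For `Restart haproxy`, `state: reloaded` lets haproxy load the new config without dropping the TCP sessions it is proxying, and pairing the notifying copy task with `validate: '/usr/sbin/haproxy -c -f %s'` keeps a syntax error from taking the proxy down on the restart.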


@ -1,3 +1,6 @@
[all:vars]
ansible_python_interpreter=/usr/bin/python3
[compute] [compute]
fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 fogcutter hostname=fogcutter.seaturtle.pw interface=eno1


@ -22,6 +22,7 @@
- htop - htop
- iperf3 - iperf3
- mosh - mosh
- nfs-common
- nmap - nmap
- oidentd - oidentd
- rsync - rsync
@ -36,9 +37,9 @@
update_cache: yes update_cache: yes
- name: Disable MOTDs - name: Disable MOTDs
command: chmod -x /etc/update-motd.d/10-uname file:
args: path: /etc/update-motd.d/10-uname
warn: no mode: '0644'
- name: Set MOTD - name: Set MOTD
copy: copy:
@ -114,7 +115,7 @@
- name: Install tor config - name: Install tor config
copy: copy:
src: files/torrc src: files/torrc
dest: /etc/torrc dest: /etc/tor/torrc
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
@ -124,18 +125,19 @@
msg: Manually get tor hostname msg: Manually get tor hostname
# Common dynamic settings # Common dynamic settings
- hosts: daily,compute,nfs - hosts: compute,daily,proxy
become: yes become: yes
handlers: handlers:
- import_tasks: handlers.yml - import_tasks: handlers.yml
tasks: tasks:
- name: Copy Dynamic DNS script - name: Copy Dynamic DNS script
template: template:
src: templates/gandi-ddns.sh src: templates/gandi-ddns.sh.j2
dest: /usr/local/bin/gandi-ddns.sh dest: /usr/local/bin/gandi-ddns.sh
owner: root owner: root
group: root group: root
mode: '0755' mode: '0755'
when: gandi is defined
- name: Add Dynamic DNS cronjob - name: Add Dynamic DNS cronjob
cron: cron:
@ -143,37 +145,50 @@
job: /usr/local/bin/gandi-ddns.sh job: /usr/local/bin/gandi-ddns.sh
special_time: daily special_time: daily
user: root user: root
when: gandi is defined
### Router # Custom repo config
##- hosts: router - hosts: compute
## become: yes
## tasks:
## - name: Install frrouting and related router packages
## - name: Configure bgp, etc???
# Media networking (Wireguard VPN, NFS)
- hosts: compute,nfs
become: yes become: yes
handlers: handlers:
- import_tasks: handlers.yml - import_tasks: handlers.yml
tasks: tasks:
- name: Add unstable repository - name: Install compute packages
shell: |
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
args:
creates: /etc/apt/sources.list.d/unstable.list
- name: Install media networking packages
apt: apt:
name: name:
- beets - podman
- nfs-common - sshfs
force_apt_get: yes force_apt_get: yes
update_cache: yes update_cache: yes
- name: Mount bigdummy /bigdata via NFS
mount:
src: root@10.42.0.202:/bigdata
path: /bigdata
fstype: fuse.sshfs
opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
- name: Mount vtluug /media via sshfs
mount:
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
path: /media-vtluug
fstype: fuse.sshfs
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
# /home/paul/.ssh/id_rsa_fast must exist
- name: Install sshtunnel systemd service
copy:
src: files/fogcutter/sshtunnel.service
dest: /etc/systemd/system/sshtunnel.service
owner: root
group: root
mode: '0644'
notify: Load, start, and enable sshtunnel service
- debug: - debug:
msg: Manually do beets config https://wiki.archlinux.org/index.php/Beets msg: Start podman services manually
# NFS core config # NFS core config
# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755) # ASSUMES /bigdata IS CONFIGURED (make sure dir is 755)
@ -185,6 +200,7 @@
- name: Install zfs-zed, dma, and nfs-kernel-server - name: Install zfs-zed, dma, and nfs-kernel-server
apt: apt:
name: name:
- beets
- dma - dma
- nfs-kernel-server - nfs-kernel-server
- zfs-auto-snapshot - zfs-auto-snapshot
@ -225,36 +241,18 @@
mode: '0644' mode: '0644'
notify: Re-export exportfs notify: Re-export exportfs
# Compute core config # Proxy config
- hosts: compute - hosts: proxy
become: yes become: yes
tasks: tasks:
- name: Install compute dependencies ## Changes will take effect during next reboot
apt: - name: Configure sysctl to reject RA acceptance
name: template:
- apt-transport-https src: templates/disablera.conf.j2
- ca-certificates dest: /etc/sysctl.d/disablera.conf
- gnupg2 owner: root
- software-properties-common group: root
- sshfs mode: '0644'
force_apt_get: yes
update_cache: yes
- name: Mount bigdummy /bigdata via NFS
mount:
src: root@10.42.0.202:/bigdata
path: /bigdata
fstype: fuse.sshfs
opts: reconnect,allow_other,_netdev,nonempty,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
- name: Mount vtluug /media via sshfs
mount:
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
path: /media-vtluug
fstype: fuse.sshfs
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
- name: Add HAProxy GPG key - name: Add HAProxy GPG key
apt_key: apt_key:
@ -271,26 +269,11 @@
force_apt_get: yes force_apt_get: yes
update_cache: yes update_cache: yes
- name: Install HAProxy proxy config
- name: Install microk8s copy:
command: snap install microk8s --classic src: files/{{ inventory_hostname }}/haproxy.cfg
args: dest: /etc/haproxy/haproxy.cfg
creates: /snap/bin/microk8s
- debug:
msg:
- Start/Configure haproxy manually
- Start microk8s manually
# Proxy config
- hosts: proxy
become: yes
tasks:
## Changes will take effect during next reboot
- name: Configure sysctl to reject RA acceptance
template:
src: templates/disablera.conf.j2
dest: /etc/sysctl.d/disablera.conf
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: Restart haproxy
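Review bot: The Gandi API key is rendered by the `Copy Dynamic DNS script` task into `/usr/local/bin/gandi-ddns.sh` with `mode: '0755'`, so every local account on each host can read the LiveDNS credential; the cron entry runs it as root, so `mode: '0700'` loses nothing. The new `Mount bigdummy /bigdata` task mounts `root@10.42.0.202:/bigdata` with `allow_other`, which hands any local user on the compute host root-level access to that tree through the mount; a dedicated unprivileged account on the NFS host, as the vtluug mount already does with `pew-media`, is the least-privilege form. `when: gandi is defined` also fires for `gandi=false` (the README documents `gandi=true`); `when: gandi | default(false) | bool` matches the documented switch. The `Custom repo config` play continues past the last hunk shown here.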


@ -1,44 +0,0 @@
#!/bin/bash
APIKEY={{ api_key }}
NAME=$(hostname)
IPV4=$(curl -4s https://icanhazip.com/)
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
if [[ $NAME == 'fogcutter' ]]; then
# apex (doesn't really matter which host this is run on)
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/A
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/AAAA
# fogcutter (for web apps)
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
elif [[ $NAME == 'madone' ]]; then
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
fi
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA


@ -0,0 +1,13 @@
#!/bin/bash
APIKEY={{ api_key }}
NAME=$(hostname --short)
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA
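Review bot: If the `ip -6 addr | grep mngtmpaddr` pipeline finds no address (IPv6 down, or no SLAAC address on the host), `IPV6` is empty and the PUT still runs with `{"rrset_values": [""]}`, which at best is rejected and at worst replaces the working AAAA record; guard it with `[[ -n $IPV6 ]] || { echo 'no global IPv6 address found' >&2; exit 1; }` before the curl. The curl call has no `--fail --silent --show-error`, so an auth or API error exits 0 and the daily root cron job never reports it; `set -euo pipefail` at the top would likewise make the pipeline's own failure fatal. As in the script this replaces, the key is passed on the curl command line, where it is briefly visible in the process list to other local users; `--header @headerfile` (or a netrc-style config read by curl) keeps it out of `ps`.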