setup proxy, minor updates

master
Paul Wako 2020-12-27 00:13:34 -05:00
parent f8767f269f
commit 7e770ce8a0
8 changed files with 149 additions and 119 deletions

View File

@ -1,4 +1,4 @@
Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY" --limit=cabinet`
Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY gandi=true" --limit=cabinet`
Assumes:
@ -16,3 +16,6 @@ Assumes:
- Remote:
- joe/pew users have been created
- TODO:
- fix for network-online.target debian 10 bug

View File

@ -0,0 +1,24 @@
[Unit]
Description=Service to maintain an ssh reverse tunnel
Wants=network-online.target
After=network-online.target
StartLimitIntervalSec=0
[Service]
Type=simple
ExecStart=/usr/bin/ssh -Nn \
-o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes \
-i /home/paul/.ssh/id_rsa_fast \
-R 7000:127.0.0.1:8080 \
-R 7001:127.0.0.1:8443 \
-R 7002:127.0.0.1:2222 \
-R 7003:127.0.0.1:25565 \
pew@polyvalent.seaturtle.pw
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,36 @@
# For haproxy 2.2
# tcp proxy to local (ssh forwarded) ports
defaults
log global
mode tcp
option dontlognull
retries 3
maxconn 4000
timeout connect 5000
timeout client 50000
timeout server 50000
# http
listen proxy80
mode tcp
bind :::80
server proxy7000 127.0.0.1:7000
# https
listen proxy443
mode tcp
bind :::443
server proxy7001 127.0.0.1:7001
# gitea ssh
listen proxy2222
mode tcp
bind :::2222
server proxy7002 127.0.0.1:7002
# minecraft
listen proxy25565
mode tcp
bind :::25565
server proxy7003 127.0.0.1:7003

View File

@ -43,3 +43,15 @@
name: tor
enabled: yes
state: restarted
- name: Restart haproxy
service:
name: haproxy
state: restarted
- name: Load, start, and enable sshtunnel service
systemd:
name: sshtunnel
daemon_reload: yes
enabled: yes
state: started

View File

@ -1,3 +1,6 @@
[all:vars]
ansible_python_interpreter=/usr/bin/python3
[compute]
fogcutter hostname=fogcutter.seaturtle.pw interface=eno1

View File

@ -22,6 +22,7 @@
- htop
- iperf3
- mosh
- nfs-common
- nmap
- oidentd
- rsync
@ -36,9 +37,9 @@
update_cache: yes
- name: Disable MOTDs
command: chmod -x /etc/update-motd.d/10-uname
args:
warn: no
file:
path: /etc/update-motd.d/10-uname
mode: '0644'
- name: Set MOTD
copy:
@ -114,7 +115,7 @@
- name: Install tor config
copy:
src: files/torrc
dest: /etc/torrc
dest: /etc/tor/torrc
owner: root
group: root
mode: '0644'
@ -124,18 +125,19 @@
msg: Manually get tor hostname
# Common dynamic settings
- hosts: daily,compute,nfs
- hosts: compute,daily,proxy
become: yes
handlers:
- import_tasks: handlers.yml
tasks:
- name: Copy Dynamic DNS script
template:
src: templates/gandi-ddns.sh
src: templates/gandi-ddns.sh.j2
dest: /usr/local/bin/gandi-ddns.sh
owner: root
group: root
mode: '0755'
when: gandi is defined
- name: Add Dynamic DNS cronjob
cron:
@ -143,37 +145,50 @@
job: /usr/local/bin/gandi-ddns.sh
special_time: daily
user: root
when: gandi is defined
### Router
##- hosts: router
## become: yes
## tasks:
## - name: Install frrouting and related router packages
## - name: Configure bgp, etc???
# Media networking (Wireguard VPN, NFS)
- hosts: compute,nfs
# Custom repo config
- hosts: compute
become: yes
handlers:
- import_tasks: handlers.yml
tasks:
- name: Add unstable repository
shell: |
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
args:
creates: /etc/apt/sources.list.d/unstable.list
- name: Install media networking packages
- name: Install compute packages
apt:
name:
- beets
- nfs-common
- podman
- sshfs
force_apt_get: yes
update_cache: yes
- name: Mount bigdummy /bigdata via NFS
mount:
src: root@10.42.0.202:/bigdata
path: /bigdata
fstype: fuse.sshfs
opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
- name: Mount vtluug /media via sshfs
mount:
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
path: /media-vtluug
fstype: fuse.sshfs
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
# /home/paul/.ssh/id_rsa_fast must exist
- name: Install sshtunnel systemd service
copy:
src: files/fogcutter/sshtunnel.service
dest: /etc/systemd/system/sshtunnel.service
owner: root
group: root
mode: '0644'
notify: Load, start, and enable sshtunnel service
- debug:
msg: Manually do beets config https://wiki.archlinux.org/index.php/Beets
msg: Start podman services manually
# NFS core config
# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755)
@ -185,6 +200,7 @@
- name: Install zfs-zed, dma, and nfs-kernel-server
apt:
name:
- beets
- dma
- nfs-kernel-server
- zfs-auto-snapshot
@ -225,36 +241,18 @@
mode: '0644'
notify: Re-export exportfs
# Compute core config
- hosts: compute
# Proxy config
- hosts: proxy
become: yes
tasks:
- name: Install compute dependencies
apt:
name:
- apt-transport-https
- ca-certificates
- gnupg2
- software-properties-common
- sshfs
force_apt_get: yes
update_cache: yes
- name: Mount bigdummy /bigdata via NFS
mount:
src: root@10.42.0.202:/bigdata
path: /bigdata
fstype: fuse.sshfs
opts: reconnect,allow_other,_netdev,nonempty,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
- name: Mount vtluug /media via sshfs
mount:
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
path: /media-vtluug
fstype: fuse.sshfs
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
state: mounted
## Changes will take effect during next reboot
- name: Configure sysctl to reject RA acceptance
template:
src: templates/disablera.conf.j2
dest: /etc/sysctl.d/disablera.conf
owner: root
group: root
mode: '0644'
- name: Add HAProxy GPG key
apt_key:
@ -271,26 +269,11 @@
force_apt_get: yes
update_cache: yes
- name: Install microk8s
command: snap install microk8s --classic
args:
creates: /snap/bin/microk8s
- debug:
msg:
- Start/Configure haproxy manually
- Start microk8s manually
# Proxy config
- hosts: proxy
become: yes
tasks:
## Changes will take effect during next reboot
- name: Configure sysctl to reject RA acceptance
template:
src: templates/disablera.conf.j2
dest: /etc/sysctl.d/disablera.conf
- name: Install HAProxy proxy config
copy:
src: files/{{ inventory_hostname }}/haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
owner: root
group: root
mode: '0644'
notify: Restart haproxy

View File

@ -1,44 +0,0 @@
#!/bin/bash
APIKEY={{ api_key }}
NAME=$(hostname)
IPV4=$(curl -4s https://icanhazip.com/)
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
if [[ $NAME == 'fogcutter' ]]; then
# apex (doesn't really matter which host this is run on)
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/A
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/AAAA
# fogcutter (for web apps)
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
elif [[ $NAME == 'madone' ]]; then
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV4\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
fi
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA

View File

@ -0,0 +1,13 @@
#!/bin/bash
APIKEY={{ api_key }}
NAME=$(hostname --short)
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
curl \
--header "Authorization: Apikey $APIKEY" \
--header "Content-Type: application/json" \
--request PUT \
--data "{\"rrset_values\": [\"$IPV6\"]}" \
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA