setup proxy, minor updates
parent
f8767f269f
commit
7e770ce8a0
|
@ -1,4 +1,4 @@
|
|||
Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY" --limit=cabinet`
|
||||
Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "api_key=GANDI_API_KEY gandi=true" --limit=cabinet`
|
||||
|
||||
Assumes:
|
||||
|
||||
|
@ -16,3 +16,6 @@ Assumes:
|
|||
|
||||
- Remote:
|
||||
- joe/pew users have been created
|
||||
|
||||
- TODO:
|
||||
- fix for network-online.target debian 10 bug
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
[Unit]
|
||||
Description=Service to maintain an ssh reverse tunnel
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
StartLimitIntervalSec=0
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/ssh -Nn \
|
||||
-o ServerAliveInterval=30 \
|
||||
-o ServerAliveCountMax=3 \
|
||||
-o ExitOnForwardFailure=yes \
|
||||
-i /home/paul/.ssh/id_rsa_fast \
|
||||
-R 7000:127.0.0.1:8080 \
|
||||
-R 7001:127.0.0.1:8443 \
|
||||
-R 7002:127.0.0.1:2222 \
|
||||
-R 7003:127.0.0.1:25565 \
|
||||
pew@polyvalent.seaturtle.pw
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
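Review bot: The unit has no `User=` line, so ssh runs as root while authenticating with a key taken from paul's home directory (`-i /home/paul/.ssh/id_rsa_fast`), and the same key is reused by main.yml for the sshfs mounts to `root@10.42.0.202` and dirtycow. Run the tunnel as its owner with `User=paul` (or a dedicated tunnel account) and give it a key used only for this purpose, with `restrict,port-forwarding` set on the matching authorized_keys entry on polyvalent so the key cannot open a shell there if it leaks. Because the service is non-interactive, add `-o BatchMode=yes \` so an unknown or changed host key fails the unit cleanly instead of hanging on a prompt, and pre-seed that user's known_hosts with polyvalent's host key. `ExitOnForwardFailure=yes` together with `Restart=always`/`RestartSec=30` is the right pairing here.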
|
@ -0,0 +1,36 @@
|
|||
# For haproxy 2.2
|
||||
# tcp proxy to local (ssh forwarded) ports
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode tcp
|
||||
option dontlognull
|
||||
retries 3
|
||||
maxconn 4000
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
|
||||
# http
|
||||
listen proxy80
|
||||
mode tcp
|
||||
bind :::80
|
||||
server proxy7000 127.0.0.1:7000
|
||||
|
||||
# https
|
||||
listen proxy443
|
||||
mode tcp
|
||||
bind :::443
|
||||
server proxy7001 127.0.0.1:7001
|
||||
|
||||
# gitea ssh
|
||||
listen proxy2222
|
||||
mode tcp
|
||||
bind :::2222
|
||||
server proxy7002 127.0.0.1:7002
|
||||
|
||||
# minecraft
|
||||
listen proxy25565
|
||||
mode tcp
|
||||
bind :::25565
|
||||
server proxy7003 127.0.0.1:7003
|
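Review bot: The file has no `global` section, yet it is installed over the packaged `/etc/haproxy/haproxy.cfg` (main.yml, `dest: /etc/haproxy/haproxy.cfg`), so the Debian defaults that drop privileges (`user haproxy`/`group haproxy`, `chroot`) and define the log target are gone: `log global` in `defaults` then points at nothing and, assuming the stock 2.2 unit which starts haproxy as root and relies on the config to drop privileges, all four listeners keep running as root — confirm on the host. Add a `global` stanza as below. The repeated `mode tcp` in each `listen` block is already set in `defaults` and can be dropped, and `bind :::80 v4v6` (likewise for the other ports) makes the dual-stack intent explicit instead of depending on the `net.ipv6.bindv6only` sysctl.
```haproxy
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

# … unchanged: defaults and listen stanzas …
```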
|
@ -43,3 +43,15 @@
|
|||
name: tor
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: Restart haproxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: restarted
|
||||
|
||||
- name: Load, start, and enable sshtunnel service
|
||||
systemd:
|
||||
name: sshtunnel
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
state: started
|
||||
|
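Review bot: The `Load, start, and enable sshtunnel service` handler uses `state: started`, which is a no-op when the unit is already running, so a changed `sshtunnel.service` (the notifying task in main.yml rewrites `ExecStart`, e.g. the `-R` forward list) gets `daemon_reload` but is never actually restarted; use `state: restarted` so the tunnel picks up the new unit. The new handlers also continue the file's `yes` truthy style (`enabled: yes`, `daemon_reload: yes`), where `true` is the unambiguous spelling across YAML 1.1/1.2 loaders. `Restart haproxy` uses the `service` module while the sshtunnel handler uses `systemd`; picking one keeps the file consistent.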
|
|
@ -1,3 +1,6 @@
|
|||
[all:vars]
|
||||
ansible_python_interpreter=/usr/bin/python3
|
||||
|
||||
[compute]
|
||||
fogcutter hostname=fogcutter.seaturtle.pw interface=eno1
|
||||
|
||||
|
|
131
ansible/main.yml
131
ansible/main.yml
|
@ -22,6 +22,7 @@
|
|||
- htop
|
||||
- iperf3
|
||||
- mosh
|
||||
- nfs-common
|
||||
- nmap
|
||||
- oidentd
|
||||
- rsync
|
||||
|
@ -36,9 +37,9 @@
|
|||
update_cache: yes
|
||||
|
||||
- name: Disable MOTDs
|
||||
command: chmod -x /etc/update-motd.d/10-uname
|
||||
args:
|
||||
warn: no
|
||||
file:
|
||||
path: /etc/update-motd.d/10-uname
|
||||
mode: '0644'
|
||||
|
||||
- name: Set MOTD
|
||||
copy:
|
||||
|
@ -114,7 +115,7 @@
|
|||
- name: Install tor config
|
||||
copy:
|
||||
src: files/torrc
|
||||
dest: /etc/torrc
|
||||
dest: /etc/tor/torrc
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
@ -124,18 +125,19 @@
|
|||
msg: Manually get tor hostname
|
||||
|
||||
# Common dynamic settings
|
||||
- hosts: daily,compute,nfs
|
||||
- hosts: compute,daily,proxy
|
||||
become: yes
|
||||
handlers:
|
||||
- import_tasks: handlers.yml
|
||||
tasks:
|
||||
- name: Copy Dynamic DNS script
|
||||
template:
|
||||
src: templates/gandi-ddns.sh
|
||||
src: templates/gandi-ddns.sh.j2
|
||||
dest: /usr/local/bin/gandi-ddns.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
when: gandi is defined
|
||||
|
||||
- name: Add Dynamic DNS cronjob
|
||||
cron:
|
||||
|
@ -143,37 +145,50 @@
|
|||
job: /usr/local/bin/gandi-ddns.sh
|
||||
special_time: daily
|
||||
user: root
|
||||
when: gandi is defined
|
||||
|
||||
### Router
|
||||
##- hosts: router
|
||||
## become: yes
|
||||
## tasks:
|
||||
## - name: Install frrouting and related router packages
|
||||
## - name: Configure bgp, etc???
|
||||
|
||||
# Media networking (Wireguard VPN, NFS)
|
||||
- hosts: compute,nfs
|
||||
# Custom repo config
|
||||
- hosts: compute
|
||||
become: yes
|
||||
handlers:
|
||||
- import_tasks: handlers.yml
|
||||
tasks:
|
||||
- name: Add unstable repository
|
||||
shell: |
|
||||
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
|
||||
args:
|
||||
creates: /etc/apt/sources.list.d/unstable.list
|
||||
|
||||
- name: Install media networking packages
|
||||
- name: Install compute packages
|
||||
apt:
|
||||
name:
|
||||
- beets
|
||||
- nfs-common
|
||||
- podman
|
||||
- sshfs
|
||||
force_apt_get: yes
|
||||
update_cache: yes
|
||||
|
||||
- name: Mount bigdummy /bigdata via NFS
|
||||
mount:
|
||||
src: root@10.42.0.202:/bigdata
|
||||
path: /bigdata
|
||||
fstype: fuse.sshfs
|
||||
opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
|
||||
state: mounted
|
||||
|
||||
- name: Mount vtluug /media via sshfs
|
||||
mount:
|
||||
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
|
||||
path: /media-vtluug
|
||||
fstype: fuse.sshfs
|
||||
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
|
||||
state: mounted
|
||||
|
||||
# /home/paul/.ssh/id_rsa_fast must exist
|
||||
- name: Install sshtunnel systemd service
|
||||
copy:
|
||||
src: files/fogcutter/sshtunnel.service
|
||||
dest: /etc/systemd/system/sshtunnel.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Load, start, and enable sshtunnel service
|
||||
|
||||
- debug:
|
||||
msg: Manually do beets config https://wiki.archlinux.org/index.php/Beets
|
||||
msg: Start podman services manually
|
||||
|
||||
# NFS core config
|
||||
# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755)
|
||||
|
@ -185,6 +200,7 @@
|
|||
- name: Install zfs-zed, dma, and nfs-kernel-server
|
||||
apt:
|
||||
name:
|
||||
- beets
|
||||
- dma
|
||||
- nfs-kernel-server
|
||||
- zfs-auto-snapshot
|
||||
|
@ -225,36 +241,18 @@
|
|||
mode: '0644'
|
||||
notify: Re-export exportfs
|
||||
|
||||
# Compute core config
|
||||
- hosts: compute
|
||||
# Proxy config
|
||||
- hosts: proxy
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Install compute dependencies
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- ca-certificates
|
||||
- gnupg2
|
||||
- software-properties-common
|
||||
- sshfs
|
||||
force_apt_get: yes
|
||||
update_cache: yes
|
||||
|
||||
- name: Mount bigdummy /bigdata via NFS
|
||||
mount:
|
||||
src: root@10.42.0.202:/bigdata
|
||||
path: /bigdata
|
||||
fstype: fuse.sshfs
|
||||
opts: reconnect,allow_other,_netdev,nonempty,IdentityFile=/home/paul/.ssh/id_rsa_fast
|
||||
state: mounted
|
||||
|
||||
- name: Mount vtluug /media via sshfs
|
||||
mount:
|
||||
src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
|
||||
path: /media-vtluug
|
||||
fstype: fuse.sshfs
|
||||
opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
|
||||
state: mounted
|
||||
## Changes will take effect during next reboot
|
||||
- name: Configure sysctl to reject RA acceptance
|
||||
template:
|
||||
src: templates/disablera.conf.j2
|
||||
dest: /etc/sysctl.d/disablera.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
- name: Add HAProxy GPG key
|
||||
apt_key:
|
||||
|
@ -271,26 +269,11 @@
|
|||
force_apt_get: yes
|
||||
update_cache: yes
|
||||
|
||||
|
||||
- name: Install microk8s
|
||||
command: snap install microk8s --classic
|
||||
args:
|
||||
creates: /snap/bin/microk8s
|
||||
|
||||
- debug:
|
||||
msg:
|
||||
- Start/Configure haproxy manually
|
||||
- Start microk8s manually
|
||||
|
||||
# Proxy config
|
||||
- hosts: proxy
|
||||
become: yes
|
||||
tasks:
|
||||
## Changes will take effect during next reboot
|
||||
- name: Configure sysctl to reject RA acceptance
|
||||
template:
|
||||
src: templates/disablera.conf.j2
|
||||
dest: /etc/sysctl.d/disablera.conf
|
||||
- name: Install HAProxy proxy config
|
||||
copy:
|
||||
src: files/{{ inventory_hostname }}/haproxy.cfg
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Restart haproxy
|
||||
|
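Review bot: In the `Add unstable repository` task (hunk `@@ -143,37 +145,50 @@`), the `creates: /etc/apt/sources.list.d/unstable.list` guard keys on the first redirection only, so if the `printf` to `/etc/apt/preferences.d/limit-unstable` fails or the pin file is later removed, the task never runs again and unstable sits at apt's default priority 500, meaning a routine `apt upgrade` would pull the whole system to unstable; writing both files with `copy` (below) makes the task idempotent, reports changes, and drops the shell entirely. Separately, the new proxy play (`- hosts: proxy`, `become: yes`, `tasks:` with no `handlers:` between them) ends with `notify: Restart haproxy`; unless a `handlers:` stanza follows outside the last hunk, Ansible will fail with a handler-not-found error when the copy changes, so add `handlers:` / `- import_tasks: handlers.yml` as the other plays do.
```yaml
    - name: Add unstable repository
      copy:
        dest: /etc/apt/sources.list.d/unstable.list
        content: "deb http://deb.debian.org/debian/ unstable main\n"
        owner: root
        group: root
        mode: '0644'

    - name: Pin unstable below the release priority
      copy:
        dest: /etc/apt/preferences.d/limit-unstable
        content: |
          Package: *
          Pin: release a=unstable
          Pin-Priority: 90
        owner: root
        group: root
        mode: '0644'

    # … unchanged: Install compute packages and the following tasks …
```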
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
APIKEY={{ api_key }}
|
||||
NAME=$(hostname)
|
||||
|
||||
IPV4=$(curl -4s https://icanhazip.com/)
|
||||
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
|
||||
|
||||
if [[ $NAME == 'fogcutter' ]]; then
|
||||
# apex (doesn't really matter which host this is run on)
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV4\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/A
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV6\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/@/AAAA
|
||||
# fogcutter (for web apps)
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV4\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
|
||||
elif [[ $NAME == 'madone' ]]; then
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV4\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/A
|
||||
fi
|
||||
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV6\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
|
||||
APIKEY={{ api_key }}
|
||||
NAME=$(hostname --short)
|
||||
|
||||
IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}')
|
||||
|
||||
curl \
|
||||
--header "Authorization: Apikey $APIKEY" \
|
||||
--header "Content-Type: application/json" \
|
||||
--request PUT \
|
||||
--data "{\"rrset_values\": [\"$IPV6\"]}" \
|
||||
https://api.gandi.net/v5/livedns/domains/seaturtle.pw/records/$NAME/AAAA
|
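Review bot: `APIKEY={{ api_key }}` renders the Gandi LiveDNS key into `/usr/local/bin/gandi-ddns.sh`, which main.yml installs with `mode: '0755'`, so every local account can read the secret; since the cronjob runs it as `user: root`, `mode: '0700'` is sufficient, or better, keep the key out of the script in a root-owned 0600 file (path to be chosen) that the script sources. Passing the key on the `ansible-playbook` command line (`--extra-vars "api_key=..."`, README) also leaves it in shell history and visible to other users via `ps` while the play runs; a vars file or Ansible Vault avoids that. The script has no error handling: if `IPV6` comes back empty the PUT still runs with `[""]`, and curl ignores HTTP errors, so add `set -euo pipefail` after the shebang, `[[ -n "$IPV6" ]] || { echo "no global IPv6 address found" >&2; exit 1; }` after the `IPV6=` line, and change `curl \` to `curl --fail --silent --show-error \`.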