From 5b87690d43d8a18b1ee5bf617be545f29a31c1ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=CE=A3rebe=20-=20Romain=20GERARD?= Date: Wed, 30 Aug 2023 23:58:47 +0200 Subject: [PATCH] Add toybox machine and move services around --- nodes/router/wireguard/wg0.conf | 4 ++++ nodes/toybox/config/allow-router-advertise | 9 +++++++++ nodes/toybox/justfile | 18 ++++++++++++++++++ nodes/toybox/k3s/config.yaml | 11 +++++++++++ nodes/toybox/wireguard/wg0.conf | 8 ++++++++ secrets/wireguard.yml | 6 ++++-- services/app/couber.yml | 2 +- services/app/warpgate.yml | 4 ++-- services/blog/blog.yml | 2 +- services/dashy/dashy.yml | 4 ++-- services/justfile | 2 +- services/minio/minio.yml | 2 +- services/nextcloud/nextcloud.yml | 2 +- services/vaultwarden/vaultwarden.yml | 7 ++++++- 14 files changed, 69 insertions(+), 12 deletions(-) create mode 100755 nodes/toybox/config/allow-router-advertise create mode 100644 nodes/toybox/justfile create mode 100644 nodes/toybox/k3s/config.yaml create mode 100644 nodes/toybox/wireguard/wg0.conf diff --git a/nodes/router/wireguard/wg0.conf b/nodes/router/wireguard/wg0.conf index b23efa4f9..dd20ee0ee 100644 --- a/nodes/router/wireguard/wg0.conf +++ b/nodes/router/wireguard/wg0.conf @@ -11,6 +11,10 @@ AllowedIPs = 10.200.0.2/32, fd00:cafe::2/128 PublicKey = __LAB_PUBLIC_KEY__ AllowedIPs = 10.200.0.3/32, fd00:cafe::3/128 +[Peer] +PublicKey = __TOYBOX_PUBLIC_KEY__ +AllowedIPs = 10.200.0.4/32, fd00:cafe::4/128 + [Peer] PublicKey = __MAIL_PUBLIC_KEY__ AllowedIPs = 10.200.0.5/32, fd00:cafe::5/128 diff --git a/nodes/toybox/config/allow-router-advertise b/nodes/toybox/config/allow-router-advertise new file mode 100755 index 000000000..076fccba9 --- /dev/null +++ b/nodes/toybox/config/allow-router-advertise @@ -0,0 +1,9 @@ +#!/bin/bash + +sysctl -w net.ipv6.conf.all.accept_ra=2 +sysctl -w net.ipv6.conf.ens18.accept_ra=2 + +# Allow traffic forwarding +sysctl -w net.ipv4.ip_forward=1 +sysctl -w net.ipv6.conf.all.forwarding=1 + 
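Review bot: The new allow-router-advertise script switches on `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` host-wide, and nothing in this commit shows the packet-filter policy that is supposed to go with it, so a reader cannot tell what the node is now allowed to route between the WireGuard overlay and its uplink. Add a comment above the forwarding block naming where that policy lives, e.g. `# Forwarding is needed for the overlay/k3s routing; filtering is done by <host firewall — TODO reference>`, and one above the first two lines explaining why `accept_ra=2` is used (with forwarding on, the kernel stops honouring router advertisements unless accept_ra is 2). The interface name `ens18` is hard-coded while the file is deployed per node, which deserves a one-line note as well. The router wg0.conf hunk above it only adds the toybox peer and needs nothing.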
diff --git a/nodes/toybox/justfile b/nodes/toybox/justfile
new file mode 100644
index 000000000..24aee6a94
--- /dev/null
+++ b/nodes/toybox/justfile
@@ -0,0 +1,18 @@
+set dotenv-load := false
+
+_default:
+ @just --list
+
+HOST := "erebe@192.168.1.10"
+
+wireguard:
+ sops exec-env ../../secrets/wireguard.yml 'cp wireguard/wg0.conf secrets_decrypted/; for i in $(env | grep _KEY | cut -d = -f1); do sed -i "s#__${i}__#${!i}#g" secrets_decrypted/wg0.conf ; done'
+ ssh {{HOST}} "sudo cat /etc/wireguard/wg0.conf" | diff - secrets_decrypted/wg0.conf || exit 0
+ rsync --rsync-path="sudo rsync" secrets_decrypted/wg0.conf {{HOST}}:/etc/wireguard/wg0.conf
+ rsync --rsync-path="sudo rsync" config/allow-router-advertise {{HOST}}:/etc/network/if-pre-up.d/allow-router-advertise
+ ssh {{HOST}} "sudo systemctl restart wg-quick@wg0.service && sudo systemctl enable wg-quick@wg0.service"
+
+k3s:
+ ssh {{HOST}} "sudo mkdir -p /etc/rancher/k3s"
+ rsync --rsync-path="sudo rsync" k3s/config.yaml {{HOST}}:/etc/rancher/k3s/config.yaml
+ ssh {{HOST}} "curl -sfL https://get.k3s.io | K3S_VERSION="v1.27.4+k3s1" K3S_URL=https://[fd00:cafe::3]:6443 K3S_TOKEN=12345 sh -s -"
diff --git a/nodes/toybox/k3s/config.yaml b/nodes/toybox/k3s/config.yaml
new file mode 100644
index 000000000..55e37d39d
--- /dev/null
+++ b/nodes/toybox/k3s/config.yaml
@@ -0,0 +1,11 @@
+node-name: "toybox"
+node-ip: "fd00:cafe::4,10.200.0.4"
+node-external-ip: "2001:861:3886:7e01:108b:87ff:fe77:c88"
+
+# https://docs.k3s.io/installation/network-options#dual-stack-ipv4--ipv6-networking
+kubelet-arg: "node-ip=::"
+token: 12345
+node-label: []
+node-taint:
+ - kubernetes.io/hostname=toybox:NoSchedule
+
diff --git a/nodes/toybox/wireguard/wg0.conf b/nodes/toybox/wireguard/wg0.conf
new file mode 100644
index 000000000..5eda06eb5
--- /dev/null
+++ b/nodes/toybox/wireguard/wg0.conf
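Review bot: The cluster join token is committed in clear text as `K3S_TOKEN=12345` on the last line of the k3s recipe, and again as `token: 12345` in nodes/toybox/k3s/config.yaml in the next hunk, while the same justfile routes every other secret through `sops exec-env` in the wireguard recipe. Sourcing the token the same way — a `__K3S_TOKEN__` placeholder substituted from the sops-encrypted file, and the `token:` key dropped from config.yaml or quoted as a string if it stays — would keep it out of the repository and out of the unquoted-integer trap. The version pin also looks ineffective: as far as I recall the get.k3s.io installer reads `INSTALL_K3S_VERSION`, not `K3S_VERSION`, so `v1.27.4+k3s1` may be silently ignored (verify against the installer), and the nested double quotes in `"curl ... K3S_VERSION="v1.27.4+k3s1" ..."` only work because the shell concatenates the adjacent quoted segments. The wireguard recipe writes the decrypted private key to `secrets_decrypted/wg0.conf` and never removes it; a comment stating that the directory is ignored by git and cleaned up would help the next reader confirm this.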
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.0.4/32, fd00:cafe::4/128
+PrivateKey = __TOYBOX_PRIVATE_KEY__
+
+[Peer]
+PublicKey = __ROUTER_PUBLIC_KEY__
+AllowedIPs = 10.200.0.0/24, fd00:cafe::/32
+Endpoint = [2001:861:3886:7e00::1]:995
diff --git a/secrets/wireguard.yml b/secrets/wireguard.yml
index 107e5bef7..75d1916ac 100644
--- a/secrets/wireguard.yml
+++ b/secrets/wireguard.yml
@@ -15,14 +15,16 @@ ROUTER_PRIVATE_KEY: ENC[AES256_GCM,data:qEHMMgH9IzDtsVcu3zWYq5J369/ZUfglXLhn8+mP ROUTER_PUBLIC_KEY: ENC[AES256_GCM,data:MTNdxoIVzmymbOmoYpB/VEaXDpNPh+CIeqc1BBah9tjzwKydfDb4351pFq4=,iv:CE/MfKoNYpS2A5knXf1LP/oGHieZ+KG471FQ5u+hiIE=,tag:SogFcnhQiOAO2Z+pHTgoLw==,type:str] MAIL_PRIVATE_KEY: ENC[AES256_GCM,data:GSVc0he0ku1ncB5x203stfoZ9gkgQn3yWCUh53aXXtmBgig7n2ad6ZrjBfI=,iv:MQbiBWJWYdQ1/l9rWIi2256eDr2OBCOCS81r+/xdZNs=,tag:M4sFUJGnc1Ly1D01heRdJw==,type:str] MAIL_PUBLIC_KEY: ENC[AES256_GCM,data:g6/57fjN8TWH0PwzKljHYFBi+W/MeNu7fo+UTKrpmoYERe7s3HLVYxGgfNU=,iv:trg/BE3+bUP4pU3+AwG3lztsAKGlQeNOHFCHK4uHu/s=,tag:IWATvlSACPaUU9MWyOEVrw==,type:str] +TOYBOX_PRIVATE_KEY: ENC[AES256_GCM,data:tL3jcvQUGZrXOmaBTfE/YGr2JiKvHGioPbcQNShXmzjK9gIOW+9v4b6+EhI=,iv:+f3656BY0R6ngU97/RK5X8ituEhTg5UlM5zDctCs1ME=,tag:0gKcLCo/N9bMKRP+PW6kEQ==,type:str] +TOYBOX_PUBLIC_KEY: ENC[AES256_GCM,data:PIwJgldmh4CW8sFde7kpQVer/urlgfKeBKw4o57Y2V7eE4v4tb9+fbCNm8A=,iv:Wbnz17i7wBY3rVVJwpgUdNCDaVWh6d2deZV6pvWFtGE=,tag:cP2YO+arHoi968CA7k6Y0w==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-08-27T17:50:58Z" - mac: ENC[AES256_GCM,data:QrUb2vnKx0IHlLCTnYgZpHiNU9tEJioFRo+Ye+Fq/Xj0r1rRR0O6HGCpJ79z0OdxWymQwCc7xLW4mOq32OGrZsO02PCn//73LXvD0P08S8hI+DJFKlJyuKO+4kcw0CQtJnnUZbgM0f0jWAVup+graA3p61hkqwoKHTTe/hkpXaI=,iv:RuFLufxJm8AhsD5qQKE0PsCL4QIxIjcC9hq+K/o1ZoA=,tag:EcVe52e0E2yE//iZw42UNw==,type:str] + lastmodified: "2023-08-30T20:35:10Z" + mac: ENC[AES256_GCM,data:9tXtfCBt1rpsSqiTmg1ZglTL7A81E51MQ413P2ozpJHJERbDeVqfi/dNyEIBa94lpGoom0gs1U8RJP0Fya2qWu9xrJ/wJewh7XXYJcvrKtMppMRfZDnSM69H5UEJlHP6zduBpgYGKFCoF2XqjR+LNZUV5hsteXj1cCLyNHczadA=,iv:dVHvMWjMYQyLQ3b4AWQivRxjyO94V7RO7xdnHJeM6Wc=,tag:DSZpBeaa+k1RDXATqL7wmA==,type:str] pgp: - created_at: "2020-12-18T14:25:40Z" enc: |- diff --git a/services/app/couber.yml b/services/app/couber.yml index 122f1e095..065289029 100644 --- a/services/app/couber.yml +++ b/services/app/couber.yml 
@@ -21,7 +21,7 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "server" + value: "toybox" containers: - name: couber image: ghcr.io/erebe/couber:latest diff --git a/services/app/warpgate.yml b/services/app/warpgate.yml index 3e6a66d44..b628264d0 100644 --- a/services/app/warpgate.yml +++ b/services/app/warpgate.yml @@ -26,7 +26,7 @@ spec: - key: kubernetes.io/hostname operator: In values: - - minio + - toybox containers: - name: warpgate image: ghcr.io/warp-tech/warpgate:v0.7.4 @@ -49,7 +49,7 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "minio" + value: "toybox" effect: "NoSchedule" - key: "node.kubernetes.io/unreachable" operator: "Exists" diff --git a/services/blog/blog.yml b/services/blog/blog.yml index 4a5ceb2f4..d975f006a 100644 --- a/services/blog/blog.yml +++ b/services/blog/blog.yml @@ -21,7 +21,7 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "server" + value: "toybox" containers: - name: blog image: ghcr.io/erebe/blog:latest diff --git a/services/dashy/dashy.yml b/services/dashy/dashy.yml index 17ae36ad7..5aefc66c1 100644 --- a/services/dashy/dashy.yml +++ b/services/dashy/dashy.yml @@ -30,7 +30,7 @@ spec: - key: kubernetes.io/hostname operator: In values: - - minio + - toybox containers: - name: dashy image: docker.io/lissy93/dashy:2.1.1 @@ -59,7 +59,7 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "minio" + value: "toybox" effect: "NoSchedule" - key: "node.kubernetes.io/unreachable" operator: "Exists" diff --git a/services/justfile b/services/justfile index bd28d4104..2c59485a7 100644 --- a/services/justfile +++ b/services/justfile @@ -34,7 +34,7 @@ app: kubectl apply -f app/couber.yml kubectl apply -f app/wstunnel.yml -waprgate: +warpgate: kubectl apply -f app/warpgate.yml blog: diff --git a/services/minio/minio.yml b/services/minio/minio.yml index 30a736587..ebbb84308 100644 --- a/services/minio/minio.yml 
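Review bot: In the couber.yml hunk, changing the toleration `value:` from "server" to "toybox" only permits the pod on the tainted toybox node; nothing in the hunk pins it there, and the toleration carries no `effect:`, so it matches every effect. The warpgate and dashy hunks on this line pair the toleration with a `nodeAffinity` `values:` entry, whereas couber.yml and blog.yml (and the nextcloud and vaultwarden hunks further on, moved to "minio") show only the toleration — if those manifests have no nodeSelector or affinity above the hunk, the scheduler may still place them on any untainted node. Either add the same affinity block the warpgate manifest uses, or put a comment on the toleration stating where the placement constraint lives.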
+++ b/services/minio/minio.yml @@ -35,7 +35,7 @@ spec: - name: minio image: docker.io/minio/minio:RELEASE.2022-10-24T18-35-07Z imagePullPolicy: IfNotPresent - args: ["server", "/mnt/data", "--console-address", ":80"] + args: ["server", "/mnt/data", "--console-address", ":80", "--address", ":9001"] env: - name: MINIO_ROOT_USER value: "admin" diff --git a/services/nextcloud/nextcloud.yml b/services/nextcloud/nextcloud.yml index 772919783..db6465a90 100644 --- a/services/nextcloud/nextcloud.yml +++ b/services/nextcloud/nextcloud.yml @@ -21,7 +21,7 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "server" + value: "minio" containers: - name: nextcloud image: linuxserver/nextcloud:amd64-25.0.0-php8 diff --git a/services/vaultwarden/vaultwarden.yml b/services/vaultwarden/vaultwarden.yml index 15a58ea95..ad8dd5188 100644 --- a/services/vaultwarden/vaultwarden.yml +++ b/services/vaultwarden/vaultwarden.yml @@ -21,17 +21,21 @@ spec: tolerations: - key: "kubernetes.io/hostname" operator: "Equal" - value: "server" + value: "minio" containers: - name: vaultwarden image: docker.io/vaultwarden/server:1.27.0 env: - name: DOMAIN value: "https://bitwarden.erebe.eu" + - name: ROCKET_ADDRESS + value: "::" - name: ROCKET_PORT value: "8088" - name: WEBSOCKET_ENABLED value: "true" + - name: WEBSOCKET_ADDRESS + value: "::" - name: WEBSOCKET_PORT value: "8089" - name: SHOW_PASSWORD_HINT @@ -98,6 +102,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" spec: tls: - hosts:
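Review bot: Adding `--address ":9001"` moves the MinIO S3 API off its default listening port, but per the diffstat this is the only line changed in services/minio/minio.yml, so the container `ports:`, any probe and the Service targetPort in that file are still whatever they were before; if they reference the old API port the API becomes unreachable while the console on :80 keeps working. Confirm the rest of the manifest and add a comment on the args line, e.g. `# API on 9001, console on 80 — keep in sync with containerPort / Service targetPort below`. The vaultwarden hunk binding `ROCKET_ADDRESS` and `WEBSOCKET_ADDRESS` to `"::"` is presumably for the dual-stack node-ip setup; a one-line comment saying so would save the next reader the guess.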