Cloud/Hetzner/AA: Difference between revisions

 
(212 intermediate revisions by the same user not shown)
Line 1: Line 1:
==SSH==
==Hetzner » Argo==
{|class='wikitable mw-collapsible'
!scope='col' style='width:900px' colspan='4'|
Hetzner » Argo
|-
!scope="col" style='width:180px'| Name
!scope="col" style='width:140px'| Network
!scope="col" style='width:240px'| Subnets
!scope="col" style='width:90px' | Forward
|-
| '''Hetzner » AA''' || <code>10.20.41.1/32</code>    || <code>10.20.41.1 … 1/32 = 01</code>  ||style='text-align:center'| ✅
|-
| Hetzner » AB      || <code>10.20.41.2/32</code>    || <code>10.20.41.2 … 2/32 = 01</code>  ||style='text-align:center'| ✅
|-
| Hetzner » AC      || <code>10.20.41.3/32</code>    || <code>10.20.41.3 … 3/32 = 01</code>  ||style='text-align:center'| ⚪️
|-
| Hetzner » AD      || <code>10.20.41.4/32</code>    || <code>10.20.41.4 … 4/32 = 01</code>  ||style='text-align:center'| ⚪️
|-
| Hetzner » AE      || <code>10.20.41.5/32</code>    || <code>10.20.41.5 … 5/32 = 01</code>  ||style='text-align:center'| ⚪️
|}
 
==Hetzner » Analyze==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » Analyze
|-
|valign='top'|
<syntaxhighlight lang="bash">
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip bash
 
cat <<'EXE' | sudo bash
free -th && echo && systemd-analyze && echo
df -h    && echo && lsblk && echo
swapon --show
EXE
</syntaxhighlight>
|}
 
==Hetzner » Add User==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:900px'|
Hetzner » Add User
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
</syntaxhighlight>
 
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo adduser -m        chorke
sudo passwd  -d        chorke
sudo passwd  -l        chorke
sudo chsh -s /bin/bash chorke
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang="bash">
sudo adduser -m        shahed
sudo passwd  -d        shahed
sudo passwd  -l        shahed
sudo chsh -s /bin/bash shahed
</syntaxhighlight>
 
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ssh -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip
sudo visudo
:'
# User privilege specification
root    ALL=(ALL:ALL) ALL
shahed  ALL=(ALL:ALL) ALL
 
# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
 
# Allow members of group sudo to execute any command
%sudo  ALL=(ALL:ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
 
# See sudoers(5) for more information on "@include" directives:
 
@includedir /etc/sudoers.d
'
</syntaxhighlight>
</syntaxhighlight>
|}


==Add User==
==Hetzner » SSH Config ==
{|class='wikitable mw-collapsible'
!scope='col' style='width:900px'|
Hetzner » Config » SSH
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# root
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
passwd


adduser chorke
cat << EXE | sudo bash
passwd  chorke
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'              -i /etc/ssh/sshd_config
systemctl restart ssh
EXE
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
EXE
</syntaxhighlight>


adduser shahed
|-
passwd  shahed
|valign='top'|
<syntaxhighlight lang="bash">
sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys
</syntaxhighlight>
</syntaxhighlight>
|}


==APT Update==
==Hetzner » APT Update==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » APT Update
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
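Review bot: The sshd hardening in the SSH Config cell of this hunk (`sed 's|#PermitRootLogin yes|PermitRootLogin no|' -i /etc/ssh/sshd_config` and its three sibling seds) only changes anything if the file still carries those exact commented-out defaults; on current Debian/Ubuntu images the stock line is `#PermitRootLogin prohibit-password`, so that substitution is likely a no-op and root key login stays enabled, and where the stock config `Include`s `/etc/ssh/sshd_config.d/` a drop-in there takes precedence over the main file anyway. The `sshd -T | grep` cell that follows is the right verification, but it runs only after `systemctl restart ssh`; validate with `sshd -t` before restarting and keep the current root session open until a key login as the new user has been confirmed. Writing the four settings as a drop-in makes the change independent of the file's comment wording (the drop-in file name below is a constructed example). The hunk ends inside the APT Update cell, whose heredoc continues in the next hunk.
```shell
cat << EXE | sudo bash
# … unchanged: passwd  chorke …
cat <<'CFG' | tee /etc/ssh/sshd_config.d/<nn>-hardening.conf >/dev/null
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
CFG
sshd -t && systemctl restart ssh
EXE
```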
Line 22: Line 136:
mkdir -p /etc/apt/keyrings
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg build-essential snap jq
apt-get install -y apt-transport-https ca-certificates \
  gnupg build-essential snapd jq traceroute moreutils;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE|sudo bash
PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq
chmod +x /usr/local/bin/yq
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
|}


==Swap Space==
==Hetzner » Swap Space==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » Swap Space
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
echo 'swapon --show'|sudo bash
echo 'swapon --show'|sudo bash
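Review bot: The yq install in this hunk (`wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq`) drops an unverified binary fetched from a floating `latest` URL straight into root's PATH, and because the line is not chained to the following `chmod +x`, a failed download still leaves an empty but executable `/usr/local/bin/yq`. Pin a release tag, check the download against the checksum file the project publishes with each release, and install it atomically with `install -m 0755`; a quoted heredoc (`cat <<'EXE'`), as other cells on this page already use, also removes the `\$` escaping. The version and checksum below are placeholders to fill in from the chosen release.
```shell
cat <<'EXE'| sudo bash
YQ_VERSION=<pinned release tag>
PLATFORM=$(uname -s)_$(dpkg --print-architecture)
YQ_BINARY=$(echo "yq_${PLATFORM}"|tr '[:upper:]' '[:lower:]')
TMP=$(mktemp)
wget -q "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY}" -O "${TMP}" \
  && echo "<sha256 from the release checksums file>  ${TMP}" | sha256sum -c - \
  && install -m 0755 "${TMP}" /usr/local/bin/yq
rm -f "${TMP}"
EXE
```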
Line 39: Line 171:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << FST | sudo tee -a /etc/fstab >/dev/null
cat << FST | sudo tee -a /etc/fstab >/dev/null
# loop based swap storage » 16GB + 4GB  
# loop based swap storage » 16GB + 4GB  
/swap.img              none            swap    sw              0      0
/swap.img              none            swap    sw              0      0
Line 44: Line 177:


free -th
free -th
cat /etc/fstab  
cat /etc/fstab
systemctl daemon-reload
echo 'swapon --show'|sudo bash
echo 'swapon --show'|sudo bash
</syntaxhighlight>
</syntaxhighlight>
|}


==Utility » Tool==
==Hetzner » Attach Volume==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Linode » Attach Volume
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE|sudo bash
cat <<'EXE'| sudo bash
PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
mkdir -p /var/minikube/pvc
YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
mkfs.ext4 -F /dev/disk/by-id/scsi-0HC_Volume_102736305
wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/bin/yq && chmod +x /usr/bin/yq
cat <<'FST'| tee -a /etc/fstab >/dev/null
 
# hetzner-aa » attach 80gb storage » hetzner-aa-vol-aa
/dev/disk/by-id/scsi-0HC_Volume_102736305 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
FST
chown minikube:minikube -R /var/minikube/pvc/
systemctl daemon-reload
mount -a
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
|}


==Containerize » LXD==
==Hetzner » Containerize » LXD==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:900px'|
Hetzner » Containerize » LXD
|-
|valign='top' style='width:440px'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
Line 68: Line 221:
echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u shahed bash
</syntaxhighlight>
</syntaxhighlight>
----
 
|valign='top' rowspan='2' style='width:440px'|
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml">
cat <<YML | sudo lxd init --preseed
cat <<YML | sudo lxd init --preseed
Line 106: Line 260:
YML
YML
</syntaxhighlight>
</syntaxhighlight>
----
 
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo ufw enable
sudo ufw enable
Line 112: Line 268:


cat << EXE | sudo bash
cat << EXE | sudo bash
ufw allow OpenSSH
ufw       allow OpenSSH
ufw allow in on lxdbr0
ufw       allow in on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
ufw route allow out on lxdbr0
Line 128: Line 284:
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'
cat <<'EXE'| lxc exec academia -- sh
ping -c5 chorke.org
ping -c5 shahed.biz
EXE
</syntaxhighlight>
|}


==Containerize » Docker==
==Hetzner » Containerize » Docker==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » Containerize » Docker
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
Line 146: Line 319:
apt list -a --upgradable;apt-get upgrade -y;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 155: Line 329:
     "mtu"  : 1500,
     "mtu"  : 1500,
     "dns"  : [
     "dns"  : [
        "1.1.1.1",
         "8.8.8.8",
         "8.8.8.8",
         "8.8.4.4"
         "192.168.49.2"
     ],
     ],
     "debug": true
     "debug": true
Line 172: Line 347:
usermod -aG docker shahed
usermod -aG docker shahed
EXE
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
ip a
docker image ls
docker network ls


ip a
echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u chorke bash
cat <<'EXE'| docker run --rm -i alpine sh
echo
cat /etc/hosts      ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org  ;echo
ping -c5 shahed.biz  ;echo
EXE
</syntaxhighlight>
</syntaxhighlight>
|}


==Cloudflare » VIRT==
==Hetzner » Cloudflare » VIRT==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » Cloudflare » VIRTl
|-
|valign='top'|
<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
Line 198: Line 392:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
systemctl enable  warp0.service
systemctl daemon-reload
systemctl start  warp0.service
systemctl enable --now warp0.service
systemctl status warp0.service
systemctl status       warp0.service
EXE
EXE


ip a
ip a
</syntaxhighlight>
</syntaxhighlight>
|}


==Cloudflare » Argo Tunnel==
==Hetzner » Cloudflare » Argo » Tunnel==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » Cloudflare » Argo » Tunnel
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
Line 212: Line 412:
       rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb
       rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb
</syntaxhighlight>
</syntaxhighlight>
----
<syntaxhighlight lang="properties">
cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null
###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000
# 208 KiB Default RX Buffer
net.core.rmem_default=212992
# 208 KiB Default TX Buffer
net.core.wmem_default=212992
# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608
# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608
SYS


sudo sysctl -p
</syntaxhighlight>
----
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👈]]
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👈]]
|}


==Cloudflare » WARP Tunnel==
==Hetzner » Cloudflare » WARP » Tunnel==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » Cloudflare » WARP » Tunnel
|-
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
lxc launch ubuntu:24.04 cloudflare
lxc launch ubuntu:24.04 cloudflare
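Review bot: `cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null` in the Argo Tunnel cell of this hunk appends the whole block again on every run, so re-running the cell accumulates duplicate `net.core.*` and `net.ipv4.ping_group_range` entries in `/etc/sysctl.conf`. Write the block to its own file with overwrite semantics instead, `cat <<'SYS' | sudo tee /etc/sysctl.d/<nn>-cloudflared.conf >/dev/null` (file name is a constructed example), and load it with `sudo sysctl --system` rather than `sudo sysctl -p`, which without an argument reads only `/etc/sysctl.conf`. This keeps the settings idempotent and separable from the distribution's own file.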
Line 227: Line 459:
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat <<'EXE' | lxc exec cloudflare -- bash
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo tee /etc/apt/keyrings/cloudflare.asc >/dev/null
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}");\
cat << SRC | sudo tee /etc/apt/sources.list.d/cloudflare.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
signed-by=/etc/apt/keyrings/cloudflare.asc]\
https://pkg.cloudflareclient.com/ ${DISTRIBUTION} main
SRC


cat /etc/apt/sources.list.d/cloudflare.list
cat /etc/apt/keyrings/cloudflare.asc
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y cloudflare-warp && apt-get clean
EXE
lxc exec cloudflare -- bash
sudo vim /etc/sysctl.conf
</syntaxhighlight>
<syntaxhighlight lang="ini" line start="27" highlight="2">
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
</syntaxhighlight>
----
sudo sysctl -p
'''net.ipv4.ip_forward = 1'''
ip route | grep default
default via 10.20.0.1 dev eth0 proto dhcp src 10.20.0.161 metric 100
----
<syntaxhighlight lang="bash">
lxc snapshot cloudflare base:2024.12.554.0
lxc publish  cloudflare/base:2024.12.554.0 --alias cloudflare/base:2024.12.554.0
lxc restore  cloudflare base:2024.12.554.0
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
lxc exec cloudflare -- bash
sudo warp-cli status
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat <<'EXE' | lxc exec cloudflare -- bash
warp-cli connector new eyJhIjoiNW…
warp-cli connect
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | lxc exec cloudflare -- bash
warp-cli status
systemctl daemon-reload
systemctl enable --now warp-svc.service
systemctl status      warp-svc.service
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | lxc exec cloudflare -- bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get -y install iptables-persistent && apt-get clean cache
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | lxc exec cloudflare -- bash
# allow forwarding traffic from host
iptables -A FORWARD -i eth0 -o CloudflareWARP -j ACCEPT
iptables -A FORWARD -i CloudflareWARP -o eth0 -j ACCEPT
# cloudflarewarp nat gateway setup for host
iptables -t nat -A POSTROUTING -o CloudflareWARP -j MASQUERADE
# persist across reboots, save the rules
        mkdir -p /etc/iptables/
iptables-save  > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
lxc snapshot cloudflare shahed:2025.03.09
lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore  cloudflare shahed:2025.03.09
</syntaxhighlight>
----
[[Cloudflare/WARP Connector#WARP Client|Skipped » Find More » 👈]]
[[Cloudflare/WARP Connector#WARP Client|Skipped » Find More » 👈]]
|}
==Hetzner » Cloudflare » WARP » Exclude==
{|class='wikitable mw-collapsible'
!scope='col' colspan="3" style='width:900px'|
Hetzner » Cloudflare » WARP » Exclude
|-
| colspan="3"| <code>Settings » 0Trust » WARP Client » Device settings » Profile settings » Default » Configure » </code>
|-
| colspan="3"| <code>Split Tunnels » Exclude IPs and domains » Manage » Manage Split Tunnels</code>
|-
!scope="col"| Name    !!scope="col"| Network            !!scope="col"              | Exclude
|-
| Network » OpenVPN  || <code>10.20.30.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » Hetzner  || <code>10.20.31.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » Docker    || <code>10.20.13.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » Home      || <code>10.19.83.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » LXD      || <code>10.20.0.0/24</code>      ||style='text-align:center'| ✅
|-
!scope="col"| Name    !!scope="col"| Network            !!scope="col"              | Exclude
|-
| Network » WiFi      || <code>192.168.10.0/24</code>  ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>192.168.1.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>192.168.0.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>172.17.0.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>172.16.0.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>10.10.10.0/24</code>    ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>10.0.1.0/24</code>      ||style='text-align:center'| ✅
|-
| Network » WiFi      || <code>10.0.0.0/24</code>      ||style='text-align:center'| ✅
|}
==Hetzner » Cloudflare » WARP » Forward==
{|class='wikitable mw-collapsible'
!scope='col' colspan="4" style='width:900px'|
Hetzner » Cloudflare » WARP » Forward
|-
!scope="col" colspan="4" | Implement Forward Routing
|-
!scope="col" style='width:180px'| Name
!scope="col" style='width:140px'| Network
!scope="col" style='width:220px'| Subnets
!scope="col" style='width:90px' | Forward
|-
| Network » Cloud        || <code>10.20.40.0/21</code>    || <code>10.20.40 … 47.0/24 = 8</code>  ||style='text-align:center'| ✅
|-
| Network » Cloud        || <code>10.20.48.0/21</code>    || <code>10.20.48 … 55.0/24 = 8</code>  ||style='text-align:center'| ⚪️
|-
| Network » Cloud        || <code>10.20.56.0/21</code>    || <code>10.20.56 … 63.0/24 = 8</code>  ||style='text-align:center'| ⚪️
|-
| Network » Cloud        || <code>10.20.46.0/23</code>    || <code>10.20.46 … 47.0/24 = 2</code>  ||style='text-align:center'| ⚪️
|-
| Network » Cloud        || <code>10.20.48.0/23</code>    || <code>10.20.48 … 49.0/24 = 2</code>  ||style='text-align:center'| ✅
|-
| Network » Cloud        || <code>10.20.50.0/23</code>    || <code>10.20.50 … 51.0/24 = 2</code>  ||style='text-align:center'| ⚪️
|-
!scope="col" style='width:180px'| Name
!scope="col" style='width:140px'| Network
!scope="col" style='width:220px'| Subnets
!scope="col" style='width:90px' | Forward
|-
| Network » Office      || <code>10.20.10.0/24</code>    || <code>10.20.10 … 10.0/24 = 1</code>  ||style='text-align:center'| ✅
|}
==Cloudflare » WARP » Forward » Route==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
'''Cloudflare » WARP » IP » Route » Service'''
|-
|valign='top'|
vim /etc/sysctl.conf
<syntaxhighlight lang="ini" line start="27" highlight="2">
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
</syntaxhighlight>
----
sudo sysctl -p
'''net.ipv4.ip_forward = 1'''
ip route | grep default
default via 172.31.1.1 dev eth0 proto dhcp src 65.21.251.38 metric 100
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << ENV | tee /etc/default/warp-route >/dev/null
LXC_WARP_CLI_NAME=cloudflare
LXC_WARP_CLI_HOST=$(lxc list -f=json cloudflare | jq -r '.[]|.state.network.eth0.addresses[]|select(.family=="inet")|.address')
ENV
echo
cat /etc/default/warp-route
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="ini">
cat <<'INI' | sudo tee /etc/systemd/system/warp-route.service >/dev/null
[Unit]
Description=WARP Routes Over Clodflare LXC
Wants=network-online.target docker.service snap.lxd.daemon.service containerd.service
After=network-online.target docker.service snap.lxd.daemon.service containerd.service
[Service]
Type=oneshot
EnvironmentFile=-/etc/default/warp-route
ExecStartPre=/bin/sleep 15
ExecStartPre=/bin/bash -c "if [ -z \"${LXC_WARP_CLI_HOST}\" ]; then echo \"Variable LXC_WARP_CLI_HOST not set in /etc/default/warp-route\"; errors_exit; fi"
ExecStart=/usr/sbin/ip route add 10.20.10.0/24 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via ${LXC_WARP_CLI_HOST}
ExecStop=/usr/sbin/ip  route del 10.20.10.0/24
ExecStop=/usr/sbin/ip  route del 10.20.40.0/21
ExecStop=/usr/sbin/ip  route del 10.20.48.0/23
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl enable  --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | bash
traceroute 10.20.40.1
traceroute 10.20.41.1
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl disable --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Install & Configure==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » LB » HAProxy » Install & Configure
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y haproxy certbot;echo;haproxy -v;echo
cat /etc/haproxy/haproxy.cfg;echo
apt-get clean cache
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
sudo ufw status numbered
sudo iptables -S
cat << EXE | sudo bash
ufw      allow 80/tcp
ufw      allow 443/tcp
ufw      allow 4321/tcp
EXE
sudo ufw status numbered
sudo iptables -S
</syntaxhighlight>
----
[[HAProxy/Frontend#HAProxy » Reconfig|Skipped » Find More » 👈]]
----
<syntaxhighlight lang="bash">
cat <<'EXE'| sudo bash
        /etc/haproxy/proxy-scripts/reconfig
ls -alh /etc/haproxy/{haproxy.cfg,proxy-{backups,configs,default,enabled,scripts}}
EXE
    nmap --reason mail.shahed.biz -sT -Pn -p25,587,110,995,143,993,465,4190
    nmap --reason  vpn.shahed.biz -sT -Pn --top 20
    nmap --reason  git.shahed.biz -sT -Pn -p4321
    nmap --reason  vpn.shahed.biz -sT -Pn -p1194
sudo nmap --reason  vpn.shahed.biz -sU -Pn -p1194
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Frontend » HTTP Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
HAProxy » Frontend » HTTP
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null
# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend          fnt_shahed_biz
  bind            *:80
  mode            http
  acl            path-is-acme-challenge                path_beg /.well-known/acme-challenge/
  http-request    redirect scheme https code 301        unless path-is-acme-challenge
  use_backend    bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
  default_backend bck_letsencrypt_org_acme_challenge
backend            bck_letsencrypt_org_acme_challenge
  server          letsencrypt 127.0.0.1:19830
  mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Frontend » HTTPS Config==
<syntaxhighlight lang="bash" highlight="3-4">
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
(cd /etc/letsencrypt/live/k8s.aa.hetzner.shahed.biz/;ln -s privkey.pem fullchain.pem.key)
certbot renew --http-01-port=19830 --force-renewal
certbot renew --http-01-port=19830
</syntaxhighlight>
----
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
HAProxy » Frontend » HTTPS
|-
|valign='top'|
<syntaxhighlight lang="bash">
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  cid.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  dev.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  hub.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  reg.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d wiki.chorke.org
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend          fnt_shahed_biz_ssl
  bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
  mode            http
  acl            host-is-k8s-aa-hetzner-shahed-biz    hdr(host) -i k8s.aa.hetzner.shahed.biz
  acl            host-is-cid-shahed-biz                hdr(host) -i            cid.chorke.org
  acl            host-is-dev-shahed-biz                hdr(host) -i            dev.chorke.org
  acl            host-is-hub-shahed-biz                hdr(host) -i            hub.chorke.org
  acl            host-is-reg-shahed-biz                hdr(host) -i            reg.chorke.org
  acl            host-is-wiki-chorke-org              hdr(host) -i          wiki.chorke.org
  acl            path-is-artifactory                  path_beg /artifactory/
  acl            path-is-jenkins                      path_beg /jenkins/
  acl            path-is-gitlab                        path_beg /gitlab/
  acl            path-is-nexus                        path_beg /nexus/
  http-request    set-header X-Forwarded-For            %[src]
  http-request    set-header X-Forwarded-Proto          https
  use_backend    bck_shahed_biz_cid_artifactory        if            host-is-cid-shahed-biz path-is-artifactory
  use_backend    bck_shahed_biz_cid_jenkins            if            host-is-cid-shahed-biz path-is-jenkins
  use_backend    bck_shahed_biz_cid_gitlab            if            host-is-cid-shahed-biz path-is-gitlab
  use_backend    bck_shahed_biz_cid_nexus              if            host-is-cid-shahed-biz path-is-nexus
  use_backend    bck_shahed_biz_hub_nexus              if            host-is-hub-shahed-biz
  use_backend    bck_shahed_biz_reg_nexus              if            host-is-reg-shahed-biz
  use_backend    bck_shahed_biz_hetzner_aa_k8s        if host-is-k8s-aa-hetzner-shahed-biz
  use_backend    bck_shahed_biz_hetzner_aa_k8s        if          host-is-wiki-chorke-org
  default_backend bck_shahed_biz_cid
backend            bck_shahed_biz_cid_artifactory
  server          shahed_ah_artifactory 10.20.40.8:8084
  mode            http
backend            bck_shahed_biz_cid_jenkins
  server          shahed_ah_jenkins 10.20.40.8:8080
  mode            http
backend            bck_shahed_biz_cid_gitlab
  server          shahed_af_gitlab 10.20.40.6:80
  mode            http
backend            bck_shahed_biz_cid_nexus
  server          shahed_ah_nexus 10.20.40.8:8081
  mode            http
backend            bck_shahed_biz_hub_nexus
  server          shahed_ah_nexus 10.20.40.8:8082
  mode            http
backend            bck_shahed_biz_reg_nexus
  server          shahed_ah_nexus 10.20.40.8:8083
  mode            http
backend            bck_shahed_biz_hetzner_aa_k8s
  server          hetzner_aa_k8s 192.168.49.2:80
  mode            http
backend            bck_shahed_biz_cid
  server          shahed_am_apache2 10.20.40.13:80
  mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
certbot renew --http-01-port=19830 --force-renewal
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Frontend » OVPN Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » LB » HAProxy » Frontend » OVPN Config
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null
# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc
# udp mode not supported, please go with iptables forward
# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE
# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Frontend » Git Repo Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » LB » HAProxy » Frontend » Git Repo Config
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null
# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc
frontend          fnt_shahed_biz_git_gitlab_ssh
  bind            *:4321
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_git_gitlab_ssh
backend            bck_shahed_biz_git_gitlab_ssh
  server          shahed_af_gitlab 10.20.40.6:4321
  mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@git.chorke.org bash
ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@aa.hetzner.shahed.biz bash
</syntaxhighlight>
|}
==Hetzner » LB » HAProxy » Frontend » Kube API Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » LB » HAProxy » Frontend » Kube API Config
|-
|valign='top'|
<syntaxhighlight lang="bash" highlight="3-4">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null
# ##############################################################################
# tcp frontend config for 10.20.41.1:8443
# this config added by chorke academia, inc
frontend          fnt_shahed_biz_hetzner_aa
  bind            *:8443
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_hetzner_aa
backend            bck_shahed_biz_hetzner_aa
  server          hetzner_aa 192.168.49.2:8443
  mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
systemctl disable --now minikube.service
vim /etc/systemd/system/minikube.service
# append --apiserver-ips=10.20.41.1 with ExecStart
systemctl enable --now minikube.service
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
ssh -qt root@10.20.41.1 bash
sudo -i -u minikube
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
# run this script on the minikube host. copy the generated output and
# execute it on your local machine's terminal to enable monitoring of
# the minikube cluster.
cat << LOG
$(cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
apiVersion: v1
kind: Config
clusters:
- name: minikube
  cluster:
    server: https://10.20.41.1:8443
    certificate-authority: ../.minikube/ca.crt
contexts:
- name: hetzner-aa
  context:
    cluster: minikube
    namespace: default
    user: minikube
users:
- name: minikube
  user:
    client-certificate: ../.minikube/profiles/minikube/client.crt
    client-key: ../.minikube/profiles/minikube/client.key
current-context: hetzner-aa
YML
)
cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
$(export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml;\
kubectl config view --flatten;\
rm ${KUBECONFIG};\
)
YML
chmod 600 ~/.kube/hetzner-aa-kubeconfig.yaml
  ls -alh ~/.kube/
export KUBECONFIG=~/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
kubectl get    namespace
$(echo -n)
LOG
</syntaxhighlight>
|}
==LB » HAProxy » Frontend » Mail TCP Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
'''LB » HAProxy » Frontend » Mail TCP Config'''
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null
# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc
# haproxy:        mail.shahed.biz:25
frontend          fnt_shahed_biz_mail_smtp_25
  bind            *:25
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_smtp_25
backend            bck_shahed_biz_mail_smtp_25
  server          shahed_va 10.20.40.200:25
  mode            tcp
# haproxy:        mail.shahed.biz:587
frontend          fnt_shahed_biz_mail_smtp_587
  bind            *:587
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_smtp_587
backend            bck_shahed_biz_mail_smtp_587
  server          shahed_va 10.20.40.200:587
  mode            tcp
# haproxy:        mail.shahed.biz:110
frontend          fnt_shahed_biz_mail_pop3_110
  bind            *:110
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_pop3_110
backend            bck_shahed_biz_mail_pop3_110
  server          shahed_va 10.20.40.200:110
  mode            tcp
# haproxy:        mail.shahed.biz:995
frontend          fnt_shahed_biz_mail_pop3_995
  bind            *:995
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_pop3_995
backend            bck_shahed_biz_mail_pop3_995
  server          shahed_va 10.20.40.200:995
  mode            tcp
# haproxy:        mail.shahed.biz:143
frontend          fnt_shahed_biz_mail_imap_143
  bind            *:143
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_imap_143
backend            bck_shahed_biz_mail_imap_143
  server          shahed_va 10.20.40.200:143
  mode            tcp
# haproxy:        mail.shahed.biz:993
frontend          fnt_shahed_biz_mail_imap_993
  bind            *:993
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_imap_993
backend            bck_shahed_biz_mail_imap_993
  server          shahed_va 10.20.40.200:993
  mode            tcp
# haproxy:        mail.shahed.biz:465
frontend          fnt_shahed_biz_mail_smtps_465
  bind            *:465
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_smtps_465
backend            bck_shahed_biz_mail_smtps_465
  server          shahed_va 10.20.40.200:465
  mode            tcp
# haproxy:        mail.shahed.biz:4190
frontend          fnt_shahed_biz_mail_sieve_4190
  bind            *:4190
  mode            tcp
  option          tcplog
  option          dontlognull
  default_backend bck_shahed_biz_mail_sieve_4190
backend            bck_shahed_biz_mail_sieve_4190
  server          shahed_va 10.20.40.200:4190
  mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
|}
==Hetzner » Kubernetes » Minikube » Install & Configure==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » Kubernetes » Minikube » Install & Configure
|-
|valign='top'|
<syntaxhighlight lang="bash">
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo tee /etc/apt/keyrings/kubernetes.asc >/dev/null
cat << SRC | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.asc] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /
SRC
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;echo
apt-get install -y apache2-utils kubectl;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
if [ -x "$(command -v curl)" ];then \
sudo apt -qq update;\
export MINIKUBE_CPU_USE=6;\
export MINIKUBE_RAM_USE=13529;\
export MINIKUBE_INGRESS_HOST='k8s.aa.hetzner.shahed.biz';\
bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt');\
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
</syntaxhighlight>
----
[[Minikube Systemd|Skipped » Find More » 👈]]
|}
==Hetzner » Kubernetes » Minikube » Tunnel » Create Service==
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
Hetzner » Kubernetes » Minikube » Tunnel » Create Service
|-
!scope='col'| Beginners
!scope='col'| Professional
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo visudo
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
sudo visudo -f /etc/sudoers.d/minikube
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
</syntaxhighlight>
|-
|valign='top' colspan='2' |
<syntaxhighlight lang="bash">
cat << INI | sudo tee /etc/systemd/system/minikube-tunnel.service >/dev/null
[Unit]
Description=Minikube Tunnel
Documentation=https://minikube.sigs.k8s.io/docs/commands/tunnel/
After=network-online.target containerd.service docker.service minikube.service
Requires=network-online.target containerd.service docker.service minikube.service
Wants=network-online.target docker.service minikube.service
AssertFileIsExecutable=/var/minikube/bin/minikube
[Service]
User=minikube
Group=minikube
ProtectProc=invisible
StandardOutput=journal
WorkingDirectory=/var/minikube
EnvironmentFile=-/etc/default/minikube
ExecStart=/var/minikube/bin/minikube tunnel --cleanup=true
Restart=always
SendSIGKILL=no
TasksMax=infinity
TimeoutStopSec=infinity
[Install]
WantedBy=multi-user.target
INI
</syntaxhighlight>
|-
|valign='top' colspan='2' |
<syntaxhighlight lang="bash">
sudo systemctl enable  --now minikube-tunnel.service
sudo systemctl disable --now minikube-tunnel.service
</syntaxhighlight>
----
[[Minikube Tunnel#Systemd|Skipped » Find More 👉 Minikube » Tunnel » Systemd]]
----
[[Minikube MetalLB#MetalLB » Forward » Route|Skipped » Find More 👉 Minikube » MetalLB » Forward » Route]]
|}
==Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Hetzner » K8s » Dashboard » Ingress » Apply
|-
|valign='top'|
<syntaxhighlight lang="bash">
export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
</syntaxhighlight>
----
<syntaxhighlight lang="yaml" highlight="14-16,20" line>
cat << YML | kubectl -n kubernetes-dashboard apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
spec:
  ingressClassName: nginx
  rules:
    - host: k8s.aa.hetzner.shahed.biz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80
YML
</syntaxhighlight>
----
[[K8s/Ingress#CoreDNS|Skipped » Find More 👉 K8s » CoreDNS]]
----
[[K8s/Ingress#Ingress » Dashboard|Skipped » Find More 👉 K8s » Dashboard]]
|}
==Hetzner » Kubernetes » Debug » MariaDB==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1100px'|
Hetzner » Kubernetes » Debug » MariaDB
|-
|valign='top' style='width:540px'|
<syntaxhighlight lang="bash">
export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
kubectl create ns  swiss-knife
kubectl get ns|grep swiss-knife
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
mariadb -u academia -D academia -P3306 -h 10.20.31.3
telnet 10.20.31.3 3306
echo ${MYSQL_PWD}
</syntaxhighlight>
|}
==Hetzner » Kubernetes » Debug » PostgreSQL==
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
Hetzner » Kubernetes » Debug » PostgreSQL
|-
|valign='top' style='width:540px'|
<syntaxhighlight lang="bash">
export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
kubectl create ns  swiss-knife
kubectl get ns|grep swiss-knife
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 10.20.31.3 5432
echo ${PGPASSWORD}
psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_aa -d bouncer_aa -p5432 -h 192.168.49.103
psql -U bouncer_aa -d bouncer_aa -p5432 -h 10.20.31.3
</syntaxhighlight>
|}
==Playground==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1100px'|
'''Playground'''
|-
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
certbot delete --cert-name k8s.aa.hetzner.shahed.biz
certbot delete --cert-name cid.chorke.org
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done;\
printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI
sudo visudo
sudo cat /etc/sudoers
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI
sudo visudo -f /etc/sudoers.d/minikube
sudo cat      /etc/sudoers.d/minikube
</syntaxhighlight>
|}


==References==
==References==
{|
{|
|valign="top"|
|valign="top"|
* [[Cloudflare/WARP Connector|Cloudflare » WARP Connector]]
* [[Cloud/Hetzner/AA|Cloud » Hetzner » AA]]
* [[Cloudflare/Argo Tunnel|Cloudflare » Argo Tunnel]]
* [[Cloud/Hetzner/AB|Cloud » Hetzner » AB]]
* [[Cloudflare/WARP Host|Cloudflare » WARP Host]]
* [[Cloud/Linode/AA|Cloud » Linode » AA]]
* [[Cloud Computing Cost]]
* [[Cloud/Shahed/AA|Cloud » Shahed » AA]]
* [[OpenLDAP/BackSQL|OpenLDAP » BackSQL]]
* [[Cloud/Shahed/AB|Cloud » Shahed » AB]]
* [[Swap Space]]
* [[Cloud/Shahed/AC|Cloud » Shahed » AC]]
* [[OpenLDAP]]
* [[Cloud/Shahed/AD|Cloud » Shahed » AD]]
* [[Cloudflare]]
* [[Cloud/Shahed/AE|Cloud » Shahed » AE]]
* [[Cloud/Shahed/AF|Cloud » Shahed » AF]]
* [[Cloud/Shahed/AG|Cloud » Shahed » AG]]
 
|valign="top"|
* [[Cloud/Shahed/AH|Cloud » Shahed » AH]]
* [[Cloud/Shahed/AI|Cloud » Shahed » AI]]
* [[Cloud/Shahed/AJ|Cloud » Shahed » AJ]]
* [[Cloud/Shahed/AK|Cloud » Shahed » AK]]
* [[Cloud/Shahed/AL|Cloud » Shahed » AL]]
* [[Cloud/Shahed/AM|Cloud » Shahed » AM]]
* [[Cloud/Shahed/AN|Cloud » Shahed » AN]]
* [[Cloud/Shahed/VA|Cloud » Shahed » VA]]


|valign="top"|
|valign="top"|
Line 247: Line 1,491:


|-
|-
| colspan="3" |
|colspan="4"|
----
----
|-
|-
| valign="top" |
|valign="top"|
* [[Ubuntu/Raspberry Pi]]
* [[Minikube Ingress DNS| Minikube » Ingress » DNS]]
* [[Ubuntu Upgrade]]
* [[Minikube Systemd|Minikube » Systemd]]
* [[ActiveMQ]]
* [[Minikube MetalLB|Minikube » MetalLB]]
* [[Minikube Registry|Minikube » Registry]]
* [[Minikube Tunnel|Minikube » Tunnel]]
* [[Minikube]]
* [[Minikube]]
* [[Keycloak]]
* [[CIDR]]
* [[Hadoop]]
* [[UFW]]
* [[Jenkins]]
* [[YQ Tool|YQ]]
* [[WildFly]]
* [[JQ Tool|JQ]]
* [[Spark]]
 
* [[MinIO]]
|valign="top"|
* [[K8s/Academia/Ingress|K8s » Academia » Ingress]]
* [[K8s/HAProxy/Ingress|K8s » HAProxy » Ingress]]
* [[K8s/Apache/Ingress|K8s » Apache » Ingress]]
* [[K8s/Nginx/Ingress|K8s » Nginx » Ingress]]
* [[K8s/Swiss Knife|K8s » Swiss Knife]]
* [[K8s/Storage|K8s » Storage]]
* [[K8s/Ingress|K8s » Ingress]]
* [[K8s/Service|K8s » Service]]
* [[K8s/Run|K8s » Run]]
* [[K8s]]
 
|valign="top"|
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
* [[Helm/Cert Manager|Helm » Cert Manager]]
* [[Helm/Elasticsearch|Helm » Elasticsearch]]
* [[Minikube MetalLB|Helm » MetalLB]]
* [[Helm/Jenkins|Helm » Jenkins]]
* [[Helm/GitLab|Helm » GitLab]]
* [[Helm/Nexus|Helm » Nexus]]
* [[Helm/MinIO|Helm » MinIO]]
* [[Helm/Kafka|Helm » Kafka]]
* [[Helm/Redis|Helm » Redis]]
 
|valign="top"|
* [[Security/Container/Snyk|Security » Container » Snyk]]
* [[Security/Container/Trivy|Security » Container » Trivy]]
* [[Security/Certificate/TLS|Security » Certificate » TLS]]
* [[Java Key Store|Security » Java » Key Store]]
* [[Java Mail API|Security » Java » Mail API]]
* [[Security/Password|Security » Password]]
* [[ZA Proxy|Security » ZA Proxy]]
* [[Security/Domain|Security » Domain]]
* [[Jasypt|Security » Jasypt]]
* [[HTTP Security|Security » HTTP]]


| valign="top" |
|-
* [[Alpine/Morefine]]
|colspan="4"|
* [[Ruby on Rails]]
----
* [[TensorFlow]]
|-
* [[Homebrew]]
|valign="top"|
* [[Linuxbrew]]
* [[Benchmarks]]
* [[IPTables]]
* [[Kubectl]]
* [[PyEnv]]
* [[PyEnv]]
* [[CURL]]
* [[TMux]]
* [[TMux]]
* [[7Zip]]
* [[7Zip]]
* [[Linux Containers|LXC]]
* [[Zip]]
* [[Zip]]
* [[Tar]]
* [[Tar]]


| valign="top" |
|valign="top"|
* [[Linux Service Creation]]
* [[Ubuntu Upgrade|Linux » Ubuntu Upgrade]]
* [[Bash/Port/Forward]]
* [[Linux Service Creation|Linux » Service Creation]]
* [[Linux Mount Drive]]
* [[Linux User Creation|Linux » User Creation]]
* [[YouTube/Channel]]
* [[Linux Mount Drive|Linux » Mount Drive]]
* [[Bash/Network]]
* [[Swap Space|Linux » Swap Space]]
* [[Bash/RAM]]
* [[EKSctl|CLI » AWS » EKS]]
* [[Bash/CPU]]
* [[AWS CLI|CLI » AWS]]
* [[Bash/Port]]
* [[Google Cloud CLI|CLI » GCP]]
* [[CLI App|CLI]]
* [[K9s]]
 
|valign="top"|
* [[Cloudflare/WARP Host|Cloudflare » Host]]
* [[Cloudflare]]
* [[Terraform]]
* [[ActiveMQ]]
* [[Keycloak]]
* [[Hadoop]]
* [[Jenkins]]
* [[Spark]]
* [[Bash]]
* [[Bash]]
* [[Port]]
* [[Port]]
|valign="top"|
* [[Private Enterprise Number]]
* [[Chorke Academia Backup]]
* [[Cloud Computing Cost|Cost » Cloud » Computing]]
* [[Cloud/Cost/Chorke|Cost » Cloud » Chorke]]
* [[YouTube/Channel]]


|-
|-
|colspan="3"|
|colspan="4"|
----
----
|-
|-
|valign="top"|
|valign="top"|
* [[Private Enterprise Number]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.40.0/21 🟢]
* [[Linux User Creation]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/21 ⚪️]
* [[Linux Containers]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.56.0/21 ⚪️]
* [[PostgreSQL]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.46.0/23 ⚪️]
* [[IPTables]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/23 🟢]
* [[MySQL]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.50.0/23 ⚪️]
* [[CIDR]]
 
* [[UFW]]
|valign="top"|
* [[YQ Tool|YQ]]
 
* [[JQ Tool|JQ]]
|valign="top"|
 
|valign="top"|
 
|-
|colspan="4"|
----
|-
|valign="top"|
 
|valign="top"|


|valign="top"|
|valign="top"|
* [[Chorke Academia Backup]]
* [[Cloud Computing Cost]]
* [[Helm/PostgreSQL|Helm » PostgreSQL]]
* [[Helm/MariaDB|Helm » MariaDB]]
* [[Benchmarks]]
* [[Helm]]


|valign="top"|
|valign="top"|


|}
|}

Latest revision as of 03:30, 19 October 2025

Hetzner » Argo

Hetzner » Argo

Name Network Subnets Forward
Hetzner » AA 10.20.41.1/32 10.20.41.1 … 1/32 = 01
Hetzner » AB 10.20.41.2/32 10.20.41.2 … 2/32 = 01
Hetzner » AC 10.20.41.3/32 10.20.41.3 … 3/32 = 01 ⚪️
Hetzner » AD 10.20.41.4/32 10.20.41.4 … 4/32 = 01 ⚪️
Hetzner » AE 10.20.41.5/32 10.20.41.5 … 5/32 = 01 ⚪️

Hetzner » Analyze

Hetzner » Analyze

# Quick resource snapshot of the Hetzner host. The first line opens a remote
# root shell (non-interactive ssh with a pty); everything after it is typed
# into that remote shell.
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip bash

# Memory, boot-time breakdown, disk usage, block devices and active swap.
# The quoted delimiter keeps the body literal until it reaches the root shell.
sudo bash <<'EXE'
free -th && echo && systemd-analyze && echo
df -h    && echo && lsblk && echo
swapon --show
EXE

Hetzner » Add User

Hetzner » Add User

# Create the two operator accounts on the Hetzner host (run inside the root
# shell opened by the ssh line). Each account gets a home directory, its
# password is removed and the account is then password-locked, so the intended
# way in is a key in ~/.ssh/authorized_keys (see the SSH hardening section).
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
sudo adduser -m        chorke
sudo passwd  -d        chorke
sudo passwd  -l        chorke
sudo chsh -s /bin/bash chorke
sudo adduser -m        shahed
sudo passwd  -d        shahed
sudo passwd  -l        shahed
sudo chsh -s /bin/bash shahed
# Always edit sudoers through visudo: it syntax-checks before saving, so a typo
# cannot lock everyone out of sudo.
sudo visudo
# The quoted block below is a no-op (`: '...'`) that records the sudoers
# entries expected after editing. `shahed ALL=(ALL:ALL) ALL` already grants
# full (password-prompted) sudo; the NOPASSWD line for supervisorctl is the
# only passwordless exception and it appears twice (under the admin and sudo
# sections) — one copy is enough.
:'
# User privilege specification
root    ALL=(ALL:ALL) ALL
shahed  ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
'

Hetzner » SSH Config

Hetzner » Config » SSH

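# Harden sshd on the Hetzner host: key-only authentication, no root login.
# Run from the root shell opened by the ssh line. Make sure a non-root account
# (chorke/shahed) already has a working authorized_keys BEFORE applying this:
# once sshd restarts, new root logins — the way this session came in — are
# refused.
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash

# Anchored patterns with an optional leading '#' rewrite each directive whether
# it is still the commented-out default or has already been set to some other
# value (a pattern that only matches the commented default silently leaves an
# explicit `PasswordAuthentication yes` in place). `sshd -t` validates the
# file first so a bad edit cannot leave the daemon unable to restart.
cat <<'EXE' | sudo bash
sed -Ei 's|^#?PasswordAuthentication .*|PasswordAuthentication no|' /etc/ssh/sshd_config
sed -Ei 's|^#?PubkeyAuthentication .*|PubkeyAuthentication yes|'    /etc/ssh/sshd_config
sed -Ei 's|^#?PermitEmptyPasswords .*|PermitEmptyPasswords no|'      /etc/ssh/sshd_config
sed -Ei 's|^#?PermitRootLogin .*|PermitRootLogin no|'               /etc/ssh/sshd_config
sshd -t && systemctl restart ssh
EXE

# Verify the *effective* configuration: `sshd -T` also folds in any drop-in
# under /etc/ssh/sshd_config.d/, which can override the values set above
# (cloud images commonly ship one). All four must print the intended value.
cat <<'EXE' | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
EXE

# Make the key files immutable so a compromised or careless user session cannot
# add keys; `chattr -i` is required before any legitimate change.
sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys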

Hetzner » APT Update

Hetzner » APT Update

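# Base package refresh for the Hetzner host. `apt-get clean` takes no
# arguments, so the stray `cache` word has been dropped.
cat <<'EXE' | sudo bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates \
  gnupg build-essential snapd jq traceroute moreutils;echo
apt-get clean && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

# yq is fetched straight from the GitHub "latest" release page. The binary
# lands in a temp file and must at least execute (`--version`) before it is
# installed over /usr/local/bin/yq, so a failed or truncated download can no
# longer replace a working binary. This still trusts GitHub + TLS alone: for
# shared hosts pin a release instead of `latest` and compare the download with
# the checksums published for that release before adopting it.
# The delimiter is quoted, so no `\$` escaping is needed inside the body.
cat <<'EXE' | sudo bash
set -e
PLATFORM=$(uname -s)_$(dpkg --print-architecture)
YQ_BINARY=$(echo "yq_${PLATFORM}"|tr '[:upper:]' '[:lower:]')
YQ_TMP=$(mktemp)
trap 'rm -f "${YQ_TMP}"' EXIT
wget "https://github.com/mikefarah/yq/releases/latest/download/${YQ_BINARY}" -O "${YQ_TMP}"
chmod +x "${YQ_TMP}"
"${YQ_TMP}" --version
install -m 0755 "${YQ_TMP}" /usr/local/bin/yq
EXE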

Hetzner » Swap Space

Hetzner » Swap Space

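# Replace the swap file with a 20 GiB one and persist it in fstab.
echo 'swapon --show'|sudo bash

# `swapoff` fails harmlessly if /swap.img is not currently active; the rest
# recreates the file with owner-only permissions before enabling it.
cat <<'EXE' | sudo bash
swapoff /swap.img
fallocate -l 20G /swap.img
ls -lh /swap.img && mkswap /swap.img
chmod 0600 /swap.img && swapon /swap.img && swapon --show && free -th
EXE

# Append the fstab entry only if it is not already there, so re-running this
# section does not accumulate duplicate swap lines.
if ! grep -qs '^/swap.img[[:space:]]' /etc/fstab; then
  cat << FST | sudo tee -a /etc/fstab >/dev/null

# loop based swap storage » 16GB + 4GB
/swap.img              none            swap    sw              0       0
FST
fi

free -th
cat /etc/fstab
# fstab changes generate mount/swap units; reload needs root.
sudo systemctl daemon-reload
echo 'swapon --show'|sudo bash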

Hetzner » Attach Volume

Hetzner » Attach Volume

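# Attach the Hetzner volume (by-id path from the page) at the minikube PVC
# path and persist the mount. Runs entirely as root via the quoted heredoc.
cat <<'EXE'| sudo bash
set -e
VOL=/dev/disk/by-id/scsi-0HC_Volume_102736305
MNT=/var/minikube/pvc
mkdir -p "${MNT}"
# Only create a filesystem when the device has none yet: an unconditional
# `mkfs.ext4 -F` would wipe the volume on every re-run of this section.
if ! blkid "${VOL}" >/dev/null 2>&1; then
  mkfs.ext4 -F "${VOL}"
fi
# Idempotent fstab entry; `nofail` keeps the host booting if the volume is
# detached.
grep -qs "^${VOL}[[:space:]]" /etc/fstab || cat <<'FST'| tee -a /etc/fstab >/dev/null

# hetzner-aa » attach 80gb storage » hetzner-aa-vol-aa
/dev/disk/by-id/scsi-0HC_Volume_102736305 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
FST
systemctl daemon-reload
mount -a
# chown AFTER mounting: done before `mount -a` it only changes the (then
# hidden) mount-point directory, and the root of the mounted filesystem stays
# owned by root.
chown minikube:minikube -R "${MNT}/"
EXE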

Hetzner » Containerize » LXD

Hetzner » Containerize » LXD

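# LXD on the Hetzner host: install the snap, grant the operator accounts
# access, initialise a NAT'ed bridge plus ZFS pool from a preseed, open the
# host firewall for the bridge and launch a first container.
#
# Membership of the `lxd` group is effectively root on the host (LXD's own
# documentation warns about this) — keep it to the two admin accounts.
cat <<'EXE' | sudo bash
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE

# Confirm the group membership took effect (new login shells).
echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash
# Preseed: bridge lxdbr0 on 10.20.0.0/24 with IPv4 NAT, 30 GiB ZFS pool,
# default profile wired to both.
cat <<YML | sudo lxd init --preseed
---
config: {}
networks:
- config:
    ipv4.address: 10.20.0.1/24
    ipv4.nat: "true"
    ipv6.address: auto
  description: ""
  name: lxdbr0
  type: ""
  project: default
storage_pools:
- config:
    size: 30GiB
  description: ""
  name: lxd-zfs-pool-aa
  driver: zfs
storage_volumes: []
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: lxd-zfs-pool-aa
      type: disk
  name: default
projects: []
cluster: null
YML

# Allow SSH *before* enabling ufw. Ubuntu's ufw denies incoming traffic by
# default, so enabling it first would leave a remote operator unable to open a
# fresh SSH session if the current one drops.
cat <<'EXE' | sudo bash
ufw       allow OpenSSH
ufw       allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
EXE
sudo ufw enable
sudo iptables -S

sudo ufw status numbered
sudo iptables -S

# Restart LXD after the firewall changes and show its services.
cat <<'EXE' | sudo bash
snap restart  lxd
snap services lxd
EXE
lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'

# Outbound connectivity check from inside the new container.
cat <<'EXE'| lxc exec academia -- sh
ping -c5 chorke.org
ping -c5 shahed.biz
EXE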

Hetzner » Containerize » Docker

Hetzner » Containerize » Docker

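# Docker CE from Docker's apt repository; the repository key is stored under
# /etc/apt/keyrings and pinned to this source via `signed-by`.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo tee /etc/apt/keyrings/docker.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu ${DISTRIBUTION}  stable
SRC

# `apt-cache policy` shows which repository docker-ce will come from before
# installing. `apt-get clean` takes no arguments (stray `cache` dropped).
cat <<'EXE' | sudo bash
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean && find /tmp -type f,s -atime +10 -delete
EXE

# Daemon config. `bip` 10.20.13.1/24 is the "Network » Docker" range listed in
# the WARP exclusion table further down this page; 192.168.49.2 in `dns`
# appears to be the minikube node (it is the Kubernetes API backend elsewhere
# on this page). `"debug": true` makes dockerd log every API call — handy while
# bringing the host up, but switch it off once the host is in service.
cat <<'EOF' | sudo tee /etc/docker/daemon.json >/dev/null
{
    "bip"  : "10.20.13.1/24",
    "mtu"  : 1500,
    "dns"  : [
        "1.1.1.1",
        "8.8.8.8",
        "192.168.49.2"
    ],
    "debug": true
}
EOF

# docker.socket is stopped as well so socket activation cannot bring the
# daemon back on its own before the explicit start with the new daemon.json.
# The `docker` group grants root-equivalent access to the host — same caveat
# as the lxd group above.
cat <<'EXE' | sudo bash
systemctl stop  docker.socket
systemctl stop  docker.service
systemctl start docker.service

usermod -aG docker chorke
usermod -aG docker shahed
EXE

# Bridge, images and networks after the restart.
ip a
docker image ls
docker network ls

echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash

# Name resolution and outbound reachability from a throw-away container.
cat <<'EXE'| docker run --rm -i alpine sh
echo
cat /etc/hosts       ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org  ;echo
ping -c5 shahed.biz  ;echo
EXE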

Hetzner » Cloudflare » VIRT

Hetzner » Cloudflare » VIRT

# Dummy interface carrying this host's WARP/Argo address (10.20.41.1/32) so it
# survives reboots. oneshot + RemainAfterExit lets systemd report the unit as
# active after the `ip` commands have run; ExecStop removes the link again.
sudo tee /etc/systemd/system/warp0.service >/dev/null << INI
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.41.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI

# Register, start and inspect the unit.
sudo bash <<'EXE'
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status       warp0.service
EXE

# warp0 should now be listed with its /32 address.
ip a

Hetzner » Cloudflare » Argo » Tunnel

Hetzner » Cloudflare » Argo » Tunnel

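# cloudflared (tunnel client) on the Hetzner host (arm64 build).
# The .deb is fetched from the GitHub "latest" release: nothing here checks a
# signature or checksum, so the package is trusted on TLS alone. Prefer
# Cloudflare's signed apt repository, or pin a release and verify its
# published checksum, before rolling this out to further hosts.
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P "${HOME}/Downloads"
sudo dpkg -i "${HOME}/Downloads/cloudflared-linux-arm64.deb"; sudo apt install -f
# plain file: `rm -f` is enough (no recursion needed)
rm -f -- "${HOME}/Downloads/cloudflared-linux-arm64.deb"

# Kernel settings for the tunnel: the ping group range lets unprivileged
# processes in those groups open ICMP sockets (as the header below says), and
# the socket buffers are raised. The append is guarded by the header comment
# so re-running this section does not duplicate the block.
if ! grep -qs 'Cloudflared Tunnel Private Network Config' /etc/sysctl.conf; then
  cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null

###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000

# 208 KiB Default RX Buffer
net.core.rmem_default=212992

# 208 KiB Default TX Buffer
net.core.wmem_default=212992

# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608

# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608

SYS
fi

sudo sysctl -p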

Skipped » Find More » 👈

Hetzner » Cloudflare » WARP » Tunnel

Hetzner » Cloudflare » WARP » Tunnel

# The WARP connector runs inside a dedicated LXC guest ("cloudflare") on the
# host's lxdbr0 bridge; the host later routes its private ranges through it.
lxc launch ubuntu:24.04 cloudflare
lxc list -c=n -f=json|jq -r '.[]|select(.name=="cloudflare")|.status'

# Base packages inside the guest. The quoted delimiter keeps the body literal
# until it reaches the guest's bash.
cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg jq && apt-get clean
EXE

# Cloudflare's WARP apt repository, pinned to its key with `signed-by`. The
# inner SRC heredoc is unquoted on purpose: the arch and codename are expanded
# by the guest's shell.
cat <<'EXE' | lxc exec cloudflare -- bash
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
 | sudo tee /etc/apt/keyrings/cloudflare.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}");\
cat << SRC | sudo tee /etc/apt/sources.list.d/cloudflare.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/cloudflare.asc]\
 https://pkg.cloudflareclient.com/ ${DISTRIBUTION} main
SRC

cat /etc/apt/sources.list.d/cloudflare.list
cat /etc/apt/keyrings/cloudflare.asc
EXE

cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y cloudflare-warp && apt-get clean
EXE

# Interactive transcript: shell into the guest and enable IPv4 forwarding.
# The line after `sudo sysctl -p` and the line after `ip route | grep default`
# are the expected output as recorded on the page, not commands to run.
lxc exec cloudflare -- bash
sudo vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
net.ipv4.ip_forward = 1

ip route | grep default
default via 10.20.0.1 dev eth0 proto dhcp src 10.20.0.161 metric 100

# Snapshot of the clean, not-yet-enrolled guest so it can be rebuilt quickly.
lxc snapshot cloudflare base:2024.12.554.0
lxc publish  cloudflare/base:2024.12.554.0 --alias cloudflare/base:2024.12.554.0
lxc restore  cloudflare base:2024.12.554.0

lxc exec cloudflare -- bash
sudo warp-cli status

# Enrol the connector. The argument is a Zero Trust connector token (shown
# truncated on the page): it is a credential — keep it out of wiki pages,
# logs and shell history, and rotate it if it is ever exposed.
cat <<'EXE' | lxc exec cloudflare -- bash
warp-cli connector new eyJhIjoiNW…
warp-cli connect
EXE

cat << EXE | lxc exec cloudflare -- bash
warp-cli status
systemctl daemon-reload
systemctl enable --now warp-svc.service
systemctl status       warp-svc.service
EXE

# Pre-answer the debconf prompts so the install runs non-interactively.
cat << EXE | lxc exec cloudflare -- bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get -y install iptables-persistent && apt-get clean cache
EXE

# Forwarding between the bridge side (eth0) and the WARP interface, with
# masquerading towards WARP. Both FORWARD rules accept everything in both
# directions. If hosts on the WARP side are meant to reach the host network
# (the Forward tables on this page suggest site-to-site reachability) that is
# intended; otherwise limit the WARP→eth0 rule to return traffic with
# `-m conntrack --ctstate RELATED,ESTABLISHED`. The rules are then saved so
# iptables-persistent restores them at boot.
cat << EXE | lxc exec cloudflare -- bash
# allow forwarding traffic from host
iptables -A FORWARD -i eth0 -o CloudflareWARP -j ACCEPT
iptables -A FORWARD -i CloudflareWARP -o eth0 -j ACCEPT

# cloudflarewarp nat gateway setup for host
iptables -t nat -A POSTROUTING -o CloudflareWARP -j MASQUERADE

# persist across reboots, save the rules
        mkdir -p /etc/iptables/
iptables-save  > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
EXE

# Snapshot of the enrolled, routed guest.
lxc snapshot cloudflare shahed:2025.03.09
lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore  cloudflare shahed:2025.03.09

Skipped » Find More » 👈

Hetzner » Cloudflare » WARP » Exclude

Hetzner » Cloudflare » WARP » Exclude

Settings » 0Trust » WARP Client » Device settings » Profile settings » Default » Configure »
Split Tunnels » Exclude IPs and domains » Manage » Manage Split Tunnels
Name Network Exclude
Network » OpenVPN 10.20.30.0/24
Network » Hetzner 10.20.31.0/24
Network » Docker 10.20.13.0/24
Network » Home 10.19.83.0/24
Network » LXD 10.20.0.0/24
Name Network Exclude
Network » WiFi 192.168.10.0/24
Network » WiFi 192.168.1.0/24
Network » WiFi 192.168.0.0/24
Network » WiFi 172.17.0.0/24
Network » WiFi 172.16.0.0/24
Network » WiFi 10.10.10.0/24
Network » WiFi 10.0.1.0/24
Network » WiFi 10.0.0.0/24

Hetzner » Cloudflare » WARP » Forward

Hetzner » Cloudflare » WARP » Forward

Implement Forward Routing
Name Network Subnets Forward
Network » Cloud 10.20.40.0/21 10.20.40 … 47.0/24 = 8
Network » Cloud 10.20.48.0/21 10.20.48 … 55.0/24 = 8 ⚪️
Network » Cloud 10.20.56.0/21 10.20.56 … 63.0/24 = 8 ⚪️
Network » Cloud 10.20.46.0/23 10.20.46 … 47.0/24 = 2 ⚪️
Network » Cloud 10.20.48.0/23 10.20.48 … 49.0/24 = 2
Network » Cloud 10.20.50.0/23 10.20.50 … 51.0/24 = 2 ⚪️
Name Network Subnets Forward
Network » Office 10.20.10.0/24 10.20.10 … 10.0/24 = 1

Cloudflare » WARP » Forward » Route

Cloudflare » WARP » IP » Route » Service

# Interactive transcript on the Hetzner host: turn on IPv4 forwarding, then
# reload. The line after `sudo sysctl -p` and the line after
# `ip route | grep default` are the recorded output, not commands.
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
net.ipv4.ip_forward = 1

# Default route of the host (public address as shown on the page).
ip route | grep default
default via 172.31.1.1 dev eth0 proto dhcp src 65.21.251.38 metric 100

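# Static routes to the office/cloud ranges through the WARP LXC guest.
#
# /etc/default/warp-route records the guest's name and its current bridge
# address. The outer heredoc is deliberately unquoted so that `$(lxc list …)`
# is evaluated by the invoking user's shell (which needs lxd access) before
# the text reaches `sudo bash`; the inner ENV heredoc then only writes the
# resolved value.
cat << EXE | sudo bash
cat << ENV | tee /etc/default/warp-route >/dev/null
LXC_WARP_CLI_NAME=cloudflare
LXC_WARP_CLI_HOST=$(lxc list -f=json cloudflare | jq -r '.[]|.state.network.eth0.addresses[]|select(.family=="inet")|.address')
ENV
echo
cat /etc/default/warp-route
EXE

# Unit file. The delimiter is quoted: the ${LXC_WARP_CLI_HOST} references are
# substituted by systemd from the EnvironmentFile, not by the shell writing
# the file. The guard must exit explicitly with a non-zero status — an
# undefined command name there would fail the unit only by accident (command
# not found) and with a misleading message. `sleep 15` is a fixed wait for
# the guest to obtain its address; if routes are missing after boot, raise it
# or replace it with a readiness check.
cat <<'INI' | sudo tee /etc/systemd/system/warp-route.service >/dev/null
[Unit]
Description=WARP Routes Over Cloudflare LXC
Wants=network-online.target docker.service snap.lxd.daemon.service containerd.service
After=network-online.target docker.service snap.lxd.daemon.service containerd.service

[Service]
Type=oneshot
EnvironmentFile=-/etc/default/warp-route

ExecStartPre=/bin/sleep 15
ExecStartPre=/bin/bash -c "if [ -z \"${LXC_WARP_CLI_HOST}\" ]; then echo \"Variable LXC_WARP_CLI_HOST not set in /etc/default/warp-route\" >&2; exit 1; fi"
ExecStart=/usr/sbin/ip route add 10.20.10.0/24 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via ${LXC_WARP_CLI_HOST}
ExecStop=/usr/sbin/ip  route del 10.20.10.0/24
ExecStop=/usr/sbin/ip  route del 10.20.40.0/21
ExecStop=/usr/sbin/ip  route del 10.20.48.0/23
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
INI

# Register, enable and show the resulting routing table.
cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl enable  --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE

# Path check towards a cloud host and the WARP virtual address.
cat << EXE | bash
traceroute 10.20.40.1
traceroute 10.20.41.1
EXE

# Tear-down counterpart; the routes are removed by the unit's ExecStop lines.
cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl disable --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE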

Hetzner » LB » HAProxy » Install & Configure

Hetzner » LB » HAProxy » Install & Configure

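# HAProxy and certbot on the Hetzner host. `apt-get clean` takes no arguments
# (stray `cache` dropped).
cat <<'EXE' | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y haproxy certbot;echo;haproxy -v;echo
cat /etc/haproxy/haproxy.cfg;echo
apt-get clean
EXE

sudo ufw status numbered
sudo iptables -S

# Open the proxied ports: 80/443 for the HTTP(S) frontends and 4321/tcp, the
# port probed for git.shahed.biz further down. The mail TCP frontends defined
# on this page (25, 587, 110, 995, 143, 993, 465, 4190) are not opened here —
# add them deliberately if the mail proxy is meant to be reachable.
cat <<'EXE' | sudo bash
ufw       allow 80/tcp
ufw       allow 443/tcp
ufw       allow 4321/tcp
EXE

sudo ufw status numbered
sudo iptables -S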

Skipped » Find More » 👈


# Regenerate haproxy.cfg from proxy-enabled/ (the reconfig helper is the
# page's own script; its contents are not shown here) and list the layout.
sudo bash <<'EXE'
        /etc/haproxy/proxy-scripts/reconfig
ls -alh /etc/haproxy/{haproxy.cfg,proxy-{backups,configs,default,enabled,scripts}}
EXE

# External check that the published listeners answer; run from a host outside
# the load balancer. The UDP probe needs root.
nmap --reason mail.shahed.biz -sT -Pn -p25,587,110,995,143,993,465,4190
nmap --reason  vpn.shahed.biz -sT -Pn --top 20
nmap --reason  git.shahed.biz -sT -Pn -p4321
nmap --reason  vpn.shahed.biz -sT -Pn -p1194
sudo nmap --reason  vpn.shahed.biz -sU -Pn -p1194

Hetzner » LB » HAProxy » Frontend » HTTP Config

HAProxy » Frontend » HTTP

# Port-80 frontend. The only thing served in clear is the ACME http-01
# challenge path, which goes to certbot's standalone listener on
# 127.0.0.1:19830 (see the --http-01-port option used below); every other
# request is answered with a 301 to https. Quoted delimiter: nothing expands.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null <<'CFG'

# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz
   bind            *:80
   mode            http

   acl             path-is-acme-challenge                path_beg /.well-known/acme-challenge/

   http-request    redirect scheme https code 301        unless path-is-acme-challenge
   use_backend     bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
   default_backend bck_letsencrypt_org_acme_challenge

backend            bck_letsencrypt_org_acme_challenge
   server          letsencrypt 127.0.0.1:19830
   mode            http
CFG
# Enable by linking into proxy-enabled/, then regenerate and reload via the
# reconfig helper (opened in vim first so it can be reviewed).
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

Hetzner » LB » HAProxy » Frontend » HTTPS Config

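# Certbot's standalone http-01 listener on 19830 is reached through the
# port-80 frontend above; --dry-run exercises that path before the real
# request is made.
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
# A fullchain.pem.key link beside fullchain.pem is presumably what lets
# HAProxy find the key for a `crt fullchain.pem` entry. `&&` replaces `;` so a
# missing live directory no longer leaves a dangling privkey.pem link in the
# caller's current directory.
(cd /etc/letsencrypt/live/k8s.aa.hetzner.shahed.biz/ && ln -s privkey.pem fullchain.pem.key)
# Renewal re-uses the same challenge port. --force-renewal is for testing the
# renewal path only; forced renewals can count against the CA's rate limits.
certbot renew --http-01-port=19830 --force-renewal
certbot renew --http-01-port=19830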

HAProxy » Frontend » HTTPS

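certbot certonly --standalone --non-interactive --http-01-port=19830 -d  cid.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  dev.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  hub.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  reg.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d wiki.chorke.org

# HAProxy wants chain and key in one file, so <name>.pem is built next to each
# cert directory under live/. That combined file contains the private key:
# chmod 600 keeps it readable by root only instead of relying on the
# directory mode. `&&` after cd stops the loop from running in the caller's
# current directory if live/ does not exist.
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then
    cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem"
  fi
done
systemctl reload haproxy.service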

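# Build the `crt <path> ` list for the bind line from every cert directory
# under live/. The values are passed as %s arguments so a path containing '%'
# is not interpreted as a printf format; the trailing space is intentional
# because the list is spliced directly in front of `alpn` below.
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/ && for d in *; do if [ -d "${d}" ]; then printf 'crt %s/%s.pem ' "${PWD}" "${d}"; fi; done)"
# Unquoted delimiter on purpose: ${SSL_CRT_LIST} must expand. TLS terminates
# here (TLS 1.2/1.3 only) and the backends are reached over plain HTTP on the
# routed 10.20.40.0/21 addresses. `set-header X-Forwarded-For %[src]`
# overwrites any client-supplied header with the real source address, so
# backends cannot be fed a spoofed client IP. Note that the acl names say
# "shahed-biz" while they match chorke.org hosts — cosmetic, but easy to
# misread.
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null

# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_ssl
   bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

   acl             host-is-k8s-aa-hetzner-shahed-biz     hdr(host) -i k8s.aa.hetzner.shahed.biz
   acl             host-is-cid-shahed-biz                hdr(host) -i            cid.chorke.org
   acl             host-is-dev-shahed-biz                hdr(host) -i            dev.chorke.org
   acl             host-is-hub-shahed-biz                hdr(host) -i            hub.chorke.org
   acl             host-is-reg-shahed-biz                hdr(host) -i            reg.chorke.org
   acl             host-is-wiki-chorke-org               hdr(host) -i           wiki.chorke.org
 
   acl             path-is-artifactory                   path_beg /artifactory/
   acl             path-is-jenkins                       path_beg /jenkins/
   acl             path-is-gitlab                        path_beg /gitlab/
   acl             path-is-nexus                         path_beg /nexus/

   http-request    set-header X-Forwarded-For            %[src]
   http-request    set-header X-Forwarded-Proto          https

   use_backend     bck_shahed_biz_cid_artifactory        if            host-is-cid-shahed-biz path-is-artifactory
   use_backend     bck_shahed_biz_cid_jenkins            if            host-is-cid-shahed-biz path-is-jenkins
   use_backend     bck_shahed_biz_cid_gitlab             if            host-is-cid-shahed-biz path-is-gitlab
   use_backend     bck_shahed_biz_cid_nexus              if            host-is-cid-shahed-biz path-is-nexus
   use_backend     bck_shahed_biz_hub_nexus              if            host-is-hub-shahed-biz
   use_backend     bck_shahed_biz_reg_nexus              if            host-is-reg-shahed-biz

   use_backend     bck_shahed_biz_hetzner_aa_k8s         if host-is-k8s-aa-hetzner-shahed-biz
   use_backend     bck_shahed_biz_hetzner_aa_k8s         if           host-is-wiki-chorke-org
   default_backend bck_shahed_biz_cid

backend            bck_shahed_biz_cid_artifactory
   server          shahed_ah_artifactory 10.20.40.8:8084
   mode            http

backend            bck_shahed_biz_cid_jenkins
   server          shahed_ah_jenkins 10.20.40.8:8080
   mode            http

backend            bck_shahed_biz_cid_gitlab
   server          shahed_af_gitlab 10.20.40.6:80
   mode            http

backend            bck_shahed_biz_cid_nexus
   server          shahed_ah_nexus 10.20.40.8:8081
   mode            http

backend            bck_shahed_biz_hub_nexus
   server          shahed_ah_nexus 10.20.40.8:8082
   mode            http

backend            bck_shahed_biz_reg_nexus
   server          shahed_ah_nexus 10.20.40.8:8083
   mode            http

backend            bck_shahed_biz_hetzner_aa_k8s
   server          hetzner_aa_k8s 192.168.49.2:80
   mode            http

backend            bck_shahed_biz_cid
   server          shahed_am_apache2 10.20.40.13:80
   mode            http
CFG
# Enable the config, then regenerate and reload through the reconfig helper.
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

# Renewal check: after a (forced) renewal the combined .pem files have to be
# rebuilt before HAProxy is reloaded. They contain the private key, hence
# chmod 600; `&&` keeps the loop out of the caller's directory if live/ is
# missing.
certbot renew --http-01-port=19830 --force-renewal
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then
    cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem"
  fi
done
systemctl reload haproxy.service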

Hetzner » LB » HAProxy » Frontend » OVPN Config

Hetzner » LB » HAProxy » Frontend » OVPN Config

# Placeholder config for the OpenVPN port: the page notes HAProxy has no UDP
# mode, so the file only carries the iptables DNAT/FORWARD alternative as
# comments. It is still linked into proxy-enabled/ so the inventory of
# published services stays in one place. Quoted delimiter: nothing expands.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null <<'CFG'


# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc

# udp mode not supported, please go with iptables forward

# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE

# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg /etc/haproxy/proxy-enabled/

# Regenerate and reload through the reconfig helper.
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

Hetzner » LB » HAProxy » Frontend » Git Repo Config

Hetzner » LB » HAProxy » Frontend » Git Repo Config

# Plain TCP pass-through of GitLab's SSH port (4321, opened in ufw above) to
# the GitLab host. tcp mode means the SSH session is untouched and the
# backend sees the load balancer's address as the client.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null <<'CFG'


# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_git_gitlab_ssh
   bind            *:4321
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_git_gitlab_ssh

backend            bck_shahed_biz_git_gitlab_ssh
   server          shahed_af_gitlab 10.20.40.6:4321
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg /etc/haproxy/proxy-enabled/

# Regenerate and reload through the reconfig helper.
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

# Connectivity check of the proxied SSH port through both names. Password
# authentication is forced so the test does not depend on a key being
# installed on the GitLab host; drop those two -o flags for regular use.
ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@git.chorke.org bash
ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@aa.hetzner.shahed.biz bash

Hetzner » LB » HAProxy » Frontend » Kube API Config

Hetzner » LB » HAProxy » Frontend » Kube API Config

# TCP pass-through of the minikube API server (192.168.49.2:8443). The header
# says 10.20.41.1:8443 (the WARP address) but `bind *:8443` listens on every
# interface; no ufw rule for 8443 is added on this page, so reachability from
# the public side depends on ufw's default policy. Binding to 10.20.41.1:8443
# would make the intent explicit (HAProxy then needs that address to exist at
# start time). TLS stays end-to-end between kubectl and the API server.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null <<'CFG'

# ##############################################################################
# tcp frontend config for 10.20.41.1:8443
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_hetzner_aa
   bind            *:8443
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_hetzner_aa

backend            bck_shahed_biz_hetzner_aa
   server          hetzner_aa 192.168.49.2:8443
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/

# Regenerate and reload through the reconfig helper.
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

# kubectl will talk to https://10.20.41.1:8443, so that IP has to be in the
# API server certificate; --apiserver-ips on the minikube ExecStart line
# presumably adds it. The service is stopped before the unit file is edited.
systemctl disable --now minikube.service
vim /etc/systemd/system/minikube.service
# append --apiserver-ips=10.20.41.1 with ExecStart
systemctl enable --now minikube.service

# Log in to the minikube host over the WARP address and switch to the
# minikube user (its ~/.minikube holds the CA and client certificate files).
ssh -qt root@10.20.41.1 bash
sudo -i -u minikube

# run this script on the minikube host. copy the generated output and
# execute it on your local machine's terminal to enable monitoring of
# the minikube cluster.
#
# How it works: the outer LOG heredoc is unquoted, so the $(…) substitutions
# run here on the host while the rest is printed verbatim.
#   1. the first $(…) writes a kubeconfig that references the host's own
#      ca.crt / client.crt / client.key by relative path (no output);
#   2. the second $(…) flattens it with `kubectl config view --flatten`, which
#      inlines those files, and deletes the intermediate file;
#   3. everything printed is a script for the local machine: it re-creates
#      the flattened kubeconfig under ~/.kube, chmods it 600 and lists the
#      contexts; `$(echo -n)` only keeps the last line empty.
# The printed output therefore contains the cluster client private key —
# treat the terminal scrollback/session log accordingly.

cat << LOG
$(cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
apiVersion: v1
kind: Config
clusters:
- name: minikube
  cluster:
    server: https://10.20.41.1:8443
    certificate-authority: ../.minikube/ca.crt

contexts:
- name: hetzner-aa
  context:
    cluster: minikube
    namespace: default
    user: minikube

users:
- name: minikube
  user:
    client-certificate: ../.minikube/profiles/minikube/client.crt
    client-key: ../.minikube/profiles/minikube/client.key

current-context: hetzner-aa
YML
)

cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
$(export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml;\
kubectl config view --flatten;\
rm ${KUBECONFIG};\
)
YML

chmod 600 ~/.kube/hetzner-aa-kubeconfig.yaml
  ls -alh ~/.kube/

export KUBECONFIG=~/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
kubectl get    namespace
$(echo -n)
LOG

LB » HAProxy » Frontend » Mail TCP Config

LB » HAProxy » Frontend » Mail TCP Config

# One tcp frontend/backend pair per mail port, all forwarded to the mail host
# 10.20.40.200. tcp mode passes TLS and STARTTLS sessions through untouched,
# but without `send-proxy` the mail server sees the load balancer's address as
# the client, so any IP-based policy or logging on the mail side sees the LB.
# None of these ports are opened in the ufw block above. Quoted delimiter:
# nothing expands.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null <<'CFG'


# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc

# haproxy:         mail.shahed.biz:25
frontend           fnt_shahed_biz_mail_smtp_25
   bind            *:25
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtp_25

backend            bck_shahed_biz_mail_smtp_25
   server          shahed_va 10.20.40.200:25
   mode            tcp

# haproxy:         mail.shahed.biz:587
frontend           fnt_shahed_biz_mail_smtp_587
   bind            *:587
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtp_587

backend            bck_shahed_biz_mail_smtp_587
   server          shahed_va 10.20.40.200:587
   mode            tcp

# haproxy:         mail.shahed.biz:110
frontend           fnt_shahed_biz_mail_pop3_110
   bind            *:110
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_pop3_110

backend            bck_shahed_biz_mail_pop3_110
   server          shahed_va 10.20.40.200:110
   mode            tcp

# haproxy:         mail.shahed.biz:995
frontend           fnt_shahed_biz_mail_pop3_995
   bind            *:995
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_pop3_995

backend            bck_shahed_biz_mail_pop3_995
   server          shahed_va 10.20.40.200:995
   mode            tcp

# haproxy:         mail.shahed.biz:143
frontend           fnt_shahed_biz_mail_imap_143
   bind            *:143
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_imap_143

backend            bck_shahed_biz_mail_imap_143
   server          shahed_va 10.20.40.200:143
   mode            tcp

# haproxy:         mail.shahed.biz:993
frontend           fnt_shahed_biz_mail_imap_993
   bind            *:993
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_imap_993

backend            bck_shahed_biz_mail_imap_993
   server          shahed_va 10.20.40.200:993
   mode            tcp

# haproxy:         mail.shahed.biz:465
frontend           fnt_shahed_biz_mail_smtps_465
   bind            *:465
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtps_465

backend            bck_shahed_biz_mail_smtps_465
   server          shahed_va 10.20.40.200:465
   mode            tcp

# haproxy:         mail.shahed.biz:4190
frontend           fnt_shahed_biz_mail_sieve_4190
   bind            *:4190
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_sieve_4190

backend            bck_shahed_biz_mail_sieve_4190
   server          shahed_va 10.20.40.200:4190
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/

# Regenerate and reload through the reconfig helper.
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig

Hetzner » Kubernetes » Minikube » Install & Configure

Hetzner » Kubernetes » Minikube » Install & Configure

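# Kubernetes apt repository; the signing key is stored under
# /etc/apt/keyrings and bound to this one source with signed-by.
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo tee /etc/apt/keyrings/kubernetes.asc >/dev/null

cat << SRC | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.asc] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /
SRC

# kubectl plus apache2-utils (htpasswd — presumably for the dashboard
# basic-auth secret used further down). The find calls prune stale /tmp
# entries.
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;echo
apt-get install -y apache2-utils kubectl;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

# The minikube installer is fetched from the CDN and executed directly, so
# the host trusts whatever that URL serves at run time; downloading to a file
# and reading it before running is the safer habit. `-f` makes curl fail on
# an HTTP error instead of handing an error page to bash (with plain -s the
# error body would have been executed), `-L` follows redirects. The sizing
# variables are read by the installer — confirm against the script.
if command -v curl >/dev/null 2>&1; then
  sudo apt -qq update
  export MINIKUBE_CPU_USE=6
  export MINIKUBE_RAM_USE=13529
  export MINIKUBE_INGRESS_HOST='k8s.aa.hetzner.shahed.biz'
  bash <(curl -fsSL 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt')
else
  printf 'curl \033[0;31mnot found! \033[0m:(\n'
fi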

Skipped » Find More » 👈

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Beginners Professional
# "Beginners" variant: edit /etc/sudoers itself and grant the minikube user
# passwordless sudo for everything — equivalent to handing it root.
sudo visudo
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
# "Professional" variant: a drop-in under /etc/sudoers.d limited to the two
# commands the tunnel needs (route changes and `minikube tunnel`). visudo -f
# syntax-checks the drop-in before installing it; the wildcard still allows
# any arguments after `ip route` / `minikube tunnel`, which is as narrow as
# a sudoers glob gets here. Preferred.
sudo visudo -f /etc/sudoers.d/minikube
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
# Long-running `minikube tunnel` as a service under the unprivileged minikube
# user (the sudoers rule above presumably covers the route changes it makes).
# ProtectProc=invisible hides other users' processes from it; --cleanup=true
# removes stale routes left by a previous run. Quoted delimiter: nothing in
# the unit needs expansion.
sudo tee /etc/systemd/system/minikube-tunnel.service >/dev/null <<'INI'
[Unit]
Description=Minikube Tunnel
Documentation=https://minikube.sigs.k8s.io/docs/commands/tunnel/
After=network-online.target containerd.service docker.service minikube.service
Requires=network-online.target containerd.service docker.service minikube.service
Wants=network-online.target docker.service minikube.service
AssertFileIsExecutable=/var/minikube/bin/minikube

[Service]
User=minikube
Group=minikube
ProtectProc=invisible
StandardOutput=journal
WorkingDirectory=/var/minikube

EnvironmentFile=-/etc/default/minikube
ExecStart=/var/minikube/bin/minikube tunnel --cleanup=true

Restart=always
SendSIGKILL=no
TasksMax=infinity
TimeoutStopSec=infinity

[Install]
WantedBy=multi-user.target
INI
# Start it, or stop and remove it again (the two lines are alternatives).
sudo systemctl enable  --now minikube-tunnel.service
sudo systemctl disable --now minikube-tunnel.service

Skipped » Find More 👉 Minikube » Tunnel » Systemd


Skipped » Find More 👉 Minikube » MetalLB » Forward » Route

Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard

Hetzner » K8s » Dashboard » Ingress » Apply

# Publish the dashboard through the nginx ingress, guarded by HTTP basic auth.
# The auth secret `kubernetes-dashboard-auth` is referenced, not created here
# — it has to exist in the kubernetes-dashboard namespace first. No tls:
# section: TLS is terminated by the HAProxy https frontend, which forwards
# plain HTTP to 192.168.49.2:80 with X-Forwarded-Proto set to https.
export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts

kubectl -n kubernetes-dashboard apply -f - <<'YML'
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
spec:
  ingressClassName: nginx
  rules:
    - host: k8s.aa.hetzner.shahed.biz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80
YML

Skipped » Find More 👉 K8s » CoreDNS


Skipped » Find More 👉 K8s » Dashboard

Hetzner » Kubernetes » Debug » MariaDB

Hetzner » Kubernetes » Debug » MariaDB

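export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife
# Throwaway alpine pod (--rm) with a MariaDB client; the lines after the run
# command are typed inside the pod's ash shell.
kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet

# Password is read without echo (-s) and kept literal (-r, so backslashes
# survive). Passing it as MYSQL_PWD in the environment keeps it off the
# command line and therefore out of the pod's process list.
printf 'password:'; read -rs MYSQL_PWD; export MYSQL_PWD; echo
mariadb -u academia -D academia -P3306 -h 10.20.31.3
telnet 10.20.31.3 3306
# Shows the password in clear — only to confirm the variable was set; it is
# printed via printf so the value is not subject to word-splitting or echo
# option parsing. `unset MYSQL_PWD` when done.
printf '%s\n' "${MYSQL_PWD}"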

Hetzner » Kubernetes » Debug » PostgreSQL

Hetzner » Kubernetes » Debug » PostgreSQL

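export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife
# Throwaway alpine pod (--rm) with a PostgreSQL client; the lines after the
# run command are typed inside the pod's ash shell.
kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet

# Password is read without echo (-s) and kept literal (-r). PGPASSWORD in the
# environment keeps it off the psql command line and out of the process list.
printf 'password:'; read -rs PGPASSWORD; export PGPASSWORD; echo
# Reachability of pgbouncer via the in-cluster names, its cluster IP and the
# routed database host.
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 10.20.31.3 5432
# Shows the password in clear — only to confirm the variable was set.
# `unset PGPASSWORD` when done.
printf '%s\n' "${PGPASSWORD}"

psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_aa -d bouncer_aa -p5432 -h 192.168.49.103
psql -U bouncer_aa -d bouncer_aa -p5432 -h 10.20.31.3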

Playground

Playground

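# Scratch commands. ssh-copy-id -n is a dry run showing which key would be
# installed; the second line installs it.
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1

# Remove certificates and rebuild the combined .pem files HAProxy reads. The
# combined file holds the private key, hence chmod 600; `&&` keeps the loops
# out of the caller's directory if live/ is missing.
certbot delete --cert-name k8s.aa.hetzner.shahed.biz
certbot delete --cert-name cid.chorke.org
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then
    cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem"
  fi
done
# Preview of the bind-line argument list; %s keeps a '%' in a path from being
# read as a printf format.
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then
    printf 'crt %s/%s.pem ' "${PWD}" "${d}"
  fi
done
printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"

# visudo -cf checks sudoers syntax from stdin without installing anything —
# useful before pasting a rule into visudo.
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI

sudo visudo
sudo cat /etc/sudoers
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI

sudo visudo -f /etc/sudoers.d/minikube
sudo cat       /etc/sudoers.d/minikube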

References