Cloud/Hetzner/AB: Difference between revisions

 
(36 intermediate revisions by the same user not shown)
Line 27: Line 27:
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash


cat <<'EXE' | sudo bash
cat <<'EXE' | sudo bash
Line 44: Line 44:
|valign='top' colspan='2'|
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash
</syntaxhighlight>
</syntaxhighlight>


Line 95: Line 95:
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash


cat << EXE | sudo bash
cat << EXE | sudo bash
Line 137: Line 137:
mkdir -p /etc/apt/keyrings
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg build-essential snapd jq traceroute
apt-get install -y apt-transport-https ca-certificates \
  gnupg build-essential snapd jq traceroute moreutils;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
EXE
Line 329: Line 330:
     "mtu"  : 1500,
     "mtu"  : 1500,
     "dns"  : [
     "dns"  : [
        "1.1.1.1",
         "8.8.8.8",
         "8.8.8.8",
         "8.8.4.4"
         "192.168.49.2"
     ],
     ],
     "debug": true
     "debug": true
Line 447: Line 449:
|-
|-
|valign='top'|
|valign='top'|
[[Cloud/Hetzner/AA#Cloudflare » WARP » Tunnel|Skipped » Find More » 👈]]
[[Cloud/Hetzner/AA#Hetzner » Cloudflare » WARP » Tunnel|Skipped » Find More » 👈]]
----
----
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 465: Line 467:
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
!scope='col' style='width:900px'|
Hetzner » LB » HAProxy » Install & Configure
Hetzner » LB » HAProxy » Install & Config
|-
|-
|valign='top'|
|valign='top'|
[[Cloud/Hetzner/AA#LB » HAProxy » Install & Configure|Skipped » Find More » 👈]]
[[Cloud/Hetzner/AA#Hetzner » LB » HAProxy » Install & Configure|Skipped » Find More » 👈]]
----
----
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 481: Line 483:
sudo ufw status numbered
sudo ufw status numbered
sudo iptables -S
sudo iptables -S
</syntaxhighlight>
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:900px'|
Hetzner » LB » HAProxy » Defaults Config
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null
global
  log            /dev/log  local0
  log            /dev/log  local1 notice
  chroot          /var/lib/haproxy
  stats          socket    /run/haproxy/admin.sock mode 660 level admin
  stats          timeout    30s
  user            haproxy
  group          haproxy
  maxconn        3000
  tune.maxrewrite 1024
  tune.bufsize    32768
  daemon
CFG
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-http.cfg >/dev/null
defaults
  mode            http
  log            global
  option          httplog
  option          dontlognull
  option          http-server-close
  timeout        connect      60s
  timeout        client      30m
  timeout        server      30m
  timeout        http-request 60s
  errorfile      400          /etc/haproxy/errors/400.http
  errorfile      403          /etc/haproxy/errors/403.http
  errorfile      408          /etc/haproxy/errors/408.http
  errorfile      500          /etc/haproxy/errors/500.http
  errorfile      502          /etc/haproxy/errors/502.http
  errorfile      503          /etc/haproxy/errors/503.http
  errorfile      504          /etc/haproxy/errors/504.http
CFG
</syntaxhighlight>
</syntaxhighlight>
|}
|}
Line 534: Line 583:
|-
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash" highlight="17,20,22">
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   k8s.aa.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d             s3.minio.hetzner.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   k8s.ab.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                minio.hetzner.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   k8s.ac.shahed.shahed.biz
 
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   k8s.ad.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.aa.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   k8s.ae.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               k8s.ab.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d   minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               k8s.ac.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d s3.minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               k8s.ad.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               k8s.ae.shahed.shahed.biz
 
certbot certonly --standalone --non-interactive --http-01-port=19830 -d          alertmanager.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d           prometheus.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d              s3.minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               grafana.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                  loki.shahed.shahed.biz
 
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                  artifactory.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                    pgvector.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      jenkins.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      camunda.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      harbor.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      gitlab.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      docker.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                        nexus.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                        wiki.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                          n8n.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                          id.shahed.biz
</syntaxhighlight>
</syntaxhighlight>
----
----
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash" highlight="32,35,37,65,68,70">
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
Line 557: Line 628:
   mode            http
   mode            http


   acl            host-is-k8s-ab-hetzner-shahed-biz     hdr(host) -i k8s.ab.hetzner.shahed.biz
   acl            host-is-s3-minio-hetzner-shahed-biz         hdr(host) -i         s3.minio.hetzner.shahed.biz
  acl            host-is-k8s-aa-shahed-shahed-biz      hdr(host) -i  k8s.aa.shahed.shahed.biz
   acl            host-is-k8s-ab-hetzner-shahed-biz           hdr(host) -i           k8s.ab.hetzner.shahed.biz
   acl            host-is-k8s-ab-shahed-shahed-biz     hdr(host) -i   k8s.ab.shahed.shahed.biz
   acl            host-is-minio-hetzner-shahed-biz           hdr(host) -i           minio.hetzner.shahed.biz
  acl            host-is-k8s-ac-shahed-shahed-biz      hdr(host) -i  k8s.ac.shahed.shahed.biz
  acl            host-is-k8s-ad-shahed-shahed-biz      hdr(host) -i  k8s.ad.shahed.shahed.biz
  acl            host-is-k8s-ae-shahed-shahed-biz      hdr(host) -i  k8s.ae.shahed.shahed.biz
   acl            host-is-minio-shahed-shahed-biz       hdr(host) -i   minio.shahed.shahed.biz
  acl            host-is-s3-minio-shahed-shahed-biz    hdr(host) -i s3.minio.shahed.shahed.biz


   http-request   set-header X-Forwarded-For           %[src]
   acl            host-is-k8s-aa-shahed-shahed-biz            hdr(host) -i            k8s.aa.shahed.shahed.biz
   http-request   set-header X-Forwarded-Proto          https
  acl            host-is-k8s-ab-shahed-shahed-biz            hdr(host) -i            k8s.ab.shahed.shahed.biz
   acl            host-is-k8s-ac-shahed-shahed-biz            hdr(host) -i           k8s.ac.shahed.shahed.biz
   acl            host-is-k8s-ad-shahed-shahed-biz            hdr(host) -i            k8s.ad.shahed.shahed.biz
   acl            host-is-k8s-ae-shahed-shahed-biz            hdr(host) -i            k8s.ae.shahed.shahed.biz


   use_backend    bck_shahed_biz_hetzner_ab_k8s         if host-is-k8s-ab-hetzner-shahed-biz
  acl            host-is-alertmanager-shahed-shahed-biz      hdr(host) -i      alertmanager.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_aa_k8s         if host-is-k8s-aa-shahed-shahed-biz
  acl            host-is-prometheus-shahed-shahed-biz        hdr(host) -i        prometheus.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_ab_k8s         if host-is-k8s-ab-shahed-shahed-biz
  acl            host-is-s3-minio-shahed-shahed-biz          hdr(host) -i          s3.minio.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_ac_k8s         if host-is-k8s-ac-shahed-shahed-biz
  acl            host-is-grafana-shahed-shahed-biz          hdr(host) -i          grafana.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_ad_k8s         if host-is-k8s-ad-shahed-shahed-biz
  acl            host-is-minio-shahed-shahed-biz            hdr(host) -i            minio.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_ae_k8s         if host-is-k8s-ae-shahed-shahed-biz
  acl            host-is-loki-shahed-shahed-biz              hdr(host) -i              loki.shahed.shahed.biz
   use_backend    bck_shahed_biz_shahed_ae_k8s          if host-is-minio-shahed-shahed-biz
 
   use_backend    bck_shahed_biz_shahed_ae_k8s         if host-is-s3-minio-shahed-shahed-biz
  acl            host-is-artifactory-shahed-biz              hdr(host) -i              artifactory.shahed.biz
  acl            host-is-pgvector-shahed-biz                hdr(host) -i                pgvector.shahed.biz
  acl            host-is-jenkins-shahed-biz                  hdr(host) -i                  jenkins.shahed.biz
  acl            host-is-camunda-shahed-biz                  hdr(host) -i                  camunda.shahed.biz
  acl            host-is-harbor-shahed-biz                  hdr(host) -i                  harbor.shahed.biz
  acl            host-is-gitlab-shahed-biz                  hdr(host) -i                  gitlab.shahed.biz
  acl            host-is-docker-shahed-biz                  hdr(host) -i                  docker.shahed.biz
  acl            host-is-nexus-shahed-biz                    hdr(host) -i                    nexus.shahed.biz
  acl            host-is-wiki-shahed-biz                    hdr(host) -i                    wiki.shahed.biz
  acl            host-is-n8n-shahed-biz                      hdr(host) -i                      n8n.shahed.biz
  acl            host-is-id-shahed-biz                      hdr(host) -i                      id.shahed.biz
 
  http-request    set-header X-Forwarded-For                  %[src]
  http-request    set-header X-Forwarded-Proto                https
 
   use_backend    bck_shahed_biz_hetzner_ab_k8s               if           host-is-s3-minio-hetzner-shahed-biz
  use_backend    bck_shahed_biz_hetzner_ab_k8s              if            host-is-k8s-ab-hetzner-shahed-biz
  use_backend    bck_shahed_biz_hetzner_ab_k8s              if              host-is-minio-hetzner-shahed-biz
  use_backend    bck_shahed_biz_hetzner_ab_k8s              if                        host-is-id-shahed-biz
 
   use_backend    bck_shahed_biz_shahed_aa_k8s               if             host-is-k8s-aa-shahed-shahed-biz
   use_backend    bck_shahed_biz_shahed_ab_k8s               if             host-is-k8s-ab-shahed-shahed-biz
   use_backend    bck_shahed_biz_shahed_ac_k8s               if             host-is-k8s-ac-shahed-shahed-biz
   use_backend    bck_shahed_biz_shahed_ad_k8s               if             host-is-k8s-ad-shahed-shahed-biz
   use_backend    bck_shahed_biz_shahed_ae_k8s               if             host-is-k8s-ae-shahed-shahed-biz
 
   use_backend    bck_shahed_biz_shahed_ae_k8s               if        host-is-alertmanager-shahed-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if         host-is-prometheus-shahed-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if             host-is-grafana-shahed-shahed-biz
   use_backend    bck_shahed_biz_shahed_ae_k8s               if           host-is-s3-minio-shahed-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if              host-is-minio-shahed-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                host-is-loki-shahed-shahed-biz
 
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                host-is-artifactory-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                  host-is-pgvector-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                    host-is-jenkins-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                    host-is-camunda-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                    host-is-harbor-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                    host-is-gitlab-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                    host-is-docker-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                      host-is-nexus-shahed-biz
  use_backend    bck_shahed_biz_shahed_aa_k8s                if                      host-is-wiki-shahed-biz
  use_backend    bck_shahed_biz_shahed_ae_k8s                if                        host-is-n8n-shahed-biz


   default_backend bck_shahed_biz_hetzner_ab_k8s
   default_backend bck_shahed_biz_hetzner_ab_k8s
Line 585: Line 696:


backend            bck_shahed_biz_shahed_aa_k8s
backend            bck_shahed_biz_shahed_aa_k8s
   server          shahed_aa_k8s 10.20.40.1:80
   server          shahed_aa_k8s 10.20.40.1:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
   mode            http


backend            bck_shahed_biz_shahed_ab_k8s
backend            bck_shahed_biz_shahed_ab_k8s
   server          shahed_ab_k8s 10.20.40.2:80
   server          shahed_ab_k8s 10.20.40.2:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
   mode            http


backend            bck_shahed_biz_shahed_ac_k8s
backend            bck_shahed_biz_shahed_ac_k8s
   server          shahed_ac_k8s 10.20.40.3:80
   server          shahed_ac_k8s 10.20.40.3:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
   mode            http


backend            bck_shahed_biz_shahed_ad_k8s
backend            bck_shahed_biz_shahed_ad_k8s
   server          shahed_ad_k8s 10.20.40.4:80
   server          shahed_ad_k8s 10.20.40.4:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
   mode            http


backend            bck_shahed_biz_shahed_ae_k8s
backend            bck_shahed_biz_shahed_ae_k8s
   server          shahed_ae_k8s 10.20.40.5:80
   server          shahed_ae_k8s 10.20.40.5:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
   mode            http
CFG
CFG
Line 738: Line 849:
----
----
<syntaxhighlight lang="sql">
<syntaxhighlight lang="sql">
# security risk: don't exec it
# -- security risk: don't exec it
cat << EXE | sudo -i -u root bash
cat << DDL | sudo -i -u root mariadb
cat << DDL | mariadb
CREATE USER '${USER}'@'localhost' IDENTIFIED VIA unix_socket;
CREATE USER '${USER}'@'localhost' IDENTIFIED VIA unix_socket;
GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
FLUSH PRIVILEGES;
DDL
DDL
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="sql">
echo -n 'Password: ';read -s ACADEMIA_PASSWORD;export ACADEMIA_PASSWORD;echo
# Password: sadaqah!
</syntaxhighlight>
----
<syntaxhighlight lang="sql">
cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS academia;
CREATE USER 'academia'@'%' IDENTIFIED BY '${ACADEMIA_PASSWORD}';
GRANT ALL PRIVILEGES ON academia.* TO 'academia'@'%';
FLUSH PRIVILEGES;
DDL
</syntaxhighlight>
</syntaxhighlight>
----
----
Line 757: Line 880:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
ufw allow from 192.168.49.1 to any port 3306 proto tcp
# ufw allow 3306/tcp
ufw allow from 10.20.31.3   to any port 3306 proto tcp
  ufw allow from 192.168.49.2/32 to any port 3306 proto tcp
  ufw allow from 10.20.0.0/24    to any port 3306 proto tcp
  ufw allow from 10.20.13.0/24  to any port 3306 proto tcp
  ufw allow from 10.20.31.0/24   to any port 3306 proto tcp
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 791: Line 917:
----
----
<syntaxhighlight lang="sql">
<syntaxhighlight lang="sql">
# security risk: don't exec it
# -- security risk: don't exec it
cat << EXE | sudo -i -u postgres bash
cat << EXE | sudo -i -u postgres bash
createuser ${USER}
createuser ${USER}
Line 799: Line 925:
DDL
DDL
EXE
EXE
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
echo -n 'Password: ';read -s PGBOUNCER_PASSWORD;export PGBOUNCER_PASSWORD;echo
# Password: sadaqah!
</syntaxhighlight>
----
<syntaxhighlight lang="sql">
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_aa'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_aa')\gexec
CREATE USER bouncer_aa WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_aa TO bouncer_aa;
ALTER DATABASE bouncer_aa OWNER TO bouncer_aa;
DDL
</syntaxhighlight>
----
<syntaxhighlight lang="sql">
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_ab'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_ab')\gexec
CREATE USER bouncer_ab WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_ab TO bouncer_ab;
ALTER DATABASE bouncer_ab OWNER TO bouncer_ab;
DDL
</syntaxhighlight>
</syntaxhighlight>
----
----
Line 809: Line 962:
IPV4_LOCAL_FILL[${YARN_CONF_INDX}]=$(cat <<EOF
IPV4_LOCAL_FILL[${YARN_CONF_INDX}]=$(cat <<EOF
host    all            all            127.0.0.1/32            scram-sha-256\n\
host    all            all            127.0.0.1/32            scram-sha-256\n\
host    all            all            192.168.49.1/32        scram-sha-256\n\
host    all            all            192.168.49.2/32        scram-sha-256\n\
host    all            all            10.20.31.3/32           scram-sha-256
host    all            all            10.20.0.0/24            scram-sha-256\n\
host    all            all            10.20.13.0/24          scram-sha-256\n\
host    all            all            10.20.31.0/24           scram-sha-256
EOF
EOF
)
)
Line 821: Line 976:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
cat << EXE | sudo bash
ufw allow from 192.168.49.1 to any port 5432 proto tcp
# ufw allow 5432/tcp
ufw allow from 10.20.31.3   to any port 5432 proto tcp
  ufw allow from 192.168.49.2/32 to any port 5432 proto tcp
  ufw allow from 10.20.0.0/24    to any port 5432 proto tcp
  ufw allow from 10.20.13.0/24  to any port 5432 proto tcp
  ufw allow from 10.20.31.0/24   to any port 5432 proto tcp
EXE
EXE
</syntaxhighlight>
</syntaxhighlight>
Line 835: Line 993:
|-
|-
|valign='top'|
|valign='top'|
[[Cloud/Hetzner/AA#Kubernetes » Minikube » Install & Configure|Skipped » Find More » 👈]]
[[Cloud/Hetzner/AA#Hetzner » Kubernetes » Minikube » Install & Configure|Skipped » Find More » 👈]]
----
----
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 851: Line 1,009:


==Hetzner » Kubernetes » Minikube » Tunnel » Create Service==
==Hetzner » Kubernetes » Minikube » Tunnel » Create Service==
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible'
!scope='col' style='width:1100px'|
!scope='col' style='width:1100px'|
Hetzner » Kubernetes » Minikube » Tunnel » Create Service
Hetzner » Kubernetes » Minikube » Tunnel » Create Service
|-
|-
|valign='top'|
|valign='top'|
[[Cloud/Hetzner/AA#Kubernetes » Minikube » Tunnel » Create Service|Skipped » Find More 👉 Minikube » Tunnel » Systemd]]
[[Cloud/Hetzner/AA#Hetzner » Kubernetes » Minikube » Tunnel » Create Service|Skipped » Find More 👉 Minikube » Tunnel » Systemd]]
----
----
[[Minikube MetalLB#MetalLB » Forward » Route|Skipped » Find More 👉 Minikube » MetalLB » Forward » Route]]
[[Minikube MetalLB#MetalLB » Forward » Route|Skipped » Find More 👉 Minikube » MetalLB » Forward » Route]]
|}
|}


==Kubernetes » Minikube » Ingress » Apply Dashboard==
==Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard==
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:700px'|
!scope='col' style='width:1100px'|
'''K8s » Dashboard » Ingress » Apply'''
Hetzner » K8s » Dashboard » Ingress » Apply
|-
|-
|valign='top'|
|valign='top'|
Line 908: Line 1,066:
----
----
[[K8s/Ingress#Ingress » Dashboard|Skipped » Find More 👉 K8s » Dashboard]]
[[K8s/Ingress#Ingress » Dashboard|Skipped » Find More 👉 K8s » Dashboard]]
|}
==Hetzner » Kubernetes » Debug » MariaDB==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1100px'|
Hetzner » Kubernetes » Debug » MariaDB
|-
|valign='top' style='width:540px'|
<syntaxhighlight lang="bash">
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
kubectl create ns  swiss-knife
kubectl get ns|grep swiss-knife
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
telnet 192.168.49.1 3306
telnet 10.20.31.3  3306
telnet 10.20.13.3  3306
telnet 10.20.0.1    3306
echo ${MYSQL_PWD}
mariadb -u academia -D academia -P3306 -h 192.168.49.1
mariadb -u academia -D academia -P3306 -h 10.20.31.3
mariadb -u academia -D academia -P3306 -h 10.20.13.1
mariadb -u academia -D academia -P3306 -h 10.20.0.1
</syntaxhighlight>
|}
==Hetzner » Kubernetes » Debug » PostgreSQL==
{|class='wikitable mw-collapsible'
!scope='col' colspan='2' style='width:1100px'|
Hetzner » Kubernetes » Debug » PostgreSQL
|-
|valign='top' style='width:540px'|
<syntaxhighlight lang="bash">
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
kubectl create ns  swiss-knife
kubectl get ns|grep swiss-knife
</syntaxhighlight>
|-
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 192.168.49.1  5432
telnet 10.20.31.3    5432
telnet 10.20.13.1    5432
telnet 10.20.0.1      5432
echo ${PGPASSWORD}
psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.103
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.31.3
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.13.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.0.1
</syntaxhighlight>
|}
|}


==Playground==
==Playground==
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' colspan='2' style='width:1400px'|
!scope='col' colspan='2' style='width:1100px'|
'''Playground'''
'''Playground'''
|-
|-
|valign='top'|
|valign='top' colspan='2'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
</syntaxhighlight>
</syntaxhighlight>
 
----
|valign='top'|
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
certbot delete --cert-name  k8s.ab.hetzner.shahed.biz
certbot delete --cert-name  k8s.ab.hetzner.shahed.biz
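Review bot: The rewritten `server shahed_a?_k8s 10.20.40.N:443 ssl verify required ca-file … ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3` lines in the five `backend bck_shahed_biz_shahed_*_k8s` blocks enable chain verification but set neither `verifyhost` nor `sni`, so HAProxy only checks that the upstream certificate chains to `Shahed_ECC_CA_2025.ca-chain.pem` and never checks which host it was issued for — any certificate from that CA is accepted by every backend. Adding `verifyhost <name on the backend certificate>` (or `sni str(<name>)`) to each server line closes that gap; the right name depends on the CN/SAN the backend certificates carry, which this page does not show. Separately, the `# Password: …` comment added after the two `read -s` prompts (MariaDB `ACADEMIA_PASSWORD` and PostgreSQL `PGBOUNCER_PASSWORD` blocks) writes the credential the prompt was meant to keep off the page into the page, and the same password is then interpolated into the `CREATE USER … IDENTIFIED BY` statements; the comment should be dropped and the password rotated. The CFG heredoc that holds the frontend and backend definitions starts before the hunk that shows the backend lines.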

Latest revision as of 03:31, 19 October 2025

Hetzner » Argo

Hetzner » Argo

Name Network Subnets Forward
Hetzner » AA 10.20.41.1/32 10.20.41.1 … 1/32 = 01
Hetzner » AB 10.20.41.2/32 10.20.41.2 … 2/32 = 01
Hetzner » AC 10.20.41.3/32 10.20.41.3 … 3/32 = 01 ⚪️
Hetzner » AD 10.20.41.4/32 10.20.41.4 … 4/32 = 01 ⚪️
Hetzner » AE 10.20.41.5/32 10.20.41.5 … 5/32 = 01 ⚪️

Hetzner » Analyze

Hetzner » Analyze

# Open a root shell on the AB node (key-based auth); the commands that follow
# are typed into that remote shell.
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash

# Quick health snapshot, run as root. Quoted delimiter: the body is passed to
# bash verbatim, nothing is expanded by the calling shell.
sudo bash <<'EXE'
free -th && echo && systemd-analyze && echo
df -h    && echo && lsblk && echo
swapon --show
EXE

Hetzner » Add User

Hetzner » Add User

# Root shell on the AB node; everything below runs there.
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash

# Create the two login accounts with a home directory, then delete and lock
# the password: the accounts can only be entered with an SSH key (set up in
# the SSH config section). Same command sequence per account as before,
# chorke first, then shahed.
for account in chorke shahed; do
  sudo adduser -m        "${account}"
  sudo passwd  -d        "${account}"
  sudo passwd  -l        "${account}"
  sudo chsh -s /bin/bash "${account}"
done

# Edit sudoers through visudo (syntax-checked before saving). The quoted
# block after it is reference text only — `:` ignores its argument — showing
# what the relevant part of the file is expected to look like afterwards.
sudo visudo
:'
# User privilege specification
root    ALL=(ALL:ALL) ALL
shahed  ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
'

Hetzner » SSH Config

Hetzner » Config » SSH

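# Harden sshd: no password logins, no root logins, keys only.
# The sed edits only rewrite the commented-out defaults in sshd_config. A value
# that is already uncommented, or one set by a drop-in under
# /etc/ssh/sshd_config.d/ (cloud images often ship one that enables
# PasswordAuthentication), is left untouched and takes precedence, so the
# "sshd -T" check below is the source of truth, not the sed exit status.
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash

cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
# validate the config first: a syntax error after restart would leave no way back in
sshd -t && systemctl restart ssh
EXE
# effective values after Include/drop-ins; each must show the hardened setting
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
EXE
# Immutable key files: a compromised account cannot add its own keys.
# Remember "chattr -i" before any future key rotation.
sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys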

Hetzner » APT Update

Hetzner » APT Update

# Base packages. /etc/apt/keyrings is created here because later sections
# drop repository signing keys into it (docker.asc).
cat << EXE | sudo bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates \
  gnupg build-essential snapd jq traceroute moreutils;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
# yq from the GitHub "latest" release. The \$ escapes defer expansion to the
# remote bash, so PLATFORM becomes e.g. Linux_arm64 and YQ_BINARY yq_linux_arm64.
# NOTE(review): the binary is fetched over TLS but neither version-pinned nor
# checked against the release's published checksums before it lands in
# /usr/local/bin; pin a release and verify the download for reproducibility.
cat << EXE|sudo bash
PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq
chmod +x /usr/local/bin/yq
EXE

Hetzner » Swap Space

Hetzner » Swap Space

# Replace the swap file with an 11G one (the fstab comment's 8GB + 3GB).
# swapoff fails harmlessly if /swap.img is not active yet; swapon requires
# the 0600 mode set before it.
echo 'swapon --show'|sudo bash
cat <<'EXE' | sudo bash
swapoff /swap.img
fallocate -l 11G /swap.img
ls -lh /swap.img && mkswap /swap.img
chmod 0600 /swap.img && swapon /swap.img && swapon --show && free -th
EXE

# tee -a appends on every run: check /etc/fstab for an existing /swap.img
# entry before repeating this step.
cat << FST | sudo tee -a /etc/fstab >/dev/null
# loop based swap storage » 8GB + 3GB 
/swap.img              none            swap    sw              0       0
FST

free -th
cat /etc/fstab
systemctl daemon-reload
echo 'swapon --show'|sudo bash

Hetzner » Attach Volume

Linode » Attach Volume

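# One-time attach of the Hetzner volume as the minikube PVC store.
# mkfs.ext4 -F formats without asking: run this only on a fresh volume.
# tee -a appends the fstab entry on every run; check for an existing line
# before repeating. nofail keeps boot going if the volume is detached.
cat <<'EXE'| sudo bash
mkdir -p /var/minikube/pvc
mkfs.ext4 -F /dev/disk/by-id/scsi-0HC_Volume_102736306
cat <<'FST'| tee -a /etc/fstab >/dev/null

# hetzner-ab » attach 40gb storage » hetzner-ab-vol-aa
/dev/disk/by-id/scsi-0HC_Volume_102736306 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
FST
systemctl daemon-reload
mount -a
# chown AFTER mount: before it, only the empty mount-point directory on the
# root filesystem is changed, and the new filesystem's root stays owned by
# root once it is mounted over that directory.
chown minikube:minikube -R /var/minikube/pvc/
EXE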

Hetzner » Containerize » LXD

Hetzner » Containerize » LXD

# LXD from the 6/stable snap channel; lxd group membership lets both
# operators drive containers without sudo (verified with id -nG below,
# which needs a fresh login shell, hence sudo -i).
cat << EXE | sudo bash
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE

echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash
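# Non-interactive lxd init: a NAT'd bridge lxdbr0 on 10.20.0.0/24 and a
# 15GiB zfs pool; the default profile attaches a nic on the bridge and a
# root disk on the pool. The heredoc is unquoted but contains nothing to expand.
cat <<YML | sudo lxd init --preseed
---
config: {}
networks:
- config:
    ipv4.address: 10.20.0.1/24
    ipv4.nat: "true"
    ipv6.address: auto
  description: ""
  name: lxdbr0
  type: ""
  project: default
storage_pools:
- config:
    size: 15GiB
  description: ""
  name: lxd-zfs-pool-ab
  driver: zfs
storage_volumes: []
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: lxd-zfs-pool-ab
      type: disk
  name: default
projects: []
cluster: null
YML
# Firewall: add the allow rules BEFORE enabling ufw. Ubuntu's ufw denies
# incoming traffic by default, so enabling it first would refuse new ssh
# sessions until the OpenSSH rule is added. The lxdbr0 rules let containers
# reach the bridge and be routed through the host.
cat << EXE | sudo bash
ufw       allow OpenSSH
ufw       allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
EXE
sudo ufw enable

sudo ufw status numbered
sudo iptables -S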

# Restart lxd so it picks up the firewall state, then smoke-test with an
# Alpine container: the jq filter prints its status, the pings check that
# NAT and DNS work from inside the container.
cat << EXE | sudo bash
snap restart  lxd
snap services lxd
EXE
lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'

cat <<'EXE'| lxc exec academia -- sh
ping -c5 chorke.org
ping -c5 shahed.biz
EXE

Hetzner » Containerize » Docker

Hetzner » Containerize » Docker

# Docker's apt repository, pinned to its signing key: the key is stored in
# /etc/apt/keyrings and the source entry's signed-by= restricts this repo to
# that key only. -f makes curl fail (and tee write nothing) on an HTTP error.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo tee /etc/apt/keyrings/docker.asc >/dev/null

# release codename read from os-release in a subshell (no variables leak)
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# unquoted heredoc: $(dpkg ...) and ${DISTRIBUTION} expand locally;
# the trailing backslash joins the two lines into one deb entry
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
 https://download.docker.com/linux/ubuntu ${DISTRIBUTION}  stable
SRC

# Install Docker CE from the repository added above; apt-cache policy shows
# which candidate version the new source provides.
cat << EXE | sudo bash
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE

# Daemon config: docker0 on 10.20.13.1/24 (the range the database firewall
# rules later allow), public resolvers plus 192.168.49.2 (the minikube node)
# for containers, and verbose daemon logging ("debug": true).
# NOTE(review): debug logging is noisy in production; disable once the host
# is stable.
cat << EOF | sudo tee /etc/docker/daemon.json >/dev/null
{
    "bip"  : "10.20.13.1/24",
    "mtu"  : 1500,
    "dns"  : [
        "1.1.1.1",
        "8.8.8.8",
        "192.168.49.2"
    ],
    "debug": true
}
EOF

# Restart the daemon so daemon.json takes effect (the socket unit must stop
# first or it reactivates the service), then grant the operators docker
# access. Membership of the docker group is root-equivalent on the host.
cat << EXE | sudo bash
systemctl stop  docker.socket
systemctl stop  docker.service
systemctl start docker.service

usermod -aG docker chorke
usermod -aG docker shahed
EXE

ip a
docker image ls
docker network ls

echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash

# smoke test from inside a throwaway container: hosts, resolvers, egress
cat <<'EXE'| docker run --rm -i alpine sh
echo
cat /etc/hosts       ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org  ;echo
ping -c5 shahed.biz  ;echo
EXE

Hetzner » Cloudflare » VIRT

Hetzner » Cloudflare » VIRT

# Dummy interface warp0 carrying 10.20.41.2/32, this host's address in the
# Argo table above. A oneshot unit with RemainAfterExit keeps the interface
# "active" across the boot and deletes it on stop.
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.41.2/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI

cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status       warp0.service
EXE

ip a

Hetzner » Cloudflare » Argo » Tunnel

Hetzner » Cloudflare » Argo » Tunnel

# cloudflared from the GitHub "latest" release, arm64 build hard-coded.
# NOTE(review): dpkg -i installs the .deb without any signature check and
# apt will not upgrade it; Cloudflare's own apt repository provides signed,
# upgradeable packages and is the safer install path.
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
sudo dpkg -i ${HOME}/Downloads/cloudflared-linux-arm64.deb; sudo apt install -f
      rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb

# Kernel tuning for the tunnel: ping_group_range lets unprivileged processes
# (cloudflared) open ICMP datagram sockets; the socket buffer sizes are the
# author's chosen defaults/maximums. Appended with tee -a: not idempotent.
cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null

###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000

# 208 KiB Default RX Buffer
net.core.rmem_default=212992

# 208 KiB Default TX Buffer
net.core.wmem_default=212992

# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608

# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608

SYS

sudo sysctl -p

Skipped » Find More » 👈

Hetzner » Cloudflare » WARP » Tunnel

Hetzner » Cloudflare » WARP » Tunnel

Skipped » Find More » 👈


# Snapshot the cloudflare container, publish the snapshot as a reusable
# image under the same alias, and roll the container back to it.
lxc snapshot cloudflare base:2025.1.861.0
lxc publish  cloudflare/base:2025.1.861.0 --alias cloudflare/base:2025.1.861.0
lxc restore  cloudflare base:2025.1.861.0

lxc snapshot cloudflare shahed:2025.03.09
lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore  cloudflare shahed:2025.03.09

Hetzner » LB » HAProxy » Install & Configure

Hetzner » LB » HAProxy » Install & Config

Skipped » Find More » 👈


# Open HTTP/HTTPS for HAProxy. Together with the OpenSSH and lxdbr0 rules
# these are the only inbound allows on the host; everything else (8443,
# 3306, 5432 ...) stays closed unless a later section opens it.
sudo ufw status numbered
sudo iptables -S

cat << EXE | sudo bash
ufw       allow 80/tcp
ufw       allow 443/tcp
EXE

sudo ufw status numbered
sudo iptables -S

Hetzner » LB » HAProxy » Defaults Config

# HAProxy global section: chroot + unprivileged haproxy user after startup,
# and an admin-level runtime socket restricted by mode 660 to the socket
# owner/group. The admin level allows live changes (disabling servers,
# reloading certificates), so keep that socket's ownership tight.
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null
global
   log             /dev/log   local0
   log             /dev/log   local1 notice
   chroot          /var/lib/haproxy
   stats           socket     /run/haproxy/admin.sock mode 660 level admin
   stats           timeout    30s
   user            haproxy
   group           haproxy
   maxconn         3000
   tune.maxrewrite 1024
   tune.bufsize    32768
   daemon

CFG

# HAProxy defaults for the http frontends: 30-minute client/server idle
# timeouts (long, chosen for the dashboards/k8s traffic behind it), a 60s
# limit on receiving the request headers, and the stock error pages.
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/default-http.cfg >/dev/null

defaults
   mode            http
   log             global
   option          httplog
   option          dontlognull
   option          http-server-close
   timeout         connect      60s
   timeout         client       30m
   timeout         server       30m
   timeout         http-request 60s
   errorfile       400          /etc/haproxy/errors/400.http
   errorfile       403          /etc/haproxy/errors/403.http
   errorfile       408          /etc/haproxy/errors/408.http
   errorfile       500          /etc/haproxy/errors/500.http
   errorfile       502          /etc/haproxy/errors/502.http
   errorfile       503          /etc/haproxy/errors/503.http
   errorfile       504          /etc/haproxy/errors/504.http
CFG

Hetzner » LB » HAProxy » Frontend » HTTP Config

HAProxy » Frontend » HTTP

# Port-80 frontend: everything is redirected to https (301) except
# /.well-known/acme-challenge/, which is handed to certbot's standalone
# listener on 127.0.0.1:19830 (the --http-01-port used in the certbot
# commands below). Quoted delimiter: the config is written verbatim.
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null

# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz
   bind            *:80
   mode            http

   acl             path-is-acme-challenge                path_beg /.well-known/acme-challenge/

   http-request    redirect scheme https code 301        unless path-is-acme-challenge
   use_backend     bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
   default_backend bck_letsencrypt_org_acme_challenge

backend            bck_letsencrypt_org_acme_challenge
   server          letsencrypt 127.0.0.1:19830
   mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/

# review the assembled config, then run the reconfig script to apply it
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

Hetzner » LB » HAProxy » Frontend » HTTPS Config

# First certificate: dry-run against the staging endpoint, then the real
# issuance. --http-01-port=19830 matches the acme backend in the http
# frontend, so HAProxy keeps port 80. The privkey.pem symlink named
# fullchain.pem.key lets HAProxy find the key next to the chain file
# (it looks for <crt>.key when the crt file itself carries no key).
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ab.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ab.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
(cd /etc/letsencrypt/live/k8s.ab.hetzner.shahed.biz/;ln -s privkey.pem fullchain.pem.key)
certbot renew --http-01-port=19830 --force-renewal
certbot renew --http-01-port=19830

HAProxy » Frontend » HTTPS

# One certificate per hostname routed by the https frontend below; the
# e-mail/--agree-tos flags were registered by the first issuance above.
# Each run needs the acme backend on 19830 to be reachable through port 80.
certbot certonly --standalone --non-interactive --http-01-port=19830 -d             s3.minio.hetzner.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                minio.hetzner.shahed.biz

certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.aa.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.ab.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.ac.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.ad.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                k8s.ae.shahed.shahed.biz

certbot certonly --standalone --non-interactive --http-01-port=19830 -d          alertmanager.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d            prometheus.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d              s3.minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d               grafana.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                 minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                  loki.shahed.shahed.biz

certbot certonly --standalone --non-interactive --http-01-port=19830 -d                  artifactory.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                     pgvector.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      jenkins.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                      camunda.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                       harbor.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                       gitlab.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                       docker.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                        nexus.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                         wiki.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                          n8n.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d                           id.shahed.biz

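# Bundle each certificate chain with its private key into live/<name>.pem
# for HAProxy. The bundle contains the private key, so it is created under
# umask 077 (and chmod 600 on re-runs) instead of inheriting the default
# umask, which would leave the key readable by every local account.
# HAProxy loads the bundles as root while parsing its config, before
# switching to the haproxy user, so root-only 0600 files are sufficient.
# The subshell also keeps the caller's working directory unchanged.
(umask 077; cd /etc/letsencrypt/live/ && for d in *;do if [ -d "${d}" ];then cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem";fi;done)
systemctl reload haproxy.service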

# Build the "crt /etc/letsencrypt/live/<name>.pem " list for the bind line.
# Every printf ends with a space, which is what separates the last crt
# path from the "alpn ..." keywords in the bind line below.
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
# Port-443 frontend: TLS 1.2-1.3 with h2, host-based routing to the
# minikube ingress on this host (192.168.49.2:80, plaintext on the local
# bridge) or to the shahed-* clusters over mutually verified TLS.
# X-Forwarded-For uses set-header, so a client-supplied value is replaced,
# not appended. Unquoted heredoc: only ${SSL_CRT_LIST} is expanded here.
# NOTE(review): "verify required ca-file ..." checks that the upstream
# certificate chains to the private CA, but with no "sni" sent and no
# "verifyhost" the upstream's name is not checked, so any certificate from
# that CA is accepted; add "verifyhost <name>" (or "sni req.hdr(host)") if
# the backends should be distinguished by certificate.
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null

# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_ssl
   bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

   acl             host-is-s3-minio-hetzner-shahed-biz         hdr(host) -i         s3.minio.hetzner.shahed.biz
   acl             host-is-k8s-ab-hetzner-shahed-biz           hdr(host) -i           k8s.ab.hetzner.shahed.biz
   acl             host-is-minio-hetzner-shahed-biz            hdr(host) -i            minio.hetzner.shahed.biz

   acl             host-is-k8s-aa-shahed-shahed-biz            hdr(host) -i            k8s.aa.shahed.shahed.biz
   acl             host-is-k8s-ab-shahed-shahed-biz            hdr(host) -i            k8s.ab.shahed.shahed.biz
   acl             host-is-k8s-ac-shahed-shahed-biz            hdr(host) -i            k8s.ac.shahed.shahed.biz
   acl             host-is-k8s-ad-shahed-shahed-biz            hdr(host) -i            k8s.ad.shahed.shahed.biz
   acl             host-is-k8s-ae-shahed-shahed-biz            hdr(host) -i            k8s.ae.shahed.shahed.biz

   acl             host-is-alertmanager-shahed-shahed-biz      hdr(host) -i      alertmanager.shahed.shahed.biz
   acl             host-is-prometheus-shahed-shahed-biz        hdr(host) -i        prometheus.shahed.shahed.biz
   acl             host-is-s3-minio-shahed-shahed-biz          hdr(host) -i          s3.minio.shahed.shahed.biz
   acl             host-is-grafana-shahed-shahed-biz           hdr(host) -i           grafana.shahed.shahed.biz
   acl             host-is-minio-shahed-shahed-biz             hdr(host) -i             minio.shahed.shahed.biz
   acl             host-is-loki-shahed-shahed-biz              hdr(host) -i              loki.shahed.shahed.biz

   acl             host-is-artifactory-shahed-biz              hdr(host) -i              artifactory.shahed.biz
   acl             host-is-pgvector-shahed-biz                 hdr(host) -i                 pgvector.shahed.biz
   acl             host-is-jenkins-shahed-biz                  hdr(host) -i                  jenkins.shahed.biz
   acl             host-is-camunda-shahed-biz                  hdr(host) -i                  camunda.shahed.biz
   acl             host-is-harbor-shahed-biz                   hdr(host) -i                   harbor.shahed.biz
   acl             host-is-gitlab-shahed-biz                   hdr(host) -i                   gitlab.shahed.biz
   acl             host-is-docker-shahed-biz                   hdr(host) -i                   docker.shahed.biz
   acl             host-is-nexus-shahed-biz                    hdr(host) -i                    nexus.shahed.biz
   acl             host-is-wiki-shahed-biz                     hdr(host) -i                     wiki.shahed.biz
   acl             host-is-n8n-shahed-biz                      hdr(host) -i                      n8n.shahed.biz
   acl             host-is-id-shahed-biz                       hdr(host) -i                       id.shahed.biz

   http-request    set-header X-Forwarded-For                  %[src]
   http-request    set-header X-Forwarded-Proto                https

   use_backend     bck_shahed_biz_hetzner_ab_k8s               if           host-is-s3-minio-hetzner-shahed-biz
   use_backend     bck_shahed_biz_hetzner_ab_k8s               if             host-is-k8s-ab-hetzner-shahed-biz
   use_backend     bck_shahed_biz_hetzner_ab_k8s               if              host-is-minio-hetzner-shahed-biz
   use_backend     bck_shahed_biz_hetzner_ab_k8s               if                         host-is-id-shahed-biz

   use_backend     bck_shahed_biz_shahed_aa_k8s                if              host-is-k8s-aa-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ab_k8s                if              host-is-k8s-ab-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ac_k8s                if              host-is-k8s-ac-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ad_k8s                if              host-is-k8s-ad-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if              host-is-k8s-ae-shahed-shahed-biz

   use_backend     bck_shahed_biz_shahed_ae_k8s                if        host-is-alertmanager-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if          host-is-prometheus-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if             host-is-grafana-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if            host-is-s3-minio-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if               host-is-minio-shahed-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                host-is-loki-shahed-shahed-biz

   use_backend     bck_shahed_biz_shahed_ae_k8s                if                host-is-artifactory-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                   host-is-pgvector-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                    host-is-jenkins-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                    host-is-camunda-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                     host-is-harbor-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                     host-is-gitlab-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                     host-is-docker-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                      host-is-nexus-shahed-biz
   use_backend     bck_shahed_biz_shahed_aa_k8s                if                       host-is-wiki-shahed-biz
   use_backend     bck_shahed_biz_shahed_ae_k8s                if                        host-is-n8n-shahed-biz

   default_backend bck_shahed_biz_hetzner_ab_k8s

backend            bck_shahed_biz_hetzner_ab_k8s
   server          hetzner_ab_k8s 192.168.49.2:80
   mode            http

backend            bck_shahed_biz_shahed_aa_k8s
   server          shahed_aa_k8s 10.20.40.1:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

backend            bck_shahed_biz_shahed_ab_k8s
   server          shahed_ab_k8s 10.20.40.2:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

backend            bck_shahed_biz_shahed_ac_k8s
   server          shahed_ac_k8s 10.20.40.3:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

backend            bck_shahed_biz_shahed_ad_k8s
   server          shahed_ad_k8s 10.20.40.4:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

backend            bck_shahed_biz_shahed_ae_k8s
   server          shahed_ae_k8s 10.20.40.5:443 ssl verify required ca-file /etc/haproxy/certs/Shahed_ECC_CA_2025.ca-chain.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/

# review the assembled config, then run the reconfig script to apply it
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

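# Renew everything, rebuild the chain+key bundles and reload HAProxy.
# The bundles carry private keys, so they are written under umask 077
# (and chmod 600 on re-runs) rather than with the default umask; the
# subshell also keeps the caller's working directory unchanged.
certbot renew --http-01-port=19830 --force-renewal
(umask 077; cd /etc/letsencrypt/live/ && for d in *;do if [ -d "${d}" ];then cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem";fi;done)
systemctl reload haproxy.service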

Hetzner » LB » HAProxy » Frontend » Kube API Config

Hetzner » LB » HAProxy » Frontend » Kube API Config

# TCP passthrough for the minikube API server: HAProxy on 8443 forwards to
# the node at 192.168.49.2:8443, so TLS terminates at the kube-apiserver.
# NOTE(review): the header comment names 10.20.41.2:8443 but the bind is
# "*:8443", i.e. every address on the host; only the ufw rules (22/80/443
# and lxdbr0 so far) keep it off the public interface. "bind 10.20.41.2:8443"
# would match the intent, provided warp0 is up before HAProxy starts.
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null

# ##############################################################################
# tcp frontend config for 10.20.41.2:8443
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_hetzner_ab
   bind            *:8443
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_hetzner_ab

backend            bck_shahed_biz_hetzner_ab
   server          hetzner_ab 192.168.49.2:8443
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/

# review the assembled config, then run the reconfig script to apply it
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

# The API server certificate must also be valid for 10.20.41.2, the address
# clients reach through the HAProxy tcp frontend: add --apiserver-ips to the
# unit's ExecStart and restart minikube so it re-issues its certs.
systemctl disable --now minikube.service
vim /etc/systemd/system/minikube.service
# append --apiserver-ips=10.20.41.2 with ExecStart
systemctl enable --now minikube.service

# then continue as the minikube user on the host (over the warp address)
ssh -qt root@10.20.41.2 bash
sudo -i -u minikube

# run this script on the minikube host. copy the generated output and
# execute it on your local machine's terminal to enable monitoring of
# the minikube cluster.
#
# How it works: the outer LOG heredoc is unquoted, so its two $( ... )
# substitutions run on the host while the rest is printed literally.
#   1. the first one writes a kubeconfig pointing at https://10.20.41.2:8443
#      with file references relative to ~/.kube (../.minikube/...) and
#      prints nothing;
#   2. the second one runs "kubectl config view --flatten" against it,
#      printing a self-contained kubeconfig with the certificate data
#      inlined, and deletes the temporary file on the host.
# The printed script writes that flattened config on the local machine,
# restricts it to 0600 and points KUBECONFIG at it; "$(echo -n)" at the
# end expands to nothing and just ends the output cleanly.
# NOTE(review): the output embeds the cluster's client certificate and
# private key (admin credentials); treat the terminal scrollback and any
# session log the same way as the kubeconfig file itself.

cat << LOG
$(cat <<'YML'| tee ~/.kube/hetzner-ab-kubeconfig.yaml >/dev/null
apiVersion: v1
kind: Config
clusters:
- name: minikube
  cluster:
    server: https://10.20.41.2:8443
    certificate-authority: ../.minikube/ca.crt

contexts:
- name: hetzner-ab
  context:
    cluster: minikube
    namespace: default
    user: minikube

users:
- name: minikube
  user:
    client-certificate: ../.minikube/profiles/minikube/client.crt
    client-key: ../.minikube/profiles/minikube/client.key

current-context: hetzner-ab
YML
)

cat <<'YML'| tee ~/.kube/hetzner-ab-kubeconfig.yaml >/dev/null
$(export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml;\
kubectl config view --flatten;\
rm ${KUBECONFIG};\
)
YML

chmod 600 ~/.kube/hetzner-ab-kubeconfig.yaml
  ls -alh ~/.kube/

export KUBECONFIG=~/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
kubectl get    namespace
$(echo -n)
LOG

Hetzner » Database » MariaDB » Install & Configure

Database » MariaDB » Install & Configure

# MariaDB server and client from the distribution repositories.
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y mariadb-server mariadb-client;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

# enable at boot and verify the service and binary
cat << EXE | sudo bash
systemctl daemon-reload;echo
systemctl enable --now mariadb.service
systemctl status       mariadb.service
mariadb --version
EXE

# -- security risk: don't exec it
# ${USER} expands to the invoking account (the heredoc is unquoted and read
# before sudo). The statements give that account a passwordless
# (unix_socket) superuser login WITH GRANT OPTION, i.e. full control of the
# server from any local shell running as that user.
cat << DDL | sudo -i -u root mariadb
CREATE USER '${USER}'@'localhost' IDENTIFIED VIA unix_socket;
GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
DDL

# Prompt for the application password without echo. It is exported so the
# heredoc below can interpolate it; the DDL travels over stdin, not argv.
# Unset ACADEMIA_PASSWORD once the user exists; do not record it here.
echo -n 'Password: ';read -s ACADEMIA_PASSWORD;export ACADEMIA_PASSWORD;echo
# (password is entered interactively above; never write it into this page)

# 'academia'@'%' accepts the login from any source address at the database
# layer; the ufw rules in the next block are what actually limit reachability.
cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS academia;
CREATE USER 'academia'@'%' IDENTIFIED BY '${ACADEMIA_PASSWORD}';
GRANT ALL PRIVILEGES ON academia.* TO 'academia'@'%';
FLUSH PRIVILEGES;
DDL

# Listen on all interfaces (the sed only matches the stock bind-address line,
# spacing included) and rely on the host firewall for reachability.
cat << EXE | sudo bash
sed 's|bind-address            = 127.0.0.1|bind-address            = 0.0.0.0|' -i /etc/mysql/mariadb.conf.d/50-server.cnf
systemctl restart      mariadb.service
EXE

# Allow 3306 only from: the minikube node (192.168.49.2), the lxd bridge
# (10.20.0.0/24, see the lxd preseed), the docker bridge (10.20.13.0/24,
# see daemon.json) and 10.20.31.0/24 (not defined on this page). The
# commented "ufw allow 3306/tcp" would open it to everyone; keep it off.
cat << EXE | sudo bash
# ufw allow 3306/tcp
  ufw allow from 192.168.49.2/32 to any port 3306 proto tcp
  ufw allow from 10.20.0.0/24    to any port 3306 proto tcp
  ufw allow from 10.20.13.0/24   to any port 3306 proto tcp
  ufw allow from 10.20.31.0/24   to any port 3306 proto tcp
EXE

Skipped » Find More » 👈

Hetzner » Database » PostgreSQL » Install & Configure

Database » PostgreSQL » Install & Configure

# PostgreSQL server and contrib modules from the distribution repositories.
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y postgresql postgresql-contrib;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

# enable at boot; pg_lsclusters shows the cluster version/port that the
# config paths later in this section (/etc/postgresql/16/main) must match
cat << EXE | sudo bash
systemctl daemon-reload;echo
systemctl enable --now postgresql.service
systemctl status       postgresql.service
pg_lsclusters;echo
psql --version
EXE

# -- security risk: don't exec it
# ${USER} expands to the invoking account before sudo (outer heredoc is
# unquoted); the nested DDL heredoc then makes that role a SUPERUSER, i.e.
# a passwordless (peer-auth) full-control login from any local shell.
cat << EXE | sudo -i -u postgres bash
createuser ${USER}
createdb   ${USER}
cat << DDL | psql
ALTER USER ${USER} WITH SUPERUSER;
DDL
EXE

# Prompt for the pgbouncer role password without echo; exported so the two
# DDL heredocs can interpolate it (sent over stdin). Unset it afterwards.
echo -n 'Password: ';read -s PGBOUNCER_PASSWORD;export PGBOUNCER_PASSWORD;echo
# (password is entered interactively above; never write it into this page)

# One database + owning role per cluster (aa, ab), both sharing the password
# read above. The SELECT ... \gexec creates the database only if missing,
# since CREATE DATABASE has no IF NOT EXISTS; CREATE USER is not idempotent.
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_aa' 
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_aa')\gexec
CREATE USER bouncer_aa WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_aa TO bouncer_aa;
ALTER DATABASE bouncer_aa OWNER TO bouncer_aa;
DDL

cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_ab' 
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_ab')\gexec
CREATE USER bouncer_ab WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_ab TO bouncer_ab;
ALTER DATABASE bouncer_ab OWNER TO bouncer_ab;
DDL

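# Open PostgreSQL to the container networks: listen on every address and
# extend pg_hba.conf so the minikube node, lxd bridge, docker bridge and
# 10.20.31.0/24 authenticate with scram-sha-256 (ufw limits who can reach
# 5432; see the next block). Quoted 'EXE': everything expands on the host.
cat <<'EXE'| sudo bash
# the stock localhost line that the replacement below is anchored on
IPV4_LOCAL_FIND=$(cat <<EOF
host    all             all             127.0.0.1/32            scram-sha-256
EOF
)
# Plain scalar. The original "IPV4_LOCAL_FILL[${YARN_CONF_INDX}]=" carried an
# array subscript copied from another script; YARN_CONF_INDX is never set
# here, so the subscript was empty, the assignment could not succeed, and
# the sed below would have replaced the localhost line with an empty string.
# The "\n\" endings become literal \n for sed -z (backslash-newline is
# dropped by the unquoted heredoc), so each entry lands on its own line.
IPV4_LOCAL_FILL=$(cat <<EOF
host    all             all             127.0.0.1/32            scram-sha-256\n\
host    all             all             192.168.49.2/32         scram-sha-256\n\
host    all             all             10.20.0.0/24            scram-sha-256\n\
host    all             all             10.20.13.0/24           scram-sha-256\n\
host    all             all             10.20.31.0/24           scram-sha-256
EOF
)
sed    "s|#listen_addresses = 'localhost'|listen_addresses = '*'         |" -i /etc/postgresql/16/main/postgresql.conf
sed -z "s|${IPV4_LOCAL_FIND}|${IPV4_LOCAL_FILL}|"                           -i /etc/postgresql/16/main/pg_hba.conf
systemctl restart      postgresql.service
EXE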

# Allow 5432 only from the same four source ranges used for MariaDB; the
# commented "ufw allow 5432/tcp" would open it to everyone. These rules are
# the real access control for the 0.0.0.0 listener configured above.
cat << EXE | sudo bash
# ufw allow 5432/tcp
  ufw allow from 192.168.49.2/32 to any port 5432 proto tcp
  ufw allow from 10.20.0.0/24    to any port 5432 proto tcp
  ufw allow from 10.20.13.0/24   to any port 5432 proto tcp
  ufw allow from 10.20.31.0/24   to any port 5432 proto tcp
EXE

Skipped » Find More » 👈

Hetzner » Kubernetes » Minikube » Install & Configure

Hetzner » Kubernetes » Minikube » Install & Configure

Skipped » Find More » 👈


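# Install minikube through the Chorke bootstrap script (2 CPUs, 5682 MB RAM,
# ingress host k8s.ab.hetzner.shahed.biz), piped from the CDN into bash.
# curl -fsS: -f turns an HTTP error into a curl failure instead of feeding
# the error page to bash (the original -s alone would have), -S still prints
# the error, -s hides the progress meter. The script is fetched over TLS but
# not otherwise verified; read the pinned URL's content before running it
# on a new host.
if [ -x "$(command -v curl)" ];then \
sudo apt -qq update;\
export MINIKUBE_CPU_USE=2;\
export MINIKUBE_RAM_USE=5682;\
export MINIKUBE_INGRESS_HOST='k8s.ab.hetzner.shahed.biz';\
bash <(curl -fsS 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt');\
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi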

Skipped » Find More » 👈

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Skipped » Find More 👉 Minikube » Tunnel » Systemd


Skipped » Find More 👉 Minikube » MetalLB » Forward » Route

Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard

Hetzner » K8s » Dashboard » Ingress » Apply

# Expose the Kubernetes dashboard through the nginx ingress behind HAProxy.
# Basic auth is enforced by the ingress (auth-secret kubernetes-dashboard-auth
# must already exist in the namespace). TLS ends at HAProxy; between HAProxy
# and the ingress (192.168.49.2:80) the credentials travel in clear text on
# the host's minikube bridge.
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts

cat << YML | kubectl -n kubernetes-dashboard apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
spec:
  ingressClassName: nginx
  rules:
    - host: k8s.ab.hetzner.shahed.biz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80
YML

Skipped » Find More 👉 K8s » CoreDNS


Skipped » Find More 👉 K8s » Dashboard

Hetzner » Kubernetes » Debug » MariaDB

Hetzner » Kubernetes » Debug » MariaDB

# Reachability check for MariaDB from inside the cluster: a throwaway Alpine
# pod (--rm) in the swiss-knife namespace, telnet to the candidate addresses,
# then a real client login.
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife
kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet

# MYSQL_PWD is read from the environment by the client, so no -p prompt;
# it is visible to every process in the pod. The "echo ${MYSQL_PWD}" line
# only confirms the read and prints the password to the terminal: drop it
# once the flow is verified.
echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
telnet 192.168.49.1 3306
telnet 10.20.31.3   3306
telnet 10.20.13.3   3306
telnet 10.20.0.1    3306
echo ${MYSQL_PWD}

mariadb -u academia -D academia -P3306 -h 192.168.49.1
mariadb -u academia -D academia -P3306 -h 10.20.31.3
mariadb -u academia -D academia -P3306 -h 10.20.13.1
mariadb -u academia -D academia -P3306 -h 10.20.0.1

Hetzner » Kubernetes » Debug » PostgreSQL

Hetzner » Kubernetes » Debug » PostgreSQL

# Reachability check for PostgreSQL/pgbouncer from inside the cluster, same
# pattern as the MariaDB debug block: throwaway Alpine pod, telnet probes
# (in-cluster service names first, then host addresses), then psql logins.
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife
kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet

# PGPASSWORD is read from the environment by psql; it is visible to every
# process in the pod, and "echo ${PGPASSWORD}" prints it to the terminal.
# Keep that line only while verifying the flow.
echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 192.168.49.1   5432
telnet 10.20.31.3     5432
telnet 10.20.13.1     5432
telnet 10.20.0.1      5432
echo ${PGPASSWORD}

psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.103
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.31.3
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.13.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.0.1

Playground

Playground

# Install the cid key on the shahed-aa node: -n first shows which keys would
# be added without changing anything, the second run installs them.
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1

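# Scratch commands: drop two certificates, rebuild the chain+key bundles
# and print the bind-line fragment the https frontend uses.
# The bundle step matches the HTTPS section: the bundles carry private keys,
# so they are created under umask 077 (chmod 600 on re-runs) rather than
# with the default umask; the subshell keeps the working directory unchanged.
certbot delete --cert-name  k8s.ab.hetzner.shahed.biz
certbot delete --cert-name psql.ab.hetzner.shahed.biz
(umask 077; cd /etc/letsencrypt/live/ && for d in *;do if [ -d "${d}" ];then cat "${d}"/{fullchain,privkey}.pem > "${d}.pem" && chmod 600 "${d}.pem";fi;done)
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done;\
printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"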
# Two candidate sudoers rules for the minikube account, syntax-checked with
# "visudo -cf /dev/stdin" (a check only; nothing is installed by it).
# The first grants passwordless sudo for everything.
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI

sudo visudo
sudo cat /etc/sudoers
# The second limits it to "ip route ..." and "minikube tunnel ..."; the
# trailing "*" matches any argument string, so the commands themselves
# are the boundary, not their arguments. Prefer this one over the
# NOPASSWD: ALL variant when the tunnel is all minikube needs root for.
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI

# install the chosen rule as a drop-in (visudo -f validates before saving)
sudo visudo -f /etc/sudoers.d/minikube
sudo cat       /etc/sudoers.d/minikube

References