Cloud/Hetzner/AA: Difference between revisions

Latest revision as of 03:30, 19 October 2025

Hetzner » Argo

Hetzner » Argo
Name	Network	Subnets	Forward
Hetzner » AA	`10.20.41.1/32`	`10.20.41.1 … 1/32 = 01`	✅
Hetzner » AB	`10.20.41.2/32`	`10.20.41.2 … 2/32 = 01`	✅
Hetzner » AC	`10.20.41.3/32`	`10.20.41.3 … 3/32 = 01`	⚪️
Hetzner » AD	`10.20.41.4/32`	`10.20.41.4 … 4/32 = 01`	⚪️
Hetzner » AE	`10.20.41.5/32`	`10.20.41.5 … 5/32 = 01`	⚪️

Hetzner » Analyze

Hetzner » Analyze
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip bash cat <<'EXE' \| sudo bash free -th && echo && systemd-analyze && echo df -h && echo && lsblk && echo swapon --show EXE

Hetzner » Add User

ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash

sudo adduser -m        chorke
sudo passwd  -d        chorke
sudo passwd  -l        chorke
sudo chsh -s /bin/bash chorke

sudo adduser -m        shahed
sudo passwd  -d        shahed
sudo passwd  -l        shahed
sudo chsh -s /bin/bash shahed

sudo visudo
:'
# User privilege specification
root    ALL=(ALL:ALL) ALL
shahed  ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
'

Hetzner » SSH Config

Hetzner » Config » SSH

ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash

cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
systemctl restart ssh
EXE

cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
EXE

sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys

Hetzner » APT Update

cat << EXE | sudo bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates \
  gnupg build-essential snapd jq traceroute moreutils;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

cat << EXE|sudo bash
PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq
chmod +x /usr/local/bin/yq
EXE

Hetzner » Swap Space

echo 'swapon --show'|sudo bash
cat <<'EXE' | sudo bash
swapoff /swap.img
fallocate -l 20G /swap.img
ls -lh /swap.img && mkswap /swap.img
chmod 0600 /swap.img && swapon /swap.img && swapon --show && free -th
EXE

cat << FST | sudo tee -a /etc/fstab >/dev/null

# loop based swap storage » 16GB + 4GB 
/swap.img              none            swap    sw              0       0
FST

free -th
cat /etc/fstab
systemctl daemon-reload
echo 'swapon --show'|sudo bash

Hetzner » Attach Volume

Linode » Attach Volume

cat <<'EXE'| sudo bash
mkdir -p /var/minikube/pvc
mkfs.ext4 -F /dev/disk/by-id/scsi-0HC_Volume_102736305
cat <<'FST'| tee -a /etc/fstab >/dev/null

# hetzner-aa » attach 80gb storage » hetzner-aa-vol-aa
/dev/disk/by-id/scsi-0HC_Volume_102736305 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
FST
chown minikube:minikube -R /var/minikube/pvc/
systemctl daemon-reload
mount -a
EXE

Hetzner » Containerize » LXD

cat << EXE | sudo bash
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE

echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash

cat <<YML | sudo lxd init --preseed
---
config: {}
networks:
- config:
    ipv4.address: 10.20.0.1/24
    ipv4.nat: "true"
    ipv6.address: auto
  description: ""
  name: lxdbr0
  type: ""
  project: default
storage_pools:
- config:
    size: 30GiB
  description: ""
  name: lxd-zfs-pool-aa
  driver: zfs
storage_volumes: []
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: lxd-zfs-pool-aa
      type: disk
  name: default
projects: []
cluster: null
YML

sudo ufw enable
sudo iptables -S

cat << EXE | sudo bash
ufw       allow OpenSSH
ufw       allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
EXE

sudo ufw status numbered
sudo iptables -S

cat << EXE | sudo bash
snap restart  lxd
snap services lxd
EXE

lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'

cat <<'EXE'| lxc exec academia -- sh
ping -c5 chorke.org
ping -c5 shahed.biz
EXE

Hetzner » Containerize » Docker

curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo tee /etc/apt/keyrings/docker.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu ${DISTRIBUTION}  stable
SRC

cat << EXE | sudo bash
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE

cat << EOF | sudo tee /etc/docker/daemon.json >/dev/null
{
    "bip"  : "10.20.13.1/24",
    "mtu"  : 1500,
    "dns"  : [
        "1.1.1.1",
        "8.8.8.8",
        "192.168.49.2"
    ],
    "debug": true
}
EOF

cat << EXE | sudo bash
systemctl stop  docker.socket
systemctl stop  docker.service
systemctl start docker.service

usermod -aG docker chorke
usermod -aG docker shahed
EXE

ip a
docker image ls
docker network ls

echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash

cat <<'EXE'| docker run --rm -i alpine sh
echo
cat /etc/hosts       ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org  ;echo
ping -c5 shahed.biz  ;echo
EXE

Hetzner » Cloudflare » VIRT

Hetzner » Cloudflare » VIRTl

cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.41.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI

cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status       warp0.service
EXE

ip a

Hetzner » Cloudflare » Argo » Tunnel

wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
sudo dpkg -i ${HOME}/Downloads/cloudflared-linux-arm64.deb; sudo apt install -f
      rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb

cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null

###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000

# 208 KiB Default RX Buffer
net.core.rmem_default=212992

# 208 KiB Default TX Buffer
net.core.wmem_default=212992

# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608

# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608

SYS

sudo sysctl -p

Skipped » Find More » 👈

Hetzner » Cloudflare » WARP » Tunnel

lxc launch ubuntu:24.04 cloudflare
lxc list -c=n -f=json|jq -r '.[]|select(.name=="cloudflare")|.status'

cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg jq && apt-get clean
EXE

cat <<'EXE' | lxc exec cloudflare -- bash
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
 | sudo tee /etc/apt/keyrings/cloudflare.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}");\
cat << SRC | sudo tee /etc/apt/sources.list.d/cloudflare.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/cloudflare.asc]\
 https://pkg.cloudflareclient.com/ ${DISTRIBUTION} main
SRC

cat /etc/apt/sources.list.d/cloudflare.list
cat /etc/apt/keyrings/cloudflare.asc
EXE

cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y cloudflare-warp && apt-get clean
EXE

lxc exec cloudflare -- bash
sudo vim /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
net.ipv4.ip_forward = 1

ip route | grep default
default via 10.20.0.1 dev eth0 proto dhcp src 10.20.0.161 metric 100

lxc snapshot cloudflare base:2024.12.554.0
lxc publish  cloudflare/base:2024.12.554.0 --alias cloudflare/base:2024.12.554.0
lxc restore  cloudflare base:2024.12.554.0

lxc exec cloudflare -- bash
sudo warp-cli status

cat <<'EXE' | lxc exec cloudflare -- bash
warp-cli connector new eyJhIjoiNW…
warp-cli connect
EXE

cat << EXE | lxc exec cloudflare -- bash
warp-cli status
systemctl daemon-reload
systemctl enable --now warp-svc.service
systemctl status       warp-svc.service
EXE

cat << EXE | lxc exec cloudflare -- bash
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get -y install iptables-persistent && apt-get clean cache
EXE

cat << EXE | lxc exec cloudflare -- bash
# allow forwarding traffic from host
iptables -A FORWARD -i eth0 -o CloudflareWARP -j ACCEPT
iptables -A FORWARD -i CloudflareWARP -o eth0 -j ACCEPT

# cloudflarewarp nat gateway setup for host
iptables -t nat -A POSTROUTING -o CloudflareWARP -j MASQUERADE

# persist across reboots, save the rules
        mkdir -p /etc/iptables/
iptables-save  > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
EXE

lxc snapshot cloudflare shahed:2025.03.09
lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore  cloudflare shahed:2025.03.09

Skipped » Find More » 👈

Hetzner » Cloudflare » WARP » Exclude

Hetzner » Cloudflare » WARP » Exclude
`Settings » 0Trust » WARP Client » Device settings » Profile settings » Default » Configure »`
`Split Tunnels » Exclude IPs and domains » Manage » Manage Split Tunnels`
Name	Network	Exclude
Network » OpenVPN	`10.20.30.0/24`	✅
Network » Hetzner	`10.20.31.0/24`	✅
Network » Docker	`10.20.13.0/24`	✅
Network » Home	`10.19.83.0/24`	✅
Network » LXD	`10.20.0.0/24`	✅
Name	Network	Exclude
Network » WiFi	`192.168.10.0/24`	✅
Network » WiFi	`192.168.1.0/24`	✅
Network » WiFi	`192.168.0.0/24`	✅
Network » WiFi	`172.17.0.0/24`	✅
Network » WiFi	`172.16.0.0/24`	✅
Network » WiFi	`10.10.10.0/24`	✅
Network » WiFi	`10.0.1.0/24`	✅
Network » WiFi	`10.0.0.0/24`	✅

Hetzner » Cloudflare » WARP » Forward

Hetzner » Cloudflare » WARP » Forward
Implement Forward Routing
Name	Network	Subnets	Forward
Network » Cloud	`10.20.40.0/21`	`10.20.40 … 47.0/24 = 8`	✅
Network » Cloud	`10.20.48.0/21`	`10.20.48 … 55.0/24 = 8`	⚪️
Network » Cloud	`10.20.56.0/21`	`10.20.56 … 63.0/24 = 8`	⚪️
Network » Cloud	`10.20.46.0/23`	`10.20.46 … 47.0/24 = 2`	⚪️
Network » Cloud	`10.20.48.0/23`	`10.20.48 … 49.0/24 = 2`	✅
Network » Cloud	`10.20.50.0/23`	`10.20.50 … 51.0/24 = 2`	⚪️
Name	Network	Subnets	Forward
Network » Office	`10.20.10.0/24`	`10.20.10 … 10.0/24 = 1`	✅

Cloudflare » WARP » Forward » Route

Cloudflare » WARP » IP » Route » Service

vim /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
net.ipv4.ip_forward = 1

ip route | grep default
default via 172.31.1.1 dev eth0 proto dhcp src 65.21.251.38 metric 100

cat << EXE | sudo bash
cat << ENV | tee /etc/default/warp-route >/dev/null
LXC_WARP_CLI_NAME=cloudflare
LXC_WARP_CLI_HOST=$(lxc list -f=json cloudflare | jq -r '.[]|.state.network.eth0.addresses[]|select(.family=="inet")|.address')
ENV
echo
cat /etc/default/warp-route
EXE

cat <<'INI' | sudo tee /etc/systemd/system/warp-route.service >/dev/null
[Unit]
Description=WARP Routes Over Clodflare LXC
Wants=network-online.target docker.service snap.lxd.daemon.service containerd.service
After=network-online.target docker.service snap.lxd.daemon.service containerd.service

[Service]
Type=oneshot
EnvironmentFile=-/etc/default/warp-route

ExecStartPre=/bin/sleep 15
ExecStartPre=/bin/bash -c "if [ -z \"${LXC_WARP_CLI_HOST}\" ]; then echo \"Variable LXC_WARP_CLI_HOST not set in /etc/default/warp-route\"; errors_exit; fi"
ExecStart=/usr/sbin/ip route add 10.20.10.0/24 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via ${LXC_WARP_CLI_HOST}
ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via ${LXC_WARP_CLI_HOST}
ExecStop=/usr/sbin/ip  route del 10.20.10.0/24
ExecStop=/usr/sbin/ip  route del 10.20.40.0/21
ExecStop=/usr/sbin/ip  route del 10.20.48.0/23
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
INI

cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl enable  --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE

cat << EXE | bash
traceroute 10.20.40.1
traceroute 10.20.41.1
EXE

cat << EXE | sudo bash
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl disable --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE

Hetzner » LB » HAProxy » Install & Configure

cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y haproxy certbot;echo;haproxy -v;echo
cat /etc/haproxy/haproxy.cfg;echo
apt-get clean cache
EXE

sudo ufw status numbered
sudo iptables -S

cat << EXE | sudo bash
ufw       allow 80/tcp
ufw       allow 443/tcp
ufw       allow 4321/tcp
EXE

sudo ufw status numbered
sudo iptables -S

Skipped » Find More » 👈

cat <<'EXE'| sudo bash
        /etc/haproxy/proxy-scripts/reconfig
ls -alh /etc/haproxy/{haproxy.cfg,proxy-{backups,configs,default,enabled,scripts}}
EXE

     nmap --reason mail.shahed.biz -sT -Pn -p25,587,110,995,143,993,465,4190
     nmap --reason  vpn.shahed.biz -sT -Pn --top 20
     nmap --reason  git.shahed.biz -sT -Pn -p4321
     nmap --reason  vpn.shahed.biz -sT -Pn -p1194
sudo nmap --reason  vpn.shahed.biz -sU -Pn -p1194

Hetzner » LB » HAProxy » Frontend » HTTP Config

HAProxy » Frontend » HTTP

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null

# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz
   bind            *:80
   mode            http

   acl             path-is-acme-challenge                path_beg /.well-known/acme-challenge/

   http-request    redirect scheme https code 301        unless path-is-acme-challenge
   use_backend     bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
   default_backend bck_letsencrypt_org_acme_challenge

backend            bck_letsencrypt_org_acme_challenge
   server          letsencrypt 127.0.0.1:19830
   mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

Hetzner » LB » HAProxy » Frontend » HTTPS Config

certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
(cd /etc/letsencrypt/live/k8s.aa.hetzner.shahed.biz/;ln -s privkey.pem fullchain.pem.key)
certbot renew --http-01-port=19830 --force-renewal
certbot renew --http-01-port=19830

HAProxy » Frontend » HTTPS

certbot certonly --standalone --non-interactive --http-01-port=19830 -d  cid.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  dev.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  hub.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d  reg.chorke.org
certbot certonly --standalone --non-interactive --http-01-port=19830 -d wiki.chorke.org

cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service

SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null

# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_ssl
   bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

   acl             host-is-k8s-aa-hetzner-shahed-biz     hdr(host) -i k8s.aa.hetzner.shahed.biz
   acl             host-is-cid-shahed-biz                hdr(host) -i            cid.chorke.org
   acl             host-is-dev-shahed-biz                hdr(host) -i            dev.chorke.org
   acl             host-is-hub-shahed-biz                hdr(host) -i            hub.chorke.org
   acl             host-is-reg-shahed-biz                hdr(host) -i            reg.chorke.org
   acl             host-is-wiki-chorke-org               hdr(host) -i           wiki.chorke.org
 
   acl             path-is-artifactory                   path_beg /artifactory/
   acl             path-is-jenkins                       path_beg /jenkins/
   acl             path-is-gitlab                        path_beg /gitlab/
   acl             path-is-nexus                         path_beg /nexus/

   http-request    set-header X-Forwarded-For            %[src]
   http-request    set-header X-Forwarded-Proto          https

   use_backend     bck_shahed_biz_cid_artifactory        if            host-is-cid-shahed-biz path-is-artifactory
   use_backend     bck_shahed_biz_cid_jenkins            if            host-is-cid-shahed-biz path-is-jenkins
   use_backend     bck_shahed_biz_cid_gitlab             if            host-is-cid-shahed-biz path-is-gitlab
   use_backend     bck_shahed_biz_cid_nexus              if            host-is-cid-shahed-biz path-is-nexus
   use_backend     bck_shahed_biz_hub_nexus              if            host-is-hub-shahed-biz
   use_backend     bck_shahed_biz_reg_nexus              if            host-is-reg-shahed-biz

   use_backend     bck_shahed_biz_hetzner_aa_k8s         if host-is-k8s-aa-hetzner-shahed-biz
   use_backend     bck_shahed_biz_hetzner_aa_k8s         if           host-is-wiki-chorke-org
   default_backend bck_shahed_biz_cid

backend            bck_shahed_biz_cid_artifactory
   server          shahed_ah_artifactory 10.20.40.8:8084
   mode            http

backend            bck_shahed_biz_cid_jenkins
   server          shahed_ah_jenkins 10.20.40.8:8080
   mode            http

backend            bck_shahed_biz_cid_gitlab
   server          shahed_af_gitlab 10.20.40.6:80
   mode            http

backend            bck_shahed_biz_cid_nexus
   server          shahed_ah_nexus 10.20.40.8:8081
   mode            http

backend            bck_shahed_biz_hub_nexus
   server          shahed_ah_nexus 10.20.40.8:8082
   mode            http

backend            bck_shahed_biz_reg_nexus
   server          shahed_ah_nexus 10.20.40.8:8083
   mode            http

backend            bck_shahed_biz_hetzner_aa_k8s
   server          hetzner_aa_k8s 192.168.49.2:80
   mode            http

backend            bck_shahed_biz_cid
   server          shahed_am_apache2 10.20.40.13:80
   mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

certbot renew --http-01-port=19830 --force-renewal
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service

Hetzner » LB » HAProxy » Frontend » OVPN Config

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null


# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc

# udp mode not supported, please go with iptables forward

# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE

# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

Hetzner » LB » HAProxy » Frontend » Git Repo Config

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null


# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_git_gitlab_ssh
   bind            *:4321
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_git_gitlab_ssh

backend            bck_shahed_biz_git_gitlab_ssh
   server          shahed_af_gitlab 10.20.40.6:4321
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@git.chorke.org bash
ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@aa.hetzner.shahed.biz bash

Hetzner » LB » HAProxy » Frontend » Kube API Config

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null

# ##############################################################################
# tcp frontend config for 10.20.41.1:8443
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_hetzner_aa
   bind            *:8443
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_hetzner_aa

backend            bck_shahed_biz_hetzner_aa
   server          hetzner_aa 192.168.49.2:8443
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

systemctl disable --now minikube.service
vim /etc/systemd/system/minikube.service
# append --apiserver-ips=10.20.41.1 with ExecStart
systemctl enable --now minikube.service

ssh -qt root@10.20.41.1 bash
sudo -i -u minikube

# run this script on the minikube host. copy the generated output and
# execute it on your local machine's terminal to enable monitoring of
# the minikube cluster.

cat << LOG
$(cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
apiVersion: v1
kind: Config
clusters:
- name: minikube
  cluster:
    server: https://10.20.41.1:8443
    certificate-authority: ../.minikube/ca.crt

contexts:
- name: hetzner-aa
  context:
    cluster: minikube
    namespace: default
    user: minikube

users:
- name: minikube
  user:
    client-certificate: ../.minikube/profiles/minikube/client.crt
    client-key: ../.minikube/profiles/minikube/client.key

current-context: hetzner-aa
YML
)

cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
$(export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml;\
kubectl config view --flatten;\
rm ${KUBECONFIG};\
)
YML

chmod 600 ~/.kube/hetzner-aa-kubeconfig.yaml
  ls -alh ~/.kube/

export KUBECONFIG=~/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts
kubectl get    namespace
$(echo -n)
LOG

LB » HAProxy » Frontend » Mail TCP Config

LB » HAProxy » Frontend » Mail TCP Config

cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null


# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc

# haproxy:         mail.shahed.biz:25
frontend           fnt_shahed_biz_mail_smtp_25
   bind            *:25
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtp_25

backend            bck_shahed_biz_mail_smtp_25
   server          shahed_va 10.20.40.200:25
   mode            tcp

# haproxy:         mail.shahed.biz:587
frontend           fnt_shahed_biz_mail_smtp_587
   bind            *:587
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtp_587

backend            bck_shahed_biz_mail_smtp_587
   server          shahed_va 10.20.40.200:587
   mode            tcp

# haproxy:         mail.shahed.biz:110
frontend           fnt_shahed_biz_mail_pop3_110
   bind            *:110
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_pop3_110

backend            bck_shahed_biz_mail_pop3_110
   server          shahed_va 10.20.40.200:110
   mode            tcp

# haproxy:         mail.shahed.biz:995
frontend           fnt_shahed_biz_mail_pop3_995
   bind            *:995
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_pop3_995

backend            bck_shahed_biz_mail_pop3_995
   server          shahed_va 10.20.40.200:995
   mode            tcp

# haproxy:         mail.shahed.biz:143
frontend           fnt_shahed_biz_mail_imap_143
   bind            *:143
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_imap_143

backend            bck_shahed_biz_mail_imap_143
   server          shahed_va 10.20.40.200:143
   mode            tcp

# haproxy:         mail.shahed.biz:993
frontend           fnt_shahed_biz_mail_imap_993
   bind            *:993
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_imap_993

backend            bck_shahed_biz_mail_imap_993
   server          shahed_va 10.20.40.200:993
   mode            tcp

# haproxy:         mail.shahed.biz:465
frontend           fnt_shahed_biz_mail_smtps_465
   bind            *:465
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_smtps_465

backend            bck_shahed_biz_mail_smtps_465
   server          shahed_va 10.20.40.200:465
   mode            tcp

# haproxy:         mail.shahed.biz:4190
frontend           fnt_shahed_biz_mail_sieve_4190
   bind            *:4190
   mode            tcp
   option          tcplog
   option          dontlognull
   default_backend bck_shahed_biz_mail_sieve_4190

backend            bck_shahed_biz_mail_sieve_4190
   server          shahed_va 10.20.40.200:4190
   mode            tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/

vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig

Hetzner » Kubernetes » Minikube » Install & Configure

curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo tee /etc/apt/keyrings/kubernetes.asc >/dev/null

cat << SRC | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.asc] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /
SRC

cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;echo
apt-get install -y apache2-utils kubectl;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE

if [ -x "$(command -v curl)" ];then \
sudo apt -qq update;\
export MINIKUBE_CPU_USE=6;\
export MINIKUBE_RAM_USE=13529;\
export MINIKUBE_INGRESS_HOST='k8s.aa.hetzner.shahed.biz';\
bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt');\
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi

Skipped » Find More » 👈

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Hetzner » Kubernetes » Minikube » Tunnel » Create Service
Beginners	Professional
sudo visudo # minikube » no-password » sudo access » all minikube ALL=(ALL) NOPASSWD: ALL	sudo visudo -f /etc/sudoers.d/minikube # minikube » no-password » sudo access » specific minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route , /usr/bin/minikube tunnel
cat << INI \| sudo tee /etc/systemd/system/minikube-tunnel.service >/dev/null [Unit] Description=Minikube Tunnel Documentation=https://minikube.sigs.k8s.io/docs/commands/tunnel/ After=network-online.target containerd.service docker.service minikube.service Requires=network-online.target containerd.service docker.service minikube.service Wants=network-online.target docker.service minikube.service AssertFileIsExecutable=/var/minikube/bin/minikube [Service] User=minikube Group=minikube ProtectProc=invisible StandardOutput=journal WorkingDirectory=/var/minikube EnvironmentFile=-/etc/default/minikube ExecStart=/var/minikube/bin/minikube tunnel --cleanup=true Restart=always SendSIGKILL=no TasksMax=infinity TimeoutStopSec=infinity [Install] WantedBy=multi-user.target INI
sudo systemctl enable --now minikube-tunnel.service sudo systemctl disable --now minikube-tunnel.service Skipped » Find More 👉 Minikube » Tunnel » Systemd Skipped » Find More 👉 Minikube » MetalLB » Forward » Route

Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard

Hetzner » K8s » Dashboard » Ingress » Apply

export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts

cat << YML | kubectl -n kubernetes-dashboard apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
spec:
  ingressClassName: nginx
  rules:
    - host: k8s.aa.hetzner.shahed.biz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 80
YML

Skipped » Find More 👉 K8s » CoreDNS

Skipped » Find More 👉 K8s » Dashboard

Hetzner » Kubernetes » Debug » MariaDB

export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts

kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife

kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet

echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
mariadb -u academia -D academia -P3306 -h 10.20.31.3
telnet 10.20.31.3 3306
echo ${MYSQL_PWD}

Hetzner » Kubernetes » Debug » PostgreSQL

export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
kubectl config get-contexts

kubectl create ns   swiss-knife
kubectl get ns|grep swiss-knife

kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet

echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 10.20.31.3 5432
echo ${PGPASSWORD}

psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_aa -d bouncer_aa -p5432 -h 192.168.49.103
psql -U bouncer_aa -d bouncer_aa -p5432 -h 10.20.31.3

Playground

Playground

ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1

certbot delete --cert-name k8s.aa.hetzner.shahed.biz
certbot delete --cert-name cid.chorke.org

cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done;\
printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"

cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI

sudo visudo
sudo cat /etc/sudoers

cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI

sudo visudo -f /etc/sudoers.d/minikube
sudo cat       /etc/sudoers.d/minikube

References

Cloud » Hetzner » AA Cloud » Hetzner » AB Cloud » Linode » AA Cloud » Shahed » AA Cloud » Shahed » AB Cloud » Shahed » AC Cloud » Shahed » AD Cloud » Shahed » AE Cloud » Shahed » AF Cloud » Shahed » AG	Cloud » Shahed » AH Cloud » Shahed » AI Cloud » Shahed » AJ Cloud » Shahed » AK Cloud » Shahed » AL Cloud » Shahed » AM Cloud » Shahed » AN Cloud » Shahed » VA

Minikube » Ingress » DNS Minikube » Systemd Minikube » MetalLB Minikube » Registry Minikube » Tunnel Minikube CIDR UFW YQ JQ	K8s » Academia » Ingress K8s » HAProxy » Ingress K8s » Apache » Ingress K8s » Nginx » Ingress K8s » Swiss Knife K8s » Storage K8s » Ingress K8s » Service K8s » Run K8s	Helm » Prometheus Stack Helm » Cert Manager Helm » Elasticsearch Helm » MetalLB Helm » Jenkins Helm » GitLab Helm » Nexus Helm » MinIO Helm » Kafka Helm » Redis	Security » Container » Snyk Security » Container » Trivy Security » Certificate » TLS Security » Java » Key Store Security » Java » Mail API Security » Password Security » ZA Proxy Security » Domain Security » Jasypt Security » HTTP

Benchmarks IPTables Kubectl PyEnv CURL TMux 7Zip LXC Zip Tar	Linux » Ubuntu Upgrade Linux » Service Creation Linux » User Creation Linux » Mount Drive Linux » Swap Space CLI » AWS » EKS CLI » AWS CLI » GCP CLI K9s	Cloudflare » Host Cloudflare Terraform ActiveMQ Keycloak Hadoop Jenkins Spark Bash Port	Private Enterprise Number Chorke Academia Backup Cost » Cloud » Computing Cost » Cloud » Chorke YouTube/Channel

10.20.40.0/21 🟢 10.20.48.0/21 ⚪️ 10.20.56.0/21 ⚪️ 10.20.46.0/23 ⚪️ 10.20.48.0/23 🟢 10.20.50.0/23 ⚪️

Cloud/Hetzner/AA: Difference between revisions

Latest revision as of 03:30, 19 October 2025

Contents

Hetzner » Argo

Hetzner » Analyze

Hetzner » Add User

Hetzner » SSH Config

Hetzner » APT Update

Hetzner » Swap Space

Hetzner » Attach Volume

Hetzner » Containerize » LXD

Hetzner » Containerize » Docker

Hetzner » Cloudflare » VIRT

Hetzner » Cloudflare » Argo » Tunnel

Hetzner » Cloudflare » WARP » Tunnel

Hetzner » Cloudflare » WARP » Exclude

Hetzner » Cloudflare » WARP » Forward

Cloudflare » WARP » Forward » Route

Hetzner » LB » HAProxy » Install & Configure

Hetzner » LB » HAProxy » Frontend » HTTP Config

Hetzner » LB » HAProxy » Frontend » HTTPS Config

Hetzner » LB » HAProxy » Frontend » OVPN Config

Hetzner » LB » HAProxy » Frontend » Git Repo Config

Hetzner » LB » HAProxy » Frontend » Kube API Config

LB » HAProxy » Frontend » Mail TCP Config

Hetzner » Kubernetes » Minikube » Install & Configure

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard

Hetzner » Kubernetes » Debug » MariaDB

Hetzner » Kubernetes » Debug » PostgreSQL

Playground

References

Navigation menu

@@ Line 1: / Line 1: @@
-==SSH==
+==Hetzner » Argo==
+{|class='wikitable mw-collapsible'
+!scope='col' style='width:900px' colspan='4'|
+Hetzner » Argo
+|-
+!scope="col" style='width:180px'| Name
+!scope="col" style='width:140px'| Network
+!scope="col" style='width:240px'| Subnets
+!scope="col" style='width:90px' | Forward
+|-
+| '''Hetzner » AA''' || <code>10.20.41.1/32</code>     || <code>10.20.41.1 … 1/32 = 01</code>  ||style='text-align:center'| ✅
+|-
+| Hetzner » AB       || <code>10.20.41.2/32</code>     || <code>10.20.41.2 … 2/32 = 01</code>  ||style='text-align:center'| ✅
+|-
+| Hetzner » AC       || <code>10.20.41.3/32</code>     || <code>10.20.41.3 … 3/32 = 01</code>  ||style='text-align:center'| ⚪️
+|-
+| Hetzner » AD       || <code>10.20.41.4/32</code>     || <code>10.20.41.4 … 4/32 = 01</code>  ||style='text-align:center'| ⚪️
+|-
+| Hetzner » AE       || <code>10.20.41.5/32</code>     || <code>10.20.41.5 … 5/32 = 01</code>  ||style='text-align:center'| ⚪️
+|}
+==Hetzner » Analyze==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » Analyze
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip bash
@@ Line 9: / Line 35: @@
 EXE
 </syntaxhighlight>
+|}
+==Hetzner » Add User==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' colspan='2' style='width:900px'|
+Hetzner » Add User
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
+</syntaxhighlight>
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+sudo adduser -m        chorke
+sudo passwd  -d        chorke
+sudo passwd  -l        chorke
+sudo chsh -s /bin/bash chorke
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang="bash">
+sudo adduser -m        shahed
+sudo passwd  -d        shahed
+sudo passwd  -l        shahed
+sudo chsh -s /bin/bash shahed
+</syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+sudo visudo
+:'
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+shahed  ALL=(ALL:ALL) ALL
+# Members of the admin group may gain root privileges
+%admin  ALL=(ALL) ALL
+shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) ALL
+shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
+# See sudoers(5) for more information on "@include" directives:
+@includedir /etc/sudoers.d
+'
+</syntaxhighlight>
+|}
-==Add User==
+==Hetzner » SSH Config ==
+{|class='wikitable mw-collapsible'
+!scope='col' style='width:900px'|
+Hetzner » Config » SSH
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
-# root
+ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-aa.public.ip bash
-passwd
-adduser chorke
+cat << EXE | sudo bash
-passwd  chorke
+sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
+sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
+sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
+sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
+systemctl restart ssh
+EXE
+</syntaxhighlight>
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat << EXE | sudo bash
+sshd -T | grep -i PasswordAuthentication
+sshd -T | grep -i PubkeyAuthentication
+sshd -T | grep -i PermitEmptyPasswords
+sshd -T | grep -i PermitRootLogin
+EXE
+</syntaxhighlight>
-adduser shahed
+|-
-passwd  shahed
+|valign='top'|
+<syntaxhighlight lang="bash">
+sudo chattr +i /home/chorke/.ssh/authorized_keys
+sudo chattr +i /home/shahed/.ssh/authorized_keys
+sudo chattr +i /home/system/*-argo/.ssh/authorized_keys
 </syntaxhighlight>
+|}
-==APT Update==
+==Hetzner » APT Update==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » APT Update
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 cat << EXE | sudo bash
@@ Line 28: / Line 136: @@
 mkdir -p /etc/apt/keyrings
 apt list -a --upgradable;apt-get upgrade -y;echo
-apt-get install -y apt-transport-https ca-certificates gnupg build-essential snap jq traceroute
+apt-get install -y apt-transport-https ca-certificates \
+  gnupg build-essential snapd jq traceroute moreutils;echo
 apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
 EXE
 </syntaxhighlight>
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat << EXE|sudo bash
+PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
+YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
+wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq
+chmod +x /usr/local/bin/yq
+EXE
+</syntaxhighlight>
+|}
-==Swap Space==
+==Hetzner » Swap Space==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » Swap Space
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 echo 'swapon --show'|sudo bash
@@ Line 46: / Line 171: @@
 <syntaxhighlight lang="bash">
 cat << FST | sudo tee -a /etc/fstab >/dev/null
 # loop based swap storage » 16GB + 4GB
 /swap.img              none            swap    sw              0       0
@@ Line 51: / Line 177: @@
 free -th
 cat /etc/fstab
+systemctl daemon-reload
 echo 'swapon --show'|sudo bash
 </syntaxhighlight>
+|}
-==Utility » Tool==
+==Hetzner » Attach Volume==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Linode » Attach Volume
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
-cat << EXE|sudo bash
+cat <<'EXE'| sudo bash
-PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
+mkdir -p /var/minikube/pvc
-YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
+mkfs.ext4 -F /dev/disk/by-id/scsi-0HC_Volume_102736305
-wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/bin/yq && chmod +x /usr/bin/yq
+cat <<'FST'| tee -a /etc/fstab >/dev/null
+# hetzner-aa » attach 80gb storage » hetzner-aa-vol-aa
+/dev/disk/by-id/scsi-0HC_Volume_102736305 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
+FST
+chown minikube:minikube -R /var/minikube/pvc/
+systemctl daemon-reload
+mount -a
 EXE
 </syntaxhighlight>
+|}
-==Containerize » LXD==
+==Hetzner » Containerize » LXD==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' colspan='2' style='width:900px'|
+Hetzner » Containerize » LXD
+|-
+|valign='top' style='width:440px'|
 <syntaxhighlight lang="bash">
 cat << EXE | sudo bash
@@ Line 75: / Line 221: @@
 echo 'id -nG'|sudo -i -u shahed bash
 </syntaxhighlight>
-----
+|valign='top' rowspan='2' style='width:440px'|
 <syntaxhighlight lang="yaml">
 cat <<YML | sudo lxd init --preseed
@@ Line 113: / Line 260: @@
 YML
 </syntaxhighlight>
-----
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 sudo ufw enable
@@ Line 135: / Line 284: @@
 EXE
 </syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+lxc launch images:alpine/3.21 academia
+lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'
-==Containerize » Docker==
+cat <<'EXE'| lxc exec academia -- sh
+ping -c5 chorke.org
+ping -c5 shahed.biz
+EXE
+</syntaxhighlight>
+|}
+==Hetzner » Containerize » Docker==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » Containerize » Docker
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
@@ Line 163: / Line 329: @@
      "mtu"  : 1500,
      "dns"  : [
+        "1.1.1.1",
          "8.8.8.8",
-         "8.8.4.4"
+         "192.168.49.2"
      ],
      "debug": true
@@ Line 190: / Line 357: @@
 echo 'id -nG'|sudo -i -u chorke bash
-docker run --rm alpine cat /etc/hosts
+cat <<'EXE'| docker run --rm -i alpine sh
-docker run --rm alpine cat /etc/resolv.conf
+echo
+cat /etc/hosts       ;echo
+cat /etc/resolv.conf ;echo
+ping -c5 chorke.org  ;echo
+ping -c5 shahed.biz  ;echo
+EXE
 </syntaxhighlight>
+|}
-==Cloudflare » VIRT==
+==Hetzner » Cloudflare » VIRT==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » Cloudflare » VIRTl
+|-
+|valign='top'|
 <syntaxhighlight lang="ini">
 cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
@@ Line 221: / Line 399: @@
 ip a
 </syntaxhighlight>
+|}
-==Cloudflare » Argo » Tunnel==
+==Hetzner » Cloudflare » Argo » Tunnel==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » Cloudflare » Argo » Tunnel
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
@@ Line 256: / Line 440: @@
 ----
 [[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👈]]
+|}
-==Cloudflare » WARP » Tunnel==
+==Hetzner » Cloudflare » WARP » Tunnel==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » Cloudflare » WARP » Tunnel
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 lxc launch ubuntu:24.04 cloudflare
@@ Line 361: / Line 551: @@
 ----
 <syntaxhighlight lang="bash">
-lxc snapshot cloudflare init:2025.02.16
+lxc snapshot cloudflare shahed:2025.03.09
-lxc publish  cloudflare/init:2025.02.16 --alias cloudflare/init:2025.02.16
+lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
-lxc restore  cloudflare init:2025.02.16
+lxc restore  cloudflare shahed:2025.03.09
 </syntaxhighlight>
 ----
 [[Cloudflare/WARP Connector#WARP Client|Skipped » Find More » 👈]]
+|}
-==Cloudflare » WARP » Exclude==
+==Hetzner » Cloudflare » WARP » Exclude==
-{|class="wikitable"
+{|class='wikitable mw-collapsible'
+!scope='col' colspan="3" style='width:900px'|
+Hetzner » Cloudflare » WARP » Exclude
 |-
 | colspan="3"| <code>Settings » 0Trust » WARP Client » Device settings » Profile settings » Default » Configure » </code>
@@ Line 386: / Line 579: @@
 |-
 | Network » LXD       || <code>10.20.0.0/24</code>      ||style='text-align:center'| ✅
+|-
+!scope="col"| Name    !!scope="col"| Network            !!scope="col"              | Exclude
+|-
+| Network » WiFi      || <code>192.168.10.0/24</code>   ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>192.168.1.0/24</code>    ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>192.168.0.0/24</code>    ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>172.17.0.0/24</code>     ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>172.16.0.0/24</code>     ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>10.10.10.0/24</code>     ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>10.0.1.0/24</code>       ||style='text-align:center'| ✅
+|-
+| Network » WiFi      || <code>10.0.0.0/24</code>       ||style='text-align:center'| ✅
 |}
-==Cloudflare » WARP » Forward==
+==Hetzner » Cloudflare » WARP » Forward==
-{|class="wikitable"
+{|class='wikitable mw-collapsible'
+!scope='col' colspan="4" style='width:900px'|
+Hetzner » Cloudflare » WARP » Forward
 |-
 !scope="col" colspan="4" | Implement Forward Routing
@@ Line 398: / Line 611: @@
 !scope="col" style='width:90px' | Forward
 |-
-| Network » Cloudflare   || <code>10.20.40.0/21</code>     || <code>10.20.40 … 47.0/24 = 8</code>  ||style='text-align:center'| ✅
+| Network » Cloud        || <code>10.20.40.0/21</code>     || <code>10.20.40 … 47.0/24 = 8</code>  ||style='text-align:center'| ✅
+|-
+| Network » Cloud        || <code>10.20.48.0/21</code>     || <code>10.20.48 … 55.0/24 = 8</code>  ||style='text-align:center'| ⚪️
+|-
+| Network » Cloud        || <code>10.20.56.0/21</code>     || <code>10.20.56 … 63.0/24 = 8</code>  ||style='text-align:center'| ⚪️
 |-
-| Network » Cloudflare   || <code>10.20.48.0/21</code>     || <code>10.20.48 … 55.0/24 = 8</code>  ||style='text-align:center'| ⚪️
+| Network » Cloud        || <code>10.20.46.0/23</code>     || <code>10.20.46 … 47.0/24 = 2</code>  ||style='text-align:center'| ⚪️
 |-
-| Network » Cloudflare   || <code>10.20.56.0/21</code>     || <code>10.20.56 … 63.0/24 = 8</code>  ||style='text-align:center'| ⚪️
+| Network » Cloud        || <code>10.20.48.0/23</code>     || <code>10.20.48 … 49.0/24 = 2</code>  ||style='text-align:center'| ✅
 |-
-| Network » Cloudflare   || <code>10.20.46.0/23</code>     || <code>10.20.46 … 47.0/24 = 2</code>  ||style='text-align:center'| ⚪️
+| Network » Cloud        || <code>10.20.50.0/23</code>     || <code>10.20.50 … 51.0/24 = 2</code>  ||style='text-align:center'| ⚪️
 |-
-| Network » Cloudflare   || <code>10.20.48.0/23</code>     || <code>10.20.48 … 49.0/24 = 2</code>  ||style='text-align:center'| ✅
+!scope="col" style='width:180px'| Name
+!scope="col" style='width:140px'| Network
+!scope="col" style='width:220px'| Subnets
+!scope="col" style='width:90px' | Forward
 |-
-| Network » Cloudflare   || <code>10.20.50.0/23</code>     || <code>10.20.50 … 51.0/24 = 2</code>  ||style='text-align:center'| ⚪️
+| Network » Office       || <code>10.20.10.0/24</code>     || <code>10.20.10 … 10.0/24 = 1</code>  ||style='text-align:center'| ✅
 |}
-==Cloudflare » WARP » Route » Host==
+==Cloudflare » WARP » Forward » Route==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+'''Cloudflare » WARP » IP » Route » Service'''
+|-
+|valign='top'|
   vim /etc/sysctl.conf
 <syntaxhighlight lang="ini" line start="27" highlight="2">
@@ Line 448: / Line 673: @@
 ExecStartPre=/bin/sleep 15
 ExecStartPre=/bin/bash -c "if [ -z \"${LXC_WARP_CLI_HOST}\" ]; then echo \"Variable LXC_WARP_CLI_HOST not set in /etc/default/warp-route\"; errors_exit; fi"
-ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via $LXC_WARP_CLI_HOST
+ExecStart=/usr/sbin/ip route add 10.20.10.0/24 via ${LXC_WARP_CLI_HOST}
-ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via $LXC_WARP_CLI_HOST
+ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via ${LXC_WARP_CLI_HOST}
+ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via ${LXC_WARP_CLI_HOST}
+ExecStop=/usr/sbin/ip  route del 10.20.10.0/24
 ExecStop=/usr/sbin/ip  route del 10.20.40.0/21
 ExecStop=/usr/sbin/ip  route del 10.20.48.0/23
@@ Line 487: / Line 714: @@
 EXE
 </syntaxhighlight>
+|}
-==LB » HAProxy » Install » Configure==
+==Hetzner » LB » HAProxy » Install & Configure==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:900px'|
+Hetzner » LB » HAProxy » Install & Configure
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
 cat << EXE | sudo bash
 apt-get update;echo
 apt list -a --upgradable;apt-get upgrade -y;echo
-apt-get install -y haproxy;echo;haproxy -v;echo
+apt-get install -y haproxy certbot;echo;haproxy -v;echo
 cat /etc/haproxy/haproxy.cfg;echo
 apt-get clean cache
@@ Line 512: / Line 745: @@
 sudo iptables -S
 </syntaxhighlight>
+----
+[[HAProxy/Frontend#HAProxy » Reconfig|Skipped » Find More » 👈]]
 ----
 <syntaxhighlight lang="bash">
-cat <<'CFG'| sudo tee /etc/haproxy/haproxy.cfg >/dev/null
+cat <<'EXE'| sudo bash
-global
+        /etc/haproxy/proxy-scripts/reconfig
-   log             /dev/log   local0
+ls -alh /etc/haproxy/{haproxy.cfg,proxy-{backups,configs,default,enabled,scripts}}
-   log             /dev/log   local1 notice
+EXE
-   chroot          /var/lib/haproxy
-   stats           socket     /run/haproxy/admin.sock mode 660 level admin
-   stats           timeout    30s
-   user            haproxy
-   group           haproxy
-   daemon
-   # default ssl material locations
+     nmap --reason mail.shahed.biz -sT -Pn -p25,587,110,995,143,993,465,4190
-   ca-base         /etc/ssl/certs
+     nmap --reason  vpn.shahed.biz -sT -Pn --top 20
-   crt-base        /etc/ssl/private
+     nmap --reason  git.shahed.biz -sT -Pn -p4321
+     nmap --reason  vpn.shahed.biz -sT -Pn -p1194
+sudo nmap --reason  vpn.shahed.biz -sU -Pn -p1194
+</syntaxhighlight>
+|}
-   # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+==Hetzner » LB » HAProxy » Frontend » HTTP Config==
-   ssl-default-bind-ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+{|class='wikitable mw-collapsible mw-collapsed'
-   ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+!scope='col' style='width:900px'|
-   ssl-default-bind-options      ssl-min-ver TLSv1.2 no-tls-tickets
+HAProxy » Frontend » HTTP
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null
-defaults
+# ##############################################################################
-   log             global
+# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
-   option          httplog
+# this config added by chorke academia, inc
-   option          dontlognull
-    timeout         connect 5000
+frontend           fnt_shahed_biz
-    timeout         client  50000
+    bind            *:80
-   timeout         server  50000
+    mode            http
-    errorfile       400 /etc/haproxy/errors/400.http
-    errorfile       403 /etc/haproxy/errors/403.http
+    acl             path-is-acme-challenge                path_beg /.well-known/acme-challenge/
-    errorfile       408 /etc/haproxy/errors/408.http
-    errorfile       500 /etc/haproxy/errors/500.http
+    http-request    redirect scheme https code 301        unless path-is-acme-challenge
-    errorfile       502 /etc/haproxy/errors/502.http
+    use_backend     bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
-   errorfile       503 /etc/haproxy/errors/503.http
+    default_backend bck_letsencrypt_org_acme_challenge
-    errorfile       504 /etc/haproxy/errors/504.http
+backend            bck_letsencrypt_org_acme_challenge
+    server          letsencrypt 127.0.0.1:19830
+    mode            http
 CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+|}
-haproxy -c -V -f /etc/haproxy/haproxy.cfg
+==Hetzner » LB » HAProxy » Frontend » HTTPS Config==
+<syntaxhighlight lang="bash" highlight="3-4">
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
+(cd /etc/letsencrypt/live/k8s.aa.hetzner.shahed.biz/;ln -s privkey.pem fullchain.pem.key)
+certbot renew --http-01-port=19830 --force-renewal
+certbot renew --http-01-port=19830
 </syntaxhighlight>
 ----
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+HAProxy » Frontend » HTTPS
+|-
+|valign='top'|
 <syntaxhighlight lang="bash">
-cat <<'CFG'| sudo tee -a /etc/haproxy/haproxy.cfg >/dev/null
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d  cid.chorke.org
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d  dev.chorke.org
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d  hub.chorke.org
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d  reg.chorke.org
+certbot certonly --standalone --non-interactive --http-01-port=19830 -d wiki.chorke.org
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
+systemctl reload haproxy.service
+SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
+cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
-# haproxy:         *.chorke.org, *.chorke.com, *.shahed.biz
+# ##############################################################################
-frontend           fnt_chorke
+# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
-    bind            *:80
+# this config added by chorke academia, inc
+frontend           fnt_shahed_biz_ssl
+    bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
     mode            http
-    acl             host-is-cid-chorke-org           hdr(host) -i cid.chorke.org
+   acl             host-is-k8s-aa-hetzner-shahed-biz     hdr(host) -i k8s.aa.hetzner.shahed.biz
-    acl             host-is-dev-chorke-org           hdr(host) -i dev.chorke.org
+    acl             host-is-cid-shahed-biz                hdr(host) -i            cid.chorke.org
+   acl             host-is-dev-shahed-biz                hdr(host) -i            dev.chorke.org
+   acl             host-is-hub-shahed-biz                hdr(host) -i            hub.chorke.org
+   acl             host-is-reg-shahed-biz                hdr(host) -i            reg.chorke.org
+    acl             host-is-wiki-chorke-org               hdr(host) -i           wiki.chorke.org
-    acl             path-is-artifactory              path_beg /artifactory
+    acl             path-is-artifactory                   path_beg /artifactory/
-    acl             path-is-jenkins                  path_beg /jenkins
+    acl             path-is-jenkins                       path_beg /jenkins/
-    acl             path-is-gitlab                   path_beg /gitlab
+    acl             path-is-gitlab                        path_beg /gitlab/
-    acl             path-is-nexus                    path_beg /nexus
+    acl             path-is-nexus                         path_beg /nexus/
+   http-request    set-header X-Forwarded-For            %[src]
+   http-request    set-header X-Forwarded-Proto          https
+   use_backend     bck_shahed_biz_cid_artifactory        if            host-is-cid-shahed-biz path-is-artifactory
+   use_backend     bck_shahed_biz_cid_jenkins            if            host-is-cid-shahed-biz path-is-jenkins
+   use_backend     bck_shahed_biz_cid_gitlab             if            host-is-cid-shahed-biz path-is-gitlab
+   use_backend     bck_shahed_biz_cid_nexus              if            host-is-cid-shahed-biz path-is-nexus
+   use_backend     bck_shahed_biz_hub_nexus              if            host-is-hub-shahed-biz
+   use_backend     bck_shahed_biz_reg_nexus              if            host-is-reg-shahed-biz
+   use_backend     bck_shahed_biz_hetzner_aa_k8s         if host-is-k8s-aa-hetzner-shahed-biz
+   use_backend     bck_shahed_biz_hetzner_aa_k8s         if           host-is-wiki-chorke-org
+   default_backend bck_shahed_biz_cid
+backend            bck_shahed_biz_cid_artifactory
+   server          shahed_ah_artifactory 10.20.40.8:8084
+   mode            http
-   use_backend     bck_cid_chorke_org_artifactory   if host-is-cid-chorke-org path-is-artifactory
+backend            bck_shahed_biz_cid_jenkins
-   use_backend     bck_cid_chorke_org_jenkins       if host-is-cid-chorke-org path-is-jenkins
+    server          shahed_ah_jenkins 10.20.40.8:8080
-   use_backend     bck_cid_chorke_org_gitlab        if host-is-cid-chorke-org path-is-gitlab
+    mode            http
-    use_backend     bck_cid_chorke_org_nexus         if host-is-cid-chorke-org path-is-nexus
-    default_backend bck_cid_chorke_org
-backend            bck_cid_chorke_org_artifactory
+backend            bck_shahed_biz_cid_gitlab
-    server          shahed_ah_artifactory 10.20.40.8:8084 check
+    server          shahed_af_gitlab 10.20.40.6:80
     mode            http
-backend            bck_cid_chorke_org_jenkins
+backend            bck_shahed_biz_cid_nexus
-    server          shahed_ah_jenkins 10.20.40.8:8080 check
+    server          shahed_ah_nexus 10.20.40.8:8081
     mode            http
-backend            bck_cid_chorke_org_gitlab
+backend            bck_shahed_biz_hub_nexus
-    server          shahed_af_gitlab 10.20.40.6:80 check
+    server          shahed_ah_nexus 10.20.40.8:8082
     mode            http
-backend            bck_cid_chorke_org_nexus
+backend            bck_shahed_biz_reg_nexus
-    server          shahed_ah_nexus 10.20.40.8:8081 check
+    server          shahed_ah_nexus 10.20.40.8:8083
     mode            http
-backend            bck_cid_chorke_org
+backend            bck_shahed_biz_hetzner_aa_k8s
-    server          shahed_am_apache2 10.20.40.13:80 check
+    server          hetzner_aa_k8s 192.168.49.2:80
     mode            http
+backend            bck_shahed_biz_cid
+   server          shahed_am_apache2 10.20.40.13:80
+   mode            http
 CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+certbot renew --http-01-port=19830 --force-renewal
+cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
+systemctl reload haproxy.service
+</syntaxhighlight>
+|}
+==Hetzner » LB » HAProxy » Frontend » OVPN Config==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » LB » HAProxy » Frontend » OVPN Config
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null
-haproxy -c -V -f /etc/haproxy/haproxy.cfg
+# ##############################################################################
+# tcp frontend config for vpn.shahed.biz:1194
+# this config added by chorke academia, inc
+# udp mode not supported, please go with iptables forward
+# cat <<'EXE'| sudo bash
+# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
+# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+# apt-get -y install iptables-persistent && apt-get clean cache
+# EXE
+# cat <<'EXE'| sudo bash
+# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
+# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
+# EXE
+CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg /etc/haproxy/proxy-enabled/
 </syntaxhighlight>
 ----
 <syntaxhighlight lang="bash">
-cat <<'CFG'| sudo tee -a /etc/haproxy/haproxy.cfg >/dev/null
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+|}
+==Hetzner » LB » HAProxy » Frontend » Git Repo Config==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » LB » HAProxy » Frontend » Git Repo Config
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null
+# ##############################################################################
+# tcp frontend config for git.shahed.biz:4321
+# this config added by chorke academia, inc
-# haproxy:         vpn.shahed.biz:1194
+frontend           fnt_shahed_biz_git_gitlab_ssh
-# haproxy:         udp mode not supported, please go with iptables forward
+   bind            *:4321
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_git_gitlab_ssh
+backend            bck_shahed_biz_git_gitlab_ssh
+   server          shahed_af_gitlab 10.20.40.6:4321
+   mode            tcp
 CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg /etc/haproxy/proxy-enabled/
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@git.chorke.org bash
+ssh -oPreferredAuthentications=password -oPubkeyAuthentication=no -p4321 -qt pi@aa.hetzner.shahed.biz bash
+</syntaxhighlight>
+|}
-haproxy -c -V -f /etc/haproxy/haproxy.cfg
+==Hetzner » LB » HAProxy » Frontend » Kube API Config==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » LB » HAProxy » Frontend » Kube API Config
+|-
+|valign='top'|
+<syntaxhighlight lang="bash" highlight="3-4">
+cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null
-cat <<'EXE'| sudo bash
+# ##############################################################################
-echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
+# tcp frontend config for 10.20.41.1:8443
-echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+# this config added by chorke academia, inc
-apt-get -y install iptables-persistent && apt-get clean cache
-EXE
+frontend           fnt_shahed_biz_hetzner_aa
+   bind            *:8443
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_hetzner_aa
-cat <<'EXE'| sudo bash
+backend            bck_shahed_biz_hetzner_aa
-iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
+   server          hetzner_aa 192.168.49.2:8443
-iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
+   mode            tcp
-EXE
+CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+systemctl disable --now minikube.service
+vim /etc/systemd/system/minikube.service
+# append --apiserver-ips=10.20.41.1 with ExecStart
+systemctl enable --now minikube.service
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+ssh -qt root@10.20.41.1 bash
+sudo -i -u minikube
 </syntaxhighlight>
 ----
 <syntaxhighlight lang="bash">
-cat <<'CFG'| sudo tee -a /etc/haproxy/haproxy.cfg >/dev/null
+# run this script on the minikube host. copy the generated output and
+# execute it on your local machine's terminal to enable monitoring of
+# the minikube cluster.
+cat << LOG
+$(cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
+apiVersion: v1
+kind: Config
+clusters:
+- name: minikube
+  cluster:
+    server: https://10.20.41.1:8443
+    certificate-authority: ../.minikube/ca.crt
+contexts:
+- name: hetzner-aa
+  context:
+    cluster: minikube
+    namespace: default
+    user: minikube
+users:
+- name: minikube
+  user:
+    client-certificate: ../.minikube/profiles/minikube/client.crt
+    client-key: ../.minikube/profiles/minikube/client.key
+current-context: hetzner-aa
+YML
+)
+cat <<'YML'| tee ~/.kube/hetzner-aa-kubeconfig.yaml >/dev/null
+$(export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml;\
+kubectl config view --flatten;\
+rm ${KUBECONFIG};\
+)
+YML
+chmod 600 ~/.kube/hetzner-aa-kubeconfig.yaml
+  ls -alh ~/.kube/
+export KUBECONFIG=~/.kube/hetzner-aa-kubeconfig.yaml
+kubectl config get-contexts
+kubectl get    namespace
+$(echo -n)
+LOG
+</syntaxhighlight>
+|}
+==LB » HAProxy » Frontend » Mail TCP Config==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+'''LB » HAProxy » Frontend » Mail TCP Config'''
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null
+# ##############################################################################
+# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
+# this config added by chorke academia, inc
+# haproxy:         mail.shahed.biz:25
+frontend           fnt_shahed_biz_mail_smtp_25
+   bind            *:25
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_smtp_25
+backend            bck_shahed_biz_mail_smtp_25
+   server          shahed_va 10.20.40.200:25
+   mode            tcp
+# haproxy:         mail.shahed.biz:587
+frontend           fnt_shahed_biz_mail_smtp_587
+   bind            *:587
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_smtp_587
+backend            bck_shahed_biz_mail_smtp_587
+   server          shahed_va 10.20.40.200:587
+   mode            tcp
+# haproxy:         mail.shahed.biz:110
+frontend           fnt_shahed_biz_mail_pop3_110
+   bind            *:110
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_pop3_110
+backend            bck_shahed_biz_mail_pop3_110
+   server          shahed_va 10.20.40.200:110
+   mode            tcp
+# haproxy:         mail.shahed.biz:995
+frontend           fnt_shahed_biz_mail_pop3_995
+   bind            *:995
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_pop3_995
+backend            bck_shahed_biz_mail_pop3_995
+   server          shahed_va 10.20.40.200:995
+   mode            tcp
+# haproxy:         mail.shahed.biz:143
+frontend           fnt_shahed_biz_mail_imap_143
+   bind            *:143
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_imap_143
+backend            bck_shahed_biz_mail_imap_143
+   server          shahed_va 10.20.40.200:143
+   mode            tcp
+# haproxy:         mail.shahed.biz:993
+frontend           fnt_shahed_biz_mail_imap_993
+   bind            *:993
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_imap_993
+backend            bck_shahed_biz_mail_imap_993
+   server          shahed_va 10.20.40.200:993
+   mode            tcp
+# haproxy:         mail.shahed.biz:465
+frontend           fnt_shahed_biz_mail_smtps_465
+   bind            *:465
+   mode            tcp
+   option          tcplog
+   option          dontlognull
+   default_backend bck_shahed_biz_mail_smtps_465
+backend            bck_shahed_biz_mail_smtps_465
+   server          shahed_va 10.20.40.200:465
+   mode            tcp
-# haproxy:         cid.chorke.org:4321
+# haproxy:         mail.shahed.biz:4190
-frontend           fnt_cid_chorke_org_gitlab_ssh
+frontend           fnt_shahed_biz_mail_sieve_4190
-    bind            *:4321
+    bind            *:4190
     mode            tcp
     option          tcplog
     option          dontlognull
-    default_backend bck_cid_chorke_org_gitlab_ssh
+    default_backend bck_shahed_biz_mail_sieve_4190
-backend            bck_cid_chorke_org_gitlab_ssh
+backend            bck_shahed_biz_mail_sieve_4190
-    server          shahed_af_gitlab 10.20.40.6:4321 check
+    server          shahed_va 10.20.40.200:4190
     mode            tcp
 CFG
+sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+vim /etc/haproxy/proxy-scripts/reconfig
+    /etc/haproxy/proxy-scripts/reconfig
+</syntaxhighlight>
+|}
-haproxy -c -V -f /etc/haproxy/haproxy.cfg
+==Hetzner » Kubernetes » Minikube » Install & Configure==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » Kubernetes » Minikube » Install & Configure
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo tee /etc/apt/keyrings/kubernetes.asc >/dev/null
+cat << SRC | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
+deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.asc] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /
+SRC
 </syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+cat << EXE | sudo bash
+apt-get update;echo
+apt list -a --upgradable;echo
+apt-get install -y apache2-utils kubectl;echo
+apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
+EXE
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+if [ -x "$(command -v curl)" ];then \
+sudo apt -qq update;\
+export MINIKUBE_CPU_USE=6;\
+export MINIKUBE_RAM_USE=13529;\
+export MINIKUBE_INGRESS_HOST='k8s.aa.hetzner.shahed.biz';\
+bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt');\
+else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
+</syntaxhighlight>
+----
+[[Minikube Systemd|Skipped » Find More » 👈]]
+|}
+==Hetzner » Kubernetes » Minikube » Tunnel » Create Service==
+{|class='wikitable mw-collapsible'
+!scope='col' colspan='2' style='width:1100px'|
+Hetzner » Kubernetes » Minikube » Tunnel » Create Service
+|-
+!scope='col'| Beginners
+!scope='col'| Professional
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+sudo visudo
+# minikube » no-password » sudo access » all
+minikube ALL=(ALL) NOPASSWD: ALL
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang="bash">
+sudo visudo -f /etc/sudoers.d/minikube
+# minikube » no-password » sudo access » specific
+minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
+</syntaxhighlight>
+|-
+|valign='top' colspan='2' |
+<syntaxhighlight lang="bash">
+cat << INI | sudo tee /etc/systemd/system/minikube-tunnel.service >/dev/null
+[Unit]
+Description=Minikube Tunnel
+Documentation=https://minikube.sigs.k8s.io/docs/commands/tunnel/
+After=network-online.target containerd.service docker.service minikube.service
+Requires=network-online.target containerd.service docker.service minikube.service
+Wants=network-online.target docker.service minikube.service
+AssertFileIsExecutable=/var/minikube/bin/minikube
+[Service]
+User=minikube
+Group=minikube
+ProtectProc=invisible
+StandardOutput=journal
+WorkingDirectory=/var/minikube
+EnvironmentFile=-/etc/default/minikube
+ExecStart=/var/minikube/bin/minikube tunnel --cleanup=true
+Restart=always
+SendSIGKILL=no
+TasksMax=infinity
+TimeoutStopSec=infinity
+[Install]
+WantedBy=multi-user.target
+INI
+</syntaxhighlight>
+|-
+|valign='top' colspan='2' |
+<syntaxhighlight lang="bash">
+sudo systemctl enable  --now minikube-tunnel.service
+sudo systemctl disable --now minikube-tunnel.service
+</syntaxhighlight>
+----
+[[Minikube Tunnel#Systemd|Skipped » Find More 👉 Minikube » Tunnel » Systemd]]
+----
+[[Minikube MetalLB#MetalLB » Forward » Route|Skipped » Find More 👉 Minikube » MetalLB » Forward » Route]]
+|}
+==Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' style='width:1100px'|
+Hetzner » K8s » Dashboard » Ingress » Apply
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
+kubectl config get-contexts
+</syntaxhighlight>
+----
+<syntaxhighlight lang="yaml" highlight="14-16,20" line>
+cat << YML | kubectl -n kubernetes-dashboard apply -f -
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/managed-by: kubectl
+    app.kubernetes.io/name: kubernetes-dashboard
+    app.kubernetes.io/instance: kubernetes-dashboard
+  annotations:
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
+    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: k8s.aa.hetzner.shahed.biz
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kubernetes-dashboard
+                port:
+                  number: 80
+YML
+</syntaxhighlight>
+----
+[[K8s/Ingress#CoreDNS|Skipped » Find More 👉 K8s » CoreDNS]]
+----
+[[K8s/Ingress#Ingress » Dashboard|Skipped » Find More 👉 K8s » Dashboard]]
+|}
+==Hetzner » Kubernetes » Debug » MariaDB==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' colspan='2' style='width:1100px'|
+Hetzner » Kubernetes » Debug » MariaDB
+|-
+|valign='top' style='width:540px'|
+<syntaxhighlight lang="bash">
+export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
+kubectl config get-contexts
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang="bash">
+kubectl create ns   swiss-knife
+kubectl get ns|grep swiss-knife
+</syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
+apk --update add mariadb-client inetutils-telnet
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
+mariadb -u academia -D academia -P3306 -h 10.20.31.3
+telnet 10.20.31.3 3306
+echo ${MYSQL_PWD}
+</syntaxhighlight>
+|}
+==Hetzner » Kubernetes » Debug » PostgreSQL==
+{|class='wikitable mw-collapsible'
+!scope='col' colspan='2' style='width:1100px'|
+Hetzner » Kubernetes » Debug » PostgreSQL
+|-
+|valign='top' style='width:540px'|
+<syntaxhighlight lang="bash">
+export KUBECONFIG=${HOME}/.kube/hetzner-aa-kubeconfig.yaml
+kubectl config get-contexts
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang="bash">
+kubectl create ns   swiss-knife
+kubectl get ns|grep swiss-knife
+</syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
+apk --update add postgresql-client inetutils-telnet
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
+telnet pgbouncer.pgbouncer.svc.cluster.local 5432
+telnet pgbouncer.pgbouncer 5432
+telnet 192.168.49.103 5432
+telnet 10.20.31.3 5432
+echo ${PGPASSWORD}
+psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
+psql -U bouncer_aa -d bouncer_aa -p5432 -h pgbouncer.pgbouncer
+psql -U bouncer_aa -d bouncer_aa -p5432 -h 192.168.49.103
+psql -U bouncer_aa -d bouncer_aa -p5432 -h 10.20.31.3
+</syntaxhighlight>
+|}
+==Playground==
+{|class='wikitable mw-collapsible mw-collapsed'
+!scope='col' colspan='2' style='width:1100px'|
+'''Playground'''
+|-
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
+ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
+</syntaxhighlight>
+----
+<syntaxhighlight lang="bash">
+certbot delete --cert-name k8s.aa.hetzner.shahed.biz
+certbot delete --cert-name cid.chorke.org
+</syntaxhighlight>
+|-
+|valign='top' colspan='2'|
+<syntaxhighlight lang="bash">
+cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
+cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done;\
+printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"
+</syntaxhighlight>
+|-
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat << INI | visudo -cf /dev/stdin
+# minikube » no-password » sudo access » all
+minikube ALL=(ALL) NOPASSWD: ALL
+INI
+sudo visudo
+sudo cat /etc/sudoers
+</syntaxhighlight>
+|valign='top'|
+<syntaxhighlight lang="bash">
+cat << INI | visudo -cf /dev/stdin
+# minikube » no-password » sudo access » specific
+minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
+INI
+sudo visudo -f /etc/sudoers.d/minikube
+sudo cat       /etc/sudoers.d/minikube
+</syntaxhighlight>
+|}
 ==References==
 {|
 |valign="top"|
-* [[OpenLDAP/BackSQL|OpenLDAP » BackSQL]]
+* [[Cloud/Hetzner/AA|Cloud » Hetzner » AA]]
-* [[Google Cloud CLI]]
+* [[Cloud/Hetzner/AB|Cloud » Hetzner » AB]]
-* [[EKSctl|AWS » EKS » CLI]]
+* [[Cloud/Linode/AA|Cloud » Linode » AA]]
-* [[Swap Space]]
+* [[Cloud/Shahed/AA|Cloud » Shahed » AA]]
-* [[Online App]]
+* [[Cloud/Shahed/AB|Cloud » Shahed » AB]]
-* [[OpenLDAP]]
+* [[Cloud/Shahed/AC|Cloud » Shahed » AC]]
-* [[Terraform]]
+* [[Cloud/Shahed/AD|Cloud » Shahed » AD]]
-* [[AWS CLI]]
+* [[Cloud/Shahed/AE|Cloud » Shahed » AE]]
-* [[CLI App]]
+* [[Cloud/Shahed/AF|Cloud » Shahed » AF]]
-* [[Kubectl]]
+* [[Cloud/Shahed/AG|Cloud » Shahed » AG]]
+|valign="top"|
+* [[Cloud/Shahed/AH|Cloud » Shahed » AH]]
+* [[Cloud/Shahed/AI|Cloud » Shahed » AI]]
+* [[Cloud/Shahed/AJ|Cloud » Shahed » AJ]]
+* [[Cloud/Shahed/AK|Cloud » Shahed » AK]]
+* [[Cloud/Shahed/AL|Cloud » Shahed » AL]]
+* [[Cloud/Shahed/AM|Cloud » Shahed » AM]]
+* [[Cloud/Shahed/AN|Cloud » Shahed » AN]]
+* [[Cloud/Shahed/VA|Cloud » Shahed » VA]]
 |valign="top"|
-* [https://docs.haproxy.org/2.8/configuration.html HAProxy » Configuration » 2.8]
-* [https://docs.haproxy.org/2.8/management.html HAProxy » Management » 2.8]
-* [[HAProxy]]
-* [[Jasypt]]
-* [[CURL]]
-* [[K8s]]
-* [[K9s]]
 |valign="top"|
 |-
-| colspan="3" |
+|colspan="4"|
 ----
 |-
-| valign="top" |
+|valign="top"|
-* [https://dash.cloudflare.com/profile/api-tokens Cloudflare » Profile » API Tokens]
+* [[Minikube Ingress DNS| Minikube » Ingress » DNS]]
-* [[Cloudflare/WARP Connector|Cloudflare » WARP Connector]]
+* [[Minikube Systemd|Minikube » Systemd]]
-* [https://chorke.cloudflareaccess.com Cloudflare » Access » Chorke]
+* [[Minikube MetalLB|Minikube » MetalLB]]
-* [[Cloudflare/Argo Tunnel|Cloudflare » Argo Tunnel]]
+* [[Minikube Registry|Minikube » Registry]]
-* [[Cloudflare/WARP Host|Cloudflare » WARP Host]]
+* [[Minikube Tunnel|Minikube » Tunnel]]
-* [[Cloud/Shahed/AA|Cloud » Shahed » AA]]
+* [[Minikube]]
-* [[Cloud/Shahed/AF|Cloud » Shahed » AF]]
+* [[CIDR]]
-* [[Cloud/Shahed/AL|Cloud » Shahed » AL]]
+* [[UFW]]
-* [[Cloudflare]]
+* [[YQ Tool|YQ]]
+* [[JQ Tool|JQ]]
+|valign="top"|
+* [[K8s/Academia/Ingress|K8s » Academia » Ingress]]
+* [[K8s/HAProxy/Ingress|K8s » HAProxy » Ingress]]
+* [[K8s/Apache/Ingress|K8s » Apache » Ingress]]
+* [[K8s/Nginx/Ingress|K8s » Nginx » Ingress]]
+* [[K8s/Swiss Knife|K8s » Swiss Knife]]
+* [[K8s/Storage|K8s » Storage]]
+* [[K8s/Ingress|K8s » Ingress]]
+* [[K8s/Service|K8s » Service]]
+* [[K8s/Run|K8s » Run]]
+* [[K8s]]
-| valign="top" |
+|valign="top"|
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.40.0/21 🟢]
+* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/21 ⚪️]
+* [[Helm/Cert Manager|Helm » Cert Manager]]
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.56.0/21 ⚪️]
+* [[Helm/Elasticsearch|Helm » Elasticsearch]]
+* [[Minikube MetalLB|Helm » MetalLB]]
+* [[Helm/Jenkins|Helm » Jenkins]]
+* [[Helm/GitLab|Helm » GitLab]]
+* [[Helm/Nexus|Helm » Nexus]]
+* [[Helm/MinIO|Helm » MinIO]]
+* [[Helm/Kafka|Helm » Kafka]]
+* [[Helm/Redis|Helm » Redis]]
-| valign="top" |
+|valign="top"|
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.46.0/23 ⚪️]
+* [[Security/Container/Snyk|Security » Container » Snyk]]
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/23 🟢]
+* [[Security/Container/Trivy|Security » Container » Trivy]]
-* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.50.0/23 ⚪️]
+* [[Security/Certificate/TLS|Security » Certificate » TLS]]
+* [[Java Key Store|Security » Java » Key Store]]
+* [[Java Mail API|Security » Java » Mail API]]
+* [[Security/Password|Security » Password]]
+* [[ZA Proxy|Security » ZA Proxy]]
+* [[Security/Domain|Security » Domain]]
+* [[Jasypt|Security » Jasypt]]
+* [[HTTP Security|Security » HTTP]]
 |-
-| colspan="3" |
+|colspan="4"|
 ----
 |-
-| valign="top" |
+|valign="top"|
-* [[Ubuntu/Raspberry Pi]]
+* [[Benchmarks]]
-* [[Ubuntu Upgrade]]
+* [[IPTables]]
-* [[ActiveMQ]]
+* [[Kubectl]]
-* [[Minikube]]
-* [[Keycloak]]
-* [[Hadoop]]
-* [[Jenkins]]
-* [[WildFly]]
-* [[Spark]]
-* [[MinIO]]
-| valign="top" |
-* [[Alpine/Morefine]]
-* [[Ruby on Rails]]
-* [[TensorFlow]]
-* [[Homebrew]]
-* [[Linuxbrew]]
 * [[PyEnv]]
+* [[CURL]]
 * [[TMux]]
 * [[7Zip]]
+* [[Linux Containers|LXC]]
 * [[Zip]]
 * [[Tar]]
-| valign="top" |
+|valign="top"|
-* [[Linux Service Creation]]
+* [[Ubuntu Upgrade|Linux » Ubuntu Upgrade]]
-* [[Bash/Port/Forward]]
+* [[Linux Service Creation|Linux » Service Creation]]
-* [[Linux Mount Drive]]
+* [[Linux User Creation|Linux » User Creation]]
-* [[YouTube/Channel]]
+* [[Linux Mount Drive|Linux » Mount Drive]]
-* [[Bash/Network]]
+* [[Swap Space|Linux » Swap Space]]
-* [[Bash/RAM]]
+* [[EKSctl|CLI » AWS » EKS]]
-* [[Bash/CPU]]
+* [[AWS CLI|CLI » AWS]]
-* [[Bash/Port]]
+* [[Google Cloud CLI|CLI » GCP]]
+* [[CLI App|CLI]]
+* [[K9s]]
+|valign="top"|
+* [[Cloudflare/WARP Host|Cloudflare » Host]]
+* [[Cloudflare]]
+* [[Terraform]]
+* [[ActiveMQ]]
+* [[Keycloak]]
+* [[Hadoop]]
+* [[Jenkins]]
+* [[Spark]]
 * [[Bash]]
 * [[Port]]
+|valign="top"|
+* [[Private Enterprise Number]]
+* [[Chorke Academia Backup]]
+* [[Cloud Computing Cost|Cost » Cloud » Computing]]
+* [[Cloud/Cost/Chorke|Cost » Cloud » Chorke]]
+* [[YouTube/Channel]]
+|-
+|colspan="4"|
+----
+|-
+|valign="top"|
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.40.0/21 🟢]
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/21 ⚪️]
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=21&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.56.0/21 ⚪️]
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.46.0/23 ⚪️]
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.48.0/23 🟢]
+* [https://www.calculator.net/ip-subnet-calculator.html?cclass=b&csubnet=23&cip=10.20.40.0&ctype=ipv4&x=Calculate 10.20.50.0/23 ⚪️]
+|valign="top"|
+|valign="top"|
+|valign="top"|
 |-
-|colspan="3"|
+|colspan="4"|
 ----
 |-
 |valign="top"|
-* [[Private Enterprise Number]]
-* [[Linux User Creation]]
-* [[Linux Containers]]
-* [[PostgreSQL]]
-* [[IPTables]]
-* [[MySQL]]
-* [[CIDR]]
-* [[UFW]]
-* [[YQ Tool|YQ]]
-* [[JQ Tool|JQ]]
 |valign="top"|
-* [[Chorke Academia Backup]]
-* [[Cloud Computing Cost]]
+|valign="top"|
-* [[Helm/PostgreSQL|Helm » PostgreSQL]]
-* [[Helm/MariaDB|Helm » MariaDB]]
-* [[Benchmarks]]
-* [[Helm]]
 |valign="top"|
 |}

Cloud/Hetzner/AA: Difference between revisions

Latest revision as of 03:30, 19 October 2025

Hetzner » Argo

Hetzner » Analyze

Hetzner » Add User

Hetzner » SSH Config

Hetzner » APT Update

Hetzner » Swap Space

Hetzner » Attach Volume

Hetzner » Containerize » LXD

Hetzner » Containerize » Docker

Hetzner » Cloudflare » VIRT

Hetzner » Cloudflare » Argo » Tunnel

Hetzner » Cloudflare » WARP » Tunnel

Hetzner » Cloudflare » WARP » Exclude

Hetzner » Cloudflare » WARP » Forward

Cloudflare » WARP » Forward » Route

Hetzner » LB » HAProxy » Install & Configure

Hetzner » LB » HAProxy » Frontend » HTTP Config

Hetzner » LB » HAProxy » Frontend » HTTPS Config

Hetzner » LB » HAProxy » Frontend » OVPN Config

Hetzner » LB » HAProxy » Frontend » Git Repo Config

Hetzner » LB » HAProxy » Frontend » Kube API Config

LB » HAProxy » Frontend » Mail TCP Config

Hetzner » Kubernetes » Minikube » Install & Configure

Hetzner » Kubernetes » Minikube » Tunnel » Create Service

Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard

Hetzner » Kubernetes » Debug » MariaDB

Hetzner » Kubernetes » Debug » PostgreSQL

Playground

References

Navigation menu

Search