Cloud/Linode/AA: Difference between revisions

Line 385: Line 385:
ping -c5 shahed.biz  ;echo
ping -c5 shahed.biz  ;echo
EXE
EXE
</syntaxhighlight>
|}
==Linode » Cloudflare » VIRT==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:800px'|
Linode » Cloudflare » VIRT
|-
|valign='top'|
<syntaxhighlight lang="ini">
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.42.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status      warp0.service
EXE
ip a
</syntaxhighlight>
|}
==Linode » Cloudflare » Argo » Tunnel==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1100px'|
Linode » Cloudflare » Argo » Tunnel
|-
|valign='top'|
<syntaxhighlight lang="bash">
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -P ${HOME}/Downloads
sudo dpkg -i ${HOME}/Downloads/cloudflared-linux-amd64.deb; sudo apt install -f
      rm -rf ${HOME}/Downloads/cloudflared-linux-amd64.deb
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="properties">
cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null
###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000
# 208 KiB Default RX Buffer
net.core.rmem_default=212992
# 208 KiB Default TX Buffer
net.core.wmem_default=212992
# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608
# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608
SYS
sudo sysctl -p
</syntaxhighlight>
|-
|valign='top'|
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👈]]
|}
==Linode » Cloudflare » WARP » Tunnel==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:800px'|
Linode » Cloudflare » WARP » Tunnel
|-
|valign='top'|
[[Cloud/Hetzner/AA#Cloudflare » WARP » Tunnel|Skipped » Find More » 👈]]
|-
|valign='top'|
<syntaxhighlight lang="bash">
lxc snapshot cloudflare base:2025.1.861.0
lxc publish  cloudflare/base:2025.1.861.0 --alias cloudflare/base:2025.1.861.0
lxc restore  cloudflare base:2025.1.861.0
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
lxc snapshot cloudflare shahed:2025.03.09
lxc publish  cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore  cloudflare shahed:2025.03.09
</syntaxhighlight>
|}
==Linode » LB » HAProxy » Install & Configure==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:800px'|
Linode » LB » HAProxy » Install & Configure
|-
|valign='top'|
[[Cloud/Hetzner/AA#LB » HAProxy » Install & Configure|Skipped » Find More » 👈]]
|-
|valign='top'|
<syntaxhighlight lang="bash">
sudo ufw status numbered
sudo iptables -S
cat << EXE | sudo bash
ufw      allow 80/tcp
ufw      allow 443/tcp
EXE
sudo ufw status numbered
sudo iptables -S
</syntaxhighlight>
|}
==Linode » LB » HAProxy » Frontend » HTTP Config==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='width:1000px'|
Linode » LB » HAProxy » Frontend » HTTP Config
|-
|valign='top'|
<syntaxhighlight lang="bash">
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null
# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend          fnt_shahed_biz
  bind            *:80
  mode            http
  acl            path-is-acme-challenge                path_beg /.well-known/acme-challenge/
  http-request    redirect scheme https code 301        unless path-is-acme-challenge
  use_backend    bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
  default_backend bck_letsencrypt_org_acme_challenge
backend            bck_letsencrypt_org_acme_challenge
  server          letsencrypt 127.0.0.1:19830
  mode            http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/
</syntaxhighlight>
|-
|valign='top'|
<syntaxhighlight lang="bash">
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig
</syntaxhighlight>
</syntaxhighlight>
|}
|}
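Review bot: In the Argo Tunnel snippet the cloudflared `.deb` goes from `wget` straight into `dpkg -i` with no integrity check and no check that the download succeeded, and the unquoted `${HOME}` paths split on spaces; gate the install on the fetch, quote the path, and verify the package against whatever checksum or signature Cloudflare publishes for the release before installing, e.g. `wget -cq … -P "${HOME}/Downloads" && sudo dpkg -i -- "${HOME}/Downloads/cloudflared-linux-amd64.deb"`. The `tee -a` onto `/etc/sysctl.conf` in the following snippet appends the whole block again on every re-run; a `grep -q` on the block's header comment before the `tee -a` keeps it idempotent. The doubled `</syntaxhighlight>` and `|}` at the end of the hunk look like the two-column diff rendering rather than stray markup, but that is worth confirming in the saved wikitext.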

Revision as of 08:26, 6 July 2025

Linode » Argo

Linode » Argo

Name Network Subnets Forward
Linode » AA 10.20.42.1/32 10.20.42.1 … 1/32 = 01 ⚪️
Linode » AB 10.20.42.2/32 10.20.42.2 … 2/32 = 01 ⚪️
Linode » AC 10.20.42.3/32 10.20.42.3 … 3/32 = 01 ⚪️
Linode » AD 10.20.42.4/32 10.20.42.4 … 4/32 = 01 ⚪️
Linode » AE 10.20.42.5/32 10.20.42.5 … 5/32 = 01 ⚪️

Linode » Analyze

Linode » Analyze

# Open a remote root shell on linode-aa with the named ed25519 key; the
# commands below are then typed into that session.
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@linode-aa.public.ip bash

# Quoted delimiter: the block is handed to the privileged shell verbatim.
# Memory, boot-time breakdown, disk usage, block devices and active swap.
sudo bash <<'EXE'
free -th && echo && systemd-analyze && echo
df -h    && echo && lsblk && echo
swapon --show
EXE

Linode » Hostname

Linode » Hostname

# Remote root shell on linode-aa (same key as the other sections).
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@linode-aa.public.ip bash

# Set the machine hostname persistently and print the resulting state.
sudo bash <<'EXE'
hostnamectl set-hostname linode-aa
hostnamectl status
EXE

Linode » Add User

Linode » Add User

ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@linode-aa.public.ip bash
# Create the two admin accounts with a home directory, delete the password and
# then lock it (the intent appears to be SSH-key-only login), and give them bash.
# Same four commands per account, in the same order as before.
for account in chorke shahed; do
  sudo adduser -m        "$account"
  sudo passwd  -d        "$account"
  sudo passwd  -l        "$account"
  sudo chsh -s /bin/bash "$account"
done
# Edit sudoers through visudo so the file is syntax-checked before it is saved.
sudo visudo
# Reference copy of the expected sudoers content. A quoted string handed to ':'
# is a no-op, so nothing below is executed. sudoers applies the last matching
# entry, so the trailing NOPASSWD line exempts only supervisorctl from the
# password prompt while every other command still asks for one.
:'
# User privilege specification
root    ALL=(ALL:ALL) ALL
shahed  ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
shahed  ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
'

Linode » SSH Config

Linode » Config » SSH

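ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@linode-aa.public.ip bash

# Harden sshd: key-only logins, no empty passwords, no direct root login.
# The sed patterns only rewrite the commented-out defaults; a setting that is
# already uncommented, or one supplied by an Include'd drop-in if any, is left
# untouched, which is why the effective values are confirmed with `sshd -T`.
# `sshd -t` validates the file before the restart so a typo cannot leave the
# host without a working SSH service.
sudo bash <<'EXE'
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|'    -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|'      -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|'               -i /etc/ssh/sshd_config
sshd -t && systemctl restart ssh
EXE
# Effective configuration as sshd resolves it (keys are printed lower-case).
sudo sshd -T | grep -iE 'passwordauthentication|pubkeyauthentication|permitemptypasswords|permitrootlogin'
# Make the authorized_keys files immutable: they cannot be modified, even by
# the owning account, until root clears the attribute again.
sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys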

Linode » APT Update

Linode » APT Update

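# Base system refresh and tooling. apt-get runs as root via sudo; the quoted
# delimiter sends the block verbatim.
sudo bash <<'EXE'
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg build-essential snapd jq traceroute
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
# Install yq from its GitHub release. The binary is downloaded to a temporary
# file and only installed when the download succeeded, so a failed fetch can no
# longer leave a truncated but executable /usr/local/bin/yq behind. Quoting the
# delimiter removes the need for the `\$` escapes the old block used.
sudo bash <<'EXE'
set -euo pipefail
PLATFORM=$(uname -s)_$(dpkg --print-architecture)
YQ_BINARY=yq_${PLATFORM,,}   # lower-cased, e.g. yq_linux_amd64 (constructed example)
TMP_YQ=$(mktemp)
trap 'rm -f -- "$TMP_YQ"' EXIT
wget "https://github.com/mikefarah/yq/releases/latest/download/${YQ_BINARY}" -O "$TMP_YQ"
# TODO: verify the file against the checksum published with the yq release
# before installing it; TLS alone does not prove the binary is the intended one.
install -m 0755 -- "$TMP_YQ" /usr/local/bin/yq
EXE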

Linode » Swap Space

Linode » Swap Space

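# Show current swap, replace the distro's /swap.img with an 11G one, and make
# it persistent in fstab.
sudo swapon --show
sudo bash <<'EXE'
swapoff /swap.img
fallocate -l 11G /swap.img
# Restrict the file before it holds anything: swap can contain process memory.
chmod 0600 /swap.img
ls -lh /swap.img && mkswap /swap.img
swapon /swap.img && swapon --show && free -th
EXE
# Append the fstab entry only if it is not there yet, so re-running this
# section does not accumulate duplicate swap lines.
if ! grep -qs '^/swap.img[[:space:]]' /etc/fstab; then
  cat <<'FST' | sudo tee -a /etc/fstab >/dev/null
# loop based swap storage » 8GB + 3GB 
/swap.img              none            swap    sw              0       0
FST
fi

free -th
cat /etc/fstab
# daemon-reload needs root.
sudo systemctl daemon-reload
sudo swapon --show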

Linode » Attach Volume

Linode » Attach Volume

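# Format (once) and persistently mount the attached Linode volume for minikube.
sudo bash <<'EXE'
set -eu
dev=/dev/disk/by-id/scsi-0Linode_Volume_linode-aa-vol-aa
mnt=/var/minikube/pvc
mkdir -p "$mnt"
# Only format a blank device: an unconditional `mkfs.ext4 -F` would silently
# wipe an existing filesystem on re-run.
if [ -z "$(blkid -s TYPE -o value "$dev")" ]; then
  mkfs.ext4 -F "$dev"
fi
# Add the fstab entry only if it is not present yet (idempotent re-runs).
# nofail keeps the host booting if the volume is detached.
if ! grep -qs "^${dev}[[:space:]]" /etc/fstab; then
  cat <<FST | tee -a /etc/fstab >/dev/null

# linode-aa » attach 40gb storage » linode-aa-vol-aa
${dev} ${mnt} ext4 defaults,noatime,nofail 0 2
FST
fi

systemctl daemon-reload
mount -a
# chown after mounting so it applies to the volume's root, not to the empty
# mount-point directory that the mount then hides.
chown minikube:minikube -R "$mnt"/
EXE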

Linode » Containerize » LXD

Linode » Containerize » LXD

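# LXD from the snap 6/stable channel. NOTE: LXD's own documentation warns that
# members of the lxd group can use the API to gain root on the host, so grant
# the group only to administrators.
sudo bash <<'EXE'
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE

echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash
# Non-interactive init: NAT'd lxdbr0 on 10.20.0.0/24, a 15GiB ZFS pool, and a
# default profile wiring eth0 and the root disk to them.
sudo lxd init --preseed <<'YML'
---
config: {}
networks:
- config:
    ipv4.address: 10.20.0.1/24
    ipv4.nat: "true"
    ipv6.address: auto
  description: ""
  name: lxdbr0
  type: ""
  project: default
storage_pools:
- config:
    size: 15GiB
  description: ""
  name: lxd-zfs-pool-aa
  driver: zfs
storage_volumes: []
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: lxd-zfs-pool-aa
      type: disk
  name: default
projects: []
cluster: null
YML
# Allow SSH *before* enabling the firewall: ufw defaults to deny-incoming, so
# enabling it first (as this section used to) risks locking out new SSH
# sessions until the allow rule lands.
sudo ufw allow OpenSSH
sudo ufw enable
sudo iptables -S

# Let containers on lxdbr0 reach the host and be forwarded through it.
sudo bash <<'EXE'
ufw       allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
EXE

sudo ufw status numbered
sudo iptables -S
sudo bash <<'EXE'
snap restart  lxd
snap services lxd
EXE
lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'

# Connectivity smoke test from inside the new container.
lxc exec academia -- sh <<'EXE'
ping -c5 chorke.org
ping -c5 shahed.biz
EXE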

Linode » Containerize » Docker

Linode » Containerize » Docker

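# Docker CE from Docker's apt repository.
sudo install -m 0755 -d /etc/apt/keyrings
# Fetch the signing key into a variable first so a failed download cannot
# leave an empty keyring file behind (a bare `curl | tee` would, since the
# pipeline's status is tee's).
docker_gpg=$(curl -fsSL https://download.docker.com/linux/ubuntu/gpg) \
  && printf '%s\n' "$docker_gpg" | sudo tee /etc/apt/keyrings/docker.asc >/dev/null
# TODO: compare `gpg --show-keys /etc/apt/keyrings/docker.asc` with the key
# fingerprint published in Docker's install documentation.

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# Unquoted delimiter on purpose: the architecture and codename are expanded
# here, and the trailing backslash joins the two lines into one deb entry.
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
https://download.docker.com/linux/ubuntu ${DISTRIBUTION}  stable
SRC
sudo bash <<'EXE'
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE
# Daemon config: fixed bridge subnet and explicit resolvers. "debug": true
# makes the daemon log verbosely; consider dropping it once the host is stable.
sudo tee /etc/docker/daemon.json >/dev/null <<'EOF'
{
    "bip"  : "10.20.13.1/24",
    "mtu"  : 1500,
    "dns"  : [
        "1.1.1.1",
        "8.8.8.8"
    ],
    "debug": true
}
EOF
# Stop the socket as well as the service so the new daemon.json is picked up by
# a clean start, then add the admin accounts to the docker group. Docker
# documents that group as root-equivalent on the host — keep it to admins.
sudo bash <<'EXE'
systemctl stop  docker.socket
systemctl stop  docker.service
systemctl start docker.service

usermod -aG docker chorke
usermod -aG docker shahed
EXE
ip a
docker image ls
docker network ls

echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash

# Smoke test: hosts file, resolvers and outbound reachability from a
# throw-away container.
docker run --rm -i alpine sh <<'EXE'
echo
cat /etc/hosts       ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org  ;echo
ping -c5 shahed.biz  ;echo
EXE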

Linode » Cloudflare » VIRT

Linode » Cloudflare » VIRT

# Persistent dummy interface warp0 carrying this node's /32 for WARP routing.
# Type=oneshot with RemainAfterExit=yes keeps the unit "active" after the ip
# commands finish, so a later `systemctl stop` runs the ExecStop cleanup.
# Quoted delimiter: the unit file is written verbatim.
sudo tee /etc/systemd/system/warp0.service >/dev/null <<'INI'
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.42.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI
# Load the new unit, enable it at boot and start it now, then show its state
# and the resulting interface addresses.
sudo bash <<'EXE'
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status       warp0.service
EXE

ip a

Linode » Cloudflare » Argo » Tunnel

Linode » Cloudflare » Argo » Tunnel

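# Install the latest cloudflared release and tune the kernel for its tunnel.
cloudflared_deb="${HOME}/Downloads/cloudflared-linux-amd64.deb"
# Only hand the package to dpkg when the download actually succeeded; the old
# form ran `dpkg -i` (and `apt install -f`) regardless of the wget result.
if wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -P "${HOME}/Downloads"; then
  # TODO: verify the .deb against the checksum or signature Cloudflare
  # publishes for the release before installing it.
  sudo dpkg -i -- "$cloudflared_deb"; sudo apt install -f
fi
rm -f -- "$cloudflared_deb"
# Append the sysctl block only once: `tee -a` on its own duplicates it on every
# re-run. ping_group_range lets processes in groups 0-10000 open ICMP sockets
# without root; the buffer limits raise the socket buffer ceilings.
if ! grep -qs 'Cloudflared Tunnel Private Network Config' /etc/sysctl.conf; then
  cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null

###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000

# 208 KiB Default RX Buffer
net.core.rmem_default=212992

# 208 KiB Default TX Buffer
net.core.wmem_default=212992

# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608

# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608

SYS
fi

# Reload /etc/sysctl.conf into the running kernel.
sudo sysctl -p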

Skipped » Find More » 👈

Linode » Cloudflare » WARP » Tunnel

Linode » Cloudflare » WARP » Tunnel

Skipped » Find More » 👈

# Round-trip each snapshot of the "cloudflare" container: take it, publish it
# as an image under the same alias, then restore the container from it. The
# restore straight after the snapshot looks like a sanity check of the flow.
# Same six lxc calls as before, in the same order.
for snap in base:2025.1.861.0 shahed:2025.03.09; do
  lxc snapshot cloudflare "$snap"
  lxc publish  "cloudflare/$snap" --alias "cloudflare/$snap"
  lxc restore  cloudflare "$snap"
done

Linode » LB » HAProxy » Install & Configure

Linode » LB » HAProxy » Install & Configure

Skipped » Find More » 👈

# Firewall state before and after opening the HAProxy front-end ports.
sudo ufw status numbered
sudo iptables -S

# Equivalent to piping the two rules into `sudo bash`: ufw runs as root
# either way.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

sudo ufw status numbered
sudo iptables -S

Linode » LB » HAProxy » Frontend » HTTP Config

Linode » LB » HAProxy » Frontend » HTTP Config

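# HAProxy HTTP (port 80) front end: every request is redirected to HTTPS except
# the ACME HTTP-01 challenge path, which is handed to the local listener on
# 127.0.0.1:19830 (backend server "letsencrypt"). Quoted delimiter: the config
# is written verbatim.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null <<'CFG'

# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz
   bind            *:80
   mode            http

   acl             path-is-acme-challenge                path_beg /.well-known/acme-challenge/

   http-request    redirect scheme https code 301        unless path-is-acme-challenge
   use_backend     bck_letsencrypt_org_acme_challenge    if path-is-acme-challenge
   default_backend bck_letsencrypt_org_acme_challenge

backend            bck_letsencrypt_org_acme_challenge
   server          letsencrypt 127.0.0.1:19830
   mode            http
CFG
# Explicit link name plus -f keeps this step idempotent: a plain `ln -s` into
# the directory fails with "File exists" on the second run.
sudo ln -sf /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/shahed.biz-http-all.cfg
# Review the site-local reconfig script, then run it to apply the change
# (what the script does — presumably a config check and reload — is not
# shown here).
vim /etc/haproxy/proxy-scripts/reconfig
    /etc/haproxy/proxy-scripts/reconfig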

Playground

Playground

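# Key distribution: `-n` is a dry run, then the real copy.
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id    -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
certbot delete --cert-name  k8s.ab.linode.shahed.biz
certbot delete --cert-name psql.ab.linode.shahed.biz
# One combined PEM (full chain + private key) per certificate, as HAProxy's
# `crt` expects. The result contains the private key, so it is created under
# umask 077 (mode 0600) instead of inheriting the default umask. `cd` is now
# gated with && so a failed cd cannot run the loop in the wrong directory.
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then
    (umask 077; cat -- "${d}/fullchain.pem" "${d}/privkey.pem" > "${d}.pem")
  fi
done
# Emit the matching HAProxy `bind` fragment. Values go through %s rather than
# into the format string, so a name containing '%' cannot confuse printf.
cd /etc/letsencrypt/live/ && for d in *; do
  if [ -d "${d}" ]; then printf 'crt %s/%s.pem ' "${PWD}" "${d}"; fi
done
printf 'alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n'
# Syntax-check a candidate sudoers fragment without installing it. This
# variant gives minikube unrestricted passwordless sudo; prefer the
# command-specific variant further down.
cat <<'INI' | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI

sudo visudo
sudo cat /etc/sudoers
# sudoers needs the resolved binary path, hence the realpath check.
sudo realpath "$(command -v minikube)"
# Least-privilege variant: only the two commands the minikube tunnel needs.
# A trailing `*` in sudoers matches any arguments to that command, so the
# grant is "all of ip route" and "all of minikube tunnel", not a single form.
cat <<'INI' | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI

sudo visudo -f /etc/sudoers.d/minikube
sudo cat       /etc/sudoers.d/minikube
sudo realpath "$(command -v ip)"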

References