Cloud/Hetzner/AA: Difference between revisions

Line 502: Line 502:
cat <<'CFG' | tee /etc/haproxy/haproxy.cfg >/dev/null
cat <<'CFG' | tee /etc/haproxy/haproxy.cfg >/dev/null
global
global
   log       /dev/log  local0
   log             /dev/log  local0
   log       /dev/log  local1 notice
   log             /dev/log  local1 notice
   chroot   /var/lib/haproxy
   chroot         /var/lib/haproxy
   stats     socket    /run/haproxy/admin.sock mode 660 level admin
   stats           socket    /run/haproxy/admin.sock mode 660 level admin
   stats     timeout    30s
   stats           timeout    30s
   user     haproxy
   user           haproxy
   group     haproxy
   group           haproxy
   daemon
   daemon


   # default ssl material locations
   # default ssl material locations
   ca-base   /etc/ssl/certs
   ca-base         /etc/ssl/certs
   crt-base /etc/ssl/private
   crt-base       /etc/ssl/private


   # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
   # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
Line 521: Line 521:


defaults
defaults
   log       global
   log             global
   option   httplog
   option         httplog
   option   dontlognull
   option         dontlognull
   timeout   connect 5000
   timeout         connect 5000
   timeout   client  50000
   timeout         client  50000
   timeout   server  50000
   timeout         server  50000
   errorfile 400 /etc/haproxy/errors/400.http
   errorfile       400 /etc/haproxy/errors/400.http
   errorfile 403 /etc/haproxy/errors/403.http
   errorfile       403 /etc/haproxy/errors/403.http
   errorfile 408 /etc/haproxy/errors/408.http
   errorfile       408 /etc/haproxy/errors/408.http
   errorfile 500 /etc/haproxy/errors/500.http
   errorfile       500 /etc/haproxy/errors/500.http
   errorfile 502 /etc/haproxy/errors/502.http
   errorfile       502 /etc/haproxy/errors/502.http
   errorfile 503 /etc/haproxy/errors/503.http
   errorfile       503 /etc/haproxy/errors/503.http
   errorfile 504 /etc/haproxy/errors/504.http
   errorfile       504 /etc/haproxy/errors/504.http
CFG
CFG


Line 542: Line 542:
cat <<'CFG' | tee -a /etc/haproxy/haproxy.cfg >/dev/null
cat <<'CFG' | tee -a /etc/haproxy/haproxy.cfg >/dev/null


# haproxy:   vpn.shahed.biz:1194
# haproxy:         vpn.shahed.biz:1194
frontend     fnt_vpn_shahed_biz_udp
frontend           fnt_vpn_shahed_biz_udp
   bind     *:1194 proto udp
   bind           *:1194 proto udp
   mode     tcp
   mode           tcp
   option   tcplog
   option         tcplog
   option   udp-check
   option         udp-check
   option   dontlognull
   option         dontlognull
   timeout   connect 5000
   timeout         connect 5000
   timeout   client  50000
   timeout         client  50000
   timeout   server  50000
   timeout         server  50000
   default_backend bck_vpn_shahed_biz_udp
   default_backend bck_vpn_shahed_biz_udp


backend     bck_vpn_shahed_biz_udp
backend           bck_vpn_shahed_biz_udp
   mode     tcp
   mode           tcp
   server   shahed_al 10.20.40.12:1194
   server         shahed_al 10.20.40.12:1194
CFG
CFG


Line 565: Line 565:
cat <<'CFG' | tee -a /etc/haproxy/haproxy.cfg >/dev/null
cat <<'CFG' | tee -a /etc/haproxy/haproxy.cfg >/dev/null


# haproxy:   cid.chorke.org:4321
# haproxy:         cid.chorke.org:4321
frontend     fnt_cid_chorke_org_ssh
frontend           fnt_cid_chorke_org_ssh
   bind     *:4321 proto tcp
   bind           *:4321 proto tcp
   mode     tcp
   mode           tcp
   option   tcplog
   option         tcplog
   option   tcp-check
   option         tcp-check
   option   dontlognull
   option         dontlognull
   timeout   connect 5000
   timeout         connect 5000
   timeout   client  50000
   timeout         client  50000
   timeout   server  50000
   timeout         server  50000
   default_backend bck_cid_chorke_org_ssh
   default_backend bck_cid_chorke_org_ssh


backend     bck_cid_chorke_org_ssh
backend           bck_cid_chorke_org_ssh
   mode     tcp
   mode           tcp
   server   shahed_af 10.20.40.6:4321
   server         shahed_af 10.20.40.6:4321
CFG
CFG



Revision as of 16:48, 27 February 2025

SSH

# Open an interactive root shell on the Hetzner host with the dedicated ed25519
# key (-q quiet, -t force a tty); "hetzner-aa.public.ip" stands in for the
# server's address. Direct root login means everything below runs as root, and
# the private key file is the credential that protects that access.
ssh -qt -i ~/.ssh/cid.chorke.org_ed25519 root@hetzner-aa.public.ip bash

# Health snapshot of a fresh box: memory, boot timing, disks and active swap.
# Quoted delimiter ('EXE'): nothing is expanded by the local shell.
cat <<'EXE' | sudo bash
free -th && echo && systemd-analyze && echo
df -h    && echo && lsblk && echo
swapon --show
EXE

Add User

# Set the root password first (passwd prompts interactively).
passwd

# Then create the two admin accounts. adduser and passwd both prompt on the
# terminal, so this has to be run interactively, one account after the other.
for account in chorke shahed; do
  adduser "${account}"
  passwd  "${account}"
done

APT Update

# Refresh the package index, apply pending upgrades and install the base
# tooling. /etc/apt/keyrings is created here because the Docker and Cloudflare
# repository keys are dropped into it later. Quoted delimiter: the body is
# handed to root's bash verbatim.
sudo bash <<'EXE'
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg build-essential snap jq traceroute
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE

Swap Space

# Show the current swap (if any) before replacing it.
echo 'swapon --show'|sudo bash
cat <<'EXE' | sudo bash
# Disable the existing swap file; errors if none is active, which is harmless
# here because bash simply continues with the next line.
swapoff /swap.img
# 20G matches the "16GB + 4GB" note in the fstab entry below. fallocate is fine
# on ext4; on filesystems without stable block mapping (e.g. btrfs) a file made
# this way may be refused by swapon — TODO confirm the root filesystem type.
fallocate -l 20G /swap.img
ls -lh /swap.img && mkswap /swap.img
# 0600 is required: swap holds pages of process memory, which can include
# secrets, and swapon warns about anything more permissive.
chmod 0600 /swap.img && swapon /swap.img && swapon --show && free -th
EXE

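# Make the swap file permanent. The grep guard makes the snippet safe to
# re-run: without it every run appends another identical fstab line.
grep -qs '^/swap.img[[:space:]]' /etc/fstab || cat << FST | sudo tee -a /etc/fstab >/dev/null
# loop based swap storage » 16GB + 4GB
/swap.img              none            swap    sw              0       0
FST

# Confirm: memory totals, the fstab entry and the active swap device.
free -th
cat /etc/fstab
echo 'swapon --show'|sudo bash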

Utility » Tool

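# Install the yq release binary for this host (asset name derived from uname
# and the dpkg architecture, lower-cased to match the release naming).
# Download to a temp file and only then install: "wget -O /usr/bin/yq" truncates
# the target before the request is made, so a failed fetch would leave an
# empty, unusable yq behind. "latest" is a moving target and nothing here
# verifies the asset — check it against the checksum file published with the
# release before trusting it on a production host.
# Quoted delimiter, so "$" no longer needs escaping: everything is expanded by
# root's bash.
cat <<'EXE' | sudo bash
PLATFORM=$(uname -s)_$(dpkg --print-architecture)
YQ_BINARY=$(echo "yq_${PLATFORM}"|tr '[:upper:]' '[:lower:]')
TMP_BIN=$(mktemp) \
 && wget "https://github.com/mikefarah/yq/releases/latest/download/${YQ_BINARY}" -O "${TMP_BIN}" \
 && install -m 0755 "${TMP_BIN}" /usr/bin/yq
rm -f "${TMP_BIN}"
EXE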

Containerize » LXD

# Install LXD from the 6/stable snap channel and let both admins drive it.
# Membership of the "lxd" group is effectively root on the host: a member can
# start a privileged container or mount host paths into one. Grant it with the
# same care as sudo.
cat << EXE | sudo bash
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE

# Verify membership through a fresh login shell (supplementary groups only
# appear in new sessions).
echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash

# Non-interactive LXD bootstrap (preseed): a NAT'd bridge lxdbr0 on
# 10.20.0.1/24 (containers get addresses there and reach out via the host),
# a 30GiB ZFS storage pool, and a default profile wired to both. The delimiter
# is unquoted, but the YAML contains no "$", so nothing is expanded. The WARP
# gateway container further down gets its default route from this bridge.
cat <<YML | sudo lxd init --preseed
---
config: {}
networks:
- config:
    ipv4.address: 10.20.0.1/24
    ipv4.nat: "true"
    ipv6.address: auto
  description: ""
  name: lxdbr0
  type: ""
  project: default
storage_pools:
- config:
    size: 30GiB
  description: ""
  name: lxd-zfs-pool-aa
  driver: zfs
storage_volumes: []
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: lxd-zfs-pool-aa
      type: disk
  name: default
projects: []
cluster: null
YML

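# Host firewall. Order matters: "ufw enable" switches to a deny-by-default
# incoming policy, so the OpenSSH rule must exist *before* enabling — otherwise
# an admin whose session drops in between cannot reconnect (established
# sessions survive, new ones are refused). Rules added while ufw is inactive
# are stored and applied on enable.
cat << EXE | sudo bash
ufw       allow OpenSSH
ufw       allow in  on lxdbr0
ufw route allow in  on lxdbr0
ufw route allow out on lxdbr0
EXE

# Inspect the raw chains, switch the firewall on (interactive confirmation),
# then inspect again.
sudo iptables -S
sudo ufw enable
sudo ufw status numbered
sudo iptables -S

# Restart LXD after the firewall change — presumably so it re-creates its own
# rules for lxdbr0 (DHCP/DNS towards the containers), which enabling ufw can
# disturb; confirm container connectivity afterwards.
cat << EXE | sudo bash
snap restart  lxd
snap services lxd
EXE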

Containerize » Docker

# Docker's APT signing key, fetched over TLS into the keyrings directory
# created earlier; the repo line below binds it with signed-by so only this key
# can sign packages from that source.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo tee /etc/apt/keyrings/docker.asc >/dev/null

# Ubuntu codename from os-release. Unquoted delimiter: $(dpkg …) and
# ${DISTRIBUTION} are expanded by the invoking shell before root's tee writes
# the file.
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu ${DISTRIBUTION}  stable
SRC

# Install Docker CE from the repository configured above; "apt-cache policy"
# shows which source supplies the candidate package before anything is
# installed. Caches and stale /tmp files are trimmed afterwards.
sudo bash <<'EXE'
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE

# Daemon config: pin the docker0 bridge to 10.20.13.1/24 (kept apart from the
# LXD and WARP ranges used on this page, and listed as an exclusion in the WARP
# split tunnels below), public resolvers for containers, and debug logging.
# JSON cannot carry comments, so the notes live here:
# - "debug": true makes dockerd very verbose; useful while bringing the host
#   up, worth switching off once it is stable.
# - dockerd manages its own iptables chains, so ports published with "-p" are
#   reachable from outside regardless of the ufw rules set earlier; restrict
#   them via the DOCKER-USER chain or publish on 127.0.0.1 only.
cat << EOF | sudo tee /etc/docker/daemon.json >/dev/null
{
    "bip"  : "10.20.13.1/24",
    "mtu"  : 1500,
    "dns"  : [
        "8.8.8.8",
        "8.8.4.4"
    ],
    "debug": true
}
EOF

# Restart the daemon so daemon.json takes effect — the socket unit is stopped
# first, presumably so socket activation does not bring the service back
# before the explicit start — then grant access to the two admins.
# The docker group is root-equivalent on the host (the daemon runs as root and
# members can mount any host path into a container); hand it out deliberately.
sudo bash <<'EXE'
systemctl stop  docker.socket
systemctl stop  docker.service
systemctl start docker.service

usermod -aG docker chorke
usermod -aG docker shahed
EXE

# Post-install checks: bridge addresses, images/networks, group membership as
# seen from a fresh login shell, and hosts/DNS as seen from inside a container.
ip address
docker image list
docker network list

echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash

docker container run --rm alpine cat /etc/hosts
docker container run --rm alpine cat /etc/resolv.conf

Cloudflare » VIRT

# Dummy interface carrying 10.20.41.1/32 — a stable local address that the
# traceroute check further down targets; presumably the address this host is
# known by on the WARP side (confirm in the Zero Trust routes). Unquoted
# delimiter, but the unit contains no "$". Type=oneshot + RemainAfterExit keeps
# the unit "active" so ExecStop removes the link on stop.
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.41.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI

# Load the new unit, start it now and at boot, then show the interfaces.
sudo bash <<'EXE'
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status       warp0.service
EXE

ip address

Cloudflare » Argo » Tunnel

# cloudflared from the GitHub "latest" release. The architecture is hard-coded
# to arm64 — presumably an ARM-based Hetzner instance; confirm with
# "dpkg --print-architecture". Nothing verifies the download: dpkg does not
# check signatures on a locally supplied .deb, so a tampered or truncated file
# would be installed as-is. Cloudflare also distributes cloudflared through a
# signed APT repository, which apt would verify on every update.
# "; sudo apt install -f" runs even when dpkg -i fails, to pull missing deps.
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
sudo dpkg -i ${HOME}/Downloads/cloudflared-linux-arm64.deb; sudo apt install -f
      rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb

# Kernel tuning appended to /etc/sysctl.conf for the cloudflared private
# network. Quoted delimiter: written verbatim. Note the "tee -a": running this
# twice appends the whole block twice.
cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null

###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
# (lets unprivileged processes whose group id falls in this range open ICMP
# echo sockets — presumably so cloudflared can proxy ping without raw-socket
# capabilities; confirm against the cloudflared docs)
net.ipv4.ping_group_range = 0 10000

# 208 KiB Default RX Buffer
net.core.rmem_default=212992

# 208 KiB Default TX Buffer
net.core.wmem_default=212992

# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608

# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608

SYS

# Apply /etc/sysctl.conf now (sysctl -p reads that file only, not sysctl.d).
sudo sysctl -p

Skipped » Find More » 👈

Cloudflare » WARP » Tunnel

# Dedicated container for the WARP client — presumably so the host itself never
# enrols in the Zero Trust network and only routes through the container.
lxc launch ubuntu:24.04 cloudflare
# Instance state as JSON; expect "Running" before going on.
lxc list -c=n -f=json|jq -r '.[]|select(.name=="cloudflare")|.status'

# Base packages inside the container. Quoted delimiter: the body runs verbatim,
# as root, inside the container (lxc exec's default user).
cat <<'EXE' | lxc exec cloudflare -- bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg jq && apt-get clean
EXE

# Cloudflare WARP client APT repository inside the container. The outer
# delimiter is quoted, so $(...) and ${...} survive the host shell and are
# expanded by bash inside the container; the inner "<< SRC" is unquoted on
# purpose so the container's own architecture and codename are substituted.
cat <<'EXE' | lxc exec cloudflare -- bash
# signing key over TLS, bound to the repo via signed-by ("sudo" is a no-op
# here since lxc exec already runs as root)
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
 | sudo tee /etc/apt/keyrings/cloudflare.asc >/dev/null

# codename and arch of the container, not the host
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}");\
cat << SRC | sudo tee /etc/apt/sources.list.d/cloudflare.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/cloudflare.asc]\
 https://pkg.cloudflareclient.com/ ${DISTRIBUTION} main
SRC

# show what was written: the repo line and the key that gates it
cat /etc/apt/sources.list.d/cloudflare.list
cat /etc/apt/keyrings/cloudflare.asc
EXE

# Install the WARP client now that its repository is trusted.
lxc exec cloudflare -- bash <<'EXE'
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y cloudflare-warp && apt-get clean
EXE

# Interactive transcript (not a script): enter the container, enable IPv4
# forwarding so it can relay traffic between eth0 and the WARP tunnel, and
# confirm its default route points at the LXD bridge (10.20.0.1).
lxc exec cloudflare -- bash
sudo vim /etc/sysctl.conf
# (edit: uncomment this line in the file)
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
# expected output:
net.ipv4.ip_forward = 1

ip route | grep default
# example output — 10.20.0.161 is the container's DHCP lease on lxdbr0, so it
# can change across restarts
default via 10.20.0.1 dev eth0 proto dhcp src 10.20.0.161 metric 100

# Checkpoint: snapshot the prepared container, publish it as a reusable image
# and roll the container back to the snapshot. The tag presumably encodes the
# WARP client version that was installed — confirm against the package version.
lxc snapshot cloudflare base:2024.12.554.0
lxc publish  cloudflare/base:2024.12.554.0 --alias cloudflare/base:2024.12.554.0
lxc restore  cloudflare base:2024.12.554.0

# Enrol the container's WARP client with a connector token.
# "eyJhIjoiNW…" is the (truncated) token issued by the Zero Trust dashboard: it
# is a credential that binds this device to the account, so keep the real value
# out of wiki pages, shell history and published images — and revoke/re-issue
# it if it ever leaks.
lxc exec cloudflare -- bash
sudo warp-cli status

cat <<'EXE' | lxc exec cloudflare -- bash
warp-cli connector new eyJhIjoiNW…
warp-cli connect
EXE

# Confirm the connection and make the WARP service come up at boot.
lxc exec cloudflare -- bash <<'EXE'
warp-cli status
systemctl daemon-reload
systemctl enable --now warp-svc.service
systemctl status       warp-svc.service
EXE

# Pre-answer the debconf questions (autosave v4/v6) so iptables-persistent
# installs unattended and the rules saved below are restored at boot.
lxc exec cloudflare -- bash <<'EXE'
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get -y install iptables-persistent && apt-get clean cache
EXE

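# Turn the container into a gateway between the LXD bridge side (eth0) and the
# WARP tunnel interface. Each rule is checked with "-C" before "-A" so the
# snippet is idempotent — re-running the original appended duplicate rules,
# and those duplicates were then persisted. The FORWARD rules accept anything
# arriving on eth0, so who can reach this container is decided by the host's
# routing and firewall, not here.
cat << EXE | lxc exec cloudflare -- bash
# allow forwarding traffic from host
iptables -C FORWARD -i eth0 -o CloudflareWARP -j ACCEPT 2>/dev/null || iptables -A FORWARD -i eth0 -o CloudflareWARP -j ACCEPT
iptables -C FORWARD -i CloudflareWARP -o eth0 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i CloudflareWARP -o eth0 -j ACCEPT

# cloudflarewarp nat gateway setup for host
iptables -t nat -C POSTROUTING -o CloudflareWARP -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o CloudflareWARP -j MASQUERADE

# persist across reboots, save the rules
mkdir -p /etc/iptables/
iptables-save  > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
EXE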

# Second checkpoint after enrolment and firewall setup. Note that this image
# now contains the enrolled WARP state, so treat the published image as
# sensitive rather than as a generic base.
lxc snapshot cloudflare init:2025.02.16
lxc publish  cloudflare/init:2025.02.16 --alias cloudflare/init:2025.02.16
lxc restore  cloudflare init:2025.02.16

Skipped » Find More » 👈

Cloudflare » WARP » Exclude

Settings » 0Trust » WARP Client » Device settings » Profile settings » Default » Configure »
Split Tunnels » Exclude IPs and domains » Manage » Manage Split Tunnels
Name Network Exclude
Network » OpenVPN 10.20.30.0/24
Network » Hetzner 10.20.31.0/24
Network » Docker 10.20.13.0/24
Network » Home 10.19.83.0/24
Network » LXD 10.20.0.0/24

Cloudflare » WARP » Forward

Implement Forward Routing
Name Network Subnets Forward
Network » Cloudflare 10.20.40.0/21 10.20.40 … 47.0/24 = 8
Network » Cloudflare 10.20.48.0/21 10.20.48 … 55.0/24 = 8 ⚪️
Network » Cloudflare 10.20.56.0/21 10.20.56 … 63.0/24 = 8 ⚪️
Network » Cloudflare 10.20.46.0/23 10.20.46 … 47.0/24 = 2 ⚪️
Network » Cloudflare 10.20.48.0/23 10.20.48 … 49.0/24 = 2
Network » Cloudflare 10.20.50.0/23 10.20.50 … 51.0/24 = 2 ⚪️

Cloudflare » WARP » Route » Host

# Interactive transcript on the host (not a script): enable IPv4 forwarding so
# packets for the WARP subnets can be relayed into the container, then check
# the default route on the public interface.
vim /etc/sysctl.conf
# (edit: uncomment this line in the file)
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

sudo sysctl -p
# expected output:
net.ipv4.ip_forward = 1

ip route | grep default
# example output: the "src" address is this host's own public address
default via 172.31.1.1 dev eth0 proto dhcp src 65.21.251.38 metric 100

# Capture the WARP container's bridge address for the warp-route unit.
# The outer delimiter is unquoted, so $(lxc list … | jq …) runs in the calling
# user's shell (which needs LXD access) before root's bash writes the file.
# The value is a one-off snapshot: the container's eth0 address comes from
# DHCP, so if the lease changes /etc/default/warp-route goes stale and the
# routes point at the wrong next hop.
cat << EXE | sudo bash
cat << ENV | tee /etc/default/warp-route >/dev/null
LXC_WARP_CLI_NAME=cloudflare
LXC_WARP_CLI_HOST=$(lxc list -f=json cloudflare | jq -r '.[]|.state.network.eth0.addresses[]|select(.family=="inet")|.address')
ENV
echo
cat /etc/default/warp-route
EXE

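# Host-side static routes towards the WARP gateway container. The next hop
# comes from /etc/default/warp-route; the "-" on EnvironmentFile tolerates a
# missing file, which is why ExecStartPre re-checks the variable. Quoted
# delimiter: "$LXC_WARP_CLI_HOST" is left for systemd to expand.
cat <<'INI' | sudo tee /etc/systemd/system/warp-route.service >/dev/null
[Unit]
Description=WARP Routes Over Clodflare LXC
Wants=network-online.target docker.service snap.lxd.daemon.service containerd.service
After=network-online.target docker.service snap.lxd.daemon.service containerd.service

[Service]
Type=oneshot
EnvironmentFile=-/etc/default/warp-route

# Crude wait for the LXD container to come up and obtain its address; there
# is no unit for the container itself to order against.
ExecStartPre=/bin/sleep 60
# Fail the unit explicitly when the next hop is unset ("exit 1" replaces a
# nonexistent "errors_exit" command that only failed via "command not found").
ExecStartPre=/bin/bash -c "if [ -z \"${LXC_WARP_CLI_HOST}\" ]; then echo \"Variable LXC_WARP_CLI_HOST not set in /etc/default/warp-route\"; exit 1; fi"
ExecStart=/usr/sbin/ip route add 10.20.40.0/21 via $LXC_WARP_CLI_HOST
ExecStart=/usr/sbin/ip route add 10.20.48.0/23 via $LXC_WARP_CLI_HOST
ExecStop=/usr/sbin/ip  route del 10.20.40.0/21
ExecStop=/usr/sbin/ip  route del 10.20.48.0/23
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
INI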

# Activate the route unit and inspect the resulting routing table and sysctl.
sudo bash <<'EXE'
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl enable  --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE

# Path check from the host: 10.20.40.1 should leave via the container,
# 10.20.41.1 is the local warp0 dummy interface.
bash <<'EXE'
traceroute 10.20.40.1
traceroute 10.20.41.1
EXE

# Reverse of the above: stop the unit and remove the routes again.
sudo bash <<'EXE'
systemctl daemon-reload
cat /etc/systemd/system/warp-route.service
systemctl disable --now warp-route.service
systemctl status        warp-route.service
echo && ip route show
echo && sysctl -p
EXE

LB » HAProxy » Install » Configure

# Install HAProxy from the Ubuntu archive, print its version and the packaged
# default config (which the next snippet overwrites), then clean the cache.
sudo bash <<'EXE'
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y haproxy;echo;haproxy -v;echo
cat /etc/haproxy/haproxy.cfg;echo
apt-get clean cache
EXE

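# Replace the packaged haproxy.cfg with a clean global/defaults section. The
# quoted delimiter writes it verbatim; "sudo tee" matches the other snippets
# on this page and works whether the session is root or an admin user (the
# original plain "tee" only worked as root).
cat <<'CFG' | sudo tee /etc/haproxy/haproxy.cfg >/dev/null
global
   log             /dev/log   local0
   log             /dev/log   local1 notice
   chroot          /var/lib/haproxy
   # admin-level runtime API socket: anyone in the socket's group (mode 660)
   # can reconfigure the running proxy, so keep that group membership tight
   stats           socket     /run/haproxy/admin.sock mode 660 level admin
   stats           timeout    30s
   user            haproxy
   group           haproxy
   daemon

   # default ssl material locations
   ca-base         /etc/ssl/certs
   crt-base        /etc/ssl/private

   # see: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
   # (TLS 1.2 minimum, AEAD suites only, no session tickets; only takes effect
   # once a "bind ... ssl" frontend is added)
   ssl-default-bind-ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
   ssl-default-bind-options      ssl-min-ver TLSv1.2 no-tls-tickets

defaults
   log             global
   option          httplog
   option          dontlognull
   timeout         connect 5000
   timeout         client  50000
   timeout         server  50000
   errorfile       400 /etc/haproxy/errors/400.http
   errorfile       403 /etc/haproxy/errors/403.http
   errorfile       408 /etc/haproxy/errors/408.http
   errorfile       500 /etc/haproxy/errors/500.http
   errorfile       502 /etc/haproxy/errors/502.http
   errorfile       503 /etc/haproxy/errors/503.http
   errorfile       504 /etc/haproxy/errors/504.http
CFG

# Parse/validate only (-c, -V verbose); the running service is not reloaded.
haproxy -c -V -f /etc/haproxy/haproxy.cfg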

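# OpenVPN passthrough: listen on every interface on UDP/1194 and relay to the
# VPN host on the WARP-routed subnet.
# NOTE(review): community HAProxy proxies TCP/HTTP only (UDP is handled just
# for syslog via log-forward); "bind ... proto udp" and "option udp-check" are
# likely rejected by the "haproxy -c" check below — confirm against the
# installed version before relying on this frontend.
# Firewall: the ufw setup on this page only opens OpenSSH and lxdbr0, so
# clients also need "ufw allow 1194/udp"; "*:1194" includes the public
# interface, so make sure that exposure is intended.
# "sudo tee -a" for consistency with the other snippets; quoted delimiter
# keeps the config verbatim.
cat <<'CFG' | sudo tee -a /etc/haproxy/haproxy.cfg >/dev/null

# haproxy:         vpn.shahed.biz:1194
frontend           fnt_vpn_shahed_biz_udp
   bind            *:1194 proto udp
   mode            tcp
   option          tcplog
   option          udp-check
   option          dontlognull
   timeout         connect 5000
   timeout         client  50000
   timeout         server  50000
   default_backend bck_vpn_shahed_biz_udp

backend            bck_vpn_shahed_biz_udp
   mode            tcp
   server          shahed_al 10.20.40.12:1194
CFG

# Syntax check only; the running service still needs a reload
# ("systemctl reload haproxy") to pick up the new section.
haproxy -c -V -f /etc/haproxy/haproxy.cfg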

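# TCP passthrough on port 4321 to 10.20.40.6 — presumably an SSH server, going
# by the _ssh naming (confirm). "*:4321" binds the public interface as well, so
# once ufw allows 4321/tcp the backend is reachable from the internet: make
# sure the backend host enforces key-only authentication, and consider
# limiting the ufw rule to known source addresses.
# "sudo tee -a" for consistency with the other snippets; quoted delimiter
# keeps the config verbatim.
cat <<'CFG' | sudo tee -a /etc/haproxy/haproxy.cfg >/dev/null

# haproxy:         cid.chorke.org:4321
frontend           fnt_cid_chorke_org_ssh
   bind            *:4321 proto tcp
   mode            tcp
   option          tcplog
   option          tcp-check
   option          dontlognull
   timeout         connect 5000
   timeout         client  50000
   timeout         server  50000
   default_backend bck_cid_chorke_org_ssh

backend            bck_cid_chorke_org_ssh
   mode            tcp
   server          shahed_af 10.20.40.6:4321
CFG

# Syntax check only; the running service still needs a reload
# ("systemctl reload haproxy") to pick up the new section.
haproxy -c -V -f /etc/haproxy/haproxy.cfg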

References