Cloud/Hetzner/AB
Hetzner » Argo
|
Hetzner » Argo | |||
|---|---|---|---|
| Name | Network | Subnets | Forward |
| Hetzner » AA | 10.20.41.1/32 |
10.20.41.1 … 1/32 = 01 |
✅ |
| Hetzner » AB | 10.20.41.2/32 |
10.20.41.2 … 2/32 = 01 |
✅ |
| Hetzner » AC | 10.20.41.3/32 |
10.20.41.3 … 3/32 = 01 |
⚪️ |
| Hetzner » AD | 10.20.41.4/32 |
10.20.41.4 … 4/32 = 01 |
⚪️ |
| Hetzner » AE | 10.20.41.5/32 |
10.20.41.5 … 5/32 = 01 |
⚪️ |
Hetzner » Analyze
|
Hetzner » Analyze |
|---|
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash
cat <<'EXE' | sudo bash
free -th && echo && systemd-analyze && echo
df -h && echo && lsblk && echo
swapon --show
EXE
|
Hetzner » Add User
|
Hetzner » Add User | |
|---|---|
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash
| |
sudo adduser -m chorke
sudo passwd -d chorke
sudo passwd -l chorke
sudo chsh -s /bin/bash chorke
|
sudo adduser -m shahed
sudo passwd -d shahed
sudo passwd -l shahed
sudo chsh -s /bin/bash shahed
|
sudo visudo
:'
# User privilege specification
root ALL=(ALL:ALL) ALL
shahed ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
shahed ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
shahed ALL=(ALL) NOPASSWD: /usr/local/bin/supervisorctl
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
'
| |
Hetzner » SSH Config
|
Hetzner » Config » SSH |
|---|
ssh -i ~/.ssh/ci.chorke.org_ed25519 -qt root@hetzner-ab.public.ip bash
cat << EXE | sudo bash
sed 's|#PasswordAuthentication yes|PasswordAuthentication no|' -i /etc/ssh/sshd_config
sed 's|#PubkeyAuthentication yes|PubkeyAuthentication yes|' -i /etc/ssh/sshd_config
sed 's|#PermitEmptyPasswords no|PermitEmptyPasswords no|' -i /etc/ssh/sshd_config
sed 's|#PermitRootLogin yes|PermitRootLogin no|' -i /etc/ssh/sshd_config
systemctl restart ssh
EXE
|
cat << EXE | sudo bash
sshd -T | grep -i PasswordAuthentication
sshd -T | grep -i PubkeyAuthentication
sshd -T | grep -i PermitEmptyPasswords
sshd -T | grep -i PermitRootLogin
EXE
|
sudo chattr +i /home/chorke/.ssh/authorized_keys
sudo chattr +i /home/shahed/.ssh/authorized_keys
sudo chattr +i /home/system/*-argo/.ssh/authorized_keys
|
Hetzner » APT Update
|
Hetzner » APT Update |
|---|
cat << EXE | sudo bash
apt-get update;echo
mkdir -p /etc/apt/keyrings
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y apt-transport-https ca-certificates gnupg build-essential snapd jq traceroute
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
|
cat << EXE|sudo bash
PLATFORM=\$(uname -s)_\$(dpkg --print-architecture)
YQ_BINARY=\$(echo "yq_\${PLATFORM}"|tr '[:upper:]' '[:lower:]')
wget https://github.com/mikefarah/yq/releases/latest/download/\${YQ_BINARY} -O /usr/local/bin/yq
chmod +x /usr/local/bin/yq
EXE
|
Hetzner » Swap Space
|
Hetzner » Swap Space |
|---|
echo 'swapon --show'|sudo bash
cat <<'EXE' | sudo bash
swapoff /swap.img
fallocate -l 11G /swap.img
ls -lh /swap.img && mkswap /swap.img
chmod 0600 /swap.img && swapon /swap.img && swapon --show && free -th
EXE
cat << FST | sudo tee -a /etc/fstab >/dev/null
# loop based swap storage » 8GB + 3GB
/swap.img none swap sw 0 0
FST
free -th
cat /etc/fstab
systemctl daemon-reload
echo 'swapon --show'|sudo bash
|
Hetzner » Attach Volume
|
Linode » Attach Volume |
|---|
cat <<'EXE'| sudo bash
mkdir -p /var/minikube/pvc
mkfs.ext4 -F /dev/disk/by-id/scsi-0HC_Volume_102736306
cat <<'FST'| tee -a /etc/fstab >/dev/null
# hetzner-ab » attach 40gb storage » hetzner-ab-vol-aa
/dev/disk/by-id/scsi-0HC_Volume_102736306 /var/minikube/pvc ext4 discard,nofail,defaults 0 0
FST
chown minikube:minikube -R /var/minikube/pvc/
systemctl daemon-reload
mount -a
EXE
|
Hetzner » Containerize » LXD
|
Hetzner » Containerize » LXD | |
|---|---|
cat << EXE | sudo bash
snap install lxd --channel=6/stable
usermod -aG lxd chorke
usermod -aG lxd shahed
EXE
echo 'id -nG'|sudo -i -u chorke bash
echo 'id -nG'|sudo -i -u shahed bash
|
cat <<YML | sudo lxd init --preseed
---
config: {}
networks:
- config:
ipv4.address: 10.20.0.1/24
ipv4.nat: "true"
ipv6.address: auto
description: ""
name: lxdbr0
type: ""
project: default
storage_pools:
- config:
size: 15GiB
description: ""
name: lxd-zfs-pool-ab
driver: zfs
storage_volumes: []
profiles:
- config: {}
description: ""
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: lxd-zfs-pool-ab
type: disk
name: default
projects: []
cluster: null
YML
|
sudo ufw enable
sudo iptables -S
cat << EXE | sudo bash
ufw allow OpenSSH
ufw allow in on lxdbr0
ufw route allow in on lxdbr0
ufw route allow out on lxdbr0
EXE
sudo ufw status numbered
sudo iptables -S
cat << EXE | sudo bash
snap restart lxd
snap services lxd
EXE
| |
lxc launch images:alpine/3.21 academia
lxc list -c=n -f=json|jq -r '.[]|select(.name=="academia")|.status'
cat <<'EXE'| lxc exec academia -- sh
ping -c5 chorke.org
ping -c5 shahed.biz
EXE
| |
Hetzner » Containerize » Docker
|
Hetzner » Containerize » Docker |
|---|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo tee /etc/apt/keyrings/docker.asc >/dev/null
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
https://download.docker.com/linux/ubuntu ${DISTRIBUTION} stable
SRC
cat << EXE | sudo bash
apt-get update;echo
apt-cache policy docker-ce
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
apt-get clean cache && find /tmp -type f,s -atime +10 -delete
EXE
cat << EOF | sudo tee /etc/docker/daemon.json >/dev/null
{
"bip" : "10.20.13.1/24",
"mtu" : 1500,
"dns" : [
"1.1.1.1",
"8.8.8.8"
],
"debug": true
}
EOF
cat << EXE | sudo bash
systemctl stop docker.socket
systemctl stop docker.service
systemctl start docker.service
usermod -aG docker chorke
usermod -aG docker shahed
EXE
ip a
docker image ls
docker network ls
echo 'id -nG'|sudo -i -u shahed bash
echo 'id -nG'|sudo -i -u chorke bash
cat <<'EXE'| docker run --rm -i alpine sh
echo
cat /etc/hosts ;echo
cat /etc/resolv.conf ;echo
ping -c5 chorke.org ;echo
ping -c5 shahed.biz ;echo
EXE
|
Hetzner » Cloudflare » VIRT
|
Hetzner » Cloudflare » VIRTl |
|---|
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.41.2/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
INI
cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable --now warp0.service
systemctl status warp0.service
EXE
ip a
|
Hetzner » Cloudflare » Argo » Tunnel
|
Hetzner » Cloudflare » Argo » Tunnel |
|---|
wget -cq https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -P ${HOME}/Downloads
sudo dpkg -i ${HOME}/Downloads/cloudflared-linux-arm64.deb; sudo apt install -f
rm -rf ${HOME}/Downloads/cloudflared-linux-arm64.deb
cat <<'SYS' | sudo tee -a /etc/sysctl.conf >/dev/null
###################################################################
# Cloudflared Tunnel Private Network Config
# This config added by Chorke Academia, Inc
# ICMP Group ID Range 0 to 10,000 Users
net.ipv4.ping_group_range = 0 10000
# 208 KiB Default RX Buffer
net.core.rmem_default=212992
# 208 KiB Default TX Buffer
net.core.wmem_default=212992
# 8 MB Maximum RX Buffer
net.core.rmem_max=8388608
# 8 MB Maximum TX Buffer
net.core.wmem_max=8388608
SYS
sudo sysctl -p
|
Hetzner » Cloudflare » WARP » Tunnel
|
Hetzner » Cloudflare » WARP » Tunnel |
|---|
lxc snapshot cloudflare base:2025.1.861.0
lxc publish cloudflare/base:2025.1.861.0 --alias cloudflare/base:2025.1.861.0
lxc restore cloudflare base:2025.1.861.0
lxc snapshot cloudflare shahed:2025.03.09
lxc publish cloudflare/shahed:2025.03.09 --alias cloudflare/shahed:2025.03.09
lxc restore cloudflare shahed:2025.03.09
|
Hetzner » LB » HAProxy » Install & Configure
|
Hetzner » LB » HAProxy » Install & Configure |
|---|
sudo ufw status numbered
sudo iptables -S
cat << EXE | sudo bash
ufw allow 80/tcp
ufw allow 443/tcp
EXE
sudo ufw status numbered
sudo iptables -S
|
Hetzner » LB » HAProxy » Frontend » HTTP Config
|
HAProxy » Frontend » HTTP |
|---|
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null
# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend fnt_shahed_biz
bind *:80
mode http
acl path-is-acme-challenge path_beg /.well-known/acme-challenge/
http-request redirect scheme https code 301 unless path-is-acme-challenge
use_backend bck_letsencrypt_org_acme_challenge if path-is-acme-challenge
default_backend bck_letsencrypt_org_acme_challenge
backend bck_letsencrypt_org_acme_challenge
server letsencrypt 127.0.0.1:19830
mode http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig
|
Hetzner » LB » HAProxy » Frontend » HTTPS Config
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ab.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ab.hetzner.shahed.biz --email tool.tech@shahed.biz --agree-tos
(cd /etc/letsencrypt/live/k8s.ab.hetzner.shahed.biz/;ln -s privkey.pem fullchain.pem.key)
certbot renew --http-01-port=19830 --force-renewal
certbot renew --http-01-port=19830
|
HAProxy » Frontend » HTTPS |
|---|
certbot certonly --standalone --non-interactive --http-01-port=19830 -d s3.minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.aa.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ab.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ac.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ad.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d k8s.ae.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d minio.shahed.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d artifactory.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d jenkins.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d camunda.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d harbor.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d gitlab.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d docker.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d nexus.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d wiki.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d n8n.shahed.biz
certbot certonly --standalone --non-interactive --http-01-port=19830 -d id.shahed.biz
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend fnt_shahed_biz_ssl
bind *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
mode http
acl host-is-s3-minio-shahed-shahed-biz hdr(host) -i s3.minio.shahed.shahed.biz
acl host-is-k8s-ab-hetzner-shahed-biz hdr(host) -i k8s.ab.hetzner.shahed.biz
acl host-is-k8s-aa-shahed-shahed-biz hdr(host) -i k8s.aa.shahed.shahed.biz
acl host-is-k8s-ab-shahed-shahed-biz hdr(host) -i k8s.ab.shahed.shahed.biz
acl host-is-k8s-ac-shahed-shahed-biz hdr(host) -i k8s.ac.shahed.shahed.biz
acl host-is-k8s-ad-shahed-shahed-biz hdr(host) -i k8s.ad.shahed.shahed.biz
acl host-is-k8s-ae-shahed-shahed-biz hdr(host) -i k8s.ae.shahed.shahed.biz
acl host-is-minio-shahed-shahed-biz hdr(host) -i minio.shahed.shahed.biz
acl host-is-artifactory-shahed-biz hdr(host) -i artifactory.shahed.biz
acl host-is-jenkins-shahed-biz hdr(host) -i jenkins.shahed.biz
acl host-is-camunda-shahed-biz hdr(host) -i camunda.shahed.biz
acl host-is-harbor-shahed-biz hdr(host) -i harbor.shahed.biz
acl host-is-gitlab-shahed-biz hdr(host) -i gitlab.shahed.biz
acl host-is-docker-shahed-biz hdr(host) -i docker.shahed.biz
acl host-is-nexus-shahed-biz hdr(host) -i nexus.shahed.biz
acl host-is-wiki-shahed-biz hdr(host) -i wiki.shahed.biz
acl host-is-n8n-shahed-biz hdr(host) -i n8n.shahed.biz
acl host-is-id-shahed-biz hdr(host) -i id.shahed.biz
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-s3-minio-shahed-shahed-biz
use_backend bck_shahed_biz_hetzner_ab_k8s if host-is-k8s-ab-hetzner-shahed-biz
use_backend bck_shahed_biz_shahed_aa_k8s if host-is-k8s-aa-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ab_k8s if host-is-k8s-ab-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ac_k8s if host-is-k8s-ac-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ad_k8s if host-is-k8s-ad-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-k8s-ae-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-minio-shahed-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-artifactory-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-jenkins-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-camunda-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-harbor-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-gitlab-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-docker-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-nexus-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-wiki-shahed-biz
use_backend bck_shahed_biz_shahed_ae_k8s if host-is-n8n-shahed-biz
use_backend bck_shahed_biz_hetzner_ab_k8s if host-is-id-shahed-biz
default_backend bck_shahed_biz_hetzner_ab_k8s
backend bck_shahed_biz_hetzner_ab_k8s
server hetzner_ab_k8s 192.168.49.2:80
mode http
backend bck_shahed_biz_shahed_aa_k8s
server shahed_aa_k8s 10.20.40.1:80
mode http
backend bck_shahed_biz_shahed_ab_k8s
server shahed_ab_k8s 10.20.40.2:80
mode http
backend bck_shahed_biz_shahed_ac_k8s
server shahed_ac_k8s 10.20.40.3:80
mode http
backend bck_shahed_biz_shahed_ad_k8s
server shahed_ad_k8s 10.20.40.4:80
mode http
backend bck_shahed_biz_shahed_ae_k8s
server shahed_ae_k8s 10.20.40.5:80
mode http
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig
certbot renew --http-01-port=19830 --force-renewal
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
systemctl reload haproxy.service
|
Hetzner » LB » HAProxy » Frontend » Kube API Config
|
Hetzner » LB » HAProxy » Frontend » Kube API Config |
|---|
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg >/dev/null
# ##############################################################################
# tcp frontend config for 10.20.41.2:8443
# this config added by chorke academia, inc
frontend fnt_shahed_biz_hetzner_ab
bind *:8443
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_hetzner_ab
backend bck_shahed_biz_hetzner_ab
server hetzner_ab 192.168.49.2:8443
mode tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-kube.cfg /etc/haproxy/proxy-enabled/
vim /etc/haproxy/proxy-scripts/reconfig
/etc/haproxy/proxy-scripts/reconfig
systemctl disable --now minikube.service
vim /etc/systemd/system/minikube.service
# append --apiserver-ips=10.20.41.2 with ExecStart
systemctl enable --now minikube.service
ssh -qt root@10.20.41.2 bash
sudo -i -u minikube
# run this script on the minikube host. copy the generated output and
# execute it on your local machine's terminal to enable monitoring of
# the minikube cluster.
cat << LOG
$(cat <<'YML'| tee ~/.kube/hetzner-ab-kubeconfig.yaml >/dev/null
apiVersion: v1
kind: Config
clusters:
- name: minikube
cluster:
server: https://10.20.41.2:8443
certificate-authority: ../.minikube/ca.crt
contexts:
- name: hetzner-ab
context:
cluster: minikube
namespace: default
user: minikube
users:
- name: minikube
user:
client-certificate: ../.minikube/profiles/minikube/client.crt
client-key: ../.minikube/profiles/minikube/client.key
current-context: hetzner-ab
YML
)
cat <<'YML'| tee ~/.kube/hetzner-ab-kubeconfig.yaml >/dev/null
$(export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml;\
kubectl config view --flatten;\
rm ${KUBECONFIG};\
)
YML
chmod 600 ~/.kube/hetzner-ab-kubeconfig.yaml
ls -alh ~/.kube/
export KUBECONFIG=~/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
kubectl get namespace
$(echo -n)
LOG
|
Hetzner » Database » MariaDB » Install & Configure
|
Database » MariaDB » Install & Configure |
|---|
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y mariadb-server mariadb-client;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
cat << EXE | sudo bash
systemctl daemon-reload;echo
systemctl enable --now mariadb.service
systemctl status mariadb.service
mariadb --version
EXE
# -- security risk: don't exec it
cat << DDL | sudo -i -u root mariadb
CREATE USER '${USER}'@'localhost' IDENTIFIED VIA unix_socket;
GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
DDL
echo -n 'Password: ';read -s ACADEMIA_PASSWORD;export ACADEMIA_PASSWORD;echo
# Password: sadaqah!
cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS academia;
CREATE USER 'academia'@'%' IDENTIFIED BY '${ACADEMIA_PASSWORD}';
GRANT ALL PRIVILEGES ON academia.* TO 'academia'@'%';
FLUSH PRIVILEGES;
DDL
cat << EXE | sudo bash
sed 's|bind-address = 127.0.0.1|bind-address = 0.0.0.0|' -i /etc/mysql/mariadb.conf.d/50-server.cnf
systemctl restart mariadb.service
EXE
cat << EXE | sudo bash
# ufw allow 3306/tcp
ufw allow from 192.168.49.2/32 to any port 3306 proto tcp
ufw allow from 10.20.0.0/24 to any port 3306 proto tcp
ufw allow from 10.20.13.0/24 to any port 3306 proto tcp
ufw allow from 10.20.31.0/24 to any port 3306 proto tcp
EXE
|
Hetzner » Database » PostgreSQL » Install & Configure
|
Database » PostgreSQL » Install & Configure |
|---|
cat << EXE | sudo bash
apt-get update;echo
apt list -a --upgradable;apt-get upgrade -y;echo
apt-get install -y postgresql postgresql-contrib;echo
apt-get clean cache && find /tmp -type f -atime +10 -delete && find /tmp -type s -atime +10 -delete
EXE
cat << EXE | sudo bash
systemctl daemon-reload;echo
systemctl enable --now postgresql.service
systemctl status postgresql.service
pg_lsclusters;echo
psql --version
EXE
# security risk: don't exec it
cat << EXE | sudo -i -u postgres bash
createuser ${USER}
createdb ${USER}
cat << DDL | psql
ALTER USER ${USER} WITH SUPERUSER;
DDL
EXE
echo -n 'Password: ';read -s PGBOUNCER_PASSWORD;export PGBOUNCER_PASSWORD;echo
# Password: sadaqah!
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_aa'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_aa')\gexec
CREATE USER bouncer_aa WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_aa TO bouncer_aa;
ALTER DATABASE bouncer_aa OWNER TO bouncer_aa;
DDL
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE bouncer_ab'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bouncer_ab')\gexec
CREATE USER bouncer_ab WITH ENCRYPTED PASSWORD '${PGBOUNCER_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE bouncer_ab TO bouncer_ab;
ALTER DATABASE bouncer_ab OWNER TO bouncer_ab;
DDL
cat <<'EXE'| sudo bash
IPV4_LOCAL_FIND=$(cat <<EOF
host all all 127.0.0.1/32 scram-sha-256
EOF
)
IPV4_LOCAL_FILL[${YARN_CONF_INDX}]=$(cat <<EOF
host all all 127.0.0.1/32 scram-sha-256\n\
host all all 192.168.49.2/32 scram-sha-256\n\
host all all 10.20.0.0/24 scram-sha-256\n\
host all all 10.20.13.0/24 scram-sha-256\n\
host all all 10.20.31.0/24 scram-sha-256
EOF
)
sed "s|#listen_addresses = 'localhost'|listen_addresses = '*' |" -i /etc/postgresql/16/main/postgresql.conf
sed -z "s|${IPV4_LOCAL_FIND}|${IPV4_LOCAL_FILL}|" -i /etc/postgresql/16/main/pg_hba.conf
systemctl restart postgresql.service
EXE
cat << EXE | sudo bash
# ufw allow 5432/tcp
ufw allow from 192.168.49.2/32 to any port 5432 proto tcp
ufw allow from 10.20.0.0/24 to any port 5432 proto tcp
ufw allow from 10.20.13.0/24 to any port 5432 proto tcp
ufw allow from 10.20.31.0/24 to any port 5432 proto tcp
EXE
|
Hetzner » Kubernetes » Minikube » Install & Configure
|
Hetzner » Kubernetes » Minikube » Install & Configure |
|---|
if [ -x "$(command -v curl)" ];then \
sudo apt -qq update;\
export MINIKUBE_CPU_USE=2;\
export MINIKUBE_RAM_USE=5682;\
export MINIKUBE_INGRESS_HOST='k8s.ab.hetzner.shahed.biz';\
bash <(curl -s 'https://cdn.chorke.org/exec/cli/bash/install/minikube/1.0.01-ubuntu-24.04-arm64.sh.txt');\
else printf 'curl \033[0;31mnot found! \033[0m:(\n';fi
|
Hetzner » Kubernetes » Minikube » Tunnel » Create Service
|
Hetzner » Kubernetes » Minikube » Tunnel » Create Service |
|---|
|
Skipped » Find More 👉 Minikube » Tunnel » Systemd |
Hetzner » Kubernetes » Minikube » Ingress » Apply Dashboard
|
Hetzner » K8s » Dashboard » Ingress » Apply |
|---|
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
cat << YML | kubectl -n kubernetes-dashboard apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kubernetes-dashboard
namespace: kubernetes-dashboard
labels:
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: kubectl
app.kubernetes.io/name: kubernetes-dashboard
app.kubernetes.io/instance: kubernetes-dashboard
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
spec:
ingressClassName: nginx
rules:
- host: k8s.ab.hetzner.shahed.biz
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 80
YML
Skipped » Find More 👉 K8s » CoreDNS |
Hetzner » Kubernetes » Debug » MariaDB
|
Hetzner » Kubernetes » Debug » MariaDB | |
|---|---|
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
|
kubectl create ns swiss-knife
kubectl get ns|grep swiss-knife
|
kubectl -n swiss-knife run -i --tty --rm mariadb-cli --image=alpine --restart=Never -- ash
apk --update add mariadb-client inetutils-telnet
echo -n password: ;read -s MYSQL_PWD;export MYSQL_PWD; echo
telnet 192.168.49.1 3306
telnet 10.20.31.3 3306
telnet 10.20.13.3 3306
telnet 10.20.0.1 3306
echo ${MYSQL_PWD}
mariadb -u academia -D academia -P3306 -h 192.168.49.1
mariadb -u academia -D academia -P3306 -h 10.20.31.3
mariadb -u academia -D academia -P3306 -h 10.20.13.1
mariadb -u academia -D academia -P3306 -h 10.20.0.1
| |
Hetzner » Kubernetes » Debug » PostgreSQL
|
Hetzner » Kubernetes » Debug » PostgreSQL | |
|---|---|
export KUBECONFIG=${HOME}/.kube/hetzner-ab-kubeconfig.yaml
kubectl config get-contexts
|
kubectl create ns swiss-knife
kubectl get ns|grep swiss-knife
|
kubectl -n swiss-knife run -i --tty --rm postgresql-cli --image=alpine --restart=Never -- ash
apk --update add postgresql-client inetutils-telnet
echo -n password: ; read -s PGPASSWORD; export PGPASSWORD; echo
telnet pgbouncer.pgbouncer.svc.cluster.local 5432
telnet pgbouncer.pgbouncer 5432
telnet 192.168.49.103 5432
telnet 192.168.49.1 5432
telnet 10.20.31.3 5432
telnet 10.20.13.1 5432
telnet 10.20.0.1 5432
echo ${PGPASSWORD}
psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer.svc.cluster.local
psql -U bouncer_ab -d bouncer_ab -p5432 -h pgbouncer.pgbouncer
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.103
psql -U bouncer_ab -d bouncer_ab -p5432 -h 192.168.49.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.31.3
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.13.1
psql -U bouncer_ab -d bouncer_ab -p5432 -h 10.20.0.1
| |
Playground
|
Playground | |
|---|---|
ssh-copy-id -n -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
ssh-copy-id -i ~/.ssh/cid.chorke.org_ed25519.pub shahed@10.20.40.1
certbot delete --cert-name k8s.ab.hetzner.shahed.biz
certbot delete --cert-name psql.ab.hetzner.shahed.biz
| |
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done;\
printf "alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n"
| |
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » all
minikube ALL=(ALL) NOPASSWD: ALL
INI
sudo visudo
sudo cat /etc/sudoers
|
cat << INI | visudo -cf /dev/stdin
# minikube » no-password » sudo access » specific
minikube ALL=(ALL) NOPASSWD: /usr/sbin/ip route *, /usr/bin/minikube tunnel *
INI
sudo visudo -f /etc/sudoers.d/minikube
sudo cat /etc/sudoers.d/minikube
|
References
|
| |||
|
| |||
|
| |||