From 0266d9499c81007c447fa604deb58a5c38ac0920 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Wed, 31 Jan 2024 12:40:28 -0500
Subject: [PATCH] add dnsmasq pi server

---
 ansible/inventory.yaml | 1 +
 compose/iperf3-compose.yaml | 2 +-
 dns/README.md | 7 +++++++
 dns/conf.d/dns.conf | 3 +++
 dns/dns.yaml | 25 +++++++++++++++++++++++++
 nginx/certbot.yaml | 8 ++++++++
 nginx/nginx.conf | 16 ++++++++++------
 nginx/stream.d/iperf3.conf | 6 ++++++
 nginx/vars.yaml | 15 +++++++++++++++
 quadlets/iperf3.container | 2 +-
 10 files changed, 77 insertions(+), 8 deletions(-)
 create mode 100644 dns/README.md
 create mode 100644 dns/conf.d/dns.conf
 create mode 100644 dns/dns.yaml
 create mode 100644 nginx/stream.d/iperf3.conf

diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml
index 71bbd6a..a7778df 100644
--- a/ansible/inventory.yaml
+++ b/ansible/inventory.yaml
@@ -17,6 +17,7 @@ apt:
 unifi-external:
 nextcloud-aio:
 replicator:
+ dns:
 hardware:
 hosts:
diff --git a/compose/iperf3-compose.yaml b/compose/iperf3-compose.yaml
index ff82f36..1f5123a 100644
--- a/compose/iperf3-compose.yaml
+++ b/compose/iperf3-compose.yaml
@@ -5,6 +5,6 @@ services:
 container_name: iperf3
 image: docker.io/networkstatic/iperf3:latest
 ports:
- "5201:5201/tcp"
+ - "127.0.0.1:5201:5201/tcp"
 command: -s
 restart: unless-stopped
diff --git a/dns/README.md b/dns/README.md
new file mode 100644
index 0000000..66c8d6c
--- /dev/null
+++ b/dns/README.md
@@ -0,0 +1,7 @@
+# DNS Server
+
+## Install
+
+```bash
+ansible-playbook -i ansible/inventory.yaml dns/dns.yaml
+```
diff --git a/dns/conf.d/dns.conf b/dns/conf.d/dns.conf
new file mode 100644
index 0000000..d193001
--- /dev/null
+++ b/dns/conf.d/dns.conf
@@ -0,0 +1,3 @@
+server=10.1.0.1
+cache-size=1000
+address=/.reeseapps.com/10.1.203.197
diff --git a/dns/dns.yaml b/dns/dns.yaml
new file mode 100644
index 0000000..ee91e03
--- /dev/null
+++ b/dns/dns.yaml
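Review bot: dns.conf sets an upstream and an override but never says where dnsmasq may listen or who may query it, so the file relies on packaging defaults (Debian's init script passes `--local-service`, I believe) to avoid becoming an open resolver that anyone who can route to the Pi could use for amplification. Make the scope explicit with `interface=<lan-iface>` (the interface name is not visible here) and `bind-interfaces`, and add `no-resolv` so the only upstream is the `server=10.1.0.1` line rather than whatever /etc/resolv.conf on the Pi happens to hold. `address=/.reeseapps.com/10.1.203.197` answers for the apex and every subdomain, which reads as a split-horizon override for LAN clients; a comment such as `# split-horizon: LAN clients resolve every reeseapps.com name to 10.1.203.197 instead of the public record` would make that intent and its blast radius obvious to the next reader.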
@@ -0,0 +1,25 @@
+- name: Update dnsmasq server
+ hosts: dns
+ become: true
+ become_user: root
+ become_method: sudo
+ tasks:
+ - name: Ensure dnsmasq is installed
+ ansible.builtin.apt:
+ pkg:
+ - dnsmasq
+ - dnsutils
+ - name: Copy dns configurations
+ template:
+ src: "{{ item }}"
+ dest: /etc/dnsmasq.d/{{ item | basename }}
+ owner: root
+ group: root
+ mode: '0644'
+ with_fileglob:
+ - conf.d/*
+ - name: Reload dnsmasq service
+ ansible.builtin.systemd_service:
+ state: restarted
+ name: dnsmasq
+ enabled: true
diff --git a/nginx/certbot.yaml b/nginx/certbot.yaml
index adf4c71..c8904a3 100644
--- a/nginx/certbot.yaml
+++ b/nginx/certbot.yaml
@@ -12,6 +12,14 @@
 name:
 - certbot
 state: present
+ - name: Stop nginx service so we can get certs
+ ansible.builtin.systemd_service:
+ state: stopped
+ name: nginx
 - name: Get certs for all terminate domains
 ansible.builtin.shell: /usr/bin/certbot certonly --standalone -d '{{ item.external_domain }}' -n
 loop: "{{ terminate_ssl }}"
+ - name: Start nginx service
+ ansible.builtin.systemd_service:
+ state: started
+ name: nginx
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index cd265ff..7b896b3 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -1,5 +1,7 @@
 load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
+worker_processes 8;
+
 events {}
 stream {
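Review bot: The last task restarts dnsmasq unconditionally on every run (it is named "Reload" but uses `state: restarted`), and nothing validates a rendered file before it lands in /etc/dnsmasq.d, so a typo in conf.d takes LAN name resolution down on the next play and stays down until someone notices. Add `validate: /usr/sbin/dnsmasq --test --conf-file=%s` to the template task (I believe `--conf-file` limits the check to that one rendered file — confirm on the target), restart only from a handler that fires when a file actually changed, and keep a separate idempotent task that ensures the unit is started and enabled. `become_user: root` and `become_method: sudo` are the defaults and can be dropped.
```yaml
  # … unchanged: play header (name/hosts/become) …
  tasks:
    # … unchanged: Ensure dnsmasq is installed …
    - name: Copy dns configurations
      ansible.builtin.template:
        src: "{{ item }}"
        dest: /etc/dnsmasq.d/{{ item | basename }}
        owner: root
        group: root
        mode: '0644'
        validate: /usr/sbin/dnsmasq --test --conf-file=%s
      with_fileglob:
        - conf.d/*
      notify: Restart dnsmasq
    - name: Ensure dnsmasq is enabled and running
      ansible.builtin.systemd_service:
        name: dnsmasq
        state: started
        enabled: true
  handlers:
    - name: Restart dnsmasq
      ansible.builtin.systemd_service:
        name: dnsmasq
        state: restarted
```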
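Review bot: If certbot fails for any domain (rate limit, DNS not yet pointing here, port 80 blocked), the play stops at the shell task and the new "Start nginx service" task never runs, so every site behind the proxy stays down until someone intervenes. Put the stop/certbot/start sequence in a `block:` with the start task under `always:` so nginx comes back regardless of the outcome; the failure still propagates, so no `rescue:` is needed. While there, `ansible.builtin.command` with `argv` avoids shell-quoting `{{ item.external_domain }}`; the values are repo-controlled today, so that part is hygiene rather than an exploitable issue. The surrounding tasks list starts before this hunk.
```yaml
    - name: Renew certs with nginx stopped, always bring it back
      block:
        - name: Stop nginx service so we can get certs
          ansible.builtin.systemd_service:
            state: stopped
            name: nginx
        - name: Get certs for all terminate domains
          ansible.builtin.command:
            argv:
              - /usr/bin/certbot
              - certonly
              - --standalone
              - -d
              - "{{ item.external_domain }}"
              - -n
          loop: "{{ terminate_ssl }}"
      always:
        - name: Start nginx service
          ansible.builtin.systemd_service:
            state: started
            name: nginx
```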
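Review bot: `worker_processes 8;` pins the worker count regardless of the host; if this renders on a Raspberry Pi (four cores) it oversubscribes the CPU, and on a bigger box it under-uses it. `worker_processes auto;` lets nginx size the pool to the CPUs it actually sees and is the usual setting for a plain stream proxy.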
@@ -12,19 +14,19 @@ stream {
 # Map all SSL parsed server names to hosts
 map $ssl_preread_server_name $name {
- "" 127.0.0.1;
+ "" 127.0.0.1:443;
 # For each domain we need to stream to a remote server, forward to internal domain
 {% for domain in stream_ssl %}
- {{ domain.external_domain }} {{ domain.internal_domain }};
+ {{ domain.external_domain }} {{ domain.internal_domain }}:{{ domain.internal_port }};
 {% endfor %}
 # For each domain we want to terminate, forward to internal http server
 {% for domain in terminate_ssl %}
- {{ domain.external_domain }} 127.0.0.1;
+ {{ domain.external_domain }} 127.0.0.1:443;
 {% endfor %}
- default {{ nginx.defaults.domain }};
+ default {{ nginx.defaults.domain }}:443;
 }
 # Forward 80 traffic
@@ -32,8 +34,9 @@ stream {
 access_log /var/log/nginx/stream-access-80.log basic;
 listen {{ ansible_default_ipv4.address }}:80;
 resolver 1.1.1.1;
- proxy_pass $name:80;
+ proxy_pass $name;
 ssl_preread on;
+ proxy_socket_keepalive on;
 }
@@ -41,8 +44,9 @@ stream {
 access_log /var/log/nginx/stream-access-443.log basic;
 listen {{ ansible_default_ipv4.address }}:443;
 resolver 1.1.1.1;
- proxy_pass $name:443;
+ proxy_pass $name;
 ssl_preread on;
+ proxy_socket_keepalive on;
 }
 }
diff --git a/nginx/stream.d/iperf3.conf b/nginx/stream.d/iperf3.conf
new file mode 100644
index 0000000..1df5309
--- /dev/null
+++ b/nginx/stream.d/iperf3.conf
@@ -0,0 +1,6 @@
+server {
+ access_log /var/log/nginx/iperf.log basic;
+ listen {{ ansible_default_ipv4.address }}:5201;
+ listen {{ ansible_default_ipv4.address }}:5201 udp;
+ proxy_pass 127.0.0.1:5201;
+}
diff --git a/nginx/vars.yaml b/nginx/vars.yaml
index 31083a7..a78293d 100644
--- a/nginx/vars.yaml
+++ b/nginx/vars.yaml
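Review bot: With `proxy_pass $name;` every connection on the :80 listener now goes to `127.0.0.1:443`: `$ssl_preread_server_name` is empty for a plaintext HTTP request, so `$name` takes the map's `""` entry, which this commit changed from `127.0.0.1` to `127.0.0.1:443`, whereas the old `$name:80` always landed on 127.0.0.1:80. Plain HTTP (and any http→https redirect the backend used to answer) therefore hits a TLS port and fails, assuming nothing deliberately speaks TLS on port 80. Since SNI never selects a backend here, replace the two directives with `proxy_pass 127.0.0.1:80;` and drop `ssl_preread on;` from this server, or give the :80 server its own `$name80` map whose `""` and `default` entries end in `:80`. The enclosing `server {` block opens before the hunk.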
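Review bot: This server republishes iperf3 on `{{ ansible_default_ipv4.address }}:5201`, so after the container moved to 127.0.0.1 the unauthenticated iperf3 server is reachable from the network exactly as before, only via nginx; anyone who can reach that address can run bandwidth tests against the host at will. If the intent was to limit exposure, add the stream access rules `allow 10.1.0.0/16;` (or whatever the LAN range really is — 10.1.x.x is what dns.conf uses) and `deny all;` to this block, or bind the listener to an internal address. Separately, the `udp` listener forwards to `127.0.0.1:5201`, but both the compose file and the quadlet publish only `5201/tcp`, so UDP iperf tests will time out; either publish `127.0.0.1:5201:5201/udp` as well or drop the udp listen. `basic` must already be defined as a stream `log_format` in nginx.conf, which is outside this hunk.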
@@ -29,6 +29,21 @@ terminate_ssl:
 internal_domain: orange.reeselink.com
 internal_port: 9090
 internal_protocol: https
+ - external_domain: node1.reeseapps.com
+ external_port: 443
+ internal_domain: node1.reeselink.com
+ internal_port: 9090
+ internal_protocol: https
+ - external_domain: node2.reeseapps.com
+ external_port: 443
+ internal_domain: node2.reeselink.com
+ internal_port: 9090
+ internal_protocol: https
+ - external_domain: node3.reeseapps.com
+ external_port: 443
+ internal_domain: node3.reeselink.com
+ internal_port: 9090
+ internal_protocol: https
 stream_ssl:
 - external_domain: nextcloud-aio.reeseapps.com
 external_port: 443
diff --git a/quadlets/iperf3.container b/quadlets/iperf3.container
index 42b0966..ab8236a 100644
--- a/quadlets/iperf3.container
+++ b/quadlets/iperf3.container
@@ -2,7 +2,7 @@
 ContainerName=iperf3
 Exec=-s
 Image=docker.io/networkstatic/iperf3:latest
-PublishPort=5201:5201/tcp
+PublishPort=127.0.0.1:5201:5201/tcp
 [Service]
 Restart=always