ipv6 migration

2024-06-21 15:04:58 -04:00
parent 1f4769fdbe
commit 45c58aeba7
25 changed files with 357 additions and 62 deletions


@@ -3,6 +3,7 @@
- [Network Management](#network-management)
- [Route53](#route53)
- [Reeselink Addresses](#reeselink-addresses)
- [Reeseapps Addresses](#reeseapps-addresses)
## Route53
@@ -27,7 +28,22 @@ aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --
You can extract these addresses into a text file with:
```bash
cat network/reeselink.json | jq -c -r '[ .Changes.[] | select( .ResourceRecordSet.Type | contains("AAAA")) ] | .[] | .ResourceRecordSet | .Name,.ResourceRecords.[].Value' > network/ipv6.txt```
# IPV6
cat network/reeselink.json | \
jq -c -r '[ .Changes.[] |
select( .ResourceRecordSet.Type | . == "AAAA") ]
| .[]
| .ResourceRecordSet
| .Name,.ResourceRecords.[].Value' > network/ipv6.txt
# IPV4
cat network/reeselink.json | \
jq -c -r '[ .Changes.[] |
select( .ResourceRecordSet.Type | . == "A") ]
| .[]
| .ResourceRecordSet
| .Name,.ResourceRecords.[].Value' > network/ipv4.txt
```
## Reeseapps Addresses
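Review bot: `.Changes.[]` (dot before the brackets) only parses on jq 1.7 and later; jq 1.6 rejects it with a syntax error, whereas `.Changes[]` works on every release, so prefer `jq -r '[ .Changes[] | select(.ResourceRecordSet.Type == "A") ] | .[] | .ResourceRecordSet | .Name,.ResourceRecords[].Value'` (the inner `| . ==` is not needed once `==` is used). Replacing `contains("AAAA")` with `. == "AAAA"` is the right fix, since the A filter written with `contains("A")` would also have matched AAAA records. The README should also state that the output alternates one name line with one value line, because ipv4.txt and ipv6.txt are consumed on that assumption.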


@@ -1,14 +1,24 @@
Shelly
10.1.197.88
10.1.172.63
10.1.248.70
10.1.142.201
10.1.163.235
10.1.129.124
10.1.195.60
10.1.157.209
10.1.93.31
10.1.223.134
10.1.189.8
10.1.205.155
10.1.96.48
gamebox.reeselink.com
10.1.235.45
driveripper.reeselink.com
10.1.2.10
yellow.reeselink.com
10.1.203.197
orange.reeselink.com
10.1.200.253
node1.reeselink.com
10.1.2.13
node2.reeselink.com
10.1.2.14
node3.reeselink.com
10.1.2.15
homeassistant.reeselink.com
10.1.27.89
nextcloud-aio.reeselink.com
10.1.175.237
unifi-external.reeselink.com
10.1.241.139
e3s1plus.reeselink.com
10.1.224.78
cr10se.reeselink.com
10.2.165.70
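Review bot: the leading `Shelly` block of thirteen bare 10.1.x addresses breaks the name/value alternation that the jq extraction in the README produces and that every later entry in this file follows, so any pairwise reader of ipv4.txt mis-pairs everything after line 1. Give each Shelly address its own label line or keep that list in a separate file. Also note `cr10se.reeselink.com` maps to `10.2.165.70`, which is outside the `10.1.0.0/16` that vars.yaml declares as `internal_ipv4` in this same commit.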


@@ -1,3 +1,5 @@
gamebox.reeselink.com
2600:1700:1e6c:a81f:5d69:2d:101a:7aef
driveripper.reeselink.com
2600:1700:1e6c:a81f:94bb:b8ff:fe9f:1c63
yellow.reeselink.com
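Review bot: `2600:1700:1e6c:a81f:5d69:2d:101a:7aef` for gamebox has no `ff:fe` in the middle of the interface identifier, unlike the driveripper entry directly below it, so it is a host-generated identifier rather than an EUI-64 one. That is fine if it is a stable address (RFC 7217 style or statically assigned), but if it is a temporary privacy address (RFC 4941) it will rotate and this AAAA record will go stale while the EUI-64 records stay valid; verify on the host with `ip -6 addr` (a temporary address shows the `temporary` flag) before publishing it.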
@@ -16,3 +18,5 @@ nextcloud-aio.reeselink.com
2600:1700:1e6c:a81f:5054:ff:fe03:880
unifi-external.reeselink.com
2600:1700:1e6c:a81f:5054:ff:fea0:200c
e3s1plus.reeselink.com
2600:1700:1e6c:a81f:19a4:37de:9672:1f76
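Review bot: the same stable-versus-temporary question applies to the e3s1plus address `19a4:37de:9672:1f76`. Beyond that, these are global unicast addresses published in a public zone, so every listed host becomes directly reachable from the internet over v6 with no NAT in between; the v4 side is shielded by RFC 1918 addressing, the v6 side only by the router's inbound firewall policy, which should be confirmed before this goes live. The `5054:ff:fe..` identifiers are EUI-64 expansions of `52:54:00:..` MAC addresses (the QEMU/KVM default OUI), so the records also disclose each VM's MAC and that it is a KVM guest. Finally, `2600:1700:1e6c:a81f::/64` is presumably an ISP-delegated prefix; if the delegation changes, every record here and the `internal_ipv6` values in vars.yaml have to be regenerated together.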


@@ -1,6 +1,32 @@
{
"Comment": "CREATE/UPSERT/DELETE a record ",
"Changes": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "gamebox.reeselink.com",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [
{
"Value": "2600:1700:1e6c:a81f:5d69:2d:101a:7aef"
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "gamebox.reeselink.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [
{
"Value": "10.1.235.45"
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
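Review bot: the `A` record for gamebox (and the other `A` records in this file) publishes an RFC 1918 address (`10.1.235.45`) in a public zone. That works as a cheap split-horizon, but dnsmasq-based resolvers with `stop-dns-rebind` enabled refuse private answers from upstream, and the records hand the internal layout to anyone who queries the zone. If these names are only meant to resolve on the LAN, serving them from the Pi-hole instances avoids both issues. Minor: `"Comment": "CREATE/UPSERT/DELETE a record "` no longer describes the file, every action here is `UPSERT`.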
@@ -234,6 +260,45 @@
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "e3s1plus.reeselink.com",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [
{
"Value": "2600:1700:1e6c:a81f:19a4:37de:9672:1f76"
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "e3s1plus.reeselink.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [
{
"Value": "10.1.224.78"
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "cr10se.reeselink.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [
{
"Value": "10.2.165.70"
}
]
}
}
]
}
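Review bot: cr10se gets only an `A` record while e3s1plus gets both `AAAA` and `A`; that matches ipv6.txt, but JSON cannot carry a comment, so a line in the README's address list saying the printer has no v6 address would stop the next reader from assuming the AAAA was forgotten. `10.2.165.70` is also the only value outside `10.1.0.0/16`, which matters for the `internal_ipv4` and `internal_ipv4_regex` settings in vars.yaml if anything on that network ever originates requests through the proxy.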


@@ -1,12 +1,76 @@
# Nextcloud AIO
- [Nextcloud AIO](#nextcloud-aio)
- [Prereq](#prereq)
- [Iscsi](#iscsi)
- [Setup](#setup)
- [IPV6 (Optional)](#ipv6-optional)
- [Install](#install)
- [Trusted Proxy](#trusted-proxy)
- [Uninstall](#uninstall)
- [Edit QCOW](#edit-qcow)
## Prereq
1. Have a reverse proxy pointing at your server
2. Have a valid certificate
### Iscsi
We can use iscsi to give nextcloud a large block store.
On Nextcloud:
1. Create an iscsi initiator in Truenas named `iqn.2024-02.com.reeselink:nextcloud-aio`.
2. Create a new authorized access with username `iqn.2024-02.com.reeselink:nextcloud-aio` and password.
3. Create a new target called `iqn.2024-02.com.reeselink:nextcloud-aio-data`
1. Create an alias called `Nextcloud AIO Data`
2. Select the exposed portal
3. Select the `iqn.2024-02.com.reeselink:nextcloud-aio` initiator group
4. Select CHAP Auth method
5. Select auth group containing `iqn.2024-02.com.reeselink:nextcloud-aio`
4. Create a new extent called `nextcloud-aio-data`, leave all settings alone
5. Create a new associated target with `iqn.2024-02.com.reeselink:nextcloud-aio-data` target and
`nextcloud-aio-data` extent
On Nextcloud AIO:
Edit `/etc/iscsi/initiatorname.iscsi` and set your initiatorname.
Edit `/etc/iscsi/iscsid.conf`
```conf
node.session.auth.username = iqn.2024-02.com.reeselink:nextcloud-aio
node.session.auth.password = <password>
```
```bash
iscsiadm -m discovery -t st -p driveripper.reeselink.com
iscsiadm -m node --login
```
## Setup
### IPV6 (Optional)
Add to /etc/docker/daemon.json
```json
{
"ipv6": true,
"fixed-cidr-v6": "fd12:3456:789a:1::/64",
"experimental": true,
"ip6tables": true
}
```
```bash
# Enable IPV6
docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio
```
### Install
```bash
docker run \
--init \
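Review bot: the heading `On Nextcloud:` above steps 1 to 5 is wrong; the initiator, authorized access, target, extent and associated target are all created in the TrueNAS UI, and only the `initiatorname.iscsi` / `iscsid.conf` edits that follow are done on the Nextcloud AIO host, so it should read `On TrueNAS:`. Two caveats belong in the text: `iscsid.conf` then holds the CHAP secret in clear text, so it needs `chmod 600` and must never be committed with the placeholder filled in; and with only `node.session.auth.username`/`password` set this is one-way CHAP, the initiator never authenticates the target (`node.session.auth.username_in`/`password_in` add that) and the block traffic itself is unencrypted, so keep the portal on a trusted VLAN. On the Docker side, `fixed-cidr-v6` and the `nextcloud-aio` network use ULA space (`fd12:3456:789a::/48`), which is not globally routable, so outbound container v6 depends on Docker's `ip6tables` masquerading; that is a sensible default but differs from the host's global addressing elsewhere in this commit and deserves a sentence. Check whether `"experimental": true` is still required for `ip6tables` on the Docker release in use.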
@@ -16,6 +80,7 @@ docker run \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
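Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` is required by the AIO mastercontainer, but `:ro` only makes the socket node read-only; any process that can connect to it can issue the full Docker API, including starting privileged containers, so the container is effectively root on the host. Worth one sentence in the README, together with `APACHE_IP_BINDING=0.0.0.0`, which binds the Apache side on every IPv4 interface rather than only the one the reverse proxy uses.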
@@ -34,3 +99,13 @@ docker stop $(docker ps -a -q)
docker system prune
docker volume prune -a -f
```
defaults,_netdev,x-systemd.requires=iscsid.service 0 1
## Edit QCOW
```bash
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 --read-only /path/to/image.qcow2
udisksctl mount -b /dev/nbd0p1
```
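Review bot: `defaults,_netdev,x-systemd.requires=iscsid.service 0 1` is an orphaned fstab fragment with no device, mount point or filesystem type, no fence and no sentence saying where it goes. It belongs under the Iscsi section as a complete `/etc/fstab` line (device via `/dev/disk/by-path/...` or UUID, mount point `/mnt/ncdata` to match `NEXTCLOUD_DATADIR`) in a fenced block; `_netdev` plus `x-systemd.requires=iscsid.service` is the right option set, since without it the mount is attempted before the iSCSI session exists. Also, `docker volume prune -a -f` under Uninstall deletes every unused volume on the host, not only the `nextcloud_aio_*` ones; say so.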


@@ -2,6 +2,12 @@ server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
{% if item.external.restricted %}
if ($external_addr) {
return 404;
}
{% endif %}
http2 on;
gzip on;
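Review bot: `if ($external_addr) { return 404; }` is the one safe form of `if` (in `server` context with a plain `return`), and because the map in nginx.conf sets `default 1` it fails closed when `$proxy_protocol_addr` is empty. That last fact should be a comment here, since it also means any internal client that does not arrive through the PROXY-protocol hop gets a 404, which is the first thing someone will debug. The choice of 404 over 403 (hiding that the name is served at all) is reasonable but should be stated as deliberate.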
@@ -19,21 +25,13 @@ server {
}
set_real_ip_from unix:;
set_real_ip_from {{ internal_ipv4 }};
set_real_ip_from {{ internal_ipv6 }};
real_ip_header X-Real-IP;
real_ip_recursive on;
server_name {{ item.external.domain }}{{ expose_tld }};
location / {
{% if item.external.protect %}
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
{% endif %}
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
proxy_set_header X-Forwarded-Port $server_port;
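Review bot: `set_real_ip_from {{ internal_ipv4 }}` and `{{ internal_ipv6 }}` together with `real_ip_header X-Real-IP` and `real_ip_recursive on` tell nginx to trust an `X-Real-IP` header from any host in `10.1.0.0/16` or the `/64`, so any LAN client can make `$remote_addr` whatever it likes in the access log and in anything keyed on `$remote_addr`. Only the proxy hop (the unix socket and the proxy's own address) belongs in `set_real_ip_from`; the LAN-wide ranges are an `$external_addr`-style classification, not a trust list. `$external_addr` itself is unaffected because it keys on `$proxy_protocol_addr`.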


@@ -27,10 +27,12 @@ events {
}
stream {
log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
include /etc/nginx/stream.d/*.conf;
# Map all SSL parsed server names to hosts
map $ssl_preread_server_name $map_forward_ip {
map $ssl_preread_server_name $map_forward {
# Empty ssl preread gets forwarded to internal http server
"" "unix:/var/lib/nginx/tmp/nginx_http.sock";
@@ -46,7 +48,7 @@ stream {
# Since traffic being forwarded to the unix socket doesn't need a port we'll create
# a map here to enforce that case.
map $map_forward_ip $upstream_port {
map $map_forward $upstream_port {
{{ defaults.forward_ip }} ":443";
"unix:/var/lib/nginx/tmp/nginx_http.sock" "";
@@ -73,18 +75,16 @@ stream {
listen [::]:{{ port }};
{% endfor %}
proxy_pass $map_forward_ip$upstream_port;
proxy_pass $map_forward$upstream_port;
ssl_preread on;
proxy_socket_keepalive on;
}
include /etc/nginx/stream.d/*.conf;
}
http {
log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip$server_port | Referer: $http_referer | $request | $time_local | $status |';
log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Internal: $external_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward$server_port | Referer: $http_referer | $request | $time_local | $status |';
map $host $map_forward_ip {
map $host $map_forward {
"" "unix:/var/lib/nginx/tmp/nginx_http.sock";
# We don't want to forward traffic we're terminating
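Review bot: in the http `log_format` the field is labelled `Internal: $external_addr`, but the map sets `$external_addr` to 1 for external clients and 0 for internal ones, so the label reads inverted; rename it to `External:` or invert the map. This diff also shows `include /etc/nginx/stream.d/*.conf;` both near the top of the `stream {}` block and at its end; confirm only one copy survives, because a doubled include defines every stream server twice and `nginx -t` fails on the duplicate `listen`.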
@@ -105,8 +105,8 @@ http {
location / {
# If we have an external forward IP, forward traffic
if ($map_forward_ip != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
proxy_pass $map_forward_ip:80;
if ($map_forward != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
proxy_pass $map_forward:80;
}
# Else redirect if the scheme is http
if ($scheme = "http") {
@@ -115,6 +115,16 @@ http {
}
}
map $proxy_protocol_addr $external_addr {
default 1;
{% for ip in internal_ipv4_regex %}
~{{ ip }} 0;
{% endfor %}
{% for ip in internal_ipv6_regex %}
~{{ ip }} 0;
{% endfor %}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
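Review bot: `~{{ ip }}` keys are regexes, and the values in vars.yaml (`10.1.*`, `10.10.*`, `2600:1700:1e6c:a81f.*`) are unanchored with unescaped dots, so `10.1.*` also matches `10.10.4.5`, `110.1.2.3` or `210.1.2.3`, i.e. any address containing `10`, any character, `1`; those clients are classified internal. Anchor and escape them (`^10\.1\.`, `^10\.10\.`, `^2600:1700:1e6c:a81f:`), and consider a comment here that `default 1` is the fail-closed choice so nobody "fixes" it to 0 later.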


@@ -3,5 +3,6 @@ server {
error_log /var/log/nginx/nginx_stream_error.log warn;
listen 2222;
listen [::]:2222;
proxy_pass 10.1.2.100:2222;
}
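Review bot: `listen [::]:2222;` puts the SSH forward to `10.1.2.100` on the proxy's global IPv6 address, and stream blocks have no `$external_addr` equivalent, so unlike the http side there is no restriction at all here. If this is meant to be LAN-only, add `allow`/`deny` from `ngx_stream_access_module` or listen on a non-global address; if it is meant to be public, say so in a comment so the exposure is recorded.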


@@ -3,6 +3,9 @@ server {
error_log /var/log/nginx/nginx_stream_error.log warn;
listen 5201;
listen [::]:5201;
listen 5201 udp;
listen [::]:5201 udp;
proxy_pass 127.0.0.1:5202;
}
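Review bot: the two `listen ... udp` lines forward UDP 5201 to `127.0.0.1:5202`, but the iperf3 container in this same commit publishes only `5202:5201/tcp` (compose and quadlet), so UDP tests will hang at the proxy; publish `/udp` on the container too or drop the UDP listeners. Separately, since the upstream is `127.0.0.1`, moving the container's host binding from `127.0.0.1` to `0.0.0.0` gains nothing for this forward and only exposes 5202 to the LAN.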


@@ -9,5 +9,6 @@ server {
error_log /var/log/nginx/nginx_stream_error.log warn;
listen 6443;
listen [::]:6443;
proxy_pass kube_backend;
}
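Review bot: `listen [::]:6443;` exposes the Kubernetes API (`kube_backend`) on the global v6 address with no stream-level access control, leaving the API server's own authn/authz as the only gate. An `allow`/`deny` block here would keep an unauthenticated surface off the internet; if public reachability is intended, record that decision in a comment.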


@@ -3,5 +3,7 @@ server {
error_log /var/log/nginx/nginx_stream_error.log warn;
listen 25565-25575;
listen [::]:25565-25575;
proxy_pass 10.1.2.100:$server_port;
}


@@ -0,0 +1,11 @@
server {
access_log /var/log/nginx/nginx_stream_access.log basic;
error_log /var/log/nginx/nginx_stream_error.log warn;
listen 3478;
listen 3478 udp;
listen [::]:3478;
listen [::]:3478 udp;
proxy_pass 10.1.175.237:3478;
}
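Review bot: proxying STUN through nginx stream defeats its purpose unless transparent proxying is configured: the server at `10.1.175.237:3478` sees the proxy as the packet source and returns that address as the client's reflexive address. Either add `proxy_bind $remote_addr transparent;` (which needs the matching policy routing and worker privileges) or forward 3478 at the router instead of through nginx.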


@@ -7,14 +7,17 @@ defaults:
http:
internal_http_port: 80
internal_https_port: 443
internal_ipv4: 10.1.0.0/16
internal_ipv6: 2600:1700:1e6c:a81f::/64
internal_ipv4_regex:
- "10.1.*"
- "10.10.*"
internal_ipv6_regex:
- "2600:1700:1e6c:a81f.*"
expose_tld: .reeseapps.com
http:
- external:
domain: homeassistant
protect: false
restricted: false
extra_http_ports: []
extra_https_ports: []
internal:
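Review bot: `internal_ipv4: 10.1.0.0/16` and `internal_ipv4_regex: ["10.1.*", "10.10.*"]` disagree (10.10/16 is trusted by the regex but not by `set_real_ip_from`), and neither covers the `10.2.165.70` printer address later in this file; keep one list of internal prefixes and derive both the CIDR and an anchored, escaped regex (`^10\.1\.` rather than `10.1.*`) from it. Also `homeassistant` has `protect: false` and `restricted: false`, so it is reachable from the internet relying solely on Home Assistant's own login; fine if intended, but worth a comment like the `# Printer` one further down.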
@@ -24,7 +27,7 @@ http:
- external:
domain: driveripper
protect: false
restricted: false
extra_http_ports: []
extra_https_ports: []
internal:
@@ -34,17 +37,17 @@ http:
- external:
domain: e3s1plus
protect: true
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
ip: "10.2.224.77"
ip: "10.1.224.78"
port: 80
protocol: http
- external:
domain: yellow
protect: false
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -54,7 +57,7 @@ http:
- external:
domain: orange
protect: false
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -64,7 +67,7 @@ http:
- external:
domain: node1
protect: false
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -74,7 +77,7 @@ http:
- external:
domain: node2
protect: false
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -84,7 +87,7 @@ http:
- external:
domain: node3
protect: false
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -92,10 +95,30 @@ http:
port: 9090
protocol: https
- external:
domain: unifi-external-cockpit
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
ip: "10.1.241.139"
port: 9090
protocol: https
- external:
domain: nextcloud-aio-cockpit
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
ip: "10.1.175.237"
port: 9090
protocol: https
# Printer
- external:
domain: cr10se
protect: true
restricted: true
extra_http_ports: []
extra_https_ports:
# websocket
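Review bot: the two new `*-cockpit` entries are the only ones without a `protect:` key. Depending on how the template engine treats the undefined attribute in `{% if item.external.protect %}`, they are either silently rendered without basic auth or fail at render time; set `protect:` explicitly like every other entry. Cockpit on 9090 is a root-capable admin console, so `restricted: true` is the right floor and `protect: true` a reasonable extra gate.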
@@ -103,13 +126,13 @@ http:
# camera
- 8080
internal:
ip: "10.3.165.70"
ip: "10.2.165.70"
port: 80
protocol: http
- external:
domain: pihole-yellow
protect: true
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -119,7 +142,7 @@ http:
- external:
domain: pihole-orange
protect: true
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -129,7 +152,7 @@ http:
- external:
domain: attmodem
protect: true
restricted: true
extra_http_ports: []
extra_https_ports: []
internal:
@@ -139,7 +162,7 @@ http:
- external:
domain: nextcloud-aio
protect: false
restricted: false
extra_http_ports: []
extra_https_ports: []
internal:
@@ -149,7 +172,7 @@ http:
- external:
domain: unifi-external
protect: false
restricted: false
extra_http_ports:
- 8080
extra_https_ports: []
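Review bot: `unifi-external` keeps `protect: false` and `restricted: false` and additionally forwards `extra_http_ports: [8080]`, the UniFi inform port, so both the controller login and the plain-HTTP inform endpoint are internet-facing; that is the usual setup for remotely adopted devices, but the entry should say so and `nextcloud-aio` with the same flags deserves the same note.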


@@ -7,6 +7,6 @@ services:
image: docker.io/cloudflare/cloudflared:2024.5.0
command: proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
ports:
- "127.0.0.1:5053:5053/tcp"
- "127.0.0.1:5053:5053/udp"
- "0.0.0.0:5053:5053/tcp"
- "0.0.0.0:5053:5053/udp"
restart: unless-stopped
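Review bot: moving the DoH forwarder from `127.0.0.1:5053` to `0.0.0.0:5053` turns it into a LAN-wide open resolver on both TCP and UDP, and cloudflared `proxy-dns` has no ACL or rate limiting of its own. If Pi-hole on the same host was the only intended client, keep the loopback binding; if other hosts need it, name them in a comment. `0.0.0.0` is also the IPv4 wildcard; whether the engine additionally publishes on `[::]` depends on the Docker version and `ip6tables` setting, so check with `ss -ltnp` rather than assume this delivers the v6 goal of the commit.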


@@ -5,6 +5,6 @@ services:
container_name: iperf3
image: docker.io/networkstatic/iperf3:latest
ports:
- "127.0.0.1:5202:5201/tcp"
- "0.0.0.0:5202:5201/tcp"
command: -s
restart: unless-stopped
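Review bot: the nginx stream forward for 5201 in this commit targets `127.0.0.1:5202`, so the previous loopback binding already served it; `0.0.0.0:5202` only adds LAN exposure of the iperf server. If UDP tests are wanted through the proxy, this is also where a `5202:5201/udp` mapping is missing.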


@@ -8,7 +8,7 @@ services:
ports:
- "0.0.0.0:53:53/tcp"
- "0.0.0.0:53:53/udp"
- "127.0.0.1:8081:80/tcp"
- "0.0.0.0:8081:80/tcp"
environment:
TZ: "America/Chicago"
# WEBPASSWORD: "SET A PASSWORD HERE"
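Review bot: `8081:80` is the Pi-hole admin UI, and this hunk exposes it to the whole LAN while `WEBPASSWORD` is still commented out two lines below. With the variable unset the Pi-hole image generates a random password and prints it in the container log, so this is not an unauthenticated exposure, but the `SET A PASSWORD HERE` placeholder implies a deliberate value that never got set. Provide `WEBPASSWORD` from a secret (not this file) before widening the bind, or keep `127.0.0.1` if the reverse proxy on the same host is the intended path to the UI.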


@@ -5,8 +5,8 @@ Wants=network-online.target
ContainerName=cloudflared
Exec=proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Image=docker.io/cloudflare/cloudflared:2024.5.0
PublishPort=127.0.0.1:5053:5053/tcp
PublishPort=127.0.0.1:5053:5053/udp
PublishPort=0.0.0.0:5053:5053/tcp
PublishPort=0.0.0.0:5053:5053/udp
[Service]
Restart=always
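Review bot: the three Quadlet units (cloudflared, iperf3, pihole) mirror the compose changes, including the same concerns: an open DoH forwarder on the LAN, an unnecessary `0.0.0.0:5202` for an upstream that is reached via loopback, and the Pi-hole admin UI on `0.0.0.0:8081` without an explicit `WEBPASSWORD`. Whichever binding is settled on, keep compose and Quadlet in sync, since whichever one is actually deployed decides the exposure.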


@@ -2,7 +2,7 @@
ContainerName=iperf3
Exec=-s
Image=docker.io/networkstatic/iperf3:latest
PublishPort=127.0.0.1:5202:5201/tcp
PublishPort=0.0.0.0:5202:5201/tcp
[Service]
Restart=always


@@ -7,7 +7,7 @@ Environment=TZ=America/Chicago
Image=docker.io/pihole/pihole:2024.05.0
PublishPort=0.0.0.0:53:53/tcp
PublishPort=0.0.0.0:53:53/udp
PublishPort=127.0.0.1:8081:80/tcp
PublishPort=0.0.0.0:8081:80/tcp
Volume=pihole:/etc/pihole
Volume=dnsmasq:/etc/dnsmasq.d


@@ -28,7 +28,7 @@ driver:
instance_id:
httpConnection:
protocol: https
host: driveripper.reeselink.com
host: driveripper.reeseapps.com
port: 443
apiKey: ""
allowInsecure: false


@@ -28,7 +28,7 @@ driver:
instance_id:
httpConnection:
protocol: https
host: driveripper.reeselink.com
host: driveripper.reeseapps.com
port: 443
apiKey: ""
allowInsecure: false


@@ -24,7 +24,7 @@ driver:
instance_id:
httpConnection:
protocol: https
host: driveripper.reeselink.com
host: driveripper.reeseapps.com
port: 443
apiKey: ""
allowInsecure: true
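Review bot: this driver keeps `allowInsecure: true` while the other two set it to `false`, although all three now point at `driveripper.reeseapps.com`, which sits behind the reverse proxy with the valid certificate the Nextcloud README lists as a prerequisite. `allowInsecure` only disables certificate verification, so with a trusted cert in place it should be `false` here as well; the `apiKey: ""` placeholder should likewise be filled from a secret rather than the file.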

wireguard/README.md Normal file (0 lines)
wireguard/vars.yaml Normal file (0 lines)
wireguard/wireguard.yaml Normal file (76 lines)

@@ -0,0 +1,76 @@
- name: Update nginx stream configuration
hosts: colors
become: true
become_user: root
become_method: sudo
vars_files:
- vars.yaml
tasks:
- name: Remove http.d dir before repopulating
file:
path: /etc/nginx/http.d/
state: absent
- name: Remove stream.d dir before repopulating
file:
path: /etc/nginx/stream.d/
state: absent
- name: Create stream.d dir
ansible.builtin.file:
path: /etc/nginx/stream.d
state: directory
mode: '0755'
- name: Create http.d dir
ansible.builtin.file:
path: /etc/nginx/http.d
state: directory
mode: '0755'
- name: Copy nginx.conf
template:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: '0644'
- name: Copy .htpasswd
template:
src: ../secrets/.htpasswd
dest: /etc/nginx/.htpasswd
owner: nginx
group: nginx
mode: '0600'
- name: Copy stream configurations
template:
src: "{{ item }}"
dest: /etc/nginx/stream.d/{{ item | basename }}
owner: root
group: root
mode: '0644'
with_fileglob:
- stream.d/*
- name: Template all http configurations
template:
src: https.conf
dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
owner: root
group: root
mode: '0644'
loop: "{{ http }}"
- name: Test nginx configuration
ansible.builtin.shell: /usr/sbin/nginx -t
- name: Stop nginx service
ansible.builtin.systemd_service:
state: stopped
name: nginx
- name: Remove old socket files
file:
path: /var/lib/nginx/tmp/nginx_http.sock
state: absent
- name: Remove old socket files
file:
path: /var/lib/nginx/tmp/nginx_https.sock
state: absent
- name: Reload nginx service
ansible.builtin.systemd_service:
state: started
name: nginx
enabled: true
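Review bot: nothing in `wireguard/wireguard.yaml` concerns WireGuard: the play is named `Update nginx stream configuration`, targets `colors`, and reproduces the nginx deployment tasks, while `wireguard/README.md` and `wireguard/vars.yaml` are added empty. If this is a placeholder for a WireGuard role, commit a stub that says so rather than a copy of the nginx play, which will wipe `/etc/nginx/http.d` and `/etc/nginx/stream.d` on `colors` if someone runs it by mistake. Two points in the copied tasks regardless: `../secrets/.htpasswd` is deployed with `template`, which passes a secret file through Jinja, so `copy` is the right module for verbatim content; and the `Remove http.d` / `Remove stream.d` tasks run before `nginx -t`, so a failed test leaves nginx running on its old in-memory config with a broken on-disk config that will not survive a restart. Render into place with `validate: /usr/sbin/nginx -t -c %s` on the nginx.conf task, or do the destructive cleanup only after the test passes.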