ipv6 migration

network/README.md

@@ -3,6 +3,7 @@
 - [Network Management](#network-management)
   - [Route53](#route53)
   - [Reeselink Addresses](#reeselink-addresses)
+  - [Reeseapps Addresses](#reeseapps-addresses)
 
 ## Route53
 
@@ -27,7 +28,22 @@ aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --
 You can extract these addresses into a text file with:
 
 ```bash
-cat network/reeselink.json | jq -c -r '[ .Changes.[] | select( .ResourceRecordSet.Type | contains("AAAA")) ] | .[] | .ResourceRecordSet | .Name,.ResourceRecords.[].Value' > network/ipv6.txt```
+# IPV6
+cat network/reeselink.json | \
+    jq -c -r '[ .Changes.[] |
+        select( .ResourceRecordSet.Type | . == "AAAA") ]
+        | .[]
+        | .ResourceRecordSet
+        | .Name,.ResourceRecords.[].Value' > network/ipv6.txt
+
+# IPV4
+cat network/reeselink.json | \
+    jq -c -r '[ .Changes.[] | 
+        select( .ResourceRecordSet.Type | . == "A") ] 
+        | .[]
+        | .ResourceRecordSet
+        | .Name,.ResourceRecords.[].Value' > network/ipv4.txt
+```
 
 ## Reeseapps Addresses
 

network/ipv4.txt

@@ -1,14 +1,24 @@
-Shelly
+gamebox.reeselink.com
-10.1.197.88
+10.1.235.45
-10.1.172.63
+driveripper.reeselink.com
-10.1.248.70
+10.1.2.10
-10.1.142.201
+yellow.reeselink.com
-10.1.163.235
+10.1.203.197
-10.1.129.124
+orange.reeselink.com
-10.1.195.60
+10.1.200.253
-10.1.157.209
+node1.reeselink.com
-10.1.93.31
+10.1.2.13
-10.1.223.134
+node2.reeselink.com
-10.1.189.8
+10.1.2.14
-10.1.205.155
+node3.reeselink.com
-10.1.96.48
+10.1.2.15
+homeassistant.reeselink.com
+10.1.27.89
+nextcloud-aio.reeselink.com
+10.1.175.237
+unifi-external.reeselink.com
+10.1.241.139
+e3s1plus.reeselink.com
+10.1.224.78
+cr10se.reeselink.com
+10.2.165.70

network/ipv6.txt

@@ -1,3 +1,5 @@
+gamebox.reeselink.com
+2600:1700:1e6c:a81f:5d69:2d:101a:7aef
 driveripper.reeselink.com
 2600:1700:1e6c:a81f:94bb:b8ff:fe9f:1c63
 yellow.reeselink.com
@@ -16,3 +18,5 @@ nextcloud-aio.reeselink.com
 2600:1700:1e6c:a81f:5054:ff:fe03:880
 unifi-external.reeselink.com
 2600:1700:1e6c:a81f:5054:ff:fea0:200c
+e3s1plus.reeselink.com
+2600:1700:1e6c:a81f:19a4:37de:9672:1f76

network/reeselink.json

@@ -1,6 +1,32 @@
 {
     "Comment": "CREATE/UPSERT/DELETE a record ",
     "Changes": [
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "gamebox.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "2600:1700:1e6c:a81f:5d69:2d:101a:7aef"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "gamebox.reeselink.com",
+                "Type": "A",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "10.1.235.45"
+                    }
+                ]
+            }
+        },
         {
             "Action": "UPSERT",
             "ResourceRecordSet": {
@@ -234,6 +260,45 @@
                     }
                 ]
             }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "e3s1plus.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "2600:1700:1e6c:a81f:19a4:37de:9672:1f76"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "e3s1plus.reeselink.com",
+                "Type": "A",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "10.1.224.78"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "cr10se.reeselink.com",
+                "Type": "A",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "10.2.165.70"
+                    }
+                ]
+            }
         }
     ]
 }

nextcloud/README.md

@@ -1,12 +1,76 @@
 # Nextcloud AIO
 
+- [Nextcloud AIO](#nextcloud-aio)
+  - [Prereq](#prereq)
+    - [Iscsi](#iscsi)
+  - [Setup](#setup)
+    - [IPV6 (Optional)](#ipv6-optional)
+    - [Install](#install)
+  - [Trusted Proxy](#trusted-proxy)
+  - [Uninstall](#uninstall)
+  - [Edit QCOW](#edit-qcow)
+
 ## Prereq
 
 1. Have a reverse proxy pointing at your server
 2. Have a valid certificate
 
+### Iscsi
+
+We can use iscsi to give nextcloud a large block store.
+
+On Nextcloud:
+
+1. Create an iscsi initiator in Truenas named `iqn.2024-02.com.reeselink:nextcloud-aio`.
+2. Create a new authorized access with username `iqn.2024-02.com.reeselink:nextcloud-aio` and password.
+3. Create a new target called `iqn.2024-02.com.reeselink:nextcloud-aio-data`
+   1. Create an alias called `Nextcloud AIO Data`
+   2. Select the exposed portal
+   3. Select the `iqn.2024-02.com.reeselink:nextcloud-aio` initiator group
+   4. Select CHAP Auth method
+   5. Select auth group containing `iqn.2024-02.com.reeselink:nextcloud-aio`
+4. Create a new extent called `nextcloud-aio-data`, leave all settings alone
+5. Create a new associated target with `iqn.2024-02.com.reeselink:nextcloud-aio-data` target and
+   `nextcloud-aio-data` extent
+
+On Nextcloud AIO:
+
+Edit `/etc/iscsi/initiatorname.iscsi` and set your initiatorname.
+
+Edit `/etc/iscsi/iscsid.conf`
+
+```conf
+node.session.auth.username = iqn.2024-02.com.reeselink:nextcloud-aio
+node.session.auth.password = <password>
+```
+
+```bash
+iscsiadm -m discovery -t st -p driveripper.reeselink.com
+iscsiadm -m node --login
+```
+
 ## Setup
 
+### IPV6 (Optional)
+
+Add to /etc/docker/daemon.json
+
+```json
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "fd12:3456:789a:1::/64",
+  "experimental": true,
+  "ip6tables": true
+}
+```
+
+```bash
+# Enable IPV6
+docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio
+```
+
+### Install
+
 ```bash
 docker run \
 --init \
@@ -16,6 +80,7 @@ docker run \
 --publish 8080:8080 \
 --env APACHE_PORT=11000 \
 --env APACHE_IP_BINDING=0.0.0.0 \
+--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
 --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
 --volume /var/run/docker.sock:/var/run/docker.sock:ro \
 nextcloud/all-in-one:latest
@@ -34,3 +99,13 @@ docker stop $(docker ps -a -q)
 docker system prune
 docker volume prune -a -f
 ```
+
+defaults,_netdev,x-systemd.requires=iscsid.service   0      1
+
+## Edit QCOW
+
+```bash
+sudo modprobe nbd
+sudo qemu-nbd -c /dev/nbd0 --read-only /path/to/image.qcow2
+udisksctl mount -b /dev/nbd0p1
+```

nginx/https.conf

@@ -2,6 +2,12 @@ server {
     access_log /var/log/nginx/nginx_https_access.log basic;
     error_log /var/log/nginx/nginx_https_error.log warn;
 
+{% if item.external.restricted %}
+    if ($external_addr) {
+        return 404;
+    }
+{% endif %}
+
     http2 on;
 
     gzip on;
@@ -19,21 +25,13 @@ server {
     }
 
     set_real_ip_from  unix:;
-    set_real_ip_from  {{ internal_ipv4 }};
-    set_real_ip_from  {{ internal_ipv6 }};
     real_ip_header    X-Real-IP;
     real_ip_recursive on;
 
-
     server_name {{ item.external.domain }}{{ expose_tld }};
 
     location / {
 
-{% if item.external.protect %}
-        auth_basic           "Restricted";
-        auth_basic_user_file /etc/nginx/.htpasswd;
-{% endif %}
-
         proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
 
         proxy_set_header X-Forwarded-Port $server_port;

nginx/nginx.conf

@@ -27,10 +27,12 @@ events {
 }
 
 stream {
-    log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
+    log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
+
+    include /etc/nginx/stream.d/*.conf;
 
     # Map all SSL parsed server names to hosts
-    map $ssl_preread_server_name $map_forward_ip {
+    map $ssl_preread_server_name $map_forward {
 
         # Empty ssl preread gets forwarded to internal http server
         "" "unix:/var/lib/nginx/tmp/nginx_http.sock";
@@ -46,7 +48,7 @@ stream {
 
     # Since traffic being forwarded to the unix socket doesn't need a port we'll create
     # a map here to enforce that case.
-    map $map_forward_ip $upstream_port {
+    map $map_forward $upstream_port {
         {{ defaults.forward_ip }} ":443";
 
         "unix:/var/lib/nginx/tmp/nginx_http.sock" "";
@@ -73,18 +75,16 @@ stream {
         listen [::]:{{ port }};
 {% endfor %}
 
-        proxy_pass $map_forward_ip$upstream_port;
+        proxy_pass $map_forward$upstream_port;
         ssl_preread on;
         proxy_socket_keepalive on;
     }
-
-    include /etc/nginx/stream.d/*.conf;
 }
 
 http {
-    log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip$server_port | Referer: $http_referer | $request | $time_local | $status |';
+    log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Internal: $external_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward$server_port | Referer: $http_referer | $request | $time_local | $status |';
 
-    map $host $map_forward_ip {
+    map $host $map_forward {
         "" "unix:/var/lib/nginx/tmp/nginx_http.sock";
 
         # We don't want to forward traffic we're terminating
@@ -105,8 +105,8 @@ http {
 
         location / {
             # If we have an external forward IP, forward traffic
-            if ($map_forward_ip != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
+            if ($map_forward != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
-                proxy_pass $map_forward_ip:80;
+                proxy_pass $map_forward:80;
             }
             # Else redirect if the scheme is http
             if ($scheme = "http") {
@@ -115,6 +115,16 @@ http {
         }
     }
 
+    map $proxy_protocol_addr $external_addr {
+        default 1;
+{% for ip in internal_ipv4_regex %}
+        ~{{ ip }} 0;
+{% endfor %}
+{% for ip in internal_ipv6_regex %}
+        ~{{ ip }} 0;
+{% endfor %}
+    }
+
     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;

nginx/stream.d/gitea-ssh.conf

@@ -3,5 +3,6 @@ server {
     error_log /var/log/nginx/nginx_stream_error.log warn;
 
     listen 2222;
+    listen [::]:2222;
     proxy_pass 10.1.2.100:2222;
 }

nginx/stream.d/iperf3.conf

@@ -3,6 +3,9 @@ server {
     error_log /var/log/nginx/nginx_stream_error.log warn;
 
     listen 5201;
+    listen [::]:5201;
     listen 5201 udp;
+    listen [::]:5201 udp;
+
     proxy_pass 127.0.0.1:5202;
 }

nginx/stream.d/kube.conf

@@ -9,5 +9,6 @@ server {
     error_log /var/log/nginx/nginx_stream_error.log warn;
 
     listen 6443;
+    listen [::]:6443;
     proxy_pass kube_backend;
 }

nginx/stream.d/minecraft.conf

@@ -3,5 +3,7 @@ server {
     error_log /var/log/nginx/nginx_stream_error.log warn;
 
     listen 25565-25575;
+    listen [::]:25565-25575;
+
     proxy_pass 10.1.2.100:$server_port;
 }

nginx/stream.d/nextcloud-talk.conf

@@ -0,0 +1,11 @@
+server {
+    access_log /var/log/nginx/nginx_stream_access.log basic;
+    error_log /var/log/nginx/nginx_stream_error.log warn;
+
+    listen 3478;
+    listen 3478 udp;
+    listen [::]:3478;
+    listen [::]:3478 udp;
+
+    proxy_pass 10.1.175.237:3478;
+}

nginx/vars.yaml

@@ -7,14 +7,17 @@ defaults:
   http:
     internal_http_port: 80
     internal_https_port: 443
-internal_ipv4: 10.1.0.0/16
+internal_ipv4_regex:
-internal_ipv6: 2600:1700:1e6c:a81f::/64
+  - "10.1.*"
+  - "10.10.*"
+internal_ipv6_regex:
+  - "2600:1700:1e6c:a81f.*"
 expose_tld: .reeseapps.com
 
 http:
   - external:
       domain: homeassistant
-      protect: false
+      restricted: false
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -24,7 +27,7 @@ http:
 
   - external:
       domain: driveripper
-      protect: false
+      restricted: false
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -34,17 +37,17 @@ http:
 
   - external:
       domain: e3s1plus
-      protect: true
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
-      ip: "10.2.224.77"
+      ip: "10.1.224.78"
       port: 80
       protocol: http
 
   - external:
       domain: yellow
-      protect: false
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -54,7 +57,7 @@ http:
 
   - external:
       domain: orange
-      protect: false
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -64,7 +67,7 @@ http:
 
   - external:
       domain: node1
-      protect: false
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -74,7 +77,7 @@ http:
 
   - external:
       domain: node2
-      protect: false
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -84,7 +87,7 @@ http:
 
   - external:
       domain: node3
-      protect: false
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -92,10 +95,30 @@ http:
       port: 9090
       protocol: https
 
+  - external:
+      domain: unifi-external-cockpit
+      restricted: true
+      extra_http_ports: []
+      extra_https_ports: []
+    internal:
+      ip: "10.1.241.139"
+      port: 9090
+      protocol: https
+
+  - external:
+      domain: nextcloud-aio-cockpit
+      restricted: true
+      extra_http_ports: []
+      extra_https_ports: []
+    internal:
+      ip: "10.1.175.237"
+      port: 9090
+      protocol: https
+
   # Printer
   - external:
       domain: cr10se
-      protect: true
+      restricted: true
       extra_http_ports: []
       extra_https_ports:
       # websocket
@@ -103,13 +126,13 @@ http:
       # camera
       - 8080
     internal:
-      ip: "10.3.165.70"
+      ip: "10.2.165.70"
       port: 80
       protocol: http
 
   - external:
       domain: pihole-yellow
-      protect: true
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -119,7 +142,7 @@ http:
 
   - external:
       domain: pihole-orange
-      protect: true
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -129,7 +152,7 @@ http:
 
   - external:
       domain: attmodem
-      protect: true
+      restricted: true
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -139,7 +162,7 @@ http:
 
   - external:
       domain: nextcloud-aio
-      protect: false
+      restricted: false
       extra_http_ports: []
       extra_https_ports: []
     internal:
@@ -149,7 +172,7 @@ http:
 
   - external:
       domain: unifi-external
-      protect: false
+      restricted: false
       extra_http_ports:
       - 8080
       extra_https_ports: []

podman/compose/cloudflared-compose.yaml

@@ -7,6 +7,6 @@ services:
     image: docker.io/cloudflare/cloudflared:2024.5.0
     command: proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
     ports:
-      - "127.0.0.1:5053:5053/tcp"
+      - "0.0.0.0:5053:5053/tcp"
-      - "127.0.0.1:5053:5053/udp"
+      - "0.0.0.0:5053:5053/udp"
     restart: unless-stopped

podman/compose/iperf3-compose.yaml

@@ -5,6 +5,6 @@ services:
     container_name: iperf3
     image: docker.io/networkstatic/iperf3:latest
     ports:
-      - "127.0.0.1:5202:5201/tcp"
+      - "0.0.0.0:5202:5201/tcp"
     command: -s
     restart: unless-stopped

podman/compose/pihole-compose.yaml

@@ -8,7 +8,7 @@ services:
     ports:
       - "0.0.0.0:53:53/tcp"
       - "0.0.0.0:53:53/udp"
-      - "127.0.0.1:8081:80/tcp"
+      - "0.0.0.0:8081:80/tcp"
     environment:
       TZ: "America/Chicago"
       # WEBPASSWORD: "SET A PASSWORD HERE"

podman/quadlets/cloudflared.container

@@ -5,8 +5,8 @@ Wants=network-online.target
 ContainerName=cloudflared
 Exec=proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
 Image=docker.io/cloudflare/cloudflared:2024.5.0
-PublishPort=127.0.0.1:5053:5053/tcp
+PublishPort=0.0.0.0:5053:5053/tcp
-PublishPort=127.0.0.1:5053:5053/udp
+PublishPort=0.0.0.0:5053:5053/udp
 
 [Service]
 Restart=always

podman/quadlets/iperf3.container

@@ -2,7 +2,7 @@
 ContainerName=iperf3
 Exec=-s
 Image=docker.io/networkstatic/iperf3:latest
-PublishPort=127.0.0.1:5202:5201/tcp
+PublishPort=0.0.0.0:5202:5201/tcp
 
 [Service]
 Restart=always

podman/quadlets/pihole.container

@@ -7,7 +7,7 @@ Environment=TZ=America/Chicago
 Image=docker.io/pihole/pihole:2024.05.0
 PublishPort=0.0.0.0:53:53/tcp
 PublishPort=0.0.0.0:53:53/udp
-PublishPort=127.0.0.1:8081:80/tcp
+PublishPort=0.0.0.0:8081:80/tcp
 Volume=pihole:/etc/pihole
 Volume=dnsmasq:/etc/dnsmasq.d
 

truenas-iscsi-enc0.yaml

@@ -28,7 +28,7 @@ driver:
     instance_id:
     httpConnection:
       protocol: https
-      host: driveripper.reeselink.com
+      host: driveripper.reeseapps.com
       port: 443
       apiKey: ""
       allowInsecure: false

truenas-iscsi-enc1.yaml

@@ -28,7 +28,7 @@ driver:
     instance_id:
     httpConnection:
       protocol: https
-      host: driveripper.reeselink.com
+      host: driveripper.reeseapps.com
       port: 443
       apiKey: ""
       allowInsecure: false

truenas-nfs-enc1.yaml

@@ -24,7 +24,7 @@ driver:
     instance_id:
     httpConnection:
       protocol: https
-      host: driveripper.reeselink.com
+      host: driveripper.reeseapps.com
       port: 443
       apiKey: ""
       allowInsecure: true

wireguard/wireguard.yaml

@@ -0,0 +1,76 @@
+- name: Update nginx stream configuration
+  hosts: colors
+  become: true
+  become_user: root
+  become_method: sudo
+  vars_files:
+    - vars.yaml
+  tasks:
+  - name: Remove http.d dir before repopulating
+    file:
+      path: /etc/nginx/http.d/
+      state: absent
+  - name: Remove stream.d dir before repopulating
+    file:
+      path: /etc/nginx/stream.d/
+      state: absent
+  - name: Create stream.d dir
+    ansible.builtin.file:
+      path: /etc/nginx/stream.d
+      state: directory
+      mode: '0755'
+  - name: Create http.d dir
+    ansible.builtin.file:
+      path: /etc/nginx/http.d
+      state: directory
+      mode: '0755'
+  - name: Copy nginx.conf
+    template:
+      src: nginx.conf
+      dest: /etc/nginx/nginx.conf
+      owner: root
+      group: root
+      mode: '0644'
+  - name: Copy .htpasswd
+    template:
+      src: ../secrets/.htpasswd
+      dest: /etc/nginx/.htpasswd
+      owner: nginx
+      group: nginx
+      mode: '0600'
+  - name: Copy stream configurations
+    template:
+      src: "{{ item }}"
+      dest: /etc/nginx/stream.d/{{ item | basename }}
+      owner: root
+      group: root
+      mode: '0644'
+    with_fileglob:
+    - stream.d/*
+  - name: Template all http configurations
+    template:
+      src: https.conf
+      dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
+      owner: root
+      group: root
+      mode: '0644'
+    loop: "{{ http }}"
+  - name: Test nginx configuration
+    ansible.builtin.shell: /usr/sbin/nginx -t
+  - name: Stop nginx service
+    ansible.builtin.systemd_service:
+      state: stopped
+      name: nginx
+  - name: Remove old socket files
+    file:
+      path: /var/lib/nginx/tmp/nginx_http.sock
+      state: absent
+  - name: Remove old socket files
+    file:
+      path: /var/lib/nginx/tmp/nginx_https.sock
+      state: absent
+  - name: Reload nginx service
+    ansible.builtin.systemd_service:
+      state: started
+      name: nginx
+      enabled: true