From 4e51d263fb761ae5b6a9694cdefd930489fcd0f1 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Mon, 24 Jun 2024 17:04:36 -0400 Subject: [PATCH] update mesh --- README.md | 8 +++++++ ansible/inventory.yaml | 5 ---- {wireguard => mesh}/README.md | 0 {wireguard => mesh}/interface.yaml | 0 {wireguard => mesh}/keys.yaml | 0 {wireguard => mesh}/peers.yaml | 0 {wireguard => mesh}/vars.yaml | 0 nginx/https.conf | 5 ++++ nginx/service/certbot-renew.service | 2 +- nginx/vars.yaml | 4 +++- podman/README.md | 37 +++++++++++++++++++++++++++++ 11 files changed, 54 insertions(+), 7 deletions(-) rename {wireguard => mesh}/README.md (100%) rename {wireguard => mesh}/interface.yaml (100%) rename {wireguard => mesh}/keys.yaml (100%) rename {wireguard => mesh}/peers.yaml (100%) rename {wireguard => mesh}/vars.yaml (100%) diff --git a/README.md b/README.md index 5d1bda8..e04a3fb 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ A project to store homelab stuff. - [Reverse Proxy](#reverse-proxy) - [Service Mesh](#service-mesh) - [Data Storage](#data-storage) + - [Order of Operations](#order-of-operations) - [Components](#components) - [CoreDNS](#coredns) - [Metal LB](#metal-lb) @@ -75,6 +76,13 @@ to the wireguard-assigned IP addresses. All servers will use ISCSI. +## Order of Operations + +1. Establish DNS records (`dns/`, `aws/`, `ddns/`) +2. Create reverse proxy(s) (`nginx/`) +3. Create service mesh (`mesh/`) +4. Install services + ## Components ### CoreDNS diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml index d22426f..5096c80 100644 --- a/ansible/inventory.yaml +++ b/ansible/inventory.yaml @@ -13,12 +13,7 @@ colors: yellow: nextcloud-aio: - hosts: - nextcloud-aio: - unifi-external: - hosts: - unifi-external: hardware: hosts: diff --git a/wireguard/README.md b/mesh/README.md similarity index 100% rename from wireguard/README.md rename to mesh/README.md 
diff --git a/wireguard/interface.yaml b/mesh/interface.yaml similarity index 100% rename from wireguard/interface.yaml rename to mesh/interface.yaml diff --git a/wireguard/keys.yaml b/mesh/keys.yaml similarity index 100% rename from wireguard/keys.yaml rename to mesh/keys.yaml diff --git a/wireguard/peers.yaml b/mesh/peers.yaml similarity index 100% rename from wireguard/peers.yaml rename to mesh/peers.yaml diff --git a/wireguard/vars.yaml b/mesh/vars.yaml similarity index 100% rename from wireguard/vars.yaml rename to mesh/vars.yaml diff --git a/nginx/https.conf b/nginx/https.conf index b82087a..aa10e88 100644 --- a/nginx/https.conf +++ b/nginx/https.conf @@ -8,6 +8,11 @@ server { } {% endif %} +{% if item.external.password_protect is defined and item.external.password_protect is sameas true %} + auth_basic "Administrator’s Area"; + auth_basic_user_file /etc/nginx/.htpasswd; +{% endif %} + http2 on; gzip on; diff --git a/nginx/service/certbot-renew.service b/nginx/service/certbot-renew.service index d1d78a2..b129ac4 100644 --- a/nginx/service/certbot-renew.service +++ b/nginx/service/certbot-renew.service @@ -3,4 +3,4 @@ Description=Certbot Renewal [Service] Type=oneshot -ExecStart=/usr/bin/certbot renew +ExecStart=/usr/bin/certbot renew --dns-route53 -n diff --git a/nginx/vars.yaml b/nginx/vars.yaml index 21cae7c..e6f7646 100644 --- a/nginx/vars.yaml +++ b/nginx/vars.yaml @@ -9,7 +9,9 @@ defaults: internal_https_port: 443 internal_ipv4_regex: - "10.1.*" - - "10.10.*" + - "192.168.4.*" + - "192.168.5.*" + - "192.168.6.*" internal_ipv6_regex: - "2600:1700:1e6c:a81f.*" expose_tld: .reeseapps.com diff --git a/podman/README.md b/podman/README.md index 0f68934..04575db 100644 --- a/podman/README.md +++ b/podman/README.md @@ -6,6 +6,7 @@ - [iperf3](#iperf3) - [pihole](#pihole) - [Cloudflared](#cloudflared) + - [WG Easy (Deprecated - use Unifi)](#wg-easy-deprecated---use-unifi) - [Update yellow/orange](#update-yelloworange) ## Notes 
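Review bot: `auth_basic_user_file /etc/nginx/.htpasswd;` is one hard-coded path, so every server block rendered with `password_protect` true shares a single credential file and one valid login opens all of them; a per-service file such as `auth_basic_user_file /etc/nginx/htpasswd/{{ item.NAME_FIELD }};` (placeholder for whatever key identifies the service in `item`) keeps a leaked password scoped to that service. The realm string `"Administrator’s Area"` contains a U+2019 curly apostrophe that nginx will copy byte-for-byte into the `WWW-Authenticate` header; an ASCII realm such as `"Restricted"` avoids clients that mishandle non-ASCII header values. Nothing in the commit creates the htpasswd file or states which hash format it must use, so a comment on the `{% if %}` line pointing at the task that provisions it would help the next maintainer. The enclosing `server { … }` block starts and ends outside the hunk.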
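Review bot: The added `--dns-route53` makes the renewal depend on AWS credentials, but the hunk shows no `Environment=` or `EnvironmentFile=` line, so it is not visible where a root-run oneshot is expected to find them; if they are meant to come from root's `~/.aws`, a comment saying so belongs in the unit, and an `EnvironmentFile=/etc/certbot/route53.env` (placeholder path, mode 0600) holding keys for an IAM principal restricted to the Route 53 record-change and lookup actions on the one hosted zone is the tighter choice. A successful renewal also leaves nginx serving the old certificate until something reloads it; unless a deploy hook is already recorded in the renewal config, `ExecStart=/usr/bin/certbot renew --dns-route53 -n --deploy-hook "systemctl reload nginx"` closes that gap. The `[Unit]` section of this file is outside the hunk.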
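Review bot: The new entries under `internal_ipv4_regex` are unanchored patterns with unescaped dots, so `"192.168.4.*"` also matches `192.168.40.x` through `192.168.49.x`, and the kept `"10.1.*"` matches `10.10.x`, `10.11.x` and every `10.1NN.x` as well — wider than the /24 and /16 the values appear to intend, so whatever "internal" unlocks downstream is granted to those addresses too. Anchored, escaped patterns such as `'^192\.168\.4\.[0-9]{1,3}$'` and `'^10\.1\.[0-9]{1,3}\.[0-9]{1,3}$'` (single-quoted so YAML keeps the backslashes) express the intent exactly. If the consumer is nginx, a `geo` or `allow` CIDR list (`192.168.4.0/24`) avoids regex matching on addresses altogether. How this list is consumed is not in this diff, so the impact is inferred.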
@@ -84,6 +85,42 @@ podman run \ compose /compose/cloudflared-compose.yaml ``` +### WG Easy (Deprecated - use Unifi) + + + +Note, to create PASSWORD_HASH run: + +```bash +python -c 'import bcrypt; print(bcrypt.hashpw(b"testpass", bcrypt.gensalt()).decode())' +``` + +```bash +podman run \ + -v ./podman/quadlets:/quadlets \ + quay.io/k9withabone/podlet \ + -f /quadlets \ + -i \ + --overwrite \ + --wants network-online.target \ + --after network-online.target \ + --name=wg-easy \ + podman run \ + -e LANG=en \ + -e WG_HOST=wg.reeseapps.com \ + -e PORT=51821 \ + -e WG_PORT=51820 \ + -v wg-easy:/etc/wireguard \ + -p 51820:51820/udp \ + -p 51822:51821/tcp \ + --secret wg_easy_password,type=env,target=PASSWORD_HASH \ + --cap-add=NET_ADMIN \ + --cap-add=SYS_MODULE \ + --cap-add=NET_RAW \ + --restart unless-stopped \ + ghcr.io/wg-easy/wg-easy:nightly +``` + ## Update yellow/orange ```bash