move to project lifecycle structure

2024-07-21 02:20:48 -04:00
parent fd1fde499d
commit e6aff894e8
121 changed files with 6234 additions and 196 deletions
--- a/systemd/graduated/ipv4-proxy/README.md
+++ b/systemd/graduated/ipv4-proxy/README.md
@@ -0,0 +1,24 @@
+# IPv4 Proxy
+
+This project aims to serve those without an IPv6 ISP by forwarding IPv4 requests to the
+correct destination. This is accomplished by SSL preread and port mapping. This service
+is intended only for publicly accessible services.
+
+## DDNS
+
+This project pairs with the ddns service. Set that up first!
+
+## Updating IPv4 Proxy Records
+
+1. In `ddns` create a new record in the `reeseapps_record_template.json`
+2. Apply the new record with ansible
+3. Update `vars.yaml` in this project
+4. Run the following ansible script:
+
+```bash
+ansible-playbook -i ansible/inventory.yaml ipv4-proxy/nginx.yaml
+```
+
+## Logging
+
+You can tail all the nginx logs with `ssh yellow 'tail -f /var/log/nginx/*.log'`
--- a/systemd/graduated/ipv4-proxy/nginx.conf
+++ b/systemd/graduated/ipv4-proxy/nginx.conf
@@ -0,0 +1,53 @@
+load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
+
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+stream {
+    log_format ssl '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ssl | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
+    log_format port '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_port | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
+
+    # Map all SSL parsed server names to hosts
+    map $ssl_preread_server_name $map_forward_ssl {
+
+{% for item in stream_ssl %}
+        {{ item.external.domain }} {{ item.internal.domain }}:{{ item.internal.port }};
+{% endfor %}
+    }
+
+    server {
+        access_log /var/log/nginx/nginx_stream_access.log ssl;
+        error_log /var/log/nginx/nginx_stream_error.log warn;
+
+        listen 443;
+
+        proxy_pass $map_forward_ssl;
+        ssl_preread on;
+        proxy_socket_keepalive on;
+        resolver 10.1.0.1;
+    }
+
+    map $server_port $map_forward_port {
+{% for item in stream_ports %}
+        {{ item.external }} {{ item.internal }};
+{% endfor %}
+    }
+
+    server {
+{% for item in stream_ports %}
+        listen {{ item.external }};
+{% endfor %}
+        access_log /var/log/nginx/nginx_stream_access.log port;
+        error_log /var/log/nginx/nginx_stream_error.log warn;
+
+        listen 443;
+
+        proxy_pass $map_forward_port;
+        proxy_socket_keepalive on;
+        resolver 10.1.0.1;
+
+    }
+}
--- a/systemd/graduated/ipv4-proxy/nginx.yaml
+++ b/systemd/graduated/ipv4-proxy/nginx.yaml
@@ -0,0 +1,42 @@
+- name: Update nginx stream configuration
+  hosts: yellow
+  vars_files:
+    - vars.yaml
+  tasks:
+  - name: Ensure nginx, certbot, and nginx-mod-stream are installed
+    ansible.builtin.dnf:
+      name:
+        - nginx
+        - nginx-mod-stream
+      state: present
+  - name: Remove http.d dir before repopulating
+    file:
+      path: /etc/nginx/http.d/
+      state: absent
+  - name: Remove stream.d dir before repopulating
+    file:
+      path: /etc/nginx/stream.d/
+      state: absent
+  - name: Create stream.d dir
+    ansible.builtin.file:
+      path: /etc/nginx/stream.d
+      state: directory
+      mode: '0755'
+  - name: Template nginx.conf
+    template:
+      src: nginx.conf
+      dest: /etc/nginx/nginx.conf
+      owner: root
+      group: root
+      mode: '0644'
+  - name: Test nginx configuration
+    ansible.builtin.shell: /usr/sbin/nginx -t
+  - name: Stop nginx service
+    ansible.builtin.systemd_service:
+      state: stopped
+      name: nginx
+  - name: Reload nginx service
+    ansible.builtin.systemd_service:
+      state: started
+      name: nginx
+      enabled: true
--- a/systemd/graduated/ipv4-proxy/vars.yaml
+++ b/systemd/graduated/ipv4-proxy/vars.yaml
@@ -0,0 +1,37 @@
+stream_ssl:
+  - external:
+      domain: homeassistant.reeseapps.com
+    internal:
+      domain: homeassistant.reeselink.com
+      port: 443
+      protocol: https
+  - external:
+      domain: gitea.reeseapps.com
+    internal:
+      domain: ingress-nginx.reeselink.com
+      port: 443
+      protocol: https
+  - external:
+      domain: nextcloud.reeseapps.com
+    internal:
+      domain: nextcloud.reeselink.com
+      port: 443
+      protocol: https
+  - external:
+      domain: jellyfin.reeseapps.com
+    internal:
+      domain: ingress-nginx.reeselink.com
+      port: 443
+      protocol: https
+  - external:
+      domain: snapdrop.reeseapps.com
+    internal:
+      domain: ingress-nginx.reeselink.com
+      port: 443
+      protocol: https
+
+stream_ports:
+  - external: 2222
+    internal: git.reeselink.com:22
+  - external: 3478
+    internal: nextcloud.reeselink.com:3478