diff --git a/certmanager/letsencrypt-issuer.yaml b/certmanager/letsencrypt-issuer.yaml deleted file mode 100755 index cb9b17a..0000000 --- a/certmanager/letsencrypt-issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: nginx@ducoterra.net - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx diff --git a/k3s/README.md b/k3s/README.md index 3c78764..be3eb52 100644 --- a/k3s/README.md +++ b/k3s/README.md @@ -276,7 +276,49 @@ helm upgrade --install \ Create the let's encrypt issuer (Route53 DNS) ```bash -kubectl apply -f certmanager/letsencrypt-issuer.yaml +export LE_ACCESS_KEY_ID= +export LE_SECRET_KEY= + +cat < secrets/cert-manager-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: prod-route53-credentials-cert-manager +data: + access-key-id: $(echo $LE_ACCESS_KEY_ID | base64) + secret-access-key: $(echo $LE_SECRET_KEY | base64) +EOF + +kubectl apply -f secrets/cert-manager-secret.yaml +``` + +```bash +cat < secrets/route53-cluster-issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: nginx@ducoterra.net + privateKeySecretRef: + name: letsencrypt + solvers: + - selector: + dnsZones: + - "reeseapps.com" + dns01: + route53: + region: us-east-1 + hostedZoneID: Z012820733346FJ0U4FUF + accessKeyID: ${LE_ACCESS_KEY_ID} + secretAccessKeySecretRef: + name: prod-route53-credentials-cert-manager + key: secret-access-key +EOF + +kubectl apply -f secrets/route53-cluster-issuer.yaml ``` You can test if your ingress is working with: 
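Review bot: The `data:` values in the new Secret manifest are produced with `echo $LE_SECRET_KEY | base64`, which base64-encodes the newline `echo` appends, so the stored `secret-access-key` (and `access-key-id`) carry a trailing LF that Route53 will most likely reject at request signing; use `printf '%s' "$LE_SECRET_KEY" | base64 -w0`, or drop the encoding entirely and put the raw value under `stringData:`. Writing the rendered manifest to `secrets/cert-manager-secret.yaml` also leaves a trivially decodable copy of a long-lived AWS key inside the repo tree, one `git add .` away from being committed (I cannot see whether `secrets/` is gitignored); creating it without touching disk avoids both problems: `kubectl -n cert-manager create secret generic prod-route53-credentials-cert-manager --from-literal=secret-access-key="$LE_SECRET_KEY"`. The manifest has no `namespace:` and `kubectl apply` is run without `-n`, while a ClusterIssuer resolves `secretAccessKeySecretRef` in cert-manager's cluster-resource namespace (`cert-manager` unless the chart was told otherwise), so unless the current context already points there the issuer will fail to find the secret. Since this is a static IAM key rather than IRSA/ambient credentials, its policy should be limited to `route53:ChangeResourceRecordSets` on hosted zone `Z012820733346FJ0U4FUF` plus `route53:GetChange` and `route53:ListHostedZonesByName`; the IAM policy is not part of this change, so I cannot confirm what it currently grants.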
diff --git a/pihole_blocklist/README.md b/pihole_blocklist/README.md index 1fcd5a7..5546463 100644 --- a/pihole_blocklist/README.md +++ b/pihole_blocklist/README.md @@ -21,7 +21,7 @@ podman-compose push helm upgrade --install \ --namespace pihole \ --create-namespace \ - blocklist ./helm/blocklist + blocklist ./pihole_blocklist/helm ``` ## Notes diff --git a/pihole_blocklist/helm/blocklist/.helmignore b/pihole_blocklist/helm/.helmignore similarity index 100% rename from pihole_blocklist/helm/blocklist/.helmignore rename to pihole_blocklist/helm/.helmignore diff --git a/pihole_blocklist/helm/blocklist/Chart.yaml b/pihole_blocklist/helm/Chart.yaml similarity index 100% rename from pihole_blocklist/helm/blocklist/Chart.yaml rename to pihole_blocklist/helm/Chart.yaml diff --git a/pihole_blocklist/helm/blocklist/templates/blocklist.yaml b/pihole_blocklist/helm/templates/blocklist.yaml similarity index 97% rename from pihole_blocklist/helm/blocklist/templates/blocklist.yaml rename to pihole_blocklist/helm/templates/blocklist.yaml index cb3d9d8..91013dc 100644 --- a/pihole_blocklist/helm/blocklist/templates/blocklist.yaml +++ b/pihole_blocklist/helm/templates/blocklist.yaml @@ -52,10 +52,10 @@ metadata: name: {{ .Release.Name }} annotations: cert-manager.io/cluster-issuer: letsencrypt - kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.org/client-max-body-size: "0" spec: + ingressClassName: nginx rules: - host: {{ .Values.domain }} http: diff --git a/pihole_blocklist/helm/blocklist/values.yaml b/pihole_blocklist/helm/values.yaml similarity index 100% rename from pihole_blocklist/helm/blocklist/values.yaml rename to pihole_blocklist/helm/values.yaml diff --git a/vpn/README.md b/vpn/README.md index 103b492..3182c4b 100644 --- a/vpn/README.md +++ b/vpn/README.md 
@@ -1,25 +1,96 @@ # VPN +## Raspberry Pi Setup + +You'll need to configure systemd-networkd to not use ipv6 privacy extensions + +/etc/systemd/network/05-end0.conf + +```conf +[Match] +Name=end0 + +[Network] +DHCP=yes +IPv6PrivacyExtensions=false +IPv6AcceptRA=true +``` + +## Pihole + + + +If you install pihole first pivpn will discover it automatically. + +```bash +curl -sSL https://install.pi-hole.net | bash +``` + ## PiVPN -1. You'll need to configure systemd-networkd to not use ipv6 privacy extensions +```bash +curl -L https://install.pivpn.io | bash - /etc/systemd/network/05-end0.conf +# PiVPN can sometimes have issues after install. Run debug to fix them: +pivpn -d +``` - ```conf - [Match] - Name=end0 +## Cloudflared (DOH) - [Network] - DHCP=yes - IPv6PrivacyExtensions=false - IPv6AcceptRA=true - ``` + -2. Install pivpn +```bash +wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64 +sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared +sudo chmod +x /usr/local/bin/cloudflared +cloudflared -v - ```bash - curl -L https://install.pivpn.io | bash - ``` +sudo useradd -s /usr/sbin/nologin -r -M cloudflared +sudo vim /etc/default/cloudflared + +# Commandline args for cloudflared, using Cloudflare DNS +CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query + +sudo chown cloudflared:cloudflared /etc/default/cloudflared +sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared + +sudo vim /etc/systemd/system/cloudflared.service + +[Unit] +Description=cloudflared DNS over HTTPS proxy +After=syslog.target network-online.target + +[Service] +Type=simple +User=cloudflared +EnvironmentFile=/etc/default/cloudflared +ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS +Restart=on-failure +RestartSec=10 +KillMode=process + +[Install] +WantedBy=multi-user.target + +sudo systemctl enable cloudflared +sudo systemctl start cloudflared +sudo systemctl status 
cloudflared + +dig @127.0.0.1 -p 5053 google.com +``` + +Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by +specifying 127.0.0.1#5053 as the Custom DNS (IPv4) + +```bash +sudo vim /etc/cron.weekly/cloudflared-updater + +#!/bin/bash +cloudflared update +systemctl restart cloudflared + +sudo chmod +x /etc/cron.weekly/cloudflared-updater +sudo chown root:root /etc/cron.weekly/cloudflared-updater +```