Add toybox machine and move services around

erebe · Aug 30, 2023 · 5b87690 · 5b87690
1 parent 2ee7086
commit 5b87690
Show file tree

Hide file tree

Showing 14 changed files with 69 additions and 12 deletions.
diff --git a/nodes/router/wireguard/wg0.conf b/nodes/router/wireguard/wg0.conf
@@ -11,6 +11,10 @@ AllowedIPs = 10.200.0.2/32, fd00:cafe::2/128
 PublicKey = __LAB_PUBLIC_KEY__
 AllowedIPs = 10.200.0.3/32, fd00:cafe::3/128
 
+[Peer]
+PublicKey = __TOYBOX_PUBLIC_KEY__
+AllowedIPs = 10.200.0.4/32, fd00:cafe::4/128
+
 [Peer]
 PublicKey = __MAIL_PUBLIC_KEY__
 AllowedIPs = 10.200.0.5/32, fd00:cafe::5/128

diff --git a/nodes/toybox/config/allow-router-advertise b/nodes/toybox/config/allow-router-advertise
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+sysctl -w net.ipv6.conf.all.accept_ra=2
+sysctl -w net.ipv6.conf.ens18.accept_ra=2
+
+# Allow traffic forwarding
+sysctl -w net.ipv4.ip_forward=1
+sysctl -w net.ipv6.conf.all.forwarding=1
+
diff --git a/nodes/toybox/justfile b/nodes/toybox/justfile
@@ -0,0 +1,18 @@
+set dotenv-load := false
+
+_default:
+ @just --list
+
+HOST := "erebe@192.168.1.10"
+
+wireguard:
+ sops exec-env ../../secrets/wireguard.yml 'cp wireguard/wg0.conf secrets_decrypted/; for i in $(env | grep _KEY | cut -d = -f1); do sed -i "s#__${i}__#${!i}#g" secrets_decrypted/wg0.conf ; done'
+ ssh {{HOST}} "sudo cat /etc/wireguard/wg0.conf" | diff - secrets_decrypted/wg0.conf || exit 0
+ rsync --rsync-path="sudo rsync" secrets_decrypted/wg0.conf {{HOST}}:/etc/wireguard/wg0.conf
+ rsync --rsync-path="sudo rsync" config/allow-router-advertise {{HOST}}:/etc/network/if-pre-up.d/allow-router-advertise
+ ssh {{HOST}} "sudo systemctl restart wg-quick@wg0.service && sudo systemctl enable wg-quick@wg0.service"
+
+k3s:
+ ssh {{HOST}} "sudo mkdir -p /etc/rancher/k3s"
+ rsync --rsync-path="sudo rsync" k3s/config.yaml {{HOST}}:/etc/rancher/k3s/config.yaml
+ ssh {{HOST}} "curl -sfL https://get.k3s.io | K3S_VERSION="v1.27.4+k3s1" K3S_URL=https://[fd00:cafe::3]:6443 K3S_TOKEN=12345 sh -s -"
diff --git a/nodes/toybox/k3s/config.yaml b/nodes/toybox/k3s/config.yaml
@@ -0,0 +1,11 @@
+node-name: "toybox"
+node-ip: "fd00:cafe::4,10.200.0.4"
+node-external-ip: "2001:861:3886:7e01:108b:87ff:fe77:c88"
+
+# https://docs.k3s.io/installation/network-options#dual-stack-ipv4--ipv6-networking
+kubelet-arg: "node-ip=::"
+token: 12345
+node-label: []
+node-taint:
+ - kubernetes.io/hostname=toybox:NoSchedule
+
diff --git a/nodes/toybox/wireguard/wg0.conf b/nodes/toybox/wireguard/wg0.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.0.4/32, fd00:cafe::4/128
+PrivateKey = __TOYBOX_PRIVATE_KEY__
+
+[Peer]
+PublicKey = __ROUTER_PUBLIC_KEY__
+AllowedIPs = 10.200.0.0/24, fd00:cafe::/32
+Endpoint = [2001:861:3886:7e00::1]:995
diff --git a/secrets/wireguard.yml b/secrets/wireguard.yml
@@ -15,14 +15,16 @@ ROUTER_PRIVATE_KEY: ENC[AES256_GCM,data:qEHMMgH9IzDtsVcu3zWYq5J369/ZUfglXLhn8+mP
 ROUTER_PUBLIC_KEY: ENC[AES256_GCM,data:MTNdxoIVzmymbOmoYpB/VEaXDpNPh+CIeqc1BBah9tjzwKydfDb4351pFq4=,iv:CE/MfKoNYpS2A5knXf1LP/oGHieZ+KG471FQ5u+hiIE=,tag:SogFcnhQiOAO2Z+pHTgoLw==,type:str]
 MAIL_PRIVATE_KEY: ENC[AES256_GCM,data:GSVc0he0ku1ncB5x203stfoZ9gkgQn3yWCUh53aXXtmBgig7n2ad6ZrjBfI=,iv:MQbiBWJWYdQ1/l9rWIi2256eDr2OBCOCS81r+/xdZNs=,tag:M4sFUJGnc1Ly1D01heRdJw==,type:str]
 MAIL_PUBLIC_KEY: ENC[AES256_GCM,data:g6/57fjN8TWH0PwzKljHYFBi+W/MeNu7fo+UTKrpmoYERe7s3HLVYxGgfNU=,iv:trg/BE3+bUP4pU3+AwG3lztsAKGlQeNOHFCHK4uHu/s=,tag:IWATvlSACPaUU9MWyOEVrw==,type:str]
+TOYBOX_PRIVATE_KEY: ENC[AES256_GCM,data:tL3jcvQUGZrXOmaBTfE/YGr2JiKvHGioPbcQNShXmzjK9gIOW+9v4b6+EhI=,iv:+f3656BY0R6ngU97/RK5X8ituEhTg5UlM5zDctCs1ME=,tag:0gKcLCo/N9bMKRP+PW6kEQ==,type:str]
+TOYBOX_PUBLIC_KEY: ENC[AES256_GCM,data:PIwJgldmh4CW8sFde7kpQVer/urlgfKeBKw4o57Y2V7eE4v4tb9+fbCNm8A=,iv:Wbnz17i7wBY3rVVJwpgUdNCDaVWh6d2deZV6pvWFtGE=,tag:cP2YO+arHoi968CA7k6Y0w==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
- lastmodified: "2023-08-27T17:50:58Z"
- mac: ENC[AES256_GCM,data:QrUb2vnKx0IHlLCTnYgZpHiNU9tEJioFRo+Ye+Fq/Xj0r1rRR0O6HGCpJ79z0OdxWymQwCc7xLW4mOq32OGrZsO02PCn//73LXvD0P08S8hI+DJFKlJyuKO+4kcw0CQtJnnUZbgM0f0jWAVup+graA3p61hkqwoKHTTe/hkpXaI=,iv:RuFLufxJm8AhsD5qQKE0PsCL4QIxIjcC9hq+K/o1ZoA=,tag:EcVe52e0E2yE//iZw42UNw==,type:str]
+ lastmodified: "2023-08-30T20:35:10Z"
+ mac: ENC[AES256_GCM,data:9tXtfCBt1rpsSqiTmg1ZglTL7A81E51MQ413P2ozpJHJERbDeVqfi/dNyEIBa94lpGoom0gs1U8RJP0Fya2qWu9xrJ/wJewh7XXYJcvrKtMppMRfZDnSM69H5UEJlHP6zduBpgYGKFCoF2XqjR+LNZUV5hsteXj1cCLyNHczadA=,iv:dVHvMWjMYQyLQ3b4AWQivRxjyO94V7RO7xdnHJeM6Wc=,tag:DSZpBeaa+k1RDXATqL7wmA==,type:str]
  pgp:
  - created_at: "2020-12-18T14:25:40Z"
  enc: |-

diff --git a/services/app/couber.yml b/services/app/couber.yml
@@ -21,7 +21,7 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "server"
+ value: "toybox"
  containers:
  - name: couber
  image: ghcr.io/erebe/couber:latest

diff --git a/services/app/warpgate.yml b/services/app/warpgate.yml
@@ -26,7 +26,7 @@ spec:
  - key: kubernetes.io/hostname
  operator: In
  values:
- - minio
+ - toybox
  containers:
  - name: warpgate
  image: ghcr.io/warp-tech/warpgate:v0.7.4
@@ -49,7 +49,7 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "minio"
+ value: "toybox"
  effect: "NoSchedule"
  - key: "node.kubernetes.io/unreachable"
  operator: "Exists"

diff --git a/services/blog/blog.yml b/services/blog/blog.yml
@@ -21,7 +21,7 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "server"
+ value: "toybox"
  containers:
  - name: blog
  image: ghcr.io/erebe/blog:latest

diff --git a/services/dashy/dashy.yml b/services/dashy/dashy.yml
@@ -30,7 +30,7 @@ spec:
  - key: kubernetes.io/hostname
  operator: In
  values:
- - minio
+ - toybox
  containers:
  - name: dashy
  image: docker.io/lissy93/dashy:2.1.1
@@ -59,7 +59,7 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "minio"
+ value: "toybox"
  effect: "NoSchedule"
  - key: "node.kubernetes.io/unreachable"
  operator: "Exists"

diff --git a/services/justfile b/services/justfile
@@ -34,7 +34,7 @@ app:
  kubectl apply -f app/couber.yml
  kubectl apply -f app/wstunnel.yml
 
-waprgate:
+warpgate:
  kubectl apply -f app/warpgate.yml
 
 blog:

diff --git a/services/minio/minio.yml b/services/minio/minio.yml
@@ -35,7 +35,7 @@ spec:
  - name: minio
  image: docker.io/minio/minio:RELEASE.2022-10-24T18-35-07Z
  imagePullPolicy: IfNotPresent
- args: ["server", "/mnt/data", "--console-address", ":80"]
+ args: ["server", "/mnt/data", "--console-address", ":80", "--address", ":9001"]
  env:
  - name: MINIO_ROOT_USER
  value: "admin"

diff --git a/services/nextcloud/nextcloud.yml b/services/nextcloud/nextcloud.yml
@@ -21,7 +21,7 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "server"
+ value: "minio"
  containers:
  - name: nextcloud
  image: linuxserver/nextcloud:amd64-25.0.0-php8

diff --git a/services/vaultwarden/vaultwarden.yml b/services/vaultwarden/vaultwarden.yml
@@ -21,17 +21,21 @@ spec:
  tolerations:
  - key: "kubernetes.io/hostname"
  operator: "Equal"
- value: "server"
+ value: "minio"
  containers:
  - name: vaultwarden
  image: docker.io/vaultwarden/server:1.27.0
  env:
  - name: DOMAIN
  value: "https://bitwarden.erebe.eu"
+ - name: ROCKET_ADDRESS
+ value: "::"
  - name: ROCKET_PORT
  value: "8088"
  - name: WEBSOCKET_ENABLED
  value: "true"
+ - name: WEBSOCKET_ADDRESS
+ value: "::"
  - name: WEBSOCKET_PORT
  value: "8089"
  - name: SHOW_PASSWORD_HINT
@@ -98,6 +102,7 @@ metadata:
  nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
  tls:
  - hosts: