
Fix stuff
salt-master committed Nov 22, 2023
1 parent 481318e commit bc30db2
Showing 16 changed files with 249 additions and 44 deletions.
2 changes: 1 addition & 1 deletion dns-server/auth/init.sls
Expand Up @@ -404,7 +404,7 @@ record-AAAA-extra-{{ dns_entry }}:
# Additional DNS records
{%- set custom_records = salt['pillar.get']('netbox:config_context:dns_zones:custom_records', []) %}
{%- for record in custom_records %}
record-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}:
record-{{ loop.index }}-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}:
ddns.present:
- name: {{ record.get('name') }}
- zone: {{ record.get('zone') }}
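Review bot: The pillar values interpolated on the new ID line and in the body (`- name: {{ record.get('name') }}`, `- zone: {{ record.get('zone') }}`) are rendered unquoted, so a record whose name or zone looks like a number or boolean, or contains `: ` or ` #`, is retyped or mis-parsed by the YAML loader before Salt ever sees the state; quoting them, `- name: "{{ record.get('name') }}"`, keeps them plain strings. Prefixing the ID with `loop.index` does make the IDs unique, but it also ties each ID to the record's position in the pillar list, so reordering the list renames the states — harmless for `ddns.present` as far as I can see, but worth a line like `# loop.index keeps IDs unique when records share type/name/zone`. The `ddns.present` block continues past the hunk.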
1 change: 0 additions & 1 deletion dns-server/auth/named.conf.options
Expand Up @@ -15,7 +15,6 @@ options {
allow-recursion { trusted; };
allow-transfer { none; };
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
{%- if "dnsdist" in salt['pillar.get']('netbox:tag_list', []) %}
listen-on port {{ listening_port }} { 127.0.0.1; {{ salt['grains.get']('ip4_interfaces:nebula0')[0] }}; };
8 changes: 4 additions & 4 deletions dnsdist/dnsdist.conf.j2
Expand Up @@ -49,7 +49,7 @@ addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resol
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true })
{% else %}
-- limit resolving on Port 53 to "ffmuc-domains"
addAction(AndRule({NotRule(makeRule({"ffmuc.net"})), NotRule(makeRule({"127.0.0.1","::1","10.80.0.0/16","10.8.0.0/23","5.1.66.0/24","185.150.99.0/24","2001:678:e68::/48","2001:678:ed0::/48"})), DSTPortRule(53)}), DropAction(), {name="Drop-Gateway-Foreign-Source"})
addAction(AndRule({NotRule(makeRule({"ffmuc.net"})), NotRule(makeRule({"127.0.0.1","::1","10.80.0.0/16","10.86.0.0/16","10.8.0.0/23","5.1.66.0/24","185.150.99.0/24","2001:678:e68::/48","2001:678:ed0::/48"})), DSTPortRule(53)}), DropAction(), {name="Drop-Gateway-Foreign-Source"})
{% endif %}{# webfrontend in grains.id #}

-- keep BPF capabilities
Expand All @@ -75,8 +75,8 @@ setRingBuffersSize(100000)
{%- if 'muc01' in salt['pillar.get']('netbox:site:slug') %}
newServer({address="10.8.0.39:1653", name="web05", weight=3, retries=2, id="7cd4655e-071e-4a9a-9623-834ba49ea472", sockets=6})
newServer({address="10.8.0.40:1653", name="web06", weight=3, retries=2, id="d5d0a3a9-6787-479f-ad0f-106d4618ccc2", sockets=6})
newServer({address="10.8.0.38:1653", name="gw06", weight=2, retries=2, id="42c4bdfe-0ccc-4e9e-8816-7f88421b50f8", sockets=6})
newServer({address="10.8.0.13:1653", name="gw07", weight=2, retries=2, id="1c961f33-3a09-4b40-ae9d-5b5a8dd71061", sockets=6})
newServer({address="10.8.0.38:1653", name="gw06", weight=3, retries=2, id="42c4bdfe-0ccc-4e9e-8816-7f88421b50f8", sockets=6})
newServer({address="10.8.0.13:1653", name="gw07", weight=3, retries=2, id="1c961f33-3a09-4b40-ae9d-5b5a8dd71061", sockets=6})
{%- elif 'vie01' in salt['pillar.get']('netbox:site:slug') %}
newServer({address="10.8.0.29:1653", name="web03", weight=3, retries=2, id="23b0121d-91c5-4338-8c5a-cc8ba6f2ca8d", sockets=6})
newServer({address="10.8.0.30:1653", name="web04", weight=3, retries=2, id="0ed35651-7766-492c-ab44-562e76d395b6", sockets=6})
Expand All @@ -87,7 +87,7 @@ newServer({address="1.1.1.1", name="anycastCF"})
{%- endif %}

setWHashedPertubation(3962345)
setServerPolicy(whashed)
setServerPolicy(wrandom)

-- ask authorative servers for ffmuc.net directly
{%- if 'authorative-dns' in salt['pillar.get']('netbox:tag_list', []) %}
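Review bot: With `setServerPolicy(wrandom)` the `setWHashedPertubation(3962345)` call two lines above no longer influences backend selection — it only feeds the whashed policy — so it is now dead configuration and should either go or carry a comment saying it is kept for switching back. Moving from whashed to wrandom also drops the per-query-name affinity to a fixed backend, which presumably changes cache behaviour on the recursors; if that is intended, a one-line comment on the policy line would record it. In the first hunk, the source allowlist of the `Drop-Gateway-Foreign-Source` rule is what keeps port 53 from acting as an open recursor, and it is an inline literal grown by hand (now with `10.86.0.0/16`); rendering those prefixes from pillar, or at least commenting what each range is, would make future widenings reviewable.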
2 changes: 1 addition & 1 deletion icinga2/services/dns.conf
Expand Up @@ -70,7 +70,7 @@ apply Service "pdns_recursor" {
max_check_attempts = 3
retry_interval = 1m

assign where "master" in host.vars.roles || "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles
}


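Review bot: Dropping `"master"` from the `assign where` expression removes the `pdns_recursor` check from every master host at once, so if any master still runs a recursor its failure now goes unnoticed; that is correct only if the recursor has been retired there, and nothing in the commit says so. A comment above the line, `# masters no longer run pdns_recursor`, would record the reason, or the role could stay in the expression and individual hosts be excluded through a host var. The `apply Service "pdns_recursor"` block continues above the hunk.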
2 changes: 1 addition & 1 deletion icinga2/services/network.conf
Expand Up @@ -73,7 +73,7 @@ apply Service "gw-ping6" {
import "generic-service"

check_command = "ping6"
vars.ping_address = "2001:67c:158c:4::137"
vars.ping_address = "2001:4860:4860::8888"
if (host.name != NodeName) {
command_endpoint = host.name
}
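Review bot: `vars.ping_address` now points at `2001:4860:4860::8888`, Google's public DNS anycast address, so the `gw-ping6` result depends on a third party's ICMP policy and routing rather than on the previous target; a rate-limit or outage on their side shows up as gateway alerts here. If external IPv6 reachability is what the check should measure, say so next to the literal, e.g. `# external anycast target: measures IPv6 upstream reachability, not an own host`. The `apply Service "gw-ping6"` block continues past the hunk.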
2 changes: 1 addition & 1 deletion jitsi/README.md
Expand Up @@ -15,4 +15,4 @@ Und wie immer: Man kann mit uns reden!
Solltest du Zugriff auf unser Repository haben wollen schildere uns kurz deinen Zweck und wir können einen Weg finden dir den Zugang zu ermöglichen.


docker exec -ti salt_salt-master_1 salt 'jvb*.meet.ffmuc.net' cmd.run 'bash -c "apt show jitsi-videobridge2 2>/dev/null | grep 2.1-416 && /usr/share/jitsi-videobridge/graceful_shutdown.sh >/tmp/graceful_update.log && salt-call state.apply jitsi.videobridge >> /tmp/graceful_update.log"' bg=true
docker exec -ti salt-salt-master-1 salt 'jvb*.meet.ffmuc.net' cmd.run 'bash -c "apt show jitsi-videobridge2 2>/dev/null | grep 2.2-43 && /usr/share/jitsi-videobridge/graceful_shutdown.sh >/tmp/graceful_update.log && salt-call state.apply jitsi.videobridge >> /tmp/graceful_update.log"' bg=true
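--- a/nebula/cert/regen.sh
+++ b/nebula/cert/regen.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+which nebula-cert 1>/dev/null || echo "nebula-cert not installed" || exit 2
+which jq 1>/dev/null || echo "jq not installed" || exit 2
+
+echo "This script will delete the current nebula CA and related host certificates to create new ones. Press [ENTER] to continue"
+read
+
+# Regenerate CA with validity of 10 years
+rm ca.crt ca.key
+nebula-cert ca -duration 87600h -name "Freifunk Muenchen Nebula CA G2"
+
+for i in *.ffmuc.net.crt; do
+
+_data=$(nebula-cert print -json -path $i)
+name=$(echo $_data | jq '.details.name' | tr -d '"')
+groups=$(echo $_data | jq '.details.groups' | tr -cd 'a-z,')
+ip=$(echo $_data | jq '.details.ips[0]' | tr -d '"')
+
+rm -v $name.crt $name.key
+
+echo $ip - $name - $groups
+nebula-cert sign -name "$name" -ip "$ip" -groups "$groups"
+done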
47 changes: 44 additions & 3 deletions nginx/domains/broker.ffmuc.net.conf
@@ -1,5 +1,13 @@
upstream wgkex_backend {
server broker.ov.ffmuc.net:5000;
server docker04.ov.ffmuc.net:5000;
server docker05.ov.ffmuc.net:5000;
server docker06.ov.ffmuc.net:5000;
server docker07.ov.ffmuc.net:5000;
keepalive 32;
}

upstream wgkex_ffdon_backend {
server broker.ov.ffmuc.net:5001;
keepalive 32;
}

Expand All @@ -12,7 +20,7 @@ server {

root /srv/www/{{ domain }};

location /api/v1/wg/key/exchange {
location /api {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Expand All @@ -27,7 +35,40 @@ server {
if ($scheme = http) {
rewrite ^ https://$host$uri permanent;
}
}
}

ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;

access_log /var/log/nginx/{{ domain }}_access.log json_normal;
error_log /var/log/nginx/{{ domain }}_error.log;
}

server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffdon.broker.ffmuc.net;

root /srv/www/{{ domain }};

location /api {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;

proxy_http_version 1.1;
proxy_pass http://wgkex_ffdon_backend;
}

location / {
if ($scheme = http) {
rewrite ^ https://$host$uri permanent;
}
}

ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;
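Review bot: In the new `ffdon.broker.ffmuc.net` server block the HTTP→HTTPS redirect lives only inside `location /`, while `location /api` has no such guard and the block also has `listen 80;`, so the key-exchange API is reachable in cleartext and whatever a client posts there over `http://` (presumably its WireGuard public key) is proxied as-is. Either add the guard inside `location /api` — `if ($scheme = http) { return 301 https://$host$request_uri; }` — or move it to server level so every location is covered; the first server block appears to have the same structure, and its prefix was just widened from `/api/v1/wg/key/exchange` to all of `/api`, which exposes any other backend route under that prefix as well, so confirm the backend serves nothing else there. `proxy_set_header X-Frame-Options SAMEORIGIN;` sends that value to the backend as a request header and does nothing for browsers; `add_header X-Frame-Options SAMEORIGIN;` is the response-side form. The new server block continues past the hunk.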
7 changes: 2 additions & 5 deletions nginx/domains/byro.ffmuc.net.conf
@@ -1,9 +1,6 @@
upstream byro_upstream {
server docker06.ov.ffmuc.net:8345;
}
upstream byro_static_upstream {
server docker06.ov.ffmuc.net:8346;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
Expand All @@ -30,15 +27,15 @@ server {
proxy_set_header X-Forwarded-Host $server_name;
}
location /media/ {
proxy_pass http://byro_static_upstream;
proxy_pass http://byro_upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /static/ {
proxy_pass http://byro_static_upstream;
proxy_pass http://byro_upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
50 changes: 28 additions & 22 deletions nginx/domains/speed.ffmuc.net.conf
Expand Up @@ -6,21 +6,23 @@ upstream speed_frontend_upstream {
server docker07.in.ffmuc.net:8080;
{%- endif %}
}
upstream speed_backend_upstream {
{%- if own_location == "VIE01" %}
server docker05.in.ffmuc.net:8082;
{%- else %}
server docker07.in.ffmuc.net:8082;
{%- endif %}
}

server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name speed.ffmuc.net speed-muc.ffmuc.net speed-vie.ffmuc.net speed4.ffmuc.net speed6.ffmuc.net;

gzip off;
tcp_nodelay on;
tcp_nopush on;
sendfile on;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors off;

proxy_http_version 1.1;
# Force HTTPS connection. This rules is domain agnostic
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
Expand All @@ -33,25 +35,29 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache off;
client_max_body_size 200M;
client_max_body_size 10000M;
proxy_http_version 1.1;
proxy_request_buffering off;

add_header Cache-Control 'no-store, no-cache, max-age=0, no-transform';

add_header Last-Modified $date_gmt;
if_modified_since off;
expires off;
etag off;
}
location ~ ^/(empty|garbage|getIP).php$ {
proxy_pass http://speed_backend_upstream;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_cache off;
client_max_body_size 200M;
proxy_http_version 1.1;
proxy_request_buffering off;
location = /dev-null {
return 200;
client_max_body_size 10000M;
}

ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
location = /upload {
client_max_body_size 10000M;
proxy_pass http://speed.ffmuc.net:80/dev-null;
}
ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;

access_log /var/log/nginx/{{ domain }}_access.log json_normal;
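Review bot: The new `location = /upload` proxies to `http://speed.ffmuc.net:80/dev-null`, i.e. back through this server's own public name over plain HTTP, and the server-level `if ($scheme != "https") { rewrite ^ https://$host$uri permanent; }` at the top of the block applies to that inner hop too, so unless something not visible here intercepts it the upload request should come back as a 301 rather than the intended 200. If the goal is only to have nginx consume the upload body, `return 200;` directly in `/upload` (as `/dev-null` already does) presumably serves that without the startup DNS lookup of the own hostname and the extra hop. `$connection_upgrade` in `proxy_set_header Connection $connection_upgrade;` is not a built-in variable; nginx refuses to start with an unknown-variable error unless a `map $http_upgrade $connection_upgrade` block exists in the http context, which is not shown in this commit. `client_max_body_size 10000M;` now appears three times and could sit once at server level. The server block continues above and below the hunk.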
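--- a/nginx/domains/uisp.ffmuc.net.conf
+++ b/nginx/domains/uisp.ffmuc.net.conf
@@ -0,0 +1,58 @@
+upstream uisp_backend {
+server docker07.ov.ffmuc.net:9443;
+keepalive 32;
+}
+upstream uisp_inform_backend {
+server docker07.ov.ffmuc.net:8080;
+keepalive 32;
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+listen 80;
+listen [::]:80;
+listen 8080;
+listen [::]:8080;
+
+server_name uisp.ext.ffmuc.net uisp.ffmuc.net uisp;
+
+client_max_body_size 0;
+
+location /inform {
+resolver 5.1.66.255 valid=30s;
+proxy_pass http://uisp_inform_backend;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_http_version 1.1;
+}
+location / {
+# Force HTTPS connection - but only for not /inform
+if ($scheme != "https") {
+rewrite ^ https://$host$uri permanent;
+}
+resolver 5.1.66.255 valid=30s;
+proxy_pass https://uisp_backend;
+proxy_redirect https://uisp_backend/ /;
+proxy_ssl_verify off;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_http_version 1.1;
+}
+
+# Force HTTPS connection. This rules is domain agnostic
+
+ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;
+
+access_log /var/log/nginx/{{ domain }}_access.log json_normal;
+error_log /var/log/nginx/{{ domain }}_error.log;
+}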
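Review bot: `proxy_ssl_verify off;` in `location /` makes nginx accept any certificate from `uisp_backend`, so the TLS hop to `docker07.ov.ffmuc.net:9443` is unauthenticated and whatever crosses it (presumably the UISP login) is protected only by the network path; trusting the backend's CA with `proxy_ssl_trusted_certificate <PATH-TO-BACKEND-CA>;`, `proxy_ssl_verify on;` and `proxy_ssl_name <backend-name>;` closes that, or a comment should state why verification is off. `proxy_set_header Connection "Upgrade";` is sent on every request, not only on websocket upgrades, which together with `proxy_http_version 1.1` and `keepalive 32` can confuse the backend; the usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context and `proxy_set_header Connection $connection_upgrade;` in both locations. As far as I can tell `resolver 5.1.66.255 valid=30s;` has no effect on a `proxy_pass` to a named upstream, whose servers are resolved at startup, and the orphaned `# Force HTTPS connection. This rules is domain agnostic` comment before the `ssl_certificate` lines refers to nothing. Serving `/inform` in cleartext on 80 and 8080 looks deliberate; the comment in `location /` could say so explicitly.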
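--- a/nginx/files/uisp_stream.conf
+++ b/nginx/files/uisp_stream.conf
@@ -0,0 +1,11 @@
+# Unifi STUN UDP Traffic
+upstream uisp_stun {
+server docker07.ov.ffmuc.net:2055;
+}
+
+server {
+listen 2055 udp;
+proxy_pass uisp_stun;
+proxy_responses 1;
+error_log /var/log/nginx/uisp_stun.log;
+}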
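Review bot: The `listen 2055 udp;` stream server accepts datagrams from any source and forwards them to `docker07.ov.ffmuc.net:2055` with no `allow`/`deny` restriction, so anyone on the internet can feed data into that collector; if the senders are the managed devices, an `allow <DEVICE-RANGE>; deny all;` pair in the server block (or an equivalent host firewall rule) limits that. The header comment says STUN, but as far as I know 2055/udp is the port UISP uses for NetFlow export; a flow collector sends no reply, in which case `proxy_responses 0;` would release each UDP session immediately instead of holding it for one response, so either the comment or `proxy_responses 1` should be checked against what the backend actually does.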
30 changes: 26 additions & 4 deletions wgkex/init.sls
@@ -1,5 +1,3 @@


{%- if 'nextgen-gateway' in salt['pillar.get']('netbox:role:name') %}

python3-pyroute2:
Expand All @@ -10,15 +8,22 @@ python3-pyroute2:
- name: https://github.com/freifunkMUC/wgkex
- target: /srv/wgkex
- rev: main

/etc/systemd/system/wgkex.service:
file.managed:
- source: salt://wgkex/wgkex.service

/etc/systemd/system/wgkex-ffdon.service:
file.managed:
- source: salt://wgkex/wgkex-ffdon.service

/etc/wgkex.yaml:
file.managed:
- source: salt://wgkex/wgkex.yaml

/etc/wgkex-ffdon.yaml:
file.managed:
- source: salt://wgkex/wgkex-ffdon.yaml

wgkex-service:
service.running:
- name: wgkex
Expand All @@ -28,6 +33,15 @@ wgkex-service:
- watch:
- file: /etc/wgkex.yaml

wgkex-ffdon-service:
service.dead:
- name: wgkex-ffdon
- enable: False
- require:
- file: /etc/wgkex-ffdon.yaml
- watch:
- file: /etc/wgkex-ffdon.yaml

systemd-reload-wgkex:
cmd.run:
- name: systemctl --system daemon-reload
Expand All @@ -36,4 +50,12 @@ systemd-reload-wgkex:
- watch_in:
- service: wgkex-service

{% endif %}
systemd-reload-wgkex-ffdon:
cmd.run:
- name: systemctl --system daemon-reload
- onchanges:
- file: /etc/systemd/system/wgkex-ffdon.service
- watch_in:
- service: wgkex-ffdon-service

{% endif %}
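Review bot: `wgkex-ffdon-service` is declared with `service.dead` and `- enable: False`, yet the same change installs its unit, its config and a `systemd-reload-wgkex-ffdon` state that `watch_in`s that service, so the whole ffdon stack is deployed only to be kept stopped; if that is a staged rollout it deserves a comment such as `# kept stopped until the ffdon broker goes live`, and if not, the state was probably meant to be `service.running` like `wgkex-service`. `watch` on a `service.dead` state re-stops the service whenever `/etc/wgkex-ffdon.yaml` changes, which is harmless but probably not what the `require`/`watch` pair was copied for. The `file.managed` states for `/etc/wgkex-ffdon.yaml` and `/etc/wgkex.yaml` set no `user`/`mode`; if those files carry credentials (I cannot tell from here), `- mode: '0640'` keeps them off the world-readable default.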