From bc30db21605fbf2bc58452fbd39bd48a8c15933e Mon Sep 17 00:00:00 2001 From: salt-master Date: Mon, 13 Nov 2023 23:28:26 +0100 Subject: [PATCH] Fix stuff --- dns-server/auth/init.sls | 2 +- dns-server/auth/named.conf.options | 1 - dnsdist/dnsdist.conf.j2 | 8 ++-- icinga2/services/dns.conf | 2 +- icinga2/services/network.conf | 2 +- jitsi/README.md | 2 +- nebula/cert/regen.sh | 24 ++++++++++++ nginx/domains/broker.ffmuc.net.conf | 47 +++++++++++++++++++++-- nginx/domains/byro.ffmuc.net.conf | 7 +--- nginx/domains/speed.ffmuc.net.conf | 50 ++++++++++++++----------- nginx/domains/uisp.ffmuc.net.conf | 58 +++++++++++++++++++++++++++++ nginx/files/uisp_stream.conf | 11 ++++++ wgkex/init.sls | 30 +++++++++++++-- wgkex/wgkex-ffdon.service | 21 +++++++++++ wgkex/wgkex-ffdon.yaml | 25 +++++++++++++ wgkex/wgkex.yaml | 3 +- 16 files changed, 249 insertions(+), 44 deletions(-) create mode 100755 nebula/cert/regen.sh create mode 100644 nginx/domains/uisp.ffmuc.net.conf create mode 100644 nginx/files/uisp_stream.conf create mode 100644 wgkex/wgkex-ffdon.service create mode 100644 wgkex/wgkex-ffdon.yaml diff --git a/dns-server/auth/init.sls b/dns-server/auth/init.sls index 339dc5f6..4146efd6 100644 --- a/dns-server/auth/init.sls +++ b/dns-server/auth/init.sls @@ -404,7 +404,7 @@ record-AAAA-extra-{{ dns_entry }}: # Additional DNS records {%- set custom_records = salt['pillar.get']('netbox:config_context:dns_zones:custom_records', []) %} {%- for record in custom_records %} -record-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}: +record-{{ loop.index }}-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}: ddns.present: - name: {{ record.get('name') }} - zone: {{ record.get('zone') }} diff --git a/dns-server/auth/named.conf.options b/dns-server/auth/named.conf.options index 7a2d284a..45e56ffa 100644 --- a/dns-server/auth/named.conf.options +++ b/dns-server/auth/named.conf.options 
@@ -15,7 +15,6 @@ options { allow-recursion { trusted; }; allow-transfer { none; }; dnssec-validation auto; - auth-nxdomain no; # conform to RFC1035 {%- if "dnsdist" in salt['pillar.get']('netbox:tag_list', []) %} listen-on port {{ listening_port }} { 127.0.0.1; {{ salt['grains.get']('ip4_interfaces:nebula0')[0] }}; }; diff --git a/dnsdist/dnsdist.conf.j2 b/dnsdist/dnsdist.conf.j2 index e9826e9a..8b9c1e70 100644 --- a/dnsdist/dnsdist.conf.j2 +++ b/dnsdist/dnsdist.conf.j2 @@ -49,7 +49,7 @@ addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resol addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true }) {% else %} -- limit resolving on Port 53 to "ffmuc-domains" -addAction(AndRule({NotRule(makeRule({"ffmuc.net"})), NotRule(makeRule({"127.0.0.1","::1","10.80.0.0/16","10.8.0.0/23","5.1.66.0/24","185.150.99.0/24","2001:678:e68::/48","2001:678:ed0::/48"})), DSTPortRule(53)}), DropAction(), {name="Drop-Gateway-Foreign-Source"}) +addAction(AndRule({NotRule(makeRule({"ffmuc.net"})), NotRule(makeRule({"127.0.0.1","::1","10.80.0.0/16","10.86.0.0/16","10.8.0.0/23","5.1.66.0/24","185.150.99.0/24","2001:678:e68::/48","2001:678:ed0::/48"})), DSTPortRule(53)}), DropAction(), {name="Drop-Gateway-Foreign-Source"}) {% endif %}{# webfrontend in grains.id #} -- keep BPF capabilities 
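Review bot: The source allow-list inside the `Drop-Gateway-Foreign-Source` rule grows by `10.86.0.0/16` with nothing recording what that network is, so the next reader cannot tell whether it belongs among the sources permitted to resolve non-ffmuc.net names on port 53 or was pasted in by mistake. A one-line Lua comment above the rule naming each prefix (`-- 10.86.0.0/16: <network name, placeholder>`) would settle that, and the prefix list could later move into a named Lua table or Jinja variable so the rule reads as policy rather than as a literal. The `{% if %}` this `{% else %}` belongs to starts outside the hunk.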
@@ -75,8 +75,8 @@ setRingBuffersSize(100000) {%- if 'muc01' in salt['pillar.get']('netbox:site:slug') %} newServer({address="10.8.0.39:1653", name="web05", weight=3, retries=2, id="7cd4655e-071e-4a9a-9623-834ba49ea472", sockets=6}) newServer({address="10.8.0.40:1653", name="web06", weight=3, retries=2, id="d5d0a3a9-6787-479f-ad0f-106d4618ccc2", sockets=6}) -newServer({address="10.8.0.38:1653", name="gw06", weight=2, retries=2, id="42c4bdfe-0ccc-4e9e-8816-7f88421b50f8", sockets=6}) -newServer({address="10.8.0.13:1653", name="gw07", weight=2, retries=2, id="1c961f33-3a09-4b40-ae9d-5b5a8dd71061", sockets=6}) +newServer({address="10.8.0.38:1653", name="gw06", weight=3, retries=2, id="42c4bdfe-0ccc-4e9e-8816-7f88421b50f8", sockets=6}) +newServer({address="10.8.0.13:1653", name="gw07", weight=3, retries=2, id="1c961f33-3a09-4b40-ae9d-5b5a8dd71061", sockets=6}) {%- elif 'vie01' in salt['pillar.get']('netbox:site:slug') %} newServer({address="10.8.0.29:1653", name="web03", weight=3, retries=2, id="23b0121d-91c5-4338-8c5a-cc8ba6f2ca8d", sockets=6}) newServer({address="10.8.0.30:1653", name="web04", weight=3, retries=2, id="0ed35651-7766-492c-ab44-562e76d395b6", sockets=6}) @@ -87,7 +87,7 @@ newServer({address="1.1.1.1", name="anycastCF"}) {%- endif %} setWHashedPertubation(3962345) -setServerPolicy(whashed) +setServerPolicy(wrandom) -- ask authorative servers for ffmuc.net directly {%- if 'authorative-dns' in salt['pillar.get']('netbox:tag_list', []) %} diff --git a/icinga2/services/dns.conf b/icinga2/services/dns.conf index bc91e0f0..b0e74b6d 100644 --- a/icinga2/services/dns.conf +++ b/icinga2/services/dns.conf @@ -70,7 +70,7 @@ apply Service "pdns_recursor" { max_check_attempts = 3 retry_interval = 1m - assign where "master" in host.vars.roles || "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles + assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles } 
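Review bot: `setWHashedPertubation(3962345)`, the context line directly above the changed policy, only influences the `whashed` policy, so with `setServerPolicy(wrandom)` it becomes dead configuration; either drop it or mark it `-- only used by whashed; kept for rollback`. With the weight changes in this file's other hunk, every server visible in the muc01 block is now weight 3, so the weighted-random policy degenerates to uniform selection there; if that is intended, a comment on the `setServerPolicy` line saying so would save the next reader from wondering why the weights exist at all.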
diff --git a/icinga2/services/network.conf b/icinga2/services/network.conf index 72779744..498366cd 100644 --- a/icinga2/services/network.conf +++ b/icinga2/services/network.conf @@ -73,7 +73,7 @@ apply Service "gw-ping6" { import "generic-service" check_command = "ping6" - vars.ping_address = "2001:67c:158c:4::137" + vars.ping_address = "2001:4860:4860::8888" if (host.name != NodeName) { command_endpoint = host.name } diff --git a/jitsi/README.md b/jitsi/README.md index b23aae89..0b87ceeb 100644 --- a/jitsi/README.md +++ b/jitsi/README.md @@ -15,4 +15,4 @@ Und wie immer: Man kann mit uns reden! Solltest du Zugriff auf unser Repository haben wollen schildere uns kurz deinen Zweck und wir können einen Weg finden dir den Zugang zu ermöglichen. -docker exec -ti salt_salt-master_1 salt 'jvb*.meet.ffmuc.net' cmd.run 'bash -c "apt show jitsi-videobridge2 2>/dev/null | grep 2.1-416 && /usr/share/jitsi-videobridge/graceful_shutdown.sh >/tmp/graceful_update.log && salt-call state.apply jitsi.videobridge >> /tmp/graceful_update.log"' bg=true \ No newline at end of file +docker exec -ti salt-salt-master-1 salt 'jvb*.meet.ffmuc.net' cmd.run 'bash -c "apt show jitsi-videobridge2 2>/dev/null | grep 2.2-43 && /usr/share/jitsi-videobridge/graceful_shutdown.sh >/tmp/graceful_update.log && salt-call state.apply jitsi.videobridge >> /tmp/graceful_update.log"' bg=true \ No newline at end of file diff --git a/nebula/cert/regen.sh b/nebula/cert/regen.sh new file mode 100755 index 00000000..5ff9ab01 --- /dev/null +++ b/nebula/cert/regen.sh 
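Review bot: `vars.ping_address = "2001:4860:4860::8888"` makes the gw-ping6 service depend on a host outside the operator's control, so ICMP rate-limiting or an outage at that public resolver will alert as a gateway IPv6 failure. If that trade-off is accepted, record it next to the line: `// external reference target; alerts here may be upstream reachability, not the gateway`. The enclosing `apply Service "gw-ping6"` block continues outside the hunk.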
@@ -0,0 +1,24 @@ +#!/bin/bash + +which nebula-cert 1>/dev/null || echo "nebula-cert not installed" || exit 2 +which jq 1>/dev/null || echo "jq not installed" || exit 2 + +echo "This script will delete the current nebula CA and related host certificates to create new ones. Press [ENTER] to continue" +read + +# Regenerate CA with validity of 10 years +rm ca.crt ca.key +nebula-cert ca -duration 87600h -name "Freifunk Muenchen Nebula CA G2" + +for i in *.ffmuc.net.crt; do + + _data=$(nebula-cert print -json -path $i) + name=$(echo $_data | jq '.details.name' | tr -d '"') + groups=$(echo $_data | jq '.details.groups' | tr -cd 'a-z,') + ip=$(echo $_data | jq '.details.ips[0]' | tr -d '"') + + rm -v $name.crt $name.key + + echo $ip - $name - $groups + nebula-cert sign -name "$name" -ip "$ip" -groups "$groups" +done diff --git a/nginx/domains/broker.ffmuc.net.conf b/nginx/domains/broker.ffmuc.net.conf index 7e77ac61..a1283c3d 100644 --- a/nginx/domains/broker.ffmuc.net.conf +++ b/nginx/domains/broker.ffmuc.net.conf @@ -1,5 +1,13 @@ upstream wgkex_backend { - server broker.ov.ffmuc.net:5000; + server docker04.ov.ffmuc.net:5000; + server docker05.ov.ffmuc.net:5000; + server docker06.ov.ffmuc.net:5000; + server docker07.ov.ffmuc.net:5000; + keepalive 32; +} + +upstream wgkex_ffdon_backend { + server broker.ov.ffmuc.net:5001; keepalive 32; } @@ -12,7 +20,7 @@ server { root /srv/www/{{ domain }}; - location /api/v1/wg/key/exchange { + location /api { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
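Review bot: The guard `which nebula-cert 1>/dev/null || echo "nebula-cert not installed" || exit 2` never exits, because `echo` succeeds and the `|| exit 2` is therefore not reached, so the script carries on to `rm ca.crt ca.key` without the tool; the `jq` line has the same shape. The old CA is also deleted before its replacement is generated, so a failing `nebula-cert ca` leaves no CA at all, and with no `set -e` the loop would then keep deleting host keys. `$_data`, `$i` and `$name` are unquoted, and `tr -cd 'a-z,'` silently strips every character outside `a-z` and `,` from the group list, so a group containing a digit, capital or hyphen would be re-signed under a different name; `jq -r` with `join(",")` yields the same comma list without that loss, assuming `.details.groups` is a JSON array as the `tr` trick implies. Since `sign` is called without `-in-pub`, every host also receives a fresh private key that must be redistributed together with the new CA, which the banner could say. The rewrite below groups the guards, moves the old CA aside instead of deleting it, and quotes the variables.
```shell
#!/bin/bash
set -euo pipefail

command -v nebula-cert >/dev/null || { echo "nebula-cert not installed" >&2; exit 2; }
command -v jq >/dev/null || { echo "jq not installed" >&2; exit 2; }

# … unchanged: confirmation banner and read …

# Move the old CA aside rather than deleting it, so a failed
# `nebula-cert ca` does not leave the deployment without any CA.
for f in ca.crt ca.key; do
    if [ -e "$f" ]; then mv -v "$f" "$f.old"; fi
done
nebula-cert ca -duration 87600h -name "Freifunk Muenchen Nebula CA G2"

for i in *.ffmuc.net.crt; do
    _data=$(nebula-cert print -json -path "$i")
    name=$(jq -r '.details.name' <<<"$_data")
    # join() keeps group names intact; tr -cd 'a-z,' dropped digits,
    # upper-case letters and hyphens from them
    groups=$(jq -r '.details.groups | join(",")' <<<"$_data")
    ip=$(jq -r '.details.ips[0]' <<<"$_data")

    rm -v "$name.crt" "$name.key"

    echo "$ip - $name - $groups"
    nebula-cert sign -name "$name" -ip "$ip" -groups "$groups"
done
```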
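Review bot: `location /api` is a prefix match, so every route the wgkex backend serves under `/api` is now reachable through broker.ffmuc.net, where the replaced `location /api/v1/wg/key/exchange` exposed exactly one endpoint. If the wider prefix is intended because the backend gained more routes, a comment on the location (`# all wgkex API routes are meant to be public`) stops the next reviewer from narrowing it back; if not, listing the intended paths keeps the exposure to what is needed. The same `/api` prefix appears in the new ffdon.broker.ffmuc.net server block later in this file, so whichever way this is resolved applies there too. The `server` block this location belongs to starts outside the hunk.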
@@ -27,7 +35,40 @@ server { if ($scheme = http) { rewrite ^ https://$host$uri permanent; } - } + } + + ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem; + + access_log /var/log/nginx/{{ domain }}_access.log json_normal; + error_log /var/log/nginx/{{ domain }}_error.log; +} + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ffdon.broker.ffmuc.net; + + root /srv/www/{{ domain }}; + + location /api { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_http_version 1.1; + proxy_pass http://wgkex_ffdon_backend; + } + + location / { + if ($scheme = http) { + rewrite ^ https://$host$uri permanent; + } + } ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem; diff --git a/nginx/domains/byro.ffmuc.net.conf b/nginx/domains/byro.ffmuc.net.conf index b2bc98ff..9a2ad0ad 100644 --- a/nginx/domains/byro.ffmuc.net.conf +++ b/nginx/domains/byro.ffmuc.net.conf @@ -1,9 +1,6 @@ upstream byro_upstream { server docker06.ov.ffmuc.net:8345; } -upstream byro_static_upstream { - server docker06.ov.ffmuc.net:8346; -} server { listen 443 ssl http2; listen [::]:443 ssl http2; @@ -30,7 +27,7 @@ server { proxy_set_header X-Forwarded-Host $server_name; } location /media/ { - proxy_pass http://byro_static_upstream; + proxy_pass http://byro_upstream; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -38,7 +35,7 @@ server { proxy_set_header X-Forwarded-Host $server_name; } location /static/ { - proxy_pass http://byro_static_upstream; + proxy_pass http://byro_upstream; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
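Review bot: The new `server_name ffdon.broker.ffmuc.net` block reuses `/etc/letsencrypt/live/ffmuc.net/fullchain.pem`, and a wildcard for `*.ffmuc.net` matches a single label only, so unless that certificate explicitly lists `ffdon.broker.ffmuc.net` (or `*.broker.ffmuc.net`) as a SAN, clients on 443 will see a name mismatch. Worth checking the certificate's SANs before this is deployed, and a comment on the `ssl_certificate` line recording which names the certificate is expected to carry. The block also keeps `root /srv/www/{{ domain }}`, which points at the first server's document root rather than one for the ffdon name; if that is deliberate, say so, since the `location /` here only redirects and never serves from it.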
diff --git a/nginx/domains/speed.ffmuc.net.conf b/nginx/domains/speed.ffmuc.net.conf index 858af511..dbd1c0a0 100644 --- a/nginx/domains/speed.ffmuc.net.conf +++ b/nginx/domains/speed.ffmuc.net.conf @@ -6,13 +6,6 @@ upstream speed_frontend_upstream { server docker07.in.ffmuc.net:8080; {%- endif %} } -upstream speed_backend_upstream { - {%- if own_location == "VIE01" %} - server docker05.in.ffmuc.net:8082; - {%- else %} - server docker07.in.ffmuc.net:8082; - {%- endif %} -} server { listen 80; @@ -20,7 +13,16 @@ server { listen 443 ssl; listen [::]:443 ssl; server_name speed.ffmuc.net speed-muc.ffmuc.net speed-vie.ffmuc.net speed4.ffmuc.net speed6.ffmuc.net; - + gzip off; + tcp_nodelay on; + tcp_nopush on; + sendfile on; + open_file_cache max=200000 inactive=20s; + open_file_cache_valid 30s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + + proxy_http_version 1.1; # Force HTTPS connection. This rules is domain agnostic if ($scheme != "https") { rewrite ^ https://$host$uri permanent; 
@@ -33,25 +35,29 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; proxy_cache off; - client_max_body_size 200M; + client_max_body_size 10000M; proxy_http_version 1.1; proxy_request_buffering off; + + add_header Cache-Control 'no-store, no-cache, max-age=0, no-transform'; + + add_header Last-Modified $date_gmt; + if_modified_since off; + expires off; + etag off; } - location ~ ^/(empty|garbage|getIP).php$ { - proxy_pass http://speed_backend_upstream; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - proxy_cache off; - client_max_body_size 200M; - proxy_http_version 1.1; - proxy_request_buffering off; + location = /dev-null { + return 200; + client_max_body_size 10000M; } - - ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; + location = /upload { + client_max_body_size 10000M; + proxy_pass http://speed.ffmuc.net:80/dev-null; + } + ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem; access_log /var/log/nginx/{{ domain }}_access.log json_normal; diff --git a/nginx/domains/uisp.ffmuc.net.conf b/nginx/domains/uisp.ffmuc.net.conf new file mode 100644 index 00000000..c0cd5109 --- /dev/null +++ b/nginx/domains/uisp.ffmuc.net.conf 
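Review bot: `location = /upload` proxies to `http://speed.ffmuc.net:80/dev-null`, but this same server block carries the server-level `if ($scheme != "https") { rewrite ^ https://$host$uri permanent; }` shown in the previous hunk, so the proxied plain-http request appears to hit that redirect and come back as a 301 instead of the 200 from `/dev-null`; a test upload against the deployed config would confirm, since the name may also resolve to another frontend. The location sets `client_max_body_size 10000M` without `proxy_request_buffering off;`, so with nginx's default buffering up to ~10 GB per request can be spooled to temp files before it is forwarded, whereas the `/` location above explicitly disables buffering; adding `proxy_request_buffering off;` to `/upload` keeps the two consistent and bounds disk use. `proxy_set_header Connection $connection_upgrade;` requires an http-level `map $http_upgrade $connection_upgrade` that is not in this file; nginx refuses to start on an unknown variable, so presumably it lives in nginx.conf and a short comment pointing there would help.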
@@ -0,0 +1,58 @@
+upstream uisp_backend {
+ server docker07.ov.ffmuc.net:9443;
+ keepalive 32;
+}
+upstream uisp_inform_backend {
+ server docker07.ov.ffmuc.net:8080;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ listen 80;
+ listen [::]:80;
+ listen 8080;
+ listen [::]:8080;
+
+ server_name uisp.ext.ffmuc.net uisp.ffmuc.net uisp;
+
+ client_max_body_size 0;
+
+ location /inform {
+ resolver 5.1.66.255 valid=30s;
+ proxy_pass http://uisp_inform_backend;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_http_version 1.1;
+ }
+ location / {
+ # Force HTTPS connection - but only for not /inform
+ if ($scheme != "https") {
+ rewrite ^ https://$host$uri permanent;
+ }
+ resolver 5.1.66.255 valid=30s;
+ proxy_pass https://uisp_backend;
+ proxy_redirect https://uisp_backend/ /;
+ proxy_ssl_verify off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_http_version 1.1;
+ }
+
+ # Force HTTPS connection. This rules is domain agnostic
+
+ ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;
+
+ access_log /var/log/nginx/{{ domain }}_access.log json_normal;
+ error_log /var/log/nginx/{{ domain }}_error.log;
+}
diff --git a/nginx/files/uisp_stream.conf b/nginx/files/uisp_stream.conf
new file mode 100644
index 00000000..a1fe34e1
--- /dev/null
+++ b/nginx/files/uisp_stream.conf
@@ -0,0 +1,11 @@
+# Unifi STUN UDP Traffic
+upstream uisp_stun {
+ server docker07.ov.ffmuc.net:2055;
+}
+
+server {
+ listen 2055 udp;
+ proxy_pass uisp_stun;
+ proxy_responses 1;
+ error_log /var/log/nginx/uisp_stun.log;
+}
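Review bot: `proxy_ssl_verify off;` in `location /` makes nginx accept any certificate from `uisp_backend` on docker07:9443, so a host interposed on that path would go unnoticed; if the backend uses a self-signed certificate, `proxy_ssl_trusted_certificate <backend-cert.pem, placeholder>;` together with `proxy_ssl_verify on;` keeps the hop authenticated, and otherwise a comment recording why verification is disabled belongs on that line. The two `resolver 5.1.66.255 valid=30s;` lines have no effect here, because both `proxy_pass` targets are `upstream` blocks whose names are resolved once at startup, so they can be removed. `proxy_set_header Connection "Upgrade";` is sent on every request rather than only on WebSocket upgrades, which defeats the `keepalive 32` declared in the upstream blocks; the usual form is an http-level `map $http_upgrade $connection_upgrade` with `proxy_set_header Connection $connection_upgrade;`. The stale `# Force HTTPS connection. This rules is domain agnostic` comment near the bottom no longer sits above any directive and should go, since the redirect now lives inside `location /`.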
diff --git a/wgkex/init.sls b/wgkex/init.sls index a5d3796a..593a42ee 100644 --- a/wgkex/init.sls +++ b/wgkex/init.sls @@ -1,5 +1,3 @@ - - {%- if 'nextgen-gateway' in salt['pillar.get']('netbox:role:name') %} python3-pyroute2: @@ -10,15 +8,22 @@ python3-pyroute2: - name: https://github.com/freifunkMUC/wgkex - target: /srv/wgkex - rev: main - /etc/systemd/system/wgkex.service: file.managed: - source: salt://wgkex/wgkex.service +/etc/systemd/system/wgkex-ffdon.service: + file.managed: + - source: salt://wgkex/wgkex-ffdon.service + /etc/wgkex.yaml: file.managed: - source: salt://wgkex/wgkex.yaml +/etc/wgkex-ffdon.yaml: + file.managed: + - source: salt://wgkex/wgkex-ffdon.yaml + wgkex-service: service.running: - name: wgkex @@ -28,6 +33,15 @@ wgkex-service: - watch: - file: /etc/wgkex.yaml +wgkex-ffdon-service: + service.dead: + - name: wgkex-ffdon + - enable: False + - require: + - file: /etc/wgkex-ffdon.yaml + - watch: + - file: /etc/wgkex-ffdon.yaml + systemd-reload-wgkex: cmd.run: - name: systemctl --system daemon-reload @@ -36,4 +50,12 @@ systemd-reload-wgkex: - watch_in: - service: wgkex-service -{% endif %} \ No newline at end of file +systemd-reload-wgkex-ffdon: + cmd.run: + - name: systemctl --system daemon-reload + - onchanges: + - file: /etc/systemd/system/wgkex-ffdon.service + - watch_in: + - service: wgkex-ffdon-service + +{% endif %} diff --git a/wgkex/wgkex-ffdon.service b/wgkex/wgkex-ffdon.service new file mode 100644 index 00000000..faba4818 --- /dev/null +++ b/wgkex/wgkex-ffdon.service 
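Review bot: `wgkex-ffdon-service` is declared `service.dead` with `enable: False`, so this commit ships the unit and `/etc/wgkex-ffdon.yaml` to every nextgen-gateway but deliberately keeps the worker stopped, while `systemd-reload-wgkex-ffdon` still carries a `watch_in` on that dead service; nothing in the state says whether this is staging or a slip for `service.running`. A comment on the state (`# kept stopped until the ffdon segments go live; switch to service.running to enable`) would settle it for the next reader. `/etc/wgkex-ffdon.yaml` is `file.managed` with no `user` or `mode`, and the file format carries MQTT `username`/`password` fields; `- user: wgkex` and `- mode: 600` would be prudent before credentials are ever set there, and the same applies to the existing `/etc/wgkex.yaml` state in the same hunk.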
@@ -0,0 +1,21 @@ +[Unit] +Description=Wireguard Key Exchange Worker for Freifunk Donau-Ries segments +Documentation=https://github.com/freifunkMUC/wgkex +After=network-online.target + +[Service] +User=wgkex +Environment="WGKEX_CONFIG_FILE=/etc/wgkex-ffdon.yaml" +WorkingDirectory=/srv/wgkex +ExecStart=/usr/bin/python3 -u -m wgkex.worker.app +Restart=on-failure + +# Enable Logging +SyslogIdentifier=wgkex-ffdon + +# allow fetching metrics for wireguard +CapabilityBoundingSet=CAP_NET_ADMIN +AmbientCapabilities=CAP_NET_ADMIN + +[Install] +WantedBy=multi-user.target diff --git a/wgkex/wgkex-ffdon.yaml b/wgkex/wgkex-ffdon.yaml new file mode 100644 index 00000000..0b6b236a --- /dev/null +++ b/wgkex/wgkex-ffdon.yaml @@ -0,0 +1,25 @@ +--- + +domains: + - ffdon_test +domain_prefix: ffdon_ +mqtt: + broker_url: broker.ov.ffmuc.net + username: + password: + tls: False + broker_port: 1884 + keepalive: 20 +logging_config: + formatters: + standard: + format: '%(asctime)s,%(msecs)d %(levelname)-8s [%(filename)s:%(lineno)d] %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: standard + root: + handlers: + - console + level: INFO + version: 1 diff --git a/wgkex/wgkex.yaml b/wgkex/wgkex.yaml index a32173dd..d8d500a2 100644 --- a/wgkex/wgkex.yaml +++ b/wgkex/wgkex.yaml @@ -1,6 +1,7 @@ --- domains: + - ffmuc_ffdon_test - ffmuc_augsburg - ffmuc_freising - ffmuc_gauting @@ -20,7 +21,7 @@ mqtt: password: tls: False broker_port: 1883 - keepalive: 5 + keepalive: 20 domain_prefix: ffmuc_ logging_config: formatters:
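Review bot: The unit runs as `User=wgkex` with the bounding set reduced to `CAP_NET_ADMIN`, which is the right direction, but it has no filesystem or privilege hardening; `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` under `[Service]` would limit what a compromised worker can reach, and `systemd-analyze security wgkex-ffdon` lists what else applies. The comment `# allow fetching metrics for wireguard` above the capability lines undersells the grant if the worker also configures WireGuard peers, as its `Description` suggests; stating the full reason (`# CAP_NET_ADMIN: read WireGuard metrics and manage peers`) keeps someone from trimming it later. `Environment="WGKEX_CONFIG_FILE=/etc/wgkex-ffdon.yaml"` is the only thing distinguishing this unit from the existing wgkex.service, so a one-line comment saying so would help when the two drift.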
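Review bot: `tls: False` with `broker_port: 1884` means the worker reaches `broker.ov.ffmuc.net` over plaintext MQTT, so the key-exchange traffic is readable and forgeable by anything on that path unless the `.ov` network is a private overlay; the existing `wgkex.yaml` does the same on 1883, so this is inherited rather than new, but a comment on the `tls:` line recording the assumption (`# plaintext acceptable only because broker.ov is reached over the overlay — TODO confirm`) would document it. `username` and `password` are empty; if the broker allows anonymous publishers, every client that can reach it can publish for the `ffdon_` domains, which is worth noting next to those keys or, better, fixing on the broker side with authentication.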