
John Doe
8e44f56f95 [Sumadija] docs init 2026-02-23 23:45:08 +01:00
24 changed files with 79 additions and 260 deletions


@@ -8,8 +8,6 @@ help: ## Print the help message
sort | \ sort | \
column -s ':' -t column -s ':' -t
include wg.mk
.PHONY: check .PHONY: check
check: ## Check you have all dependencies check: ## Check you have all dependencies
@command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;} @command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;}
@@ -17,10 +15,6 @@ check: ## Check you have all dependencies
@command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;} @command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;}
@echo "All dependencies installed" @echo "All dependencies installed"
%/:
mkdir $@
echo '*' > $@.gitignore
########## Network Map ########## ########## Network Map ##########
graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot
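Review bot: The failure branches of `check` echo their install hint to stdout, so when output is redirected (`make check >/dev/null`, or a CI job that captures only stderr) the reason for the exit status 1 vanishes; `{ echo "Install perl-graph-easy" >&2; exit 1 ;}` keeps the hint with the error, and the same applies to the `lowdown` line in the second hunk. With `include wg.mk` and the `%/:` directory rule both dropped, any remaining target that still names a `dir/` order-only prerequisite (the pattern the removed ansible Makefile used with `| logs/`) would now fail with "No rule to make target" — the rest of this Makefile is outside the hunk, so this is worth confirming rather than a certain defect. The `help` recipe the first hunk starts inside begins before the hunk, and the `check` recipe spans both hunks.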


@@ -1,46 +0,0 @@
hosts = $(wildcard host_vars/*.yml)
logs = $(patsubst host_vars/%.yml, logs/%.json, $(hosts) )
playbooks = $(wildcard playbooks/*.yml)
plays = $(patsubst playbooks/%.yml, %, $(playbooks) )
defaults += $(wildcard logs/*)
###### Recipes ######
.PHONY: help
help: ## Print the help message.
@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
column -s ':' -t
.PHONY: lint
lint: $(playbooks) | .ansible/ ## Check syntax and lint all playbooks
ansible-playbook --syntax-check $^
ansible-lint $^
.PHONY: records
records: $(logs) ## Current info on each host
$(logs): logs/%.json: | logs/
ansible -m setup $(basename $(@F) ) > $@
-include logs/play.mk
make_play = printf '.PHONY: %s\n%s: %s \#\# %s\n\n' '$(notdir $(basename $1) )' '$(notdir $(basename $1) )' '$1' '$(shell grep -m1 -oP 'name: \K.*' $1)'
logs/play.mk: playbooks/*.yml
@$(RM) $@
@$(foreach book, $^, \
$(call make_play, $(book), $@ ) >> $@ ; \
printf '\t%s\n\n' 'ansible-playbook $(book)' >> $@ ; \
)
%/:
mkdir $@
echo '*' > $@.gitignore
.PHONY: clean
clean: ## Remove generated files.
$(RM) $(defaults)


@@ -1,7 +0,0 @@
[defaults]
inventory = hosts.yaml
local_tmp = .ansible
cow_selection = random
vault_password_file = pass.sh
interpreter_python = auto_silent


@@ -1,9 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
37363765623839666637633861353139353935323364343538356536653561373266336161353937
3466653434666163313936393366613666393863616262320a643930663038326666653064613062
62613661396538363539643938323033663932326362626335333438653865623038336136623030
3735366564366431330a373061393766346631643434383364646431346231356466663737626435
64303835343237383761633939643431333439643933636139666163393637363430633261633736
34626631366163616439366534393031353063363138356638323634313430666330613833386661
61346365313534353535633365626364303565363565353765353833363065343232633866633132
63643930633266653765


@@ -1,13 +0,0 @@
all:
vars:
username: dmz
locale: Europe/Belgrade
libc_locale: en_GB.UTF-8 UTF-8
var_locale: LANG=en_GB.UTF-8
wireguard:
hosts:
192.168.0.93:
arch:
hosts:
10.0.0.1:


@@ -1,3 +0,0 @@
#!/bin/sh
pass dmz/xecut/dmz_ansible


@@ -1,26 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
33343563633965306633313265643038646236633465353133386365346663336163646430333962
6165663662663065623232383636336236376363623762640a633139343330646532333631396639
39323432323636626166636561383539353161646636666131623833396138666531616366633032
3064646331643732660a613562343637393134323830643263393464363332663664623761636636
38343638623539636134633735313161353233333936396638653066346163613335353266343334
39313062633261393038636131313665653631333039633533363236636131323337633031386436
38366435386334303366636231643565383931373936313365363165666464636236376262363336
31363664336535343363646231306237383739326239356232343761623937666533663131323266
30323138663666666538353063623566333961326233646533323831363433653764323566333564
37633865313966336164336433306663343435653062396533633037333430366266376465613039
35373762306363393534373861633839353736373463346638613838636466383762336562386434
37666133666662633331313863636161343031666438363638356538623164343764353431373566
35653662326134366366323835623265663530323132313138393566653063376163366132326232
62653337383336396466386631393739633164646433373231656664376463306333643663393061
32303535323336313364343131333633633261313761326566643733646564313432396165316532
62303539653763343963343865626135633738666331366334353530393961623337363035333662
38396533376166363164623531396238356632336534386636363364646263623334336666343834
37396235346431393033303834323163646561643162646135383162623034343366613431366563
66386330323933363035393330326539336134616364303037633230663664373335663739343361
36653533333139336331393239626335623337663133393538343361303431636661316666383733
64343234306336353163323235633031343138643661333863373965623666336331636339653862
61616431366439643063313336336530383164313639646130383362643339386264333264376236
63333531616561636638376635623738623933363933663439373137396334623361656233616236
64386638653336616366653836663762306334363065356162353431633332633537623362643363
3265


@@ -1,7 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
39653235613163636362653036663563383839313836643563323462616163353364323862313039
6564656661323039393563636133303132626663366233390a343535383963353763383364376438
36306435396461393132653161393238623562393465356166343764336661376434333335643863
3865373732363761620a613236613963396638613831326332386530326239373062333933646239
39313336383366636133646336653236303261346238306336663564373063383634313361356335
6334353863363931643338663833333065343435333231623466


@@ -1 +0,0 @@
GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=


@@ -1,32 +0,0 @@
---
- name: Install Wireguard on Server
hosts: wireguard
become: true
tasks:
- name: Install wireguard tools and dig
ansible.builtin.package:
name:
- wireguard-tools
- bind
- name: Copy keys to server
ansible.builtin.copy:
src: wireguard/wg0.conf
dest: /etc/wireguard/wg0.conf
- name: Get server public IP
ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
register: wireguard_public_ip
- name: Allow ipv4 forwarding
ansible.builtin.lineinfile:
path: /etc/sysctl.d/wg.conf
line: net.ipv4.ip_forward=1
create: yes
- name: Start the wireguard service
ansible.builtin.service:
name: wg-quick@wg0
enabled: yes


@@ -1,14 +0,0 @@
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PrivateKey = {{ wg_private_key }}
ListenPort = 51900
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = {{ wg_public_key }}
AllowedIPs = 10.0.0.2/32


@@ -0,0 +1,29 @@
# List of containers
## sumadijamoxx
ip is the same as a container ID
example
101 ssh12 -> 192.168.7.101
VMID Name
101 ssh12
102 nginxproxymanager12
103 searxng12
104 homepage12
105 privatebin13
106 librespeed-rust12
107 tor13
200 wireguard12
##### Legend
12 -> debian 12
13 -> debian 13
## Forwareded ports
192.168.7.243:443 -> 80
192.168.7.101:22 -> 22


@@ -0,0 +1,9 @@
---
VMID: 102
---
NgniX proxy manager built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager)
Forwarded to port 80


@@ -0,0 +1,7 @@
---
VMID: 105
---
PrivateBin instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=privatebin)
Not yet public/forwarded


@@ -0,0 +1,3 @@
TP Link (hopefully openWRT in future)
Router is inside the existing network for further forwarding, contact coja (best on xmpp)


@@ -0,0 +1,8 @@
---
VMID: 102
---
SearXNG instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=searxng)
Not yet public/forwarded


@@ -0,0 +1,9 @@
---
VMID: 101
---
SSH port from this container should be forwarded to sumadija.dmz.rs
SSH access to other containers is done through this one with ssh jump, passwords are disabled, so only keys verification is used.
[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)


@@ -0,0 +1,9 @@
---
VMID: 107
---
In this container hosts the tor onion service, used for remote access to the proxmox, through tor. Credentatials are in the password manager
ssh12 -> port 22
smoxx -> 8006


@@ -0,0 +1,5 @@
---
VMID: 200
---
Wireguard server for VPN access to sumadija network

54
wg.mk

@@ -1,54 +0,0 @@
public_key = $(shell cat /etc/wireguard/dmz_public_key)
name := $(shell git config list | grep user.nam | cut -d= -f2)
# Local keys
wireguard/dmz_private_key: | /bin/wg wireguard/
wg genkey > $@
chmod 700 $@
wireguard/dmz_public_key: wireguard/dmz_private_key | /bin/wg
$| pubkey < $< > $@
##############################
wgkeys.rec: wireguard/dmz_public_key
$(info Adding wireguard key as '$(name)')
recins --verbose $@ -t $(basename $@) -f name -v '$(name)' -f pubkey -v '$(shell cat $<)'
git add $@
git commit -m"add wireguard key for $(name)"
$(info Remember to git push)
wireguard/dmz.conf: wireguard/dmz_bare.conf | wireguard/dmz_private_key
sed 's#PRIVATE_KEY#$(shell cat $|)#' $< > $@
wireguard/dmz_bare.conf: wgkeys.rec | xecut/nimbus/dmz.conf
recsel $< -t $(basename $<) -e 'name = "$(name)"' | recfmt -f $| > $@
###### Wireguard configuration #####
wireguard/wg_peers.txt: wgkeys.rec | xecut/nimbus/wg_peer.fmt
recsel $< -t $(basename $<) | recfmt -f $| > $@
ignored += ansible/playbooks/files/wireguard/wg0.conf
ansible/playbooks/files/wireguard/wg0.conf: wireguard/wg_peers.txt | ansible/playbooks/files/wireguard/server_head
cd ansible && ansible-vault view playbooks/files/wireguard/server_head > playbooks/files/wireguard/wg0.conf
cat $< >> $@
cd ansible && ansible-vault encrypt playbooks/files/wireguard/wg0.conf
##### Installing Wireguard Client #####
.PHONY: wg-create
wg-create: wireguard/dmz.conf ## Set up wireguard keys (do this before installing)
.PHONY: wg-install
wg-install: /etc/wireguard/dmz.conf ## Install wireguard keys (use sudo)
/etc/wireguard/dmz.conf: wireguard/dmz.conf | /bin/wg
cp $< $@
.PHONY: wg-setup
wg-setup: ansible/playbooks/files/wireguard/wg0.conf ## Renew the wireguard config
make -C ansible wireguard


@@ -1,12 +0,0 @@
%rec: wgkeys
%key: id
%type: name,pubkey line
%type: id int
%auto: id
%mandatory: name
+ pubkey
id: 2
name: Malin Freeborn
pubkey: loNnXRalD0ZyOLadSWm31rqOuRfEbgtX9O4/z7eSIho=


@@ -1,12 +0,0 @@
# Client configuration for wireguard to nimbus at xecut.
[Interface]
Address = 10.0.0.2/32
PrivateKey = PRIVATE_KEY
DNS = 9.9.9.9
[Peer]
PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
Endpoint = space.xecut.me:51900
AllowedIPs = 10.0.0.{{id}}/24


@@ -1,4 +0,0 @@
[Peer]
PublicKey = {{pubkey}}
AllowedIPs = 10.0.0.{{id}}/32


@@ -1,14 +0,0 @@
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PrivateKey = PRIVATE_KEY
ListenPort = 51900
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
AllowedIPs = 10.0.0.2/32