[wg] update requirements check

Signed-off-by: coja <coja@dmz.rs>

Makefile

@@ -1,82 +1,85 @@
-.PHONY: help
 
+ignore_file = .git/info/exclude
+
+
+.PHONY: help
 help: ## Print the help message
 	@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
 		sort | \
 		column -s ':' -t
 
+include wg.mk
+
 .PHONY: check
 check: ## Check you have all dependencies
 	@command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;}
+	@command -v ansible >/dev/null || { echo "Install ansible" && exit 1 ;}
 	@command -v recsel >/dev/null || { echo "Install recutils" && exit 1 ;}
+	@command -v wg >/dev/null || { echo "Install wireguard" && exit 1 ;}
 	@command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;}
 	@echo "All dependencies installed"
 
+%/:
+	mkdir $@
+	echo '*' > $@.gitignore
+
 ########## Network Map ##########
 
+graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot 
+
 graph_cmd = graph-easy --boxart
 
 queries = queries authqueries
 
 query_formats = $(patsubst %, .dbs/%.txt, $(queries))
 
-.dbs/:
+dotquery_formats = $(patsubst %, .dbs/%.dot, $(queries))
+
+.dbs/: | $(ignore_file)
 	mkdir $@
 
+ignored += .dbs/
+
 $(query_formats): .dbs/%.txt: | .dbs/
 	echo "[ {{name}} ] -- $(basename $(@F)) --> [ {{$(basename $(@F))}} ]" > $@
 
+$(dotquery_formats): .dbs/%.dot: | .dbs/
+	echo '{{name}} -> {{$(basename $(@F))}} [ label="$(basename $(@F))" ];' > $@
+
+ifeq ($(graph_program),dot)
+  map_file = network.png
+else
+  map_file = network.txt
+endif
+
+ignored += $(map_file)
+
 .PHONY: map
-map: .dbs/network.txt ## Show a network map
+map: $(map_file) ## Generate a network map
+
+network.txt: .dbs/network.txt
 	$(graph_cmd) < $<
 
 .dbs/network.txt: network.rec $(query_formats)
-	$(RM) .dbs/network.txt
+	$(RM) $@
 	$(foreach relation, $(queries), \
 	recsel $< -t lxc -e "$(relation) != ''" -p name,$(relation) | recfmt -f .dbs/$(relation).txt >> $@ ;\
 	)
 
-########## Man Pages ##########
+.dbs/network.dot: network.rec $(dotquery_formats)
+	echo 'digraph network {' > $@
+	$(foreach relation, $(queries), \
+	recsel $< -t lxc -e "$(relation) != ''" -p name,$(relation) | recfmt -f .dbs/$(relation).dot >> $@ ;\
+	)
+	echo '}' >> $@
 
-mandir = $(HOME)/.local/man/man6
-
-kralizec_docs != grep -rl "^section:" kralizec 
-kralmans = $(kralizec_docs:kralizec/%/README.md=$(mandir)/%.6)
-
-$(mandir)/%.6: kralizec/%/README.md
-	lowdown -stman $< > $@
-
-krov_docs != grep -rl "^section:" krov 
-krovmans = $(krov_docs:krov/%/README.md=$(mandir)/%.6)
-
-$(mandir)/%.6: krov/%/README.md
-	lowdown -stman $< > $@
-
-splint_docs != grep -rl "^section:" splintrs
-splintmans = $(splint_docs:splintrs/%/README.md=$(mandir)/%.6)
-
-$(mandir)/%.6: splintrs/%/README.md
-	lowdown -stman $< > $@
-
-setup_docs != grep -rl "^section:" setup 
-setupmans = $(setup_docs:setup/%.md=$(mandir)/%.6)
-
-$(mandir)/%.6: setup/%.md
-	lowdown -stman $< > $@
-
-$(mandir):
-	mkdir -p $@
-
-$(kralmans) $(krovmans) $(splintmans) $(setupmans) :| $(mandir)
-
-.PHONY: pages
-pages: $(kralmans) $(krovmans) $(setupmans) $(splintmans)
-	$(info $(kralmans))
-	@test ! $(command -v mandb) || mandb --user-db
-	$(info Open DMZ's man pages with 'man 6 <tab>')
+network.png: .dbs/network.dot $(ignore_file)
+	dot -T png < $< > $@
 
 ##########
 
+$(ignore_file): $(MAKEFILE_LIST)
+	echo $(ignored) | tr ' ' '\n' > $@
+
 clean:
-	$(RM) $(kralmans) $(krovmans)
-	$(RM) -r .dbs
+	$(RM) -r $(ignored)

README.md

@@ -27,41 +27,53 @@ Try these commands:
 
 Ask what types of _rec_ords it contains:
 
+## Database
+
 ```sh
 recinf network.rec
 ```
 
-Select with `recsel`, then specify the type of record.
+### Select queries
+
+Select with `recsel`, then specify the database (.rec) and type of record (like table in db).
+
+- `--include-descriptors` or `-d`
+- `--type` or `-t`
+- `--expression` or `-e`
+- `--quick` or `-q`
 
 ```sh
 recsel network.rec --type router
-recsel network.rec --include-descriptors --type lxc
 recsel network.rec -d -t lxc
-recsel network.rec -d -t lxc --expression
 ```
 
-User `-q` for a 'quick' selection, or `-e` for more precise selections.
+User `-q` for a `--quick` selection, or `-e` for more precise selections.
 
 ```sh
 recsel network.rec --type lxc --quick wiki
-recsel network.rec --type lxc -q nginx
-recsel network.rec -t lxc --expression "name ~ 'nginx'"
-recsel network.rec -t lxc --expression "name = 'nginx12'"
+recsel network.rec -t lxc -q nginx
+recsel network.rec -t lxc -e "name ~ 'nginx'"
+recsel network.rec -t lxc -e "name = 'nginx12'"
 ```
 
-If you can select something, you can also set its fields with `recset`.
-
-Use `-f` to set the field, and `-a` to add, or `-s` to set.
-
-
-```sh
-recset network.rec -t lxc --expression "name = 'nginx12'" -f proxies --add soft-serve
-recsel network.rec -t lxc --expression "name = 'nginx11'" -p proxies[0]
-recset network.rec -t lxc --expression "name = 'nginx11'" -f proxies[0] -s wiki9
-```
+### Insert queries
 
 Insert a new record with `recins`.
 
 ```sh
 recins network.rec -t lxc -r "name: bob" -r "service: bob" -r "host: moxx"
 ```
+
+### Update queries
+
+If you can select something, you can also set its fields with `recset`.
+
+Use `-f` to set the `--field`, and `-a` to `--add`, or `-s` to `--set`.
+
+
+```sh
+recset network.rec -t lxc -e "name = 'nginx12'" -f proxies -a soft-serve
+recsel network.rec -t lxc -e "name = 'nginx11'" -p proxies[0]
+recset network.rec -t lxc -e" name = 'nginx11'" -f proxies[0] -s wiki9
+```
+

ansible/Makefile

@@ -0,0 +1,46 @@
+hosts = $(wildcard host_vars/*.yml)
+
+logs = $(patsubst host_vars/%.yml, logs/%.json, $(hosts) )
+
+playbooks = $(wildcard playbooks/*.yml)
+plays = $(patsubst playbooks/%.yml, %, $(playbooks) )
+
+defaults += $(wildcard logs/*)
+
+###### Recipes ######
+
+.PHONY: help
+help: ## Print the help message.
+	@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
+		column -s ':' -t
+
+.PHONY: lint
+lint: $(playbooks) | .ansible/ ## Check syntax and lint all playbooks
+	ansible-playbook --syntax-check $^
+	ansible-lint $^
+
+.PHONY: records
+records: $(logs) ## Current info on each host
+
+$(logs): logs/%.json: | logs/
+	ansible -m setup $(basename $(@F) ) > $@
+
+-include logs/play.mk
+
+make_play = printf '.PHONY: %s\n%s: %s \#\# %s\n\n' '$(notdir $(basename $1) )' '$(notdir $(basename $1) )' '$1' '$(shell grep -m1 -oP 'name: \K.*' $1)'
+
+logs/play.mk: playbooks/*.yml
+	@$(RM) $@
+	@$(foreach book, $^, \
+		$(call make_play, $(book), $@ )  >> $@ ; \
+		printf '\t%s\n\n' 'ansible-playbook $(book)' >> $@ ; \
+	)
+
+%/:
+	mkdir $@
+	echo '*' > $@.gitignore
+
+.PHONY: clean
+clean: ## Remove generated files.
+	$(RM) $(defaults)
+

ansible/ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+inventory      = hosts.yaml
+local_tmp      = .ansible
+cow_selection  = random
+vault_password_file = pass.sh
+interpreter_python = auto_silent
+

ansible/host_vars/wireguard.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+37363765623839666637633861353139353935323364343538356536653561373266336161353937
+3466653434666163313936393366613666393863616262320a643930663038326666653064613062
+62613661396538363539643938323033663932326362626335333438653865623038336136623030
+3735366564366431330a373061393766346631643434383364646431346231356466663737626435
+64303835343237383761633939643431333439643933636139666163393637363430633261633736
+34626631366163616439366534393031353063363138356638323634313430666330613833386661
+61346365313534353535633365626364303565363565353765353833363065343232633866633132
+63643930633266653765

ansible/hosts.yaml

@@ -0,0 +1,13 @@
+all:
+  vars:
+    username: dmz
+    locale: Europe/Belgrade
+    libc_locale: en_GB.UTF-8 UTF-8
+    var_locale: LANG=en_GB.UTF-8
+
+wireguard:
+  hosts:
+    192.168.10.93:
+arch:
+  hosts:
+    10.0.0.1:

ansible/pass.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+pass dmz/xecut/dmz_ansible

ansible/playbooks/files/wireguard/server_head

@@ -0,0 +1,26 @@
+$ANSIBLE_VAULT;1.1;AES256
+33343563633965306633313265643038646236633465353133386365346663336163646430333962
+6165663662663065623232383636336236376363623762640a633139343330646532333631396639
+39323432323636626166636561383539353161646636666131623833396138666531616366633032
+3064646331643732660a613562343637393134323830643263393464363332663664623761636636
+38343638623539636134633735313161353233333936396638653066346163613335353266343334
+39313062633261393038636131313665653631333039633533363236636131323337633031386436
+38366435386334303366636231643565383931373936313365363165666464636236376262363336
+31363664336535343363646231306237383739326239356232343761623937666533663131323266
+30323138663666666538353063623566333961326233646533323831363433653764323566333564
+37633865313966336164336433306663343435653062396533633037333430366266376465613039
+35373762306363393534373861633839353736373463346638613838636466383762336562386434
+37666133666662633331313863636161343031666438363638356538623164343764353431373566
+35653662326134366366323835623265663530323132313138393566653063376163366132326232
+62653337383336396466386631393739633164646433373231656664376463306333643663393061
+32303535323336313364343131333633633261313761326566643733646564313432396165316532
+62303539653763343963343865626135633738666331366334353530393961623337363035333662
+38396533376166363164623531396238356632336534386636363364646263623334336666343834
+37396235346431393033303834323163646561643162646135383162623034343366613431366563
+66386330323933363035393330326539336134616364303037633230663664373335663739343361
+36653533333139336331393239626335623337663133393538343361303431636661316666383733
+64343234306336353163323235633031343138643661333863373965623666336331636339653862
+61616431366439643063313336336530383164313639646130383362643339386264333264376236
+63333531616561636638376635623738623933363933663439373137396334623361656233616236
+64386638653336616366653836663762306334363065356162353431633332633537623362643363
+3265

ansible/playbooks/files/wireguard/server_private_key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+39653235613163636362653036663563383839313836643563323462616163353364323862313039
+6564656661323039393563636133303132626663366233390a343535383963353763383364376438
+36306435396461393132653161393238623562393465356166343764336661376434333335643863
+3865373732363761620a613236613963396638613831326332386530326239373062333933646239
+39313336383366636133646336653236303261346238306336663564373063383634313361356335
+6334353863363931643338663833333065343435333231623466

ansible/playbooks/files/wireguard/server_public_key

@@ -0,0 +1 @@
+GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=

ansible/playbooks/wireguard.yml

@@ -0,0 +1,38 @@
+---
+- name: Install Wireguard on Server
+  hosts: wireguard
+  user: root 
+
+  tasks:
+    - name: Install wireguard tools and dig
+      ansible.builtin.package:
+        name:
+          - wireguard-tools
+          - bind
+
+    - name: Copy keys to server
+      ansible.builtin.copy:
+        src: wireguard/wg0.conf
+        dest: /etc/wireguard/wg0.conf
+      notify: Reload systemd daemon
+
+    - name: Get server public IP
+      ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
+      register: wireguard_public_ip
+
+    - name: Allow ipv4 forwarding
+      ansible.builtin.lineinfile:
+        path: /etc/sysctl.d/wg.conf
+        line: net.ipv4.ip_forward=1
+        create: yes
+
+    - name: Start the wireguard service
+      ansible.builtin.service:
+        name: wg-quick@wg0
+        enabled: yes
+
+  handlers:
+    - name: Reload systemd daemon
+      ansible.builtin.command:
+        cmd: systemctl daemon-reload
+

ansible/templates/wireguard/wg0.conf.j2

@@ -0,0 +1,14 @@
+
+[Interface]
+Address = 10.0.0.1/24
+SaveConfig = true
+PrivateKey = {{ wg_private_key }}
+ListenPort = 51900
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wg_public_key }}
+AllowedIPs = 10.0.0.2/32
+

kralizec/flaskldap11/README.md

@@ -1,3 +1,37 @@
 ---
 VMID: 109
 ---
+
+[project git](https://gitea.dmz.rs/Decentrala/luser)
+
+runs on OpenBSD 71
+
+make
+- all:
+- man:
+- deb:
+- clean:
+
+## SYNOPSIS
+
+**python3 run.py**
+
+## Login - Register
+
+Web app for adding,delating and modifying users using LDAP called `luser` - LdapUser
+website redirects to those web pages
+
+```sh 
+service luser restart
+```
+
+
+## Capcha script
+...
+
+## COPYRIGHT
+
+**AGPLv3+**: GNU AGPL version 3 or later <https://gnu.org/licenses/agpl.html>
+This is *free* software: you are free to change and redistribute it.
+There is **NO WARRANTY**, to the extent permitted by law.
+

kralizec/forum11/README.md

@@ -0,0 +1,46 @@
+---
+VMID: 119
+---
+
+
+## Data
+
+`/var/discourse/shared/web_only/`
+
+
+## Web 
+
+`/var/discourse_docker/`
+
+
+## Help
+
+`/var/discourse_docker/discourse_doctor`
+
+
+## Docker rebuild errors
+
+`/var/discourse_docker/launcher rebuild web_only`
+
+
+```
+Plugin name is 'ldap', but plugin directory is named 'discourse-ldap-auth'
+rake aborted!
+ActiveRecord::NoDatabaseError: We could not find your database: discoursedb. Available database configurations can be found in config/database.yml. (ActiveRecord::NoDatabaseError)
+
+```
+
+
+```
+FAILED
+--------------------
+Pups::ExecError: cd /var/www/discourse && su discourse -c 'bundle exec rake db:migrate' failed with return #<Process::Status: pid 593 exit 1>
+Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/exec_command.rb:131:in `spawn'
+exec failed with the params {"cd"=>"$home", "tag"=>"migrate", "hook"=>"db_migrate", "cmd"=>["su discourse -c 'bundle exec rake db:migrate'"]}
+bootstrap failed with exit code 1
+** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.
+./discourse-doctor may help diagnose the problem.
+a9a704b1ee166487d8cd2acd5bd9bcc050ed0ec93fc065f58440e4ae208e1937
+```
+
+

kralizec/http11/README.md

@@ -1,3 +1,6 @@
 ---
 VMID: 104
 ---
+
+nginx server
+

kralizec/ldap71/README.md

@@ -0,0 +1,17 @@
+---
+VMID: 109
+---
+
+OpenBSD with ldap service
+
+192.168.1.15
+
+
+Restart the service
+
+```sh
+rcctl check ldapd
+rcctl stop ldapd
+rcctl start ldapd
+```
+

kralizec/postgresql11/README.md

@@ -1,3 +1,14 @@
 ---
 VMID: 105
 ---
+
+Posgresql v13
+
+- ejabberd (xmpp)
+- discourse (forum)
+
+root@192.168.1.28
+
+other databases are migrated to posgresql12
+
+ 

kralizec/postgresql12/README.md

@@ -0,0 +1,54 @@
+---
+VMID: 121
+---
+
+PostgreSql v15
+
+port 5432
+
+[installation wiki](https://wiki.debian.org/PostgreSql)
+
+## Users
+
+- ejabberd
+- discorse
+- gitea
+- wiki
+- replication
+- xmppsqlkrov (not created)
+- dmzrsflask (not created)
+
+
+## Config for databases
+
+- ejabberddb - `/etc/ejabberd/ejabberd.yml`
+- discorsedb (forum11) `/etc/discorse_docker/containers/web_only.yml` and `-||-/data.yml`
+- giteadb `/etc/gitea/app.ini`
+- wikidb `/root/wiki/config.yml`
+- replication
+
+
+```sh
+pg_dump -d <database> -f <file>
+psql -U <user> -d <dababase> -f <dump.psql>
+
+```
+
+## Config file
+
+`/etc/postresql/15main/postresql.conf`
+changed listening_address from localhost to *
+
+`/etc/postresql/15main/pg_hba.conf`
+host all all all md5
+
+add `/etc/ssl/certs/ssl-cert-snakeoil.pem` to `/etc/ssl/` on every service
+
+
+## SSL
+
+For wiki machine certificate pinging is setup
+In config.yml on wiki machine, the certificate path for new sql server should be added
+
+
+    

kralizec/ssh11/README.md

@@ -1,3 +1,5 @@
 ---
 VMID: 114
 ---
+
+[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)

kralizec/wireguard11/README.md

@@ -0,0 +1,56 @@
+---
+VMID: 103
+---
+
+[Wireguard VPN quickstart](https://www.wireguard.com/quickstart)
+
+Check `dmzadmin` for `wireguard.gpg` to know who to contact for access 
+
+---
+
+### Client config
+
+Client config example
+`x` is the assigned on the server as peer:
+
+```conf
+
+[Interface]
+Address = 192.168.164.x/32
+DNS = 1.1.1.1
+MTU = 1420
+SaveConfig = true
+ListenPort = 51820
+FwMark = 0xca6c
+PrivateKey = <your_private_wg_key>
+
+[Peer]
+PublicKey = JP2FTHLUujkevz1kUymciLImsx1OX9ViUko7oPAIoiA=
+AllowedIPs = 192.168.164.0/24, 192.168.1.0/24
+Endpoint = 77.105.27.232:51820
+PersistentKeepalive = 21
+
+```
+
+---
+
+### Server config
+
+New user/client needs to provide their wireguard `publickey` and new ip on the network needs to be assigned (`x`)
+check the server config file `/etc/wireguard/wg0.conf` to find free address
+
+```sh
+sudo wg set wg0 peer <client_public_key> allowed-ips 192.168.164.x/32
+```
+
+---
+
+Command to resolve IP clashing with current and wireguard network, if needed
+
+```shell
+ip route add <ip> dev <wg0>
+```
+
+- `ip` you want to resolve -> for wireguard VM 192.168.1.10
+- `wg0` name of the wireguard config
+

krov/serverko/README.md

@@ -17,3 +17,6 @@ VMID Name
 111  taskmanager12  
 112  stopreklamama12  
 
+##### Legend
+
+12 -> debian 12

krov/serverko/ejabberd12/README.md

@@ -1,3 +1,5 @@
 ---
 VMID: 109
 ---
+
+XMPP server, used for future decentralization

krov/serverko/nginx12/README.md

@@ -1,3 +1,26 @@
 ---
 VMID: 100
 ---
+
+This VM is a reverse proxy, all serveces go through it and get their SSL certificates
+
+## Creating new record
+
+```sh
+cd /etc/nginx/sites-available/ # configs are located here
+vim.tiny pastebin.dmz.rs # using pastebin as example, copy existing one and edit it
+ln -s /etc/nginx/sites-available/pastebin.dmz.rs  /etc/nging/sites-enabled/pastebin.dmz.rs # creating link since file is the same
+mkdir /var/www/pastebindmzrs # new dir where certificate will be validated
+nginx -t # checking for errors
+systemctl reload nginx.service # reloading the service for changes to apply, reset will work too
+service nginx reload # alternative server reload
+certbot certonly --webroot -w /var/www/pastebindmzrs -d pastebin.dmz.rs -d pastebin.decentrala.org # requesting the certificates
+```
+
+## renewal
+
+```sh
+ls /var/www/
+cd /etc/letsencrypt/renewal
+certbot renew
+```

krov/serverko/stopreklamama12/README.md

@@ -1,3 +1,6 @@
 ---
 VMID: 112
 ---
+
+This container is for hosting the [website](https://gitea.dmz.rs/svitvojimilioni/stopreklamama)
+hosted on domen `stopreklamama.dmz.rs`

krov/serverko/taskmanager12/README.md

@@ -1,3 +1,8 @@
 ---
 VMID: 111
 ---
+
+Old app for group task managment, [gitea project](https://gitea.dmz.rs/Decentrala/taskmanager)
+Hosted on [todo.dmz.rs](https://todo.dmz.rs/)
+
+Now using soft.dmz.rs/fixme instead

krov/serverko/tor12/README.md

@@ -1,3 +1,5 @@
 ---
 VMID: 103
 ---
+
+In this container hosts the tor onion service, used for remote access to the proxmox, through tor.

krov/serverko/wireguard12/README.md

@@ -1,3 +1,5 @@
 ---
 VMID: 105
 ---
+
+Wireguard server for VPN access to krov network

krov/srv1/README.md

@@ -1,15 +1,39 @@
 # List of containers
 
-## srv1
+# srv1
 
 VMID Name  
-102  tor12  
-103  dendrite  
-106  icecast12  
-107  mariadb12  
-108  mpd12  
-109  ympd  
-111  sshfs11
-113  ollama12  
-114  chatbot12  
-115  goodvibes12  
+100  ssh12
+101  vukbox
+102  mad3v-container-postgresql  
+103  nextcloud1 
+104  pentest
+105  dns12
+106  cryptpad  
+107  cryptpad12
+108  ejabberd12 
+109  dante12  
+111  postgresql12
+112  gitea12
+113  game12 
+114  coja-nginx 
+115  mad3v-container-1  
+116  hugo12  
+118  mumble
+119  netstat-game12
+120  privatebin12
+121  searxng12 
+122  alpine-it-tools  
+123  test  
+124  jitsi12
+
+---
+
+### Hardware
+
+Dell enterprise server
+
+##### Legend
+
+12 -> debian 12 lxc
+

krov/srv1/alpine-it-tools/README.md

@@ -0,0 +1,7 @@
+---
+VMID: 122
+---
+
+Installed with [proxmox helper scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=alpine-it-tools)
+
+Plan to host it on tools.dmz.rs

krov/srv1/chatbot12/README.md

@@ -1,3 +0,0 @@
----
-VMID: 114
----

krov/srv1/cryptpad12/README.md

@@ -0,0 +1,13 @@
+---
+VMID: 106
+---
+
+Installed with [proxmox helper scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=cryptpad)
+
+[Project page](https://cryptpad.org/)
+
+
+Plan to host it on cryptpad.dmz.rs
+
+cryptpad (106) is already on that subdomain, but it doesnt work
+

krov/srv1/ejabberd12/README.md

@@ -0,0 +1,5 @@
+---
+VMID: 108
+---
+
+XMPP server, practice for future decentralization of the service

krov/srv1/homeAssistentInstanca/README.md

@@ -0,0 +1,9 @@
+---
+VMID: 117
+---
+
+Installed with [proxmox helper scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=haos-vm)
+
+[Forum descussion](https://forum.dmz.rs/t/automatizacija-krova/469)
+
+

krov/srv1/icecast12/README.md

@@ -1,3 +0,0 @@
----
-VMID: 106
----

krov/srv1/jitsi12/README.md

@@ -0,0 +1,9 @@
+---
+VMID: 124
+---
+
+Video converencing server. Zoom alternative.
+
+[website](https://jitsi.org/)
+
+Plan to host it on jitsi.dmz.rs, video.dmz.rs or else

krov/srv1/mumble/README.md

@@ -0,0 +1,9 @@
+---
+VMID: 118
+---
+
+VOIP server, hosted on krov.dmz.rs
+
+[website](https://www.mumble.info/)
+
+

krov/srv1/netstat-game12/README.md

@@ -0,0 +1,6 @@
+---
+VMID: 119 
+---
+
+Open arena server, free clone of FPS Quake III Arena
+Hosted on krov.dmz.rs:27960 for LAN Parties

krov/srv1/nextcloud1/README.md

@@ -0,0 +1,9 @@
+---
+VMID: 103
+---
+
+Plan for this services was to use the shared callendar with members of DC Krov
+
+Register as a user is disabled, only admins can create the accounts
+LDAP is not connected
+

krov/srv1/old-abandoned/README.md

@@ -0,0 +1 @@
+Those serveces are not on the server

krov/srv1/old-abandoned/chatbot12/README.md

@@ -0,0 +1,5 @@
+---
+VMID: 114
+---
+
+[Forum discussion](https://forum.dmz.rs/t/jel-neko-u-krovu-bot/779)

krov/srv1/other/README.md

@@ -0,0 +1,32 @@
+Here should be the list of other containers on the server
+
+## "Personal containers" 
+created on some of the sysadmin workshops, used for learning and practice, usually named by the nickname
+
+- vukbox
+- hugo12
+- malin
+- mad3v-container-postresql
+- mad3v-container-1
+- coja-nginx hosting [coja.krov.dmz.rs](https://coja.krov.dmz.rs/)
+- 
+
+---
+
+## Other 
+
+- pentest - created by fleka for CTF challange
+
+---
+
+## Containers with no info
+Feel free to add info 
+
+- dante12
+- dns12
+- gitea12
+- test
+- game12
+
+
+

krov/srv1/postgresql12/README.md

@@ -0,0 +1,5 @@
+---
+VMID: 111
+---
+
+Probably used as a testing ground for syncing the database, for future decentralization.

krov/srv1/privatebin12/README.md

@@ -0,0 +1,10 @@
+---
+VMID: 120
+---
+
+Installed with [proxmox helper scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=privatebin)
+
+[Project page](https://privatebin.info/)
+
+Hosted on [subdomain on dmz](https://pastebin.dmz.rs/)
+

krov/srv1/searxng12/README.md

@@ -0,0 +1,10 @@
+---
+VMID: 121
+---
+
+Installed with [proxmox helper scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=searxng)
+
+[Project git repo](https://github.com/searxng/searxng)
+
+Hosted on [subdomain on dmz](https://search.dmz.rs/)
+

krov/srv1/ssh12/README.md

@@ -0,0 +1,8 @@
+---
+VMID: 100
+---
+
+SSH port from this container is forwarded on krov.dmz.rs
+SSH access to other containers is done through this one with ssh jump, passwords are disabled, so only keys verification is used. 
+
+[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)

krov/srv1/sshfs11/README.md

@@ -1,3 +0,0 @@
----
-VMID: 111
----

network.rec

@@ -5,19 +5,18 @@ name: ISP Router
 location: kralizec
 ISP: Orion
 
-name: ISP Router
-location: krov
-ISP: Yettel
-
 %rec: host
 %doc: These are the real machines, most of which run VMs or containters.
 %key: name
 
 name: moxx
 location: kralizec
+local_access: 192.168.1.200:8006
 
-name: Serverko
-location: krov
+name: nimbus
+location: xecut
+description: raspberry pi
+os: Arch Linux Aarm
 
 %rec: lxc
 %doc: A container, usually on a Proxmox host.
@@ -35,6 +34,10 @@ proxies: dmzrs
 name: LDAP
 host: moxx
 
+name: dmzrs
+host: moxx
+note: hosts the dmz.rs website
+
 name: website
 host: moxx
 authqueries: LDAP
@@ -85,4 +88,3 @@ host: Serverko
 
 name: tor12
 host: nginx
-

scripts/generatepass.sh

@@ -0,0 +1,5 @@
+
+#!/bin/bash
+
+echo $(shuf shared/english.txt | head) | sed "s/ //g"
+

setup/ssh_FAQ.md

@@ -56,7 +56,6 @@ Now all the files have 'read, write, and execute', but only for `$USER`.
 Host soft
     HostName soft.dmz.rs
     Port 2222
-	User ghost
 	IdentityFile ~/.ssh/id rsa
 Host dmz
     HostName dmz.rs

setup/ssh_to_lxc.md

@@ -0,0 +1,36 @@
+---
+volume: Decentrala
+section: 6
+title: Access Linux Containers in Moxx over `ssh`
+author: Malin
+source: dmz.rs
+---
+
+Access `moxx`, the Proxmox machine:
+
+1. Check you can access the creds in `dmzadmin`: `gpg -d credentials/kralizec/ssh11.gpg`.
+2. Check the creds work: `ssh dmz.rs ls`.
+3. Copy your ssh keys across: `ssh-copy-id -i ~/id_selected dmz.rs`.
+4. Check that works: `test $(ssh dmz.rs hostname) = ssh11`
+5. Find `moxx`' IP address in its credentials: `moxxIP=[ user ]@[ local ip ]`
+6. Jump through `ssh11` to access `moxx`: `ssh -J user@dmz.rs $moxx_ip`
+
+
+# Enter Containers
+
+Use `pct` to find and access containers:
+
+```sh
+pct list | grep -v stopped
+pct enter 112
+```
+
+- Don't tell people to type 'pct enter', or they will type `pct`, and hit the enter key I TOLD YOU ALL THE KEY SHOULD BE CALLED RETURN.
+- Now you're in the container.
+
+## Just for Fun
+
+```sh
+pct list | grep -v VMID |\
+    column -J -N vmid,state,current,name  | less -R
+```

wg.mk

@@ -0,0 +1,54 @@
+public_key = $(shell cat /etc/wireguard/dmz_public_key)
+name := $(shell git config list | grep user.nam | cut -d= -f2)
+
+
+# Local keys
+
+wireguard/dmz_private_key: | /bin/wg wireguard/
+	wg genkey > $@
+	chmod 700 $@
+
+wireguard/dmz_public_key: wireguard/dmz_private_key | /bin/wg
+	$| pubkey < $< > $@
+
+##############################
+
+wgkeys.rec: wireguard/dmz_public_key
+	$(info Adding wireguard key as '$(name)')
+	recins --verbose $@ -t $(basename $@) -f name -v '$(name)' -f pubkey -v '$(shell cat $<)'
+	git add $@
+	git commit -m"add wireguard key for $(name)"
+	$(info Remember to git push)
+
+wireguard/dmz.conf: wireguard/dmz_bare.conf | wireguard/dmz_private_key
+	sed 's#PRIVATE_KEY#$(shell cat $|)#' $< > $@
+
+wireguard/dmz_bare.conf: wgkeys.rec | xecut/nimbus/dmz.conf
+	recsel $< -t $(basename $<) -e 'name = "$(name)"' | recfmt -f $| > $@
+
+###### Wireguard configuration #####
+
+wireguard/wg_peers.txt: wgkeys.rec | xecut/nimbus/wg_peer.fmt
+	recsel $< -t $(basename $<) | recfmt -f $| > $@
+
+ignored += ansible/playbooks/files/wireguard/wg0.conf
+
+ansible/playbooks/files/wireguard/wg0.conf: wireguard/wg_peers.txt | ansible/playbooks/files/wireguard/server_head
+	cd ansible && ansible-vault view playbooks/files/wireguard/server_head > playbooks/files/wireguard/wg0.conf
+	cat $< >> $@
+	cd ansible && ansible-vault encrypt playbooks/files/wireguard/wg0.conf
+
+
+##### Installing Wireguard Client #####
+
+.PHONY: wg-create
+wg-create: wireguard/dmz.conf ## Set up wireguard keys (do this before installing)
+
+.PHONY: wg-install
+wg-install: /etc/wireguard/dmz.conf ## Install wireguard keys (use sudo)
+/etc/wireguard/dmz.conf: wireguard/dmz.conf | /bin/wg
+	cp $< $@
+
+.PHONY: wg-setup
+wg-setup: ansible/playbooks/files/wireguard/wg0.conf ## Renew the wireguard config
+	make -C ansible wireguard

wgkeys.rec

@@ -0,0 +1,19 @@
+%rec: wgkeys
+%key: id
+%type: name,pubkey line
+%type: id int
+%auto: id
+%mandatory: name
++ pubkey
+
+id: 2
+name: Malin Freeborn
+pubkey: loNnXRalD0ZyOLadSWm31rqOuRfEbgtX9O4/z7eSIho=
+
+id: 3
+name: coja
+pubkey: snfw8r1hIAtTABGd7K9xIZ9RH62qMEK4fRqVm4EbniQ=
+
+id: 4
+name: netstat
+pubkey: Z8bk25hHo6oadOX7KtoLUDXGW9r+thMiR320aiGmQAQ=

xecut/nimbus/README.md

@@ -0,0 +1,25 @@
+---
+source: Decentrala
+section: 6
+title: Nimbus
+---
+
+Nimbus is a raspberry pi.
+
+Somehow, nimbus has two ip addresses.
+They're not yet static, or available from outside.
+
+```
+IP =  192.168.0.93
+      192.168.0.94
+```
+
+Plan (tentative)
+----------------
+
+1. Set Pi up with Wireguard.
+1. Possibly create a separate network for Decentrala services.
+1. Ansible.
+1. ... ?
+1. Profit.
+

xecut/nimbus/dmz.conf

@@ -0,0 +1,11 @@
+# Client configuration for wireguard to nimbus at xecut.
+
+[Interface]
+Address = 10.0.0.{{id}}/32
+PrivateKey = PRIVATE_KEY
+
+[Peer]
+PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
+Endpoint = space.xecut.me:51900
+AllowedIPs = 10.0.0.1/24
+

xecut/nimbus/wg_peer.fmt

@@ -0,0 +1,4 @@
+[Peer]
+PublicKey = {{pubkey}}
+AllowedIPs = 10.0.0.{{id}}/32
+

xecut/nimbus/wireguard_client.conf

@@ -0,0 +1,14 @@
+
+[Interface]
+Address = 10.0.0.1/24
+SaveConfig = true
+PrivateKey = PRIVATE_KEY
+ListenPort = 51900
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
+AllowedIPs = 10.0.0.2/32
+