Decentrala/dmzconf
18
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Decentrala:master
Branches Tags
Decentrala:master
Decentrala:man
Decentrala:bydir
Decentrala:Help
disu1950:master
disu1950:Help
..
compare: disu1950:master
Branches Tags
disu1950:master
disu1950:Help
Decentrala:master
Decentrala:man
Decentrala:bydir
Decentrala:Help

No commits in common. "master" and "master" have entirely different histories.
master ... master

14 changed files with 136 additions and 294 deletions
Show Stats Expand all files Collapse all files

87
Makefile
View File

@ -1,77 +1,58 @@
ignore_file = .git/info/exclude
.PHONY: help .PHONY: help
help: ## Print the help message help: ## Print the help message
@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \ @awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
sort | \ sort | \
column -s ':' -t column -s ':' -t
.PHONY: check map.txt: map.ge ## Making map.txt
check: ## Check you have all dependencies grep -v '# unimportant' $< | graph-easy --boxart > $@
@command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;} cat $@
@command -v recsel >/dev/null || { echo "Install recutils" && exit 1 ;}
@command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;}
@echo "All dependencies installed"
########## Network Map ########## full_map.txt: map.ge ## Generating full_map.txt with graph-easy
graph-easy --boxart < $< > $@
cat $@
graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot ########## Man Pages ##########
graph_cmd = graph-easy --boxart mandir = $(HOME)/.local/man/man6
queries = queries authqueries kralizec_docs != grep -rl "^section:" kralizec
kralmans = $(kralizec_docs:kralizec/%/README.md=$(mandir)/%.6)
query_formats = $(patsubst %, .dbs/%.txt, $(queries)) $(mandir)/%.6: kralizec/%/README.md
lowdown -stman $< > $@
dotquery_formats = $(patsubst %, .dbs/%.dot, $(queries)) krov_docs != grep -rl "^section:" krov
krovmans = $(krov_docs:krov/%/README.md=$(mandir)/%.6)
.dbs/: | $(ignore_file) $(mandir)/%.6: krov/%/README.md
mkdir $@ lowdown -stman $< > $@
ignored += .dbs/ splint_docs != grep -rl "^section:" splintrs
splintmans = $(splint_docs:splintrs/%/README.md=$(mandir)/%.6)
$(query_formats): .dbs/%.txt: | .dbs/ $(mandir)/%.6: splintrs/%/README.md
echo "[ {{name}} ] -- $(basename $(@F)) --> [ {{$(basename $(@F))}} ]" > $@ lowdown -stman $< > $@
$(dotquery_formats): .dbs/%.dot: | .dbs/ setup_docs != grep -rl "^section:" setup
echo '{{name}} -> {{$(basename $(@F))}} [ label="$(basename $(@F))" ];' > $@ setupmans = $(setup_docs:setup/%.md=$(mandir)/%.6)
ifeq ($(graph_program),dot) $(mandir)/%.6: setup/%.md
map_file = network.png lowdown -stman $< > $@
else
map_file = network.txt
endif
ignored += $(map_file) $(mandir):
mkdir -p $@
.PHONY: map $(kralmans) $(krovmans) $(splintmans) $(setupmans) :| $(mandir)
map: $(map_file) ## Generate a network map
network.txt: .dbs/network.txt .PHONY: pages
$(graph_cmd) < $< pages: $(kralmans) $(krovmans) $(setupmans) $(splintmans)
$(info $(kralmans))
.dbs/network.txt: network.rec $(query_formats) @test ! $(command -v mandb) || mandb --user-db
$(RM) $@ $(info Open DMZ's man pages with 'man 6 <tab>')
$(foreach relation, $(queries), \
recsel $< -t lxc -e "$(relation) != ''" -p name,$(relation) | recfmt -f .dbs/$(relation).txt >> $@ ;\
)
.dbs/network.dot: network.rec $(dotquery_formats)
echo 'digraph network {' > $@
$(foreach relation, $(queries), \
recsel $< -t lxc -e "$(relation) != ''" -p name,$(relation) | recfmt -f .dbs/$(relation).dot >> $@ ;\
)
echo '}' >> $@
network.png: .dbs/network.dot $(ignore_file)
dot -T png < $< > $@
########## ##########
$(ignore_file): $(MAKEFILE_LIST)
echo $(ignored) | tr ' ' '\n' > $@
clean: clean:
$(RM) -r $(ignored) $(RM) $(kralmans) $(krovmans)

62
README.md
View File

@ -2,11 +2,6 @@ These setup files provide the text-only configurations for DMZ.
*It should not contain private data.* *It should not contain private data.*
# Dependencies
- `recutils`
- (optional) `graph-easy` (the package may be called `perl-graph-easy`)
# Aspirations # Aspirations
- Each service should reside in its own directory. - Each service should reside in its own directory.
@ -20,60 +15,3 @@ These setup files provide the text-only configurations for DMZ.
- Any maintenance scripts. - Any maintenance scripts.
- Configurations should reside in shadow-directories, e.g. a backup `soft-serve`'s `config.yaml` should reside in this repo under `splint.rs/soft-serve/etc/soft/config.yaml`. - Configurations should reside in shadow-directories, e.g. a backup `soft-serve`'s `config.yaml` should reside in this repo under `splint.rs/soft-serve/etc/soft/config.yaml`.
# Network Database
I have a half-baked plan to finally make use of plain-text databases, and it's already half-working.
Try these commands:
Ask what types of _rec_ords it contains:
## Database
```sh
recinf network.rec
```
### Select queries
Select with `recsel`, then specify the database (.rec) and type of record (like table in db).
- `--include-descriptors` or `-d`
- `--type` or `-t`
- `--expression` or `-e`
- `--quick` or `-q`
```sh
recsel network.rec --type router
recsel network.rec -d -t lxc
```
User `-q` for a `--quick` selection, or `-e` for more precise selections.
```sh
recsel network.rec --type lxc --quick wiki
recsel network.rec -t lxc -q nginx
recsel network.rec -t lxc -e "name ~ 'nginx'"
recsel network.rec -t lxc -e "name = 'nginx12'"
```
### Insert queries
Insert a new record with `recins`.
```sh
recins network.rec -t lxc -r "name: bob" -r "service: bob" -r "host: moxx"
```
### Update queries
If you can select something, you can also set its fields with `recset`.
Use `-f` to set the `--field`, and `-a` to `--add`, or `-s` to `--set`.
```sh
recset network.rec -t lxc -e "name = 'nginx12'" -f proxies -a soft-serve
recsel network.rec -t lxc -e "name = 'nginx11'" -p proxies[0]
recset network.rec -t lxc -e" name = 'nginx11'" -f proxies[0] -s wiki9
```

2
kralizec/ssh11/README.md
View File

@ -1,5 +1,3 @@
--- ---
VMID: 114 VMID: 114
--- ---
[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)

56
kralizec/wireguard11/README.md
View File

@ -1,56 +0,0 @@
---
VMID: 103
---
[Wireguard VPN quickstart](https://www.wireguard.com/quickstart)
Check `dmzadmin` for `wireguard.gpg` to know who to contact for access
---
### Client config
Client config example
`x` is the assigned on the server as peer:
```conf
[Interface]
Address = 192.168.164.x/32
DNS = 1.1.1.1
MTU = 1420
SaveConfig = true
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <your_private_wg_key>
[Peer]
PublicKey = JP2FTHLUujkevz1kUymciLImsx1OX9ViUko7oPAIoiA=
AllowedIPs = 192.168.164.0/24, 192.168.1.0/24
Endpoint = 77.105.27.232:51820
PersistentKeepalive = 21
```
---
### Server config
New user/client needs to provide their wireguard `publickey` and new ip on the network needs to be assigned (`x`)
check the server config file `/etc/wireguard/wg0.conf` to find free address
```sh
sudo wg set wg0 peer <client_public_key> allowed-ips 192.168.164.x/32
```
---
Command to resolve IP clashing with current and wireguard network, if needed
```shell
ip route add <ip> dev <wg0>
```
- `ip` you want to resolve -> for wireguard VM 192.168.1.10
- `wg0` name of the wireguard config

7
krov/srv1/cryptpad/README.md
View File

@ -1,7 +0,0 @@
---
VMID: 106
---
[Project page](https://cryptpad.org/)

8
krov/srv1/privatebin/README.md
View File

@ -1,8 +0,0 @@
---
VMID: 120
---
[Project page](https://privatebin.info/)
Hosted on [subdomain on dmz](https://pastebin.dmz.rs/)

8
krov/srv1/searxng/README.md
View File

@ -1,8 +0,0 @@
---
VMID: 121
---
[Project git repo](https://github.com/searxng/searxng)
Hosted on [subdomain on dmz](https://search.dmz.rs/)

5
krov/srv1/ssh12/README.md
View File

@ -1,5 +0,0 @@
---
VMID: 100
---
[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)

0
krov/srv1/postgresql12/README.md → krov/srv1/sshfs11/README.md
View File

39
map.ge Normal file
View File

@ -0,0 +1,39 @@
# Network map of Decentrala. Use with:
# graph-easy --boxart < netmap.txt
(Mox
[ m_router ]{label: router ;}
[ wireguard ] --> [ m_nginx ]{label: nginx-11 ;}
[ wiki ] --> [ m_nginx ]
[ gitea ] --> [ m_nginx ]
[ tor11 ] --> [ m_nginx ] --> [ m_router ]
[ smtp ]
)
(Serverko
[ s_nginx ]{label: nginx-12 ;}
[ s_router ]{label: router ;}
[ s_nginx ] --> [ nextcloud ]
[ s_nginx ] --> [ tor12 ]
[ s_nginx ] --> [ s_router ]
)
(splint.rs # unimportant
[ soft-serve ] # unimportant
[ mail-cache ]# unimportant
) # unimportant
[ tor12 ] <..> [ onions ] <..> [ tor11 ]
[ m_router ] <..> [ BGP ] <..> [ madness ] <..> [ s_router ]
[ smtp ] <..> [ madness ]
[ madness ] <..> [ mail-cache ]# unimportant
[ A ]{label: "" ;}
[ B ]{label: "" ;}
[ C ]{label: "" ;}
[ D ]{label: "" ;}
[ onions ] <..> [ A ]
[ onions ] <..> [ B ]
[ A ] <..> [ C ]
[ B ] <..> [ D ]
(Sharks! [ D ])

88
network.rec
View File

@ -1,88 +0,0 @@
%rec: router
%doc: Routers, or possibly modems?
name: ISP Router
location: kralizec
ISP: Orion
name: ISP Router
location: krov
ISP: Yettel
%rec: host
%doc: These are the real machines, most of which run VMs or containters.
%key: name
name: moxx
location: kralizec
name: Serverko
location: krov
%rec: lxc
%doc: A container, usually on a Proxmox host.
%type: host rec host
name: nginx11
gateway: ISP-router
host: moxx
proxies: wiki11
proxies: gitea11
proxies: forum11
proxies: ejabberd11
proxies: dmzrs
name: LDAP
host: moxx
name: website
host: moxx
authqueries: LDAP
queries: postgresql11
service: dmzrs
service: flask accounts
name: gitea11
service: gitea
host: moxx
authqueries: LDAP
queries: postgresql11
name: ejabberd11
service: ejabberd
host: moxx
authqueries: LDAP
queries: postgresql11
name: forum11
service: forum
host: moxx
authqueries: LDAP
queries: postgresql11
name: postfix11
service: postfix
authqueries: LDAP
name: tor11
service: tor
host: moxx
name: postgresql11
service: postgresql
host: moxx
name: wiki11
service: wiki
host: moxx
authqueries: LDAP
name: nginx12
host: Serverko
name: nextcloud
host: Serverko
name: tor12
host: nginx

5
scripts/generatepass.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
echo $(shuf shared/english.txt | head) | sed "s/ //g"

62
scripts/showpass.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/sh
# If you want to add these passwords to the `pass` program, you can
# symlink all the passwords which you can open, then open the
# passwords with a script like this.
pass_store=~/.password-store
# THIS_PLACE="$PWD"
# mkdir $pass_store/dmz
# cd !$
# find "$THIS_PLACE" -type f -name "*.gpg" | \
# sed "s#/home/ghost#../..#" | \
# while read -r line; do
# gpg -d "$line" && ln -sf "$line" .
# done
sanity_check(){
command -v $1 >/dev/null || (
echo "You must install $1"
exit 1
)
}
set_selector_if_program_exists(){
command -v "$1" > /dev/null && selector="$1 $2"
}
if [ -z "$DISPLAY" ]; then
set_selector_if_program_exists sk || \
set_selector_if_program_exists fzy || \
set_selector_if_program_exists fzf
fail_sender='echo'
else
set_selector_if_program_exists "rofi" 'rofi -dmenu "$@"' || \
set_selector_if_program_exists dmenu || \
(
echo "Cannot find anything to select a key. Install dmenu."
exit 1
)
fail_sender='notify-send'
fi
list_keys(){
find -L . -mindepth 1 -type f -name "*.gpg" | \
sed 's/\.\///' | \
sed 's/.gpg//'
}
####################
set -e
sanity_check pass
cd "$pass_store"
password="$(list_keys | $selector)"
pass -c "$password" || $fail_sender 'Cannot decrypt'

1
setup/ssh_FAQ.md
View File

@ -56,6 +56,7 @@ Now all the files have 'read, write, and execute', but only for `$USER`.
Host soft Host soft
HostName soft.dmz.rs HostName soft.dmz.rs
Port 2222 Port 2222
User ghost
IdentityFile ~/.ssh/id rsa IdentityFile ~/.ssh/id rsa
Host dmz Host dmz
HostName dmz.rs HostName dmz.rs