Compare commits

..

6 commits

Author SHA1 Message Date
b5cec5cf4c
fix: firezone websocket 2024-01-10 01:24:38 +01:00
23813ac048
fix: forgot ; 2024-01-10 01:22:35 +01:00
890b90a7c2
fix: firezone websocket 2024-01-10 01:20:54 +01:00
62037c2495
fix: firezone network 2024-01-10 01:10:32 +01:00
9dbfdeeb7a
feat: firezone yml 2024-01-10 01:06:29 +01:00
ac2e41e257
feat: firezone 2024-01-10 01:06:09 +01:00
25 changed files with 221 additions and 180 deletions

8
.idea/.gitignore vendored
View file

@ -1,8 +0,0 @@
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml

View file

@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="DiscordProjectSettings">
<option name="show" value="ASK" />
<option name="description" value="" />
</component>
<component name="ProjectRootManager" version="2" languageLevel="JDK_17" default="true" project-jdk-name="jbr-17" project-jdk-type="JavaSDK">
<output url="file://$PROJECT_DIR$/out" />
</component>
</project>

View file

@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/neb.iml" filepath="$PROJECT_DIR$/.idea/neb.iml" />
</modules>
</component>
</project>

View file

@ -1,9 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<content url="file://$MODULE_DIR$" />
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
</component>
</module>

View file

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="" vcs="Git" />
</component>
</project>

View file

@ -1,6 +0,0 @@
when:
event:
- push
- manual
- tag

View file

@ -1,16 +0,0 @@
FROM nginx:alpine
RUN apk add \
certbot \
certbot-nginx
COPY content /usr/share/nginx/html
COPY conf.d/ /etc/nginx/conf.d/
COPY nginx.conf /etc/nginx/nginx.conf
VOLUME /etc/nginx/conf.d/
VOLUME /usr/share/nginx/html/
COPY entrypoint.sh /entrypoint
ENTRYPOINT [ "sh", "/entrypoint" ]
CMD [ "nginx", "-g", "daemon off;" ]

View file

@ -1,17 +0,0 @@
server {
listen 80;
server_name _;
# SSL is managed by certbot, no need for a ssl listen; it will be generated automagically!
# default html page
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

View file

@ -1,24 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html {
color-scheme: light dark;
}
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<span>This is the default page, so the admin was likely too lazy too remove it.</span>
</body>
</html>

View file

@ -1,28 +0,0 @@
#!/bin/sh
trap exit TERM
if [ -n "${CERTBOT_DOMAINS}" ]; then
echo "registering..."
if ! certbot show_account; then
certbot register -n \
--agree-tos \
-m "${CERTBOT_EMAIL}"
fi
for d in $(echo "${CERTBOT_DOMAINS}" | sed 's/,/ /g'); do
echo "requesting for $d..."
certbot --nginx -n --keep -d "$d"
done
while :; do
echo "renewing domains..."
certbot --nginx --keep -n renew
sleep 12h &
wait $!
done &
else
echo "skipping certbot due to no domains!"
fi &
exec "$@"

View file

@ -0,0 +1,27 @@
server {
listen 80;
server_name fz.ixvd.net;
location /live/websocket {
proxy_pass http://firezone:13000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_pass http://firezone:13000;
client_max_body_size 0;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

View file

@ -0,0 +1,66 @@
version: '2.2'
# Example compose file for production deployment on Linux.
#
# Note: This file is meant to serve as a template. Please modify it
# according to your needs. Read more about Docker Compose:
#
# https://docs.docker.com/compose/compose-file/
#
#
x-deploy: &default-deploy
restart_policy:
condition: unless-stopped
delay: 5s
window: 120s
update_config:
order: start-first
services:
firezone:
image: firezone/firezone:${VERSION:-latest}
ports:
- 51820:51820/udp
environment:
EXTERNAL_URL: "https://fz.ixvd.net/"
DATABASE_HOST: "fz-postgres"
DATABASE_USER: "firezone"
DATABASE_PASSWORD: "firezone"
env_file:
- /etc/ixvd/secrets/env/firezone.env
volumes:
- /srv/firezone/config:/var/firezone
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv4.ip_forward=1
- net.ipv6.conf.all.forwarding=1
depends_on:
- postgres
networks:
proxy:
fz-internal:
ipv4_address: 172.90.0.10
ipv6_address: fcff:3990:3990::99
fz-postgres:
image: postgres:15
volumes:
- /srv/firezone/data:/var/lib/postgresql/data
environment:
POSTGRES_DB: firezone
POSTGRES_USER: firezone
POSTGRES_PASSWORD: firezone
networks:
- fz-internal
networks:
fz-internal:
enable_ipv6: true
driver: bridge
ipam:
config:
- subnet: 172.90.0.0/16
- subnet: fcff:3990:3990::/64
gateway: fcff:3990:3990::1

View file

@ -7,7 +7,7 @@ services:
build: custom/nginx build: custom/nginx
environment: environment:
CERTBOT_EMAIL: "webmaster@ixvd.net" CERTBOT_EMAIL: "webmaster@ixvd.net"
CERTBOT_DOMAINS: "apoc.ixvd.net,mail.ixvd.net,git.ixvd.net,my.ixvd.net,ci.ixvd.net,baikal.ixvd.net,pg.ixvd.net,snipe.ixvd.net" CERTBOT_DOMAINS: "apoc.ixvd.net,mail.ixvd.net,git.ixvd.net,my.ixvd.net,ci.ixvd.net,baikal.ixvd.net,pg.ixvd.net,snipe.ixvd.net,fz.ixvd.net"
volumes: volumes:
- /srv/certbot/data:/etc/letsencrypt - /srv/certbot/data:/etc/letsencrypt
- /srv/certbot/other/www:/var/www/certbot - /srv/certbot/other/www:/var/www/certbot

View file

@ -1,10 +0,0 @@
server {
listen 80;
server_name nebulosus.nl;
# SSL is managed by certbot, no need for a ssl listen; it will be generated automagically!
location / {
proxy_pass http://site;
}
}

View file

@ -1,8 +0,0 @@
version: '2.2'
services:
site:
image: git.ixvd.net/nebulosus/web
networks:
- proxy

View file

@ -7,7 +7,7 @@ services:
build: custom/nginx build: custom/nginx
environment: environment:
CERTBOT_EMAIL: "webmaster@ixvd.net" CERTBOT_EMAIL: "webmaster@ixvd.net"
CERTBOT_DOMAINS: "keymaker.ixvd.net,ixvd.net,via.ixvd.net,cdn.ixvd.net,park.ixvd.net,nebulosus.nl" CERTBOT_DOMAINS: "keymaker.ixvd.net,ixvd.net,via.ixvd.net,cdn.ixvd.net,park.ixvd.net"
volumes: volumes:
- /srv/certbot/data:/etc/letsencrypt - /srv/certbot/data:/etc/letsencrypt
- /srv/certbot/other/www:/var/www/certbot - /srv/certbot/other/www:/var/www/certbot

View file

@ -0,0 +1,13 @@
FROM nginx:alpine
RUN apk add \
certbot \
certbot-nginx
COPY content /usr/share/nginx/html
COPY conf.d/ /etc/nginx/conf.d/
COPY nginx.conf /etc/nginx/nginx.conf
COPY entrypoint.sh /entrypoint
ENTRYPOINT [ "sh", "/entrypoint" ]
CMD [ "nginx", "-g", "daemon off;" ]

View file

@ -0,0 +1,21 @@
server {
listen 80;
server_name localhost;
# SSL is managed by certbot, no need for a ssl listen; it will be generated automagically!
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# default html page
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

View file

@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html {
color-scheme: light dark;
}
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<hr/>
<span>If you're seeing this, it means the admin was too lazy to remove this page.</span><br/>
<span>Expected something here? contact the admin: webmaster@ixvd.net</span>
</body>
</html>

View file

@ -0,0 +1,28 @@
#!/bin/sh
trap exit TERM
if [ -n "${CERTBOT_DOMAINS}" ]; then
echo "registering..."
if ! certbot show_account; then
certbot register -n \
--agree-tos \
-m "${CERTBOT_EMAIL}"
fi
for d in $(echo "${CERTBOT_DOMAINS}" | sed 's/,/ /g'); do
echo "requesting for $d..."
certbot --nginx -n --keep -d "$d"
done
while :; do
echo "renewing domains..."
certbot --nginx --keep -n renew
sleep 12h &
wait $!
done &
else
echo "skipping certbot due to no domains!"
fi &
exec "$@"

View file

@ -0,0 +1,35 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# docker resolver and quad9;
resolver 127.0.0.11 9.9.9.9 ipv6=off;
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

View file

@ -4,8 +4,7 @@ version: '2.2'
services: services:
# default nginx setup # default nginx setup
nginx: nginx:
build: build: custom/nginx
context: ../../../images/nginx
environment: environment:
CERTBOT_EMAIL: "webmaster@ixvd.net" CERTBOT_EMAIL: "webmaster@ixvd.net"
CERTBOT_DOMAINS: "localhost" CERTBOT_DOMAINS: "localhost"

View file

@ -1 +1 @@
07453417352829e9a47d22b3d8e15e0bb2d12df86f92165bda2568883d1817ab - 059c7c3eb87d4a9bd30b70ba9016b875783b9206cbd44b4c2dc1bb8f59787127 -

View file

@ -1,6 +0,0 @@
#!/bin/sh
for target in $@; do
ip=$(dig $target +short)
printf "%-20s -> %20s (%s)\n" "$target" "$(dig -x $ip +short)" "$ip"
done

View file

@ -1,18 +0,0 @@
#!/bin/sh
argi=1
while getopts '5qh' opt; do
case $opt in
5) argi=2 ;;
q) argi=3 ;;
h) echo "-5 = 5 minutes, -q = a quarter (15 min)"; exit ;;
\?) exit 1 ;;
esac
done
shift $((OPTIND-1))
LOADVAL=$(awk "{ print \$$argi; }" < /proc/loadavg)
NUMCPUS=$(getconf _NPROCESSORS_ONLN)
echo "$LOADVAL * 100 / $NUMCPUS" | bc