150 lines
5.3 KiB
Markdown
150 lines
5.3 KiB
Markdown
# TuDatTr IaC
|
|
|
|
## Backups
|
|
Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone.
|
|
but first of all we need to create the buckets and provide ansible with the needed information.
|
|
## Vault
|
|
- Create vault with: `ansible-vault create secrets.yml`
|
|
- Create entry in vault with: `ansible-vault edit secrets.yml`
|
|
- Add following entries:
|
|
- `vault_pi_tudattr_password: <YOURPASSWORD>` (password you've setup on the device)
|
|
- `vault_aya01_tudattr_password: <YOURPASSWORD>` (password you've setup on the device)
|
|
- `vault_pihole_password: <YOURPASSWORD>` (arbitrary password you want to log in with)
|
|
- `vault_mysql_root_password: <YOURPASSWORD>` (arbitrary password, used internally)
|
|
- `vault_mysql_user_password: <YOURPASSWORD>` (arbitrary password, used internally)
|
|
- `vault_ddns_tudattrdev_password: <YOURPASSWORD>` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))
|
|
- `vault_ddns_borgland_password: <YOURPASSWORD>` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))
|
|
|
|
## Server
|
|
- Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system
|
|
- Create user (tudattr)
|
|
- Get IP of remote system (192.168.20.11)
|
|
- Create ssh-config entry
|
|
```config
|
|
Host aya01
|
|
HostName 192.168.20.11
|
|
Port 22
|
|
User tudattr
|
|
IdentityFile /mnt/veracrypt1/genesis
|
|
```
|
|
- copy public key to remote system
|
|
`ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01`
|
|
- Add this host to ansible inventory
|
|
- Install sudo on remote
|
|
- add user to sudo group (with `su --login` without login the path will not be loaded correctly see [here](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754)) and `usermod -a -G sudo tudattr`
|
|
- set time correctly when getting the following error
|
|
```sh
|
|
Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.
|
|
```
|
|
By doing on remote system (example):
|
|
```sh
|
|
sudo systemctl stop ntp.service
|
|
sudo ntpd -gq
|
|
sudo systemctl start ntp.service
|
|
```
|
|
### zoneminder
|
|
- Enable authentification in (Option->System)
|
|
- Create new Camera:
|
|
- General>Name: BirdCam
|
|
- General>Function: Ffmpeg
|
|
- General>Function: Modect
|
|
- Source>Source Path: `rtsp://user:pw@ip:554/cam/mpeg4`
|
|
- Change default admin password
|
|
- Create users
|
|
|
|
|
|
|
|
## RaspberryPi
|
|
- Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi
|
|
- Get IP of remote system (192.168.20.11)
|
|
- Create ssh-config entry
|
|
```config
|
|
Host pi
|
|
HostName 192.168.20.11
|
|
Port 22
|
|
User tudattr
|
|
IdentityFile /mnt/veracrypt1/genesis
|
|
```
|
|
- enable ssh on pi
|
|
- copy public key to pi
|
|
- change user password of user on pi
|
|
- execute `ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml`
|
|
|
|
## Mikrotik
|
|
- Create rsa-key on your device and name it mikrotik_rsa
|
|
- On mikrotik run: `/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr`
|
|
- Create ssh-config entry:
|
|
```config
|
|
Host mikrotik
|
|
HostName 192.168.70.1
|
|
Port 2200
|
|
User tudattr
|
|
IdentityFile /mnt/veracrypt1/mikrotik_rsa
|
|
```
|
|
|
|
### wireguard
|
|
thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/)0
|
|
quick code
|
|
```
|
|
# add wiregurad interface
|
|
interface/wireguard/add listen-port=51820 name=wg1
|
|
# get public key
|
|
interface/wireguard/print
|
|
$ > public-key: <mikrotik_public_key>
|
|
# add network/ip for wireguard interface
|
|
ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
|
|
# add firewall rule for wireguard (maybe specify to be from pppoe-wan)
|
|
/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept
|
|
# routing for wg1 clients and rest of the network
|
|
> <insert forward for routing between wg1 and other networks>
|
|
# enable internet for wg1 clients (may have to add to enable internet list
|
|
/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade
|
|
```
|
|
add peer
|
|
```
|
|
/interface/wireguard/peers/add interface=wg1 allowed-address=<untaken_ipv4>/24 public-key="<client_public_key"
|
|
```
|
|
|
|
Keygeneragion on archlinux `wg genkey | (umask 0077 && tee wireguard.key) | wg pubkey > peer_A.pub`
|
|
Wireguard config on archlinux at `/etc/wireguard/wg0.conf`:
|
|
```
|
|
[Interface]
|
|
PrivateKey = <client_private_key>
|
|
Address = 192.168.200.250/24
|
|
|
|
[Peer]
|
|
PublicKey = <mikrotik public key>
|
|
Endpoint = tudattr.dev:51820
|
|
AllowedIPs = 0.0.0.0/0
|
|
```
|
|
used ipv4:
|
|
- tudattr: 192.168.200.250
|
|
- livei: 192.168.200.240
|
|
|
|
#### notes
|
|
- wireguard->add
|
|
name: wg_tunnel01
|
|
listen port: 51820
|
|
[save]
|
|
- wireguard->peers->add
|
|
interface: wg_tunnel01
|
|
endpoint port: 51820
|
|
allowed address: ::/0
|
|
psk: <password>
|
|
persistent keepalive: 25
|
|
- ip->address->address list->add
|
|
address:192.168.200.1/24
|
|
network: 192.168.200.0
|
|
interface: wg_tunnel01
|
|
|
|
## troubleshooting
|
|
### Docker networking problem
|
|
`docker system prune -a`
|
|
### Time problems (NTP service: n/a)
|
|
systemctl status systemd-timesyncd.service
|
|
when not available
|
|
sudo apt install systemd-timesyncd/stable
|
|
### Syncthing inotify
|
|
echo "fs.inotify.max_user_watches=204800" | sudo tee -a /etc/sysctl.conf
|
|
https://forum.cloudron.io/topic/7163/how-to-increase-inotify-limit-for-syncthing/2
|