commit d7ec0d2317529f355d096da15702d7aa2a927f37 Author: Eliezer Croitoru Date: Wed Feb 7 23:57:14 2024 +0200 1 diff --git a/outline.txt b/outline.txt new file mode 100644 index 0000000..d21ea24 --- /dev/null +++ b/outline.txt 
@@ -0,0 +1,119 @@ +Hey Everybody, + +I have seen couple free proxy providers like: +Urban vpn +Nord vpn +Clearvpn + +And couple other proxy services. + +A long time ago I wrote the article: +A Proxy for each Internet user! The future! + +https://www1.ngtech.co.il/wpe/2016/05/02/proxy-per-internet-user-is-it-realistic/ + +And I was just wondering to myself a thing or two about http proxies. + +Most of the VPN services use and support OpenVPN, wireguard and other vpn services on the route level. +These are simple and needs some kinds of "smart" CGNAT to operate and are cheaper than a http proxy since the it works in the lower +level of the connection. +For example, you can give a static private IP to the client in your system and apply all the relevant routing and NAT rules and the connection +will be initiated automatically with the relevant external IP. +Also, if you need an IP address you can just spin an "exit" node on any public cloud and add it into the pool of routes. + +But there is another option, the proxy way of things. +Either socks or plain HTTP Proxy.. + +But let start with a proxy to simplify things. + +Let say I want to spin couple squid "exit" nodes and I would like to have a frontend that will route traffic based on authentication details. +I have seen an answer which is un-verified since 2013 at: +https://access.redhat.com/solutions/259903 + +To make it all work we first need to assume that +bever_direct allow all + +will force all CONNECT requests to a cache_peer (since there aren't too many plain http services else then MS updates and couple others). + +There is also another problem, how do we route clients based on credentials from a frontend to the backend exit nodes / cache peers? + +There are couple issues in this kinds of setup. +Since the client connects to the proxy service in plain text it can be intercepted so we will assume that the user can access some securely to the proxy. 
+IE Wireguard or OpenVPN or SSTP or other IPSEC based solution which or any other alternative method like a Trusted network... + +The next step in this setup is securing the connections between the proxies. +For this we need to use some kind of network of connection between the Hub or Hubs to the exit nodes. +If both the HUB and the exit node has a public IP address behind a 1:1 nat and can communicate directly they can use Wireguard or OpenVPN to secure their connections. +There are couple other things that need to be sorted and these are the provisioning of the exit nodes and their registration and status check each. +Any of the HUBs need to be able to handle couple of these tasks with a bit of automation and couple uuid generators. + +I wanted to build such a tiny setup but I lack couple things for the specs for such a system. +I have seen this nice post: +* https://www.blackhatworld.com/seo/developer-needed-to-build-scripts-to-create-proxies-using-haproxy-or-squid-advanced-expertise-required.1300167/ + +So I am trying to mimic a WWW net. +The first thing is to have two to three ipconfig.io nodes which will have a very tiny foot print that I will use to test the setup. +The next thing is the basic WWW net ie couple sites with BGP each will have a /24(?) CIDR behind them and a central /24(?) for all of them. +Since it's a lab it's preferable that all these will have a very small resources foot print. +We can use a simple containers network and use the next piece of software: +* https://github.com/georgyo/ifconfig.io +* https://hub.docker.com/r/elicro/ifconfig.io + +For the tests we might need a root CA but not really relevant since -k is good enough for most basic tests with curl since... we assume the connection is secured already. + +Networks the we can use, private only(?): +192.168.0.0/16 +10.0.0.0/8 +172.16. 
0.0/12 + +We can use also use CGNAT cidr: +100.64.0.0/10 + +* https://www.rfc-editor.org/rfc/rfc6598 + +And just for theses who need: +* https://www.ngtech.co.il/ipcalc/ +* https://hub.docker.com/r/elicro/ipcalc + + +So we will need first one central hub for automation registry and management. +It will use couple internal CIDRs and couple 1:1 nat address spaces. + +The end result should be couple tiny clients that will run couple curl tests with usename and password that will be the routing vector for the setup. +So we will have one main HUB and this hub will have 1 port that will listen to all proxy requests with username and passwords. +So basically we need an office and an internet connection, an idea and all the automation tools to implement it. +Currently AWS and many other providers have enough automation tools that can remove some of the heavy lifting off the table. +So now for the DB and registration system. +For each exit node we need a uuid and couple specific services. +* health check +* external ip verification +* registration against the hub +* VPN to the central HUB? (complexity.. but flexibility for the NAT connection tracking limit of the OFFICE/Proxy IP) + +In the central office we need let say port 10000 a http proxy in port which will be port forwarded to a single squid proxy server with a floating ip and redundant server. +If we would have a secure channel between the proxies and the central office it will be much simple to register new proxies +(Assuming each proxy receives the uuid and registration and VPN details in it's cloud-init or any other initialization method) + +So we would have a DB which will hold a uuid and configuration details prepared before for the registration and health checks and status. + +The squid.conf of the proxy should be created dynamically since there are changes in the network.... +Unless we assume a specific capacity and an internal connection between the HUB and the proxy. 
+If we assume an internal connection between the HUB and the proxies we can dedicate a cidr for the proxies. +Then we can create a pretty "static" squid.conf (a big one..) and we can change the configuration in the DB so +helpers will help us decide which proxy is up or down and which of the static cache_peers a user name and password will use. + +What do you think about this? How will it work? +Squid can handle this kind of load with couple workers and couple scripts but to create such a setup, it’s a bit of a job. +Let say I will assume a network of proxies with 10 proxies which will spin up and down, how will it work???? +How much resources are required to run test such a setup? + +I believe a demo can all be done on a linux network namespaces on a single node setup but it's not like real world... +What OS will you use in such a setup? +These days any linux OS requires at-least 512 MB of RAM to spin nicely so I assume an Alpine based setup would be nice but... +It's not like RHEL systems, There are scripts that should be written and supervised to be used (compared to systemd) etc... + +Let me know if the script I wrote seems reasonable enough. + +( 6.0.3 here I'm coming, here since 3.2 beta ) + +Eliezer diff --git a/vms/build-cloud-init-alpine/build.sh b/vms/build-cloud-init-alpine/build.sh new file mode 100644 index 0000000..9062423 --- /dev/null +++ b/vms/build-cloud-init-alpine/build.sh 
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+export DEBIAN_FRONTEND=noninteractive
+
+# install ubuntu dependenices for image building
+apt update
+apt install -y libvirt-daemon qemu-utils qemu wget genisoimage
+
+wget https://raw.githubusercontent.com/alpinelinux/alpine-make-vm-image/master/alpine-make-vm-image -O alpine-make-vm-image
+chmod +x alpine-make-vm-image
+echo '0d5d3e375cb676d6eb5c1a52109a3a0a8e4cd7ac alpine-make-vm-image' | sha1sum -c
+if [ "$?" -gt "0" ];then
+ echo "alpine-make-vm-image checksum is bad, check for an update at:"
+ echo "https://github.com/alpinelinux/alpine-make-vm-image"
+ exit 1
+fi
+
+PACKAGES_FILE="os/packages"
+INIT_SCRIPT="os/configure.sh"
+IMAGES_FILENAME="alpine_cloud_init_vm.qcow2"
+ALPINE_BRANCH="3.17"
+DISK_SIZE="20G"
+IMAGE_FORMAT="qcow2"
+
+bash alpine-make-vm-image -b ${ALPINE_BRANCH} -p "$( cat ${PACKAGES_FILE} | xargs) " -s ${DISK_SIZE} -f ${IMAGE_FORMAT} ${IMAGES_FILENAME} --script-chroot ${INIT_SCRIPT}
+
+cd seed
+mkisofs -output ../alpine-cloud-init-data.iso -volid cidata -joliet -rock user-data meta-data
+cd -
diff --git a/vms/build-cloud-init-alpine/os/configure.sh b/vms/build-cloud-init-alpine/os/configure.sh
new file mode 100644
index 0000000..7bcb8a7
--- /dev/null
+++ b/vms/build-cloud-init-alpine/os/configure.sh
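Review bot: The integrity check on the downloaded builder is a SHA-1 of whatever `master` holds at the time, so it breaks on the next upstream commit and the natural fix is then to paste in a new hash without review; pin the `wget` URL to a tagged release or commit and compare with `sha256sum`: `echo '<SHA256-OF-PINNED-REVISION>  alpine-make-vm-image' | sha256sum -c || exit 1`. `cd seed` is unchecked, so a missing directory lets `mkisofs` run from the wrong place; `cd seed || exit 1`. The package list is also passed unquoted through `-p "$( cat ${PACKAGES_FILE} | xargs) "`, which can be `-p "$(xargs < "$PACKAGES_FILE")"`, and `set -euo pipefail` after the shebang would make the earlier apt and wget failures stop the build instead of continuing into the image step as root.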
@@ -0,0 +1,71 @@ +#!/bin/sh + +_step_counter=0 +step() { + _step_counter=$(( _step_counter + 1 )) + printf '\n\033[1;36m%d) %s\033[0m\n' $_step_counter "$@" >&2 # bold cyan +} + + +step 'Set up timezone' +setup-timezone -z Asia/Jerusalem + +#step 'Set up keymap' +#setup-keymap fr fr-azerty + +step 'Set up networking' +cat > /etc/network/interfaces <<-EOF + auto lo + iface lo inet loopback + + auto eth0 + iface eth0 inet dhcp +EOF + +# FIXME: remove root and alpine password +step 'Set cloud configuration' +sed -e '/disable_root:/ s/true/false/' \ + -e '/ssh_pwauth:/ s/0/no/' \ + -e '/name: alpine/a \ passwd: "*"' \ + -e '/lock_passwd:/ s/True/False/' \ + -i /etc/cloud/cloud.cfg + +# To have oh-my-zsh working on first boot +cat >> /etc/cloud/cloud.cfg <> /etc/ssh/sshd_config + +step 'Remove password for users' +usermod -p '*' root + +step 'Adjust rc.conf' +sed -Ei \ + -e 's/^[# ](rc_depend_strict)=.*/\1=NO/' \ + -e 's/^[# ](rc_logger)=.*/\1=YES/' \ + -e 's/^[# ](unicode)=.*/\1=YES/' \ + /etc/rc.conf + +# see https://gitlab.alpinelinux.org/alpine/aports/-/issues/8861 +step 'Enable cloud-init configuration via NoCloud iso image' + +echo "iso9660" >> /etc/filesystems + +step 'Enable services' +/sbin/rc-update add acpid default +/sbin/rc-update add chronyd default +/sbin/rc-update add crond default +/sbin/rc-update add networking boot +/sbin/rc-update add termencoding boot +/sbin/rc-update add sshd default +/sbin/rc-update add cloud-init default +/sbin/rc-update add cloud-config default +/sbin/rc-update add cloud-final default diff --git a/vms/build-cloud-init-alpine/os/packages b/vms/build-cloud-init-alpine/os/packages new file mode 100644 index 0000000..b713386 --- /dev/null +++ b/vms/build-cloud-init-alpine/os/packages @@ -0,0 +1,16 @@ +acpi +curl +wget +htop +bash +ca-certificates +chrony +cloud-init +e2fsprogs-extra +less +logrotate +openssh +py3-netifaces +py3-pyserial +ssl_client +sudo 
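Review bot: The cloud.cfg edits set `disable_root` to false and `lock_passwd` to False in the base image, so every VM built from it boots with root reachable through cloud-init and an unlocked default user, and the `# FIXME: remove root and alpine password` left just above shows this was not meant to ship; the later `usermod -p '*' root` only blanks the password and does not undo `disable_root: false`. Keep `disable_root: true` and `lock_passwd: True` and give access to the unprivileged user via cloud-init keys, or document in a comment why the lab needs root over ssh. The `cat >> /etc/cloud/cloud.cfg` and `/etc/ssh/sshd_config` heredocs are garbled in this rendering (`<>`), so their contents could not be reviewed.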
diff --git a/vms/build-cloud-init-alpine/os/repositories b/vms/build-cloud-init-alpine/os/repositories
new file mode 100644
index 0000000..5f2522a
--- /dev/null
+++ b/vms/build-cloud-init-alpine/os/repositories
@@ -0,0 +1,3 @@
+http://dl-cdn.alpinelinux.org/alpine/v3.17/main
+http://dl-cdn.alpinelinux.org/alpine/v3.17/community
+http://dl-cdn.alpinelinux.org/alpine/edge/testing
diff --git a/vms/build-cloud-init-alpine/scripts/spin-vm.ps1 b/vms/build-cloud-init-alpine/scripts/spin-vm.ps1
new file mode 100644
index 0000000..c2eaffd
--- /dev/null
+++ b/vms/build-cloud-init-alpine/scripts/spin-vm.ps1
@@ -0,0 +1,6 @@
+$vmname = Get-Content .\vmname -First 1
+$vmnet = Get-Content .\vmnet -First 1
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath .\alpine-openstack.vhdx -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path .\alpine-seed.iso
+Start-VM $vmname
\ No newline at end of file
diff --git a/vms/build-cloud-init-alpine/seed/meta-data b/vms/build-cloud-init-alpine/seed/meta-data
new file mode 100644
index 0000000..77da86d
--- /dev/null
+++ b/vms/build-cloud-init-alpine/seed/meta-data
@@ -0,0 +1,2 @@
+instance-id: iid-local01
+local-hostname: cloudimg
diff --git a/vms/build-cloud-init-alpine/seed/user-data b/vms/build-cloud-init-alpine/seed/user-data
new file mode 100644
index 0000000..9d4107f
--- /dev/null
+++ b/vms/build-cloud-init-alpine/seed/user-data
@@ -0,0 +1,4 @@
+#cloud-config
+password: passw0rd
+chpasswd: { expire: False }
+ssh_pwauth: True
diff --git a/vms/images/update-images.ps1 b/vms/images/update-images.ps1
new file mode 100644
index 0000000..9d4c5d5
--- /dev/null
+++ b/vms/images/update-images.ps1
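Review bot: The repository list mixes `edge/testing` into a v3.17 image and fetches all three indexes over plain http; edge/testing packages are built against a different, moving base and can drag in library versions that the 3.17 main/community packages were not built for, and the http transport leaves apk's signature check as the only protection against a substituted index. Drop the edge/testing line unless a named package needs it (then pin that package with an `@testing` tag in `os/packages`) and switch the URLs to `https://dl-cdn.alpinelinux.org/...`.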
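Review bot: The seed user-data ships a fixed default password (`password: passw0rd`) together with `ssh_pwauth: True` and `chpasswd: { expire: False }`, so every VM booted from this seed accepts password ssh logins with a credential that is now in git history. Prefer `ssh_authorized_keys:` with the lab key and `ssh_pwauth: False`; if a console password is needed, generate it per seed and keep `expire: True` so it must be changed on first login.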
@@ -0,0 +1,4 @@
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/AlmaLinux-8-GenericCloud-latest.x86_64.vhdx" -OutFile "AlmaLinux-8-GenericCloud-latest.x86_64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx" -OutFile "jammy-server-cloudimg-amd64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/debian-11-generic-amd64.vhdx" -OutFile "debian-11-generic-amd64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/debian-12-generic-amd64.vhdx" -OutFile "debian-12-generic-amd64.vhdx"
\ No newline at end of file
diff --git a/vms/px-001-Office-DB/Vagrantfile b/vms/px-001-Office-DB/Vagrantfile
new file mode 100644
index 0000000..549465d
--- /dev/null
+++ b/vms/px-001-Office-DB/Vagrantfile
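Review bot: The four `Invoke-WebRequest` calls pull bootable disk images over plain http with no hash check, so a tampered or truncated VHDX is accepted silently and later booted as a VM by the spin scripts. Serve the images over https and verify each download against a pinned digest kept beside the script, e.g. `if ((Get-FileHash $file -Algorithm SHA256).Hash -ne $expected) { throw "checksum mismatch for $file" }` with `$expected` set to `<SHA256-OF-IMAGE>` for each file.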
@@ -0,0 +1,99 @@ + +$ENALBE_SYNC_FOLDER = false + +$ENALBE_SYNC_FOLDER = true if File.exist?("sync_shared") + +if File.exist?("net1") + $HOST_NET_1 = File.readlines('net1').first.chomp +end + +if File.exist?("net2") + $HOST_NET_2 = File.readlines('net2').first.chomp +end + +if File.exist?("net3") + $HOST_NET_3 = File.readlines('net3').first.chomp +end + +if File.exist?("net4") + $HOST_NET_4 = File.readlines('net4').first.chomp +end + +$VM_NAME = File.readlines('vmname').first.chomp +$VM_MEM = File.readlines('vmmem').first.chomp.to_i +$VM_VCPU = File.readlines('vmcpu').first.chomp.to_i + +$BOX = File.readlines('box').first.chomp + +$HOSTNAME = File.readlines('hostname').first.chomp if File.exist?("hostname") + + +# Will not work on Hyper-V +#$VM_DISK_SIZE = File.readlines('disksize').first.chomp + + +$PROVISION_SSH_KEY_SCRIPT=<> /root/.ssh/authorized_keys +chmod 0600 /root/.ssh/authorized_keys +chown root:root -R /root/.ssh +mkdir -p /home/vagrant/.ssh +chmod 0700 /home/vagrant/.ssh +echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys +chmod 0600 /home/vagrant/.ssh/authorized_keys +chown vagrant:vagrant -R /home/vagrant/.ssh +EOF + + +Vagrant.configure("2") do |config| + config.vm.box = $BOX + +## Remember to generate the vagrant private key. +## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant + + config.ssh.insert_key = false + config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ] + + config.vm.provider "hyperv" do |hv, override| + hv.vmname = $VM_NAME + hv.maxmemory = $VM_MEM + hv.memory = $VM_MEM + hv.cpus = $VM_VCPU + override.vm.allowed_synced_folder_types = [:rsync] + end + +if $HOST_NET_1 and !$HOST_NET_1.empty? + config.vm.network "public_network", bridge: $HOST_NET_1 +end + +if $HOST_NET_2 and !$HOST_NET_2.empty? + config.vm.network "private_network", bridge: $HOST_NET_2 +end + +if $HOST_NET_3 and !$HOST_NET_4.empty? 
+ config.vm.network "private_network", bridge: $HOST_NET_3 +end + +if $HOST_NET_4 and !$HOST_NET_4.empty? + config.vm.network "private_network", bridge: $HOST_NET_4 +end + + config.vm.synced_folder ".", "/vagrant", disabled: true + +if $ENALBE_SYNC_FOLDER == true + config.vm.synced_folder "shared/", "/vagrant", type: "rsync" +end + +if !$HOSTNAME.empty? + config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}" +end + + config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub" + config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT + +if $ENALBE_SYNC_FOLDER == true + config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true" +end + +end diff --git a/vms/px-001-Office-DB/box b/vms/px-001-Office-DB/box new file mode 100644 index 0000000..4e97d49 --- /dev/null +++ b/vms/px-001-Office-DB/box @@ -0,0 +1 @@ +generic/debian11 \ No newline at end of file diff --git a/vms/px-001-Office-DB/hostname b/vms/px-001-Office-DB/hostname new file mode 100644 index 0000000..a3e1ff5 --- /dev/null +++ b/vms/px-001-Office-DB/hostname @@ -0,0 +1 @@ +px-001-Office-DB \ No newline at end of file diff --git a/vms/px-001-Office-DB/net1 b/vms/px-001-Office-DB/net1 new file mode 100644 index 0000000..e82c424 --- /dev/null +++ b/vms/px-001-Office-DB/net1 @@ -0,0 +1 @@ +OpenWRT-LAN \ No newline at end of file diff --git a/vms/px-001-Office-DB/net2 b/vms/px-001-Office-DB/net2 new file mode 100644 index 0000000..75ebb04 --- /dev/null +++ b/vms/px-001-Office-DB/net2 @@ -0,0 +1 @@ +proxy_office \ No newline at end of file diff --git a/vms/px-001-Office-DB/shared/init.sh b/vms/px-001-Office-DB/shared/init.sh new file mode 100644 index 0000000..c3f7e00 --- /dev/null +++ b/vms/px-001-Office-DB/shared/init.sh 
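Review bot: The third bridge block checks the wrong variable, `if $HOST_NET_3 and !$HOST_NET_4.empty?`, so a VM directory with a `net3` file and no `net4` aborts with NoMethodError on nil instead of attaching the bridge; it should read `if $HOST_NET_3 and !$HOST_NET_3.empty?`, and the same line is repeated in the px-002 and px-003 Vagrantfiles. `if !$HOSTNAME.empty?` has the same nil problem when no `hostname` file exists, because `$HOSTNAME` is only assigned conditionally. In the provisioning script, `echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys` appends the file's path rather than the key, so the intended key never becomes valid; `cat /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys` (the start of that heredoc is garbled in this rendering and could not be checked). With `config.ssh.insert_key = false` and the insecure key kept as a fallback in `private_key_path`, the box's well-known Vagrant public key stays authorized on a VM that is bridged onto `public_network`; either let Vagrant replace it or remove it in the same provisioning script.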
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +export DEBIAN_FRONTEND="noninteractive" + +# Upgrading system +apt update +apt upgrade -y + +# Install Software +apt install -y mariadb-server htop iptstate iptables conntrack tcpdump + +# Configure Software +sed -i -e "s@^bind-address =.*@bind-address = 0.0.0.0@g" /etc/mysql/mariadb.conf.d/50-server.cnf + +systemctl restart mariadb.service + +cat <> /root/.ssh/authorized_keys +chmod 0600 /root/.ssh/authorized_keys +chown root:root -R /root/.ssh +mkdir -p /home/vagrant/.ssh +chmod 0700 /home/vagrant/.ssh +echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys +chmod 0600 /home/vagrant/.ssh/authorized_keys +chown vagrant:vagrant -R /home/vagrant/.ssh +EOF + + +Vagrant.configure("2") do |config| + config.vm.box = $BOX + +## Remember to generate the vagrant private key. +## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant + + config.ssh.insert_key = false + config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ] + + config.vm.provider "hyperv" do |hv, override| + hv.vmname = $VM_NAME + hv.maxmemory = $VM_MEM + hv.memory = $VM_MEM + hv.cpus = $VM_VCPU + override.vm.allowed_synced_folder_types = [:rsync] + end + +if $HOST_NET_1 and !$HOST_NET_1.empty? + config.vm.network "public_network", bridge: $HOST_NET_1 +end + +if $HOST_NET_2 and !$HOST_NET_2.empty? + config.vm.network "private_network", bridge: $HOST_NET_2 +end + +if $HOST_NET_3 and !$HOST_NET_4.empty? + config.vm.network "private_network", bridge: $HOST_NET_3 +end + +if $HOST_NET_4 and !$HOST_NET_4.empty? + config.vm.network "private_network", bridge: $HOST_NET_4 +end + + config.vm.synced_folder ".", "/vagrant", disabled: true + +if $ENALBE_SYNC_FOLDER == true + config.vm.synced_folder "shared/", "/vagrant", type: "rsync" +end + +if !$HOSTNAME.empty? 
+ config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}" +end + + config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub" + config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT + +if $ENALBE_SYNC_FOLDER == true + config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true" +end + +end diff --git a/vms/px-002-Office-Web/box b/vms/px-002-Office-Web/box new file mode 100644 index 0000000..3f13982 --- /dev/null +++ b/vms/px-002-Office-Web/box @@ -0,0 +1 @@ +generic/alma8 \ No newline at end of file diff --git a/vms/px-002-Office-Web/hostname b/vms/px-002-Office-Web/hostname new file mode 100644 index 0000000..1b1cacf --- /dev/null +++ b/vms/px-002-Office-Web/hostname @@ -0,0 +1 @@ +px-002-Office-Web \ No newline at end of file diff --git a/vms/px-002-Office-Web/net b/vms/px-002-Office-Web/net new file mode 100644 index 0000000..3ce4ea7 --- /dev/null +++ b/vms/px-002-Office-Web/net @@ -0,0 +1 @@ +VMs_OUT \ No newline at end of file diff --git a/vms/px-002-Office-Web/net1 b/vms/px-002-Office-Web/net1 new file mode 100644 index 0000000..e82c424 --- /dev/null +++ b/vms/px-002-Office-Web/net1 @@ -0,0 +1 @@ +OpenWRT-LAN \ No newline at end of file diff --git a/vms/px-002-Office-Web/net2 b/vms/px-002-Office-Web/net2 new file mode 100644 index 0000000..75ebb04 --- /dev/null +++ b/vms/px-002-Office-Web/net2 @@ -0,0 +1 @@ +proxy_office \ No newline at end of file diff --git a/vms/px-002-Office-Web/shared/init.sh b/vms/px-002-Office-Web/shared/init.sh new file mode 100644 index 0000000..aa17661 --- /dev/null +++ b/vms/px-002-Office-Web/shared/init.sh 
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Disabling selinux
+sed -i -e "s@^SELINUX=.*@SELINUX=disabled@g" /etc/selinux/config
+grubby --update-kernel ALL --args selinux=0
+setenforce 0
+
+# Updating OS
+dnf update -y
+
+# Installing basic dependencies
+dnf install -y epel-release
+/usr/bin/crb enable
+
+dnf install -y git wget curl bash-completion vim make
+
+dnf module reset ruby mariadb php -y
+dnf module enable ruby:3.1 mariadb:10.5 php:8.0 -y
+
+dnf install -y httpd php php-fpm php-mysqlnd ruby ruby-devel rubygem-mysql2 rubygem-irb python3.11 python3.11-devel python3.11-pip
+dnf install -y mariadb-server
+dnf install -y podman htop tree
+
+update-alternatives --set python3 /usr/bin/python3.11
+
+python3 -m pip install --upgrade pip
+
+systemctl start httpd mariadb podman php-fpm
+systemctl enable httpd mariadb podman php-fpm
+
+firewall-cmd --add-service=http --permanent
+firewall-cmd --add-service=https --permanent
+
+firewall-cmd --reload
\ No newline at end of file
diff --git a/vms/px-002-Office-Web/sync_shared b/vms/px-002-Office-Web/sync_shared
new file mode 100644
index 0000000..d3f5a12
--- /dev/null
+++ b/vms/px-002-Office-Web/sync_shared
@@ -0,0 +1 @@
+
diff --git a/vms/px-002-Office-Web/vmcpu b/vms/px-002-Office-Web/vmcpu
new file mode 100644
index 0000000..0cfbf08
--- /dev/null
+++ b/vms/px-002-Office-Web/vmcpu
@@ -0,0 +1 @@
+2
diff --git a/vms/px-002-Office-Web/vmmem b/vms/px-002-Office-Web/vmmem
new file mode 100644
index 0000000..f3e53ee
--- /dev/null
+++ b/vms/px-002-Office-Web/vmmem
@@ -0,0 +1 @@
+2048
\ No newline at end of file
diff --git a/vms/px-002-Office-Web/vmname b/vms/px-002-Office-Web/vmname
new file mode 100644
index 0000000..1b1cacf
--- /dev/null
+++ b/vms/px-002-Office-Web/vmname
@@ -0,0 +1 @@
+px-002-Office-Web
\ No newline at end of file
diff --git a/vms/px-003-Office-PX-Frontend/Vagrantfile b/vms/px-003-Office-PX-Frontend/Vagrantfile
new file mode 100644
index 0000000..549465d
--- /dev/null
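Review bot: The first three commands permanently disable SELinux (config file, kernel command line via `grubby`, and `setenforce 0`) on a host that goes on to run httpd, php-fpm, mariadb and podman facing the lab network, removing the confinement that would limit a compromised web process; the px-003 init.sh repeats the same block. If a specific denial motivated this, set the relevant boolean or file context instead, or at most use `setenforce 0` for the provisioning run and leave `/etc/selinux/config` and the kernel args alone. The script also has no `set -e`, so a failed `dnf module enable` or `update-alternatives` silently continues into the installs; add `set -euo pipefail` after the shebang.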
+++ b/vms/px-003-Office-PX-Frontend/Vagrantfile 
@@ -0,0 +1,99 @@ + +$ENALBE_SYNC_FOLDER = false + +$ENALBE_SYNC_FOLDER = true if File.exist?("sync_shared") + +if File.exist?("net1") + $HOST_NET_1 = File.readlines('net1').first.chomp +end + +if File.exist?("net2") + $HOST_NET_2 = File.readlines('net2').first.chomp +end + +if File.exist?("net3") + $HOST_NET_3 = File.readlines('net3').first.chomp +end + +if File.exist?("net4") + $HOST_NET_4 = File.readlines('net4').first.chomp +end + +$VM_NAME = File.readlines('vmname').first.chomp +$VM_MEM = File.readlines('vmmem').first.chomp.to_i +$VM_VCPU = File.readlines('vmcpu').first.chomp.to_i + +$BOX = File.readlines('box').first.chomp + +$HOSTNAME = File.readlines('hostname').first.chomp if File.exist?("hostname") + + +# Will not work on Hyper-V +#$VM_DISK_SIZE = File.readlines('disksize').first.chomp + + +$PROVISION_SSH_KEY_SCRIPT=<> /root/.ssh/authorized_keys +chmod 0600 /root/.ssh/authorized_keys +chown root:root -R /root/.ssh +mkdir -p /home/vagrant/.ssh +chmod 0700 /home/vagrant/.ssh +echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys +chmod 0600 /home/vagrant/.ssh/authorized_keys +chown vagrant:vagrant -R /home/vagrant/.ssh +EOF + + +Vagrant.configure("2") do |config| + config.vm.box = $BOX + +## Remember to generate the vagrant private key. +## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant + + config.ssh.insert_key = false + config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ] + + config.vm.provider "hyperv" do |hv, override| + hv.vmname = $VM_NAME + hv.maxmemory = $VM_MEM + hv.memory = $VM_MEM + hv.cpus = $VM_VCPU + override.vm.allowed_synced_folder_types = [:rsync] + end + +if $HOST_NET_1 and !$HOST_NET_1.empty? + config.vm.network "public_network", bridge: $HOST_NET_1 +end + +if $HOST_NET_2 and !$HOST_NET_2.empty? + config.vm.network "private_network", bridge: $HOST_NET_2 +end + +if $HOST_NET_3 and !$HOST_NET_4.empty? 
+ config.vm.network "private_network", bridge: $HOST_NET_3 +end + +if $HOST_NET_4 and !$HOST_NET_4.empty? + config.vm.network "private_network", bridge: $HOST_NET_4 +end + + config.vm.synced_folder ".", "/vagrant", disabled: true + +if $ENALBE_SYNC_FOLDER == true + config.vm.synced_folder "shared/", "/vagrant", type: "rsync" +end + +if !$HOSTNAME.empty? + config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}" +end + + config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub" + config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT + +if $ENALBE_SYNC_FOLDER == true + config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true" +end + +end diff --git a/vms/px-003-Office-PX-Frontend/box b/vms/px-003-Office-PX-Frontend/box new file mode 100644 index 0000000..3f13982 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/box @@ -0,0 +1 @@ +generic/alma8 \ No newline at end of file diff --git a/vms/px-003-Office-PX-Frontend/hostname b/vms/px-003-Office-PX-Frontend/hostname new file mode 100644 index 0000000..4d21822 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/hostname @@ -0,0 +1 @@ +px-003-Office-PX-Frontend \ No newline at end of file diff --git a/vms/px-003-Office-PX-Frontend/net1 b/vms/px-003-Office-PX-Frontend/net1 new file mode 100644 index 0000000..e82c424 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/net1 @@ -0,0 +1 @@ +OpenWRT-LAN \ No newline at end of file diff --git a/vms/px-003-Office-PX-Frontend/net2 b/vms/px-003-Office-PX-Frontend/net2 new file mode 100644 index 0000000..75ebb04 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/net2 @@ -0,0 +1 @@ +proxy_office \ No newline at end of file diff --git a/vms/px-003-Office-PX-Frontend/shared/init.sh b/vms/px-003-Office-PX-Frontend/shared/init.sh new file mode 100644 index 0000000..1186095 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/shared/init.sh 
@@ -0,0 +1,77 @@ +#!/usr/bin/env bash + +# Disabling selinux +sed -i -e "s@^SELINUX=.*@SELINUX=disabled@g" /etc/selinux/config +grubby --update-kernel ALL --args selinux=0 +setenforce 0 + +# Updating OS +dnf update -y + +# Installing basic dependencies +dnf install -y epel-release +/usr/bin/crb enable + +dnf install -y git wget curl bash-completion vim make + +dnf module reset ruby mariadb php -y +dnf module enable ruby:3.1 mariadb:10.5 php:8.0 -y + +dnf install -y httpd php php-fpm php-mysqlnd ruby ruby-devel rubygem-mysql2 rubygem-irb python3.11 python3.11-devel python3.11-pip +dnf install -y mariadb-server +dnf install -y podman htop tree mkisofs + +update-alternatives --set python3 /usr/bin/python3.11 + +python3 -m pip install --upgrade pip + +sed -i -e "s@AllowOverride None@AllowOverride All@g" -e "s@AllowOverride none@AllowOverride all@g" /etc/httpd/conf/httpd.conf +sed -i -e "s@^IndexOptions.*@IndexOptions FancyIndexing HTMLTable VersionSort namewidth=\* htmltable charset=utf-8@g" /etc/httpd/conf.d/autoindex.conf + +systemctl start httpd mariadb podman php-fpm +systemctl enable httpd mariadb podman php-fpm + +mkdir -p /opt/src +wget http://www.ngtech.co.il/repo/alma/8/x86_64/squid-5.9-1.el8.x86_64.rpm -O /opt/src/squid-5.9-1.el8.x86_64.rpm +wget http://www.ngtech.co.il/repo/alma/8/x86_64/squid-helpers-5.9-1.el8.x86_64.rpm -O /opt/src/squid-helpers-5.9-1.el8.x86_64.rpm + +dnf localinstall -y /opt/src/squid-5.9-1.el8.x86_64.rpm /opt/src/squid-5.9-1.el8.x86_64.rpm + +firewall-cmd --add-service=http --permanent +firewall-cmd --add-service=https --permanent +firewall-cmd --add-port=3128/tcp --permanent +firewall-cmd --add-port=23128/tcp --permanent + +firewall-cmd --reload + +# Installing Wireguard +dnf install -y elrepo-release +dnf install -y kmod-wireguard wireguard-tools + +mkdir -p /etc/wireguard + +stat /etc/wireguard/wireguard.key || ( +umask 077 | wg genkey | tee /etc/wireguard/wireguard.key +wg pubkey < /etc/wireguard/wireguard.key > 
/etc/wireguard/wireguard.pub.key +) +cat /etc/wireguard/wireguard.pub.key + +cat < /etc/wireguard/wg0.conf +[Interface] +Address = 100.20.20.1/24 +SaveConfig = true +ListenPort = 51820 +PrivateKey = $(cat /etc/wireguard/wireguard.pub.key |head -1 ) +EOF +echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf.d/050-wg.conf + +sysctl --system + +systemctl start wg-quick@wg0 +systemctl status wg-quick@wg0 --no-pager + +echo "Example command for adding a peer key to the wg0 interface" +echo "wg set wg0 peer allowed-ips 10.10.10." + +firewall-cmd --add-port=51820/udp --permanent +firewall-cmd --reload diff --git a/vms/px-003-Office-PX-Frontend/sync_shared b/vms/px-003-Office-PX-Frontend/sync_shared new file mode 100644 index 0000000..d3f5a12 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/sync_shared @@ -0,0 +1 @@ + diff --git a/vms/px-003-Office-PX-Frontend/vmcpu b/vms/px-003-Office-PX-Frontend/vmcpu new file mode 100644 index 0000000..0cfbf08 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/vmcpu @@ -0,0 +1 @@ +2 diff --git a/vms/px-003-Office-PX-Frontend/vmmem b/vms/px-003-Office-PX-Frontend/vmmem new file mode 100644 index 0000000..f3e53ee --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/vmmem @@ -0,0 +1 @@ +2048 \ No newline at end of file diff --git a/vms/px-003-Office-PX-Frontend/vmname b/vms/px-003-Office-PX-Frontend/vmname new file mode 100644 index 0000000..4d21822 --- /dev/null +++ b/vms/px-003-Office-PX-Frontend/vmname @@ -0,0 +1 @@ +px-003-Office-PX-Frontend \ No newline at end of file diff --git a/vms/scripts/spin-vm.ps1 b/vms/scripts/spin-vm.ps1 new file mode 100644 index 0000000..c2eaffd --- /dev/null +++ b/vms/scripts/spin-vm.ps1 
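Review bot: The key step `umask 077 | wg genkey | tee /etc/wireguard/wireguard.key` runs `umask` in its own pipeline subshell, so the private key file is created with the default umask (readable by every local user) and `tee` also prints the private key into the provisioning log; the wg0.conf heredoc then feeds the *public* key into `PrivateKey = $(cat /etc/wireguard/wireguard.pub.key |head -1 )`, so the tunnel never uses the generated key pair. Two more lines are wrong: `dnf localinstall` names `squid-5.9-1.el8.x86_64.rpm` twice and never installs `squid-helpers`, and `/etc/sysctl.conf.d/050-wg.conf` is not a directory `sysctl --system` reads (it reads `/etc/sysctl.d/`), so `ip_forward` is never enabled. The two squid rpms are also fetched over plain http with no signature or checksum check; verify a pinned digest (`echo '<SHA256-OF-RPM>  /opt/src/squid-5.9-1.el8.x86_64.rpm' | sha256sum -c || exit 1`) before `dnf localinstall`. The wg0.conf heredoc start is garbled in this rendering (`cat < /etc/wireguard/wg0.conf`), so the rewrite below assumes it was `cat <<EOF > /etc/wireguard/wg0.conf`.
```shell
dnf localinstall -y /opt/src/squid-5.9-1.el8.x86_64.rpm /opt/src/squid-helpers-5.9-1.el8.x86_64.rpm

# … unchanged: firewall-cmd http/https/3128/23128 rules, elrepo + wireguard install, mkdir /etc/wireguard …

# Generate the key pair once, with the restrictive umask in effect for both files,
# and never echo the private key to stdout.
if [ ! -f /etc/wireguard/wireguard.key ]; then
  (
    umask 077
    wg genkey > /etc/wireguard/wireguard.key
    wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key
  )
fi
cat /etc/wireguard/wireguard.pub.key

# wg0.conf embeds the private key, so it needs the same permissions as the key file.
(
  umask 077
  cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 100.20.20.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $(head -1 /etc/wireguard/wireguard.key)
EOF
)
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/050-wg.conf

# … unchanged: sysctl --system, wg-quick start/status, example echo, firewall 51820/udp …
```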
@@ -0,0 +1,6 @@
+$vmname = Get-Content .\vmname -First 1
+$vmnet = Get-Content .\vmnet -First 1
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath .\alpine-openstack.vhdx -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path .\alpine-seed.iso
+Start-VM $vmname
\ No newline at end of file
diff --git a/vms/spin-183f199c-bdc6-408a-8286-d04afc3ab0f9_px.ps1 b/vms/spin-183f199c-bdc6-408a-8286-d04afc3ab0f9_px.ps1
new file mode 100644
index 0000000..ab72f03
--- /dev/null
+++ b/vms/spin-183f199c-bdc6-408a-8286-d04afc3ab0f9_px.ps1
@@ -0,0 +1,42 @@ +$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx" +$seedUrl = "http://10.50.1.100/config/183f199c-bdc6-408a-8286-d04afc3ab0f9/183f199c-bdc6-408a-8286-d04afc3ab0f9-cloud-init-data.iso" +$imageFileName = "jammy-server-cloudimg-amd64.vhdx" + +$user = "183f199c-bdc6-408a-8286-d04afc3ab0f9_px" +$password = "ca43b9de-4d37-4c4e-be91-80148f823f01" + +$vmnet = "DigitalyOcean_Cloud1" + +$userPassPair = $user + ":" + $password + +$vmdisk = ".\px-sys-disk.vhdx" + +$vmseed = ".\seed.iso" + +$vmname = "DIGITALOCEAN_183f199c-bdc6-408a-8286-d04afc3ab0f9" + + +mkdir $vmname +cd $vmname + +if ( Test-Path("..\images\" + $imageFileName)) { + Write-Output "Copying image locally" + Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk + Write-Output "Finished copying image locally" +} else { + Write-Output "Downloading image from a remote server" + Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk + Write-Output "Finished downloading image from a remote server" +} + +Write-Output "Downloading seed image from a remote server" + +Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) } + +Write-Output "Finished downloading seed image from a remote server" + +New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1 +Set-VMDvdDrive -VMName $vmname -Path $vmseed + +Start-VM $vmname +cd .. diff --git a/vms/spin-4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px.ps1 b/vms/spin-4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px.ps1 new file mode 100644 index 0000000..421f8fe --- /dev/null +++ b/vms/spin-4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px.ps1 
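Review bot: `$user` and `$password` are a per-node credential committed in clear text, and the seed iso is then fetched from `http://10.50.1.100` with a Basic `Authorization` header, so the same secret also crosses the lab network unencrypted on every run; the sibling `spin-4f936f1e…_px.ps1` and `spin-a9d4ca52…_px.ps1` scripts (and `spin-afca9258…_px.ps1`, cut off in this view) repeat the pattern with their own values. Read the password at run time instead (`$password = $env:PX_SEED_PASSWORD` or `Read-Host`), serve the config directory over https, and rotate these credentials now that they are in git history. `mkdir $vmname` and `cd $vmname` are also unchecked, so a rerun proceeds into the existing directory and overwrites `px-sys-disk.vhdx` while the VM may still be registered; `New-Item -ItemType Directory -Path $vmname -ErrorAction Stop` and `Set-Location $vmname -ErrorAction Stop` would stop instead.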
@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/4f936f1e-a410-4681-b4ec-daa8ec44c9e1/4f936f1e-a410-4681-b4ec-daa8ec44c9e1-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px"
+$password = "a5da948a-1e0a-4a84-8c0b-359fb234d1a6"
+
+$vmnet = "Alibaba_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "ALIBABA_4f936f1e-a410-4681-b4ec-daa8ec44c9e1"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+ Write-Output "Copying image locally"
+ Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+ Write-Output "Finished copying image locally"
+} else {
+ Write-Output "Downloading image from a remote server"
+ Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+ Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..
diff --git a/vms/spin-a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px.ps1 b/vms/spin-a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px.ps1
new file mode 100644
index 0000000..e5e882f
--- /dev/null
+++ b/vms/spin-a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px.ps1
@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/a9d4ca52-ebb0-4d12-a885-d1bf142f5726/a9d4ca52-ebb0-4d12-a885-d1bf142f5726-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px"
+$password = "e5020a9d-2b68-4740-a686-49f4a7335179"
+
+$vmnet = "AWS_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "AWS_a9d4ca52-ebb0-4d12-a885-d1bf142f5726"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+ Write-Output "Copying image locally"
+ Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+ Write-Output "Finished copying image locally"
+} else {
+ Write-Output "Downloading image from a remote server"
+ Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+ Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..
diff --git a/vms/spin-afca9258-834c-4c5b-be3c-11a52ec7edbf_px.ps1 b/vms/spin-afca9258-834c-4c5b-be3c-11a52ec7edbf_px.ps1
new file mode 100644
index 0000000..3212a0d
--- /dev/null
+++ b/vms/spin-afca9258-834c-4c5b-be3c-11a52ec7edbf_px.ps1
@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/debian-12-generic-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/afca9258-834c-4c5b-be3c-11a52ec7edbf/afca9258-834c-4c5b-be3c-11a52ec7edbf-cloud-init-data.iso"
+$imageFileName = "debian-12-generic-amd64.vhdx"
+
+$user = "afca9258-834c-4c5b-be3c-11a52ec7edbf_px"
+$password = "aab51b40-0a9f-42bd-802a-7a23fcccade5"
+
+$vmnet = "DigitalyOcean_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "DIGITALOCEAN_afca9258-834c-4c5b-be3c-11a52ec7edbf"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+ Write-Output "Copying image locally"
+ Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+ Write-Output "Finished copying image locally"
+} else {
+ Write-Output "Downloading image from a remote server"
+ Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+ Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..
diff --git a/vms/spin-c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px.ps1 b/vms/spin-c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px.ps1
new file mode 100644
index 0000000..6600fd2
--- /dev/null
+++ b/vms/spin-c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px.ps1
@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/c3d16106-8ba0-4a9e-a1c1-e4d32b841503/c3d16106-8ba0-4a9e-a1c1-e4d32b841503-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px"
+$password = "6a543ecd-0114-4d44-a599-36903008709f"
+
+$vmnet = "DigitalyOcean_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "DIGITALOCEAN_c3d16106-8ba0-4a9e-a1c1-e4d32b841503"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+ Write-Output "Copying image locally"
+ Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+ Write-Output "Finished copying image locally"
+} else {
+ Write-Output "Downloading image from a remote server"
+ Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+ Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..
diff --git a/vms/spinner-386.exe b/vms/spinner-386.exe
new file mode 100644
index 0000000..f14538d
Binary files /dev/null and b/vms/spinner-386.exe differ
diff --git a/vms/spinner-amd64.exe b/vms/spinner-amd64.exe
new file mode 100644
index 0000000..f180161
Binary files /dev/null and b/vms/spinner-amd64.exe differ
diff --git a/vms/tmp/alpine-seed.iso b/vms/tmp/alpine-seed.iso
new file mode 100644
index 0000000..1cad8c5
Binary files /dev/null and b/vms/tmp/alpine-seed.iso differ