1

outline.txt

@@ -0,0 +1,119 @@
+Hey Everybody,
+
+I have seen couple free proxy providers like:
+Urban vpn
+Nord vpn
+Clearvpn
+
+And couple other proxy services.
+
+A long time ago I wrote the article:
+A Proxy for each Internet user! The future!
+
+https://www1.ngtech.co.il/wpe/2016/05/02/proxy-per-internet-user-is-it-realistic/
+
+And I was just wondering to myself a thing or two about http proxies.
+
+Most of the VPN services use and support OpenVPN, wireguard and other vpn services on the route level.
+These are simple and needs some kinds of "smart" CGNAT to operate and are cheaper than a http proxy since the it works in the lower
+level of the connection.
+For example, you can give a static private IP to the client in your system and apply all the relevant routing and NAT rules and the connection
+will be initiated automatically with the relevant external IP.
+Also, if you need an IP address you can just spin an "exit" node on any public cloud and add it into the pool of routes.
+
+But there is another option, the proxy way of things.
+Either socks or plain HTTP Proxy..
+
+But let start with a proxy to simplify things.
+
+Let say I want to spin couple squid "exit" nodes and I would like to have a frontend that will route traffic based on authentication details.
+I have seen an answer which is un-verified since 2013 at:
+https://access.redhat.com/solutions/259903
+
+To make it all work we first need to assume that 
+bever_direct allow all
+
+will force all CONNECT requests to a cache_peer (since there aren't too many plain http services else then MS updates and couple others).
+
+There is also another problem, how do we route clients based on credentials from a frontend to the backend exit nodes / cache peers?
+
+There are couple issues in this kinds of setup.
+Since the client connects to the proxy service in plain text it can be intercepted so we will assume that the user can access some securely to the proxy.
+IE Wireguard or OpenVPN or SSTP or other IPSEC based solution which or any other alternative method like a Trusted network...
+
+The next step in this setup is securing the connections between the proxies.
+For this we need to use some kind of network of connection between the Hub or Hubs to the exit nodes.
+If both the HUB and the exit node has a public IP address behind a 1:1 nat and can communicate directly they can use Wireguard or OpenVPN to secure their connections.
+There are couple other things that need to be sorted and these are the provisioning of the exit nodes and their registration and status check each.
+Any of the HUBs need to be able to handle couple of these tasks with a bit of automation and couple uuid generators.
+
+I wanted to build such a tiny setup but I lack couple things for the specs for such a system.
+I have seen this nice post:
+* https://www.blackhatworld.com/seo/developer-needed-to-build-scripts-to-create-proxies-using-haproxy-or-squid-advanced-expertise-required.1300167/
+
+So I am trying to mimic a WWW net.
+The first thing is to have two to three ipconfig.io nodes which will have a very tiny foot print that I will use to test the setup.
+The next thing is the basic WWW net ie couple sites with BGP each will have a /24(?) CIDR behind them and a central /24(?) for all of them.
+Since it's a lab it's preferable that all these will have a very small resources foot print.
+We can use a simple containers network and use the next piece of software:
+* https://github.com/georgyo/ifconfig.io
+* https://hub.docker.com/r/elicro/ifconfig.io
+
+For the tests we might need a root CA but not really relevant since -k is good enough for most basic tests with curl since... we assume the connection is secured already.
+
+Networks the we can use, private only(?):
+192.168.0.0/16
+10.0.0.0/8
+172.16. 0.0/12
+
+We can use also use CGNAT cidr:
+100.64.0.0/10
+
+* https://www.rfc-editor.org/rfc/rfc6598
+
+And just for theses who need:
+* https://www.ngtech.co.il/ipcalc/
+* https://hub.docker.com/r/elicro/ipcalc
+
+
+So we will need first one central hub for automation registry and management.
+It will use couple internal CIDRs and couple 1:1 nat address spaces.
+
+The end result should be couple tiny clients that will run couple curl tests with usename and password that will be the routing vector for the setup.
+So we will have one main HUB and this hub will have 1 port that will listen to all proxy requests with username and passwords.
+So basically we need an office and an internet connection, an idea and all the automation tools to implement it.
+Currently AWS and many other providers have enough automation tools that can remove some of the heavy lifting off the table.
+So now for the DB and registration system.
+For each exit node we need a uuid and couple specific services.
+* health check
+* external ip verification
+* registration against the hub
+* VPN to the central HUB? (complexity.. but flexibility for the NAT connection tracking limit of the OFFICE/Proxy IP)
+
+In the central office we need let say port 10000 a http proxy in port which will be port forwarded to a single squid proxy server with a floating ip and redundant server.
+If we would have a secure channel between the proxies and the central office it will be much simple to register new proxies 
+(Assuming each proxy receives the uuid and registration and VPN details in it's cloud-init or any other initialization method)
+
+So we would have a DB which will hold a uuid and configuration details prepared before for the registration and health checks and status.
+
+The squid.conf of the proxy should be created dynamically since there are changes in the network....
+Unless we assume a specific capacity and an internal connection between the HUB and the proxy.
+If we assume an internal connection between the HUB and the proxies we can dedicate a cidr for the proxies.
+Then we can create a pretty "static" squid.conf (a big one..) and we can change the configuration in the DB so
+helpers will help us decide which proxy is up or down and which of the static cache_peers a user name and password will use.
+
+What do you think about this? How will it work?
+Squid can handle this kind of load with couple workers and couple scripts but to create such a setup, it’s a bit of a job.
+Let say I will assume a network of proxies with 10 proxies which will spin up and down, how will it work????
+How much resources are required to run test such a setup?
+
+I believe a demo can all be done on a linux network namespaces on a single node setup but it's not like real world...
+What OS will you use in such a setup?
+These days any linux OS requires at-least 512 MB of RAM to spin nicely so I assume an Alpine based setup would be nice but...
+It's not like RHEL systems, There are scripts that should be written and supervised to be used (compared to systemd) etc...
+
+Let me know if the script I wrote seems reasonable enough.
+
+( 6.0.3 here I'm coming, here since 3.2 beta )
+
+Eliezer

vms/build-cloud-init-alpine/build.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+export DEBIAN_FRONTEND=noninteractive
+
+# install ubuntu dependenices for image building
+apt update
+apt install -y libvirt-daemon qemu-utils qemu wget genisoimage
+
+wget https://raw.githubusercontent.com/alpinelinux/alpine-make-vm-image/master/alpine-make-vm-image -O alpine-make-vm-image
+chmod +x alpine-make-vm-image
+echo '0d5d3e375cb676d6eb5c1a52109a3a0a8e4cd7ac  alpine-make-vm-image' | sha1sum -c 
+if [ "$?" -gt "0" ];then
+	echo "alpine-make-vm-image checksum is bad, check for an update at:"
+	echo "https://github.com/alpinelinux/alpine-make-vm-image"
+	exit 1
+fi
+
+PACKAGES_FILE="os/packages"
+INIT_SCRIPT="os/configure.sh"
+IMAGES_FILENAME="alpine_cloud_init_vm.qcow2"
+ALPINE_BRANCH="3.17"
+DISK_SIZE="20G"
+IMAGE_FORMAT="qcow2"
+
+bash alpine-make-vm-image -b ${ALPINE_BRANCH} -p "$( cat ${PACKAGES_FILE} | xargs) " -s ${DISK_SIZE} -f ${IMAGE_FORMAT} ${IMAGES_FILENAME} --script-chroot ${INIT_SCRIPT}
+
+cd seed
+mkisofs -output ../alpine-cloud-init-data.iso -volid cidata -joliet -rock user-data meta-data
+cd -

vms/build-cloud-init-alpine/os/configure.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+
+_step_counter=0
+step() {
+	_step_counter=$(( _step_counter + 1 ))
+	printf '\n\033[1;36m%d) %s\033[0m\n' $_step_counter "$@" >&2  # bold cyan
+}
+
+
+step 'Set up timezone'
+setup-timezone -z Asia/Jerusalem
+
+#step 'Set up keymap'
+#setup-keymap fr fr-azerty
+
+step 'Set up networking'
+cat > /etc/network/interfaces <<-EOF
+	auto lo
+	iface lo inet loopback
+
+	auto eth0
+	iface eth0 inet dhcp
+EOF
+
+# FIXME: remove root and alpine password
+step 'Set cloud configuration'
+sed -e '/disable_root:/ s/true/false/' \
+	-e '/ssh_pwauth:/ s/0/no/' \
+    -e '/name: alpine/a \     passwd: "*"' \
+    -e '/lock_passwd:/ s/True/False/' \
+    -i /etc/cloud/cloud.cfg
+
+# To have oh-my-zsh working on first boot
+cat >> /etc/cloud/cloud.cfg <<EOF
+EOF
+
+step 'Allow only key based ssh login'
+sed -e '/PermitRootLogin yes/d' \
+    -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/' \
+    -e 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' \
+    -i /etc/ssh/sshd_config
+
+# Terraform and github actions need ssh-rsa as accepted algorithm
+# The ssh client needs to be updated (see https://www.openssh.com/txt/release-8.8)
+echo "PubkeyAcceptedKeyTypes=+ssh-rsa" >> /etc/ssh/sshd_config
+
+step 'Remove password for users'
+usermod -p '*' root
+
+step 'Adjust rc.conf'
+sed -Ei \
+	-e 's/^[# ](rc_depend_strict)=.*/\1=NO/' \
+	-e 's/^[# ](rc_logger)=.*/\1=YES/' \
+	-e 's/^[# ](unicode)=.*/\1=YES/' \
+	/etc/rc.conf
+
+# see https://gitlab.alpinelinux.org/alpine/aports/-/issues/8861
+step 'Enable cloud-init configuration via NoCloud iso image'
+
+echo "iso9660" >> /etc/filesystems
+
+step 'Enable services'
+/sbin/rc-update add acpid default
+/sbin/rc-update add chronyd default
+/sbin/rc-update add crond default
+/sbin/rc-update add networking boot
+/sbin/rc-update add termencoding boot
+/sbin/rc-update add sshd default
+/sbin/rc-update add cloud-init default
+/sbin/rc-update add cloud-config default
+/sbin/rc-update add cloud-final default

vms/build-cloud-init-alpine/os/packages

@@ -0,0 +1,16 @@
+acpi
+curl
+wget
+htop
+bash
+ca-certificates
+chrony
+cloud-init
+e2fsprogs-extra
+less
+logrotate
+openssh
+py3-netifaces
+py3-pyserial
+ssl_client
+sudo

vms/build-cloud-init-alpine/os/repositories

@@ -0,0 +1,3 @@
+http://dl-cdn.alpinelinux.org/alpine/v3.17/main
+http://dl-cdn.alpinelinux.org/alpine/v3.17/community
+http://dl-cdn.alpinelinux.org/alpine/edge/testing

vms/build-cloud-init-alpine/scripts/spin-vm.ps1

@@ -0,0 +1,6 @@
+$vmname = Get-Content .\vmname -First 1
+$vmnet = Get-Content .\vmnet -First 1
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath .\alpine-openstack.vhdx -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path .\alpine-seed.iso
+Start-VM $vmname

vms/build-cloud-init-alpine/seed/meta-data

@@ -0,0 +1,2 @@
+instance-id: iid-local01
+local-hostname: cloudimg

vms/build-cloud-init-alpine/seed/user-data

@@ -0,0 +1,4 @@
+#cloud-config
+password: passw0rd
+chpasswd: { expire: False }
+ssh_pwauth: True

vms/images/update-images.ps1

@@ -0,0 +1,4 @@
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/AlmaLinux-8-GenericCloud-latest.x86_64.vhdx" -OutFile "AlmaLinux-8-GenericCloud-latest.x86_64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx" -OutFile "jammy-server-cloudimg-amd64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/debian-11-generic-amd64.vhdx" -OutFile "debian-11-generic-amd64.vhdx"
+Invoke-WebRequest -Uri "http://www.ngtech.co.il/static/cloud-images/debian-12-generic-amd64.vhdx" -OutFile "debian-12-generic-amd64.vhdx"

vms/px-001-Office-DB/Vagrantfile

@@ -0,0 +1,99 @@
+
+$ENALBE_SYNC_FOLDER = false
+
+$ENALBE_SYNC_FOLDER = true if File.exist?("sync_shared")
+
+if File.exist?("net1")
+	$HOST_NET_1 =  File.readlines('net1').first.chomp
+end
+
+if File.exist?("net2")
+	$HOST_NET_2 =  File.readlines('net2').first.chomp
+end
+
+if File.exist?("net3")
+	$HOST_NET_3 =  File.readlines('net3').first.chomp
+end
+
+if File.exist?("net4")
+	$HOST_NET_4 =  File.readlines('net4').first.chomp
+end
+
+$VM_NAME = File.readlines('vmname').first.chomp
+$VM_MEM = File.readlines('vmmem').first.chomp.to_i
+$VM_VCPU = File.readlines('vmcpu').first.chomp.to_i
+
+$BOX = File.readlines('box').first.chomp
+
+$HOSTNAME = File.readlines('hostname').first.chomp if File.exist?("hostname")
+
+
+# Will not work on Hyper-V
+#$VM_DISK_SIZE = File.readlines('disksize').first.chomp
+
+
+$PROVISION_SSH_KEY_SCRIPT=<<EOF
+mkdir -p /root/.ssh
+chmod 0700 /root/.ssh
+cat /home/vagrant/.ssh/vagrant.pub >> /root/.ssh/authorized_keys
+chmod 0600 /root/.ssh/authorized_keys
+chown root:root -R /root/.ssh
+mkdir -p /home/vagrant/.ssh
+chmod 0700 /home/vagrant/.ssh
+echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys
+chmod 0600 /home/vagrant/.ssh/authorized_keys
+chown vagrant:vagrant -R /home/vagrant/.ssh
+EOF
+
+
+Vagrant.configure("2") do |config|
+  config.vm.box = $BOX
+
+## Remember to generate the vagrant private key.
+## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant
+
+  config.ssh.insert_key = false
+  config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ]
+
+  config.vm.provider "hyperv" do |hv, override|
+    hv.vmname = $VM_NAME
+    hv.maxmemory = $VM_MEM
+    hv.memory = $VM_MEM
+    hv.cpus = $VM_VCPU
+    override.vm.allowed_synced_folder_types = [:rsync]
+  end
+
+if $HOST_NET_1 and !$HOST_NET_1.empty?
+  config.vm.network "public_network", bridge: $HOST_NET_1
+end
+
+if $HOST_NET_2 and !$HOST_NET_2.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_2
+end
+
+if $HOST_NET_3 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_3
+end
+
+if $HOST_NET_4 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_4
+end
+
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.synced_folder "shared/", "/vagrant", type: "rsync"
+end
+
+if !$HOSTNAME.empty?
+  config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}"
+end
+
+  config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub"
+  config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true"
+end
+
+end

vms/px-001-Office-DB/box

@@ -0,0 +1 @@
+generic/debian11

vms/px-001-Office-DB/hostname

@@ -0,0 +1 @@
+px-001-Office-DB

vms/px-001-Office-DB/net1

@@ -0,0 +1 @@
+OpenWRT-LAN

vms/px-001-Office-DB/net2

@@ -0,0 +1 @@
+proxy_office

vms/px-001-Office-DB/shared/init.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+export DEBIAN_FRONTEND="noninteractive"
+
+# Upgrading system
+apt update
+apt upgrade -y
+
+# Install Software
+apt install -y mariadb-server htop iptstate iptables conntrack tcpdump
+
+# Configure Software
+sed -i -e "s@^bind-address            =.*@bind-address            = 0.0.0.0@g" /etc/mysql/mariadb.conf.d/50-server.cnf
+
+systemctl restart mariadb.service
+
+cat <<EOF | mysql
+CREATE USER 'admin'@'localhost' IDENTIFIED BY 'gFrKmVjPr8WX3kDK4X8Phw4vSZkQnRk4gT9QWqGs';
+GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;
+CREATE USER 'admin'@'%' IDENTIFIED BY 'gFrKmVjPr8WX3kDK4X8Phw4vSZkQnRk4gT9QWqGs';
+GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
+SHOW GRANTS FOR admin;
+FLUSH PRIVILEGES;
+EOF

vms/px-001-Office-DB/sync_shared

@@ -0,0 +1 @@
+

vms/px-001-Office-DB/vmcpu

@@ -0,0 +1 @@
+2

vms/px-001-Office-DB/vmmem

@@ -0,0 +1 @@
+2048

vms/px-001-Office-DB/vmname

@@ -0,0 +1 @@
+px-001-Office-DB

vms/px-002-Office-Web/Vagrantfile

@@ -0,0 +1,99 @@
+
+$ENALBE_SYNC_FOLDER = false
+
+$ENALBE_SYNC_FOLDER = true if File.exist?("sync_shared")
+
+if File.exist?("net1")
+	$HOST_NET_1 =  File.readlines('net1').first.chomp
+end
+
+if File.exist?("net2")
+	$HOST_NET_2 =  File.readlines('net2').first.chomp
+end
+
+if File.exist?("net3")
+	$HOST_NET_3 =  File.readlines('net3').first.chomp
+end
+
+if File.exist?("net4")
+	$HOST_NET_4 =  File.readlines('net4').first.chomp
+end
+
+$VM_NAME = File.readlines('vmname').first.chomp
+$VM_MEM = File.readlines('vmmem').first.chomp.to_i
+$VM_VCPU = File.readlines('vmcpu').first.chomp.to_i
+
+$BOX = File.readlines('box').first.chomp
+
+$HOSTNAME = File.readlines('hostname').first.chomp if File.exist?("hostname")
+
+
+# Will not work on Hyper-V
+#$VM_DISK_SIZE = File.readlines('disksize').first.chomp
+
+
+$PROVISION_SSH_KEY_SCRIPT=<<EOF
+mkdir -p /root/.ssh
+chmod 0700 /root/.ssh
+cat /home/vagrant/.ssh/vagrant.pub >> /root/.ssh/authorized_keys
+chmod 0600 /root/.ssh/authorized_keys
+chown root:root -R /root/.ssh
+mkdir -p /home/vagrant/.ssh
+chmod 0700 /home/vagrant/.ssh
+echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys
+chmod 0600 /home/vagrant/.ssh/authorized_keys
+chown vagrant:vagrant -R /home/vagrant/.ssh
+EOF
+
+
+Vagrant.configure("2") do |config|
+  config.vm.box = $BOX
+
+## Remember to generate the vagrant private key.
+## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant
+
+  config.ssh.insert_key = false
+  config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ]
+
+  config.vm.provider "hyperv" do |hv, override|
+    hv.vmname = $VM_NAME
+    hv.maxmemory = $VM_MEM
+    hv.memory = $VM_MEM
+    hv.cpus = $VM_VCPU
+    override.vm.allowed_synced_folder_types = [:rsync]
+  end
+
+if $HOST_NET_1 and !$HOST_NET_1.empty?
+  config.vm.network "public_network", bridge: $HOST_NET_1
+end
+
+if $HOST_NET_2 and !$HOST_NET_2.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_2
+end
+
+if $HOST_NET_3 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_3
+end
+
+if $HOST_NET_4 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_4
+end
+
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.synced_folder "shared/", "/vagrant", type: "rsync"
+end
+
+if !$HOSTNAME.empty?
+  config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}"
+end
+
+  config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub"
+  config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true"
+end
+
+end

vms/px-002-Office-Web/box

@@ -0,0 +1 @@
+generic/alma8

vms/px-002-Office-Web/hostname

@@ -0,0 +1 @@
+px-002-Office-Web

vms/px-002-Office-Web/net

@@ -0,0 +1 @@
+VMs_OUT

vms/px-002-Office-Web/net1

@@ -0,0 +1 @@
+OpenWRT-LAN

vms/px-002-Office-Web/net2

@@ -0,0 +1 @@
+proxy_office

vms/px-002-Office-Web/shared/init.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Disabling selinux
+sed -i -e "s@^SELINUX=.*@SELINUX=disabled@g" /etc/selinux/config
+grubby --update-kernel ALL --args selinux=0
+setenforce 0
+
+# Updating OS
+dnf update -y
+
+# Installing basic dependencies
+dnf install -y epel-release
+/usr/bin/crb enable
+
+dnf install -y git wget curl bash-completion vim make
+
+dnf module reset ruby mariadb php -y
+dnf module enable ruby:3.1 mariadb:10.5 php:8.0 -y
+
+dnf install -y httpd php php-fpm php-mysqlnd ruby ruby-devel rubygem-mysql2 rubygem-irb python3.11 python3.11-devel python3.11-pip
+dnf install -y mariadb-server
+dnf install -y podman htop tree
+
+update-alternatives --set python3 /usr/bin/python3.11
+
+python3 -m pip install --upgrade pip
+
+systemctl start httpd mariadb podman php-fpm
+systemctl enable httpd mariadb podman php-fpm
+
+firewall-cmd --add-service=http --permanent
+firewall-cmd --add-service=https --permanent
+
+firewall-cmd --reload

vms/px-002-Office-Web/sync_shared

@@ -0,0 +1 @@
+

vms/px-002-Office-Web/vmcpu

@@ -0,0 +1 @@
+2

vms/px-002-Office-Web/vmmem

@@ -0,0 +1 @@
+2048

vms/px-002-Office-Web/vmname

@@ -0,0 +1 @@
+px-002-Office-Web

vms/px-003-Office-PX-Frontend/Vagrantfile

@@ -0,0 +1,99 @@
+
+$ENALBE_SYNC_FOLDER = false
+
+$ENALBE_SYNC_FOLDER = true if File.exist?("sync_shared")
+
+if File.exist?("net1")
+	$HOST_NET_1 =  File.readlines('net1').first.chomp
+end
+
+if File.exist?("net2")
+	$HOST_NET_2 =  File.readlines('net2').first.chomp
+end
+
+if File.exist?("net3")
+	$HOST_NET_3 =  File.readlines('net3').first.chomp
+end
+
+if File.exist?("net4")
+	$HOST_NET_4 =  File.readlines('net4').first.chomp
+end
+
+$VM_NAME = File.readlines('vmname').first.chomp
+$VM_MEM = File.readlines('vmmem').first.chomp.to_i
+$VM_VCPU = File.readlines('vmcpu').first.chomp.to_i
+
+$BOX = File.readlines('box').first.chomp
+
+$HOSTNAME = File.readlines('hostname').first.chomp if File.exist?("hostname")
+
+
+# Will not work on Hyper-V
+#$VM_DISK_SIZE = File.readlines('disksize').first.chomp
+
+
+$PROVISION_SSH_KEY_SCRIPT=<<EOF
+mkdir -p /root/.ssh
+chmod 0700 /root/.ssh
+cat /home/vagrant/.ssh/vagrant.pub >> /root/.ssh/authorized_keys
+chmod 0600 /root/.ssh/authorized_keys
+chown root:root -R /root/.ssh
+mkdir -p /home/vagrant/.ssh
+chmod 0700 /home/vagrant/.ssh
+echo /home/vagrant/.ssh/vagrant.pub >> /home/vagrant/.ssh/authorized_keys
+chmod 0600 /home/vagrant/.ssh/authorized_keys
+chown vagrant:vagrant -R /home/vagrant/.ssh
+EOF
+
+
+Vagrant.configure("2") do |config|
+  config.vm.box = $BOX
+
+## Remember to generate the vagrant private key.
+## ssh-keygen -f C:\Users\eliezer\.ssh\vagrant
+
+  config.ssh.insert_key = false
+  config.ssh.private_key_path = ['~/.ssh/vagrant', '~/.vagrant.d/insecure_private_key' ]
+
+  config.vm.provider "hyperv" do |hv, override|
+    hv.vmname = $VM_NAME
+    hv.maxmemory = $VM_MEM
+    hv.memory = $VM_MEM
+    hv.cpus = $VM_VCPU
+    override.vm.allowed_synced_folder_types = [:rsync]
+  end
+
+if $HOST_NET_1 and !$HOST_NET_1.empty?
+  config.vm.network "public_network", bridge: $HOST_NET_1
+end
+
+if $HOST_NET_2 and !$HOST_NET_2.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_2
+end
+
+if $HOST_NET_3 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_3
+end
+
+if $HOST_NET_4 and !$HOST_NET_4.empty?
+  config.vm.network "private_network", bridge: $HOST_NET_4
+end
+
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.synced_folder "shared/", "/vagrant", type: "rsync"
+end
+
+if !$HOSTNAME.empty?
+  config.vm.provision 'shell', inline: "hostnamectl set-hostname #{$HOSTNAME}"
+end
+
+  config.vm.provision "file", source: "~/.ssh/vagrant.pub", destination: "/home/vagrant/.ssh/vagrant.pub"
+  config.vm.provision 'shell', inline: $PROVISION_SSH_KEY_SCRIPT
+
+if $ENALBE_SYNC_FOLDER  == true
+  config.vm.provision 'shell', inline: "stat /vagrant/init.sh && cd /vagrant && bash init.sh;true"
+end
+
+end

vms/px-003-Office-PX-Frontend/box

@@ -0,0 +1 @@
+generic/alma8

vms/px-003-Office-PX-Frontend/hostname

@@ -0,0 +1 @@
+px-003-Office-PX-Frontend

vms/px-003-Office-PX-Frontend/net1

@@ -0,0 +1 @@
+OpenWRT-LAN

vms/px-003-Office-PX-Frontend/net2

@@ -0,0 +1 @@
+proxy_office

vms/px-003-Office-PX-Frontend/shared/init.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+# Disabling selinux
+sed -i -e "s@^SELINUX=.*@SELINUX=disabled@g" /etc/selinux/config
+grubby --update-kernel ALL --args selinux=0
+setenforce 0
+
+# Updating OS
+dnf update -y
+
+# Installing basic dependencies
+dnf install -y epel-release
+/usr/bin/crb enable
+
+dnf install -y git wget curl bash-completion vim make
+
+dnf module reset ruby mariadb php -y
+dnf module enable ruby:3.1 mariadb:10.5 php:8.0 -y
+
+dnf install -y httpd php php-fpm php-mysqlnd ruby ruby-devel rubygem-mysql2 rubygem-irb python3.11 python3.11-devel python3.11-pip
+dnf install -y mariadb-server
+dnf install -y podman htop tree mkisofs
+
+update-alternatives --set python3 /usr/bin/python3.11
+
+python3 -m pip install --upgrade pip
+
+sed -i -e "s@AllowOverride None@AllowOverride All@g" -e "s@AllowOverride none@AllowOverride all@g" /etc/httpd/conf/httpd.conf
+sed -i -e "s@^IndexOptions.*@IndexOptions FancyIndexing HTMLTable VersionSort namewidth=\* htmltable charset=utf-8@g" /etc/httpd/conf.d/autoindex.conf
+
+systemctl start httpd mariadb podman php-fpm
+systemctl enable httpd mariadb podman php-fpm
+
+mkdir -p /opt/src
+wget http://www.ngtech.co.il/repo/alma/8/x86_64/squid-5.9-1.el8.x86_64.rpm -O /opt/src/squid-5.9-1.el8.x86_64.rpm
+wget http://www.ngtech.co.il/repo/alma/8/x86_64/squid-helpers-5.9-1.el8.x86_64.rpm -O /opt/src/squid-helpers-5.9-1.el8.x86_64.rpm
+
+dnf localinstall -y /opt/src/squid-5.9-1.el8.x86_64.rpm /opt/src/squid-5.9-1.el8.x86_64.rpm
+
+firewall-cmd --add-service=http --permanent
+firewall-cmd --add-service=https --permanent
+firewall-cmd --add-port=3128/tcp --permanent
+firewall-cmd --add-port=23128/tcp --permanent
+
+firewall-cmd --reload
+
+# Installing Wireguard
+dnf install -y elrepo-release
+dnf install -y kmod-wireguard wireguard-tools
+
+mkdir -p /etc/wireguard
+
+stat /etc/wireguard/wireguard.key || (
+umask 077 | wg genkey | tee /etc/wireguard/wireguard.key
+wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key
+)
+cat /etc/wireguard/wireguard.pub.key 
+
+cat <<EOF > /etc/wireguard/wg0.conf
+[Interface]
+Address = 100.20.20.1/24
+SaveConfig = true
+ListenPort = 51820
+PrivateKey = $(cat /etc/wireguard/wireguard.pub.key |head -1 )
+EOF
+echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf.d/050-wg.conf
+
+sysctl --system
+
+systemctl start wg-quick@wg0
+systemctl status wg-quick@wg0 --no-pager
+
+echo "Example command for adding a peer key to the wg0 interface"
+echo "wg set wg0 peer <client public key> allowed-ips 10.10.10.<client VPN network IP>"
+
+firewall-cmd --add-port=51820/udp --permanent
+firewall-cmd --reload

vms/px-003-Office-PX-Frontend/sync_shared

@@ -0,0 +1 @@
+

vms/px-003-Office-PX-Frontend/vmcpu

@@ -0,0 +1 @@
+2

vms/px-003-Office-PX-Frontend/vmmem

@@ -0,0 +1 @@
+2048

vms/px-003-Office-PX-Frontend/vmname

@@ -0,0 +1 @@
+px-003-Office-PX-Frontend

vms/scripts/spin-vm.ps1

@@ -0,0 +1,6 @@
+$vmname = Get-Content .\vmname -First 1
+$vmnet = Get-Content .\vmnet -First 1
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath .\alpine-openstack.vhdx -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path .\alpine-seed.iso
+Start-VM $vmname

vms/spin-183f199c-bdc6-408a-8286-d04afc3ab0f9_px.ps1

@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/183f199c-bdc6-408a-8286-d04afc3ab0f9/183f199c-bdc6-408a-8286-d04afc3ab0f9-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "183f199c-bdc6-408a-8286-d04afc3ab0f9_px"
+$password = "ca43b9de-4d37-4c4e-be91-80148f823f01"
+
+$vmnet = "DigitalyOcean_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "DIGITALOCEAN_183f199c-bdc6-408a-8286-d04afc3ab0f9"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+	Write-Output "Copying image locally"
+	Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+	Write-Output "Finished copying image locally"
+} else {
+	Write-Output "Downloading image from a remote server"
+	Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+	Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..

vms/spin-4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px.ps1

@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/4f936f1e-a410-4681-b4ec-daa8ec44c9e1/4f936f1e-a410-4681-b4ec-daa8ec44c9e1-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "4f936f1e-a410-4681-b4ec-daa8ec44c9e1_px"
+$password = "a5da948a-1e0a-4a84-8c0b-359fb234d1a6"
+
+$vmnet = "Alibaba_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "ALIBABA_4f936f1e-a410-4681-b4ec-daa8ec44c9e1"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+	Write-Output "Copying image locally"
+	Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+	Write-Output "Finished copying image locally"
+} else {
+	Write-Output "Downloading image from a remote server"
+	Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+	Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..

vms/spin-a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px.ps1

@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/a9d4ca52-ebb0-4d12-a885-d1bf142f5726/a9d4ca52-ebb0-4d12-a885-d1bf142f5726-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "a9d4ca52-ebb0-4d12-a885-d1bf142f5726_px"
+$password = "e5020a9d-2b68-4740-a686-49f4a7335179"
+
+$vmnet = "AWS_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "AWS_a9d4ca52-ebb0-4d12-a885-d1bf142f5726"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+	Write-Output "Copying image locally"
+	Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+	Write-Output "Finished copying image locally"
+} else {
+	Write-Output "Downloading image from a remote server"
+	Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+	Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..

vms/spin-afca9258-834c-4c5b-be3c-11a52ec7edbf_px.ps1

@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/debian-12-generic-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/afca9258-834c-4c5b-be3c-11a52ec7edbf/afca9258-834c-4c5b-be3c-11a52ec7edbf-cloud-init-data.iso"
+$imageFileName = "debian-12-generic-amd64.vhdx"
+
+$user = "afca9258-834c-4c5b-be3c-11a52ec7edbf_px"
+$password = "aab51b40-0a9f-42bd-802a-7a23fcccade5"
+
+$vmnet = "DigitalyOcean_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "DIGITALOCEAN_afca9258-834c-4c5b-be3c-11a52ec7edbf"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+	Write-Output "Copying image locally"
+	Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+	Write-Output "Finished copying image locally"
+} else {
+	Write-Output "Downloading image from a remote server"
+	Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+	Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..

vms/spin-c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px.ps1

@@ -0,0 +1,42 @@
+$imageUrl = "http://www.ngtech.co.il/static/cloud-images/jammy-server-cloudimg-amd64.vhdx"
+$seedUrl = "http://10.50.1.100/config/c3d16106-8ba0-4a9e-a1c1-e4d32b841503/c3d16106-8ba0-4a9e-a1c1-e4d32b841503-cloud-init-data.iso"
+$imageFileName = "jammy-server-cloudimg-amd64.vhdx"
+
+$user = "c3d16106-8ba0-4a9e-a1c1-e4d32b841503_px"
+$password = "6a543ecd-0114-4d44-a599-36903008709f"
+
+$vmnet = "DigitalyOcean_Cloud1"
+
+$userPassPair = $user + ":" + $password
+
+$vmdisk = ".\px-sys-disk.vhdx"
+
+$vmseed = ".\seed.iso"
+
+$vmname = "DIGITALOCEAN_c3d16106-8ba0-4a9e-a1c1-e4d32b841503"
+
+
+mkdir $vmname
+cd $vmname
+
+if ( Test-Path("..\images\" + $imageFileName)) {
+	Write-Output "Copying image locally"
+	Copy-Item ("..\images\" + $imageFileName) -Destination $vmdisk
+	Write-Output "Finished copying image locally"
+} else {
+	Write-Output "Downloading image from a remote server"
+	Invoke-WebRequest -Uri $imageUrl -OutFile $vmdisk
+	Write-Output "Finished downloading image from a remote server"
+}
+
+Write-Output "Downloading seed image from a remote server"
+
+Invoke-WebRequest -Uri $seedUrl -OutFile $vmseed -Headers @{ Authorization = "Basic "+ [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userPassPair)) }
+
+Write-Output "Finished downloading seed image from a remote server"
+
+New-VM -Name $vmname -MemoryStartupBytes 2GB -Path . -BootDevice VHD -VHDPath $vmdisk -SwitchName $vmnet -Generation 1
+Set-VMDvdDrive -VMName $vmname -Path $vmseed
+
+Start-VM $vmname
+cd ..