From f8a59b9720fd5d6d51176b20cfe2912a0ce63a4d Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 10 Mar 2022 11:53:40 -0600
Subject: [PATCH 01/19] WIP Use clearnet connections for clearnet LND nodes

---
 site-cookbooks/kosmos-bitcoin/attributes/default.rb | 8 ++++++--
 site-cookbooks/kosmos-bitcoin/recipes/lnd.rb | 1 +
 site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb | 4 ++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 39756a5..986724f 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -48,9 +48,13 @@ node.default['lnd']['public_ip'] = '148.251.237.111'
 node.default['lnd']['public_port'] = '9735'
 node.default['lnd']['port'] = '9736'
 node.default['lnd']['minchansize'] = '1000000'
-node.default['lnd']['basefee'] = '1000'
-node.default['lnd']['feerate'] = '50'
+node.default['lnd']['basefee'] = '100'
+node.default['lnd']['feerate'] = '10'
 node.default['lnd']['auto_unlock'] = true # requires credentials/lnd data bag item
+node.default['lnd']['tor'] = {
+  'streamisolation' => 'false',
+  'skip-proxy-for-clearnet-targets' => 'true'
+}
 
 node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
 node.default['boltz']['revision'] = 'v1.2.6'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index b3776bc..a1f166e 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -61,6 +61,7 @@ template "#{lnd_dir}/lnd.conf" do
   lnd_basefee: node['lnd']['basefee'],
   lnd_feerate: node['lnd']['feerate'],
   lnd_dir: lnd_dir,
+  lnd_tor: node['lnd']['tor'],
   auto_unlock: node['lnd']['auto_unlock'],
   bitcoin_datadir: node['bitcoin']['datadir'],
   bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
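Review bot: The new `node.default['lnd']['tor']` hash carries no comment on what it changes: with `'skip-proxy-for-clearnet-targets' => 'true'` lnd dials clearnet peers directly instead of through the Tor proxy, so those peers see the host's own address, and `'streamisolation' => 'false'` disables per-connection stream isolation for the connections that do go over Tor. A line such as `# Dial clearnet peers directly (reveals this node's IP) - only for nodes that already advertise public_ip` above the hash records the intent the commit subject states and stops the setting from being copied to a Tor-only node by accident. The `basefee`/`feerate` changes in the same hunk are unrelated to the Tor setting and would be easier to audit as their own commit. The values are strings to match the other lnd attributes in this file, which lnd.conf.erb then interpolates as-is.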
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb index 57c7caf..b30ebc4 100644 --- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb +++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb @@ -25,3 +25,7 @@ bitcoind.rpcuser=<%= @bitcoin_rpc_user %> bitcoind.rpcpass=<%= @bitcoin_rpc_password %> bitcoind.zmqpubrawblock=<%= @bitcoin_zmqpubrawblock %> bitcoind.zmqpubrawtx=<%= @bitcoin_zmqpubrawtx %> + +[tor] +tor.streamisolation=<%= @lnd_tor['streamisolation'] %> +tor.skip-proxy-for-clearnet-targets=<%= @lnd_tor['skip-proxy-for-clearnet-targets'] %> From b78e6685ed2cba8bae25c490488ef39e937caa4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 18 Oct 2022 18:43:21 +0200 Subject: [PATCH 02/19] Add kvm_guest role to VMs on fornax --- nodes/discourse-2.json | 8 ++++-- nodes/drone-1.json | 7 +++-- nodes/ejabberd-8.json | 3 +- nodes/fornax.kosmos.org.json | 2 ++ nodes/gitea-2.json | 7 +++-- nodes/jitsi-meet-1.json | 55 ++++++++++++++++++++++++++++++++++++ nodes/mastodon-3.json | 10 ++++--- nodes/nodejs-4.json | 3 ++ nodes/postgres-4.json | 3 ++ nodes/rs-discourse-1.json | 9 ++++-- nodes/rsk-mainnet-2.json | 9 ++++-- nodes/rsk-testnet-3.json | 9 ++++-- 12 files changed, 105 insertions(+), 20 deletions(-) create mode 100644 nodes/jitsi-meet-1.json diff --git a/nodes/discourse-2.json b/nodes/discourse-2.json index 8db4677..5f16686 100644 --- a/nodes/discourse-2.json +++ b/nodes/discourse-2.json @@ -12,13 +12,16 @@ "hostname": "discourse-2", "ipaddress": "192.168.122.104", "roles": [ - "discourse" + "kosmos_discourse", + "kvm_guest" ], "recipes": [ "kosmos-base", "kosmos-base::default", + "kosmos-dirsrv::hostsfile", "kosmos_discourse", "kosmos_discourse::default", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", 
@@ -33,7 +36,7 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "kosmos-dirsrv::hostsfile", + "discourse::default", "firewall::default", "chef-sugar::default" ], @@ -54,6 +57,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[kosmos_discourse]" ] } diff --git a/nodes/drone-1.json b/nodes/drone-1.json index 5ad5474..daa2016 100644 --- a/nodes/drone-1.json +++ b/nodes/drone-1.json @@ -13,7 +13,8 @@ "ipaddress": "192.168.122.200", "roles": [ "drone", - "postgresql_client" + "postgresql_client", + "kvm_guest" ], "recipes": [ "kosmos-base", @@ -21,6 +22,7 @@ "kosmos_postgresql::hostsfile", "kosmos_drone", "kosmos_drone::default", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -53,6 +55,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[drone]" ] -} \ No newline at end of file +} diff --git a/nodes/ejabberd-8.json b/nodes/ejabberd-8.json index 9ebc158..71c7504 100644 --- a/nodes/ejabberd-8.json +++ b/nodes/ejabberd-8.json @@ -58,6 +58,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[ejabberd]" ] -} \ No newline at end of file +} diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index bbd1f0e..d9c4aa0 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -19,6 +19,7 @@ "kosmos-base", "kosmos-base::default", "kosmos_kvm::host", + "kosmos_kvm::backup", "kosmos_assets::nginx_site", "kosmos_discourse::nginx", "kosmos_drone::nginx", @@ -77,6 +78,7 @@ "run_list": [ "recipe[kosmos-base]", "recipe[kosmos_kvm::host]", + "recipe[kosmos_kvm::backup]", "role[nginx_proxy]", "role[zerotier_controller]" ] diff --git a/nodes/gitea-2.json b/nodes/gitea-2.json index ee569c7..acbfb42 100644 --- a/nodes/gitea-2.json +++ b/nodes/gitea-2.json @@ -13,7 +13,8 @@ "ipaddress": "192.168.122.189", "roles": [ "gitea", - "postgresql_client" + "postgresql_client", + "kvm_guest" ], "recipes": [ "kosmos-base", 
@@ -22,6 +23,7 @@ "kosmos_gitea", "kosmos_gitea::default", "kosmos_gitea::backup", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -57,6 +59,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[gitea]" ] -} \ No newline at end of file +} diff --git a/nodes/jitsi-meet-1.json b/nodes/jitsi-meet-1.json new file mode 100644 index 0000000..76eff64 --- /dev/null +++ b/nodes/jitsi-meet-1.json @@ -0,0 +1,55 @@ +{ + "name": "jitsi-meet-1", + "normal": { + "knife_zero": { + "host": "10.1.1.20" + } + }, + "automatic": { + "fqdn": "jitsi-meet-1", + "os": "linux", + "os_version": "5.4.0-1073-kvm", + "hostname": "jitsi-meet-1", + "ipaddress": "192.168.122.188", + "roles": [ + "kvm_guest" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[kvm_guest]" + ] +} \ No newline at end of file diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index 293bcd3..66f0d9b 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json 
@@ -8,12 +8,13 @@ "automatic": { "fqdn": "mastodon-3", "os": "linux", - "os_version": "5.4.0-1058-kvm", + "os_version": "5.4.0-1071-kvm", "hostname": "mastodon-3", "ipaddress": "192.168.122.161", "roles": [ "mastodon", - "postgresql_client" + "postgresql_client", + "kvm_guest" ], "recipes": [ "kosmos-base", @@ -22,6 +23,7 @@ "kosmos-mastodon", "kosmos-mastodon::default", "kosmos-mastodon::nginx", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -65,7 +67,6 @@ "nginx::commons_conf", "kosmos-nginx::firewall", "tor-full::default", - "poise-git::default", "git::default", "git::package", "kosmos-base::letsencrypt" @@ -86,6 +87,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[mastodon]" ] -} \ No newline at end of file +} diff --git a/nodes/nodejs-4.json b/nodes/nodejs-4.json index 4cca5ad..c974ec9 100644 --- a/nodes/nodejs-4.json +++ b/nodes/nodejs-4.json @@ -12,12 +12,14 @@ "hostname": "nodejs-4", "ipaddress": "192.168.122.106", "roles": [ + "kvm_guest", "kredits_github", "sockethub" ], "recipes": [ "kosmos-base", "kosmos-base::default", + "kosmos_kvm::guest", "kosmos-hubot::botka_irc-libera-chat", "kredits-github", "kredits-github::default", @@ -81,6 +83,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "recipe[kosmos-hubot::botka_irc-libera-chat]", "role[kredits_github]", "role[sockethub]" diff --git a/nodes/postgres-4.json b/nodes/postgres-4.json index 7cf0419..684e87d 100644 --- a/nodes/postgres-4.json +++ b/nodes/postgres-4.json @@ -12,11 +12,13 @@ "hostname": "postgres-4", "ipaddress": "192.168.122.3", "roles": [ + "kvm_guest", "postgresql_replica" ], "recipes": [ "kosmos-base", "kosmos-base::default", + "kosmos_kvm::guest", "kosmos_postgresql::hostsfile", "kosmos_postgresql::replica", "kosmos_postgresql::firewall", @@ -52,6 +54,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[postgresql_replica]" ] } \ No newline at end of file 
diff --git a/nodes/rs-discourse-1.json b/nodes/rs-discourse-1.json index 1852527..ef67953 100644 --- a/nodes/rs-discourse-1.json +++ b/nodes/rs-discourse-1.json @@ -8,17 +8,19 @@ "automatic": { "fqdn": "rs-discourse-1", "os": "linux", - "os_version": "5.4.0-1073-kvm", + "os_version": "5.4.0-1076-kvm", "hostname": "rs-discourse-1", "ipaddress": "192.168.122.30", "roles": [ - "remotestorage_discourse" + "remotestorage_discourse", + "kvm_guest" ], "recipes": [ "kosmos-base", "kosmos-base::default", "remotestorage_discourse", "remotestorage_discourse::default", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -54,6 +56,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[remotestorage_discourse]" ] -} \ No newline at end of file +} diff --git a/nodes/rsk-mainnet-2.json b/nodes/rsk-mainnet-2.json index b24ba39..5d6017a 100644 --- a/nodes/rsk-mainnet-2.json +++ b/nodes/rsk-mainnet-2.json @@ -8,17 +8,19 @@ "automatic": { "fqdn": "rsk-mainnet-2", "os": "linux", - "os_version": "5.4.0-1058-kvm", + "os_version": "5.4.0-1075-kvm", "hostname": "rsk-mainnet-2", "ipaddress": "192.168.122.208", "roles": [ - "rskj_mainnet" + "rskj_mainnet", + "kvm_guest" ], "recipes": [ "kosmos-base", "kosmos-base::default", "kosmos_rsk::rskj", "kosmos_rsk::nginx", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -65,6 +67,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[rskj_mainnet]" ] -} \ No newline at end of file +} diff --git a/nodes/rsk-testnet-3.json b/nodes/rsk-testnet-3.json index 34af5d9..e9b0cf4 100644 --- a/nodes/rsk-testnet-3.json +++ b/nodes/rsk-testnet-3.json 
@@ -8,17 +8,19 @@ "automatic": { "fqdn": "rsk-testnet-3", "os": "linux", - "os_version": "5.4.0-1058-kvm", + "os_version": "5.4.0-1075-kvm", "hostname": "rsk-testnet-3", "ipaddress": "192.168.122.231", "roles": [ - "rskj_testnet" + "rskj_testnet", + "kvm_guest" ], "recipes": [ "kosmos-base", "kosmos-base::default", "kosmos_rsk::rskj", "kosmos_rsk::nginx", + "kosmos_kvm::guest", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -65,6 +67,7 @@ }, "run_list": [ "recipe[kosmos-base]", + "role[kvm_guest]", "role[rskj_testnet]" ] -} \ No newline at end of file +} From 063e9e070ca895ef957a488e03ec1b3318eecef5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 18 Oct 2022 18:43:45 +0200 Subject: [PATCH 03/19] Add borg credentials --- data_bags/credentials/borg.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 data_bags/credentials/borg.json diff --git a/data_bags/credentials/borg.json b/data_bags/credentials/borg.json new file mode 100644 index 0000000..25b875b --- /dev/null +++ b/data_bags/credentials/borg.json 
@@ -0,0 +1,24 @@ +{ + "id": "borg", + "ssh_key": { + "encrypted_data": "znPXuD/hMY4+1eihuSx1sB/QKohd92B8/TkZd5g+J+uH1yedbeKosc+q7fJT\njlFy0ebySS5URB1O5ij4/YbulnhcNhYb5/ozf6GnhBl2VlmQD0fdE+NlSlGf\nB6nM+qbvtR9V2sAtaVaugILHy4jD/y1jBnh3VyoKtiLG9WrPe1Q5gwTxEDLi\nn7qpcamZt1D5QB+6kMpVqAmL4oV0oFervfrRcf1QyR0vriwdAMz2+iuQ6/Cq\nyRSDkuaGChrX3W8hd+WkaQaU3ak6A2Ih9iO8MIa9j75FpzCDnBl0A1WLvzeC\ngILDFT0J1eSnDhAZfpOPZxCkaGB6ueop1BwWGhtmDZns1IdKccKRhK56i7BC\nGaJv8nDYxmSq90RYZdhnmbVPCyNrbcj+Pkun+N/us7WE2mYZZTXXy0CE1WMC\n0xglisNS06ODTToD8dmv3wLqeS4yk0Ws9JypWxjUS0NGc9k/uGa5MGIBxJfm\nsi4X0ZaoxMPHmNnOCMMIC0MQE82tBtA3tM2mxd6rohgtdtpo9cxsKWW2Pu3O\nW6Wq/A3d4X/9+LbjQKe48gqCeuZXanJxniBtdm2Z08Yi30/lQRwhauGXP1FT\nyot2FVZLLdTHaDHdcaUjU8A/NJsS+DRPWT8xAk1w1jVPytQMZUrPUYbjPXTu\nhqj24Qyyxb836y23hVCNrrRJg35Mb/mHy8LEbxJ1cxoekAR8d5r+yR5UF72j\nDLg+7fEqzIoSqjFB5Ho2hemTzajxwD2d+FATxQN7C+T1LBenDE/cw0HTKV/H\nnjPvb+bLfhCVb0xdkTlFlnF4WUn32tEQhTGrXefQcSV94Go75MoegIflwNo4\nnOsEOeD9VSwRKqsJ82pjRFaGr7HovakeqE/itruvEKGKn+53Sc9xVRgnyve7\nsQ0vdbVSsH6dBQJYDgSUdNNU9PXbqRqbk3CqFpQAEaxoy6mE9oPK89Mdx9mF\no9B8G291d1GvaOSvJjvlzlWmqUCYhQLR+HTeHf+5gp1dSJRlL3b55m1x7PCC\nB4Ma6XLo9gdF/XXGfZE98vg/MJ5w0JjLYouU/v8BaHNWdrxo5MEoky246LmL\ntLY57TbfGu8HTmvScir43hevIC4JqDHJhUQrz3vmd1yFcUBgWIqEYv6guU8K\nW9cYS+LBwbKDg7uXOx93P5pgPzMZbS0aBPt0QCwIwGmhQTPba+WWh6rPwNkl\nV4HRG0TgFJ8skgKWLhEMOYC02KRT/ve+OJ1LawqIK5BsMK81KoX2Drf7Oyba\nOkekMHsA9T6woSjIBTouKIz8r09vkJe9W/0pN7Y/NtE+y+FuZlKC1peafc3x\nE4ZhNotHtyAydsB6NgxpjkBNxUsVe+DlTyGCzEis/pG2XREUniiqd5DhbPKM\nH9EkXiRrtvrmD792ca8lGfMYTNOcoLD1vRlzFmHCjE7NOKAZ4lEwZWEGnxwp\nIEJFCScdPmDxK0uqMw2DaEjlAVblg1EOcs1xG4JwOcY/aWkuslp2MrmOIh7a\nSUdlr+SBi7faEMIslG24s3noDD4DFU5CQSb0ErH6j02VsUi90QYrm9XCkfEl\n2OcbvC9KICmKEj1mxvTQLBALtyTJGXIOzPbxp/Dw2a9o/WnsWDaXhTcLGqdu\nNn3ghESEb1G+pYHJa7lJ62RSQTpRp19gpdUS8SRhqwUkceFCnuuFST3SmspU\ngpjY8xsRZ3h9fzI/ob1nan5pXnzZCf76X7bGL3DqNlpq1SkdGI5NaN7ko42u\nkPafYy6MiAU6lYvg4G4pobJu8qnGcX9Wuf4K2Jl7niOQTUDIwjyrd+1uI9S2\nn5rLmwhQFxPrT/FuLg3nYAohrnAuMDXFQ13XO0q9smaSZDXPheGdTxT4HRTE\nkN1oAv
vmhtVbBqNbKBY09Dn1khiUa3mIineJ6wuKS1buiTDlLGiSPAXhaJRB\naplbJLGjtBXSGiAuxHEb2l/G/kIa71R7Vc7h2fYzAXFbPhApllEof43cZVtM\n9kN1m2bshbAG2boD51jb9P4C9H73ICJXGDAUVvScgYAIs4YnCVFIPdmU6dP+\nd4yZTM9bxuezUI2sj6cpWcq8H9+skZjRY+J2vKH/twAaWcnxLUxKfLuUAWNy\nH63iRIAhaWfl3k6dhPbYFnsxrrch99NuMTAEyE5vykiCMg8WlCmittteGyIq\nfOs9eFaoNRkf4Qh5IrOUoPhXO/8Jw7eY3aK2bQvGuutlfxOYsFJWjK3qT7RQ\nAeyv639jDn1W3vvOlFX5+Xx8R5IZLVdElAe39y6rgw27pMZT+IJew/j5EF2j\nsinxUvARi98wW+NP8WXV5CMFXh2JnmxfTLvdsWHJlB/XyktIiJE4KaHlNIaV\nxLdKmarS3hS31DQmpB2LDGPp8QFyV9kY0gvE282A1Fs0w01pByKDcMmvr3pD\nHh40DfYt4ZTJGnLP69IKt3328KEeMlHqns22zZuAidMus1o6k4YkF1WNpZn2\nSdXVG0hcdnvRC4qKdVv+TBFuPSy68cdwPeHs612hcezoHi2pbTkM2YKDJ75m\nvqaBzdpSDcuKVovuwBt3/guHoLD2ipRM0EfZ208aKiuOuYXwGD3PPm5WKUvd\nBSiZw7p37QY6zYh0/bTN2FumftYWz7mrZL4pFIcd8m/tSlU537+TnCbPm1KT\nWFVFBonxsyhHnZC4X0YQQTZ0V9TKCGWdVUgRxZwwQ/0acxFe1j1bqVnDBxR6\nH98xnEPvEh6bHpHujwcdCKTN4AbIJcFVKuCyvl/OtzMBjUXVKOAZcRS42TvY\nkhzQXiOOKqoE29aNDtQ/VRC8s1aN6L6xCorlCcBBurMcmDdJy+r4YUrNqmEA\nZQwFecRXxwzguk6GR3m8RzY1iDRSqm+yCMqjWKx6eycV91izjXbueT45g3Hn\nSqw2cw6rowGZUEcP3vRdHyxsJSEG2kPvU9JLzgkCwUovtlbdHee2JkV9TdkF\nzEMxjA9B5mxPp5lMFj8jhHhzDmZRxpW/EUBZCkZh5SVbGeg6qTFKRS6zZPYC\nkfv0XICx154cOj0TsW4QHxTHLOV9r93HIPihZDHg2udN7JhYfwsO4RbwDQEv\nxumaM3NTGrXOBxV2vtYSoGSQOmCd8X+gXKxKtTeaV4rCm2aIGVsdfeYQTNSD\nrBxetCJdGB0DrEAr/9bJ5RS2CB9JmEa4ktMHEFTmvTqhWu4Ye2TJBC+H/yqP\nNrYQ4+5lYnZ4BuvxKBvhbH52UURqG27NwQXmFd/h3NlI5GVi5tveRO1+3F1j\ncMTgj49UCB2SNndcJDkK9z7kSBdnmtNo3m3/K9wucw9NxH7sM0yrgeQupbrU\nlgsobzoGluvBijJlp6A7qy4AoOsDGoo4gevK23CR8XN+droGY2RGWThWGuPZ\np7hsG/0f6ICQmU8ARsj/Civ9EbGe/2ZnlHafBtRhmfpZp2/Y7UxX6pmcNARB\nj8Gmr9DWiUXKUBtIkiBSTr7keRF8GuaXSc4pz1phKuAhngy7rYuMhqQr7Sw0\nJCk7cwdvZdq/erjtIh/AHJOPboUCalsLfTdMJguuocUuQr+SEg==\n", + "iv": "3uagVTqoXUcWvs9W\n", + "auth_tag": "s3wlsnLRHCI2NjC6/ZwbiQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "passphrase": { + "encrypted_data": "wzSJQ+VfZuXmqrL3xW/LxiUvF/B6EYHAQtmhrJjt2oMT1G2OEgp5\n", + "iv": "BqTyfQwKKCTOn3q3\n", + "auth_tag": 
"sh1e8UuQSrq1o5G0O5fXCA==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "repository": { + "encrypted_data": "Ezc5YMp0VM82dlq0+ikk2xZeqNHi+XETlsc2cDlFG/NxY408JO3ErPDEa9d9\nzud+jcCt/01GKqPdslGhP3jsUUb/f3kWMkTWqGkyWXV1121E0uHwyrva62NT\n5A==\n", + "iv": "QtNBUjJ5NrQS0JD7\n", + "auth_tag": "ZQImzlvHWwX1OsxMZK1jGA==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file From 7848b4d365275e535b2161da2dc1569f2177557e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 18 Oct 2022 18:44:21 +0200 Subject: [PATCH 04/19] Add jitsi-meet-1 VM --- clients/jitsi-meet-1.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 clients/jitsi-meet-1.json diff --git a/clients/jitsi-meet-1.json b/clients/jitsi-meet-1.json new file mode 100644 index 0000000..68ce055 --- /dev/null +++ b/clients/jitsi-meet-1.json @@ -0,0 +1,4 @@ +{ + "name": "jitsi-meet-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyNMD7N7s+JZM6PLlcrKN\n4jnr0jB5kU+Gr8EHtdpaBDGN5x8BahAkMuXcWfMQj4xIvUhTY4tTvDDYgcJGbrY4\ncmmt/YLX4t/OR6g2JxzIRWDBITTTlX7h5QUg10irjfPsyaU9O7lChDk4M3j5J4c2\nZFlZAar1+CeC5nwcEtNg4nL36I6bxUL5e/rEeeUGCGuqn3tAQ+GXj1G4uJYI18JQ\nhv43nIqbF+oVe5iRy58rXILd+zmbOq87cnF8O2ode44jRwtH4K0+uHTmq+83Q8Ld\n3wBZTnrQEnUDm6IuFuWfYhvNGlXAJrcmoH/wA1B5IAcuF3vhw9JY9axy+GDFszOX\nxwIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file From 6d50a32aca69f3e8e99063751b95f5bf3bc13ace Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 18 Oct 2022 18:44:53 +0200 Subject: [PATCH 05/19] Add FIXME note --- site-cookbooks/kosmos-mediawiki/recipes/default.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb index 5046629..4f24146 100644 --- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb +++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb 
@@ -165,6 +165,8 @@ end ruby_block "configuration" do block do + # FIXME This is internal Chef API and should not be used from recipes, as + # it is unsupported for that file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php") file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";}, "$wgLogo = \"$wgResourceBasePath/skins/common/images/kosmos.png\";") From a3844b7ef67c8ad6f7109a26355d3dbc63c29a4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 18 Oct 2022 18:45:17 +0200 Subject: [PATCH 06/19] WIP Add KVM host backup recipe Add a recipe that configures scripts for live backups of VM images via libvirt and borg. --- site-cookbooks/kosmos_kvm/files/backup_vm.sh | 30 ++++++++++++++ site-cookbooks/kosmos_kvm/recipes/backup.rb | 40 +++++++++++++++++++ .../templates/backup_all_vms.sh.erb | 11 +++++ 3 files changed, 81 insertions(+) create mode 100644 site-cookbooks/kosmos_kvm/files/backup_vm.sh create mode 100644 site-cookbooks/kosmos_kvm/recipes/backup.rb create mode 100644 site-cookbooks/kosmos_kvm/templates/backup_all_vms.sh.erb diff --git a/site-cookbooks/kosmos_kvm/files/backup_vm.sh b/site-cookbooks/kosmos_kvm/files/backup_vm.sh new file mode 100644 index 0000000..96dbaea --- /dev/null +++ b/site-cookbooks/kosmos_kvm/files/backup_vm.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash +# GENERATED BY CHEF +# DO NOT EDIT +set -e + +REPOSITORY=$BORG_REPO + +echo "Starting backup of VM: $1" + +echo "Dumping domain XML to /root/backups/vm_meta/$1.xml" +virsh dumpxml --migratable $1 > /root/backups/vm_meta/$1.xml + +virsh snapshot-create-as --domain $1 \ + --name hotswap.qcow2 \ + --no-metadata \ + --atomic \ + --quiesce \ + --disk-only \ + --diskspec vda,snapshot=external + +borg create -v --stats \ + $REPOSITORY::$1_$(date +%F_%H-%M) \ + /var/lib/libvirt/images/$1.qcow2 \ + /root/backups/vm_meta + +echo "Pivoting base image back to original" +virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2 + +echo "Removing snapshot image" +rm /var/lib/libvirt/images/$1.hotswap.qcow2 diff --git a/site-cookbooks/kosmos_kvm/recipes/backup.rb b/site-cookbooks/kosmos_kvm/recipes/backup.rb new file mode 100644 index 0000000..e8429b0 --- /dev/null +++ b/site-cookbooks/kosmos_kvm/recipes/backup.rb @@ -0,0 +1,40 @@ +# +# Cookbook:: kosmos_kvm +# Recipe:: backup +# + +apt_package "borgbackup" + +borg_credentials = data_bag_item("credentials", "borg") + +file "/root/.ssh/borg_rsa" do + content borg_credentials["ssh_key"] + mode '0600' +end + +bash "Add borg environment variables for bash" do + code <<-EOF + cat >>/root/.bashrc < +do + /root/backups/backup_vm.sh $domain +done From 2e2ebbcc02078aca9db51af4332bca969946cd62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 19 Oct 2022 12:23:17 +0200 Subject: [PATCH 07/19] Fix filenames for guest agent sockets --- site-cookbooks/kosmos_kvm/templates/create_vm.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_kvm/templates/create_vm.erb b/site-cookbooks/kosmos_kvm/templates/create_vm.erb index 0514f5d..7d155e0 100644 --- a/site-cookbooks/kosmos_kvm/templates/create_vm.erb +++ b/site-cookbooks/kosmos_kvm/templates/create_vm.erb 
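Review bot: Once `virsh snapshot-create-as` has put the guest on the external `hotswap.qcow2` overlay, `set -e` aborts the script if `borg create` fails, so the `virsh blockcommit --pivot` and the `rm` at the end never run: the guest keeps writing to the overlay, the base image goes stale, and the next run fails because the overlay already exists. Run the pivot and cleanup from an `EXIT` trap installed right after the snapshot succeeds, and quote every expansion of `$1` (failing fast with `${1:?...}` when no domain is given) so an empty or odd domain name cannot split the command lines. `REPOSITORY=$BORG_REPO` only copies a variable borg already reads from the environment, so the rewrite below uses `$BORG_REPO` directly.
```shell
#!/bin/bash
# GENERATED BY CHEF
# DO NOT EDIT
set -euo pipefail

DOMAIN="${1:?usage: backup_vm.sh <libvirt-domain>}"
IMAGE="/var/lib/libvirt/images/${DOMAIN}.qcow2"
OVERLAY="/var/lib/libvirt/images/${DOMAIN}.hotswap.qcow2"

echo "Starting backup of VM: $DOMAIN"

echo "Dumping domain XML to /root/backups/vm_meta/${DOMAIN}.xml"
virsh dumpxml --migratable "$DOMAIN" > "/root/backups/vm_meta/${DOMAIN}.xml"

# Merge the overlay back into the base image and drop it whether or not
# borg succeeded, so the guest never stays on the temporary snapshot.
pivot_back() {
  echo "Pivoting base image back to original"
  virsh blockcommit "$DOMAIN" vda --pivot --base="$IMAGE"
  echo "Removing snapshot image"
  rm -f "$OVERLAY"
}

virsh snapshot-create-as --domain "$DOMAIN" \
  --name hotswap.qcow2 \
  --no-metadata \
  --atomic \
  --quiesce \
  --disk-only \
  --diskspec vda,snapshot=external
trap pivot_back EXIT

borg create -v --stats \
  "${BORG_REPO}::${DOMAIN}_$(date +%F_%H-%M)" \
  "$IMAGE" \
  /root/backups/vm_meta
```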
@@ -86,6 +86,6 @@ virt-install \
   --graphics none \
   --serial pty \
   --console pty \
-  --channel unix,mode=bind,path=/var/lib/libvirt/qemu/guest01.agent,target_type=virtio,name=org.qemu.guest_agent.0 \
+  --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
   --import

From 6c8f9055c14de085d403ba38c5d988740eba37b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 19 Oct 2022 12:23:54 +0200
Subject: [PATCH 08/19] Create directories for KVM host backup files

---
 site-cookbooks/kosmos_kvm/recipes/backup.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/site-cookbooks/kosmos_kvm/recipes/backup.rb b/site-cookbooks/kosmos_kvm/recipes/backup.rb
index e8429b0..131f8c4 100644
--- a/site-cookbooks/kosmos_kvm/recipes/backup.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/backup.rb
@@ -24,6 +24,14 @@ export BORG_REPO='#{borg_credentials["repository"]}'
   not_if "grep -q BORG /root/.bashrc"
 end
 
+directory "/root/backups" do
+  mode "0750"
+end
+
+directory "/root/backups/vm_meta" do
+  mode "0750"
+end
+
 cookbook_file "/root/backups/backup_vm.sh" do
   source "backup_vm.sh"
   mode "0750"

From 82f50b0caa4b8b9ac4dea06cd008b31ed3248e79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 19 Oct 2022 12:24:10 +0200
Subject: [PATCH 09/19] Only back up domain-specific XML per archive

---
 site-cookbooks/kosmos_kvm/files/backup_vm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site-cookbooks/kosmos_kvm/files/backup_vm.sh b/site-cookbooks/kosmos_kvm/files/backup_vm.sh
index 96dbaea..9a26252 100644
--- a/site-cookbooks/kosmos_kvm/files/backup_vm.sh
+++ b/site-cookbooks/kosmos_kvm/files/backup_vm.sh
@@ -21,7 +21,7 @@ virsh snapshot-create-as --domain $1 \
 borg create -v --stats \
   $REPOSITORY::$1_$(date +%F_%H-%M) \
   /var/lib/libvirt/images/$1.qcow2 \
-  /root/backups/vm_meta
+  /root/backups/vm_meta/$1.xml
 
 echo "Pivoting base image back to original"
 virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2

From 6d765f959d848c6fc246688fd9c4686fa52ee533 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 19 Oct 2022 12:51:46 +0200
Subject: [PATCH 10/19] Fix backup VM name for ldap-3 (and potentially other guests where the name differs from the libvirt domain name)

---
 site-cookbooks/kosmos_kvm/recipes/backup.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site-cookbooks/kosmos_kvm/recipes/backup.rb b/site-cookbooks/kosmos_kvm/recipes/backup.rb
index 131f8c4..64dbd08 100644
--- a/site-cookbooks/kosmos_kvm/recipes/backup.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/backup.rb
@@ -38,7 +38,7 @@ cookbook_file "/root/backups/backup_vm.sh" do
 end
 
 # Search all guests and filter by presence on current host
-vm_domains = search(:node, "role:kvm_guest").map(&:name) \
+vm_domains = search(:node, "role:kvm_guest").map{|n| n["hostname"] } \
   & `virsh list --name`.strip.chomp.split("\n")
 
 template "/root/backups/backup_all_vms.sh" do

From 927bb635353bc503caad868d4b3977b14e4ef7ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 19 Oct 2022 16:28:07 +0200
Subject: [PATCH 11/19] Add kvm_guest role to nodes

---
 nodes/bitcoin-2.json | 3 +++
 nodes/ejabberd-4.json | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 3b80c1e..0d6d430 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
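Review bot: The `virsh list --name` backticks on the line after the changed one never check the command's exit status, so if libvirtd is not reachable during a converge the intersection is empty and `backup_all_vms.sh` is silently regenerated with no domains; `& shell_out!("virsh", "list", "--name").stdout.split("\n")` raises on failure instead and avoids a shell. The new `map{|n| n["hostname"] }` is safe for nodes lacking a `hostname` attribute, since the resulting `nil` is dropped by `&`, but it should be spaced `map { |n| n["hostname"] }` to match the surrounding style, and `.strip.chomp` is redundant because `strip` already removes the trailing newline. Note also that `virsh list --name` lists running domains only, which fits the `--quiesce` snapshot in backup_vm.sh but means a guest that happens to be shut off at converge time stays out of the backup list until the next Chef run.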
@@ -12,12 +12,14 @@
     "hostname": "bitcoin-2",
     "ipaddress": "192.168.122.148",
     "roles": [
+      "kvm_guest",
       "btcpay",
       "postgresql_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
+      "kosmos_kvm::guest",
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::source",
@@ -94,6 +96,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
+    "role[kvm_guest]",
     "recipe[tor-full]",
     "recipe[kosmos-bitcoin::source]",
     "recipe[kosmos-bitcoin::c-lightning]",
diff --git a/nodes/ejabberd-4.json b/nodes/ejabberd-4.json
index 4ce65bc..18e81cc 100644
--- a/nodes/ejabberd-4.json
+++ b/nodes/ejabberd-4.json
@@ -8,16 +8,18 @@
   "automatic": {
     "fqdn": "ejabberd-4",
     "os": "linux",
-    "os_version": "5.4.0-1051-kvm",
+    "os_version": "5.4.0-1073-kvm",
     "hostname": "ejabberd-4",
     "ipaddress": "192.168.122.39",
     "roles": [
+      "kvm_guest",
       "ejabberd",
       "postgresql_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
+      "kosmos_kvm::guest",
       "kosmos_postgresql::hostsfile",
       "kosmos-ejabberd::letsencrypt",
       "kosmos-ejabberd",
@@ -58,6 +60,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
+    "role[kvm_guest]",
     "role[ejabberd]"
   ]
 }
\ No newline at end of file

From 51163ca3a3b551c649d205df3d413eeddc2f9bf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 10:46:16 +0200
Subject: [PATCH 12/19] Whitelist Chef attributes for newer client versions

---
 .chef/config.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.chef/config.rb b/.chef/config.rb
index 0609bb3..d2935d0 100644
--- a/.chef/config.rb
+++ b/.chef/config.rb
@@ -25,6 +25,9 @@ knife[:automatic_attribute_whitelist] = %w[
   cloud_v2
   chef_packages
 ]
+
 knife[:default_attribute_whitelist] = []
-knife[:normal_attribute_whitelist] = ['knife_zero','kosmos-ejabberd']
+knife[:normal_attribute_whitelist] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']
 knife[:override_attribute_whitelist] = []
+
+knife[:allowed_normal_attributes] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']
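Review bot: In the .chef/config.rb hunk, `knife[:allowed_normal_attributes]` repeats the `normal_attribute_whitelist` list verbatim, so the two will drift the next time an attribute is added; define it once, `normal_attrs = %w[knife_zero kosmos_kvm kosmos-ejabberd]`, and assign both keys from it. Only the normal list received the newer `allowed_*` key, while `automatic_attribute_whitelist`, `default_attribute_whitelist` and `override_attribute_whitelist` keep their old names alone; if the newer clients this commit targets read the `allowed_*_attributes` names, as the subject suggests, the automatic allow-list above this hunk will not be applied by them, and the saved node objects would grow accordingly.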
From 7051cc9da8f20ba534b548be2de8246eed186ab3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 10:47:17 +0200
Subject: [PATCH 13/19] Update draco's main IP address

---
 nodes/draco.kosmos.org.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 04e75b3..b62dc83 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -10,7 +10,7 @@
     "os": "linux",
     "os_version": "5.4.0-54-generic",
     "hostname": "draco",
-    "ipaddress": "148.251.237.73",
+    "ipaddress": "148.251.237.111",
     "roles": [
 
     ],

From 374654f8fd8e0324d0bc566a9ffa11a691533f81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 10:47:46 +0200
Subject: [PATCH 14/19] Update chef/ohai on hosts

---
 nodes/draco.kosmos.org.json | 8 ++++----
 nodes/fornax.kosmos.org.json | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index b62dc83..3e6e9bb 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -50,12 +50,12 @@
     "cloud": null,
     "chef_packages": {
       "ohai": {
-        "version": "15.9.1",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.9.1/lib/ohai"
+        "version": "15.12.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
       },
       "chef": {
-        "version": "15.11.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.11.8/lib"
+        "version": "15.17.4",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib"
       }
     }
   },
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index d9c4aa0..d0ecedc 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -70,8 +70,8 @@ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" }, "chef": { - "version": "15.14.0", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib" + "version": "15.17.4", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib" } } }, From a5b2eb5f97a9360e933cc79c59739dca569ebbb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 21 Oct 2022 10:49:02 +0200 Subject: [PATCH 15/19] Move borg credentials to a separate file To be used from a service --- site-cookbooks/kosmos_kvm/recipes/backup.rb | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/recipes/backup.rb b/site-cookbooks/kosmos_kvm/recipes/backup.rb index 64dbd08..8c97576 100644 --- a/site-cookbooks/kosmos_kvm/recipes/backup.rb +++ b/site-cookbooks/kosmos_kvm/recipes/backup.rb @@ -12,16 +12,24 @@ file "/root/.ssh/borg_rsa" do mode '0600' end -bash "Add borg environment variables for bash" do +file "/root/.borg_credentials.env" do + content <<-EOF +BORG_RSH='ssh -i /root/.ssh/borg_rsa' +BORG_PASSPHRASE=#{borg_credentials["passphrase"]} +BORG_REPO='#{borg_credentials["repository"]}' + EOF +end + +bash "Load borg credentials in console sessions" do code <<-EOF cat >>/root/.bashrc < Date: Fri, 21 Oct 2022 10:49:30 +0200 Subject: [PATCH 16/19] Remove verbose stats outout from backup script --- site-cookbooks/kosmos_kvm/files/backup_vm.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/files/backup_vm.sh b/site-cookbooks/kosmos_kvm/files/backup_vm.sh index 9a26252..33a259b 100644 --- a/site-cookbooks/kosmos_kvm/files/backup_vm.sh +++ b/site-cookbooks/kosmos_kvm/files/backup_vm.sh 
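Review bot: In the backup.rb hunk, `file "/root/.borg_credentials.env"` writes `BORG_PASSPHRASE` to disk with no `mode`, so a freshly created file gets the default umask permissions rather than the owner-only mode the adjacent `/root/.ssh/borg_rsa` resource sets explicitly; add `mode "0600"` and `sensitive true` so the passphrase is neither readable beyond root's own directory protection nor printed in Chef's converge diff (the `borg_rsa` resource, whose `content` is a private key, would benefit from `sensitive true` as well). `BORG_PASSPHRASE=#{borg_credentials["passphrase"]}` is also the only unquoted value in the env file; quoting it like the other two keeps systemd's EnvironmentFile parsing intact should the passphrase ever contain whitespace. The tail of this hunk (the `.bashrc` heredoc) is not legible in this view, so I could not check whether the passphrase is still appended to `/root/.bashrc` in plain text as the earlier version did.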
@@ -18,8 +18,7 @@ virsh snapshot-create-as --domain $1 \
   --disk-only \
   --diskspec vda,snapshot=external
 
-borg create -v --stats \
-  $REPOSITORY::$1_$(date +%F_%H-%M) \
+borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
   /var/lib/libvirt/images/$1.qcow2 \
   /root/backups/vm_meta/$1.xml
 

From 61710aa4a4da06e9e53abc82af89328762cecccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 10:50:04 +0200
Subject: [PATCH 17/19] Set up systemd service and timer for backups

---
 nodes/draco.kosmos.org.json | 5 +++
 nodes/fornax.kosmos.org.json | 5 +++
 .../kosmos_kvm/attributes/default.rb | 3 ++
 site-cookbooks/kosmos_kvm/recipes/backup.rb | 36 +++++++++++++++++++
 4 files changed, 49 insertions(+)

diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 3e6e9bb..8a09ead 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -3,6 +3,11 @@
   "normal": {
     "knife_zero": {
       "host": "10.1.1.167"
+    },
+    "kosmos_kvm": {
+      "backup": {
+        "schedule": "0/3:45"
+      }
     }
   },
   "automatic": {
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index d0ecedc..ba22c12 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -3,6 +3,11 @@
   "normal": {
     "knife_zero": {
       "host": "10.1.1.147"
+    },
+    "kosmos_kvm": {
+      "backup": {
+        "schedule": "0/3:00"
+      }
     }
   },
   "automatic": {
diff --git a/site-cookbooks/kosmos_kvm/attributes/default.rb b/site-cookbooks/kosmos_kvm/attributes/default.rb
index d20a34b..dc2b563 100644
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@@ -5,3 +5,6 @@ node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
   "checksum" => "6db74917f85146569cb6ae89e1d163ac6d1e488a7f32bc74761ec6d1869c714f",
   "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
 }
+
+# A systemd.timer OnCalendar config value
+node.default["kosmos_kvm"]["backup"]["schedule"] = "daily"
diff --git a/site-cookbooks/kosmos_kvm/recipes/backup.rb b/site-cookbooks/kosmos_kvm/recipes/backup.rb
index 8c97576..e7e7f49 100644
--- a/site-cookbooks/kosmos_kvm/recipes/backup.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/backup.rb
@@ -54,3 +54,39 @@ template "/root/backups/backup_all_vms.sh" do
   mode '0750'
   variables vm_domains: vm_domains
 end
+
+systemd_unit "backup-libvirt-guests.service" do
+  content({
+    Unit: {
+      Description: "Back up libvirt guest images and metadata",
+      Wants: "network.target"
+    },
+    Service: {
+      Type: "oneshot",
+      EnvironmentFile: "/root/.borg_credentials.env",
+      ExecStart: "/root/backups/backup_all_vms.sh",
+      SyslogIdentifier: "backup-libvirt-guests",
+      Restart: "no"
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create]
+end
+
+systemd_unit "backup-libvirt-guests.timer" do
+  content({
+    Unit: {
+      Description: "Back up libvirt guest images and metadata",
+    },
+    Timer: {
+      OnCalendar: node["kosmos_kvm"]["backup"]["schedule"]
+    },
+    Install: {
+      WantedBy: "timers.target"
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable, :start]
+end

From 1afc3a5de567c0d0887c601334af596a4c88a840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 21 Oct 2022 13:37:38 +0200
Subject: [PATCH 18/19] Block outgoing traffic to local networks by default

Some software, e.g. go-ipfs, is rather aggressive in scanning local networks for peers, which can trigger abuse reports and IP locks in the data center.
---
 site-cookbooks/kosmos_kvm/recipes/host.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb
index 5e7776f..702451a 100644
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
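Review bot: The `backup-libvirt-guests.timer` unit has no `Persistent: true`, so a run missed while the host is down (or while the timer is being created past its scheduled instant) is never caught up; for a backup timer that is usually wanted: `Timer: { OnCalendar: node["kosmos_kvm"]["backup"]["schedule"], Persistent: true }`. In the service unit, `Wants: "network.target"` only pulls the target in and does not order the oneshot after connectivity exists; since borg is driven over SSH here, `After: "network-online.target"` together with `Wants: "network-online.target"` is the documented form for units that need the network up. `Restart: "no"` is the default for a oneshot and can be dropped, and the two units currently share one `Description`, so journal entries for the timer and the service read the same.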
@@ -32,3 +32,19 @@ firewall_rule 'ssh-alt-port' do
   protocol :tcp
   command :allow
 end
+
+%w{
+  10.0.0.0/8
+  172.16.0.0/12
+  192.168.0.0/16
+  100.64.0.0/10
+}.each do |ip|
+  firewall_rule "unauthorized-private-network-#{ip}" do
+    interface "enp35s0"
+    destination ip
+    direction :out
+    protocol :none
+    command :deny
+    logging :connections
+  end
+end

From 58e6e7de034c4745ba66e03de4b3173460a44e2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sat, 22 Oct 2022 13:03:16 +0200
Subject: [PATCH 19/19] Remove ufw logs

Just added them to check the blocking for a while
---
 site-cookbooks/kosmos_kvm/recipes/host.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb
index 702451a..4e833e2 100644
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -45,6 +45,5 @@ end
     direction :out
     protocol :none
     command :deny
-    logging :connections
   end
 end
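Review bot: `interface "enp35s0"` is hard-coded in a recipe that runs on every KVM host (fornax's run_list includes `recipe[kosmos_kvm::host]`), so a host whose uplink has a different NIC name silently gets a rule that matches nothing; read it from an attribute with this value as the default, e.g. `interface node["kosmos_kvm"]["host"]["public_interface"]`, alongside the existing `node.default["kosmos_kvm"]["host"]` keys. Since the commit message attributes the scanning to software running on guests, also confirm that these `direction :out` rules catch the guests' NATed traffic: ufw places plain `out` rules in its OUTPUT chain, while forwarded packets traverse FORWARD and are governed by ufw `route` rules, so the deny may only cover the host's own connections. If the same concern applies, link-local `169.254.0.0/16` is the one reserved range missing from the `%w{}` list.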