miaou
/
miaou-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

fix set raw.dnsmasq breaks nftables

main
pvincent 1 year ago
parent
8a65146071
commit
fd86ed4837
12 changed files with 31 additions and 50 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      recipes/cagettepei/crud.sh
  2. 2
      recipes/discourse/crud.sh
  3. 31
      recipes/dmz/install.sh
  4. 2
      recipes/dolibarr/crud.sh
  5. 4
      recipes/odoo12/crud.sh
  6. 4
      recipes/odoo15/crud.sh
  7. 2
      recipes/postgresql/install.sh
  8. 4
      recipes/wordpress/crud.sh
  9. 2
      scripts/lxc-miaou-enable-ssh
  10. 4
      scripts/lxd-restart-dnsmasq
  11. 14
      scripts/miaou
  12. 6
      templates/nftables/nat.table.j2

4
recipes/cagettepei/crud.sh
View File

@ -33,9 +33,9 @@ function _create() {
APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/cagettepei/cagettepei-host.j2" -o "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/cagettepei/cagettepei-host.j2" -o "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
echo "creating templates ... OK" echo "creating templates ... OK"
echo "copying files over container <$container> ... "
echo "copying files to container <$container> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$container/etc/apache2/sites-available/$longname.conf" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$container/etc/apache2/sites-available/$longname.conf"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
if ! (db-maria list | grep -q "$longname"); then if ! (db-maria list | grep -q "$longname"); then
echo "create empty database <$longname> ... " echo "create empty database <$longname> ... "

2
recipes/discourse/crud.sh
View File

@ -28,7 +28,7 @@ function _create() {
echo "copying files to container <$container> ... " echo "copying files to container <$container> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/discourse/$longname.yml" "$container/var/discourse/containers/$longname.yml" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/discourse/$longname.yml" "$container/var/discourse/containers/$longname.yml"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
if ! (db-psql list | grep -q "$longname"); then if ! (db-psql list | grep -q "$longname"); then
echo "create empty database <$longname> ... " echo "create empty database <$longname> ... "

31
recipes/dmz/install.sh
View File

@ -64,7 +64,7 @@ function install() {
lxc exec "$CONTAINER" -- bash <<EOF lxc exec "$CONTAINER" -- bash <<EOF
set -Eeuo pipefail set -Eeuo pipefail
apt-get update && apt-get dist-upgrade -y apt-get update && apt-get dist-upgrade -y
apt-get install -y nftables nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
apt-get install -y nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
echo "registering with your default credential email <$credential_email>" echo "registering with your default credential email <$credential_email>"
certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!" certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
@ -80,37 +80,10 @@ EOF
echo "copying Nginx banner to container <$CONTAINER> ... " echo "copying Nginx banner to container <$CONTAINER> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
echo "copying files over container <$CONTAINER> ... OK"
echo "copying files to container <$CONTAINER> ... OK"
else else
echo "no Nginx banner on PROD!" echo "no Nginx banner on PROD!"
fi fi
echo "populate nftables entries into yaml"
local wan_interface dmz_ip
wan_interface=$(ip route show default | cut -d ' ' -f5)
dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i
local nftables_reloading=false
if [[ "$TARGET" != "dev" ]]; then
mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
echo "nat http/s port to dmz"
tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null
sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
nftables_reloading=true
else
if [[ -f /etc/nftables.rules.d/nat.table ]]; then
sudo_required "remove previous nat.table"
sudo rm -f /etc/nftables.rules.d/nat.table
nftables_reloading=true
fi
fi
if [[ "$nftables_reloading" == true ]]; then
sudo_required "reload nftables"
sudo systemctl reload nftables.service
fi
} }
# MAIN # MAIN

2
recipes/dolibarr/crud.sh
View File

@ -64,7 +64,7 @@ EOF
echo "copying configuration files to container <$container>... " echo "copying configuration files to container <$container>... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/dolibarr/$shortname/host.conf" "$container/etc/nginx/sites-available/$longname.conf" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/dolibarr/$shortname/host.conf" "$container/etc/nginx/sites-available/$longname.conf"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
if ! (db-psql list | grep -q "$longname"); then if ! (db-psql list | grep -q "$longname"); then
echo "create empty database <$longname> ... " echo "create empty database <$longname> ... "

4
recipes/odoo12/crud.sh
View File

@ -34,10 +34,10 @@ function _create() {
APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo12/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" >/dev/null APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo12/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" >/dev/null
echo "creating templates ... OK" echo "creating templates ... OK"
echo "copying files over container <$container> ... "
echo "copying files to container <$container> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$shortname.conf" "$container/etc/odoo12/$shortname.conf" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$shortname.conf" "$container/etc/odoo12/$shortname.conf"
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" "$container/etc/systemd/system/$longname.service" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" "$container/etc/systemd/system/$longname.service"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
if ! (db-psql list | grep -q "$longname"); then if ! (db-psql list | grep -q "$longname"); then
echo "create empty database <$longname> ... " echo "create empty database <$longname> ... "

4
recipes/odoo15/crud.sh
View File

@ -34,10 +34,10 @@ function _create() {
APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo15/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" >/dev/null APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo15/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" >/dev/null
echo "creating templates ... OK" echo "creating templates ... OK"
echo "copying files over container <$container> ... "
echo "copying files to container <$container> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$shortname.conf" "$container/etc/odoo15/$shortname.conf" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$shortname.conf" "$container/etc/odoo15/$shortname.conf"
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" "$container/etc/systemd/system/$longname.service" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" "$container/etc/systemd/system/$longname.service"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
echo "create data folder for $shortname" echo "create data folder for $shortname"
cat <<EOF | lxc_exec "$container" cat <<EOF | lxc_exec "$container"

2
recipes/postgresql/install.sh
View File

@ -45,7 +45,7 @@ function install() {
systemctl restart postgresql.service systemctl restart postgresql.service
EOF EOF
echo -n "copying <autopostgresqlbackup> files over container <$CONTAINER> ... "
echo -n "copying <autopostgresqlbackup> files to container <$CONTAINER> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/script" "$CONTAINER/usr/sbin/autopostgresqlbackup" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/script" "$CONTAINER/usr/sbin/autopostgresqlbackup"
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/cron.daily" "$CONTAINER/etc/cron.daily/autopostgresqlbackup" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/cron.daily" "$CONTAINER/etc/cron.daily/autopostgresqlbackup"
lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/default.conf" "$CONTAINER/etc/default/autopostgresqlbackup" lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/default.conf" "$CONTAINER/etc/default/autopostgresqlbackup"

4
recipes/wordpress/crud.sh
View File

@ -32,9 +32,9 @@ function _create() {
APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/wordpress/wp-host.j2" -o "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/wordpress/wp-host.j2" -o "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
echo "creating templates ... OK" echo "creating templates ... OK"
echo "copying files over container <$container> ... "
echo "copying files to container <$container> ... "
lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$container/etc/nginx/sites-available/$longname.conf" lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$container/etc/nginx/sites-available/$longname.conf"
echo "copying files over container <$container> ... OK"
echo "copying files to container <$container> ... OK"
if ! (db-maria list | grep -q "$longname"); then if ! (db-maria list | grep -q "$longname"); then
echo "create empty database <$longname> ... " echo "create empty database <$longname> ... "

2
scripts/lxc-miaou-enable-ssh
View File

@ -54,7 +54,7 @@ EOF
echo -n "building template for sshd_config..." echo -n "building template for sshd_config..."
USERS=${previous_users[*]} tera -e --env-key env -t "$MIAOU_BASEDIR/templates/dev-container-ssh/sshd_config.j2" -o "/tmp/sshd_config" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" >/dev/null USERS=${previous_users[*]} tera -e --env-key env -t "$MIAOU_BASEDIR/templates/dev-container-ssh/sshd_config.j2" -o "/tmp/sshd_config" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" >/dev/null
echo 'OK' echo 'OK'
echo -n "copying sshd_config over container <$CONTAINER> ... "
echo -n "copying sshd_config to container <$CONTAINER> ... "
lxc file push --uid 0 --gid 0 "/tmp/sshd_config" "$CONTAINER/etc/ssh/sshd_config" &>/dev/null lxc file push --uid 0 --gid 0 "/tmp/sshd_config" "$CONTAINER/etc/ssh/sshd_config" &>/dev/null
echo 'OK' echo 'OK'
lxc exec "$CONTAINER" -- systemctl reload sshd.service lxc exec "$CONTAINER" -- systemctl reload sshd.service

4
scripts/lxd-restart-dnsmasq
View File

@ -10,3 +10,7 @@ function restart_dnsmasq() {
## MAIN ## MAIN
. "$MIAOU_BASEDIR/lib/init.sh" . "$MIAOU_BASEDIR/lib/init.sh"
restart_dnsmasq restart_dnsmasq
echo "WARNING: restarting dnsmasq may break your NFT ruleset!"
echo "You should reload NFTables as well..."
echo "sudo systemctl reload nftables.service"

14
scripts/miaou
View File

@ -165,6 +165,8 @@ function expand_conf() {
function build_routes() { function build_routes() {
PREFIX="miaou:routes" PREFIX="miaou:routes"
mkdir -p "$MIAOU_CONFIGDIR/dnsmasq"
mapfile -t fqdns < <(yqm '.expanded.services[].fqdn') mapfile -t fqdns < <(yqm '.expanded.services[].fqdn')
echo "found <${#fqdns[@]}> fqdn" echo "found <${#fqdns[@]}> fqdn"
raw_dnsmasq='' raw_dnsmasq=''
@ -174,7 +176,17 @@ function build_routes() {
echo "re-routing any connection from <$i> to internal container <$DMZ_CONTAINER.lxd>" echo "re-routing any connection from <$i> to internal container <$DMZ_CONTAINER.lxd>"
done done
builtin echo -e "$raw_dnsmasq" >"$MIAOU_CONFIGDIR/dnsmasq/raw.new"
lxc network get $BRIDGE raw.dnsmasq | head -n-1 >"$MIAOU_CONFIGDIR/dnsmasq/raw.old"
if ! diff -q "$MIAOU_CONFIGDIR/dnsmasq/raw.old" "$MIAOU_CONFIGDIR/dnsmasq/raw.new"; then
echo "reload dnsmasq"
builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq - builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
echo "reload nftables"
sudo systemctl reload nftables.service
else
echo "no changes"
fi
} }
function build_dmz_certbot { function build_dmz_certbot {
@ -548,10 +560,8 @@ if check_expand_conf; then
check_resolv_conf check_resolv_conf
build_nftables build_nftables
prepare_containers prepare_containers
DMZ_CONTAINER=$(get_unique_container_dmz) DMZ_CONTAINER=$(get_unique_container_dmz)
build_dmz_reverseproxy build_dmz_reverseproxy
DMZ_IP=$(get_dmz_ip) DMZ_IP=$(get_dmz_ip)
build_services build_services
build_dmz_certbot build_dmz_certbot

6
templates/nftables/nat.table.j2
View File

@ -1,6 +0,0 @@
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
iif "{{ nftables.wan_interface }}" tcp dport { 80, 443 } dnat to {{ nftables.dmz_ip }}
}
}
Write Preview
Loading…
Cancel
Save