This work is deprecated, and this repo has been archived.
Infrastructure for the dweb.link IPFS gateway
- base
- inventory
- anycast
- addresses
- bird
- bird_exporter
- vpn
- wireguard
- topology
- openvpn
- wireguard_exporter
- openvpn_exporter
- cluster
- docker
- consul
- nomad
- consul_exporter
- nomad_exporter
- telemetry
- prometheus
- grafana
- logstash
- node_exporter
- logstash_exporter
- gateway
- go-ipfs
- consul-template
- caddy (tls termination) + caddy-tlsconsul
- caddy_exporter
- storage
- ipfs-cluster
- pinbot
Q: the change i made isn't triggering anything A: look into the code for the module and resource, and add a respective trigger A2: terraform taint command
Q: dns records of the private network don't work
A: use 8.8.8.8, or configure dnsmasq with domain-rebind-ok=/dweblink.net/
(/etc/NetworkManager/dnsmasq.d/rebind.conf)
- TF_VAR_use_public_ipv4s=true terraform apply -target=module.inventory
- TF_VAR_use_public_ipv4s=true terraform apply -target=module.wireguard
- TF_VAR_use_public_ipv4s=true terraform apply -target=module.openvpn
- terraform apply -parallelism=1
- for s in $(terraform state list | grep vultr_server); do terraform state show "$s" | grep -P 'ipv4_address|hostname'; echo ---; done
- use terraform 0.10.2 for now
- https://github.com/gruntwork-io/terragrunt
- https://news.ycombinator.com/item?id=14539814
- https://blog.gruntwork.io/how-to-use-terraform-as-a-team-251bc1104973
networking issues
- remote state is over vpn, so it's tricky to do changes that interrupt vpn connectivity (e.g. openvpn module)
- make it so bootstrap mode fixes that, e.g. when bootstrap then use local state only
- each consul agent (:8500) is exposed to the whole vpn
- containers can access vpn through host
- ssh (:22) is publicly exposed
- each module does its own firewall setup (ufw) so the inventory module can overwrite others
- could have firewall module which grabs rules from each module and applies them
-
ipv6
-
client isolation
-
dns
-
security
-
generate config:
docker run -it -v $(pwd)/secrets/openvpn-data:/etc/openvpn kylemanna/openvpn:2.4 ovpn_genconfig -u udp://vpn.dweblink.net
-
generate pki:
docker run -it -v $(pwd)/secrets/openvpn-data:/etc/openvpn -e EASYRSA_KEY_SIZE=4096 kylemanna/openvpn:2.4 ovpn_initpki
-
generate client:
docker run -it -v $(pwd)/secrets/openvpn-data:/etc/openvpn -e EASYRSA_KEY_SIZE=4096 kylemanna/openvpn:2.4 easyrsa build-client-full $CLIENTNAME nopass
-
get client config:
docker run -it -v $(pwd)/secrets/openvpn-data:/etc/openvpn kylemanna/openvpn:2.4 ovpn_getclient $CLIENTNAME
-
sudo chown -R user:user secrets/openvpn-data/