Merge branch 'master' of github.com:Manevolent/lixonet-ee into wireguard

# Conflicts:
#	install.sh
This commit is contained in:
Manevolent 2021-09-21 14:52:43 -06:00
commit d14eafe578
No known key found for this signature in database
GPG Key ID: 2E9B7592DFA4F344
4 changed files with 47 additions and 20 deletions

View File

@ -4,12 +4,48 @@ This is the semi-official, testing Lixonet EE repository.
Custom configurations should be supplied in a `lixonet.conf` file in the `name=value` format, such as your subnet. Additionally, a tinc keypair is also be required.
# Setup, Installation, and Updating
#### Prerequisites/Setup:
1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it. You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters. If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
4. Clone this repository: `git clone <url>`
5. `mkdir /etc/lixonet/(mesh)/` where `(mesh)` is something like `teamlixo` if you're planning to use `teamlixo.mesh`.
6. Fill out `/etc/lixonet/(mesh)/lixonet.conf` (see: **Configuration options**)
7. Supply `/etc/lixonet/(mesh)/tinc.key` (see: **Generating keypairs for tinc**)
8. Supply `/etc/lixonet/id_rsa` and `/etc/lixonet/(mesh)/id_rsa` for each mesh you'll be connected to (see: **Generating SSH keys**). Remember each id_rsa is unique!
9. Supply `/etc/lixonet/known_hosts` (see: **Setting `known_hosts`**)
**Generating keypairs for tinc (`tinc.key`)**:
Source: https://www.tinc-vpn.org/documentation/Generating-keypairs.html
Run: `tincd -n lixonet -K`
**Generating SSH keys (`id_rsa`)**:
1. I recommend PuTTYgen (https://www.puttygen.com/) on Windows, ssh-genkey on Linux.
2. Generate at least **two** keys. One will be for `lixonet-ee`, one will be for whichever repositories you're a part of (i.e. `teamlixo.mesh`).
3. Share the public keys (starting with something like `ssh-rsa`) with the repository owner(s) listed below so they can add a "Deploy key" to the repository for you.
**Setting `known_hosts`**
For GitHub, at this time the contents would be:
```
|1|hW/UPBCtfR0M/2GejxakBvoqGNY=|DXk4SRaJXzawNdHyBe9mrxvWYvk= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
```
Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
#### Install/Update:
1. Read and follow the prerequisites above and make sure you are ready to install.
2. Clone or navigate to a cloned repository folder you already have.
3. Run `chmod +x install.sh && ./install.sh`
4. Enjoy!
# Configuration options
#### Location
@ -146,22 +182,11 @@ These settings are optional, and are already defaulted to general network common
* `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to. Defaults to the value of `internal_gateway`, which is proper in most if not all cases. Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
* `tld`: The network-wide TLD to use. Defaults to `lixo`.
#### Wireguard options
# Setup, Installation, and Updating
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.
#### Prerequisites/Setup:
1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it. You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters. If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
4. Clone this repository: `git clone <url>`
5. `mkdir /etc/lixonet/(mesh)/`
6. Fill out `/etc/lixonet/(mesh)lixonet.conf` (see: **Configuration options**)
7. Supply `/etc/lixonet/(mesh)/tinc.key`
#### Install/Update:
You should **no longer** need to run `build.sh` directly. Instead, use a "self-configuring" Docker container to make your life easier.
1. Clone or navigate to a cloned repository folder you already have.
2. Run `git clean -f -d && git reset --hard && git pull origin master && docker build -t lixonet-ee . && docker run --rm -it -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /var/run/docker.sock:/var/run/docker.sock lixonet-ee`
* `wg_key`: The private key to use for the Wireguard peering point
* `wg_address`: The address to assign to Wireguard, should be unique.
* `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.

View File

@ -8,7 +8,6 @@
- NETNAME=${netname}
- TZ=America/Denver
- SERVERPORT=${wg_port:-51820}
- INTERNAL_SUBNET=${wg_subnet}
- ALLOWEDIPS=${network_address}/${global_prefix:-16}
cap_add:
- NET_ADMIN

View File

@ -39,12 +39,14 @@ chmod -R a+X /etc/wireguard/
echo "Setting exclusive read access to SSH keys."
chmod -v 400 /etc/lixonet/id_rsa
chmod -v 400 /etc/lixonet/*/id_rsa
chmod -v 400 /etc/lixonet/known_hosts
stat /etc/lixonet/id_rsa
stat /etc/lixonet/*/id_rsa
stat /etc/lixonet/known_hosts
echo "Enabling write access to /etc/lixonet/version."
touch /etc/lixonet/version
chmod 660 /etc/lixonet/version
stat /etc/lixonet/version
docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/wireguard:/etc/wireguard/ -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee

3
run.sh
View File

@ -32,6 +32,7 @@ do
continue
fi
git reset --hard >> $log 2>&1
git checkout $latest_commit >> $log 2>&1
if [ $? -ne 0 ]; then
echo "Git checkout failed. For more details, see $log"
@ -53,4 +54,4 @@ do
fi
)
sleep $delay
done
done