Merge branch 'master' of github.com:Manevolent/lixonet-ee into wireguard
# Conflicts:
#	install.sh
commit
d14eafe578
59
README.md
@ -4,12 +4,48 @@ This is the semi-official, testing Lixonet EE repository.
Custom configurations should be supplied in a `lixonet.conf` file in the `name=value` format, such as your subnet. Additionally, a tinc keypair is also be required.
# Setup, Installation, and Updating
#### Prerequisites/Setup:
1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it. You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters. If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
4. Clone this repository: `git clone <url>`
5. `mkdir /etc/lixonet/(mesh)/` where `(mesh)` is something like `teamlixo` if you're planning to use `teamlixo.mesh`.
6. Fill out `/etc/lixonet/(mesh)/lixonet.conf` (see: **Configuration options**)
7. Supply `/etc/lixonet/(mesh)/tinc.key` (see: **Generating keypairs for tinc**)
8. Supply `/etc/lixonet/id_rsa` and `/etc/lixonet/(mesh)/id_rsa` for each mesh you'll be connected to (see: **Generating SSH keys**). Remember each id_rsa is unique!
9. Supply `/etc/lixonet/known_hosts` (see: **Setting `known_hosts`**)
**Generating keypairs for tinc (`tinc.key`)**:
Source: https://www.tinc-vpn.org/documentation/Generating-keypairs.html
Run: `tincd -n lixonet -K`
**Generating SSH keys (`id_rsa`)**:
1. I recommend PuTTYgen (https://www.puttygen.com/) on Windows, ssh-genkey on Linux.
2. Generate at least **two** keys. One will be for `lixonet-ee`, one will be for whichever repositories you're a part of (i.e. `teamlixo.mesh`).
3. Share the public keys (starting with something like `ssh-rsa`) with the repository owner(s) listed below so they can add a "Deploy key" to the repository for you.
**Setting `known_hosts`**
For GitHub, at this time the contents would be:
```
|1|hW/UPBCtfR0M/2GejxakBvoqGNY=|DXk4SRaJXzawNdHyBe9mrxvWYvk= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
```
Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
#### Install/Update:
1. Read and follow the prerequisites above and make sure you are ready to install.
2. Clone or navigate to a cloned repository folder you already have.
3. Run `chmod +x install.sh && ./install.sh`
4. Enjoy!
# Configuration options
#### Location
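Review bot: step 1 under "Generating SSH keys" names `ssh-genkey`, but the OpenSSH tool is `ssh-keygen`, so a reader who copies the name gets "command not found"; suggest `ssh-keygen -t rsa -f id_rsa` or similar in the text. Two smaller points in the same hunk: step 3's `sysctl -w net.ipv4.ip_forward=1` does not survive a reboot, while step 2 explicitly asks for a reboot afterwards, so the setting should also go into `/etc/sysctl.conf` (or a drop-in under `/etc/sysctl.d/`); and the `known_hosts` block pins a single `ssh-rsa` entry with only an "at this time" caveat, so the text should tell users to check the fingerprint against the linked GitHub page before pasting it, and that a stale entry will show up as a host key verification failure on the first `git pull` rather than as a silent problem.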
@ -146,22 +182,11 @@ These settings are optional, and are already defaulted to general network common
* `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to. Defaults to the value of `internal_gateway`, which is proper in most if not all cases. Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
* `tld`: The network-wide TLD to use. Defaults to `lixo`.
#### Wireguard options
# Setup, Installation, and Updating
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.
#### Prerequisites/Setup:
1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it. You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters. If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
4. Clone this repository: `git clone <url>`
5. `mkdir /etc/lixonet/(mesh)/`
6. Fill out `/etc/lixonet/(mesh)lixonet.conf` (see: **Configuration options**)
7. Supply `/etc/lixonet/(mesh)/tinc.key`
#### Install/Update:
You should **no longer** need to run `build.sh` directly. Instead, use a "self-configuring" Docker container to make your life easier.
1. Clone or navigate to a cloned repository folder you already have.
2. Run `git clean -f -d && git reset --hard && git pull origin master && docker build -t lixonet-ee . && docker run --rm -it -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /var/run/docker.sock:/var/run/docker.sock lixonet-ee`
* `wg_key`: The private key to use for the Wireguard peering point
* `wg_address`: The address to assign to Wireguard, should be unique.
* `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
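Review bot: the "#### Wireguard options" heading is followed by a second "# Setup, Installation, and Updating" block (prerequisites plus an older Install/Update section that still tells the user to run `docker build` by hand), and the three `wg_*` bullets this heading is for only appear after it; this reads like a merge leftover rather than intended structure, since the first hunk already carries the current setup text at the top of the file. Suggest moving `wg_key`, `wg_address` and `wg_prefix` directly under the heading and dropping the duplicated block. If any of it is meant to stay, step 6 needs the missing slash (`/etc/lixonet/(mesh)/lixonet.conf`), and the `docker run` line should say that mounting `/var/run/docker.sock` hands the container control of the host Docker daemon, so the image must be trusted to the same degree as root on the host. Also worth a sentence: `wg_key` is a private key kept in plain `name=value` form in `lixonet.conf`, so that file deserves the same `chmod 400` treatment the install script gives the `id_rsa` files.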
@ -8,7 +8,6 @@
- NETNAME=${netname}
- TZ=America/Denver
- SERVERPORT=${wg_port:-51820}
- INTERNAL_SUBNET=${wg_subnet}
- ALLOWEDIPS=${network_address}/${global_prefix:-16}
cap_add:
- NET_ADMIN
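Review bot: `INTERNAL_SUBNET=${wg_subnet}` is the only expansion in this block without a fallback, so an unset `wg_subnet` silently becomes an empty value while `SERVERPORT` and `ALLOWEDIPS` keep working; suggest `${wg_subnet:?wg_subnet must be set in lixonet.conf}` so the failure is loud and named, and the same `:?` guard for `network_address`. The README above documents `wg_prefix` (default 32) but nothing documents `wg_port`, `wg_subnet` or `global_prefix` used here; at minimum the `/16` default in `ALLOWEDIPS=${network_address}/${global_prefix:-16}` should be stated in the Wireguard options list, since it decides how much of the network is routed to the peer. `TZ=America/Denver` is hard-coded where every other value is a variable; `${TZ:-UTC}` would be consistent. With the rendering here dropping the `+`/`-` markers it is not visible which of the seven original lines was removed, so the commit message could say.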
@ -39,12 +39,14 @@ chmod -R a+X /etc/wireguard/
echo "Setting exclusive read access to SSH keys."
chmod -v 400 /etc/lixonet/id_rsa
chmod -v 400 /etc/lixonet/*/id_rsa
chmod -v 400 /etc/lixonet/known_hosts
stat /etc/lixonet/id_rsa
stat /etc/lixonet/*/id_rsa
stat /etc/lixonet/known_hosts
echo "Enabling write access to /etc/lixonet/version."
touch /etc/lixonet/version
chmod 660 /etc/lixonet/version
stat /etc/lixonet/version
docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/wireguard:/etc/wireguard/ -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
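Review bot: the two `docker build -t lixonet-ee . && docker run --restart always -d ...` lines at the end of this hunk are both sides of the `install.sh` conflict named in the commit message, kept back to back instead of resolved. As written the first command starts a container named `lixonet-ee` with the `/etc/wireguard` mount, then the second builds again and starts an unnamed second container with `--restart always` over the same `/etc/tinc`, `/etc/bird`, `/etc/bind` and `/etc/lixonet` directories and the same SSH key mounts, so two instances will fight over one set of state and both survive reboots. Keep only the first (wireguard) line. Two smaller points: the `chmod -v 400` lines protect `id_rsa` and `known_hosts` but not `/etc/lixonet/*/lixonet.conf`, which per the README holds `wg_key`; and the `stat` calls after each `chmod` print the mode but do not stop the script when a file is missing, so a `set -e` or an explicit `[ -f ... ] || exit 1` before the `docker run` would keep a half-configured host from launching the container with the Docker socket mounted.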