TLS proxy in im.deuxfleurs.fr for Android 7 #17

Closed
adrien wants to merge 4 commits from feat/im-tls-proxy into main
12 changed files with 68 additions and 20 deletions
Showing only changes of commit 672c398315 - Show all commits


@ -13,7 +13,7 @@ job "core-diplonat" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/amd64_diplonat:6" image = "lxpz/amd64_diplonat:7"
network_mode = "host" network_mode = "host"
readonly_rootfs = true readonly_rootfs = true
privileged = true privileged = true


@ -44,7 +44,7 @@ job "garage" {
template { template {
data = file("../config/garage.toml") data = file("../config/garage.toml")
destination = "secrets/garage.toml" destination = "secrets/garage.toml"
change_mode = "noop" #change_mode = "noop"
} }
template { template {
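Review bot: Commenting out `change_mode = "noop"` on the garage.toml template changes runtime behaviour without any explanation: the task falls back to Nomad's default change_mode, which as far as I know is `restart`, so every re-render of `secrets/garage.toml` will now restart the garage task. If that is the intent, delete the line rather than leaving a dead setting and record the reason next to the template, e.g. `# default change_mode (restart) is deliberate: garage must be restarted to pick up garage.toml`; if it is not, the line should be restored. The enclosing `job "garage"` block starts and ends outside this hunk.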


@ -106,6 +106,18 @@
baptiste = [ baptiste = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnGkJZZrHIUp9q0DXmVLLuhCIe7Vu1J3j6dJ1z1BglqX7yOLdFQ6LhHXx65aND/KCOM1815tJSnaAyKWEj9qJ31RVUoRl42yBn54DvQumamJUaXAHqJrXhjwxfUkF9B73ZSUzHGADlQnxcBkmrjC5FkrpC/s4xr0o7/GIBkBdtZhX9YpxBfpH6wEcCruTOlm92E3HvvjpBb/wHsoxL1f2czvWe69021gqWEYRFjqtBwP36NYZnGOJZ0RrlP3wUrGCSHxOKW+2Su+tM6g07KPJn5l1wNJiOcyBQ0/Sv7ptCJ9+rTQNeVBMoXshaucYP/bKJbqH7dONrYDgz59C4+Kax" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnGkJZZrHIUp9q0DXmVLLuhCIe7Vu1J3j6dJ1z1BglqX7yOLdFQ6LhHXx65aND/KCOM1815tJSnaAyKWEj9qJ31RVUoRl42yBn54DvQumamJUaXAHqJrXhjwxfUkF9B73ZSUzHGADlQnxcBkmrjC5FkrpC/s4xr0o7/GIBkBdtZhX9YpxBfpH6wEcCruTOlm92E3HvvjpBb/wHsoxL1f2czvWe69021gqWEYRFjqtBwP36NYZnGOJZ0RrlP3wUrGCSHxOKW+2Su+tM6g07KPJn5l1wNJiOcyBQ0/Sv7ptCJ9+rTQNeVBMoXshaucYP/bKJbqH7dONrYDgz59C4+Kax"
]; ];
aeddis = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoFf9fMYwLOpmiXKgn4Rs99YCj94SU1V0gwGXR5N4Md"
];
boris = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPts/36UvMCFcx3anSMV8bQKGel4c4wCsdhDGWHzZHgg07DxMt+Wk9uv0hWkqLojkUbCl/bI5siftiEv6En0mHw="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJaD6flgTLkKimMB1qukiLKLVqsN+gizgajETjTwbscXEP2Fajmqy+90v1eXTDcGivmTyi8wOqkJ0s4D7dWP7Ck="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEIZKA/SIicXq7HPFJfumrMc1iARqA1TQWWuWLrguOlKgFPBVym/IVjtYGAQ/Xtv4wU9Ak0s+t9UKpQ/K38kVe0="
];
vincent = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
];
}; };
# For Garage external communication # For Garage external communication
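Review bot: The twelve new lines for `aeddis`, `boris` and `vincent` are inserted verbatim in two files (here and in the hunk ending at the `# For Garage ipv6 communication` line), so what look like admin account key lists are now maintained twice and will drift the next time a key is rotated or an account removed. Consider defining the key sets once in a shared Nix file and importing them from both cluster configs, or at minimum add a comment above each block such as `# keep in sync with the other cluster's account list` so a future edit is not applied to only one side. The attribute set containing these entries starts outside the hunk.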


@ -22,7 +22,7 @@ job "core-diplonat" {
"#iptables", "#iptables",
"#bash", "#bash",
"#coreutils", "#coreutils",
"git+https://git.deuxfleurs.fr/Deuxfleurs/diplonat.git?ref=main&rev=05872634a42bf0aef3ab0a2760e2be4590bc8b73" "git+https://git.deuxfleurs.fr/Deuxfleurs/diplonat.git?ref=main&rev=843104dad73bfdebb674d3c3ec82af225c20c493"
] ]
command = "diplonat" command = "diplonat"
} }


@ -82,6 +82,7 @@ EOH
name = "tricot-http" name = "tricot-http"
port = "http_port" port = "http_port"
tags = [ tags = [
"d53-aaaa ${attr.unique.hostname}.machine.staging.deuxfleurs.org",
"d53-aaaa ${meta.site}.site.staging.deuxfleurs.org", "d53-aaaa ${meta.site}.site.staging.deuxfleurs.org",
"d53-aaaa staging.deuxfleurs.org", "d53-aaaa staging.deuxfleurs.org",
"(diplonat (tcp_port 80))" "(diplonat (tcp_port 80))"
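Review bot: The new `d53-aaaa ${attr.unique.hostname}.machine.staging.deuxfleurs.org` tag is what the `ssh_config` and `known_hosts` changes in this same commit now depend on, but nothing in the job says so. Since the record is attached to the `tricot-http` service, the per-host name presumably only exists while tricot is registered on that host, which is worth stating next to the tag, e.g. `# per-host AAAA record; cluster/staging/ssh_config relies on this name`. The service block continues outside the hunk.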


@ -26,8 +26,8 @@ job "garage-staging" {
packages = [ packages = [
"#bash", # so that we can enter a shell inside container "#bash", # so that we can enter a shell inside container
"#coreutils", "#coreutils",
# garage v0.9.0 # garage v0.9.1-rc
"git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=main&rev=952c9570c494468643353ee1ae9052b510353665", "git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=main&rev=9cfeea389a1274d4d3c1f4b7072b0c056af410ef",
] ]
command = "garage" command = "garage"
args = [ "server" ] args = [ "server" ]


@ -192,8 +192,8 @@ EOH
} }
resources { resources {
memory = 200 memory = 500
memory_max = 200 memory_max = 500
cpu = 100 cpu = 100
} }
} }


@ -79,6 +79,18 @@
armael = [ armael = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
]; ];
aeddis = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoFf9fMYwLOpmiXKgn4Rs99YCj94SU1V0gwGXR5N4Md"
];
boris = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPts/36UvMCFcx3anSMV8bQKGel4c4wCsdhDGWHzZHgg07DxMt+Wk9uv0hWkqLojkUbCl/bI5siftiEv6En0mHw="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJaD6flgTLkKimMB1qukiLKLVqsN+gizgajETjTwbscXEP2Fajmqy+90v1eXTDcGivmTyi8wOqkJ0s4D7dWP7Ck="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEIZKA/SIicXq7HPFJfumrMc1iARqA1TQWWuWLrguOlKgFPBVym/IVjtYGAQ/Xtv4wU9Ak0s+t9UKpQ/K38kVe0="
];
vincent = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
];
}; };
# For Garage ipv6 communication # For Garage ipv6 communication


@ -11,3 +11,5 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
10.14.3.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co 10.14.3.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ 192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co 2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
carcajou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
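Review bot: Only `carcajou` and `caribou` get entries under their new `.machine.staging.deuxfleurs.org` names, while the updated `ssh_config` in this commit also points `origan`, `piranha` and `df-pw5` at that suffix; with `UserKnownHostsFile ./cluster/staging/known_hosts` those three hosts will have no pinned key on first connection and fall back to a trust-on-first-use prompt (or fail under strict host key checking). The key for piranha is already on this page under its old `10.14.3.1` address, so one of the missing lines is `piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co`; `origan` and `df-pw5` need the same treatment with their respective keys (df-pw5's is truncated in the hunk header here, so copy it from the existing `df-pw5.machine.deuxfleurs.fr` line). Pinning the new names now keeps the file authoritative instead of letting each operator accept keys ad hoc.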


@ -1,18 +1,24 @@
UserKnownHostsFile ./cluster/staging/known_hosts UserKnownHostsFile ./cluster/staging/known_hosts
Host caribou Host caribou
HostName caribou.machine.deuxfleurs.fr #HostName caribou.machine.deuxfleurs.fr
HostName caribou.machine.staging.deuxfleurs.org
Host carcajou Host carcajou
HostName carcajou.machine.deuxfleurs.fr #HostName carcajou.machine.deuxfleurs.fr
HostName carcajou.machine.staging.deuxfleurs.org
Host origan Host origan
HostName origan.df.trinity.fr.eu.org #HostName origan.df.trinity.fr.eu.org
HostName origan.machine.staging.deuxfleurs.org
Host piranha Host piranha
ProxyJump carcajou.machine.deuxfleurs.fr
HostName 10.14.3.1
#HostName piranha.polyno.me #HostName piranha.polyno.me
#OR
#ProxyJump carcajou.machine.deuxfleurs.fr
#HostName 10.14.3.1
HostName piranha.machine.staging.deuxfleurs.org
Host df-pw5 Host df-pw5
HostName df-pw5.machine.deuxfleurs.fr #HostName df-pw5.machine.deuxfleurs.fr
HostName df-pw5.machine.staging.deuxfleurs.org
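Review bot: Each `Host` block keeps its previous `HostName` (and for piranha the whole `ProxyJump`/`HostName 10.14.3.1` alternative) as commented-out lines, which leaves five dead settings in a file whose history git already keeps; I would drop them and, if the old paths are still needed as a fallback, say so once at the top, e.g. `# All hosts are reached via their d53-published *.machine.staging.deuxfleurs.org names; see known_hosts`. Related: the README example added in this commit still uses `HostName %h.machine.deuxfleurs.fr` and the `*.service.prod.consul` forwards for the staging hosts, so it no longer matches this file.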


@ -17,12 +17,26 @@ Basically:
Edit your `~/.ssh/config` file with content such as the following: Edit your `~/.ssh/config` file with content such as the following:
``` ```
Host dahlia # Deuxfleurs prod
HostName dahlia.machine.deuxfleurs.fr Host abricot ananas concombre celeri courgette df-ykl df-ymf df-ymk
LocalForward 14646 127.0.0.1:4646 HostName %h.machine.deuxfleurs.fr
LocalForward 8501 127.0.0.1:8501 IdentityFile ~/.ssh/deuxfleurs_ed25519
LocalForward 1389 bottin.service.prod.consul:389 User adrien
LocalForward 5432 psql-proxy.service.prod.consul:5432 LocalForward 14646 127.0.0.1:4646
LocalForward 8501 127.0.0.1:8501
LocalForward 1389 bottin.service.prod.consul:389
LocalForward 5432 psql-proxy.service.prod.consul:5432
# Deuxfleurs staging
Host piranha df-pw5 # et autres
HostName %h.machine.deuxfleurs.fr
IdentityFile ~/.ssh/deuxfleurs_ed25519
User adrien
LocalForward 14646 127.0.0.1:4646
LocalForward 8501 127.0.0.1:8501
LocalForward 1389 bottin.service.prod.consul:389
LocalForward 5432 psql-proxy.service.prod.consul:5432
``` ```
Then run the TLS proxy and leave it running: Then run the TLS proxy and leave it running:


@ -17,7 +17,8 @@ PREFIX="deuxfleurs/cluster/$CLUSTER"
# Do actual stuff # Do actual stuff
YEAR=$(date +%Y) #YEAR=$(date +%Y)
YEAR=2023
CERTDIR=$(mktemp -d) CERTDIR=$(mktemp -d)
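Review bot: Replacing `YEAR=$(date +%Y)` with a hard-coded `YEAR=2023` means whatever this script derives from `$YEAR` (it is used further down, outside the hunk) will stay pinned to 2023 after the year changes, and the commented-out original gives no hint whether that pin is intentional or a leftover from debugging. If the aim is to keep addressing an existing 2023 key or path, make the pin explicit and overridable, `YEAR="${YEAR:-$(date +%Y)}"` with a comment such as `# override YEAR to reuse a previously generated certificate set`; if the pin is temporary, the original line should be restored before merge. The script body continues past the end of the hunk.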