Document strongswan setup

Signed-off-by: Egor Savkin <es@m-labs.hk>

m-labs-intl/60-tunnels.yaml

@@ -0,0 +1,18 @@
+network:
+   version: 2
+   renderer: networkd
+   ethernets:
+     eth0:
+       addresses:
+       - 5.78.86.156/32
+       - 2a01:4ff:1f0:83de::2/64
+       - 2a01:4ff:1f0:83de::3/64
+       - 2a01:4ff:1f0:83de::4/64
+   tunnels:
+     gre1:
+       mode: gre
+       local: 5.78.86.156
+       remote: 94.190.212.123
+       addresses:
+        - 10.47.3.0/31
+

m-labs-intl/gretun.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=GRE tunnel to the main host
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/root/gretun.sh
+ExecStop=/root/gretun_down.sh
+Restart=on-failure
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

m-labs-intl/gretun.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+/usr/sbin/ufw route allow in on gre1 out on eth0
+

m-labs-intl/gretun_down.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+/usr/sbin/ufw delete route allow in on gre1 out on eth0

m-labs-intl/m-labs.hk.conf

@@ -0,0 +1,34 @@
+
+
+connections {
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 5.78.86.156
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:m-labs-intl.com
+      pubkeys = m-labs-intl.com
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 5.78.86.156[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = start
+        close_action = none
+      }
+    }
+  } 
+}

m-labs-intl/main.cf

@@ -1,63 +0,0 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific:  Specifying a file name will cause the first
-# line of that file to be used as the name.  The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
-# fresh installs.
-compatibility_level = 3.6
-
-
-
-# TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_tls_security_level=may
-
-smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = mail.m-labs-intl.com
-mydomain = m-labs-intl.com
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-myorigin = $mydomain
-#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
-mydestination = 
-relayhost = mail.m-labs.hk
-#relay_domains = $mydomain
-local_transport = error:local delivery disabled
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-
-
-	
-virtual_alias_maps = hash:/etc/postfix/virtual
-virtual_alias_domains = $mydomain m-labs.hk
-
-
-# DKIM
-milter_default_action = accept
-milter_protocol = 2
-smtpd_milters = inet:localhost:8891
-non_smtpd_milters = inet:localhost:8891

m-labs-intl/nginx.conf

@@ -63,28 +63,3 @@ http {
 	include /etc/nginx/sites-enabled/*;
 }
 
-
-stream {
-    # Upstream mail servers
-    upstream smtp_backend {
-        server mail.m-labs.hk:25;
-    }
-
-    upstream submission_backend {
-        server mail.m-labs.hk:587;
-    }
-
-    # SMTP
-    server {
-        listen 25;
-        proxy_protocol on;
-        proxy_pass smtp_backend;
-    }
-
-    # Submission (Authenticated SMTP)
-    server {
-        listen 587;
-        proxy_protocol on;
-        proxy_pass submission_backend;
-    }
-}

m-labs-intl/opendkim

@@ -1,32 +0,0 @@
-# NOTE: This is a legacy configuration file. It is not used by the opendkim
-# systemd service. Please use the corresponding configuration parameters in
-# /etc/opendkim.conf instead.
-#
-# Previously, one would edit the default settings here, and then execute
-# /lib/opendkim/opendkim.service.generate to generate systemd override files at
-# /etc/systemd/system/opendkim.service.d/override.conf and
-# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
-# recommended to adjust the settings directly in /etc/opendkim.conf.
-#
-#DAEMON_OPTS=""
-# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
-# postfix in a chroot:
-#RUNDIR=/var/spool/postfix/run/opendkim
-RUNDIR=/run/opendkim
-#
-# Uncomment to specify an alternate socket
-# Note that setting this will override any Socket value in opendkim.conf
-# default:
-SOCKET=local:$RUNDIR/opendkim.sock
-# listen on all interfaces on port 54321:
-#SOCKET=inet:54321
-# listen on loopback on port 12345:
-#SOCKET=inet:12345@localhost
-# listen on 192.0.2.1 on port 12345:
-#SOCKET=inet:12345@192.0.2.1
-USER=opendkim
-GROUP=opendkim
-PIDFILE=$RUNDIR/$NAME.pid
-EXTRAAFTER=
-
-SOCKET="inet:8891@localhost"

m-labs-intl/opendkim.conf

@@ -1,57 +0,0 @@
-# This is a basic configuration for signing and verifying. It can easily be
-# adapted to suit a basic installation. See opendkim.conf(5) and
-# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
-# documentation of available configuration parameters.
-
-Syslog			yes
-SyslogSuccess		yes
-#LogWhy			no
-
-# Common signing and verification parameters. In Debian, the "From" header is
-# oversigned, because it is often the identity key used by reputation systems
-# and thus somewhat security sensitive.
-Canonicalization	relaxed/simple
-#Mode			sv
-#SubDomains		no
-OversignHeaders		From
-
-# Signing domain, selector, and key (required). For example, perform signing
-# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
-# using the private key stored in /etc/dkimkeys/example.private. More granular
-# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
-#Domain			example.com
-#Selector		2020
-#KeyFile		/etc/dkimkeys/example.private
-
-# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
-# using a local socket with MTAs that access the socket as a non-privileged
-# user (for example, Postfix). You may need to add user "postfix" to group
-# "opendkim" in that case.
-UserID			opendkim
-UMask			007
-
-# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
-# it must be ensured that the socket is accessible. In Debian, Postfix runs in
-# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
-# configured as shown on the last line below.
-Socket			local:/run/opendkim/opendkim.sock
-#Socket			inet:8891@localhost
-#Socket			inet:8891
-#Socket			local:/var/spool/postfix/opendkim/opendkim.sock
-
-PidFile			/run/opendkim/opendkim.pid
-
-# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
-# OPERATION section of opendkim(8) for more information.
-#InternalHosts		192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
-
-# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
-# by the package dns-root-data.
-TrustAnchorFile		/usr/share/dns/root.key
-#Nameservers		127.0.0.1
-
-
-Domain                  m-labs-intl.com
-KeyFile                 /etc/postfix/dkim.key
-Selector                mail
-SOCKET                  inet:8891@localhost

m-labs-intl/setup.md

@@ -1,26 +1,42 @@
 # Setup m-labs-intl.com server
 
 ```shell
-apt install git nginx-full python3 python3.12-venv python3-pip
+# Install required packages
+apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
+  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
 snap install --classic certbot
 ln -s /snap/bin/certbot /usr/bin/certbot
-useradd -m rfqserver
-useradd -m zolaupd
 
+# Set up networks (includes GRE)
+cp 60-tunnels.yaml /etc/netplan/
+netplan apply
+
+# set up IPsec-AH connection
+cp m-labs.hk.conf /etc/swanctl/conf.d/
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+sysctl -p
+cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
+pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
+pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
+cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
+systemctl enable strongswan --now
+systemctl restart strongswan
+
+# Set up website
 cp m-labs-intl.com /etc/nginx/sites-available/
 cp nginx.conf /etc/nginx/
 ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+systemctl enable nginx --now
+service nginx restart
 
+# Issue SSL certificate - website only, the mail is on the HK side
+certbot --nginx
+service nginx restart
+
+# Create a user for automatic website deployment from nixbld
+useradd -m zolaupd
 mkdir -p /var/www/m-labs-intl.com/html
 chown -R zolaupd /var/www/m-labs-intl.com/
-
-cp runrfq.sh /home/rfqserver/
-cp mail.secret /home/rfqserver/
-chown rfqserver /home/rfqserver/runrfq.sh
-chmod +x /home/rfqserver/runrfq.sh
-chown rfqserver /home/rfqserver/mail.secret
-
-
 sudo -u zolaupd sh -c '
   cd /home/zolaupd;
   mkdir /home/zolaupd/.ssh;
@@ -30,6 +46,14 @@ sudo -u zolaupd sh -c '
   chmod 600 .ssh/authorized_keys
   '
 
+# Create a user for RFQ hooks service
+useradd -m rfqserver
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+
 sudo -u rfqserver sh -c '
   cd /home/rfqserver;
   git clone https://git.m-labs.hk/M-Labs/web2019.git;
@@ -38,31 +62,38 @@ sudo -u rfqserver sh -c '
   source venv/bin/activate;
   pip install -r requirements.txt;
 '
-
 cp rfq.service /etc/systemd/system/
 
+# Automate port forwarding rules creation
+cp gretun.sh /root/gretun.sh
+cp gretun_down.sh /root/gretun_down.sh
+chmod u+x /root/gretun.sh
+chmod u+x /root/gretun_down.sh
+cp gretun.service /etc/systemd/system/
+
+# Enable custom services
 systemctl daemon-reload
-systemctl enable rfq.service
+systemctl enable rfq.service --now
-systemctl start rfq.service
+systemctl enable gretun.service --now
-systemctl enable danted.service
-
-service nginx restart
-
-certbot --nginx
-
-service nginx restart
 
+# Setup basic firewall rules  
 ufw default deny
+ufw default allow outgoing
+
 ufw allow from 94.190.212.123
-ufw allow from 2001:470:f891:1:5999:5529:5d:f71d
+ufw allow from 2001:470:f891:1::/64
 ufw allow from 202.77.7.238
 ufw allow from 2001:470:18:390::2
 ufw allow "Nginx HTTP"
 ufw allow "Nginx HTTPS"
 ufw limit OpenSSH
-ufw default allow outgoing
+ufw allow 25/tcp
-ufw limit 25/tcp
+ufw allow 587/tcp
-ufw limit 587/tcp
+ufw limit 500,4500/udp
+
+ufw route allow in on gre1 out on eth0
+ufw allow from 10.47.3.0/31
+
 ufw show added
 ufw enable
 ```