it-infra/m-labs-intl/setup.md
Egor Savkin 683a565a1d Document intl node set up
Uses strongswan and GRE for mail connection, iptables for port forwarding to the smtp, nginx for website and webhook service, with static files getting uploaded from nixbld

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-18 17:40:04 +08:00

2.9 KiB

Setup m-labs-intl.com server

# Install required packages
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

# Set up networks (includes GRE)
cp 60-tunnels.yaml /etc/netplan/
netplan apply

# set up IPsec-AH connection
cp m-labs.hk.conf /etc/swanctl/conf.d/
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
systemctl enable strongswan --now
systemctl restart strongswan

# Set up website
cp m-labs-intl.com /etc/nginx/sites-available/
cp nginx.conf /etc/nginx/
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
systemctl enable nginx --now
service nginx restart

# Issue SSL certificate - website only, the mail is on the HK side
certbot --nginx
service nginx restart

# Create a user for automatic website deployment from nixbld
useradd -m zolaupd
mkdir -p /var/www/m-labs-intl.com/html
chown -R zolaupd /var/www/m-labs-intl.com/
sudo -u zolaupd sh -c '
  cd /home/zolaupd;
  mkdir /home/zolaupd/.ssh;
  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
  chmod 700 .ssh/
  chmod 600 .ssh/authorized_keys
  '

# Create a user for RFQ hooks service
useradd -m rfqserver
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret

sudo -u rfqserver sh -c '
  cd /home/rfqserver;
  git clone https://git.m-labs.hk/M-Labs/web2019.git;
  cd web2019;
  python3 -m venv ./venv;
  source venv/bin/activate;
  pip install -r requirements.txt;
'
cp rfq.service /etc/systemd/system/

# Automate port forwarding rules creation
cp gretun.sh /root/gretun.sh
cp gretun_down.sh /root/gretun_down.sh
chmod u+x /root/gretun.sh
chmod u+x /root/gretun_down.sh
cp gretun.service /etc/systemd/system/

# Enable custom services
systemctl daemon-reload
systemctl enable rfq.service --now
systemctl enable gretun.service --now

# Setup basic firewall rules  
ufw default deny
ufw default allow outgoing

ufw allow from 94.190.212.123
ufw allow from 2001:470:f891:1::/64
ufw allow from 202.77.7.238
ufw allow from 2001:470:18:390::2
ufw allow "Nginx HTTP"
ufw allow "Nginx HTTPS"
ufw limit OpenSSH
ufw allow 25/tcp
ufw allow 587/tcp
ufw limit 500,4500/udp

ufw route allow in on gre1 out on eth0
ufw allow from 10.47.3.0/31

ufw show added
ufw enable