From a6a24c9dd286280e99bbaf283c94567b9bf58ac2 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Wed, 21 Feb 2024 04:03:58 -0500
Subject: remove algo
---
 bin/algo-config | 59 ----------------------
 bin/helpers/algo-config.diff | 70 --------------------------------
 bin/helpers/algo-virtualenv | 10 ----
 bin/helpers/launch-algo | 50 -------------------
 bin/launch | 2 +-
 bin/secrets | 8 +--
 bin/terminate | 5 +-
 hiera/data/common.yaml | 6 ---
 modules/base/templates/hosts | 4 --
 modules/borgmatic/manifests/init.pp | 2 +-
 modules/mail/manifests/backups.pp | 2 +-
 modules/mail/manifests/operatingsystem.pp | 1 -
 modules/partofme/manifests/operatingsystem.pp | 1 -
 modules/tozt/manifests/backups.pp | 2 +-
 modules/tozt/manifests/operatingsystem.pp | 1 -
 modules/wireguard/manifests/init.pp | 18 -------
 16 files changed, 9 insertions(+), 232 deletions(-)
 delete mode 100755 bin/algo-config
 delete mode 100644 bin/helpers/algo-config.diff
 delete mode 100755 bin/helpers/algo-virtualenv
 delete mode 100755 bin/helpers/launch-algo
 delete mode 100644 modules/wireguard/manifests/init.pp
diff --git a/bin/algo-config b/bin/algo-config
deleted file mode 100755
index f9297ab..0000000
--- a/bin/algo-config
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-set -o pipefail
-
-script_path="$(realpath "$(dirname "$0")")"
-secrets_bin="${script_path}/secrets"
-config_path="$(echo /mnt/algo/configs/*/wireguard)"
-
-"$secrets_bin" open
-trap '"$secrets_bin" close' EXIT
-
-if [ -z "${VIRTUAL_ENV:-}" ]; then
- # shellcheck disable=SC1090
- . "${script_path}/helpers/algo-virtualenv"
- python -m pip install segno
-fi
-
-fixup_configs() {
- name=$1
- shift
-
- sed -i 's/^\(Address.*\) *,.*/\1/' "$config_path"/"${name}".conf
- sed -i '/^DNS/d' "$config_path"/"${name}".conf
- cp "$config_path"/"${name}".conf "$config_path"/"${name}"-not-captive.conf
- sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/"${name}".conf
- sed -i 's|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24|' "$config_path"/"${name}"-not-captive.conf
-}
-
-# hornet
-fixup_configs hornet
-sudo cp "$config_path"/hornet.conf /etc/wireguard/algo-captive.conf
-sudo cp "$config_path"/hornet-not-captive.conf /etc/wireguard/algo.conf
-
-# tozt
-fixup_configs tozt
-scp "$config_path"/tozt-not-captive.conf root@tozt.net:/etc/wireguard/algo.conf
-cp "$config_path"/tozt-not-captive.conf /mnt/puppet/tozt/wireguard
-$secrets_bin sync tozt
-
-# partofme
-fixup_configs partofme
-scp "$config_path"/partofme-not-captive.conf root@partofme:/etc/wireguard/algo.conf
-cp "$config_path"/partofme-not-captive.conf /mnt/puppet/partofme/wireguard
-$secrets_bin sync partofme
-
-# mail
-fixup_configs mail
-scp "$config_path"/mail-not-captive.conf root@mail.tozt.net:/etc/wireguard/algo.conf
-cp "$config_path"/mail-not-captive.conf /mnt/puppet/mail/wireguard
-$secrets_bin sync mail
-
-# phone
-fixup_configs phone
-echo "algo-captive"
-segno --scale=5 --output="$config_path"/phone.png "$(cat "$config_path"/phone.conf)"
-sxiv "$config_path/phone.png"
-echo "algo"
-segno --scale=5 --output="$config_path"/phone-not-captive.png "$(cat "$config_path"/phone-not-captive.conf)"
-sxiv "$config_path/phone-not-captive.png"
diff --git a/bin/helpers/algo-config.diff b/bin/helpers/algo-config.diff
deleted file mode 100644
index edc046f..0000000
--- a/bin/helpers/algo-config.diff
+++ /dev/null
@@ -1,70 +0,0 @@
-diff --git i/config.cfg w/config.cfg
-index a6b8952..3c78520 100644
---- i/config.cfg
-+++ w/config.cfg
-@@ -6,9 +6,11 @@
- # User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
- # Email addresses are not allowed.
- users:
-+ - hornet
-+ - mail
-+ - partofme
- - phone
-- - laptop
-- - desktop
-+ - tozt
- 
- ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
- 
-@@ -17,7 +19,7 @@ users:
- ssh_port: 4160
- 
- # Deploy StrongSwan to enable IPsec support
--ipsec_enabled: true
-+ipsec_enabled: false
- 
- # Deploy WireGuard
- # WireGuard will listen on 51820/UDP. You might need to change to another port
-@@ -40,7 +42,7 @@ alternative_ingress_ip: false
- # automatically based on your server, but if connections hang you might need to
- # adjust this yourself.
- # See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
--reduce_mtu: 0
-+reduce_mtu: 184
- 
- # Algo will use the following lists to block ads. You can add new block lists
- # after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
-@@ -53,13 +55,13 @@ adblock_lists:
- # Enable DNS encryption.
- # If 'false', 'dns_servers' should be specified below.
- # DNS encryption can not be disabled if DNS adblocking is enabled
--dns_encryption: true
-+dns_encryption: false
- 
- # Block traffic between connected clients. Change this to false to enable
- # connected clients to reach each other, as well as other computers on the
- # same LAN as your Algo server (i.e. the "road warrior" setup). In this
- # case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
--BetweenClients_DROP: true
-+BetweenClients_DROP: false
- 
- # Block SMB/CIFS traffic
- block_smb: true
-@@ -73,7 +75,7 @@ block_netbios: true
- # which case a reboot will take place if necessary at the time specified (as
- # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
- unattended_reboot:
-- enabled: false
-+ enabled: true
- time: 06:00
- 
- ### Advanced users only below this line ###
-@@ -122,7 +124,7 @@ strongswan_network_ipv6: '2001:db8:4160::/48'
- # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
- # This option will keep the "connection" open in the eyes of NAT.
- # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
--wireguard_PersistentKeepalive: 0
-+wireguard_PersistentKeepalive: 25
- 
- # WireGuard network configuration
- wireguard_network_ipv4: 10.49.0.0/16
diff --git a/bin/helpers/algo-virtualenv b/bin/helpers/algo-virtualenv
deleted file mode 100755
index 4e8d9f6..0000000
--- a/bin/helpers/algo-virtualenv
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-set -o pipefail
-
-python -m virtualenv --python="$(command -v python)" .env
-set +eu
- # shellcheck disable=SC1091
-source .env/bin/activate
-set -eu
-python -m pip install -U pip virtualenv
diff --git a/bin/helpers/launch-algo b/bin/helpers/launch-algo
deleted file mode 100755
index 00cdafb..0000000
--- a/bin/helpers/launch-algo
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-set -o pipefail
-
-script_path="$(realpath "$(dirname "$0")")"
-logfile="/mnt/algo/algo-log-$(date +%s).log"
-latest_logfile=/mnt/algo/algo-log-latest.log
-algodir="$(mktemp --tmpdir -d launch-algo.XXXXXXXXXX)"
-
-cleanup() {
- if perl -e'exit 1 unless $ARGV[0] =~ m{^/tmp/launch-algo.*$}' "$algodir"; then
- rm -rf "$algodir"
- fi
-}
-trap cleanup EXIT
-
-touch "$logfile"
-ln -sf "$(basename "$logfile")" "$latest_logfile"
-echo "Logging to $latest_logfile"
-
-git clone git@github.com:trailofbits/algo "$algodir"
-cd "$algodir"
-
-echo "Installing dependencies..."
-# shellcheck disable=SC1090
-. "${script_path}/algo-virtualenv" >> "$logfile"
-python -m pip install -r requirements.txt
-echo "done."
-
-rm -f configs/.gitinit
-rmdir configs
-mkdir -p .venvs
-rm -rf /mnt/algo/configs
-mkdir -p /mnt/algo/configs
-ln -sf /mnt/algo/configs configs
-ln -sf "$algodir"/.venvs /mnt/algo/configs/.venvs
-
-git apply "${script_path}/algo-config.diff"
-
-echo "Running Ansible..."
-do_token=$(cat /mnt/digitalocean)
-ansible-playbook main.yml -e "provider=digitalocean server_name=algo.tozt.net region=nyc3 do_token=$do_token dns_adblocking=false ssh_tunneling=false ondemand_cellular=false ondemand_wifi=false" >> "$logfile"
-
-"${script_path}/../algo-config"
-
-# need to wait for the controlmaster process to exit
-# XXX there should be a way to tell it to exit, but i don't know how to
-# calculate the correct controlpath
-sleep 60
-echo "Done"
diff --git a/bin/launch b/bin/launch
index d24acf5..571b70d 100755
--- a/bin/launch
+++ b/bin/launch
@@ -6,7 +6,7 @@ script_path="$(realpath "$(dirname "$0")")"
 secrets_bin="${script_path}/secrets"
 
 case "$1" in
-base | algo | mail | partofme)
+base | mail | partofme)
 "$secrets_bin" open
 trap '"$secrets_bin" close' EXIT
 "$(dirname "$0")/helpers/launch-$1"
diff --git a/bin/secrets b/bin/secrets
index f29a5b2..721bd3a 100755
--- a/bin/secrets
+++ b/bin/secrets
@@ -30,14 +30,14 @@ cmd_close() {
 }
 
 cmd_sync() {
- if [ "${2:-}" = "--algo" ]; then
+ if [ "${2:-}" = "--ts" ]; then
 host="${3:-tozt}"
 if [ "${host}" = "tozt" ]; then
- hostname=tozt.algo
+ hostname=tozt
 elif [ "${host}" = "mail" ]; then
- hostname=mail.algo
+ hostname=mail
 elif [ "${host}" = "partofme" ]; then
- hostname=partofme.algo
+ hostname=partofme
 else
 echo "unknown host ${host}" >&2
 exit 1
diff --git a/bin/terminate b/bin/terminate
index e760c09..9ff1941 100755
--- a/bin/terminate
+++ b/bin/terminate
@@ -6,13 +6,10 @@ script_path="$(realpath "$(dirname "$0")")"
 secrets_bin="${script_path}/secrets"
 
 case "$1" in
-algo | mail | mail2)
+mail)
 "$secrets_bin" open
 trap '"$secrets_bin" close' EXIT
 case "$1" in
- algo)
- hostname=algo.tozt.net
- ;;
 mail)
 hostname=mail.tozt.net
 ;;
diff --git a/hiera/data/common.yaml b/hiera/data/common.yaml
index c961617..2fcfa2c 100644
--- a/hiera/data/common.yaml
+++ b/hiera/data/common.yaml
@@ -1,11 +1,5 @@
 ---
 default_user: doy
-vpn_ips:
- hornet: '10.49.0.2'
- mail: '10.49.0.3'
- partofme: '10.49.0.4'
- phone: '10.49.0.5'
- tozt: '10.49.0.6'
 
 # when updating this value, also rm /opt/metabase/metabase.jar
 metabase::version: 'v0.48.3'
diff --git a/modules/base/templates/hosts b/modules/base/templates/hosts
index 73bfc38..63fe815 100644
--- a/modules/base/templates/hosts
+++ b/modules/base/templates/hosts
@@ -1,6 +1,2 @@
 127.0.0.1 localhost
 127.0.1.1 <%= @hostname %>.localdomain <%= @hostname %>
-
-<% @vpn_ips.each do |hostname, ip| -%>
-<%= ip %> <%= hostname %>.algo
-<% end -%>
diff --git a/modules/borgmatic/manifests/init.pp b/modules/borgmatic/manifests/init.pp
index fe1e4fd..7b409d6 100644
--- a/modules/borgmatic/manifests/init.pp
+++ b/modules/borgmatic/manifests/init.pp
@@ -1,4 +1,4 @@
-class borgmatic($host = 'partofme.algo', $extra_paths = []) {
+class borgmatic($host = 'partofme', $extra_paths = []) {
 package { 'borgmatic':
 ensure => installed;
 }
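Review bot: The new `hostname=tozt`, `hostname=mail` and `hostname=partofme` assignments in `cmd_sync` hand an unqualified name to whatever sync step follows, and the `.algo` names they replace were pinned by the `/etc/hosts` entries this same commit drops from `modules/base/templates/hosts`, so resolution of the bare names now happens entirely outside this repository (presumably Tailscale MagicDNS given the `--ts` flag, but that is not visible here). Because this path copies secrets to the resolved host, a short name that could also be satisfied by a local search domain or mDNS responder is worth ruling out, either by using the fully qualified tailnet name or at least by documenting the assumption, e.g. `# bare names resolve via the tailnet (MagicDNS); nothing in this repo pins them`. The `$host = 'partofme'` default added in `modules/borgmatic/manifests/init.pp` on this same line has the same dependency. `cmd_sync` continues past the end of the hunk.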
diff --git a/modules/mail/manifests/backups.pp b/modules/mail/manifests/backups.pp
index 013d651..1195dd4 100644
--- a/modules/mail/manifests/backups.pp
+++ b/modules/mail/manifests/backups.pp
@@ -1,6 +1,6 @@
 class mail::backups {
 class { 'borgmatic':
 extra_paths => ['/media/persistent'],
- require => Service["wg-quick@algo"];
+ require => Service["tailscaled"];
 }
 }
diff --git a/modules/mail/manifests/operatingsystem.pp b/modules/mail/manifests/operatingsystem.pp
index 9863a3f..26c307e 100644
--- a/modules/mail/manifests/operatingsystem.pp
+++ b/modules/mail/manifests/operatingsystem.pp
@@ -1,5 +1,4 @@
 class mail::operatingsystem {
 include reflector
 include tailscale
- include wireguard
 }
diff --git a/modules/partofme/manifests/operatingsystem.pp b/modules/partofme/manifests/operatingsystem.pp
index 04fc393..7f25635 100644
--- a/modules/partofme/manifests/operatingsystem.pp
+++ b/modules/partofme/manifests/operatingsystem.pp
@@ -1,7 +1,6 @@
 class partofme::operatingsystem {
 include reflector
 include tailscale
- include wireguard
 
 file { '/etc/mkinitcpio.conf':
diff --git a/modules/tozt/manifests/backups.pp b/modules/tozt/manifests/backups.pp
index 086de4e..28b3d0d 100644
--- a/modules/tozt/manifests/backups.pp
+++ b/modules/tozt/manifests/backups.pp
@@ -1,6 +1,6 @@
 class tozt::backups {
 class { 'borgmatic':
 extra_paths => ['/media/persistent'],
- require => Service["wg-quick@algo"];
+ require => Service["tailscaled"];
 }
 }
diff --git a/modules/tozt/manifests/operatingsystem.pp b/modules/tozt/manifests/operatingsystem.pp
index 18e801e..e62376d 100644
--- a/modules/tozt/manifests/operatingsystem.pp
+++ b/modules/tozt/manifests/operatingsystem.pp
@@ -1,5 +1,4 @@
 class tozt::operatingsystem {
 include reflector
 include tailscale
- include wireguard
 }
diff --git a/modules/wireguard/manifests/init.pp b/modules/wireguard/manifests/init.pp
deleted file mode 100644
index e988b66..0000000
--- a/modules/wireguard/manifests/init.pp
+++ /dev/null
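Review bot: `require => Service["tailscaled"]` in `mail::backups` only orders the `borgmatic` class after the service resource and has Puppet keep the daemon running; it says nothing about whether the node is logged in or whether `partofme` is reachable over the tailnet, whereas the `wg-quick@algo` unit it replaces configured the tunnel interface itself as part of starting. A borgmatic run that fires before the tailnet is up would therefore fail outright rather than wait, and this is a weaker guarantee than the manifest previously expressed. The same `require` is added in `modules/tozt/manifests/backups.pp`; on both, a comment such as `# ordering only: tailscaled running does not mean the tailnet is connected` would make the gap explicit. It is also worth confirming that the `tailscale` class declares a service titled exactly `tailscaled`, since that title is not visible in this diff.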
@@ -1,18 +0,0 @@
-class wireguard {
- package { ["wireguard-tools", "openresolv"]:
- ensure => installed,
- }
-
- secret { "/etc/wireguard/algo.conf":
- source => "wireguard",
- }
-
- service { "wg-quick@algo":
- ensure => running,
- enable => true,
- require => [
- Package["wireguard-tools"],
- Secret["/etc/wireguard/algo.conf"],
- ],
- }
-}
-- 
cgit v1.2.3-54-g00ecf