
Software

$ apt install dnsutils    # provides dig

resolvconf

Firewall

front-web

/etc/iptables/rules.v4

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -j ACCEPT -m comment --comment "FULL ACCESS LAN"
-A INPUT -i lo -j ACCEPT -m comment --comment "FULL ACCESS LOOPBACK"

-A INPUT -s 217.182.252.78/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-ansible"
-A INPUT -s 80.12.88.99/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-bureau"
-A INPUT -s 213.245.116.190/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH erasmes"

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "in order to receive responses to outgoing requests"
-A INPUT -i ens3 -p tcp -m tcp --dport 443 -d 51.83.13.51 -j ACCEPT
-A INPUT -i ens3 -p tcp -m tcp --dport 80  -d 51.83.13.51 -j ACCEPT
COMMIT
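An added review helper, not part of the original notes: it parses a file in iptables-restore format and flags the gaps a reviewer would raise on the INPUT chain (missing COMMIT, a policy other than DROP, no conntrack rule, SSH accepted from any source). The sample rules are constructed from the front-web set above; the function names are my own.

```python
import shlex

# Constructed sample in iptables-restore format, modelled on the front-web rules.v4 above.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -j ACCEPT -m comment --comment "FULL ACCESS LAN"
-A INPUT -i lo -j ACCEPT -m comment --comment "FULL ACCESS LOOPBACK"
-A INPUT -s 217.182.252.78/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-ansible"
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp -m tcp --dport 443 -d 51.83.13.51 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Split an iptables-restore file into tables: chain policies, rule token lists, COMMIT seen."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": [], "committed": False})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif line == "COMMIT":
            cur["committed"] = True
        else:
            cur["rules"].append(shlex.split(line))  # keeps a quoted --comment as one token
    return tables

def _opt(tokens, flag):
    """Value following a flag such as -s or --dport, or None when the rule lacks it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_filter(tables):
    """Findings for the INPUT chain a reviewer would raise; an empty list means clean."""
    flt = tables["filter"]
    findings = []
    if not flt["committed"]:
        findings.append("filter table has no COMMIT line, so iptables-restore will not apply it")
    if flt["policies"].get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    inputs = [r for r in flt["rules"] if _opt(r, "-A") == "INPUT"]
    if not any("ESTABLISHED" in (_opt(r, "--ctstate") or "") for r in inputs):
        findings.append("no RELATED,ESTABLISHED rule: replies to outgoing connections are dropped")
    for r in inputs:
        if _opt(r, "--dport") == "22" and "-s" not in r:
            findings.append("SSH accepted from any source: " + " ".join(r))
    return findings
```

Run it against the real file with `audit_filter(parse_rules(open("/etc/iptables/rules.v4").read()))` before `iptables-restore` is invoked.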

Domain Name Resolution

/etc/hosts

By default, the /etc/hosts file is managed by cloud-init, so user modifications are deleted at each reboot. To prevent that, the following line has to be set in /etc/cloud/cloud.cfg:

manage_etc_hosts: false

dnsmasq

Installed in the front-web machine, with the following configuration (/etc/dnsmasq.conf):

domain-needed
bogus-priv
server=213.186.33.99
listen-address=192.168.0.59
no-dhcp-interface=ens4
bind-interfaces

The following lines are appended to the /etc/hosts file in the front-web machine:

51.83.13.51     front-web.wan
192.168.0.59    front-web.lan

51.83.15.2      back-office.wan
192.168.0.146   back-office.lan

51.68.115.202   es-1.wan
192.168.0.74    es-1.lan

51.77.229.85    es-2.wan
192.168.0.65    es-2.lan

51.83.13.94     es-3.wan
192.168.0.236   es-3.lan

The other machines will use front-web as DNS.

Routing

In order for the front-web machine to be usable as a router, we need to apply the following modifications within front-web:

  1. In /etc/sysctl.conf, set net.ipv4.ip_forward=1 (applied with sysctl -p or at reboot).

  2. In /etc/iptables/rules.v4, add a nat table section that masquerades LAN traffic leaving through ens3:

*nat
-I POSTROUTING -s 192.168.0.0/24 -o ens3 -j MASQUERADE
COMMIT

Once that is done, the other machines can be set up as follows:

/etc/network/interfaces

[...]
iface ens4 inet static
	address 192.168.0.XXX
	netmask 255.255.255.0
	gateway 192.168.0.59
	dns-nameservers 192.168.0.59
[...]

If the default gateway is not picked up from that file, the following command has to be issued:

$ route add default gw 192.168.0.59 ens4

The line auto ens3 can be commented out in the file /etc/network/interfaces.d/50-cloud-init.cfg, to prevent ens3 from being brought up at reboot.

For that modification to be persistent, cloud-init's network configuration has to be disabled, by creating the file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following content:

network: {config: disabled}

Postfix, OpenDKIM

cf. https://wiki.debian.org/opendkim

$ sudo mkdir /etc/postfix/dkim/
$ sudo opendkim-genkey -D /etc/postfix/dkim/ -d data.beta.grandlyon.com -s mail

/etc/opendkim.conf

  • the line "Mode sv" is uncommented, so that OpenDKIM both signs outgoing mail (s) and verifies signatures on incoming mail (v)
  • the following lines are appended:
# Specify the list of keys
KeyTable file:/etc/postfix/dkim/keytable

# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/postfix/dkim/signingtable

# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/postfix/dkim/trustedhosts

The 'Socket' line is set up as follows:

Socket                  inet:8892@localhost

/etc/postfix/dkim/keytable

mail._domainkey.data.beta.grandlyon.com data.beta.grandlyon.com:mail:/etc/postfix/dkim/mail.private

/etc/postfix/dkim/signingtable

# Domain data.beta.grandlyon.com
*@data.beta.grandlyon.com mail._domainkey.data.beta.grandlyon.com

/etc/postfix/dkim/trustedhosts

127.0.0.1
192.168.0.0/24

Note: the milter runs as the opendkim user, which must be able to read the key files, so their group is changed and access for others removed:

$ sudo chgrp opendkim /etc/postfix/dkim/*
$ sudo chmod o= /etc/postfix/dkim/*

/etc/postfix/main.cf

[...]
myhostname = data.beta.grandlyon.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, data.beta.grandlyon.com, front-web.localdomain, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
[...]

The following lines are appended:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8892
non_smtpd_milters = $smtpd_milters

DNS

The DNS records need to be updated as follows (SPF authorising front-web's public address, and the DKIM public key for the mail selector):

data.beta.grandlyon.com. 86400 IN TXT "v=spf1 +ip4:51.83.13.51 ~all"
mail._domainkey.data.beta.grandlyon.com. 86400 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzoL8dvkfhm3xCpGxW8COUIgmw4r0PV/5GSUekCA8sLGPiqNh8//Jj4tFpLK6eUMacKYPbL4goUdRyTF5gqh/MdEWwafodZczELETRcp3a7mGdmM2nDhD6lk2Xtdf+nS+HWobYN18a3abNFchcF62LJWGTd4fwKV8gOIIuvTiakVxFuC7eIBUO+7m0JU0EnnivLUabphFSL3yV" "hEdpCD3csRGedSnG6+ocpZw25ll8/5f6WZnobU2d5KKqk7MVgOFXfuJMhdjmd6UvSGPaxR+/E+PsxQCU0f9vLG4R8fLPLh0ngNGGiyNYGHB5Sn8VxIrxqpH2pQKaJsfHLK/IgRJwIDAQAB"
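An added check, not part of the original notes: it parses a selector TXT record exactly as published above (the two quoted strings joined back into one value, as a resolver does), splits it into DKIM tags, and reads the RSA modulus size out of the p= key with the standard library alone, so a published key that is empty or too short can be caught. Function names are my own.

```python
import base64
import re

# The mail._domainkey record published above, copied from the zone: two quoted
# strings that a resolver concatenates into a single TXT value.
RECORD = (
    '"v=DKIM1; h=sha256; k=rsa; " '
    '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzoL8dvkfhm3xCpGxW8COUIgmw4r0PV/5GSUekCA8sLGPiqNh8//Jj4tFpLK6eUMacKYPbL4goUdRyTF5gqh/MdEWwafodZczELETRcp3a7mGdmM2nDhD6lk2Xtdf+nS+HWobYN18a3abNFchcF62LJWGTd4fwKV8gOIIuvTiakVxFuC7eIBUO+7m0JU0EnnivLUabphFSL3yV" '
    '"hEdpCD3csRGedSnG6+ocpZw25ll8/5f6WZnobU2d5KKqk7MVgOFXfuJMhdjmd6UvSGPaxR+/E+PsxQCU0f9vLG4R8fLPLh0ngNGGiyNYGHB5Sn8VxIrxqpH2pQKaJsfHLK/IgRJwIDAQAB"'
)

def parse_dkim_record(rdata):
    """Join the quoted character-strings of a TXT RDATA and split the result into DKIM tags."""
    txt = "".join(re.findall(r'"([^"]*)"', rdata))
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside a tag value is ignored
    return tags

def _der_len(buf, i):
    """Length and first content index of the DER element whose tag octet is buf[i]."""
    n = buf[i + 1]
    if n < 0x80:
        return n, i + 2
    k = n & 0x7F
    return int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + 2 + k

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag (k=rsa)."""
    der = base64.b64decode(p_b64, validate=True)
    _, i = _der_len(der, 0)            # SEQUENCE SubjectPublicKeyInfo
    alg_len, i = _der_len(der, i)      # SEQUENCE AlgorithmIdentifier (skipped)
    _, i = _der_len(der, i + alg_len)  # BIT STRING subjectPublicKey
    _, i = _der_len(der, i + 1)        # SEQUENCE RSAPublicKey, after the unused-bits octet
    mod_len, i = _der_len(der, i)      # INTEGER modulus
    return int.from_bytes(der[i:i + mod_len], "big").bit_length()

def check_dkim_record(rdata, min_bits=2048):
    """Problems with a published selector record; an empty list means it looks sound."""
    tags, problems = parse_dkim_record(rdata), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= tag: %s" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type: %s" % tags["k"])
    elif not tags.get("p"):
        problems.append("empty p= tag: key is revoked")
    else:
        bits = rsa_modulus_bits(tags["p"])
        if bits < min_bits:
            problems.append("RSA key is %d bits, below %d" % (bits, min_bits))
    return problems
```

The same function can be fed the output of `dig +short TXT mail._domainkey.data.beta.grandlyon.com` to confirm that what is actually served matches the key opendkim-genkey wrote to /etc/postfix/dkim/mail.txt.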

Remote API for Dockerd (-> Portainer)

cf. https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd