From 476ec250ca8f24486e8e8f9efaeb04be73c3ce09 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 21 Mar 2024 23:21:25 +0100
Subject: [PATCH] expose cyberchef deployment on k3s publicly
remove geokunis2.nl zone
---
.../roles/traefik/docker-stack.yml.j2 | 6 +++
docker_swarm/roles/traefik/services.yml | 4 ++
kubernetes/mysite.yaml | 53 +++++++++++++++++++
.../networking/dmz_services/default.nix | 15 ------
.../networking/dmz_services/dnsmasq.nix | 5 +-
.../dmz_services/zones/geokunis2.nl.nix | 41 --------------
.../networking/dmz_services/zones/kun.is.nix | 30 +++-------
7 files changed, 71 insertions(+), 83 deletions(-)
create mode 100644 kubernetes/mysite.yaml
delete mode 100644 nix/modules/networking/dmz_services/zones/geokunis2.nl.nix
diff --git a/docker_swarm/roles/traefik/docker-stack.yml.j2 b/docker_swarm/roles/traefik/docker-stack.yml.j2
index 70800cb..5ddc583 100644
--- a/docker_swarm/roles/traefik/docker-stack.yml.j2
+++ b/docker_swarm/roles/traefik/docker-stack.yml.j2
@@ -54,6 +54,12 @@ services: - traefik.http.routers.esrom.rule=Host(`esrom.kun.is`) - traefik.http.routers.esrom.tls=true - traefik.http.routers.esrom.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.k3s.entrypoints=websecure
+ - traefik.http.routers.k3s.service=k3s@file
+ - traefik.http.routers.k3s.rule=Host(`cyberchef.k3s.kun.is`)
+ - traefik.http.routers.k3s.tls=true
+ - traefik.http.routers.k3s.tls.certresolver=letsencrypt volumes: - type: bind source: /var/run/docker.sock
diff --git a/docker_swarm/roles/traefik/services.yml b/docker_swarm/roles/traefik/services.yml
index 9823a9b..8f75e2a 100644
--- a/docker_swarm/roles/traefik/services.yml
+++ b/docker_swarm/roles/traefik/services.yml
@@ -1,5 +1,9 @@ http: services:
+ k3s:
+ loadBalancer:
+ servers:
+ - url: http://jefke.dmz esrom: loadBalancer: servers:
diff --git a/kubernetes/mysite.yaml b/kubernetes/mysite.yaml
new file mode 100644
index 0000000..bad926b
--- /dev/null
+++ b/kubernetes/mysite.yaml
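Review bot: The new `k3s` router forwards exactly one host, `cyberchef.k3s.kun.is`, although its name and the `k3s@file` service read as a generic forward to the cluster, so the next k3s-hosted app will need either a second router or a widened rule and nothing in the template says which is intended. A comment above the new labels such as `# Public entry for the k3s cluster: TLS ends here, the request is handed to the k3s ingress (services.yml, service k3s)` would make that explicit. If one router per cluster is the intent, a `HostRegexp` matcher covering `*.k3s.kun.is` would let the cluster's own Ingress objects decide per host, provided each of them carries a `host` rule.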
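Review bot: The new `k3s` backend is reached over plain HTTP (`url: http://jefke.dmz`), so once the Swarm Traefik has terminated TLS for cyberchef.k3s.kun.is the request crosses the DMZ unencrypted; whether that is acceptable depends on how trusted that segment is, which the patch does not state. If the k3s ingress can terminate TLS itself, `url: https://jefke.dmz` together with a serversTransport that verifies its certificate keeps the path encrypted end to end. Since the ingress class in kubernetes/mysite.yaml is traefik, it is also worth confirming that the cluster-side Traefik accepts X-Forwarded-* headers only from this Swarm proxy's address, otherwise its access logs and any IP-based rules there will see the proxy rather than the caller.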
@@ -0,0 +1,53 @@
+---
+# https://opensource.com/article/20/3/kubernetes-traefik
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysite-cyberchef
+ labels:
+ app: mysite-cyberchef
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysite-cyberchef
+ template:
+ metadata:
+ labels:
+ app: mysite-cyberchef
+ spec:
+ containers:
+ - name: cyberchef
+ image: mpepping/cyberchef
+ ports:
+ - containerPort: 8000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysite-cyberchef-service
+spec:
+ selector:
+ app: mysite-cyberchef
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: mysite-cyberchef-ingress
+ annotations:
+ kubernetes.io/ingress.class: "traefik"
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: mysite-cyberchef-service
+ port:
+ number: 80
diff --git a/nix/modules/networking/dmz_services/default.nix b/nix/modules/networking/dmz_services/default.nix
index c9eb235..f0b8223 100644
--- a/nix/modules/networking/dmz_services/default.nix
+++ b/nix/modules/networking/dmz_services/default.nix
@@ -8,11 +8,6 @@ let name = "kunis-zone-file"; text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs)); };
-
- geokunis2nlZoneFile = pkgs.writeTextFile {
- name = "geokunis2nl-zone-file";
- text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix inputs));
- }; in { options.lab.networking.dmz.services.enable = lib.mkOption {
@@ -51,16 +46,6 @@ in file = kunisZoneFile; allowQuery = [ "any" ]; };
-
- "geokunis2.nl" = {
- master = true;
- file = geokunis2nlZoneFile;
- allowQuery = [ "any" ];
- slaves = [
- "87.253.155.96/27"
- "157.97.168.160/27"
- ];
- }; }; };
diff --git a/nix/modules/networking/dmz_services/dnsmasq.nix b/nix/modules/networking/dmz_services/dnsmasq.nix
index 258f392..239dc63 100644
--- a/nix/modules/networking/dmz_services/dnsmasq.nix
+++ b/nix/modules/networking/dmz_services/dnsmasq.nix
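Review bot: The Ingress at the end of the hunk has no `host` under `rules`, so it is a catch-all: any request that reaches the k3s ingress on path `/`, whatever its Host header, lands on cyberchef, even though the Swarm router only forwards `cyberchef.k3s.kun.is`. Adding `- host: cyberchef.k3s.kun.is` as the rule entry with the existing `http:` block nested under it keeps the two layers consistent and stops a later k3s app from colliding with this rule. `kubernetes.io/ingress.class` is a deprecated annotation for `networking.k8s.io/v1` Ingress objects; `spec: ingressClassName: traefik` is the supported form. The container image `mpepping/cyberchef` carries neither tag nor digest, so every rollout silently pulls whatever `latest` points at that day — pin it (a tag, ideally an `@sha256:` digest) and, since this pod is internet-facing, consider a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) and `resources` limits.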
@@ -23,7 +23,6 @@ in server = [ cfg.dmz.ipv4.router
- "/geokunis2.nl/${cfg.dmz.ipv4.services}" "/kun.is/${cfg.dmz.ipv4.services}" ];
@@ -44,7 +43,7 @@ in ]; address = [
- "/ns.pizzapim.nl/ns.geokunis2.nl/${cfg.dmz.ipv4.services}"
- "/ns.pizzapim.nl/ns.geokunis2.nl/${cfg.dmz.ipv6.services}"
+ "/ns.pizzapim.nl/${cfg.dmz.ipv4.services}"
+ "/ns.pizzapim.nl/${cfg.dmz.ipv6.services}" ]; }
diff --git a/nix/modules/networking/dmz_services/zones/geokunis2.nl.nix b/nix/modules/networking/dmz_services/zones/geokunis2.nl.nix
deleted file mode 100644
index a3563b1..0000000
--- a/nix/modules/networking/dmz_services/zones/geokunis2.nl.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, dns, ... }:
-with dns.lib.combinators;
-let
- cfg = config.lab.networking;
-in
-{
- SOA = {
- nameServer = "ns";
- adminEmail = "hostmaster@geokunis2.nl";
- serial = 2024020500;
- };
-
- NS = [
- "ns.geokunis2.nl."
- "ns0.transip.net."
- "ns1.transip.nl."
- "ns2.transip.eu."
- ];
-
- MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
-
- CAA = letsEncrypt "caa@geokunis2.nl";
-
- subdomains = {
- ns = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
-
- ns1 = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
-
- ns2 = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
-
- };
-}
diff --git a/nix/modules/networking/dmz_services/zones/kun.is.nix b/nix/modules/networking/dmz_services/zones/kun.is.nix
index a13c443..d609b64 100644
--- a/nix/modules/networking/dmz_services/zones/kun.is.nix
+++ b/nix/modules/networking/dmz_services/zones/kun.is.nix
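Review bot: The registrar-side delegation of geokunis2.nl is not addressed anywhere in the patch, and dropping the `ns.geokunis2.nl` entries from `address` in the second hunk means this host no longer answers for that name at all. The deleted zone file listed `ns.geokunis2.nl.` next to the TransIP name servers and the deleted BIND block allowed zone transfers to 87.253.155.96/27 and 157.97.168.160/27, so unless the delegation and the glue for ns.geokunis2.nl are also withdrawn at the registrar, resolvers will keep being sent to a server that no longer holds the zone, and the secondaries will serve the stale copy until its SOA expiry and then go lame. A one-line comment next to the remaining `/ns.pizzapim.nl/` entries, e.g. `# geokunis2.nl was decommissioned here; its delegation lives at the registrar`, would record that decision for the next reader.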
@@ -25,26 +25,12 @@ in (with spf; soft [ "include:spf.glasnet.nl" ]) ];
- subdomains = {
- "*" = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.dockerSwarm ];
- };
+ subdomains = rec {
+ "*" = host cfg.public.ipv4.router cfg.dmz.ipv6.dockerSwarm;
- ns = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
-
- ns1 = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
-
- ns2 = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.services ];
- };
+ ns = host cfg.public.ipv4.router cfg.dmz.ipv6.services;
+ ns1 = ns;
+ ns2 = ns; # Override because we don't support IPv6 for Git SSH. git = {
@@ -59,10 +45,7 @@ in }; # Override because wg is on opnsense so ipv6 differs from "cfg.dmz.ipv6.services"
- wg = {
- A = [ cfg.public.ipv4.router ];
- AAAA = [ cfg.dmz.ipv6.router ];
- };
+ wg = host cfg.public.ipv4.router cfg.dmz.ipv6.router; #for SMTP2GO to be able send emails from kun.is domain em670271 = {
@@ -76,6 +59,5 @@ in link = { CNAME = [ "track.smtp2go.net." ]; };
- }; }
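Review bot: The `};` removed in the last hunk looks like the one that closed `subdomains = rec {`: across the three hunks the patch removes five `{ … };` pairs and the old `subdomains = {` opener but adds only `subdomains = rec {`, so the new file ends with one closing brace fewer than the old one; unless the old file carried a stray `};` I cannot see from here, this will not evaluate, and a `nix eval` of the zone before deploying would settle it. The new `cyberchef.k3s.kun.is` name has no record of its own and is answered only by the `"*"` wildcard on the new `host cfg.public.ipv4.router cfg.dmz.ipv6.dockerSwarm` line, which is exactly why it reaches the Swarm Traefik; a comment such as `# *.k3s names are caught by this wildcard and proxied to k3s by the Swarm Traefik` would save the next reader the hunt. `host` itself is resolved outside the hunk, presumably from the `dns.lib.combinators` scope, so the rewrite is behaviour-preserving only if that helper emits the same A/AAAA pair as the removed attribute sets — worth a quick diff of the generated zone file.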