fix: working on infrastructure

Author: Dimy Jeannot

apps/workloads/private/event/v2alpha/event-multiplexer/spec.yaml

@@ -54,7 +54,7 @@ nebula:
   static_host_map:
     - '192.168.100.1'
   host:
-    - '192.168.100.1': ['144.202.30.222:4242']
+    - '192.168.100.1': ['45.63.49.173:4242']
   lighthouse:
     am_lighthouse: false
     interval: 60
@@ -73,6 +73,9 @@ nebula:
         proto: any
         host: any
   pki:
-    ca: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/ca.crt
-    cert: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/hosts/configuration-v2alpha-configuration.crt
-    key: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/hosts/configuration-v2alpha-configuration.key
+    ca: ../../../../../tmp/ca.crt
+    cert: ../../../../../tmp/local-1-event-v2alpha-event-multiplexer.crt
+    key: ../../../../../tmp/local-1-event-v2alpha-event-multiplexer.key
+#    ca: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/ca.crt
+#    cert: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/hosts/configuration-v2alpha-configuration.crt
+#    key: /Users/dimyjeannot/workspaces/jeannotcompany/ecosystem/.config/ca/hosts/configuration-v2alpha-configuration.key

apps/workloads/public/mesh/v2alpha/lighthouse/main.go

@@ -19,24 +19,24 @@ func main() {
 func run() error {
 	configStr := `
 tun:
-  user: true
-  disabled: true
-
-static_host_map:
-  '192.168.100.1': ['localhost:4242']
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
 
 listen:
   host: 0.0.0.0
   port: 4242
 
 lighthouse:
   am_lighthouse: true
-  interval: 60
-  hosts:
-    - '192.168.100.1'
 
 punchy:
   punch: true
+  respond: true
 
 firewall:
   outbound:

infrastructure/apps/workloads/private/event/v2alpha/event-multiplexer/README.md

@@ -3,6 +3,7 @@
 - Install Nebula client using TUN device
 - Route all traffic through TUN device except for what is on port 6477
 - Bind port 4222 to TUN device
+- Bind port 7999 to TUN device
 - Bind port 6477 to eth0 device
 
 run as nonroot

infrastructure/apps/workloads/private/event/v2alpha/event-multiplexer/cloud-init.go

@@ -28,6 +28,12 @@ write_files:
   - path: /etc/motd
     content: |
       Welcome to the Event Multiplexer!
+  - path: /etc/sysctl.d/99-disable-ipv6.conf
+    content: |
+      # Disable IPv6 on all interfaces
+      net.ipv6.conf.all.disable_ipv6 = 1
+      net.ipv6.conf.default.disable_ipv6 = 1
+      net.ipv6.conf.lo.disable_ipv6 = 1
   - content: |
       [Unit]
       Description=Event Multiplexer
@@ -151,14 +157,19 @@ packages:
 
 runcmd:
   - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
-  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+  - echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
   - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
   - echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
   - systemctl restart sshd
+  - sysctl --system
   - curl -L https://github.com/openecosystems/ecosystem/releases/download/apps-workloads-private-event-v2alpha-event-multiplexer/devel/apps-workloads-private-event-v2alpha-event-multiplexer_%s_Linux_x86_64.tar.gz | tar zx --strip-components=1 --directory /opt
   - chmod +x /opt/app
+  - setcap cap_net_admin=+pe /opt/app
   - sudo systemctl enable app.service
   - sudo systemctl start app.service
+  - ufw allow 6477/tcp
+  - ufw allow from 192.168.0.0/16 to any port 4222
+  - ufw allow from 192.168.0.0/16 to any port 7999
 
 `, key, _caCrt, _hostCrt, _hostKey, version)
 }

infrastructure/apps/workloads/private/event/v2alpha/event-multiplexer/sample-config.yaml

@@ -0,0 +1,54 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/host.crt
+  key: /etc/nebula/host.key
+static_host_map:
+  "192.168.100.1": ["45.63.49.173:4242"]
+lighthouse:
+  am_lighthouse: false
+  interval: 60
+  hosts:
+    - "192.168.100.1"
+listen:
+  host: 0.0.0.0
+  port: 4242
+punchy:
+  punch: true
+  respond: true
+relay:
+  am_relay: false
+  use_relays: false
+
+tun:
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
+
+logging:
+  level: info
+  format: text
+
+firewall:
+  outbound_action: drop
+  inbound_action: drop
+
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+
+  outbound:
+    - port: any
+      proto: any
+      host: any
+  inbound:
+    - port: any
+      proto: icmp
+      host: any
+    - port: any
+      proto: any
+      host: any

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/README.md

@@ -34,3 +34,20 @@ cat local-1-mesh-v2alpha-lighthouse.crt | pulumi config set hostCrt
 cat local-1-mesh-v2alpha-lighthouse.key | pulumi config set hostKey
 
 ./nebula-cert sign -name "configuration-v2alpha-configuration" -ip "192.168.100.9/24" -groups "connectors"
+
+
+
+# Enable CAP_NET for TUN device
+setcap cap_net_admin=+pe /opt/nebula
+
+
+## Disable IpV6
+vim /etc/sysctl.d/70-disable-ipv6.conf
+
+net.ipv6.conf.all.disable_ipv6 = 1
+
+sysctl -p -f /etc/sysctl.d/70-disable-ipv6.conf
+
+
+# Allow UDP on firewall
+ufw allow 4242/udp

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/cloud-init.go

@@ -28,6 +28,12 @@ write_files:
   - path: /etc/motd
     content: |
       Welcome to your Lighthouse!
+  - path: /etc/sysctl.d/99-disable-ipv6.conf
+    content: |
+      # Disable IPv6 on all interfaces
+      net.ipv6.conf.all.disable_ipv6 = 1
+      net.ipv6.conf.default.disable_ipv6 = 1
+      net.ipv6.conf.lo.disable_ipv6 = 1
   - content: |
       [Unit]
       Description=Lighthouse Service
@@ -74,14 +80,17 @@ packages:
 
 runcmd:
   - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
-  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+  - echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
   - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
   - echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
   - systemctl restart sshd
+  - sysctl --system
   - curl -L https://github.com/openecosystems/ecosystem/releases/download/apps-workloads-public-mesh-v2alpha-lighthouse/devel/apps-workloads-public-mesh-v2alpha-lighthouse_%s_Linux_x86_64.tar.gz | tar zx --strip-components=1 --directory /opt
   - chmod +x /opt/app
+  - setcap cap_net_admin=+pe /opt/app
   - sudo systemctl enable lighthouse.service
   - sudo systemctl start lighthouse.service
+  - ufw allow 4242/udp
 
 `, key, _caCrt, _hostCrt, _hostKey, version)
 }

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/sample-config.yaml

@@ -0,0 +1,49 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/host.crt
+  key: /etc/nebula/host.key
+lighthouse:
+  am_lighthouse: true
+listen:
+  host: 0.0.0.0
+  port: 4242
+punchy:
+  punch: true
+  respond: true
+relay:
+  am_relay: false
+  use_relays: false
+
+tun:
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
+
+logging:
+  level: debug
+  format: text
+
+firewall:
+  outbound_action: drop
+  inbound_action: drop
+
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+
+  outbound:
+    - port: any
+      proto: any
+      host: any
+  inbound:
+    - port: any
+      proto: icmp
+      host: any
+    - port: any
+      proto: any
+      host: any