20200726
From charlesreid1
Notes
network/domain/dns questions
- pod private wiki requires a domain
- that requires network interfaces and ip addresses to be set up
tinc
- installing tinc natively, whole point is to avoid fuss
- doesn't feel particularly secure, but it's all public/private key infra, soooo
- tinc is more limited, requires clients to have tinc installed and keys copied
- to get around that, create dorky socks proxy server that handles traffic to the wiki
bespin setup:
- bespin runs own dns server
- bespin.charles points to itself
- bespin.charles/wiki is wiki endpoint
- bespin connects to dorky via tinc, 10.6.0.10
- bespin has a self-signed ssl certificate for bespin.charles
dorky setup:
- dorky has a dns server bound to tinc interface - tinc dnsmasq
- dorky.charles points to itself
- dorky gets connection from bespin via tinc, 10.6.0.1
- dorky has a charlesreid1.party certificate
- dorky runs a socks server
- dorky forwards packets between socks tunnel and tinc tunnel
- dns requests forwarded thru socks tunnel are handled by tinc dnsmasq
Tinc on bespin and dorky
On bespin (behind NAT):
$ cd /etc/tinc/master
$ cat tinc.conf
Name = bespin
AddressFamily = any
Mode = switch
ConnectTo = dorky
$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0
$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ ls hosts/
bespin dorky
On dorky (public IP):
$ cd /etc/tinc/master
$ cat tinc.conf
Name = dorky
AddressFamily = any
Mode = switch
$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0
$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down
$ ls hosts/
bespin dorky
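The two sides above only work if they agree with each other (same subnet, every peer's key in hosts/, at least one side with ConnectTo) and with the dnsmasq records added later. As an added check that is not part of the original notes, here is a small Python validator that parses both nodes' tinc.conf and tinc-up, flags the usual mismatches, and derives the address=/ lines for charles.conf. The node names and addresses are the ones from this page; the file contents are embedded as constructed strings rather than read from /etc/tinc.

```python
import ipaddress
import re

def parse_tinc_conf(text):
    """Parse the 'Key = Value' lines of a tinc.conf into a dict (comments ignored)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_tinc_up(text):
    """Pull the tunnel address and netmask out of the ifconfig line in tinc-up."""
    m = re.search(r"ifconfig\s+\$INTERFACE\s+(\S+)\s+netmask\s+(\S+)", text)
    if not m:
        raise ValueError("tinc-up has no 'ifconfig $INTERFACE <ip> netmask <mask>' line")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")

def check_mesh(nodes):
    """nodes: name -> {'conf': tinc.conf, 'up': tinc-up, 'hosts': names in hosts/}; returns problems."""
    parsed = {n: (parse_tinc_conf(d["conf"]), parse_tinc_up(d["up"])) for n, d in nodes.items()}
    problems = []
    if len({iface.network for _, iface in parsed.values()}) != 1:
        problems.append("tunnel addresses do not share one subnet")
    for name, (conf, _) in parsed.items():
        if conf.get("Name") != name:
            problems.append(f"{name}: Name = {conf.get('Name')!r} does not match the node name")
        target = conf.get("ConnectTo")
        if target and target not in nodes:
            problems.append(f"{name}: ConnectTo = {target} is not a node in this mesh")
        for peer in nodes:  # each node needs every peer's host file, which carries its public key
            if peer not in nodes[name]["hosts"]:
                problems.append(f"{name}: hosts/{peer} is missing, so {peer}'s key is unknown")
    if not any(conf.get("ConnectTo") for conf, _ in parsed.values()):
        problems.append("no node has ConnectTo, so neither side ever dials the other")
    return problems

def dnsmasq_records(nodes, domain="charles"):
    """Derive the dnsmasq address=/ lines (the charles.conf entries) from each tinc-up."""
    return [f"address=/{n}.{domain}/{parse_tinc_up(d['up']).ip}" for n, d in nodes.items()]

# Constructed sample reproducing the two configs on this page (not read from a real /etc/tinc)
UP = "#!/bin/sh\nifconfig $INTERFACE {} netmask 255.255.0.0\n"
NODES = {
    "bespin": {"conf": "Name = bespin\nAddressFamily = any\nMode = switch\nConnectTo = dorky\n",
               "up": UP.format("10.6.0.10"), "hosts": ["bespin", "dorky"]},
    "dorky": {"conf": "Name = dorky\nAddressFamily = any\nMode = switch\n",
              "up": UP.format("10.6.0.1"), "hosts": ["bespin", "dorky"]},
}
```

Running check_mesh(NODES) on the page's pair returns no problems; dropping hosts/dorky from bespin, or the ConnectTo line, produces a one-line report naming the gap.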
Bespin
Bespin DNS server
Bespin is running its own DNS server - PiHole in a docker container.
This needs a new DNS record, so bespin.charles will point to bespin's tinc IP address, 10.6.0.10.
Adding custom DNS entries to PiHole: https://github.com/pi-hole/pi-hole/issues/975#issuecomment-281027117
Open a shell in the PiHole container. Create a new dnsmasq configuration file with the following contents:
/etc/dnsmasq.d/charles.conf
address=/bespin.charles/10.6.0.10
address=/dorky.charles/10.6.0.1
To do this with commands:
$ docker exec -it e0dedd5f8129 /bin/bash
# echo "address=/bespin.charles/10.6.0.10" > /etc/dnsmasq.d/charles.conf
# echo "address=/dorky.charles/10.6.0.1" >> /etc/dnsmasq.d/charles.conf
Restart the container:
sudo systemctl restart pihole
Test that it works by doing a dig lookup of bespin.charles, specifying the pihole as the DNS server:
dig bespin.charles @127.53.0.1
Bespin tinc connection to dorky
Ensure this is okay by pinging other side of tunnel. From 10.6.0.10:
ping 10.6.0.1
and vice versa.
Bespin self-signed SSL cert
To create a self-signed certificate for bespin.charles:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned-cert.key -out /etc/ssl/certs/selfsigned-cert.crt
Breakdown:
- using the openssl tool
- x509: output a self-signed certificate directly instead of a certificate signing request
- nodes means skip passphrase protection on the key
- days is the number of days the certificate is valid
- newkey rsa:2048 generates a fresh 2048-bit RSA key
- keyout is the output file for the key
- out is the output file for the cert
- no subject is given, so openssl prompts for it; the Common Name should be bespin.charles so the cert matches the hostname it is served from
Now we are ready to set up the private wiki container.
Thing 1
stock image wpa supplicant
stock ubuntu rpi image, populated wpa supplicant
no response, no ip. checked the logs. it was trying to get an ip of 169.254.x.y???
disable dhcpcd
removed dhcpcd service
but now we won't get an ip on wlan0
to fix that, enable the rc.local service
call dhclient from the rc.local file
/etc/rc.local
sleep 3
dhclient wlan0
exit 0
enabled wpa supplicant in the network interfaces file (b/c dhcpcd disabled, we can use /etc/network/interfaces):
/etc/network/interfaces
source-directory /etc/network/interfaces.d
allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
this worked. amazing.
MediaWiki fix
ran into a problem with the mediawiki container - the database was not being restored so it had no structure
had to add mw-config directory from mw tarball
also had to set up alias for /wiki/mw-config in apache config file
finally able to download the file (it was adding :8989 to end)
had to use bespin.cloud - https only via nginx, no cert for ip addr