create wireguard mesh and deploy surrealdb

README.md

@@ -3,5 +3,6 @@
 This repository has various deployment examples of real world software to the DeTEE network. The examples currently include:
 - [Gitea on DeTEE](https://gitea.detee.cloud/general/examples/src/branch/master/gitea/deploy_gitea.sh) - A small bash script that deploys a Gitea server (just like this one) to a VM on DeTEE
 - [Ansible Postgres](https://gitea.detee.cloud/general/examples/src/branch/master/ansible-postgres) - Deploy a Postgres DB and a read replica via Ansible to two DeTEE VMs.
-- [Wireguard Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind VPN, by leveraging VM deployments on DeTEE.
+- [Wireguard DMZ](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind WireGuard VPN, by leveraging VM deployments on DeTEE.
+- [Overlay Network](https://gitea.detee.cloud/general/examples/src/branch/master/overlay-network) - Automated deployment of an encrypted network overlay (full-mesh between VMs).
 - [Kubernetes (k3s)](https://gitea.detee.cloud/general/examples/src/branch/master/kubernetes) - Use k3s to deploy 5 Kubernetes nodes to DeTEE VMs, forming a small cluster.

overlay-network/README.md

@@ -0,0 +1,15 @@
+# Overlay Network
+
+These scripts allow you to create an overlay network on top of DeTEE VMs. These
+VMs do not need a public IP, however they require an extra port to be
+forwarded. Every VM in the network will get an IP in the subnet `10.254.254.0/24`.
+
+The VMs will be connected in a full-mesh topology, meaning each VM can
+communicate with each other VM directly. Here is a graphical representation of a
+full mesh from wikipedia: https://en.wikipedia.org/wiki/File:FullMeshNetwork.svg
+
+To create the VMs, run `./create_vms.sh`.
+
+To deploy the network overlay, run `./setup_wg_mesh.sh`. This will create an
+overlay on top of all the VMs created previously using the `./create_vms.sh`
+script, assigning IPs in alphabetical order.

overlay-network/create_vms.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/vms
+
+for vm_config in vm_configs/*; do
+  vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+  detee-cli vm deploy --from-yaml $vm_config > tmp/vms/${vm_name}_install.yaml &&
+    echo "The VM $vm_name got created." &
+done
+
+wait

overlay-network/setup_wg_mesh.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/wg
+mkdir -p tmp/logs
+rm tmp/vms/*inspect.yaml
+vms=()
+
+# inspect VMs
+for vm_config in $(grep -r uuid: tmp/vms/ | awk '{ print $2}'); do
+  vm_id=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+  detee-cli vm inspect $vm_id > tmp/vms/${vm_id}_inspect.yaml
+  vm_name=$(grep 'hostname: ' tmp/vms/${vm_id}_inspect.yaml |
+    awk '{ print $2 }')
+  mv tmp/vms/${vm_id}_inspect.yaml tmp/vms/${vm_name}_inspect.yaml
+done
+
+# define VM object
+vm_count=0
+new_vm() {
+  (( vm_count++ )) || true
+  local vm_name="$1"
+  local vm_id="vm$vm_count"
+
+  local vm_install_data="tmp/vms/${vm_name}_install.yaml"
+  local vm_inspect_data="tmp/vms/${vm_name}_inspect.yaml"
+
+  vm_node_ip=$(grep 'ip: ' $vm_install_data | awk '{ print $2 }')
+  vm_port=$(grep exposed_ports -A 1 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+  wg_privkey=$(wg genkey)
+  wg_pubkey=$(echo $wg_privkey | wg pubkey)
+
+  declare -gA "$vm_id"
+  eval "$vm_id[id]=$vm_count"
+  eval "$vm_id[name]=$vm_name"
+  eval "$vm_id[port]=$vm_port"
+  eval "$vm_id[node_ip]=$vm_node_ip"
+  eval "$vm_id[private_ip]=10.254.254.$vm_count"
+  eval "$vm_id[wg_priv]=$wg_privkey"
+  eval "$vm_id[wg_pub]=$wg_pubkey"
+
+  vms+=("$vm_id")
+}
+
+# loops over all VMs
+for vm_install_file in tmp/vms/*_install.yaml; do
+  vm_name=$(echo $vm_install_file | cut -d '/' -f3 | cut -d '_' -f1)
+  new_vm $vm_name
+done
+
+# loops over all VMs in array
+for main_vm_loop in "${vms[@]}"; do
+  declare -n main_vm_ref="$main_vm_loop"
+  wg_file="tmp/wg/${main_vm_ref[name]}.ini"
+  {
+    echo "[Interface]"
+    echo "Address = "${main_vm_ref[private_ip]}" "
+    echo "PrivateKey = "${main_vm_ref[wg_priv]}" "
+    echo "ListenPort = 22"
+  } > ${wg_file}
+
+  for inner_vm_loop in "${vms[@]}"; do
+    declare -n inner_vm_ref="$inner_vm_loop"
+    [[ "${inner_vm_ref[id]}" == "${main_vm_ref[id]}" ]] && continue
+    {
+      echo
+      echo "[Peer]"
+      echo "PublicKey = ${inner_vm_ref[wg_pub]}"
+      echo "Endpoint = ${inner_vm_ref[node_ip]}:${inner_vm_ref[port]}"
+      echo "AllowedIPs = ${inner_vm_ref[private_ip]}"
+      echo "PersistentKeepalive = 25"
+    } >> ${wg_file}
+  done
+  echo WireGuard config written to ${wg_file}
+
+  ssh="ssh -p ${main_vm_ref[port]} root@${main_vm_ref[node_ip]}"
+  $ssh pacman -Syu --noconfirm > tmp/logs/${main_vm_ref[name]}.log 2>&1
+  $ssh pacman -S wireguard-tools --needed --noconfirm >> tmp/logs/${main_vm_ref[name]}.log 2>&1
+  echo Packages installed for ${main_vm_ref[name]}
+
+  # TODO: make this reboot persistant
+  $ssh sysctl -w net.ipv4.conf.all.forwarding=1 > /dev/null
+  cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf > /dev/null
+  $ssh wg-quick down brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+  $ssh wg-quick up brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+  echo WireGuard started on ${main_vm_ref[name]}
+done

overlay-network/vm_configs/template-1.yaml

@@ -0,0 +1,10 @@
+hostname: template-1
+hours: 2
+price: 20000
+location:
+  country: "FR"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60

overlay-network/vm_configs/template-2.yaml

@@ -0,0 +1,10 @@
+hostname: template-2
+hours: 2
+price: 20000
+location:
+  country: "GB"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60

overlay-network/vm_configs/template-3.yaml

@@ -0,0 +1,10 @@
+hostname: template-3
+hours: 2
+price: 20000
+location:
+  country: "US"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60

overlay-network/vm_configs/template-n.yaml

@@ -0,0 +1,10 @@
+hostname: template-n
+hours: 2
+price: 20000
+location:
+  country: "US"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60

overlay-network/vm_configs/template-x.yaml

@@ -0,0 +1,10 @@
+hostname: template-x
+hours: 2
+price: 20000
+location:
+  country: "FR"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60

surrealdb_tikv_prod/README.md

@@ -0,0 +1,6 @@
+# Production SurrealDB setup with TiKV
+
+This repo uses the [WireGuard
+Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion)
+under the hood to protect the DataBase nodes, as TLS is not fully supported for
+SurrealDB + TiKV.

surrealdb_tikv_prod/deploy_nodes.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/
+
+rm -rf tmp/overlay-network
+cp -r ../overlay-network tmp/
+rm -rf tmp/overlay-network/tmp
+cd tmp/overlay-network/vm_configs
+find . -maxdepth 1 -type f ! -name 'template-n.yaml' -exec rm -- '{}' +
+
+setup_vm () {
+  vm_name="$1"
+  cp template-n.yaml $vm_name.yaml
+  sed -i "s/template-n/$vm_name/" $vm_name.yaml
+  sed -i '/PublishPorts/d' $vm_name.yaml
+  echo "ipv4: !PublishPorts [ 31337 ]" >> $vm_name.yaml
+}
+
+setup_vm brain-1
+setup_vm brain-2
+setup_vm brain-3
+setup_vm brain-bastion
+setup_vm brain-mon
+rm template-n.yaml