diff --git a/README.md b/README.md
index 05dfdea..b392199 100644
--- a/README.md
+++ b/README.md
@@ -3,5 +3,6 @@ This repository has various deployment examples of real world software to the DeTEE network. The examples currently include:
 - [Gitea on DeTEE](https://gitea.detee.cloud/general/examples/src/branch/master/gitea/deploy_gitea.sh) - A small bash script that deploys a Gitea server (just like this one) to a VM on DeTEE
 - [Ansible Postgres](https://gitea.detee.cloud/general/examples/src/branch/master/ansible-postgres) - Deploy a Postgres DB and a read replica via Ansible to two DeTEE VMs.
-- [Wireguard Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind VPN, by leveraging VM deployments on DeTEE.
+- [Wireguard DMZ](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind WireGuard VPN, by leveraging VM deployments on DeTEE.
+- [Overlay Network](https://gitea.detee.cloud/general/examples/src/branch/master/overlay-network) - Automated deployment of an encrypted network overlay (full-mesh between VMs).
 - [Kubernetes (k3s)](https://gitea.detee.cloud/general/examples/src/branch/master/kubernetes) - Use k3s to deploy 5 Kubernetes nodes to DeTEE VMs, forming a small cluster.
diff --git a/overlay-network/README.md b/overlay-network/README.md
new file mode 100644
index 0000000..7f45e39
--- /dev/null
+++ b/overlay-network/README.md
@@ -0,0 +1,15 @@
+# Overlay Network
+
+These scripts allow you to create an overlay network on top of DeTEE VMs. These
+VMs do not need a public IP, however they require an extra port to be
+forwarded. Every VM in the network will get an IP in the subnet `10.254.254.0/24`.
+
+The VMs will be connected in a full-mesh topology, meaning each VM can
+communicate with each other VM directly. Here is a graphical representation of a
+full mesh from wikipedia: https://en.wikipedia.org/wiki/File:FullMeshNetwork.svg
+
+To create the VMs, run `./create_vms.sh`.
+
+To deploy the network overlay, run `./setup_wg_mesh.sh`. This will create an
+overlay on top of all the VMs created previously using the `./create_vms.sh`
+script, assigning IPs in alphabetical order.
diff --git a/overlay-network/create_vms.sh b/overlay-network/create_vms.sh
new file mode 100755
index 0000000..1037887
--- /dev/null
+++ b/overlay-network/create_vms.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/vms
+
+for vm_config in vm_configs/*; do
+ vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+ detee-cli vm deploy --from-yaml $vm_config > tmp/vms/${vm_name}_install.yaml &&
+ echo "The VM $vm_name got created." &
+done
+
+wait
diff --git a/overlay-network/setup_wg_mesh.sh b/overlay-network/setup_wg_mesh.sh
new file mode 100755
index 0000000..a8f7c45
--- /dev/null
+++ b/overlay-network/setup_wg_mesh.sh
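Review bot: A failed `detee-cli vm deploy` in the backgrounded loop is never reported — `set -e` does not apply to background jobs and a bare `wait` returns 0 regardless of the children's status, so the script can finish silently with a truncated or empty `tmp/vms/<name>_install.yaml`, which `setup_wg_mesh.sh` then skips when it greps for `uuid:` and the VM quietly ends up outside the mesh. Record each job's pid and `wait` on it individually, failing the script if any deploy failed; while there, quote `$vm_config` and the redirect target so a config path with spaces does not word-split. Also, `cd $script_dir` runs before `set -e`, so a failed `cd` is ignored — `cd "$script_dir" || exit 1` closes that gap.
```shell
# … unchanged: script_dir / cd / set -e / FORMAT / mkdir …
declare -A job_name=()
for vm_config in vm_configs/*; do
  vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
  { detee-cli vm deploy --from-yaml "$vm_config" > "tmp/vms/${vm_name}_install.yaml" &&
    echo "The VM $vm_name got created."; } &
  job_name[$!]="$vm_name"
done

rc=0
for pid in "${!job_name[@]}"; do
  wait "$pid" || { rc=1; echo "deploy of ${job_name[$pid]} failed" >&2; }
done
exit "$rc"
```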
@@ -0,0 +1,89 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/wg
+mkdir -p tmp/logs
+rm tmp/vms/*inspect.yaml || true
+vms=()
+
+# inspect VMs
+for vm_config in $(grep -r uuid: tmp/vms/ | awk '{ print $2}'); do
+ vm_id=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+ detee-cli vm inspect $vm_id > tmp/vms/${vm_id}_inspect.yaml
+ vm_name=$(grep 'hostname: ' tmp/vms/${vm_id}_inspect.yaml |
+ awk '{ print $2 }')
+ mv tmp/vms/${vm_id}_inspect.yaml tmp/vms/${vm_name}_inspect.yaml
+done
+
+# define VM object
+vm_count=0
+new_vm() {
+ (( vm_count++ )) || true
+ local vm_name="$1"
+ local vm_id="vm$vm_count"
+
+ local vm_install_data="tmp/vms/${vm_name}_install.yaml"
+ local vm_inspect_data="tmp/vms/${vm_name}_inspect.yaml"
+
+ vm_node_ip=$(grep 'ip: ' $vm_install_data | awk '{ print $2 }')
+ vm_port=$(grep exposed_ports -A 1 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+ wg_privkey=$(wg genkey)
+ wg_pubkey=$(echo $wg_privkey | wg pubkey)
+
+ declare -gA "$vm_id"
+ eval "$vm_id[id]=$vm_count"
+ eval "$vm_id[name]=$vm_name"
+ eval "$vm_id[port]=$vm_port"
+ eval "$vm_id[node_ip]=$vm_node_ip"
+ eval "$vm_id[private_ip]=10.254.254.$vm_count"
+ eval "$vm_id[wg_priv]=$wg_privkey"
+ eval "$vm_id[wg_pub]=$wg_pubkey"
+
+ vms+=("$vm_id")
+}
+
+# loops over all VMs
+for vm_install_file in tmp/vms/*_install.yaml; do
+ vm_name=$(echo $vm_install_file | cut -d '/' -f3 | cut -d '_' -f1)
+ new_vm $vm_name
+done
+
+# loops over all VMs in array
+for main_vm_loop in "${vms[@]}"; do
+ declare -n main_vm_ref="$main_vm_loop"
+ wg_file="tmp/wg/${main_vm_ref[name]}.ini"
+ {
+ echo "[Interface]"
+ echo "Address = "${main_vm_ref[private_ip]}" "
+ echo "PrivateKey = "${main_vm_ref[wg_priv]}" "
+ echo "ListenPort = 22"
+ } > ${wg_file}
+
+ for inner_vm_loop in "${vms[@]}"; do
+ declare -n inner_vm_ref="$inner_vm_loop"
+ [[ "${inner_vm_ref[id]}" == "${main_vm_ref[id]}" ]] && continue
+ {
+ echo
+ echo "[Peer]"
+ echo "PublicKey = ${inner_vm_ref[wg_pub]}"
+ echo "Endpoint = ${inner_vm_ref[node_ip]}:${inner_vm_ref[port]}"
+ echo "AllowedIPs = ${inner_vm_ref[private_ip]}"
+ echo "PersistentKeepalive = 25"
+ } >> ${wg_file}
+ done
+ echo WireGuard config written to ${wg_file}
+
+ ssh="ssh -p ${main_vm_ref[port]} root@${main_vm_ref[node_ip]}"
+ $ssh pacman -Syu --noconfirm > tmp/logs/${main_vm_ref[name]}.log 2>&1
+ $ssh pacman -S wireguard-tools --needed --noconfirm >> tmp/logs/${main_vm_ref[name]}.log 2>&1
+ echo Packages installed for ${main_vm_ref[name]}
+
+ # TODO: make this reboot persistant
+ $ssh sysctl -w net.ipv4.conf.all.forwarding=1 > /dev/null
+ cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf > /dev/null
+ $ssh wg-quick down brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+ $ssh wg-quick up brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+ echo WireGuard started on ${main_vm_ref[name]}
+done
diff --git a/overlay-network/vm_configs/template-1.yaml b/overlay-network/vm_configs/template-1.yaml
new file mode 100644
index 0000000..8afd05f
--- /dev/null
+++ b/overlay-network/vm_configs/template-1.yaml
@@ -0,0 +1,10 @@
+hostname: template-1
+hours: 2
+price: 20000
+location:
+ country: "FR"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-2.yaml b/overlay-network/vm_configs/template-2.yaml
new file mode 100644
index 0000000..cfdfa7d
--- /dev/null
+++ b/overlay-network/vm_configs/template-2.yaml
@@ -0,0 +1,10 @@
+hostname: template-2
+hours: 2
+price: 20000
+location:
+ country: "GB"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-3.yaml b/overlay-network/vm_configs/template-3.yaml
new file mode 100644
index 0000000..d79625c
--- /dev/null
+++ b/overlay-network/vm_configs/template-3.yaml
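Review bot: Every VM's WireGuard private key is generated on the operator host and ends up readable by other local users on both sides: `tmp/wg/<name>.ini` is created through `>` under the caller's umask, the `cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf` step creates the remote file under root's umask (typically 0644, which wg-quick only warns about), and the `.ini` files holding every peer's key stay in `tmp/` after the run. The minimal fix is `umask 077` right after `set -e` plus writing the remote file with `$ssh 'umask 077; cat > /etc/wireguard/brain.conf' < "${wg_file}"`; generating the key on the VM (after the wireguard-tools install, e.g. `$ssh wg genkey`) and pulling back only the public key would keep private keys off the operator machine entirely. Separately, `$ssh wg-quick up brain ... || true` swallows a failed bring-up and the script still prints "WireGuard started", so a node can silently stay outside the mesh — drop the `|| true` on the `up` call (keep it on `down`) so `set -e` aborts the run. Finally, `net.ipv4.conf.all.forwarding=1` looks unnecessary in a full mesh where each peer is reached directly via a single-address `AllowedIPs` and it turns every VM into a router; rather than making it reboot-persistent as the TODO suggests, drop it unless some VM is meant to route for others.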
@@ -0,0 +1,10 @@
+hostname: template-3
+hours: 2
+price: 20000
+location:
+ country: "US"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-n.yaml b/overlay-network/vm_configs/template-n.yaml
new file mode 100644
index 0000000..f03e326
--- /dev/null
+++ b/overlay-network/vm_configs/template-n.yaml
@@ -0,0 +1,10 @@
+hostname: template-n
+hours: 2
+price: 20000
+location:
+ country: "US"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-x.yaml b/overlay-network/vm_configs/template-x.yaml
new file mode 100644
index 0000000..14b5f83
--- /dev/null
+++ b/overlay-network/vm_configs/template-x.yaml
@@ -0,0 +1,10 @@
+hostname: template-x
+hours: 2
+price: 20000
+location:
+ country: "FR"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/surrealdb_tikv_prod/README.md b/surrealdb_tikv_prod/README.md
new file mode 100644
index 0000000..32db1c7
--- /dev/null
+++ b/surrealdb_tikv_prod/README.md
@@ -0,0 +1,6 @@
+# Production SurrealDB setup with TiKV
+
+This repo uses the [WireGuard
+Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion)
+under the hood to protect the DataBase nodes, as TLS is not fully supported for
+SurrealDB + TiKV.
diff --git a/surrealdb_tikv_prod/deploy_nodes.sh b/surrealdb_tikv_prod/deploy_nodes.sh
new file mode 100755
index 0000000..e5e3be8
--- /dev/null
+++ b/surrealdb_tikv_prod/deploy_nodes.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/
+
+rm -rf tmp/overlay-network
+cp -r ../overlay-network tmp/
+rm -rf tmp/overlay-network/tmp
+cd tmp/overlay-network/vm_configs
+find . -maxdepth 1 -type f ! -name 'template-n.yaml' -exec rm -- '{}' +
+
+setup_vm () {
+ vm_name="$1"
+ cp template-n.yaml $vm_name.yaml
+ sed -i "s/template-n/$vm_name/" $vm_name.yaml
+ sed -i '/PublishPorts/d' $vm_name.yaml
+ echo "ipv4: !PublishPorts [ 31337 ]" >> $vm_name.yaml
+}
+
+setup_vm brain-1
+setup_vm brain-2
+setup_vm brain-3
+setup_vm brain-bastion
+setup_vm brain-mon
+rm template-n.yaml
+
+cd ../
+./create_vms.sh
+./setup_wg_mesh.sh
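Review bot: `rm -rf tmp/overlay-network`, `rm -rf tmp/overlay-network/tmp` and the `find ... -exec rm` all run relative to the working directory, but the `cd $script_dir` above them is unchecked and `set -e` is only switched on afterwards, so if that `cd` fails the deletions run in whatever directory the caller started from. Use `cd "$script_dir" || exit 1` (the same cd-then-set-e order appears in `create_vms.sh` and `setup_wg_mesh.sh`) and anchor the destructive paths, e.g. `rm -rf -- "${script_dir:?}/tmp/overlay-network"`. Inside `setup_vm`, `vm_name="$1"` should be `local vm_name="$1"`, and `$vm_name.yaml` in the `cp`/`sed` calls should be quoted. Also worth stating in the README next to this script: the published port 31337 appears to map to the VM's port 22 (the port `setup_wg_mesh.sh` uses for both SSH and the WireGuard `ListenPort`), so root SSH on the database nodes remains reachable from the Internet — the overlay protects the TiKV/SurrealDB traffic, not the management plane. That README also links the `wireguard-bastion` example while this script copies `../overlay-network`; one of the two should be corrected.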