updated tailscale

README.md

@@ -2,13 +2,5 @@
 
 How I put my very own personal servers online, for free.
 
-Details at [the blog post](http://ralsina.me/weblog/posts/the-cheapest-server.html)
-
-When adding a new hostname, remember to create a cert for it using
-`flyctl certs create hostname`
-
-Every 90 days the tailscale auth key will expire and you need to set a new one as
-a secret.
-
-* Create the new one at https://login.tailscale.com/admin/settings/keys
-* Configure it using flyctl secrets set TAILSCALE_AUTHKEY={{PASTEKEYHERE}}
+* The reverse proxy setup is in `reverse_proxy/`
+* The ansible playbooks to setup the actual server are in `provision-pinky`

nginx.conf

@@ -1,89 +0,0 @@
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name home.ralsina.me;
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:8080;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}
-
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name git.ralsina.me;
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:3000;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 403 404 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}
-
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name faas.ralsina.me;
-
-  add_header 'Access-Control-Allow-Origin' '*';
-  add_header 'Access-Control-Allow-Headers' '*';
-  add_header 'Access-Control-Allow-Credentials' 'true';
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:8082;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 403 404 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}
-
-# server {
-  # listen 8080;
-  # listen [::]:8080;
-
-  # server_name hass.ralsina.me;
-
-  # location / {
-      # proxy_pass http://pinky.ralsina.github.beta.tailscale.net:8123;
-      # proxy_set_header X-Forwarded-Host $http_host;
-
-      # WebSocket support
-      # proxy_http_version 1.1;
-      # proxy_set_header Upgrade $http_upgrade;
-      # proxy_set_header Connection "upgrade";
-  # }
-# }
-
-# server {
-  # listen 8080;
-  # listen [::]:8080;
-
-  # server_name social.ralsina.me;
-
-  # location / {
-      # proxy_pass http://pinky.ralsina.github.beta.tailscale.net:3003;
-      # proxy_set_header X-Forwarded-Host $http_host;
-
-      # # WebSocket support
-      # proxy_http_version 1.1;
-      # proxy_set_header Upgrade $http_upgrade;
-      # proxy_set_header Connection "upgrade";
-  # }
-# }
-

provision-pinky/.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "ansible.python.interpreterPath": "/usr/bin/python"
+}

provision-pinky/firecracker.yml

@@ -0,0 +1,57 @@
+# Setup Firecracker for VMs
+- name: Firecracker
+  hosts: servers
+  become_method: ansible.builtin.sudo
+  become: true
+  tasks:
+    - name: Get firecracker
+      become: false
+      ansible.builtin.get_url:
+        url: https://github.com/firecracker-microvm/firecracker/releases/download/v1.7.0/firecracker-v1.7.0-aarch64.tgz
+        dest: ~ralsina/firecracker.tgz
+        mode: '0644'
+    - name: Get kernel
+      become: false
+      ansible.builtin.get_url:
+        url: https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/aarch64/kernels/vmlinux.bin
+        dest: ~ralsina/vmlinux.bin
+        mode: '0644'
+    - name: Get root image
+      become: false
+      ansible.builtin.get_url:
+        url: https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/aarch64/rootfs/bionic.rootfs.ext4
+        dest: ~ralsina/bionic.rootfs.ext4
+        mode: '0644'
+    - name: Unpack firecracker
+      become: false
+      ansible.builtin.unarchive:
+        src: ~ralsina/firecracker.tgz
+        dest: ~ralsina
+        remote_src: true
+    - name: Install firecracker
+      become: true
+      ansible.builtin.command:
+        cmd: mv /home/ralsina/release-v1.7.0-aarch64/firecracker-v1.7.0-aarch64 /usr/bin/firecracker
+        creates: /usr/bin/firecracker
+    - name: Setup systemd unit for firecracker
+      become: true
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/firecracker.service
+        content: |
+          [Unit]
+          Description=Firecracker VM Manager
+
+          [Service]
+          Type=simple
+          ExecStart=/usr/bin/firecracker --api-sock /tmp/firecracker.socket
+          Restart=always
+
+          [Install]
+          WantedBy=default.target
+        mode: '0644'
+    - name: Start and enable service
+      become: true
+      ansible.builtin.service:
+        name: firecracker
+        state: started
+        enabled: true

provision-pinky/hosts

@@ -0,0 +1,16 @@
+[servers]
+pinky 
+rocky
+
+[faas]
+lawn
+
+[interactive]
+pinky
+rocky
+lawn
+
+[all:vars]
+ansible_user=ralsina
+ansible_connection=ssh
+ansible_python_interpreter=/usr/bin/python3

provision-pinky/server.yml

@@ -0,0 +1,54 @@
+# Setup basic server stuff
+- name: Basic Server Setup
+  hosts: servers
+  become_method: ansible.builtin.sudo
+  tasks:
+    - name: Install some packages
+      become: true
+      ansible.builtin.package:
+        name:
+          - docker
+          - docker-compose
+          - btrfs-progs
+          - qemu-system-arm
+          - qemu-utils
+        state: present
+    - name: Install Debian-specific packages
+      become: true
+      when: ansible_os_family == 'Debian'
+      ansible.builtin.apt:
+        name:
+          - qemu-efi-aarch64
+          - net-tools
+        state: present
+    - name: Start and enable service docker
+      become: true
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+    - name: Add ralsina to docker group
+      become: true
+      ansible.builtin.user:
+        name: ralsina
+        groups: docker
+        append: true
+    - name: Configure Docker
+      become: true
+      ansible.builtin.copy:
+        dest: /etc/docker/daemon.json
+        mode: '0644'
+        content: |
+          {
+            "data-root": "/data/docker"
+          }
+      notify:
+        - Restart Docker
+
+  handlers:
+    - name: Restart Docker
+      become: true
+      ansible.builtin.service:
+        name: docker
+        state: restarted
+ 

provision-pinky/setup_user.yml

@@ -0,0 +1,68 @@
+# Setup my user with some QoL packages and settings
+- name: Basic Setup
+  hosts: interactive
+  become_method: ansible.builtin.sudo
+  tasks:
+    - name: Install some packages
+      become: true
+      ansible.builtin.package:
+        name:
+          - git
+          - vim
+          - htop
+          - fish
+          - rsync
+          - restic
+          - vim
+        state: present
+    - name: Install Debian-specific packages
+      become: true
+      when: ansible_os_family == 'Debian'
+      ansible.builtin.apt:
+        name:
+          - ncurses-term
+        state: present
+        update_cache: true
+    - name: Add the user ralsina
+      become: true
+      ansible.builtin.user:
+        name: ralsina
+        create_home: true
+        password_lock: true
+        shell: /usr/bin/fish
+    - name: Authorize ssh
+      become: true
+      ansible.posix.authorized_key:
+        user: ralsina
+        state: present
+        key: "{{ lookup('file', '/home/ralsina/.ssh/id_rsa.pub') }}"
+    - name: Make ralsina a sudoer
+      become: true
+      community.general.sudoers:
+        name: ralsina
+        user: ralsina
+        state: present
+        commands: ALL
+        nopassword: true
+    - name: Create fish config directory
+      ansible.builtin.file:
+        path: /home/ralsina/.config/fish/conf.d
+        recurse: true
+        state: directory
+        mode: '0755'
+    - name: Get starship installer
+      ansible.builtin.get_url:
+        url: https://starship.rs/install.sh
+        dest: /tmp/starship.sh
+        mode: '0755'
+    - name: Install starship
+      become: true
+      ansible.builtin.command:
+        cmd: sh /tmp/starship.sh -y
+        creates: /usr/local/bin/starship
+    - name: Enable starship
+      ansible.builtin.copy:
+        dest: /home/ralsina/.config/fish/conf.d/starship.fish
+        mode: '0644'
+        content: |
+          starship init fish | source

ralsina.me.txt

@@ -0,0 +1,59 @@
+;;
+;; Domain:     ralsina.me.
+;; Exported:   2024-08-20 14:42:21
+;;
+;; This file is intended for use for informational and archival
+;; purposes ONLY and MUST be edited before use on a production
+;; DNS server.  In particular, you must:
+;;   -- update the SOA record with the correct authoritative name server
+;;   -- update the SOA record with the contact e-mail address information
+;;   -- update the NS record(s) with the authoritative name servers for this domain.
+;;
+;; For further information, please consult the BIND documentation
+;; located on the following website:
+;;
+;; http://www.isc.org/
+;;
+;; And RFC 1035:
+;;
+;; http://www.ietf.org/rfc/rfc1035.txt
+;;
+;; Please note that we do NOT offer technical support for any use
+;; of this zone data, the BIND name server, or any other third-party
+;; DNS software.
+;;
+;; Use at your own risk.
+;; SOA Record
+ralsina.me	3600	IN	SOA	princess.ns.cloudflare.com. dns.cloudflare.com. 2047583154 10000 2400 604800 3600
+
+;; NS Records
+ralsina.me.	86400	IN	NS	princess.ns.cloudflare.com.
+ralsina.me.	86400	IN	NS	tim.ns.cloudflare.com.
+
+;; A Records
+direct.ralsina.me.	1	IN	A	192.241.197.159 ; Points to DigitalOcean VPS for nikola and others
+
+;; CAA Records
+ralsina.me.	1	IN	CAA	0 issuewild "pki.goog; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issuewild "letsencrypt.org"
+ralsina.me.	1	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issuewild "comodoca.com"
+ralsina.me.	1	IN	CAA	0 issue "pki.goog; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issue "letsencrypt.org"
+ralsina.me.	1	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issue "comodoca.com"
+
+;; CNAME Records
+_acme-challenge.ralsina.me.	1	IN	CNAME	ralsina.me.ydzmj.flydns.net.
+*.ralsina.me.	1	IN	CNAME	white-wave-7409.fly.dev.
+ralsina.me.	1	IN	CNAME	white-wave-7409.fly.dev.
+
+;; MX Records
+ralsina.me.	1	IN	MX	75 route2.mx.cloudflare.net.
+ralsina.me.	1	IN	MX	27 route3.mx.cloudflare.net.
+ralsina.me.	1	IN	MX	1 route1.mx.cloudflare.net.
+
+;; TXT Records
+_dmarc.ralsina.me.	1	IN	TXT	"v=DMARC1; p=none; rua=mailto:ralsina@netmanagers.com.ar,mailto:roberto.alsina@gmail.com,mailto:roberto@ralsina.me"
+ralsina.me.	1	IN	TXT	"v=spf1 include:_spf.mx.cloudflare.net ~all"
+ralsina.me.	1	IN	TXT	"google-site-verification=GLjctZfTmZSRp8wt7vx4ko-KaGlqT5hxfUTliYpX9V8"

reverse_proxy/Dockerfile

@@ -1,13 +1,13 @@
-FROM alpine:latest as builder
+FROM alpine:latest AS builder
 WORKDIR /app
 COPY . ./
 # This is where one could build the application code as well.
 
 
-FROM alpine:latest as tailscale
+FROM alpine:latest AS tailscale
 WORKDIR /app
 COPY . ./
-ENV TSFILE=tailscale_1.28.0_amd64.tgz
+ENV TSFILE=tailscale_1.84.0_amd64.tgz
 RUN wget https://pkgs.tailscale.com/stable/${TSFILE} && tar xzf ${TSFILE} --strip-components=1
 COPY . ./
 

reverse_proxy/README.md

@@ -0,0 +1,17 @@
+# Reverse Proxy setup
+
+How I put my very own personal servers online, for free.
+
+This sets up a reverse proxy using nginx on a VM in fly.io using
+tailscale to access the internal servers.
+
+Details at [the blog post](http://ralsina.me/weblog/posts/the-cheapest-server.html)
+
+When adding a new hostname, remember to create a cert for it using
+`flyctl certs create hostname`
+
+Every 90 days the tailscale auth key will expire and you need to set a new one as
+a secret.
+
+* Create the new one at https://login.tailscale.com/admin/settings/keys (MAKE IT REUSABLE)
+* Configure it using flyctl secrets set TAILSCALE_AUTHKEY={{PASTEKEYHERE}}

reverse_proxy/fly.toml

@@ -1,40 +1,39 @@
-# fly.toml file generated for white-wave-7409 on 2022-05-02T16:24:11-03:00
+# fly.toml app configuration file generated for white-wave-7409 on 2023-05-16T12:52:57-03:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
 
 app = "white-wave-7409"
-
+primary_region = "mia"
 kill_signal = "SIGINT"
-kill_timeout = 5
-processes = []
+kill_timeout = "5s"
+
+[experimental]
+  auto_rollback = true
 
 [deploy]
   strategy = "rolling"
 
-[env]
-
-[experimental]
-  allowed_public_ports = [8080]
-  auto_rollback = true
-
 [[services]]
-  internal_port = 8080
   protocol = "tcp"
+  internal_port = 8080
+  min_machines_running = 0
 
+  [[services.ports]]
+    port = 80
+    handlers = ["http"]
+    force_https = true
+
+  [[services.ports]]
+    port = 443
+    handlers = ["tls", "http"]
   [services.concurrency]
+    type = "connections"
     hard_limit = 25
     soft_limit = 20
-    type = "connections"
-
-  [[services.ports]]
-    force_https = true
-    handlers = ["http"]
-    port = 80
-
-  [[services.ports]]
-    handlers = ["tls", "http"]
-    port = "443"
 
   [[services.tcp_checks]]
-    grace_period = "1s"
     interval = "15s"
-    restart_limit = 0
     timeout = "2s"
+    grace_period = "1s"
+    restart_limit = 0

reverse_proxy/nginx.conf

@@ -0,0 +1,208 @@
+map $upstream_http_access_control_allow_origin $allow_origin {
+    '' "*";
+}
+
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name faaso-prod.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8888;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name grafito-demo.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:1112;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name code.ralsina.me;
+
+    location / {
+        proxy_pass http://mindy.tail20c16.ts.net:8088;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection upgrade;
+        proxy_set_header Accept-Encoding gzip;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name home.ralsina.me;
+    server_name ralsina.me;
+    server_name faaso.ralsina.me;
+    server_name nicolino.ralsina.me;
+    server_name crycco.ralsina.me;
+    server_name nombres.ralsina.me;
+    server_name grafito.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8080;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name links.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8086;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name git.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:3000;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 403 404 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name gotify.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:7777;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+
+    location /stream {
+        proxy_pass http://rocky.tail20c16.ts.net:7777;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+    }
+
+    error_page 403 404 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name faas.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8082;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name snips.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8091	;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name covers.ralsina.me;
+    return 301 https://ralsina.me/stories/covers/;
+}