From 712d411b201a48b75b9a42f9a63462e7b9096b83 Mon Sep 17 00:00:00 2001
From: Jordan Olshevski
Date: Sun, 17 Mar 2024 20:36:48 -0500
Subject: [PATCH] Add new tunnel docs

---
 README.md | 4 +--
 docs/tunnelsvr-setup.md | 69 ++++++++++++++++++++++++++++++++++++++++
 manifests/profile.yaml | 25 ---------------
 patches/contour-ds.yaml | 11 +++++++
 patches/contour-svc.yaml | 6 ++--
 5 files changed, 85 insertions(+), 30 deletions(-)
 create mode 100644 docs/tunnelsvr-setup.md

diff --git a/README.md b/README.md
index d7ec9d1..beff9d7 100644
--- a/README.md
+++ b/README.md
@@ -19,14 +19,14 @@ Or `make apply` to deploy locally.
 Install k3s with these flags:
-- --disable-traefik
+- --disable=traefik
+- --disable=servicelb
 After installing k3s there are a few steps that don't make sense to automate since they (hopefully) won't need to happen again.
 ```bash
 kubectl create secret generic oauth-cookie-secret --from-literal=secret=$(openssl rand -base64 24)
 kubectl create secret generic keycloak-admin --from-literal=KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -base64 16)
-kubectl create secret generic profile-file-token-key --from-literal=key=$(openssl rand -base64 32)
 kubectl create secret generic reporting-psql --from-literal=password=$(openssl rand -base64 24)
 kubectl create secret generic wikijs --from-literal=password=$(openssl rand -base64 24)
 kubectl create secret generic keycloak-db --from-literal=password=$(openssl rand -base64 24)
diff --git a/docs/tunnelsvr-setup.md b/docs/tunnelsvr-setup.md
new file mode 100644
index 0000000..3b881da
--- /dev/null
+++ b/docs/tunnelsvr-setup.md
@@ -0,0 +1,69 @@
+
+Drop this systemd unit in place to generate wireguard keys/configs.
+
+```
+# /usr/lib/systemd/system/wireguard.service
+
+[Unit]
+Description=Wireguard
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=podman run -it --rm --privileged --net=host -v /opt/wireguard:/config -e PEERS=thelabrouter,jordan,doug -e PUID=1000 -e PGID=100 -e TZ=Etc/UTC -e LOG_CONFS=false -e PERSISTENTKEEPALIVE_PEERS=thelabrouter -e SERVER_ALLOWEDIPS_PEER_thelabrouter=10.200.0.0/16 -e ALLOWEDIPS=10.13.13.0/24 docker.io/linuxserver/wireguard:1.0.20210914
+LimitAS=infinity
+LimitRSS=infinity
+LimitCORE=infinity
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+```
+
+This unit configures iptables on boot.
+
+```
+# /usr/lib/systemd/system/configure-iptables.service
+
+[Unit]
+Description=TheLab's iptables configuration applicator
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/configure-iptables.sh
+
+[Install]
+WantedBy=multi-user.target
+```
+
+This is the script used by the above systemd unit.
+
+```
+# /opt/configure-iptables.sh
+
+#!/bin/bash
+
+set -e
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+rules=(
+ 'POSTROUTING -j MASQUERADE'
+ 'POSTROUTING -o eth0 -j SNAT --to-source 10.200.10.123'
+ 'PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.200.10.123:80'
+ 'PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.200.10.123:443'
+ 'PREROUTING -i eth0 -p tcp -m tcp --dport 6443 -j DNAT --to-destination 10.200.10.123:6443'
+)
+
+for t in "${rules[@]}"; do
+ if iptables -t nat -C ${t} &> /dev/null; then
+ echo "rule '${t}' already exists"
+ else
+ iptables -t nat -A ${t} > /dev/null
+ echo "created rule '${t}'"
+ fi
+done
+```
diff --git a/manifests/profile.yaml b/manifests/profile.yaml
index 72f82c5..982cb18 100644
--- a/manifests/profile.yaml
+++ b/manifests/profile.yaml
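Review bot: The iptables script DNATs TCP 6443 from eth0 to 10.200.10.123, which forwards the k3s API server through the tunnel host with no source restriction and no FORWARD-chain filtering, so if eth0 is the tunnel host's Internet-facing interface the API is reachable from anywhere; either drop that rule or scope it, e.g. `'PREROUTING -i eth0 -p tcp -s <admin-cidr> -m tcp --dport 6443 -j DNAT --to-destination 10.200.10.123:6443'`. Separately, the rules are appended in array order and `POSTROUTING -j MASQUERADE` is a terminating target with no interface match, so the following `POSTROUTING -o eth0 -j SNAT --to-source 10.200.10.123` can never match — move it ahead of the MASQUERADE entry if it is intended, otherwise delete it. The WireGuard unit also runs the container `--privileged --net=host`; if the image works with `--cap-add=NET_ADMIN` (plus `SYS_MODULE` where the wireguard module is not already loaded) that is the narrower grant, which is worth checking against the image's documentation. I would also add a one-line comment above `rules=(` stating which network eth0 faces and that the default FORWARD policy is assumed to be ACCEPT, since the script silently depends on both.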
@@ -89,15 +89,6 @@ spec:
 secretKeyRef:
 name: web-secrets-keys
 key: AGE_PUBLIC_KEY
- - name: FILE_SERVER_URL
- value: http://10.200.1.123:8888
- - name: FILE_UPLOAD_DIR
- value: /data
- - name: FILE_TOKEN_SIGNING_KEY
- valueFrom:
- secretKeyRef:
- name: profile-file-token-key
- key: key
 readinessProbe:
 initialDelaySeconds: 2
 periodSeconds: 5
@@ -149,22 +140,6 @@ spec:
 ---
-apiVersion: v1
-kind: Service
-metadata:
- name: profile-files
-spec:
- type: LoadBalancer
- selector:
- app: profile
- ports:
- - name: http
- protocol: TCP
- port: 8888
- targetPort: 8888
-
----
-
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
 metadata:
diff --git a/patches/contour-ds.yaml b/patches/contour-ds.yaml
index a665b79..6b0d2ed 100644
--- a/patches/contour-ds.yaml
+++ b/patches/contour-ds.yaml
@@ -11,3 +11,14 @@ spec:
 value: "please"
 operator: "Equal"
 effect: "NoSchedule"
+ containers:
+ - name: envoy
+ ports:
+ - containerPort: 8080
+ hostPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 8443
+ hostPort: 443
+ name: https
+ protocol: TCP
diff --git a/patches/contour-svc.yaml b/patches/contour-svc.yaml
index 8483bf6..1b125c0 100644
--- a/patches/contour-svc.yaml
+++ b/patches/contour-svc.yaml
@@ -5,13 +5,13 @@ metadata:
 namespace: projectcontour
 spec:
 $patch: replace
- type: LoadBalancer
+ type: ClusterIP
 ports:
- - port: 8080
+ - port: 80
 name: http
 protocol: TCP
 targetPort: 8080
- - port: 8443
+ - port: 443
 name: https
 protocol: TCP
 targetPort: 8443
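Review bot: The added `hostPort: 80` and `hostPort: 443` on the envoy DaemonSet bind Envoy on every node's interfaces (no `hostIP` is set), and hostPort traffic is DNATed on the host by the CNI portmap plugin before it reaches the pod, so depending on the CNI it may not be subject to NetworkPolicy; with `--disable=servicelb` this leaves host-level firewalling as the only control on who can reach Envoy. If the tunnel host is the only intended client, restrict the bind to the address it DNATs to, `hostIP: 10.200.10.123`, or document the node firewall rule that limits 80/443 to the tunnel host — note that a fixed `hostIP` only works on a single-node cluster, which I cannot confirm from this patch. A short comment above `containers:` saying why hostPort replaced the LoadBalancer service would also help the next reader.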