From b593a2874a7edb5905c6ac4ba8464720d6bfea48 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 14:48:02 +0200 Subject: [PATCH 01/23] Add role netmaker_server --- .../mosquitto/config/mosquitto.conf | 9 + .../netmaker_server/mosquitto/config/wait.sh | 23 +++ netmaker_server/meta/main.yml | 3 + netmaker_server/tasks/main.yml | 16 ++ netmaker_server/tasks/netmaker.yml | 29 +++ netmaker_server/tasks/prerequisites.yml | 10 + netmaker_server/tasks/rqlite.yml | 66 +++++++ .../templates/docker-compose.yml.template | 171 ++++++++++++++++++ .../templates/rqlite-config.json.template | 5 + 9 files changed, 332 insertions(+) create mode 100644 netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf create mode 100755 netmaker_server/files/opt/netmaker_server/mosquitto/config/wait.sh create mode 100644 netmaker_server/meta/main.yml create mode 100644 netmaker_server/tasks/main.yml create mode 100644 netmaker_server/tasks/netmaker.yml create mode 100644 netmaker_server/tasks/prerequisites.yml create mode 100644 netmaker_server/tasks/rqlite.yml create mode 100644 netmaker_server/templates/docker-compose.yml.template create mode 100644 netmaker_server/templates/rqlite-config.json.template diff --git a/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf b/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf new file mode 100644 index 0000000..299f632 --- /dev/null +++ b/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf @@ -0,0 +1,9 @@ +per_listener_settings false +listener 8883 +allow_anonymous false + +listener 1883 +allow_anonymous false + +plugin /usr/lib/mosquitto_dynamic_security.so +plugin_opt_config_file /mosquitto/data/dynamic-security.json diff --git a/netmaker_server/files/opt/netmaker_server/mosquitto/config/wait.sh b/netmaker_server/files/opt/netmaker_server/mosquitto/config/wait.sh new file mode 100755 index 0000000..caf9d29 --- /dev/null 
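Review bot: The `listener 8883` block in mosquitto.conf has no `certfile`/`keyfile`/`cafile`, so despite the conventional TLS port number it is a plaintext listener identical to `listener 1883`. The compose template in this same patch advertises `MQ_PORT: "8883"` as the client-facing port, so a client that expects TLS there fails the handshake, and one that does not sends its broker credentials in cleartext. Either mount the role's certificates into the mosquitto container and add `certfile`/`keyfile` lines under the 8883 listener, or add a comment stating that TLS is terminated in front of the broker so the two listeners are deliberately identical.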
+++ b/netmaker_server/files/opt/netmaker_server/mosquitto/config/wait.sh @@ -0,0 +1,23 @@ +#!/bin/ash + +wait_for_netmaker() { + echo "SERVER: ${NETMAKER_SERVER_HOST}" + until curl --output /dev/null --silent --fail --head \ + --location "${NETMAKER_SERVER_HOST}/api/server/health"; do + echo "Waiting for netmaker server to startup" + sleep 1 + done +} + +main(){ + # wait for netmaker to startup + apk add curl + wait_for_netmaker + echo "Starting MQ..." + # Run the main container command. + /docker-entrypoint.sh + /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf + +} + +main "${@}" diff --git a/netmaker_server/meta/main.yml b/netmaker_server/meta/main.yml new file mode 100644 index 0000000..3f99ccf --- /dev/null +++ b/netmaker_server/meta/main.yml @@ -0,0 +1,3 @@ +--- +# dependencies: +# - role: docker diff --git a/netmaker_server/tasks/main.yml b/netmaker_server/tasks/main.yml new file mode 100644 index 0000000..2b1b967 --- /dev/null +++ b/netmaker_server/tasks/main.yml @@ -0,0 +1,16 @@ +- import_tasks: ./prerequisites.yml + +- name: Copy folder-structure + ansible.builtin.copy: + src: opt/netmaker_server + dest: /opt/ + mode: preserve + +- name: Deploy compose file + ansible.builtin.template: + src: docker-compose.yml.template + dest: /opt/netmaker_server/docker-compose.yml + +- import_tasks: ./rqlite.yml + +- import_tasks: ./netmaker.yml diff --git a/netmaker_server/tasks/netmaker.yml b/netmaker_server/tasks/netmaker.yml new file mode 100644 index 0000000..961e0d1 --- /dev/null +++ b/netmaker_server/tasks/netmaker.yml 
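Review bot: `main` in wait.sh runs `/docker-entrypoint.sh` and then `/usr/sbin/mosquitto` as two separate commands without `exec`, so the broker is not PID 1 and container stop signals reach the shell rather than mosquitto; the script also has no `set -e`, so a failed `apk add curl` continues into `wait_for_netmaker`, where the missing `curl` makes the `until` loop spin forever. Suggest `set -eu` at the top and, assuming the image entrypoint ends with `exec "$@"` as the official one does, `exec /docker-entrypoint.sh /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf` as the last line of `main`. Installing curl with `apk add` on every container start also requires network access at runtime; a derived image with curl baked in would be more reliable.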
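Review bot: The `Deploy compose file` task renders `netmaker.master_key`, `netmaker.rqlite_password` and `netmaker.mq_admin_password` into `/opt/netmaker_server/docker-compose.yml` but sets no `mode`, so the file gets the template module's default permissions, which are typically world-readable. Add `mode: "0600"` and `owner: root` to that task so the rendered secrets are not readable by every local account. The rqlite config template in rqlite.yml carries a password too and needs the same treatment.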
@@ -0,0 +1,29 @@ +- name: Start rest of netmaker-services + command: "docker-compose --project-directory /opt/netmaker_server/ up -d" + register: command + failed_when: command.rc != 0 + +- name: Wait for netmaker-api to become available + ansible.builtin.wait_for: + host: "{{ inventory_hostname }}" + port: 8081 + state: started + when: "inventory_hostname == groups['netmaker'][0]" + +- name: Create default mesh-network 'server' + uri: + url: 'http://netmaker-api.{{ netmaker.base_domain }}:8081/api/networks' + method: POST + body: + netid: servers + addressrange: 10.92.0.0/24 + addressrange6: fd92::/64 + body_format: json + headers: + Authorization: 'Bearer {{ netmaker.master_key }}' + Content-Type: application/json + when: "inventory_hostname == groups['netmaker'][0]" + register: default_mesh_ok + until: "default_mesh_ok is not failed" + retries: 2 + delay: 10 diff --git a/netmaker_server/tasks/prerequisites.yml b/netmaker_server/tasks/prerequisites.yml new file mode 100644 index 0000000..a9d91f9 --- /dev/null +++ b/netmaker_server/tasks/prerequisites.yml @@ -0,0 +1,10 @@ +- name: Install wireguard + package: + name: + - wireguard + state: latest + +- name: Check if default-ipv4-address is private + set_fact: + private_ipv4_address: "{{ ansible_facts.default_ipv4.address | regex_search('^((10)|(192\\.168)|(172\\.((1[6-9])|(2[0-9])|(3[0-1])))|(100))\\.') }}" + when: "netmaker.dynamicIp" diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml new file mode 100644 index 0000000..7924969 --- /dev/null +++ b/netmaker_server/tasks/rqlite.yml 
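Review bot: `when: "inventory_hostname == groups['netmaker'][0]"` in netmaker.yml keys the first-node logic on a group named `netmaker`, while rqlite.yml in this same patch uses `groups['netmaker_server'][0]` and the compose template uses `groups['netmaker']`; unless the inventory defines both groups with the same first member, one file raises an undefined-key error or elects a different leader. Pick one group name and use it in all three files. Separately, the `uri` task sends `Authorization: 'Bearer {{ netmaker.master_key }}'` over plain `http://` to `netmaker-api.{{ netmaker.base_domain }}:8081`, which presumably leaves the host when that name resolves to a public address; targeting the local API endpoint, or an https endpoint with `ca_path`, keeps the master key off the wire.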
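Review bot: The `regex_search` in `Check if default-ipv4-address is private` treats the whole `100.0.0.0/8` block as private through the `(100)` alternative, but only `100.64.0.0/10` is shared address space, so a host with a public `100.x` address would be rendered without `SERVER_HOST`. Narrow that alternative to `100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])` (double-escaped as in the existing string), or use the `ansible.utils.ipaddr('private')` filter if that collection is available. `state: latest` on the wireguard package also upgrades it on every run; `state: present` is the usual choice for an idempotent role.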
@@ -0,0 +1,66 @@ +- name: Deploy rqlite config + ansible.builtin.template: + src: rqlite-config.json.template + dest: /opt/netmaker/rqlite/config.json + +# CERTIFICATE +- name: Generate PrivateKey + community.crypto.openssl_privatekey: + path: /opt/netmaker/rqlite/certs/node.key + +- name: Generate Certificate-Signing-Request from privateKey + community.crypto.openssl_csr: + path: /opt/netmaker/rqlite/certs/node.csr + privatekey_path: /opt/netmaker/rqlite/certs/node.key + common_name: "{{ ansible_facts.nodename }}" + +- name: Fetch CSR + ansible.builtin.fetch: + src: /opt/netmaker/rqlite/certs/node.csr + dest: tmp_files/ + +- name: Sign CSR locally with CA + local_action: community.crypto.x509_certificate + args: + path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt + csr_path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.csr + ownca_path: secret_files/netmaker_server/ca/ca.crt + ownca_privatekey_path: secret_files/netmaker_server/ca/ca.key + provider: ownca + +- name: Copy Signed Certificate + ansible.builtin.copy: + src: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt + dest: /opt/netmaker_server/rqlite/certs/node.crt + +- name: Copy CA Certificate + ansible.builtin.copy: + src: secret_files/netmaker_server/ca/ca.crt + dest: /opt/netmaker_server/rqlite/certs/ca.crt +# CERTIFICATE + +- name: Start rqlite service for 1st-node + command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite" + register: command + failed_when: command.rc != 0 + when: "inventory_hostname == groups['netmaker_server'][0]" + +- name: Waiting for rqlite to accept connections on 1st-node + ansible.builtin.wait_for: + host: "{{ inventory_hostname }}" + port: 4001 + state: started + when: "inventory_hostname == groups['netmaker_server'][0]" + +- name: Start rqlite service for other nodes + command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite" + register: command 
+ failed_when: command.rc != 0 + when: "inventory_hostname != groups['netmaker_server'][0]" + +- name: Waiting for rqlite to accept connections on other nodes + ansible.builtin.wait_for: + host: "{{ inventory_hostname }}" + port: 4001 + state: started + when: "inventory_hostname != groups['netmaker_server'][0]" diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template new file mode 100644 index 0000000..9d689b3 --- /dev/null +++ b/netmaker_server/templates/docker-compose.yml.template 
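Review bot: The CSR in `Generate Certificate-Signing-Request from privateKey` carries only `common_name`; Go TLS clients (rqlite is written in Go) ignore the CN and require a Subject Alternative Name, so certificates issued from it cannot be verified by peers, which is presumably why the compose template passes `-node-no-verify`. Add `subject_alt_name: "DNS:{{ ansible_facts.nodename }}"` to the CSR task so that FIXME can eventually be closed. As written, `Fetch CSR` mirrors its `src` and stores the file at `tmp_files/<host>/opt/netmaker/rqlite/certs/node.csr`, while `Sign CSR locally with CA` reads `tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.csr`, so the signing step cannot find the CSR; the paths need to agree.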
@@ -0,0 +1,171 @@ +version: "3.4" + +services: + rqlite: # Distributed sqlite-db + image: rqlite/rqlite + restart: unless-stopped + hostname: "{{ ansible_facts.nodename }}" + volumes: + - "./rqlite/data:/rqlite/file" + - "./rqlite/config.json:/config.json:ro" + - "./rqlite/certs:/certs:ro" + ports: + - 4001:4001 + - 4002:4002 + # FIXME: "node-no-verify" Skipping certificate verification is bad! + #-http-ca-cert /certs/ca.crt + #-http-cert /certs/node.crt + #-http-key /certs/node.key + command: " + -node-encrypt + -node-ca-cert /certs/ca.crt + -node-cert /certs/node.crt + -node-key /certs/node.key + -node-no-verify + + -auth /config.json + +{% if inventory_hostname != groups['netmaker'][0] %} + -join-as netmaker + -join http://{{ groups['netmaker'][0] }}:4001 +{% endif %} + " + # FIXME: /\ \/ Change http -> https + + netmaker: # The Primary Server for running Netmaker + image: gravitl/netmaker:v0.16.1 + cap_add: + - NET_ADMIN + - NET_RAW + - SYS_MODULE + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + - net.ipv6.conf.all.disable_ipv6=0 + - net.ipv6.conf.all.forwarding=1 + restart: unless-stopped + volumes: # Volume mounts necessary for sql, coredns, and mqtt + - ./dnsconfig/:/root/config/dnsconfig + - ./mosquitto/data/:/etc/netmaker/ + hostname: "{{ ansible_facts.nodename }}" + environment: # Necessary capabilities to set iptables when running in container + NODE_ID: "{{ ansible_facts.nodename }}" + MASTER_KEY: "{{ netmaker.master_key }}" # The admin master key for accessing the API. Change this in any production installation. + +{% if not private_ipv4_address %} + SERVER_HOST: "{{ ansible_facts.default_ipv4.address }}" # Set to public IP of machine. +{% endif %} + SERVER_NAME: "netmaker-broker.{{ netmaker.base_domain }}" # The domain/host IP indicating the mq broker address + SERVER_HTTP_HOST: "netmaker-api.{{ netmaker.base_domain }}" # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks. 
+ SERVER_API_CONN_STRING: "netmaker-api.{{ netmaker.base_domain }}:8081" + + DISABLE_REMOTE_IP_CHECK: "off" # If turned "on", Server will not set Host based on remote IP check. This is already overridden if SERVER_HOST is set. Turned "off" by default. + DNS_MODE: "off" # Enables DNS Mode, meaning all nodes will set hosts file for private dns settings. + + API_PORT: "8081" # The HTTP API port for Netmaker. Used for API calls / communication from front end. If changed, need to change port of BACKEND_URL for netmaker-ui. + REST_BACKEND: "on" # Enables the REST backend (API running on API_PORT at SERVER_HTTP_HOST). Change to "off" to turn off. + RCE: "off" # Enables setting PostUp and PostDown (arbitrary commands) on nodes from the server. Off by default. + CORS_ALLOWED_ORIGIN: "*" # The "allowed origin" for API requests. Change to restrict where API requests can come from. + DISPLAY_KEYS: "on" # Show keys permanently in UI (until deleted) as opposed to 1-time display. + + DATABASE: "rqlite" + SQL_CONN: "http://netmaker:{{ netmaker.rqlite_password }}@rqlite:4001/" + + MQ_HOST: "mosquitto" # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container. + MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine) + MQ_PORT: "8883" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose) + MQ_ADMIN_PASSWORD: "{{ netmaker.mq_admin_password }}" + + HOST_NETWORK: "off" # whether or not host networking is turned on. Only turn on if configured for host networking (see docker-compose.hostnetwork.yml). Will set host-level settings like iptables. 
+ PORT_FORWARD_SERVICES: "" # decide which services to port forward ("dns","ssh", or "mq") + + # this section is for OAuth + AUTH_PROVIDER: "" # "" + CLIENT_ID: "" # "" + CLIENT_SECRET: "" # "" + FRONTEND_URL: "" # "https://dashboard." + AZURE_TENANT: "" # "" + OIDC_ISSUER: "" # https://oidc.yourprovider.com - URL of oidc provider + + VERBOSITY: "1" # logging verbosity level - 1, 2, or 3 + TELEMETRY: "off" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry. + ports: + - "51821-51830:51821-51830/udp" # wireguard ports + - "8081:8081" # api port +{# labels: # only for use with traefik proxy (default) + - traefik.enable=true + - traefik.http.routers.netmaker-api.rule=Host(`netmaker-api.{{ netmaker.base_domain }}`) + - traefik.http.services.netmaker-api.loadbalancer.server.port=8081 #} + + netmaker-ui: # The Netmaker UI Component + image: gravitl/netmaker-ui:v0.16.1 + depends_on: + - netmaker + links: + - "netmaker:api" + restart: unless-stopped + environment: + #BACKEND_URL: "http://netmaker-api.{{ netmaker.base_domain }}:8081" # URL where UI will send API requests. 
Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT + BACKEND_URL: "http://tranio.ruekov.eu:8081" + ports: + - 8082:80 +{# labels: + - traefik.enable=true + - traefik.http.middlewares.nmui-security.headers.accessControlAllowOriginList=netmaker-dashboard.{{ netmaker.base_domain }} + - traefik.http.middlewares.nmui-security.headers.stsSeconds=31536000 + - traefik.http.middlewares.nmui-security.headers.browserXssFilter=true + - traefik.http.middlewares.nmui-security.headers.customFrameOptionsValue=SAMEORIGIN + - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.X-Robots-Tag=none + - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.Server= # Remove the server name + - traefik.http.routers.netmaker-ui.middlewares=nmui-security@docker + - traefik.http.routers.netmaker-ui.rule=Host(`netmaker-dashboard.{{ netmaker.base_domain }}`) + - traefik.http.services.netmaker-ui.loadbalancer.server.port=80 #} + + {# coredns: # The DNS Server. CoreDNS can be removed unless doing special advanced use cases + image: coredns/coredns + command: -conf /root/dnsconfig/Corefile + depends_on: + - netmaker + restart: unless-stopped + volumes: + - ./dnsconfig/:/root/dnsconfig #} + + mosquitto: # the MQTT broker for netmaker + image: eclipse-mosquitto:2.0.11-openssl + restart: unless-stopped + volumes: + - ./mosquitto/config:/mosquitto/config + - ./mosquitto/data:/mosquitto/data + - ./mosquitto/logs:/mosquitto/log + ports: + - "8883:8883" + depends_on: + - netmaker + command: ["/mosquitto/config/wait.sh"] + environment: + NETMAKER_SERVER_HOST: "http://netmaker:8081" +{# labels: + - traefik.enable=true + - traefik.tcp.routers.mqtts.rule=HostSNI(`netmaker-broker.{{ netmaker.base_domain }}`) + - traefik.tcp.routers.mqtts.tls.passthrough=true + - traefik.tcp.services.mqtts-svc.loadbalancer.server.port=8883 #} + + {# traefik: # the default proxy - can be replaced with caddy or nginx, but requires careful configuration + image: traefik:v2.6 + command: + - 
"--certificatesresolvers.http.acme.email=YOUR_EMAIL" + - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json" + - "--certificatesresolvers.http.acme.tlschallenge=true" + - "--entrypoints.websecure.address=:443" + - "--entrypoints.websecure.http.tls=true" + - "--entrypoints.websecure.http.tls.certResolver=http" + - "--log.level=INFO" + - "--providers.docker=true" + - "--providers.docker.exposedByDefault=false" + - "--serverstransport.insecureskipverify=true" + restart: unless-stopped + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - traefik_certs:/letsencrypt + ports: + - "443:443" #} diff --git a/netmaker_server/templates/rqlite-config.json.template b/netmaker_server/templates/rqlite-config.json.template new file mode 100644 index 0000000..5460bef --- /dev/null +++ b/netmaker_server/templates/rqlite-config.json.template @@ -0,0 +1,5 @@ +[{ + "username": "netmaker", + "password": "{{ netmaker.rqlite_password }}", + "perms": ["all"] +}] From 526cf66bd7124fe3a07db4bf645683dbd2c382c5 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 21:19:10 +0200 Subject: [PATCH 02/23] Add chart for architecture --- .../netmaker_server/docs/architecture.puml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 netmaker_server/files/opt/netmaker_server/docs/architecture.puml diff --git a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml new file mode 100644 index 0000000..09ea902 --- /dev/null +++ b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml 
@@ -0,0 +1,33 @@ +@startuml + +component netmaker_server { + component nginx { + component ng_stream + component ng_http + + ng_stream -right-> ng_http : tls-termination + } + + component Mosquitto + Mosquitto -up- mq_plain + Mosquitto -up- mq_tls + + ng_stream -down-( mq_tls + + component rqlite + rqlite -up- rq_http + rqlite -up- rq_cluster + ng_stream --down-( rq_cluster + + component nm_ui + nm_ui -up- nm_ui_http + ng_http -down-( nm_ui_http + + component nm_api + nm_api -up- nm_api_http + ng_http -down-( nm_api_http + nm_api --( rq_http +} +ng_TLS -down- ng_stream + +@enduml From f733543ae1f8708f46c1c801da7768652d6971dd Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 21:30:50 +0200 Subject: [PATCH 03/23] Fix architecture-diagram --- netmaker_server/files/opt/netmaker_server/docs/architecture.puml | 1 + 1 file changed, 1 insertion(+) diff --git a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml index 09ea902..b2aaf2e 100644 --- a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml +++ b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml @@ -18,6 +18,7 @@ component netmaker_server { rqlite -up- rq_http rqlite -up- rq_cluster ng_stream --down-( rq_cluster + ng_http --down-( rq_http component nm_ui nm_ui -up- nm_ui_http From 8fddfc532fa33522d2eea7dda6bfd4d125f6344a Mon Sep 17 00:00:00 2001 
From: Ruakij Date: Mon, 17 Oct 2022 22:43:57 +0200 Subject: [PATCH 04/23] Add nginx as service --- .../nginx/conf/conf.d/proxy.conf | 26 +++++++++++++++ .../nginx/conf/stream.d/passthrough.conf | 24 ++++++++++++++ .../opt/netmaker_server/nginx/nginx.conf | 33 +++++++++++++++++++ netmaker_server/tasks/main.yml | 4 +++ .../templates/docker-compose.yml.template | 13 +++++++- 5 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf create mode 100644 netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf create mode 100644 netmaker_server/files/opt/netmaker_server/nginx/nginx.conf diff --git a/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf b/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf new file mode 100644 index 0000000..f97d9fb --- /dev/null +++ b/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf @@ -0,0 +1,26 @@ +map $host $proxy_name { + hostnames; + + netmaker-ui.* netmaker-ui:80; + netmaker-api.* netmaker:80; + netmaker-rqlite-http.* rqlite:4001; + + default 444; +} + +server { + resolver 127.0.0.11; # Explicitly set docker-resolver + + listen 8443 ssl; + + ssl_certificate /certs/node.crt; + ssl_certificate_key /certs/node.key; + + if ($proxy_name = 444){ + return 444; + } + + location / { + proxy_pass http://$proxy_name; + } +} diff --git a/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf b/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf new file mode 100644 index 0000000..8077e4e --- /dev/null +++ b/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf 
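Review bot: The `map $host $proxy_name` in proxy.conf sends `netmaker-api.*` to `netmaker:80`, but the compose template configures the API with `API_PORT: "8081"`, so requests to the API vhost will be refused; this should read `netmaker-api.* netmaker:8081;`. The `location /` block also proxies without `proxy_set_header Host $host;` and the usual `X-Forwarded-For`/`X-Forwarded-Proto` headers, so the upstream services only ever see the proxy's address and scheme. No `ssl_protocols`/`ssl_ciphers` are set on the `listen 8443 ssl` server, so it inherits the image defaults; if that is intended, a comment saying so would prevent questions later.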
@@ -0,0 +1,24 @@ +stream{ + map $ssl_preread_server_name $name { + hostnames; # Use hostnames as map? + + netmaker-ui.* 127.0.0.1:8443; + netmaker-api.* 127.0.0.1:8443; + + netmaker-broker.* mosquitto:8883; # todo: tls-terminate? + + netmaker-rqlite-http.* 127.0.0.1:8443; + netmaker-rqlite-cluster.* rqlite:4002; + + default 127.0.0.1:1; + } + + server { + resolver 127.0.0.11; # Explicitly set docker-resolver + + listen 443; + ssl_preread on; + + proxy_pass $name; + } +} diff --git a/netmaker_server/files/opt/netmaker_server/nginx/nginx.conf b/netmaker_server/files/opt/netmaker_server/nginx/nginx.conf new file mode 100644 index 0000000..d1e9413 --- /dev/null +++ b/netmaker_server/files/opt/netmaker_server/nginx/nginx.conf @@ -0,0 +1,33 @@ + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; +} +include /etc/nginx/stream.d/*.conf; diff --git a/netmaker_server/tasks/main.yml b/netmaker_server/tasks/main.yml index 2b1b967..4aa89aa 100644 --- a/netmaker_server/tasks/main.yml +++ b/netmaker_server/tasks/main.yml @@ -11,6 +11,10 @@ src: docker-compose.yml.template dest: /opt/netmaker_server/docker-compose.yml +- import_tasks: ./certs.yml + +- import_tasks: ./nginx.yml + - import_tasks: ./rqlite.yml - import_tasks: ./netmaker.yml diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index 9d689b3..ec380dd 100644 --- a/netmaker_server/templates/docker-compose.yml.template 
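Review bot: `netmaker-broker.* mosquitto:8883;` in passthrough.conf hands the raw TLS stream to mosquitto, but the `listener 8883` in mosquitto.conf from patch 01 has no `certfile`/`keyfile`, so clients arriving through the SNI router will fail the handshake; the inline `# todo: tls-terminate?` marks the gap. Either mount the certificates into the mosquitto container and add `certfile`/`keyfile` to its 8883 listener, or route the broker name to a local TLS-terminating stream server that forwards to `mosquitto:1883`. Passing `netmaker-rqlite-cluster.*` straight to `rqlite:4002` also exposes the raft port to anyone who can reach 443, so rqlite must verify peer certificates on that port, which the compose template's `-node-no-verify` currently disables.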
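Review bot: nginx.conf appears to be the stock image configuration with a single addition, the trailing `include /etc/nginx/stream.d/*.conf;` outside the `http {}` block, and nothing marks that intent for the next maintainer. Add a comment above it such as `# stream{} blocks (stream.d/*.conf) must sit at top level, outside http{}` so the line is not tidied back into the http block, which would break passthrough.conf. Since the compose template mounts this file read-only over `/etc/nginx/nginx.conf`, the role now owns the full copy rather than just the delta, which is worth noting in the same comment.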
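Review bot: `- import_tasks: ./certs.yml` and `- import_tasks: ./nginx.yml` reference files that do not exist in this commit (`certs.yml` arrives in patch 06 and `nginx.yml` in patch 07 of this series), and `import_tasks` is resolved at parse time, so the role fails to load at this point in history. Squashing these commits, or adding the files together with the imports, keeps every revision runnable. The ordering itself is right: `certs.yml` before `nginx.yml`, since the nginx service mounts `./certs`.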
+++ b/netmaker_server/templates/docker-compose.yml.template @@ -1,6 +1,17 @@ version: "3.4" services: + nginx: + image: nginx + restart: unless-stopped + volumes: + - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro # Override nginx-config to add stream-import + - ./nginx/conf/conf.d/:/etc/nginx/conf.d:ro # conf.d + - ./nginx/conf/stream.d/:/etc/nginx/stream.d:ro # conf.d + - ./certs:/certs:ro # SSL-certificates + ports: + - 51820:443 + rqlite: # Distributed sqlite-db image: rqlite/rqlite restart: unless-stopped @@ -8,7 +19,7 @@ services: volumes: - "./rqlite/data:/rqlite/file" - "./rqlite/config.json:/config.json:ro" - - "./rqlite/certs:/certs:ro" + - "./certs:/certs:ro" ports: - 4001:4001 - 4002:4002 From 86e6317e28495da0fb892c068b65e5dbfe06412a Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:45:24 +0200 Subject: [PATCH 05/23] Fix naming --- netmaker_server/tasks/rqlite.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml index 7924969..549f657 100644 --- a/netmaker_server/tasks/rqlite.yml +++ b/netmaker_server/tasks/rqlite.yml @@ -1,7 +1,7 @@ - name: Deploy rqlite config ansible.builtin.template: src: rqlite-config.json.template - dest: /opt/netmaker/rqlite/config.json + dest: /opt/netmaker_server/rqlite/config.json # CERTIFICATE - name: Generate PrivateKey From dd87d5e724bbd01d1fc7d53bf26ace5fee884978 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:46:20 +0200 Subject: [PATCH 06/23] Move cert-generation outside --- netmaker_server/tasks/certs.yml | 34 ++++++++++++++++++++++++++++++ netmaker_server/tasks/rqlite.yml | 36 -------------------------------- 2 files changed, 34 insertions(+), 36 deletions(-) create mode 100644 netmaker_server/tasks/certs.yml diff --git a/netmaker_server/tasks/certs.yml b/netmaker_server/tasks/certs.yml new file mode 100644 index 0000000..86311ee --- /dev/null +++ b/netmaker_server/tasks/certs.yml 
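Review bot: `image: nginx` in the new `nginx` service has no tag, so each `docker-compose up` may pull a different major version, while the other services pin exact versions (`gravitl/netmaker:v0.16.1`, `eclipse-mosquitto:2.0.11-openssl`); pin it the same way, e.g. `image: nginx:<pinned-version>`. The service mounts `./certs:/certs:ro`, which after this patch also holds `node.key`; that is required for TLS termination, but the host-side directory permissions should keep the key readable by root only. `- 51820:443` publishes the TLS front end on the port conventionally associated with WireGuard UDP; if that is deliberate, a comment saying so would stop a future reader from "fixing" it.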
@@ -0,0 +1,34 @@ +- name: Generate PrivateKey + community.crypto.openssl_privatekey: + path: /opt/netmaker_server/certs/node.key + +- name: Generate Certificate-Signing-Request from privateKey + community.crypto.openssl_csr: + path: /opt/netmaker_server/certs/node.csr + privatekey_path: /opt/netmaker_server/certs/node.key + common_name: "{{ ansible_facts.nodename }}" + subject_alt_name: "DNS:*.{{ ansible_facts.nodename }},DNS:*.{{ netmaker.base_domain }}" + +- name: Fetch CSR + ansible.builtin.fetch: + src: /opt/netmaker_server/certs/node.csr + dest: tmp_files/ + +- name: Sign CSR locally with CA + local_action: community.crypto.x509_certificate + args: + path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.crt + csr_path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.csr + ownca_path: secret_files/netmaker_server/ca/ca.crt + ownca_privatekey_path: secret_files/netmaker_server/ca/ca.key + provider: ownca + +- name: Copy Signed Certificate + ansible.builtin.copy: + src: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.crt + dest: /opt/netmaker_server/certs/node.crt + +- name: Copy CA Certificate + ansible.builtin.copy: + src: secret_files/netmaker_server/ca/ca.crt + dest: /opt/netmaker_server/certs/ca.crt diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml index 549f657..465202b 100644 --- a/netmaker_server/tasks/rqlite.yml +++ b/netmaker_server/tasks/rqlite.yml 
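Review bot: `subject_alt_name: "DNS:*.{{ ansible_facts.nodename }},DNS:*.{{ netmaker.base_domain }}"` gives every node a certificate valid for every name under `base_domain`, so a single compromised node holds a key that can impersonate every service and every other node. Restricting each node's SAN to the names it actually serves (its own `netmaker-rqlite-*.{{ ansible_facts.nodename }}` entries, plus the `netmaker-api`/`netmaker-ui`/`netmaker-broker` names only on the node that fronts them) limits the blast radius. `Sign CSR locally with CA` also sets no `ownca_not_after`, so certificates get the module's default lifetime (presumably years) with no rotation path; an explicit value such as `ownca_not_after: "+365d"` makes expiry a deliberate decision.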
@@ -3,42 +3,6 @@ src: rqlite-config.json.template dest: /opt/netmaker_server/rqlite/config.json -# CERTIFICATE -- name: Generate PrivateKey - community.crypto.openssl_privatekey: - path: /opt/netmaker/rqlite/certs/node.key - -- name: Generate Certificate-Signing-Request from privateKey - community.crypto.openssl_csr: - path: /opt/netmaker/rqlite/certs/node.csr - privatekey_path: /opt/netmaker/rqlite/certs/node.key - common_name: "{{ ansible_facts.nodename }}" - -- name: Fetch CSR - ansible.builtin.fetch: - src: /opt/netmaker/rqlite/certs/node.csr - dest: tmp_files/ - -- name: Sign CSR locally with CA - local_action: community.crypto.x509_certificate - args: - path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt - csr_path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.csr - ownca_path: secret_files/netmaker_server/ca/ca.crt - ownca_privatekey_path: secret_files/netmaker_server/ca/ca.key - provider: ownca - -- name: Copy Signed Certificate - ansible.builtin.copy: - src: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt - dest: /opt/netmaker_server/rqlite/certs/node.crt - -- name: Copy CA Certificate - ansible.builtin.copy: - src: secret_files/netmaker_server/ca/ca.crt - dest: /opt/netmaker_server/rqlite/certs/ca.crt -# CERTIFICATE - - name: Start rqlite service for 1st-node command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite" register: command From d2d8ebd8cc150a8dbf46040cf21967290ea85613 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:46:41 +0200 Subject: [PATCH 07/23] Add missing nginx-file --- netmaker_server/tasks/nginx.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 netmaker_server/tasks/nginx.yml diff --git a/netmaker_server/tasks/nginx.yml b/netmaker_server/tasks/nginx.yml new file mode 100644 index 0000000..b93eee0 --- /dev/null +++ b/netmaker_server/tasks/nginx.yml 
@@ -0,0 +1,10 @@ +- name: Start nginx service + command: "docker-compose --project-directory /opt/netmaker_server/ up -d nginx" + register: command + failed_when: command.rc != 0 + +- name: Waiting for nginx to accept connections + ansible.builtin.wait_for: + host: "{{ inventory_hostname }}" + port: 51820 + state: started From 315f5a1805f22d97328993b09de5d47e8652fb91 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:47:10 +0200 Subject: [PATCH 08/23] Fix private_ip checking --- netmaker_server/tasks/prerequisites.yml | 1 - netmaker_server/templates/docker-compose.yml.template | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/netmaker_server/tasks/prerequisites.yml b/netmaker_server/tasks/prerequisites.yml index a9d91f9..90a1b86 100644 --- a/netmaker_server/tasks/prerequisites.yml +++ b/netmaker_server/tasks/prerequisites.yml @@ -7,4 +7,3 @@ - name: Check if default-ipv4-address is private set_fact: private_ipv4_address: "{{ ansible_facts.default_ipv4.address | regex_search('^((10)|(192\\.168)|(172\\.((1[6-9])|(2[0-9])|(3[0-1])))|(100))\\.') }}" - when: "netmaker.dynamicIp" diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index ec380dd..69b7b41 100644 --- a/netmaker_server/templates/docker-compose.yml.template +++ b/netmaker_server/templates/docker-compose.yml.template @@ -63,7 +63,7 @@ services: NODE_ID: "{{ ansible_facts.nodename }}" MASTER_KEY: "{{ netmaker.master_key }}" # The admin master key for accessing the API. Change this in any production installation. -{% if not private_ipv4_address %} +{% if not private_ipv4_address and not netmaker.dynamicIp %} SERVER_HOST: "{{ ansible_facts.default_ipv4.address }}" # Set to public IP of machine. {% endif %} SERVER_NAME: "netmaker-broker.{{ netmaker.base_domain }}" # The domain/host IP indicating the mq broker address From e4a2c5dd2f17899d38e85b2be673d3ad9a4778ca Mon Sep 17 00:00:00 2001 
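Review bot: `failed_when: command.rc != 0` on `Start nginx service` restates the `command` module's default, and the task has no `changed_when`, so every run reports a change even when `docker-compose up -d` did nothing; rqlite.yml and netmaker.yml use the same pattern. Either add a `changed_when` keyed on compose's output (docker-compose v1 prints `Creating`/`Starting`/`Recreating` on stderr, as far as I can tell) or use `community.docker.docker_compose` if that collection is available. `wait_for` with `host: "{{ inventory_hostname }}"` runs on the managed node and connects to itself by its inventory name, which only works when that name resolves there; `host: 127.0.0.1` removes the dependency.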
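Review bot: `{% if not private_ipv4_address and not netmaker.dynamicIp %}` raises an undefined-variable error for any host whose `netmaker` dict lacks the `dynamicIp` key; `not (netmaker.dynamicIp | default(false))` gives such hosts the static-IP behaviour instead. `dynamicIp` is also the only camelCase key in that dict next to `base_domain`, `master_key`, `rqlite_password` and `mq_admin_password`; `dynamic_ip` would match the rest. Dropping the `when` on the `set_fact` in prerequisites.yml is the right fix, since the template now reads `private_ipv4_address` unconditionally.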
From: Ruakij Date: Mon, 17 Oct 2022 22:48:49 +0200 Subject: [PATCH 09/23] Remove ports and add/change advertised adresses and ports --- .../templates/docker-compose.yml.template | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index 69b7b41..afce877 100644 --- a/netmaker_server/templates/docker-compose.yml.template +++ b/netmaker_server/templates/docker-compose.yml.template @@ -20,14 +20,17 @@ services: - "./rqlite/data:/rqlite/file" - "./rqlite/config.json:/config.json:ro" - "./certs:/certs:ro" - ports: - - 4001:4001 - - 4002:4002 # FIXME: "node-no-verify" Skipping certificate verification is bad! #-http-ca-cert /certs/ca.crt #-http-cert /certs/node.crt #-http-key /certs/node.key command: " + -http-adv-addr netmaker-rqlite-http.{{ ansible_facts.nodename }}:51820 + -raft-addr [::]:4002 + -raft-adv-addr netmaker-rqlite-cluster.{{ ansible_facts.nodename }}:51820 + + -http-ca-cert /certs/ca.crt + -node-encrypt -node-ca-cert /certs/ca.crt -node-cert /certs/node.crt @@ -38,7 +41,7 @@ services: {% if inventory_hostname != groups['netmaker'][0] %} -join-as netmaker - -join http://{{ groups['netmaker'][0] }}:4001 + -join https://netmaker-rqlite-http.{{ groups['netmaker'][0] }}:51820 {% endif %} " # FIXME: /\ \/ Change http -> https 
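Review bot: `-http-ca-cert /certs/ca.crt` is added to the rqlite command while `-http-cert`/`-http-key` stay commented out, so rqlite's own HTTP API still serves plaintext; that only works because `-http-adv-addr` now advertises the nginx front end on 51820, and a comment stating that would help the next reader. The `# FIXME: /\ \/ Change http -> https` context line is now stale, because `-join https://netmaker-rqlite-http.{{ groups['netmaker'][0] }}:51820` already uses https; update or remove it. That join URL is built from the inventory hostname while certs.yml issues the SAN for `*.{{ ansible_facts.nodename }}`; if the two differ, verification fails unless the `-node-no-verify` flag from patch 01 (not shown in this hunk) still masks it, which is the FIXME worth keeping.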
@@ -84,7 +87,7 @@ services: MQ_HOST: "mosquitto" # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container. MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine) - MQ_PORT: "8883" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose) + MQ_PORT: "51820" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose) MQ_ADMIN_PASSWORD: "{{ netmaker.mq_admin_password }}" HOST_NETWORK: "off" # whether or not host networking is turned on. Only turn on if configured for host networking (see docker-compose.hostnetwork.yml). Will set host-level settings like iptables. @@ -102,7 +105,6 @@ services: TELEMETRY: "off" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry. ports: - "51821-51830:51821-51830/udp" # wireguard ports - - "8081:8081" # api port {# labels: # only for use with traefik proxy (default) - traefik.enable=true - traefik.http.routers.netmaker-api.rule=Host(`netmaker-api.{{ netmaker.base_domain }}`) @@ -118,8 +120,6 @@ services: environment: #BACKEND_URL: "http://netmaker-api.{{ netmaker.base_domain }}:8081" # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT BACKEND_URL: "http://tranio.ruekov.eu:8081" - ports: - - 8082:80 {# labels: - traefik.enable=true - traefik.http.middlewares.nmui-security.headers.accessControlAllowOriginList=netmaker-dashboard.{{ netmaker.base_domain }} 
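Review bot: Removing `- "8081:8081"` from the netmaker service breaks two consumers this commit leaves untouched: netmaker.yml still runs `wait_for` on port 8081 and POSTs to `http://netmaker-api.{{ netmaker.base_domain }}:8081/api/networks`, and the UI's `BACKEND_URL: "http://tranio.ruekov.eu:8081"` in the next hunk still targets that port. Point both at the nginx front end, e.g. `BACKEND_URL: "https://netmaker-api.{{ netmaker.base_domain }}:51820"` and `url: 'https://netmaker-api.{{ netmaker.base_domain }}:51820/api/networks'` with `ca_path` set to the role's CA, or run the `uri` check against the container directly. `MQ_PORT: "51820"` is consistent with reaching the broker through the SNI router, provided the missing TLS configuration on mosquitto's 8883 listener is resolved.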
@@ -148,8 +148,6 @@ services: - ./mosquitto/config:/mosquitto/config - ./mosquitto/data:/mosquitto/data - ./mosquitto/logs:/mosquitto/log - ports: - - "8883:8883" depends_on: - netmaker command: ["/mosquitto/config/wait.sh"] From 6168ba2b0a03e396151ce5e3175f89fc02593369 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:48:58 +0200 Subject: [PATCH 10/23] Add missing dependency --- netmaker_server/templates/docker-compose.yml.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index afce877..b64ec8f 100644 --- a/netmaker_server/templates/docker-compose.yml.template +++ b/netmaker_server/templates/docker-compose.yml.template @@ -48,6 +48,8 @@ services: netmaker: # The Primary Server for running Netmaker image: gravitl/netmaker:v0.16.1 + depends_on: + - rqlite cap_add: - NET_ADMIN - NET_RAW From c94168fb30cd0f38c5e07e17b3080f4285393afb Mon Sep 17 00:00:00 2001 From: Ruakij Date: Mon, 17 Oct 2022 22:49:20 +0200 Subject: [PATCH 11/23] Comment-in connection-check todo: change check to http --- netmaker_server/tasks/rqlite.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml index 465202b..182804a 100644 --- a/netmaker_server/tasks/rqlite.yml +++ b/netmaker_server/tasks/rqlite.yml 
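Review bot: `depends_on: - rqlite` only orders container creation; it does not wait for rqlite to accept connections, so netmaker may still start before `SQL_CONN` is reachable and rely on `restart: unless-stopped` to recover. The 3.x compose file format used here does not honour `condition: service_healthy` under docker-compose v1, as far as I recall, so either add a `healthcheck` to rqlite and move to a format that honours it, or keep an Ansible-side readiness wait before `docker-compose up -d`. A short comment on the `depends_on` line noting that it is ordering only would set expectations.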
@@ -9,12 +9,12 @@ failed_when: command.rc != 0 when: "inventory_hostname == groups['netmaker_server'][0]" -- name: Waiting for rqlite to accept connections on 1st-node - ansible.builtin.wait_for: - host: "{{ inventory_hostname }}" - port: 4001 - state: started - when: "inventory_hostname == groups['netmaker_server'][0]" +# - name: Waiting for rqlite to accept connections on 1st-node +# ansible.builtin.wait_for: +# host: "{{ inventory_hostname }}" +# port: 4001 +# state: started +# when: "inventory_hostname == groups['netmaker_server'][0]" - name: Start rqlite service for other nodes command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite" @@ -22,9 +22,9 @@ failed_when: command.rc != 0 when: "inventory_hostname != groups['netmaker_server'][0]" -- name: Waiting for rqlite to accept connections on other nodes - ansible.builtin.wait_for: - host: "{{ inventory_hostname }}" - port: 4001 - state: started - when: "inventory_hostname != groups['netmaker_server'][0]" +# - name: Waiting for rqlite to accept connections on other nodes +# ansible.builtin.wait_for: +# host: "{{ inventory_hostname }}" +# port: 4001 +# state: started +# when: "inventory_hostname != groups['netmaker_server'][0]" From 6d5c86927d5008d1d07185f424235e0ba895889f Mon Sep 17 00:00:00 2001 From: Ruakij Date: Tue, 18 Oct 2022 12:33:25 +0200 Subject: [PATCH 12/23] Make diagram more readable --- .../files/opt/netmaker_server/docs/architecture.puml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml index b2aaf2e..c48a070 100644 --- a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml +++ b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml 
@@ -15,10 +15,10 @@ component netmaker_server { ng_stream -down-( mq_tls component rqlite - rqlite -up- rq_http + rqlite -right- rq_http rqlite -up- rq_cluster ng_stream --down-( rq_cluster - ng_http --down-( rq_http + ng_http -down-( rq_http component nm_ui nm_ui -up- nm_ui_http @@ -27,7 +27,7 @@ component netmaker_server { component nm_api nm_api -up- nm_api_http ng_http -down-( nm_api_http - nm_api --( rq_http + nm_api -( rq_http } ng_TLS -down- ng_stream From 772dc3a620d0c5d2301f51ed70dce0c1b11b8304 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Thu, 20 Oct 2022 08:32:49 +0200 Subject: [PATCH 13/23] Move TLS-point outside of netmaker-system --- .../files/opt/netmaker_server/docs/architecture.puml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml index c48a070..71ded73 100644 --- a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml +++ b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml @@ -1,10 +1,14 @@ @startuml +interface ng_TLS + component netmaker_server { component nginx { component ng_stream component ng_http + ng_stream -up- ng_TLS + ng_stream -right-> ng_http : tls-termination } @@ -29,6 +33,5 @@ component netmaker_server { ng_http -down-( nm_api_http nm_api -( rq_http } -ng_TLS -down- ng_stream @enduml From e022a6e9f06e0ff32f5e9ad24d7e225d428c6366 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Thu, 20 Oct 2022 08:34:35 +0200 Subject: [PATCH 14/23] Restructure to make better looking --- .../netmaker_server/docs/architecture.puml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml index 71ded73..af8c6bd 100644 --- a/netmaker_server/files/opt/netmaker_server/docs/architecture.puml 
+++ b/netmaker_server/files/opt/netmaker_server/docs/architecture.puml @@ -12,26 +12,26 @@ component netmaker_server { ng_stream -right-> ng_http : tls-termination } + component nm_ui + nm_ui -up- nm_ui_http + ng_http -down-( nm_ui_http + component Mosquitto Mosquitto -up- mq_plain Mosquitto -up- mq_tls - ng_stream -down-( mq_tls component rqlite - rqlite -right- rq_http + rqlite -up- rq_http rqlite -up- rq_cluster - ng_stream --down-( rq_cluster + ng_stream -down-( rq_cluster ng_http -down-( rq_http - component nm_ui - nm_ui -up- nm_ui_http - ng_http -down-( nm_ui_http - component nm_api - nm_api -up- nm_api_http - ng_http -down-( nm_api_http - nm_api -( rq_http + nm_api -down- nm_api_http + ng_http --( nm_api_http + nm_api -up-( ng_TLS : db-connection to rqlite-master + nm_api --( mq_plain } @enduml From 7453f1e616c947c3e2ec10445c54b503f632f103 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 08:31:05 +0200 Subject: [PATCH 15/23] Move variables to defaults-folder --- netmaker_server/defaults/credentials.yml | 5 +++++ netmaker_server/defaults/main.yml | 28 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 netmaker_server/defaults/credentials.yml create mode 100644 netmaker_server/defaults/main.yml diff --git a/netmaker_server/defaults/credentials.yml b/netmaker_server/defaults/credentials.yml new file mode 100644 index 0000000..3a01343 --- /dev/null +++ b/netmaker_server/defaults/credentials.yml @@ -0,0 +1,5 @@ +netmaker_creds: + rqlite_password: + mq_admin_password: + + master_key: diff --git a/netmaker_server/defaults/main.yml b/netmaker_server/defaults/main.yml new file mode 100644 index 0000000..5785308 --- /dev/null +++ b/netmaker_server/defaults/main.yml 
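Review bot: `rqlite_password`, `mq_admin_password` and `master_key` under `netmaker_creds` are declared with no value, so the role now ships a null default for every secret it later templates into `MASTER_KEY`, `SQL_CONN`, `MQ_ADMIN_PASSWORD` and `rqlite-config.json`. A forgotten override will most likely render a fixed, predictable string into those files rather than stop the play, which for `MASTER_KEY` means a guessable admin credential on a listener that nginx exposes on the public TLS port. Either leave these keys out of defaults so an undefined variable fails templating loudly, or guard before the compose file is written, e.g. `- ansible.builtin.assert:` with `that: "netmaker_creds.master_key is string and netmaker_creds.master_key | length > 0"` and the same test for the two passwords.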
@@ -0,0 +1,28 @@ +# Overwrite for specific nodes to force dynamic-ip (disable setting public-ip and forces external lookup for public-ip) +# When false, will check itself for dynamic-ip (based on private-ip) +netmaker_dynamicIp: false + +netmaker_nginx: + # Listen-port + tls_port: 51820 + # Advertise-Port for services + # (must also be reachable by internal services!) + advertise_port: 51820 + +# This is the base-domain used for generating hostnames for services +netmaker_base_domain: + +# host + base_domain +netmaker_api: + host: netmaker-api +netmaker_ui: + host: netmaker-ui +# MQTT-broker +netmaker_broker: + tls_host: netmaker-broker + +# host + node_hostname +netmaker_rqlite: + http_host: netmaker-rqlite-http + cluster_host: netmaker-rqlite-cluster + From bb3d3630946626ef79b6569315b5eef23b7c7752 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 08:33:08 +0200 Subject: [PATCH 16/23] Created nginx-config-file-templates --- .../nginx/conf/stream.d/passthrough.conf | 24 ----- netmaker_server/tasks/nginx.yml | 8 ++ .../templates/docker-compose.yml.template | 98 +++++-------------- .../templates/nginx/passthrough.conf.template | 34 +++++++ .../nginx/proxy.conf.template} | 9 +- .../templates/rqlite-config.json.template | 2 +- 6 files changed, 71 insertions(+), 104 deletions(-) delete mode 100644 netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf create mode 100644 netmaker_server/templates/nginx/passthrough.conf.template rename netmaker_server/{files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf => templates/nginx/proxy.conf.template} (54%) diff --git a/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf b/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf deleted file mode 100644 index 8077e4e..0000000 --- a/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf +++ /dev/null 
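Review bot: `netmaker_base_domain:` is declared with no value although every service hostname in this series is built as `<host>.{{ netmaker_base_domain }}` (nginx maps, certificate SANs, `BACKEND_URL`, the `uri` checks). With a null default those render to a malformed name instead of failing, so a missing override only surfaces much later as a DNS or TLS error; an `ansible.builtin.assert` that the variable is a non-empty string, or simply leaving it undefined so templating fails, would make the requirement explicit. As a style point, `netmaker_dynamicIp` is the only camelCase key in a file that otherwise uses snake_case (`tls_port`, `advertise_port`, `http_host`); `netmaker_dynamic_ip` would match. The header comment `Overwrite for specific nodes` reads more naturally as `Override for specific nodes`.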
@@ -1,24 +0,0 @@ -stream{ - map $ssl_preread_server_name $name { - hostnames; # Use hostnames as map? - - netmaker-ui.* 127.0.0.1:8443; - netmaker-api.* 127.0.0.1:8443; - - netmaker-broker.* mosquitto:8883; # todo: tls-terminate? - - netmaker-rqlite-http.* 127.0.0.1:8443; - netmaker-rqlite-cluster.* rqlite:4002; - - default 127.0.0.1:1; - } - - server { - resolver 127.0.0.11; # Explicitly set docker-resolver - - listen 443; - ssl_preread on; - - proxy_pass $name; - } -} diff --git a/netmaker_server/tasks/nginx.yml b/netmaker_server/tasks/nginx.yml index b93eee0..786cf6c 100644 --- a/netmaker_server/tasks/nginx.yml +++ b/netmaker_server/tasks/nginx.yml @@ -1,3 +1,11 @@ +- name: Deploy nginx configs + template: + src: "{{item.src}}" + dest: "{{item.dst}}" + loop: + - { src: 'nginx/proxy.conf.template', dst: '/opt/netmaker_server/nginx/conf/conf.d/proxy.conf' } + - { src: 'nginx/passthrough.conf.template', dst: '/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf' } + - name: Start nginx service command: "docker-compose --project-directory /opt/netmaker_server/ up -d nginx" register: command diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index b64ec8f..d7fbfc9 100644 --- a/netmaker_server/templates/docker-compose.yml.template +++ b/netmaker_server/templates/docker-compose.yml.template @@ -10,7 +10,7 @@ services: - ./nginx/conf/stream.d/:/etc/nginx/stream.d:ro # conf.d - ./certs:/certs:ro # SSL-certificates ports: - - 51820:443 + - {{ netmaker_nginx.tls_port }}:443 rqlite: # Distributed sqlite-db image: rqlite/rqlite 
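Review bot: The new `Deploy nginx configs` task writes the templates but nothing restarts nginx when they change; the following `docker-compose … up -d nginx` leaves an already running container untouched when only a bind-mounted file differs, so a config change on a re-run is not applied until something else recreates the container. Register the template result, e.g. `register: nginx_conf`, and add a `command: "docker-compose --project-directory /opt/netmaker_server/ restart nginx"` with `when: nginx_conf.changed` after the start task (or a handler, if the role adopts them). The task also uses the short `template:` name while other tasks in the role use fully qualified names (`ansible.builtin.fetch`, `community.crypto.openssl_csr`); pick one form.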
@@ -20,14 +20,11 @@ services: - "./rqlite/data:/rqlite/file" - "./rqlite/config.json:/config.json:ro" - "./certs:/certs:ro" - # FIXME: "node-no-verify" Skipping certificate verification is bad! - #-http-ca-cert /certs/ca.crt - #-http-cert /certs/node.crt - #-http-key /certs/node.key + - ./certs/ca.crt:/etc/ssl/certs/netmaker-ca.pem:ro # Add CA to system-trust-store command: " - -http-adv-addr netmaker-rqlite-http.{{ ansible_facts.nodename }}:51820 + -http-adv-addr {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }} -raft-addr [::]:4002 - -raft-adv-addr netmaker-rqlite-cluster.{{ ansible_facts.nodename }}:51820 + -raft-adv-addr {{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }} -http-ca-cert /certs/ca.crt @@ -41,7 +38,7 @@ services: {% if inventory_hostname != groups['netmaker'][0] %} -join-as netmaker - -join https://netmaker-rqlite-http.{{ groups['netmaker'][0] }}:51820 + -join https://{{ netmaker_rqlite.http_host }}.{{ groups['netmaker'][0] }}:{{ netmaker_nginx.advertise_port }} {% endif %} " # FIXME: /\ \/ Change http -> https 
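Review bot: The removed `# FIXME: "node-no-verify" Skipping certificate verification is bad!` marker was the only reminder that rqlite still runs with `-node-no-verify`; the flag itself is not touched here and is still present as context in PATCH 23/23 of this series, so deleting the comment hides an open issue rather than closing it. Now that `ca.crt` is mounted into the container the verification can actually be turned on, so I would either drop `-node-no-verify` from the command in the same change or keep the FIXME until that is done. The mount of a single PEM into `/etc/ssl/certs/` relies on the image's TLS stack scanning that directory rather than only a bundle file — Go's root loader does so on Linux, but confirm it for the `rqlite/rqlite` image before relying on it. The `command:` block continues past the end of this hunk.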
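Review bot: The trailing `# FIXME: /\ \/ Change http -> https` comment now sits directly under a `-join https://…` line, and as far as this hunk shows no plain `http://` is left in the command, so the marker appears stale after this change; either delete it or rewrite it to name what still needs changing. A FIXME that points at nothing trains readers to skip the real ones, such as the node-verification issue earlier in the same `command:` block.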
@@ -63,17 +60,18 @@ services: volumes: # Volume mounts necessary for sql, coredns, and mqtt - ./dnsconfig/:/root/config/dnsconfig - ./mosquitto/data/:/etc/netmaker/ + - ./certs/ca.crt:/etc/ssl/certs/netmaker-ca.pem:ro # Add CA to system-trust-store hostname: "{{ ansible_facts.nodename }}" environment: # Necessary capabilities to set iptables when running in container NODE_ID: "{{ ansible_facts.nodename }}" - MASTER_KEY: "{{ netmaker.master_key }}" # The admin master key for accessing the API. Change this in any production installation. + MASTER_KEY: "{{ netmaker_creds.master_key }}" # The admin master key for accessing the API. Change this in any production installation. -{% if not private_ipv4_address and not netmaker.dynamicIp %} +{% if not private_ipv4_address and not netmaker_dynamicIp %} SERVER_HOST: "{{ ansible_facts.default_ipv4.address }}" # Set to public IP of machine. {% endif %} - SERVER_NAME: "netmaker-broker.{{ netmaker.base_domain }}" # The domain/host IP indicating the mq broker address - SERVER_HTTP_HOST: "netmaker-api.{{ netmaker.base_domain }}" # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks. - SERVER_API_CONN_STRING: "netmaker-api.{{ netmaker.base_domain }}:8081" + SERVER_NAME: "{{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }}" # The domain/host IP indicating the mq broker address + SERVER_HTTP_HOST: "{{ netmaker_api.host }}.{{ netmaker_base_domain }}" # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks. + SERVER_API_CONN_STRING: "{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}" DISABLE_REMOTE_IP_CHECK: "off" # If turned "on", Server will not set Host based on remote IP check. This is already overridden if SERVER_HOST is set. Turned "off" by default. DNS_MODE: "off" # Enables DNS Mode, meaning all nodes will set hosts file for private dns settings. 
@@ -85,32 +83,28 @@ services: DISPLAY_KEYS: "on" # Show keys permanently in UI (until deleted) as opposed to 1-time display. DATABASE: "rqlite" - SQL_CONN: "http://netmaker:{{ netmaker.rqlite_password }}@rqlite:4001/" + SQL_CONN: "https://netmaker:{{ netmaker_creds.rqlite_password }}@{{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }}/" - MQ_HOST: "mosquitto" # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container. - MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine) - MQ_PORT: "51820" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose) - MQ_ADMIN_PASSWORD: "{{ netmaker.mq_admin_password }}" + MQ_HOST: "mosquitto" # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container. + MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine) + MQ_PORT: "{{ netmaker_nginx.advertise_port }}" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose) + MQ_ADMIN_PASSWORD: "{{ netmaker_creds.mq_admin_password }}" HOST_NETWORK: "off" # whether or not host networking is turned on. Only turn on if configured for host networking (see docker-compose.hostnetwork.yml). Will set host-level settings like iptables. 
PORT_FORWARD_SERVICES: "" # decide which services to port forward ("dns","ssh", or "mq") # this section is for OAuth - AUTH_PROVIDER: "" # "" - CLIENT_ID: "" # "" - CLIENT_SECRET: "" # "" - FRONTEND_URL: "" # "https://dashboard." - AZURE_TENANT: "" # "" - OIDC_ISSUER: "" # https://oidc.yourprovider.com - URL of oidc provider + AUTH_PROVIDER: "" # "" + CLIENT_ID: "" # "" + CLIENT_SECRET: "" # "" + FRONTEND_URL: "" # "https://dashboard." + AZURE_TENANT: "" # "" + OIDC_ISSUER: "" # https://oidc.yourprovider.com - URL of oidc provider VERBOSITY: "1" # logging verbosity level - 1, 2, or 3 TELEMETRY: "off" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry. ports: - "51821-51830:51821-51830/udp" # wireguard ports -{# labels: # only for use with traefik proxy (default) - - traefik.enable=true - - traefik.http.routers.netmaker-api.rule=Host(`netmaker-api.{{ netmaker.base_domain }}`) - - traefik.http.services.netmaker-api.loadbalancer.server.port=8081 #} netmaker-ui: # The Netmaker UI Component image: gravitl/netmaker-ui:v0.16.1 
@@ -120,28 +114,7 @@ services: - "netmaker:api" restart: unless-stopped environment: - #BACKEND_URL: "http://netmaker-api.{{ netmaker.base_domain }}:8081" # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT - BACKEND_URL: "http://tranio.ruekov.eu:8081" -{# labels: - - traefik.enable=true - - traefik.http.middlewares.nmui-security.headers.accessControlAllowOriginList=netmaker-dashboard.{{ netmaker.base_domain }} - - traefik.http.middlewares.nmui-security.headers.stsSeconds=31536000 - - traefik.http.middlewares.nmui-security.headers.browserXssFilter=true - - traefik.http.middlewares.nmui-security.headers.customFrameOptionsValue=SAMEORIGIN - - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.X-Robots-Tag=none - - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.Server= # Remove the server name - - traefik.http.routers.netmaker-ui.middlewares=nmui-security@docker - - traefik.http.routers.netmaker-ui.rule=Host(`netmaker-dashboard.{{ netmaker.base_domain }}`) - - traefik.http.services.netmaker-ui.loadbalancer.server.port=80 #} - - {# coredns: # The DNS Server. CoreDNS can be removed unless doing special advanced use cases - image: coredns/coredns - command: -conf /root/dnsconfig/Corefile - depends_on: - - netmaker - restart: unless-stopped - volumes: - - ./dnsconfig/:/root/dnsconfig #} + BACKEND_URL: "https://{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}" # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT mosquitto: # the MQTT broker for netmaker image: eclipse-mosquitto:2.0.11-openssl 
@@ -155,28 +128,3 @@ services: command: ["/mosquitto/config/wait.sh"] environment: NETMAKER_SERVER_HOST: "http://netmaker:8081" -{# labels: - - traefik.enable=true - - traefik.tcp.routers.mqtts.rule=HostSNI(`netmaker-broker.{{ netmaker.base_domain }}`) - - traefik.tcp.routers.mqtts.tls.passthrough=true - - traefik.tcp.services.mqtts-svc.loadbalancer.server.port=8883 #} - - {# traefik: # the default proxy - can be replaced with caddy or nginx, but requires careful configuration - image: traefik:v2.6 - command: - - "--certificatesresolvers.http.acme.email=YOUR_EMAIL" - - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json" - - "--certificatesresolvers.http.acme.tlschallenge=true" - - "--entrypoints.websecure.address=:443" - - "--entrypoints.websecure.http.tls=true" - - "--entrypoints.websecure.http.tls.certResolver=http" - - "--log.level=INFO" - - "--providers.docker=true" - - "--providers.docker.exposedByDefault=false" - - "--serverstransport.insecureskipverify=true" - restart: unless-stopped - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - traefik_certs:/letsencrypt - ports: - - "443:443" #} diff --git a/netmaker_server/templates/nginx/passthrough.conf.template b/netmaker_server/templates/nginx/passthrough.conf.template new file mode 100644 index 0000000..9abbb70 --- /dev/null +++ b/netmaker_server/templates/nginx/passthrough.conf.template 
@@ -0,0 +1,34 @@ +stream{ + # Map target-hosts based on hostname + map $ssl_preread_server_name $target_host { + hostnames; # Enable matching including prefix/suffix-mask + + {{ netmaker_ui.host }}.{{ netmaker_base_domain }} 127.0.0.1:8443; + {{ netmaker_api.host }}.{{ netmaker_base_domain }} 127.0.0.1:8443; + + {{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }} mosquitto:8883; # todo: tls-terminate? + + {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }} 127.0.0.1:8443; + {{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }} rqlite:4002; + + default 127.0.0.1:1; + } + + # Enable Proxy-Protocol for local calls + map $target_host $proxy_protocol_enabled { + hostnames; + + 127.0.0.1* on; + default off; + } + + server { + resolver 127.0.0.11; # Explicitly set docker-resolver + + listen 443; + ssl_preread on; + + proxy_protocol $proxy_protocol_enabled; + proxy_pass $name; + } +} diff --git a/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf b/netmaker_server/templates/nginx/proxy.conf.template similarity index 54% rename from netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf rename to netmaker_server/templates/nginx/proxy.conf.template index f97d9fb..a483952 100644 --- a/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf +++ b/netmaker_server/templates/nginx/proxy.conf.template @@ -1,9 +1,10 @@ map $host $proxy_name { hostnames; - netmaker-ui.* netmaker-ui:80; - netmaker-api.* netmaker:80; - netmaker-rqlite-http.* rqlite:4001; + {{ netmaker_ui.host }}.{{ netmaker_base_domain }} netmaker-ui:80; + {{ netmaker_api.host }}.{{ netmaker_base_domain }} netmaker:8081; + + {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }} rqlite:4001; default 444; } @@ -11,7 +12,7 @@ map $host $proxy_name { server { resolver 127.0.0.11; # Explicitly set docker-resolver - listen 8443 ssl; + listen 8443 ssl proxy_protocol; ssl_certificate /certs/node.crt; ssl_certificate_key /certs/node.key; 
diff --git a/netmaker_server/templates/rqlite-config.json.template b/netmaker_server/templates/rqlite-config.json.template
index 5460bef..940de70 100644
--- a/netmaker_server/templates/rqlite-config.json.template
+++ b/netmaker_server/templates/rqlite-config.json.template
@@ -1,5 +1,5 @@
 [{
 "username": "netmaker",
- "password": "{{ netmaker.rqlite_password }}",
+ "password": "{{ netmaker_creds.rqlite_password }}",
 "perms": ["all"]
 }]
From 3890007042e2bf166b4fe7a029d0be86105acf4a Mon Sep 17 00:00:00 2001
From: Ruakij
Date: Fri, 21 Oct 2022 08:42:11 +0200
Subject: [PATCH 17/23] Use more specific hostnames in cert
---
 netmaker_server/tasks/certs.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/netmaker_server/tasks/certs.yml b/netmaker_server/tasks/certs.yml
index 86311ee..c47454f 100644
--- a/netmaker_server/tasks/certs.yml
+++ b/netmaker_server/tasks/certs.yml
@@ -7,7 +7,12 @@
 path: /opt/netmaker_server/certs/node.csr
 privatekey_path: /opt/netmaker_server/certs/node.key
 common_name: "{{ ansible_facts.nodename }}"
- subject_alt_name: "DNS:*.{{ ansible_facts.nodename }},DNS:*.{{ netmaker.base_domain }}"
+ subject_alt_name:
+ "DNS:{{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }},\
+ DNS:{{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }},\
+ DNS:{{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }},\
+ DNS:{{ netmaker_api.host }}.{{ netmaker_base_domain }},\
+ DNS:{{ netmaker_ui.host }}.{{ netmaker_base_domain }}"
 - name: Fetch CSR
 ansible.builtin.fetch:
From 83b50c10cd040445f2ee4cefa30bad6ca8eec6b9 Mon Sep 17 00:00:00 2001
From: Ruakij
Date: Fri, 21 Oct 2022 08:42:37 +0200
Subject: [PATCH 18/23] Use new variables and fix requests
---
 netmaker_server/tasks/netmaker.yml | 48 +++++++++++++++++++++++-------
 netmaker_server/tasks/rqlite.yml | 36 ++++++++++++++--------
 2 files changed, 62 insertions(+), 22 deletions(-)
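Review bot: `subject_alt_name` is assembled as one double-quoted scalar held together by backslash line continuations, which is fragile to edit and hard to diff entry by entry; `community.crypto.openssl_csr` documents the option as a list, so making `subject_alt_name:` a YAML list with one `- "DNS:{{ … }}"` entry per name is both clearer and harder to get wrong. With the wildcards gone, `common_name: "{{ ansible_facts.nodename }}"` is no longer covered by any SAN; modern clients ignore the CN so this is fine, but a comment such as `# CN is informational only; clients match the SANs below` would pre-empt the question. Note also that a single certificate now names every service (rqlite http/cluster, broker, api, ui), so wherever its key is readable all of those identities travel with it.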
diff --git a/netmaker_server/tasks/netmaker.yml b/netmaker_server/tasks/netmaker.yml
index 961e0d1..fe4f3e4 100644
--- a/netmaker_server/tasks/netmaker.yml
+++ b/netmaker_server/tasks/netmaker.yml
@@ -4,26 +4,54 @@
 failed_when: command.rc != 0
 - name: Wait for netmaker-api to become available
- ansible.builtin.wait_for:
- host: "{{ inventory_hostname }}"
- port: 8081
- state: started
- when: "inventory_hostname == groups['netmaker'][0]"
+ uri:
+ url: 'https://{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}'
+ return_content: yes
+ validate_certs: no
+ status_code:
+ - 404
+ until: uri_output.status == 404
+ retries: 24 # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
+ delay: 5 # Every 5 seconds
+ register: uri_output
+
+ # todo: check if exists?
 - name: Create default mesh-network 'server'
 uri:
- url: 'http://netmaker-api.{{ netmaker.base_domain }}:8081/api/networks'
+ validate_certs: no
+ url: 'https://{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}/api/networks'
 method: POST
 body:
- netid: servers
+ netid: servnet
 addressrange: 10.92.0.0/24
 addressrange6: fd92::/64
 body_format: json
 headers:
- Authorization: 'Bearer {{ netmaker.master_key }}'
+ Authorization: 'Bearer {{ netmaker_creds.master_key }}'
+ Content-Type: application/json
+ when: "inventory_hostname == groups['netmaker'][0]"
+ register: default_mesh
+ until: "default_mesh is not failed"
+ retries: 2
+ delay: 10
+
+ # todo: check if exists?
+
+ - name: Create token for default-network
+ uri:
+ validate_certs: no
+ url: 'https://{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}/api/networks/servnet/keys' # todo: do implementation
+ method: POST
+ body:
+ name: ""
+ uses: 0
+ body_format: json
+ headers:
+ Authorization: 'Bearer {{ netmaker_creds.master_key }}'
 Content-Type: application/json
 when: "inventory_hostname == groups['netmaker'][0]"
- register: default_mesh_ok
- until: "default_mesh_ok is not failed"
+ register: default_mesh_key
+ until: "default_mesh_key is not failed"
 retries: 2
 delay: 10
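Review bot: All three new `uri` tasks set `validate_certs: no`, and two of them send `Authorization: 'Bearer {{ netmaker_creds.master_key }}'`, so the admin master key goes over a TLS connection whose peer is never checked; the role issues its own CA (the compose template mounts `./certs/ca.crt` from `/opt/netmaker_server/`), so the fix is `validate_certs: yes` plus `ca_path: /opt/netmaker_server/certs/ca.crt` on each task, assuming `node.crt` is issued by that CA. The two POST tasks also need `no_log: true`: the header carries the master key and the registered `default_mesh_key` result contains the freshly created access key, both of which otherwise end up in verbose output and callback logs. The `# todo: check if exists?` markers and `# todo: do implementation` mean these tasks are not idempotent yet — a second run POSTs the same `netid: servnet` again and, depending on the API's answer, fails only after the `until … is not failed` retries; a GET for the network with a `when` guard would be the cleaner shape. If the key-creation task is deliberately provisional, say so in its `name` rather than in a trailing comment on the URL.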
diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml
index 182804a..956e787 100644
--- a/netmaker_server/tasks/rqlite.yml
+++ b/netmaker_server/tasks/rqlite.yml
@@ -9,12 +9,18 @@
 failed_when: command.rc != 0
 when: "inventory_hostname == groups['netmaker_server'][0]"
-# - name: Waiting for rqlite to accept connections on 1st-node
-# ansible.builtin.wait_for:
-# host: "{{ inventory_hostname }}"
-# port: 4001
-# state: started
-# when: "inventory_hostname == groups['netmaker_server'][0]"
+- name: Waiting for rqlite to accept connections on 1st-node
+ uri:
+ url: 'https://{{ netmaker_rqlite.http_host }}.{{ inventory_hostname }}:{{ netmaker_nginx.advertise_port }}/status'
+ return_content: yes
+ validate_certs: no
+ status_code:
+ - 401
+ until: uri_output.status == 401
+ retries: 24 # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
+ delay: 5 # Every 5 seconds
+ register: uri_output
+ when: "inventory_hostname == groups['netmaker_server'][0]"
 - name: Start rqlite service for other nodes
 command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite"
@@ -22,9 +28,15 @@
 failed_when: command.rc != 0
 when: "inventory_hostname != groups['netmaker_server'][0]"
-# - name: Waiting for rqlite to accept connections on other nodes
-# ansible.builtin.wait_for:
-# host: "{{ inventory_hostname }}"
-# port: 4001
-# state: started
-# when: "inventory_hostname != groups['netmaker_server'][0]"
+- name: Waiting for rqlite to accept connections on other nodes
+ uri:
+ url: 'https://{{ netmaker_rqlite.http_host }}.{{ inventory_hostname }}:{{ netmaker_nginx.advertise_port }}/status'
+ return_content: yes
+ validate_certs: no
+ status_code:
+ - 401
+ until: uri_output.status == 401
+ retries: 24 # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
+ delay: 5 # Every 5 seconds
+ register: uri_output
+ when: "inventory_hostname != groups['netmaker_server'][0]"
From 06bdae380b7336032e16b821a86b5db04794cb62 Mon Sep 17 00:00:00 2001
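Review bot: The first node is selected here with `groups['netmaker_server'][0]` (in both new waits and the `when` on the start tasks), while `tasks/netmaker.yml` and the compose template's `-join https://…{{ groups['netmaker'][0] }}` use `groups['netmaker'][0]`; unless both inventory groups always hold the same hosts in the same order, the node that brings rqlite up first is not the node the others are told to join, and the cluster never forms. Settle on one group name across the role, or a single variable for the bootstrap host, and reference it from both task files and the template. Both waits use `validate_certs: no` against the role's own CA; `validate_certs: yes` with `ca_path: /opt/netmaker_server/certs/ca.crt` works equally well here and surfaces a mis-issued certificate at the earliest possible point. Both tasks also register into `uri_output`, the same name the netmaker wait uses, which is harmless but confusing when debugging `status` values; a distinct name such as `rqlite_status` would help. The same group mismatch applies to the second hunk in this file.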
From: Ruakij Date: Fri, 21 Oct 2022 11:45:12 +0200 Subject: [PATCH 19/23] Revert proxy-protocol-matching --- .../templates/nginx/passthrough.conf.template | 9 --------- 1 file changed, 9 deletions(-) diff --git a/netmaker_server/templates/nginx/passthrough.conf.template b/netmaker_server/templates/nginx/passthrough.conf.template index 9abbb70..b2a5e1d 100644 --- a/netmaker_server/templates/nginx/passthrough.conf.template +++ b/netmaker_server/templates/nginx/passthrough.conf.template @@ -14,21 +14,12 @@ stream{ default 127.0.0.1:1; } - # Enable Proxy-Protocol for local calls - map $target_host $proxy_protocol_enabled { - hostnames; - - 127.0.0.1* on; - default off; - } - server { resolver 127.0.0.11; # Explicitly set docker-resolver listen 443; ssl_preread on; - proxy_protocol $proxy_protocol_enabled; proxy_pass $name; } } From ec98188a241c023e338481391ef47dc5202a1813 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 14:20:26 +0200 Subject: [PATCH 20/23] Fix variable name --- netmaker_server/templates/nginx/passthrough.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netmaker_server/templates/nginx/passthrough.conf.template b/netmaker_server/templates/nginx/passthrough.conf.template index b2a5e1d..5ae1882 100644 --- a/netmaker_server/templates/nginx/passthrough.conf.template +++ b/netmaker_server/templates/nginx/passthrough.conf.template @@ -20,6 +20,6 @@ stream{ listen 443; ssl_preread on; - proxy_pass $name; + proxy_pass $target_host; } } From 806b41b73e6797fbb40860c857eff3ce539b51f9 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 14:22:38 +0200 Subject: [PATCH 21/23] Fix proxy-protocol being expected --- netmaker_server/templates/nginx/proxy.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netmaker_server/templates/nginx/proxy.conf.template b/netmaker_server/templates/nginx/proxy.conf.template index a483952..4ce74a3 100644 
--- a/netmaker_server/templates/nginx/proxy.conf.template +++ b/netmaker_server/templates/nginx/proxy.conf.template @@ -12,7 +12,7 @@ map $host $proxy_name { server { resolver 127.0.0.11; # Explicitly set docker-resolver - listen 8443 ssl proxy_protocol; + listen 8443 ssl; ssl_certificate /certs/node.crt; ssl_certificate_key /certs/node.key; From d553f604a9db898085e30a5533c4ac37aebbe3b2 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 14:48:29 +0200 Subject: [PATCH 22/23] Add own certs to mosquitto --- .../files/opt/netmaker_server/mosquitto/config/mosquitto.conf | 3 +++ netmaker_server/tasks/certs.yml | 1 + netmaker_server/templates/docker-compose.yml.template | 1 + 3 files changed, 5 insertions(+) diff --git a/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf b/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf index 299f632..39ff237 100644 --- a/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf +++ b/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf @@ -1,6 +1,9 @@ per_listener_settings false + listener 8883 allow_anonymous false +certfile /certs/node.crt +keyfile /certs/node.key listener 1883 allow_anonymous false diff --git a/netmaker_server/tasks/certs.yml b/netmaker_server/tasks/certs.yml index c47454f..69eadc5 100644 --- a/netmaker_server/tasks/certs.yml +++ b/netmaker_server/tasks/certs.yml @@ -1,6 +1,7 @@ - name: Generate PrivateKey community.crypto.openssl_privatekey: path: /opt/netmaker_server/certs/node.key + owner: 1883 # Set owner to mosquitto-user (all other containers seem to run as root) - name: Generate Certificate-Signing-Request from privateKey community.crypto.openssl_csr: diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index d7fbfc9..5c00634 100644 --- a/netmaker_server/templates/docker-compose.yml.template 
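Review bot: `owner: 1883` makes one private key readable by the mosquitto user while nginx and rqlite read the same `node.key` presumably as root (per the comment), and since PATCH 17 that key backs the certificate for every service name (rqlite http/cluster, broker, api, ui); a compromise of any one of those containers therefore yields the TLS identity of all of them. A key/cert pair per service — at minimum a separate one for the broker, the only non-root consumer — would contain that and lets each container mount only its own material. Pin the permissions explicitly next to the owner, `mode: "0600"`, so the intent does not depend on the module's default. The comment `all other containers seem to run as root` is worth keeping but would be more precise as `# mosquitto drops to uid 1883; nginx and rqlite read the key as root`.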
+++ b/netmaker_server/templates/docker-compose.yml.template @@ -123,6 +123,7 @@ services: - ./mosquitto/config:/mosquitto/config - ./mosquitto/data:/mosquitto/data - ./mosquitto/logs:/mosquitto/log + - "./certs:/certs:ro" depends_on: - netmaker command: ["/mosquitto/config/wait.sh"] From cdd4c9babbb0cf7fdcd4d0e9e62caadc5c6a596c Mon Sep 17 00:00:00 2001 From: Ruakij Date: Fri, 21 Oct 2022 14:49:35 +0200 Subject: [PATCH 23/23] Remove CA in args rqlite will use the system trust-store then --- netmaker_server/templates/docker-compose.yml.template | 3 --- 1 file changed, 3 deletions(-) diff --git a/netmaker_server/templates/docker-compose.yml.template b/netmaker_server/templates/docker-compose.yml.template index 5c00634..5a242eb 100644 --- a/netmaker_server/templates/docker-compose.yml.template +++ b/netmaker_server/templates/docker-compose.yml.template @@ -26,10 +26,7 @@ services: -raft-addr [::]:4002 -raft-adv-addr {{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }} - -http-ca-cert /certs/ca.crt - -node-encrypt - -node-ca-cert /certs/ca.crt -node-cert /certs/node.crt -node-key /certs/node.key -node-no-verify
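Review bot: `- "./certs:/certs:ro"` mounts the whole certificate directory into mosquitto although `mosquitto.conf` only reads `/certs/node.crt` and `/certs/node.key`; the same directory also holds `node.csr`, `ca.crt` and whatever else the cert tasks place there. The file-level mount already used for the CA elsewhere in this template (`./certs/ca.crt:/etc/ssl/certs/netmaker-ca.pem:ro`) would keep the broker to the two files it needs: `- ./certs/node.crt:/certs/node.crt:ro` and `- ./certs/node.key:/certs/node.key:ro`. The neighbouring volume entries are unquoted while this one is quoted; match one style.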
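Review bot: Dropping `-node-encrypt` together with the CA flags may do more than move trust to the system store: on rqlite releases where that flag is what switches node-to-node TLS on, the Raft traffic advertised on `{{ netmaker_nginx.advertise_port }}` would now travel in the clear even though `-node-cert`/`-node-key` are still passed — check the semantics of the `rqlite/rqlite` tag actually pulled, since the image is unpinned. Independently, `-node-no-verify` stays in the command, so for inter-node connections the system trust store is never consulted and the commit message's rationale does not apply to them; with `ca.crt` now in the trust store this is the moment to remove that flag as well. For the `-join https://…` path the removal of `-http-ca-cert` is only safe if the image's TLS library reads certificates dropped into `/etc/ssl/certs/`; a comment on that mount, e.g. `# rqlite and netmaker verify peers via the system store; this file must land where the image scans`, would record what the approach relies on.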