kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f29f1a562ad90f816dcadeb54c48467cac40d37d
hunfabric/modules/cloud-config-container/__need_fixing/onprem2/assets/cloud-config.yaml
Ludo f29f1a562a update changelog
2022-12-11 09:41:56 +01:00

155 lines
4.4 KiB
YAML
Raw Blame History

#cloud-config
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
write_files:
- path: /etc/docker/daemon.json
owner: root:root
permissions: "0644"
content: |
{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}
- path: /etc/systemd/system/docker-onprem.service
permissions: "0644"
owner: root
content: |
[Install]
WantedBy=multi-user.target
[Unit]
Description=Start Docker Compose onprem infrastructure
After=network-online.target docker.socket
Wants=network-online.target docker.socket
[Service]
ExecStart=/bin/sh -c \
"cd /var/run/onprem && /var/run/docker-compose up"
ExecStop=/bin/sh -c \
"cd /var/run/onprem && /var/run/docker-compose down"
- path: /var/run/onprem/docker-compose.yaml
permissions: "0644"
owner: root
content: |
version: "3"
services:
vpn:
image: debian:bullseye-slim
networks:
onprem:
ipv4_address: ${cidrhost(ip_range, 2)}
ports:
- "500:500/udp"
- "4500:4500/udp"
- "179:179/tcp"
privileged: true
cap_add:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
command: bash /start.sh
volumes:
- "/lib/modules:/lib/modules:ro"
- "/usr/share/zoneinfo/UTC:/etc/localtime:ro"
- "/var/run/onprem/vpn/ipsec.conf:/etc/ipsec.conf:ro"
- "/var/run/onprem/vpn/ipsec.secrets:/etc/ipsec.secrets:ro"
- "/var/run/onprem/vpn/ipsec-vti.sh:/etc/ipsec-vti.sh:ro"
- "/var/run/onprem/vpn/start.sh:/start.sh:ro"
environment:
- LAN_NETWORKS=${ip_range}
networks:
onprem:
ipam:
driver: default
config:
- subnet: ${ip_range}
- path: /var/run/onprem/vpn/start.sh
owner: root:root
permissions: "0755"
content: |
#!/bin/bash
apt-get update
apt-get install -y bird procps strongswan
sysctl -w net.ipv4.ip_forward=1
_stop_ipsec() {
echo "Shutting down strongSwan/ipsec..."
ipsec stop
}
trap _stop_ipsec TERM
echo "Starting up strongSwan/ipsec..."
ipsec start --nofork "$@" &
child=$!
wait "$child"
- path: /var/run/onprem/vpn/ipsec.secrets
owner: root:root
permissions: "0600"
content: |
%{for peer in peer_configs}${peer.address} : PSK "${peer.shared_secret}"%{endfor}
- path: /var/run/onprem/vpn/ipsec.conf
owner: root:root
permissions: "0644"
content: |
# ipsec.conf - strongswan IPsec configuration file
# https://developers.microad.co.jp/entry/2022/05/30/100000
config setup
# strictcrlpolicy=yes
# uniqueids = no
# left: onprem Strongswan
# right: GCP VPN
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
type=tunnel
leftsubnet=0.0.0.0/0,::/0
rightsubnet=0.0.0.0/0,::/0
%{~ for i, peer in peer_configs }
conn gcp-vpn-tunnel-${i}
esp=aes128-sha1-modp1024,3des-sha1-modp1024
ikelifetime=600m
keylife=180m
rekeymargin=1m
keyingtries=5
keyexchange=ikev2
left = ${peer.bgp_session.local_address}
leftid = ${external_address}
leftupdown = /etc/ipsec-vti.sh
right = ${peer.address}
auto = start
mark=100
%{~ endfor }
- path: /var/run/onprem/vpn/ipsec-vti.sh
owner: root:root
permissions: "0644"
content: |
${ipsec_vti}
runcmd:
- wget -O /var/run/docker-compose https://github.com/docker/compose/releases/download/v2.14.0/docker-compose-linux-x86_64
- chmod 755 /var/run/docker-compose
- systemctl daemon-reload
- systemctl enable docker-onprem.service
- systemctl start docker-onprem.service
Reference in New Issue View Git Blame Copy Permalink