ofilter/home_setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

in progress migration, backing progress.

Browse Source
This commit is contained in:
savagebidoof
2023-07-20 13:22:30 +02:00
parent aa2ac69c9f
commit cfa74ce963
18 changed files with 412 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: external
labels:
istio-injection: "enabled"

14
Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: filebrowser
# namespace: default
namespace: external
spec:
host: "filebrowser.filterhome.xyz"
trafficPolicy:
tls:
mode: SIMPLE
connectionPool:
http:
h2UpgradePolicy: UPGRADE

20
Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: filebrowser-se
# namespace: default
namespace: external
spec:
hosts:
- filebrowser.filterhome.xyz
- filebrowser.filterhome.duckdns.org
- filebrowser.filter.home
location: MESH_INTERNAL
ports:
- number: 443
name: https
protocol: HTTPS
resolution: NONE
workloadSelector:
labels:
host: srv

23
Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: filebrowser-vs
# namespace: default
namespace: external
spec:
hosts:
- "filebrowser.filter.home"
- "filebrowser.filterhome.xyz"
- "filebrowser.filterhome.duckdns.org"
gateways:
- default/public-gateway
http:
- route:
- destination:
host: filebrowser.filterhome.xyz
port:
number: 443
# headers:
# request:
# set:
# HOST: "filebrowser.filterhome.xyz"

63
Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml Executable file
View File

@ -0,0 +1,63 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: public-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
# - "*.filterhome.xyz"
# - "filterhome.xyz"
#
# - "filterhome.duckdns.org"
# - "*.filterhome.duckdns.org"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*.filterhome.xyz"
- "filterhome.xyz"
- "filterhome.duckdns.org"
- "*.filterhome.duckdns.org"
tls:
mode: SIMPLE
credentialName: filterhome-domain-cert-public
---
#apiVersion: networking.istio.io/v1alpha3
#kind: Gateway
#metadata:
# name: home-gateway
#spec:
# selector:
# istio: ingressgateway
# servers:
# - port:
# number: 80
# name: http
# protocol: HTTP
# hosts:
# - "*.filter.home"
# - "filter.home"
# # tls:
# # httpsRedirect: true
## - port:
## number: 443
## name: secure-http
## protocol: HTTPS
## hosts:
## - "*.filter.home"
## - "filter.home"
## tls:
## mode: SIMPLE
## credentialName: filterhome-domain-cert-public

14
Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: gitea
# namespace: default
namespace: external
spec:
host: "gitea.filterhome.xyz"
trafficPolicy:
tls:
mode: SIMPLE
connectionPool:
http:
h2UpgradePolicy: UPGRADE

20
Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: gitea-se
# namespace: default
namespace: external
spec:
hosts:
- gitea.filterhome.xyz
- gitea.filterhome.duckdns.org
- gitea.filter.home
location: MESH_INTERNAL
ports:
- number: 443
name: https
protocol: HTTPS
resolution: NONE
workloadSelector:
labels:
host: srv

23
Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: gitea-vs
# namespace: default
namespace: external
spec:
hosts:
- "gitea.filter.home"
- "gitea.filterhome.xyz"
- "gitea.filterhome.duckdns.org"
gateways:
- default/public-gateway
http:
- route:
- destination:
host: gitea.filterhome.xyz
port:
number: 443
# headers:
# request:
# set:
# HOST: "gitea.filterhome.xyz"

9
Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
name: srv-host
namespace: external
spec:
address: 192.168.1.3
labels:
host: srv

14
Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: jelly
# namespace: default
namespace: external
spec:
host: "jelly.filterhome.xyz"
trafficPolicy:
tls:
mode: SIMPLE
connectionPool:
http:
h2UpgradePolicy: UPGRADE

20
Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: jelly-se
# namespace: default
namespace: external
spec:
hosts:
- jelly.filterhome.xyz
- jelly.filterhome.duckdns.org
- jelly.filter.home
location: MESH_INTERNAL
ports:
- number: 443
name: https
protocol: HTTPS
resolution: NONE
workloadSelector:
labels:
host: srv

23
Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: jelly-vs
# namespace: default
namespace: external
spec:
hosts:
- "jelly.filter.home"
- "jelly.filterhome.xyz"
- "jelly.filterhome.duckdns.org"
gateways:
- default/public-gateway
http:
- route:
- destination:
host: jelly.filterhome.xyz
port:
number: 443
# headers:
# request:
# set:
# HOST: "jelly.filterhome.xyz"

14
Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: tube
# namespace: default
namespace: external
spec:
host: "tube.filterhome.xyz"
trafficPolicy:
tls:
mode: SIMPLE
connectionPool:
http:
h2UpgradePolicy: UPGRADE

20
Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: tube-se
# namespace: default
namespace: external
spec:
hosts:
- tube.filterhome.xyz
- tube.filterhome.duckdns.org
- tube.filter.home
location: MESH_INTERNAL
ports:
- number: 443
name: https
protocol: HTTPS
resolution: NONE
workloadSelector:
labels:
host: srv

23
Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: tube-vs
# namespace: default
namespace: external
spec:
hosts:
- "tube.filter.home"
- "tube.filterhome.xyz"
- "tube.filterhome.duckdns.org"
gateways:
- default/public-gateway
http:
- route:
- destination:
host: tube.filterhome.xyz
port:
number: 443
# headers:
# request:
# set:
# HOST: "tube.filterhome.xyz"

57
Migrations/Forget_Traefik_2023/Istio/Issuer.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-public
namespace: istio-system
spec:
acme:
# The ACME server URL
# server: https://acme-staging-v02.api.letsencrypt.org/directory # Testing
server: https://acme-v02.api.letsencrypt.org/directory # Prod
# Email address used for ACME registration
email: filter.oriol@gmail.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-public
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: istio
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: filterhome-domain-cert-public
namespace: istio-system
spec:
secretName: filterhome-domain-cert-public
duration: 48h # 90d
renewBefore: 2h # 15d
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
rotationPolicy: Always
usages:
- server auth
- client auth
dnsNames:
# - "*.filterhome.xyz"
# Gitea
- "gitea.filterhome.xyz"
# Jellyfin
- "jelly.filterhome.xyz"
# Filebrowser
- "filebrowser.filterhome.xyz"
# Tube
- "tube.filterhome.xyz"
issuerRef:
name: letsencrypt-public
kind: ClusterIssuer
group: cert-manager.io

853
Migrations/Forget_Traefik_2023/README.md Normal file
View File

@ -0,0 +1,853 @@
---
gitea: none
include_toc: true
---
## Current architecture
> **Note:**\
> The ingress port mapping uses both port `80` and port `443`.
```yaml
Public ingress port mapping: 192.168.1.2
```
### Standalone
```yaml
Gateway: 192.168.1.1
Pi4: 192.168.1.2
Srv: 192.168.1.3
```
### Kluster
> Kubernetes Cluster
A set of Orange PI 5, so far all of them are the 4GB of RAM version.
```yaml
Masterk: 192.168.1.10
Slave01: 192.168.1.11
```
## Objectives
- Set the Kubernetes Istio public Ingress as the main ingress.
- Join the Pi4 to the Kubernetes Cluster, therefore the Pi4/cluster cannot run dependencies to the same cluster. Pi4 will be the control plane
- Logs should be exported to the host `srv`.
- Services in kubernetes should have a health probe and prometheus configured to allow for metrics.
- Allow to set some CI/CD pipelines -> automatically build and deploy some images that I manage/own. (Not done on this example.)
## Requirements
- NFS server for PVC on Kubernetes.
- Check for OWASP security
- Public and Locale Ingress.
- Configure a Cert Manager to provide public certs.
> https://medium.com/@rd.petrusek/kubernetes-istio-cert-manager-and-lets-encrypt-c3e0822a3aaf
- Pi4 USB powered storage.
- Normalize `arm7` running distribution -> choose one OS that that works on all devices.
- New `Gitea` account with limited permissions for CI/CD.
## Dependencies
- DHCP service
- DNS service
- Gitea service (and it's database)
## Suggestions/notes.
- Instead of changing the port tunnel IP from the router, could set the Istio Ingress to have the current Pi4 IP, yet this would limit some process.
- Performing this without "downtime" will be extremely annoying, since if I need/want to use the Pi4 as the control plane device, the cluster itself should need to be recreated, therefore, until the Pi4 is not removed from the equation, the cluster cannot be created/used/enabled. Tips:
- First move the key services to the SRV.
- Remove the current drive from the Pi4, create an Ingress on the current Kubernetes Cluster with the IP set to the Pi4, configure Certificate Manager temporarily thereto allow traffic meanwhile the Pi4 is no longer available.
- Explore storage options for the Pi4, aka try the low voltage/energy consumption m.2 drive bought recently.
- Another option would be, moving everything to the SRV and use that meanwhile, this would allow for less downtime, and I could get to do whatever I want with the Pi4 and Cluster in the meantime, could deploy the `Traefik` with the Pi4 IP (.2) to allow for *shooting down the Pi4 shenanigans*.
### Regarding the Cert-Manager
> https://cert-manager.io/
`HTTP01 challenge`, doesn't allow for wildcard certificates, therefore, for better comfort, use the `DNS01 challange`.
Current Issue? For X and y, I need to wait for a while for the DNS provider to release the domain and acquire it back again.
### Core services
- Tube
- Jellyfin
- Gitea
- Filebrowser
## Limitations
- Limited hardware
- Only 1 external IP / router, therefore I need to do some Cert Manager tests before.
## Pi4 Storage related-specific
- If I keep using a SSD, 3D print a base for it, the Pi4 doesn't need a shell as it already has one, but just a platform that allows the Pi4 to sit on the top.
## Procedure
> Note:\
> I will be making backups of certain configurations before modifying them, yet I won't be displaying it for the sake of reducing a bit the amount of text dumped here.
### Part 1
> Completed 19/July/2023
- [x] Move local DHCP and DNS to the host `srv`.
- [x] Move Gitea to the host `srv`.
- [ ] Move registry to the host `srv`. -> Not relevant for my current setup, therefore can and (probably will) be skipped.
- [X] Update Traefik ingress configs
#### Rollback plan
> Not required.
- Launch the services in the `Pi4` server.
- Return the Traefik configuration to the previous one.
- Modify the DNS configurations (if applicable).
### Part 2
[//]: # (> Started 19/July/2023)
[//]: # (> Finished /July/2023)
- [x] Deploy Certificate Manager on the current `Kluster` with let's encrypt certificate provisioning.
- [ ] Deploy an Istio Ingress Gateway to allow access to the "core" services.
- [ ] Deploy an Istio Egress Gateway to allow egress towards the "core" services.
- [x] Update the router `Virtual Service Port Mapping` to set the Istio Ingress deployed as the new Public Ingress.
- [x] Ensure the Certificates are being provisioned.
#### Rollback plan
- Delete the deployed configurations.
- Update the router `Virtual Service Port Mapping` to set back the Traefik Ingress form the Pi4 host.
### Part 3
- [x] Configure Istio to route traffic towards Jellyfin and Filebrowser services.
- [ ] Backup the Istio/Kubernetes configurations used.
#### Rollback plan
- As much, delete the deployed configurations.
### Part 4
- [ ] Explore Pi4 Storage options.
- [ ] Consider Storage options for the OrangePi5.
#### Rollback plan
- Return the acquired drives to Amazon?
### Part 5
- [ ] ~~Wipe~~ (**don't wipe** just use a different drive) and recreate the current `Kluster`, this time using the Pi4 as a _master_, and the 2 Orange Pi5 as _slaves_ (this will require updating the DNS/DHCP local services).
> **Note**:\
> I can make a new cluster on the Pi4, and remove the taint that prevents from scheduling pods on that node. Deploy everything inside (a well a LB with the same exact IP than the current one, and proceed to stop the Orange PI 5), then "reformat" the OPi5s with a new distro, install stuff etc, and join them to the cluster running on the Pi4.
- [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement.
- [ ] Deploy NFS service on the `media SRV` host.
- [ ] Migrate some lightweight/not data heavy services from the `media SRV` to the `Kluster`.
- [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement.
### Part 6
- Set wildcards certificates.
#### Rollback plan
- Revert orange Pi 5 to the previous drive.
- Revert Pi4 to the previous drive.
- Delete the NFS service deployed.
- Run the old migrated services back on the `media SRV` host.
# Execution
## Part 1
### Transfer local network dependencies services from Pi4 to SRV.
#### Install ZIP on `Pi4`
```shell
dnf install zip
```
```text
Last metadata expiration check: 1:17:47 ago on Wed 19 Jul 2023 07:26:42 AM UTC.
Dependencies resolved.
==========================================================================================================================================================================================================================================
Package Architecture Version Repository Size
==========================================================================================================================================================================================================================================
Installing:
zip aarch64 3.0-23.el8 baseos 264 k
Installing dependencies:
unzip aarch64 6.0-46.el8 baseos 188 k
Transaction Summary
==========================================================================================================================================================================================================================================
Install 2 Packages
Total download size: 452 k
Installed size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): zip-3.0-23.el8.aarch64.rpm 1.7 MB/s | 264 kB 00:00
(2/2): unzip-6.0-46.el8.aarch64.rpm 1.2 MB/s | 188 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 790 kB/s | 452 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : unzip-6.0-46.el8.aarch64 1/2
Installing : zip-3.0-23.el8.aarch64 2/2
Running scriptlet: zip-3.0-23.el8.aarch64 2/2
Verifying : unzip-6.0-46.el8.aarch64 1/2
Verifying : zip-3.0-23.el8.aarch64 2/2
Installed:
unzip-6.0-46.el8.aarch64 zip-3.0-23.el8.aarch64
Complete!
```
#### DHCP
##### From Pi4
###### Compress DHCP service
```shell
zip -r /tmp/dhcpd.zip /scripts/docker/dhcpd
```
```text
adding: scripts/docker/dhcpd/dhcpd.leases (stored 0%)
adding: scripts/docker/dhcpd/docker-compose.yaml (deflated 55%)
adding: scripts/docker/dhcpd/dhcpd.conf (deflated 61%)
adding: scripts/docker/dhcpd/Dockerfile (deflated 61%)
```
###### List compressed file
```shell
ls /tmp/dhcpd.zip -l
```
```text
-rw-r--r--. 1 root root 1987 Jul 19 09:00 /tmp/dhcpd.zip
```
###### Send file to the srv.
```shell
scp /scripts/docker/dhcpd.zip user@srv:/tmp
```
##### From SRV
###### Unzip to the desired location, maintaining permissions.
```shell
unzip -X /tmp/dhcpd.zip -d /scripts/docker/
```
```text
Archive: /tmp/dhcpd.zip
creating: /scripts/docker/scripts/docker/dhcpd/
extracting: /scripts/docker/scripts/docker/dhcpd/dhcpd.leases
inflating: /scripts/docker/scripts/docker/dhcpd/docker-compose.yaml
inflating: /scripts/docker/scripts/docker/dhcpd/dhcpd.conf
inflating: /scripts/docker/scripts/docker/dhcpd/Dockerfile
```
###### Modify the DHCP configuration to point to this server as a DNS Server.
```shell
nano /scripts/docker/dhcpd/dhcpd.conf
```
Replace
```text
option domain-name-servers 192.168.1.2, 9.9.9.9, 149.112.112.112; # IBM Quad9
```
For
```text
option domain-name-servers 192.168.1.3, 9.9.9.9, 149.112.112.112; # IBM Quad9
```
###### Fix the DHCP interface to listen.
```shell
nano /scripts/docker/dhcpd/Dockerfile
```
Replace
```text
"-group", "dhcp", "eth0"]
```
For
```text
"-group", "dhcp", "enp3s0"]
```
#### DNS
##### From Pi4
###### Compress DHCP service
```shell
zip -r /tmp/coredns.zip /scripts/docker/coredns
```
```text
adding: scripts/docker/coredns/ (stored 0%)
adding: scripts/docker/coredns/config/ (stored 0%)
adding: scripts/docker/coredns/config/Corefile (deflated 31%)
adding: scripts/docker/coredns/config/example.db (deflated 37%)
adding: scripts/docker/coredns/config/filter.home.db (deflated 71%)
adding: scripts/docker/coredns/docker-compose.yml (deflated 57%)
```
###### List compressed file
```shell
ls /tmp/coredns.zip -l
```
```text
-rw-r--r--. 1 root root 2284 Jul 19 09:34 /tmp/coredns.zip
```
###### Send file to the srv.
```shell
scp /tmp/coredns.zip user@srv:/tmp
```
##### From SRV
###### Unzip to the desired location, maintaining permissions.
```shell
unzip -X /tmp/coredns.zip -d /scripts/docker/
```
```text
creating: /scripts/docker/scripts/docker/coredns/
creating: /scripts/docker/scripts/docker/coredns/config/
inflating: /scripts/docker/scripts/docker/coredns/config/Corefile
inflating: /scripts/docker/scripts/docker/coredns/config/example.db
inflating: /scripts/docker/scripts/docker/coredns/config/filter.home.db
inflating: /scripts/docker/scripts/docker/coredns/docker-compose.yml
```
###### Modify the DHCP configuration to point to this server as a DNS Server.
```shell
nano /scripts/docker/scripts/docker/coredns/config/filter.home.db
```
Replace
```text
dhcp IN CNAME pi4
dns IN CNAME pi4
```
For
```text
dhcp IN CNAME srv
dns IN CNAME srv
```
##### Realize that things uncompressed into `/scripts/docker/scripts/docker/`, fix that.
Use the `mv` command to fix it.
Remove the folders with `rmdir` to avoid surprises.
### Update nameservers
#### From SRV
##### Start the DNS service
```shell
cd /scripts/docker/coredns/ && docker-compose up -d
```
```text
[+] Running 3/3
⠿ coredns Pulled 3.1s
⠿ 25b7032c281a Pull complete 0.5s
⠿ 3799eae1a077 Pull complete 1.1s
[+] Running 2/2
⠿ Network coredns_default Created 0.2s
⠿ Container coredns Started 0.5s
```
```shell
docker-compose logs -f
```
```text
coredns | .:53
coredns | filter.home.:53
coredns | CoreDNS-1.10.1
coredns | linux/amd64, go1.20, 055b2c3
```
###### Test the DNS service
From any host within the network that can reach / is supposed to use that DNS server:
```shell
dig google.es @192.168.1.3
```
```text
; <<>> DiG 9.18.16 <<>> google.es @192.168.1.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49583
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.es. IN A
;; ANSWER SECTION:
google.es. 99 IN A 142.250.200.67
;; Query time: 13 msec
;; SERVER: 192.168.1.3#53(192.168.1.3) (UDP)
;; WHEN: Wed Jul 19 12:30:42 CEST 2023
;; MSG SIZE rcvd: 63
```
[//]: # (##### Restart DNS service _just in case_)
[//]: # ()
[//]: # (```shell)
[//]: # (cd /scripts/docker/coredns/ && docker-compose restart)
[//]: # (```)
[//]: # (```text)
[//]: # ([+] Running 1/1)
[//]: # ( ⠿ Container coredns Started 0.7s 0.5s)
[//]: # (```)
#### Start the DHCP Service
###### Set static IP on the desired interface (enp3s0 in my case)
```text
nano /etc/sysconfig/network-scripts/ifcfg-enp3s0
```
```text
# Network type
TYPE=Ethernet
# Device Name #
NAME=enp3s0
DEVICE=enp3s0
# Static IP Address #
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
# Server IP #
IPADDR=192.168.1.3
# DNS SERVERS #
DNS1=127.0.0.1
DNS2=8.8.8.8
# GATEWAY ADDRESS #
GATEWAY=192.168.1.1
# SUBNET MASK #
SUBNET MASK=255.255.255.0
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
# Disable ipv6#
IPV6INIT=no
# Activate on system Boot #
ONBOOT=yes
```
###### Restart server to ensure everything is working correctly.
```shell
reboot
```
###### Start container/service
```shell
cd /scripts/docker/dhcpd/ && docker-compose up
```
<pre>[+] Running 0/1
<span style="color:#FF7F7F"> ⠿ isc_dhcp Error 1.4s</span>
[+] Building 4.2s (8/8) FINISHED
<span style="color:#7FBAFF"> =&gt; [internal] load .dockerignore 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; transferring context: 2B 0.0s</span>
<span style="color:#7FBAFF"> =&gt; [internal] load build definition from Dockerfile 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; transferring dockerfile: 1.03kB 0.0s</span>
<span style="color:#7FBAFF"> =&gt; [internal] load metadata for docker.io/library/alpine:latest 1.5s</span>
<span style="color:#7FBAFF"> =&gt; [1/4] FROM docker.io/library/alpine:latest@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; resolve docker.io/library/alpine:latest@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 1.64kB / 1.64kB 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; sha256:25fad2a32ad1f6f510e528448ae1ec69a28ef81916a004d3629874104f8a7f70 528B / 528B 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; sha256:c1aabb73d2339c5ebaa3681de2e9d9c18d57485045a4e311d9f8004bec208d67 1.47kB / 1.47kB 0.0s</span>
<span style="color:#7FBAFF"> =&gt; [2/4] RUN apk update &amp;&amp; apk add --no-cache dhcp 1.7s</span>
<span style="color:#7FBAFF"> =&gt; [3/4] RUN mkdir /var/lib/dhcpd &amp;&amp; touch /var/lib/dhcpd/dhcpd.leases &amp;&amp; chown dhcp:dhcp /var/lib/dhcpd -R &amp;&amp; mkdir -p /run/dhcp 0.4s</span>
<span style="color:#7FBAFF"> =&gt; [4/4] RUN id dhcp 0.4s</span>
<span style="color:#7FBAFF"> =&gt; exporting to image 0.1s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; exporting layers 0.1s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; writing image sha256:07b6db561779c547d96d07fe3a995668ba459ac72fe8c5b48de5e8956e138dd9 0.0s</span>
<span style="color:#7FBAFF"> =&gt; =&gt; naming to docker.io/library/rpi_dhcp 0.0s</span>
Use &apos;docker scan&apos; to run Snyk tests against images to find vulnerabilities and learn how to fix them
<span style="color:#7FBAFF">[+] Running 1/1</span>
<span style="color:#7FBAFF"> ⠿ Container dhcpd Created 0.0s</span>
</pre>
```shell
docker-compose logs -f
```
<pre><span style="color:#7F7FFF">dhcpd | </span>Internet Systems Consortium DHCP Server 4.4.3-P1
<span style="color:#7F7FFF">dhcpd | </span>Copyright 2004-2022 Internet Systems Consortium.
<span style="color:#7F7FFF">dhcpd | </span>All rights reserved.
<span style="color:#7F7FFF">dhcpd | </span>For info, please visit https://www.isc.org/software/dhcp/
<span style="color:#7F7FFF">dhcpd | </span>WARNING: Host declarations are global. They are not limited to the scope you declared them in.
<span style="color:#7F7FFF">dhcpd | </span>Config file: /etc/dhcp/dhcpd.conf
<span style="color:#7F7FFF">dhcpd | </span>Database file: /var/lib/dhcpd/dhcpd.leases
<span style="color:#7F7FFF">dhcpd | </span>PID file: /run/dhcp/dhcpd.pid
<span style="color:#7F7FFF">dhcpd | </span>Wrote 0 deleted host decls to leases file.
<span style="color:#7F7FFF">dhcpd | </span>Wrote 0 new dynamic host decls to leases file.
<span style="color:#7F7FFF">dhcpd | </span>Wrote 0 leases to leases file.
<span style="color:#7F7FFF">dhcpd | </span>Listening on LPF/enp3s0/50:3e:aa:03:7a:37/192.168.1.0/24
<span style="color:#7F7FFF">dhcpd | </span>Sending on LPF/enp3s0/50:3e:aa:03:7a:37/192.168.1.0/24
<span style="color:#7F7FFF">dhcpd | </span>Sending on Socket/fallback/fallback-net
<span style="color:#7F7FFF">dhcpd | </span>Server starting service.
</pre>
#### Update rest of nameservers
Modify the `/etc/resolve.conf` or whatever static configurations you have deployed in specific devices.
On my scenario only applies to the pi4.
### Transfer Gitea from Pi4 to SRV.
#### Service
##### From Pi4
###### Compress Gitea service
```shell
zip -r /tmp/gitea.zip /scripts/docker/gitea
```
```text
zip -r /tmp/gitea.zip /scripts/docker/gitea
adding: scripts/docker/gitea/ (stored 0%)
adding: scripts/docker/gitea/app.ini (deflated 47%)
adding: scripts/docker/gitea/docker-compose.yml (deflated 60%)
adding: scripts/docker/gitea/renderers/ (stored 0%)
adding: scripts/docker/gitea/renderers/.placeholder (stored 0%)
adding: scripts/docker/gitea/Dockerfile (deflated 49%)
```
###### List compressed file
```shell
ls /tmp/gitea.zip -l
```
```text
-rw-r--r--. 1 root root 2231 Jul 19 10:39 /tmp/gitea.zip
```
###### Send file to the srv.
```shell
scp /tmp/gitea.zip user@srv:/tmp
```
#### From SRV
##### Unzip to the desired location, maintaining permissions.
> Learn from the mistakes, use the `/` path and let everything sit correctly by itself.
```shell
unzip -X /tmp/gitea.zip -d /
```
```text
creating: /scripts/docker/gitea/
inflating: /scripts/docker/gitea/app.ini
inflating: /scripts/docker/gitea/docker-compose.yml
creating: /scripts/docker/gitea/renderers/
extracting: /scripts/docker/gitea/renderers/.placeholder
inflating: /scripts/docker/gitea/Dockerfile
```
#### Volumes data
##### From Pi4
###### Stop the service
```shell
docker-compose down
```
<pre>
<span style="color:#7FBAFF">[+] Running 3/3</span>
<span style="color:#7FBAFF"> ⠿ Container gitea_cont Removed 1.6s</span>
<span style="color:#7FBAFF"> ⠿ Container gitea-db-1 Removed 0.4s</span>
<span style="color:#7FBAFF"> ⠿ Network gitea_gitea Removed 0.7s</span>
</pre>
###### Locate desired volumes
```shell
ls /var/lib/docker/volumes/gitea_d* -l
```
<pre>
/var/lib/docker/volumes/gitea_data:
total 4
drwxr-xr-x. 5 root root 4096 Dec 8 2021 <span style="color:#0087FF">_data</span>
/var/lib/docker/volumes/gitea_db:
total 4
drwx------. 19 70 ssh_keys 4096 Jul 19 10:35 <span style="color:#0087FF">_data</span></pre>
On this scenario, we want **BOTH**.
###### Compress Gitea data volumes
```shell
zip -r /tmp/gitea_data.zip /var/lib/docker/volumes/gitea_db /var/lib/docker/volumes/gitea_data
```
This returns some text and can take a while so... wait.
```text
Too much text so imagine a bunch of `adding: var/lib/docker/volumes/gitea_ etc`
```
###### List compressed file
```shell
ls /tmp/gitea_data.zip -l
```
```text
-rw-r--r--. 1 root root 5486975291 Jul 19 10:59 /tmp/gitea_data.zip
```
###### Send file to the srv.
It can take a while so... wait?
```shell
scp /tmp/gitea_data.zip user@srv:/tmp
```
#### From SRV
##### Unzip to the desired location, maintaining permissions.
> Learn from the mistakes, use the `/` path and let everything sit correctly by itself.
Also, again, can take a while, let it do the needful.
```shell
unzip -X /tmp/gitea_data.zip -d /
```
```text
creating: /scripts/docker/gitea/
inflating: /scripts/docker/gitea/app.ini
inflating: /scripts/docker/gitea/docker-compose.yml
creating: /scripts/docker/gitea/renderers/
extracting: /scripts/docker/gitea/renderers/.placeholder
inflating: /scripts/docker/gitea/Dockerfile
```
##### Start docker service.
```shell
cd /scripts/docker/gitea/ && docker-compose up -d
```
<pre><span style="color:#7FBAFF">[+] Running 20/20</span>
<span style="color:#7FBAFF"> ⠿ db Pulled 8.5s</span>
<span style="color:#7FBAFF"> ⠿ 4c0d98bf9879 Pull complete 0.6s</span>
<span style="color:#7FBAFF"> ⠿ 7ff5918c11c3 Pull complete 0.7s</span>
<span style="color:#7FBAFF"> ⠿ c393806625cd Pull complete 0.8s</span>
<span style="color:#7FBAFF"> ⠿ 9307f3bcca3a Pull complete 3.8s</span>
<span style="color:#7FBAFF"> ⠿ 5eee78b95230 Pull complete 3.9s</span>
<span style="color:#7FBAFF"> ⠿ c0f2174cad0e Pull complete 3.9s</span>
<span style="color:#7FBAFF"> ⠿ dd6b4e21c993 Pull complete 3.9s</span>
<span style="color:#7FBAFF"> ⠿ 1011823211fa Pull complete 3.9s</span>
<span style="color:#7FBAFF"> ⠿ gitea_cont Pulled 9.9s</span>
<span style="color:#7FBAFF"> ⠿ 31e352740f53 Already exists 0.0s</span>
<span style="color:#7FBAFF"> ⠿ 395889657acd Pull complete 2.8s</span>
<span style="color:#7FBAFF"> ⠿ fca9ea837ad0 Pull complete 2.8s</span>
<span style="color:#7FBAFF"> ⠿ 27ebbe228e73 Pull complete 2.9s</span>
<span style="color:#7FBAFF"> ⠿ 34a463970b12 Pull complete 4.2s</span>
<span style="color:#7FBAFF"> ⠿ 791a5d24dab3 Pull complete 4.3s</span>
<span style="color:#7FBAFF"> ⠿ ad1a83d556b7 Pull complete 4.3s</span>
<span style="color:#7FBAFF"> ⠿ 8da8fce0c22f Pull complete 5.2s</span>
<span style="color:#7FBAFF"> ⠿ 559bdde1e56a Pull complete 5.2s</span>
<span style="color:#7FBAFF"> ⠿ 40fa068ee382 Pull complete 5.3s</span>
<span style="color:#7FBAFF">[+] Running 5/5</span>
<span style="color:#7FBAFF"> ⠿ Network gitea_gitea Created 0.2s</span>
<span style="color:#7FBAFF"> ⠿ Volume &quot;gitea_data&quot; Created 0.0s</span>
<span style="color:#7FBAFF"> ⠿ Volume &quot;gitea_db&quot; Created 0.0s</span>
<span style="color:#7FBAFF"> ⠿ Container gitea-db-1 Started 1.5s</span>
<span style="color:#7FBAFF"> ⠿ Container gitea_cont Started 0.6s</span></pre>
```shell
docker-compose logs -f
```
<pre>docker-compose logs -f
<span style="color:#CC3980">gitea-db-1 | </span>
<span style="color:#CC3980">gitea-db-1 | </span>PostgreSQL Database directory appears to contain a database; Skipping initialization
<span style="color:#CC3980">gitea-db-1 | </span>
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.664 UTC [1] LOG: starting PostgreSQL ???? on x86_64-pc-linux-musl, compiled by gcc (Alpine ????) ???? ?????, 64-bit
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.665 UTC [1] LOG: listening on IPv4 address &quot;???????&quot;, port 5432
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.665 UTC [1] LOG: listening on IPv6 address &quot;::&quot;, port 5432
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.669 UTC [1] LOG: listening on Unix socket &quot;/var/run/postgresql/.s.PGSQL.5432&quot;
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.672 UTC [22] LOG: database system was shut down at 2023-07-19 10:48:03 UTC
<span style="color:#CC3980">gitea-db-1 | </span>2023-07-19 11:42:58.676 UTC [1] LOG: database system is ready to accept connections
<span style="color:#7F7FFF">gitea_cont | </span>Server listening on :: port 22.
<span style="color:#7F7FFF">gitea_cont | </span>Server listening on 0.0.0.0 port 22.
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:223:runWeb() [I] Starting Gitea on PID: 20
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:148:serveInstalled() [I] Gitea version: 1.20.0 built with GNU Make 4.4.1, go1.20.6 : bindata, timetzdata, sqlite, sqlite_unlock_notify
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:149:serveInstalled() [I] App path: /usr/local/bin/gitea
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:150:serveInstalled() [I] Work path: /data/gitea
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:151:serveInstalled() [I] Custom path: /data/gitea
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:152:serveInstalled() [I] Config file: /data/gitea/conf/app.ini
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:153:serveInstalled() [I] Run mode: prod
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 cmd/web.go:154:serveInstalled() [I] Prepare to run web server
<span style="color:#7F7FFF">gitea_cont | </span>2023/07/19 13:42:59 routers/init.go:112:InitWebInstalled() [I] Git version: 2.40.1, Wire Protocol Version 2 Enabled (home: /data/gitea/home)
</pre>
#### Traefik
##### Update SRV Traefik to accept traffic for that service.
Configure SRV Traefik to redirect the traffic towards the `Gitea` container.
##### Update Pi4 Traefik to use SRV as backend.
Configure Pi4 Traefik to use as a backend for the `Gitea` service, the host SRV.
##### Test the service is up and running
Test the Gitea service URL
```shell
curl -I https://gitea.filterhome.xyz/
```
Returns a status code `200`, therefore we were able to receive a successful request (still it's recommended to doublecheck through the browser and ensure that the correct service was served, as it could conflict with other rules set, returning a status `200` for a different service than the desired).
```text
HTTP/2 200
date: Wed, 19 Jul 2023 11:55:15 GMT
permissions-policy: vibrate=('self'); geolocation=('self'); midi=('self'); notifications=('self'); push=('self'); microphone=(); camera=(); magnetometer=(); gyroscope=(); speaker=(); vibrate=('self'); fullscreen=('self')
referrer-policy: same-origin
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
```
## Part 2 & 3
**I am HERE right now**
---
### "Last", change the ingress from the Pi4 Traefik ingress, to the Istio Public Ingress.
This gotta be performed on the router, therefore gotta access the GUI from the ISP router and select the new IP address.
### Check for the Certificate Manager to confirm that it's generating the certificates.
### Update DNS records
## Difficulties