fix...

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>

.pct-helpers

@@ -10,7 +10,7 @@ CT_DIR=${CT_DIR:=/etc/pve/lxc/}
 # XXX
 
 
-EDITOR=${EDITOR:-vim}
+EDITOR=${EDITOR:-nano}
 
 
 

Makefile

@@ -15,20 +15,10 @@ EDITOR ?= vim
 
 # CTs...
 #
-# NOTE: The order here is important: 
-# 	- to avoid bootstrapping network connections gate must be the 
-# 	  first CT to get built to route the rest of CT's to the WAN 
-# 	  connection during the build process.
-# 	- ns should be the second to be built to provide the rest of the
-# 	  CT's with DHCP network configuration.
-# 	- the rest of the CT's are created in order of importance, strting 
-# 	  from CT's needed for access and ending with services.
-CORE_CTs := \
-	gate ns
 MINIMAL_CTs := \
 	ssh wireguard 
 APP_CTs := \
-	syncthing nextcloud #gitea
+	syncthing nextcloud
 # Optional (see dev target)...
 DEV_CTs := \
 	gitea
@@ -60,7 +50,6 @@ check: check-message $(foreach dep,$(DEPENDENCIES),require($(dep)))
 FORCE:
 
 
-# XXX should thisbe an env var or an arg to make.sh???
 %-bootstrap: export BOOTSTRAP=1
 %-bootstrap: %
 	@true
@@ -86,6 +75,30 @@ config.global: config.global.example
 
 
 
+#----------------------------------------------------------------------
+# Bootstrapping...
+
+# Bootstrap stage 1: build basic infrastructure...
+.PHONY: bootstrap
+bootstrap: \
+		host-bootstrap \
+		gate-bootstrap ns \
+		$(MINIMAL_CTs) \
+		bootstrap-clean
+
+
+# Bootstrap stage 2: reconnect host through the base infrastructure...
+.PHONY: bootstrap-clean host-bootstrap-clean
+bootstrap-clean: host-bootstrap-clean
+
+
+# Finalize: reconect admin port/bridge correctly...
+.PHONY: finalize
+finalize: bootstrap-clean gate-bootstrap-clean 
+	@ make host-bootstrap-clean
+
+
+
 #----------------------------------------------------------------------
 # Shorthands...
 
@@ -100,40 +113,12 @@ gate: gate-traefik
 
 #----------------------------------------------------------------------
 
-# XXX goal:
+.PHONY: all
-# 	- build minimal system
+all: $(APP_CTs)
-# 		- bootstrap bridge
-# 		- gate
-# 		- ns
-# 	...not yet sure of the best way to do this...
-# 	
-.PHONY: bootstrap
-bootstrap: host-bootstrap gate-bootstrap \
-		ns \
-		wireguard \
-		bootstrap-clean
-
-.PHONY: bootstrap-clean
-bootstrap-clean: gate-bootstrap-clean host-bootstrap-clean
-
-
-
-#----------------------------------------------------------------------
-
-.PHONY: core
-core: config $(CORE_CTs)
-
-
-.PHONY: minimal
-minimal: core $(MINIMAL_CTs)
 
 
 .PHONY: dev
-dev: minimal $(DEV_CTs) 
+dev: $(DEV_CTs) 
-
-
-.PHONY: all
-all: minimal $(APP_CTs)
 
 
 

README.md

@@ -64,38 +64,123 @@ XXX clean setup scripts...
 
 ## Prerequisites
 
-### Proxmox
+Install Proxmox and connect it to your network.
 
+
+## Semi-automated setup
+
+This will download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
 ```shell
-sudo apt update && sudo apt upgrade
+curl 'https://raw.githubusercontent.com/flynx/proxmox-utils/refs/heads/master/scripts/bootstrap.sh' | sudo bash
 ```
 
+This will:
+- Install basic dependencies
+- Clone this repo
+- Run `make bootstrap` on the repo
+
+After the basic setup is done connect the device to the network via the 
+selcted WAN port and it is reccomended to disconnect the admin PORT.
+
+The WAN interface exposes two IPs:
+- Main server (config: `DFL_WAN_IP` / `WAN_IP`)
+  - ssh:23
+  - wireguard:51820
+- Fail-safe ssh (config: `DFL_WAN_SSH_IP` / `WAN_SSH_IP`)
+  - ssh:22
+
+The Proxmox administrative interface is available behind the Wireguard 
+proxy or on the ADMIN port, both on https://10.0.0.254:8006.
+
+
+XXX setup additional CTs...
+
+
+XXX configuration / administration...
+
+
+
+## Manual setup
+
+
+### Bootstrapping
+
+Since all the internal traffic is routed through the `gate` we need both 
+the bridges and it setup for things to work, thus we first bootstrap the
+bridges, create the basic infrastructure and then finalize the setup.
+
+Bootsrapping is done in three stages:
+1. Bootstrap: 
   ```shell
-sudo apt install git make 
+  make bootstrap
   ```
+  - Create the needed bridges
+  - Create the infrastructure CT's (`gate`, `ns`, `ssh`, ...)
+2. Cleanup: 
+  ```shell
+  make bootstrap-clean
+  ```
+  - Route the `host` through the `gate`
+3. Finalize: 
+  ```shell
+  make finalise
+  ```
+  - disconnect the `host` from the non-ADMIN networks
+
+
+After the final stage two physical ports will be active, the ADMIN port 
+and the WAN port, the former is by default the same port set by Proxmox 
+setup, the WAN port is the port selected during the stup stage. All the 
+services will be listening on the WAN port while the admin port is used 
+only for administration and recovory cases.
+
 
 
 ### Network Bridges
 
 `proxmox-utils` expects there to be at least three bridges:
-- `WAN` - connected to the port that faces the external network (either 
+- `WAN` (`vmbr_wan`) - connected to the port that faces the external 
-  directly of via a router)
+  network (either directly of via a router)
-- `LAN` - a virtual bridge, not connected to any physical interfaces
+- `LAN` (`vmbr_lan`) - a virtual bridge, not connected to any physical 
-- `ADMIN` - connected to a second physical interface used for 
+  interfaces
-  administrative purposes.
+- `ADMIN` (`vmbr_admin`) - connected to a second physical interface used 
+  for administrative purposes.
 
-Note their numbers (i.e. the number in `vmbr#`), this will be needed for 
+Created via:
-setup.
+```shell
+make host-bootstrap
+```
 
-Note, if the device has more that two ports it is recommended to assign 
+Updated by:
+```shell
+make host-bootstrap-clean
+```
+
+and:
+```shell
+make finalize
+```
+
+If the device has more that two ports it is recommended to assign 
 first/last ports to wan/admin respectively and clearly mark them as such.
 
 
+
 ### DNS
 
 Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1`
 but before whatever external DNS you are using.
 
+Donw via:
+```shell
+make host
+```
+
+or:
+```shell
+make host-bootstrap
+```
+
 
 ### Firewall
 
@@ -103,6 +188,16 @@ Make sure to allow at least `ssh` access to the host node from the `ADMIN`
 interface to allow admin CT's access to the host if needed, this is mostly
 needed to allow VPN/ssh administration from outside.
 
+Donw via:
+```shell
+make host
+```
+
+or:
+```shell
+make host-bootstrap
+```
+
 For Proxmox firewall configuration see:
 https://pve.proxmox.com/wiki/Firewall
 
@@ -117,32 +212,13 @@ XXX emergency access points: ssh and wireguard
 
 
 
-## Setup
+## Misc
-
-Get the code:
-```shell
-git clone https://github.com/flynx/proxmox-utils.git
-```
-or:
-```shell
-git clone git@github.com:flynx/proxmox-utils.git
-```
-
-
-For host setup:
-```shell
-sudo make host
-```
-
-Be carefull as this may overwrite existing configuration.
-
 
 Install CT's:
 ```shell
 sudo make all
 ```
 
-
 Install gitea (optional):
 ```shell
 sudo make dev

config.global.example

@@ -18,25 +18,35 @@
 #
 #------------------------------------------------------------------------
 
+# Bootsrap configuration...
+#
+# Usually this is the default bridge created in Proxmox, so there is no 
+# need to touch this.
+BOOTSTRAP_BRIDGE=0
+# XXX
+#BOOTSTRAP_PORT=none
+
+
 # CT interface bridge configuration.
 #
 # These are set to the bridge number (the number in 'vmbr#') used for 
 # a specific network.
 #
-# Example:
-# 	WAN_BRIDGE=0
-#	LAN_BRIDGE=1
-#	ADMIN_BRIDGE=2
-#
 # NOTE: on a clean Proxmox install ADMIN is pre-setup, we will use it 
 # 	for bootstrapping and reconfigure it later.
 # NOTE: to make things simpler it is recommmended to number bridges 
 # 	connecting to physical ports the same as ports and virtual 
 # 	bridges with numbers greater than X (10 in the example below)
 #
-ADMIN_BRIDGE=0
+# Example:
-WAN_BRIDGE=3
+# 	WAN_BRIDGE=0
-LAN_BRIDGE=10
+#	ADMIN_BRIDGE=3
+#	LAN_BRIDGE=10
+#
+# XXX revise numbering...
+ADMIN_BRIDGE=_admin
+WAN_BRIDGE=_wan
+LAN_BRIDGE=_lan
 
 
 # NOTE: it is simpler to statically assign these than to configure dhcp
@@ -92,7 +102,7 @@ DFL_PCT_EXTRA=SKIP
 #
 
 # host
-HOST_ADMIN_IP=10.0.0.245/24
+HOST_ADMIN_IP=10.0.0.254/24
 
 # Nameserver
 NS_HOSTNAME=ns

gate-traefik/make.sh

@@ -41,18 +41,17 @@ REBOOT=${REBOOT:=1}
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Bootstrap cleanup...
 
+# NOTE: this is intentionally handled before the bootstrap...
 if ! [ -z $BOOTSTRAP_CLEAN ] ; then
-	ID=${GATE_ID:=${DFL_ID}}
+	#ID=${ID:-${DFL_ID}}
 
 	xread "ID: " ID
+	xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
 	readBridgeVars
 
-	# XXX update WAN ip... (???)
+	echo "# Reverting gate's WAN bridge to: vmbr${WAN_BRIDGE}..."
-	# XXX
-	
-	echo "# Reverting gate's WAN bridge to vmbr${WAN_BRIDGE}..."
 	@ sed -i \
-		-e 's/^\(net0.*vmbr\)'${ADMIN_BRIDGE}'/\1'${WAN_BRIDGE}'/' \
+		-e 's/^\(net0.*vmbr\)'${BOOTSTRAP_BRIDGE}'/\1'${WAN_BRIDGE}'/' \
 		/etc/pve/lxc/${ID}.conf 
 	exit
 fi
@@ -62,9 +61,9 @@ fi
 # Bootstrap...
 
 if ! [ -z $BOOTSTRAP ] ; then
+	xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
 	# this will allow the bootstrapped CTs to access the network...
-	WAN_BRIDGE=$ADMIN_BRIDGE
+	WAN_BRIDGE=${BOOTSTRAP_BRIDGE}
-	#DFL_CTHOSTNAME=${DFL_CTHOSTNAME}-bootstrap
 fi
 
 

host/bootstrap-bridges.tpl

@@ -1,6 +1,4 @@
 
-# NOTE: this assumes the ADMIN bridge to exist (proxmox default) and to be vmbr0...
-
 auto vmbr${LAN_BRIDGE}
 iface vmbr${LAN_BRIDGE} inet manual
         bridge-ports none
@@ -15,3 +13,11 @@ iface vmbr${WAN_BRIDGE} inet manual
         bridge-fd 0
 #WAN
 
+auto vmbr${ADMIN_BRIDGE}
+iface vmbr${ADMIN_BRIDGE} inet static
+        address ${HOST_ADMIN_IP}
+        bridge-ports ${BOOTSTRAP_PORT}
+        bridge-stp off
+        bridge-fd 0
+#ADMIN
+

host/make.sh

@@ -19,6 +19,7 @@ need ifreload
 
 readConfig
 
+
 DFL_WAN_PORT=${DFL_WAN_PORT:-enp5s0}
 DFL_ADMIN_PORT=${DFL_ADMIN_PORT:-enp2s0}
 
@@ -35,9 +36,9 @@ SOFTWARE=(
 	tmux
 )
 
-# XXX
+INTERFACES=/etc/network/interfaces
-#BRIDGES_TPL=bridges.tpl
+
-BRIDGES_TPL=bootstrap-bridges.tpl
+BRIDGES_TPL=bridges.tpl
 
 # XXX
 #readVars
@@ -47,8 +48,27 @@ BRIDGES_TPL=bootstrap-bridges.tpl
 # Bootstrap...
 
 if ! [ -z $BOOTSTRAP_CLEAN ] ; then
-	# XXX switch admin interface IP and Gateway to admin net...
+	@ cp "$INTERFACES"{,.bak}
-	# XXX
+
+	# stage 1: bootstrap -> clean
+	if [ -e "$INTERFACES".clean ] ; then
+		@ mv "$INTERFACES"{.clean,.new}
+	# stage 2: clean -> final
+	elif [ -e "$INTERFACES".final ] ; then
+		@ mv "$INTERFACES"{.final,.new}
+	# donw
+	else
+		exit
+	fi
+
+	if reviewApplyChanges "$INTERFACES" ; then
+		# XXX this must be done in nohup to avoid breaking on connection lost...
+		if ! @ ifreload -a ; then
+			# reset settings back if ifreload fails...
+			@ cp "$INTERFACES"{.bak,}
+			@ ifreload -a	
+		fi
+	fi
 	exit
 fi
 
@@ -56,10 +76,12 @@ fi
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Bootstrap...
 
-if ! [ -z $BOOTSTRAP ] ; then
 # XXX
-	BRIDGES_TPL=bootstrap-bridges.tpl
+if ! [ -z $BOOTSTRAP ] ; then
-	true
+	DFL_BOOTSTRAP_PORT=${DFL_BOOTSTRAP_PORT:-none}
+	xread "Bootstrap port: " BOOTSTRAP_PORT
+
+	BRIDGES_BOOTSTRAP_TPL=bootstrap-bridges.tpl
 fi
 
 
@@ -90,8 +112,6 @@ if xreadYes "# Create bridges?" BRIDGES ; then
 	xread "Gate ADMIN IP: " GATE_ADMIN_IP
 	readBridgeVars
 
-	INTERFACES=/etc/network/interfaces
-
 	# check if new bridges already exist in interfaces...
 	if [ -e "$INTERFACES" ] \
 			&& grep -q \
@@ -118,20 +138,57 @@ if xreadYes "# Create bridges?" BRIDGES ; then
 	BRIDGES="$(\
 		cat "$BRIDGES_TPL" \
 			| expandPCTTemplate \
-				LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE \
+				LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \
-				WAN_PORT ADMIN_PORT \
+				WAN_PORT ADMIN_PORT BOOTSTRAP_ADMIN_PORT \
+				HOST_ADMIN_IP GATE_ADMIN_IP)"
+
+	[ -z $BRIDGES_BOOTSTRAP_TPL ] \
+		|| BRIDGES_BOOTSTRAP="$(\
+			cat "$BRIDGES_BOOTSTRAP_TPL" \
+				| expandPCTTemplate \
+					LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \
+					WAN_PORT ADMIN_PORT BOOTSTRAP_PORT \
 					HOST_ADMIN_IP GATE_ADMIN_IP)"
 
 	if [ -z "$DRY_RUN" ] ; then
-		# XXX add $BRIDGES to "$INTERFACES" either before the 
+		# write both bootstrap and clean bridge configurations...
-		#		source command or at the end...
+		if ! [ -z $BRIDGES_BOOTSTRAP ] ; then
-		# XXX
+
+			# interfaces.final
+			@ cp "$INTERFACES"{.new,.final}
+			@ sed -i \
+				-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
+				-e '/^.*gateway .*$/d' \
+				"$INTERFACES".final
+			echo "$BRIDGES" \
+				>> "$INTERFACES".final
+
+			# interfaces.clean
+			@ cp "$INTERFACES"{.new,.clean}
+			@ sed -i \
+				-e '/^.*gateway .*$/d' \
+				"$INTERFACES".clean
+			echo "$BRIDGES" \
+				| sed \
+					-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
+				>> "$INTERFACES".clean
+
+			# interfaces.new (prep)
+			BRIDGES=$(\
+				echo "$BRIDGES_BOOTSTRAP" \
+					| sed -e '/^.*gateway .*$/d')
+		fi
+
+		# interfaces.new
 		echo "$BRIDGES" >> "$INTERFACES".new
+
 	else
 		echo "$BRIDGES"
 	fi
 
+	# interfaces
 	if reviewApplyChanges "$INTERFACES" ; then
+		# XXX this must be done in nohup to avoid breaking on connection lost...
 		if ! @ ifreload -a ; then
 			# reset settings back if ifreload fails...
 			@ cp "$INTERFACES"{.bak,}
@@ -149,6 +206,16 @@ buildAssets
 # XXX /etc/hosts???
 
 
+# /etc/hosts
+if xreadYes "# Update /etc/hosts?" HOSTS ; then
+	@ cp /etc/hosts{,.bak}
+	@ cp /etc/hosts{,.new}
+	@ sed -i \
+		-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}'\1/' \
+		/etc/hosts.new
+	reviewApplyChanges /etc/hosts
+fi
+
 # DNS
 if xreadYes "# Update DNS?" DNS ; then
 	file=/etc/resolv.conf

ns/make.sh

@@ -67,6 +67,7 @@ echo "# Installing dependencies..."
 
 echo "# Copying assets..."
 pctPushAssets $ID
+@ lxc-attach $ID chmod +x /root/leases
 
 echo "# Setup: dnsmasq..."
 @ lxc-attach $ID rc-update add dnsmasq

scripts/bootstrap.sh

@@ -4,13 +4,9 @@
 #PROXMOX_UTILS=git@github.com:flynx/proxmox-utils.git
 PROXMOX_UTILS=${PROXMOX_UTILS:-https://github.com/flynx/proxmox-utils.git}
 
-# XXX do we need to update the system here?
-apt update
-apt upgrade
-
 # keep this to the minimum, at this point...
 apt install \
-	git make wget vim
+	git make wget
 
 git clone $PROXMOX_UTILS 
 

ssh/make.sh

@@ -21,7 +21,7 @@ readConfig
 
 #----------------------------------------------------------------------
 
-DFL_ID=${DFL_ID:=102}
+DFL_ID=${DFL_ID:=120}
 DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=ssh}
 
 DFL_CORES=${DFL_CORES:=1}

syncthing/make.sh

@@ -17,7 +17,7 @@ readConfig
 
 #----------------------------------------------------------------------
 
-DFL_ID=${DFL_ID:=1001}
+DFL_ID=${DFL_ID:=1010}
 DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=syncthing}
 
 DFL_CORES=${DFL_CORES:=1}

wireguard/make.sh

@@ -21,7 +21,7 @@ would-like dig #qrencode
 
 readConfig
 
-DFL_ID=${DFL_ID:=103}
+DFL_ID=${DFL_ID:=130}
 DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=wireguard}
 
 DFL_CORES=${DFL_CORES:=1}