fix...

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>

.pct-helpers

@@ -228,10 +228,13 @@ xreadYes(){
 	# XXX check DFL_..???
 	if [[ "${!var}" == "SKIP" ]] ; then
 		eval "$var="
-		return
+		return 1
 	fi
 	if [ -z ${!var} ] ; then
-		if [ -z $(eval "echo \$DFL_${var}") ] ; then
+		if [[ "$(eval "echo \$DFL_${var}")" == "SKIP" ]] ; then
+			eval "$var="
+			return 1
+		elif [ -z $(eval "echo \$DFL_${var}") ] ; then
 			local yes=y
 			local no=N
 			local dfl=

Makefile

@@ -83,19 +83,19 @@ config.global: config.global.example
 bootstrap: \
 		host-bootstrap \
 		gate-bootstrap ns \
-		$(MINIMAL_CTs) \
+		$(MINIMAL_CTs)
-		bootstrap-clean
+	make bootstrap-clean
 
 
 # Bootstrap stage 2: reconnect host through the base infrastructure...
-.PHONY: bootstrap-clean host-bootstrap-clean
+.PHONY: bootstrap-clean 
 bootstrap-clean: host-bootstrap-clean
 
 
 # Finalize: reconect admin port/bridge correctly...
 .PHONY: finalize
 finalize: bootstrap-clean gate-bootstrap-clean 
-	@ make host-bootstrap-clean
+	make host-bootstrap-clean
 
 
 

README.md

@@ -41,35 +41,61 @@ Goals:
   and administration of all the related components at the cost of a 
   heavier CT transparently integrating multiple related services
 
-XXX service structure
 
-XXX network
+### Network
 
-In general `proxmox-utils` splits the configuration into two levels:
+```
+    Internet                                              Admin 
+       v                                                    v
+  +----|----------------------------------------------------|-----+  
+  |    |                                                    |     |  
+  |  (wan)                                (lan)          (admin)  |  
+  |    |                                    |               |     |  
+  |    |                                    |         pve --+     |  
+  |    |                                    |               |     |  
+  |    |                   +--------------------------------+     |  
+  |    |                  /                 |               |     |  
+  |    +--($WAN_SSH_IP)- ssh ---------------+               |     |  
+  |    |                  ^                 |               |     |  
+  |    |              (ssh:23)              |               |     |  
+  |    |                  .                 |               |     |  
+  |    |                  . +------------------------(nat)--+     |  
+  |    |                  ./                |               |     |  
+  |    +------($WAN_IP)- gate ------(nat)---+               |     |  
+  |                       .                 |               |     |  
+  |                       .                 +-- ns ---------+     |  
+  |                       .                 |               |     |  
+  |                       + - (udp:51820)-> +-- wireguard   |     |  
+  |                       .                 |               |     |  
+  |                       + - (ssh/https)-> +-- gitea       |     |  
+  |                       .                 |               |     |  
+  |                       + - - - (https)-> +-- nextcloud   |     |  
+  |                                         |               |     |  
+  |                                         +-- syncthing --+     |  
+  |                                                               |  
+  +---------------------------------------------------------------+  
+```
+
+XXX
 
 
-### CT level  
+### Services
 
-This level is handled by the `Makefile` and is almost completely automated
+XXX
-
-
-### Host level
-
-This level depends on the host setup and is currently done manually 
-depending on existing host configuration.
-
-XXX clean setup scripts...
 
 
 
-## Prerequisites
+## Setup
+
+### Prerequisites
 
 Install Proxmox and connect it to your network.
 
 
-## Semi-automated setup
 
-This will download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
+### Semi-automated setup
+
+Download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
 ```shell
 curl 'https://raw.githubusercontent.com/flynx/proxmox-utils/refs/heads/master/scripts/bootstrap.sh' | sudo bash
 ```
@@ -80,30 +106,79 @@ This will:
 - Run `make bootstrap` on the repo
 
 After the basic setup is done connect the device to the network via the 
-selcted WAN port and it is reccomended to disconnect the admin PORT.
+selcted WAN port and **disconnect** the ADMIN port.
 
 The WAN interface exposes two IPs:
-- Main server (config: `DFL_WAN_IP` / `WAN_IP`)
+- Main server (config: `$DFL_WAN_IP` / `$WAN_IP`)
   - ssh:23
   - wireguard:51820
-- Fail-safe ssh (config: `DFL_WAN_SSH_IP` / `WAN_SSH_IP`)
+- Fail-safe ssh (config: `$DFL_WAN_SSH_IP` / `$WAN_SSH_IP`)
   - ssh:22
 
+
 The Proxmox administrative interface is available behind the Wireguard 
 proxy or on the ADMIN port, both on https://10.0.0.254:8006.
 
+To finalize the setup run:
+```shell
+make finalize
+```
 
-XXX setup additional CTs...
+This will
+- detach the host from any external ports and make it accessible only 
+  from the internal network.  
+  See: [Architecture](#architecture) and [Bootstrapping](#bootstrapping)
+- setup firewall rules.  
+  Note that the firewall will not be enabled, this should be done manually
+  after rule review.
   
 
-XXX configuration / administration...
+*Note that the ADMIN port is configured for direct connections only (DHCP), 
+connecting it to a configured network can lead to unexpected behavior.*
+
+
+#### Accessing the host
+
+XXX
+
+
+#### Setup additional services
+
+XXX
+
+```shell
+make all
+```
+
+```shell
+make dev
+```
+
+
+Or individually:
+```shell
+make nextcloud
+```
+
+```shell
+make syncthing
+```
+
+```shell
+make gitea
+```
+
+
+#### Setup and configure custom services
+
+XXX traefik rules
 
 
 
-## Manual setup
+### Manual setup
 
 
-### Bootstrapping
+#### Bootstrapping
 
 Since all the internal traffic is routed through the `gate` we need both 
 the bridges and it setup for things to work, thus we first bootstrap the
@@ -136,7 +211,7 @@ only for administration and recovory cases.
 
 
 
-### Network Bridges
+#### Network Bridges
 
 `proxmox-utils` expects there to be at least three bridges:
 - `WAN` (`vmbr_wan`) - connected to the port that faces the external 
@@ -166,7 +241,7 @@ first/last ports to wan/admin respectively and clearly mark them as such.
 
 
 
-### DNS
+#### DNS
 
 Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1`
 but before whatever external DNS you are using.
@@ -182,7 +257,7 @@ make host-bootstrap
 ```
 
 
-### Firewall
+#### Firewall
 
 Make sure to allow at least `ssh` access to the host node from the `ADMIN` 
 interface to allow admin CT's access to the host if needed, this is mostly

host/make.sh

@@ -53,10 +53,26 @@ if ! [ -z $BOOTSTRAP_CLEAN ] ; then
 	# stage 1: bootstrap -> clean
 	if [ -e "$INTERFACES".clean ] ; then
 		@ mv "$INTERFACES"{.clean,.new}
+		DFL_UPDATE=SKIP
+		DFL_APPS=SKIP
+		DFL_BRIDGES=SKIP
+		DFL_HOSTS=SKIP
+		DFL_DNS=1
+		DFL_FIREWALL=SKIP
+
 	# stage 2: clean -> final
 	elif [ -e "$INTERFACES".final ] ; then
 		@ mv "$INTERFACES"{.final,.new}
-	# donw
+		DFL_UPDATE=SKIP
+		DFL_APPS=SKIP
+		DFL_BRIDGES=SKIP
+		DFL_HOSTS=1
+		DFL_DNS=SKIP
+		DFL_FIREWALL=1
+
+		REBOOT=1
+
+	# done
 	else
 		exit
 	fi
@@ -69,42 +85,40 @@ if ! [ -z $BOOTSTRAP_CLEAN ] ; then
 			@ ifreload -a	
 		fi
 	fi
-	exit
-fi
 
-
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Bootstrap...
-
+elif ! [ -z $BOOTSTRAP ] ; then
-# XXX
-if ! [ -z $BOOTSTRAP ] ; then
 	DFL_BOOTSTRAP_PORT=${DFL_BOOTSTRAP_PORT:-none}
 	xread "Bootstrap port: " BOOTSTRAP_PORT
 
 	BRIDGES_BOOTSTRAP_TPL=bootstrap-bridges.tpl
+
+	DFL_UPDATE=1
+	DFL_APPS=1
+	DFL_BRIDGES=1
+	DFL_HOSTS=SKIP
+	DFL_DNS=SKIP
+	DFL_FIREWALL=SKIP
 fi
 
 
 
 #----------------------------------------------------------------------
 
-# Tools
+# System...
 if xreadYes "# Update system?" UPDATE ; then
 	@ apt update
 	@ apt upgrade
 fi
+
+
+# Tools...
 if xreadYes "# Install additional apps?" APPS ; then
 	@ apt install ${SOFTWARE[@]}
 fi
 
+
 # Bridges...
-# XXX need to:
-#		- bootstrap this
-#		- setup the gate, ssh, and wireguard
-#		- inalize
-# XXX /etc/hosts
-# XXX save config???
-# XXX should we do things in ./staging ???
 if xreadYes "# Create bridges?" BRIDGES ; then
 	xread "WAN port: " WAN_PORT 
 	xread "ADMIN port: " ADMIN_PORT 
@@ -198,26 +212,30 @@ if xreadYes "# Create bridges?" BRIDGES ; then
 fi
 
 
-echo "# Building config..."
-# XXX do we need any extra vars here???
-buildAssets
-
-
-# XXX /etc/hosts???
-
-
 # /etc/hosts
 if xreadYes "# Update /etc/hosts?" HOSTS ; then
 	@ cp /etc/hosts{,.bak}
 	@ cp /etc/hosts{,.new}
 	@ sed -i \
-		-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}'\1/' \
+		-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}' \1/' \
 		/etc/hosts.new
 	reviewApplyChanges /etc/hosts
 fi
 
+
+# build only if we need to...
+build(){
+	if [ -z $__ASSETS ] ; then
+		__ASSETS=1
+		echo "# Building config templates..."
+		buildAssets
+	fi
+}
+
+
 # DNS
 if xreadYes "# Update DNS?" DNS ; then
+	build
 	file=/etc/resolv.conf
 	@ cp "staging/${file}" "${file}".new
 	reviewApplyChanges "${file}"
@@ -226,6 +244,7 @@ fi
 
 # Firewall
 if xreadYes "# Update firewall rules?" FIREWALL ; then
+	build
 	file=/etc/pve/firewall/cluster.fw
 	@ cp "staging/${file}" "${file}".new
 	reviewApplyChanges "${file}"
@@ -236,6 +255,12 @@ showNotes
 echo "# Done."
 
 
+if ! [ -z $REBOOT ] ; then
+	echo "# Rebooting..."
+	@ reboot
+fi
+
+
 
 #----------------------------------------------------------------------
 # vim:set ts=4 sw=4 :

wireguard/make.sh

@@ -89,7 +89,7 @@ pctCreateAlpine $ID "$PASS"
 
 echo "# Installing dependencies..."
 @ lxc-attach $ID apk add \
-	iptables wireguard-tools-wg-quick make bind-tools libqrencode logrotate
+	iptables wireguard-tools-wg-quick make bind-tools libqrencode-tools logrotate
 
 echo "# Copying assets..."
 pctPushAssets $ID