2026 cleanup

2026-06-02 11:11:36 +02:00
parent 099e37e08a
commit 77e1caa3bc
10 changed files with 237 additions and 0 deletions
--- a/server/.gitignore
+++ b/server/.gitignore
@@ -0,0 +1,5 @@
+skz-void-bbb88f038188.json
+opack-cloud
+opack_deploy_*
+opack_installer_*
+id_ed25519
--- a/server/Makefile
+++ b/server/Makefile
@@ -0,0 +1,51 @@
+OPACK_TARGET=			skz-void-server
+OPACK_SYS_VERSION=		snapshots
+OPACK_SYS_CPU=			2
+OPACK_SYS_MEMORY=		1024
+OPACK_SYS_DISK_SIZE=		10000
+OPACK_SYS_SETS=			+* -x* +xbase* -game* -comp* +bsd.rd
+OPACK_SYS_HOSTNAME=		void.sk4.nz
+OPACK_SYS_USER=			sk4nz
+#OPACK_SYS_SSH_PRIVATE_KEY=	$(HOME)/.ssh/id_ed25519
+OPACK_GCE_MACHINE=		e2-micro
+OPACK_AUTODISKLABEL_FILE=	$(shell realpath ./autodisklabel)
+OPACK_PROVISION_FILE=		$(shell realpath void-provision.sh)
+OPACK_GCE_PROJECT=		skz-void
+OPACK_GCE_JSON_KEY=		skz-void-bbb88f038188.json
+OPACK_DEBUG=y
+
+include ../skz-opack/src/opack.mk
+
+SSH_OPTS=	-i $(OPACK_SYS_SSH_PRIVATE_KEY) -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+FW_TF=		$(OPACK_TERRAFORM_DIR)/opack-module/firewall.tf
+
+IN_TCP=		ssh
+VPN_TCP=	ssh domain http https 1024:65535
+VPN_UDP=	domain ntp 1024:65535
+
+VOID_CLIENTS=	psychopomp skzphone miri
+
+.DEFAULT_GOAL := all
+
+all: void
+
+$(FW_TF): | opack-cloud
+	cp firewall.tf $@
+	cd $(OPACK_TERRAFORM_DIR) && terraform apply \
+		-target=module.opack-module.google_compute_firewall.icmp \
+		-target=module.opack-module.google_compute_firewall.wireguard \
+		-target=module.opack-module.google_compute_firewall.ssh \
+		-auto-approve > /dev/null
+	echo ▒ GCP Firewall configured
+	#-target=module.opack-module.google_compute_firewall.deny \
+
+void: | $(FW_TF)
+	ssh $(SSH_OPTS) root@$(shell cat opack-cloud) \
+		"uname -a; sysctl kern.version;" 2> /dev/null
+	scp -q -r $(SSH_OPTS) \
+		../../skz-wg root@$(shell cat opack-cloud):/root/skz-wg
+	#vagrant ssh -c "make -C run bootstrap"
+	ssh $(SSH_OPTS) root@$(shell cat opack-cloud) \
+		"sh -c 'IN_TCP=\"$(IN_TCP)\" VPN_TCP=\"$(VPN_TCP)\" VPN_UDP=\"$(VPN_UDP)\" CLIENTS=\"$(VOID_CLIENTS)\" make -C /root/skz-wg'" 2> /dev/null
+
+clean: opack-clean
--- a/server/autodisklabel
+++ b/server/autodisklabel
@@ -0,0 +1,5 @@
+/              1G-*     60%
+swap           1G-2G    2%
+/tmp           1G-4G    4%
+/usr           3G-*     24%
+/usr/local     2G-*     10%
--- a/server/firewall.tf
+++ b/server/firewall.tf
@@ -0,0 +1,46 @@
+#resource "google_compute_firewall" "deny" {
+#  name        = "deny-all"
+#  network     = "default"
+#  direction   = "INGRESS"
+#  deny {
+#    protocol = "all"
+#  }
+#  target_tags   = ["skz-opack"]
+#  source_ranges = ["0.0.0.0/0"]
+#  priority = 1001
+#}
+
+resource "google_compute_firewall" "icmp" {
+  name        = "allow-icmp"
+  network     = "default"
+  direction   = "INGRESS"
+  allow {
+    protocol = "icmp"
+  }
+  target_tags   = ["skz-opack"]
+  source_ranges = ["0.0.0.0/0"]
+}
+
+resource "google_compute_firewall" "wireguard" {
+  name        = "allow-wireguard"
+  network     = "default"
+  direction   = "INGRESS"
+  allow {
+    protocol = "udp"
+    ports    = ["5353"]
+  }
+  target_tags   = ["skz-opack"]
+  source_ranges = ["0.0.0.0/0"]
+}
+
+resource "google_compute_firewall" "ssh" {
+  name        = "allow-ssh"
+  network     = "default"
+  direction   = "INGRESS"
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+  target_tags   = ["skz-opack"]
+  source_ranges = ["0.0.0.0/0"]
+}
--- a/server/id_ed25519.pub
+++ b/server/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG+eIJBRWgko97xcSbp9EWI/LT82WKubSfYUvR7cErb sk4nz@psychopomp
--- a/server/void-provision.sh
+++ b/server/void-provision.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+set +x
+packages="htop vim--no_x11 nload"
+(
+        echo VOID: Starting provisioning.
+        sysctl -n kern.version
+	printf 'hw.smt=1\n' >> /etc/sysctl.conf
+        printf 'permit nopass :wheel\n' > /etc/doas.conf
+	pkg_add -u 2> /dev/null || pkg_add -u -D snap 2> /dev/null
+	pkg_add -Iv $packages 2> /dev/null || pkg_add -Iv -D snap $packages 2> /dev/null
+	while(pgrep -f reorder_kernel > /dev/null) do echo Waiting for reorder_kernel to finish...; sleep 10; done
+	syspatch 2> /dev/null || (echo "No syspatch, continuing..."; true)
+	rm -f /etc/ssh/ssh_host*
+        find /var/log -type f | while read f; do echo -ne '' > $f; done
+        find /tmp -type f | while read f; do echo -ne '' > $f; done
+	for part in $(df | tail -n+2 | awk '{print $6}'); do dd if=/dev/zero of=$part/EMPTY bs=1M 2> /dev/null || true; rm -f $part/EMPTY || true; done
+        sync
+        sync
+        echo OPACK: provisionning done.
+)
+exit 0
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG+eIJBRWgko97xcSbp9EWI/LT82WKubSfYUvR7cErb sk4nz@psychopomp`