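---
# LXD preseed (`lxd init --preseed`) for a small gateway host: three bridges
# (DMZ, automation, proxy), one btrfs pool and one profile per container role.
# Points a security reviewer should confirm are marked NOTE(review).
config:
  # NOTE(review): the LXD API is root-equivalent on the host. '[::]:8443'
  # listens on every host interface; only certificate/token-trusted clients
  # are accepted, but consider binding to the automation bridge only
  # (10.1.1.1:8443), which is where the management container (10.1.1.2) lives.
  core.https_address: '[::]:8443'
networks:
- config:
    ipv4.address: 10.1.0.1/24
    # No ipv4.nat on this bridge: DMZ containers get no direct egress; apt
    # traffic goes through squid on 10.1.2.2. Traffic policy between bridges
    # lives in the "DMZ" ACL, which is not part of this file.
    ipv6.address: none
    security.acls: DMZ
  description: ""
  name: DMZ
  type: bridge
  project: default
- config:
    ipv4.address: 10.1.1.1/24
    ipv4.nat: "true"
    ipv6.address: none
  description: ""
  name: automation
  type: bridge
  project: default
- config:
    ipv4.address: 10.1.2.1/24
    ipv4.nat: "true"
    ipv6.address: none
    security.acls: proxy
  description: ""
  name: proxy
  type: bridge
  project: default
storage_pools:
- config:
    size: 30GiB
    source: /var/snap/lxd/common/lxd/disks/storage1.img
  description: ""
  name: storage1
  driver: btrfs
storage_volumes: []
profiles:
# appsrv1: Internet-facing Apache reverse proxy in the DMZ. Ports 80/443 of the
# host address 10.0.0.152 are forwarded to it by the proxy devices below.
- config:
    cloud-init.network-config: |
      version: 1
      config:
        - type: physical
          name: eth0
          subnets:
            - type: static
              ipv4: true
              address: 10.1.0.2
              netmask: 255.255.255.0
              gateway: 10.1.0.1
              control: auto
        # Same resolver the other DMZ container (appsrv2) uses; the original
        # profile configured none, leaving the container without DNS.
        - type: nameserver
          address: 10.1.0.1
    # NOTE(review): the <VirtualHost *:80> / <VirtualHost *:443> tags around the
    # two Apache blocks were missing in the source as extracted (most likely
    # stripped as markup); they are restored here - confirm against the original.
    # NOTE(review): only apt is pointed at the squid proxy. certbot's outbound
    # ACME traffic is not proxied and the DMZ bridge has no NAT, so confirm how
    # that egress is provided (ACL/host routing) before relying on renewals.
    cloud-init.user-data: |
      #cloud-config
      package_update: true
      package_upgrade: true
      packages:
        - apache2
        - fail2ban
        - certbot
        - python3-certbot-apache
        - less
      apt:
        proxy: http://10.1.2.2:3128/
        http_proxy: http://10.1.2.2:3128/
        https_proxy: http://10.1.2.2:3128/
      runcmd:
        # Host firewall is switched off: the only packet filtering left is the
        # LXD network ACL plus the nic-level ipv4/mac filtering in this profile.
        - systemctl stop ufw
        - systemctl disable ufw
        - mkdir -p /root/tools/
        # The heredoc body starts at the same column as "cat" so the written
        # file begins with "#!/bin/bash" at column 0 (a leading space would
        # break the shebang) and "EOF" is recognised as the terminator.
        - |
          cat > /root/tools/certs.sh <<'EOF'
          #!/bin/bash
          # Issue or renew the Let's Encrypt certificate for each domain.
          # Run once at provisioning and daily from cron; does nothing while the
          # current certificate has more than 7 days of validity left.
          EMAIL="echoslidermail@googlemail.com"
          DOMAINS=("global-itserv.de")

          for DOMAIN in "${DOMAINS[@]}"; do
            CERT_PATH="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"

            if [ -f "$CERT_PATH" ]; then
              EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$CERT_PATH" | cut -d= -f2)
              EXPIRY_SEC=$(date -d "$EXPIRY_DATE" +%s)
              NOW_SEC=$(date +%s)
              REMAINING=$(( (EXPIRY_SEC - NOW_SEC) / 86400 ))

              [ "$REMAINING" -gt 7 ] && continue
            fi

            # Apache only loads the key/cert at (re)start: reload after a
            # successful issue/renewal, otherwise the old certificate keeps
            # being served until the next manual restart.
            if certbot certonly --apache --non-interactive --agree-tos --email "$EMAIL" -d "$DOMAIN"; then
              systemctl reload apache2
            fi
          done
          EOF
        - chmod +x /root/tools/certs.sh
        - /root/tools/certs.sh
        - rm /etc/apache2/sites-enabled/*
        - |
          cat > /etc/apache2/sites-enabled/global-itserv.de.conf <<'EOF'
          <VirtualHost *:80>
              ServerName global-itserv.de

              ProxyPreserveHost On
              ProxyPass / http://127.0.0.1:8080/
              ProxyPassReverse / http://127.0.0.1:8080/

              ErrorLog ${APACHE_LOG_DIR}/proxy_error.log
              CustomLog ${APACHE_LOG_DIR}/proxy_access.log combined
          </VirtualHost>

          <VirtualHost *:443>
              ServerName global-itserv.de

              SSLEngine on
              SSLCertificateFile /etc/letsencrypt/live/global-itserv.de/fullchain.pem
              SSLCertificateKeyFile /etc/letsencrypt/live/global-itserv.de/privkey.pem

              # mod_headers is enabled below; keep browsers on TLS once they
              # have seen the site over HTTPS.
              Header always set Strict-Transport-Security "max-age=31536000"

              ProxyPreserveHost On
              ProxyPass / http://127.0.0.1:8080/
              ProxyPassReverse / http://127.0.0.1:8080/

              ErrorLog ${APACHE_LOG_DIR}/proxy_ssl_error.log
              CustomLog ${APACHE_LOG_DIR}/proxy_ssl_access.log combined
          </VirtualHost>
          EOF
        # Daily renewal check as root (the script reloads Apache itself).
        - echo '0 3 * * * /root/tools/certs.sh' | crontab -
        - a2enmod proxy proxy_http ssl headers
        - systemctl restart apache2
        # Unprivileged, shell-less account the backend web service runs as.
        - useradd -M -s /usr/sbin/nologin -u 1001 deploy
        - chown deploy:deploy /storage/requests.log
        - chown -R deploy:deploy /storage/www
        - cp /storage/webserver/webserver.service /etc/systemd/system/webserver.service
        - systemctl daemon-reload
        - systemctl start webserver
    limits.memory: 2GiB
  description: Webserver and Apache2 Proxy
  devices:
    # Certificates and keys persist on their own volume across rebuilds.
    disk-device-1:
      path: /etc/letsencrypt/
      pool: storage1
      source: balancer_etc-letsencrypt
      type: disk
    # NOTE(review): "app-storage" is the same volume the automation container
    # mounts (it holds lxd/add-remote.sh). Anything secret in there is readable
    # from this Internet-facing container.
    disk-device-2:
      path: /storage
      pool: storage1
      source: app-storage
      type: disk
    eth0:
      ipv4.address: 10.1.0.2
      network: DMZ
      # Stop the container from spoofing other addresses/MACs on the bridge.
      security.ipv4_filtering: "true"
      security.mac_filtering: "true"
      type: nic
    # NAT-mode forwards keep the real client address, which fail2ban relies on.
    proxy-1:
      bind: host
      connect: tcp:10.1.0.2:443
      listen: tcp:10.0.0.152:443
      nat: "true"
      type: proxy
    proxy-2:
      bind: host
      connect: tcp:10.1.0.2:80
      listen: tcp:10.0.0.152:80
      nat: "true"
      type: proxy
    root:
      path: /
      pool: storage1
      size: 6GiB
      type: disk
  name: appsrv1
# appsrv2: DMZ container that runs podman workloads (nested containers).
- config:
    cloud-init.network-config: |
      version: 1
      config:
        - type: physical
          name: eth0
          subnets:
            - type: static
              ipv4: true
              address: 10.1.0.3
              netmask: 255.255.255.0
              gateway: 10.1.0.1
              control: auto
        - type: nameserver
          address: 10.1.0.1
    cloud-init.user-data: |
      #cloud-config
      package_update: true
      package_upgrade: true
      packages:
        - podman
        - less
      apt:
        proxy: http://10.1.2.2:3128/
        http_proxy: http://10.1.2.2:3128/
        https_proxy: http://10.1.2.2:3128/
      runcmd:
        - systemctl stop ufw
        - systemctl disable ufw
        # All outbound HTTP(S) from login shells goes through squid.
        - |
          cat > /etc/profile.d/global.sh <<'EOF'
          export http_proxy="http://10.1.2.2:3128/"
          export https_proxy="http://10.1.2.2:3128/"
          export HTTP_PROXY="http://10.1.2.2:3128/"
          export HTTPS_PROXY="http://10.1.2.2:3128/"
          EOF

          cat > /root/proxy.sh <<'EOF'
          export http_proxy="http://10.1.2.2:3128/"
          export https_proxy="http://10.1.2.2:3128/"
          export HTTP_PROXY="http://10.1.2.2:3128/"
          export HTTPS_PROXY="http://10.1.2.2:3128/"
          EOF
        - chmod +x /root/proxy.sh
        # NOTE(review): this removes AppArmor confinement from every process in
        # the container (the LXD-side profile enforced by the host still
        # applies). If it is only here to get podman running, prefer fixing the
        # podman/AppArmor configuration and keep the LSM enabled.
        - systemctl disable --now apparmor
        - reboot
    limits.memory: 2GiB
    # Needed for podman inside an unprivileged container; these widen the
    # kernel surface exposed to the container, so keep this profile off
    # anything that does not run nested containers.
    security.nesting: "true"
    security.syscalls.intercept.mknod: "true"
    security.syscalls.intercept.setxattr: "true"
  description: For Podman/Docker inside LXC
  devices:
    disk-device-1:
      path: /storage
      pool: storage1
      source: app-storage
      type: disk
    eth0:
      ipv4.address: 10.1.0.3
      network: DMZ
      security.ipv4_filtering: "true"
      security.mac_filtering: "true"
      type: nic
    root:
      path: /
      pool: storage1
      size: 6GiB
      type: disk
  name: appsrv2
# automation: management container (Ansible + lxc client) on its own bridge.
- config:
    cloud-init.network-config: |
      version: 1
      config:
        - type: physical
          name: eth0
          subnets:
            - type: static
              ipv4: true
              address: 10.1.1.2
              netmask: 255.255.255.0
              gateway: 10.1.1.1
              control: auto
        - type: nameserver
          address: 10.1.1.1
    # NOTE(review): add-remote.sh registers the host ("gw1") as a trusted LXD
    # remote, so it presumably carries a trust token or certificate. It sits
    # on "app-storage", which both DMZ containers also mount; keep management
    # credentials on a volume only this container can see.
    cloud-init.user-data: |
      #cloud-config
      package_update: true
      package_upgrade: true
      packages:
        - golang
        - ansible
      runcmd:
        - systemctl stop ufw
        - systemctl disable ufw
        - snap install lxd
        # Absolute path: runcmd's working directory is not guaranteed, and the
        # original "./storage/..." only worked when it happened to be "/".
        - /storage/lxd/add-remote.sh
        - lxc remote switch gw1
    limits.memory: 2GiB
  description: Ansible + LXD Management
  devices:
    disk-device-1:
      path: /storage
      pool: storage1
      source: app-storage
      type: disk
    eth0:
      ipv4.address: 10.1.1.2
      network: automation
      security.ipv4_filtering: "true"
      security.mac_filtering: "true"
      type: nic
    root:
      path: /
      pool: storage1
      size: 6GiB
      type: disk
  name: automation
- config: {}
  description: Default LXD profile
  devices: {}
  name: default
# proxy: squid forward proxy, the only HTTP(S) egress path for the DMZ.
- config:
    cloud-init.network-config: |
      version: 1
      config:
        - type: physical
          name: eth0
          subnets:
            - type: static
              ipv4: true
              address: 10.1.2.2
              netmask: 255.255.255.0
              gateway: 10.1.2.1
              control: auto
        - type: nameserver
          address: 10.1.2.1
    # The original squid.conf was "http_access allow all" with "access_log
    # none": an open proxy with no audit trail. It is restricted to the DMZ
    # subnet (the only configured clients, 10.1.0.2 and 10.1.0.3), CONNECT is
    # limited to 443, and access logging is kept as the egress record for the
    # DMZ. Add further "acl ... src" lines if other networks must use it.
    cloud-init.user-data: |
      #cloud-config
      package_update: true
      package_upgrade: true
      packages:
        - squid
        - golang
      runcmd:
        - systemctl stop ufw
        - systemctl disable ufw
        - |
          cat > /etc/squid/squid.conf <<'EOF'
          http_port 3128
          cache_dir ufs /var/spool/squid 100 16 256

          acl dmz src 10.1.0.0/24
          acl SSL_ports port 443
          acl Safe_ports port 80
          acl Safe_ports port 443
          acl CONNECT method CONNECT

          http_access deny !Safe_ports
          http_access deny CONNECT !SSL_ports
          http_access allow dmz
          http_access deny all

          access_log daemon:/var/log/squid/access.log squid
          EOF
        - systemctl disable --now squid
        - squid -z
        - systemctl enable --now squid
    limits.memory: 2GiB
  description: squid Web-Proxy
  devices:
    eth0:
      # Pinned MAC so the address stays stable across rebuilds (quoted: colons
      # and hex digits must not be re-typed by a YAML parser).
      hwaddr: "00:16:3e:cd:09:0b"
      ipv4.address: 10.1.2.2
      network: proxy
      security.ipv4_filtering: "true"
      security.mac_filtering: "true"
      type: nic
    root:
      path: /
      pool: storage1
      size: 6GiB
      type: disk
  name: proxy
projects:
- config:
    features.images: "true"
    features.networks: "true"
    features.networks.zones: "true"
    features.profiles: "true"
    features.storage.buckets: "true"
    features.storage.volumes: "true"
  description: Default LXD project
  name: default
storage: ""
network: ""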