public/geek-cookbook
1
0
Fork 0
mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-15 10:46:34 +00:00
Code Issues Releases Wiki Activity

Add authentik, tidy up recipe-footer

Browse Source 
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
This commit is contained in:
David Young
2023-10-31 14:37:29 +13:00
parent 0378e356fe
commit f22dd8eb50
142 changed files with 805 additions and 708 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
docs/blog/posts/notes/elfhosted/secure-private-network-within-hetzner.md Normal file
View File

@@ -0,0 +1,67 @@
---
date: 2023-06-09
categories:
- note
tags:
- elfhosted
title: Baby steps towards ElfHosted
description: Every journey has a beginning. This is the beginning of the ElfHosted journey
draft: true
---
Securing the Hetzner environment
Before building out our Kubernetes cluster, I wanted to secure the environment a little. On Hetzner, each server is assigned a public IP from a huge pool, and is directly accessible over the internet. This provides quick access for administration, but before building out our controlplane, I wanted to lock down access.
## Requirements
* [x] Kubernetes worker/controlplane nodes are privately addressed
* [x] Control plane (API) will be accessible only internally
* [x] Nodes can be administered directly on their private address range
## The bastion VM
I created a small cloud "ampere" VM using Hetzner's cloud console. These cloud VMs are provisioned separately from dedicated servers, but it's possible to interconnect them with dedicated servers using vSwitches/subnets (bascically VLANs)
I needed a "bastion" host - a small node (probably a VM), which I could secure and then use for further ingress into my infrastructure.
## Connecting Bastion VM to dedicated VMs
I
https://tailscale.com/kb/1150/cloud-hetzner/
https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/
https://docs.hetzner.com/cloud/networks/connect-dedi-vswitch
```bash
tailscale up --advertise-routes 10.0.42.0/24
```
sysctl edit
```bash
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s <your tailscale ip> -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
```
hetzner_cloud_console_subnet_routes.png
hetzner_vswitch_setup.png
## Secure hosts
* [ ] Create last-resort root password
* [ ] Setup non-root sudo account (ansiblize this?)