First Commit

Signed-off-by: Marc Ahlgrim <[email protected]>

Author: onemarcfifty

README

@@ -0,0 +1,53 @@
+## example.com domain on Proxmox
+
+### What?
+
+With these scripts you can install a complete example.com domain for testing purposes on your proxmox server. This includes:
+
+1. A client machine running a graphical MATE environment as entry point that can be accessed over RDP with the following software on it:
+    - a Firefox Browser with pre-loaded certificates
+    - Thunderbird Mail client, pre-loaded
+2. An OpenWrt Router as exit point
+3. DNS (running on dnsmasq on the OpenWrt Router) for the example.com domain
+4. A Docker host (running in an unprivileged LXC Container)
+5. A "fake" SMTP / IMAP Server
+
+The environment has everything you need to run the domain, including TLS certificates and e-Mail (internal only)
+
+### Why?
+
+A lot of examples and samples in the internet use the "example.com" domain. Testing software and running it in a "production" environment, i.e. in your "real" network can be cumbersome, because:
+
+- you might break something
+- you jeopardize the security and/or reliability of your network
+- you would have to change things and roll them back later
+- in order to make the examples run in the network, you need to change a lot of config files
+
+For all these reasons, a test environment or "Sandbox" can be extremely useful.
+
+- apply samples as they are without too many changes (we run the example.com domain - you remember ;-) )
+- No influence on the "real" world - everything is safely encapsulated
+- Quick deployment of Containers or VMs into the environment - just give a machine the virtual bridge as network and it will run inside the sandbox
+- The client container is lightweight, RDP makes access from Linux or Windows easy
+
+### How? (1) - Preparation steps
+
+Create a virtual network for your test "sandbox" that is connected nowhere (i.e. will only be visible inside the example.com). This will be the network that your example.com domain will use.
+
+- Select the PVE Server in the Proxmox VE GUI
+- Select the "Network" node
+- Click on "Create" - "Linux Bridge"
+- do only fill out the following fields (i.e. leave all others blank):
+    - Name (e.g. "vmbr999")
+    - Autostart: ticked
+    - VLAN aware: ticked
+    - Comment (e.g. "Virtual Sandbox Bridge")
+
+### How? (2) - Installation
+
+The installation can be done automatically. 
+Run the following command (as root) on the PVE Server:
+
+### More Info
+
+

config

@@ -0,0 +1,49 @@
+# ###################################
+# general config for the 
+# example.com Sandbox
+# ###################################
+
+# the "virtual WAN" - this is the network
+# going to the internet, i.e. your "normal"
+# Proxmox Network, by default it's vmbr0
+
+WAN=vmbr0
+
+# the "virtual LAN" - this is the network
+# that your example.com domain will run in,
+# i.e. the "encapsulated" network
+# that you created as a preparation step
+
+LAN=vmbr111
+
+# The domain that you want to have inside 
+# your virtual world
+
+DOMAIN=example.com
+
+# The storage where your containers shall reside
+# e.g. local or local-lvm or local-disc etc.
+
+STORAGE=local-lvm
+
+# CTTEMPLATE is the name of the template to use
+
+TEMPLATENAME=debian-11-standard_11.6-1_amd64.tar.zst
+TEMPLATESTORAGE=local
+
+# CTID contains a list of Container/VM IDs to use
+
+CTID=701,702,703
+
+# OPENWRTURL contains the URL for the OpenWrt Image to use.
+
+OPENWRTURL="https://downloads.openwrt.org/releases/22.03.3/targets/x86/64/openwrt-22.03.3-x86-64-generic-ext4-combined.img.gz"
+
+# the ROUTERIP is used later by the client Script in order to connect to the 
+# router and do the necessary changes. Change it here if needed. 
+# Furthermore, after the first installation step (when the script halts in order to
+# let you check the router's internet connection), log into the router shell
+# from the Proxmox GUI and run
+# uci set network.lan.ipaddr='x.x.x.x' ; uci commit ; reboot
+
+ROUTERIP=192.168.1.1

deploy-sandbox.sh

@@ -0,0 +1,168 @@
+#!/bin/bash
+
+# ############################################
+# This is the main deploy script
+# that creates all the containers for the
+# example.com domain
+# ############################################
+
+# include the config file
+. config
+
+# The script needs to be run as root!
+# if we are not root, we will exit
+if [ "$EUID" -ne 0 ]
+  then echo "Please run as root"
+  exit
+fi
+
+# ask for consent and abort or start the installation
+(cat) <<EOF
+This will install a virtual network 
+on your Proxmox VE host.
+the parameters that you have chosen are:
+
+Domain name:           $DOMAIN
+Virtual LAN interface: $LAN
+Virtual WAN interface: $WAN
+Container Storage:     $STORAGE
+
+Please type Enter to continue or CTRL-C to abort
+EOF
+read
+
+echo "Please specify a root password for the containers (input not shown)"
+read -s ROOTPASSWD
+echo "Please specify a non-root user name for the client container"
+read NONROOTUSER
+echo "Please specify a password for the non-root user (input not shown)"
+read -s NONROOTPASSWD
+
+
+# #########################################
+echo "##### finding the template"
+# #########################################
+
+pveam download $TEMPLATESTORAGE $TEMPLATENAME
+CTTEMPLATE=$(pveam list $TEMPLATESTORAGE |grep $TEMPLATENAME | cut -d " " -f 1 -)
+if [ "X" == "X${CTTEMPLATE}" ]; then
+  echo "Template not available - exiting"
+  exit
+fi
+
+# #########################################
+echo "##### deploying the router"
+# #########################################
+
+OPENWRTID=$(echo $CTID | cut -d "," -f 3 -)
+qm create $OPENWRTID --cores 1 --name "exc-OpenWrt" --net0 model=virtio,bridge=$LAN --net1 model=virtio,bridge=$WAN --storage $STORAGE --memory 512
+wget -q -O - $OPENWRTURL | gunzip -c >/tmp/openwrt.img
+qm importdisk $OPENWRTID /tmp/openwrt.img $STORAGE --format qcow2
+qm set $OPENWRTID --ide0 $STORAGE:vm-$OPENWRTID-disk-0
+qm set $OPENWRTID --boot order=ide0
+rm /tmp/openwrt.img
+qm start $OPENWRTID
+
+echo -e "\n ######### Please make sure the router has internet access"
+echo -e " ######### (open a shell on the VM and ping www.google.com or the like)"
+echo -e "\n ######### press ENTER to continue\n"
+read
+
+# #########################################
+echo "##### deploying the client"
+# #########################################
+
+CLIENTID=$(echo $CTID | cut -d "," -f 1 -)
+pct create $CLIENTID $CTTEMPLATE \
+    --cores 1 \
+    --description "RDP Server for the ${DOMAIN} domain" \
+    --hostname "exc-Client" \
+    --memory 2048 \
+    --password "$ROOTPASSWD" \
+    --storage $STORAGE \
+    --net0 name=eth0,bridge=$WAN,ip=dhcp \
+    --net1 name=eth1,bridge=$LAN,ip=dhcp \
+    --features nesting=1 \
+    --unprivileged 1
+
+# #########################################
+echo "##### deploying the docker-host"
+# #########################################
+
+DOCKERID=$(echo $CTID | cut -d "," -f 2 -)
+pct create $DOCKERID $CTTEMPLATE \
+    --cores 1 \
+    --description "Docker host for the ${DOMAIN} domain" \
+    --hostname "exc-Docker" \
+    --memory 2048 \
+    --password "$ROOTPASSWD" \
+    --storage $STORAGE \
+    --net0 name=eth1,bridge=$LAN,ip=dhcp \
+    --features keyctl=1,nesting=1 \
+    --unprivileged 1
+
+echo -e "\n ######### Please check the settings of the containers in the Proxmox GUI \n ######### press ENTER to continue\n"
+read
+
+
+# #########################################
+echo "##### starting the containers"
+# #########################################
+
+# start the containers
+pct start $CLIENTID
+pct start $DOCKERID
+
+# #########################################
+echo -e "\n ##### creating self-signed certs \n"
+# #########################################
+
+# in case the domain is not called example.com, let's bluntly replace it in the config file
+sed -i s/example.com/${DOMAIN}/ imap.cnf
+sed -i s/example.com/${DOMAIN}/ wildcard.cnf
+
+# create the Certificates - first the CA
+openssl req -newkey rsa:2048 -keyout rootCA.key -x509 -days 3650 -nodes -out rootCA.crt -subj "/CN=AAA_TestCA/C=DE/O=AAA_onemarcfifty/emailAddress=admin@${DOMAIN}"
+
+# now the CSR and cert for the *.example.com wildcard
+openssl req -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr -subj "/CN=*.${DOMAIN}/C=DE/O=AAA_onemarcfifty/emailAddress=admin@${DOMAIN}"
+openssl x509 -req -in wildcard.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out wildcard.crt -days 3650 -sha256 -extfile wildcard.cnf -extensions req_ext
+cat wildcard.crt rootCA.crt >wildcard_fullchain.crt
+
+# now the CSR and cert for the imap server
+openssl req -newkey rsa:2048 -nodes -keyout imap.key -out imap.csr -subj "/CN=imap.${DOMAIN}/C=DE/O=AAA_onemarcfifty/emailAddress=admin@${DOMAIN}"
+openssl x509 -req -in imap.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out imap.crt -days 3650 -sha256 -extfile imap.cnf -extensions req_ext
+cat imap.crt rootCA.crt >imap_fullchain.crt
+
+# copy the certificates over to the containers
+for THECONTAINER in $CLIENTID $DOCKERID ; do
+  pct exec $THECONTAINER -- mkdir -p /etc/certificates/${DOMAIN}
+  for i in *.crt *.key ; do 
+    pct push $THECONTAINER $i /etc/certificates/${DOMAIN}/${i} 
+  done
+done
+
+# #########################################
+echo -e "\n ##### configuring the containers \n"
+# #########################################
+
+# create a non-root user
+pct exec $CLIENTID -- useradd -m -s /bin/bash -G sudo $NONROOTUSER
+pct exec $CLIENTID -- bash -c "echo -e '$NONROOTPASSWD\n$NONROOTPASSWD\n' | passwd $NONROOTUSER"
+
+# push dhcp settings to avoid routing over the ingress interface
+pct push $CLIENTID exc-client/dhclient.conf /etc/dhcp/dhclient.conf
+pct exec $CLIENTID -- systemctl restart networking
+
+# push and execute the init script to the client
+pct push $CLIENTID exc-client/init-router-script.sh /root/init-router-script.sh
+pct push $CLIENTID exc-client/init-script.sh /root/init-script.sh
+pct exec $CLIENTID -- bash /root/init-script.sh "$NONROOTUSER" "$DOMAIN" "$ROUTERIP"
+
+# push and execute the init script to the docker host
+pct push $DOCKERID exc-docker/init-script.sh /root/init-script.sh
+pct exec $DOCKERID -- bash /root/init-script.sh "$NONROOTUSER" "$DOMAIN" 
+
+echo -e "\n ############# DONE - Please reboot all VMs and CTs \n"
+echo -e "\n ############# and then connect with RDP to the following IP address : \n"
+pct exec $CLIENTID -- ip -br addr | grep eth0

destroy-sandbox.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# ############################################
+# This destroys all Containers and VMs
+# of the example.com domain
+# ############################################
+
+# include the config file
+
+. config
+
+# The script needs to be run as root!
+# if we are not root, we will exit
+
+if [ "$EUID" -ne 0 ]
+  then echo "Please run as root"
+  exit
+fi
+
+(cat) <<EOF
+This will destroy all containers
+and VMs of the $DOMAIN domain!!!
+
+Please type Enter to continue or CTRL-C to abort
+EOF
+read
+
+OPENWRTID=$(echo $CTID | cut -d "," -f 3 -)
+qm stop $OPENWRTID
+qm destroy $OPENWRTID
+
+CLIENTID=$(echo $CTID | cut -d "," -f 1 -)
+pct stop $CLIENTID
+pct destroy $CLIENTID
+
+DOCKERID=$(echo $CTID | cut -d "," -f 2 -)
+pct stop $DOCKERID
+pct destroy $DOCKERID
+
+

exc-client/dhclient.conf

@@ -0,0 +1,30 @@
+# Configuration file for /sbin/dhclient.
+#
+# This is a sample configuration file for dhclient. See dhclient.conf's
+#	man page for more information about the syntax of this file
+#	and a more comprehensive list of the parameters understood by
+#	dhclient.
+#
+# Normally, if the DHCP server provides reasonable information and does
+#	not leave anything out (like the domain name, for example), then
+#	few changes must be made to this file, if any.
+#
+
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+
+send host-name = gethostname();
+
+interface "eth0" {
+	request subnet-mask, broadcast-address, time-offset, 
+        host-name,
+        interface-mtu,
+        ntp-servers;
+}
+
+interface "eth1" {
+	request subnet-mask, broadcast-address, time-offset, routers,
+        domain-name, domain-name-servers, domain-search, host-name,
+        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
+        netbios-name-servers, netbios-scope, interface-mtu,
+        rfc3442-classless-static-routes, ntp-servers;
+}

exc-client/init-router-script.sh

@@ -0,0 +1,34 @@
+#!/bin/ash
+
+# ################################
+# the init script for the router 
+# ################################
+
+DOMAIN=$1
+
+# add the domain to the dnsmasq settings
+# and allow upstream RFC 1918 addresses
+uci set dhcp.@dnsmasq[0].domainneeded='0'
+uci set dhcp.@dnsmasq[0].rebind_protection='0'
+uci set dhcp.@dnsmasq[0].local="/${DOMAIN}/"
+uci set dhcp.@dnsmasq[0].domain="${DOMAIN}"
+uci set dhcp.@dnsmasq[0].boguspriv='0'
+uci commit
+
+# add the mail relevant settings (Server CNAMEs and MX record)
+if grep imap /etc/dnsmasq.conf ; then
+  echo "dnsmasq Config seems to be there already"
+else
+(cat >>/etc/dnsmasq.conf) <<EOF
+cname=imap,exc-Docker
+cname=smtp,exc-Docker
+cname=mail,exc-Docker
+cname=imap.${DOMAIN},exc-Docker
+cname=smtp.${DOMAIN},exc-Docker
+cname=mail.${DOMAIN},exc-Docker
+mx-host=${DOMAIN},mail.${DOMAIN},10
+EOF
+fi
+
+# apply all changes
+/etc/init.d/dnsmasq restart