From 8ea1060fe0e43cfb2731e37b61b2fb0c2f89c576 Mon Sep 17 00:00:00 2001
From: Finn Bear
Date: Sun, 20 Aug 2023 12:35:26 -0700
Subject: [PATCH] Cleanup part 2.
---
 engine/game_terraform/core.tf | 11 -
 engine/game_terraform/dns.tf | 38 ----
 engine/game_terraform/linode.tf | 54 -----
 engine/game_terraform/provider.tf | 8 -
 engine/game_terraform/server_init.sh | 291 ---------------------------
 engine/game_terraform/variable.tf | 24 ---
 engine/terraform/.gitignore | 2 -
 engine/terraform/dynamodb.tf | 125 ------------
 engine/terraform/firewall.tf | 28 ---
 engine/terraform/iam.tf | 44 ----
 engine/terraform/provider.tf | 33 ---
 engine/terraform/variable.tf | 14 --
 terraform/.gitignore | 1 -
 terraform/main.tf | 58 ------
 14 files changed, 731 deletions(-)
 delete mode 100644 engine/game_terraform/core.tf
 delete mode 100644 engine/game_terraform/dns.tf
 delete mode 100644 engine/game_terraform/linode.tf
 delete mode 100644 engine/game_terraform/provider.tf
 delete mode 100644 engine/game_terraform/server_init.sh
 delete mode 100644 engine/game_terraform/variable.tf
 delete mode 100644 engine/terraform/.gitignore
 delete mode 100644 engine/terraform/dynamodb.tf
 delete mode 100644 engine/terraform/firewall.tf
 delete mode 100644 engine/terraform/iam.tf
 delete mode 100644 engine/terraform/provider.tf
 delete mode 100644 engine/terraform/variable.tf
 delete mode 100644 terraform/.gitignore
 delete mode 100644 terraform/main.tf
diff --git a/engine/game_terraform/core.tf b/engine/game_terraform/core.tf
deleted file mode 100644
index bb31f2c..0000000
--- a/engine/game_terraform/core.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-data "terraform_remote_state" "core" {
- backend = "s3"
-
- config = {
- profile = "terraform"
- bucket = "softbear-terraform"
- key = "core.tfstate"
- dynamodb_table = "core_terraform" // For locking.
- region = "us-east-1"
- }
-}
\ No newline at end of file
diff --git a/engine/game_terraform/dns.tf b/engine/game_terraform/dns.tf
deleted file mode 100644
index e9365b4..0000000
--- a/engine/game_terraform/dns.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-resource "linode_domain" "main" {
- type = "master"
- domain = var.domain
- refresh_sec = 300
- retry_sec = 30
- expire_sec = 604800
- soa_email = "finnbearone@gmail.com"
- tags = [var.name]
-}
-
-// This is accomplished at runtime by the servutil watchdog.
-/*
-resource "linode_domain_record" "home_ipv4" {
- count = var.servers
- domain_id = linode_domain.main.id
- name = ""
- record_type = "A"
- target = element(linode_instance.servers.*.ip_address, count.index)
- ttl_sec = 30
-}
-*/
-
-resource "linode_domain_record" "servers_ipv4" {
- for_each = var.servers
- domain_id = linode_domain.main.id
- name = each.key
- record_type = "A"
- target = linode_instance.servers[each.key].ip_address
- ttl_sec = 120
-}
-
-resource "linode_domain_record" "www" {
- domain_id = linode_domain.main.id
- name = "www"
- record_type = "CNAME"
- target = var.domain
- ttl_sec = 120
-}
\ No newline at end of file
diff --git a/engine/game_terraform/linode.tf b/engine/game_terraform/linode.tf
deleted file mode 100644
index ad8b2fb..0000000
--- a/engine/game_terraform/linode.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-resource "linode_instance" "servers" {
- depends_on = [linode_domain.main]
- for_each = var.servers
- label = "${var.name}_${each.key}"
- image = "linode/debian11"
- region = each.value
- type = "g6-nanode-1"
- authorized_keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+TE0LBTlPK2g4ULX48WfBJZKk/8vs3/faGaEkr+Q8j6ZB3nl0qBVk7NI8ETxbqZ0WRXf21ExZUO6m+ecUB5JmkU19pw9zLwDB+TT8DVsjRDuMEW09afeMGux2eXOV+0w+G1qqqwH2V8zFGpRj91kNwvR2tZ5yc+r1NTC+T3gr5HeGXGb7Q82l7knUErSvCB52T0BR31lXT6FiNSdRt+uYAkAoe3gtdnlvKV3GkiWejgY3L6sXz63llnGDefxhXSATo6yj41UNbAXHxCHPmFNFktpYT+H2OkdRRdSSIcs+1/JtwEm3QKBkDsjKFrBP3ujuvlVOi1sStEesKyNAUOyX finnb@epyc",
- chomp(file("../.ssh/id_rsa.pub"))
- ]
- tags = [var.name]
- swap_size = 128
- private_ip = true
- backups_enabled = false
-
- connection {
- type = "ssh"
- user = "root"
- host = self.ip_address
- }
-
- provisioner "file" {
- source = "../server/target/release/server"
- destination = "/root/server"
- }
-
- provisioner "file" {
- source = "../engine/game_terraform/server_init.sh"
- destination = "/root/server_init.sh"
- }
- provisioner "remote-exec" {
- inline = [
- "chmod u+x /root/server",
- "chmod u+x /root/server_init.sh",
- "echo \"SERVER_ID=\\\"${each.key}\\\"\" >> /etc/environment",
- "echo \"IP_ADDRESS=\\\"${self.ip_address}\\\"\" >> /etc/environment",
- "echo \"DOMAIN=\\\"${var.domain}\\\"\" >> /etc/environment",
- "echo \"LINODE_TOKEN=\\\"${var.linode_token}\\\"\" >> /etc/environment"
- ]
- }
-
- provisioner "remote-exec" {
- inline = [
- "/root/server_init.sh"
- ]
- }
-}
-
-resource "linode_firewall_device" "servers" {
- for_each = var.servers
- firewall_id = data.terraform_remote_state.core.outputs.game_server_firewall_id
- entity_id = linode_instance.servers[each.key].id
-}
\ No newline at end of file
diff --git a/engine/game_terraform/provider.tf b/engine/game_terraform/provider.tf
deleted file mode 100644
index 592c212..0000000
--- a/engine/game_terraform/provider.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
- required_providers {
- linode = {
- source = "linode/linode"
- # version = "1.20.2"
- }
- }
-}
\ No newline at end of file
diff --git a/engine/game_terraform/server_init.sh b/engine/game_terraform/server_init.sh
deleted file mode 100644
index 6ed446e..0000000
--- a/engine/game_terraform/server_init.sh
+++ /dev/null
@@ -1,291 +0,0 @@
-#!/bin/bash
-
-echo "RUST_BACKTRACE=\"1\"" >> /etc/environment
-
-echo "Security measures"
-
-sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && service ssh restart
-
-cat < /etc/sysctl.d/1000-custom.conf
-
-# Limit memory use to min, default, max bytes per buffer
-net.ipv4.tcp_rmem = 4096 32768 32768
-net.ipv4.tcp_wmem = 4096 65536 131072
-
-# After no activity for X seconds, start sending Y keepalive probes, with Z seconds in between
-net.ipv4.tcp_keepalive_time = 300
-net.ipv4.tcp_keepalive_probes = 4
-net.ipv4.tcp_keepalive_intvl = 30
-
-# Get rid of orphans ASAP.
-net.ipv4.tcp_max_orphans = 1024
-net.ipv4.tcp_orphan_retries = 3
-net.ipv4.tcp_max_tw_buckets = 1024
-net.ipv4.tcp_fin_timeout = 16
-
-# Limit SYN flood and RST spoofing
-net.ipv4.tcp_max_syn_backlog = 64
-net.ipv4.tcp_retries2 = 8
-net.ipv4.tcp_syncookies = 1
-net.ipv4.tcp_syn_retries = 3
-net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_challenge_ack_limit = 500
-
-# Optimization
-net.ipv4.tcp_no_metrics_save = 1
-
-# Enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
-
-# Do not accept ICMP redirects (prevent MITM attacks)
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv6.conf.all.accept_redirects = 0
-
-# Do not send ICMP redirects (we are not a router)
-net.ipv4.conf.all.send_redirects = 0
-
-# Do not accept IP source route packets (we are not a router)
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv6.conf.all.accept_source_route = 0
-EOF
-
-cat < /etc/nftables.conf
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-# netdev runs very early but packets may be fragmented
-table netdev filter {
- chain ingress {
- type filter hook ingress device eth0 priority -500;
-
- # drop IP fragments
- ip frag-off & 0x1fff != 0 counter # drop
-
- # TCP x-mas
- tcp flags & (fin|psh|urg) == fin|psh|urg counter drop
-
- # TCP null
- tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
-
- # TCP MSS
- tcp flags syn tcp option maxseg size 1-535 counter # drop
- }
-}
-
-# mangle runs next
-table inet mangle {
- chain prerouting {
- type filter hook prerouting priority -150;
-
- # Allow existing connections to continue, drop invalid packets
- ct state invalid counter drop
-
- # New TCP packets must be SYN
- tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
- }
-}
-
-table inet filter {
- # Garbage collected
- set ipv4_total {
- type ipv4_addr
- size 2048
- flags dynamic
- }
-
- # Expiry based
- set ipv4_new {
- type ipv4_addr
- size 2048
- flags dynamic, timeout
- }
- # Expiry based
- set ipv4_new_log {
- type ipv4_addr
- size 2048
- flags dynamic, timeout
- }
-
- # Expiry based
- set ipv4_established {
- type ipv4_addr
- size 2048
- flags dynamic, timeout
- }
-
- # Garbage collected
- set ipv6_total {
- type ipv6_addr;
- size 2048
- flags dynamic
- }
-
- # Expiry based
- set ipv6_new {
- type ipv6_addr;
- size 2048
- flags dynamic, timeout
- }
-
- # Expiry based
- set ipv6_new_log {
- type ipv6_addr;
- size 2048
- flags dynamic, timeout
- }
-
- # Expiry based
- set ipv6_established {
- type ipv6_addr;
- size 2048
- flags dynamic, timeout
- }
-
- chain inbound_ipv4 {
- # Limit connection rate per source IP (no log)
- ct state new add @ipv4_new { ip saddr timeout 30s limit rate over 3/second burst 15 packets } counter drop
-
- # Limit connection rate per source IP (log)
- ct state new add @ipv4_new_log { ip saddr timeout 30s limit rate over 3/second burst 12 packets } counter log prefix "IPv4 per-IP ratelimit: " drop
-
- # Limit connections per source IP
- ct state new add @ipv4_total { ip saddr ct count over 20 } counter log prefix "IPv4 per-IP limit: " reject
-
- # Limit packet rate per source IP
- ct state { established, related } add @ipv4_established { ip saddr timeout 30s limit rate over 2048/second burst 16384 packets } counter drop
-
- # Allow ICMP pings (with a global limit)
- icmp type echo-request limit rate 5/second accept
- }
-
- chain inbound_ipv6 {
- # Limit connection rate per source IP (no log)
- ct state new add @ipv6_new { ip6 saddr timeout 30s limit rate over 2/second burst 15 packets } counter drop
-
- # Limit connection rate per source IP (log)
- ct state new add @ipv6_new_log { ip6 saddr timeout 30s limit rate over 2/second burst 12 packets } counter log prefix "IPv6 per-IP ratelimit: " drop
-
- # Limit connections per source IP
- ct state new add @ipv6_total { ip6 saddr ct count over 6 } counter reject
-
- # Limit packet rate per source IP
- ct state { established, related } add @ipv6_established { ip6 saddr timeout 30s limit rate over 1024/second } counter drop
-
- # Neighbor discovery.
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 10/second accept
-
- # Allow ICMP pings (with a global limit)
- icmpv6 type echo-request limit rate 5/second accept
- }
-
- chain inbound {
- # What follows this is a whitelist
- type filter hook input priority 0; policy drop;
-
- # Protocol-specific rules
- meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
-
- # Allow loopback
- iifname lo accept
-
- # Allow existing connections to continue, drop invalid packets
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Allow SSH (with a global limit)
- tcp dport ssh ct count 32 accept
-
- # Allow HTTP (with a global limit)
- tcp dport { http, https } ct count 1500 accept
- }
-
- chain forward {
- # We are not a router.
- type filter hook forward priority 0; policy drop;
- }
-}
-EOF
-
-echo "Updating"
-
-apt update
-
-echo "Uninstalling sysstat"
-
-# sysstat is suspected to steal the CPU for ~10s every 30m
-sudo apt -y purge sysstat
-
-echo "Installing snap"
-
-apt install -y snapd
-snap install core;
-snap refresh core;
-
-echo "Installing linode token"
-
-printf "dns_linode_key = $LINODE_TOKEN\ndns_linode_version = 4\n" > /root/linode.ini
-chmod 600 /root/linode.ini
-
-echo "Installing certbot"
-
-snap install --classic certbot
-ln -s /snap/bin/certbot /usr/bin/certbot
-snap set certbot trust-plugin-with-root=ok
-snap install certbot-dns-linode
-
-printf "certbot certonly --agree-tos --non-interactive --dns-linode --dns-linode-credentials /root/linode.ini --dns-linode-propagation-seconds 180 --no-eff-email --no-redirect --email finnbearone@gmail.com -d $DOMAIN -d www.$DOMAIN -d $SERVER_ID.$DOMAIN" > get_ssl_cert.sh
-chmod u+x /root/get_ssl_cert.sh
-./get_ssl_cert.sh
-
-echo "Installing service..."
-cat < /etc/systemd/system/game-server.service
-[Unit]
-Description=Game Server
-
-[Service]
-Type=simple
-User=root
-Group=root
-Restart=always
-RestartSec=3
-EnvironmentFile=/etc/environment
-WorkingDirectory=~
-ExecStart=/root/server \
- --server-id $SERVER_ID \
- --ip-address $IP_ADDRESS \
- --chat-log /root/chat.log \
- --trace-log /root/trace.log \
- --certificate-path /etc/letsencrypt/live/$DOMAIN/fullchain.pem \
- --private-key-path /etc/letsencrypt/live/$DOMAIN/privkey.pem
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-echo "Installing util scripts..."
-printf "journalctl -a -f -o cat -u game-server" > /root/view-game-server-logs.sh
-chmod u+x /root/view-game-server-logs.sh
-
-printf "sudo systemctl restart game-server" > /root/restart-game-server.sh
-chmod u+x /root/restart-game-server.sh
-
-printf "journalctl -a --no-pager -o cat -u game-server | grep -i \$1" > /root/grep-game-server-logs.sh
-chmod u+x /root/grep-game-server-logs.sh
-
-printf "nohup watch -c -n 1 'top -b -n1 | head -n 10 | tee -a top.txt' &" > /root/top.sh
-chmod u+x /root/top.sh
-
-echo "Raising firewalls..."
-
-sysctl --system
-nft -f /etc/nftables.conf
-
-echo "Enabling service..."
-sudo systemctl daemon-reload
-sudo systemctl start game-server
-sudo systemctl enable game-server
-
-echo "Init done."
diff --git a/engine/game_terraform/variable.tf b/engine/game_terraform/variable.tf
deleted file mode 100644
index be40f35..0000000
--- a/engine/game_terraform/variable.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-variable "name" {
- type = string
-}
-
-variable "domain" {
- type = string
-}
-
-variable "servers" {
- type = map
- default = {
- 1 = "us-east"
- 2 = "us-east"
- }
-}
-
-variable "aws_region" {
- type = string
-}
-
-variable "linode_token" {
- type = string
- sensitive = true
-}
\ No newline at end of file
diff --git a/engine/terraform/.gitignore b/engine/terraform/.gitignore
deleted file mode 100644
index 88eff74..0000000
--- a/engine/terraform/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-.terraform/
-*.hcl
diff --git a/engine/terraform/dynamodb.tf b/engine/terraform/dynamodb.tf
deleted file mode 100644
index 11b5ed6..0000000
--- a/engine/terraform/dynamodb.tf
+++ /dev/null
@@ -1,125 +0,0 @@
-resource "aws_dynamodb_table" "sessions" {
- name = "core_sessions"
- billing_mode = "PAY_PER_REQUEST"
- hash_key = "arena_id"
- range_key = "session_id"
-
- attribute {
- name = "arena_id"
- type = "N"
- }
-
- attribute {
- name = "session_id"
- type = "N"
- }
-
- ttl {
- attribute_name = "ttl"
- enabled = true
- }
-
- point_in_time_recovery {
- enabled = true
- }
-}
-
-resource "aws_dynamodb_table" "scores" {
- name = "core_scores"
- billing_mode = "PAY_PER_REQUEST"
- hash_key = "game_id_score_type"
- range_key = "alias"
-
- attribute {
- name = "game_id_score_type"
- type = "S"
- }
-
- attribute {
- name = "alias"
- type = "S"
- }
-
- ttl {
- attribute_name = "ttl"
- enabled = true
- }
-
- point_in_time_recovery {
- enabled = true
- }
-}
-
-resource "aws_dynamodb_table" "metrics" {
- name = "core_metrics"
- billing_mode = "PAY_PER_REQUEST"
- hash_key = "game_id"
- range_key = "timestamp"
-
- attribute {
- name = "game_id"
- type = "S"
- }
-
- attribute {
- name = "timestamp"
- type = "N"
- }
-
- point_in_time_recovery {
- enabled = true
- }
-}
-
-resource "aws_dynamodb_table" "users" {
- name = "core_users"
- billing_mode = "PAY_PER_REQUEST"
- hash_key = "user_id"
-
- attribute {
- name = "user_id"
- type = "N"
- }
-
- stream_enabled = true
- stream_view_type = "NEW_IMAGE"
-
- point_in_time_recovery {
- enabled = true
- }
-}
-
-resource "aws_dynamodb_table" "logins" {
- name = "core_logins"
- billing_mode = "PAY_PER_REQUEST"
- hash_key = "login_type"
- range_key = "id"
-
- attribute {
- name = "login_type"
- type = "S"
- }
-
- attribute {
- name = "id"
- type = "S"
- }
-
- attribute {
- name = "user_id"
- type = "N"
- }
-
- global_secondary_index {
- hash_key = "user_id"
- name = "user_id"
- projection_type = "ALL"
- }
-
- stream_enabled = true
- stream_view_type = "NEW_IMAGE"
-
- point_in_time_recovery {
- enabled = true
- }
-}
diff --git a/engine/terraform/firewall.tf b/engine/terraform/firewall.tf
deleted file mode 100644
index 8a5a55e..0000000
--- a/engine/terraform/firewall.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-resource "linode_firewall" "game_server" {
- label = "game_server"
- tags = []
-
- inbound {
- label = "HTTP_SSH"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "443,80,22"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "ICMP"
- action = "ACCEPT"
- protocol = "ICMP"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound_policy = "DROP"
- outbound_policy = "ACCEPT"
-}
-
-output "game_server_firewall_id" {
- value = linode_firewall.game_server.id
-}
\ No newline at end of file
diff --git a/engine/terraform/iam.tf b/engine/terraform/iam.tf
deleted file mode 100644
index 9e2d8c1..0000000
--- a/engine/terraform/iam.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-resource "aws_iam_access_key" "servers" {
- user = aws_iam_user.servers.name
-}
-
-resource "aws_iam_user" "servers" {
- name = "${var.name}_servers"
- path = "/system/"
-}
-
-resource "aws_iam_user_policy" "servers" {
- name = "${var.name}_servers"
- user = aws_iam_user.servers.name
-
- policy = <