Wire in a box updates (#599)

* remove non-functional syntax.

* comment out deprecated minio settings, and clear up language around network interface definition.

* add firewalling rules for when using UFW, and a forwarding firewall.

* clear up host entry listing instructions.

ansible/inventory/offline/99-static

@@ -57,8 +57,12 @@
 # execution is wrapped through a container, as the ssh-agent socket isn't
 # accessible there.
 
-# Uncomment the following lines when you have both a public and private network
-# and you want your databases to use the private one.
+## In the next three sections, Cassandra, elasticsearch, and MinIO need
+#  the name of the interface you want database services to run on
+#  specified. While this can be used to specify a private network just
+#  for databases, you must specify the interface name you want to run
+#  services on, even in the case that it is the only interface on the box.
+
 [cassandra:vars]
 # cassandra_network_interface = enp1s0
 
@@ -67,9 +71,11 @@
 
 [minio:vars]
 # minio_network_interface = enp1s0
-prefix = "example-"
-domain = "example.com"
-deeplink_title = "example.com environment"
+
+### No longer used. generated by the nginz section of values/wire-server/values.yaml instead.
+#prefix = "example-"
+#domain = "example.com"
+#deeplink_title = "example.com environment"
 
 [restund:vars]
 # Uncomment if your public IP is not on the default gateway

offline/docs.md

@@ -176,7 +176,7 @@ these criteria, so that we're sure SFT is deployed correctly.
 By using a `node_label` we can make sure SFT is only deployed on a certain node like `kubenode4`
 
 ```
-kubenode4 node_labels="wire.com/role=sftd" node_annotations="{'wire.com/external-ip': 'XXXX'}"
+kubenode4 node_labels="{'wire.com/role': 'sftd'}" node_annotations="{'wire.com/external-ip': 'a.b.c.d'}"
 ```
 
 If the node does not know its onw public IP (e.g. becuase it's behind NAT) then you should also set
@@ -409,12 +409,25 @@ Select one of your kubernetes nodes that you are fine with losing service if it
 export KUBENODE1IP=<your.kubernetes.node.ip>
 ```
 
-then run the following:
+then, if your box owns the public IP (you can see the IP in `ip addr`), run the following:
 ```
 sudo iptables -t nat -A PREROUTING -d $PUBLICIPADDRESS -i $OUTBOUNDINTERFACE -p tcp --dport 80 -j DNAT --to-destination $KUBENODE1IP:31772
 sudo iptables -t nat -A PREROUTING -d $PUBLICIPADDRESS -i $OUTBOUNDINTERFACE -p tcp --dport 443 -j DNAT --to-destination $KUBENODE1IP:31773
 ```
-or add an appropriate rule to a config file (for UFW, /etc/ufw/before.rules)
+
+If your box is being forwarded traffic from another firewall (you do not see the IP in `ip addr`), run the following:
+```
+sudo iptables -t nat -A PREROUTING -i $OUTBOUNDINTERFACE -p tcp --dport 80 -j DNAT --to-destination $KUBENODE1IP:31772
+sudo iptables -t nat -A PREROUTING -i $OUTBOUNDINTERFACE -p tcp --dport 443 -j DNAT --to-destination $KUBENODE1IP:31773
+```
+
+If you are running a UFW firewall, make sure to allow inbound traffic on 443 and 80:
+```
+sudo ufw allow in on $OUTBOUNDINTERFACE proto tcp to any port 443
+sudo ufw allow in on $OUTBOUNDINTERFACE proto tcp to any port 80
+```
+
+if you are running a UFW firewall, make sure to add the above iptables rules to /etc/ufw/before.rules, so they persist after a reboot.
 
 ###### Mirroring the public IP
 
@@ -553,7 +566,7 @@ for bring-your-own-certificate, this could be the same wildcard or SAN certifica
 
 Next, copy `values/sftd/prod-values.example.yaml` to `values/sftd/values.yaml`, and change the contents accordingly. 
 
- * If your turn servers can be reached on their public IP by the SFT service, Wire recommends you enable cooperation between turn and SFT. add a line reading `turnDiscoveryEnabled: true` to your values file.
+ * If your turn servers can be reached on their public IP by the SFT service, Wire recommends you enable cooperation between turn and SFT. add a line reading `turnDiscoveryEnabled: true` to `values/sftd/values.yaml`.
 
 edit values/sftd/values.yaml, and select whether you want lets-encrypt certificates, and ensure the alloworigin and the host point to the appropriate domains.
 

offline/kvm-hetzner.md

@@ -450,13 +450,22 @@ switch to docs.md.
 
 skip down to 'Making tooling available in your environment'
 
-when editing the inventory, create 'ansnode' entries, rather than separate cassandra, elasticsearch, and minio nodes.
+#### Editing the ansible inventory
+
+##### Adding host entries
+when editing the inventory, we only need seven entries in the '[all]' section. one entry for each of the VMs we are running.
+Edit the 'kubenode' entries, and the 'assethost' entry like normal.
+
+Instead of creating separate cassandra, elasticsearch, and minio entries, create three 'ansnode' entries, similar to the following:
 ```
 ansnode1 ansible_host=172.16.0.132
 ansnode2 ansible_host=172.16.0.133
 ansnode3 ansible_host=172.16.0.134
 ```
 
+##### Updating Group Membership
+Afterwards, we need to update the lists of what nodes belong to which group, so ansible knows what to install on these nodes.
+
 Add all three ansnode entries into the `cassandra` `elasticsearch`, and `minio` sections. They should look like the following:
 ```
 [elasticsearch]
@@ -483,8 +492,17 @@ ansnode3
 ```
 
 Add two of the ansnode entries into the `restund` section
+```
+[restund]
+ansnode1
+ansnode2
+```
 
 Add one of the ansnode entries into the `cassandra_seed` section.
+```
+[cassandra_seed]
+ansnode1
+```
 
 ### ERROR: after you install restund, the restund firewall will fail to start.