30 มีนาคม 2567

Mikrotik container + observium

# MikroTik containers for Observium: MariaDB at 10.0.0.11 and Observium at
# 10.0.0.12 on the "Docker" bridge. The bridge itself, its 10.0.0.1/24 address
# and the masquerade rule are created in the Pi-hole note further down.
/interface veth
# NOTE(review): 10.0.0.12 is the same address the Pi-hole note gives to
# veth-pihole; if both setups are deployed on one router, one of them has to
# move, and OBSERVIUM_BASE_URL below must follow the Observium address.
add address=10.0.0.11/24 gateway=10.0.0.1 name=veth-mariadb
add address=10.0.0.12/24 gateway=10.0.0.1 name=veth-observium

/interface bridge port
add bridge=Docker interface=veth-mariadb
add bridge=Docker interface=veth-observium

/container envs
# Every value in an env list is stored unencrypted in the router configuration
# and shows up in "/container envs print" and in /export output. root_pass,
# db_pass and admin/admin are placeholders: replace them before deployment and
# treat configuration exports/backups as secrets afterwards.
add name=mariadb key=MYSQL_ROOT_PASSWORD value=root_pass
add name=mariadb key=MYSQL_USER value=observium
add name=mariadb key=MYSQL_PASSWORD value=db_pass
add name=mariadb key=MYSQL_DATABASE value=observium
add name=mariadb key=TZ value=Asia/Bangkok
# Initial web login (placeholder credentials).
add name=observium key=OBSERVIUM_ADMIN_USER value=admin
add name=observium key=OBSERVIUM_ADMIN_PASS value=admin
# Database settings must match the mariadb env list above; the host is the
# veth-mariadb address.
add name=observium key=OBSERVIUM_DB_HOST value=10.0.0.11
add name=observium key=OBSERVIUM_DB_NAME value=observium
add name=observium key=OBSERVIUM_DB_USER value=observium
add name=observium key=OBSERVIUM_DB_PASS value=db_pass
# Plain HTTP on the container's own address (no TLS termination in this note).
add name=observium key=OBSERVIUM_BASE_URL value=http://10.0.0.12
add name=observium key=TZ value=Asia/Bangkok

/container mounts
# Host-side paths live on the router's storage; note both Observium mounts sit
# under /observium_log even though "rrd" holds graph data, which matters when
# sizing or backing up that directory.
add name=mariadb_data src=/mariadb/data dst=/var/lib/mysql
add name=observium_rrd src=/observium_log/rrd dst=/opt/observium/rrd
add name=observium_log src=/observium_log/log dst=/opt/observium/logs

/container
# Both images are pulled by the floating :latest tag, so each re-pull may bring
# a different build; pin a version tag (or digest) if upgrades should be
# deliberate and reviewable. dns=10.0.0.1 points the containers at the
# router's own resolver, which therefore has to answer queries from 10.0.0.0/24.
# logging=yes sends container output to the router log.
add interface=veth-mariadb mounts=mariadb_data envlist=mariadb remote-image=mariadb:latest dns=10.0.0.1 start-on-boot=yes logging=yes
add interface=veth-observium mounts=observium_rrd,observium_log envlist=observium remote-image=mbixtech/observium:latest dns=10.0.0.1 start-on-boot=yes logging=yes

25 มีนาคม 2567

Pi-hole Mikrotik container

# Pi-hole as a RouterOS container. Enabling the container feature is a
# device-mode change; on RouterOS 7 it only takes effect after the confirmation
# the router asks for (power cycle or reset button within the printed window).
/system/device-mode/update container=yes

/container config
# Image pulls go to Docker Hub over HTTPS. The container below is fetched by the
# floating :latest tag, so pin a tag or digest if upgrades should be deliberate
# rather than whatever the registry serves next.
set registry-url=https://registry-1.docker.io

/interface bridge
add name=Docker

/ip address
# Router-side address of the container subnet; the containers use it as their
# gateway (and, in the Observium note, as DNS server).
add address=10.0.0.1/24 interface=Docker

/ip firewall nat
# Outbound access for the whole container subnet via the router's own address.
# NOTE(review): this note adds no filter rule for 10.0.0.0/24, so reachability
# of the containers from the router's other interfaces depends entirely on the
# existing filter chains — verify they do not expose the Pi-hole admin page
# beyond the intended LAN.
add chain=srcnat src-address=10.0.0.0/24 action=masquerade

/interface veth
add address=10.0.0.12/24 gateway=10.0.0.1 name=veth-pihole

/interface bridge port
add bridge=Docker interface=veth-pihole

/container envs
add key=TZ name=pihole_envs value=Asia/Bangkok
# Web admin password, stored unencrypted in the router configuration (visible
# via "/container envs print" and /export); "mypassword" is a placeholder.
add key=WEBPASSWORD name=pihole_envs value=mypassword
# Runs dnsmasq as root inside the container, giving up the image's own
# privilege drop; presumably required by the RouterOS container runtime —
# confirm the container actually fails without it before keeping it.
add key=DNSMASQ_USER name=pihole_envs value=root

/container mounts
# Pi-hole configuration and dnsmasq snippets persisted on router storage so
# they survive re-creating the container.
add dst=/etc/pihole name=pihole-etc src=/pihole/etc-pihole
add dst=/etc/dnsmasq.d name=pihole-dnsmasq src=/pihole/etc-dnsmasq.d

/container
add interface=veth-pihole remote-image=pihole/pihole:latest envlist=pihole_envs mounts=pihole-etc,pihole-dnsmasq start-on-boot=yes logging=yes

22 มีนาคม 2567

cloudflare docker


container_name: tomcat9-jdk8
network name: tomcat9-jdk8_default
mapped ports (host:container): 8980:8080

Quick Tunnels

# Quick tunnel: cloudflared prints a random public trycloudflare.com URL that
# forwards straight to the target given with --url. Nothing sits in front of
# it — anyone who learns the URL reaches Tomcat — so keep it for short-lived
# testing and stop the container when done (--rm removes it on exit).

# host network: the container shares the host's network namespace and talks to
# the host-mapped port on loopback.
docker run --rm --name=cloudflared --network=host \
    cloudflare/cloudflared:latest \
    tunnel --url http://127.0.0.1:8980

# container network: joins the compose network and addresses Tomcat by service
# name on its internal port, so this path does not depend on the 8980 mapping.
# Both commands use the fixed name "cloudflared", so only one can run at a time.
docker run --rm --name=cloudflared --network=tomcat9-jdk8_default \
    cloudflare/cloudflared:latest \
    tunnel --url http://tomcat9-jdk8:8080


With a Cloudflare account


# host network
public hostname url http://127.0.0.1:8980
 
# Named tunnel tied to a Cloudflare account; the public hostname is configured
# on the Cloudflare side and targets http://127.0.0.1:8980 via the host network.
# XXXX is the tunnel token: whoever holds it can run a connector for this
# tunnel. Passed as an argument it lands in shell history and in the process
# list; cloudflared also accepts it from the TUNNEL_TOKEN environment variable,
# which can be supplied from a file with --env-file instead.
docker run --detach --rm --name=cloudflared --network=host \
    cloudflare/cloudflared:latest \
    tunnel --no-autoupdate run --token XXXX


# container network
public hostname url http://tomcat9-jdk8:8080

# Same named tunnel, but attached to the compose network so the public hostname
# targets http://tomcat9-jdk8:8080 by service name. The --token value (XXXX) is
# a credential: passing it on the command line records it in shell history and
# exposes it in the process list; prefer the TUNNEL_TOKEN environment variable
# fed from a file. --no-autoupdate keeps the image version fixed at runtime.
docker run --detach --rm --name=cloudflared --network=tomcat9-jdk8_default \
    cloudflare/cloudflared:latest \
    tunnel --no-autoupdate run --token XXXX

11 มีนาคม 2567

acme.sh with alias challenge and cloudflare api

issue domain : domain.tld
alias domain : alias-domain.tld

- set CNAME
_acme-challenge.domain.tld CNAME _acme-challenge.alias-domain.tld

- Cloudflare API token with permission to edit the DNS zone of alias-domain.tld


acme.sh command

Issue cert

# Cloudflare API token scoped to DNS edit on the alias zone only (see above).
# Exporting it puts the value in shell history and in the environment of every
# child process; acme.sh additionally saves it to account.conf under --home on
# first use, so that directory must stay readable only by the acme.sh user.
export CF_Token='xxx'

# --challenge-alias makes the DNS-01 TXT record land in alias-domain.tld (via
# the CNAME), so the token never needs rights on domain.tld's own zone.
acme.sh --issue \
    --server letsencrypt \
    --keylength ec-256 \
    --dns dns_cf \
    --challenge-alias alias-domain.tld \
    -d domain.tld \
    --home /home/user/docker/nginx/acme.sh


Install cert
# Copies the issued key and full chain into the nginx cert directory and
# records --reloadcmd in the domain's conf under --home, so the same
# "docker exec ... reload" runs again after every future renewal.
acme.sh --install-cert -d domain.tld \
    --home /home/user/docker/nginx/acme.sh \
    --key-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.key \
    --fullchain-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.crt \
    --reloadcmd 'docker exec nginx /etc/init.d/nginx reload'

# Renewal entry for cron: --cron renews only the certificates that are due and
# then runs the reloadcmd stored at install time.
acme.sh --home /home/user/docker/nginx/acme.sh --cron

acme.sh docker

Issue cert
# Issue step via the acme.sh image. The token arrives through -e on the command
# line (shell history, process list) and is saved by acme.sh into account.conf
# inside the mounted /acme.sh directory, so protect that host path like a key.
docker run --rm --interactive --tty \
    --env CF_Token='xxx' \
    --volume /home/user/docker/nginx/acme.sh:/acme.sh \
    neilpang/acme.sh --issue --server letsencrypt --keylength ec-256 \
    --dns dns_cf --challenge-alias alias-domain.tld -d domain.tld

Install cert
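# Install step via the acme.sh image. The certs volume must be mounted at the
# same container path the --key-file/--fullchain-file arguments use
# (/etc/nginx/certs); with the mount at a different path (e.g. /etc/nginx/cert)
# the files are written inside the throwaway container — or fail to write —
# and never reach the host directory nginx reads from.
# Note: the non-docker variant of this note reloads nginx; restart drops live
# connections, so reload is preferable once the config is known to be valid.
docker run --rm -it \
    -v /home/user/docker/nginx/acme.sh:/acme.sh \
    -v /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs \
    neilpang/acme.sh --install-cert -d domain.tld \
    --key-file /etc/nginx/certs/domain.tld.key \
    --fullchain-file /etc/nginx/certs/domain.tld.crt \
  && docker exec -it nginx /etc/init.d/nginx restart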

Renew cert
# Renewal via the image: --cron renews what is due and re-installs the files
# to the /etc/nginx/certs paths recorded at install time (mounted from the
# host), after which nginx is restarted. A reload would avoid dropping live
# connections.
docker run --rm --interactive --tty \
    --volume /home/user/docker/nginx/acme.sh:/acme.sh \
    --volume /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs \
    neilpang/acme.sh --cron \
  && docker exec --interactive --tty nginx /etc/init.d/nginx restart

18 กุมภาพันธ์ 2567

Mikrotik: persist the route to the WireGuard server on a dynamic WAN

Keep a route to the WireGuard server via the dynamic WAN gateway, so the tunnel endpoint stays reachable when the default route itself is set via WireGuard.
 
 
DHCP client script
 
# DHCP-client script, run on every lease event. $bound is 1 when a lease was
# obtained or renewed, and $"gateway-address" is the gateway that lease
# supplied. It keeps a host route to the WireGuard endpoint (1.2.3.4 is a
# placeholder for the peer's public address) via the physical WAN gateway, so
# the tunnel still has a path even when the default route points into it.
# The route is tagged by comment and replaced rather than accumulated; on lease
# loss it is removed so a stale gateway is not kept. distance=5 leaves room for
# a lower-distance route to win; scope=30/target-scope=10 are the usual values
# for a static route whose gateway is resolved through a connected route.
# NOTE(review): path commands are normally written "/ip route ..."; the ":ip"
# form used here should be confirmed on the target RouterOS version.
:if ($bound=1) do={
    :ip route remove [/ip route find comment="route-wireguard-wan"]
    :ip route add distance=5 gateway=$"gateway-address" dst-address="1.2.3.4/32" scope=30  target-scope=10  comment="route-wireguard-wan"
} else={
    :ip route remove [/ip route find comment="route-wireguard-wan"]
}

14 กุมภาพันธ์ 2567

Change ubuntu source list to kku mirror

Change ubuntu source list to kku mirror


# Rewrites the country mirror to the KKU mirror in place (needs root). Only the
# first match per line is replaced, which is enough for one URL per line;
# security.ubuntu.com lines are untouched. apt still verifies the signed
# Release files, so swapping the mirror does not weaken package integrity
# checks. On releases that keep their entries in
# /etc/apt/sources.list.d/ubuntu.sources this file may hold nothing to change.
sed -i 's|th.archive.ubuntu.com|mirror.kku.ac.th|' /etc/apt/sources.list

or

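# Rewrites the archive host to the KKU mirror in place (needs root). The
# optional two-letter country prefix is part of the match, because a plain
# "archive.ubuntu.com" pattern also matches inside "th.archive.ubuntu.com" and
# would yield the bogus host "th.mirror.kku.ac.th". Dots are escaped so only
# the literal hostname matches; security.ubuntu.com lines stay unchanged, and
# apt's Release signature verification still applies to the mirror's content.
# On releases that keep their entries in /etc/apt/sources.list.d/ubuntu.sources
# this file may hold nothing to change.
sed -i -E 's/([a-z][a-z]\.)?archive\.ubuntu\.com/mirror.kku.ac.th/' /etc/apt/sources.list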

20 พฤศจิกายน 2566

Mikrotik script to change the WireGuard listen port when the tunnel cannot connect

Based on RouterOS 7.12
wireguard name : wg1
port range : 13232 - 13239

/system script
# checkWireguard: on each run (scheduled once a minute below) it does nothing
# unless wg1 is running; otherwise it pings 10.10.10.1 once (presumably the
# peer's tunnel-side address — confirm), and if that single ping gets no reply
# it disables wg1, sets listen-port to 1323 followed by one random digit from
# "23456789" (so 13232-13239), re-enables it and logs the new port. The new
# port can coincide with the current one (1 in 8), in which case only the
# disable/enable cycle happens.
# NOTE(review): count=1 means one lost packet already triggers the cycle,
# which itself drops the tunnel; consider a larger count or acting only after
# consecutive failures.
# NOTE(review): the policy list grants far more than the body uses (it reads
# and sets one WireGuard interface, pings and logs): password, sensitive,
# policy, reboot, sniff, ftp and romon are not needed — trim to read,write,test
# and confirm the exact set on the target version. newPort is declared with
# :local twice; the second appears to act as an overwrite (":set newPort" is
# the clearer form).
add dont-require-permissions=no name=checkWireguard owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local wgName wg1;\r\
    \n:local newPort [:rndstr length=1 from=\"23456789\"];\r\
    \n:local newPort (\"1323\".\$newPort);\r\
    \n\r\
    \n:if ([/interface wireguard get [find name=\$wgName] running] = true) do={\r\
    \n\r\
    \n  :local pingResult [/ping count=1 10.10.10.1];\r\
    \n\r\
    \n  :if (\$pingResult = 0) do={\r\
    \n\r\
    \n    :log warning \"\$wgName connection lost. Changing listen port...\";\r\
    \n\r\
    \n    /interface wireguard set [find name=\$wgName] disabled=yes\r\
    \n    /interface wireguard set [find name=\$wgName] listen-port=\$newPort;\r\
    \n    /interface wireguard set [find name=\$wgName] disabled=no\r\
    \n\r\
    \n    :local currentPort [/interface wireguard get [find name=\$wgName] listen-port];\r\
    \n    :log warning \"WireGuard \$wgName listen port changed to \$currentPort\";\r\
    \n\r\
    \n  }\r\
    \n  \r\
    \n}"



/system scheduler
# Runs checkWireguard once a minute, starting at boot. The script is defined
# with dont-require-permissions=no, so the scheduler entry's own policy set
# (left at its default here) presumably has to cover everything the script
# requires — confirm on the target version.
add interval=1m name=checkWireguard on-event=checkWireguard start-time=startup