Network:
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1Tools:
- docker
- wireguard:
apt install wireguard - make:
apt install make
- Create a .env file based on the sample file.
- Fill in the parameters, and add the following line into the .env file.
RUNTIME_CONFIG="Production" - Execute the following command with root privilege:
venv/bin/gunicorn --bind localhost:8000 main:app
Make sure the parameters listed above are not empty. If you are not using LDAP authentication, you can just skip them.
Notices:
- You have to fill your public IP which receives the wireguard traffic from internet into the
WG_LISTEN_IPfield. - You have to create a kubernetes namespace before you use it. So as harbor project.
- DB and REDIS connection parameters should be fixed because they are containerized and listening on the loopback interface. Hence, if it is not necessary, you may not change them.
Warnings:
- Because of the usage of Wireguard in container, we have to grant container
CAP_NET_ADMINcapability. Make sure your network is well-designed or even isolated. Using some CNI plugin or firewall policies would be better. - Make sure your firewalls of judge server is well-configured, because traffic forwarding and NAT are enabled by default.