commit b95d1f22ef7759f2daf44bdb9ab7c9c1b4b7165e
Author: Pim Kunis
Date: Mon May 8 23:49:04 2023 +0200
init
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..231f274
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+roles_path=roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+remote_user = root
+
+[diff]
+always = True
diff --git a/ansible/carwash.yml b/ansible/carwash.yml
new file mode 100644
index 0000000..9f62f3b
--- /dev/null
+++ b/ansible/carwash.yml
@@ -0,0 +1,45 @@
+---
+- name: Wait for Cloud-init to finish
+ hosts: all
+ gather_facts: no
+ roles:
+ - cloudinit_wait
+
+- hosts: all
+ pre_tasks:
+ - name: Delete externally managed environment file
+ shell:
+ cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+ register: rm
+ changed_when: "rm.rc == 0"
+ failed_when: "false"
+ roles:
+ - {role: docker, tags: docker}
+ - {role: setup_apt, tags: setup_apt}
+ - {role: wireguard, tags: wireguard}
+ post_tasks:
+ - name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: false
+ state: stopped
+ - name: Copy resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc/resolv.conf
+ - name: Copy pi-hole docker compose
+ copy:
+ src: docker-compose.yml
+ dest: /root/docker-compose.yml
+ - name: Start pi-hole
+ docker_compose:
+ project_src: /root
+ pull: true
+ remove_orphans: true
+ - name: Enable routing
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: true
+ state: present
+ reload: true
diff --git a/ansible/docker-compose.yml b/ansible/docker-compose.yml
new file mode 100644
index 0000000..115e12a
--- /dev/null
+++ b/ansible/docker-compose.yml
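Review bot: Key/value spacing is inconsistent within the file: `roles_path=…`, `inventory=…`, `vault_password_file=…` and `interpreter_python=…` have no spaces around `=`, while `remote_user = root` and `always = True` do. Ansible's INI parser accepts both forms, so this is style only, but one form file-wide reads better; for example `remote_user=root` and `always=True`, or spaces added to the four `[defaults]` lines above them.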
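Review bot: The `Delete externally managed environment file` pre_task shells out to `rm` with a glob and then sets `failed_when: "false"`, so a real failure (read-only filesystem, permission error) is indistinguishable from "nothing to delete", and `changed_when: "rm.rc == 0"` has to be kept correct by hand. The `find` and `file` modules give the same result with accurate changed/failed reporting and no shell invocation, as in the rewrite below. The second play also has no `name:`, unlike the first; a line such as `- name: Provision carwash` above `hosts: all` would make `--list-tasks` output readable. A short comment on `Disable systemd-resolved` saying why the stub resolver is turned off before `resolv.conf` is replaced would help the next reader, since the reason is not visible in this file.
```yaml
  pre_tasks:
    - name: Find PEP 668 EXTERNALLY-MANAGED markers
      find:
        paths: /usr/lib
        patterns: EXTERNALLY-MANAGED
        recurse: true
        depth: 2
      register: pep668_markers
    - name: Delete externally managed environment file
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ pep668_markers.files }}"
  # … unchanged: roles and post_tasks …
```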
@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+ pihole:
+ image: pihole/pihole:latest
+ container_name: pihole
+ network_mode: "host"
+ environment:
+ TZ: 'Europe/Amsterdam'
+ WEBPASSWORD: 'admin'
+ PIHOLE_DNS_: '192.168.30.1'
+ INTERFACE: wg0
+ DNSMASQ_LISTENING: single
+ WEB_BIND_ADDR: 192.168.30.128
+ volumes:
+ - /mnt/data/pihole:/etc/pihole
+ - /mnt/data/dnsmasq:/etc/dnsmasq.d
+ restart: unless-stopped
diff --git a/ansible/inventory/host_vars/carwash.yml b/ansible/inventory/host_vars/carwash.yml
new file mode 100644
index 0000000..f1b9f90
--- /dev/null
+++ b/ansible/inventory/host_vars/carwash.yml
@@ -0,0 +1,16 @@
+wireguard_addresses:
+ - "192.168.30.128/25"
+wireguard_endpoint: "carwash.dmz"
+wireguard_port: "11946"
+wireguard_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38353430356330373934643330396233336665633536303436623261346465366135313833306161
+ 3235353865626331623266643035316264383734363736650a653531383930613631333035336336
+ 66666466663939326431343365616330346132643233306636393033343833383032326237333036
+ 6134336138346461310a366535353564363265356536643633373062626332663536343439373261
+ 39316135643430343130623939323433653338653266386437386436653537626630303563316264
+ 3765373432346531383332383235643830613439666463663832
+wireguard_unmanaged_peers:
+ pim:
+ public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+ allowed_ips: "192.168.30.129/32"
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
new file mode 100644
index 0000000..7a0bab2
--- /dev/null
+++ b/ansible/inventory/hosts.yml
@@ -0,0 +1,4 @@
+all:
+ hosts:
+ carwash:
+ ansible_host: carwash.dmz
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..62dccc8
--- /dev/null
+++ b/ansible/requirements.yml
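Review bot: `WEBPASSWORD: 'admin'` commits the pi-hole admin password in clear text, and because the playbook copies this file verbatim to `/root/docker-compose.yml` the same value lands on the host. Render it from a vaulted variable instead — copy the file with `template` and write `WEBPASSWORD: "{{ pihole_web_password }}"` — or drop the key and supply it through an untracked env file. `image: pihole/pihole:latest` combined with the playbook's `pull: true` means every run may silently upgrade pi-hole; pinning a tag or digest keeps upgrades deliberate. The top-level `version: "3"` is informational only under the Compose specification and can be removed.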
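Review bot: This file and `ansible/inventory/hosts.yml` have no `---` document-start marker, while `ansible/carwash.yml` in the same commit begins with one; yamllint reports this and the inconsistency is easiest to settle now. Holding the WireGuard private key as an inline `!vault` block is the right choice, and the address, port and public-key values are already quoted, so adding `---` as the first line of both inventory files is the only change.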
@@ -0,0 +1,11 @@
+- name: setup_apt
+ src: https://github.com/sunscrapers/ansible-role-apt.git
+ scm: git
+- name: wireguard
+ src: githubixx.ansible_role_wireguard
+- name: cloudinit_wait
+ src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
+ scm: git
+- name: docker
+ src: https://git.pim.kunis.nl/pim/ansible-role-docker
+ scm: git
diff --git a/ansible/resolv.conf b/ansible/resolv.conf
new file mode 100644
index 0000000..14b2a3d
--- /dev/null
+++ b/ansible/resolv.conf
@@ -0,0 +1 @@
+nameserver 192.168.30.1
diff --git a/ansible/util/secret-service-client.sh b/ansible/util/secret-service-client.sh
new file mode 100644
index 0000000..cd0933e
--- /dev/null
+++ b/ansible/util/secret-service-client.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault vpn`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+ read -s pass
+fi
+echo $pass
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..33b954c
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend
+
+.vault_password
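Review bot: None of the four roles carries a `version:`, so `ansible-galaxy install -r requirements.yml` fetches whatever the default branch or latest Galaxy release holds at run time; for the third-party `setup_apt` role from github.com/sunscrapers and the Galaxy `wireguard` role in particular, an upstream change reaches the host unreviewed. Pin each entry to a tag or commit, e.g. `version: "<tag-or-commit>"` under each `- name:` block, and bump the pins deliberately.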
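Review bot: `echo $pass` on the last line prints the vault password unquoted, so a value containing spaces or `*` is word-split or glob-expanded and one starting with `-n` or `-e` is taken as an echo option before Ansible sees it; `printf '%s\n' "$pass"` emits it byte-for-byte. The fallback `read -s pass` lacks `-r` (backslashes are dropped), and when no terminal is attached — a cron or CI run — it returns non-zero silently and the script then prints an empty line as the password. Reading from `/dev/tty` and checking the read's exit status makes that failure loud; the rewrite below also folds the backtick/`$?` pair into `if ! pass=$(…)`.
```bash
#!/bin/bash

# Prefer the keyring entry; fall back to prompting on the terminal.
if ! pass=$(secret-tool lookup ansible_vault vpn); then
  # -r keeps backslashes literal; /dev/tty fails loudly when no terminal is attached
  read -r -s pass < /dev/tty || exit 1
fi
printf '%s\n' "$pass"
```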
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..e69b6c9
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,25 @@
+terraform {
+ backend "pg" {
+ schema_name = "carwash"
+ conn_str = "postgres://terraform@10.42.0.1/terraform_state"
+ }
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ }
+ }
+}
+
+provider "libvirt" {
+ uri = "qemu+ssh://root@jefke.hyp/system"
+}
+
+module "carwash" {
+ source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+ name = "carwash"
+ domain_name = "tf-carwash"
+ hypervisor_host = "jefke.hyp"
+ mac = "CA:FE:C0:FF:EE:0A"
+ memory = 1024
+}
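Review bot: `conn_str` for the `pg` backend specifies no `sslmode`, so libpq's default (`prefer`) applies: the state — which Terraform stores in clear text, sensitive values included — is sent to 10.42.0.1 over plain TCP whenever TLS is not negotiated, and the server's identity is never checked; append `?sslmode=verify-full` (at minimum `require`) to the connection string. Nothing in the provider/module chain is pinned either: `dmacvicar/libvirt` has no `version` constraint, the module `source` has no `?ref=`, and `.terraform.lock.hcl` is ignored by the `.gitignore` hunk above, so each `init` may resolve to different code. Add `version = "~> <major.minor>"` to the `libvirt` entry and `?ref=<tag-or-commit>` to the module source, and consider committing the lock file.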