init

ansible/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+roles_path=roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+remote_user = root
+
+[diff]
+always = True

ansible/carwash.yml

@@ -0,0 +1,45 @@
+---
+- name: Wait for Cloud-init to finish
+  hosts: all
+  gather_facts: no
+  roles:
+    - cloudinit_wait
+
+- hosts: all
+  pre_tasks:
+  - name: Delete externally managed environment file
+    shell:
+      cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+    register: rm
+    changed_when: "rm.rc == 0"
+    failed_when: "false"
+  roles:
+    - {role: docker, tags: docker}
+    - {role: setup_apt, tags: setup_apt}
+    - {role: wireguard, tags: wireguard}
+  post_tasks:
+    - name: Disable systemd-resolved
+      systemd:
+        name: systemd-resolved
+        enabled: false
+        state: stopped
+    - name: Copy resolv.conf
+      copy:
+        src: resolv.conf
+        dest: /etc/resolv.conf
+    - name: Copy pi-hole docker compose
+      copy:
+        src: docker-compose.yml
+        dest: /root/docker-compose.yml
+    - name: Start pi-hole
+      docker_compose:
+        project_src: /root
+        pull: true
+        remove_orphans: true
+    - name: Enable routing
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: '1'
+        sysctl_set: true
+        state: present
+        reload: true

ansible/docker-compose.yml

@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+  pihole:
+    image: pihole/pihole:latest
+    container_name: pihole
+    network_mode: "host"
+    environment:
+      TZ: 'Europe/Amsterdam'
+      WEBPASSWORD: 'admin'
+      PIHOLE_DNS_: '192.168.30.1'
+      INTERFACE: wg0
+      DNSMASQ_LISTENING: single
+      WEB_BIND_ADDR: 192.168.30.128
+    volumes:
+      - /mnt/data/pihole:/etc/pihole
+      - /mnt/data/dnsmasq:/etc/dnsmasq.d
+    restart: unless-stopped

ansible/inventory/host_vars/carwash.yml

@@ -0,0 +1,16 @@
+wireguard_addresses:
+  - "192.168.30.128/25"
+wireguard_endpoint: "carwash.dmz"
+wireguard_port: "11946"
+wireguard_private_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38353430356330373934643330396233336665633536303436623261346465366135313833306161
+  3235353865626331623266643035316264383734363736650a653531383930613631333035336336
+  66666466663939326431343365616330346132643233306636393033343833383032326237333036
+  6134336138346461310a366535353564363265356536643633373062626332663536343439373261
+  39316135643430343130623939323433653338653266386437386436653537626630303563316264
+  3765373432346531383332383235643830613439666463663832
+wireguard_unmanaged_peers:
+  pim:
+    public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+    allowed_ips: "192.168.30.129/32"

ansible/inventory/hosts.yml

@@ -0,0 +1,4 @@
+all:
+  hosts:
+    carwash:
+      ansible_host: carwash.dmz

ansible/requirements.yml

@@ -0,0 +1,11 @@
+- name: setup_apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
+  scm: git
+- name: wireguard
+  src: githubixx.ansible_role_wireguard
+- name: cloudinit_wait
+  src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
+  scm: git
+- name: docker
+  src: https://git.pim.kunis.nl/pim/ansible-role-docker
+  scm: git

ansible/resolv.conf

@@ -0,0 +1 @@
+nameserver 192.168.30.1

ansible/util/secret-service-client.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault vpn`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+	read -s pass
+fi
+echo $pass

terraform/.gitignore

@@ -0,0 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend
+
+.vault_password

terraform/main.tf

@@ -0,0 +1,25 @@
+terraform {
+  backend "pg" {
+    schema_name = "carwash"
+    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = "qemu+ssh://root@jefke.hyp/system"
+}
+
+module "carwash" {
+  source          = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+  name            = "carwash"
+  domain_name     = "tf-carwash"
+  hypervisor_host = "jefke.hyp"
+  mac             = "CA:FE:C0:FF:EE:0A"
+  memory          = 1024
+}