restructure

update readme
fix ansible role tags

README.md

@@ -1,6 +1,11 @@
 # Hermes
 
-Hermes is the VM that runs Dnsmasq for DHCP and DNS in our DMZ.
+Hermes is the virtual machine that performs DHCP and DNS on our DMZ network.
+It also acts as a SSH certificate authority.
+
+The VM is provisioned using Terraform and configured using Ansible.
+
+## Motivation
 
 The VMs on our DMZ might like to contact eachother.
 For example, one VM wants to clone a repository from the git server.
@@ -12,9 +17,9 @@ However, then the router needs to operate on the DMZ vlan, which is not ideal in
 Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code.
 
 This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server.
-Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames.
+Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses.
 Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
-Dnsmasq also overwrites the public IP address to `192.168.30.3`.
+Dnsmasq also overwrites the public IP address to `192.168.30.3` to solve the above problem.
 
 What is needed from the router:
 - Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).

ansible/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+roles_path=roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+host_key_checking = False
+
+[diff]
+always = True

ansible/hermes.yml

@@ -0,0 +1,45 @@
+---
+- hosts: all
+  gather_facts: no
+
+  pre_tasks:
+    - name: Wait for host to come up
+      tags: always
+      block:
+      - name: Wait for SSH connection
+        wait_for:
+          state: started
+          port: 22
+          host: "192.168.30.7"
+          timeout: 300
+          connect_timeout: 300
+          search_regex: OpenSSH
+        delegate_to: localhost
+      - name: Wait for cloud-init to finish
+        command:
+          cmd: cloud-init status --wait
+        register: cloudinit
+        changed_when: "'..' in cloudinit.stdout"
+      - name: Gather facts
+        setup:
+      - name: Copy resolv.conf
+        copy:
+          src: resolv.conf
+          dest: /etc/resolv.conf
+      - name: Update repositories
+        apt:
+          autoremove: true
+          upgrade: yes
+          state: latest
+          update_cache: yes
+          cache_valid_time: 86400 # One day
+      - name: Install packages
+        apt:
+          pkg:
+            - qemu-guest-agent
+            - dnsutils
+
+  roles:
+    - {role: 'dnsmasq', tags: 'dnsmasq'}
+    - {role: 'nsd', tags: 'nsd'}
+    - {role: 'ca', tags: 'ca'}

ansible/inventory/hosts.yml

@@ -0,0 +1,5 @@
+all:
+  hosts:
+    hermes:
+      ansible_user: root
+      ansible_host: 192.168.30.7

cloud_init.cfg.tftpl

@@ -1,9 +0,0 @@
-#cloud-config
-hostname: "${name}"
-manage_etc_hosts: true
-ssh_pwauth: false
-disable_root: false
-ssh_authorized_keys:
-%{ for key in admin_authorized_keys ~}
-  - "${key}"
-%{ endfor ~}

hermes.yml

@@ -1,42 +0,0 @@
----
-- hosts: all
-  gather_facts: no
-
-  pre_tasks:
-    - name: Wait for host to come up
-      wait_for:
-        state: started
-        port: 22
-        host: "192.168.30.7"
-        timeout: 300
-        connect_timeout: 300
-        search_regex: OpenSSH
-      delegate_to: localhost
-    - name: Wait for cloud-init to finish
-      command:
-        cmd: cloud-init status --wait
-      register: cloudinit
-      changed_when: "'..' in cloudinit.stdout"
-    - name: Gather facts
-      setup:
-    - name: Copy resolv.conf
-      copy:
-        src: resolv.conf
-        dest: /etc/resolv.conf
-    - name: Update repositories
-      apt:
-        autoremove: true
-        upgrade: yes
-        state: latest
-        update_cache: yes
-        cache_valid_time: 86400 # One day
-    - name: Install packages
-      apt:
-        pkg:
-          - qemu-guest-agent
-          - dnsutils
-
-  roles:
-    - dnsmasq
-    - nsd
-    - ssh

network_config.cfg.tftpl

@@ -1,9 +0,0 @@
-version: 2
-ethernets:
-  ens3:
-    dhcp4: false
-    addresses:
-      - "${internal_ip}/24"
-    routes:
-      - to: 0.0.0.0/0
-        via: 192.168.30.1

terraform/main.tf

@@ -18,23 +18,10 @@ provider "libvirt" {
   uri = "qemu+ssh://root@atlas.lan/system"
 }
 
-locals {
-  ansible_command = join(" ", [
-    "ANSIBLE_ROLES_PATH=roles",
-    "ANSIBLE_HOST_KEY_CHECKING=False",
-    "ANSIBLE_VAULT_PASSWORD_FILE=util/secret-service-client.sh",
-    "ansible-playbook",
-    "-u root",
-    "-i '192.168.30.7,'",
-    "hermes.yml"
-  ])
-}
-
 module "vm" {
   source          = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
   name            = "hermes"
   use_host_cert   = false
   fixed_address   = "192.168.30.7/24"
-  ansible_command = local.ansible_command
   mac             = "CA:FE:C0:FF:EE:07"
 }

variables.tf

@@ -1,32 +0,0 @@
-variable "name" {
-  default = "hermes"
-}
-
-variable "libvirt_endpoint" {
-  type    = string
-  default = "qemu+ssh://root@atlas.lan/system"
-}
-
-variable "admin_authorized_keys" {
-  type    = list(string)
-  default = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim",
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
-  ]
-}
-
-variable "internal_ip" {
-  default = "192.168.30.7"
-}
-
-variable "ansible_inventory" {
-  default = "ansible/inventory"
-}
-
-variable "ansible_playbook" {
-  default = "ansible/hermes.yml"
-}
-
-variable "ansible_cfg" {
-  default = "ansible/ansible.cfg"
-}