From 7f8cb2967522011f0824885e5cb1fabb9ff41b10 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 9 Apr 2023 13:42:30 +0200 Subject: [PATCH 1/4] implement --- hermes.yml | 42 +++++++++++ main.tf | 104 +++++++++++++++------------ resolv.conf | 1 + roles/dnsmasq/files/dnsmasq.conf | 44 ++++++++++++ roles/dnsmasq/tasks/main.yml | 18 +++++ roles/nsd/files/nsd.conf | 26 +++++++ roles/nsd/files/zones/geokunis2.nl | 28 ++++++++ roles/nsd/files/zones/pim.kunis.nl | 22 ++++++ roles/nsd/files/zones/pizzapim.nl | 19 +++++ roles/nsd/tasks/main.yml | 18 +++++ roles/ssh/files/ca.sh | 29 ++++++++ roles/ssh/files/keys/host_ca_key | 27 +++++++ roles/ssh/files/keys/host_ca_key.pub | 1 + roles/ssh/files/keys/user_ca_key | 27 +++++++ roles/ssh/files/keys/user_ca_key.pub | 1 + roles/ssh/tasks/main.yml | 10 +++ util/secret-service-client.sh | 9 +++ 17 files changed, 379 insertions(+), 47 deletions(-) create mode 100644 hermes.yml create mode 100644 resolv.conf create mode 100644 roles/dnsmasq/files/dnsmasq.conf create mode 100644 roles/dnsmasq/tasks/main.yml create mode 100644 roles/nsd/files/nsd.conf create mode 100644 roles/nsd/files/zones/geokunis2.nl create mode 100644 roles/nsd/files/zones/pim.kunis.nl create mode 100644 roles/nsd/files/zones/pizzapim.nl create mode 100644 roles/nsd/tasks/main.yml create mode 100755 roles/ssh/files/ca.sh create mode 100644 roles/ssh/files/keys/host_ca_key create mode 100644 roles/ssh/files/keys/host_ca_key.pub create mode 100644 roles/ssh/files/keys/user_ca_key create mode 100644 roles/ssh/files/keys/user_ca_key.pub create mode 100644 roles/ssh/tasks/main.yml create mode 100755 util/secret-service-client.sh diff --git a/hermes.yml b/hermes.yml new file mode 100644 index 0000000..d6541a9 --- /dev/null +++ b/hermes.yml 
@@ -0,0 +1,42 @@ +--- +- hosts: all + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: "192.168.30.7" + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + command: + cmd: cloud-init status --wait + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + - name: Copy resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf + - name: Update repositories + apt: + autoremove: true + upgrade: yes + state: latest + update_cache: yes + cache_valid_time: 86400 # One day + - name: Install packages + apt: + pkg: + - qemu-guest-agent + - dnsutils + + roles: + - dnsmasq + - nsd + - ssh diff --git a/main.tf b/main.tf index 92c66ff..2eb6257 100644 --- a/main.tf +++ b/main.tf @@ -1,6 +1,7 @@ terraform { backend "pg" { schema_name = "dmz_dns" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" } required_providers { 
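Review bot: The target address is hard-coded as `host: "192.168.30.7"` in the wait_for task and repeated in main.tf's `fixed_address` and inventory string in this same commit, so the three copies can drift independently. Passing it once from Terraform, e.g. `host: "{{ internal_ip }}"` with `-e internal_ip=192.168.30.7` appended to `ansible_command`, keeps a single source of truth. The `changed_when: "'..' in cloudinit.stdout"` heuristic is also undocumented; if the intent is that `cloud-init status --wait` prints dots only while it is still waiting (I am inferring that), a comment such as `# cloud-init prints dots while waiting; no dots means it had already finished` would save the next reader a trip to the man page.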
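Review bot: The new `conn_str = "postgres://terraform@10.42.0.1/terraform_state"` carries no `sslmode`, so libpq's default (prefer) silently falls back to a cleartext connection if the server does not offer TLS, and the state, which already embeds the full ansible command line and any future sensitive outputs, travels unencrypted. If the state server has a certificate, append `?sslmode=verify-full`; otherwise leave a comment stating why plaintext on that network is acceptable. Supplying the string through the `PG_CONN_STR` environment variable instead of committing it would also keep any credentials added later out of the repository.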
@@ -14,54 +15,63 @@ terraform { } provider "libvirt" { - uri = var.libvirt_endpoint + uri = "qemu+ssh://root@atlas.lan/system" } -resource "libvirt_volume" "main_disk" { - name = "${var.name}.iso" - pool = "disk" - size = 1024 * 1024 * 1024 * 15 - base_volume_name = "debian-bookworm.qcow2" - base_volume_pool = "iso" +module "vm" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "hermes" + use_host_cert = false + fixed_address = "192.168.30.7/24" + ansible_command = "ANSIBLE_ROLES_PATH=roles ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u root -i '192.168.30.7,' hermes.yml" + mac = "CA:FE:C0:FF:EE:07" } -resource "libvirt_cloudinit_disk" "cloudinit" { - name = "${var.name}.iso" - pool = "init" - user_data = templatefile("cloud_init.cfg.tftpl", { name = var.name, admin_authorized_keys = var.admin_authorized_keys }) - network_config = templatefile("network_config.cfg.tftpl", { internal_ip = var.internal_ip }) -} - -resource "libvirt_domain" "ubuntu" { - name = var.name - memory = 1024 - vcpu = 4 - autostart = true - - disk { - volume_id = libvirt_volume.main_disk.id - } - - network_interface { - bridge = "dmzbr" - hostname = var.name - mac = "CA:FE:C0:FF:EE:07" - } - - cloudinit = libvirt_cloudinit_disk.cloudinit.id - - provisioner "local-exec" { - command = "ansible-playbook -e internal_ip=${var.internal_ip} -T 60 -u root -i ${var.ansible_inventory} ${var.ansible_playbook}" - - environment = { - ANSIBLE_HOST_KEY_CHECKING = "False" - ANSIBLE_CONFIG = "${var.ansible_cfg}" - } - } - - lifecycle { - replace_triggered_by = [ - libvirt_cloudinit_disk.cloudinit.id - ] - } -} +# resource "libvirt_volume" "main_disk" { +# name = "${var.name}.iso" +# pool = "disk" +# size = 1024 * 1024 * 1024 * 15 +# base_volume_name = "debian-bookworm.qcow2" +# base_volume_pool = "iso" +# } +# +# resource "libvirt_cloudinit_disk" "cloudinit" { +# name = "${var.name}.iso" +# pool = "init" +# user_data = templatefile("cloud_init.cfg.tftpl", { name = var.name, 
admin_authorized_keys = var.admin_authorized_keys }) +# network_config = templatefile("network_config.cfg.tftpl", { internal_ip = var.internal_ip }) +# } +# +# resource "libvirt_domain" "ubuntu" { +# name = var.name +# memory = 1024 +# vcpu = 4 +# autostart = true +# +# disk { +# volume_id = libvirt_volume.main_disk.id +# } +# +# network_interface { +# bridge = "dmzbr" +# hostname = var.name +# mac = "CA:FE:C0:FF:EE:07" +# } +# +# cloudinit = libvirt_cloudinit_disk.cloudinit.id +# +# provisioner "local-exec" { +# command = "ansible-playbook -e internal_ip=${var.internal_ip} -T 60 -u root -i ${var.ansible_inventory} ${var.ansible_playbook}" +# +# environment = { +# ANSIBLE_HOST_KEY_CHECKING = "False" +# ANSIBLE_CONFIG = "${var.ansible_cfg}" +# } +# } +# +# lifecycle { +# replace_triggered_by = [ +# libvirt_cloudinit_disk.cloudinit.id +# ] +# } +# } diff --git a/resolv.conf b/resolv.conf new file mode 100644 index 0000000..14b2a3d --- /dev/null +++ b/resolv.conf @@ -0,0 +1 @@ +nameserver 192.168.30.1 diff --git a/roles/dnsmasq/files/dnsmasq.conf b/roles/dnsmasq/files/dnsmasq.conf new file mode 100644 index 0000000..b9c5323 --- /dev/null +++ b/roles/dnsmasq/files/dnsmasq.conf 
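Review bot: `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"` has no `?ref=`, so every `terraform init` fetches the module's default-branch head and a change there silently changes what this root module deploys; pin it, e.g. `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian?ref=<tag-or-commit>"`. The `ansible_command` line also sets `ANSIBLE_HOST_KEY_CHECKING=False` while `use_host_cert = false`, and the play it runs copies the SSH CA private keys into /root/.ssh on the VM, so the first connection is made without verifying who is on the other end; if that is accepted because the address is only reachable on the DMZ, a comment on the line stating that assumption would let a later reader judge whether it still holds. What the module does with `ansible_command` is not visible here, so this is inferred from the command string itself.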
@@ -0,0 +1,44 @@ +# Disable /etc/resolv.conf +no-resolv +# Upstream DNS server +server=192.168.30.1 +# Always serve .dmz locally +local=/dmz/ +# Put all clients in the dmz domain +dhcp-fqdn +# Don't read /etc/hosts +no-hosts +# Domain is automatically added to if missing +expand-hosts +# Domain that is used for DHCP on this network +domain=dmz +# IPv4 DHCP range +dhcp-range=192.168.30.100,192.168.30.200,15m +# Predefined DHCP hosts +dhcp-host=b8:27:eb:b9:ab:e2,esrom +dhcp-host=b4:2e:99:77:1b:da,max,192.168.30.3 +dhcp-host=d8:5e:d3:47:33:6e,lewis +# Advertise router +dhcp-option=3,192.168.30.1 +# Always send the IPv6 DNS server address (this machine) +dhcp-option=option6:dns-server,[2a02:58:19a:f730::1] +# Advertise SLAAC for the given prefix +dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names +# Do not advertise default gateway via DHCPv6 +ra-param=*,0,0 +# Alias public IP address to local +alias=84.245.14.149,192.168.30.3 +# Override DNS servers for our domains +server=/pizzapim.nl/192.168.30.7 +server=/geokunis2.nl/192.168.30.7 +server=/pim.kunis.nl/192.168.30.7 +# Enable extended logging +log-dhcp +log-queries +# Resolve dns.dmz to addresses on main NIC +interface-name=hermes.dmz,ens3 +# Non-conventional port because we also run nsd on this machine +port=5353 +# Override addresses of name servers +address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7 +address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..405be6c --- /dev/null +++ b/roles/dnsmasq/tasks/main.yml 
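Review bot: The comment `# Resolve dns.dmz to addresses on main NIC` does not match the directive under it, `interface-name=hermes.dmz,ens3`; either the comment or the name is stale and a reader cannot tell which. Similarly `# Always send the IPv6 DNS server address (this machine)` precedes `dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]`, whereas the address this file assigns to the machine's own name servers is `2a02:58:19a:f730:c8fe:c0ff:feff:ee07`, so `::1` looks like the router rather than this host; please confirm and correct whichever side is wrong. `log-queries` records every lookup from every DMZ client in the journal; if it is only wanted while bringing the service up, say so, e.g. `# Enable extended logging (debug only; logs every client query)`.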
@@ -0,0 +1,18 @@ +- name: Install dnsmasq + apt: + name: dnsmasq +- name: Disable systemd-resolved + systemd: + name: systemd-resolved + enabled: false + state: stopped +- name: Copy dnsmasq configuration + copy: + src: "{{ role_path }}/files/dnsmasq.conf" + dest: "/etc/dnsmasq.conf" + register: config +- name: Enable dnsmasq + systemd: + name: dnsmasq + enabled: true + state: "{{ 'restarted' if config.changed else 'started' }}" diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf new file mode 100644 index 0000000..50939a3 --- /dev/null +++ b/roles/nsd/files/nsd.conf @@ -0,0 +1,26 @@ +server: + ip-address: ens3 + port: 53 + server-count: 1 + verbosity: 1 + hide-version: yes + zonesdir: "/etc/nsd/zones" + ip-transparent: yes + ip-freebind: yes + +zone: + name: pim.kunis.nl + zonefile: pim.kunis.nl + +zone: + name: pizzapim.nl + zonefile: pizzapim.nl + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY + + +zone: + name: geokunis2.nl + zonefile: geokunis2.nl + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl new file mode 100644 index 0000000..4c934b0 --- /dev/null +++ b/roles/nsd/files/zones/geokunis2.nl 
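Review bot: The `Copy dnsmasq configuration` task writes /etc/dnsmasq.conf and the next task restarts the daemon on change, so a syntax error in the file takes DNS and DHCP for the DMZ down until someone notices; `copy` supports `validate: dnsmasq --test --conf-file=%s`, which rejects the change before the restart happens. The same applies to the nsd role's `Copy nsd.conf` task later in this series, where `validate: nsd-checkconf %s` does the same job. Replacing `state: "{{ 'restarted' if config.changed else 'started' }}"` with `notify` and a restart handler would be the conventional Ansible shape, but that is a style preference rather than a defect.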
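Review bot: Both `provide-xfr: 87.253.155.96/27 NOKEY` and `provide-xfr: 157.97.168.160/27 NOKEY` permit zone transfers to those ranges authenticated by source address alone; if the secondary operator supports TSIG, a `key:` block plus `provide-xfr: 87.253.155.96/27 <key-name>` ties the transfer to a shared secret instead. Neither transferred zone has a `notify:` entry, so after a zone change the secondaries only catch up at the SOA refresh interval, which the zone files set to 1800 seconds; `notify: <secondary-ip> NOKEY` (or the TSIG key name) pushes the update immediately. Both suggestions depend on what the secondary provider accepts, which is not visible here.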
@@ -0,0 +1,28 @@ +$ORIGIN geokunis2.nl. +$TTL 60 + +geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023031700 1800 3600 1209600 3600 + NS ns.geokunis2.nl. + NS ns0.transip.net. + NS ns1.transip.nl. + NS ns2.transip.eu. + A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +; MX 0 . +; TXT "v=spf1 -all" + CAA 0 issue "letsencrypt.org" +mail IN A 84.245.14.149 + MX 10 mail.geokunis2.nl +jenl IN A 217.123.41.225 +wg IN A 84.245.14.149 +wg IN AAAA 2a02:58:1:e::1afb +wg4 IN A 84.245.14.149 +wg6 IN AAAA 2a02:58:1:e::1afb +kms IN A 84.245.14.149 +files IN A 84.245.14.149 +files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" +ns A 84.245.14.149 + AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 +cyberchef IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl new file mode 100644 index 0000000..f708508 --- /dev/null +++ b/roles/nsd/files/zones/pim.kunis.nl @@ -0,0 +1,22 @@ +$ORIGIN pim.kunis.nl. +$TTL 60 + +pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600 + + NS ns.pim.kunis.nl. + A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda + TXT "v=spf1 ~all" + +_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" + +www IN A 84.245.14.149 + IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +ns IN A 84.245.14.149 + IN AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 + +social IN CNAME www.pim.kunis.nl. +dav IN CNAME www.pim.kunis.nl. +git IN CNAME www.pim.kunis.nl. +meet IN CNAME www.pim.kunis.nl. +rss IN CNAME www.pim.kunis.nl. diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl new file mode 100644 index 0000000..22eeb2a --- /dev/null +++ b/roles/nsd/files/zones/pizzapim.nl 
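Review bot: `MX 10 mail.geokunis2.nl` has no trailing dot, and under `$ORIGIN geokunis2.nl.` the target is relative, so the record resolves to `mail.geokunis2.nl.geokunis2.nl.`; the line should read `MX 10 mail.geokunis2.nl.`. Because the owner column is blank, the record also inherits the preceding owner `mail`, i.e. it is an MX for mail.geokunis2.nl rather than for the apex, whose MX is left commented out as `; MX 0 .`; please confirm that is intended. The line is syntactically valid, so a zone checker will not flag it; querying the MX of mail.geokunis2.nl against the server after deployment is the quickest confirmation.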
@@ -0,0 +1,19 @@ +$ORIGIN pizzapim.nl. +$TTL 60 + +pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600 + + NS ns.pizzapim.nl. + NS ns0.transip.net. + NS ns1.transip.nl. + NS ns2.transip.eu. + A 84.245.14.149 + TXT "v=spf1 ~all" + CAA 0 issue "letsencrypt.org" + +_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" + +social IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +ns IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml new file mode 100644 index 0000000..39d1547 --- /dev/null +++ b/roles/nsd/tasks/main.yml @@ -0,0 +1,18 @@ +- name: Install nsd + apt: + name: nsd +- name: Copy nsd.conf + copy: + src: "{{ role_path }}/files/nsd.conf" + dest: /etc/nsd/nsd.conf + register: config +- name: Copy zone directory + copy: + src: "{{ role_path }}/files/zones" + dest: /etc/nsd + register: zones +- name: Enable nsd + systemd: + name: nsd + enabled: true + state: "{{ 'restarted' if config.changed or zones.changed else 'started' }}" diff --git a/roles/ssh/files/ca.sh b/roles/ssh/files/ca.sh new file mode 100755 index 0000000..0a4db50 --- /dev/null +++ b/roles/ssh/files/ca.sh @@ -0,0 +1,29 @@ +#!/bin/bash +set -euo pipefail +IFS=$'\n\t' + +HOSTCAKEY=/root/.ssh/host_ca_key +USERCAKEY=/root/.ssh/user_ca_key + +host() { + PUBKEY="$2" + HOST="$3" + + echo "$PUBKEY" > /tmp/"$HOST".pub + ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" /tmp/"$HOST".pub + cat /tmp/"$HOST"-cert.pub + rm /tmp/"$HOST"*.pub +} + +user() { + PUBKEY="$2" + HOST="$3" + PRINCIPALS="$4" + + echo "$PUBKEY" > /tmp/"$HOST".pub + ssh-keygen -s "$USERCAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" /tmp/"$HOST".pub + cat /tmp/"$HOST"-cert.pub + rm /tmp/"$HOST"*.pub +} + +"$1" "$@" diff --git a/roles/ssh/files/keys/host_ca_key b/roles/ssh/files/keys/host_ca_key new file mode 100644 index 0000000..9942088 --- /dev/null 
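Review bot: Both `host()` and `user()` call ssh-keygen without `-V`, so the certificates they issue never expire and a leaked host or user key stays trusted until the CA itself is rotated; add a bounded validity such as `-V -5m:+52w` (the interval is an example to be set by policy). They also stage the public key at the predictable path `/tmp/"$HOST".pub` in a world-writable directory and clean up with the glob `rm /tmp/"$HOST"*.pub`; a private `mktemp -d` directory removed by an EXIT trap avoids both the race and the glob. Finally `"$1" "$@"` dispatches to any command named by the first argument, not just the two functions, so a typo runs an unrelated program with the remaining arguments; a `case` on `$1` limits it to `host` and `user`. The rewrite below shows `host()` and the dispatcher; `user()` gets the same treatment.
```shell
# … unchanged: set -euo pipefail, IFS, HOSTCAKEY/USERCAKEY …
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

host() {
  PUBKEY="$2"
  HOST="$3"

  echo "$PUBKEY" > "$WORKDIR/$HOST.pub"
  # -V bounds the certificate lifetime; interval is an example, set per policy
  ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" -V "-5m:+52w" "$WORKDIR/$HOST.pub"
  cat "$WORKDIR/$HOST-cert.pub"
}

# … unchanged: user(), with the same $WORKDIR and -V changes …

case "${1:-}" in
  host|user) "$1" "$@" ;;
  *) echo "usage: $0 host|user ..." >&2; exit 64 ;;
esac
```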
+++ b/roles/ssh/files/keys/host_ca_key @@ -0,0 +1,27 @@ +$ANSIBLE_VAULT;1.1;AES256 +65393830356161326338323139306466316362303835393833383633363431303639393835666538 +6639653036666261363236393832343236656531633261360a333664363033356432386439336630 +65336333666662633635316565363366353530653831383937616566386165346663393938386530 +3233613134343331350a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diff --git a/roles/ssh/files/keys/host_ca_key.pub b/roles/ssh/files/keys/host_ca_key.pub new file mode 100644 index 0000000..4a19643 --- /dev/null +++ b/roles/ssh/files/keys/host_ca_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ diff --git a/roles/ssh/files/keys/user_ca_key b/roles/ssh/files/keys/user_ca_key new file mode 100644 index 0000000..cf8ef0c --- /dev/null +++ b/roles/ssh/files/keys/user_ca_key @@ -0,0 +1,27 @@ +$ANSIBLE_VAULT;1.1;AES256 +36306261333262396466633565653163323239396630653031343331653337376433356461613064 +3333316136343033396131356638666661623464333333310a636264616339363366386633663965 +64336437316366333363396162376337653537376365306638316166663437643731613935353137 +6138306232396134310a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diff --git a/roles/ssh/files/keys/user_ca_key.pub b/roles/ssh/files/keys/user_ca_key.pub new file mode 100644 index 0000000..71ab782 --- /dev/null +++ b/roles/ssh/files/keys/user_ca_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml new file mode 100644 index 0000000..20a992e --- /dev/null +++ b/roles/ssh/tasks/main.yml @@ -0,0 +1,10 @@ +- name: Copy ca.sh + copy: + src: "{{ role_path }}/files/ca.sh" + dest: /root/ca.sh + mode: 755 +- name: Copy keys + copy: + src: "{{ role_path }}/files/keys/" + dest: /root/.ssh/ + mode: preserve 
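Review bot: `mode: 755` in `Copy ca.sh` is a YAML integer, which Ansible reads as decimal 755 (octal 1363), not as rwxr-xr-x; write it as a quoted octal string, `mode: '0755'`. The `Copy keys` task uses `mode: preserve` for the two CA private keys, so on the VM they keep whatever mode the files have in the checkout, and because `copy` decrypts vault-encrypted sources by default the decrypted private keys land in /root/.ssh with that mode; set `mode: '0600'` explicitly (the .pub files tolerate it). Nothing creates or tightens `/root/.ssh/` itself; if the role is meant to own that directory, a `file` task with `state: directory` and `mode: '0700'` should precede the copy.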
diff --git a/util/secret-service-client.sh b/util/secret-service-client.sh
new file mode 100755
index 0000000..5743a9d
--- /dev/null
+++ b/util/secret-service-client.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault hermes`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+ read -s pass
+fi
+echo $pass
--
2.45.2

From bf7fc89e18492b1d0fc072b9b67eb1d4ded4283c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 9 Apr 2023 14:36:45 +0200
Subject: [PATCH 2/4] fix ansible vault password

---
main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 2eb6257..ef8947b 100644
--- a/main.tf
+++ b/main.tf
@@ -23,7 +23,7 @@ module "vm" {
 name = "hermes"
 use_host_cert = false
 fixed_address = "192.168.30.7/24"
- ansible_command = "ANSIBLE_ROLES_PATH=roles ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u root -i '192.168.30.7,' hermes.yml"
+ ansible_command = "ANSIBLE_ROLES_PATH=roles ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_VAULT_PASSWORD_FILE=util/secret-service-client.sh ansible-playbook -u root -i '192.168.30.7,' hermes.yml"
 mac = "CA:FE:C0:FF:EE:07"
 }
--
2.45.2

From dd9345b8d9481288a8cd57517488e35315b7b52e Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 9 Apr 2023 19:29:18 +0200
Subject: [PATCH 3/4] remove comments

---
main.tf | 49 -------------------------------------------------
1 file changed, 49 deletions(-)

diff --git a/main.tf b/main.tf
index ef8947b..4bd908d 100644
--- a/main.tf
+++ b/main.tf
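Review bot: `echo $pass` is unquoted, so a password containing spaces, `*`, or a leading `-n`/`-e` is word-split, glob-expanded, or consumed as an echo option before it reaches ansible-vault; use `printf '%s\n' "$pass"`. The fallback `read -s pass` should be `read -rs pass` so backslashes in a typed password are kept literally, and a prompt on stderr would make the silent wait less confusing when `secret-tool` fails. Prefer `$(...)` over the backtick substitution on the `pass=` line for readability; behaviour is the same.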
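Review bot: `ANSIBLE_VAULT_PASSWORD_FILE=util/secret-service-client.sh` is relative to whatever working directory the module uses when it runs `ansible_command`, which is not visible in this repository; if that is not the root module's directory, the vault password lookup fails the first time a vaulted file is touched. Anchoring it from Terraform, `ANSIBLE_VAULT_PASSWORD_FILE=${path.module}/util/secret-service-client.sh`, removes the dependency on the caller's cwd. The bare `hermes.yml` and `ANSIBLE_ROLES_PATH=roles` on the same line have the same dependency.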
@@ -26,52 +26,3 @@ module "vm" { ansible_command = "ANSIBLE_ROLES_PATH=roles ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_VAULT_PASSWORD_FILE=util/secret-service-client.sh ansible-playbook -u root -i '192.168.30.7,' hermes.yml" mac = "CA:FE:C0:FF:EE:07" } - -# resource "libvirt_volume" "main_disk" { -# name = "${var.name}.iso" -# pool = "disk" -# size = 1024 * 1024 * 1024 * 15 -# base_volume_name = "debian-bookworm.qcow2" -# base_volume_pool = "iso" -# } -# -# resource "libvirt_cloudinit_disk" "cloudinit" { -# name = "${var.name}.iso" -# pool = "init" -# user_data = templatefile("cloud_init.cfg.tftpl", { name = var.name, admin_authorized_keys = var.admin_authorized_keys }) -# network_config = templatefile("network_config.cfg.tftpl", { internal_ip = var.internal_ip }) -# } -# -# resource "libvirt_domain" "ubuntu" { -# name = var.name -# memory = 1024 -# vcpu = 4 -# autostart = true -# -# disk { -# volume_id = libvirt_volume.main_disk.id -# } -# -# network_interface { -# bridge = "dmzbr" -# hostname = var.name -# mac = "CA:FE:C0:FF:EE:07" -# } -# -# cloudinit = libvirt_cloudinit_disk.cloudinit.id -# -# provisioner "local-exec" { -# command = "ansible-playbook -e internal_ip=${var.internal_ip} -T 60 -u root -i ${var.ansible_inventory} ${var.ansible_playbook}" -# -# environment = { -# ANSIBLE_HOST_KEY_CHECKING = "False" -# ANSIBLE_CONFIG = "${var.ansible_cfg}" -# } -# } -# -# lifecycle { -# replace_triggered_by = [ -# libvirt_cloudinit_disk.cloudinit.id -# ] -# } -# } -- 2.45.2 From 3826ceb6a32daee4244790eff7ecead8c695053d Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sun, 9 Apr 2023 19:31:06 +0200 Subject: [PATCH 4/4] remove old ansible code --- ansible/ansible.cfg | 8 ---- ansible/hermes.yml | 42 ------------------- ansible/inventory/host_vars/hermes.yml | 1 - ansible/inventory/hosts.yml | 6 --- ansible/resolv.conf | 1 - ansible/roles/dnsmasq/files/dnsmasq.conf | 44 -------------------- ansible/roles/dnsmasq/tasks/main.yml | 18 -------- ansible/roles/nsd/files/nsd.conf | 26 ------------ ansible/roles/nsd/files/zones/geokunis2.nl | 28 ------------- ansible/roles/nsd/files/zones/pim.kunis.nl | 22 ---------- ansible/roles/nsd/files/zones/pizzapim.nl | 19 --------- ansible/roles/nsd/tasks/main.yml | 18 -------- ansible/roles/ssh/files/ca.sh | 29 ------------- ansible/roles/ssh/files/keys/host_ca_key | 27 ------------ ansible/roles/ssh/files/keys/host_ca_key.pub | 1 - ansible/roles/ssh/files/keys/user_ca_key | 27 ------------ ansible/roles/ssh/files/keys/user_ca_key.pub | 1 - ansible/roles/ssh/tasks/main.yml | 10 ----- ansible/util/secret-service-client.sh | 9 ---- 19 files changed, 337 deletions(-) delete mode 100644 ansible/ansible.cfg delete mode 100644 ansible/hermes.yml delete mode 100644 ansible/inventory/host_vars/hermes.yml delete mode 100644 ansible/inventory/hosts.yml delete mode 100644 ansible/resolv.conf delete mode 100644 ansible/roles/dnsmasq/files/dnsmasq.conf delete mode 100644 ansible/roles/dnsmasq/tasks/main.yml delete mode 100644 ansible/roles/nsd/files/nsd.conf delete mode 100644 ansible/roles/nsd/files/zones/geokunis2.nl delete mode 100644 ansible/roles/nsd/files/zones/pim.kunis.nl delete mode 100644 ansible/roles/nsd/files/zones/pizzapim.nl delete mode 100644 ansible/roles/nsd/tasks/main.yml delete mode 100755 ansible/roles/ssh/files/ca.sh delete mode 100644 ansible/roles/ssh/files/keys/host_ca_key delete mode 100644 ansible/roles/ssh/files/keys/host_ca_key.pub delete mode 100644 ansible/roles/ssh/files/keys/user_ca_key delete mode 100644 ansible/roles/ssh/files/keys/user_ca_key.pub 
delete mode 100644 ansible/roles/ssh/tasks/main.yml delete mode 100755 ansible/util/secret-service-client.sh diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg deleted file mode 100644 index 56c7e01..0000000 --- a/ansible/ansible.cfg +++ /dev/null @@ -1,8 +0,0 @@ -[defaults] -roles_path=roles -inventory=inventory -interpreter_python=/usr/bin/python3 -vault_password_file=util/secret-service-client.sh - -[diff] -always = True diff --git a/ansible/hermes.yml b/ansible/hermes.yml deleted file mode 100644 index 3e90e95..0000000 --- a/ansible/hermes.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- hosts: all - gather_facts: no - - pre_tasks: - - name: Wait for host to come up - wait_for: - state: started - port: 22 - host: "{{ internal_ip }}" - timeout: 300 - connect_timeout: 300 - search_regex: OpenSSH - delegate_to: localhost - - name: Wait for cloud-init to finish - command: - cmd: cloud-init status --wait - register: cloudinit - changed_when: "'..' in cloudinit.stdout" - - name: Gather facts - setup: - - name: Copy resolv.conf - copy: - src: resolv.conf - dest: /etc/resolv.conf - - name: Update repositories - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 # One day - - name: Install packages - apt: - pkg: - - qemu-guest-agent - - dnsutils - - roles: - - dnsmasq - - nsd - - ssh diff --git a/ansible/inventory/host_vars/hermes.yml b/ansible/inventory/host_vars/hermes.yml deleted file mode 100644 index 73ada3f..0000000 --- a/ansible/inventory/host_vars/hermes.yml +++ /dev/null @@ -1 +0,0 @@ -internal_ip: 192.168.30.7 diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml deleted file mode 100644 index a09a9b6..0000000 --- a/ansible/inventory/hosts.yml +++ /dev/null @@ -1,6 +0,0 @@ -all: - hosts: - hermes: - ansible_connection: ssh - ansible_user: root - ansible_host: 192.168.30.7 diff --git a/ansible/resolv.conf b/ansible/resolv.conf deleted file mode 100644 index 14b2a3d..0000000 
--- a/ansible/resolv.conf +++ /dev/null @@ -1 +0,0 @@ -nameserver 192.168.30.1 diff --git a/ansible/roles/dnsmasq/files/dnsmasq.conf b/ansible/roles/dnsmasq/files/dnsmasq.conf deleted file mode 100644 index b9c5323..0000000 --- a/ansible/roles/dnsmasq/files/dnsmasq.conf +++ /dev/null @@ -1,44 +0,0 @@ -# Disable /etc/resolv.conf -no-resolv -# Upstream DNS server -server=192.168.30.1 -# Always serve .dmz locally -local=/dmz/ -# Put all clients in the dmz domain -dhcp-fqdn -# Don't read /etc/hosts -no-hosts -# Domain is automatically added to if missing -expand-hosts -# Domain that is used for DHCP on this network -domain=dmz -# IPv4 DHCP range -dhcp-range=192.168.30.100,192.168.30.200,15m -# Predefined DHCP hosts -dhcp-host=b8:27:eb:b9:ab:e2,esrom -dhcp-host=b4:2e:99:77:1b:da,max,192.168.30.3 -dhcp-host=d8:5e:d3:47:33:6e,lewis -# Advertise router -dhcp-option=3,192.168.30.1 -# Always send the IPv6 DNS server address (this machine) -dhcp-option=option6:dns-server,[2a02:58:19a:f730::1] -# Advertise SLAAC for the given prefix -dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names -# Do not advertise default gateway via DHCPv6 -ra-param=*,0,0 -# Alias public IP address to local -alias=84.245.14.149,192.168.30.3 -# Override DNS servers for our domains -server=/pizzapim.nl/192.168.30.7 -server=/geokunis2.nl/192.168.30.7 -server=/pim.kunis.nl/192.168.30.7 -# Enable extended logging -log-dhcp -log-queries -# Resolve dns.dmz to addresses on main NIC -interface-name=hermes.dmz,ens3 -# Non-conventional port because we also run nsd on this machine -port=5353 -# Override addresses of name servers -address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7 -address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/ansible/roles/dnsmasq/tasks/main.yml b/ansible/roles/dnsmasq/tasks/main.yml deleted file mode 100644 index 405be6c..0000000 --- a/ansible/roles/dnsmasq/tasks/main.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -- name: Install dnsmasq - apt: - name: dnsmasq -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy dnsmasq configuration - copy: - src: "{{ role_path }}/files/dnsmasq.conf" - dest: "/etc/dnsmasq.conf" - register: config -- name: Enable dnsmasq - systemd: - name: dnsmasq - enabled: true - state: "{{ 'restarted' if config.changed else 'started' }}" diff --git a/ansible/roles/nsd/files/nsd.conf b/ansible/roles/nsd/files/nsd.conf deleted file mode 100644 index 50939a3..0000000 --- a/ansible/roles/nsd/files/nsd.conf +++ /dev/null @@ -1,26 +0,0 @@ -server: - ip-address: ens3 - port: 53 - server-count: 1 - verbosity: 1 - hide-version: yes - zonesdir: "/etc/nsd/zones" - ip-transparent: yes - ip-freebind: yes - -zone: - name: pim.kunis.nl - zonefile: pim.kunis.nl - -zone: - name: pizzapim.nl - zonefile: pizzapim.nl - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY - - -zone: - name: geokunis2.nl - zonefile: geokunis2.nl - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY diff --git a/ansible/roles/nsd/files/zones/geokunis2.nl b/ansible/roles/nsd/files/zones/geokunis2.nl deleted file mode 100644 index 4c934b0..0000000 --- a/ansible/roles/nsd/files/zones/geokunis2.nl +++ /dev/null 
@@ -1,28 +0,0 @@ -$ORIGIN geokunis2.nl. -$TTL 60 - -geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023031700 1800 3600 1209600 3600 - NS ns.geokunis2.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -; MX 0 . -; TXT "v=spf1 -all" - CAA 0 issue "letsencrypt.org" -mail IN A 84.245.14.149 - MX 10 mail.geokunis2.nl -jenl IN A 217.123.41.225 -wg IN A 84.245.14.149 -wg IN AAAA 2a02:58:1:e::1afb -wg4 IN A 84.245.14.149 -wg6 IN AAAA 2a02:58:1:e::1afb -kms IN A 84.245.14.149 -files IN A 84.245.14.149 -files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" -ns A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 -cyberchef IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/ansible/roles/nsd/files/zones/pim.kunis.nl b/ansible/roles/nsd/files/zones/pim.kunis.nl deleted file mode 100644 index f708508..0000000 --- a/ansible/roles/nsd/files/zones/pim.kunis.nl +++ /dev/null @@ -1,22 +0,0 @@ -$ORIGIN pim.kunis.nl. -$TTL 60 - -pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600 - - NS ns.pim.kunis.nl. - A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda - TXT "v=spf1 ~all" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -www IN A 84.245.14.149 - IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -ns IN A 84.245.14.149 - IN AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 - -social IN CNAME www.pim.kunis.nl. -dav IN CNAME www.pim.kunis.nl. -git IN CNAME www.pim.kunis.nl. -meet IN CNAME www.pim.kunis.nl. -rss IN CNAME www.pim.kunis.nl. diff --git a/ansible/roles/nsd/files/zones/pizzapim.nl b/ansible/roles/nsd/files/zones/pizzapim.nl deleted file mode 100644 index 22eeb2a..0000000 --- a/ansible/roles/nsd/files/zones/pizzapim.nl +++ /dev/null 
@@ -1,19 +0,0 @@ -$ORIGIN pizzapim.nl. -$TTL 60 - -pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600 - - NS ns.pizzapim.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - TXT "v=spf1 ~all" - CAA 0 issue "letsencrypt.org" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -social IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -ns IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/ansible/roles/nsd/tasks/main.yml b/ansible/roles/nsd/tasks/main.yml deleted file mode 100644 index 39d1547..0000000 --- a/ansible/roles/nsd/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Install nsd - apt: - name: nsd -- name: Copy nsd.conf - copy: - src: "{{ role_path }}/files/nsd.conf" - dest: /etc/nsd/nsd.conf - register: config -- name: Copy zone directory - copy: - src: "{{ role_path }}/files/zones" - dest: /etc/nsd - register: zones -- name: Enable nsd - systemd: - name: nsd - enabled: true - state: "{{ 'restarted' if config.changed or zones.changed else 'started' }}" diff --git a/ansible/roles/ssh/files/ca.sh b/ansible/roles/ssh/files/ca.sh deleted file mode 100755 index 0a4db50..0000000 --- a/ansible/roles/ssh/files/ca.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -set -euo pipefail -IFS=$'\n\t' - -HOSTCAKEY=/root/.ssh/host_ca_key -USERCAKEY=/root/.ssh/user_ca_key - -host() { - PUBKEY="$2" - HOST="$3" - - echo "$PUBKEY" > /tmp/"$HOST".pub - ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" /tmp/"$HOST".pub - cat /tmp/"$HOST"-cert.pub - rm /tmp/"$HOST"*.pub -} - -user() { - PUBKEY="$2" - HOST="$3" - PRINCIPALS="$4" - - echo "$PUBKEY" > /tmp/"$HOST".pub - ssh-keygen -s "$USERCAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" /tmp/"$HOST".pub - cat /tmp/"$HOST"-cert.pub - rm /tmp/"$HOST"*.pub -} - -"$1" "$@" 
diff --git a/ansible/roles/ssh/files/keys/host_ca_key b/ansible/roles/ssh/files/keys/host_ca_key deleted file mode 100644 index 9942088..0000000 --- a/ansible/roles/ssh/files/keys/host_ca_key +++ /dev/null @@ -1,27 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65393830356161326338323139306466316362303835393833383633363431303639393835666538 -6639653036666261363236393832343236656531633261360a333664363033356432386439336630 -65336333666662633635316565363366353530653831383937616566386165346663393938386530 -3233613134343331350a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diff --git a/ansible/roles/ssh/files/keys/host_ca_key.pub b/ansible/roles/ssh/files/keys/host_ca_key.pub deleted file mode 100644 index 4a19643..0000000 --- a/ansible/roles/ssh/files/keys/host_ca_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ diff --git a/ansible/roles/ssh/files/keys/user_ca_key b/ansible/roles/ssh/files/keys/user_ca_key deleted file mode 100644 index cf8ef0c..0000000 --- a/ansible/roles/ssh/files/keys/user_ca_key +++ /dev/null @@ -1,27 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -36306261333262396466633565653163323239396630653031343331653337376433356461613064 -3333316136343033396131356638666661623464333333310a636264616339363366386633663965 -64336437316366333363396162376337653537376365306638316166663437643731613935353137 -6138306232396134310a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diff --git a/ansible/roles/ssh/files/keys/user_ca_key.pub b/ansible/roles/ssh/files/keys/user_ca_key.pub deleted file mode 100644 index 71ab782..0000000 --- a/ansible/roles/ssh/files/keys/user_ca_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml deleted file mode 100644 index 20a992e..0000000 
--- a/ansible/roles/ssh/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Copy ca.sh - copy: - src: "{{ role_path }}/files/ca.sh" - dest: /root/ca.sh - mode: 755 -- name: Copy keys - copy: - src: "{{ role_path }}/files/keys/" - dest: /root/.ssh/ - mode: preserve diff --git a/ansible/util/secret-service-client.sh b/ansible/util/secret-service-client.sh deleted file mode 100755 index 5743a9d..0000000 --- a/ansible/util/secret-service-client.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -pass=`secret-tool lookup ansible_vault hermes` -retval=$? - -if [ $retval -ne 0 ]; then - read -s pass -fi -echo $pass -- 2.45.2