diff --git a/legacy/projects/hermes/README.md b/legacy/projects/hermes/README.md deleted file mode 100644 index 8bb0c05..0000000 --- a/legacy/projects/hermes/README.md +++ /dev/null @@ -1,28 +0,0 @@ -# Hermes - -Hermes is the virtual machine that performs DHCP and DNS on our DMZ network. -It also acts as a SSH certificate authority. - -The VM is provisioned using Terraform and configured using Ansible. - -## Motivation - -The VMs on our DMZ might like to contact eachother. -For example, one VM wants to clone a repository from the git server. -However, because our home network is NATed, a DNS lookup of these servers will result in our public IP address. -This will in general not work, because the public IP address is only assigned on the WAN port of the router. - -One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs. -However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security. -Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code. - -This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server. -Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses. -Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`). -Dnsmasq also overwrites the public IP address to `192.168.30.3` to solve the above problem. - -What is needed from the router: -- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`). -- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`). -- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`. -- `unmanaged` (SLAAC) IPv6 router advertisements on the DMZ interface. diff --git a/legacy/projects/hermes/ansible/ansible.cfg b/legacy/projects/hermes/ansible/ansible.cfg deleted file mode 100644 index 63b0f4d..0000000 --- a/legacy/projects/hermes/ansible/ansible.cfg +++ /dev/null @@ -1,9 +0,0 @@ -[defaults] -roles_path=../../../ansible_roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles -inventory=inventory -vault_password_file=$HOME/.config/home/ansible-vault-secret -interpreter_python=/usr/bin/python3 -host_key_checking = False - -[diff] -always = True diff --git a/legacy/projects/hermes/ansible/hermes.yml b/legacy/projects/hermes/ansible/hermes.yml deleted file mode 100644 index ae722f6..0000000 --- a/legacy/projects/hermes/ansible/hermes.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: Wait for cloud-init to finish - hosts: all - gather_facts: no - roles: - - cloudinit_wait - -- name: Install services - hosts: all - pre_tasks: - - name: Delete externally managed environment file - shell: - cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" - register: rm - changed_when: "rm.rc == 0" - failed_when: "false" - - - name: Copy resolv.conf - copy: - src: resolv.conf - dest: /etc/resolv.conf - - roles: - - {role: apt, tags: apt} - - {role: dnsmasq, tags: dnsmasq} - - {role: bertvv.bind, tags: bind} diff --git a/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml b/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml deleted file mode 100644 index 283822f..0000000 --- a/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml +++ /dev/null @@ -1,146 +0,0 @@ -apt_install_packages: - - qemu-guest-agent - - dnsutils - -ssh_ca_dir: /root/ssh_ca -ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ" -ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ" -ssh_ca_user_ca_private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 64343164666336316635323733353839373835316465653038333062386438363131353566626130 - 6531653835313838396638366330386331383533303435300a306333363238633864623864393665 - 31393036346532353134646466666465386633303061346662393430666532366137323866646561 - 3131653064323565370a656361326462336238333464353635303066323565633865663032313661 - 38366238613361626161633862353938326365306634303166346461366531663063343264353533 - 61656630633734643639333738616566326531653264306134363837616365643039626262613433 - 61656361326234313130386533363761366665383064643735316133313133643865616536306466 - 33303733663834646435303935633436383632306330616264343263303861313635383866636163 - 39653064373966643437636530326235653131616366396563386139333837616535616135323337 - 66626161336539356637373138613464376133373234353863383330313362623236633462386234 - 31386635613936306262346264343732623761303331623831353061343035626361623639326530 - 62643139663733666662623039396461623334666565663439613430353364626162653731303535 - 32396638393534363533303039343938346339656266303766613931316337333635373664643461 - 37303332386233663937636631373935613231356262346530323337393733373764613864616563 - 66383137393738316638393530616234653264613363383663366261303433636236326632323734 - 35616133386438613636663631653139386466303534636263393633633663303664326137373139 - 35626336653966396335623330663161333432306538316664376231616161353235353032633438 - 62363663613135616462323363333863376532623764663066616431636632653938666263383731 - 65666564656130383262373964386631643332323066386635643032663833306565643164376239 - 32383732393236336235363936303063663963343061306161643331623330326139663836323561 - 31353532313639613563393938643333326462653833623531613935363265333534663762333831 - 36376264636432656537313834373036623339306430333837323836303134323062306265356430 - 39663238363338666362663364643063613337646237356431383237616465643634313166643435 - 32623864313537336634373631396465643362333237646462336362656430653036656263613162 - 64306662313934643661333462306336333561626335303866306131326538653264343465633139 - 3466663135663239616135353764373532323935613233316132 -ssh_ca_host_ca_private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 34613835376232653534353636303364613437666563653530363564346164656136643732626234 - 6430316165623933666461646639303435386433333335660a393538303835616366333066353665 - 64663236353233383236656365356264653963366464303433313133386430646230363634353465 - 6365313836666534330a633832303963616162623631663732623236383665383333323032383364 - 36313663366461643733373836326335386562663362326438353033376431356537326133646338 - 31623064303662616464343639346663323437333038346664393166333930336539373031313161 - 39343365373238383661343234666430336131323666313032333666306333366566336361383536 - 64626261363138323766306239303133376632386235666633363461303135613865343161356266 - 33333634613761616336653162396662633131333336613264663764333761633032313436376534 - 65376631383239666235313939363265643364376638623630373839303236633635356431356263 - 66366535656335326335616666316534366232353262336164663562613439623135303262356130 - 36316134366366623331393230396132366535356435613563663937376639653339343761306431 - 33353331306334336133316234326133663939636430376139376231383966346363303362386265 - 32356166363231613962383434333536356138623039663561313137653037663231666666646230 - 66323932333031626637616434383737623634353933613861326666313737636133333438656634 - 31363461373639366464343836333031313632346465346535303139623038633330356334633866 - 61303765353439303966623030303966656465353538323932343536393764616566386261306466 - 36343237393333376366303933373139353161376262333739353138666162663339393136303634 - 39383433323563666661313631613761343532373736386537626433323631323465623736653165 - 35356163356361346438366430636563656531363164306534353865393039643136366634323638 - 62656261396635353332376661353661353931663932386465643238343031376235363239303832 - 63393437613362623963306364356363396134623739656265326433356134303835356266326465 - 64623631353163653438376534316162666330663963363064326161656335383639356164393237 - 39346231666362313632363737623139373632376461373362656563616566633265653438393361 - 39393734393061653639313365633931373963666635316138663538356265386562373837393530 - 6537646639613534666533626339356335396634613765616664 - -external_ipv4_address: "192.145.57.90" -external_ipv6_address: "2a0d:6e00:1a77::1" - -bind_zone_ttl: 1h -bind_allow_query: - - any -bind_listen_ipv4: - - any -bind_dnssec_enable: false -bind_zones: - - name: kun.is - - primaries: - - 192.168.30.7 - - name_servers: - - ns1.kun.is. - - ns2.kun.is. - - hosts: - - name: ns - ip: "{{external_ipv4_address}}" - - name: ns1 - ip: "{{external_ipv4_address}}" - - name: ns2 - ip: "{{external_ipv4_address}}" - - name: '*' - ip: "{{external_ipv4_address}}" - - name: fcfe5d31d5b7ae1af0b352a6b4c75d3f - aliases: - - verify.bing.com. - text: - - name: '@' - text: "\\\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\\\"" - - mail_servers: - - name: mail - preference: 10 - - - name: geokunis2.nl - primaries: - - 192.168.30.7 - - name_servers: - - ns.geokunis2.nl. - - ns0.transip.net. - - ns1.transip.nl. - - ns2.transip.eu. - - hosts: - - name: '@' - ip: "{{external_ipv4_address}}" - ipv6: 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda - - name: mail - ip: "{{external_ipv4_address}}" - - name: wg - ip: "{{external_ipv4_address}}" - ipv6: "{{external_ipv6_address}}" - - name: wg4 - ip: "{{external_ipv4_address}}" - - name: wg6 - ipv6: "{{external_ipv6_address}}" - - name: tuindersweijde - ip: "{{external_ipv4_address}}" - - name: ns - ip: "{{external_ipv4_address}}" - ipv6: 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07 - - name: cyberchef - ip: "{{external_ipv4_address}}" - ipv6: 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03 - - name: inbucket - ip: "{{external_ipv4_address}}" - - name: kms - ip: "{{external_ipv4_address}}" - - mail_servers: - - name: mail - preference: 10 - - caa: - - name: '@' - text: "0 issue \\\"letsencrypt.org\\\"" diff --git a/legacy/projects/hermes/ansible/inventory/hosts.yml b/legacy/projects/hermes/ansible/inventory/hosts.yml deleted file mode 100644 index e7e7ab1..0000000 --- a/legacy/projects/hermes/ansible/inventory/hosts.yml +++ /dev/null @@ -1,5 +0,0 @@ -all: - hosts: - hermes: - ansible_user: root - ansible_host: 192.168.30.7 diff --git a/legacy/projects/hermes/ansible/requirements.yml b/legacy/projects/hermes/ansible/requirements.yml deleted file mode 100644 index 5406aa0..0000000 --- a/legacy/projects/hermes/ansible/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: apt - src: https://github.com/sunscrapers/ansible-role-apt.git - scm: git -- name: bertvv.bind diff --git a/legacy/projects/hermes/ansible/resolv.conf b/legacy/projects/hermes/ansible/resolv.conf deleted file mode 100644 index 14b2a3d..0000000 --- a/legacy/projects/hermes/ansible/resolv.conf +++ /dev/null @@ -1 +0,0 @@ -nameserver 192.168.30.1 diff --git a/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf b/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf deleted file mode 100644 index 53115d1..0000000 --- a/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf +++ /dev/null @@ -1,51 +0,0 @@ -# Disable /etc/resolv.conf -no-resolv -# Upstream DNS server -server=192.168.30.1 -# Always serve .dmz locally -local=/dmz/ -# Put all clients in the dmz domain -dhcp-fqdn -# Don't read /etc/hosts -no-hosts -# Domain is automatically added to if missing -expand-hosts -# Domain that is used for DHCP on this network -domain=dmz -# IPv4 DHCP range -dhcp-authoritative -dhcp-range=192.168.30.50,192.168.30.127,15m -# Predefined DHCP hosts -dhcp-host=b8:27:eb:b9:ab:e2,esrom -dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3 -dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8 -dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9 -dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10 -dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11 -# Advertise router -dhcp-option=3,192.168.30.1 -# Always send the IPv6 DNS server address (this machine) -dhcp-option=option6:dns-server,[2a02:58:19a:f730::1] -# Advertise SLAAC for the given prefix -dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names -# Do not advertise default gateway via DHCPv6 -ra-param=*,0,0 -# Alias public IP address to local -alias=192.145.57.90,192.168.30.8 -# Override DNS servers for our domains -server=/pizzapim.nl/192.168.30.7 -server=/geokunis2.nl/192.168.30.7 -server=/pim.kunis.nl/192.168.30.7 -server=/kun.is/192.168.30.7 -# Enable extended logging -log-dhcp -log-queries -# Resolve hermes.dmz to addresses on main NIC -interface-name=hermes.dmz,ens3 -# Non-conventional port because we also run nsd on this machine -port=5353 -# Override addresses of name servers -address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7 -address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07 -# Advertise DNS server -dhcp-option=option:dns-server,192.168.30.1 diff --git a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml deleted file mode 100644 index 405be6c..0000000 --- a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Install dnsmasq - apt: - name: dnsmasq -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy dnsmasq configuration - copy: - src: "{{ role_path }}/files/dnsmasq.conf" - dest: "/etc/dnsmasq.conf" - register: config -- name: Enable dnsmasq - systemd: - name: dnsmasq - enabled: true - state: "{{ 'restarted' if config.changed else 'started' }}" diff --git a/legacy/projects/hermes/vm/main.tf b/legacy/projects/hermes/vm/main.tf deleted file mode 100644 index a77bfd8..0000000 --- a/legacy/projects/hermes/vm/main.tf +++ /dev/null @@ -1,31 +0,0 @@ -terraform { - backend "pg" { - schema_name = "hermes" - conn_str = "postgresql://terraform@jefke.hyp/terraformstates" - } - - required_providers { - libvirt = { - source = "dmacvicar/libvirt" - version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040 - } - } -} - -# https://libvirt.org/uri.html#libssh-and-libssh2-transport -provider "libvirt" { - alias = "atlas" - uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" -} - -module "hermes" { - source = "../../../terraform_modules/debian" - name = "hermes" - ram = 1024 - storage = 25 - mac = "CA:FE:C0:FF:EE:07" - static_ip = "192.168.30.7/24" - providers = { - libvirt = libvirt.atlas - } -}