remove hermes virtual machines

2024-01-07 22:39:34 +01:00 · 2024-01-07 22:39:34 +01:00 · 11ec763244
commit 11ec763244
parent 54d5f6f5dc
10 changed files with 0 additions and 318 deletions
--- a/legacy/projects/hermes/README.md
+++ b/legacy/projects/hermes/README.md
@ -1,28 +0,0 @@
-# Hermes
-
-Hermes is the virtual machine that performs DHCP and DNS on our DMZ network.
-It also acts as a SSH certificate authority.
-
-The VM is provisioned using Terraform and configured using Ansible.
-
-## Motivation
-
-The VMs on our DMZ might like to contact eachother.
-For example, one VM wants to clone a repository from the git server.
-However, because our home network is NATed, a DNS lookup of these servers will result in our public IP address.
-This will in general not work, because the public IP address is only assigned on the WAN port of the router.
-
-One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs.
-However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security.
-Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code.
-
-This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server.
-Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses.
-Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
-Dnsmasq also overwrites the public IP address to `192.168.30.3` to solve the above problem.
-
-What is needed from the router:
- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).
- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`).
- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`.
- `unmanaged` (SLAAC) IPv6 router advertisements on the DMZ interface.
--- a/legacy/projects/hermes/ansible/ansible.cfg
+++ b/legacy/projects/hermes/ansible/ansible.cfg
@ -1,9 +0,0 @@
-[defaults]
-roles_path=../../../ansible_roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
-inventory=inventory
-vault_password_file=$HOME/.config/home/ansible-vault-secret
-interpreter_python=/usr/bin/python3
-host_key_checking = False
-
-[diff]
-always = True
--- a/legacy/projects/hermes/ansible/hermes.yml
+++ b/legacy/projects/hermes/ansible/hermes.yml
@ -1,25 +0,0 @@
- name: Wait for cloud-init to finish
-  hosts: all
-  gather_facts: no
-  roles:
-    - cloudinit_wait
-
- name: Install services
-  hosts: all
-  pre_tasks:
-    - name: Delete externally managed environment file
-      shell:
-        cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
-      register: rm
-      changed_when: "rm.rc == 0"
-      failed_when: "false"
-
-    - name: Copy resolv.conf
-      copy:
-        src: resolv.conf
-        dest: /etc/resolv.conf
-
-  roles:
-    - {role: apt, tags: apt}
-    - {role: dnsmasq, tags: dnsmasq}
-    - {role: bertvv.bind, tags: bind}
--- a/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml
+++ b/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml
@ -1,146 +0,0 @@
-apt_install_packages:
-  - qemu-guest-agent
-  - dnsutils
-
-ssh_ca_dir: /root/ssh_ca
-ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
-ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
-ssh_ca_user_ca_private_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  64343164666336316635323733353839373835316465653038333062386438363131353566626130
-  6531653835313838396638366330386331383533303435300a306333363238633864623864393665
-  31393036346532353134646466666465386633303061346662393430666532366137323866646561
-  3131653064323565370a656361326462336238333464353635303066323565633865663032313661
-  38366238613361626161633862353938326365306634303166346461366531663063343264353533
-  61656630633734643639333738616566326531653264306134363837616365643039626262613433
-  61656361326234313130386533363761366665383064643735316133313133643865616536306466
-  33303733663834646435303935633436383632306330616264343263303861313635383866636163
-  39653064373966643437636530326235653131616366396563386139333837616535616135323337
-  66626161336539356637373138613464376133373234353863383330313362623236633462386234
-  31386635613936306262346264343732623761303331623831353061343035626361623639326530
-  62643139663733666662623039396461623334666565663439613430353364626162653731303535
-  32396638393534363533303039343938346339656266303766613931316337333635373664643461
-  37303332386233663937636631373935613231356262346530323337393733373764613864616563
-  66383137393738316638393530616234653264613363383663366261303433636236326632323734
-  35616133386438613636663631653139386466303534636263393633633663303664326137373139
-  35626336653966396335623330663161333432306538316664376231616161353235353032633438
-  62363663613135616462323363333863376532623764663066616431636632653938666263383731
-  65666564656130383262373964386631643332323066386635643032663833306565643164376239
-  32383732393236336235363936303063663963343061306161643331623330326139663836323561
-  31353532313639613563393938643333326462653833623531613935363265333534663762333831
-  36376264636432656537313834373036623339306430333837323836303134323062306265356430
-  39663238363338666362663364643063613337646237356431383237616465643634313166643435
-  32623864313537336634373631396465643362333237646462336362656430653036656263613162
-  64306662313934643661333462306336333561626335303866306131326538653264343465633139
-  3466663135663239616135353764373532323935613233316132
-ssh_ca_host_ca_private_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  34613835376232653534353636303364613437666563653530363564346164656136643732626234
-  6430316165623933666461646639303435386433333335660a393538303835616366333066353665
-  64663236353233383236656365356264653963366464303433313133386430646230363634353465
-  6365313836666534330a633832303963616162623631663732623236383665383333323032383364
-  36313663366461643733373836326335386562663362326438353033376431356537326133646338
-  31623064303662616464343639346663323437333038346664393166333930336539373031313161
-  39343365373238383661343234666430336131323666313032333666306333366566336361383536
-  64626261363138323766306239303133376632386235666633363461303135613865343161356266
-  33333634613761616336653162396662633131333336613264663764333761633032313436376534
-  65376631383239666235313939363265643364376638623630373839303236633635356431356263
-  66366535656335326335616666316534366232353262336164663562613439623135303262356130
-  36316134366366623331393230396132366535356435613563663937376639653339343761306431
-  33353331306334336133316234326133663939636430376139376231383966346363303362386265
-  32356166363231613962383434333536356138623039663561313137653037663231666666646230
-  66323932333031626637616434383737623634353933613861326666313737636133333438656634
-  31363461373639366464343836333031313632346465346535303139623038633330356334633866
-  61303765353439303966623030303966656465353538323932343536393764616566386261306466
-  36343237393333376366303933373139353161376262333739353138666162663339393136303634
-  39383433323563666661313631613761343532373736386537626433323631323465623736653165
-  35356163356361346438366430636563656531363164306534353865393039643136366634323638
-  62656261396635353332376661353661353931663932386465643238343031376235363239303832
-  63393437613362623963306364356363396134623739656265326433356134303835356266326465
-  64623631353163653438376534316162666330663963363064326161656335383639356164393237
-  39346231666362313632363737623139373632376461373362656563616566633265653438393361
-  39393734393061653639313365633931373963666635316138663538356265386562373837393530
-  6537646639613534666533626339356335396634613765616664
-
-external_ipv4_address: "192.145.57.90"
-external_ipv6_address: "2a0d:6e00:1a77::1"
-
-bind_zone_ttl: 1h
-bind_allow_query:
-  - any
-bind_listen_ipv4:
-  - any
-bind_dnssec_enable: false
-bind_zones:
-  - name: kun.is
-
-    primaries:
-      - 192.168.30.7
-
-    name_servers:
-      - ns1.kun.is.
-      - ns2.kun.is.
-
-    hosts:
-      - name: ns
-        ip: "{{external_ipv4_address}}"
-      - name: ns1
-        ip: "{{external_ipv4_address}}"
-      - name: ns2
-        ip: "{{external_ipv4_address}}"
-      - name: '*'
-        ip: "{{external_ipv4_address}}"
-      - name: fcfe5d31d5b7ae1af0b352a6b4c75d3f
-        aliases:
-          - verify.bing.com.
-    text:
-      - name: '@'
-        text: "\\\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\\\""
-
-    mail_servers:
-      - name: mail
-        preference: 10
-
-  - name: geokunis2.nl
-    primaries:
-      - 192.168.30.7
-
-    name_servers:
-      - ns.geokunis2.nl.
-      - ns0.transip.net.
-      - ns1.transip.nl.
-      - ns2.transip.eu.
-
-    hosts:
-      - name: '@'
-        ip: "{{external_ipv4_address}}"
-        ipv6: 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
-      - name: mail
-        ip: "{{external_ipv4_address}}"
-      - name: wg
-        ip: "{{external_ipv4_address}}"
-        ipv6: "{{external_ipv6_address}}"
-      - name: wg4
-        ip: "{{external_ipv4_address}}"
-      - name: wg6
-        ipv6: "{{external_ipv6_address}}"
-      - name: tuindersweijde
-        ip: "{{external_ipv4_address}}"
-      - name: ns
-        ip: "{{external_ipv4_address}}"
-        ipv6: 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
-      - name: cyberchef
-        ip: "{{external_ipv4_address}}"
-        ipv6: 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
-      - name: inbucket
-        ip: "{{external_ipv4_address}}"
-      - name: kms
-        ip: "{{external_ipv4_address}}"
-
-    mail_servers:
-      - name: mail
-        preference: 10
-
-    caa:
-      - name: '@'
-        text: "0 issue \\\"letsencrypt.org\\\""
--- a/legacy/projects/hermes/ansible/inventory/hosts.yml
+++ b/legacy/projects/hermes/ansible/inventory/hosts.yml
@ -1,5 +0,0 @@
-all:
-  hosts:
-    hermes:
-      ansible_user: root
-      ansible_host: 192.168.30.7
--- a/legacy/projects/hermes/ansible/requirements.yml
+++ b/legacy/projects/hermes/ansible/requirements.yml
@ -1,4 +0,0 @@
- name: apt
-  src: https://github.com/sunscrapers/ansible-role-apt.git
-  scm: git
- name: bertvv.bind
--- a/legacy/projects/hermes/ansible/resolv.conf
+++ b/legacy/projects/hermes/ansible/resolv.conf
@ -1 +0,0 @@
-nameserver 192.168.30.1
--- a/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf
@ -1,51 +0,0 @@
-# Disable /etc/resolv.conf
-no-resolv
-# Upstream DNS server
-server=192.168.30.1
-# Always serve .dmz locally
-local=/dmz/
-# Put all clients in the dmz domain
-dhcp-fqdn
-# Don't read /etc/hosts
-no-hosts
-# Domain is automatically added to if missing
-expand-hosts
-# Domain that is used for DHCP on this network
-domain=dmz
-# IPv4 DHCP range
-dhcp-authoritative
-dhcp-range=192.168.30.50,192.168.30.127,15m
-# Predefined DHCP hosts
-dhcp-host=b8:27:eb:b9:ab:e2,esrom
-dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3
-dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8
-dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9
-dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10
-dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11
-# Advertise router
-dhcp-option=3,192.168.30.1
-# Always send the IPv6 DNS server address (this machine)
-dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]
-# Advertise SLAAC for the given prefix
-dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names
-# Do not advertise default gateway via DHCPv6
-ra-param=*,0,0
-# Alias public IP address to local
-alias=192.145.57.90,192.168.30.8
-# Override DNS servers for our domains
-server=/pizzapim.nl/192.168.30.7
-server=/geokunis2.nl/192.168.30.7
-server=/pim.kunis.nl/192.168.30.7
-server=/kun.is/192.168.30.7
-# Enable extended logging
-log-dhcp
-log-queries
-# Resolve hermes.dmz to addresses on main NIC
-interface-name=hermes.dmz,ens3
-# Non-conventional port because we also run nsd on this machine
-port=5353
-# Override addresses of name servers
-address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7
-address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07
-# Advertise DNS server
-dhcp-option=option:dns-server,192.168.30.1
--- a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
@ -1,18 +0,0 @@
- name: Install dnsmasq
-  apt:
-    name: dnsmasq
- name: Disable systemd-resolved
-  systemd:
-    name: systemd-resolved
-    enabled: false
-    state: stopped
- name: Copy dnsmasq configuration
-  copy:
-    src: "{{ role_path }}/files/dnsmasq.conf"
-    dest: "/etc/dnsmasq.conf"
-  register: config
- name: Enable dnsmasq
-  systemd:
-    name: dnsmasq
-    enabled: true
-    state: "{{ 'restarted' if config.changed else 'started' }}"
--- a/legacy/projects/hermes/vm/main.tf
+++ b/legacy/projects/hermes/vm/main.tf
@ -1,31 +0,0 @@
-terraform {
-  backend "pg" {
-    schema_name = "hermes"
-    conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
-  }
-
-  required_providers {
-    libvirt = {
-      source = "dmacvicar/libvirt"
-      version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
-    }
-  }
-}
-
-# https://libvirt.org/uri.html#libssh-and-libssh2-transport
-provider "libvirt" {
-  alias = "atlas"
-  uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
-}
-
-module "hermes" {
-  source = "../../../terraform_modules/debian"
-  name = "hermes"
-  ram = 1024
-  storage = 25
-  mac = "CA:FE:C0:FF:EE:07"
-  static_ip = "192.168.30.7/24"
-  providers = {
-    libvirt = libvirt.atlas
-  }
-}