From 721623c8fc6893c8047308536a0d40bc994521b0 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sun, 17 Dec 2023 16:22:22 +0100 Subject: [PATCH] update to nixos 23.11 enable static IP for terraformed VMs restructure legacy code move hermes code to this repo don't use data disk for hermes leases --- flake.lock | 70 ++++++++++------ flake.nix | 21 ++--- .../projects/docker_swarm}/main.tf | 10 +-- legacy/projects/hermes/ansible/ansible.cfg | 9 ++ legacy/projects/hermes/ansible/hermes.yml | 25 ++++++ .../ansible/inventory/host_vars/hermes.yml | 84 +++++++++++++++++++ .../hermes/ansible/inventory/hosts.yml | 5 ++ .../projects/hermes/ansible/requirements.yml | 9 ++ legacy/projects/hermes/ansible/resolv.conf | 1 + .../ansible/roles/dnsmasq/files/dnsmasq.conf | 51 +++++++++++ .../ansible/roles/dnsmasq/tasks/main.yml | 18 ++++ .../hermes/ansible/roles/powerdns/api.conf.j2 | 5 ++ .../ansible/roles/powerdns/gpgsql.conf.j2 | 5 ++ .../ansible/roles/powerdns/handlers/main.yml | 4 + .../ansible/roles/powerdns/overwrite.conf | 4 + .../ansible/roles/powerdns/tasks/main.yml | 28 +++++++ .../projects/hermes/ansible/show_leases.yml | 10 +++ legacy/projects/hermes/main.tf | 31 +++++++ .../terraform_modules}/README.md | 0 .../debian/files/cloud_init.cfg.tftpl | 0 .../debian/files/network_config.cfg.tftpl | 6 ++ .../terraform_modules}/debian/main.tf | 4 +- .../terraform_modules}/debian/variables.tf | 5 ++ .../terraform_modules}/setup/main.tf | 0 machines/default.nix | 58 ++++++++----- machines/lewis_host_ed25519-cert.pub | 1 + machines/lewis_user_ed25519-cert.pub | 1 + terraform/modules/debian/files/get_cert.sh | 17 ---- 28 files changed, 402 insertions(+), 80 deletions(-) rename {terraform => legacy/projects/docker_swarm}/main.tf (82%) create mode 100644 legacy/projects/hermes/ansible/ansible.cfg create mode 100644 legacy/projects/hermes/ansible/hermes.yml create mode 100644 legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml create mode 100644 legacy/projects/hermes/ansible/inventory/hosts.yml create mode 100644 
legacy/projects/hermes/ansible/requirements.yml create mode 100644 legacy/projects/hermes/ansible/resolv.conf create mode 100644 legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf create mode 100644 legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml create mode 100644 legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2 create mode 100644 legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2 create mode 100644 legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml create mode 100644 legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf create mode 100644 legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml create mode 100644 legacy/projects/hermes/ansible/show_leases.yml create mode 100644 legacy/projects/hermes/main.tf rename {terraform/modules => legacy/terraform_modules}/README.md (100%) rename {terraform/modules => legacy/terraform_modules}/debian/files/cloud_init.cfg.tftpl (100%) rename terraform/modules/debian/files/network_config.cfg => legacy/terraform_modules/debian/files/network_config.cfg.tftpl (56%) rename {terraform/modules => legacy/terraform_modules}/debian/main.tf (89%) rename {terraform/modules => legacy/terraform_modules}/debian/variables.tf (80%) rename {terraform/modules => legacy/terraform_modules}/setup/main.tf (100%) create mode 100644 machines/lewis_host_ed25519-cert.pub create mode 100644 machines/lewis_user_ed25519-cert.pub delete mode 100755 terraform/modules/debian/files/get_cert.sh diff --git a/flake.lock b/flake.lock index 2bbf083..e28e088 100644 --- a/flake.lock +++ b/flake.lock 
@@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1696775529, - "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "lastModified": 1701216516, + "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", "owner": "ryantm", "repo": "agenix", - "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", "type": "github" }, "original": { @@ -51,11 +51,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1698921442, - "narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=", + "lastModified": 1702460489, + "narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=", "owner": "serokell", "repo": "deploy-rs", - "rev": "660180bbbeae7d60dad5a92b30858306945fd427", + "rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803", "type": "github" }, "original": { @@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1699781810, - "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=", + "lastModified": 1702569759, + "narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=", "owner": "nix-community", "repo": "disko", - "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df", + "rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714", "type": "github" }, "original": { @@ -87,11 +87,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -143,7 +143,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems", + "systems": "systems_2", "treefmt": "treefmt" }, "locked": { 
@@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1671417167, - "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "type": "github" }, "original": { @@ -178,11 +178,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699725108, - "narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=", + "lastModified": 1702539185, + "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e", + "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447", "type": "github" }, "original": { @@ -194,16 +194,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1699291058, - "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=", + "lastModified": 1702645756, + "narHash": "sha256-qKI6OR3TYJYQB3Q8mAZ+DG4o/BR9ptcv9UnRV2hzljc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41de143fda10e33be0f47eab2bfe08a50f234267", + "rev": "40c3c94c241286dd2243ea34d3aef8a488f9e4d0", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -219,6 +219,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -254,12 +269,15 @@ } }, "utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index db3c004..97f1f47 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "NixOS definitions for our physical servers"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; kubenix = { @@ -22,7 +22,7 @@ }; outputs = - { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, kubenix, ... }: + { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -45,18 +45,19 @@ in { devShells.${system}.default = pkgs.mkShell { - packages = [ - pkgs.libsecret + packages = with pkgs; [ + libsecret # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow. # Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242 # Should wait until this is merged in nixos-unstable. # pkgs-unstable.nixos-anywhere pkgs-unstable.deploy-rs - pkgs.openssl - pkgs.postgresql_15 - pkgs-unstable.opentofu - pkgs.cdrtools - pkgs.kubectl + openssl + postgresql_15 + opentofu + cdrtools + kubectl + ansible ]; }; @@ -79,7 +80,7 @@ user = "root"; nodes = mkDeployNodes (machine: { - hostname = machine.hostname; + hostname = machine.hostName; profiles.hypervisor = { path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${machine.name}; 
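Review bot: In the devShell hunk `opentofu` silently moves from `pkgs-unstable` to `pkgs` (nixos-23.11), because the `with pkgs;` rewrite dropped the `pkgs-unstable.` prefix on that entry while `deploy-rs` kept it, and the commit message does not mention the channel switch. If the stable package is intended (assuming it evaluates on 23.11), a one-line comment such as `# opentofu: tracked from nixos-23.11 since the 23.11 bump; unstable no longer needed` makes it deliberate; otherwise restore `pkgs-unstable.opentofu` next to `pkgs-unstable.deploy-rs`. Mixing bare names and `pkgs-unstable.` entries inside a `with pkgs;` list is also easy to misread, so grouping the unstable entries together with that comment would help.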
diff --git a/terraform/main.tf b/legacy/projects/docker_swarm/main.tf similarity index 82% rename from terraform/main.tf rename to legacy/projects/docker_swarm/main.tf index 76a8053..7dfc05c 100644 --- a/terraform/main.tf +++ b/legacy/projects/docker_swarm/main.tf @@ -1,6 +1,6 @@ terraform { backend "pg" { - schema_name = "testje" + schema_name = "dockerswarm" conn_str = "postgresql://terraform@jefke.hyp/terraformstates" } @@ -24,14 +24,14 @@ provider "libvirt" { } module "setup_jefke" { - source = "./modules/setup" + source = "../../terraform_modules/setup" providers = { libvirt = libvirt.jefke } } module "bancomart" { - source = "./modules/debian" + source = "../../terraform_modules/debian" name = "bancomart" ram = 4096 storage = 25 @@ -41,14 +41,14 @@ module "bancomart" { } module "setup_atlas" { - source = "./modules/setup" + source = "../../terraform_modules/setup" providers = { libvirt = libvirt.atlas } } module "maestro" { - source = "./modules/debian" + source = "../../terraform_modules/debian" name = "maestro" ram = 8192 storage = 35 diff --git a/legacy/projects/hermes/ansible/ansible.cfg b/legacy/projects/hermes/ansible/ansible.cfg new file mode 100644 index 0000000..28a2849 --- /dev/null +++ b/legacy/projects/hermes/ansible/ansible.cfg @@ -0,0 +1,9 @@ +[defaults] +roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles +inventory=inventory +vault_password_file=$HOME/.config/home/ansible-vault-secret +interpreter_python=/usr/bin/python3 +host_key_checking = False + +[diff] +always = True diff --git a/legacy/projects/hermes/ansible/hermes.yml b/legacy/projects/hermes/ansible/hermes.yml new file mode 100644 index 0000000..496ca8e --- /dev/null +++ b/legacy/projects/hermes/ansible/hermes.yml 
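Review bot: Changing the pg backend's `schema_name` from `testje` to `dockerswarm` points this project at a new, empty schema, so the existing state for `setup_jefke`, `bancomart` and the other modules is no longer found and the next plan would try to recreate those VMs unless the state is migrated first. Note the migration step in the commit message or in a comment above the backend block, e.g. `# schema renamed from "testje"; run terraform init -migrate-state once after pulling`. The `conn_str` also leaves `sslmode` at the libpq default, so state (which can contain secrets) may travel in clear text to `jefke.hyp`; if that server offers TLS, `?sslmode=require` on the URL pins it.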
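Review bot: `host_key_checking = False` in the new `ansible.cfg` disables SSH host authentication for every play run from this directory, so a connection to 192.168.30.7 is accepted from whatever answers on that address while the automation logs in as root. The repository already runs an SSH CA for host certificates (the `ssh_ca_host_ca_public_key` in `host_vars/hermes.yml` and the `*_host_ed25519-cert.pub` files in this commit), so the matching setup is to drop the line (checking is on by default) and trust the CA with a `@cert-authority *.dmz <ca-public-key-placeholder>` entry in `known_hosts`, or to point `ssh_args` at a `UserKnownHostsFile` that carries it. If the VM really does change keys on every rebuild, that is the case certificates exist for, and a comment should say so rather than turning checking off globally.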
@@ -0,0 +1,25 @@ +- name: Wait for cloud-init to finish + hosts: all + gather_facts: no + roles: + - cloudinit_wait + +- name: Install services + hosts: all + pre_tasks: + - name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" + + - name: Copy resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf + + roles: + - {role: apt, tags: apt} + - {role: dnsmasq, tags: dnsmasq} + - {role: powerdns, tags: powerdns} diff --git a/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml b/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml new file mode 100644 index 0000000..ab05003 --- /dev/null +++ b/legacy/projects/hermes/ansible/inventory/host_vars/hermes.yml 
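Review bot: The `Delete externally managed environment file` pre-task runs `rm` through `shell` with `failed_when: "false"`, which hides every failure (permission denied, no match for the glob, a typo in the path) and lets the play report success regardless; the shell glob is also the only reason `shell` rather than `command` was needed. Removing the PEP 668 marker turns off the protection against pip overwriting distro-managed packages for the whole system, so if a single pip install is the only consumer, `--break-system-packages` on that install is the narrower fix. If the removal is wanted, `ansible.builtin.find` plus `ansible.builtin.file` does it without a shell, idempotently and with real change reporting:
```yaml
  pre_tasks:
    - name: Find externally managed environment markers
      ansible.builtin.find:
        paths: /usr/lib
        patterns: EXTERNALLY-MANAGED
        recurse: true
        depth: 2
      register: externally_managed

    - name: Delete externally managed environment markers
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ externally_managed.files }}"
    # … unchanged: Copy resolv.conf task and the roles list …
```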
@@ -0,0 +1,84 @@ +apt_install_packages: + - qemu-guest-agent + - dnsutils + - pdns-server + - pdns-backend-pgsql + - postgresql-client + +ssh_ca_dir: /root/ssh_ca +ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ" +ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ" +ssh_ca_user_ca_private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64343164666336316635323733353839373835316465653038333062386438363131353566626130 + 6531653835313838396638366330386331383533303435300a306333363238633864623864393665 + 31393036346532353134646466666465386633303061346662393430666532366137323866646561 + 3131653064323565370a656361326462336238333464353635303066323565633865663032313661 + 38366238613361626161633862353938326365306634303166346461366531663063343264353533 + 61656630633734643639333738616566326531653264306134363837616365643039626262613433 + 61656361326234313130386533363761366665383064643735316133313133643865616536306466 + 33303733663834646435303935633436383632306330616264343263303861313635383866636163 + 39653064373966643437636530326235653131616366396563386139333837616535616135323337 + 66626161336539356637373138613464376133373234353863383330313362623236633462386234 + 31386635613936306262346264343732623761303331623831353061343035626361623639326530 + 62643139663733666662623039396461623334666565663439613430353364626162653731303535 + 32396638393534363533303039343938346339656266303766613931316337333635373664643461 + 37303332386233663937636631373935613231356262346530323337393733373764613864616563 + 66383137393738316638393530616234653264613363383663366261303433636236326632323734 + 35616133386438613636663631653139386466303534636263393633633663303664326137373139 + 35626336653966396335623330663161333432306538316664376231616161353235353032633438 + 
62363663613135616462323363333863376532623764663066616431636632653938666263383731 + 65666564656130383262373964386631643332323066386635643032663833306565643164376239 + 32383732393236336235363936303063663963343061306161643331623330326139663836323561 + 31353532313639613563393938643333326462653833623531613935363265333534663762333831 + 36376264636432656537313834373036623339306430333837323836303134323062306265356430 + 39663238363338666362663364643063613337646237356431383237616465643634313166643435 + 32623864313537336634373631396465643362333237646462336362656430653036656263613162 + 64306662313934643661333462306336333561626335303866306131326538653264343465633139 + 3466663135663239616135353764373532323935613233316132 +ssh_ca_host_ca_private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34613835376232653534353636303364613437666563653530363564346164656136643732626234 + 6430316165623933666461646639303435386433333335660a393538303835616366333066353665 + 64663236353233383236656365356264653963366464303433313133386430646230363634353465 + 6365313836666534330a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api_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65376335393463353232386437613533396261383332653738323764633965393262363239376165 + 3566666139376135643833343535663130353631326466610a623161633238363338633461383434 + 63373365613765663830613565313164323938336338616666313365623261663037626132623531 + 3638653833626532300a656632356563613631633162643464356236396635633237376133323433 + 37363261376535306161393039396333656430323534616462393366643662306631306339346363 + 3065303163643732613435323561663035646365383237643464 + +postgresql_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64646633623535383761356434643064383736626638333738323363393037393133363130623361 + 3965323132656263393365366131343732646239316564390a613263386166383438366162303561 + 63626162656337313034663830626432303437363764653336613338393038393737663238313737 + 
3164323834393165380a393138363265393963613835376331623735303538316162343036306230 + 63633335343332313861393135366332313061353064306265653631613735336631653438383066 + 3034323733323333646532613233666333323363643534336233 diff --git a/legacy/projects/hermes/ansible/inventory/hosts.yml b/legacy/projects/hermes/ansible/inventory/hosts.yml new file mode 100644 index 0000000..e7e7ab1 --- /dev/null +++ b/legacy/projects/hermes/ansible/inventory/hosts.yml @@ -0,0 +1,5 @@ +all: + hosts: + hermes: + ansible_user: root + ansible_host: 192.168.30.7 diff --git a/legacy/projects/hermes/ansible/requirements.yml b/legacy/projects/hermes/ansible/requirements.yml new file mode 100644 index 0000000..17fea38 --- /dev/null +++ b/legacy/projects/hermes/ansible/requirements.yml @@ -0,0 +1,9 @@ +- name: apt + src: https://github.com/sunscrapers/ansible-role-apt.git + scm: git +- name: cloudinit_wait + src: https://git.kun.is/pim/ansible-role-cloudinit-wait + scm: git +- name: postgresql_database + src: https://git.kun.is/home/ansible-role-postgresql-database + scm: git diff --git a/legacy/projects/hermes/ansible/resolv.conf b/legacy/projects/hermes/ansible/resolv.conf new file mode 100644 index 0000000..14b2a3d --- /dev/null +++ b/legacy/projects/hermes/ansible/resolv.conf @@ -0,0 +1 @@ +nameserver 192.168.30.1 diff --git a/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf b/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf new file mode 100644 index 0000000..aab10be --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf 
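Review bot: `ssh_ca_user_ca_private_key` and `ssh_ca_host_ca_private_key` in `host_vars/hermes.yml` are the private keys of the DMZ user and host CAs, but nothing in this commit consumes them: `hermes.yml` applies only the `apt`, `dnsmasq` and `powerdns` roles, and `ssh_ca_dir` is referenced by no task here. If they are leftovers from an earlier setup, dropping them keeps the CA secrets (and their vault material) out of a per-host vars file; if a role outside this commit does deploy them to `/root/ssh_ca`, that places the authority able to mint host and user certificates for the whole DMZ on the DNS/DHCP VM, which deserves a stated reason. A header comment such as `# ssh_ca_*: consumed by <role-placeholder>; CA private keys live on this host by design` (or removal of the four variables) would settle it.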
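Review bot: All three roles in `requirements.yml` are fetched with `scm: git` and no `version:`, so every `ansible-galaxy install` pulls whatever the default branch holds at that moment; for `sunscrapers/ansible-role-apt`, a third-party repository whose tasks run as root on the host, that is an unpinned supply-chain dependency. Add `version: <tag-or-commit-placeholder>` under each `src:` and bump it deliberately. `postgresql_database` is listed but not used by `hermes.yml`, so either a play is missing or the entry can go.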
@@ -0,0 +1,51 @@ +# Disable /etc/resolv.conf +no-resolv +# Upstream DNS server +server=192.168.30.1 +# Always serve .dmz locally +local=/dmz/ +# Put all clients in the dmz domain +dhcp-fqdn +# Don't read /etc/hosts +no-hosts +# Domain is automatically added to if missing +expand-hosts +# Domain that is used for DHCP on this network +domain=dmz +# IPv4 DHCP range +dhcp-authoritative +dhcp-range=192.168.30.50,192.168.30.127,15m +# Predefined DHCP hosts +dhcp-host=b8:27:eb:b9:ab:e2,esrom +dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3 +dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8 +dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9 +dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10 +dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11 +# Advertise router +dhcp-option=3,192.168.30.1 +# Always send the IPv6 DNS server address (this machine) +dhcp-option=option6:dns-server,[2a02:58:19a:f730::1] +# Advertise SLAAC for the given prefix +dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names +# Do not advertise default gateway via DHCPv6 +ra-param=*,0,0 +# Alias public IP address to local +alias=84.245.14.149,192.168.30.8 +# Override DNS servers for our domains +server=/pizzapim.nl/192.168.30.7 +server=/geokunis2.nl/192.168.30.7 +server=/pim.kunis.nl/192.168.30.7 +server=/kun.is/192.168.30.7 +# Enable extended logging +log-dhcp +log-queries +# Resolve hermes.dmz to addresses on main NIC +interface-name=hermes.dmz,ens3 +# Non-conventional port because we also run nsd on this machine +port=5353 +# Override addresses of name servers +address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7 +address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07 +# Advertise DNS server +dhcp-option=option:dns-server,192.168.30.1 diff --git a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..405be6c --- /dev/null 
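Review bot: `dnsmasq.conf` never restricts where the daemon listens — there is no `interface=`, `listen-address=` or `bind-interfaces` line — so DNS on port 5353 plus the DHCP and RA servers are offered on every interface the VM has, while `interface-name=hermes.dmz,ens3` shows `ens3` is the only one meant to serve. Adding `interface=ens3` together with `bind-interfaces` next to the `port=5353` line keeps the service on the DMZ segment even if a second NIC is attached later. Worth a comment as well: the closing `dhcp-option=option:dns-server,192.168.30.1` hands clients the router rather than this server, so `.dmz` names and the `server=/…/192.168.30.7` overrides only work if the router forwards to hermes on 5353 — presumably it does, but the file should say so.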
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml @@ -0,0 +1,18 @@ +- name: Install dnsmasq + apt: + name: dnsmasq +- name: Disable systemd-resolved + systemd: + name: systemd-resolved + enabled: false + state: stopped +- name: Copy dnsmasq configuration + copy: + src: "{{ role_path }}/files/dnsmasq.conf" + dest: "/etc/dnsmasq.conf" + register: config +- name: Enable dnsmasq + systemd: + name: dnsmasq + enabled: true + state: "{{ 'restarted' if config.changed else 'started' }}" diff --git a/legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2 b/legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2 new file mode 100644 index 0000000..fdbf48d --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2 @@ -0,0 +1,5 @@ +api=yes +api-key={{ api_key }} +webserver-address=0.0.0.0 +webserver-port=3000 +webserver-allow-from=0.0.0.0/0 diff --git a/legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2 b/legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2 new file mode 100644 index 0000000..7401f94 --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2 @@ -0,0 +1,5 @@ +launch=gpgsql +gpgsql-host=192.168.30.10 +gpgsql-dbname=powerdns +gpgsql-user=powerdns +gpgsql-password={{ postgresql_password }} diff --git a/legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml b/legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml new file mode 100644 index 0000000..d358e6e --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart powerdns + systemd: + name: pdns + state: restarted diff --git a/legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf b/legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf new file mode 100644 index 0000000..cd4116b --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf 
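Review bot: The `Copy dnsmasq configuration` task installs the file and the next task restarts the daemon without a syntax check, so one bad line takes DHCP and DNS down for the whole DMZ until the next run. `copy` supports `validate` and dnsmasq can test a config file, so add `validate: "dnsmasq --test -C %s"` to that task and the restart is never reached with a broken file. An explicit `mode: "0644"` would also stop the permissions depending on the controller's umask.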
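Review bot: `webserver-address=0.0.0.0` combined with `webserver-allow-from=0.0.0.0/0` in `api.conf.j2` exposes the PowerDNS REST API and webserver on every address of the VM to every source, guarded only by the static `api_key` over plain HTTP — and that API can create and rewrite zones for the domains this server is authoritative for. Bind it to the consumer's side (`webserver-address=192.168.30.7`, or `127.0.0.1` if the client is local) and narrow the allow list to that network, e.g. `webserver-allow-from=192.168.30.0/24`. If it must be reachable from elsewhere, put a TLS-terminating reverse proxy in front rather than widening the allow list.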
@@ -0,0 +1,4 @@ +local-address=192.168.30.7, 127.0.0.1, :: +default-soa-content=ns.@ noreply.@ 0 10800 3600 604800 3600 +# allow zone transfers from Transip ip's. see also: https://www.transip.nl/knowledgebase/artikel/26-nameservers-instellen-transip-nameservers-secondary/ +allow-axfr-ips=87.253.155.96/27,157.97.168.160/27 diff --git a/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml b/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml new file mode 100644 index 0000000..aa50105 --- /dev/null +++ b/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml @@ -0,0 +1,28 @@ +- name: Remove BIND powerdns config + file: + path: /etc/powerdns/pdns.d/bind.conf + state: absent + notify: restart powerdns + +- name: Copy postgresql powerdns config + template: + src: gpgsql.conf.j2 + dest: /etc/powerdns/pdns.d/gpgsql.conf + notify: restart powerdns + +- name: Add API powerdns config + template: + src: api.conf.j2 + dest: /etc/powerdns/pdns.d/api.conf + notify: restart powerdns + +- name: Overwrite powerdns config + copy: + src: overwrite.conf + dest: /etc/powerdns/pdns.d/overwrite.conf + notify: restart powerdns + +- name: Start powerdns + systemd: + name: pdns + state: started diff --git a/legacy/projects/hermes/ansible/show_leases.yml b/legacy/projects/hermes/ansible/show_leases.yml new file mode 100644 index 0000000..cdd7c8a --- /dev/null +++ b/legacy/projects/hermes/ansible/show_leases.yml @@ -0,0 +1,10 @@ +--- +- hosts: hermes + tasks: + - name: Read dnsmasq leases + command: cat /mnt/data/dnsmasq.leases + register: leases + + - name: Print dnsmasq leases + debug: + msg: "{{ leases.stdout_lines }}" diff --git a/legacy/projects/hermes/main.tf b/legacy/projects/hermes/main.tf new file mode 100644 index 0000000..ba4b00f --- /dev/null +++ b/legacy/projects/hermes/main.tf 
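Review bot: The `template` tasks that write `gpgsql.conf` and `api.conf` set no `owner`, `group` or `mode`, so files carrying the database password and the API key are created with the umask default — typically world-readable 0644 — and can be read by any local account, including the `dnsmasq` service user on the same VM. Add `owner: root`, `group: pdns` and `mode: "0640"` to those two tasks; the Debian `pdns-server` package runs as the `pdns` user, so the daemon still reads them. The `Start powerdns` task only starts the unit; `enabled: true` alongside `state: started` makes it survive a reboot unless the package already enables it.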
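Review bot: `show_leases.yml` reads `/mnt/data/dnsmasq.leases`, but the `dnsmasq.conf` added in this commit sets no `dhcp-leasefile=` and the commit message says leases no longer live on the data disk, so that path will not exist and the `command` task fails; on Debian the default lease file is `/var/lib/misc/dnsmasq.leases`. Either change the line to `command: cat /var/lib/misc/dnsmasq.leases`, or add an explicit `dhcp-leasefile=` to `dnsmasq.conf` and reference the same path from both files so they cannot drift apart again.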
@@ -0,0 +1,31 @@ +terraform { + backend "pg" { + schema_name = "hermes" + conn_str = "postgresql://terraform@jefke.hyp/terraformstates" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040 + } + } +} + +# https://libvirt.org/uri.html#libssh-and-libssh2-transport +provider "libvirt" { + alias = "atlas" + uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" +} + +module "hermes" { + source = "../../terraform_modules/debian" + name = "hermes" + ram = 1024 + storage = 25 + mac = "CA:FE:C0:FF:EE:07" + static_ip = "192.168.30.7/24" + providers = { + libvirt = libvirt.atlas + } +} diff --git a/terraform/modules/README.md b/legacy/terraform_modules/README.md similarity index 100% rename from terraform/modules/README.md rename to legacy/terraform_modules/README.md diff --git a/terraform/modules/debian/files/cloud_init.cfg.tftpl b/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl similarity index 100% rename from terraform/modules/debian/files/cloud_init.cfg.tftpl rename to legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl diff --git a/terraform/modules/debian/files/network_config.cfg b/legacy/terraform_modules/debian/files/network_config.cfg.tftpl similarity index 56% rename from terraform/modules/debian/files/network_config.cfg rename to legacy/terraform_modules/debian/files/network_config.cfg.tftpl index b7c4ff2..2690d23 100644 --- a/terraform/modules/debian/files/network_config.cfg +++ b/legacy/terraform_modules/debian/files/network_config.cfg.tftpl @@ -3,7 +3,13 @@ ethernets: ens: match: name: ens* +%{ if static_ip != null } + dhcp4: false + addresses: + - "${static_ip}" +%{ else } dhcp4: true +%{ endif} routes: - to: 0.0.0.0/0 via: 192.168.30.1 
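Review bot: The static branch of `network_config.cfg.tftpl` sets `dhcp4: false` and `addresses:` but no `nameservers:`, so a VM built with `static_ip` comes up with no resolver from netplan and depends on something else writing `/etc/resolv.conf` — for hermes that is the `Copy resolv.conf` task in `hermes.yml`, which only runs after the `cloudinit_wait` role, so any lookup cloud-init itself performs (package installs, for instance) happens without DNS. Adding `nameservers:` / `addresses: [192.168.30.1]` under the `%{ if static_ip != null }` branch (the same upstream the default route and `resolv.conf` already use) closes the gap; alternatively pass it in as a second template variable next to `static_ip`. The rest of the `ens:` stanza continues outside the hunk.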
diff --git a/terraform/modules/debian/main.tf b/legacy/terraform_modules/debian/main.tf similarity index 89% rename from terraform/modules/debian/main.tf rename to legacy/terraform_modules/debian/main.tf index 5616dc6..fd8597c 100644 --- a/terraform/modules/debian/main.tf +++ b/legacy/terraform_modules/debian/main.tf @@ -26,7 +26,9 @@ resource "libvirt_cloudinit_disk" "main" { user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", { hostname = var.name }) - network_config = file("${path.module}/files/network_config.cfg") + network_config = templatefile("${path.module}/files/network_config.cfg.tftpl", { + static_ip = var.static_ip + }) } resource "libvirt_domain" "main" { diff --git a/terraform/modules/debian/variables.tf b/legacy/terraform_modules/debian/variables.tf similarity index 80% rename from terraform/modules/debian/variables.tf rename to legacy/terraform_modules/debian/variables.tf index ae92434..db7ab43 100644 --- a/terraform/modules/debian/variables.tf +++ b/legacy/terraform_modules/debian/variables.tf @@ -17,3 +17,8 @@ variable "mac" { description = "MAC address" default = null } + +variable "static_ip" { + type = string + default = null +} diff --git a/terraform/modules/setup/main.tf b/legacy/terraform_modules/setup/main.tf similarity index 100% rename from terraform/modules/setup/main.tf rename to legacy/terraform_modules/setup/main.tf diff --git a/machines/default.nix b/machines/default.nix index 4d4457f..36e9fe5 100644 --- a/machines/default.nix +++ b/machines/default.nix 
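Review bot: `variable "static_ip"` in `variables.tf` has no `description`, unlike the neighbouring `mac` variable, and no validation, so a value without a prefix length (`"192.168.30.7"` instead of `"192.168.30.7/24"`) passes straight into the netplan template and only fails when the VM boots. A `validation` block that accepts null or a parseable CIDR catches it at plan time and documents the expected shape:
```hcl
variable "static_ip" {
  type        = string
  description = "Static IPv4 address with prefix length (e.g. 192.168.30.7/24); null means DHCP"
  default     = null

  validation {
    condition     = var.static_ip == null || can(cidrhost(var.static_ip, 0))
    error_message = "static_ip must be an IPv4 address in CIDR notation, e.g. 192.168.30.7/24."
  }
}
```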
@@ -1,38 +1,54 @@ { jefke = { name = "jefke"; - hostname = "jefke.hyp"; + hostName = "jefke.hyp"; - nixosModule = { - custom = { - dataDisk.enable = true; - terraformDatabase.enable = true; - k3s.enable = true; - disko.osDiskDevice = "/dev/nvme0n1"; + nixosModule.custom = { + dataDisk.enable = true; + terraformDatabase.enable = true; + # k3s.enable = true; + disko.osDiskDevice = "/dev/nvme0n1"; - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; - userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; - }; + ssh = { + useCertificates = true; + hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub; + userCert = builtins.readFile ./jefke_user_ed25519-cert.pub; }; }; }; atlas = { name = "atlas"; - hostname = "atlas.hyp"; + hostName = "atlas.hyp"; - nixosModule = { - custom = { - disko.osDiskDevice = "/dev/nvme0n1"; + nixosModule.custom = { + disko.osDiskDevice = "/dev/nvme0n1"; - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub; - userCert = builtins.readFile ./atlas_user_ed25519-cert.pub; - }; + ssh = { + useCertificates = true; + hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub; + userCert = builtins.readFile ./atlas_user_ed25519-cert.pub; }; }; }; + + # lewis = { + # name = "lewis"; + # hostName = "lewis.hyp"; + + # nixosModule.custom = { + # disko.osDiskDevice = "/dev/sda"; + + # dataDisk = { + # enable = true; + # devicePath = "/dev/nvme0n1p1"; + # }; + + # ssh = { + # useCertificates = true; + # hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub; + # userCert = builtins.readFile ./atlas_user_ed25519-cert.pub; + # }; + # }; + # }; } diff --git a/machines/lewis_host_ed25519-cert.pub b/machines/lewis_host_ed25519-cert.pub new file mode 100644 index 0000000..a430a63 --- /dev/null +++ b/machines/lewis_host_ed25519-cert.pub 
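Review bot: The commented-out `lewis` entry reads `./atlas_host_ed25519-cert.pub` and `./atlas_user_ed25519-cert.pub`, although this same commit adds `lewis_host_ed25519-cert.pub` and `lewis_user_ed25519-cert.pub` beside it; uncommenting the block as-is would make lewis present atlas's host certificate (presumably issued for principal `atlas.hyp`, so clients would reject it) and install the user certificate meant for atlas. Fix the two lines now, while the block is dormant: `hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub;` and `userCert = builtins.readFile ./lewis_user_ed25519-cert.pub;`. `# k3s.enable = true;` on jefke is also switched off without a word; a short why-comment (or a link to what blocks it) would stop the next reader from re-enabling it.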
@@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAP9Xu3G75HcVIVhrgiCKSM+YTkaCbTqI18NBdWikIlHAAAAIKfbZauF+7q3s7VxhvxdPT7XDapch0P3tD//U4/70D6cAAAAAAAAAAAAAAACAAAACWxld2lzLmh5cAAAAA0AAAAJbGV3aXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGHtz4FNkj0LuplU+12A/sx0bE4QeHLYhctXag9DSMGJz9yOpyMpK3PPKkm6leLdGYs7RUjxwXvcj+f4k16VXA0= root@atlas diff --git a/machines/lewis_user_ed25519-cert.pub b/machines/lewis_user_ed25519-cert.pub new file mode 100644 index 0000000..027e49d --- /dev/null +++ b/machines/lewis_user_ed25519-cert.pub @@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com 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 root@atlas diff --git a/terraform/modules/debian/files/get_cert.sh b/terraform/modules/debian/files/get_cert.sh deleted file mode 100755 index b6a6f85..0000000 --- a/terraform/modules/debian/files/get_cert.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -set -euo pipefail -IFS=$'\n\t' - -eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')" - -# TODO: Can this be done more eye-pleasingly? -set +e -CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$CAKEY"'" "'"$PUBKEY"'" "'"$HOST"'".dmz') -retval=$? -set -e - -if [ retval -neq 0 ]; then - CERT="" -fi - -jq -n --arg cert "$CERT" '{"cert":$cert}'