update to nixos 23.11
Enable static IP for terraformed VMs; restructure legacy code; move hermes code into this repo; don't use the data disk for hermes leases.
This commit is contained in:
parent
04e9ce3abb
commit
721623c8fc
28 changed files with 402 additions and 80 deletions
70
flake.lock
70
flake.lock
|
@ -9,11 +9,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696775529,
|
"lastModified": 1701216516,
|
||||||
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
|
"narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
|
||||||
"owner": "ryantm",
|
"owner": "ryantm",
|
||||||
"repo": "agenix",
|
"repo": "agenix",
|
||||||
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
|
"rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -51,11 +51,11 @@
|
||||||
"utils": "utils"
|
"utils": "utils"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1698921442,
|
"lastModified": 1702460489,
|
||||||
"narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=",
|
"narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=",
|
||||||
"owner": "serokell",
|
"owner": "serokell",
|
||||||
"repo": "deploy-rs",
|
"repo": "deploy-rs",
|
||||||
"rev": "660180bbbeae7d60dad5a92b30858306945fd427",
|
"rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -71,11 +71,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1699781810,
|
"lastModified": 1702569759,
|
||||||
"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
|
"narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
|
"rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -87,11 +87,11 @@
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1668681692,
|
"lastModified": 1696426674,
|
||||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
"owner": "edolstra",
|
"owner": "edolstra",
|
||||||
"repo": "flake-compat",
|
"repo": "flake-compat",
|
||||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -143,7 +143,7 @@
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"systems": "systems",
|
"systems": "systems_2",
|
||||||
"treefmt": "treefmt"
|
"treefmt": "treefmt"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -162,11 +162,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1671417167,
|
"lastModified": 1702272962,
|
||||||
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
|
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
|
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -178,11 +178,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1699725108,
|
"lastModified": 1702539185,
|
||||||
"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
|
"narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
|
"rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -194,16 +194,16 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1699291058,
|
"lastModified": 1702645756,
|
||||||
"narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
|
"narHash": "sha256-qKI6OR3TYJYQB3Q8mAZ+DG4o/BR9ptcv9UnRV2hzljc=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
|
"rev": "40c3c94c241286dd2243ea34d3aef8a488f9e4d0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"ref": "nixos-23.05",
|
"ref": "nixos-23.11",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -219,6 +219,21 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
@ -254,12 +269,15 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils": {
|
"utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1667395993,
|
"lastModified": 1701680307,
|
||||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
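--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
   description = "NixOS definitions for our physical servers";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     deploy-rs.url = "github:serokell/deploy-rs";
     kubenix = {
@@ -22,7 +22,7 @@
   };
 
   outputs =
-    { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, kubenix, ... }:
+    { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
@@ -45,18 +45,19 @@
     in
     {
       devShells.${system}.default = pkgs.mkShell {
-        packages = [
-          pkgs.libsecret
+        packages = with pkgs; [
+          libsecret
           # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow.
           # Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242
           # Should wait until this is merged in nixos-unstable.
           # pkgs-unstable.nixos-anywhere
           pkgs-unstable.deploy-rs
-          pkgs.openssl
-          pkgs.postgresql_15
-          pkgs-unstable.opentofu
-          pkgs.cdrtools
-          pkgs.kubectl
+          openssl
+          postgresql_15
+          opentofu
+          cdrtools
+          kubectl
+          ansible
         ];
       };
 
@@ -79,7 +80,7 @@
         user = "root";
 
         nodes = mkDeployNodes (machine: {
-          hostname = machine.hostname;
+          hostname = machine.hostName;
           profiles.hypervisor = {
             path = deploy-rs.lib.${system}.activate.nixos
               self.nixosConfigurations.${machine.name};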
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
terraform {
|
terraform {
|
||||||
backend "pg" {
|
backend "pg" {
|
||||||
schema_name = "testje"
|
schema_name = "dockerswarm"
|
||||||
conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
|
conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -24,14 +24,14 @@ provider "libvirt" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "setup_jefke" {
|
module "setup_jefke" {
|
||||||
source = "./modules/setup"
|
source = "../../terraform_modules/setup"
|
||||||
providers = {
|
providers = {
|
||||||
libvirt = libvirt.jefke
|
libvirt = libvirt.jefke
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "bancomart" {
|
module "bancomart" {
|
||||||
source = "./modules/debian"
|
source = "../../terraform_modules/debian"
|
||||||
name = "bancomart"
|
name = "bancomart"
|
||||||
ram = 4096
|
ram = 4096
|
||||||
storage = 25
|
storage = 25
|
||||||
|
@ -41,14 +41,14 @@ module "bancomart" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "setup_atlas" {
|
module "setup_atlas" {
|
||||||
source = "./modules/setup"
|
source = "../../terraform_modules/setup"
|
||||||
providers = {
|
providers = {
|
||||||
libvirt = libvirt.atlas
|
libvirt = libvirt.atlas
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "maestro" {
|
module "maestro" {
|
||||||
source = "./modules/debian"
|
source = "../../terraform_modules/debian"
|
||||||
name = "maestro"
|
name = "maestro"
|
||||||
ram = 8192
|
ram = 8192
|
||||||
storage = 35
|
storage = 35
|
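--- a/legacy/projects/hermes/ansible/ansible.cfg
+++ b/legacy/projects/hermes/ansible/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+vault_password_file=$HOME/.config/home/ansible-vault-secret
+interpreter_python=/usr/bin/python3
+host_key_checking = False
+
+[diff]
+always = True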
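Review bot: `host_key_checking = False` switches off SSH host-key verification for every host this inventory reaches, so anything that can impersonate 192.168.30.7 on the path to hermes is handed the session — and hosts.yml connects as root — without a warning. The rest of this commit already pins hosts: main.tf passes `known_hosts=/etc/ssh/ssh_known_hosts` to libvirt and group_vars carries the DMZ host CA public key, so the same trust can be reused here. Remove the line (the default is `True`) and either ship a known_hosts entry for hermes or add a `@cert-authority` line for the DMZ host CA to the controller's known_hosts.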
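--- a/legacy/projects/hermes/ansible/hermes.yml
+++ b/legacy/projects/hermes/ansible/hermes.yml
@@ -0,0 +1,25 @@
+- name: Wait for cloud-init to finish
+  hosts: all
+  gather_facts: no
+  roles:
+    - cloudinit_wait
+
+- name: Install services
+  hosts: all
+  pre_tasks:
+    - name: Delete externally managed environment file
+      shell:
+        cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+      register: rm
+      changed_when: "rm.rc == 0"
+      failed_when: "false"
+
+    - name: Copy resolv.conf
+      copy:
+        src: resolv.conf
+        dest: /etc/resolv.conf
+
+  roles:
+    - {role: apt, tags: apt}
+    - {role: dnsmasq, tags: dnsmasq}
+    - {role: powerdns, tags: powerdns}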
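Review bot: The `Delete externally managed environment file` pre-task removes Debian's PEP 668 marker, which re-enables `pip install` into the system Python, and `failed_when: "false"` then discards every outcome of the `rm`, including a real failure such as a read-only filesystem; nothing in the play says which role needs the marker gone. Add a comment above the task naming the consumer (the roles listed here are apt, dnsmasq and powerdns, none of which obviously uses pip) and narrow the error mask to the expected miss: `failed_when: rm.rc != 0 and 'No such file' not in rm.stderr`. If no role actually needs it, the task should go rather than stay as an unexplained hardening rollback.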
|
@ -0,0 +1,84 @@
|
||||||
|
apt_install_packages:
|
||||||
|
- qemu-guest-agent
|
||||||
|
- dnsutils
|
||||||
|
- pdns-server
|
||||||
|
- pdns-backend-pgsql
|
||||||
|
- postgresql-client
|
||||||
|
|
||||||
|
ssh_ca_dir: /root/ssh_ca
|
||||||
|
ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
|
||||||
|
ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
|
||||||
|
ssh_ca_user_ca_private_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
64343164666336316635323733353839373835316465653038333062386438363131353566626130
|
||||||
|
6531653835313838396638366330386331383533303435300a306333363238633864623864393665
|
||||||
|
31393036346532353134646466666465386633303061346662393430666532366137323866646561
|
||||||
|
3131653064323565370a656361326462336238333464353635303066323565633865663032313661
|
||||||
|
38366238613361626161633862353938326365306634303166346461366531663063343264353533
|
||||||
|
61656630633734643639333738616566326531653264306134363837616365643039626262613433
|
||||||
|
61656361326234313130386533363761366665383064643735316133313133643865616536306466
|
||||||
|
33303733663834646435303935633436383632306330616264343263303861313635383866636163
|
||||||
|
39653064373966643437636530326235653131616366396563386139333837616535616135323337
|
||||||
|
66626161336539356637373138613464376133373234353863383330313362623236633462386234
|
||||||
|
31386635613936306262346264343732623761303331623831353061343035626361623639326530
|
||||||
|
62643139663733666662623039396461623334666565663439613430353364626162653731303535
|
||||||
|
32396638393534363533303039343938346339656266303766613931316337333635373664643461
|
||||||
|
37303332386233663937636631373935613231356262346530323337393733373764613864616563
|
||||||
|
66383137393738316638393530616234653264613363383663366261303433636236326632323734
|
||||||
|
35616133386438613636663631653139386466303534636263393633633663303664326137373139
|
||||||
|
35626336653966396335623330663161333432306538316664376231616161353235353032633438
|
||||||
|
62363663613135616462323363333863376532623764663066616431636632653938666263383731
|
||||||
|
65666564656130383262373964386631643332323066386635643032663833306565643164376239
|
||||||
|
32383732393236336235363936303063663963343061306161643331623330326139663836323561
|
||||||
|
31353532313639613563393938643333326462653833623531613935363265333534663762333831
|
||||||
|
36376264636432656537313834373036623339306430333837323836303134323062306265356430
|
||||||
|
39663238363338666362663364643063613337646237356431383237616465643634313166643435
|
||||||
|
32623864313537336634373631396465643362333237646462336362656430653036656263613162
|
||||||
|
64306662313934643661333462306336333561626335303866306131326538653264343465633139
|
||||||
|
3466663135663239616135353764373532323935613233316132
|
||||||
|
ssh_ca_host_ca_private_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
34613835376232653534353636303364613437666563653530363564346164656136643732626234
|
||||||
|
6430316165623933666461646639303435386433333335660a393538303835616366333066353665
|
||||||
|
64663236353233383236656365356264653963366464303433313133386430646230363634353465
|
||||||
|
6365313836666534330a633832303963616162623631663732623236383665383333323032383364
|
||||||
|
36313663366461643733373836326335386562663362326438353033376431356537326133646338
|
||||||
|
31623064303662616464343639346663323437333038346664393166333930336539373031313161
|
||||||
|
39343365373238383661343234666430336131323666313032333666306333366566336361383536
|
||||||
|
64626261363138323766306239303133376632386235666633363461303135613865343161356266
|
||||||
|
33333634613761616336653162396662633131333336613264663764333761633032313436376534
|
||||||
|
65376631383239666235313939363265643364376638623630373839303236633635356431356263
|
||||||
|
66366535656335326335616666316534366232353262336164663562613439623135303262356130
|
||||||
|
36316134366366623331393230396132366535356435613563663937376639653339343761306431
|
||||||
|
33353331306334336133316234326133663939636430376139376231383966346363303362386265
|
||||||
|
32356166363231613962383434333536356138623039663561313137653037663231666666646230
|
||||||
|
66323932333031626637616434383737623634353933613861326666313737636133333438656634
|
||||||
|
31363461373639366464343836333031313632346465346535303139623038633330356334633866
|
||||||
|
61303765353439303966623030303966656465353538323932343536393764616566386261306466
|
||||||
|
36343237393333376366303933373139353161376262333739353138666162663339393136303634
|
||||||
|
39383433323563666661313631613761343532373736386537626433323631323465623736653165
|
||||||
|
35356163356361346438366430636563656531363164306534353865393039643136366634323638
|
||||||
|
62656261396635353332376661353661353931663932386465643238343031376235363239303832
|
||||||
|
63393437613362623963306364356363396134623739656265326433356134303835356266326465
|
||||||
|
64623631353163653438376534316162666330663963363064326161656335383639356164393237
|
||||||
|
39346231666362313632363737623139373632376461373362656563616566633265653438393361
|
||||||
|
39393734393061653639313365633931373963666635316138663538356265386562373837393530
|
||||||
|
6537646639613534666533626339356335396634613765616664
|
||||||
|
|
||||||
|
api_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
65376335393463353232386437613533396261383332653738323764633965393262363239376165
|
||||||
|
3566666139376135643833343535663130353631326466610a623161633238363338633461383434
|
||||||
|
63373365613765663830613565313164323938336338616666313365623261663037626132623531
|
||||||
|
3638653833626532300a656632356563613631633162643464356236396635633237376133323433
|
||||||
|
37363261376535306161393039396333656430323534616462393366643662306631306339346363
|
||||||
|
3065303163643732613435323561663035646365383237643464
|
||||||
|
|
||||||
|
postgresql_password: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
64646633623535383761356434643064383736626638333738323363393037393133363130623361
|
||||||
|
3965323132656263393365366131343732646239316564390a613263386166383438366162303561
|
||||||
|
63626162656337313034663830626432303437363764653336613338393038393737663238313737
|
||||||
|
3164323834393165380a393138363265393963613835376331623735303538316162343036306230
|
||||||
|
63633335343332313861393135366332313061353064306265653631613735336631653438383066
|
||||||
|
3034323733323333646532613233666333323363643534336233
|
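Review bot: `ssh_ca_user_ca_private_key` and `ssh_ca_host_ca_private_key` are the signing keys for every DMZ user and host certificate, and with `ssh_ca_dir: /root/ssh_ca` they look destined for the hermes VM — yet none of the roles hermes.yml runs (apt, dnsmasq, powerdns) references `ssh_ca_*`, so after this move the keys ride along in group_vars with no visible consumer. Vault keeps them encrypted at rest, but the vault password is a plain file (`$HOME/.config/home/ansible-vault-secret` per ansible.cfg), so that file is the effective secret for both CAs. I'd move the CA material to its own group (or off the DHCP/DNS host altogether, the way the removed signing helper talked to a separate `CAHOST`), and if the private keys were ever committed unencrypted in the old repository — not visible here — rotate both CAs. Until then a comment such as `# DMZ SSH CA material — not used by hermes.yml; kept for the certificate-signing host` above the block would stop the next reader from deploying it by accident.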
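--- a/legacy/projects/hermes/ansible/inventory/hosts.yml
+++ b/legacy/projects/hermes/ansible/inventory/hosts.yml
@@ -0,0 +1,5 @@
+all:
+  hosts:
+    hermes:
+      ansible_user: root
+      ansible_host: 192.168.30.7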
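--- a/legacy/projects/hermes/ansible/requirements.yml
+++ b/legacy/projects/hermes/ansible/requirements.yml
@@ -0,0 +1,9 @@
+- name: apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
+  scm: git
+- name: cloudinit_wait
+  src: https://git.kun.is/pim/ansible-role-cloudinit-wait
+  scm: git
+- name: postgresql_database
+  src: https://git.kun.is/home/ansible-role-postgresql-database
+  scm: git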
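Review bot: None of the three roles pins a `version`, so `ansible-galaxy install` checks out whatever the default branch of `github.com/sunscrapers/ansible-role-apt` and the two git.kun.is repositories points at on the day it runs, and that code then executes as root on hermes (hosts.yml sets `ansible_user: root`). A force-push or account compromise upstream becomes arbitrary code on the DMZ's DNS/DHCP server with no diff to review. Pin each entry to a commit, `version: <40-hex commit sha>` under each `src:`, and bump deliberately.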
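--- a/legacy/projects/hermes/ansible/resolv.conf
+++ b/legacy/projects/hermes/ansible/resolv.conf
@@ -0,0 +1 @@
+nameserver 192.168.30.1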
|
@ -0,0 +1,51 @@
|
||||||
|
# Disable /etc/resolv.conf
|
||||||
|
no-resolv
|
||||||
|
# Upstream DNS server
|
||||||
|
server=192.168.30.1
|
||||||
|
# Always serve .dmz locally
|
||||||
|
local=/dmz/
|
||||||
|
# Put all clients in the dmz domain
|
||||||
|
dhcp-fqdn
|
||||||
|
# Don't read /etc/hosts
|
||||||
|
no-hosts
|
||||||
|
# Domain is automatically added to if missing
|
||||||
|
expand-hosts
|
||||||
|
# Domain that is used for DHCP on this network
|
||||||
|
domain=dmz
|
||||||
|
# IPv4 DHCP range
|
||||||
|
dhcp-authoritative
|
||||||
|
dhcp-range=192.168.30.50,192.168.30.127,15m
|
||||||
|
# Predefined DHCP hosts
|
||||||
|
dhcp-host=b8:27:eb:b9:ab:e2,esrom
|
||||||
|
dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3
|
||||||
|
dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8
|
||||||
|
dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9
|
||||||
|
dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10
|
||||||
|
dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11
|
||||||
|
# Advertise router
|
||||||
|
dhcp-option=3,192.168.30.1
|
||||||
|
# Always send the IPv6 DNS server address (this machine)
|
||||||
|
dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]
|
||||||
|
# Advertise SLAAC for the given prefix
|
||||||
|
dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names
|
||||||
|
# Do not advertise default gateway via DHCPv6
|
||||||
|
ra-param=*,0,0
|
||||||
|
# Alias public IP address to local
|
||||||
|
alias=84.245.14.149,192.168.30.8
|
||||||
|
# Override DNS servers for our domains
|
||||||
|
server=/pizzapim.nl/192.168.30.7
|
||||||
|
server=/geokunis2.nl/192.168.30.7
|
||||||
|
server=/pim.kunis.nl/192.168.30.7
|
||||||
|
server=/kun.is/192.168.30.7
|
||||||
|
# Enable extended logging
|
||||||
|
log-dhcp
|
||||||
|
log-queries
|
||||||
|
# Resolve hermes.dmz to addresses on main NIC
|
||||||
|
interface-name=hermes.dmz,ens3
|
||||||
|
# Non-conventional port because we also run nsd on this machine
|
||||||
|
port=5353
|
||||||
|
# Override addresses of name servers
|
||||||
|
address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7
|
||||||
|
address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07
|
||||||
|
# Advertise DNS server
|
||||||
|
dhcp-option=option:dns-server,192.168.30.1
|
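Review bot: The config never restricts where dnsmasq listens — there is no `interface=`, `listen-address=` or `bind-interfaces`, and no `local-service` — so with `server=192.168.30.1` as upstream it answers and forwards recursive queries for any client that can reach port 5353 on any address hermes has, not only the DMZ. `interface-name=hermes.dmz,ens3` shows ens3 is the intended NIC, so `interface=ens3` plus `bind-interfaces` (or simply `local-service`) would close that; I cannot see from here whether the VM has a second interface, so treat the reachability as a hedge, but the allow-list costs nothing. `log-queries` also records every client's lookups in the journal — if that is for debugging, say so in the comment or drop it.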
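--- a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install dnsmasq
+  apt:
+    name: dnsmasq
+- name: Disable systemd-resolved
+  systemd:
+    name: systemd-resolved
+    enabled: false
+    state: stopped
+- name: Copy dnsmasq configuration
+  copy:
+    src: "{{ role_path }}/files/dnsmasq.conf"
+    dest: "/etc/dnsmasq.conf"
+  register: config
+- name: Enable dnsmasq
+  systemd:
+    name: dnsmasq
+    enabled: true
+    state: "{{ 'restarted' if config.changed else 'started' }}"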
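Review bot: `Copy dnsmasq configuration` installs /etc/dnsmasq.conf and the next task restarts the daemon on any change without checking the file first, so a typo in dnsmasq.conf takes DHCP and DNS down for the whole DMZ until someone fixes it by hand. Add `validate: "dnsmasq --test -C %s"` to the `copy` task so the restart only happens with a config dnsmasq accepts. `Disable systemd-resolved` stops and disables the unit but does not mask it, so it may come back on a package upgrade; `masked: true` next to `enabled: false` makes the replacement stick.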
|
@ -0,0 +1,5 @@
|
||||||
|
api=yes
|
||||||
|
api-key={{ api_key }}
|
||||||
|
webserver-address=0.0.0.0
|
||||||
|
webserver-port=3000
|
||||||
|
webserver-allow-from=0.0.0.0/0
|
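Review bot: `webserver-address=0.0.0.0` together with `webserver-allow-from=0.0.0.0/0` publishes the PowerDNS HTTP API — which can create and rewrite zones with the key — on every interface to every source over plain HTTP, so `api-key` is the only control and it travels in cleartext. Whatever drives this API is not visible in this commit; bind to the address it actually reaches hermes on and allow only that network, e.g. `webserver-address=192.168.30.7` and `webserver-allow-from=192.168.30.0/24`, or `127.0.0.1` / `127.0.0.1/32` behind an SSH tunnel if the caller is local. A one-line comment naming the consumer would let the next person tighten it further.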
|
@ -0,0 +1,5 @@
|
||||||
|
launch=gpgsql
|
||||||
|
gpgsql-host=192.168.30.10
|
||||||
|
gpgsql-dbname=powerdns
|
||||||
|
gpgsql-user=powerdns
|
||||||
|
gpgsql-password={{ postgresql_password }}
|
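Review bot: The backend connects to 192.168.30.10 with the password from `gpgsql-password` but no TLS requirement, so the credential and every zone lookup cross the DMZ unencrypted and the database server is never authenticated. If the installed pdns supports it (I cannot confirm the version from this commit), add `gpgsql-extra-connection-parameters=sslmode=require`, moving to `verify-full` once the server certificate is trusted. The rendered file also carries the password verbatim, so the template task that writes it should set a restrictive `mode`.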
|
@ -0,0 +1,4 @@
|
||||||
|
- name: restart powerdns
|
||||||
|
systemd:
|
||||||
|
name: pdns
|
||||||
|
state: restarted
|
|
@ -0,0 +1,4 @@
|
||||||
|
local-address=192.168.30.7, 127.0.0.1, ::
|
||||||
|
default-soa-content=ns.@ noreply.@ 0 10800 3600 604800 3600
|
||||||
|
# allow zone transfers from Transip ip's. see also: https://www.transip.nl/knowledgebase/artikel/26-nameservers-instellen-transip-nameservers-secondary/
|
||||||
|
allow-axfr-ips=87.253.155.96/27,157.97.168.160/27
|
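--- a/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml
+++ b/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: Remove BIND powerdns config
+  file:
+    path: /etc/powerdns/pdns.d/bind.conf
+    state: absent
+  notify: restart powerdns
+
+- name: Copy postgresql powerdns config
+  template:
+    src: gpgsql.conf.j2
+    dest: /etc/powerdns/pdns.d/gpgsql.conf
+  notify: restart powerdns
+
+- name: Add API powerdns config
+  template:
+    src: api.conf.j2
+    dest: /etc/powerdns/pdns.d/api.conf
+  notify: restart powerdns
+
+- name: Overwrite powerdns config
+  copy:
+    src: overwrite.conf
+    dest: /etc/powerdns/pdns.d/overwrite.conf
+  notify: restart powerdns
+
+- name: Start powerdns
+  systemd:
+    name: pdns
+    state: started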
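Review bot: Both `template` tasks write files that contain secrets (`api-key` in api.conf, `gpgsql-password` in gpgsql.conf) without `owner`, `group` or `mode`, so the rendered files get the module's default permissions — normally 0644 — and any local account on hermes can read the API key and the database password. Add `owner: root`, `group: pdns`, `mode: "0640"` to both tasks (pdns is the service account the Debian package runs as; confirm on the host). The `copy` task for overwrite.conf can take the same three lines for consistency.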
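--- a/legacy/projects/hermes/ansible/show_leases.yml
+++ b/legacy/projects/hermes/ansible/show_leases.yml
@@ -0,0 +1,10 @@
+---
+- hosts: hermes
+  tasks:
+    - name: Read dnsmasq leases
+      command: cat /mnt/data/dnsmasq.leases
+      register: leases
+
+    - name: Print dnsmasq leases
+      debug:
+        msg: "{{ leases.stdout_lines }}"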
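Review bot: `command: cat /mnt/data/dnsmasq.leases` still reads from the data disk that this commit says hermes no longer uses for leases, and dnsmasq.conf sets no `dhcp-leasefile`, so dnsmasq now writes its default lease file (on Debian `/var/lib/misc/dnsmasq.leases`) and this task will fail with "No such file". Either change it to `command: cat /var/lib/misc/dnsmasq.leases`, or better replace the `command` with `ansible.builtin.slurp` pointed at that path. Setting `dhcp-leasefile=` explicitly in dnsmasq.conf would keep the playbook and the daemon agreeing on one location.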
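--- a/legacy/projects/hermes/main.tf
+++ b/legacy/projects/hermes/main.tf
@@ -0,0 +1,31 @@
+terraform {
+  backend "pg" {
+    schema_name = "hermes"
+    conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+      version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
+    }
+  }
+}
+
+# https://libvirt.org/uri.html#libssh-and-libssh2-transport
+provider "libvirt" {
+  alias = "atlas"
+  uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
+}
+
+module "hermes" {
+  source = "../../terraform_modules/debian"
+  name = "hermes"
+  ram = 1024
+  storage = 25
+  mac = "CA:FE:C0:FF:EE:07"
+  static_ip = "192.168.30.7/24"
+  providers = {
+    libvirt = libvirt.atlas
+  }
+}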
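Review bot: `conn_str = "postgresql://terraform@jefke.hyp/terraformstates"` carries no `sslmode`, so libpq's default `prefer` applies: the state — which holds the VM's resource attributes, including the cloud-init payload — crosses the network in the clear if the server does not offer TLS, and the server is never authenticated either way. Append `?sslmode=verify-full` (or at least `require`) once jefke's PostgreSQL presents a certificate the controller trusts; the dockerswarm main.tf in this commit uses the identical string and should change with it. The libvirt URI pinning the hypervisor through `known_hosts=/etc/ssh/ssh_known_hosts` is the right pattern — a short comment that the provider needs root on atlas.hyp would explain the `root@`.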
|
@ -3,7 +3,13 @@ ethernets:
|
||||||
ens:
|
ens:
|
||||||
match:
|
match:
|
||||||
name: ens*
|
name: ens*
|
||||||
|
%{ if static_ip != null }
|
||||||
|
dhcp4: false
|
||||||
|
addresses:
|
||||||
|
- "${static_ip}"
|
||||||
|
%{ else }
|
||||||
dhcp4: true
|
dhcp4: true
|
||||||
|
%{ endif}
|
||||||
routes:
|
routes:
|
||||||
- to: 0.0.0.0/0
|
- to: 0.0.0.0/0
|
||||||
via: 192.168.30.1
|
via: 192.168.30.1
|
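Review bot: In the `static_ip` branch the interface stops doing DHCP, but the template sets no `nameservers:`, so a VM built with `static_ip` boots with an address and the hard-coded default route (`via: 192.168.30.1`, shared by both branches) and no resolver at all; hermes is rescued only because the playbook overwrites /etc/resolv.conf. Add inside the static branch `nameservers:` followed by `addresses: [192.168.30.1]` (the resolver this commit's resolv.conf uses), or pass the resolver in as a second template variable next to `static_ip`. The `ethernets:` block this hunk edits opens before the hunk; `%{ endif}` is also inconsistent with `%{ else }` and reads better as `%{ endif }`.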
|
@ -26,7 +26,9 @@ resource "libvirt_cloudinit_disk" "main" {
|
||||||
user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", {
|
user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", {
|
||||||
hostname = var.name
|
hostname = var.name
|
||||||
})
|
})
|
||||||
network_config = file("${path.module}/files/network_config.cfg")
|
network_config = templatefile("${path.module}/files/network_config.cfg.tftpl", {
|
||||||
|
static_ip = var.static_ip
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "libvirt_domain" "main" {
|
resource "libvirt_domain" "main" {
|
|
@ -17,3 +17,8 @@ variable "mac" {
|
||||||
description = "MAC address"
|
description = "MAC address"
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "static_ip" {
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
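Review bot: `static_ip` is accepted as any string and spliced into the netplan `addresses:` list without validation or a `description`, so a value lacking a prefix length (`"192.168.30.7"`) or a typo is only rejected by netplan inside the guest at first boot, leaving a VM that Terraform reports as created but that is unreachable. Add a `validation` block requiring CIDR notation whenever the value is not null, and document that null means DHCP. The block below replaces the `static_ip` variable added here; the `mac` variable above it is unchanged.

```hcl
variable "static_ip" {
  type        = string
  default     = null
  description = "IPv4 address with prefix length, e.g. 192.168.30.7/24; null keeps DHCP"

  validation {
    condition     = var.static_ip == null || can(regex("^\\d{1,3}(\\.\\d{1,3}){3}/\\d{1,2}$", var.static_ip))
    error_message = "static_ip must be an IPv4 address in CIDR notation (a.b.c.d/nn) or null."
  }
}
```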
|
@ -1,38 +1,54 @@
|
||||||
{
|
{
|
||||||
jefke = {
|
jefke = {
|
||||||
name = "jefke";
|
name = "jefke";
|
||||||
hostname = "jefke.hyp";
|
hostName = "jefke.hyp";
|
||||||
|
|
||||||
nixosModule = {
|
nixosModule.custom = {
|
||||||
custom = {
|
dataDisk.enable = true;
|
||||||
dataDisk.enable = true;
|
terraformDatabase.enable = true;
|
||||||
terraformDatabase.enable = true;
|
# k3s.enable = true;
|
||||||
k3s.enable = true;
|
disko.osDiskDevice = "/dev/nvme0n1";
|
||||||
disko.osDiskDevice = "/dev/nvme0n1";
|
|
||||||
|
|
||||||
ssh = {
|
ssh = {
|
||||||
useCertificates = true;
|
useCertificates = true;
|
||||||
hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
|
hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
|
||||||
userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
|
userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
atlas = {
|
atlas = {
|
||||||
name = "atlas";
|
name = "atlas";
|
||||||
hostname = "atlas.hyp";
|
hostName = "atlas.hyp";
|
||||||
|
|
||||||
nixosModule = {
|
nixosModule.custom = {
|
||||||
custom = {
|
disko.osDiskDevice = "/dev/nvme0n1";
|
||||||
disko.osDiskDevice = "/dev/nvme0n1";
|
|
||||||
|
|
||||||
ssh = {
|
ssh = {
|
||||||
useCertificates = true;
|
useCertificates = true;
|
||||||
hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
|
hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
|
||||||
userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
|
userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# lewis = {
|
||||||
|
# name = "lewis";
|
||||||
|
# hostName = "lewis.hyp";
|
||||||
|
|
||||||
|
# nixosModule.custom = {
|
||||||
|
# disko.osDiskDevice = "/dev/sda";
|
||||||
|
|
||||||
|
# dataDisk = {
|
||||||
|
# enable = true;
|
||||||
|
# devicePath = "/dev/nvme0n1p1";
|
||||||
|
# };
|
||||||
|
|
||||||
|
# ssh = {
|
||||||
|
# useCertificates = true;
|
||||||
|
# hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
|
||||||
|
# userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# };
|
||||||
}
|
}
|
||||||
|
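Review bot: The commented-out `lewis` entry reads `./atlas_host_ed25519-cert.pub` and `./atlas_user_ed25519-cert.pub`, while this same commit adds `machines/lewis_host_ed25519-cert.pub` and `machines/lewis_user_ed25519-cert.pub`; whoever uncomments the block will deploy atlas's certificates (presumably issued for `atlas.hyp`) onto lewis, which clients checking principals should reject and which is painful to debug. Change the two lines now to `hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub;` and `userCert = builtins.readFile ./lewis_user_ed25519-cert.pub;` so the block is correct when enabled. The `# k3s.enable = true;` line on jefke is also disabled with no reason given — a `# disabled: …` comment would save the next reader a bisect.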
|
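--- a/machines/lewis_host_ed25519-cert.pub
+++ b/machines/lewis_host_ed25519-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAP9Xu3G75HcVIVhrgiCKSM+YTkaCbTqI18NBdWikIlHAAAAIKfbZauF+7q3s7VxhvxdPT7XDapch0P3tD//U4/70D6cAAAAAAAAAAAAAAACAAAACWxld2lzLmh5cAAAAA0AAAAJbGV3aXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGHtz4FNkj0LuplU+12A/sx0bE4QeHLYhctXag9DSMGJz9yOpyMpK3PPKkm6leLdGYs7RUjxwXvcj+f4k16VXA0= root@atlas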
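Review bot: Decoding the certificate body (serial, type 2 = host, key id and principal `lewis.hyp`, then the validity window), `valid_after` is 0 and `valid_before` is all ones, so this host certificate never expires, and its serial is 0 — the "unnumbered" value — which makes revoking it individually by serial impractical; a leaked lewis host key would stay trusted by every DMZ client indefinitely. Re-issue with a bounded validity and a serial, e.g. `ssh-keygen -s <host-ca> -I lewis.hyp -h -n lewis.hyp -V +52w -z 1 lewis_host_ed25519.pub`, and give the renewal a home now that the signing helper script was removed in this commit. The atlas and jefke certificates are not shown here but likely deserve the same check.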
1
machines/lewis_user_ed25519-cert.pub
Normal file
1
machines/lewis_user_ed25519-cert.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ssh-ed25519-cert-v01@openssh.com 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 root@atlas
|
|
@ -1,17 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
set -euo pipefail
|
|
||||||
IFS=$'\n\t'
|
|
||||||
|
|
||||||
eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')"
|
|
||||||
|
|
||||||
# TODO: Can this be done more eye-pleasingly?
|
|
||||||
set +e
|
|
||||||
CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$CAKEY"'" "'"$PUBKEY"'" "'"$HOST"'".dmz')
|
|
||||||
retval=$?
|
|
||||||
set -e
|
|
||||||
|
|
||||||
if [ retval -neq 0 ]; then
|
|
||||||
CERT=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
jq -n --arg cert "$CERT" '{"cert":$cert}'
|
|