Stop assuming rockylinux has firewalld installed by default

Add project resource assignments
Add scipio project
2023-05-19 16:39:52 -04:00 · 2023-05-07 16:16:03 -04:00 · 2023-05-07 16:06:53 -04:00 · 2023-05-07 16:04:25 -04:00 · 2023-05-07 15:49:14 -04:00 · 2023-05-07 15:48:29 -04:00
10 changed files with 293 additions and 188 deletions
--- a/inventory/en1.old.yaml
+++ b/inventory/en1.old.yaml
@@ -0,0 +1,166 @@
 ---
 workstation:
  hosts:
    voyager:
      skylab_description: Personal Workstation
      skylab_hostname: voyager.skylab.enp.one
      skylab_targets: [workstation]
 en1:
  vars:
    skylab_location: Newton MA
    skylab_dashboard: info.en1.local
    # gross hack for now, will be refactored later
    _skylab_adguard_nat_rule: 9
  hosts:
    core:
      ansible_host: 10.42.101.1
      ansible_port: 4242
      ansible_network_os: edgeos
      skylab_description: EN1 Core Router
    iridium:
      ansible_host: 10.42.101.200
      skylab_description: Local Monitor Node
      skylab_hostname: iridium.skylab.enp.one
      skylab_targets: [network]
      skylab_networking:
        enp4s0:
          firewall: internal
          dhcp: false
          gateway: 10.42.101.1/24
          dns:
            - 10.42.101.1
          addresses:
            - 10.42.101.200/24
  children:
    cluster:
      vars:
        skylab_targets: [cluster, datastore]
        skylab_compose_version: 3.8
        skylab_compose_dir: "{{ skylab_state_dir }}/compose"
      hosts:
        pegasus:  # jupiter
          ansible_host: 10.42.101.100
          skylab_hostname: pegasus.skylab.enp.one
          skylab_legacy_names:
            - jupiter.net.enp.one
            - jupiter.svr.local
          skylab_description: Arbiter Node
          skylab_cluster:
            address:
              access: 10.42.101.10/24
              internal: 192.168.42.10/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_datastore_device: sdb
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
              addresses:
                - 10.42.101.100/24
                - 192.168.255.255/32
              dhcp: false
            bond0.99:
              device: vlan
              firewall: trusted
              addresses:
                - 192.168.42.10/24
              dhcp: false
        saturn:  # remus
          ansible_host: 10.42.101.110
          skylab_hostname: saturn.skylab.enp.one
          skylab_legacy_names:
            - remus.net.enp.one
            - remus.svr.local
          skylab_description: Operational Node
          skylab_cluster:
            address:
              access: 10.42.101.11/24
              internal: 192.168.42.20/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              dhcp: false
              gateway: 10.42.101.1/24
              addresses:
                - 10.42.101.110/24
                - 192.168.255.255/32
              dns:
                - 10.42.101.1
            bond0.99:
              device: vlan
              firewall: trusted
              dhcp: false
              addresses:
                - 192.168.42.20/24
        orion:  # romulus
          ansible_host: 10.42.101.120
          skylab_hostname: orion.skylab.enp.one
          skylab_legacy_names:
            - romulus.net.enp.one
            - romulus.svr.local
          skylab_description: Operational Node
          skylab_cluster:
            address:
              access: 10.42.101.12/24
              internal: 192.168.42.30/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_datastore_device: sdb
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
              addresses:
                - 10.42.101.120/24
                - 192.168.255.255/32
              dhcp: false
            bond0.99:
              device: vlan
              firewall: trusted
              addresses:
                - 192.168.42.30/24
              dhcp: false
 en2:
  vars:
    skylab_location: DigitalOcean TOR1
  hosts:
    hubble:
      ansible_host: en2a.enp.one
      skylab_hostname: hubble.en2.enp.one
      skylab_description: Cloud Web Server
      skylab_targets: [cloud]
--- a/inventory/en1.yaml
+++ b/inventory/en1.yaml
@@ -1,175 +1,51 @@
 ---
 all:
  children:
    en1: {}
  vars:
    skylab_pip_version: 19.3.1
    ansible_user: ansible
    ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
 workstation:
  hosts:
    voyager:
      skylab_description: Personal Workstation
      skylab_hostname: voyager.skylab.enp.one
      skylab_targets: [workstation]
 en1:
  vars:
-    skylab_location: Newton MA
+    skylab_location: Cambridge
    skylab_dashboard: info.en1.local
    # gross hack for now, will be refactored later
    _skylab_adguard_nat_rule: 9
  hosts:
    core:
      ansible_host: 10.42.101.1
      ansible_port: 4242
      ansible_network_os: edgeos
      skylab_description: EN1 Core Router
    iridium:
      ansible_host: 10.42.101.200
      skylab_description: Local Monitor Node
      skylab_hostname: iridium.skylab.enp.one
      skylab_targets: [network]
      skylab_networking:
        enp4s0:
          firewall: internal
          dhcp: false
          gateway: 10.42.101.1/24
          dns:
            - 10.42.101.1
          addresses:
            - 10.42.101.200/24
  children:
    domain:
      children:
-    cluster:
+        cluster:
-      vars:
+          hosts:
-        skylab_targets: [cluster, datastore]
+            canaveral:
-        skylab_compose_version: 3.8
+              ansible_host: 10.42.101.10
-        skylab_compose_dir: "{{ skylab_state_dir }}/compose"
+              skylab_description: Compute and Storage Node
            baikonur:
              ansible_host: 10.42.101.11
              skylab_description: Compute and Storage Node
            vandenberg:
              ansible_host: 10.42.101.12
              skylab_description: Compute and Storage Node
            andoya:
              ansible_host: 10.42.101.13
              skylab_description: Auxilary Compute Node
            jiuquan:
              ansible_host: 10.42.101.14
              skylab_description: Auxilary Compute Node
        datastore:
          hosts:
            canaveral:
              skylab_datastore_block: /dev/sda
            baikonur:
              skylab_datastore_block: /dev/sda
            vandenberg:
              skylab_datastore_block: /dev/sda
        hosts:
          3d-printer: {}
          mediastore: {}
          backstore: {}
    local:
      hosts:
-        pegasus:  # jupiter
+        core: {}
-          ansible_host: 10.42.101.100
+        switch-1: {}
-          skylab_hostname: pegasus.skylab.enp.one
+        switch-2: {}
-          skylab_legacy_names:
+        wap-1: {}
-            - jupiter.net.enp.one
+        wap-2: {}
-            - jupiter.svr.local
+        wap-3: {}
-          skylab_description: Arbiter Node
+        printer: {}
          skylab_cluster:
            address:
              access: 10.42.101.10/24
              internal: 192.168.42.10/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_datastore_device: sdb
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
              addresses:
                - 10.42.101.100/24
                - 192.168.255.255/32
              dhcp: false
            bond0.99:
              device: vlan
              firewall: trusted
              addresses:
                - 192.168.42.10/24
              dhcp: false
        saturn:  # remus
          ansible_host: 10.42.101.110
          skylab_hostname: saturn.skylab.enp.one
          skylab_legacy_names:
            - remus.net.enp.one
            - remus.svr.local
          skylab_description: Operational Node
          skylab_cluster:
            address:
              access: 10.42.101.11/24
              internal: 192.168.42.20/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              dhcp: false
              gateway: 10.42.101.1/24
              addresses:
                - 10.42.101.110/24
                - 192.168.255.255/32
              dns:
                - 10.42.101.1
            bond0.99:
              device: vlan
              firewall: trusted
              dhcp: false
              addresses:
                - 192.168.42.20/24
        orion:  # romulus
          ansible_host: 10.42.101.120
          skylab_hostname: orion.skylab.enp.one
          skylab_legacy_names:
            - romulus.net.enp.one
            - romulus.svr.local
          skylab_description: Operational Node
          skylab_cluster:
            address:
              access: 10.42.101.12/24
              internal: 192.168.42.30/24
            interface:
              access: bond0
              internal: bond0.99
          skylab_datastore_device: sdb
          skylab_networking:
            eno1:
              bond: bond0
            eno2:
              bond: bond0
            bond0:
              device: bond
              firewall: internal
              gateway: 10.42.101.1/24
              dns:
                - 10.42.101.1
              addresses:
                - 10.42.101.120/24
                - 192.168.255.255/32
              dhcp: false
            bond0.99:
              device: vlan
              firewall: trusted
              addresses:
                - 192.168.42.30/24
              dhcp: false
 en2:
  vars:
    skylab_location: DigitalOcean TOR1
  hosts:
    hubble:
      ansible_host: en2a.enp.one
      skylab_hostname: hubble.en2.enp.one
      skylab_description: Cloud Web Server
      skylab_targets: [cloud]
--- a/inventory/group_vars/all.yaml
+++ b/inventory/group_vars/all.yaml
@@ -1,4 +1,8 @@
 ---
 ansible_user: ansible
 ansible_port: 4242
 skylab_state_dir: /var/lib/skylab
 skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
--- a/skylab/infra/playbooks/bootstrap.yml
+++ b/skylab/infra/playbooks/bootstrap.yml
@@ -168,6 +168,18 @@
      setype: ssh_port_t
      state: present
  - name: Install Firewalld
    become: true
    ansible.builtin.dnf:
      name: firewalld
      state: present
  - name: Enable Firewalld
    become: true
    ansible.builtin.service:
      name: firewalld
      enabled: true
  - name: Grant SSHD firewall access to the mgmt port
    become: true
    ansible.posix.firewalld:
--- a/skylab/infra/playbooks/terraform/domain.enp.tf
+++ b/skylab/infra/playbooks/terraform/domain.enp.tf
@@ -17,7 +17,7 @@ resource "digitalocean_record" "enp_en1" {
  domain = digitalocean_domain.enp.id
  type   = "A"
  name   = "en1"
-  value  = "24.2.156.189"
+  value  = digitalocean_record.enp.value
  ttl    = 3600
 }
@@ -28,7 +28,7 @@ resource "digitalocean_record" "enp_vcs" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "vcs"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -36,7 +36,7 @@ resource "digitalocean_record" "enp_ssv" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "ssv"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -44,7 +44,7 @@ resource "digitalocean_record" "enp_pms" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "pms"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -52,7 +52,7 @@ resource "digitalocean_record" "enp_cdn" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "cdn"
-  value  = "en2-cdn.nyc3.cdn.digitaloceanspaces.com."
+  value  = "${digitalocean_cdn.enp.endpoint}."
  ttl    = 3600
 }
@@ -60,7 +60,7 @@ resource "digitalocean_record" "enp_vpn" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "vpn"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -68,7 +68,7 @@ resource "digitalocean_record" "enp_www" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "www"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -76,7 +76,7 @@ resource "digitalocean_record" "enp_sso" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "sso"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
@@ -84,15 +84,7 @@ resource "digitalocean_record" "enp_img" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "img"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 10600
 }
 resource "digitalocean_record" "enp_pdb" {
  domain = digitalocean_domain.enp.id
  type   = "CNAME"
  name   = "pdb"
  value  = "en1.enp.one."
  ttl    = 10600
 }
--- a/skylab/infra/playbooks/terraform/domain.enpaul.tf
+++ b/skylab/infra/playbooks/terraform/domain.enpaul.tf
@@ -9,7 +9,7 @@ resource "digitalocean_record" "enpaul" {
  domain = digitalocean_domain.enpaul.id
  type   = "A"
  name   = "@"
-  value  = "24.2.156.189"
+  value  = digitalocean_record.enp.value
  ttl    = 3600
 }
--- a/skylab/infra/playbooks/terraform/domain.scipiocapital.tf
+++ b/skylab/infra/playbooks/terraform/domain.scipiocapital.tf
@@ -8,7 +8,7 @@ resource "digitalocean_record" "scipiocapital" {
  domain = digitalocean_domain.scipiocapital.id
  type   = "A"
  name   = "@"
-  value  = "24.2.156.189"
+  value  = digitalocean_record.enp.value
  ttl    = 3600
 }
@@ -16,7 +16,7 @@ resource "digitalocean_record" "scipiocapital_app" {
  domain = digitalocean_domain.scipiocapital.id
  type   = "CNAME"
  name   = "app"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 43200
 }
@@ -24,7 +24,7 @@ resource "digitalocean_record" "scipiocapital_notify" {
  domain = digitalocean_domain.scipiocapital.id
  type   = "CNAME"
  name   = "notify"
-  value  = "en1.enp.one."
+  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 43200
 }
@@ -36,6 +36,13 @@ resource "digitalocean_record" "scipiocapital_docs" {
  ttl    = 43200
 }
 resource "digitalocean_record" "scipiocapital_auth" {
  domain = digitalocean_domain.scipiocapital.id
  type   = "CNAME"
  name   = "auth"
  value  = "${digitalocean_record.enp_en1.fqdn}."
  ttl    = 43200
 }
 # ==========================================================================
 # Standard DO configuration for all managed domains, includes
--- a/skylab/infra/playbooks/terraform/project.scipio.tf
+++ b/skylab/infra/playbooks/terraform/project.scipio.tf
@@ -0,0 +1,13 @@
 resource "digitalocean_project" "scipio" {
  name        = "Scipio Capital"
  description = "Eventual home of Scipio Capital systems"
  purpose     = "Service or API"
  environment = "Production"
 }
 resource "digitalocean_project_resources" "scipio" {
  project = digitalocean_project.scipio.id
  resources = [
    digitalocean_domain.scipiocapital.urn,
  ]
 }
--- a/skylab/infra/playbooks/terraform/project.skylab.tf
+++ b/skylab/infra/playbooks/terraform/project.skylab.tf
@@ -0,0 +1,17 @@
 resource "digitalocean_project" "skylab" {
  name        = "SkyLab"
  description = "SkyLab resources, with emphasis on Sky"
  purpose     = "Operational / Developer tooling"
  environment = "Development"
  is_default  = true
 }
 resource "digitalocean_project_resources" "skylab" {
  project = digitalocean_project.skylab.id
  resources = [
    digitalocean_domain.allaroundhere.urn,
    digitalocean_domain.enpaul.urn,
    digitalocean_domain.enp.urn,
    digitalocean_spaces_bucket.enp_cdn.urn
  ]
 }
--- a/skylab/infra/playbooks/terraform/spaces.cdn.tf
+++ b/skylab/infra/playbooks/terraform/spaces.cdn.tf
@@ -0,0 +1,18 @@
 resource "digitalocean_spaces_bucket" "enp_cdn" {
  name          = "en2-cdn"
  region        = "nyc3"
  acl           = "public-read"
  force_destroy = false
 }
 resource "digitalocean_certificate" "enp_cdn" {
  name    = "CDN"
  type    = "lets_encrypt"
  domains = ["cdn.enp.one", "enp.one"]
 }
 resource "digitalocean_cdn" "enp" {
  origin           = digitalocean_spaces_bucket.enp_cdn.bucket_domain_name
  custom_domain    = "cdn.enp.one"
  certificate_name = digitalocean_certificate.enp_cdn.name
 }
Author	SHA1	Message	Date
Ethan Paul	4a516eee15	Stop assuming rockylinux has firewalld installed by default	2023-05-19 16:39:52 -04:00
Ethan Paul	15a1411f1a	Add project resource assignments	2023-05-07 16:16:03 -04:00
Ethan Paul	868ab721dd	Add scipio project	2023-05-07 16:06:53 -04:00
Ethan Paul	9776e9a316	Add skylab project definition	2023-05-07 16:04:25 -04:00
Ethan Paul	28f1f80d6f	Remove pdb.enp.one	2023-05-07 15:49:14 -04:00
Ethan Paul	0f9479731a	Update domains to use pointer vars instead of repeat values	2023-05-07 15:48:29 -04:00
Ethan Paul	3df0115191	Add CDN config for space	2023-05-07 15:43:39 -04:00
Ethan Paul	fcb25b79ce	Add CDN space	2023-05-07 14:59:17 -04:00
Ethan Paul	e591db8581	Add auth subdomain	2023-05-04 16:23:59 -04:00
Ethan Paul	e4fd90c013	Restructure en1 main inventory group	2023-05-02 22:44:27 -04:00
Ethan Paul	219b03b4ee	Add notify subdomain for scipio app	2023-05-02 22:44:26 -04:00