Stop assuming rockylinux has firewalld installed by default

Update to use dynamic managment settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user

.gitignore

@@ -7,3 +7,5 @@ playbooks/testing.yml
 .venv/
 .ansible/
 .tox/
+.terraform/
+.terraform.lock.*

.pre-commit-config.yaml

@@ -32,3 +32,11 @@ repos:
           - "--wrap=90"
         types:
           - markdown
+
+      - id: terraform
+        name: terraform format
+        entry: terraform
+        language: system
+        args:
+          - fmt
+        files: ".*\\.tf$"

Makefile

@@ -3,7 +3,7 @@ clean:
 	rm --recursive --force .tox/
 
 dev:
-	@poetry install --remove-untracked
+	@poetry install --sync
 	@poetry run pre-commit install
 	@poetry run ansible-galaxy collection install --requirements-file ./requirements.yaml --collections-path ./.ansible
 	@bash ./link-local-collections.sh

ansible.cfg

@@ -1,10 +1,10 @@
 [defaults]
-host_key_checking = false
+host_key_checking = true
 collections_path = .ansible
-inventory = inventory.yaml
+inventory = inventory/
 
 [ssh_connection]
-ssh_args = "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
+ssh_args = "-o ControlMaster=auto -o ControlPersist=60s"
 
 [inventory]
 enable_plugins = ansible.builtin.yaml

inventory/en1.old.yaml

@@ -1,12 +1,4 @@
 ---
-all:
-  vars:
-    skylab_state_dir: /var/lib/skylab
-    skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
-    skylab_pip_version: 19.3.1
-    ansible_user: ansible
-    ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
-
 workstation:
   hosts:
     voyager:
@@ -14,7 +6,6 @@ workstation:
       skylab_hostname: voyager.skylab.enp.one
       skylab_targets: [workstation]
 
-
 en1:
   vars:
     skylab_location: Newton MA

inventory/en1.yaml

@@ -0,0 +1,51 @@
+---
+en1:
+
+  vars:
+    skylab_location: Cambridge
+
+  children:
+    domain:
+      children:
+
+        cluster:
+          hosts:
+            canaveral:
+              ansible_host: 10.42.101.10
+              skylab_description: Compute and Storage Node
+            baikonur:
+              ansible_host: 10.42.101.11
+              skylab_description: Compute and Storage Node
+            vandenberg:
+              ansible_host: 10.42.101.12
+              skylab_description: Compute and Storage Node
+            andoya:
+              ansible_host: 10.42.101.13
+              skylab_description: Auxilary Compute Node
+            jiuquan:
+              ansible_host: 10.42.101.14
+              skylab_description: Auxilary Compute Node
+
+        datastore:
+          hosts:
+            canaveral:
+              skylab_datastore_block: /dev/sda
+            baikonur:
+              skylab_datastore_block: /dev/sda
+            vandenberg:
+              skylab_datastore_block: /dev/sda
+
+        hosts:
+          3d-printer: {}
+          mediastore: {}
+          backstore: {}
+
+    local:
+      hosts:
+        core: {}
+        switch-1: {}
+        switch-2: {}
+        wap-1: {}
+        wap-2: {}
+        wap-3: {}
+        printer: {}

inventory/group_vars/all.yaml

@@ -0,0 +1,39 @@
+---
+ansible_user: ansible
+
+ansible_port: 4242
+
+skylab_state_dir: /var/lib/skylab
+
+skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
+
+skylab_ansible_vault_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61323762623165383963316238343539346336663864366631616339356564346636373561616237
+          6666363531393234636337656431366365343236346536320a346163353935366636303131313661
+          32623635363063383039363539303135393838376264356463646465376435616363376163373663
+          6366633665373939380a373234633365376632376433643034336539346338613566353537663731
+          34323464633165626133306464363464333539363761343831316565356266373833
+
+skylab_tfstate_backend:
+  hostname: cluster.lab.enp.one
+  username: terraform
+  schema: terraform
+  port: 32421
+  password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30313365393065316563323363663135313438616461356439366632303636343735653033363930
+          6334613931376566363064663539643639326363663933610a306138616362376435386466306538
+          30626330613932363339363438356430613461313335333536623931343436353330393433373630
+          3631343463616631380a386661336534663033383637666538316665303962353034376232356235
+          65323339353563623431666535366465353133343137653232326534326436323661636536373564
+          3466633762303966366366653531613261336561356531636461
+
+skylab_mgmt:
+  sshport: 4242
+  group: skylab
+  user: ansible
+  id: 1400
+  sshkeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity

pyproject.toml

@@ -7,22 +7,21 @@ license = "MIT"
 
 [tool.poetry.dependencies]
 python = "^3.10"
-ansible-core = "^2.12.1"
-docker = "^4.2.0"
-docker-compose = "^1.25.4"
+ansible-core = "^2.14.3"
+docker = "^6.0.1"
 paramiko = "^2.7.1"
-jsondiff = "^1.2.0"
+jsondiff = "^2.0.0"
 netaddr = "^0.8.0"
 
 [tool.poetry.dev-dependencies]
-ansible-lint = "^4.2.0"
-ipython = "^7.28.0"
-mdformat = "^0.7.9"
-mdformat-gfm = "^0.3.3"
-poetry = "^1.1.0"
-pre-commit = "^2.9.2"
-pre-commit-hooks = "^3.3.0"
-safety = "^1.9.0"
+ansible-lint = {version = "^6.14.0", markers = "platform_system != 'Windows'"}
+ipython = "^8.11.0"
+mdformat = "^0.7.16"
+mdformat-gfm = "^0.3.5"
+poetry = "^1.3.0"
+pre-commit = "^3.2.0"
+pre-commit-hooks = "^4.4.0"
+safety = "^2.3.5"
 tox = "^3.20.1"
-tox-poetry-installer = {extras = ["poetry"], version = "^0.8.3"}
-yamllint = "^1.20.0"
+tox-poetry-installer = {extras = ["poetry"], version = "^0.10.0"}
+yamllint = "^1.29.0"

skylab/core/roles/workstation/files/bashrc.sh

@@ -6,12 +6,12 @@ if [ -f `which powerline-daemon` ]; then
 fi
 
 export NVM_DIR="$HOME/.nvm"
-export PROJECTS_DIR="$HOME/Documents/projects"
+export PROJECTS_DIR="$HOME/projects"
 
 function gg() {
   cd "$PROJECTS_DIR/$1";
   if [ -f "$PROJECTS_DIR/$1/ansible.cfg" ]; then
-    ANSIBLE_CONFIG="$PROJECTS_DIR/$1/ansible.cfg" ANSIBLE_COLLECTIONS_DIR="$PROJECTS_DIR/$1/.ansible" poetry shell;
+    ANSIBLE_CONFIG="$PROJECTS_DIR/$1/ansible.cfg" ANSIBLE_COLLECTIONS_PATH="$PROJECTS_DIR/$1/.ansible" poetry shell;
   elif [ -f "$PROJECTS_DIR/$1/pyproject.toml" ]; then
     poetry shell;
   fi

skylab/core/roles/workstation/tasks/environment.yml

@@ -17,6 +17,14 @@
     state: present
   loop: "{{ _local_human_users }}"
 
+- name: Configure local bash completions loading
+  become: true
+  ansible.builtin.lineinfile:
+    path: ~{{ item }}/.bashrc
+    line: source ~/.config/bash_completions
+    state: present
+  loop: "{{ _local_human_users }}"
+
 - name: Configure bash completions
   become: true
   ansible.builtin.blockinfile:
@@ -25,7 +33,7 @@
     block: >-
       function _gg_completion() {
           local cur=${COMP_WORDS[COMP_CWORD]};
-          COMPREPLY=( $(compgen -W "$(command ls $PROJECT_DIR)" -- $cur) );
+          COMPREPLY=( $(compgen -W "$(command ls $PROJECTS_DIR)" -- $cur) );
       }
 
       complete -F _gg_completion gg
@@ -125,3 +133,12 @@
     owner: "{{ item }}"
     group: "{{ item }}"
   loop: "{{ _local_human_users }}"
+
+- name: Link external media directory
+  become: true
+  ansible.builtin.file:
+    path: ~{{ item }}/Drives
+    src: /run/media/{{ item }}
+    state: link
+    force: true
+  loop: "{{ _local_human_users }}"

skylab/infra/README.md

@@ -0,0 +1,3 @@
+# Ansible Collection - skylab.infra
+
+Documentation for the collection.

skylab/infra/galaxy.yml

@@ -0,0 +1,16 @@
+namespace: skylab
+name: core
+version: 0.0.0
+description: Network deployment procedures and configuration state management
+authors:
+  - Ethan Paul <me@enp.one>
+license:
+  - MIT
+readme: README.md
+tags: []
+repository: https://vcs.enp.one/skylab/skylab-ansible/
+build_ignore: []
+
+dependencies:
+  community.general: ">=6.5.0,<7.0"
+  ansible.posix: ">=1.5.1,<2.0"

skylab/infra/meta/runtime.yml

@@ -0,0 +1,2 @@
+---
+requires_ansible: '>=2.9.10'

skylab/infra/playbooks/bootstrap.yml

@@ -0,0 +1,230 @@
+---
+- name: Prompt for parameters
+  hosts: localhost
+  gather_facts: false
+  vars_prompt:
+  - name: bootstrap_hostname
+    prompt: Enter hostname (or IP address) of bootstrap target
+    private: false
+  - name: bootstrap_username
+    prompt: Enter username to use for connecting to boostrap target
+    default: root
+    private: false
+  - name: bootstrap_password
+    prompt: Enter password to use for connecting to boostrap target
+    private: true
+    default: skylab
+  - name: bootstrap_port
+    prompt: Enter SSH port to connect to on bootstrap target
+    default: 22
+    private: false
+  tasks:
+  - name: Add boostrap host
+    changed_when: false
+    ansible.builtin.add_host:
+      hostname: bootstrap
+      ansible_host: "{{ bootstrap_hostname }}"
+      ansible_user: "{{ bootstrap_username }}"
+      ansible_ssh_pass: "{{ bootstrap_password }}"
+      ansible_port: "{{ bootstrap_port }}"
+
+  - name: Test connection
+    delegate_to: bootstrap
+    delegate_facts: true
+    vars:
+      ansible_host_key_checking: false
+    ansible.builtin.ping: {}
+
+- name: Bootstrap remote
+  hosts: bootstrap
+  vars:
+    ansible_host_key_checking: false
+  vars_prompt:
+  - name: skylab_ansible_vault_password
+    prompt: Enter Ansible vault password for generating user secrets
+    private: true
+    confirm: true
+  tasks:
+  - name: Check OS requirements
+    ansible.builtin.assert:
+      that:
+      - ansible_distribution == 'Rocky'
+      - ansible_distribution_major_version in ['8', '9']
+      success_msg: >-
+        Host is running supported OS {{ ansible_distribution }} {{ ansible_distribution_version }}
+      fail_msg: >-
+        Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
+        only RockyLinux 8 and RockyLinux 9 are supported.
+
+  - name: Check that management keys are defined
+    ansible.builtin.assert:
+      that:
+        - skylab_mgmt is defined
+        - skylab_mgmt.sshkeys != []
+      success_msg: >-
+        Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
+      fail_msg: >-
+        No management keys were found for installation to the Ansible management user. Aborting to avoid
+        locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
+        a list of SSH public keys to install to the Ansible management user.
+
+  - name: Install RockyLinux python bindings
+    become: true
+    ansible.builtin.dnf:
+      state: present
+      name:
+        - libffi-devel
+        - python3-devel
+        - python3-libselinux
+        - python3-policycoreutils
+        - python3-firewall
+
+  - name: Create mgmt group
+    become: true
+    ansible.builtin.group:
+      name: "{{ skylab_mgmt.group }}"
+      state: present
+      gid: "{{ skylab_mgmt.id }}"
+
+  - name: Generate mgmt user account password
+    delegate_to: localhost
+    no_log: true
+    changed_when: false
+    ansible.builtin.shell:
+      cmd: >
+        command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
+        '{{ skylab_ansible_vault_password }}' |
+        python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
+      executable: /bin/bash
+    register: _password_mgmt
+
+  - name: Update mgmt user account
+    become: true
+    ansible.builtin.user:
+      name: "{{ skylab_mgmt.user }}"
+      state: present
+      group: "{{ skylab_mgmt.group }}"
+      groups:
+        - "{{ skylab_mgmt.group }}"
+        - wheel
+      uid: "{{ skylab_mgmt.id }}"
+      password: "{{ _password_mgmt.stdout }}"
+
+  - name: Update mgmt user authorized keys
+    become: true
+    ansible.posix.authorized_key:
+      user: "{{ skylab_mgmt.user }}"
+      exclusive: true
+      key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
+
+  - name: Remove mgmt user group
+    become: true
+    ansible.builtin.group:
+      name: "{{ skylab_mgmt.user }}"
+      state: absent
+
+  - name: Update root user authorized keys
+    become: true
+    ansible.posix.authorized_key:
+      user: root
+      exclusive: true
+      key: ""
+
+  - name: Disable sudo password for WHEEL group
+    become: true
+    ansible.builtin.copy:
+      content: "%wheel ALL=(ALL) NOPASSWD: ALL"
+      dest: /etc/sudoers.d/30-wheel
+      owner: root
+      group: "{{ skylab_mgmt.group }}"
+      mode: 0644
+
+  - name: Disable SSHD password auth
+    become: true
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)PasswordAuthentication .*$'
+      replace: PasswordAuthentication no
+
+  - name: Disable SSHD root login
+    become: true
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)PermitRootLogin .*$'
+      replace: PermitRootLogin no
+
+  - name: Update SSHD mgmt port
+    become: true
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)Port .*$'
+      replace: Port {{ skylab_mgmt.sshport }}
+
+  - name: Grant SSHD permissions on the mgmt port
+    become: true
+    community.general.seport:
+      ports: "{{ skylab_mgmt.sshport }}"
+      proto: tcp
+      setype: ssh_port_t
+      state: present
+
+  - name: Install Firewalld
+    become: true
+    ansible.builtin.dnf:
+      name: firewalld
+      state: present
+
+  - name: Enable Firewalld
+    become: true
+    ansible.builtin.service:
+      name: firewalld
+      enabled: true
+
+  - name: Grant SSHD firewall access to the mgmt port
+    become: true
+    ansible.posix.firewalld:
+      port: "{{ skylab_mgmt.sshport }}/tcp"
+      state: enabled
+      permanent: true
+
+  - name: Revoke SSHD firewall access to default port
+    become: true
+    ansible.posix.firewalld:
+      service: ssh
+      permanent: true
+      state: disabled
+
+  - name: Update OS
+    become: true
+    ansible.builtin.dnf:
+      name: "*"
+      state: latest
+      allowerasing: true
+
+  - name: Generate root user account password
+    delegate_to: localhost
+    no_log: true
+    changed_when: false
+    ansible.builtin.shell:
+      cmd: >
+        command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
+        '{{ skylab_ansible_vault_password }}' |
+        python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
+      executable: /bin/bash
+    register: _password_root
+
+  - name: Update root user account
+    become: true
+    ansible.builtin.user:
+      name: root
+      state: present
+      password: "{{ _password_root.stdout }}"
+
+  - name: Create SkyLab directory
+    become: true
+    ansible.builtin.file:
+      state: directory
+      path: "{{ skylab_state_dir }}"
+      owner: "{{ skylab_mgmt.user }}"
+      group: "{{ skylab_mgmt.group }}"
+      mode: 0750

skylab/infra/playbooks/cloud.yml

@@ -0,0 +1,46 @@
+---
+- name: Provision DigitalOcean cloud
+  hosts: localhost
+  vars:
+    terraform_backend: "postgres://{{ skylab_tfstate_backend.username }}:{{ skylab_tfstate_backend.password }}@{{ skylab_tfstate_backend.hostname }}:{{ skylab_tfstate_backend.port }}/{{ skylab_tfstate_backend.schema }}"
+  tasks:
+  - name: Deploy terraform config
+    block:
+    - name: Create temp plan file
+      changed_when: false
+      ansible.builtin.tempfile:
+        state: file
+        prefix: skylab
+        suffix: tfplan
+      register: _tfplan_tempfile
+
+    # Generating a plan file before yeeting a deployment into the
+    # wind helps to ensure that the syntax is correct, backend and
+    # state are valid, and all the plumbing is working as expected.
+    # We don't want errors when we deploy, so it's better to
+    # generate the plan first
+    - name: Initialize terraform backend and generate plan file
+      community.general.terraform:
+        state: planned
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        force_init: true
+        init_reconfigure: true
+        plan_file: "{{ _tfplan_tempfile.path }}"
+
+    # TODO: update to take DO token from invocation args rather than
+    # implicit env var
+    - name: Apply terraform plan
+      community.general.terraform:
+        state: present
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        plan_file: "{{ _tfplan_tempfile.path }}"
+    always:
+    - name: Remove temp plan file
+      changed_when: false
+      ansible.builtin.file:
+        path: "{{ _tfplan_tempfile.path }}"
+        state: absent

skylab/infra/playbooks/terraform/domain.allaroundhere.tf

@@ -0,0 +1,57 @@
+resource "digitalocean_domain" "allaroundhere" {
+  name = "allaroundhere.org"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "allaroundhere" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "allaroundhere_www" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "allaroundhere_content" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "content"
+  value  = "en1.enp.one."
+  ttl    = 10300
+}
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "allaroundhere_ns1" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns2" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns3" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}

skylab/infra/playbooks/terraform/domain.enp.tf

@@ -0,0 +1,200 @@
+resource "digitalocean_domain" "enp" {
+  name = "enp.one"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enp" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_en1" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "en1"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+
+# ==========================================================================
+# Service CNAME configuration
+resource "digitalocean_record" "enp_vcs" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vcs"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_ssv" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "ssv"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_pms" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "pms"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_cdn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "cdn"
+  value  = "${digitalocean_cdn.enp.endpoint}."
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_vpn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vpn"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_www" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_sso" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "sso"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_img" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "img"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enp_ns1" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns2" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns3" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enp_dmarc" {
+  domain = digitalocean_domain.enp.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_caa" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+resource "digitalocean_record" "enp_iodef" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "mailto:admin@enp.one"
+  ttl    = 3600
+  tag    = "iodef"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enp_mx" {
+  domain   = digitalocean_domain.enp.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 1010
+}
+
+resource "digitalocean_record" "enp_spf" {
+  domain = digitalocean_domain.enp.id
+  type   = "TXT"
+  name   = "@"
+  value  = "v=spf1 include:spf.tutanota.de -all"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_domainkey1" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "s1._domainkey"
+  value  = "s1._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_domainkey2" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "s2._domainkey"
+  value  = "s2._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_mta1" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "_mta-sts"
+  value  = "_mta-sts.tutanota.com."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_mta2" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "mta-sts"
+  value  = "mta-sts.tutanota.com."
+  ttl    = 10600
+}

skylab/infra/playbooks/terraform/domain.enpaul.tf

@@ -0,0 +1,123 @@
+resource "digitalocean_domain" "enpaul" {
+  name = "enpaul.net"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enpaul" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "A"
+  name   = "@"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_www" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 10800
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enpaul_ns1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns3" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enpaul_dmarc" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_caa" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enpaul_mx" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 10
+}
+
+resource "digitalocean_record" "enpaul_spf" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "TXT"
+  name   = "@"
+  value  = "v=spf1 include:spf.tutanota.de -all"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_domainkey1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "s1._domainkey"
+  value  = "s1._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_domainkey2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "s2._domainkey"
+  value  = "s2._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "_mta-sts"
+  value  = "_mta-sts.tutanota.com."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "mta-sts"
+  value  = "mta-sts.tutanota.com."
+  ttl    = 10600
+}

skylab/infra/playbooks/terraform/domain.scipiocapital.tf

@@ -0,0 +1,72 @@
+resource "digitalocean_domain" "scipiocapital" {
+  name = "scipiocapital.us"
+}
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "scipiocapital" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "A"
+  name   = "@"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "scipiocapital_app" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "app"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_notify" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "notify"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_docs" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "docs"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_auth" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "auth"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "scipiocapital_ns1" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "scipiocapital_ns2" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "scipiocapital_ns3" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}

skylab/infra/playbooks/terraform/main.tf

@@ -0,0 +1,10 @@
+terraform {
+  backend "pg" {}
+
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+  }
+}

skylab/infra/playbooks/terraform/project.scipio.tf

@@ -0,0 +1,13 @@
+resource "digitalocean_project" "scipio" {
+  name        = "Scipio Capital"
+  description = "Eventual home of Scipio Capital systems"
+  purpose     = "Service or API"
+  environment = "Production"
+}
+
+resource "digitalocean_project_resources" "scipio" {
+  project = digitalocean_project.scipio.id
+  resources = [
+    digitalocean_domain.scipiocapital.urn,
+  ]
+}

skylab/infra/playbooks/terraform/project.skylab.tf

@@ -0,0 +1,17 @@
+resource "digitalocean_project" "skylab" {
+  name        = "SkyLab"
+  description = "SkyLab resources, with emphasis on Sky"
+  purpose     = "Operational / Developer tooling"
+  environment = "Development"
+  is_default  = true
+}
+
+resource "digitalocean_project_resources" "skylab" {
+  project = digitalocean_project.skylab.id
+  resources = [
+    digitalocean_domain.allaroundhere.urn,
+    digitalocean_domain.enpaul.urn,
+    digitalocean_domain.enp.urn,
+    digitalocean_spaces_bucket.enp_cdn.urn
+  ]
+}

skylab/infra/playbooks/terraform/spaces.cdn.tf

@@ -0,0 +1,18 @@
+resource "digitalocean_spaces_bucket" "enp_cdn" {
+  name          = "en2-cdn"
+  region        = "nyc3"
+  acl           = "public-read"
+  force_destroy = false
+}
+
+resource "digitalocean_certificate" "enp_cdn" {
+  name    = "CDN"
+  type    = "lets_encrypt"
+  domains = ["cdn.enp.one", "enp.one"]
+}
+
+resource "digitalocean_cdn" "enp" {
+  origin           = digitalocean_spaces_bucket.enp_cdn.bucket_domain_name
+  custom_domain    = "cdn.enp.one"
+  certificate_name = digitalocean_certificate.enp_cdn.name
+}

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = ansible, python, security
+envlist = ansible, security
 skipsdist = true
 
 [testenv]
@@ -36,7 +36,9 @@ locked_deps =
     poetry
     safety
 commands =
-    poetry export --format requirements.txt --without-hashes --dev --output {envtmpdir}/req.txt
-    safety check --json --file {envtmpdir}/req.txt \
+    poetry export --format requirements.txt --without-hashes --with dev --output {envtmpdir}/req.txt
+    safety check --output text --file {envtmpdir}/req.txt \
         # Ignore unfixed CVE-2021-3532 from ansible \
-        --ignore 42923
+        --ignore 42923 \
+        # https://github.com/pytest-dev/py/issues/287#issuecomment-1283567565
+        --ignore 51457