Stop assuming rockylinux has firewalld installed by default

Update to use dynamic managment settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user

.gitignore

@@ -7,3 +7,5 @@ playbooks/testing.yml
 .venv/
 .ansible/
 .tox/
+.terraform/
+.terraform.lock.*

.pre-commit-config.yaml

@@ -32,3 +32,11 @@ repos:
           - "--wrap=90"
         types:
           - markdown
+
+      - id: terraform
+        name: terraform format
+        entry: terraform
+        language: system
+        args:
+          - fmt
+        files: ".*\\.tf$"

ansible.cfg

@@ -1,7 +1,7 @@
 [defaults]
 host_key_checking = true
 collections_path = .ansible
-inventory = inventory.yaml
+inventory = inventory/
 
 [ssh_connection]
 ssh_args = "-o ControlMaster=auto -o ControlPersist=60s"

inventory/en1.old.yaml

@@ -1,12 +1,4 @@
 ---
-all:
-  vars:
-    skylab_state_dir: /var/lib/skylab
-    skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
-    skylab_pip_version: 19.3.1
-    ansible_user: ansible
-    ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
-
 workstation:
   hosts:
     voyager:
@@ -14,7 +6,6 @@ workstation:
       skylab_hostname: voyager.skylab.enp.one
       skylab_targets: [workstation]
 
-
 en1:
   vars:
     skylab_location: Newton MA

inventory/en1.yaml

@@ -0,0 +1,51 @@
+---
+en1:
+
+  vars:
+    skylab_location: Cambridge
+
+  children:
+    domain:
+      children:
+
+        cluster:
+          hosts:
+            canaveral:
+              ansible_host: 10.42.101.10
+              skylab_description: Compute and Storage Node
+            baikonur:
+              ansible_host: 10.42.101.11
+              skylab_description: Compute and Storage Node
+            vandenberg:
+              ansible_host: 10.42.101.12
+              skylab_description: Compute and Storage Node
+            andoya:
+              ansible_host: 10.42.101.13
+              skylab_description: Auxilary Compute Node
+            jiuquan:
+              ansible_host: 10.42.101.14
+              skylab_description: Auxilary Compute Node
+
+        datastore:
+          hosts:
+            canaveral:
+              skylab_datastore_block: /dev/sda
+            baikonur:
+              skylab_datastore_block: /dev/sda
+            vandenberg:
+              skylab_datastore_block: /dev/sda
+
+        hosts:
+          3d-printer: {}
+          mediastore: {}
+          backstore: {}
+
+    local:
+      hosts:
+        core: {}
+        switch-1: {}
+        switch-2: {}
+        wap-1: {}
+        wap-2: {}
+        wap-3: {}
+        printer: {}

inventory/group_vars/all.yaml

@@ -0,0 +1,39 @@
+---
+ansible_user: ansible
+
+ansible_port: 4242
+
+skylab_state_dir: /var/lib/skylab
+
+skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
+
+skylab_ansible_vault_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61323762623165383963316238343539346336663864366631616339356564346636373561616237
+          6666363531393234636337656431366365343236346536320a346163353935366636303131313661
+          32623635363063383039363539303135393838376264356463646465376435616363376163373663
+          6366633665373939380a373234633365376632376433643034336539346338613566353537663731
+          34323464633165626133306464363464333539363761343831316565356266373833
+
+skylab_tfstate_backend:
+  hostname: cluster.lab.enp.one
+  username: terraform
+  schema: terraform
+  port: 32421
+  password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30313365393065316563323363663135313438616461356439366632303636343735653033363930
+          6334613931376566363064663539643639326363663933610a306138616362376435386466306538
+          30626330613932363339363438356430613461313335333536623931343436353330393433373630
+          3631343463616631380a386661336534663033383637666538316665303962353034376232356235
+          65323339353563623431666535366465353133343137653232326534326436323661636536373564
+          3466633762303966366366653531613261336561356531636461
+
+skylab_mgmt:
+  sshport: 4242
+  group: skylab
+  user: ansible
+  id: 1400
+  sshkeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity

skylab/infra/galaxy.yml

@@ -11,4 +11,6 @@ tags: []
 repository: https://vcs.enp.one/skylab/skylab-ansible/
 build_ignore: []
 
-dependencies: {}
+dependencies:
+  community.general: ">=6.5.0,<7.0"
+  ansible.posix: ">=1.5.1,<2.0"

skylab/infra/meta/runtime.yml

@@ -1,52 +1,2 @@
 ---
-# Collections must specify a minimum required ansible version to upload
-# to galaxy
-# requires_ansible: '>=2.9.10'
-
-# Content that Ansible needs to load from another location or that has
-# been deprecated/removed
-# plugin_routing:
-#   action:
-#     redirected_plugin_name:
-#       redirect: ns.col.new_location
-#     deprecated_plugin_name:
-#       deprecation:
-#         removal_version: "4.0.0"
-#         warning_text: |
-#           See the porting guide on how to update your playbook to
-#           use ns.col.another_plugin instead.
-#     removed_plugin_name:
-#       tombstone:
-#         removal_version: "2.0.0"
-#         warning_text: |
-#           See the porting guide on how to update your playbook to
-#           use ns.col.another_plugin instead.
-#   become:
-#   cache:
-#   callback:
-#   cliconf:
-#   connection:
-#   doc_fragments:
-#   filter:
-#   httpapi:
-#   inventory:
-#   lookup:
-#   module_utils:
-#   modules:
-#   netconf:
-#   shell:
-#   strategy:
-#   terminal:
-#   test:
-#   vars:
-
-# Python import statements that Ansible needs to load from another location
-# import_redirection:
-#   ansible_collections.ns.col.plugins.module_utils.old_location:
-#     redirect: ansible_collections.ns.col.plugins.module_utils.new_location
-
-# Groups of actions/modules that take a common set of options
-# action_groups:
-#   group_name:
-#     - module1
-#     - module2
+requires_ansible: '>=2.9.10'

skylab/infra/playbooks/bootstrap.yml

@@ -13,7 +13,7 @@
   - name: bootstrap_password
     prompt: Enter password to use for connecting to boostrap target
     private: true
-    confirm: true
+    default: skylab
   - name: bootstrap_port
     prompt: Enter SSH port to connect to on bootstrap target
     default: 22
@@ -28,16 +28,23 @@
       ansible_ssh_pass: "{{ bootstrap_password }}"
       ansible_port: "{{ bootstrap_port }}"
 
+  - name: Test connection
+    delegate_to: bootstrap
+    delegate_facts: true
+    vars:
+      ansible_host_key_checking: false
+    ansible.builtin.ping: {}
+
 - name: Bootstrap remote
   hosts: bootstrap
   vars:
     ansible_host_key_checking: false
+  vars_prompt:
+  - name: skylab_ansible_vault_password
+    prompt: Enter Ansible vault password for generating user secrets
+    private: true
+    confirm: true
   tasks:
-  - name: Fetch install path
-    ansible.builtin.stat:
-      path: /var/lib/skylab
-    register: _skylab_install_path
-
   - name: Check OS requirements
     ansible.builtin.assert:
       that:
@@ -49,80 +56,175 @@
         Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
         only RockyLinux 8 and RockyLinux 9 are supported.
 
-  - name: Check boostrap state
+  - name: Check that management keys are defined
     ansible.builtin.assert:
       that:
-      - not _skylab_install_path.stat.exists
+        - skylab_mgmt is defined
+        - skylab_mgmt.sshkeys != []
       success_msg: >-
-        Host is ready for boostrapping
+        Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
       fail_msg: >-
-        Host has already been boostrapped
+        No management keys were found for installation to the Ansible management user. Aborting to avoid
+        locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
+        a list of SSH public keys to install to the Ansible management user.
 
-  - name: Update ansible user account
-    ansible.builtin.user:
-      name: ansible
+  - name: Install RockyLinux python bindings
+    become: true
+    ansible.builtin.dnf:
       state: present
-      uid: 1400
-      password: # WIP
+      name:
+        - libffi-devel
+        - python3-devel
+        - python3-libselinux
+        - python3-policycoreutils
+        - python3-firewall
 
-  - name: Remove ansible user group
+  - name: Create mgmt group
+    become: true
     ansible.builtin.group:
-      name: ansible
+      name: "{{ skylab_mgmt.group }}"
+      state: present
+      gid: "{{ skylab_mgmt.id }}"
+
+  - name: Generate mgmt user account password
+    delegate_to: localhost
+    no_log: true
+    changed_when: false
+    ansible.builtin.shell:
+      cmd: >
+        command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
+        '{{ skylab_ansible_vault_password }}' |
+        python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
+      executable: /bin/bash
+    register: _password_mgmt
+
+  - name: Update mgmt user account
+    become: true
+    ansible.builtin.user:
+      name: "{{ skylab_mgmt.user }}"
+      state: present
+      group: "{{ skylab_mgmt.group }}"
+      groups:
+        - "{{ skylab_mgmt.group }}"
+        - wheel
+      uid: "{{ skylab_mgmt.id }}"
+      password: "{{ _password_mgmt.stdout }}"
+
+  - name: Update mgmt user authorized keys
+    become: true
+    ansible.posix.authorized_key:
+      user: "{{ skylab_mgmt.user }}"
+      exclusive: true
+      key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
+
+  - name: Remove mgmt user group
+    become: true
+    ansible.builtin.group:
+      name: "{{ skylab_mgmt.user }}"
       state: absent
 
-  - name: Create skylab group
-    ansible.builtin.group:
-      name: skylab
-      state: present
-      gid: 1400
-
-  - name: Update ansible user authorized keys
-    ansible.posix.authorized_keys:
-      user: ansible
-      exclusive: true
-      key: []
-
-  - name: Update root user account
-    ansible.builtin.user:
-      name: ansible
-      state: present
-      password: # WIP
-
   - name: Update root user authorized keys
-    ansible.posix.authorized_keys:
+    become: true
+    ansible.posix.authorized_key:
       user: root
       exclusive: true
-      key: []
+      key: ""
 
-  - name: Update SSHD port
-    ansible.builtin.replace:
-      path: /etc/ssh/sshd_config
-      regexp: "^(#?)Port [0-9]+$"
-      replace: "Port 4242"
+  - name: Disable sudo password for WHEEL group
+    become: true
+    ansible.builtin.copy:
+      content: "%wheel ALL=(ALL) NOPASSWD: ALL"
+      dest: /etc/sudoers.d/30-wheel
+      owner: root
+      group: "{{ skylab_mgmt.group }}"
+      mode: 0644
 
   - name: Disable SSHD password auth
+    become: true
     ansible.builtin.replace:
       path: /etc/ssh/sshd_config
       regexp: '^(#?)PasswordAuthentication .*$'
-      replace: 'PasswordAuthentication no'
+      replace: PasswordAuthentication no
 
   - name: Disable SSHD root login
+    become: true
     ansible.builtin.replace:
       path: /etc/ssh/sshd_config
       regexp: '^(#?)PermitRootLogin .*$'
-      replace: 'PermitRootLogin no'
+      replace: PermitRootLogin no
+
+  - name: Update SSHD mgmt port
+    become: true
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)Port .*$'
+      replace: Port {{ skylab_mgmt.sshport }}
+
+  - name: Grant SSHD permissions on the mgmt port
+    become: true
+    community.general.seport:
+      ports: "{{ skylab_mgmt.sshport }}"
+      proto: tcp
+      setype: ssh_port_t
+      state: present
+
+  - name: Install Firewalld
+    become: true
+    ansible.builtin.dnf:
+      name: firewalld
+      state: present
+
+  - name: Enable Firewalld
+    become: true
+    ansible.builtin.service:
+      name: firewalld
+      enabled: true
+
+  - name: Grant SSHD firewall access to the mgmt port
+    become: true
+    ansible.posix.firewalld:
+      port: "{{ skylab_mgmt.sshport }}/tcp"
+      state: enabled
+      permanent: true
+
+  - name: Revoke SSHD firewall access to default port
+    become: true
+    ansible.posix.firewalld:
+      service: ssh
+      permanent: true
+      state: disabled
 
   - name: Update OS
+    become: true
     ansible.builtin.dnf:
       name: "*"
       state: latest
       allowerasing: true
-      autoremove: true
+
+  - name: Generate root user account password
+    delegate_to: localhost
+    no_log: true
+    changed_when: false
+    ansible.builtin.shell:
+      cmd: >
+        command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
+        '{{ skylab_ansible_vault_password }}' |
+        python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
+      executable: /bin/bash
+    register: _password_root
+
+  - name: Update root user account
+    become: true
+    ansible.builtin.user:
+      name: root
+      state: present
+      password: "{{ _password_root.stdout }}"
 
   - name: Create SkyLab directory
+    become: true
     ansible.builtin.file:
       state: directory
-      path: /var/lib/skylab
-      owner: ansible
-      group: skylab
+      path: "{{ skylab_state_dir }}"
+      owner: "{{ skylab_mgmt.user }}"
+      group: "{{ skylab_mgmt.group }}"
       mode: 0750

skylab/infra/playbooks/cloud.yml

@@ -0,0 +1,46 @@
+---
+- name: Provision DigitalOcean cloud
+  hosts: localhost
+  vars:
+    terraform_backend: "postgres://{{ skylab_tfstate_backend.username }}:{{ skylab_tfstate_backend.password }}@{{ skylab_tfstate_backend.hostname }}:{{ skylab_tfstate_backend.port }}/{{ skylab_tfstate_backend.schema }}"
+  tasks:
+  - name: Deploy terraform config
+    block:
+    - name: Create temp plan file
+      changed_when: false
+      ansible.builtin.tempfile:
+        state: file
+        prefix: skylab
+        suffix: tfplan
+      register: _tfplan_tempfile
+
+    # Generating a plan file before yeeting a deployment into the
+    # wind helps to ensure that the syntax is correct, backend and
+    # state are valid, and all the plumbing is working as expected.
+    # We don't want errors when we deploy, so it's better to
+    # generate the plan first
+    - name: Initialize terraform backend and generate plan file
+      community.general.terraform:
+        state: planned
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        force_init: true
+        init_reconfigure: true
+        plan_file: "{{ _tfplan_tempfile.path }}"
+
+    # TODO: update to take DO token from invocation args rather than
+    # implicit env var
+    - name: Apply terraform plan
+      community.general.terraform:
+        state: present
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        plan_file: "{{ _tfplan_tempfile.path }}"
+    always:
+    - name: Remove temp plan file
+      changed_when: false
+      ansible.builtin.file:
+        path: "{{ _tfplan_tempfile.path }}"
+        state: absent

skylab/infra/playbooks/terraform/domain.allaroundhere.tf

@@ -0,0 +1,57 @@
+resource "digitalocean_domain" "allaroundhere" {
+  name = "allaroundhere.org"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "allaroundhere" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "allaroundhere_www" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "allaroundhere_content" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "content"
+  value  = "en1.enp.one."
+  ttl    = 10300
+}
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "allaroundhere_ns1" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns2" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns3" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}

skylab/infra/playbooks/terraform/domain.enp.tf

@@ -0,0 +1,200 @@
+resource "digitalocean_domain" "enp" {
+  name = "enp.one"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enp" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_en1" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "en1"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+
+# ==========================================================================
+# Service CNAME configuration
+resource "digitalocean_record" "enp_vcs" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vcs"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_ssv" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "ssv"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_pms" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "pms"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_cdn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "cdn"
+  value  = "${digitalocean_cdn.enp.endpoint}."
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_vpn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vpn"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_www" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_sso" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "sso"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_img" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "img"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 10600
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enp_ns1" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns2" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns3" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enp_dmarc" {
+  domain = digitalocean_domain.enp.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_caa" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+resource "digitalocean_record" "enp_iodef" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "mailto:admin@enp.one"
+  ttl    = 3600
+  tag    = "iodef"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enp_mx" {
+  domain   = digitalocean_domain.enp.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 1010
+}
+
+resource "digitalocean_record" "enp_spf" {
+  domain = digitalocean_domain.enp.id
+  type   = "TXT"
+  name   = "@"
+  value  = "v=spf1 include:spf.tutanota.de -all"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_domainkey1" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "s1._domainkey"
+  value  = "s1._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_domainkey2" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "s2._domainkey"
+  value  = "s2._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_mta1" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "_mta-sts"
+  value  = "_mta-sts.tutanota.com."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_mta2" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "mta-sts"
+  value  = "mta-sts.tutanota.com."
+  ttl    = 10600
+}

skylab/infra/playbooks/terraform/domain.enpaul.tf

@@ -0,0 +1,123 @@
+resource "digitalocean_domain" "enpaul" {
+  name = "enpaul.net"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enpaul" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "A"
+  name   = "@"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_www" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 10800
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enpaul_ns1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns3" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enpaul_dmarc" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_caa" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enpaul_mx" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 10
+}
+
+resource "digitalocean_record" "enpaul_spf" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "TXT"
+  name   = "@"
+  value  = "v=spf1 include:spf.tutanota.de -all"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_domainkey1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "s1._domainkey"
+  value  = "s1._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_domainkey2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "s2._domainkey"
+  value  = "s2._domainkey.tutanota.de."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "_mta-sts"
+  value  = "_mta-sts.tutanota.com."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "mta-sts"
+  value  = "mta-sts.tutanota.com."
+  ttl    = 10600
+}

skylab/infra/playbooks/terraform/domain.scipiocapital.tf

@@ -0,0 +1,72 @@
+resource "digitalocean_domain" "scipiocapital" {
+  name = "scipiocapital.us"
+}
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "scipiocapital" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "A"
+  name   = "@"
+  value  = digitalocean_record.enp.value
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "scipiocapital_app" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "app"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_notify" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "notify"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_docs" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "docs"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "scipiocapital_auth" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "CNAME"
+  name   = "auth"
+  value  = "${digitalocean_record.enp_en1.fqdn}."
+  ttl    = 43200
+}
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "scipiocapital_ns1" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "scipiocapital_ns2" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "scipiocapital_ns3" {
+  domain = digitalocean_domain.scipiocapital.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}

skylab/infra/playbooks/terraform/main.tf

@@ -0,0 +1,10 @@
+terraform {
+  backend "pg" {}
+
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+  }
+}

skylab/infra/playbooks/terraform/project.scipio.tf

@@ -0,0 +1,13 @@
+resource "digitalocean_project" "scipio" {
+  name        = "Scipio Capital"
+  description = "Eventual home of Scipio Capital systems"
+  purpose     = "Service or API"
+  environment = "Production"
+}
+
+resource "digitalocean_project_resources" "scipio" {
+  project = digitalocean_project.scipio.id
+  resources = [
+    digitalocean_domain.scipiocapital.urn,
+  ]
+}

skylab/infra/playbooks/terraform/project.skylab.tf

@@ -0,0 +1,17 @@
+resource "digitalocean_project" "skylab" {
+  name        = "SkyLab"
+  description = "SkyLab resources, with emphasis on Sky"
+  purpose     = "Operational / Developer tooling"
+  environment = "Development"
+  is_default  = true
+}
+
+resource "digitalocean_project_resources" "skylab" {
+  project = digitalocean_project.skylab.id
+  resources = [
+    digitalocean_domain.allaroundhere.urn,
+    digitalocean_domain.enpaul.urn,
+    digitalocean_domain.enp.urn,
+    digitalocean_spaces_bucket.enp_cdn.urn
+  ]
+}

skylab/infra/playbooks/terraform/spaces.cdn.tf

@@ -0,0 +1,18 @@
+resource "digitalocean_spaces_bucket" "enp_cdn" {
+  name          = "en2-cdn"
+  region        = "nyc3"
+  acl           = "public-read"
+  force_destroy = false
+}
+
+resource "digitalocean_certificate" "enp_cdn" {
+  name    = "CDN"
+  type    = "lets_encrypt"
+  domains = ["cdn.enp.one", "enp.one"]
+}
+
+resource "digitalocean_cdn" "enp" {
+  origin           = digitalocean_spaces_bucket.enp_cdn.bucket_domain_name
+  custom_domain    = "cdn.enp.one"
+  certificate_name = digitalocean_certificate.enp_cdn.name
+}

skylab/infra/plugins/README.md

@@ -1,33 +0,0 @@
-# Collections Plugins Directory
-
-This directory can be used to ship various plugins inside an Ansible collection. Each
-plugin is placed in a folder that is named after the type of plugin it is in. It can also
-include the `module_utils` and `modules` directory that would contain module utils and
-modules respectively.
-
-Here is an example directory of the majority of plugins currently supported by Ansible:
-
-```
-└── plugins
-    ├── action
-    ├── become
-    ├── cache
-    ├── callback
-    ├── cliconf
-    ├── connection
-    ├── filter
-    ├── httpapi
-    ├── inventory
-    ├── lookup
-    ├── module_utils
-    ├── modules
-    ├── netconf
-    ├── shell
-    ├── strategy
-    ├── terminal
-    ├── test
-    └── vars
-```
-
-A full list of plugin types can be found at
-[Working With Plugins](https://docs.ansible.com/ansible-core/2.14/plugins/plugins.html).