skylab/skylab-ansible
Archived
2
0
Fork 0
Code Pull Requests Releases Activity

Compare commits

base: skylab:d901c1d94070e7f9bb472718e53cb06d9b983ab8
Branches Tags
skylab:devel
..
compare: skylab:devel
Branches Tags
skylab:devel

21 Commits
d901c1d940 ... devel

Author SHA1 Message Date
Ethan Paul
4a516eee15 Stop assuming rockylinux has firewalld installed by default 2023-05-19 16:39:52 -04:00
Ethan Paul
15a1411f1a Add project resource assignments 2023-05-07 16:16:03 -04:00
Ethan Paul
868ab721dd Add scipio project 2023-05-07 16:06:53 -04:00
Ethan Paul
9776e9a316 Add skylab project definition 2023-05-07 16:04:25 -04:00
Ethan Paul
28f1f80d6f Remove pdb.enp.one 2023-05-07 15:49:14 -04:00
Ethan Paul
0f9479731a Update domains to use pointer vars instead of repeat values 2023-05-07 15:48:29 -04:00
Ethan Paul
3df0115191 Add CDN config for space 2023-05-07 15:43:39 -04:00
Ethan Paul
fcb25b79ce Add CDN space 2023-05-07 14:59:17 -04:00
Ethan Paul
e591db8581 Add auth subdomain 2023-05-04 16:23:59 -04:00
Ethan Paul
e4fd90c013 Restructure en1 main inventory group 2023-05-02 22:44:27 -04:00
Ethan Paul
219b03b4ee Add notify subdomain for scipio app 2023-05-02 22:44:26 -04:00
Ethan Paul
1b941a11a2 Add docs and notify subdomains to scipio doman 2023-05-02 18:02:20 -04:00
Ethan Paul
12991700b9 Disable hostkey checking on connection test task 2023-04-21 20:59:57 -04:00
Ethan Paul
02b6460cff Add ssh port update to bootstrap playbook 
Update to use dynamic managment settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user
 2023-04-19 18:42:04 -04:00
Ethan Paul
5f602c797f Add sanity connection check for bootstrap hosts 2023-04-18 21:56:02 -04:00
Ethan Paul
538bb26f83 Fix updating ssh keys before user exists 2023-04-18 21:39:32 -04:00
Ethan Paul
fa0df823ee Add main hosts for scipio domain 2023-04-14 15:11:45 -04:00
Ethan Paul
49eacf103c Add scipiocapital domain 2023-04-13 23:35:02 -04:00
Ethan Paul
4d1d28c64b Add pdb subdomain for grist 2023-04-11 17:49:33 -04:00
Ethan Paul
5803ea337e Add www subdomain for enp 2023-04-05 23:04:34 -04:00
Ethan Paul
20e9ec68d2 Improve docs on cloud playbook 2023-04-05 01:52:45 -04:00
11 changed files with 475 additions and 230 deletions
Expand all files Collapse all files

166
inventory/en1.old.yaml Normal file
View File

@@ -0,0 +1,166 @@
---
workstation:
hosts:
voyager:
skylab_description: Personal Workstation
skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation]
en1:
vars:
skylab_location: Newton MA
skylab_dashboard: info.en1.local
# gross hack for now, will be refactored later
_skylab_adguard_nat_rule: 9
hosts:
core:
ansible_host: 10.42.101.1
ansible_port: 4242
ansible_network_os: edgeos
skylab_description: EN1 Core Router
iridium:
ansible_host: 10.42.101.200
skylab_description: Local Monitor Node
skylab_hostname: iridium.skylab.enp.one
skylab_targets: [network]
skylab_networking:
enp4s0:
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.200/24
children:
cluster:
vars:
skylab_targets: [cluster, datastore]
skylab_compose_version: 3.8
skylab_compose_dir: "{{ skylab_state_dir }}/compose"
hosts:
pegasus: # jupiter
ansible_host: 10.42.101.100
skylab_hostname: pegasus.skylab.enp.one
skylab_legacy_names:
- jupiter.net.enp.one
- jupiter.svr.local
skylab_description: Arbiter Node
skylab_cluster:
address:
access: 10.42.101.10/24
internal: 192.168.42.10/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.100/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.10/24
dhcp: false
saturn: # remus
ansible_host: 10.42.101.110
skylab_hostname: saturn.skylab.enp.one
skylab_legacy_names:
- remus.net.enp.one
- remus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.11/24
internal: 192.168.42.20/24
interface:
access: bond0
internal: bond0.99
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
addresses:
- 10.42.101.110/24
- 192.168.255.255/32
dns:
- 10.42.101.1
bond0.99:
device: vlan
firewall: trusted
dhcp: false
addresses:
- 192.168.42.20/24
orion: # romulus
ansible_host: 10.42.101.120
skylab_hostname: orion.skylab.enp.one
skylab_legacy_names:
- romulus.net.enp.one
- romulus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.12/24
internal: 192.168.42.30/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.120/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.30/24
dhcp: false
en2:
vars:
skylab_location: DigitalOcean TOR1
hosts:
hubble:
ansible_host: en2a.enp.one
skylab_hostname: hubble.en2.enp.one
skylab_description: Cloud Web Server
skylab_targets: [cloud]

204
inventory/en1.yaml
View File

@@ -1,175 +1,51 @@
--- ---
all:
vars:
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_pip_version: 19.3.1
ansible_user: ansible
ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
workstation:
hosts:
voyager:
skylab_description: Personal Workstation
skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation]
en1: en1:
vars: vars:
skylab_location: Newton MA skylab_location: Cambridge
skylab_dashboard: info.en1.local
# gross hack for now, will be refactored later
_skylab_adguard_nat_rule: 9
hosts:
core:
ansible_host: 10.42.101.1
ansible_port: 4242
ansible_network_os: edgeos
skylab_description: EN1 Core Router
iridium:
ansible_host: 10.42.101.200
skylab_description: Local Monitor Node
skylab_hostname: iridium.skylab.enp.one
skylab_targets: [network]
skylab_networking:
enp4s0:
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.200/24
children:
domain:
children: children:
cluster: cluster:
vars: hosts:
skylab_targets: [cluster, datastore] canaveral:
skylab_compose_version: 3.8 ansible_host: 10.42.101.10
skylab_compose_dir: "{{ skylab_state_dir }}/compose" skylab_description: Compute and Storage Node
baikonur:
ansible_host: 10.42.101.11
skylab_description: Compute and Storage Node
vandenberg:
ansible_host: 10.42.101.12
skylab_description: Compute and Storage Node
andoya:
ansible_host: 10.42.101.13
skylab_description: Auxilary Compute Node
jiuquan:
ansible_host: 10.42.101.14
skylab_description: Auxilary Compute Node
datastore:
hosts:
canaveral:
skylab_datastore_block: /dev/sda
baikonur:
skylab_datastore_block: /dev/sda
vandenberg:
skylab_datastore_block: /dev/sda
hosts: hosts:
pegasus: # jupiter 3d-printer: {}
ansible_host: 10.42.101.100 mediastore: {}
skylab_hostname: pegasus.skylab.enp.one backstore: {}
skylab_legacy_names:
- jupiter.net.enp.one
- jupiter.svr.local
skylab_description: Arbiter Node
skylab_cluster:
address:
access: 10.42.101.10/24
internal: 192.168.42.10/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.100/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.10/24
dhcp: false
saturn: # remus
ansible_host: 10.42.101.110
skylab_hostname: saturn.skylab.enp.one
skylab_legacy_names:
- remus.net.enp.one
- remus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.11/24
internal: 192.168.42.20/24
interface:
access: bond0
internal: bond0.99
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
addresses:
- 10.42.101.110/24
- 192.168.255.255/32
dns:
- 10.42.101.1
bond0.99:
device: vlan
firewall: trusted
dhcp: false
addresses:
- 192.168.42.20/24
orion: # romulus
ansible_host: 10.42.101.120
skylab_hostname: orion.skylab.enp.one
skylab_legacy_names:
- romulus.net.enp.one
- romulus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.12/24
internal: 192.168.42.30/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.120/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.30/24
dhcp: false
en2:
vars:
skylab_location: DigitalOcean TOR1
local:
hosts: hosts:
hubble: core: {}
ansible_host: en2a.enp.one switch-1: {}
skylab_hostname: hubble.en2.enp.one switch-2: {}
skylab_description: Cloud Web Server wap-1: {}
skylab_targets: [cloud] wap-2: {}
wap-3: {}
printer: {}

27
inventory/group_vars/all.yaml
View File

@@ -1,7 +1,19 @@
--- ---
skylab_mgmt_keys: ansible_user: ansible
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity ansible_port: 4242
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_ansible_vault_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
61323762623165383963316238343539346336663864366631616339356564346636373561616237
6666363531393234636337656431366365343236346536320a346163353935366636303131313661
32623635363063383039363539303135393838376264356463646465376435616363376163373663
6366633665373939380a373234633365376632376433643034336539346338613566353537663731
34323464633165626133306464363464333539363761343831316565356266373833
skylab_tfstate_backend: skylab_tfstate_backend:
hostname: cluster.lab.enp.one hostname: cluster.lab.enp.one
@@ -16,3 +28,12 @@ skylab_tfstate_backend:
3631343463616631380a386661336534663033383637666538316665303962353034376232356235 3631343463616631380a386661336534663033383637666538316665303962353034376232356235
65323339353563623431666535366465353133343137653232326534326436323661636536373564 65323339353563623431666535366465353133343137653232326534326436323661636536373564
3466633762303966366366653531613261336561356531636461 3466633762303966366366653531613261336561356531636461
skylab_mgmt:
sshport: 4242
group: skylab
user: ansible
id: 1400
sshkeys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity

151
skylab/infra/playbooks/bootstrap.yml
View File

@@ -28,21 +28,23 @@
ansible_ssh_pass: "{{ bootstrap_password }}" ansible_ssh_pass: "{{ bootstrap_password }}"
ansible_port: "{{ bootstrap_port }}" ansible_port: "{{ bootstrap_port }}"
- name: Test connection
delegate_to: bootstrap
delegate_facts: true
vars:
ansible_host_key_checking: false
ansible.builtin.ping: {}
- name: Bootstrap remote - name: Bootstrap remote
hosts: bootstrap hosts: bootstrap
vars: vars:
ansible_host_key_checking: false ansible_host_key_checking: false
vars_prompt: vars_prompt:
- name: vault_password - name: skylab_ansible_vault_password
prompt: Enter Ansible vault password for generating user secrets prompt: Enter Ansible vault password for generating user secrets
private: true private: true
confirm: true confirm: true
tasks: tasks:
- name: Fetch install path
ansible.builtin.stat:
path: /var/lib/skylab
register: _skylab_install_path
- name: Check OS requirements - name: Check OS requirements
ansible.builtin.assert: ansible.builtin.assert:
that: that:
@@ -54,68 +56,75 @@
Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}), Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
only RockyLinux 8 and RockyLinux 9 are supported. only RockyLinux 8 and RockyLinux 9 are supported.
- name: Check boostrap state
ansible.builtin.assert:
that:
- not _skylab_install_path.stat.exists
success_msg: >-
Host is ready for boostrapping
fail_msg: >-
Host has already been boostrapped
- name: Check that management keys are defined - name: Check that management keys are defined
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- skylab_mgmt_keys is defined - skylab_mgmt is defined
- skylab_mgmt_keys != [] - skylab_mgmt.sshkeys != []
success_msg: >- success_msg: >-
Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
fail_msg: >- fail_msg: >-
No management keys were found for installation to the Ansible management user. Aborting to avoid No management keys were found for installation to the Ansible management user. Aborting to avoid
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
a list of SSH public keys to install to the Ansible management user. a list of SSH public keys to install to the Ansible management user.
- name: Create skylab group - name: Install RockyLinux python bindings
ansible.builtin.group: become: true
name: skylab ansible.builtin.dnf:
state: present state: present
gid: 1400 name:
- libffi-devel
- python3-devel
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Update ansible user authorized keys - name: Create mgmt group
ansible.posix.authorized_key: become: true
user: ansible ansible.builtin.group:
exclusive: true name: "{{ skylab_mgmt.group }}"
key: "{{ skylab_mgmt_keys | join('\n') }}" state: present
gid: "{{ skylab_mgmt.id }}"
- name: Generate ansible user account password - name: Generate mgmt user account password
delegate_to: localhost delegate_to: localhost
no_log: true no_log: true
changed_when: false changed_when: false
ansible.builtin.shell: ansible.builtin.shell:
cmd: > cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
'{{ vault_password }}' | '{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash executable: /bin/bash
register: _password_ansible register: _password_mgmt
- name: Update ansible user account - name: Update mgmt user account
become: true
ansible.builtin.user: ansible.builtin.user:
name: ansible name: "{{ skylab_mgmt.user }}"
state: present state: present
group: skylab group: "{{ skylab_mgmt.group }}"
groups: groups:
- skylab - "{{ skylab_mgmt.group }}"
- wheel - wheel
uid: 1400 uid: "{{ skylab_mgmt.id }}"
password: "{{ _password_ansible.stdout }}" password: "{{ _password_mgmt.stdout }}"
- name: Remove ansible user group - name: Update mgmt user authorized keys
become: true
ansible.posix.authorized_key:
user: "{{ skylab_mgmt.user }}"
exclusive: true
key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
- name: Remove mgmt user group
become: true
ansible.builtin.group: ansible.builtin.group:
name: ansible name: "{{ skylab_mgmt.user }}"
state: absent state: absent
- name: Update root user authorized keys - name: Update root user authorized keys
become: true
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: root user: root
exclusive: true exclusive: true
@@ -127,22 +136,66 @@
content: "%wheel ALL=(ALL) NOPASSWD: ALL" content: "%wheel ALL=(ALL) NOPASSWD: ALL"
dest: /etc/sudoers.d/30-wheel dest: /etc/sudoers.d/30-wheel
owner: root owner: root
group: skylab group: "{{ skylab_mgmt.group }}"
mode: 0644 mode: 0644
- name: Disable SSHD password auth - name: Disable SSHD password auth
become: true
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^(#?)PasswordAuthentication .*$' regexp: '^(#?)PasswordAuthentication .*$'
replace: 'PasswordAuthentication no' replace: PasswordAuthentication no
- name: Disable SSHD root login - name: Disable SSHD root login
become: true
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^(#?)PermitRootLogin .*$' regexp: '^(#?)PermitRootLogin .*$'
replace: 'PermitRootLogin no' replace: PermitRootLogin no
- name: Update SSHD mgmt port
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)Port .*$'
replace: Port {{ skylab_mgmt.sshport }}
- name: Grant SSHD permissions on the mgmt port
become: true
community.general.seport:
ports: "{{ skylab_mgmt.sshport }}"
proto: tcp
setype: ssh_port_t
state: present
- name: Install Firewalld
become: true
ansible.builtin.dnf:
name: firewalld
state: present
- name: Enable Firewalld
become: true
ansible.builtin.service:
name: firewalld
enabled: true
- name: Grant SSHD firewall access to the mgmt port
become: true
ansible.posix.firewalld:
port: "{{ skylab_mgmt.sshport }}/tcp"
state: enabled
permanent: true
- name: Revoke SSHD firewall access to default port
become: true
ansible.posix.firewalld:
service: ssh
permanent: true
state: disabled
- name: Update OS - name: Update OS
become: true
ansible.builtin.dnf: ansible.builtin.dnf:
name: "*" name: "*"
state: latest state: latest
@@ -154,22 +207,24 @@
changed_when: false changed_when: false
ansible.builtin.shell: ansible.builtin.shell:
cmd: > cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
'{{ vault_password }}' | '{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash executable: /bin/bash
register: _password_root register: _password_root
- name: Update root user account - name: Update root user account
become: true
ansible.builtin.user: ansible.builtin.user:
name: root name: root
state: present state: present
password: "{{ _password_root.stdout }}" password: "{{ _password_root.stdout }}"
- name: Create SkyLab directory - name: Create SkyLab directory
become: true
ansible.builtin.file: ansible.builtin.file:
state: directory state: directory
path: /var/lib/skylab path: "{{ skylab_state_dir }}"
owner: ansible owner: "{{ skylab_mgmt.user }}"
group: skylab group: "{{ skylab_mgmt.group }}"
mode: 0750 mode: 0750

7
skylab/infra/playbooks/cloud.yml
View File

@@ -14,6 +14,11 @@
suffix: tfplan suffix: tfplan
register: _tfplan_tempfile register: _tfplan_tempfile
# Generating a plan file before yeeting a deployment into the
# wind helps to ensure that the syntax is correct, backend and
# state are valid, and all the plumbing is working as expected.
# We don't want errors when we deploy, so it's better to
# generate the plan first
- name: Initialize terraform backend and generate plan file - name: Initialize terraform backend and generate plan file
community.general.terraform: community.general.terraform:
state: planned state: planned
@@ -24,6 +29,8 @@
init_reconfigure: true init_reconfigure: true
plan_file: "{{ _tfplan_tempfile.path }}" plan_file: "{{ _tfplan_tempfile.path }}"
# TODO: update to take DO token from invocation args rather than
# implicit env var
- name: Apply terraform plan - name: Apply terraform plan
community.general.terraform: community.general.terraform:
state: present state: present

22
skylab/infra/playbooks/terraform/domain.enp.tf
View File

@@ -17,7 +17,7 @@ resource "digitalocean_record" "enp_en1" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "A" type = "A"
name = "en1" name = "en1"
value = "24.2.156.189" value = digitalocean_record.enp.value
ttl = 3600 ttl = 3600
} }
@@ -28,7 +28,7 @@ resource "digitalocean_record" "enp_vcs" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "vcs" name = "vcs"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
@@ -36,7 +36,7 @@ resource "digitalocean_record" "enp_ssv" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "ssv" name = "ssv"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
@@ -44,7 +44,7 @@ resource "digitalocean_record" "enp_pms" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "pms" name = "pms"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
@@ -52,7 +52,7 @@ resource "digitalocean_record" "enp_cdn" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "cdn" name = "cdn"
value = "en2-cdn.nyc3.cdn.digitaloceanspaces.com." value = "${digitalocean_cdn.enp.endpoint}."
ttl = 3600 ttl = 3600
} }
@@ -60,15 +60,15 @@ resource "digitalocean_record" "enp_vpn" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "vpn" name = "vpn"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
resource "digitalocean_record" "enp_web" { resource "digitalocean_record" "enp_www" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "web" name = "www"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
@@ -76,7 +76,7 @@ resource "digitalocean_record" "enp_sso" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "sso" name = "sso"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }
@@ -84,7 +84,7 @@ resource "digitalocean_record" "enp_img" {
domain = digitalocean_domain.enp.id domain = digitalocean_domain.enp.id
type = "CNAME" type = "CNAME"
name = "img" name = "img"
value = "en1.enp.one." value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600 ttl = 10600
} }

2
skylab/infra/playbooks/terraform/domain.enpaul.tf
View File

@@ -9,7 +9,7 @@ resource "digitalocean_record" "enpaul" {
domain = digitalocean_domain.enpaul.id domain = digitalocean_domain.enpaul.id
type = "A" type = "A"
name = "@" name = "@"
value = "24.2.156.189" value = digitalocean_record.enp.value
ttl = 3600 ttl = 3600
} }

72
skylab/infra/playbooks/terraform/domain.scipiocapital.tf Normal file
View File

@@ -0,0 +1,72 @@
resource "digitalocean_domain" "scipiocapital" {
name = "scipiocapital.us"
}
# ==========================================================================
# Standard hostname configuration
resource "digitalocean_record" "scipiocapital" {
domain = digitalocean_domain.scipiocapital.id
type = "A"
name = "@"
value = digitalocean_record.enp.value
ttl = 3600
}
resource "digitalocean_record" "scipiocapital_app" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "app"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_notify" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "notify"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_docs" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "docs"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_auth" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "auth"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
# ==========================================================================
# Standard DO configuration for all managed domains, includes
# NS records and SOA
resource "digitalocean_record" "scipiocapital_ns1" {
domain = digitalocean_domain.scipiocapital.id
type = "NS"
name = "@"
value = "ns1.digitalocean.com."
ttl = 1800
}
resource "digitalocean_record" "scipiocapital_ns2" {
domain = digitalocean_domain.scipiocapital.id
type = "NS"
name = "@"
value = "ns2.digitalocean.com."
ttl = 1800
}
resource "digitalocean_record" "scipiocapital_ns3" {
domain = digitalocean_domain.scipiocapital.id
type = "NS"
name = "@"
value = "ns3.digitalocean.com."
ttl = 1800
}

13
skylab/infra/playbooks/terraform/project.scipio.tf Normal file
View File

@@ -0,0 +1,13 @@
resource "digitalocean_project" "scipio" {
name = "Scipio Capital"
description = "Eventual home of Scipio Capital systems"
purpose = "Service or API"
environment = "Production"
}
resource "digitalocean_project_resources" "scipio" {
project = digitalocean_project.scipio.id
resources = [
digitalocean_domain.scipiocapital.urn,
]
}

17
skylab/infra/playbooks/terraform/project.skylab.tf Normal file
View File

@@ -0,0 +1,17 @@
resource "digitalocean_project" "skylab" {
name = "SkyLab"
description = "SkyLab resources, with emphasis on Sky"
purpose = "Operational / Developer tooling"
environment = "Development"
is_default = true
}
resource "digitalocean_project_resources" "skylab" {
project = digitalocean_project.skylab.id
resources = [
digitalocean_domain.allaroundhere.urn,
digitalocean_domain.enpaul.urn,
digitalocean_domain.enp.urn,
digitalocean_spaces_bucket.enp_cdn.urn
]
}

18
skylab/infra/playbooks/terraform/spaces.cdn.tf Normal file
View File

@@ -0,0 +1,18 @@
resource "digitalocean_spaces_bucket" "enp_cdn" {
name = "en2-cdn"
region = "nyc3"
acl = "public-read"
force_destroy = false
}
resource "digitalocean_certificate" "enp_cdn" {
name = "CDN"
type = "lets_encrypt"
domains = ["cdn.enp.one", "enp.one"]
}
resource "digitalocean_cdn" "enp" {
origin = digitalocean_spaces_bucket.enp_cdn.bucket_domain_name
custom_domain = "cdn.enp.one"
certificate_name = digitalocean_certificate.enp_cdn.name
}