skylab/skylab-ansible
Archived
2
0
Fork 0
Code Pull Requests Releases Activity

Compare commits

base: skylab:fa0df823eea13804928b9412b0b67f6bf7e5fe0d
Branches Tags
skylab:devel
..
compare: skylab:devel
Branches Tags
skylab:devel

16 Commits
fa0df823ee ... devel

Author SHA1 Message Date
Ethan Paul
4a516eee15 Stop assuming rockylinux has firewalld installed by default 2023-05-19 16:39:52 -04:00
Ethan Paul
15a1411f1a Add project resource assignments 2023-05-07 16:16:03 -04:00
Ethan Paul
868ab721dd Add scipio project 2023-05-07 16:06:53 -04:00
Ethan Paul
9776e9a316 Add skylab project definition 2023-05-07 16:04:25 -04:00
Ethan Paul
28f1f80d6f Remove pdb.enp.one 2023-05-07 15:49:14 -04:00
Ethan Paul
0f9479731a Update domains to use pointer vars instead of repeat values 2023-05-07 15:48:29 -04:00
Ethan Paul
3df0115191 Add CDN config for space 2023-05-07 15:43:39 -04:00
Ethan Paul
fcb25b79ce Add CDN space 2023-05-07 14:59:17 -04:00
Ethan Paul
e591db8581 Add auth subdomain 2023-05-04 16:23:59 -04:00
Ethan Paul
e4fd90c013 Restructure en1 main inventory group 2023-05-02 22:44:27 -04:00
Ethan Paul
219b03b4ee Add notify subdomain for scipio app 2023-05-02 22:44:26 -04:00
Ethan Paul
1b941a11a2 Add docs and notify subdomains to scipio doman 2023-05-02 18:02:20 -04:00
Ethan Paul
12991700b9 Disable hostkey checking on connection test task 2023-04-21 20:59:57 -04:00
Ethan Paul
02b6460cff Add ssh port update to bootstrap playbook 
Update to use dynamic managment settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user
 2023-04-19 18:42:04 -04:00
Ethan Paul
5f602c797f Add sanity connection check for bootstrap hosts 2023-04-18 21:56:02 -04:00
Ethan Paul
538bb26f83 Fix updating ssh keys before user exists 2023-04-18 21:39:32 -04:00
10 changed files with 419 additions and 238 deletions
Expand all files Collapse all files

166
inventory/en1.old.yaml Normal file
View File

@@ -0,0 +1,166 @@
---
workstation:
hosts:
voyager:
skylab_description: Personal Workstation
skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation]
en1:
vars:
skylab_location: Newton MA
skylab_dashboard: info.en1.local
# gross hack for now, will be refactored later
_skylab_adguard_nat_rule: 9
hosts:
core:
ansible_host: 10.42.101.1
ansible_port: 4242
ansible_network_os: edgeos
skylab_description: EN1 Core Router
iridium:
ansible_host: 10.42.101.200
skylab_description: Local Monitor Node
skylab_hostname: iridium.skylab.enp.one
skylab_targets: [network]
skylab_networking:
enp4s0:
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.200/24
children:
cluster:
vars:
skylab_targets: [cluster, datastore]
skylab_compose_version: 3.8
skylab_compose_dir: "{{ skylab_state_dir }}/compose"
hosts:
pegasus: # jupiter
ansible_host: 10.42.101.100
skylab_hostname: pegasus.skylab.enp.one
skylab_legacy_names:
- jupiter.net.enp.one
- jupiter.svr.local
skylab_description: Arbiter Node
skylab_cluster:
address:
access: 10.42.101.10/24
internal: 192.168.42.10/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.100/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.10/24
dhcp: false
saturn: # remus
ansible_host: 10.42.101.110
skylab_hostname: saturn.skylab.enp.one
skylab_legacy_names:
- remus.net.enp.one
- remus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.11/24
internal: 192.168.42.20/24
interface:
access: bond0
internal: bond0.99
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
addresses:
- 10.42.101.110/24
- 192.168.255.255/32
dns:
- 10.42.101.1
bond0.99:
device: vlan
firewall: trusted
dhcp: false
addresses:
- 192.168.42.20/24
orion: # romulus
ansible_host: 10.42.101.120
skylab_hostname: orion.skylab.enp.one
skylab_legacy_names:
- romulus.net.enp.one
- romulus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.12/24
internal: 192.168.42.30/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.120/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.30/24
dhcp: false
en2:
vars:
skylab_location: DigitalOcean TOR1
hosts:
hubble:
ansible_host: en2a.enp.one
skylab_hostname: hubble.en2.enp.one
skylab_description: Cloud Web Server
skylab_targets: [cloud]

210
inventory/en1.yaml
View File

@@ -1,175 +1,51 @@
---
all:
vars:
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_pip_version: 19.3.1
ansible_user: ansible
ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
workstation:
hosts:
voyager:
skylab_description: Personal Workstation
skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation]
en1:
vars:
skylab_location: Newton MA
skylab_dashboard: info.en1.local
# gross hack for now, will be refactored later
_skylab_adguard_nat_rule: 9
hosts:
core:
ansible_host: 10.42.101.1
ansible_port: 4242
ansible_network_os: edgeos
skylab_description: EN1 Core Router
iridium:
ansible_host: 10.42.101.200
skylab_description: Local Monitor Node
skylab_hostname: iridium.skylab.enp.one
skylab_targets: [network]
skylab_networking:
enp4s0:
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.200/24
skylab_location: Cambridge
children:
domain:
children:
cluster:
vars:
skylab_targets: [cluster, datastore]
skylab_compose_version: 3.8
skylab_compose_dir: "{{ skylab_state_dir }}/compose"
cluster:
hosts:
canaveral:
ansible_host: 10.42.101.10
skylab_description: Compute and Storage Node
baikonur:
ansible_host: 10.42.101.11
skylab_description: Compute and Storage Node
vandenberg:
ansible_host: 10.42.101.12
skylab_description: Compute and Storage Node
andoya:
ansible_host: 10.42.101.13
skylab_description: Auxilary Compute Node
jiuquan:
ansible_host: 10.42.101.14
skylab_description: Auxilary Compute Node
datastore:
hosts:
canaveral:
skylab_datastore_block: /dev/sda
baikonur:
skylab_datastore_block: /dev/sda
vandenberg:
skylab_datastore_block: /dev/sda
hosts:
3d-printer: {}
mediastore: {}
backstore: {}
local:
hosts:
pegasus: # jupiter
ansible_host: 10.42.101.100
skylab_hostname: pegasus.skylab.enp.one
skylab_legacy_names:
- jupiter.net.enp.one
- jupiter.svr.local
skylab_description: Arbiter Node
skylab_cluster:
address:
access: 10.42.101.10/24
internal: 192.168.42.10/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.100/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.10/24
dhcp: false
saturn: # remus
ansible_host: 10.42.101.110
skylab_hostname: saturn.skylab.enp.one
skylab_legacy_names:
- remus.net.enp.one
- remus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.11/24
internal: 192.168.42.20/24
interface:
access: bond0
internal: bond0.99
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
dhcp: false
gateway: 10.42.101.1/24
addresses:
- 10.42.101.110/24
- 192.168.255.255/32
dns:
- 10.42.101.1
bond0.99:
device: vlan
firewall: trusted
dhcp: false
addresses:
- 192.168.42.20/24
orion: # romulus
ansible_host: 10.42.101.120
skylab_hostname: orion.skylab.enp.one
skylab_legacy_names:
- romulus.net.enp.one
- romulus.svr.local
skylab_description: Operational Node
skylab_cluster:
address:
access: 10.42.101.12/24
internal: 192.168.42.30/24
interface:
access: bond0
internal: bond0.99
skylab_datastore_device: sdb
skylab_networking:
eno1:
bond: bond0
eno2:
bond: bond0
bond0:
device: bond
firewall: internal
gateway: 10.42.101.1/24
dns:
- 10.42.101.1
addresses:
- 10.42.101.120/24
- 192.168.255.255/32
dhcp: false
bond0.99:
device: vlan
firewall: trusted
addresses:
- 192.168.42.30/24
dhcp: false
en2:
vars:
skylab_location: DigitalOcean TOR1
hosts:
hubble:
ansible_host: en2a.enp.one
skylab_hostname: hubble.en2.enp.one
skylab_description: Cloud Web Server
skylab_targets: [cloud]
core: {}
switch-1: {}
switch-2: {}
wap-1: {}
wap-2: {}
wap-3: {}
printer: {}

27
inventory/group_vars/all.yaml
View File

@@ -1,7 +1,19 @@
---
skylab_mgmt_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity
ansible_user: ansible
ansible_port: 4242
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_ansible_vault_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
61323762623165383963316238343539346336663864366631616339356564346636373561616237
6666363531393234636337656431366365343236346536320a346163353935366636303131313661
32623635363063383039363539303135393838376264356463646465376435616363376163373663
6366633665373939380a373234633365376632376433643034336539346338613566353537663731
34323464633165626133306464363464333539363761343831316565356266373833
skylab_tfstate_backend:
hostname: cluster.lab.enp.one
@@ -16,3 +28,12 @@ skylab_tfstate_backend:
3631343463616631380a386661336534663033383637666538316665303962353034376232356235
65323339353563623431666535366465353133343137653232326534326436323661636536373564
3466633762303966366366653531613261336561356531636461
skylab_mgmt:
sshport: 4242
group: skylab
user: ansible
id: 1400
sshkeys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity

151
skylab/infra/playbooks/bootstrap.yml
View File

@@ -28,21 +28,23 @@
ansible_ssh_pass: "{{ bootstrap_password }}"
ansible_port: "{{ bootstrap_port }}"
- name: Test connection
delegate_to: bootstrap
delegate_facts: true
vars:
ansible_host_key_checking: false
ansible.builtin.ping: {}
- name: Bootstrap remote
hosts: bootstrap
vars:
ansible_host_key_checking: false
vars_prompt:
- name: vault_password
- name: skylab_ansible_vault_password
prompt: Enter Ansible vault password for generating user secrets
private: true
confirm: true
tasks:
- name: Fetch install path
ansible.builtin.stat:
path: /var/lib/skylab
register: _skylab_install_path
- name: Check OS requirements
ansible.builtin.assert:
that:
@@ -54,68 +56,75 @@
Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
only RockyLinux 8 and RockyLinux 9 are supported.
- name: Check boostrap state
ansible.builtin.assert:
that:
- not _skylab_install_path.stat.exists
success_msg: >-
Host is ready for boostrapping
fail_msg: >-
Host has already been boostrapped
- name: Check that management keys are defined
ansible.builtin.assert:
that:
- skylab_mgmt_keys is defined
- skylab_mgmt_keys != []
- skylab_mgmt is defined
- skylab_mgmt.sshkeys != []
success_msg: >-
Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user
Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
fail_msg: >-
No management keys were found for installation to the Ansible management user. Aborting to avoid
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
a list of SSH public keys to install to the Ansible management user.
- name: Create skylab group
ansible.builtin.group:
name: skylab
- name: Install RockyLinux python bindings
become: true
ansible.builtin.dnf:
state: present
gid: 1400
name:
- libffi-devel
- python3-devel
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Update ansible user authorized keys
ansible.posix.authorized_key:
user: ansible
exclusive: true
key: "{{ skylab_mgmt_keys | join('\n') }}"
- name: Create mgmt group
become: true
ansible.builtin.group:
name: "{{ skylab_mgmt.group }}"
state: present
gid: "{{ skylab_mgmt.id }}"
- name: Generate ansible user account password
- name: Generate mgmt user account password
delegate_to: localhost
no_log: true
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
'{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_ansible
register: _password_mgmt
- name: Update ansible user account
- name: Update mgmt user account
become: true
ansible.builtin.user:
name: ansible
name: "{{ skylab_mgmt.user }}"
state: present
group: skylab
group: "{{ skylab_mgmt.group }}"
groups:
- skylab
- "{{ skylab_mgmt.group }}"
- wheel
uid: 1400
password: "{{ _password_ansible.stdout }}"
uid: "{{ skylab_mgmt.id }}"
password: "{{ _password_mgmt.stdout }}"
- name: Remove ansible user group
- name: Update mgmt user authorized keys
become: true
ansible.posix.authorized_key:
user: "{{ skylab_mgmt.user }}"
exclusive: true
key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
- name: Remove mgmt user group
become: true
ansible.builtin.group:
name: ansible
name: "{{ skylab_mgmt.user }}"
state: absent
- name: Update root user authorized keys
become: true
ansible.posix.authorized_key:
user: root
exclusive: true
@@ -127,22 +136,66 @@
content: "%wheel ALL=(ALL) NOPASSWD: ALL"
dest: /etc/sudoers.d/30-wheel
owner: root
group: skylab
group: "{{ skylab_mgmt.group }}"
mode: 0644
- name: Disable SSHD password auth
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)PasswordAuthentication .*$'
replace: 'PasswordAuthentication no'
replace: PasswordAuthentication no
- name: Disable SSHD root login
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)PermitRootLogin .*$'
replace: 'PermitRootLogin no'
replace: PermitRootLogin no
- name: Update SSHD mgmt port
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)Port .*$'
replace: Port {{ skylab_mgmt.sshport }}
- name: Grant SSHD permissions on the mgmt port
become: true
community.general.seport:
ports: "{{ skylab_mgmt.sshport }}"
proto: tcp
setype: ssh_port_t
state: present
- name: Install Firewalld
become: true
ansible.builtin.dnf:
name: firewalld
state: present
- name: Enable Firewalld
become: true
ansible.builtin.service:
name: firewalld
enabled: true
- name: Grant SSHD firewall access to the mgmt port
become: true
ansible.posix.firewalld:
port: "{{ skylab_mgmt.sshport }}/tcp"
state: enabled
permanent: true
- name: Revoke SSHD firewall access to default port
become: true
ansible.posix.firewalld:
service: ssh
permanent: true
state: disabled
- name: Update OS
become: true
ansible.builtin.dnf:
name: "*"
state: latest
@@ -154,22 +207,24 @@
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
'{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_root
- name: Update root user account
become: true
ansible.builtin.user:
name: root
state: present
password: "{{ _password_root.stdout }}"
- name: Create SkyLab directory
become: true
ansible.builtin.file:
state: directory
path: /var/lib/skylab
owner: ansible
group: skylab
path: "{{ skylab_state_dir }}"
owner: "{{ skylab_mgmt.user }}"
group: "{{ skylab_mgmt.group }}"
mode: 0750

26
skylab/infra/playbooks/terraform/domain.enp.tf
View File

@@ -17,7 +17,7 @@ resource "digitalocean_record" "enp_en1" {
domain = digitalocean_domain.enp.id
type = "A"
name = "en1"
value = "24.2.156.189"
value = digitalocean_record.enp.value
ttl = 3600
}
@@ -28,7 +28,7 @@ resource "digitalocean_record" "enp_vcs" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "vcs"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -36,7 +36,7 @@ resource "digitalocean_record" "enp_ssv" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "ssv"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -44,7 +44,7 @@ resource "digitalocean_record" "enp_pms" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "pms"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -52,7 +52,7 @@ resource "digitalocean_record" "enp_cdn" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "cdn"
value = "en2-cdn.nyc3.cdn.digitaloceanspaces.com."
value = "${digitalocean_cdn.enp.endpoint}."
ttl = 3600
}
@@ -60,7 +60,7 @@ resource "digitalocean_record" "enp_vpn" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "vpn"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -68,7 +68,7 @@ resource "digitalocean_record" "enp_www" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "www"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -76,7 +76,7 @@ resource "digitalocean_record" "enp_sso" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "sso"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}
@@ -84,15 +84,7 @@ resource "digitalocean_record" "enp_img" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "img"
value = "en1.enp.one."
ttl = 10600
}
resource "digitalocean_record" "enp_pdb" {
domain = digitalocean_domain.enp.id
type = "CNAME"
name = "pdb"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 10600
}

2
skylab/infra/playbooks/terraform/domain.enpaul.tf
View File

@@ -9,7 +9,7 @@ resource "digitalocean_record" "enpaul" {
domain = digitalocean_domain.enpaul.id
type = "A"
name = "@"
value = "24.2.156.189"
value = digitalocean_record.enp.value
ttl = 3600
}

27
skylab/infra/playbooks/terraform/domain.scipiocapital.tf
View File

@@ -8,7 +8,7 @@ resource "digitalocean_record" "scipiocapital" {
domain = digitalocean_domain.scipiocapital.id
type = "A"
name = "@"
value = "24.2.156.189"
value = digitalocean_record.enp.value
ttl = 3600
}
@@ -16,10 +16,33 @@ resource "digitalocean_record" "scipiocapital_app" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "app"
value = "en1.enp.one."
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_notify" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "notify"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_docs" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "docs"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
resource "digitalocean_record" "scipiocapital_auth" {
domain = digitalocean_domain.scipiocapital.id
type = "CNAME"
name = "auth"
value = "${digitalocean_record.enp_en1.fqdn}."
ttl = 43200
}
# ==========================================================================
# Standard DO configuration for all managed domains, includes

13
skylab/infra/playbooks/terraform/project.scipio.tf Normal file
View File

@@ -0,0 +1,13 @@
resource "digitalocean_project" "scipio" {
name = "Scipio Capital"
description = "Eventual home of Scipio Capital systems"
purpose = "Service or API"
environment = "Production"
}
resource "digitalocean_project_resources" "scipio" {
project = digitalocean_project.scipio.id
resources = [
digitalocean_domain.scipiocapital.urn,
]
}

17
skylab/infra/playbooks/terraform/project.skylab.tf Normal file
View File

@@ -0,0 +1,17 @@
resource "digitalocean_project" "skylab" {
name = "SkyLab"
description = "SkyLab resources, with emphasis on Sky"
purpose = "Operational / Developer tooling"
environment = "Development"
is_default = true
}
resource "digitalocean_project_resources" "skylab" {
project = digitalocean_project.skylab.id
resources = [
digitalocean_domain.allaroundhere.urn,
digitalocean_domain.enpaul.urn,
digitalocean_domain.enp.urn,
digitalocean_spaces_bucket.enp_cdn.urn
]
}

18
skylab/infra/playbooks/terraform/spaces.cdn.tf Normal file
View File

@@ -0,0 +1,18 @@
resource "digitalocean_spaces_bucket" "enp_cdn" {
name = "en2-cdn"
region = "nyc3"
acl = "public-read"
force_destroy = false
}
resource "digitalocean_certificate" "enp_cdn" {
name = "CDN"
type = "lets_encrypt"
domains = ["cdn.enp.one", "enp.one"]
}
resource "digitalocean_cdn" "enp" {
origin = digitalocean_spaces_bucket.enp_cdn.bucket_domain_name
custom_domain = "cdn.enp.one"
certificate_name = digitalocean_certificate.enp_cdn.name
}