nicklasfrahm / infrastructure Goto Github PK

I would like to have a CLI or script that I can run against a fresh router after provisioning to do the following tasks:

• Set hostname
• Change user password

The tasks below should most likely be carried out via a service running inside k3s:

• Configure dynamic DNS
• Configure router ID and ASN

For more info consider the source file cmd/ic/zone/up.go.

First disable hybernation:

sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

Also edit the /etc/systemd/logind.conf to look similar to this:

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the logind.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/logind.conf' to display the full config.
#
# See logind.conf(5) for details.

[Login]
#NAutoVTs=6
#ReserveVT=6
#KillUserProcesses=no
#KillOnlyUsers=
#KillExcludeUsers=root
#InhibitDelayMaxSec=5
#UserStopDelaySec=10
#HandlePowerKey=poweroff
#HandleSuspendKey=suspend
#HandleHibernateKey=hibernate
HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore
#HandleRebootKey=reboot
#PowerKeyIgnoreInhibited=no
#SuspendKeyIgnoreInhibited=no
#HibernateKeyIgnoreInhibited=no
LidSwitchIgnoreInhibited=no
#RebootKeyIgnoreInhibited=no
#HoldoffTimeoutSec=30s
#IdleAction=ignore
#IdleActionSec=30min
#RuntimeDirectorySize=10%
#RuntimeDirectoryInodesMax=400k
#RemoveIPC=yes
#InhibitorsMax=8192
#SessionsMax=8192

For my project k3se I need a self-hosted GitHub Actions runner so I can run automated tests via Vagrant.

Currently, k3s does not work out of the box when bootstrapping the OS with cloud-init. It is required to manually add cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1 to /boot/firmware/cmdline.txt.

The following parameters should be configured for all repositories:

• Set default branch to main
• Configure branch protection
• Set up unified set of labels across all repositories

Attached you may also find a code sample of a previous iteration.

var labels = []Label{
	NewLabel("f44336", "bug", "Something isn't working"),
	NewLabel("e91e63", "dependencies", "Pull requests that updates a dependency file"),
	NewLabel("9e9e9e", "duplicate", "This issue or pull request already exists"),
	NewLabel("3f51b5", "feature", "New feature or request"),
	NewLabel("673ab7", "good first issue", "Good for newcomers"),
	NewLabel("009688", "help wanted", "Extra attention is needed"),
	NewLabel("ffeb3b", "invalid", "This doesn't seem right"),
	NewLabel("9c27b0", "question", "Further information is requested"),
	NewLabel("ffffff", "wontfix", "This will not be worked on"),
	NewLabel("304ffe", "python", "Pull requests that update Python code"),
	NewLabel("00bcd4", "go", "Pull requests that update Go code"),
}

type Label struct {
	Color       string
	Name        string
	Description string
}

func NewLabel(color string, name string, description string) Label {
	return Label{Color: color, Name: name, Description: description}
}

func ConfigureLabels(ctx *pulumi.Context, provider *github.Provider, repo Repository, id pulumi.StringOutput) error {
	for _, label := range labels {
		_, err := github.NewIssueLabel(ctx, fmt.Sprintf("%s-%s", repo.Name, label.Name), &github.IssueLabelArgs{
			Repository:  id,
			Color:       pulumi.String(label.Color),
			Name:        pulumi.String(label.Name),
			Description: pulumi.String(label.Description),
		}, pulumi.Provider(provider))
		if err != nil {
			return err
		}
	}

	return nil
}

func ConfigureBranches(ctx *pulumi.Context, provider *github.Provider, repo Repository) error {
	branch := "main"

	_, err := github.NewBranch(ctx, fmt.Sprintf("%s-%s", repo.Name, branch), &github.BranchArgs{
		Repository: pulumi.String(repo.Name),
		Branch:     pulumi.String(branch),
	}, pulumi.Provider(provider))
	if err != nil {
		return err
	}

	return nil
}

Ideally the sites should update their IP via dynamic DNS.

• Deploy Kubernetes CronJob

We would like to host a Ghost instance for Olcia. To complete this task we need the following things:

• Set Ola's blog title
• set up Ola's DNS records for odance.dk
• Install Liebling Ghost theme
• Send credentials to Ola

If a network-config is changed, these changes should automatically be deployed via CI.

• Set up new job as part of baremetal deployment process

Currently, I set up access to my mom's PC for remote maintenance via a shared keypair. This keypair will be replaced by a specifically generated RSA keypair, which requires the PC to be on. Additionally, the connection information such as hostname and username should be somehow stored as part of this repository.

• Finish setup of personal keypair for remote access
• Test setup with personal keypair and remove shared keypair
• Store connection information in git repository
• Document infrastructure setup

Currently, when deploying an app of apps for a dedicated cluster, we need to rely on the user to only deploy to the designated project. There is however no enforcement at the moment. We need to identify a better way so that the user of a dedicated cluster can't deploy to an arbitrary project.

Trust is good, but control is better.

The following tasks are to be carried out:

• Provision router and management cluster workhorse-0
• Rename sites to tph99, plk42 and bl8

The dependencies of all repositories should be automatically upgraded. The following steps are needed.

• Configure auto-merge
• Configure dependabot.yml
• Configure the dependabot-auto-merge action

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 && \
gpg --export --armor 648ACFD622F3D138 > yourpubkey.gpg && \
gpg --batch --yes --delete-keys 648ACFD622F3D138

Reference: https://superuser.com/questions/1641291/gpg-only-download-a-key-from-a-keyserver

To apply security updates without downtime to the router, kexec should be investigated as a tool for quick reboots.