module

.github/workflows/deploy.yaml

@@ -0,0 +1,122 @@
+name: Deploy
+
+on:
+  pull_request:
+  push:
+    branches:
+      - james/move
+  workflow_dispatch:
+    branches:
+      - main
+
+permissions: read-all
+
+env:
+  # Secrets
+  TF_VAR_meshdb_prod_proxmox_token_id: ${{ secrets.meshdb_prod_proxmox_token_id }}
+  TF_VAR_meshdb_prod_proxmox_token_secret: ${{ secrets.meshdb_prod_proxmox_token_secret }}
+  TF_VAR_meshdb_proxmox_token_id: ${{ secrets.meshdb_proxmox_token_id }}
+  TF_VAR_meshdb_proxmox_token_secret: ${{ secrets.meshdb_proxmox_token_secret }}
+  # Credentials for deployment to AWS
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  # S3 bucket for the Terraform state
+  BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # @v4
+
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #@v5
+        with:
+          python-version: '3.11'
+
+      - name: Setup ansible
+        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform
+
+      - name: Setup Terraform with specified version on the runner
+        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3
+        with:
+          terraform_version: 1.8.3
+
+      - name: Terraform init
+        id: init
+        run: terraform init -backend-config="bucket=$BUCKET_TF_STATE"
+        working-directory: ./terraform/
+
+      - name: Terraform format
+        id: fmt
+        run: terraform fmt -check
+        working-directory: ./terraform/
+
+      - name: Terraform validate
+        id: validate
+        run: terraform validate
+        working-directory: ./terraform/
+
+      - name: Setup WireGuard
+        run:  |
+          sudo apt-get update && sudo apt-get install -y wireguard
+          echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey
+          sudo ip link add dev wg0 type wireguard
+          sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }}
+          sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }}
+          sudo ip link set up dev wg0
+          rm privatekey
+
+      - name: Terraform plan
+        id: plan
+        if: github.event_name == 'pull_request'
+        run: terraform plan -no-color -input=false
+        continue-on-error: true
+        working-directory: ./terraform/
+
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # @v7
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+ 
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/james/move' && github.event_name == 'push'
+        run: |
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > dns_ed25519
+          echo "${{ secrets.SSH_PUBLIC_KEY }}" > dns_ed25519.pub
+          chmod 600 dns_ed25519
+          chmod 600 dns_ed25519.pub
+          terraform apply -auto-approve -input=false
+        working-directory: ./terraform/
+
+      - name: Run playbook
+        if: github.ref == 'refs/heads/james/move' && github.event_name == 'push'
+        run: sleep 45 && export PATH="$HOME/.local/bin:$PATH" && ansible-playbook -i inventory.yaml k8s_infra.yaml
+        working-directory: ./ansible/

.github/workflows/pr.yaml

@@ -0,0 +1,31 @@
+name: pull-request
+
+on:
+  pull_request:
+
+permissions: read-all
+
+env:
+  BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}}
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # @v4
+
+      - name: Setup Terraform with specified version on the runner
+        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3
+        with:
+          terraform_version: 1.8.3
+
+      - name: Terraform format
+        id: fmt
+        run: terraform fmt -check
+        working-directory: ./terraform/
+
+      - name: Terraform validate
+        id: validate
+        run: terraform init && terraform validate
+        working-directory: ./terraform/

ansible/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+host_key_checking = False
+
+[ssh_connection]
+ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no'

ansible/inventory.yaml

@@ -0,0 +1,3 @@
+---
+plugin: cloud.terraform.terraform_provider
+project_path: "../terraform"

ansible/meshdb.yaml

@@ -0,0 +1,11 @@
+- hosts: mgrs:workers 
+  roles:
+    - role: meshdb-k8s-node
+
+- hosts: mgrs 
+  roles:
+    - role: meshdb-mgr
+
+- hosts: lb
+  roles:
+    - role: k8s-lb

ansible/roles/k8s-lb/tasks/main.yaml

@@ -0,0 +1,134 @@
+
+- name: Install deps
+  ansible.builtin.apt:
+    lock_timeout: 240
+    update_cache: true
+    pkg:
+      - ca-certificates
+      - python3-pip
+      - python3.11-venv
+      - cron
+      - iptables-persistent
+      - haproxy
+  become: true
+
+- name: Install certbot
+  ansible.builtin.pip:
+    name: certbot==2.11.0
+    virtualenv: /root/certbot_venv
+    virtualenv_command: python3 -m venv
+  become: true
+
+- name: certbot script
+  ansible.builtin.template:
+    src: ../templates/certbot.sh.j2
+    dest: /root/certbot.sh
+    mode: "700"
+  become: true
+
+- name: dummy0 interface
+  ansible.builtin.template:
+    src: ../templates/netplan_dummy0.yaml.j2
+    dest: /etc/netplan/dummy0.yaml
+    mode: "600"
+  become: true
+
+- name: eth0 interface
+  ansible.builtin.template:
+    src: ../templates/netplan_50_cloud_init.yaml.j2
+    dest: /etc/netplan/50-cloud-init.yaml
+    mode: "600"
+  become: true
+
+- name: Install frr
+  ansible.builtin.apt:
+    update_cache: true
+    pkg:
+      - frr
+  become: true
+
+- name: Enable ospfd
+  ansible.builtin.lineinfile:
+    path: /etc/frr/daemons
+    search_string: ospfd=no
+    line: "ospfd=yes"
+  become: true
+
+- name: Config template frr
+  ansible.builtin.template:
+    src: ../templates/frr.conf.j2
+    dest: /etc/frr/frr.conf
+  become: true
+
+- name: Config template haproxy
+  ansible.builtin.template:
+    src: ../templates/haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+  become: true
+
+- name: Iptables rules
+  ansible.builtin.template:
+    src: ../templates/iptables.j2
+    dest: /etc/iptables/rules.v4
+  become: true
+
+- name: Restore iptables rules
+  ansible.builtin.command:
+    cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4'"
+  become: true
+
+- name: Netplan apply
+  ansible.builtin.command:
+    cmd: "bash -c 'netplan apply && touch /tmp/netplan_applied'"
+    creates: /tmp/netplan_applied
+  become: true
+
+- name: Restart and enable iptables service
+  ansible.builtin.service:
+    name: netfilter-persistent
+    state: restarted
+    enabled: true
+  become: true
+
+- name: Restart and enable frr service
+  ansible.builtin.service:
+    name: frr
+    state: restarted
+    enabled: true
+  become: true
+
+- name: Restart and enable haproxy service
+  ansible.builtin.service:
+    name: haproxy
+    state: restarted
+    enabled: true
+  become: true
+
+- name: net.ipv4.ip_forward
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+  become: true
+
+- name: Get cert
+  ansible.builtin.shell:
+    cmd: /root/certbot.sh
+    creates: "/etc/haproxy/ssl/{{ MESHDB_FQDN }}.pem"
+  become: true
+
+- name: Crontab
+  ansible.builtin.lineinfile:
+    path: /etc/cron.d/certbot_update_cert
+    line: "2 1 * * 1   root    bash /root/certbot.sh 2>&1 > /dev/null"
+    create: true
+  become: true
+
+- name: Restart and enable cron service
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+    enabled: true
+  become: true

ansible/roles/k8s-lb/templates/certbot.sh.j2

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Renew the cert
+/root/certbot_venv/bin/certbot certonly \
+    --authenticator standalone \
+    --http-01-port 63443 \
+    --text \
+    --expand \
+    --non-interactive \
+    --agree-tos \
+    -m [email protected] \
+    --domain {{ MESHDB_FQDN }}
+
+# Copy the current full cert chain to haproxy config location
+CERTS_DIR="/etc/haproxy/ssl"
+if [ ! -d "$CERTS_DIR" ]; then
+    mkdir -p "$CERTS_DIR"
+fi
+
+cat /etc/letsencrypt/live/{{ MESHDB_FQDN }}/fullchain.pem > $CERTS_DIR/{{ MESHDB_FQDN }}.pem
+cat /etc/letsencrypt/live/{{ MESHDB_FQDN }}/privkey.pem > $CERTS_DIR/{{ MESHDB_FQDN }}.pem.key
+
+# Reload the service
+service haproxy reload

ansible/roles/k8s-lb/templates/frr.conf.j2

@@ -0,0 +1,17 @@
+frr version 8.4.4
+frr defaults traditional
+hostname {{ LB_HOSTNAME }}
+log syslog informational
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+interface eth0
+ ip ospf cost 10
+exit
+!
+router ospf
+ network {{ INTERNAL_NETWORK_BLOCK }} area 0
+ network {{ EXTERNAL_LISTEN_IP }}/32 area 0
+exit
+!