## Ansible roles and playbook to maintain bsdnix.de
### Prepare hetzner cloud
In order to deploy freebsd vps' on Hetzner cloud you need to:
- first create a vps with debian
- from there install freebsd using the mfs method (uncle google will tell you)
- update the freebsd system
- install python and https://github.com/paulc/hcloud-freebsd
- enable hcloud-freebsd
- `/etc/rc.conf` shall not contain a hostname or ip config, hcloud-freebsd will
  add it. Even an ipv6-only setup works, since the script grabs the server vars from
  169.254.169.254, which is reachable even if the server has no public ipv4 ip
- cleanup history, logs, etc
- shutdown the vps
- create a snapshot, name it wisely, I name mine like: `FreeBSD-14.1-RELEASE-hcloud-init`
- delete the builder vps
- update the snapshot name in `group_vars/all/all.yaml`

Then you can deploy new freebsd vps' using this snapshot. They'll come
up and configure themselves to be reachable.
The `create.yaml` playbook will create a new vps if it doesn't exist
yet and the `deploy.yaml` playbook will then use the hetzner cloud
dynamic inventory to discover your vps.
### Hetzner cloud vps ipv6 only setup for jail+bridge operation
The major problem is that Hetzner delivers all traffic to the MAC
address of the primary interface. By default the bridge gets a different
MAC, so nothing arrives on it. Also, I had ipv6 forwarding turned off,
which is required for this to work.
Here's my setup:
host rc.conf:
```default
# bridge0 is created at boot with vtnet0 as its only member; auto_linklocal
# gives it an fe80:: address and -ifdisabled brings it up right away
cloned_interfaces="bridge0"
create_args_bridge0="inet6 auto_linklocal -ifdisabled addm vtnet0"
# tso offloading off on the bridge member
ifconfig_vtnet0="up -tso -vlanhwtso DHCP"
ifconfig_bridge0="DHCP"
ifconfig_bridge0_ipv6="inet6 2a01:4f8:c013:6513::1 prefixlen 64"
# Hetzner's gateway is fe80::1 on the link; reach it through the bridge
ipv6_defaultrouter="fe80::1%bridge0"
```
host sysctl.conf
```default
# bridge0 takes over the MAC of its first member (vtnet0), the only MAC
# Hetzner delivers traffic to
net.link.bridge.inherit_mac=1
# forward between bridge0 and the jails
net.inet6.ip6.forwarding=1
```
host /boot/loader.conf:
```default
if_bridge_load=YES
```
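As an added example (not part of the bsdnix repo or of hcloud-freebsd), a POSIX sh script that checks a builder VPS against the snapshot rules from "Prepare hetzner cloud" above (no hostname or ip config in `rc.conf`, no shell history, logs or ssh host keys left behind) and checks a deployed host for the jail+bridge settings just shown. File and root paths are parameters, so it can run against a chroot; the trees and files it runs on here are constructed samples, and treating ssh host keys as part of the "etc" to clean up is my assumption.

```shell
#!/bin/sh
# Added example, not part of the bsdnix repository: offline sanity checks for
# (1) a builder VPS about to be snapshotted for hcloud-freebsd and (2) a
# deployed jail+bridge host, using the rc.conf / sysctl.conf settings from
# the README. Assumes POSIX sh, grep, sed and find.

# Print the value of the last assignment of KEY in FILE (rc.conf and
# sysctl.conf both use key=value, the value optionally double-quoted).
# Last assignment wins, which is also what rc(8) does since rc.conf is sourced.
conf_get() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots in sysctl names
    sed -n "s/^[[:space:]]*$key=\(.*\)$/\1/p" "$file" 2>/dev/null \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# The builder's rc.conf must not pin a hostname or any network config:
# hcloud-freebsd fills those in from 169.254.169.254 on first boot, and a
# static entry would be cloned into every VPS created from the snapshot.
rc_conf_snapshot_clean() {
    bad=$(grep -E '^[[:space:]]*(hostname|ifconfig_[A-Za-z0-9_]+|defaultrouter|ipv6_defaultrouter)=' "$1" || true)
    if [ -n "$bad" ]; then
        printf 'rc.conf still carries host/network config:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Files the "cleanup history, logs, etc" step should have removed, looked up
# below ROOT. Ssh host keys are included on the assumption that "etc" covers
# them: clones sharing one host key cannot be told apart by their clients.
snapshot_leftovers() {
    root=$1
    left=$( { find "$root/root" -name '.*history' -type f
              find "$root/etc/ssh" -name 'ssh_host_*_key*' -type f
              find "$root/var/log" -type f -size +0
            } 2>/dev/null || true )
    if [ -n "$left" ]; then
        printf 'snapshot leftovers:\n%s\n' "$left" >&2
        return 1
    fi
}

# Jail+bridge host: bridge0 must take over vtnet0's MAC (Hetzner only delivers
# to the primary interface's MAC), ipv6 forwarding must be on, vtnet0 must be
# a member of bridge0 and the v6 default route must go out of the bridge.
bridge_host_ready() {
    rc=$1; sysctl=$2; ok=0
    [ "$(conf_get "$sysctl" net.link.bridge.inherit_mac)" = 1 ] \
        || { echo "net.link.bridge.inherit_mac is not 1" >&2; ok=1; }
    [ "$(conf_get "$sysctl" net.inet6.ip6.forwarding)" = 1 ] \
        || { echo "net.inet6.ip6.forwarding is not 1" >&2; ok=1; }
    case " $(conf_get "$rc" create_args_bridge0) " in
        *" addm vtnet0 "*) ;;
        *) echo "bridge0 does not addm vtnet0" >&2; ok=1 ;;
    esac
    case "$(conf_get "$rc" ipv6_defaultrouter)" in
        *%bridge0) ;;
        *) echo "ipv6_defaultrouter does not go via bridge0" >&2; ok=1 ;;
    esac
    return $ok
}

# Constructed sample trees and files (not taken from a real host).
write_samples() {
    d=$1
    mkdir -p "$d/clean/root" "$d/clean/etc/ssh" "$d/clean/var/log" \
             "$d/dirty/root" "$d/dirty/etc/ssh" "$d/dirty/var/log"
    printf 'sshd_enable="YES"\nntpd_enable="YES"\n' > "$d/clean/etc/rc.conf"
    printf 'hostname="builder"\nifconfig_vtnet0="inet 192.0.2.10/24"\n' > "$d/dirty/etc/rc.conf"
    : > "$d/dirty/root/.sh_history"
    : > "$d/dirty/etc/ssh/ssh_host_ed25519_key"
    echo "sample log line" > "$d/dirty/var/log/auth.log"
    cat > "$d/rc.conf.bridge" <<'EOF'
cloned_interfaces="bridge0"
create_args_bridge0="inet6 auto_linklocal -ifdisabled addm vtnet0"
ifconfig_vtnet0="up -tso -vlanhwtso DHCP"
ifconfig_bridge0="DHCP"
ifconfig_bridge0_ipv6="inet6 2001:db8::1 prefixlen 64"
ipv6_defaultrouter="fe80::1%bridge0"
EOF
    printf 'net.link.bridge.inherit_mac=1\nnet.inet6.ip6.forwarding=1\n' > "$d/sysctl.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
rc_conf_snapshot_clean "$tmp/clean/etc/rc.conf" && snapshot_leftovers "$tmp/clean" \
    && echo "clean builder: ready to snapshot"
rc_conf_snapshot_clean "$tmp/dirty/etc/rc.conf" || echo "dirty builder: rc.conf rejected"
snapshot_leftovers "$tmp/dirty" || echo "dirty builder: leftovers found"
bridge_host_ready "$tmp/rc.conf.bridge" "$tmp/sysctl.conf" && echo "bridge host: ready"
rm -rf "$tmp"
```

Run it on the real builder with `rc_conf_snapshot_clean /etc/rc.conf; snapshot_leftovers /` just before `shutdown`; a non-zero exit means the snapshot would carry something into every clone.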
### Setup ansible
- Create `group_vars/all/vars.yaml` with this content:
```yaml
hetzner_cloud_token: <YOUR-HETZNER-HCLOUD-TOKEN>
```
- Create a file containing some generated password:
`pwgen -ys 32 1 > ~/.config/ansible/hcloud.secret`
- Encrypt the vars file:
`ansible-vault encrypt group_vars/all/vars.yaml`
Now the hetzner ansible plugin is able to call hcloud with the
appropriate token, no need to enter it manually anymore. Also, while
the yaml file containing the token might be part of your public repo,
it is an ansible vault, properly encrypted, and the key stays local on
your work machine. That key file (`~/.config/ansible/hcloud.secret`) is
what protects the token: keep it owner-readable only and never inside the repo.
The token is then used as an environment variable set up in the Makefile.
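As an added example (not the repo's own tooling), a POSIX sh script that wraps the three setup steps above and adds the check I want before every commit: no `group_vars` file may reach the repo with a plaintext `hetzner_cloud_token`. It assumes `pwgen` (falling back to `openssl` or `od`) for the secret and only invokes `ansible-vault` from `encrypt_vars`, so the checks run anywhere; the files it demonstrates on are constructed.

```shell
#!/bin/sh
# Added example, not part of the bsdnix repository: vault secret creation,
# in-place encryption of the vars file, and a pre-commit style scan for
# plaintext tokens. Assumes POSIX sh; pwgen/openssl/od for the secret;
# ansible-vault only for encrypt_vars.

VAULT_SECRET="${VAULT_SECRET:-$HOME/.config/ansible/hcloud.secret}"

# Create the vault password file owner-readable only. It is the key to the
# token: keep it outside every repository.
gen_vault_secret() {
    path=$1
    mkdir -p "$(dirname "$path")"
    (
        umask 077
        if command -v pwgen >/dev/null 2>&1; then
            pwgen -ys 32 1 > "$path"
        elif command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 32 > "$path"
        else
            dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n' > "$path"
            echo >> "$path"
        fi
    )
    chmod 600 "$path"
}

# 0 if FILE is ansible-vault ciphertext (it starts with "$ANSIBLE_VAULT;"),
# 1 if it is still plaintext.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Encrypt FILE in place with the password file; safe to run twice.
encrypt_vars() {
    if is_vault_encrypted "$1"; then
        echo "already encrypted: $1"
        return 0
    fi
    ansible-vault encrypt --vault-password-file "$VAULT_SECRET" "$1"
}

# Pre-commit style scan: every yaml file under DIR that is not vault
# ciphertext yet defines hetzner_cloud_token is an offender. Returns 1 if any.
find_plaintext_tokens() {
    found=0
    for f in $(find "$1" -name '*.yaml' -o -name '*.yml'); do
        if ! is_vault_encrypted "$f" && grep -q '^hetzner_cloud_token:' "$f"; then
            echo "plaintext hetzner_cloud_token in $f" >&2
            found=1
        fi
    done
    return $found
}

# Demo on a constructed tree (not the real repo): one plaintext vars file and
# one file carrying only the vault header.
tmp=$(mktemp -d)
mkdir -p "$tmp/group_vars/all"
printf 'hetzner_cloud_token: <YOUR-HETZNER-HCLOUD-TOKEN>\n' > "$tmp/group_vars/all/vars.yaml"
printf '$ANSIBLE_VAULT;1.1;AES256\n' > "$tmp/group_vars/all/already.yaml"
find_plaintext_tokens "$tmp/group_vars" || echo "commit would leak the token; run encrypt_vars first"
if command -v ansible-vault >/dev/null 2>&1; then
    VAULT_SECRET="$tmp/hcloud.secret"
    gen_vault_secret "$VAULT_SECRET"
    encrypt_vars "$tmp/group_vars/all/vars.yaml"
    find_plaintext_tokens "$tmp/group_vars" && echo "all group_vars files are vault ciphertext"
fi
rm -rf "$tmp"
```

`find_plaintext_tokens group_vars` is the one line worth wiring into a git pre-commit hook: it fails the commit if the vars file was decrypted for editing and not re-encrypted.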
### To use
- `make`: create a new VPS and configure it
- `make create`: create a new VPS and auxiliary services
- `make deploy`: configure the VPS
- `make clean`: remove the shell VPC. Do not do this with the production instance!

To make the output more verbose, add `verbose=N` to the target, e.g.:
`make deploy verbose=2` where N is the verbosity level (0-4)
If you want to execute only a subset of a playbook, remove the `active` tag from it.
### Updating
(not yet completely determined!)
- create a new release snapshot as outlined above
- add a new vps to the local inventory (`inventory/vps.yaml`)
- run `make`
- remove the old vps
or: just call `freebsd-update` - however, if you ever need to rebuild
the vps, then it will come up with the - then - old release. So,
better rebuild from scratch to update.
### Deleting
**CAUTION** the `cleanup.yaml` playbook removes **ALL** running vps
instances! Better use the `hcloud` cli to do this. The cleanup
playbook just exists to make development of the deployment easier so
that I don't need to pay for a non-ready instance running while I'm
not working on it.
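As an added example (not part of the bsdnix repo), a guard around `hcloud server delete` for exactly this development cleanup, so the production instance cannot be removed by accident: names on a protected list are refused, everything runs as a dry-run unless `DRY_RUN=0`, and the list of candidates is read from stdin so it can come from `hcloud server list -o noheader -o columns=name` or, as here, from constructed sample names. `PROTECTED_VPS` is a placeholder to fill with your own server names.

```shell
#!/bin/sh
# Added example, not part of the bsdnix repository: a guarded alternative to
# the cleanup.yaml playbook. Assumes the hcloud CLI for the real delete.

PROTECTED_VPS="${PROTECTED_VPS:-bsdnix-prod}"   # placeholder names, space separated
DRY_RUN="${DRY_RUN:-1}"                         # print instead of delete unless DRY_RUN=0

is_protected() {
    for p in $PROTECTED_VPS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Delete one server by name. 0 = deleted (or dry-run), 2 = refused.
delete_vps() {
    if is_protected "$1"; then
        echo "refusing to delete protected VPS: $1" >&2
        return 2
    fi
    if [ "$DRY_RUN" != 0 ]; then
        echo "[dry-run] hcloud server delete $1"
        return 0
    fi
    hcloud server delete "$1"
}

# Delete every name read from stdin that starts with PREFIX, skipping
# protected ones; the exit status is the number of refusals. Feed it with
#   hcloud server list -o noheader -o columns=name | cleanup_matching dev-
cleanup_matching() {
    prefix=$1; refused=0
    while read -r name; do
        case "$name" in
            "$prefix"*) delete_vps "$name" || refused=$((refused + 1)) ;;
        esac
    done
    return $refused
}

# Constructed inventory (not real servers), run in the default dry-run mode.
printf 'dev-builder\nbsdnix-prod\ndev-test\n' | cleanup_matching dev-
```

The prefix filter and the protected list are independent: a misnamed production server still survives as long as it is on the list, and a dev server that happens to match the prefix is still refused if you list it there too.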