From 562fec8549ac57dbfad1ed9ce51b00c13f875b98 Mon Sep 17 00:00:00 2001 From: Thomas von Dein Date: Mon, 11 Nov 2024 19:28:55 +0100 Subject: [PATCH] added creating new vps, fine tuned inventories (now using 2), + doc --- Makefile | 32 +++++++++++++++---- README.md | 55 ++++++++++++++++++++++++++++++++ TODO.md | 8 +++++ ansible.cfg | 2 +- bak/Makefile | 7 ---- bak/group_vars/all.yaml | 5 --- bak/host_vars/shell.yaml | 2 -- bak/inventory/all.yaml | 3 -- bak/roles/server/tasks/main.yaml | 19 ----------- bak/server-role.yaml | 23 ------------- cleanup.yaml | 8 +++++ deploy.yaml | 12 +++++-- group_vars/all/all.yaml | 18 +++++++++-- inventory/hosts.hcloud.yaml | 1 + inventory/vps.yaml | 5 +++ roles/install/tasks/main.yaml | 19 +++++++++++ roles/remove/tasks/main.yaml | 12 +++++++ 17 files changed, 161 insertions(+), 70 deletions(-) create mode 100644 README.md delete mode 100644 bak/Makefile delete mode 100644 bak/group_vars/all.yaml delete mode 100644 bak/host_vars/shell.yaml delete mode 100644 bak/inventory/all.yaml delete mode 100644 bak/roles/server/tasks/main.yaml delete mode 100644 bak/server-role.yaml create mode 100644 cleanup.yaml create mode 100644 inventory/vps.yaml create mode 100644 roles/install/tasks/main.yaml create mode 100644 roles/remove/tasks/main.yaml diff --git a/Makefile b/Makefile index f71bbbc..4814f0f 100644 --- a/Makefile +++ b/Makefile 
@@ -1,22 +1,42 @@ -.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check +.PHONY: all deploy depoy-v deploy-vv deploy-vvv deploy-vvv check clean clean-v clean-vv clean-vvv clean-vvvv TOKEN = $(shell ansible-vault decrypt --vault-password-file ~/.config/ansible/hcloud.secret --output - group_vars/all/vars.yaml | cut -d' ' -f2) +SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | yq '. | map(select(.description == "FreeBSD-14.1-RELEASE-hcloud-init")) | .[].id') + +DEPLOY_COMMAND = ansible-playbook deploy.yaml -i inventory +CLEAN_COMMAND = ansible-playbook cleanup.yaml -i inventory +ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" deploy: - HCLOUD_TOKEN="$(TOKEN)" ansible-playbook deploy.yaml -i inventory + $(ENV) $(DEPLOY_COMMAND) deploy-v: - HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -v deploy.yaml -i inventory + $(ENV) ANSIBLE_VERBOSITY=1 $(DEPLOY_COMMAND) deploy-vv: - HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vv deploy.yaml -i inventory + $(ENV) ANSIBLE_VERBOSITY=2 $(DEPLOY_COMMAND) deploy-vvv: - HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvv deploy.yaml -i inventory + $(ENV) ANSIBLE_VERBOSITY=3 $(DEPLOY_COMMAND) deploy-vvvv: - HCLOUD_TOKEN="$(TOKEN)" ansible-playbook -vvvv deploy.yaml -i inventory + $(ENV) ANSIBLE_VERBOSITY=4 $(DEPLOY_COMMAND) + +clean: + $(ENV) $(CLEAN_COMMAND) + +clean-v: + $(ENV) ANSIBLE_VERBOSITY=1 $(CLEAN_COMMAND) + +clean-vv: + $(ENV) ANSIBLE_VERBOSITY=2 $(CLEAN_COMMAND) + +clean-vvv: + $(ENV) ANSIBLE_VERBOSITY=3 $(CLEAN_COMMAND) + +clean-vvvv: + $(ENV) ANSIBLE_VERBOSITY=4 $(CLEAN_COMMAND) check: ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check diff --git a/README.md b/README.md new file mode 100644 index 0000000..b86f151 --- /dev/null +++ b/README.md 
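Review bot: Every `$(ENV) $(DEPLOY_COMMAND)` / `$(ENV) $(CLEAN_COMMAND)` recipe line is echoed by make before it runs, so the decrypted Hetzner token held in `TOKEN` is printed to the terminal and into any CI or shell log that captures the build; the old recipes had the same exposure, but the rewrite now repeats it across ten targets. Prefixing each of those recipe lines with `@`, e.g. `@$(ENV) $(DEPLOY_COMMAND)`, keeps the command (and the token) out of the output while still running it. `TOKEN` and `SNAPSHOT` are deliberately recursive (`=`), so `ansible-vault decrypt` and `hcloud image list | yq` only run when `$(ENV)` is expanded, i.e. not for `make check`; a comment such as `# recursive on purpose: only resolved by targets that use $(ENV)` would stop a later cleanup from switching them to `:=` and decrypting the vault at parse time. The new `.PHONY` line also carries over the pre-existing `depoy-v` typo and lists `deploy-vvv` twice, so `deploy-v` and `deploy-vvvv` are still not declared phony.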
@@ -0,0 +1,55 @@ +## Ansible roles and playbook to maintain bsdnix.de + +### Basics + +In order to be able to deploy freebsd vps' on Hetzner cloud you need to do: + +- first create a vps with debian +- from there install freebsd using mfs method (uncle google will tell you) +- update the freebsd system +- install python and https://github.com/paulc/hcloud-freebsd +- enable hcloud-freebsd +- `/etc/rc.conf` shall not contain a hostname or ip config, hcloud-freebsd will + add it. Even ipv6 only works, since the script grabs the server vars from + 169.254.169.254, which will be reachable even if the server has no public ipv4 ip +- cleanup history, logs, etc +- shutdown the vps +- create a snapshot, name it visely, I name mine like: `FreeBSD-14.1-RELEASE-hcloud-init` +- delete the builder vps + +Then you can deploy new freebsd vps' using this snapshot. They'll come +up, configure themselves to be reachable. + +The `deploy.yaml` playbook will then use the hetzner cloud dynamic +inventory to discover your vps. So, you have to call `make deploy` +twice: once to deploy a new vps and second time to configure +it. Subsequent calls only configure of course. + +### Setup ansible + +- Create `group_vars/all/vars.yaml` with this content: + ```yaml + hetzner_cloud_token: + ``` +- Create a file containing some generated password: + `pwgen -ys 32 1 > ~/.config/ansible/hcloud.secret` + +- Encrypt the vars file: + `ansible-vault encrypt --vault-password-file + ~/.config/ansible/hcloud.secret group_vars/all/vars.yaml` + +Now the hetzner ansible plugin is able to call hcloud with the +appropriate token, no need to enter it manually anymore. Also, while +the yaml file containing the token might be part of your public repo, +it is a ansible vauld, properly encrypted and the key stays local on +your work machine. + +### To use + +- `make deploy`: deploy a new shell VPS and configure it + if it already exists, only configure + +- `make clean`: remove the shell VPC. 
Do not do this with the production instance! + + +To make the output more verbose, add `-v[vvv]` to the target, e.g.: `make depoy-vvvv` diff --git a/TODO.md b/TODO.md index fa483b3..a3b9383 100644 --- a/TODO.md +++ b/TODO.md @@ -1,5 +1,7 @@ ## Install tarball +### install from tarball example: + ```yaml - name: "If jdk not exists then only download and unarchive" unarchive: @@ -12,3 +14,9 @@ command: mv /opt/jdk-17_linux-arch64 /opt/jdk-17 when: foo.changed == True ``` + +### configure DNS record for newly created instance + +https://github.com/bodsch/ansible-collection-dns/blob/main/roles/knot/README.md + +or using e3 using wrapper script around `jaildk exec dns knotc ...` diff --git a/ansible.cfg b/ansible.cfg index 17f2f18..be25feb 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -6,4 +6,4 @@ stdout_callback: yaml pipelining = True [inventory] -enable_plugins = hcloud +enable_plugins = hcloud, host_list, yaml diff --git a/bak/Makefile b/bak/Makefile deleted file mode 100644 index d0aeb9b..0000000 --- a/bak/Makefile +++ /dev/null @@ -1,7 +0,0 @@ -.PHONY: all deploy check - -deploy: - ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory - -check: - ansible-playbook -vvv --ask-vault-pass server-role.yaml -i inventory --syntax-check diff --git a/bak/group_vars/all.yaml b/bak/group_vars/all.yaml deleted file mode 100644 index 4e83659..0000000 --- a/bak/group_vars/all.yaml +++ /dev/null @@ -1,5 +0,0 @@ -type: cpx11 -image: 191285714 -packages: - - cpdup - - bash diff --git a/bak/host_vars/shell.yaml b/bak/host_vars/shell.yaml deleted file mode 100644 index 36b1056..0000000 --- a/bak/host_vars/shell.yaml +++ /dev/null @@ -1,2 +0,0 @@ -hostname: shell.daemon.de -ansible_user: root diff --git a/bak/inventory/all.yaml b/bak/inventory/all.yaml deleted file mode 100644 index fe780d0..0000000 --- a/bak/inventory/all.yaml +++ /dev/null @@ -1,3 +0,0 @@ -shellservers: - hosts: - shell.daemon.de: 
diff --git a/bak/roles/server/tasks/main.yaml b/bak/roles/server/tasks/main.yaml deleted file mode 100644 index 28a2547..0000000 --- a/bak/roles/server/tasks/main.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# - name: Create server -# hcloud_server: -# api_token: "{{ hcloud_token }}" -# name: "{{ hostname }}" -# server_type: "{{ type }}" -# image: "{{ image }}" -# location: ash -# enable_ipv4: false -# state: present -# register: server - -- command: which python - register: result - -# - name: Install Packages -# community.general.pkgng: -# state: present -# name: "{{ packages }}" diff --git a/bak/server-role.yaml b/bak/server-role.yaml deleted file mode 100644 index 36b1844..0000000 --- a/bak/server-role.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Create BSDNIX Servers - hosts: all - connection: local - gather_facts: False - user: root - vars: - # generated with: - # echo -n $(hcloud config get token --allow-sensitive) \ - # | ansible-vault encrypt_string --stdin-name hcloud_token - hcloud_token: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 64393765623232326566303864653934396432613235626330326335383332623437396163336432 - 3035386161376333386334653863323933393366636537300a666338373539633566336230353362 - 66653331663364346137383637666332333565373138646533313339323034353833383832336261 - 3665656264356165300a636633366166363261663663336664653832646666313936396665356132 - 37373235623735633266353963666364363461303939343532636131643164333930343434336366 - 36346235336561386237323931333435343461336239323435356634333439303765313663656231 - 65313964306535376236613635346363376235363330303962353365383537616139393965646563 - 37356465653663373362 - roles: - - role: server - diff --git a/cleanup.yaml b/cleanup.yaml new file mode 100644 index 0000000..2521df8 --- /dev/null +++ b/cleanup.yaml @@ -0,0 +1,8 @@ +--- +- name: Remove BSDNIX Servers + hosts: vps + connection: local + gather_facts: False + user: root + roles: + - role: remove 
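Review bot: This play removes every host in the `vps` group with no confirmation or target restriction, and the README's only protection for the production instance is the sentence "Do not do this with the production instance!". A cheap gate is a `vars_prompt` that asks the operator to type the host name, with `when: confirm == hostname` on the removal task (or, alternatively, a `fail` task when `ansible_limit` is not set), so an accidental `make clean` does not delete the shell server. `user: root` should have no effect under `connection: local`; dropping it avoids suggesting that the play logs in to the server it deletes.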
diff --git a/deploy.yaml b/deploy.yaml index 4ae5fee..228b2e4 100644 --- a/deploy.yaml +++ b/deploy.yaml @@ -1,6 +1,6 @@ --- -- name: Create BSDNIX Servers - hosts: all +- name: Configure BSDNIX Servers + hosts: running gather_facts: true user: root roles: @@ -8,3 +8,11 @@ - role: network - role: firewall - role: jails + +- name: Create BSDNIX Servers + hosts: vps + connection: local + gather_facts: False + user: root + roles: + - role: install diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml index 7fb632b..82f6d7c 100644 --- a/group_vars/all/all.yaml +++ b/group_vars/all/all.yaml @@ -1,6 +1,20 @@ -type: cpx11 -image: 191285714 +type: cx22 + +# resolved on startup in Makefile +image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}" + +# extranous general packages we might need packages: - cpdup - bash + +# used by bastille to build a base release: 14.1-RELEASE + +location: fsn1 + +# must already exist in group project +ssh_keys: + - scip@e3 + - scip@tripod + - scip@pixel8 diff --git a/inventory/hosts.hcloud.yaml b/inventory/hosts.hcloud.yaml index e701bbe..47c5b5f 100644 --- a/inventory/hosts.hcloud.yaml +++ b/inventory/hosts.hcloud.yaml @@ -1,4 +1,5 @@ plugin: hcloud +group: running status: - running groups: diff --git a/inventory/vps.yaml b/inventory/vps.yaml new file mode 100644 index 0000000..f9d25e6 --- /dev/null +++ b/inventory/vps.yaml @@ -0,0 +1,5 @@ +--- +vps: + hosts: + shell: + hostname: shell.daemon.de diff --git a/roles/install/tasks/main.yaml b/roles/install/tasks/main.yaml new file mode 100644 index 0000000..6bac4d8 --- /dev/null +++ b/roles/install/tasks/main.yaml 
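Review bot: The new `Create BSDNIX Servers` play comes after `Configure BSDNIX Servers`, which is why the README tells users to run `make deploy` twice: the hcloud inventory is evaluated before the server exists, so the `running` group is empty on the first run. Placing the create play first and ending it with `- meta: refresh_inventory` would let a single run create and then configure; the configure play would then likely need a `wait_for_connection` task (the freshly created server has to boot and run hcloud-freebsd first). The `hosts: running` target depends on the `group: running` key added to `inventory/hosts.hcloud.yaml` in this same commit; a comment on the play, `# 'running' is populated by inventory/hosts.hcloud.yaml (group: running)`, would make that coupling visible.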
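Review bot: `image` is now `lookup('ansible.builtin.env', 'SNAPSHOT')`, which yields an empty string when the variable is unset or when the Makefile's `hcloud image list | yq` pipeline finds no matching snapshot and exports `SNAPSHOT=""`; the `install` role then reaches `hcloud_server` with `image: ""` and fails late with an API error rather than a clear message. An `ansible.builtin.assert` with `that: image | length > 0` and `fail_msg: "SNAPSHOT is not set; run via make"` at the start of the install role would fail fast (note that `| mandatory` would not catch this, since the value is defined but empty). The comment `# must already exist in group project` above `ssh_keys` reads oddly; `# SSH key names that must already exist in the Hetzner Cloud project` would say what is meant.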
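Review bot: The servers this inventory discovers are created with `enable_ipv4: false` in the new install role, so they have only a public IPv6 address; as far as I recall the hcloud inventory plugin's `connect_with` option defaults to `public_ipv4`, in which case `ansible_host` for the `running` group would be empty and the configure play could not reach anything. If the part of this file outside the hunk does not already set it, `connect_with: public_ipv6` (or `hostname`, given the DNS name in `inventory/vps.yaml`) is needed next to the new `group: running` line.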
@@ -0,0 +1,19 @@
+---
+- name: Create server
+ hcloud_server:
+ name: "{{ hostname }}"
+ server_type: "{{ type }}"
+ image: "{{ image }}"
+ location: "{{ location }}"
+ enable_ipv4: false
+ state: present
+ ssh_keys: "{{ ssh_keys }}"
+ register: server
+
+# - command: which python
+# register: result
+
+# - name: Install Packages
+# community.general.pkgng:
+# state: present
+# name: "{{ packages }}"
diff --git a/roles/remove/tasks/main.yaml b/roles/remove/tasks/main.yaml
new file mode 100644
index 0000000..7446e15
--- /dev/null
+++ b/roles/remove/tasks/main.yaml
@@ -0,0 +1,12 @@
+---
+- name: Remove server
+ hcloud_server:
+ name: "{{ hostname }}"
+ server_type: "{{ type }}"
+ image: "{{ image }}"
+ location: "{{ location }}"
+ enable_ipv4: false
+ state: absent
+ ssh_keys: "{{ ssh_keys }}"
+ register: server
+
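Review bot: The two commented-out tasks at the end of the new file (`which python`, `community.general.pkgng`) are dead code carried over from `bak/roles/server/tasks/main.yaml`, which this commit deletes; either drop them or replace them with a single `# TODO: install base packages once the server is reachable (see deploy.yaml configure play)`. `register: server` is not consumed anywhere in the role and can go unless a follow-up task is planned. The task passes no `api_token`, so it silently relies on the `HCLOUD_TOKEN` environment variable set by the Makefile; a comment `# authenticates via HCLOUD_TOKEN, exported by the Makefile from the vaulted vars.yaml` would spare the next reader the hunt.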
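Review bot: With `state: absent` the server is identified by `name` (or `id`) alone, so `server_type`, `image`, `location`, `enable_ipv4` and `ssh_keys` should not be needed here; keeping `image` in particular means `make clean` still has to resolve the `SNAPSHOT` lookup (the `hcloud image list | yq` pipeline in the Makefile must succeed) before it can delete anything. Reducing the task to `name: "{{ hostname }}"` and `state: absent` removes that dependency and makes the intent of the role obvious. `register: server` is unused in this file as well.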