Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wuxxin/infra-shared

Software Defined Git Operated Infrastructure
https://github.com/wuxxin/infra-shared

butane coreos fcos gitops iaas mtls pulumi python

Last synced: 16 days ago
JSON representation

Software Defined Git Operated Infrastructure

Awesome Lists containing this project

README 

        
# infra-shared



## Software Defined Git Operated Infrastructure



Reusables of a learning project by rewriting parts of my home infrastructure as



a **Pulumi** and **Fedora Coreos** based **Gitops** Project in **Python**.



- See [safe](examples/safe) for usage in an example project



### Quick start



create a base project, lock and install build requirements,

install and configure a simulation of the targets



```sh

mkdir -p example; cd example; git init

git submodule add https://github.com/wuxxin/infra-shared.git infra

infra/scripts/create_skeleton.sh --yes

make sim-up

```



**Congratulations!**



You have just created two TLS Certificates and an SSH Keypair in a very fancy way!



See the [examples](examples/) for code of what else can be done with it



### Features



- **Fedora-CoreOS Linux** - updating, minimal, monolithic, container-focused operating system

    - **Setup**: Bootstrap and Reconfiguration of CoreOS with **Jinja templated butane** files

    - **Reconfiguration**: `update-system-config*`

        - Fast (~4s) reconfiguration using saltstack and butane to salt translation

    - **Single Container**: `podman-systemd.unit`

        - `container*` - run systemd container units using podman-quadlet

    - **Compose Container**: `compose.yml`

        - `compose*` - run multi-container applications defined using a compose file

    - **nSpawn OS-Container**: `systemd-nspawn`

        - `nspawn*` - run any linux OS in a light-weight system container

    - **tls/http/web FrontEnd**: `traefik`

        - using container, compose and nspawn labels for dynamic configuration

    - **DNS Resolver**: `unbound`

        - using container for local DNSSEC capable recursive DNS-Resolver

- **TLS Certificate-Authority**, TLS Certificates and **SSH**-Certificates

- **SSH** copy/deploy/execute functions, local and remote **Salt-Call**

- **serve** configuration **HTTPS** payloads, request a port forwarding

- **write** image to **removable storage** specified by serial_number

- build Embedded-OS Images and IOT Images

    - **Raspberry Extras** - U-Boot and UEFI Bios Files for Rpi3 and Rpi4

    - **Openwrt Linux** - Network Device Distribution for Router and other network devices



### Technologies



**Need to know** technologies (to write Deployment and Docs):



- Basic Knowledge of `Python, Yaml, Jinja, Systemd Service, Containerfile, Markdown`



**Advanced functionality** available with knowledge of:



- Pulumi, Butane, more Systemd, Fcos, Saltstack, Podman, compose.yml, makefile, Pipfile, libvirt, Bash, Mkdocs, Mermaid, Jupyter Notebooks



Provision can be run on **Arch** Linux, **Manjaro** Linux or as **Container Image**.



#### Tools used



- `pulumi` - imperativ infrastructure delaration using python

- `fcos` - Fedora-CoreOS, minimal OS with `clevis` (sss,tang,tpm) storage unlock

- `butane` - create fcos `ignition` configs using `jinja` enhanced butane yaml

- `systemd` - service, socker, path, timer, nspawn machine container

- `podman` - build Container images, run Container using quadlet systemd container

- `saltstack`

    - local build environments and local services

    - remote fcos config update using butane to saltstack translation and execution

- `mkdocs` - documentation using markdown and mermaid

- `libvirt` - simulation of machines using the virtualization api supporting qemu and kvm

- `tang` - server used for getting a key shard for unattended encrypted storage unlock on boot

- `mkosi` - build nspawn OS container images

- `age` - ssh keys based encryption of production files and pulumi master password

- `pipenv` - virtualenv management using Pipfile and Pipfile.lock



### Usage



#### List available Makefile targets/commands



```sh

make

```



#### Bootstrap skeleton files to a new repo



- from current directory, eg. pwd=~/code



```sh

project_name=example

current_dir=$(pwd)

project_dir=${current_dir}/${project_name}

mkdir -p ${project_dir}

cd ${project_dir}

git init

git submodule add https://github.com/wuxxin/infra-shared.git infra

infra/create_skeleton.sh --yes

```



- `create_skeleton.sh` creates default dirs and files in the project_dir

    - use `cat infra/create_skeleton.sh` to inspect script before running it

    - directories created:

        - _docs_, _state_, _target_ with an empty _.gitkeep_ file inside

    - files created:

        - README.md, \_\_main\_\_.py, Pulumi.yaml, Makefile, Pipfile

        - config-template.yaml, .gitignore, mkdocs.yml, empty authorized_keys



#### Install build requirements



- on arch or manjaro linux



```sh

make install-requirements

```



- on other linux, use a provision container.



This needs podman or docker already installed on host.



For the simulation environment with libvirt the host system must also have a configured libvirt.



```sh

# Either: build container using `sudo podman build`

make provision-client



# Or: build container using any other container tool

# - replace "docker" with the preferred container build call

cd infra/Containerfile/provision-client && \

    docker build -t provision-client:latest $(pwd)



# call provision shell(defaults to /usr/bin/bash interactive shell)

# defaults to podman, but can be overriden with DOCKER=executable

DOCKER=docker infra/scripts/provision_shell.sh

# use exit to return to base shell

```



#### Build documentation



```sh

make docs

# build infra-shared documentation

make docs-infra

```



#### Create/build/install simulation target



```sh

make sim-up

```



#### Show/use root and provision cert



```sh

make sim-show args="ca_factory" | jq ".root_cert_pem" -r | \

    openssl x509 -in /dev/stdin -noout -text

make sim-show args="ca_factory" | jq ".provision_cert_pem" -r | \

    openssl x509 -in /dev/stdin -noout -text

```



#### Manual pulumi invocation



```sh

export PULUMI_SKIP_UPDATE_CHECK=1

export PULUMI_CONFIG_PASSPHRASE=sim



pulumi stack select sim

pulumi about

```



#### Execute in provision python environment



```sh

pipenv run ipython

```



#### Sim stack: destroy, cleanup, re/create



```sh

make sim-clean

make sim-create

```



#### test if changes would compute before applying



```sh

make sim-preview

# if list of changes looks good, apply them

make sim-up



```



#### cancel an currently running/stuck pulumi update



```sh

# "error: the stack is currently locked by 1 lock(s)."

# "Either wait for the other process(es) to end or delete the lock file with `pulumi cancel`."

make sim__ args="cancel"

```



#### show resource output as json



```sh

make sim-show

```



#### show resource output key list as yaml



```sh

make sim-list

```



#### show resource output data as colorized formatted json or yaml



```sh

# use highlight and less

make sim-show | highlight --syntax json -O ansi | less

# use bat for integrated highlight plus pager

make sim-show | bat -l json

```



### Production



#### Add SSH Keys of GitOps Developer



```sh

# eg. add the own ssh public key in project_dir/authorized_keys

cat ~/.ssh/id_rsa.pub >> authorized_keys

```



#### Create stack



```sh

make prod-create

make prod__ args="preview --suppress-outputs"

make prod__ args=up

```



### Credits



- Inspired and impressed by [deuill/coreos-home-server](https://github.com/deuill/coreos-home-server)



### License



```text

All code in this repository is covered by the terms of the Apache 2.0 License,

the full text of which can be found in the LICENSE file.

```