1.0.0 Release IaaS

ansible/inventory/group_vars/all.yaml

@@ -0,0 +1,74 @@
+---
+# Global vars
+ansible_ssh_private_key_file: "/etc/secrets/{{ hostvars['console']['node']['uid'] }}/id_console"
+
+# URL infromation, you can use {{ infra_uri['services'] | split(':') | first|last }} to seperate domain and ports
+infra_uri:
+  crowdsec:
+    domain: "crowdsec.ilnmors.internal"
+    ports:
+      https: "8080"
+  bind:
+    domain: "bind.ilnmors.internal"
+    ports:
+      dns: "53"
+  blocky:
+    domain: "blocky.ilnmors.internal"
+    ports:
+      https: "443"
+      dns: "53"
+  postgresql:
+    domain: "postgresql.ilnmors.internal"
+    ports:
+      tcp: "5432" # postgresql db connection port
+  ldap:
+    domain: "ldap.ilnmors.internal"
+    ports:
+      http: "17170"
+      ldaps: "636"
+  ca:
+    domain: "ca.ilnmors.internal"
+    ports:
+      https: "9000"
+  prometheus:
+    domain: "prometheus.ilnmors.internal"
+    ports:
+      https: "9090"
+  loki:
+    domain: "loki.ilnmors.internal"
+    ports:
+      https: "3100"
+  nas:
+    domain: "nas.ilnmors.internal"
+    ports:
+      https: "5001"
+  kopia:
+    domain: "nas.ilnmors.internal"
+    ports:
+      https: "51515"
+
+version:
+  packages:
+    sops: "3.12.1"
+    step: "0.29.0"
+    kopia: "0.22.3"
+    blocky: "0.28.2"
+    alloy: "1.13.0"
+    # telegraf: "1.37.1"
+  containers:
+    # common
+    caddy: "2.10.2"
+    # infra
+    step: "0.29.0"
+    ldap: "v0.6.2"
+    x509-exporter: "3.19.1"
+    prometheus: "v3.9.1"
+    loki: "3.6.5"
+    grafana: "12.3.3"
+    ## Postgresql
+    postgresql: "18.2"
+    # For immich - https://github.com/immich-app/base-images/blob/main/postgres/versions.yaml
+#    pgvector: "v0.8.1"
+    vectorchord: "0.5.3"
+    # Auth
+    authelia: "4.39.15"

ansible/inventory/group_vars/hypervisor.yaml

@@ -0,0 +1,7 @@
+---
+node:
+  name: "vmm"
+  uid: 2000
+  home_path: "/home/vmm"
+  ssh_san: "vmm,vmm_init,vmm.ilnmors.internal,init.vmm.ilnmors.internal"
+  local_san: "localhost vmm.ilnmors.internal"

ansible/inventory/host_vars/app.yaml

@@ -0,0 +1,41 @@
+---
+# Node Factors
+node:
+  name: "app"
+  uid: 2004
+  home_path: "/home/app"
+  ssh_san: "app,app.ilnmors.internal"
+  local_san: "localhost app.ilnmors.internal"
+# VM Factors
+vm:
+  name: "app"
+  cpu: 4
+  shares: 1024
+  memory: 16
+  storage: 256
+  lan_mac: "0a:49:6e:4d:03:00"
+  lan_net: "lan-net"
+  lan_group: "vlan10-access"
+  # PCIe passthrough address
+  # result of `lspci | grep -i -e "sata controller" -e "vga"` and parse it.
+  # Ex) 04:00.0 > domain: "0x0000", bus: "0x04", slot: "0x00", function: "0x0"
+  pass_through:
+    igpu:
+      address: "0000:00:02.0"
+      domain: "0x0000"
+      bus: "0x00"
+      slot: "0x02"
+      function: "0x0"
+    sata_controller: # Additional SATA Controller
+      address: "0000:04:00.0"
+      domain: "0x0000"
+      bus: "0x04"
+      slot: "0x00"
+      function: "0x0"
+
+# BTRFS configuration for hdd which is passthroughed
+storage:
+  btrfs:
+    label: "APP_DATA"
+    level: "raid10"
+    mount_point: "/home/app/data"

ansible/inventory/host_vars/auth.yaml

@@ -0,0 +1,18 @@
+---
+# Node Factors
+node:
+  name: "auth"
+  uid: 2003
+  home_path: "/home/auth"
+  ssh_san: "auth,auth.ilnmors.internal"
+  local_san: "localhost auth.ilnmors.internal"
+# VM Factors
+vm:
+  name: "auth"
+  cpu: 2
+  shares: 512
+  memory: 2
+  storage: 64
+  lan_mac: "0a:49:6e:4d:02:00"
+  lan_net: "lan-net"
+  lan_group: "vlan10-access"

ansible/inventory/host_vars/console.yaml

@@ -0,0 +1,25 @@
+---
+# Secret management
+age_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          32343637656262323931313061323861393737663736626538396165613563323531316639346637
+          3766363134663963396634353764323166353936626633300a356338363036373165363335333665
+          38316638386661623265306538303739616638316565373864316364623539383736343366646463
+          3464613666663836310a666531386136326439616637393035333534303661373433343830323665
+          66613736613133616439393163653166306261376231646163323266616431623531313964326132
+          33653638373537323363316363646534323362353836373665636265663939353862663532313230
+          30643038313138626464626161373835646665326334393834616234643931656536343130316238
+          61656264643830616639
+# Node Factors
+node:
+  name: "console"
+  uid: 2999
+  home_path: "/home/console"
+  workspace_path: "{{ node.home_path }}/workspace"
+  homelab_path: "{{ node.home_path }}/workspace/homelab"
+  data_path: "{{ node.homelab_path }}/data"
+  config_path: "{{ node.homelab_path }}/config"
+  ssh_san: "console,console.ilnmors.internal"
+  ssh_users: "vmm,fw,infra,auth,app"
+  local_san: "localhost console.ilnmors.internal"
+# ansible_python_interpreter: "{{ ansible_playbook_python }}"

ansible/inventory/host_vars/fw.yaml

@@ -0,0 +1,98 @@
+---
+# Node Factors
+node:
+  name: "fw"
+  uid: 2001
+  home_path: "/home/fw"
+  ssh_san: "fw,fw.ilnmors.internal"
+  local_san: "localhost fw.ilnmors.internal"
+
+# VM Factors
+vm:
+  name: "fw"
+  cpu: 2
+  shares: 2048
+  memory: 4
+  storage: 64
+  wan_mac: "0a:49:6e:4d:00:00"
+  lan_mac: "0a:49:6e:4d:00:01"
+  wan_net: "wan-net"
+  lan_net: "lan-net"
+  lan_group: "vlan-trunk"
+
+# Network Factors
+# LLA is like MAC address for L3 (Network layer). Usually, subnet is used to seperate network.
+network4:
+  subnet:
+    client: "192.168.1.0/24"
+    server: "192.168.10.0/24"
+    user: "192.168.20.0/24"
+    wg: "192.168.99.0/24"
+    lla: "169.254.0.0/16"
+  # You can use "{{ hostvars['fw']['network4']['firewall'].values() | join(', ') }}" for all
+  firewall:
+    client: "192.168.1.1"
+    server: "192.168.10.1"
+    user: "192.168.20.1"
+    wg: "192.168.99.1"
+  blocky:
+    server: "192.168.10.2"
+  bind:
+    server: "192.168.10.3"
+  console:
+    client: "192.168.1.20"
+    wg: "192.168.99.20"
+  vmm:
+    client: "192.168.1.10"
+    server: "192.168.10.10"
+  infra:
+    server: "192.168.10.11"
+  auth:
+    server: "192.168.10.12"
+  app:
+    server: "192.168.10.13"
+  switch:
+    client: "192.168.1.2"
+  nas:
+    client: "192.168.1.11"
+  printer:
+    client: "192.168.1.101"
+
+network6:
+  subnet:
+    client: "fd00:1::/64"
+    server: "fd00:10::/64"
+    wg: "fd00:99::/64"
+    lla: "fe80::/10"
+  firewall:
+    client: "fd00:1::1"
+    server: "fd00:10::1"
+    wg: "fd00:99::1"
+  blocky:
+    server: "fd00:10::2"
+  bind:
+    server: "fd00:10::3"
+  console:
+    client: "fd00:1::20"
+    wg: "fd00:99::20"
+  vmm:
+    client: "fd00:1::10"
+    server: "fd00:10::10"
+  infra:
+    server: "fd00:10::11"
+  auth:
+    server: "fd00:10::12"
+  app:
+    server: "fd00:10::13"
+  switch:
+    client: "fd00:1::2"
+  nas:
+    client: "fd00:1::11"
+  printer:
+    client: "fd00:1::101"
+
+# Suricata Factors
+# suricata_home_net: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]'
+suricata:
+  home_net: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fd00::/8,fe80::/8]'
+  interfaces: ["wan", "client", "server", "user"]

ansible/inventory/host_vars/infra.yaml

@@ -0,0 +1,19 @@
+---
+# Node Factors
+node:
+  name: "infra"
+  uid: 2002
+  home_path: "/home/infra"
+  ssh_san: "infra,infra.ilnmors.internal"
+  local_san: "localhost infra.ilnmors.internal"
+
+# VM Factors
+vm:
+  name: "infra"
+  cpu: 2
+  shares: 1024
+  memory: 6
+  storage: 256
+  lan_mac: "0a:49:6e:4d:01:00"
+  lan_net: "lan-net"
+  lan_group: "vlan10-access"

ansible/inventory/hosts.ini

@@ -0,0 +1,14 @@
+# --- console ---
+console ansible_connection=local ansible_user=console
+
+# --- Hypervisor ---
+[hypervisor]
+vmm_init ansible_host=init.vmm.ilnmors.internal ansible_user=vmm
+vmm ansible_host=vmm.ilnmors.internal ansible_user=vmm
+
+# --- Virtual Machines ---
+[vms]
+fw ansible_host=fw.ilnmors.internal ansible_user=fw
+infra ansible_host=infra.ilnmors.internal ansible_user=infra
+auth  ansible_host=auth.ilnmors.internal ansible_user=auth
+app   ansible_host=app.ilnmors.internal ansible_user=app