Initial commit

defaults/main.yml

@@ -0,0 +1,10 @@
+---
+ctr_name: maatma
+
+maatma_network:
+  network6: "2a01:e0a:518:833::/64"
+  prefix6: "2a01:e0a:518:833:"
+  netmask6: "64"
+  gateway6: "2a01:e0a:518:833::1"
+
+wg_adlin_port: 42912

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart networking
+  service:
+    name: networking
+    state: restarted

meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  role_name: maatma
+  author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
+  description: Deploy the Maatma hosting service
+  license: GPL-3.0-or-later
+  min_ansible_version: 2.9
+  platforms:
+    - name: Alpine
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies: []

tasks/container-setup.yml

@@ -0,0 +1,105 @@
+---
+- name: Create maatma container
+  community.general.lxc_container:
+    name: "{{ ctr_name }}"
+    backing_store: dir
+    container_log: true
+    container_log_level: DEBUG
+    template: download
+    template_options: "--dist alpine --release 3.17 --arch armhf"
+    state: stopped
+
+- name: Erase container configuration
+  copy:
+    content: |
+      # Template used to create this container: /usr/share/lxc/templates/lxc-download
+      # Parameters passed to the template: --dist alpine --release 3.17 --arch armhf
+      # For additional config options, please look at lxc.container.conf(5)
+
+      # Uncomment the following line to support nesting containers:
+      #lxc.include = /usr/share/lxc/config/nesting.conf
+      # (Be aware this has security implications)
+
+
+      # Distribution configuration
+      lxc.include = /usr/share/lxc/config/common.conf
+      lxc.arch = linux32
+
+      # Container specific configuration
+      lxc.rootfs.path = dir:/var/lib/lxc/{{ ctr_name }}/rootfs
+      lxc.uts.name = {{ ctr_name }}
+
+      lxc.net.0.type = macvlan
+      lxc.net.0.macvlan.mode = vepa
+      lxc.net.0.flags = up
+      lxc.net.0.link = eth0
+      lxc.net.0.hwaddr = de:de:d7:8e:36:5e
+      lxc.net.0.ipv4.address = {{ local_network.prefix4 }}201/{{ local_network.netmask4 }}
+      lxc.net.0.ipv4.gateway = {{ local_network.gateway }}
+      lxc.net.0.ipv6.address = {{ local_network.prefix6 }}:1:a/64
+      lxc.net.0.ipv6.gateway = {{ local_network.gateway6 }}
+
+      lxc.net.2.type = phys
+      lxc.net.2.flags = up
+      lxc.net.2.link = wg-adlin
+      lxc.net.2.ipv6.address = {{ maatma_network.gateway6 }}/{{ maatma_network.netmask6 }}
+
+      lxc.net.1.type = veth
+      lxc.net.1.flags = up
+      lxc.net.1.veth.pair = veth_sshpipper
+      lxc.net.1.ipv4.address = 169.254.42.1/30
+
+      lxc.sysctl.net.ipv6.conf.eth0.autoconf = 0
+      lxc.sysctl.net.ipv6.conf.all.forwarding = 1
+
+      lxc.cap.drop = setgid
+      lxc.cap.drop = setuid
+      lxc.cap.drop = setpcap
+      lxc.cap.drop = sys_resource
+      lxc.cap.drop = sys_boot
+    dest: "/var/lib/lxc/{{ ctr_name }}/config"
+
+- name: Update runlevels
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs{{ item }}"
+    state: absent
+  loop:
+    - "/etc/runlevels/boot/syslog"
+    - "/etc/runlevels/default/crond"
+    - "/etc/runlevels/default/networking"
+
+- name: Copy init scripts
+  template:
+    src: "{{ item }}.init.j2"
+    dest: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/init.d/{{ item }}"
+    mode: 0755
+  loop:
+    - token-validator
+    - checker
+    - clean-wg
+
+- name: Setup runlevels
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs/etc/runlevels/{{ item.runlevel }}/{{ item.filename }}"
+    src: "/etc/init.d/{{ item.filename }}"
+    state: link
+    force: yes
+  loop:
+    - { filename: "token-validator", runlevel: "default" }
+    - { filename: "checker", runlevel: "default" }
+    - { filename: "clean-wg", runlevel: "default" }
+
+# Does not work
+- name: Setup maatma container
+  community.general.lxc_container:
+    name: "{{ ctr_name }}"
+    container_command: |
+      echo nameserver 192.168.0.254 > /etc/resolv.conf;
+      apk add --no-cache wireguard-tools-wg nftables;
+    state: started
+
+- name: Create symlink for service
+  file:
+    path: "/etc/init.d/lxc.{{ ctr_name }}"
+    src: "/etc/init.d/lxc"
+    state: link

tasks/main.yml

@@ -0,0 +1,52 @@
+---
+# 1. Setup LXC
+- include_tasks: pkg.yml
+
+# 2. Setup networking
+- include_tasks: networking.yml
+
+# 2. Create maatma container from alpine ctr
+- include_tasks: container-setup.yml
+
+- name: "Ensure container's directory is traversable by srs-deploy"
+  file:
+    path: "/var/lib/lxc/maatma"
+    group: srs-deploy
+    state: directory
+
+# 3. Install others scripts
+- name: Retrieve clean-wg.sh
+  get_url:
+    url: https://git.nemunai.re/teach/adlin/raw/branch/master/token-validator/clean-wg.sh
+    dest: "/var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/clean-wg.sh"
+    mode: 0755
+
+- name: Add update-adlin script
+  template:
+    src: update-adlin
+    dest: /sbin/update-adlin
+    mode: 0755
+
+- name: Define authorized key for srs-deploy
+  ansible.posix.authorized_key:
+    user: srs-deploy
+    state: present
+    key: "{{ ssh_key_srs_deploy }}"
+
+- name: Ensure directory exists for receiving new builds
+  file:
+    path: "/var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds"
+    owner: srs-deploy
+    state: directory
+
+- name: Ensure directory exists for receiving maatma error pages
+  file:
+    path: "/var/www/nemunai.re/adlin/.error-pages"
+    owner: srs-deploy
+    state: directory
+
+- name: Launch maatma container
+  service:
+    name: "lxc.{{ ctr_name }}"
+    state: started
+    enabled: true

tasks/networking.yml

@@ -0,0 +1,28 @@
+---
+- name: Install wg-tools on host
+  apk:
+    name:
+      - wireguard-tools-wg
+    state: present
+
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_file: /etc/sysctl.d/maatma.conf
+
+- name: ensure /etc/wireguard exists
+  file:
+    path: /etc/wireguard
+    state: directory
+
+- name: configure wg-adlin
+  template:
+    src: "wg.conf.j2"
+    dest: "/etc/wireguard/wg-adlin.conf"
+
+- name: enable wg-adlin
+  template:
+    src: networking.j2
+    dest: "/etc/network/interfaces.d/wg-adlin"
+  notify: restart networking

tasks/pkg.yml

@@ -0,0 +1,9 @@
+---
+- name: Install dependancies
+  apk:
+    name:
+      - lxc
+      - lxc-download
+      - py3-lxc
+      - xz
+    state: present

templates/checker.init.j2

@@ -0,0 +1,7 @@
+#!/sbin/openrc-run
+
+description="Maatma interface, API and more"
+command="/usr/sbin/checker"
+command_args="-dsn '{{ mysql_maatma.username }}:{{ mysql_maatma.password }}@tcp({{ mysql_endpoint.host }}:{{ mysql_endpoint.port}})/{{ mysql_maatma.database }}'"
+start_stop_daemon_args="--background --quiet"
+pidfile="/var/run/$SVCNAME.pid"

templates/clean-wg.init.j2

@@ -0,0 +1,6 @@
+#!/sbin/openrc-run
+
+description="Maatma interface, API and more"
+command="/usr/sbin/clean-wg.sh"
+start_stop_daemon_args="--background --quiet"
+pidfile="/var/run/$SVCNAME.pid"

templates/networking.j2

@@ -0,0 +1,5 @@
+auto wg-adlin
+iface wg-adlin inet static
+       requires eth0
+       use wireguard
+       address {{ maatma_network.gateway6 }}/{{ maatma_network.netmask6 }}

templates/token-validator.init.j2

@@ -0,0 +1,7 @@
+#!/sbin/openrc-run
+
+description="Maatma interface, API and more"
+command="/usr/sbin/token-validator"
+command_args="-baseurl /maatma/ -dsn '{{ mysql_maatma.username }}:{{ mysql_maatma.password }}@tcp({{ mysql_endpoint.host }}:{{ mysql_endpoint.port}})/{{ mysql_maatma.database }}' -oidc-clientid {{ oidc.clientid }} -oidc-secret {{ oidc.client_secret }}"
+start_stop_daemon_args="--background --quiet"
+pidfile="/var/run/$SVCNAME.pid"

templates/update-adlin

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+usage() {
+    echo -e "Usage: $0 [OPTION...]\n"
+    echo -e "  -?, --help\tgive this help list"
+    echo -e "  -R\trollback to the last binary backup"
+}
+
+while getopts "R" opt; do
+    case $opt in
+        R|r)
+	    ROLLBACK=1
+	    ;;
+	\?)
+	    usage
+	    exit 1
+	    ;;
+    esac
+done
+
+/etc/init.d/lxc.{{ ctr_name }}-final status > /dev/null 2> /dev/null
+FINAL_UP=$?
+
+[ "$FINAL_UP" = 0 ] && /etc/init.d/lxc.{{ ctr_name }}-final stop
+/etc/init.d/lxc.{{ ctr_name }} stop
+
+for b in checker token-validator
+do
+    echo -n " * Updating $b ..."
+    if [ -n "$ROLLBACK" ]
+    then
+	[ -f "/var/lib/lxc/{{ ctr_name }}/rootfs/home/backups/$b" ] || echo " Doesn't exists"
+	[ -f "/var/lib/lxc/{{ ctr_name }}/rootfs/home/backups/$b" ] && {
+	    mv "/var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/$b" /var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds/
+	    cp "/var/lib/lxc/{{ ctr_name }}/rootfs/home/backups/$b" /var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/
+	} && echo " DONE"
+    else
+	[ -f "/var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds/$b" ] || echo " Doesn't exists"
+	[ -f "/var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds/$b" ] && {
+	    cp "/var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/$b" /var/lib/lxc/{{ ctr_name }}/rootfs/home/backups/
+	    mv "/var/lib/lxc/{{ ctr_name }}/rootfs/home/newbuilds/$b" /var/lib/lxc/{{ ctr_name }}/rootfs/usr/sbin/
+	} && echo " DONE"
+    fi
+done
+
+/etc/init.d/lxc.{{ ctr_name }} start
+[ "$FINAL_UP" = 0 ] && /etc/init.d/lxc.{{ ctr_name }}-final start

templates/wg.conf.j2

@@ -0,0 +1,3 @@
+[Interface]
+PrivateKey = {{ wg_adlin_private_key }}
+ListenPort = {{ wg_adlin_port }}

vars/main.yml

@@ -0,0 +1,2 @@
+---
+ssh_key_srs_deploy: 'no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,from="192.168.0.*,82.64.151.41,2a01:e0a:518:83?:*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE26xEqztOHrF1rL2klBc5Tr2lhm2zPXUyKvlW8tgrN0 deploy-key-drone-adlin'