From 5a74d8ce5107fe1641583029dcfb8fc7790ba8ba Mon Sep 17 00:00:00 2001 From: james-otten Date: Fri, 6 Dec 2024 23:30:43 -0500 Subject: [PATCH 01/60] try --- .github/workflows/deploy.yaml | 20 ++ .github/workflows/deploy_ntp.yaml | 87 +++++++ ansible/ansible.cfg | 8 + ansible/chrony_server/tasks/main.yaml | 72 ++++++ ansible/chrony_server/templates/bird.conf.j2 | 229 ++++++++++++++++++ ansible/chrony_server/templates/iptables.j2 | 0 .../templates/netplan_dummy0.yaml.j2 | 9 + .../templates/netplan_dummy1.yaml.j2 | 9 + ansible/inventory.yaml | 3 + ansible/ntp_servers.yaml | 4 + terraform/ansible.tf | 20 ++ terraform/dev3.tfvars | 9 + terraform/lxc.tf | 28 +++ terraform/provider.tf | 24 ++ terraform/vars.tf | 104 ++++++++ 15 files changed, 626 insertions(+) create mode 100644 .github/workflows/deploy.yaml create mode 100644 .github/workflows/deploy_ntp.yaml create mode 100644 ansible/ansible.cfg create mode 100644 ansible/chrony_server/tasks/main.yaml create mode 100644 ansible/chrony_server/templates/bird.conf.j2 create mode 100644 ansible/chrony_server/templates/iptables.j2 create mode 100644 ansible/chrony_server/templates/netplan_dummy0.yaml.j2 create mode 100644 ansible/chrony_server/templates/netplan_dummy1.yaml.j2 create mode 100644 ansible/inventory.yaml create mode 100644 ansible/ntp_servers.yaml create mode 100644 terraform/ansible.tf create mode 100644 terraform/dev3.tfvars create mode 100644 terraform/lxc.tf create mode 100644 terraform/provider.tf create mode 100644 terraform/vars.tf diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml new file mode 100644 index 0000000..a6af5fc --- /dev/null +++ b/.github/workflows/deploy.yaml 
@@ -0,0 +1,20 @@ +name: Deploy Environments +permissions: read-all + +on: + push: + branches: + - main + - james/init + workflow_dispatch: + branches: + - main + +jobs: + deploy_prod3: + name: Deploy prod3 + uses: ./.github/workflows/deploy_ntp.yaml + with: + environment: prod3 + secrets: inherit + #if: github.ref == 'refs/heads/main' diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml new file mode 100644 index 0000000..93efb89 --- /dev/null +++ b/.github/workflows/deploy_ntp.yaml 
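Review bot: With the `if: github.ref == 'refs/heads/main'` guard left commented out at the end of the `deploy_prod3` job, a push to `james/init` runs the production deployment with `secrets: inherit` exactly as a push to `main` does. If the feature branch is meant to exercise the workflow, gate the job (`if: github.ref == 'refs/heads/main'`) or point it at a non-production environment while iterating. The `branches:` list under `workflow_dispatch` is, as far as I know, not a recognised filter for that trigger (it takes `inputs`), so it can be dropped; the `push` branch list already limits where the workflow runs.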
@@ -0,0 +1,87 @@ +name: Deploy NTP Server +permissions: read-all + +on: + workflow_call: + inputs: + environment: + required: true + type: string + +env: + # Secrets + TF_VAR_proxmox_host: ${{ secrets.TF_VAR_PROXMOX_HOST }} + TF_VAR_proxmox_token_id: ${{ secrets.TF_VAR_PROXMOX_TOKEN_ID }} + TF_VAR_proxmox_token_secret: ${{ secrets.TF_VAR_PROXMOX_TOKEN_SECRET }} + TF_VAR_local_password: ${{ secrets.TF_VAR_LOCAL_PASSWORD }} + TF_VAR_datadog_api_key: ${{ secrets.DATADOG_API_KEY }} + TF_VAR_datadog_site: ${{ secrets.DATADOG_SITE }} + # Credentials for deployment to AWS + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + # S3 bucket for the Terraform state + BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}} + +jobs: + deploy: + runs-on: ubuntu-latest + environment: ${{ inputs.environment }} + steps: + - name: Checkout + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # @v4 + + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #@v5 + with: + python-version: '3.11' + + - name: Setup ansible + run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform && ansible-galaxy collection install datadog.dd + + - name: Setup Terraform with specified version on the runner + uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 + with: + terraform_version: 1.8.3 + + - name: Setup backend + run: | + echo "bucket = \"${{ secrets.BUCKET_TF_STATE }}\"" > backend.tfvars + echo "key = \"terraform/state/ntp-${{ inputs.environment }}.tfstate\"" >> backend.tfvars + working-directory: ./terraform/ + + - name: Terraform init + id: init + run: terraform init -backend-config=backend.tfvars + working-directory: ./terraform/ + + - name: Terraform format + id: fmt + run: terraform fmt -check + working-directory: ./terraform/ + + - name: Terraform validate + run: | + echo "${{ secrets.SSH_PRIVATE_KEY }}" > ntp + echo 
"${{ secrets.SSH_PUBLIC_KEY }}" > ntp.pub + chmod 600 ntp + chmod 600 ntp.pub + terraform validate + working-directory: ./terraform/ + + - name: Setup WireGuard + run: | + sudo apt-get update && sudo apt-get install -y wireguard + echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey + sudo ip link add dev wg0 type wireguard + sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }} + sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }} + sudo ip link set up dev wg0 + rm privatekey + + - name: Terraform Apply + run: | + terraform apply -auto-approve -input=false -var-file=${{ inputs.environment }}.tfvars + working-directory: ./terraform/ + + - name: Run playbook + run: sleep 20 && export PATH="$HOME/.local/bin:$PATH" && ansible-playbook -i inventory.yaml ntp_servers.yaml + working-directory: ./ansible/ diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 0000000..87d5391 --- /dev/null +++ b/ansible/ansible.cfg @@ -0,0 +1,8 @@ +[defaults] +host_key_checking = False +callbacks_enabled = timer, profile_tasks, profile_roles +gathering = 'explicit' +pipelining = True + +[ssh_connection] +ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -o ControlMaster=auto -o ControlPersist=60s' diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml new file mode 100644 index 0000000..fd1d695 --- /dev/null +++ b/ansible/chrony_server/tasks/main.yaml 
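Review bot: The `Setup ansible` step installs `ansible` and the `cloud.terraform` / `datadog.dd` collections with no version pin, so each run pulls whatever PyPI and Galaxy serve at that moment, while the actions and Terraform below are pinned by SHA or version; pin these too, e.g. `pip install 'ansible==<pinned version>'` and `ansible-galaxy collection install cloud.terraform:==<pinned version>` (placeholders). The `Terraform validate` step writes `secrets.SSH_PRIVATE_KEY` to `terraform/ntp` and nothing removes it afterwards; the later Terraform and Ansible steps need it, so a final `if: always()` step that deletes `terraform/ntp` would keep the key from outliving the job. Writing it with `echo` under the default umask also leaves the file world-readable until the `chmod 600` on the next line; `(umask 077; echo "..." > ntp)` or `install -m 600 /dev/stdin ntp` closes that window, and the same applies to the WireGuard `privatekey` file, which is read by `wg set` before it is removed.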
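Review bot: `host_key_checking = False` together with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in `ssh_args` disables SSH host authentication for every connection the playbook makes, so everything the play sends — including the Datadog API key it renders into the agent config — is delivered to whatever host answers at the management IP; `terraform/ansible.tf` repeats the same options in `ansible_ssh_common_args`, so one place should own this decision. Since the VM is freshly created in the same run, `-o StrictHostKeyChecking=accept-new` with a per-run `UserKnownHostsFile` gives trust-on-first-use and still pins the key for the rest of the job. Separately, `gathering = 'explicit'` is the only quoted value in `[defaults]`; Ansible's INI loader strips matching quotes as far as I recall, but dropping them keeps the file consistent.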
@@ -0,0 +1,72 @@ +- name: Install deps + ansible.builtin.apt: + lock_timeout: 240 + update_cache: true + pkg: + - ca-certificates + - iptables-persistent + - bird2 + - chrony + +- name: Import the Datadog Agent role from the Datadog collection + ansible.builtin.import_role: + name: datadog.dd.agent + vars: + datadog_api_key: "{{ DATADOG_API_KEY }}" + datadog_site: "{{ DATADOG_SITE }}" + datadog_config: + hostname: "{{ VM_HOSTNAME }}" + +- name: Reload datadog + ansible.builtin.systemd_service: + name: datadog-agent + state: restarted + enabled: true + daemon_reload: true + +- name: dummy0 interface + ansible.builtin.template: + src: ../templates/netplan_dummy0.yaml.j2 + dest: /etc/netplan/dummy0.yaml + mode: "600" + +- name: dummy1 interface + ansible.builtin.template: + src: ../templates/netplan_dummy1.yaml.j2 + dest: /etc/netplan/dummy1.yaml + mode: "600" + +- name: Iptables rules + ansible.builtin.template: + src: ../templates/iptables.j2 + dest: /etc/iptables/rules.v4 + +- name: Restore iptables rules + ansible.builtin.command: + cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4'" + +- name: Netplan apply + ansible.builtin.command: + cmd: "bash -c 'netplan apply && touch /tmp/netplan_applied'" + creates: /tmp/netplan_applied + +- name: Restart and enable iptables service + ansible.builtin.service: + name: netfilter-persistent + state: restarted + enabled: true + +- name: Bird config + ansible.builtin.template: + src: ../templates/bird.conf.j2 + dest: /etc/bird/bird.conf + mode: "640" + owner: "bird" + group: "bird" + +- name: Reload bird + ansible.builtin.systemd_service: + name: bird + state: reloaded + enabled: true + daemon_reload: true diff --git a/ansible/chrony_server/templates/bird.conf.j2 b/ansible/chrony_server/templates/bird.conf.j2 new file mode 100644 index 0000000..82d9223 --- /dev/null +++ b/ansible/chrony_server/templates/bird.conf.j2 
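Review bot: The `Iptables rules` task renders `../templates/iptables.j2`, which this commit adds as an empty file (the diffstat shows `0` lines), so `iptables-restore` installs no rules and the host runs with an open filter while bird and, later, chrony are enabled and started; the rule set should exist and be loaded before those services start, and the template should carry a `mode: "0640"` like the bird config does. `Restore iptables rules` and `Restart and enable iptables service` both load `/etc/iptables/rules.v4`; the `netfilter-persistent` restart is enough on its own. The remaining `command` task also reports `changed` on every run, so it wants `changed_when: false` (the netplan task is already guarded by `creates:`).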
@@ -0,0 +1,229 @@ +# This is a basic configuration file, which contains boilerplate options and +# some basic examples. It allows the BIRD daemon to start but will not cause +# anything else to happen. +# +# Please refer to the BIRD User's Guide documentation, which is also available +# online at http://bird.network.cz/ in HTML format, for more information on +# configuring BIRD and adding routing protocols. + +# Configure logging +log syslog all; +# log "/var/log/bird.log" { debug, trace, info, remote, warning, error, auth, fatal, bug }; + +# Set router ID. It is a unique identification of your router, usually one of +# IPv4 addresses of the router. It is recommended to configure it explicitly. +router id {{ ROUTER_ID }}; + +# Turn on global debugging of all protocols (all messages or just selected classes) +# debug protocols all; +# debug protocols { events, states }; + +# Turn on internal watchdog +# watchdog warning 5 s; +# watchdog timeout 30 s; + +# You can define your own constants +# define my_asn = 65000; +# define my_addr = 198.51.100.1; + +# Tables master4 and master6 are defined by default +# ipv4 table master4; +# ipv6 table master6; + +# Define more tables, e.g. for policy routing or as MRIB +# ipv4 table mrib4; +# ipv6 table mrib6; + +# The Device protocol is not a real routing protocol. It does not generate any +# routes and it only serves as a module for getting information about network +# interfaces from the kernel. It is necessary in almost any configuration. +protocol device { + scan time 10; +} + +# The direct protocol is not a real routing protocol. It automatically generates +# direct routes to all network interfaces. Can exist in as many instances as you +# wish if you want to populate multiple routing tables with direct routes. +protocol direct { + #disabled; # Disable by default + ipv4; # Connect to default IPv4 table + ipv6; # ... and to default IPv6 table +} + +# The Kernel protocol is not a real routing protocol. 
Instead of communicating +# with other routers in the network, it performs synchronization of BIRD +# routing tables with the OS kernel. One instance per table. +protocol kernel { + persist; + scan time 10; + ipv4 { # Connect protocol to IPv4 table by channel +# table master4; # Default IPv4 table is master4 + import all; # Import to table, default is import all + export all; # Export to protocol. default is export none + }; + learn; # Learn alien routes from the kernel +# kernel table 10; # Kernel table to synchronize with (default: main) +} + +# Another instance for IPv6, skipping default options +#protocol kernel { +# ipv6 { export all; }; +#} + +# Static routes (Again, there can be multiple instances, for different address +# families and to disable/enable various groups of static routes on the fly). +protocol static { + ipv4; # Again, IPv4 channel with default options + +# route 0.0.0.0/0 via 198.51.100.10; +# route 192.0.2.0/24 blackhole; +# route 10.0.0.0/8 unreachable; +# route 10.2.0.0/24 via "eth0"; +# # Static routes can be defined with optional attributes +# route 10.1.1.0/24 via 198.51.100.3 { rip_metric = 3; }; +# route 10.1.2.0/24 via 198.51.100.3 { ospf_metric1 = 100; }; +# route 10.1.3.0/24 via 198.51.100.4 { ospf_metric2 = 100; }; +} + +# Pipe protocol connects two routing tables. Beware of loops. 
+# protocol pipe { +# table master4; # No ipv4/ipv6 channel definition like in other protocols +# peer table mrib4; +# import all; # Direction peer table -> table +# export all; # Direction table -> peer table +# } + +# RIP example, both RIP and RIPng are supported +# protocol rip { +# ipv4 { +# # Export direct, static routes and ones from RIP itself +# import all; +# export where source ~ [ RTS_DEVICE, RTS_STATIC, RTS_RIP ]; +# }; +# interface "eth*" { +# update time 10; # Default period is 30 +# timeout time 60; # Default timeout is 180 +# authentication cryptographic; # No authentication by default +# password "hello" { algorithm hmac sha256; }; # Default is MD5 +# }; +# } + +# OSPF example, both OSPFv2 and OSPFv3 are supported +# protocol ospf v3 { +# ipv6 { +# import all; +# export where source = RTS_STATIC; +# }; +# area 0 { +# interface "eth*" { +# type broadcast; # Detected by default +# cost 10; # Interface metric +# hello 5; # Default hello perid 10 is too long +# }; +# interface "tun*" { +# type ptp; # PtP mode, avoids DR selection +# cost 100; # Interface metric +# hello 5; # Default hello perid 10 is too long +# }; +# interface "dummy0" { +# stub; # Stub interface, just propagate it +# }; +# }; +#} + +protocol ospf v2 { + ipv4 { + import none; + }; + area 0 { + default cost 10; + networks { + {{ BIRD_NETWORK }}; + }; + interface "eth*" { + type broadcast; # Detected by default + cost 10; # Interface metric + neighbors { + {{ BIRD_NEIGHBOR }}; + }; + }; + interface "lo" { + cost 10; + }; + }; +} + +# Define simple filter as an example for BGP import filter +# See https://gitlab.labs.nic.cz/labs/bird/wikis/BGP_filtering for more examples +# filter rt_import +# { +# if bgp_path.first != 64496 then accept; +# if bgp_path.len > 64 then accept; +# if bgp_next_hop != from then accept; +# reject; +# } + +# BGP example, explicit name 'uplink1' is used instead of default 'bgp1' +# protocol bgp uplink1 { +# description "My BGP uplink"; +# local 198.51.100.1 as 
65000; +# neighbor 198.51.100.10 as 64496; +# hold time 90; # Default is 240 +# password "secret"; # Password used for MD5 authentication +# +# ipv4 { # regular IPv4 unicast (1/1) +# import filter rt_import; +# export where source ~ [ RTS_STATIC, RTS_BGP ]; +# }; +# +# ipv6 { # regular IPv6 unicast (2/1) +# import filter rt_import; +# export filter { # The same as 'where' expression above +# if source ~ [ RTS_STATIC, RTS_BGP ] +# then accept; +# else reject; +# }; +# }; +# +# ipv4 multicast { # IPv4 multicast topology (1/2) +# table mrib4; # explicit IPv4 table +# import filter rt_import; +# export all; +# }; +# +# ipv6 multicast { # IPv6 multicast topology (2/2) +# table mrib6; # explicit IPv6 table +# import filter rt_import; +# export all; +# }; +#} + +# Template example. Using templates to define IBGP route reflector clients. +# template bgp rr_clients { +# local 10.0.0.1 as 65000; +# neighbor as 65000; +# rr client; +# rr cluster id 1.0.0.1; +# +# ipv4 { +# import all; +# export where source = RTS_BGP; +# }; +# +# ipv6 { +# import all; +# export where source = RTS_BGP; +# }; +# } +# +# protocol bgp client1 from rr_clients { +# neighbor 10.0.1.1; +# } +# +# protocol bgp client2 from rr_clients { +# neighbor 10.0.2.1; +# } +# +# protocol bgp client3 from rr_clients { +# neighbor 10.0.3.1; +# } diff --git a/ansible/chrony_server/templates/iptables.j2 b/ansible/chrony_server/templates/iptables.j2 new file mode 100644 index 0000000..e69de29 diff --git a/ansible/chrony_server/templates/netplan_dummy0.yaml.j2 b/ansible/chrony_server/templates/netplan_dummy0.yaml.j2 new file mode 100644 index 0000000..ef1138a --- /dev/null +++ b/ansible/chrony_server/templates/netplan_dummy0.yaml.j2 @@ -0,0 +1,9 @@ +network: + version: 2 + renderer: networkd + ethernets: + lo: + dhcp4: no + dhcp6: no + addresses: + - {{ NTP_IP }}/32 
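Review bot: The `protocol ospf v2` block enables OSPF on `eth*` with no `authentication` directive, which in BIRD means `none`, so any host on that segment can form an adjacency and shape the area's LSDB; the `neighbors { {{ BIRD_NEIGHBOR }}; }` list, which BIRD documents for NBMA/PtMP interfaces rather than `type broadcast`, does not authenticate the peer in any case. Adding `authentication cryptographic; password "<ospf key placeholder>" { algorithm hmac sha256; };` inside the `eth*` interface block, with the key supplied as a template variable rather than committed, follows the pattern the file's own RIP example already shows. `import none` keeps learned routes out of `master4`, so the exposure here is what this host advertises (the `lo` addresses and `{{ BIRD_NETWORK }}`), not route injection into its own table.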
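Review bot: `dhcp4: no` and `dhcp6: no` rely on YAML 1.1 truthiness; netplan accepts them, but `false` is the unambiguous form and matches the `true`/`false` used in `tasks/main.yaml`; the same two lines appear in `netplan_dummy1.yaml.j2`. Both files configure the same `ethernets: lo:` stanza with a one-element `addresses` list, and netplan merges per key across files, so it is worth verifying on the host that both `NTP_IP/32` and `ROUTER_ID/32` end up on `lo` rather than the later file's list replacing the earlier one; a single `lo` stanza listing both addresses would remove the question. The file names say `dummy0`/`dummy1` but neither creates a dummy interface, so a one-line comment at the top (`# Secondary /32 on lo for the NTP service address`) would help the next reader.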
diff --git a/ansible/chrony_server/templates/netplan_dummy1.yaml.j2 b/ansible/chrony_server/templates/netplan_dummy1.yaml.j2 new file mode 100644 index 0000000..220d3bb --- /dev/null +++ b/ansible/chrony_server/templates/netplan_dummy1.yaml.j2 @@ -0,0 +1,9 @@ +network: + version: 2 + renderer: networkd + ethernets: + lo: + dhcp4: no + dhcp6: no + addresses: + - {{ ROUTER_ID }}/32 diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml new file mode 100644 index 0000000..4d39cd4 --- /dev/null +++ b/ansible/inventory.yaml @@ -0,0 +1,3 @@ +--- +plugin: cloud.terraform.terraform_provider +project_path: "../terraform" diff --git a/ansible/ntp_servers.yaml b/ansible/ntp_servers.yaml new file mode 100644 index 0000000..6f38875 --- /dev/null +++ b/ansible/ntp_servers.yaml @@ -0,0 +1,4 @@ +- hosts: ntp_mgt + become: true + roles: + - role: chrony_server diff --git a/terraform/ansible.tf b/terraform/ansible.tf new file mode 100644 index 0000000..f8ab17a --- /dev/null +++ b/terraform/ansible.tf @@ -0,0 +1,20 @@ +resource "ansible_group" "ntp_mgt_group" { + name = "ntp_mgt" + variables = { + ansible_user = var.mesh_local_user + ansible_ssh_private_key_file = "../terraform/messh" + ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + DATADOG_API_KEY = var.datadog_api_key + DATADOG_SITE = var.datadog_site + VM_HOSTNAME = var.hostname + ROUTER_ID = var.router_id + BIRD_NETWORK = bar.bird_network + BIRD_NEIGHBOR = var.bird_neighbor + NTP_IP = var.ntp_ip + } +} + +resource "ansible_host" "ntp_mgt" { + name = var.vm_mgt_ip + groups = [ansible_group.ntp_mgt_group.name] +} diff --git a/terraform/dev3.tfvars b/terraform/dev3.tfvars new file mode 100644 index 0000000..5eadca1 --- /dev/null +++ b/terraform/dev3.tfvars 
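Review bot: Everything placed in `variables` on `ansible_group.ntp_mgt_group` — including `DATADOG_API_KEY` — is stored as a plain resource attribute in the Terraform state that `deploy_ntp.yaml` keeps in S3; marking the input `sensitive` in `vars.tf` only redacts plan/apply output, not the state file. If the key must travel this way, the state bucket needs encryption and tight access; otherwise pass it to the playbook from the workflow environment (an `-e` extra var or an `env` lookup in the role) instead of through state. `ansible_ssh_common_args` here repeats the host-key-disabling options from `ansible/ansible.cfg`; one place is enough.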
@@ -0,0 +1,9 @@ +proxmox_node = "jon" +proxmox_storage_location = "local-lvm" +hostname = "nycmesh-713-ntp-1" +vm_mgt_ip = "10.70.90.54" +vm_mgt_default_gateway = "10.70.90.1" +router_id = "10.70.90.55" +bird_neighbor = "10.69.7.13" +bird_network = "10.69.0.0/16" +ntp_ip = "10.70.90.123" diff --git a/terraform/lxc.tf b/terraform/lxc.tf new file mode 100644 index 0000000..e93f495 --- /dev/null +++ b/terraform/lxc.tf @@ -0,0 +1,28 @@ +resource "proxmox_lxc" "ntp_server" { + target_node = var.proxmox_node + hostname = var.hostname + description = "NTP server managed IaC via https://github.com/nycmesh/ntp-infra" + ostemplate = var.system_image + password = var.local_password + cores = 1 + memory = 1024 + unprivileged = true + start = true + onboot = true + + ssh_public_keys = file("${path.root}/ntp.pub") + + rootfs { + storage = var.proxmox_storage_location + size = "20G" + } + + network { + name = "eth0" + bridge = var.vm_nic + ip = "${var.vm_mgt_ip}/${var.internal_host_identifier}" + gw = var.vm_mgt_default_gateway + } + + tags = "ntp,managed_by_iac" +} diff --git a/terraform/provider.tf b/terraform/provider.tf new file mode 100644 index 0000000..cf9dc01 --- /dev/null +++ b/terraform/provider.tf @@ -0,0 +1,24 @@ +terraform { + backend "s3" { + region = "us-east-1" + } + required_providers { + ansible = { + source = "ansible/ansible" + version = "1.3.0" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.1-rc1" + } + } +} +provider "proxmox" { + # Configuration options + pm_api_url = "https://${var.proxmox_host}:8006/api2/json" + # TODO: Setup cert + pm_tls_insecure = true + pm_debug = true + pm_api_token_id = var.proxmox_token_id + pm_api_token_secret = var.proxmox_token_secret +} diff --git a/terraform/vars.tf b/terraform/vars.tf new file mode 100644 index 0000000..dda12d7 --- /dev/null +++ b/terraform/vars.tf 
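Review bot: `pm_tls_insecure = true` disables certificate verification for the Proxmox API, so `pm_api_token_id`/`pm_api_token_secret` are presented to whatever answers at `${var.proxmox_host}:8006` over the WireGuard path the workflow brings up; the `# TODO: Setup cert` comment acknowledges it, but it should be tracked rather than shipped to `prod3` indefinitely. `pm_debug = true` turns on the provider's debug logging inside a CI job whose output is retained, and is best left off outside local troubleshooting. The `backend "s3"` block sets only `region`; add `encrypt = true`, since the state it holds will carry the Ansible group variables and the `local_password` set on the guest in the other files of this commit.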
@@ -0,0 +1,104 @@ +variable "proxmox_host" { + type = string + description = "proxmox host" +} + +variable "proxmox_token_id" { + type = string + description = "proxmox token id" + sensitive = true +} + +variable "proxmox_token_secret" { + type = string + description = "proxmox token secret" + sensitive = true +} + +variable "proxmox_node" { + type = string + description = "name of the proxmox node" +} + +variable "proxmox_storage_location" { + type = string + description = "target resource pool on the proxmox server" +} + +variable "hostname" { + type = string + description = "hostname of the lxc" +} + +variable "system_image" { + type = string + description = "system image for the lxc" + default = "local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst" +} + +variable "mesh_local_user" { + type = string + description = "local user username" + default = "root" +} + +variable "local_password" { + type = string + description = "password for the local user" + sensitive = true +} + +variable "vm_nic" { + type = string + description = "nic for the vm" + default = "vmbr0" +} + +variable "vm_mgt_ip" { + type = string + description = "IP for the managment interface" +} + +variable "internal_host_identifier" { + type = string + description = "Host identifier for the internal network interface eth0" + default = "24" +} + +variable "vm_mgt_default_gateway" { + type = string + description = "IP of the default gateway of the managment interface" +} + +variable "router_id" { + type = string + description = "IP to use for the router id" +} + +variable "bird_neighbor" { + type = string + description = "neighbor for the ospf router" +} + +variable "bird_network" { + type = string + description = "ospf network" +} + +variable "ntp_ip" { + type = string + description = "IP to use for the ntp service" + default = "10.69.0.0/16" +} + +variable "datadog_api_key" { + type = string + description = "datadog API key" + sensitive = true +} + +variable "datadog_site" { + type = string + 
description = "datadog site url" + sensitive = true +} From 4c796b946a1aa07b5d1dc4d64f29ef65dfaf010f Mon Sep 17 00:00:00 2001 From: james-otten Date: Fri, 6 Dec 2024 23:32:25 -0500 Subject: [PATCH 02/60] lol --- terraform/ansible.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/ansible.tf b/terraform/ansible.tf index f8ab17a..5116a16 100644 --- a/terraform/ansible.tf +++ b/terraform/ansible.tf @@ -8,7 +8,7 @@ resource "ansible_group" "ntp_mgt_group" { DATADOG_SITE = var.datadog_site VM_HOSTNAME = var.hostname ROUTER_ID = var.router_id - BIRD_NETWORK = bar.bird_network + BIRD_NETWORK = var.bird_network BIRD_NEIGHBOR = var.bird_neighbor NTP_IP = var.ntp_ip } From ac041bff72d7919bd85a3d6270a4fc4b3b3df905 Mon Sep 17 00:00:00 2001 From: james-otten Date: Fri, 6 Dec 2024 23:41:30 -0500 Subject: [PATCH 03/60] vm --- terraform/lxc.tf | 28 ------------- terraform/{dev3.tfvars => prod3.tfvars} | 0 terraform/vars.tf | 8 ++-- terraform/vm.tf | 55 +++++++++++++++++++++++++ 4 files changed, 59 insertions(+), 32 deletions(-) delete mode 100644 terraform/lxc.tf rename terraform/{dev3.tfvars => prod3.tfvars} (100%) create mode 100644 terraform/vm.tf diff --git a/terraform/lxc.tf b/terraform/lxc.tf deleted file mode 100644 index e93f495..0000000 --- a/terraform/lxc.tf +++ /dev/null @@ -1,28 +0,0 @@ -resource "proxmox_lxc" "ntp_server" { - target_node = var.proxmox_node - hostname = var.hostname - description = "NTP server managed IaC via https://github.com/nycmesh/ntp-infra" - ostemplate = var.system_image - password = var.local_password - cores = 1 - memory = 1024 - unprivileged = true - start = true - onboot = true - - ssh_public_keys = file("${path.root}/ntp.pub") - - rootfs { - storage = var.proxmox_storage_location - size = "20G" - } - - network { - name = "eth0" - bridge = var.vm_nic - ip = "${var.vm_mgt_ip}/${var.internal_host_identifier}" - gw = var.vm_mgt_default_gateway - } - - tags = "ntp,managed_by_iac" -} 
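Review bot: `variable "ntp_ip"` is described as "IP to use for the ntp service" but its default is the CIDR `"10.69.0.0/16"`, which `netplan_dummy0.yaml.j2` renders as `10.69.0.0/16/32` — not a valid address; the tfvars file overrides it, so the default only bites when a new environment forgets to set it. Either drop the default so the variable is required like `router_id`, or add a `validation` block such as `condition = can(cidrhost("${var.ntp_ip}/32", 0))` with an `error_message` so a bad value fails at plan time. `datadog_site` is marked `sensitive` although the site URL is not a secret, which only hides it from plan output.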
diff --git a/terraform/dev3.tfvars b/terraform/prod3.tfvars similarity index 100% rename from terraform/dev3.tfvars rename to terraform/prod3.tfvars diff --git a/terraform/vars.tf b/terraform/vars.tf index dda12d7..7e7ab5f 100644 --- a/terraform/vars.tf +++ b/terraform/vars.tf @@ -30,16 +30,16 @@ variable "hostname" { description = "hostname of the lxc" } -variable "system_image" { +variable "mesh_proxmox_template_image" { type = string - description = "system image for the lxc" - default = "local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst" + description = "name of the template you have already setup in proxmox" + default = "debian-cloud" } variable "mesh_local_user" { type = string description = "local user username" - default = "root" + default = "debian" } variable "local_password" { diff --git a/terraform/vm.tf b/terraform/vm.tf new file mode 100644 index 0000000..73632b1 --- /dev/null +++ b/terraform/vm.tf @@ -0,0 +1,55 @@ +resource "proxmox_vm_qemu" "ntp_server" { + name = var.hostname + desc = "NTP server managed IaC via https://github.com/nycmesh/ntp-infra" + target_node = var.proxmox_node + + clone = var.mesh_proxmox_template_image + + cores = 1 + sockets = 1 + memory = 1024 + os_type = "cloud-init" + agent = 1 + cloudinit_cdrom_storage = var.proxmox_storage_location + ciuser = var.mesh_local_user + cipassword = var.local_password + + scsihw = "virtio-scsi-pci" + + disks { + scsi { + scsi0 { + disk { + backup = false + size = "20G" + storage = var.proxmox_storage_location + } + } + } + } + + network { + bridge = var.vm_nic + model = "virtio" + } + + ipconfig0 = "ip=${var.vm_mgt_ip}/${var.internal_host_identifier},gw=${var.vm_mgt_default_gateway}" + + ssh_user = "root" + ssh_private_key = file("${path.root}/ntp") + + sshkeys = file("${path.root}/ntp.pub") + + serial { + id = 0 + type = "socket" + } + + tags = "managed_by_iac,ntp" + + lifecycle { + ignore_changes = [ + qemu_os, + ] + } +} 
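Review bot: `ssh_private_key = file("${path.root}/ntp")` reads the deploy key into a resource attribute, so the full private key (alongside `cipassword`) is persisted in the S3 Terraform state; nothing else in this resource references `ssh_user`/`ssh_private_key`, so the two lines can simply be removed, and `sshkeys` (the public key) is all cloud-init needs. If a provisioner is added later, the key belongs in a `connection` block at apply time rather than a resource attribute. `ssh_user = "root"` also disagrees with `ciuser = var.mesh_local_user` (`debian` after this commit), so it would not have matched the provisioned account as written.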
From d63901d84fc5c63174bdbfe64aa157ca197300fd Mon Sep 17 00:00:00 2001 From: james-otten Date: Fri, 6 Dec 2024 23:43:15 -0500 Subject: [PATCH 04/60] vm --- terraform/vm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/vm.tf b/terraform/vm.tf index 73632b1..38e1bb2 100644 --- a/terraform/vm.tf +++ b/terraform/vm.tf @@ -21,7 +21,7 @@ resource "proxmox_vm_qemu" "ntp_server" { scsi0 { disk { backup = false - size = "20G" + size = 20 storage = var.proxmox_storage_location } } From d8bd25e6c8c48a6bc644c106ac9878613a9be329 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 11:39:44 -0500 Subject: [PATCH 05/60] fix --- terraform/ansible.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/ansible.tf b/terraform/ansible.tf index 5116a16..1acc63c 100644 --- a/terraform/ansible.tf +++ b/terraform/ansible.tf @@ -2,7 +2,7 @@ resource "ansible_group" "ntp_mgt_group" { name = "ntp_mgt" variables = { ansible_user = var.mesh_local_user - ansible_ssh_private_key_file = "../terraform/messh" + ansible_ssh_private_key_file = "../terraform/ntp" ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" DATADOG_API_KEY = var.datadog_api_key DATADOG_SITE = var.datadog_site From c2ac4439da118cd05c7d5d8b00d18f2dc4c42df9 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 23:08:23 -0500 Subject: [PATCH 06/60] chrony --- ansible/chrony_server/files/sources.list | 2 + ansible/chrony_server/tasks/main.yaml | 30 ++++++++++- .../chrony_server/templates/chrony.conf.j2 | 53 +++++++++++++++++++ 3 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 ansible/chrony_server/files/sources.list create mode 100644 ansible/chrony_server/templates/chrony.conf.j2 diff --git a/ansible/chrony_server/files/sources.list b/ansible/chrony_server/files/sources.list new file mode 100644 index 0000000..daa60ca --- /dev/null +++ b/ansible/chrony_server/files/sources.list 
@@ -0,0 +1,2 @@ +# HE +server clock.nyc.he.net iburst diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml index fd1d695..579764f 100644 --- a/ansible/chrony_server/tasks/main.yaml +++ b/ansible/chrony_server/tasks/main.yaml @@ -8,6 +8,19 @@ - bird2 - chrony +- name: Allow restarting of bird + ansible.builtin.lineinfile: + path: /lib/systemd/system/bird.service + search_string: Restart= + line: "Restart=always" + +- name: Allow restarting of chrony + ansible.builtin.lineinfile: + path: /lib/systemd/system/chrony.service + insertafter: '\[Service\]' + search_string: Restart= + line: "Restart=always" + - name: Import the Datadog Agent role from the Datadog collection ansible.builtin.import_role: name: datadog.dd.agent @@ -55,6 +68,22 @@ name: netfilter-persistent state: restarted enabled: true + +- name: Chrony config + ansible.builtin.template: + src: ../templates/chrony.conf.j2 + dest: /etc/chrony/chrony.conf + +- name: Chrony sources + ansible.builtin.copy: + src: ../files/sources.list + dest: /etc/chrony/sources.d/configured_servers.list + +- name: Reload chrony + ansible.builtin.systemd_service: + name: chrony + state: reloaded + enabled: true - name: Bird config ansible.builtin.template: @@ -69,4 +98,3 @@ name: bird state: reloaded enabled: true - daemon_reload: true diff --git a/ansible/chrony_server/templates/chrony.conf.j2 b/ansible/chrony_server/templates/chrony.conf.j2 new file mode 100644 index 0000000..64aa6bb --- /dev/null +++ b/ansible/chrony_server/templates/chrony.conf.j2 
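Review bot: With `server clock.nyc.he.net iburst` as the only entry in `sources.list`, and the Debian pool commented out in `chrony.conf.j2` by commit 13, chronyd has a single upstream and no way to detect a falseticker or a spoofed reply — it follows whatever that one source says. List at least three or four independent sources so the selection algorithm can outvote a bad one, and add the `nts` option on any source that supports it so replies are authenticated. The `# HE` comment says who, not why; a line like `# Upstream sources chosen for proximity to the NYC mesh; keep >=3 independent ones` would guide the next edit.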
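Review bot: `Allow restarting of bird` edits `/lib/systemd/system/bird.service` in place with `lineinfile`, and the chrony task does the same to `chrony.service`; those unit files belong to the Debian packages and are overwritten on upgrade, so the change silently disappears. A drop-in is the supported route: write a `[Service]` / `Restart=always` snippet to `/etc/systemd/system/bird.service.d/override.conf` (and the chrony equivalent) with `ansible.builtin.copy` and `content:`, then reload the daemon. The bird task also lacks the `insertafter: '\[Service\]'` the chrony one has, so if the unit has no `Restart=` line yet the new line lands at end of file under `[Install]`, where it is ignored. The third hunk then drops `daemon_reload: true` from `Reload bird` even though the unit was just edited above it, so the new `Restart=` setting is not picked up until the next daemon-reload. In the second hunk, `Chrony config` and `Chrony sources` write into `/etc/chrony` without `mode`/`owner`; an explicit `mode: "0644"` like the bird template's `mode` keeps the result independent of the controller's umask.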
@@ -0,0 +1,53 @@ +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usable directives. + +# Include configuration files found in /etc/chrony/conf.d. +confdir /etc/chrony/conf.d + +# Use Debian vendor zone. +pool 2.debian.pool.ntp.org iburst + +# Use NTP sources found in /etc/chrony/sources.d. +sourcedir /etc/chrony/sources.d + +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. +keyfile /etc/chrony/chrony.keys + +# This directive specify the file into which chronyd will store the rate +# information. +driftfile /var/lib/chrony/chrony.drift + +# Save NTS keys and cookies. +ntsdumpdir /var/lib/chrony + +# Uncomment the following line to turn logging on. +#log tracking measurements statistics + +# Log files location. +logdir /var/log/chrony + +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 + +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can't be used along with the 'rtcfile' directive. +rtcsync + +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, but only in the first three clock updates. +makestep 1 3 + +# Get TAI-UTC offset and leap seconds from the system tz database. +# This directive must be commented out when using time sources serving +# leap-smeared time. +leapsectz right/UTC + +# Operate as an NTP server for the mesh +allow 10.0.0.0/8 +allow 23.158.16.0/24 +allow 199.167.59.0/24 +allow 199.170.132.0/24 +allow 208.68.5.0/24 + +bindaddress {{ NTP_IP }} From 874e9e2ce8b327cbc5adf041c1a36f3b3e478bf9 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 23:15:40 -0500 Subject: [PATCH 07/60] chrony --- ansible/chrony_server/tasks/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml index 579764f..3feb411 100644 
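Review bot: The `allow` lines make this a server for `10.0.0.0/8` and four public /24s, but there is no `ratelimit` directive, so a client — or traffic with a spoofed source inside those ranges — can draw response traffic without limit; `ratelimit interval 3 burst 8` (the values chrony.conf(5) uses as its example) is the usual mitigation for a shared NTP server. `bindaddress {{ NTP_IP }}` binds only the server socket, so outgoing client queries still leave from the management address; if all NTP traffic is meant to use the service address, `bindacqaddress {{ NTP_IP }}` is the companion directive. A comment on the `allow` block naming what each public /24 is would make the list reviewable when it changes.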
--- a/ansible/chrony_server/tasks/main.yaml +++ b/ansible/chrony_server/tasks/main.yaml @@ -79,10 +79,10 @@ src: ../files/sources.list dest: /etc/chrony/sources.d/configured_servers.list -- name: Reload chrony +- name: Restart chrony ansible.builtin.systemd_service: name: chrony - state: reloaded + state: restarted enabled: true - name: Bird config From 9930e361eefab36f4f362d74d3d0425699979dd3 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 23:33:37 -0500 Subject: [PATCH 08/60] dd logs --- ansible/chrony_server/tasks/main.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml index 3feb411..0c59b5d 100644 --- a/ansible/chrony_server/tasks/main.yaml +++ b/ansible/chrony_server/tasks/main.yaml @@ -29,6 +29,12 @@ datadog_site: "{{ DATADOG_SITE }}" datadog_config: hostname: "{{ VM_HOSTNAME }}" + logs_enabled: true + datadog_additional_groups: "systemd-journal" + datadog_checks: + logs: + - type: journald + path: /bar/log/journal/ - name: Reload datadog ansible.builtin.systemd_service: From 745ec7949e8ed4255a0a2907fc1ea57ba9910086 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 23:34:11 -0500 Subject: [PATCH 09/60] dd logs --- ansible/chrony_server/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml index 0c59b5d..ab20b33 100644 --- a/ansible/chrony_server/tasks/main.yaml +++ b/ansible/chrony_server/tasks/main.yaml @@ -34,7 +34,7 @@ datadog_checks: logs: - type: journald - path: /bar/log/journal/ + path: /var/log/journal/ - name: Reload datadog ansible.builtin.systemd_service: From ac8cc09a726438c0bde975e213114e9c703bac37 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sat, 7 Dec 2024 23:45:17 -0500 Subject: [PATCH 10/60] dd logs --- ansible/chrony_server/tasks/main.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/chrony_server/tasks/main.yaml index ab20b33..06f9ac0 100644 --- a/ansible/chrony_server/tasks/main.yaml +++ b/ansible/chrony_server/tasks/main.yaml @@ -30,11 +30,11 @@ datadog_config: hostname: "{{ VM_HOSTNAME }}" logs_enabled: true - datadog_additional_groups: "systemd-journal" - datadog_checks: - logs: - - type: journald - path: /var/log/journal/ + datadog_additional_groups: "systemd-journal" + datadog_checks: + logs: + - type: journald + path: /var/log/journal/ - name: Reload datadog ansible.builtin.systemd_service: From e1da32cb6ba9f8be4310804ea741247f77acc1d6 Mon Sep 17 00:00:00 2001 From: james Date: Tue, 10 Dec 2024 20:59:54 -0500 Subject: [PATCH 11/60] role dir --- ansible/{ => roles}/chrony_server/files/sources.list | 0 ansible/{ => roles}/chrony_server/tasks/main.yaml | 0 ansible/{ => roles}/chrony_server/templates/bird.conf.j2 | 0 ansible/{ => roles}/chrony_server/templates/chrony.conf.j2 | 0 ansible/{ => roles}/chrony_server/templates/iptables.j2 | 0 .../{ => roles}/chrony_server/templates/netplan_dummy0.yaml.j2 | 0 .../{ => roles}/chrony_server/templates/netplan_dummy1.yaml.j2 | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename ansible/{ => roles}/chrony_server/files/sources.list (100%) rename ansible/{ => roles}/chrony_server/tasks/main.yaml (100%) rename ansible/{ => roles}/chrony_server/templates/bird.conf.j2 (100%) rename ansible/{ => roles}/chrony_server/templates/chrony.conf.j2 (100%) rename ansible/{ => roles}/chrony_server/templates/iptables.j2 (100%) rename ansible/{ => roles}/chrony_server/templates/netplan_dummy0.yaml.j2 (100%) rename ansible/{ => roles}/chrony_server/templates/netplan_dummy1.yaml.j2 (100%) diff --git a/ansible/chrony_server/files/sources.list b/ansible/roles/chrony_server/files/sources.list similarity index 100% rename from ansible/chrony_server/files/sources.list rename to ansible/roles/chrony_server/files/sources.list 
diff --git a/ansible/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml similarity index 100% rename from ansible/chrony_server/tasks/main.yaml rename to ansible/roles/chrony_server/tasks/main.yaml diff --git a/ansible/chrony_server/templates/bird.conf.j2 b/ansible/roles/chrony_server/templates/bird.conf.j2 similarity index 100% rename from ansible/chrony_server/templates/bird.conf.j2 rename to ansible/roles/chrony_server/templates/bird.conf.j2 diff --git a/ansible/chrony_server/templates/chrony.conf.j2 b/ansible/roles/chrony_server/templates/chrony.conf.j2 similarity index 100% rename from ansible/chrony_server/templates/chrony.conf.j2 rename to ansible/roles/chrony_server/templates/chrony.conf.j2 diff --git a/ansible/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2 similarity index 100% rename from ansible/chrony_server/templates/iptables.j2 rename to ansible/roles/chrony_server/templates/iptables.j2 diff --git a/ansible/chrony_server/templates/netplan_dummy0.yaml.j2 b/ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2 similarity index 100% rename from ansible/chrony_server/templates/netplan_dummy0.yaml.j2 rename to ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2 diff --git a/ansible/chrony_server/templates/netplan_dummy1.yaml.j2 b/ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2 similarity index 100% rename from ansible/chrony_server/templates/netplan_dummy1.yaml.j2 rename to ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2 From 3b6b6ed8f54587da25aadb4956675b8ab1b31d73 Mon Sep 17 00:00:00 2001 From: james Date: Wed, 11 Dec 2024 00:55:36 -0500 Subject: [PATCH 12/60] fix --- ansible/roles/chrony_server/tasks/main.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 06f9ac0..6d6e28e 100644 
--- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -32,9 +32,10 @@ logs_enabled: true datadog_additional_groups: "systemd-journal" datadog_checks: - logs: - - type: journald - path: /var/log/journal/ + journald: + logs: + - type: journald + path: /var/log/journal/ - name: Reload datadog ansible.builtin.systemd_service: From a0138f2d1e9e1e7660d3d9a1a1a9445a6dd8dba4 Mon Sep 17 00:00:00 2001 From: james Date: Wed, 11 Dec 2024 21:52:13 -0500 Subject: [PATCH 13/60] iptables --- .../chrony_server/templates/chrony.conf.j2 | 2 +- .../roles/chrony_server/templates/iptables.j2 | 21 +++++++++++++++++++ terraform/ansible.tf | 1 + 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/ansible/roles/chrony_server/templates/chrony.conf.j2 b/ansible/roles/chrony_server/templates/chrony.conf.j2 index 64aa6bb..18db21d 100644 --- a/ansible/roles/chrony_server/templates/chrony.conf.j2 +++ b/ansible/roles/chrony_server/templates/chrony.conf.j2 @@ -5,7 +5,7 @@ confdir /etc/chrony/conf.d # Use Debian vendor zone. -pool 2.debian.pool.ntp.org iburst +#pool 2.debian.pool.ntp.org iburst # Use NTP sources found in /etc/chrony/sources.d. sourcedir /etc/chrony/sources.d diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2 index e69de29..477ef36 100644 --- a/ansible/roles/chrony_server/templates/iptables.j2 +++ b/ansible/roles/chrony_server/templates/iptables.j2 
@@ -0,0 +1,21 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Allow ICMP traffic from Mesh
+-A INPUT -p icmp -s 10.0.0.0/8 -j ACCEPT
+-A INPUT -p icmp -s 23.158.16.0/24 -j ACCEPT
+-A INPUT -p icmp -s 199.167.59.0/24 -j ACCEPT
+-A INPUT -p icmp -s 199.170.132.0/24 -j ACCEPT
+-A INPUT -p icmp -s 208.68.5.0/24 -j ACCEPT
+
+# Allow SSH to the mgt address only
+-A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -j DROP
+
+# Allow NTP traffic
+-A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
+-A INPUT -d {{ NTP_IP }}/32 -j DROP
+
+COMMIT
diff --git a/terraform/ansible.tf b/terraform/ansible.tf
index 1acc63c..27c3d05 100644
--- a/terraform/ansible.tf
+++ b/terraform/ansible.tf
@@ -11,6 +11,7 @@ resource "ansible_group" "ntp_mgt_group" {
     BIRD_NETWORK = var.bird_network
     BIRD_NEIGHBOR = var.bird_neighbor
     NTP_IP = var.ntp_ip
+    INTERNAL_NETWORK_RANGE = var.internal_host_identifier
   }
 }
From 246f4f780f0095d76b250a0e97f5e9338da8c1bd Mon Sep 17 00:00:00 2001
From: james
Date: Wed, 11 Dec 2024 22:09:37 -0500
Subject: [PATCH 14/60] iptables

---
 ansible/roles/chrony_server/templates/iptables.j2 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2
index 477ef36..5d35347 100644
--- a/ansible/roles/chrony_server/templates/iptables.j2
+++ b/ansible/roles/chrony_server/templates/iptables.j2
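Review bot: The catch-all `-A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -j DROP` discards everything addressed to the management IP except new SSH, which includes replies to the host's own outbound sessions (apt, upstream NTP sources, the Datadog agent) whenever they are sourced from that address, and there is no loopback accept at all. Add `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of the per-address DROPs; once those exist the chain can use `:INPUT DROP [0:0]` instead of per-destination DROPs under an ACCEPT default, which today leaves any other address on the host wide open. `INTERNAL_NETWORK_RANGE` is fed from `var.internal_host_identifier` in the terraform hunk below, so if that is a /32 host mask the name is misleading, and if it is a wider prefix the SSH rule admits more than this host. Only `rules.v4` is managed here; if IPv6 is enabled on the VM it is unfiltered.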
@@ -16,6 +16,11 @@
 
 # Allow NTP traffic
 -A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
--A INPUT -d {{ NTP_IP }}/32 -j DROP
+-A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
+#-A INPUT -d {{ NTP_IP }}/32 -j DROP
+
+-A FORWARD -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
+-A FORWARD -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
+#-A FORWARD -d {{ NTP_IP }}/32 -j DROP
 
 COMMIT
From 3a52fac04937f5d3b7071f5c474c19b93ae1abaa Mon Sep 17 00:00:00 2001
From: james
Date: Thu, 12 Dec 2024 00:23:52 -0500
Subject: [PATCH 15/60] lint

---
 .github/workflows/ansible_lint.yaml         | 16 +++++++++++++++
 ansible/ntp_servers.yaml                    |  3 ++-
 ansible/roles/chrony_server/tasks/main.yaml | 22 ++++++++++++---------
 ansible/roles/requirements.yml              |  4 ++++
 4 files changed, 35 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/ansible_lint.yaml
 create mode 100644 ansible/roles/requirements.yml

diff --git a/.github/workflows/ansible_lint.yaml b/.github/workflows/ansible_lint.yaml
new file mode 100644
index 0000000..627c19e
--- /dev/null
+++ b/.github/workflows/ansible_lint.yaml
@@ -0,0 +1,16 @@
+name: ansible-lint
+on:
+  pull_request:
+jobs:
+  build:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@c629b235398065e24ff44b5f1138028642c74a03
+        with:
+          args: ""
+          setup_python: "true"
+          working_directory: "./ansible/"
+          requirements_file: ""
diff --git a/ansible/ntp_servers.yaml b/ansible/ntp_servers.yaml
index 6f38875..08bebdf 100644
--- a/ansible/ntp_servers.yaml
+++ b/ansible/ntp_servers.yaml
@@ -1,4 +1,5 @@
-- hosts: ntp_mgt
+- name: NTP Servers
+  hosts: ntp_mgt
   become: true
   roles:
     - role: chrony_server
diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml
index 6d6e28e..06c0958 100644
--- a/ansible/roles/chrony_server/tasks/main.yaml
+++ b/ansible/roles/chrony_server/tasks/main.yaml
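Review bot: Commenting out `-A INPUT -d {{ NTP_IP }}/32 -j DROP` leaves the NTP address with no restriction at all, since the chain policy is `ACCEPT`; if the DROP broke something, the missing piece is almost certainly an `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule ahead of it rather than the DROP itself. The new `-p tcp --dport 123` rules open a port chronyd does not listen on (NTP is UDP-only; NTS-KE uses TCP 4460), so I'd drop them unless something else is bound there. The FORWARD rules only matter if this host routes traffic for other machines; if it does not, `:FORWARD DROP [0:0]` is the safer default.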
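Review bot: `actions/checkout@v4` is pinned to a mutable tag while `ansible/ansible-lint` on the next step is pinned to a commit SHA; pin checkout to a full SHA as well, e.g. `- uses: actions/checkout@<sha> # v4`, so a moved tag cannot change what the workflow runs. The workflow also sets no `permissions:` block, so the job token gets whatever the repository's default scope is; `permissions:` with `contents: read` is all a lint job needs. With `requirements_file: ""` no collections are installed for the lint run, so any collection roles the playbook imports will be unresolved rather than linted.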
@@ -44,26 +44,28 @@
     enabled: true
     daemon_reload: true
 
-- name: dummy0 interface
+- name: Netplan dummy0 interface
   ansible.builtin.template:
-    src: ../templates/netplan_dummy0.yaml.j2
+    src: netplan_dummy0.yaml.j2
     dest: /etc/netplan/dummy0.yaml
     mode: "600"
 
-- name: dummy1 interface
+- name: Netplan dummy1 interface
   ansible.builtin.template:
-    src: ../templates/netplan_dummy1.yaml.j2
+    src: netplan_dummy1.yaml.j2
     dest: /etc/netplan/dummy1.yaml
     mode: "600"
 
 - name: Iptables rules
   ansible.builtin.template:
-    src: ../templates/iptables.j2
+    src: iptables.j2
     dest: /etc/iptables/rules.v4
+    mode: "600"
 
 - name: Restore iptables rules
   ansible.builtin.command:
     cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4'"
+    creates: /tmp/fake_for_linter
 
 - name: Netplan apply
   ansible.builtin.command:
@@ -75,16 +77,18 @@
     name: netfilter-persistent
     state: restarted
     enabled: true
-    
+
 - name: Chrony config
   ansible.builtin.template:
-    src: ../templates/chrony.conf.j2
+    src: chrony.conf.j2
     dest: /etc/chrony/chrony.conf
+    mode: "0644"
 
 - name: Chrony sources
   ansible.builtin.copy:
-    src: ../files/sources.list
+    src: sources.list
     dest: /etc/chrony/sources.d/configured_servers.list
+    mode: "0644"
 
 - name: Restart chrony
   ansible.builtin.systemd_service:
@@ -94,7 +98,7 @@
 
 - name: Bird config
   ansible.builtin.template:
-    src: ../templates/bird.conf.j2
+    src: bird.conf.j2
     dest: /etc/bird/bird.conf
     mode: "640"
     owner: "bird"
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
new file mode 100644
index 0000000..e66e72c
--- /dev/null
+++ b/ansible/roles/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+  - name: datadog.dd
+    version: 5.8.0
From eb6f0c1a02bf9d37104a1bdad1375aae7789a6a6 Mon Sep 17 00:00:00 2001
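Review bot: `creates: /tmp/fake_for_linter` on `Restore iptables rules` is not a harmless lint pacifier: Ansible skips the task whenever that path exists, and `/tmp` is world-writable, so any local user (or a stray file) can `touch /tmp/fake_for_linter` and silently stop the firewall rules from being applied on the next run. Use `changed_when: false` to satisfy `no-changed-when`, or better, replace the shell pipeline with `community.general.iptables_state` (`state: restored`, `path: /etc/iptables/rules.v4`), which is idempotent and has a rollback timeout. If the `Netplan apply` task that follows this hunk gates on a `/tmp` marker the same way, it has the same problem.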
From: james Date: Thu, 12 Dec 2024 00:25:38 -0500 Subject: [PATCH 16/60] mgt --- ansible/roles/chrony_server/files/sources.list | 2 ++ ansible/roles/chrony_server/templates/bird.conf.j2 | 2 ++ ansible/roles/chrony_server/templates/chrony.conf.j2 | 2 ++ ansible/roles/chrony_server/templates/iptables.j2 | 2 ++ 4 files changed, 8 insertions(+) diff --git a/ansible/roles/chrony_server/files/sources.list b/ansible/roles/chrony_server/files/sources.list index daa60ca..6a36342 100644 --- a/ansible/roles/chrony_server/files/sources.list +++ b/ansible/roles/chrony_server/files/sources.list @@ -1,2 +1,4 @@ +# Managed by ansible + # HE server clock.nyc.he.net iburst diff --git a/ansible/roles/chrony_server/templates/bird.conf.j2 b/ansible/roles/chrony_server/templates/bird.conf.j2 index 82d9223..e20c676 100644 --- a/ansible/roles/chrony_server/templates/bird.conf.j2 +++ b/ansible/roles/chrony_server/templates/bird.conf.j2 @@ -1,3 +1,5 @@ +# Managed by ansible + # This is a basic configuration file, which contains boilerplate options and # some basic examples. It allows the BIRD daemon to start but will not cause # anything else to happen. diff --git a/ansible/roles/chrony_server/templates/chrony.conf.j2 b/ansible/roles/chrony_server/templates/chrony.conf.j2 index 18db21d..aba9602 100644 --- a/ansible/roles/chrony_server/templates/chrony.conf.j2 +++ b/ansible/roles/chrony_server/templates/chrony.conf.j2 @@ -1,3 +1,5 @@ +# Managed by ansible + # Welcome to the chrony configuration file. See chrony.conf(5) for more # information about usable directives. diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2 index 5d35347..9ac456d 100644 --- a/ansible/roles/chrony_server/templates/iptables.j2 +++ b/ansible/roles/chrony_server/templates/iptables.j2 @@ -1,3 +1,5 @@ +# Managed by ansible + *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] From 8bf48fdc74b138b04efed9d52a71903003580d48 Mon Sep 17 00:00:00 2001 
From: james
Date: Thu, 12 Dec 2024 23:02:39 -0500
Subject: [PATCH 17/60] iptables

---
 ansible/roles/chrony_server/templates/iptables.j2 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2
index 9ac456d..8266635 100644
--- a/ansible/roles/chrony_server/templates/iptables.j2
+++ b/ansible/roles/chrony_server/templates/iptables.j2
@@ -14,12 +14,11 @@
 
 # Allow SSH to the mgt address only
 -A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -p tcp -m tcp --dport 22 -j ACCEPT
--A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -j DROP
 
 # Allow NTP traffic
 -A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
-#-A INPUT -d {{ NTP_IP }}/32 -j DROP
+-A INPUT -d {{ NTP_IP }}/32 -j DROP
 
 -A FORWARD -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
 -A FORWARD -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
From 30d67bc29d44badac90ff1265bb596f9478950fe Mon Sep 17 00:00:00 2001
From: james
Date: Thu, 12 Dec 2024 23:20:44 -0500
Subject: [PATCH 18/60] boot

---
 terraform/vm.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/vm.tf b/terraform/vm.tf
index 38e1bb2..ff18baa 100644
--- a/terraform/vm.tf
+++ b/terraform/vm.tf
@@ -8,6 +8,7 @@ resource "proxmox_vm_qemu" "ntp_server" {
   cores = 1
   sockets = 1
   memory = 1024
+  onboot = true
   os_type = "cloud-init"
   agent = 1
   cloudinit_cdrom_storage = var.proxmox_storage_location
From 2448a5030386e2939d986e6e54b88c7bcddeeaef Mon Sep 17 00:00:00 2001
From: james
Date: Thu, 12 Dec 2024 23:52:04 -0500
Subject: [PATCH 19/60] sources

---
 .../files/{sources.list => configured_servers.sources} | 0
 ansible/roles/chrony_server/tasks/main.yaml            | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename ansible/roles/chrony_server/files/{sources.list => configured_servers.sources} (100%)
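Review bot: With `-A INPUT -d {{ inventory_hostname }}/{{ INTERNAL_NETWORK_RANGE }} -j DROP` deleted, nothing restricts traffic to the management address any more (the chain policy is `ACCEPT`), so the comment `# Allow SSH to the mgt address only` above the surviving rule is now false. If the DROP was removed because it broke return traffic for the host's own connections, the fix is to keep it and add `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of it; otherwise reword the comment so the next reader doesn't assume the management address is locked down. Re-enabling `-A INPUT -d {{ NTP_IP }}/32 -j DROP` is the right direction and will need the same conntrack rule if the NTP address is ever used as a source for outbound sessions.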
diff --git a/ansible/roles/chrony_server/files/sources.list b/ansible/roles/chrony_server/files/configured_servers.sources similarity index 100% rename from ansible/roles/chrony_server/files/sources.list rename to ansible/roles/chrony_server/files/configured_servers.sources diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 06c0958..8083e6e 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -86,8 +86,8 @@ - name: Chrony sources ansible.builtin.copy: - src: sources.list - dest: /etc/chrony/sources.d/configured_servers.list + src: configured_servers.sources + dest: /etc/chrony/sources.d/configured_servers.sources mode: "0644" - name: Restart chrony From ed44097fa94eefb428d30d9754cacf20856794f4 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 18 Dec 2024 21:28:49 -0500 Subject: [PATCH 20/60] sn10 --- .github/workflows/deploy.yaml | 9 +++++++++ ansible/roles/chrony_server/templates/iptables.j2 | 2 ++ terraform/prod2.tfvars | 10 ++++++++++ 3 files changed, 21 insertions(+) create mode 100644 terraform/prod2.tfvars diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index a6af5fc..ffa9af2 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -11,10 +11,19 @@ on: - main jobs: + deploy_prod2: + name: Deploy prod2 + uses: ./.github/workflows/deploy_ntp.yaml + with: + environment: prod2 + secrets: inherit + #if: github.ref == 'refs/heads/main' + deploy_prod3: name: Deploy prod3 uses: ./.github/workflows/deploy_ntp.yaml with: environment: prod3 secrets: inherit + needs: deploy_prod2 #if: github.ref == 'refs/heads/main' diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2 index 8266635..91022f6 100644 --- a/ansible/roles/chrony_server/templates/iptables.j2 +++ b/ansible/roles/chrony_server/templates/iptables.j2 
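Review bot: Both `deploy_prod2` and `deploy_prod3` keep `#if: github.ref == 'refs/heads/main'` commented out, so every push that matches the workflow's trigger — which earlier in this series includes a feature branch — deploys to production with `secrets: inherit`. Restore the guard, `if: github.ref == 'refs/heads/main'`, before adding more environments, or remove the feature branch from `on.push.branches`. `needs: deploy_prod2` also means a prod2 failure blocks prod3; if that is meant as a canary, a one-line comment saying so would help.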
@@ -18,6 +18,8 @@
 # Allow NTP traffic
 -A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
+-A INPUT -d {{ NTP_IP }}/32 -p udp -m upd --dport 4460 -j ACCEPT
+-A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 4460 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -j DROP
 
 -A FORWARD -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
diff --git a/terraform/prod2.tfvars b/terraform/prod2.tfvars
new file mode 100644
index 0000000..81b1f88
--- /dev/null
+++ b/terraform/prod2.tfvars
@@ -0,0 +1,10 @@
+proxmox_node = "nycmesh-10-r630-01"
+proxmox_storage_location = "local-lvm"
+vm_nic = "vmbr1"
+hostname = "nycmesh-10-ntp-2"
+vm_mgt_ip = "10.70.100.58"
+vm_mgt_default_gateway = "10.70.100.1"
+router_id = "10.70.100.59"
+bird_neighbor = "10.69.0.10"
+bird_network = "10.69.0.0/16"
+ntp_ip = "10.70.90.123"
From 62ee1bc2a508a40909a34a44ae9066181055011b Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 18 Dec 2024 22:03:11 -0500
Subject: [PATCH 21/60] fix

---
 ansible/roles/chrony_server/templates/iptables.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/chrony_server/templates/iptables.j2 b/ansible/roles/chrony_server/templates/iptables.j2
index 91022f6..bd5f500 100644
--- a/ansible/roles/chrony_server/templates/iptables.j2
+++ b/ansible/roles/chrony_server/templates/iptables.j2
@@ -18,7 +18,7 @@
 # Allow NTP traffic
 -A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 123 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 123 -j ACCEPT
--A INPUT -d {{ NTP_IP }}/32 -p udp -m upd --dport 4460 -j ACCEPT
+-A INPUT -d {{ NTP_IP }}/32 -p udp -m udp --dport 4460 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -p tcp -m tcp --dport 4460 -j ACCEPT
 -A INPUT -d {{ NTP_IP }}/32 -j DROP
 
From 0cb8cd745925d992ee66c917ee39098c2f034498 Mon Sep 17 00:00:00 2001
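Review bot: NTS-KE (RFC 8915) is TCP-only, so `-A INPUT -d {{ NTP_IP }}/32 -p udp -m upd --dport 4460 -j ACCEPT` permits a port nothing listens on (and `-m upd` is not a valid match name, so `iptables-restore` rejects the whole ruleset); keep only the TCP 4460 rule. A 4460 rule is only useful once chrony is configured as an NTS server (`ntsservercert`/`ntsserverkey` plus a certificate valid for the name clients use), which I don't see in this chunk; if that isn't in place yet the rule can wait. `prod2.tfvars` sets `ntp_ip = "10.70.90.123"`, the same value prod3 uses, which reads as an intentional OSPF anycast address — a comment in the tfvars saying so would stop someone "fixing" it.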
From: james-otten
Date: Wed, 18 Dec 2024 23:59:56 -0500
Subject: [PATCH 22/60] deps

---
 ansible/roles/chrony_server/files/bird.service | 17 +++++++++++++++
 ansible/roles/chrony_server/tasks/main.yaml    | 10 +++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 ansible/roles/chrony_server/files/bird.service

diff --git a/ansible/roles/chrony_server/files/bird.service b/ansible/roles/chrony_server/files/bird.service
new file mode 100644
index 0000000..6fbd44c
--- /dev/null
+++ b/ansible/roles/chrony_server/files/bird.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=BIRD Internet Routing Daemon
+# Bind to and start after chrony so that the IP is only announced when chrony is running
+#After=network.target
+After=network.target,chrony.service
+BindsTo=chrony.service
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -p
+ExecReload=/usr/sbin/birdc configure
+ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml
index 8083e6e..78b0e2c 100644
--- a/ansible/roles/chrony_server/tasks/main.yaml
+++ b/ansible/roles/chrony_server/tasks/main.yaml
@@ -8,11 +8,11 @@
       - bird2
       - chrony
 
-- name: Allow restarting of bird
-  ansible.builtin.lineinfile:
-    path: /lib/systemd/system/bird.service
-    search_string: Restart=
-    line: "Restart=always"
+- name: Bird systemd unit
+  ansible.builtin.copy:
+    src: bird.service
+    dest: /lib/systemd/system/bird.service
+    mode: "0644"
 
 - name: Allow restarting of chrony
   ansible.builtin.lineinfile:
From 42aca5c337df9ec0d6991d6ba5607ec42106507c Mon Sep 17 00:00:00 2001
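Review bot: `After=network.target,chrony.service` is wrong — systemd unit lists are space-separated, so this is parsed as one nonexistent unit named `network.target,chrony.service` and the intended ordering against chrony is lost (only `BindsTo=` still takes effect); it should read `After=network.target chrony.service`. Copying the unit to `/lib/systemd/system/bird.service` overwrites the file owned by the `bird2` package and will be reverted by the next package upgrade; install it at `/etc/systemd/system/bird.service` or, better, keep the packaged unit and ship a drop-in at `/etc/systemd/system/bird.service.d/chrony.conf` holding just `[Unit]` with `After=chrony.service` and `BindsTo=chrony.service`, and `[Service]` with `Restart=always`. Either way the copy needs a `daemon_reload` before bird is (re)started; whether the later systemd_service task does that is outside this hunk.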
From: james-otten Date: Wed, 25 Dec 2024 19:49:25 -0500 Subject: [PATCH 23/60] ssh --- .github/workflows/deploy_ntp.yaml | 2 +- .gitignore | 3 ++- ansible/roles/chrony_server/tasks/main.yaml | 4 ++++ ansible/roles/requirements.yml | 6 ++++++ 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index 93efb89..150890c 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -35,7 +35,7 @@ jobs: python-version: '3.11' - name: Setup ansible - run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform && ansible-galaxy collection install datadog.dd + run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requiremetns.yaml - name: Setup Terraform with specified version on the runner uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 diff --git a/.gitignore b/.gitignore index adbb97d..39ef9b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -data/ \ No newline at end of file +data/ +.vscode/ diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 78b0e2c..4fd7f9a 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -8,6 +8,10 @@ - bird2 - chrony +- name: Import the ssh_config role from the nycmesh.common collection + ansible.builtin.import_role: + name: nycmesh.common.ssh_config + - name: Bird systemd unit ansible.builtin.copy: src: bird.service diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index e66e72c..a72af73 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml 
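Review bot: `pip install ansible` installs whatever the latest ansible release is at deploy time into a pipeline that then runs as root on the NTP hosts; pin it (`pip install ansible==<version>`, ideally from a hash-pinned requirements file) the way the terraform action below is pinned to a SHA. `export PATH="$HOME/.local/bin:$PATH"` only lasts for this `run:` step, so later steps that call `ansible-playbook` rely on pip's install location already being on `PATH`; writing the directory to `$GITHUB_PATH` is the durable way to extend it.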
@@ -2,3 +2,9 @@
 collections:
   - name: datadog.dd
     version: 5.8.0
+  - name: cloud.terraform
+    version: 3.0.0
+  - name: nycmesh.common
+    source: git+https://github.com/nycmeshnet/nycmesh-ansible.git
+    type: git
+    version: james/init
From af837dbd903112b07b37f0705dba550f77ee8339 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 25 Dec 2024 19:51:06 -0500
Subject: [PATCH 24/60] spell

---
 .github/workflows/deploy_ntp.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml
index 150890c..0ba0e9a 100644
--- a/.github/workflows/deploy_ntp.yaml
+++ b/.github/workflows/deploy_ntp.yaml
@@ -35,7 +35,7 @@ jobs:
           python-version: '3.11'
 
       - name: Setup ansible
-        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requiremetns.yaml
+        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yaml
 
       - name: Setup Terraform with specified version on the runner
         uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3
From 62e167580610a91f9e62c1a7fddacb584741e722 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 25 Dec 2024 19:54:21 -0500
Subject: [PATCH 25/60] ahh

---
 .github/workflows/deploy_ntp.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml
index 0ba0e9a..6bf09f0 100644
--- a/.github/workflows/deploy_ntp.yaml
+++ b/.github/workflows/deploy_ntp.yaml
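Review bot: `nycmesh.common` is installed from `git+https://github.com/nycmeshnet/nycmesh-ansible.git` at `version: james/init`, a mutable branch: whoever can push to that branch (or compromises that repository) controls roles that run as root on every deploy, and two deploys of the same commit of this repo can produce different hosts. Pin `version:` to a tag or full commit SHA and bump it deliberately, and consider locking `cloud.terraform` and `datadog.dd` the same way (`ansible-galaxy collection install --require-signed` where the source supports it). If a branch is needed during development, keep that requirements file out of the workflow that deploys prod.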
@@ -35,7 +35,7 @@ jobs: python-version: '3.11' - name: Setup ansible - run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yaml + run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml - name: Setup Terraform with specified version on the runner uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 From 59aba995c1f6443040ff8b1b6671d5dc8d5db013 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 25 Dec 2024 20:47:58 -0500 Subject: [PATCH 26/60] mesh_dns --- ansible/roles/chrony_server/tasks/main.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 4fd7f9a..47b7dcc 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -12,6 +12,10 @@ ansible.builtin.import_role: name: nycmesh.common.ssh_config +- name: Import the mesh_dns role from the nycmesh.common collection + ansible.builtin.import_role: + name: nycmesh.common.mesh_dns + - name: Bird systemd unit ansible.builtin.copy: src: bird.service From d6fd17d71febd29dfcf70157e27fd61320a89017 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 25 Dec 2024 23:01:18 -0500 Subject: [PATCH 27/60] mesh_dns --- ansible/roles/chrony_server/tasks/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 47b7dcc..3ed56b8 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -15,6 +15,8 @@ - name: Import the mesh_dns role from the nycmesh.common collection ansible.builtin.import_role: name: nycmesh.common.mesh_dns + vars: + extra_resolvers: "9.9.9.9" - name: Bird systemd unit ansible.builtin.copy: 
From 861390d36a02c417b3631e3426076eedce63badb Mon Sep 17 00:00:00 2001
From: james-otten
Date: Thu, 26 Dec 2024 00:01:35 -0500
Subject: [PATCH 28/60] branch + support

---
 ansible/roles/chrony_server/tasks/main.yaml | 4 ++++
 ansible/roles/requirements.yml              | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml
index 3ed56b8..416e871 100644
--- a/ansible/roles/chrony_server/tasks/main.yaml
+++ b/ansible/roles/chrony_server/tasks/main.yaml
@@ -18,6 +18,10 @@
     vars:
       extra_resolvers: "9.9.9.9"
 
+- name: Import the support_account role from the nycmesh.common collection
+  ansible.builtin.import_role:
+    name: nycmesh.common.support_account
+
 - name: Bird systemd unit
   ansible.builtin.copy:
     src: bird.service
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index a72af73..ae2158b 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@@ -7,4 +7,4 @@ collections:
   - name: nycmesh.common
     source: git+https://github.com/nycmeshnet/nycmesh-ansible.git
     type: git
-    version: james/init
+    version: main
From 379fd3f2f208a270e6437105fd8f57c7d0d4e420 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Thu, 26 Dec 2024 00:05:59 -0500
Subject: [PATCH 29/60] branch + support

---
 terraform/ansible.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/ansible.tf b/terraform/ansible.tf
index 27c3d05..4a1b882 100644
--- a/terraform/ansible.tf
+++ b/terraform/ansible.tf
@@ -12,6 +12,7 @@ resource "ansible_group" "ntp_mgt_group" {
     BIRD_NEIGHBOR = var.bird_neighbor
     NTP_IP = var.ntp_ip
     INTERNAL_NETWORK_RANGE = var.internal_host_identifier
+    local_password = var.local_password
   }
 }
From 086dc9169dc949a4f9e18f0745c68d51150c54a6 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Thu, 26 Dec 2024 00:08:53 -0500
Subject: [PATCH 30/60] branch + support

---
 .github/workflows/deploy_ntp.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
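Review bot: `local_password = var.local_password` puts the support account's password into the `ansible_group` resource's variables, so it is stored in plaintext in the terraform state and handed to ansible as an ordinary inventory variable that will appear in `-v` output and any shipped logs unless the consuming role uses `no_log`. Declare the variable with `sensitive = true` in `vars.tf` (not in view here) and verify that the `support_account` role hashes it with `no_log: true` on the task; preferably pass a pre-hashed value so the plaintext never leaves the secret store. The enclosing `variables` map starts before this hunk.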
diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml
index 6bf09f0..cf1efbf 100644
--- a/.github/workflows/deploy_ntp.yaml
+++ b/.github/workflows/deploy_ntp.yaml
@@ -35,7 +35,7 @@ jobs:
           python-version: '3.11'
 
       - name: Setup ansible
-        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml
+        run: pip install ansible passlib==1.7.4 && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml
 
       - name: Setup Terraform with specified version on the runner
         uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3
From 8d26c312c880055cf63d74d23df5a43e9e86b22c Mon Sep 17 00:00:00 2001
From: james-otten
Date: Sat, 28 Dec 2024 00:26:01 -0500
Subject: [PATCH 31/60] cf

---
 ansible/roles/chrony_server/files/configured_servers.sources | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/chrony_server/files/configured_servers.sources b/ansible/roles/chrony_server/files/configured_servers.sources
index 6a36342..d7f93f3 100644
--- a/ansible/roles/chrony_server/files/configured_servers.sources
+++ b/ansible/roles/chrony_server/files/configured_servers.sources
@@ -1,4 +1,4 @@
 # Managed by ansible
 
-# HE
-server clock.nyc.he.net iburst
+# Cloudflare NTS
+server time.cloudflare.com nts iburst
From 170cb7a5918860b0507e179a8cfb11b41e6eeca4 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Sun, 29 Dec 2024 19:11:24 -0500
Subject: [PATCH 32/60] netplan

---
 ansible/roles/chrony_server/tasks/main.yaml        | 31 +++++++++----------
 .../templates/netplan_dummy0.yaml.j2               |  9 ------
 .../templates/netplan_dummy1.yaml.j2               |  9 ------
 ansible/roles/requirements.yml                     |  2 +-
 4 files changed, 16 insertions(+), 35 deletions(-)
 delete mode 100644 ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2
 delete mode 100644 ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2
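Review bot: The sources file now lists a single upstream, `server time.cloudflare.com nts iburst`; chrony cannot detect a falseticker with one source and stops serving usable time (stratum 16) the moment that host or its NTS-KE endpoint is unreachable, which for an anycast mesh time server is a single point of failure. Add at least two more NTS-capable sources so the selection algorithm has a majority, and consider `minsources 2` plus a conservative `maxdistance` in `chrony.conf`. NTS certificate validation needs a roughly correct clock at boot; if these VMs cannot guarantee one, document how first sync is bootstrapped rather than reaching for `nocerttimecheck`.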
diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 416e871..3cf78d2 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -58,18 +58,6 @@ enabled: true daemon_reload: true -- name: Netplan dummy0 interface - ansible.builtin.template: - src: netplan_dummy0.yaml.j2 - dest: /etc/netplan/dummy0.yaml - mode: "600" - -- name: Netplan dummy1 interface - ansible.builtin.template: - src: netplan_dummy1.yaml.j2 - dest: /etc/netplan/dummy1.yaml - mode: "600" - - name: Iptables rules ansible.builtin.template: src: iptables.j2 @@ -81,10 +69,21 @@ cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4'" creates: /tmp/fake_for_linter -- name: Netplan apply - ansible.builtin.command: - cmd: "bash -c 'netplan apply && touch /tmp/netplan_applied'" - creates: /tmp/netplan_applied +- name: Cleanup old netplan file + ansible.builtin.file: + path: /etc/netplan/dummy0.yaml + state: "absent" + +- name: Cleanup old netplan file + ansible.builtin.file: + path: /etc/netplan/dummy1.yaml + state: "absent" + +- name: Import the netplan_loopback role from the nycmesh.common collection + ansible.builtin.import_role: + name: nycmesh.common.netplan_loopback + vars: + netplan_loopback_ips: "{{ NTP_IP }};{{ ROUTER_ID }}" - name: Restart and enable iptables service ansible.builtin.service: diff --git a/ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2 b/ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2 deleted file mode 100644 index ef1138a..0000000 --- a/ansible/roles/chrony_server/templates/netplan_dummy0.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - lo: - dhcp4: no - dhcp6: no - addresses: - - {{ NTP_IP }}/32 diff --git a/ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2 b/ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2 deleted file mode 100644 index 220d3bb..0000000 
--- a/ansible/roles/chrony_server/templates/netplan_dummy1.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -network: - version: 2 - renderer: networkd - ethernets: - lo: - dhcp4: no - dhcp6: no - addresses: - - {{ ROUTER_ID }}/32 diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index ae2158b..68d2967 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -7,4 +7,4 @@ collections: - name: nycmesh.common source: git+https://github.com/nycmeshnet/nycmesh-ansible.git type: git - version: main + version: james/netplan_loopback_ip From f65645ae2d9dfabdb222382bcdd66c9e02945e91 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 29 Dec 2024 20:09:14 -0500 Subject: [PATCH 33/60] netplan --- ansible/roles/.ansible-lint-ignore | 1 + ansible/roles/chrony_server/tasks/main.yaml | 11 ----------- ansible/roles/requirements.yml | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) create mode 100644 ansible/roles/.ansible-lint-ignore diff --git a/ansible/roles/.ansible-lint-ignore b/ansible/roles/.ansible-lint-ignore new file mode 100644 index 0000000..e97d651 --- /dev/null +++ b/ansible/roles/.ansible-lint-ignore @@ -0,0 +1 @@ +chrony_server/tasks/main.yml no-changed-when diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 3cf78d2..e216039 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -67,17 +67,6 @@ - name: Restore iptables rules ansible.builtin.command: cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4'" - creates: /tmp/fake_for_linter - -- name: Cleanup old netplan file - ansible.builtin.file: - path: /etc/netplan/dummy0.yaml - state: "absent" - -- name: Cleanup old netplan file - ansible.builtin.file: - path: /etc/netplan/dummy1.yaml - state: "absent" - name: Import the netplan_loopback role from the nycmesh.common collection ansible.builtin.import_role: 
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index 68d2967..ae2158b 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -7,4 +7,4 @@ collections: - name: nycmesh.common source: git+https://github.com/nycmeshnet/nycmesh-ansible.git type: git - version: james/netplan_loopback_ip + version: main From 30cf6ac3d1c5f86e322bbec5fc9782bd6e70d059 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 29 Dec 2024 20:11:00 -0500 Subject: [PATCH 34/60] netplan --- ansible/{roles => }/.ansible-lint-ignore | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ansible/{roles => }/.ansible-lint-ignore (100%) diff --git a/ansible/roles/.ansible-lint-ignore b/ansible/.ansible-lint-ignore similarity index 100% rename from ansible/roles/.ansible-lint-ignore rename to ansible/.ansible-lint-ignore From 23775d6d662dbf3f43ddb682e95fb25847922896 Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 29 Dec 2024 20:12:36 -0500 Subject: [PATCH 35/60] netplan --- ansible/.ansible-lint-ignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/.ansible-lint-ignore b/ansible/.ansible-lint-ignore index e97d651..d3af007 100644 --- a/ansible/.ansible-lint-ignore +++ b/ansible/.ansible-lint-ignore @@ -1 +1 @@ -chrony_server/tasks/main.yml no-changed-when +roles/chrony_server/tasks/main.yml no-changed-when From dad342cf909c9b81468eab5aa41817778e33a3fb Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 29 Dec 2024 20:15:38 -0500 Subject: [PATCH 36/60] netplan --- ansible/.ansible-lint-ignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/.ansible-lint-ignore b/ansible/.ansible-lint-ignore index d3af007..b0f1a48 100644 --- a/ansible/.ansible-lint-ignore +++ b/ansible/.ansible-lint-ignore @@ -1 +1 @@ -roles/chrony_server/tasks/main.yml no-changed-when +roles/chrony_server/tasks/main.yaml no-changed-when From 284b811d49940a72b9ba4875c76ed5381891b49f Mon Sep 17 00:00:00 2001 
From: james-otten Date: Fri, 10 Jan 2025 00:17:22 -0500 Subject: [PATCH 37/60] motd --- ansible/roles/chrony_server/tasks/main.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index e216039..6158e79 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -22,6 +22,12 @@ ansible.builtin.import_role: name: nycmesh.common.support_account +- name: Import the motd role from the nycmesh.common collection + ansible.builtin.import_role: + name: nycmesh.common.motd + vars: + github_repo: https://github.com/nycmeshnet/ntp-infra + - name: Bird systemd unit ansible.builtin.copy: src: bird.service From fc456652509258074f8f88426325bbdee8d877e5 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 15 Jan 2025 20:35:45 -0500 Subject: [PATCH 38/60] lint --- .github/workflows/ansible_lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ansible_lint.yaml b/.github/workflows/ansible_lint.yaml index 627c19e..6f02746 100644 --- a/.github/workflows/ansible_lint.yaml +++ b/.github/workflows/ansible_lint.yaml @@ -10,7 +10,7 @@ jobs: - name: Run ansible-lint uses: ansible/ansible-lint@c629b235398065e24ff44b5f1138028642c74a03 with: - args: "" + args: "--exclude .ansible/collections/" setup_python: "true" working_directory: "./ansible/" requirements_file: "" From 4a6b8a3b19e6a5ace70eea39e1c9ad335cf54d3f Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 22 Jan 2025 20:07:54 -0500 Subject: [PATCH 39/60] remove the bird_neighbor parameter due to broadcast mode per daniel --- ansible/roles/chrony_server/templates/bird.conf.j2 | 3 --- terraform/ansible.tf | 1 - terraform/prod2.tfvars | 1 - terraform/prod3.tfvars | 1 - terraform/vars.tf | 5 ----- 5 files changed, 11 deletions(-) 
diff --git a/ansible/roles/chrony_server/templates/bird.conf.j2 b/ansible/roles/chrony_server/templates/bird.conf.j2 index e20c676..d40438f 100644 --- a/ansible/roles/chrony_server/templates/bird.conf.j2 +++ b/ansible/roles/chrony_server/templates/bird.conf.j2 @@ -145,9 +145,6 @@ protocol ospf v2 { interface "eth*" { type broadcast; # Detected by default cost 10; # Interface metric - neighbors { - {{ BIRD_NEIGHBOR }}; - }; }; interface "lo" { cost 10; diff --git a/terraform/ansible.tf b/terraform/ansible.tf index 4a1b882..7a4e67f 100644 --- a/terraform/ansible.tf +++ b/terraform/ansible.tf @@ -9,7 +9,6 @@ resource "ansible_group" "ntp_mgt_group" { VM_HOSTNAME = var.hostname ROUTER_ID = var.router_id BIRD_NETWORK = var.bird_network - BIRD_NEIGHBOR = var.bird_neighbor NTP_IP = var.ntp_ip INTERNAL_NETWORK_RANGE = var.internal_host_identifier local_password = var.local_password diff --git a/terraform/prod2.tfvars b/terraform/prod2.tfvars index 81b1f88..1cebfcf 100644 --- a/terraform/prod2.tfvars +++ b/terraform/prod2.tfvars @@ -5,6 +5,5 @@ hostname = "nycmesh-10-ntp-2" vm_mgt_ip = "10.70.100.58" vm_mgt_default_gateway = "10.70.100.1" router_id = "10.70.100.59" -bird_neighbor = "10.69.0.10" bird_network = "10.69.0.0/16" ntp_ip = "10.70.90.123" diff --git a/terraform/prod3.tfvars b/terraform/prod3.tfvars index 5eadca1..ddbf2d3 100644 --- a/terraform/prod3.tfvars +++ b/terraform/prod3.tfvars @@ -4,6 +4,5 @@ hostname = "nycmesh-713-ntp-1" vm_mgt_ip = "10.70.90.54" vm_mgt_default_gateway = "10.70.90.1" router_id = "10.70.90.55" -bird_neighbor = "10.69.7.13" bird_network = "10.69.0.0/16" ntp_ip = "10.70.90.123" diff --git a/terraform/vars.tf b/terraform/vars.tf index 7e7ab5f..2fdb516 100644 --- a/terraform/vars.tf +++ b/terraform/vars.tf 
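Review bot: Removing the `neighbors { … }` list means any host on the `eth*` broadcast segment can now form an OSPF adjacency with this router, and nothing in the hunk authenticates the interface; an `import none` channel (if still present — the enclosing `protocol ospf v2` block starts outside the hunk) protects this router's own table but not the LSAs it floods to the rest of the mesh. If the upstream routers support it, add `authentication cryptographic;` and `password "{{ OSPF_PASSWORD }}" { algorithm hmac sha256; };` inside the `interface "eth*"` block, with the secret coming from a vaulted variable rather than a tfvars file. If unrestricted broadcast mode is a deliberate network-team decision, say so in place — `# neighbors intentionally unrestricted: broadcast mode, per network team` — so the next reader does not re-add the list.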
@@ -75,11 +75,6 @@ variable "router_id" { description = "IP to use for the router id" } -variable "bird_neighbor" { - type = string - description = "neighbor for the ospf router" -} - variable "bird_network" { type = string description = "ospf network" From f924906306a8db7de3b9b2a14309659b390510e7 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 22 Jan 2025 20:57:01 -0500 Subject: [PATCH 40/60] switch to shared role --- .../roles/chrony_server/files/bird.service | 17 -- ansible/roles/chrony_server/tasks/main.yaml | 23 +- .../chrony_server/templates/bird.conf.j2 | 228 ------------------ ansible/roles/requirements.yml | 2 +- terraform/ansible.tf | 4 +- 5 files changed, 6 insertions(+), 268 deletions(-) delete mode 100644 ansible/roles/chrony_server/files/bird.service delete mode 100644 ansible/roles/chrony_server/templates/bird.conf.j2 diff --git a/ansible/roles/chrony_server/files/bird.service b/ansible/roles/chrony_server/files/bird.service deleted file mode 100644 index 6fbd44c..0000000 --- a/ansible/roles/chrony_server/files/bird.service +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=BIRD Internet Routing Daemon -# Bind to and start after chrony so that the IP is only announced when chrony is running -#After=network.target -After=network.target,chrony.service -BindsTo=chrony.service - -[Service] -EnvironmentFile=/etc/bird/envvars -ExecStartPre=/usr/lib/bird/prepare-environment -ExecStartPre=/usr/sbin/bird -p -ExecReload=/usr/sbin/birdc configure -ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 6158e79..868d697 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -5,7 +5,6 @@ pkg: - ca-certificates - iptables-persistent - - bird2 - chrony - name: Import the ssh_config role from the nycmesh.common collection 
@@ -28,12 +27,6 @@ vars: github_repo: https://github.com/nycmeshnet/ntp-infra -- name: Bird systemd unit - ansible.builtin.copy: - src: bird.service - dest: /lib/systemd/system/bird.service - mode: "0644" - - name: Allow restarting of chrony ansible.builtin.lineinfile: path: /lib/systemd/system/chrony.service @@ -104,16 +97,6 @@ state: restarted enabled: true -- name: Bird config - ansible.builtin.template: - src: bird.conf.j2 - dest: /etc/bird/bird.conf - mode: "640" - owner: "bird" - group: "bird" - -- name: Reload bird - ansible.builtin.systemd_service: - name: bird - state: reloaded - enabled: true +- name: Import the bird_basic role from the nycmesh.common collection + ansible.builtin.import_role: + name: nycmesh.common.bird2_basic diff --git a/ansible/roles/chrony_server/templates/bird.conf.j2 b/ansible/roles/chrony_server/templates/bird.conf.j2 deleted file mode 100644 index d40438f..0000000 --- a/ansible/roles/chrony_server/templates/bird.conf.j2 +++ /dev/null 
@@ -1,228 +0,0 @@ -# Managed by ansible - -# This is a basic configuration file, which contains boilerplate options and -# some basic examples. It allows the BIRD daemon to start but will not cause -# anything else to happen. -# -# Please refer to the BIRD User's Guide documentation, which is also available -# online at http://bird.network.cz/ in HTML format, for more information on -# configuring BIRD and adding routing protocols. - -# Configure logging -log syslog all; -# log "/var/log/bird.log" { debug, trace, info, remote, warning, error, auth, fatal, bug }; - -# Set router ID. It is a unique identification of your router, usually one of -# IPv4 addresses of the router. It is recommended to configure it explicitly. -router id {{ ROUTER_ID }}; - -# Turn on global debugging of all protocols (all messages or just selected classes) -# debug protocols all; -# debug protocols { events, states }; - -# Turn on internal watchdog -# watchdog warning 5 s; -# watchdog timeout 30 s; - -# You can define your own constants -# define my_asn = 65000; -# define my_addr = 198.51.100.1; - -# Tables master4 and master6 are defined by default -# ipv4 table master4; -# ipv6 table master6; - -# Define more tables, e.g. for policy routing or as MRIB -# ipv4 table mrib4; -# ipv6 table mrib6; - -# The Device protocol is not a real routing protocol. It does not generate any -# routes and it only serves as a module for getting information about network -# interfaces from the kernel. It is necessary in almost any configuration. -protocol device { - scan time 10; -} - -# The direct protocol is not a real routing protocol. It automatically generates -# direct routes to all network interfaces. Can exist in as many instances as you -# wish if you want to populate multiple routing tables with direct routes. -protocol direct { - #disabled; # Disable by default - ipv4; # Connect to default IPv4 table - ipv6; # ... 
and to default IPv6 table -} - -# The Kernel protocol is not a real routing protocol. Instead of communicating -# with other routers in the network, it performs synchronization of BIRD -# routing tables with the OS kernel. One instance per table. -protocol kernel { - persist; - scan time 10; - ipv4 { # Connect protocol to IPv4 table by channel -# table master4; # Default IPv4 table is master4 - import all; # Import to table, default is import all - export all; # Export to protocol. default is export none - }; - learn; # Learn alien routes from the kernel -# kernel table 10; # Kernel table to synchronize with (default: main) -} - -# Another instance for IPv6, skipping default options -#protocol kernel { -# ipv6 { export all; }; -#} - -# Static routes (Again, there can be multiple instances, for different address -# families and to disable/enable various groups of static routes on the fly). -protocol static { - ipv4; # Again, IPv4 channel with default options - -# route 0.0.0.0/0 via 198.51.100.10; -# route 192.0.2.0/24 blackhole; -# route 10.0.0.0/8 unreachable; -# route 10.2.0.0/24 via "eth0"; -# # Static routes can be defined with optional attributes -# route 10.1.1.0/24 via 198.51.100.3 { rip_metric = 3; }; -# route 10.1.2.0/24 via 198.51.100.3 { ospf_metric1 = 100; }; -# route 10.1.3.0/24 via 198.51.100.4 { ospf_metric2 = 100; }; -} - -# Pipe protocol connects two routing tables. Beware of loops. 
-# protocol pipe { -# table master4; # No ipv4/ipv6 channel definition like in other protocols -# peer table mrib4; -# import all; # Direction peer table -> table -# export all; # Direction table -> peer table -# } - -# RIP example, both RIP and RIPng are supported -# protocol rip { -# ipv4 { -# # Export direct, static routes and ones from RIP itself -# import all; -# export where source ~ [ RTS_DEVICE, RTS_STATIC, RTS_RIP ]; -# }; -# interface "eth*" { -# update time 10; # Default period is 30 -# timeout time 60; # Default timeout is 180 -# authentication cryptographic; # No authentication by default -# password "hello" { algorithm hmac sha256; }; # Default is MD5 -# }; -# } - -# OSPF example, both OSPFv2 and OSPFv3 are supported -# protocol ospf v3 { -# ipv6 { -# import all; -# export where source = RTS_STATIC; -# }; -# area 0 { -# interface "eth*" { -# type broadcast; # Detected by default -# cost 10; # Interface metric -# hello 5; # Default hello perid 10 is too long -# }; -# interface "tun*" { -# type ptp; # PtP mode, avoids DR selection -# cost 100; # Interface metric -# hello 5; # Default hello perid 10 is too long -# }; -# interface "dummy0" { -# stub; # Stub interface, just propagate it -# }; -# }; -#} - -protocol ospf v2 { - ipv4 { - import none; - }; - area 0 { - default cost 10; - networks { - {{ BIRD_NETWORK }}; - }; - interface "eth*" { - type broadcast; # Detected by default - cost 10; # Interface metric - }; - interface "lo" { - cost 10; - }; - }; -} - -# Define simple filter as an example for BGP import filter -# See https://gitlab.labs.nic.cz/labs/bird/wikis/BGP_filtering for more examples -# filter rt_import -# { -# if bgp_path.first != 64496 then accept; -# if bgp_path.len > 64 then accept; -# if bgp_next_hop != from then accept; -# reject; -# } - -# BGP example, explicit name 'uplink1' is used instead of default 'bgp1' -# protocol bgp uplink1 { -# description "My BGP uplink"; -# local 198.51.100.1 as 65000; -# neighbor 198.51.100.10 as 64496; 
-# hold time 90; # Default is 240 -# password "secret"; # Password used for MD5 authentication -# -# ipv4 { # regular IPv4 unicast (1/1) -# import filter rt_import; -# export where source ~ [ RTS_STATIC, RTS_BGP ]; -# }; -# -# ipv6 { # regular IPv6 unicast (2/1) -# import filter rt_import; -# export filter { # The same as 'where' expression above -# if source ~ [ RTS_STATIC, RTS_BGP ] -# then accept; -# else reject; -# }; -# }; -# -# ipv4 multicast { # IPv4 multicast topology (1/2) -# table mrib4; # explicit IPv4 table -# import filter rt_import; -# export all; -# }; -# -# ipv6 multicast { # IPv6 multicast topology (2/2) -# table mrib6; # explicit IPv6 table -# import filter rt_import; -# export all; -# }; -#} - -# Template example. Using templates to define IBGP route reflector clients. -# template bgp rr_clients { -# local 10.0.0.1 as 65000; -# neighbor as 65000; -# rr client; -# rr cluster id 1.0.0.1; -# -# ipv4 { -# import all; -# export where source = RTS_BGP; -# }; -# -# ipv6 { -# import all; -# export where source = RTS_BGP; -# }; -# } -# -# protocol bgp client1 from rr_clients { -# neighbor 10.0.1.1; -# } -# -# protocol bgp client2 from rr_clients { -# neighbor 10.0.2.1; -# } -# -# protocol bgp client3 from rr_clients { -# neighbor 10.0.3.1; -# } diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index ae2158b..bcbe8c7 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -7,4 +7,4 @@ collections: - name: nycmesh.common source: git+https://github.com/nycmeshnet/nycmesh-ansible.git type: git - version: main + version: james/bird diff --git a/terraform/ansible.tf b/terraform/ansible.tf index 7a4e67f..09dbe45 100644 --- a/terraform/ansible.tf +++ b/terraform/ansible.tf 
@@ -7,8 +7,8 @@ resource "ansible_group" "ntp_mgt_group" { DATADOG_API_KEY = var.datadog_api_key DATADOG_SITE = var.datadog_site VM_HOSTNAME = var.hostname - ROUTER_ID = var.router_id - BIRD_NETWORK = var.bird_network + bird_router_id = var.router_id + bird_network = var.bird_network NTP_IP = var.ntp_ip INTERNAL_NETWORK_RANGE = var.internal_host_identifier local_password = var.local_password From 0308b40dae9d71504c48acd2c259474002f90dc4 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 22 Jan 2025 21:02:26 -0500 Subject: [PATCH 41/60] switch to shared role --- ansible/roles/chrony_server/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index 868d697..f8bb688 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -71,7 +71,7 @@ ansible.builtin.import_role: name: nycmesh.common.netplan_loopback vars: - netplan_loopback_ips: "{{ NTP_IP }};{{ ROUTER_ID }}" + netplan_loopback_ips: "{{ NTP_IP }};{{ bird_router_id }}" - name: Restart and enable iptables service ansible.builtin.service: From f5ebaa06ed4f2107b75bffa3119a6b2f986cc511 Mon Sep 17 00:00:00 2001 From: james-otten Date: Wed, 22 Jan 2025 21:58:03 -0500 Subject: [PATCH 42/60] bind bird to chrony --- ansible/roles/chrony_server/tasks/main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/chrony_server/tasks/main.yaml b/ansible/roles/chrony_server/tasks/main.yaml index f8bb688..3da6e7a 100644 --- a/ansible/roles/chrony_server/tasks/main.yaml +++ b/ansible/roles/chrony_server/tasks/main.yaml @@ -100,3 +100,5 @@ - name: Import the bird_basic role from the nycmesh.common collection ansible.builtin.import_role: name: nycmesh.common.bird2_basic + vars: + bird_binds_to_service: "chrony.service" From 11ec2655feea5f2d450ecceb1aa8d14d1c55a454 Mon Sep 17 00:00:00 2001 
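Review bot: `bird_binds_to_service: "chrony.service"` ties the anycast advertisement to chrony's process lifetime, but if the shared role implements it as a systemd `BindsTo=` (as the deleted `bird.service` did) the route stays advertised while chrony is running yet unsynchronised — right after boot before the NTS sources are reachable, for example. Consider gating bird on a health check such as `chronyc -c tracking` reporting a sane stratum and leap status, or at least record the gap next to the var: `# NOTE: only withdraws the anycast IP when chrony exits, not when it is unsynchronised`. The task name still says `bird_basic` while the role is `nycmesh.common.bird2_basic`; `- name: Import the bird2_basic role from the nycmesh.common collection` keeps them aligned.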
From: james-otten Date: Thu, 23 Jan 2025 20:39:51 -0500 Subject: [PATCH 43/60] cleanup --- ansible/roles/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index bcbe8c7..ae2158b 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml @@ -7,4 +7,4 @@ collections: - name: nycmesh.common source: git+https://github.com/nycmeshnet/nycmesh-ansible.git type: git - version: james/bird + version: main From 285768bd383b78f180e874667b48d346a730150d Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 9 Mar 2025 16:27:51 -0400 Subject: [PATCH 44/60] prod1 --- .github/workflows/deploy.yaml | 16 ++++++++++++---- terraform/prod1.tfvars | 9 +++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 terraform/prod1.tfvars diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index ffa9af2..9a2e8e5 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -11,6 +11,15 @@ on: - main jobs: + deploy_prod3: + name: Deploy prod3 + uses: ./.github/workflows/deploy_ntp.yaml + with: + environment: prod3 + secrets: inherit + needs: deploy_prod2 + #if: github.ref == 'refs/heads/main' + deploy_prod2: name: Deploy prod2 uses: ./.github/workflows/deploy_ntp.yaml @@ -19,11 +28,10 @@ jobs: secrets: inherit #if: github.ref == 'refs/heads/main' - deploy_prod3: - name: Deploy prod3 + deploy_prod1: + name: Deploy prod1 uses: ./.github/workflows/deploy_ntp.yaml with: - environment: prod3 + environment: prod1 secrets: inherit - needs: deploy_prod2 #if: github.ref == 'refs/heads/main' diff --git a/terraform/prod1.tfvars b/terraform/prod1.tfvars new file mode 100644 index 0000000..688da1d --- /dev/null +++ b/terraform/prod1.tfvars 
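Review bot: `version: main` pulls the `nycmesh.common` collection from a mutable branch at every deploy, so whatever is on that branch at run time executes as root on the production NTP hosts — the same class of risk this repo otherwise avoids by SHA-pinning its GitHub Actions. `ansible-galaxy` accepts a full commit hash for git sources, so pin it (`version: <40-hex-commit-sha>`) and bump it deliberately, with a trailing comment naming the upstream tag or date so reviewers can tell when the pin is stale. Branch refs like the `james/…` ones used earlier in this series are fine for a local experiment, but should not land on the branch that deploys to prod.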
@@ -0,0 +1,9 @@ +proxmox_node = "nycmesh-713-r640-02" +proxmox_storage_location = "local-lvm" +hostname = "nycmesh-713-ntp-3" +vm_mgt_ip = "10.70.90.204" +vm_nic = "vmbr0v32" +vm_mgt_default_gateway = "10.70.90.1" +router_id = "10.70.90.205" +bird_network = "10.69.0.0/16" +ntp_ip = "10.70.90.123" From 15c641e23bc0f10dc310f8882fceeea21dc28ffb Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 9 Mar 2025 17:17:30 -0400 Subject: [PATCH 45/60] add servers --- .github/workflows/deploy.yaml | 3 ++- ansible/roles/chrony_server/files/configured_servers.sources | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 9a2e8e5..99f1db5 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -17,7 +17,6 @@ jobs: with: environment: prod3 secrets: inherit - needs: deploy_prod2 #if: github.ref == 'refs/heads/main' deploy_prod2: @@ -26,6 +25,7 @@ jobs: with: environment: prod2 secrets: inherit + needs: deploy_prod3 #if: github.ref == 'refs/heads/main' deploy_prod1: @@ -34,4 +34,5 @@ jobs: with: environment: prod1 secrets: inherit + needs: deploy_prod2 #if: github.ref == 'refs/heads/main' diff --git a/ansible/roles/chrony_server/files/configured_servers.sources b/ansible/roles/chrony_server/files/configured_servers.sources index d7f93f3..36da7d0 100644 --- a/ansible/roles/chrony_server/files/configured_servers.sources +++ b/ansible/roles/chrony_server/files/configured_servers.sources @@ -2,3 +2,5 @@ # Cloudflare NTS server time.cloudflare.com nts iburst +server virginia.time.system76.com nts iburst +server ohio.time.system76.com nts iburst From db8bf1ff60892ad1a6e67f26a227d012041d8fcb Mon Sep 17 00:00:00 2001 From: james-otten Date: Sun, 9 Mar 2025 23:22:34 -0400 Subject: [PATCH 46/60] no3 --- .github/workflows/deploy.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
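Review bot: The source list is now three NTS servers from two operators; chrony's falseticker detection works by majority, so the two System76 servers can outvote Cloudflare if they drift together, and a single reachable source is enough for the server to keep handing out time. Consider a fourth source from a third operator, and `minsources 2` in chrony.conf so the anycast server stops updating its clock when fewer than two sources agree — chrony.conf itself is outside this hunk, so I cannot see whether that is already set.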
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 99f1db5..fadbc33 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -11,13 +11,13 @@ on: - main jobs: - deploy_prod3: - name: Deploy prod3 - uses: ./.github/workflows/deploy_ntp.yaml - with: - environment: prod3 - secrets: inherit - #if: github.ref == 'refs/heads/main' + # deploy_prod3: + # name: Deploy prod3 + # uses: ./.github/workflows/deploy_ntp.yaml + # with: + # environment: prod3 + # secrets: inherit + # #if: github.ref == 'refs/heads/main' deploy_prod2: name: Deploy prod2 @@ -25,8 +25,8 @@ jobs: with: environment: prod2 secrets: inherit - needs: deploy_prod3 - #if: github.ref == 'refs/heads/main' + # needs: deploy_prod3 + # if: github.ref == 'refs/heads/main' deploy_prod1: name: Deploy prod1 @@ -35,4 +35,4 @@ jobs: environment: prod1 secrets: inherit needs: deploy_prod2 - #if: github.ref == 'refs/heads/main' + # if: github.ref == 'refs/heads/main' From a9f5f888475dc7922817529f5bb37a2532bfd499 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 10 Mar 2025 22:45:21 -0400 Subject: [PATCH 47/60] clean --- .github/workflows/deploy.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index fadbc33..54c7487 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -5,7 +5,6 @@ on: push: branches: - main - - james/init workflow_dispatch: branches: - main @@ -26,7 +25,7 @@ jobs: environment: prod2 secrets: inherit # needs: deploy_prod3 - # if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' deploy_prod1: name: Deploy prod1 @@ -35,4 +34,4 @@ jobs: environment: prod1 secrets: inherit needs: deploy_prod2 - # if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' From dcbdf828dd0fbee7763ab7d0235dc231e5f17d23 Mon Sep 17 00:00:00 2001 
From: james-otten Date: Mon, 2 Jun 2025 20:48:18 -0400 Subject: [PATCH 48/60] Create scorecard.yaml --- .github/workflows/scorecard.yaml | 64 ++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/scorecard.yaml diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml new file mode 100644 index 0000000..36988dd --- /dev/null +++ b/.github/workflows/scorecard.yaml 
@@ -0,0 +1,64 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '30 15 * * 6' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. 
+ publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3 + with: + sarif_file: results.sarif From 7892b039c3bea59d47a8ff5b1b160d1fb9aa3077 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 23 Jun 2025 21:12:06 -0400 Subject: [PATCH 49/60] Create dependabot.yml --- .github/dependabot.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f0e3525 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 +updates: +- package-ecosystem: "pip" + directory: "/ansible/" + schedule: + interval: "cron" + cronjob: "41 6 * * *" + assignees: + - "james-otten" +- package-ecosystem: "terraform" + directory: "/terraform/" + schedule: + interval: "cron" + cronjob: "4 6 * * *" + assignees: + - "james-otten" From 57b49b30d4658a2288ce87fdec4dda5a59e33a0e Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 23 Jun 2025 21:15:36 -0400 Subject: [PATCH 50/60] Create requirements.txt --- ansible/requirements.txt | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 ansible/requirements.txt diff --git a/ansible/requirements.txt b/ansible/requirements.txt new file mode 100644 index 0000000..1386376 --- /dev/null +++ b/ansible/requirements.txt 
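Review bot: The new `dependabot.yml` covers `pip` and `terraform` but not `github-actions`, so the SHA-pinned actions in `.github/workflows/` (`actions/checkout`, `ossf/scorecard-action`, `github/codeql-action`, `actions/upload-artifact`) will never receive update PRs and those pins will age silently. Add a third entry for the `github-actions` ecosystem rooted at `/`, on the same cron style as the other two. Dependabot has nothing to bump for an action referenced as `@main`, so any such ref still needs a manual SHA pin before this helps.

```yaml
# … unchanged: pip and terraform entries …
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "cron"
    cronjob: "23 6 * * *"
  assignees:
    - "james-otten"
```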
@@ -0,0 +1,28 @@ +ansible==11.6.0 \ + --hash=sha256:5b9c19d6a1080011c14c821bc7e6f8fd5b2a392219cbf2ced9be05e6d447d8cd +ansible-core==2.18.6 \ + --hash=sha256:12a34749a7b20f0f1536bd3e3b2e137341867e4642e351273e96647161f595c0 +cffi==1.17.1 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 +cryptography==45.0.4 \ + --hash=sha256:2882338b2a6e0bd337052e8b9007ced85c637da19ef9ecaf437744495c8c2999 +Jinja2==3.1.6 \ + --hash=sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67 +MarkupSafe==3.0.2 \ + --hash=sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396 \ + --hash=sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84 \ + --hash=sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8 +packaging==25.0 \ + --hash=sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 +passlib==1.7.4 \ + --hash=sha256:aa6bca462b8d8bda89c70b382f0c298a20b5560af6cbfa2dce410c0a2fb669f1 +pycparser==2.22 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc +PyYAML==6.0.2 \ + --hash=sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5 \ + --hash=sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476 +resolvelib==1.0.1 \ + --hash=sha256:f80de38ae744bcf4e918e27a681a5c6cb63a08d9a926c0989c0730bcdd089049 \ + --hash=sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf From c1fdfaf4dba38ade1875c5b5cc35f6748c91c47b Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 23 Jun 2025 21:16:14 -0400 Subject: [PATCH 51/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index cf1efbf..5c6e13a 100644 
--- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -35,7 +35,7 @@ jobs: python-version: '3.11' - name: Setup ansible - run: pip install ansible passlib==1.7.4 && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml + run: pip install --require-hashes -r ansible/requirements.txt && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml - name: Setup Terraform with specified version on the runner uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 From 1186a9c4106fb033109737c0dd87051766c7068e Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:05:45 -0500 Subject: [PATCH 52/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index 5c6e13a..c99cefb 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml 
@@ -68,14 +68,17 @@ jobs: working-directory: ./terraform/ - name: Setup WireGuard - run: | - sudo apt-get update && sudo apt-get install -y wireguard - echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey - sudo ip link add dev wg0 type wireguard - sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }} - sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }} - sudo ip link set up dev wg0 - rm privatekey + uses: james-otten/nycmesh-vpn-action@main + with: + config-name: ghntp + # run: | + # sudo apt-get update && sudo apt-get install -y wireguard + # echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey + # sudo ip link add dev wg0 type wireguard + # sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }} + # sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }} + # sudo ip link set up dev wg0 + # rm privatekey - name: Terraform Apply run: | From bf59e387a61c31b57856a2b627d1db2287524e42 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:07:23 -0500 Subject: [PATCH 53/60] Update deploy.yaml --- .github/workflows/deploy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 54c7487..a8ea276 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -3,8 +3,8 @@ permissions: read-all on: push: - branches: - - main + # branches: + # - main workflow_dispatch: branches: - main @@ -25,7 +25,7 @@ jobs: environment: prod2 secrets: inherit # needs: deploy_prod3 - if: github.ref == 'refs/heads/main' + #if: github.ref == 'refs/heads/main' deploy_prod1: name: Deploy prod1 
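Review bot: Commenting out both the `push: branches: [main]` filter and the `if: github.ref == 'refs/heads/main'` on `deploy_prod2` means a push to any branch now runs the production deploy with `secrets: inherit`, and `deploy_prod1` follows through its `needs:` edge, so a feature branch or a mistaken push reaches prod. As far as I can tell `workflow_dispatch` does not honor a `branches:` filter, so that key is inert and the `if:` guard was the only thing separating a non-main ref from production. Restore `if: github.ref == 'refs/heads/main'` on `deploy_prod2` and the `branches: - main` filter under `push:`; if branch testing is the goal, use `workflow_dispatch` against a non-prod environment instead. A required-reviewer rule on the `prod2`/`prod1` environments would be a second gate, but that is not visible from this repo.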
From cbf73ca00a05cc9aefd099ee6e7b530c1497aa64 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:09:43 -0500 Subject: [PATCH 54/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index c99cefb..e083cda 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -71,6 +71,7 @@ jobs: uses: james-otten/nycmesh-vpn-action@main with: config-name: ghntp + secrets: inherit # run: | # sudo apt-get update && sudo apt-get install -y wireguard # echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey From 49c61efe4e2013c5f348e08436fe47dffa4dfc0e Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:21:49 -0500 Subject: [PATCH 55/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index e083cda..f193d6e 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -35,7 +35,7 @@ jobs: python-version: '3.11' - name: Setup ansible - run: pip install --require-hashes -r ansible/requirements.txt && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml + run: pip install -r ansible/requirements.txt && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml - name: Setup Terraform with specified version on the runner uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 From d37f757577ae9c0cee55eaa703de396b314bdc8f Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:22:44 -0500 Subject: [PATCH 56/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 1 - 1 file changed, 1 deletion(-) 
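Review bot: Dropping `--require-hashes` from the `Setup ansible` step weakens the pin introduced two commits earlier: pip still verifies hashes implicitly while at least one `--hash` line is present in `ansible/requirements.txt`, but if those lines are ever stripped (a regenerated file, a quick manual edit) the install proceeds unverified instead of failing. The flag is what makes the policy explicit and fail-closed, so keep `pip install --require-hashes -r ansible/requirements.txt` and fix the lock file instead — the PyYAML hash change in the following commit suggests the real failure was a platform-wheel mismatch, which is solved by adding the missing wheel hash, not by relaxing verification. If the flag must go, a comment on the step saying why would stop it being restored blindly.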
diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index f193d6e..14bff88 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -71,7 +71,6 @@ jobs: uses: james-otten/nycmesh-vpn-action@main with: config-name: ghntp - secrets: inherit # run: | # sudo apt-get update && sudo apt-get install -y wireguard # echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey From f2cd5ee495bdbc7e6a6e2e8efc0fb5ad8ff7affb Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:23:55 -0500 Subject: [PATCH 57/60] Update requirements.txt --- ansible/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/requirements.txt b/ansible/requirements.txt index 1386376..f4d108a 100644 --- a/ansible/requirements.txt +++ b/ansible/requirements.txt @@ -21,7 +21,7 @@ passlib==1.7.4 \ pycparser==2.22 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc PyYAML==6.0.2 \ - --hash=sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5 \ + --hash=sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85 \ --hash=sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476 resolvelib==1.0.1 \ --hash=sha256:f80de38ae744bcf4e918e27a681a5c6cb63a08d9a926c0989c0730bcdd089049 \ From 850a3a6386bcce922ad5ffad2d71e8fcb54646e0 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:40:20 -0500 Subject: [PATCH 58/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index 14bff88..a485f32 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml 
@@ -71,6 +71,7 @@ jobs: uses: james-otten/nycmesh-vpn-action@main with: config-name: ghntp + private-key: ${{ secrets.WIREGUARD_PRIVATE_KEY }} # run: | # sudo apt-get update && sudo apt-get install -y wireguard # echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey From dda8953dfef57874c35923eb27fbd8abbf0ff50f Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 21:45:06 -0500 Subject: [PATCH 59/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index a485f32..2191e28 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -72,6 +72,7 @@ jobs: with: config-name: ghntp private-key: ${{ secrets.WIREGUARD_PRIVATE_KEY }} + server-preference: '10,3,11' # run: | # sudo apt-get update && sudo apt-get install -y wireguard # echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey From 6575e83a8b62758bb8797dff5281a48618bd2067 Mon Sep 17 00:00:00 2001 From: james-otten Date: Mon, 12 Jan 2026 22:27:45 -0500 Subject: [PATCH 60/60] Update deploy_ntp.yaml --- .github/workflows/deploy_ntp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy_ntp.yaml b/.github/workflows/deploy_ntp.yaml index 2191e28..94b6cfb 100644 --- a/.github/workflows/deploy_ntp.yaml +++ b/.github/workflows/deploy_ntp.yaml @@ -68,7 +68,7 @@ jobs: working-directory: ./terraform/ - name: Setup WireGuard - uses: james-otten/nycmesh-vpn-action@main + uses: nycmeshnet/nycmesh-vpn-action@main with: config-name: ghntp private-key: ${{ secrets.WIREGUARD_PRIVATE_KEY }}