diff --git a/.gitignore b/.gitignore
index 62e2251..0fcd8ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 .DS_Store
 alpine-iso
-keys
\ No newline at end of file
+keys
+user-data
+user-data-internal
\ No newline at end of file
diff --git a/README.md b/README.md
index c2c51c0..e020384 100644
--- a/README.md
+++ b/README.md
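Review bot: The new `user-data-internal` pattern does not cover the file this commit actually adds, `user-data-internal.yaml`, because a bare name in `.gitignore` matches only that exact name; the README links the `.yaml` file, so anyone who replaces the `hashedpasswordhere` placeholder in it with a real hash will commit that hash. Either widen the patterns, `user-data*`, or keep the committed copy under an explicitly example name such as `user-data-internal.example.yaml` and ignore everything else. If `user-data-internal` without an extension is a separately rendered file, a comment saying so would prevent the confusion, `# rendered autoinstall user-data: contains the real password hash, never commit`.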
@@ -176,15 +176,28 @@ ssh moeny@ns1.moeny.ai "sudo rndc sync moeny.ai"
 ## VMs on an Internal Network
-In order to spin up VMs on an internal network, you will need to generate an Alpine iso comatible with the internal IPs you are using and specify its path. You will also want to declare the staging IP and gateway IP parameters accordingly. Here is a sample command to run the Alpine bolt plan.
+In order to spin up VMs on an internal network, you will need to generate an Alpine iso compatible with the internal IPs you are using and specify its path. You will also want to declare the staging IP and gateway IP parameters accordingly. Here is a sample command to run the Alpine bolt plan.
 ```bash
 bolt plan run bolt_vm_automation::create_alpine \
- vm_name=moeny-service \
+ vm_name=moeny-service-alpine \
 ip_with_cidr=10.44.0.20/24 \
- hostname=moeny-service \
+ hostname=moeny-service-alpine \
 network=internal-moeny \
 staging_ip=10.44.0.250 \
 gateway_ip=10.44.0.1 \
 iso_path=/mnt/nfs/kvm-isos/iso-build/alpine-autoinstall-internal_moeny.iso -v
+```
+
+Similarly, a new Ubuntu iso will need to be generated that is compatible with the internal IPs. This can be done by simply updating the `user-data` file from Step 6 to have the proper network configuration, as in [`user-data-internal`](user-data-internal.yaml). Here is a sample command to run the Ubuntu bolt plan.
+
+```bash
+bolt plan run bolt_vm_automation::create_ubuntu \
+ vm_name=moeny-service-ubuntu \
+ ip_with_cidr=10.44.0.20/24 \
+ hostname=moeny-service-ubuntu \
+ network=internal-moeny \
+ gateway=10.44.0.1 \
+ iso_path=/mnt/nfs/kvm-isos/iso-build/ubuntu-22.04-autoinstall-internal_moeny.iso \
+ vm_target=vm-template-internal -v
 ```
\ No newline at end of file
diff --git a/bolt_vm_automation/inventory.yaml b/bolt_vm_automation/inventory.yaml
index ff5392c..c5d7165 100644
--- a/bolt_vm_automation/inventory.yaml
+++ b/bolt_vm_automation/inventory.yaml
@@ -12,15 +12,21 @@ groups:
 uri: astrocore.masiero.us
 - name: new-vm
+ config:
+ transport: ssh
+ ssh:
+ user: moeny
+ private-key: ~/.ssh/DMMF-20211104
+ host-key-check: false
 targets:
- - name: vm-template-staging
+ - name: vm-template-public
 config:
- transport: ssh
 ssh:
 host: 100.40.223.190
- user: moeny
- private-key: ~/.ssh/DMMF-20211104
- host-key-check: false
+ - name: vm-template-internal
+ config:
+ ssh:
+ host: 10.44.0.250
 - name: alpine-vms
 config:
diff --git a/bolt_vm_automation/plans/create_ubuntu.yaml b/bolt_vm_automation/plans/create_ubuntu.yaml
index 886be0f..8884e35 100644
--- a/bolt_vm_automation/plans/create_ubuntu.yaml
+++ b/bolt_vm_automation/plans/create_ubuntu.yaml
@@ -4,10 +4,14 @@ parameters:
 type: String
 description: "Target host to create the VM on"
 default: "vortex"
+ vm_target:
+ type: String
+ description: "Target VM for post-installation tasks"
+ default: "vm-template-public"
 iso_path:
 type: String
 description: "Path to the ISO file"
- default: "/mnt/nfs/kvm-isos/iso-build/ubuntu-22.04-autoinstall.iso"
+ default: "/mnt/nfs/kvm-isos/iso-build/ubuntu-22.04-autoinstall-wan_verizon.iso"
 vm_name:
 type: String
 description: "Name of the VM"
@@ -66,6 +70,13 @@ parameters:
 default: "1.1.1.1"
 steps:
+ - name: check_ip_availability
+ description: Check if the target IP is already in use
+ task: bolt_vm_automation::check_ip_availability
+ targets: localhost
+ parameters:
+ network: $network
+
 - name: create_vm
 task: bolt_vm_automation::create_ubuntu
 targets: $target
@@ -82,11 +93,11 @@ steps:
 - name: install_docker
 description: Install Docker on the VM
 task: bolt_vm_automation::install_docker_ubuntu
- targets: vm-template-staging
+ targets: $vm_target
 - name: system_setup
 task: bolt_vm_automation::system_setup_ubuntu
- targets: vm-template-staging
+ targets: $vm_target
 parameters:
 ip_with_cidr: $ip_with_cidr
 hostname: $hostname
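Review bot: Promoting `host-key-check: false` to the `new-vm` group switches off SSH host-key verification for every target in it, now including `vm-template-internal`, and the plan then runs `install_docker` and `system_setup` with sudo over those connections, so anyone able to answer for 100.40.223.190 or 10.44.0.250 receives the automation's commands. I assume this is deliberate because the two staging IPs are reused by every rebuilt template and the host key changes on each build, but that reason is not recorded anywhere; put it above the key, `# staging IPs are reused by every fresh template, so the host key changes per build`. It is worth checking whether the create task on the hypervisor can read the new VM's host key (console or guest agent) and write it to known_hosts before the post-install steps run, so the check can stay on at least for the public target.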
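Review bot: `vm_target` is declared as a free-form `String`, yet the inventory only defines `vm-template-public` and `vm-template-internal`; as far as I know Bolt treats a target string that matches no inventory name as a bare URI, so a typo such as `vm-template-pubic` would make the post-install steps attempt an SSH connection to an unrelated host instead of failing early. Constrain the parameter to the two names, `type: Enum['vm-template-public', 'vm-template-internal']`. The `iso_path` default was changed to the `wan_verizon` image while `vm_target` defaults to the public template, which is consistent, but nothing ties either to `network`; saying so in the description, `description: "Inventory target of the freshly built VM; must match network and iso_path"`, would help callers.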
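Review bot: The new `check_ip_availability` step does not check the IP the plan is about to assign; the task is only given `network` and from that pings the fixed staging address for that network, so the description `Check if the target IP is already in use` is misleading and a collision on `ip_with_cidr` still goes undetected. It also runs on `localhost`, i.e. the Bolt controller, which for `internal-moeny` must be able to reach 10.44.0.0/24; if it cannot, the ping fails and the task reports the address as available. I would run it on the hypervisor, `targets: $target`, which presumably sits on both bridges, and reword the step, `description: Check that the staging IP for the selected network is not already answering`.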
diff --git a/bolt_vm_automation/tasks/check_ip_availability.json b/bolt_vm_automation/tasks/check_ip_availability.json
new file mode 100644
index 0000000..d18cef3
--- /dev/null
+++ b/bolt_vm_automation/tasks/check_ip_availability.json
@@ -0,0 +1,9 @@
+{
+ "description": "Check if the target IP is already in use",
+ "parameters": {
+ "network": {
+ "type": "String",
+ "description": "Network type (internal-moeny or wan-verizon)"
+ }
+ }
+}
\ No newline at end of file
diff --git a/bolt_vm_automation/tasks/check_ip_availability.sh b/bolt_vm_automation/tasks/check_ip_availability.sh
new file mode 100644
index 0000000..fa5dfe6
--- /dev/null
+++ b/bolt_vm_automation/tasks/check_ip_availability.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Extract parameters
+network="$PT_network"
+
+# Determine which IP to ping based on network
+if [ "$network" = "internal-moeny" ]; then
+ ping_ip="10.44.0.250"
+elif [ "$network" = "wan-verizon" ]; then
+ ping_ip="100.40.223.190"
+else
+ echo "{\"status\": \"error\", \"message\": \"Unsupported network type: $network. Must be either internal-moeny or wan-verizon.\"}"
+ exit 1
+fi
+
+# Ping the target IP with 3 second timeout
+if ping -c 1 -W 3 "$ping_ip" > /dev/null 2>&1; then
+ echo "{\"status\": \"error\", \"message\": \"IP $ping_ip is already in use. Please choose a different IP.\"}"
+ exit 1
+else
+ echo "{\"status\": \"success\", \"message\": \"IP $ping_ip is available.\"}"
+ exit 0
+fi
\ No newline at end of file
diff --git a/bolt_vm_automation/tasks/system_setup_ubuntu.sh b/bolt_vm_automation/tasks/system_setup_ubuntu.sh
index 764a011..457e2f2 100644
--- a/bolt_vm_automation/tasks/system_setup_ubuntu.sh
+++ b/bolt_vm_automation/tasks/system_setup_ubuntu.sh
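Review bot: The availability decision treats every non-zero `ping` exit status as "free", but `ping` returns 1 only when the host did not reply and a different code (2 on iputils) when it could not send at all — no route, missing interface, resolution failure — so an unreachable network is reported as `IP ... is available`, which is the one failure this check exists to catch. Branch on the exit code rather than on `if ping ...` and refuse to pass when the probe itself failed, as below. A host that silently drops ICMP echo also looks free; if that matters here, state it in the header comment, `# NOTE: a host that drops ICMP echo will appear free; this is a best-effort check`. The two staging IPs are also duplicated from inventory.yaml, so a comment pointing at that file would keep them from drifting apart.

```shell
# … unchanged: network -> ping_ip selection …

# Ping the target IP with 3 second timeout.
# Exit status: 0 = reply received, 1 = no reply within the timeout,
# anything else = the probe could not be sent (no route, bad interface, ...).
ping -c 1 -W 3 "$ping_ip" > /dev/null 2>&1
rc=$?
case "$rc" in
  0)
    echo "{\"status\": \"error\", \"message\": \"IP $ping_ip is already in use. Please choose a different IP.\"}"
    exit 1
    ;;
  1)
    echo "{\"status\": \"success\", \"message\": \"IP $ping_ip is available.\"}"
    exit 0
    ;;
  *)
    echo "{\"status\": \"error\", \"message\": \"Could not probe $ping_ip (ping exit $rc); not assuming it is free.\"}"
    exit 1
    ;;
esac
```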
@@ -20,7 +20,7 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent
 # Restrict SSH access
 sudo iptables -A INPUT -p tcp --dport 22 -s 100.40.223.128/26 -j ACCEPT
-sudo iptables -A INPUT -p tcp --dport 22 -s 173.62.109.73/32 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 22 -j DROP
 # Use netfilter-persistent to save rules instead of direct file writing
 sudo netfilter-persistent save
diff --git a/user-data-internal.yaml b/user-data-internal.yaml
new file mode 100644
index 0000000..129ddf8
--- /dev/null
+++ b/user-data-internal.yaml
@@ -0,0 +1,46 @@
+#cloud-config
+---
+autoinstall:
+ version: 1
+ locale: en_US.UTF-8
+ keyboard:
+ layout: us
+ identity:
+ hostname: vm-template-staging
+ username: moeny
+ password: '$6$rounds=4096$saltsaltsaltsalt$hashedpasswordhere'
+ ssh:
+ install-server: true
+ authorized-keys:
+ # Add username or email to end of authorized-key below
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRMJNdI/n/7xYN65zHFN8hlRSDg5OPJ12AwOsUyP8OmKCQTapoVQ/suvjaUTCtt8o28QNIQm1vAD03hFNzVJn6F6FJu9vUbR+YqlmzmzGJXB6sWWTEnc9/GsVvLoculuzFYfa2qU9xFbuUTtqFRu6qor82TPAhy/yVWzIvRxlfuxKLpdU9paKiV+WtCkSpVoBgIH6soBE1swMX4ILIOGeFTrmCdBac4K1Bs0OarKtShR6PHdNiqPlwpCeQQDZD8ops69yBMc0t6poFZC9FYSj7arJEWvZN9YtUr+PJiYZQc+gIG4enPW1Zf4FEkXXvH/t6RaYMq9w/P5lIUNOVe169
+ allow-pw: false
+
+ network:
+ version: 2
+ ethernets:
+ enp1s0:
+ dhcp4: false
+ addresses:
+ - 10.44.0.250/24
+ gateway4: 10.44.0.1
+ nameservers:
+ addresses:
+ - 8.8.8.8
+ - 8.8.4.4
+ storage:
+ layout:
+ name: lvm
+ sizing-policy: all
+ packages:
+ - vim
+ - btop
+ - net-tools
+ - fping
+ user-data:
+ disable_root: false
+ updates: all
+ shutdown: reboot
+
+ late-commands:
+ - ["curtin", "in-target", "--target=/target", "--", "/bin/bash", "-c", "echo '%sudo ALL=(ALL) NOPASSWD: ALL' | tee -a /etc/sudoers.d/nopasswd_sudo_group"]
\ No newline at end of file
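Review bot: The replacement allow rule widens the SSH source allowlist from a single /32 to all of `10.0.0.0/8`, roughly sixteen million addresses, whereas the internal network this commit introduces is `10.44.0.0/24`; and because the plan's `system_setup` step runs this same task for both `vm_target` values, the rule also lands on the public-facing template, where 10/8-sourced packets can only be spoofed or provider-internal. Tighten it to the subnet that actually needs access, `sudo iptables -A INPUT -p tcp --dport 22 -s 10.44.0.0/24 -j ACCEPT`, or pass the allowed CIDR in as a task parameter alongside `ip_with_cidr` so the public and internal builds get different rules. Dropping `173.62.109.73/32` also removes that admin host's access to public VMs unless it sits inside 100.40.223.128/26; if that is intended, a comment above the rules saying which networks are meant to reach port 22 would make the policy reviewable. The script continues on both sides of this hunk.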
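Review bot: With `identity.password` left as the `hashedpasswordhere` placeholder, the `moeny` account's only usable credential is the single embedded SSH key, and the late-command then grants `%sudo` passwordless root while `disable_root: false` tells cloud-init not to lock root's SSH login. That is a reasonable choice for a template, but it belongs in a comment at the top of the file, `# key-only access: password is a placeholder and sudo is NOPASSWD — protect the matching private key accordingly`. Netplan on 22.04 warns that `gateway4` is deprecated in favour of `routes: [{to: default, via: 10.44.0.1}]`, so expect that warning at install time. A VM on 10.44.0.0/24 may have no route to 8.8.8.8/8.8.4.4; confirm the internal network provides egress or point `nameservers` at the internal resolver. `hostname` still says `vm-template-staging` although the inventory entry was renamed; harmless if `system_setup` overwrites it, but worth aligning.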