Software Defined Git Operated Infrastructure
APACHE-2.0 License
Reusables of a learning project: rewriting parts of my home infrastructure as
a Pulumi and Fedora CoreOS based GitOps project in Python.
create a base project, lock and install build requirements, install and configure a simulation of the targets
mkdir -p example; cd example; git init
git submodule add https://github.com/wuxxin/infra-shared.git infra
infra/scripts/create_skeleton.sh --yes
make sim-up
Congratulations!
You have just created two TLS Certificates and an SSH Keypair in a very fancy way!
See the examples for code of what else can be done with it
- update-system-config*
- podman-systemd.unit
- container* - run systemd container units using podman-quadlet
- compose.yml
- compose* - run multi-container applications defined using a compose file
- systemd-nspawn
- nspawn* - run any linux OS in a light-weight system container
- traefik
- unbound
Need to know technologies (to write deployment and docs): Python, YAML, Jinja, systemd service, Containerfile, Markdown
Advanced functionality available with knowledge of:
- pulumi - imperative infrastructure declaration using python
- fcos - Fedora CoreOS, minimal OS with clevis (sss, tang, tpm) storage unlock
- butane - create fcos ignition configs using jinja enhanced butane yaml
- systemd - service, socket, path, timer, nspawn machine container
- podman - build container images, run containers using quadlet systemd container
- saltstack
- mkdocs - documentation using markdown and mermaid
- libvirt - simulation of machines using the virtualization api supporting qemu and kvm
- tang - server used for getting a key shard for unattended encrypted storage unlock on boot
- mkosi - build nspawn OS container images
- age - ssh keys based encryption of production files and pulumi master password
- pipenv - virtualenv management using Pipfile and Pipfile.lock
- make

Provision can be run on Arch Linux, Manjaro Linux or as a container image.
project_name=example
current_dir=$(pwd)
project_dir=${current_dir}/${project_name}
mkdir -p ${project_dir}
cd ${project_dir}
git init
git submodule add https://github.com/wuxxin/infra-shared.git infra
infra/create_skeleton.sh --yes
create_skeleton.sh creates default dirs and files in the project_dir. Use
cat infra/create_skeleton.sh
to inspect the script before running it.
make install-requirements
This needs podman or docker already installed on host.
For the simulation environment with libvirt the host system must also have a configured libvirt.
# Either: build container using `sudo podman build`
make provision-client
# Or: build container using any other container tool
# - replace "docker" with the preferred container build call
cd infra/Containerfile/provision-client && \
docker build -t provision-client:latest $(pwd)
# call provision shell (defaults to /usr/bin/bash interactive shell)
# defaults to podman, but can be overridden with DOCKER=executable
DOCKER=docker infra/scripts/provision_shell.sh
# use exit to return to base shell
make docs
# build infra-shared documentation
make docs-infra
make sim-up
make sim-show args="ca_factory" | jq ".root_cert_pem" -r | \
openssl x509 -in /dev/stdin -noout -text
make sim-show args="ca_factory" | jq ".provision_cert_pem" -r | \
openssl x509 -in /dev/stdin -noout -text
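The two certificates inspected above form a small two-level PKI: a root CA and a provision certificate signed by it. As an added example that is not part of infra-shared, the following script rebuilds such a pair with plain openssl and checks the properties worth confirming when reviewing the output of `make sim-show args="ca_factory"`: that the provision cert chains to the root, that only the root carries CA:TRUE, and that a leaf from a different root is rejected. The subject names, EC P-256 keys, validity periods and the clientAuth extended key usage are assumptions for this example, not what ca_factory actually generates.

```shell
#!/usr/bin/env bash
# Added example (not infra-shared code): two-level PKI with openssl plus checks.
# All names, key types and lifetimes below are assumptions for illustration.
set -eu

# make_ca_pair DIR: create root.pem (CA) and provision.pem (leaf signed by root) in DIR
make_ca_pair() {
  local d="$1"
  mkdir -p "$d"
  # root CA key and self-signed certificate; extensions come from an extfile so
  # the result is the same on OpenSSL 1.1.1 and 3.x
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key" 2>/dev/null
  openssl req -new -key "$d/root.key" -subj "/CN=example root ca" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
  # provision (client) key and certificate, signed by the root; CA:FALSE is critical
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/provision.key" 2>/dev/null
  openssl req -new -key "$d/provision.key" -subj "/CN=provision" -out "$d/provision.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/provision.ext"
  openssl x509 -req -in "$d/provision.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/provision.ext" -out "$d/provision.pem" 2>/dev/null
}

# is_ca PEM: succeed if the certificate's basicConstraints says CA:TRUE
is_ca() {
  local txt
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
  case "$txt" in *"CA:TRUE"*) return 0 ;; *) return 1 ;; esac
}

# chains_to ROOT_PEM LEAF_PEM: succeed if LEAF verifies against ROOT as the only trust anchor
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_chain DIR: the checks a reviewer would apply to the ca_factory output
verify_chain() {
  local d="$1"
  chains_to "$d/root.pem" "$d/provision.pem" || return 1   # leaf is signed by root
  is_ca "$d/root.pem" || return 1                          # root is a CA
  if is_ca "$d/provision.pem"; then return 1; fi            # leaf must not be a CA
  return 0
}

# demo: build a pair in a temp dir and report the result
demo() {
  local d
  d=$(mktemp -d)
  make_ca_pair "$d"
  if verify_chain "$d"; then
    echo "ok: provision cert chains to a CA:TRUE root in $d"
  else
    echo "FAIL: chain checks did not pass for $d"
    return 1
  fi
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash pki-example.sh demo` (file name assumed); the same `chains_to` and `is_ca` checks can be pointed at the PEM strings extracted with `jq` above once written to files.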
export PULUMI_SKIP_UPDATE_CHECK=1
export PULUMI_CONFIG_PASSPHRASE=sim
pulumi stack select sim
pulumi about
pipenv run ipython
make sim-clean
make sim-create
make sim-preview
# if list of changes looks good, apply them
make sim-up
# "error: the stack is currently locked by 1 lock(s)."
# "Either wait for the other process(es) to end or delete the lock file with `pulumi cancel`."
make sim__ args="cancel"
make sim-show
make sim-list
# use highlight and less
make sim-show | highlight --syntax json -O ansi | less
# use bat for integrated highlight plus pager
make sim-show | bat -l json
# e.g. add your own ssh public key to project_dir/authorized_keys
cat ~/.ssh/id_rsa.pub >> authorized_keys
make prod-create
make prod__ args="preview --suppress-outputs"
make prod__ args=up
All code in this repository is covered by the terms of the Apache 2.0 License,
the full text of which can be found in the LICENSE file.