+++
title = "Lockdown chapter 2"
date = 2020-11-10
+++
## ansible
For this lockdown part 2, it makes sense to run my internal servers and
infrastructure 24/7, so I can monitor the stress load and continuously deploy
and provision my services between two stupid courses or useless Java exercises.
I was already using Ansible for small tasks such as updating everything at once,
or generating git/syncthing/ssh configuration. This time I refactored my use of
Ansible, following the
[best practices](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html).
Previously, my inventory was generated from an external YAML file, but why should I
keep an additional layer of abstraction that adds nothing but complicated
infrastructure management? Therefore, I moved all my hosts, services and
meta details into the inventory file itself, in YAML format. Yes, it does make my roles
and scripts more dependent on my specific inventory, but I can describe per-host
services and use dynamically loaded roles.
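As an added example (not the post's actual inventory or playbook), this is what an inventory that carries per-host services looks like, together with a single play that loads one role per declared service instead of keeping a playbook per host. Addresses, group names and role names (`common`, `node_exporter`, `git`, `syncthing`, ...) are hypothetical; the roles are assumed to exist under `roles/`.

```yaml
# inventory.yml: hosts, services and meta details live in one YAML inventory.
# Added example, not the post's own inventory; addresses, group names and
# role names below are hypothetical.
---
all:
  vars:
    ansible_user: ansible
  children:
    hypervisors:
      hosts:
        r710:
          ansible_host: 10.0.0.2
          os: freebsd
          services: [bhyve]
    vms:
      hosts:
        dc:
          ansible_host: 10.0.0.1
          os: openbsd
          services: [domain_controller]
        vm0:
          ansible_host: 10.0.0.10
          os: alpine
          services: [git, syncthing]
        vm1:
          ansible_host: 10.0.0.11
          os: alpine
          services: [prometheus, grafana]

# site.yml: one play for every host; the role list is read from the host's
# own inventory entry, so adding a service is an inventory change, not a
# playbook change.
---
- name: Provision each host from its inventory entry
  hosts: all
  become: true
  pre_tasks:
    - name: Refuse to run on a host whose os is not declared in the inventory
      ansible.builtin.assert:
        that: os is defined and os in ['alpine', 'freebsd', 'openbsd']
        fail_msg: "{{ inventory_hostname }} has no supported os in the inventory"
  roles:
    - role: common         # packages, updates, ssh hardening; shared by every os
    - role: node_exporter  # every host gets scraped by prometheus
  tasks:
    - name: Load one role per service declared for this host
      ansible.builtin.include_role:
        name: "{{ item }}"
      loop: "{{ services | default([]) }}"
```

Before running it for real, `ansible-inventory -i inventory.yml --graph --vars` shows which `os` and `services` each host actually resolved to, and `ansible-playbook -i inventory.yml site.yml --syntax-check` catches a service name with no matching role. The `assert` in `pre_tasks` is there so that a host added to the inventory without its `os` fails loudly instead of silently getting the wrong role logic.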
## stack
My main server runs OpenBSD, so using Docker is not possible. I have seen some
people on the Internet running Docker in an Alpine VM, but that adds two levels of
abstraction, and I don't like cluttering my system with complex and
exotic setups when they are not needed.
Therefore, I have my own Ansible roles and playbooks for deploying Alpine or
OpenBSD ISOs on my hypervisor. Each service (or type of service) lives in its own
virtual machine, allowing me to back up disk images or make snapshots thanks
to qcow2.
> After tinkering around with vmm, it gave me poor results for realtime needs
> in a virtual machine (such as minecraft, factorio, ...) due to a high number
> of cpu interruptions.
>
> I then went with FreeBSD and bhyve.
```
+-------------------+
| domain controller |
| * openbsd         |
| * virtual         |
+---------+---------+
          ^
          |
          v
+---------+---------+
| lan router        |
| * ddwrt           |
| * physical        |
+---------+---------+
          ^
          |
          v
+---------+---------+
| 24 ports switch   |
| * fiber ports     |
+---+-----+-----+---+
    ^     |     |
    |     |     +------------------------------------------------------+
    |     +------------------------------------------+                 |
    v                                                v                 v
+---+-------------------------------------------+ +--+--------------+ +--+--------------+
| Dell poweredge R710                           | | workstation   | | laptop        |
| * 48GB ram                                    | | * archlinux   | | * archlinux   |
| * freebsd /openbsd/ (ssd disk)                | | * btrfs       | | * encrypted   |
|                                               | | * encrypted   | |               |
| +------------+ +------------+ +-------------+ | +---------------+ +---------------+
| | vm0        | | vm1        | | vm/n        | |
| | * alpine   | | * alpine   | | * openbsd \ | |
| |            | |            | |   alpine \  | |
| |            | |            | |   ...       | |
| +------------+ +------------+ +-------------+ |
+-----------------------------------------------+
```
## grafana
<img class="wide-3 shadow-1" src="/images/grafana_01.jpg">
Thanks to Ansible, I wrote roles for deploying Grafana on a virtual machine,
then for deploying *prometheus* and *node_exporter* on all my servers.
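Since the inventory already lists every server, the Prometheus scrape targets can be derived from it rather than maintained by hand. The play below is an added example, not the post's role: it assumes hypothetical `vms` and `hypervisors` inventory groups with an `ansible_host` per host, node_exporter on port 9100 on each of them, a `prometheus` package (with `promtool`) installed on the monitoring VM, and a `prometheus` system group.

```yaml
# Generate prometheus.yml from the Ansible inventory so that every host in the
# `vms` and `hypervisors` groups becomes a node_exporter target.
# Added example, not the post's own role; group names, the monitoring host,
# the `prometheus` system group and the config path are hypothetical.
---
- name: Configure prometheus on the monitoring vm
  hosts: vm1
  become: true
  vars:
    scrape_hosts: "{{ groups['vms'] | union(groups['hypervisors']) }}"
    prometheus_config:
      global:
        scrape_interval: 15s
      scrape_configs:
        - job_name: node
          static_configs:
            # node_exporter is assumed to listen on port 9100 on each host's
            # inventory address (ansible_host)
            - targets: "{{ scrape_hosts
                          | map('extract', hostvars, 'ansible_host')
                          | map('regex_replace', '$', ':9100')
                          | list }}"
  tasks:
    - name: Write prometheus.yml from the inventory
      ansible.builtin.copy:
        content: "{{ prometheus_config | to_nice_yaml(indent=2) }}"
        dest: /etc/prometheus/prometheus.yml
        owner: root
        group: prometheus
        mode: "0640"
        # refuse to install a config that prometheus itself would reject
        validate: promtool check config %s
      notify: Restart prometheus
  handlers:
    - name: Restart prometheus
      ansible.builtin.service:
        name: prometheus
        state: restarted
```

The `validate` step runs `promtool check config` on the rendered file before it replaces the live one, so a typo in the inventory cannot take monitoring down. One caveat a practitioner wants here: node_exporter has no authentication by default and exposes a fair amount of host detail, so bind it to the internal address (`--web.listen-address=<lan ip>:9100`) and only allow the monitoring VM to reach port 9100 through the host firewall, rather than leaving it open on every interface.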