path: root/content/writeups/lockdown-chapter-2.md
Diffstat (limited to 'content/writeups/lockdown-chapter-2.md')
-rw-r--r--content/writeups/lockdown-chapter-2.md88
1 files changed, 88 insertions, 0 deletions
diff --git a/content/writeups/lockdown-chapter-2.md b/content/writeups/lockdown-chapter-2.md
new file mode 100644
index 0000000..9e462c6
--- /dev/null
+++ b/content/writeups/lockdown-chapter-2.md
@@ -0,0 +1,88 @@
++++
+title = "Lockdown chapter 2"
+date = 2020-11-10
++++
+
+## ansible
+
+For this lockdown part. 2, it makes sense to run my internal servers and
+infrastructure 24/7, so I can monitor the stress load and continously deploy
+and provision my services between two stupid courses or useless java exercises.
+
+I was already using Ansible for small tasks such as updating everything at once,
+or generating git/syncthing/ssh configuration. This time I refactored my use of
+Ansible, using
+[best practices](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html).
+
+Previously, my inventory was generated from an external YAML, but why should I
+keep an additional layer of abstraction that adds nothing but complicated
+infrastructure management ? Therefore, I refactored all my hosts, services and
+meta details in the inventory file in YAML format. Yes, it does make my roles
+and scripts more dependent to my specific inventory, but I can describe per-host
+services and use dynamically loaded roles.
+
+## stack
+
+My main server running OpenBSD, using Docker is not possible. I have seen some
+guys on Internet running Docker on an Alpine vm, but it adds two level of
+abstraction, and I dont like cluttering my system with too many complex and
+exotic setup when not needed.
+
+Therefore, I have my own Ansible roles and playbooks for deploying Alpine or
+OpenBSD iso on my hypervisor. Each services/type of services will leave in a
+virtual machine, allowing me to backup disk images or making snapshots thanks
+to qcow2.
+
+> After tinkering around with vmm, it gaves me poor results for realtime needs
+> in virtual machine (such as minecraft, factorio, ...) due to a high number
+> of cpu interruptions.
+>
+> I then went with freebsd and bhyve.
+
+```
++-------------------+
+| domain controller |
+| * openbsd |
+| * ^irtual |
++-------------------+
+ ^
+ |
+ v
++--------+----------+
+| lan router |
+| * ddwrt |
+| * physical |
++--------+----------+
+ ^
+ |
+ v
++--------+----------+
+| 24 ports switch |
+| * fiber ports |
++--------+-+-+------+
+ ^ | |
+ | | +--------------------------------------------------------------------+
+ | +-------------------------------------------------+ |
+ v v v
++--------+--------------------------------------+ +--------+---------+ +------+---------+
+| | | workstation | | laptop |
+| Dell poweredge R710 | | * archlinux | | * archlinux |
+| * 48GB ram | | * btrfs | | # encrypted |
+| * freebsd /openbsd/ (ssd disk) | * encrypted | | |
+| | +------------------+ +----------------+
+| +------------+ +------------+ +-------------+ |
+| | vm0 | | vm1 | | vm/n | |
+| | * alpine | | * alpine | | * openbsd \ | |
+| | | | | | alpine \ | |
+| | | | | | ... | |
+| +------------+ +------------+ +-------------+ |
+| |
++-----------------------------------------------+
+```
+
+## grafana
+
+<img class="wide-3 shadow-1" src="/images/grafana_01.jpg">
+
+Thanks to ansible, I wrote roles for deploying grafana on a virtual machines,
+then for deploying *prometheus* and *node_exporter* on all my servers.
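Review bot: the stack section opens with "My main server running OpenBSD, using Docker is not possible", but the blockquote a few lines later says the host was moved to FreeBSD and bhyve after vmm gave poor real-time results, and the diagram labels the R710 "freebsd /openbsd/"; restate the first paragraph of that section in the current state (or say explicitly that OpenBSD was the original choice and FreeBSD replaced it) so the reader is not told two different host operating systems for the same box. In the same hunk, the ASCII diagram has `| * ^irtual |` in the domain controller box (should be `virtual`), the laptop box uses `# encrypted` where the workstation box uses `* encrypted`, and the line `| * freebsd /openbsd/ (ssd disk) | * encrypted |` is missing the `|` that closes the workstation column, so the three boxes no longer align. Spelling and grammar in the prose that should be fixed before merging: `continously` (continuously), `two level of abstraction` (two levels), `I dont` (I don't), `will leave in a virtual machine` (will live in), `it gaves me` (it gave me), `dependent to my specific inventory` (dependent on), and `on a virtual machines` (on a virtual machine).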