+++
title = "Lockdown chapter 2"
date = 2020-11-10
+++

## ansible

For this lockdown part 2, it makes sense to run my internal servers and infrastructure 24/7, so I can monitor the load and continuously deploy and provision my services between two stupid courses or useless Java exercises.

I was already using Ansible for small tasks such as updating everything at once, or generating git/syncthing/ssh configuration. This time I refactored my use of Ansible, following the [best practices](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html).

Previously, my inventory was generated from an external YAML file, but why should I keep an additional layer of abstraction that adds nothing but complicated infrastructure management? Therefore, I moved all my hosts, services and meta details into the inventory file, in YAML format. Yes, it does make my roles and scripts more dependent on my specific inventory, but I can describe per-host services and use dynamically loaded roles.

## stack

My main server runs OpenBSD, so using Docker is not possible. I have seen some guys on the Internet running Docker in an Alpine VM, but it adds two levels of abstraction, and I don't like cluttering my system with too many complex and exotic setups when not needed. Therefore, I have my own Ansible roles and playbooks for deploying Alpine or OpenBSD ISOs on my hypervisor. Each service (or type of service) will live in a virtual machine, allowing me to back up disk images or make snapshots thanks to qcow2.

> After tinkering around with vmm, it gave me poor results for realtime needs
> in virtual machines (such as minecraft, factorio, ...) due to a high number
> of cpu interruptions.
>
> I then went with freebsd and bhyve.
```
+-------------------+
| domain controller |
| * openbsd         |
| * virtual         |
+-------------------+
         ^
         |
         v
+--------+----------+
| lan router        |
| * ddwrt           |
| * physical        |
+--------+----------+
         ^
         |
         v
+--------+----------+
| 24 ports switch   |
| * fiber ports     |
+--------+-+-+------+
         ^ | |
         | | +--------------------------------------------------------------------+
         | +-------------------------------------------------+                    |
         v                                                   v                    v
+--------+--------------------------------------+   +--------+---------+   +------+---------+
|                                               |   | workstation      |   | laptop         |
| Dell poweredge R710                           |   | * archlinux      |   | * archlinux    |
| * 48GB ram                                    |   | * btrfs          |   | * encrypted    |
| * freebsd /openbsd/ (ssd disk)                |   | * encrypted      |   |                |
|                                               |   +------------------+   +----------------+
| +------------+ +------------+ +-------------+ |
| | vm0        | | vm1        | | vm/n        | |
| | * alpine   | | * alpine   | | * openbsd \ | |
| |            | |            | |   alpine \  | |
| |            | |            | |   ...       | |
| +------------+ +------------+ +-------------+ |
|                                               |
+-----------------------------------------------+
```

## grafana

Thanks to Ansible, I wrote roles for deploying Grafana on a virtual machine, then for deploying *prometheus* and *node_exporter* on all my servers.
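As an added example (not the post's own files), here is what "services described per host in the inventory, roles loaded dynamically" looks like for the ansible section, and how the same inventory feeds the node_exporter scrape targets for the grafana/prometheus section. Hostnames, addresses, the `services`/`os` variable names and the role names are made up; each listed role is assumed to exist under `roles/`.

```yaml
---
# inventory.yml -- constructed example; hosts, addresses and role names are placeholders
all:
  vars:
    ansible_user: ansible
  children:
    hypervisors:
      hosts:
        r710:
          ansible_host: 10.0.0.10
          os: freebsd
          services: [node_exporter]
    vms:
      hosts:
        vm0:
          ansible_host: 10.0.0.20
          os: alpine
          services: [grafana, prometheus, node_exporter]
        vm1:
          ansible_host: 10.0.0.21
          os: alpine
          services: [node_exporter]

---
# site.yml -- one play for every host; the inventory decides what each host gets
- hosts: all
  tasks:
    # Prometheus targets are derived from the inventory, so adding a host to
    # inventory.yml is enough for it to be scraped on the next run.
    - name: Build node_exporter scrape targets from the inventory
      ansible.builtin.set_fact:
        node_targets: "{{ groups['all'] | map('extract', hostvars, 'ansible_host') | map('regex_replace', '$', ':9100') | list }}"

    # Load one role per service listed for this host (roles/<service>/ must exist).
    # A host without a "services" entry simply gets nothing.
    - name: Deploy the services declared for this host
      ansible.builtin.include_role:
        name: "{{ item }}"
      loop: "{{ services | default([]) }}"
```

Run it with `ansible-playbook -i inventory.yml site.yml`; the prometheus role reads `node_targets` when templating its scrape config, and every role can branch on `os` to pick apk or pkg tasks.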