Nomad removal

https://developer.hashicorp.com/nomad/tutorials/manage-clusters/reverse-proxy-ui#extend-connection-timeout

.gitea/workflows/ansible-lint.yaml

@@ -10,6 +10,6 @@ jobs:
     steps:
       - name: Checkout repo content
         uses: actions/checkout@v4
-      - run: ansible-lint
+      - run: ansible-lint -c linter.yaml
         working-directory: ansible/
 

.gitignore

@@ -21,3 +21,4 @@ docker/beta/shockrah.xyz/
 docker/beta/resume.shockrah.xyz/
 k8s/config.yaml
 infra/**/tfplan
+.ansible/

ansible/inventory.yaml

@@ -0,0 +1,3 @@
+nigel:
+  hosts:
+    nigel.local:

ansible/linter.yaml

@@ -0,0 +1,4 @@
+---
+skip_list:
+    - role-name
+    - var-naming[no-role-prefix]

ansible/local-setup-admin-user.yaml

@@ -0,0 +1,28 @@
+# This playbook is meant to be a oneshot to be ran manually on the dev box
+# The rest of the role stuff is meant to be ran as the admin user that
+# this playbook creates for us
+---
+- name: Setup local admin user with a fresh ubuntu host
+  hosts: nigel.local
+  remote_user: nigel
+  vars:
+    admin:
+      username: nigel
+  tasks:
+    - name: Copy the nigel admin key
+      ansible.posix.authorized_key:
+        user: "{{ admin.username }}"
+        state: present
+        key: "{{ lookup('file', '~/.ssh/nigel/admin.pub') }}"
+    - name: Prevent password based logins
+      become: true
+      ansible.builtin.lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: true
+    - name: Restart SSH Daemon
+      become: true
+      ansible.builtin.service:
+        name: ssh
+        state: restarted

ansible/nomad.yaml

@@ -0,0 +1,9 @@
+---
+- name: Setup all the responsibilities of the nomad server
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the nomad role
+      ansible.builtin.include_role:
+        name: nomad
+

ansible/nuc.yaml

@@ -0,0 +1,14 @@
+---
+- name: Setup bare metal requirements
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the base role to the nuc
+      ansible.builtin.include_role:
+        name: base
+    - name: Apply the k3s base role
+      ansible.builtin.include_role:
+        name: k3s
+    - name: Apply the proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/proxy.yaml

@@ -0,0 +1,8 @@
+---
+- name: Setup host as a reverse proxy
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply reverse proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/roles/base/files/docker.list

@@ -0,0 +1 @@
+deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable

ansible/roles/base/tasks/ensure-docker-basic.yaml

@@ -0,0 +1,41 @@
+- name: Ensure we have basic updated packages setting up docker
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    update_cache: true
+  loop:
+    - ca-certificates
+    - curl
+- name: Running install on the keyrings directory
+  ansible.builtin.command:
+    cmd: install -m 0755 -d /etc/apt/keyrings
+  register: install
+  changed_when: install.rc == 0
+- name: Fetch Docker GPG Key
+  vars:
+    keylink: https://download.docker.com/linux/ubuntu/gpg
+  ansible.builtin.get_url:
+    url: "{{ keylink }}"
+    dest: /etc/apt/keyrings/docker.asc
+    mode: "0644"
+- name: Add repo to apt sources
+  ansible.builtin.copy:
+    src: docker.list
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: "0644"
+- name: Update Apt cache with latest docker.list packages
+  ansible.builtin.apt:
+    update_cache: true
+- name: Ensure all docker packages are updated to the latest versions
+  ansible.builtin.apt:
+    name: "{{ item }}"
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+- name: Verify that the docker components are installed properly
+  ansible.builtin.command:
+    cmd: docker run hello-world
+  register: docker
+  changed_when: docker.rc == 0

ansible/roles/base/tasks/k3s.yaml

@@ -0,0 +1,8 @@
+- name: Download the setup script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s.sh
+    mode: "0644"
+- name: Run installation script
+  ansible.builtin.command:
+    cmd: bash /tmp/k3s.sh

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,25 @@
+- name: Ensure nigel can use sudo without password
+  become: true
+  tags:
+    - setup
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    state: present
+    line: "nigel ALL=(ALL) NOPASSWD:ALL"
+- name: Ensure docker components are installed
+  tags:
+    - setup
+  ansible.builtin.include_tasks:
+    file: ensure-docker-basic.yaml
+    apply:
+      become: true
+      tags:
+        - setup
+- name: Run through nomad removal steps
+  tags: nomad
+  ansible.builtin.include_tasks:
+    file: nomad.yaml
+    apply:
+      become: true
+      tags:
+        - nomad

ansible/roles/base/templates/consul.hcl

@@ -0,0 +1,12 @@
+bind_addr = "{{ ip }}"
+advertise_addr = "{{ ip }}"
+bootstrap = true
+bootstrap_expect = 1
+client_addr = "{{ ip }}"
+server = true
+data_dir = "/opt/consul"
+
+ui_config { 
+    enabled = true
+}
+

ansible/roles/base/templates/hashicorp.list

@@ -0,0 +1 @@
+deb [signed-by={{ keyfile }}] https://apt.releases.hashicorp.com jammy main

ansible/roles/k3s/tasks/main.yaml

@@ -0,0 +1,11 @@
+- name: Download the installation script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp
+  register: install_script
+- name: Run installation script
+  become: true
+  environment:
+      INSTALL_K3S_EXEC: server
+  ansible.builtin.command:
+    cmd: sh {{ install_script.dest }}

ansible/roles/nomad/files/nomad.hcl

@@ -0,0 +1,24 @@
+data_dir  = "/opt/nomad/data"
+bind_addr = "0.0.0.0"
+
+server {
+  enabled          = true
+  bootstrap_expect = 1
+}
+
+
+client {
+  enabled = true
+  servers = ["127.0.0.1"]
+}
+
+host_volume "registry" {
+    path = "/opt/volumes/registry"
+    read_only = false
+}
+
+host_volume "nfs" {
+  path = "/opt/volumes/nfs"
+  read_only = false
+}
+

ansible/roles/nomad/tasks/main.yaml

@@ -0,0 +1,18 @@
+- name: Nomad server configuration
+  become:  true
+  block:
+    - name: Ensure the root data directory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.root }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure registry volume is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.registry }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure the MinIO diretory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.nfs }}"
+        state: absent
+        mode: "0755"

ansible/roles/nomad/vars/main.yaml

@@ -0,0 +1,5 @@
+nomad:
+  volumes:
+    root: /opt/volumes
+    registry: /opt/volumes/ncr
+    nfs: /opt/volumes/nfs

ansible/roles/proxy/files/host-file

@@ -0,0 +1,15 @@
+127.0.0.1 localhost
+127.0.1.1 nigel
+
+# Our own dns stuff
+127.0.1.1 nigel.local
+127.0.1.1 nomad.nigel.local
+127.0.1.1 sanity.nigel.local
+127.0.1.1 ncr.nigel.local
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

ansible/roles/proxy/files/ncr.conf

@@ -0,0 +1,6 @@
+server {
+    server_name ncr.nigel.local;
+    location / {
+        proxy_pass http://localhost:5000;
+    }
+}

ansible/roles/proxy/files/nomad.conf

@@ -0,0 +1,25 @@
+server {
+    server_name nomad.nigel.local;
+    location / {
+        proxy_pass http://nomad-ws;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_read_timeout 319s;
+
+        # This is for log streaming requests
+        proxy_buffering off;
+
+        # Upgrade and Connection headers for upgrading to websockets
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+
+        proxy_set_header Origin "${scheme}://${proxy_host}";
+    }
+}
+
+
+upstream nomad-ws {
+    ip_hash;
+    server nomad.nigel.local:4646;
+}

ansible/roles/proxy/tasks/main.yaml

@@ -0,0 +1,28 @@
+- name: Reverse proxy role configuration
+  become: true
+  block:
+    - name: Ensure /etc/hosts are up to date
+      ansible.builtin.copy:
+        dest: /etc/hosts
+        src: host-file
+        mode: "0644"
+    - name: Ensure nginx is setup as latest
+      ansible.builtin.apt:
+        name: nginx
+    - name: Copy the nomad.conf to available configurations
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Link the nomad.conf to sites-enabled
+      ansible.builtin.file:
+        path: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+        src: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Restart nginx
+      ansible.builtin.systemd_service:
+        name: nginx
+        state: restarted

ansible/roles/proxy/vars/main.yaml

@@ -0,0 +1,3 @@
+proxy_nginx_configs:
+  - nomad.conf
+  - ncr.conf

ansible/scripts/pull-down-s3.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-set -e
-
-bucket="$1"
-s3env=/opt/nginx/s3.env
-
-[[ -z "$bucket" ]] && echo "No bucket selected" && exit 1
-
-[[ ! -f $s3env ]] && echo "No credentials to source!" && exit 1
-source $s3env
-
-pull() {
-	aws s3 sync s3://$bucket /opt/nginx/$bucket
-}
-
-
-case $bucket in 
-	resume.shockrah.xyz|shockrah.xyz|temper.tv) pull;;
-	*) echo "Invalid bucket name" && exit 1 ;;
-esac
-
-

infra/containers/docker-compose.yaml

@@ -1,40 +0,0 @@
-networks:
-  gitea:
-    external: false
-
-
-services:
-  gitea:
-    image: gitea/gitea:latest-rootless
-    container_name: gitea
-    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-    restart: always
-    networks:
-      - gitea
-    volumes:
-      - /opt/containers/gitea:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - "3000:3000"
-      - "2222:22"
-  gitea-runner:
-    image: gitea/act_runner:nightly
-    container_name: gitea-runner
-    restart: always
-    networks:
-      - gitea
-    volumes:
-      - /opt/containers/gitea_runner/
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - GITEA_INSTANCE_URL=https://git.shockrah.xyz
-      - GITEA_RUNNER_NAME=gitea-main
-      - GITEA_RUNNER_LABELS=gitea-main
-      - GITEA_RUNNER_REGISTRATION_TOKEN=${token}
-
-
-
-

infra/containers/readme.md

@@ -1,29 +0,0 @@
-What is this
-============
-
-Here we contain scripts to build out all the containers that are run.
-All of these images are based on images that are made from other projects
-
-docker-compose.yaml
-===================
-
-Services that are more/less "special" go here since most of the stuff that is
-run on the main host are basically just static html websites
-
-Services & Containers
-=====================
-
-| Service    | Docker Image Used        |
-|------------|--------------------------|
-| Gitea      | gitea/gitea:latest       |
-| Act Runner | gitea/act_runner:nightly |
-
-Why the servics above?
-======================
-
-The Gitea related services are there so that I can host my own Git projects
-away from "Git as a service" services. I have no issue with Github/Gitlab
-but I just like being able to host my own stuff when possible :smiley:
-
-
-

infra/dns/build.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-opt=$1
-plan=tfplan
-
-build_plan() {
-	echo Generating plan
-	set -x
-	terraform plan -var-file variables.tfvars -input=false -out $plan
-}
-
-deploy_plan() {
-	terraform apply $plan
-}
-
-init() {
-	terraform init
-}
-
-help_prompt() {
-	cat <<- EOF
-	Options: plan deploy help
-	EOF
-}
-
-# Default to building a plan
-source ./secrets.sh
-case $opt in 
-	plan) build_plan;;
-	deploy) deploy_plan;;
-	*) help_prompt;;
-esac

infra/dns/shockrah-xyz.tf

@@ -37,6 +37,7 @@ locals {
     { name = "www.shockrah.xyz",      records = [ var.vultr_host ] },
     { name = "resume.shockrah.xyz",   records = [ var.vultr_host ] },
     { name = "git.shockrah.xyz",      records = [ var.vultr_host ] },
+    { name = "lmao.shockrah.xyz",      records = [ "207.246.107.99" ] },
   ]
 }
 

infra/nigel-nomad/nfs.nomad.hcl

@@ -0,0 +1,34 @@
+# Nigel's NFS that we use for rando stuff
+job "nfs" {
+  type = "service"
+
+  group "nfs" {
+    count = 1
+    network {
+      port "v4" {
+        static = 2049
+      }
+    }
+
+    service {
+      name = "nfs"
+      port = "v4"
+      provider = "nomad"
+    }
+
+    volume "nfs_files" {
+      type      = "host"
+      read_only = false
+      source    = "nfs"
+    }
+    task "nfs" {
+      driver = "docker"
+
+      config {
+        image = "erichough/nfs-server"
+        ports = [ "v4" ]
+        args = ["--cap-add", "SYS_ADMIN"]
+      }
+    }
+  }
+}

infra/nigel-nomad/registry.hcl

@@ -0,0 +1,46 @@
+# Nigel's Container Registry
+job "ncr" {
+    type = "service"
+
+    group "ncr" {
+        count = 1
+        network {
+            port "docker" {
+                static = 5000
+            }
+        }
+
+        service {
+            name = "ncr"
+            port = "docker"
+            provider = "nomad"
+        }
+
+        volume "container_images" {
+            type = "host"
+            read_only = false
+            source = "registry"
+        }
+
+        restart {
+            attempts = 10
+            interval = "5m"
+            delay    = "30s"
+            mode     = "delay"
+        }
+
+        task "ncr" {
+            driver = "docker"
+
+            volume_mount {
+                volume      = "container_images"
+                destination = "/registry/data"
+                read_only   = false
+            }
+            config {
+                image = "registry:latest"
+                ports = [ "docker" ]
+            }
+        }
+    }
+}

infra/nigel-nomad/sanity-service.nomad.hcl

@@ -0,0 +1,30 @@
+# This 'service' job is just a simple nginx container that lives here as a kind of sanity check
+# PORT: 8080
+# DNS : sanity.nigel.local
+job "health" {
+    type = "service"
+
+    group "health" {
+        count = 1
+        network {
+            port "http" {
+                static = 8080
+            }
+        }
+
+        service {
+            name = "health-svc"
+            port = "http"
+            provider = "nomad"
+        }
+
+        task "health-setup" {
+            driver = "docker"
+
+            config {
+                image = "shockrah/sanity:latest"
+                ports = [ "http" ]
+            }
+        }
+    }
+}

infra/static-vultr/tarpit.tf

@@ -0,0 +1,28 @@
+resource tls_private_key tarpit {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource vultr_ssh_key tarpit {
+  name = "tarpit_ssh_key"
+  ssh_key = chomp(tls_private_key.tarpit.public_key_openssh)
+}
+
+resource vultr_instance tarpit {
+  # Core configuration
+  plan    = var.host.plan
+  region  = var.host.region
+  os_id   = var.host.os
+  enable_ipv6 = true
+
+
+  ssh_key_ids = [ vultr_ssh_key.host.id ]
+  firewall_group_id = vultr_firewall_group.host.id
+  label = "Tarpit"
+}
+
+
+output tarpit_ssh_key {
+  sensitive = true
+  value = tls_private_key.host.private_key_pem
+}

infra/vultr-kubernetes/admin-services.tf

@@ -1,62 +0,0 @@
-resource kubernetes_namespace admin-servers {
-    count = length(var.admin_services.configs) > 0 ? 1 : 0
-    metadata {
-        name = var.admin_services.namespace
-    }
-}
-
-resource kubernetes_pod admin {
-    for_each = var.admin_services.configs
-
-    metadata {
-        name = each.key
-        namespace = var.admin_services.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        node_selector = {
-            NodeType = var.admin_services.namespace
-        }
-        container {
-            image = each.value.image
-            name  = coalesce(each.value.name, each.key)
-            resources {
-                limits = {
-                    cpu    = each.value.cpu
-                    memory = each.value.mem
-                }
-            }
-            port {
-                container_port = each.value.port.internal
-                protocol       = coalesce(each.value.proto, "TCP")
-            }
-        }
-    }
-}
-
-resource kubernetes_service admin {
-    for_each = var.admin_services.configs
-    metadata {
-        name = each.key
-        namespace = var.admin_services.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    # TODO: don't make these NodePorts since we're gonna want them
-    # to be purely internal to the Cluster.
-    # WHY? Because we want to keep dashboards as unexposed as possible
-    spec {
-        selector = {
-            app = each.key
-        }
-        port {
-            target_port        = each.value.port.internal
-            port               = each.value.port.expose
-        }
-        type = "NodePort"
-    }
-}
-

infra/vultr-kubernetes/backend.tf

@@ -9,15 +9,20 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "5.98.0"
     }
     vultr = {
       source = "vultr/vultr"
-      version = "2.22.1"
+      version = "2.26.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.34.0"
+      version = "2.37.1"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.1.0"
     }
   }
 }

infra/vultr-kubernetes/bastion.tf

@@ -0,0 +1,27 @@
+resource tls_private_key bastion {
+  algorithm = "ED25519"
+}
+
+resource vultr_ssh_key bastion {
+  name = "bastion"
+  ssh_key = tls_private_key.bastion.public_key_openssh
+}
+
+resource vultr_instance bastion {
+  region  = var.cluster.region
+  vpc_ids = [ vultr_vpc.athens.id ]
+  plan    = var.bastion.plan
+  os_id   = var.bastion.os
+  label   = var.bastion.label
+
+  ssh_key_ids = [ vultr_ssh_key.bastion.id ]
+
+  enable_ipv6         = true
+  disable_public_ipv4 = false
+  activation_email    = false
+}
+
+output bastion_ssh {
+  value = tls_private_key.bastion.private_key_pem
+  sensitive = true
+}

infra/vultr-kubernetes/cluster.tf

@@ -1,28 +1,16 @@
 resource vultr_kubernetes athens {
-  region = var.cluster.region
+  region  = var.cluster.region
   version = var.cluster.version
-  label = var.cluster.label
+  label   = var.cluster.label
-  # BUG: only have this set when creating the resource for the first time
+  vpc_id  = vultr_vpc.athens.id
-  # once the cluster is up, we should comment this out again
-  # enable_firewall = true
-  node_pools {
-    node_quantity = 1
-    plan      = var.cluster.pools["meta"].plan
-    label     = var.admin_services.namespace
-    min_nodes = var.cluster.pools["meta"].min
-    max_nodes = var.cluster.pools["meta"].max
-    # tag       = var.admin_services.namespace
-  }
-}
 
-resource vultr_kubernetes_node_pools games {
+  node_pools {
-  cluster_id = vultr_kubernetes.athens.id
+    node_quantity = var.cluster.pools["main"].min_nodes
-  node_quantity = var.cluster.pools["games"].min
+    plan          = var.cluster.pools["main"].plan
-  plan      = var.cluster.pools["games"].plan
+    label         = var.cluster.pools["main"].label
-  label     = var.game_servers.namespace
+    min_nodes     = var.cluster.pools["main"].min_nodes
-  min_nodes = var.cluster.pools["games"].min
+    max_nodes     = var.cluster.pools["main"].max_nodes
-  max_nodes = var.cluster.pools["games"].max
+  }
-  tag       = var.admin_services.namespace
 }
 
 output k8s_config {

infra/vultr-kubernetes/dev/.gitignore

@@ -1,4 +0,0 @@
-# created by virtualenv automatically
-bin/
-lib/
-

infra/vultr-kubernetes/dev/find-server.py

@@ -1,51 +0,0 @@
-from argparse import ArgumentParser
-from argparse import Namespace
-from kubernetes import client, config
-import re
-
-def get_args() -> Namespace:
-    parser = ArgumentParser(
-        prog="Cluster Search Thing",
-        description="General utility for finding resources for game server bot"
-    )
-    games = {"reflex", "minecraft"}
-    parser.add_argument('-g', '--game', required=False, choices=games)
-
-    admin = {"health"}
-    parser.add_argument('-a', '--admin', required=False, choices=admin)
-    return parser.parse_args()
-
-def k8s_api(config_path: str) -> client.api.core_v1_api.CoreV1Api:
-    config.load_kube_config("../config.yaml")
-    return client.CoreV1Api()
-
-def get_admin_service_details(args: ArgumentParser, api: client.api.core_v1_api.CoreV1Api):
-    print('admin thing requested', args.admin)
-
-def get_game_server_ip(args: ArgumentParser, api: client.api.core_v1_api.CoreV1Api):
-    pods = api.list_pod_for_all_namespaces(label_selector=f'app={args.game}')
-    node_name = pods.items[0].spec.node_name
-
-    services = api.list_service_for_all_namespaces(label_selector=f'app={args.game}')
-    port = services.items[0].spec.ports[0].port
-
-    # Collecting the IPV4 of the node that contains the pod(container)
-    # we actually care about. Since these pods only have 1 container
-    # Now we collect specific data about the game server we requested
-    node_ips  = list(filter(lambda a: a.type == 'ExternalIP', api.list_node().items[0].status.addresses))
-    ipv4 = list(filter(lambda item: not re.match('[\d\.]{3}\d', item.address), node_ips))[0].address
-    ipv6 = list(filter(lambda item: re.match('[\d\.]{3}\d', item.address), node_ips))[0].address
-    
-    print(f'{args.game} --> {ipv4}:{port} ~~> {ipv6}:{port}')
-
-
-if __name__ == '__main__':
-    args = get_args()
-    api = k8s_api('../config.yaml')
-
-    if args.game:
-        get_game_server_ip(args, api)
-    
-    if args.admin:
-        get_admin_service_details(args, api)
-    

infra/vultr-kubernetes/dev/pyvenv.cfg

@@ -1,8 +0,0 @@
-home = /usr
-implementation = CPython
-version_info = 3.10.12.final.0
-virtualenv = 20.13.0+ds
-include-system-site-packages = false
-base-prefix = /usr
-base-exec-prefix = /usr
-base-executable = /usr/bin/python3

infra/vultr-kubernetes/dev/requirements.txt

@@ -1,18 +0,0 @@
-cachetools==5.5.0
-certifi==2024.8.30
-charset-normalizer==3.4.0
-durationpy==0.9
-google-auth==2.36.0
-idna==3.10
-kubernetes==31.0.0
-oauthlib==3.2.2
-pyasn1==0.6.1
-pyasn1_modules==0.4.1
-python-dateutil==2.9.0.post0
-PyYAML==6.0.2
-requests==2.32.3
-requests-oauthlib==2.0.0
-rsa==4.9
-six==1.17.0
-urllib3==2.2.3
-websocket-client==1.8.0

infra/vultr-kubernetes/firewall.tf

@@ -1,32 +1,23 @@
-resource vultr_firewall_rule web_inbound {
+# resource vultr_firewall_rule web_inbound {
-  for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
+#   for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+#   firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+#   protocol = "tcp"
+#   ip_type = "v4"
+#   subnet = "0.0.0.0"
+#   subnet_size = 0
+#   port = each.value
+# }
+
+resource vultr_firewall_group bastion {
+  description = "For connections into and out of the bastion host"
+}
+
+resource vultr_firewall_rule bastion_inbound {
+  firewall_group_id = vultr_firewall_group.bastion.id
   protocol = "tcp"
   ip_type = "v4"
   subnet = "0.0.0.0"
   subnet_size = 0
-  port = each.value
+  port = 22
-}
-
-resource vultr_firewall_rule game-server-inbound {
-  for_each = var.game_servers.configs
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
-  protocol = "tcp"
-  ip_type = "v4"
-  subnet = "0.0.0.0"
-  subnet_size = 0
-  port = each.value.port.expose
-}
-
-
-resource vultr_firewall_rule admin-service-inbound {
-  for_each = var.admin_services.configs
-  firewall_group_id = vultr_kubernetes.athens.firewall_group_id
-  protocol = "tcp"
-  ip_type = "v4"
-  subnet = "0.0.0.0"
-  subnet_size = 0
-  notes = each.value.port.notes
-  port = each.value.port.expose
 }
 

infra/vultr-kubernetes/game-server.tf

@@ -1,55 +0,0 @@
-resource kubernetes_namespace game-servers {
-    count = length(var.game_servers.configs) > 0 ? 1 : 0
-    metadata {
-        name = var.game_servers.namespace
-    }
-}
-
-resource kubernetes_pod game {
-    for_each = var.game_servers.configs
-
-    metadata {
-        name = each.key
-        namespace = var.game_servers.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        container {
-            image = each.value.image
-            name  = coalesce(each.value.name, each.key)
-            resources {
-                limits = {
-                    cpu    = each.value.cpu
-                    memory = each.value.mem
-                }
-            }
-            port {
-                container_port = each.value.port.internal
-                protocol       = coalesce(each.value.proto, "TCP")
-            }
-        }
-    }
-}
-
-resource kubernetes_service game {
-    for_each = var.game_servers.configs
-    metadata {
-        name = each.key
-        namespace = var.game_servers.namespace
-        labels = {
-            app = each.key
-        }
-    }
-    spec {
-        selector = {
-            app = each.key
-        }
-        port {
-            target_port        = each.value.port.internal
-            port   = each.value.port.expose
-        }
-        type = "NodePort"
-    }
-}

infra/vultr-kubernetes/variables.tf

@@ -26,46 +26,30 @@ variable cluster {
     label   = string
     version = string
     pools = map(object({
-      plan = string
+      node_quantity = number
-      autoscale = bool
+      plan          = string
-      min = number
+      label         = string
-      max = number
+      min_nodes     = number
+      max_nodes     = number
+      tag           = string
     }))
   })
 }
 
-variable game_servers {
+
+variable personal {
   type = object({
     namespace = string
-    configs = map(object({
-      name  = optional(string)
-      image = string
-      cpu   = string
-      mem   = string
-      port  = object({
-        internal = number
-        expose   = number
-      })
-      proto = optional(string)
-    }))
   })
 }
 
-variable admin_services {
+
+variable bastion {
   type = object({
-    namespace = string
+    plan  = string
-    configs = map(object({
+    os    = string
-      name  = string
+    label = string
-      image = string
-      cpu   = string
-      mem   = string
-      port  = object({
-        notes = optional(string)
-        internal = number
-        expose   = number
-      })
-      proto = optional(string)
-    }))
   })
 }
 
+

infra/vultr-kubernetes/variables.tfvars

@@ -1,51 +1,27 @@
 cluster = {
   region = "lax"
   label   = "athens-cluster"
-  version = "v1.31.2+1"
+  version = "v1.33.0+1"
   pools = {
-    meta = {
+    main = {
-      plan =  "vc2-1c-2gb"
+      node_quantity = 1
-      autoscale = true
+      plan          =  "vc2-1c-2gb"
-      min = 1
+      label         = "main"
-      max = 2
+      min_nodes     = 1
-    }
+      max_nodes     = 2
-    games = {
+      tag           = "athens-main"
-      plan =  "vc2-1c-2gb"
-      autoscale = true
-      min = 1
-      max = 3
     }
   }
 }
 
-game_servers = {
+personal = {
-  namespace = "games"
+  namespace = "athens-main"
-  configs = {
-    # minecraft = {
-    #   image = "itzg/minecraft-server"
-    #   cpu   = "1000m"
-    #   mem   = "2048Mi"
-    #   port  = {
-    #     expose = 30808
-    #     internal = 80
-    #   }
-    # }
-  }
 }
 
-admin_services = {
+bastion = {
-  namespace = "admin-services"
+  plan  = "vc2-1c-2gb"
-  configs = {
+  label = "bastion"
-    # health = {
+  os    = "1743"
-    #   image = "nginx:latest"
-    #   name  = "health"
-    #   cpu   = "200m"
-    #   mem   = "64Mi"
-    #   port  = {
-    #     notes    = "Basic nginx sanity check service"
-    #     expose   = 30800
-    #     internal = 80
-    #   }
-    # }
-  }
 }
+
+

infra/vultr-kubernetes/vpc.tf

@@ -0,0 +1,4 @@
+resource vultr_vpc athens {
+    description = "Private VPC for private and personal service projects"
+    region = var.cluster.region
+}