0x90-pyinfra/README.md

# initial setup
 - install `pyinfra` with your favorite package manager

or

 - install `pipx` with your favorite package manager
 - add `~/.local/bin` to your `PATH`
 - `pipx install pyinfra`

# before each use
 - communicate your intent to do changes to your co-admins to prevent conflicting access
 - run `git pull` to fetch the newest version
 - run `pyinfra @local deploy.py` to install/update `0x90.ssh_config` trustmebro
 - run `pyinfra --dry inventory.py deploy.py` and check that you are on the same state that is already deployed


# Set up alpine on hetzner

This was only tested with a cloud VPS so far.
Source: <https://gist.github.com/c0m4r/e38d41d0e31f6adda4b4c5a88ba0a453>
(but it's less of a hassle than described there)

To create an alpine server on hetzner,
you need to first create a Debian VPS or something similar.

Then you boot into the rescue system.

Get the download link of the latest VIRTUAL x86_64 alpine iso
from <https://alpinelinux.org/downloads/>.

Login to the rescue system via console or SSH,
and write the ISO to the disk:

```
ssh root@xxxx:xxxx:xxxx:xxxx::1
wipefs -a /dev/sda
wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.3-x86_64.iso  # or whatever link you got from alpine
dd if=alpine-virt-3.20.3-x86_64.iso of=/dev/sda
reboot
```

Then open the server console (SSH doesn't work),
login to root (no password required),
and proceed with:

```
cp -r /.modloop /root
cp -r /media/sda /root
umount /.modloop /media/sda
rm /lib/modules
mv /root/.modloop/modules /lib
mv /root/sda /media
setup-alpine
```

Then select what you wish,
contrary to the guide above,
DHCP is actually fine.
The drive should be sda,
the installation type can be sys
(why go through the hassle).

Voilà! reboot and login.
Probably the first SSH login will be via root password,
as copy-pasting your public SSH key into the console doesn't work really.
Make sure the SSH config allows this
(and turn passwort root access off afterwards).


## Encrypting /var/lib/libvirt partition

**Status: tested with Hetzner VPS, not deployed in production yet**

Messing with file systems and partitions
should not be done by automation scripts,
so I created the LUKS-encrypted /dev/sdb partition manually.

(So far, /dev/sdb was added via a Hetzner volume,
but it can be any partition actually)

To create a partition in the VPS volume
(which was formatted to ext4 originally),
- I ran `fdisk /dev/sdb`,
- entered `o` to create a DOS partition table,
- added `n` to add a new primary partition, using all available space,
- and `w` to save to disk and exit.

Then I ran `cryptsetup luksFormat /dev/sdb1`
and entered the passphrase from `pass 0x90/ararat/sdb-crypt`
to create a LUKS volume.

Now I could decrypt the new volume with
`cryptsetup luksOpen /dev/sdb1 sdb_crypt`
and entering the passphrase from `pass 0x90/ararat/sdb-crypt`.

Finally, I ran `mkfs.ext4`
to create an ext4 file system
in the encrypted partition.
some basic structure 2024-05-16 19:18:15 +00:00			`# initial setup`
			- install `pyinfra` with your favorite package manager

			`or`

			- install `pipx` with your favorite package manager
			- add `~/.local/bin` to your `PATH`
			- `pipx install pyinfra`

			`# before each use`
			`- communicate your intent to do changes to your co-admins to prevent conflicting access`
			- run `git pull` to fetch the newest version
			- run `pyinfra @local deploy.py` to install/update `0x90.ssh_config` trustmebro
			- run `pyinfra --dry inventory.py deploy.py` and check that you are on the same state that is already deployed
doc: documented alpine installation 2024-12-04 13:42:14 +00:00

			`# Set up alpine on hetzner`

			`This was only tested with a cloud VPS so far.`
			`Source: <https://gist.github.com/c0m4r/e38d41d0e31f6adda4b4c5a88ba0a453>`
			`(but it's less of a hassle than described there)`

			`To create an alpine server on hetzner,`
			`you need to first create a Debian VPS or something similar.`

			`Then you boot into the rescue system.`

			`Get the download link of the latest VIRTUAL x86_64 alpine iso`
			`from <https://alpinelinux.org/downloads/>.`

			`Login to the rescue system via console or SSH,`
			`and write the ISO to the disk:`

			```
			`ssh root@xxxx:xxxx:xxxx:xxxx::1`
			`wipefs -a /dev/sda`
			`wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.3-x86_64.iso # or whatever link you got from alpine`
			`dd if=alpine-virt-3.20.3-x86_64.iso of=/dev/sda`
			`reboot`
			```

			`Then open the server console (SSH doesn't work),`
			`login to root (no password required),`
			`and proceed with:`

			```
			`cp -r /.modloop /root`
			`cp -r /media/sda /root`
			`umount /.modloop /media/sda`
			`rm /lib/modules`
			`mv /root/.modloop/modules /lib`
			`mv /root/sda /media`
			`setup-alpine`
			```

			`Then select what you wish,`
			`contrary to the guide above,`
			`DHCP is actually fine.`
			`The drive should be sda,`
			`the installation type can be sys`
			`(why go through the hassle).`

			`Voilà! reboot and login.`
			`Probably the first SSH login will be via root password,`
			`as copy-pasting your public SSH key into the console doesn't work really.`
			`Make sure the SSH config allows this`
			`(and turn passwort root access off afterwards).`

doc: documented encrypting /var/lib/libvirt on a VPS 2024-12-04 13:42:53 +00:00
			`## Encrypting /var/lib/libvirt partition`

			`Status: tested with Hetzner VPS, not deployed in production yet`

			`Messing with file systems and partitions`
			`should not be done by automation scripts,`
			`so I created the LUKS-encrypted /dev/sdb partition manually.`

			`(So far, /dev/sdb was added via a Hetzner volume,`
			`but it can be any partition actually)`

			`To create a partition in the VPS volume`
			`(which was formatted to ext4 originally),`
			- I ran `fdisk /dev/sdb`,
			- entered `o` to create a DOS partition table,
			- added `n` to add a new primary partition, using all available space,
			- and `w` to save to disk and exit.

			Then I ran `cryptsetup luksFormat /dev/sdb1`
			and entered the passphrase from `pass 0x90/ararat/sdb-crypt`
			`to create a LUKS volume.`

			`Now I could decrypt the new volume with`
			`cryptsetup luksOpen /dev/sdb1 sdb_crypt`
			and entering the passphrase from `pass 0x90/ararat/sdb-crypt`.

			Finally, I ran `mkfs.ext4`
			`to create an ext4 file system`
			`in the encrypted partition.`