A proposal for social practices, preferred tools, and documentation #2

Open
missytake wants to merge 3 commits from social-practices into kvm-base
2 changed files with 158 additions and 84 deletions
Showing only changes of commit cb6676ab65


@ -220,87 +220,3 @@ a deltachat bot to receive support requests
and email alerts from grafana.
Review

I wouldn't mention Nix yet, simply because some people in the space prefer using it over Pyinfra. But one of the NixOS people can write that part then :)
# Set up alpine on hetzner
This was only tested with a cloud VPS so far.
Source: <https://gist.github.com/c0m4r/e38d41d0e31f6adda4b4c5a88ba0a453>
(but it's less of a hassle than described there)
To create an alpine server on hetzner,
you need to first create a Debian VPS or something similar.
Then you boot into the rescue system.
Get the download link of the latest VIRTUAL x86_64 alpine iso
from <https://alpinelinux.org/downloads/>.
Login to the rescue system via console or SSH,
and write the ISO to the disk:
```
ssh root@xxxx:xxxx:xxxx:xxxx::1
wipefs -a /dev/sda
wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.3-x86_64.iso # or whatever link you got from alpine
dd if=alpine-virt-3.20.3-x86_64.iso of=/dev/sda
reboot
```
Then open the server console (SSH doesn't work),
login to root (no password required),
and proceed with:
```
cp -r /.modloop /root
cp -r /media/sda /root
umount /.modloop /media/sda
rm /lib/modules
mv /root/.modloop/modules /lib
mv /root/sda /media
setup-alpine
```
Then select what you wish,
contrary to the guide above,
DHCP is actually fine.
The drive should be sda,
the installation type can be sys
(why go through the hassle).
Voilà! reboot and login.
Probably the first SSH login will be via root password,
as copy-pasting your public SSH key into the console doesn't work really.
Make sure the SSH config allows this
(and turn passwort root access off afterwards).
## Encrypting /var/lib/libvirt partition
**Status: tested with Hetzner VPS, not deployed in production yet**
Messing with file systems and partitions
should not be done by automation scripts,
so I created the LUKS-encrypted /dev/sdb partition manually.
(So far, /dev/sdb was added via a Hetzner volume,
but it can be any partition actually)
To create a partition in the VPS volume
(which was formatted to ext4 originally),
- I ran `fdisk /dev/sdb`,
- entered `o` to create a DOS partition table,
- added `n` to add a new primary partition, using all available space,
- and `w` to save to disk and exit.
Then I ran `cryptsetup luksFormat /dev/sdb1`
and entered the passphrase from `pass 0x90/ararat/sdb-crypt`
to create a LUKS volume.
Now I could decrypt the new volume with
`cryptsetup luksOpen /dev/sdb1 sdb_crypt`
and entering the passphrase from `pass 0x90/ararat/sdb-crypt`.
Finally, I ran `mkfs.ext4`
to create an ext4 file system
in the encrypted partition.
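Review bot: the relocated "Set up alpine on hetzner" text leaves root SSH login with a password enabled after the first login and only says "turn passwort root access off afterwards", without naming the actual step; since this commit moves the section into ararat/README.md unchanged, both the typo ("passwort") and the missing hardening step travel with it. Suggest fixing it at the new location: "password", plus the concrete setting to apply once the deployed keys work, e.g. `PermitRootLogin prohibit-password` in sshd_config followed by an sshd restart. Minor: `dd if=alpine-virt-3.20.3-x86_64.iso of=/dev/sda` with no `bs=` and no `sync` afterwards works but is slow and silent; `bs=4M status=progress` would be friendlier in the rescue console.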

ararat/README.md Normal file

@ -0,0 +1,158 @@
# Server: ararat test VPS
## Usage
For now this server doesn't host any production services.
## Maintainers
- missytake@systemli.org
## Domain Settings
It doesn't have a domain pointing to it yet.
## Hosting
For now, the VPS is hosted in missytake's personal hetzner account.
Ask them if you need something.
## Deployment
To deploy the server, run
```
pyinfra --yes inventory.py ararat/deploy.py --limit 95.217.163.200
```
You also need to run this after every reboot,
to decrypt the encrypted volume
and start the libvirt VMs.
## Services
### Service: kvm / libvirt
This is a KVM hypervisor,
which allows managing VMs with libvirt.
You can use libvirt through the `virsh` command line tool.
e.g. you can login via SSH as root
and run `virsh list` to see running VMs.
#### Monitoring
It doesn't really need monitoring for now.
#### Deployment
The service is part of the pyinfra deploy.py file;
you can deploy it with
`pyinfra --yes inventory.py ararat/deploy.py --limit 95.217.163.200`.
#### Upgrade Strategy
As long as it is a test deployment,
we don't need to upgrade it regularly.
## Users
There is only the root user,
the SSH keys of missytake, hagi, and vmann are deployed via pyinfra.
## Upgrade Strategy
To upgrade the packages,
you need to login via SSH and run `apk update && apk upgrade`.
## Backup and Restore
As long as it is a test deployment,
we don't need backups.
# Changelog
## 2024-12-02 Set up alpine VPS on hetzner
This was only tested with a cloud VPS so far.
Source: <https://gist.github.com/c0m4r/e38d41d0e31f6adda4b4c5a88ba0a453>
(but it's less of a hassle than described there)
To create an alpine server on hetzner,
you need to first create a Debian VPS or something similar.
Then you boot into the rescue system.
Get the download link of the latest VIRTUAL x86_64 alpine iso
from <https://alpinelinux.org/downloads/>.
Login to the rescue system via console or SSH,
and write the ISO to the disk:
```
ssh root@xxxx:xxxx:xxxx:xxxx::1
wipefs -a /dev/sda
wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.3-x86_64.iso # or whatever link you got from alpine
dd if=alpine-virt-3.20.3-x86_64.iso of=/dev/sda
reboot
```
Then open the server console (SSH doesn't work),
login to root (no password required),
and proceed with:
```
cp -r /.modloop /root
cp -r /media/sda /root
umount /.modloop /media/sda
rm /lib/modules
mv /root/.modloop/modules /lib
mv /root/sda /media
setup-alpine
```
Then select what you wish,
contrary to the guide above,
DHCP is actually fine.
The drive should be sda,
the installation type can be sys
(why go through the hassle).
Voilà! reboot and login.
Probably the first SSH login will be via root password,
as copy-pasting your public SSH key into the console doesn't work really.
Make sure the SSH config allows this
(and turn passwort root access off afterwards).
## 2024-12-02 Encrypting /var/lib/libvirt partition
**Status: tested with Hetzner VPS, not deployed in production yet**
Messing with file systems and partitions
should not be done by automation scripts,
so I created the LUKS-encrypted /dev/sdb partition manually.
(So far, /dev/sdb was added via a Hetzner volume,
but it can be any partition actually)
To create a partition in the VPS volume
(which was formatted to ext4 originally),
- I ran `fdisk /dev/sdb`,
- entered `o` to create a DOS partition table,
- added `n` to add a new primary partition, using all available space,
- and `w` to save to disk and exit.
Then I ran `cryptsetup luksFormat /dev/sdb1`
and entered the passphrase from `pass 0x90/ararat/sdb-crypt`
to create a LUKS volume.
Now I could decrypt the new volume with
`cryptsetup luksOpen /dev/sdb1 sdb_crypt`
and entering the passphrase from `pass 0x90/ararat/sdb-crypt`.
Finally, I ran `mkfs.ext4`
to create an ext4 file system
in the encrypted partition.
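Review bot: the Deployment section states that re-running `pyinfra --yes inventory.py ararat/deploy.py --limit 95.217.163.200` after every reboot decrypts the encrypted volume, but the README never says where deploy.py obtains the LUKS passphrase; only the changelog's manual steps mention `pass 0x90/ararat/sdb-crypt`. Suggest adding to Deployment that the operator needs access to that pass entry and whether the passphrase is cached anywhere on the host, so that hagi or vmann can bring the server back after a reboot without asking missytake. Two smaller points: the Users section should record whether password login for root is disabled by deploy.py or still has to be done by hand, since the "Set up alpine VPS on hetzner" changelog entry leaves it enabled after the first login; and the deploy command with the hard-coded IP appears twice (Deployment and Service: kvm / libvirt), so one of the two could simply refer to the other to avoid drift when the address changes.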