-rw-r--r--  .gitignore                 |  1
-rw-r--r--  Makefile                   |  4
-rw-r--r--  docs/backups.md            | 22
-rw-r--r--  docs/changelog.md          | 13
-rw-r--r--  docs/index.md              |  2
-rw-r--r--  docs/todo.md               | 18
-rw-r--r--  docs/tpc.md                |  6
-rw-r--r--  mkdocs.yml                 | 56
-rwxr-xr-x  share/hydra/deploy         |  3
-rwxr-xr-x  share/hydractl/sync-home   |  2
-rwxr-xr-x  share/hydractl/sync-tpc    |  2
11 files changed, 112 insertions, 17 deletions
diff --git a/.gitignore b/.gitignore
index c391806..ac84f83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
*.swp
doc/_build
site
+.cache
diff --git a/Makefile b/Makefile
index 6e28c6c..ee069d6 100644
--- a/Makefile
+++ b/Makefile
@@ -4,9 +4,11 @@
.PHONY: publish docs
-publish: docs
+web_deploy:
@rsync -avz --delete site/ hydra:/var/sites/hidra/www/
@rsync -avz --delete slides/ hydra:/var/sites/hidra/www/slides/
docs:
@mkdocs build
+
+publish: docs web_deploy
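Review bot: the new `web_deploy` target is not added to `.PHONY: publish docs`, so a file or directory named `web_deploy` in the working tree would make `make` consider the target up to date and silently skip the rsync; suggest `.PHONY: publish docs web_deploy`. Since `web_deploy` runs `rsync --delete` against the live site, it is also worth giving it a `docs` prerequisite of its own (not only via `publish`) so that invoking it directly can never push a stale or empty `site/` and wipe the remote.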
diff --git a/docs/backups.md b/docs/backups.md
index d645207..d39a85c 100644
--- a/docs/backups.md
+++ b/docs/backups.md
@@ -48,6 +48,11 @@ generated above by keyringer:
$SUDO cryptsetup luksFormat ${DEVICE}1
+If you want to make this volume to have a label (helpful for detecting the disk
+etc; downside: third parties can easily get the name), run this command:
+
+ $SUDO cryptsetup config ${DEVICE}1 --label ${DISK}
+
Open the encrypted volume and create the basic filesystem structure needed
to sync content:
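Review bot: `cryptsetup config --label` only works on LUKS2 headers, so this step assumes the preceding `luksFormat` produced LUKS2 (the default since cryptsetup 2.1; older versions create LUKS1 unless `--type luks2` is given); suggest stating that requirement next to the command. The caveat that third parties can read the label is right and could be made more precise: the label lives in the unencrypted header metadata and is shown by `luksDump` and `blkid`, so it should not carry anything the disk's owner would not want on a sticker. Minor wording: "If you want this volume to have a label (...)".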
@@ -155,7 +160,13 @@ This may be the ultimate disaster recovery kit for your Hydra!
## Restore
-Examples according to the software used to make the backup.
+Having backup data leaked is a serious security issue, and that's why we
+encrypt backups.
+But losing access to the encrypted material is data loss, so it's important
+to make sure in advance that we can get back the material.
+
+Procedures vary, and the following examples are sorted according to the
+software used to make the backup.
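Review bot: the new paragraph states the goal (being able to get the encrypted material back) but the section has no step that verifies it; suggest adding a concrete check here, such as a periodic test restore of a small file set into a scratch directory, so that key, passphrase and repository access are all exercised before a real recovery is needed. A pointer to the "Note on backup keys" part of the Borg section would also fit here, since a lost key is exactly the data-loss case this paragraph warns about.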
### Duplicity
@@ -196,6 +207,15 @@ Note on backup keys:
encrypted-storage workstations_ (recommendation is to not do this on the remote
repository).
+Just to be sure, let's emphasize Borg's own recommendation:
+
+> IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
+>
+> If you used a repokey mode, the key is stored in the repo, but you should
+> back it up separately.
+> Use "borg key export" to export the key, optionally in printable format.
+> Write down the passphrase. Store both at safe place(s).
+
[Borg]: https://www.borgbackup.org/
[Puppet]: https://www.puppet.com/
[not possible anymore]: https://github.com/borgbackup/borg/issues/7047
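Review bot: the quoted Borg warning tells the reader to run `borg key export`, but the surrounding text does not say where the exported key and the passphrase should then be kept. Given that this page already stores secrets with keyringer and mentions encrypted-storage workstations just above, suggest one sentence after the quote stating that the exported key (`borg key export --paper` gives a printable copy) and the passphrase go there, and never into the remote repository, so the quoted "Store both at safe place(s)" is tied to a concrete location in this setup.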
diff --git a/docs/changelog.md b/docs/changelog.md
index 859518c..155459b 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -4,12 +4,15 @@
### hydra
+* [x] Deploy:
+ * [x] Automatically fix permission of (or delete) puppet's `devices`
+ folder: https://github.com/puppetlabs/puppet-specifications/blob/master/file_paths.md
* [x] Keys:
- * [x] Deprecate generating and deploying/import borg keys, since
- pre-generation is not a supported behavior right now:
- https://github.com/borgbackup/borg/issues/7047
- * [x] Document about how keys are encrypted and backed up in the server:
- https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory
+ * [x] Deprecate generating and deploying/import borg keys, since
+ pre-generation is not a supported behavior right now:
+ https://github.com/borgbackup/borg/issues/7047
+ * [x] Document about how keys are encrypted and backed up in the server:
+ https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory
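Review bot: the five `-`/`+` pairs under "Keys:" are a whitespace-only re-indent of unchanged text, mixed with the real addition of the "Deploy:" entry; this makes the hunk harder to read in review. Suggest keeping indentation fixes in a separate commit, or at least noting in the commit message that the Keys sub-items are unchanged apart from indentation.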
### hydractl
diff --git a/docs/index.md b/docs/index.md
index 1da4c48..66915c2 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,5 +1,7 @@
# Hydra Suite - Command and Control
+![Hydra](assets/logo.png){ align=left }
+
Hydra is a suite for orchestration and management of machines composed of
**lots of conventions and assumptions**, and the following basic commands:
diff --git a/docs/todo.md b/docs/todo.md
index 89127d2..f40950a 100644
--- a/docs/todo.md
+++ b/docs/todo.md
@@ -4,12 +4,11 @@
* [ ] Deploy:
* [ ] Collect basic hardware information along with facts: cpuid,
- dmidecode, hwinfo, lsblk, lscpu, lshw, lspci, lsusb etc.
+ dmidecode, hwinfo, lsblk, lscpu, lshw, lspci, lsusb, sfdisk etc.
Store somewhere under the `config/hardware` folder?
+ Could also be a separate action, `hydra <hydra> collect <node>`.
* [ ] Command line is broken for ansible when multiple nodes are provided.
* [ ] Use console-based GnuPG agent when calling `keyringer`.
- * [ ] Automatically fix permission of (or delete) puppet's `devices`
- folder: https://github.com/puppetlabs/puppet-specifications/blob/master/file_paths.md
* [ ] Mass:
* [ ] Support for [cumin][] ([Debian package](https://tracker.debian.org/pkg/cumin)).
@@ -24,8 +23,19 @@
> Disabling STANDBY on drive...
> couldn't find field acronym: STANDBY
> [perhaps a '--transport=<tn>' or '--vendor=<vn>' option is needed]
- * [ ] Mount/umount system volume supporting split partitoon scheme (`root`,
+ * [ ] Mount/umount system volume supporting split partiton scheme (`root`,
`var`, `home` etc).
+ * [ ] Try to detected the device partition (`/dev/sdb1` etc) based
+ on the LUKS2 label.
+* [ ] Syncing:
+ * [ ] Syncing packages: a frontend to `apt-offline` that uses `git-annex`
+ repositories: getting, installing, cleaning. One node can request
+ packages through an external drive, and another can fetch then.
+ * [ ] Integration with [Baobáxia](https://baobaxia.mocambos.net)?
+ Maybe that will already happen if `git-annex` can run directly
+ on a mucua's repository.
+ * [ ] Merge `sync-home` into `sync-tpc`, or make `sync-tpc` call
+ `sync-home`, to avoid code duplication.
* [ ] Provision:
* [ ] Fix booting issues detailed [here](tpc.md#booting).
* [ ] Upgrade:
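Review bot: the `+` line that replaces "partitoon" still misspells the word ("partiton"); it should read "split partition scheme". Two more typos in the added lines: "Try to detected the device partition" should be "Try to detect the device partition", and "another can fetch then" should be "another can fetch them". Since these are task descriptions that will be read again later, suggest fixing all three in this commit.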
diff --git a/docs/tpc.md b/docs/tpc.md
index 44b35ac..c2a6954 100644
--- a/docs/tpc.md
+++ b/docs/tpc.md
@@ -78,14 +78,14 @@ generator like this:
head -c ${1:-20} /dev/urandom | base64 | \
tr -d '\n' | \
- hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random:password >> \
+ hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$DISK.$DOMAIN.yaml
For `passwd(5)` and `shadow(5)` hashed passphrases, use something like this:
mkpasswd -m sha-512 | \
tr -d '\n' | \
- hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random:password >> \
+ hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$DISK.$DOMAIN.yaml
Or this, for a random passphrase:
@@ -93,7 +93,7 @@ Or this, for a random passphrase:
head -c ${1:-20} /dev/urandom | base64 | \
mkpasswd -m sha-512 --stdin | \
tr -d '\n' | \
- hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random:password >> \
+ hydra $HYDRA eyaml $DISK encrypt -q -o block --stdin -l some::random::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$DISK.$DOMAIN.yaml
[hiera-yaml]: https://github.com/voxpupuli/hiera-eyaml
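Review bot: the `some::random:password` to `some::random::password` correction had to be applied in three identical copies of the same `hydra $HYDRA eyaml ... encrypt` pipeline (two in the previous hunk, one here), which is how the typo survived in all three in the first place; suggest factoring the common tail into one documented helper or shell function that takes the eyaml label as an argument, so the label and the output path are defined once. Also, the reference label `[hiera-yaml]` points at the hiera-eyaml project; naming the link `[hiera-eyaml]` would avoid confusion between the two.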
diff --git a/mkdocs.yml b/mkdocs.yml
index e9799c3..3837e87 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -17,7 +17,61 @@ theme:
#
# This option was superseded by the privacy plugin:
# https://squidfunk.github.io/mkdocs-material/setup/ensuring-data-privacy/#built-in-privacy-plugin
- font: false
+ #font: false
+
+# Plugins
+# https://www.mkdocs.org/dev-guide/plugins/
+plugins:
+ # Note that this might not be available in the mkdocs-material package from
+ # Debian bookworm (as of 2024-08-23)
+ privacy: {}
+
+# Markdown extensions
+# See https://www.mkdocs.org/user-guide/configuration/#markdown_extensions
+# https://squidfunk.github.io/mkdocs-material/setup/extensions/
+markdown_extensions:
+ # Footnotes
+ # https://squidfunk.github.io/mkdocs-material/reference/footnotes/
+ footnotes: {}
+
+ # Tasklist handling
+ # https://squidfunk.github.io/mkdocs-material/setup/extensions/python-markdown-extensions/#tasklist
+ pymdownx.tasklist:
+ custom_checkbox: true
+
+ # SuperFences
+ # https://squidfunk.github.io/mkdocs-material/setup/extensions/python-markdown-extensions/#superfences
+ pymdownx.superfences:
+ custom_fences:
+ - name: mermaid
+ class: mermaid
+ format: !!python/name:pymdownx.superfences.fence_code_format
+
+ # Table of Contents configuration
+ # See https://www.mkdocs.org/user-guide/configuration/#markdown_extensions
+ # https://www.mkdocs.org/user-guide/writing-your-docs/#linking-to-pages
+ toc:
+ permalink: true
+
+ # Attribute Lists
+ # Needed by proper image handling
+ # https://squidfunk.github.io/mkdocs-material/reference/images/
+ # https://squidfunk.github.io/mkdocs-material/setup/extensions/python-markdown/#attribute-lists
+ attr_list: {}
+
+ # Markdown in HTML
+ # Needed by proper image handling
+ # https://squidfunk.github.io/mkdocs-material/reference/images/
+ # https://squidfunk.github.io/mkdocs-material/setup/extensions/python-markdown/#markdown-in-html
+ md_in_html: {}
+
+# Copyright notice
+copyright: Copyleft &copy; 2024 Fluxo Group. See LICENSE for details.
+
+# Extra template parameters
+# https://www.mkdocs.org/user-guide/configuration/#extra
+extra:
+ generator: false
# Navigation
# https://www.mkdocs.org/user-guide/writing-your-docs/#configure-pages-and-navigation
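Review bot: the comment above `privacy: {}` says the plugin may be missing from the Debian bookworm mkdocs-material package, and mkdocs aborts the build when a configured plugin is not installed, so on such a host `make docs` (and therefore `make publish`) fails rather than building without it. Failing closed is the right behaviour for a plugin whose job is to stop the site from loading third-party assets, but the requirement should be written down: suggest stating the minimum mkdocs-material version or the `pip install` line next to the plugin entry, or in docs/index.md, so the failure is expected rather than a surprise. The `!!python/name:pymdownx.superfences.fence_code_format` tag is the form mkdocs-material documents for mermaid fences, so that part is fine as written.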
diff --git a/share/hydra/deploy b/share/hydra/deploy
index e440ae5..5fabb6c 100755
--- a/share/hydra/deploy
+++ b/share/hydra/deploy
@@ -151,6 +151,9 @@ for node in $NODES; do
# Fix ssl folder ownership
$SUDO chown -R `whoami`: $HYDRA_FOLDER/puppet/ssl
+ # Fix devices folder ownership
+ $SUDO chown -R `whoami`: $HYDRA_FOLDER/puppet/devices
+
# Import keys if needed
if ! $SUDO test -f /root/.ssh/id_rsa || \
! $SUDO test -f /root/.config/borg/hydra/key || \
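Review bot: the new `chown -R` on `$HYDRA_FOLDER/puppet/devices` runs unconditionally on every deploy, so on a node where the folder does not exist (it is only created once puppet's device support has been used) the command reports an error; the changelog entry for this change says "fix permission of (or delete)", so the intended no-folder case is not handled here. Suggest guarding it the same way the key import below guards on file presence, e.g. `if $SUDO test -d "$HYDRA_FOLDER/puppet/devices"; then ... fi`, and quoting `$HYDRA_FOLDER` so a path with spaces does not turn into a recursive chown of something else. Using `$(whoami)` instead of backticks would also match modern shell style.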
diff --git a/share/hydractl/sync-home b/share/hydractl/sync-home
index a0460e9..b2cd85f 100755
--- a/share/hydractl/sync-home
+++ b/share/hydractl/sync-home
@@ -4,7 +4,7 @@
#
# Parameters
-BASENAME="$0"
+BASENAME="`basename $0`"
TPC="$1"
DEST="/media/$1"
MEDIA="$DEST/var/cache/$TPC/media"
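Review bot: `BASENAME="`basename $0`"` leaves `$0` unquoted inside the command substitution; `BASENAME="$(basename "$0")"` is the robust form. More important, the lines that follow still derive `DEST="/media/$1"` without checking that `$1` was given: with an empty argument `DEST` becomes `/media/` and `MEDIA` becomes `/media//var/cache//media`, so whatever sync this script performs would operate on the wrong tree. Suggest an early exit such as `[ -n "$TPC" ] || { echo "usage: $BASENAME <tpc>" >&2; exit 1; }` right after the parameters, and using `$TPC` rather than `$1` for `DEST` now that the variable exists.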
diff --git a/share/hydractl/sync-tpc b/share/hydractl/sync-tpc
index c739c5a..0a72866 100755
--- a/share/hydractl/sync-tpc
+++ b/share/hydractl/sync-tpc
@@ -4,7 +4,7 @@
#
# Parameters
-BASENAME="$0"
+BASENAME="`basename $0`"
TPC="$1"
DEST="/media/$1"
MEDIA="$DEST/var/cache/$TPC/media"
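Review bot: same two points as in the `sync-home` hunk above, since this parameter block is a verbatim copy: quote `$0` inside the substitution (`BASENAME="$(basename "$0")"`) and add an empty-argument check before `DEST="/media/$1"` is used, so a missing `<tpc>` argument cannot make the script sync against `/media/`. The todo item added in this same commit ("Merge `sync-home` into `sync-tpc`, or make `sync-tpc` call `sync-home`") would remove this duplication, and is the right place to fix the check once rather than twice.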