Files

153 lines
4.6 KiB
Markdown
Raw Permalink Normal View History

2024-09-24 15:12:33 +02:00
# Legal Notice
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
code DELETE immediately. We have been warned.
# Updating Nextcloud
```
# Enable maintenance
/bin/occ maintenance:mode --on
# Update config.tf
# Apply
# Run maintenance operations
./bin/occ upgrade
./bin/occ db:add-missing-columns
./bin/occ db:add-missing-indices
./bin/occ db:add-missing-primary-keys
# Disable maintenance
./bin/occ maintenance:mode --off
```
# Contabo CLI
Download latest version from [here](https://github.com/contabo/cntb/releases).
Setup:
```
sectool exec cntb get instances --oauth2-clientid="$CONTABO_CLIENT_ID" --oauth2-client-secret="$CONTABO_CLIENT_SECRET" --oauth2-user="$CONTABO_API_USER" --oauth2-password="$CONTABO_API_PASSWORD"
```
# Windows
## Create a Dedicated “Ansible” User (One-Time Setup) — Linux
```
# Create the provision user (Debian/Ubuntu)
sudo useradd -m -s /bin/bash -G sudo provision
sudo passwd provision
# OR (RHEL/CentOS/Fedora)
sudo useradd -m -s /bin/bash -G wheel provision
sudo passwd provision
```
```
# Allow passwordless sudo for the provision user (recommended for Ansible)
echo 'provision ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/provision
sudo chmod 440 /etc/sudoers.d/provision
# Or edit safely:
sudo visudo -f /etc/sudoers.d/provision
# and add:
# provision ALL=(ALL) NOPASSWD:ALL
```
```
# Install SSH authorized key for the provision user (recommended over passwords)
sudo -u provision mkdir -p /home/provision/.ssh
sudo -u provision chmod 700 /home/provision/.ssh
echo "<your_public_key_here>" | sudo -u provision tee /home/provision/.ssh/authorized_keys
sudo -u provision chmod 600 /home/provision/.ssh/authorized_keys
```
Notes:
- Replace <your_public_key_here> with the actual public key.
- Use a strong password if you must set one; prefer SSH keys.
- For tighter security, restrict the sudoers entry to only the commands Ansible requires instead of ALL.
- Validate sudoers syntax with visudo to avoid lockout.
## Configure windows to allow Ansible to connect via WinRM
Copy the script located in scripts "ConfigureRemotingForAnsible.ps1" and run it on the target machine.
```
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\ConfigureRemotingForAnsible.ps1
```
# Using MSYS2
Upgrade your system:
```
pacman -Syu
```
Install the following packages:
```
mingw-w64-ucrt-x86_64-go
mingw-w64-ucrt-x86_64-make
mingw-w64-ucrt-x86_64-python
ucrt-w64-ucrt-x86_64-gcc
mingw-w64-ucrt-x86_64-python-cryptography
mingw-w64-ucrt-x86_64-python-paramiko
mingw-w64-ucrt-x86_64-python-rpds-py
python-lxml
mingw-w64-ucrt-x86_64-python-ruamel-yaml
mingw-w64-ucrt-x86_64-python-sspilib
unzip
```
Create a python environment use:
```
python -m venv .venv --system-site-packages
```
# macOS Dev Station
Use the repository hybrid flow: bootstrap once with shell script, then manage day-2 changes with Ansible.
## 1) Bootstrap prerequisites on the Mac
```
./scripts/setup-dev-station.sh
```
This installs only prerequisites (Homebrew, base tools, Ansible) and avoids persistent shell side effects.
## 2) Configure the Mac with Ansible
1. Add or adjust the host in `inventory/hosts` under `[darwin_dev]`.
2. Configure host vars in `ansible/host_vars/mac-01.lab.alexpires.me.yml`.
3. Run:
```
cd ansible
sectool exec ansible-playbook playbook_macos_dev_station.yml --limit darwin_dev
```
The macOS role configures tools, tmux, code-server and opencode as system launchd daemons running under a dedicated service user. This allows services to start at boot without requiring an interactive login.
OpenCode server auth is injected from environment variables. Ensure `OPENCODE_SERVER_USERNAME` and `OPENCODE_SERVER_PASSWORD` are available through `ansible/sectool.env` values before running the playbook.
code-server password auth is also env-backed. Ensure `CODE_SERVER_PASSWORD` is available through `ansible/sectool.env` values before running the playbook.
Hard mode (system daemons + dedicated service user) also requires sudo rights. Use passwordless sudo for your ansible user or set `ANSIBLE_BECOME_PASSWORD` through `ansible/sectool.env` values before running the playbook.
## 3) Optional DNS entry in dev-01 CoreDNS
From `terraform/apps/dev-01`, you can inject an optional DNS record for the Mac dev station:
```
export TF_VAR_mac_dev_station_dns_name="mac-mini"
export TF_VAR_mac_dev_station_dns_type="A"
export TF_VAR_mac_dev_station_dns_target="10.19.4.250"
sectool -f ../../../sectool.json exec tofu validate
sectool -f ../../../sectool.json exec tofu plan
sectool -f ../../../sectool.json exec tofu apply -auto-approve
```
Use `CNAME` + hostname target instead of `A` when you want an alias.