From 33fd71beee74132474a6458701760d27c359ff65 Mon Sep 17 00:00:00 2001
From: Tobias Manske
Date: Sun, 17 Dec 2023 00:17:18 +0100
Subject: [PATCH] Onboard backup.unruhig.eu
---
 .gitea/issue_template/new_device.md | 5 +-
 ansible/inventory.yaml | 6 ++
 ansible/known_hosts | 8 +-
 ansible/secrets.yml | 1 +
 tf-stage-0/butane/backup.unruhig.eu | 115 ++++++++++++++++++++++++++++
 tf-stage-1/dns-unruhig-eu.tf | 2 +
 6 files changed, 132 insertions(+), 5 deletions(-)
 create mode 100644 tf-stage-0/butane/backup.unruhig.eu
diff --git a/.gitea/issue_template/new_device.md b/.gitea/issue_template/new_device.md
index 9b2f670..3bd0f31 100644
--- a/.gitea/issue_template/new_device.md
+++ b/.gitea/issue_template/new_device.md
@@ -13,5 +13,6 @@ labels:
 - [ ] Add host to ansible inventory
 - [ ] Add machine ssh-key to Backup Storagebox
 - [ ] `touch /etc/setup_complete` if no restore is needed
-- [ ] Update known_hosts `ansible-playbook regenerate-known-hosts.yaml`
-- [ ] Run `ansible-playbook --tags setup playbook.yaml`
+- [ ] Update known_hosts `summon ansible-playbook regenerate-known-hosts.yaml`
+- [ ] Generate new ansible ssh key `summon ansible-playbook --inventory=inventory.yaml tasks/create_ssh_keys.yaml`
+- [ ] Run `summon ansible-playbook --tags setup playbook.yaml`
diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml
index acc320d..08c8564 100644
--- a/ansible/inventory.yaml
+++ b/ansible/inventory.yaml
@@ -20,6 +20,11 @@ all:
 network_interface: ens3
 network_ipv6_addr: "2a03:4000:9:176::1"
 wg_addr: 10.1.0.4
+ backup.unruhig.eu:
+ ansible_user: core
+ network_interface: ens3
+ network_ipv6_addr: "2a03:4000:56:e17::1"
+ wg_addr: 10.1.0.5
 # localhost:
 # ansible_interpreter_python: ./ENV/bin/python
 # ansible_connection: local
@@ -46,3 +51,4 @@ all:
 host.nc.chaoswg.org: null
 mon1.hel1.chaoswg.org: null
 infra.unruhig.eu: null
+ backup.unruhig.eu: null
diff --git a/ansible/known_hosts b/ansible/known_hosts
index f997bd9..9f430a3 100644
--- a/ansible/known_hosts
+++ b/ansible/known_hosts 
@@ -1,9 +1,11 @@
+backup.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxa8vbJ70oM2PlEKegPu3/SUO7oXz2lM6PvR74Ad+RYjjAQZr/j3WMpeDn15ugexlYmYoHgxgeT0xA6E/ZAM/0=
+backup.unruhig.eu ssh-rsa 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
 host.nc.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+xbsYUu5fNjUZuJMER9VMx7aPCPCVcZvBpnNjxySRrkUSOgLV6n2IYj+aTfrxT3sCJFzkXzNS8R25Fyqw53WE=
 host.nc.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfZWpJz8JiM6F5zXcUg9K7OsCx0UbrK4z9sijpmUn3F
 host.nc.chaoswg.org ssh-rsa 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
-infra.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcuxMyUl5L/gs1+hqrtz1ywzWo4DiuwUGaPyMgCSZbReAFZ6LVmmMwllKJyF6IhEDhvMckNxraMtLQHLA7kyDY=
-infra.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdD0VzFKRzUJ9lZQ7viRY3jJKB6LTUdLintKDHzvdjG
-infra.unruhig.eu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0l2SDWE+RROnCgR2kIWr58ozcSHfS0jKH90Lr+w5Gd6ddiz1oRPPlTA3drQb6LRQo+TfPxeajzJdpxXHDKOtD6C7aSg0YbXAWu9D2t5PwAlCLfslpD7W3O6NKjfuT7rgtp+W15CYhWGOMxJZt0EORZFvpV9kf5XFADRJymay9MEU7LL4HDoEO0chqsodW1aYZMcZxSwPh4XmKEpS6fraCUMulsmkka4RtVysOhl/qvOWut+KckERKMg2RFLPpfqRUAG6oZbRLksni7TYPULJqaucHUmtiK2RP4D4woISz4orC5cIbDOpZP7lcovFSVlD2rbSiLbCfjIt8pQVShFnDEOZkRGyhS9/0F4/vFQXhX/zpCasUlIL+TpCUBUfX5d0QX7/yBQPogMQDo4sxXe5Eq3eR2Qgv61yrxQpbkWQHb/7WFCBorlroD6YWp1aR0VkJ9s31TjPhSVAoVRVbKUh65QgiAXh6VUbw22+AyVZ9hHYobSrYItoULNPBNtxoRVk=
+infra.unruhig.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpspDDbmZt71/g8R4K+jn3A4n7z+8lO3unv8Pm8xLKhr3mDD0MErbRrP/ucYtsBRauMc+IOmBsDtM2Ayp/0zio=
+infra.unruhig.eu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8dLUAnoazcq9Tl2zeLP0Ed8QlMs6226raruQhP/0y8
+infra.unruhig.eu ssh-rsa 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
 mon1.hel1.chaoswg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGUIZFzyXd6QAA4Xn+SikYIdfZ+c2R4aFXCY6/Gh2oZGjpq4xtHLw7AFyadnC1UGVNNINNJY1FLfgbavIkeh6M=
 mon1.hel1.chaoswg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsSgW6MyvR0YJWn61UZLG8hgj/ewvlRqiHIZDAkYDtV
 mon1.hel1.chaoswg.org ssh-rsa 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
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
index 944c90b..0396b45 100644
--- a/ansible/secrets.yml
+++ b/ansible/secrets.yml
@@ -4,3 +4,4 @@ SSH_KEY_thonkpad_ka_chaoswg_org: !var:file machine/thonkpad.ka.chaoswg.org/ssh_k
 SSH_KEY_host_nc_chaoswg_org: !var:file machine/host.nc.chaoswg.org/ssh_key
 SSH_KEY_mon1_hel1_chaoswg_org: !var:file machine/mon1.hel1.chaoswg.org/ssh_key
 SSH_KEY_infra_unruhig_eu: !var:file machine/infra.unruhig.eu/ssh_key
+SSH_KEY_backup_unruhig_eu: !var:file machine/backup.unruhig.eu/ssh_key
diff --git a/tf-stage-0/butane/backup.unruhig.eu b/tf-stage-0/butane/backup.unruhig.eu
new file mode 100644
index 0000000..2c82e6e
--- /dev/null
+++ b/tf-stage-0/butane/backup.unruhig.eu
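Review bot: All three pinned host keys of infra.unruhig.eu (ecdsa, ed25519 and rsa) are swapped for new ones in this hunk, although the commit only claims to onboard backup.unruhig.eu and the message never mentions a reinstall of infra. A wholesale host-key change on an already-pinned host is indistinguishable from a man-in-the-middle if the file is regenerated by scanning over the network, so the new infra fingerprints should be confirmed out of band (e.g. `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the host via the provider console) before they are committed, and the reason recorded in the commit message. The new backup.unruhig.eu entries pin only ecdsa-sha2-nistp256 and ssh-rsa, whereas every other host in the file also pins an ssh-ed25519 key; if the new host publishes one, the regenerate run looks incomplete and should be repeated so the key modern clients prefer is pinned here rather than learned on first use.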
@@ -0,0 +1,115 @@
+---
+variant: fcos
+version: 1.4.0
+systemd:
+ units:
+ # Installing vim as a layered package with rpm-ostree
+ - name: rpm-ostree-install-pkg.service
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Layer packages with rpm-ostree
+ Wants=network-online.target
+ After=network-online.target
+ # We run before `zincati.service` to avoid conflicting rpm-ostree
+ # transactions.
+ Before=zincati.service
+ # Otherwise vagrant will try to run the playbook before we got python
+ Before=sshd.service
+ ConditionPathExists=!/var/lib/%N.stamp
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ # `--allow-inactive` ensures that rpm-ostree does not return an error
+ # if the package is already installed. This is useful if the package is
+ # added to the root image in a future Fedora CoreOS release as it will
+ # prevent the service from failing.
+ ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive vim python docker-compose borgbackup btop iftop iotop
+ ExecStart=/bin/touch /var/lib/%N.stamp
+
+ [Install]
+ WantedBy=multi-user.target
+ # Make sure docker is actually starting without a call to the socket.
+ - name: docker.service
+ enabled: true
+ - name: borgbackup.service
+ contents: |
+ [Unit]
+ Description=Run Backup of /var/lib/docker
+
+ [Service]
+ ExecStart=/usr/bin/bash /root/backup.sh
+
+ [Install]
+ WantedBy=multi-user.target
+ - name: borgbackup.timer
+ enabled: true
+ contents: |
+ [Unit]
+ Description=Daily backup
+
+ [Timer]
+ OnCalendar=daily
+ Persistent=true
+
+ [Install]
+ WantedBy=timers.target
+storage:
+ disks:
+ - device: /dev/disk/by-id/coreos-boot-disk
+ wipe_table: false
+ partitions:
+ - number: 4
+ label: root
+ size_mib: 4096
+ resize: true
+ - label: swap
+ size_mib: 3072
+ - label: var # not specifying "number", so this will go after the root partition
+ size_mib: 0 # means "use the rest of the space on the disk"
+ filesystems:
+ - path: /var
+ device: /dev/disk/by-partlabel/var
+ format: xfs
+ wipe_filesystem: true # preserve /var on reinstall (this is the default, but be explicit)
+ with_mount_unit: true # mount this filesystem in the real root
+ - device: /dev/disk/by-partlabel/swap
+ format: swap
+ wipe_filesystem: true # preserve /var on reinstall (this is the default, but be explicit)
+ with_mount_unit: true # mount this filesystem in the real root
+ files:
+ # Set vim as default editor
+ # We use `zz-` as prefix to make sure this is processed last in order to
+ # override any previously set defaults.
+ - path: /etc/profile.d/zz-default-editor.sh
+ overwrite: true
+ contents:
+ inline: |
+ export EDITOR=vim
+ - path: /etc/hostname
+ mode: 0644
+ contents:
+ inline: backup.unruhig.eu
+ - path: /etc/zincati/config.d/55-updates-strategy.toml
+ contents:
+ inline: |
+ [updates]
+ strategy = "periodic"
+ [[updates.periodic.window]]
+ days = [ "Tue" ]
+ start_time = "12:00"
+ length_minutes = 60
+ links:
+ - path: /etc/localtime
+ target: /usr/share/zoneinfo/Europe/Berlin
+passwd:
+ users:
+ - name: core
+ groups:
+ - docker
+ ssh_authorized_keys:
+ - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBL72XuF23TEDahZtoYsOXGVc9HDuuUeVJI5EjD5Y8JJoIN5wOQdDUg92cde4pcMCgQUzjDTg7hzjxb3117ElzIM+A3yhNEoEYJksPHkiXuTgR6ZTSnLM9OhGa80+qtV09g== openpgp:0x694A0709
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhzs4vCOhy3yH2TF2bO5Qalt2P4WG4nDYTLarPKFrdM ansible@provisioner
+...
+# vim: ft=yaml.butane
diff --git a/tf-stage-1/dns-unruhig-eu.tf b/tf-stage-1/dns-unruhig-eu.tf
index ac630df..b67152d 100644
--- a/tf-stage-1/dns-unruhig-eu.tf
+++ b/tf-stage-1/dns-unruhig-eu.tf
@@ -7,6 +7,8 @@ module "dns-unruhig-eu" {
 records = [
 { type = "A", name = "infra", value = "37.221.198.143" },
 { type = "AAAA", name = "infra", value = "2a03:4000:9:176::1" },
+ { type = "A", name = "backup", value = "202.61.225.46" },
+ { type = "AAAA", name = "backup", value = "2a03:4000:56:e17::1" },
 { type = "CNAME", name = "@", value = "web.tobiasmanske.de" },
 { type = "CNAME", name = "www", value = "unruhig.eu" },
 { type = "CNAME", name = "s3", value = "web.tobiasmanske.de" },
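Review bot: `borgbackup.service` runs `ExecStart=/usr/bin/bash /root/backup.sh` as root from the daily timer, yet no `files:` entry in this config provisions `/root/backup.sh`, so every timer run fails until some later step drops the script in, and that step has to leave it root-owned and not group/world-writable, because whoever can edit it gets a daily root execution. I would either ship the script from Butane (a `files:` entry with `mode: 0700`) or at least add `ConditionPathExists=/root/backup.sh` and `Type=oneshot` to the unit, so a missing script is a skipped run rather than a logged failure and the timer reports completion correctly. Separately, both `wipe_filesystem: true` lines under `filesystems:` carry the comment "preserve /var on reinstall (this is the default, but be explicit)", but `true` does the opposite: as far as I recall Ignition's default is `false`, and `false` is what keeps an existing filesystem. On a host whose /var holds /var/lib/docker (the data this unit backs up) that is a destructive mismatch, so either change the value to `wipe_filesystem: false` if preservation across re-provisioning is intended or fix the comment, and drop the copied "/var" comment from the swap entry either way.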