feat(tools): create prototype for infra CLI

Makefile

@@ -1,26 +1,34 @@
-REGISTRY	:= ghcr.io
-REPO			:= nicklasfrahm/infrastructure
-TARGET		?= metal
-SOURCES		:= $(shell find . -name "*.go")
-PLATFORM	?= $(shell go version | cut -d " " -f 4)
-GOOS		:= $(shell echo $(PLATFORM) | cut -d "/" -f 1)
-GOARCH		:= $(shell echo $(PLATFORM) | cut -d "/" -f 2)
-SUFFIX		:= $(GOOS)-$(GOARCH)
-VERSION		?= $(shell git describe --always --tags --dirty)
+TARGET			?= ic
+PLATFORM		?= $(shell go version | cut -d " " -f 4)
+VERSION			?= $(shell git describe --always --tags --dirty)
+REPO				:= $(shell git remote get-url origin | sed 's|https://github.com||g' |  grep -oE '[a-z-]+/[a-z-]+')
+SOURCES			:= $(shell find . -name "*.go")
+GOOS				:= $(shell echo $(PLATFORM) | cut -d "/" -f 1)
+GOARCH			:= $(shell echo $(PLATFORM) | cut -d "/" -f 2)
+SUFFIX			:= $(GOOS)-$(GOARCH)
 BUILD_FLAGS	:= -ldflags="-s -w -X main.version=$(VERSION)"
+BIN_DIR			:= /usr/local/bin
+REGISTRY		:= ghcr.io
 
 ifeq ($(GOOS),windows)
 SUFFIX	= $(GOOS)-$(GOARCH).exe
 endif
 
-BINARY	?= bin/$(TARGET)-$(SUFFIX)
+BINARY			?= bin/$(TARGET)-$(SUFFIX)
 
-build: bin/$(TARGET)-$(SUFFIX)
+build: $(BINARY)
 
-bin/$(TARGET)-$(SUFFIX): $(SOURCES)
+$(BINARY): $(SOURCES)
 	@mkdir -p $(@D)
-	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_FLAGS) -o $(BINARY) cmd/$(TARGET)/*.go
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_FLAGS) -o $@ cmd/$(TARGET)/*.go
 
+install: $(BIN_DIR)/$(TARGET)
+
+$(BIN_DIR)/$(TARGET): $(BINARY)
+	sudo install -m 0755 $^ $@
+
+uninstall:
+	sudo rm -f $(BIN_DIR)/$(TARGET)
 
 .PHONY: docker
 docker:

README.md

@@ -14,6 +14,17 @@ Since 2018 I started to make significant changes by automating the configuration
 
 Now, I am in the process of upgrading my infrastructure to become cloud-native and fully automated. The goal is to provide a RESTful API to provision baremetal machines from scratch, configure networking, and bootstrap and autoscale Kubernetes clusters.
 
+## Identity 🔑
+
+**Status:** 🚧 Implementation
+
+The primary method of authentication will be Open ID Connect (OIDC) and OIDC federation. In this setup [accounts.google.com][google-accounts] will serve as the root of trust to support the following scenarios:
+
+- **Single-sign-on (SSO) as a user**  
+  In a browser and using CLIs, I can use my Google account, which is protected via two physical security keys, to authenticate myself to my services.
+- **A service running in Kubernetes**  
+  Each service running in Kubernetes will have a corresponding service account in Google Cloud. The service account will then use OIDC federation to authenticate itself to any other services and across clusters.
+
 ## Networking 🔌
 
 Below, I describe the network setup of my Homelab. Some parts of it are already implemented, while others are still being conceptualized.
@@ -157,3 +168,4 @@ This project is licensed under the terms of the [MIT license][file-license].
 [docs-netplan-examples]: https://netplan.io/examples/
 [docs-netplan]: https://netplan.io
 [website-argo-installation]: https://www.arthurkoziel.com/setting-up-argocd-with-helm/
+[google-accounts]: https://accounts.google.com

cmd/ic/main.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/nicklasfrahm/infrastructure/cmd/ic/zone"
+)
+
+var version = "dev"
+var help bool
+
+var rootCmd = &cobra.Command{
+	Use:   "ic",
+	Short: "A CLI to manage infrastructure",
+	Long: `   _
+  (_) ___
+  | |/ __|
+  | | (__
+  |_|\___|
+
+ic is a CLI to manage infrastructure. It provides
+a variety of commands to manage different stages
+of the infrastructure lifecycle.`,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		if help {
+			cmd.Help()
+			os.Exit(0)
+		}
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.Help()
+		os.Exit(1)
+		return nil
+	},
+	Version:      version,
+	SilenceUsage: true,
+}
+
+func init() {
+	rootCmd.PersistentFlags().BoolVarP(&help, "help", "h", false, "Print this help")
+	rootCmd.AddCommand(zone.Command)
+}
+
+func main() {
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}

cmd/ic/zone/main.go

@@ -0,0 +1,23 @@
+package zone
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var Command = &cobra.Command{
+	Use:   "zone",
+	Short: `Manage availability zones`,
+	Long: `Bootstrap new availability zones and manage the
+lifecycle of existing ones.`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.Help()
+		os.Exit(1)
+		return nil
+	},
+}
+
+func init() {
+	Command.AddCommand(upCmd)
+}

cmd/ic/zone/up.go

@@ -0,0 +1,59 @@
+package zone
+
+import (
+	"fmt"
+
+	_ "github.com/joho/godotenv/autoload"
+	"github.com/spf13/cobra"
+
+	"github.com/nicklasfrahm/infrastructure/pkg/kraut/zone"
+)
+
+var (
+	zoneConfig = zone.Zone{
+		Router: &zone.ZoneRouter{},
+	}
+	configFile string
+)
+
+var upCmd = &cobra.Command{
+	Use:   "up <host>",
+	Short: "Bootstrap a new availability zone",
+	Long: `This command will bootstrap a new zone by connecting
+to the specified IP and setting up a k3s cluster on
+the host that will then set up the required services
+for managing the lifecycle of the zone.
+
+To manage a zone, the CLI needs credentials for the
+DNS provider that is used to manage the DNS records
+for the zone. These credentials can only be provided
+via the environment variable DNS_PROVIDER_CREDENTIAL
+and DNS_PROVIDER or via a ".env" file in the current
+working directory.`,
+	Args:       cobra.ExactArgs(1),
+	ArgAliases: []string{"host"},
+	ValidArgs:  []string{"host"},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// This should be safe because of the ExactArgs(1) constraint,
+		// but we still need to check it to avoid panics.
+		if len(args) != 1 {
+			return fmt.Errorf("accepts 1 arg(s), received %d", len(args))
+		}
+		host := args[0]
+
+		if err := zone.Up(host, &zoneConfig); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	upCmd.Flags().StringVarP(&zoneConfig.Name, "name", "n", "", "name of the zone")
+	upCmd.Flags().StringVarP(&zoneConfig.Domain, "domain", "d", "", "domain that will contain the DNS records for the zone")
+	upCmd.Flags().StringVarP(&zoneConfig.Router.Hostname, "hostname", "H", "", "hostname of the router serving the zone")
+	upCmd.Flags().IPVarP(&zoneConfig.Router.ID, "router-id", "r", nil, "IPv4 address of the router serving the zone")
+	upCmd.Flags().Uint32VarP(&zoneConfig.Router.ASN, "asn", "a", 0, "autonomous system number of the zone")
+	upCmd.Flags().StringVarP(&configFile, "config", "c", "", "path to the configuration file")
+}

cmd/metal/hardwares.go

@@ -25,7 +25,7 @@ func Hardware(useRemote bool) *fiber.App {
 		var bytes []byte
 		var err error
 
-		path := fmt.Sprintf("configs/hardwares/%s.yaml", name)
+		path := fmt.Sprintf("config/hardwares/%s.yaml", name)
 		if useRemote {
 			// Use the GitHub API to fetch the file.
 			path = fmt.Sprintf(fileURLTemplate, repository, path)

config/kraut/aar1.yaml

@@ -0,0 +1,7 @@
+# TODO: Create a manifest with a structure similar to ones Kubernetes.
+domain: nicklasfrahm.dev
+name: aar1
+router:
+  hostname: alfa
+  id: 172.31.255.0
+  asn: 65000

configs/sites/alfa/netplan.yaml → config/sites/alfa/netplan.yaml

@@ -18,7 +18,8 @@ network:
           - 1.1.1.1
           - 1.0.0.1
         search:
-          - nicklasfrahm.xyz
+          - srv.nicklasfrahm.dev
+          - nicklasfrahm.dev
     enp3s0:
       dhcp4: false
       dhcp6: false

configs/sites/bravo/netplan.yaml → config/sites/bravo/netplan.yaml

@@ -6,11 +6,7 @@ network:
         name: lo
       addresses:
         - 172.31.255.1/32
-        - fdff:ffff:ffff:ffff::1:0/128
-    eth0:
-      # Spoof MAC address to avoid same IP on multiple sites.
-      match:
-        macaddress: ae:99:7d:fb:4f:13
+    wan:
       macaddress: ae:99:7d:fb:4f:11
       dhcp4: true
       dhcp4-overrides:
@@ -25,19 +21,19 @@ network:
         search:
           - srv.nicklasfrahm.dev
           - nicklasfrahm.dev
-    eth1:
+    lan1:
       dhcp4: false
       dhcp6: false
       optional: true
-    eth2:
+    lan2:
       dhcp4: false
       dhcp6: false
       optional: true
   bridges:
     br0:
       interfaces:
-        - eth1
-        - eth2
+        - lan1
+        - lan2
       dhcp4: false
       dhcp6: false
       addresses:

configs/sites/bravo/nftables.conf → config/sites/bravo/nftables.conf

@@ -7,7 +7,7 @@
 flush ruleset
 
 # Declare variables.
-define iface_wan = "eth0"
+define iface_wan = "wan"
 
 # Create a table for firewalling.
 table inet firewall {

docs/appliance-lifecycle.md

@@ -0,0 +1,35 @@
+# Appliance lifycycle
+
+An appliance is a piece of hardware that comes with a pre-installed operating system. This document describes how the lifecycle of appliances is managed.
+
+## Provisioning 🪄
+
+For different hardware the appliance provisioning process is different. Please see the different sections below for more information.
+
+### Nano Pi R5S 📡
+
+1. Build a fresh appliance image:
+
+   ```bash
+   BOARD=nanopi-r5s make build-appliance
+   ```
+
+2. Use [Etcher][etcher] to flash the image to an SD card.
+3. Log in to the appliance using the default credentials:
+
+   - Username: `nicklasfrahm`
+   - Password: `nicklasfrahm`
+
+4. Fetch the IP address of the appliance:
+
+   ```bash
+   ip addr show wan | grep 'inet ' | awk '{print $2}'
+   ```
+
+5. On a different machine, run the bootstrap command:
+
+   ```bash
+   ic metal bootstrap <ip>
+   ```
+
+[etcher]: https://etcher.balena.io/