feat: Add infrastructure provision logic

Author: adskyiproger

.github/workflows/provision-k8s.yml

@@ -0,0 +1,73 @@
+name: Provision k8s Infrastructure
+run-name: "Provision ${{ inputs.environment }} (tag: ${{ inputs.tags }})"
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Infrastructure to provision'
+        required: true
+        default: 'e2e'
+        type: choice
+        options:
+          - e2e
+
+      tags:
+        description: 'Tags to apply to the provisioned resources'
+        required: true
+        default: all
+        type: choice
+        options:
+          - all
+          - updates
+          - users
+          - backup
+          - application
+          - tools
+          - fail2ban
+          - decrypt-on-boot
+          - checks
+          - containerd-setup
+          - kubernetes-installation
+          - join-workers
+          - system-preparation
+jobs:
+  provision:
+    runs-on:
+      - self-hosted
+      - ${{ inputs.environment }}
+      - node
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Set variables for ansible
+        id: ansible-variables
+        run: |
+          JSON_WITH_NEWLINES=$(cat<<EOF
+            ${{ toJSON(env) }}
+          EOF)
+          JSON_WITHOUT_NEWLINES=$(echo $JSON_WITH_NEWLINES | jq -R -c .)
+          echo "EXTRA_VARS=$JSON_WITHOUT_NEWLINES" >> $GITHUB_OUTPUT
+        env:
+          encrypted_disk_size: ${{ vars.DISK_SPACE }}
+          disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }}
+          k8s_runner_token: ${{ secrets.GH_TOKEN }}
+          repository: ${{ github.repository }}
+          k8s_cluster_env: ${{ inputs.environment }}
+          docker_username: ${{ secrets.DOCKER_USERNAME }}
+          docker_password: ${{ secrets.DOCKER_TOKEN }}
+      - name: checkout repository
+        uses: actions/checkout@v5
+      - name: Run Ansible Playbook
+        uses: dawidd6/action-ansible-playbook@v4
+        env:
+          ANSIBLE_PERSISTENT_COMMAND_TIMEOUT: 10
+          ANSIBLE_SSH_TIMEOUT: 10
+          ANSIBLE_SSH_RETRIES: 5
+        with:
+          requirements: galaxy-requirements.yml
+          playbook: playbook.yml
+          directory: ./infrastructure-k8s/server-setup
+          # Add --verbose to get more output
+          options: |-
+            --inventory inventory/${{ inputs.environment }}.yml
+            ${{ inputs.tags != 'all' && format('--tags={0}', inputs.tags) || '' }}
+            --extra-vars ""${{ steps.ansible-variables.outputs.EXTRA_VARS }}""

infrastructure-k8s/README.md

@@ -0,0 +1,7 @@
+# WORK IN PROGRESS!!!!!!!
+
+DONT'T TRY TO RUN CONTENT INSIDE THIS FOLDER
+
+# Kubernetes todo
+
+1. Add metrics server: https://github.com/kubernetes-sigs/metrics-server

infrastructure-k8s/cryptfs/bootstrap.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+set -e
+
+# defaults, use options to override
+FS_SIZE=50g                       # -s, --size
+FS_FILE=/cryptfs_file_sparse.img  # -f, --file
+MOUNT_PATH=/data                  # -m, --mount
+DEV_MAP_NAME=cryptfs              # -n, --name
+                                  # -p, --passphrase (required)
+
+# options
+while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
+  -s | --size )
+    shift; FS_SIZE=$1
+    ;;
+  -f | --file )
+    shift; FS_FILE=$1
+    ;;
+  -m | --mount )
+    shift; MOUNT_PATH=$1
+    ;;
+  -n | --dev-map-name )
+    shift; DEV_MAP_NAME=$1
+    ;;
+  -p | --passphrase )
+    shift; PASSPHRASE=$1
+    ;;
+esac; shift; done
+if [[ "$1" == '--' ]]; then shift; fi
+
+if [[ -z "$PASSPHRASE" ]]; then
+  echo "ERROR: Passphrase is required. Use -p or --passphrase."
+  exit 1
+fi
+
+# creates a sparse file that will be used for the crypt file system data
+if test -f "$FS_FILE"; then
+  echo "ERROR: $FS_FILE exists, cannot bootstrap as the file might already contain existing data. Try run mount.sh to mount the file."
+  exit 1
+else
+  truncate -s $FS_SIZE $FS_FILE
+fi
+
+# create a loop device from the data file
+LOOP_DEVICE=$(losetup --find --show $FS_FILE)
+
+# setup encryption on the device
+echo $PASSPHRASE | cryptsetup -q -d - luksFormat $LOOP_DEVICE
+
+# open the LUKS device and set a mapping name
+echo $PASSPHRASE | cryptsetup -d - luksOpen $LOOP_DEVICE $DEV_MAP_NAME
+
+# create a file system on the device
+mkfs.ext4 /dev/mapper/$DEV_MAP_NAME
+
+# mount the device to a folder
+mkdir -p $MOUNT_PATH
+mount /dev/mapper/$DEV_MAP_NAME $MOUNT_PATH

infrastructure-k8s/cryptfs/decrypt.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+# defaults, use options to override
+FS_FILE=/cryptfs_file_sparse.img  # -f, --file
+MOUNT_PATH=/data                  # -m, --mount
+DEV_MAP_NAME=cryptfs              # -n, --name
+                                  # -key, --encryptionKeyFilepath (required - path to a file containing the decryption passphrase in the format DISK_ENCRYPTION_KEY=XXXX.)
+# options
+while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
+  -f | --file )
+    shift; FS_FILE=$1
+    ;;
+  -m | --mount )
+    shift; MOUNT_PATH=$1
+    ;;
+  -n | --dev-map-name )
+    shift; DEV_MAP_NAME=$1
+    ;;
+  -key | --encryptionKeyFilepath )
+    shift; ENCRYPTION_KEY_FILE_PATH=$1
+    ;;
+esac; shift; done
+if [[ "$1" == '--' ]]; then shift; fi
+
+# In this example, we load the disk encryption password from a file.
+# We recommend that the encryption key is served via a secure API from a Hardware Security Module
+if [[ -z "$ENCRYPTION_KEY_FILE_PATH" ]]; then
+  echo "ERROR: Disk encrytion key file path is required. Use -key or --encryptionKeyFilepath."
+  exit 1
+fi
+
+source $ENCRYPTION_KEY_FILE_PATH
+
+# create a loop device from the data file if it doesn't already exist
+LOOP_DEVICE=$(losetup -j /cryptfs_file_sparse.img | awk '{print substr($1, 1, length($1)-1)}' | head -1)
+echo $LOOP_DEVICE
+if [[ -z "$LOOP_DEVICE" ]]; then
+  LOOP_DEVICE=$(losetup --find --show $FS_FILE)
+  echo "Created new loop device $LOOP_DEVICE"
+else
+  echo "Using existing loop device $LOOP_DEVICE"
+fi
+
+# open the LUKS device and set a mapping name
+echo $DISK_ENCRYPTION_KEY | cryptsetup -d - luksOpen $LOOP_DEVICE $DEV_MAP_NAME || true
+
+# mount the device to a folder
+mount /dev/mapper/$DEV_MAP_NAME $MOUNT_PATH || true

infrastructure-k8s/cryptfs/mount.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+# defaults, use options to override
+FS_FILE=/cryptfs_file_sparse.img  # -f, --file
+MOUNT_PATH=/data                  # -m, --mount
+DEV_MAP_NAME=cryptfs              # -n, --name
+                                  # -p, --passphrase (required)
+
+# options
+while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
+  -f | --file )
+    shift; FS_FILE=$1
+    ;;
+  -m | --mount )
+    shift; MOUNT_PATH=$1
+    ;;
+  -n | --dev-map-name )
+    shift; DEV_MAP_NAME=$1
+    ;;
+  -p | --passphrase )
+    shift; PASSPHRASE=$1
+    ;;
+esac; shift; done
+if [[ "$1" == '--' ]]; then shift; fi
+
+if [[ -z "$PASSPHRASE" ]]; then
+  echo "ERROR: Passphrase is required. Use -p or --passphrase."
+  exit 1
+fi
+
+# create a loop device from the data file if it doesn't already exist
+LOOP_DEVICE=$(losetup -j /cryptfs_file_sparse.img | awk '{print substr($1, 1, length($1)-1)}' | head -1)
+echo $LOOP_DEVICE
+if [[ -z "$LOOP_DEVICE" ]]; then
+  LOOP_DEVICE=$(losetup --find --show $FS_FILE)
+  echo "Created new loop device $LOOP_DEVICE"
+else
+  echo "Using existing loop device $LOOP_DEVICE"
+fi
+
+# open the LUKS device and set a mapping name
+echo $PASSPHRASE | cryptsetup -d - luksOpen $LOOP_DEVICE $DEV_MAP_NAME || true
+
+# mount the device to a folder
+mount /dev/mapper/$DEV_MAP_NAME $MOUNT_PATH || true

infrastructure-k8s/cryptfs/umount.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+# defaults, use options to override
+FS_FILE=/cryptfs_file_sparse.img  # -f, --file
+MOUNT_PATH=/data                  # -m, --mount
+DEV_MAP_NAME=cryptfs              # -n, --name
+
+# options
+while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
+  -f | --file )
+    shift; FS_FILE=$1
+    ;;
+  -m | --mount )
+    shift; MOUNT_PATH=$1
+    ;;
+  -n | --dev-map-name )
+    shift; DEV_MAP_NAME=$1
+    ;;
+esac; shift; done
+if [[ "$1" == '--' ]]; then shift; fi
+
+# unmount the device from a folder
+umount $MOUNT_PATH
+
+# close the encrypted device
+cryptsetup luksClose /dev/mapper/$DEV_MAP_NAME
+
+# remove the associated loop devices
+losetup -l | grep $FS_FILE | awk '{print $1}' | xargs -L 1 losetup -d