qdrddr/kwuxlab

Kwuxlab

Kwuxlab is a repository containing real-world examples of:

  1. Infrastructure configuration/deployment (via terraform/terragrunt)
  2. Configuration management (via ansible)
  3. Deploying services on top of a cluster of machines
    1. Private networking via Tailscale
    2. Hashicorp stack
      • Service Discovery via Consul
      • Container (and direct-host) workload scheduling and orchestration via Nomad
      • Service mesh via Consul Connect
      • Secret management via Vault

Kwuxlab Free vs. Kwuxlab Pro

Kwuxlab Free is designed to be a playground environment, where you can get familiar with basic features of Consul, Vault, and Nomad.

Kwuxlab Free allows you to quickly deploy a fully functional Hashicorp cluster on your local machine via VMs, so you can follow along with tutorials and get familiar with the fantastic developer experience that the stack enables!

Kwuxlab Pro provides you with a complete set of tools to deploy and comfortably maintain a complete environment, including, at a high level:

  • Connecting all nodes in the environment via Tailscale VPN, and using the dual-network configuration to deploy sensitive applications (e.g. Consul) on the private network, while allowing internet-facing traffic via the Envoy proxy, managed by Nomad.
  • Configuring and initializing Consul and Nomad Access Control Lists (ACLs) for secure authentication/authorization across services and Vault-managed secrets.
  • And much, much more (see below)!

Moving from the Kwuxlab Pro environment to a homelab/production environment requires only that you add additional security where desired (e.g. configuring cloud-provider firewalls).

Features

  1. Infrastructure Environment

    • ✔️ (Kwuxlab Pro Only) Terraform modules and Terragrunt configuration for deployment on
      • ✔️ Hetzner Cloud
      • AWS
      • GCP
      • Azure
    • ✔️ Virtual machine deployment via Vagrant
  2. Basic compute environment configuration, including basic security/quality-of-life settings:

    • ✔️ (Kwuxlab Pro Only) Non-root sudoer user creation
      • Includes configuration to allow use of the non-root user with Ansible
    • ✔️ (Kwuxlab Pro Only) Log-rotation & Journalctl max disk usage settings
    • ✔️ (Kwuxlab Pro Only) NTP installation/configuration to avoid time-drift
    • ✔️ (Kwuxlab Pro Only) Base firewall configuration via the Uncomplicated Firewall (UFW)
    • ✔️ (Kwuxlab Pro Only) Secure SSH configuration
      • Includes configuration of authorized_hosts file
    • ✔️ (Kwuxlab Pro Only) Fail2Ban configuration
    • ✔️ (Kwuxlab Pro Only) Hostname configuration
    • ✔️ (Kwuxlab Pro Only) Tailscale installation & bootstrapping
    • ✔️ (Kwuxlab Pro Only) Stateful storage with details of ansible playbook execution (version, etc.) on remote host for future debugging/upgrade reference.
    • ✔️ Docker installation & base configuration
    • ✔️ Python/python3-pip installation/configuration
    • ✔️ Envoy proxy installation/base configuration
  3. Consul deployment/configuration

  4. Vault deployment/configuration

    • ✔️ (Kwuxlab Pro Only) Service (all ports) bound to private (tailscale) network; not accessible via internet.
    • ✔️ (Kwuxlab Pro Only) Integrate with Consul via ACL token
    • ✔️ Basic Vault installation
  5. Nomad deployment/configuration

    • ✔️ (Kwuxlab Pro Only) Service (all ports) bound to private (tailscale) network; not accessible via internet.
    • ✔️ (Kwuxlab Pro Only) Configure and manage Host Volumes for stateful workloads
    • ✔️ (Kwuxlab Pro Only) Dynamic integration with upstream services (Vault, Consul) via Consul DNS/Service Discovery
    • ✔️ (Kwuxlab Pro Only) Authorization with Consul via Consul Access Control Lists (ACLs)
    • ✔️ (Kwuxlab Pro Only) Configuration & Bootstrapping of Nomad Access Control Lists (ACLs)
    • ✔️ Nomad installation
    • ✔️ Consul integration
    • ✔️ Vault integration

Support Kwuxlab/InfraCasts to get these awesome features AND awesome tutorials on how to make use of this code at https://infracasts.com

Getting Started

This repository makes use of git submodules, which you'll need to fetch. Don't worry, it's pretty straightforward; the commands below should fetch all required components!

  1. Clone this repository with submodules

    git clone --recurse-submodules -j4 git@gitlab.com:momer/kwuxlab.git
  2. Ensure fetch of submodules

    git submodule update --init --recursive --remote
  3. Begin by creating your target infrastructure environment; see /infrastructure/README.md for details.

  4. Configure your machines with Ansible, securing them and installing services like Tailscale, the Hashicorp stack, etc. See this project's /ansible/README for details.

Languages

  • HCL 88.9%
  • Shell 6.7%
  • Jinja 4.4%