personal_infra/scripts/README.md

# Infrastructure Setup Scripts

This directory contains automated setup scripts for each layer of the infrastructure.

## Overview

Each script handles a complete layer of the infrastructure setup:
- Prompts for required variables
- Validates prerequisites
- Creates configuration files
- Executes playbooks
- Verifies completion

## Usage

Run scripts in order, completing one layer before moving to the next:

### Layer 0: Foundation Setup
```bash
./scripts/setup_layer_0.sh
```
Sets up Ansible control node on your laptop.

### Layer 1A: VPS Basic Setup
```bash
source venv/bin/activate
./scripts/setup_layer_1a_vps.sh
```
Configures users, SSH, firewall, and fail2ban on VPS machines (vipy, watchtower, spacey).
**Runs independently** - no Nodito required.

### Layer 1B: Nodito (Proxmox) Setup
```bash
source venv/bin/activate
./scripts/setup_layer_1b_nodito.sh
```
Configures Nodito Proxmox server: bootstrap, community repos, optional ZFS.
**Runs independently** - no VPS required.

### Layer 2: General Infrastructure Tools
```bash
source venv/bin/activate
./scripts/setup_layer_2.sh
```
Installs rsync and docker on hosts that need them.
- **rsync:** For backup operations (vipy, watchtower, lapy recommended)
- **docker:** For containerized services (vipy, watchtower recommended)
- Interactive: Choose which hosts get which tools

### Layer 3: Reverse Proxy (Caddy)
```bash
source venv/bin/activate
./scripts/setup_layer_3_caddy.sh
```
Deploys Caddy reverse proxy on VPS machines (vipy, watchtower, spacey).
- **Critical:** All web services depend on Caddy
- Automatic HTTPS with Let's Encrypt
- Opens firewall ports 80/443
- Creates sites-enabled directory structure

### Layer 4: Core Monitoring & Notifications
```bash
source venv/bin/activate
./scripts/setup_layer_4_monitoring.sh
```
Deploys ntfy and Uptime Kuma on watchtower.
- **ntfy:** Notification service for alerts
- **Uptime Kuma:** Monitoring platform for all services
- **Critical:** All infrastructure monitoring depends on these
- Sets up backups (optional)
- **Post-deploy:** Create Uptime Kuma admin user and update infra_secrets.yml

### Layer 5: VPN Infrastructure (Headscale)
```bash
source venv/bin/activate
./scripts/setup_layer_5_headscale.sh
```
Deploys Headscale VPN mesh networking on spacey.
- **OPTIONAL** - Skip to Layer 6 if you don't need VPN
- Secure mesh networking between all machines
- Magic DNS for hostname resolution
- NAT traversal support
- Can join machines automatically or manually
- Post-deploy: Configure ACL policies for machine communication

### Layer 6: Infrastructure Monitoring
```bash
source venv/bin/activate
./scripts/setup_layer_6_infra_monitoring.sh
```
Deploys automated monitoring for infrastructure.
- **Requires:** Uptime Kuma credentials in infra_secrets.yml (Layer 4)
- Disk usage monitoring with auto-created push monitors
- System healthcheck (heartbeat) monitoring
- CPU temperature monitoring (nodito only)
- Interactive selection of which hosts to monitor
- All monitors organized by host groups

### Layer 7: Core Services
```bash
source venv/bin/activate
./scripts/setup_layer_7_services.sh
```
Deploys core services on vipy: Vaultwarden, Forgejo, LNBits.
- Password manager (Vaultwarden) with /alive endpoint
- Git server (Forgejo) with /api/healthz endpoint  
- Lightning wallet (LNBits) with /api/v1/health endpoint
- **Automatic:** Creates Uptime Kuma monitors in "services" group
- **Requires:** Uptime Kuma credentials in infra_secrets.yml
- Optional: Configure backups to lapy

### Layer 8+
More scripts will be added as we build out each layer.

## Important Notes

1. **Centralized Configuration:**
   - All service subdomains are configured in `ansible/services_config.yml`
   - Edit this ONE file instead of multiple vars files
   - Created automatically in Layer 0
   - DNS records must match the subdomains you configure

2. **Always activate the venv first** (except for Layer 0):
   ```bash
   source venv/bin/activate
   ```

3. **Complete each layer fully** before moving to the next

4. **Scripts are idempotent** - safe to run multiple times

5. **Review changes** before confirming actions

## Getting Started

1. Read `../human_script.md` for the complete guide
2. Start with Layer 0
3. Follow the prompts
4. Proceed layer by layer
lots of stuff man 2025-11-06 23:09:44 +01:00			`# Infrastructure Setup Scripts`

			`This directory contains automated setup scripts for each layer of the infrastructure.`

			`## Overview`

			`Each script handles a complete layer of the infrastructure setup:`
			`- Prompts for required variables`
			`- Validates prerequisites`
			`- Creates configuration files`
			`- Executes playbooks`
			`- Verifies completion`

			`## Usage`

			`Run scripts in order, completing one layer before moving to the next:`

			`### Layer 0: Foundation Setup`
			```bash
			`./scripts/setup_layer_0.sh`
			```
			`Sets up Ansible control node on your laptop.`

			`### Layer 1A: VPS Basic Setup`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_1a_vps.sh`
			```
			`Configures users, SSH, firewall, and fail2ban on VPS machines (vipy, watchtower, spacey).`
			`Runs independently - no Nodito required.`

			`### Layer 1B: Nodito (Proxmox) Setup`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_1b_nodito.sh`
			```
			`Configures Nodito Proxmox server: bootstrap, community repos, optional ZFS.`
			`Runs independently - no VPS required.`

			`### Layer 2: General Infrastructure Tools`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_2.sh`
			```
			`Installs rsync and docker on hosts that need them.`
			`- rsync: For backup operations (vipy, watchtower, lapy recommended)`
			`- docker: For containerized services (vipy, watchtower recommended)`
			`- Interactive: Choose which hosts get which tools`

			`### Layer 3: Reverse Proxy (Caddy)`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_3_caddy.sh`
			```
			`Deploys Caddy reverse proxy on VPS machines (vipy, watchtower, spacey).`
			`- Critical: All web services depend on Caddy`
			`- Automatic HTTPS with Let's Encrypt`
			`- Opens firewall ports 80/443`
			`- Creates sites-enabled directory structure`

			`### Layer 4: Core Monitoring & Notifications`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_4_monitoring.sh`
			```
			`Deploys ntfy and Uptime Kuma on watchtower.`
			`- ntfy: Notification service for alerts`
			`- Uptime Kuma: Monitoring platform for all services`
			`- Critical: All infrastructure monitoring depends on these`
			`- Sets up backups (optional)`
			`- Post-deploy: Create Uptime Kuma admin user and update infra_secrets.yml`

			`### Layer 5: VPN Infrastructure (Headscale)`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_5_headscale.sh`
			```
			`Deploys Headscale VPN mesh networking on spacey.`
			`- OPTIONAL - Skip to Layer 6 if you don't need VPN`
			`- Secure mesh networking between all machines`
			`- Magic DNS for hostname resolution`
			`- NAT traversal support`
			`- Can join machines automatically or manually`
			`- Post-deploy: Configure ACL policies for machine communication`

			`### Layer 6: Infrastructure Monitoring`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_6_infra_monitoring.sh`
			```
			`Deploys automated monitoring for infrastructure.`
			`- Requires: Uptime Kuma credentials in infra_secrets.yml (Layer 4)`
			`- Disk usage monitoring with auto-created push monitors`
			`- System healthcheck (heartbeat) monitoring`
			`- CPU temperature monitoring (nodito only)`
			`- Interactive selection of which hosts to monitor`
			`- All monitors organized by host groups`

			`### Layer 7: Core Services`
			```bash
			`source venv/bin/activate`
			`./scripts/setup_layer_7_services.sh`
			```
			`Deploys core services on vipy: Vaultwarden, Forgejo, LNBits.`
			`- Password manager (Vaultwarden) with /alive endpoint`
			`- Git server (Forgejo) with /api/healthz endpoint`
			`- Lightning wallet (LNBits) with /api/v1/health endpoint`
			`- Automatic: Creates Uptime Kuma monitors in "services" group`
			`- Requires: Uptime Kuma credentials in infra_secrets.yml`
			`- Optional: Configure backups to lapy`

			`### Layer 8+`
			`More scripts will be added as we build out each layer.`

			`## Important Notes`

			`1. Centralized Configuration:`
			- All service subdomains are configured in `ansible/services_config.yml`
			`- Edit this ONE file instead of multiple vars files`
			`- Created automatically in Layer 0`
			`- DNS records must match the subdomains you configure`

			`2. Always activate the venv first (except for Layer 0):`
			```bash
			`source venv/bin/activate`
			```

			`3. Complete each layer fully before moving to the next`

			`4. Scripts are idempotent - safe to run multiple times`

			`5. Review changes before confirming actions`

			`## Getting Started`

			1. Read `../human_script.md` for the complete guide
			`2. Start with Layer 0`
			`3. Follow the prompts`
			`4. Proceed layer by layer`