CICD Mothership aka tappaas-cicd
The TAPPaaS CICD "mothership", named "tappaas-cicd", is the central control VM that manages your entire TAPPaaS infrastructure through automation and configuration management.
Overview
The implementation involves three phases:
- VM Creation - Deploy from the NixOS template
- System Configuration - Configure git repository and NixOS settings
- Tool Installation - Set up CI/CD pipelines and utilities
Prerequisites
- VM Templates created
- Firewall accessible
- Git repository access configured
Deploy the VM
Download Configuration
On a Proxmox host:
REPO="https://raw.githubusercontent.com/TAPPaaS/TAPPaaS/"
BRANCH="stable"
mkdir -p ~/tappaas   # the redirect below fails if the directory does not exist yet
curl -fsSL "${REPO}${BRANCH}/src/foundation/tappaas-cicd/tappaas-cicd.json" \
> ~/tappaas/tappaas-cicd.json
Clone from Template
Get VM IP
Once the VM boots, find its IP address:
- Check the DHCP leases in OPNsense, or
- View the VM summary page in Proxmox
Connect via SSH
Initial Configuration
Run Setup Script
REPO="https://raw.githubusercontent.com/TAPPaaS/TAPPaaS/"
REPOTOCLONE="https://github.com/TAPPaaS/TAPPaaS.git"
BRANCH="stable"
curl -fsSL "${REPO}${BRANCH}/src/foundation/tappaas-cicd/install1.sh" \
-o /tmp/install1.sh
bash /tmp/install1.sh "$REPOTOCLONE" "$BRANCH"
This script:
- Sets the hostname
- Clones the TAPPaaS repository
- Configures NixOS integration
Reboot
After the reboot, verify connectivity using the FQDN:
Firewall Integration
SSH Authentication
Set up SSH key authentication to OPNsense:
- Enable SSH in OPNsense:
  - Log into OPNsense on firewall.mgmt.internal
  - Navigate to System → Settings → Administration
  - Enable "Secure Shell"
  - Permit root user login
  - Disable password authentication
  - Press Save to apply the settings
- Install the public key:
  Copy the output and enter it in the OPNsense GUI under:
  - System → Access → Users
  - Click the edit command on the "root" account
  - Scroll down to the bottom and enter the key
  - Press Save
- Test the connection:
  ssh root@firewall.mgmt.internal "echo 'SSH working'"
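The two things that usually go wrong at this step are a key line mangled by copy-paste (or the private key pasted instead of the public one) and a test that "works" only because ssh quietly fell back to a password prompt. The following POSIX shell script is an added example, not code from the TAPPaaS repository or this page: it validates the public key line before you paste it (the key type must be one OpenSSH accepts, the base64 must decode, and every length-prefixed field in the blob must fit exactly, so a truncated key is rejected), and it tests the login with BatchMode so that no password prompt can mask a missing key. The script name, the KEYFILE/TESTHOST variables and the default key path are assumptions; firewall.mgmt.internal and the root account are the ones this page uses. The method list check relies on OpenSSH answering a PreferredAuthentications=none attempt with "Permission denied (publickey,...)" naming the methods the server still accepts.

```shell
#!/bin/sh
# Added example, not part of the TAPPaaS repository or the page it accompanies.
# Checks an OpenSSH public key line before it is pasted into the OPNsense
# "root" account, then tests key-based root login without a password fallback.

# check_pubkey_line LINE -> 0 if LINE is a well-formed OpenSSH public key line.
# Rejects a private key pasted by mistake, an unsupported key type, base64 that
# does not decode, and a blob whose length-prefixed fields do not fit exactly
# (a key truncated by copy-paste still decodes but fails this walk).
check_pubkey_line() {
    _line=$1
    case "$_line" in *"PRIVATE KEY"*) return 1 ;; esac
    # shellcheck disable=SC2086  # word splitting on purpose: "type b64 [comment]"
    set -- $_line
    [ $# -ge 2 ] || return 1
    _type=$1
    _b64=$2
    case "$_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac

    _blob=$(mktemp) || return 1
    if ! printf '%s' "$_b64" | base64 -d > "$_blob" 2>/dev/null; then
        rm -f "$_blob"
        return 1
    fi
    _total=$(( $(wc -c < "$_blob") + 0 ))
    _off=0
    _first=1
    _ok=1
    # The blob is a sequence of fields, each a big-endian uint32 length followed
    # by that many bytes. The first field must spell the same type as word one.
    while [ "$_off" -lt "$_total" ]; do
        if [ $((_off + 4)) -gt "$_total" ]; then _ok=0; break; fi
        set -- $(od -An -v -tu1 -j "$_off" -N 4 "$_blob")
        _len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
        _off=$((_off + 4))
        if [ $((_off + _len)) -gt "$_total" ]; then _ok=0; break; fi
        if [ "$_first" -eq 1 ]; then
            _field=$(dd if="$_blob" bs=1 skip="$_off" count="$_len" 2>/dev/null)
            if [ "$_field" != "$_type" ]; then _ok=0; break; fi
            _first=0
        fi
        _off=$((_off + _len))
    done
    rm -f "$_blob"
    [ "$_ok" -eq 1 ] && [ "$_total" -gt 0 ]
}

# test_key_login HOST -> 0 if root@HOST accepts the key and HOST no longer
# offers password-style logins. BatchMode=yes makes ssh fail instead of
# prompting; PreferredAuthentications=none makes the server answer with the
# methods it still accepts, e.g. "Permission denied (publickey)."
test_key_login() {
    _host=${1:-firewall.mgmt.internal}
    ssh -o BatchMode=yes -o PasswordAuthentication=no "root@$_host" 'echo SSH working' || return 1
    _methods=$(ssh -o BatchMode=yes -o PreferredAuthentications=none "root@$_host" true 2>&1 \
        | sed -n 's/.*Permission denied (\(.*\))\..*/\1/p')
    case "$_methods" in
        *password*|*keyboard-interactive*)
            echo "WARNING: $_host still offers: $_methods; recheck 'Disable password authentication'" >&2
            return 1 ;;
    esac
    return 0
}

# Usage (file and variable names are assumptions, not from the page):
#   KEYFILE=~/.ssh/id_ed25519.pub sh check-opnsense-key.sh      # before pasting
#   TESTHOST=firewall.mgmt.internal sh check-opnsense-key.sh    # after pasting
if [ -n "${KEYFILE:-}" ]; then
    if check_pubkey_line "$(head -n 1 "$KEYFILE")"; then
        echo "OK: paste the line from $KEYFILE under System -> Access -> Users -> root"
    else
        echo "refusing: $KEYFILE is not a well-formed OpenSSH public key line" >&2
        exit 1
    fi
fi
if [ -n "${TESTHOST:-}" ]; then
    test_key_login "$TESTHOST"
fi
```

The structural walk works for every OpenSSH key type because RSA, ECDSA and Ed25519 blobs are all just length-prefixed fields; it is not a cryptographic check, only a guard against pasting something that OPNsense will store but sshd will never match.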
API Access
Create API credentials for automation:
- In OPNsense, navigate to System → Access → Users
- Create a user named tappaas with group membership "admin"
- Privileges: "all pages"
- Generate an API key and secret:
  - On the same page, in the new user line tappaas, look at the commands section to the right. There is a "create and download API keys" button
  - Press it to create the keys
  - Open the downloaded txt file and copy the two key lines
- In a terminal window, ssh into tappaas-cicd and:
  - Create the file ~/.opnsense-credentials.txt using vi or nano
  - Insert the two copied API key lines
  - Save, and make sure the file is readable only by your own user: with "all pages" privileges this key pair is a full administrator login to the firewall
- Delete the downloaded key file from your browser PC.
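Because the key pair above is equivalent to an admin login, it is worth checking the credentials file's permissions before anything on tappaas-cicd starts using it, and worth proving the pair works with one read-only call. The following POSIX shell script is an added example, not code from the TAPPaaS repository or this page: it refuses a credentials file that is not mode 600/400 or that does not hold exactly one key= and one secret= line, reads the two values, and hands them to curl through a config fragment on stdin so they never appear in the process list. The key=/secret= line format is what OPNsense's "create and download API keys" button produces, HTTP basic auth with key as user name and secret as password is how the OPNsense API authenticates, and /api/core/firmware/status is a real read-only OPNsense endpoint; the script name, the RUN_API_CHECK/OPNSENSE_CREDS/OPNSENSE_HOST variables are assumptions, while the file path and firewall name are the ones this page uses.

```shell
#!/bin/sh
# Added example, not part of the TAPPaaS repository or this page. Keeps the
# credentials file private, reads the key/secret pair out of it and makes one
# read-only API call to prove the pair works. The "key=" / "secret=" lines are
# the format of the file OPNsense's "create and download API keys" button
# produces; the path and host are the ones used on this page.

CREDS=${OPNSENSE_CREDS:-$HOME/.opnsense-credentials.txt}
HOST=${OPNSENSE_HOST:-firewall.mgmt.internal}

# file_mode FILE -> permission bits in octal (GNU stat first, then BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_creds_file FILE -> 0 if FILE is a regular file readable only by its
# owner (mode 600 or 400) with exactly one key= and one secret= line.
# An API key with "all pages" privileges is a full admin login, so anything
# more permissive than that is rejected.
check_creds_file() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$(grep -c '^key=' "$1")" -eq 1 ] || return 1
    [ "$(grep -c '^secret=' "$1")" -eq 1 ] || return 1
}

# read_cred FILE NAME -> value of the NAME= line; NAME is "key" or "secret"
read_cred() {
    sed -n "s/^$2=//p" "$1"
}

# curl_auth_config FILE -> a curl config fragment carrying the credentials.
# Feeding it via "curl -K -" keeps key and secret out of the process list,
# where a plain "-u key:secret" argument is visible to every local user.
curl_auth_config() {
    printf 'user = "%s:%s"\n' "$(read_cred "$1" key)" "$(read_cred "$1" secret)"
}

# opnsense_api PATH -> GET https://HOST/PATH with HTTP basic auth, which is how
# OPNsense authenticates API calls (key as user name, secret as password).
# Needs network and a certificate the client trusts; fix the certificate
# rather than adding -k permanently.
opnsense_api() {
    if ! check_creds_file "$CREDS"; then
        echo "refusing: $CREDS must be mode 600 with one key= and one secret= line" >&2
        return 1
    fi
    curl_auth_config "$CREDS" | curl -fsS -K - "https://$HOST/$1"
}

# Usage (script and variable names are assumptions):
#   RUN_API_CHECK=1 sh opnsense-api-check.sh
# Prints the firmware status JSON when the credentials work.
if [ -n "${RUN_API_CHECK:-}" ]; then
    chmod 600 "$CREDS" 2>/dev/null || true
    opnsense_api api/core/firmware/status
fi
```

The same check_creds_file guard can sit at the top of any automation that reads ~/.opnsense-credentials.txt, so a file that was accidentally created world-readable (or pasted twice) is caught before the secret is used.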
Program Installation
Run Main Deployment
The simple way uses the defaults (these can be changed later).
This is the full call if you want to change the defaults:
cd ~/TAPPaaS/src/foundation/tappaas-cicd
UPSTREAMGIT="github.com/TAPPaaS/TAPPaaS"
BRANCH="stable"
DOMAIN="yourdomain.com"         # placeholder: your own domain
EMAIL="admin@yourdomain.com"    # placeholder: your administrator e-mail address
SCHEDULE="weekly"
./install2.sh "$UPSTREAMGIT" "$BRANCH" "$DOMAIN" "$EMAIL" "$SCHEDULE"
The script might prompt for the root passwords of the TAPPaaS nodes.
This script installs and configures:
- All the scripts and programs that tappaas-cicd needs
- The remaining firewall installation steps
- The Caddy reverse proxy
- Automation pipelines and scheduled maintenance tasks
Reverse Proxy Configuration
Reassign OPNsense Port
Move the OPNsense web interface off port 443 so that the Caddy reverse proxy can use it:
- Navigate to System → Settings → Administration
- Change "TCP Port" to 8443
- Press Save to apply
- Reconnect to OPNsense at firewall.mgmt.internal:8443
Configure Caddy
In OPNsense, configure the Caddy plugin:
- Navigate to Services → Caddy Web Server → General Settings
- Enable Caddy
- Set the ACME email address to your administrator email
Add Domain Handlers
Configure reverse proxy for your services in Caddy's domain configuration.
(information to be provided eventually)
Verification
Verify the CICD system is operational:
Next Steps
Continue to Backup configuration.