Building Infrastructure on Deevnet Infrastructure Platform

Stage Artifacts

Mon, 01 Jan 0001 00:00:00 +0000

Stage Artifacts #

The builder node (with internet access) stages artifacts to the artifact server before any recovery is needed.

What Gets Staged #

Artifact	Source	Role/Task
Fedora install tree	rsync from Fedora mirrors	`artifacts` role
Fedora Server ISO	download.fedoraproject.org	`artifacts` role
Proxmox VE ISO	enterprise.proxmox.com	`artifacts` role
SSH public keys	Generated locally	`artifacts` role
Container images	docker.io, etc.	`artifacts` role

Commands #

From builder node with internet:

Seed Inventory

Mon, 01 Jan 0001 00:00:00 +0000

Seed Inventory #

Before any host can be PXE booted, its definition must exist in the Ansible inventory. MAC addresses, IP assignments, DNS records, and DHCP reservations are all driven from host_vars.

Repository: ansible-inventory-deevnet

When This Is Required #

Scenario	Action
Capacity expansion	Add host to `hosts.yml`, create new `host_vars/<hostname>.yml`
Hardware replacement	Update MAC address in existing `host_vars/<hostname>.yml`
Greenfield build	All hosts need both steps

Inventory Structure #

ansible-inventory-deevnet/
└── dvntm/
 ├── hosts.yml # Main inventory (hosts and group memberships)
 ├── group_vars/ # Variables by group
 └── host_vars/ # Per-host variables (MAC, IP, DNS, DHCP)
 ├── hv01.yml
 ├── hv02.yml
 └── ...

Adding a New Host (Expansion) #

1. Add to hosts.yml #

Add the hostname to appropriate groups:

Vault Operations

Mon, 01 Jan 0001 00:00:00 +0000

Vault Operations #

Ansible Vault protects sensitive variables (passwords, API keys, certificates) stored in the inventory. Each environment has its own set of vault.yml files that must be encrypted at rest and decrypted only while editing.

Repository: ansible-inventory-deevnet

Setup #

After cloning the inventory repository, run the one-time hook setup:

cd ansible-inventory-deevnet
make install-hooks

This runs git config core.hooksPath hooks, pointing Git at the version-controlled hooks/ directory. The hooks stay in sync with the repo automatically — no copying required. This must be run once per clone.

Configure PXE

Mon, 01 Jan 0001 00:00:00 +0000

Configure PXE #

Configure PXE boot authority before provisioning hosts.

Greenfield Build (No Core Router) #

For initial site build or full recovery, the bootstrap node provides DNS/DHCP/TFTP for the management subnet.

cd ~/dvnt/ansible-collection-deevnet.builder
make bootstrap-auth

This:

Discovers the WAN interface from inventory (bootstrap_wan_interface_key)
Enables IP forwarding and masquerading on the WAN interface
Activates dnsmasq for DHCP/DNS/TFTP on the downstream (management) interface
Populates DNS host records and DHCP static reservations from inventory
Swaps the management interface IP from the reserved address to the gateway address

The IP swap is the last step — it drops the SSH connection. All configuration completes first while connectivity is stable. Reconnect at the gateway IP to verify.

Build Network

Mon, 01 Jan 0001 00:00:00 +0000

Build Network #

Configure network infrastructure: Core Router, VLANs, firewall, DHCP, and wireless access points.

Collection: deevnet.net

Components #

Component	Role
Core Router	Firewall, DHCP, DNS, routing
Switch/VLANs	Network segmentation
Wireless AP	SSIDs, guest networks

Prerequisites #

Before the automated build-network procedures begin, the following manual steps must be completed:

Prerequisite	Method	Notes
Core Router	Fresh OPNsense install from USB	Manual installer; no PXE support
Access Switch	Factory reset to default state	Clears any prior VLAN/port config
Wireless AP	Factory reset to default state	Clears any prior SSID/network config

Additionally:

Build Management Plane

Mon, 01 Jan 0001 00:00:00 +0000

Build Management Plane #

PXE boot and install Proxmox VE hypervisors from local artifacts.

Prerequisites #

MAC addresses seeded in inventory
Network infrastructure running (or bootstrap-authoritative mode enabled)
Proxmox VE ISO staged on artifact server
DHCP reservations configured for target hosts

Procedure #

TBD

Verify Site

Mon, 01 Jan 0001 00:00:00 +0000

Verify Site #

Validation after site build is complete.

Overview #

Each build phase includes automated verification via Ansible. This page covers final validation once all components are operational.

Network Verification #

# Core Router reachable
ping gateway.dvntm.deevnet.net

# DNS resolution working
dig +short hv01.dvntm.deevnet.net
dig +short @192.168.10.1 hv01.dvntm.deevnet.net

# DHCP serving leases
# (check Core Router UI or API)

# VLAN connectivity
# (ping across segments as appropriate)

Management Plane Verification #

# Hypervisors reachable
ping hv01.dvntm.deevnet.net
ping hv02.dvntm.deevnet.net

# Proxmox API accessible
curl -k https://hv01.dvntm.deevnet.net:8006/api2/json/version

# SSH access working
ssh hv01.dvntm.deevnet.net hostname

PXE Infrastructure Verification #

# TFTP service running
systemctl status tftp.socket

# PXE configs present
ls /srv/tftp/pxelinux.cfg/

# Artifact server accessible
curl -I http://artifacts.dvntm.deevnet.net/fedora/43/mirror/

Automated Verification #

TBD - Ansible playbook for full substrate health check

Build Tenants

Mon, 01 Jan 0001 00:00:00 +0000

Build Tenants #

Provision tenant VMs and deploy application workloads.

Prerequisites #

Proxmox hypervisor(s) running
VM templates available
Application configuration in source control

Procedure #

TBD

Verify Tenants

Mon, 01 Jan 0001 00:00:00 +0000

Verify Tenants #

Validation after tenant workloads are provisioned.

Prerequisites #

Tenant VMs deployed via Build Tenants
Application services started

Application Verification #

TBD - Application-specific health checks

Backup Verification #

TBD - Verify tenant backup jobs configured and running