add nix flake for development

replace secret-service usage with a password file in the home dir
replace hermes mounted dir with data disk
pin terraform libvirt provider due to SSH issue
hard-code ssh known host file
Pim Kunis 2023-10-26 19:59:51 +02:00
parent bb57d3573d
commit 788939d8cf
8 changed files with 122 additions and 12 deletions

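--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake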

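--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@ override.tf.json
 terraform.rc
 .terraform.lock.hcl
 *.tfbackend
+.direnv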


@ -1,7 +1,7 @@
[defaults] [defaults]
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
inventory=inventory inventory=inventory
vault_password_file=util/secret-service-client.sh vault_password_file=$HOME/.config/home/ansible-vault-secret
interpreter_python=/usr/bin/python3 interpreter_python=/usr/bin/python3
host_key_checking = False host_key_checking = False
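Review bot: The new `vault_password_file=$HOME/.config/home/ansible-vault-secret` points Ansible at a plaintext secret on disk, and nothing in the commit records how that file must be provisioned. Ansible reads a non-executable vault password file as the literal password, so the file should be created with mode 0600 in a directory that is not world-readable and must never be copied into the repository; a comment beside the setting would carry that, e.g. `# plaintext vault password; create with mode 0600, never commit`. Whether `$HOME` is expanded for this option depends on Ansible's path handling — presumably it is, but confirm by running a vaulted play from the new dev shell before relying on it.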


@ -1,9 +0,0 @@
#!/bin/bash
pass=`secret-tool lookup ansible_vault hermes`
retval=$?
if [ $retval -ne 0 ]; then
read -s pass
fi
echo $pass

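--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,61 @@
+{
+"nodes": {
+"flake-utils": {
+"inputs": {
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1694529238,
+"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1698266953,
+"narHash": "sha256-jf72t7pC8+8h8fUslUYbWTX5rKsRwOzRMX8jJsGqDXA=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "75a52265bda7fd25e06e3a67dee3f0354e73243c",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": "nixpkgs"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}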

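--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,20 @@
+{
+description = "A basic flake with a shell";
+inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+inputs.flake-utils.url = "github:numtide/flake-utils";
+outputs = { self, nixpkgs, flake-utils }:
+flake-utils.lib.eachDefaultSystem (system: let
+pkgs = nixpkgs.legacyPackages.${system};
+in {
+devShells.default = pkgs.mkShell {
+packages = with pkgs; [
+bashInteractive
+opentofu
+jq
+cdrtools
+ansible
+];
+};
+});
+}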
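Review bot: `description = "A basic flake with a shell"` on the second line of flake.nix is the template text and says nothing about what this shell is for; something like `description = "Dev shell for the hermes infrastructure: opentofu, ansible, cdrtools";` would help whoever runs `nix flake show` on this repository. The package list ships `opentofu` while the commit message and the `.tf` files talk about Terraform — fine if OpenTofu is the intended CLI, but a one-line comment above `opentofu` stating that choice avoids a reader installing the wrong tool.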

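--- a/terraform/data/main.tf
+++ b/terraform/data/main.tf
@@ -0,0 +1,31 @@
+terraform {
+backend "pg" {
+schema_name = "hermes-data"
+}
+required_providers {
+libvirt = {
+source = "dmacvicar/libvirt"
+version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
+}
+}
+}
+provider "libvirt" {
+# https://libvirt.org/uri.html#libssh-and-libssh2-transport
+uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
+}
+resource "libvirt_volume" "data" {
+name = "hermes-data"
+pool = "data"
+size = 1024 * 1024
+lifecycle {
+prevent_destroy = true
+}
+}
+output "data_disk_id" {
+value = libvirt_volume.data.id
+}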
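Review bot: `size = 1024 * 1024` in `libvirt_volume.data` is interpreted in bytes by this provider, so the data disk is created at 1 MiB; if a larger volume is intended the expression is missing a factor, and in either case a units comment such as `size = 1024 * 1024 # bytes` stops the next reader from guessing. The `known_hosts=/etc/ssh/ssh_known_hosts` query string is a sound way to pin the hypervisor's host key, but it only works when that file already holds the entry for atlas.hyp, and the connection will presumably fail rather than prompt when it does not — a comment above the `uri` line stating that prerequisite documents what an operator must set up on the machine running `tofu apply`. `prevent_destroy = true` combined with a dedicated pg schema means this volume survives a destroy of the VM workspace, which reads as the intent and is worth stating in a comment on the lifecycle block.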


@ -6,6 +6,7 @@ terraform {
required_providers { required_providers {
libvirt = { libvirt = {
source = "dmacvicar/libvirt" source = "dmacvicar/libvirt"
version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
} }
template = { template = {
source = "hashicorp/template" source = "hashicorp/template"
@ -14,7 +15,8 @@ terraform {
} }
provider "libvirt" { provider "libvirt" {
uri = "qemu+ssh://root@atlas.hyp/system" # https://libvirt.org/uri.html#libssh-and-libssh2-transport
uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
} }
module "vm" { module "vm" {
@ -24,5 +26,8 @@ module "vm" {
fixed_address = "192.168.30.7/24" fixed_address = "192.168.30.7/24"
mac = "CA:FE:C0:FF:EE:07" mac = "CA:FE:C0:FF:EE:07"
fixed_dns = "192.168.30.1" fixed_dns = "192.168.30.1"
hypervisor_host = "atlas.hyp" data_disk = "/kvm/data/hermes-data"
insecure_password = true
# hypervisor_host = "atlas.hyp"
} }
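Review bot: `insecure_password = true` is passed to `module "vm"` without any explanation and the commit message does not mention it; what the module does with the flag is not visible here, but the name suggests a weakened credential on the hermes guest, so either drop it or document why it is required, e.g. `insecure_password = true # TODO(review): explain why this guest needs it, or remove`. `data_disk = "/kvm/data/hermes-data"` hard-codes a hypervisor path for the volume that `terraform/data/main.tf` already manages and exports as `data_disk_id`; reading that output through a `terraform_remote_state` data source on the `hermes-data` schema would keep the two workspaces in sync if the pool path or volume name changes (the libvirt volume id is presumably that path, which is worth confirming before wiring it). The commented-out `# hypervisor_host = "atlas.hyp"` is dead configuration and should be deleted rather than kept as a comment, since git history preserves it. The `module "vm"` block starts before this hunk.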