add nix flake for development

remove secret service usage with password in home dir
replace hermes mounted dir with data disk
pin terraform libvirt provider due to SSH issue
hard-code ssh known host file

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -34,3 +34,4 @@ override.tf.json
 terraform.rc
 .terraform.lock.hcl
 *.tfbackend
+.direnv

ansible/ansible.cfg

@@ -1,7 +1,7 @@
 [defaults]
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
-vault_password_file=util/secret-service-client.sh
+vault_password_file=$HOME/.config/home/ansible-vault-secret
 interpreter_python=/usr/bin/python3
 host_key_checking = False
 

ansible/util/secret-service-client.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-pass=`secret-tool lookup ansible_vault hermes`
-retval=$?
-
-if [ $retval -ne 0 ]; then
-	read -s pass
-fi
-echo $pass

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1698266953,
+        "narHash": "sha256-jf72t7pC8+8h8fUslUYbWTX5rKsRwOzRMX8jJsGqDXA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "75a52265bda7fd25e06e3a67dee3f0354e73243c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,20 @@
+{
+  description = "A basic flake with a shell";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = nixpkgs.legacyPackages.${system};
+    in {
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          bashInteractive
+          opentofu
+          jq
+          cdrtools
+          ansible
+        ];
+      };
+    });
+}

terraform/data/main.tf

@@ -0,0 +1,31 @@
+terraform {
+  backend "pg" {
+    schema_name = "hermes-data"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+      version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
+    }
+  }
+}
+
+provider "libvirt" {
+  # https://libvirt.org/uri.html#libssh-and-libssh2-transport
+  uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
+}
+
+resource "libvirt_volume" "data" {
+  name = "hermes-data"
+  pool = "data"
+  size = 1024 * 1024
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+output "data_disk_id" {
+  value = libvirt_volume.data.id
+}

terraform/main.tf

@@ -6,6 +6,7 @@ terraform {
   required_providers {
     libvirt = {
       source = "dmacvicar/libvirt"
+      version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
     }
     template = {
       source = "hashicorp/template"
@@ -14,7 +15,8 @@ terraform {
 }
 
 provider "libvirt" {
-  uri = "qemu+ssh://root@atlas.hyp/system"
+  # https://libvirt.org/uri.html#libssh-and-libssh2-transport
+  uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
 }
 
 module "vm" {
@@ -24,5 +26,8 @@ module "vm" {
   fixed_address   = "192.168.30.7/24"
   mac             = "CA:FE:C0:FF:EE:07"
   fixed_dns       = "192.168.30.1"
-  hypervisor_host = "atlas.hyp"
+  data_disk       = "/kvm/data/hermes-data"
+  insecure_password = true
+
+  #  hypervisor_host = "atlas.hyp"
 }