init

.gitignore

@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend

ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory=inventory
+interpreter_python=/usr/bin/python3
+
+[diff]
+always = True

atlas.yml

@@ -0,0 +1,102 @@
+---
+- name: Setup Atlas
+  hosts: atlas
+
+  handlers:
+  - name: restart postgres
+    systemd:
+      name: postgresql
+      state: restarted
+  - name: enable interfaces
+    command:
+      cmd: ifup -a
+
+  tasks:
+  - name: Update
+    apt:
+      autoremove: true
+      upgrade: yes
+      state: latest
+      update_cache: yes
+      cache_valid_time: 86400
+  - name: Install packages
+    apt:
+      pkg:
+        - qemu-kvm
+        - libvirt-daemon-system
+        - postgresql
+        - python3-psycopg2
+        - sudo
+        - bridge-utils
+  - name: Start libvirtd
+    systemd:
+      name: libvirtd
+      enabled: true
+      state: started
+  - name: Add root to libvirt group
+    user:
+      name: root
+      groups: libvirt
+      append: yes
+  - name: Disable apparmor
+    systemd:
+      name: apparmor
+      enabled: false
+      state: stopped
+  - name: Create terraform database
+    postgresql_db:
+      name: terraform_state
+      owner: terraform
+    become: true
+    become_user: postgres
+  - name: Create database user
+    postgresql_user:
+      name: terraform
+    become: true
+    become_user: postgres
+  - name: Grant database user access to database
+    postgresql_privs:
+      type: database
+      database: terraform_state
+      roles: terraform
+      grant_option: no
+      privs: all
+    become: true
+    become_user: postgres
+    notify: restart postgres
+  # - name: Test
+  #   postgresql_privs:
+  #     database: terraform_state
+  #     type: table
+  #     schema: public
+  #     roles: terraform
+  #     grant_option: no
+  #     privs: all
+  #     objs: all
+  #   become: true
+  #   become_user: postgres
+  #   notify: restart postgres
+  - name: Allow remote access to database for user
+    postgresql_pg_hba:
+      dest: /etc/postgresql/15/main/pg_hba.conf
+      contype: host
+      databases: all
+      method: trust
+      users: terraform
+      address: 192.168.0.0/16
+      create: true
+    become: true
+    become_user: postgres
+    notify: restart postgres
+  - name: Open postgres port
+    ini_file:
+      path: /etc/postgresql/15/main/postgresql.conf
+      section: null
+      option: listen_addresses
+      value: "'*'"
+    notify: restart postgres
+  - name: Copy interfaces configuration
+    copy:
+      src: dmz.conf
+      dest: /etc/network/interfaces.d/dmz.conf
+    notify: enable interfaces

dmz.conf

@@ -0,0 +1,19 @@
+auto enp3s0.30
+iface enp3s0.30 inet manual
+iface enp3s0.30 inet6 auto
+	accept_ra 0
+	dhcp 0
+	request_prefix 0
+	privext 0
+	pre-up sysctl -w net/ipv6/conf/enp3s0.30/disable_ipv6=1
+
+auto dmzbr
+iface dmzbr inet manual
+	bridge_ports enp3s0.30
+	bridge_stp off
+iface dmzbr inet6 auto
+	accept_ra 0
+	dhcp 0
+	request_prefix 0
+	privext 0
+	pre-up sysctl -w net/ipv6/conf/dmzbr/disable_ipv6=1

inventory/host_vars/atlas.yml

@@ -0,0 +1 @@
+storage_pools: [iso, disk, init]

inventory/hosts.yml

@@ -0,0 +1,5 @@
+all:
+  hosts:
+    atlas:
+      ansible_host: atlas.lan
+      ansible_user: root

libvirt-bootstrap/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  backend "pg" {
+    schema_name = "bootstrap"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = var.libvirt_endpoint
+}
+
+resource "libvirt_pool" "iso" {
+  name = "iso"
+  type = "dir"
+  path = "/kvm/iso"
+}
+
+resource "libvirt_pool" "disk" {
+  name = "disk"
+  type = "dir"
+  path = "/kvm/disk"
+}
+
+resource "libvirt_pool" "init" {
+  name = "init"
+  type = "dir"
+  path = "/kvm/init"
+}
+
+resource "libvirt_volume" "ubuntu_jammy" {
+  name   = "ubuntu-jammy.img"
+  pool   = "iso"
+  source = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img"
+}
+
+resource "libvirt_volume" "debian_bullseye" {
+  name = "debian-bullseye.iso"
+  pool = "iso"
+  source = "https://cloud.debian.org/images/cloud/bullseye/latest/debian-11-generic-amd64.qcow2"
+}
+
+resource "libvirt_volume" "debian_bookworm" {
+  name = "debian-bookworm.qcow2"
+  pool = "iso"
+  source = "https://cloud.debian.org/images/cloud/bookworm/daily/latest/debian-12-generic-amd64-daily.qcow2"
+}
+
+resource "libvirt_network" "dmzbr" {
+  name = "dmzbr"
+  mode = "bridge"
+  bridge = "dmzbr"
+  dhcp {
+    enabled = false
+  }
+  dns {
+    enabled = false
+  }
+  autostart = true
+}

libvirt-bootstrap/variables.tf

@@ -0,0 +1,4 @@
+variable "libvirt_endpoint" {
+  type = string
+  default = "qemu+ssh://root@atlas.lan/system"
+}