From 74a4de161563e3007777b19771438eec22f0ff18 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 21:26:46 +0000 Subject: [PATCH] virtualize (#3) Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3 --- .gitignore | 37 ++++++++++++++++++++++++++++++++++ ansible.cfg | 1 - data/main.tf | 30 +++++++++++++++++++++++++++ inventory/host_vars/max.yml | 2 +- inventory/hosts.yml | 10 ++++----- main.tf | 26 ++++++++++++++++++++++++ max.yml | 25 ++++++++++++++++++++--- roles/common/files/resolv.conf | 5 ----- roles/common/tasks/main.yml | 16 ++++++--------- roles/docker/tasks/main.yml | 2 +- roles/static/vars/main.yml | 2 +- 11 files changed, 128 insertions(+), 28 deletions(-) create mode 100644 data/main.tf create mode 100644 main.tf delete mode 100644 roles/common/files/resolv.conf diff --git a/.gitignore b/.gitignore index b593a85..33b954c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,38 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +*.tfbackend + .vault_password diff --git a/ansible.cfg b/ansible.cfg index b598c64..5f42fc7 100644 --- a/ansible.cfg +++ b/ansible.cfg 
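Review bot: The new `.gitignore` lists `.terraform.lock.hcl`, so the provider lock file — the record of which provider versions and checksums were selected — never reaches version control, and the `required_providers` blocks added in this same commit carry no `version` constraint, so each `terraform init` is free to fetch whatever `dmacvicar/libvirt` release is newest. That combination leaves the project with no supply-chain pin at all: a run on another machine can apply infrastructure with a different provider build than the one tested. Drop the `.terraform.lock.hcl` line and commit the lock file (the stock Terraform template the rest of this block comes from does not ignore it either; it was added here). Ignoring `*.tfvars` and `*.tfstate` is correct, though state lives in the `pg` backend in this repo, so the tfstate patterns are a safety net rather than the primary control.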
@@ -1,5 +1,4 @@ [defaults] -# (pathspec) Colon separated paths in which Ansible will search for Roles. roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory vault_password_file=util/secret-service-client.sh diff --git a/data/main.tf b/data/main.tf new file mode 100644 index 0000000..1961de5 --- /dev/null +++ b/data/main.tf @@ -0,0 +1,30 @@ +terraform { + backend "pg" { + schema_name = "max-data" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +resource "libvirt_volume" "data" { + name = "max-data" + pool = "data" + size = 1024 * 1024 * 1024 * 65 + + lifecycle { + prevent_destroy = true + } +} + +output "data_disk_id" { + value = libvirt_volume.data.id +} diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml index 11aa49f..55ff4c3 100644 --- a/inventory/host_vars/max.yml +++ b/inventory/host_vars/max.yml @@ -1,4 +1,4 @@ -base_data_dir: /data +base_data_dir: /mnt/data base_service_dir: /srv # Additional open ports diff --git a/inventory/hosts.yml b/inventory/hosts.yml index b0f8f06..bf163f0 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -1,7 +1,5 @@ all: - children: - homeserver: - hosts: - max: - ansible_user: root - ansible_host: max.dmz + hosts: + max: + ansible_user: root + ansible_host: max.dmz diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..a4f49fb --- /dev/null +++ b/main.tf 
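Review bot: The `pg` backend's `conn_str` (`postgres://terraform@10.42.0.1/terraform_state`) sets no `sslmode`, so libpq's default `prefer` applies: the session drops to cleartext if the server does not offer TLS, and the server certificate is never verified even when it does. Terraform state carries every attribute of every resource, so an on-path attacker on that network can read or alter it; how the `terraform` role authenticates is not visible here (presumably `.pgpass` or `PGPASSWORD`) — confirm it is not a `trust` entry. Append `?sslmode=verify-full` to the connection string, or take it out of the file entirely via the `PG_CONN_STR` environment variable, which also keeps the backend address out of the repo. Separately, `provider "libvirt"` connects as `root@atlas.lan`; a dedicated unprivileged user in the hypervisor's `libvirt` group would limit what a compromised controller can do with that SSH key.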
@@ -0,0 +1,26 @@ +terraform { + backend "pg" { + schema_name = "max" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +module "tf-datatest" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "max" + domain_name = "tf-max" + data_disk = "/kvm/data/max-data" + #ansible_command = "ansible-playbook max.yml" + memory = 1024 * 8 + mac = "CA:FE:C0:FF:EE:03" +} diff --git a/max.yml b/max.yml index bf406dd..eb6771f 100644 --- a/max.yml +++ b/max.yml @@ -1,13 +1,32 @@ - name: Setup homeserver - hosts: homeserver + hosts: max + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + roles: - - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} + # - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf deleted file mode 100644 index cf23f28..0000000 --- a/roles/common/files/resolv.conf +++ /dev/null @@ -1,5 +0,0 @@ -nameserver 192.168.30.7 -nameserver 192.168.30.1 -nameserver 1.1.1.1 -nameserver 1.0.0.1 -search lan diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c32e911..b8f79d0 100644 --- a/roles/common/tasks/main.yml 
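Review bot: The module source `git::https://git.pim.kunis.nl/home/tf-modules.git//debian` has no `?ref=`, so Terraform clones the repository's default branch on every `init`, and any push to that branch — intended or not — changes what this root module provisions, including whatever cloud-init user-data the module hands the VM. Pin it to a tag or commit, `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian?ref=<tag-or-sha>"`, and move the pin deliberately. `data_disk = "/kvm/data/max-data"` hardcodes the on-disk path of the volume that `data/main.tf` creates and exports as `data_disk_id`; if the module accepts a volume id, a `terraform_remote_state` data source over the `max-data` schema would couple the two configurations explicitly instead of through the pool's directory layout. The `sslmode` remark on the `pg` backend in `data/main.tf` applies to the identical backend block here.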
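Review bot: With the `ssh` role removed from the role list, nothing in this play configures `sshd` any more, while the inventory still connects as `ansible_user: root`; if that role carried the hardening (key-only auth, no password login), the rebuilt VM now runs whatever the cloud image and the Terraform module's cloud-init provide — confirm that covers it, or keep the role at the top of the list. On the new `pre_tasks`, `wait_for` only proves that port 22 answers with an OpenSSH banner; every rebuild generates a fresh host key, so check how host key checking is handled for this inventory (not visible here) rather than disabling it globally. Style: `gather_facts: no` should be `gather_facts: false` — yamllint's `truthy` rule, and `true`/`false` is what the rest of the repo's Ansible uses (`enabled: false` in the common role).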
+++ b/roles/common/tasks/main.yml @@ -9,13 +9,9 @@ file: path: "{{ base_service_dir }}" state: directory -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy resolv.conf - copy: - src: "{{ role_path }}/files/resolv.conf" - dest: /etc/resolv.conf - follow: true +- name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3acc420..7b7b88b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -12,7 +12,7 @@ keyring: /etc/apt/keyrings/docker.gpg - name: Add Docker repository apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" register: apt_repository - name: Update APT cache apt: diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml index 8838234..912dd02 100644 --- a/roles/static/vars/main.yml +++ b/roles/static/vars/main.yml @@ -1,3 +1,3 @@ service_name: static service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git" +git_origin: "http://git.pim.kunis.nl/pim/static.git"
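Review bot: `rm /usr/lib/python*/EXTERNALLY-MANAGED` with `failed_when: "false"` deletes Debian's PEP 668 marker so pip may write into the apt-managed system Python, and at the same time silences every error the command can produce (glob matching nothing, permission denied, a typo) — the role can no longer distinguish a successful removal from a broken one. The marker exists precisely to stop `pip install` from overwriting packages dpkg owns; if a later role needs pip (not visible here), `pip install --break-system-packages` for that one install, or a venv under `/srv`, keeps the protection for everything else on the host. If the marker really must go, do it without a shell glob and with honest reporting: locate it with `find` and remove it with `file`, which is idempotent and fails loudly.
```yaml
- name: Find externally managed environment markers
  find:
    paths: /usr/lib
    patterns: EXTERNALLY-MANAGED
    recurse: true
    depth: 2
  register: externally_managed
- name: Delete externally managed environment file
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ externally_managed.files }}"
```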
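Review bot: `git_origin` now points at `http://git.pim.kunis.nl/pim/static.git`, so the static site content is cloned over cleartext HTTP across the network instead of from the local Forgejo port it replaced, and anyone on the path can substitute the content the `static` role presumably serves. The same host is already reached over TLS in this very commit (`main.tf` uses `git::https://git.pim.kunis.nl/...`), so the fix is one character: `git_origin: "https://git.pim.kunis.nl/pim/static.git"`.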