WIP: nixos-anywhere for virtual machines

terraform/modules/README.md

@@ -0,0 +1,7 @@
+# tf-modules
+
+Terraform modules we use for the virtual machines in our home network.
+These are all personalized and probably of little use outside our network.
+The modules are currently:
+- `debian`: Personalized Debian VM using Terraform's `libvirt` provider
+- `invariants`: Invariants for our home network we use in multiple places.

terraform/modules/debian/files/cloud_init.cfg.tftpl

@@ -0,0 +1,15 @@
+#cloud-config
+hostname: "${hostname}"
+manage_etc_hosts: true
+disable_root: false
+
+ssh_authorized_keys:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
+
+ssh_pwauth: false
+
+# TODO: Do we need this?
+runcmd:
+- dhclient -r
+- dhclient

terraform/modules/debian/files/get_cert.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')"
+
+# TODO: Can this be done more eye-pleasingly?
+set +e
+CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$CAKEY"'" "'"$PUBKEY"'" "'"$HOST"'".dmz')
+retval=$?
+set -e
+
+if [ retval -neq 0 ]; then
+	CERT=""
+fi
+
+jq -n --arg cert "$CERT" '{"cert":$cert}'

terraform/modules/debian/files/network_config.cfg

@@ -0,0 +1,9 @@
+version: 2
+ethernets:
+  ens:
+    match:
+      name: ens*
+    dhcp4: true
+    routes:
+    - to: 0.0.0.0/0
+      via: 192.168.30.1

terraform/modules/debian/main.tf

@@ -0,0 +1,54 @@
+terraform {
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+resource "libvirt_volume" "os" {
+  name             = "${var.name}.qcow2"
+  pool             = "disks"
+  size             = 1024 * 1024 * 1024 * var.storage
+  base_volume_name = "debian-bookworm.qcow2"
+  base_volume_pool = "images"
+
+  lifecycle {
+    replace_triggered_by = [
+      libvirt_cloudinit_disk.main.id
+    ]
+  }
+}
+
+resource "libvirt_cloudinit_disk" "main" {
+  name           = "${var.name}.iso"
+  pool           = "cloudinit"
+  user_data      = templatefile("${path.module}/files/cloud_init.cfg.tftpl", {
+    hostname = var.name
+  })
+  network_config = file("${path.module}/files/network_config.cfg")
+}
+
+resource "libvirt_domain" "main" {
+  name      = var.name
+  memory    = var.ram
+  vcpu      = 4
+  autostart = true
+
+  disk {
+    volume_id = libvirt_volume.os.id
+  }
+
+  network_interface {
+    bridge   = "bridgedmz"
+    hostname = var.name
+  }
+
+  cloudinit = libvirt_cloudinit_disk.main.id
+
+  lifecycle {
+    replace_triggered_by = [
+      libvirt_cloudinit_disk.main.id
+    ]
+  }
+}

terraform/modules/debian/variables.tf

@@ -0,0 +1,13 @@
+variable "name" {
+  type = string
+}
+
+variable "ram" {
+  type = number
+  description = "In MiB"
+}
+
+variable "storage" {
+  type = number
+  description = "In GiB"
+}

terraform/modules/setup/main.tf

@@ -0,0 +1,44 @@
+terraform {
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+resource "libvirt_pool" "images" {
+  name = "images"
+  type = "dir"
+  path = "/var/lib/libvirt/pools/images"
+}
+
+resource "libvirt_pool" "cloudinit" {
+  name = "cloudinit"
+  type = "dir"
+  path = "/var/lib/libvirt/pools/cloudinit"
+}
+
+resource "libvirt_pool" "disks" {
+  name = "disks"
+  type = "dir"
+  path = "/var/lib/libvirt/pools/disks"
+}
+
+resource "libvirt_volume" "debian_bookworm" {
+  name = "debian-bookworm.qcow2"
+  pool = libvirt_pool.images.name
+  source = "https://cloud.debian.org/images/cloud/bookworm/daily/latest/debian-12-generic-amd64-daily.qcow2"
+}
+
+resource "libvirt_network" "bridgedmz" {
+  name = "bridgedmz"
+  mode = "bridge"
+  bridge = "bridgedmz"
+  dhcp {
+    enabled = false
+  }
+  dns {
+    enabled = false
+  }
+  autostart = true
+}