update to nixos 23.11

enable static IP for terraformed VMs
restructure legacy code
move hermes code to this repo
don't use data disk for hermes leases
Pim Kunis 2023-12-17 16:22:22 +01:00
parent 04e9ce3abb
commit 721623c8fc
28 changed files with 402 additions and 80 deletions


@ -9,11 +9,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1696775529, "lastModified": 1701216516,
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,11 +51,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1698921442, "lastModified": 1702460489,
"narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=", "narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "660180bbbeae7d60dad5a92b30858306945fd427", "rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -71,11 +71,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1699781810, "lastModified": 1702569759,
"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=", "narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df", "rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -87,11 +87,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1696426674,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -143,7 +143,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems", "systems": "systems_2",
"treefmt": "treefmt" "treefmt": "treefmt"
}, },
"locked": { "locked": {
@ -162,11 +162,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1671417167, "lastModified": 1702272962,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -178,11 +178,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1699725108, "lastModified": 1702539185,
"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=", "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e", "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -194,16 +194,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1699291058, "lastModified": 1702645756,
"narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=", "narHash": "sha256-qKI6OR3TYJYQB3Q8mAZ+DG4o/BR9ptcv9UnRV2hzljc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "41de143fda10e33be0f47eab2bfe08a50f234267", "rev": "40c3c94c241286dd2243ea34d3aef8a488f9e4d0",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.05", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -219,6 +219,21 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -254,12 +269,15 @@
} }
}, },
"utils": { "utils": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1667395993, "lastModified": 1701680307,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -2,7 +2,7 @@
description = "NixOS definitions for our physical servers"; description = "NixOS definitions for our physical servers";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
kubenix = { kubenix = {
@ -22,7 +22,7 @@
}; };
outputs = outputs =
{ self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, kubenix, ... }: { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
@ -45,18 +45,19 @@
in in
{ {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = [ packages = with pkgs; [
pkgs.libsecret libsecret
# TODO: using nixos-anywhere from nixos-unstable produces buffer overflow. # TODO: using nixos-anywhere from nixos-unstable produces buffer overflow.
# Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242 # Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242
# Should wait until this is merged in nixos-unstable. # Should wait until this is merged in nixos-unstable.
# pkgs-unstable.nixos-anywhere # pkgs-unstable.nixos-anywhere
pkgs-unstable.deploy-rs pkgs-unstable.deploy-rs
pkgs.openssl openssl
pkgs.postgresql_15 postgresql_15
pkgs-unstable.opentofu opentofu
pkgs.cdrtools cdrtools
pkgs.kubectl kubectl
ansible
]; ];
}; };
@ -79,7 +80,7 @@
user = "root"; user = "root";
nodes = mkDeployNodes (machine: { nodes = mkDeployNodes (machine: {
hostname = machine.hostname; hostname = machine.hostName;
profiles.hypervisor = { profiles.hypervisor = {
path = deploy-rs.lib.${system}.activate.nixos path = deploy-rs.lib.${system}.activate.nixos
self.nixosConfigurations.${machine.name}; self.nixosConfigurations.${machine.name};


@ -1,6 +1,6 @@
terraform { terraform {
backend "pg" { backend "pg" {
schema_name = "testje" schema_name = "dockerswarm"
conn_str = "postgresql://terraform@jefke.hyp/terraformstates" conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
} }
@ -24,14 +24,14 @@ provider "libvirt" {
} }
module "setup_jefke" { module "setup_jefke" {
source = "./modules/setup" source = "../../terraform_modules/setup"
providers = { providers = {
libvirt = libvirt.jefke libvirt = libvirt.jefke
} }
} }
module "bancomart" { module "bancomart" {
source = "./modules/debian" source = "../../terraform_modules/debian"
name = "bancomart" name = "bancomart"
ram = 4096 ram = 4096
storage = 25 storage = 25
@ -41,14 +41,14 @@ module "bancomart" {
} }
module "setup_atlas" { module "setup_atlas" {
source = "./modules/setup" source = "../../terraform_modules/setup"
providers = { providers = {
libvirt = libvirt.atlas libvirt = libvirt.atlas
} }
} }
module "maestro" { module "maestro" {
source = "./modules/debian" source = "../../terraform_modules/debian"
name = "maestro" name = "maestro"
ram = 8192 ram = 8192
storage = 35 storage = 35


@ -0,0 +1,9 @@
[defaults]
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
inventory=inventory
vault_password_file=$HOME/.config/home/ansible-vault-secret
interpreter_python=/usr/bin/python3
host_key_checking = False
[diff]
always = True
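Review bot: `host_key_checking = False` on L237 disables SSH host-key verification for every play in this directory, so a spoofed or intercepted hermes would be accepted silently and the vault-decrypted secrets pushed to it. The terraform side already pins host keys via `known_hosts=/etc/ssh/ssh_known_hosts` (L549); the same file can serve Ansible: drop the line and add `[ssh_connection]` / `ssh_args = -o UserKnownHostsFile=/etc/ssh/ssh_known_hosts`. If the flag is there only because host keys change on every `terraform` recreate, say so in a comment such as `# TODO: host keys rotate on VM recreate; re-enable once known_hosts is managed` so it is not mistaken for a permanent choice.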


@ -0,0 +1,25 @@
- name: Wait for cloud-init to finish
hosts: all
gather_facts: no
roles:
- cloudinit_wait
- name: Install services
hosts: all
pre_tasks:
- name: Delete externally managed environment file
shell:
cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
register: rm
changed_when: "rm.rc == 0"
failed_when: "false"
- name: Copy resolv.conf
copy:
src: resolv.conf
dest: /etc/resolv.conf
roles:
- {role: apt, tags: apt}
- {role: dnsmasq, tags: dnsmasq}
- {role: powerdns, tags: powerdns}
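Review bot: The `Delete externally managed environment file` pre_task (L252-L257) shells out to `rm` on a glob and then sets `failed_when: false`, which hides every failure (missing binary, permission error, read-only filesystem) rather than just the expected "no such file". A `find` followed by the `file` module is idempotent, reports real errors and needs no shell. It is also worth one comment on why the PEP 668 marker is removed (presumably so pip-based modules can install into the system interpreter), since deleting it disables that protection for the whole host.
```yaml
  pre_tasks:
    # Debian 12 marks the system interpreter as externally managed (PEP 668);
    # removing the marker lets pip-based tasks install into it.
    - name: Find EXTERNALLY-MANAGED markers
      ansible.builtin.find:
        paths: /usr/lib
        patterns: EXTERNALLY-MANAGED
        recurse: true
        depth: 2
      register: externally_managed
    - name: Delete externally managed environment file
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ externally_managed.files }}"
    # … unchanged: Copy resolv.conf …
```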


@ -0,0 +1,84 @@
apt_install_packages:
- qemu-guest-agent
- dnsutils
- pdns-server
- pdns-backend-pgsql
- postgresql-client
ssh_ca_dir: /root/ssh_ca
ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
ssh_ca_user_ca_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
64343164666336316635323733353839373835316465653038333062386438363131353566626130
6531653835313838396638366330386331383533303435300a306333363238633864623864393665
31393036346532353134646466666465386633303061346662393430666532366137323866646561
3131653064323565370a656361326462336238333464353635303066323565633865663032313661
38366238613361626161633862353938326365306634303166346461366531663063343264353533
61656630633734643639333738616566326531653264306134363837616365643039626262613433
61656361326234313130386533363761366665383064643735316133313133643865616536306466
33303733663834646435303935633436383632306330616264343263303861313635383866636163
39653064373966643437636530326235653131616366396563386139333837616535616135323337
66626161336539356637373138613464376133373234353863383330313362623236633462386234
31386635613936306262346264343732623761303331623831353061343035626361623639326530
62643139663733666662623039396461623334666565663439613430353364626162653731303535
32396638393534363533303039343938346339656266303766613931316337333635373664643461
37303332386233663937636631373935613231356262346530323337393733373764613864616563
66383137393738316638393530616234653264613363383663366261303433636236326632323734
35616133386438613636663631653139386466303534636263393633633663303664326137373139
35626336653966396335623330663161333432306538316664376231616161353235353032633438
62363663613135616462323363333863376532623764663066616431636632653938666263383731
65666564656130383262373964386631643332323066386635643032663833306565643164376239
32383732393236336235363936303063663963343061306161643331623330326139663836323561
31353532313639613563393938643333326462653833623531613935363265333534663762333831
36376264636432656537313834373036623339306430333837323836303134323062306265356430
39663238363338666362663364643063613337646237356431383237616465643634313166643435
32623864313537336634373631396465643362333237646462336362656430653036656263613162
64306662313934643661333462306336333561626335303866306131326538653264343465633139
3466663135663239616135353764373532323935613233316132
ssh_ca_host_ca_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34613835376232653534353636303364613437666563653530363564346164656136643732626234
6430316165623933666461646639303435386433333335660a393538303835616366333066353665
64663236353233383236656365356264653963366464303433313133386430646230363634353465
6365313836666534330a633832303963616162623631663732623236383665383333323032383364
36313663366461643733373836326335386562663362326438353033376431356537326133646338
31623064303662616464343639346663323437333038346664393166333930336539373031313161
39343365373238383661343234666430336131323666313032333666306333366566336361383536
64626261363138323766306239303133376632386235666633363461303135613865343161356266
33333634613761616336653162396662633131333336613264663764333761633032313436376534
65376631383239666235313939363265643364376638623630373839303236633635356431356263
66366535656335326335616666316534366232353262336164663562613439623135303262356130
36316134366366623331393230396132366535356435613563663937376639653339343761306431
33353331306334336133316234326133663939636430376139376231383966346363303362386265
32356166363231613962383434333536356138623039663561313137653037663231666666646230
66323932333031626637616434383737623634353933613861326666313737636133333438656634
31363461373639366464343836333031313632346465346535303139623038633330356334633866
61303765353439303966623030303966656465353538323932343536393764616566386261306466
36343237393333376366303933373139353161376262333739353138666162663339393136303634
39383433323563666661313631613761343532373736386537626433323631323465623736653165
35356163356361346438366430636563656531363164306534353865393039643136366634323638
62656261396635353332376661353661353931663932386465643238343031376235363239303832
63393437613362623963306364356363396134623739656265326433356134303835356266326465
64623631353163653438376534316162666330663963363064326161656335383639356164393237
39346231666362313632363737623139373632376461373362656563616566633265653438393361
39393734393061653639313365633931373963666635316138663538356265386562373837393530
6537646639613534666533626339356335396634613765616664
api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
65376335393463353232386437613533396261383332653738323764633965393262363239376165
3566666139376135643833343535663130353631326466610a623161633238363338633461383434
63373365613765663830613565313164323938336338616666313365623261663037626132623531
3638653833626532300a656632356563613631633162643464356236396635633237376133323433
37363261376535306161393039396333656430323534616462393366643662306631306339346363
3065303163643732613435323561663035646365383237643464
postgresql_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
64646633623535383761356434643064383736626638333738323363393037393133363130623361
3965323132656263393365366131343732646239316564390a613263386166383438366162303561
63626162656337313034663830626432303437363764653336613338393038393737663238313737
3164323834393165380a393138363265393963613835376331623735303538316162343036306230
63633335343332313861393135366332313061353064306265653631613735336631653438383066
3034323733323333646532613233666333323363643534336233
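Review bot: `ssh_ca_user_ca_private_key` and `ssh_ca_host_ca_private_key` (L279, L307) place both SSH certificate-authority private keys in the variables of a host whose only roles in this commit are apt, dnsmasq and powerdns; nothing visible in the playbook or roles references `ssh_ca_*`, so they are decrypted on every run with no consumer. hermes also appears to be the internet-facing DNS box (PowerDNS binds `::` and allows AXFR from external ranges, L485-L488), which is a poor place to keep the CA that signs every user and host certificate. Unless a role outside this commit needs them here, move the CA material out of this inventory or into a separate vault id, and leave a comment such as `# CA keys live in the ssh_ca inventory, not on hermes`.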


@ -0,0 +1,5 @@
all:
hosts:
hermes:
ansible_user: root
ansible_host: 192.168.30.7


@ -0,0 +1,9 @@
- name: apt
src: https://github.com/sunscrapers/ansible-role-apt.git
scm: git
- name: cloudinit_wait
src: https://git.kun.is/pim/ansible-role-cloudinit-wait
scm: git
- name: postgresql_database
src: https://git.kun.is/home/ansible-role-postgresql-database
scm: git
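Review bot: None of the three git roles (L364-L372) carries a `version:` key, so `ansible-galaxy install` tracks the default branch of each remote and a force-push or compromise of `sunscrapers/ansible-role-apt` (third-party, on GitHub) lands on the next install unchecked. Pin each entry to a tag or commit, e.g. `version: <tag-or-sha>` under each role, and consider vendoring the external one now that the repository carries its own roles directory. A short comment with the pinned revision's date makes future bumps easier to review.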


@ -0,0 +1 @@
nameserver 192.168.30.1


@ -0,0 +1,51 @@
# Disable /etc/resolv.conf
no-resolv
# Upstream DNS server
server=192.168.30.1
# Always serve .dmz locally
local=/dmz/
# Put all clients in the dmz domain
dhcp-fqdn
# Don't read /etc/hosts
no-hosts
# Domain is automatically added to if missing
expand-hosts
# Domain that is used for DHCP on this network
domain=dmz
# IPv4 DHCP range
dhcp-authoritative
dhcp-range=192.168.30.50,192.168.30.127,15m
# Predefined DHCP hosts
dhcp-host=b8:27:eb:b9:ab:e2,esrom
dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3
dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8
dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9
dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10
dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11
# Advertise router
dhcp-option=3,192.168.30.1
# Always send the IPv6 DNS server address (this machine)
dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]
# Advertise SLAAC for the given prefix
dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names
# Do not advertise default gateway via DHCPv6
ra-param=*,0,0
# Alias public IP address to local
alias=84.245.14.149,192.168.30.8
# Override DNS servers for our domains
server=/pizzapim.nl/192.168.30.7
server=/geokunis2.nl/192.168.30.7
server=/pim.kunis.nl/192.168.30.7
server=/kun.is/192.168.30.7
# Enable extended logging
log-dhcp
log-queries
# Resolve hermes.dmz to addresses on main NIC
interface-name=hermes.dmz,ens3
# Non-conventional port because we also run nsd on this machine
port=5353
# Override addresses of name servers
address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7
address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07
# Advertise DNS server
dhcp-option=option:dns-server,192.168.30.1
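Review bot: The configuration has no `interface=`, `bind-interfaces` or `local-service` directive, so dnsmasq answers recursive queries on port 5353 from any source it can hear; since this host is also given a global IPv6 address (L430) and PowerDNS binds `::` (L485), it looks publicly reachable, and the resolver could be an open one unless a firewall outside this commit blocks 5353. Add `interface=ens3` with `bind-interfaces` (or `local-service`, which limits replies to directly attached subnets) next to the `interface-name=hermes.dmz,ens3` line. Separately, `log-queries` (L423) writes every client lookup to the journal; if it is only for the migration, mark it `# TODO: drop log-queries after cutover`.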


@ -0,0 +1,18 @@
- name: Install dnsmasq
apt:
name: dnsmasq
- name: Disable systemd-resolved
systemd:
name: systemd-resolved
enabled: false
state: stopped
- name: Copy dnsmasq configuration
copy:
src: "{{ role_path }}/files/dnsmasq.conf"
dest: "/etc/dnsmasq.conf"
register: config
- name: Enable dnsmasq
systemd:
name: dnsmasq
enabled: true
state: "{{ 'restarted' if config.changed else 'started' }}"
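Review bot: `Copy dnsmasq configuration` (L445-L449) installs the file and the next task restarts the daemon without validating it, so a typo in dnsmasq.conf takes DHCP and DNS for the whole DMZ down at restart. The copy module supports `validate: dnsmasq --test --conf-file=%s`, which fails the task before the broken file replaces the working one. Using FQCNs (`ansible.builtin.copy`, `ansible.builtin.systemd`) would also make the module resolution explicit.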


@ -0,0 +1,5 @@
api=yes
api-key={{ api_key }}
webserver-address=0.0.0.0
webserver-port=3000
webserver-allow-from=0.0.0.0/0
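Review bot: `webserver-address=0.0.0.0` together with `webserver-allow-from=0.0.0.0/0` (L461, L463) exposes the PowerDNS REST API, including zone and record editing, to every address hermes is reachable from, with `api_key` as the only control; the server also binds `::` for DNS (L485), so the API may be reachable from the internet unless an external firewall blocks port 3000. Restrict it to the callers that need it, e.g. `webserver-address=192.168.30.7` and `webserver-allow-from=127.0.0.1,192.168.30.0/24`. A comment naming the actual API client (ACME DNS-01, a dashboard, …) would let the next reader tighten this further.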


@ -0,0 +1,5 @@
launch=gpgsql
gpgsql-host=192.168.30.10
gpgsql-dbname=powerdns
gpgsql-user=powerdns
gpgsql-password={{ postgresql_password }}
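Review bot: `gpgsql-host=192.168.30.10` (L469) connects over the DMZ LAN with no TLS requirement, so `postgresql_password` is sent in clear text on each reconnect unless the database server forces SSL. PowerDNS passes extra libpq options through `gpgsql-extra-connection-parameters=sslmode=verify-full` (or `require` if the server certificate is self-signed); add that line and a comment stating the expectation. Whether the rendered file is readable only by the pdns user depends on the template task, which sets no `mode` in this commit.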


@ -0,0 +1,4 @@
- name: restart powerdns
systemd:
name: pdns
state: restarted


@ -0,0 +1,4 @@
local-address=192.168.30.7, 127.0.0.1, ::
default-soa-content=ns.@ noreply.@ 0 10800 3600 604800 3600
# allow zone transfers from Transip ip's. see also: https://www.transip.nl/knowledgebase/artikel/26-nameservers-instellen-transip-nameservers-secondary/
allow-axfr-ips=87.253.155.96/27,157.97.168.160/27


@ -0,0 +1,28 @@
- name: Remove BIND powerdns config
file:
path: /etc/powerdns/pdns.d/bind.conf
state: absent
notify: restart powerdns
- name: Copy postgresql powerdns config
template:
src: gpgsql.conf.j2
dest: /etc/powerdns/pdns.d/gpgsql.conf
notify: restart powerdns
- name: Add API powerdns config
template:
src: api.conf.j2
dest: /etc/powerdns/pdns.d/api.conf
notify: restart powerdns
- name: Overwrite powerdns config
copy:
src: overwrite.conf
dest: /etc/powerdns/pdns.d/overwrite.conf
notify: restart powerdns
- name: Start powerdns
systemd:
name: pdns
state: started
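Review bot: The two `template` tasks (L498-L507) render `gpgsql.conf` and `api.conf`, which contain `postgresql_password` and `api_key`, without `owner`/`group`/`mode`, so the files land with the process umask (typically 0644) and any local user on hermes can read both secrets. Add `owner: root`, `group: pdns`, `mode: "0640"` to each task; the vault protects the values in git, not on the target. `Start powerdns` (L513-L516) also sets only `state: started` without `enabled: true`, leaving boot behaviour to the package default — be explicit.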


@ -0,0 +1,10 @@
---
- hosts: hermes
tasks:
- name: Read dnsmasq leases
command: cat /mnt/data/dnsmasq.leases
register: leases
- name: Print dnsmasq leases
debug:
msg: "{{ leases.stdout_lines }}"
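Review bot: `Read dnsmasq leases` (L524-L525) cats `/mnt/data/dnsmasq.leases`, but the commit message says hermes no longer keeps leases on the data disk and the dnsmasq.conf added here sets no `dhcp-leasefile`, so dnsmasq writes the Debian default (`/var/lib/misc/dnsmasq.leases`) and this playbook will fail or show stale data. Point it at the real file and prefer `ansible.builtin.slurp: src: /var/lib/misc/dnsmasq.leases` over `command: cat`, decoding with `b64decode` in the debug task. A comment naming the lease file dnsmasq is configured to use keeps the two in sync.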


@ -0,0 +1,31 @@
terraform {
backend "pg" {
schema_name = "hermes"
conn_str = "postgresql://terraform@jefke.hyp/terraformstates"
}
required_providers {
libvirt = {
source = "dmacvicar/libvirt"
version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040
}
}
}
# https://libvirt.org/uri.html#libssh-and-libssh2-transport
provider "libvirt" {
alias = "atlas"
uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts"
}
module "hermes" {
source = "../../terraform_modules/debian"
name = "hermes"
ram = 1024
storage = 25
mac = "CA:FE:C0:FF:EE:07"
static_ip = "192.168.30.7/24"
providers = {
libvirt = libvirt.atlas
}
}
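Review bot: The `pg` backend `conn_str` (L537) carries no `sslmode`, so libpq defaults to `prefer` and falls back to plaintext to jefke.hyp; the state for this module will likely include the rendered cloud-init user data and the VM definition, which is worth protecting in transit. Use `conn_str = "postgresql://terraform@jefke.hyp/terraformstates?sslmode=verify-full"` (or `require` if jefke's certificate is not from a trusted CA) and confirm the `terraform` role authenticates with more than trust/ident. The dockerswarm module uses the same string (L200), so the change applies there too.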


@ -3,7 +3,13 @@ ethernets:
ens: ens:
match: match:
name: ens* name: ens*
%{ if static_ip != null }
dhcp4: false
addresses:
- "${static_ip}"
%{ else }
dhcp4: true dhcp4: true
%{ endif}
routes: routes:
- to: 0.0.0.0/0 - to: 0.0.0.0/0
via: 192.168.30.1 via: 192.168.30.1
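Review bot: The static branch (L569-L572) turns DHCP off but emits no `nameservers:` block, so a VM built with `static_ip` has no resolver until the Ansible resolv.conf copy runs, unless a section of the template outside this hunk supplies one. If it does not, add `nameservers: {addresses: ["192.168.30.1"]}` inside the `%{ if }` branch next to `addresses:`, and note in a comment that the gateway in `via:` and the resolver are expected to be the same host. The `ens:` mapping continues past the end of the hunk.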


@ -26,7 +26,9 @@ resource "libvirt_cloudinit_disk" "main" {
user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", { user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", {
hostname = var.name hostname = var.name
}) })
network_config = file("${path.module}/files/network_config.cfg") network_config = templatefile("${path.module}/files/network_config.cfg.tftpl", {
static_ip = var.static_ip
})
} }
resource "libvirt_domain" "main" { resource "libvirt_domain" "main" {


@ -17,3 +17,8 @@ variable "mac" {
description = "MAC address" description = "MAC address"
default = null default = null
} }
variable "static_ip" {
type = string
default = null
}
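Review bot: `static_ip` (L598-L601) accepts any string and is interpolated straight into the netplan YAML, so a value missing its prefix length or containing a typo only fails at first boot of the VM, where the serial console is the only diagnostic. A `validation` block using `cidrhost` rejects it at plan time, and a `description` records that CIDR notation is expected and that `null` means DHCP, matching the convention the `mac` variable above already follows.
```hcl
variable "static_ip" {
  description = "Static IPv4 address in CIDR notation (e.g. 192.168.30.7/24); null keeps DHCP"
  type        = string
  default     = null

  validation {
    condition     = var.static_ip == null || can(cidrhost(var.static_ip, 0))
    error_message = "static_ip must be an IPv4 address with prefix length, e.g. 192.168.30.7/24."
  }
}
```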


@ -1,13 +1,12 @@
{ {
jefke = { jefke = {
name = "jefke"; name = "jefke";
hostname = "jefke.hyp"; hostName = "jefke.hyp";
nixosModule = { nixosModule.custom = {
custom = {
dataDisk.enable = true; dataDisk.enable = true;
terraformDatabase.enable = true; terraformDatabase.enable = true;
k3s.enable = true; # k3s.enable = true;
disko.osDiskDevice = "/dev/nvme0n1"; disko.osDiskDevice = "/dev/nvme0n1";
ssh = { ssh = {
@ -17,14 +16,12 @@
}; };
}; };
}; };
};
atlas = { atlas = {
name = "atlas"; name = "atlas";
hostname = "atlas.hyp"; hostName = "atlas.hyp";
nixosModule = { nixosModule.custom = {
custom = {
disko.osDiskDevice = "/dev/nvme0n1"; disko.osDiskDevice = "/dev/nvme0n1";
ssh = { ssh = {
@ -34,5 +31,24 @@
}; };
}; };
}; };
};
# lewis = {
# name = "lewis";
# hostName = "lewis.hyp";
# nixosModule.custom = {
# disko.osDiskDevice = "/dev/sda";
# dataDisk = {
# enable = true;
# devicePath = "/dev/nvme0n1p1";
# };
# ssh = {
# useCertificates = true;
# hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
# userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
# };
# };
# };
} }
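Review bot: The commented-out `lewis` entry (L634-L649) reads `./atlas_host_ed25519-cert.pub` and `./atlas_user_ed25519-cert.pub`, while the certificate files added in this commit appear to be issued for principal `lewis.hyp`; uncommented as-is, lewis would present atlas's certificates and fail host verification. The paths should presumably be `./lewis_host_ed25519-cert.pub` / `./lewis_user_ed25519-cert.pub`; fix them now so the dormant block is not a trap. Also, `# k3s.enable = true;` on jefke (L614) silently disables k3s on that host and the commit message does not mention it — a one-line comment on why would help.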


@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAP9Xu3G75HcVIVhrgiCKSM+YTkaCbTqI18NBdWikIlHAAAAIKfbZauF+7q3s7VxhvxdPT7XDapch0P3tD//U4/70D6cAAAAAAAAAAAAAAACAAAACWxld2lzLmh5cAAAAA0AAAAJbGV3aXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGHtz4FNkj0LuplU+12A/sx0bE4QeHLYhctXag9DSMGJz9yOpyMpK3PPKkm6leLdGYs7RUjxwXvcj+f4k16VXA0= root@atlas


@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 root@atlas


@ -1,17 +0,0 @@
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost) CASCRIPT=\(.cascript) CAKEY=\(.cakey)"')"
# TODO: Can this be done more eye-pleasingly?
set +e
CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '"'"$CASCRIPT"'" host "'"$CAKEY"'" "'"$PUBKEY"'" "'"$HOST"'".dmz')
retval=$?
set -e
if [ retval -neq 0 ]; then
CERT=""
fi
jq -n --arg cert "$CERT" '{"cert":$cert}'