nix,terraform: auto-generate tf variables based on hosts.nix

This commit is contained in:
Vivian 2021-11-25 00:15:19 +01:00
parent ad26c6b9d8
commit 48f27dcba2
No known key found for this signature in database
GPG key ID: A3923C699D1A3BDA
8 changed files with 165 additions and 93 deletions


@ -48,16 +48,31 @@
};
};
# Generates hosts.auto.tfvars.json for Terraform
genTFVars = let
hostToVar = z@{ hostname, mac, ... }: {
"${hostname}" = { inherit mac; };
};
hostSet = lib.foldr (el: acc: acc // hostToVar el) { } hosts;
json = builtins.toJSON { hosts = hostSet; };
in pkgs.writeScriptBin "gen-tf-vars" ''
echo '${json}' | ${pkgs.jq}/bin/jq > terraform/hosts.auto.tfvars.json;
echo "Generated Terraform Variables";
'';
# Import all nixos host definitions that are actual nix machines
nixHosts = filter ({ nix ? true, ... }: nix) hosts;
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ];
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system}
[ vault-secrets.overlay ];
deployChecks = mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
deployChecks =
mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
checks = { };
in {
# Make the config and deploy sets
nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
nixosConfigurations =
lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts;
apps.x86_64-linux.vault-push-approles = {
@ -70,6 +85,11 @@
"${pkgs.vault-push-approle-envs self}/bin/vault-push-approle-envs";
};
apps.x86_64-linux.tfvars = {
type = "app";
program = "${genTFVars}/bin/gen-tf-vars";
};
# Use by running `nix develop`
devShell.${system} = pkgs.mkShell {
VAULT_ADDR = "http://vault.olympus:8200/";
@ -86,6 +106,7 @@
vault
(vault-push-approles self { })
(vault-push-approle-envs self { })
genTFVars
];
};
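Review bot: The `gen-tf-vars` script writes to the relative path `terraform/hosts.auto.tfvars.json`, so running the app from any directory other than the repository root silently creates the file somewhere else; it should fail fast instead, e.g. `test -d terraform || { echo 'run from the repository root' >&2; exit 1; }`. The JSON is interpolated into single quotes inside the script, so a hostname containing `'` would break the quoting — writing it out with `pkgs.writeText` and feeding that file to jq avoids the problem. `pkgs.writeScriptBin` adds no shebang; `pkgs.writeShellScriptBin` does, and `set -euo pipefail` would keep the "Generated Terraform Variables" message from printing when jq fails. The enclosing let-binding and the flake outputs it belongs to start outside this hunk.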

result Symbolic link

@ -0,0 +1 @@
/nix/store/0z1qg2m6fjz3wpb93z3cjrvkr198rp6y-tf
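Review bot: `result` is the default output link left behind by `nix build`; it points at a store path (`/nix/store/0z1qg2m6fjz3wpb93z3cjrvkr198rp6y-tf`) that only exists on the author's machine and should not be committed. Remove it from the tree and add `result` and `result-*` to `.gitignore` so it does not come back in later commits.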


@ -0,0 +1,52 @@
{
"hosts": {
"WoolooTV": {
"mac": "74:40:be:48:85:a4"
},
"bastion": {
"mac": "82:F0:7C:CB:BD:6D"
},
"consul": {
"mac": "D6:DE:07:41:73:81"
},
"dhcp": {
"mac": "3E:2D:E8:AA:E2:81"
},
"dns-1": {
"mac": "5E:F6:36:23:16:E3"
},
"dns-2": {
"mac": "B6:04:0B:CD:0F:9F"
},
"edgerouter": {
"mac": "B4:FB:E4:53:9C:0A"
},
"eevee": {
"mac": "34:97:f6:93:9A:AA"
},
"home-assistant": {
"mac": "9E:60:78:ED:81:B4"
},
"k3s-node1": {
"mac": "2E:F8:55:23:D9:9B"
},
"minio": {
"mac": "0A:06:5E:E7:9A:0C"
},
"mosquitto": {
"mac": "C6:F9:8B:3D:9E:37"
},
"nginx": {
"mac": "6A:C2:89:85:CF:A6"
},
"nuc": {
"mac": "1C:69:7A:62:30:88"
},
"unifi-ap": {
"mac": "b4:fb:e4:f3:ff:1b"
},
"vault": {
"mac": "16:2B:87:55:0C:0C"
}
}
}


@ -1,12 +1,3 @@
provider "proxmox" {
pm_api_url = "https://10.42.42.42:8006/api2/json"
pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
pm_tls_insecure = true
}
terraform {
backend "s3" {
bucket = "terraform"
@ -22,63 +13,22 @@ terraform {
}
}
# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
resource "proxmox_lxc" "nixos-template" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
ostype = "unmanaged"
unprivileged = true
vmid = 101
template = true
memory = 1024
features {
nesting = true
}
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "22:D7:C1:FF:9D:5F"
}
provider "proxmox" {
pm_api_url = "https://10.42.42.42:8006/api2/json"
pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
pm_tls_insecure = true
}
resource "proxmox_lxc" "nixos-template-2" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostype = "unmanaged"
unprivileged = true
vmid = 108
template = true
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
features {
nesting = true
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "FA:71:3F:31:34:41"
}
provider "vault" {
address = "http://vault:8200"
skip_tls_verify = true
}
# Proxmox authentication for terraform
data "vault_generic_secret" "proxmox_auth" {
path = "secrets/terraform/proxmox_credentials"
}
# Imported from hosts.auto.tfvars.json
variable "hosts" { }
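Review bot: `variable "hosts" { }` declares the generated input with no type, so a malformed hosts.auto.tfvars.json (a host without `mac`, or a non-string value) is only caught when some resource dereferences it; constrain it with `type = map(object({ mac = string }))` and give it a `description` naming hosts.nix as the source, so the file reads as generated rather than hand-maintained. The deleted vault.tf also declared `data "vault_generic_secret" "minio_auth"`, which this file does not carry over; if anything still references it, the plan fails. The relocated provider blocks keep `pm_tls_insecure = true`, `skip_tls_verify = true` and a plain-http Vault address — pre-existing, but since the Proxmox credentials travel over these connections a comment explaining why verification is disabled, or a CA to verify against, would be worth adding.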


@ -1,3 +1,64 @@
# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
resource "proxmox_lxc" "nixos-template" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
ostype = "unmanaged"
unprivileged = true
vmid = 101
template = true
memory = 1024
features {
nesting = true
}
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "22:D7:C1:FF:9D:5F"
}
}
resource "proxmox_lxc" "nixos-template-2" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostype = "unmanaged"
unprivileged = true
vmid = 108
template = true
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
features {
nesting = true
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "FA:71:3F:31:34:41"
}
}
resource "proxmox_lxc" "vault" {
target_node = "nuc"
description = "Vault Secrets Management"
@ -18,7 +79,7 @@ resource "proxmox_lxc" "vault" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "16:2B:87:55:0C:0C"
hwaddr = var.hosts.vault.mac
}
}
@ -43,7 +104,7 @@ resource "proxmox_lxc" "mosquitto" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "C6:F9:8B:3D:9E:37"
hwaddr = var.hosts.mosquitto.mac
}
}
@ -68,7 +129,7 @@ resource "proxmox_lxc" "nginx" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "6A:C2:89:85:CF:A6"
hwaddr = var.hosts.nginx.mac
}
}
@ -92,7 +153,7 @@ resource "proxmox_lxc" "consul" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "D6:DE:07:41:73:81"
hwaddr = var.hosts.consul.mac
}
}
@ -117,7 +178,7 @@ resource "proxmox_lxc" "dns-1" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "5E:F6:36:23:16:E3"
hwaddr = var.hosts.dns-1.mac
}
}
@ -142,7 +203,7 @@ resource "proxmox_lxc" "dns-2" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "B6:04:0B:CD:0F:9F"
hwaddr = var.hosts.dns-2.mac
}
}
@ -166,7 +227,7 @@ resource "proxmox_lxc" "minio" {
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "0A:06:5E:E7:9A:0C"
hwaddr = var.hosts.minio.mac
}
}
@ -188,6 +249,6 @@ resource "proxmox_lxc" "dhcp" {
network {
name = "eth0"
bridge = "vmbr0"
hwaddr = "3E:2D:E8:AA:E2:81"
hwaddr = var.hosts.dhcp.mac
}
}
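Review bot: The two `nixos-template` resources moved into this file keep literal `hwaddr` values (`22:D7:C1:FF:9D:5F`, `FA:71:3F:31:34:41`) while every other container now reads `var.hosts.<name>.mac`, so hosts.nix is not yet the single source of truth the commit title describes; either add the templates to hosts.nix or mark the literals with a comment such as `# template MAC, intentionally not managed in hosts.nix`. With an untyped `var.hosts`, a host renamed or dropped in hosts.nix presumably surfaces only as an attribute lookup error at plan time rather than a clear validation message; a typed variable in main.tf would catch that earlier. The same lookup pattern is used for the three `proxmox_vm_qemu` resources in the following file, and the first hunk's `resource "proxmox_lxc" "vault"` block continues outside the hunk.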


@ -21,7 +21,7 @@ resource "proxmox_vm_qemu" "bastion" {
network {
model = "virtio"
macaddr = "82:F0:7C:CB:BD:6D"
macaddr = var.hosts.bastion.mac
bridge = "vmbr0"
}
}
@ -41,7 +41,7 @@ resource "proxmox_vm_qemu" "k3s-node1" {
network {
model = "virtio"
macaddr = "2E:F8:55:23:D9:9B"
macaddr = var.hosts.k3s-node1.mac
bridge = "vmbr0"
}
@ -70,7 +70,7 @@ resource "proxmox_vm_qemu" "home-assistant" {
network {
model = "virtio"
macaddr = "9E:60:78:ED:81:B4"
macaddr = var.hosts.home-assistant.mac
bridge = "vmbr0"
}
}


@ -1,13 +0,0 @@
provider "vault" {
address = "http://vault:8200"
skip_tls_verify = true
}
# Proxmox authentication for terraform
data "vault_generic_secret" "proxmox_auth" {
path = "secrets/terraform/proxmox_credentials"
}
data "vault_generic_secret" "minio_auth" {
path = "secrets/terraform/minio_credentials"
}