From 48f27dcba2f09987a65e22d956094612690a484b Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Thu, 25 Nov 2021 00:15:19 +0100 Subject: [PATCH] nix,terraform: auto generate tf variables based on hosts.nix --- flake.nix | 27 +++++++- result | 1 + terraform/hosts.auto.tfvars.json | 52 +++++++++++++++ terraform/main.tf | 82 +++++------------------- terraform/{lxc.tf => proxmox_lxc.tf} | 77 +++++++++++++++++++--- terraform/{vms.tf => proxmox_vm_qemu.tf} | 6 +- terraform/vault.tf | 13 ---- terraform/{version.tf => versions.tf} | 0 8 files changed, 165 insertions(+), 93 deletions(-) create mode 120000 result create mode 100644 terraform/hosts.auto.tfvars.json rename terraform/{lxc.tf => proxmox_lxc.tf} (67%) rename terraform/{vms.tf => proxmox_vm_qemu.tf} (90%) delete mode 100644 terraform/vault.tf rename terraform/{version.tf => versions.tf} (100%) diff --git a/flake.nix b/flake.nix index 28e67bc..630de2c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -48,16 +48,31 @@ }; }; + # Generates hosts.auto.tfvars.json for Terraform + genTFVars = let + hostToVar = z@{ hostname, mac, ... }: { + "${hostname}" = { inherit mac; }; + }; + hostSet = lib.foldr (el: acc: acc // hostToVar el) { } hosts; + json = builtins.toJSON { hosts = hostSet; }; + in pkgs.writeScriptBin "gen-tf-vars" '' + echo '${json}' | ${pkgs.jq}/bin/jq > terraform/hosts.auto.tfvars.json; + echo "Generated Terraform Variables"; + ''; + # Import all nixos host definitions that are actual nix machines nixHosts = filter ({ nix ? true, ... }: nix) hosts; - pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ]; + pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} + [ vault-secrets.overlay ]; - deployChecks = mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib; + deployChecks = + mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib; checks = { }; in { # Make the config and deploy sets - nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; + nixosConfigurations = + lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts; apps.x86_64-linux.vault-push-approles = { @@ -70,6 +85,11 @@ "${pkgs.vault-push-approle-envs self}/bin/vault-push-approle-envs"; }; + apps.x86_64-linux.tfvars = { + type = "app"; + program = "${genTFVars}/bin/gen-tf-vars"; + }; + # Use by running `nix develop` devShell.${system} = pkgs.mkShell { VAULT_ADDR = "http://vault.olympus:8200/"; @@ -86,6 +106,7 @@ vault (vault-push-approles self { }) (vault-push-approle-envs self { }) + genTFVars ]; }; diff --git a/result b/result new file mode 120000 index 0000000..aa1e5b2 --- /dev/null +++ b/result @@ -0,0 +1 @@ +/nix/store/0z1qg2m6fjz3wpb93z3cjrvkr198rp6y-tf \ No newline at end of file diff --git a/terraform/hosts.auto.tfvars.json b/terraform/hosts.auto.tfvars.json new file mode 100644 index 0000000..1498605 --- /dev/null 
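Review bot: In `genTFVars` the generated JSON is spliced into a single-quoted shell word (`echo '${json}' | ...`), so any `hostname` or `mac` value in hosts.nix containing a `'` breaks out of the quoting and is executed by the shell; write the JSON to the store instead and let jq read it, e.g. `in pkgs.writeShellScriptBin "gen-tf-vars" ''` / `${pkgs.jq}/bin/jq . ${pkgs.writeText "hosts.json" json} > terraform/hosts.auto.tfvars.json` / `echo "Generated Terraform Variables"`. Using `writeShellScriptBin` rather than `writeScriptBin` also adds the missing `#!` line, which the current script lacks, so `nix run .#tfvars` does not depend on the caller falling back to `sh`. The fold `acc // hostToVar el` only dedups on hostname, so two hosts sharing a MAC would silently produce two NICs with the same hwaddr on `vmbr0` (and, if hosts.nix also feeds the `dhcp` host's reservations, a collision there too); an `assert lib.length (lib.unique (map (h: lib.toLower h.mac) hosts)) == lib.length hosts;` in front of the script catches that at eval time. The emitted file mixes lower- and upper-case MACs (`74:40:be:...` vs `82:F0:7C:...`); normalising with `lib.toUpper mac` in `hostToVar` avoids provider-side case differences showing up as perpetual plan diffs, if the proxmox provider canonicalises the address.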
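Review bot: The `result` symlink pointing at `/nix/store/0z1qg2m6fjz3wpb93z3cjrvkr198rp6y-tf` looks like a stray `nix build` output rather than something meant to be tracked; it will go stale on the next build and dangles on every machine without that store path. Drop it from the commit and add `result` and `result-*` to `.gitignore` so it cannot be re-added by accident.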
+++ b/terraform/hosts.auto.tfvars.json @@ -0,0 +1,52 @@ +{ + "hosts": { + "WoolooTV": { + "mac": "74:40:be:48:85:a4" + }, + "bastion": { + "mac": "82:F0:7C:CB:BD:6D" + }, + "consul": { + "mac": "D6:DE:07:41:73:81" + }, + "dhcp": { + "mac": "3E:2D:E8:AA:E2:81" + }, + "dns-1": { + "mac": "5E:F6:36:23:16:E3" + }, + "dns-2": { + "mac": "B6:04:0B:CD:0F:9F" + }, + "edgerouter": { + "mac": "B4:FB:E4:53:9C:0A" + }, + "eevee": { + "mac": "34:97:f6:93:9A:AA" + }, + "home-assistant": { + "mac": "9E:60:78:ED:81:B4" + }, + "k3s-node1": { + "mac": "2E:F8:55:23:D9:9B" + }, + "minio": { + "mac": "0A:06:5E:E7:9A:0C" + }, + "mosquitto": { + "mac": "C6:F9:8B:3D:9E:37" + }, + "nginx": { + "mac": "6A:C2:89:85:CF:A6" + }, + "nuc": { + "mac": "1C:69:7A:62:30:88" + }, + "unifi-ap": { + "mac": "b4:fb:e4:f3:ff:1b" + }, + "vault": { + "mac": "16:2B:87:55:0C:0C" + } + } +} diff --git a/terraform/main.tf b/terraform/main.tf index 1f41c0e..49f13aa 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,12 +1,3 @@ -provider "proxmox" { - pm_api_url = "https://10.42.42.42:8006/api2/json" - pm_user = data.vault_generic_secret.proxmox_auth.data["user"] - pm_password = data.vault_generic_secret.proxmox_auth.data["pass"] - pm_tls_insecure = true -} - - - terraform { backend "s3" { bucket = "terraform" 
@@ -22,63 +13,22 @@ terraform { } } -# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/ -resource "proxmox_lxc" "nixos-template" { - target_node = "nuc" - description = "NixOS LXC Template" - hostname = "nixos-template" - ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" - ostype = "unmanaged" - unprivileged = true - vmid = 101 - template = true - - memory = 1024 - - features { - nesting = true - } - - rootfs { - storage = "local-zfs" - size = "8G" - } - - network { - name = "eth0" - bridge = "vmbr0" - ip = "dhcp" - ip6 = "auto" - hwaddr = "22:D7:C1:FF:9D:5F" - } +provider "proxmox" { + pm_api_url = "https://10.42.42.42:8006/api2/json" + pm_user = data.vault_generic_secret.proxmox_auth.data["user"] + pm_password = data.vault_generic_secret.proxmox_auth.data["pass"] + pm_tls_insecure = true } -resource "proxmox_lxc" "nixos-template-2" { - target_node = "nuc" - description = "NixOS LXC Template" - hostname = "nixos-template" - ostype = "unmanaged" - unprivileged = true - vmid = 108 - template = true - cores = 1 - - memory = 512 - - rootfs { - storage = "local-zfs" - size = "8G" - } - - features { - nesting = true - } - - network { - name = "eth0" - bridge = "vmbr0" - ip = "dhcp" - ip6 = "auto" - hwaddr = "FA:71:3F:31:34:41" - } +provider "vault" { + address = "http://vault:8200" + skip_tls_verify = true } + +# Proxmox authentication for terraform +data "vault_generic_secret" "proxmox_auth" { + path = "secrets/terraform/proxmox_credentials" +} + +# Imported from hosts.auto.tfvars.json +variable "hosts" { } diff --git a/terraform/lxc.tf b/terraform/proxmox_lxc.tf similarity index 67% rename from terraform/lxc.tf rename to terraform/proxmox_lxc.tf index b45a491..f1dbf88 100644 --- a/terraform/lxc.tf +++ b/terraform/proxmox_lxc.tf 
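Review bot: `variable "hosts" { }` carries no type, so a malformed entry in hosts.auto.tfvars.json (missing `mac`, wrong nesting) is only discovered when some `var.hosts.<name>.mac` traversal fails; declaring `type = map(object({ mac = string }))` validates the generated file at plan time with a clear error. Both providers in this block disable transport security: `pm_tls_insecure = true` sends the Proxmox user/password from `vault_generic_secret.proxmox_auth` to whatever answers at `10.42.42.42:8006` without certificate checks, and `address = "http://vault:8200"` fetches that secret (and presents the Vault token) over plaintext, making `skip_tls_verify = true` moot. Since this is now the single provider block for the repo, a comment such as `# TODO: pin the Proxmox CA (pm_tls_insecure = false) and move Vault to https before exposing either outside the lab VLAN` would at least record that this is a deliberate trade-off. Note also that values read through `vault_generic_secret` are persisted in Terraform state in the `terraform` S3 bucket, so that bucket needs the same access controls as Vault itself.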
@@ -1,3 +1,64 @@ +# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/ +resource "proxmox_lxc" "nixos-template" { + target_node = "nuc" + description = "NixOS LXC Template" + hostname = "nixos-template" + ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz" + ostype = "unmanaged" + unprivileged = true + vmid = 101 + template = true + + memory = 1024 + + features { + nesting = true + } + + rootfs { + storage = "local-zfs" + size = "8G" + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + ip6 = "auto" + hwaddr = "22:D7:C1:FF:9D:5F" + } +} + +resource "proxmox_lxc" "nixos-template-2" { + target_node = "nuc" + description = "NixOS LXC Template" + hostname = "nixos-template" + ostype = "unmanaged" + unprivileged = true + vmid = 108 + template = true + cores = 1 + + memory = 512 + + rootfs { + storage = "local-zfs" + size = "8G" + } + + features { + nesting = true + } + + network { + name = "eth0" + bridge = "vmbr0" + ip = "dhcp" + ip6 = "auto" + hwaddr = "FA:71:3F:31:34:41" + } +} + resource "proxmox_lxc" "vault" { target_node = "nuc" description = "Vault Secrets Management" @@ -18,7 +79,7 @@ resource "proxmox_lxc" "vault" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "16:2B:87:55:0C:0C" + hwaddr = var.hosts.vault.mac } } @@ -43,7 +104,7 @@ resource "proxmox_lxc" "mosquitto" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "C6:F9:8B:3D:9E:37" + hwaddr = var.hosts.mosquitto.mac } } @@ -68,7 +129,7 @@ resource "proxmox_lxc" "nginx" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "6A:C2:89:85:CF:A6" + hwaddr = var.hosts.nginx.mac } } @@ -92,7 +153,7 @@ resource "proxmox_lxc" "consul" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "D6:DE:07:41:73:81" + hwaddr = var.hosts.consul.mac } } @@ -117,7 +178,7 @@ resource "proxmox_lxc" "dns-1" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "5E:F6:36:23:16:E3" + hwaddr = var.hosts.dns-1.mac } } 
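Review bot: The two `nixos-template` resources moved into this file keep literal `hwaddr = "22:D7:C1:FF:9D:5F"` and `hwaddr = "FA:71:3F:31:34:41"`, while every other container in the same file now reads `var.hosts.<name>.mac`; as long as they stay hard-coded the duplicate-MAC and single-source-of-truth benefits of the commit do not cover them. Either add the templates to hosts.nix (with `nix = false` so they are not built as NixOS hosts, if that flag is what `nixHosts` filters on) or leave a comment on each stating why they are exempt, e.g. `# template MAC is never used on the network; intentionally not in hosts.nix`. Given that hostnames are data rather than schema, `var.hosts["dns-1"].mac` index syntax would also read more clearly than the hyphenated attribute traversal `var.hosts.dns-1.mac` used in the later hunks, though both are valid HCL.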
@@ -142,7 +203,7 @@ resource "proxmox_lxc" "dns-2" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "B6:04:0B:CD:0F:9F" + hwaddr = var.hosts.dns-2.mac } } @@ -166,7 +227,7 @@ resource "proxmox_lxc" "minio" { bridge = "vmbr0" ip = "dhcp" ip6 = "auto" - hwaddr = "0A:06:5E:E7:9A:0C" + hwaddr = var.hosts.minio.mac } } @@ -188,6 +249,6 @@ resource "proxmox_lxc" "dhcp" { network { name = "eth0" bridge = "vmbr0" - hwaddr = "3E:2D:E8:AA:E2:81" + hwaddr = var.hosts.dhcp.mac } } diff --git a/terraform/vms.tf b/terraform/proxmox_vm_qemu.tf similarity index 90% rename from terraform/vms.tf rename to terraform/proxmox_vm_qemu.tf index fbb73ac..a402a6a 100644 --- a/terraform/vms.tf +++ b/terraform/proxmox_vm_qemu.tf @@ -21,7 +21,7 @@ resource "proxmox_vm_qemu" "bastion" { network { model = "virtio" - macaddr = "82:F0:7C:CB:BD:6D" + macaddr = var.hosts.bastion.mac bridge = "vmbr0" } } @@ -41,7 +41,7 @@ resource "proxmox_vm_qemu" "k3s-node1" { network { model = "virtio" - macaddr = "2E:F8:55:23:D9:9B" + macaddr = var.hosts.k3s-node1.mac bridge = "vmbr0" } @@ -70,7 +70,7 @@ resource "proxmox_vm_qemu" "home-assistant" { network { model = "virtio" - macaddr = "9E:60:78:ED:81:B4" + macaddr = var.hosts.home-assistant.mac bridge = "vmbr0" } } diff --git a/terraform/vault.tf b/terraform/vault.tf deleted file mode 100644 index 7755a74..0000000 --- a/terraform/vault.tf +++ /dev/null @@ -1,13 +0,0 @@ -provider "vault" { - address = "http://vault:8200" - skip_tls_verify = true -} - -# Proxmox authentication for terraform -data "vault_generic_secret" "proxmox_auth" { - path = "secrets/terraform/proxmox_credentials" -} - -data "vault_generic_secret" "minio_auth" { - path = "secrets/terraform/minio_credentials" -} diff --git a/terraform/version.tf b/terraform/versions.tf similarity index 100% rename from terraform/version.tf rename to terraform/versions.tf