From b0c076755032b9280c0dafaf6ebcba4d821be87b Mon Sep 17 00:00:00 2001 From: Marcus Weiner Date: Sat, 24 Aug 2024 15:01:24 +0200 Subject: [PATCH 1/4] wip --- group_vars/all.yaml | 21 +++ netbox_inventory.yml | 2 +- .../templates/client-bridge.network.j2 | 5 +- roles/gateway/templates/dnsmasq.conf.j2 | 4 +- roles/kernel-full/tasks/main.yml | 7 + roles/service-ip/templates/bird.conf.j2 | 9 +- roles/service-ip/templates/service.network.j2 | 5 +- terraform/.terraform.lock.hcl | 125 +++++++++--------- terraform/domains/dev.tfvars | 2 + terraform/main.tf | 10 +- terraform/modules/supernode/interfaces.tf | 26 ++++ .../modules/supernode/management-ipv6.tf | 2 +- terraform/modules/supernode/primary-ipv4.tf | 20 ++- terraform/modules/supernode/primary-ipv6.tf | 16 +-- terraform/modules/supernode/provider.tf | 10 +- terraform/modules/supernode/variables.tf | 23 ++-- terraform/modules/supernode/vm.tf | 66 +++++---- terraform/primary-prefixes.tf | 29 ++-- terraform/providers.tf | 2 +- terraform/variables.tf | 12 +- 20 files changed, 239 insertions(+), 157 deletions(-) create mode 100644 terraform/domains/dev.tfvars create mode 100644 terraform/modules/supernode/interfaces.tf diff --git a/group_vars/all.yaml b/group_vars/all.yaml index b4c7908..5cb62ab 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -18,3 +18,24 @@ gateway_ipv4_address: >- ansible.utils.ipaddr(client_ipv4_container) | first }} +gateway_ipv6_address: >- + {{ client_bridge_interface.ip_addresses | + map(attribute='address') | + ansible.utils.ipv6 | + ansible.utils.ipaddr('public') | + first + }} + +wan_interface: "{{ interfaces | selectattr('name', 'equalto', 'eth0') | first }}" +service_ipv4_address: >- + {{ wan_interface.ip_addresses | + map(attribute='address') | + ansible.utils.ipv4 | + ansible.utils.ipaddr('public') | + first + }} + +loopback_interface: "{{ interfaces | selectattr('name', 'equalto', 'lo') | first }}" +service_ipv6_address: "{{ gateway_ipv6_address }}" + +domain_ipv6_subnet: "{{ gateway_ipv6_address | ipaddr('net') }}" diff --git a/netbox_inventory.yml b/netbox_inventory.yml index 220b9c6..c47fe11 100644 --- a/netbox_inventory.yml +++ b/netbox_inventory.yml @@ -2,8 +2,8 @@ plugin: netbox.netbox.nb_inventory api_endpoint: https://netbox.freifunk-duesseldorf.de/ validate_certs: True config_context: True -flatten_config_context: True interfaces: True +fetch_all: False query_filters: - role: supernode-v2 diff --git a/roles/gateway/templates/client-bridge.network.j2 b/roles/gateway/templates/client-bridge.network.j2 index 8cd3746..0222153 100644 --- a/roles/gateway/templates/client-bridge.network.j2 +++ b/roles/gateway/templates/client-bridge.network.j2 @@ -5,7 +5,9 @@ Name=br0 RequiredForOnline=no [Address] -Address={{ gateway_ipv4_address }} +{%- for addr in client_bridge_interface.ip_addresses %} +Address={{ addr }} +{%- endfor %} [Network] DHCPServer=yes @@ -14,4 +16,5 @@ DHCPServer=yes PoolOffset=10 PoolSize=64000 EmitDNS=yes +ServerAddress=10.12.255.254/16 DNS={{ service_ipv4_address | ipaddr('address') }} diff --git a/roles/gateway/templates/dnsmasq.conf.j2 b/roles/gateway/templates/dnsmasq.conf.j2 index 2ed66b8..afe34e4 100644 --- a/roles/gateway/templates/dnsmasq.conf.j2 +++ b/roles/gateway/templates/dnsmasq.conf.j2 @@ -1,7 +1,7 @@ interface=br0 except-interface=lo -listen-address={{ service_ipv4_address | ipaddr('address') }} -listen-address={{ service_ipv6_address | ipaddr('address') }} +listen-address={{ gateway_ipv4_address | ipaddr('address') }} +listen-address={{ gateway_ipv6_address | ipaddr('address') }} bind-interfaces cache-size=10000 diff --git a/roles/kernel-full/tasks/main.yml b/roles/kernel-full/tasks/main.yml index 7739b3e..d097d44 100644 --- a/roles/kernel-full/tasks/main.yml +++ b/roles/kernel-full/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Refresh package sources + apt: + update_cache: true + - name: Ensure full kernel package: name: linux-image-amd64 @@ -12,3 +16,6 @@ - linux-image-*-cloud-amd64 state: absent notify: reboot + +- name: Flush handlers + meta: flush_handlers diff --git a/roles/service-ip/templates/bird.conf.j2 b/roles/service-ip/templates/bird.conf.j2 index 47b215e..08dcff6 100644 --- a/roles/service-ip/templates/bird.conf.j2 +++ b/roles/service-ip/templates/bird.conf.j2 @@ -1,5 +1,4 @@ -# TODO: use stable address -router id {{ ansible_default_ipv4.address }}; +router id {{ service_ipv4_address }}; log syslog all; @@ -12,7 +11,7 @@ protocol static service_v4 { protocol static service_v6 { ipv6; - route {{ service_ipv6_address }} blackhole; + route {{ domain_ipv6_subnet }} blackhole; } define ffddorf_asn = 207871; @@ -33,14 +32,14 @@ template bgp ffddorf { filter service { if net ~ {{ service_ipv4_address }} then accept; - if net ~ {{ service_ipv6_address }} then accept; + if net ~ {{ domain_ipv6_subnet }} then accept; reject; } {% for router in routers %} protocol bgp service_v4_{{ router.name | lower }} from ffddorf { description "Service Address Announcement IPv4 to {{ router.name }}"; - local {{ ansible_default_ipv4.address }}; + local {{ service_ipv4_address }}; neighbor {{ router.bgp_peer_ipv4_address }} as ffddorf_asn; ipv4 { diff --git a/roles/service-ip/templates/service.network.j2 b/roles/service-ip/templates/service.network.j2 index 7306412..fd7b449 100644 --- a/roles/service-ip/templates/service.network.j2 +++ b/roles/service-ip/templates/service.network.j2 @@ -2,5 +2,6 @@ Name=lo [Network] -Address={{ service_ipv4_address }} -Address={{ service_ipv6_address }} +{%- for addr in loopback_interface.ip_addresses %} +Address={{ addr }} +{%- endfor %} diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 3b22727..eea394d 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl @@ -25,84 +25,87 @@ provider "registry.terraform.io/e-breuninger/netbox" { } provider "registry.terraform.io/ffddorf/iphelpers" { - version = "1.0.0" + version = "1.0.1" constraints = "~> 1.0.0" hashes = [ - "h1:lOm9S1tvKHX+h8ahYH/mq4RmHZqFrOknG1E5P25VrDk=", - "zh:0c8c0f62d70aed6bd160aa3dc371ba09f614c24ca31361ca5643da690785f1a1", - "zh:409da07d45c56d39aec3395b37738c9287ab01b9bf39ec2eb96b781a35b56e94", - "zh:41acca7af903afcf3f1ce2c63835d3c616fadc5acab11b89380e89ba482ad6ba", - "zh:42a6354bde35450a72a4ec50a669675fd1c24b118da8ce2c5c70060e4ab17f14", - "zh:4a59c564da4d49df2b9f5b6bbd71c5d30b2f29f56a3c0c1c20add888209ce0ef", - "zh:693114f69a794820fffe1db9039691bbe91321cc1223413b9c15b3dce4f39fdb", - "zh:715baa3b349972e462ffafdce1ff161ff7164a054fd35f3d36c64f67a26bd119", - "zh:729a80591ea58c0819b84b4acf33479f558ba89fd10fb553450e1a6e0d475736", - "zh:74a0cbabe194485b86947b043c547452db6f73ac34479c3e469a97041d0511e0", - "zh:74cbec9a7e58407026bae7a0af481864e39aa543235e40742bf8d48b26b9bf08", - "zh:80c340fc240029d33632d4e51170d3ebc2fcfe43960fdf4e7113f5d1587c7031", - "zh:94894e330276b90db2ba5e5816984b47a4c9c5306322693e69b76f0d08e5fe01", + "h1:gAv/9xwAuj2VbeWW6X3H+4uxZN+NUIoDuwz0a6moc3I=", + "zh:164159c946f1a34f189af9ac6e41f91bdd6eba18a4e8da7b3ca08ba9c614b5d6", + "zh:1eacf7122e8d99ea5a02136b7ebfdfb173212e83129e1b3b6898d8011121a80d", + "zh:21ac01055525d7529cb06b9d5e127889fef6f99d6873a7e79401d3c29f63456d", + "zh:2bd43f3603134f7125239f1f3f6e0f3016b0a3b7ffa2e4ad688cebaf543a2dba", + "zh:431a73800aec3998436c3116a1f38b5b17b0a9ea15987c7f1a618d0006ab001d", + "zh:658cb79264f7a637381245167d2afa29417409390a54332bae9a3e9aff11b877", + "zh:74eba59c89af517eb7c1d9bb4554d4c6d3e213b300d967e67096bee51b6dc6f1", + "zh:9a50447ddea8b4b57e8a220ea979c99e8349b04e43738241d2cc1e22c90a5ef2", + "zh:a00c85470d1e1f81523efb68ddde7e1cc8af9a0662379615fef2b369164cad16", "zh:a33d53acc640dc93b81352ba633cf392bc8c7614a72d320d59d3dcdb22d73fc4", - "zh:d808c2afe57a0cda4383d8c9cb1444171fa6d0aa8badf219fda6b0ae8af36286", - "zh:e8efdb75df6346d4df0cc24344b614dd4a6db422977012257a02d4f1982b533a", + "zh:b1086b1a360a05efa9ca1dd6bd48f32a652bedef7005e217a42b87f45b4b3296", + "zh:b167aaf4d18e69d5c41e8b9de1c4b0da79878261dc4d0d5462c8ee482e492676", + "zh:f7f6fbeaf226adda6790d6e2e93ebb0c86fa1df028a5ff8d334da5002f92f7d2", + "zh:f94f92c2bdf96b85c57bd670a8c178ed246d4260ad960b3d93a7c12d91b5f601", + "zh:f9fa75b5e5d06afe014829ca8aac9fb8b6e8adba0bc43b3d2d2fff2b0b3148d6", ] } provider "registry.terraform.io/hashicorp/http" { - version = "3.4.1" + version = "3.4.4" hashes = [ - "h1:RLJ1zsc2ScUFapTANM91XHyAY7715gP3yPlBOcaBKuk=", - "zh:2a79832069a34e88ec997fb8d2c2bdad6f40bfe93a4ae5e6e7f0caf4eea2a9e5", - "zh:37d3611857ab207e1565e441a2df9020b1326b7df31e5656165cb6817306494b", - "zh:48cc974b12544be18c18bfcb5ea21a4818d03b897e96fb9b4d0d9303883cb3fa", - "zh:4b8da2ffe868082830173fdcc8632e2705918e0396c72158d7822650bb1d3bf6", + "h1:EqpXf0aaUCTyYzlNP9XhjzAMMImD1T5bAy1pgLjWx4s=", + "zh:28910c348aff60df15cb70c2838c5dac463de5d52fe41a511f122b0b5fa6032d", + "zh:61ddcdb703900b01a8d38c67bd68304e87e05aa82c2d6636a5c49813b0cee8bf", + "zh:6d7ba9fcebff1079b9cbad066874d83680a4aedc997baa597927f59b29a69186", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8148614299a21be04dd11268047e110df3ce9ef585d6240bed2f196839946efa", - "zh:a6d583cb70b1355fbc7b1c2cffaa53e4703b04ced9d0ecf78708129ce7072128", - "zh:a95f770e8913dd48fde8836cf993fafdbf7da5308a6fbd3d455cb10737742990", - "zh:b36784e6602e6ae7ba67560ebcfd055b4448cb0edf9bf35744c2f32ddbd8fa2d", - "zh:c23b37fd9e481269fc55735b24c7e8877057c08b42671c796816409d54486a1c", - "zh:df07252b27120020d91d7ad11f7ea92832d8df2e81b55a658ac1eb93dc6b8d18", - "zh:e44dc5a1fd5995bfd21d385949d539c619e8b37b69875bd92ad4aa18e2435722", + "zh:82caa166f57808dd8421e9edf51bca0692135ca06ab548d5a2e3fe612bdd45a6", + "zh:95cb8ece59966d8f4020660879728dabaa158b3d188f22c0b92229347e740346", + "zh:ae56558b4262a4de250eec83e200ea4647badde10d1a14ed273f4daff650336f", + "zh:c1c5051eab9d9759fdb31bca6d7575a693558887a1156fa5f268963e05be4d92", + "zh:c90234ce3877e54be5b43493f51b582c6f9cb09138844cb048f63e9cd9f230fa", + "zh:cb237c6c47f085bf15149d6d2727b8bf108267582a30e7e2cd7393115896d003", + "zh:e7d782985f8b422cf265a856541ddb14f0d3ab0b54eb1aad6087ccfedacc7335", + "zh:ed0cc12d15226499fc7d173ad2b156c1934efae718cf254e79ca7f0ccd686b6d", ] } -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" +provider "registry.terraform.io/ivoronin/macaddress" { + version = "0.3.2" + constraints = "~> 0.3.2" hashes = [ - "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + "h1:LS/VDOR+qyThCjz+7ZnXxar/Jo/au6tfqdmHf3h8hMY=", + "zh:00cb168d9210ed88cfa7de8a33d5666b2cf6660a5d20a7a96348b8b902833eca", + "zh:1366458320df0b6f1132e59b5410931c0c5626bbf27b05b29dd311311a710e9b", + "zh:2e8102c7f6046665c95b806752d692843f2e846554f7eba85690cd2087c9048a", + "zh:3c1ae52f855d0e694ad28eb34ec41c553344aaa7bd51adaa48cf15e3ee842e17", + "zh:496d8db2055cead9d264fdad83534318e3ab77ce06e38d43674a4ec25c0e860d", + "zh:54c5eeae7cc61d706080256e06aaf509869b1d86297b9e99948a2fe2af6d455b", + "zh:5f26e851048be3c56f3706b7fde25fe76dd30003ef6356216dc9ecff400218bb", + "zh:5fc1debcd0fe043dfce00ab110e180b896a1a9958edea7d81d05aacc9b630e5e", + "zh:650045261b382b4559fd1bd190d6cabbeb022b53d7e240eb6b66f6824ca81bf4", + "zh:7203dea017883e8fdd7ba66c9b1a9aac0cab101133e4eeab365c4d0995194272", + "zh:726a9222d15f11316587c199ee367bae1d5495ff16ebdfc41635f7628834a8d6", + "zh:c9f3bcaa073a0921189bd74ef6b2b57cad34b3eb01788c010df8a15fd9d8045c", + "zh:d3fba491b0ff0d3d64162216159232398a75ad81c31e4304335d6b76b74a864a", + "zh:e80011c6e3af4eeafdeda9bd118a774f8b7cdf1f133953abf827f313653ec184", ] } provider "registry.terraform.io/telmate/proxmox" { - version = "2.9.11" - constraints = "2.9.11, <= 2.9.11" + version = "3.0.1-rc3" + constraints = "3.0.1-rc3, ~> 3.0.1" hashes = [ - "h1:Czc5iE16om2ruA/xfSR+3hT2NX0bfKkgsaQGnpIeoIc=", - "zh:0db1e3940cf208e56919e68c6d557dfc87d380316a474c8999916308bf991440", - "zh:2a0ae7af5b2f96d53b24f34575bc72ccbb79cab870901f26f00a301613f7c69e", - "zh:2f9eb4a4d2c5db04ec0940d7e250aaf1bac559acc787a5883688ba42159f8b8e", - "zh:362a5b44995a51c8de78f0106aa7741f212bb15fbf2d7477794ea3ee63e2c17d", - "zh:4d212404b741848cef1e469e390ad1df659bbfa8d47cd079d82d83c288925438", - "zh:54a65a01946839db263f8da389791863f6909db9d5fcfdb472e23b14883a5b6c", - "zh:5dfc95303efc53686b23762dfa4c50d887eb4cc0a3e9d527adc29b3a9f0439eb", - "zh:68db84c007cbdd7267d1f7b767b0b2b91e9ee2e2b92ac1d8a1568f3bc61e67cd", - "zh:85d45466445883ae64eed3d5fcb996de389ecf9268f0f7d2f22911fb3f56a344", - "zh:8673f8c794ea8413dc9a3933902492b3e5be99e79bc611fcef415be7d7268210", - "zh:d5041f72f550f3c81dafecb4e7dfca9f849737154a0e2c81434df6c72d75af25", - "zh:e60e03b495dd76660784a8ab07d8db0ce1df7165e713efb350c1864d92f87a8c", - "zh:ed1f75a2fe7d764356119a590f301ab8fd40cfeea78a514450868beb92115f28", - "zh:efa4140b78775509665370c915e60c9043a1325d608f96da151f8f7fcc7cb45e", + "h1:T4bbKkNL+iIAcGrtVv0CUnTkrBkHclX9Vc/e+t+o1l4=", + "zh:3699c41289c6fbe0f33b6c54360d43dcfba429de5fbf49506df9276d03aea915", + "zh:486c9ddda427d3fecdc6dfa189fce85c4a2aa1f490b024d636c0ac6a4dd3c692", + "zh:6091e141a0b8dcb1632c31e0f9555117bb023176c5d083f0e03441bbcf673a4e", + "zh:63d312c2c2994ed39dcb47b4d43c89990bd5fff20dbda63cddfb11c9202270f4", + "zh:6e69c70a85cfa720f543090ee3ce7d2eb2902df19657121b8b7ae64d44875d9f", + "zh:897b9f6075262fc9533f87d470217b14ae82614c6818a26b578a6d41c403d4eb", + "zh:91c24bd374fb8ee0c9e4e1c213d157139c047be78b0cafac3c4c9724db8083b0", + "zh:a224b58759314dc045fdbfc88b63b036b8ca6f75ad32606e94b553f150077c13", + "zh:a56e940c71b45e222c69a2a45388b58ed319836b922f84f62bded5b063662f4a", + "zh:b2e0a83aa535cd3493fbc7485d05d1a823c48bf487e313703f01a17edc631908", + "zh:ba0ad4fea8ba3b01c67fb164ed92fa927ac70d2d898378d192a01e818fcf6bee", + "zh:c49ebe13e7011d35d72e8e6a720df83f21c106444ef4383c5d6c0015aee55db6", + "zh:c53e2775040e103aedcce06b9acb79ca5fccdb4c578a4b6e32489c89e9c652dc", + "zh:c9002cc470ccfd8cd298d5655cf76af84b1d8a200207973d9ad80235818e89e3", ] } diff --git a/terraform/domains/dev.tfvars b/terraform/domains/dev.tfvars new file mode 100644 index 0000000..28a84a0 --- /dev/null +++ b/terraform/domains/dev.tfvars @@ -0,0 +1,2 @@ +domain_name = "dev" +domain_id = 12 diff --git a/terraform/main.tf b/terraform/main.tf index 0a0ffe0..5cce9ac 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,6 +1,3 @@ -resource "null_resource" "test" { -} - module "supernode" { count = var.supernode_count @@ -8,9 +5,10 @@ module "supernode" { supernode_name = "${var.domain_name}-${count.index}" - prefix_ipv4_id = data.netbox_prefix.primary_ipv4.id - prefix_ipv6_id = netbox_available_prefix.domain_ipv6.id - loopback_prefix_ipv6_id = netbox_prefix.loopback_ipv6.id + public_ipv4_prefix_id = data.netbox_prefix.primary_ipv4.id + domain_ipv4_id = netbox_prefix.domain_ipv4.id + domain_ipv6_id = netbox_prefix.domain_ipv6.id + domain_vrf_id = data.netbox_vrf.mesh.id vm_ssh_keys = local.ssh_keys } diff --git a/terraform/modules/supernode/interfaces.tf b/terraform/modules/supernode/interfaces.tf new file mode 100644 index 0000000..2b8d8ae --- /dev/null +++ b/terraform/modules/supernode/interfaces.tf @@ -0,0 +1,26 @@ +resource "macaddress" "eth0" {} + +resource "netbox_interface" "eth0" { + virtual_machine_id = netbox_virtual_machine.supernode.id + + name = "eth0" + mac_address = macaddress.eth0.address + + tags = toset(var.tags) +} + +resource "netbox_interface" "lo" { + virtual_machine_id = netbox_virtual_machine.supernode.id + name = "lo" + + tags = toset(var.tags) +} + +resource "netbox_interface" "br0" { + virtual_machine_id = netbox_virtual_machine.supernode.id + + name = "br0" + description = "client bridge" + + tags = toset(var.tags) +} diff --git a/terraform/modules/supernode/management-ipv6.tf b/terraform/modules/supernode/management-ipv6.tf index 7124bd8..2aacd32 100644 --- a/terraform/modules/supernode/management-ipv6.tf +++ b/terraform/modules/supernode/management-ipv6.tf @@ -3,7 +3,7 @@ data "netbox_prefix" "management_net" { } data "iphelpers_eui64_address" "supernode_management" { - mac_address = proxmox_vm_qemu.supernode.network[0].macaddr + mac_address = macaddress.eth0.address prefix = trimsuffix(data.netbox_prefix.management_net.prefix, "/64") } diff --git a/terraform/modules/supernode/primary-ipv4.tf b/terraform/modules/supernode/primary-ipv4.tf index e04a356..06ac940 100644 --- a/terraform/modules/supernode/primary-ipv4.tf +++ b/terraform/modules/supernode/primary-ipv4.tf @@ -2,7 +2,7 @@ resource "netbox_available_prefix" "primary_ipv4" { description = "Primary Address ${var.supernode_name}" status = "active" - parent_prefix_id = var.prefix_ipv4_id + parent_prefix_id = var.public_ipv4_prefix_id prefix_length = 32 tags = toset(var.tags) @@ -14,7 +14,23 @@ resource "netbox_available_ip_address" "primary_ipv4" { description = "Primary Address ${var.supernode_name}" prefix_id = netbox_available_prefix.primary_ipv4.id - // TODO: set interface_id + + object_type = "virtualization.vminterface" + interface_id = netbox_interface.eth0.id + + tags = toset(var.tags) +} + +resource "netbox_available_ip_address" "lan_ipv4" { + status = "active" + + description = "LAN Address ${var.supernode_name}" + + prefix_id = var.domain_ipv4_id + vrf_id = var.domain_vrf_id + + object_type = "virtualization.vminterface" + interface_id = netbox_interface.br0.id tags = toset(var.tags) } diff --git a/terraform/modules/supernode/primary-ipv6.tf b/terraform/modules/supernode/primary-ipv6.tf index 67a1fdb..cfb1d2b 100644 --- a/terraform/modules/supernode/primary-ipv6.tf +++ b/terraform/modules/supernode/primary-ipv6.tf @@ -1,20 +1,12 @@ -resource "netbox_available_prefix" "primary_ipv6" { - description = "Primary Address ${var.supernode_name}" - status = "active" - - parent_prefix_id = var.loopback_prefix_ipv6_id - prefix_length = 128 - - tags = toset(var.tags) -} - resource "netbox_available_ip_address" "primary_ipv6" { status = "active" description = "Primary Address ${var.supernode_name}" - prefix_id = netbox_available_prefix.primary_ipv6.id - // TODO: set interface_id + prefix_id = var.domain_ipv6_id + + object_type = "virtualization.vminterface" + interface_id = netbox_interface.br0.id tags = toset(var.tags) } diff --git a/terraform/modules/supernode/provider.tf b/terraform/modules/supernode/provider.tf index 5b96709..69e7f44 100644 --- a/terraform/modules/supernode/provider.tf +++ b/terraform/modules/supernode/provider.tf @@ -4,14 +4,16 @@ terraform { source = "e-breuninger/netbox" } proxmox = { - source = "Telmate/proxmox" - # newer versions have issues with granular permission on a token - # https://github.com/Telmate/terraform-provider-proxmox/issues/784 - version = "<= 2.9.11" + source = "Telmate/proxmox" + version = "~> 3.0.1" } iphelpers = { source = "ffddorf/iphelpers" version = "~> 1.0.0" } + macaddress = { + source = "ivoronin/macaddress" + version = "~> 0.3.2" + } } } diff --git a/terraform/modules/supernode/variables.tf b/terraform/modules/supernode/variables.tf index ab6dd90..7ce2576 100644 --- a/terraform/modules/supernode/variables.tf +++ b/terraform/modules/supernode/variables.tf @@ -9,31 +9,36 @@ variable "tags" { default = [] } -variable "prefix_ipv4_id" { +variable "public_ipv4_prefix_id" { type = string - description = "ID of the Supernode IPv4 prefix" + description = "ID of the prefix to assign a public IPv4 address from" } -variable "prefix_ipv6_id" { +variable "domain_ipv4_id" { type = string - description = "ID of the Supernode IPv6 prefix" + description = "ID of the Domain IPv4 prefix" } -variable "loopback_prefix_ipv6_id" { +variable "domain_ipv6_id" { type = string - description = "ID of the Loopback Supernode IPv6 prefix" + description = "ID of the Domain IPv6 prefix" +} + +variable "domain_vrf_id" { + type = string + description = "ID of the VRF for this domain" } variable "management_prefix_ipv6" { type = string description = "Prefix to use for the statically assigned IPv6 management address" - default = "2001:678:b7c:201::/64" + default = "2001:678:b7c:205::/64" } variable "vm_target_node" { type = string description = "Node to launch VM on" - default = "pm2" + default = "pm4" } variable "vm_template_name" { @@ -51,7 +56,7 @@ variable "vm_storage_pool_name" { variable "vm_resource_pool" { type = string description = "Proxmox pool to create VM in" - default = "Supernodes2.0" + default = "supernodes-v2" } variable "vm_ssh_keys" { diff --git a/terraform/modules/supernode/vm.tf b/terraform/modules/supernode/vm.tf index 823045d..5a78a58 100644 --- a/terraform/modules/supernode/vm.tf +++ b/terraform/modules/supernode/vm.tf @@ -1,5 +1,7 @@ locals { vm_name = "supernode-${var.supernode_name}" + cores = 2 + memory = 1024 } resource "proxmox_vm_qemu" "supernode" { @@ -11,19 +13,32 @@ resource "proxmox_vm_qemu" "supernode" { clone = var.vm_template_name full_clone = false - cores = 2 + cores = local.cores sockets = 1 - memory = 1024 - - disk { - type = "scsi" - storage = var.vm_storage_pool_name - size = "4G" + memory = local.memory + + disks { + ide { + ide2 { + cloudinit { + storage = "system" + } + } + } + + scsi { + scsi0 { + disk { + size = "10G" + storage = "system" + } + } + } } scsihw = "virtio-scsi-pci" boot = "c" - bootdisk = "virtio0" + bootdisk = "scsi0" vga { type = "serial0" @@ -36,15 +51,15 @@ resource "proxmox_vm_qemu" "supernode" { } network { - model = "virtio" - bridge = "vmbr0" + model = "virtio" + bridge = "vmbr0" + tag = 5 + macaddr = macaddress.eth0.address } - cloudinit_cdrom_storage = var.vm_storage_pool_name - agent = 1 os_type = "cloud-init" - ipconfig0 = "ip=dhcp,ip6=auto" + ipconfig0 = "ip=${netbox_available_ip_address.primary_ipv4.ip_address},gw=0.0.0.0,ip6=auto" ciuser = "admin" sshkeys = join("\n", var.vm_ssh_keys) @@ -53,6 +68,7 @@ resource "proxmox_vm_qemu" "supernode" { lifecycle { ignore_changes = [ define_connection_info, + clone, ] } } @@ -65,16 +81,6 @@ data "netbox_device_role" "supernode" { name = var.vm_role_name } -locals { - size_constants = { - G = 1024 * 1024 * 1024 - M = 1024 * 1024 - K = 1024 - } - disk_size_parts = regex("^([0-9]+)([GMK])$", proxmox_vm_qemu.supernode.disk[0].size) - disk_size_bytes = parseint(local.disk_size_parts[0], 10) * local.size_constants[local.disk_size_parts[1]] -} - resource "netbox_virtual_machine" "supernode" { site_id = data.netbox_cluster.vm_cluster.site_id cluster_id = data.netbox_cluster.vm_cluster.id @@ -82,9 +88,8 @@ resource "netbox_virtual_machine" "supernode" { status = "staged" role_id = data.netbox_device_role.supernode.id - vcpus = proxmox_vm_qemu.supernode.cores - memory_mb = proxmox_vm_qemu.supernode.memory - disk_size_gb = local.disk_size_bytes / local.size_constants.G + vcpus = local.cores + memory_mb = local.memory tags = toset(var.tags) @@ -95,12 +100,3 @@ resource "netbox_virtual_machine" "supernode" { ] } } - -resource "netbox_interface" "eth0" { - virtual_machine_id = netbox_virtual_machine.supernode.id - - name = "eth0" - mac_address = proxmox_vm_qemu.supernode.network[0].macaddr - - tags = toset(var.tags) -} diff --git a/terraform/primary-prefixes.tf b/terraform/primary-prefixes.tf index f58bcf3..8218827 100644 --- a/terraform/primary-prefixes.tf +++ b/terraform/primary-prefixes.tf @@ -2,23 +2,30 @@ data "netbox_prefix" "primary_ipv4" { prefix = var.primary_prefix_ipv4 } -data "netbox_prefix" "primary_ipv6" { +data "netbox_prefix" "ipv6_container" { prefix = var.primary_prefix_ipv6 } -resource "netbox_available_prefix" "domain_ipv6" { - description = "Supernode IPv6 addresses ${var.domain_name}" - prefix_length = 56 - status = "reserved" - parent_prefix_id = data.netbox_prefix.primary_ipv6.id +resource "netbox_prefix" "domain_ipv6" { + prefix = cidrsubnet(data.netbox_prefix.ipv6_container.prefix, 8, var.domain_id) + description = "Supernode IPv6 addresses ${var.domain_name}" + status = "active" tags = toset(var.tags) } -resource "netbox_prefix" "loopback_ipv6" { - prefix = cidrsubnet(netbox_available_prefix.domain_ipv6.prefix, 8, 0) - description = "Supernode IPv6 loopback addresses ${var.domain_name}" - status = "reserved" +output "domain_ipv6_prefix" { + value = netbox_prefix.domain_ipv6.prefix +} - tags = toset(var.tags) +data "netbox_vrf" "mesh" { + name = "Mesh" +} + +resource "netbox_prefix" "domain_ipv4" { + prefix = cidrsubnet("10.0.0.0/8", 8, var.domain_id) + description = "Supernode client subnet ${var.domain_name}" + status = "active" + + vrf_id = data.netbox_vrf.mesh.id } diff --git a/terraform/providers.tf b/terraform/providers.tf index 2317ea2..c13234c 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -6,7 +6,7 @@ terraform { } proxmox = { source = "Telmate/proxmox" - version = "2.9.11" + version = "3.0.1-rc3" } } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 2e0bd53..08533cb 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,7 +1,11 @@ variable "domain_name" { type = string description = "Name of the supernode domain" - default = "dev" +} + +variable "domain_id" { + type = number + description = "Number of this domain (used in network addressing)" } variable "tags" { @@ -13,7 +17,7 @@ variable "tags" { variable "supernode_count" { type = number description = "Number of supernodes for this domain" - default = 2 + default = 1 } variable "primary_prefix_ipv4" { @@ -24,8 +28,8 @@ variable "primary_prefix_ipv4" { variable "primary_prefix_ipv6" { type = string - description = "Prefix to issue primary IPv6 addresses from" - default = "2001:678:b7c::/48" + description = "Prefix to issue IPv6 subnet from" + default = "2001:678:b7c:700::/56" } variable "ssh_github_users" { From 07e104e9c926d269ea37e3c9fede812945fdd894 Mon Sep 17 00:00:00 2001 From: Marcus Weiner Date: Sun, 25 Aug 2024 23:59:05 +0200 Subject: [PATCH 2/4] Upgrade provider --- terraform/.terraform.lock.hcl | 29 +++++++++++------------------ terraform/providers.tf | 2 +- 2 files changed, 12 insertions(+), 19 deletions(-) diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index eea394d..4b56c5d 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl @@ -2,25 +2,18 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/e-breuninger/netbox" { - version = "3.8.0" - constraints = "3.8.0" + version = "3.9.0" + constraints = "3.9.0" hashes = [ - "h1:0JK/7pepriVNEa0b1F72gDFVo8nJKmg0Sy21Oa5cm6I=", - "h1:A/7a1MJhlwYP6rmPhiDDI7fdD3mrjixnn+5RNEGSD0E=", - "h1:N2KkkESzU+yBen/qo98K+xB+yf9EmMk3Urzdk30Br+g=", - "h1:VTiALb6Uezl8RZmNsIu4zYu1o6fngGr+8LWVpMFhbT8=", - "h1:gr0+MvaFHZgRYK76g4ak/jNwXX/M+zfyDlU/sczScO4=", - "h1:jeNV/v/u+nKuCHqgSjtXaJJiA3RTXE7CsuhHBmOoG4U=", - "h1:mkm+wxLIwnBSm1/qzmJR+x3ZKWtI2suiAof0pTmnyJY=", - "h1:zUFP+KuAkfpNEwMuSEFnCKZ9Cx7fzB0x7z6xe9XiYhI=", - "zh:23c74c155b99fab6eb9db6c4f1e9d47e2962cd2d72b1b07357a0da71c726add9", - "zh:50751d67f9eeeee1379485f1765dc8ede976b704fa44290ffe77085d4bc2f51b", - "zh:7d13af8050d677b71fb65b314e62da255168322d05403fb16cb39c908d280e76", - "zh:819b919f89db60d183388d961fbe94145f8d6013edde3cf9f0d39625841aa7e3", - "zh:8548b7f2c914f6a8a462d87df4c485bf6698214a6b05614232e231dc7ae179a1", - "zh:91f26b88b79f4f9ca40fae68220cbdea89d003a97f3969927e7e8501c0952d4d", - "zh:f52ee127b201699bd62142f4a1ae7cb73eb532dfe5e5e1f813506923c5423240", - "zh:febdbe33cb2b5725232109e58a99499c9183061ad6c95abc1ee1a2d1e6e472a7", + "h1:lAGWALJ+sw+RIJJQjVU0AQHDyzDx2l6LmJ5IRtE6+6U=", + "zh:1179589f3d23794ef85cb1df9d1bbb2b57b8fdb27da392170438728e8b6f8ac6", + "zh:21b2348d794faa2c3ea4d994fd657018652ab9d3972af4b462650270ee49308d", + "zh:2cb970d303f5a77d061b607705e2add1e51f925d38901f3d24d9efdc0fbb552e", + "zh:4348f2cf8ccdee3d7574cfaedcb5b06e63c2c0e0415300b27a04434f815ed539", + "zh:4d6ca2b0ad96c1d5346f1fe1a807d45409185d5898634f8aabdff7ae98cfc938", + "zh:4f056a8c5b49060beb2ecb094e6e1845ddfeaace5867781bd77e813be87f78f3", + "zh:b74c58bd86cd48051471c584aea9ecf2d821ef0c9d17fca3463ec1c8db60d713", + "zh:e57f9e5463a8db7012b40606d5d4be03ec7647e322e55d8aeb6cd4873653625a", ] } diff --git a/terraform/providers.tf b/terraform/providers.tf index c13234c..9c825a0 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { netbox = { source = "e-breuninger/netbox" - version = "3.8.0" + version = "3.9.0" } proxmox = { source = "Telmate/proxmox" From 36a6a20dba5eec188768af6f1d5d3e0143bb2996 Mon Sep 17 00:00:00 2001 From: Marcus Weiner Date: Mon, 26 Aug 2024 23:46:12 +0200 Subject: [PATCH 3/4] Prevent dependency cycle between resources --- terraform/modules/supernode/vm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/supernode/vm.tf b/terraform/modules/supernode/vm.tf index 5a78a58..5bc185b 100644 --- a/terraform/modules/supernode/vm.tf +++ b/terraform/modules/supernode/vm.tf @@ -59,7 +59,7 @@ resource "proxmox_vm_qemu" "supernode" { agent = 1 os_type = "cloud-init" - ipconfig0 = "ip=${netbox_available_ip_address.primary_ipv4.ip_address},gw=0.0.0.0,ip6=auto" + ipconfig0 = "ip=${netbox_available_prefix.primary_ipv4.prefix},gw=0.0.0.0,ip6=auto" ciuser = "admin" sshkeys = join("\n", var.vm_ssh_keys) From 77a9a49c063bd84dda01fc9ca44b750fa0979d3d Mon Sep 17 00:00:00 2001 From: Marcus Weiner Date: Mon, 26 Aug 2024 23:49:24 +0200 Subject: [PATCH 4/4] Make terraform workflow domain specific --- .github/workflows/terraform.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 48c4e5f..e4ad2f3 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -9,17 +9,21 @@ jobs: run: name: Run runs-on: ubuntu-22.04 + strategy: + matrix: + domain: ["dev"] concurrency: - group: terraform + group: terraform-${{ matrix.domain }} cancel-in-progress: false permissions: contents: read pull-requests: write checks: write env: + TF_HTTP_USERNAME: ffddorf/supernodes-v2@${{ matrix.domain }} TF_HTTP_PASSWORD: ${{ github.token }} TF_IN_AUTOMATION: "true" - TF_CLI_ARGS: "-input=false" + TF_CLI_ARGS: "-input=false -var-file=domains/${{ matrix.domain }}.tfvars" NETBOX_API_TOKEN: ${{ secrets.NETBOX_API_TOKEN }} PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }} PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}