diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index c82ca499..63fe96df 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -22,21 +22,21 @@ provider "registry.terraform.io/hashicorp/helm" { } provider "registry.terraform.io/hashicorp/http" { - version = "3.4.2" + version = "3.4.3" hashes = [ - "h1:vaoPfsLm6mOk6avKTrWi35o+9p4fEeZAY3hzYoXVTfo=", - "zh:0ba051c9c8659ce0fec94a3d50926745f11759509c4d6de0ad5f5eb289f0edd9", - "zh:23e6760e8406fef645913bf47bfab1ca984c1c5805d2bb0ef8310b16913d29cd", - "zh:3c69fde4548bfe65b968534c4df8d699648c921d6a065b97fec5faece73a442b", - "zh:41c7f9a8c117704b7a8fa96a57ebfb92b72129d9625128eeb0dee7d5a09d1110", - "zh:59d09d2e00727df10565cc82a33250b44201fcd353eb2b1579507a5a0adcce18", + "h1:Ep4kCumou6eEyPkFJFAfuzd7IAsYM7xMAdDaFTwdDZ8=", + "zh:001e12b8079955a9fa7f8fcd515ae665b2e1087107fd337c4b872e88a86d540b", + "zh:0874fb3f870b2ac24c967a9685f2da641079589024109340389694696301a85b", + "zh:3b5e533c3d2859575945568aad0aac66b71bfc709706231fc2de94e01ca76d7f", + "zh:622ee28d42ed9d4b1399dde377db515e62cac08bd65bb2455068621f7a42d90d", + "zh:6dea688d78840a3f678e06ee602d37c766ce2ee625dcdce0c6658116ebcbde8e", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:c95b2f63d4357b3068531b90d9dca62a32551d7693defb7ab14b650b5d139c57", - "zh:cc0a3bbd3026191b35f417d3a8f26bdfad376d15be9e8d99a8803487ca5b0105", - "zh:d1185c6abb3ba25123fb7df1ad7dbe2b9cd8f43962628da551040fbe1934656f", - "zh:dfb26fccab7ecdc150f67415e6cfe19d699dc43e8bf5722f36032b17b46a0fbe", - "zh:eb1fcc00073bc0463f64e49600a73d925b1a0c0ae5b94dd7b67d3ebac248a113", - "zh:ec9b9ad69cf790cb0603a1036d758063bbbc35c0c75f72dd04a1eddaf46ad010", + "zh:7f57a1436a464bc2e1698457b402ff0fd98ef9e7dcf6707d6bd0debc67fad164", + "zh:829d89d82e6fc3c89714950dc8afa51d622bb8e4f4bd5c73037505fb55a67834", + "zh:e453202d09b62531ed3278926307d315276e05784e7c6448a2c21c6a2da6e48f", + "zh:e76edc035240b4ad9334b4a0282b44a086e001df3007a2fc51f6262c4db032d1", + "zh:eeb0379da9093e155a193f666079de6baf8ed02855bf2a443448903f7cfef378", + "zh:fcb00eeb665ccae383645173d8e10c3071946396629a7797db39c798997f21b0", ] } 
@@ -101,21 +101,21 @@ provider "registry.terraform.io/hashicorp/random" { } provider "registry.terraform.io/hashicorp/time" { - version = "0.11.1" + version = "0.11.2" hashes = [ - "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", - "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", - "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", - "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f", - "zh:65024596f22f10e7dcb5e0e4a75277f275b529daa0bc0daf34ca7901c678ab88", - "zh:694d080cb5e3bf5ef08c7409208d061c135a4f5f4cdc93ea8607860995264b2e", + "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", + "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", + "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", + "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", + "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", + "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", + "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b29d15d13e1b3412e6a4e1627d378dbd102659132f7488f64017dd6b6d5216d3", - "zh:bb79f4cae9f8c17c73998edc54aa16c2130a03227f7f4e71fc6ac87e230575ec", - "zh:ceccf80e95929d97f62dcf1bb3c7c7553d5757b2d9e7d222518722fc934f7ad5", - "zh:f40e638336527490e294d9c938ae55919069e6987e85a80506784ba90348792a", - "zh:f99ef33b1629a3b2278201142a3011a8489e66d92da832a5b99e442204de18fb", - "zh:fded14754ea46fdecc62a52cd970126420d4cd190e598cb61190b4724a727edb", + "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", + "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", + "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", + "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", + "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", ] } 
diff --git a/Makefile b/Makefile index 53510c1d..bfbf9457 100644 --- a/Makefile +++ b/Makefile @@ -16,20 +16,19 @@ bootstrap: @$(BUILDER_EXEC) echo "Started build environment" build: - @$(BUILDER_EXEC) nix build .#nixosConfigurations.aarch64-darwin.$(NIXOS_CONFIG) --system aarch64-linux $(ARGS) - -build-x86: - @$(BUILDER_EXEC) nix build .#nixosConfigurations.x86_64-darwin.$(NIXOS_CONFIG) --system x86_64-linux $(ARGS) + @nix build .#nixosConfigurations.$(NIXOS_CONFIG) --system aarch64-linux $(ARGS) #### Terraform TF_ROOT_DIRS := $(wildcard tf-root-*) . -TF_ROOT_DIRS_DESTROY:=$(addsuffix -destroy, $(TF_ROOT_DIRS)) -TF_ROOT_DIRS_INIT:=$(addsuffix -init, $(TF_ROOT_DIRS)) -TF_ROOT_DIRS_FMT:=$(addsuffix -fmt, $(TF_ROOT_DIRS)) -TF_ROOT_DIRS_VALIDATE:=$(addsuffix -validate, $(TF_ROOT_DIRS)) +TF_ROOT_DIRS_DESTROY:=$(addsuffix -destroy,$(TF_ROOT_DIRS)) +TF_ROOT_DIRS_CONSOLE:=$(addsuffix -console,$(TF_ROOT_DIRS)) +TF_ROOT_DIRS_INIT:=$(addsuffix -init,$(TF_ROOT_DIRS)) +TF_ROOT_DIRS_FMT:=$(addsuffix -fmt,$(TF_ROOT_DIRS)) +TF_ROOT_DIRS_VALIDATE:=$(addsuffix -validate,$(TF_ROOT_DIRS)) init: $(TF_ROOT_DIRS_INIT) $(TF_ALL_WORKSPACES) + @terraform workspace select $(TF_WORKSPACE) $(TF_ALL_WORKSPACES): @terraform workspace new $@ || true @@ -39,14 +38,16 @@ $(TF_ROOT_DIRS_INIT): terraform -chdir=$(DIR) init -upgrade $(ARGS) $(TF_ROOT_DIRS): - @terraform workspace select $(TF_WORKSPACE) @terraform -chdir=$@ apply -compact-warnings -auto-approve $(ARGS) $(TF_ROOT_DIRS_DESTROY): - @terraform workspace select $(TF_WORKSPACE) @$(eval DIR:=$(subst -destroy,,$@)) @terraform -chdir=$(DIR) destroy -auto-approve $(ARGS) +$(TF_ROOT_DIRS_CONSOLE): + @$(eval DIR:=$(subst -console,,$@)) + @terraform -chdir=$(DIR) console $(ARGS) + fmt: $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_FMT): 
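Review bot: The new `$(TF_ROOT_DIRS_CONSOLE)` rule copies the `@$(eval DIR:=$(subst -console,,$@))` idiom from the destroy rule, but a substitution reference does the same without a recipe-time `eval`: `@terraform -chdir=$(@:-console=) console $(ARGS)`. Separately, the `terraform workspace select $(TF_WORKSPACE)` line moved into `init` runs without `-chdir`, while the apply and destroy recipes it used to precede run with `-chdir=$@`; since Terraform keeps the selected workspace per working directory, it is worth confirming the `tf-root-*` roots still end up on the intended workspace rather than on whatever their own `.terraform/environment` holds. The `|| true` on `workspace new` also hides every failure, not only "workspace already exists".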
@@ -60,4 +61,5 @@ $(TF_ROOT_DIRS_VALIDATE): terraform -chdir=$(DIR) validate -no-color $(ARGS) .PHONY: fmt validate build build-x86 bootstrap init \ - $(TF_ROOT_DIRS) $(TF_ROOT_DIRS_DESTROY) $(TF_ROOT_DIRS_INIT) + $(TF_ROOT_DIRS) $(TF_ROOT_DIRS_DESTROY) $(TF_ROOT_DIRS_INIT) \ + $(TF_ROOT_DIRS_CONSOLE) $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_VALIDATE) diff --git a/flake.lock b/flake.lock index 66c0ea57..f3c358df 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,49 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1716561646, + "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", + "owner": "ryantm", + "repo": "agenix", + "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "darwin_2": { "inputs": { "nixpkgs": [ "srvos", @@ -39,7 +82,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, 
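Review bot: `.PHONY` still names `build-x86`, whose rule this commit removes from the `build` hunk above, so the declaration now refers to a target that no longer exists. Dropping it keeps the list honest: `.PHONY: fmt validate build bootstrap init \`.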
@@ -56,6 +99,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "srvos", @@ -116,21 +180,21 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716127062, - "narHash": "sha256-2rk8FqB/iQV2d0vQLs684/Tj5PUHaS1sFwG7fng5vXE=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2555763c48e2410054de3f52f7310ce3241ec5", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-stable": { + "nixpkgs-legacy": { "locked": { "lastModified": 1701282334, "narHash": "sha256-MxCVrXY6v4QmfTwIysjjaX0XUhqBbxTWWB4HXtDYsdk=", 
@@ -146,18 +210,34 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1717179513, + "narHash": "sha256-vboIEwIQojofItm2xGCdZCzW96U85l9nDW3ifMuAIdM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "63dacb46bf939521bdc93981b4cbb7ecb58427a0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable-darwin": { "locked": { - "lastModified": 1716389660, - "narHash": "sha256-K8xKOu3/ix1Ki25Qa7Xq0qo/+eYmrGJNCRdelhp0QDI=", + "lastModified": 1717696253, + "narHash": "sha256-1+ua0ggXlYYPLTmMl3YeYYsBXDSCqT+Gw3u6l4gvMhA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cbaa9d85551c96310edf4f388e17a49ec846223e", + "rev": "9b5328b7f761a7bbdc0e332ac4cf076a3eedb89b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-23.11-darwin", + "ref": "nixpkgs-24.05-darwin", "repo": "nixpkgs", "type": "github" } @@ -178,13 +258,31 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1716127062, + "narHash": "sha256-2rk8FqB/iQV2d0vQLs684/Tj5PUHaS1sFwG7fng5vXE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8a2555763c48e2410054de3f52f7310ce3241ec5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "darwin": "darwin", + "agenix": "agenix", + "darwin": "darwin_2", "flake-compat": "flake-compat", "flake-utils": "flake-utils", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixos-generators": "nixos-generators", + "nixpkgs-legacy": "nixpkgs-legacy", "nixpkgs-srvos": [ "srvos", "nixpkgs" @@ -197,7 +295,7 @@ }, "srvos": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1716233075, 
@@ -227,6 +325,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 474e181b..79e89112 100644 --- a/flake.nix +++ b/flake.nix @@ -3,8 +3,9 @@ inputs = { # Package sets - nixpkgs-stable.url = "github:NixOS/nixpkgs/23.11"; - nixpkgs-stable-darwin.url = "github:NixOS/nixpkgs/nixpkgs-23.11-darwin"; + nixpkgs-legacy.url = "github:NixOS/nixpkgs/23.11"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/24.05"; + nixpkgs-stable-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; srvos.url = "github:numtide/srvos"; nixpkgs-srvos.follows = "srvos/nixpkgs"; @@ -27,11 +28,13 @@ flake-compat = { url = "github:edolstra/flake-compat"; flake = false; }; flake-utils.url = "github:numtide/flake-utils"; + # NixOS utilities + agenix.url = "github:ryantm/agenix"; }; outputs = { self, srvos, darwin, nixos-generators, flake-utils, ... }@inputs: let - inherit (self.lib) attrValues makeOverridable mkForce optionalAttrs singleton; + inherit (self.lib) attrValues makeOverridable mkForce optionalAttrs singleton nixosSystem; nixpkgsDefaults = { config = { allowUnfree = true; @@ -75,6 +78,7 @@ }; nixosModules = { + secrets = inputs.agenix.nixosModules.default; common = srvos.nixosModules.common; server = srvos.nixosModules.server; home-manager = inputs.home-manager.nixosModules.home-manager; 
@@ -82,6 +86,12 @@ config = ./nixos-options/default.nix; }; + nixosAllModules = rec { + default = attrValues self.nixosModules; + contabo = default ++ [ ./nixos/contabo.nix ]; + deploy = ./nixos-options/deploy.nix; + }; + darwinConfigurations = { default = self.darwinConfigurations.builder; builder = makeOverridable self.lib.mkDarwinSystem ({ 
@@ -111,75 +121,54 @@ }; }; }; - - } // flake-utils.lib.eachDefaultSystem (system: + } + // flake-utils.lib.eachDefaultSystem (system: let linux = builtins.replaceStrings ["darwin"] ["linux"] system; legacyPackages = import inputs.nixpkgs-srvos (nixpkgsDefaults // { inherit system; }); stableLegacyPackages = import inputs.nixpkgs-stable (nixpkgsDefaults // { inherit system; }); - stablex86Packages = import inputs.nixpkgs-stable (nixpkgsDefaults // { system = "x86_64-linux"; }); + oldLegacyPackages = import inputs.nixpkgs-legacy (nixpkgsDefaults // { inherit system; }); + specialArgs = { + inherit oldLegacyPackages; + }; in { - # Re-export `nixpkgs-stable` with overlays. - # This is handy in combination with setting `nix.registry.my.flake = inputs.self`. - # Allows doing things like `nix run my#prefmanager -- watch --all` - inherit legacyPackages; - inherit stableLegacyPackages; - - colmena = { - meta = { - nixpkgs = import inputs.nixpkgs-stable (nixpkgsDefaults // { inherit system; }); - nodeNixpkgs = { - k3s-paas-master-contabo = stablex86Packages; - k3s-paas-agent-contabo = stablex86Packages; - }; - }; - default = attrValues self.nixosModules; - k3s-paas-master = [ - ./nixos-nodes/k3s-paas-master.nix - ]; - k3s-paas-agent = self.colmena.k3s-paas-master ++ [ - ./nixos-nodes/k3s-paas-agent.nix - ]; - k3s-paas-master-contabo = self.colmena.k3s-paas-master ++ [ - ./nixos/contabo.nix - ./nixos-nodes/contabo-master.nix - ]; - k3s-paas-agent-contabo = self.colmena.k3s-paas-agent ++ [ - ./nixos/contabo.nix - ./nixos-nodes/contabo-agent.nix - ]; - }; + packages.nixosConfigurations = { + default = self.qcow; + + deploy = nixosSystem { + system = linux; + inherit specialArgs; + modules = self.nixosAllModules.default ++ self.nixosAllModules.deploy; + }; - nixosConfigurations = rec { - default = qcow; + deploy-contabo = nixosSystem { + system = "x86_64-linux"; + inherit specialArgs; + modules = self.nixosAllModules.contabo ++ self.nixosAllModules.deploy; + }; qcow = 
makeOverridable nixos-generators.nixosGenerate { - system = linux; - modules = attrValues self.nixosModules ++ [ + inherit system specialArgs; + modules = self.nixosAllModules.default ++ [ ./nixos/qcow-compressed.nix ]; format = "qcow"; - specialArgs = { - inherit stableLegacyPackages; - }; }; - iso = self.nixosConfigurations.${system}.qcow.override { + iso = self.packages.nixosConfigurations.${system}.qcow.override { format = "iso"; }; - contabo = self.nixosConfigurations.${system}.qcow.override { - modules = attrValues self.nixosModules ++ [ - ./nixos/contabo.nix + contabo = self.packages.nixosConfigurations.${system}.qcow.override { + modules = self.nixosAllModules.contabo ++ [ ./nixos/qcow-compressed.nix ]; }; - container = self.nixosConfigurations.${system}.qcow.override { - modules = attrValues self.nixosModules ++ [ + container = self.packages.nixosConfigurations.${system}.qcow.override { + modules = self.nixosAllModules.default ++ [ ./nixos/docker.nix - ./nixos/qcow-compressed.nix ]; format = "docker"; }; @@ -190,8 +179,8 @@ # With `nix.registry.my.flake = inputs.self`, development shells can be created by running, # e.g., `nix develop my#python`. devShells = let - pkgs = self.legacyPackages.${system}; - stablePkgs = self.stableLegacyPackages.${system}; + pkgs = legacyPackages; + stablePkgs = stableLegacyPackages; in { default = pkgs.mkShell { @@ -201,7 +190,9 @@ docker-client kubectl kubernetes-helm libvirt qemu tailscale pebble cntb nil nix-tree colmena; - inherit (stablePkgs) nix terraform waypoint; + inherit (stablePkgs) nix terraform; + inherit (oldLegacyPackages) waypoint; + inherit (inputs.agenix.packages."${system}") default; }; shellHook = '' export DOCKER_HOST=tcp://127.0.0.1:2375 diff --git a/main.tf b/main.tf index dd07c553..af65740b 100644 --- a/main.tf +++ b/main.tf 
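Review bot: `specialArgs` only carries `oldLegacyPackages`, but `nixos/configuration.nix` in this same commit adds `system` and `inputs` to its module arguments and uses `inputs.agenix.packages."${system}".default`; unless `nixosSystem` or `nixos-generators.nixosGenerate` injects those names, evaluating `deploy`, `deploy-contabo` and `qcow` will fail on an undefined module argument. Passing `inputs` through the shared block is straightforward, `specialArgs = { inherit oldLegacyPackages inputs; };`, whereas `system` differs per configuration (`linux` for `deploy`, the literal `"x86_64-linux"` for `deploy-contabo`, the host `system` for `qcow`) and would have to be set alongside each `nixosSystem`/`nixosGenerate` call rather than once here. I cannot see `self.lib.nixosSystem` from this hunk, so the exact argument surface is inferred.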
@@ -35,9 +35,8 @@ module "ingress-nginx" { } module "tailscale" { - source = "./tf-modules-k8s/tailscale" - tailscale_oauth_client_id = var.tailscale_oauth_client_id - tailscale_oauth_client_secret = var.tailscale_oauth_client_secret + source = "./tf-modules-k8s/tailscale" + tailscale_oauth_client = var.tailscale_oauth_client.id } module "internal_ca" { @@ -98,5 +97,5 @@ module "paas_config" { output "paas_token" { value = module.paas.token - sensitive = true + #sensitive = true } diff --git a/nixos-nodes/contabo-agent.nix b/nixos-nodes/contabo-agent.nix deleted file mode 100644 index b2812021..00000000 --- a/nixos-nodes/contabo-agent.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ ... } : { - deployment.tags = [ "agent-contabo" ]; -} diff --git a/nixos-nodes/contabo-master.nix b/nixos-nodes/contabo-master.nix deleted file mode 100644 index 8b54c74e..00000000 --- a/nixos-nodes/contabo-master.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ ... }: { - deployment.tags = [ "master-contabo" ]; -} diff --git a/nixos-nodes/k3s-paas-agent.nix b/nixos-nodes/k3s-paas-agent.nix deleted file mode 100644 index cfd6bf1e..00000000 --- a/nixos-nodes/k3s-paas-agent.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, name, nodes, ... }: { - imports = [ ./k3s-paas-common.nix ]; - - deployment.tags = lib.mkDefault [ "agent" ]; - networking.hostName = lib.mkForce name; - services.k3s.serverAddr = nodes.k3s-paas-master.config.networking.hostName; -} diff --git a/nixos-nodes/k3s-paas-common.nix b/nixos-nodes/k3s-paas-common.nix deleted file mode 100644 index 8b648979..00000000 --- a/nixos-nodes/k3s-paas-common.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, config, modulesPath, ... }: -{ - imports = [ - "${toString modulesPath}/profiles/qemu-guest.nix" - ]; - - deployment = { - targetHost = config.k3s-paas.dns.name; - buildOnTarget = true; - }; - - networking.firewall.allowedTCPPorts = lib.mkForce [80 443 22 6443]; -} 
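Review bot: `tailscale_oauth_client = var.tailscale_oauth_client.id` passes a single string to a module variable that this commit types as `object({ id = string, secret = string })` (tf-modules-k8s/tailscale/variables.tf), and the module then reads `.id` and `.secret` from it, so `terraform validate` should reject the call; pass the object through, `tailscale_oauth_client = var.tailscale_oauth_client`. In the second hunk, commenting out `sensitive = true` on `output "paas_token"` makes the token print in plan/apply output and in any CI log that captures it; the same change is made to `github_token` in tf-modules-k8s/github/variables.tf, `internal_acme_ca_content` in tf-modules-k8s/waypoint-config/variables.tf and `output "token"` in tf-modules-k8s/waypoint/main.tf. If the motivation was to read the value locally, `terraform output -raw paas_token` shows a sensitive output without removing the marking; if it was to feed a sensitive value into an argument that rejects one, `nonsensitive()` at that single call site keeps the exposure to one place. The `#sensitive = true` comments also leave dead configuration behind rather than documenting the decision.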
diff --git a/nixos-nodes/k3s-paas-master.nix b/nixos-nodes/k3s-paas-master.nix deleted file mode 100644 index 9635ca7c..00000000 --- a/nixos-nodes/k3s-paas-master.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, name, ... }: { - imports = [ - ./k3s-paas-common.nix - ]; - - deployment.tags = lib.mkDefault [ "master" ]; - networking.hostName = lib.mkForce name; - services.k3s.clusterInit = true; -} diff --git a/nixos-options/default.nix b/nixos-options/default.nix index d650d2ef..b1db090b 100644 --- a/nixos-options/default.nix +++ b/nixos-options/default.nix @@ -24,18 +24,30 @@ description = "Target IP address for dns.name (only in local dev)"; }; + network.hostnameSecret = lib.mkOption { + default = ""; + type = lib.types.str; + description = "Network name"; + }; + user.name = lib.mkOption { default = "admin"; type = lib.types.str; description = "User name"; }; - user.password = lib.mkOption { - default = "$6$zizou$reVO3q7LFsUq.GT5P5pYFFcpxCo7eTRT5yJTD.gVoOy/FSzHEtXdofvZ7E04Rej.jiQHKaWJB0Qob5FHov1WU/"; + user.passwordSecret = lib.mkOption { + default = ""; type = lib.types.str; description = "User password"; }; + user.defaultPassword = lib.mkOption { + default = "$6$zizou$reVO3q7LFsUq.GT5P5pYFFcpxCo7eTRT5yJTD.gVoOy/FSzHEtXdofvZ7E04Rej.jiQHKaWJB0Qob5FHov1WU/"; + type = lib.types.str; + description = "Default password for user"; + }; + user.key = lib.mkOption { default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC94/4uRn429xMGLFWZMyJWlhb5D0L3EoO8HxzN4q1ps loic@Windows-8-Phone.local"; type = lib.types.str; 
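Review bot: The descriptions of the new options do not match what the commit stores in them: `user.passwordSecret` is described as "User password" and `network.hostnameSecret` as "Network name", yet `nixos-options/deploy.nix` assigns agenix secret paths to both and `nixos/configuration.nix` reads them as files. Suggested wording: `description = "Path to a file holding the user's password hash; empty means use defaultPassword";` and `description = "Path to a file holding the host name; empty means use the built-in default";`. The first assumes the secret contains a hash of the same form as `user.defaultPassword`, which the visible code does not confirm. The enclosing `options` block continues outside the hunk.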
@@ -48,22 +60,22 @@ description = "Disable k3s services eg: traefik,servicelb"; }; - tailscale.authKey = lib.mkOption { + k3s.token = lib.mkOption { type = lib.types.str; - description = "Client ID for Tailscale"; + description = "K3s token"; default = ""; }; - k3s.token = lib.mkOption { + tailscale.authKey = lib.mkOption { type = lib.types.str; - description = "K3s token"; + description = "Enable secret for tailscale"; default = ""; }; dex.dexClientId = lib.mkOption { type = lib.types.str; description = "Client ID for Dex"; - default = ""; + default = "dex-k3s-paas"; }; }; } diff --git a/nixos-options/deploy.nix b/nixos-options/deploy.nix new file mode 100644 index 00000000..77426d5a --- /dev/null +++ b/nixos-options/deploy.nix @@ -0,0 +1,5 @@ +{ config, ... } : { + k3s-paas.user.passwordSecret = config.age.secrets.password.path; + k3s-paas.networking.hostnameSecret = config.age.secrets.hostname.path; + k3s-paas.tailscale.authKey = config.age.secrets.tailscale.path; +} diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 1a526725..c945ee75 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -2,14 +2,16 @@ config, lib, pkgs, - stableLegacyPackages, + oldLegacyPackages, + system, + inputs, ... }: with config.k3s-paas; let - certs = [ ../nixos-darwin/pebble/cert.crt ]; # builtins.map (cert: builtins.fetchurl { inherit (cert) url sha256; }) config.k3s-paas.certs; + certs = [ ../nixos-darwin/pebble/cert.crt ]; certManagerCrds = builtins.fetchurl { url = "https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml"; sha256 = "060bn3gvrr5jphaig1g195prip5rn0x1s7qrp09q47719fgc6636"; @@ -61,7 +63,7 @@ in { enable = true; openFirewall = true; extraUpFlags = ["--ssh"]; - authKeyFile = pkgs.writeText "tailscale-authkey" tailscale.authKey; + authKeyFile = tailscale.authKey; permitCertUid = user.name; }; k3s = { 
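Review bot: The new `nixos-options/deploy.nix` sets `k3s-paas.networking.hostnameSecret`, but the option declared in `nixos-options/default.nix` in this commit is `network.hostnameSecret`, and `nixos/configuration.nix` reads `network.hostnameSecret`; NixOS rejects an assignment to an undeclared option, so the deploy configurations will not evaluate, and the host-name secret would be silently unused even if they did. The fix is the one-line rename `k3s-paas.network.hostnameSecret = config.age.secrets.hostname.path;`. In the same default.nix hunk, `tailscale.authKey` now holds a file path but is described as "Enable secret for tailscale"; `description = "Path to a file holding the Tailscale auth key; when empty, SSH and the k3s API port stay open in the firewall";` reflects how configuration.nix uses it.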
@@ -125,8 +127,9 @@ in { wget k3s kubectl - stableLegacyPackages.waypoint + oldLegacyPackages.waypoint tailscale + inputs.agenix.packages."${system}".default ]; }; @@ -137,7 +140,9 @@ in { allowNoPasswordLogin = true; users = { ${user.name} = { - password = user.password; + passwordFile = if user.passwordSecret != "" + then builtins.readFile user.passwordSecret + else user.defaultPassword; isNormalUser = true; extraGroups = [ "wheel" "networkmanager" ]; openssh = { @@ -150,12 +155,15 @@ in { }; networking = { - hostName = "k3s-paas"; + hostName = if network.hostnameSecret != "" + then builtins.readFile network.hostnameSecret + else "k3s-paas"; useNetworkd = true; useDHCP = true; firewall = { enable = true; - allowedTCPPorts = [80 443 22 6443]; + allowedTCPPorts = [80 443] ++ ( + if tailscale.authKey == "" then [22 6443] else []); }; nftables.enable = true; networkmanager.enable = false; diff --git a/tf-modules-k8s/dex/main.tf b/tf-modules-k8s/dex/main.tf index 6642f9c1..e8617269 100644 --- a/tf-modules-k8s/dex/main.tf +++ b/tf-modules-k8s/dex/main.tf @@ -4,18 +4,12 @@ resource "kubernetes_namespace" "cert-manager" { } } -resource "random_password" "dex_client_id" { - length = 16 - special = false -} - resource "random_password" "dex_client_secret" { length = 24 special = false } locals { - dex_client_id = random_password.dex_client_id.result dex_client_secret = random_password.dex_client_secret.result } @@ -34,7 +28,7 @@ resource "helm_release" "dex" { github_client_id = var.github_client_id, github_client_secret = var.github_client_secret, dex_github_orgs = jsonencode(var.dex_github_orgs), - dex_client_id = local.dex_client_id, + dex_client_id = var.dex_client_id, paas_hostname = var.paas_hostname, dex_client_secret = local.dex_client_secret, k8s_ingress_class = var.k8s_ingress_class 
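Review bot: `passwordFile = if user.passwordSecret != "" then builtins.readFile user.passwordSecret else user.defaultPassword` reads the secret at Nix evaluation time, yet `deploy.nix` feeds it `config.age.secrets.password.path`, which as far as I know agenix only decrypts on the target at activation, so the file is absent when the configuration is built; and where it is present, `readFile` copies the secret's content into the evaluated configuration and therefore into the world-readable Nix store. The option also expects a path, so both branches hand it hash text instead of a file. Keep the path as a path and fall back to the built-in hash only when no secret is configured; the `hostName` assignment has the same eval-time read, and because `networking.hostName` is fixed at evaluation a secret-derived host name cannot be obtained this way at all. The `allowedTCPPorts` change that closes 22 and 6443 once a Tailscale key is configured is a good reduction of exposed surface.
```nix
          ${user.name} = {
            # The hash file is consumed at activation; its content never enters the store.
            passwordFile = lib.mkIf (user.passwordSecret != "") user.passwordSecret;
            hashedPassword = lib.mkIf (user.passwordSecret == "") user.defaultPassword;
            # … unchanged: isNormalUser, extraGroups, openssh …
```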
@@ -65,10 +59,6 @@ output "dex_service" { value = data.kubernetes_service.dex_service.id } -output "dex_client_id" { - value = local.dex_client_id -} - output "dex_client_secret" { value = local.dex_client_secret } diff --git a/tf-modules-k8s/dex/variables.tf b/tf-modules-k8s/dex/variables.tf index cdb9d371..4afd8ae1 100644 --- a/tf-modules-k8s/dex/variables.tf +++ b/tf-modules-k8s/dex/variables.tf @@ -17,6 +17,12 @@ variable "github_client_secret" { type = string } + variable "dex_client_id" { + description = "Client ID for Dex OIDC Connector" + type = string + default = "dex-k3s-paas" + } + variable "dex_github_orgs" { description = "Github Orgs for Dex OIDC Connector" type = list(object({ diff --git a/tf-modules-k8s/github/variables.tf b/tf-modules-k8s/github/variables.tf index 0a679053..dc076ac4 100644 --- a/tf-modules-k8s/github/variables.tf +++ b/tf-modules-k8s/github/variables.tf @@ -10,5 +10,5 @@ variable "github_team" { variable "github_token" { type = string - sensitive = true + #sensitive = true } diff --git a/tf-modules-k8s/tailscale/main.tf b/tf-modules-k8s/tailscale/main.tf index ed37a271..66d1ff09 100644 --- a/tf-modules-k8s/tailscale/main.tf +++ b/tf-modules-k8s/tailscale/main.tf @@ -14,17 +14,17 @@ resource "helm_release" "tailscale_operator" { set { name = "oauth.clientId" - value = var.tailscale_oauth_client_id + value = var.tailscale_oauth_client.id } set { - name = "apiServerProxyConfig.mode" - value = "true" - type = "string" + name = "oauth.clientSecret" + value = var.tailscale_oauth_client.secret } set { - name = "oauth.clientSecret" - value = var.tailscale_oauth_client_secret + name = "apiServerProxyConfig.mode" + value = "true" + type = "string" } } diff --git a/tf-modules-k8s/tailscale/variables.tf b/tf-modules-k8s/tailscale/variables.tf index 753e0033..98beea43 100644 --- a/tf-modules-k8s/tailscale/variables.tf +++ b/tf-modules-k8s/tailscale/variables.tf 
@@ -2,14 +2,11 @@ variable "tailscale_namespace" { default = "tailscale" } -variable "tailscale_oauth_client_id" { - description = "OAuth Client ID" - type = string - sensitive = true -} - -variable "tailscale_oauth_client_secret" { - description = "OAuth Client Secret" - type = string - sensitive = true +variable "tailscale_oauth_client" { + type = object({ + id = string + secret = string + }) + nullable = true + default = null } diff --git a/tf-modules-k8s/waypoint-config/main.tf b/tf-modules-k8s/waypoint-config/main.tf index 349f434c..696ee439 100644 --- a/tf-modules-k8s/waypoint-config/main.tf +++ b/tf-modules-k8s/waypoint-config/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13" + required_version = ">=1.4" required_providers { null = { source = "hashicorp/null" diff --git a/tf-modules-k8s/waypoint-config/variables.tf b/tf-modules-k8s/waypoint-config/variables.tf index 2c91ab72..036e8053 100644 --- a/tf-modules-k8s/waypoint-config/variables.tf +++ b/tf-modules-k8s/waypoint-config/variables.tf @@ -37,5 +37,5 @@ variable "tls_skip_verify" { variable "internal_acme_ca_content" { type = string - sensitive = true + #sensitive = true } diff --git a/tf-modules-k8s/waypoint/main.tf b/tf-modules-k8s/waypoint/main.tf index d59c7642..a7dce9d7 100644 --- a/tf-modules-k8s/waypoint/main.tf +++ b/tf-modules-k8s/waypoint/main.tf @@ -99,6 +99,6 @@ resource "kubernetes_ingress_v1" "example" { } output "token" { - sensitive = true + #sensitive = true value = data.kubernetes_secret.waypoint_token.data.token } diff --git a/tf-root-contabo/main.tf b/tf-root-contabo/main.tf deleted file mode 100644 index b52624d1..00000000 --- a/tf-root-contabo/main.tf +++ /dev/null 
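Review bot: The replacement variable `tailscale_oauth_client` drops the `sensitive = true` that both removed variables carried, so the OAuth client secret it contains is now rendered in plan diffs and state-related output; add `sensitive = true` to the object variable (Terraform marks the whole value, which covers `.secret`). The `nullable = true` / `default = null` pair also conflicts with `tf-modules-k8s/tailscale/main.tf`, which dereferences `var.tailscale_oauth_client.id` and `.secret` unconditionally, so an omitted argument fails at plan time with an attribute-access-on-null error rather than a clear message; either remove the default so the argument is required, or guard the `set` blocks. A `description` would also help, since the removed variables each had one.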
@@ -1,163 +0,0 @@ -data "tailscale_device" "trusted_device" { - for_each = toset([var.tailscale_trusted_device]) - name = each.value - wait_for = "60s" -} - -resource "tailscale_device_authorization" "sample_authorization" { - for_each = data.tailscale_device.trusted_device - device_id = each.value.id - authorized = true -} - -resource "tailscale_acl" "as_json" { - acl = jsonencode({ - acls = [ - { - action = "accept" - src = ["*"] - dst = ["*:*"] - } - ] - ssh = [ - { - action = "accept" - src = ["autogroup:member"] - dst = ["autogroup:self"] - users = [var.trusted_ssh_user] - } - ], - nodeAttrs = [ - { - target = ["autogroup:member"] - attr = ["funnel"] - }, - ], - tagOwners = { - "tag:k8s-operator" = [] - "tag:k8s" = ["tag:k8s-operator"] - } - grants = [{ - src = ["autogroup:member"] - dst = ["tag:k8s-operator"] - app = { - "tailscale.com/cap/kubernetes" = [{ - impersonate = { - groups = ["system:masters"] - } - }] - } - }] - }) -} - -resource "tailscale_dns_preferences" "sample_preferences" { - magic_dns = true -} - -resource "tailscale_tailnet_key" "k3s_paas_node" { - reusable = true - ephemeral = true - preauthorized = true - expiry = 3600 - description = "VM instance key" -} - -data "gandi_domain" "k3s_domain" { - name = var.paas_base_domain -} - -resource "gandi_dnssec_key" "dnssec" { - algorithm = 13 - domain = data.gandi_domain.k3s_domain.id - type = "zsk" - public_key = var.gandi_dnssec_public_key -} - -resource "gandi_livedns_record" "www" { - for_each = toset(["@", "*"]) - zone = data.gandi_domain.k3s_domain.id - name = each.key - type = "A" - ttl = 3600 - values = [ - data.contabo_instance.k3s_paas_master.ip_config[0].v4[0].ip - ] -} - -locals { - ssh_connection = merge(var.ssh_connection, { - public_key = trimspace(file(pathexpand(var.ssh_connection.public_key))) - private_key = trimspace(file(pathexpand(var.ssh_connection.private_key))) - }) -} - -resource "contabo_secret" "k3s_paas_master_trusted_key" { - name = "k3s_paas_master_trusted_key" - type 
= "ssh" - value = local.ssh_connection.public_key -} - -resource "contabo_image" "k3s_paas_master_image" { - name = "k3s" - image_url = format(var.image_url_format, var.image_version) - os_type = "Linux" - version = var.image_version - description = "Generated PaaS vm image with packer" -} - -data "contabo_instance" "k3s_paas_master" { - id = var.contabo_instance -} - -resource "contabo_instance" "k3s_paas_master" { - existing_instance_id = var.contabo_instance - display_name = "nixos-k3s-paas" - image_id = contabo_image.k3s_paas_master_image.id - ssh_keys = [contabo_secret.k3s_paas_master_trusted_key.id] -} - -locals { - nixos_options = { - "k3s-paas.dex.dexClientId" = "id-dex-default" - "k3s-paas.tailscale.authKey" = tailscale_tailnet_key.k3s_paas_node.key - } - nixos_option_flag = join(" ", [for k, v in local.nixos_options : "--nixos-option ${k}=${v}"]) -} - -resource "terraform_data" "colemna_apply" { - provisioner "local-exec" { - on_failure = fail - command = "colmena apply ${nixos_option_flag} --on master" - } -} - -resource "terraform_data" "tailscale_bootstrap" { - triggers_replace = [ - contabo_instance.k3s_paas_master.id - ] - - connection { - type = "ssh" - user = local.ssh_connection.user - private_key = local.ssh_connection.private_key - host = contabo_instance.k3s_paas_master.ip_config[0].v4[0].ip - } - - provisioner "remote-exec" { - on_failure = fail - inline = [ - "echo ${contabo_instance.k3s_paas_master.id}", - ] - } -} - -resource "null_resource" "copy_k3s_config" { - triggers = { - instance_id = contabo_instance.k3s_paas_master.id - started_id = terraform_data.tailscale_bootstrap.id - } - provisioner "local-exec" { - command = "ssh ${var.ssh_connection.user}@k3s-paas-master -p 2222 'sudo cat /etc/rancher/k3s/k3s.yaml' > ~/.kube/config" - } -} diff --git a/tf-root-libvirt/terraform.tf b/tf-root-libvirt/terraform.tf deleted file mode 100644 index 19721422..00000000 --- a/tf-root-libvirt/terraform.tf +++ /dev/null 
@@ -1,23 +0,0 @@ -terraform { - required_version = ">= 0.13" - required_providers { - libvirt = { - source = "dmacvicar/libvirt" - } - null = { - source = "hashicorp/null" - version = "3.2.2" - } - healthcheck = { - source = "Ferlab-Ste-Justine/healthcheck" - version = "0.2.0" - } - } -} - -provider "libvirt" { - uri = "qemu:///system" -} - -provider "healthcheck" { -} diff --git a/tf-root-vm/.terraform.lock.hcl b/tf-root-vm/.terraform.lock.hcl new file mode 100644 index 00000000..c3f26281 --- /dev/null +++ b/tf-root-vm/.terraform.lock.hcl 
@@ -0,0 +1,185 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/contabo/contabo" { + version = "0.1.26" + constraints = ">= 0.1.23" + hashes = [ + "h1:W+2NeFdGP/CWZv5e9xro3vgXq80G6ijcxnhfX1Y63j0=", + "zh:13599dd31f62369779bcfc937c68a0fa0b3c865e9cfd805f204f78f995bd78b9", + "zh:19bcf3660ac7545103cf999e0066442f9d6350db9654e1496726520cef287246", + "zh:35d60f0e7f69cf87cca2451cfb7dd5a5a8a49663f08a114895da08fd86394412", + "zh:3d993f0dc113982a7b2c2fdb6828bed9738631cf3c1e94cd8ad2a7ecd7a806bd", + "zh:4aab2991ef6b81a5e6bc63af8a6711319d8c47cf2d2fde63f161f2cf6df4aea2", + "zh:5d01929898c6e04d99264d6dd58424311a6f17415d583c74cdafc52cecc672ce", + "zh:607c4619d312d5b76f4350961f3f37811a2b84084f1bc5626e0887110d5f7345", + "zh:60d429eadbdab2f4c55a943760a172332c9c095e5f368ed682709146372adbc4", + "zh:6e6234f31ba1f023314fe87b008cadae01d53f1fc96061500d1b2aa51276daef", + "zh:7438d416c7f15b4484942bbce11b6f06b8c035b2dfd6066abc9fd92b50c655de", + "zh:7a077cbcf5761e5ef55cb4202f97399da4ee9dfd2c5c32d05cf93b5351ef8aa9", + "zh:91dbe0e31261e055f6af165a79cbf46e5712fcd1c80c24cf2d6ee2dfe60879f7", + "zh:d7004852a590acfc299a273d02f22e5e7479ed40682adc65d28d2263a82168a9", + "zh:f4b3a98be793845e886a4bbfdbe4d3dc833e151ba58c7807530d9c9fa9d19075", + "zh:f69768aa6a33359ed22ad25eb8aca296086b8d65d2eff7e9b211c49aa2583f7d", + ] +} + +provider "registry.terraform.io/dmacvicar/libvirt" { + version = "0.7.6" + hashes = [ + "h1:h5AOtaYpdnjPPtjKw2PsNmjZ9VmjnAgqXTndl3Mwwug=", + "zh:0bde54f6f658b20b620b875daf106b5b25b1bae4d15408d6c5f06d58360e254d", + "zh:0c97c6930015918b8a34b6d7a2b0c3d17a649c226fcd1874fcba5bbbc0f35972", + "zh:1bdd7aa0011c5f024a09a124836ee9bc8e71b05a6ece810c61824275fd3f695f", + "zh:2b0cc7c794e4caf395d84ffff0b380d17e4b3219a4696264271bfe5059450efe", + "zh:2f8633f7fe07f76c188836ed6f93321ec5fbf5c004bc7699e1741d9b21ed5f37", + "zh:5bf47eed286ce55ed10a5cf657de49a34ab21cc8677c56fef3aab69cdde41a27", + 
"zh:7dca790fc5fd1d42bc4bc7170be003a7093602026d0f95c8aab84ad551fdf2a4", + "zh:80476b68bc84e3d661d1390025f83879b88f9cdc836de9751af09bd5716089cb", + "zh:82f3e2f3f50176cd6041c8ba36e295cbda1b289ef52ab75b5eceb0f921f64f7b", + "zh:a179b165f3b9bb9a67ebbbf9d73157ded33f02d476b2f58906389dca03b653c9", + "zh:acae54a5d0616f22b3180ddd8e8aad39af664e604394fdacf1f7b337bca2d5b4", + "zh:da4406a2428a9a7e98272c032cb93431c3919253af2fe9934b532d26c0deab09", + "zh:f63dbd8e579ab5268d01ffab4503b8a8e736b70d1a04e4f271559ba8dd133dcd", + "zh:f85c1d9e51a94ecde137435c9d6b0fb7be590437ea8a725334d1577eebbc550c", + ] +} + +provider "registry.terraform.io/ferlab-ste-justine/healthcheck" { + version = "0.2.0" + constraints = "0.2.0" + hashes = [ + "h1:OSknP/lF1OzWBb53Iz8NHw7LoGmppGoIQk2vm97aCfE=", + "zh:0007d9c7c9f8a60313352cebc0b8a74bcd1f6d398b7a2868ef5e247293dcbde0", + "zh:136a690ca5384128f8849c86f081c7047a85f46ef013b3c103dff60b9736ddcc", + "zh:1b087be2c5f35db385260c142321a49f41c7ac8716d5b6d7aea64f0cd7181951", + "zh:2a5ee0e17ece8befe15e2c7f18d5d85f9957685a52281cc98d42ac1f45137792", + "zh:34b3ba5eef88edd86557654cbda279050d992f38ef67641faac7c735b09bf796", + "zh:4210cedcb1d3c443e0079542e8e594e25e718540a0c29bdbe10856e139bb6088", + "zh:58f5319f35745d6c59c258baf483c502544993157947f98bac7b7e598156cad2", + "zh:5b2bd3740a11e4ce6f8c0a7816fb40dbb997aa92c5c86c047e83dff9115f11e5", + "zh:7b1f1fd35278b860572d287ab901c5db7b42209c49410cb861ae0983b7bd00c7", + "zh:a0cac8e2256be8f10d9f4e32cf2cc339f40a1cc4727a8627426eff057e46b0f5", + "zh:b80e14f05155151565f0fd518acf67fa9f01680c3a02bebe038266759a807912", + "zh:ce85acdf165d1788beec47822399db905a98cb050b5df027b72238f913543ad0", + "zh:d9ea796153b1a313277e2da8835256d372cecd17b2cae0d657432ba796c6248c", + "zh:fedc4074779dbd352d4f1df2f71527dfa66c453e3b16ff84fc95614a81c60bbc", + ] +} + +provider "registry.terraform.io/go-gandi/gandi" { + version = "2.3.0" + hashes = [ + "h1:PH6KI61eli5OL/aN3Oi7NV9qkNbjGLoOYjJK3gvULj4=", + 
"zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9", + "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b", + "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252", + "zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd", + "zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408", + "zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d", + "zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5", + "zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698", + "zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28", + "zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf", + "zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804", + "zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.3" + hashes = [ + "h1:gShzO1rJtADK9tDZMvMgjciVAzsBh39LNjtThCwX1Hg=", + "zh:03d81462f9578ec91ce8e26f887e34151eda0e100f57e9772dbea86363588239", + "zh:37ec2a20f6a3ec3a0fd95d3f3de26da6cb9534b30488bc45723e118a0911c0d8", + "zh:4eb5b119179539f2749ce9de0e1b9629d025990f062f4f4dddc161562bb89d37", + "zh:5a31bb58414f41bee5e09b939012df5b88654120b0238a89dfd6691ba197619a", + "zh:6221a05e52a6a2d4f520ffe7cbc741f4f6080e0855061b0ed54e8be4a84eb9b7", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8bb068496b4679bef625e4710d9f3432e301c3a56602271f04e60eadf7f8a94c", + "zh:94742aa5378bab626ce34f79bcef6a373e4f86ea7a8b762e9f71270a899e0d00", + "zh:a485831b5a525cd8f40e8982fa37da40ff70b1ae092c8b755fcde123f0b1238d", + "zh:a647ff16d071eabcabd87ea8183eb90a775a0294ddd735d742075d62fff09193", + "zh:b74710c5954aaa3faf262c18d36a8c2407862d9f842c63e7fa92fa4de3d29df6", + "zh:fa73d83edc92af2e551857594c2232ba6a9e3603ad34b0a5940865202c08d8d7", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.1" + hashes = [ + 
"h1:/GAVA/xheGQcbOZEq0qxANOg+KVLCA7Wv8qluxhTjhU=", + "zh:0af29ce2b7b5712319bf6424cb58d13b852bf9a777011a545fac99c7fdcdf561", + "zh:126063ea0d79dad1f68fa4e4d556793c0108ce278034f101d1dbbb2463924561", + "zh:196bfb49086f22fd4db46033e01655b0e5e036a5582d250412cc690fa7995de5", + "zh:37c92ec084d059d37d6cffdb683ccf68e3a5f8d2eb69dd73c8e43ad003ef8d24", + "zh:4269f01a98513651ad66763c16b268f4c2da76cc892ccfd54b401fff6cc11667", + "zh:51904350b9c728f963eef0c28f1d43e73d010333133eb7f30999a8fb6a0cc3d8", + "zh:73a66611359b83d0c3fcba2984610273f7954002febb8a57242bbb86d967b635", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7ae387993a92bcc379063229b3cce8af7eaf082dd9306598fcd42352994d2de0", + "zh:9e0f365f807b088646db6e4a8d4b188129d9ebdbcf2568c8ab33bddd1b82c867", + "zh:b5263acbd8ae51c9cbffa79743fbcadcb7908057c87eb22fd9048268056efbc4", + "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + constraints = "3.2.2" + hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} + +provider 
"registry.terraform.io/hashicorp/time" { + version = "0.11.2" + hashes = [ + "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", + "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", + "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", + "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", + "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", + "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", + "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", + "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", + "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", + "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", + "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", + ] +} + +provider "registry.terraform.io/tailscale/tailscale" { + version = "0.16.1" + hashes = [ + "h1:lHafM3Dy22wmPyC6Ck1OVByOnQT6kUO6S3ff3DpofE4=", + "zh:0a9d28e5195e0e29ebf9b12b345cafcb686125008151fa01677c399d8f8f1321", + "zh:249bce2fcfd3414211ae9e49e179e31b5d3c23dd9da24dc45acdea34ad308cb0", + "zh:3129fb52a2aaa0c8c30aff21e7d4c0601d80898b3ecb9d7604b5933c14f54924", + "zh:4ec3e255f34bb4f6362ab41aa9e05a3ce040a791bc07445dec86188dee867f85", + "zh:68d3995e5a1722e24f89a385899f56a63542159b884cac989196e9538b53c6ce", + "zh:799840b3bfbd14537397f157f4e6a5e54080cd4fee51521bac675aa188e0b33e", + "zh:99f1da9fdaddd8a1255dce56edf8eb3e235293c72738cf70f1fb9ee9631b40e6", + "zh:9b18fd51e260b2f3100937c34feae5f6fe3515df9b5e27ae23d00af75249a6d4", + "zh:a7154cdce28aeb80e822a97c6bc8b8acb7a074304fd198e265ac9cbcbda0ca06", + "zh:b0ce2ca42f018e5235a2171cdd8ba9829c90c54a6b2d602bd38e0e90c43d5d5d", + "zh:c67609f7018fc6e48b17befd6eeb21197e8f524496185c5e29707efa6967a0a5", + 
"zh:d4c9dc9d2a5a535851fc10049506bad1e7ab88193d5dcd371f91ac1b84f43a0a", + "zh:da27f2a9b9d5a4c02ec3893a763874513825c7c4dc2bb870ba741cf7725bcf9f", + "zh:e5bc1797b97607ff3d841c6c0d40da89c3843156ad43e15ded7d41fc0ac27717", + ] +} diff --git a/tf-root-vm/main.tf b/tf-root-vm/main.tf new file mode 100644 index 00000000..ed9761a3 --- /dev/null +++ b/tf-root-vm/main.tf 
@@ -0,0 +1,104 @@ +module "libvirt_vm" { + count = var.vm_provider == "libvirt" ? 1 : 0 + source = "./tf-modules-cloud/libvirt" + node_hostname = "k3s-paas-master-${count.index}" +} + +module "contabo_vm" { + source = "./tf-modules-cloud/contabo" + count = var.vm_provider == "contabo" && var.contabo_instance != null ? 1 : 0 + contabo_instance = var.contabo_instance + image_version = var.image_version + image_url_format = var.image_url_format + ssh_connection = var.ssh_connection + node_hostname = "k3s-paas-master-${count.index}" +} + +locals { + contabo_hosts = { for vm in module.contabo_vm : vm.name => { + id = vm.id + ip = vm.ip + } + } + machines_hosts = merge( + { for vm in module.libvirt_vm : vm.name => { + id = vm.id + ip = vm.ip + } + }, + local.contabo_hosts + ) +} + +module "gandi_domain" { + source = "./tf-modules-cloud/gandi" + for_each = local.contabo_hosts + gandi_token = var.gandi_token + paas_base_domain = var.paas_base_domain + target_ip = each.value.ip +} + + + +locals { + ssh_connection = merge(var.ssh_connection, { + public_key = trimspace(file(pathexpand(var.ssh_connection.public_key))) + private_key = trimspace(file(pathexpand(var.ssh_connection.private_key))) + }) +} + +module "security" { + source = "./tf-modules-nix/security" + for_each = local.machines_hosts + node_hostname = each.key + tailscale_trusted_device = var.tailscale_trusted_device + dex_client_id = var.dex_client_id + vm_ip = each.value.ip + ssh_connection = local.ssh_connection +} + +resource "terraform_data" "wait_tunneled_vm_ssh" { + for_each = module.security + + connection { + type = "ssh" + user = local.ssh_connection.user + private_key = local.ssh_connection.private_key + host = each.value.secure_hostname + } + + provisioner "remote-exec" { + on_failure = fail + inline = ["echo ${each.value.id}"] + } +} + +resource "null_resource" "copy_k3s_config" { + for_each = module.security + triggers = { + started = terraform_data.wait_tunneled_vm_ssh[each.key].id + } + provisioner 
"local-exec" { + command = "ssh ${var.ssh_connection.user}@${each.value.secure_hostname} -p 2222 'sudo cat /etc/rancher/k3s/k3s.yaml' > ~/.kube/config" + } +} + +data "healthcheck_http" "k3s" { + depends_on = [null_resource.copy_k3s_config] + path = "livez?verbose" + status_codes = [200] + endpoints = [for _, v in module.security : { + name = v.secure_hostname + address = v.secure_hostname + port = 6443 + }] +} + +data "healthcheck_filter" "k3s" { + up = data.healthcheck_http.k3s.up + down = data.healthcheck_http.k3s.down +} + +output "up_k3s_endpoint" { + value = data.healthcheck_filter.k3s.up +} diff --git a/tf-root-contabo/terraform.tf b/tf-root-vm/terraform.tf similarity index 68% rename from tf-root-contabo/terraform.tf rename to tf-root-vm/terraform.tf index 4ec08915..7e3d77f9 100644 --- a/tf-root-contabo/terraform.tf +++ b/tf-root-vm/terraform.tf @@ -1,34 +1,36 @@ terraform { - required_version = ">=1.4" - required_providers { + null = { + source = "hashicorp/null" + version = "3.2.2" + } contabo = { source = "contabo/contabo" version = ">= 0.1.23" } - gandi = { - source = "go-gandi/gandi" - } time = { source = "hashicorp/time" } + local = { + source = "hashicorp/local" + } tailscale = { source = "tailscale/tailscale" } + gandi = { + source = "go-gandi/gandi" + } healthcheck = { source = "Ferlab-Ste-Justine/healthcheck" version = "0.2.0" } + libvirt = { + source = "dmacvicar/libvirt" + } } } -provider "tailscale" { - oauth_client_id = var.tailscale_oauth_client_id - oauth_client_secret = var.tailscale_oauth_client_secret - tailnet = var.tailscale_tailnet -} - provider "gandi" { personal_access_token = var.gandi_token } 
@@ -39,3 +41,17 @@ provider "contabo" { oauth2_user = var.contabo_credentials.oauth2_user oauth2_pass = var.contabo_credentials.oauth2_pass } + +provider "healthcheck" {} + +provider "libvirt" { + uri = "qemu:///system" +} + +provider "tailscale" { + oauth_client_id = var.tailscale_oauth_client.id + oauth_client_secret = var.tailscale_oauth_client.secret + tailnet = var.tailscale_tailnet + scopes = ["all"] +} + diff --git a/tf-root-contabo/.terraform.lock.hcl b/tf-root-vm/tf-modules-cloud/contabo/.terraform.lock.hcl similarity index 87% rename from tf-root-contabo/.terraform.lock.hcl rename to tf-root-vm/tf-modules-cloud/contabo/.terraform.lock.hcl index 7ee25de3..5e6b957a 100644 --- a/tf-root-contabo/.terraform.lock.hcl +++ b/tf-root-vm/tf-modules-cloud/contabo/.terraform.lock.hcl 
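Review bot: `provider "tailscale"` sets `scopes = ["all"]`, granting the OAuth client every API scope although the configuration only manages ACLs, device authorization, DNS preferences and tailnet keys; narrow `scopes` to what those resources need, or add a comment recording why the full set is required. The first hunk of this file also drops `required_version = ">=1.4"` from the root while each new sub-module keeps it, so an unsupported Terraform version now fails inside a module rather than at the root; restore the constraint in the root `terraform` block.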
@@ -85,21 +85,21 @@ provider "registry.terraform.io/hashicorp/null" { } provider "registry.terraform.io/hashicorp/time" { - version = "0.11.1" + version = "0.11.2" hashes = [ - "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", - "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", - "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", - "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f", - "zh:65024596f22f10e7dcb5e0e4a75277f275b529daa0bc0daf34ca7901c678ab88", - "zh:694d080cb5e3bf5ef08c7409208d061c135a4f5f4cdc93ea8607860995264b2e", + "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", + "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", + "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", + "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", + "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", + "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", + "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b29d15d13e1b3412e6a4e1627d378dbd102659132f7488f64017dd6b6d5216d3", - "zh:bb79f4cae9f8c17c73998edc54aa16c2130a03227f7f4e71fc6ac87e230575ec", - "zh:ceccf80e95929d97f62dcf1bb3c7c7553d5757b2d9e7d222518722fc934f7ad5", - "zh:f40e638336527490e294d9c938ae55919069e6987e85a80506784ba90348792a", - "zh:f99ef33b1629a3b2278201142a3011a8489e66d92da832a5b99e442204de18fb", - "zh:fded14754ea46fdecc62a52cd970126420d4cd190e598cb61190b4724a727edb", + "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", + "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", + "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", + "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", + "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", ] } 
diff --git a/tf-root-vm/tf-modules-cloud/contabo/main.tf b/tf-root-vm/tf-modules-cloud/contabo/main.tf new file mode 100644 index 00000000..7aacd75e --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/contabo/main.tf @@ -0,0 +1,41 @@ +resource "contabo_secret" "k3s_paas_master_trusted_key" { + name = "k3s_paas_master_trusted_key" + type = "ssh" + value = var.ssh_connection.public_key +} + +resource "contabo_image" "k3s_paas_master_image" { + name = "k3s" + image_url = format(var.image_url_format, var.image_version) + os_type = "Linux" + version = var.image_version + description = "Generated PaaS vm image with packer" +} + +data "contabo_instance" "k3s_paas_master" { + id = var.contabo_instance +} + +resource "contabo_instance" "k3s_paas_master" { + existing_instance_id = var.contabo_instance + display_name = var.node_hostname + image_id = contabo_image.k3s_paas_master_image.id + ssh_keys = [contabo_secret.k3s_paas_master_trusted_key.id] +} + +output "k3s_paas_master" { + value = contabo_instance.k3s_paas_master +} + +output "name" { + depends_on = [ contabo_instance.k3s_paas_master ] + value = var.node_hostname +} + +output "ip" { + value = data.contabo_instance.k3s_paas_master.ip_config[0].v4[0].ip +} + +output "id" { + value = contabo_instance.k3s_paas_master.id +} diff --git a/tf-root-vm/tf-modules-cloud/contabo/terraform.tf b/tf-root-vm/tf-modules-cloud/contabo/terraform.tf new file mode 100644 index 00000000..0a9fc998 --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/contabo/terraform.tf @@ -0,0 +1,15 @@ +terraform { + + required_version = ">=1.4" + + required_providers { + contabo = { + source = "contabo/contabo" + version = ">= 0.1.23" + } + time = { + source = "hashicorp/time" + } + } +} + diff --git a/tf-root-vm/tf-modules-cloud/contabo/variables.tf b/tf-root-vm/tf-modules-cloud/contabo/variables.tf new file mode 100644 index 00000000..09e28b96 --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/contabo/variables.tf 
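Review bot: `contabo_secret.k3s_paas_master_trusted_key` uploads `var.ssh_connection.public_key` as the key body, so the module needs key contents, but `variables.tf` types `public_key` only as `string` and the root's default for that field is a file path. Add `description = "OpenSSH public key text (not a path)"` and a `validation { condition = can(regex("^(ssh-|ecdsa-)", var.ssh_connection.public_key)) ... }` block so a path is rejected at plan time. `output "k3s_paas_master"` also exports the entire instance object although the root consumes only `name`, `ip` and `id`; drop it or document who needs it.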
@@ -0,0 +1,26 @@ + +variable "contabo_instance" { + type = string +} + +variable "image_version" { + type = string +} + +variable "image_url_format" { + type = string +} + +variable "ssh_connection" { + type = object({ + user = string + password = string + public_key = string + private_key = string + }) + #sensitive = true +} + +variable "node_hostname" { + type = string +} diff --git a/tf-root-vm/tf-modules-cloud/gandi/main.tf b/tf-root-vm/tf-modules-cloud/gandi/main.tf new file mode 100644 index 00000000..203147f9 --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/gandi/main.tf @@ -0,0 +1,12 @@ +data "gandi_domain" "k3s_domain" { + name = var.paas_base_domain +} + +resource "gandi_livedns_record" "www" { + for_each = toset(["@", "*"]) + zone = data.gandi_domain.k3s_domain.id + name = each.key + type = "A" + ttl = 3600 + values = [var.target_ip] +} diff --git a/tf-root-vm/tf-modules-cloud/gandi/terraform.tf b/tf-root-vm/tf-modules-cloud/gandi/terraform.tf new file mode 100644 index 00000000..4cb69f91 --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/gandi/terraform.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">=1.4" + + required_providers { + gandi = { + source = "go-gandi/gandi" + } + } +} diff --git a/tf-root-vm/tf-modules-cloud/gandi/variables.tf b/tf-root-vm/tf-modules-cloud/gandi/variables.tf new file mode 100644 index 00000000..2d1c7f09 --- /dev/null +++ b/tf-root-vm/tf-modules-cloud/gandi/variables.tf @@ -0,0 +1,12 @@ +variable "gandi_token" { + type = string +} + +variable "paas_base_domain" { + type = string + default = "k3s.test" +} + +variable "target_ip" { + type = string +} diff --git a/tf-root-libvirt/.terraform.lock.hcl b/tf-root-vm/tf-modules-cloud/libvirt/.terraform.lock.hcl similarity index 77% rename from tf-root-libvirt/.terraform.lock.hcl rename to tf-root-vm/tf-modules-cloud/libvirt/.terraform.lock.hcl index e1ae8c69..7e990347 100644 --- a/tf-root-libvirt/.terraform.lock.hcl +++ b/tf-root-vm/tf-modules-cloud/libvirt/.terraform.lock.hcl 
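Review bot: `variable "ssh_connection"` carries `password` and `private_key` but `sensitive = true` is commented out, so those values are printed in plan/apply output and error diagnostics; the same commented-out flag appears on `admin_password` in the security module, on `contabo_credentials` and the root `ssh_connection` in `tf-root-vm/variables.tf`, and on `github_token` in the top-level `variables.tf`, where the new `tailscale_oauth_client` object also loses the `sensitive` marking its two predecessor variables had. If the flag was disabled because `for_each = local.nixos_secrets` in the security module rejects sensitive values, keep `sensitive = true` on the variables and wrap only that expression in `nonsensitive()`. `gandi_token` in the gandi module's `variables.tf` should be marked sensitive as well.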
@@ -44,6 +44,25 @@ provider "registry.terraform.io/ferlab-ste-justine/healthcheck" { ] } +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.3" + hashes = [ + "h1:gShzO1rJtADK9tDZMvMgjciVAzsBh39LNjtThCwX1Hg=", + "zh:03d81462f9578ec91ce8e26f887e34151eda0e100f57e9772dbea86363588239", + "zh:37ec2a20f6a3ec3a0fd95d3f3de26da6cb9534b30488bc45723e118a0911c0d8", + "zh:4eb5b119179539f2749ce9de0e1b9629d025990f062f4f4dddc161562bb89d37", + "zh:5a31bb58414f41bee5e09b939012df5b88654120b0238a89dfd6691ba197619a", + "zh:6221a05e52a6a2d4f520ffe7cbc741f4f6080e0855061b0ed54e8be4a84eb9b7", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8bb068496b4679bef625e4710d9f3432e301c3a56602271f04e60eadf7f8a94c", + "zh:94742aa5378bab626ce34f79bcef6a373e4f86ea7a8b762e9f71270a899e0d00", + "zh:a485831b5a525cd8f40e8982fa37da40ff70b1ae092c8b755fcde123f0b1238d", + "zh:a647ff16d071eabcabd87ea8183eb90a775a0294ddd735d742075d62fff09193", + "zh:b74710c5954aaa3faf262c18d36a8c2407862d9f842c63e7fa92fa4de3d29df6", + "zh:fa73d83edc92af2e551857594c2232ba6a9e3603ad34b0a5940865202c08d8d7", + ] +} + provider "registry.terraform.io/hashicorp/null" { version = "3.2.2" constraints = "3.2.2" diff --git a/tf-root-libvirt/main.tf b/tf-root-vm/tf-modules-cloud/libvirt/main.tf similarity index 58% rename from tf-root-libvirt/main.tf rename to tf-root-vm/tf-modules-cloud/libvirt/main.tf index 175b1bc3..a17bb4bb 100644 --- a/tf-root-libvirt/main.tf +++ b/tf-root-vm/tf-modules-cloud/libvirt/main.tf @@ -28,7 +28,7 @@ resource "libvirt_volume" "nixos_worker" { } resource "libvirt_domain" "machine" { - name = "vm1" + name = var.node_hostname vcpu = 2 memory = 4096 type = "hvf" 
@@ -83,57 +83,20 @@ resource "libvirt_domain" "machine" { provisioner "local-exec" { when = create - command = "ssh-keygen -R [localhost]:2222 && ssh-keygen -R [127.0.0.1]:2222" + command = "ssh-keygen -R [localhost]:22 && ssh-keygen -R [127.0.0.1]:22" } } -resource "null_resource" "ensure_started" { - triggers = { - domain_id = libvirt_domain.machine.id - } - provisioner "remote-exec" { - connection { - type = "ssh" - user = var.ssh_connection.user - host = "localhost" - private_key = local.private_key - port = "2222" - agent = false - timeout = "4m" - } - - inline = ["echo 'Vm ${libvirt_domain.machine.id} started'"] - } -} - -resource "null_resource" "copy_k3s_config" { - triggers = { - domain_id = libvirt_domain.machine.id - started = null_resource.ensure_started.id - } - provisioner "local-exec" { - command = "ssh ${var.ssh_connection.user}@localhost -p 2222 'sudo cat /etc/rancher/k3s/k3s.yaml' > ~/.kube/config" - } -} - -data "healthcheck_http" "k3s" { - depends_on = [null_resource.ensure_started] - path = "livez?verbose" - status_codes = [200] - endpoints = [ - { - name = "k3s-1" - address = "127.0.0.1" - port = 6443 - }, - ] +output "name" { + depends_on = [ libvirt_domain.machine ] + value = var.node_hostname } -data "healthcheck_filter" "k3s" { - up = data.healthcheck_http.k3s.up - down = data.healthcheck_http.k3s.down +output "id" { + value = libvirt_domain.machine.id } -output "up_k3s_endpoint" { - value = data.healthcheck_filter.k3s.up +output "ip" { + value = "127.0.0.1" + depends_on = [ libvirt_domain.machine ] } diff --git a/tf-root-libvirt/nixos.xslt.tmpl b/tf-root-vm/tf-modules-cloud/libvirt/nixos.xslt.tmpl similarity index 100% rename from tf-root-libvirt/nixos.xslt.tmpl rename to tf-root-vm/tf-modules-cloud/libvirt/nixos.xslt.tmpl diff --git a/tf-root-vm/tf-modules-cloud/libvirt/terraform.tf b/tf-root-vm/tf-modules-cloud/libvirt/terraform.tf new file mode 100644 index 00000000..29703881 --- /dev/null 
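Review bot: `output "ip"` hard-codes `127.0.0.1`, which holds only if `port_mappings` forwards the guest's sshd to the host loopback (as the removed `ensure_started` connection to `localhost` suggests), and `module.security` then runs `ssh-keyscan` and an SSH provisioner against that address; add a comment on the output stating that it is the host-side forward, not the guest's address. The `ssh-keygen -R [localhost]:22` provisioner now also discards any known_hosts entry for a real sshd on the host's port 22, whereas 2222 was specific to this VM; keep a dedicated host port or scope the removal to the forwarded port. The enclosing `libvirt_domain.machine` resource starts outside the hunk.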
+++ b/tf-root-vm/tf-modules-cloud/libvirt/terraform.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">=1.4" + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + null = { + source = "hashicorp/null" + version = "3.2.2" + } + } +} diff --git a/tf-root-libvirt/variables.tf b/tf-root-vm/tf-modules-cloud/libvirt/variables.tf similarity index 92% rename from tf-root-libvirt/variables.tf rename to tf-root-vm/tf-modules-cloud/libvirt/variables.tf index da8d3f18..154a1e73 100644 --- a/tf-root-libvirt/variables.tf +++ b/tf-root-vm/tf-modules-cloud/libvirt/variables.tf @@ -1,7 +1,7 @@ variable "port_mappings" { type = map(number) default = { - 2222 = 22 + 22 = 22 6443 = 6443 443 = 443 80 = 80 @@ -42,3 +42,7 @@ variable "ssh_connection" { variable "libvirt_pool_path" { default = "/etc/libvirt/k3s-paas-pool" } + +variable "node_hostname" { + type = string +} diff --git a/tf-root-vm/tf-modules-nix/security/main.tf b/tf-root-vm/tf-modules-nix/security/main.tf new file mode 100644 index 00000000..3ce432ca --- /dev/null +++ b/tf-root-vm/tf-modules-nix/security/main.tf 
@@ -0,0 +1,124 @@ +data "tailscale_device" "trusted_device" { + for_each = toset([var.tailscale_trusted_device]) + name = each.value + wait_for = "60s" +} + +resource "tailscale_device_authorization" "sample_authorization" { + for_each = data.tailscale_device.trusted_device + device_id = each.value.id + authorized = true +} + +resource "tailscale_acl" "as_json" { + acl = jsonencode({ + acls = [ + { + action = "accept" + src = ["tag:all", "*"] + dst = ["*:*"] + } + ] + ssh = [ + { + action = "accept" + src = ["autogroup:member"] + dst = ["autogroup:self"] + users = [var.trusted_ssh_user] + } + ], + nodeAttrs = [ + { + target = ["autogroup:member"] + attr = ["funnel"] + }, + ], + tagOwners = { + "tag:all": [], + "tag:k8s-operator" = [] + "tag:k8s" = ["tag:k8s-operator"] + } + grants = [{ + src = ["autogroup:member"] + dst = ["tag:k8s-operator"] + app = { + "tailscale.com/cap/kubernetes" = [{ + impersonate = { + groups = ["system:masters"] + } + }] + } + }] + }) +} + +resource "tailscale_dns_preferences" "sample_preferences" { + magic_dns = true +} + +resource "tailscale_tailnet_key" "k3s_paas_node" { + reusable = true + ephemeral = true + preauthorized = true + expiry = 3600 + description = "VM instance key" + tags = ["tag:all"] +} + +locals { + nixos_secrets = { + "tailscaleAuthKey" = "${tailscale_tailnet_key.k3s_paas_node.key}" + "adminPassword" = "${var.admin_password}" + "hostName" = "${var.node_hostname}" + } +} + +data "external" "machine_key" { + program = ["bash", "${path.module}/retrieve-vm-host.sh"] + + query = { + machine_ip = var.vm_ip + } +} + +locals { + secret_nix = templatefile("${path.module}/secrets.nix.tmpl", { + user_key = var.ssh_connection.public_key + machine_key = data.external.machine_key.result.key + }) +} + +resource "terraform_data" "init_secrets" { + for_each = local.nixos_secrets + + provisioner "local-exec" { + command = "echo '${each.value}' > ${each.key}" + } +} + +resource "terraform_data" "wait_ssh" { + + connection { + type = "ssh" 
+ user = var.ssh_connection.user + private_key = var.ssh_connection.private_key + host = var.vm_ip + } + + provisioner "remote-exec" { + inline = ["echo 'Started'"] + } +} + +module "deploy_nixos" { + source = "github.com/Gabriella439/terraform-nixos-ng//nixos" + host = "${var.ssh_connection.user}@${var.vm_ip}" + flake = var.nix_flake + arguments = [ "--use-remote-sudo" ] + depends_on = [ terraform_data.wait_ssh ] +} + +output "secure_hostname" { + depends_on = [ module.deploy_nixos ] + value = var.node_hostname +} diff --git a/tf-root-vm/tf-modules-nix/security/retrieve-vm-host.sh b/tf-root-vm/tf-modules-nix/security/retrieve-vm-host.sh new file mode 100644 index 00000000..eb8a8178 --- /dev/null +++ b/tf-root-vm/tf-modules-nix/security/retrieve-vm-host.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +machine_ip=$1 + +eval "$(jq -r '@sh "machine_ip=\(.machine_ip)"')" + +OUTPUT=$(ssh-keyscan -H "$machine_ip") + +jq -n --arg output "$OUTPUT" '{"key": $output}' diff --git a/tf-root-vm/tf-modules-nix/security/secrets.nix.tmpl b/tf-root-vm/tf-modules-nix/security/secrets.nix.tmpl new file mode 100644 index 00000000..6c720f33 --- /dev/null +++ b/tf-root-vm/tf-modules-nix/security/secrets.nix.tmpl @@ -0,0 +1,3 @@ +{ + "tf.age".publicKeys = [ ${user_key} ${machine_key} ]; +} diff --git a/tf-root-vm/tf-modules-nix/security/terraform.tf b/tf-root-vm/tf-modules-nix/security/terraform.tf new file mode 100644 index 00000000..bfbfb174 --- /dev/null +++ b/tf-root-vm/tf-modules-nix/security/terraform.tf @@ -0,0 +1,10 @@ +terraform { + + required_version = ">=1.4" + + required_providers { + tailscale = { + source = "tailscale/tailscale" + } + } +} diff --git a/tf-root-vm/tf-modules-nix/security/variables.tf b/tf-root-vm/tf-modules-nix/security/variables.tf new file mode 100644 index 00000000..6ad879e6 --- /dev/null +++ b/tf-root-vm/tf-modules-nix/security/variables.tf 
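Review bot: `terraform_data.init_secrets` writes the reusable pre-authorized tailnet key and the admin password hash with `echo '${each.value}' > ${each.key}` into plain files in the working directory, nothing depends on it, and it has no `triggers_replace`, so `module.deploy_nixos` can run before the files exist and a rotated key is never rewritten. Add `depends_on = [terraform_data.init_secrets]` to `deploy_nixos`, set `triggers_replace = [each.value]` on `init_secrets`, and prefer writing the files with `local_sensitive_file` from the `hashicorp/local` provider this commit adds (which also avoids breaking on a value containing a quote). `local.secret_nix`, and the plan-time `ssh-keyscan` behind `data.external.machine_key`, are never consumed anywhere in this file — wire the rendered template into the same write-out or remove it. Neither `connection` block (`wait_ssh` here, `wait_tunneled_vm_ssh` in the root) sets `host_key`, so the SSH host identity is never checked even though the module already obtains it; `tailscale_acl.as_json` also installs an allow-all policy (`src = ["*"]`, `dst = ["*:*"]`) plus Funnel for every member, which is wider than a k3s node needs.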
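Review bot: Without `set -euo pipefail` a failed `ssh-keyscan -H "$machine_ip"` (host down, port filtered, unset input) leaves `OUTPUT` empty and the script still exits 0 with `{"key": ""}`, which Terraform then templates into `secrets.nix` as an empty machine key; add `set -euo pipefail` after the shebang and `[ -n "$OUTPUT" ] || { echo "no host key from $machine_ip" >&2; exit 1; }` before the final `jq`. `machine_ip=$1` is dead: the external data source passes its query on stdin and the following `eval` overwrites it. Also `-H` produces hashed known_hosts lines (`|1|…| ssh-ed25519 …`, one per key type) rather than a bare public key, which is presumably not what `[ ${user_key} ${machine_key} ]` in `secrets.nix.tmpl` expects — confirm the consumer's expected format and select one key type with `-t`.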
@@ -0,0 +1,47 @@ +variable "dex_client_id" { + type = string + #sensitive = true + default = "dex-k3s-paas" +} + +variable "vm_ip" { + type = string +} + +variable "trusted_ssh_user" { + default = "admin" +} + +variable "admin_password" { + type = string + #sensitive = true + default = "$6$zizou$reVO3q7LFsUq.GT5P5pYFFcpxCo7eTRT5yJTD.gVoOy/FSzHEtXdofvZ7E04Rej.jiQHKaWJB0Qob5FHov1WU/" +} + +variable "node_hostname" { + type = string + default = "k3s-paas-master" +} + +variable "k3s_server_addr" { + type = string + default = null +} + +variable "tailscale_trusted_device" { + type = string +} + +variable "ssh_connection" { + type = object({ + user = string + password = string + public_key = string + private_key = string + }) + #sensitive = true +} + +variable "nix_flake" { + default = ".#deploy" +} diff --git a/tf-root-contabo/variables.tf b/tf-root-vm/variables.tf similarity index 58% rename from tf-root-contabo/variables.tf rename to tf-root-vm/variables.tf index c01f0073..19c61c02 100644 --- a/tf-root-contabo/variables.tf +++ b/tf-root-vm/variables.tf @@ -1,41 +1,22 @@ -variable "tailscale_trusted_device" { - type = string -} - -variable "tailscale_node_device" { - type = string - default = "k3s-paas" -} - -variable "tailscale_oauth_client_id" { - type = string +variable "vm_provider" { + description = "The provider to use for the VM" + type = string + default = "libvirt" } -variable "tailscale_oauth_client_secret" { - type = string -} +### Gandi domain provider -variable "tailscale_tailnet" { +variable "gandi_token" { type = string -} - -variable "trusted_ssh_user" { - default = "admin" + nullable = true } variable "paas_base_domain" { - type = string + type = string default = "k3s.test" } -variable "domain_ttl" { - type = number - default = 3000 -} - -variable "contabo_instance" { - type = string -} +### Contabo variable "contabo_credentials" { type = object({ 
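Review bot: `variable "admin_password"` ships a fixed crypt hash as its `default`, so every deployment that does not override it gets the same admin credential and the hash lives in the repository history; remove the `default` so callers must supply their own hash, and restore `sensitive = true`. `k3s_server_addr` and `dex_client_id` are declared here but none of the files this commit adds to the module reads them — drop them or document what they are reserved for.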
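Review bot: `variable "vm_provider"` accepts any string while `tf-root-vm/main.tf` selects modules with `var.vm_provider == "libvirt"` and `== "contabo"`, so a misspelled value silently creates zero machines. Add `validation { condition = contains(["libvirt", "contabo"], var.vm_provider) error_message = "vm_provider must be libvirt or contabo." }`. `gandi_token` is `nullable = true` with no `default`, so it must still be supplied on every run, even a libvirt-only one where `module.gandi_domain` has no instances; give it `default = null` if that is the intent.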
@@ -44,23 +25,21 @@ variable "contabo_credentials" { oauth2_user = string oauth2_pass = string }) - sensitive = true -} - -variable "gandi_token" { - type = string + #sensitive = true } -variable "gandi_dnssec_public_key" { +variable "contabo_instance" { type = string + nullable = true + default = null } variable "image_version" { - default = "minimal" + default = "57942d4" } variable "image_url_format" { - default = "https://channels.nixos.org/nixos-23.11/latest-nixos-%s-x86_64-linux.iso" + default = "https://github.com/loic-roux-404/k3s-paas/releases/download/nixos-%s/nixos.qcow2" } variable "ssh_connection" { @@ -76,5 +55,30 @@ variable "ssh_connection" { public_key = "~/.ssh/id_ed25519.pub" user = "admin" } - sensitive = true + #sensitive = true +} + +### Security + +variable "tailscale_oauth_client" { + type = object({ + id = string + secret = string + }) +} + +variable "tailscale_tailnet" { + type = string + description = "Like tailxxxxx.ts.net" + nullable = true +} + +variable "tailscale_trusted_device" { + type = string +} + +variable "dex_client_id" { + type = string + #sensitive = true + default = "dex-k3s-paas" } diff --git a/variables.tf b/variables.tf index ccffcc54..03070e88 100644 --- a/variables.tf +++ b/variables.tf @@ -23,7 +23,7 @@ variable "dex_namespace" { } variable "github_token" { - sensitive = true + #sensitive = true type = string } @@ -43,16 +43,11 @@ variable "github_team" { default = "ops-team" } -variable "tailscale_oauth_client_id" { - description = "OAuth Client ID" - type = string - sensitive = true -} - -variable "tailscale_oauth_client_secret" { - description = "OAuth Client Secret" - type = string - sensitive = true +variable "tailscale_oauth_client" { + type = object({ + id = string + secret = string + }) } variable "paas_namespace" { @@ -105,3 +100,7 @@ variable "vm_ip" { variable "internal_network_ip" { default = "10.0.2.2" } + +variable "nix_flake" { + default = "#nixosConfigurations.aarch64-linux.default" +}
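Review bot: `image_url_format` now points at a GitHub release asset and `image_version` defaults to a short commit id, but nothing pins or verifies the artifact: `contabo_image` in the contabo module is created from `image_url` alone, so a replaced release file under the same tag would be imported unnoticed. Record the expected digest next to the version and verify it before the image is created (via a provider checksum argument if one exists, otherwise a pre-step), and give both variables `type = string` and a `description` of the expected format. `variable "ssh_connection"` at the end of the hunk continues outside it.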