From 459b45ccc51d266618dc20b35cae92cd53de2c51 Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Thu, 10 Jul 2025 00:51:28 +0200
Subject: [PATCH] Get openstack working again

Also first instance of getting server up with working certificate right away, through cloud user data.
---
 .../vault-server-approle/default.nix | 1 +
 nix/modules/nixos/openstack/default.nix | 4 ++--
 .../default.nix | 19 +++++++++++--------
 .../virtualisation/qemu-guest/default.nix | 7 +++++--
 .../virtualisation/qemu-guest/profile.nix | 7 +------
 nix/packages/update-instance/default.nix | 2 +-
 6 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
index 05fdb99..c3bc8b8 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/default.nix
@@ -52,6 +52,7 @@ in
 };
 config = lib.mkIf cfg.enable {
+ khscodes.services.openstack-read-vault-auth-from-userdata.enable = true;
 khscodes.infrastructure.provisioning.${cfg.stage} = {
 endpoints = [ "vault" ];
 modules = [
diff --git a/nix/modules/nixos/openstack/default.nix b/nix/modules/nixos/openstack/default.nix
index 20f6c61..bbc4bcb 100644
--- a/nix/modules/nixos/openstack/default.nix
+++ b/nix/modules/nixos/openstack/default.nix
@@ -17,13 +17,13 @@ in
 };
 config = lib.mkIf cfg.enable {
 disko = lib.mkDefault (
- lib.khscodes.disko-root-bios {
+ lib.khscodes.disko-root-lvm-bios {
 device = "/dev/sda";
 diskName = cfg.diskName;
 }
 );
 boot.loader.grub.efiSupport = false;
 boot.loader.timeout = 1;
- # khscodes.virtualisation.qemu-guest.enable = true;
+ khscodes.virtualisation.qemu-guest.enable = true;
 };
 }
diff --git a/nix/modules/nixos/services/openstack-read-vault-auth-from-userdata/default.nix b/nix/modules/nixos/services/openstack-read-vault-auth-from-userdata/default.nix
index 3cb6e35..480c60e 100644
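Review bot: The added line hard-enables `khscodes.services.openstack-read-vault-auth-from-userdata` for every host that enables `vault-server-approle`, with no `lib.mkDefault` and no condition on the host actually running on OpenStack, so a non-OpenStack approle host would presumably (the service's own gating is outside this patch) try the instance metadata endpoint on every boot. If the approle module is meant to stay provider-neutral, make the setting overridable, `khscodes.services.openstack-read-vault-auth-from-userdata.enable = lib.mkDefault true;`, or move the enable into the OpenStack module next to the `khscodes.virtualisation.qemu-guest.enable = true;` line in the next hunk. The enclosing `config` attrset continues past the end of the hunk.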
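Review bot: Replacing `lib.khscodes.disko-root-bios` with `lib.khscodes.disko-root-lvm-bios` changes the partition layout disko applies, and nothing in the file or the commit message says what happens to instances already provisioned with the old layout (as far as I can tell they need to be re-provisioned rather than switched). A comment above the `disko = lib.mkDefault (` line would record that, e.g. `# LVM layout; instances provisioned with disko-root-bios must be re-provisioned, or pin the old layout by setting `disko` on the host (this is only a mkDefault).`. That also documents why the `lib.mkDefault` wrapper is there.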
--- a/nix/modules/nixos/services/openstack-read-vault-auth-from-userdata/default.nix
+++ b/nix/modules/nixos/services/openstack-read-vault-auth-from-userdata/default.nix
@@ -15,13 +15,14 @@ in
 config = lib.mkIf (cfg.enable && config.khscodes.services.vault-agent.enable) (
 let
 vault_addr = config.khscodes.services.vault-agent.vault.address;
- secretIdFilePath = config.khscodes.services.vault-agent.secretIdFilePath;
- roleIdFilePath = config.khscodes.services.vault-agent.roleIdFilePath;
+ secretIdFilePath = config.khscodes.services.vault-agent.vault.secretIdFilePath;
+ roleIdFilePath = config.khscodes.services.vault-agent.vault.roleIdFilePath;
 in
 {
 systemd.services."openstack-read-vault-auth-from-userdata" = {
 enable = true;
 wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
 after = [ "network-online.target" ];
 serviceConfig = {
 Type = "oneshot";
@@ -33,6 +34,8 @@ in
 pkgs.curl
 pkgs.jq
 pkgs.openbao
+ pkgs.getent
+ pkgs.systemd
 ];
 text = ''
 if [[ -f "${lib.escapeShellArg secretIdFilePath}" ]]; then
@@ -40,17 +43,17 @@ in
 exit 0
 fi
 userdata="$(curl http://169.254.169.254/openstack/2012-08-10/user_data)"
- role_id="$(echo "$userdata" | jq --raw '.VAULT_ROLE_ID')"
- secret_id_wrapped="$(echo "$userdata" | jq --raw '.VAULT_SECRET_ID_WRAPPED')"
+ role_id="$(echo "$userdata" | jq --raw-output '.VAULT_ROLE_ID')"
+ secret_id_wrapped="$(echo "$userdata" | jq --raw-output '.VAULT_SECRET_ID_WRAPPED')"
 secret_id="$(BAO_ADDR=${lib.escapeShellArg vault_addr} bao unwrap -field=secret_id "$secret_id_wrapped")"
 mkdir -p "$(dirname ${lib.escapeShellArg secretIdFilePath})"
 mkdir -p "$(dirname ${lib.escapeShellArg roleIdFilePath})"
 echo -n "$role_id" > ${lib.escapeShellArg roleIdFilePath}
 echo -n "$secret_id" > ${lib.escapeShellArg secretIdFilePath}
- chown root:root "$${lib.escapeShellArg secretIdFilePath}"
- chmod 0600 "$${lib.escapeShellArg secretIdFilePath}"
- chown root:root "$${lib.escapeShellArg roleIdFilePath}"
- chmod 0600 "$${lib.escapeShellArg roleIdFilePath}"
+ chown root:root "${lib.escapeShellArg secretIdFilePath}"
+ chmod 0600 "${lib.escapeShellArg secretIdFilePath}"
+ chown root:root "${lib.escapeShellArg roleIdFilePath}"
+ chmod 0600 "${lib.escapeShellArg roleIdFilePath}"
 echo "Role id and secret id copied, restart vault-agent"
 systemctl restart vault-agent-openbao.service
 '';
diff --git a/nix/modules/nixos/virtualisation/qemu-guest/default.nix b/nix/modules/nixos/virtualisation/qemu-guest/default.nix
index 5eec748..f40f946 100644
--- a/nix/modules/nixos/virtualisation/qemu-guest/default.nix
+++ b/nix/modules/nixos/virtualisation/qemu-guest/default.nix
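Review bot: The new `chown`/`chmod` lines wrap `${lib.escapeShellArg …}` in double quotes, unlike the `echo -n … > ${lib.escapeShellArg roleIdFilePath}` redirections a few lines above (the `[[ -f "…" ]]` test in the previous hunk has the same shape): `escapeShellArg` single-quotes its argument when the path contains anything outside its safe character set, and inside double quotes those single quotes become part of the file name, so either drop the double quotes (`chown root:root ${lib.escapeShellArg secretIdFilePath}`) or drop the escaping and keep the quotes, but not both. Separately, the secret files are created by the `echo -n … >` redirections under the process umask and only tightened by the `chmod 0600` afterwards; a `umask 077` line before the first `mkdir -p` removes that window. Finally, `curl` runs without `--fail`, `--silent --show-error` or `--max-time`, and `jq --raw-output` prints the string `null` for a missing key, so a metadata-service error turns into a role id of `null` rather than a failed unit; `jq --raw-output --exit-status` on both lookups (or a check that `$role_id` is non-empty and not `null`) would surface it. Whether this script runs under `set -e` is not visible in the patch.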
@@ -23,8 +23,11 @@ in
 enableWhenVmTarget = lib.mkEnableOption "Enables some enhancement settings when building as a vm";
 };
- config = lib.mkIf cfg.enableWhenVmTarget {
- virtualisation = {
+ imports = [ ./profile.nix ];
+
+ config = lib.mkIf cfg.enable {
+ services.qemuGuest.enable = true;
+ virtualisation = lib.mkIf cfg.enableWhenVmTarget {
 vmVariant = {
 khscodes.virtualisation.qemu-guest.enable = true;
 services.spice-vdagentd.enable = true;
diff --git a/nix/modules/nixos/virtualisation/qemu-guest/profile.nix b/nix/modules/nixos/virtualisation/qemu-guest/profile.nix
index b7c329b..77560ee 100644
--- a/nix/modules/nixos/virtualisation/qemu-guest/profile.nix
+++ b/nix/modules/nixos/virtualisation/qemu-guest/profile.nix
@@ -8,10 +8,5 @@ let
 cfg = config.khscodes.virtualisation.qemu-guest;
 in
 {
- config = lib.mkIf cfg.enable (
- (import "${modulesPath}/profiles/qemu-guest.nix" { })
- // {
- services.qemuGuest.enable = true;
- }
- );
+ config = lib.mkIf cfg.enable (import "${modulesPath}/profiles/qemu-guest.nix" { });
 }
diff --git a/nix/packages/update-instance/default.nix b/nix/packages/update-instance/default.nix
index a18794d..4cd2786 100644
--- a/nix/packages/update-instance/default.nix
+++ b/nix/packages/update-instance/default.nix
@@ -5,6 +5,6 @@ pkgs.writeShellApplication {
 text = ''
 instance="''${1:-}"
 connect_host="''${2:-$1}"
- nixos-rebuild switch --flake "${inputs.self}#$instance" --target-host "$connect_host" --build-host "localhost"
+ nixos-rebuild switch --flake "${inputs.self}#$instance" --target-host "$connect_host" --build-host "$connect_host" --use-remote-sudo
 '';
 }
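Review bot: Nesting `virtualisation = lib.mkIf cfg.enableWhenVmTarget { … }` inside `config = lib.mkIf cfg.enable { … }` changes the gating: the `vmVariant` settings now need both `enable` and `enableWhenVmTarget`, where before `enableWhenVmTarget` alone was enough. If that is intended, the option text `"Enables some enhancement settings when building as a vm"` should say it only takes effect together with `enable`; if not, keep the two independent, `config = lib.mkMerge [ (lib.mkIf cfg.enable { services.qemuGuest.enable = true; }) (lib.mkIf cfg.enableWhenVmTarget { virtualisation = { … }; }) ];`. The `vmVariant` attrset and the module around it continue past the end of the hunk.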
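Review bot: `import "${modulesPath}/profiles/qemu-guest.nix" { }` calls the upstream profile as a plain function with an empty argument set and uses the result as `config`, which only works for as long as that profile ignores its module arguments (`lib`, `pkgs`, `config`) and declares no `imports` or `options` of its own; the usual route is `imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]`, which cannot be gated on `cfg.enable`, and that is presumably why the call form was chosen. A comment on the `config =` line saying so, e.g. `# called as a function so it can be gated on cfg.enable; breaks if the upstream profile starts using its module args`, would stop someone from "fixing" it back and explains the hunk. The `let` header of the file lies before the hunk.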
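Review bot: Switching `--build-host` from `localhost` to `"$connect_host"` and adding `--use-remote-sudo` moves the build (evaluation presumably still happens locally) onto the instance, so the target now needs outbound network for substitutes and fixed-output fetches, enough disk and memory to build its own closure, and non-interactive sudo for the SSH user; none of that is written down, and the only hint is the flag itself. A short comment above the `nixos-rebuild` line would do, e.g. `# builds on the instance itself: needs outbound network for fetches and passwordless sudo for the ssh user`.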