nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Test bringing up openstack instance
Some checks failed
/ check (push) Failing after 52s
Details
/ dev-shell (push) Successful in 1m8s
Details
/ rust-packages (push) Successful in 1m20s
Details
/ terraform-providers (push) Successful in 57s
Details

Browse source
This commit is contained in:
Kaare Hoff Skovgaard 2025-07-08 12:22:24 +02:00
parent ea031511cf
commit 748e1763ad
Signed by: khs
GPG key ID: C7D890804F01E9F0
24 changed files with 932 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

26
nix/modules/nixos/hetzner-instance/default.nix
View file

@ -2,7 +2,6 @@
config,
lib,
inputs,
pkgs,
...
}:
let
@ -75,11 +74,6 @@ in
description = "The Hetzner datacenter to create a server in";
default = "hel1-dc2";
};
output = lib.mkOption {
type = lib.types.nullOr lib.types.package;
description = "The terranix package built from the configuration";
default = null;
};
mapRdns = lib.mkOption {
type = lib.types.bool;
description = "Sets up RDNS for the server";
@ -148,23 +142,13 @@ in
imports = [
inputs.self.terranixModules.cloudflare
inputs.self.terranixModules.hcloud
inputs.self.terranixModules.s3
];
config = {
terraform.backend.s3 = {
bucket = "bw-terraform";
key = cfg.bucket.key;
region = "auto";
endpoints = {
s3 = "https://477b394a6a545699445c40953e40f00b.r2.cloudflarestorage.com";
};
use_path_style = true;
skip_credentials_validation = true;
skip_region_validation = true;
skip_metadata_api_check = true;
skip_requesting_account_id = true;
skip_s3_checksum = true;
khscodes.s3 = {
enable = true;
bucket.key = cfg.bucket.key;
};
khscodes.hcloud.data.ssh_key.khs = {
name = "ca.kaareskovgaard.net";
};
@ -229,7 +213,7 @@ in
khscodes.provisioning.pre = {
modules = modules;
secretsSource = cfg.secretsSource;
endspoints = [
endpoints = [
"aws"
"cloudflare"
"hcloud"

245
nix/modules/nixos/khs-openstack-instance/default.nix Normal file
View file

@ -0,0 +1,245 @@
{
config,
lib,
inputs,
...
}:
let
cfg = config.khscodes.khs-openstack-instance;
fqdn = config.khscodes.fqdn;
firewallTcpRules = lib.lists.flatten (
lib.lists.map (p: [
{
direction = "ingress";
ethertype = "IPv4";
protocol = "tcp";
port = p;
remote_subnet = "0.0.0.0/0";
}
{
direction = "ingress";
ethertype = "IPv6";
protocol = "tcp";
port = p;
remote_subnet = "::/0";
}
]) config.networking.firewall.allowedTCPPorts
);
firewallUdpRules = lib.lists.flatten (
lib.lists.map (p: [
{
direction = "ingress";
ethertype = "IPv4";
protocol = "udp";
port = p;
remote_subnet = "0.0.0.0/0";
}
{
direction = "ingress";
ethertype = "IPv6";
protocol = "udp";
port = p;
remote_subnet = "::/0";
}
]) config.networking.firewall.allowedUDPPorts
);
firewallIcmpRules = lib.lists.optionals config.networking.firewall.allowPing [
{
direction = "ingress";
ethertype = "IPv4";
protocol = "icmp";
remote_subnet = "0.0.0.0/0";
}
{
direction = "ingress";
ethertype = "IPv6";
protocol = "icmp";
remote_subnet = "::/0";
}
];
firewallRules = firewallTcpRules ++ firewallUdpRules ++ firewallIcmpRules ++ cfg.extraFirewallRules;
tldFromFqdn =
fqdn:
let
split = lib.strings.splitString "." fqdn;
in
if lib.lists.length split < 3 then
fqdn
else
lib.strings.removePrefix "${builtins.head split}." fqdn;
in
{
options.khscodes.khs-openstack-instance = {
enable = lib.mkEnableOption "enables generating a opentofu config for khs openstack instance";
dnsNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "DNS names for the instance";
default = [ fqdn ];
};
bucket = {
key = lib.mkOption {
type = lib.types.str;
description = "Key for use in the bucket";
default = "${fqdn}.tfstate";
};
};
secretsSource = lib.mkOption {
type = lib.types.enum [
"bitwarden"
"vault"
];
description = "Whether to load opentofu secrets from Bitwarden or Vault";
default = "vault";
};
flavor = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "The server type to create";
default = null;
};
ssh_key = lib.mkOption {
type = lib.types.str;
description = "SSH key for the server (this only applies to the initial creation, deploying NixOS will render this key useless). Changing this will recreate the instance";
default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw==";
};
extraFirewallRules = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Extra firewall rules added to the instance";
default = [
{
direction = "egress";
ethertype = "IPv4";
protocol = "tcp";
port = 80;
remote_subnet = "0.0.0.0/0";
}
{
direction = "egress";
ethertype = "IPv6";
protocol = "tcp";
port = 80;
remote_subnet = "::/0";
}
{
direction = "egress";
ethertype = "IPv4";
protocol = "tcp";
port = 443;
remote_subnet = "0.0.0.0/0";
}
{
direction = "egress";
ethertype = "IPv6";
protocol = "tcp";
port = 443;
remote_subnet = "::/0";
}
{
direction = "egress";
ethertype = "IPv4";
protocol = "udp";
port = 443;
remote_subnet = "0.0.0.0/0";
}
{
direction = "egress";
ethertype = "IPv6";
protocol = "udp";
port = 443;
remote_subnet = "::/0";
}
{
direction = "egress";
ethertype = "IPv4";
protocol = "icmp";
remote_subnet = "0.0.0.0/0";
}
{
direction = "egress";
ethertype = "IPv6";
protocol = "icmp";
remote_subnet = "::/0";
}
];
};
};
config = lib.mkIf cfg.enable (
let
tags = [ fqdn ];
modules = [
(
{ config, ... }:
{
imports = [
inputs.self.terranixModules.cloudflare
inputs.self.terranixModules.openstack
inputs.self.terranixModules.unifi
inputs.self.terranixModules.s3
];
config = {
khscodes.s3 = {
enable = true;
bucket.key = cfg.bucket.key;
};
khscodes.openstack.enable = true;
khscodes.openstack.compute_instance.compute = {
inherit tags;
name = fqdn;
initial_image = "Ubuntu-22.04";
flavor = cfg.flavor;
ssh_public_key = cfg.ssh_key;
firewall_rules = firewallRules;
};
khscodes.cloudflare = {
enable = true;
dns = {
enable = true;
zone_name = tldFromFqdn fqdn;
aRecords = [
{
inherit fqdn;
content = config.khscodes.openstack.output.compute_instance.compute.ipv4_address;
}
];
aaaaRecords = [
{
inherit fqdn;
content = config.khscodes.openstack.output.compute_instance.compute.ipv6_address;
}
];
};
};
output.ipv4_address = {
value = config.khscodes.openstack.output.compute_instance.compute.ipv4_address;
sensitive = false;
};
output.ipv6_address = {
value = config.khscodes.openstack.output.compute_instance.compute.ipv6_address;
sensitive = false;
};
};
}
)
];
in
{
assertions = [
{
assertion = config.khscodes.fqdn != null;
message = "Must set config.khscodes.fqdn when using opentofu";
}
];
khscodes.provisioning.pre = {
modules = modules;
secretsSource = cfg.secretsSource;
endpoints = [
"aws"
"cloudflare"
"openstack"
"unifi"
];
};
}
);
}

1
nix/modules/nixos/openstack/default.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { }

2
nix/modules/nixos/provisioning/default.nix
View file

@ -21,7 +21,7 @@ let
description = "Where to get the secrets for the provisioning from";
default = "vault";
};
endspoints = lib.mkOption {
endpoints = lib.mkOption {
type = lib.types.listOf (
lib.types.enum [
"openstack"