Get openstack working again

Also the first instance of getting a server up with a working certificate
right away, through cloud user data.


Former-commit-id: 459b45ccc5
Kaare Hoff Skovgaard 2025-07-10 00:51:28 +02:00
parent d406c83aa1
commit bb93578b88
6 changed files with 21 additions and 19 deletions


@ -52,6 +52,7 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
khscodes.services.openstack-read-vault-auth-from-userdata.enable = true;
khscodes.infrastructure.provisioning.${cfg.stage} = { khscodes.infrastructure.provisioning.${cfg.stage} = {
endpoints = [ "vault" ]; endpoints = [ "vault" ];
modules = [ modules = [


@ -17,13 +17,13 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
disko = lib.mkDefault ( disko = lib.mkDefault (
lib.khscodes.disko-root-bios { lib.khscodes.disko-root-lvm-bios {
device = "/dev/sda"; device = "/dev/sda";
diskName = cfg.diskName; diskName = cfg.diskName;
} }
); );
boot.loader.grub.efiSupport = false; boot.loader.grub.efiSupport = false;
boot.loader.timeout = 1; boot.loader.timeout = 1;
# khscodes.virtualisation.qemu-guest.enable = true; khscodes.virtualisation.qemu-guest.enable = true;
}; };
} }


@ -15,13 +15,14 @@ in
config = lib.mkIf (cfg.enable && config.khscodes.services.vault-agent.enable) ( config = lib.mkIf (cfg.enable && config.khscodes.services.vault-agent.enable) (
let let
vault_addr = config.khscodes.services.vault-agent.vault.address; vault_addr = config.khscodes.services.vault-agent.vault.address;
secretIdFilePath = config.khscodes.services.vault-agent.secretIdFilePath; secretIdFilePath = config.khscodes.services.vault-agent.vault.secretIdFilePath;
roleIdFilePath = config.khscodes.services.vault-agent.roleIdFilePath; roleIdFilePath = config.khscodes.services.vault-agent.vault.roleIdFilePath;
in in
{ {
systemd.services."openstack-read-vault-auth-from-userdata" = { systemd.services."openstack-read-vault-auth-from-userdata" = {
enable = true; enable = true;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -33,6 +34,8 @@ in
pkgs.curl pkgs.curl
pkgs.jq pkgs.jq
pkgs.openbao pkgs.openbao
pkgs.getent
pkgs.systemd
]; ];
text = '' text = ''
if [[ -f "${lib.escapeShellArg secretIdFilePath}" ]]; then if [[ -f "${lib.escapeShellArg secretIdFilePath}" ]]; then
@ -40,17 +43,17 @@ in
exit 0 exit 0
fi fi
userdata="$(curl http://169.254.169.254/openstack/2012-08-10/user_data)" userdata="$(curl http://169.254.169.254/openstack/2012-08-10/user_data)"
role_id="$(echo "$userdata" | jq --raw '.VAULT_ROLE_ID')" role_id="$(echo "$userdata" | jq --raw-output '.VAULT_ROLE_ID')"
secret_id_wrapped="$(echo "$userdata" | jq --raw '.VAULT_SECRET_ID_WRAPPED')" secret_id_wrapped="$(echo "$userdata" | jq --raw-output '.VAULT_SECRET_ID_WRAPPED')"
secret_id="$(BAO_ADDR=${lib.escapeShellArg vault_addr} bao unwrap -field=secret_id "$secret_id_wrapped")" secret_id="$(BAO_ADDR=${lib.escapeShellArg vault_addr} bao unwrap -field=secret_id "$secret_id_wrapped")"
mkdir -p "$(dirname ${lib.escapeShellArg secretIdFilePath})" mkdir -p "$(dirname ${lib.escapeShellArg secretIdFilePath})"
mkdir -p "$(dirname ${lib.escapeShellArg roleIdFilePath})" mkdir -p "$(dirname ${lib.escapeShellArg roleIdFilePath})"
echo -n "$role_id" > ${lib.escapeShellArg roleIdFilePath} echo -n "$role_id" > ${lib.escapeShellArg roleIdFilePath}
echo -n "$secret_id" > ${lib.escapeShellArg secretIdFilePath} echo -n "$secret_id" > ${lib.escapeShellArg secretIdFilePath}
chown root:root "$${lib.escapeShellArg secretIdFilePath}" chown root:root "${lib.escapeShellArg secretIdFilePath}"
chmod 0600 "$${lib.escapeShellArg secretIdFilePath}" chmod 0600 "${lib.escapeShellArg secretIdFilePath}"
chown root:root "$${lib.escapeShellArg roleIdFilePath}" chown root:root "${lib.escapeShellArg roleIdFilePath}"
chmod 0600 "$${lib.escapeShellArg roleIdFilePath}" chmod 0600 "${lib.escapeShellArg roleIdFilePath}"
echo "Role id and secret id copied, restart vault-agent" echo "Role id and secret id copied, restart vault-agent"
systemctl restart vault-agent-openbao.service systemctl restart vault-agent-openbao.service
''; '';
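Review bot: The `userdata=` line still runs curl without `--fail`, `--silent --show-error` or a timeout, so an error page or empty reply from the metadata service is not detected; jq then yields the literal string `null` for both fields, the script writes `null` into the role-id file and hands it to `bao unwrap`. I would fetch with `userdata="$(curl --fail --silent --show-error --max-time 30 http://169.254.169.254/openstack/2012-08-10/user_data)"` and guard with `if [[ -z "$role_id" || "$role_id" == "null" || -z "$secret_id_wrapped" || "$secret_id_wrapped" == "null" ]]; then echo "userdata lacks vault credentials" >&2; exit 1; fi` before anything is written. Separately, both credential files are created by the `echo -n ... >` redirections before the `chmod 0600` lines run, so with the default umask they are briefly readable by other users; `umask 077` at the top of the script closes that window and the chown/chmod lines can stay as a second layer. Whether `set -e` is in effect for this `text` body is not visible in the hunk, so a failing `bao unwrap` may also pass unnoticed; the service definition starts at the top of this section and continues past the end of the hunk.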


@ -23,8 +23,11 @@ in
enableWhenVmTarget = lib.mkEnableOption "Enables some enhancement settings when building as a vm"; enableWhenVmTarget = lib.mkEnableOption "Enables some enhancement settings when building as a vm";
}; };
config = lib.mkIf cfg.enableWhenVmTarget { imports = [ ./profile.nix ];
virtualisation = {
config = lib.mkIf cfg.enable {
services.qemuGuest.enable = true;
virtualisation = lib.mkIf cfg.enableWhenVmTarget {
vmVariant = { vmVariant = {
khscodes.virtualisation.qemu-guest.enable = true; khscodes.virtualisation.qemu-guest.enable = true;
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;


@ -8,10 +8,5 @@ let
cfg = config.khscodes.virtualisation.qemu-guest; cfg = config.khscodes.virtualisation.qemu-guest;
in in
{ {
config = lib.mkIf cfg.enable ( config = lib.mkIf cfg.enable (import "${modulesPath}/profiles/qemu-guest.nix" { });
(import "${modulesPath}/profiles/qemu-guest.nix" { })
// {
services.qemuGuest.enable = true;
}
);
} }


@ -5,6 +5,6 @@ pkgs.writeShellApplication {
text = '' text = ''
instance="''${1:-}" instance="''${1:-}"
connect_host="''${2:-$1}" connect_host="''${2:-$1}"
nixos-rebuild switch --flake "${inputs.self}#$instance" --target-host "$connect_host" --build-host "localhost" nixos-rebuild switch --flake "${inputs.self}#$instance" --target-host "$connect_host" --build-host "$connect_host" --use-remote-sudo
''; '';
} }
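Review bot: The rebuilt `nixos-rebuild switch` line is reached with `--flake "${inputs.self}#"` whenever the first argument is an empty string, because `instance="''${1:-}"` never validates it; with no arguments at all, the `connect_host="''${2:-$1}"` expansion presumably trips writeShellApplication's `set -u` with an unbound-variable error rather than a usage message. Add `if [[ -z "$instance" ]]; then echo "usage: $0 <instance> [connect-host]" >&2; exit 1; fi` right after the two assignments. Moving `--build-host` from `localhost` to `$connect_host` also means the target now evaluates the flake and holds the build closure itself; a one-line comment above the command stating why that trade-off was chosen would help the next reader.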