limit disk size

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>

deployment/check/data-model-tf-proxmox/nixosTest.nix

@@ -24,7 +24,7 @@ let
     ];
     key-file = "/root/.ssh/id_ed25519";
     node-name = "pve";
-    bridge = "br-vm";
+    bridge = "br0";
     vlanId = 0;
     imageDatastoreId = "local";
     vmDatastoreId = "local";
@@ -73,33 +73,20 @@ in
       networking.useDHCP = false;
 
       networking = {
-        bridges.br-vm.interfaces = [ ]; # internal bridge
+        bridges.br0.interfaces = [ ];
-        interfaces.br-vm.ipv4.addresses = [
+        interfaces.br0.ipv4.addresses = [
           {
             address = "192.168.10.1";
             prefixLength = 24;
           }
         ];
-        # Timed out waiting for device /sys/subsystem/net/devices/br0
-        interfaces.br0.ipv4.addresses = [
-          {
-            address = "192.168.1.3";
-            prefixLength = 24;
-          }
-        ];
         nat = {
           enable = true;
-          # Timed out waiting for device /sys/subsystem/net/devices/br0
+          internalInterfaces = [ "br0" ];
-          externalInterface = "br0";
-          internalInterfaces = [ "br-vm" ];
         };
       };
       boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
 
-      networking.defaultGateway = {
-        interface = "br0";
-        address = "192.168.1.1";
-      };
       users.users.root = {
         password = "mytestpw";
         hashedPasswordFile = lib.mkForce null;
@@ -110,8 +97,8 @@ in
         ipAddress = "192.168.1.1";
       };
       virtualisation = {
-        diskSize = 24 * 1024;
+        diskSize = 5 * 1024;
-        memorySize = 4 * 1024;
+        memorySize = 3 * 1024;
       };
     };
 
@@ -162,9 +149,6 @@ in
           KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
         };
       };
-      virtualisation = {
-        memorySize = lib.mkForce (24 * 1024);
-      };
     };
 
   extraTestScript = ''
@@ -219,18 +203,23 @@ in
       openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
     """)
 
-    with subtest("Run the deployment"):
+    deploy = f"""
-
-      ip = deployer.succeed(f"""
-        export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
       ssh -o BatchMode=yes -o StrictHostKeyChecking=no pve "true"
+      export PROXMOX_VE_INSECURE="true"
+      export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
       export PROXMOX_VE_API_TOKEN="root@pam!mytoken={pm_token}"
       ${lib.getExe deployment.run} | jq -r '.ipv4.value[0]'
-        # ${lib.getExe deployment.run} >&2
+    """
-      """).strip()
 
+    with subtest("Run the deployment"):
+      ip = deployer.succeed(deploy).strip()
+
+    with subtest("Verify package"):
       deployer.succeed(f"""
         ssh -i "/root/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o BatchMode=yes -J pve root@{ip} su - operator -c hello >&2
       """)
+
+    with subtest("No-op update"):
+      deployer.succeed(deploy, timeout=120)
   '';
 }

deployment/run/tf-proxmox/main.tf

@@ -16,9 +16,6 @@ locals {
 # https://registry.terraform.io/providers/bpg/proxmox/latest/docs
 provider "proxmox" {
   endpoint = "https://${var.host}:8006/"
-  insecure = true
-  # FIXME secure
-  # insecure = false
 
   # used only for files and creating custom disks
   ssh {
@@ -33,12 +30,13 @@ provider "proxmox" {
   }
 }
 
-# # hash of our code directory, used to trigger re-deploy
+# hash of our code directory, used to trigger re-deploy
-# # FIXME calculate separately to reduce false positives
+# FIXME calculate separately to reduce false positives
-# data "external" "hash" {
+data "external" "hash" {
-#   program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""]
+  program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ../../..)\\\"}\""]
-# }
+}
 
+# FIXME (un)stream
 # FIXME handle known-hosts in TF state
 # FIXME move to host
 # FIXME switch to base image shared between jobs as upload seems a bottleneck? e.g. by:
@@ -51,13 +49,6 @@ resource "proxmox_virtual_environment_file" "upload" {
   #   create = "60m"
   # }
 
-  # content_type - (Optional) The content type. If not specified, the content type will be inferred from the file extension. Valid values are:
-  #     backup (allowed extensions: .vzdump, .tar.gz, .tar.xz, tar.zst)
-  #     iso (allowed extensions: .iso, .img)
-  #     snippets (allowed extensions: any)
-  #     import (allowed extensions: .raw, .qcow2, .vmdk)
-  #     vztmpl (allowed extensions: .tar.gz, .tar.xz, tar.zst)
-  # content_type = "backup"
   content_type = "import"
   # https://192.168.51.81:8006/#v1:0:=storage%2Fnode051%2Flocal:4::=contentIso:::::
   # PVE -> Datacenter -> Storage -> local -> Edit -> General -> Content -> check Import + Disk Images -> OK
@@ -83,6 +74,7 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
     # or just defer syncing when only this changed?
     ignore_changes = [
       disk["import_from"],
+      initialization,
     ]
   }
   node_name      = var.node_name
@@ -118,11 +110,6 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
     ssd          = true
     backup       = false
     cache        = "none"
-
-    # FIXME make the provider allow this as a distinct block to allow making this depend on VM id?
-    # FIXME replace with an effectful ~~function~~template from vm_id replacing resource `proxmox_virtual_environment_file.upload`
-    # import_from  = "local:import/${proxmox_virtual_environment_vm.nix_vm.vm_id}-${local.dump_name}" # bogus import name to test if it would accept self-referential values here # may not refer to itself
-    # import_from  = "local:import/${local.dump_name}"
     import_from  = proxmox_virtual_environment_file.upload.id
   }
 
@@ -153,10 +140,10 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
         gateway = var.ipv4_gateway
         address = var.ipv4_address
       }
-      # ipv6 {
+      ipv6 {
-      #   gateway = var.ipv6_gateway
+        gateway = var.ipv6_gateway
-      #   address = var.ipv6_address
+        address = var.ipv6_address
-      # }
+      }
     }
   }
 }
@@ -170,20 +157,22 @@ resource "null_resource" "await_ssh" {
   }
 }
 
-# FIXME expose (and handle thru) [`exec`](https://pve.proxmox.com/pve-docs/api-viewer/#/nodes/{node}/qemu/{vmid}/agent/exec) endpoint in proxmox TF provider? wait, what command would i use it for?: https://github.com/bpg/terraform-provider-proxmox/issues/1576
 module "nixos-rebuild" {
   depends_on = [
-    null_resource.await_ssh
+    data.external.hash,
+    null_resource.await_ssh,
   ]
   source = "../tf-single-host"
   nixos_conf = var.nixos_conf
-  # username = var.ssh_user # refers to the proxmox ssh user, not the VM one
   username = "root"
   host = proxmox_virtual_environment_vm.nix_vm.ipv4_addresses[1][0]
   key_file = var.key_file
   ssh_opts = var.ssh_opts
 }
 
+output "id" {
+  value = proxmox_virtual_environment_vm.nix_vm.vm_id
+}
 output "ipv4" {
   value = proxmox_virtual_environment_vm.nix_vm.ipv4_addresses[1]
 }