Fediversity/deployment/check/data-model-tf-proxmox/nixosTest.nix
Kiara Grouwstra 6ea3f9db90
use token
Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
2025-10-22 15:27:27 +02:00


{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs) system;
  # Port the deployer's terraform-backend service listens on (see
  # services.terraform-backend.settings.LISTEN_ADDR below); the Terraform HTTP
  # backend client in httpBackend is pointed at the same port.
  backendPort = builtins.toString 8080;
  # Environment for Terraform's HTTP state backend. The username/password are
  # literal test fixtures for this nixosTest; whether the backend enforces them
  # is configured in ../../modules/terraform-backend, not visible here.
  # State, lock and unlock all go to the same plain-HTTP localhost URL.
  httpBackend = rec {
    TF_HTTP_USERNAME = "basic";
    TF_HTTP_PASSWORD = "fake-secret";
    TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
    TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
    TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
  };
  # FIXME generate the image `nixos-generate` was to make, but now do it for a desired `-c configuration.nix` rather than whatever generic thing now
  # The deployment under test, instantiated from the data model with the `pve`
  # test node as the Proxmox target. SSH to the deployed VM hops through `pve`
  # (ProxyCommand) using the key that the test script writes to
  # /root/.ssh/id_ed25519 on the deployer (key-file). The bridge name and the
  # gateway/address below match the br0 network configured on `pve`.
  deployment =
    (import ./data-model.nix {
      inherit sources system;
      config = {
        inherit httpBackend;
        inherit (import ./constants.nix) pathToRoot;
        nodeName = "pve";
        targetSystem = system;
        sshOpts = [
          "ProxyCommand=ssh -W %h:%p pve"
        ];
        key-file = "/root/.ssh/id_ed25519";
        node-name = "pve";
        bridge = "br0";
        vlanId = 0;
        imageDatastoreId = "local";
        vmDatastoreId = "local";
        cdDatastoreId = "local";
        ipv4Gateway = "192.168.10.1";
        ipv4Address = "192.168.10.236/24";
        ipv6Gateway = "";
        ipv6Address = "";
      };
    }).default.tf-proxmox-vm;
in
{
  _class = "nixosTest";
  name = "deployment-model";
  # Repository files the test needs at runtime: the run/await-ssh helper scripts.
  sourceFileset = lib.fileset.unions [
    ../../run/tf-proxmox-vm/run.sh
    ../../run/tf-proxmox-vm/await-ssh.sh
  ];
  # The Proxmox VE host: runs the proxmox-nixos module and hosts the VM that
  # `deployment` creates.
  nodes.pve =
    { sources, ... }:
    {
      imports = [
        "${sources.proxmox-nixos}/modules/proxmox-ve"
      ];
      environment.systemPackages = [
        pkgs.jq
        pkgs.qemu
      ];
      # Test-only network setup: firewall off, VLAN 0 on eth0, and br0 (the
      # bridge named in the deployment config above) with 192.168.10.1/24,
      # NATed so the deployed VM can reach outside via this host.
      networking.firewall.enable = false;
      networking.vlans = {
        vlan0 = {
          id = 0;
          interface = "eth0";
        };
      };
      networking.useDHCP = false;
      networking = {
        bridges.br0.interfaces = [ ];
        interfaces.br0.ipv4.addresses = [
          {
            address = "192.168.10.1";
            prefixLength = 24;
          }
        ];
        nat = {
          enable = true;
          internalInterfaces = [ "br0" ];
        };
      };
      boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
      # Literal root password for the throwaway test VM; hashedPasswordFile is
      # forced off, presumably so this plain-text password is what applies.
      users.users.root = {
        password = "mytestpw";
        hashedPasswordFile = lib.mkForce null;
      };
      # https://github.com/SaumonNet/proxmox-nixos/blob/main/modules/proxmox-ve/default.nix
      # NOTE(review): ipAddress 192.168.1.1 is not the br0 address (192.168.10.1)
      # configured above — confirm this is intended.
      services.proxmox-ve = {
        enable = true;
        ipAddress = "192.168.1.1";
      };
      virtualisation = {
        diskSize = 5 * 1024;
        memorySize = 3 * 1024;
      };
    };
  # The machine that runs the deployment: hosts the Terraform state backend and
  # carries the tooling (`deployment.run`, pve-manager, openssl, jq, terraform).
  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];
      networking.firewall.enable = false;
      # Build a NIX_PATH of "name=path:name=path" entries from the pinned
      # sources so builds on the deployer resolve the same inputs as the test.
      nix.nixPath = [
        (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources))
      ];
      environment.systemPackages = [
        deployment.run
        pkgs.pve-manager
        pkgs.openssl
        pkgs.jq
        (pkgs.callPackage ../../run/tf-proxmox-vm/tf.nix { })
      ];
      # needed only when building from deployer
      system.extraDependenciesFromModule =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [
            hello
          ];
        };
      # Additional closures kept in the deployer's store; presumably, like the
      # module above, only needed when the deployer builds the deployment itself.
      system.extraDependencies = [
        pkgs.ubootQemuX86
        pkgs.ubootQemuX86.inputDerivation
        pkgs.pve-qemu
        pkgs.pve-qemu.inputDerivation
        pkgs.gnu-config
        pkgs.byacc
        pkgs.stdenv
        pkgs.stdenvNoCC
        sources.nixpkgs
        pkgs.vte
      ];
      # Terraform HTTP state backend that httpBackend above points at.
      # KMS_KEY is a literal value checked into this test — presumably the
      # backend's state-encryption key; it is only suitable for this test and
      # must not be reused anywhere else.
      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":${backendPort}";
          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
        };
      };
    };
  extraTestScript = ''
    # Proxmox side: wait for the API, probe it over HTTPS (-k: this probe skips
    # certificate verification) and grab the self-signed root CA, which the
    # deployer is taught to trust further down.
    pve.wait_for_unit("pveproxy.service")
    assert "running" in pve.succeed("pveproxy status")
    pve.succeed("mkdir -p /run/pve")
    assert "Proxmox" in pve.succeed("curl -s -i -k https://localhost:8006")
    cert = pve.succeed("cat /etc/pve/pve-root-ca.pem").strip()
    # set up proxmox: a pool, the storage content types, and an API token for
    # root@pam. The token is granted the Administrator role on "/" (full
    # access to this throwaway host); its secret value is captured into
    # pm_token and handed to the deployer below.
    pm_token = pve.succeed("""
      set -e
      pvesh create /pools --poolid Fediversity
      pvesh set /storage/local --content "vztmpl,rootdir,backup,snippets,import,iso,images" 1>/dev/null
      pvesh create /access/users/root@pam/token/mytoken --output-format json | jq -r .value
      pvesh set /access/acl --path "/" --token "root@pam!mytoken" --roles "Administrator"
    """).strip()
    # skip indent for EOF: heredoc terminators must start at column 0, so the
    # heredoc bodies below sit at the base indentation of this script.
    # Install pve's root CA on the deployer and write the SSH private key that
    # the deployment uses (key-file above). This is a fixed test key embedded
    # in the repository; the matching public key is presumably authorized
    # elsewhere (not visible here). It must never be used outside this test.
    deployer.succeed(f"""
    cat > /etc/ssl/certs/pve-root-ca.pem <<EOF
    {cert}
    EOF
    mkdir -p /root/.ssh
    cat > /root/.ssh/id_ed25519 <<EOF
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACBWbJXVjBLGo2MrI2LBKTbzDozuA/C9taU630EtU/h38gAAAJDAOy8uwDsv
    LgAAAAtzc2gtZWQyNTUxOQAAACBWbJXVjBLGo2MrI2LBKTbzDozuA/C9taU630EtU/h38g
    AAAECcF8xjLavgWePoVx45Euewsh6Kw07L6QDDy3WXFCn4bFZsldWMEsajYysjYsEpNvMO
    jO4D8L21pTrfQS1T+HfyAAAAC2tpYXJhQG5peG9zAQI=
    -----END OPENSSH PRIVATE KEY-----
    EOF
    chmod 600 /root/.ssh/id_ed25519
    """)
    # Rebuild the system CA bundle so it also contains pve's root CA, then
    # check that pve-root-ca.pem verifies against the result.
    deployer.succeed("""
      set -xe
      cd /etc/ssl/certs
      { cat ca-bundle.crt
        cat ca-certificates.crt
        cat pve-root-ca.pem
      } > new-ca-bundle.crt
      rm ca-bundle.crt ca-certificates.crt
      mv new-ca-bundle.crt ca-bundle.crt
      ln -s ca-bundle.crt ca-certificates.crt
      openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
    """)
    # Deployment command shared by the subtests below. The first ssh presumably
    # primes known_hosts for pve (StrictHostKeyChecking=no) so the later
    # ProxyCommand hop is non-interactive; jq extracts the deployed VM's IPv4
    # from the run output.
    # NOTE(review): PROXMOX_VE_INSECURE="true" presumably disables TLS
    # verification in the provider, and SSL_CERT_FILE points at
    # /tmp/pve-ca-bundle.crt, which nothing in this script creates — the bundle
    # assembled above is /etc/ssl/certs/ca-bundle.crt. So the CA setup above is
    # likely not what the provider relies on; confirm, and consider pointing
    # SSL_CERT_FILE at /etc/ssl/certs/ca-bundle.crt so the insecure flag can go.
    deploy = f"""
      ssh -o BatchMode=yes -o StrictHostKeyChecking=no pve "true"
      export PROXMOX_VE_INSECURE="true"
      export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
      export PROXMOX_VE_API_TOKEN="root@pam!mytoken={pm_token}"
      ${lib.getExe deployment.run} | jq -r '.ipv4.value[0]'
    """
    with subtest("Run the deployment"):
        ip = deployer.succeed(deploy).strip()
    # Reach the new VM through pve as a jump host and run `hello` as the
    # operator user to confirm the deployed configuration is in place.
    with subtest("Verify package"):
        deployer.succeed(f"""
          ssh -i "/root/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o BatchMode=yes -J pve root@{ip} su - operator -c hello >&2
        """)
    # Running the same deployment again must still succeed (within 120s).
    with subtest("No-op update"):
        deployer.succeed(deploy, timeout=120)
  '';
}