forked from Fediversity/Fediversity
90 lines
2.3 KiB
HCL
90 lines
2.3 KiB
HCL
terraform {
|
|
required_providers {
|
|
proxmox = {
|
|
source = "bpg/proxmox"
|
|
version = "= 0.76.1"
|
|
}
|
|
}
|
|
}
|
|
|
|
provider "proxmox" {
|
|
endpoint = "https://192.168.51.81:8006/"
|
|
# because self-signed TLS certificate is in use
|
|
insecure = true
|
|
|
|
ssh {
|
|
agent = true
|
|
# TODO: uncomment and configure if using api_token instead of password
|
|
username = "root" # FIXME: #24
|
|
}
|
|
}
|
|
|
|
locals {
|
|
# user-facing applications
|
|
application_configs = {
|
|
# FIXME: wrap applications at the interface to grab them in one go?
|
|
mastodon = var.mastodon
|
|
pixelfed = var.pixelfed
|
|
peertube = var.peertube
|
|
}
|
|
# services shared between applications
|
|
peripherals = { for name in [
|
|
"garage"
|
|
] : name => {
|
|
cfg = {
|
|
# enable if any user applications are enabled
|
|
enable = anytrue([for _, app in local.application_configs: try(app.enable, false)])
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
module "nixos" {
|
|
source = "../sync-nix"
|
|
category = "operator"
|
|
|
|
description = each.key
|
|
config_nix = each.value.config_nix
|
|
config_tf = each.value.config_tf
|
|
|
|
# FIXME recheck what may be moved back to sync-nix
|
|
for_each = {for name, inst in merge(
|
|
local.peripherals,
|
|
# local.application_configs,
|
|
) : name => merge(inst, {
|
|
config_tf = {
|
|
fediversityVm = {
|
|
name = name # used in hostname, selecting secrets
|
|
domain = var.domain
|
|
}
|
|
fediversity = {
|
|
domain = var.domain
|
|
temp = {
|
|
initialUser = var.initialUser
|
|
}
|
|
}
|
|
}
|
|
config_nix = <<-EOF
|
|
{
|
|
# note interpolations here are TF ones
|
|
imports = [
|
|
# shared NixOS config
|
|
${path.root}/../common/shared.nix
|
|
# FIXME: separate template options by service
|
|
${path.root}/options.nix
|
|
# for service `mastodon` import `mastodon.nix`
|
|
# FIXME: get VM details from TF
|
|
${path.root}/../../machines/operator/${inst.hostname}
|
|
${path.module}/${name}.nix
|
|
];
|
|
## FIXME: switch root authentication to users with password-less sudo, see #24
|
|
users.users.root.openssh.authorizedKeys.keys = let
|
|
keys = import ../../keys;
|
|
in [
|
|
# allow our panel vm access to the test machines
|
|
keys.panel
|
|
];
|
|
}
|
|
EOF
|
|
}) if try(inst.enable, false)}
|
|
}
|