Compare commits

1 Commits

Author SHA1 Message Date
unkinben ec8985e60a feat: enable access to vault certificate
Build / build (pull_request) Successful in 1m54s
- puppet now automatically trusts vault certs for some clients
- ensure build job can access vault certs
2025-10-17 22:27:02 +11:00
25 changed files with 8 additions and 579 deletions
+1 -1
View File
@@ -29,5 +29,5 @@ jobs:
env:
VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
run: |
dnf install terraform -y
ls -lh /etc/pki/tls/vault
make plan
+1 -2
View File
@@ -11,7 +11,7 @@ jobs:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
options: --privileged
steps:
- name: Checkout code
@@ -23,5 +23,4 @@ jobs:
env:
VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
run: |
dnf install terraform -y
make apply
+3 -11
View File
@@ -20,17 +20,9 @@ define vault_env
mkdir -p $$INCUS_CONFIG_DIR && \
mkdir -p $$INCUS_CONFIG_DIR/servercerts && \
printf '%s\n' "$$INCUS_CONF_INCUSIMAGES_CERT" > $$INCUS_CONFIG_DIR/servercerts/incus-images.crt && \
printf '%s\n' "$$INCUS_CONF_CONFIG_YAML" > $$INCUS_CONFIG_DIR/config.yml && \
if [ -f /etc/pki/tls/vault/certificate.crt ] && [ -f /etc/pki/tls/vault/private.key ]; then \
cp /etc/pki/tls/vault/certificate.crt $$INCUS_CONFIG_DIR/client.crt && \
cp /etc/pki/tls/vault/private.key $$INCUS_CONFIG_DIR/client.key; \
elif [ -f $$HOME/.config/incus/client.crt ] && [ -f $$HOME/.config/incus/client.key ]; then \
cp $$HOME/.config/incus/client.crt $$INCUS_CONFIG_DIR/client.crt && \
cp $$HOME/.config/incus/client.key $$INCUS_CONFIG_DIR/client.key; \
else \
printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key; \
fi
printf '%s\n' "$$INCUS_CONF_CONFIG_YAML" > $$INCUS_CONFIG_DIR/config.yaml && \
printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key
endef
clean:
-10
View File
@@ -159,16 +159,6 @@ shared_apps_jellyfin:
properties:
source: /shared/apps/jellyfin
path: /shared/apps/jellyfin
shared_apps_maildata:
description: "Mount /shared/apps/maildata directly into the container"
project: null
config: {}
devices:
- type: disk
name: maildata-shared
properties:
source: /shared/apps/maildata
path: /shared/apps/maildata
# storage
disk10:
+1 -1
View File
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
+1 -1
View File
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
+1 -1
View File
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0009"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0010"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0011"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0012"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0013"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0009"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0010"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0011"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0012"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}