imfreedom/terraform

IMFreedom Terraform

This repository contains terraform for imfreedom resources.

All machines are configured to be logged into via the admin user account. There are a number of reasons for this, but the most important one is that sudo usage gets logged for normal users, and the admin user is a normal user.

Setup

TLDR: install mkisofs, libvirt, terraform, terraform-libvirt-provider, and make sure the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are properly set to the imfreedom minio instance.

Terraform can be run from anywhere that this repository is cloned to with a few caveats. First you need to install terraform. I typically install it to ~/.local/bin/. Verify Terraform is installed and on your path by running terraform version.

~~Once you have a working Terraform install you need to install the terraform-libvirt-provider. This should be installed into ~/.terraform.d/plugins.~~ This might be done by terraform init now.

Next we need to make sure that the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set to your credentials for the imfreedom minio instance. If you need credentials, talk to grim. To make sure these environment variables are set, I recommend using direnv and saving them to your .envrc in your clone. This file is already ignored in .hgignore.

On Debian based hosts the apparmor profile for libvirt-qemu is missing a rule, which causes permission errors. To fix it you need to add the following to /etc/apparmor.d/abstractions/libvirt-qemu. I've been putting it at the end of the file and everything is fine.

  # for terraform-libvirt
  /var/lib/libvirt/images/* rwk,
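The checks below are an added example and are not part of this repository. They cover the prerequisites from the Setup section: the required tools on PATH, the two minio credential variables, and whether the libvirt-qemu apparmor abstraction already carries the terraform-libvirt rule. The script name preflight.sh, the function names and the `run` argument are all assumptions of this example.

```shell
#!/bin/sh
# preflight.sh -- added example, not repository code.
# Checks the prerequisites described in the Setup section before running make.

# Return 0 if every named command is on PATH, 1 otherwise (missing names on stderr).
check_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing tools:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 only if both minio credential variables are set and non-empty.
# These are the variables terraform reads for the imfreedom minio backend.
check_creds() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Return 0 if the apparmor abstraction at $1 already grants the image rule
# from the Setup section, 1 if the rule still needs to be appended.
check_apparmor() {
    grep -Fq '/var/lib/libvirt/images/* rwk,' "$1"
}

# Run all checks; exits non-zero on the first failure.
preflight_main() {
    check_tools mkisofs terraform virsh || return 1
    check_creds || { echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY not set (try direnv)" >&2; return 1; }
    if [ -f /etc/apparmor.d/abstractions/libvirt-qemu ]; then
        check_apparmor /etc/apparmor.d/abstractions/libvirt-qemu \
            || { echo "apparmor: add the terraform-libvirt rule to /etc/apparmor.d/abstractions/libvirt-qemu" >&2; return 1; }
    fi
    echo "preflight ok"
}

# Usage: sh preflight.sh run
case "${1:-}" in
    run) preflight_main ;;
esac
```

The apparmor check only runs when the abstraction file exists, so the script is usable on non-Debian hosts too; `virsh` stands in for "libvirt is installed", since the provider needs a working libvirt client.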

Node Configuration

To actually Terraform a node, we first need to create a <node>.tfvars in the nodes/ directory. A bare-minimum example is below.

libvirt_uri = "qemu+ssh://host/system"

libvirt_uri is the connect string for libvirt.

You can also use the volume_pool variable to use a different volume pool.

There is an optional node_prefix setting you can use to prefix all of the host names for the machines. This prefix will not change the names of the machines in libvirt; it's meant to disambiguate the machines in tailscale. When you're looking at a node it's obvious which machines belong to it, but in tailscale we don't have that luxury.

Once that file is created you can provision the node via:

make plan NODE=node1
make apply NODE=node1

Depending on the number of VMs, this can take quite a bit of time, so make sure to run it in screen/tmux and maintain a stable internet connection.

Additional configuration for the <node>.tfvars file is below in the section for each machine type.

FreeBSD AMD64

The FreeBSD AMD64 machines have a number of options which are explained below. These should be set in your <node>.tfvars file.

freebsd_amd64_count: How many FreeBSD AMD64 machines to create. The default is 0.

freebsd_amd64_volume_pool: The name of the libvirt volume pool to use. This is seldom changed, but defaults to default.

freebsd_amd64_ssh_pubkeys: A list of SSH public keys that are allowed to connect to this machine. The default is an empty list which means you will not be able to get into the machine.

freebsd_amd64_base_image: A dictionary containing information about the base image.

This has keys for the name, source URI, and format of the image.

The name is the name to use in the libvirt storage pool. This defaults to freebsd-amd64-base.

The source key is the URI to the file itself. We currently use images from bsd-cloud-image.org. Getting the URIs from there is kind of annoying as you have to start a download to get it.

Finally, the format key is the format of the image pointed to by the source key. Currently this is qcow2.

freebsd_amd64_volume_size: The size of the HDD for the machine. This defaults to 10GB.

freebsd_amd64_memory_size: The amount of memory to give to the machine. Defaults to 1GB.

freebsd_amd64_cpu_count: The number of CPUs to give the machine. Defaults to 1.

freebsd_amd64_network_name: The name of the libvirt network to use. This is seldom changed, but defaults to default.
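The following nodes/node1.tfvars ties together the Node Configuration settings and every FreeBSD AMD64 option above. It is an added example, not a file from this repository: the host name, prefix, key placeholders and image URI placeholder are constructed, and the README does not state the units of freebsd_amd64_volume_size and freebsd_amd64_memory_size, so the bytes and MiB values used here are assumptions to confirm against variables.tf. Keep freebsd_amd64_ssh_pubkeys to the keys that actually need access; the empty default locks everyone out, which is the safe direction.

```hcl
# nodes/node1.tfvars -- constructed example, not repository code.

libvirt_uri = "qemu+ssh://node1.example.invalid/system" # placeholder host
volume_pool = "default"
node_prefix = "node1-"                                   # only affects tailscale names

freebsd_amd64_count       = 2
freebsd_amd64_volume_pool = "default"

# Only these keys can log in as the admin user; an empty list means no access.
freebsd_amd64_ssh_pubkeys = [
  "ssh-ed25519 <alice-public-key> alice@workstation",
  "ssh-ed25519 <bob-public-key> bob@workstation",
]

freebsd_amd64_base_image = {
  name   = "freebsd-amd64-base"
  # Placeholder: take the real download URI from bsd-cloud-image.org.
  source = "https://bsd-cloud-image.org/<path-to-freebsd-image>.qcow2"
  format = "qcow2"
}

freebsd_amd64_volume_size  = 10737418240 # 10 GiB, assumed to be in bytes
freebsd_amd64_memory_size  = 1024        # assumed to be in MiB
freebsd_amd64_cpu_count    = 1
freebsd_amd64_network_name = "default"
```

With this file in place, `make plan NODE=node1` should show two FreeBSD AMD64 domains plus their volumes before `make apply NODE=node1` creates anything.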
