Merge pull request #121 from clincha-org/11-packer-kickstart-delivery

11 packer kickstart delivery

.github/workflows/packer-build.yml

@@ -1,34 +1,88 @@
 name: packer-build
-
 on:
   workflow_dispatch:
 
 jobs:
   build-templates:
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     strategy:
+      max-parallel: 1
       matrix:
-        node: [ bri-s-01, bri-s-02, bri-s-03 ]
+        node:
+         - "bri-s-01"
+         - "bri-s-02"
+         - "bri-s-03"
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v4.1.1
+
+      - name: "Install WireGuard"
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wireguard
+          # https://superuser.com/questions/1500691/usr-bin-wg-quick-line-31-resolvconf-command-not-found-wireguard-debian
+          ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf
+
+      - name: "Create WireGuard config"
+        run: |
+          sudo mkdir -p /etc/wireguard
+          sudo chmod 700 /etc/wireguard
+          sudo touch /etc/wireguard/wg0.conf
+          sudo chmod 600 /etc/wireguard/wg0.conf
+          sudo bash -c "cat > /etc/wireguard/wg0.conf" << EOF
+          [Interface]
+          PrivateKey = ${{ secrets.HL_PKR_PRIVATE_KEY }}
+          Address = 10.1.5.3/32
+          DNS = 10.1.5.1
+          
+          [Peer]
+          PublicKey = 6/tGUsqU3ib5LEEua2cLCUxSDFpiEFhOT0sGkqz0LHk=
+          PresharedKey = ${{ secrets.HL_PKR_PRESHARED_KEY }}
+          AllowedIPs = 10.1.5.1/32,10.1.5.2/32,192.168.1.11/24,10.1.1.1/24,10.1.2.1/24,10.1.3.1/24,0.0.0.0/0
+          Endpoint = ${{ secrets.HL_ENDPOINT }}
+          EOF
+
+      - name: "Start WireGuard"
+        run: |
+          sudo wg-quick up wg0
+          sudo wg
+          ping 192.168.1.11 -c 3
+
+      - name: Install Packer
+        run: |
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+          sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+          sudo apt-get update && sudo apt-get install -y packer
 
       - name: Create SSH key
         run: 'echo "$ANSIBLE_PK" > id_rsa && chmod 600 id_rsa'
         shell: bash
         env:
           ANSIBLE_PK: ${{ secrets.ANSIBLE_PK }}
 
+      - name: Disable the firewall
+        run: |
+          sudo ufw status
+          sudo ufw disable
+          sudo ufw status
+
       - name: packer init
         working-directory: packer
         run: |
           /usr/bin/packer init .
 
+
       - name: packer build
         working-directory: packer
         run: |
-          /usr/bin/packer build --force \
+          packer build --force \
           -var "ansible_ssh_password=${{ secrets.ANSIBLE_PASSWORD }}" \
           -var "proxmox_api_token_secret=${{ secrets.PACKER_BRISTOL_PROXMOX_TOKEN_SECRET }}" \
           -var-file="nodes/${{ matrix.node }}.pkrvars.hcl" \
           .
+
+      - name: "Stop WireGuard"
+        if: always()
+        run: |
+          sudo wg-quick down wg0
+          sudo rm -rf /etc/wireguard

.github/workflows/template-terraform.yml

@@ -32,10 +32,10 @@ on:
       BRISTOL_PROXMOX_TOKEN_SECRET:
         required: true
         description: "The HL Proxmox token secret"
-      HL_PRIVATE_KEY:
+      HL_TF_PRIVATE_KEY:
         required: true
         description: "The HL WireGuard private key"
-      HL_PRESHARED_KEY:
+      HL_TF_PRESHARED_KEY:
         required: true
         description: "The HL WireGuard preshared key"
       HL_ENDPOINT:
@@ -66,13 +66,13 @@ jobs:
           sudo chmod 600 /etc/wireguard/wg0.conf
           sudo bash -c "cat > /etc/wireguard/wg0.conf" << EOF
           [Interface]
-          PrivateKey = ${{ secrets.HL_PRIVATE_KEY }}
+          PrivateKey = ${{ secrets.HL_TF_PRIVATE_KEY }}
           Address = ${{ inputs.wg_address }}
           DNS = ${{ inputs.wg_dns }}
           
           [Peer]
           PublicKey = 6/tGUsqU3ib5LEEua2cLCUxSDFpiEFhOT0sGkqz0LHk=
-          PresharedKey = ${{ secrets.HL_PRESHARED_KEY }}
+          PresharedKey = ${{ secrets.HL_TF_PRESHARED_KEY }}
           AllowedIPs = ${{ inputs.wg_allowed_ips }}
           Endpoint = ${{ secrets.HL_ENDPOINT }}
           EOF
@@ -92,6 +92,7 @@ jobs:
 
       - name: "Run the make command"
         run: make ${{ inputs.command }} ARM_ACCESS_KEY=${{ secrets.ARM_ACCESS_KEY }}
+        working-directory: terraform
         env:
           TF_VAR_ansible_id_rsa: ${{ secrets.ANSIBLE_PK }}
           TF_VAR_bristol_proxmox_token_secret: ${{ secrets.BRISTOL_PROXMOX_TOKEN_SECRET }}

.github/workflows/terraform-apply.yml

@@ -3,6 +3,7 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
 jobs:
   apply:
     uses: "./.github/workflows/template-terraform.yml"
@@ -12,7 +13,7 @@ jobs:
       ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
       ANSIBLE_PK: ${{ secrets.ANSIBLE_PK }}
       BRISTOL_PROXMOX_TOKEN_SECRET: ${{ secrets.BRISTOL_PROXMOX_TOKEN_SECRET }}
-      HL_PRIVATE_KEY: ${{ secrets.HL_PRIVATE_KEY }}
-      HL_PRESHARED_KEY: ${{ secrets.HL_PRESHARED_KEY }}
+      HL_TF_PRIVATE_KEY: ${{ secrets.HL_TF_PRIVATE_KEY }}
+      HL_TF_PRESHARED_KEY: ${{ secrets.HL_TF_PRESHARED_KEY }}
       HL_ENDPOINT: ${{ secrets.HL_ENDPOINT }}
       DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/terraform-destroy.yml

@@ -4,15 +4,15 @@ on:
   workflow_dispatch:
 
 jobs:
-  plan:
+  destroy:
     uses: "./.github/workflows/template-terraform.yml"
     with:
       command: "destroy"
     secrets:
       ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
       ANSIBLE_PK: ${{ secrets.ANSIBLE_PK }}
       BRISTOL_PROXMOX_TOKEN_SECRET: ${{ secrets.BRISTOL_PROXMOX_TOKEN_SECRET }}
-      HL_PRIVATE_KEY: ${{ secrets.HL_PRIVATE_KEY }}
-      HL_PRESHARED_KEY: ${{ secrets.HL_PRESHARED_KEY }}
+      HL_TF_PRIVATE_KEY: ${{ secrets.HL_TF_PRIVATE_KEY }}
+      HL_TF_PRESHARED_KEY: ${{ secrets.HL_TF_PRESHARED_KEY }}
       HL_ENDPOINT: ${{ secrets.HL_ENDPOINT }}
       DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/terraform-plan.yml

@@ -13,7 +13,7 @@ jobs:
       ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
       ANSIBLE_PK: ${{ secrets.ANSIBLE_PK }}
       BRISTOL_PROXMOX_TOKEN_SECRET: ${{ secrets.BRISTOL_PROXMOX_TOKEN_SECRET }}
-      HL_PRIVATE_KEY: ${{ secrets.HL_PRIVATE_KEY }}
-      HL_PRESHARED_KEY: ${{ secrets.HL_PRESHARED_KEY }}
+      HL_TF_PRIVATE_KEY: ${{ secrets.HL_TF_PRIVATE_KEY }}
+      HL_TF_PRESHARED_KEY: ${{ secrets.HL_TF_PRESHARED_KEY }}
       HL_ENDPOINT: ${{ secrets.HL_ENDPOINT }}
       DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

packer/settings.pkr.hcl

@@ -83,7 +83,7 @@ variable "cloud_init_storage_pool" {
 variable "boot_command" {
   type    = list(string)
   default = [
-    "<up><wait><tab><wait> text inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/rocky8.ks<enter><wait5>"
+    "<up><wait><tab><wait> text inst.ks=http://10.1.5.3:{{ .HTTPPort }}/rocky8.ks<enter><wait5>"
   ]
   description = "Command to send to the template as it starts up"
 }

terraform/Dockerfile

@@ -0,0 +1,3 @@
+FROM docker.io/clincha/terraform-provider-proxmox:1.0.16
+
+COPY . .

Makefile → terraform/Makefile

@@ -11,7 +11,7 @@ all: build plan
 
 build:
 	@echo "Building..."
-	@podman build . --file containers/Dockerfile --tag docker.io/clincha/terraform-init:${VERSION}
+	@podman build . --file Dockerfile --tag docker.io/clincha/terraform-init:${VERSION}
 
 debug: build
 	@echo "Debugging..."

terraform/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "telmate/proxmox"
-      version = "1.0.12"
+      version = "1.0.16"
     }
     azurerm = {
       source  = "hashicorp/azurerm"