(ns re-cipes.infra.lxd
"Setting up lxd locally and adding it to the local lxc client"
(:require
re-cipes.hardening
[re-cog.resources.ufw :refer (add-interface enable-forwarding)]
[re-cog.facts.config :refer (configuration)]
[re-cog.resources.file :refer (template)]
[re-cog.common.recipe :refer (require-recipe)]
[re-cog.resources.exec :refer [run]]))
;; Brings the recipe DSL into this namespace (def-inline, script, package,
;; <<, cat-bin, openssl-bin are not required above, so presumably this macro
;; is what defines or refers them -- confirm in re-cog.common.recipe).
(require-recipe)
(def-inline server
  "Install the lxd and zfsutils-linux packages, render the lxd preseed
   template into /tmp/preseed.yaml and initialise lxd from it
   (lxd init --preseed)."
  []
  ;; `lxd` is the data map handed to the mustache template; which keys the
  ;; template reads is not visible here (the `remote` recipe below pulls
  ;; :password and :bind from the same map, so the preseed likely carries the
  ;; trust password -- verify against preseed.mustache).
  (let [{:keys [lxd]} (configuration)]
    (letfn [(init []
              ;; Presumably renders as: cat /tmp/preseed.yaml | lxd init --preseed
              (script
                (pipe
                  (~cat-bin "/tmp/preseed.yaml")
                  ("/usr/bin/lxd" "init" "--preseed"))))]
      (package "lxd" :present)
      (package "zfsutils-linux" :present)
      ;; NOTE(review): both the template source and the rendered preseed live
      ;; in world-writable /tmp. If the preseed holds the trust password, any
      ;; local user can read it (mode depends on what `template` sets), and a
      ;; local user could replace either file between rendering and `init`.
      ;; A root-owned directory with a restrictive mode would be safer --
      ;; confirm whether `template` supports owner/mode, or render elsewhere.
      (template "/tmp/resources/templates/lxd/preseed.mustache" "/tmp/preseed.yaml" lxd)
      (run init))))
;; Ordered after re-cipes.hardening/firewall so the ufw rules below are added
;; on top of the hardened ruleset rather than being overwritten by it.
(def-inline {:depends #'re-cipes.hardening/firewall} bridging
  "Allow traffic on the lxd bridge (lxdbr0) in both directions through ufw
   and turn on IP forwarding so containers can reach beyond the host."
  []
  ;; NOTE(review): `:in :allow` on the whole interface presumably permits any
  ;; container on lxdbr0 to reach every service the host listens on; if the
  ;; containers are not trusted, scope this to the ports they need (DHCP/DNS
  ;; from the bridge, for instance) -- confirm what add-interface emits.
  (add-interface "lxdbr0" :in :allow)
  (add-interface "lxdbr0" :out :allow)
  (enable-forwarding))
;; Depends on `server` so lxd is installed and preseeded before the local
;; daemon is registered as a remote.
(def-inline {:depends #'re-cipes.infra.lxd/server} remote
  "Register the local lxd daemon as an lxc remote for `user` and export that
   user's client key/cert (plus the server cert) as a PKCS#12 bundle."
  []
  ;; `<<` interpolates ~{...} placeholders. All paths are under the snap lxc
  ;; client config dir of `user`, so when this runs as root the lxc/openssl
  ;; invocations are wrapped in `sudo -u user` to touch that user's config.
  (let [{:keys [lxd home user]} (configuration)
        root (<< "~{home}/snap/lxd/current/.config/lxc")
        ;; Server cert as stored by the client; the 127.0.0.1 name suggests
        ;; `bind` is expected to be the loopback address -- confirm in config.
        certfile (<< "~{root}/servercerts/127.0.0.1.crt")
        out (<< "~{root}/certificate.p12")
        key (<< "~{root}/client.key")
        crt (<< "~{root}/client.crt")
        {:keys [password bind]} lxd
        ;; openssl -passout source; the same lxd password protects the bundle.
        pass (<< "pass:~{password}")]
    (letfn [(remove-remote []
              ;; Drop a stale remote of the same name before re-adding it.
              ;; The pipe into "true" presumably makes this best-effort so a
              ;; missing remote does not fail the recipe -- confirm how `pipe`
              ;; renders.
              (script
                (set! ID @("id" "-u"))
                (if (= "0" $ID)
                  (pipe ("sudo" "-u" ~user "/usr/bin/lxc" "remote" "remove" ~bind) "true")
                  (pipe ("/usr/bin/lxc" "remote" "remove" ~bind) "true"))))
            (add-remote []
              ;; NOTE(review): the trust password is passed as a command-line
              ;; argument, so it is visible to every local user via ps /
              ;; /proc/*/cmdline while lxc runs (and in any command logging
              ;; the runner does). `--accept-certificate` also pins whatever
              ;; cert the daemon presents on first contact without checking
              ;; it; acceptable for a loopback daemon, risky if `bind` is not
              ;; local. Prefer supplying the password through a non-argv
              ;; channel if the DSL and lxc allow it -- confirm.
              (script
                (set! ID @("id" "-u"))
                (if (= "0" $ID)
                  ("sudo" "-u" ~user "/usr/bin/lxc" "remote" "add" ~bind "--password" ~password "--accept-certificate")
                  ("/usr/bin/lxc" "remote" "add" ~bind "--password" ~password "--accept-certificate"))))
            (export []
              ;; Bundle client key + cert and the server cert into
              ;; certificate.p12, encrypted with `pass`.
              ;; NOTE(review): `-passout pass:...` exposes the password on the
              ;; command line exactly like add-remote above; openssl accepts
              ;; `env:VAR` / `file:PATH` sources, which avoid argv. The .p12
              ;; contains the client private key, so its resulting mode should
              ;; be checked (owner-only) -- not visible here.
              (script
                (set! ID @("id" "-u"))
                (if (= "0" $ID)
                  ("sudo" "-u" ~user ~openssl-bin "pkcs12" "-export" "-out" ~out "-inkey" ~key "-in" ~crt "-certfile" ~certfile "-passout" ~pass)
                  (~openssl-bin "pkcs12" "-export" "-out" ~out "-inkey" ~key "-in" ~crt "-certfile" ~certfile "-passout" ~pass))))]
      (run remove-remote)
      (run add-remote)
      (run export))))