mmckinnon/homelab-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: mmckinnon:48bdaf28ec5fa372cd147a229978e53167e3d49c
Branches Tags
mmckinnon:master
...
compare: mmckinnon:master
Branches Tags
mmckinnon:master

12 Commits
48bdaf28ec ... master

Author SHA1 Message Date
Matthew McKinnon
81698be718 chore: update README.md 2025-10-16 10:02:43 +10:00
Matthew McKinnon
31a11ac255 chore: remove ci/cd for build 2025-10-16 09:59:59 +10:00
Matthew McKinnon
ab3427fd82 chore: add shell script to generate vars files 2025-10-16 09:56:50 +10:00
Matthew McKinnon
0536e9252a chore: move omada to 201 2025-10-15 11:49:58 +10:00
Matthew McKinnon
e6ed17b127 chore: remove pihold. Add netbox 2025-10-12 16:27:45 +10:00
Matthew McKinnon
fb2526154b chore: update lxc to ignore mountpoint changes 2025-10-10 22:55:50 +10:00
Matthew McKinnon
b7a7daef3b chore: move omada storage to pve bind mount 2025-10-03 21:55:14 +10:00
Matthew McKinnon
c5559fbb38 chore: set storage location to local 2025-10-02 21:46:31 +10:00
Matthew McKinnon
30e36beb93 chore: add pihole lxc 2025-09-28 00:52:17 +10:00
Matthew McKinnon
e65da68f2d chore: remove tags from dev-docker.tf 2025-09-27 19:03:51 +10:00
Matthew McKinnon
6c1ac8d96c chore: fix infra-build.yml format 2025-09-27 19:01:15 +10:00
Matthew McKinnon
f35163b5cd chore: Add markdown files 2025-09-27 18:59:45 +10:00
10 changed files with 164 additions and 110 deletions
Expand all files Collapse all files

58
.github/workflows/infra-build.yml vendored
View File

@@ -1,58 +0,0 @@
name: Build Infra (Opentofu)
on:
push:
branches:
- master
jobs:
opentofu:
name: Opentofu Build
runs-on: self-hosted
container:
image: node:20-bullseye
env:
PG_CONN_STR: ${{ secrets.PG_CONN_STR }} # available to all steps
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Generate Dynamic Vars (Secrets)
run: |
cat <<EOF > terraform.auto.tfvars
ci_user = "${{ secrets.CI_USER }}"
ci_password = "${{ secrets.CI_PASSWORD }}"
proxmox_api_url = "${{ secrets.PVE_API_URL }}"
proxmox_api_token_id = "${{ secrets.PVE_API_TOKEN_ID }}"
proxmox_api_token_secret = "${{ secrets.PVE_API_TOKEN_SECRET }}"
ssh_key = "${{ secrets.SSH_PRIVATE_KEY }}"
passphrase = "${{ secrets.SSH_PASSPHRASE }}"
EOF
- name: Setup Opentofu
uses: opentofu/setup-opentofu@v1
- name: Format vars file
run: tofu fmt terraform.auto.tfvars
- name: Opentofu Init
run: tofu init
- name: Opentofu Format Check
run: tofu fmt -check -recursive
- name: Opentofu Validate
run: tofu validate
- name: Opentofu Plan
id: plan
run: |
tofu plan -out=tfplan -detailed-exitcode
- name: Opentofu Apply
if: success()
run: tofu apply -auto-approve tfplan

3
.gitignore vendored
View File

@@ -5,6 +5,9 @@
*.tfstate *.tfstate
*.tfstate.* *.tfstate.*
# var files
*.tfvars
# Crash log files # Crash log files
crash.log crash.log
crash.*.log crash.*.log

27
omada.tf → 201-omada.tf
View File

@@ -1,17 +1,16 @@
resource "proxmox_lxc" "omada" { resource "proxmox_lxc" "omada" {
depends_on = [
proxmox_vm_qemu.dev-docker
]
target_node = "pve" target_node = "pve"
vmid = "200" vmid = "201"
hostname = "omada" hostname = "omada"
ostemplate = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst" ostemplate = "local:vztmpl/debian-13-standard_13.1-1_amd64.tar.zst"
password = var.ci_password password = var.ci_password
unprivileged = false unprivileged = false
ostype = "debian" ostype = "debian"
onboot = true onboot = true
start = true start = true
startup = "order=1000" startup = "order=1000"
tags = "docker;container;appliance"
ssh_public_keys = <<EOF ssh_public_keys = <<EOF
@@ -32,11 +31,29 @@ resource "proxmox_lxc" "omada" {
mount = "nfs;cifs" mount = "nfs;cifs"
} }
// Bind Mount Point
mountpoint {
key = "1"
slot = 1
//storage = "/mnt/lxc/omada"
volume = "/mnt/lxc/omada"
size = "1G"
mp = "/data"
}
network { network {
name = "eth0" name = "eth0"
bridge = "vmbr0" bridge = "vmbr0"
ip = "10.10.40.2/24" ip = "10.10.40.2/24"
gw = "10.10.40.1" gw = "10.10.40.1"
tag = 40 tag = 40
ip6 = "auto"
}
lifecycle {
ignore_changes = [
mountpoint,
]
} }
} }

4
docker.tf → 400-dev-docker.tf
View File

@@ -4,14 +4,14 @@ resource "proxmox_vm_qemu" "dev-docker" {
target_node = "pve" target_node = "pve"
vmid = "400" vmid = "400"
name = "dev-docker" name = "dev-docker"
tags = null tags = "linux;vm;docker"
# VM Advanced General Settings # VM Advanced General Settings
onboot = true onboot = true
scsihw = "virtio-scsi-single" scsihw = "virtio-scsi-single"
# VM OS Settings # VM OS Settings
clone = "debian-12-generic-amd64" clone = "debian-13-generic-amd64"
clone_wait = 120 clone_wait = 120
timeouts { timeouts {
create = "1h" create = "1h"

34
CHANGELOG.md Normal file
View File

@@ -0,0 +1,34 @@
# Changelog
All notable changes to this project will be documented in this file.
The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/).
---
## [Unreleased]
### Added
- Initial setup of OpenTofu project structure
- Providers for Proxmox, Omada, GitHub
- PostgreSQL backend support
- GitHub Actions CI/CD workflow with `init`, `fmt`, `validate`, `plan`, and `apply`
- Secure secrets handling via `terraform.auto.tfvars`
### Changed
- N/A
### Removed
- N/A
---
## [0.1.0] - 2025-09-27
### Added
- First working pipeline applying infrastructure automatically on `main`
- Docker VM definition (`docker.tf`)
- GitHub repo/org configuration (`github.tf`)
- Omada networking definitions (`omada.tf`)
- Provider and backend config (`provider.tf`)

21
LICENSE.md Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Matthew McKinnon
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

50
README.md Normal file
View File

@@ -0,0 +1,50 @@
![Header Image](https://miro.medium.com/v2/resize:fit:4000/1*16DgdobhWUUXKzF4fwjOdw.png)
[![deploy-containers](https://github.com/comprofix/opentofu-homelab/actions/workflows/infra-build.yml/badge.svg)](https://github.com/comprofix/opentofu-homelab/actions)
## 📖 Overview
Infrastructure as Code (IaC) for the Comprofix homelab using [OpenTofu](https://opentofu.org/).
This repository provisions and manages resources such as the Proxmox VMs and LXC containers used in the Comprofix Homelab
---
## 🚀 Features
- Declarative infrastructure management with OpenTofu
- Remote state stored in PostgreSQL backend
- Secure injection of secrets into `terraform.auto.tfvars`
- Supports Proxmox VM provisioning and Omada configuration
---
## 🔄 Workflow
1. Checkout repo
2. Generate `terraform.auto.tfvars`
3. Run `tofu init`, `tofu fmt`, `tofu validate`
4. Execute `tofu plan`
5. If successful, run `tofu apply`
---
## 📖 Usage
Local testing:
```bash
# Initialize
tofu init
# Format configs
tofu fmt -recursive
# Validate configs
tofu validate
# Plan changes
PG_CONN_STR="postgres://..." tofu plan
# Apply changes
PG_CONN_STR="postgres://..." tofu apply

44
github.tf
View File

@@ -1,44 +0,0 @@
resource "proxmox_lxc" "ghshr" {
depends_on = [
proxmox_vm_qemu.dev-docker
]
target_node = "pve"
vmid = "201"
hostname = "ghshr"
ostemplate = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
password = var.ci_password
unprivileged = false
ostype = "debian"
onboot = true
start = true
startup = "order=1000"
ssh_public_keys = <<EOF
${var.ssh_key}
EOF
memory = "4096"
swap = "512"
rootfs {
storage = "local"
size = "8G"
}
features {
fuse = true
nesting = true
mount = "nfs;cifs"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "10.10.10.8/24"
gw = "10.10.10.1"
tag = 10
}
}

29
prepareEnvs.sh Normal file
View File

@@ -0,0 +1,29 @@
#!/bin/bash
bw config server https://vault.comprofix.com
bw login
export BW_SESSION=$(bw unlock --raw)
bw sync
echo "Please wait while we prepare terraform.auto.tfvars"
proxmox_api_url=$(bw get --session $BW_SESSION uri proxmox_api)
proxmox_api_token_id=$(bw get --session $BW_SESSION username f295a859-154a-482d-8129-c6ec6e06131e)
proxmox_api_token_secret=$(bw get --session $BW_SESSION password f295a859-154a-482d-8129-c6ec6e06131e)
ci_user=$(bw get --session $BW_SESSION username ci_details)
ci_password=$(bw get --session $BW_SESSION password ci_details)
ssh_key=$(bw get --session $BW_SESSION notes ssh_public_key_main)
passphrase=$(bw get --session $BW_SESSION password state_passphrase)
echo 'proxmox_api_url = "'$proxmox_api_url'"' > terraform.auto.tfvars
echo 'proxmox_api_token_id = "'$proxmox_api_token_id'"' >> terraform.auto.tfvars
echo 'proxmox_api_token_secret = "'$proxmox_api_token_secret'"' >> terraform.auto.tfvars
echo 'ci_user = "'$ci_user'"' >> terraform.auto.tfvars
echo 'ci_password = "'$ci_password'"' >> terraform.auto.tfvars
echo 'ssh_key = "'$ssh_key'"' >> terraform.auto.tfvars
echo 'passphrase = "'$passphrase'"' >> terraform.auto.tfvars

4
provider.tf
View File

@@ -11,7 +11,9 @@ terraform {
} }
} }
backend "pg" {} backend "pg" {
schema_name = "homelab-infra"
}
encryption { encryption {
key_provider "pbkdf2" "mykey" { key_provider "pbkdf2" "mykey" {
passphrase = var.passphrase passphrase = var.passphrase