variable "instances" {
  type = map(any)

  description = <<-EOS
  Definition of specific instantiations of this template. There will be a
  directory below "output" created with the "hostname" value. Each package
  group names specific to "machine", "system" and "roles" will be merged
  and the resulting list will be written to the cloud-config "packages" list.
  If any of the network's ipv?s lists is empty, the corresponding dhcp? will
  be set to true in the generated 'network-data' file. The config map will
  be merged on top into the cloud-config file in such a way that you're able
  to specify any keys that cloud-init accepts. Any key in this map will in
  effect overwrite keys with the same name written by this template.
  EOS

  # One sample host so the template renders out of the box. The map key is the
  # hostname; machine/system/roles select the package and command groups of
  # var.config. Empty ipv4s/ipv6s lists mean DHCP (see description).
  # NOTE(review): "netbook" has no counterpart under var.config.packages.machine;
  # presumably unmatched group names simply contribute nothing - confirm in the
  # template before relying on it.
  default = {
    "demo" = {
      config  = {}
      machine = ["amd64pc", "netbook"]
      system  = ["ubuntu", "focal"]
      roles   = ["generic", "client", "guardedwire"]
      netzone = "demo"
      networks = {
        ethernets = {
          eth0 = {
            ipv4s = []
            ipv6s = []
          }
        }
      }
    },
  }
}
#
# Networking parameters
#
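variable "ethernets" {
  # Fix: HCL heredocs do not process backslash escapes, so the previous
  # '\"2001:4::1\"' rendered with literal backslashes in the description;
  # also "it's" -> "its".
  description = <<-EOS
  The addresses of the next hop router(s) must be specified 'gateway4: 172.16.0.1'
  and / or 'gateway6: 2001:4::1'. Please also specify at least one Nameserver.
  The template currently uses the first search domain for its fqdn generation logic.
  EOS

  # Keyed by the "netzone" name referenced from var.instances. Values are
  # netplan/cloud-init ethernet settings (gateways, nameservers, search domains).
  default = {
    "demo" = {
      gateway4 = "192.168.1.1"
      nameservers = {
        addresses = [
          "192.168.1.1",
        ]
        search = ["home.network"]
      }
    },
  }
  type = map(any)
}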
variable "wifis" {
  type = map(any)

  description = <<-EOS
  The top level map's keys represent the Wifi's SSID value.
  EOS

  # SECURITY: anything placed under an SSID (e.g. a WPA passphrase) ends up in
  # plaintext in the rendered network-data and, with var.write = true, on disk
  # under var.output. Treat that output directory accordingly.
  default = {
    demo = {}
  }
}
variable "matcher" {
  type = map(any)

  description = <<-EOS
  Specify machine types which should be matched to your Networking Interface Cards.
  This could be everything cloud-init/netplan would accept as a matching expression
  like 'driver', 'macaddress' or 'name'. Please extend according to your hardware.
  EOS

  # Keyed by the "machine" names used in var.instances; each value is passed
  # through as a netplan 'match' expression.
  # NOTE(review): the raspi4b entry relies on netplan accepting a space-separated
  # driver list - confirm against the netplan version on the target image.
  default = {
    kvm = {
      driver = "virtio"
    }
    raspi4b = {
      driver = "bcmgenet smsc95xx lan78xx"
    }
  }
}
#
# Software installation and configuration
#
variable "structs" {
  type        = list(string)
  description = "Define the cloud-init-specific types of data-structures under 'config' to search during user-data generation."

  # First-level keys of var.config that the template walks.
  default = ["packages", "bootcmd", "runcmd"]
}
variable "types" {
  type        = list(string)
  description = "Define the instance-specific types of data-structures under 'config' to search during user-data generation."

  # Second-level keys of var.config; each must also be an attribute of every
  # entry in var.instances so the groups can be looked up per host.
  default = ["machine", "system", "roles"]
}
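variable "config" {
  description = <<-EOS
  bootcmd: Please state shell commands that shall be executed per boot for 'machine' type, operating 'system', instance 'role'.
  runcmd: Please state shell commands that shall be executed on first boot for 'machine' type, operating 'system', instance 'role'.
  packages: Please state packages that shall be installed per 'machine' type, operating 'system', instance 'role'.
  EOS
  type = map(map(map(list(string))))

  # Layout: struct (var.structs) -> instance type (var.types) -> group name ->
  # list of commands or packages. Which groups apply to a host comes from the
  # matching lists in var.instances. cloud-init runs bootcmd and runcmd as
  # root, so every string below is a privileged shell command on the target.
  default = {
    bootcmd = {
      roles = {
        generic = [
          "neofetch --stdout",
        ],
      },
    },
    runcmd = {
      roles = {
        generic = [
          # NOTE(review): upgrades the system-wide pip in place as root, on top
          # of the distro-packaged one from the 'packages' section below.
          "python -m pip install -U pip setuptools wheel",
        ],
        guardedwire = [
          # Fix: the previous 'mkdir' + 'wg genkey > file' ran under root's
          # default umask (typically 022) and left the WireGuard private key
          # world-readable. Create the directory 0700 and write the key with
          # umask 077 so only root can read it.
          "mkdir -m 0700 /root/wg",
          "(umask 077 && wg genkey > /root/wg/privatekey)",
          "wg pubkey > /root/wg/publickey < /root/wg/privatekey",
          # Only the local LAN may reach the WireGuard port. ufw itself is only
          # listed under the 'server' packages; this rule relies on ufw being
          # present on the image (it is on stock Ubuntu) - TODO confirm. Whether
          # it lands before or after 'ufw enable' from the 'server' role depends
          # on the template's merge order, which is not visible here.
          "ufw allow from 192.168.1.0/24 to any port 51820 proto udp comment 'wireguard'",
        ],
        server = [
          "ufw enable",
          "ufw allow out domain",
          "ufw allow in domain",
          "ufw allow in ssh",
          # Rate-limit rather than plain allow: throttles SSH brute forcing.
          "ufw limit ssh comment 'Limit SSH connections'",
        ],
      },
    },
    packages = {
      machine = {
        metal = [
          "cpufreqd",
          "cpufrequtils",
        ],
        amd64pc = [
          "linux-lowlatency",
          "linux-tools-lowlatency",
        ],
        raspi4b = [
          "rpi-eeprom",
        ],
      },
      system = {
        ubuntu = [
          "language-pack-de",
        ],
        bionic = [
          "python",
          "python3-pip",
        ],
        focal = [
          "python-is-python3",
          "python3-pip",
        ],
        groovy = [
          "python-is-python3",
          "python3-pip",
        ],
      },
      roles = {
        generic = [
          "byobu",
          "ncdu",
          "neofetch",
          "neovim",
          "unattended-upgrades",
        ],
        client = [
          "nmap",
        ],
        server = [
          "net-tools",
          "ufw",
        ],
        guardedwire = [
          "wireguard",
        ],
      },
    },
  }
}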
#
# Access definitions
#
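variable "users" {
  # Fix: the variable had no description.
  description = <<-EOS
  Entries for cloud-init's 'users' list. The string "default" keeps the image's
  distro default user (the one var.chpasswd's sample entry refers to). cloud-init
  also accepts user maps in this list, hence the 'any' element type.
  EOS
  type    = list(any)
  default = ["default"]
}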
variable "byobu_by_default" {
  type        = string
  description = "If to activate Byobu.io and on what level."

  # Passed through to cloud-init's byobu module.
  default = "user"
}
variable "chpasswd" {
  type = object({
    expire = bool
    list   = list(string)
  })

  description = <<-EOS
  Sets the password for users. Be careful on what you configure here!
  If you set a definitive user:password (like ubuntu:ubuntu) pair it is recommended
  to expire the password on the first login, then change it right away to your secret.
  On the other hand if you know in advance that you're going to use an SSH key pair
  you might use a RANDOM value here. Please note that this effectively locks you out
  of console access so you should have some fallback plan like to boot into a shell.
  EOS

  # SECURITY: the sample default is a well-known credential. 'expire = true'
  # forces a change at first login but does not prevent a login with it before
  # you get there, so override this (or use RANDOM + SSH keys) for any host
  # reachable from an untrusted network. With var.ssh's default ssh_pwauth =
  # true this credential is also usable over SSH.
  default = {
    expire = true
    list = [
      "ubuntu:ubuntu",
    ]
  }
}
variable "ssh" {
  type = object({
    ssh_pwauth    = bool
    ssh_import_id = list(string)
  })

  description = <<-EOS
  Setting for cloud-init's SSH module. You can e.g. import from launchpad or github.
  If you use an SSH key pair you probably want to disable password based ssh login.
  EOS

  # SECURITY: password SSH login is enabled by default and no keys are
  # imported, so the host initially accepts the var.chpasswd password over the
  # network. Set ssh_pwauth = false once keys are in place. Imported IDs
  # (lp:/gh:) are fetched over the network at first boot; everything published
  # under that account becomes an authorized key.
  default = {
    ssh_pwauth    = true
    ssh_import_id = []
  }
}
#
# Package manager config
#
variable "apt" {
  description = "Module 'apt' for Debian-style package manager's configuration. Proxy is optional."

  # Intentionally left without a type constraint: the apt module's schema mixes
  # nested maps, lists and scalars, which a single map(...) constraint would
  # reject (presumably the reason - confirm before adding one).
  default = {}
}
variable "snap" {
  type        = map(any)
  description = "Please state assertions and commands that shall be forwarded to snapd."

  # Empty by default: no snaps are asserted or installed unless requested.
  default = {}
}
variable "package" {
  type = object({
    package_update             = bool
    package_upgrade            = bool
    package_reboot_if_required = bool
  })

  description = "System package manager options for first boot."

  # Refresh indexes, upgrade everything and reboot if a package asks for it;
  # all three map 1:1 onto the cloud-init keys of the same name.
  default = {
    package_update             = true
    package_upgrade            = true
    package_reboot_if_required = true
  }
}
#
# Trust store handling
#
variable "ca_certs" {
  type = object({
    remove-defaults = bool
    trusted         = list(string)
  })

  description = "Inserted from ca-certs examples https://cloudinit.readthedocs.io/en/latest/topics/examples.html?highlight=cert#configure-an-instances-trusted-ca-certificates"

  # SECURITY: every PEM string in 'trusted' becomes a system-wide trust anchor
  # on the host; 'remove-defaults = true' would additionally drop the distro
  # CA bundle. Keep the defaults unless you operate your own CA.
  default = {
    remove-defaults = false
    trusted         = []
  }
}
#
# Localization
#
variable "locale" {
  type        = string
  description = "Cloud-init compatible string to set the locale."

  # Passed through to cloud-init's 'locale' key.
  default = "de_DE.UTF-8"
}
variable "timezone" {
  type        = string
  description = "Cloud-init compatible string to set the timezone."

  # Passed through to cloud-init's 'timezone' key (tz database name).
  default = "Europe/Berlin"
}
variable "ntp" {
  type = object({
    enabled = bool
    servers = list(string)
  })

  description = "Specify if and where to fetch the current time from."

  # Plain NTP is unauthenticated; the public pool is fine for clock sync but
  # point this at your own servers if time is security-relevant (TLS, Kerberos).
  default = {
    enabled = true
    servers = [
      "de.pool.ntp.org",
    ]
  }
}
#
# Finalization
#
variable "power_state" {
  type = object({
    delay     = string
    mode      = string
    message   = string
    timeout   = string
    condition = string
  })

  description = "How the machines should act when cloud-init finishes."

  # Reboot immediately once cloud-init is done; 'condition = "exit 0"' makes
  # that unconditional.
  # NOTE(review): cloud-init documents 'timeout' as an integer number of
  # seconds; it is carried here as the string "600". How the template serializes
  # it is not visible in this file - confirm the rendered YAML validates.
  default = {
    delay     = "now"
    mode      = "reboot"
    message   = "Finishing..."
    timeout   = "600"
    condition = "exit 0"
  }
}
#
# Where does it go?
#
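variable "write" {
  # Fix: "Wether" -> "Whether" in the description.
  description = "Whether to write everything back to disk. Outputs will always be provided!"
  type        = bool

  # Off by default: rendered cloud-config / network-data are only exposed as
  # Terraform outputs and nothing is written below var.output.
  default = false
}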
variable "output" {
  type        = string
  description = "Root directory where the generated files will be written to."

  # Relative to the working directory. The files written here carry whatever
  # secrets were configured (passwords from var.chpasswd, Wifi settings, ...),
  # so keep this directory out of version control and restrict its permissions.
  default = "../.output/instances"
}