From 5272d8efc1741bbc979924aa19be5419937505be Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 18 Dec 2025 09:23:17 +0100
Subject: [PATCH] Ajout opentofu
---
 README.md | 3 +-
 opentofu/credential.auto.tfvars | 3 +
 opentofu/crtoken.sh | 48 ++++++++++++++
 opentofu/inst-toku.sh | 20 ++++++
 opentofu/main.tf | 114 ++++++++++++++++++++++++++++++++
 opentofu/provider.tf | 23 +++++++
 opentofu/terraform.tfvars | 8 +++
 opentofu/token.txt | 10 +++
 opentofu/variables.tf | 99 +++++++++++++++++++++++++++
 9 files changed, 327 insertions(+), 1 deletion(-)
 create mode 100644 opentofu/credential.auto.tfvars
 create mode 100644 opentofu/crtoken.sh
 create mode 100644 opentofu/inst-toku.sh
 create mode 100644 opentofu/main.tf
 create mode 100644 opentofu/provider.tf
 create mode 100644 opentofu/terraform.tfvars
 create mode 100644 opentofu/token.txt
 create mode 100644 opentofu/variables.tf
diff --git a/README.md b/README.md
index 2268c46..52d5920 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # vagrant
-le 2025-11-25 13h30 - ps
+le 2025-12-18 9h30 - ps
 Ce dépôt héberge des **Vagrantfile** dont :
 * **dns** : Vagrantfile pour 2 serveurs **Bind9** (1 maitre et un esclave), tests **goss** chainés
@@ -25,6 +25,7 @@ Ce dépôt héberge des **Vagrantfile** dont :
 * **lldap2** : Vagrantfile pour serveur LDAP en mode service **lldap** - integration pour Proxmox
 * **minione** : Vagrantfile pour Opennebula All In One
 * **netbox** : Vagrantfile pour Netbox dockerisée
+ * **opentofu** : sccript d'installation de **OpenTofu** et d'utilisation avec **bpg/proxmox**
 * **rundeck** : Vagrantfile + playbook pour installation avec Mariadb
 * **samba-ad-dc** : Vagrantfile + playbook pour **Samba 4.17 ad-dc** sur **Debian 12 Bookworm**
 * **wazuh** : Vagrantfile + playbook pour serveur **wazuh** 4.10 et client Debian
diff --git a/opentofu/credential.auto.tfvars b/opentofu/credential.auto.tfvars
new file mode 100644
index 0000000..c8e5f3b
--- /dev/null
+++ b/opentofu/credential.auto.tfvars
@@ -0,0 +1,3 @@
+proxmox_endpoint = "https://px2.sio.lan:8006/"
+proxmox_api_token = "tofuer@pve!tofu=123456c0-xxxx-yyyy-zzzz-abcdef37eb7a"
+
diff --git a/opentofu/crtoken.sh b/opentofu/crtoken.sh
new file mode 100644
index 0000000..bc649b8
--- /dev/null
+++ b/opentofu/crtoken.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+#
+tfR=TofuUser
+tfU=tofuer
+tk=tofu
+
+pveum role add "${tfR}" -privs "\
+ Datastore.Allocate \
+ Datastore.AllocateSpace \
+ Datastore.Audit \
+ Pool.Allocate \
+ Pool.Audit \
+ Sys.Audit \
+ Sys.Console \
+ Sys.Modify \
+ Sys.Syslog \
+ VM.Allocate \
+ VM.Audit \
+ VM.Clone \
+ VM.Config.CDROM \
+ VM.Config.Cloudinit \
+ VM.Config.CPU \
+ VM.Config.Disk \
+ VM.Config.HWType \
+ VM.Config.Memory \
+ VM.Config.Network \
+ VM.Config.Options \
+ VM.Console \
+ VM.Migrate \
+ VM.GuestAgent.Audit \
+ VM.GuestAgent.FileRead \
+ VM.GuestAgent.FileWrite \
+ VM.GuestAgent.FileSystemMgmt \
+ VM.GuestAgent.Unrestricted \
+ VM.PowerMgmt \
+ Mapping.Audit \
+ Mapping.Use \
+ SDN.Audit \
+ SDN.Use"
+
+
+pveum user add "${tfU}@pve" --password 'Azerty1+-'
+
+pveum aclmod / -user "${tfU}@pve" -role "${tfR}"
+
+pveum user token add "${tfU}@pve" "$tk" -expire 0 -privsep 0 -comment "Tofu token"|tee "tk-${tk}.txt"
+
diff --git a/opentofu/inst-toku.sh b/opentofu/inst-toku.sh
new file mode 100644
index 0000000..adadd3e
--- /dev/null
+++ b/opentofu/inst-toku.sh
@@ -0,0 +1,20 @@
+#!§bin/bash
+#echo "Installation d'OpenTofu
+#
+## Download the installer script:
+curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
+## Alternatively: wget --secure-protocol=TLSv1_2 --https-only https://get.opentofu.org/install-opentofu.sh -O install-opentofu.sh
+#
+# # Give it execution permissions:
+ chmod +x install-opentofu.sh
+#
+# Please inspect the downloaded script
+#
+# Run the installer:
+./install-opentofu.sh --install-method deb
+#
+# Remove the installer:
+rm -f install-opentofu.sh
+
+tofu version
+#
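Review bot: `credential.auto.tfvars` commits the Proxmox endpoint together with a complete API token (`proxmox_api_token = "tofuer@pve!tofu=…"`), and `token.txt` in the same patch commits the `value` row printed by `pveum user token add`; `sensitive = true` on the variable does not protect a value that already sits in git history. Even if these particular strings are redacted samples, a `*.auto.tfvars` file is loaded automatically by every `tofu` run, so the pattern invites a real token to be pasted and committed. Keep the secret out of the tree: pass it through `TF_VAR_proxmox_api_token` from the environment or a secret store, add `*.auto.tfvars`, `token.txt` and `tk-*.txt` to `.gitignore`, and if the committed values were ever live, revoke them on the Proxmox side (`pveum user token remove`), since deleting the file does not purge history.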
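Review bot: the token created on the last command is issued with `-privsep 0 -expire 0`, so it carries every permission of `tofuer@pve` indefinitely, and the same script hard-codes that user's password (`--password 'Azerty1+-'`) in a committed file. The script also runs without `set -e`, so a failed `pveum role add` still lets the user and token be created. I would read the password from the environment (`--password "${TOFU_PASSWORD:?TOFU_PASSWORD not set}"`), keep privilege separation on and bind the role to the token itself (`pveum aclmod / --tokens "${tfU}@pve!${tk}" -role "${tfR}"`), and give `-expire` a finite epoch; the `tee "tk-${tk}.txt"` output should then be written under a restrictive umask and never added to git.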
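Review bot: the shebang on the first line is `#!§bin/bash`, which is not a valid interpreter path, so executing the file directly fails with "bad interpreter" and only `bash inst-toku.sh` works. Because the script executes a freshly downloaded installer, it should also stop on the first error so that a failed `curl -f` does not fall through to `chmod`, `./install-opentofu.sh` and `rm -f`; the comment `# Please inspect the downloaded script` is a manual step that nothing enforces. I would make the header `#!/bin/bash` followed by `set -euo pipefail`, and add a comment before the `./install-opentofu.sh` line pointing at the OpenTofu install documentation's verification steps for the installer script.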
diff --git a/opentofu/main.tf b/opentofu/main.tf
new file mode 100644
index 0000000..917c724
--- /dev/null
+++ b/opentofu/main.tf
@@ -0,0 +1,114 @@
+# Retrieve VM templates available in Proxmox that match the specified name
+data "proxmox_virtual_environment_vms" "template" {
+ filter {
+ name = "name"
+ values = ["${var.vm_template}"] # The name of the template to clone from
+ }
+}
+
+# Create a cloud-init configuration file as a Proxmox snippet
+resource "proxmox_virtual_environment_file" "cloud_config" {
+ content_type = "snippets" # Cloud-init files are stored as snippets in Proxmox
+ datastore_id = "local" # Local datastore used to store the snippet
+ node_name = var.node_name # The Proxmox node where the file will be uploaded
+
+ source_raw {
+ file_name = "vm.cloud-config.yaml" # The name of the snippet file
+ data = <<-EOF
+ #cloud-config
+ hostname: ${var.vm_name}
+ package_update: true
+ package_upgrade: true
+ packages:
+ - qemu-guest-agent # Ensures the guest agent is installed
+ users:
+ - default
+ - name: ${var.vm_user}
+ groups: sudo
+ shell: /bin/bash
+ ssh-authorized-keys:
+ - "${var.vm_user_sshkey}" # Inject user's SSH key
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ runcmd:
+ - systemctl enable qemu-guest-agent
+ - systemctl start qemu-guest-agent
+ - echo "done" > /tmp/cloud-config.done
+ #- reboot # Reboot the VM after provisioning
+ EOF
+ }
+}
+
+# Define and provision a new VM by cloning the template and applying initialization
+resource "proxmox_virtual_environment_vm" "vm" {
+ name = var.vm_name # VM name
+ node_name = var.node_name # Proxmox node to deploy the VM
+ tags = var.vm_tags # Optional VM tags for categorization
+ vm_id = var.vm_id
+
+ agent {
+ enabled = true # Enable the QEMU guest agent
+ }
+
+ stop_on_destroy = true # Ensure VM is stopped gracefully when destroyed
+
+ clone {
+ vm_id = data.proxmox_virtual_environment_vms.template.vms[0].vm_id # ID of the source template
+ node_name = data.proxmox_virtual_environment_vms.template.vms[0].node_name # Node of the source template
+ }
+
+ bios = var.vm_bios # BIOS type (e.g., seabios or ovmf)
+ machine = var.vm_machine 
# Machine type (e.g., q35)
+
+ cpu {
+ cores = var.vm_cpu # Number of CPU cores
+ type = "host" # Use host CPU type for best compatibility/performance
+ }
+
+ memory {
+ dedicated = var.vm_ram # RAM in MB
+ }
+
+ disk {
+ datastore_id = var.node_datastore # Datastore to hold the disk
+ interface = "scsi0" # Primary disk interface
+ size = 4 # Disk size in GB
+ }
+
+ initialization {
+ user_data_file_id = proxmox_virtual_environment_file.cloud_config.id # Link the cloud-init file
+ datastore_id = var.node_datastore
+ interface = "scsi1" # Separate interface for cloud-init
+ ip_config {
+ ipv4 {
+ address = var.vm_address # CIDR
+ gateway = var.vm_gateway # Get IP via DHCP
+ }
+ }
+ }
+
+ network_device {
+ bridge = "vmbr0" # Use the default bridge
+ #vlan_id = var.vm_vlan # VLAN tagging if used
+ }
+
+ operating_system {
+ type = "l26" # Linux 2.6+ kernel
+ }
+
+ vga {
+ type = "std" # Standard VGA type
+ }
+
+ lifecycle {
+ ignore_changes = [ # Ignore initialization section after first depoloyment for idempotency
+ initialization
+ ]
+ }
+}
+
+# Output the assigned IP address of the VM after provisioning
+#output "vm_ip" {
+# value = proxmox_virtual_environment_vm.vm.ipv4_addresses[1][0] # Second network interface's first IP
+# description = "VM IP"
+#}
+
diff --git a/opentofu/provider.tf b/opentofu/provider.tf
new file mode 100644
index 0000000..ce5b55b
--- /dev/null
+++ b/opentofu/provider.tf
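Review bot: the comment on `gateway = var.vm_gateway` inside `ip_config.ipv4` reads `# Get IP via DHCP`, but the block assigns a static address from `var.vm_address` and a static gateway, so the comment contradicts the configuration; I would change it to `# Static default gateway` and the `address` comment to `# Static IPv4 address in CIDR form`. The cloud-init user data also grants `sudo: ALL=(ALL) NOPASSWD:ALL` to the user whose key comes from `var.vm_user_sshkey`; that is a common lab choice, but it deserves a one-line comment stating it is deliberate, because whoever holds that key gets unchallenged root on every VM built from this module. A smaller point of style: `values = ["${var.vm_template}"]` is an interpolation-only expression that `tofu fmt`/validate may flag as legacy; `values = [var.vm_template]` is equivalent.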
@@ -0,0 +1,23 @@
+# Define the required Terraform provider block
+terraform {
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox" # Use the community Proxmox provider from the bpg namespace
+ }
+ }
+}
+
+# Configure the Proxmox provider with API and SSH access
+provider "proxmox" {
+ endpoint = var.proxmox_endpoint # Proxmox API URL (e.g., https://proxmox.local:8006/api2/json)
+ api_token = var.proxmox_api_token # API token for authentication (should have appropriate permissions)
+ insecure = true # Reject self-signed or invalid TLS certificates (set to true only in trusted/test environments)
+
+ # Optional SSH settings used for VM customization via SSH
+ ssh {
+ agent = true # Do not use the local SSH agent; use key file instead
+# private_key = file("~/.ssh/id_ed25519") # Load SSH private key from the local file system
+ username = "root" # SSH username for connecting to the Proxmox host
+ }
+}
+
diff --git a/opentofu/terraform.tfvars b/opentofu/terraform.tfvars
new file mode 100644
index 0000000..00c1920
--- /dev/null
+++ b/opentofu/terraform.tfvars
@@ -0,0 +1,8 @@
+node_name = "px2" # Name of the Proxmox node where the VM will be deployed
+vm_name = "infra4" # Desired name for the new virtual machine
+vm_id = "2001" # Desired Id for the new virtual machine
+vm_cpu = 1 # Number of CPU cores to allocate to the VM
+vm_ram = 1024 # Amount of RAM in MB (2 GB)
+#vm_vlan = 66 # VLAN ID for network segmentation
+vm_address = "10.121.38.43/24"
+vm_gateway = "10.121.38.254"
diff --git a/opentofu/token.txt b/opentofu/token.txt
new file mode 100644
index 0000000..b713d01
--- /dev/null
+++ b/opentofu/token.txt
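Review bot: `insecure = true` on the provider block turns off TLS certificate verification for every API call, while its comment states the opposite (`# Reject self-signed or invalid TLS certificates`); with verification off, the API token carried by each request can be read by anyone able to interpose on the path to the Proxmox endpoint. The same inversion is on `agent = true # Do not use the local SSH agent; use key file instead`, which actually enables agent use. I would install the Proxmox CA on the host running `tofu` and set `insecure = false # Verify the Proxmox TLS certificate`, and reword the ssh line to `agent = true # Authenticate to the node via the local SSH agent`. The `username = "root"` SSH login is root on the hypervisor; acceptable if the key is scoped, but a comment naming which key the agent is expected to hold would help the next operator.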
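Review bot: `vm_ram = 1024 # Amount of RAM in MB (2 GB)` — the comment says 2 GB but the value is 1024 MB; change the comment to `# Amount of RAM in MB (1 GB)` or the value to `2048`, whichever is intended. `vm_id = "2001"` is quoted as a string while the neighbouring `vm_cpu`/`vm_ram` lines use bare numbers; HCL converts it, but if `variables.tf` is switched to `type = number` for `vm_id` this line should become `vm_id = 2001` to match.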
@@ -0,0 +1,10 @@
+┌──────────────┬─────────────────────────────────────────────────────┐
+│ key │ value │
+╞══════════════╪═════════════════════════════════════════════════════╡
+│ full-tokenid │ tofuer@pve!tofu │
+├──────────────┼─────────────────────────────────────────────────────┤
+│ info │ {"comment":"Tofu token","expire":"0","privsep":"0"} │
+├──────────────┼─────────────────────────────────────────────────────┤
+│ value │ 4b1234c0-1239-4563-789c-abcdef12eb7a │
+└──────────────┴─────────────────────────────────────────────────────┘
+
diff --git a/opentofu/variables.tf b/opentofu/variables.tf
new file mode 100644
index 0000000..a6639b5
--- /dev/null
+++ b/opentofu/variables.tf
@@ -0,0 +1,99 @@
+variable "proxmox_endpoint" {
+ description = "Proxmox URL endpoint"
+ type = string
+}
+
+variable "proxmox_api_token" {
+ description = "Proxmox API token"
+ type = string
+ sensitive = true
+}
+
+variable "node_name" {
+ description = "Proxmox host for the VM"
+ type = string
+}
+
+variable "node_datastore" {
+ description = "Datastore used for VM storage"
+ type = string
+ default = "local-lvm"
+}
+
+variable "vm_template" {
+ description = "Template of the VM"
+ type = string
+ #default = "ubuntu-cloud"
+ default = "Debian-12-Template"
+}
+
+variable "vm_name" {
+ description = "Hostname of the VM"
+ type = string
+}
+
+variable "vm_user" {
+ description = "Admin user of the VM"
+ type = string
+ default = "debian"
+}
+
+variable "vm_user_sshkey" {
+ description = "Admin user SSH key of the VM"
+ type = string
+ default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd97G/Uw3zlnhVByjpHZFw9FDa88phFUMtYfstTq7wYlUOJB2rdLPpU0bAjIpvpYmHOmBNseWYKaOT7EXNdxWPWJGuoen23tqdSzhnOV0LJz8zbCIA0Ykz/XOqRyJkq6qUw+L3atDxVC5pSSSY279yJtuQ2nmVld2KWDY4lnyZzZT5eQsrxCbT57hVMLCKcMKNb4QnYlLgnyHW8DyWHGG5GEWF9skFSPlmwY5s5H3OYg3u8ijuGjenjDTzLfRUzFltGJ2kBYbIn1iailArKpCiasmJyyja+YuYn3WwaNcl8Tpqa8eI52/LtOXDMwUKzvRJ6D6INEr/1duGYP/fQSEH root@ansible"
+}
+
+variable "vm_cpu" {
+ description = "Number of CPU cores of the VM"
+ type = number
+ default = 1
+}
+
+variable "vm_ram" {
+ description = "Number of RAM (MB) of the VM"
+ type = number
+ default = 1024
+}
+
+variable "vm_bios" {
+ description = "Type of BIOS used for the VM"
+ type = string
+ default = "ovmf"
+}
+
+variable "vm_machine" {
+ description = "Type of machine used for the VM"
+ type = string
+ default = "q35"
+}
+
+#variable "vm_vlan" {
+# description = "VLAN of the VM"
+# type = number
+# #default = 66
+#}
+
+variable "vm_tags" {
+ description = "Tags for the VM"
+ type = list(any)
+ default = ["test"]
+}
+
+variable "vm_address" {
+ description = "IP v4 address for the VM - CIDR format"
+ type = string
+# default = 
"q35"
+}
+
+variable "vm_gateway" {
+ description = "Gateway IP v4 address for the VM"
+ type = string
+ default = "10.121.38.254"
+}
+
+
+variable "vm_id" {
+ description = "VM identifier"
+ type = string
+}
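Review bot: `vm_user_sshkey` ships a hard-coded default public key (`root@ansible`), so anyone who applies this module without overriding the variable silently authorises that key — with passwordless sudo, per the cloud-init data in `main.tf` — on their new VM; a key should not be a default, so drop the `default` and require the caller to supply it, or at minimum document whose key it is. `vm_id` is declared `type = string` although it is a numeric identifier, and `vm_tags` uses `list(any)` where `list(string)` is the precise type. The commented `# default = "q35"` under `vm_address` is a copy-paste leftover from `vm_machine`. The `vm_gateway` default bakes a site address (`10.121.38.254`) into reusable code; since `terraform.tfvars` already sets it, that default can go.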