chore: Add example site configuration for Skiff VM setup

Signed-off-by: Schubert Anselme <[email protected]>
anselmes · Nov 5, 2024 · d807841 · d807841
1 parent 7d62883
commit d807841
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 80 deletions.
diff --git a/config/site.yaml b/config/site.yaml
@@ -1,43 +1,25 @@
 ---
-spec:
-  domain: local
-  dir: /tmp
+metadata:
+  name: skiff
+site:
+  domain: labos.local
   config:
-    ssh:
-      key:
-        file: ${site_dir}/id_ed25519
-    gpg:
-      dir: ${site_dir}/.gnupg
     pki:
-      dir: ${site_dir}/pki
       ca:
-        bundle: ${site_dir}/ca.pfx
-        days: "3065"
-        subj: /CN=root-ca
-        key:
-          file: ${site_dir}/pki/ca.key
-        cert:
-          file: ${site_dir}/pki/ca.crt
+        days: 3065
+        subj: /CN=skiff-root-ca
   service:
     libvirt:
       enabled: true
-      cloudinit: ${libvirt_dir}/boot
-      emulator: $(command -v ${qemu-system-${arch})
-      firmware: ${firmware_dir}/edk2-${arch}-code.fd
-      images: ${libvirt_dir}/images
   vm:
     - name: skiff
-      arch: null
-      cpu: null
-      image: null
-      memory: null
-      os:
-        name: ubuntu
-        version: 24.04
-        url: http://ubuntu.com
+      osinfo: ${os_url}/${os_name}/${os_version}
+      arch: ${arch}
+      cpu: ${cpu}
+      image: ${image}
+      memory: ${memory}
       cloudinit:
         enabled: true
-        file: ${site_dir}/user-data
       networks:
         interfaces:
           oam:
@@ -47,4 +29,15 @@ spec:
                 dhcp: true
               ipv6:
                 dhcpv6: true
-status: {}
+status:
+  gpg_dir: ${site_dir}/.gnupg
+  libvirt_cloudinit_dir: ${libvirt_dir}/boot
+  libvirt_emulator: $(command -v ${qemu-system-${arch})
+  libvirt_firmware_file: ${firmware_dir}/edk2-${arch}-code.fd
+  libvirt_image_dir: ${libvirt_dir}/images
+  pki_ca_bundle: ${site_dir}/ca.pfx
+  pki_ca_cert_file: ${site_dir}/pki/ca.crt
+  pki_ca_key_file: ${site_dir}/pki/ca.key
+  pki_dir: ${site_dir}/pki
+  site_dir: /tmp/skiff
+  ssh_key_file: ${site_dir}/id_ed25519
diff --git a/config/vm.xml b/config/vm.xml
@@ -2,7 +2,7 @@
   <vcpu placement="static">2</vcpu>
   <metadata>
     <libosinfo xmlns="http://libosinfo.org/xmlns/libvirt/domain/1.0">
-      <os id="${os_url}/${os_name}/${os_version}"/>
+      <os id="${osinfo}"/>
     </libosinfo>
   </metadata>
   <os>
@@ -37,7 +37,7 @@
   </devices>
   <commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
     <arg value="-drive"/>
-    <arg value="id=hd0,if=pflash,readonly=on,format=raw,file=${libvirt_firmware}"/>
+    <arg value="id=hd0,if=pflash,readonly=on,format=raw,file=${libvirt_firmware_file}"/>
     <arg value="-drive"/>
     <arg value="file=${vol},id=hd1,if=none,discard=unmap,format=qcow2"/>
     <arg value="-device"/>

diff --git a/hack/site.yaml.example b/hack/site.yaml.example
@@ -0,0 +1,43 @@
+---
+metadata:
+  name: skiff
+site:
+  domain: labos.local
+  config:
+    pki:
+      ca:
+        days: 3065
+        subj: /CN=skiff-root-ca
+  service:
+    libvirt:
+      enabled: true
+  vm:
+    - name: skiff
+      arch: null
+      cpu: null
+      image: null
+      memory: null
+      osinfo: http://ubuntu.com/ubuntu/24.04
+      cloudinit:
+        enabled: true
+      networks:
+        interfaces:
+          oam:
+            address:
+              mac: ba:be:fa:ce:00:00
+              ipv4:
+                dhcp: true
+              ipv6:
+                dhcpv6: true
+status:
+  site_dir: /tmp/skiff
+  gpg_dir: /tmp/skiff/.gnupg
+  pki_dir: /tmp/skiff/pki
+  pki_ca_key_file: /tmp/skiff/pki/ca.key
+  pki_ca_cert_file: /tmp/skiff/pki/ca.crt
+  pki_ca_bundle: /tmp/skiff/ca.pfx
+  ssh_key_file: /tmp/skiff/id_ed25519
+  libvirt_emulator: /opt/homebrew/bin/qemu-system-aarch64
+  libvirt_firmware_file: /opt/homebrew/share/qemu/edk2-aarch64-code.fd
+  libvirt_image_dir: /tmp/skiff/images
+  libvirt_cloudinit_dir: /tmp/skiff/boot
diff --git a/scripts/createvm.sh b/scripts/createvm.sh
@@ -4,12 +4,15 @@
 source scripts/environment.sh
 
 create_vm() {
+  export vm_id="$(uuidgen)"
   export name="${1}"
   config="${2}"
 
   [[ -z "${name}" ]] && echo "name is required" && exit 1
   [[ -z "${config}" ]] && echo "config is required" && exit 1
-  export site_dir="$(yq '.site.dir' "${config}")"
+
+  export site_dir="$(yq '.status.site_dir' "${config}")"
+  export $(getenv <(yq '.site.vm[] | select(.name == env(name))' "${config}"))
 
   [[ -z "${arch}" ]] && export arch="$(uname -m)"
   case "${arch}" in
@@ -19,9 +22,7 @@ create_vm() {
   *) ;;
   esac
 
-  export $(getenv <(yq '.site.service | select(.libvirt)' "${config}") | envsubst)
-  export $(getenv <(yq '.site.vm[] | select(.name == env(name))' "${config}") | envsubst)
-  export vm_id="$(uuidgen)"
+  export $(yq --output-format shell '.status' "${config}" | tr -d "'")
 
   if [[ -z "${vm_type}" ]]; then
     case "$(uname -s)" in
@@ -39,8 +40,9 @@ create_vm() {
     esac
   fi
 
-  user_data="${cloudinit_file}"
+  # user_data="${cloudinit_file}"
   network_config="${site_dir}/network-config"
+  user_data="${site_dir}/user-data"
   vm_file="${site_dir}/vm-${name}.xml"
 
   stat "${vm_file}" >/dev/null 2>&1 ||
@@ -57,17 +59,19 @@ create_vm() {
     ' config/netplan/default.yaml | tr -d '"' >"${network_config}"
 
     # user-data
-    stat "${cloudinit_file}" >/dev/null 2>&1 ||
-      printf "#cloud-config" >"${cloudinit_file}"
+    if ! stat "${user_data}" >/dev/null 2>&1; then
+      pubkey="$(cat "${ssh_key_file}.pub")"
+      printf "#cloud-config\nssh_authorized_keys: \n  - ${pubkey}\n" >"${user_data}"
+    fi
 
-    if [[ -n "${libvirt_cloudinit}" ]]; then
-      export vm_cloudinit="${libvirt_cloudinit}"
+    if [[ -n "${libvirt_cloudinit_dir}" ]]; then
+      export vm_cloudinit="${libvirt_cloudinit_dir}/cloudinit.iso"
     else
       export vm_cloudinit="${site_dir}/cloudinit.iso"
     fi
 
     stat "${vm_cloudinit}" >/dev/null 2>&1 ||
-      createiso "${vm_cloudinit}" /tmp/meta-data "${cloudinit_file}" "${network_config}"
+      createiso "${vm_cloudinit}" /tmp/meta-data "${user_data}" "${network_config}"
 
     # update vm config
     yq --inplace '. |
@@ -76,10 +80,10 @@ create_vm() {
   fi
 
   # create volume
-  if [[ -n "${libvirt_images}" ]]; then
-    export vol="${libvirt_images}/${name}.qcow2"
+  if [[ -n "${libvirt_image_dir}" ]]; then
+    export vol="${libvirt_image_dir}/${name}.qcow2"
   else
-    export vol="/tmp/${name}.qcow2"
+    export vol="${site_dir}/${name}.qcow2"
   fi
   if [[ -n "${image}" ]]; then
     stat "${vol}" >/dev/null 2>&1 ||

diff --git a/scripts/gencert.sh b/scripts/gencert.sh
@@ -4,76 +4,89 @@
 source scripts/environment.sh
 
 generate_root_ca() {
-  stat "${spec_config_pki_ca_cert_file}" >/dev/null 2>&1 ||
+  config="${1}"
+  [[ -z "${config}" ]] && echo "missing config file" && exit 1
+
+  export name="$(yq '.metadata.name' "${config}")"
+  export site_dir="$(yq '.status.site_dir' "${config}")"
+
+  export $(getenv <(yq '.site.config' "${config}"))
+  export $(yq --output-format shell '.status' "${config}" | tr -d "'")
+
+  stat "${pki_ca_cert_file}" >/dev/null 2>&1 ||
     openssl req \
       -new \
       -x509 \
-      -days ${spec_config_pki_ca_days} \
+      -days ${pki_ca_days} \
       -extensions v3_ca \
-      -keyout "${spec_config_pki_ca_key_file}" \
-      -out "${spec_config_pki_ca_cert_file}" \
+      -keyout "${pki_ca_key_file}" \
+      -out "${pki_ca_cert_file}" \
       -passout pass: \
-      -subj "${spec_config_pki_ca_subj}"
+      -subj "${pki_ca_subj}"
 
-  stat "${config_pki_ca_bundle}" >/dev/null 2>&1 ||
+  stat "${pki_ca_bundle}" >/dev/null 2>&1 ||
     openssl pkcs12 \
       -export \
-      -in "${spec_config_pki_ca_cert_file}" \
-      -inkey "${spec_config_pki_ca_key_file}" \
-      -out "${spec_config_pki_ca_bundle}" \
+      -in "${pki_ca_cert_file}" \
+      -inkey "${pki_ca_key_file}" \
+      -out "${pki_ca_bundle}" \
       -passin pass: \
       -passout pass:
 }
 
 generate_intermediate_ca() {
-  INTERMEDIATE_CERT_SUBJ="${2}"
-  INTERMEDIATE_CA_VALID_FOR="${3}"
-  INTERMEDIATE_KEY_FILE="${4}"
-  INTERMEDIATE_CA_FILE="${5}"
-  INTERMEDIATE_CA_BUNDLE_FILE="${6}"
+  config="${1}"
+  intermediate_ca_subj="${2}"
+  intermediate_ca_valid_for="${3}"
+  intermediate_ca_key_file="${4}"
+  intermediate_ca_cert_file="${5}"
+  intermediate_ca_bundle="${6}"
+
+  export $(getenv <(yq '.status' "${config}" | grep pki))
 
-  [[ -z "${INTERMEDIATE_CERT_SUBJ}" ]] && echo "missing intermediate subject" && exit 1
-  [[ -z "${INTERMEDIATE_CA_VALID_FOR}" ]] && echo "missing intermediate valid for" && exit 1
-  [[ -z "${INTERMEDIATE_KEY_FILE}" ]] && echo "missing intermediate key file" && exit 1
-  [[ -z "${INTERMEDIATE_CA_FILE}" ]] && echo "missing intermediate ca file" && exit 1
-  [[ -z "${INTERMEDIATE_CA_BUNDLE_FILE}" ]] && echo "missing intermediate ca bundle file" && exit 1
+  [[ -z "${config}" ]] && echo "missing config file" && exit 1
+  [[ -z "${intermediate_ca_subj}" ]] && echo "missing intermediate subject" && exit 1
+  [[ -z "${intermediate_ca_valid_for}" ]] && echo "missing intermediate valid for" && exit 1
+  [[ -z "${intermediate_ca_key_file}" ]] && echo "missing intermediate key file" && exit 1
+  [[ -z "${intermediate_ca_cert_file}" ]] && echo "missing intermediate ca file" && exit 1
+  [[ -z "${intermediate_ca_bundle}" ]] && echo "missing intermediate ca bundle file" && exit 1
 
-  OUT_DIR="$(dirname ${INTERMEDIATE_CA_FILE})"
+  out_dir="$(dirname ${intermediate_ca_cert_file})"
 
-  stat "${INTERMEDIATE_CA_FILE}" >/dev/null 2>&1 ||
-    openssl genrsa -out "${INTERMEDIATE_KEY_FILE}"
+  stat "${intermediate_ca_cert_file}" >/dev/null 2>&1 ||
+    openssl genrsa -out "${intermediate_ca_key_file}"
 
-  if ! stat "${INTERMEDIATE_CA_FILE}" >/dev/null 2>&1; then
+  if ! stat "${intermediate_ca_cert_file}" >/dev/null 2>&1; then
     openssl req \
       -new \
-      -key "${INTERMEDIATE_KEY_FILE}" \
+      -key "${intermediate_ca_key_file}" \
       -out /tmp/intermediate-ca.csr \
-      -subj "${INTERMEDIATE_CERT_SUBJ}"
+      -subj "${intermediate_ca_subj}"
 
-    cd "${OUT_DIR}"
+    cd "${out_dir}"
     openssl ca \
       -batch \
       -notext \
       -rand_serial \
-      -cert "${spec_config_pki_ca_cert_file}" \
-      -days ${INTERMEDIATE_CA_VALID_FOR} \
+      -cert "${pki_ca_cert_file}" \
+      -days ${intermediate_ca_valid_for} \
       -extensions v3_ca \
       -in /tmp/intermediate-ca.csr \
-      -keyfile "${spec_config_pki_ca_key_file}" \
-      -out "${INTERMEDIATE_CA_FILE}" \
+      -keyfile "${pki_ca_key_file}" \
+      -out "${intermediate_ca_cert_file}" \
       -outdir . \
       -passin pass: \
       -policy policy_anything \
-      -subj "${INTERMEDIATE_CERT_SUBJ}"
+      -subj "${intermediate_ca_subj}"
     popd
   fi
 
-  stat "${INTERMEDIATE_CA_BUNDLE_FILE}" >/dev/null 2>&1 ||
+  stat "${intermediate_ca_bundle}" >/dev/null 2>&1 ||
     openssl pkcs12 \
       -export \
-      -in "${INTERMEDIATE_CA_FILE}" \
-      -inkey "${INTERMEDIATE_KEY_FILE}" \
-      -out "${INTERMEDIATE_CA_BUNDLE_FILE}" \
+      -in "${intermediate_ca_cert_file}" \
+      -inkey "${intermediate_ca_key_file}" \
+      -out "${intermediate_ca_bundle}" \
       -passout pass:
 
   rm -f /tmp/intermediate-ca.csr
@@ -91,6 +104,7 @@ case "${1}" in
 Usage: ${0} [OPTIONS]
 
 OPTIONS:
+  --root-ca <config-file>
   --intermediate-ca <config-file> <subject> <days> <key-file> <ca-file> <ca-bundle-file>
 
 EXAMPLES: