1.0.0 Release IaaS

config/services/systemd/vmm/libvirt/seeds/user-data.j2

@@ -0,0 +1,79 @@
+#cloud-config
+
+bootcmd:
+    - groupadd -g 2000 svadmins || true
+
+hostname: {{ hostvars[target_vm]['vm']['name'] }}
+
+disable_root: true
+
+users:
+    - name: {{ target_vm }}
+      uid: {{ hostvars[target_vm]['node']['uid'] }}
+      gecos: {{ target_vm }}
+      primary_group: svadmins
+      groups: sudo
+      lock_passwd: false
+      passwd: {{ hostvars['console']['sudo']['hash'][target_vm] }}
+      shell: /bin/bash
+
+write_files:
+    - path: /etc/ssh/local_ssh_ca.pub
+      content: |
+        {{ hostvars['console']['ssh']['ca']['pub'] | trim }}
+      owner: "root:root"
+      permissions: "0644"
+    - path: /etc/ssh/sshd_config.d/ssh_ca.conf
+      content: |
+        TrustedUserCAKeys /etc/ssh/local_ssh_ca.pub
+      owner: "root:root"
+      permissions: "0644"
+    - path: /etc/ssh/sshd_config.d/prohibit_root.conf
+      content: |
+        PermitRootLogin no
+      owner: "root:root"
+      permissions: "0644"
+    - path: /etc/apt/sources.list.d/debian.sources
+      content: |
+        Types: deb deb-src
+        URIs: https://deb.debian.org/debian
+        Suites: trixie trixie-updates trixie-backports
+        Components: main contrib non-free non-free-firmware
+        Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+        Types: deb deb-src
+        URIs: https://deb.debian.org/debian-security
+        Suites: trixie-security
+        Components: main contrib non-free non-free-firmware
+        Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+      owner: "root:root"
+      permissions: "0644"
+{% if target_vm == 'fw' %}
+    - path: /etc/sysctl.d/ipforward.conf
+      content: |
+        net.ipv4.ip_forward = 1
+        net.ipv6.conf.all.forwarding = 1
+      owner: "root:root"
+      permissions: "0644"
+{% endif %}
+{% set net_config_dir = 'fw' if target_vm == 'fw' else 'common' %}
+{% for file_path in query('fileglob', hostvars['console']['node']['config_path'] + '/node/' + net_config_dir + '/networkd/' + '/*') | sort %}
+    - path: /etc/systemd/network/{{ file_path | basename}}
+      content: |
+        {{ lookup('template', file_path) | indent(8) | trim }}
+      owner: "root:root"
+      permissions: "0644"
+{% endfor %}
+
+runcmd:
+    - update-initramfs -u
+    - systemctl disable networking
+    - systemctl enable systemd-networkd
+    - systemctl enable getty@ttyS0
+    - sync
+
+power_state:
+    delay: "now"
+    mode: reboot
+    message: "rebooting after cloud-init configuration"
+    timeout: 30

config/services/systemd/vmm/libvirt/services/app.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=app vm
+After=network-online.target libvirtd.service fw.service infra.service auth.service
+Wants=fw.service infra.service auth.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStopSec=360
+
+ExecStart=/usr/bin/virsh -c qemu:///system start app
+
+ExecStartPost=/bin/sleep 30
+
+ExecStop=/bin/bash -c '\
+  /usr/bin/virsh -c qemu:///system shutdown app; \
+  while /usr/bin/virsh -c qemu:///system list --state-running --name | grep -q "app"; do \
+    echo "Waiting for app to shutdown..."; \
+    sleep 2; \
+  done'
+
+[Install]
+WantedBy=default.target

config/services/systemd/vmm/libvirt/services/auth.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=auth vm
+After=network-online.target libvirtd.service fw.service infra.service
+Wants=fw.service infra.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStopSec=360
+
+ExecStart=/usr/bin/virsh -c qemu:///system start auth
+
+ExecStartPost=/bin/sleep 30
+
+ExecStop=/bin/bash -c '\
+  /usr/bin/virsh -c qemu:///system shutdown auth; \
+  while /usr/bin/virsh -c qemu:///system list --state-running --name | grep -q "auth"; do \
+    echo "Waiting for auth to shutdown..."; \
+    sleep 2; \
+  done'
+
+[Install]
+WantedBy=default.target

config/services/systemd/vmm/libvirt/services/fw.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=fw vm
+After=network-online.target libvirtd.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStopSec=360
+
+ExecStart=/usr/bin/virsh -c qemu:///system start fw
+
+ExecStartPost=/bin/sleep 30
+
+ExecStop=/bin/bash -c '\
+  /usr/bin/virsh -c qemu:///system shutdown fw; \
+  while /usr/bin/virsh -c qemu:///system list --state-running --name | grep -q "fw"; do \
+    echo "Waiting for fw to shutdown..."; \
+    sleep 2; \
+  done'
+
+[Install]
+WantedBy=default.target

config/services/systemd/vmm/libvirt/services/infra.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=infra vm
+After=network-online.target libvirtd.service fw.service
+Wants=fw.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStopSec=360
+
+ExecStart=/usr/bin/virsh -c qemu:///system start infra
+
+ExecStartPost=/bin/sleep 30
+
+ExecStop=/bin/bash -c '\
+  /usr/bin/virsh -c qemu:///system shutdown infra; \
+  while /usr/bin/virsh -c qemu:///system list --state-running --name | grep -q "infra"; do \
+    echo "Waiting for infra to shutdown..."; \
+    sleep 2; \
+  done'
+
+[Install]
+WantedBy=default.target

config/services/systemd/vmm/libvirt/xml/networks/lan-net.xml

@@ -0,0 +1,19 @@
+<!-- LAN network for Hypervisor -->
+<!-- lan-net.xml -->
+<network>
+  <name>lan-net</name>
+  <forward mode='bridge'/>
+  <bridge name='br1'/>
+  <portgroup name='vlan-trunk'>
+    <vlan trunk='yes'>
+      <tag id='1' nativeMode='untagged'/>
+      <tag id='10'/>
+      <tag id='20'/>
+    </vlan>
+  </portgroup>
+  <portgroup name='vlan10-access'>
+    <vlan>
+      <tag id='10'/>
+    </vlan>
+  </portgroup>
+</network>

config/services/systemd/vmm/libvirt/xml/networks/wan-net.xml

@@ -0,0 +1,7 @@
+<!-- WAN network for Hypervisor -->
+<!-- wan-net.xml -->
+<network>
+  <name>wan-net</name>
+  <forward mode='bridge'/>
+  <bridge name='br0'/>
+</network>

config/services/systemd/vmm/libvirt/xml/storages/images-pool.xml

@@ -0,0 +1,8 @@
+<!-- Storage pool define -->
+<!-- images.xml -->
+<pool type='dir'>
+  <name>images-pool</name>
+  <target>
+    <path>/var/lib/libvirt/images</path>
+  </target>    
+</pool>

config/services/systemd/vmm/libvirt/xml/storages/seeds-pool.xml

@@ -0,0 +1,8 @@
+<!-- Storage pool define -->
+<!-- seeds-pool.xml -->
+<pool type='dir'>
+  <name>seeds-pool</name>
+  <target>
+    <path>/var/lib/libvirt/seeds</path>
+  </target>    
+</pool>

config/services/systemd/vmm/libvirt/xml/vms/vms.xml.j2

@@ -0,0 +1,78 @@
+<domain type='kvm'>
+    <name>{{ hostvars[target_vm]['vm']['name'] }}</name>
+    <memory unit='GiB'>{{ hostvars[target_vm]['vm']['memory'] }}</memory>
+    <vcpu placement='static'>{{ hostvars[target_vm]['vm']['cpu'] }}</vcpu>
+    <cputune>
+        <shares>{{ hostvars[target_vm]['vm']['shares'] }}</shares>
+    </cputune>
+    <os firmware='efi'>
+        <type arch='x86_64' machine='pc-q35-10.0'>hvm</type>
+        <firmware>
+            <feature enabled='yes' name='enrolled-keys'/>
+            <feature enabled='yes' name='secure-boot'/>
+        </firmware>
+        <loader readonly='yes' secure='yes' type='pflash' format='raw'>/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
+        <nvram template='/usr/share/OVMF/OVMF_VARS_4M.ms.fd' templateFormat='raw' format='raw'>/var/lib/libvirt/qemu/nvram/{{ hostvars[target_vm]['vm']['name'] }}_VARS.fd</nvram>
+        <boot dev='hd'/>
+    </os>
+    <features>
+        <acpi/>
+        <apic/>
+    </features>
+    <cpu mode='host-passthrough' check='none' migratable='on'/>
+    <on_poweroff>destroy</on_poweroff>
+    <on_reboot>restart</on_reboot>
+    <on_crash>destroy</on_crash>
+    <devices>
+        <disk type='file' device='disk'>
+            <driver name='qemu' type='qcow2' discard='unmap' />
+            <source file='/var/lib/libvirt/images/{{ hostvars[target_vm]['vm']['name'] }}.qcow2' />
+            <target dev='vda' bus='virtio' />
+        </disk>
+        <disk type='file' device='cdrom'>
+            <driver name='qemu' type='raw' cache='none' />
+            <source file='/var/lib/libvirt/seeds/{{ hostvars[target_vm]['vm']['name'] }}_seed.iso' />
+            <target dev='sdb' bus='sata' />
+            <readonly/>
+        </disk>
+{% if target_vm == 'fw' %}
+        <interface type='network'>
+            <mac address='{{ hostvars[target_vm]['vm']['wan_mac'] }}' />
+            <source network='{{ hostvars[target_vm]['vm']['wan_net'] }}' />
+            <model type='virtio' />
+        </interface>
+        <interface type='network'>
+            <mac address='{{ hostvars[target_vm]['vm']['lan_mac'] }}' />
+            <source network='{{ hostvars[target_vm]['vm']['lan_net'] }}' portgroup='{{ hostvars[target_vm]['vm']['lan_group'] }}' />
+            <model type='virtio' />
+        </interface>
+{% else %}
+        <interface type='network'>
+            <mac address='{{ hostvars[target_vm]['vm']['lan_mac'] }}' />
+            <source network='{{ hostvars[target_vm]['vm']['lan_net'] }}' portgroup='{{ hostvars[target_vm]['vm']['lan_group'] }}' />
+            <model type='virtio' />
+        </interface>
+{% endif %}
+        <console type='pty'>
+            <target type='serial' port='0' />
+        </console>
+        <channel type='unix'>
+            <target type='virtio' name='org.qemu.guest_agent.0' />
+            <address type='virtio-serial' controller='0' bus='0' port='1' />
+        </channel>
+{% if target_vm == 'app' %}
+{% for device in hostvars[target_vm]['vm']['pass_through'].values() %}
+        <hostdev mode='subsystem' type='pci' managed='yes'>
+            <driver name='vfio'/>
+            <source>
+                <address type='pci' domain='{{ device['domain'] }}' bus='{{ device['bus'] }}' slot='{{ device['slot'] }}' function='{{ device['function'] }}'/>
+            </source>
+            <address type='pci' domain='{{ device['domain'] }}' bus='{{ device['bus'] }}' slot='{{ device['slot'] }}' function='{{ device['function'] }}'/>
+        </hostdev>
+{% endfor %}
+{% endif %} 
+        <tpm model='tpm-crb'>
+            <backend type='emulator' version='2.0'/>
+        </tpm>
+    </devices>
+</domain>