infra-k8s/tofu/main.tf

terraform {
  required_providers {
    incus = {
      source  = "lxc/incus"
      version = "0.3.1"
    }
  }
}

provider "incus" {
}

resource "incus_project" "kubernetes" {
  name        = "kubernetes"
  description = "Kubernetes project"

  config = {
    "features.storage.volumes" = false
    "features.images"          = false
    "features.profiles"        = false
    "features.storage.buckets" = false
  }
}

locals {
  ssh_public_key = trimspace(file("~/.ssh/id_ed25519.pub"))
}

locals {
  kubeadmin_password_hash = trimspace(file("./kubeadmin_password_hash"))
}

data "template_file" "cloud_init" {
  template = file("${path.module}/files/cloud-init.yaml")
  vars = {
    ssh_public_key = local.ssh_public_key
  }
}

resource "incus_profile" "kubenode" {
  name        = "kubenode"
  project     = "kubernetes"
  description = "Kubernetes lab node"

  depends_on = [
    incus_project.kubernetes
  ]

  config = {
    # "linux.kernel_modules" = "ip_tables,ip6_tables,nf_nat,overlay,br_netfilter"
    "security.nesting"    = "true"
    "security.privileged" = "true"
    # "security.syscalls.intercept.mknod" = "true"
    # "security.syscalls.intercept.mount" = "true"
    # "security.syscalls.intercept.setxattr" = "true"
    "limits.cpu"         = "4"
    "limits.memory"      = "6GiB"
    "limits.memory.swap" = "false"
    "boot.autostart"     = "true"
    "cloud-init.vendor-data" = templatefile(
      "${path.module}/files/cloud-init.yaml", { ssh_public_key = local.ssh_public_key, kubeadmin_password_hash = local.kubeadmin_password_hash }
      )
  }

  device {
    name = "eth0"
    type = "nic"
    properties = {
      network = "incusbr0"
      name    = "eth0"
    }
  }

  device {
    name = "root"
    type = "disk"
    properties = {
      pool = "default"
      path = "/"
    }
  }
}

resource "incus_instance" "kube-main" {
  name  = "kube-main"
  type  = "virtual-machine"
  image = "images:fedora/43/cloud"
  profiles = [incus_profile.kubenode.name]
  project  = incus_project.kubernetes.name

  depends_on = [
    incus_profile.kubenode
  ]

  device {
    name = "eth0"
    type = "nic"
    properties = {
      network        = "incusbr0"
      name           = "eth0"
      "ipv4.address" = "10.1.1.100"
    }
  }
}

resource "incus_instance" "kube-worker1" {
  name     = "kube-worker1"
  type  = "virtual-machine"
  image    = "images:fedora/43/cloud"
  profiles = [incus_profile.kubenode.name]
  project  = incus_project.kubernetes.name

  depends_on = [
    incus_profile.kubenode
  ]

  device {
    name = "eth0"
    type = "nic"
    properties = {
      network        = "incusbr0"
      name           = "eth0"
      "ipv4.address" = "10.1.1.101"
    }
  }
}

resource "incus_instance" "kube-worker2" {
  name     = "kube-worker2"
  type  = "virtual-machine"
  image    = "images:fedora/43/cloud"
  profiles = [incus_profile.kubenode.name]
  project  = incus_project.kubernetes.name

  depends_on = [
    incus_profile.kubenode
  ]

  device {
    name = "eth0"
    type = "nic"
    properties = {
      network        = "incusbr0"
      name           = "eth0"
      "ipv4.address" = "10.1.1.102"
    }
  }
}