feat: new terraform stack for new switch (#162)

Author: kid

dagger.json

@@ -4,6 +4,11 @@
   "sdk": {
     "source": "go"
   },
+  "include": [
+    "!**/.devenv",
+    "!**/.direnv",
+    "!**/.terraform"
+  ],
   "dependencies": [
     {
       "name": "containers",
@@ -19,6 +24,5 @@
       "pin": "789200f43579a799b237c660e2faa79a83404104"
     }
   ],
-  "include": ["!**/.devenv", "!**/.direnv", "!**/.terraform"],
   "source": ".dagger"
 }

devenv.lock

@@ -65,10 +65,31 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742649964,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
-          "pre-commit-hooks",
+          "git-hooks",
           "nixpkgs"
         ]
       },
@@ -142,33 +163,15 @@
         "type": "github"
       }
     },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1737465171,
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "dagger": "dagger",
         "devenv": "devenv",
+        "git-hooks": "git-hooks",
         "nixpkgs": "nixpkgs_2",
-        "pre-commit-hooks": "pre-commit-hooks",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ],
         "talhelper": "talhelper"
       }
     },

devenv.nix

@@ -23,6 +23,7 @@
       talosctl
       timoni
       go-task
+      iptables
     ]);
 
   languages = {

terraform/.dagger/main.go

@@ -65,7 +65,7 @@ func (m *Terraform) Base() *dagger.Container {
 		Wolfi().
 		Container(dagger.WolfiContainerOpts{
 			Packages: []string{
-				"opentofu=1.8.2",
+				"opentofu=1.9.0",
 				"tflint=0.53.0",
 			},
 		})

terraform/modules/ros-bridge/inputs.tf

@@ -0,0 +1,16 @@
+variable "bridge_name" {
+  type = string
+}
+
+variable "bridge_ports" {
+  type = map(object({
+    comment  = optional(string)
+    vlan_ids = optional(list(number), [])
+    pvid     = optional(number)
+  }))
+}
+
+variable "ignore_interfaces" {
+  type    = list(string)
+  default = []
+}

terraform/modules/ros-bridge/main.tf

@@ -0,0 +1,51 @@
+data "routeros_interfaces" "ether" {
+  filter = {
+    type = "ether"
+  }
+}
+
+locals {
+  interface_list = toset([
+    for idx, item in data.routeros_interfaces.ether.interfaces : item.name
+    if !contains(var.ignore_interfaces, item.name)
+  ])
+  vlan_ids = distinct(flatten([for _, item in var.bridge_ports : try(item.vlan_ids, [])]))
+}
+
+resource "routeros_interface_ethernet" "self" {
+  for_each     = local.interface_list
+  factory_name = each.key
+  name         = each.key
+  comment      = try(var.bridge_ports[each.key].comment, null)
+}
+
+resource "routeros_interface_bridge" "self" {
+  name           = var.bridge_name
+  vlan_filtering = true
+}
+
+resource "routeros_interface_bridge_port" "self" {
+  for_each  = local.interface_list
+  bridge    = routeros_interface_bridge.self.name
+  interface = each.key
+  pvid      = try(var.bridge_ports[each.key].pvid, 1)
+  comment   = try(var.bridge_ports[each.key].comment, null)
+}
+
+resource "routeros_interface_bridge_vlan" "self" {
+  for_each = { for id in local.vlan_ids : "vlan${id}" => id }
+  bridge   = routeros_interface_bridge.self.name
+  vlan_ids = [each.value]
+  tagged = concat(
+    [routeros_interface_bridge.self.name],
+    [for k, v in var.bridge_ports : k if contains(try(v.vlan_ids, []), each.value)]
+  )
+}
+
+output "debug" {
+  value = {
+    bridge_ports = var.bridge_ports
+    vlan_ids     = local.vlan_ids
+    tagged99     = [for k, v in var.bridge_ports : k if contains(try(v.vlan_ids, []), 99)]
+  }
+}

terraform/modules/ros-bridge/outputs.tf

@@ -0,0 +1,3 @@
+output "bridge_name" {
+  value = routeros_interface_bridge.self.name
+}

terraform/modules/ros-bridge/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.9.0"
+
+  required_providers {
+    routeros = {
+      source  = "terraform-routeros/routeros"
+      version = "1.76.7"
+    }
+  }
+}

terraform/modules/ros-management-config/inputs.tf

@@ -0,0 +1,15 @@
+variable "bridge_name" {
+  type = string
+}
+
+variable "oob_mgmt_port" {
+  type = string
+}
+
+variable "oob_mgmt_address" {
+  type = string
+}
+
+variable "mgmt_vlan_id" {
+  type = number
+}

terraform/modules/ros-management-config/main.tf

@@ -0,0 +1,28 @@
+# TODO: add dhcp-server on management subnet
+# TODO: add dhcp-client on admin vlan
+# TODO: implement VRF for services
+
+resource "routeros_interface_list" "admin" {
+  name = "admin-ifces"
+}
+
+resource "routeros_interface_list_member" "admin_port" {
+  list      = routeros_interface_list.admin.name
+  interface = var.oob_mgmt_port
+}
+
+resource "routeros_interface_list_member" "admin_vlan" {
+  list      = routeros_interface_list.admin.name
+  interface = routeros_interface_vlan.admin.name
+}
+
+resource "routeros_interface_vlan" "admin" {
+  interface = var.bridge_name
+  name      = "admin-vlan"
+  vlan_id   = var.mgmt_vlan_id
+}
+
+resource "routeros_ip_address" "admin" {
+  interface = var.oob_mgmt_port
+  address   = var.oob_mgmt_address
+}