feat: new terraform stack for new switch

Author: kid

dagger.json

@@ -4,6 +4,11 @@
   "sdk": {
     "source": "go"
   },
+  "include": [
+    "!**/.devenv",
+    "!**/.direnv",
+    "!**/.terraform"
+  ],
   "dependencies": [
     {
       "name": "containers",
@@ -19,6 +24,5 @@
       "pin": "789200f43579a799b237c660e2faa79a83404104"
     }
   ],
-  "include": ["!**/.devenv", "!**/.direnv", "!**/.terraform"],
   "source": ".dagger"
 }

devenv.lock

@@ -5,10 +5,10 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1740026216,
+        "lastModified": 1743781909,
         "owner": "dagger",
         "repo": "nix",
-        "rev": "578e8c28bba72e4269cfe15de4a7097c1b3ebcff",
+        "rev": "21aa7e33f3cec8f77d7e59558a7210b99049e1ed",
         "type": "github"
       },
       "original": {
@@ -20,10 +20,10 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1740575096,
+        "lastModified": 1743783972,
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "4000b0153c6f54a57368c0b066aaa0024450618c",
+        "rev": "2f53e2f867e0c2ba18b880e66169366e5f8ca554",
         "type": "github"
       },
       "original": {
@@ -53,10 +53,10 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1738453229,
+        "lastModified": 1743550720,
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -65,10 +65,31 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742649964,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
-          "pre-commit-hooks",
+          "git-hooks",
           "nixpkgs"
         ]
       },
@@ -87,10 +108,10 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740547748,
+        "lastModified": 1743938762,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "74a40410369a1c35ee09b8a1abee6f4acbedc059",
         "type": "github"
       },
       "original": {
@@ -102,22 +123,24 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1740642049,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "lastModified": 1743901752,
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "2bb0af21f02e8c61a5dded3832b92db47d6a0411",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1740547748,
+        "lastModified": 1743938762,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "74a40410369a1c35ee09b8a1abee6f4acbedc059",
         "type": "github"
       },
       "original": {
@@ -129,10 +152,10 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1740367490,
+        "lastModified": 1743827369,
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05",
+        "rev": "42a1c966be226125b48c384171c44c651c236c22",
         "type": "github"
       },
       "original": {
@@ -142,33 +165,15 @@
         "type": "github"
       }
     },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1737465171,
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "dagger": "dagger",
         "devenv": "devenv",
+        "git-hooks": "git-hooks",
         "nixpkgs": "nixpkgs_2",
-        "pre-commit-hooks": "pre-commit-hooks",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ],
         "talhelper": "talhelper"
       }
     },
@@ -178,10 +183,10 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1740628241,
+        "lastModified": 1743729608,
         "owner": "budimanjojo",
         "repo": "talhelper",
-        "rev": "e23e0e77e3c7c9fb08e0d783a11fa1d92227a70d",
+        "rev": "e5f08adb209adc686a217b48aa7d50b2bee2b3a9",
         "type": "github"
       },
       "original": {

devenv.nix

@@ -23,6 +23,7 @@
       talosctl
       timoni
       go-task
+      iptables
     ]);
 
   languages = {

terraform/.dagger/main.go

@@ -65,7 +65,7 @@ func (m *Terraform) Base() *dagger.Container {
 		Wolfi().
 		Container(dagger.WolfiContainerOpts{
 			Packages: []string{
-				"opentofu=1.8.2",
+				"opentofu=1.9.0",
 				"tflint=0.53.0",
 			},
 		})

terraform/modules/ros-bridge/inputs.tf

@@ -0,0 +1,16 @@
+variable "bridge_name" {
+  type = string
+}
+
+variable "bridge_ports" {
+  type = map(object({
+    comment  = optional(string)
+    vlan_ids = optional(list(number), [])
+    pvid     = optional(number)
+  }))
+}
+
+variable "ignore_interfaces" {
+  type    = list(string)
+  default = []
+}

terraform/modules/ros-bridge/main.tf

@@ -0,0 +1,51 @@
+data "routeros_interfaces" "ether" {
+  filter = {
+    type = "ether"
+  }
+}
+
+locals {
+  interface_list = toset([
+    for idx, item in data.routeros_interfaces.ether.interfaces : item.name
+    if !contains(var.ignore_interfaces, item.name)
+  ])
+  vlan_ids = distinct(flatten([for _, item in var.bridge_ports : try(item.vlan_ids, [])]))
+}
+
+resource "routeros_interface_ethernet" "self" {
+  for_each     = local.interface_list
+  factory_name = each.key
+  name         = each.key
+  comment      = try(var.bridge_ports[each.key].comment, null)
+}
+
+resource "routeros_interface_bridge" "self" {
+  name           = var.bridge_name
+  vlan_filtering = true
+}
+
+resource "routeros_interface_bridge_port" "self" {
+  for_each  = local.interface_list
+  bridge    = routeros_interface_bridge.self.name
+  interface = each.key
+  pvid      = try(var.bridge_ports[each.key].pvid, 1)
+  comment   = try(var.bridge_ports[each.key].comment, null)
+}
+
+resource "routeros_interface_bridge_vlan" "self" {
+  for_each = { for id in local.vlan_ids : "vlan${id}" => id }
+  bridge   = routeros_interface_bridge.self.name
+  vlan_ids = [each.value]
+  tagged = concat(
+    [routeros_interface_bridge.self.name],
+    [for k, v in var.bridge_ports : k if contains(try(v.vlan_ids, []), each.value)]
+  )
+}
+
+output "debug" {
+  value = {
+    bridge_ports = var.bridge_ports
+    vlan_ids     = local.vlan_ids
+    tagged99     = [for k, v in var.bridge_ports : k if contains(try(v.vlan_ids, []), 99)]
+  }
+}

terraform/modules/ros-bridge/outputs.tf

@@ -0,0 +1,3 @@
+output "bridge_name" {
+  value = routeros_interface_bridge.self.name
+}

terraform/modules/ros-bridge/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.9.0"
+
+  required_providers {
+    routeros = {
+      source  = "terraform-routeros/routeros"
+      version = "1.76.7"
+    }
+  }
+}

terraform/modules/ros-management-config/inputs.tf

@@ -0,0 +1,15 @@
+variable "bridge_name" {
+  type = string
+}
+
+variable "management_port" {
+  type = string
+}
+
+variable "management_address" {
+  type = string
+}
+
+variable "management_vlan_id" {
+  type = number
+}

terraform/modules/ros-management-config/main.tf

@@ -0,0 +1,74 @@
+data "routeros_interfaces" "ether" {
+  filter = {
+    type = "ether"
+  }
+}
+
+resource "routeros_interface_list" "admin" {
+  name = "admin-ifces"
+}
+
+resource "routeros_interface_list_member" "admin_port" {
+  list      = routeros_interface_list.admin.name
+  interface = var.management_port
+}
+
+resource "routeros_interface_list_member" "admin_vlan" {
+  list      = routeros_interface_list.admin.name
+  interface = routeros_interface_vlan.admin.name
+}
+
+# resource "routeros_interface_bridge_vlan" "admin" {
+#   bridge   = var.bridge_name
+#   vlan_ids = [routeros_interface_vlan.admin.vlan_id]
+#   tagged   = concat([var.bridge_name], var.management_tagged_ports)
+# }
+#
+# resource "routeros_interface_bridge_vlan" "srv" {
+#   bridge   = var.bridge_name
+#   vlan_ids = [10]
+#   tagged   = concat([var.bridge_name], var.trunk_ports)
+# }
+#
+# resource "routeros_interface_bridge_vlan" "lan" {
+#   bridge   = var.bridge_name
+#   vlan_ids = [100]
+#   tagged   = concat([var.bridge_name], var.trunk_ports)
+# }
+#
+# resource "routeros_interface_bridge_vlan" "iot" {
+#   bridge   = var.bridge_name
+#   vlan_ids = [101]
+#   tagged   = concat([var.bridge_name], var.trunk_ports)
+# }
+
+resource "routeros_interface_vlan" "admin" {
+  interface = var.bridge_name
+  name      = "admin-vlan"
+  vlan_id   = var.management_vlan_id
+}
+
+resource "routeros_interface_vlan" "srv" {
+  interface = var.bridge_name
+  name      = "srv-vlan"
+  vlan_id   = 10
+}
+
+resource "routeros_interface_vlan" "lan" {
+  interface = var.bridge_name
+  name      = "lan-vlan"
+  vlan_id   = 100
+}
+
+resource "routeros_interface_vlan" "iot" {
+  interface = var.bridge_name
+  name      = "iot-vlan"
+  vlan_id   = 101
+}
+
+# resource "routeros_ip_address" "admin" {
+#   # interface = routeros_interface_vlan.admin.name
+#   address   = "${var.management_address}/32"
+#   interface = "admin-vrrp-oob"
+#   # address   = "10.99.0.2/32"
+# }