torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

migrate-ns2-opentofu #33

Merged
torjus merged 2 commits from migrate-ns2-opentofu into master 2026-02-07 19:07:33 +00:00
Conversation 0 Commits 2 Files Changed 28 +346 -187
torjus commented 2026-02-07 19:07:24 +00:00
Owner
Copy Link

Summary

Migrate ns2 (secondary DNS server) to OpenTofu management using the create-host workflow.

Changes

  • Remove legacy template1: Delete hosts/template/ directory and template1 from flake.nix
  • Distribute hardware configs: Copy hardware-configuration.nix to each legacy host that referenced the shared template (ha1, http-proxy, jelly01, jump, monitoring01, nats1, nix-cache01, ns1, pgdb1)
  • Recreate ns2: Generate new ns2 configuration using create-host with template2 base
  • Add DNS services: Configure secondary authoritative DNS (NSD) and resolver (Unbound)
  • Vault integration: Add secret/data/shared/dns/* path to ns2's AppRole policy for TSIG key access
  • Fix create-host bug: Update IP uniqueness validator to check CIDR notation, preventing false positives from DNS resolver entries

Additional

  • Add planning doc for configuring template2 with local nix cache to speed up bootstrap

Testing

  • nix build .#nixosConfigurations.ns2.config.system.build.toplevel succeeds
  • tofu validate passes for both terraform/ and terraform/vault/
  • VM bootstrapped and booted successfully
  • All Prometheus exporters reporting up
  • Logs flowing to Loki via Promtail
  • DNS resolution working (tested with dig)
  • NSD running with zone data
  • homelab-deploy listener connected to NATS

Post-merge

  1. Delete old ns2 VM in Proxmox
  2. Update ns1 to sync zone serials (ns2 currently has newer serial from feature branch)
## Summary Migrate ns2 (secondary DNS server) to OpenTofu management using the `create-host` workflow. ### Changes - **Remove legacy template1**: Delete `hosts/template/` directory and `template1` from flake.nix - **Distribute hardware configs**: Copy `hardware-configuration.nix` to each legacy host that referenced the shared template (ha1, http-proxy, jelly01, jump, monitoring01, nats1, nix-cache01, ns1, pgdb1) - **Recreate ns2**: Generate new ns2 configuration using `create-host` with template2 base - **Add DNS services**: Configure secondary authoritative DNS (NSD) and resolver (Unbound) - **Vault integration**: Add `secret/data/shared/dns/*` path to ns2's AppRole policy for TSIG key access - **Fix create-host bug**: Update IP uniqueness validator to check CIDR notation, preventing false positives from DNS resolver entries ### Additional - Add planning doc for configuring template2 with local nix cache to speed up bootstrap ## Testing - [x] `nix build .#nixosConfigurations.ns2.config.system.build.toplevel` succeeds - [x] `tofu validate` passes for both `terraform/` and `terraform/vault/` - [x] VM bootstrapped and booted successfully - [x] All Prometheus exporters reporting up - [x] Logs flowing to Loki via Promtail - [x] DNS resolution working (tested with dig) - [x] NSD running with zone data - [x] homelab-deploy listener connected to NATS ## Post-merge 1. Delete old ns2 VM in Proxmox 2. Update ns1 to sync zone serials (ns2 currently has newer serial from feature branch)
torjus added 2 commits 2026-02-07 19:07:24 +00:00
ns2: migrate to OpenTofu management
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details
536daee4c7 
- Remove hosts/template/ (legacy template1) and give each legacy host
  its own hardware-configuration.nix copy
- Recreate ns2 using create-host with template2 base
- Add secondary DNS services (NSD + Unbound resolver)
- Configure Vault policy for shared DNS secrets
- Fix create-host IP uniqueness validator to check CIDR notation
  (prevents false positives from DNS resolver entries)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add plan for configuring template2 with nix cache
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Details
Run nix flake check / flake-check (pull_request) Failing after 1s
Details
38c104ea8c 
Bootstrap times can be improved by configuring the base template
to use the local nix cache during initial builds.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus merged commit 4e8ecb8a99 into master 2026-02-07 19:07:33 +00:00
torjus deleted branch migrate-ns2-opentofu 2026-02-07 19:07:33 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
torjus
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: torjus/nixos-servers#33
Delete Branch "migrate-ns2-opentofu"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?