feat(vm): add Debian VM

kube/clusters/biohazard/flux/kustomization.yaml

@@ -115,3 +115,4 @@ resources:
   - ../../../deploy/vm/_kubevirt/
   #- ../../../deploy/vm/_base/
   - ../../../deploy/vm/ad/
+  - ../../../deploy/vm/jj/

kube/deploy/vm/jj/_deps/netpol.yaml

@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: &app vm-jj
+  namespace: *app
+spec:
+  endpointSelector: {}
+  ingress:
+    # Tailscale default port
+    - fromEntities:
+        - all
+      toPorts:
+        - ports:
+            - port: "41641"
+              protocol: UDP
+  egress:
+    # same namespace
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+    # WireGuard to router
+    - toCIDRSet:
+        - cidr: "${IP_ROUTER_LAN}/32"
+      toPorts:
+        - ports:
+            - port: "45678"
+              protocol: UDP
+    # egress to Tailscale default port
+    - toEntities:
+        - all
+      toPorts:
+        - ports:
+            - port: "41641"
+              protocol: UDP
+    # internet
+    - toCIDRSet:
+        - cidr: "0.0.0.0/0"
+          except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"] # private IP ranges should go through WireGuard with OPNsense rules or Tailscale's ACLs, but internet egress should still go through Cilium for DNS netpols and whatnot

kube/deploy/vm/jj/_deps/ns.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vm-jj

kube/deploy/vm/jj/_deps/preference.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: instancetype.kubevirt.io/v1beta1
+kind: VirtualMachinePreference
+metadata:
+  name: "jj" # Windows Server 2022 & Windows 11
+# from https://github.com/kubevirt/kubevirt/blob/2c5e56f2cd0fcde341f47a7da0b94bc812c2f43f/examples/windows.yaml
+spec:
+  preferredSubdomain: "jj"
+  requirements:
+    cpu:
+      guest: 2
+    memory:
+      guest: 8192Mi
+  clock:
+    preferredClockOffset:
+      timezone: "${CONFIG_TZ}"
+  devices:
+    preferredDiskBus: virtio
+    preferredInterfaceModel: virtio
+    preferredTPM:
+      persistent: true
+    preferredAutoattachMemBalloon: false
+    preferredAutoattachGraphicsDevice: true
+    preferredAutoattachSerialConsole: true
+    preferredAutoattachPodInterface: true
+    preferredAutoattachInputDevice: true
+    preferredInputType: "tablet"
+  firmware:
+    preferredUseEfi: true
+  volumes:
+    preferredStorageClassName: "file"
+  preferredTerminationGracePeriodSeconds: 180
+  machine:
+    preferredMachineType: "pc-q35-rhel9.2.0"

kube/deploy/vm/jj/_deps/svc.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "vm-jj"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    vm.home.arpa: "jj"

kube/deploy/vm/jj/_deps/type.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: instancetype.kubevirt.io/v1beta1
+kind: VirtualMachineInstancetype
+metadata:
+  name: "jj"
+spec:
+  cpu:
+    guest: 2
+  memory:
+    guest: 8192Mi

kube/deploy/vm/jj/ks.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: zz-vm-jj-1-deps
+  namespace: flux-system
+spec:
+  path: ./kube/deploy/vm/ad/_deps
+  targetNamespace: "vm-ad"
+  dependsOn:
+    - name: zz-vm-1-kubevirt-app
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: zz-vm-jj-debian-pvc
+  namespace: flux-system
+spec:
+  path: ./kube/deploy/core/storage/volsync/template
+  targetNamespace: "vm-jj"
+  dependsOn:
+    - name: 1-core-storage-volsync-app
+    - name: 1-core-storage-rook-ceph-cluster
+    - name: zz-vm-jj-1-deps
+  postBuild:
+    substitute:
+      PVC: "vm-jj-debian-root"
+      SIZE: "55Gi"
+      VOLUMEMODE: "Filesystem"
+      RUID: &uid "107"
+      RGID: *uid
+      RFSG: *uid
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: zz-vm-jj-debian
+  namespace: flux-system
+  labels:
+    wait.flux.home.arpa/disabled: "true"
+spec:
+  path: ./kube/deploy/vm/jj/template
+  targetNamespace: "vm-jj"
+  dependsOn:
+    - name: zz-vm-1-kubevirt-app
+    - name: zz-vm-jj-1-deps
+    - name: zz-vm-jj-debian-pvc
+  postBuild:
+    substitute:
+      VM: "debian"

kube/deploy/vm/jj/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # - ns.yaml
+  - ks.yaml

kube/deploy/vm/jj/template/svc.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "jj-${VM}"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    vm.home.arpa/jj: "${VM}"

kube/deploy/vm/jj/template/vm.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: "jj-${VM}"
+spec:
+  preference:
+    kind: "VirtualMachinePreference"
+    name: "jj"
+  instancetype:
+    kind: "VirtualMachineInstancetype"
+    name: "jj"
+  runStrategy: "Always"
+  template:
+    metadata:
+      labels:
+        vm.home.arpa: "jj"
+        vm.home.arpa/os: "linux"
+        vm.home.arpa/jj: "${VM}"
+    spec:
+      hostname: "jj-${VM}"
+      networks:
+        - name: "main"
+          pod:
+            vmNetworkCIDR: "${IP_KUBEVIRT_JJ_CIDR_V4}"
+      volumes:
+        - name: "root"
+          persistentVolumeClaim:
+            claimName: "vm-jj-${VM}-root"
+      domain:
+        devices:
+          disks:
+            - name: "root"
+              disk: {}
+          interfaces:
+            - name: "main"
+              masquerade: {}
+              ports:
+                - name: "tailscale"
+                  port: 41641
+                  protocol: "UDP"
+          autoattachInputDevice: true
+          inputs:
+            - name: "tablet1"
+              type: "tablet"
+              bus: "virtio"
+        firmware:
+          bootloader:
+            efi:
+              persistent: true