From 613c3bb599f51ca29644f2397a0a4681b839510e Mon Sep 17 00:00:00 2001
From: arcnmx <git@git.arcn.mx>
Date: Tue, 6 Feb 2024 09:39:34 -0800
Subject: [PATCH] fix(reisen): roles

---
 packages/default.nix                          |  2 +-
 .../bin/{lxc-config.sh => ct-config.sh}       |  0
 systems/reisen/setup.sh                       | 57 +++++++++++++------
 tf/proxmox_vms.tf                             |  2 +-
 4 files changed, 41 insertions(+), 20 deletions(-)
 rename systems/reisen/bin/{lxc-config.sh => ct-config.sh} (100%)

diff --git a/packages/default.nix b/packages/default.nix
index c507b5ca..47c27df3 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -32,7 +32,7 @@
         INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \
         INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \
         INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \
-        INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${reisen + "/bin/lxc-config.sh"})" \
+        INPUT_INFRA_CT_CONFIG="$(base64 -w0 < ${reisen + "/bin/ct-config.sh"})" \
         "bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
     '';
     nf-hostname = pkgs.writeShellScriptBin "nf-hostname" ''
diff --git a/systems/reisen/bin/lxc-config.sh b/systems/reisen/bin/ct-config.sh
similarity index 100%
rename from systems/reisen/bin/lxc-config.sh
rename to systems/reisen/bin/ct-config.sh
diff --git a/systems/reisen/setup.sh b/systems/reisen/setup.sh
index cedfae11..51927ea6 100644
--- a/systems/reisen/setup.sh
+++ b/systems/reisen/setup.sh
@@ -31,7 +31,10 @@ $INPUT_TF_SSH_AUTHORIZEDKEYS
 EOF
 chown -R tf:tf /home/tf/.ssh
 
-if ! pveum user list --noborder --noheader | grep -q tf@pam; then
+pveum acl delete / --users tf@pam --roles Terraform 2> /dev/null || true
+pveum role delete Terraform 2> /dev/null || true
+
+if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then
 	pveum user add tf@pam --firstname Terraform --lastname Cloud
 fi
 
@@ -39,27 +42,45 @@ echo setting up pve terraform role... >&2
 # https://pve.proxmox.com/wiki/User_Management#_privileges
 TF_ROLE_PRIVS=(
 	Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
-	Sys.Audit
-	VM.Audit VM.Allocate
-	VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.PowerMgmt
-	Datastore.Audit Datastore.Allocate Datastore.AllocateSpace
+	Sys.Audit # Sys.Console Sys.Incoming Sys.Modify Sys.PowerMgmt Sys.Syslog
+	VM.Audit VM.Allocate VM.PowerMgmt
+	VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options
+	VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback # VM.Console VM.Monitor
+	SDN.Audit SDN.Use # SDN.Allocate
+	Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate
+	Mapping.Audit Mapping.Use # Mapping.Modify
+	Pool.Audit # Pool.Allocate
 )
-pveum role delete Terraform 2> /dev/null || true
 pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
 pveum acl modify / --users tf@pam --roles Terraform
 
-mkdir -m 0755 -p /opt/infra/bin
-base64 -d > /opt/infra/bin/putfile64 <<EOF
-$INPUT_INFRA_PUTFILE64
-EOF
-base64 -d > /opt/infra/bin/pve <<EOF
-$INPUT_INFRA_PVE
-EOF
-base64 -d > /opt/infra/bin/lxc-config <<EOF
-$INPUT_INFRA_LXC_CONFIG
-EOF
-chmod 0770 /opt/infra/bin/*
+INFRABIN=/opt/infra/bin
+WRAPPERBIN=/opt/infra/sbin
+SUDOERS_INFRABINS=
+rm -f "$INFRABIN/"* "$WRAPPERBIN/"*
+mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN"
+for infrabin in putfile64 pve ct-config; do
+	infrainput="${infrabin//-/_}"
+	infrainput="INPUT_INFRA_${infrainput^^}"
+	printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin"
+	chmod 0750 "$WRAPPERBIN/$infrabin"
+
+	printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin"
+	chmod 0755 "$INFRABIN/$infrabin"
+
+	SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin"
+done
+
+# provider also needs to be able to run:
+# sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2
+# sudo qm set VMID -scsi0 DATASTORE:disk,etc
+# sudo qm resize VMID scsi0 SIZE
+SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm"
+
+echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile
+echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc
+chown tf:tf /home/tf/.bash{rc,_profile}
 
 cat > /etc/sudoers.d/tf <<EOF
-tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
+tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF
 EOF
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index 6577cbdd..4e245a88 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@@ -77,7 +77,7 @@ resource "terraform_data" "proxmox_reimu_config" {
 
   provisioner "remote-exec" {
     inline = [
-      "sudo /opt/infra/bin/lxc-config ${proxmox_virtual_environment_container.reimu.vm_id} unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' lxc.mount.entry '/dev/net/tun dev/net/tun none bind,optional,create=file' lxc.mount.entry '/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir' lxc.cgroup2.devices.allow 'c 10:200 rwm'",
+      "ct-config ${proxmox_virtual_environment_container.reimu.vm_id} unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' lxc.mount.entry '/dev/net/tun dev/net/tun none bind,optional,create=file' lxc.mount.entry '/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir' lxc.cgroup2.devices.allow 'c 10:200 rwm'",
     ]
   }
 }