From ad78295a0651a040392ddea33d5dce2c14732863 Mon Sep 17 00:00:00 2001 From: arcnmx Date: Mon, 29 Jan 2024 11:33:15 -0800 Subject: [PATCH] chore: migrate away from old nf-deploy script --- .sops.yaml | 8 ++ devShell.nix | 22 ++++- packages/default.nix | 134 +++++++++++++++++++++++++++--- patchedInputs.nix | 2 + readme.md | 8 +- systems/reisen/bin/setup.sh | 26 ------ systems/reisen/setup.sh | 65 +++++++++++++++ systems/reisen/tf.authorized_keys | 1 + 8 files changed, 223 insertions(+), 43 deletions(-) delete mode 100644 systems/reisen/bin/setup.sh create mode 100644 systems/reisen/setup.sh create mode 100644 systems/reisen/tf.authorized_keys diff --git a/.sops.yaml b/.sops.yaml index cffb2d17..557dcab8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &mew 65BD3044771CB6FB - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq +- &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr @@ -17,6 +18,7 @@ creation_rules: - *mew age: &reisen_common - *hakurei_osh + - *reimu_osh - *tei_osh - *mediabox_osh - path_regex: 'systems/hakurei/secrets\.yaml$' @@ -25,6 +27,12 @@ creation_rules: - pgp: *pgp_common age: - *hakurei_osh +- path_regex: 'systems/reimu/secrets\.yaml$' + shamir_threshold: 1 + key_groups: + - pgp: *pgp_common + age: + - *reimu_osh - path_regex: 'systems/tewi/secrets\.yaml$' shamir_threshold: 1 key_groups: diff --git a/devShell.nix b/devShell.nix index deee849f..3b956e43 100644 --- a/devShell.nix +++ b/devShell.nix 
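Review bot: Adding `*reimu_osh` to the `reisen_common` anchor and the new `systems/reimu/secrets\.yaml` rule only governs future encryptions; the existing `secrets.yaml` files that fall under the `reisen_common` rules are not re-encrypted in this commit (none appear in the diffstat), so the new age key cannot decrypt them until `sops updatekeys` is run on each of them. Consider including the re-encrypted files in this change or noting that step in the commit message.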
@@ -22,8 +22,20 @@ nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@" ''; - nf-setup-reisen = pkgs.writeShellScriptBin "nf-setup-reisen" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-reisen" -- "$@" + nf-setup-node = pkgs.writeShellScriptBin "nf-setup-node" '' + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-node" -- "$@" + ''; + nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" '' + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-sops-keyscan" -- "$@" + ''; + nf-ssh = pkgs.writeShellScriptBin "nf-ssh" '' + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-ssh" -- "$@" + ''; + nf-build = pkgs.writeShellScriptBin "nf-build" '' + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-build" -- "$@" + ''; + nf-tarball = pkgs.writeShellScriptBin "nf-tarball" '' + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-tarball" -- "$@" ''; nf-tf = pkgs.writeShellScriptBin "nf-tf" '' cd "$NF_CONFIG_ROOT/tf" @@ -76,7 +88,11 @@ in nf-actions-test nf-update nf-deploy - nf-setup-reisen + nf-setup-node + nf-sops-keyscan + nf-ssh + nf-build + nf-tarball nf-tf nf-lint-tf nf-lint-nix diff --git a/packages/default.nix b/packages/default.nix index c7db4e88..d6169218 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -4,7 +4,7 @@ lib, }: let inherit (lib.meta) getExe; - inherit (lib.strings) concatStringsSep concatMapStringsSep; + inherit (inputs.std.lib) string list; packages = inputs.self.packages.${system}; inherit (inputs.self.legacyPackages.${system}) pkgs; fmt = import ../ci/fmt.nix; 
@@ -12,21 +12,131 @@ inherit (pkgs.buildPackages) terraform tflint alejandra deadnix statix + ssh-to-age jq ; inherit (inputs.deploy-rs.packages.${system}) deploy-rs; nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@" ''; - nf-setup-reisen = let - bin = ../../systems/reisen/bin; - in pkgs.writeShellScriptBin "nf-setup-reisen" '' - ssh root@reisen env \ - INPUT_INFRA_SETUP="$(base64 -w0 < ${bin + "/setup.sh"})" \ - INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${bin + "/putfile64.sh"})" \ - INPUT_INFRA_PVE="$(base64 -w0 < ${bin + "/pve.sh"})" \ - INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${bin + "/lxc-config.sh"})" \ + nf-setup-node = let + reisen = ../systems/reisen; + inherit (inputs.self.nixosConfigurations.hakurei.config.users.users) arc kat; + authorizedKeys = string.intercalate "\n" (arc.openssh.authorizedKeys.keys ++ kat.openssh.authorizedKeys.keys); + in pkgs.writeShellScriptBin "nf-setup-node" '' + set -eu + SETUP_HOSTNAME=''${1-reisen} + export INPUT_ROOT_SSH_AUTHORIZEDKEYS=${string.escapeShellArg authorizedKeys} + exec ssh root@$SETUP_HOSTNAME env \ + INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \ + INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \ + INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \ + INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \ + INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \ + INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${reisen + "/bin/lxc-config.sh"})" \ "bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\"" ''; + nf-hostname = pkgs.writeShellScriptBin "nf-hostname" '' + set -eu + DEPLOY_USER= + if [[ $# -gt 1 ]]; then + ARG_NODE=$1 + ARG_HOSTNAME=$2 + shift 2 + else + ARG_HOSTNAME=$1 + shift + ARG_NODE=''${ARG_HOSTNAME%%.*} + if [[ $ARG_HOSTNAME = $ARG_NODE ]]; then + if DEPLOY_HOSTNAME=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString 
../.}}"#"deploy.nodes.$ARG_HOSTNAME.hostname" 2>/dev/null); then + DEPLOY_USER=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshUser" 2>/dev/null || true) + ARG_HOSTNAME=$DEPLOY_HOSTNAME + if ! timeout 2 ping -c1 "$DEPLOY_HOSTNAME" >/dev/null 2>&1; then + ARG_HOSTNAME="$ARG_NODE.local" + fi + else + ARG_HOSTNAME="$ARG_NODE.local" + fi + fi + fi + if ! timeout 2 ping -c1 "$ARG_HOSTNAME" >/dev/null 2>&1; then + LOCAL_HOSTNAME=$ARG_NODE.local.gensokyo.zone + TAIL_HOSTNAME=$ARG_NODE.tail.gensokyo.zone + GLOBAL_HOSTNAME=$ARG_NODE.gensokyo.zone + if timeout 2 ping -c1 "$LOCAL_HOSTNAME" >/dev/null 2>&1; then + ARG_HOSTNAME=$LOCAL_HOSTNAME + elif timeout 2 ping -c1 "$TAIL_HOSTNAME" >/dev/null 2>&1; then + ARG_HOSTNAME=$TAIL_HOSTNAME + elif timeout 2 ping -c1 "$GLOBAL_HOSTNAME" >/dev/null 2>&1; then + ARG_HOSTNAME=$GLOBAL_HOSTNAME + fi + fi + echo "''${DEPLOY_USER-}''${DEPLOY_USER+@}$ARG_HOSTNAME" + ''; + nf-sshopts = pkgs.writeShellScriptBin "nf-sshopts" '' + set -eu + ARG_HOSTNAME=$1 + ARG_NODE=''${ARG_HOSTNAME%%.*} + if DEPLOY_SSHOPTS=$(nix eval --json "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshOpts" 2>/dev/null); then + SSHOPTS=($(${getExe packages.jq} -r '.[]' <<<"$DEPLOY_SSHOPTS")) + echo "''${SSHOPTS[*]}" + elif [[ $ARG_NODE = reisen ]]; then + SSHOPTS=() + else + SSHOPTS=(''${NIX_SSHOPTS--p62954}) + fi + if [[ $ARG_NODE = ct || $ARG_NODE = reisen-ct ]]; then + SSHOPTS+=(-oUpdateHostKeys=no -oStrictHostKeyChecking=off) + else + SSHOPTS+=(-oHostKeyAlias=$ARG_NODE.gensokyo.zone) + fi + echo "''${SSHOPTS[*]}" + ''; + nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" '' + set -eu + ARG_NODE=$1 + shift + ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE") + ssh-keyscan ''${NIX_SSHOPTS--p62954} "''${ARG_HOSTNAME#*@}" "$@" | ${getExe packages.ssh-to-age} + ''; + nf-ssh = pkgs.writeShellScriptBin "nf-ssh" '' + set -eu + ARG_NODE=$1 + ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE") + 
NIX_SSHOPTS=$(${getExe packages.nf-sshopts} "$ARG_NODE") + exec ssh $NIX_SSHOPTS "$ARG_HOSTNAME" + ''; + nf-build = pkgs.writeShellScriptBin "nf-build" '' + set -eu + ARG_NODE=$1 + shift + exec nix build --no-link --print-out-paths \ + "''${NF_CONFIG_ROOT-${toString ../.}}#nixosConfigurations.$ARG_NODE.config.system.build.toplevel" \ + --show-trace "$@" + ''; + nf-tarball = pkgs.writeShellScriptBin "nf-tarball" '' + set -eu + if [[ $# -gt 0 ]]; then + ARG_NODE=$1 + shift + else + ARG_NODE=ct + fi + ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config + RESULT=$(nix build --no-link --print-out-paths \ + "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball" \ + --show-trace "$@") + if [[ $ARG_NODE = ct ]]; then + DATESTAMP=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#inputs.nixpkgs.sourceInfo.lastModifiedDate") + DATENAME=''${DATESTAMP:0:4}''${DATESTAMP:4:2}''${DATESTAMP:6:2} + SYSARCH=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.nixpkgs.system") + TAREXT=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball.extension") + TARNAME=nixos-system-$SYSARCH.tar$TAREXT + OUTNAME="ct-$DATENAME-$TARNAME" + ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME" + echo $OUTNAME + ls -l $OUTNAME + fi + ''; nf-statix = pkgs.writeShellScriptBin "nf-statix" '' if [[ $# -eq 0 ]]; then set -- check @@ -41,7 +151,7 @@ ''; nf-deadnix = let inherit (fmt.nix) blacklistDirs; - excludes = "${getExe pkgs.buildPackages.findutils} ${concatStringsSep " " blacklistDirs} -type f"; + excludes = "${getExe pkgs.buildPackages.findutils} ${string.intercalate " " blacklistDirs} -type f"; in pkgs.writeShellScriptBin "nf-deadnix" '' exec ${getExe packages.deadnix} "$@" \ --no-lambda-arg \ 
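Review bot: In `nf-sshopts`, the `echo "''${SSHOPTS[*]}"` inside the first `if` branch is left in place ahead of the final `echo`, so whenever `deploy.nodes.<node>.sshOpts` evaluates the script prints the options twice (once without and once with the `-oHostKeyAlias` entry); `nf-ssh` captures both lines into `NIX_SSHOPTS` and word-splits them onto the `ssh` command line, duplicating every option. Drop the `echo` inside that branch and keep only the trailing one. `nf-sops-keyscan` also bypasses `nf-sshopts` and defaults to `-p62954`, while `nf-sshopts` gives `reisen` no port option at all, so the keyscan may not be talking to the same sshd the deploy path uses; deriving the port from one source would keep them consistent. Because `ct`/`reisen-ct` are contacted with `-oStrictHostKeyChecking=off` and `ssh-keyscan` trusts whichever host answers the name (the `.local` fallback in `nf-hostname` is resolved on the LAN), the scanned key should be checked against the fingerprint shown on the container's console before it is committed to `.sops.yaml`. The enclosing `let` binding of packages/default.nix starts before this hunk.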
@@ -49,7 +159,7 @@ ''; nf-alejandra = let inherit (fmt.nix) blacklistDirs; - excludes = concatMapStringsSep " " (dir: "--exclude ${dir}") blacklistDirs; + excludes = string.intercalate " " (list.map (dir: "--exclude ${dir}") blacklistDirs); in pkgs.writeShellScriptBin "nf-alejandra" '' exec ${getExe packages.alejandra} \ ${excludes} \ @@ -65,7 +175,7 @@ ''; nf-fmt-nix = let inherit (fmt.nix) whitelist; - includes = concatStringsSep " " whitelist; + includes = string.intercalate " " whitelist; in pkgs.writeShellScriptBin "nf-fmt-nix" '' exec ${getExe packages.nf-alejandra} ${includes} "$@" ''; diff --git a/patchedInputs.nix b/patchedInputs.nix index ae6c82b7..29172dd9 100644 --- a/patchedInputs.nix +++ b/patchedInputs.nix @@ -20,5 +20,7 @@ in sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg="; }) ]; + } // { + inherit (inputs.nixpkgs) sourceInfo; }; } diff --git a/readme.md b/readme.md index 7e9ca84c..b6cf5657 100644 --- a/readme.md +++ b/readme.md @@ -25,6 +25,8 @@ The `-s` disables flake checks. deploy -s .# # with trace deploy -s .# -- --show-trace +# deploy a fresh container +deploy -s .# --hostname ct.local ``` ## Editing Secrets @@ -36,7 +38,9 @@ sops nixos/systems/tewi/secrets.yaml ### Adding Hosts ```shell -NF_ADDR=10.1.1.xxx nf-deploy sops-keyscan +nf-sops-keyscan +# or on a fresh container... +nf-sops-keyscan ct.local vim .sops.yaml ``` @@ -45,5 +49,5 @@ vim .sops.yaml ### Template ```shell -NF_HOST=ct nf-deploy tarball +nf-tarball ct ``` diff --git a/systems/reisen/bin/setup.sh b/systems/reisen/bin/setup.sh deleted file mode 100644 index 5825660f..00000000 --- a/systems/reisen/bin/setup.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/env bash -set -eu - -if [[ ! -d /home/tf ]]; then - echo setting up pve terraform user... >&2 - groupadd -g 1001 tf - useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf - passwd tf - pveum user add tf@pam --firstname Terraform --lastname Cloud - pveum acl modify / --users tf@pam --roles PVEVMAdmin - mkdir -p /home/tf/.ssh - cat > /home/tf/.ssh/authorized_keys <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox" - chown -R tf:tf /home/tf - chmod -R og= /home/tf/.ssh -fi - -mkdir -p /opt/infra/bin -base64 -d > /opt/infra/bin/putfile64 <<<"$INPUT_INFRA_PUTFILE64" -base64 -d > /opt/infra/bin/pve <<<"$INPUT_INFRA_PVE" -base64 -d > /opt/infra/bin/lxc-config <<<"$INPUT_INFRA_LXC_CONFIG" -chmod u+x /opt/infra/bin/* -chmod og-rwx /opt/infra/bin/* - -cat > /etc/sudoers.d/tf <&2 +echo "on $(hostname -f), press enter to continue" >&2 +read + +ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys) +TMP_KEYFILE=$(mktemp --tmpdir) +cat > $TMP_KEYFILE <> $TMP_KEYFILE < /etc/pve/priv/authorized_keys +rm $TMP_KEYFILE + +if [[ ! -d /home/tf ]]; then + echo setting up pve terraform user... 
>&2 + groupadd -g 1001 tf + useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf + passwd tf + mkdir -m 0700 /home/tf + chown tf:tf /home/tf +fi + +mkdir -m 0755 -p /home/tf/.ssh +base64 -d > /home/tf/.ssh/authorized_keys <&2 +# https://pve.proxmox.com/wiki/User_Management#_privileges +TF_ROLE_PRIVS=( + Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify + Sys.Audit + VM.Audit VM.Allocate + VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.PowerMgmt + Datastore.Audit Datastore.Allocate Datastore.AllocateSpace +) +pveum role delete Terraform 2> /dev/null || true +pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}" +pveum acl modify / --users tf@pam --roles Terraform + +mkdir -m 0755 -p /opt/infra/bin +base64 -d > /opt/infra/bin/putfile64 < /opt/infra/bin/pve < /opt/infra/bin/lxc-config < /etc/sudoers.d/tf <