gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: migrate away from old nf-deploy script

Browse source
This commit is contained in:
arcnmx 2024-01-29 11:33:15 -08:00
parent fcdba6ed34
commit ad78295a06
8 changed files with 223 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

26
systems/reisen/bin/setup.sh
View file

@ -1,26 +0,0 @@
#!/usr/bin/env bash
set -eu
if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2
groupadd -g 1001 tf
useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
passwd tf
pveum user add tf@pam --firstname Terraform --lastname Cloud
pveum acl modify / --users tf@pam --roles PVEVMAdmin
mkdir -p /home/tf/.ssh
cat > /home/tf/.ssh/authorized_keys <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox"
chown -R tf:tf /home/tf
chmod -R og= /home/tf/.ssh
fi
mkdir -p /opt/infra/bin
base64 -d > /opt/infra/bin/putfile64 <<<"$INPUT_INFRA_PUTFILE64"
base64 -d > /opt/infra/bin/pve <<<"$INPUT_INFRA_PVE"
base64 -d > /opt/infra/bin/lxc-config <<<"$INPUT_INFRA_LXC_CONFIG"
chmod u+x /opt/infra/bin/*
chmod og-rwx /opt/infra/bin/*
cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
EOF

65
systems/reisen/setup.sh Normal file
View file

@ -0,0 +1,65 @@
#!/usr/bin/env bash
set -eu
pveversion >&2
echo "on $(hostname -f), press enter to continue" >&2
read
ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys)
TMP_KEYFILE=$(mktemp --tmpdir)
cat > $TMP_KEYFILE <<EOF
$ROOT_AUTHORIZED_KEYS
EOF
base64 -d >> $TMP_KEYFILE <<EOF
$INPUT_ROOT_SSH_AUTHORIZEDKEYS
EOF
cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
rm $TMP_KEYFILE
if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2
groupadd -g 1001 tf
useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
passwd tf
mkdir -m 0700 /home/tf
chown tf:tf /home/tf
fi
mkdir -m 0755 -p /home/tf/.ssh
base64 -d > /home/tf/.ssh/authorized_keys <<EOF
$INPUT_TF_SSH_AUTHORIZEDKEYS
EOF
chown -R tf:tf /home/tf/.ssh
if ! pveum user list --noborder --noheader | grep -q tf@pam; then
pveum user add tf@pam --firstname Terraform --lastname Cloud
fi
echo setting up pve terraform role... >&2
# https://pve.proxmox.com/wiki/User_Management#_privileges
TF_ROLE_PRIVS=(
Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
Sys.Audit
VM.Audit VM.Allocate
VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.PowerMgmt
Datastore.Audit Datastore.Allocate Datastore.AllocateSpace
)
pveum role delete Terraform 2> /dev/null || true
pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
pveum acl modify / --users tf@pam --roles Terraform
mkdir -m 0755 -p /opt/infra/bin
base64 -d > /opt/infra/bin/putfile64 <<EOF
$INPUT_INFRA_PUTFILE64
EOF
base64 -d > /opt/infra/bin/pve <<EOF
$INPUT_INFRA_PVE
EOF
base64 -d > /opt/infra/bin/lxc-config <<EOF
$INPUT_INFRA_LXC_CONFIG
EOF
chmod 0770 /opt/infra/bin/*
cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
EOF

1
systems/reisen/tf.authorized_keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox