gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: migrate away from old nf-deploy script

Browse source
This commit is contained in:
arcnmx 2024-01-29 11:33:15 -08:00
parent fcdba6ed34
commit ad78295a06
8 changed files with 223 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -2,6 +2,7 @@ keys:
- &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc
- &mew 65BD3044771CB6FB - &mew 65BD3044771CB6FB
- &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
- &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
- &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
@ -17,6 +18,7 @@ creation_rules:
- *mew - *mew
age: &reisen_common age: &reisen_common
- *hakurei_osh - *hakurei_osh
- *reimu_osh
- *tei_osh - *tei_osh
- *mediabox_osh - *mediabox_osh
- path_regex: 'systems/hakurei/secrets\.yaml$' - path_regex: 'systems/hakurei/secrets\.yaml$'
@ -25,6 +27,12 @@ creation_rules:
- pgp: *pgp_common - pgp: *pgp_common
age: age:
- *hakurei_osh - *hakurei_osh
- path_regex: 'systems/reimu/secrets\.yaml$'
shamir_threshold: 1
key_groups:
- pgp: *pgp_common
age:
- *reimu_osh
- path_regex: 'systems/tewi/secrets\.yaml$' - path_regex: 'systems/tewi/secrets\.yaml$'
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:

22
devShell.nix
View file

@ -22,8 +22,20 @@
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@" exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@"
''; '';
nf-setup-reisen = pkgs.writeShellScriptBin "nf-setup-reisen" '' nf-setup-node = pkgs.writeShellScriptBin "nf-setup-node" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-reisen" -- "$@" exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-node" -- "$@"
'';
nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-sops-keyscan" -- "$@"
'';
nf-ssh = pkgs.writeShellScriptBin "nf-ssh" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-ssh" -- "$@"
'';
nf-build = pkgs.writeShellScriptBin "nf-build" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-build" -- "$@"
'';
nf-tarball = pkgs.writeShellScriptBin "nf-tarball" ''
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-tarball" -- "$@"
''; '';
nf-tf = pkgs.writeShellScriptBin "nf-tf" '' nf-tf = pkgs.writeShellScriptBin "nf-tf" ''
cd "$NF_CONFIG_ROOT/tf" cd "$NF_CONFIG_ROOT/tf"
@ -76,7 +88,11 @@ in
nf-actions-test nf-actions-test
nf-update nf-update
nf-deploy nf-deploy
nf-setup-reisen nf-setup-node
nf-sops-keyscan
nf-ssh
nf-build
nf-tarball
nf-tf nf-tf
nf-lint-tf nf-lint-tf
nf-lint-nix nf-lint-nix

134
packages/default.nix
View file

@ -4,7 +4,7 @@
lib, lib,
}: let }: let
inherit (lib.meta) getExe; inherit (lib.meta) getExe;
inherit (lib.strings) concatStringsSep concatMapStringsSep; inherit (inputs.std.lib) string list;
packages = inputs.self.packages.${system}; packages = inputs.self.packages.${system};
inherit (inputs.self.legacyPackages.${system}) pkgs; inherit (inputs.self.legacyPackages.${system}) pkgs;
fmt = import ../ci/fmt.nix; fmt = import ../ci/fmt.nix;
@ -12,21 +12,131 @@
inherit (pkgs.buildPackages) inherit (pkgs.buildPackages)
terraform tflint terraform tflint
alejandra deadnix statix alejandra deadnix statix
ssh-to-age jq
; ;
inherit (inputs.deploy-rs.packages.${system}) deploy-rs; inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@" exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@"
''; '';
nf-setup-reisen = let nf-setup-node = let
bin = ../../systems/reisen/bin; reisen = ../systems/reisen;
in pkgs.writeShellScriptBin "nf-setup-reisen" '' inherit (inputs.self.nixosConfigurations.hakurei.config.users.users) arc kat;
ssh root@reisen env \ authorizedKeys = string.intercalate "\n" (arc.openssh.authorizedKeys.keys ++ kat.openssh.authorizedKeys.keys);
INPUT_INFRA_SETUP="$(base64 -w0 < ${bin + "/setup.sh"})" \ in pkgs.writeShellScriptBin "nf-setup-node" ''
INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${bin + "/putfile64.sh"})" \ set -eu
INPUT_INFRA_PVE="$(base64 -w0 < ${bin + "/pve.sh"})" \ SETUP_HOSTNAME=''${1-reisen}
INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${bin + "/lxc-config.sh"})" \ export INPUT_ROOT_SSH_AUTHORIZEDKEYS=${string.escapeShellArg authorizedKeys}
exec ssh root@$SETUP_HOSTNAME env \
INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \
INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \
INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \
INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \
INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \
INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${reisen + "/bin/lxc-config.sh"})" \
"bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\"" "bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
''; '';
nf-hostname = pkgs.writeShellScriptBin "nf-hostname" ''
set -eu
DEPLOY_USER=
if [[ $# -gt 1 ]]; then
ARG_NODE=$1
ARG_HOSTNAME=$2
shift 2
else
ARG_HOSTNAME=$1
shift
ARG_NODE=''${ARG_HOSTNAME%%.*}
if [[ $ARG_HOSTNAME = $ARG_NODE ]]; then
if DEPLOY_HOSTNAME=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.hostname" 2>/dev/null); then
DEPLOY_USER=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshUser" 2>/dev/null || true)
ARG_HOSTNAME=$DEPLOY_HOSTNAME
if ! timeout 2 ping -c1 "$DEPLOY_HOSTNAME" >/dev/null 2>&1; then
ARG_HOSTNAME="$ARG_NODE.local"
fi
else
ARG_HOSTNAME="$ARG_NODE.local"
fi
fi
fi
if ! timeout 2 ping -c1 "$ARG_HOSTNAME" >/dev/null 2>&1; then
LOCAL_HOSTNAME=$ARG_NODE.local.gensokyo.zone
TAIL_HOSTNAME=$ARG_NODE.tail.gensokyo.zone
GLOBAL_HOSTNAME=$ARG_NODE.gensokyo.zone
if timeout 2 ping -c1 "$LOCAL_HOSTNAME" >/dev/null 2>&1; then
ARG_HOSTNAME=$LOCAL_HOSTNAME
elif timeout 2 ping -c1 "$TAIL_HOSTNAME" >/dev/null 2>&1; then
ARG_HOSTNAME=$TAIL_HOSTNAME
elif timeout 2 ping -c1 "$GLOBAL_HOSTNAME" >/dev/null 2>&1; then
ARG_HOSTNAME=$GLOBAL_HOSTNAME
fi
fi
echo "''${DEPLOY_USER-}''${DEPLOY_USER+@}$ARG_HOSTNAME"
'';
nf-sshopts = pkgs.writeShellScriptBin "nf-sshopts" ''
set -eu
ARG_HOSTNAME=$1
ARG_NODE=''${ARG_HOSTNAME%%.*}
if DEPLOY_SSHOPTS=$(nix eval --json "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshOpts" 2>/dev/null); then
SSHOPTS=($(${getExe packages.jq} -r '.[]' <<<"$DEPLOY_SSHOPTS"))
echo "''${SSHOPTS[*]}"
elif [[ $ARG_NODE = reisen ]]; then
SSHOPTS=()
else
SSHOPTS=(''${NIX_SSHOPTS--p62954})
fi
if [[ $ARG_NODE = ct || $ARG_NODE = reisen-ct ]]; then
SSHOPTS+=(-oUpdateHostKeys=no -oStrictHostKeyChecking=off)
else
SSHOPTS+=(-oHostKeyAlias=$ARG_NODE.gensokyo.zone)
fi
echo "''${SSHOPTS[*]}"
'';
nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" ''
set -eu
ARG_NODE=$1
shift
ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE")
ssh-keyscan ''${NIX_SSHOPTS--p62954} "''${ARG_HOSTNAME#*@}" "$@" | ${getExe packages.ssh-to-age}
'';
nf-ssh = pkgs.writeShellScriptBin "nf-ssh" ''
set -eu
ARG_NODE=$1
ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE")
NIX_SSHOPTS=$(${getExe packages.nf-sshopts} "$ARG_NODE")
exec ssh $NIX_SSHOPTS "$ARG_HOSTNAME"
'';
nf-build = pkgs.writeShellScriptBin "nf-build" ''
set -eu
ARG_NODE=$1
shift
exec nix build --no-link --print-out-paths \
"''${NF_CONFIG_ROOT-${toString ../.}}#nixosConfigurations.$ARG_NODE.config.system.build.toplevel" \
--show-trace "$@"
'';
nf-tarball = pkgs.writeShellScriptBin "nf-tarball" ''
set -eu
if [[ $# -gt 0 ]]; then
ARG_NODE=$1
shift
else
ARG_NODE=ct
fi
ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config
RESULT=$(nix build --no-link --print-out-paths \
"''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball" \
--show-trace "$@")
if [[ $ARG_NODE = ct ]]; then
DATESTAMP=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#inputs.nixpkgs.sourceInfo.lastModifiedDate")
DATENAME=''${DATESTAMP:0:4}''${DATESTAMP:4:2}''${DATESTAMP:6:2}
SYSARCH=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.nixpkgs.system")
TAREXT=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball.extension")
TARNAME=nixos-system-$SYSARCH.tar$TAREXT
OUTNAME="ct-$DATENAME-$TARNAME"
ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME"
echo $OUTNAME
ls -l $OUTNAME
fi
'';
nf-statix = pkgs.writeShellScriptBin "nf-statix" '' nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
if [[ $# -eq 0 ]]; then if [[ $# -eq 0 ]]; then
set -- check set -- check
@ -41,7 +151,7 @@
''; '';
nf-deadnix = let nf-deadnix = let
inherit (fmt.nix) blacklistDirs; inherit (fmt.nix) blacklistDirs;
excludes = "${getExe pkgs.buildPackages.findutils} ${concatStringsSep " " blacklistDirs} -type f"; excludes = "${getExe pkgs.buildPackages.findutils} ${string.intercalate " " blacklistDirs} -type f";
in pkgs.writeShellScriptBin "nf-deadnix" '' in pkgs.writeShellScriptBin "nf-deadnix" ''
exec ${getExe packages.deadnix} "$@" \ exec ${getExe packages.deadnix} "$@" \
--no-lambda-arg \ --no-lambda-arg \
@ -49,7 +159,7 @@
''; '';
nf-alejandra = let nf-alejandra = let
inherit (fmt.nix) blacklistDirs; inherit (fmt.nix) blacklistDirs;
excludes = concatMapStringsSep " " (dir: "--exclude ${dir}") blacklistDirs; excludes = string.intercalate " " (list.map (dir: "--exclude ${dir}") blacklistDirs);
in pkgs.writeShellScriptBin "nf-alejandra" '' in pkgs.writeShellScriptBin "nf-alejandra" ''
exec ${getExe packages.alejandra} \ exec ${getExe packages.alejandra} \
${excludes} \ ${excludes} \
@ -65,7 +175,7 @@
''; '';
nf-fmt-nix = let nf-fmt-nix = let
inherit (fmt.nix) whitelist; inherit (fmt.nix) whitelist;
includes = concatStringsSep " " whitelist; includes = string.intercalate " " whitelist;
in pkgs.writeShellScriptBin "nf-fmt-nix" '' in pkgs.writeShellScriptBin "nf-fmt-nix" ''
exec ${getExe packages.nf-alejandra} ${includes} "$@" exec ${getExe packages.nf-alejandra} ${includes} "$@"
''; '';

2
patchedInputs.nix
View file

@ -20,5 +20,7 @@ in
sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg="; sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg=";
}) })
]; ];
} // {
inherit (inputs.nixpkgs) sourceInfo;
}; };
} }

8
readme.md
View file

@ -25,6 +25,8 @@ The `-s` disables flake checks.
deploy -s .#<hostname> deploy -s .#<hostname>
# with trace # with trace
deploy -s .#<hostname> -- --show-trace deploy -s .#<hostname> -- --show-trace
# deploy a fresh container
deploy -s .#<hostname> --hostname ct.local
``` ```
## Editing Secrets ## Editing Secrets
@ -36,7 +38,9 @@ sops nixos/systems/tewi/secrets.yaml
### Adding Hosts ### Adding Hosts
```shell ```shell
NF_ADDR=10.1.1.xxx nf-deploy sops-keyscan nf-sops-keyscan <hostname>
# or on a fresh container...
nf-sops-keyscan ct.local
vim .sops.yaml vim .sops.yaml
``` ```
@ -45,5 +49,5 @@ vim .sops.yaml
### Template ### Template
```shell ```shell
NF_HOST=ct nf-deploy tarball nf-tarball ct
``` ```

26
systems/reisen/bin/setup.sh
View file

@ -1,26 +0,0 @@
#!/usr/bin/env bash
set -eu
if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2
groupadd -g 1001 tf
useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
passwd tf
pveum user add tf@pam --firstname Terraform --lastname Cloud
pveum acl modify / --users tf@pam --roles PVEVMAdmin
mkdir -p /home/tf/.ssh
cat > /home/tf/.ssh/authorized_keys <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox"
chown -R tf:tf /home/tf
chmod -R og= /home/tf/.ssh
fi
mkdir -p /opt/infra/bin
base64 -d > /opt/infra/bin/putfile64 <<<"$INPUT_INFRA_PUTFILE64"
base64 -d > /opt/infra/bin/pve <<<"$INPUT_INFRA_PVE"
base64 -d > /opt/infra/bin/lxc-config <<<"$INPUT_INFRA_LXC_CONFIG"
chmod u+x /opt/infra/bin/*
chmod og-rwx /opt/infra/bin/*
cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
EOF

65
systems/reisen/setup.sh Normal file
View file

@ -0,0 +1,65 @@
#!/usr/bin/env bash
set -eu
pveversion >&2
echo "on $(hostname -f), press enter to continue" >&2
read
ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys)
TMP_KEYFILE=$(mktemp --tmpdir)
cat > $TMP_KEYFILE <<EOF
$ROOT_AUTHORIZED_KEYS
EOF
base64 -d >> $TMP_KEYFILE <<EOF
$INPUT_ROOT_SSH_AUTHORIZEDKEYS
EOF
cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
rm $TMP_KEYFILE
if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2
groupadd -g 1001 tf
useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
passwd tf
mkdir -m 0700 /home/tf
chown tf:tf /home/tf
fi
mkdir -m 0755 -p /home/tf/.ssh
base64 -d > /home/tf/.ssh/authorized_keys <<EOF
$INPUT_TF_SSH_AUTHORIZEDKEYS
EOF
chown -R tf:tf /home/tf/.ssh
if ! pveum user list --noborder --noheader | grep -q tf@pam; then
pveum user add tf@pam --firstname Terraform --lastname Cloud
fi
echo setting up pve terraform role... >&2
# https://pve.proxmox.com/wiki/User_Management#_privileges
TF_ROLE_PRIVS=(
Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
Sys.Audit
VM.Audit VM.Allocate
VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.PowerMgmt
Datastore.Audit Datastore.Allocate Datastore.AllocateSpace
)
pveum role delete Terraform 2> /dev/null || true
pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
pveum acl modify / --users tf@pam --roles Terraform
mkdir -m 0755 -p /opt/infra/bin
base64 -d > /opt/infra/bin/putfile64 <<EOF
$INPUT_INFRA_PUTFILE64
EOF
base64 -d > /opt/infra/bin/pve <<EOF
$INPUT_INFRA_PVE
EOF
base64 -d > /opt/infra/bin/lxc-config <<EOF
$INPUT_INFRA_LXC_CONFIG
EOF
chmod 0770 /opt/infra/bin/*
cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
EOF

1
systems/reisen/tf.authorized_keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox