diff --git a/systems/reisen/bin/ct-config.sh b/ci/proxmox/bin/ct-config.sh
similarity index 100%
rename from systems/reisen/bin/ct-config.sh
rename to ci/proxmox/bin/ct-config.sh
diff --git a/systems/reisen/bin/mkpam.sh b/ci/proxmox/bin/mkpam.sh
similarity index 100%
rename from systems/reisen/bin/mkpam.sh
rename to ci/proxmox/bin/mkpam.sh
diff --git a/systems/reisen/bin/putfile64.sh b/ci/proxmox/bin/putfile64.sh
similarity index 100%
rename from systems/reisen/bin/putfile64.sh
rename to ci/proxmox/bin/putfile64.sh
diff --git a/systems/reisen/bin/pve.sh b/ci/proxmox/bin/pve.sh
similarity index 100%
rename from systems/reisen/bin/pve.sh
rename to ci/proxmox/bin/pve.sh
diff --git a/systems/reisen/net.auth-rpcgss-module.service.overrides b/ci/proxmox/net.auth-rpcgss-module.service.overrides
similarity index 100%
rename from systems/reisen/net.auth-rpcgss-module.service.overrides
rename to ci/proxmox/net.auth-rpcgss-module.service.overrides
diff --git a/ci/proxmox/setup.sh b/ci/proxmox/setup.sh
new file mode 100644
index 00000000..e7663fc6
--- /dev/null
+++ b/ci/proxmox/setup.sh
@@ -0,0 +1,152 @@ +#!/usr/bin/env bash +set -eu + +pveversion >&2 +echo "on $(hostname -f), press enter to continue" >&2 +read + +ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys) +TMP_KEYFILE=$(mktemp --tmpdir) +cat > $TMP_KEYFILE <> $TMP_KEYFILE < /etc/pve/priv/authorized_keys +rm $TMP_KEYFILE + +base64 -d > /etc/subuid < /etc/subgid <&2 + groupadd -g 1001 tf + useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf + passwd tf + mkdir -m 0700 /home/tf + chown tf:tf /home/tf +fi + +mkdir -m 0755 -p /home/tf/.ssh +base64 -d > /home/tf/.ssh/authorized_keys < /dev/null || true +pveum role delete Terraform 2> /dev/null || true + +if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then + pveum user add tf@pam --firstname Terraform --lastname Cloud +fi + +echo setting up pve terraform role... >&2 +# https://pve.proxmox.com/wiki/User_Management#_privileges +TF_ROLE_PRIVS=( + Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify + Sys.Audit Sys.Modify # Sys.Console Sys.Incoming Sys.PowerMgmt Sys.Syslog + VM.Audit VM.Allocate VM.PowerMgmt + VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options + VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback VM.Console VM.Monitor + SDN.Audit SDN.Use SDN.Allocate + Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate + Mapping.Audit Mapping.Use Mapping.Modify + Pool.Audit # Pool.Allocate +) +pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}" +pveum acl modify / --users tf@pam --roles Terraform + +INFRABIN=/opt/infra/bin +WRAPPERBIN=/opt/infra/sbin +SUDOERS_INFRABINS= +rm -f "$INFRABIN/"* "$WRAPPERBIN/"* +mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN" +for infrabin in $INPUT_INFRABINS; do + infrainput="${infrabin//-/_}" + infrainput="INPUT_INFRA_${infrainput^^}" + printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin" + chmod 0750 
"$WRAPPERBIN/$infrabin" + + printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin" + chmod 0755 "$INFRABIN/$infrabin" + + SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin" +done + +# provider also needs to be able to run: +# sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2 +# sudo qm set VMID -scsi0 DATASTORE:disk,etc +# sudo qm resize VMID scsi0 SIZE +SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm" + +echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile +echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc +chown tf:tf /home/tf/.bash{rc,_profile} + +cat > /etc/sudoers.d/tf <&2 +eval "$(printf '%s\n' "$INPUT_INFRA_SETUP_NODE" | base64 -d)" + +ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/ +mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d +ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/ +base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <&2 -echo "on $(hostname -f), press enter to continue" >&2 -read - -ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys) -TMP_KEYFILE=$(mktemp --tmpdir) -cat > $TMP_KEYFILE <> $TMP_KEYFILE < /etc/pve/priv/authorized_keys -rm $TMP_KEYFILE - -base64 -d > /etc/subuid < /etc/subgid <&2 - groupadd -g 1001 tf - useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf - passwd tf - mkdir -m 0700 /home/tf - chown tf:tf /home/tf -fi - -mkdir -m 0755 -p /home/tf/.ssh -base64 -d > /home/tf/.ssh/authorized_keys < /dev/null || true -pveum role delete Terraform 2> /dev/null || true - -if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then - pveum user add tf@pam --firstname Terraform --lastname Cloud -fi - -echo setting up pve terraform role... 
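Review bot: The loop `for infrabin in $INPUT_INFRABINS; do` now takes tool names from a CI input instead of the former hard-coded list, but each name is used unchecked as a path component under `$WRAPPERBIN`/`$INFRABIN`, as the basis of the indirect variable name `INPUT_INFRA_${infrainput^^}`, and as a comma-joined entry in `SUDOERS_WRAPPERS` that is written into `/etc/sudoers.d/tf`, so a name containing `/`, `..`, whitespace or `,` would place files or sudoers entries where the script does not intend. Restricting names to the character set the old list used keeps the rest of the loop sound: `[[ "$infrabin" =~ ^[A-Za-z0-9_-]+$ ]] || { printf 'invalid infrabin name: %s\n' "$infrabin" >&2; exit 1; }` as the loop's first statement. The unquoted `$INPUT_INFRABINS` is what supplies the word-splitting here, so it should stay unquoted but be documented with a comment such as `# INPUT_INFRABINS: whitespace-separated tool names; one INPUT_INFRA_<NAME> base64 payload per entry`. The assignment `SUDOERS_INFRABINS=` a few lines above appears unused in the visible hunk; the heredoc bodies are not legible in this rendering, so if it is consumed inside one of them this remark does not apply.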
>&2 -# https://pve.proxmox.com/wiki/User_Management#_privileges -TF_ROLE_PRIVS=( - Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify - Sys.Audit Sys.Modify # Sys.Console Sys.Incoming Sys.PowerMgmt Sys.Syslog - VM.Audit VM.Allocate VM.PowerMgmt - VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options - VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback VM.Console VM.Monitor - SDN.Audit SDN.Use SDN.Allocate - Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate - Mapping.Audit Mapping.Use Mapping.Modify - Pool.Audit # Pool.Allocate -) -pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}" -pveum acl modify / --users tf@pam --roles Terraform - -INFRABIN=/opt/infra/bin -WRAPPERBIN=/opt/infra/sbin -SUDOERS_INFRABINS= -rm -f "$INFRABIN/"* "$WRAPPERBIN/"* -mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN" -for infrabin in putfile64 pve mkpam ct-config; do - infrainput="${infrabin//-/_}" - infrainput="INPUT_INFRA_${infrainput^^}" - printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin" - chmod 0750 "$WRAPPERBIN/$infrabin" - - printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin" - chmod 0755 "$INFRABIN/$infrabin" - - SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin" -done - -# provider also needs to be able to run: -# sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2 -# sudo qm set VMID -scsi0 DATASTORE:disk,etc -# sudo qm resize VMID scsi0 SIZE -SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm" - -echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile -echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc -chown tf:tf /home/tf/.bash{rc,_profile} - -cat > /etc/sudoers.d/tf < /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <