gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(ci): per-node setup

Browse source
This commit is contained in:
arcnmx 2025-09-02 16:08:42 -07:00
parent f095d809c1
commit fa7cf40195
12 changed files with 199 additions and 173 deletions
Download patch file Download diff file Expand all files Collapse all files

48
systems/reisen/bin/ct-config.sh
View file

@ -1,48 +0,0 @@
#!/usr/bin/env bash
set -eu
shopt -s extglob
ARG_VMID=$1
shift
case "$ARG_VMID" in
+([0-9]))
;;
*)
echo unknown vmid "$ARG_VMID" >&2
exit 1
;;
esac
LXC_CONF_PATH="/etc/pve/lxc/$ARG_VMID.conf"
if [[ ! -e $LXC_CONF_PATH ]]; then
echo missing vmid "$ARG_VMID" >&2
exit 1
fi
ARG_VARS=("$@")
EXCLUDE_KEYS=(
-e "^lxc\\."
)
while [[ $# -gt 0 ]]; do
ARG_VAR="$1"
ARG_VALUE="$2"
shift 2
EXCLUDE_KEYS+=(
-e "^${ARG_VAR//./\\.}:"
)
done
set -- "${ARG_VARS[@]}"
LXC_CONF=$(grep -v "${EXCLUDE_KEYS[@]}" "$LXC_CONF_PATH")
cat > "$LXC_CONF_PATH" <<<"$LXC_CONF"
while [[ $# -gt 0 ]]; do
ARG_VAR="$1"
ARG_VALUE="$2"
shift 2
echo "$ARG_VAR: $ARG_VALUE"
done >> "$LXC_CONF_PATH"

40
systems/reisen/bin/mkpam.sh
View file

@ -1,40 +0,0 @@
#!/usr/bin/env bash
set -eu
ARG_NAME=$1
ARG_UID=$2
shift 2
if [[ $ARG_UID != 8??? ]]; then
echo "uid $ARG_UID out of range" >&2
exit 1
fi
id_exists() {
ARG_FILE=$1
if grep -q "^${ARG_NAME}:x:" "${ARG_FILE}"; then
if ! grep -q "^${ARG_NAME}:x:${ARG_UID}:" "${ARG_FILE}"; then
echo "${ARG_NAME} already exists but with unexpected id" >&2
exit 1
fi
return 0
else
return 1
fi
}
if ! id_exists /etc/group; then
echo "creating group $ARG_NAME=$ARG_UID..." >&2
groupadd \
-g "$ARG_UID" \
"$ARG_NAME"
fi
if ! id_exists /etc/passwd; then
echo "creating user $ARG_NAME=$ARG_UID..." >&2
useradd -r \
-M -d /nonexistent -s /usr/sbin/nologin \
-N -g "$ARG_UID" \
-u "$ARG_UID" \
"$ARG_NAME"
fi

37
systems/reisen/bin/putfile64.sh
View file

@ -1,37 +0,0 @@
#!/usr/bin/env bash
set -eu
ARG_DEST=$1
ARG_INPUT_BASE64=$2
case "$ARG_DEST" in
*..*)
echo ugh >&2
exit 1
;;
/etc/network/interfaces*)
ARG_IS_INTERFACES=1
;;
/etc/sysctl.d/*.conf)
ARG_IS_SYSCTL=1
;;
/etc/udev/rules.d/*.rules)
ARG_IS_UDEV=1
;;
*)
echo unsupported destination >&2
exit 1
;;
esac
base64 -d <<<"$ARG_INPUT_BASE64" \
> "$ARG_DEST"
if [[ -n ${ARG_IS_SYSCTL-} ]]; then
sysctl -f "$ARG_DEST"
fi
if [[ -n ${ARG_IS_UDEV-} ]]; then
udevadm control --reload-rules
udevadm trigger
fi

16
systems/reisen/bin/pve.sh
View file

@ -1,16 +0,0 @@
#!/usr/bin/env bash
set -eu
ARG_CMD=$1
shift
case "$ARG_CMD" in
qm|pct|pveum)
;;
*)
echo unsupported pve command "$ARG_CMD" >&2
exit 1
;;
esac
exec "$ARG_CMD" "$@"

2
systems/reisen/net.auth-rpcgss-module.service.overrides
View file

@ -1,2 +0,0 @@
[Unit]
ConditionPathExists=

150
systems/reisen/setup.sh
View file

@ -1,146 +1,3 @@
#!/usr/bin/env bash
set -eu
pveversion >&2
echo "on $(hostname -f), press enter to continue" >&2
read
ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys)
TMP_KEYFILE=$(mktemp --tmpdir)
cat > $TMP_KEYFILE <<EOF
$ROOT_AUTHORIZED_KEYS
EOF
base64 -d >> $TMP_KEYFILE <<EOF
$INPUT_ROOT_SSH_AUTHORIZEDKEYS
EOF
cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
rm $TMP_KEYFILE
base64 -d > /etc/subuid <<EOF
$INPUT_SUBUID
EOF
base64 -d > /etc/subgid <<EOF
$INPUT_SUBGID
EOF
if [[ ! -d /home/tf ]]; then
echo setting up pve terraform user... >&2
groupadd -g 1001 tf
useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
passwd tf
mkdir -m 0700 /home/tf
chown tf:tf /home/tf
fi
mkdir -m 0755 -p /home/tf/.ssh
base64 -d > /home/tf/.ssh/authorized_keys <<EOF
$INPUT_TF_SSH_AUTHORIZEDKEYS
EOF
chown -R tf:tf /home/tf/.ssh
pveum acl delete / --users tf@pam --roles Terraform 2> /dev/null || true
pveum role delete Terraform 2> /dev/null || true
if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then
pveum user add tf@pam --firstname Terraform --lastname Cloud
fi
echo setting up pve terraform role... >&2
# https://pve.proxmox.com/wiki/User_Management#_privileges
TF_ROLE_PRIVS=(
Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
Sys.Audit Sys.Modify # Sys.Console Sys.Incoming Sys.PowerMgmt Sys.Syslog
VM.Audit VM.Allocate VM.PowerMgmt
VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options
VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback VM.Console VM.Monitor
SDN.Audit SDN.Use SDN.Allocate
Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate
Mapping.Audit Mapping.Use Mapping.Modify
Pool.Audit # Pool.Allocate
)
pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
pveum acl modify / --users tf@pam --roles Terraform
INFRABIN=/opt/infra/bin
WRAPPERBIN=/opt/infra/sbin
SUDOERS_INFRABINS=
rm -f "$INFRABIN/"* "$WRAPPERBIN/"*
mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN"
for infrabin in putfile64 pve mkpam ct-config; do
infrainput="${infrabin//-/_}"
infrainput="INPUT_INFRA_${infrainput^^}"
printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin"
chmod 0750 "$WRAPPERBIN/$infrabin"
printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin"
chmod 0755 "$INFRABIN/$infrabin"
SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin"
done
# provider also needs to be able to run:
# sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2
# sudo qm set VMID -scsi0 DATASTORE:disk,etc
# sudo qm resize VMID scsi0 SIZE
SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm"
echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile
echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc
chown tf:tf /home/tf/.bash{rc,_profile}
cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF
EOF
if [[ ! -d /rpool/shared ]]; then
zfs create rpool/shared
fi
if [[ ! -d /rpool/caches ]]; then
zfs create rpool/caches
fi
mkzfs() {
local ZFS_PATH ZFS_MODE ZFS_OWNER ZFS_GROUP
ZFS_PATH=$1
ZFS_OWNER=$2
ZFS_GROUP=$3
ZFS_MODE=$4
shift 4
ZFS_NAME=${ZFS_PATH#/}
if [[ $# -gt 0 ]]; then
ZFS_NAME=$1
shift
fi
ZFS_ARGS=("$@")
if [[ $ZFS_NAME != ${ZFS_PATH#/} ]]; then
ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH-none}")
fi
if [[ -z "$ZFS_PATH" || ! -d "$ZFS_PATH" ]]; then
zfs create "$ZFS_NAME" ${ZFS_ARGS[@]+"${ZFS_ARGS[@]}"}
fi
if [[ -n "$ZFS_PATH" ]]; then
chmod "$ZFS_MODE" "$ZFS_PATH"
chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
fi
}
mkshared() {
local SHARED_PATH=$1
shift
mkzfs "/rpool/shared/$SHARED_PATH" "$@"
}
mkcache() {
local CACHE_PATH=$1
shift
mkzfs "/rpool/caches/$CACHE_PATH" "$@"
}
mkkyuuto() {
local KYUUTO_MOUNTNAME KYUUTO_ARGS=()
KYUUTO_NAME=$1
@ -216,10 +73,3 @@ for nfsystem in gengetsu mugetsu goliath; do
KYUUTO_MOUNT=data/systems/$nfsystem/fs/$nfsystemfs mkkyuuto data/systems/$nfsystem/$nfsystemfs 0 0 0755
done
done
ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <<EOF
$INPUT_AUTHRPCGSS_OVERRIDES
EOF

4
systems/reisen/subgid
View file

@ -1,4 +0,0 @@
root:100000:65536
root:65534:1
root:30000:256
root:8000:256

4
systems/reisen/subuid
View file

@ -1,4 +0,0 @@
root:100000:65536
root:65534:1
root:30000:256
root:8000:128

1
systems/reisen/tf.authorized_keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox