feat(ci): per-node setup

2026-02-09 20:39:18 -08:00 · 2025-09-02 16:08:42 -07:00 · 2025-09-02 16:08:42 -07:00 · fa7cf40195
commit fa7cf40195
parent f095d809c1
12 changed files with 199 additions and 173 deletions
--- a/systems/reisen/bin/ct-config.sh
+++ b/systems/reisen/bin/ct-config.sh
--- a/systems/reisen/bin/mkpam.sh
+++ b/systems/reisen/bin/mkpam.sh
--- a/systems/reisen/bin/putfile64.sh
+++ b/systems/reisen/bin/putfile64.sh
--- a/systems/reisen/bin/pve.sh
+++ b/systems/reisen/bin/pve.sh
--- a/systems/reisen/net.auth-rpcgss-module.service.overrides
+++ b/systems/reisen/net.auth-rpcgss-module.service.overrides
--- a/ci/proxmox/setup.sh
+++ b/ci/proxmox/setup.sh
@ -0,0 +1,152 @@
 #!/usr/bin/env bash
 set -eu
 pveversion >&2
 echo "on $(hostname -f), press enter to continue" >&2
 read
 ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys)
 TMP_KEYFILE=$(mktemp --tmpdir)
 cat > $TMP_KEYFILE <<EOF
 $ROOT_AUTHORIZED_KEYS
 EOF
 base64 -d >> $TMP_KEYFILE <<EOF
 $INPUT_ROOT_SSH_AUTHORIZEDKEYS
 EOF
 cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
 rm $TMP_KEYFILE
 base64 -d > /etc/subuid <<EOF
 $INPUT_SUBUID
 EOF
 base64 -d > /etc/subgid <<EOF
 $INPUT_SUBGID
 EOF
 if [[ ! -d /home/tf ]]; then
 	echo setting up pve terraform user... >&2
 	groupadd -g 1001 tf
 	useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
 	passwd tf
 	mkdir -m 0700 /home/tf
 	chown tf:tf /home/tf
 fi
 mkdir -m 0755 -p /home/tf/.ssh
 base64 -d > /home/tf/.ssh/authorized_keys <<EOF
 $INPUT_TF_SSH_AUTHORIZEDKEYS
 EOF
 chown -R tf:tf /home/tf/.ssh
 pveum acl delete / --users tf@pam --roles Terraform 2> /dev/null || true
 pveum role delete Terraform 2> /dev/null || true
 if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then
 	pveum user add tf@pam --firstname Terraform --lastname Cloud
 fi
 echo setting up pve terraform role... >&2
 # https://pve.proxmox.com/wiki/User_Management#_privileges
 TF_ROLE_PRIVS=(
 	Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
 	Sys.Audit Sys.Modify # Sys.Console Sys.Incoming Sys.PowerMgmt Sys.Syslog
 	VM.Audit VM.Allocate VM.PowerMgmt
 	VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options
 	VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback VM.Console VM.Monitor
 	SDN.Audit SDN.Use SDN.Allocate
 	Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate
 	Mapping.Audit Mapping.Use Mapping.Modify
 	Pool.Audit # Pool.Allocate
 )
 pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
 pveum acl modify / --users tf@pam --roles Terraform
 INFRABIN=/opt/infra/bin
 WRAPPERBIN=/opt/infra/sbin
 SUDOERS_INFRABINS=
 rm -f "$INFRABIN/"* "$WRAPPERBIN/"*
 mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN"
 for infrabin in $INPUT_INFRABINS; do
 	infrainput="${infrabin//-/_}"
 	infrainput="INPUT_INFRA_${infrainput^^}"
 	printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin"
 	chmod 0750 "$WRAPPERBIN/$infrabin"
 	printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin"
 	chmod 0755 "$INFRABIN/$infrabin"
 	SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin"
 done
 # provider also needs to be able to run:
 # sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2
 # sudo qm set VMID -scsi0 DATASTORE:disk,etc
 # sudo qm resize VMID scsi0 SIZE
 SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm"
 echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile
 echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc
 chown tf:tf /home/tf/.bash{rc,_profile}
 cat > /etc/sudoers.d/tf <<EOF
 tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF
 EOF
 if [[ ! -d /rpool/shared ]]; then
 	zfs create rpool/shared
 fi
 if [[ ! -d /rpool/caches ]]; then
 	zfs create rpool/caches
 fi
 mkzfs() {
 	local ZFS_PATH ZFS_MODE ZFS_OWNER ZFS_GROUP
 	ZFS_PATH=$1
 	ZFS_OWNER=$2
 	ZFS_GROUP=$3
 	ZFS_MODE=$4
 	shift 4
 	ZFS_NAME=${ZFS_PATH#/}
 	if [[ $# -gt 0 ]]; then
 		ZFS_NAME=$1
 		shift
 	fi
 	ZFS_ARGS=("$@")
 	if [[ $ZFS_NAME != ${ZFS_PATH#/} ]]; then
 		ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH-none}")
 	fi
 	if [[ -z "$ZFS_PATH" || ! -d "$ZFS_PATH" ]]; then
 		zfs create "$ZFS_NAME" ${ZFS_ARGS[@]+"${ZFS_ARGS[@]}"}
 	fi
 	if [[ -n "$ZFS_PATH" ]]; then
 		chmod "$ZFS_MODE" "$ZFS_PATH"
 		chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
 	fi
 }
 mkshared() {
 	local SHARED_PATH=$1
 	shift
 	mkzfs "/rpool/shared/$SHARED_PATH" "$@"
 }
 mkcache() {
 	local CACHE_PATH=$1
 	shift
 	mkzfs "/rpool/caches/$CACHE_PATH" "$@"
 }
 echo running system setup... >&2
 eval "$(printf '%s\n' "$INPUT_INFRA_SETUP_NODE" | base64 -d)"
 ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
 mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
 ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
 base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <<EOF
 $INPUT_AUTHRPCGSS_OVERRIDES
 EOF
--- a/systems/reisen/subgid
+++ b/systems/reisen/subgid
--- a/systems/reisen/subuid
+++ b/systems/reisen/subuid
--- a/systems/reisen/tf.authorized_keys
+++ b/systems/reisen/tf.authorized_keys
--- a/ci/setup.sh
+++ b/ci/setup.sh
@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 set -eu
-SETUP_HOSTNAME=${1-reisen}
+NF_SETUP_NODE_HOST=${NF_SETUP_NODE_HOST-$NF_SETUP_NODE_NAME}
 NF_SETUP_INPUTS_NAME="NF_SETUP_INPUTS_${NF_SETUP_NODE_NAME}[@]"
-exec ssh root@$SETUP_HOSTNAME env \
+exec ssh root@$NF_SETUP_NODE_HOST env \
-	"${NF_SETUP_INPUTS[@]}" \
+	"${!NF_SETUP_INPUTS_NAME}" \
 	"bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
--- a/packages/default.nix
+++ b/packages/default.nix
@ -60,33 +60,56 @@
    pygrocy = pkgs.python3Packages.callPackage ./grocy/pygrocy.nix { };
    nf-setup-node = let
-      reisen = ../systems/reisen;
+      defaultNodeName = "reisen";
      nodes = {
        reisen = {
          root = ../systems/reisen;
          nodeType = "proxmox";
          userReferenceSystem = "hakurei";
        };
      };
      inherit (inputs.self.lib.lib) userIs;
-      inherit (inputs.self.nixosConfigurations.hakurei.config) users;
+      INPUT_INFRABINS = string.escapeShellArg [ "putfile64" "pve" "mkpam" "ct-config" ];
-      authorizedKeys = list.concatMap (user: user.openssh.authorizedKeys.keys) (
+      inputAuthorizedKeys = userReferenceSystem: let
-        list.filter (userIs "wheel") (set.values users.users)
+        inherit (inputs.self.nixosConfigurations.${userReferenceSystem}.config) users;
-      );
+        authorizedKeys = list.concatMap (user: user.openssh.authorizedKeys.keys) (
-      inputAttrs = {
+          list.filter (userIs "wheel") (set.values users.users)
-        INPUT_ROOT_SSH_AUTHORIZEDKEYS = pkgs.writeText "root.authorized_keys" (
+        );
      in {
        base64path = pkgs.writeText "root.authorized_keys" (
          string.intercalate "\n" authorizedKeys
        );
        INPUT_TF_SSH_AUTHORIZEDKEYS = reisen + "/tf.authorized_keys";
        INPUT_SUBUID = reisen + "/subuid";
        INPUT_SUBGID = reisen + "/subgid";
        INPUT_INFRA_SETUP = reisen + "/setup.sh";
        INPUT_INFRA_PUTFILE64 = reisen + "/bin/putfile64.sh";
        INPUT_INFRA_PVE = reisen + "/bin/pve.sh";
        INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh";
        INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
        INPUT_AUTHRPCGSS_OVERRIDES = reisen + "/net.auth-rpcgss-module.service.overrides";
      };
-      inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs;
+      proxmoxRoot = ../ci/proxmox;
      inputAttrs.proxmox = { root, userReferenceSystem, extraAttrs ? {}, ... }: {
        INPUT_INFRA_SETUP_NODE.base64path = root + "/setup.sh";
        inherit INPUT_INFRABINS;
        INPUT_ROOT_SSH_AUTHORIZEDKEYS = inputAuthorizedKeys userReferenceSystem;
        INPUT_TF_SSH_AUTHORIZEDKEYS.base64path = proxmoxRoot + "/tf.authorized_keys";
        INPUT_SUBUID.base64path = proxmoxRoot + "/subuid";
        INPUT_SUBGID.base64path = proxmoxRoot + "/subgid";
        INPUT_INFRA_SETUP.base64path = proxmoxRoot + "/setup.sh";
        INPUT_INFRA_PUTFILE64.base64path = proxmoxRoot + "/bin/putfile64.sh";
        INPUT_INFRA_PVE.base64path = proxmoxRoot + "/bin/pve.sh";
        INPUT_INFRA_MKPAM.base64path = proxmoxRoot + "/bin/mkpam.sh";
        INPUT_INFRA_CT_CONFIG.base64path = proxmoxRoot + "/bin/ct-config.sh";
        INPUT_AUTHRPCGSS_OVERRIDES.base64path = proxmoxRoot + "/net.auth-rpcgss-module.service.overrides";
      } // extraAttrs;
      inputVars = { nodeType, ... }@node: set.mapToValues (key: input: let
        value =
          if input ? base64path then ''"$(base64 -w0 < ${input.base64path})"''
          else string.escapeShellArg input;
      in ''${key}=${value}'') (inputAttrs.${nodeType} node);
      setInputVars = nodeName: node: ''
        NF_SETUP_NODE_NAME=''${NF_SETUP_NODE_NAME:-''${1-${defaultNodeName}}}
        NF_SETUP_INPUTS_${nodeName}=(
          ${string.intercalate "\n" (inputVars node)}
        )
      '';
    in
      pkgs.writeShellScriptBin "nf-setup-node" ''
        ${exports}
-        NF_SETUP_INPUTS=(
+        ${string.intercalate "\n" (set.mapToValues setInputVars nodes)}
          ${string.intercalate "\n" inputVars}
        )
        source ${../ci/setup.sh}
      '';
    nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
--- a/systems/reisen/setup.sh
+++ b/systems/reisen/setup.sh
@ -1,146 +1,3 @@
 #!/usr/bin/env bash
 set -eu
 pveversion >&2
 echo "on $(hostname -f), press enter to continue" >&2
 read
 ROOT_AUTHORIZED_KEYS=$(grep "@$(hostname)$" /etc/pve/priv/authorized_keys)
 TMP_KEYFILE=$(mktemp --tmpdir)
 cat > $TMP_KEYFILE <<EOF
 $ROOT_AUTHORIZED_KEYS
 EOF
 base64 -d >> $TMP_KEYFILE <<EOF
 $INPUT_ROOT_SSH_AUTHORIZEDKEYS
 EOF
 cat $TMP_KEYFILE > /etc/pve/priv/authorized_keys
 rm $TMP_KEYFILE
 base64 -d > /etc/subuid <<EOF
 $INPUT_SUBUID
 EOF
 base64 -d > /etc/subgid <<EOF
 $INPUT_SUBGID
 EOF
 if [[ ! -d /home/tf ]]; then
 	echo setting up pve terraform user... >&2
 	groupadd -g 1001 tf
 	useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
 	passwd tf
 	mkdir -m 0700 /home/tf
 	chown tf:tf /home/tf
 fi
 mkdir -m 0755 -p /home/tf/.ssh
 base64 -d > /home/tf/.ssh/authorized_keys <<EOF
 $INPUT_TF_SSH_AUTHORIZEDKEYS
 EOF
 chown -R tf:tf /home/tf/.ssh
 pveum acl delete / --users tf@pam --roles Terraform 2> /dev/null || true
 pveum role delete Terraform 2> /dev/null || true
 if ! pveum user list --noborder --noheader 2> /dev/null | grep -q tf@pam; then
 	pveum user add tf@pam --firstname Terraform --lastname Cloud
 fi
 echo setting up pve terraform role... >&2
 # https://pve.proxmox.com/wiki/User_Management#_privileges
 TF_ROLE_PRIVS=(
 	Group.Allocate Realm.AllocateUser User.Modify Permissions.Modify
 	Sys.Audit Sys.Modify # Sys.Console Sys.Incoming Sys.PowerMgmt Sys.Syslog
 	VM.Audit VM.Allocate VM.PowerMgmt
 	VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options
 	VM.Backup VM.Clone VM.Migrate VM.Snapshot VM.Snapshot.Rollback VM.Console VM.Monitor
 	SDN.Audit SDN.Use SDN.Allocate
 	Datastore.Audit Datastore.Allocate Datastore.AllocateSpace # Datastore.AllocateTemplate
 	Mapping.Audit Mapping.Use Mapping.Modify
 	Pool.Audit # Pool.Allocate
 )
 pveum role add Terraform --privs "${TF_ROLE_PRIVS[*]}"
 pveum acl modify / --users tf@pam --roles Terraform
 INFRABIN=/opt/infra/bin
 WRAPPERBIN=/opt/infra/sbin
 SUDOERS_INFRABINS=
 rm -f "$INFRABIN/"* "$WRAPPERBIN/"*
 mkdir -m 0755 -p "$INFRABIN" "$WRAPPERBIN"
 for infrabin in putfile64 pve mkpam ct-config; do
 	infrainput="${infrabin//-/_}"
 	infrainput="INPUT_INFRA_${infrainput^^}"
 	printf '%s\n' "${!infrainput}" | base64 -d > "$WRAPPERBIN/$infrabin"
 	chmod 0750 "$WRAPPERBIN/$infrabin"
 	printf '#!/bin/bash\nsudo "%s" "$@"\n' "$WRAPPERBIN/$infrabin" > "$INFRABIN/$infrabin"
 	chmod 0755 "$INFRABIN/$infrabin"
 	SUDOERS_WRAPPERS="${SUDOERS_WRAPPERS-}${SUDOERS_WRAPPERS:+, }$WRAPPERBIN/$infrabin"
 done
 # provider also needs to be able to run:
 # sudo qm importdisk VMID $(sudo pvesm path local:iso/ISO.iso) DATASTORE -format qcow2
 # sudo qm set VMID -scsi0 DATASTORE:disk,etc
 # sudo qm resize VMID scsi0 SIZE
 SUDOERS_TF="/usr/sbin/pvesm, /usr/sbin/qm"
 echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi' > /home/tf/.bash_profile
 echo "export PATH=\$PATH:$INFRABIN" > /home/tf/.bashrc
 chown tf:tf /home/tf/.bash{rc,_profile}
 cat > /etc/sudoers.d/tf <<EOF
 tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF
 EOF
 if [[ ! -d /rpool/shared ]]; then
 	zfs create rpool/shared
 fi
 if [[ ! -d /rpool/caches ]]; then
 	zfs create rpool/caches
 fi
 mkzfs() {
 	local ZFS_PATH ZFS_MODE ZFS_OWNER ZFS_GROUP
 	ZFS_PATH=$1
 	ZFS_OWNER=$2
 	ZFS_GROUP=$3
 	ZFS_MODE=$4
 	shift 4
 	ZFS_NAME=${ZFS_PATH#/}
 	if [[ $# -gt 0 ]]; then
 		ZFS_NAME=$1
 		shift
 	fi
 	ZFS_ARGS=("$@")
 	if [[ $ZFS_NAME != ${ZFS_PATH#/} ]]; then
 		ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH-none}")
 	fi
 	if [[ -z "$ZFS_PATH" || ! -d "$ZFS_PATH" ]]; then
 		zfs create "$ZFS_NAME" ${ZFS_ARGS[@]+"${ZFS_ARGS[@]}"}
 	fi
 	if [[ -n "$ZFS_PATH" ]]; then
 		chmod "$ZFS_MODE" "$ZFS_PATH"
 		chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
 	fi
 }
 mkshared() {
 	local SHARED_PATH=$1
 	shift
 	mkzfs "/rpool/shared/$SHARED_PATH" "$@"
 }
 mkcache() {
 	local CACHE_PATH=$1
 	shift
 	mkzfs "/rpool/caches/$CACHE_PATH" "$@"
 }
 mkkyuuto() {
 	local KYUUTO_MOUNTNAME KYUUTO_ARGS=()
 	KYUUTO_NAME=$1
@ -216,10 +73,3 @@ for nfsystem in gengetsu mugetsu goliath; do
 		KYUUTO_MOUNT=data/systems/$nfsystem/fs/$nfsystemfs mkkyuuto data/systems/$nfsystem/$nfsystemfs 0 0 0755
 	done
 done
 ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
 mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
 ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
 base64 -d > /etc/systemd/system/auth-rpcgss-module.service.d/overrides.conf <<EOF
 $INPUT_AUTHRPCGSS_OVERRIDES
 EOF