infra/tasks.py

#!/usr/bin/env python3

import json
import os
import subprocess
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Any, List, Union

from deploykit import DeployGroup, DeployHost
from invoke import task

ROOT = Path(__file__).parent.resolve()
os.chdir(ROOT)


@task
def deploy(c: Any, hosts: str) -> None:
    """
    Use inv deploy --hosts build01,darwin01
    """
    g = DeployGroup(get_hosts(hosts))

    def deploy(h: DeployHost) -> None:
        if "darwin" in h.host:
            command = "sudo -H darwin-rebuild"
            target = f"{h.user}@{h.host}"
        else:
            command = "sudo nixos-rebuild"
            target = f"{h.host}"

        res = subprocess.run(
            ["nix", "flake", "metadata", "--json"],
            text=True,
            check=True,
            stdout=subprocess.PIPE,
        )
        data = json.loads(res.stdout)
        path = data["path"]

        send = (
            "nix flake archive"
            if any(
                (
                    n.get("locked", {}).get("type") == "path"
                    or n.get("locked", {}).get("url", "").startswith("file:")
                )
                for n in data["locks"]["nodes"].values()
            )
            else f"nix copy {path}"
        )

        h.run_local(f"{send} --to ssh://{target}")

        hostname = h.host.replace(".nix-community.org", "")
        h.run(
            f"{command} switch --option accept-flake-config true --flake {path}#{hostname}"
        )

    g.run_function(deploy)


@task
def sotp(c: Any, acct: str) -> None:
    """
    Get TOTP token from sops
    """
    c.run(f"nix develop .#sotp -c sotp {acct}")


@task
def update_sops_files(c: Any) -> None:
    """
    Update all sops yaml files according to sops.nix rules
    """
    with open(f"{ROOT}/.sops.yaml", "w") as f:
        print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)

    c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
    c.run(
        "shopt -s globstar && sops updatekeys --yes **/secrets.yaml modules/secrets/*.yaml"
    )


@task
def print_keys(c: Any, flake_attr: str) -> None:
    """
    Decrypt host private key, print ssh and age public keys. Use inv print-keys --flake-attr build01
    """
    with TemporaryDirectory() as tmpdir:
        decrypt_host_key(flake_attr, tmpdir)
        key = f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"
        pubkey = subprocess.run(
            ["ssh-keygen", "-y", "-f", f"{key}"],
            stdout=subprocess.PIPE,
            text=True,
            check=True,
        )
        print("###### Public keys ######")
        print(pubkey.stdout)
        print("###### Age keys ######")
        subprocess.run(
            ["ssh-to-age"],
            input=pubkey.stdout,
            check=True,
            text=True,
        )


@task
def docs(c: Any) -> None:
    """
    Serve docs (mkdoc serve)
    """
    c.run("nix develop .#mkdocs -c mkdocs serve")


@task
def docs_linkcheck(c: Any) -> None:
    """
    Run docs online linkchecker
    """
    c.run("nix run .#docs-linkcheck.online")


def get_hosts(hosts: str) -> List[DeployHost]:
    deploy_hosts = []
    for host in hosts.split(","):
        if host.startswith("darwin"):
            deploy_hosts.append(
                DeployHost(f"{host}.nix-community.org", user="customer")
            )
        else:
            deploy_hosts.append(DeployHost(f"{host}.nix-community.org"))

    return deploy_hosts


def decrypt_host_key(flake_attr: str, tmpdir: str) -> None:
    def opener(path: str, flags: int) -> Union[str, int]:
        return os.open(path, flags, 0o400)

    t = Path(tmpdir)
    t.mkdir(parents=True, exist_ok=True)
    t.chmod(0o755)
    host_key = t / "etc/ssh/ssh_host_ed25519_key"
    host_key.parent.mkdir(parents=True, exist_ok=True)
    with open(host_key, "w", opener=opener) as fh:
        subprocess.run(
            [
                "sops",
                "--extract",
                f'["ssh_host_ed25519_key"]["{flake_attr}"]',
                "--decrypt",
                f"{ROOT}/secrets.yaml",
            ],
            check=True,
            stdout=fh,
        )


@task
def install(c: Any, flake_attr: str, hostname: str) -> None:
    """
    Decrypt host private key, install with nixos-anywhere. Use inv install --flake-attr build01 --hostname build01.nix-community.org
    """
    ask = input(f"Install {hostname} with {flake_attr}? [y/N] ")
    if ask != "y":
        return
    with TemporaryDirectory() as tmpdir:
        decrypt_host_key(flake_attr, tmpdir)
        flags = "--build-on-remote --debug --option accept-flake-config true"
        c.run(
            f"nix run --inputs-from . nixpkgs#nixos-anywhere -- {hostname} --extra-files {tmpdir} --flake .#{flake_attr} {flags}",
            echo=True,
        )


@task
def cleanup_gcroots(c: Any, hosts: str) -> None:
    g = DeployGroup(get_hosts(hosts))
    g.run("sudo find /nix/var/nix/gcroots/auto -type s -delete")
use custom deploy script 2021-10-21 11:09:52 +02:00			`#!/usr/bin/env python3`

tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`import json`
tasks: add update_hound_repos 2023-01-16 09:37:38 +10:00			`import os`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`import subprocess`
tasks.py: misc fixes 2023-03-12 15:02:16 +10:00			`from pathlib import Path`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`from tempfile import TemporaryDirectory`
tasks.py: mypy fixes 2023-09-06 17:27:23 +10:00			`from typing import Any, List, Union`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00
			`from deploykit import DeployGroup, DeployHost`
			`from invoke import task`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: misc fixes 2023-03-12 15:02:16 +10:00			`ROOT = Path(__file__).parent.resolve()`
			`os.chdir(ROOT)`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: format 2023-03-17 13:36:07 +10:00
tasks.py: simplify deploy, require host(s) input 2024-10-16 21:59:06 +10:00			`@task`
			`def deploy(c: Any, hosts: str) -> None:`
			`"""`
			`Use inv deploy --hosts build01,darwin01`
			`"""`
			`g = DeployGroup(get_hosts(hosts))`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00			`def deploy(h: DeployHost) -> None:`
darwin03: init 2023-07-17 09:37:43 +10:00			`if "darwin" in h.host:`
darwin: sudo activation 2025-02-16 12:32:20 +10:00			`command = "sudo -H darwin-rebuild"`
tasks.py: fix deploy username 2024-03-07 09:16:59 +10:00			`target = f"{h.user}@{h.host}"`
tasks.py: interim support for deploying darwin02 2023-06-04 07:13:45 +10:00			`else:`
			`command = "sudo nixos-rebuild"`
tasks.py: fix deploy username 2024-03-07 09:16:59 +10:00			`target = f"{h.host}"`
tasks.py: interim support for deploying darwin02 2023-06-04 07:13:45 +10:00
tasks.py: use copy instead of archive for deploy this is faster but it assumes that the flake inputs can be substituted on the target 2025-01-05 10:38:42 +10:00			`res = subprocess.run(`
			`["nix", "flake", "metadata", "--json"],`
			`text=True,`
			`check=True,`
tasks.py: switch to nix flake archive for deploy 2023-09-14 22:47:15 +10:00			`stdout=subprocess.PIPE,`
tasks.py: fix rsync ignoring some file changes in the nix store timestamps are not correct. 2023-03-18 17:00:02 +01:00			`)`
tasks.py: switch to nix flake archive for deploy 2023-09-14 22:47:15 +10:00			`data = json.loads(res.stdout)`
			`path = data["path"]`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: use archive for deploy when the flake has file or path inputs 2025-01-19 09:56:35 +10:00			`send = (`
			`"nix flake archive"`
			`if any(`
			`(`
			`n.get("locked", {}).get("type") == "path"`
			`or n.get("locked", {}).get("url", "").startswith("file:")`
			`)`
			`for n in data["locks"]["nodes"].values()`
			`)`
			`else f"nix copy {path}"`
			`)`

			`h.run_local(f"{send} --to ssh://{target}")`
tasks.py: use copy instead of archive for deploy this is faster but it assumes that the flake inputs can be substituted on the target 2025-01-05 10:38:42 +10:00
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`hostname = h.host.replace(".nix-community.org", "")`
			`h.run(`
tasks.py: switch to nix flake archive for deploy 2023-09-14 22:47:15 +10:00			`f"{command} switch --option accept-flake-config true --flake {path}#{hostname}"`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`)`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00			`g.run_function(deploy)`


use `sotp` for TOTP secrets 2023-10-02 09:14:57 +10:00			`@task`
			`def sotp(c: Any, acct: str) -> None:`
			`"""`
			`Get TOTP token from sops`
			`"""`
			`c.run(f"nix develop .#sotp -c sotp {acct}")`


add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`@task`
tasks.py: mypy fixes 2023-09-06 17:27:23 +10:00			`def update_sops_files(c: Any) -> None:`
add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`"""`
use nix to generate .sops.yaml 2024-12-16 08:34:28 +10:00			`Update all sops yaml files according to sops.nix rules`
add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`"""`
use nix to generate .sops.yaml 2024-12-16 08:34:28 +10:00			`with open(f"{ROOT}/.sops.yaml", "w") as f:`
			`print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)`

			`c.run(f"nix eval --json -f {ROOT}/sops.nix \| yq e -P - >> {ROOT}/.sops.yaml")`
move hercules CI secrets to sops 2024-12-16 08:34:56 +10:00			`c.run(`
			`"shopt -s globstar && sops updatekeys --yes */secrets.yaml modules/secrets/.yaml"`
			`)`
add task to re-encrypt files 2022-10-25 09:55:14 +02:00
apply treefmt to codebase 2022-12-31 07:24:17 +01:00
add task to scan age keys 2022-12-30 20:51:58 +01:00			`@task`
tasks.py: mypy fixes 2023-09-06 17:27:23 +10:00			`def print_keys(c: Any, flake_attr: str) -> None:`
add task to scan age keys 2022-12-30 20:51:58 +01:00			`"""`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`Decrypt host private key, print ssh and age public keys. Use inv print-keys --flake-attr build01`
add task to scan age keys 2022-12-30 20:51:58 +01:00			`"""`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`with TemporaryDirectory() as tmpdir:`
			`decrypt_host_key(flake_attr, tmpdir)`
			`key = f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"`
			`pubkey = subprocess.run(`
			`["ssh-keygen", "-y", "-f", f"{key}"],`
			`stdout=subprocess.PIPE,`
			`text=True,`
			`check=True,`
			`)`
			`print("###### Public keys ######")`
			`print(pubkey.stdout)`
			`print("###### Age keys ######")`
			`subprocess.run(`
			`["ssh-to-age"],`
			`input=pubkey.stdout,`
			`check=True,`
			`text=True,`
			`)`
add task to scan age keys 2022-12-30 20:51:58 +01:00
add task to re-encrypt files 2022-10-25 09:55:14 +02:00
shell: refactor, reduce size - drop treefmt, accessible via `nix fmt` - drop mkdocs, accessible via `inv mkdocs` this halves the size of the devshell 2023-05-04 07:51:58 +10:00			`@task`
tasks.py: various - drop build-local, reboot - mkdocs -> docs - remove systemctl from cleanup-gcroots 2024-10-16 21:56:58 +10:00			`def docs(c: Any) -> None:`
shell: refactor, reduce size - drop treefmt, accessible via `nix fmt` - drop mkdocs, accessible via `inv mkdocs` this halves the size of the devshell 2023-05-04 07:51:58 +10:00			`"""`
			`Serve docs (mkdoc serve)`
			`"""`
refactor mkdocs - use devshell instead of package - build pages with hercules-ci.github-pages - drop unnecessary packages restriction 2023-08-28 14:21:56 +10:00			`c.run("nix develop .#mkdocs -c mkdocs serve")`
shell: refactor, reduce size - drop treefmt, accessible via `nix fmt` - drop mkdocs, accessible via `inv mkdocs` this halves the size of the devshell 2023-05-04 07:51:58 +10:00

docs: add linkcheck 2024-06-01 08:22:31 +10:00			`@task`
			`def docs_linkcheck(c: Any) -> None:`
			`"""`
			`Run docs online linkchecker`
			`"""`
			`c.run("nix run .#docs-linkcheck.online")`


tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`def get_hosts(hosts: str) -> List[DeployHost]:`
tasks.py: fix darwin/nixos deploy 2024-10-16 22:22:16 +10:00			`deploy_hosts = []`
			`for host in hosts.split(","):`
			`if host.startswith("darwin"):`
			`deploy_hosts.append(`
			`DeployHost(f"{host}.nix-community.org", user="customer")`
			`)`
			`else:`
			`deploy_hosts.append(DeployHost(f"{host}.nix-community.org"))`
tasks.py: interim support for deploying darwin02 2023-06-04 07:13:45 +10:00
tasks.py: fix darwin/nixos deploy 2024-10-16 22:22:16 +10:00			`return deploy_hosts`
use custom deploy script 2021-10-21 11:09:52 +02:00

tasks.py: mypy fixes 2023-09-06 17:27:23 +10:00			`def decrypt_host_key(flake_attr: str, tmpdir: str) -> None:`
			`def opener(path: str, flags: int) -> Union[str, int]:`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`return os.open(path, flags, 0o400)`

			`t = Path(tmpdir)`
			`t.mkdir(parents=True, exist_ok=True)`
			`t.chmod(0o755)`
			`host_key = t / "etc/ssh/ssh_host_ed25519_key"`
			`host_key.parent.mkdir(parents=True, exist_ok=True)`
			`with open(host_key, "w", opener=opener) as fh:`
			`subprocess.run(`
			`[`
			`"sops",`
			`"--extract",`
secrets.yaml: move ssh host keys 2024-06-30 13:20:54 +10:00			`f'["ssh_host_ed25519_key"]["{flake_attr}"]',`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`"--decrypt",`
secrets.yaml: move ssh host keys 2024-06-30 13:20:54 +10:00			`f"{ROOT}/secrets.yaml",`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`],`
			`check=True,`
			`stdout=fh,`
			`)`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00

			`@task`
tasks.py: mypy fixes 2023-09-06 17:27:23 +10:00			`def install(c: Any, flake_attr: str, hostname: str) -> None:`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`"""`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`Decrypt host private key, install with nixos-anywhere. Use inv install --flake-attr build01 --hostname build01.nix-community.org`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`"""`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`ask = input(f"Install {hostname} with {flake_attr}? [y/N] ")`
			`if ask != "y":`
			`return`
			`with TemporaryDirectory() as tmpdir:`
			`decrypt_host_key(flake_attr, tmpdir)`
tasks.py: install: add build-on-remote, drop no-reboot 2024-05-05 10:06:09 +10:00			`flags = "--build-on-remote --debug --option accept-flake-config true"`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`c.run(`
Revert "tasks.py: use upstream nixos-anywhere" This reverts commit ce35954cc11480208a0026e880c8f9d5e979c3d5. 2023-12-04 13:02:25 +10:00			`f"nix run --inputs-from . nixpkgs#nixos-anywhere -- {hostname} --extra-files {tmpdir} --flake .#{flake_attr} {flags}",`
tasks.py: refactor install, print-keys 2023-05-13 21:32:00 +10:00			`echo=True,`
			`)`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00

use custom deploy script 2021-10-21 11:09:52 +02:00			`@task`
tasks.py: simplify deploy, require host(s) input 2024-10-16 21:59:06 +10:00			`def cleanup_gcroots(c: Any, hosts: str) -> None:`
use custom deploy script 2021-10-21 11:09:52 +02:00			`g = DeployGroup(get_hosts(hosts))`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`g.run("sudo find /nix/var/nix/gcroots/auto -type s -delete")`