infra/tasks.py

#!/usr/bin/env python3

import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List

from deploykit import DeployGroup, DeployHost
from invoke import task

ROOT = Path(__file__).parent.resolve()
os.chdir(ROOT)


# Deploy to all hosts in parallel
def deploy_nixos(hosts: List[DeployHost]) -> None:
    g = DeployGroup(hosts)

    res = subprocess.run(
        ["nix", "flake", "metadata", "--json"],
        check=True,
        text=True,
        stdout=subprocess.PIPE,
    )
    data = json.loads(res.stdout)
    path = data["path"]

    def deploy(h: DeployHost) -> None:
        h.run_local(
            f"rsync --rsync-path='sudo rsync' --checksum -vaF --delete -e ssh {path}/ {h.host}:/etc/nixos"
        )

        hostname = h.host.replace(".nix-community.org", "")
        h.run(
            [
                "sudo",
                "nixos-rebuild",
                "switch",
                "--option",
                "accept-flake-config",
                "true",
                "--flake",
                f"/etc/nixos#{hostname}",
            ]
        )

    g.run_function(deploy)


@task
def update_sops_files(c):
    """
    Update all sops yaml and json files according to .sops.yaml rules
    """
    c.run(
        """
find . \
        -type f \
        \( -iname '*.enc.json' -o -iname 'secrets.yaml' \) \
        -exec sops updatekeys --yes {} \;
"""
    )


@task
def print_keys(c, hosts=""):
    """
    Decrypt host private key, print ssh and age public keys. Use inv print-keys --hosts build01
    """
    g = DeployGroup(get_hosts(hosts))

    def key(h: DeployHost) -> None:
        hostname = h.host.replace(".nix-community.org", "")
        with tempfile.TemporaryDirectory() as tmpdir:
            decrypt_host_key(c, hostname, tmpdir)
            pubkey = subprocess.run(
                ["ssh-keygen", "-y", "-f", f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"],
                stdout=subprocess.PIPE,
                text=True,
                check=True,
            )
            print("###### Public keys ######")
            print(pubkey.stdout)
            print("###### Age keys ######")
            subprocess.run(
                ["ssh-to-age"],
                input=pubkey.stdout,
                check=True,
                text=True,
            )

    g.run_function(key)


@task
def update_terraform(c):
    """
    Update terraform devshell flake
    """
    with c.cd("terraform"):
        c.run(
            """
system="$(nix eval --impure --raw --expr 'builtins.currentSystem')"
old="$(nix build --no-link --print-out-paths ".#devShells.${system}.default")"
nix flake update --commit-lock-file
new="$(nix build --no-link --print-out-paths ".#devShells.${system}.default")"
commit="$(git log --pretty=format:%B -1)"
diff="$(nix store diff-closures "${old}" "${new}" | awk -F ',' '/terraform/ && /→/ {print $1}')"
git commit --amend -m "${commit}" -m "Terraform updates:" -m "${diff}"
"""
        )


@task
def mkdocs(c):
    """
    Serve docs (mkdoc serve)
    """
    c.run("nix develop .#pages -c mkdocs serve")


def get_hosts(hosts: str) -> List[DeployHost]:
    if hosts == "":
        return [DeployHost(f"build{n + 1:02d}.nix-community.org") for n in range(4)]

    return [DeployHost(f"{h}.nix-community.org") for h in hosts.split(",")]


@task
def deploy(c, hosts=""):
    """
    Deploy to all servers. Use inv deploy --hosts build01 to deploy to a single server
    """
    deploy_nixos(get_hosts(hosts))


def decrypt_host_key(c, hostname, tmpdir):
    os.mkdir(f"{tmpdir}/etc")
    os.mkdir(f"{tmpdir}/etc/ssh")
    os.umask(0o177)
    c.run(
        f"sops --extract '[\"ssh_host_ed25519_key\"]' --decrypt {ROOT}/{hostname}/secrets.yaml > {tmpdir}/etc/ssh/ssh_host_ed25519_key"
    )


@task
def install(c, hosts=""):
    """
    Decrypt host private key, install with nixos-anywhere. Use inv install --hosts build01
    """
    g = DeployGroup(get_hosts(hosts))

    def anywhere(h: DeployHost) -> None:
        hostname = h.host.replace(".nix-community.org", "")
        with tempfile.TemporaryDirectory() as tmpdir:
            decrypt_host_key(c, hostname, tmpdir)
            c.run(
                f"nix run github:numtide/nixos-anywhere#nixos-anywhere -- --extra-files {tmpdir} --flake .#{hostname} {h.host}"
            )

    g.run_function(anywhere)


@task
def build_local(c, hosts=""):
    """
    Build all servers. Use inv build-local --hosts build01 to build a single server
    """
    g = DeployGroup(get_hosts(hosts))

    def build_local(h: DeployHost) -> None:
        hostname = h.host.replace(".nix-community.org", "")
        h.run_local(
            [
                "nixos-rebuild",
                "build",
                "--option",
                "accept-flake-config",
                "true",
                "--flake",
                f".#{hostname}",
            ]
        )

    g.run_function(build_local)


def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
    import socket
    import time

    while True:
        try:
            with socket.create_connection((host, port), timeout=1):
                if shutdown:
                    time.sleep(1)
                    sys.stdout.write(".")
                    sys.stdout.flush()
                else:
                    break
        except OSError:
            if shutdown:
                break
            else:
                time.sleep(0.01)
                sys.stdout.write(".")
                sys.stdout.flush()


@task
def reboot(c, hosts=""):
    """
    Reboot hosts. example usage: inv reboot --hosts build01,build02
    """
    for h in get_hosts(hosts):
        h.run("sudo reboot &")

        print(f"Wait for {h.host} to shutdown", end="")
        sys.stdout.flush()
        wait_for_port(h.host, h.port, shutdown=True)
        print("")

        print(f"Wait for {h.host} to start", end="")
        sys.stdout.flush()
        wait_for_port(h.host, h.port)
        print("")


@task
def cleanup_gcroots(c, hosts=""):
    g = DeployGroup(get_hosts(hosts))
    g.run("sudo find /nix/var/nix/gcroots/auto -type s -delete")
    g.run("sudo systemctl restart nix-gc")
use custom deploy script 2021-10-21 11:09:52 +02:00			`#!/usr/bin/env python3`

tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`import json`
tasks: add update_hound_repos 2023-01-16 09:37:38 +10:00			`import os`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`import subprocess`
			`import sys`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`import tempfile`
tasks.py: misc fixes 2023-03-12 15:02:16 +10:00			`from pathlib import Path`
tasks.py: remove format_disks, nixos_install, setup_secret 2023-02-07 11:14:56 +10:00			`from typing import List`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00
			`from deploykit import DeployGroup, DeployHost`
			`from invoke import task`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: misc fixes 2023-03-12 15:02:16 +10:00			`ROOT = Path(__file__).parent.resolve()`
			`os.chdir(ROOT)`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: format 2023-03-17 13:36:07 +10:00
tasks.py: misc fixes 2023-03-12 15:02:16 +10:00			`# Deploy to all hosts in parallel`
use custom deploy script 2021-10-21 11:09:52 +02:00			`def deploy_nixos(hosts: List[DeployHost]) -> None:`
			`g = DeployGroup(hosts)`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
change deployment to use flake only 2023-03-06 16:42:08 +01:00			`res = subprocess.run(`
			`["nix", "flake", "metadata", "--json"],`
			`check=True,`
			`text=True,`
			`stdout=subprocess.PIPE,`
			`)`
			`data = json.loads(res.stdout)`
			`path = data["path"]`

use custom deploy script 2021-10-21 11:09:52 +02:00			`def deploy(h: DeployHost) -> None:`
tasks.py: fix rsync ignoring some file changes in the nix store timestamps are not correct. 2023-03-18 17:00:02 +01:00			`h.run_local(`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`f"rsync --rsync-path='sudo rsync' --checksum -vaF --delete -e ssh {path}/ {h.host}:/etc/nixos"`
tasks.py: fix rsync ignoring some file changes in the nix store timestamps are not correct. 2023-03-18 17:00:02 +01:00			`)`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`hostname = h.host.replace(".nix-community.org", "")`
			`h.run(`
			`[`
			`"sudo",`
			`"nixos-rebuild",`
			`"switch",`
			`"--option",`
			`"accept-flake-config",`
			`"true",`
			`"--flake",`
tasks/deploy: fix flake path 2023-03-25 10:44:53 +00:00			`f"/etc/nixos#{hostname}",`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`]`
			`)`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00			`g.run_function(deploy)`


add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`@task`
			`def update_sops_files(c):`
			`"""`
			`Update all sops yaml and json files according to .sops.yaml rules`
			`"""`
			`c.run(`
			`"""`
			`find . \`
			`-type f \`
refactor sops secrets 2022-11-17 08:57:22 +10:00			`\( -iname '*.enc.json' -o -iname 'secrets.yaml' \) \`
			`-exec sops updatekeys --yes {} \;`
add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`"""`
			`)`

apply treefmt to codebase 2022-12-31 07:24:17 +01:00
add task to scan age keys 2022-12-30 20:51:58 +01:00			`@task`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`def print_keys(c, hosts=""):`
add task to scan age keys 2022-12-30 20:51:58 +01:00			`"""`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`Decrypt host private key, print ssh and age public keys. Use inv print-keys --hosts build01`
add task to scan age keys 2022-12-30 20:51:58 +01:00			`"""`
tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`g = DeployGroup(get_hosts(hosts))`

			`def key(h: DeployHost) -> None:`
			`hostname = h.host.replace(".nix-community.org", "")`
			`with tempfile.TemporaryDirectory() as tmpdir:`
			`decrypt_host_key(c, hostname, tmpdir)`
			`pubkey = subprocess.run(`
			`["ssh-keygen", "-y", "-f", f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"],`
			`stdout=subprocess.PIPE,`
			`text=True,`
			`check=True,`
			`)`
			`print("###### Public keys ######")`
			`print(pubkey.stdout)`
			`print("###### Age keys ######")`
			`subprocess.run(`
			`["ssh-to-age"],`
			`input=pubkey.stdout,`
			`check=True,`
			`text=True,`
			`)`

			`g.run_function(key)`
add task to scan age keys 2022-12-30 20:51:58 +01:00
add task to re-encrypt files 2022-10-25 09:55:14 +02:00
tasks.py: add update-terraform 2023-03-15 10:50:57 +10:00			`@task`
			`def update_terraform(c):`
			`"""`
			`Update terraform devshell flake`
			`"""`
			`with c.cd("terraform"):`
			`c.run(`
			`"""`
			`system="$(nix eval --impure --raw --expr 'builtins.currentSystem')"`
			`old="$(nix build --no-link --print-out-paths ".#devShells.${system}.default")"`
			`nix flake update --commit-lock-file`
			`new="$(nix build --no-link --print-out-paths ".#devShells.${system}.default")"`
			`commit="$(git log --pretty=format:%B -1)"`
			`diff="$(nix store diff-closures "${old}" "${new}" \| awk -F ',' '/terraform/ && /→/ {print $1}')"`
			`git commit --amend -m "${commit}" -m "Terraform updates:" -m "${diff}"`
			`"""`
			`)`


shell: refactor, reduce size - drop treefmt, accessible via `nix fmt` - drop mkdocs, accessible via `inv mkdocs` this halves the size of the devshell 2023-05-04 07:51:58 +10:00			`@task`
			`def mkdocs(c):`
			`"""`
			`Serve docs (mkdoc serve)`
			`"""`
			`c.run("nix develop .#pages -c mkdocs serve")`


tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`def get_hosts(hosts: str) -> List[DeployHost]:`
use custom deploy script 2021-10-21 11:09:52 +02:00			`if hosts == "":`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`return [DeployHost(f"build{n + 1:02d}.nix-community.org") for n in range(4)]`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`return [DeployHost(f"{h}.nix-community.org") for h in hosts.split(",")]`
use custom deploy script 2021-10-21 11:09:52 +02:00

			`@task`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`def deploy(c, hosts=""):`
use custom deploy script 2021-10-21 11:09:52 +02:00			`"""`
tasks.py: host -> hosts 2023-01-07 07:37:07 +10:00			`Deploy to all servers. Use inv deploy --hosts build01 to deploy to a single server`
use custom deploy script 2021-10-21 11:09:52 +02:00			`"""`
			`deploy_nixos(get_hosts(hosts))`


tasks.py: various - add install, print_keys - drop scan_age_keys 2023-04-25 10:21:27 +10:00			`def decrypt_host_key(c, hostname, tmpdir):`
			`os.mkdir(f"{tmpdir}/etc")`
			`os.mkdir(f"{tmpdir}/etc/ssh")`
			`os.umask(0o177)`
			`c.run(`
			`f"sops --extract '[\"ssh_host_ed25519_key\"]' --decrypt {ROOT}/{hostname}/secrets.yaml > {tmpdir}/etc/ssh/ssh_host_ed25519_key"`
			`)`


			`@task`
			`def install(c, hosts=""):`
			`"""`
			`Decrypt host private key, install with nixos-anywhere. Use inv install --hosts build01`
			`"""`
			`g = DeployGroup(get_hosts(hosts))`

			`def anywhere(h: DeployHost) -> None:`
			`hostname = h.host.replace(".nix-community.org", "")`
			`with tempfile.TemporaryDirectory() as tmpdir:`
			`decrypt_host_key(c, hostname, tmpdir)`
			`c.run(`
			`f"nix run github:numtide/nixos-anywhere#nixos-anywhere -- --extra-files {tmpdir} --flake .#{hostname} {h.host}"`
			`)`

			`g.run_function(anywhere)`


add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`@task`
			`def build_local(c, hosts=""):`
			`"""`
tasks.py: host -> hosts 2023-01-07 07:37:07 +10:00			`Build all servers. Use inv build-local --hosts build01 to build a single server`
add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`"""`
			`g = DeployGroup(get_hosts(hosts))`

			`def build_local(h: DeployHost) -> None:`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`hostname = h.host.replace(".nix-community.org", "")`
add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`h.run_local(`
			`[`
			`"nixos-rebuild",`
			`"build",`
			`"--option",`
			`"accept-flake-config",`
			`"true",`
			`"--flake",`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`f".#{hostname}",`
add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`]`
			`)`

			`g.run_function(build_local)`


use custom deploy script 2021-10-21 11:09:52 +02:00			`def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`import socket`
			`import time`
use custom deploy script 2021-10-21 11:09:52 +02:00
			`while True:`
			`try:`
			`with socket.create_connection((host, port), timeout=1):`
			`if shutdown:`
			`time.sleep(1)`
			`sys.stdout.write(".")`
			`sys.stdout.flush()`
			`else:`
			`break`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`except OSError:`
use custom deploy script 2021-10-21 11:09:52 +02:00			`if shutdown:`
			`break`
			`else:`
			`time.sleep(0.01)`
			`sys.stdout.write(".")`
			`sys.stdout.flush()`


			`@task`
			`def reboot(c, hosts=""):`
			`"""`
			`Reboot hosts. example usage: inv reboot --hosts build01,build02`
			`"""`
tasks/reboot: simplify 2021-10-24 01:31:40 +02:00			`for h in get_hosts(hosts):`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`h.run("sudo reboot &")`
use custom deploy script 2021-10-21 11:09:52 +02:00
			`print(f"Wait for {h.host} to shutdown", end="")`
			`sys.stdout.flush()`
			`wait_for_port(h.host, h.port, shutdown=True)`
			`print("")`

			`print(f"Wait for {h.host} to start", end="")`
			`sys.stdout.flush()`
			`wait_for_port(h.host, h.port)`
			`print("")`


			`@task`
			`def cleanup_gcroots(c, hosts=""):`
			`g = DeployGroup(get_hosts(hosts))`
tasks.py: don't use root also explicitly set hostname for nixos deploy 2023-03-08 15:34:50 +10:00			`g.run("sudo find /nix/var/nix/gcroots/auto -type s -delete")`
			`g.run("sudo systemctl restart nix-gc")`
No results found.