infra/tasks.py

#!/usr/bin/env python3

import json
import subprocess
import sys
from typing import Any, List

from deploykit import DeployGroup, DeployHost
from invoke import task

RSYNC_EXCLUDES = [
    ".direnv",
    ".git",
    ".mypy-cache",
    ".ruff_cache",
    ".terraform",
    "result*",
]


def deploy_nixos(hosts: List[DeployHost]) -> None:
    """
    Deploy to all hosts in parallel
    """
    g = DeployGroup(hosts)

    def deploy(h: DeployHost) -> None:
        target = f"{h.user or 'root'}@{h.host}"
        h.run_local(
            f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {target}:/etc/nixos"
        )

        h.run("nixos-rebuild switch --option accept-flake-config true")

    g.run_function(deploy)


def sfdisk_json(host: DeployHost, dev: str) -> List[Any]:
    out = host.run(f"sfdisk --json {dev}", stdout=subprocess.PIPE)
    data = json.loads(out.stdout)
    return data["partitiontable"]["partitions"]


def _format_disks(host: DeployHost, devices: List[str]) -> None:
    assert (
        len(devices) == 1 or len(devices) == 2
    ), "we only support single devices or mirror raids at the moment"
    # format disk with as follow:
    # - partition 1 will be the boot partition, needed for legacy (BIOS) boot
    # - partition 2 is for boot partition
    # - partition 3 takes up the rest of the space and is for the system
    for device in devices:
        host.run(
            f"sgdisk -Z -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 {device}"
        )

    # create mdadm raid for /boot with ext4
    if len(devices) == 2:
        boot_parts = []
        root_parts = []
        for dev in devices:
            # use partuuids as they are more stable than device names
            partitions = sfdisk_json(host, dev)
            boot_parts.append(partitions[1]["node"])
            root_parts.append(f"/dev/disk/by-partuuid/{partitions[2]['uuid'].lower()}")

        host.run(
            f"mdadm --create --verbose /dev/md127 --raid-devices=2 --level=1 {' '.join(boot_parts)}"
        )
        host.run(
            f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror {' '.join(root_parts)}"
        )
        boot = "/dev/md127"
    else:
        partitions = sfdisk_json(host, devices[0])
        boot = partitions[1]["node"]
        uuid = partitions[2]["uuid"].lower()
        root_part = f"/dev/disk/by-partuuid/{uuid}"
        host.run(
            f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}"
        )

    host.run("partprobe")
    host.run(f"mkfs.ext4 -F {boot}")

    # setup zfs dataset
    host.run("zfs create -o mountpoint=none zroot/root")
    host.run("zfs create -o mountpoint=legacy zroot/root/nixos")
    host.run("zfs create -o mountpoint=legacy zroot/root/home")

    ## and finally mount
    host.run("mount -t zfs zroot/root/nixos /mnt")
    host.run("mkdir /mnt/home /mnt/boot")
    host.run("mount -t zfs zroot/root/home /mnt/home")
    host.run("mount -t ext4 /dev/md127 /mnt/boot")


@task
def update_sops_files(c):
    """
    Update all sops yaml and json files according to .sops.yaml rules
    """

    c.run(
        """
find . \
        -type f \
        \( -iname '*.enc.json' -o -iname 'secrets.yaml' \) \
        -exec sops updatekeys --yes {} \;
"""
    )


@task
def scan_age_keys(c, host):
    """
    Scans for the host key via ssh an converts it to age
    """
    import subprocess

    proc = subprocess.run(
        ["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True
    )
    print("###### Age keys ######")
    subprocess.run(
        ["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"],
        input=proc.stdout,
        check=True,
        text=True,
    )


@task
def format_disks(c, hosts="", disks=""):
    """
    Format disks with zfs, i.e.: inv format-disks --hosts build02 --disks /dev/nvme0n1,/dev/nvme1n1
    """
    for h in get_hosts(hosts):
        _format_disks(h, disks.split(","))


@task
def setup_secret(c, hosts=""):
    """
    Setup SSH key and print age key for sops-nix
    """
    for h in get_hosts(hosts):
        h.run(
            "install -m600 -D /etc/ssh/ssh_host_rsa_key /mnt/etc/ssh/ssh_host_rsa_key"
        )
        h.run(
            "install -m600 -D /etc/ssh/ssh_host_ed25519_key /mnt/etc/ssh/ssh_host_ed25519_key"
        )
        print(h.host)
        h.run(
            "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
        )


@task
def nixos_install(c, hosts=""):
    """
    Run NixOS install
    """
    for h in get_hosts(hosts):
        h.run(
            "nix-shell -p git --run 'git clone https://github.com/nix-community/infra && cd infra && nix-shell'"
        )
        hostname = h.host.replace(".nix-community.org", "")
        h.run(
            f"cd /root/infra && nixos-install --system $(nix-build -A {hostname}-system)"
        )


def get_hosts(hosts: str) -> List[DeployHost]:
    if hosts == "":
        return [
            DeployHost(f"build{n + 1:02d}.nix-community.org", user="root")
            for n in range(4)
        ]

    return [DeployHost(f"{h}.nix-community.org", user="root") for h in hosts.split(",")]


@task
def deploy(c, hosts=""):
    """
    Deploy to all servers. Use inv deploy --hosts build01 to deploy to a single server
    """
    deploy_nixos(get_hosts(hosts))


@task
def build_local(c, hosts=""):
    """
    Build all servers. Use inv build-local --hosts build01 to build a single server
    """
    g = DeployGroup(get_hosts(hosts))

    def build_local(h: DeployHost) -> None:
        h.run_local(
            [
                "nixos-rebuild",
                "build",
                "--option",
                "accept-flake-config",
                "true",
                "--flake",
                f".#{h.host}",
            ]
        )

    g.run_function(build_local)


def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
    import socket
    import time

    while True:
        try:
            with socket.create_connection((host, port), timeout=1):
                if shutdown:
                    time.sleep(1)
                    sys.stdout.write(".")
                    sys.stdout.flush()
                else:
                    break
        except OSError:
            if shutdown:
                break
            else:
                time.sleep(0.01)
                sys.stdout.write(".")
                sys.stdout.flush()


@task
def reboot(c, hosts=""):
    """
    Reboot hosts. example usage: inv reboot --hosts build01,build02
    """
    for h in get_hosts(hosts):
        h.run("reboot &")

        print(f"Wait for {h.host} to shutdown", end="")
        sys.stdout.flush()
        wait_for_port(h.host, h.port, shutdown=True)
        print("")

        print(f"Wait for {h.host} to start", end="")
        sys.stdout.flush()
        wait_for_port(h.host, h.port)
        print("")


@task
def cleanup_gcroots(c, hosts=""):
    g = DeployGroup(get_hosts(hosts))
    g.run("find /nix/var/nix/gcroots/auto -type s -delete")
    g.run("systemctl restart nix-gc")
use custom deploy script 2021-10-21 11:09:52 +02:00			`#!/usr/bin/env python3`

tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`import json`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`import subprocess`
			`import sys`
			`from typing import Any, List`

			`from deploykit import DeployGroup, DeployHost`
			`from invoke import task`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks.py: add .ruff_cache, result* to excludes 2023-01-09 10:07:27 +10:00			`RSYNC_EXCLUDES = [`
			`".direnv",`
			`".git",`
			`".mypy-cache",`
			`".ruff_cache",`
			`".terraform",`
			`"result*",`
			`]`
deploy: improve rsync filter 2022-02-04 09:27:45 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00
			`def deploy_nixos(hosts: List[DeployHost]) -> None:`
			`"""`
			`Deploy to all hosts in parallel`
			`"""`
			`g = DeployGroup(hosts)`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00			`def deploy(h: DeployHost) -> None:`
bump deploykit version 2022-08-31 11:28:46 +02:00			`target = f"{h.user or 'root'}@{h.host}"`
use custom deploy script 2021-10-21 11:09:52 +02:00			`h.run_local(`
bump deploykit version 2022-08-31 11:28:46 +02:00			`f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {target}:/etc/nixos"`
use custom deploy script 2021-10-21 11:09:52 +02:00			`)`

apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`h.run("nixos-rebuild switch --option accept-flake-config true")`
tasks: reformat with black 2022-01-15 13:38:30 +01:00
use custom deploy script 2021-10-21 11:09:52 +02:00			`g.run_function(deploy)`


tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`def sfdisk_json(host: DeployHost, dev: str) -> List[Any]:`
			`out = host.run(f"sfdisk --json {dev}", stdout=subprocess.PIPE)`
			`data = json.loads(out.stdout)`
			`return data["partitiontable"]["partitions"]`
use custom deploy script 2021-10-21 11:09:52 +02:00
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00
			`def _format_disks(host: DeployHost, devices: List[str]) -> None:`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`assert (`
			`len(devices) == 1 or len(devices) == 2`
			`), "we only support single devices or mirror raids at the moment"`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`# format disk with as follow:`
			`# - partition 1 will be the boot partition, needed for legacy (BIOS) boot`
			`# - partition 2 is for boot partition`
			`# - partition 3 takes up the rest of the space and is for the system`
			`for device in devices:`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`host.run(`
			`f"sgdisk -Z -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 {device}"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00
			`# create mdadm raid for /boot with ext4`
			`if len(devices) == 2:`
			`boot_parts = []`
			`root_parts = []`
			`for dev in devices:`
			`# use partuuids as they are more stable than device names`
			`partitions = sfdisk_json(host, dev)`
			`boot_parts.append(partitions[1]["node"])`
			`root_parts.append(f"/dev/disk/by-partuuid/{partitions[2]['uuid'].lower()}")`

tasks: reformat with black 2022-01-15 13:38:30 +01:00			`host.run(`
			`f"mdadm --create --verbose /dev/md127 --raid-devices=2 --level=1 {' '.join(boot_parts)}"`
			`)`
			`host.run(`
			`f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror {' '.join(root_parts)}"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`boot = "/dev/md127"`
			`else:`
			`partitions = sfdisk_json(host, devices[0])`
			`boot = partitions[1]["node"]`
			`uuid = partitions[2]["uuid"].lower()`
			`root_part = f"/dev/disk/by-partuuid/{uuid}"`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`host.run(`
			`f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`host.run("partprobe")`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`host.run(f"mkfs.ext4 -F {boot}")`

			`# setup zfs dataset`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`host.run("zfs create -o mountpoint=none zroot/root")`
			`host.run("zfs create -o mountpoint=legacy zroot/root/nixos")`
			`host.run("zfs create -o mountpoint=legacy zroot/root/home")`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00
			`## and finally mount`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`host.run("mount -t zfs zroot/root/nixos /mnt")`
			`host.run("mkdir /mnt/home /mnt/boot")`
			`host.run("mount -t zfs zroot/root/home /mnt/home")`
			`host.run("mount -t ext4 /dev/md127 /mnt/boot")`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00

add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`@task`
			`def update_sops_files(c):`
			`"""`
			`Update all sops yaml and json files according to .sops.yaml rules`
			`"""`

			`c.run(`
			`"""`
			`find . \`
			`-type f \`
refactor sops secrets 2022-11-17 08:57:22 +10:00			`\( -iname '*.enc.json' -o -iname 'secrets.yaml' \) \`
			`-exec sops updatekeys --yes {} \;`
add task to re-encrypt files 2022-10-25 09:55:14 +02:00			`"""`
			`)`

apply treefmt to codebase 2022-12-31 07:24:17 +01:00
add task to scan age keys 2022-12-30 20:51:58 +01:00			`@task`
			`def scan_age_keys(c, host):`
			`"""`
			`Scans for the host key via ssh an converts it to age`
			`"""`
			`import subprocess`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00
			`proc = subprocess.run(`
			`["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True`
			`)`
add task to scan age keys 2022-12-30 20:51:58 +01:00			`print("###### Age keys ######")`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`subprocess.run(`
			`["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"],`
			`input=proc.stdout,`
			`check=True,`
			`text=True,`
			`)`
add task to scan age keys 2022-12-30 20:51:58 +01:00
add task to re-encrypt files 2022-10-25 09:55:14 +02:00
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`@task`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`def format_disks(c, hosts="", disks=""):`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`"""`
tasks/format-disk: add usage 2021-10-24 01:31:30 +02:00			`Format disks with zfs, i.e.: inv format-disks --hosts build02 --disks /dev/nvme0n1,/dev/nvme1n1`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`"""`
tasks/format-disk: add usage 2021-10-24 01:31:30 +02:00			`for h in get_hosts(hosts):`
			`_format_disks(h, disks.split(","))`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00

			`@task`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`def setup_secret(c, hosts=""):`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`"""`
			`Setup SSH key and print age key for sops-nix`
			`"""`
			`for h in get_hosts(hosts):`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`h.run(`
			`"install -m600 -D /etc/ssh/ssh_host_rsa_key /mnt/etc/ssh/ssh_host_rsa_key"`
			`)`
			`h.run(`
			`"install -m600 -D /etc/ssh/ssh_host_ed25519_key /mnt/etc/ssh/ssh_host_ed25519_key"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`print(h.host)`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`h.run(`
			`"nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub \| ssh-to-age'"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00

			`@task`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`def nixos_install(c, hosts=""):`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00			`"""`
			`Run NixOS install`
			`"""`
			`for h in get_hosts(hosts):`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`h.run(`
			`"nix-shell -p git --run 'git clone https://github.com/nix-community/infra && cd infra && nix-shell'"`
			`)`
			`hostname = h.host.replace(".nix-community.org", "")`
			`h.run(`
			`f"cd /root/infra && nixos-install --system $(nix-build -A {hostname}-system)"`
			`)`
tasks: automate nixos-install 2021-10-24 01:04:22 +02:00

			`def get_hosts(hosts: str) -> List[DeployHost]:`
use custom deploy script 2021-10-21 11:09:52 +02:00			`if hosts == "":`
tasks: reformat 2022-09-28 10:20:56 +02:00			`return [`
			`DeployHost(f"build{n + 1:02d}.nix-community.org", user="root")`
			`for n in range(4)`
			`]`
use custom deploy script 2021-10-21 11:09:52 +02:00
deploy as root 2022-09-04 05:52:52 +02:00			`return [DeployHost(f"{h}.nix-community.org", user="root") for h in hosts.split(",")]`
use custom deploy script 2021-10-21 11:09:52 +02:00

			`@task`
tasks: reformat with black 2022-01-15 13:38:30 +01:00			`def deploy(c, hosts=""):`
use custom deploy script 2021-10-21 11:09:52 +02:00			`"""`
tasks.py: host -> hosts 2023-01-07 07:37:07 +10:00			`Deploy to all servers. Use inv deploy --hosts build01 to deploy to a single server`
use custom deploy script 2021-10-21 11:09:52 +02:00			`"""`
			`deploy_nixos(get_hosts(hosts))`


add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`@task`
			`def build_local(c, hosts=""):`
			`"""`
tasks.py: host -> hosts 2023-01-07 07:37:07 +10:00			`Build all servers. Use inv build-local --hosts build01 to build a single server`
add task to build nixos machines locally this is also useful for people that do not have access to the servers (i.e. as part of a PR). 2022-12-19 15:39:59 +01:00			`"""`
			`g = DeployGroup(get_hosts(hosts))`

			`def build_local(h: DeployHost) -> None:`
			`h.run_local(`
			`[`
			`"nixos-rebuild",`
			`"build",`
			`"--option",`
			`"accept-flake-config",`
			`"true",`
			`"--flake",`
			`f".#{h.host}",`
			`]`
			`)`

			`g.run_function(build_local)`


use custom deploy script 2021-10-21 11:09:52 +02:00			`def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`import socket`
			`import time`
use custom deploy script 2021-10-21 11:09:52 +02:00
			`while True:`
			`try:`
			`with socket.create_connection((host, port), timeout=1):`
			`if shutdown:`
			`time.sleep(1)`
			`sys.stdout.write(".")`
			`sys.stdout.flush()`
			`else:`
			`break`
apply treefmt to codebase 2022-12-31 07:24:17 +01:00			`except OSError:`
use custom deploy script 2021-10-21 11:09:52 +02:00			`if shutdown:`
			`break`
			`else:`
			`time.sleep(0.01)`
			`sys.stdout.write(".")`
			`sys.stdout.flush()`


			`@task`
			`def reboot(c, hosts=""):`
			`"""`
			`Reboot hosts. example usage: inv reboot --hosts build01,build02`
			`"""`
tasks/reboot: simplify 2021-10-24 01:31:40 +02:00			`for h in get_hosts(hosts):`
			`h.run("reboot &")`
use custom deploy script 2021-10-21 11:09:52 +02:00
			`print(f"Wait for {h.host} to shutdown", end="")`
			`sys.stdout.flush()`
			`wait_for_port(h.host, h.port, shutdown=True)`
			`print("")`

			`print(f"Wait for {h.host} to start", end="")`
			`sys.stdout.flush()`
			`wait_for_port(h.host, h.port)`
			`print("")`


			`@task`
			`def cleanup_gcroots(c, hosts=""):`
			`g = DeployGroup(get_hosts(hosts))`
			`g.run("find /nix/var/nix/gcroots/auto -type s -delete")`
			`g.run("systemctl restart nix-gc")`
No results found.