tasks.py: refactor install, print-keys

This commit is contained in:
zowoq 2023-05-13 21:32:00 +10:00
parent 91028319fa
commit 0b4d4f17dc

tasks.py

@ -4,8 +4,8 @@ import json
import os import os
import subprocess import subprocess
import sys import sys
import tempfile
from pathlib import Path from pathlib import Path
from tempfile import TemporaryDirectory
from typing import List from typing import List
from deploykit import DeployGroup, DeployHost from deploykit import DeployGroup, DeployHost
@ -66,33 +66,28 @@ find . \
@task @task
def print_keys(c, hosts=""): def print_keys(c, flake_attr: str) -> None:
""" """
Decrypt host private key, print ssh and age public keys. Use inv print-keys --hosts build01 Decrypt host private key, print ssh and age public keys. Use inv print-keys --flake-attr build01
""" """
g = DeployGroup(get_hosts(hosts)) with TemporaryDirectory() as tmpdir:
decrypt_host_key(flake_attr, tmpdir)
def key(h: DeployHost) -> None: key = f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"
hostname = h.host.replace(".nix-community.org", "") pubkey = subprocess.run(
with tempfile.TemporaryDirectory() as tmpdir: ["ssh-keygen", "-y", "-f", f"{key}"],
decrypt_host_key(c, hostname, tmpdir) stdout=subprocess.PIPE,
pubkey = subprocess.run( text=True,
["ssh-keygen", "-y", "-f", f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"], check=True,
stdout=subprocess.PIPE, )
text=True, print("###### Public keys ######")
check=True, print(pubkey.stdout)
) print("###### Age keys ######")
print("###### Public keys ######") subprocess.run(
print(pubkey.stdout) ["ssh-to-age"],
print("###### Age keys ######") input=pubkey.stdout,
subprocess.run( check=True,
["ssh-to-age"], text=True,
input=pubkey.stdout, )
check=True,
text=True,
)
g.run_function(key)
@task @task
@ -137,31 +132,44 @@ def deploy(c, hosts=""):
deploy_nixos(get_hosts(hosts)) deploy_nixos(get_hosts(hosts))
def decrypt_host_key(c, hostname, tmpdir): def decrypt_host_key(flake_attr, tmpdir):
os.mkdir(f"{tmpdir}/etc") def opener(path, flags):
os.mkdir(f"{tmpdir}/etc/ssh") return os.open(path, flags, 0o400)
os.umask(0o177)
c.run( t = Path(tmpdir)
f"sops --extract '[\"ssh_host_ed25519_key\"]' --decrypt {ROOT}/{hostname}/secrets.yaml > {tmpdir}/etc/ssh/ssh_host_ed25519_key" t.mkdir(parents=True, exist_ok=True)
) t.chmod(0o755)
host_key = t / "etc/ssh/ssh_host_ed25519_key"
host_key.parent.mkdir(parents=True, exist_ok=True)
with open(host_key, "w", opener=opener) as fh:
subprocess.run(
[
"sops",
"--extract",
'["ssh_host_ed25519_key"]',
"--decrypt",
f"{ROOT}/{flake_attr}/secrets.yaml",
],
check=True,
stdout=fh,
)
@task @task
def install(c, hosts=""): def install(c, flake_attr: str, hostname: str) -> None:
""" """
Decrypt host private key, install with nixos-anywhere. Use inv install --hosts build01 Decrypt host private key, install with nixos-anywhere. Use inv install --flake-attr build01 --hostname build01.nix-community.org
""" """
g = DeployGroup(get_hosts(hosts)) ask = input(f"Install {hostname} with {flake_attr}? [y/N] ")
if ask != "y":
def anywhere(h: DeployHost) -> None: return
hostname = h.host.replace(".nix-community.org", "") with TemporaryDirectory() as tmpdir:
with tempfile.TemporaryDirectory() as tmpdir: decrypt_host_key(flake_attr, tmpdir)
decrypt_host_key(c, hostname, tmpdir) flags = "--debug --no-reboot --option accept-flake-config true"
c.run( c.run(
f"nix run github:numtide/nixos-anywhere#nixos-anywhere -- --extra-files {tmpdir} --flake .#{hostname} {h.host}" f"nix run github:numtide/nixos-anywhere -- {hostname} --extra-files {tmpdir} --flake .#{flake_attr} {flags}",
) echo=True,
)
g.run_function(anywhere)
@task @task
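Review bot: The rewritten `c.run(...)` line in `install` still runs `nix run github:numtide/nixos-anywhere` with no rev or tag on the flake reference, so each install fetches and executes whatever the upstream default branch holds at that moment, at the point where the decrypted host key sits on disk under `tmpdir`. Pinning the reference to a commit (`github:numtide/nixos-anywhere/<commit>`) or taking it from this repository's own flake inputs would make the installer reproducible and reviewable, and the pin is then bumped as a visible change. The `--option accept-flake-config true` in `flags` is passed after `--`, so it goes to nixos-anywhere rather than to `nix run`; presumably it is forwarded to the nix commands run against `.#{flake_attr}`, which is this repository's own flake, so it looks acceptable, but a comment such as `# accept-flake-config: trusts nixConfig (substituters/keys) declared by our own flake` would record that reasoning. Both `install` and `decrypt_host_key` are fully contained in this hunk.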