From 155d604bac312d04832014a6fc3d0e572f335efc Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Tue, 25 Apr 2023 10:21:27 +1000
Subject: [PATCH] tasks.py: various

- add install, print_keys

- drop scan_age_keys
---
 tasks.py | 65 +++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 53 insertions(+), 12 deletions(-)

diff --git a/tasks.py b/tasks.py
index 7ea6539..48eb762 100644
--- a/tasks.py
+++ b/tasks.py
@@ -4,6 +4,7 @@ import json
 import os
 import subprocess
 import sys
+import tempfile
 from pathlib import Path
 from typing import List
 
@@ -65,20 +66,33 @@ find . \
 
 
 @task
-def scan_age_keys(c, host):
+def print_keys(c, hosts=""):
     """
-    Scans for the host key via ssh an converts it to age. Use inv scan-age-keys build**.nix-community.org
+    Decrypt host private key, print ssh and age public keys. Use inv print-keys --hosts build01
     """
-    proc = subprocess.run(
-        ["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True
-    )
-    print("###### Age keys ######")
-    subprocess.run(
-        ["ssh-to-age"],
-        input=proc.stdout,
-        check=True,
-        text=True,
-    )
+    g = DeployGroup(get_hosts(hosts))
+
+    def key(h: DeployHost) -> None:
+        hostname = h.host.replace(".nix-community.org", "")
+        with tempfile.TemporaryDirectory() as tmpdir:
+            decrypt_host_key(c, hostname, tmpdir)
+            pubkey = subprocess.run(
+                ["ssh-keygen", "-y", "-f", f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"],
+                stdout=subprocess.PIPE,
+                text=True,
+                check=True,
+            )
+            print("###### Public keys ######")
+            print(pubkey.stdout)
+            print("###### Age keys ######")
+            subprocess.run(
+                ["ssh-to-age"],
+                input=pubkey.stdout,
+                check=True,
+                text=True,
+            )
+
+    g.run_function(key)
 
 
 @task
@@ -123,6 +137,33 @@ def deploy(c, hosts=""):
     deploy_nixos(get_hosts(hosts))
 
 
+def decrypt_host_key(c, hostname, tmpdir):
+    os.mkdir(f"{tmpdir}/etc")
+    os.mkdir(f"{tmpdir}/etc/ssh")
+    os.umask(0o177)
+    c.run(
+        f"sops --extract '[\"ssh_host_ed25519_key\"]' --decrypt {ROOT}/{hostname}/secrets.yaml > {tmpdir}/etc/ssh/ssh_host_ed25519_key"
+    )
+
+
+@task
+def install(c, hosts=""):
+    """
+    Decrypt host private key, install with nixos-anywhere. Use inv install --hosts build01
+    """
+    g = DeployGroup(get_hosts(hosts))
+
+    def anywhere(h: DeployHost) -> None:
+        hostname = h.host.replace(".nix-community.org", "")
+        with tempfile.TemporaryDirectory() as tmpdir:
+            decrypt_host_key(c, hostname, tmpdir)
+            c.run(
+                f"nix run github:numtide/nixos-anywhere#nixos-anywhere -- --extra-files {tmpdir} --flake .#{hostname} {h.host}"
+            )
+
+    g.run_function(anywhere)
+
+
 @task
 def build_local(c, hosts=""):
     """