tasks.py: various
- add install, print_keys - drop scan_age_keys
This commit is contained in:
zowoq
parent
8fd3b4da2a
commit
155d604bac
1 changed files with 53 additions and 12 deletions
65
tasks.py
65
tasks.py
|
|
@ -4,6 +4,7 @@ import json
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
import tempfile
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from typing import List
|
from typing import List
|
||||||
|
|
||||||
|
|
@ -65,20 +66,33 @@ find . \
|
||||||
|
|
||||||
|
|
||||||
@task
|
@task
|
||||||
def scan_age_keys(c, host):
|
def print_keys(c, hosts=""):
|
||||||
"""
|
"""
|
||||||
Scans for the host key via ssh an converts it to age. Use inv scan-age-keys build**.nix-community.org
|
Decrypt host private key, print ssh and age public keys. Use inv print-keys --hosts build01
|
||||||
"""
|
"""
|
||||||
proc = subprocess.run(
|
g = DeployGroup(get_hosts(hosts))
|
||||||
["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True
|
|
||||||
)
|
def key(h: DeployHost) -> None:
|
||||||
print("###### Age keys ######")
|
hostname = h.host.replace(".nix-community.org", "")
|
||||||
subprocess.run(
|
with tempfile.TemporaryDirectory() as tmpdir:
|
||||||
["ssh-to-age"],
|
decrypt_host_key(c, hostname, tmpdir)
|
||||||
input=proc.stdout,
|
pubkey = subprocess.run(
|
||||||
check=True,
|
["ssh-keygen", "-y", "-f", f"{tmpdir}/etc/ssh/ssh_host_ed25519_key"],
|
||||||
text=True,
|
stdout=subprocess.PIPE,
|
||||||
)
|
text=True,
|
||||||
|
check=True,
|
||||||
|
)
|
||||||
|
print("###### Public keys ######")
|
||||||
|
print(pubkey.stdout)
|
||||||
|
print("###### Age keys ######")
|
||||||
|
subprocess.run(
|
||||||
|
["ssh-to-age"],
|
||||||
|
input=pubkey.stdout,
|
||||||
|
check=True,
|
||||||
|
text=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
g.run_function(key)
|
||||||
|
|
||||||
|
|
||||||
@task
|
@task
|
||||||
|
|
@ -123,6 +137,33 @@ def deploy(c, hosts=""):
|
||||||
deploy_nixos(get_hosts(hosts))
|
deploy_nixos(get_hosts(hosts))
|
||||||
|
|
||||||
|
|
||||||
|
def decrypt_host_key(c, hostname, tmpdir):
|
||||||
|
os.mkdir(f"{tmpdir}/etc")
|
||||||
|
os.mkdir(f"{tmpdir}/etc/ssh")
|
||||||
|
os.umask(0o177)
|
||||||
|
c.run(
|
||||||
|
f"sops --extract '[\"ssh_host_ed25519_key\"]' --decrypt {ROOT}/{hostname}/secrets.yaml > {tmpdir}/etc/ssh/ssh_host_ed25519_key"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@task
|
||||||
|
def install(c, hosts=""):
|
||||||
|
"""
|
||||||
|
Decrypt host private key, install with nixos-anywhere. Use inv install --hosts build01
|
||||||
|
"""
|
||||||
|
g = DeployGroup(get_hosts(hosts))
|
||||||
|
|
||||||
|
def anywhere(h: DeployHost) -> None:
|
||||||
|
hostname = h.host.replace(".nix-community.org", "")
|
||||||
|
with tempfile.TemporaryDirectory() as tmpdir:
|
||||||
|
decrypt_host_key(c, hostname, tmpdir)
|
||||||
|
c.run(
|
||||||
|
f"nix run github:numtide/nixos-anywhere#nixos-anywhere -- --extra-files {tmpdir} --flake .#{hostname} {h.host}"
|
||||||
|
)
|
||||||
|
|
||||||
|
g.run_function(anywhere)
|
||||||
|
|
||||||
|
|
||||||
@task
|
@task
|
||||||
def build_local(c, hosts=""):
|
def build_local(c, hosts=""):
|
||||||
"""
|
"""
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue