config/modules/services/deployerbot/default.nix

141 lines
4.6 KiB
Nix
Raw Normal View History

2023-07-30 05:49:54 +03:00
{
config,
lib,
pkgs,
...
2024-02-26 07:57:16 +02:00
}: {
2023-07-30 05:49:54 +03:00
options.mj.services.deployerbot.main = with lib.types; {
enable = lib.mkEnableOption "Enable system updater orchestrator";
deployDerivations = lib.mkOption {type = listOf str;};
2023-09-18 19:50:24 +03:00
deployIfPresent = lib.mkOption {
2023-10-01 23:14:05 +03:00
type = listOf (submodule {
options = {
derivationTarget = lib.mkOption {type = str;};
pingTarget = lib.mkOption {type = str;};
};
});
2023-09-18 19:50:24 +03:00
default = [];
};
2023-07-30 05:49:54 +03:00
uidgid = lib.mkOption {type = int;};
repo = lib.mkOption {type = str;};
};
options.mj.services.deployerbot.follower = with lib.types; {
enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
2023-09-18 20:49:17 +03:00
sshAllowSubnets = lib.mkOption {type = listOf str;};
2023-07-30 05:49:54 +03:00
publicKey = lib.mkOption {type = str;};
uidgid = lib.mkOption {type = int;};
};
config = lib.mkMerge [
2023-09-23 22:25:58 +03:00
(let
cfg = config.mj.services.deployerbot.main;
in
lib.mkIf cfg.enable {
# TODO: git config --global user.email bot@jakstys.lt
users.users.deployerbot-main = {
description = "Deployerbot Main";
home = "/var/lib/deployerbot-main";
shell = "/bin/sh";
2023-09-23 22:25:58 +03:00
group = "deployerbot-main";
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
2023-07-30 05:49:54 +03:00
};
2023-09-23 22:25:58 +03:00
users.groups.deployerbot-main.gid = cfg.uidgid;
2023-07-30 05:49:54 +03:00
2023-09-23 22:25:58 +03:00
systemd.services.deployerbot = {
description = "Update all known systems";
environment = {TZ = "UTC";};
path = [pkgs.git pkgs.openssh pkgs.nix];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
User = "deployerbot-main";
WorkingDirectory = config.users.users.deployerbot-main.home;
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
};
script = let
deployDerivationsStr = builtins.concatStringsSep " " cfg.deployDerivations;
in ''
2024-02-26 00:15:15 +02:00
set -xeuo pipefail
2023-09-23 22:25:58 +03:00
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
if [[ ! -d config ]]; then
git clone ${cfg.repo} config
cd config
else
cd config
git fetch origin
git reset --hard origin/main
fi
2023-07-30 05:49:54 +03:00
2023-09-23 22:25:58 +03:00
nix flake update --accept-flake-config --commit-lock-file
2024-02-26 00:15:15 +02:00
# TODO --all-systems
nix flake check --all-systems --accept-flake-config
2023-07-30 05:49:54 +03:00
2024-02-26 00:15:15 +02:00
EXITCODE=0
2024-02-02 15:29:53 +02:00
${pkgs.deploy-rs.deploy-rs}/bin/deploy \
2023-09-23 22:25:58 +03:00
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
--ssh-user=deployerbot-follower \
--confirm-timeout 60 \
2024-02-25 23:53:58 +02:00
--skip-checks \
2023-09-23 22:25:58 +03:00
--targets ${deployDerivationsStr} -- \
2024-02-26 00:15:15 +02:00
--accept-flake-config || EXITCODE=1
2024-02-28 14:55:42 +02:00
if [[ $EXITCODE == 0 ]]; then
2024-02-26 07:57:16 +02:00
git push origin main
fi
2023-09-23 22:25:58 +03:00
# Optional deployments
2024-02-26 13:56:05 +02:00
${lib.concatMapStringsSep "\n" (t: ''
2024-02-26 12:39:08 +02:00
if ${pkgs.inetutils}/bin/ping -c 1 ${t.pingTarget}; then
2024-02-26 07:57:16 +02:00
${pkgs.deploy-rs.deploy-rs}/bin/deploy \
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
--ssh-user=deployerbot-follower \
--confirm-timeout 60 \
--skip-checks \
2024-02-26 12:39:08 +02:00
--targets ${t.derivationTarget} -- \
2024-02-26 07:57:16 +02:00
--accept-flake-config || EXITCODE=1
fi
'')
2024-02-26 13:56:05 +02:00
cfg.deployIfPresent}
2023-07-30 05:49:54 +03:00
exit $EXITCODE
2023-09-23 22:25:58 +03:00
'';
};
2023-07-30 05:49:54 +03:00
2023-09-23 22:25:58 +03:00
systemd.timers.deployerbot = {
description = "deployerbot-main timer";
wantedBy = ["timers.target"];
2023-12-19 23:58:53 +02:00
timerConfig.OnCalendar = "*-*-* 23:30:00 UTC";
2023-09-23 22:25:58 +03:00
};
2023-07-30 05:49:54 +03:00
2023-09-23 22:25:58 +03:00
mj.base.unitstatus.units = ["deployerbot"];
nix.settings.trusted-users = ["deployerbot-main"];
})
(let
cfg = config.mj.services.deployerbot.follower;
in
lib.mkIf cfg.enable {
2023-09-23 22:56:23 +03:00
users.users.deployerbot-follower = {
description = "Deployerbot Follower";
home = "/var/lib/deployerbot-follower";
shell = "/bin/sh";
group = "deployerbot-follower";
extraGroups = ["wheel"];
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
in [restrictedPubKey];
2023-07-30 05:49:54 +03:00
};
2023-09-23 22:25:58 +03:00
users.groups.deployerbot-follower.gid = cfg.uidgid;
nix.settings.trusted-users = ["deployerbot-follower"];
})
2023-07-30 05:49:54 +03:00
];
}