From 5a5ffd6f0084727ca347bfe0c8b0ba4401379f9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Mon, 18 Sep 2023 19:50:24 +0300 Subject: [PATCH] upgrading fwminex too --- data.nix | 2 +- hosts/vno1-oh2/configuration.nix | 6 + modules/services/deployerbot/default.nix | 193 +++++++++++++---------- 3 files changed, 118 insertions(+), 83 deletions(-) diff --git a/data.nix b/data.nix index dfb6205..d48952d 100644 --- a/data.nix +++ b/data.nix @@ -69,7 +69,7 @@ rec { jakstIP = "100.89.176.5"; }; "fwminex.motiejus.jakst" = rec { - extraHostNames = [jakstIP]; + extraHostNames = [jakstIP vno1IP]; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlWSZ/H6DR5i5aCrlrEQLVF9MXNvls/pjlLPLaav3f+"; jakstIP = "100.89.176.6"; vno1IP = "192.168.189.10"; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index aaa3811..db7c829 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -186,6 +186,12 @@ ".#vno3-rp3b" ".#fra1-a" ]; + deployIfPresent = [ + { + derivationTarget = ".#fwminex"; + altHostname = myData.hosts."fwminex.motiejus.jakst".vno1IP; + } + ]; }; follower = { diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix index a540ef7..a74a511 100644 --- a/modules/services/deployerbot/default.nix +++ b/modules/services/deployerbot/default.nix 
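Review bot: `altHostname = myData.hosts."fwminex.motiejus.jakst".vno1IP` points the optional deploy at the LAN address 192.168.189.10, but the `deployerbot-follower` authorized key in modules/services/deployerbot/default.nix is pinned with `from="${myData.subnets.tailscale.sshPattern}"`, so unless that pattern also covers the 192.168.189.0/24 range the connection will pass the ping gate and then be refused at key authentication. If the LAN path is intended, either add the LAN pattern to the `from=` restriction for this follower (or a second, LAN-restricted key entry) or document next to `deployIfPresent` that `altHostname` must match the follower's `from=` pattern, e.g. `# must be reachable *and* allowed by the follower's from= restriction`. `sshPattern`'s value is outside this diff, so this is worth confirming before the first nightly run.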
@@ -4,10 +4,37 @@ pkgs, myData, ... -}: { +}: let + cfg = config.mj.services.deployerbot; + mkOptional = { + derivationTarget, + altHostname, + }: '' + if ping -c 1 ${altHostname}; then + ${pkgs.deploy-rs}/bin/deploy \ + --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \ + --ssh-user=deployerbot-follower \ + --confirm-timeout 60 \ + --hostname ${altHostname} \ + --targets ${derivationTarget} -- \ + --accept-flake-config + fi + ''; +in { options.mj.services.deployerbot.main = with lib.types; { enable = lib.mkEnableOption "Enable system updater orchestrator"; deployDerivations = lib.mkOption {type = listOf str;}; + deployIfPresent = lib.mkOption { + type = listOf (submodule ( + {...}: { + options = { + derivationTarget = lib.mkOption {type = str;}; + altHostname = lib.mkOption {type = str;}; + }; + } + )); + default = []; + }; uidgid = lib.mkOption {type = int;}; repo = lib.mkOption {type = str;}; }; 
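Review bot: `if ping -c 1 ${altHostname}; then` has no deadline and no else branch, so a probe that hangs stalls the whole nightly run, and a probe that fails — including `ping` not resolving on the unit's PATH, since the service's `path` lists only git, openssh and nix — makes the condition false and skips the host with nothing but the `set -x` trace to show why. Suggest `if ping -c 1 -W 5 ${lib.escapeShellArg altHostname} >/dev/null 2>&1; then` with an `else echo "skipping ${derivationTarget}: ${altHostname} unreachable"; fi`, and adding `pkgs.iputils` to the service's `path`. ICMP reachability also says nothing about which machine answers at that IP; the deploy's safety rests entirely on SSH host-key verification for the bare IP, which the `extraHostNames` addition in data.nix appears intended to cover — a one-line comment on `mkOptional` stating that assumption would help the next reader. `deployIfPresent` and its submodule options also lack `description`s, e.g. `description = "Targets deployed only when altHostname answers a ping";`.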
@@ -19,90 +46,92 @@ }; config = lib.mkMerge [ - (with config.mj.services.deployerbot.main; - lib.mkIf enable { - # TODO: git config --global user.email bot@jakstys.lt - users.users.deployerbot-main = { - description = "Deployerbot Main"; - home = "/var/lib/deployerbot-main"; + (lib.mkIf cfg.main.enable { + # TODO: git config --global user.email bot@jakstys.lt + users.users.deployerbot-main = { + description = "Deployerbot Main"; + home = "/var/lib/deployerbot-main"; + useDefaultShell = true; + group = "deployerbot-main"; + isSystemUser = true; + createHome = true; + uid = cfg.main.uidgid; + }; + users.groups.deployerbot-main.gid = cfg.main.uidgid; + + systemd.services.deployerbot = { + description = "Update all known systems"; + environment = {TZ = "UTC";}; + path = [pkgs.git pkgs.openssh pkgs.nix]; + restartIfChanged = false; + serviceConfig = { + Type = "oneshot"; + User = "deployerbot-main"; + WorkingDirectory = config.users.users.deployerbot-main.home; + LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"]; + }; + script = let + deployDerivationsStr = builtins.concatStringsSep " " cfg.main.deployDerivations; + in '' + set -x + export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key" + if [[ ! 
-d config ]]; then + git clone ${cfg.main.repo} config + cd config + else + cd config + git fetch origin + git reset --hard origin/main + fi + + nix flake update --accept-flake-config --commit-lock-file + + ${pkgs.deploy-rs}/bin/deploy \ + --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \ + --ssh-user=deployerbot-follower \ + --confirm-timeout 60 \ + --targets ${deployDerivationsStr} -- \ + --accept-flake-config + + # Optional deployments + ${lib.concatLines (map mkOptional cfg.main.deployIfPresent)} + + # done + git push origin main + ''; + }; + + systemd.timers.deployerbot = { + description = "deployerbot-main timer"; + wantedBy = ["timers.target"]; + # 15:38 UTC was the latest merge that I have observed since + # making the commit by looking at 3 commits of this repo. + # Let's try to be optimistic. + timerConfig.OnCalendar = "*-*-* 23:30:00 UTC"; + }; + + mj.base.unitstatus.units = ["deployerbot"]; + + nix.settings.trusted-users = ["deployerbot-main"]; + }) + (lib.mkIf cfg.follower.enable { + users.users = { + deployerbot-follower = { + description = "Deployerbot Follower"; + home = "/var/lib/deployerbot-follower"; useDefaultShell = true; - group = "deployerbot-main"; + group = "deployerbot-follower"; + extraGroups = ["wheel"]; isSystemUser = true; createHome = true; - uid = uidgid; + uid = cfg.follower.uidgid; + openssh.authorizedKeys.keys = let + restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + cfg.follower.publicKey; + in [restrictedPubKey]; }; - users.groups.deployerbot-main.gid = uidgid; - - systemd.services.deployerbot = { - description = "Update all known systems"; - environment = {TZ = "UTC";}; - path = [pkgs.git pkgs.openssh pkgs.nix]; - restartIfChanged = false; - serviceConfig = { - Type = "oneshot"; - User = "deployerbot-main"; - WorkingDirectory = config.users.users.deployerbot-main.home; - LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"]; - }; - script = let - deployDerivationsStr = builtins.concatStringsSep " " 
deployDerivations; - in '' - set -x - export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key" - if [[ ! -d config ]]; then - git clone ${repo} config - cd config - else - cd config - git fetch origin - git reset --hard origin/main - fi - - nix flake update --accept-flake-config --commit-lock-file - - ${pkgs.deploy-rs}/bin/deploy \ - --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \ - --ssh-user=deployerbot-follower \ - --confirm-timeout 60 \ - --targets ${deployDerivationsStr} -- \ - --accept-flake-config - - git push origin main - ''; - }; - - systemd.timers.deployerbot = { - description = "deployerbot-main timer"; - wantedBy = ["timers.target"]; - # 15:38 UTC was the latest merge that I have observed since - # making the commit by looking at 3 commits of this repo. - # Let's try to be optimistic. - timerConfig.OnCalendar = "*-*-* 23:30:00 UTC"; - }; - - mj.base.unitstatus.units = ["deployerbot"]; - - nix.settings.trusted-users = ["deployerbot-main"]; - }) - (with config.mj.services.deployerbot.follower; - lib.mkIf enable { - users.users = { - deployerbot-follower = { - description = "Deployerbot Follower"; - home = "/var/lib/deployerbot-follower"; - useDefaultShell = true; - group = "deployerbot-follower"; - extraGroups = ["wheel"]; - isSystemUser = true; - createHome = true; - uid = uidgid; - openssh.authorizedKeys.keys = let - restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + publicKey; - in [restrictedPubKey]; - }; - }; - users.groups.deployerbot-follower.gid = uidgid; - nix.settings.trusted-users = ["deployerbot-follower"]; - }) + }; + users.groups.deployerbot-follower.gid = cfg.follower.uidgid; + nix.settings.trusted-users = ["deployerbot-follower"]; + }) ]; }
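Review bot: The optional deployments are inserted between the mandatory `deploy` and `git push origin main`, so a deploy-rs failure against a `deployIfPresent` host — which by design is only intermittently present — aborts the script (NixOS-generated unit scripts run with `set -e`, as far as I recall) and the `nix flake update --commit-lock-file` commit that the mandatory hosts were just upgraded to is never pushed; the next run then does `git reset --hard origin/main` and re-updates, so the repo drifts from what is actually deployed. Suggest moving `git push origin main` to directly after the mandatory deploy, before `# Optional deployments`, so the lock-file commit is recorded regardless of optional targets. Alternatively make the optional call best-effort in `mkOptional` with `|| echo "optional deploy of ${derivationTarget} failed"`, but then a silent partial upgrade needs surfacing via `mj.base.unitstatus` or similar.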