updaterbot: move all to deployer

data.nix

@@ -3,7 +3,8 @@ rec {
     motiejus = 1000;
 
     gitea = 995;
-    updaterbot = 501;
+    updaterbot-deployer = 501;
+    updaterbot-deployee = 502;
   };
 
   people_pubkeys = {

flake.nix

@@ -111,12 +111,6 @@
       deploy.nodes.vno1-oh2 = {
         hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
         profiles = {
-          #updaterbot = {
-          #  sshUser = "updaterbot";
-          #  path =
-          #    deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vno1-oh2;
-          #  user = "root";
-          #};
           system = {
             sshUser = "motiejus";
             path =

hosts/vno1-oh2/configuration.nix

@@ -63,11 +63,19 @@
     };
 
     services = {
-      updaterbot = {
-        enableMaster = true;
-        uidgid = myData.uidgid.updaterbot;
-        repo = "git@git.jakstys.lt:motiejus/config";
-        deployDerivations = [".#vno1-oh2"];
+      deployerbot = {
+        main = {
+          enable = true;
+          uidgid = myData.uidgid.updaterbot-deployer;
+          repo = "git@git.jakstys.lt:motiejus/config";
+          deployDerivations = [".#vno1-oh2"];
+        };
+
+        follower = {
+          enable = true;
+          uidgid = myData.uidgid.updaterbot-deployee;
+          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
+        };
       };
 
       postfix = {

modules/services/default.nix

@@ -5,9 +5,9 @@
   ...
 }: {
   imports = [
+    ./deployerbot
     ./postfix
     ./syncthing
-    ./updaterbot
     ./zfsunlock
   ];
 }

modules/services/deployerbot/default.nix

@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options.mj.services.deployerbot.main = with lib.types; {
+    enable = lib.mkEnableOption "Enable system updater orchestrator";
+    deployDerivations = lib.mkOption {type = listOf str;};
+    uidgid = lib.mkOption {type = int;};
+    repo = lib.mkOption {type = str;};
+  };
+
+  options.mj.services.deployerbot.follower = with lib.types; {
+    enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
+    publicKey = lib.mkOption {type = str;};
+    uidgid = lib.mkOption {type = int;};
+  };
+
+  config = lib.mkMerge [
+    (with config.mj.services.deployerbot.main;
+      lib.mkIf enable {
+        # TODO: git config --global user.email bot@jakstys.lt
+        users.users.deployerbot-main = {
+          description = "Deployerbot Main";
+          home = "/var/lib/deployerbot-main";
+          useDefaultShell = true;
+          group = "deployerbot-main";
+          isSystemUser = true;
+          createHome = true;
+          uid = uidgid;
+        };
+        users.groups.deployerbot-main.gid = uidgid;
+
+        systemd.services.deployerbot = {
+          description = "Update all known systems";
+          serviceConfig = {
+            Type = "oneshot";
+            User = "deployerbot-main";
+            WorkingDirectory = config.users.users.deployerbot-main.home;
+            LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
+          };
+          script = let
+            deployDerivationsStr = builtins.concatStringsSep " " deployDerivations;
+          in ''
+            set -x
+            export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
+            if [[ ! -d config ]]; then
+              ${pkgs.git}/bin/git clone ${repo} config
+              cd config
+            else
+              cd config
+              ${pkgs.git}/bin/git fetch origin
+              ${pkgs.git}/bin/git reset --hard origin/main
+            fi
+
+            OLD_PATH=$PATH
+            export PATH=$PATH:${pkgs.git}/bin
+            ${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
+            ${pkgs.git}/bin/git push origin main
+            export PATH=$OLD_PATH
+
+            export PATH=$PATH:${pkgs.git}/bin:${pkgs.openssh}/bin:${pkgs.nix}/bin
+            exec ${pkgs.nix}/bin/nix run .#deploy-rs -- \
+              --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
+              --ssh-user=deployerbot-follower \
+              ${deployDerivationsStr}
+          '';
+        };
+
+        #systemd.timers.deployerbot = {
+        #  description = "deployerbot-main timer";
+        #  wantedBy = ["timers.target"];
+        #  timerConfig.OnCalendar = "";
+        #};
+
+        mj.base.unitstatus.units = ["deployerbot"];
+
+        nix.settings.trusted-users = ["deployerbot-main"];
+      })
+    (with config.mj.services.deployerbot.follower;
+      lib.mkIf enable {
+        users.users = {
+          deployerbot-follower = {
+            description = "Deployerbot Follower";
+            home = "/var/lib/deployerbot-follower";
+            useDefaultShell = true;
+            group = "deployerbot-follower";
+            extraGroups = ["wheel"];
+            isSystemUser = true;
+            createHome = true;
+            uid = uidgid;
+            openssh.authorizedKeys.keys = [publicKey];
+          };
+        };
+        users.groups.deployerbot-follower.gid = uidgid;
+      })
+  ];
+}

modules/services/updaterbot/default.nix

@@ -1,83 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  options.mj.services.updaterbot = with lib.types; {
-    enableMaster = lib.mkEnableOption "Enable system updater orchestrator";
-    enableDeployer = lib.mkEnableOption "Enable system updater deployer";
-    deployDerivations = lib.mkOption {type = listOf str;};
-    uidgid = lib.mkOption {type = int;};
-    repo = lib.mkOption {type = str;};
-  };
-
-  config = lib.mkIf config.mj.services.updaterbot.enableMaster {
-    users = {
-      users = {
-        # TODO: git config --global user.email updaterbot@jakstys.lt
-        # TODO: ssh-keygen -t ed25519
-        updaterbot = {
-          description = "Dear Updaterbot";
-          home = "/var/lib/updaterbot";
-          useDefaultShell = true;
-          group = "updaterbot";
-          isSystemUser = true;
-          createHome = true;
-          uid = config.mj.services.updaterbot.uidgid;
-        };
-      };
-
-      groups = {
-        updaterbot.gid = config.mj.services.updaterbot.uidgid;
-      };
-    };
-
-    systemd.services.updaterbot = {
-      description = "Update all known systems";
-      preStart = ''
-        if [[ -f .ssh/id_ed25519 ]]; then exit; fi
-
-        ${pkgs.openssh}/bin/ssh-keygen -N "" -t ed25519 -f .ssh/id_ed25519
-      '';
-      serviceConfig = {
-        Type = "oneshot";
-        User = "updaterbot";
-        WorkingDirectory = config.users.users.updaterbot.home;
-      };
-      script = let
-        deployDerivations = builtins.concatStringsSep " " config.mj.services.updaterbot.deployDerivations;
-      in ''
-        set -x
-        export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $HOME/.ssh/id_ed25519"
-        if [[ ! -d config ]]; then
-          ${pkgs.git}/bin/git clone ${config.mj.services.updaterbot.repo} config
-          cd config
-        else
-          cd config
-          ${pkgs.git}/bin/git fetch origin
-          ${pkgs.git}/bin/git reset --hard origin/main
-        fi
-
-        OLD_PATH=$PATH
-        export PATH=$PATH:${pkgs.git}/bin
-        ${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
-        ${pkgs.git}/bin/git push origin main
-        export PATH=$OLD_PATH
-
-        export PATH=$PATH:${pkgs.openssh}/bin:${pkgs.nix}/bin
-        exec ${pkgs.nix}/bin/nix run .#deploy-rs -- ${deployDerivations}
-      '';
-    };
-
-    #systemd.timers.updaterbot = {
-    #  description = "updaterbot timer";
-    #  wantedBy = ["timers.target"];
-    #  timerConfig.OnCalendar = "";
-    #};
-
-    mj.base.unitstatus.units = ["updaterbot"];
-
-    nix.settings.trusted-users = ["updaterbot"];
-  };
-}