From 9de5120cc3ee8b1a0dec7f6ba476250f50d05257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 30 Jul 2023 05:49:54 +0300
Subject: [PATCH] updaterbot: move all to deployer

---
 data.nix                                 |  3 +-
 flake.nix                                |  6 --
 hosts/vno1-oh2/configuration.nix         | 18 +++-
 modules/services/default.nix             |  2 +-
 modules/services/deployerbot/default.nix | 99 ++++++++++++++++++++++++
 modules/services/updaterbot/default.nix  | 83 --------------------
 6 files changed, 115 insertions(+), 96 deletions(-)
 create mode 100644 modules/services/deployerbot/default.nix
 delete mode 100644 modules/services/updaterbot/default.nix

diff --git a/data.nix b/data.nix
index 6de0878..a10a75b 100644
--- a/data.nix
+++ b/data.nix
@@ -3,7 +3,8 @@ rec {
     motiejus = 1000;
     gitea = 995;
-    updaterbot = 501;
+    updaterbot-deployer = 501;
+    updaterbot-deployee = 502;
   };
 
   people_pubkeys = {
diff --git a/flake.nix b/flake.nix
index 8ab2807..ee239da 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,12 +111,6 @@
       deploy.nodes.vno1-oh2 = {
         hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
         profiles = {
-          #updaterbot = {
-          #  sshUser = "updaterbot";
-          #  path =
-          #    deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vno1-oh2;
-          #  user = "root";
-          #};
           system = {
             sshUser = "motiejus";
             path =
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 9f4ee44..5f2c25e 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -63,11 +63,19 @@
   };
 
   services = {
-    updaterbot = {
-      enableMaster = true;
-      uidgid = myData.uidgid.updaterbot;
-      repo = "git@git.jakstys.lt:motiejus/config";
-      deployDerivations = [".#vno1-oh2"];
+    deployerbot = {
+      main = {
+        enable = true;
+        uidgid = myData.uidgid.updaterbot-deployer;
+        repo = "git@git.jakstys.lt:motiejus/config";
+        deployDerivations = [".#vno1-oh2"];
+      };
+
+      follower = {
+        enable = true;
+        uidgid = myData.uidgid.updaterbot-deployee;
+        publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
+      };
     };
 
     postfix = {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 630f1f6..8d8819e 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -5,9 +5,9 @@
   ...
 }: {
   imports = [
+    ./deployerbot
     ./postfix
     ./syncthing
-    ./updaterbot
     ./zfsunlock
   ];
 }
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
new file mode 100644
index 0000000..67571a9
--- /dev/null
+++ b/modules/services/deployerbot/default.nix
@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options.mj.services.deployerbot.main = with lib.types; {
+    enable = lib.mkEnableOption "Enable system updater orchestrator";
+    deployDerivations = lib.mkOption {type = listOf str;};
+    uidgid = lib.mkOption {type = int;};
+    repo = lib.mkOption {type = str;};
+  };
+
+  options.mj.services.deployerbot.follower = with lib.types; {
+    enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
+    publicKey = lib.mkOption {type = str;};
+    uidgid = lib.mkOption {type = int;};
+  };
+
+  config = lib.mkMerge [
+    (with config.mj.services.deployerbot.main;
+      lib.mkIf enable {
+        # TODO: git config --global user.email bot@jakstys.lt
+        users.users.deployerbot-main = {
+          description = "Deployerbot Main";
+          home = "/var/lib/deployerbot-main";
+          useDefaultShell = true;
+          group = "deployerbot-main";
+          isSystemUser = true;
+          createHome = true;
+          uid = uidgid;
+        };
+        users.groups.deployerbot-main.gid = uidgid;
+
+        systemd.services.deployerbot = {
+          description = "Update all known systems";
+          serviceConfig = {
+            Type = "oneshot";
+            User = "deployerbot-main";
+            WorkingDirectory = config.users.users.deployerbot-main.home;
+            LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
+          };
+          script = let
+            deployDerivationsStr = builtins.concatStringsSep " " deployDerivations;
+          in ''
+            set -x
+            export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
+            if [[ ! -d config ]]; then
+              ${pkgs.git}/bin/git clone ${repo} config
+              cd config
+            else
+              cd config
+              ${pkgs.git}/bin/git fetch origin
+              ${pkgs.git}/bin/git reset --hard origin/main
+            fi
+
+            OLD_PATH=$PATH
+            export PATH=$PATH:${pkgs.git}/bin
+            ${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
+            ${pkgs.git}/bin/git push origin main
+            export PATH=$OLD_PATH
+
+            export PATH=$PATH:${pkgs.git}/bin:${pkgs.openssh}/bin:${pkgs.nix}/bin
+            exec ${pkgs.nix}/bin/nix run .#deploy-rs -- \
+              --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
+              --ssh-user=deployerbot-follower \
+              ${deployDerivationsStr}
+          '';
+        };
+
+        #systemd.timers.deployerbot = {
+        #  description = "deployerbot-main timer";
+        #  wantedBy = ["timers.target"];
+        #  timerConfig.OnCalendar = "";
+        #};
+
+        mj.base.unitstatus.units = ["deployerbot"];
+
+        nix.settings.trusted-users = ["deployerbot-main"];
+      })
+    (with config.mj.services.deployerbot.follower;
+      lib.mkIf enable {
+        users.users = {
+          deployerbot-follower = {
+            description = "Deployerbot Follower";
+            home = "/var/lib/deployerbot-follower";
+            useDefaultShell = true;
+            group = "deployerbot-follower";
+            extraGroups = ["wheel"];
+            isSystemUser = true;
+            createHome = true;
+            uid = uidgid;
+            openssh.authorizedKeys.keys = [publicKey];
+          };
+        };
+        users.groups.deployerbot-follower.gid = uidgid;
+      })
+  ];
+}
diff --git a/modules/services/updaterbot/default.nix b/modules/services/updaterbot/default.nix
deleted file mode 100644
index 7f2d8b2..0000000
--- a/modules/services/updaterbot/default.nix
+++ /dev/null
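Review bot: The deployer's client identity is the host's own SSH private key (`LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"]` in `serviceConfig`, passed through `--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key"`), and the follower side then authorizes that host public key into an account that is in `wheel`; a host key exists to authenticate the server, so repurposing it as a login key means a host-key compromise or rotation now also reaches every follower, and the key's second role is invisible to anyone auditing host keys (hosts/vno1-oh2/configuration.nix wires the same key in at `follower.publicKey`). The removed updaterbot module generated a dedicated key in `preStart`; keeping a dedicated deploy key as its own credential, e.g. `LoadCredential = ["ssh-key:<path-to-dedicated-deploy-key>"];`, preserves that separation. On the follower, the `openssh.authorizedKeys.keys = [publicKey]` entry can be narrowed to the deployer's address, e.g. `openssh.authorizedKeys.keys = ["from=\"<deployer-address>\" ${publicKey}"];`, so a leaked key is only usable from that host. Lastly, `nix.settings.trusted-users = ["deployerbot-main"]` makes this service account root-equivalent towards the Nix daemon; if it is there for `--accept-flake-config`, a comment such as `# trusted-users is needed for --accept-flake-config; note it is root-equivalent` would tell the next reader why the grant is acceptable.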
@@ -1,83 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  options.mj.services.updaterbot = with lib.types; {
-    enableMaster = lib.mkEnableOption "Enable system updater orchestrator";
-    enableDeployer = lib.mkEnableOption "Enable system updater deployer";
-    deployDerivations = lib.mkOption {type = listOf str;};
-    uidgid = lib.mkOption {type = int;};
-    repo = lib.mkOption {type = str;};
-  };
-
-  config = lib.mkIf config.mj.services.updaterbot.enableMaster {
-    users = {
-      users = {
-        # TODO: git config --global user.email updaterbot@jakstys.lt
-        # TODO: ssh-keygen -t ed25519
-        updaterbot = {
-          description = "Dear Updaterbot";
-          home = "/var/lib/updaterbot";
-          useDefaultShell = true;
-          group = "updaterbot";
-          isSystemUser = true;
-          createHome = true;
-          uid = config.mj.services.updaterbot.uidgid;
-        };
-      };
-
-      groups = {
-        updaterbot.gid = config.mj.services.updaterbot.uidgid;
-      };
-    };
-
-    systemd.services.updaterbot = {
-      description = "Update all known systems";
-      preStart = ''
-        if [[ -f .ssh/id_ed25519 ]]; then exit; fi
-
-        ${pkgs.openssh}/bin/ssh-keygen -N "" -t ed25519 -f .ssh/id_ed25519
-      '';
-      serviceConfig = {
-        Type = "oneshot";
-        User = "updaterbot";
-        WorkingDirectory = config.users.users.updaterbot.home;
-      };
-      script = let
-        deployDerivations = builtins.concatStringsSep " " config.mj.services.updaterbot.deployDerivations;
-      in ''
-        set -x
-        export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $HOME/.ssh/id_ed25519"
-        if [[ ! -d config ]]; then
-          ${pkgs.git}/bin/git clone ${config.mj.services.updaterbot.repo} config
-          cd config
-        else
-          cd config
-          ${pkgs.git}/bin/git fetch origin
-          ${pkgs.git}/bin/git reset --hard origin/main
-        fi
-
-        OLD_PATH=$PATH
-        export PATH=$PATH:${pkgs.git}/bin
-        ${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
-        ${pkgs.git}/bin/git push origin main
-        export PATH=$OLD_PATH
-
-        export PATH=$PATH:${pkgs.openssh}/bin:${pkgs.nix}/bin
-        exec ${pkgs.nix}/bin/nix run .#deploy-rs -- ${deployDerivations}
-      '';
-    };
-
-    #systemd.timers.updaterbot = {
-    #  description = "updaterbot timer";
-    #  wantedBy = ["timers.target"];
-    #  timerConfig.OnCalendar = "";
-    #};
-
-    mj.base.unitstatus.units = ["updaterbot"];
-
-    nix.settings.trusted-users = ["updaterbot"];
-  };
-}