updaterbot: move all to deployer
This commit is contained in:
parent
9e0bd48a22
commit
9de5120cc3
3
data.nix
3
data.nix
@ -3,7 +3,8 @@ rec {
|
|||||||
motiejus = 1000;
|
motiejus = 1000;
|
||||||
|
|
||||||
gitea = 995;
|
gitea = 995;
|
||||||
updaterbot = 501;
|
updaterbot-deployer = 501;
|
||||||
|
updaterbot-deployee = 502;
|
||||||
};
|
};
|
||||||
|
|
||||||
people_pubkeys = {
|
people_pubkeys = {
|
||||||
|
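Review bot: The new uidgid keys `updaterbot-deployer` and `updaterbot-deployee` do not match the accounts the module actually creates (`deployerbot-main` and `deployerbot-follower`), so a reader has to cross-reference the host config to learn which uid belongs to which user. Renaming the entries to `deployerbot-main = 501;` and `deployerbot-follower = 502;` keeps the uid table self-explanatory. The same rename applies to the two references in the services hunk, `uidgid = myData.uidgid.updaterbot-deployer;` and `uidgid = myData.uidgid.updaterbot-deployee;`.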
@ -111,12 +111,6 @@
|
|||||||
deploy.nodes.vno1-oh2 = {
|
deploy.nodes.vno1-oh2 = {
|
||||||
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
|
hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
|
||||||
profiles = {
|
profiles = {
|
||||||
#updaterbot = {
|
|
||||||
# sshUser = "updaterbot";
|
|
||||||
# path =
|
|
||||||
# deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vno1-oh2;
|
|
||||||
# user = "root";
|
|
||||||
#};
|
|
||||||
system = {
|
system = {
|
||||||
sshUser = "motiejus";
|
sshUser = "motiejus";
|
||||||
path =
|
path =
|
||||||
|
@ -63,13 +63,21 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
updaterbot = {
|
deployerbot = {
|
||||||
enableMaster = true;
|
main = {
|
||||||
uidgid = myData.uidgid.updaterbot;
|
enable = true;
|
||||||
|
uidgid = myData.uidgid.updaterbot-deployer;
|
||||||
repo = "git@git.jakstys.lt:motiejus/config";
|
repo = "git@git.jakstys.lt:motiejus/config";
|
||||||
deployDerivations = [".#vno1-oh2"];
|
deployDerivations = [".#vno1-oh2"];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
follower = {
|
||||||
|
enable = true;
|
||||||
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
|
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
postfix = {
|
postfix = {
|
||||||
enable = true;
|
enable = true;
|
||||||
saslPasswdPath = config.age.secrets.sasl-passwd.path;
|
saslPasswdPath = config.age.secrets.sasl-passwd.path;
|
||||||
|
@ -5,9 +5,9 @@
|
|||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
./deployerbot
|
||||||
./postfix
|
./postfix
|
||||||
./syncthing
|
./syncthing
|
||||||
./updaterbot
|
|
||||||
./zfsunlock
|
./zfsunlock
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
99
modules/services/deployerbot/default.nix
Normal file
99
modules/services/deployerbot/default.nix
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
options.mj.services.deployerbot.main = with lib.types; {
|
||||||
|
enable = lib.mkEnableOption "Enable system updater orchestrator";
|
||||||
|
deployDerivations = lib.mkOption {type = listOf str;};
|
||||||
|
uidgid = lib.mkOption {type = int;};
|
||||||
|
repo = lib.mkOption {type = str;};
|
||||||
|
};
|
||||||
|
|
||||||
|
options.mj.services.deployerbot.follower = with lib.types; {
|
||||||
|
enable = lib.mkEnableOption "Allow system to be deployed with deployerbot";
|
||||||
|
publicKey = lib.mkOption {type = str;};
|
||||||
|
uidgid = lib.mkOption {type = int;};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkMerge [
|
||||||
|
(with config.mj.services.deployerbot.main;
|
||||||
|
lib.mkIf enable {
|
||||||
|
# TODO: git config --global user.email bot@jakstys.lt
|
||||||
|
users.users.deployerbot-main = {
|
||||||
|
description = "Deployerbot Main";
|
||||||
|
home = "/var/lib/deployerbot-main";
|
||||||
|
useDefaultShell = true;
|
||||||
|
group = "deployerbot-main";
|
||||||
|
isSystemUser = true;
|
||||||
|
createHome = true;
|
||||||
|
uid = uidgid;
|
||||||
|
};
|
||||||
|
users.groups.deployerbot-main.gid = uidgid;
|
||||||
|
|
||||||
|
systemd.services.deployerbot = {
|
||||||
|
description = "Update all known systems";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "deployerbot-main";
|
||||||
|
WorkingDirectory = config.users.users.deployerbot-main.home;
|
||||||
|
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
};
|
||||||
|
script = let
|
||||||
|
deployDerivationsStr = builtins.concatStringsSep " " deployDerivations;
|
||||||
|
in ''
|
||||||
|
set -x
|
||||||
|
export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
|
||||||
|
if [[ ! -d config ]]; then
|
||||||
|
${pkgs.git}/bin/git clone ${repo} config
|
||||||
|
cd config
|
||||||
|
else
|
||||||
|
cd config
|
||||||
|
${pkgs.git}/bin/git fetch origin
|
||||||
|
${pkgs.git}/bin/git reset --hard origin/main
|
||||||
|
fi
|
||||||
|
|
||||||
|
OLD_PATH=$PATH
|
||||||
|
export PATH=$PATH:${pkgs.git}/bin
|
||||||
|
${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
|
||||||
|
${pkgs.git}/bin/git push origin main
|
||||||
|
export PATH=$OLD_PATH
|
||||||
|
|
||||||
|
export PATH=$PATH:${pkgs.git}/bin:${pkgs.openssh}/bin:${pkgs.nix}/bin
|
||||||
|
exec ${pkgs.nix}/bin/nix run .#deploy-rs -- \
|
||||||
|
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
|
||||||
|
--ssh-user=deployerbot-follower \
|
||||||
|
${deployDerivationsStr}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
#systemd.timers.deployerbot = {
|
||||||
|
# description = "deployerbot-main timer";
|
||||||
|
# wantedBy = ["timers.target"];
|
||||||
|
# timerConfig.OnCalendar = "";
|
||||||
|
#};
|
||||||
|
|
||||||
|
mj.base.unitstatus.units = ["deployerbot"];
|
||||||
|
|
||||||
|
nix.settings.trusted-users = ["deployerbot-main"];
|
||||||
|
})
|
||||||
|
(with config.mj.services.deployerbot.follower;
|
||||||
|
lib.mkIf enable {
|
||||||
|
users.users = {
|
||||||
|
deployerbot-follower = {
|
||||||
|
description = "Deployerbot Follower";
|
||||||
|
home = "/var/lib/deployerbot-follower";
|
||||||
|
useDefaultShell = true;
|
||||||
|
group = "deployerbot-follower";
|
||||||
|
extraGroups = ["wheel"];
|
||||||
|
isSystemUser = true;
|
||||||
|
createHome = true;
|
||||||
|
uid = uidgid;
|
||||||
|
openssh.authorizedKeys.keys = [publicKey];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
users.groups.deployerbot-follower.gid = uidgid;
|
||||||
|
})
|
||||||
|
];
|
||||||
|
}
|
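Review bot: `deployDerivationsStr` is built with `builtins.concatStringsSep " "` and spliced unquoted into the `exec ${pkgs.nix}/bin/nix run .#deploy-rs` line, so any element of the `listOf str` option containing whitespace or shell metacharacters is re-split by bash; `deployDerivationsStr = lib.escapeShellArgs deployDerivations;` avoids that, and `${lib.escapeShellArg repo}` on the clone line does the same for `repo`. Two trust decisions in this file deserve a comment because nothing else records them: `nix.settings.trusted-users = ["deployerbot-main"]` together with `--accept-flake-config` lets a flake fetched by `git reset --hard origin/main` configure substituters and trusted keys for the daemon, and the follower's `extraGroups = ["wheel"]` plus `openssh.authorizedKeys.keys = [publicKey]` makes the orchestrator's ssh host key (exposed to the service via `LoadCredential`) the credential for an administrative account on every follower. I would add above `systemd.services.deployerbot`: `# Authenticates with this host's ed25519 host key; write access to ${repo} or that key is sufficient to deploy to every follower.` Whether wheel membership actually gives the follower passwordless sudo for deploy-rs activation depends on `security.sudo` settings outside this file, so confirm that before relying on it.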
@ -1,83 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.mj.services.updaterbot = with lib.types; {
|
|
||||||
enableMaster = lib.mkEnableOption "Enable system updater orchestrator";
|
|
||||||
enableDeployer = lib.mkEnableOption "Enable system updater deployer";
|
|
||||||
deployDerivations = lib.mkOption {type = listOf str;};
|
|
||||||
uidgid = lib.mkOption {type = int;};
|
|
||||||
repo = lib.mkOption {type = str;};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf config.mj.services.updaterbot.enableMaster {
|
|
||||||
users = {
|
|
||||||
users = {
|
|
||||||
# TODO: git config --global user.email updaterbot@jakstys.lt
|
|
||||||
# TODO: ssh-keygen -t ed25519
|
|
||||||
updaterbot = {
|
|
||||||
description = "Dear Updaterbot";
|
|
||||||
home = "/var/lib/updaterbot";
|
|
||||||
useDefaultShell = true;
|
|
||||||
group = "updaterbot";
|
|
||||||
isSystemUser = true;
|
|
||||||
createHome = true;
|
|
||||||
uid = config.mj.services.updaterbot.uidgid;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
groups = {
|
|
||||||
updaterbot.gid = config.mj.services.updaterbot.uidgid;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.updaterbot = {
|
|
||||||
description = "Update all known systems";
|
|
||||||
preStart = ''
|
|
||||||
if [[ -f .ssh/id_ed25519 ]]; then exit; fi
|
|
||||||
|
|
||||||
${pkgs.openssh}/bin/ssh-keygen -N "" -t ed25519 -f .ssh/id_ed25519
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
User = "updaterbot";
|
|
||||||
WorkingDirectory = config.users.users.updaterbot.home;
|
|
||||||
};
|
|
||||||
script = let
|
|
||||||
deployDerivations = builtins.concatStringsSep " " config.mj.services.updaterbot.deployDerivations;
|
|
||||||
in ''
|
|
||||||
set -x
|
|
||||||
export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $HOME/.ssh/id_ed25519"
|
|
||||||
if [[ ! -d config ]]; then
|
|
||||||
${pkgs.git}/bin/git clone ${config.mj.services.updaterbot.repo} config
|
|
||||||
cd config
|
|
||||||
else
|
|
||||||
cd config
|
|
||||||
${pkgs.git}/bin/git fetch origin
|
|
||||||
${pkgs.git}/bin/git reset --hard origin/main
|
|
||||||
fi
|
|
||||||
|
|
||||||
OLD_PATH=$PATH
|
|
||||||
export PATH=$PATH:${pkgs.git}/bin
|
|
||||||
${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
|
|
||||||
${pkgs.git}/bin/git push origin main
|
|
||||||
export PATH=$OLD_PATH
|
|
||||||
|
|
||||||
export PATH=$PATH:${pkgs.openssh}/bin:${pkgs.nix}/bin
|
|
||||||
exec ${pkgs.nix}/bin/nix run .#deploy-rs -- ${deployDerivations}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
#systemd.timers.updaterbot = {
|
|
||||||
# description = "updaterbot timer";
|
|
||||||
# wantedBy = ["timers.target"];
|
|
||||||
# timerConfig.OnCalendar = "";
|
|
||||||
#};
|
|
||||||
|
|
||||||
mj.base.unitstatus.units = ["updaterbot"];
|
|
||||||
|
|
||||||
nix.settings.trusted-users = ["updaterbot"];
|
|
||||||
};
|
|
||||||
}
|
|