implicit ssh
This commit is contained in:
parent
e4c1a77353
commit
8b85c15df1
7 changed files with 4 additions and 37 deletions
@ -55,9 +55,6 @@ in
|
||||||
COMPRESS_OFFLINE = true;
|
COMPRESS_OFFLINE = true;
|
||||||
LIBSASS_OUTPUT_STYLE = "compressed";
|
LIBSASS_OUTPUT_STYLE = "compressed";
|
||||||
};
|
};
|
||||||
environment = {
|
|
||||||
SSH_PRIVATE_KEY_FILE = config.age.secrets.panel-ssh-key.path;
|
|
||||||
};
|
|
||||||
secrets = {
|
secrets = {
|
||||||
SECRET_KEY = config.age.secrets.panel-secret-key.path;
|
SECRET_KEY = config.age.secrets.panel-secret-key.path;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,6 @@ $ nix-shell
|
||||||
$ eval "$(ssh-agent -s)"
|
$ eval "$(ssh-agent -s)"
|
||||||
# set your ssh key, e.g.:
|
# set your ssh key, e.g.:
|
||||||
$ ssh_key="$(readlink -f ~/.ssh/id_ed25519)"
|
$ ssh_key="$(readlink -f ~/.ssh/id_ed25519)"
|
||||||
$ echo "{\"ssh_private_key_file\": \"${ssh_key}\", \"deploy_environment\": {\"SSH_AUTH_SOCK\": \"${SSH_AUTH_SOCK}\"}}" > .auto.tfvars.json
|
|
||||||
$ rm -rf .terraform/
|
$ rm -rf .terraform/
|
||||||
$ tofu init
|
$ tofu init
|
||||||
```
|
```
|
||||||
|
|
|
||||||
|
|
@ -47,18 +47,6 @@ variable "initialUser" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "ssh_private_key_file" {
|
|
||||||
type = string
|
|
||||||
description = "Path to private key used to connect to the target_host"
|
|
||||||
default = ""
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "deploy_environment" {
|
|
||||||
type = map(string)
|
|
||||||
description = "Extra environment variables to be set during deployment."
|
|
||||||
default = {}
|
|
||||||
}
|
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
system = "x86_64-linux"
|
system = "x86_64-linux"
|
||||||
pins = jsondecode(file("${path.module}/.npins.json"))
|
pins = jsondecode(file("${path.module}/.npins.json"))
|
||||||
|
|
@ -107,7 +95,6 @@ resource "terraform_data" "nixos" {
|
||||||
|
|
||||||
triggers_replace = [
|
triggers_replace = [
|
||||||
data.external.hash.result,
|
data.external.hash.result,
|
||||||
var.deploy_environment,
|
|
||||||
var.domain,
|
var.domain,
|
||||||
var.initialUser,
|
var.initialUser,
|
||||||
local.system,
|
local.system,
|
||||||
|
|
@ -117,9 +104,9 @@ resource "terraform_data" "nixos" {
|
||||||
|
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
working_dir = path.root
|
working_dir = path.root
|
||||||
environment = merge(var.deploy_environment, {
|
environment = {
|
||||||
NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"]),
|
NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"]),
|
||||||
})
|
}
|
||||||
# TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
|
# TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
|
||||||
# TODO: build on target?
|
# TODO: build on target?
|
||||||
command = <<-EOF
|
command = <<-EOF
|
||||||
|
|
@ -169,7 +156,6 @@ resource "terraform_data" "nixos" {
|
||||||
sshOpts=(
|
sshOpts=(
|
||||||
-o StrictHostKeyChecking=no
|
-o StrictHostKeyChecking=no
|
||||||
-o BatchMode=yes
|
-o BatchMode=yes
|
||||||
-o "IdentityFile='${var.ssh_private_key_file}'"
|
|
||||||
)
|
)
|
||||||
outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
|
outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
|
||||||
NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
|
NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
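Review bot: With the IdentityFile entry gone, the sshOpts array on the new side still pairs `-o StrictHostKeyChecking=no` with `-o BatchMode=yes`, so nix-copy-closure now authenticates with whatever identity the ambient agent or the default key files offer while never verifying the target's host key. Keeping private key material out of Terraform variables is an improvement, but the copy to "$host" remains exposed to a substituted host; `-o StrictHostKeyChecking=accept-new` is the minimum, and a pinned `-o UserKnownHostsFile=<path to a committed known_hosts file>` makes a host-key change fail the deployment loudly. The TODO at the `environment` block in the earlier hunk about keeping sensitive data out of error logs is untouched by this change. The `command = <<-EOF` heredoc that contains sshOpts starts and ends outside this hunk.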
|
||||||
|
|
|
||||||
|
|
@ -13,5 +13,4 @@
|
||||||
pkgs.jaq # tf
|
pkgs.jaq # tf
|
||||||
(import ../launch/tf.nix { inherit lib pkgs; })
|
(import ../launch/tf.nix { inherit lib pkgs; })
|
||||||
];
|
];
|
||||||
SSH_PRIVATE_KEY_FILE = "";
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -130,10 +130,6 @@ in
|
||||||
Contents will be appended to the definitions in `settings`.
|
Contents will be appended to the definitions in `settings`.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
environment = mkOption {
|
|
||||||
type = types.attrs;
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
type = types.attrsOf types.path;
|
type = types.attrsOf types.path;
|
||||||
default = { };
|
default = { };
|
||||||
|
|
@ -212,7 +208,7 @@ in
|
||||||
# - manipulation should be straightforward in both places; e.g. dumping secrets to a directory that is not git-tracked and adding values to an attrset otherwise
|
# - manipulation should be straightforward in both places; e.g. dumping secrets to a directory that is not git-tracked and adding values to an attrset otherwise
|
||||||
# - error detection and correction; it should be clear where and why one messed up so it can be fixed immediately
|
# - error detection and correction; it should be clear where and why one messed up so it can be fixed immediately
|
||||||
# We may also want to test the development environment in CI in order to make sure that we don't break it inadvertently, because misconfiguration due to multiplpe sources of truth wastes a lot of time.
|
# We may also want to test the development environment in CI in order to make sure that we don't break it inadvertently, because misconfiguration due to multiplpe sources of truth wastes a lot of time.
|
||||||
environment = environment // cfg.environment;
|
inherit environment;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,6 @@ https://docs.djangoproject.com/en/4.2/ref/settings/
|
||||||
|
|
||||||
import re
|
import re
|
||||||
import sys
|
import sys
|
||||||
import subprocess
|
|
||||||
import os
|
import os
|
||||||
import json
|
import json
|
||||||
import importlib.util
|
import importlib.util
|
||||||
|
|
@ -249,12 +248,3 @@ bin_path=env['BIN_PATH']
|
||||||
# path of the root flake to trigger nixops from, see #94.
|
# path of the root flake to trigger nixops from, see #94.
|
||||||
# to deploy this should be specified, for dev just use a relative path.
|
# to deploy this should be specified, for dev just use a relative path.
|
||||||
repo_dir = env["REPO_DIR"]
|
repo_dir = env["REPO_DIR"]
|
||||||
|
|
||||||
output = subprocess.run(["ssh-agent"], capture_output=True, text=True, env={"PATH": bin_path}).stdout
|
|
||||||
ssh_auth_sock = re.search("(?<==)([^;]*)", output)[1]
|
|
||||||
ENV_VARS = {
|
|
||||||
"ssh_private_key_file": env["SSH_PRIVATE_KEY_FILE"],
|
|
||||||
"deploy_environment": {
|
|
||||||
"SSH_AUTH_SOCK": ssh_auth_sock,
|
|
||||||
},
|
|
||||||
}
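Review bot: After this hunk the settings module establishes no SSH credential for the deployment subprocess at all, neither a key path nor an SSH_AUTH_SOCK, so the panel's ssh calls depend entirely on the environment the service process inherits and nothing here documents or checks that. A comment next to `repo_dir = env["REPO_DIR"]` would save the next maintainer a hunt, e.g. `# SSH auth for deployment is implicit: the service's own SSH_AUTH_SOCK / default identity is used; no key is configured here.` Presumably the service definition for the panel is expected to provide that socket; worth confirming, because a missing agent now surfaces only as a failure inside the deploy subprocess. If any other module still reads `settings.ENV_VARS`, it will now raise AttributeError, which cannot be checked from this page.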
|
|
||||||
|
|
|
||||||
|
|
@ -145,7 +145,7 @@ class DeploymentStatus(ConfigurationForm):
|
||||||
} | {
|
} | {
|
||||||
# pass in form info to our deployment
|
# pass in form info to our deployment
|
||||||
# FIXME: ensure sensitive info is protected
|
# FIXME: ensure sensitive info is protected
|
||||||
f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in (settings.ENV_VARS | deployment_params).items()
|
f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items()
|
||||||
}
|
}
|
||||||
logger.info("env: %s", env)
|
logger.info("env: %s", env)
|
||||||
cwd = f"{settings.repo_dir}/launch"
|
cwd = f"{settings.repo_dir}/launch"
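Review bot: The rewritten comprehension builds `env` entirely from `deployment_params`, i.e. from form input, and the unchanged `logger.info("env: %s", env)` two lines below then writes every `TF_VAR_*` value to the log at INFO, which is exactly what the `# FIXME: ensure sensitive info is protected` comment above warns about. Log only the keys, `logger.info("env keys: %s", sorted(env))`, or move the value dump to `logger.debug` with a redaction step. The method of DeploymentStatus that builds `env` starts before and continues after this hunk.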
|
||||||
|
|
|
||||||