author | Alex Auvolat <alex@adnab.me> | 2022-04-20 13:01:51 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-04-20 13:03:29 +0200 |
commit | 9c9c776213478023d4cab6290efcb6adfdbbbe86 (patch) | |
tree | 85ae8d2c3dac9c01daf5a1524b8a4ff83b84df70 | |
parent | 50e9f0b589b6387d193fcb420ddc045c0bc6d632 (diff) | |
Refactor deployment scripts
-rw-r--r-- | README.md | 5 | ||||
-rwxr-xr-x | deploy.sh | 91 | ||||
-rwxr-xr-x | deploy_nixos | 12 | ||||
-rwxr-xr-x | deploy_pki | 34 | ||||
-rwxr-xr-x | sshtool | 83 | ||||
-rwxr-xr-x | upgrade.sh | 51 | ||||
-rwxr-xr-x | upgrade_nixos | 11 |
7 files changed, 143 insertions, 144 deletions
@@ -10,9 +10,10 @@ It sets up the following:
 The following scripts are available here:
+- `deploy_nixos`, the main script that updates the NixOS config
 - `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
-- `deploy.sh`, the main script that updates the NixOS config and sets up all of the TLS secrets
-- `upgrade.sh`, a script to upgrade NixOS
+- `deploy_pki`, a script that sets up all of the TLS secrets
+- `upgrade_nixos`, a script to upgrade NixOS
 - `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
 - `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
diff --git a/deploy.sh b/deploy.sh
deleted file mode 100755
index 8dcf3a8..0000000
--- a/deploy.sh
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-
-# Get cluster subdirectory name
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 <cluster name>"
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-shift 1
-
-# Do actual stuff
-
-if [ -z "$1" ]; then
- NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
-else
- NIXHOSTLIST="$@"
-fi
-
-TMP_PATH=/tmp/tmp-deploy-$(date +%s)
-SSH_CONFIG=cluster/$CLUSTER/ssh_config
-YEAR=$(date +%Y)
-
-for NIXHOST in $NIXHOSTLIST; do
- NIXHOST=${NIXHOST%.*}
-
- if [ -z "$SSH_USER" ]; then
- SSH_DEST=$NIXHOST
- else
- SSH_DEST=$SSH_USER@$NIXHOST
- fi
-
- echo "==== DOING $NIXHOST ===="
-
- echo "Sending NixOS config files"
-
- ssh -F $SSH_CONFIG $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
- cat nix/configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
- cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
- cat nix/remote-unlock.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/remote-unlock.nix > /dev/null
- cat nix/wesher.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher.nix > /dev/null
- cat nix/wesher_service.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher_service.nix > /dev/null
- cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
- cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
- cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
-
- echo "Sending secret files"
- for SECRET in pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key \
- pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
- pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
- test -f cluster/$CLUSTER/secrets/$SECRET && (cat cluster/$CLUSTER/secrets/$SECRET | ssh -F $SSH_CONFIG $SSH_DEST tee 
$TMP_PATH/$SECRET > /dev/null)
- done
-
- echo "Rebuilding NixOS"
-
- ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <<EOF
-set -ex
-
-cd $TMP_PATH
-mv deuxfleurs.nix remote-unlock.nix wesher.nix wesher_service.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
-
-nixos-rebuild switch
-
-mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
-
-if [ -f pki/consul-ca.crt ]; then
- cp pki/consul* /var/lib/nomad/pki
- mv pki/consul* /var/lib/consul/pki
- chown -R consul:root /var/lib/consul/pki
-fi
-
-if [ -f pki/nomad-ca.crt ]; then
- mv pki/nomad* /var/lib/nomad/pki
-fi
-
-# Save up-to-date Consul client certificates in Consul itself
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
-consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
-consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
-consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
-EOF
-
- ssh -t -F $SSH_CONFIG $SSH_DEST sudo sh $TMP_PATH/deploy.sh
- ssh -F $SSH_CONFIG $SSH_DEST rm -rv '/tmp/tmp-deploy-*'
-done
diff --git a/deploy_nixos b/deploy_nixos
new file mode 100755
index 0000000..484bead
--- /dev/null
+++ b/deploy_nixos
@@ -0,0 +1,12 @@
+#!/usr/bin/env ./sshtool
+
+copy nix/configuration.nix /etc/nixos/configuration.nix
+copy nix/deuxfleurs.nix /etc/nixos/deuxfleurs.nix
+copy nix/remote-unlock.nix /etc/nixos/remote-unlock.nix
+copy nix/wesher.nix /etc/nixos/wesher.nix
+copy nix/wesher_service.nix /etc/nixos/wesher_service.nix
+copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
+copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
+copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
+
+cmd nixos-rebuild switch
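Review bot: Nothing stops the generated remote script on error: sshtool runs the command file under `sudo -A sh -` with no `set -e`, so in `deploy_nixos` a failed `copy` (a missing `$NIXHOST.site.nix` makes `$(base64 <$FROM)` expand to nothing and the remote `tee` writes an empty file) still reaches `cmd nixos-rebuild switch`. The deleted deploy.sh had `set -ex` in its remote script, so this is a regression of the refactor. The same applies to `deploy_pki` (consul and nomad are restarted even if the key copies failed) and `upgrade_nixos` (`cmd reboot` runs after a failed `nixos-rebuild boot`). A one-line fix per command file is `cmd set -e` right after the shebang, or have sshtool's `header` emit `set -e` so every command file gets it.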
diff --git a/deploy_pki b/deploy_pki
new file mode 100755
index 0000000..fffb3d0
--- /dev/null
+++ b/deploy_pki
@@ -0,0 +1,34 @@
+#!/usr/bin/env ./sshtool
+
+PKI=cluster/$CLUSTER/secrets/pki
+YEAR=$(date +%Y)
+
+cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
+ if [ -f "$PKI/$file" ]; then
+ copy $PKI/$file /var/lib/consul/pki/$file
+ cmd chown consul:root /var/lib/consul/pki/$file
+ cmd chmod 0400 /var/lib/consul/pki/$file
+ fi
+done
+
+cmd systemctl restart consul
+cmd sleep 10
+
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YER.key; do
+ if [ -f "$PKI/$file" ]; then
+ copy $PKI/$file /var/lib/nomad/pki/$file
+ fi
+done
+
+cmd systemctl restart nomad
+
+set_env CONSUL_HTTP_ADDR=https://localhost:8501
+set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+
+cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
+cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
+cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"
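Review bot: `nomad$YER.key` in the second `for` list is a typo for `nomad$YEAR.key`; `$YER` is unset, so the loop looks for `nomad.key`, the `-f` test is false and the nomad private key is silently never deployed — change it to `nomad$YEAR.key`. The nomad files also get no permission tightening, unlike the consul loop: `copy` writes them through `tee` inside the `sudo` shell with whatever umask root has, so the key presumably ends up group/world-readable; add `cmd chmod 0400 /var/lib/nomad/pki/$file` after the copy (plus the matching `chown` if nomad does not run as root — its service user is not visible here). A `message` in an `else` branch would also make a missing secret visible instead of skipped, which is how the `$YER` typo went unnoticed.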
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+cd $(dirname $0)
+
+CMDFILE="$1"
+shift 1
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $CMDFILE <cluster name>"
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+shift 1
+
+if [ -z "$1" ]; then
+ NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
+else
+ NIXHOSTLIST="$@"
+fi
+
+if [ -z "$ROOT_PASS" ]; then
+ read -s -p "Enter remote root password: " ROOT_PASS
+ echo
+fi
+
+SSH_CONFIG=cluster/$CLUSTER/ssh_config
+
+function header {
+ cat <<EOF
+export DEPLOYTOOL_ROOT_PASSWORD=$ROOT_PASS
+cat > /tmp/deploytool_askpass <<EOG
+#!/usr/bin/env sh
+echo \$DEPLOYTOOL_ROOT_PASSWORD
+EOG
+chmod +x /tmp/deploytool_askpass
+export SUDO_ASKPASS=/tmp/deploytool_askpass
+sudo -A sh - <<EOEVERYTHING
+EOF
+}
+
+function footer {
+ echo EOEVERYTHING
+}
+
+function message {
+ echo "echo '$@'"
+}
+
+function cmd {
+ echo "echo '- run $@'"
+ echo "$@"
+}
+
+function set_env {
+ echo "echo '- set $@'"
+ echo "export $@"
+}
+
+function copy {
+ local FROM=$1
+ local TO=$2
+ cat <<EOF
+echo '- write $TO from $FROM'
+base64 -d <<EOG | tee $TO > /dev/null
+$(base64 <$FROM)
+EOG
+EOF
+}
+
+for NIXHOST in $NIXHOSTLIST; do
+ NIXHOST=${NIXHOST%.*}
+
+ if [ -z "$SSH_USER" ]; then
+ SSH_DEST=$NIXHOST
+ else
+ SSH_DEST=$SSH_USER@$NIXHOST
+ fi
+
+ echo "==== DOING $NIXHOST ===="
+
+ (header; . $CMDFILE; footer) | ssh -F $SSH_CONFIG $SSH_DEST sh -
+done
diff --git a/upgrade.sh b/upgrade.sh
deleted file mode 100755
index cb45924..0000000
--- a/upgrade.sh
+++ /dev/null
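Review bot: `header` leaves the root password in a readable file on every node: the remote `cat > /tmp/deploytool_askpass <<EOG` heredoc is unquoted, so the remote sh expands `$DEPLOYTOOL_ROOT_PASSWORD` while writing the helper, the file ends up containing `echo <password>` literally, `chmod +x` leaves it at the default umask (presumably 0755), the path is fixed and shared in `/tmp`, and nothing deletes it afterwards. The `export DEPLOYTOOL_ROOT_PASSWORD=$ROOT_PASS` line is also unquoted, so a password with spaces or shell metacharacters is split or interpreted by the remote shell. Quote the inner heredoc delimiter so the helper reads the variable only at run time, create it with `mktemp` and mode 0700, single-quote the exported value, and have `footer` remove it. The password still travels in the script stream and in the remote environment; a passwordless `sudo` rule for the deploy user would avoid that entirely, but that is a policy choice outside this hunk.
```shell
function header {
  # Single-quote the password so the remote sh neither splits nor expands it.
  local quoted
  quoted=$(printf '%s' "$ROOT_PASS" | sed "s/'/'\\\\''/g")
  cat <<EOF
export DEPLOYTOOL_ROOT_PASSWORD='$quoted'
DEPLOYTOOL_ASKPASS=\$(mktemp /tmp/deploytool_askpass.XXXXXX)
cat > "\$DEPLOYTOOL_ASKPASS" <<'EOG'
#!/usr/bin/env sh
printf '%s\n' "\$DEPLOYTOOL_ROOT_PASSWORD"
EOG
chmod 0700 "\$DEPLOYTOOL_ASKPASS"
export SUDO_ASKPASS=\$DEPLOYTOOL_ASKPASS
sudo -A sh - <<EOEVERYTHING
EOF
}

function footer {
  echo EOEVERYTHING
  # Runs as the SSH user after the sudo heredoc closes; removes the helper it created.
  echo 'rm -f "$DEPLOYTOOL_ASKPASS"'
}
# … unchanged: message, cmd, set_env, copy and the per-host loop …
```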
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-
-# Get cluster subdirectory name
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 <cluster name>"
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-shift 1
-
-# Do actual stuff
-
-if [ -z "$@" ]; then
- NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
-else
- NIXHOSTLIST="$@"
-fi
-
-TMP_SCRIPT=/tmp/tmp-upgrade-$(date +%s).sh
-SSH_CONFIG=cluster/$CLUSTER/ssh_config
-
-for NIXHOST in $NIXHOSTLIST; do
- NIXHOST=${NIXHOST%.*}
-
- if [ -z "$SSH_USER" ]; then
- SSH_DEST=$NIXHOST
- else
- SSH_DEST=$SSH_USER@$NIXHOST
- fi
-
- echo "==== DOING $NIXHOST ===="
-
- ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_SCRIPT > /dev/null <<EOF
-set -ex
-
-nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
-nix-channel --update
-nixos-rebuild boot
-EOF
-
- read -p "Press Enter to continue (run upgrade on $NIXHOST)..."
- ssh -t -F $SSH_CONFIG $SSH_DEST sudo sh $TMP_SCRIPT
- ssh -F $SSH_CONFIG $SSH_DEST rm -v $TMP_SCRIPT
-
- read -p "Press Enter to continue (reboot $NIXHOST)..."
- ssh -t -F $SSH_CONFIG $SSH_DEST sudo reboot
-done
diff --git a/upgrade_nixos b/upgrade_nixos
new file mode 100755
index 0000000..fd6cc62
--- /dev/null
+++ b/upgrade_nixos
@@ -0,0 +1,11 @@
+#!/usr/bin/env ./sshtool
+
+cmd nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
+cmd nix-channel --update
+cmd nixos-rebuild boot
+
+if [ "$REBOOT_NODES" = "yes" ]; then
+ cmd reboot
+else
+ message "Node will not reboot, use \"REBOOT_NODES=yes $CMDFILE\" to reboot nodes when they finish upgrading."
+fi |
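Review bot: With `REBOOT_NODES=yes`, `cmd reboot` is sent to every host in `NIXHOSTLIST` back-to-back, because sshtool's loop moves to the next node as soon as the ssh session ends, whereas the deleted upgrade.sh paused with `read -p` before each reboot. For a Consul/Nomad cluster this presumably reboots all members before the first one is back — confirm that is intended. If it is not, a local `read -r -p "Press Enter to reboot $NIXHOST..." _` placed before `cmd reboot` appears to reach the operator's terminal, since sshtool sources the command file in a subshell that inherits stdin and the prompt goes to stderr rather than into the pipe — verify this against a real run before relying on it.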