From 9c9c776213478023d4cab6290efcb6adfdbbbe86 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 20 Apr 2022 13:01:51 +0200 Subject: [PATCH] Refactor deployment scripts --- README.md | 5 +-- deploy.sh | 91 --------------------------------------------------- deploy_nixos | 12 +++++++ deploy_pki | 34 +++++++++++++++++++ sshtool | 83 ++++++++++++++++++++++++++++++++++++++++++++++ upgrade.sh | 51 ----------------------------- upgrade_nixos | 11 +++++++ 7 files changed, 143 insertions(+), 144 deletions(-) delete mode 100755 deploy.sh create mode 100755 deploy_nixos create mode 100755 deploy_pki create mode 100755 sshtool delete mode 100755 upgrade.sh create mode 100755 upgrade_nixos diff --git a/README.md b/README.md index 9204a23..d993362 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,10 @@ It sets up the following: The following scripts are available here: +- `deploy_nixos`, the main script that updates the NixOS config - `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only) -- `deploy.sh`, the main script that updates the NixOS config and sets up all of the TLS secrets -- `upgrade.sh`, a script to upgrade NixOS +- `deploy_pki`, a script that sets up all of the TLS secrets +- `upgrade_nixos`, a script to upgrade NixOS - `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat - `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS diff --git a/deploy.sh b/deploy.sh deleted file mode 100755 index 8dcf3a8..0000000 --- a/deploy.sh +++ /dev/null 
@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-
-# Get cluster subdirectory name
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 "
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-shift 1
-
-# Do actual stuff
-
-if [ -z "$1" ]; then
- NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
-else
- NIXHOSTLIST="$@"
-fi
-
-TMP_PATH=/tmp/tmp-deploy-$(date +%s)
-SSH_CONFIG=cluster/$CLUSTER/ssh_config
-YEAR=$(date +%Y)
-
-for NIXHOST in $NIXHOSTLIST; do
- NIXHOST=${NIXHOST%.*}
-
- if [ -z "$SSH_USER" ]; then
- SSH_DEST=$NIXHOST
- else
- SSH_DEST=$SSH_USER@$NIXHOST
- fi
-
- echo "==== DOING $NIXHOST ===="
-
- echo "Sending NixOS config files"
-
- ssh -F $SSH_CONFIG $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
- cat nix/configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
- cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
- cat nix/remote-unlock.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/remote-unlock.nix > /dev/null
- cat nix/wesher.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher.nix > /dev/null
- cat nix/wesher_service.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher_service.nix > /dev/null
- cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
- cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
- cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
-
- echo "Sending secret files"
- for SECRET in pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key \
- pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
- pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
- test -f cluster/$CLUSTER/secrets/$SECRET && (cat cluster/$CLUSTER/secrets/$SECRET | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/$SECRET > 
/dev/null) - done - - echo "Rebuilding NixOS" - - ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <" + echo "The cluster name must be the name of a subdirectory of cluster/" + exit 1 +fi +shift 1 + +if [ -z "$1" ]; then + NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.') +else + NIXHOSTLIST="$@" +fi + +if [ -z "$ROOT_PASS" ]; then + read -s -p "Enter remote root password: " ROOT_PASS + echo +fi + +SSH_CONFIG=cluster/$CLUSTER/ssh_config + +function header { + cat < /tmp/deploytool_askpass < /dev/null +$(base64 <$FROM) +EOG +EOF +} + +for NIXHOST in $NIXHOSTLIST; do + NIXHOST=${NIXHOST%.*} + + if [ -z "$SSH_USER" ]; then + SSH_DEST=$NIXHOST + else + SSH_DEST=$SSH_USER@$NIXHOST + fi + + echo "==== DOING $NIXHOST ====" + + (header; . $CMDFILE; footer) | ssh -F $SSH_CONFIG $SSH_DEST sh - +done diff --git a/upgrade.sh b/upgrade.sh deleted file mode 100755 index cb45924..0000000 --- a/upgrade.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env bash - -# Get cluster subdirectory name - -cd $(dirname $0) - -CLUSTER="$1" -if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then - echo "Usage: $0 " - echo "The cluster name must be the name of a subdirectory of cluster/" - exit 1 -fi -shift 1 - -# Do actual stuff - -if [ -z "$@" ]; then - NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.') -else - NIXHOSTLIST="$@" -fi - -TMP_SCRIPT=/tmp/tmp-upgrade-$(date +%s).sh -SSH_CONFIG=cluster/$CLUSTER/ssh_config - -for NIXHOST in $NIXHOSTLIST; do - NIXHOST=${NIXHOST%.*} - - if [ -z "$SSH_USER" ]; then - SSH_DEST=$NIXHOST - else - SSH_DEST=$SSH_USER@$NIXHOST - fi - - echo "==== DOING $NIXHOST ====" - - ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_SCRIPT > /dev/null <
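Review bot: The askpass helper is dropped at the fixed path `/tmp/deploytool_askpass` (the `cat < /tmp/deploytool_askpass <` line inside the `header` heredoc that is piped to `ssh -F $SSH_CONFIG $SSH_DEST sh -`), i.e. a predictable name in a world-writable directory on the remote host, and since the only secret in scope is the `ROOT_PASS` collected with `read -s` a few lines above, that file appears to carry the root password in plaintext for the duration of the run. Create it with `mktemp` under `umask 077` on the remote side and remove it from a `trap ... EXIT` once the privileged command has finished, or avoid the file entirely and feed the password on stdin (`sudo -S`). Two quoting issues carry over from the deleted scripts: `$(base64 <$FROM)` and `NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')` both word-split on paths, so a filename containing whitespace silently targets the wrong host or file. The beginning of this hunk and the `deploy_nixos`/`deploy_pki` hunks are not visible here (the listing is tag-stripped), so the exact heredoc nesting is inferred from the surviving fragments.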