Refactor deployment scripts
parent
50e9f0b589
commit
9c9c776213
7 changed files with 143 additions and 144 deletions
|
@ -10,9 +10,10 @@ It sets up the following:
|
||||||
|
|
||||||
The following scripts are available here:
|
The following scripts are available here:
|
||||||
|
|
||||||
|
- `deploy_nixos`, the main script that updates the NixOS config
|
||||||
- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
|
- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
|
||||||
- `deploy.sh`, the main script that updates the NixOS config and sets up all of the TLS secrets
|
- `deploy_pki`, a script that sets up all of the TLS secrets
|
||||||
- `upgrade.sh`, a script to upgrade NixOS
|
- `upgrade_nixos`, a script to upgrade NixOS
|
||||||
- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
|
- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
|
||||||
- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
|
- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
|
||||||
|
|
||||||
|
|
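--- a/deploy.sh
+++ b/deploy.sh
@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-
-# Get cluster subdirectory name
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
-echo "Usage: $0 <cluster name>"
-echo "The cluster name must be the name of a subdirectory of cluster/"
-exit 1
-fi
-shift 1
-
-# Do actual stuff
-
-if [ -z "$1" ]; then
-NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
-else
-NIXHOSTLIST="$@"
-fi
-
-TMP_PATH=/tmp/tmp-deploy-$(date +%s)
-SSH_CONFIG=cluster/$CLUSTER/ssh_config
-YEAR=$(date +%Y)
-
-for NIXHOST in $NIXHOSTLIST; do
-NIXHOST=${NIXHOST%.*}
-
-if [ -z "$SSH_USER" ]; then
-SSH_DEST=$NIXHOST
-else
-SSH_DEST=$SSH_USER@$NIXHOST
-fi
-
-echo "==== DOING $NIXHOST ===="
-
-echo "Sending NixOS config files"
-
-ssh -F $SSH_CONFIG $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
-cat nix/configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
-cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
-cat nix/remote-unlock.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/remote-unlock.nix > /dev/null
-cat nix/wesher.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher.nix > /dev/null
-cat nix/wesher_service.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher_service.nix > /dev/null
-cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
-cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
-cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
-
-echo "Sending secret files"
-for SECRET in pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key \
-pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
-pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
-test -f cluster/$CLUSTER/secrets/$SECRET && (cat cluster/$CLUSTER/secrets/$SECRET | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
-done
-
-echo "Rebuilding NixOS"
-
-ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <<EOF
-set -ex
-
-cd $TMP_PATH
-mv deuxfleurs.nix remote-unlock.nix wesher.nix wesher_service.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
-
-nixos-rebuild switch
-
-mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
-
-if [ -f pki/consul-ca.crt ]; then
-cp pki/consul* /var/lib/nomad/pki
-mv pki/consul* /var/lib/consul/pki
-chown -R consul:root /var/lib/consul/pki
-fi
-
-if [ -f pki/nomad-ca.crt ]; then
-mv pki/nomad* /var/lib/nomad/pki
-fi
-
-# Save up-to-date Consul client certificates in Consul itself
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
-consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
-consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
-consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
-EOF
-
-ssh -t -F $SSH_CONFIG $SSH_DEST sudo sh $TMP_PATH/deploy.sh
-ssh -F $SSH_CONFIG $SSH_DEST rm -rv '/tmp/tmp-deploy-*'
-done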
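--- a/deploy_nixos
+++ b/deploy_nixos
@@ -0,0 +1,12 @@
+#!/usr/bin/env ./sshtool
+
+copy nix/configuration.nix /etc/nixos/configuration.nix
+copy nix/deuxfleurs.nix /etc/nixos/deuxfleurs.nix
+copy nix/remote-unlock.nix /etc/nixos/remote-unlock.nix
+copy nix/wesher.nix /etc/nixos/wesher.nix
+copy nix/wesher_service.nix /etc/nixos/wesher_service.nix
+copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
+copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
+copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
+
+cmd nixos-rebuild switch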
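--- a/deploy_pki
+++ b/deploy_pki
@@ -0,0 +1,34 @@
+#!/usr/bin/env ./sshtool
+
+PKI=cluster/$CLUSTER/secrets/pki
+YEAR=$(date +%Y)
+
+cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
+if [ -f "$PKI/$file" ]; then
+copy $PKI/$file /var/lib/consul/pki/$file
+cmd chown consul:root /var/lib/consul/pki/$file
+cmd chmod 0400 /var/lib/consul/pki/$file
+fi
+done
+
+cmd systemctl restart consul
+cmd sleep 10
+
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YER.key; do
+if [ -f "$PKI/$file" ]; then
+copy $PKI/$file /var/lib/nomad/pki/$file
+fi
+done
+
+cmd systemctl restart nomad
+
+set_env CONSUL_HTTP_ADDR=https://localhost:8501
+set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+
+cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
+cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
+cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"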
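--- a/sshtool
+++ b/sshtool
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+cd $(dirname $0)
+
+CMDFILE="$1"
+shift 1
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+echo "Usage: $CMDFILE <cluster name>"
+echo "The cluster name must be the name of a subdirectory of cluster/"
+exit 1
+fi
+shift 1
+
+if [ -z "$1" ]; then
+NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
+else
+NIXHOSTLIST="$@"
+fi
+
+if [ -z "$ROOT_PASS" ]; then
+read -s -p "Enter remote root password: " ROOT_PASS
+echo
+fi
+
+SSH_CONFIG=cluster/$CLUSTER/ssh_config
+
+function header {
+cat <<EOF
+export DEPLOYTOOL_ROOT_PASSWORD=$ROOT_PASS
+cat > /tmp/deploytool_askpass <<EOG
+#!/usr/bin/env sh
+echo \$DEPLOYTOOL_ROOT_PASSWORD
+EOG
+chmod +x /tmp/deploytool_askpass
+export SUDO_ASKPASS=/tmp/deploytool_askpass
+sudo -A sh - <<EOEVERYTHING
+EOF
+}
+
+function footer {
+echo EOEVERYTHING
+}
+
+function message {
+echo "echo '$@'"
+}
+
+function cmd {
+echo "echo '- run $@'"
+echo "$@"
+}
+
+function set_env {
+echo "echo '- set $@'"
+echo "export $@"
+}
+
+function copy {
+local FROM=$1
+local TO=$2
+cat <<EOF
+echo '- write $TO from $FROM'
+base64 -d <<EOG | tee $TO > /dev/null
+$(base64 <$FROM)
+EOG
+EOF
+}
+
+for NIXHOST in $NIXHOSTLIST; do
+NIXHOST=${NIXHOST%.*}
+
+if [ -z "$SSH_USER" ]; then
+SSH_DEST=$NIXHOST
+else
+SSH_DEST=$SSH_USER@$NIXHOST
+fi
+
+echo "==== DOING $NIXHOST ===="
+
+(header; . $CMDFILE; footer) | ssh -F $SSH_CONFIG $SSH_DEST sh -
+done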
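--- a/upgrade.sh
+++ b/upgrade.sh
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-
-# Get cluster subdirectory name
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
-echo "Usage: $0 <cluster name>"
-echo "The cluster name must be the name of a subdirectory of cluster/"
-exit 1
-fi
-shift 1
-
-# Do actual stuff
-
-if [ -z "$@" ]; then
-NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
-else
-NIXHOSTLIST="$@"
-fi
-
-TMP_SCRIPT=/tmp/tmp-upgrade-$(date +%s).sh
-SSH_CONFIG=cluster/$CLUSTER/ssh_config
-
-for NIXHOST in $NIXHOSTLIST; do
-NIXHOST=${NIXHOST%.*}
-
-if [ -z "$SSH_USER" ]; then
-SSH_DEST=$NIXHOST
-else
-SSH_DEST=$SSH_USER@$NIXHOST
-fi
-
-echo "==== DOING $NIXHOST ===="
-
-ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_SCRIPT > /dev/null <<EOF
-set -ex
-
-nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
-nix-channel --update
-nixos-rebuild boot
-EOF
-
-read -p "Press Enter to continue (run upgrade on $NIXHOST)..."
-ssh -t -F $SSH_CONFIG $SSH_DEST sudo sh $TMP_SCRIPT
-ssh -F $SSH_CONFIG $SSH_DEST rm -v $TMP_SCRIPT
-
-read -p "Press Enter to continue (reboot $NIXHOST)..."
-ssh -t -F $SSH_CONFIG $SSH_DEST sudo reboot
-done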
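--- a/upgrade_nixos
+++ b/upgrade_nixos
@@ -0,0 +1,11 @@
+#!/usr/bin/env ./sshtool
+
+cmd nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
+cmd nix-channel --update
+cmd nixos-rebuild boot
+
+if [ "$REBOOT_NODES" = "yes" ]; then
+cmd reboot
+else
+message "Node will not reboot, use \"REBOOT_NODES=yes $CMDFILE\" to reboot nodes when they finish upgrading."
+fi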