fix: sudo rights

loic-roux-404 · Jul 14, 2024 · 8d87f5d · 8d87f5d
1 parent 5d1939e
commit 8d87f5d
Show file tree

Hide file tree

Showing 18 changed files with 241 additions and 59 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,6 @@
 SHELL:=/usr/bin/env bash
 MAKEFLAGS += --no-builtin-rules --no-builtin-variables
+TERRAFORM_CMD:=apply -auto-approve
 
 #### Nix
 
@@ -20,12 +21,14 @@ trust-ca:
 	@curl -k https://localhost:15000/intermediates/0 > /tmp/pebble.crt && \
       sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /tmp/pebble.crt
 
-#### Terraform
-
 TERRAGRUNT_FILES := $(shell find terragrunt -type d -name '.*' -prune -o -name 'terragrunt.hcl' -exec dirname {} \;)
 
 $(TERRAGRUNT_FILES):
 	@echo "Running apply in $@ directory"
-	@cd $@ && terragrunt apply -auto-approve
+	@mkdir -p $@/.terragrunt-cache || true && chmod -R 777 $@/.terragrunt-cache
+	@cd $@ && terragrunt $(TERRAFORM_CMD)
+
+release-stable:
+	@git tag nixos-stable -f && git push --tags --force
 
 .PHONY: fmt bootstrap nixos-local trust-ca $(TERRAGRUNT_FILES)
diff --git a/README.md b/README.md
@@ -58,28 +58,27 @@ make trust-ca
 ./result/sw/bin/darwin-uninstaller
 ```
 
-## Terraform project
+## Terraform project secrets
 
-### Terraform local
-
-Setup cloud modules :
+You have to create a secrets file utilising following sops command :
 
 ```bash
-cd tg-local
-terragrunt apply -auto-approve
+sops secrets/prod.yaml
 ```
 
+> **Note** : sops follow environment variables from default flake shell to encrypt files with the default `id_ed25519` ssh key.
+
 ### 1. Contabo (VPS)
 
 **contabo_credentials** :
 
-```hcl
-contabo_credentials = {
-  oauth2_client_id     = "client-id"
-  oauth2_client_secret = "secret"
-  oauth2_pass          = "password!"
-  oauth2_user = "mail@mail"
-}
+```yaml
+contabo_credentials:
+  oauth2_client_id: "client-id"
+  oauth2_client_secret: "secret"
+  oauth2_pass: "password!"
+  oauth2_user: "mail@mail"
+
 ```
 
 Seek for credentials in [API](https://my.contabo.com/api/details) 
@@ -99,41 +98,53 @@ cntb get instances
 > **Warn :** Delete `@` record for your domain on [gandi](https://admin.gandi.net/domain/)
 
 ### 3. Tailscale (SSH VPN)
-**`tailscale_oauth_client_id`** : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys)
-**`tailscale_oauth_client_secret`** : retrieve it during step above.
+**`tailscale_oauth_client`** : 
+    - `id` : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys)
+    - `secret` : retrieve it during step above.
+
 **`tailscale_trusted_device`** : Approve your device on tailscale with **`tailscale login`** and recover its tailscale hostname.
 
 ### 4. Github (Authentication & users)
 
 **`github_token`** : https://github.com/settings/tokens and create a token with scopes `repo`, `user` and `admin`.
 **`github_client_id`** : Create a new OAuth App.
 **`github_client_secret`** : On new OAuth App ask for a new client secret.
+**github_organisation :** : Your github organization name.
+**github_team :** : Your github team id.
 
 ### 5. Cert-manager (TLS)
 
 **`cert_manager_email`** : a valid email to register on letsencrypt.
 
-## Apply
-
-Init all terraform providers and modules.
+### Cloud (contabo)
 
 ```bash
-make init
+make terragrunt/cloud/contabo
 ```
 
-### Cloud (contabo)
+### Network (tailscale)
 
 ```bash
-make tf-root-contabo ARGS=-var-file=$PWD/.prod.tfvars
+make terragrunt/network/contabo
 ```
 
 ### infra (k8s)
 
 ```bash
-make . ARGS=-var-file=.prod.tfvars
+make terragrunt/paas/contabo
 ```
 
-> **Note :** You can also use `make trust-ca` to trust internal CA on your system.
+### Install in local
+
+Here is the command to set up the paas on a libvirt vm.
+
+```bash
+make terragrunt/cloud/local
+make terragrunt/network/local
+make terragrunt/paas/local
+```
+
+Then you have to do `make trust-ca` to trust paas internal CA on your system.
 
 ## Cheat Sheet
 
@@ -235,3 +246,17 @@ tailscale configure kubeconfig
 ```bash
 git tag nixos-stable -f && gp --tags --force
 ```
+
+### Contabo
+
+Retrieve images :
+
+```bash
+cntb get images --imageType custom
+```
+
+Import existing image in terraform :
+
+```bash
+terraform import module.contabo.contabo_image.k3s_paas_master_image uuid
+```
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
@@ -133,10 +133,16 @@ in {
 
   security.sudo.wheelNeedsPassword = false;
 
+  nix.trustedUsers = [ user.name ];
   users = {
     defaultUserShell = pkgs.bashInteractive;
     allowNoPasswordLogin = true;
+    groups.readers = {};
     users = {
+      reader = {
+        isNormalUser = true;
+        extraGroups = [ "readers" ];
+      };
       ${user.name} = {
         hashedPasswordFile = lib.mkDefault "${(pkgs.writeText "password" user.defaultPassword)}";
         isNormalUser = true;
@@ -147,6 +153,9 @@ in {
           };
         };
       };
+      root = {
+        hashedPasswordFile = lib.mkDefault "${(pkgs.writeText "root-password" user.defaultPassword)}";
+      };
     };
   };
 

diff --git a/nixos/contabo.nix b/nixos/contabo.nix
@@ -8,7 +8,6 @@
 
   swapDevices = [ ];
 
-  security.sudo.wheelNeedsPassword = lib.mkForce true;
   security.sudo = {
     enable = true;
     extraRules = [{
@@ -36,7 +35,7 @@
         "${pkgs.iproute2}/bin/ip"
         "${pkgs.iptables}/bin/iptables"
       ];
-      groups = [ "wheel" ];
+      groups = [ "reader" ];
     }];
   };
 

diff --git a/terragrunt/network/contabo/.terraform.lock.hcl b/terragrunt/network/contabo/.terraform.lock.hcl
diff --git a/terragrunt/network/contabo/env.hcl b/terragrunt/network/contabo/env.hcl
@@ -9,5 +9,7 @@ locals {
     tailscale_oauth_client = local.secret_vars.tailscale_oauth_client
     tailscale_tailnet = local.secret_vars.tailscale_tailnet
     tailscale_trusted_device = local.secret_vars.tailscale_trusted_device
+    gandi_token = local.secret_vars.gandi_token
+    nix_flake = "${dirname(find_in_parent_folders("flake.nix"))}#deploy"
   }
 }
diff --git a/terragrunt/paas/contabo/env.hcl b/terragrunt/paas/contabo/env.hcl
@@ -10,7 +10,7 @@ locals {
     github_token = local.secret_vars.github_token
     github_client_id = local.secret_vars.github_client_id
     github_client_secret = local.secret_vars.github_client_secret
-    github_organization = local.secret_vars.github_organization
+    github_organisation = local.secret_vars.github_organisation
     github_team = local.secret_vars.github_team
   }
 }
diff --git a/tf-modules-cloud/contabo/main.tf b/tf-modules-cloud/contabo/main.tf
@@ -5,7 +5,7 @@ resource "contabo_secret" "k3s_paas_master_trusted_key" {
 }
 
 resource "contabo_image" "k3s_paas_master_image" {
-  name        = "k3s"
+  name        = "nixos-k3s-paas-${var.image_version}"
   image_url   = format(var.image_url_format, var.image_version)
   os_type     = "Linux"
   version     = var.image_version

diff --git a/tf-modules-cloud/contabo/variables.tf b/tf-modules-cloud/contabo/variables.tf
@@ -14,7 +14,7 @@ variable "contabo_credentials" {
 }
 
 variable "image_version" {
-  default = "1817d1d"
+  default = "stable"
 }
 
 variable "image_url_format" {