diff --git a/flake.nix b/flake.nix index 41f0f1c..1632423 100644 --- a/flake.nix +++ b/flake.nix @@ -188,7 +188,8 @@ default = pkgs.mkShell { name = "default"; packages = attrValues { - inherit (pkgs) bashInteractive grpcurl jq coreutils e2fsprogs + inherit (pkgs) bashInteractive grpcurl + jq coreutils e2fsprogs lsof docker-client kubectl kubernetes-helm libvirt qemu tailscale pebble cntb nil nix-tree; diff --git a/nixos/deploy.nix b/nixos/deploy.nix index b33c2c6..fbe1473 100644 --- a/nixos/deploy.nix +++ b/nixos/deploy.nix @@ -1,14 +1,19 @@ -{ config, pkgs, ... } : +{ config, ... } : with config.k3s-paas; + { + imports = [ + ./temporary-configuration.nix + ]; + networking.hostName = additionalConfig.hostname; + sops.validateSopsFiles = false; sops.defaultSopsFormat = "yaml"; sops.defaultSopsFile = "/home/${user.name}/secrets.yaml"; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.secrets.tailscale = {}; - sops.secrets.hostname = {}; sops.secrets.password = { neededForUsers = true; }; @@ -16,9 +21,4 @@ with config.k3s-paas; services.tailscale.authKeyFile = config.sops.secrets.tailscale.path; users.users.${user.name}.hashedPasswordFile = config.sops.secrets.password.path; - - environment.etc."hostname".source = config.sops.secrets.hostname.path; - system.activationScripts.tailscale.text = '' - ${pkgs.systemd}/bin/hostnamectl set-hostname --transient $(cat /etc/hostname) - ''; } diff --git a/nixos/temporary-configuration.nix b/nixos/temporary-configuration.nix new file mode 100644 index 0000000..278ecb5 --- /dev/null +++ b/nixos/temporary-configuration.nix @@ -0,0 +1,2 @@ +# This files will be overwritten by the next run of the script +{...}: {} diff --git a/tf-root-vm/main.tf b/tf-root-vm/main.tf index 66a7a78..def1bb8 100644 --- a/tf-root-vm/main.tf +++ b/tf-root-vm/main.tf 
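Review bot: `networking.hostName = additionalConfig.hostname;` is added in the same hunk that imports `./temporary-configuration.nix`, and the deploy module rewrites that file to `{}: { networking.hostName = "<node_hostname>"; }`; NixOS merges string options by requiring every definition to be equal, so unless `additionalConfig.hostname` (defined outside this diff) always matches `var.node_hostname`, evaluation fails with a conflicting-definitions error, and if they always match one of the two definitions is redundant. Mark the static one as the fallback so the generated file wins when present and the placeholder `{...}: {}` leaves it in place: `{ config, lib, ... } :` and `networking.hostName = lib.mkDefault additionalConfig.hostname;`. A short comment above the import stating that the file is generated by Terraform per deploy would also save the next reader a trip to the module.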
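Review bot: The header comment has a typo ("This files") and does not say who rewrites the file or when it is reset; suggest `# Placeholder: the deploy Terraform module overwrites this file with the node's networking.hostName before nixos-rebuild and resets it afterwards. Do not edit by hand.`. Because the file lives inside the flake source that `nixos-rebuild --flake` evaluates, a deploy that aborts before `reset_temporary_configuration` runs leaves the previous node's hostname in the tracked working tree, where the next evaluation or an accidental commit picks it up; a pre-commit check that the file still equals `{...}: {}` would catch that.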
@@ -68,7 +68,6 @@ module "deploy" { nixos_secrets = { "tailscale" = "${module.tailscale.key}" "password" = "${random_password.admin_password.bcrypt_hash}" - "hostname" = "${each.key}" } } diff --git a/tf-root-vm/tf-modules-cloud/tailscale/main.tf b/tf-root-vm/tf-modules-cloud/tailscale/main.tf index 64af505..022b27b 100644 --- a/tf-root-vm/tf-modules-cloud/tailscale/main.tf +++ b/tf-root-vm/tf-modules-cloud/tailscale/main.tf @@ -25,7 +25,7 @@ resource "tailscale_acl" "as_json" { action = "accept" src = ["autogroup:member"] dst = ["autogroup:self"] - users = [var.trusted_ssh_user] + users = ["autogroup:nonroot"] } ], nodeAttrs = [ @@ -60,9 +60,8 @@ resource "tailscale_dns_preferences" "sample_preferences" { resource "tailscale_tailnet_key" "k3s_paas_node" { depends_on = [ tailscale_acl.as_json ] reusable = true - ephemeral = true + ephemeral = false preauthorized = true - expiry = 3600 description = "VM instance key" tags = ["tag:all"] } diff --git a/tf-root-vm/tf-modules-nix/deploy/main.tf b/tf-root-vm/tf-modules-nix/deploy/main.tf index 2c0c766..f7ede84 100644 --- a/tf-root-vm/tf-modules-nix/deploy/main.tf +++ b/tf-root-vm/tf-modules-nix/deploy/main.tf @@ -15,7 +15,23 @@ data "external" "deploy_key" { } } +resource "terraform_data" "check_ssh" { + connection { + type = "ssh" + user = var.ssh_connection.user + private_key = var.ssh_connection.private_key + host = var.vm_ip + } + + provisioner "remote-exec" { + inline = [ + "echo 'SSH connection established'", + ] + } +} + data "external" "machine_key_pub" { + depends_on = [ terraform_data.check_ssh ] program = ["bash", "${path.module}/retrieve-vm-age-key.sh"] query = { 
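Review bot: Replacing `users = [var.trusted_ssh_user]` with `users = ["autogroup:nonroot"]` widens the Tailscale SSH rule from one named account to every non-root account on the destination, which presumably includes the `user.name` admin account whose password hash is provisioned through sops; the `dst = ["autogroup:self"]` keeps members on their own devices, but the rule is still `action = "accept"` with no re-authentication. If the per-user variable is being retired on purpose, consider `action = "check"` so SSH as any non-root user requires a fresh check, or keep an explicit user list; at minimum add a comment on the rule recording why any non-root user is acceptable. The enclosing `tailscale_acl` resource starts and ends outside the hunk.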
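Review bot: Dropping `expiry = 3600` together with `ephemeral = false` turns a one-hour, self-cleaning node key into a reusable, pre-authorized `tag:all` key whose lifetime is now whatever the provider and tailnet default to (the Tailscale maximum is 90 days; confirm the default for this provider version). The same key is delivered to every node through `sops.secrets.tailscale`, so one compromised VM can enroll further pre-authorized, now persistent devices until the key expires; keep an explicit short `expiry` (e.g. `expiry = 86400`) and, if nodes no longer need to re-join, set `reusable = false` or rotate the key on each apply. Non-ephemeral nodes also stay in the tailnet after the VM is destroyed, so a destroy-time removal step is needed to avoid stale `tag:all` devices accumulating.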
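Review bot: The `connection` block in `terraform_data.check_ssh` sets no `host_key`, so the provisioner accepts whatever host key `var.vm_ip` presents; since `data.external.machine_key_pub` (`retrieve-vm-age-key.sh`) is now ordered after this check and presumably derives the age recipient for the node's secrets from the same host, a first-connection MITM could answer with its own host key and receive secrets encrypted for it. Supply the expected key from the cloud provider's metadata (for example a new `host_key` field on `var.ssh_connection`, passed as `host_key = var.ssh_connection.host_key`) or pin it inside the retrieve script. Also `terraform_data` with no `input`/`triggers_replace` runs its provisioner once on creation, so the check is not repeated when the VM is rebuilt with a new address; add `triggers_replace = [var.vm_ip]`. The `machine_key_pub` data source continues outside the hunk.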
@@ -97,9 +113,14 @@ locals { real_flake = "${local.uri}#nixosConfigurations.${local.attribute_path}" } +resource local_file "additional_nixos_vars" { + content = "{}: { networking.hostName = \"${var.node_hostname}\";}" + filename = "${path.cwd}/nixos/temporary-configuration.nix" +} + data "external" "instantiate" { depends_on = [terraform_data.apply_secrets] - program = [ "${path.module}/instantiate.sh", local.real_flake ] + program = [ "${path.module}/instantiate.sh", local.real_flake] } resource "null_resource" "deploy" { @@ -118,7 +139,7 @@ resource "null_resource" "deploy" { "--fast", "--flake", var.nix_flake, "--target-host", - "${var.ssh_connection.user}@${var.vm_ip}", + "${var.ssh_connection.user}@${var.vm_ip}" ], var.nix_rebuild_arguments ) @@ -127,6 +148,37 @@ resource "null_resource" "deploy" { } } +resource "local_file" "reset_temporary_configuration" { + depends_on = [null_resource.deploy] + content = "{...}: {}" + filename = "${path.cwd}/nixos/temporary-configuration.nix" +} + +resource "terraform_data" "cleanup" { + count = var.nix_deploy_debug ? 0 : 1 + depends_on = [null_resource.deploy] + + provisioner "local-exec" { + on_failure = continue + command = "rm ${local_file.additional_nixos_vars.filename}" + } + + provisioner "local-exec" { + on_failure = continue + command = "rm ${local_sensitive_file.non_encrypted_secrets.filename}" + } + + provisioner "local-exec" { + on_failure = continue + command = "rm ${data.local_file.encrypted_secrets.filename}" + } + + provisioner "local-exec" { + on_failure = continue + command = "rm ${local_file.sops_config.filename}" + } +} + output "secure_hostname" { depends_on = [null_resource.deploy] value = var.node_hostname diff --git a/tf-root-vm/tf-modules-nix/deploy/variables.tf b/tf-root-vm/tf-modules-nix/deploy/variables.tf index a77bf1f..b3616e8 100644 --- a/tf-root-vm/tf-modules-nix/deploy/variables.tf +++ b/tf-root-vm/tf-modules-nix/deploy/variables.tf 
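Review bot: `local_file.additional_nixos_vars` writes the hostname of every module instance to the single path `${path.cwd}/nixos/temporary-configuration.nix`, while `module "deploy"` is created per node with `for_each` (see the `each.key` on the removed hostname line), so under Terraform's parallel apply one instance can overwrite the file between another instance's `instantiate` and `null_resource.deploy` and a node may be built with a sibling's `networking.hostName`. Serialize the deploy (`-parallelism=1`) or give each instance its own file and import path; a comment on the resource stating the shared-file assumption is the minimum. `var.node_hostname` is also interpolated unescaped into Nix source, so a value containing `"` or `${` would break or alter the evaluated configuration; add `validation { condition = can(regex("^[a-z0-9-]{1,63}$", var.node_hostname)) error_message = "node_hostname must be a valid DNS label" }` on the variable. Note too that `terraform_data.cleanup` depends on `null_resource.deploy`, so a failed deploy leaves the plaintext `local_sensitive_file.non_encrypted_secrets` on disk, and removing files that `local_file`/`local_sensitive_file` resources still manage will most likely show as drift and be recreated on the next plan.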
@@ -80,3 +80,7 @@ variable "nix_flake" { error_message = "Empty flake attribute paths not supported" } } + +variable "nix_deploy_debug" { + default = false +}
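Review bot: `nix_deploy_debug` is declared with only a default, while every other variable in this file carries a type and (as the `nix_flake` validation shows) documented constraints; callers cannot tell that setting it skips the cleanup that removes the plaintext `non_encrypted_secrets` file and the generated sops/config files from the working directory. Add `type = bool` and `description = "Keep the generated plaintext secrets and temporary NixOS files on disk after deploy (debugging only; never enable in CI)."`.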