cleanup more nix code
This commit is contained in:
parent
3b7c72f326
commit
6b9fffb022
54 changed files with 49 additions and 96 deletions
46
flake-parts/scripts/bootstrap.sh
Executable file
46
flake-parts/scripts/bootstrap.sh
Executable file
|
|
@ -0,0 +1,46 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
servername="${1-}"
|
||||
|
||||
hostname="${2-}"
|
||||
|
||||
if [ -z "$servername" ] || [ -z "$hostname" ]
|
||||
then
|
||||
echo "Usage: $0 SERVERNAME HOSTNAME"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
confirmation="Yes, wipe ${servername}."
|
||||
|
||||
echo "⚠️ This will wipe ${servername} completely! ⚠️"
|
||||
echo "Confirm by typing: \"${confirmation}\""
|
||||
read response
|
||||
|
||||
if [ "$response" != "$confirmation" ]; then
|
||||
echo "Aborting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create a temporary directory
|
||||
temp=$(mktemp -d)
|
||||
|
||||
# Function to cleanup temporary directory on exit
|
||||
cleanup() {
|
||||
rm -rf "$temp"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
# Create directory where age key will go.
|
||||
# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
|
||||
mkdir "$temp/etc"
|
||||
|
||||
secret-tool lookup age-identity "$servername" > "$temp/etc/age_ed25519"
|
||||
|
||||
# Set the correct permissions
|
||||
chmod 600 "$temp/etc/age_ed25519"
|
||||
|
||||
# Install NixOS to the host system with our age identity
|
||||
nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${hostname}"
|
||||
19
flake-parts/scripts/default.nix
Normal file
19
flake-parts/scripts/default.nix
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
{ flake-utils, hostPkgs, ... }: flake-utils.lib.eachDefaultSystem (system:
|
||||
let
|
||||
createScript = name: runtimeInputs: scriptPath:
|
||||
let
|
||||
script = (hostPkgs.writeScriptBin name (builtins.readFile scriptPath)).overrideAttrs (old: {
|
||||
buildCommand = "${old.buildCommand}\n patchShebangs $out";
|
||||
});
|
||||
in
|
||||
hostPkgs.symlinkJoin {
|
||||
inherit name;
|
||||
paths = [ script ] ++ runtimeInputs;
|
||||
buildInputs = [ hostPkgs.makeWrapper ];
|
||||
postBuild = "wrapProgram $out/bin/${name} --set PATH $out/bin";
|
||||
};
|
||||
in
|
||||
{
|
||||
packages.bootstrap = createScript "bootstrap" (with hostPkgs; [ libsecret coreutils nixos-anywhere ]) ./bootstrap.sh;
|
||||
packages.gen-k3s-cert = createScript "create-k3s-cert" (with hostPkgs; [ openssl coreutils openssh yq ]) ./gen-k3s-cert.sh;
|
||||
})
|
||||
88
flake-parts/scripts/gen-k3s-cert.sh
Normal file
88
flake-parts/scripts/gen-k3s-cert.sh
Normal file
|
|
@ -0,0 +1,88 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
username="${1-}"
|
||||
host="${2-}"
|
||||
output_path="${3:-.}"
|
||||
|
||||
if [ -z "$username" ] || [ -z "$host" ]
|
||||
then
|
||||
echo "Usage: $0 USERNAME HOST [OUTPUTPATH]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create a temporary directory
|
||||
temp=$(mktemp -d)
|
||||
|
||||
# Function to cleanup temporary directory on exit
|
||||
cleanup() {
|
||||
rm -rf "$temp"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
echo Generating the private key
|
||||
openssl genpkey -algorithm ed25519 -out "$temp/key.pem"
|
||||
|
||||
echo Generating the certificate request
|
||||
openssl req -new -key "$temp/key.pem" -out "$temp/req.csr" -subj "/CN=$username"
|
||||
|
||||
echo Creating K8S CSR manifest
|
||||
csr="$(cat "$temp/req.csr" | base64 | tr -d '\n')"
|
||||
k8s_csr="apiVersion: certificates.k8s.io/v1
|
||||
kind: CertificateSigningRequest
|
||||
metadata:
|
||||
name: $username-csr
|
||||
spec:
|
||||
request: $csr
|
||||
expirationSeconds: 307584000 # 10 years
|
||||
signerName: kubernetes.io/kube-apiserver-client
|
||||
usages:
|
||||
- digital signature
|
||||
- key encipherment
|
||||
- client auth
|
||||
"
|
||||
|
||||
echo Creating K8S CSR resource
|
||||
ssh "root@$host" "echo \"$k8s_csr\" | k3s kubectl apply -f -"
|
||||
|
||||
echo Approving K8S CSR
|
||||
ssh "root@$host" "k3s kubectl certificate approve $username-csr"
|
||||
|
||||
echo Retrieving approved certificate
|
||||
encoded_cert="$(ssh root@"$host" "k3s kubectl get csr $username-csr -o jsonpath='{.status.certificate}'")"
|
||||
|
||||
echo Retrieving default K3S kubeconfig
|
||||
base_kubeconfig="$(ssh root@"$host" "cat /etc/rancher/k3s/k3s.yaml")"
|
||||
|
||||
echo Getting certificate authority data from default kubeconfig
|
||||
cert_authority_data="$(echo -n "$base_kubeconfig" | yq -r '.clusters[0].cluster."certificate-authority-data"')"
|
||||
|
||||
echo Generating final kubeconfig
|
||||
result_kubeconfig="apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority-data: $cert_authority_data
|
||||
server: https://$host:6443
|
||||
name: default
|
||||
contexts:
|
||||
- context:
|
||||
cluster: default
|
||||
user: $username
|
||||
name: default
|
||||
current-context: default
|
||||
kind: Config
|
||||
preferences: {}
|
||||
users:
|
||||
- name: $username
|
||||
user:
|
||||
client-certificate: $username.crt
|
||||
client-key: $username.key
|
||||
"
|
||||
|
||||
echo Writing resulting files to "$output_path"
|
||||
echo -n "$encoded_cert" | base64 -d > $output_path/$username.crt
|
||||
echo -n "$result_kubeconfig" > $output_path/config
|
||||
cp $temp/key.pem $output_path/$username.key
|
||||
|
||||
Reference in a new issue