nixcache: improve auto-configuration of cache (#2010)

Fix a few issues with the current auto-configuration flow for private
nix caches:

- Track whether or not we've configured ~root/.aws/config in a separate
state file in the user's home directory. This lets Devbox know if AWS
has already been configured, even if it cannot read root's home
directory.
- If the user answers no to the sudo confirmation prompt, don't ask them
again. This is so we don't pester the user every time they install a
package.
- Preserve XDG_STATE_HOME in sudo so that we write state files to the
correct directory.
- Append a timestamp to the ~root/.aws directory when we back it up.
This allows multiple backups if the setup process is run more than once.

The logic for saving state around whether or not the cache setup has
already run lives in a new `setup` package. The `setup` package tracks
when a task last ran, what version of Devbox it ran with, and if there
was an error. This makes it easier to define tasks that only run once
for a user or only occur after an upgrade.

Author: gcurtis

internal/boxcli/cache.go

@@ -82,7 +82,7 @@ func cacheConfigureCmd() *cobra.Command {
 				u, _ := user.Current()
 				username = u.Username
 			}
-			return nixcache.Get().Configure(cmd.Context(), username)
+			return nixcache.Get().ConfigureReprompt(cmd.Context(), username)
 		},
 	}
 	cmd.Flags().StringVar(&username, "user", "", "")

internal/devbox/providers/nixcache/nixcache.go

@@ -2,23 +2,14 @@ package nixcache
 
 import (
 	"context"
-	"fmt"
-	"io/fs"
+	"errors"
 	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
 	"time"
 
-	"github.com/AlecAivazis/survey/v2"
 	"go.jetpack.io/devbox/internal/build"
-	"go.jetpack.io/devbox/internal/debug"
 	"go.jetpack.io/devbox/internal/devbox/providers/identity"
-	"go.jetpack.io/devbox/internal/envir"
-	"go.jetpack.io/devbox/internal/fileutil"
-	"go.jetpack.io/devbox/internal/nix"
 	"go.jetpack.io/devbox/internal/redact"
-	"go.jetpack.io/devbox/internal/ux"
+	"go.jetpack.io/devbox/internal/setup"
 	"go.jetpack.io/pkg/api"
 	nixv1alpha1 "go.jetpack.io/pkg/api/gen/priv/nix/v1alpha1"
 	"go.jetpack.io/pkg/filecache"
@@ -33,154 +24,53 @@ func Get() *Provider {
 }
 
 func (p *Provider) Configure(ctx context.Context, username string) error {
-	debug.Log("checking if nix cache is configured for %s", username)
-
-	rootConfig, err := p.rootAWSConfigPath()
-	if err != nil {
-		return err
-	}
-	debug.Log("root aws config path is: %s", rootConfig)
-	awsConfigExists := fileutil.Exists(rootConfig)
+	return p.configure(ctx, username, false)
+}
 
-	cfg, err := nix.CurrentConfig(ctx)
-	if err != nil {
-		return err
-	}
-	trusted, _ := cfg.IsUserTrusted(ctx, username)
+func (p *Provider) ConfigureReprompt(ctx context.Context, username string) error {
+	return p.configure(ctx, username, true)
+}
 
-	configured := awsConfigExists && trusted
-	debug.Log("nix cache configured = %v (awsConfigExists == %v && trusted == %v)", configured, awsConfigExists, trusted)
-	if configured {
-		return nil
+func (p *Provider) configure(ctx context.Context, username string, reprompt bool) error {
+	setupTasks := []struct {
+		key  string
+		task setup.Task
+	}{
+		{"nixcache-setup-aws", &awsSetupTask{username}},
+		{"nixcache-setup-nix", &nixSetupTask{username}},
+	}
+	if reprompt {
+		for _, t := range setupTasks {
+			setup.Reset(t.key)
+		}
 	}
 
+	// If we're already root, then do the setup without prompting the user
+	// for confirmation.
 	if os.Getuid() == 0 {
-		err := p.configureRoot(ctx, username)
-		if err != nil {
-			return redact.Errorf("update ~root/.aws/config with devbox credentials: %s", err)
+		for _, t := range setupTasks {
+			err := setup.Run(ctx, t.key, t.task)
+			if err != nil {
+				return redact.Errorf("nixcache: run setup: %v", err)
+			}
 		}
 		return nil
 	}
 
-	_, err = nix.DaemonVersion(ctx)
-	if err == nil {
-		// It looks like this is a multi-user install running a Nix
-		// daemon, so we need to configure AWS S3 authentication for the
-		// root user.
-		if err := p.sudoConfigureRoot(ctx, username); err != nil {
-			return err
+	// Otherwise, ask the user to confirm if it's okay to sudo.
+	const sudoPrompt = "Devbox requires root to configure the Nix daemon to use your organization's Devbox cache. Allow sudo?"
+	for _, t := range setupTasks {
+		err := setup.ConfirmRun(ctx, t.key, t.task, sudoPrompt)
+		if errors.Is(err, setup.ErrUserRefused) {
+			return nil
+		}
+		if err != nil {
+			return redact.Errorf("nixcache: run setup: %v", err)
 		}
 	}
 	return nil
 }
 
-func (p *Provider) rootAWSConfigPath() (string, error) {
-	u, err := user.LookupId("0")
-	if err != nil {
-		return "", redact.Errorf("lookup root user: %s", err)
-	}
-	if u.HomeDir == "" {
-		return "", redact.Errorf("empty root user home directory: %s", u.Username, err)
-	}
-	return filepath.Join(u.HomeDir, ".aws", "config"), nil
-}
-
-func (p *Provider) configureRoot(ctx context.Context, username string) error {
-	exe := p.executable()
-	if exe == "" {
-		return redact.Errorf("get path to current devbox executable")
-	}
-	sudo, err := exec.LookPath("sudo")
-	if err != nil {
-		return redact.Errorf("get path to sudo executable: %s", err)
-	}
-	path, err := p.rootAWSConfigPath()
-	if err != nil {
-		return err
-	}
-
-	// Rename the .aws directory in case it already exists. We should
-	// improve this to be more careful with existing ~root/.aws/configs, but
-	// this seems rare enough that it should be okay for the initial
-	// implementation.
-	dir := filepath.Dir(path)
-	_ = os.Rename(dir, dir+".bak") // ignore errors for non-existent dir
-	_ = os.Mkdir(dir, 0o755)       // ignore errors for dir exists (don't os.MkdirAll the home directory)
-
-	config, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fs.FileMode(0o644))
-	if err != nil {
-		return err
-	}
-	defer config.Close()
-
-	// TODO(gcurtis): it would be nice to use a non-default profile if
-	// https://github.com/NixOS/nix/issues/5525 ever gets fixed.
-	_, err = fmt.Fprintf(config, `# This file was generated by Devbox.
-# Any overwritten configs can be found in the .aws.bak directory.
-
-[default]
-# sudo as the configured user so that their cached credential files have the
-# correct ownership.
-credential_process = %s -u %s -i %s cache credentials
-`, sudo, username, exe)
-	if err != nil {
-		return err
-	}
-	if err := config.Close(); err != nil {
-		return err
-	}
-
-	if err := nix.IncludeDevboxConfig(ctx, username); err != nil {
-		return redact.Errorf("modify nix config: %v", err)
-	}
-	return nil
-}
-
-func (p *Provider) sudoConfigureRoot(ctx context.Context, username string) error {
-	// TODO(gcurtis): save the user's response so that we don't pester them
-	// every time if it's a no.
-	prompt := &survey.Confirm{
-		Message: "Devbox requires root to configure the Nix daemon to use your organization's private cache. Allow sudo?",
-	}
-	ok := false
-	if err := survey.AskOne(prompt, &ok); err != nil {
-		return err
-	}
-	if !ok {
-		return nil
-	}
-
-	exe := p.executable()
-	if exe == "" {
-		return redact.Errorf("get path to current devbox executable")
-	}
-
-	cmd := exec.CommandContext(ctx, "sudo", exe, "cache", "configure", "--user", username)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	debug.Log("running sudo: %s", cmd)
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed to relaunch with sudo: %w", err)
-	}
-
-	// Print a warning if we were unable to automatically make the user
-	// trusted.
-	checkIfUserCanAddSubstituter(ctx)
-	return nil
-}
-
-func (*Provider) executable() string {
-	if exe := os.Getenv(envir.LauncherPath); exe != "" {
-		return exe
-	}
-	if exe, err := os.Executable(); err == nil {
-		return exe
-	}
-	return ""
-}
-
 // Credentials fetches short-lived credentials that grant access to the user's
 // private cache.
 func (p *Provider) Credentials(ctx context.Context) (AWSCredentials, error) {
@@ -250,38 +140,6 @@ func (p *Provider) URI(ctx context.Context) (string, error) {
 	return uri, nil
 }
 
-func checkIfUserCanAddSubstituter(ctx context.Context) {
-	// we need to ensure that the user can actually use the extra
-	// substituter. If the user did a root install, then we need to add
-	// the trusted user/substituter to the nix.conf file and restart the daemon.
-
-	// This check is not perfect, so we still try to use the substituter even if
-	// it fails
-
-	// TODOs:
-	// * Also check if cache is enabled in nix.conf
-	// * Test on single user install
-	// * Automate making user trusted if needed
-	cfg, err := nix.CurrentConfig(ctx)
-	if err != nil {
-		return
-	}
-
-	u, err := user.Current()
-	if err != nil {
-		return
-	}
-	trusted, _ := cfg.IsUserTrusted(ctx, u.Username)
-	if !trusted {
-		ux.Fwarning(
-			os.Stderr,
-			"In order to use a custom nix cache you must be a trusted user. Please "+
-				"add your username to nix.conf (usually located at /etc/nix/nix.conf)"+
-				" and restart the nix daemon.\n",
-		)
-	}
-}
-
 // AWSCredentials are short-lived credentials that grant access to a private Nix
 // cache in S3. It marshals to JSON per the schema described in
 // `aws help config-vars` under "Sourcing Credentials From External Processes".