big refactor

mipmip · mipmip · commit 59454524deed · 2025-09-15T15:45:16.000+02:00
diff --git a/instance/ec2.tf b/instance/ec2.tf
@@ -33,7 +33,7 @@ resource "aws_instance" "ec2nix_server" {
 
   provisioner "local-exec" {
 
-    command     = file("${path.module}/script/test-machine-up.sh")
+    command     = file("${path.module}/script/local_exec_test_machine_up.sh")
     interpreter = ["bash", "-c"]
 
     environment = {
diff --git a/instance/local_exec_deploy_via_ssm.tf b/instance/local_exec_deploy_via_ssm.tf
@@ -0,0 +1,22 @@
+resource "null_resource" "nixos_deployment_ssm" {
+
+  triggers = {
+    live_config_path = var.live_config_path
+  }
+
+  provisioner "local-exec" {
+
+    command     = file("${path.module}/script/local_exec_deploy_via_ssm.sh")
+    interpreter = ["bash", "-c"]
+
+    environment = {
+      LIVE_CONFIG_PATH = var.live_config_path
+      NIX_SSHOPTS      = "-F ${path.module}/ssh.conf -i ${var.ssh_id_file}"
+      SSH_ID_FILE      = var.ssh_id_file
+      AWS_ACCOUNT_ID  = var.aws_account_id
+      SCRIPT_PATH     = "${path.module}/script"
+      SSH_CONFIG_FILE  = "${path.module}/ssh.conf"
+      TARGET           = var.associate_public_ip_address ? "root@${aws_instance.ec2nix_server.public_ip}" : "root@${aws_instance.ec2nix_server.id}"
+    }
+  }
+}
diff --git a/instance/local_exec_upload_ssh_workloads_key.tf b/instance/local_exec_upload_ssh_workloads_key.tf
@@ -0,0 +1,18 @@
+resource "null_resource" "upload_ssh_workloads_key" {
+  triggers = {
+    live_config_path = var.live_config_path
+  }
+
+  provisioner "local-exec" {
+    command     = file("${path.module}/script/local_exec_upload_ssh_workloads_key.sh")
+    interpreter = ["bash", "-c"]
+    environment = {
+      NIX_SSHOPTS     = "-F ${path.module}/ssh.conf -i ${var.ssh_id_file}"
+      AWS_ACCOUNT_ID  = var.aws_account_id
+      SCRIPT_PATH     = "${path.module}/script"
+      SSH_ID_FILE     = var.ssh_id_file
+      SSH_CONFIG_FILE = "${path.module}/ssh.conf"
+      TARGET          = var.associate_public_ip_address ? "root@${aws_instance.ec2nix_server.public_ip}" : "root@${aws_instance.ec2nix_server.id}"
+    }
+  }
+}
diff --git a/instance/script/find_profile.sh b/instance/script/find_profile.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Script to find AWS profile by account ID
+# Usage: ./find_profile.sh ACCOUNT_ID
+
+if [ -z "$1" ]; then
+  echo "Please provide an account ID"
+  echo "Usage: ./find_profile.sh ACCOUNT_ID"
+  exit 1
+fi
+
+ACCOUNT_ID="$1"
+jsonify-aws-dotfiles | jq -r '.config | to_entries[] | select(.value.role_arn != null) | select(.value.role_arn | contains("'"$ACCOUNT_ID"'")) | .key'
diff --git a/instance/script/local_exec_deploy_via_ssm.sh b/instance/script/local_exec_deploy_via_ssm.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+echo $TARGET >> /tmp/debug-target.txt
+
+AWS_PROFILE=$($SCRIPT_PATH/find_profile.sh $AWS_ACCOUNT_ID)
+echo $AWS_PROFILE >> /tmp/debug-target.txt
+
+# TODO replace unset SSH_AUTH_SOCK with -o IdentitiesOnly=yes
+unset SSH_AUTH_SOCK
+
+echo
+echo "UPDATE KNOWN HOSTS"
+ssh-keygen -R $(echo $TARGET | sed "s/root@//")
+
+echo
+echo "NIX-COPY-CLOSURE"
+nix-copy-closure $TARGET $LIVE_CONFIG_PATH
+
+echo
+echo "NIX SWITCH TO NEW CONFIG"
+ssh -F $SSH_CONFIG_FILE -i $SSH_ID_FILE -oStrictHostKeyChecking=no $TARGET "$LIVE_CONFIG_PATH/bin/switch-to-configuration switch"
+
+# TODO MAKE OPTIONAL
+echo
+echo "NIX GARBAGE COLLECT"
+ssh -F $SSH_CONFIG_FILE -i $SSH_ID_FILE -oStrictHostKeyChecking=no $TARGET 'nix-collect-garbage'
+
diff --git a/instance/script/local_exec_test_machine_up.sh b/instance/script/local_exec_test_machine_up.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -e
+test -n "$INSTANCE_ID" || (echo missing INSTANCE_ID; exit 1)
+test -n "$SSH_ID_FILE" || (echo missing SSH_ID_FILE; exit 1)
+test -n "$SSH_CONFIG_FILE" || (echo missing SSH_CONFIG_FILE; exit 1)
+set +e
+
+AWS_PROFILE=$($SCRIPT_PATH/find_profile.sh $AWS_ACCOUNT_ID)
+echo $AWS_PROFILE >> /tmp/debug-target.txt
+
+cleanup() {
+  exit $!
+}
+
+for try in {0..100}; do
+  echo "Polling for machine to come up. Retry #$try"
+  unset SSH_AUTH_SOCK
+
+  if [[ -z "${PUBLIC_IP}" ]]; then
+    ssh -F $SSH_CONFIG_FILE -i "$SSH_ID_FILE" -oStrictHostKeyChecking=no "root@$INSTANCE_ID" uptime
+  else
+    ### TODO MAKE CONFIG SWITCH OR ALWAYS USE SSM
+    ssh -F $SSH_CONFIG_FILE -i "$SSH_ID_FILE" -oStrictHostKeyChecking=no "root@$INSTANCE_ID" uptime
+    #ssh -i "$SSH_ID_FILE" -oStrictHostKeyChecking=no "root@$PUBLIC_IP" uptime
+  fi
+
+  success="$?"
+  if [ "$success" -eq 0 ]; then
+    echo "Machine ${INSTANCE_ID} up and ready to for provisioning over SSM/SSH"
+    echo ""
+    echo "Add the the systems private key to agenix and run rekey (agenix -r -i PRIVATE_KEY)"
+    cat /etc/ssh/ssh_host_ed25519_key.pub
+    echo
+    cleanup 0
+  fi
+  sleep 5s
+done
+
+echo "Failed to poll for machine up status"
+cleanup 1
diff --git a/instance/script/local_exec_upload_ssh_workloads_key.sh b/instance/script/local_exec_upload_ssh_workloads_key.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+
+echo
+echo "UPDATE KNOWN HOSTS"
+ssh-keygen -R $(echo $TARGET | sed "s/root@//")
+
+export AWS_PROFILE=$($SCRIPT_PATH/find_profile.sh $AWS_ACCOUNT_ID)
+
+# TODO only if debug=true
+echo $AWS_PROFILE >> /tmp/debug-target.txt
+echo $TARGET >> /tmp/debug-target.txt
+
+# TODO replace unset SSH_AUTH_SOCK with -o IdentitiesOnly=yes
+unset SSH_AUTH_SOCK
+
+CURR_DIR=$(pwd)
+echo $CURR_DIR
+
+cd secrets
+SYS_SSH_KEY=$(agenix -d system_sshd_key.age --identity $SSH_ID_FILE)
+cd $CURR_DIR
+
+echo $SYS_SSH_KEY | ssh -F $SSH_CONFIG_FILE -oStrictHostKeyChecking=no -i $SSH_ID_FILE \
+  $TARGET 'cat - > /tmp/system_sshd_key && chmod 600 /tmp/system_sshd_key && chown root:root /tmp/system_sshd_key'
diff --git a/instance/security_group.tf b/instance/security_group.tf
@@ -0,0 +1,41 @@
+resource "aws_security_group" "ec2nix_security_group" {
+
+  vpc_id = var.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  dynamic "ingress" {
+    for_each = var.ingress_ports
+
+    content {
+      from_port   = ingress.value
+      to_port     = ingress.value
+      protocol    = "tcp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
+  dynamic "ingress" {
+    for_each = var.ingress_from_to_ports
+
+    content {
+      from_port   = ingress.value.from
+      to_port     = ingress.value.to
+      protocol    = "tcp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
+  ## FOR SSM BE SURE 443 is open
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/instance/ssh.conf b/instance/ssh.conf
@@ -0,0 +1,8 @@
+# vim: set ft=sshconfig:
+
+# SSH over Session Manager
+host i-* mi-*
+  StrictHostKeyChecking no
+  UserKnownHostsFile=/dev/null
+  CheckHostIP=no
+  ProxyCommand sh -c "aws ssm start-session --region eu-central-1 --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
diff --git a/instance/volume_attachment.tf b/instance/volume_attachment.tf
@@ -0,0 +1,6 @@
+resource "aws_volume_attachment" "ec2nix_server_vol" {
+  count       = var.ebs_volume_id != "" ? 1 : 0
+  device_name = "/dev/xvdb"
+  volume_id   = var.ebs_volume_id
+  instance_id = aws_instance.ec2nix_server.id
+}
