From 50fd9928b2ca3b2e966b4516203397409233e41a Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 1 Jan 2025 23:33:39 -0600 Subject: [PATCH] overhauled build, import, deploy, and bootstrap scripts and added tailscale. --- mise-tasks/bootstrap_instance.sh | 85 +++++++++++++++++++ mise-tasks/build_import.sh | 10 +-- mise-tasks/launch.sh | 5 +- mise-tasks/push_token.sh | 73 ---------------- .../{ => .archive}/fj-shadowfax-x86_64.nix | 0 profiles/{ => .archive}/host-qemu.nix | 0 profiles/{ => .archive}/hw-shadowfax.nix | 0 profiles/{ => .archive}/role-fj-hetzner.nix | 0 profiles/role-lxc-vm.nix | 19 +++++ 9 files changed, 111 insertions(+), 81 deletions(-) create mode 100755 mise-tasks/bootstrap_instance.sh delete mode 100755 mise-tasks/push_token.sh rename profiles/{ => .archive}/fj-shadowfax-x86_64.nix (100%) rename profiles/{ => .archive}/host-qemu.nix (100%) rename profiles/{ => .archive}/hw-shadowfax.nix (100%) rename profiles/{ => .archive}/role-fj-hetzner.nix (100%) diff --git a/mise-tasks/bootstrap_instance.sh b/mise-tasks/bootstrap_instance.sh new file mode 100755 index 0000000..ece2310 --- /dev/null +++ b/mise-tasks/bootstrap_instance.sh @@ -0,0 +1,85 @@ +#!/usr/bin/env bash +# Prerequisites: +# 1password vault created with a single item in it with the property 'runner_token'. +# Define the vault and item used. +# Usage: ./bootstrap_instace.sh + +set -euo pipefail + +# Check if instance name is provided +if [ "$#" -ne 1 ]; then + echo "Usage: $0 " >&2 + exit 1 +fi + +INCUS_INSTANCE="$1" # Use the provided instance name + +# Set variables +INCUS_PATH="/var/lib/gitea-runner/default/tokenfile" + +# Check if OP_SESSION environment variable exists, if not, sign in +if [ -z "${OP_SESSION:-}" ]; then + echo "Not logged in to 1Password CLI. Attempting to sign in..." + if ! eval "$(op signin)"; then + echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2 + exit 1 + fi +fi + +# Retrieve both tokens from 1Password +RUNNER_TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token") +TAILSCALE_KEY=$(op read "op://forgejo-runner/tailscale/client_secret") + +if [ -z "$RUNNER_TOKEN" ]; then + echo "Failed to retrieve runner token from 1Password" >&2 + exit 1 +fi + +if [ -z "$TAILSCALE_KEY" ]; then + echo "Failed to retrieve Tailscale auth key from 1Password" >&2 + exit 1 +fi + +# Function to configure runner token with retries +push_and_check_token() { + local retries=5 + local count=0 + while [ $count -lt $retries ]; do + echo "Attempt $((count+1)) of $retries: Configuring runner token..." + if incus exec "$INCUS_INSTANCE" -- sh -c "echo 'TOKEN=$RUNNER_TOKEN' > '$INCUS_PATH'"; then + if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then + echo "Runner token file successfully verified in Incus instance." + return 0 + fi + fi + ((count++)) + echo "File not found or configuration failed. Retrying in 5 seconds..." + sleep 5 + done + echo "Failed to configure and verify runner token after $retries attempts." >&2 + return 1 +} + +# Configure runner token and Tailscale +if push_and_check_token; then + echo "Runner token successfully configured in instance $INCUS_INSTANCE" + echo "Configuring Tailscale..." + TAILSCALE_CMD="/run/current-system/sw/bin/tailscale" + TAILSCALE_ARGS=( + "--ssh" + "--auth-key=\"$TAILSCALE_KEY?ephemeral=false&preauthorized=true\"" + "--advertise-tags=tag:forgejo-runner" + ) + if incus exec "$INCUS_INSTANCE" -- sh -c "$TAILSCALE_CMD up ${TAILSCALE_ARGS[*]}"; then + echo "Tailscale successfully configured" + else + echo "Failed to configure Tailscale" >&2 + exit 1 + fi +else + echo "Failed to bootstrap $INCUS_INSTANCE" >&2 + exit 1 +fi + +echo "Bootstrapping $INCUS_INSTANCE completed successfully." + diff --git a/mise-tasks/build_import.sh b/mise-tasks/build_import.sh index a181c34..8ca1dd0 100755 --- a/mise-tasks/build_import.sh +++ b/mise-tasks/build_import.sh @@ -10,19 +10,19 @@ check_command() { } # Build the qemu image and get the path -qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) +qemuImageBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.qemuImage --print-out-paths) check_command "Building qemu image" # Build the metadata and get the path -metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths) +metadataBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.metadata --print-out-paths) check_command "Building metadata" # Set the paths for the metadata and qemu image MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz" -QBP="${qemuImageBuildPath}/nixos.qcow2" +QIBP="${qemuImageBuildPath}/nixos.qcow2" # Import the image to Incus and capture the instance name -incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" +incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QIBP" check_command "Importing image to Incus" -echo "Process completed successfully" +echo "Importing $1 completed successfully." diff --git a/mise-tasks/launch.sh b/mise-tasks/launch.sh index 6028da2..39756a4 100755 --- a/mise-tasks/launch.sh +++ b/mise-tasks/launch.sh @@ -6,8 +6,7 @@ INCUS_PROFILE="forgejo-runner" INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+') echo "The captured instance name is: $INSTANCE_NAME" -# Call the push_token.sh script with the new instance name -"$MISE_TASK_DIR"/push_token.sh "$INSTANCE_NAME" -echo "Pushing token to instance" +# Call the bootstrap_instance.sh script with the new instance name +"$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME" echo "Process completed successfully" diff --git a/mise-tasks/push_token.sh b/mise-tasks/push_token.sh deleted file mode 100755 index ce67f75..0000000 --- a/mise-tasks/push_token.sh +++ /dev/null @@ -1,73 +0,0 @@ -#!/usr/bin/env bash -# Prerequisites: -# 1password vault created with a single item in it with the property 'runner_token'. -# Define the vault and item used. -# Usage: ./push_token.sh - -set -euo pipefail - -# Check if instance name is provided -if [ "$#" -ne 1 ]; then - echo "Usage: $0 " >&2 - exit 1 -fi - -INCUS_INSTANCE="$1" # Use the provided instance name - -# Set variables -TOKEN_FILE="tokenfile" # Name of the temporary file to store the token -INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE" - -# Check if OP_SESSION environment variable exists, if not, sign in -if [ -z "${OP_SESSION:-}" ]; then - echo "Not logged in to 1Password CLI. Attempting to sign in..." - if ! eval "$(op signin)"; then - echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2 - exit 1 - fi -fi - -# Retrieve the token from 1Password using op:// format -TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token") - -if [ -z "$TOKEN" ]; then - echo "Failed to retrieve token from 1Password" >&2 - exit 1 -fi - -# Create the token file -echo "TOKEN=$TOKEN" > "$TOKEN_FILE" - -# Function to push file and check existence with retries -push_and_check_file() { - local retries=5 - local count=0 - while [ $count -lt $retries ]; do - echo "Attempt $((count+1)) of $retries: Pushing file to Incus instance..." - if incus file push "$TOKEN_FILE" "$INCUS_INSTANCE$INCUS_PATH"; then - if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then - echo "File successfully verified in Incus instance." - return 0 - fi - fi - ((count++)) - echo "File not found or push failed. Retrying in 5 seconds..." - sleep 5 - done - echo "Failed to push and verify file after $retries attempts." >&2 - return 1 -} - -# Push the file to Incus and verify its existence -if push_and_check_file; then - echo "Token file successfully pushed and verified in Incus instance $INCUS_INSTANCE" -else - echo "Failed to push or verify token file in Incus instance $INCUS_INSTANCE" >&2 - rm "$TOKEN_FILE" - exit 1 -fi - -# Clean up the local token file -rm "$TOKEN_FILE" - -echo "Operation completed successfully" diff --git a/profiles/fj-shadowfax-x86_64.nix b/profiles/.archive/fj-shadowfax-x86_64.nix similarity index 100% rename from profiles/fj-shadowfax-x86_64.nix rename to profiles/.archive/fj-shadowfax-x86_64.nix diff --git a/profiles/host-qemu.nix b/profiles/.archive/host-qemu.nix similarity index 100% rename from profiles/host-qemu.nix rename to profiles/.archive/host-qemu.nix diff --git a/profiles/hw-shadowfax.nix b/profiles/.archive/hw-shadowfax.nix similarity index 100% rename from profiles/hw-shadowfax.nix rename to profiles/.archive/hw-shadowfax.nix diff --git a/profiles/role-fj-hetzner.nix b/profiles/.archive/role-fj-hetzner.nix similarity index 100% rename from profiles/role-fj-hetzner.nix rename to profiles/.archive/role-fj-hetzner.nix diff --git a/profiles/role-lxc-vm.nix b/profiles/role-lxc-vm.nix index 38be392..28d5029 100644 --- a/profiles/role-lxc-vm.nix +++ b/profiles/role-lxc-vm.nix @@ -8,6 +8,7 @@ # and has the correct permissions. systemd.tmpfiles.rules = [ "d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -" + "d /var/lib/tailscale 0750 root root -" ]; services.gitea-actions-runner = { @@ -20,10 +21,28 @@ # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400` tokenFile = "/var/lib/gitea-runner/default/tokenfile"; labels = [ + "docker:docker://node:20-bullseye" "docker-x86_64:docker://node:20-bullseye" "ubuntu-x86_64:docker://node:20-bullseye" "native-x86_64:host" ]; }; }; + + # Enable Tailscale with enhanced configuration + services.tailscale = { + enable = true; + openFirewall = true; + }; + + # Ensure networking dependencies are properly ordered + # systemd.services.tailscaled = { + # after = [ + # "network-pre.target" + # "NetworkManager.service" + # "systemd-resolved.service" + # ]; + # wants = [ "network-pre.target" ]; + # requires = [ "network-online.target" ]; + # }; }