diff options
Diffstat (limited to 'nixos/maintainers')
-rw-r--r-- | nixos/maintainers/scripts/azure-new/.gitignore | 1 | ||||
-rw-r--r-- | nixos/maintainers/scripts/azure-new/README.md | 42 | ||||
-rwxr-xr-x | nixos/maintainers/scripts/azure-new/boot-vm.sh | 36 | ||||
-rw-r--r-- | nixos/maintainers/scripts/azure-new/common.sh | 7 | ||||
-rw-r--r-- | nixos/maintainers/scripts/azure-new/examples/basic/image.nix | 10 | ||||
-rw-r--r-- | nixos/maintainers/scripts/azure-new/examples/basic/system.nix | 34 | ||||
-rw-r--r-- | nixos/maintainers/scripts/azure-new/shell.nix | 13 | ||||
-rwxr-xr-x | nixos/maintainers/scripts/azure-new/upload-image.sh | 58 |
8 files changed, 201 insertions, 0 deletions
diff --git a/nixos/maintainers/scripts/azure-new/.gitignore b/nixos/maintainers/scripts/azure-new/.gitignore new file mode 100644 index 00000000000..26905a86234 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/.gitignore @@ -0,0 +1 @@ +azure \ No newline at end of file diff --git a/nixos/maintainers/scripts/azure-new/README.md b/nixos/maintainers/scripts/azure-new/README.md new file mode 100644 index 00000000000..20e81c44ce5 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/README.md @@ -0,0 +1,42 @@ +# azure + +## Demo + +Here's a demo of this being used: https://asciinema.org/a/euXb9dIeUybE3VkstLWLbvhmp + +## Usage + +This is meant to be an example image that you can copy into your own +project and modify to your own needs. Notice that the example image +includes a built-in test user account, which by default uses your +`~/.ssh/id_ed25519.pub` as an `authorized_key`. + +Build and upload the image +```shell +$ ./upload-image.sh ./examples/basic/image.nix + +... ++ attr=azbasic ++ nix-build ./examples/basic/image.nix --out-link azure +/nix/store/qdpzknpskzw30vba92mb24xzll1dqsmd-azure-image +... +95.5 %, 0 Done, 0 Failed, 1 Pending, 0 Skipped, 1 Total, 2-sec Throughput (Mb/s): 932.9565 +... +/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/nixos-images/providers/Microsoft.Compute/images/azure-image-todo-makethisbetter +``` + +Take the output, boot an Azure VM: + +``` +img="/subscriptions/.../..." # use output from last command +./boot-vm.sh "${img}" +... +=> booted +``` + +## Future Work + +1. If the user specifies a hard-coded user, then the agent could be removed. + Probably has security benefits; definitely has closure-size benefits. + (It's likely the VM will need to be booted with a special flag. See: + https://github.com/Azure/azure-cli/issues/12775 for details.) diff --git a/nixos/maintainers/scripts/azure-new/boot-vm.sh b/nixos/maintainers/scripts/azure-new/boot-vm.sh new file mode 100755 index 00000000000..1ce3a5f9db1 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/boot-vm.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +set -euo pipefail +set -x + +image="${1}" +location="westus2" +group="nixos-test-vm" +vm_size="Standard_D2s_v3"; os_size=42; + +# ensure group +az group create --location "westus2" --name "${group}" +group_id="$(az group show --name "${group}" -o tsv --query "[id]")" + +# (optional) identity +if ! az identity show -n "${group}-identity" -g "${group}" &>/dev/stderr; then + az identity create --name "${group}-identity" --resource-group "${group}" +fi + +# (optional) role assignment, to the resource group, bad but not really great alternatives +identity_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[id]")" +principal_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[principalId]")" +until az role assignment create --assignee "${principal_id}" --role "Owner" --scope "${group_id}"; do sleep 1; done + +# boot vm +az vm create \ + --name "${group}-vm" \ + --resource-group "${group}" \ + --assign-identity "${identity_id}" \ + --size "${vm_size}" \ + --os-disk-size-gb "${os_size}" \ + --image "${image}" \ + --admin-username "${USER}" \ + --location "westus2" \ + --storage-sku "Premium_LRS" \ + --ssh-key-values "$(ssh-add -L)" + diff --git a/nixos/maintainers/scripts/azure-new/common.sh b/nixos/maintainers/scripts/azure-new/common.sh new file mode 100644 index 00000000000..eb87c3e0650 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/common.sh @@ -0,0 +1,7 @@ +export group="${AZURE_RESOURCE_GROUP:-"azure"}" +export location="${AZURE_LOCATION:-"westus2"}" + +img_file=$(echo azure/*.vhd) +img_name="$(basename "${img_file}")" +img_name="${img_name%".vhd"}" +export img_name="${img_name//[._]/-}" diff --git a/nixos/maintainers/scripts/azure-new/examples/basic/image.nix b/nixos/maintainers/scripts/azure-new/examples/basic/image.nix new file mode 100644 index 00000000000..74b12815158 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/examples/basic/image.nix @@ -0,0 +1,10 @@ +let + pkgs = (import <nixpkgs> {}); + machine = import "${pkgs.path}/nixos/lib/eval-config.nix" { + system = "x86_64-linux"; + modules = [ + ({config, ...}: { imports = [ ./system.nix ]; }) + ]; + }; +in + machine.config.system.build.azureImage diff --git a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix new file mode 100644 index 00000000000..855bd3bab71 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix @@ -0,0 +1,34 @@ +{ pkgs, modulesPath, ... }: + +let username = "azurenixosuser"; +in +{ + imports = [ + "${modulesPath}/virtualisation/azure-common.nix" + "${modulesPath}/virtualisation/azure-image.nix" + ]; + + ## NOTE: This is just an example of how to hard-code a user. + ## The normal Azure agent IS included and DOES provision a user based + ## on the information passed at VM creation time. + users.users."${username}" = { + isNormalUser = true; + home = "/home/${username}"; + description = "Azure NixOS Test User"; + openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ]; + }; + nix.trustedUsers = [ username ]; + + virtualisation.azureImage.diskSize = 2500; + + system.stateVersion = "20.03"; + boot.kernelPackages = pkgs.linuxPackages_latest; + + # test user doesn't have a password + services.openssh.passwordAuthentication = false; + security.sudo.wheelNeedsPassword = false; + + environment.systemPackages = with pkgs; [ + git file htop wget curl + ]; +} diff --git a/nixos/maintainers/scripts/azure-new/shell.nix b/nixos/maintainers/scripts/azure-new/shell.nix new file mode 100644 index 00000000000..592f1bf9056 --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/shell.nix @@ -0,0 +1,13 @@ +with (import ../../../../default.nix {}); +stdenv.mkDerivation { + name = "nixcfg-azure-devenv"; + + nativeBuildInputs = [ + azure-cli + bash + cacert + azure-storage-azcopy + ]; + + AZURE_CONFIG_DIR="/tmp/azure-cli/.azure"; +} diff --git a/nixos/maintainers/scripts/azure-new/upload-image.sh b/nixos/maintainers/scripts/azure-new/upload-image.sh new file mode 100755 index 00000000000..1466dcd1f0a --- /dev/null +++ b/nixos/maintainers/scripts/azure-new/upload-image.sh @@ -0,0 +1,58 @@ +#!/usr/bin/env bash +set -euo pipefail +set -x + +image_nix="${1:-"./examples/basic/image.nix"}" + +nix-build "${image_nix}" --out-link "azure" + +group="nixos-images" +location="westus2" +img_name="nixos-image" +img_file="$(readlink -f ./azure/disk.vhd)" + +if ! az group show -n "${group}" &>/dev/null; then + az group create --name "${group}" --location "${location}" +fi + +# note: the disk access token song/dance is tedious +# but allows us to upload direct to a disk image +# thereby avoid storage accounts (and naming them) entirely! +if ! az disk show -g "${group}" -n "${img_name}" &>/dev/null; then + bytes="$(stat -c %s ${img_file})" + size="30" + az disk create \ + --resource-group "${group}" \ + --name "${img_name}" \ + --for-upload true --upload-size-bytes "${bytes}" + + timeout=$(( 60 * 60 )) # disk access token timeout + sasurl="$(\ + az disk grant-access \ + --access-level Write \ + --resource-group "${group}" \ + --name "${img_name}" \ + --duration-in-seconds ${timeout} \ + | jq -r '.accessSas' + )" + + azcopy copy "${img_file}" "${sasurl}" \ + --blob-type PageBlob + + az disk revoke-access \ + --resource-group "${group}" \ + --name "${img_name}" +fi + +if ! az image show -g "${group}" -n "${img_name}" &>/dev/null; then + diskid="$(az disk show -g "${group}" -n "${img_name}" -o json | jq -r .id)" + + az image create \ + --resource-group "${group}" \ + --name "${img_name}" \ + --source "${diskid}" \ + --os-type "linux" >/dev/null +fi + +imageid="$(az image show -g "${group}" -n "${img_name}" -o json | jq -r .id)" +echo "${imageid}" |