host/local: Upload keys with sudo as well
parent
d7aa4ab864
commit
dd3f4b252c
4 changed files with 18 additions and 4 deletions
|
@ -4,6 +4,13 @@ let
|
||||||
tools = pkgs.callPackage ../tools.nix {
|
tools = pkgs.callPackage ../tools.nix {
|
||||||
targets = [];
|
targets = [];
|
||||||
prebuiltTarget = "deployer";
|
prebuiltTarget = "deployer";
|
||||||
|
extraDeployerConfig = {
|
||||||
|
users.users.colmena = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = [ "wheel" ];
|
||||||
|
};
|
||||||
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
in tools.makeTest {
|
in tools.makeTest {
|
||||||
name = "colmena-apply-local";
|
name = "colmena-apply-local";
|
||||||
|
@ -11,7 +18,8 @@ in tools.makeTest {
|
||||||
bundle = ./.;
|
bundle = ./.;
|
||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
deployer.succeed("cd /tmp/bundle && ${tools.colmenaExec} apply-local")
|
deployer.succeed("cd /tmp/bundle && sudo -u colmena ${tools.colmenaExec} apply-local --sudo")
|
||||||
deployer.succeed("grep SUCCESS /etc/deployment")
|
deployer.succeed("grep SUCCESS /etc/deployment")
|
||||||
|
deployer.succeed("grep SECRET /run/keys/key-text")
|
||||||
'';
|
'';
|
||||||
}
|
}
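Review bot: The new assertion `deployer.succeed("grep SECRET /run/keys/key-text")` checks the key's content but not its ownership or mode, even though uploading the key through sudo from a dedicated unprivileged user is exactly what this commit is exercising; adding `deployer.succeed("stat -c '%U %a' /run/keys/key-text")` and comparing the output with the expected owner and mode (`<EXPECTED_OWNER_MODE>`, not stated on this page) would catch a regression where the file ends up readable by the wrong user. The deployer fixture in the first hunk also deserves a why-comment, because `security.sudo.wheelNeedsPassword = false` and the `colmena` wheel user only make sense together: `# Unprivileged wheel user with passwordless sudo, so `apply-local --sudo` has to escalate through sudo inside the VM`. Without it a later reader may treat the passwordless-sudo line as a leftover rather than the point of the test.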
|
||||||
|
|
|
@ -19,5 +19,8 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.etc."deployment".text = "SUCCESS";
|
environment.etc."deployment".text = "SUCCESS";
|
||||||
|
|
||||||
|
# /run/keys/key-text
|
||||||
|
deployment.keys."key-text".text = "SECRET";
|
||||||
};
|
};
|
||||||
}
|
}
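Review bot: The comment `# /run/keys/key-text` above the new `deployment.keys."key-text".text = "SECRET";` names a path but not why it matters; since the apply-local test greps that exact path, a comment tying the two together would keep them from drifting silently: `# Ends up at /run/keys/key-text; the apply-local test greps this file for SECRET`. Whether /run/keys is the default destination for this key is not visible on this page, so the comment should state the path only as the test expects it.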
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
{ insideVm ? false
|
{ insideVm ? false
|
||||||
, deployers ? [ "deployer" ] # Nodes configured as deployers (with Colmena and pre-built system closure)
|
, deployers ? [ "deployer" ] # Nodes configured as deployers (with Colmena and pre-built system closure)
|
||||||
, targets ? [ "alpha" "beta" "gamma" ] # Nodes configured as targets (minimal config)
|
, targets ? [ "alpha" "beta" "gamma" ] # Nodes configured as targets (minimal config)
|
||||||
|
, extraDeployerConfig ? {} # Extra config on the deployer
|
||||||
, prebuiltTarget ? "alpha" # Target node to prebuild system closure for, or null
|
, prebuiltTarget ? "alpha" # Target node to prebuild system closure for, or null
|
||||||
|
|
||||||
, pkgs ? if insideVm then import <nixpkgs> {} else throw "Must specify pkgs"
|
, pkgs ? if insideVm then import <nixpkgs> {} else throw "Must specify pkgs"
|
||||||
|
@ -38,6 +39,10 @@ let
|
||||||
# so it can build system profiles for the targets without
|
# so it can build system profiles for the targets without
|
||||||
# network access.
|
# network access.
|
||||||
deployerConfig = { lib, config, ... }: {
|
deployerConfig = { lib, config, ... }: {
|
||||||
|
imports = [
|
||||||
|
extraDeployerConfig
|
||||||
|
];
|
||||||
|
|
||||||
nix.nixPath = [
|
nix.nixPath = [
|
||||||
"nixpkgs=${pkgs.path}"
|
"nixpkgs=${pkgs.path}"
|
||||||
];
|
];
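Review bot: The new `extraDeployerConfig` parameter is spliced straight into `imports = [ extraDeployerConfig ];` in the second hunk, so it is a full NixOS module merged into the deployer's configuration rather than a loose attrset of overrides, and the parameter comment should say so: `# Extra NixOS module merged into the deployer's configuration`. The default `{}` is a valid empty module, so callers that omit the argument are unaffected. The surrounding `deployerConfig` function continues past the end of the second hunk.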
|
||||||
|
|
|
@ -143,9 +143,7 @@ impl Local {
|
||||||
let path = key.path();
|
let path = key.path();
|
||||||
let key_script = format!("'{}'", key_uploader::generate_script(key, path, require_ownership));
|
let key_script = format!("'{}'", key_uploader::generate_script(key, path, require_ownership));
|
||||||
|
|
||||||
let mut command = Command::new("sh");
|
let mut command = self.make_privileged_command(&["sh", "-c", &key_script]);
|
||||||
|
|
||||||
command.args(&["-c", &key_script]);
|
|
||||||
command.stdin(Stdio::piped());
|
command.stdin(Stdio::piped());
|
||||||
command.stderr(Stdio::piped());
|
command.stderr(Stdio::piped());
|
||||||
command.stdout(Stdio::piped());
|
command.stdout(Stdio::piped());
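Review bot: The single-quote wrapping on the unchanged `let key_script = format!("'{}'", …)` line is now handed to `make_privileged_command` as one argv element; if that helper passes its arguments to `sudo`/`sh` as separate argv entries rather than joining them into a single shell string (its body is not in this hunk), the quotes become part of the script text instead of shell quoting, so the local `--sudo` and non-sudo paths should both be checked to confirm the script still parses. Because the script now runs with elevated privileges whenever `--sudo` is set, a short comment on the new line would help the reader: `// With --sudo this runs the key script as root; the key content is fed through the piped stdin below, not the argv.` — the stdin write happens after this hunk, so the second clause should be confirmed against it. The enclosing method starts and ends outside the hunk.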
|
||||||
|
|