Merge branch 'local-dev-env-2' into 'develop'

Add local development network morph/nix configuration See merge request !82

Merge branch 'local-dev-env-2' into 'develop'
67b6b081 · Florian Sesser · 39e2c445 · 887522cb · 67b6b081 · 67b6b081
Commit 67b6b081 authored 4 years ago by Florian Sesser
--- a/morph/grid/local/README.rst
+++ b/morph/grid/local/README.rst
@@ -36,13 +36,35 @@ If you run an older Nixpkgs, retrieve and use the latest Vagrant development ver
 Use the local development environment
 `````````````````````````````````````

-Build and start the VMs::
+1. Build and start the VMs::

    VAGRANT_DEFAULT_PROVIDER=virtualbox vagrant up

-Then::
+2. Then, once::
+
+    vagrant ssh-config > ./vagrant-ssh-config
+
+3. Edit the output: Add the IPs from ``grid.nix`` to the ``vagrant-ssh-config`` **Host match blocks** so the config reads like::
+
+    Host payments1 192.168.67.21
+      HostName 192.168.67.21
+      User vagrant
+      Port 22
+      [...]
+
+4.  Then, make morph use this ssh config either - with newer morph [#]_ - by pointing it to it::
+
+     export SSH_CONFIG_FILE=./vagrant-ssh-config
+
+  Or, with older morph, adding the config to your user's ``~/.ssh/config`` file.
+
+  .. [#]  Morph honors the ``SSH_CONFIG_FILE`` environment variable `since 3f90aa88 (March 2020, v 1.5.0) <https://github.com/DBCDK/morph/commit/3f90aa885fac1c29fce9242452fa7c0c505744ef#diff-d155ad793bd62e6ea4c44ba985049ecb13a4f4f32f799791b2bce695a16c0101>`_.
+
+5. Then, build and deploy our software to the Vagrant VMs::

    morph build grid.nix
    morph push grid.nix
    morph deploy grid.nix switch

+  You will now be able to log in with the users and keys you set in your ``localdev-users.nix`` file.
+
--- a/morph/grid/local/Vagrantfile
+++ b/morph/grid/local/Vagrantfile
@@ -33,6 +33,7 @@ Vagrant.configure("2") do |config|
  end

  # To make the VMs assign the static IPs to the network interfaces we need a rebuild:
+  config.vm.provision "shell", inline: "echo '{nix.trustedUsers = [ \"@wheel\" \"root\" \"vagrant\" ];}' > /etc/nixos/custom-configuration.nix"
  config.vm.provision "shell", inline: "nixos-rebuild switch"

  config.trigger.after :up do |trigger|

--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
+{ "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
+, "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
+, "passValue": 1000000
+, "issuerDomain": "payments.localdev"
+, "letsEncryptAdminEmail": "florian@privatestorage.io"
+, "allowedChargeOrigins": [
+    "http://localhost:5000"
+  ]
+}
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
+# Load the helper function and call it with arguments tailored for the local
+# grid.  It will make the morph configuration for us.  We share this function
+# with the production grid and have one fewer possible point of divergence.
+import ../../lib/make-grid.nix {
+  name = "LocalDev";
+  config = ./config.json;
+  nodes = cfg:
+  let
+    sshUsers = import ../../../../PrivateStorageSecrets/localdev-users.nix;
+  in {
+    "payments1" = import ../../lib/make-issuer.nix (rec {
+      publicIPv4 = "192.168.67.21";
+      inherit sshUsers;
+      hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+      stateVersion = "19.03";
+    } // cfg);
+
+    "storage1" = import ../../lib/make-testing.nix (rec {
+      publicIPv4 = "192.168.67.22";
+      inherit sshUsers;
+      hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+      stateVersion = "19.09";
+    } // cfg);
+
+    "storage2" = import ../../lib/make-testing.nix (rec {
+      publicIPv4 = "192.168.67.23";
+      inherit sshUsers;
+      hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
+      stateVersion = "19.09";
+    } // cfg);
+  };
+}
--- a/morph/grid/local/vagrant-guest.nix
+++ b/morph/grid/local/vagrant-guest.nix
+# Minimal configuration that vagrant depends on
+
+{ config, pkgs, ... }:
+let
+  # Vagrant uses an insecure shared private key by default, but we
+  # don't use the authorizedKeys attribute under users because it should be
+  # removed on first boot and replaced with a random one. This script sets
+  # the correct permissions and installs the temporary key if no
+  # ~/.ssh/authorized_keys exists.
+  install-vagrant-ssh-key = pkgs.writeScriptBin "install-vagrant-ssh-key" ''
+    #!${pkgs.runtimeShell}
+    if [ ! -e ~/.ssh/authorized_keys ]; then
+      mkdir -m 0700 -p ~/.ssh
+      echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> ~/.ssh/authorized_keys
+      chmod 0600 ~/.ssh/authorized_keys
+    fi
+  '';
+in
+{
+  # Services to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable DBus
+  services.dbus.enable    = true;
+
+  # Replace ntpd by timesyncd
+  services.timesyncd.enable = true;
+
+  # Packages for Vagrant
+  environment.systemPackages = with pkgs; [
+    findutils
+    gnumake
+    iputils
+    jq
+    nettools
+    netcat
+    nfs-utils
+    rsync
+  ];
+
+  users.users.root = { password = "vagrant"; };
+
+  # Creates a "vagrant" group & user with password-less sudo access
+  users.groups.vagrant = {
+    name = "vagrant";
+    members = [ "vagrant" ];
+  };
+  users.extraUsers.vagrant = {
+    isNormalUser    = true;
+    createHome      = true;
+    group           = "vagrant";
+    extraGroups     = [ "users" "wheel" ];
+    password        = "vagrant";
+    home            = "/home/vagrant";
+    useDefaultShell = true;
+  };
+
+  systemd.services.install-vagrant-ssh-key = {
+    description = "Vagrant SSH key install (if needed)";
+    after = [ "fs.target" ];
+    wants = [ "fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${install-vagrant-ssh-key}/bin/install-vagrant-ssh-key";
+      User = "vagrant";
+      # So it won't be (needlessly) restarted:
+      RemainAfterExit = true;
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  security.sudo.extraConfig =
+    ''
+      Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
+      Defaults:root,%wheel env_keep+=NIX_PATH
+      Defaults:root,%wheel env_keep+=TERMINFO_DIRS
+      Defaults env_keep+=SSH_AUTH_SOCK
+      Defaults lecture = never
+      root   ALL=(ALL) SETENV: ALL
+      %wheel ALL=(ALL) NOPASSWD: ALL, SETENV: ALL
+    '';
+}
+
--- a/morph/grid/local/virtual-hardware.nix
+++ b/morph/grid/local/virtual-hardware.nix
+{ publicIPv4, ... }:
+{
+  imports = [ ./vagrant-guest.nix ];
+
+  virtualisation.virtualbox.guest.enable = true;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # remove the fsck that runs at startup. It will always fail to run, stopping
+  # your boot until you press *.
+  boot.initrd.checkJournalingFS = false;
+
+  networking.interfaces.enp0s8.ipv4.addresses = [{
+    address = publicIPv4;
+    prefixLength = 24;
+  }];
+
+  fileSystems."/storage" = { fsType = "tmpfs"; };
+  fileSystems."/" =
+    { device = "/dev/sda1";
+      fsType = "ext4";
+    };
+  swapDevices = [ ];
+
+  # We want to push packages with morph without having to sign them
+  nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
+}
+