Diffstat (limited to 'home/programs/hashi.nix')
-rw-r--r--home/programs/hashi.nix101
1 files changed, 101 insertions, 0 deletions
diff --git a/home/programs/hashi.nix b/home/programs/hashi.nix
new file mode 100644
index 0000000..424c7b3
--- /dev/null
+++ b/home/programs/hashi.nix
@@ -0,0 +1,101 @@
+{ config, pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+
+ programs.fish = {
+ shellAbbrs =
+ let
+ environments = [
+ {
+ name = "chi1";
+ alias = "chi1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "ash1";
+ alias = "ash1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "sitetest3";
+ alias = "st3";
+ jumpHost = "st3-jumpcontainer-es";
+ }
+ {
+ name = "sitetest2-snc2";
+ alias = "st2-snc2";
+ jumpHost = "st2-snc2-jumpcontainer-es";
+ }
+ ];
+
+ # Generate all environment-specific aliases
+ envAliases = builtins.listToAttrs (
+ builtins.concatMap (env: [
+ {
+ name = "ssh-sign-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} sign --output-path=${config.home.homeDirectory}/.ssh/${env.alias}-cert.pub --key=(${pkgs._1password-cli}/bin/op read 'op://employee/default rbx ssh key/public key'|psub) key";
+ }
+ {
+ name = "hashi-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} show v";
+ }
+ {
+ name = "ssh-${env.alias}";
+ value = "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -J ${env.jumpHost} -o 'CertificateFile=~/.ssh/${env.alias}-cert.pub'";
+ }
+ ]) environments
+ );
+ in
+ envAliases;
+ };
+}
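Review bot: The `ssh-${env.alias}` abbreviation near the end of the hunk passes `-o StrictHostKeyChecking=no`, which turns off host-key verification for every environment in the list, including chi1 and ash1, which `nomad-prod` appears to treat as production regions, so a spoofed or intercepted host would be accepted without any prompt. Since the same file already issues user certificates through `hashi ... sign`, a host CA line in known_hosts (`@cert-authority`) would fit if host certificates are available; failing that, `-o StrictHostKeyChecking=accept-new` at least refuses a changed key. Separately, in `nomad-prod`, `export VAULT_TOKEN=$(...)` and `export NOMAD_TOKEN=$(...)` hide the exit status of the `vault` calls from `set -e`, so a failed login carries on with an empty token; assign first and export afterwards, e.g. `VAULT_TOKEN=$(...); export VAULT_TOKEN`. `CELL_ID` is also taken from `$1` and interpolated unchecked into `NOMAD_ADDR` and the Vault path, so a pattern check on it before use would make sure the management token is only ever sent to a `*-nomad.simulprod.com` host.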