From 9dadee200241480f3c20677bf6aea63126bb880f Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 2 Jan 2026 12:06:12 -0800
Subject: one last big shuffle
---
home/programs/hashi.nix | 101 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 home/programs/hashi.nix
(limited to 'home/programs/hashi.nix')
diff --git a/home/programs/hashi.nix b/home/programs/hashi.nix
new file mode 100644
index 0000000..424c7b3
--- /dev/null
+++ b/home/programs/hashi.nix
@@ -0,0 +1,101 @@
+{ config, pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+
+ programs.fish = {
+ shellAbbrs =
+ let
+ environments = [
+ {
+ name = "chi1";
+ alias = "chi1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "ash1";
+ alias = "ash1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "sitetest3";
+ alias = "st3";
+ jumpHost = "st3-jumpcontainer-es";
+ }
+ {
+ name = "sitetest2-snc2";
+ alias = "st2-snc2";
+ jumpHost = "st2-snc2-jumpcontainer-es";
+ }
+ ];
+
+ # Generate all environment-specific aliases
+ envAliases = builtins.listToAttrs (
+ builtins.concatMap (env: [
+ {
+ name = "ssh-sign-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} sign --output-path=${config.home.homeDirectory}/.ssh/${env.alias}-cert.pub --key=(${pkgs._1password-cli}/bin/op read 'op://employee/default rbx ssh key/public key'|psub) key";
+ }
+ {
+ name = "hashi-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} show v";
+ }
+ {
+ name = "ssh-${env.alias}";
+ value = "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -J ${env.jumpHost} -o 'CertificateFile=~/.ssh/${env.alias}-cert.pub'";
+ }
+ ]) environments
+ );
+ in
+ envAliases;
+ };
+}
-- cgit v1.2.3
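Review bot: The `ssh-${env.alias}` abbreviation passes `-o StrictHostKeyChecking=no`, so new and changed host keys are accepted without any check and the client cannot distinguish the intended host from another machine answering behind the jump host; that undercuts the certificate-based login the `ssh-sign-*` abbreviations set up. Drop the option and, if these hosts present host certificates, trust their CA with a `@cert-authority` line in `known_hosts`; failing that, `-o StrictHostKeyChecking=accept-new` at least refuses a key that has changed. Separately, in `nomad-prod` the lines `export VAULT_TOKEN=$(…)` and `export NOMAD_TOKEN=$(…)` hide a failing `vault` call from `set -e`, because the status tested is that of `export`; assign first and export afterwards, e.g. `VAULT_TOKEN=$(…)` followed by `export VAULT_TOKEN`, so the script stops before it uses an empty token. The same script calls `yq` from `PATH` while `gh`, `vault` and `nomad` are pinned through `pkgs`, and its usage text prints `nomad-ui` rather than `nomad-prod`.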