WIP work on MacOWS

arianvp · Aug 23, 2024 · b9d646e · b9d646e
1 parent e7d009f
commit b9d646e
Show file tree

Hide file tree

Showing 8 changed files with 223 additions and 16 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,12 @@ on:
       - main
   pull_request:
 jobs:
+  build:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+    runs-on: ubuntu-latest
   check:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/cosign.sh b/.github/workflows/cosign.sh
diff --git a/deploy/.terraform.lock.hcl b/deploy/.terraform.lock.hcl
diff --git a/deploy/instance.tf b/deploy/instance.tf
@@ -41,7 +41,7 @@ module "ssm_documents" {
 }
 
 resource "aws_instance" "web" {
-  count                = 2
+  count                = 0
   ami                  = data.aws_ami.nixos.id
   instance_type        = "t4g.micro"
   iam_instance_profile = module.instance_profile_web.name
@@ -98,7 +98,7 @@ resource "aws_ssm_association" "web" {
 }
 
 resource "aws_instance" "web_push" {
-  count                = 1
+  count                = 0
   ami                  = data.aws_ami.nixos_x86_64.id
   instance_type        = "t3.micro"
   iam_instance_profile = module.instance_profile_web.name

diff --git a/deploy/macos.tf b/deploy/macos.tf
@@ -0,0 +1,146 @@
+resource "aws_ec2_host" "macos" {
+  instance_type     = "mac2-m2.metal"
+  availability_zone = "eu-central-1a"
+}
+
+import {
+  id = "h-0e63deea1a63be003"
+  to = aws_ec2_host.macos
+}
+
+data "aws_ami" "macos" {
+  owners = ["amazon"]
+  filter {
+    name   = "architecture"
+    values = ["arm64_mac"]
+  }
+  most_recent = true
+}
+
+import {
+  id = "macos"
+  to = aws_iam_role.macos
+}
+
+import {
+  id = "macos"
+  to = aws_iam_instance_profile.macos
+}
+
+resource "aws_iam_role" "macos" {
+  name = "macos"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
+}
+
+resource "aws_iam_instance_profile" "macos" {
+  name = "macos"
+  role = aws_iam_role.macos.name
+}
+
+resource "aws_instance" "macos" {
+  ami                  = data.aws_ami.macos.id
+  instance_type        = "mac2-m2.metal"
+  tenancy              = "host"
+  iam_instance_profile = aws_iam_instance_profile.macos.name
+  ebs_optimized        = true
+
+  metadata_options {
+    http_tokens = "required"
+  }
+
+  root_block_device {
+    volume_type = "gp3"
+    throughput  = "1000"
+    iops        = "16000"
+  }
+  tags = {
+    Name = "macos"
+  }
+}
+
+resource "random_password" "password" {
+  length  = 16
+  special = false
+}
+
+resource "aws_ssm_document" "provision_macos" {
+  name          = "ProvisionMacOS"
+  document_type = "Command"
+  content = jsonencode({
+    schemaVersion = "2.2"
+    description   = "Enable AutoLogin"
+    mainSteps = [
+      {
+        action = "aws:runShellScript"
+        name   = "EnableAutoLogin"
+        inputs = {
+          runCommand = [<<-EOF
+            # skip if already enabled, continue if not enabled
+            (sudo defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser && exit 0) || true
+
+            # Enable VNC
+            sudo launchctl enable system/com.apple.screensharing
+            sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
+
+            # Enable AutoLogin
+            curl -O https://raw.githubusercontent.com/timsutton/osx-vm-templates/eb09892c82215e15feaed04032d4045a37832a68/scripts/support/set_kcpassword.py
+            sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser ec2-user
+            sudo dscl . -passwd /Users/ec2-user '${random_password.password.result}'
+            sudo python3 ./set_kcpassword.py '${random_password.password.result}'
+
+            # Reboot to apply changes
+            # exit 194
+            EOF
+          ]
+        }
+      }
+    ]
+  })
+}
+
+# We use SSM instead of user-data as changing User-Data requires instance stop and start
+# which takes 2 hours for mac2.metal instances
+# NOTE: Make sure this document is idempotent!
+/*resource "aws_ssm_document" "provision_macos" {
+  name          = "ProvisionMacOS"
+  document_type = "Command"
+  content = jsonencode({
+    schemaVersion = "2.2"
+    description   = "Provision MacOS"
+    mainSteps = [
+      {
+        action = "aws:runShellScript"
+        name   = "ProvisionMacOS"
+        inputs = {
+          runCommand = [
+            "sudo -u ec2-user /opt/homebrew/bin/brew install cirruslabs/cli/tart",
+            "sudo -u ec2-user /opt/homebrew/bin/brew install hashicorp/tap/packer",
+            "sudo -u ec2-user /opt/homebrew/bin/brew install hashicorp/tap/terraform",
+            "sudo -u ec2-user /opt/homebrew/bin/tart pull ghcr.io/cirruslabs/macos-sonoma-base:latest"
+          ]
+        }
+      }
+    ]
+  })
+}*/
+
+resource "aws_ssm_association" "macos" {
+  name             = aws_ssm_document.provision_macos.name
+  document_version = aws_ssm_document.provision_macos.document_version
+  targets {
+    key    = "tag:Name"
+    values = ["macos"]
+  }
+}
diff --git a/deploy/set_kcpassword.py b/deploy/set_kcpassword.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+# Port of Gavin Brock's Perl kcpassword generator to Python, by Tom Taylor
+# <[email protected]>.
+# Perl version: http://www.brock-family.org/gavin/perl/kcpassword.html
+
+import sys
+import os
+
+def kcpassword(passwd):
+    # The magic 11 bytes - these are just repeated
+    # 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F
+    key = [125,137,82,35,210,188,221,234,163,185,31]
+    key_len = len(key)
+
+    passwd = [ord(x) for x in list(passwd)]
+    # pad passwd length out to an even multiple of key length
+    r = len(passwd) % key_len
+    if (r > 0):
+        passwd = passwd + [0] * (key_len - r)
+
+    for n in range(0, len(passwd), len(key)):
+        ki = 0
+        for j in range(n, min(n+len(key), len(passwd))):
+            passwd[j] = passwd[j] ^ key[ki]
+            ki += 1
+
+    passwd = [chr(x) for x in passwd]
+    return "".join(passwd)
+
+if __name__ == "__main__":
+    passwd = kcpassword(sys.argv[1])
+    fd = os.open('/etc/kcpassword', os.O_WRONLY | os.O_CREAT, 0o600)
+    file = os.fdopen(fd, 'w')
+    file.write(passwd)
+    file.close()
diff --git a/flake.nix b/flake.nix
@@ -13,6 +13,7 @@
         packages = [
           opentofu
           awscli2
+          ssm-session-manager-plugin
           nodejs
           tflint
           actionlint
@@ -59,6 +60,5 @@
         };
       };
     });
-
   };
 }
diff --git a/nodes.nix b/nodes.nix
@@ -0,0 +1,17 @@
+{ lib, config, nodes, pkgs, ... }:
+{
+    nodes = {
+        prometheus = {
+            deployment.ssm = {
+                parameters = {
+                    substituters = [ "s3://mybucket" ];
+                    trusted-public-keys = [ "mykey" ];
+                };
+                targets = [ { Name = "tag:Name"; Values = ["prometheus"]; } ]
+                maxConcurrency = "50%";
+                maxErrors = "50%";
+            };
+            services.prometheus.enable = true;
+        };
+    };
+}