Blame - core/installer/tasks/infra.go - pcloud

blob: d71842848276f3e750860faeffb3f5c0ac1ee212 [file] [log] [blame]

Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	1	package tasks
				2
				3	import (
				4	"fmt"
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	5	"net"
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	6	"net/netip"
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	7	"strings"
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	8
				9	"github.com/miekg/dns"
				10
				11	"github.com/giolekva/pcloud/core/installer"
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	12	)
				13
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	14	var initGroups = []string{"admin"}
				15
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	16	func CreateRepoClient(env Env, st *state) Task {
				17	t := newLeafTask("Create repo client", func() error {
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	18	repo, err := st.ssClient.GetRepo("config")
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	19	if err != nil {
				20	return err
				21	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	22	r, err := installer.NewRepoIO(repo, st.ssClient.Signer)
				23	if err != nil {
				24	return err
				25	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	26	appManager, err := installer.NewAppManager(r, st.nsCreator)
				27	if err != nil {
				28	return err
				29	}
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	30	st.appManager = appManager
				31	st.appsRepo = installer.NewInMemoryAppRepository(installer.CreateAllApps())
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	32	return nil
				33	})
Giorgi Lekveishvili	ab7ff6e	2024-03-29 13:11:30 +0400	[diff] [blame]	34	t.beforeStart = func() {
				35	st.infoListener("Setting up core infrastructure services.")
				36	}
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	37	return &t
				38	}
				39
				40	func SetupInfra(env Env, startIP net.IP, st *state) Task {
				41	return newConcurrentParentTask(
				42	"Setup core services",
				43	true,
				44	SetupNetwork(env, startIP, st),
				45	SetupCertificateIssuers(env, st),
				46	SetupAuth(env, st),
				47	SetupGroupMemberships(env, st),
				48	SetupHeadscale(env, startIP, st),
				49	SetupWelcome(env, st),
				50	SetupAppStore(env, st),
				51	)
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	52	}
				53
				54	func CommitEnvironmentConfiguration(env Env, st *state) Task {
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	55	t := newLeafTask("commit config", func() error {
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	56	repo, err := st.ssClient.GetRepo("config")
				57	if err != nil {
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	58	return err
				59	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	60	r, err := installer.NewRepoIO(repo, st.ssClient.Signer)
				61	if err != nil {
				62	return err
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	63	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	64	r.Atomic(func(r installer.RepoFS) (string, error) {
				65	{
				66	// TODO(giolekva): private domain can be configurable as well
				67	config := installer.Config{
				68	Values: installer.Values{
				69	PCloudEnvName: env.PCloudEnvName,
				70	Id: env.Name,
				71	ContactEmail: env.ContactEmail,
				72	Domain: env.Domain,
				73	PrivateDomain: fmt.Sprintf("p.%s", env.Domain),
				74	PublicIP: st.publicIPs[0].String(),
				75	NamespacePrefix: fmt.Sprintf("%s-", env.Name),
				76	},
				77	}
				78	if err := installer.WriteYaml(r, "config.yaml", config); err != nil {
				79	return "", err
				80	}
				81	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	82	out, err := r.Writer("pcloud-charts.yaml")
				83	if err != nil {
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	84	return "", err
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	85	}
				86	defer out.Close()
				87	_, err = fmt.Fprintf(out, `
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	88	apiVersion: source.toolkit.fluxcd.io/v1
				89	kind: GitRepository
				90	metadata:
				91	name: pcloud
				92	namespace: %s
				93	spec:
				94	interval: 1m0s
				95	url: https://github.com/giolekva/pcloud
				96	ref:
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	97	branch: ingress-port-allocator
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	98	`, env.Name)
				99	if err != nil {
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	100	return "", err
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	101	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	102	rootKust, err := installer.ReadKustomization(r, "kustomization.yaml")
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	103	if err != nil {
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	104	return "", err
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	105	}
				106	rootKust.AddResources("pcloud-charts.yaml")
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	107	if err := installer.WriteYaml(r, "kustomization.yaml", rootKust); err != nil {
				108	return "", err
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	109	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	110	return "configure charts repo", nil
				111	})
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	112	return nil
				113	})
				114	return &t
				115	}
				116
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	117	type firstAccount struct {
				118	Created bool `json:"created"`
				119	Groups []string `json:"groups"`
				120	}
				121
				122	func ConfigureFirstAccount(env Env, st *state) Task {
				123	t := newLeafTask("Configure first account settings", func() error {
				124	repo, err := st.ssClient.GetRepo("config")
				125	if err != nil {
				126	return err
				127	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	128	r, err := installer.NewRepoIO(repo, st.ssClient.Signer)
				129	if err != nil {
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	130	return err
				131	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	132	return r.Atomic(func(r installer.RepoFS) (string, error) {
				133	fa := firstAccount{false, initGroups}
				134	if err := installer.WriteYaml(r, "first-account.yaml", fa); err != nil {
				135	return "", err
				136	}
				137	return "first account membership configuration", nil
				138	})
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	139	})
				140	return &t
				141	}
				142
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	143	func SetupNetwork(env Env, startIP net.IP, st *state) Task {
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	144	t := newLeafTask("Setup private and public networks", func() error {
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	145	startAddr, err := netip.ParseAddr(startIP.String())
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	146	if err != nil {
				147	return err
				148	}
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	149	if !startAddr.Is4() {
				150	return fmt.Errorf("Expected IPv4, got %s instead", startAddr)
				151	}
				152	addr := startAddr.AsSlice()
				153	if addr[3] != 0 {
				154	return fmt.Errorf("Expected last byte to be zero, got %d instead", addr[3])
				155	}
				156	addr[3] = 10
				157	fromIP, ok := netip.AddrFromSlice(addr)
				158	if !ok {
				159	return fmt.Errorf("Must not reach")
				160	}
				161	addr[3] = 254
				162	toIP, ok := netip.AddrFromSlice(addr)
				163	if !ok {
				164	return fmt.Errorf("Must not reach")
				165	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	166	{
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	167	ingressPrivateIP := startAddr
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	168	headscaleIP := ingressPrivateIP.Next()
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	169	app, err := st.appsRepo.Find("metallb-ipaddresspool")
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	170	if err != nil {
				171	return err
				172	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	173	{
				174	appDir := fmt.Sprintf("/apps/%s-ingress-private", app.Name())
				175	namespace := fmt.Sprintf("%s%s-ingress-private", env.NamespacePrefix, app.Namespace())
				176	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
				177	"name": fmt.Sprintf("%s-ingress-private", env.Name),
				178	"from": ingressPrivateIP.String(),
				179	"to": ingressPrivateIP.String(),
				180	"autoAssign": false,
				181	"namespace": "metallb-system",
				182	}); err != nil {
				183	return err
				184	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	185	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	186	{
				187	appDir := fmt.Sprintf("/apps/%s-headscale", app.Name())
				188	namespace := fmt.Sprintf("%s%s-ingress-private", env.NamespacePrefix, app.Namespace())
				189	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
				190	"name": fmt.Sprintf("%s-headscale", env.Name),
				191	"from": headscaleIP.String(),
				192	"to": headscaleIP.String(),
				193	"autoAssign": false,
				194	"namespace": "metallb-system",
				195	}); err != nil {
				196	return err
				197	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	198	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	199	{
				200	appDir := fmt.Sprintf("/apps/%s", app.Name())
				201	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				202	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
				203	"name": env.Name,
				204	"from": fromIP.String(),
				205	"to": toIP.String(),
				206	"autoAssign": false,
				207	"namespace": "metallb-system",
				208	}); err != nil {
				209	return err
				210	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	211	}
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	212	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	213	{
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	214	keys, err := installer.NewSSHKeyPair("port-allocator")
				215	if err != nil {
				216	return err
				217	}
				218	user := fmt.Sprintf("%s-port-allocator", env.Name)
				219	if err := st.ssClient.AddUser(user, keys.AuthorizedKey()); err != nil {
				220	return err
				221	}
				222	if err := st.ssClient.AddReadWriteCollaborator("config", user); err != nil {
				223	return err
				224	}
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	225	app, err := st.appsRepo.Find("private-network")
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	226	if err != nil {
				227	return err
				228	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	229	appDir := fmt.Sprintf("/apps/%s", app.Name())
				230	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				231	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	232	"privateNetwork": map[string]any{
				233	"hostname": "private-network-proxy",
				234	"username": "private-network-proxy",
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	235	"ipSubnet": fmt.Sprintf("%s/24", startIP.String()),
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	236	},
Giorgi Lekveishvili	b59b7c2	2024-04-03 22:17:50 +0400	[diff] [blame]	237	"sshPrivateKey": string(keys.RawPrivateKey()),
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	238	}); err != nil {
				239	return err
				240	}
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	241	}
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	242	return nil
				243	})
				244	return &t
				245	}
				246
				247	func SetupCertificateIssuers(env Env, st *state) Task {
				248	pub := newLeafTask(fmt.Sprintf("Public %s", env.Domain), func() error {
				249	app, err := st.appsRepo.Find("certificate-issuer-public")
				250	if err != nil {
				251	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	252	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	253	appDir := fmt.Sprintf("/apps/%s", app.Name())
				254	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				255	if err := st.appManager.Install(app, appDir, namespace, map[string]any{}); err != nil {
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	256	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	257	}
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	258	return nil
				259	})
				260	priv := newLeafTask(fmt.Sprintf("Private p.%s", env.Domain), func() error {
				261	app, err := st.appsRepo.Find("certificate-issuer-private")
				262	if err != nil {
				263	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	264	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	265	appDir := fmt.Sprintf("/apps/%s", app.Name())
				266	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				267	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	268	"apiConfigMap": map[string]any{
				269	"name": "api-config", // TODO(gio): take from global pcloud config
				270	"namespace": fmt.Sprintf("%s-dns-zone-manager", env.PCloudEnvName),
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	271	},
				272	}); err != nil {
				273	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	274	}
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	275	return nil
				276	})
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	277	return newSequentialParentTask("Configure TLS certificate issuers", false, &pub, &priv)
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	278	}
				279
				280	func SetupAuth(env Env, st *state) Task {
				281	t := newLeafTask("Setup", func() error {
				282	app, err := st.appsRepo.Find("core-auth")
				283	if err != nil {
				284	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	285	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	286	appDir := fmt.Sprintf("/apps/%s", app.Name())
				287	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				288	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	289	"subdomain": "test", // TODO(giolekva): make core-auth chart actually use this
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	290	}); err != nil {
				291	return err
				292	}
				293	return nil
				294	})
				295	return newSequentialParentTask(
				296	"Authentication services",
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	297	false,
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	298	&t,
				299	waitForAddr(fmt.Sprintf("https://accounts-ui.%s", env.Domain)),
				300	)
				301	}
				302
Giorgi Lekveishvili	a09fad7	2024-03-21 15:24:35 +0400	[diff] [blame]	303	func SetupGroupMemberships(env Env, st *state) Task {
				304	t := newLeafTask("Setup", func() error {
				305	app, err := st.appsRepo.Find("memberships")
				306	if err != nil {
				307	return err
				308	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	309	appDir := fmt.Sprintf("/apps/%s", app.Name())
				310	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				311	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	d542b73	2024-03-25 18:17:39 +0400	[diff] [blame]	312	"authGroups": strings.Join(initGroups, ","),
				313	}); err != nil {
Giorgi Lekveishvili	a09fad7	2024-03-21 15:24:35 +0400	[diff] [blame]	314	return err
				315	}
				316	return nil
				317	})
				318	return newSequentialParentTask(
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	319	"Group membership",
				320	false,
Giorgi Lekveishvili	a09fad7	2024-03-21 15:24:35 +0400	[diff] [blame]	321	&t,
				322	waitForAddr(fmt.Sprintf("https://memberships.p.%s", env.Domain)),
				323	)
				324	}
				325
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	326	func SetupHeadscale(env Env, startIP net.IP, st *state) Task {
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	327	t := newLeafTask("Setup", func() error {
				328	app, err := st.appsRepo.Find("headscale")
				329	if err != nil {
				330	return err
				331	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	332	appDir := fmt.Sprintf("/apps/%s", app.Name())
				333	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				334	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	335	"subdomain": "headscale",
Giorgi Lekveishvili	9d5e3f5	2024-03-13 15:02:50 +0400	[diff] [blame]	336	"ipSubnet": fmt.Sprintf("%s/24", startIP),
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	337	}); err != nil {
				338	return err
				339	}
				340	return nil
				341	})
				342	return newSequentialParentTask(
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	343	"Setup mesh VPN",
				344	false,
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	345	&t,
				346	waitForAddr(fmt.Sprintf("https://headscale.%s/apple", env.Domain)),
				347	)
				348	}
				349
				350	func SetupWelcome(env Env, st *state) Task {
				351	t := newLeafTask("Setup", func() error {
				352	keys, err := installer.NewSSHKeyPair("welcome")
				353	if err != nil {
				354	return err
				355	}
				356	user := fmt.Sprintf("%s-welcome", env.Name)
				357	if err := st.ssClient.AddUser(user, keys.AuthorizedKey()); err != nil {
				358	return err
				359	}
				360	if err := st.ssClient.AddReadWriteCollaborator("config", user); err != nil {
				361	return err
				362	}
				363	app, err := st.appsRepo.Find("welcome")
				364	if err != nil {
				365	return err
				366	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	367	appDir := fmt.Sprintf("/apps/%s", app.Name())
				368	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				369	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	370	"repoAddr": st.ssClient.GetRepoAddress("config"),
				371	"sshPrivateKey": string(keys.RawPrivateKey()),
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	372	}); err != nil {
				373	return err
				374	}
				375	return nil
				376	})
				377	return newSequentialParentTask(
				378	"Welcome service",
Giorgi Lekveishvili	5c1b06e	2024-03-28 15:19:44 +0400	[diff] [blame]	379	false,
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	380	&t,
				381	waitForAddr(fmt.Sprintf("https://welcome.%s", env.Domain)),
				382	)
				383	}
				384
				385	func SetupAppStore(env Env, st *state) Task {
				386	t := newLeafTask("Application marketplace", func() error {
				387	user := fmt.Sprintf("%s-appmanager", env.Name)
				388	keys, err := installer.NewSSHKeyPair(user)
				389	if err != nil {
				390	return err
				391	}
				392	if err := st.ssClient.AddUser(user, keys.AuthorizedKey()); err != nil {
				393	return err
				394	}
				395	if err := st.ssClient.AddReadWriteCollaborator("config", user); err != nil {
				396	return err
				397	}
				398	app, err := st.appsRepo.Find("app-manager") // TODO(giolekva): configure
				399	if err != nil {
				400	return err
				401	}
gio	3af4394	2024-04-16 08:13:50 +0400	[diff] [blame^]	402	appDir := fmt.Sprintf("/apps/%s", app.Name())
				403	namespace := fmt.Sprintf("%s%s", env.NamespacePrefix, app.Namespace())
				404	if err := st.appManager.Install(app, appDir, namespace, map[string]any{
Giorgi Lekveishvili	e009a5d	2024-01-05 14:10:11 +0400	[diff] [blame]	405	"repoAddr": st.ssClient.GetRepoAddress("config"),
				406	"sshPrivateKey": string(keys.RawPrivateKey()),
Giorgi Lekveishvili	3c91e8b	2024-03-25 20:20:14 +0400	[diff] [blame]	407	"authGroups": strings.Join(initGroups, ","),
Giorgi Lekveishvili	378ea88	2023-12-12 13:59:18 +0400	[diff] [blame]	408	}); err != nil {
				409	return err
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	410	}
Giorgi Lekveishvili	77ee2dc	2023-12-11 16:51:10 +0400	[diff] [blame]	411	return nil
				412	})
				413	return &t
Giorgi Lekveishvili	46743d4	2023-12-10 15:47:23 +0400	[diff] [blame]	414	}
				415
				416	type DNSSecKey struct {
				417	Basename string `json:"basename,omitempty"`
				418	Key []byte `json:"key,omitempty"`
				419	Private []byte `json:"private,omitempty"`
				420	DS []byte `json:"ds,omitempty"`
				421	}
				422
				423	func newDNSSecKey(zone string) (DNSSecKey, error) {
				424	key := &dns.DNSKEY{
				425	Hdr: dns.RR_Header{Name: dns.Fqdn(zone), Class: dns.ClassINET, Ttl: 3600, Rrtype: dns.TypeDNSKEY},
				426	Algorithm: dns.ECDSAP256SHA256, Flags: 257, Protocol: 3,
				427	}
				428	priv, err := key.Generate(256)
				429	if err != nil {
				430	return DNSSecKey{}, err
				431	}
				432	return DNSSecKey{
				433	Basename: fmt.Sprintf("K%s+%03d+%05d", key.Header().Name, key.Algorithm, key.KeyTag()),
				434	Key: []byte(key.String()),
				435	Private: []byte(key.PrivateKeyString(priv)),
				436	DS: []byte(key.ToDS(dns.SHA256).String()),
				437	}, nil
				438	}