From e78b3631ce8289c7883078f8ef66b22a681254b8 Mon Sep 17 00:00:00 2001
From: xavier
Date: Thu, 30 Apr 2026 10:54:49 +0200
Subject: [PATCH 1/5] First iteration. Not tested yet.
---
 nixos-infra/scripts/create-lxc-nixos.sh | 116 ++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
diff --git a/nixos-infra/scripts/create-lxc-nixos.sh b/nixos-infra/scripts/create-lxc-nixos.sh
index e69de29..9aa7b33 100644
--- a/nixos-infra/scripts/create-lxc-nixos.sh
+++ b/nixos-infra/scripts/create-lxc-nixos.sh
@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- Dépendances ---
+# Vérifier que docopts est installé (pour Bash)
+if ! command -v docopts &> /dev/null; then
+ echo "❌ Erreur : 'docopts' est requis pour Bash." >&2
+ echo "Installez-le avec : wget https://raw.githubusercontent.com/docopt/docopts/master/docopts && chmod +x docopts && sudo mv docopts /usr/local/bin/" >&2
+ exit 1
+fi
+
+# --- Usage et documentation ---
+usage="Usage:
+ $0 [options]
+
+Options:
+ -h, --help Affiche ce message.
+ -t, --template TEMPLATE Template LXC (ex: local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz).
+ -r, --rootfs-size SIZE Taille du stockage racine (ex: 8G).
+ -c, --cores CORES Nombre de cœurs CPU.
+ -m, --memory MEMORY RAM en Mo.
+ -s, --swap SWAP Swap en Mo.
+ -p, --password PASSWORD Mot de passe root.
+ -b, --bridge BRIDGE Bridge réseau (ex: vmbr0).
+ -v, --vlan VLAN VLAN (ex: tag=10).
+ -d, --domain DOMAIN Domaine DNS.
+ -u, --unprivileged UNPRIV Conteneur non privilégié (0 ou 1).
+ -i, --ip IP IP statique (ex: 192.168.1.100/24).
+ --pve-host HOST Hôte Proxmox (ex: pve).
+ --pve-user USER Utilisateur Proxmox (ex: root).
+ --pve-port PORT Port SSH Proxmox (ex: 22).
+"
+
+# --- Paramètres par défaut (variables d'environnement) ---
+# Serveur Proxmox
+PVE_HOST="${PVE_HOST:-pve}"
+PVE_USER="${PVE_USER:-root}"
+PVE_PORT="${PVE_PORT:-22}"
+
+# Conteneur LXC
+TEMPLATE="${TEMPLATE:-local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz}"
+ROOTFS_SIZE="${ROOTFS_SIZE:-8G}"
+CORES="${CORES:-2}"
+MEMORY="${MEMORY:-2048}"
+SWAP="${SWAP:-1024}"
+PASSWORD="${PASSWORD:-changeme}"
+BRIDGE="${BRIDGE:-vmbr0}"
+VLAN="${VLAN:-}"
+DOMAIN="${DOMAIN:-lagraula.fr}"
+UNPRIVILEGED="${UNPRIVILEGED:-0}"
+IP="${IP:-}"
+
+# --- Parsing des arguments avec docopts (priorité la plus basse) ---
+args=$(docopts -h "$usage" : "$@")
+eval "$args"
+
+# Nom court de la machine (paramètre obligatoire)
+SHORT_NAME="${argv[0]:-}"
+if [ -z "$SHORT_NAME" ]; then
+ echo "❌ Erreur : Le nom court de la machine est obligatoire." >&2
+ echo "$usage" >&2
+ exit 1
+fi
+
+# --- Surcharge par /etc/nixos-infra/hosts/ (priorité moyenne) ---
+if [ -f "/etc/nixos-infra/hosts/$SHORT_NAME" ]; then
+ echo "📄 Application des paramètres depuis /etc/nixos-infra/hosts/$SHORT_NAME..."
+ set -a
+ source "/etc/nixos-infra/hosts/$SHORT_NAME"
+ set +a
+fi
+
+# --- Surcharge par ./ (priorité moyenne) ---
+if [ -f "./$SHORT_NAME" ]; then
+ echo "📄 Application des paramètres depuis ./$SHORT_NAME..."
+ set -a
+ source "./$SHORT_NAME"
+ set +a
+fi
+
+# --- Application des arguments de la ligne de commande (priorité la plus haute) ---
+# On réapplique les valeurs de docopts pour écraser les fichiers de configuration
+eval "$args"
+
+# --- Vérification des paramètres critiques ---
+if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \
+ [ -z "$MEMORY" ] || [ -z "$SWAP" ] || [ -z "$PASSWORD" ] || \
+ [ -z "$BRIDGE" ] || [ -z "$DOMAIN" ] || [ -z "$UNPRIVILEGED" ] || \
+ [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || [ -z "$PVE_PORT" ]; then
+ echo "❌ Erreur : Un ou plusieurs paramètres critiques sont manquants." >&2
+ exit 1
+fi
+
+# --- Connexion SSH au serveur Proxmox ---
+run_proxmox() {
+ ssh -p "$PVE_PORT" "$PVE_USER@$PVE_HOST" "$1"
+}
+
+# --- Construction des options réseau ---
+NET_OPTS="name=eth0,bridge=$BRIDGE"
+if [ -n "$VLAN" ]; then
+ NET_OPTS="$NET_OPTS,$VLAN"
+fi
+if [ -n "$IP" ]; then
+ NET_OPTS="$NET_OPTS,ip=$IP"
+fi
+
+# --- Création du conteneur ---
+echo "🚀 Création du conteneur LXC $SHORT_NAME sur $PVE_HOST..."
+LXC_ID=$(run_proxmox "pct create $ROOTFS_SIZE $TEMPLATE --cores $CORES --memory $MEMORY --swap $SWAP --hostname $SHORT_NAME.$DOMAIN --password $PASSWORD --unprivileged $UNPRIVILEGED --net0 $NET_OPTS --onboot 1" | grep -oP '\d+')
+if [ -z "$LXC_ID" ]; then
+ echo "❌ Erreur : Échec de la création du conteneur." >&2
+ exit 1
+fi
+
+echo "✅ Conteneur LXC $SHORT_NAME créé avec succès (ID: $LXC_ID)."
\ No newline at end of file
From 56a0326d9d2b1b1cf305ad9849cf8456709e737d Mon Sep 17 00:00:00 2001
From: xavier
Date: Thu, 30 Apr 2026 13:00:00 +0200
Subject: [PATCH 2/5] Add SSH key authentication to proxmox. Not tested yet.
---
 nixos-infra/scripts/create-lxc-nixos.sh | 41 +++++++++++++++++++++----
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/nixos-infra/scripts/create-lxc-nixos.sh b/nixos-infra/scripts/create-lxc-nixos.sh
index 9aa7b33..b0d9be6 100644
--- a/nixos-infra/scripts/create-lxc-nixos.sh
+++ b/nixos-infra/scripts/create-lxc-nixos.sh
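Review bot: The `LXC_ID=$(run_proxmox "pct create $ROOTFS_SIZE $TEMPLATE ...` line passes the root filesystem size where `pct create` expects its first positional argument, the VMID; the size belongs in `--rootfs <storage>:<size>`, and the script has to pick a free id before the call (for example by asking the host with `pvesh get /cluster/nextid`), so `LXC_ID` is an input to the command rather than something scraped from its output. Under `set -euo pipefail` the same line also never reaches its `if [ -z "$LXC_ID" ]` check: when `grep -oP '\d+'` matches nothing the pipeline fails and the script exits without the error message, which `LXC_ID=$(run_proxmox "..." | grep -oP '\d+') || true` would avoid; patch 4's `@@ -136,10 +144,27 @@` hunk re-creates the same construct. The container root password is interpolated into the remote command string, so it is visible in the Proxmox host's process list and shell history for the duration of the `pct` call and in any local `set -x` trace; prefer a mechanism that keeps it off argv, and at minimum state that exposure next to `-p, --password` in the usage text. `source "./$SHORT_NAME"` executes whatever file in the caller's current directory matches the host name as shell code, with `set -a` exporting everything it assigns; if the per-host override is meant to be configuration, restrict it to `/etc/nixos-infra/hosts/` or read only `KEY=value` lines. Every expansion inside the remote command string (`$TEMPLATE`, `$NET_OPTS`, `$PASSWORD`) is unquoted on the remote side and re-parsed by that shell, so build the argument list locally and quote each value with `printf '%q '` before handing it to `run_proxmox`.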
@@ -20,22 +20,26 @@ Options: -c, --cores CORES Nombre de cœurs CPU. -m, --memory MEMORY RAM en Mo. -s, --swap SWAP Swap en Mo. - -p, --password PASSWORD Mot de passe root. + -p, --password PASSWORD Mot de passe root du conteneur. -b, --bridge BRIDGE Bridge réseau (ex: vmbr0). -v, --vlan VLAN VLAN (ex: tag=10). -d, --domain DOMAIN Domaine DNS. -u, --unprivileged UNPRIV Conteneur non privilégié (0 ou 1). -i, --ip IP IP statique (ex: 192.168.1.100/24). --pve-host HOST Hôte Proxmox (ex: pve). - --pve-user USER Utilisateur Proxmox (ex: root). + --pve-user USER Utilisateur Proxmox (ex: admin). --pve-port PORT Port SSH Proxmox (ex: 22). + --pve-password PASSWORD Mot de passe pour l'authentification SSH sur Proxmox. + --pve-ssh-key KEY Fichier de clé SSH pour l'authentification (ex: ~/.ssh/id_admin). " # --- Paramètres par défaut (variables d'environnement) --- # Serveur Proxmox -PVE_HOST="${PVE_HOST:-pve}" -PVE_USER="${PVE_USER:-root}" +PVE_HOST="${PVE_HOST:-}" +PVE_USER="${PVE_USER:-admin}" PVE_PORT="${PVE_PORT:-22}" +PVE_PASSWORD="${PVE_PASSWORD:-}" +PVE_SSH_KEY="${PVE_SSH_KEY:-}" # Conteneur LXC TEMPLATE="${TEMPLATE:-local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz}" @@ -79,9 +83,15 @@ if [ -f "./$SHORT_NAME" ]; then fi # --- Application des arguments de la ligne de commande (priorité la plus haute) --- -# On réapplique les valeurs de docopts pour écraser les fichiers de configuration eval "$args" +# --- Gestion de la clé SSH par défaut --- +if [ "$PVE_SSH_KEY" = "default" ]; then + PVE_SSH_KEY="${HOME}/.ssh/id_${PVE_USER}" +elif [ -z "$PVE_SSH_KEY" ] && [ -z "$PVE_PASSWORD" ]; then + PVE_SSH_KEY="${HOME}/.ssh/id_${PVE_USER}" +fi + # --- Vérification des paramètres critiques --- if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \ [ -z "$MEMORY" ] || [ -z "$SWAP" ] || [ -z "$PASSWORD" ] || \ 
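Review bot: The second `eval "$args"` in the `@@ -79,9 +83,15 @@` hunk is meant to be the highest-priority override, but as far as I know docopts names the shell variables it emits after the option (`pve_host`, `pve_ssh_key`, `template`, …), so nothing it evaluates assigns the upper-case `PVE_HOST`, `PVE_SSH_KEY` or `TEMPLATE` that the rest of the script reads, and command-line values would be silently ignored — verify by running `docopts -h "$usage" : --pve-host x` and inspecting its output; patch 4's `DRY_RUN`/`CMODE` and patch 5's `SSH_PUBLIC_KEYS` inherit the same gap. The usage pattern is `$0 [options]` with no positional argument, yet `SHORT_NAME="${argv[0]:-}"` expects one; docopts would presumably reject a bare host name as an unexpected argument, and `argv` is not a variable I know docopts to set, so the pattern likely needs `$0 [options] <short_name>` together with `SHORT_NAME="${short_name:-}"`. The new default-key logic silently substitutes `${HOME}/.ssh/id_${PVE_USER}` when neither a key nor a password was given, and the comment removed in the same hunk was the only statement of the override order; a one-line replacement such as `# Precedence: CLI > ./<name> > /etc/nixos-infra/hosts/<name> > environment/defaults` would keep that documented.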
@@ -91,9 +101,28 @@ if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \ exit 1 fi +# Vérification de l'authentification +if [ -z "$PVE_PASSWORD" ]; then + if [ -z "$PVE_SSH_KEY" ]; then + echo "❌ Erreur : Aucun paramètre d'authentification (mot de passe ou clé SSH) n'est défini." >&2 + exit 1 + elif [ ! -f "$PVE_SSH_KEY" ]; then + echo "❌ Erreur : Le fichier de clé SSH '$PVE_SSH_KEY' n'existe pas." >&2 + exit 1 + fi +fi + # --- Connexion SSH au serveur Proxmox --- run_proxmox() { - ssh -p "$PVE_PORT" "$PVE_USER@$PVE_HOST" "$1" + local ssh_cmd="ssh -p $PVE_PORT" + # Priorité à la clé SSH si elle est fournie et existe + if [ -n "$PVE_SSH_KEY" ] && [ -f "$PVE_SSH_KEY" ]; then + ssh_cmd="$ssh_cmd -i $PVE_SSH_KEY" + else + # Utiliser le mot de passe si la clé SSH n'est pas disponible + ssh_cmd="$ssh_cmd -o PreferredAuthentications=password -o StrictHostKeyChecking=no" + fi + $ssh_cmd "$PVE_USER@$PVE_HOST" "$1" } # --- Construction des options réseau --- From f1ddf089e1ebaef23345c516bb0091a3dc55472c Mon Sep 17 00:00:00 2001 From: xavier Date: Thu, 30 Apr 2026 13:05:18 +0200 Subject: [PATCH 3/5] Translated to english for an international audience. --- nixos-infra/scripts/create-lxc-nixos.sh | 96 ++++++++++++------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/nixos-infra/scripts/create-lxc-nixos.sh b/nixos-infra/scripts/create-lxc-nixos.sh index b0d9be6..716652f 100644 --- a/nixos-infra/scripts/create-lxc-nixos.sh +++ b/nixos-infra/scripts/create-lxc-nixos.sh 
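Review bot: `run_proxmox` now adds `-o StrictHostKeyChecking=no` whenever it falls back to password authentication, which accepts any host key and lets anyone on the path to `$PVE_HOST` impersonate it and collect the password; drop that option and keep OpenSSH's default host-key verification, or pin the host with `-o UserKnownHostsFile=<known_hosts path>` seeded out of band. `$PVE_PASSWORD` is validated above but never reaches `ssh` — OpenSSH has no option for passing a password on the command line — so the password branch still prompts interactively, which should either be documented as intended or replaced by key-only authentication. `ssh_cmd` is assembled as a string and expanded unquoted in `$ssh_cmd "$PVE_USER@$PVE_HOST" "$1"`, so a key path containing spaces is word-split; an array built as `local -a ssh_cmd=(ssh -p "$PVE_PORT")`, extended with `ssh_cmd+=(-i "$PVE_SSH_KEY")` and invoked as `"${ssh_cmd[@]}"`, avoids that. The function is complete within this hunk; its caller is outside it.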
@@ -1,47 +1,47 @@ #!/usr/bin/env bash set -euo pipefail -# --- Dépendances --- -# Vérifier que docopts est installé (pour Bash) +# --- Dependencies --- +# Check if docopts is installed (for Bash) if ! command -v docopts &> /dev/null; then - echo "❌ Erreur : 'docopts' est requis pour Bash." >&2 - echo "Installez-le avec : wget https://raw.githubusercontent.com/docopt/docopts/master/docopts && chmod +x docopts && sudo mv docopts /usr/local/bin/" >&2 + echo "❌ Error: 'docopts' is required for Bash." >&2 + echo "Install it with: wget https://raw.githubusercontent.com/docopt/docopts/master/docopts && chmod +x docopts && sudo mv docopts /usr/local/bin/" >&2 exit 1 fi -# --- Usage et documentation --- +# --- Usage and Documentation --- usage="Usage: - $0 [options] + $0 [options] Options: - -h, --help Affiche ce message. - -t, --template TEMPLATE Template LXC (ex: local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz). - -r, --rootfs-size SIZE Taille du stockage racine (ex: 8G). - -c, --cores CORES Nombre de cœurs CPU. - -m, --memory MEMORY RAM en Mo. - -s, --swap SWAP Swap en Mo. - -p, --password PASSWORD Mot de passe root du conteneur. - -b, --bridge BRIDGE Bridge réseau (ex: vmbr0). - -v, --vlan VLAN VLAN (ex: tag=10). - -d, --domain DOMAIN Domaine DNS. - -u, --unprivileged UNPRIV Conteneur non privilégié (0 ou 1). - -i, --ip IP IP statique (ex: 192.168.1.100/24). - --pve-host HOST Hôte Proxmox (ex: pve). - --pve-user USER Utilisateur Proxmox (ex: admin). - --pve-port PORT Port SSH Proxmox (ex: 22). - --pve-password PASSWORD Mot de passe pour l'authentification SSH sur Proxmox. - --pve-ssh-key KEY Fichier de clé SSH pour l'authentification (ex: ~/.ssh/id_admin). + -h, --help Show this message. + -t, --template TEMPLATE LXC template (e.g., local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz). + -r, --rootfs-size SIZE Root filesystem size (e.g., 8G). + -c, --cores CORES Number of CPU cores. + -m, --memory MEMORY RAM in MiB. 
+ -s, --swap SWAP Swap in MiB. + -p, --password PASSWORD Root password for the container. + -b, --bridge BRIDGE Network bridge (e.g., vmbr0). + -v, --vlan VLAN VLAN tag (e.g., tag=10). + -d, --domain DOMAIN DNS domain. + -u, --unprivileged UNPRIV Unprivileged container (0 or 1). + -i, --ip IP Static IP (e.g., 192.168.1.100/24). + --pve-host HOST Proxmox host (e.g., pve). + --pve-user USER Proxmox user (default: admin). + --pve-port PORT SSH port for Proxmox (default: 22). + --pve-password PASSWORD Password for SSH authentication on Proxmox. + --pve-ssh-key KEY SSH key file for authentication (e.g., ~/.ssh/id_admin). " -# --- Paramètres par défaut (variables d'environnement) --- -# Serveur Proxmox +# --- Default Parameters (Environment Variables) --- +# Proxmox Server PVE_HOST="${PVE_HOST:-}" PVE_USER="${PVE_USER:-admin}" PVE_PORT="${PVE_PORT:-22}" PVE_PASSWORD="${PVE_PASSWORD:-}" PVE_SSH_KEY="${PVE_SSH_KEY:-}" -# Conteneur LXC +# LXC Container TEMPLATE="${TEMPLATE:-local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz}" ROOTFS_SIZE="${ROOTFS_SIZE:-8G}" CORES="${CORES:-2}" 
@@ -54,78 +54,78 @@ DOMAIN="${DOMAIN:-lagraula.fr}" UNPRIVILEGED="${UNPRIVILEGED:-0}" IP="${IP:-}" -# --- Parsing des arguments avec docopts (priorité la plus basse) --- +# --- Parse Arguments with docopts (Lowest Priority) --- args=$(docopts -h "$usage" : "$@") eval "$args" -# Nom court de la machine (paramètre obligatoire) +# Short name of the machine (mandatory parameter) SHORT_NAME="${argv[0]:-}" if [ -z "$SHORT_NAME" ]; then - echo "❌ Erreur : Le nom court de la machine est obligatoire." >&2 + echo "❌ Error: The short name of the machine is required." >&2 echo "$usage" >&2 exit 1 fi -# --- Surcharge par /etc/nixos-infra/hosts/ (priorité moyenne) --- +# --- Override with /etc/nixos-infra/hosts/ (Medium Priority) --- if [ -f "/etc/nixos-infra/hosts/$SHORT_NAME" ]; then - echo "📄 Application des paramètres depuis /etc/nixos-infra/hosts/$SHORT_NAME..." + echo "📄 Applying parameters from /etc/nixos-infra/hosts/$SHORT_NAME..." set -a source "/etc/nixos-infra/hosts/$SHORT_NAME" set +a fi -# --- Surcharge par ./ (priorité moyenne) --- +# --- Override with ./ (Medium Priority) --- if [ -f "./$SHORT_NAME" ]; then - echo "📄 Application des paramètres depuis ./$SHORT_NAME..." + echo "📄 Applying parameters from ./$SHORT_NAME..." 
set -a source "./$SHORT_NAME" set +a fi -# --- Application des arguments de la ligne de commande (priorité la plus haute) --- +# --- Apply Command-Line Arguments (Highest Priority) --- eval "$args" -# --- Gestion de la clé SSH par défaut --- +# --- SSH Key Default Logic --- if [ "$PVE_SSH_KEY" = "default" ]; then PVE_SSH_KEY="${HOME}/.ssh/id_${PVE_USER}" elif [ -z "$PVE_SSH_KEY" ] && [ -z "$PVE_PASSWORD" ]; then PVE_SSH_KEY="${HOME}/.ssh/id_${PVE_USER}" fi -# --- Vérification des paramètres critiques --- +# --- Critical Parameters Validation --- if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \ [ -z "$MEMORY" ] || [ -z "$SWAP" ] || [ -z "$PASSWORD" ] || \ [ -z "$BRIDGE" ] || [ -z "$DOMAIN" ] || [ -z "$UNPRIVILEGED" ] || \ [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || [ -z "$PVE_PORT" ]; then - echo "❌ Erreur : Un ou plusieurs paramètres critiques sont manquants." >&2 + echo "❌ Error: One or more critical parameters are missing." >&2 exit 1 fi -# Vérification de l'authentification +# Authentication Validation if [ -z "$PVE_PASSWORD" ]; then if [ -z "$PVE_SSH_KEY" ]; then - echo "❌ Erreur : Aucun paramètre d'authentification (mot de passe ou clé SSH) n'est défini." >&2 + echo "❌ Error: No authentication parameter (password or SSH key) is defined." >&2 exit 1 elif [ ! -f "$PVE_SSH_KEY" ]; then - echo "❌ Erreur : Le fichier de clé SSH '$PVE_SSH_KEY' n'existe pas." >&2 + echo "❌ Error: SSH key file '$PVE_SSH_KEY' does not exist." 
>&2 exit 1 fi fi -# --- Connexion SSH au serveur Proxmox --- +# --- SSH Connection to Proxmox Server --- run_proxmox() { local ssh_cmd="ssh -p $PVE_PORT" - # Priorité à la clé SSH si elle est fournie et existe + # Priority to SSH key if it is provided and exists if [ -n "$PVE_SSH_KEY" ] && [ -f "$PVE_SSH_KEY" ]; then ssh_cmd="$ssh_cmd -i $PVE_SSH_KEY" else - # Utiliser le mot de passe si la clé SSH n'est pas disponible + # Use password if SSH key is not available ssh_cmd="$ssh_cmd -o PreferredAuthentications=password -o StrictHostKeyChecking=no" fi $ssh_cmd "$PVE_USER@$PVE_HOST" "$1" } -# --- Construction des options réseau --- +# --- Network Options Construction --- NET_OPTS="name=eth0,bridge=$BRIDGE" if [ -n "$VLAN" ]; then NET_OPTS="$NET_OPTS,$VLAN" @@ -134,12 +134,12 @@ if [ -n "$IP" ]; then NET_OPTS="$NET_OPTS,ip=$IP" fi -# --- Création du conteneur --- -echo "🚀 Création du conteneur LXC $SHORT_NAME sur $PVE_HOST..." +# --- Container Creation --- +echo "🚀 Creating LXC container $SHORT_NAME on $PVE_HOST..." LXC_ID=$(run_proxmox "pct create $ROOTFS_SIZE $TEMPLATE --cores $CORES --memory $MEMORY --swap $SWAP --hostname $SHORT_NAME.$DOMAIN --password $PASSWORD --unprivileged $UNPRIVILEGED --net0 $NET_OPTS --onboot 1" | grep -oP '\d+') if [ -z "$LXC_ID" ]; then - echo "❌ Erreur : Échec de la création du conteneur." >&2 + echo "❌ Error: Failed to create the container." >&2 exit 1 fi -echo "✅ Conteneur LXC $SHORT_NAME créé avec succès (ID: $LXC_ID)." \ No newline at end of file +echo "✅ LXC container $SHORT_NAME created successfully (ID: $LXC_ID)." \ No newline at end of file From fa4808f34d36295a9774100c3264053eaafd55f1 Mon Sep 17 00:00:00 2001 From: xavier Date: Thu, 30 Apr 2026 14:00:48 +0200 Subject: [PATCH 4/5] Added the console mode (default to "console") and dry run options. --- nixos-infra/scripts/create-lxc-nixos.sh | 67 +++++++++++++++++-------- 1 file changed, 46 insertions(+), 21 deletions(-) 
diff --git a/nixos-infra/scripts/create-lxc-nixos.sh b/nixos-infra/scripts/create-lxc-nixos.sh
index 716652f..813696b 100644
--- a/nixos-infra/scripts/create-lxc-nixos.sh
+++ b/nixos-infra/scripts/create-lxc-nixos.sh
@@ -5,32 +5,37 @@ set -euo pipefail # Check if docopts is installed (for Bash) if ! command -v docopts &> /dev/null; then echo "❌ Error: 'docopts' is required for Bash." >&2 - echo "Install it with: wget https://raw.githubusercontent.com/docopt/docopts/master/docopts && chmod +x docopts && sudo mv docopts /usr/local/bin/" >&2 + echo "See https://github.com/docopt/docopts to install it." >&2 exit 1 fi # --- Usage and Documentation --- -usage="Usage: +usage="Create and configure an LXC container on a remote Proxmox VE 9 server. + +Usage: $0 [options] Options: -h, --help Show this message. - -t, --template TEMPLATE LXC template (e.g., local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz). - -r, --rootfs-size SIZE Root filesystem size (e.g., 8G). + -t, --template TEMPLATE LXC template (e.g. local:vztmpl/nixos-unstable). + -r, --rootfs-size SIZE Root filesystem size (e.g. 8G). -c, --cores CORES Number of CPU cores. -m, --memory MEMORY RAM in MiB. -s, --swap SWAP Swap in MiB. -p, --password PASSWORD Root password for the container. - -b, --bridge BRIDGE Network bridge (e.g., vmbr0). - -v, --vlan VLAN VLAN tag (e.g., tag=10). + -b, --bridge BRIDGE Network bridge (e.g. vmbr0). + -v, --vlan VLAN VLAN tag (e.g. tag=10). -d, --domain DOMAIN DNS domain. -u, --unprivileged UNPRIV Unprivileged container (0 or 1). - -i, --ip IP Static IP (e.g., 192.168.1.100/24). - --pve-host HOST Proxmox host (e.g., pve). + -i, --ip IP Static IP (e.g. 192.168.1.100/24). + -C, --cmode CMODE Console mode (console or tty). Default: console. + -T, --tags TAGS Tags for the container (optional). + --pve-host HOST Proxmox host (e.g. pve). --pve-user USER Proxmox user (default: admin). --pve-port PORT SSH port for Proxmox (default: 22). --pve-password PASSWORD Password for SSH authentication on Proxmox. - --pve-ssh-key KEY SSH key file for authentication (e.g., ~/.ssh/id_admin). + --pve-ssh-key KEY SSH key file for authentication. 
+ --dry-run Simulate container creation without execution. " # --- Default Parameters (Environment Variables) --- @@ -40,9 +45,10 @@ PVE_USER="${PVE_USER:-admin}" PVE_PORT="${PVE_PORT:-22}" PVE_PASSWORD="${PVE_PASSWORD:-}" PVE_SSH_KEY="${PVE_SSH_KEY:-}" +DRY_RUN="${DRY_RUN:-false}" # LXC Container -TEMPLATE="${TEMPLATE:-local:vztmpl/nixos-unstable-amd64-default_20260428_0830-rootfs.tar.gz}" +TEMPLATE="${TEMPLATE:-local:vztmpl/nixos-unstable-amd64-default_20260428}" ROOTFS_SIZE="${ROOTFS_SIZE:-8G}" CORES="${CORES:-2}" MEMORY="${MEMORY:-2048}" @@ -53,6 +59,8 @@ VLAN="${VLAN:-}" DOMAIN="${DOMAIN:-lagraula.fr}" UNPRIVILEGED="${UNPRIVILEGED:-0}" IP="${IP:-}" +CMODE="${CMODE:-console}" +TAGS="${TAGS:-}" # --- Parse Arguments with docopts (Lowest Priority) --- args=$(docopts -h "$usage" : "$@") @@ -66,7 +74,7 @@ if [ -z "$SHORT_NAME" ]; then exit 1 fi -# --- Override with /etc/nixos-infra/hosts/ (Medium Priority) --- +# --- Override with /etc/nixos-infra/hosts/ (Medium Priority) if [ -f "/etc/nixos-infra/hosts/$SHORT_NAME" ]; then echo "📄 Applying parameters from /etc/nixos-infra/hosts/$SHORT_NAME..." set -a @@ -96,7 +104,8 @@ fi if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \ [ -z "$MEMORY" ] || [ -z "$SWAP" ] || [ -z "$PASSWORD" ] || \ [ -z "$BRIDGE" ] || [ -z "$DOMAIN" ] || [ -z "$UNPRIVILEGED" ] || \ - [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || [ -z "$PVE_PORT" ]; then + [ -z "$CMODE" ] || [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || \ + [ -z "$PVE_PORT" ]; then echo "❌ Error: One or more critical parameters are missing." >&2 exit 1 fi @@ -104,7 +113,7 @@ fi # Authentication Validation if [ -z "$PVE_PASSWORD" ]; then if [ -z "$PVE_SSH_KEY" ]; then - echo "❌ Error: No authentication parameter (password or SSH key) is defined." >&2 + echo "❌ Error: No authentication parameter is defined." >&2 exit 1 elif [ ! -f "$PVE_SSH_KEY" ]; then echo "❌ Error: SSH key file '$PVE_SSH_KEY' does not exist." >&2 
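Review bot: `CMODE` joins the critical-parameter check in the `@@ -96,7 +104,8 @@` hunk only as a non-empty test, while the usage text promises `console or tty`; because the value is spliced unquoted into the remote `pct create` line, a `case "$CMODE" in console|tty) ;; *) echo "❌ Error: invalid --cmode '$CMODE'." >&2; exit 1 ;; esac` next to that check would reject typos before they reach the Proxmox host. `DRY_RUN="${DRY_RUN:-false}"` in `@@ -40,9 +45,10 @@` is later compared only to the literal string `true`, so an operator exporting `DRY_RUN=1` still gets a real deployment; either accept `1|yes|true` there or state in the `--dry-run` help line that only the value `true` disables execution. The default `TEMPLATE` was shortened to `local:vztmpl/nixos-unstable-amd64-default_20260428`; if that is no longer the exact volume id on the host, every run that omits `-t` will fail, and a short comment on why the default changed would help the next reader.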
@@ -115,12 +124,11 @@ fi # --- SSH Connection to Proxmox Server --- run_proxmox() { local ssh_cmd="ssh -p $PVE_PORT" - # Priority to SSH key if it is provided and exists if [ -n "$PVE_SSH_KEY" ] && [ -f "$PVE_SSH_KEY" ]; then ssh_cmd="$ssh_cmd -i $PVE_SSH_KEY" else - # Use password if SSH key is not available - ssh_cmd="$ssh_cmd -o PreferredAuthentications=password -o StrictHostKeyChecking=no" + ssh_cmd="$ssh_cmd -o PreferredAuthentications=password \ + -o StrictHostKeyChecking=no" fi $ssh_cmd "$PVE_USER@$PVE_HOST" "$1" } @@ -136,10 +144,27 @@ fi # --- Container Creation --- echo "🚀 Creating LXC container $SHORT_NAME on $PVE_HOST..." -LXC_ID=$(run_proxmox "pct create $ROOTFS_SIZE $TEMPLATE --cores $CORES --memory $MEMORY --swap $SWAP --hostname $SHORT_NAME.$DOMAIN --password $PASSWORD --unprivileged $UNPRIVILEGED --net0 $NET_OPTS --onboot 1" | grep -oP '\d+') -if [ -z "$LXC_ID" ]; then - echo "❌ Error: Failed to create the container." >&2 - exit 1 +CREATE_CMD="pct create $ROOTFS_SIZE $TEMPLATE --cores $CORES \ +--memory $MEMORY --swap $SWAP --hostname $SHORT_NAME.$DOMAIN \ +--password $PASSWORD --unprivileged $UNPRIVILEGED --net0 $NET_OPTS \ +--onboot 1 --cmode $CMODE" +if [ -n "$TAGS" ]; then + CREATE_CMD="$CREATE_CMD --tags $TAGS" fi -echo "✅ LXC container $SHORT_NAME created successfully (ID: $LXC_ID)." \ No newline at end of file +# Display the command (with password masked) +DISPLAY_CMD=$(echo "$CREATE_CMD" | + sed "s/--password [^ ]*/--password \*\*\*\*\*/g") +echo "🔧 Command to execute on $PVE_HOST: $DISPLAY_CMD" + +# Execute or simulate +if [ "$DRY_RUN" = "true" ]; then + echo "🧪 Dry run: Skipping actual execution." +else + LXC_ID=$(run_proxmox "$CREATE_CMD" | grep -oP '\d+') + if [ -z "$LXC_ID" ]; then + echo "❌ Error: Failed to create the container." >&2 + exit 1 + fi + echo "✅ LXC container $SHORT_NAME created successfully (ID: $LXC_ID)." +fi \ No newline at end of file From 0ad90d81d616b3be33b184cf4e90201f1509d589 Mon Sep 17 00:00:00 2001 
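Review bot: `DISPLAY_CMD` masks `--password` only in the echoed string; `CREATE_CMD` itself still carries the clear-text password to the Proxmox host's argv, and the `sed` leaves every other value visible, so the masking should not be read as making the command safe to log. The `LXC_ID=$(run_proxmox "$CREATE_CMD" | grep -oP '\d+')` line keeps the two problems raised on patch 1: under `set -eo pipefail` an empty grep exits the script before the error message, and `\d+` returns the first digit run in whatever `pct` prints, which is not guaranteed to be the VMID. Since `pct create` takes the VMID as its first positional argument, the id has to be fixed before the call and `ROOTFS_SIZE` moved into `--rootfs`; the sketch below asks the host for a free id, builds the arguments as an array quoted with `printf '%q'`, and checks the exit status of `pct create` instead of parsing its output. The storage id in `--rootfs` is a constructed placeholder that depends on the host's storage layout, and the `storage:size` shorthand takes a plain GiB number, so the `8G` default would need adjusting as well.
```shell
# --- Container Creation ---
echo "🚀 Creating LXC container $SHORT_NAME on $PVE_HOST..."
# pct create needs the VMID up front; ask the host for the next free one.
LXC_ID=$(run_proxmox "pvesh get /cluster/nextid") || LXC_ID=""
if [ -z "$LXC_ID" ]; then
  echo "❌ Error: could not obtain a free VMID from $PVE_HOST." >&2
  exit 1
fi
# Build the argument list locally; STORAGE_ID is a placeholder for the
# Proxmox storage that holds container root disks.
create_args=(pct create "$LXC_ID" "$TEMPLATE"
  --rootfs "STORAGE_ID:$ROOTFS_SIZE" --cores "$CORES"
  --memory "$MEMORY" --swap "$SWAP" --hostname "$SHORT_NAME.$DOMAIN"
  --password "$PASSWORD" --unprivileged "$UNPRIVILEGED" --net0 "$NET_OPTS"
  --onboot 1 --cmode "$CMODE")
if [ -n "$TAGS" ]; then
  create_args+=(--tags "$TAGS")
fi
# Quote every value so the remote shell sees exactly one word per argument.
CREATE_CMD=$(printf '%q ' "${create_args[@]}")
# … unchanged: DISPLAY_CMD masking and its echo …
if [ "$DRY_RUN" = "true" ]; then
  echo "🧪 Dry run: Skipping actual execution."
elif run_proxmox "$CREATE_CMD"; then
  echo "✅ LXC container $SHORT_NAME created successfully (ID: $LXC_ID)."
else
  echo "❌ Error: Failed to create the container." >&2
  exit 1
fi
```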
From: xavier Date: Thu, 30 Apr 2026 17:03:38 +0200 Subject: [PATCH 5/5] Adding --ssh-public-keys parameter to secure initial deployment. --- nixos-infra/scripts/create-lxc-nixos.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/nixos-infra/scripts/create-lxc-nixos.sh b/nixos-infra/scripts/create-lxc-nixos.sh index 813696b..2dcd517 100644 --- a/nixos-infra/scripts/create-lxc-nixos.sh +++ b/nixos-infra/scripts/create-lxc-nixos.sh @@ -30,6 +30,7 @@ Options: -i, --ip IP Static IP (e.g. 192.168.1.100/24). -C, --cmode CMODE Console mode (console or tty). Default: console. -T, --tags TAGS Tags for the container (optional). + -k, --ssh-public-keys KEYS SSH public keys for the container. --pve-host HOST Proxmox host (e.g. pve). --pve-user USER Proxmox user (default: admin). --pve-port PORT SSH port for Proxmox (default: 22). @@ -61,6 +62,7 @@ UNPRIVILEGED="${UNPRIVILEGED:-0}" IP="${IP:-}" CMODE="${CMODE:-console}" TAGS="${TAGS:-}" +SSH_PUBLIC_KEYS="${SSH_PUBLIC_KEYS:-}" # --- Parse Arguments with docopts (Lowest Priority) --- args=$(docopts -h "$usage" : "$@") @@ -104,8 +106,8 @@ fi if [ -z "$TEMPLATE" ] || [ -z "$ROOTFS_SIZE" ] || [ -z "$CORES" ] || \ [ -z "$MEMORY" ] || [ -z "$SWAP" ] || [ -z "$PASSWORD" ] || \ [ -z "$BRIDGE" ] || [ -z "$DOMAIN" ] || [ -z "$UNPRIVILEGED" ] || \ - [ -z "$CMODE" ] || [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || \ - [ -z "$PVE_PORT" ]; then + [ -z "$CMODE" ] || [ -z "$SSH_PUBLIC_KEYS" ] || \ + [ -z "$PVE_HOST" ] || [ -z "$PVE_USER" ] || [ -z "$PVE_PORT" ]; then echo "❌ Error: One or more critical parameters are missing." >&2 exit 1 fi 
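Review bot: The new `-k, --ssh-public-keys KEYS` help line does not say what KEYS is; `pct create --ssh-public-keys` takes a path to a file on the Proxmox host (one OpenSSH public key per line), so a local path or the key text itself will not work, and the help text should say so, e.g. `-k, --ssh-public-keys FILE  Public-key file, as a path on the Proxmox host (one key per line).` Making `SSH_PUBLIC_KEYS` mandatory in the `@@ -104,8 +106,8 @@` hunk is a sound choice for a secured first boot, but the check only tests non-emptiness; because the file lives on the remote host, an existence check would have to go through `run_proxmox "test -f ..."` or the limitation should be stated in a comment. The variable-naming gap raised on patch 2 applies here too: unless docopts is made to emit `SSH_PUBLIC_KEYS`, the value will only ever come from the environment or the host override files.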
@@ -147,7 +149,7 @@ echo "🚀 Creating LXC container $SHORT_NAME on $PVE_HOST..." CREATE_CMD="pct create $ROOTFS_SIZE $TEMPLATE --cores $CORES \ --memory $MEMORY --swap $SWAP --hostname $SHORT_NAME.$DOMAIN \ --password $PASSWORD --unprivileged $UNPRIVILEGED --net0 $NET_OPTS \ ---onboot 1 --cmode $CMODE" +--onboot 1 --cmode $CMODE --ssh-public-keys $SSH_PUBLIC_KEYS" if [ -n "$TAGS" ]; then CREATE_CMD="$CREATE_CMD --tags $TAGS" fi
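Review bot: `--ssh-public-keys $SSH_PUBLIC_KEYS` is appended unquoted inside `CREATE_CMD`, which the remote shell re-parses, so a path containing spaces breaks the command and key text would be split into stray arguments. The backslash-newline continuations inside the double-quoted `CREATE_CMD` are removed by bash, so the string is one line and the risk is only in the expansions. The minimal change on this line is `--onboot 1 --cmode $CMODE --ssh-public-keys $(printf '%q' "$SSH_PUBLIC_KEYS")"`; building the whole argument list as an array quoted with `printf '%q '`, as suggested on patch 4, covers the other expansions as well.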