ptr.pet / nixos-cloud-resources
nixos modules for convenient deployment of cloud resources
fork atom

refactor(hetzner): improve command; make error logging better

ptr.pet 698c6ba2 4ef813c9

verified
options
unified split
Changed files
+37 -32
.gitignore
firewall
provider
hetzner
app.nix
app.nu
+2
.gitignore 
···

       

       
1

       
+

       
result


     

       

       
2

       
+

       
.hetzner
+2 -5
firewall/provider/hetzner/app.nix 
···

       
1

       
1

       
 

       
{pkgs, lib ? pkgs.lib, taggedPorts, id}: let


     

       
2

       
2

       
 

       
  l = lib // (import ./rules.nix {inherit lib;});


     

       
3

       

       
-

       



     

       
4

       
3

       
 

       
  firewallRules =


     

       
5

       
4

       
 

       
    builtins.toFile


     

       
6

       
5

       
 

       
    "hetzner-firewall-${toString id}-rules.json"


     

       
7

       
6

       
 

       
    (builtins.toJSON (l.mkFirewallRuleset taggedPorts));


     

       
8

       

       
-

       
in pkgs.writers.writeNu "apply-hetzner" ''


     

       
9

       

       
-

       
  let firewallId = ${toString id}


     

       
10

       

       
-

       
  let rulesFile = "${firewallRules}"


     

       
11

       

       
-

       
  ${l.fileContents ./app.nu}


     

       

       
7

       
+

       
in pkgs.writers.writeNu "apply-hetzner-firewall-${toString id}" ''


     

       

       
8

       
+

       
  nu ${./app.nu} ${toString id} ${firewallRules}


     

       
12

       
9

       
 

       
''
+33 -27
firewall/provider/hetzner/app.nu 
···

       
1

       
1

       
 

       
use std/log


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
let authHeader = ["authorization" $"Bearer ($env.HETZNER_API_TOKEN)"]


     

       

       
3

       
+

       
def main [firewallId: number, rulesFile: path, --auth-token (-t): string] {


     

       

       
4

       
+

       
    let auth_token: string = if $auth_token == null { $env.HETZNER_API_TOKEN? } else { $auth_token }


     

       

       
5

       
+

       
    let authHeader: list<string> = ["authorization" $"Bearer ($auth_token)"]


     

       
4

       
6

       
 

       



     

       
5

       

       
-

       
def makeApiUrl [path: string] {


     

       
6

       

       
-

       
  return $"https://api.hetzner.cloud/v1($path)"


     

       
7

       

       
-

       
}


     

       
8

       

       
-

       
def post [path: string] {


     

       
9

       

       
-

       
  $in | http post -e --full -H $authHeader --content-type application/json (makeApiUrl $path)


     

       
10

       

       
-

       
}


     

       
11

       

       
-

       
def get [path: string] {


     

       
12

       

       
-

       
  http get -e --full -H $authHeader (makeApiUrl $path)


     

       
13

       

       
-

       
}


     

       

       
7

       
+

       
    def makeApiUrl [path: string] {


     

       

       
8

       
+

       
        return $"https://api.hetzner.cloud/v1($path)"


     

       

       
9

       
+

       
    }


     

       

       
10

       
+

       
    def post [path: string] {


     

       

       
11

       
+

       
        $in | http post -e --full -H $authHeader --content-type application/json (makeApiUrl $path)


     

       

       
12

       
+

       
    }


     

       

       
13

       
+

       
    def get [path: string] {


     

       

       
14

       
+

       
        http get -e --full -H $authHeader (makeApiUrl $path)


     

       

       
15

       
+

       
    }


     

       
14

       
16

       
 

       



     

       
15

       

       
-

       
# first fetch firewall to see if it even exists


     

       
16

       

       
-

       
let resp = get $"/firewalls/($firewallId)"


     

       
17

       

       
-

       
if $resp.status == 404 {


     

       
18

       

       
-

       
  log error $"provided firewall \(id ($firewallId)\) does not exist"


     

       
19

       

       
-

       
  exit 1


     

       
20

       

       
-

       
}


     

       
21

       

       
-

       
let firewall = $resp.body | get firewall


     

       

       
17

       
+

       
    # first fetch firewall to see if it even exists


     

       

       
18

       
+

       
    let resp = get $"/firewalls/($firewallId)"


     

       

       
19

       
+

       
    if $resp.status == 404 {


     

       

       
20

       
+

       
        log error $"provided firewall \(id ($firewallId)\) does not exist"


     

       

       
21

       
+

       
        exit 1


     

       

       
22

       
+

       
    } else if $resp.status != 200 {


     

       

       
23

       
+

       
        log error $"could not get firewall \(id ($firewallId)\):\n($resp.body.error | to text -n)"


     

       

       
24

       
+

       
        exit 1


     

       

       
25

       
+

       
    }


     

       

       
26

       
+

       
    let firewall = $resp.body | get firewall


     

       
22

       
27

       
 

       



     

       
23

       

       
-

       
# backup firewall


     

       
24

       

       
-

       
let backupPath = $".hetzner/($firewallId).json"


     

       
25

       

       
-

       
mkdir .hetzner; $firewall | to json | save -f $backupPath


     

       
26

       

       
-

       
log info $"backing up firewall ($firewallId) to ($backupPath)"


     

       

       
28

       
+

       
    # backup firewall


     

       

       
29

       
+

       
    let backupPath = $".hetzner/($firewallId).json"


     

       

       
30

       
+

       
    mkdir .hetzner; $firewall | to json | save -f $backupPath


     

       

       
31

       
+

       
    log info $"backing up firewall ($firewallId) to ($backupPath)"


     

       
27

       
32

       
 

       



     

       
28

       

       
-

       
# apply rules


     

       
29

       

       
-

       
let resp = open $rulesFile | post $"/firewalls/($firewallId)/actions/set_rules"


     

       
30

       

       
-

       
if $resp.status != 201 {


     

       
31

       

       
-

       
  log error $"could not apply firewall \(id ($firewallId)\):\n($resp.body | to text)"


     

       
32

       

       
-

       
  exit 2


     

       

       
33

       
+

       
    # apply rules


     

       

       
34

       
+

       
    let resp = open $rulesFile | post $"/firewalls/($firewallId)/actions/set_rules"


     

       

       
35

       
+

       
    if $resp.status != 201 {


     

       

       
36

       
+

       
        log error $"could not apply firewall \(id ($firewallId)\):\n($resp.body.error | to text -n)"


     

       

       
37

       
+

       
        exit 2


     

       

       
38

       
+

       
    }


     

       

       
39

       
+

       
    log info $"applied firewall ($firewallId)"


     

       
33

       
40

       
 

       
}


     

       
34

       

       
-

       
log info $"applied firewall ($firewallId)"