├── .github
│   └── workflows
│       └── flakehub-ci.yml
├── LICENSE
├── README.md
├── apply.sh
├── auto-login.sh
├── configuration.nix
├── flake.lock
├── flake.nix
├── install-nix-fetcher.sh
├── setup-password.sh
├── setup-ssh.sh
├── setup-vault.sh
└── setup-without-nix.sh

/.github/workflows/flakehub-ci.yml:
--------------------------------------------------------------------------------
name: FlakeHub CI

on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
    tags:
      # GitHub filter-pattern syntax (glob-like, not a regex): optional "v", then three
      # dot-separated digit groups, then anything.
      - v?[0-9]+.[0-9]+.[0-9]+*

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  DeterminateCI:
    # The reusable workflow is referenced by branch, so every run executes whatever
    # `main` holds at that moment. Pinning to a full commit SHA makes the executed
    # code fixed and reviewable.
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    # `id-token: write` lets the job request a GitHub OIDC token for the called
    # workflow to authenticate with; repository contents stay read-only.
    permissions:
      id-token: write
      contents: read
    with:
      visibility: public

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5.
"Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. 
"You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 
115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. 
You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. 
Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. 
Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ephemeral macOS Deployment

Internally, we use this tooling to support the testing of our software on macOS, and the Nix installer itself.

This repository makes many assumptions about your workflow and how you want to use this code.
These assumptions are a byproduct of the repository only being used internally, and are likely not difficult to remove.
If you use this code and documentation for yourself, consider sending contributions upstream that make it easier for people to use.

### Included configuration.nix

Set up macOS machines to automatically erase and provision themselves on a Tailscale network with Buildkite.
An erase/reinstall cycle can complete in less than 10 minutes, making it suitable for regular automation.

This README and tooling are public documentation for Determinate Systems, Inc.'s internal use.
The goal of making it public is to share the information, and foster the use of ephemeral macOS machines running Nix.


## Requirements

* We assume you are using recent Macs with either a T2 chip or Apple Silicon.
* You're using Mosyle MDM.
  Other MDMs might work, but we're focused on Mosyle.
  Feel free to send pull requests supporting other MDMs.
* Your Macs are already part of your Apple Business Manager account.
  Once you have an Apple Business Manager account, they can provide documentation on adding existing Macs.

### Hardware Requirements

* [A USB-A Logitech Unifying Receiver](https://www.amazon.com/dp/B072JW9LT8) to act as a mouse and keyboard.
  The Logitech receiver doesn't need to be configured or paired.
  Note that macOS is very particular about the mouse and keyboard hardware directly after erasing.
  The TinyPilot KVM was not recognized as a mouse.
  Using a USB hub between the mouse and the computer didn't work either.
  A cheap Targus mouse's dongle worked as well.
* [A USB-C thumb disk](https://www.amazon.com/dp/B09WB2RPS4) formatted and named "CONFIG".
  SSH keys and other persistent state are stored here.
* [A "Dummy" HDMI plug](https://www.amazon.com/dp/B07FB64V4Y) to convince macOS to stay alive.
  A TinyPilot KVM works as well.
  Any display should be fine.
* [A TRRS 3.5mm male audio jack](https://www.amazon.com/dp/B01CHNZHQY) to disable built-in speakers and microphones.
  Optional.

#### Port Availability

##### 2020 M1 Mac Mini

* 2x Thunderbolt 4 / USB-C
* 1x 1Gbase-T Ethernet (10Gbase-T optional)
* 1x HDMI
* 2x USB-A
* 1x 3.5mm headphone jack

##### 2018 Intel Mac Mini

* 4x Thunderbolt 3 / USB-C
* 1x 1Gbase-T Ethernet (10Gbase-T optional)
* 1x HDMI
* 2x USB-A
* 1x 3.5mm headphone jack

##### 2022 M1 (Max, Ultra) Mac Studio

Front:

* 2x Thunderbolt 4 / USB-C
* 1x SDXC

Back:

* 4x Thunderbolt 4 / USB-C
* 1x 10Gbase-T Ethernet
* 1x HDMI
* 2x USB-A
* 1x 3.5mm headphone jack

## Erasing a Mac

Select the device in `Management`,
then `Devices Overview`,
then select the `More` menu.
Click `Erase device`.
Change `Obliteration Behavior` to `Do not Obliterate`.
This requires a T2 or Apple Silicon chip.
See "ObliterationBehavior" on https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/.

# Setting up Mosyle

## Automatic Enrollment

After erasing, the machine should fully boot and configure itself without any human interaction.
The main tasks here are to configure the region, language, and the initial user account.

### Steps

On the `Organization` tab,
select `Apple Basic Setup`,
select `Enrollment`,
click `Automated Device Enrollment`
to get to the `Device Enrollment (DEP)` page.
Click your default profile.

1. Tick `If enabled, macOS will automatically advance through all Setup Assistant screens. Available for macOS 11+ when connected to Ethernet.`
1. Select your language and region
1. Untick `Prompt user to create an account`
1. Move on to `Create additional local admin during Setup Assistant`
1. Enter a full name and use `ephemeraladmin` for the username. Note that other pieces of this system depend on the user being named `ephemeraladmin`.
1. Change the `Password` dropdown to automatically generate a password for each device
1. Tick `Set this account to be managed.`
1. Set `Rename devices after enrollment` to `mac-ephemeral-%SerialNumber%`

Click `Save`.

## Device Groups

The described automation is applied to specific machines through `Device Groups`.

### Steps

On the `Management` tab,
on the left side under `Devices`,
select `Device Groups`,
click `Add Device Group`.

1. Name it `Ephemeral CI`
1. Add your Macs to the group

Click `Save`.

## Management Profile: Software Update

In general, software updates should be applied quickly and without any user interaction.
I want to be able to forget this machine exists after setup, so we have fully automated the update process.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Software Update`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Automatic Updates`
1. All of the defaults are fine as is

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.

## Management Profile: Energy Saver

If the machine sleeps it is generally not easy to wake it back up.
On my Mac Studio, waking it back up requires physically pressing the `Power` button on the back.
I tried using a wireless mouse and a KVM, but neither were able to replace it.

This profile disables sleeping.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Energy Saver`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Don't sleep`
1. Select the `Desktop` profile tab
1. Set `Put the display(s) to sleep after:` to `2 minutes`
1. Set `Put the computer to sleep after:` to `Never`
1. Set `Put the hard disk(s) to sleep after` to `Do not configure this option`
1. Under `Wake options`, tick `Wake for Ethernet network administrator access`
1. Under `Other options`, tick `Start up automatically after a power failure`

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.

## Management Profile: Security & Privacy: Granting Mosyle access to Removable Volumes

Our provisioning script uses SSH keys stored on an external volume to survive wipes.
macOS's privacy controls deny programs access to removable volumes unless the user, or an MDM-delivered Privacy Preferences Policy Control profile, grants it.
This means the Mosyle MDM agent cannot access removable media out of the box.

This profile allows Mosyle to access removable storage.

Note that we don't actually _enable_ anything in this profile except a single checkbox for the Self-Service app.
That is intentional: that tickbox is all we need.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Security & Privacy`,
near the top of the screen select the `Privacy` tab,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Allow Mosyle access to Removable Volumes`
1. Tick `Install the Privacy Preferences Policy Control settings for the Mosyle Self-Service app to allow access to all necessary files and application data.`

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.

## Management Profile: Custom Commands: Autologin as CI

Autologin is necessary to allow fast erases and reprovisions.

Modern macOS software and hardware have two erase modes: "Erase All Content and Settings" (EACS) and "Obliterate".
EACS takes approximately 5 minutes and involves a brief reboot after clearing the existing content and settings.
Obliterate completely erases the disk and then rewrites the operating system, and can take up to several hours.
Obliterate is the only option on older hardware.

EACS is the preferred method of implementing an ephemeral macOS machine because of the fast cycle time.
In order for EACS to work, the machine must have a "Bootstrap Token" escrowed with our MDM server.
The only way to escrow a bootstrap token is to have an administrative user log in.

This profile creates an administrative user with a random, unknown password, and causes it to automatically log in.
After creating the user, the machine is rebooted to cause the login to happen.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Custom Commands`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Autologin as CI`
1. Select the `Code` profile tab
1. Click the code text box
1. Paste the contents of `auto-login.sh` into the box
1. Click the checkmark in the top right of the Code Edit window
1. Select the `Execution Settings` profile tab
1. For `Execute Command` select `Only based on schedule or events`
1. For `Event` tick `Upon Enrollment Only`

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.

## Management Profile: Custom Commands: Setup SSH

Configure SSH keys and start the SSH daemon for the DEP-managed administrative user, `ephemeraladmin`.

This script runs very frequently to ensure SSH is both running, and your users' keys are on the machine.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Custom Commands`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Setup SSH`
1. Select the `Code` profile tab
1. Click the code text box
1. Paste the contents of `setup-ssh.sh` into the box
1. Edit the list of GitHub user names near line 9 to match your own users
1. Click the checkmark in the top right of the Code Edit window
1. Select the `Execution Settings` profile tab
1. For `Execute Command` select `Only based on schedule or events`
1. For `Event` untick `Upon Enrollment Only`
1. For `Event` tick `Every start up of the Mac`, `Every user sign-in`, and `Every "Device Info Update"`.

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.


## Management Profile: Custom Commands: Install Nix

Installs Nix and nix-darwin, which is configured to run a Buildkite agent and join our Tailscale network.

Note that right now this code assumes you're installing everything for DetSys purposes.
It is an explicit goal for this repository to support configuring things for *your* purposes without necessarily having to fork the repo.
Please open issues discussing or send PRs improving this.

#### Tailscale Token

First configure a tag to assign to ephemeral Macs, by adding this to your Tailscale ACL:

```json
"tagOwners": {
  "tag:ephemeral-mac-ci": ["you@example.com"],
}
```

The actual acquisition of pre-auth tokens is done through Vault on our systems (see `setup-vault.sh`).

#### Buildkite Token

Save the Buildkite agent token into `/Volumes/CONFIG/buildkite.token`.
This is a plain-text secret on a removable drive: whoever holds the CONFIG volume holds the token, so handle the drive as you would the token itself.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Custom Commands`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Install Nix`
1. Select the `Code` profile tab
1. Click the code text box
1. Paste the contents of `install-nix-fetcher.sh` into the box
1. Edit the last lines (`repo`, `branch`, `cfgpath`) to point to your repository and configuration.
   Note you can use Mosyle's tags and variables to do dynamic configuration dispatch.
   See the end for an example.
1. Click the checkmark in the top right of the Code Edit window
1. Select the `Execution Settings` profile tab
1. For `Execute Command` select `Only based on schedule or events`
1. For `Event` untick `Upon Enrollment Only`
1. For `Event` tick `Every user sign-in`

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.


## Management Profile: Custom Commands: Show Public SSH Key

Shows the public key of the private key generated on the box.

### Steps

On the `Management` tab,
on the left side under `Management Profiles`,
select `Custom Commands`,
click `Add new profile`.

If the profile type isn't there,
click `Activate New Profile Type`,
search for it by name,
click `Activate`,
then click `Add new profile`.

1. Name the profile `Show Public SSH Key`
1. Select the `Code` profile tab
1. Click the code text box
1. Paste `cat /Volumes/CONFIG/buildkite-agent/sshkey.pub` into the box
1. Click the checkmark in the top right of the Code Edit window
1. Select the `Execution Settings` profile tab
1. For `Execute Command` select `Only based on schedule or events`
1. For `Event` untick `Upon Enrollment Only`
1. For `Event` tick `Every start up of the Mac`
1. For `Event` tick `Every user sign-in`
1. For `Event` tick `Every "Device Info Update"`

Under `Profile Assignment`,
click `+ Add Assignment`,
select `Devices from specific Devices Group`,
tick `Ephemeral CI`.

Click `Save`.

---

### Using Mosyle's Variables for Dynamic Dispatch

```sh
repo="https://github.com/DeterminateSystems/macos-ephemeral.git"
# `HEAD` follows the repository's default branch, so every sign-in pulls whatever
# is newest; pin a tag or commit if each machine must run a known revision.
branch="HEAD"
cfgpath="config.nix"

# Mosyle substitutes %Tags% with the device's tag list before the command runs.
# `-w` matches "beta" only as a whole word, so a tag such as "betamax" does not
# silently select the beta configuration.
if (echo "%Tags%" | grep -qw "beta"); then
  branch="beta"
  cfgpath="configuration.nix"
fi
```

--------------------------------------------------------------------------------
/apply.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -eu

CONFIG_FLAKE_REF=$1

#set -x

# Everything below needs github.com to be reachable; wait for the network.
while ! ping -c1 github.com; do
  sleep 1
done

# mostly from darwin-installer: https://github.com/LnL7/nix-darwin/blob/d3d7db7b86c8a2f3fa9925fe5d38d29025e7cb7f/pkgs/darwin-installer/installer.nix#L40-L48
# Registers the /run -> /private/var/run synthetic link that nix-darwin expects.
if ! grep -q '^run\b' /etc/synthetic.conf 2>/dev/null; then
  printf "run\tprivate/var/run\n" | sudo tee -a /etc/synthetic.conf >/dev/null
  # `&>` is a bashism; the POSIX redirection below behaves the same under any /bin/sh.
  /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B >/dev/null 2>&1 || true
  /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t >/dev/null 2>&1 || true
fi

if [ ! -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
  #curl -L -o install.xz https://hydra.nixos.org/job/nix/master/binaryTarball.aarch64-darwin/latest/download/1
  #tar -xf install.xz
  #cd nix-*

  # The installer is fetched over HTTPS and executed; no checksum or signature is
  # verified here, so the trust rests on TLS and install.determinate.systems.
  # `-f` makes curl fail on an HTTP error instead of saving the error page as `install`.
  curl -fLo install https://install.determinate.systems/nix
  # Keep the installer's exit status: piping it straight into `tail` would let a
  # failed install go unnoticed by `set -e`.
  if ! sh ./install install --no-confirm >install.log 2>&1; then
    tail -n5 install.log
    exit 1
  fi
  tail -n5 install.log
fi

if ! hash nix; then
  # nix-daemon.sh is not `set -u`-clean; relax the flags while sourcing it, then
  # restore exactly the flags from the top of the script (`-eu`, not `-eux`, so
  # tracing is not switched on for the rest of the run).
  set +eu
  . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
  set -eu
fi

if [ !
-d /nix/home ]; then 36 | mkdir -p /nix/home 37 | fi 38 | 39 | export HOME=/nix/home 40 | 41 | nix --extra-experimental-features 'nix-command flakes' build "$CONFIG_FLAKE_REF" 42 | 43 | sudo rm -f /etc/nix/nix.conf 44 | sudo rm -f /etc/zshrc 45 | sudo rm -f /etc/zshenv 46 | sudo rm -f /etc/bashrc 47 | 48 | # This is essentially what `darwin-rebuild switch` does. 49 | profile=/nix/var/nix/profiles/system 50 | systemConfig="$(readlink -f ./result)" 51 | nix-env -p "$profile" --set "$systemConfig" 52 | "$systemConfig/activate-user" 53 | "$systemConfig/activate" 54 | 55 | echo "Done!" 56 | -------------------------------------------------------------------------------- /auto-login.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -eux 4 | 5 | 6 | while ! ping -c1 github.com; do 7 | sleep 1 8 | done 9 | 10 | cd "$(mktemp -d)" 11 | 12 | cat < mkuser.sh.check 13 | 10a45bd537435482cd5caef0272d6b6b95dc7089 ./mkuser.sh 14 | EOF 15 | curl -L https://raw.githubusercontent.com/freegeek-pdx/mkuser/2022.9.30-1/mkuser.sh > mkuser.sh 16 | if ! shasum -c ./mkuser.sh.check; then 17 | echo "mkuser.sh was not what we expected." 
18 | exit 1 19 | fi 20 | 21 | chmod +x ./mkuser.sh 22 | 23 | openssl rand -base64 48 | ./mkuser.sh \ 24 | --do-not-confirm \ 25 | --administrator \ 26 | --automatic-login \ 27 | --no-picture \ 28 | --stdin-password \ 29 | --account-name ci \ 30 | --full-name ci 31 | 32 | cat < /dev/null 33 | 34 | 35 | 36 | 37 | Label 38 | systems.determinate.ephemeral-macos.reboot 39 | ProgramArguments 40 | 41 | /bin/sh 42 | -c 43 | sleep 5; /sbin/reboot 44 | 45 | 46 | 47 | EOF 48 | 49 | launchctl unload /Library/LaunchDaemons/systems.determinate.ephemeral-macos.reboot.plist 50 | launchctl load -w /Library/LaunchDaemons/systems.determinate.ephemeral-macos.reboot.plist 51 | launchctl kickstart -kp system/systems.determinate.ephemeral-macos.reboot 52 | -------------------------------------------------------------------------------- /configuration.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, inputs, ... }: 2 | { 3 | environment.systemPackages = 4 | [ 5 | pkgs.git 6 | pkgs.vault 7 | pkgs.tailscale 8 | ]; 9 | 10 | # https://github.com/LnL7/nix-darwin/pull/552 11 | documentation.enable = false; 12 | 13 | programs.zsh.enable = true; 14 | programs.zsh.enableCompletion = false; 15 | programs.bash.enable = true; 16 | programs.bash.enableCompletion = false; 17 | 18 | #services.activate-system.enable = true; 19 | 20 | users.knownUsers = [ "buildkite-agent-agent" ]; 21 | users.knownGroups = [ "buildkite-agent-agent" ]; 22 | users.groups.buildkite-agent-agent.gid = 531; 23 | users.users.buildkite-agent-agent.uid = 531; 24 | users.users.buildkite-agent-agent.gid = config.users.groups.buildkite-agent-agent.gid; 25 | users.users.buildkite-agent-agent.shell = "/bin/sh"; 26 | 27 | services.nix-daemon.enable = true; 28 | 29 | nix = { 30 | settings = { 31 | "extra-experimental-features" = [ "nix-command" "flakes" ]; 32 | "trusted-users" = [ "root" "ephemeraladmin" ]; 33 | }; 34 | }; 35 | 36 | services.buildkite-agents.agent = { 37 | 
enable = true; 38 | tokenPath = "/nix/home/buildkite.token"; 39 | extraConfig = '' 40 | spawn = 4 41 | meta-data = "mac=1,nix=1,system=${pkgs.system}" 42 | tags-from-host=true 43 | ''; 44 | }; 45 | 46 | system.activationScripts.pam.text = '' 47 | echo >&2 "setting up pam..." 48 | ( 49 | echo "%admin ALL = NOPASSWD: ALL" > /etc/sudoers.d/passwordless 50 | ) 51 | ''; 52 | 53 | system.activationScripts.preActivation.text = 54 | let 55 | buildkite-agent = config.users.users.buildkite-agent-agent; 56 | 57 | ssh_key = "/Volumes/CONFIG/buildkite-agent/sshkey"; 58 | in 59 | '' 60 | while [ ! -d /Volumes/CONFIG ]; do 61 | echo "Waiting for /Volumes/CONFIG to exist ..." 62 | sleep 1 63 | done 64 | 65 | if [ ! -f ${lib.escapeShellArg ssh_key} ]; then 66 | mkdir -p "$(dirname ${lib.escapeShellArg ssh_key})" || true 67 | echo "Waiting a second in case the config volume shows up" 68 | sleep 5 69 | fi 70 | 71 | if [ ! -f ${lib.escapeShellArg ssh_key} ]; then 72 | mkdir -p "$(dirname ${lib.escapeShellArg ssh_key})" || true 73 | ssh-keygen -t ed25519 -f ${lib.escapeShellArg ssh_key} -N "" 74 | fi 75 | 76 | mkdir -p ${lib.escapeShellArg buildkite-agent.home} || true 77 | 78 | mkdir -m 0700 -p ${lib.escapeShellArg buildkite-agent.home}/.ssh 79 | cp ${lib.escapeShellArg ssh_key} ${lib.escapeShellArg buildkite-agent.home}/.ssh/id_ed25519 80 | cp ${lib.escapeShellArg ssh_key}.pub ${lib.escapeShellArg buildkite-agent.home}/.ssh/id_ed25519.pub 81 | chmod 600 ${lib.escapeShellArg buildkite-agent.home}/.ssh/id_ed25519 82 | 83 | chown ${toString buildkite-agent.uid}:${toString buildkite-agent.gid} \ 84 | ${lib.escapeShellArg buildkite-agent.home} \ 85 | ${lib.escapeShellArg buildkite-agent.home}/.ssh \ 86 | ${lib.escapeShellArg buildkite-agent.home}/.ssh/id_ed25519 \ 87 | ${lib.escapeShellArg buildkite-agent.home}/.ssh/id_ed25519.pub 88 | 89 | install -m 0600 -o ${toString buildkite-agent.uid} -g ${toString buildkite-agent.gid} /Volumes/CONFIG/buildkite.token '${lib.escapeShellArg 
config.services.buildkite-agents.agent.tokenPath}' 90 | ''; 91 | 92 | #launchd.daemons.prometheus-node-exporter = { 93 | # script = '' 94 | # exec ${pkgs.prometheus-node-exporter}/bin/node_exporter 95 | # ''; 96 | # 97 | # serviceConfig.KeepAlive = true; 98 | # serviceConfig.StandardErrorPath = "/var/log/prometheus-node-exporter.log"; 99 | # serviceConfig.StandardOutPath = "/var/log/prometheus-node-exporter.log"; 100 | #}; 101 | 102 | launchd.daemons.tailscaled = { 103 | script = '' 104 | exec ${pkgs.tailscale}/bin/tailscaled -state mem: 105 | ''; 106 | 107 | serviceConfig.KeepAlive = true; 108 | serviceConfig.StandardErrorPath = "/var/log/tailscaled.log"; 109 | serviceConfig.StandardOutPath = "/var/log/tailscaled.log"; 110 | }; 111 | 112 | launchd.daemons.tailscale-auth = { 113 | script = '' 114 | set -eux 115 | 116 | sleep 5 117 | ${pkgs.tailscale}/bin/tailscale up --accept-routes --auth-key file:/var/root/tailscale.token 118 | while true; do 119 | sleep 604800 120 | done 121 | ''; 122 | 123 | serviceConfig.KeepAlive = true; 124 | serviceConfig.StandardErrorPath = "/var/log/tailscale-auth.log"; 125 | serviceConfig.StandardOutPath = "/var/log/tailscale-auth.log"; 126 | }; 127 | } 128 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "darwin": { 4 | "inputs": { 5 | "nixpkgs": [ 6 | "nixpkgs" 7 | ] 8 | }, 9 | "locked": { 10 | "lastModified": 1695114819, 11 | "narHash": "sha256-/aIfbZxP39QZ8m7qX2RzQTy5PWzz2e22cCcZ+AOO7lA=", 12 | "owner": "LnL7", 13 | "repo": "nix-darwin", 14 | "rev": "afeddc412b3a3b0e7c9ef7ea5fbdf2186781d102", 15 | "type": "github" 16 | }, 17 | "original": { 18 | "owner": "LnL7", 19 | "repo": "nix-darwin", 20 | "type": "github" 21 | } 22 | }, 23 | "nixpkgs": { 24 | "locked": { 25 | "lastModified": 1701068326, 26 | "narHash": "sha256-vmMceA+q6hG1yrjb+MP8T0YFDQIrW3bl45e7z24IEts=", 27 | "rev": 
"8cfef6986adfb599ba379ae53c9f5631ecd2fd9c", 28 | "revCount": 553283, 29 | "type": "tarball", 30 | "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.553283%2Brev-8cfef6986adfb599ba379ae53c9f5631ecd2fd9c/018c18d1-b364-7bfd-aced-a123b87538af/source.tar.gz" 31 | }, 32 | "original": { 33 | "type": "tarball", 34 | "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.533189.tar.gz" 35 | } 36 | }, 37 | "root": { 38 | "inputs": { 39 | "darwin": "darwin", 40 | "nixpkgs": "nixpkgs" 41 | } 42 | } 43 | }, 44 | "root": "root", 45 | "version": 7 46 | } 47 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "macos-ephemeral"; 3 | 4 | inputs = { 5 | nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.533189.tar.gz"; 6 | darwin = { url = "github:LnL7/nix-darwin"; inputs.nixpkgs.follows = "nixpkgs"; }; 7 | }; 8 | 9 | outputs = 10 | { nixpkgs 11 | , darwin 12 | , ... 13 | }@inputs: 14 | { 15 | inputs = { 16 | nixpkgs = "${nixpkgs}"; 17 | darwin = "${darwin}"; 18 | }; 19 | 20 | darwinConfigurations = 21 | let 22 | ephemeral = system: darwin.lib.darwinSystem { 23 | inherit system; 24 | inputs = { inherit darwin nixpkgs; }; 25 | 26 | modules = [ 27 | ./configuration.nix 28 | ]; 29 | }; 30 | in 31 | { 32 | arm64 = ephemeral "aarch64-darwin"; 33 | x86_64 = ephemeral "x86_64-darwin"; 34 | }; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /install-nix-fetcher.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -eux 4 | 5 | while ! 
ping -c1 github.com; do 6 | sleep 1 7 | done 8 | 9 | cd "$(mktemp -d)" 10 | 11 | curl -L -o apply.sh https://github.com/DeterminateSystems/macos-ephemeral/raw/main/apply.sh 12 | chmod +x ./apply.sh 13 | 14 | repo="https://github.com/DeterminateSystems/macos-ephemeral.git" 15 | branch="HEAD" 16 | cfgpath="configuration.nix" 17 | 18 | ./apply.sh "$repo" "$branch" "$cfgpath" 19 | -------------------------------------------------------------------------------- /setup-password.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -eux 4 | set -o pipefail 5 | 6 | ( 7 | date 8 | 9 | while ! ping -c1 github.com; do 10 | sleep 1 11 | done 12 | 13 | if [ "$(uname -m)" = "arm64" ]; then 14 | jobset=nixpkgs-unstable-aarch64-darwin 15 | arch=aarch64-darwin 16 | else 17 | jobset=trunk 18 | arch=x86_64-darwin 19 | fi 20 | 21 | cd ~root 22 | 23 | while [ ! -d /Volumes/CONFIG ]; do 24 | echo "Waiting for /Volumes/CONFIG to exist ..." 25 | sleep 1 26 | done 27 | 28 | # If vault isn't already available (i.e. via Nixpkgs), and it doesn't exist at 29 | # that path, then get it from Hydra 30 | export VAULT 31 | if ! hash vault; then 32 | if ! 
test -f /usr/local/bin/vault; then 33 | curl -L -o vault "https://hydra.nixos.org/job/nixpkgs/$jobset/vault.$arch/latest/download/1/out/bin/vault" 34 | chmod +x ./vault 35 | 36 | mkdir -p /usr/local/bin/ 37 | mv ./vault /usr/local/bin/vault 38 | fi 39 | 40 | VAULT=/usr/local/bin/vault 41 | else 42 | VAULT="$(command -v vault)" 43 | fi 44 | 45 | # Don't accidentally leak any vault secrets 46 | set +x 47 | 48 | # We unconditionally do this vault thing, _IF_ the secret_id file exists and is readable 49 | if test -r /Volumes/CONFIG/secret_id; then 50 | export VAULT_ADDR=https://vault-ipv6.detsys.dev 51 | export ROLE_ID_FILE="/Volumes/CONFIG/role_id" 52 | export SECRET_ID_FILE="/Volumes/CONFIG/secret_id" 53 | 54 | export AUTH_PATH 55 | 56 | # Yes, this is ugly, but it's necessary; there's no other easy way to 57 | # distinguish between the foundation and detsys macs. 58 | if grep -q foundation "$ROLE_ID_FILE"; then 59 | AUTH_PATH=auth/internalservices/macos_foundation/approle/login 60 | else 61 | AUTH_PATH=auth/internalservices/macos/approle/login 62 | fi 63 | 64 | export VAULT_TOKEN="$($VAULT write -field=token "$AUTH_PATH" role_id=@"$ROLE_ID_FILE" secret_id=@"$SECRET_ID_FILE")" 65 | unset AUTH_PATH 66 | unset SECRET_ID_FILE 67 | 68 | $VAULT kv patch internalservices/macos/kv/"$(cat $ROLE_ID_FILE)"/password ephemeraladmin=@"$EPHEMERALADMIN_PASSWORD_FILE" \ 69 | || $VAULT kv put internalservices/macos/kv/"$(cat $ROLE_ID_FILE)"/password ephemeraladmin=@"$EPHEMERALADMIN_PASSWORD_FILE" 70 | rm "$EPHEMERALADMIN_PASSWORD_FILE" 71 | unset EPHEMERALADMIN_PASSWORD_FILE 72 | unset ROLE_ID_FILE 73 | else 74 | echo "Device does not have a secret_id! Exiting." 
75 | exit 1 76 | fi 77 | 78 | set -x 79 | 80 | # We'll get vault somewhere in the setup-vault.sh script 81 | rm $VAULT 82 | ) 2>&1 | tee -a /var/log/mosyle-password-script.log 83 | -------------------------------------------------------------------------------- /setup-ssh.sh: -------------------------------------------------------------------------------- 1 | set -eux 2 | 3 | launchctl load -w /System/Library/LaunchDaemons/ssh.plist 4 | 5 | mkdir -p /Users/ephemeraladmin/.ssh 6 | cd /Users/ephemeraladmin/.ssh 7 | 8 | while ! ping -c1 github.com; do 9 | sleep 1 10 | done 11 | 12 | echo "" > keys.next 13 | for ghuser in grahamc grahamc grahamc; do 14 | curl -L https://github.com/$ghuser.keys >> keys.next 15 | done 16 | 17 | mv keys.next authorized_keys 18 | 19 | chown -R ephemeraladmin /Users/ephemeraladmin/.ssh 20 | -------------------------------------------------------------------------------- /setup-vault.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -eux 4 | set -o pipefail 5 | 6 | ( 7 | date 8 | 9 | ls /Volumes || true 10 | ls /Volumes/CONFIG || true 11 | 12 | while ! ping -c1 github.com; do 13 | sleep 1 14 | done 15 | 16 | if [ "$(uname -m)" = "arm64" ]; then 17 | jobset=nixpkgs-unstable-aarch64-darwin 18 | arch=aarch64-darwin 19 | else 20 | jobset=trunk 21 | arch=x86_64-darwin 22 | fi 23 | 24 | cd ~root 25 | 26 | while [ ! -d /Volumes/CONFIG ]; do 27 | echo "Waiting for /Volumes/CONFIG to exist ..." 28 | sleep 1 29 | done 30 | 31 | # If vault isn't already available (i.e. via Nixpkgs), and it doesn't exist at 32 | # that path, then get it from Hydra 33 | export VAULT 34 | if ! hash vault; then 35 | if ! 
test -f /usr/local/bin/vault; then 36 | curl -L -o vault "https://hydra.nixos.org/job/nixpkgs/$jobset/vault.$arch/latest/download/1/out/bin/vault" 37 | chmod +x ./vault 38 | 39 | mkdir -p /usr/local/bin/ 40 | mv ./vault /usr/local/bin/vault 41 | fi 42 | 43 | VAULT=/usr/local/bin/vault 44 | else 45 | VAULT="$(command -v vault)" 46 | fi 47 | 48 | if ! test -f /etc/ssh/ssh_host_rsa_key.pub; then 49 | echo "generating host keys because they don't exist" 50 | ssh-keygen -A 51 | echo "loading ssh because host pubkeys don't exist" 52 | launchctl load -w /System/Library/LaunchDaemons/ssh.plist 53 | 54 | max=30 55 | while ! test -f /etc/ssh/ssh_host_rsa_key.pub; do 56 | echo "waiting for /etc/ssh/ssh_host_rsa_key.pub to show up... trying $max more times" 57 | [[ $((--max)) -gt 0 ]] || break 58 | sleep 3 59 | done 60 | fi 61 | 62 | # Don't accidentally leak any vault secrets 63 | set +x 64 | 65 | # We unconditionally do this vault thing, _IF_ the secret_id file exists and is readable 66 | if test -r /Volumes/CONFIG/secret_id; then 67 | export VAULT_ADDR=https://vault-ipv6.detsys.dev 68 | export ROLE_ID_FILE="/Volumes/CONFIG/role_id" 69 | export SECRET_ID_FILE="/Volumes/CONFIG/secret_id" 70 | 71 | export AUTH_PATH 72 | export SIGN_PATH 73 | export ROLE 74 | 75 | # Yes, this is ugly, but it's necessary; there's no other easy way to 76 | # distinguish between the foundation and detsys macs. 
77 | if grep -q foundation "$ROLE_ID_FILE"; then 78 | AUTH_PATH=auth/internalservices/macos_foundation/approle/login 79 | SIGN_PATH=internalservices/macos_foundation/ssh_host_keys/sign/host 80 | ROLE=internalservices_macos_foundation_ssh_host_key_signer 81 | else 82 | AUTH_PATH=auth/internalservices/macos/approle/login 83 | SIGN_PATH=internalservices/macos/ssh_host_keys/sign/host 84 | ROLE=internalservices_macos_ssh_host_key_signer 85 | fi 86 | 87 | export VAULT_TOKEN="$($VAULT write -field=token "$AUTH_PATH" role_id=@"$ROLE_ID_FILE" secret_id=@"$SECRET_ID_FILE")" 88 | unset AUTH_PATH 89 | unset SECRET_ID_FILE 90 | (set -x 91 | umask 077 92 | if ! grep -q foundation "$ROLE_ID_FILE" ; then 93 | $VAULT read -field=key internalservices/macos/tailscale/key tags=tag:ephemeral-mac-ci ephemeral=true > /var/root/tailscale.token 94 | fi 95 | ) 96 | unset ROLE_ID_FILE 97 | 98 | export VAULT_TOKEN="$($VAULT token create -field=token -role="$ROLE")" 99 | unset ROLE 100 | $VAULT write -field=signed_key "$SIGN_PATH" cert_type=host public_key=@/etc/ssh/ssh_host_rsa_key.pub > /etc/ssh/ssh_host_rsa_key.signed.pub 101 | unset VAULT_TOKEN 102 | unset SIGN_PATH 103 | echo "HostCertificate /etc/ssh/ssh_host_rsa_key.signed.pub" > /etc/ssh/sshd_config.d/001-ca-cert.conf 104 | launchctl stop com.openssh.sshd 105 | launchctl start com.openssh.sshd 106 | ssh-keyscan -c localhost 107 | else 108 | echo "Device does not have a secret_id! Exiting." 109 | exit 1 110 | fi 111 | 112 | set -x 113 | ) 2>&1 | tee -a /var/log/mosyle-vault-script.log 114 | -------------------------------------------------------------------------------- /setup-without-nix.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -eux 4 | set -o pipefail 5 | 6 | ( 7 | date 8 | 9 | ls /Volumes || true 10 | ls /Volumes/CONFIG || true 11 | 12 | echo "%admin ALL = NOPASSWD: ALL" > /etc/sudoers.d/passwordless 13 | 14 | while ! 
ping -c1 github.com; do 15 | sleep 1 16 | done 17 | 18 | if [ "$(uname -m)" = "arm64" ]; then 19 | jobset=nixpkgs-unstable-aarch64-darwin 20 | arch=aarch64-darwin 21 | else 22 | jobset=trunk 23 | arch=x86_64-darwin 24 | fi 25 | 26 | cd ~root 27 | 28 | while [ ! -d /Volumes/CONFIG ]; do 29 | echo "Waiting for /Volumes/CONFIG to exist ..." 30 | sleep 1 31 | done 32 | 33 | if [ ! -f /Volumes/CONFIG/buildkite-agent/sshkey ]; then 34 | mkdir -p "$(dirname /Volumes/CONFIG/buildkite-agent/sshkey)" || true 35 | echo "Waiting a second in case the config volume shows up" 36 | sleep 5 37 | fi 38 | 39 | if [ ! -f /Volumes/CONFIG/buildkite-agent/sshkey ]; then 40 | mkdir -p "$(dirname /Volumes/CONFIG/buildkite-agent/sshkey)" || true 41 | ssh-keygen -t ed25519 -f /Volumes/CONFIG/buildkite-agent/sshkey -N "" 42 | fi 43 | 44 | # install xcode (for git) ugh 45 | # inspired by https://gist.github.com/mokagio/b974620ee8dcf5c0671f 46 | # and yes, this file is required, or else the command line tools don't show up in softwareupdate -l 47 | touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress 48 | softwareupdate -i "$(softwareupdate -l | grep "\*.*Command Line" | tail -n 1 | sed 's/^[^C]* //')" 49 | if ! git --help &>/dev/null; then 50 | # Didn't find command line tools first time, try again? 51 | softwareupdate -i "$(softwareupdate -l | grep "\*.*Command Line" | tail -n 1 | sed 's/^[^C]* //')" 52 | fi 53 | 54 | if ! 
pgrep -qf "tailscaled"; then 55 | # tailscale 56 | curl -L -o tailscale "https://hydra.nixos.org/job/nixpkgs/$jobset/tailscale.$arch/latest/download/1/out/bin/tailscale" 57 | curl -L -o tailscaled "https://hydra.nixos.org/job/nixpkgs/$jobset/tailscale.$arch/latest/download/1/out/bin/tailscaled" 58 | chmod +x ./tailscale{,d} 59 | 60 | mkdir -p /usr/local/bin/ 61 | mv ./tailscaled /usr/local/bin/tailscaled 62 | mv ./tailscale /usr/local/bin/tailscale 63 | 64 | cat < /Library/LaunchDaemons/com.tailscale.tailscaled.plist 65 | 66 | 67 | 68 | 69 | 70 | Label 71 | com.tailscale.tailscaled 72 | 73 | ProgramArguments 74 | 75 | /usr/local/bin/tailscaled 76 | -state 77 | mem: 78 | 79 | 80 | RunAtLoad 81 | 82 | 83 | StandardErrorPath 84 | /var/log/tailscaled.log 85 | StandardOutPath 86 | /var/log/tailscaled.log 87 | 88 | 89 | 90 | EOF 91 | 92 | launchctl load /Library/LaunchDaemons/com.tailscale.tailscaled.plist 93 | launchctl start /Library/LaunchDaemons/com.tailscale.tailscaled.plist || true 94 | 95 | cat < /Library/LaunchDaemons/com.tailscale.tailscale-auth.plist 96 | 97 | 98 | 99 | 100 | 101 | Label 102 | com.tailscale.tailscale-auth 103 | 104 | ProgramArguments 105 | 106 | /bin/sh 107 | -xc 108 | sleep 5 ; /usr/local/bin/tailscale up --accept-routes --auth-key file:/var/root/tailscale.token && (while true; do sleep 2073600; done) 109 | 110 | 111 | RunAtLoad 112 | 113 | KeepAlive 114 | 115 | 116 | StandardErrorPath 117 | /var/log/tailscale-auth.log 118 | StandardOutPath 119 | /var/log/tailscale-auth.log 120 | 121 | 122 | 123 | EOF 124 | 125 | launchctl load /Library/LaunchDaemons/com.tailscale.tailscale-auth.plist 126 | launchctl start /Library/LaunchDaemons/com.tailscale.tailscale-auth.plist || true 127 | fi 128 | 129 | if ! 
pgrep -qf "buildkite-agent"; then 130 | # buildkite-agent 131 | curl -sL https://raw.githubusercontent.com/buildkite/agent/main/install.sh -o install-buildkite.sh 132 | HOME=/tmp/buildkite-agent-staging bash ./install-buildkite.sh 133 | 134 | mv /tmp/buildkite-agent-staging/.buildkite-agent /var/lib/buildkite-agent 135 | 136 | cat < /var/lib/buildkite-agent/buildkite-agent.cfg 137 | token="$(cat /Volumes/CONFIG/buildkite.token)" 138 | name="%hostname-%n" 139 | spawn=1 140 | disconnect-after-job=true 141 | meta-data="queue=bootstrap,mac=1,nix=0,system=$arch" 142 | build-path="/var/lib/buildkite-agent/builds" 143 | hooks-path="/var/lib/buildkite-agent/hooks" 144 | tags-from-host=true 145 | EOF 146 | 147 | cp /Volumes/CONFIG/buildkite-agent/sshkey ~ephemeraladmin/.ssh/id_ed25519 148 | cp /Volumes/CONFIG/buildkite-agent/sshkey.pub ~ephemeraladmin/.ssh/id_ed25519.pub 149 | chmod 600 ~ephemeraladmin/.ssh/id_ed25519 150 | chown ephemeraladmin:staff \ 151 | ~ephemeraladmin/.ssh/id_ed25519 \ 152 | ~ephemeraladmin/.ssh/id_ed25519.pub 153 | 154 | mkdir -p /var/lib/buildkite-agent/hooks 155 | cat <<'EOF' > /var/lib/buildkite-agent/hooks/agent-shutdown 156 | #!/bin/sh 157 | 158 | while sleep 1; do 159 | for machine in bonk{,-{1,2,3,4,5}}; do 160 | curl -X POST --connect-timeout 1 -v "http://$machine/erase-self" 161 | sleep 1 162 | done 163 | done 164 | EOF 165 | chmod +x /var/lib/buildkite-agent/hooks/agent-shutdown 166 | 167 | chown -R ephemeraladmin:staff /var/lib/buildkite-agent 168 | 169 | touch /var/log/buildkite-agent.log 170 | chown ephemeraladmin:staff /var/log/buildkite-agent.log 171 | 172 | cat < /Library/LaunchDaemons/com.buildkite.buildkite-agent.plist 173 | 174 | 175 | 176 | 177 | Label 178 | com.buildkite.buildkite-agent 179 | ProgramArguments 180 | 181 | /var/lib/buildkite-agent/bin/buildkite-agent 182 | start 183 | --config 184 | /var/lib/buildkite-agent/buildkite-agent.cfg 185 | 186 | RunAtLoad 187 | 188 | StandardErrorPath 189 | /var/log/buildkite-agent.log 
  <key>StandardOutPath</key>
  <string>/var/log/buildkite-agent.log</string>
  <key>UserName</key>
  <string>ephemeraladmin</string>
</dict>
</plist>
EOF

    launchctl load /Library/LaunchDaemons/com.buildkite.buildkite-agent.plist
    launchctl start /Library/LaunchDaemons/com.buildkite.buildkite-agent.plist || true
  fi
) 2>&1 | tee -a /var/log/mosyle-bootstrap-script.log
--------------------------------------------------------------------------------
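An added example, not code from this repository, showing a more defensive version of the `authorized_keys` sync that the `Setup SSH` profile runs via `setup-ssh.sh`: HTTP errors fail the fetch instead of being appended to the key list, every line must look like a bare OpenSSH public key, an empty result never replaces the existing file, and the install is atomic with the permissions sshd expects. The function names and `SAMPLE_FETCHED` (with made-up key bodies) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the macos-ephemeral repo: a more defensive
# version of the authorized_keys sync that setup-ssh.sh performs. The
# function names, SAMPLE_FETCHED and the key bodies are constructed here.
set -eu

# Keep only lines that look like a bare OpenSSH public key (known type,
# base64 body of plausible length, optional comment). Anything an HTTP
# error page or a truncated download could leave in the response is
# dropped, as are option-prefixed keys (from=, command=...), which the
# GitHub .keys endpoint never emits. Exit status 0 iff a key survived.
filter_authorized_keys() {
  awk '
    $1 ~ /^(ssh-ed25519|sk-ssh-ed25519@openssh\.com|ecdsa-sha2-nistp(256|384|521)|sk-ecdsa-sha2-nistp256@openssh\.com|ssh-rsa)$/ &&
    $2 ~ "^[A-Za-z0-9+/]+=*$" && length($2) >= 40 { print; n++ }
    END { exit (n > 0 ? 0 : 1) }
  '
}

# Fetch each user's published keys. -f makes curl fail on HTTP errors
# (setup-ssh.sh omits it, so a 404 body would be appended to the key list),
# --max-time keeps a frequently scheduled profile from hanging on a stall,
# and the trailing echo guarantees a newline between users.
fetch_github_keys() {
  for ghuser in "$@"; do
    curl -fsSL --max-time 20 "https://github.com/$ghuser.keys" || return 1
    echo
  done
}

# Install a candidate key list: refuse an empty set (it would lock everyone
# out on the next run), set the permissions sshd's StrictModes expects, and
# rename into place so a reader never sees a half-written file.
install_authorized_keys() {
  candidate=$1 sshdir=$2 owner=$3
  if ! [ -s "$candidate" ]; then
    echo "refusing to install an empty authorized_keys" >&2
    return 1
  fi
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  cp "$candidate" "$sshdir/authorized_keys.next"
  chmod 600 "$sshdir/authorized_keys.next"
  mv -f "$sshdir/authorized_keys.next" "$sshdir/authorized_keys"
  chown -R "$owner" "$sshdir"
}

# The whole sync: on a fetch or validation failure the existing
# authorized_keys is left untouched instead of being replaced by junk.
sync_authorized_keys() {
  sshdir=$1 owner=$2
  shift 2
  tmp=$(mktemp)
  if fetch_github_keys "$@" | filter_authorized_keys > "$tmp"; then
    install_authorized_keys "$tmp" "$sshdir" "$owner"
  else
    echo "no valid keys fetched; keeping existing authorized_keys" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}

# Constructed sample of what a sync might receive: two well-formed keys
# (the bodies are made up, not real keys), an HTML error page, a key with
# a too-short body and an option-prefixed key.
SAMPLE_FETCHED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBodyConstructedForThisExample alice@laptop
<!DOCTYPE html>
Not Found
ssh-rsa short
from="10.0.0.1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOptionPrefixedKeysAreNotExpectedFromGitHub x
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedBodyThatIsNotARealKey0000 bob@desk'

# Number of lines the filter accepts from the sample.
demo_filter_count() {
  printf '%s\n' "$SAMPLE_FETCHED" | filter_authorized_keys | grep -c .
}

# Example invocation, mirroring setup-ssh.sh's target user and path:
# sync_authorized_keys /Users/ephemeraladmin/.ssh ephemeraladmin grahamc
```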