rust-lang · pietroalbini · May 21, 2022 · Oct 14, 2021 · Oct 14, 2021 · Nov 16, 2021
diff --git a/ansible/envs/prod/hosts b/ansible/envs/prod/hosts
@@ -13,3 +13,6 @@ ci-arm-1.infra.rust-lang.org
 
 [playground]
 play-1.infra.rust-lang.org
+
+[dev-desktop]
+dev-desktop.infra.rust-lang.org
diff --git a/ansible/playbooks/dev-desktop.yml b/ansible/playbooks/dev-desktop.yml
@@ -0,0 +1,18 @@
+---
+
+- hosts: dev-desktop
+  become: yes
+  become_user: root
+
+  roles:
+
+    - role: common
+      papertrail_url: "{{ vars_papertrail_url }}"
+      collect_metrics_from: "{{ global_collect_metrics_from }}"
+      sudo_users:
+        - aidanhs
+        - simulacrum
+        - pietro
+        - oli-obk
+
+    - role: dev-desktop
diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
@@ -6,3 +6,4 @@ sudo_users: []
 collect_metrics_from: []
 avoid_removing_docker_users: []
 papertrail_url: null
+allow_ssh_extra_groups: ""
diff --git a/ansible/roles/common/files/ssh-keys/oli-obk.pub b/ansible/roles/common/files/ssh-keys/oli-obk.pub
@@ -0,0 +1,8 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIU/eDOjiDgwwXrsKTqUW3/N8DWCgYedNOXF1ZhI5wybi13kX7TMehEDN/tVYVe5f4BP3v7dNNVhvrENe/5ubCKBAVVj/1UkosYo57uRq30zl/pRkthoG8eMVkHCMjfBzAAC0zEPEFrSk1rOsf8BZnnEnG7o+RsGg5rYBOdI+/EM6v7KEF0xKQ2nP5haPcu0D4o+PySa+HW9RyCPHq7aOY3L53XbvvEjaioeSSyrGAD3vFCQyX+N216kr2Riono7pXS1AiBtN45VLBojAvjnsf7xlU/P1kl5RkBz31EjppKjRaKnWtwbedhbXRnetTrlzkfsFc04JkMB1kwuqRz2qccb1EigZ3D3GX1d150ZmUrrSwBo5UdcntdWCw3KbIpHH66FeWF/O+vg4nvlqAZeGBonj3lwUqnzJyXLIGt00OPtOxHP3gnF3NJu2U89FtGH4PzmD9d5i56N8/kBTSYkIxuAhE5H2IBr97UKAZKfCuq307oAm/aEMr36HosypVmxrX8CeuYyFNMtALXrjlNS+ui8wwnbJeqJQq5yDLRWQMY3bzb6cwi6YKa/f8IcqwxaIPq3oUgORf2qNp+T1lWFK7JatbtDNLKYRrjwNWl/KNFnAf29hJpHW+NAMCU7dxgczV74kFbY/uM5YeRIlu2+JdQRGpQiHga8+VtVN9aYmavQ==
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsDBPCH2lzUzECUGoxfiArOkPjvhhVMMeryssp/C4aRZyH8OW48dFKcoL/dMG2wQONR+gVZWwwgqQvPnSN+c2sUY0mWI1Cy5Vgv2WXXh62DAoNHkVGArqx2IP7sBV3OFmfsPiIV60G7HY089ar6wmAYUBPbxSEBYxDp0/W/uB6V4HXfqW8LCBwCY/T0NVaxrihUqK3pFNu5n4tDtqAxZ4COaOhAR83Wxl+l0QIvYoNRsQYfmp5m/LUjGSdcDRTUx9Zey+0uSujy0J+QO/th06cZfd4774X03Q8sO6roMrQqmVs/v4ITbO7jO52la8BXBc8UBWi0gcMHRk38Fj1GDhv
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXlBXwb0C4z6c55+66UtCZkgcbdc2K/HwLKm0LYbEDqrd6iu1G8h817iqGYX2g8yEcwdiopAZX3z3kgOlYrYlY4KuCJqYLlQR1GVKzxRUaAtT9TnojvR3R28Y0xoehPhYaG/ke07gDbCXdj0y2LqEFhoqYSx32sFpCCke+R3/pYz5lC+HBNavZWN4eNx2XIrmgRdtjX+24Iix07/bpfTLpo+30d9EMgSNFZ7RuIYbUEQD6sy8e0NdkAZ7pSTvtJxuZFySCP+Nve9bo0lfH3uWjKzXlqNDY58Xq491SnXK263y5RIAq22O3a75Xy7oKGdWEYZkFWVdP3KnsUXVB4Fq9
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCst20cn4CMMd/oNuc+p9fIBpaPbeyugbSuVyHX+VWBQXFogy6NeB/UgZF6uDpcRDlFkKrM25O52tKvaEo3antPLozeC52wlGiuMmFvsOQF2VWUDUgVMJeslONpx0JGa5MwcpcqmZ/7GEOC71L/PqQlXH4ijF9xaWUQj14StdrKq3bijrgSKXXDTlqGU1F8v3ZwFrpzfTK3VS9Q+g/cQjdSsq2h9uAMyI5FLovDErGUrurK1qcMuxNUXeEyzV5omQlDkcy82fkJH+lVsSzd6CggiUfCR8D/PAwH98vpsdSc7iW2fhrb7lKPG0E2W7WLdL92p1rj3zFeSsJI15nQZz0L
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDuJcwiHOOTrCWxTKgi3b5j48UqbBQzk5EM6jr6XfStO/xts/dgFoWfCzgxjoTTuIaj+/9Zk+wPhKh6PJR+mLdPeen2ImwtERNnJa5VDPYtCjMaxa8PLJcxWNJDVXLKHayUtwWRG0cUdB3Azd19dShYV2c88wotfmPYJ0bp4O/2JdvUN61iL23pjiltYatC13BhGh9AEJ/yn7OjFuETiNpPxQljjnqFSJ7BVn5D9WSgSOt0QGi4gWJRxMFLi0Z9uyKqVqxgFzmD375XqQ5zO23YUIR7BIHqgpxZWCJWb/Pv4tTHmlm6NOwpQ3ECSPcg5XB9u3YocIDA2PAJV9qyvRwv59jKrF/VOOQeQBGfFGLNLVaZve2iTKhFl0pfjmUVS5m3BNaYF094k4Y9oTtG9cagBFe9Ea83FPC1WWsOvEQz+cET0Ud3lVU/Ib/rXok9jkTBaFi8ZGDgUrzN8fdFP49X7DK6IpPiyxvIm7iBxs8Q3ms9kMdlOP19zHLctXDyjYE=
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjm9yFjF2NJhkg1vJN2lQZ9oHpCNss3CXogzfJLSpy0jgd7aNdwhkaka4DMzBllFjw/o8QVXYjYRbzLcj8PaqgBTEuNBV9tntyd/qI6tjkEyYp0oJnw8LLYYLqvhAZkq1mioFwi7bvn92ncwNVirMsAhZpu/e8ZBYkkLCtsx0R51VU3gEDIPWIUvxgWdYFHgRCxWQbopWf0LulRTUnPHIgQab9iOuoM9p75ToGzwAKPHcU3l3MdTcx0eKFAph1C8/GlmajaFERAOjr12YrgPllbxHXcADYBx1eW0Ub16+3QZrDpCfIf9vI1tigPpst8cJCDcNZlgdvNACaG4757a/kjcERlp0KVLbcdW2iGPGnMNhCMWkm9x0aF7JxfhaenEIyHS3L/f4hamsHzGme2K4xo4g75p98Q0Qy/60hleszvtahI+M1T5PfRdI6hU5YfEYyWRhD6ywZyCnGRfrjNEpFrykmXt66TibDbp9h3JBu/nz/SaMfVMQk6mQFSA4g+4E=
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGovZggTNnX9Dk0kjs53fRWvRTNuJ+JDqxp9yigOGWMNbpPk+xKHAEHhUjs5fcVkSBuRDgCa6sP9mx0uaM9uAlIEfb36JNiYjXTRf8buanTyxRvQYnNJjKD3QxuvktaXty8rwF4rMXBqo/2mVk00gUb7SFP9b8Qy/Lfbr/BU+ORaIYqPj2QRiFWguTfuLlkujQk+oBA7Egheqq9uA/1u/81WkLuwdW2G2XTVtgF4Wq5Ps7njTEA/pquSFKfER0kH33Meqc9y7A78Qv0JBv5gjJ/uDzODHExetT0kqwuYEjPYuf85de2994HCpjRihVX+Y0uKeCcZ3ZD0QsNYJqgB72MQYMCnAW3kE9L5a862rC8ws0LZPvH+UDE1AIeIDjIpk7Nc+yZ9OhwfgCMcmSqGvuEGLWWyrGkgvW6Gs8OHyvcTRve3AOQz3MG3ZynPjvA1PwVD3ktedsxLnhBGyGBrStS3wCZjFrfgfmYEFBXeZKK9Y/vwcaHizd9ueQTT04Pd0=
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC72WFM7SMdUL7IRfLzWfFrKWj/S9Ri84LXSj80EnZy2iM2EISn2ZWUXhNRf+sKCRg1gLji9gdqojo5jB+e8/4O5lBG88y0lVtLi7HvVMK9QjzAlr7mU6o0iEjpeS1VFcTKjI8nxBpJQ1+URr31V52VzZ1yx2Rd2DxLoL2/+smFb3JwGJaAviPgL2BLjz444obX5rWNViFIp7OICLRWWXBxNdPrq7Ayiwubl3WA59PenjytKldaRY8eGLmDjAJvUM/xWcq0Fnep/+g5y7tou3MXO9a9+8EmcApB8OY7+dYNH8LSU26Erd6kx/qZgPD7omqTq3eNHavbW5HaWXhCwbJ38dqWgkocKWWVUjBHwdd5V5/tYIFuqam49QOyGKoJ2hDVt6xwDGYcUPIG3qAi6VfMGTF1C71BKq6aCRuthxs8owy4/LMea+O6XyLBJXUSk0DX7orPzamgVzbzfpEVGqdHb/gGqk2BmG86aWrmkV9vuIvDAJMpsI5ajdTaSYiCOXE=
diff --git a/ansible/roles/common/templates/ssh/sshd_config b/ansible/roles/common/templates/ssh/sshd_config
@@ -34,7 +34,7 @@ AcceptEnv LANG LC_*
 
 Subsystem sftp /usr/lib/openssh/sftp-server
 
-AllowGroups allow-ssh
+AllowGroups allow-ssh {{ allow_ssh_extra_groups }}
 
 {# The `Include` directive is not supported on older Ubuntu versions #}
 {% if ansible_distribution_release not in ["xenial", "bionic"] %}

diff --git a/ansible/roles/dev-desktop/defaults/main.yml b/ansible/roles/dev-desktop/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+vars_team_login_path: "/root/team_login"
+allow_ssh_extra_groups: "dev-desktop-allow-ssh"
diff --git a/ansible/roles/dev-desktop/files/github_app/gen_temp_access_token.py b/ansible/roles/dev-desktop/files/github_app/gen_temp_access_token.py
@@ -0,0 +1,39 @@
+import requests
+import os
+
+from github import Github
+from pprint import pprint
+
+from sys import argv
+
+from datetime import datetime, timedelta, timezone
+
+from github import GithubIntegration
+
+real_path = os.path.realpath(__file__)
+dir_path = os.path.dirname(real_path)
+
+
+def token(user, repo):
+    with open(os.path.join(dir_path, 'app_id.txt'), 'r') as fh:
+        app_id = int(fh.read())
+
+    with open(os.path.join(dir_path, 'dev-desktop.private-key.pem'), 'rb') as fh:
+        private_key = fh.read()
+
+    integration = GithubIntegration(app_id, private_key)
+
+    installation = integration.get_installation(user, repo)
+
+    auth = integration.get_access_token(installation.id)
+
+    return auth.token
+
+
+if __name__ == '__main__':
+    # executed as script, fetch args and dump result on command line
+
+    if len(argv) < 2:
+        print("usage: <github_username> <github_repo_name>")
+
+    print(token(argv[1], argv[2]))
diff --git a/ansible/roles/dev-desktop/files/github_app/git-credential-dev-desktop b/ansible/roles/dev-desktop/files/github_app/git-credential-dev-desktop
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+from sys import argv, stdin
+import os
+
+if argv[1] != "get":
+    exit(0)
+
+config = [x.strip() for x in stdin]
+
+if config[1] != "host=github.com":
+    exit(0)
+
+path = config[2].split('=')
+path = path[1].split('/')
+
+# Get the username of the caller, not the owner of
+# this script (which is setuid)
+user = os.getlogin()
+if user.starts_with("gh-"):
+    user = user[3:]
+
+# we don't support usernames differing from repo owner names for now
+if user != path[0]:
+    exit(0)
+repo = path[1].rsplit('.', 1)[0]
+
+real_path = os.path.realpath(__file__)
+dir_path = os.path.dirname(real_path)
+
+from dump import token
+
+for config in config:
+    print(config)
+
+print(f"username={user}")
+
+print(f"password={token(user, repo)}")
+print()
+
diff --git a/ansible/roles/dev-desktop/files/scripts/clean.sh b/ansible/roles/dev-desktop/files/scripts/clean.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+rm -rf rust*/build
diff --git a/ansible/roles/dev-desktop/files/scripts/detach_merged_prs.sh b/ansible/roles/dev-desktop/files/scripts/detach_merged_prs.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+for d in rust*
+do
+    cd $d
+    echo $d
+    # if the fast forward is successful, this branch is merged, so we can kill it
+    git pull upstream master --ff-only && git checkout --detach && git submodule update --init --recursive
+    cd ..
+done
diff --git a/ansible/roles/dev-desktop/files/scripts/help.sh b/ansible/roles/dev-desktop/files/scripts/help.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+echo "# Available scripts for managing your Rust checkouts"
+echo "init.sh              | first time setup, you should only have to execute this once on a new machine"
+echo "status.sh            | list the branches and git status of all copies of the Rust repo"
+echo "new_worktree.sh      | creates a worktree (shallow copy of the main git checkout of Rust, sharing the .git folder)"
+echo "detach_merged_prs.sh | invokes \"git pull --fast-forward-only\" on all worktrees and detaches those that are equal to the \"master\" branch"
+echo ""
+echo "# Rarer commands:"
+echo "set_defaults.sh      | connects the global config.toml with all worktrees. Use this when your setup is broken" 
+
diff --git a/ansible/roles/dev-desktop/files/scripts/init.sh b/ansible/roles/dev-desktop/files/scripts/init.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+username=`id -u -n`
+gh_name=${username#"gh-"}
+
+# Using https instead of git urls because vscode only handles login on push/pull
+git clone https://github.com/$gh_name/rust.git
+pushd rust
+git remote add upstream https://github.com/rust-lang/rust.git
+git fetch upstream
+git checkout upstream/master
+popd
+
+./setup_rustup.sh
diff --git a/ansible/roles/dev-desktop/files/scripts/new_worktree.sh b/ansible/roles/dev-desktop/files/scripts/new_worktree.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+N=$(ls | grep -E -e "rust[0-9]+" | wc -l)
+echo $N
+pushd rust
+git worktree add --detach ../rust$N
+popd
+pushd rust$N
+git fetch upstream
+git checkout upstream/master
+ln -s ../config.toml
+popd
+
+./setup_rustup.sh
diff --git a/ansible/roles/dev-desktop/files/scripts/set_defaults.sh b/ansible/roles/dev-desktop/files/scripts/set_defaults.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+for D in rust*; do
+    if [ -d "${D}" ]; then
+        pushd $D
+            ln -s ../config.toml
+        popd
+    fi
+done
diff --git a/ansible/roles/dev-desktop/files/scripts/setup_rustup.sh b/ansible/roles/dev-desktop/files/scripts/setup_rustup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -x
+
+rustup --version || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+for D in rust*; do
+    if [ -d "${D}" ]; then
+        rustup toolchain link "$D"_stage1 "$D/build/x86_64-unknown-linux-gnu/stage1"
+        rustup toolchain link "$D"_stage2 "$D/build/x86_64-unknown-linux-gnu/stage2"
+    fi
+done
diff --git a/ansible/roles/dev-desktop/files/scripts/status.sh b/ansible/roles/dev-desktop/files/scripts/status.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+for d in rust*
+do
+    cd $d
+    echo $d
+    git status --short --branch --untracked-files=no --ignore-submodules --no-ahead-behind --no-renames
+    cd ..
+done
diff --git a/ansible/roles/dev-desktop/files/skel/config.toml b/ansible/roles/dev-desktop/files/skel/config.toml
@@ -0,0 +1,9 @@
+changelog-seen = 2
+
+# Change this to the profile of your choice
+profile = "compiler"
+
+[rust]
+# Build with debug assertions so we get useful RUSTC_LOG
+# and notice debug assertions failing.
+debug = true
diff --git a/ansible/roles/dev-desktop/files/team_login/.gitignore b/ansible/roles/dev-desktop/files/team_login/.gitignore
@@ -0,0 +1 @@
+target