Shell Of A New Machine: Quickly configure new environments

Overview

Shell Of A New Machine

soanm is a dead-simple tool for easily configuring new UNIX machines, with almost zero prerequisites on the target machine. All it needs is curl.

Right now it works on MacOS and Linux on both aarch64 and x86_64, and OpenBSD on x86_64. These are the systems I typically use and can easily build on, but porting it to new platforms is as simple as compiling a new static Rust binary and adding it to the release on Github. If you want support for a new platform, add an issue and I'll be happy to get it ported.

The Basic Idea

When you install a new operating system on some machine, whether it's a server, a laptop, a desktop, or a VM, it can be a hassle to get to the point of feeling comfortable on that machine: You use dozens of tools that need to be installed, and many of these need to be configured. You need to set up Tailscale, and SSH keys, and API keys.

Wouldn't it be great if you could just do this all at once, in a totally custom way? Well, now you can!

You'll need two computers: One "sponsor", which is equipped with any resources needed for provisioning the other machine (the "enrollee"). For example, if you want your new machines to have access to GitHub, your sponsor computer should have the ability to add ssh keys to GitHub.

To configure soanm, you'll also want a directory that describes the configuration phases: It should have a subdirectory enroll, with programs that will be run on the enrollee, a subdirectory sponsor with programs that will be run on the sponsor, and a subdirectory results, where output from the enrollee will be stored. There must be the same number of programs in the sponsor and enroll directories, and these all must be set as executable.

Once you have created this configuration directory, the provisioning process is begun by running soanm sponsor [conf_directory]. This will print a corresponding command for you to run on the enrollee (this command will include a secret used to securely connect the computers to one another).

The program pairs will be run in order, sorted by filename. For each pair, the sponsor program is run first, and its output is sent over a Magic Wormhole. That output is then used as the input to the corresponding enroll program. The enroll output, in turn, is sent back to the sponsor and saved in the results directory, where it can be used by subsequent sponsor programs.

Note that on the sponsor machine, the stdin of the configuration programs is inherited from the top-level programs, allowing for user input. And on both sponsor and enrollee machines, stderr is printed to the corresponding terminal.

How to use it

The sponsor machine needs a relatively recent rust version, and a directory with a subdirectory for the sponsor programs, one for the enroll programs, and an empty one called results.

cargo install soanm
soanm sponsor config_dir

This will print out a command, which should be run on the enrollee.

Security considerations

Under some assumptions, it should be relatively safe to use this tool to pass secrets around.

You obviously have to trust that the release binaries provided here are not malicious. I hereby stake my reputation on the claim that I built them myself from the sources contained in this repository, which (of course) does not contain malicious code. But if you don't trust me, or the tree of dependencies I used to build these binaries, you should verify that the release binaries look safe. This also requires trusting GitHub to faithfully serve binaries that have been uploaded, as well as trusting that no one has unauthorized access to my Github account. For obvious reasons I try hard to protect my Github account, and I promise that I will never hand control of this repository to anyone else.

You also need to trust the magic-wormhole protocol. We use the default magic-wormhole rendezvous server (ws://relay.magic-wormhole.io:4000/v1) to establish a secure peer-to-peer connection, over which files are transmitted. We default to using a 128-bit passphrase (16 words) for the initial rendezvous, though this is configurable on the sponsor command line. We have chosen to use very long passphrases by default, since we want an extremely low probability of being man-in-the-middled, and since the usual scenario is that you're copy/paste-ing the passphrase from one shell to another.

Why not just use [a different tool]?

There are lots of tools that could be used for parts of this task. Foremost among them is Nix. If you only use Linux, MacOS, or maybe FreeBSD, Nix can do everything you need: Just write a quick script that installs nix, grabs your nix configuration, and instantiates it into your profile, and then you can curl -L [myscript] | bash to magically set everything up. But if you use any other platforms, like (say) OpenBSD, Nix isn't currently viable.

Other possibilities:

  • You could write a script that uses SCP to send your files and configuration scripts to the remote host, and then runs them. This would work fine, but it requires that you have SSH access to the new host, which isn't typically the case by default on a new laptop, for example.
  • You could use Ansible, or Puppet, or Terraform. But then you need to have the tool installed on the host, and of course you need to learn how to use these systems, which can be complicated. soanm doesn't require anything fancier than shell scripting, and lets you write code in any language you want as long as you ensure it's installed properly by an earlier stage. With most of these other tools, you'll likely need an additional tool for managing your secrets, while with soanm you can pipe them safely to the new host from the old one.
  • You could use a dotfiles manager, like chezmoi. These typically won't install packages for you, or run arbitrary code, though.

You can easily combine soanm with any of these other methods, if that's what you'd like to do.

There are probably a thousand ways to do this kind of task. I couldn't find one I liked, so I wrote one that I do. Maybe you'll like it too.

You might also like...
A command-line shell like fish, but POSIX compatible.
A command-line shell like fish, but POSIX compatible.

A command-line shell like fish, but POSIX compatible.

Zash - A Zuper Awesome Shell
Zash - A Zuper Awesome Shell

Zash - A Zuper Awesome Shell Welcome to zash, its activily being developed and is not near a stable release. Installation Arch: yay -S zash Paru seem

A very opinionated, zero-configuration shell prompt
A very opinionated, zero-configuration shell prompt

A very opinionated, zero-configuration shell prompt

An interactive shell environment for exploring the p2panda protocol
An interactive shell environment for exploring the p2panda protocol

An interactive shell environment for exploring the p2panda protocol. Uses a mock node and clients to simulate network logic.

Self-contained template system with Handlebars and inline shell scripts

Handlematters Self-contained template system with Handlebars and inline shell scripts Introduction Handlematters is a template system that combines Ha

A shell Made in rust 🦀

vsh A Blazingly fast shell made in Rust 🦀 Why make another shell? Because the current leading rust shell is very opinionated, atleast to me. As it br

dye is a tool to easily color text in shell.
dye is a tool to easily color text in shell.

Dye dye is a tool to easily color text in shell. Usage See the gif below to see these commands in action. echo $(dye --red WARN) This tool will knock

A Unix shell written and implemented in rust 🦀

vsh A Blazingly fast shell made in Rust 🦀 Installation Copy and paste the following command and choose the appropriate installtion method for you. Yo

Shellcheck - a static analysis tool for shell scripts
Shellcheck - a static analysis tool for shell scripts

ShellCheck - A shell script static analysis tool ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts: The goals o

Owner
Ben Weinstein-Raun
Ben Weinstein-Raun
Quickly save and retrieve values for shell scripts.

Quickly save and retrieve values for shell scripts.

Alex Andrade 2 Dec 15, 2022
A new type of shell

A new type of shell

Nushell Project 22.5k Jan 8, 2023
A CLI to easily switch between multiple Neovim configuration environments, written in Rust

Neovim Configuration Switcher Neovim Configuration Switcher (short nvims) is a CLI to easily switch between multiple Neovim configuration environments

Nhan Pham 3 Mar 30, 2024
This tool was developed as part of a course on forensic analysis and cybersecurity. It is intended to be used as a training resource to help students understand the structure and content of job files in Windows environments.

Job File Parser Job File Parser is a Rust-based tool designed for parsing both legacy binary job files and modern XML job files used by the Windows Ta

Mehrnoush 3 Aug 12, 2024
Shell scripting that will knock your socks off

atom Shell scripting that will knock your socks off. NOTE: Click the image above for a video demonstration.

adam mcdaniel 256 Dec 14, 2022
🐢 Atuin replaces your existing shell history with a SQLite database, and records additional context for your commands

Atuin replaces your existing shell history with a SQLite database, and records additional context for your commands. Additionally, it provides optional and fully encrypted synchronisation of your history between machines, via an Atuin server.

Ellie Huxtable 4.6k Jan 1, 2023
a cute shell thingy that written in rust

a cute shell thingy that written in rust

奥田 龍馬 12 Dec 29, 2021
A shell for research papers

Reason: A Shell for Research Papers Did I ever read this paper? Which OSDI 2021 papers did I read? Which ones have the word 'Distributed' in their tit

Jae-Won Chung 121 Nov 27, 2022
Explore from the safety of your shell

turtlescan Explore from the safety of your shell Installation: cargo install turtlescan tui Starts a little tui which connects to your JSON-RPC server

Brian Cloutier 4 Sep 13, 2022
dune - A shell by the beach!

dune - A shell by the beach!

adam mcdaniel 640 Dec 29, 2022