This is the source code for a Slack bot. It is coded in Javascript using bolt. It has three components: bot, command-handler, and server. The bot is set up to run in socket mode. The server is a heart-beat monitor and runs on port 5000, while the bolt server listens on port 3000 by default. Read more in
- Docker installed
- Slack App setup
- Hetzner Account and configured with API Token in the cloud projects
- Tailscale Account and configured with API Token to install, add, remove machines
- Provisioner API Deployed to provision VMs on libvirt
-
pull down the latest image from ghcr
-
You can then run the bot
docker run --env-file <path-to-.env-file -d -p 5000:5000 -p 3000:3000 --name dev-bot <ghcr image>
If you change the bolt port or the server port, make sure to update that in the docker command -
You can find an example.env file in bot/example.env. Steps to generate all the tokens required and set up the bot are below.
If you would like to change the source code, or compile the slack Bot yourself:
-
Download the latest Slack Bot release
-
extract the zip folder. You can make modifications to the source code here.
-
Compile the bot code
docker build -t <DOCKER_IMAGE_NAME> .
-
You can then run the bot
docker run --env-file <path-to-.env-file -d -p 5000:5000 -p 3000:3000 --name dev-bot <ghcr image>
If you change the bolt port or the server port, make sure to update that in the docker command -
You can find an example.env file in bot/example.env. Steps to generate all the tokens required and set up the bot are below.
-
You will need to create a slack app
-
In the app creation progress, create new app from a manifest:
{
"display_information": {
"name": "Dev Bot"
},
"features": {
"bot_user": {
"display_name": "Dev Bot",
"always_online": true
}
},
"oauth_config": {
"scopes": {
"bot": [
"channels:history",
"chat:write",
"groups:history",
"im:history",
"mpim:history",
"users:read.email",
"users:read"
]
}
},
"settings": {
"event_subscriptions": {
"request_url": "<your server's url>",
"bot_events": [
"message.channels",
"message.groups",
"message.im",
"message.mpim"
]
},
"interactivity": {
"is_enabled": true,
"request_url": "<your server's url>"
},
"org_deploy_enabled": false,
"socket_mode_enabled": false,
"token_rotation_enabled": false
}
}
-
Once you have created your Slack App, in the App credentials under Basic information, you will find your signing secret.
-
Scroll down to App-Level-Tokens and generate a token with connections:write scope. This will be your app token
-
In the left bar settings menu, Select Install App. This will generate your bot token for you.
-
Navigate to hetzner cloud
-
Create a project.
-
Once in the project, select security from the left menu bar options.
-
Select API tokens and generate an API Token with Read & Write permissions. This will be your hetzner api token.
Note: For the steps below use a service account that has Admin permissions.
-
Navigate to tailscale admin console
-
In the top menu bar, click DNS. This will give you your Tailnet name.
-
In the top menu bar select Settings.
-
In the left menu bar select keys.
-
Generate an auth key: you will need to give it a description, and select Reusable. The key must be rotated and has a max expiration of 90 days, but can be shortened. Leave Ephemeral, and Tags unchecked and generate the key. This will be your tailscale auth key.
-
Generate an API acess token: you will need to give it a description. The key must be rotated and has a max expiration of 90 days, but can be shortened. This will be your Tailscale api token.
Here is an example ACL that does the following:
- Machines with
tag:app-prod-provisioner-api
can talk totag:app-prod-provisioner-nodes
and vice versa. - Users in
group:app-prod-provisioner-developers
can talk totag:app-prod-provisioner-api
andtag:app-prod-provisioner-nodes
[email protected]
is part ofgroup:app-prod-provisioner-developers
[email protected]
can access their own instances tagged withtag:tim-cook
however because we are using a SVC Admin account to tag the machinestim.cook
doesn't actually own the tag itself.
The goals of this ACL policy are to allow the provisioner API to access "provisioner nodes" via SSH (port 2222 since tailscale SSH takes over port 22). tim.cook
needs to be able to admistrate provisioner nodes so he is part of group:app-prod-provisioner-developers
otherwise he can be kept out of this group. tim.cook
also uses a workspace himself so he needs to have a tag himself. Any user that uses a developer workspace will need their own tag so that this slack workspace bot can assign machines to them (e.g. tag:tim-cook
).
When testing new policies/ACLs it's best to just create a separate tailnet/tailscale account for testing.
{
"acls": [
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-api:*",
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"group:app-prod-provisioner-developers"
]
},
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"tag:app-prod-provisioner-api"
]
},
{
"action": "accept",
"dst": [
"tag:tim-cook:*"
],
"src": [
"[email protected]"
]
}
],
"groups": {
"group:app-prod-provisioner-developers": [
"[email protected]"
]
},
"ssh": [
{
"action": "check",
"dst": [
"autogroup:self"
],
"src": [
"autogroup:member"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:tim-cook"
],
"src": [
"autogroup:member",
"autogroup:admin"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:app-prod-provisioner-api",
"tag:app-prod-provisioner-nodes"
],
"src": [
"group:app-prod-provisioner-developers"
],
"users": [
"autogroup:nonroot",
"root"
]
}
],
"tagOwners": {
"tag:tim-cook": [
"autogroup:admin"
],
"tag:app-prod-provisioner-api": [
"group:app-prod-provisioner-developers"
],
"tag:app-prod-provisioner-nodes": [
"group:app-prod-provisioner-developers"
]
}
}
The bot is set up with a command handler to process text commands with a prefix of ! i.e. !vm. It currently does not support slash commands.
The bot has some built in example commands found in bot/src/commands. To register a new command, create a file command.js in either the bot/src/commands, or command-handler/src/commands with myCommand.js
being the command you want to register.