authorAlex Auvolat <alex@adnab.me>2022-05-30 14:57:05 +0200
committerAlex Auvolat <alex@adnab.me>2022-05-30 14:57:05 +0200
commitd47d4e93ab8682710e80eec8c7c9d6a7d2f14202 (patch)
treea0039fb674a7150c0338707606a20c9d62ced1e5
parent2d9adf82d04261f420af4cc5482e442297741a5d (diff)
downloadnixcfg-d47d4e93ab8682710e80eec8c7c9d6a7d2f14202.tar.gz
nixcfg-d47d4e93ab8682710e80eec8c7c9d6a7d2f14202.zip
Work on drone runner as VM
-rw-r--r--app/drone-ci/build/.gitignore2
-rw-r--r--app/drone-ci/build/Makefile8
-rw-r--r--app/drone-ci/build/build-qcow2.nix24
-rw-r--r--app/drone-ci/build/machine-config.nix68
-rw-r--r--app/drone-ci/deploy/runner-insecure.hcl91
-rw-r--r--app/drone-ci/deploy/runner-vm.hcl43
-rw-r--r--app/drone-ci/secrets/drone-ci/rpc_secret1
-rw-r--r--nix/configuration.nix2
-rw-r--r--nix/deuxfleurs.nix11
9 files changed, 250 insertions, 0 deletions
diff --git a/app/drone-ci/build/.gitignore b/app/drone-ci/build/.gitignore
new file mode 100644
index 0000000..ef92077
--- /dev/null
+++ b/app/drone-ci/build/.gitignore
@@ -0,0 +1,2 @@
+result/
+*.qcow2.zst
diff --git a/app/drone-ci/build/Makefile b/app/drone-ci/build/Makefile
new file mode 100644
index 0000000..2814a0d
--- /dev/null
+++ b/app/drone-ci/build/Makefile
@@ -0,0 +1,8 @@
+.PHONY: all
+
+all:
+ nix-build '<nixpkgs/nixos>' -A config.system.build.qcow2 --arg configuration "{ imports = [ ./build-qcow2.nix ]; }" --show-trace
+ zstd -7 -i result/nixos.qcow2 -o drone-runner.qcow2.zst -f
+ RESULTPATH=`readlink result`; rm result; nix-store --delete $$RESULTPATH
+ rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv
+
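Review bot: The image is pushed to a public web location (`rclone copy drone-runner.qcow2.zst grgdf:alex/`) with nothing next to it that lets a consumer verify what it fetched, and the runner-vm.hcl artifact stanza in this same commit downloads it without any checksum. Emitting a digest in the same target, e.g. `sha256sum drone-runner.qcow2.zst > drone-runner.qcow2.zst.sha256` just before the copy, gives the Nomad job something to pin. Separately, the `zstd` invocation passes `-i`, which as far as I recall is a benchmark-timing option in zstd rather than an input selector; the input is normally positional, `zstd -7 result/nixos.qcow2 -o drone-runner.qcow2.zst -f`, so this is worth checking since the rest of the pipeline depends on that file.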
diff --git a/app/drone-ci/build/build-qcow2.nix b/app/drone-ci/build/build-qcow2.nix
new file mode 100644
index 0000000..266ba2c
--- /dev/null
+++ b/app/drone-ci/build/build-qcow2.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ imports =
+ [
+ <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+ ./machine-config.nix
+ ];
+
+ system.build.qcow2 = import <nixpkgs/nixos/lib/make-disk-image.nix> {
+ inherit lib config;
+ pkgs = import <nixpkgs> { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
+ diskSize = 8192;
+ format = "qcow2";
+ configFile = pkgs.writeText "configuration.nix"
+ ''
+ {
+ imports = [ <./machine-config.nix> ];
+ }
+ '';
+ };
+}
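Review bot: The `configFile` baked into the image imports `<./machine-config.nix>`, and angle-bracket paths are resolved through NIX_PATH, not relative to the file; since machine-config.nix is not itself copied into the image, a `nixos-rebuild` inside the VM presumably cannot resolve it. Interpolating the file's store path instead, `imports = [ ${./machine-config.nix} ];`, makes the reference concrete, though whether that path ends up in the image closure should be confirmed against make-disk-image. A short comment on `diskSize = 8192;` stating the unit (make-disk-image treats it as MiB, if I remember correctly) would also help.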
diff --git a/app/drone-ci/build/machine-config.nix b/app/drone-ci/build/machine-config.nix
new file mode 100644
index 0000000..3b55078
--- /dev/null
+++ b/app/drone-ci/build/machine-config.nix
@@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports = [
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ];
+
+ config = {
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ boot.growPartition = true;
+ boot.kernelParams = [ "console=ttyS0" ];
+ boot.loader.grub.device = "/dev/vda";
+ boot.loader.timeout = 0;
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
+ ];
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "prohibit-password";
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ };
+
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.oci-containers.containers = {
+ drone_runner = {
+ image = "drone/drone-runner-docker:1.4.0";
+ volumes = [
+ "/nix:/nix"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ DRONE_RPC_PROTO = "https";
+ DRONE_RPC_HOST = "drone.deuxfleurs.fr";
+ DRONE_RUNNER_CAPACITY = "1";
+ DRONE_DEBUG = "true";
+ DRONE_LOGS_TRACE = "true";
+ DRONE_RPC_DUMP_HTTP = "true";
+ DRONE_RPC_DUMP_HTTP_BODY = "true";
+ DRONE_RUNNER_LABELS = "nix:1";
+ };
+ environmentFiles = [
+ "/dev/qemu/dronesecret0"
+ ];
+ };
+ drone_gc = {
+ image = "drone/gc:latest";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ GC_DEBUG = "true";
+ GC_CACHE = "10gb";
+ GC_INTERVAL = "10m";
+ };
+ };
+ };
+ };
+}
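Review bot: The runner image ships with `DRONE_DEBUG`, `DRONE_LOGS_TRACE`, `DRONE_RPC_DUMP_HTTP` and `DRONE_RPC_DUMP_HTTP_BODY` all set to `"true"` in the drone_runner `environment`, so every RPC exchange with the server, including request headers and bodies that presumably carry the RPC token and pipeline secrets, is written to the container log on a machine that runs untrusted CI jobs. Those four should be dropped (or gated on a build-time argument) before the image is published; `DRONE_RUNNER_CAPACITY` and `DRONE_RUNNER_LABELS` are enough for normal operation. The `environmentFiles = [ "/dev/qemu/dronesecret0" ]` path also does not match anything the host-side `-object secret,...` argument in runner-vm.hcl exposes to the guest as far as I know; a `-fw_cfg` blob read from `/sys/firmware/qemu_fw_cfg/by_name/...` is the usual channel, so please confirm where this file is meant to come from. Finally, `drone/gc:latest` is an unpinned tag while the runner is pinned to `1.4.0`; pin it for the same reason.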
diff --git a/app/drone-ci/deploy/runner-insecure.hcl b/app/drone-ci/deploy/runner-insecure.hcl
new file mode 100644
index 0000000..2ea5638
--- /dev/null
+++ b/app/drone-ci/deploy/runner-insecure.hcl
@@ -0,0 +1,91 @@
+job "drone-runner" {
+ datacenters = ["neptune"]
+ type = "system"
+
+ group "runner" {
+
+ task "populate-nix-store" {
+ lifecycle {
+ hook = "prestart"
+ sidecar = false
+ }
+
+ driver = "docker"
+ config {
+ image = "nixpkgs/nix:nixos-21.05"
+ command = "sh"
+ args = [
+ "-c", "cp -rv /nix/{store,var} /mnt/"
+ ]
+ volumes = [
+ "/var/lib/drone/nix:/mnt",
+ ]
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+ }
+
+ task "drone-runner" {
+ driver = "docker"
+ config {
+ image = "drone/drone-runner-docker:1.4.0"
+
+ volumes = [
+ "/var/lib/drone/nix:/nix",
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ]
+ }
+
+ template {
+ data = <<EOH
+DRONE_RPC_PROTO=https
+DRONE_RPC_HOST=drone.deuxfleurs.fr
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_CAPACITY=1
+DRONE_DEBUG=true
+DRONE_LOGS_TRACE=true
+DRONE_RPC_DUMP_HTTP=true
+DRONE_RPC_DUMP_HTTP_BODY=true
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+DRONE_RUNNER_LABELS=nix:1
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 200
+ cpu = 100
+ }
+ }
+
+ task "drone-gc" {
+ driver = "docker"
+ config {
+ image = "drone/gc:latest"
+
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ]
+ }
+
+ template {
+ data = <<EOH
+GC_DEBUG=true
+GC_CACHE=10gb
+GC_INTERVAL=10m
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+ }
+ }
+}
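Review bot: The `drone-runner` task mounts the Nomad host's `/var/run/docker.sock` into the runner container, which makes every CI pipeline root-equivalent on that host; the file name acknowledges this, but nothing in the job restricts where it lands, and `type = "system"` schedules it on every client in `neptune`. If this variant is kept as a fallback, a `constraint` pinning it to a dedicated node plus a header comment stating that it must not share a host with other workloads would keep it from being deployed by mistake. The same debug and dump variables as in machine-config.nix (`DRONE_RPC_DUMP_HTTP_BODY=true` and friends) are rendered into `secrets/env` here and will end up in task logs, so drop them as well. In `populate-nix-store`, `cp -rv /nix/{store,var} /mnt/` relies on brace expansion, which `sh` only provides when it is bash; `cp -rv /nix/store /nix/var /mnt/` is portable.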
diff --git a/app/drone-ci/deploy/runner-vm.hcl b/app/drone-ci/deploy/runner-vm.hcl
new file mode 100644
index 0000000..28beeb8
--- /dev/null
+++ b/app/drone-ci/deploy/runner-vm.hcl
@@ -0,0 +1,43 @@
+job "drone-runner" {
+ datacenters = ["neptune"]
+ type = "system"
+
+ group "runner-vm" {
+ network {
+ port "ssh" { }
+ }
+
+ task "drone-runner-vm" {
+ driver = "qemu"
+
+ config {
+ image_path = "local/drone-runner.qcow2"
+ accelerator = "kvm"
+ args = [
+ "-object", "secret,id=dronesecret0,file=secrets/secret_env"
+ ]
+ port_map {
+ ssh = 22
+ }
+ }
+
+ artifact {
+ source = "https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst"
+ destination = "local/drone-runner.qcow2"
+ mode = "file"
+ }
+
+ template {
+ data = <<EOH
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+EOH
+ destination = "secrets/secret_env"
+ }
+
+ resources {
+ memory = 2000
+ }
+ }
+ }
+}
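Review bot: The `artifact` stanza fetches the VM image from `https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst` with no integrity check, so whoever can write to that web location (or to the `grgdf:alex/` rclone remote the Makefile pushes to) controls the code that runs every CI job; add `options { checksum = "sha256:<digest of drone-runner.qcow2.zst>" }` to the stanza and update it with each publish. The `-object secret,id=dronesecret0,file=secrets/secret_env` argument defines a host-side QEMU secret object, which as far as I know is consumed by QEMU itself (for encrypted disks and similar) and is not visible inside the guest, whereas machine-config.nix expects the file at `/dev/qemu/dronesecret0`; a `-fw_cfg name=opt/<namespace>/dronesecret0,file=secrets/secret_env` entry read from `/sys/firmware/qemu_fw_cfg/` in the guest is the documented way to hand such a blob to the VM. The task reserves `memory` but no `cpu`, and the `ssh` port mapping publishes the guest's sshd on a host-allocated port, which is acceptable with key-only root login but deserves a one-line comment on why it is needed.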
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/app/drone-ci/secrets/drone-ci/rpc_secret
new file mode 100644
index 0000000..7f00649
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/rpc_secret
@@ -0,0 +1 @@
+USER Drone RPC secret
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 984307c..825cab2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -71,6 +71,8 @@ SystemMaxUse=1G
docker-compose
wireguard
wesher
+ qemu
+ qemu_kvm
];
programs.vim.defaultEditor = true;
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 055ac55..d20ea5d 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -151,6 +151,12 @@ in
services.nomad.enable = true;
services.nomad.package = pkgs.nomad_1_1;
+ services.nomad.extraPackages = [
+ pkgs.glibc
+ pkgs.zstd
+ pkgs.qemu
+ pkgs.qemu_kvm
+ ];
services.nomad.settings =
(if cfg.is_raft_server
then { server = {
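Review bot: `services.nomad.extraPackages` now carries `pkgs.glibc` and `pkgs.zstd` alongside the qemu packages without saying why; neither is obviously required by the qemu task driver, so a why-comment such as `# zstd: decompress the .qcow2.zst artifact; glibc: <reason>` would keep the next maintainer from pruning them. The second hunk of this file (the `qemu = [ { enabled = true; } ]` plugin block) enables the qemu driver on every client that imports this module rather than only on the node meant to host the runner VM; if that is intended, a comment there, or a conditional like the existing `cfg.is_raft_server` branching, would make it explicit. The enclosing `services.nomad.settings` expression starts in this hunk and continues well past it.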
@@ -201,6 +207,11 @@ in
];
}
];
+ qemu = [
+ {
+ enabled = true;
+ }
+ ];
}
];
};