authorAlex Auvolat <alex@adnab.me>2022-09-09 12:24:11 +0200
committerAlex Auvolat <alex@adnab.me>2022-09-09 12:24:11 +0200
commitbe0d7a7ccc46b7a847ef483f83759f8c9b790a1e (patch)
treeac1d2ec9e6fd79eb71bbb68f29cc453ab9d0abcd
parentb23218a7f6056d623f57dc4a06f0953252829fed (diff)
Drone integration files for new version (Nix runners)
-rw-r--r--cluster/prod/app/drone-ci/integration/README.md25
-rw-r--r--cluster/prod/app/drone-ci/integration/docker-compose.yml34
-rw-r--r--cluster/prod/app/drone-ci/integration/nix.conf9
3 files changed, 47 insertions, 21 deletions
diff --git a/cluster/prod/app/drone-ci/integration/README.md b/cluster/prod/app/drone-ci/integration/README.md
index b3c1cc6..ddd8530 100644
--- a/cluster/prod/app/drone-ci/integration/README.md
+++ b/cluster/prod/app/drone-ci/integration/README.md
@@ -26,25 +26,18 @@ curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compo
chmod +x /usr/local/bin/docker-compose
```
-## Prepare the runner
+## Install the runner
-Nix folder must be populated before launching any build.
+*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
-```bash
-docker run --rm -it -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
-```
-
-This folder will grow over time and might need to be garbage collected.
-As a rule of thumb, after running a full release of Garage, this folder will require 10GB.
-Consider provisioning it with at least 20GB.
-
-## Launch the runner
-
-Because we use a shared nix folder, we set the number of concurrent builds to 1.
-For more details and customizations, see `docker-compose.yml`.
```bash
-DRONE_NAME=lheureduthe DRONE_OWNER=quentin DRONE_SECRET=xxx docker-compose up -d
+wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
+wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
+
+# Edit the docker-compose.yml to adapt its variables to your needs,
+# especially the capacitiy value and its name.
+COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
```
That's all folks.
@@ -67,6 +60,8 @@ It will give you the following result:
## Random note
+*This part might be deprecated!*
+
This setup is done mainly to allow nix builds with some cache.
To use the cache in Drone, you must set your repository as trusted.
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
diff --git a/cluster/prod/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml
index 1e37255..57fdd09 100644
--- a/cluster/prod/app/drone-ci/integration/docker-compose.yml
+++ b/cluster/prod/app/drone-ci/integration/docker-compose.yml
@@ -1,5 +1,14 @@
version: '3.4'
services:
+ nix-daemon:
+ image: nixpkgs/nix:nixos-22.05
+ restart: always
+ command: nix-daemon
+ privileged: true
+ volumes:
+ - "nix:/nix"
+ - "./nix.conf:/etc/nix/nix.conf:ro"
+
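Review bot: `privileged: true` on the new nix-daemon service gives that container every capability plus unrestricted host device access, which is far wider than a sandboxed nix-daemon should need; the Nix build sandbox presumably only needs to create namespaces and mounts (roughly `CAP_SYS_ADMIN`, possibly with a relaxed seccomp profile), so a narrower `cap_add` list is worth testing before this ships as the "safer" runner the README promises. Note also that if the host dockerd runs with userns-remap, which is the isolation workaround the runner's own comments rely on, Docker's userns documentation says a privileged container is refused unless it also sets `userns_mode: host`, and that should be stated here rather than discovered at `docker-compose up`. A one-line comment such as `# privileged is required for sandbox = true in nix.conf (namespaces/mounts); incompatible with userns-remap unless userns_mode: host` would record both facts.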
drone-runner:
image: drone/drone-runner-docker:latest
restart: always
@@ -7,21 +16,32 @@ services:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
+ - DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
- - DRONE_RUNNER_LABELS=nix:1
- #- DRONE_RUNNER_VOLUMES=/var/lib/drone/nix:/nix
+ - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
+ - DRONE_RUNNER_LABELS=nix-daemon:1
+ # we should put "nix:/nix:ro but it is not supported by
+ # drone-runner-docker because the dependency envconfig does
+ # not support having two colons (:) in the same stanza.
+ # Without the RO flag (or using docker userns), build isolation
+ # is broken.
+ # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
+ # https://github.com/kelseyhightower/envconfig/pull/153
+ #
+ # A workaround for isolation is to configure docker with a userns,
+ # so even if the folder is writable to root, it is not to any non
+ # privileged docker daemon ran by drone!
+ - DRONE_RUNNER_VOLUMES=drone_nix:/nix
+ - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- - "/var/lib/drone/nix:/var/lib/drone/nix"
- drone-gc:
+ drone-gc:
image: drone/gc:latest
restart: always
environment:
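Review bot: The new `DRONE_RUNNER_VOLUMES=drone_nix:/nix` mounts the store read-write into every build container, and the comment above it already concedes that build isolation is broken unless the host dockerd runs with userns-remap, yet nothing in this file or the README records or checks that precondition, so a runner started with the documented one-liner silently shares a writable /nix between untrusted pipelines. The same mount exposes the daemon socket under /nix/var, and since build containers presumably run as uid 0 the daemon would see them as its trusted root user unless the uids are remapped — confirm this against nix-daemon's peer-credential handling. At minimum turn the "A workaround" paragraph into a hard requirement, e.g. `# REQUIRED: host dockerd must run with userns-remap; otherwise any pipeline can tamper with /nix/store and reach the daemon socket as root`, and repeat it in the README install step. The placeholder `DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name` could become `DRONE_RUNNER_NAME=${DRONE_NAME:?DRONE_NAME must be set}` so a forgotten edit fails at startup instead of registering a misnamed runner.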
@@ -30,3 +50,5 @@ services:
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
+volumes:
+ nix:
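Review bot: The top-level `nix:` volume is created by Compose as `<project>_nix`, while the runner references the literal name `drone_nix` in `DRONE_RUNNER_VOLUMES`, so the two only line up when the project is called exactly `drone` as the README's `COMPOSE_PROJECT_NAME=drone` happens to ensure; with any other project name Docker will silently create a separate, empty `drone_nix` volume and builds get a /nix with no daemon socket. Pin the name on the volume itself so the coupling is explicit and independent of the project name: `nix:` followed by `  name: drone_nix` (supported from compose file format 3.4, which this file declares).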
diff --git a/cluster/prod/app/drone-ci/integration/nix.conf b/cluster/prod/app/drone-ci/integration/nix.conf
new file mode 100644
index 0000000..debea69
--- /dev/null
+++ b/cluster/prod/app/drone-ci/integration/nix.conf
@@ -0,0 +1,9 @@
+substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
+trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
+max-jobs = auto
+cores = 0
+log-lines = 200
+filter-syscalls = true
+sandbox = true
+keep-outputs = true
+keep-derivations = true
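Review bot: The new nix.conf sets no `trusted-users` or `allowed-users`, so the daemon runs with its defaults (presumably `trusted-users = root`), and because pipelines reach the daemon socket through the shared /nix volume as container root they would likely be treated as trusted clients able to pass extra substituters and other daemon options, unless the host dockerd remaps uids — confirm this against the daemon's peer-credential check. Write the two settings explicitly so the assumption is visible, e.g. `trusted-users = root` and `allowed-users = *`, preceded by `# builds connect as uid 0 from their containers; isolation relies on docker userns-remap, not on these lists`. Since this file is now the only place the build sandbox is configured, a short comment above each group (substituters and keys, concurrency, sandboxing, GC policy) would also make the intent of `keep-outputs`/`keep-derivations` and `sandbox = true` clear to the next operator.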