author | Alex Auvolat <alex@adnab.me> | 2024-03-17 11:35:07 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2024-03-17 11:35:07 +0100 |
commit | 8fdffdf12f79041e65d42b715965a95578c0a724 (patch) | |
tree | 1ec20a78f288ba996fa41680ef44e88460492678 | |
parent | d55c9610a9a24ffff63894092b7ab241fccd6860 (diff) | |
download | nixcfg-8fdffdf12f79041e65d42b715965a95578c0a724.tar.gz nixcfg-8fdffdf12f79041e65d42b715965a95578c0a724.zip |
prod: remove drone-ci
-rw-r--r-- | cluster/prod/app/drone-ci/config/litestream.yml | 10 | ||||
-rw-r--r-- | cluster/prod/app/drone-ci/deploy/server.hcl | 138 | ||||
-rw-r--r-- | cluster/prod/app/drone-ci/integration/README.md | 69 | ||||
-rw-r--r-- | cluster/prod/app/drone-ci/integration/docker-compose.yml | 54 | ||||
-rw-r--r-- | cluster/prod/app/drone-ci/integration/nix.conf | 9 | ||||
-rw-r--r-- | cluster/prod/app/drone-ci/secrets.toml | 48 | ||||
-rw-r--r-- | cluster/staging/known_hosts | 3 |
7 files changed, 3 insertions, 328 deletions
diff --git a/cluster/prod/app/drone-ci/config/litestream.yml b/cluster/prod/app/drone-ci/config/litestream.yml
deleted file mode 100644
index 813c824..0000000
--- a/cluster/prod/app/drone-ci/config/litestream.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-dbs:
- - path: /ephemeral/drone.db
- replicas:
- - url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
- region: garage
- endpoint: https://garage.deuxfleurs.fr
- access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
- secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
- force-path-style: true
- sync-interval: 60s
diff --git a/cluster/prod/app/drone-ci/deploy/server.hcl b/cluster/prod/app/drone-ci/deploy/server.hcl
deleted file mode 100644
index 99e95f6..0000000
--- a/cluster/prod/app/drone-ci/deploy/server.hcl
+++ /dev/null
@@ -1,138 +0,0 @@
-job "drone-ci" {
- datacenters = ["neptune", "scorpio"]
- type = "service"
-
- group "server" {
- count = 1
-
- network {
- port "web_port" {
- to = 80
- }
- }
-
- task "restore-db" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- args = [
- "restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
-
- task "drone_server" {
- driver = "docker"
- config {
- image = "drone/drone:2.14.0"
- ports = [ "web_port" ]
-
- volumes = [
- "../alloc/data:/ephemeral",
- ]
- }
-
- template {
- data = <<EOH
-DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
-DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
-DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
-DRONE_SERVER_HOST=drone.deuxfleurs.fr
-DRONE_SERVER_PROTO=https
-DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
-DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
-AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
-AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
-AWS_DEFAULT_REGION=garage
-AWS_REGION=garage
-DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
-DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
-DRONE_S3_PATH_STYLE=true
-DRONE_DATABASE_DRIVER=sqlite3
-DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
-DRONE_USER_CREATE=username:lx-admin,admin:true
-DRONE_REGISTRATION_CLOSED=true
-DRONE_LOGS_DEBUG=true
-DRONE_LOGS_TRACE=true
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- cpu = 100
- memory = 200
- }
-
- service {
- name = "drone"
- tags = [
- "drone",
- "tricot drone.deuxfleurs.fr",
- "d53-cname drone.deuxfleurs.fr",
- ]
- port = "web_port"
- address_mode = "host"
- check {
- type = "http"
- protocol = "http"
- port = "web_port"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "600s"
- ignore_warnings = false
- }
- }
- }
- }
-
- task "replicate-db" {
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- entrypoint = [ "/bin/sh" ]
- args = [
- "-c",
- "echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
- }
-}
diff --git a/cluster/prod/app/drone-ci/integration/README.md b/cluster/prod/app/drone-ci/integration/README.md
deleted file mode 100644
index ddd8530..0000000
--- a/cluster/prod/app/drone-ci/integration/README.md
+++ /dev/null
@@ -1,69 +0,0 @@
-## Install Debian
-
-We recommend Debian Bullseye
-
-## Install Docker CE from docker.io
-
-Do not use the docker engine shipped by Debian
-
-Doc:
-
- - https://docs.docker.com/engine/install/debian/
- - https://docs.docker.com/compose/install/
-
-On a fresh install, as root:
-
-```bash
-apt-get remove -y docker docker-engine docker.io containerd runc
-apt-get update
-apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-apt-get install -y docker-ce docker-ce-cli containerd.io
-
-curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-```
-
-## Install the runner
-
-*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
-
-
-```bash
-wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
-wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
-
-# Edit the docker-compose.yml to adapt its variables to your needs,
-# especially the capacitiy value and its name.
-COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
-```
-
-That's all folks.
-
-## Check if a given job is built by your runner
-
-```bash
-export URL=https://drone.deuxfleurs.fr
-export REPO=Deuxfleurs/garage
-export BUILD=1312
-curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
- | jq -c '[.stages[] | { name: .name, machine: .machine }]'
-```
-
-It will give you the following result:
-
-```json
-[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
-```
-
-## Random note
-
-*This part might be deprecated!*
-
-This setup is done mainly to allow nix builds with some cache.
-To use the cache in Drone, you must set your repository as trusted.
-The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
-the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.
-
diff --git a/cluster/prod/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml
deleted file mode 100644
index 41938c2..0000000
--- a/cluster/prod/app/drone-ci/integration/docker-compose.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-version: '3.4'
-services:
- nix-daemon:
- image: nixpkgs/nix:nixos-22.05
- restart: always
- command: nix-daemon
- privileged: true
- volumes:
- - "nix:/nix"
- - "./nix.conf:/etc/nix/nix.conf:ro"
-
- drone-runner:
- image: drone/drone-runner-docker:1.8.2
- restart: always
- environment:
- - DRONE_RPC_PROTO=https
- - DRONE_RPC_HOST=drone.deuxfleurs.fr
- - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=3
- - DRONE_DEBUG=true
- - DRONE_LOGS_TRACE=true
- - DRONE_RPC_DUMP_HTTP=true
- - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- - DRONE_RUNNER_LABELS=nix-daemon:1
- # we should put "nix:/nix:ro but it is not supported by
- # drone-runner-docker because the dependency envconfig does
- # not support having two colons (:) in the same stanza.
- # Without the RO flag (or using docker userns), build isolation
- # is broken.
- # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
- # https://github.com/kelseyhightower/envconfig/pull/153
- #
- # A workaround for isolation is to configure docker with a userns,
- # so even if the folder is writable to root, it is not to any non
- # privileged docker daemon ran by drone!
- - DRONE_RUNNER_VOLUMES=drone_nix:/nix
- - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
- ports:
- - "3000:3000/tcp"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-
- drone-gc:
- image: drone/gc:latest
- restart: always
- environment:
- - GC_DEBUG=true
- - GC_CACHE=10gb
- - GC_INTERVAL=10m
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-volumes:
- nix:
diff --git a/cluster/prod/app/drone-ci/integration/nix.conf b/cluster/prod/app/drone-ci/integration/nix.conf
deleted file mode 100644
index debea69..0000000
--- a/cluster/prod/app/drone-ci/integration/nix.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
-max-jobs = auto
-cores = 0
-log-lines = 200
-filter-syscalls = true
-sandbox = true
-keep-outputs = true
-keep-derivations = true
diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml
deleted file mode 100644
index ac07926..0000000
--- a/cluster/prod/app/drone-ci/secrets.toml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Drone's secrets
-
-[secrets."drone-ci/rpc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it would break all runners
-
-[secrets."drone-ci/cookie_secret"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 16'
-
-[secrets."drone-ci/db_enc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it is used to encrypt data which we would lose if we change this
-
-
-# Oauth config for gitea
-
-[secrets."drone-ci/oauth_client_secret"]
-type = 'user'
-description = 'OAuth client secret (for gitea)'
-
-[secrets."drone-ci/oauth_client_id"]
-type = 'user'
-description = 'OAuth client ID (on Gitea)'
-
-
-# S3 config for Git LFS storage
-
-[secrets."drone-ci/s3_db_bucket"]
-type = 'constant'
-value = 'drone-db'
-
-[secrets."drone-ci/s3_sk"]
-type = 'user'
-description = 'S3 (garage) secret key for Drone'
-
-[secrets."drone-ci/s3_ak"]
-type = 'user'
-description = 'S3 (garage) access key for Drone'
-
-[secrets."drone-ci/s3_storage_bucket"]
-type = 'constant'
-value = 'drone-storage'
-
-
diff --git a/cluster/staging/known_hosts b/cluster/staging/known_hosts
index d4cca40..feb244e 100644
--- a/cluster/staging/known_hosts
+++ b/cluster/staging/known_hosts
@@ -12,3 +12,6 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
 192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
 2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
 piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
+df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
+origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
+caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
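Review bot: The three host-key additions to cluster/staging/known_hosts are unrelated to the drone-ci removal that the commit title describes, and the message does not mention them, so a later reader auditing which SSH host keys this repository trusts (and why) has nothing to go on. Either split them into their own commit or add a line to the message such as `staging: add known_hosts entries for df-pw5, origan and caribou under *.machine.staging.deuxfleurs.org`, ideally noting how the fingerprints were obtained so the trust decision is traceable. The hunk header shows an existing df-pw5.machine.deuxfleurs.fr entry whose key prefix matches the new df-pw5.machine.staging.deuxfleurs.org line, which suggests the same host under a new name; if the old name is being retired, consider pruning the stale entry in the same change rather than leaving both trusted.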