aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2024-03-17 11:35:07 +0100
committerAlex Auvolat <alex@adnab.me>2024-03-17 11:35:07 +0100
commit8fdffdf12f79041e65d42b715965a95578c0a724 (patch)
tree1ec20a78f288ba996fa41680ef44e88460492678
parentd55c9610a9a24ffff63894092b7ab241fccd6860 (diff)
downloadnixcfg-8fdffdf12f79041e65d42b715965a95578c0a724.tar.gz
nixcfg-8fdffdf12f79041e65d42b715965a95578c0a724.zip
prod: remove drone-ci
-rw-r--r--cluster/prod/app/drone-ci/config/litestream.yml10
-rw-r--r--cluster/prod/app/drone-ci/deploy/server.hcl138
-rw-r--r--cluster/prod/app/drone-ci/integration/README.md69
-rw-r--r--cluster/prod/app/drone-ci/integration/docker-compose.yml54
-rw-r--r--cluster/prod/app/drone-ci/integration/nix.conf9
-rw-r--r--cluster/prod/app/drone-ci/secrets.toml48
-rw-r--r--cluster/staging/known_hosts3
7 files changed, 3 insertions, 328 deletions
diff --git a/cluster/prod/app/drone-ci/config/litestream.yml b/cluster/prod/app/drone-ci/config/litestream.yml
deleted file mode 100644
index 813c824..0000000
--- a/cluster/prod/app/drone-ci/config/litestream.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-dbs:
- - path: /ephemeral/drone.db
- replicas:
- - url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
- region: garage
- endpoint: https://garage.deuxfleurs.fr
- access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
- secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
- force-path-style: true
- sync-interval: 60s
diff --git a/cluster/prod/app/drone-ci/deploy/server.hcl b/cluster/prod/app/drone-ci/deploy/server.hcl
deleted file mode 100644
index 99e95f6..0000000
--- a/cluster/prod/app/drone-ci/deploy/server.hcl
+++ /dev/null
@@ -1,138 +0,0 @@
-job "drone-ci" {
- datacenters = ["neptune", "scorpio"]
- type = "service"
-
- group "server" {
- count = 1
-
- network {
- port "web_port" {
- to = 80
- }
- }
-
- task "restore-db" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- args = [
- "restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
-
- task "drone_server" {
- driver = "docker"
- config {
- image = "drone/drone:2.14.0"
- ports = [ "web_port" ]
-
- volumes = [
- "../alloc/data:/ephemeral",
- ]
- }
-
- template {
- data = <<EOH
-DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
-DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
-DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
-DRONE_SERVER_HOST=drone.deuxfleurs.fr
-DRONE_SERVER_PROTO=https
-DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
-DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
-AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
-AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
-AWS_DEFAULT_REGION=garage
-AWS_REGION=garage
-DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
-DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
-DRONE_S3_PATH_STYLE=true
-DRONE_DATABASE_DRIVER=sqlite3
-DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
-DRONE_USER_CREATE=username:lx-admin,admin:true
-DRONE_REGISTRATION_CLOSED=true
-DRONE_LOGS_DEBUG=true
-DRONE_LOGS_TRACE=true
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- cpu = 100
- memory = 200
- }
-
- service {
- name = "drone"
- tags = [
- "drone",
- "tricot drone.deuxfleurs.fr",
- "d53-cname drone.deuxfleurs.fr",
- ]
- port = "web_port"
- address_mode = "host"
- check {
- type = "http"
- protocol = "http"
- port = "web_port"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "600s"
- ignore_warnings = false
- }
- }
- }
- }
-
- task "replicate-db" {
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- entrypoint = [ "/bin/sh" ]
- args = [
- "-c",
- "echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
- }
-}
diff --git a/cluster/prod/app/drone-ci/integration/README.md b/cluster/prod/app/drone-ci/integration/README.md
deleted file mode 100644
index ddd8530..0000000
--- a/cluster/prod/app/drone-ci/integration/README.md
+++ /dev/null
@@ -1,69 +0,0 @@
-## Install Debian
-
-We recommend Debian Bullseye
-
-## Install Docker CE from docker.io
-
-Do not use the docker engine shipped by Debian
-
-Doc:
-
- - https://docs.docker.com/engine/install/debian/
- - https://docs.docker.com/compose/install/
-
-On a fresh install, as root:
-
-```bash
-apt-get remove -y docker docker-engine docker.io containerd runc
-apt-get update
-apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-apt-get install -y docker-ce docker-ce-cli containerd.io
-
-curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-```
-
-## Install the runner
-
-*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
-
-
-```bash
-wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
-wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
-
-# Edit the docker-compose.yml to adapt its variables to your needs,
-# especially the capacitiy value and its name.
-COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
-```
-
-That's all folks.
-
-## Check if a given job is built by your runner
-
-```bash
-export URL=https://drone.deuxfleurs.fr
-export REPO=Deuxfleurs/garage
-export BUILD=1312
-curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
- | jq -c '[.stages[] | { name: .name, machine: .machine }]'
-```
-
-It will give you the following result:
-
-```json
-[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
-```
-
-## Random note
-
-*This part might be deprecated!*
-
-This setup is done mainly to allow nix builds with some cache.
-To use the cache in Drone, you must set your repository as trusted.
-The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
-the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.
-
diff --git a/cluster/prod/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml
deleted file mode 100644
index 41938c2..0000000
--- a/cluster/prod/app/drone-ci/integration/docker-compose.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-version: '3.4'
-services:
- nix-daemon:
- image: nixpkgs/nix:nixos-22.05
- restart: always
- command: nix-daemon
- privileged: true
- volumes:
- - "nix:/nix"
- - "./nix.conf:/etc/nix/nix.conf:ro"
-
- drone-runner:
- image: drone/drone-runner-docker:1.8.2
- restart: always
- environment:
- - DRONE_RPC_PROTO=https
- - DRONE_RPC_HOST=drone.deuxfleurs.fr
- - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=3
- - DRONE_DEBUG=true
- - DRONE_LOGS_TRACE=true
- - DRONE_RPC_DUMP_HTTP=true
- - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- - DRONE_RUNNER_LABELS=nix-daemon:1
- # we should put "nix:/nix:ro but it is not supported by
- # drone-runner-docker because the dependency envconfig does
- # not support having two colons (:) in the same stanza.
- # Without the RO flag (or using docker userns), build isolation
- # is broken.
- # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
- # https://github.com/kelseyhightower/envconfig/pull/153
- #
- # A workaround for isolation is to configure docker with a userns,
- # so even if the folder is writable to root, it is not to any non
- # privileged docker daemon ran by drone!
- - DRONE_RUNNER_VOLUMES=drone_nix:/nix
- - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
- ports:
- - "3000:3000/tcp"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-
- drone-gc:
- image: drone/gc:latest
- restart: always
- environment:
- - GC_DEBUG=true
- - GC_CACHE=10gb
- - GC_INTERVAL=10m
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-volumes:
- nix:
diff --git a/cluster/prod/app/drone-ci/integration/nix.conf b/cluster/prod/app/drone-ci/integration/nix.conf
deleted file mode 100644
index debea69..0000000
--- a/cluster/prod/app/drone-ci/integration/nix.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
-max-jobs = auto
-cores = 0
-log-lines = 200
-filter-syscalls = true
-sandbox = true
-keep-outputs = true
-keep-derivations = true
diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml
deleted file mode 100644
index ac07926..0000000
--- a/cluster/prod/app/drone-ci/secrets.toml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Drone's secrets
-
-[secrets."drone-ci/rpc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it would break all runners
-
-[secrets."drone-ci/cookie_secret"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 16'
-
-[secrets."drone-ci/db_enc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it is used to encrypt data which we would lose if we change this
-
-
-# Oauth config for gitea
-
-[secrets."drone-ci/oauth_client_secret"]
-type = 'user'
-description = 'OAuth client secret (for gitea)'
-
-[secrets."drone-ci/oauth_client_id"]
-type = 'user'
-description = 'OAuth client ID (on Gitea)'
-
-
-# S3 config for Git LFS storage
-
-[secrets."drone-ci/s3_db_bucket"]
-type = 'constant'
-value = 'drone-db'
-
-[secrets."drone-ci/s3_sk"]
-type = 'user'
-description = 'S3 (garage) secret key for Drone'
-
-[secrets."drone-ci/s3_ak"]
-type = 'user'
-description = 'S3 (garage) access key for Drone'
-
-[secrets."drone-ci/s3_storage_bucket"]
-type = 'constant'
-value = 'drone-storage'
-
-
diff --git a/cluster/staging/known_hosts b/cluster/staging/known_hosts
index d4cca40..feb244e 100644
--- a/cluster/staging/known_hosts
+++ b/cluster/staging/known_hosts
@@ -12,3 +12,6 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
+df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
+origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
+caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22