authorAlex Auvolat <alex@adnab.me>2022-08-24 15:42:47 +0200
committerAlex Auvolat <alex@adnab.me>2022-08-24 15:42:47 +0200
commit2e8923b383eb06c53261eee8e5c442b857fb67e4 (patch)
tree0ad148f75f7b54dfed2dbac8f43f6df9badc502a /app/drone-ci
parent9848f3090f77363a2fda0f9fa673ebcf1fb8228c (diff)
downloadnixcfg-2e8923b383eb06c53261eee8e5c442b857fb67e4.tar.gz
nixcfg-2e8923b383eb06c53261eee8e5c442b857fb67e4.zip
Move app files into cluster subdirectories; add prod garage
Diffstat (limited to 'app/drone-ci')
-rw-r--r--app/drone-ci/build/.gitignore2
-rw-r--r--app/drone-ci/build/Makefile8
-rw-r--r--app/drone-ci/build/build-qcow2.nix24
-rw-r--r--app/drone-ci/build/machine-config.nix89
-rw-r--r--app/drone-ci/config/litestream.yml10
-rw-r--r--app/drone-ci/deploy/bad-runner-vm.hcl48
-rw-r--r--app/drone-ci/deploy/runner-docker.hcl91
-rw-r--r--app/drone-ci/deploy/server.hcl139
-rw-r--r--app/drone-ci/integration/README.md74
-rw-r--r--app/drone-ci/integration/docker-compose.yml32
-rw-r--r--app/drone-ci/secrets/drone-ci/cookie_secret1
-rw-r--r--app/drone-ci/secrets/drone-ci/db_enc_secret1
-rw-r--r--app/drone-ci/secrets/drone-ci/oauth_client_id1
-rw-r--r--app/drone-ci/secrets/drone-ci/oauth_client_secret1
-rw-r--r--app/drone-ci/secrets/drone-ci/rpc_secret1
-rw-r--r--app/drone-ci/secrets/drone-ci/s3_ak1
-rw-r--r--app/drone-ci/secrets/drone-ci/s3_db_bucket1
-rw-r--r--app/drone-ci/secrets/drone-ci/s3_sk1
-rw-r--r--app/drone-ci/secrets/drone-ci/s3_storage_bucket1
19 files changed, 0 insertions, 526 deletions
diff --git a/app/drone-ci/build/.gitignore b/app/drone-ci/build/.gitignore
deleted file mode 100644
index ef92077..0000000
--- a/app/drone-ci/build/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-result/
-*.qcow2.zst
diff --git a/app/drone-ci/build/Makefile b/app/drone-ci/build/Makefile
deleted file mode 100644
index 2814a0d..0000000
--- a/app/drone-ci/build/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-.PHONY: all
-
-all:
- nix-build '<nixpkgs/nixos>' -A config.system.build.qcow2 --arg configuration "{ imports = [ ./build-qcow2.nix ]; }" --show-trace
- zstd -7 -i result/nixos.qcow2 -o drone-runner.qcow2.zst -f
- RESULTPATH=`readlink result`; rm result; nix-store --delete $$RESULTPATH
- rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv
-
diff --git a/app/drone-ci/build/build-qcow2.nix b/app/drone-ci/build/build-qcow2.nix
deleted file mode 100644
index 3ad45f4..0000000
--- a/app/drone-ci/build/build-qcow2.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
- imports =
- [
- <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
- ./machine-config.nix
- ];
-
- system.build.qcow2 = import <nixpkgs/nixos/lib/make-disk-image.nix> {
- inherit lib config;
- pkgs = import <nixpkgs> { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
- diskSize = 32768;
- format = "qcow2";
- configFile = pkgs.writeText "configuration.nix"
- ''
- {
- imports = [ <./machine-config.nix> ];
- }
- '';
- };
-}
diff --git a/app/drone-ci/build/machine-config.nix b/app/drone-ci/build/machine-config.nix
deleted file mode 100644
index 73d3f09..0000000
--- a/app/drone-ci/build/machine-config.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- ];
-
- config = {
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- fileSystems."/secrets" = {
- device = "/dev/disk/by-label/QEMU\\x20VVFAT";
- fsType = "vfat";
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- environment.systemPackages = with pkgs; [
- iotop
- jnettop
- htop
- ];
-
- users.extraUsers.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
- ];
- services.openssh.enable = true;
- services.openssh.permitRootLogin = "prohibit-password";
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
-
- virtualisation.docker.enable = true;
- virtualisation.oci-containers.backend = "docker";
- systemd.services.drone_nix_setup = {
- enable = true;
- path = [
- pkgs.docker
- ];
- script = ''
- docker run --rm -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
- '';
- wantedBy = [ "multi-user.target" ];
- };
- virtualisation.oci-containers.containers = {
- drone_runner = {
- image = "drone/drone-runner-docker:1.4.0";
- volumes = [
- "/var/lib/drone/nix:/nix"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environment = {
- DRONE_RPC_PROTO = "https";
- DRONE_RPC_HOST = "drone.deuxfleurs.fr";
- DRONE_RUNNER_CAPACITY = "1";
- DRONE_DEBUG = "true";
- DRONE_LOGS_TRACE = "true";
- DRONE_RPC_DUMP_HTTP = "true";
- DRONE_RPC_DUMP_HTTP_BODY = "true";
- DRONE_RUNNER_LABELS = "nix:1";
- };
- environmentFiles = [
- "/secrets/secret_env"
- ];
- };
- drone_gc = {
- image = "drone/gc:latest";
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environment = {
- GC_DEBUG = "true";
- GC_CACHE = "10gb";
- GC_INTERVAL = "10m";
- };
- };
- };
- };
-}
diff --git a/app/drone-ci/config/litestream.yml b/app/drone-ci/config/litestream.yml
deleted file mode 100644
index 813c824..0000000
--- a/app/drone-ci/config/litestream.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-dbs:
- - path: /ephemeral/drone.db
- replicas:
- - url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
- region: garage
- endpoint: https://garage.deuxfleurs.fr
- access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
- secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
- force-path-style: true
- sync-interval: 60s
diff --git a/app/drone-ci/deploy/bad-runner-vm.hcl b/app/drone-ci/deploy/bad-runner-vm.hcl
deleted file mode 100644
index 7c3a7e2..0000000
--- a/app/drone-ci/deploy/bad-runner-vm.hcl
+++ /dev/null
@@ -1,48 +0,0 @@
-job "drone-runner" {
- datacenters = ["neptune"]
- type = "system"
-
- group "runner-vm" {
- network {
- port "ssh" {
- static = 22544
- }
- }
-
- task "drone-runner-vm" {
- driver = "qemu"
-
- config {
- image_path = "local/drone-runner.qcow2"
- accelerator = "kvm"
- args = [
- "-drive", "index=1,file=fat:rw:/var/lib/nomad/alloc/${NOMAD_ALLOC_ID}/${NOMAD_TASK_NAME}/secrets,format=raw,media=disk",
- "-device", "e1000,netdev=user.0",
- "-netdev", "user,id=user.0,hostfwd=tcp::${NOMAD_PORT_ssh}-:22",
- "-smp", "2",
- ]
- port_map {
- ssh = 22
- }
- }
-
- artifact {
- source = "https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst"
- destination = "local/drone-runner.qcow2"
- mode = "file"
- }
-
- template {
- data = <<EOH
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
-DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
-EOH
- destination = "secrets/secret_env"
- }
-
- resources {
- memory = 2000
- }
- }
- }
-}
diff --git a/app/drone-ci/deploy/runner-docker.hcl b/app/drone-ci/deploy/runner-docker.hcl
deleted file mode 100644
index d7c6ef4..0000000
--- a/app/drone-ci/deploy/runner-docker.hcl
+++ /dev/null
@@ -1,91 +0,0 @@
-job "drone-runner" {
- datacenters = ["neptune"]
- type = "system"
-
- group "runner" {
-
- task "populate-nix-store" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "nixpkgs/nix:nixos-21.05"
- command = "sh"
- args = [
- "-c", "test -d /mnt/store || cp -rv /nix/{store,var} /mnt/"
- ]
- volumes = [
- "/var/lib/drone/nix:/mnt",
- ]
- }
-
- resources {
- memory = 100
- cpu = 100
- }
- }
-
- task "drone-runner" {
- driver = "docker"
- config {
- image = "drone/drone-runner-docker:1.8.1"
-
- volumes = [
- "/var/lib/drone/nix:/nix",
- "/var/run/docker.sock:/var/run/docker.sock"
- ]
- }
-
- template {
- data = <<EOH
-DRONE_RPC_PROTO=https
-DRONE_RPC_HOST=drone.deuxfleurs.fr
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
-DRONE_RUNNER_CAPACITY=1
-DRONE_DEBUG=true
-DRONE_LOGS_TRACE=true
-DRONE_RPC_DUMP_HTTP=true
-DRONE_RPC_DUMP_HTTP_BODY=true
-DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
-DRONE_RUNNER_LABELS=nix:1
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
-
- task "drone-gc" {
- driver = "docker"
- config {
- image = "drone/gc:latest"
-
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- ]
- }
-
- template {
- data = <<EOH
-GC_DEBUG=true
-GC_CACHE=10gb
-GC_INTERVAL=10m
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 100
- cpu = 100
- }
- }
- }
-}
diff --git a/app/drone-ci/deploy/server.hcl b/app/drone-ci/deploy/server.hcl
deleted file mode 100644
index 85eb776..0000000
--- a/app/drone-ci/deploy/server.hcl
+++ /dev/null
@@ -1,139 +0,0 @@
-job "drone-ci" {
- datacenters = ["neptune"]
- type = "service"
-
- group "server" {
- count = 1
-
- network {
- port "web_port" {
- to = 80
- }
- }
-
- task "restore-db" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- args = [
- "restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 1000
- }
- }
-
- task "drone_server" {
- driver = "docker"
- config {
- image = "drone/drone:2.12.0"
- ports = [ "web_port" ]
-
- volumes = [
- "../alloc/data:/ephemeral",
- ]
- }
-
- template {
- data = <<EOH
-DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
-DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
-DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
-DRONE_SERVER_HOST=drone.deuxfleurs.fr
-DRONE_SERVER_PROTO=https
-DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
-DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
-AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
-AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
-AWS_DEFAULT_REGION=garage
-AWS_REGION=garage
-DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
-DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
-DRONE_S3_PATH_STYLE=true
-DRONE_DATABASE_DRIVER=sqlite3
-DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
-DRONE_USER_CREATE=username:lx-admin,admin:true
-__DRONE_REGISTRATION_CLOSED=true
-DRONE_LOGS_TEXT=true
-DRONE_LOGS_PRETTY=true
-DRONE_LOGS_DEBUG=true
-DOCKER_API_VERSION=1.39
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- cpu = 100
- memory = 100
- }
-
- service {
- name = "drone"
- tags = [
- "drone",
- "tricot drone.deuxfleurs.fr",
- ]
- port = "web_port"
- address_mode = "host"
- check {
- type = "http"
- protocol = "http"
- port = "web_port"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "600s"
- ignore_warnings = false
- }
- }
- }
- }
-
- task "replicate-db" {
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- entrypoint = [ "/bin/sh" ]
- args = [
- "-c",
- "echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 250
- cpu = 100
- }
- }
- }
-}
diff --git a/app/drone-ci/integration/README.md b/app/drone-ci/integration/README.md
deleted file mode 100644
index b3c1cc6..0000000
--- a/app/drone-ci/integration/README.md
+++ /dev/null
@@ -1,74 +0,0 @@
-## Install Debian
-
-We recommend Debian Bullseye
-
-## Install Docker CE from docker.io
-
-Do not use the docker engine shipped by Debian
-
-Doc:
-
- - https://docs.docker.com/engine/install/debian/
- - https://docs.docker.com/compose/install/
-
-On a fresh install, as root:
-
-```bash
-apt-get remove -y docker docker-engine docker.io containerd runc
-apt-get update
-apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-apt-get install -y docker-ce docker-ce-cli containerd.io
-
-curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-```
-
-## Prepare the runner
-
-Nix folder must be populated before launching any build.
-
-```bash
-docker run --rm -it -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
-```
-
-This folder will grow over time and might need to be garbage collected.
-As a rule of thumb, after running a full release of Garage, this folder will require 10GB.
-Consider provisioning it with at least 20GB.
-
-## Launch the runner
-
-Because we use a shared nix folder, we set the number of concurrent builds to 1.
-For more details and customizations, see `docker-compose.yml`.
-
-```bash
-DRONE_NAME=lheureduthe DRONE_OWNER=quentin DRONE_SECRET=xxx docker-compose up -d
-```
-
-That's all folks.
-
-## Check if a given job is built by your runner
-
-```bash
-export URL=https://drone.deuxfleurs.fr
-export REPO=Deuxfleurs/garage
-export BUILD=1312
-curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
- | jq -c '[.stages[] | { name: .name, machine: .machine }]'
-```
-
-It will give you the following result:
-
-```json
-[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
-```
-
-## Random note
-
-This setup is done mainly to allow nix builds with some cache.
-To use the cache in Drone, you must set your repository as trusted.
-The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
-the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.
-
diff --git a/app/drone-ci/integration/docker-compose.yml b/app/drone-ci/integration/docker-compose.yml
deleted file mode 100644
index 1e37255..0000000
--- a/app/drone-ci/integration/docker-compose.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-version: '3.4'
-services:
- drone-runner:
- image: drone/drone-runner-docker:latest
- restart: always
- environment:
- - DRONE_RPC_PROTO=https
- - DRONE_RPC_HOST=drone.deuxfleurs.fr
- - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
- - DRONE_DEBUG=true
- - DRONE_LOGS_TRACE=true
- - DRONE_RPC_DUMP_HTTP=true
- - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
- - DRONE_RUNNER_LABELS=nix:1
- #- DRONE_RUNNER_VOLUMES=/var/lib/drone/nix:/nix
- ports:
- - "3000:3000/tcp"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
- - "/var/lib/drone/nix:/var/lib/drone/nix"
-
- drone-gc:
- image: drone/gc:latest
- restart: always
- environment:
- - GC_DEBUG=true
- - GC_CACHE=10gb
- - GC_INTERVAL=10m
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
diff --git a/app/drone-ci/secrets/drone-ci/cookie_secret b/app/drone-ci/secrets/drone-ci/cookie_secret
deleted file mode 100644
index 04c819e..0000000
--- a/app/drone-ci/secrets/drone-ci/cookie_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/db_enc_secret b/app/drone-ci/secrets/drone-ci/db_enc_secret
deleted file mode 100644
index 3f9e696..0000000
--- a/app/drone-ci/secrets/drone-ci/db_enc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_id b/app/drone-ci/secrets/drone-ci/oauth_client_id
deleted file mode 100644
index c801b28..0000000
--- a/app/drone-ci/secrets/drone-ci/oauth_client_id
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client ID (on Gitea)
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_secret b/app/drone-ci/secrets/drone-ci/oauth_client_secret
deleted file mode 100644
index b79b688..0000000
--- a/app/drone-ci/secrets/drone-ci/oauth_client_secret
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client secret (for gitea)
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/app/drone-ci/secrets/drone-ci/rpc_secret
deleted file mode 100644
index 04c819e..0000000
--- a/app/drone-ci/secrets/drone-ci/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/s3_ak b/app/drone-ci/secrets/drone-ci/s3_ak
deleted file mode 100644
index 3a8e4a2..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_ak
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) access key for Drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_db_bucket b/app/drone-ci/secrets/drone-ci/s3_db_bucket
deleted file mode 100644
index c36f17d..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_db_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-db
diff --git a/app/drone-ci/secrets/drone-ci/s3_sk b/app/drone-ci/secrets/drone-ci/s3_sk
deleted file mode 100644
index 46fd9fa..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_sk
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) secret key for Drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/app/drone-ci/secrets/drone-ci/s3_storage_bucket
deleted file mode 100644
index ca2702c..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_storage_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-storage