author | Alex Auvolat <alex@adnab.me> | 2022-08-24 15:42:47 +0200 |
committer | Alex Auvolat <alex@adnab.me> | 2022-08-24 15:42:47 +0200 |
commit | 2e8923b383eb06c53261eee8e5c442b857fb67e4 (patch) | |
tree | 0ad148f75f7b54dfed2dbac8f43f6df9badc502a /app/drone-ci | |
parent | 9848f3090f77363a2fda0f9fa673ebcf1fb8228c (diff) | |
Move app files into cluster subdirectories; add prod garage
Diffstat (limited to 'app/drone-ci')
-rw-r--r-- | app/drone-ci/build/.gitignore | 2 | ||||
-rw-r--r-- | app/drone-ci/build/Makefile | 8 | ||||
-rw-r--r-- | app/drone-ci/build/build-qcow2.nix | 24 | ||||
-rw-r--r-- | app/drone-ci/build/machine-config.nix | 89 | ||||
-rw-r--r-- | app/drone-ci/config/litestream.yml | 10 | ||||
-rw-r--r-- | app/drone-ci/deploy/bad-runner-vm.hcl | 48 | ||||
-rw-r--r-- | app/drone-ci/deploy/runner-docker.hcl | 91 | ||||
-rw-r--r-- | app/drone-ci/deploy/server.hcl | 139 | ||||
-rw-r--r-- | app/drone-ci/integration/README.md | 74 | ||||
-rw-r--r-- | app/drone-ci/integration/docker-compose.yml | 32 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/cookie_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/db_enc_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/oauth_client_id | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/oauth_client_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/rpc_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_ak | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_db_bucket | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_sk | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_storage_bucket | 1 |
19 files changed, 0 insertions, 526 deletions
diff --git a/app/drone-ci/build/.gitignore b/app/drone-ci/build/.gitignore
deleted file mode 100644
index ef92077..0000000
--- a/app/drone-ci/build/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-result/
-*.qcow2.zst
diff --git a/app/drone-ci/build/Makefile b/app/drone-ci/build/Makefile
deleted file mode 100644
index 2814a0d..0000000
--- a/app/drone-ci/build/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-.PHONY: all
-
-all:
- nix-build '<nixpkgs/nixos>' -A config.system.build.qcow2 --arg configuration "{ imports = [ ./build-qcow2.nix ]; }" --show-trace
- zstd -7 -i result/nixos.qcow2 -o drone-runner.qcow2.zst -f
- RESULTPATH=`readlink result`; rm result; nix-store --delete $$RESULTPATH
- rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv
-
diff --git a/app/drone-ci/build/build-qcow2.nix b/app/drone-ci/build/build-qcow2.nix
deleted file mode 100644
index 3ad45f4..0000000
--- a/app/drone-ci/build/build-qcow2.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
- imports =
- [
- <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
- ./machine-config.nix
- ];
-
- system.build.qcow2 = import <nixpkgs/nixos/lib/make-disk-image.nix> {
- inherit lib config;
- pkgs = import <nixpkgs> { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
- diskSize = 32768;
- format = "qcow2";
- configFile = pkgs.writeText "configuration.nix"
- ''
- {
- imports = [ <./machine-config.nix> ];
- }
- '';
- };
-}
diff --git a/app/drone-ci/build/machine-config.nix b/app/drone-ci/build/machine-config.nix
deleted file mode 100644
index 73d3f09..0000000
--- a/app/drone-ci/build/machine-config.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- ];
-
- config = {
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- fileSystems."/secrets" = {
- device = "/dev/disk/by-label/QEMU\\x20VVFAT";
- fsType = "vfat";
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- environment.systemPackages = with pkgs; [
- iotop
- jnettop
- htop
- ];
-
- users.extraUsers.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
- ];
- services.openssh.enable = true;
- services.openssh.permitRootLogin = "prohibit-password";
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
-
- virtualisation.docker.enable = true;
- virtualisation.oci-containers.backend = "docker";
- systemd.services.drone_nix_setup = {
- enable = true;
- path = [
- pkgs.docker
- ];
- script = ''
- docker run --rm -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
- '';
- wantedBy = [ "multi-user.target" ];
- };
- virtualisation.oci-containers.containers = {
- drone_runner = {
- image = "drone/drone-runner-docker:1.4.0";
- volumes = [
- "/var/lib/drone/nix:/nix"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environment = {
- DRONE_RPC_PROTO = "https";
- DRONE_RPC_HOST = "drone.deuxfleurs.fr";
- DRONE_RUNNER_CAPACITY = "1";
- DRONE_DEBUG = "true";
- DRONE_LOGS_TRACE = "true";
- DRONE_RPC_DUMP_HTTP = "true";
- DRONE_RPC_DUMP_HTTP_BODY = "true";
- DRONE_RUNNER_LABELS = "nix:1";
- };
- environmentFiles = [
- "/secrets/secret_env"
- ];
- };
- drone_gc = {
- image = "drone/gc:latest";
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environment = {
- GC_DEBUG = "true";
- GC_CACHE = "10gb";
- GC_INTERVAL = "10m";
- };
- };
- };
- };
-}
diff --git a/app/drone-ci/config/litestream.yml b/app/drone-ci/config/litestream.yml
deleted file mode 100644
index 813c824..0000000
--- a/app/drone-ci/config/litestream.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-dbs:
- - path: /ephemeral/drone.db
- replicas:
- - url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
- region: garage
- endpoint: https://garage.deuxfleurs.fr
- access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
- secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
- force-path-style: true
- sync-interval: 60s
diff --git a/app/drone-ci/deploy/bad-runner-vm.hcl b/app/drone-ci/deploy/bad-runner-vm.hcl
deleted file mode 100644
index 7c3a7e2..0000000
--- a/app/drone-ci/deploy/bad-runner-vm.hcl
+++ /dev/null
@@ -1,48 +0,0 @@
-job "drone-runner" {
- datacenters = ["neptune"]
- type = "system"
-
- group "runner-vm" {
- network {
- port "ssh" {
- static = 22544
- }
- }
-
- task "drone-runner-vm" {
- driver = "qemu"
-
- config {
- image_path = "local/drone-runner.qcow2"
- accelerator = "kvm"
- args = [
- "-drive", "index=1,file=fat:rw:/var/lib/nomad/alloc/${NOMAD_ALLOC_ID}/${NOMAD_TASK_NAME}/secrets,format=raw,media=disk",
- "-device", "e1000,netdev=user.0",
- "-netdev", "user,id=user.0,hostfwd=tcp::${NOMAD_PORT_ssh}-:22",
- "-smp", "2",
- ]
- port_map {
- ssh = 22
- }
- }
-
- artifact {
- source = "https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst"
- destination = "local/drone-runner.qcow2"
- mode = "file"
- }
-
- template {
- data = <<EOH
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
-DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
-EOH
- destination = "secrets/secret_env"
- }
-
- resources {
- memory = 2000
- }
- }
- }
-}
diff --git a/app/drone-ci/deploy/runner-docker.hcl b/app/drone-ci/deploy/runner-docker.hcl
deleted file mode 100644
index d7c6ef4..0000000
--- a/app/drone-ci/deploy/runner-docker.hcl
+++ /dev/null
@@ -1,91 +0,0 @@
-job "drone-runner" {
- datacenters = ["neptune"]
- type = "system"
-
- group "runner" {
-
- task "populate-nix-store" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "nixpkgs/nix:nixos-21.05"
- command = "sh"
- args = [
- "-c", "test -d /mnt/store || cp -rv /nix/{store,var} /mnt/"
- ]
- volumes = [
- "/var/lib/drone/nix:/mnt",
- ]
- }
-
- resources {
- memory = 100
- cpu = 100
- }
- }
-
- task "drone-runner" {
- driver = "docker"
- config {
- image = "drone/drone-runner-docker:1.8.1"
-
- volumes = [
- "/var/lib/drone/nix:/nix",
- "/var/run/docker.sock:/var/run/docker.sock"
- ]
- }
-
- template {
- data = <<EOH
-DRONE_RPC_PROTO=https
-DRONE_RPC_HOST=drone.deuxfleurs.fr
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
-DRONE_RUNNER_CAPACITY=1
-DRONE_DEBUG=true
-DRONE_LOGS_TRACE=true
-DRONE_RPC_DUMP_HTTP=true
-DRONE_RPC_DUMP_HTTP_BODY=true
-DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
-DRONE_RUNNER_LABELS=nix:1
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 200
- cpu = 100
- }
- }
-
- task "drone-gc" {
- driver = "docker"
- config {
- image = "drone/gc:latest"
-
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- ]
- }
-
- template {
- data = <<EOH
-GC_DEBUG=true
-GC_CACHE=10gb
-GC_INTERVAL=10m
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 100
- cpu = 100
- }
- }
- }
-}
diff --git a/app/drone-ci/deploy/server.hcl b/app/drone-ci/deploy/server.hcl
deleted file mode 100644
index 85eb776..0000000
--- a/app/drone-ci/deploy/server.hcl
+++ /dev/null
@@ -1,139 +0,0 @@
-job "drone-ci" {
- datacenters = ["neptune"]
- type = "service"
-
- group "server" {
- count = 1
-
- network {
- port "web_port" {
- to = 80
- }
- }
-
- task "restore-db" {
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
-
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- args = [
- "restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 200
- cpu = 1000
- }
- }
-
- task "drone_server" {
- driver = "docker"
- config {
- image = "drone/drone:2.12.0"
- ports = [ "web_port" ]
-
- volumes = [
- "../alloc/data:/ephemeral",
- ]
- }
-
- template {
- data = <<EOH
-DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
-DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
-DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
-DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
-DRONE_SERVER_HOST=drone.deuxfleurs.fr
-DRONE_SERVER_PROTO=https
-DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
-DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
-AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
-AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
-AWS_DEFAULT_REGION=garage
-AWS_REGION=garage
-DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
-DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
-DRONE_S3_PATH_STYLE=true
-DRONE_DATABASE_DRIVER=sqlite3
-DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
-DRONE_USER_CREATE=username:lx-admin,admin:true
-__DRONE_REGISTRATION_CLOSED=true
-DRONE_LOGS_TEXT=true
-DRONE_LOGS_PRETTY=true
-DRONE_LOGS_DEBUG=true
-DOCKER_API_VERSION=1.39
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- cpu = 100
- memory = 100
- }
-
- service {
- name = "drone"
- tags = [
- "drone",
- "tricot drone.deuxfleurs.fr",
- ]
- port = "web_port"
- address_mode = "host"
- check {
- type = "http"
- protocol = "http"
- port = "web_port"
- path = "/"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "600s"
- ignore_warnings = false
- }
- }
- }
- }
-
- task "replicate-db" {
- driver = "docker"
- config {
- image = "litestream/litestream:0.3.9"
- entrypoint = [ "/bin/sh" ]
- args = [
- "-c",
- "echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
- ]
- volumes = [
- "../alloc/data:/ephemeral",
- "secrets/litestream.yml:/etc/litestream.yml"
- ]
- }
-
- template {
- data = file("../config/litestream.yml")
- destination = "secrets/litestream.yml"
- }
-
- resources {
- memory = 250
- cpu = 100
- }
- }
- }
-}
diff --git a/app/drone-ci/integration/README.md b/app/drone-ci/integration/README.md
deleted file mode 100644
index b3c1cc6..0000000
--- a/app/drone-ci/integration/README.md
+++ /dev/null
@@ -1,74 +0,0 @@
-## Install Debian
-
-We recommend Debian Bullseye
-
-## Install Docker CE from docker.io
-
-Do not use the docker engine shipped by Debian
-
-Doc:
-
- - https://docs.docker.com/engine/install/debian/
- - https://docs.docker.com/compose/install/
-
-On a fresh install, as root:
-
-```bash
-apt-get remove -y docker docker-engine docker.io containerd runc
-apt-get update
-apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt-get update
-apt-get install -y docker-ce docker-ce-cli containerd.io
-
-curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-```
-
-## Prepare the runner
-
-Nix folder must be populated before launching any build.
-
-```bash
-docker run --rm -it -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
-```
-
-This folder will grow over time and might need to be garbage collected.
-As a rule of thumb, after running a full release of Garage, this folder will require 10GB.
-Consider provisioning it with at least 20GB.
-
-## Launch the runner
-
-Because we use a shared nix folder, we set the number of concurrent builds to 1.
-For more details and customizations, see `docker-compose.yml`.
-
-```bash
-DRONE_NAME=lheureduthe DRONE_OWNER=quentin DRONE_SECRET=xxx docker-compose up -d
-```
-
-That's all folks.
-
-
-## Check if a given job is built by your runner
-
-```bash
-export URL=https://drone.deuxfleurs.fr
-export REPO=Deuxfleurs/garage
-export BUILD=1312
-curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
- | jq -c '[.stages[] | { name: .name, machine: .machine }]'
-```
-
-It will give you the following result:
-
-```json
-[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
-```
-
-## Random note
-
-This setup is done mainly to allow nix builds with some cache.
-To use the cache in Drone, you must set your repository as trusted.
-The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
-the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.
-
diff --git a/app/drone-ci/integration/docker-compose.yml b/app/drone-ci/integration/docker-compose.yml
deleted file mode 100644
index 1e37255..0000000
--- a/app/drone-ci/integration/docker-compose.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-version: '3.4'
-services:
- drone-runner:
- image: drone/drone-runner-docker:latest
- restart: always
- environment:
- - DRONE_RPC_PROTO=https
- - DRONE_RPC_HOST=drone.deuxfleurs.fr
- - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
- - DRONE_DEBUG=true
- - DRONE_LOGS_TRACE=true
- - DRONE_RPC_DUMP_HTTP=true
- - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
- - DRONE_RUNNER_LABELS=nix:1
- #- DRONE_RUNNER_VOLUMES=/var/lib/drone/nix:/nix
- ports:
- - "3000:3000/tcp"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
- - "/var/lib/drone/nix:/var/lib/drone/nix"
-
- drone-gc:
- image: drone/gc:latest
- restart: always
- environment:
- - GC_DEBUG=true
- - GC_CACHE=10gb
- - GC_INTERVAL=10m
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
diff --git a/app/drone-ci/secrets/drone-ci/cookie_secret b/app/drone-ci/secrets/drone-ci/cookie_secret
deleted file mode 100644
index 04c819e..0000000
--- a/app/drone-ci/secrets/drone-ci/cookie_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/db_enc_secret b/app/drone-ci/secrets/drone-ci/db_enc_secret
deleted file mode 100644
index 3f9e696..0000000
--- a/app/drone-ci/secrets/drone-ci/db_enc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD_ONCE openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_id b/app/drone-ci/secrets/drone-ci/oauth_client_id
deleted file mode 100644
index c801b28..0000000
--- a/app/drone-ci/secrets/drone-ci/oauth_client_id
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client ID (on Gitea)
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_secret b/app/drone-ci/secrets/drone-ci/oauth_client_secret
deleted file mode 100644
index b79b688..0000000
--- a/app/drone-ci/secrets/drone-ci/oauth_client_secret
+++ /dev/null
@@ -1 +0,0 @@
-USER OAuth client secret (for gitea)
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/app/drone-ci/secrets/drone-ci/rpc_secret
deleted file mode 100644
index 04c819e..0000000
--- a/app/drone-ci/secrets/drone-ci/rpc_secret
+++ /dev/null
@@ -1 +0,0 @@
-CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/s3_ak b/app/drone-ci/secrets/drone-ci/s3_ak
deleted file mode 100644
index 3a8e4a2..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_ak
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) access key for Drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_db_bucket b/app/drone-ci/secrets/drone-ci/s3_db_bucket
deleted file mode 100644
index c36f17d..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_db_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-db
diff --git a/app/drone-ci/secrets/drone-ci/s3_sk b/app/drone-ci/secrets/drone-ci/s3_sk
deleted file mode 100644
index 46fd9fa..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_sk
+++ /dev/null
@@ -1 +0,0 @@
-USER S3 (garage) secret key for Drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/app/drone-ci/secrets/drone-ci/s3_storage_bucket
deleted file mode 100644
index ca2702c..0000000
--- a/app/drone-ci/secrets/drone-ci/s3_storage_bucket
+++ /dev/null
@@ -1 +0,0 @@
-CONST drone-storage