-rw-r--r-- | app/drone-ci/build/.gitignore | 2 | ||||
-rw-r--r-- | app/drone-ci/build/Makefile | 8 | ||||
-rw-r--r-- | app/drone-ci/build/build-qcow2.nix | 24 | ||||
-rw-r--r-- | app/drone-ci/build/machine-config.nix | 68 | ||||
-rw-r--r-- | app/drone-ci/deploy/runner-insecure.hcl | 91 | ||||
-rw-r--r-- | app/drone-ci/deploy/runner-vm.hcl | 43 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/rpc_secret | 1 | ||||
-rw-r--r-- | nix/configuration.nix | 2 | ||||
-rw-r--r-- | nix/deuxfleurs.nix | 11 |
9 files changed, 250 insertions, 0 deletions
diff --git a/app/drone-ci/build/.gitignore b/app/drone-ci/build/.gitignore
new file mode 100644
index 0000000..ef92077
--- /dev/null
+++ b/app/drone-ci/build/.gitignore
@@ -0,0 +1,2 @@
+result/
+*.qcow2.zst
diff --git a/app/drone-ci/build/Makefile b/app/drone-ci/build/Makefile
new file mode 100644
index 0000000..2814a0d
--- /dev/null
+++ b/app/drone-ci/build/Makefile
@@ -0,0 +1,8 @@
+.PHONY: all
+
+all:
+ nix-build '<nixpkgs/nixos>' -A config.system.build.qcow2 --arg configuration "{ imports = [ ./build-qcow2.nix ]; }" --show-trace
+ zstd -7 -i result/nixos.qcow2 -o drone-runner.qcow2.zst -f
+ RESULTPATH=`readlink result`; rm result; nix-store --delete $$RESULTPATH
+ rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv
+
diff --git a/app/drone-ci/build/build-qcow2.nix b/app/drone-ci/build/build-qcow2.nix
new file mode 100644
index 0000000..266ba2c
--- /dev/null
+++ b/app/drone-ci/build/build-qcow2.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ imports =
+ [
+ <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+ ./machine-config.nix
+ ];
+
+ system.build.qcow2 = import <nixpkgs/nixos/lib/make-disk-image.nix> {
+ inherit lib config;
+ pkgs = import <nixpkgs> { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
+ diskSize = 8192;
+ format = "qcow2";
+ configFile = pkgs.writeText "configuration.nix"
+ ''
+ {
+ imports = [ <./machine-config.nix> ];
+ }
+ '';
+ };
+}
diff --git a/app/drone-ci/build/machine-config.nix b/app/drone-ci/build/machine-config.nix
new file mode 100644
index 0000000..3b55078
--- /dev/null
+++ b/app/drone-ci/build/machine-config.nix
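Review bot: The `rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv` step publishes the runner image with nothing a consumer can verify it against: no digest or signature is written next to the artifact, so whoever can write to that bucket can replace an image that (per machine-config.nix) ships a root SSH authorized key and a Docker-socket-mounted runner. I'd emit a digest alongside it, e.g. `sha256sum drone-runner.qcow2.zst > drone-runner.qcow2.zst.sha256` before the upload, and pin that digest wherever the image is fetched (the Nomad artifact stanza accepts `options { checksum = "sha256:…" }`). Also note that `rm result; nix-store --delete $$RESULTPATH` discards the local build output, leaving the uploaded copy as the only one; a one-line comment saying that is intentional would help the next reader.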
@@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports = [
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ];
+
+ config = {
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ boot.growPartition = true;
+ boot.kernelParams = [ "console=ttyS0" ];
+ boot.loader.grub.device = "/dev/vda";
+ boot.loader.timeout = 0;
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
+ ];
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "prohibit-password";
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ };
+
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.oci-containers.containers = {
+ drone_runner = {
+ image = "drone/drone-runner-docker:1.4.0";
+ volumes = [
+ "/nix:/nix"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ DRONE_RPC_PROTO = "https";
+ DRONE_RPC_HOST = "drone.deuxfleurs.fr";
+ DRONE_RUNNER_CAPACITY = "1";
+ DRONE_DEBUG = "true";
+ DRONE_LOGS_TRACE = "true";
+ DRONE_RPC_DUMP_HTTP = "true";
+ DRONE_RPC_DUMP_HTTP_BODY = "true";
+ DRONE_RUNNER_LABELS = "nix:1";
+ };
+ environmentFiles = [
+ "/dev/qemu/dronesecret0"
+ ];
+ };
+ drone_gc = {
+ image = "drone/gc:latest";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ GC_DEBUG = "true";
+ GC_CACHE = "10gb";
+ GC_INTERVAL = "10m";
+ };
+ };
+ };
+ };
+}
diff --git a/app/drone-ci/deploy/runner-insecure.hcl b/app/drone-ci/deploy/runner-insecure.hcl
new file mode 100644
index 0000000..2ea5638
--- /dev/null
+++ b/app/drone-ci/deploy/runner-insecure.hcl
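Review bot: The `environment` block of `drone_runner` bakes `DRONE_DEBUG`, `DRONE_LOGS_TRACE`, `DRONE_RPC_DUMP_HTTP` and `DRONE_RPC_DUMP_HTTP_BODY` into an image meant for long-lived runners; the two dump options write the full runner–server RPC exchange to the container log, and that exchange is, as far as I know, how the runner authenticates and receives pipeline secrets, so they would land in `docker logs` on every VM. These four should be dropped from the published image and only set in a debugging build, keeping `DRONE_RPC_PROTO`, `DRONE_RPC_HOST`, `DRONE_RUNNER_CAPACITY` and `DRONE_RUNNER_LABELS`. Separately, `image = "drone/gc:latest";` is a floating tag while the runner is pinned to `1.4.0`; pin it to a release tag or an `@sha256:` digest so the image rebuilds reproducibly. The `"/dev/qemu/dronesecret0"` entry in `environmentFiles` presupposes that the host makes a secret visible at that path; I cannot see anything in the guest configuration that creates it, so a comment naming the mechanism it relies on would help.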
@@ -0,0 +1,91 @@
+job "drone-runner" {
+ datacenters = ["neptune"]
+ type = "system"
+
+ group "runner" {
+
+ task "populate-nix-store" {
+ lifecycle {
+ hook = "prestart"
+ sidecar = false
+ }
+
+ driver = "docker"
+ config {
+ image = "nixpkgs/nix:nixos-21.05"
+ command = "sh"
+ args = [
+ "-c", "cp -rv /nix/{store,var} /mnt/"
+ ]
+ volumes = [
+ "/var/lib/drone/nix:/mnt",
+ ]
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+ }
+
+ task "drone-runner" {
+ driver = "docker"
+ config {
+ image = "drone/drone-runner-docker:1.4.0"
+
+ volumes = [
+ "/var/lib/drone/nix:/nix",
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ]
+ }
+
+ template {
+ data = <<EOH
+DRONE_RPC_PROTO=https
+DRONE_RPC_HOST=drone.deuxfleurs.fr
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_CAPACITY=1
+DRONE_DEBUG=true
+DRONE_LOGS_TRACE=true
+DRONE_RPC_DUMP_HTTP=true
+DRONE_RPC_DUMP_HTTP_BODY=true
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+DRONE_RUNNER_LABELS=nix:1
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 200
+ cpu = 100
+ }
+ }
+
+ task "drone-gc" {
+ driver = "docker"
+ config {
+ image = "drone/gc:latest"
+
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ]
+ }
+
+ template {
+ data = <<EOH
+GC_DEBUG=true
+GC_CACHE=10gb
+GC_INTERVAL=10m
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+ }
+ }
+}
diff --git a/app/drone-ci/deploy/runner-vm.hcl b/app/drone-ci/deploy/runner-vm.hcl
new file mode 100644
index 0000000..28beeb8
--- /dev/null
+++ b/app/drone-ci/deploy/runner-vm.hcl
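Review bot: The `drone-runner` task binds `"/var/run/docker.sock:/var/run/docker.sock"` from the Nomad node, so every pipeline step runs as a container on the node's own Docker daemon; a pipeline from a trusted repository can mount host paths or request privileged mode and is then root on the Nomad client, which is presumably why the file is called `runner-insecure.hcl`. The file name is currently the only warning, so I'd state it in the job itself, e.g. `# INSECURE: pipeline steps run on the host's Docker daemon via /var/run/docker.sock; only for repositories whose authors are trusted as root on this node. Prefer runner-vm.hcl.` above `job "drone-runner"`. The template also turns on `DRONE_RPC_DUMP_HTTP=true` and `DRONE_RPC_DUMP_HTTP_BODY=true`, which dump the runner's RPC traffic with the server into the task's stdout and hence Nomad's logs, so even the "insecure" runner should not carry these outside a debugging session. Pin `image = "drone/gc:latest"` to a release tag or digest as the runner image already is.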
@@ -0,0 +1,43 @@
+job "drone-runner" {
+ datacenters = ["neptune"]
+ type = "system"
+
+ group "runner-vm" {
+ network {
+ port "ssh" { }
+ }
+
+ task "drone-runner-vm" {
+ driver = "qemu"
+
+ config {
+ image_path = "local/drone-runner.qcow2"
+ accelerator = "kvm"
+ args = [
+ "-object", "secret,id=dronesecret0,file=secrets/secret_env"
+ ]
+ port_map {
+ ssh = 22
+ }
+ }
+
+ artifact {
+ source = "https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst"
+ destination = "local/drone-runner.qcow2"
+ mode = "file"
+ }
+
+ template {
+ data = <<EOH
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+EOH
+ destination = "secrets/secret_env"
+ }
+
+ resources {
+ memory = 2000
+ }
+ }
+ }
+}
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/app/drone-ci/secrets/drone-ci/rpc_secret
new file mode 100644
index 0000000..7f00649
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/rpc_secret
@@ -0,0 +1 @@
+USER Drone RPC secret
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 984307c..825cab2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -71,6 +71,8 @@ SystemMaxUse=1G
 docker-compose
 wireguard
 wesher
+ qemu
+ qemu_kvm
 ];
 programs.vim.defaultEditor = true;
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 055ac55..d20ea5d 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -151,6 +151,12 @@ in
 services.nomad.enable = true;
 services.nomad.package = pkgs.nomad_1_1;
+ services.nomad.extraPackages = [
+ pkgs.glibc
+ pkgs.zstd
+ pkgs.qemu
+ pkgs.qemu_kvm
+ ];
 services.nomad.settings = (if cfg.is_raft_server then {
 server = {
@@ -201,6 +207,11 @@ in
 ];
 }
 ];
+ qemu = [
+ {
+ enabled = true;
+ }
+ ];
 }
 ];
 };
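Review bot: The RPC secret is handed to the VM with `"-object", "secret,id=dronesecret0,file=secrets/secret_env"`, but a QEMU `secret` object is, as far as I know, consumed by the QEMU process itself (for example as a key for encrypted block devices) and is never exposed to the guest, so nothing inside the VM will see the `/dev/qemu/dronesecret0` path that the image's `environmentFiles` expects and the runner would start without `DRONE_RPC_SECRET`. A guest-visible channel is needed; fw_cfg is the usual one, `"-fw_cfg", "name=opt/dronesecret0,file=secrets/secret_env"`, which the guest can read at `/sys/firmware/qemu_fw_cfg/by_name/opt/dronesecret0/raw` once the `qemu_fw_cfg` module is loaded, with the image's `environmentFiles` pointed at that path (or at a copy made by a oneshot unit). Please confirm this against a booted VM rather than taking my word for it, since I can only infer the mechanism from the two files. Independently, the `artifact` stanza downloads the image over HTTPS with no `options { checksum = "sha256:…" }`, so the node boots whatever `alex.web.deuxfleurs.fr` serves; pinning the digest per release closes that gap.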