From 2b8dce0920d97791f8c6c9e33b146ff5e1503750 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 28 Mar 2021 15:27:46 +0000
Subject: [PATCH] depot-wide: overhaul GitLab CI configuration

We now use a stub configuration to kick off the pipeline, which is dynamically generated using Nix config.
---
 .gitlab-ci.yml | 159 +++------------------------
 nix/default.nix | 1 +
 nix/gitlab-ci/default.nix | 50 +++++++++
 ops/nixos/blade-chakotay/default.nix | 1 +
 ops/nixos/blade-kim/default.nix | 1 +
 ops/nixos/blade-paris/default.nix | 1 +
 ops/nixos/default.nix | 1 +
 ops/nixos/lib/common.nix | 11 +-
 ops/nixos/marukuru/default.nix | 1 +
 ops/nixos/porcorosso/default.nix | 3 +
 10 files changed, 82 insertions(+), 147 deletions(-)
 create mode 100644 nix/gitlab-ci/default.nix

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 47416e8ea9..1a8367d6bd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,158 +3,25 @@ # SPDX-License-Identifier: Apache-2.0 stages: - - build - - deploy + - generate + - start -nixCache: - stage: build +generatePipeline: + stage: generate image: "nixos/nix:latest" script: - - "nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh" - - "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\"" - - "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result" - - "cat ./result/other-systemPathJSON > systems.json" + - "nix build -v -f . nix.gitlab-ci --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\"" + - "cat ./result > gitlab-ci.yml" artifacts: paths: - - systems.json + - gitlab-ci.yml expire_in: '30 days' tags: - cacher -.deploy: - stage: deploy - needs: - - job: nixCache - artifacts: true - tags: - - deployer -# environment: -# deployment_tier: production - -marukuru: - extends: .deploy - resource_group: marukuru - script: './hack/deploy.sh "marukuru" "-p 20022"' - environment: - name: marukuru - -clouvider-fra01: - extends: .deploy - resource_group: clouvider-fra01 - script: './hack/deploy.sh "clouvider-fra01" ""' - environment: - name: clouvider-fra01 - -kusakabe: - extends: .deploy - resource_group: kusakabe - script: './hack/deploy.sh "kusakabe" ""' - environment: - name: kusakabe - -clouvider-lon01: - extends: .deploy - resource_group: clouvider-lon01 - script: './hack/deploy.sh "clouvider-lon01" ""' - environment: - name: clouvider-lon01 - -totoro: - extends: .deploy - resource_group: totoro - script: './hack/deploy.sh "totoro" ""' - environment: - name: totoro - -swann: - extends: .deploy - resource_group: swann - script: './hack/deploy.sh "swann" ""' - environment: - name: swann - -etheroute-lon01: - extends: .deploy - resource_group: etheroute-lon01 - script: './hack/deploy.sh "etheroute-lon01" ""' - environment: - name: etheroute-lon01 - 
-blade-janeway: - extends: .deploy - resource_group: blade-janeway - script: './hack/deploy.sh "blade-janeway" ""' - environment: - name: blade-janeway - -# chakotay and kim are not autodeployed because they're usually off. -#blade-chakotay: -# extends: .deploy -# resource_group: blade-chakotay -# script: './hack/deploy.sh "blade-chakotay" ""' -# environment: -# name: blade-chakotay -# -#blade-kim: -# extends: .deploy -# resource_group: blade-kim -# script: './hack/deploy.sh "blade-kim" ""' -# environment: -# name: blade-kim - -# paris and tuvok are not autodeployed because they are the routers, and I don't trust myself -#blade-paris: -# extends: .deploy -# resource_group: blade-paris -# script: './hack/deploy.sh "blade-paris" ""' -# environment: -# name: blade-paris -# -#blade-tuvok: -# extends: .deploy -# resource_group: blade-tuvok -# script: './hack/deploy.sh "blade-tuvok" ""' -# environment: -# name: blade-tuvok - -blade-torres: - extends: .deploy - resource_group: blade-torres - script: './hack/deploy.sh "blade-torres" ""' - environment: - name: blade-torres - -bvm-nixosmgmt: - extends: .deploy - resource_group: bvm-nixosmgmt - script: './hack/deploy.sh "bvm-nixosmgmt" ""' - environment: - name: bvm-nixosmgmt - -frantech-las01: - extends: .deploy - resource_group: frantech-las01 - script: './hack/deploy.sh "frantech-las01" ""' - environment: - name: frantech-las01 - -frantech-lux01: - extends: .deploy - resource_group: frantech-lux01 - script: './hack/deploy.sh "frantech-lux01" ""' - environment: - name: frantech-lux01 - -frantech-nyc01: - extends: .deploy - resource_group: frantech-nyc01 - script: './hack/deploy.sh "frantech-nyc01" ""' - environment: - name: frantech-nyc01 - -docker-push: - stage: deploy - tags: - # We run this on cacher instead, because disk space. - - cacher - script: './hack/dockerpush.sh' +startPipeline: + stage: start + trigger: + include: + - artifact: gitlab-ci.yml + job: generatePipeline 
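Review bot: The `startPipeline` trigger at the end of the hunk has no `strategy: depend`, so the parent pipeline reports success as soon as the child pipeline is created, regardless of whether the generated nixCache or deploy jobs later fail; adding `strategy: depend` under `trigger:` keeps the parent's status, and anything gated on it, tied to the actual deploys. Separately, the removed commented-out blocks recorded that blade-tuvok was deliberately excluded as a router, but this patch only sets `my.deploy.enable = false` for blade-chakotay, blade-kim, blade-paris and porcorosso; if blade-tuvok is still present in `depot.ops.nixos.systemConfigs`, the new default of `true` in common.nix would start auto-deploying it, which looks like an unintended change. A short comment above `startPipeline` such as `# Jobs are generated from the ops/nixos system configs (see nix/gitlab-ci); hosts opt out with my.deploy.enable = false.` would preserve the intent the old comments carried.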
diff --git a/nix/default.nix b/nix/default.nix index 1f00fb4240..6c4bec3ced 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -4,4 +4,5 @@ args: { pkgs = import ./pkgs args; + gitlab-ci = import ./gitlab-ci args; } diff --git a/nix/gitlab-ci/default.nix b/nix/gitlab-ci/default.nix new file mode 100644 index 0000000000..55be73926f --- /dev/null +++ b/nix/gitlab-ci/default.nix @@ -0,0 +1,50 @@ +# SPDX-FileCopyrightText: 2020 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ depot, lib, pkgs, ... }: +let + cfg = { + stages = [ "build" "deploy" ]; + + nixCache = { + stage = "build"; + image = "nixos/nix:latest"; + script = [ + "nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh" + "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\"" + "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result" + "cat ./result/other-systemPathJSON > systems.json" + ]; + artifacts = { + paths = [ "systems.json" ]; + expire_in = "30 days"; + }; + tags = [ "cacher" ]; + }; + + docker-push = { + stage = "deploy"; + # This requires a sizable amount of temporary disk, so we run it on cacher instead. + tags = [ "cacher" ]; + script = "./hack/dockerpush.sh"; + }; + } // (lib.mapAttrs deployStage deployMachs); + + deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs; + deployStage = machName: mach: { + stage = "deploy"; + needs = [{ job = "nixCache"; artifacts = true; }]; + tags = [ "deployer" ]; + + resource_group = machName; + script = ''./hack/deploy.sh "${machName}" "${mach.config.my.deploy.args}"''; + environment = { + name = machName; + }; + }; + + format = pkgs.formats.yaml { }; + configFile = format.generate ".gitlab-ci.yml" cfg; +in + configFile diff --git a/ops/nixos/blade-chakotay/default.nix b/ops/nixos/blade-chakotay/default.nix index c4fad0958d..3d2fd1677e 100644 
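Review bot: In `deployMachs`, the lambda `(name: cfg: cfg.config.my.deploy.enable)` shadows the outer `cfg` attrset that holds the static jobs, which is confusing given `cfg` is also the merge target two lines above; `(_: sys: sys.config.my.deploy.enable)` avoids the double meaning. Also, `cfg // (lib.mapAttrs deployStage deployMachs)` lets a generated job silently replace a static key of the same name (`stages`, `nixCache`, `docker-push`) because the right-hand side of `//` wins; whether any system is named like that cannot be seen from here, but merging as `lib.mapAttrs deployStage deployMachs // cfg`, or asserting the key sets are disjoint, would make the static jobs authoritative. Finally, `mach.config.my.deploy.args` is spliced into the `script` string inside double quotes, so a value containing a `"` or `$` changes the shell command; interpolating `${lib.escapeShellArg mach.config.my.deploy.args}` instead, or a comment stating that constraint on the option, would make the contract explicit.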
--- a/ops/nixos/blade-chakotay/default.nix +++ b/ops/nixos/blade-chakotay/default.nix @@ -23,6 +23,7 @@ in { internal = "e4:11:5b:ac:e3:b8"; storage = "e4:11:5b:ac:e3:bc"; }; + my.deploy.enable = false; services.ceph = { #osd.enable = true; diff --git a/ops/nixos/blade-kim/default.nix b/ops/nixos/blade-kim/default.nix index ffc0cc5515..82631d02c4 100644 --- a/ops/nixos/blade-kim/default.nix +++ b/ops/nixos/blade-kim/default.nix @@ -23,6 +23,7 @@ in { internal = "e4:11:5b:ac:d1:7a"; storage = "e4:11:5b:ac:d1:7e"; }; + my.deploy.enable = false; services.ceph = { #osd.enable = true; diff --git a/ops/nixos/blade-paris/default.nix b/ops/nixos/blade-paris/default.nix index 3cbce8d56f..f71c47ec21 100644 --- a/ops/nixos/blade-paris/default.nix +++ b/ops/nixos/blade-paris/default.nix @@ -39,6 +39,7 @@ in { storage = "e4:11:5b:ac:e4:8e"; internet = "e4:11:5b:ac:e4:8c"; }; + my.deploy.enable = false; services.ceph = { mon.enable = true; diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix index 267f04cfb9..de8268f7e4 100644 --- a/ops/nixos/default.nix +++ b/ops/nixos/default.nix @@ -68,6 +68,7 @@ let installcdSystem = systemFor "installcd" (import ./installcd); in systemDrvs // { systems = systemDrvs; + systemConfigs = evaledSystems; systemExporters = systemExporters; tailscaleIPs = systemTailscaleIPs; diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix index 92436fe7de..ef1d81fc60 100644 --- a/ops/nixos/lib/common.nix +++ b/ops/nixos/lib/common.nix @@ -25,10 +25,19 @@ in }; options.my.ip.tailscale = lib.mkOption { - type = lib.types.nullOr lib.types.string; + type = lib.types.nullOr lib.types.str; default = null; }; + options.my.deploy.enable = lib.mkOption { + type = lib.types.bool; + default = true; + }; + options.my.deploy.args = lib.mkOption { + type = lib.types.str; + default = ""; + }; + config = { hardware.enableRedistributableFirmware = true; 
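Review bot: The new `options.my.deploy.enable` and `options.my.deploy.args` in the `ops/nixos/lib/common.nix` hunk carry no `description`, so option documentation gives no hint what `args` is or where it ends up. Since `args` is interpolated verbatim into `./hack/deploy.sh "<host>" "<args>"` by `nix/gitlab-ci/default.nix`, a description such as `Extra arguments appended to hack/deploy.sh for this host, e.g. an alternate SSH port.` for `args`, and `Whether CI auto-deploys this host; defaults to true, so routers and usually-off machines must opt out explicitly.` for `enable`, would document the opt-out default that this patch relies on. The enclosing module definition starts and ends outside the hunk.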
diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix index a5b50eefdd..816ea02c57 100644 --- a/ops/nixos/marukuru/default.nix +++ b/ops/nixos/marukuru/default.nix @@ -65,6 +65,7 @@ in { environment.systemPackages = with pkgs; []; services.openssh.ports = [ 20022 ]; + my.deploy.args = "-p 20022"; networking.firewall = { interfaces.docker0.allowedTCPPorts = [ 25 ]; diff --git a/ops/nixos/porcorosso/default.nix b/ops/nixos/porcorosso/default.nix index 04a500050d..5fa4d7eeee 100644 --- a/ops/nixos/porcorosso/default.nix +++ b/ops/nixos/porcorosso/default.nix @@ -68,6 +68,9 @@ in { powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.enableRedistributableFirmware = true; + # Laptop, don't autodeploy. + my.deploy.enable = false; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true;
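Review bot: `my.deploy.args = "-p 20022";` in the marukuru hunk repeats the port literal from `services.openssh.ports = [ 20022 ];` on the line above, so the two can drift apart silently if the SSH port is ever changed and deploys would then target the wrong port. If `config` is in scope in this module (not visible in the hunk), deriving it as `my.deploy.args = "-p ${toString (builtins.head config.services.openssh.ports)}";` keeps a single source of truth; otherwise a comment such as `# Must match services.openssh.ports above.` would at least flag the coupling.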