depot-wide: overhaul GitLab CI configuration
We now use a stub configuration to kick off the pipeline; the real pipeline configuration is generated dynamically from the Nix config.
parent
f8b4903286
commit
2b8dce0920
10 changed files with 82 additions and 147 deletions
159
.gitlab-ci.yml
159
.gitlab-ci.yml
|
@ -3,158 +3,25 @@
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
stages:
|
stages:
|
||||||
- build
|
- generate
|
||||||
- deploy
|
- start
|
||||||
|
|
||||||
nixCache:
|
generatePipeline:
|
||||||
stage: build
|
stage: generate
|
||||||
image: "nixos/nix:latest"
|
image: "nixos/nix:latest"
|
||||||
script:
|
script:
|
||||||
- "nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh"
|
- "nix build -v -f . nix.gitlab-ci --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
|
||||||
- "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
|
- "cat ./result > gitlab-ci.yml"
|
||||||
- "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
|
|
||||||
- "cat ./result/other-systemPathJSON > systems.json"
|
|
||||||
artifacts:
|
artifacts:
|
||||||
paths:
|
paths:
|
||||||
- systems.json
|
- gitlab-ci.yml
|
||||||
expire_in: '30 days'
|
expire_in: '30 days'
|
||||||
tags:
|
tags:
|
||||||
- cacher
|
- cacher
|
||||||
|
|
||||||
.deploy:
|
startPipeline:
|
||||||
stage: deploy
|
stage: start
|
||||||
needs:
|
trigger:
|
||||||
- job: nixCache
|
include:
|
||||||
artifacts: true
|
- artifact: gitlab-ci.yml
|
||||||
tags:
|
job: generatePipeline
|
||||||
- deployer
|
|
||||||
# environment:
|
|
||||||
# deployment_tier: production
|
|
||||||
|
|
||||||
marukuru:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: marukuru
|
|
||||||
script: './hack/deploy.sh "marukuru" "-p 20022"'
|
|
||||||
environment:
|
|
||||||
name: marukuru
|
|
||||||
|
|
||||||
clouvider-fra01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: clouvider-fra01
|
|
||||||
script: './hack/deploy.sh "clouvider-fra01" ""'
|
|
||||||
environment:
|
|
||||||
name: clouvider-fra01
|
|
||||||
|
|
||||||
kusakabe:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: kusakabe
|
|
||||||
script: './hack/deploy.sh "kusakabe" ""'
|
|
||||||
environment:
|
|
||||||
name: kusakabe
|
|
||||||
|
|
||||||
clouvider-lon01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: clouvider-lon01
|
|
||||||
script: './hack/deploy.sh "clouvider-lon01" ""'
|
|
||||||
environment:
|
|
||||||
name: clouvider-lon01
|
|
||||||
|
|
||||||
totoro:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: totoro
|
|
||||||
script: './hack/deploy.sh "totoro" ""'
|
|
||||||
environment:
|
|
||||||
name: totoro
|
|
||||||
|
|
||||||
swann:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: swann
|
|
||||||
script: './hack/deploy.sh "swann" ""'
|
|
||||||
environment:
|
|
||||||
name: swann
|
|
||||||
|
|
||||||
etheroute-lon01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: etheroute-lon01
|
|
||||||
script: './hack/deploy.sh "etheroute-lon01" ""'
|
|
||||||
environment:
|
|
||||||
name: etheroute-lon01
|
|
||||||
|
|
||||||
blade-janeway:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: blade-janeway
|
|
||||||
script: './hack/deploy.sh "blade-janeway" ""'
|
|
||||||
environment:
|
|
||||||
name: blade-janeway
|
|
||||||
|
|
||||||
# chakotay and kim are not autodeployed because they're usually off.
|
|
||||||
#blade-chakotay:
|
|
||||||
# extends: .deploy
|
|
||||||
# resource_group: blade-chakotay
|
|
||||||
# script: './hack/deploy.sh "blade-chakotay" ""'
|
|
||||||
# environment:
|
|
||||||
# name: blade-chakotay
|
|
||||||
#
|
|
||||||
#blade-kim:
|
|
||||||
# extends: .deploy
|
|
||||||
# resource_group: blade-kim
|
|
||||||
# script: './hack/deploy.sh "blade-kim" ""'
|
|
||||||
# environment:
|
|
||||||
# name: blade-kim
|
|
||||||
|
|
||||||
# paris and tuvok are not autodeployed because they are the routers, and I don't trust myself
|
|
||||||
#blade-paris:
|
|
||||||
# extends: .deploy
|
|
||||||
# resource_group: blade-paris
|
|
||||||
# script: './hack/deploy.sh "blade-paris" ""'
|
|
||||||
# environment:
|
|
||||||
# name: blade-paris
|
|
||||||
#
|
|
||||||
#blade-tuvok:
|
|
||||||
# extends: .deploy
|
|
||||||
# resource_group: blade-tuvok
|
|
||||||
# script: './hack/deploy.sh "blade-tuvok" ""'
|
|
||||||
# environment:
|
|
||||||
# name: blade-tuvok
|
|
||||||
|
|
||||||
blade-torres:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: blade-torres
|
|
||||||
script: './hack/deploy.sh "blade-torres" ""'
|
|
||||||
environment:
|
|
||||||
name: blade-torres
|
|
||||||
|
|
||||||
bvm-nixosmgmt:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: bvm-nixosmgmt
|
|
||||||
script: './hack/deploy.sh "bvm-nixosmgmt" ""'
|
|
||||||
environment:
|
|
||||||
name: bvm-nixosmgmt
|
|
||||||
|
|
||||||
frantech-las01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: frantech-las01
|
|
||||||
script: './hack/deploy.sh "frantech-las01" ""'
|
|
||||||
environment:
|
|
||||||
name: frantech-las01
|
|
||||||
|
|
||||||
frantech-lux01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: frantech-lux01
|
|
||||||
script: './hack/deploy.sh "frantech-lux01" ""'
|
|
||||||
environment:
|
|
||||||
name: frantech-lux01
|
|
||||||
|
|
||||||
frantech-nyc01:
|
|
||||||
extends: .deploy
|
|
||||||
resource_group: frantech-nyc01
|
|
||||||
script: './hack/deploy.sh "frantech-nyc01" ""'
|
|
||||||
environment:
|
|
||||||
name: frantech-nyc01
|
|
||||||
|
|
||||||
docker-push:
|
|
||||||
stage: deploy
|
|
||||||
tags:
|
|
||||||
# We run this on cacher instead, because disk space.
|
|
||||||
- cacher
|
|
||||||
script: './hack/dockerpush.sh'
|
|
||||||
|
|
|
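Review bot: `startPipeline` at the end of the hunk triggers the generated child pipeline without `strategy: depend`, so the parent pipeline reports success as soon as the child is created, regardless of whether the child's build or deploy jobs later fail; add `strategy: depend` under `trigger:` so the parent's status, and anything gating on it, mirrors the child. The retained `nix build` line still passes `s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1` as a substituter, which as I read Nix's store URI parameters means unsigned paths from that bucket are accepted, so the bucket's write ACL is effectively part of the trust boundary for the `gitlab-ci.yml` that the trigger then executes; a one-line comment above the `script:` stating that this cache is treated as trusted input would make that explicit for the next reader. Note `artifacts: paths: - gitlab-ci.yml` is a file in the job's working directory, so if `nix build` fails before `cat` the artifact is simply absent and the trigger job fails with an include error rather than a build error; `set -e` semantics of the runner shell cover this, but the message is indirect.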
@ -4,4 +4,5 @@
|
||||||
|
|
||||||
args: {
|
args: {
|
||||||
pkgs = import ./pkgs args;
|
pkgs = import ./pkgs args;
|
||||||
|
gitlab-ci = import ./gitlab-ci args;
|
||||||
}
|
}
|
||||||
|
|
50
nix/gitlab-ci/default.nix
Normal file
50
nix/gitlab-ci/default.nix
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
{ depot, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = {
|
||||||
|
stages = [ "build" "deploy" ];
|
||||||
|
|
||||||
|
nixCache = {
|
||||||
|
stage = "build";
|
||||||
|
image = "nixos/nix:latest";
|
||||||
|
script = [
|
||||||
|
"nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh"
|
||||||
|
"nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
|
||||||
|
"nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
|
||||||
|
"cat ./result/other-systemPathJSON > systems.json"
|
||||||
|
];
|
||||||
|
artifacts = {
|
||||||
|
paths = [ "systems.json" ];
|
||||||
|
expire_in = "30 days";
|
||||||
|
};
|
||||||
|
tags = [ "cacher" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
docker-push = {
|
||||||
|
stage = "deploy";
|
||||||
|
# This requires a sizable amount of temporary disk, so we run it on cacher instead.
|
||||||
|
tags = [ "cacher" ];
|
||||||
|
script = "./hack/dockerpush.sh";
|
||||||
|
};
|
||||||
|
} // (lib.mapAttrs deployStage deployMachs);
|
||||||
|
|
||||||
|
deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
|
||||||
|
deployStage = machName: mach: {
|
||||||
|
stage = "deploy";
|
||||||
|
needs = [{ job = "nixCache"; artifacts = true; }];
|
||||||
|
tags = [ "deployer" ];
|
||||||
|
|
||||||
|
resource_group = machName;
|
||||||
|
script = ''./hack/deploy.sh "${machName}" "${mach.config.my.deploy.args}"'';
|
||||||
|
environment = {
|
||||||
|
name = machName;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
format = pkgs.formats.yaml { };
|
||||||
|
configFile = format.generate ".gitlab-ci.yml" cfg;
|
||||||
|
in
|
||||||
|
configFile
|
|
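Review bot: `deployStage` interpolates `machName` and `mach.config.my.deploy.args` straight into the shell line `script = ''./hack/deploy.sh "${machName}" "${mach.config.my.deploy.args}"'';`, so a double quote, backtick or `$` in either value (both come from module options, and `deploy.args` is a free-form `str`) changes the command rather than the argument; `script = "./hack/deploy.sh ${lib.escapeShellArgs [ machName mach.config.my.deploy.args ]}";` yields the same two positional arguments with the quoting done by nixpkgs, including the empty-string case the old per-machine jobs relied on. Separately, the lambda in `deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;` shadows the outer `cfg` binding from the top of the `let`; renaming the parameter to `sys` avoids reading it as the pipeline config. The `nixCache` job keeps the same `trusted=1` substituter as the previous top-level `.gitlab-ci.yml`, so the trust placed in that bucket is unchanged by the move, but it is now two files away from the trigger that consumes its output and deserves a comment here as well.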
@ -23,6 +23,7 @@ in {
|
||||||
internal = "e4:11:5b:ac:e3:b8";
|
internal = "e4:11:5b:ac:e3:b8";
|
||||||
storage = "e4:11:5b:ac:e3:bc";
|
storage = "e4:11:5b:ac:e3:bc";
|
||||||
};
|
};
|
||||||
|
my.deploy.enable = false;
|
||||||
|
|
||||||
services.ceph = {
|
services.ceph = {
|
||||||
#osd.enable = true;
|
#osd.enable = true;
|
||||||
|
|
|
@ -23,6 +23,7 @@ in {
|
||||||
internal = "e4:11:5b:ac:d1:7a";
|
internal = "e4:11:5b:ac:d1:7a";
|
||||||
storage = "e4:11:5b:ac:d1:7e";
|
storage = "e4:11:5b:ac:d1:7e";
|
||||||
};
|
};
|
||||||
|
my.deploy.enable = false;
|
||||||
|
|
||||||
services.ceph = {
|
services.ceph = {
|
||||||
#osd.enable = true;
|
#osd.enable = true;
|
||||||
|
|
|
@ -39,6 +39,7 @@ in {
|
||||||
storage = "e4:11:5b:ac:e4:8e";
|
storage = "e4:11:5b:ac:e4:8e";
|
||||||
internet = "e4:11:5b:ac:e4:8c";
|
internet = "e4:11:5b:ac:e4:8c";
|
||||||
};
|
};
|
||||||
|
my.deploy.enable = false;
|
||||||
|
|
||||||
services.ceph = {
|
services.ceph = {
|
||||||
mon.enable = true;
|
mon.enable = true;
|
||||||
|
|
|
@ -68,6 +68,7 @@ let
|
||||||
installcdSystem = systemFor "installcd" (import ./installcd);
|
installcdSystem = systemFor "installcd" (import ./installcd);
|
||||||
in systemDrvs // {
|
in systemDrvs // {
|
||||||
systems = systemDrvs;
|
systems = systemDrvs;
|
||||||
|
systemConfigs = evaledSystems;
|
||||||
systemExporters = systemExporters;
|
systemExporters = systemExporters;
|
||||||
tailscaleIPs = systemTailscaleIPs;
|
tailscaleIPs = systemTailscaleIPs;
|
||||||
|
|
||||||
|
|
|
@ -25,10 +25,19 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
options.my.ip.tailscale = lib.mkOption {
|
options.my.ip.tailscale = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.string;
|
type = lib.types.nullOr lib.types.str;
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
options.my.deploy.enable = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
options.my.deploy.args = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "";
|
||||||
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
hardware.enableRedistributableFirmware = true;
|
hardware.enableRedistributableFirmware = true;
|
||||||
|
|
||||||
|
|
|
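Review bot: Both new `mkOption` declarations (`options.my.deploy.enable` and `options.my.deploy.args`) carry no `description`, and the `enable` default of `true` means every system in `systemConfigs` is auto-deployed unless it explicitly opts out, which is worth stating where the option is declared rather than leaving to the generator. Suggest `description = "Whether CI auto-deploys this system. Defaults to true, so hosts that must not be touched automatically set this to false.";` on `enable` and `description = "Extra arguments passed verbatim to hack/deploy.sh for this system (for example an SSH port flag).";` on `args`. Since `deploy.args` is consumed inside a shell command in the generator added by this commit (I can only infer that from the other hunk), the `args` description should also say that the value ends up on a command line, so future editors know it is not free text.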
@ -65,6 +65,7 @@ in {
|
||||||
environment.systemPackages = with pkgs; [];
|
environment.systemPackages = with pkgs; [];
|
||||||
|
|
||||||
services.openssh.ports = [ 20022 ];
|
services.openssh.ports = [ 20022 ];
|
||||||
|
my.deploy.args = "-p 20022";
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
interfaces.docker0.allowedTCPPorts = [ 25 ];
|
interfaces.docker0.allowedTCPPorts = [ 25 ];
|
||||||
|
|
|
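Review bot: `my.deploy.args = "-p 20022";` duplicates the port literal from `services.openssh.ports = [ 20022 ];` two lines above, so a future port change has to be made in two places and a mismatch only surfaces as a failed deploy. If `config` is among this module's arguments (its header is outside the hunk), `my.deploy.args = "-p ${toString (builtins.head config.services.openssh.ports)}";` keeps the two in step from a single source.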
@ -68,6 +68,9 @@ in {
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||||
hardware.enableRedistributableFirmware = true;
|
hardware.enableRedistributableFirmware = true;
|
||||||
|
|
||||||
|
# Laptop, don't autodeploy.
|
||||||
|
my.deploy.enable = false;
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|