depot-wide: overhaul GitLab CI configuration

We now use a stub configuration to kick off the pipeline, which is dynamically
generated using Nix config.
This commit is contained in:
Luke Granger-Brown 2021-03-28 15:27:46 +00:00
parent f8b4903286
commit 2b8dce0920
10 changed files with 82 additions and 147 deletions


@ -3,158 +3,25 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
stages: stages:
- build - generate
- deploy - start
nixCache: generatePipeline:
stage: build stage: generate
image: "nixos/nix:latest" image: "nixos/nix:latest"
script: script:
- "nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh" - "nix build -v -f . nix.gitlab-ci --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
- "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\"" - "cat ./result > gitlab-ci.yml"
- "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
- "cat ./result/other-systemPathJSON > systems.json"
artifacts: artifacts:
paths: paths:
- systems.json - gitlab-ci.yml
expire_in: '30 days' expire_in: '30 days'
tags: tags:
- cacher - cacher
.deploy: startPipeline:
stage: deploy stage: start
needs: trigger:
- job: nixCache include:
artifacts: true - artifact: gitlab-ci.yml
tags: job: generatePipeline
- deployer
# environment:
# deployment_tier: production
marukuru:
extends: .deploy
resource_group: marukuru
script: './hack/deploy.sh "marukuru" "-p 20022"'
environment:
name: marukuru
clouvider-fra01:
extends: .deploy
resource_group: clouvider-fra01
script: './hack/deploy.sh "clouvider-fra01" ""'
environment:
name: clouvider-fra01
kusakabe:
extends: .deploy
resource_group: kusakabe
script: './hack/deploy.sh "kusakabe" ""'
environment:
name: kusakabe
clouvider-lon01:
extends: .deploy
resource_group: clouvider-lon01
script: './hack/deploy.sh "clouvider-lon01" ""'
environment:
name: clouvider-lon01
totoro:
extends: .deploy
resource_group: totoro
script: './hack/deploy.sh "totoro" ""'
environment:
name: totoro
swann:
extends: .deploy
resource_group: swann
script: './hack/deploy.sh "swann" ""'
environment:
name: swann
etheroute-lon01:
extends: .deploy
resource_group: etheroute-lon01
script: './hack/deploy.sh "etheroute-lon01" ""'
environment:
name: etheroute-lon01
blade-janeway:
extends: .deploy
resource_group: blade-janeway
script: './hack/deploy.sh "blade-janeway" ""'
environment:
name: blade-janeway
# chakotay and kim are not autodeployed because they're usually off.
#blade-chakotay:
# extends: .deploy
# resource_group: blade-chakotay
# script: './hack/deploy.sh "blade-chakotay" ""'
# environment:
# name: blade-chakotay
#
#blade-kim:
# extends: .deploy
# resource_group: blade-kim
# script: './hack/deploy.sh "blade-kim" ""'
# environment:
# name: blade-kim
# paris and tuvok are not autodeployed because they are the routers, and I don't trust myself
#blade-paris:
# extends: .deploy
# resource_group: blade-paris
# script: './hack/deploy.sh "blade-paris" ""'
# environment:
# name: blade-paris
#
#blade-tuvok:
# extends: .deploy
# resource_group: blade-tuvok
# script: './hack/deploy.sh "blade-tuvok" ""'
# environment:
# name: blade-tuvok
blade-torres:
extends: .deploy
resource_group: blade-torres
script: './hack/deploy.sh "blade-torres" ""'
environment:
name: blade-torres
bvm-nixosmgmt:
extends: .deploy
resource_group: bvm-nixosmgmt
script: './hack/deploy.sh "bvm-nixosmgmt" ""'
environment:
name: bvm-nixosmgmt
frantech-las01:
extends: .deploy
resource_group: frantech-las01
script: './hack/deploy.sh "frantech-las01" ""'
environment:
name: frantech-las01
frantech-lux01:
extends: .deploy
resource_group: frantech-lux01
script: './hack/deploy.sh "frantech-lux01" ""'
environment:
name: frantech-lux01
frantech-nyc01:
extends: .deploy
resource_group: frantech-nyc01
script: './hack/deploy.sh "frantech-nyc01" ""'
environment:
name: frantech-nyc01
docker-push:
stage: deploy
tags:
# We run this on cacher instead, because disk space.
- cacher
script: './hack/dockerpush.sh'
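Review bot: The `startPipeline` job at the end of the new side has `trigger:` / `include:` but no `strategy: depend`, so the parent pipeline is reported successful as soon as the child pipeline is created and a failed deploy job in the generated pipeline never fails the parent; adding `strategy: depend` under `trigger:` keeps the parent's status (and anything gated on it) tied to the child's outcome. Separately, the generated `gitlab-ci.yml` is now a Nix store path built with `s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1` in the substituters; if I read the `trusted=1` store parameter correctly, unsigned paths from that bucket are accepted, so the integrity of the pipeline definition now rests on the bucket's write access controls rather than on a signing key — worth either signing what `nix copy` pushes there or building the generator job without `trusted=1`. The `populate_secrets.sh` and `nix copy` steps dropped here reappear in nix/gitlab-ci/default.nix, so the generator job itself no longer needs the deploy secrets, which narrows what this stage can see.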


@ -4,4 +4,5 @@
args: { args: {
pkgs = import ./pkgs args; pkgs = import ./pkgs args;
gitlab-ci = import ./gitlab-ci args;
} }

50
nix/gitlab-ci/default.nix Normal file

@ -0,0 +1,50 @@
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, ... }:
let
cfg = {
stages = [ "build" "deploy" ];
nixCache = {
stage = "build";
image = "nixos/nix:latest";
script = [
"nix run -f ./ third_party.nixpkgs.bash -c ./hack/populate_secrets.sh"
"nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org/ s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
"nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
"cat ./result/other-systemPathJSON > systems.json"
];
artifacts = {
paths = [ "systems.json" ];
expire_in = "30 days";
};
tags = [ "cacher" ];
};
docker-push = {
stage = "deploy";
# This requires a sizable amount of temporary disk, so we run it on cacher instead.
tags = [ "cacher" ];
script = "./hack/dockerpush.sh";
};
} // (lib.mapAttrs deployStage deployMachs);
deployMachs = lib.filterAttrs (name: cfg: cfg.config.my.deploy.enable) depot.ops.nixos.systemConfigs;
deployStage = machName: mach: {
stage = "deploy";
needs = [{ job = "nixCache"; artifacts = true; }];
tags = [ "deployer" ];
resource_group = machName;
script = ''./hack/deploy.sh "${machName}" "${mach.config.my.deploy.args}"'';
environment = {
name = machName;
};
};
format = pkgs.formats.yaml { };
configFile = format.generate ".gitlab-ci.yml" cfg;
in
configFile
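Review bot: `deployMachs` on the `lib.filterAttrs` line relies on `my.deploy.enable` defaulting to true, and this commit only switches it off for three blade configs plus the laptop, while the YAML it replaces kept four blades (chakotay, kim, paris, tuvok) out of autodeploy; worth confirming the fourth is absent from `systemConfigs` or disabled elsewhere before this lands. The `// (lib.mapAttrs deployStage deployMachs)` merge lets a machine name override a top-level key, so a system called `nixCache`, `docker-push` or `stages` would silently replace that entry; an `assert` that `deployMachs` shares no names with the fixed jobs would make such a collision loud. The lambda parameter `cfg` in `deployMachs` shadows the outer `cfg` binding, which reads as accidental — renaming it to `sys` avoids the ambiguity. The machine name and `my.deploy.args` are interpolated straight into the shell line in `deployStage`; both come from depot config rather than untrusted input, so this is a style point, but `lib.escapeShellArg` on each would keep a future value with quotes intact.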


@ -23,6 +23,7 @@ in {
internal = "e4:11:5b:ac:e3:b8"; internal = "e4:11:5b:ac:e3:b8";
storage = "e4:11:5b:ac:e3:bc"; storage = "e4:11:5b:ac:e3:bc";
}; };
my.deploy.enable = false;
services.ceph = { services.ceph = {
#osd.enable = true; #osd.enable = true;
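Review bot: The added `my.deploy.enable = false;` carries no reason, unlike the laptop change in this commit which says why, and the removed YAML explained that these hosts were excluded because they are usually off or act as routers; that rationale is lost here. Suggest a comment above the line such as `# Not autodeployed: <reason>; deploy jobs are generated from nix/gitlab-ci/default.nix.` with the host's actual reason filled in. The same applies to the two following hunks that add the identical line.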


@ -23,6 +23,7 @@ in {
internal = "e4:11:5b:ac:d1:7a"; internal = "e4:11:5b:ac:d1:7a";
storage = "e4:11:5b:ac:d1:7e"; storage = "e4:11:5b:ac:d1:7e";
}; };
my.deploy.enable = false;
services.ceph = { services.ceph = {
#osd.enable = true; #osd.enable = true;


@ -39,6 +39,7 @@ in {
storage = "e4:11:5b:ac:e4:8e"; storage = "e4:11:5b:ac:e4:8e";
internet = "e4:11:5b:ac:e4:8c"; internet = "e4:11:5b:ac:e4:8c";
}; };
my.deploy.enable = false;
services.ceph = { services.ceph = {
mon.enable = true; mon.enable = true;


@ -68,6 +68,7 @@ let
installcdSystem = systemFor "installcd" (import ./installcd); installcdSystem = systemFor "installcd" (import ./installcd);
in systemDrvs // { in systemDrvs // {
systems = systemDrvs; systems = systemDrvs;
systemConfigs = evaledSystems;
systemExporters = systemExporters; systemExporters = systemExporters;
tailscaleIPs = systemTailscaleIPs; tailscaleIPs = systemTailscaleIPs;


@ -25,10 +25,19 @@ in
}; };
options.my.ip.tailscale = lib.mkOption { options.my.ip.tailscale = lib.mkOption {
type = lib.types.nullOr lib.types.string; type = lib.types.nullOr lib.types.str;
default = null; default = null;
}; };
options.my.deploy.enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
options.my.deploy.args = lib.mkOption {
type = lib.types.str;
default = "";
};
config = { config = {
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
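Review bot: The two new `options.my.deploy.*` options have no `description`, so nothing tells a reader that `enable` controls whether a GitLab CI deploy job is generated for the system or that `args` is passed verbatim to `./hack/deploy.sh`; add e.g. `description = "Generate a GitLab CI deploy job for this system.";` and `description = "Extra arguments passed to hack/deploy.sh for this system.";`. Because `enable` defaults to `true`, every entry of `systemConfigs` is deployed unless it opts out, which is the reverse of the usual `mkEnableOption` convention; that is defensible for this repo but deserves a comment on the `default = true;` line. The `lib.types.string` → `lib.types.str` change on the tailscale option is unrelated to the deploy work and would be easier to follow in its own commit.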


@ -65,6 +65,7 @@ in {
environment.systemPackages = with pkgs; []; environment.systemPackages = with pkgs; [];
services.openssh.ports = [ 20022 ]; services.openssh.ports = [ 20022 ];
my.deploy.args = "-p 20022";
networking.firewall = { networking.firewall = {
interfaces.docker0.allowedTCPPorts = [ 25 ]; interfaces.docker0.allowedTCPPorts = [ 25 ];
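Review bot: `my.deploy.args = "-p 20022";` repeats the port number from `services.openssh.ports = [ 20022 ];` on the line above, so the two can drift apart silently. If `config` is among this module's arguments, deriving it as `my.deploy.args = "-p ${toString (builtins.head config.services.openssh.ports)}";` keeps them in step.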


@ -68,6 +68,9 @@ in {
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
# Laptop, don't autodeploy.
my.deploy.enable = false;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;