diff --git a/docker-images.nix b/docker-images.nix
index 6d8c725202..e814db6b3e 100644
--- a/docker-images.nix
+++ b/docker-images.nix
@@ -9,6 +9,7 @@ let
   images = {
     "registry.apps.k8s.lukegb.tech/twitterchiver/archiver:latest" = depot.go.twitterchiver.archiver.dockerImage;
     "registry.apps.k8s.lukegb.tech/lukegb-openshiftauth-test/example:latest" = depot.go.openshiftauth.example.dockerImage;
+    "registry.apps.k8s.lukegb.tech/depotcron/update_nixpkgs:latest" = depot.ops.maint.update_nixpkgs;
   };
 
   crane = "${depot.nix.pkgs.crane}/bin/crane";
diff --git a/ops/default.nix b/ops/default.nix
index ab4181cbb1..219e52433f 100644
--- a/ops/default.nix
+++ b/ops/default.nix
@@ -4,5 +4,6 @@
 
 args: {
   nixos = import ./nixos args;
+  maint = import ./maint args;
   secrets = import ./secrets args;
-}
\ No newline at end of file
+}
diff --git a/ops/maint/default.nix b/ops/maint/default.nix
new file mode 100644
index 0000000000..e46e735da0
--- /dev/null
+++ b/ops/maint/default.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+args: {
+  update_nixpkgs = import ./update_nixpkgs args;
+}
diff --git a/ops/maint/update_nixpkgs/default.nix b/ops/maint/update_nixpkgs/default.nix
new file mode 100644
index 0000000000..8a80357115
--- /dev/null
+++ b/ops/maint/update_nixpkgs/default.nix
@@ -0,0 +1,61 @@
+{ depot, lib, ... }:
+let
+  inherit (depot) pkgs;
+  mercurial = (pkgs.mercurial.overridePythonAttrs (origAttrs: {
+    propagatedBuildInputs = origAttrs.propagatedBuildInputs ++ [pkgs.python3Packages.hg-evolve];
+  }));
+  updateNixpkgs = pkgs.runCommandNoCC "update_nixpkgs" {
+    buildInputs = with pkgs; [ makeWrapper ];
+  } ''
+    mkdir -p $out/bin
+    cp ${./update_nixpkgs.sh} $out/bin/update_nixpkgs
+    chmod +x $out/bin/update_nixpkgs
+    patchShebangs --host $out/bin
+    wrapProgram $out/bin/update_nixpkgs \
+      --prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [ bashInteractive mercurial openssh coreutils copybara git gnused ])}
+  '';
+in
+pkgs.dockerTools.buildImage {
+  name = "update_nixpkgs";
+  config = {
+    Cmd = [ "${updateNixpkgs}/bin/update_nixpkgs" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "USER=root"
+    ];
+  };
+
+  contents = [
+    pkgs.cacert updateNixpkgs
+    (pkgs.runCommandNoCC "update_nixpkgs_content" {} ''
+      mkdir $out $out/root $out/root/.ssh $out/etc $out/tmp
+      chmod 700 $out/root $out/root/.ssh
+      chmod 1777 $out/tmp
+
+      cat <$out/etc/passwd
+root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
+EOF
+
+      cat <$out/root/.ssh/config
+Host hg
+  Hostname hg.lukegb.com
+  User hg
+  StrictHostKeyChecking no
+  IdentityFile /secrets/ssh_id
+EOF
+
+      cat <$out/root/.hgrc
+[extensions]
+histedit =
+rebase =
+strip =
+remotenames =
+amend =
+evolve =
+topic =
+purge =
+share =
+EOF
+    '')
+  ];
+}
diff --git a/ops/maint/update_nixpkgs/localtest.sh b/ops/maint/update_nixpkgs/localtest.sh
new file mode 100755
index 0000000000..c6ec7f0c18
--- /dev/null
+++ b/ops/maint/update_nixpkgs/localtest.sh
@@ -0,0 +1 @@
+cat $(nix-build --option builders '' -A ops.maint.update_nixpkgs $HOME/depot) | podman load update_nixpkgs && podman run -it --rm -v $(readlink -f $HOME/update_nixpkgs_tmp/secrets):/secrets -v $(readlink -f $HOME/update_nixpkgs_tmp/depot):/depot update_nixpkgs 2>&1 | tee $HOME/update_nixpkgs_tmp/log.log
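Review bot: The baked-in `/root/.ssh/config` sets `StrictHostKeyChecking no` for `Host hg`, and since every run starts from an image with no known_hosts the server key is never pinned, so an on-path attacker could impersonate hg.lukegb.com to the clone and to the later push that uses the write-capable key mounted at `/secrets/ssh_id`. Pin the key instead of skipping the check: replace that line with `StrictHostKeyChecking yes` and `UserKnownHostsFile /secrets/known_hosts`, or write the host's public key into `$out/root/.ssh/known_hosts` next to the config. The heredocs render here as `cat <$out/etc/passwd` and similar, which looks like `cat <<EOF >$out/...` lost to extraction; worth confirming the committed file is intact. Separately, `makeWrapper` belongs in `nativeBuildInputs` rather than `buildInputs` for this `runCommandNoCC`, although it works in a non-cross build.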
diff --git a/ops/maint/update_nixpkgs/update_nixpkgs.sh b/ops/maint/update_nixpkgs/update_nixpkgs.sh
new file mode 100755
index 0000000000..4eb998af78
--- /dev/null
+++ b/ops/maint/update_nixpkgs/update_nixpkgs.sh
@@ -0,0 +1,77 @@
+#!/bin/env bash
+
+function die() { echo "$*" >&2; exit 1; }
+
+function check_preconditions() {
+  test -d /secrets || die "no /secrets directory"
+  test -d /depot || die "no /depot directory"
+}
+
+function clone_depot() {
+  echo Cloning depot to /depot/depot >&2
+  hg clone ssh://hg/lukegb/depot /depot/depot
+  cd /depot/depot
+}
+
+function update_depot() {
+  echo Updating depot checkout in /depot/depot >&2
+  cd /depot/depot
+  hg revert -a
+  hg pull
+  hg update -r default -C
+  hg purge --all
+  hg strip --no-backup 'roots(outgoing())' || true
+}
+
+function make_depot_fresh() {
+  if test -d /depot/depot; then
+    update_depot
+  else
+    clone_depot
+  fi
+}
+
+function clone_nixpkgs() {
+  echo Cloning nixpkgs to /depot/nixpkgs >&2
+  git clone --bare https://github.com/NixOS/nixpkgs.git /depot/nixpkgs
+}
+
+function update_nixpkgs() {
+  echo Updating nixpkgs checkout in /depot/nixpkgs >&2
+  pushd /depot/nixpkgs
+  git fetch origin nixos-unstable
+  git branch -f master FETCH_HEAD
+  popd
+}
+
+function make_nixpkgs_fresh() {
+  if test -d /depot/nixpkgs; then
+    update_nixpkgs
+  else
+    clone_nixpkgs
+  fi
+}
+
+function main() {
+  set -euxo pipefail
+  check_preconditions
+  make_depot_fresh
+  make_nixpkgs_fresh
+
+  # Pre-seed the copybara cache directory, so it doesn't try to do the clone itself.
+  mkdir -p $HOME/copybara/cache/{git_repos,hg_repos}
+  hg clone --noupdate /depot/depot $HOME/copybara/cache/hg_repos/file%3A%2F%2F%2Fdepot%2Fdepot
+  git clone --mirror /depot/nixpkgs $HOME/copybara/cache/git_repos/https%3A%2F%2Fgithub%2Ecom%2FNixOS%2Fnixpkgs%2Egit
+
+  sed -i 's,file:///home/lukegb/depot,file:///depot/depot,g' ./third_party/nixpkgs/copy.bara.sky
+  copybara migrate --verbose ./third_party/nixpkgs/copy.bara.sky || exit 0
+
+  # Reset to a clean state.
+  hg update -r default -C
+  hg purge --all
+
+  # And push, if it that worked.
+  hg push -r .
+}
+
+main
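Review bot: `copybara migrate ... || exit 0` in `main` turns every copybara failure (auth, network, a broken copy.bara.sky) into a successful exit, so this cron job can silently stop updating nixpkgs while the k8s job keeps reporting success. If the intent is to treat "nothing to migrate" as success, branch on copybara's exit status instead (it reports a no-op with a distinct non-zero code, 4 if I recall, so check that against the copybara version pinned in depot) and route anything else through the existing `die` so the failure is recorded. The fence below replaces the two lines after the `sed`, with the rest of `main` unchanged. Unrelated but nearby, the comment `# And push, if it that worked.` presumably should read `# And push, if that worked.`.
```shell
  sed -i 's,file:///home/lukegb/depot,file:///depot/depot,g' ./third_party/nixpkgs/copy.bara.sky
  rc=0
  copybara migrate --verbose ./third_party/nixpkgs/copy.bara.sky || rc=$?
  case "$rc" in
    0) ;;
    4) echo "copybara: nothing to migrate" >&2; exit 0 ;;  # TODO confirm the no-op exit code for the pinned copybara
    *) die "copybara migrate failed (exit $rc)" ;;
  esac
  # … unchanged: hg update/purge/push …
```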