diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0587e9be6d..0109bba679 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,6 @@
 stages:
   - build
+  - deploy
 
 nixCache:
   stage: build
@@ -9,3 +10,19 @@ nixCache:
     - "cp ${OPS_SECRETS_DEFAULT_NIX} ops/secrets/default.nix"
     - "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
     - "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
+
+.deploy:
+  stage: deploy
+  rules:
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+  variables:
+    SSH_ARGS: ''
+  script: './hack/deploy.sh "$DEPLOY_TO" "$SSH_ARGS"'
+  tags:
+    - deployer
+
+ixvm-fra01:
+  extends: .deploy
+  variables:
+    # TODO(lukegb): DNS...
+    DEPLOY_TO: "141.98.136.124"
diff --git a/hack/deploy.sh b/hack/deploy.sh
new file mode 100755
index 0000000000..8951a08cfa
--- /dev/null
+++ b/hack/deploy.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo Dropping files into place as defined by manifest...
+while read -r manifest_line; do
+  IFS='=' read -ra manifest_bits <<< "$manifest_line"
+  if [[ "${#manifest_bits[@]}" -ne 2 ]]; then continue; fi
+  echo -e "\t${manifest_bits[1]}"
+  cp "${!manifest_bits[0]}" "${manifest_bits[1]}"
+done <<< "$SECRETS_MANIFEST"
+
+if [ -z ${2+x} ]; then ssh_cmd="ssh"; else ssh_cmd="ssh $2"; fi
+
+echo Syncing repo content to machine "$1"
+rsync -e "$ssh_cmd" -avz --exclude='.hg/' ./ "deployer@$1:depot/"
+
+echo Triggering rebuild
+$ssh_cmd -t "deployer@$1" rebuilder depot/
diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix
index 1e2c7bab54..2590be0804 100644
--- a/ops/nixos/marukuru/default.nix
+++ b/ops/nixos/marukuru/default.nix
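Review bot: Nothing serialises runs of the `.deploy` template: `rules` limits it to the default branch, but the runner this commit registers has `concurrent = 4`, so two default-branch pipelines can rsync into `deployer@$DEPLOY_TO:depot/` and invoke `rebuilder` at the same time; add `resource_group: ixvm-fra01` to the concrete job so GitLab queues them. `SSH_ARGS` is an ordinary job variable and can therefore be overridden when a pipeline is triggered, e.g. to pass `-o StrictHostKeyChecking=no`, so if it only exists for per-host options it is safer to set it on the concrete job than to leave an empty overridable default. `DEPLOY_TO` is a bare IP and no host-key material appears in this file, so whether the connection is verified rests entirely on the runner's `known_hosts`; a comment next to the DNS TODO recording that assumption would help the next person who adds a host.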
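Review bot: The `cp "${!manifest_bits[0]}" "${manifest_bits[1]}"` in the manifest loop writes each secret file with whatever the runner's umask yields (typically 0644) and the following `rsync -avz ./` then ships it to the target with those permissions preserved; `install -m 0600 "${!manifest_bits[0]}" "${manifest_bits[1]}"` keeps the copies owner-only on both ends. The destination taken from `SECRETS_MANIFEST` is used unchecked, so an absolute or `..` path (presumably the lines are `VAR=relative/path`, like the `ops/secrets/default.nix` copy in the nixCache job) writes outside the checkout; a guard such as `case "${manifest_bits[1]}" in /*|*..*) echo "bad manifest path: ${manifest_bits[1]}" >&2; exit 1;; esac` before the copy keeps writes inside the tree. `set -u` already aborts on an unset source variable through `${!…}`, which is good, but because `IFS='='` splits on every `=` a destination containing `=` is silently dropped by the field-count check rather than reported. Host-key checking is not configured anywhere here, so both `rsync` and the final `ssh` trust the runner's `known_hosts` for `$1`; either state that in a comment or pass `-o UserKnownHostsFile=…` through the second argument.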
@@ -142,5 +142,55 @@ in {
     };
   };
 
+  # Container networking.
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-+" ];
+    externalInterface = "eth0";
+  };
+  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
+
+  containers.deployer = {
+    config = { config, pkgs, ... }: {
+      environment.etc."secrets/gitlab-runner-registration" = {
+        text = ''
+          CI_SERVER_URL=https://hg.lukegb.com
+          REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
+        '';
+        mode = "0600";
+      };
+      services.gitlab-runner = {
+        enable = true;
+        concurrent = 4;
+        services = {
+          deployer = {
+            registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+            executor = "shell";
+            tagList = [ "deployer" ];
+          };
+        };
+        gracefulTermination = true;
+        gracefulTimeout = "4min";
+        package = depot.nix.pkgs.heptapod-runner;
+      };
+      users.users.gitlab-runner = {
+        createHome = true;
+        home = "/srv/gitlab-runner";
+      };
+      system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
+        mkdir -p /srv/gitlab-runner/.ssh
+        chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
+        chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
+        cp "${pkgs.writeTextFile {
+          name = "gitlab-runner-key";
+          destination = "/private/id_ed25519";
+          text = depot.ops.secrets.deployer.privateKey;
+        }}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
+        chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
+        chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
+      '';
+    };
+  };
+
   system.stateVersion = "20.03";
 }
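Review bot: `pkgs.writeTextFile { … text = depot.ops.secrets.deployer.privateKey; }` in the `deployer-key` activation script places the SSH private key in `/nix/store`, which is world-readable, so the `chmod -R u=rwX,go=` on the copy under `/srv/gitlab-runner/.ssh` protects nothing; the registration token written through `environment.etc."secrets/gitlab-runner-registration".text` has the same problem, because `mode = "0600"` governs only the file copied into `/etc`, not its store source. A NixOS container shares the host's store by default, and if marukuru's system closure is reachable from `ci-root.nix` the `nixCache` job's `nix copy` also pushes both secrets to `s3://lukegb-nix-cache`. Keep them out of evaluation entirely: store them on the host outside the store (e.g. `/var/lib/secrets/deployer/`), expose that directory with `containers.deployer.bindMounts`, change the copy to `cp /run/secrets/deployer/id_ed25519 /srv/gitlab-runner/.ssh/id_ed25519`, and point `registrationConfigFile` at the mounted file instead of an `environment.etc` entry. The duplicated `chown`/`chmod` pair before and after the copy can then collapse into the one after it.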