*: try setting up automated deploys

This won't work yet, since the deployer user isn't correctly configured,
but it should at least trigger the right set of things to happen.
Luke Granger-Brown 2020-05-09 18:53:17 +01:00
parent c5d03b795e
commit 84f607d7cf
3 changed files with 86 additions and 0 deletions


@ -1,5 +1,6 @@
stages:
- build
- deploy
nixCache:
stage: build
@ -9,3 +10,19 @@ nixCache:
- "cp ${OPS_SECRETS_DEFAULT_NIX} ops/secrets/default.nix"
- "nix build -v -f ./ci-root.nix --substituters \"https://cache.nixos.org s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1\""
- "nix copy -v --to 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' ./result"
.deploy:
stage: deploy
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
variables:
SSH_ARGS: ''
script: './hack/deploy.sh "$DEPLOY_TO" "$SSH_ARGS"'
tags:
- deployer
ixvm-fra01:
extends: .deploy
variables:
# TODO(lukegb): DNS...
DEPLOY_TO: "141.98.136.124"
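Review bot: The `rules: - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'` guard on `.deploy` lives in the pipeline file itself, so anyone who can push a non-default branch can edit or drop it and add `tags: [deployer]` to run arbitrary commands on the runner that holds the deploy SSH key. The real control has to be on the runner side: register the `deployer` runner as protected (so only protected refs can schedule jobs on it) and protect the default branch; nothing in this commit shows that being done, so it may be handled elsewhere. I would record that assumption above the template: `# The branch rule below is advisory only: the 'deployer' runner must be registered as a protected runner, otherwise any branch can target it via tags.` `SSH_ARGS: ''` is passed as a set-but-empty `$2` to hack/deploy.sh, which is fine with the script's `${2+x}` test, but worth a comment noting it is the hook for host-key options rather than a placeholder.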

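--- /dev/null
+++ b/hack/deploy.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+echo Dropping files into place as defined by manifest...
+while read -r manifest_line; do
+IFS='=' read -ra manifest_bits <<< "$manifest_line"
+if [[ "${#manifest_bits[@]}" -ne 2 ]]; then continue; fi
+echo -e "\t${manifest_bits[1]}"
+cp "${!manifest_bits[0]}" "${manifest_bits[1]}"
+done <<< "$SECRETS_MANIFEST"
+if [ -z ${2+x} ]; then ssh_cmd="ssh"; else ssh_cmd="ssh $2"; fi
+echo Syncing repo content to machine "$1"
+rsync -e "$ssh_cmd" -avz --exclude='.hg/' ./ "deployer@$1:depot/"
+echo Triggering rebuild
+$ssh_cmd -t "deployer@$1" rebuilder depot/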
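Review bot: Neither the `rsync -e "$ssh_cmd"` nor the final `$ssh_cmd -t` call says how the target's host key is verified; the runner's home is created fresh in the nix change (`/srv/gitlab-runner`, no known_hosts provisioned), so in a non-interactive job ssh will fail with "Host key verification failed", and the tempting fix of putting `-o StrictHostKeyChecking=no` into SSH_ARGS would make the deploy key's session MITM-able. Pin the host key instead: provision a known_hosts entry for the target alongside the private key and make the policy explicit in one line, `ssh_cmd="ssh -o StrictHostKeyChecking=yes${2:+ $2}"`, replacing the `if [ -z ${2+x} ]` line. Separately, the `-ne 2 ... continue` in the manifest loop silently drops any line whose destination contains `=` or that has no `=` at all, so a typo in SECRETS_MANIFEST deploys without that secret; I would `echo "bad manifest line: $manifest_line" >&2; exit 1` there rather than continue. Note also that rsync runs without `--delete`, so a file removed from the repo (or a renamed secret) stays on the target indefinitely; that may be intended, but it deserves a comment.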


@ -142,5 +142,55 @@ in {
};
};
# Container networking.
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "eth0";
};
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
containers.deployer = {
config = { config, pkgs, ... }: {
environment.etc."secrets/gitlab-runner-registration" = {
text = ''
CI_SERVER_URL=https://hg.lukegb.com
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
'';
mode = "0600";
};
services.gitlab-runner = {
enable = true;
concurrent = 4;
services = {
deployer = {
registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
executor = "shell";
tagList = [ "deployer" ];
};
};
gracefulTermination = true;
gracefulTimeout = "4min";
package = depot.nix.pkgs.heptapod-runner;
};
users.users.gitlab-runner = {
createHome = true;
home = "/srv/gitlab-runner";
};
system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
mkdir -p /srv/gitlab-runner/.ssh
chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
cp "${pkgs.writeTextFile {
name = "gitlab-runner-key";
destination = "/private/id_ed25519";
text = depot.ops.secrets.deployer.privateKey;
}}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
'';
};
};
system.stateVersion = "20.03";
}
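Review bot: The deploy private key is materialised with `pkgs.writeTextFile { ... text = depot.ops.secrets.deployer.privateKey; }` inside the `deployer-key` activation script, which places it in /nix/store where every file is world-readable regardless of the `chmod -R u=rwX,go=` applied to the copy, and where any `nix copy` of the closure (this repo pushes to an S3 cache in CI) can carry it off-host; the same applies to the registration token written via `environment.etc."secrets/gitlab-runner-registration".text`. The activation script should copy the key from an out-of-store path provisioned out of band instead, e.g. replacing the `cp "${pkgs.writeTextFile ...}/private/id_ed25519"` expression with `cp /var/lib/deployer/id_ed25519 /srv/gitlab-runner/.ssh/id_ed25519`, and likewise point `registrationConfigFile` at a file that is not generated from a Nix string. I would also add a comment on `containers.deployer`: no `privateNetwork = true` is set, so if I read the NixOS container defaults correctly the `ve-+` NAT rules added just above never apply to it and the runner shares the host's network namespace — confirm whether that is intended. The enclosing `in { ... }` attribute set starts outside this hunk.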