lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

switch-prebuilt: make latest slightly... better

Browse source
This commit is contained in:
Luke Granger-Brown 2024-01-07 17:57:27 +00:00
parent d6638eb663
commit f7a8e1c6c9
1 changed files with 48 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
ops/nixos/lib/switch-prebuilt.nix
View file

@ -1,38 +1,60 @@
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com> # SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ depot, system, pkgs, ... }: { depot, system, pkgs, ... }:
pkgs.writeShellScriptBin "switch-prebuilt" '' pkgs.writeShellApplication {
set -ue name = "switch-prebuilt";
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=unix:///run/tokend/sock -field=cacheAccessKeyID kv/apps/nix-daemon)" runtimeInputs = with pkgs; [ curl unzip jq ];
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=unix:///run/tokend/sock -field=cacheSecretAccessKey kv/apps/nix-daemon)"
system="''${1}"
if [[ "$system" == "latest" ]]; then text = ''
tmpdir="$(mktemp -d)" set -ue
trap '{ rm -rf -- "$tmpdir"; }' EXIT system="''${1}"
${pkgs.curl}/bin/curl -so "$tmpdir/archive.zip" 'https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/jobs/artifacts/branch%2Fdefault/download?job=nixCache-${system}' if [[ "$system" == "latest" ]]; then
${pkgs.unzip}/bin/unzip -d "$tmpdir" -q -o "$tmpdir/archive.zip" tmpdir="$(mktemp -d)"
system="$(${pkgs.jq}/bin/jq -r ".\"$(hostname)\"" "$tmpdir/systems.json")" trap '{ rm -rf -- "$tmpdir"; }' EXIT
echo "Switching to system ''$system" COMMIT_DATA="$(curl -s 'https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/repository/commits/branch%2Fdefault')"
fi echo "Commit: $(echo "$COMMIT_DATA" | jq -r '.id') $(echo "$COMMIT_DATA" | jq -r '.title')"
if [[ "$(echo "$COMMIT_DATA" | jq -r '.last_pipeline.id')" == null ]]; then
echo "...but there's no CI pipeline for it"
exit 1
fi
if [[ ! -e "$system" ]]; then PARENT_PIPELINE_BRIDGES="$(curl -s "https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/pipelines/$(echo "$COMMIT_DATA" | jq -r '.last_pipeline.id')/bridges")"
# We should be a trusted-user. if [[ "$(echo "$PARENT_PIPELINE_BRIDGES" | jq -r '. | length')" == 0 ]]; then
nix build -v "$system" echo "...but there's no downstream pipeline for it"
fi exit 1
fi
CHILD_PIPELINE_ID="$(echo "$PARENT_PIPELINE_BRIDGES" | jq -r '.[].downstream_pipeline.id')"
CHILD_PIPELINE_JOBS="$(curl -s "https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/pipelines/$CHILD_PIPELINE_ID/jobs?per_page=100")"
CACHE_JOB_ID="$(echo "$CHILD_PIPELINE_JOBS" | jq -r '.[] | select(.name == "nixCache-linux") | .id')"
if [[ "$CACHE_JOB_ID" == "" ]]; then
echo "...but there's no data for the cache job"
exit 1
fi
diff "$system/etc/hostname" "/etc/hostname" curl -so "$tmpdir/systems.json" "https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/jobs/$CACHE_JOB_ID/artifacts/systems.json"
system="$(jq -r ".\"$(hostname)\"" "$tmpdir/systems.json")"
# The next phase requires sudo, but it's harmless to run the preceding commands twice. echo "Switching to system ''$system"
if [[ $EUID -ne 0 ]]; then fi
exec sudo "$0" "$system"
fi
nix-env -p /nix/var/nix/profiles/system --set "$system" if [[ ! -e "$system" ]]; then
"$system/bin/switch-to-configuration" switch # We should be a trusted-user.
'' nix build -v "$system"
fi
diff "$system/etc/hostname" "/etc/hostname"
# The next phase requires sudo, but it's harmless to run the preceding commands twice.
if [[ $EUID -ne 0 ]]; then
exec sudo "$0" "$system"
fi
nix-env -p /nix/var/nix/profiles/system --set "$system"
"$system/bin/switch-to-configuration" switch
'';
}