add cd

ArdanaLabs · Aug 18, 2021 · eb67f4a · eb67f4a
1 parent d59f6d3
commit eb67f4a
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 73 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -0,0 +1,21 @@
+name: Continuous Delivery
+on:
+  push:
+    [ master ]
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: deploy self
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          source dummy-env.sh
+          eval "$(ssh-agent -s)"
+          ssh-add /build-key
+          which nixops; nixops --version
+          nixops destroy --all && nixops delete --all
+          nixops create -d ardana-ci realm.nix
+          nixops deploy -d ardana-ci -I nixpkgs=https://github.com/Fresheyeball/nixpkgs/archive/ef75aabffb4edc75bf4639af8c454eea267fa253.tar.gz
+          nixops destroy --all && nixops delete --all
diff --git a/box/ardana-ci/default.nix b/box/ardana-ci/default.nix
@@ -1,60 +1,46 @@
 { config, pkgs, resources, ... }:
 let
+  inherit (builtins) filter foldl' all attrValues attrNames;
+  keys =
+    { github-runner-token = {
+        path = atRun "github-runner-token";
+        contents = builtins.getEnv "GITHUB_RUNNER_TOKEN";
+        permissions = "655";
+      };
 
-  github-runner-token = rec {
-    name = "github-runner-token";
-    path = atRun name;
-    contents = builtins.getEnv "GITHUB_RUNNER_TOKEN";
-  };
-
-  cache-key = rec {
-    name = "cache-key";
-    path = atRun name;
-    contents = builtins.getEnv "CACHE_KEY";
-  };
+      cache-key = {
+        path = atRun "cache-key";
+        contents = builtins.getEnv "CACHE_KEY";
+      };
 
-  build-key = rec {
-    name = "build-key";
-    path = atRun name;
-    contents = builtins.getEnv "BUILD_KEY";
-  };
+      build-key = {
+        path = atRun "build-key";
+        contents = builtins.getEnv "BUILD_KEY";
+      };
+    };
 
   atRun = key: "/run/keys/${key}";
 
-in assert github-runner-token.contents != "";
-   assert cache-key.contents != "";
-   assert build-key.contents != "";
+  foldWithKey = f: i: xs: foldl' (acc: x: f acc x xs.${x}) i (attrNames xs);
+
+in assert all (key: key.contents != "") (attrValues keys);
 {
   deployment = {
     targetHost = "138.68.57.54";
     alwaysActivate = true;
-    keys = {
-      ${github-runner-token.name} = {
-        text = github-runner-token.contents;
-        permissions = "655";
-      };
-      ${cache-key.name} = {
-        text = cache-key.contents;
-        permissions = "600";
-      };
-      ${build-key.name} = {
-        text = build-key.contents;
-        permissions = "600";
-      };
-    };
+    keys = foldWithKey (acc: name: key: acc //
+      { ${name} = {
+          text = key.contents;
+          permissions = key.permissions or "600";
+        };
+      }) {} keys;
   };
   imports = [
     ../base.nix
     ./configuration.nix
-    (import ../../service/nix.nix {
-      cache-key = cache-key.path;
-      inherit pkgs;
-    })
-    (import ../../service/github-runner.nix {
-      tokenFile = github-runner-token.path;
-      buildFile = build-key.path;
-      inherit pkgs;
-    })
+    (import ../../service/nix.nix           { inherit pkgs; inherit (keys) cache-key; })
+    (import ../../service/github-runner.nix { inherit keys pkgs foldWithKey; })
   ];
-  users.users.root.openssh.authorizedKeys.keys = [ build-key.contents ];
+  users.users.root.openssh.authorizedKeys.keys =
+    [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBW7m5/g+hC+KqUID/OQtXL+cGF8Y/6O63HwVFEFrqUo root@ardana-ci" ];
 }
diff --git a/cd-env.sh b/cd-env.sh
@@ -0,0 +1,3 @@
+export GITHUB_RUNNER_TOKEN="$(cat /github-runner-token)"
+export CACHE_KEY="$(cat /cache-key)"
+export BUILD_KEY="$(cat /build-key)"
diff --git a/dummy-env.sh b/dummy-env.sh
@@ -1,3 +1,3 @@
 export GITHUB_RUNNER_TOKEN="toki-wartooth"
-export CACHE_KEY="toki-wartooth"
-export BUILD_KEY="toki-wartooth"
+export CACHE_KEY="daddy-warbucks"
+export BUILD_KEY="bob"
diff --git a/public-keys.nix b/public-keys.nix
@@ -0,0 +1,12 @@
+[
+# Oleg Prutz
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRbUolirg06Wy9mOUcV+2f3Gq+d+D5QzEuI5icycm70VXjYMs0ua52jrBtAW8Ik3xsVp2GrA8Qo8ymRfvdsUgJYw3UR/w/FDYDgRkg6sOumQ34bCBlIFbGuU251Qef4v5ABbeziAjurGxTPXc0HBnjGkwYLVXLWL4Fy0kgAo73n3RJ99BeMynig7WSeq62sn1yy654S7zJ0qM4XrNstU11P/iIR7D2iEsVjEJ/WvFT2nbQRtapXqkLMlcER85ouQo9Zmax6YK4322FzPN3S/ZqPxGs4Kl7YeyHARX7YbToBfWSDkg93SROmdGsS3g0fdGwMwVz+2fowdAGDVyRzNHVuqX2x69Af+jkepLGdL+DRI1VCZP+re+7iqDJiYbHV4VqlBpQhYGZq+hHsoTJLaup7JYlCjrE18NYHPoQcO8KNt6NDTBv2luaIAqtz2kVuERwuEojLFeeA3I2yuDujzjhxgp22FHOw7pO/lfhJpEv0e2KKSlROACEcP6yJeC2+PE= oleg@nixos-dev-machine"
+# Andrzej Swatowski
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrbeDkKs4yjkBUIhpJV9yjuYP6RZ/wX1fcdJyFCF8/S"
+# Marcin Bugaj
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIygdL7zVacyc1Wh6CvRb1Rh20Jcm9ULK/6qb9lJLUiC [email protected]"
+# Ben Hard
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCe2GmcIGvLCyH8D81ZaZ3y9xh0pm4U4y5j1VEtAs2H1GaXLPyc6sgj9echehaTEdd6QqGP8jgGLJaLJB7+JuyjwP+lId3HO5dAE7F17aGJFtArsQ48pDYrR2Zlj7DCf9VRLe3Gsv3kC4q5j/XBwOyvo5aghiQYKMJXpdzep+xXobz25ojFxsBUae9Fr4gJu2wBTaomnLziHWWIZts/vbuvKSvp1dPNWYxBxYA/XsgGqUROui5du5GWqpDp+bb/3bger2YZHYnD+c2sKXJ9E4159PCDQoWrZatHXiYzQym9k+bxCl60DZOSle4yB5HbotrEFMYwCEZCpq40w5wYLl3Qta6XYhU7AlHOzZQWvJjyodGTXeor0esVod0Npw8BuMVmHm41wImKO8uHsK9Gul3Wch9LAGsCztzV8UBTFj8kdp4sBB8cKUYnTAdXyco+gmmbabZ8Ja+knqXOBRLV4mE3lXesLnMmJPq/QfiXQZJAdvJxsxCTmlAZ3LEKCSyV5wE= ben@beast-arch"
+# Ryan Kelker
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQA8RUWB10pnL4diJJKMV4ujkUV+d3ThxMXyv7HQiJQZxZwspSUuChsXo8JXq9rvfGJEBCt1oTzkzFhJ+oWD+THbDq2z4pZSz0DMMnABj+gNCx1AsmKt/kL8ewjDXOxXXVI9atxDrlAnONZmWLlVC2ZJ8v/YPJR2L10BwXX8MlP+bQQNNRuJztWPwNgVb+nBaQFrUie4GWf89nxT9rjgH9axs6abFK5dhXqoboV7zoKQCbVKqj2RaocoRP97FA42Aq/rq86+tXcuhN1iZqvyejDzRUoufU8u7yfq4HGPMuKraA3dU5G54tJWVR1Y9OKiYYCq8wyTkg7AjQr68nbPGoAx08O6SkGAqOwyczltrpfY2wamHXpbBmsGuHYYYH9LVQ+E+K23EcCxk3j93k/HLvokjkzPnI8uyRThA7s88hz6GEJozh7ovT7Mm5HqqkfOs//M94HKRGDvPJLIc0/SjV8K4vWpRf6B22c2Ta5VUq5LhEkDnwyhsrDIQkwVPjPCs= on@machine"
+]
diff --git a/service/github-runner.nix b/service/github-runner.nix
@@ -1,18 +1,12 @@
-{pkgs, tokenFile, buildFile}:
-let token = "/runner-token";
-    build-raw = "/build-key-raw";
-    build = "/build-key";
-in
+{ pkgs, keys, foldWithKey }:
 { containers = builtins.foldl' (acc: num: acc // { ${"Ardana-CI-Container-${num}"} = {
       autoStart = true;
       bindMounts = {
-        ${token}.hostPath = tokenFile;
-        ${build-raw}.hostPath = buildFile;
         "/nix" = {
           hostPath = "/nix";
           isReadOnly = false;
         };
-      };
+      } // foldWithKey (acc: name: key: { "/${name}".hostPath = key.path; }) {} keys;
       config = _:
         { services = {
             github-runner = {
@@ -36,16 +30,13 @@ in
                 nixops
                 which
               ];
-              tokenFile = token;
+              tokenFile = "/github-runner-token";
             };
           };
           systemd.services.build-key-permissions = {
             serviceConfig.Type = "oneshot";
             wantedBy = [ "default.target" "github-runner.service" ];
-            script = ''
-              cat ${build-raw} > ${build}
-              chown github-runner ${build}
-            '';
+            script = "chown github-runner ./build-key";
           };
         };
       };

diff --git a/service/nix.nix b/service/nix.nix
@@ -3,22 +3,11 @@
     sshServe = {
       enable = true;
       keys =
-          # Oleg Prutz
-        [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRbUolirg06Wy9mOUcV+2f3Gq+d+D5QzEuI5icycm70VXjYMs0ua52jrBtAW8Ik3xsVp2GrA8Qo8ymRfvdsUgJYw3UR/w/FDYDgRkg6sOumQ34bCBlIFbGuU251Qef4v5ABbeziAjurGxTPXc0HBnjGkwYLVXLWL4Fy0kgAo73n3RJ99BeMynig7WSeq62sn1yy654S7zJ0qM4XrNstU11P/iIR7D2iEsVjEJ/WvFT2nbQRtapXqkLMlcER85ouQo9Zmax6YK4322FzPN3S/ZqPxGs4Kl7YeyHARX7YbToBfWSDkg93SROmdGsS3g0fdGwMwVz+2fowdAGDVyRzNHVuqX2x69Af+jkepLGdL+DRI1VCZP+re+7iqDJiYbHV4VqlBpQhYGZq+hHsoTJLaup7JYlCjrE18NYHPoQcO8KNt6NDTBv2luaIAqtz2kVuERwuEojLFeeA3I2yuDujzjhxgp22FHOw7pO/lfhJpEv0e2KKSlROACEcP6yJeC2+PE= oleg@nixos-dev-machine"
-          # Andrzej Swatowski
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrbeDkKs4yjkBUIhpJV9yjuYP6RZ/wX1fcdJyFCF8/S"
-          # Marcin Bugaj
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIygdL7zVacyc1Wh6CvRb1Rh20Jcm9ULK/6qb9lJLUiC [email protected]"
-          # Ben Hard
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCe2GmcIGvLCyH8D81ZaZ3y9xh0pm4U4y5j1VEtAs2H1GaXLPyc6sgj9echehaTEdd6QqGP8jgGLJaLJB7+JuyjwP+lId3HO5dAE7F17aGJFtArsQ48pDYrR2Zlj7DCf9VRLe3Gsv3kC4q5j/XBwOyvo5aghiQYKMJXpdzep+xXobz25ojFxsBUae9Fr4gJu2wBTaomnLziHWWIZts/vbuvKSvp1dPNWYxBxYA/XsgGqUROui5du5GWqpDp+bb/3bger2YZHYnD+c2sKXJ9E4159PCDQoWrZatHXiYzQym9k+bxCl60DZOSle4yB5HbotrEFMYwCEZCpq40w5wYLl3Qta6XYhU7AlHOzZQWvJjyodGTXeor0esVod0Npw8BuMVmHm41wImKO8uHsK9Gul3Wch9LAGsCztzV8UBTFj8kdp4sBB8cKUYnTAdXyco+gmmbabZ8Ja+knqXOBRLV4mE3lXesLnMmJPq/QfiXQZJAdvJxsxCTmlAZ3LEKCSyV5wE= ben@beast-arch"
-          # Ryan Kelker
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQA8RUWB10pnL4diJJKMV4ujkUV+d3ThxMXyv7HQiJQZxZwspSUuChsXo8JXq9rvfGJEBCt1oTzkzFhJ+oWD+THbDq2z4pZSz0DMMnABj+gNCx1AsmKt/kL8ewjDXOxXXVI9atxDrlAnONZmWLlVC2ZJ8v/YPJR2L10BwXX8MlP+bQQNNRuJztWPwNgVb+nBaQFrUie4GWf89nxT9rjgH9axs6abFK5dhXqoboV7zoKQCbVKqj2RaocoRP97FA42Aq/rq86+tXcuhN1iZqvyejDzRUoufU8u7yfq4HGPMuKraA3dU5G54tJWVR1Y9OKiYYCq8wyTkg7AjQr68nbPGoAx08O6SkGAqOwyczltrpfY2wamHXpbBmsGuHYYYH9LVQ+E+K23EcCxk3j93k/HLvokjkzPnI8uyRThA7s88hz6GEJozh7ovT7Mm5HqqkfOs//M94HKRGDvPJLIc0/SjV8K4vWpRf6B22c2Ta5VUq5LhEkDnwyhsrDIQkwVPjPCs= on@machine"
-        ]
-        ++ concatMap (user: user.openssh.authorizedKeys.keys)
-                       (attrValues (import ../users.nix));
+        (import ../public-keys.nix) ++ concatMap (user: user.openssh.authorizedKeys.keys)
+                                                 (attrValues (import ../users.nix));
     };
     extraOptions = ''
-      secret-key-files = ${cache-key}
+      secret-key-files = ${cache-key.path}
     '';
     optimise.automatic = true;
     nrBuildUsers = 1000;
@@ -42,7 +31,7 @@
     services.${name} = {
       serviceConfig.Type = "oneshot";
       path = [ pkgs.nix ];
-      script = "nix sign-paths --all -k ${cache-key}";
+      script = "nix sign-paths --all -k ${cache-key.path}";
     };
   };
 }