Compare commits
17 commits
0559e91c9c
...
b00e47ec85
Author | SHA1 | Date | |
---|---|---|---|
|
b00e47ec85 | ||
a50637d55e | |||
aa4f972085 | |||
8a5de73b47 | |||
3fecacb482 | |||
ded867d274 | |||
f61bd85d63 | |||
bf06d2573b | |||
6fbda40e5e | |||
2ffd7732ba | |||
d45b044b22 | |||
21b422b1ad | |||
420fe99984 | |||
32f13adaad | |||
a816c81125 | |||
6ab3e4b685 | |||
5f1436e4bf |
32 changed files with 625 additions and 471 deletions
1
.envrc
1
.envrc
|
@ -1 +1,2 @@
|
|||
watch_file workflows/*
|
||||
use nix
|
||||
|
|
|
@ -1,25 +1,21 @@
|
|||
jobs:
|
||||
check_dns:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check the validity of the DNS configuration
|
||||
run: nix-build meta/verify.nix -A dns
|
||||
check_meta:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check the validity of meta options
|
||||
run: nix-build meta/verify.nix -A meta
|
||||
name: Check meta
|
||||
on:
|
||||
'on':
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
paths:
|
||||
- 'meta/*'
|
||||
|
||||
jobs:
|
||||
check_meta:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Check the validity of meta options
|
||||
run: nix-build meta/verify.nix -A meta
|
||||
|
||||
check_dns:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Check the validity of the DNS configuration
|
||||
run: nix-build meta/verify.nix -A dns --no-out-link
|
||||
- meta/*
|
||||
|
|
16
.forgejo/workflows/check-workflows.yaml
Normal file
16
.forgejo/workflows/check-workflows.yaml
Normal file
|
@ -0,0 +1,16 @@
|
|||
jobs:
|
||||
check_workflows:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check that the workflows are up to date
|
||||
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
|
||||
-eq 0 ]'
|
||||
name: Check workflows
|
||||
'on':
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
paths:
|
||||
- workflows/*
|
|
@ -1,56 +0,0 @@
|
|||
name: ds-fr update
|
||||
on:
|
||||
schedule:
|
||||
- cron: "26 18 * * wed"
|
||||
|
||||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
|
||||
- name: Update DS and open PR if necessary
|
||||
run: |
|
||||
# Fetch the latest release tag
|
||||
VERSION=$(curl -L \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
|
||||
| jq -r '.tag_name')
|
||||
|
||||
# Move to the ds-fr directory
|
||||
cd machines/compute01/ds-fr/package
|
||||
|
||||
# Run the update script
|
||||
./update.sh -v "$VERSION"
|
||||
|
||||
if [ ! -z "$(git diff --name-only)" ]; then
|
||||
echo "[+] Changes detected, pushing updates."
|
||||
|
||||
git switch -C ds-update
|
||||
|
||||
git add .
|
||||
|
||||
git config user.name "DGNum Chores"
|
||||
git config user.email "tech@dgnum.eu"
|
||||
|
||||
git commit --message "chore(ds-fr): Update"
|
||||
git push --set-upstream origin ds-update --force
|
||||
|
||||
# Connect to the server with the cli
|
||||
tea login add \
|
||||
-n dgnum-chores \
|
||||
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
|
||||
-u https://git.dgnum.eu
|
||||
|
||||
# Create a pull request if needed
|
||||
# i.e. no PR with the same title exists
|
||||
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
|
||||
tea pr create \
|
||||
--description "Automatic ds-fr update" \
|
||||
--title "chore(ds-fr): Update" \
|
||||
--head ds-update
|
||||
fi
|
||||
fi
|
119
.forgejo/workflows/eval-nodes.yaml
Normal file
119
.forgejo/workflows/eval-nodes.yaml
Normal file
|
@ -0,0 +1,119 @@
|
|||
jobs:
|
||||
bridge01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: bridge01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache bridge01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
compute01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: compute01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache compute01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
geo01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: geo01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache geo01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
geo02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: geo02
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache geo02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
rescue01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: rescue01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache rescue01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
storage01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: storage01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache storage01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
vault01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: vault01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache vault01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web02
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web03:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web03
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web03
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
name: Build all the nodes
|
||||
'on':
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
branches:
|
||||
- main
|
|
@ -1,200 +0,0 @@
|
|||
name: build configuration
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, edited, reopened]
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
build_and_cache_compute01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "compute01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_compute01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_storage01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "storage01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_storage01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_rescue01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "rescue01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_rescue01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_geo01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "geo01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_geo01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_geo02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "geo02"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_geo02
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_vault01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "vault01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_vault01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_web01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "web01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_web01
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_web02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "web02"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_web02
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_web03:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "web03"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_web02
|
||||
path: paths.txt
|
||||
|
||||
build_and_cache_bridge01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build and cache the node
|
||||
run: nix-shell --run cache-node
|
||||
env:
|
||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
||||
STORE_USER: "admin"
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
BUILD_NODE: "bridge01"
|
||||
|
||||
- uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: outputs_web02
|
||||
path: paths.txt
|
|
@ -1,11 +0,0 @@
|
|||
name: lint
|
||||
on: [push, pull_request]
|
||||
|
||||
jobs:
|
||||
check:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Run pre-commit on all files
|
||||
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
|
25
.forgejo/workflows/npins-update.yaml
Normal file
25
.forgejo/workflows/npins-update.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
depth: 0
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
- name: Update dependencies and open PR if necessary
|
||||
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo\
|
||||
\ \"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
|
||||
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config\
|
||||
\ user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
|
||||
\n git push --set-upstream origin npins-update --force\n\n # Connect to\
|
||||
\ the server with the cli\n tea login add \\\n -n dgnum-chores \\\n \
|
||||
\ -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
|
||||
\n # Create a pull request if needed\n # i.e. no PR with the same title\
|
||||
\ exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):\
|
||||
\ Update dgnum-chores')\" ]; then\n tea pr create \\\n --description\
|
||||
\ \"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\
|
||||
\n --head npins-update\n fi\nfi\n"
|
||||
name: npins update
|
||||
'on':
|
||||
schedule:
|
||||
- cron: 25 15 * * *
|
12
.forgejo/workflows/pre-commit.yaml
Normal file
12
.forgejo/workflows/pre-commit.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
jobs:
|
||||
check:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Run pre-commit on all files
|
||||
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
|
||||
pre-push --show-diff-on-failure'
|
||||
name: Run pre-commit on all files
|
||||
'on':
|
||||
- push
|
||||
- pull_request
|
47
default.nix
47
default.nix
|
@ -41,7 +41,15 @@
|
|||
}:
|
||||
|
||||
let
|
||||
git-checks = (import (builtins.storePath sources.git-hooks)).run {
|
||||
inherit (pkgs.lib)
|
||||
isFunction
|
||||
mapAttrs
|
||||
mapAttrs'
|
||||
nameValuePair
|
||||
removeSuffix
|
||||
;
|
||||
|
||||
git-checks = (import sources.git-hooks).run {
|
||||
src = ./.;
|
||||
|
||||
hooks = {
|
||||
|
@ -67,6 +75,22 @@ let
|
|||
commitizen.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
workflows = (import sources.nix-actions { inherit pkgs; }).install {
|
||||
src = ./.;
|
||||
|
||||
workflows = mapAttrs' (
|
||||
name: _:
|
||||
nameValuePair (removeSuffix ".nix" name) (
|
||||
let
|
||||
w = import ./workflows/${name};
|
||||
in
|
||||
if isFunction w then w { inherit (pkgs) lib; } else w
|
||||
)
|
||||
) (builtins.readDir ./workflows);
|
||||
};
|
||||
|
||||
scripts = import ./scripts { inherit pkgs; };
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -78,36 +102,35 @@ in
|
|||
|
||||
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
|
||||
|
||||
shells = {
|
||||
default = pkgs.mkShell {
|
||||
devShell = pkgs.mkShell {
|
||||
name = "dgnum-infra";
|
||||
|
||||
packages = [
|
||||
(pkgs.nixos-generators.overrideAttrs (_: {
|
||||
version = "1.8.0-unstable";
|
||||
src = builtins.storePath sources.nixos-generators;
|
||||
src = sources.nixos-generators;
|
||||
}))
|
||||
pkgs.npins
|
||||
|
||||
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
||||
|
||||
] ++ (import ./scripts { inherit pkgs; });
|
||||
] ++ (builtins.attrValues scripts);
|
||||
|
||||
shellHook = ''
|
||||
${git-checks.shellHook}
|
||||
${workflows.shellHook}
|
||||
'';
|
||||
|
||||
preferLocalBuild = true;
|
||||
};
|
||||
|
||||
pre-commit = pkgs.mkShell {
|
||||
name = "pre-commit-shell";
|
||||
###
|
||||
# Alternative shells
|
||||
|
||||
shellHook = ''
|
||||
${git-checks.shellHook}
|
||||
'';
|
||||
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
|
||||
pre-commit.shellHook = git-checks.shellHook;
|
||||
check-workflows.shellHook = workflows.shellHook;
|
||||
eval-nodes.packages = [ scripts.cache-node ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -190,8 +190,11 @@ rec {
|
|||
recursiveFuse [
|
||||
(enableModules enabledModules)
|
||||
|
||||
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
|
||||
{
|
||||
imports =
|
||||
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
|
||||
}
|
||||
|
||||
extraConfig
|
||||
(removeAttrs extraConfig [ "imports" ])
|
||||
];
|
||||
}
|
||||
|
|
|
@ -10,7 +10,7 @@ let
|
|||
# - push to a new branch dgn-v0.A.B where A.B is the new version
|
||||
# - finally, update the commit hash of the customization patch
|
||||
|
||||
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
|
||||
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
|
||||
port = 8084;
|
||||
in
|
||||
|
||||
|
|
|
@ -1,10 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
nixpkgs,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
url = "https://git.dgnum.eu";
|
||||
|
@ -30,8 +24,6 @@ let
|
|||
options = "--cpus=4";
|
||||
};
|
||||
};
|
||||
|
||||
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
|
||||
in
|
||||
{
|
||||
services.forgejo-nix-runners = {
|
||||
|
@ -43,10 +35,8 @@ in
|
|||
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
|
||||
|
||||
dependencies = [
|
||||
nix-pkgs.colmena
|
||||
pkgs.npins
|
||||
pkgs.tea
|
||||
nixpkgs.unstable.nixfmt-rfc-style
|
||||
];
|
||||
|
||||
containerOptions = [ "--cpus=4" ];
|
||||
|
|
|
@ -61,7 +61,7 @@ in
|
|||
|
||||
service = {
|
||||
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
|
||||
EMAIL_DOMAIN_BLOCKLIST = "*.shop";
|
||||
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
|
||||
ENABLE_NOTIFY_MAIL = true;
|
||||
|
||||
DISABLE_REGISTRATION = false;
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
./annuaire.nix
|
||||
./bocal.nix
|
||||
./gestiojeux.nix
|
||||
./interludes.nix
|
||||
./wikiens.nix
|
||||
];
|
||||
|
||||
|
|
66
machines/web03/django-apps/interludes.nix
Normal file
66
machines/web03/django-apps/interludes.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
|
||||
in
|
||||
|
||||
{
|
||||
services.webhook.extraArgs = [ "-debug" ];
|
||||
services.django-apps.sites.interludes = {
|
||||
source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
|
||||
branch = "master";
|
||||
domain = "interludes.ens.fr";
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
serverAliases = [ "interludes.webapps.dgnum.eu" ];
|
||||
};
|
||||
|
||||
webHookSecret = config.age.secrets."webhook-interludes_token".path;
|
||||
|
||||
application = {
|
||||
type = "wsgi";
|
||||
module = "interludes";
|
||||
};
|
||||
|
||||
dbType = "sqlite";
|
||||
|
||||
python = pkgs.python3.override {
|
||||
packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
|
||||
};
|
||||
|
||||
django = ps: ps.django_4;
|
||||
dependencies = ps: [
|
||||
ps.loadcredential
|
||||
ps.python-ldap
|
||||
ps.python-cas
|
||||
];
|
||||
|
||||
credentials = {
|
||||
SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
|
||||
EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
|
||||
};
|
||||
|
||||
environment = {
|
||||
INTERLUDES_ALLOWED_HOSTS = [
|
||||
"interludes.ens.fr"
|
||||
"interludes.webapps.dgnum.eu"
|
||||
];
|
||||
|
||||
# E-mail configuration
|
||||
INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
|
||||
INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
|
||||
INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
|
||||
INTERLUDES_EMAIL_PORT = 465;
|
||||
INTERLUDES_EMAIL_HOST_USER = "interludes";
|
||||
INTERLUDES_DEBUG = false;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
|
||||
8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
|
||||
-> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
|
||||
ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
|
||||
-> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
|
||||
J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
|
||||
-> ssh-rsa krWCLQ
|
||||
AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
|
||||
JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
|
||||
UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
|
||||
h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
|
||||
9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
|
||||
+01dH0D/7kzRhEdNLO2NXA
|
||||
-> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
|
||||
wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
|
||||
-> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
|
||||
7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
|
||||
-> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
|
||||
wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
|
||||
-> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
|
||||
sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
|
||||
-> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
|
||||
7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
|
||||
-> (_o61>U-grease .P>ZRrj~ -=7S;N
|
||||
6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
|
||||
k+sGxA
|
||||
--- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
|
||||
è™ñΗ´ä!î^ûØÖ8Ô‚zøÑaÒÓÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â
|
29
machines/web03/secrets/dj_interludes-secret_key_file
Normal file
29
machines/web03/secrets/dj_interludes-secret_key_file
Normal file
|
@ -0,0 +1,29 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
|
||||
ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
|
||||
-> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
|
||||
JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
|
||||
-> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
|
||||
3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
|
||||
-> ssh-rsa krWCLQ
|
||||
xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
|
||||
Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
|
||||
cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
|
||||
Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
|
||||
uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
|
||||
fuPQDFKxMucAsPjv1H1iaQ
|
||||
-> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
|
||||
Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
|
||||
-> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
|
||||
V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
|
||||
-> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
|
||||
ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
|
||||
-> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
|
||||
3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
|
||||
-> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
|
||||
HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
|
||||
-> Tp-grease s03Py `u6"4 E|5 _
|
||||
3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
|
||||
n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
|
||||
--- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
|
||||
ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìpö¸T«?£iÞ‰áèÚ>I^ü‚l·o5”¯ë:{¬gJk£vø>€W8ði
|
|
@ -1,3 +1,6 @@
|
|||
(import ../../../keys).mkSecrets [ "web03" ] [
|
||||
# List of secrets for web03
|
||||
"dj_interludes-email_host_password_file"
|
||||
"dj_interludes-secret_key_file"
|
||||
"webhook-interludes_token"
|
||||
]
|
||||
|
|
BIN
machines/web03/secrets/webhook-interludes_token
Normal file
BIN
machines/web03/secrets/webhook-interludes_token
Normal file
Binary file not shown.
|
@ -87,9 +87,9 @@
|
|||
"repo": "git-hooks.nix"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "d70155fdc00df4628446352fc58adc640cd705c2",
|
||||
"url": "https://github.com/cachix/git-hooks.nix/archive/d70155fdc00df4628446352fc58adc640cd705c2.tar.gz",
|
||||
"hash": "1s4w7bnign9lfzm8bm9j0zkvqfh5f1x671jp4g61psq42v5cfqvx"
|
||||
"revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
|
||||
"url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
|
||||
"hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
|
||||
},
|
||||
"kadenios": {
|
||||
"type": "Git",
|
||||
|
@ -144,9 +144,9 @@
|
|||
"url": "https://git.lix.systems/lix-project/lix.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "d1d96cc4c8bd661a65c6159039a9d7e7e8fdf771",
|
||||
"revision": "c859d03013712b349d82ee6223948d6d03e63a8d",
|
||||
"url": null,
|
||||
"hash": "14yr9ivpd2xx5dw81sjnsv2m7adqjmm5sxxckh5wzjw6mi3gbjs4"
|
||||
"hash": "14bn1c3azvnkp1wl28x7y288vpd2gp96nswlnfzrcp13a4ivbbbf"
|
||||
},
|
||||
"lix-module": {
|
||||
"type": "Git",
|
||||
|
@ -194,6 +194,20 @@
|
|||
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
|
||||
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
|
||||
},
|
||||
"nix-actions": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
"type": "Git",
|
||||
"url": "https://git.dgnum.eu/DGNum/nix-actions.git"
|
||||
},
|
||||
"pre_releases": false,
|
||||
"version_upper_bound": null,
|
||||
"release_prefix": null,
|
||||
"version": "v0.2.2",
|
||||
"revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
|
||||
"url": null,
|
||||
"hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
|
||||
},
|
||||
"nix-modules": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
|
@ -201,9 +215,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "662c5c6a78fb656be70be458ac9864def77a6dac",
|
||||
"revision": "695cf83c526dd3d78c8ed79b33f80019db4c8019",
|
||||
"url": null,
|
||||
"hash": "0szvbh1djd5fnkrfba7yc44q8sdxwyrn9r729j5lnyyd1rxj0dw6"
|
||||
"hash": "0xqv1rx0dnl3r1rhqdahcp8jqv8j9qc1v6xnmfiv0ddh81jd0szj"
|
||||
},
|
||||
"nix-patches": {
|
||||
"type": "GitRelease",
|
||||
|
@ -226,15 +240,15 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "4ef413bdaccdf215ce35d99fc2909fbc26eb3d83",
|
||||
"revision": "e27e07f9c03a3bc756f9447a2288ca6f14130ffc",
|
||||
"url": null,
|
||||
"hash": "1izrbhj3yx56ml2p39fi004p4k7253yi0lcvfww9b8n8f96m1a1q"
|
||||
"hash": "06vydk09wniygpy04yjh07g9raswimhwwfj1cysigx2lxrg0997a"
|
||||
},
|
||||
"nixos-24.05": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-24.05",
|
||||
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6463.83fb6c028368/nixexprs.tar.xz",
|
||||
"hash": "1h73z8c0fp8sh9wvh80gyv99hncnzzdrah65lyb5f47z3w2hqiqc"
|
||||
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
|
||||
"hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
|
||||
},
|
||||
"nixos-generators": {
|
||||
"type": "Git",
|
||||
|
@ -244,21 +258,21 @@
|
|||
"repo": "nixos-generators"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
|
||||
"url": "https://github.com/nix-community/nixos-generators/archive/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565.tar.gz",
|
||||
"hash": "0n0nx4d68qyn2d5kvg8g3dczr1l9aq0k91hlvg4dw15rg0ycppdk"
|
||||
"revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
|
||||
"url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
|
||||
"hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-unstable",
|
||||
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre703931.4aa36568d413/nixexprs.tar.xz",
|
||||
"hash": "1z0ljvlgqcrrm62wzp44lr0qlxy43xxn6q0wf7pb3hzxx5546bb3"
|
||||
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta708622.5e4fbfb6b3de/nixexprs.tar.xz",
|
||||
"hash": "18zd6qnn1zmz3pgq2q484lmdk486ncxyp8r5g9c71r9dc8jr5dnc"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixpkgs-unstable",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz",
|
||||
"hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k"
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
|
||||
"hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
|
||||
},
|
||||
"proxmox-nixos": {
|
||||
"type": "Git",
|
||||
|
@ -302,9 +316,9 @@
|
|||
"server": "https://git.helsinki.tools/"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "14dfb7590c74a67d93651492100ba2bf66d064af",
|
||||
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=14dfb7590c74a67d93651492100ba2bf66d064af",
|
||||
"hash": "04qyjqvi2f930yiss32ym24hknfyimlyvhc97r71hprz26y2yh42"
|
||||
"revision": "10c3f658aecc0a54baf062137071b129f3897111",
|
||||
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=10c3f658aecc0a54baf062137071b129f3897111",
|
||||
"hash": "13gbzfrz9vv9iz43bfl67hl11lsmrh524mw6kkjavfwpzw5shm1g"
|
||||
}
|
||||
},
|
||||
"version": 3
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
set -eu -o pipefail
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
shopt -s lastpipe
|
||||
|
||||
drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
|
||||
drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
|
||||
|
||||
# Build the derivation and send it to the great beyond
|
||||
nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
#!/usr/bin/env bash
|
||||
#!@bash@/bin/bash
|
||||
# shellcheck shell=bash
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
@ -20,7 +16,7 @@ Exemple:
|
|||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--help|-h)
|
||||
--help | -h)
|
||||
echo "$usage"
|
||||
exit 0
|
||||
;;
|
||||
|
@ -51,13 +47,13 @@ GIT_TOP_LEVEL=$(git rev-parse --show-toplevel)
|
|||
|
||||
echo "Cloning local main..."
|
||||
git clone -q --branch main --single-branch "$GIT_TOP_LEVEL" "$TMP"
|
||||
pushd "$TMP" > /dev/null || exit 2
|
||||
pushd "$TMP" >/dev/null || exit 2
|
||||
|
||||
####################
|
||||
# Evaluate configs #
|
||||
####################
|
||||
|
||||
colmena_failed () {
|
||||
colmena_failed() {
|
||||
>&2 echo "Colmena failed. Check your config. Logs:"
|
||||
>&2 cat "$COLMENA_LOGS"
|
||||
exit 3
|
||||
|
@ -68,7 +64,7 @@ COLMENA_LOGS=$(mktemp)
|
|||
echo "Evaluating configs..."
|
||||
# Disable warning because of '${}'
|
||||
# shellcheck disable=SC2016
|
||||
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2> "$COLMENA_LOGS" || colmena_failed)
|
||||
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2>"$COLMENA_LOGS" || colmena_failed)
|
||||
|
||||
rm "$COLMENA_LOGS"
|
||||
echo "Evaluation finished"
|
||||
|
@ -77,39 +73,38 @@ echo "Evaluation finished"
|
|||
# retrieve and check current-system #
|
||||
#####################################
|
||||
|
||||
retrieve_current_system () {
|
||||
retrieve_current_system() {
|
||||
# TODO implement a less invasive method
|
||||
ssh -n "root@$1" "readlink -f /run/current-system"
|
||||
}
|
||||
|
||||
|
||||
return_status=0
|
||||
echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
|
||||
while IFS=$'\n' read -r c; do
|
||||
echo "$RESULTS" | jq -c '.[]' |
|
||||
while IFS=$'\n' read -r c; do
|
||||
|
||||
machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
|
||||
machine=$(echo "$c" | jq -r '.machine')
|
||||
if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
|
||||
echo "Skipping ${machine}"
|
||||
continue
|
||||
fi
|
||||
expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
|
||||
domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
|
||||
drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
|
||||
expected_path=$(echo "$c" | jq -r '.path')
|
||||
domain=$(echo "$c" | jq -r '.domain')
|
||||
drv_path=$(echo "$c" | jq -r '.drv')
|
||||
|
||||
err=0
|
||||
current_path=$(retrieve_current_system "$domain") || err=1
|
||||
if [[ "1" == "${err}" ]] ; then
|
||||
if [[ "1" == "${err}" ]]; then
|
||||
echo "❌ failed to contact $domain !"
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "$expected_path" == "$current_path" ] ; then
|
||||
if [ "$expected_path" == "$current_path" ]; then
|
||||
echo "✅ $machine -> OK"
|
||||
elif [[ -n ${diff-} ]] ; then
|
||||
elif [[ -n ${diff-} ]]; then
|
||||
nix-copy-closure --from "root@$domain" "$current_path"
|
||||
nix-store -r "$drv_path"
|
||||
echo "$machine -> error. nvd output:"
|
||||
@nvd@/bin/nvd diff "$expected_path" "$current_path"
|
||||
nvd diff "$expected_path" "$current_path"
|
||||
return_status=1
|
||||
else
|
||||
echo "☠️ $machine -> error:"
|
||||
|
@ -117,9 +112,9 @@ while IFS=$'\n' read -r c; do
|
|||
echo " - Current system: $current_path"
|
||||
return_status=1
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
popd > /dev/null || exit 2
|
||||
popd >/dev/null || exit 2
|
||||
rm -r "$TMP"
|
||||
|
||||
exit $return_status
|
||||
|
|
|
@ -1,39 +1,32 @@
|
|||
{ pkgs, ... }:
|
||||
{ pkgs }:
|
||||
|
||||
let
|
||||
substitutions = {
|
||||
inherit (pkgs.lib) mapAttrs;
|
||||
|
||||
inherit (pkgs)
|
||||
bash
|
||||
writeShellApplication
|
||||
colmena
|
||||
coreutils
|
||||
nvd
|
||||
git
|
||||
jq
|
||||
nvd
|
||||
;
|
||||
};
|
||||
|
||||
mkShellScript =
|
||||
name:
|
||||
(pkgs.substituteAll (
|
||||
{
|
||||
inherit name;
|
||||
src = ./. + "/${name}.sh";
|
||||
dir = "/bin/";
|
||||
isExecutable = true;
|
||||
|
||||
checkPhase = ''
|
||||
${pkgs.stdenv.shellDryRun} "$target"
|
||||
'';
|
||||
}
|
||||
// substitutions
|
||||
));
|
||||
|
||||
scripts = [
|
||||
"cache-node"
|
||||
"check-deployment"
|
||||
"launch-vm"
|
||||
"list-nodes"
|
||||
scripts = {
|
||||
cache-node = [ colmena ];
|
||||
check-deployment = [
|
||||
colmena
|
||||
jq
|
||||
nvd
|
||||
];
|
||||
launch-vm = [ colmena ];
|
||||
list-nodes = [ jq ];
|
||||
};
|
||||
in
|
||||
|
||||
builtins.map mkShellScript scripts
|
||||
mapAttrs (
|
||||
name: runtimeInputs:
|
||||
writeShellApplication {
|
||||
inherit name runtimeInputs;
|
||||
|
||||
text = builtins.readFile ./${name}.sh;
|
||||
}
|
||||
) scripts
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
#!@bash@/bin/bash
|
||||
# shellcheck shell=bash
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
shopt -s lastpipe
|
||||
|
||||
MACHINE=""
|
||||
HOSTFWD=""
|
||||
|
@ -17,17 +16,20 @@ while getopts 'p:o:h' opt; do
|
|||
MACHINE="$OPTARG"
|
||||
;;
|
||||
|
||||
h|?)
|
||||
h | ?)
|
||||
echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift "$((OPTIND -1))"
|
||||
shift "$((OPTIND - 1))"
|
||||
|
||||
if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
|
||||
if [ -z "$MACHINE" ]; then
|
||||
echo "-o option needed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
|
||||
DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
|
||||
|
||||
echo "Realising $DRV_PATH"
|
||||
RESULT=$(nix-store -r "$DRV_PATH")
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
#!@bash@/bin/bash
|
||||
# shellcheck shell=bash
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
shopt -s lastpipe
|
||||
|
||||
cd $(@git@/bin/git rev-parse --show-toplevel)
|
||||
cd "$(git rev-parse --show-toplevel)"
|
||||
|
||||
nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .
|
||||
nix-instantiate --strict --eval --json -A nodes | jq .
|
||||
|
|
|
@ -1 +1 @@
|
|||
(import ./. { }).shells.default
|
||||
(import ./. { }).devShell
|
||||
|
|
31
workflows/check-meta.nix
Normal file
31
workflows/check-meta.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
{
|
||||
name = "Check meta";
|
||||
on = {
|
||||
pull_request.branches = [ "main" ];
|
||||
push.paths = [ "meta/*" ];
|
||||
};
|
||||
|
||||
jobs = {
|
||||
check_meta = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{ uses = "actions/checkout@v3"; }
|
||||
{
|
||||
name = "Check the validity of meta options";
|
||||
run = "nix-build meta/verify.nix -A meta";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
check_dns = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{ uses = "actions/checkout@v3"; }
|
||||
{
|
||||
name = "Check the validity of the DNS configuration";
|
||||
run = "nix-build meta/verify.nix -A dns";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
20
workflows/check-workflows.nix
Normal file
20
workflows/check-workflows.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
name = "Check workflows";
|
||||
on = {
|
||||
pull_request.branches = [ "main" ];
|
||||
push.paths = [ "workflows/*" ];
|
||||
};
|
||||
|
||||
jobs = {
|
||||
check_workflows = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{ uses = "actions/checkout@v3"; }
|
||||
{
|
||||
name = "Check that the workflows are up to date";
|
||||
run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
32
workflows/eval-nodes.nix
Normal file
32
workflows/eval-nodes.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ lib }:
|
||||
|
||||
let
|
||||
inherit (lib) attrNames genAttrs;
|
||||
|
||||
nodes = attrNames (builtins.readDir ../machines);
|
||||
in
|
||||
|
||||
{
|
||||
name = "Build all the nodes";
|
||||
on = {
|
||||
pull_request.branches = [ "main" ];
|
||||
push.branches = [ "main" ];
|
||||
};
|
||||
|
||||
jobs = genAttrs nodes (node: {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{ uses = "actions/checkout@v3"; }
|
||||
{
|
||||
name = "Build and cache ${node}";
|
||||
run = "nix-shell -A eval-nodes --run cache-node";
|
||||
env = {
|
||||
STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
|
||||
STORE_USER = "admin";
|
||||
STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
|
||||
BUILD_NODE = node;
|
||||
};
|
||||
}
|
||||
];
|
||||
});
|
||||
}
|
|
@ -1,31 +1,24 @@
|
|||
name: npins update
|
||||
on:
|
||||
schedule:
|
||||
{
|
||||
name = "npins update";
|
||||
on.schedule = [
|
||||
# Run at 11 o'clock every wednesday
|
||||
- cron: "25 15 * * *"
|
||||
{ cron = "25 15 * * *"; }
|
||||
];
|
||||
|
||||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
# - name: Install applications
|
||||
# run: apt-get update && apt-get install sudo
|
||||
#
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
depth: 0
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
#
|
||||
# - uses: https://github.com/cachix/install-nix-action@v22
|
||||
# with:
|
||||
# nix_path: nixpkgs=channel:nixos-unstable
|
||||
jobs.npins_update = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{
|
||||
uses = "actions/checkout@v3";
|
||||
"with" = {
|
||||
depth = 0;
|
||||
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
|
||||
};
|
||||
}
|
||||
|
||||
# - name: Install tea
|
||||
# run: |
|
||||
# nix-env -f '<nixpkgs>' -i tea
|
||||
|
||||
- name: Update dependencies and open PR if necessary
|
||||
run: |
|
||||
{
|
||||
name = "Update dependencies and open PR if necessary";
|
||||
run = ''
|
||||
npins update
|
||||
|
||||
if [ ! -z "$(git diff --name-only)" ]; then
|
||||
|
@ -44,7 +37,7 @@ jobs:
|
|||
# Connect to the server with the cli
|
||||
tea login add \
|
||||
-n dgnum-chores \
|
||||
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
|
||||
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
|
||||
-u https://git.dgnum.eu
|
||||
|
||||
# Create a pull request if needed
|
||||
|
@ -56,3 +49,8 @@ jobs:
|
|||
--head npins-update
|
||||
fi
|
||||
fi
|
||||
'';
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
18
workflows/pre-commit.nix
Normal file
18
workflows/pre-commit.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
name = "Run pre-commit on all files";
|
||||
on = [
|
||||
"push"
|
||||
"pull_request"
|
||||
];
|
||||
|
||||
jobs.check = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{ uses = "actions/checkout@v3"; }
|
||||
{
|
||||
name = "Run pre-commit on all files";
|
||||
run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue