Compare commits

..

17 commits

Author SHA1 Message Date
sinavir
b00e47ec85
chore(netbox): Upgrade
Some checks failed
Check workflows / check_workflows (push) Failing after 24s
Check meta / check_dns (pull_request) Successful in 21s
Check meta / check_meta (pull_request) Successful in 22s
Check workflows / check_workflows (pull_request) Failing after 23s
Run pre-commit on all files / check (push) Successful in 27s
Build all the nodes / geo01 (pull_request) Successful in 4m4s
Build all the nodes / storage01 (pull_request) Successful in 3m59s
Build all the nodes / geo02 (pull_request) Successful in 4m2s
Build all the nodes / bridge01 (pull_request) Successful in 4m9s
Build all the nodes / rescue01 (pull_request) Successful in 4m4s
Build all the nodes / compute01 (pull_request) Successful in 4m22s
Run pre-commit on all files / check (pull_request) Successful in 24s
Build all the nodes / web02 (pull_request) Successful in 1m11s
Build all the nodes / web03 (pull_request) Successful in 1m24s
Build all the nodes / vault01 (pull_request) Successful in 1m36s
Build all the nodes / web01 (pull_request) Failing after 14m37s
2024-11-19 00:40:15 +01:00
a50637d55e
chore(stirling-pdf): New version
Some checks failed
Check meta / check_meta (pull_request) Successful in 18s
Check meta / check_dns (pull_request) Successful in 18s
Run pre-commit on all files / check (push) Successful in 26s
Check workflows / check_workflows (pull_request) Failing after 25s
Build all the nodes / bridge01 (pull_request) Successful in 1m6s
Build all the nodes / geo02 (pull_request) Successful in 54s
Build all the nodes / geo01 (pull_request) Successful in 56s
Build all the nodes / rescue01 (pull_request) Successful in 1m3s
Build all the nodes / storage01 (pull_request) Successful in 1m6s
Run pre-commit on all files / check (pull_request) Successful in 26s
Build all the nodes / web01 (pull_request) Failing after 51s
Build all the nodes / web02 (pull_request) Successful in 58s
Build all the nodes / vault01 (pull_request) Successful in 1m19s
Build all the nodes / compute01 (pull_request) Successful in 5m31s
Build all the nodes / web03 (pull_request) Successful in 2m39s
2024-11-19 00:13:49 +01:00
aa4f972085
fix(forgejo-runners): Let the shell handle colmena
Some checks failed
Check meta / check_meta (pull_request) Successful in 20s
Check meta / check_dns (pull_request) Successful in 20s
Run pre-commit on all files / check (push) Successful in 24s
Check workflows / check_workflows (pull_request) Failing after 26s
Build all the nodes / bridge01 (pull_request) Successful in 58s
Build all the nodes / compute01 (pull_request) Failing after 1m12s
Build all the nodes / geo02 (pull_request) Successful in 57s
Build all the nodes / geo01 (pull_request) Successful in 1m3s
Build all the nodes / rescue01 (pull_request) Successful in 1m14s
Build all the nodes / web01 (pull_request) Failing after 54s
Build all the nodes / vault01 (pull_request) Successful in 1m12s
Run pre-commit on all files / check (pull_request) Successful in 34s
Build all the nodes / web02 (pull_request) Successful in 1m4s
Build all the nodes / storage01 (pull_request) Successful in 6m43s
Build all the nodes / web03 (pull_request) Failing after 1m20s
2024-11-19 00:01:06 +01:00
8a5de73b47 chore(npins): Update
Some checks failed
Check meta / check_dns (pull_request) Successful in 1m59s
Check meta / check_meta (pull_request) Successful in 1m59s
Run pre-commit on all files / check (push) Successful in 2m1s
Check workflows / check_workflows (pull_request) Failing after 2m4s
Build all the nodes / compute01 (pull_request) Failing after 4m21s
Build all the nodes / bridge01 (pull_request) Successful in 6m35s
Build all the nodes / geo02 (pull_request) Successful in 4m50s
Build all the nodes / geo01 (pull_request) Successful in 4m58s
Build all the nodes / rescue01 (pull_request) Successful in 4m57s
Build all the nodes / web01 (pull_request) Failing after 51s
Build all the nodes / web02 (pull_request) Successful in 1m12s
Run pre-commit on all files / check (pull_request) Successful in 24s
Build all the nodes / vault01 (pull_request) Successful in 1m30s
Build all the nodes / web03 (pull_request) Failing after 1m6s
Build all the nodes / storage01 (pull_request) Failing after 1m18s
2024-11-18 15:29:55 +00:00
3fecacb482
chore(npins): Update nix-modules
All checks were successful
Build all the nodes / bridge01 (push) Successful in 1m8s
Build all the nodes / compute01 (push) Successful in 1m39s
Build all the nodes / geo01 (push) Successful in 54s
Build all the nodes / geo02 (push) Successful in 52s
Build all the nodes / rescue01 (push) Successful in 1m0s
Build all the nodes / storage01 (push) Successful in 1m13s
Build all the nodes / vault01 (push) Successful in 1m4s
Build all the nodes / web02 (push) Successful in 59s
Build all the nodes / web01 (push) Successful in 1m31s
Run pre-commit on all files / check (push) Successful in 26s
Build all the nodes / web03 (push) Successful in 1m4s
2024-11-18 13:03:13 +01:00
ded867d274
feat(dj-interludes): Add a real secret 2024-11-18 13:02:54 +01:00
f61bd85d63
chore(forgejo): Disallow more domains 2024-11-17 19:01:26 +01:00
bf06d2573b
feat(nix): Use passthru for shells and return to importing the scripts
All checks were successful
Check workflows / check_workflows (push) Successful in 23s
Build all the nodes / bridge01 (push) Successful in 1m7s
Build all the nodes / geo02 (push) Successful in 1m6s
Build all the nodes / geo01 (push) Successful in 1m8s
Build all the nodes / rescue01 (push) Successful in 1m13s
Build all the nodes / compute01 (push) Successful in 1m29s
Build all the nodes / storage01 (push) Successful in 1m9s
Run pre-commit on all files / check (push) Successful in 24s
Build all the nodes / vault01 (push) Successful in 1m13s
Build all the nodes / web02 (push) Successful in 1m12s
Build all the nodes / web03 (push) Successful in 1m17s
Build all the nodes / web01 (push) Successful in 1m49s
2024-11-14 22:18:40 +01:00
6fbda40e5e
feat(scripts): Unify behaviour and improve generation
All checks were successful
Build all the nodes / bridge01 (push) Successful in 1m17s
Build all the nodes / geo01 (push) Successful in 1m16s
Build all the nodes / geo02 (push) Successful in 1m22s
Build all the nodes / compute01 (push) Successful in 1m38s
Build all the nodes / storage01 (push) Successful in 1m13s
Build all the nodes / rescue01 (push) Successful in 1m22s
Build all the nodes / vault01 (push) Successful in 1m20s
Run pre-commit on all files / check (push) Successful in 24s
Build all the nodes / web01 (push) Successful in 1m46s
Build all the nodes / web02 (push) Successful in 1m6s
Build all the nodes / web03 (push) Successful in 1m9s
2024-11-14 22:01:58 +01:00
2ffd7732ba
feat(django-apps/interludes): Allow base webapps domain
All checks were successful
Build all the nodes / bridge01 (push) Successful in 1m19s
Build all the nodes / geo01 (push) Successful in 1m18s
Build all the nodes / geo02 (push) Successful in 1m22s
Build all the nodes / storage01 (push) Successful in 1m28s
Build all the nodes / rescue01 (push) Successful in 1m32s
Build all the nodes / compute01 (push) Successful in 1m45s
Run pre-commit on all files / check (push) Successful in 24s
Build all the nodes / web02 (push) Successful in 1m25s
Build all the nodes / web03 (push) Successful in 1m24s
Build all the nodes / vault01 (push) Successful in 1m36s
Build all the nodes / web01 (push) Successful in 1m57s
2024-11-12 15:08:17 +01:00
d45b044b22
feat(django-apps/interludes): Switch to interludes.ens.fr
All checks were successful
Build all the nodes / geo02 (push) Successful in 1m22s
Build all the nodes / bridge01 (push) Successful in 1m25s
Build all the nodes / geo01 (push) Successful in 1m25s
Build all the nodes / rescue01 (push) Successful in 1m42s
Build all the nodes / compute01 (push) Successful in 1m45s
Build all the nodes / storage01 (push) Successful in 1m12s
Build all the nodes / vault01 (push) Successful in 1m25s
Build all the nodes / web02 (push) Successful in 1m9s
Build all the nodes / web03 (push) Successful in 1m13s
Run pre-commit on all files / check (push) Successful in 24s
Build all the nodes / web01 (push) Successful in 1m47s
2024-11-12 14:55:04 +01:00
21b422b1ad
fix(nix-lib): Allow defining top-level imports
All checks were successful
Build all the nodes / geo02 (push) Successful in 1m18s
Build all the nodes / geo01 (push) Successful in 1m27s
Build all the nodes / bridge01 (push) Successful in 1m32s
Build all the nodes / rescue01 (push) Successful in 1m31s
Build all the nodes / storage01 (push) Successful in 1m31s
Build all the nodes / compute01 (push) Successful in 1m44s
Run pre-commit on all files / check (push) Successful in 28s
Build all the nodes / vault01 (push) Successful in 1m20s
Build all the nodes / web03 (push) Successful in 1m15s
Build all the nodes / web02 (push) Successful in 1m19s
Build all the nodes / web01 (push) Successful in 1m46s
2024-11-12 12:29:36 +01:00
420fe99984
fix(django-apps/interludes): Don't run in debug mode
All checks were successful
Build all the nodes / rescue01 (push) Successful in 2m49s
Build all the nodes / compute01 (push) Successful in 6m21s
Build all the nodes / bridge01 (push) Successful in 7m45s
Build all the nodes / geo02 (push) Successful in 7m56s
Build all the nodes / storage01 (push) Successful in 5m36s
Build all the nodes / geo01 (push) Successful in 8m38s
Run pre-commit on all files / check (push) Successful in 29s
Build all the nodes / vault01 (push) Successful in 7m35s
Build all the nodes / web02 (push) Successful in 6m24s
Build all the nodes / web01 (push) Successful in 7m21s
Build all the nodes / web03 (push) Successful in 1m14s
2024-11-12 10:52:49 +01:00
32f13adaad
feat(web03): Deploy interludes.webapps.dgnum.eu
Some checks failed
Build all the nodes / bridge01 (push) Successful in 1m25s
Build all the nodes / geo02 (push) Successful in 1m34s
Build all the nodes / rescue01 (push) Successful in 1m34s
Build all the nodes / geo01 (push) Successful in 1m56s
Build all the nodes / compute01 (push) Successful in 2m22s
Build all the nodes / storage01 (push) Successful in 1m43s
Build all the nodes / web01 (push) Successful in 1m50s
Run pre-commit on all files / check (push) Successful in 25s
Build all the nodes / web02 (push) Successful in 1m54s
Build all the nodes / vault01 (push) Successful in 2m20s
Build all the nodes / web03 (push) Failing after 1m39s
2024-11-12 10:40:09 +01:00
a816c81125
chore: Update nix-actions
All checks were successful
Build all the nodes / geo01 (push) Successful in 1m19s
Build all the nodes / geo02 (push) Successful in 1m21s
Build all the nodes / bridge01 (push) Successful in 1m23s
Build all the nodes / rescue01 (push) Successful in 1m25s
Build all the nodes / storage01 (push) Successful in 1m26s
Build all the nodes / compute01 (push) Successful in 1m40s
Run pre-commit on all files / check (push) Successful in 25s
Build all the nodes / web02 (push) Successful in 1m10s
Build all the nodes / web03 (push) Successful in 1m14s
Build all the nodes / vault01 (push) Successful in 1m23s
Build all the nodes / web01 (push) Successful in 1m48s
2024-11-11 22:05:16 +01:00
6ab3e4b685
fix(workflows): Correct typos
All checks were successful
Check workflows / check_workflows (push) Successful in 36s
Build all the nodes / geo01 (push) Successful in 1m35s
Build all the nodes / bridge01 (push) Successful in 1m37s
Build all the nodes / geo02 (push) Successful in 1m36s
Build all the nodes / compute01 (push) Successful in 1m58s
Build all the nodes / rescue01 (push) Successful in 1m26s
Build all the nodes / storage01 (push) Successful in 1m19s
Build all the nodes / vault01 (push) Successful in 1m26s
Build all the nodes / web02 (push) Successful in 1m12s
Run pre-commit on all files / check (push) Successful in 23s
Build all the nodes / web01 (push) Successful in 1m45s
Build all the nodes / web03 (push) Successful in 1m9s
2024-11-11 18:01:44 +01:00
5f1436e4bf
feat(workflows): Switch to a nix-based definition of workflows
Some checks failed
Build all the nodes / bridge01 (push) Failing after 13s
Build all the nodes / compute01 (push) Failing after 13s
Build all the nodes / geo02 (push) Failing after 12s
Build all the nodes / geo01 (push) Failing after 13s
Build all the nodes / rescue01 (push) Failing after 12s
Build all the nodes / storage01 (push) Failing after 12s
Build all the nodes / web01 (push) Failing after 12s
Build all the nodes / web02 (push) Failing after 12s
Build all the nodes / vault01 (push) Failing after 12s
Check workflows / check_workflows (push) Failing after 32s
Build all the nodes / web03 (push) Failing after 12s
Run pre-commit on all files / check (push) Successful in 22s
2024-11-11 17:57:23 +01:00
32 changed files with 625 additions and 471 deletions

1
.envrc
View file

@ -1 +1,2 @@
watch_file workflows/*
use nix

View file

@ -1,25 +1,21 @@
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
'on':
pull_request:
branches:
- main
push:
paths:
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link
- meta/*

View file

@ -0,0 +1,16 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
'on':
pull_request:
branches:
- main
push:
paths:
- workflows/*

View file

@ -1,56 +0,0 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

View file

@ -0,0 +1,119 @@
jobs:
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
'on':
pull_request:
branches:
- main
push:
branches:
- main

View file

@ -1,200 +0,0 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_and_cache_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "compute01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: paths.txt
build_and_cache_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "storage01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: paths.txt
build_and_cache_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "rescue01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: paths.txt
build_and_cache_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: paths.txt
build_and_cache_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: paths.txt
build_and_cache_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "vault01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: paths.txt
build_and_cache_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: paths.txt
build_and_cache_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web03"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "bridge01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt

View file

@ -1,11 +0,0 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

View file

@ -0,0 +1,25 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo\
\ \"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config\
\ user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to\
\ the server with the cli\n tea login add \\\n -n dgnum-chores \\\n \
\ -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title\
\ exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):\
\ Update dgnum-chores')\" ]; then\n tea pr create \\\n --description\
\ \"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\
\n --head npins-update\n fi\nfi\n"
name: npins update
'on':
schedule:
- cron: 25 15 * * *

View file

@ -0,0 +1,12 @@
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
'on':
- push
- pull_request

View file

@ -41,7 +41,15 @@
}:
let
git-checks = (import (builtins.storePath sources.git-hooks)).run {
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
git-checks = (import sources.git-hooks).run {
src = ./.;
hooks = {
@ -67,6 +75,22 @@ let
commitizen.enable = true;
};
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs; };
in
{
@ -78,36 +102,35 @@ in
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
src = sources.nixos-generators;
}))
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (import ./scripts { inherit pkgs; });
] ++ (builtins.attrValues scripts);
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
'';
preferLocalBuild = true;
};
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
###
# Alternative shells
shellHook = ''
${git-checks.shellHook}
'';
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
};
};
}

View file

@ -190,8 +190,11 @@ rec {
recursiveFuse [
(enableModules enabledModules)
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
extraConfig
(removeAttrs extraConfig [ "imports" ])
];
}

View file

@ -10,7 +10,7 @@ let
# - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
port = 8084;
in

View file

@ -1,10 +1,4 @@
{
config,
pkgs,
nixpkgs,
sources,
...
}:
{ config, pkgs, ... }:
let
url = "https://git.dgnum.eu";
@ -30,8 +24,6 @@ let
options = "--cpus=4";
};
};
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.forgejo-nix-runners = {
@ -43,10 +35,8 @@ in
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
nix-pkgs.colmena
pkgs.npins
pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style
];
containerOptions = [ "--cpus=4" ];

View file

@ -61,7 +61,7 @@ in
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
EMAIL_DOMAIN_BLOCKLIST = "*.shop";
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;

View file

@ -3,6 +3,7 @@
./annuaire.nix
./bocal.nix
./gestiojeux.nix
./interludes.nix
./wikiens.nix
];

View file

@ -0,0 +1,66 @@
{
config,
pkgs,
sources,
...
}:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.webhook.extraArgs = [ "-debug" ];
services.django-apps.sites.interludes = {
source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
branch = "master";
domain = "interludes.ens.fr";
nginx = {
enableACME = true;
forceSSL = true;
serverAliases = [ "interludes.webapps.dgnum.eu" ];
};
webHookSecret = config.age.secrets."webhook-interludes_token".path;
application = {
type = "wsgi";
module = "interludes";
};
dbType = "sqlite";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
};
django = ps: ps.django_4;
dependencies = ps: [
ps.loadcredential
ps.python-ldap
ps.python-cas
];
credentials = {
SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
};
environment = {
INTERLUDES_ALLOWED_HOSTS = [
"interludes.ens.fr"
"interludes.webapps.dgnum.eu"
];
# E-mail configuration
INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
INTERLUDES_EMAIL_PORT = 465;
INTERLUDES_EMAIL_HOST_USER = "interludes";
INTERLUDES_DEBUG = false;
};
};
}

View file

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
-> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
-> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
-> ssh-rsa krWCLQ
AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
+01dH0D/7kzRhEdNLO2NXA
-> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
-> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
-> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
-> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
-> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
-> (_o61>U-grease .P>ZRrj~ -=7S;N
6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
k+sGxA
--- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
è ™ñΗ´ä!î^ûØÖ8ÔzøÑaÒÓ ÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â

View file

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
-> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
-> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
-> ssh-rsa krWCLQ
xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
fuPQDFKxMucAsPjv1H1iaQ
-> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
-> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
-> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
-> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
-> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
-> Tp-grease s03Py `u6"4 E|5 _
3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
--- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìp­ö¸T«?£iÞ‰áèÚ>I^ül·o5”¯ë:{¬gJk£vø>€W8ði

View file

@ -1,3 +1,6 @@
(import ../../../keys).mkSecrets [ "web03" ] [
# List of secrets for web03
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"webhook-interludes_token"
]

Binary file not shown.

View file

@ -87,9 +87,9 @@
"repo": "git-hooks.nix"
},
"branch": "master",
"revision": "d70155fdc00df4628446352fc58adc640cd705c2",
"url": "https://github.com/cachix/git-hooks.nix/archive/d70155fdc00df4628446352fc58adc640cd705c2.tar.gz",
"hash": "1s4w7bnign9lfzm8bm9j0zkvqfh5f1x671jp4g61psq42v5cfqvx"
"revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
"hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
},
"kadenios": {
"type": "Git",
@ -144,9 +144,9 @@
"url": "https://git.lix.systems/lix-project/lix.git"
},
"branch": "main",
"revision": "d1d96cc4c8bd661a65c6159039a9d7e7e8fdf771",
"revision": "c859d03013712b349d82ee6223948d6d03e63a8d",
"url": null,
"hash": "14yr9ivpd2xx5dw81sjnsv2m7adqjmm5sxxckh5wzjw6mi3gbjs4"
"hash": "14bn1c3azvnkp1wl28x7y288vpd2gp96nswlnfzrcp13a4ivbbbf"
},
"lix-module": {
"type": "Git",
@ -194,6 +194,20 @@
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
},
"nix-actions": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/nix-actions.git"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.2.2",
"revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
"url": null,
"hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
},
"nix-modules": {
"type": "Git",
"repository": {
@ -201,9 +215,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
},
"branch": "main",
"revision": "662c5c6a78fb656be70be458ac9864def77a6dac",
"revision": "695cf83c526dd3d78c8ed79b33f80019db4c8019",
"url": null,
"hash": "0szvbh1djd5fnkrfba7yc44q8sdxwyrn9r729j5lnyyd1rxj0dw6"
"hash": "0xqv1rx0dnl3r1rhqdahcp8jqv8j9qc1v6xnmfiv0ddh81jd0szj"
},
"nix-patches": {
"type": "GitRelease",
@ -226,15 +240,15 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
},
"branch": "main",
"revision": "4ef413bdaccdf215ce35d99fc2909fbc26eb3d83",
"revision": "e27e07f9c03a3bc756f9447a2288ca6f14130ffc",
"url": null,
"hash": "1izrbhj3yx56ml2p39fi004p4k7253yi0lcvfww9b8n8f96m1a1q"
"hash": "06vydk09wniygpy04yjh07g9raswimhwwfj1cysigx2lxrg0997a"
},
"nixos-24.05": {
"type": "Channel",
"name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6463.83fb6c028368/nixexprs.tar.xz",
"hash": "1h73z8c0fp8sh9wvh80gyv99hncnzzdrah65lyb5f47z3w2hqiqc"
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
"hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
},
"nixos-generators": {
"type": "Git",
@ -244,21 +258,21 @@
"repo": "nixos-generators"
},
"branch": "master",
"revision": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
"url": "https://github.com/nix-community/nixos-generators/archive/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565.tar.gz",
"hash": "0n0nx4d68qyn2d5kvg8g3dczr1l9aq0k91hlvg4dw15rg0ycppdk"
"revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
"url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
"hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
},
"nixos-unstable": {
"type": "Channel",
"name": "nixos-unstable",
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre703931.4aa36568d413/nixexprs.tar.xz",
"hash": "1z0ljvlgqcrrm62wzp44lr0qlxy43xxn6q0wf7pb3hzxx5546bb3"
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta708622.5e4fbfb6b3de/nixexprs.tar.xz",
"hash": "18zd6qnn1zmz3pgq2q484lmdk486ncxyp8r5g9c71r9dc8jr5dnc"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz",
"hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k"
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
"hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
},
"proxmox-nixos": {
"type": "Git",
@ -302,9 +316,9 @@
"server": "https://git.helsinki.tools/"
},
"branch": "master",
"revision": "14dfb7590c74a67d93651492100ba2bf66d064af",
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=14dfb7590c74a67d93651492100ba2bf66d064af",
"hash": "04qyjqvi2f930yiss32ym24hknfyimlyvhc97r71hprz26y2yh42"
"revision": "10c3f658aecc0a54baf062137071b129f3897111",
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=10c3f658aecc0a54baf062137071b129f3897111",
"hash": "13gbzfrz9vv9iz43bfl67hl11lsmrh524mw6kkjavfwpzw5shm1g"
}
},
"version": 3

View file

@ -1,6 +1,9 @@
set -eu -o pipefail
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
# Build the derivation and send it to the great beyond
nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt

View file

@ -1,7 +1,3 @@
#!/usr/bin/env bash
#!@bash@/bin/bash
# shellcheck shell=bash
set -o errexit
set -o nounset
set -o pipefail
@ -20,7 +16,7 @@ Exemple:
while [[ $# -gt 0 ]]; do
case "$1" in
--help|-h)
--help | -h)
echo "$usage"
exit 0
;;
@ -51,13 +47,13 @@ GIT_TOP_LEVEL=$(git rev-parse --show-toplevel)
echo "Cloning local main..."
git clone -q --branch main --single-branch "$GIT_TOP_LEVEL" "$TMP"
pushd "$TMP" > /dev/null || exit 2
pushd "$TMP" >/dev/null || exit 2
####################
# Evaluate configs #
####################
colmena_failed () {
colmena_failed() {
>&2 echo "Colmena failed. Check your config. Logs:"
>&2 cat "$COLMENA_LOGS"
exit 3
@ -68,7 +64,7 @@ COLMENA_LOGS=$(mktemp)
echo "Evaluating configs..."
# Disable warning because of '${}'
# shellcheck disable=SC2016
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2> "$COLMENA_LOGS" || colmena_failed)
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2>"$COLMENA_LOGS" || colmena_failed)
rm "$COLMENA_LOGS"
echo "Evaluation finished"
@ -77,39 +73,38 @@ echo "Evaluation finished"
# retrieve and check current-system #
#####################################
retrieve_current_system () {
retrieve_current_system() {
# TODO implement a less invasive method
ssh -n "root@$1" "readlink -f /run/current-system"
}
return_status=0
echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
while IFS=$'\n' read -r c; do
echo "$RESULTS" | jq -c '.[]' |
while IFS=$'\n' read -r c; do
machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
machine=$(echo "$c" | jq -r '.machine')
if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
echo "Skipping ${machine}"
continue
fi
expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
expected_path=$(echo "$c" | jq -r '.path')
domain=$(echo "$c" | jq -r '.domain')
drv_path=$(echo "$c" | jq -r '.drv')
err=0
current_path=$(retrieve_current_system "$domain") || err=1
if [[ "1" == "${err}" ]] ; then
if [[ "1" == "${err}" ]]; then
echo "❌ failed to contact $domain !"
continue
fi
if [ "$expected_path" == "$current_path" ] ; then
if [ "$expected_path" == "$current_path" ]; then
echo "$machine -> OK"
elif [[ -n ${diff-} ]] ; then
elif [[ -n ${diff-} ]]; then
nix-copy-closure --from "root@$domain" "$current_path"
nix-store -r "$drv_path"
echo "$machine -> error. nvd output:"
@nvd@/bin/nvd diff "$expected_path" "$current_path"
nvd diff "$expected_path" "$current_path"
return_status=1
else
echo "☠️ $machine -> error:"
@ -117,9 +112,9 @@ while IFS=$'\n' read -r c; do
echo " - Current system: $current_path"
return_status=1
fi
done
done
popd > /dev/null || exit 2
popd >/dev/null || exit 2
rm -r "$TMP"
exit $return_status

View file

@ -1,39 +1,32 @@
{ pkgs, ... }:
{ pkgs }:
let
substitutions = {
inherit (pkgs.lib) mapAttrs;
inherit (pkgs)
bash
writeShellApplication
colmena
coreutils
nvd
git
jq
nvd
;
};
mkShellScript =
name:
(pkgs.substituteAll (
{
inherit name;
src = ./. + "/${name}.sh";
dir = "/bin/";
isExecutable = true;
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
}
// substitutions
));
scripts = [
"cache-node"
"check-deployment"
"launch-vm"
"list-nodes"
scripts = {
cache-node = [ colmena ];
check-deployment = [
colmena
jq
nvd
];
launch-vm = [ colmena ];
list-nodes = [ jq ];
};
in
builtins.map mkShellScript scripts
mapAttrs (
name: runtimeInputs:
writeShellApplication {
inherit name runtimeInputs;
text = builtins.readFile ./${name}.sh;
}
) scripts

View file

@ -1,8 +1,7 @@
#!@bash@/bin/bash
# shellcheck shell=bash
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
MACHINE=""
HOSTFWD=""
@ -17,17 +16,20 @@ while getopts 'p:o:h' opt; do
MACHINE="$OPTARG"
;;
h|?)
h | ?)
echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
exit 1
;;
esac
done
shift "$((OPTIND -1))"
shift "$((OPTIND - 1))"
if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
if [ -z "$MACHINE" ]; then
echo "-o option needed"
exit 1
fi
DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
echo "Realising $DRV_PATH"
RESULT=$(nix-store -r "$DRV_PATH")

View file

@ -1,6 +1,8 @@
#!@bash@/bin/bash
# shellcheck shell=bash
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
cd $(@git@/bin/git rev-parse --show-toplevel)
cd "$(git rev-parse --show-toplevel)"
nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .
nix-instantiate --strict --eval --json -A nodes | jq .

View file

@ -1 +1 @@
(import ./. { }).shells.default
(import ./. { }).devShell

31
workflows/check-meta.nix Normal file
View file

@ -0,0 +1,31 @@
{
name = "Check meta";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "meta/*" ];
};
jobs = {
check_meta = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of meta options";
run = "nix-build meta/verify.nix -A meta";
}
];
};
check_dns = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of the DNS configuration";
run = "nix-build meta/verify.nix -A dns";
}
];
};
};
}

View file

@ -0,0 +1,20 @@
{
name = "Check workflows";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "workflows/*" ];
};
jobs = {
check_workflows = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check that the workflows are up to date";
run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
}
];
};
};
}

32
workflows/eval-nodes.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib }:
let
inherit (lib) attrNames genAttrs;
nodes = attrNames (builtins.readDir ../machines);
in
{
name = "Build all the nodes";
on = {
pull_request.branches = [ "main" ];
push.branches = [ "main" ];
};
jobs = genAttrs nodes (node: {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Build and cache ${node}";
run = "nix-shell -A eval-nodes --run cache-node";
env = {
STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
STORE_USER = "admin";
STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
BUILD_NODE = node;
};
}
];
});
}

View file

@ -1,31 +1,24 @@
name: npins update
on:
schedule:
{
name = "npins update";
on.schedule = [
# Run at 11 o'clock every wednesday
- cron: "25 15 * * *"
{ cron = "25 15 * * *"; }
];
jobs:
npins_update:
runs-on: nix
steps:
# - name: Install applications
# run: apt-get update && apt-get install sudo
#
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
#
# - uses: https://github.com/cachix/install-nix-action@v22
# with:
# nix_path: nixpkgs=channel:nixos-unstable
jobs.npins_update = {
runs-on = "nix";
steps = [
{
uses = "actions/checkout@v3";
"with" = {
depth = 0;
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
};
}
# - name: Install tea
# run: |
# nix-env -f '<nixpkgs>' -i tea
- name: Update dependencies and open PR if necessary
run: |
{
name = "Update dependencies and open PR if necessary";
run = ''
npins update
if [ ! -z "$(git diff --name-only)" ]; then
@ -44,7 +37,7 @@ jobs:
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
-u https://git.dgnum.eu
# Create a pull request if needed
@ -56,3 +49,8 @@ jobs:
--head npins-update
fi
fi
'';
}
];
};
}

18
workflows/pre-commit.nix Normal file
View file

@ -0,0 +1,18 @@
{
name = "Run pre-commit on all files";
on = [
"push"
"pull_request"
];
jobs.check = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Run pre-commit on all files";
run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
}
];
};
}