Update build process, CI and docs

Fabian Hauser 2025-03-25 15:04:59 +02:00
parent cad4f35ee9
commit 172e4c37a3
5 changed files with 57 additions and 88 deletions


@ -1,8 +1,12 @@
name: CI name: CI
on: on:
push: push:
defaults:
run:
shell: nix develop --command bash -c "{0}"
env: env:
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }} CACHE_NAME: qois
CACHE_REPOSITORY: qois:qois-infrastructure
jobs: jobs:
build: build:
runs-on: nix runs-on: nix
@ -12,20 +16,20 @@ jobs:
with: with:
token: ${{ secrets.CI_TOKEN }} token: ${{ secrets.CI_TOKEN }}
lfs: false lfs: false
- name: Use attic cache - name: Setup Attic Cache
run: nix run .#cache use env:
- name: Build SERVER: https://attic.qo.is/
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
run: | run: |
nix build --max-jobs 12 --cores 12 attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
nix run .#cache push attic use "$CACHE_REPOSITORY"
- name: Run Checks - name: Run Builds and Checks
run: nix flake check run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
- name: Deploy Docs - name: Deploy Docs
if: success() && github.ref == 'refs/heads/main' if: success() && github.ref == 'refs/heads/main'
run: | run: |
mkdir ~/.ssh/ mkdir ~/.ssh/
echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
(umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519) (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
# Remote build might be neccessary due to non-wheel nix users signing restrictions. deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
# However, the build should come from the cache anyway. # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
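Review bot: The "Deploy Docs" step still writes `StrictHostKeyChecking no` for lindberg-webapps.backplane.net.qo.is before authenticating with the SSH_DEPLOY_KEY, so the runner will accept any host presenting itself as the deploy target and a network-position attacker can impersonate it and receive the pushed closure and the deploy session; since this step was touched, pin the host key instead, e.g. `printf "%s\n" "$DEPLOY_HOST_KEY" >> ~/.ssh/known_hosts` with the key supplied through a variable or secret, and drop the StrictHostKeyChecking line. The new "Setup Attic Cache" step passes the token as a command-line argument in `attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"`, which makes it visible in the process list on the runner for the duration of the call; if attic-client can read the token from the environment or stdin that would be preferable, otherwise this is worth a comment acknowledging the exposure. Note also that the workflow triggers on every push with no branch filter while only the deploy is gated on main, so `nix-fast-build --attic-cache` uploads outputs from any branch into the cache that main builds later consume; whether that matches the trust placed in non-main pushers is worth stating in a comment on the trigger. The build job's definition begins before this hunk.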


@ -11,61 +11,60 @@ Check out the current [rendered documentation](https://docs-ops.qo.is).
`nixos-modules`: Custom modules (e.g. for vpn and routers)\ `nixos-modules`: Custom modules (e.g. for vpn and routers)\
`private`: Private configuration values (like users, sops-encrypted secrets and keys) `private`: Private configuration values (like users, sops-encrypted secrets and keys)
## Building ## Development
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes) This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
- `nix build`\ - `nix flake check`\
Build all host configurations and docs Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md).
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
Build a single host configuration with
- `nix build .#docs`\
Build the documentation website
## Development - `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
Build a single host configuration.
- `nix build .#docs`\
Build the documentation website.
- `nix develop`\ - `nix develop`\
Development environment Development environment
- `nix flake check`\
Execute the project's checks
- `nix fmt`\ - `nix fmt`\
Autofix formatting Autofix formatting
### Working with the private submodule ### Secrets and `private` Submodule
To clone with submodules (if you have access): Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\
Make sure you have the submodule correctly available. To clone with submodules (if you have access):
```bash ```bash
git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
# See below for how to commit changes.
``` ```
On changes:
```bash
git add private
nix flake lock --update-input private
```
## Deployment
`nix run .#deploy-qois`
See [Deployment](deploy/README.md) for details.
## Secrets
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords), Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and `private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
`private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets). `private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
Usage: To modify secrets:
```bash ```bash
sops $file # To edit a file sops $file # To edit a file
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
``` ```
After changing secrets, don't forget to push the sub-repository and run After changing secrets:
`nix flake update private` in the infrastructure repository to use the changes in builds.
```bash
# Commit changes in subrepo
pushd private
git commit
git push
nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
popd
git add private
nix flake lock --update-input private
```
## Deployment
See [Deployment](deploy/README.md) for details.


@ -1,5 +1,13 @@
# Tests # Tests
`nix flake check` currently:
- builds all nixos-configurations
- builds all packages
- runs all [nixos-module tests](#module-tests)
- checks all deployment configurations
- checks repository formatting.
## Module Tests ## Module Tests
We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests). We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).


@ -29,7 +29,6 @@ in
pre-commit-check.enabledPackages pre-commit-check.enabledPackages
++ [ vscodium-with-extensions ] ++ [ vscodium-with-extensions ]
++ (with self.packages.${system}; [ ++ (with self.packages.${system}; [
cache
deploy-qois deploy-qois
sops sops
sops-rekey sops-rekey
@ -37,14 +36,15 @@ in
++ (with pkgs; [ ++ (with pkgs; [
attic-client attic-client
deploy-rs deploy-rs
jq
nix-fast-build
nixVersions.git nixVersions.git
nixd nixd
nixfmt-rfc-style nixfmt-rfc-style
nixos-anywhere nixos-anywhere
ssh-to-age
pssh pssh
ssh-to-age
yq yq
jq
]); ]);
LANG = "C.UTF-8"; LANG = "C.UTF-8";
LC_ALL = "C.UTF-8"; LC_ALL = "C.UTF-8";


@ -1,42 +0,0 @@
{
attic-client,
findutils,
gnugrep,
writeShellApplication,
...
}:
writeShellApplication {
name = "cache";
meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
runtimeInputs = [
attic-client
findutils
gnugrep
];
text = ''
SERVER="https://attic.qo.is/"
CACHE_NAME="qois"
CACHE_REPO="$CACHE_NAME:qois-infrastructure"
if [ -z "$ATTIC_AUTH_TOKEN" ]; then
echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
exit 3
fi
attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
case "$1" in
use)
attic use "$CACHE_REPO"
;;
watch)
attic watch-store "$CACHE_REPO"
;;
push)
RESULT_PATH="./result"
# Add build dependencies as well
nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)" | grep -v '\.drv$' \
| xargs attic push "$CACHE_REPO" "$RESULT_PATH"
;;
esac
'';
}