qo.is/infrastructure
3
0
Fork 0
Code Issues 12 Pull requests 1 Projects 1 Activity Actions

Compare commits

base: qo.is:5c88f24f8e7153928ef355866af86789d4e188d0
Branches Tags
qo.is:main
qo.is:auto-deploy-physical-hosts
qo.is:18-caral
..
compare: qo.is:cb25445e2363ccf07c34ee0b1394f31b986e3968
Branches Tags
qo.is:main
qo.is:auto-deploy-physical-hosts
qo.is:18-caral

1 commit
5c88f24f8e ... cb25445e23

Author SHA1 Message Date
Fabian Hauser
cb25445e23 WIP: Create script to deploy in CI
All checks were successful
CI / build (push) Successful in 5m3s
Details
2025-04-19 16:22:20 +03:00
8 changed files with 29 additions and 92 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.github/workflows/ci.yml vendored
View file

@ -25,17 +25,11 @@ jobs:
attic use "$CACHE_REPOSITORY" attic use "$CACHE_REPOSITORY"
- name: Run Builds and Checks - name: Run Builds and Checks
run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY" run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
deploy: - name: Deploy Docs
needs: build if: success() && github.ref == 'refs/heads/main'
if: success() && github.ref == 'refs/heads/54-deploy-vms-automatically' run: |
runs-on: nix mkdir ~/.ssh/
env: echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}" (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
strategy: deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
matrix: # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
profile:
- docs-ops.qo.is
- system-vm
steps:
- name: "Deploy Profile ${{ matrix.profile }}"
run: "auto-deploy ${{ matrix.profile }}"

13
deploy/README.md
View file

@ -6,17 +6,12 @@ and that you need to have SSH root access to the target machines.
## Deploy system categories ## Deploy system categories
We currently split out nixosConfigurations into these categories: This is also used in CI.
- `system-ci`: Systems should be updated separately because they might break automated deployment processes.
- `system-vm`: Virtual systems.
- `system-physical`: Physical systems.
You can roll updates with retries by category with:
```bash ```bash
auto-deploy system-vm
auto-deploy system-physical auto-deploy vm
auto-deploy physical
``` ```
## Deploy to selected target hosts ## Deploy to selected target hosts

1
deploy/docs-ops/default.nix
View file

@ -12,6 +12,5 @@ in
sshUser = "nginx-${domain}"; sshUser = "nginx-${domain}";
path = deployPkgs.deploy-rs.lib.activate.noop self.packages.${system}.docs; path = deployPkgs.deploy-rs.lib.activate.noop self.packages.${system}.docs;
profilePath = "/var/lib/nginx-${domain}/root"; profilePath = "/var/lib/nginx-${domain}/root";
remoteBuild = true;
}; };
} }

27
deploy/system-ci/default.nix
View file

@ -1,27 +0,0 @@
{
deployPkgs,
pkgs,
self,
...
}:
let
inherit (pkgs.lib) pipe filterAttrs mapAttrs;
in
{
nodes = pipe self.nixosConfigurations [
(filterAttrs (_n: v: v.config.qois.git-ci-runner.enable))
(mapAttrs (
host: config: {
hostname = "${host}.backplane.net.qo.is";
profiles.system-ci = {
sshUser = "root";
user = "root";
activationTimeout = 300;
confirmTimeout = 60;
remoteBuild = true;
path = deployPkgs.deploy-rs.lib.activate.nixos config;
};
}
))
];
}

2
deploy/system-physical/default.nix
View file

@ -9,7 +9,7 @@ let
in in
{ {
nodes = pipe self.nixosConfigurations [ nodes = pipe self.nixosConfigurations [
(filterAttrs (_n: v: !v.config.services.qemuGuest.enable && !v.config.qois.git-ci-runner.enable)) (filterAttrs (_n: v: v.config.services.qemuGuest.enable == false))
(mapAttrs ( (mapAttrs (
host: config: { host: config: {
hostname = "${host}.backplane.net.qo.is"; hostname = "${host}.backplane.net.qo.is";

2
deploy/system-vm/default.nix
View file

@ -9,7 +9,7 @@ let
in in
{ {
nodes = pipe self.nixosConfigurations [ nodes = pipe self.nixosConfigurations [
(filterAttrs (_n: v: v.config.services.qemuGuest.enable && !v.config.qois.git-ci-runner.enable)) (filterAttrs (_n: v: v.config.services.qemuGuest.enable))
(mapAttrs ( (mapAttrs (
host: config: { host: config: {
hostname = "${host}.backplane.net.qo.is"; hostname = "${host}.backplane.net.qo.is";

46
packages/auto-deploy/script.bash
View file

@ -3,42 +3,25 @@
#### Environment #### Environment
FLAKE_ROOT="$(git rev-parse --show-toplevel)" FLAKE_ROOT="$(git rev-parse --show-toplevel)"
export PROFILE="${1:-}" export PROFILE=""
if [ -z "${PROFILE}" ]; then case "${1:-''}" in
echo "🛑 Error: No deployment profile was specified as first parameter (e.g. \"${0} system-vm\")" 1>&2 vm | physical)
PROFILE="system-$1"
;;
*)
echo "🛑 Error: Please use 'vm' or 'physical' as first parameter."
exit 1 exit 1
fi ;;
esac
if [ -z "${SSH_DEPLOY_KEY:-}" ]; then HOSTS=$(nix eval --raw "$FLAKE_ROOT"#deploy.nodes --apply "
echo " Info: SSH_DEPLOY_KEY env variable was not set, ignoring."
SSH_KEY_FILE_ARG=""
else
TEMP_KEY_FILE=$(mktemp /dev/shm/ssh_deploy_key.XXXXXXXX)
touch "${TEMP_KEY_FILE}" && chmod 600 "${TEMP_KEY_FILE}"
printf "%s\n" "${SSH_DEPLOY_KEY}" >"${TEMP_KEY_FILE}"
SSH_KEY_FILE_ARG="-i ${TEMP_KEY_FILE}"
# Set up a trap to remove the temporary key file on script exit
trap 'rm -f "${TEMP_KEY_FILE}"' EXIT
trap 'rm -f "${TEMP_KEY_FILE}"' SIGINT
trap 'rm -f "${TEMP_KEY_FILE}"' SIGTERM
trap 'rm -f "${TEMP_KEY_FILE}"' SIGQUIT
fi
HOSTS=$(nix eval --raw "${FLAKE_ROOT}"#deploy.nodes --apply "
nodes: let nodes: let
inherit (builtins) attrNames filter concatStringsSep; inherit (builtins) attrNames filter concatStringsSep;
names = attrNames nodes; names = attrNames nodes;
profile = \"${PROFILE}\"; profile = \"$PROFILE\";
filteredNames = filter (name: nodes.\${name}.profiles ? \${profile}) names; filteredNames = filter (name: nodes.\${name}.profiles ? \${profile}) names;
in concatStringsSep \"\\n\" filteredNames in concatStringsSep \"\\n\" filteredNames
") ")
if [ -z "$HOSTS" ]; then
echo "🛑 Error: No deployments matching the profile ${PROFILE} were found." 1>&2
exit 1
fi
KNOWN_HOSTS_FILE=$(nix eval --raw .#nixosConfigurations.lindberg.config.environment.etc."ssh/ssh_known_hosts".source)
#### Helpers #### Helpers
retry() { retry() {
@ -47,7 +30,7 @@ retry() {
local -i attempt_num=1 local -i attempt_num=1
until "$@"; do until "$@"; do
if ((attempt_num == max_attempts)); then if ((attempt_num == max_attempts)); then
echo "🛑 Error: Attempt $attempt_num failed and there are no more attempts left!" 1>&2 echo "⚠️ Warning: Attempt $attempt_num failed and there are no more attempts left!"
return 1 return 1
else else
echo "⚠️ Attempt $attempt_num failed! Trying again in $attempt_num seconds..." echo "⚠️ Attempt $attempt_num failed! Trying again in $attempt_num seconds..."
@ -58,8 +41,5 @@ retry() {
#### Execution #### Execution
for HOST in $HOSTS; do for HOST in $HOSTS; do
retry 3 deploy \ retry 3 deploy --skip-checks --targets "${FLAKE_ROOT}#${HOST}.${PROFILE}"
--skip-checks \
--ssh-opts "-o UserKnownHostsFile=${KNOWN_HOSTS_FILE} ${SSH_KEY_FILE_ARG:-''}" \
--targets "${FLAKE_ROOT}#\"${HOST}\".\"${PROFILE}\""
done done

8
updates.md
View file

@ -22,14 +22,10 @@ Deploy updates:
nix develop nix develop
# Deploy vms # Deploy vms
auto-deploy system-vm auto-deploy vm
# Deploy CI hosts
auto-deploy system-ci
# Deploy physical hosts # Deploy physical hosts
auto-deploy system-physical auto-deploy physical
``` ```