From 8fdffdf12f79041e65d42b715965a95578c0a724 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 17 Mar 2024 11:35:07 +0100 Subject: [PATCH] prod: remove drone-ci --- .../prod/app/drone-ci/config/litestream.yml | 10 -- cluster/prod/app/drone-ci/deploy/server.hcl | 138 ------------------ .../prod/app/drone-ci/integration/README.md | 69 --------- .../drone-ci/integration/docker-compose.yml | 54 ------- .../prod/app/drone-ci/integration/nix.conf | 9 -- cluster/prod/app/drone-ci/secrets.toml | 48 ------ cluster/staging/known_hosts | 3 + 7 files changed, 3 insertions(+), 328 deletions(-) delete mode 100644 cluster/prod/app/drone-ci/config/litestream.yml delete mode 100644 cluster/prod/app/drone-ci/deploy/server.hcl delete mode 100644 cluster/prod/app/drone-ci/integration/README.md delete mode 100644 cluster/prod/app/drone-ci/integration/docker-compose.yml delete mode 100644 cluster/prod/app/drone-ci/integration/nix.conf delete mode 100644 cluster/prod/app/drone-ci/secrets.toml
diff --git a/cluster/prod/app/drone-ci/config/litestream.yml b/cluster/prod/app/drone-ci/config/litestream.yml
deleted file mode 100644
index 813c824..0000000
--- a/cluster/prod/app/drone-ci/config/litestream.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-dbs:
- - path: /ephemeral/drone.db
- replicas:
- - url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
- region: garage
- endpoint: https://garage.deuxfleurs.fr
- access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
- secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
- force-path-style: true
- sync-interval: 60s
diff --git a/cluster/prod/app/drone-ci/deploy/server.hcl b/cluster/prod/app/drone-ci/deploy/server.hcl
deleted file mode 100644
index 99e95f6..0000000
--- a/cluster/prod/app/drone-ci/deploy/server.hcl
+++ /dev/null
@@ -1,138 +0,0 @@ -job "drone-ci" { - datacenters = ["neptune", "scorpio"] - type = "service" - - group "server" { - count = 1 - - network { - port "web_port" { - to = 80 - } - } - - task "restore-db" { - lifecycle { - hook = "prestart" - sidecar = false - } - - driver = "docker" - config { - image = "litestream/litestream:0.3.9" - args = [ - "restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db" - ] - volumes = [ - "../alloc/data:/ephemeral", - "secrets/litestream.yml:/etc/litestream.yml" - ] - } - - template { - data = file("../config/litestream.yml") - destination = "secrets/litestream.yml" - } - - resources { - memory = 200 - cpu = 100 - } - } - - task "drone_server" { - driver = "docker" - config { - image = "drone/drone:2.14.0" - ports = [ "web_port" ] - - volumes = [ - "../alloc/data:/ephemeral", - ] - } - - template { - data = < /dev/null -apt-get update -apt-get install -y docker-ce docker-ce-cli containerd.io - -curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose -chmod +x /usr/local/bin/docker-compose -``` - -## Install the runner - -*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.* - - -```bash -wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf -wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml - -# Edit the docker-compose.yml to adapt its variables to your needs, -# especially the capacitiy value and its name. -COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d -``` - -That's all folks. 
- -## Check if a given job is built by your runner - -```bash -export URL=https://drone.deuxfleurs.fr -export REPO=Deuxfleurs/garage -export BUILD=1312 -curl ${URL}/api/repos/${REPO}/builds/${BUILD} \ - | jq -c '[.stages[] | { name: .name, machine: .machine }]' -``` - -It will give you the following result: - -```json -[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}] -``` - -## Random note - -*This part might be deprecated!* - -This setup is done mainly to allow nix builds with some cache. -To use the cache in Drone, you must set your repository as trusted. -The command line tool does not work (it says it successfully set your repository as trusted but it did nothing): -the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true. - diff --git a/cluster/prod/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml deleted file mode 100644 index 41938c2..0000000 --- a/cluster/prod/app/drone-ci/integration/docker-compose.yml +++ /dev/null 
@@ -1,54 +0,0 @@
-version: '3.4'
-services:
- nix-daemon:
- image: nixpkgs/nix:nixos-22.05
- restart: always
- command: nix-daemon
- privileged: true
- volumes:
- - "nix:/nix"
- - "./nix.conf:/etc/nix/nix.conf:ro"
-
- drone-runner:
- image: drone/drone-runner-docker:1.8.2
- restart: always
- environment:
- - DRONE_RPC_PROTO=https
- - DRONE_RPC_HOST=drone.deuxfleurs.fr
- - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=3
- - DRONE_DEBUG=true
- - DRONE_LOGS_TRACE=true
- - DRONE_RPC_DUMP_HTTP=true
- - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- - DRONE_RUNNER_LABELS=nix-daemon:1
- # we should put "nix:/nix:ro but it is not supported by
- # drone-runner-docker because the dependency envconfig does
- # not support having two colons (:) in the same stanza.
- # Without the RO flag (or using docker userns), build isolation
- # is broken.
- # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
- # https://github.com/kelseyhightower/envconfig/pull/153
- #
- # A workaround for isolation is to configure docker with a userns,
- # so even if the folder is writable to root, it is not to any non
- # privileged docker daemon ran by drone!
- - DRONE_RUNNER_VOLUMES=drone_nix:/nix
- - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
- ports:
- - "3000:3000/tcp"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-
- drone-gc:
- image: drone/gc:latest
- restart: always
- environment:
- - GC_DEBUG=true
- - GC_CACHE=10gb
- - GC_INTERVAL=10m
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
-volumes:
- nix:
@@ -1,9 +0,0 @@
-substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
-max-jobs = auto
-cores = 0
-log-lines = 200
-filter-syscalls = true
-sandbox = true
-keep-outputs = true
-keep-derivations = true
diff --git a/cluster/prod/app/drone-ci/secrets.toml b/cluster/prod/app/drone-ci/secrets.toml
deleted file mode 100644
index ac07926..0000000
--- a/cluster/prod/app/drone-ci/secrets.toml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Drone's secrets
-
-[secrets."drone-ci/rpc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it would break all runners
-
-[secrets."drone-ci/cookie_secret"]
-type = 'command'
-rotate = true
-command = 'openssl rand -hex 16'
-
-[secrets."drone-ci/db_enc_secret"]
-type = 'command'
-command = 'openssl rand -hex 16'
-# don't rotate, it is used to encrypt data which we would lose if we change this
-
-
-# Oauth config for gitea
-
-[secrets."drone-ci/oauth_client_secret"]
-type = 'user'
-description = 'OAuth client secret (for gitea)'
-
-[secrets."drone-ci/oauth_client_id"]
-type = 'user'
-description = 'OAuth client ID (on Gitea)'
-
-
-# S3 config for Git LFS storage
-
-[secrets."drone-ci/s3_db_bucket"]
-type = 'constant'
-value = 'drone-db'
-
-[secrets."drone-ci/s3_sk"]
-type = 'user'
-description = 'S3 (garage) secret key for Drone'
-
-[secrets."drone-ci/s3_ak"]
-type = 'user'
-description = 'S3 (garage) access key for Drone'
-
-[secrets."drone-ci/s3_storage_bucket"]
-type = 'constant'
-value = 'drone-storage'
-
-
diff --git a/cluster/staging/known_hosts b/cluster/staging/known_hosts
index d4cca40..feb244e 100644
--- a/cluster/staging/known_hosts
+++ b/cluster/staging/known_hosts
@@ -12,3 +12,6 @@ df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeeh
 192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
 2a01:cb05:911e:ec00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
 piranha.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
+df-pw5.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH
+origan.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
+caribou.machine.staging.deuxfleurs.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
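Review bot: The three added staging host keys carry no record of how they were verified, and they ride along in a commit whose subject is `prod: remove drone-ci`; since a pinned known_hosts is exactly what the deploy SSH trusts, an entry copied from an unverified first connection would pin an attacker's key rather than reject it. The df-pw5 line is consistent with the key already recorded for `df-pw5.machine.deuxfleurs.fr` in the hunk's context, so that one looks like the same host under a second name, but nothing visible here cross-checks origan or caribou. I would land this in its own commit whose message names the source the fingerprints were checked against, or precede the entries with a comment line OpenSSH accepts, such as `# staging hosts: keys verified out-of-band (source: ...)`, filled in with whatever was actually done.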