Work on drone runner as VM

2022-05-30 14:57:05 +02:00 · 2022-05-30 14:57:05 +02:00 · d47d4e93ab
commit d47d4e93ab
parent 2d9adf82d0
9 changed files with 250 additions and 0 deletions
--- a/app/drone-ci/build/.gitignore
+++ b/app/drone-ci/build/.gitignore
@ -0,0 +1,2 @@
+result/
+*.qcow2.zst
--- a/app/drone-ci/build/Makefile
+++ b/app/drone-ci/build/Makefile
@ -0,0 +1,8 @@
+.PHONY: all
+
+all:
+	nix-build '<nixpkgs/nixos>' -A config.system.build.qcow2 --arg configuration "{ imports = [ ./build-qcow2.nix ]; }" --show-trace
+	zstd -7 -i result/nixos.qcow2 -o drone-runner.qcow2.zst -f
+	RESULTPATH=`readlink result`; rm result; nix-store --delete $$RESULTPATH
+	rclone copy drone-runner.qcow2.zst grgdf:alex/ -vv
+	
--- a/app/drone-ci/build/build-qcow2.nix
+++ b/app/drone-ci/build/build-qcow2.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports =
+    [ 
+      <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+      ./machine-config.nix
+    ];
+
+  system.build.qcow2 = import <nixpkgs/nixos/lib/make-disk-image.nix> {
+    inherit lib config;
+    pkgs = import <nixpkgs> { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
+    diskSize = 8192;
+    format = "qcow2";
+    configFile = pkgs.writeText "configuration.nix"
+      ''
+        {
+          imports = [ <./machine-config.nix> ];
+        }
+      '';
+  };
+}
--- a/app/drone-ci/build/machine-config.nix
+++ b/app/drone-ci/build/machine-config.nix
@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+{
+  imports = [
+    <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+  ];
+
+  config = {
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+      autoResize = true;
+    };
+
+    boot.growPartition = true;
+    boot.kernelParams = [ "console=ttyS0" ];
+    boot.loader.grub.device = "/dev/vda";
+    boot.loader.timeout = 0;
+
+    users.extraUsers.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
+    ];
+    services.openssh.enable = true;
+    services.openssh.permitRootLogin = "prohibit-password";
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 ];
+    };
+
+    virtualisation.docker.enable = true;
+    virtualisation.oci-containers.backend = "docker";
+    virtualisation.oci-containers.containers = {
+      drone_runner = {
+        image = "drone/drone-runner-docker:1.4.0";
+        volumes = [
+          "/nix:/nix"
+          "/var/run/docker.sock:/var/run/docker.sock"
+        ];
+        environment = {
+          DRONE_RPC_PROTO = "https";
+          DRONE_RPC_HOST = "drone.deuxfleurs.fr";
+          DRONE_RUNNER_CAPACITY = "1";
+          DRONE_DEBUG = "true";
+          DRONE_LOGS_TRACE = "true";
+          DRONE_RPC_DUMP_HTTP = "true";
+          DRONE_RPC_DUMP_HTTP_BODY = "true";
+          DRONE_RUNNER_LABELS = "nix:1";
+        };
+        environmentFiles = [
+          "/dev/qemu/dronesecret0"
+        ];
+      };
+      drone_gc = {
+        image = "drone/gc:latest";
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock"
+        ];
+        environment = {
+          GC_DEBUG = "true";
+          GC_CACHE = "10gb";
+          GC_INTERVAL = "10m";
+        };
+      };
+    };
+  };
+}
--- a/app/drone-ci/deploy/runner-insecure.hcl
+++ b/app/drone-ci/deploy/runner-insecure.hcl
@ -0,0 +1,91 @@
+job "drone-runner" {
+  datacenters = ["neptune"]
+  type = "system"
+
+  group "runner" {
+
+    task "populate-nix-store" {
+      lifecycle {
+        hook = "prestart"
+        sidecar = false
+      }
+
+      driver = "docker"
+      config {
+        image = "nixpkgs/nix:nixos-21.05"
+        command = "sh"
+        args = [
+          "-c", "cp -rv /nix/{store,var} /mnt/"
+        ]
+        volumes = [
+          "/var/lib/drone/nix:/mnt",
+        ]
+      }
+
+      resources {
+        memory = 100
+        cpu = 100
+      }
+    }
+
+    task "drone-runner" {
+      driver = "docker"
+      config {
+        image = "drone/drone-runner-docker:1.4.0"
+
+        volumes = [
+          "/var/lib/drone/nix:/nix",
+          "/var/run/docker.sock:/var/run/docker.sock"
+        ]
+      }
+
+      template {
+        data = <<EOH
+DRONE_RPC_PROTO=https
+DRONE_RPC_HOST=drone.deuxfleurs.fr
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_CAPACITY=1
+DRONE_DEBUG=true
+DRONE_LOGS_TRACE=true
+DRONE_RPC_DUMP_HTTP=true
+DRONE_RPC_DUMP_HTTP_BODY=true
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+DRONE_RUNNER_LABELS=nix:1
+EOH
+        destination = "secrets/env"
+        env = true
+      }
+
+      resources {
+        memory = 200
+        cpu = 100
+      }
+    }
+  
+    task "drone-gc" {
+      driver = "docker"
+      config {
+        image = "drone/gc:latest"
+
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock"
+        ]
+      }
+
+      template {
+        data = <<EOH
+GC_DEBUG=true
+GC_CACHE=10gb
+GC_INTERVAL=10m
+EOH
+        destination = "secrets/env"
+        env = true
+      }
+
+      resources {
+        memory = 100
+        cpu = 100
+      }
+    }
+  }
+}
--- a/app/drone-ci/deploy/runner-vm.hcl
+++ b/app/drone-ci/deploy/runner-vm.hcl
@ -0,0 +1,43 @@
+job "drone-runner" {
+  datacenters = ["neptune"]
+  type = "system"
+
+  group "runner-vm" {
+    network {
+      port "ssh" { }
+    }
+
+    task "drone-runner-vm" {
+      driver = "qemu"
+
+      config {
+        image_path = "local/drone-runner.qcow2"
+        accelerator = "kvm"
+        args = [
+          "-object", "secret,id=dronesecret0,file=secrets/secret_env"
+        ]
+        port_map {
+          ssh = 22
+        }
+      }
+
+      artifact {
+        source = "https://alex.web.deuxfleurs.fr/drone-runner.qcow2.zst"
+        destination = "local/drone-runner.qcow2"
+        mode = "file"
+      }
+
+      template {
+        data = <<EOH
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" | trimSpace }}
+DRONE_RUNNER_NAME={{ env "attr.unique.hostname" }}
+EOH
+        destination = "secrets/secret_env"
+      }
+
+      resources {
+        memory = 2000
+      }
+    }
+  }
+}
--- a/app/drone-ci/secrets/drone-ci/rpc_secret
+++ b/app/drone-ci/secrets/drone-ci/rpc_secret
@ -0,0 +1 @@
+USER Drone RPC secret
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@ -71,6 +71,8 @@ SystemMaxUse=1G
    docker-compose
    wireguard
    wesher
+    qemu
+    qemu_kvm
  ];

  programs.vim.defaultEditor = true;
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@ -151,6 +151,12 @@ in

    services.nomad.enable = true;
    services.nomad.package = pkgs.nomad_1_1;
+    services.nomad.extraPackages = [
+      pkgs.glibc
+      pkgs.zstd
+      pkgs.qemu
+      pkgs.qemu_kvm
+    ];
    services.nomad.settings =
      (if cfg.is_raft_server
      then { server = {
@ -201,6 +207,11 @@ in
              ];
            }
          ];
+          qemu = [
+            {
+              enabled = true;
+            }
+          ];
        }
      ];
    };