Nginx Nomad job, with Nix

2024-11-22 08:04:20 +01:00 · 2021-02-07 14:23:15 +01:00 · 2021-02-07 14:23:15 +01:00 · 17bc131266
parent 7b3ab825e3
commit 17bc131266
5 changed files with 249 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,58 @@
 bin/
+
+# Created by https://www.toptal.com/developers/gitignore/api/emacs
+# Edit at https://www.toptal.com/developers/gitignore?templates=emacs
+
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+ltximg/**
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+
+# directory configuration
+.dir-locals.el
+
+# network security
+/network-security.data
+
+
+# End of https://www.toptal.com/developers/gitignore/api/emacs
--- a/flake.nix
+++ b/flake.nix
@ -52,5 +52,9 @@
        }).config.services.mysql.dataDir;
    in {
      inherit flakes dockerImages containerTest;
+
+      nginx-test = import ./infrastructure/nginx-test {
+        inherit rlib inputs pkgs;
+      };
    };
 }
--- a/infrastructure/nginx-test/default.nix
+++ b/infrastructure/nginx-test/default.nix
@ -0,0 +1,10 @@
+{ pkgs, rlib, inputs }:
+let
+  lockedNixpkgs =
+    (builtins.fromJSON (builtins.readFile ../../flake.lock))
+      .nodes.nixpkgs.locked;
+in
+rlib.substitute pkgs.runCommandNoCC "nginx-test.hcl" ./job.hcl {
+  "nixpkgs.rev" = lockedNixpkgs.rev;
+  "nixpkgs.sha" = lockedNixpkgs.narHash;
+}
--- a/infrastructure/nginx-test/job.hcl
+++ b/infrastructure/nginx-test/job.hcl
@ -0,0 +1,166 @@
+job "nginx-test" {
+  datacenters = [ "homelab-1" ]
+  type = "service"
+
+  group "nginx-test" {
+    count = 1
+
+    network {
+      port "http" {
+	static = "8087"
+	to = "80"
+      }
+    }
+
+    task "nix-prestart" {
+      lifecycle {
+	hook = "prestart"
+	sidecar = false
+      }
+
+      driver = "raw_exec"
+
+      template {
+	data = <<EOF
+#!/usr/bin/env bash 
+
+_profile_dir=/nix/var/nix/profiles/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}
+_gcroots_dir=/nix/var/nix/gcroots/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}
+
+if [[ ! -d ${_profile_dir} ]]
+then
+    mkdir -p "${_profile_dir}"
+else
+    echo "${_profile_dir} exists when it shouldn't! Exiting..." ; exit 1
+fi
+
+if [[ ! -d ${_gcroots} ]]
+then
+    mkdir -p "${_gcroots_dir}"
+else
+    echo "${_gcroots_dir} exists when it shouldn't! Exiting..." ; exit 1
+fi
+
+/nix/var/nix/profiles/default/bin/nix-build "${NOMAD_TASK_DIR}/default.nix" -o "${_profile_dir}/system"
+
+EOF
+	destination = "/local/prepare.sh"
+      }
+
+      template {
+	data = <<EOF
+let
+  nixpkgs = builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/tarball/@nixpkgs.rev@";
+    sha256 = "@nixpkgs.sha@"; 
+  };
+  pkgs = import nixpkgs {};
+  nixosSystem = import /nix/store/v61f12269zsqsliilpl0jqwg8xsvbvai-nixpkgs-21.03pre268117.64c12484642/nixpkgs/nixos;
+  nspawn-init = pkgs.writeShellScriptBin "nspawn-init" ''
+    ${pkgs.bash}/bin/bash /nix/var/nix/profiles/system/activate
+    exec /nix/var/nix/profiles/system/sw/bin/init
+  '';
+in
+  (nixosSystem {
+    system = "x86_64-linux";
+    
+    configuration = _: {
+      boot.isContainer = true;
+      time.timeZone = "Europe/Bratislava";
+
+      environment.systemPackages = [
+        nspawn-init
+      ];
+
+      systemd.extraConfig = ''
+        DefaultStandardOutput=tty 
+      '';
+      
+      networking.firewall.enable = false;
+      services.nginx = { 
+        enable = true;
+      };
+    };
+  }).config.system.build.toplevel
+EOF
+	destination = "/local/default.nix"
+      }
+
+      config {
+	command = "bash"
+	args = [ "${NOMAD_TASK_DIR}/prepare.sh" ]
+      }
+    }
+
+    task "app" {
+      driver = "nspawn"
+
+      config {
+	image = "/nomad-nspawn-empty-dir"
+	resolv_conf = "off"
+
+	ephemeral = true
+
+	bind_read_only = {
+	  "/nix/store" = "/nix/store"
+	  "/nix/var/nix/db" = "/nix/var/nix/db"
+	  "/nix/var/nix/daemon-socket" = "/nix/var/nix/daemon-socket"
+	}
+
+	bind = {
+	  "/run/systemd/notify" = "/var/lib/provate/host-notify"
+	  "/nix/var/nix/profiles/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}":"/nix/var/nix/profiles"
+	  "/nix/var/nix/gcroots/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}":"/nix/var/nix/gcroots"
+	}
+
+	user_namespacing = false
+	boot = false
+
+	command = [
+	  "/nix/var/nix/profiles/system/sw/bin/bash",
+	  "/nix/var/nix/profiles/system/sw/bin/nspawn-init"
+	]
+
+	ports = ["http"]
+      }
+    }
+
+    task "nix-poststop" {
+      lifecycle {
+	hook = "poststop"
+	sidecar = false
+      }
+
+      driver = "raw_exec"
+
+      template {
+	data = <<EOF
+#!/usr/bin/env bash 
+
+_profile_dir=/nix/var/nix/profiles/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}
+_gcroots_dir=/nix/var/nix/gcroots/nomad/${NOMAD_GROUP_NAME}-${NOMAD_ALLOC_INDEX}
+
+if [[ -d ${_profile_dir} ]]
+then
+    rm -r ${_profile_dir}
+else
+    echo "${_profile_dir} does not exist! Exiting..." ; exit 1
+fi
+
+if [[ -d ${_gcroots_dir} ]]
+then
+    rm -r ${_gcroots_dir}
+else
+    echo "${_gcroots_dir} does not exist! Exiting..." ; exit 1
+fi
+EOF
+	destination = "/local/cleanup.sh"
+      }
+
+      config {
+	command = "bash"
+	args = [ "${NOMAD_TASK_DIR}/cleanup.sh" ]
+      }
+    }
+  }
+}
--- a/lib.nix
+++ b/lib.nix
@ -1,5 +1,16 @@
 { nixpkgs, pkgs, system, inputs }:
 with pkgs.lib; {
+  substitute = runCommand: name: inFile: vars: 
+    runCommand name {}
+      (let
+        varsStr = pkgs.lib.mapAttrsToList
+          (name: value: ''--subst-var-by "${name}" "${value}"'')
+          vars;
+      in
+        ''
+          substitute ${inFile} $out \
+          ${builtins.concatStringsSep " " varsStr}
+        '');
  flakes = path: modules: genAttrs modules (module:
    let
      self = (import (path + "/${module}/flake.nix")).outputs (inputs // { inherit self; });