Delete all of infrastructure

Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2021-05-09 23:40:07 +02:00
parent 41ae05b39b
commit 1ea74fa882
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
7 changed files with 0 additions and 423 deletions


@ -1,211 +0,0 @@
job "concourse-ci-web" {
datacenters = ["homelab-1"]
type = "service"
group "svc" {
count = 1
volume "concourse-ci-web-db" {
type = "csi"
source = "concourse-ci-web-db"
read_only = false
}
network {
mode ="bridge"
port "db" {
to = "5432"
}
port "http" {
static = "8019"
to = "8080"
}
port "tsa" {
static = "1922"
to = "2222"
}
}
service {
name = "concourse-web"
port = "http"
check {
type = "http"
path = "/"
interval = "2s"
timeout = "2s"
}
}
service {
name = "concourse-tsa"
port = "2222"
}
service {
name = "concourse-db"
port = "db"
}
task "db" {
driver = "docker"
config {
image = "postgresql:local"
ports = ["db"]
volumes = [
"secrets/main.sh:/data/scripts/main.sh",
]
}
volume_mount {
volume = "concourse-ci-web-db"
destination = "/data/postgresql"
read_only = false
}
vault {
policies = ["concourse-db-policy"]
}
template {
data = <<EOF
{{ with secret "kv/data/concourse/db" }}
USER={{ .Data.data.root_user }}
PASSWORD={{ .Data.data.root_password }}
{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/data.env"
env = true
}
template {
data = <<EOF
#!/usr/bin/env bash
env
{{ with secret "kv/data/concourse/db" }}
if process_psql -tc "SELECT 1 FROM pg_database WHERE datname = '{{ .Data.data.database }}'" | grep -q 1
then
process_psql -c "ALTER USER {{ .Data.data.user }} WITH PASSWORD '{{ .Data.data.password }}'";
else
process_psql -c "CREATE DATABASE {{ .Data.data.database }}"
process_psql -c "CREATE USER {{ .Data.data.user }} WITH ENCRYPTED PASSWORD '{{ .Data.data.password }}'"
process_psql -c "GRANT ALL PRIVILEGES ON DATABASE {{ .Data.data.database }} TO {{ .Data.data.user }}"
{{ end }}
echo "host all all all md5" >> /data/postgresql/pg_hba.conf
cat << EOD >> /data/postgresql/postgresql.conf
listen_addresses = '0.0.0.0'
password_encryption = md5
EOD
fi
EOF
destination = "${NOMAD_SECRETS_DIR}/main.sh"
}
resources {
cpu = 3000
memory = 512
}
}
task "web" {
driver = "docker"
config {
image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
command = "web"
ports = ["http", "tsa"]
}
vault {
policies = ["concourse-web-policy"]
}
restart {
attempts = 5
delay = "15s"
}
template {
data = <<EOF
[[ with secret "kv/data/concourse/web" ]]
CONCOURSE_ADD_LOCAL_USER=[[ .Data.data.local_user_name ]]:[[ .Data.data.local_user_pass ]]
CONCOURSE_MAIN_TEAM_LOCAL_USER=[[ .Data.data.local_user_name ]]
[[ end ]]
CONCOURSE_SESSION_SIGNING_KEY=[[ env "NOMAD_SECRETS_DIR" ]]/session_signing_key
CONCOURSE_TSA_HOST_KEY=[[ env "NOMAD_SECRETS_DIR" ]]/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=[[ env "NOMAD_SECRETS_DIR" ]]/authorized_worker_keys
CONCOURSE_EXTERNAL_URL=http://blowhole.in.redalder.org:8019/
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PORT=5432
[[ with secret "kv/data/concourse/db" ]]
CONCOURSE_POSTGRES_DATABASE=[[ .Data.data.database ]]
CONCOURSE_POSTGRES_USER=[[ .Data.data.user ]]
CONCOURSE_POSTGRES_PASSWORD=[[ .Data.data.password ]]
[[ end ]]
CONCOURSE_VAULT_URL=https://vault.in.redalder.org:8200/
CONCOURSE_VAULT_CA_CERT=[[ env "NOMAD_SECRETS_DIR" ]]/vault.crt
CONCOURSE_VAULT_PATH_PREFIX=kv/concourse/pipelines
CONCOURSE_VAULT_CLIENT_TOKEN=[[ env "VAULT_TOKEN" ]]
CONCOURSE_VAULT_LOOKUP_TEMPLATES=/{{.Team}}/{{.Pipeline}}/{{.Secret}},/{{.Team}}/{{.Secret}}
EOF
destination = "${NOMAD_SECRETS_DIR}/data.env"
env = true
left_delimiter = "[["
right_delimiter = "]]"
}
template {
data = <<EOF
{{ with secret "kv/data/concourse/web" }}{{ .Data.data.session_signing_key }}{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/session_signing_key"
}
template {
data = <<EOF
{{ with secret "kv/data/concourse/web" }}{{ .Data.data.tsa_host_key }}{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/tsa_host_key"
}
template {
data = <<EOF
{{ with secret "kv/data/concourse/web" }}{{ .Data.data.redalder_org_cert }}{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/vault.crt"
}
template {
data = <<EOF
{{ range secrets "kv/metadata/concourse/workers/" }}
{{ with secret (printf "kv/data/concourse/workers/%s" .) }}
{{ .Data.data.public_key }}
{{ end }}
{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/authorized_worker_keys"
change_mode = "signal"
change_signal = "SIGHUP"
}
resources {
cpu = 3000
memory = 512
}
}
}
}


@ -1,117 +0,0 @@
job "concourse-ci-worker" {
datacenters = ["homelab-1"]
type = "system"
group "svc" {
count = 1
constraint {
attribute = "${attr.unique.hostname}"
operator = "regexp"
value = "(heater|fractal)"
}
network {
mode = "bridge"
}
task "create-secret" {
driver = "docker"
config {
image = "magicrb/concourse-vault-runner@sha256:595011233c15e05ae23092cfb6e9fe0459d1c24fffc9bd519e5d32bec3b8e519"
args = [
"${NOMAD_TASK_DIR}/main.sh"
]
}
vault {
policies = ["concourse-worker-policy"]
}
lifecycle {
sidecar = false
hook = "prestart"
}
template {
data = <<EOF
HOST_HOSTNAME="{{ env "node.unique.name" }}"
VAULT_ADDR="https://vault.in.redalder.org:8200/"
EOF
env = true
destination = "${NOMAD_TASK_DIR}/data.env"
}
template {
data = <<EOF
if ! vault kv get kv/concourse/workers/{{ env "attr.unique.hostname" }} > /dev/null 2>&1
then
concourse generate-key -t ssh -f /worker_key
_worker_key="$(cat /worker_key)"
_worker_key_pub="$(cat /worker_key.pub)"
echo -e "$${_worker_key//$'\n'/\\\\n}" > /worker_key
echo -e "$${_worker_key_pub//$'\n'/\\\\n}" > /worker_key.pub
JSON_FMT='{"public_key":"%s","private_key":"%s"}'
printf "$JSON_FMT" "$(< /worker_key.pub)" "$(< /worker_key)" > secret.json
vault kv put kv/concourse/workers/{{ env "attr.unique.hostname" }} @secret.json
fi
EOF
destination = "${NOMAD_TASK_DIR}/main.sh"
}
}
task "worker" {
driver = "docker"
config {
image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
command = "worker"
privileged = true
}
vault {
policies = ["concourse-worker-policy"]
}
template {
data = <<EOF
CONCOURSE_WORK_DIR=/opt/concourse/worker
CONCOURSE_TSA_HOST=10.64.1.201:1922
CONCOURSE_TSA_PUBLIC_KEY={{ env "NOMAD_SECRETS_DIR" }}/tsa_host_key.pub
CONCOURSE_TSA_WORKER_PRIVATE_KEY={{ env "NOMAD_SECRETS_DIR" }}/worker.key
EOF
env = true
destination = "${NOMAD_SECRETS_DIR}/data.env"
}
template {
data = <<EOF
{{ with secret (printf "kv/data/concourse/workers/%s" (env "node.unique.name") ) }}
{{ .Data.data.private_key }}
{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/worker.key"
}
template {
data = <<EOF
{{ with secret "kv/data/concourse/web" }}{{ .Data.data.tsa_host_key_pub }}{{ end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/tsa_host_key.pub"
}
kill_timeout = "1h"
kill_signal = "SIGUSR2"
resources {
cpu = 32000
memory = 2048
}
}
}
}


@ -1,3 +0,0 @@
path "kv/data/concourse/db" {
capabilities = ["read"]
}


@ -1,19 +0,0 @@
path "kv/data/concourse/workers/*" {
capabilities = ["read"]
}
path "kv/metadata/concourse/workers" {
capabilities = ["list"]
}
path "kv/data/concourse/web" {
capabilities = ["read"]
}
path "kv/data/concourse/db" {
capabilities = ["read"]
}
path "kv/data/concourse/pipelines/+/+/*" {
capabilities = ["read"]
}


@ -1,7 +0,0 @@
path "kv/data/concourse/workers/*" {
capabilities = ["read", "update", "delete", "create"]
}
path "kv/data/concourse/web" {
capabilities = ["read"]
}


@ -1,15 +0,0 @@
type = "csi"
id = "concourse-ci-web-db"
name = "concourse-ci-web-db"
plugin_id = "nfs"
access_mode = "single-node-writer"
attachment_mode = "file-system"
context {
server = "blowhole.in.redalder.org"
share = "/concourse-ci-web-db"
}
mount_options {
fs_type = "nfs"
}


@ -1,51 +0,0 @@
---
resources:
- name: dotfiles-git
type: git
icon: github
source:
uri: https://github.com/MagicRB/dotfiles.git
- name: nix-image
type: registry-image
icon: docker
source:
repository: magicrb/nix
tag: latest
- name: push-nix-image
type: registry-image
icon: docker
source:
repository: magicrb/nix
username: magicrb
password: ((docker_hub.magicrb_token))
jobs:
- name: test-build
public: true
plan:
- get: dotfiles-git
trigger: true
params: { submodules: none }
- get: nix-image
trigger: false
- task: build
image: nix-image
config:
platform: linux
inputs:
- name: dotfiles-git
path: src/
run:
path: /bin/entrypoint.sh
args:
- -c
- |
out=$(pwd)
cd src/nix
nix -vv --log-format raw -L --experimental-features 'nix-command flakes' build --out-link $out/nix.tar.gz .#dockerImages.x86_64-linux.nix.build
- put: push-nix-image
params:
image: nix.tar.gz