Some random Concourse stuff

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2021-05-09 23:39:29 +02:00
parent 889e2c99e0
commit 41ae05b39b
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
5 changed files with 72 additions and 21 deletions


@ -107,13 +107,18 @@ fi
EOF
destination = "${NOMAD_SECRETS_DIR}/main.sh"
}
resources {
cpu = 3000
memory = 512
}
}
task "web" {
driver = "docker"
config {
image = "concourse/concourse@sha256:fa136abb336f2c2aed8d41d21b382d364c3387c24f3fdef15c720c292c9216d4"
image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
command = "web"
ports = ["http", "tsa"]
}
@ -129,34 +134,37 @@ EOF
template {
data = <<EOF
{{ with secret "kv/data/concourse/web" }}
CONCOURSE_ADD_LOCAL_USER={{ .Data.data.local_user_name }}:{{ .Data.data.local_user_pass }}
CONCOURSE_MAIN_TEAM_LOCAL_USER={{ .Data.data.local_user_name }}
{{ end }}
[[ with secret "kv/data/concourse/web" ]]
CONCOURSE_ADD_LOCAL_USER=[[ .Data.data.local_user_name ]]:[[ .Data.data.local_user_pass ]]
CONCOURSE_MAIN_TEAM_LOCAL_USER=[[ .Data.data.local_user_name ]]
[[ end ]]
CONCOURSE_SESSION_SIGNING_KEY={{ env "NOMAD_SECRETS_DIR" }}/session_signing_key
CONCOURSE_TSA_HOST_KEY={{ env "NOMAD_SECRETS_DIR" }}/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS={{ env "NOMAD_SECRETS_DIR" }}/authorized_worker_keys
CONCOURSE_SESSION_SIGNING_KEY=[[ env "NOMAD_SECRETS_DIR" ]]/session_signing_key
CONCOURSE_TSA_HOST_KEY=[[ env "NOMAD_SECRETS_DIR" ]]/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=[[ env "NOMAD_SECRETS_DIR" ]]/authorized_worker_keys
CONCOURSE_EXTERNAL_URL=http://blowhole.in.redalder.org:8019/
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PORT=5432
{{ with secret "kv/data/concourse/db" }}
CONCOURSE_POSTGRES_DATABASE={{ .Data.data.database }}
CONCOURSE_POSTGRES_USER={{ .Data.data.user }}
CONCOURSE_POSTGRES_PASSWORD={{ .Data.data.password }}
{{ end }}
[[ with secret "kv/data/concourse/db" ]]
CONCOURSE_POSTGRES_DATABASE=[[ .Data.data.database ]]
CONCOURSE_POSTGRES_USER=[[ .Data.data.user ]]
CONCOURSE_POSTGRES_PASSWORD=[[ .Data.data.password ]]
[[ end ]]
CONCOURSE_VAULT_URL=https://vault.in.redalder.org:8200/
CONCOURSE_VAULT_CA_CERT={{ env "NOMAD_SECRETS_DIR" }}/vault.crt
CONCOURSE_VAULT_PATH_PREFIX=/concourse/pipelines
CONCOURSE_VAULT_CA_CERT=[[ env "NOMAD_SECRETS_DIR" ]]/vault.crt
CONCOURSE_VAULT_PATH_PREFIX=kv/concourse/pipelines
CONCOURSE_VAULT_CLIENT_TOKEN={{ env "VAULT_TOKEN" }}
CONCOURSE_VAULT_CLIENT_TOKEN=[[ env "VAULT_TOKEN" ]]
CONCOURSE_VAULT_LOOKUP_TEMPLATES=/{{.Team}}/{{.Pipeline}}/{{.Secret}},/{{.Team}}/{{.Secret}}
EOF
destination = "${NOMAD_SECRETS_DIR}/data.env"
env = true
left_delimiter = "[["
right_delimiter = "]]"
}
template {
@ -193,6 +201,11 @@ EOF
change_mode = "signal"
change_signal = "SIGHUP"
}
resources {
cpu = 3000
memory = 512
}
}
}
}
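Review bot: The switch of the `data.env` template to `[[`/`]]` delimiters deserves a comment, because the reason is only visible if a reader notices that `CONCOURSE_VAULT_LOOKUP_TEMPLATES` keeps `{{.Team}}`, `{{.Pipeline}}` and `{{.Secret}}` in default braces — presumably so those Go-template placeholders reach Concourse unrendered rather than being expanded by Nomad. A line such as `# [[ ]] delimiters so the {{.Team}}/{{.Pipeline}}/{{.Secret}} placeholders in CONCOURSE_VAULT_LOOKUP_TEMPLATES are passed through to Concourse, not rendered here` above the `template {` stanza would record that. The same template also changes `CONCOURSE_VAULT_PATH_PREFIX` to `kv/concourse/pipelines`; a short comment tying it to the `kv/data/concourse/pipelines` policy path would help the next reader keep the two in sync. The enclosing task "web" continues outside the hunks shown.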


@ -4,6 +4,12 @@ job "concourse-ci-worker" {
group "svc" {
count = 1
constraint {
attribute = "${attr.unique.hostname}"
operator = "regexp"
value = "(heater|fractal)"
}
network {
mode = "bridge"
@ -13,7 +19,10 @@ job "concourse-ci-worker" {
driver = "docker"
config {
image = "concourse-vault-sidecar:local"
image = "magicrb/concourse-vault-runner@sha256:595011233c15e05ae23092cfb6e9fe0459d1c24fffc9bd519e5d32bec3b8e519"
args = [
"${NOMAD_TASK_DIR}/main.sh"
]
}
vault {
@ -33,13 +42,34 @@ EOF
env = true
destination = "${NOMAD_TASK_DIR}/data.env"
}
template {
data = <<EOF
if ! vault kv get kv/concourse/workers/{{ env "attr.unique.hostname" }} > /dev/null 2>&1
then
concourse generate-key -t ssh -f /worker_key
_worker_key="$(cat /worker_key)"
_worker_key_pub="$(cat /worker_key.pub)"
echo -e "$${_worker_key//$'\n'/\\\\n}" > /worker_key
echo -e "$${_worker_key_pub//$'\n'/\\\\n}" > /worker_key.pub
JSON_FMT='{"public_key":"%s","private_key":"%s"}'
printf "$JSON_FMT" "$(< /worker_key.pub)" "$(< /worker_key)" > secret.json
vault kv put kv/concourse/workers/{{ env "attr.unique.hostname" }} @secret.json
fi
EOF
destination = "${NOMAD_TASK_DIR}/main.sh"
}
}
task "worker" {
driver = "docker"
config {
image = "concourse/concourse@sha256:fa136abb336f2c2aed8d41d21b382d364c3387c24f3fdef15c720c292c9216d4"
image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
command = "worker"
privileged = true
}
@ -74,6 +104,14 @@ EOF
EOF
destination = "${NOMAD_SECRETS_DIR}/tsa_host_key.pub"
}
kill_timeout = "1h"
kill_signal = "SIGUSR2"
resources {
cpu = 32000
memory = 2048
}
}
}
}
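Review bot: In the new `main.sh` template the `if ! vault kv get … > /dev/null 2>&1` guard treats every failure — Vault unreachable, token not yet valid, permission denied — the same as "no key stored", so a transient error generates a fresh key pair and the following `vault kv put` overwrites the existing one, invalidating the public key the web task holds in its authorized worker keys. Writing with check-and-set, `vault kv put -cas=0 kv/concourse/workers/{{ env "attr.unique.hostname" }} @secret.json`, makes the write fail instead of clobbering when a version already exists, and a `set -e` at the top of the script stops an empty key pair from being uploaded if `concourse generate-key` fails. The private key also remains on the sidecar filesystem in `/worker_key` and `secret.json` after the upload; `rm -f /worker_key /worker_key.pub secret.json` at the end of the branch removes it. Whether the worker task later reads its key from Vault rather than from `/worker_key` is not visible in this hunk.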


@ -14,6 +14,6 @@ path "kv/data/concourse/db" {
capabilities = ["read"]
}
path "kv/data/concourse/pipelines/*" {
path "kv/data/concourse/pipelines/+/+/*" {
capabilities = ["read"]
}
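Review bot: The tightened glob `kv/data/concourse/pipelines/+/+/*` only matches paths with at least two fixed segments and a further `/` after `pipelines/`, but the web job in the first file section lists `/{{.Team}}/{{.Secret}}` as a second lookup template, which with the new prefix `kv/concourse/pipelines` resolves to a two-segment path of the form `kv/data/concourse/pipelines/<team>/<secret>` (constructed example; assumes Concourse inserts `data/` for the KV v2 mount) that this rule no longer allows. If team-wide secrets are meant to keep working, they need their own stanza, `path "kv/data/concourse/pipelines/+/*" { capabilities = ["read"] }` — which also covers everything the new rule matches, so the two should be reconciled rather than stacked. If the intent is instead to allow only per-pipeline secrets, drop the `/{{.Team}}/{{.Secret}}` template on the web side so each lookup does not first produce a denied request in the Vault audit log.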


@ -1,5 +1,5 @@
path "kv/data/concourse/workers/*" {
capabilities = ["read", "update", "delete"]
capabilities = ["read", "update", "delete", "create"]
}
path "kv/data/concourse/web" {
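Review bot: The added `create` capability is what lets the worker sidecar's first `vault kv put` succeed on a path that does not exist yet (KV v2 needs `create` for a new secret and `update` for an existing one); a comment recording that dependency keeps the grant from being trimmed later, e.g. `# create: the worker sidecar stores its key pair on first start (main.sh in the worker job)`. With `create` added the stanza now grants the full create/read/update/delete set on `workers/*` to every worker token, so any worker can read or replace another host's key; whether the Nomad-issued tokens here could be narrowed per hostname is not visible from this hunk.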


@ -45,7 +45,7 @@ jobs:
out=$(pwd)
cd src/nix
nix -v --log-format raw -L --experimental-features 'nix-command flakes' build --out-link $out/nix.tar.gz .#dockerImages.x86_64-linux.nix.build
nix -vv --log-format raw -L --experimental-features 'nix-command flakes' build --out-link $out/nix.tar.gz .#dockerImages.x86_64-linux.nix.build
- put: push-nix-image
params:
image: nix.tar.gz