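name: "Run Colmena"
# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader treats it as the trigger key.
on:
  push:
    branches: [main]
  pull_request:
# Least privilege for GITHUB_TOKEN: nothing in this workflow writes through the token
# (checkout only needs read access), so a read-only token is enough for every job.
permissions:
  contents: read
# One run per workflow+ref: a newer push cancels the in-flight run for the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true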
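jobs:
  # Builds the closure for every node in the matrix. On main in the upstream repo the
  # result is also pushed to the attic binary cache so the deploy job can reuse it.
  build:
    name: Build
    strategy:
      matrix:
        runner: [ubuntu-24.04]
        node:
          - "tgsatan"
          - "blockmoths"
          - "vpn"
          - "@relay-amd64"
          - "@staging"
        include:
          - node: "@relay-arm"
            runner: ubuntu-24.04-arm
    runs-on: ${{ matrix.runner }}
    steps:
      # We use commit hashes for specifying versions here, so a malicious tag can't gain access to our secrets (At least while sha-1 collisions are rare, anyway)
      - name: Login to headscale
        uses: tailscale/github-action@8688eb839e58e6b25c1ae96cd99d1c173299b842 # Connect to headscale
        if: github.repository == 'tgstation-operations/infrastructure' && github.ref == 'refs/heads/main'
        with:
          authkey: ${{ secrets.TS_BUILD_AUTHKEY }}
          args: --login-server=https://vpn.tgstation13.org
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # Checkout the repository
      # Exactly one of the two "Install Nix" steps must run. This condition is the exact
      # complement of the "With Attic" one below: a fork's main branch (repository differs,
      # ref is main) previously matched neither step and the later nix commands failed.
      - name: Install Nix (Without Attic)
        if: github.repository != 'tgstation-operations/infrastructure' || github.ref != 'refs/heads/main'
        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # Install nix itself. We don't need to specify a channel since we're using flakes
        with:
          extra_nix_config: |
            accept-flake-config = true
            extra-substituters = https://nix-community.cachix.org
            extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
      - name: Install Nix (With Attic)
        if: github.repository == 'tgstation-operations/infrastructure' && github.ref == 'refs/heads/main'
        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
        with:
          extra_nix_config: |
            accept-flake-config = true
            extra-substituters = https://nix-community.cachix.org https://attic.tgstation13.org/tgstation-infrastructure
            extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= tgstation-infrastructure:aaSrfZGLWk7a+RtcX0NaFYkOs6E4QlJ+5MZ8padOt3o=
      - name: Setup attic Binary Cache
        if: github.repository == 'tgstation-operations/infrastructure' && github.ref == 'refs/heads/main'
        # Format for pointing to caches is server:cache in these commands
        # The token reaches the script through the environment instead of being
        # interpolated into the script text (GitHub's recommended pattern for secrets).
        env:
          ATTIC_JWT_TOKEN: ${{ secrets.ATTIC_JWT_TOKEN }}
        run: |
          nix profile install nixpkgs#attic-client
          attic login tgstation https://attic.tgstation13.org "$ATTIC_JWT_TOKEN"
      - name: Print nix config before Build
        run: nix config show
      # NOTE(review): `github:zhaofengli/colmena` and `nixpkgs#attic-client` above carry no
      # pinned revision, unlike the hash-pinned actions; pinning (e.g. `github:zhaofengli/colmena/<rev>`)
      # would extend the stated commit-hash policy to the tool that actually handles the closures.
      - name: Build closure
        run: nix run github:zhaofengli/colmena -- build --impure -v --eval-node-limit 2 --keep-result --on ${{ matrix.node }}
      - name: Push closure to attic
        if: github.repository == 'tgstation-operations/infrastructure' && github.ref == 'refs/heads/main'
        run: attic push tgstation:tgstation-infrastructure .gcroots/*
  # Applies the built closure to each node. Only runs on main in the upstream repo,
  # so the SSH key, VPN auth key and attic token are never exposed to other refs.
  deploy:
    name: Deploy
    needs: build
    if: ${{ github.repository == 'tgstation-operations/infrastructure' && github.ref == 'refs/heads/main' }}
    environment: ${{ matrix.environment }}
    # A failed deploy of one node does not mark the workflow run as failed;
    # the failure is only visible on the individual job. Confirm this is intended.
    continue-on-error: true
    strategy:
      matrix:
        runner: [ubuntu-24.04]
        node:
          - "tgsatan"
          - "blockmoths"
          - "vpn"
          - "@relay-amd64"
        environment:
          - production
        include:
          - runner: ubuntu-24.04-arm
            node: "@relay-arm"
            environment: production
          - runner: ubuntu-24.04
            node: "@staging"
            environment: staging
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Install private ssh key
        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # Install our ssh key. TODO: Replace with our own bash script
        with:
          key: ${{ secrets.COLMENA_SSH_KEY }}
          name: id_ed25519
          # Pinned host keys, so the deploy never trusts an unknown host on first connect.
          known_hosts: ${{ vars.COLMENA_KNOWN_HOSTS }}
      - name: Login to headscale
        uses: tailscale/github-action@8688eb839e58e6b25c1ae96cd99d1c173299b842 # Connect to headscale
        with:
          authkey: ${{ secrets.TS_AUTHKEY }}
          args: --login-server=https://vpn.tgstation13.org
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # Checkout the repository
      - name: Install Nix
        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # Install nix itself. We don't need to specify a channel since we're using flakes
        with:
          extra_nix_config: |
            accept-flake-config = true
            extra-substituters = https://nix-community.cachix.org https://attic.tgstation13.org/tgstation-infrastructure
            extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= tgstation-infrastructure:aaSrfZGLWk7a+RtcX0NaFYkOs6E4QlJ+5MZ8padOt3o=
      - name: Authenticate Attic Binary Cache
        # Same pattern as the build job: the secret is passed via env, not interpolated.
        env:
          ATTIC_JWT_TOKEN: ${{ secrets.ATTIC_JWT_TOKEN }}
        run: |
          nix profile install nixpkgs#attic-client
          attic login tgstation https://attic.tgstation13.org "$ATTIC_JWT_TOKEN"
      - name: Print nix config before Build
        run: nix config show
      # NOTE(review): unpinned flake ref, see the matching note in the build job.
      - name: Deploy closure to Nodes
        run: nix run github:zhaofengli/colmena -- apply --impure -v --on ${{ matrix.node }}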