author | EuAndreh <eu@euandre.org> | 2023-04-01 11:21:23 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2023-04-01 12:04:31 -0300 |
commit | af3075ec3d2e9e3a568e6b159a165298fa7851eb (patch) | |
tree | 38fa6158f75aa028f509641dae38139fd27b5621 | |
parent | system.scm: Allow "git" to run mkdir(1) as "deployer" (diff) | |
download | toph-af3075ec3d2e9e3a568e6b159a165298fa7851eb.tar.gz toph-af3075ec3d2e9e3a568e6b159a165298fa7851eb.tar.xz |
WIP Git Guix shell
Notes
See CI logs with:
git notes --ref=refs/notes/ci-logs show af3075ec3d2e9e3a568e6b159a165298fa7851eb
git notes --ref=refs/notes/ci-data show af3075ec3d2e9e3a568e6b159a165298fa7851eb
Exit status: 0
Duration: 18
-rw-r--r-- | src/infrastructure/guix/system.scm | 3 | ||||
-rwxr-xr-x | src/infrastructure/scripts/cicd.sh | 154 |
2 files changed, 156 insertions, 1 deletions
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm
index dcf781b..18fb57b 100644
--- a/src/infrastructure/guix/system.scm
+++ b/src/infrastructure/guix/system.scm
@@ -284,7 +284,7 @@
 %wheel ALL= ALL
 %become-deployer ALL=(deployer) NOPASSWD: ALL
 %become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm
-git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure
+git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure, /run/current-system/profile/bin/cicd
 git ALL=(deployer) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/mkdir
 "#))
 (packages
@@ -315,6 +315,7 @@
 (list packages:servers
 (script "gc" (file "src/infrastructure/scripts/gc.sh"))
+(script "cicd" (file "src/infrastructure/scripts/cicd.sh"))
 (script "check" (file "src/infrastructure/scripts/check.sh"))
 (script "backup" (file "src/infrastructure/scripts/backup.sh"))
 (script "deploy" (file "src/infrastructure/scripts/deploy.sh"))
diff --git a/src/infrastructure/scripts/cicd.sh b/src/infrastructure/scripts/cicd.sh
new file mode 100755
index 0000000..662abd5
--- /dev/null
+++ b/src/infrastructure/scripts/cicd.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+set -eu
+
+usage() {
+ cat <<-'EOF'
+ Usage:
+ cicd [-n] NAME [SHA]
+ cicd -h
+ EOF
+}
+
+help() {
+ cat <<-'EOF'
+
+
+ Options:
+ -n build the system, but don't switch to it (dry-run)
+ -h, --help show this message
+
+ NAME the name of the project
+ SHA the repository SHA to checkout (default: main)
+
+
+ Run a "guix system reconfigure" as root via "sudo -i". If a -U
+ flag is given, perform a "guix pull" (in root profile) prior to
+ the reconfigure. The user must be able to become the "deployer"
+ user, either via "sudo reconfigure" or by being member of the
+ "become-deployer" group.
+
+
+ Examples:
+
+ Reconfigure the system:
+
+ $ reconfigure
+
+
+ Build the system on a custom SHA, but don't switch to it:
+
+ $ reconfigure -n 916dafc092f797349a54515756f2c8e477326511
+
+
+ Update and upgrade:
+
+ $ reconfigure -U
+ EOF
+}
+
+
+for flag in "$@"; do
+ case "$flag" in
+ --)
+ break
+ ;;
+ --help)
+ usage
+ help
+ exit
+ ;;
+ *)
+ ;;
+ esac
+done
+
+DRY_RUN=false
+while getopts 'nh' flag; do
+ case "$flag" in
+ n)
+ DRY_RUN=true
+ ;;
+ h)
+ usage
+ help
+ exit
+ ;;
+ *)
+ usage >&2
+ exit 2
+ ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+NAME="${1:-}"
+SHA="${2:-main}"
+REPO="/srv/git/$NAME.git"
+
+if [ -z "$NAME" ]; then
+ printf 'Missing NAME.\n\n' >&2
+ usage >&2
+ exit 2
+fi
+
+if [ "$(id -un)" != 'root' ]; then
+ printf 'This script must be run as root.\n\n' >&2
+ usage >&2
+ exit 2
+fi
+
+
+set +eu
+# shellcheck source=/dev/null
+. /etc/rc
+set -eu
+
+
+uuid() {
+ od -xN20 /dev/urandom |
+ head -n1 |
+ awk '{OFS="-"; print $2$3,$4,$5,$6,$7$8$9}'
+}
+
+tmpname() {
+ printf '%s/uuid-tmpname with spaces.%s' "${TMPDIR:-/tmp}" "$(uuid)"
+}
+
+mkdtemp() {
+ name="$(tmpname)"
+ mkdir -- "$name"
+ printf '%s' "$name"
+}
+
+
+TMP="$(mkdtemp)"
+trap 'rm -rf "$TMP"' EXIT
+
+
+set -x
+chown deployer:deployer "$TMP"
+cd "$TMP"
+sudo -u deployer git clone "$REPO" .
+sudo -u deployer --preserve-env=GIT_CONFIG_GLOBAL git checkout "$SHA"
+guix system describe
+
+if [ -f manifest.scm ]; then
+ guix shell -Cv3 -m manifest.scm -- make dev
+else
+ sudo -u deployer make dev
+fi
+
+if [ "$DRY_RUN" = false ]; then
+ # COMMENT: pre-receive is always running the previous version!
+ # The same is true for the reconfigure script itself.
+ sudo cp description "$REPO"/description
+ sudo cp aux/ci/git-pre-receive.sh "$REPO"/hooks/pre-receive
+
+ sudo -u deployer rsync \
+ --delete \
+ --chmod=D775,F664 \
+ --chown=deployer:deployer \
+ --exclude 'ci/*' \
+ -a \
+ public/ /srv/www/s/"$NAME"/
+fi |
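Review bot: NAME reaches `REPO="/srv/git/$NAME.git"` and the `rsync --delete` destination `/srv/www/s/"$NAME"/` with only an emptiness check, although the sudoers line added in system.scm lets the `git` account run this script as root with any argument list; reject anything that is not a plain directory component before use, e.g. `case "$NAME" in ''|*/*|.*) printf 'Invalid NAME.\n\n' >&2; usage >&2; exit 2 ;; esac` followed by `[ -d "$REPO" ] || exit 2`. The `manifest.scm` branch also runs `guix shell` as root while the else branch drops to deployer; `guix shell -m` evaluates that file as Scheme in the invoking user's guix process, so the checked-out SHA gets to run code as root before the container starts — consider `sudo -u deployer guix shell -Cv3 -m manifest.scm -- make dev` for parity with the other branch. The `sudo` prefixes on the two `cp` lines are redundant once the root check has passed. Finally, `help()` still describes `reconfigure`, `sudo -i` and a `-U` flag that this script does not accept; rewrite that heredoc to document `-n`, NAME and SHA for `cicd`.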