authorEuAndreh <eu@euandre.org>2023-04-01 11:21:23 -0300
committerEuAndreh <eu@euandre.org>2023-04-01 12:04:31 -0300
commitaf3075ec3d2e9e3a568e6b159a165298fa7851eb (patch)
tree38fa6158f75aa028f509641dae38139fd27b5621
parentsystem.scm: Allow "git" to run mkdir(1) as "deployer" (diff)
WIP Git Guix shell
Notes
See CI logs with: git notes --ref=refs/notes/ci-logs show af3075ec3d2e9e3a568e6b159a165298fa7851eb git notes --ref=refs/notes/ci-data show af3075ec3d2e9e3a568e6b159a165298fa7851eb Exit status: 0 Duration: 18
-rw-r--r--src/infrastructure/guix/system.scm3
-rwxr-xr-xsrc/infrastructure/scripts/cicd.sh154
2 files changed, 156 insertions, 1 deletions
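--- a/src/infrastructure/guix/system.scm
+++ b/src/infrastructure/guix/system.scm
@@ -284,7 +284,7 @@
 %wheel ALL= ALL
 %become-deployer ALL=(deployer) NOPASSWD: ALL
 %become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm
- git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure
+ git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure, /run/current-system/profile/bin/cicd
 git ALL=(deployer) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/mkdir
 "#))
 (packages
@@ -315,6 +315,7 @@
 (list
 packages:servers
 (script "gc" (file "src/infrastructure/scripts/gc.sh"))
+ (script "cicd" (file "src/infrastructure/scripts/cicd.sh"))
 (script "check" (file "src/infrastructure/scripts/check.sh"))
 (script "backup" (file "src/infrastructure/scripts/backup.sh"))
 (script "deploy" (file "src/infrastructure/scripts/deploy.sh"))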
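Review bot: The new sudoers entry on the `git ALL= NOPASSWD:` line lets the git user run `/run/current-system/profile/bin/cicd` as root with any argument list, so whatever cicd does with its NAME and SHA positional parameters happens as root on caller-chosen input, and the sudoers rule itself cannot narrow that. The cicd.sh added in this same commit builds `/srv/git/$NAME.git` and an `rsync --delete` destination under `/srv/www/s/` from NAME after checking only that it is non-empty, so this grant is wider than the one-word addition suggests until the script validates its arguments. Consider recording the contract next to the rule inside the sudoers string, e.g. `# cicd validates NAME and SHA itself; sudo passes argv through unchecked`. The second hunk, which only registers the script in the packages list, needs nothing.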
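--- /dev/null
+++ b/src/infrastructure/scripts/cicd.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+set -eu
+
+usage() {
+ cat <<-'EOF'
+ Usage:
+ cicd [-n] NAME [SHA]
+ cicd -h
+ EOF
+}
+
+help() {
+ cat <<-'EOF'
+
+
+ Options:
+ -n build the system, but don't switch to it (dry-run)
+ -h, --help show this message
+
+ NAME the name of the project
+ SHA the repository SHA to checkout (default: main)
+
+
+ Run a "guix system reconfigure" as root via "sudo -i". If a -U
+ flag is given, perform a "guix pull" (in root profile) prior to
+ the reconfigure. The user must be able to become the "deployer"
+ user, either via "sudo reconfigure" or by being member of the
+ "become-deployer" group.
+
+
+ Examples:
+
+ Reconfigure the system:
+
+ $ reconfigure
+
+
+ Build the system on a custom SHA, but don't switch to it:
+
+ $ reconfigure -n 916dafc092f797349a54515756f2c8e477326511
+
+
+ Update and upgrade:
+
+ $ reconfigure -U
+ EOF
+}
+
+
+for flag in "$@"; do
+ case "$flag" in
+ --)
+ break
+ ;;
+ --help)
+ usage
+ help
+ exit
+ ;;
+ *)
+ ;;
+ esac
+done
+
+DRY_RUN=false
+while getopts 'nh' flag; do
+ case "$flag" in
+ n)
+ DRY_RUN=true
+ ;;
+ h)
+ usage
+ help
+ exit
+ ;;
+ *)
+ usage >&2
+ exit 2
+ ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+NAME="${1:-}"
+SHA="${2:-main}"
+REPO="/srv/git/$NAME.git"
+
+if [ -z "$NAME" ]; then
+ printf 'Missing NAME.\n\n' >&2
+ usage >&2
+ exit 2
+fi
+
+if [ "$(id -un)" != 'root' ]; then
+ printf 'This script must be run as root.\n\n' >&2
+ usage >&2
+ exit 2
+fi
+
+
+set +eu
+# shellcheck source=/dev/null
+. /etc/rc
+set -eu
+
+
+uuid() {
+ od -xN20 /dev/urandom |
+ head -n1 |
+ awk '{OFS="-"; print $2$3,$4,$5,$6,$7$8$9}'
+}
+
+tmpname() {
+ printf '%s/uuid-tmpname with spaces.%s' "${TMPDIR:-/tmp}" "$(uuid)"
+}
+
+mkdtemp() {
+ name="$(tmpname)"
+ mkdir -- "$name"
+ printf '%s' "$name"
+}
+
+
+TMP="$(mkdtemp)"
+trap 'rm -rf "$TMP"' EXIT
+
+
+set -x
+chown deployer:deployer "$TMP"
+cd "$TMP"
+sudo -u deployer git clone "$REPO" .
+sudo -u deployer --preserve-env=GIT_CONFIG_GLOBAL git checkout "$SHA"
+guix system describe
+
+if [ -f manifest.scm ]; then
+ guix shell -Cv3 -m manifest.scm -- make dev
+else
+ sudo -u deployer make dev
+fi
+
+if [ "$DRY_RUN" = false ]; then
+ # COMMENT: pre-receive is always running the previous version!
+ # The same is true for the reconfigure script itself.
+ sudo cp description "$REPO"/description
+ sudo cp aux/ci/git-pre-receive.sh "$REPO"/hooks/pre-receive
+
+ sudo -u deployer rsync \
+ --delete \
+ --chmod=D775,F664 \
+ --chown=deployer:deployer \
+ --exclude 'ci/*' \
+ -a \
+ public/ /srv/www/s/"$NAME"/
+fi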
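Review bot: NAME (`NAME="${1:-}"`) is checked only for emptiness before it is spliced into `REPO="/srv/git/$NAME.git"` and into the `rsync --delete` destination `public/ /srv/www/s/"$NAME"/`, both acted on as root, so a NAME containing `/` or `..` selects a repository, or a deletion target, outside those directories. Reject anything but a plain project name right after the emptiness check, e.g. `case "$NAME" in .|..|*[!A-Za-z0-9._-]*) printf 'Invalid NAME.\n\n' >&2; usage >&2; exit 2;; esac`, and give SHA the same treatment before `git checkout "$SHA"` (at least refuse values starting with `-`), since the caller is presumably the pre-receive hook and the values are influenced by whoever can push. The `help` text is carried over from the reconfigure script: it documents a `-U` flag this script does not accept, and every example invokes `reconfigure`, so it should describe cicd's own `-n`, NAME and SHA instead. `set -x` also traces every command, including the sudo invocations and the temporary path, to stderr; if that is intended for the CI log, say so in a comment on that line.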