k 5 krebs-ci: initial commit
parent
14d1655deb
commit
e6b1003fe2
37
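--- a/krebs/5pkgs/krebs-ci/default.nix
+++ b/krebs/5pkgs/krebs-ci/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
+
+stdenv.mkDerivation rec {
+name = "krebs-ci-0.1.0";
+
+src = ./notes;
+
+phases = [
+"installPhase"
+];
+buildInputs = [ makeWrapper ];
+
+path = stdenv.lib.makeSearchPath "bin" [
+coreutils
+cac
+cacpanel
+gnumake
+gnused
+jq
+openssh
+];
+
+installPhase =
+''
+mkdir -p $out/bin
+cp ${src} $out/bin/krebs-ci
+chmod +x $out/bin/krebs-ci
+wrapProgram $out/bin/krebs-ci \
+--prefix PATH : ${path}
+'';
+meta = with stdenv.lib; {
+homepage = http://krebsco.de;
+description = "Krebs CI Scripts";
+license = licenses.wtfpl;
+maintainers = [ maintainers.makefu ];
+};
+}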
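Review bot: The wrapper uses `--prefix PATH : ${path}`, which only puts the listed packages ahead of the caller's PATH instead of replacing it, and the `path` list contains no shell, so the `sh` that the wrapped script invokes (and any tool missing from the list) resolves from the ambient environment. Since `phases` is restricted to `installPhase`, the fixup step that would normally patch shebangs does not run either, so the installed script keeps `#! /bin/sh`. For a script that handles API credentials and a private key, I would either pin the environment (`--set PATH ${path}` with a shell package added to the list) or add a comment above `wrapProgram` saying the fallback to the caller's PATH is intended.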
111
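--- a/krebs/5pkgs/krebs-ci/notes
+++ b/krebs/5pkgs/krebs-ci/notes
@@ -0,0 +1,111 @@
+#! /bin/sh
+
+# nix-shell -p gnumake jq openssh cac cacpanel
+set -euf
+
+# 2 secrets are required:
+krebs_cred=${krebs_cred-./cac.json}
+retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+
+# Sanity
+if test ! -r "$krebs_cred";then
+echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
+fi
+if test ! -r "$retiolum_key";then
+echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
+fi
+
+krebs_secrets=$(mktemp -d)
+sec_file=$krebs_secrets/cac_config
+krebs_ssh=$krebs_secrets/tempssh
+# we need to receive this key from buildmaster to speed up tinc bootstrap
+TRAP="rm $sec_file;rm -r $krebs_secrets"
+trap "$TRAP" INT TERM EXIT
+
+cat > $sec_file <<EOF
+cac_login="$(jq -r .email $krebs_cred)"
+cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)"
+EOF
+
+export cac_secrets=$sec_file
+cac-cli panel --config $krebs_cred update-api-ip
+
+# test login:
+cac update
+cac servers
+
+# Template 26: CentOS7
+# TODO: use cac templates to determine the real Centos7 template in case it changes
+name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\
+| jq -r .servername)
+
+id=servername:$name
+trap "cac delete $id;$TRAP" INT TERM EXIT
+# TODO: timeout?
+always_update=true cac waitstatus $id "Powered On"
+
+wait_login_cac(){
+# timeout
+for t in `seq 60`;do
+# now we have a working cac server
+if cac ssh $1 cat /etc/redhat-release | \
+grep CentOS ;then
+return 0
+fi
+sleep 10
+done
+return 1
+}
+# die on timeout
+wait_login_cac $id
+
+mkdir -p shared/2configs/temp
+cac generatenetworking $id > \
+shared/2configs/temp/networking.nix
+# new temporary ssh key we will use to log in after infest
+ssh-keygen -f $krebs_ssh -N ""
+cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+# we override the directories for secrets and stockholm
+# additionally we set the ssh key we generated
+ip=$(cac getserver $id | jq -r .ip)
+
+cat > shared/2configs/temp/dirs.nix <<EOF
+_: {
+krebs.build.source.dir = {
+secrets.path = "$krebs_secrets";
+stockholm.path = "$(pwd)";
+};
+users.extraUsers.root.openssh.authorizedKeys.keys = [
+"$(cat ${krebs_ssh}.pub)"
+];
+krebs.build.target = "$ip";
+}
+EOF
+
+LOGNAME=shared make eval get=krebs.infest \
+target=derp system=test-centos7 filter=json \
+| sed -e "s#^ssh.*<<#cac ssh $id<<#" \
+-e "/^rsync/a -e 'cac ssh $id' \\\\" \
+-e "s#root.derp:#:#" > $krebs_secrets/infest
+sh -x $krebs_secrets/infest
+
+# TODO: generate secrets directory $krebs_secrets for nix import
+cac powerop $id reset
+
+wait_login(){
+# timeout
+for t in `seq 20`;do
+# now we have a working cac server
+if ssh -o StrictHostKeyChecking=no \
+-o UserKnownHostsFile=/dev/null \
+-i $krebs_ssh \
+-o ConnectTimeout=10 \
+-o BatchMode=yes \
+root@$1 nixos-version ;then
+return 0
+fi
+sleep 10
+done
+return 1
+}
+wait_login $ip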
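Review bot: The assignment `name=$( cac build … 2>&1 | jq -r .servername)` feeds stderr into the JSON that jq parses and never checks the result, so a failed build can either abort on a parse error with the real message lost or leave `name` as `null`, after which `trap "cac delete $id;$TRAP"` is armed with `servername:null`. Dropping `2>&1` and using `jq -er .servername` would make the assignment fail under `set -e` before the delete trap is installed. Separately, `wait_login` sets `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so the final `nixos-version` check does not prove it reached the host that was just installed; a comment stating that this is accepted for the throwaway machine would help. It is also worth confirming that the trace from `sh -x $krebs_secrets/infest` cannot put secret material into the CI log, which I cannot tell from this file.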