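#!/usr/bin/env nu
# CI driver for nixcfg. Subcommands (see the `main ...` defs below) update the
# -next{,-wip} branches, build/cache the flake outputs, prune old workflow runs,
# and deploy built system closures to hosts over ssh.
# TODO:
# - follow up on self-hosted runners being weird about HOME + sshkeys
# - figure out a strategy for pinning the most recent build with a gcroot so we can enable GC again
let ROOT = ([$env.FILE_PWD "../" ] | path join)
let gcrootdir = $"($ROOT)/_gcroots"
# Commits created below (lock-file commits, nix-update --commit, .latest) need an identity.
git config --global user.name 'Cole Botkens'
git config --global user.email '[email protected]'
# The cachix signing key is optional so the script still runs on runners without the
# secret, but say so loudly instead of silently continuing without it: the
# `cachix push` calls in `main update` then run with an empty CACHIX_SIGNING_KEY.
$env.CACHIX_SIGNING_KEY = (try { open "/run/secrets/cachix_signkey_colemickens" } catch {
  print -e "::warning::/run/secrets/cachix_signkey_colemickens not readable; CACHIX_SIGNING_KEY is empty for this run"
  ""
})
let nfbflags = [
  --no-nom
  --eval-workers 1 # we keep getting killed in the GHA (on raisin) :(
]
# Pin the host keys of every ssh peer up front so nothing depends on
# trust-on-first-use or an interactive prompt on the runner. The file is
# rebuilt from scratch on every run so stale/rotated keys cannot linger.
let ssh_hosts = $"($env.HOME)/.ssh/known_hosts"
mkdir $"($env.HOME)/.ssh"
rm -f $ssh_hosts
[
  # github host keys - used to push -next{,-wip} branches to github
  "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
  "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
  "github.com ssh-rsa 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"
  # per-host host keys - used to (download paths | deploy) to a given host
  # (addresses are the ones `tailscale ip --4 <host>` resolves to in `main deploy`)
  # zeph
  "100.109.239.83 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8xzm2cJvb/6bLBjVaMsFHc50BOUQdcQv7EZgvk8QR8"
  # slynux
  "100.81.167.123 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtqJfWwWtcxeWHKwjbY34VHnp79PGcjS9g21WRuJKdo"
  # raisin
  "100.112.194.64 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICFL0c9gNJWpGPyyQgWLbao6zSNMAMFDmwQQGHeOcVCU"
  # xeep
  "100.72.11.62 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzCYIpoxOMwsHMKGTcpmtAuu+yTfkP6ZhaF/YjWAzFI"
  # rock5b
  "100.118.5.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzIZu1IiwNvioKhw59hmH46SfUSDBUPqoVffCEQFDOY"
  "100.118.5.4 ssh-rsa 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"
  # openstick
  "100.121.148.102 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUYISzsaKXXf0OTojyzpbsA8M4p9+DjQ+PHZ2aLUrT6"
  "100.121.148.102 ssh-rsa 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"
  # radxazero1
  "100.99.105.68 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMfVuQZf/7s1ph1xsACPnbtW47qxpjYv7An99uFzgsMg"
] | save -a $ssh_hosts
# Identifies this CI run in the .latest commit message.
let runid = $"($env.GITHUB_RUN_ID)-($env.GITHUB_RUN_NUMBER)-($env.GITHUB_RUN_ATTEMPT)"
# One deploy key for both git pushes and host logins. StrictHostKeyChecking=yes
# makes the pinned known_hosts above authoritative: an unknown or changed host
# key is a hard failure rather than a prompt the non-interactive runner cannot answer.
let sshargs = [ "-i" "/run/secrets/github-colebot-sshkey" "-o" $"UserKnownHostsFile=($env.HOME)/.ssh/known_hosts" "-o" "StrictHostKeyChecking=yes" ]
$env.GIT_SSH_COMMAND = $"ssh ($sshargs | str join ' ')"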
def "main extra" [] {
  # Placeholder subcommand: currently only announces itself on stderr.
  "doing extra things" | print -e
}
def "main clean-actions" [] {
  # Prune completed GitHub Actions runs for $GITHUB_REPOSITORY, keeping the
  # first `keep_runs` entries of each API page (the API lists newest first) and
  # deleting the rest, until a page has nothing beyond the keep window.
  $env.NO_PAGER = 1
  $env.GH_PAGER = "cat"
  let keep_runs = 10
  let runurl = $"repos/($env.GITHUB_REPOSITORY)/actions/runs"
  loop {
    let page = (^gh api $"($runurl)?per_page=100&status=completed" | from json)
    let stale = ($page | get -i workflow_runs | skip $keep_runs)
    if ($stale | length) == 0 {
      print -e "nothing to do!"
      break
    }
    for run in ($stale | select name id status node_id) {
      # small delay between DELETEs to stay clear of API rate limiting
      sleep 1sec
      let delurl = $"($runurl)/($run.id)"
      print -e $"(ansi red)delete ($delurl)(ansi reset)"
      ^gh api $"($delurl)" -X DELETE
    }
  }
  print -e $"(ansi green_reverse)all done(ansi reset)"
}
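def "main deploy" [host: string --activate = true] {
  # Deploy the system closure recorded in .latest for `host`: realise it on the
  # host from the binary cache (-j0), and unless --activate=false, set it as the
  # system profile and switch to it. openstick/rock5b get a power-cycle via a
  # smart switch (driven from xeep) if they do not answer ssh beforehand.
  ls -al .latest | print -e
  # .latest/result-* is written by `main update` and holds the bare store path
  # of the built toplevel. Trim so a stray trailing newline cannot split the
  # remote command lines below.
  let out = (open $".latest/result-x86_64-linux.toplevel-($host)" | str trim)
  # $out is spliced into shell command strings run as root on the target host,
  # and it comes from a file committed to the repo. Only accept a plain store
  # path so a tampered or malformed .latest entry cannot smuggle extra shell.
  if (not ($out | str starts-with "/nix/store/")) or ($out =~ '\s') {
    error make { msg: $"refusing to deploy ($host): .latest entry is not a plain store path: ($out)" }
  }
  let addr = ^tailscale ip --4 $host
  let xeep_addr = ^tailscale ip --4 xeep
  print -e $"deploy ($out) to ($addr)"
  if $host == "openstick" or $host == "rock5b" {
    # Smart-switch endpoint per host, reached from xeep on the LAN.
    let sw_ip = if $host == "openstick" { "192.168.1.166" } else { "192.168.1.195" }
    let sw_nm = if $host == "openstick" { "wp6_sw102_relay" } else { "wp6_sw105_relay" }
    try {
      print -e "predeploy: check uname directly"
      ^timeout 15 ssh ...[...$sshargs $"cole@($addr)" uname -a]
    } catch {
      # Host is unreachable: power-cycle it through the switch (plain http,
      # LAN-only, issued from xeep) and give it time to boot before re-checking.
      print -e "predeploy: couldn't uname; force reboot and wait"
      ^ssh ...[...$sshargs $"cole@($xeep_addr)"
        curl -d 'true' -X POST $"http://($sw_ip):9111/switch/($sw_nm)/turn_off"]
      sleep 2sec
      ^ssh ...[...$sshargs $"cole@($xeep_addr)"
        curl -d 'true' -X POST $"http://($sw_ip):9111/switch/($sw_nm)/turn_on"]
      sleep 75sec
      print -e "predeploy: couldn't uname; force reboot and wait... now uname-check"
      ^timeout 15 ssh ...[...$sshargs $"cole@($addr)" uname -a]
    }
  }
  if (not $activate) {
    # Pre-fetch only: substitute the closure onto the host without touching the profile.
    ^ssh ...$sshargs $"cole@($addr)" $"sudo nix build -j0 --no-link ($out)"
    return
  }
  ^ssh ...$sshargs $"cole@($addr)" $"sudo nix build -j0 --no-link --profile /nix/var/nix/profiles/system ($out)"
  ^ssh ...$sshargs $"cole@($addr)" $"sudo ($out)/bin/switch-to-configuration switch"
  if $host == "openstick" {
    ^ssh ...$sshargs $"cole@($addr)" "sudo reboot"
    sleep 60sec;
    ^ssh ...[...$sshargs $"cole@($addr)" uname -a]
  }
  if $host == "openstick" {
    # NOTE(review): this is a second reboot of openstick right after the one
    # above; whether both are intentional is not clear from here. Kept as-is.
    do -i {
      print -e "openstick-predeploy: reboot"
      ^ssh ...$sshargs $"cole@($addr)" "sudo reboot"
      sleep 60sec;
      print -e "openstick-predeploy: garbage collect"
      ^ssh ...$sshargs $"cole@($addr)" "nix-env --profile ~/.local/state/nix/profiles/home-manager --delete-generations +1"
      ^ssh ...$sshargs $"cole@($addr)" "sudo nix-collect-garbage -d"
    }
  }
}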
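def "main update" [] {
  # Full update pipeline:
  #   1. reset the -next-wip branches of nixcfg, cmpkgs (nixpkgs) and cmhm
  #      (home-manager) from their base branches, rebasing the latter two onto
  #      upstream (fetched over https, never pushed to);
  #   2. relock nixcfg against the -wip branches and bump packages (nix-update);
  #   3. build with nix-fast-build and push outputs to cachix;
  #   4. record the build result paths under .latest and commit/push them;
  #   5. fast-forward the -next branches to what was just built and relock
  #      nixcfg's main-next against them.
  # All pushes are force pushes to branches this CI owns.
  let url = $"[email protected]:colemickens/nixcfg"
  let dir = $"($ROOT)/nixcfg"
  mkdir $dir
  print "::group::init"
  do {
    cd $dir
    git remote set-url origin $url
    git remote update
    do -i { git rebase --abort }
    git switch -C main-next-wip
    git reset --hard origin/main
    git push origin HEAD -f
  }
  let url = $"[email protected]:colemickens/nixpkgs"
  let dir = $"($ROOT)/nixpkgs/cmpkgs"
  mkdir $dir
  do {
    cd $dir
    # The checkout may or may not exist from a previous run; every setup step is best-effort.
    do -i { git init }
    do -i { git remote add origin $url }
    do -i { git remote set-url origin $url }
    git remote update
    do -i { git rebase --abort }
    git switch -C cmpkgs-next-wip
    git reset --hard origin/cmpkgs
    do -i { git remote add nixos https://github.com/nixos/nixpkgs }
    git remote update
    git rebase nixos/nixos-unstable
    git push origin HEAD -f
  }
  let url = $"[email protected]:colemickens/home-manager"
  let dir = $"($ROOT)/home-manager/cmhm"
  mkdir $dir
  do {
    cd $dir
    do -i { git init }
    do -i { git remote add origin $url }
    do -i { git remote set-url origin $url }
    git remote update
    do -i { git rebase --abort }
    git switch -C cmhm-next-wip
    git reset --hard origin/cmhm
    do -i { git remote add nix-community https://github.com/nix-community/home-manager }
    git remote update
    git rebase nix-community/master
    git push origin HEAD -f
  }
  # GitHub Actions only recognises the closing command as "::endgroup::" (with
  # the trailing "::"); the previous "::endgroup" left every group unclosed in the log.
  print "::endgroup::"
  do {
    cd $"($ROOT)/nixcfg"
    ^nix ...[
      flake lock
      --recreate-lock-file
      --commit-lock-file
      --override-input cmpkgs github:colemickens/nixpkgs/cmpkgs-next-wip
      --override-input home-manager github:colemickens/home-manager/cmhm-next-wip
    ]
    git push origin HEAD
  }
  ## PKGUP
  do {
    cd $"($ROOT)/nixcfg"
    let pkgref = $"($env.PWD)#packages.x86_64-linux"
    let pkglist = ^nix ...[
      eval
      --json $pkgref
      --apply "x: builtins.attrNames x"
    ] | str trim | from json
    for pkgname in $pkglist {
      print -e $"::group::pkgup ($pkgname)"
      do {
        # `--version branch` follows the upstream branch head, so package
        # sources are intentionally unpinned here; each successful bump is
        # committed and pushed individually, a failed one is reverted.
        try {
          ^nix-update ...[
            --flake
            --build
            --commit
            --format
            --version branch
            $pkgname
          ]
          git push origin HEAD
          print -e $"pushed ($pkgname)"
        } catch {
          git restore $"./pkgs/($pkgname)"
          print -e $"pkgup: ($pkgname): restoring/undoing"
        }
      }
      print "::endgroup::"
    }
  }
  ## NIX-FAST-BUILD
  print "::group::nfb"
  try {
    nix-fast-build ...$nfbflags
  } catch {
    # Partial failure: still push whatever result-* links exist, then fail the job.
    ls -l result* | print -e
    ^ls -d result* | cachix push colemickens
    print -e "::warning::nix-fast-build failed, but we cached something"
    exit -1
  }
  print "::endgroup::"
  print "::group::cachix push"
  do {
    ^ls -d result* | tee /dev/stderr | cachix push colemickens
  }
  print "::endgroup::"
  # collect results
  print "::group::save results"
  do {
    rm -rf .latest/
    mkdir .latest/
    rm -rf $gcrootdir
    mkdir $gcrootdir
    # Leftover debugging output around the result-* globbing; all best-effort.
    print -e "DEBUGDEBUGDEBUG1111"
    do -i { ls -l result-* }
    print -e "DEBUGDEBUGDEBUG2222"
    do -i { ls -la | print -e }
    print -e "DEBUGDEBUGDEBUG2222"
    do -i { ls -l "result-*" | print -e }
    print -e "DEBUGDEBUGDEBUG3333"
    do -i { ^ls -la }
    print -e "DEBUGDEBUGDEBUG4444"
    do -i { ^ls -l "result-*" }
    print -e "DEBUGDEBUGDEBUG DONE"
    # `ls -l` exposes each symlink's target; that store path is what gets
    # committed under .latest (and later consumed by `main deploy`), and a
    # gcroot out-link is created for it under $gcrootdir.
    let results = (ls -l result-*)
    for res in $results {
      let filename = $".latest/($res.name)"
      print -e $"saving ($res.target) in ($filename)"
      $res.target | save $filename
      nix build -j0 --out-link $"($gcrootdir)/($res.name)" $res.target
    }
  }
  print "::endgroup::"
  print "::group::git commit-push"
  do {
    # .latest is force-added since it is otherwise ignored.
    ^git add -f ./.latest
    ^git commit -m $".latest: latest build results ($runid)" ./.latest
    git push origin HEAD
  }
  print "::endgroup::"
  ## NOW UPDATE BRANCHES
  print "::group::git update branches"
  do {
    cd $"($ROOT)/nixpkgs/cmpkgs"
    git switch -C cmpkgs-next
    git reset --hard origin/cmpkgs-next-wip
    git push origin HEAD -f
  }
  do {
    cd $"($ROOT)/home-manager/cmhm"
    git switch -C cmhm-next
    git reset --hard origin/cmhm-next-wip
    git push origin HEAD -f
  }
  do {
    cd $"($ROOT)/nixcfg"
    git switch -C main-next
    git reset --hard main-next-wip
    ^nix ...[
      flake lock
      --recreate-lock-file
      --commit-lock-file
      --override-input cmpkgs github:colemickens/nixpkgs/cmpkgs-next
      --override-input home-manager github:colemickens/home-manager/cmhm-next
    ]
    git push origin HEAD -f
  }
  print "::endgroup::"
}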
def main [] {
  # Default entry point: the real work lives in the `main <subcommand>` defs above.
  "use [deploy,update] subcommands" | print -e
}