| -rw-r--r-- | krebs/5pkgs/krebs-ci/default.nix | 37 | ||||
| -rwxr-xr-x | krebs/5pkgs/krebs-ci/notes | 111 | 
2 files changed, 148 insertions, 0 deletions
| diff --git a/krebs/5pkgs/krebs-ci/default.nix b/krebs/5pkgs/krebs-ci/default.nix
new file mode 100644
index 000000000..f5b302b52
--- /dev/null
+++ b/krebs/5pkgs/krebs-ci/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
+
+stdenv.mkDerivation rec {
+  name = "krebs-ci-0.1.0";
+
+  src = ./notes;
+
+  phases = [
+    "installPhase"
+  ];
+  buildInputs = [ makeWrapper ];
+
+  path = stdenv.lib.makeSearchPath "bin" [
+    coreutils
+    cac
+    cacpanel
+    gnumake
+    gnused
+    jq
+    openssh
+  ];
+
+  installPhase =
+    ''
+      mkdir -p $out/bin
+      cp ${src} $out/bin/krebs-ci
+      chmod +x $out/bin/krebs-ci
+      wrapProgram $out/bin/krebs-ci \
+              --prefix PATH : ${path}
+    '';
+  meta = with stdenv.lib; {
+    homepage = http://krebsco.de;
+    description = "Krebs CI Scripts";
+    license = licenses.wtfpl;
+    maintainers = [ maintainers.makefu ];
+  };
+}
diff --git a/krebs/5pkgs/krebs-ci/notes b/krebs/5pkgs/krebs-ci/notes
new file mode 100755
index 000000000..7e34d6a28
--- /dev/null
+++ b/krebs/5pkgs/krebs-ci/notes
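Review bot: `homepage = http://krebsco.de;` in the meta block is an unquoted URL literal, which newer Nix versions deprecate; the safe form is `homepage = "http://krebsco.de";`. `makeWrapper` is a build-time tool and idiomatically belongs in `nativeBuildInputs` rather than `buildInputs`, although for this derivation the difference is presumably only cosmetic. The argument set `{ stdenv, coreutils,makeWrapper, ... }` is missing the space after `coreutils,` that every other entry has.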
@@ -0,0 +1,111 @@
+#! /bin/sh
+
+# nix-shell -p gnumake jq openssh cac cacpanel
+set -euf
+
+# 2 secrets are required:
+krebs_cred=${krebs_cred-./cac.json}
+retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+
+# Sanity
+if test ! -r "$krebs_cred";then
+  echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
+fi
+if test ! -r "$retiolum_key";then
+  echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
+fi
+
+krebs_secrets=$(mktemp -d)
+sec_file=$krebs_secrets/cac_config
+krebs_ssh=$krebs_secrets/tempssh
+# we need to receive this key from buildmaster to speed up tinc bootstrap
+TRAP="rm $sec_file;rm -r $krebs_secrets"
+trap "$TRAP" INT TERM EXIT
+
+cat > $sec_file <<EOF
+cac_login="$(jq -r .email $krebs_cred)"
+cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)"
+EOF
+
+export cac_secrets=$sec_file
+cac-cli panel --config $krebs_cred update-api-ip
+
+# test login:
+cac update
+cac servers
+
+# Template 26: CentOS7
+# TODO: use cac templates to determine the real Centos7 template in case it changes
+name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\
+  | jq -r .servername)
+
+id=servername:$name
+trap "cac delete $id;$TRAP" INT TERM EXIT
+# TODO: timeout?
+always_update=true cac waitstatus $id "Powered On"
+
+wait_login_cac(){
+  # timeout
+  for t in `seq 60`;do
+    # now we have a working cac server
+    if cac ssh $1 cat /etc/redhat-release | \
+      grep CentOS ;then
+      return 0
+    fi
+    sleep 10
+  done
+  return 1
+}
+# die on timeout
+wait_login_cac $id
+
+mkdir -p shared/2configs/temp
+cac generatenetworking $id > \
+  shared/2configs/temp/networking.nix
+# new temporary ssh key we will use to log in after infest
+ssh-keygen -f $krebs_ssh -N ""
+cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+# we override the directories for secrets and stockholm
+# additionally we set the ssh key we generated
+ip=$(cac getserver $id | jq -r .ip)
+
+cat > shared/2configs/temp/dirs.nix <<EOF
+_: {
+  krebs.build.source.dir = {
+    secrets.path = "$krebs_secrets";
+    stockholm.path = "$(pwd)";
+  };
+  users.extraUsers.root.openssh.authorizedKeys.keys = [
+    "$(cat ${krebs_ssh}.pub)"
+  ];
+  krebs.build.target = "$ip";
+}
+EOF
+
+LOGNAME=shared make eval get=krebs.infest \
+  target=derp system=test-centos7 filter=json \
+  | sed -e "s#^ssh.*<<#cac ssh $id<<#" \
+        -e "/^rsync/a -e 'cac ssh $id' \\\\"  \
+        -e "s#root.derp:#:#" > $krebs_secrets/infest
+sh -x $krebs_secrets/infest
+
+# TODO: generate secrets directory $krebs_secrets for nix import
+cac powerop $id reset
+
+wait_login(){
+  # timeout
+  for t in `seq 20`;do
+    # now we have a working cac server
+    if ssh -o StrictHostKeyChecking=no \
+           -o UserKnownHostsFile=/dev/null \
+           -i $krebs_ssh \
+           -o ConnectTimeout=10 \
+           -o BatchMode=yes \
+           root@$1 nixos-version ;then
+      return 0
+    fi
+    sleep 10
+  done
+  return 1
+}
+wait_login $ip |
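Review bot: The cleanup trap `trap "cac delete $id;$TRAP" INT TERM EXIT` leaves the temp directory — which by then holds the cac credential file, the copied retiolum private key and the generated ssh key — behind whenever `cac delete` fails, because under `set -e` the trap body stops at the first failing command before reaching the `rm`; on INT or TERM the body also runs twice (once for the signal, once for EXIT), so the second `rm $sec_file` errors out. Make the removal unconditional and idempotent, e.g. `trap 'cac delete $id || true; rm -rf -- "$krebs_secrets"' INT TERM EXIT`, and reduce the earlier `TRAP=` definition to `rm -rf -- "$krebs_secrets"` alone. `sh -x $krebs_secrets/infest` traces every command of the generated infest script to stderr, so in a CI log it may expose the exact ssh/rsync invocations that ship the secrets directory to the target; dropping `-x` or sending that trace somewhere other than the job log deserves a comment either way. The `StrictHostKeyChecking=no` / `UserKnownHostsFile=/dev/null` options in `wait_login` are presumably deliberate for a freshly built server whose host key cannot be known yet; a one-line comment such as `# host key unknown for a just-built server; do not copy these options elsewhere` would stop the pattern from being reused for established hosts.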
