2023-06-08 11:39:57 +10:00
|
|
|
{ self, withSystem, ... }:
|
2023-04-06 11:49:28 +10:00
|
|
|
{
|
|
|
|
|
herculesCI = { config, ... }:
|
2023-05-24 16:02:18 +10:00
|
|
|
withSystem "x86_64-linux" ({ hci-effects, pkgs, self', ... }:
|
2023-06-10 21:10:16 +10:00
|
|
|
let
|
|
|
|
|
# using the drv path here avoids downloading the closure on the deploying machine
|
2023-07-17 09:37:43 +10:00
|
|
|
darwin02 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin02.config.system.build.toplevel.drvPath;
|
|
|
|
|
darwin03 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin03.config.system.build.toplevel.drvPath;
|
2023-06-12 10:10:59 +10:00
|
|
|
|
|
|
|
|
inherit (config.repo) ref;
|
|
|
|
|
inherit (hci-effects) mkEffect runIf;
|
|
|
|
|
inherit (pkgs.lib) hasPrefix;
|
2023-06-10 21:10:16 +10:00
|
|
|
in
|
2023-05-24 16:02:18 +10:00
|
|
|
{
|
|
|
|
|
onPush.default.outputs.effects = {
|
2023-06-12 10:10:59 +10:00
|
|
|
darwin-deploy = runIf (hasPrefix "refs/heads/gh-readonly-queue/master/" ref)
|
|
|
|
|
(mkEffect {
|
|
|
|
|
name = "darwin-deploy";
|
2023-06-03 18:53:46 +10:00
|
|
|
secretsMap.hercules-ssh = "hercules-ssh";
|
2023-06-10 21:10:16 +10:00
|
|
|
effectScript = ''
|
2023-06-03 18:53:46 +10:00
|
|
|
writeSSHKey hercules-ssh
|
|
|
|
|
cat >>~/.ssh/known_hosts <<EOF
|
|
|
|
|
darwin02.nix-community.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt6uTauhRbs5A6jwAT3p3i3P1keNC6RpaA1Na859BCa
|
2023-07-17 09:37:43 +10:00
|
|
|
darwin03.nix-community.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX7W1ztzAtVXT+NBMITU+JLXcIE5HTEOd7Q3fQNu80S
|
2023-06-03 18:53:46 +10:00
|
|
|
EOF
|
2023-06-10 21:10:16 +10:00
|
|
|
${hci-effects.ssh { destination = "m1@darwin02.nix-community.org"; } ''
|
2023-06-12 10:10:59 +10:00
|
|
|
set -eux
|
2023-07-17 09:37:43 +10:00
|
|
|
newProfile=$(nix-store --realise ${darwin02})
|
|
|
|
|
sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
|
|
|
|
|
$newProfile/sw/bin/darwin-rebuild activate
|
|
|
|
|
set +x
|
|
|
|
|
''}
|
|
|
|
|
${hci-effects.ssh { destination = "hetzner@darwin03.nix-community.org"; } ''
|
|
|
|
|
set -eux
|
|
|
|
|
newProfile=$(nix-store --realise ${darwin03})
|
2023-06-10 21:10:16 +10:00
|
|
|
sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
|
|
|
|
|
$newProfile/sw/bin/darwin-rebuild activate
|
2023-06-14 10:13:27 +10:00
|
|
|
set +x
|
2023-06-10 21:10:16 +10:00
|
|
|
''}
|
2023-06-03 18:53:46 +10:00
|
|
|
'';
|
|
|
|
|
});
|
2023-06-12 10:10:59 +10:00
|
|
|
terraform-deploy = runIf (hasPrefix "refs/heads/gh-readonly-queue/master/" ref)
|
|
|
|
|
(mkEffect {
|
2023-05-24 16:02:18 +10:00
|
|
|
name = "terraform-deploy";
|
|
|
|
|
inputs = [ self'.devShells.terraform.nativeBuildInputs ];
|
2023-06-12 10:10:59 +10:00
|
|
|
src = self;
|
2023-05-24 16:02:18 +10:00
|
|
|
secretsMap.tf-secrets = "tf-secrets";
|
|
|
|
|
effectScript = ''
|
|
|
|
|
export TF_IN_AUTOMATION=1
|
|
|
|
|
export TF_INPUT=0
|
|
|
|
|
export SOPS_AGE_KEY="$(readSecretString tf-secrets .SOPS_AGE_KEY)"
|
|
|
|
|
export TF_TOKEN_app_terraform_io="$(readSecretString tf-secrets .TF_TOKEN_app_terraform_io)"
|
2023-04-06 11:49:28 +10:00
|
|
|
|
2023-06-12 10:10:59 +10:00
|
|
|
set -eux
|
2023-05-24 16:02:18 +10:00
|
|
|
pushd terraform
|
|
|
|
|
terraform init
|
|
|
|
|
terraform validate
|
|
|
|
|
terraform apply -auto-approve
|
2023-06-14 10:13:27 +10:00
|
|
|
set +x
|
2023-05-24 16:02:18 +10:00
|
|
|
'';
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
);
|
2023-04-06 11:49:28 +10:00
|
|
|
}
|
