drone: track current version of each nixos host

2023-06-17 13:47:47 +01:00 · 2023-06-17 13:47:47 +01:00 · 68ee1a18eb
commit 68ee1a18eb
parent 0fe5f63844
8 changed files with 124 additions and 4 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,21 +1,26 @@
 ---
 kind: pipeline
 type: docker
-name: default
+name: check

 steps:
  - name: lint
-    image: nixos/nix:2.11.1
+    image: nixos/nix:2.16.1
    commands:
      - nix --extra-experimental-features 'nix-command flakes' fmt
      - git diff --exit-code

  - name: check
-    image: nixos/nix:2.11.1
+    image: nixos/nix:2.16.1
    commands:
      - nix --extra-experimental-features 'nix-command flakes' flake check
+
+trigger:
+  event:
+    exclude:
+    - tag
 ---
 kind: signature
-hmac: da929dc55d2e11b17bc29e48293b78ba1e3588df90a87e022e7dc4f1cb40d6e5
+hmac: 27c93405b251bb8bc80c82d7271702f80753ff63a0422678e62bbe2c4a025840

 ...
--- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
@ -23,6 +23,7 @@
      locations.autoServe = true;
      www.global.enable = true;
      services.matrix.enable = true;
+      services.version_tracker.enable = true;
    };

    ## Networking
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -52,4 +52,6 @@
    networkmanager.dns = "none";
  };
  networking.firewall.enable = true;
+
+  custom.hostinfo.enable = true;
 }
--- a/modules/common/hostinfo.nix
+++ b/modules/common/hostinfo.nix
@ -0,0 +1,23 @@
+{ pkgs, lib, config, ... }:
+
+let
+  cfg = config.custom.hostinfo;
+in
+{
+  options.custom.hostinfo = {
+    enable = lib.mkEnableOption "hostinfo";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+
+      virtualHosts.":30653".extraConfig = ''
+        respond /nixos/system/configurationRevision ${config.system.configurationRevision} 200
+        respond 404
+      '';
+    };
+
+    networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 30653 ];
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -4,11 +4,13 @@
  imports = [
    ./backups/default.nix
    ./chia.nix
+    ./common/hostinfo.nix
    ./desktop/awesome/default.nix
    ./locations.nix
    ./resilio.nix
    ./services/mastodon/default.nix
    ./services/matrix.nix
+    ./services/version_tracker.nix
    ./storj.nix
    ./tailscale.nix
    ./www/global.nix
--- a/modules/services/version_tracker.nix
+++ b/modules/services/version_tracker.nix
@ -0,0 +1,84 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.custom.services.version_tracker;
+in
+{
+  options.custom.services.version_tracker = {
+    enable = lib.mkEnableOption "version_tracker";
+
+    path = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/cache/version_tracker";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.version_tracker = { };
+    users.users.version_tracker = {
+      home = cfg.path;
+      createHome = true;
+      isSystemUser = true;
+      group = "version_tracker";
+    };
+
+    age.secrets."version_tracker/ssh.key" = {
+      file = ../../secrets/version_tracker/ssh.key.age;
+      owner = "version_tracker";
+      group = "version_tracker";
+    };
+
+    systemd.services.version_tracker = {
+      description = "NixOS version tracker.";
+
+      environment = {
+        GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."version_tracker/ssh.key".path}";
+      };
+
+      preStart = with pkgs; ''
+        if ! test -d repo/.git; then
+            ${git}/bin/git clone git@ssh.gitea.hillion.co.uk:JakeHillion/nixos.git repo
+        fi
+        cd repo
+        ${git}/bin/git fetch
+      '';
+      script = with pkgs; ''
+        PORT=30653
+        cd repo
+
+        code=0
+        for path in hosts/*
+        do
+            hostname=''${path##*/}
+            if test -f "hosts/$hostname/darwin"; then continue; fi
+
+            if rev=$(${curl}/bin/curl -s --connect-timeout 15 http://$hostname:30653/nixos/system/configurationRevision); then
+                echo "$hostname: $rev"
+                if ! ${git}/bin/git tag -f "live/$hostname" $rev; then
+                    echo "WARNING: $hostname points to invalid ref!"
+                    continue
+                fi
+                ${git}/bin/git push -f origin "live/$hostname"
+            else
+                echo "$hostname: failed to reach"
+            fi
+        done
+      '';
+
+      serviceConfig = {
+        User = "version_tracker";
+        Group = "version_tracker";
+
+        WorkingDirectory = cfg.path;
+      };
+    };
+    systemd.timers.version_tracker = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "5m";
+        OnUnitInactiveSec = "15m";
+        Unit = "version_tracker.service";
+      };
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -83,4 +83,7 @@ in

  # Storj Secrets
  "storj/tywin/zfs_auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
+
+  # Version tracker secrets
+  "version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
 }
--- a/secrets/version_tracker/ssh.key.age
+++ b/secrets/version_tracker/ssh.key.age