From a4f67813a93fae71e7a2902169a6f20572603cc2 Mon Sep 17 00:00:00 2001
From: Victor Hang
Date: Sat, 25 Jan 2025 19:53:40 +0100
Subject: [PATCH] =?UTF-8?q?feat=20=E2=9C=A8:=20ci=20push=20kaasix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Victor Hang
---
.github/workflows/build-kaasix.yaml | 74 ++++++++++++
default.nix | 20 ++++
nixosModules/kubernetes/default.nix | 112 +++++++++---------
.../{rintaro => kaasix}/configuration.nix | 0
profiles/{rintaro => kaasix}/default.nix | 5 +
.../{rintaro => kaasix}/fastfetchConfig.nix | 4 +-
shell.nix | 10 +-
7 files changed, 167 insertions(+), 58 deletions(-)
create mode 100644 .github/workflows/build-kaasix.yaml
rename profiles/{rintaro => kaasix}/configuration.nix (100%)
rename profiles/{rintaro => kaasix}/default.nix (89%)
rename profiles/{rintaro => kaasix}/fastfetchConfig.nix (71%)
diff --git a/.github/workflows/build-kaasix.yaml b/.github/workflows/build-kaasix.yaml
new file mode 100644
index 0000000..404eb0f
--- /dev/null
+++ b/.github/workflows/build-kaasix.yaml
@@ -0,0 +1,74 @@
+name: Build KaaSix
+on:
+ push:
+ tags:
+ - 'kaasix-v*.*.*'
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+jobs:
+ pre_job:
+ # continue-on-error: true # Uncomment once integration is finished
+ runs-on: didactiklabs-runners
+ # Map a step output to a job output
+ outputs:
+ should_skip: ${{ steps.skip_check.outputs.should_skip }}
+ steps:
+ - id: skip_check
+ uses: fkirc/skip-duplicate-actions@master
+ with:
+ # All of these options are optional, so you can remove them if you are happy with the defaults
+ concurrent_skipping: 'never'
+ skip_after_successful_duplicate: 'true'
+ paths_ignore: '["**/README.md", "**/docs/**"]'
+ do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
+ build:
+ needs: pre_job
+ if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Free Disk Space (Ubuntu)
+ uses: jlumbroso/free-disk-space@main
+ with:
+ tool-cache: false
+ android: true
+ dotnet: true
+ haskell: false
+ large-packages: false
+ docker-images: false
+ swap-storage: true
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Set output
+ id: vars
+ run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+ - name: Get Nixpkgs revision for nixfmt
+ run: |
+ # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+ url=$(jq -r .pins.nixpkgs.url npins/sources.json)
+ echo "url=$url" >> "$GITHUB_ENV"
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+ with:
+ nix_path: nixpkgs=${{ env.url }}
+ extra_nix_config: |
+ fallback = true
+ trusted-public-keys = didactiklabs-nixcache:PxLKN0+ZkP07M8g8/B6xbP6A4MYpqQg6LH7V3muiy/0= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+ substituters = https://s3.didactiklabs.io/nix-cache https://cache.nixos.org/
+ - name: Auth to s3 cache
+ run: |
+ aws --profile default configure set aws_access_key_id "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ aws --profile default configure set aws_secret_access_key "${{ secrets.AWS_SECRET_ACCESS_KEY_ID }}"
+ - name: 'Set up skopeo'
+ uses: warjiang/setup-skopeo@v0.1.3
+ - id: 'auth'
+ uses: 'google-github-actions/auth@v2'
+ with:
+ credentials_json: '${{ secrets.GCLOUD_AUTH_CREDENTIAL_FILE }}'
+ - name: Build and Push
+ run: |
+ nix-shell shell.nix --run "buildOciQcow2 kaasix"
+ gcloud auth configure-docker
+ skopeo --version
+ skopeo copy --authfile keyfile.json \
+ docker-archive:output/kaasix-qcow2-oci.tar \
+ docker://gcr.io/${{ secrets.GCLOUD_PROJECT }}/kaasix-$(nix eval --raw -f . nixosSystem.config.customNixOSModules.kubernetes.version.kubeadm --argstr profile kaasix):${{ steps.vars.outputs.tag }}
diff --git a/default.nix b/default.nix
index 1894357..f76d03f 100644
--- a/default.nix
+++ b/default.nix
@@ -1,6 +1,7 @@
 {
 cloud ? false,
 partition ? "default60G",
+ profile ? "kaasix",
 ...
 }:
 let
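Review bot: Three of the four third-party actions in the `build` job are pulled from mutable refs — `fkirc/skip-duplicate-actions@master`, `jlumbroso/free-disk-space@main` and `warjiang/setup-skopeo@v0.1.3` — while `cachix/install-nix-action` in the same job is pinned to a commit SHA; whoever controls those branches or tags changes the code that runs with the AWS and GCloud secrets in scope, so pin each the same way, e.g. `uses: fkirc/skip-duplicate-actions@<commit-sha>  # <version>`. In `Build and Push`, `skopeo copy --authfile keyfile.json` names a file that no step in this workflow writes, so the push fails unless that file is checked in (which would mean a committed credential); the `auth` step publishes the path of the credential it wrote as `${{ steps.auth.outputs.credentials_file_path }}`, and since `gcloud auth configure-docker` already registers a credential helper in the docker config that skopeo should pick up as well, the flag can most likely be dropped. The comment `# This should not be a URL, because it would allow PRs to run arbitrary code in CI!` contradicts the very next line, which reads `.pins.nixpkgs.url` and hands it to `nix_path`; either the comment or the jq path is stale, and the step name mentions nixfmt although nothing here runs it. Finally, `${{ steps.vars.outputs.tag }}` is expanded by the expression engine inside a `run:` script; expose it via `env: TAG: ${{ steps.vars.outputs.tag }}` on that step and reference `$TAG` so the tag name is treated as data rather than script text.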
@@ -15,9 +16,20 @@ let ]; specialArgs = { inherit disko partition cloud; }; }; + nixosSystem = import (sources.nixpkgs + "/nixos") { + configuration = ./profiles/${profile}/configuration.nix; + }; + buildQcow2 = import { + inherit lib pkgs; + inherit (nixosSystem) config; + format = "qcow2"; + configFile = ./profiles/${profile}/configuration.nix; + }; + inherit (pkgs) lib; in { imports = [ ]; + inherit lib nixosSystem buildQcow2; buildIso = (isoInstall.extendModules { modules = [
@@ -27,4 +39,12 @@ in
 }
 ];
 }).config.system.build.isoImage;
+ ociQcow2 = pkgs.dockerTools.streamLayeredImage {
+ name = "${profile}-${nixosSystem.config.customNixOSModules.kubernetes.version.kubeadm}";
+ includeStorePaths = false;
+ fakeRootCommands = ''
+ mkdir -p ./disk
+ cp -L ${buildQcow2}/nixos.qcow2 ./disk/${profile}.qcow2
+ '';
+ };
 }
diff --git a/nixosModules/kubernetes/default.nix b/nixosModules/kubernetes/default.nix
index 9831869..8e2daac 100644
--- a/nixosModules/kubernetes/default.nix
+++ b/nixosModules/kubernetes/default.nix
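Review bot: `buildQcow2 = import {` carries no path between `import` and its argument set on the visible line, so either a `<nixpkgs/...>` search-path lookup was stripped in rendering or the expression cannot evaluate; if it is the former, that import resolves through `NIX_PATH`, which the new workflow sets from the URL in `npins/sources.json`, while `nixosSystem` two lines above comes from the npins-pinned `sources.nixpkgs`, so the disk-image builder and the system closure can be built from two different nixpkgs trees. Importing it from the same pin — `buildQcow2 = import (sources.nixpkgs + "/nixos/lib/make-disk-image.nix") {` if that is the builder in use — keeps the build reproducible and independent of the caller's `NIX_PATH`. The enclosing `let` starts before this hunk.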
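Review bot: `cp -L ${buildQcow2}/nixos.qcow2 ./disk/${profile}.qcow2` in `fakeRootCommands` expects the disk-image derivation to produce `nixos.qcow2`, while the new `buildQcow2` script in the shell.nix hunk of this same commit copies `$(nix-build default.nix -A buildQcow2 --argstr profile $1)/$1.qcow2` from that derivation; for `profile = "kaasix"` only one of `nixos.qcow2` and `kaasix.qcow2` can exist in that output, so one of the two call sites is broken. Check which filename the image builder emits and use it in both places rather than leaving the mismatch to be discovered in CI.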
@@ -141,25 +141,63 @@ in
 };
 # kubelet systemd unit is heavily inspired by official image-builder unit
 systemd = {
- services.cloud-final = {
- path = [
- "${kubeadm-bin}"
- "${kubelet-bin}"
- pkgs.cri-tools
- ];
- after = [ "containerd.service" ];
- wants = [ "containerd.service" ];
- };
- services.kubeadm-upgrade = {
- enable = true;
- path = [
- "${kubeadm-bin}"
- pkgs.jq
- ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.bash}/bin/bash -c '${kubeadm-upgrade}/bin/kubeadm-upgrade'";
- Restart = "on-failure";
+ services = {
+ cloud-final = {
+ path = [
+ "${kubeadm-bin}"
+ "${kubelet-bin}"
+ pkgs.cri-tools
+ ];
+ after = [ "containerd.service" ];
+ wants = [ "containerd.service" ];
+ };
+ kubeadm-upgrade = {
+ enable = true;
+ path = [
+ "${kubeadm-bin}"
+ pkgs.jq
+ ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.bash}/bin/bash -c '${kubeadm-upgrade}/bin/kubeadm-upgrade'";
+ Restart = "on-failure";
+ };
+ };
+ kubelet = {
+ enable = true;
+ description = "kubelet: The Kubernetes Node Agent";
+ documentation = [ "https://kubernetes.io/docs/home/" ];
+ path = [
+ "/opt/cni/bin"
+ pkgs.mount
+ pkgs.umount
+ pkgs.util-linux
+ pkgs.file
+ pkgs.iproute2
+ pkgs.iptables
+ pkgs.socat
+ pkgs.ethtool
+ pkgs.conntrack-tools
+ pkgs.multipath-tools
+ pkgs.openiscsi
+ pkgs.lsscsi
+ ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 10;
+ Environment = [
+ ''KUBELET_KUBECONFIG_ARGS="--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"''
+ ''KUBELET_CONFIG_ARGS="--config=/var/lib/kubelet/config.yaml --config-dir=/etc/kubernetes/kubelet/config.d"''
+ ];
+ EnvironmentFile = [
+ "-/var/lib/kubelet/kubeadm-flags.env"
+ "-/etc/sysconfig/kubelet"
+ ];
+ ExecStart = [
+ "${kubelet-bin}/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS"
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
 };
 };
 timers.kubeadm-upgrade-timer = {
@@ -172,42 +210,6 @@ in
 Unit = "kubeadm-upgrade.service";
 };
 };
- services.kubelet = {
- enable = true;
- description = "kubelet: The Kubernetes Node Agent";
- documentation = [ "https://kubernetes.io/docs/home/" ];
- path = [
- "/opt/cni/bin"
- pkgs.mount
- pkgs.umount
- pkgs.util-linux
- pkgs.file
- pkgs.iproute2
- pkgs.iptables
- pkgs.socat
- pkgs.ethtool
- pkgs.conntrack-tools
- pkgs.multipath-tools
- pkgs.openiscsi
- pkgs.lsscsi
- ];
- serviceConfig = {
- Restart = "always";
- RestartSec = 10;
- Environment = [
- ''KUBELET_KUBECONFIG_ARGS="--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"''
- ''KUBELET_CONFIG_ARGS="--config=/var/lib/kubelet/config.yaml --config-dir=/etc/kubernetes/kubelet/config.d"''
- ];
- EnvironmentFile = [
- "-/var/lib/kubelet/kubeadm-flags.env"
- "-/etc/sysconfig/kubelet"
- ];
- ExecStart = [
- "${kubelet-bin}/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS"
- ];
- };
- wantedBy = [ "multi-user.target" ];
- };

 # we need cacert to be a real file to be mounted in kube's pods using hostPath volumes
 tmpfiles.rules = [
diff --git a/profiles/rintaro/configuration.nix b/profiles/kaasix/configuration.nix
similarity index 100%
rename from profiles/rintaro/configuration.nix
rename to profiles/kaasix/configuration.nix
diff --git a/profiles/rintaro/default.nix b/profiles/kaasix/default.nix
similarity index 89%
rename from profiles/rintaro/default.nix
rename to profiles/kaasix/default.nix
index 397cd93..31c31c0 100644
--- a/profiles/rintaro/default.nix
+++ b/profiles/kaasix/default.nix
@@ -22,12 +22,17 @@ in
 timeout = 0;
 grub = {
 enable = true;
+ devices = [ "nodev" ];
 };
 };
 };
 networking = {
 hostName = lib.mkForce "";
 };
+ fileSystems."/" = {
+ fsType = "ext4";
+ device = "/dev/disk/by-label/nixos";
+ };
 networking.useDHCP = lib.mkDefault true;
 services.cloud-init.enable = true;
 customNixOSModules = {
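Review bot: `devices = [ "nodev" ];` makes the GRUB installer generate its config but, as far as I can tell, skip writing boot code to any disk, which is only correct for an EFI boot (`boot.loader.grub.efiSupport` / `efiInstallAsRemovable`); `profiles/kaasix/configuration.nix` is renamed unchanged and not shown here, so confirm it enables EFI, otherwise the qcow2 built from this profile ends up with a root filesystem but nothing to boot it. The new `fileSystems."/"` entry also hard-codes the label `nixos`; that has to match the label the image builder writes, so a comment such as `# label must match the root filesystem label set by the qcow2 image builder` next to the `device` line would save the next reader a search.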
diff --git a/profiles/rintaro/fastfetchConfig.nix b/profiles/kaasix/fastfetchConfig.nix
similarity index 71%
rename from profiles/rintaro/fastfetchConfig.nix
rename to profiles/kaasix/fastfetchConfig.nix
index f93dda4..854110d 100644
--- a/profiles/rintaro/fastfetchConfig.nix
+++ b/profiles/kaasix/fastfetchConfig.nix
@@ -9,8 +9,8 @@ let logo = let image = pkgs.fetchurl { - url = "https://i.imgur.com/TTA9fgg.jpeg"; - sha256 = "sha256-+9/6Dei+k8e7MjsLYsQUF9njW8sRPqAxw9wCEFrzeFM="; + url = "https://i.imgur.com/YAndRSL.jpeg"; + sha256 = "sha256-6rn4xPmEbvv5BS29HWVbK2rDXgvXzS9iArg/2nZObrM="; }; in "${image}";
diff --git a/shell.nix b/shell.nix
index cc778de..683586d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -6,6 +6,7 @@ pkgs.mkShell { packages = [ pkgs.qemu + pkgs.docker (pkgs.writeShellScriptBin "buildIso" '' #!/bin/bash set -euo pipefail
@@ -17,7 +18,14 @@ pkgs.mkShell {
 set -euo pipefail
 mkdir -p output
 chmod +w output -R
- cp $(${pkgs.nixos-generators}/bin/nixos-generate -f qcow -c profiles/$1/configuration.nix -I nixpkgs=$(nix eval --raw -f npins nixpkgs.outPath)) output/$1.qcow2
+ cp $(nix-build default.nix -A buildQcow2 --argstr profile $1)/$1.qcow2 output/$1.qcow2
+ '')
+ (pkgs.writeShellScriptBin "buildOciQcow2" ''
+ #!/bin/bash
+ set -euo pipefail
+ mkdir -p output
+ chmod +w output -R
+ $(nix-build default.nix -A ociQcow2 --argstr profile $1) > output/$1-qcow2-oci.tar
 '')
 (pkgs.writeShellScriptBin "runQcow2" ''
 #!/bin/bash
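Review bot: The new `buildQcow2` and `buildOciQcow2` scripts use the positional parameter and the `nix-build` output unquoted (`cp $(nix-build … --argstr profile $1)/$1.qcow2 output/$1.qcow2` and `$(nix-build … --argstr profile $1) > output/$1-qcow2-oci.tar`); `set -u` only catches a missing argument, a value with spaces or glob characters still word-splits, and `--argstr profile $1` ends up interpolated into `./profiles/${profile}/configuration.nix` in default.nix, so anything other than a directory name under `profiles/` should be rejected up front. Quote the expansions, e.g. `cp "$(nix-build default.nix -A buildQcow2 --argstr profile "$1")/$1.qcow2" "output/$1.qcow2"`, and add a guard such as `[ -d "profiles/$1" ] || { echo "unknown profile: $1" >&2; exit 1; }` right after `set -euo pipefail` in both scripts. The existing `buildIso` script lies outside this hunk and probably warrants the same treatment.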