# just runs the first recipe in the file when invoked without arguments;
# this one only depends on `help`, so a bare `just` prints the recipe list.

# Default command when 'just' is run without arguments
# Run 'just <command>' to execute a command.
default: help
# Prints usage hints around `just --list`. The trailing two messages are
# emitted by one printf so the recipe spawns one shell fewer; output is
# byte-identical to printing them separately.

# Display help
help:
    @printf "\nRun 'just -n <command>' to print what would be executed...\n\n"
    @just --list --unsorted
    @printf "\n...by running 'just <command>'.\nThis message is printed by 'just help' and just 'just'.\n"
# Shows the flake's inputs (metadata) and its outputs (show). The two
# commands are chained so `show` is skipped when `metadata` fails, which
# matches just aborting the recipe after a failing line.

# Print nix flake inputs and outputs
[group('nix')]
io:
    nix flake metadata && nix flake show
# Refreshes every input pinned in flake.lock to its latest revision. This
# changes what `build`/`run` evaluate, so review the resulting lock diff
# before committing it.

# Update nix flake
[group('nix')]
update:
    nix flake update
# Runs the flake's configured formatter. NOTE(review): `nix fmt` presumably
# rewrites files in place, so this is not a read-only check.

# Lint nix files
[group('nix')]
lint:
    nix fmt
# Evaluates and builds the flake's checks; fails non-zero on any failure.

# Check nix flake
[group('nix')]
check:
    nix flake check
# Opens an interactive shell with the flake's devShell environment.

# Manually enter dev shell
[group('nix')]
dev:
    nix develop
# Formats and checks before building, so `build` can modify the working tree
# (see `lint`) and fails early if `check` does.

# Build nix flake
[group('nix')]
build: lint check
    nix build
# Deletes only the ./result out-link left by `nix build`; the store paths it
# pointed to are untouched (run `nix-collect-garbage` separately for that).

# Remove build output link (no garbage collection)
[group('nix')]
clean:
    rm -f ./result
# Formats and checks, then runs the flake's default app. Like `build`, this
# may rewrite files via `lint` before anything runs.

# Run nix flake to setup environment
[group('nix')]
run: lint check
    nix run
# Builds the `container` flake output. NOTE(review): the doc comment says
# "OCI json format"; the exact artifact layout is defined by the flake, not
# visible here.

# Compile nix flake to OCI json format
[group('nix')]
oci:
    nix build .#container
# Loads the flake-built image into the local docker daemon. The daemon
# probe runs first so the failure message is clear instead of a nix error
# from copyToDockerDaemon. `docker` is hard-coded here rather than
# {{builder}}, presumably because copyToDockerDaemon targets docker itself.

# Build and copy OCI format container image to docker daemon
[group('nix')]
nixcontainer:
    docker info > /dev/null 2>&1 || { echo "The docker daemon is not running"; exit 1; }
    nix run .#container.copyToDockerDaemon
#----------------------------------------------------------------
# The just recipes below are for testing the flake in a container
#----------------------------------------------------------------

# Container runtime CLI used by the container-* recipes. Any of these
# variables can be overridden on the command line (`just builder=... <recipe>`).
builder := "docker"
# User, home and working directory inside the container; container_work is
# where container-run bind-mounts the host directory.
container_user := "runner"
container_home := "/home" / container_user
container_work := container_home / "work"
# Registry prefix (trailing slash included) prepended to container_image.
container_registry := "ghcr.io/cameronraysmith/"
# Selects which image to use; anything else aborts at parse time via error().
container_type := "testing" # or "container"
container_image := if container_type == "testing" {
    "debnix"
} else if container_type == "container" {
    "nixpod"
} else {
    error("container_type must be either 'testing' or 'container'")
}
# "latest" is a moving tag: pulls are not reproducible and a pushed update
# changes what the recipes below run. Pin a specific tag (or use a digest)
# when a stable image is required.
container_tag := "latest"
# Map just's arch()/os() names onto the names used in devpod release asset
# filenames; unsupported hosts fail at parse time so no recipe can run with
# a bogus download URL.
architecture := if arch() == "x86_64" {
    "amd64"
} else if arch() == "aarch64" {
    "arm64"
} else {
    error("unsupported architecture must be amd64 or arm64")
}
opsys := if os() == "macos" {
    "darwin"
} else if os() == "linux" {
    "linux"
} else {
    error("unsupported operating system must be darwin or linux")
}
# Release to install with `install-devpod`. With "latest" the URL resolves to
# whatever GitHub currently serves, so the download is not reproducible, and
# install-devpod performs no checksum or signature verification on it; set an
# explicit version here to get a stable, reviewable binary.
devpod_release := "latest" # or "v0.3.7" or "v0.4.0-alpha.4"
devpod_binary_url := if devpod_release == "latest" {
    "https://github.com/loft-sh/devpod/releases/latest/download/devpod-" + opsys + "-" + architecture
} else {
    "https://github.com/loft-sh/devpod/releases/download/" + devpod_release + "/devpod-" + opsys + "-" + architecture
}
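# Downloads the devpod release asset and installs it to /usr/local/bin with
# sudo. There is no integrity check (no pinned checksum or signature), so
# whatever the URL serves is installed as root; prefer a pinned
# devpod_release over "latest" and verify the binary out of band.
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error page as the "binary"; --proto '=https' refuses any redirect to a
# non-HTTPS URL; --tlsv1.2 rejects older TLS versions.

# Install devpod
[unix]
install-devpod:
    curl --fail --location --proto '=https' --tlsv1.2 -o devpod {{devpod_binary_url}} && \
    sudo install -c -m 0755 devpod /usr/local/bin && \
    rm -f devpod
    which devpod
    devpod version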
# Dumps the local devpod state: version, contexts, providers and workspaces.
# The blank line after the version keeps the listings visually separated.

# Print devpod info
devpod:
    devpod version
    echo
    devpod context list && devpod provider list && devpod list
# Registers the kubernetes provider (ignoring "already added" failures via the
# leading `-`) and then selects it as the active provider.

# Install and use devpod kubernetes provider
provider:
    -devpod provider add kubernetes --silent
    devpod provider use kubernetes
# Starts a devpod workspace named after container_image in the current kube
# context, using the registry image as the devcontainer and opening VS Code.
# The image reference uses container_tag ("latest" by default), so the pod
# runs whatever the registry currently serves under that tag.

# Run latest container_image in current kube context
pod:
    devpod up \
        --provider kubernetes \
        --provider-option DISK_SIZE=100Gi \
        --devcontainer-image {{container_registry}}{{container_image}}:{{container_tag}} \
        --source git:https://github.com/cameronraysmith/nixpod \
        --ide vscode \
        --open-ide \
        {{container_image}}
# No workspace argument is given, so devpod prompts for one.

# Interactively select devpod to stop
stop:
    devpod stop
# No workspace argument is given, so devpod prompts for one. Deletion is
# destructive for the workspace's volume.

# Interactively select devpod to delete
delete:
    devpod delete
# Selects the command that container-run passes to the image via `-c`.
# Override on the command line, e.g. `just container_command_type="testingbash" container-run`.
container_command_type := "sysbash"
# To test the flake manually, first inspect what would run with
#   $ just -n container_command_type="testingbash" container-run
# and then start the container with
#   $ just container_command_type="testingbash" container-run
# To activate home manager inside the container run:
#   > rm -f ~/.bashrc ~/.profile && nix run && direnv allow && zsh
#
# runflake:    remove the stock shell rc files in the container home, then run
#              the flake from the mounted work directory and start zsh.
# testingbash: cd to the work directory, set a minimal prompt and exec bash.
# sysbash/zsh: just start the named shell.
# Any other value fails at parse time via error().
container_command := if container_command_type == "runflake" {
    "cd " + container_home + " && rm -f .bashrc .profile .zshrc && cd "
    + container_work + " && nix run && direnv allow && zsh"
} else if container_command_type == "testingbash" {
    "cd " + container_work + ' && echo "export PS1=\"> \"" >> ~/.bashrc && exec bash'
} else if container_command_type == "sysbash" {
    "/bin/bash"
} else if container_command_type == "zsh" {
    "zsh"
} else {
    error("container_command_type must be one of
'runflake', 'testingbash', 'sysbash' or 'zsh'")
}
# Pulls the image reference assembled from the container_* variables; with
# the default floating tag this fetches whatever the registry serves now.

# Pull container image from registry
container-pull:
    {{builder}} pull {{container_registry}}{{container_image}}:{{container_tag}}
# Builds containers/Containerfile.<image> with the repository root as build
# context and tags it with the same reference container-pull uses. The
# container-pull dependency presumably warms the layer cache; the recipe
# still fails if the pull fails.

# Build and load image for running the flake in a container
container-build: container-pull
    {{builder}} build -t {{container_registry}}{{container_image}}:{{container_tag}} -f containers/Containerfile.{{container_image}} .
# Falls back to a local build only when the pull fails (e.g. no network or
# the tag does not exist in the registry).

# Build the image only if pull fails
container-pull-or-build:
    {{builder}} pull {{container_registry}}{{container_image}}:{{container_tag}} || \
    {{builder}} build -t {{container_registry}}{{container_image}}:{{container_tag}} -f containers/Containerfile.{{container_image}} .
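# Runs the image interactively with mount_path (default: the caller's cwd)
# bind-mounted at container_work, passing container_command via `-c` to the
# image entrypoint (presumably a shell). The bind-mount argument is quoted so
# a mount_path containing spaces is passed as one argument instead of being
# split by the shell. --rm discards the container on exit.

# Run the container image
container-run mount_path="$(pwd)": container-pull-or-build
    {{builder}} run -it \
        --rm -v "{{mount_path}}:{{container_work}}" {{container_registry}}{{container_image}}:{{container_tag}} \
        -c '{{container_command}}'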
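# Prints the manifest digest of docker.io/debian:stable-slim via skopeo,
# without a trailing newline. No TTY is requested: with `-t` the pty
# translates newlines to CR LF and the stripped output keeps a stray `\r`;
# `-i` is unnecessary because nothing is read from stdin. Both `\r` and `\n`
# are removed defensively. The skopeo image itself uses the floating
# `stable` tag; pin it (tag or digest) for a reproducible tool chain.

# Get base image digest
basecontainer-digest:
    {{builder}} run --rm \
        --entrypoint skopeo quay.io/skopeo/stable \
        inspect docker://docker.io/debian:stable-slim | \
        jq -r .Digest | tr -d '\r\n'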
# Pulls debian:stable-slim, saves it as a tarball in the cwd and prints the
# tarball's sha256 in three encodings. NOTE(review): this hashes the
# runtime's `save` output, which presumably differs from the registry
# manifest digest printed by basecontainer-digest. The tarball is removed
# afterwards; that removal is best-effort.

# Get base image tarball sha256
basecontainer-sha256:
    {{builder}} pull debian:stable-slim && \
    {{builder}} save -o debian_stable_slim.tar debian:stable-slim
    for enc in base16 base32 base64; do \
        nix-hash --type sha256 --$enc debian_stable_slim.tar || exit 1; \
    done
    rm debian_stable_slim.tar || true
# Smoke-tests the nix installation: hello (~30s) and nix-health (~3m).
# `github:srid/nix-health` is an unpinned flake reference, so this runs
# whatever that repository's default branch currently contains; pin a
# revision (`github:srid/nix-health/<REV-PLACEHOLDER>`) for a reproducible check.

# Run nixpkgs hello and nix-health
[group('nix')]
checknix:
    nix run nixpkgs#hello && nix run github:srid/nix-health
## CI/CD
# Docker command to run sethvargo/ratchet to pin GitHub Actions workflows version tags to commit hashes
# The ratchet image is pinned to 0.9.2. The cwd is bind-mounted at the same
# path and used as the working directory so the workflow paths below resolve
# inside the container. `-it` needs an interactive terminal. The escaped
# quotes become real shell quotes where this string is interpolated.
ratchet_base := "docker run -it --rm -v \"${PWD}:${PWD}\" -w \"${PWD}\" ghcr.io/sethvargo/ratchet:0.9.2"
# List of GitHub Actions workflows
# Space-separated paths consumed by the ratchet-* recipes' for loops.
gha_workflows := ".github/actions/tag-build-push-container/action.yml .github/workflows/cid.yaml .github/workflows/cd.yml .github/workflows/update-flake-lock.yml .github/workflows/labeler.yml .github/workflows/release-drafter.yaml"
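# Replaces version tags in each workflow with commit hashes. The ratchet
# command is interpolated by just directly into the line, so the shell sees
# the quotes from ratchet_base as-is and no `eval` is needed; that also keeps
# a $PWD containing spaces intact. `|| exit 1` aborts on the first failing
# workflow instead of masking it behind the loop's final exit status. The
# same pattern applies to ratchet-unpin and ratchet-update.

# Pin all workflow versions to hash values (requires Docker)
[group('CI/CD')]
ratchet-pin:
    @for wf in {{gha_workflows}}; do \
        {{ratchet_base}} pin "$wf" || exit 1; \
    done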
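# Reverse of ratchet-pin: restores semantic version tags. The ratchet command
# is interpolated directly (no `eval`), so ratchet_base's quoting reaches the
# shell intact, and `|| exit 1` stops on the first failing workflow rather
# than reporting only the last one's status.

# Unpin hashed workflow versions to semantic values (requires Docker)
[group('CI/CD')]
ratchet-unpin:
    @for wf in {{gha_workflows}}; do \
        {{ratchet_base}} unpin "$wf" || exit 1; \
    done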
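# Bumps pinned actions to their latest versions. The ratchet command is
# interpolated directly (no `eval`), so ratchet_base's quoting reaches the
# shell intact, and `|| exit 1` stops on the first failing workflow rather
# than reporting only the last one's status. Review the resulting diff: an
# update changes which third-party action code the workflows execute.

# Update GitHub Actions workflows to the latest version (requires Docker)
[group('CI/CD')]
ratchet-update:
    @for wf in {{gha_workflows}}; do \
        {{ratchet_base}} update "$wf" || exit 1; \
    done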
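# Sets repository variables from the caller's environment and lists them
# before and after. `${VAR:?...}` makes the shell fail with a message when
# a source variable is unset or empty, instead of silently overwriting the
# repository value with an empty string.

# Update github vars for repo from environment variables
[group('CI/CD')]
ghvars repo="cameronraysmith/nixpod":
    @echo "vars before updates:"
    @echo
    PAGER=cat gh variable list --repo={{ repo }}
    @echo
    gh variable set CACHIX_CACHE_NAME --repo={{ repo }} --body="${CACHIX_CACHE_NAME:?CACHIX_CACHE_NAME is not set}"
    gh variable set FAST_FORWARD_ACTOR --repo={{ repo }} --body="${FAST_FORWARD_ACTOR:?FAST_FORWARD_ACTOR is not set}"
    @echo
    @echo vars after updates:
    @echo
    PAGER=cat gh variable list --repo={{ repo }}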
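# Sets repository secrets from the environment exported by `teller sh` and
# lists secret names before and after. Values are piped to `gh secret set`
# on stdin rather than passed as `--body=...`: command-line arguments are
# visible to other local users via process listings, stdin is not.
# `${VAR:?...}` aborts with a message if a source variable is unset or
# empty, so a repository secret is never overwritten with nothing. The
# `eval "$(teller sh)"` runs whatever teller emits in this shell.

# Update github secrets for repo from environment variables
[group('CI/CD')]
ghsecrets repo="cameronraysmith/nixpod":
    @echo "secrets before updates:"
    @echo
    PAGER=cat gh secret list --repo={{ repo }}
    @echo
    eval "$(teller sh)" && \
    printf '%s' "${CACHIX_AUTH_TOKEN:?CACHIX_AUTH_TOKEN is not set}" | gh secret set CACHIX_AUTH_TOKEN --repo={{ repo }} && \
    printf '%s' "${ARTIFACT_REGISTRY_PASSWORD:?ARTIFACT_REGISTRY_PASSWORD is not set}" | gh secret set ARTIFACT_REGISTRY_PASSWORD --repo={{ repo }} && \
    printf '%s' "${FAST_FORWARD_PAT:?FAST_FORWARD_PAT is not set}" | gh secret set FAST_FORWARD_PAT --repo={{ repo }}
    @echo
    @echo secrets after updates:
    @echo
    PAGER=cat gh secret list --repo={{ repo }}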
# Uses act to enumerate the jobs defined under .github/workflows.

# List available workflows and associated jobs.
[group('CI/CD')]
list-workflows:
    @act -l
# Runs the `nixci` job of .github/workflows/cid.yaml locally with act, under
# `teller run -s` so GITHUB_TOKEN and CACHIX_AUTH_TOKEN come from teller's
# environment (act's `-s NAME` with no value reads the secret from the
# environment). Note the recipe targets cid.yaml, not a file named flake.yaml.

# Execute the nixci job of the cid.yaml workflow locally with act.
[group('CI/CD')]
test-flake-workflow:
    @teller run -s -- \
        act workflow_dispatch \
        -W '.github/workflows/cid.yaml' \
        -j nixci \
        --matrix os:ubuntu-latest \
        -s GITHUB_TOKEN -s CACHIX_AUTH_TOKEN
## secrets
# Define the project variable
# GCP project for the gcloud secrets recipes; taken from $GCP_PROJECT_ID and
# falling back to 'development' when that variable is unset.
gcp_project_id := env_var_or_default('GCP_PROJECT_ID', 'development')
# Prints the secrets teller knows about for this project.

# Show existing secrets
[group('secrets')]
show:
    @teller show
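# Creates an empty Secret Manager secret with automatic replication in
# gcp_project_id. The name is quoted so the shell passes it as a single
# argument even if it contains characters the shell would otherwise split on.

# Create a secret with the given name
[group('secrets')]
create-secret name:
    @gcloud secrets create "{{name}}" --replication-policy="automatic" --project {{gcp_project_id}}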
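# Adds the whole file at `path` as a new version of secret `name`. Both
# arguments are quoted so a path containing spaces is passed intact instead
# of being word-split by the shell.

# Populate a single secret with the contents of a dotenv-formatted file
[group('secrets')]
populate-single-secret name path:
    @gcloud secrets versions add "{{name}}" --data-file="{{path}}" --project {{gcp_project_id}}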
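# Creates one secret per KEY=VALUE line of the dotenv file at `path`.
# Comment lines are dropped by grep; lines without `=` (including blank
# lines) are skipped. KEY/VALUE are split with parameter expansion on the
# first `=` only, so values that themselves contain `=` (e.g. base64
# padding) are no longer truncated as they were with `cut -f 2`, and
# `echo $line` globbing/word-splitting is avoided. `printf '%s'` writes the
# value verbatim (no trailing newline) instead of treating it as a printf
# format string. Quotes in the dotenv value are stored as-is. The `create`
# error stream is silenced because it fails when the secret already exists;
# a failing `versions add` aborts the recipe instead of being lost in the loop.

# Populate each line of a dotenv-formatted file as a separate secret
[group('secrets')]
populate-separate-secrets path:
    @grep -v '^[[:space:]]*#' "{{path}}" | while IFS= read -r line; do \
        case "$line" in *=*) ;; *) continue ;; esac; \
        KEY=${line%%=*}; \
        VALUE=${line#*=}; \
        gcloud secrets create "$KEY" --replication-policy="automatic" --project {{gcp_project_id}} 2>/dev/null; \
        printf '%s' "$VALUE" | gcloud secrets versions add "$KEY" --data-file=- --project {{gcp_project_id}} || exit 1; \
    done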
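# Creates `name` and then adds the file at `path` as its first version.
# Expressed as dependencies with arguments instead of re-invoking `just`,
# so `just -n` shows the real gcloud commands and no child just process is
# spawned; the two steps run in order, as before.

# Complete process: Create a secret and populate it with the entire contents of a dotenv file
[group('secrets')]
create-and-populate-single-secret name path: (create-secret name) (populate-single-secret name path)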
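# Thin alias for populate-separate-secrets (which already creates each
# secret before adding its version). Expressed as a dependency with an
# argument instead of re-invoking `just`, so `just -n` shows the real
# commands and no child just process is spawned.

# Complete process: Create and populate separate secrets for each line in the dotenv file
[group('secrets')]
create-and-populate-separate-secrets path: (populate-separate-secrets path)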
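# Prints the latest version of secret `name` to stdout. The name is quoted so
# it is passed as a single argument. Note the value goes to the terminal (and
# to any pipe or log capturing it).

# Retrieve the contents of a given secret
[group('secrets')]
get-secret name:
    @gcloud secrets versions access latest --secret="{{name}}" --project={{gcp_project_id}}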
# Copies the tracked template to .env; overwrites an existing .env silently.

# Create empty dotenv from template
[group('secrets')]
seed-dotenv:
    @cp .template.env .env
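# Writes teller's secrets as dotenv lines to .secrets.env (de-duplicated,
# blank lines dropped). The file holds plaintext credentials, so it is
# created owner-readable only: `umask 077` applies to a newly created file
# and the trailing chmod tightens an already existing one. As before, the
# recipe fails if the export produces no non-empty lines (grep exits 1).

# Export unique secrets to dotenv format
[group('secrets')]
export:
    @umask 077 && teller export env | sort | uniq | grep -v '^$' > .secrets.env && chmod 600 .secrets.env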
# Lists the GITHUB*/CACHIX* variables present in teller's environment with
# their values masked by `teller redact`, to confirm the secrets resolve.

# Check secrets are available in teller shell.
[group('secrets')]
check-secrets:
    @printf "Check teller environment for secrets\n\n"
    @teller run -s -- env | grep -e GITHUB -e CACHIX | teller redact
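# Writes the KUBECONFIG value from teller's environment to kubeconfig.yaml
# (NOTE(review): this presumes the variable holds the kubeconfig contents,
# not a path — confirm against the teller configuration). The file contains
# cluster credentials, so it is created owner-readable only via `umask 077`
# and an existing file is tightened with chmod.

# Save KUBECONFIG to file
[group('secrets')]
get-kubeconfig:
    @umask 077 && teller run -s -- printenv KUBECONFIG > kubeconfig.yaml && chmod 600 kubeconfig.yaml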