
Commit 0cad770

committed
deploy one cicero instance per branch
1 parent 3bd6dfd commit 0cad770


4 files changed

+80
-52
lines changed


flake.lock

Lines changed: 6 additions & 6 deletions

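--- a/nix/cloud/actions.nix
+++ b/nix/cloud/actions.nix
@@ -7,11 +7,17 @@
 lib,
 ociRegistry,
 ...
-}: {
+}: let
+pushInput = "push";
+pushBody = config.run.facts.${pushInput}.value.github_body;
+branch = lib.removePrefix "refs/heads/" pushBody.ref;
+in {
 io = ''
 let cfg = {
 #lib.io.github_push,
+#input: "${pushInput}"
 #repo: "input-output-hk/cicero"
+#default_branch: false
 inputs: _final_inputs
 }
 
@@ -35,35 +41,47 @@
 prepare = with cell.oci-images.cicero; [
 {
 type = "nix2container";
-name = "${ociRegistry}/${lib.removePrefix "registry.ci.iog.io/" imageName}:${imageTag}";
+name = "${ociRegistry}/${lib.removePrefix "registry.ci.iog.io/" imageName}:${branch}";
 imageDrv = drvPath;
 }
 ];
 
-job.cicero.type = "service";
+job = let
+inherit (pushBody.repository) default_branch;
 
-imports = [
-(
-let
-hcl =
-(
-(lib.callPackageWith cell.constants.args.prod)
-./nomadEnvs/cicero
-{
-inherit cell;
-inputs =
-inputs
-// {
-cicero = builtins.getFlake "github:input-output-hk/cicero/${config.preset.github-ci.lib.getRevision "ci" null}";
-};
-}
-)
-.job;
+hcl =
+(
+(lib.callPackageWith (
+cell.constants.args.prod
+// {inherit branch default_branch;}
+))
+./nomadEnvs/cicero
+{
+inherit cell;
+inputs =
+inputs
+// {
+cicero =
+builtins.getFlake
+"github:input-output-hk/cicero/${config.preset.github-ci.lib.getRevision pushInput null}";
+};
+}
+)
+.job;
 
-hclFile = __toFile "job.hcl" (builtins.unsafeDiscardStringContext (__toJSON {job = hcl;}));
-in
-lib.nix-nomad.importNomadModule hclFile {}
-)
-];
+hclFile = __toFile "job.hcl" (builtins.unsafeDiscardStringContext (__toJSON {job = hcl;}));
+
+module = lib.nix-nomad.importNomadModule hclFile {};
+
+jobName = "cicero" + lib.optionalString (branch != default_branch) "-${branch}";
+in {
+${jobName} = args:
+(
+__mapAttrs
+(_: job: {type = "service";} // job)
+(module args).job
+)
+.${jobName};
+};
 };
 }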
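Review bot: `branch` is taken directly from the push payload (`lib.removePrefix "refs/heads/" pushBody.ref`) and is never checked before it is interpolated into the OCI image tag, the Nomad job name and, via `callPackageWith`, the host name, backtick-quoted Traefik `Host(...)` rules and database name built in nix/cloud/nomadEnvs/cicero/default.nix. Git allows branch names containing `/`, `.`, upper-case letters and backticks, which are not safe in all of those positions, and a ref that does not begin with `refs/heads/` passes through `removePrefix` unchanged; whether `#lib.io.github_push` already filters these is not visible in this hunk, whose enclosing function head starts above it. I would reject unexpected names where the binding is closed, e.g. `in assert lib.assertMsg (builtins.match "[a-z0-9]([a-z0-9-]*[a-z0-9])?" branch != null) "unsupported branch name: ${branch}"; {`. Separately, the pushed image name changes from `${imageTag}` to `${branch}`, a mutable tag, so the image a job runs depends on when that tag was last pushed; recording the digest alongside the tag would keep deployments attributable.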

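--- a/nix/cloud/nomadEnvs/cicero/default.nix
+++ b/nix/cloud/nomadEnvs/cicero/default.nix
@@ -4,13 +4,23 @@
 namespace,
 domain,
 datacenters ? ["eu-central-1"],
+default_branch ? "main",
+branch ? default_branch,
 }: let
 inherit (cell.library) ociNamer;
 inherit (cell) oci-images;
 inherit (inputs.cicero.packages) cicero-entrypoint;
 inherit (inputs.data-merge) merge;
 inherit (inputs.nixpkgs) writeText lib;
 
+subdomain =
+lib.optionalString (branch != default_branch) "${branch}."
++ "cicero";
+
+ciceroName =
+"cicero"
++ lib.optionalString (branch != default_branch) "-${branch}";
+
 nixConfig = ''
 substituters = http://spongix.service.consul:7745?compression=none
 extra-trusted-public-keys = ci-world-0:fdT/Z5YK5dxaV/kROE4EqaxwTcQSpVpVCSTKuTyIXFY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
@@ -36,7 +46,7 @@
 # arbitrary revision from nixpkgs-unstable
 nixpkgsRev = "19574af0af3ffaf7c9e359744ed32556f34536bd";
 datacenters = ["eu-central-1"];
-ciceroWebUrl = "https://cicero.ci.iog.io";
+ciceroWebUrl = "https://${subdomain}.${domain}";
 inherit nixConfig postBuildHook;
 };
 in ''
@@ -103,7 +113,7 @@
 driver = "docker";
 
 config = {
-image = ociNamer oci-images.cicero;
+image = "${oci-images.cicero.imageName}:${branch}";
 command = "${cell.entrypoints.cicero}/bin/entrypoint";
 };
 
@@ -130,7 +140,7 @@
 # https://github.com/hashicorp/go-getter/blob/4553965d9c4a8d99bd0d381c1180c08e07eff5fd/netrc.go#L24
 NETRC = "/secrets/netrc";
 
-CICERO_EVALUATOR_NIX_OCI_REGISTRY = "docker://registry.ci.iog.io";
+CICERO_EVALUATOR_NIX_OCI_REGISTRY = "docker://registry.${domain}";
 REGISTRY_AUTH_FILE = "/secrets/docker";
 };
 
@@ -163,7 +173,7 @@
 data = let
 pass = ''{{with secret "kv/data/cicero/db"}}{{.Data.data.value}}{{end}}'';
 in ''
-DATABASE_URL=postgres://cicero:${pass}@master.${namespace}-database.service.consul/cicero?target_session_attrs=read-write
+DATABASE_URL=postgres://cicero:${pass}@master.${namespace}-database.service.consul/${ciceroName}?target_session_attrs=read-write
 '';
 env = true;
 }
@@ -173,7 +183,7 @@
 data = ''
 {
 "auths": {
-"registry.ci.iog.io": {
+"registry.${domain}": {
 "auth": "{{with secret "kv/data/cicero/docker"}}{{with .Data.data}}{{print .user ":" .password | base64Encode}}{{end}}{{end}}"
 }
 }
@@ -210,27 +220,27 @@
 };
 };
 in {
-job.cicero = {
+job.${ciceroName} = {
 inherit datacenters namespace;
 
 group.cicero = merge commonGroup {
 service = [
 {
-name = "cicero-internal";
+name = "${ciceroName}-internal";
 address_mode = "auto";
 port = "http";
 tags = [
 "ingress"
 "traefik.enable=true"
-"traefik.http.routers.cicero-internal.rule=Host(`cicero.ci.iog.io`, `cicero.iog.io`) && HeadersRegexp(`Authorization`, `Basic`)"
-"traefik.http.routers.cicero-internal.middlewares=cicero-auth@consulcatalog"
+"traefik.http.routers.${ciceroName}-internal.rule=Host(`${subdomain}.${domain}`, `${subdomain}.iog.io`) && HeadersRegexp(`Authorization`, `Basic`)"
+"traefik.http.routers.${ciceroName}-internal.middlewares=cicero-auth@consulcatalog"
 "traefik.http.middlewares.cicero-auth.basicauth.users=cicero:$2y$05$lcwzbToms.S83xjBFlHSvO.Lt3Y37b8SLd/9aYuqoSxBOxR9693.2"
 "traefik.http.middlewares.cicero-auth.basicauth.realm=Cicero"
-"traefik.http.routers.cicero-internal.entrypoints=https"
-"traefik.http.routers.cicero-internal.tls=true"
-"traefik.http.routers.cicero-internal.tls.certresolver=acme"
+"traefik.http.routers.${ciceroName}-internal.entrypoints=https"
+"traefik.http.routers.${ciceroName}-internal.tls=true"
+"traefik.http.routers.${ciceroName}-internal.tls.certresolver=acme"
 ];
-canary_tags = ["cicero"];
+canary_tags = [ciceroName];
 check = [
 {
 type = "tcp";
@@ -241,19 +251,19 @@ in {
 ];
 }
 {
-name = "cicero";
+name = ciceroName;
 address_mode = "auto";
 port = "http";
 tags = [
 "ingress"
 "traefik.enable=true"
-"traefik.http.routers.cicero.rule=Host(`cicero.ci.iog.io`, `cicero.iog.io`)"
-"traefik.http.routers.cicero.middlewares=oauth-auth-redirect@file"
-"traefik.http.routers.cicero.entrypoints=https"
-"traefik.http.routers.cicero.tls=true"
-"traefik.http.routers.cicero.tls.certresolver=acme"
+"traefik.http.routers.${ciceroName}.rule=Host(`${subdomain}.${domain}`, `${subdomain}.iog.io`)"
+"traefik.http.routers.${ciceroName}.middlewares=oauth-auth-redirect@file"
+"traefik.http.routers.${ciceroName}.entrypoints=https"
+"traefik.http.routers.${ciceroName}.tls=true"
+"traefik.http.routers.${ciceroName}.tls.certresolver=acme"
 ];
-canary_tags = [ciceroName];
+canary_tags = [ciceroName];
 check = [
 {
 type = "tcp";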
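Review bot: Every per-branch instance still renders the production Vault paths, `kv/data/cicero/db` in `DATABASE_URL` and `kv/data/cicero/docker` in the registry auth file, and only the database name (`${ciceroName}`) differs, so code built from any pushed branch runs holding the same `cicero` role password and registry credentials as the default-branch service. If branch deployments are meant to be lower-trust, give them their own database role and registry account, for example by keying the secret path on the instance as in `pass = ''{{with secret "kv/data/${ciceroName}/db"}}{{.Data.data.value}}{{end}}'';`, backed by a Vault policy that cannot read the production entries. The `cicero-auth` basic-auth middleware and its hard-coded hash are also shared by every `${ciceroName}-internal` router, so one credential opens all instances. These hunks are fragments of a larger `let … in` body, so any separation enforced elsewhere is not visible here.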

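--- a/nix/cloud/oci-images.nix
+++ b/nix/cloud/oci-images.nix
@@ -43,7 +43,7 @@ in {
 in
 buildImage {
 name = "registry.ci.iog.io/cicero";
-tag = "latest";
+tag = "main"; # keep in sync with branch name of flake input
 config.Cmd = ["${cell.entrypoints.cicero}/bin/entrypoint"];
 config.Env = lib.mapAttrsToList (n: v: "${n}=${v}") {
 SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";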
