Merge branch 'build/runner-terraform' into 'main'

Build/runner terraform

See merge request veilid/veilid!9

.gitlab-ci.yml

@@ -1,82 +1,14 @@
 variables:
-  GIT_SUBMODULE_STRATEGY: recursive
-  BUILD_IMAGE_LINUX_AMD64: $CI_REGISTRY/veilid/ci-cd/veilid-build-linux-amd64:latest
+  NO_DOCKER: 1
+  BUILDKIT_HOST: tcp://veilid-runner-1:8372
+  EARTHLY_EXEC_CMD: "/bin/sh"
 
-stages:
-  - clippy
-  - test
-  - build
-
-############# Clippy Lint
-
-clippy:
-  stage: clippy
-  image: ${BUILD_IMAGE_LINUX_AMD64}
-  cache:
-    key: $CI_COMMIT_REF_SLUG-linux-amd64
-    paths:
-      - target/
-  tags:
-    - linux
-    - amd64
-  script:
-    - cargo clippy
-  # Only run clippy on non-protected branches, for development
-  rules:
-    - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_MERGE_REQUEST_IID
-      when: never
-    - if: $CI_COMMIT_REF_PROTECTED == "false"
-
-############# Unit Testing
-
-.test_rules_common:
-  # Only do tests for tags, protected branches, or merge requests
-  rules:
-    - if: $CI_COMMIT_TAG
-    - if: $CI_MERGE_REQUEST_IID
-    - if: $CI_COMMIT_REF_PROTECTED == "true"
-
-test_linux_amd64:
-  stage: test
-  image: ${BUILD_IMAGE_LINUX_AMD64}
-  cache:
-    key: $CI_COMMIT_REF_SLUG-linux-amd64
-    paths:
-      - target/
-  tags:
-    - linux
-    - amd64
-  script:
-    - RUST_BACKTRACE=1 dbus-run-session -- cargo test -- --nocapture
-  rules:
-    - !reference [.test_rules_common, rules]
-
-############# Build
-
-.build_rules_common:
-  # Only build for tags or protected branches
-  rules:
-    - if: $CI_COMMIT_TAG
-    - if: $CI_COMMIT_REF_PROTECTED == "true"
-
-build_linux_amd64:
+earthly:
   stage: build
-  image: ${BUILD_IMAGE_LINUX_AMD64}
-  cache:
-    key: $CI_COMMIT_REF_SLUG-linux-amd64
-    paths:
-      - target/
+  image: earthly/earthly:v0.6.28
   tags:
     - linux
     - amd64
   script:
-    - cargo build --release
-  artifacts:
-    name: $CI_COMMIT_REF_SLUG-linux-amd64
-    paths:
-      - target/release/veilid-cli
-      - target/release/veilid-server
-  rules:
-    - !reference [.build_rules_common, rules]
+    - earthly --ci -P --no-cache +package-linux
+

Earthfile

@@ -144,4 +144,4 @@ package-linux-arm64:
 
 package-linux:
     BUILD +package-linux-amd64
-    BUILD +package-linux-arm64
+    BUILD +package-linux-arm64

cicd/.gitignore

@@ -0,0 +1,2 @@
+.terraform*
+terraform.tfstate*

cicd/Makefile

@@ -0,0 +1,33 @@
+DO_PAT := $(shell cat ~/.config/doctl/config.yaml | yq e '.access-token' -)
+GITLAB_REG_KEY := $(shell sops -d secrets.yaml | yq e '.gitlab-reg-key' -)
+GITLAB_SERVER_URL := $(shell sops -d secrets.yaml | yq e '.gitlab-server-url' -)
+RUNNER_NAME := "veilid-runner-1"
+KEYNAME := "pensfabriko"
+
+
+plan-runner:
+	terraform plan \
+		-var "do_token=${DO_PAT}" \
+		-var "pvt_key=${HOME}/.ssh/id_rsa" \
+		-var "ssh_key=${KEYNAME}" \
+		-var "reg_key=${GITLAB_REG_KEY}" \
+		-var "ci_server_url=${GITLAB_SERVER_URL}" \
+		-var "runner_name=${RUNNER_NAME}"
+
+create-runner:
+	terraform apply \
+		-var "do_token=${DO_PAT}" \
+		-var "pvt_key=${HOME}/.ssh/id_rsa" \
+		-var "ssh_key=${KEYNAME}" \
+		-var "reg_key=${GITLAB_REG_KEY}" \
+		-var "ci_server_url=${GITLAB_SERVER_URL}" \
+		-var "runner_name=${RUNNER_NAME}"
+
+destroy-runner:
+	terraform destroy \
+		-var "do_token=${DO_PAT}" \
+		-var "pvt_key=${HOME}/.ssh/id_rsa" \
+		-var "ssh_key=${KEYNAME}" \
+		-var "reg_key=${GITLAB_REG_KEY}" \
+		-var "ci_server_url=${GITLAB_SERVER_URL}" \
+		-var "runner_name=${RUNNER_NAME}"

cicd/README.md

@@ -0,0 +1,48 @@
+# Terraform for Gitlab Runner
+
+After having had trouble with my Gitlab Runner, I decided to put together a plan
+for creating runners more automatically, thus this Terraform configuration.
+
+This plan assumes running a Gitlab Runner, Docker Executor on a DigitalOcean
+droplet. Running this plan requires an active DigitalOcean account, a configured
+SSH key that will be installed on any created droplet, and a DigitalOcean
+personal access token (PAT).
+
+## Creating the runner
+
+Before creating the runner, we run a `plan` to ensure we are creating the
+droplet that we expect. First, we will export our access token as an environment
+variable:
+
+```shell
+export DO_PAT="$(cat ~/.config/doctl/config.yaml | yq e '.access-token' -)"
+```
+
+Then we can run our plan:
+
+```shell
+terraform plan \
+  -var "do_token=${DO_PAT}" \
+  -var "pvt_key=${HOME}/.ssh/id_rsa" \
+  -var "ssh_key=${KEYNAME}" \
+  -var "reg_key=${GITLAB_REG_KEY}"
+```
+
+If the output is what was expected, we may now create the droplet:
+
+```shell
+terraform apply \
+  -var "do_token=${DO_PAT}" \
+  -var "pvt_key=${HOME}/.ssh/id_rsa" \
+  -var "ssh_key=${KEYNAME}"
+  -var "reg_key=${GITLAB_REG_KEY}"
+```
+
+## Destroying the runner
+
+```shell
+terraform destroy \
+  -var "do_token=${DO_PAT}" \
+  -var "pvt_key=${HOME}/.ssh/id_rsa" \
+  -var "ssh_key=${KEYNAME}"
+```

cicd/config/config.toml

@@ -0,0 +1,20 @@
+concurrent = 1
+check_interval = 0
+
+[session_server]
+  session_timeout = 1800
+
+[[runners]]
+  [runners.custom_build_dir]
+  [runners.cache]
+    [runners.cache.s3]
+    [runners.cache.gcs]
+    [runners.cache.azure]
+  [runners.docker]
+    privileged = true
+    tls_verify = false
+    disable_entrypoint_overwrite = false
+    oom_kill_disable = false
+    disable_cache = false
+    shm_size = 0
+

cicd/config/template.config.toml

@@ -0,0 +1,5 @@
+[[runners]]
+  [runners.docker]
+    privileged = true
+    network_mode = "host"
+    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock:rw"]

cicd/docker-install.yaml

@@ -0,0 +1,39 @@
+- name: Prepare Docker Executor
+  become: yes
+  hosts: all
+  tasks:
+    - name: install-dependencies
+      ansible.builtin.apt:
+        pkg:
+        - ca-certificates
+        - curl
+        - gnupg
+        - lsb-release
+        - git
+    - name: install-docker-sources
+      ansible.builtin.script: ./docker-sources.sh
+    - name: install-docker-packages
+      ansible.builtin.apt:
+        pkg:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-compose-plugin
+    - name: install-earthly
+      ansible.builtin.script: ./earthly-setup.sh
+    - name: copy-config
+      ansible.builtin.copy:
+        src: ./config/config.toml
+        dest: /etc/gitlab-runner/
+    - name: copy-config-template
+      ansible.builtin.copy:
+        src: ./config/template.config.toml
+        dest: /tmp/gitlab-runner/
+    - name: install-gitlab-runner
+      ansible.builtin.script: ./gitlab-runner.sh install
+    - name: register-gitlab-runner
+      ansible.builtin.script: ./gitlab-runner.sh register
+      environment:
+        CI_SERVER_URL: "{{ ci_server_url }}"
+        REGISTRATION_TOKEN: "{{ regkey }}"
+        RUNNER_NAME: "{{ runner_name }}"

cicd/docker-sources.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -e
+
+KEYRING=/etc/apt/keyrings/docker.gpg
+
+# Download Docker source keyring
+mkdir -p /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg \
+  | gpg --dearmor -o ${KEYRING}
+
+# Set Docker apt source
+echo "deb [arch=$(dpkg --print-architecture) signed-by=${KEYRING}] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
+  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+# Update sources
+apt-get update

cicd/earthly-setup.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+docker run -d --restart always \
+  --privileged \
+  --name earthly-buildkit \
+  --hostname earthly-buildkit \
+  --network host \
+  -t -p 8372:8372 \
+  -v earthly-tmp:/tmp/earthly:rw \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  --env BUILDKIT_TCP_TRANSPORT_ENABLED=true \
+  --env CNI_MTU=1500 \
+  earthly/buildkitd:v0.6.28

cicd/gitlab-runner.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+
+install () {
+  docker run -d --name gitlab-runner --restart always \
+    -v /srv/gitlab-runner/config:/etc/gitlab-runner \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    --hostname="gitlab-runner" \
+    --network="host" \
+    gitlab/gitlab-runner:latest
+}
+
+register () {
+
+  docker run --rm -it \
+    -v /srv/gitlab-runner/config:/etc/gitlab-runner \
+    -v /tmp/gitlab-runner:/tmp/gitlab-runner \
+    --network="host" \
+    gitlab/gitlab-runner register \
+    --config /etc/gitlab-runner/config.toml \
+    --template-config /tmp/gitlab-runner/template.config.toml \
+    --non-interactive \
+    --executor "docker" \
+    --docker-image alpine:latest \
+    --url "${CI_SERVER_URL}" \
+    --registration-token "${REGISTRATION_TOKEN}" \
+    --description "${RUNNER_NAME}" \
+    --tag-list "amd64,linux"
+}
+
+case $1 in
+  install)
+    install
+    ;;
+
+  register)
+    register
+    ;;
+
+esac

cicd/provider.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+  }
+}
+
+variable "do_token" {}
+variable "ssh_key" {}
+variable "pvt_key" {}
+variable "reg_key" {}
+variable "ci_server_url" {}
+variable "runner_name" {}
+
+provider "digitalocean" {
+  token = var.do_token
+}
+
+data "digitalocean_ssh_key" "ssh_key" {
+  name = var.ssh_key 
+}

cicd/runner.tf

@@ -0,0 +1,38 @@
+resource "digitalocean_droplet" "veilid-runner-1" {
+  image = "debian-11-x64"
+  name = "veilid-runner-1"
+  region = "nyc1"
+  size = "s-1vcpu-512mb-10gb"
+  ssh_keys = [
+    data.digitalocean_ssh_key.ssh_key.id
+  ]
+
+  connection {
+    host = self.ipv4_address
+    user = "root"
+    type = "ssh"
+    private_key = file(var.pvt_key)
+    timeout = "2m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "apt-get update",
+      "apt-get install python3-apt -y"
+    ]
+  }
+
+  provisioner "local-exec" {
+    command = <<EOF
+ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u root \
+  -i '${self.ipv4_address},' \
+  --private-key ${var.pvt_key} \
+  -e "regkey=${var.reg_key} ci_server_url=${var.ci_server_url} runner_name=${var.runner_name}" \
+  docker-install.yaml
+EOF
+  }
+}
+
+output "droplet_ip_address" {
+  value = digitalocean_droplet.veilid-runner-1
+}

cicd/secrets.yaml

@@ -0,0 +1,28 @@
+gitlab-reg-key: ENC[AES256_GCM,data:vGTp6/EfJVVZ1KmsmIlAdV1ynpT3HJgoRMUQ+3c=,iv:DM56MT4tAr4Xxx7hfP5pw+JS+5IWY8EYAGv5wJNyj94=,tag:PIYWkE8TXSIjduDHKnkQsA==,type:str]
+gitlab-server-url: ENC[AES256_GCM,data:iPz2mtv0zMfj7We2428Kn2Eq0/3Q/c1mMBm9,iv:hS/vfJEQTB+53mgjj2XILmBJBmtqOpb5r5xmjyfcrV0=,tag:agwv9j97wX0yDc3UyoWXww==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-10-29T22:11:50Z"
+    mac: ENC[AES256_GCM,data:RNo6R6ABnHnMyi4HRiDjwu+GVXi/LNv2WQw/wZZZtDbxJZ/YWAHJ1At0JfDMzV4ggcMX3nlZEPfvrlTPKcfz0X2SFYJX1LUfhU9BHcUXCwJuTFCMaibH2zbvZj9ZcARi1cA5UDiwXdN0coyAu+ZgOy5XO+fC+D9Fcn453KCkuNY=,iv:+88gp8+BCkBsMMwZf+DyWV8TRQ4WFTXUjM9nbciPJlg=,tag:Fg/UB6ojU70yDr4gSXMfMg==,type:str]
+    pgp:
+        - created_at: "2022-10-22T01:00:42Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA1ZcWAF5W+pcAQgAwpQp7pmZnkEgvOu8apWz3FLSFnCGnduVSXb+Y2cjat+Z
+            hu7U4c8HdowdZqpad4kw1OYFkwtjIlz3ruDYHAFSXP3Snkr27VfwbPU16QrjyzUx
+            guUV24v8K1T1XP3XooL2caYjG5eOqavkBezPexTNvxqLoioD1EYruOh22xaum13R
+            +GZ+SuLg3Y19QNucZK+pwK5UNnPD8nF/c56XiWbIvZ3RHWGJf6+/IvSdXrIlKQ8A
+            L6JmBeYaZDXXVwHqYY8c6h7mUP7FIMKzsI3jypLGu6eqeRYdDWUOdyk4AutckSdP
+            LF8t2eBNUNB6acgtTZsLaWAs9y9fdQYZ25qzoAFxR9LmAdmcamB7ZL+2PEhdyYuR
+            SDVHWLZgZciuV5rOwi25a2xaLew5+yII2+6htF8Zo8sG/WfPQPv/wPaMEWPJaP4r
+            heRyMtJQ2Cijhd7MBaPq4Uib4jl4cOsA
+            =c/s1
+            -----END PGP MESSAGE-----
+          fp: 900E8D917F74DE26D78EC5CA439943DBA05D9F36
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2