Arrow #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Arrow | |
env: | |
TERRAFORM_DIRECTORY: hosts/arrow | |
DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }} | |
ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }} | |
CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com" | |
TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
TF_VAR_cloudflare_r2_access_key: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY }} | |
TF_VAR_cloudflare_r2_secret_key: ${{ secrets.CLOUDFLARE_R2_SECRET_KEY }} | |
TF_VAR_vultr_api_key: ${{ secrets.VULTR_API_KEY }} | |
on: | |
workflow_dispatch: | |
inputs: | |
rebuild: | |
type: boolean | |
default: false | |
action: | |
type: choice | |
required: true | |
default: create | |
options: | |
- create | |
- destroy | |
jobs: | |
build-deploy: | |
name: Build and Deploy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repo Code | |
uses: actions/checkout@v4 | |
# Enable access to KVM, required to build an image | |
- name: Enable KVM group perms | |
if: inputs.rebuild && inputs.action != 'destroy' | |
run: | | |
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules | |
sudo udevadm control --reload-rules | |
sudo udevadm trigger --name-match=kvm | |
# Install Nix | |
- name: Install Nix | |
if: inputs.rebuild && inputs.action != 'destroy' | |
uses: cachix/install-nix-action@v17 | |
# Build the image | |
- name: Build Image | |
if: inputs.rebuild && inputs.action != 'destroy' | |
run: nix build .#image.arrow | |
- name: Upload Image to S3 | |
if: inputs.rebuild && inputs.action != 'destroy' | |
run: | | |
aws s3 cp \ | |
result/iso/nixos.iso \ | |
s3://noahmasur-arrow-images/arrow.iso \ | |
--endpoint-url "https://${{ env.CLOUDFLARE_R2_ENDPOINT }}" | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CLOUDFLARE_R2_SECRET_KEY }} | |
# # Copy the image to S3 | |
# - name: Upload Image to Cache | |
# env: | |
# NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }} | |
# run: | | |
# echo "$NIX_CACHE_PRIVATE_KEY" > cache.key | |
# nix store sign --key-file cache.key $(readlink result) | |
# nix copy --to s3://t2-aws-nixos-test $(readlink result) | |
# rm cache.key | |
# Installs the Terraform binary and some other accessory functions. | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v2 | |
# Checks whether Terraform is formatted properly. If this fails, you | |
# should install the pre-commit hook. | |
- name: Check Formatting | |
run: | | |
terraform fmt -no-color -check -diff -recursive | |
# Connects to remote state backend and download providers. | |
- name: Terraform Init | |
working-directory: ${{ env.TERRAFORM_DIRECTORY }} | |
run: | | |
terraform init \ | |
-backend-config="endpoint=${{ env.CLOUDFLARE_R2_ENDPOINT }}" \ | |
-backend-config="workspace_key_prefix=${{ github.repository }}/arrow" \ | |
-backend-config="key=state.tfstate" \ | |
-backend-config="skip_credentials_validation=true" \ | |
-backend-config="skip_region_validation=true" \ | |
-backend-config="region=anything" \ | |
-backend-config="bucket=noahmasur-terraform" | |
# Deploys infrastructure or changes to infrastructure. | |
- name: Terraform Apply | |
if: inputs.action == 'create' | |
working-directory: ${{ env.TERRAFORM_DIRECTORY }} | |
run: | | |
terraform apply \ | |
-auto-approve \ | |
-input=false | |
# Removes infrastructure. | |
- name: Terraform Destroy | |
if: inputs.action == 'destroy' | |
working-directory: ${{ env.TERRAFORM_DIRECTORY }} | |
run: | | |
terraform destroy \ | |
-auto-approve \ | |
-input=false | |
- name: Get Host IP | |
if: inputs.action == 'create' | |
id: host | |
working-directory: ${{ env.TERRAFORM_DIRECTORY }} | |
run: terraform output host_ip | |
- name: Wait on SSH | |
uses: iFaxity/wait-on-action@v1.1.0 | |
with: | |
resource: tcp ${{ steps.host.outputs.stdout }}:22 | |
interval: 5000 | |
- name: Write Identity Keys to Files | |
if: inputs.action == 'create' | |
run: | | |
echo "${{ env.DEPLOY_IDENTITY_BASE64 }}" | base64 -d > deploy_ed25519 | |
echo "${{ env.ARROW_IDENTITY_BASE64 }}" | base64 -d > arrow_ed25519 | |
- name: Copy Identity File to Host | |
if: inputs.action == 'create' | |
run: scp -i deploy_ed25519 arrow_ed25519 noah@${{ steps.host.outputs.stdout }}:~/.ssh/id_ed25519 |