dotfiles/.github/workflows/arrow.yml

name: Arrow

env:
  TERRAFORM_DIRECTORY: hosts/arrow
  DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
  ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
  CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"
  AWS_ACCESS_KEY_ID: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.CLOUDFLARE_R2_SECRET_KEY }}
  AWS_DEFAULT_REGION: auto
  AWS_ENDPOINT_URL_S3: "https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"
  TF_VAR_vultr_api_key: ${{ secrets.VULTR_API_KEY }}

on:
  workflow_dispatch:
    inputs:
      rebuild:
        type: boolean
        default: false
      action:
        type: choice
        required: true
        default: create
        options:
          - create
          - destroy

jobs:
  build-deploy:
    name: Build and Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo Code
        uses: actions/checkout@v4

      # Enable access to KVM, required to build an image
      - name: Enable KVM group perms
        if: inputs.rebuild && inputs.action != 'destroy'
        run: |
            echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
            sudo udevadm control --reload-rules
            sudo udevadm trigger --name-match=kvm

      # Install Nix
      - name: Install Nix
        if: inputs.rebuild && inputs.action != 'destroy'
        uses: cachix/install-nix-action@v17

      # Build the image
      - name: Build Image
        if: inputs.rebuild && inputs.action != 'destroy'
        run: nix build .#image.arrow

      - name: Upload Image to S3
        if: inputs.rebuild && inputs.action != 'destroy'
        run: |
          aws s3 cp \
            result/iso/nixos.iso \
            s3://noahmasur-arrow-images/arrow.iso \
            --endpoint-url "https://${{ env.CLOUDFLARE_R2_ENDPOINT }}"

      # # Copy the image to S3
      # - name: Upload Image to Cache
      #   env:
      #     NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }}
      #   run: |
      #     echo "$NIX_CACHE_PRIVATE_KEY" > cache.key
      #     nix store sign --key-file cache.key $(readlink result)
      #     nix copy --to s3://t2-aws-nixos-test $(readlink result)
      #     rm cache.key

      # Installs the Terraform binary and some other accessory functions.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      # Checks whether Terraform is formatted properly. If this fails, you
      # should install the pre-commit hook.
      - name: Check Formatting
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform fmt -no-color -check -diff -recursive

      # Connects to remote state backend and download providers.
      - name: Terraform Init
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: terraform init

      # Deploys infrastructure or changes to infrastructure.
      - name: Terraform Apply
        if: inputs.action == 'create'
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform apply \
            -auto-approve \
            -input=false

      # Removes infrastructure.
      - name: Terraform Destroy
        if: inputs.action == 'destroy'
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: |
          terraform destroy \
            -auto-approve \
            -input=false

      - name: Get Host IP
        if: inputs.action == 'create'
        id: host
        working-directory: ${{ env.TERRAFORM_DIRECTORY }}
        run: terraform output -raw host_ip

      - name: Wait on SSH
        if: inputs.action == 'create'
        run: |
          for i in $(seq 1 15); do
            if $(nc -z -w 3 ${{ steps.host.outputs.stdout }} 22); then
              exit 0
            fi
            sleep 10
          done

      - name: Write Identity Keys to Files
        if: inputs.action == 'create'
        run: |
          echo "${{ env.DEPLOY_IDENTITY_BASE64 }}" | base64 -d > deploy_ed25519
          echo "${{ env.ARROW_IDENTITY_BASE64 }}" | base64 -d > arrow_ed25519

      - name: Copy Identity File to Host
        if: inputs.action == 'create'
        run: |
          ssh noah@${{ steps.host.outputs.stdout }} 'mkdir -pv .ssh'
          scp -i deploy_ed25519 arrow_ed25519 noah@${{ steps.host.outputs.stdout }}:~/.ssh/id_ed25519
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00			`name: Arrow`

			`env:`
			`TERRAFORM_DIRECTORY: hosts/arrow`
			`DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}`
			`ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}`
			`CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"`
try mixing up secrets 2024-03-24 18:29:51 +00:00			`AWS_ACCESS_KEY_ID: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY }}`
			`AWS_SECRET_ACCESS_KEY: ${{ secrets.CLOUDFLARE_R2_SECRET_KEY }}`
fix: s3 cp failing in github actions 2024-03-24 19:06:38 +00:00			`AWS_DEFAULT_REGION: auto`
tf init with definition in main 2024-03-24 18:36:23 +00:00			`AWS_ENDPOINT_URL_S3: "https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00			`TF_VAR_vultr_api_key: ${{ secrets.VULTR_API_KEY }}`

			`on:`
			`workflow_dispatch:`
			`inputs:`
			`rebuild:`
fix: boolean input in gh action 2024-03-24 18:00:38 +00:00			`type: boolean`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00			`default: false`
			`action:`
			`type: choice`
			`required: true`
			`default: create`
			`options:`
			`- create`
			`- destroy`

			`jobs:`
			`build-deploy:`
			`name: Build and Deploy`
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Checkout Repo Code`
			`uses: actions/checkout@v4`

			`# Enable access to KVM, required to build an image`
			`- name: Enable KVM group perms`
			`if: inputs.rebuild && inputs.action != 'destroy'`
			`run: \|`
			`echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' \| sudo tee /etc/udev/rules.d/99-kvm4all.rules`
			`sudo udevadm control --reload-rules`
			`sudo udevadm trigger --name-match=kvm`

			`# Install Nix`
			`- name: Install Nix`
			`if: inputs.rebuild && inputs.action != 'destroy'`
			`uses: cachix/install-nix-action@v17`

			`# Build the image`
			`- name: Build Image`
			`if: inputs.rebuild && inputs.action != 'destroy'`
			`run: nix build .#image.arrow`

			`- name: Upload Image to S3`
			`if: inputs.rebuild && inputs.action != 'destroy'`
			`run: \|`
			`aws s3 cp \`
			`result/iso/nixos.iso \`
			`s3://noahmasur-arrow-images/arrow.iso \`
			`--endpoint-url "https://${{ env.CLOUDFLARE_R2_ENDPOINT }}"`

			`# # Copy the image to S3`
			`# - name: Upload Image to Cache`
			`# env:`
			`# NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }}`
			`# run: \|`
			`# echo "$NIX_CACHE_PRIVATE_KEY" > cache.key`
			`# nix store sign --key-file cache.key $(readlink result)`
			`# nix copy --to s3://t2-aws-nixos-test $(readlink result)`
			`# rm cache.key`

			`# Installs the Terraform binary and some other accessory functions.`
			`- name: Setup Terraform`
			`uses: hashicorp/setup-terraform@v2`

			`# Checks whether Terraform is formatted properly. If this fails, you`
			`# should install the pre-commit hook.`
			`- name: Check Formatting`
fix: formatting for just the specific folder 2024-03-24 18:24:09 +00:00			`working-directory: ${{ env.TERRAFORM_DIRECTORY }}`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00			`run: \|`
			`terraform fmt -no-color -check -diff -recursive`

			`# Connects to remote state backend and download providers.`
			`- name: Terraform Init`
			`working-directory: ${{ env.TERRAFORM_DIRECTORY }}`
tf init with definition in main 2024-03-24 18:36:23 +00:00			`run: terraform init`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00
			`# Deploys infrastructure or changes to infrastructure.`
			`- name: Terraform Apply`
			`if: inputs.action == 'create'`
			`working-directory: ${{ env.TERRAFORM_DIRECTORY }}`
			`run: \|`
			`terraform apply \`
			`-auto-approve \`
			`-input=false`

			`# Removes infrastructure.`
			`- name: Terraform Destroy`
			`if: inputs.action == 'destroy'`
			`working-directory: ${{ env.TERRAFORM_DIRECTORY }}`
			`run: \|`
			`terraform destroy \`
			`-auto-approve \`
			`-input=false`

			`- name: Get Host IP`
			`if: inputs.action == 'create'`
			`id: host`
			`working-directory: ${{ env.TERRAFORM_DIRECTORY }}`
temp: skip wait for identity 2024-03-24 18:55:17 +00:00			`run: terraform output -raw host_ip`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00
			`- name: Wait on SSH`
switch ssh wait with a script 2024-03-24 19:34:12 +00:00			`if: inputs.action == 'create'`
			`run: \|`
			`for i in $(seq 1 15); do`
			`if $(nc -z -w 3 ${{ steps.host.outputs.stdout }} 22); then`
			`exit 0`
			`fi`
			`sleep 10`
			`done`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00
			`- name: Write Identity Keys to Files`
			`if: inputs.action == 'create'`
			`run: \|`
			`echo "${{ env.DEPLOY_IDENTITY_BASE64 }}" \| base64 -d > deploy_ed25519`
			`echo "${{ env.ARROW_IDENTITY_BASE64 }}" \| base64 -d > arrow_ed25519`

			`- name: Copy Identity File to Host`
			`if: inputs.action == 'create'`
fixes to cloudflare dyndns and ssh 2024-03-24 19:04:40 +00:00			`run: \|`
			`ssh noah@${{ steps.host.outputs.stdout }} 'mkdir -pv .ssh'`
			`scp -i deploy_ed25519 arrow_ed25519 noah@${{ steps.host.outputs.stdout }}:~/.ssh/id_ed25519`