diff --git a/.envrc b/.envrc
new file mode 100644
index 00000000..044ee005
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,9 @@
+# shellcheck disable=all
+
+export DIRENV_WARN_TIMEOUT=20s
+
+eval "$(devenv direnvrc)"
+
+# The use_devenv function supports passing flags to the devenv command
+# For example: use devenv --impure --option services.postgres.enable:bool true
+use devenv
diff --git a/.gitignore b/.gitignore
index 9f1e5952..9ccd8d34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,16 @@ secrets/*/dev/*
 # used in move_stable script
 move_stable_repositories
+
+# Devenv
+.devenv*
+devenv.local.nix
+
+# direnv
+.direnv
+
+# Ansible collections from remote sources
+.ansible
+
+# Python dependencies installed from devenv.sh
+.venv
diff --git a/devenv.lock b/devenv.lock
new file mode 100644
index 00000000..4b206a12
--- /dev/null
+++ b/devenv.lock
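Review bot: `# shellcheck disable=all` on the first line of `.envrc` silences every check for the file, including the quoting and unset-variable warnings that would catch a later mistake in this file; the constructs that confuse the linter here are only `use devenv` and `eval "$(devenv direnvrc)"`, which come from the direnv stdlib. Keep the directive but make it explain itself, e.g. `# shellcheck disable=all -- direnv stdlib (use, devenv direnvrc) is not visible to shellcheck`, or narrow it to the codes that actually fire once the file is run through shellcheck. It is also worth a one-line comment that direnv sources this file only after an explicit `direnv allow`, and re-prompts whenever it changes, since `eval "$(devenv direnvrc)"` executes whatever the `devenv` found on `PATH` prints; that allow step is the trust boundary and the new docs do not mention it.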
@@ -0,0 +1,103 @@ +{ + "nodes": { + "devenv": { + "locked": { + "dir": "src/modules", + "lastModified": 1752456450, + "owner": "cachix", + "repo": "devenv", + "rev": "e2a9d0dd4cf87a1801c6d9e0d7a57bdd6de26ace", + "type": "github" + }, + "original": { + "dir": "src/modules", + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750779888, + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1751984180, + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "devenv": "devenv", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs", + "pre-commit-hooks": [ + "git-hooks" + ] + } + } + }, + "root": "root", + "version": 7 +} diff --git a/devenv.nix b/devenv.nix new file mode 100644 index 00000000..68d9fdb4 --- /dev/null +++ b/devenv.nix 
@@ -0,0 +1,30 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+ packages = [
+ pkgs.openshift
+
+ pkgs.ansible
+ pkgs.ansible-navigator
+ ];
+
+ languages.python = {
+ enable = true;
+
+ venv = {
+ enable = true;
+ requirements = ''
+ # Needed for k8s ansible module
+ kubernetes
+
+ # Needed for changelog script
+ click
+ GitPython
+ ogr
+
+ # Needed for move-stable script
+ copr
+ '';
+ };
+ };
+}
diff --git a/devenv.yaml b/devenv.yaml
new file mode 100644
index 00000000..50be2727
--- /dev/null
+++ b/devenv.yaml
@@ -0,0 +1,5 @@
+inputs:
+ nixpkgs:
+ # [TODO] Ideally swap to the cachix/rolling once Ansible issues are resolved.
+ # url: github:cachix/devenv-nixpkgs/rolling
+ url: github:nixos/nixpkgs/nixos-unstable
diff --git a/docs/deployment/continuous-deployment.md b/docs/deployment/continuous-deployment.md
index 60e3bf00..d24dda00 100644
--- a/docs/deployment/continuous-deployment.md
+++ b/docs/deployment/continuous-deployment.md
@@ -31,11 +31,9 @@ It has several significant benefits: ## Manual production re-deployment 1. Trigger `:prod` images builds - - Run [scripts/move_stable.py](https://github.com/packit/deployment/blob/main/scripts/move_stable.py) to move `stable` branches to a newer commit. 2. Import images -> re-deploy - - If you don't want to wait for [it to be done automatically](#continuous-deployment), you can [do that manually](#manually-import-a-newer-image) once the images are built (check Actions in each repo).
diff --git a/docs/deployment/nix.md b/docs/deployment/nix.md
new file mode 100644
index 00000000..6ac665b8
--- /dev/null
+++ b/docs/deployment/nix.md
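Review bot: The `requirements` string under `languages.python.venv` lists `kubernetes`, `click`, `GitPython`, `ogr` and `copr` with no version constraint, so the venv resolves whatever PyPI serves at the moment the environment is built; `devenv.lock` pins the Nix inputs, but this half of the environment is not pinned, which undercuts the reproducibility the new docs advertise and lets a fresh upstream release of a package used by the deployment tooling land in a developer's shell unreviewed. Pin each entry, e.g. `kubernetes==<pinned-version>`, and preferably add `--hash=sha256:<hash>` per line so pip verifies the downloaded artefacts (values are placeholders to be filled from the versions currently in use). A short comment above the string noting that these pins have to be bumped deliberately would keep the intent visible.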
@@ -0,0 +1,59 @@ +--- +title: Nix & devenv support +author: mfocko +--- + +# Nix & devenv support + +:::tip tl;dr + +Ideal for atomic linux distributions and macOS setup. + +There's one file (`devenv.nix`) containing everything that's needed to set up an +environment for the project (`packit/deployment` in this case). All tools and +deps are kept only for this project, i.e., they don't pollute the host system. + +Since Nix and devenv.sh support pinning, it is also possible to acquire +a reproducible environment. + +[`direnv`](https://devenv.sh/automatic-shell-activation/) makes sure the development environment is set up upon entering the repo. + +::: + +## What is [Nix](https://nixos.org/)? + +From the homepage: + +> Nix is a tool that takes a unique approach to package management and system +> configuration. Learn how to make reproducible, declarative and reliable systems. + +Basically you have global environment and smaller `nix-shell`s that are usually +tied to git repos (or any other directory). You aim for as small base environment +as possible, i.e., you don't want to keep all utilities / dependencies everywhere. + +One benefit, in comparison to containers, lies in the fact that the packages are +defined by hash, name and version which allows them to be stored in a global +location (usually `/nix`). Including packages in “environments” is done by +adjusting `$PATH` (and related) variable. + +## What is [devenv.sh](https://devenv.sh/)? + +Builds on top of the _Nix_ and _nix-shell_ themselves. Is a bit more robust, +cause it also allows specifying environment variables, defining tasks, services, +and processes. For example it allows you to automatically spin up `nginx` or +`postgres` server once you enter the repo. + +## Getting started + +Feel free to follow the [devenv.sh' “Getting Started”](https://devenv.sh/getting-started/). + +1. You need to have _Nix_ set up. (single-user / non-daemon setup is recommended + for users with SELinux enabled) +2. 
Install the _devenv.sh_ itself. +3. Have _direnv_ present (since it automatically loads the environment upon + entering the directory with _devenv.sh_). + +## Caveats + +Bitwarden CLI is currently broken on macOS, therefore it's not included in the +devenv.sh' config.
diff --git a/docs/deployment/resource-requirements.md b/docs/deployment/resource-requirements.md
index 0a932625..2e0ee14c 100644
--- a/docs/deployment/resource-requirements.md
+++ b/docs/deployment/resource-requirements.md
@@ -83,14 +83,12 @@ resource requirements. 1. Request adjustments of the quotas such that we can have some buffer (database migrations, higher load on service, etc.), but also could **permanently** scale up the workers if we find service to be more reliable that way - - Based on the calculations above, 2× the current quotas on memory would be sufficient, but if we were to scale the workers up too (and account for possible adjustments, e.g., Redict) we should probably go for 3× 1. Migrate tokman to different toolchain, it's a small self-contained app, so it is easy to migrate to either Rust or Go that should leave smaller footprint. - - Opened an issue for testing out running without Tokman deployment https://github.com/packit/tokman/issues/72
diff --git a/docs/deployment/specifics/packit-service.md b/docs/deployment/specifics/packit-service.md
index 6c37470e..a86f4c0c 100644
--- a/docs/deployment/specifics/packit-service.md
+++ b/docs/deployment/specifics/packit-service.md
@@ -60,7 +60,6 @@ To make it work, you need to: - Since our infrastructure does not support shared volumes, we need to attach one volume with a cache to each worker and one to each corresponding sandbox pod. - - In the case of workers, this is done during the deployment. - For sandboxes, there is an option in the service config (the environment variable needs to differ for each worker and is set during startup of the
diff --git a/docs/deployment/specifics/redict.md b/docs/deployment/specifics/redict.md
index 29a563e9..c6ef0b6b 100644
--- a/docs/deployment/specifics/redict.md
+++ b/docs/deployment/specifics/redict.md
@@ -8,7 +8,6 @@ We have tested a seamless migration from Redis to Redict on our production deployment. To reproduce: 1. We have deployed Redict to our production cluster. - - Defaults have been changed to: ```yaml
@@ -34,7 +33,6 @@ deployment. To reproduce: 3. After the data exchange is done, change **all** references in variables to redis to point to the new hostname, in this case `redis → redict`. - - Run ```
diff --git a/scripts/download_secrets.sh b/scripts/download_secrets.sh
index 66ad62d0..a323f261 100755
--- a/scripts/download_secrets.sh
+++ b/scripts/download_secrets.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 set -eu
diff --git a/scripts/render_secrets_from_templates.sh b/scripts/render_secrets_from_templates.sh
index 8f3d5931..01ce5d9e 100755
--- a/scripts/render_secrets_from_templates.sh
+++ b/scripts/render_secrets_from_templates.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 # Mimic what we do during deployment when we render secret files
 # from their templates before we create k8s secrets from them.
diff --git a/scripts/update_bw_secret.sh b/scripts/update_bw_secret.sh
index dfbc2041..7e605a7c 100755
--- a/scripts/update_bw_secret.sh
+++ b/scripts/update_bw_secret.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 # Script to update the attachment of a secret item in Bitwarden
 #
diff --git a/scripts/update_oc_secret.sh b/scripts/update_oc_secret.sh
index 36553fc5..cfa9d1d0 100755
--- a/scripts/update_oc_secret.sh
+++ b/scripts/update_oc_secret.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 # This quick script updates a data field of an OpenShift secret with the
 # content of a file.
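Review bot: The new `#!/bin/bash` shebang in `scripts/download_secrets.sh` still hard-codes a system interpreter, which is not the bash that devenv puts on `PATH` and, on macOS, is typically the old vendor-shipped bash; since the rest of this commit exists to make the repo usable from a devenv shell on macOS, `#!/usr/bin/env bash` would resolve the interpreter through the environment instead of the host. The same one-line change applies to the identical hunks in `scripts/render_secrets_from_templates.sh`, `scripts/update_bw_secret.sh` and `scripts/update_oc_secret.sh`. Each script's body continues outside the hunk, so whether any of them relies on bash-4+ features cannot be judged from here.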