-
Notifications
You must be signed in to change notification settings - Fork 2
133 lines (115 loc) · 3.87 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Deploy with Terraform
on:
push:
branches:
- main
workflow_call:
secrets:
GIT_CRYPT_KEY:
required: true
workflow_dispatch:
env:
NIX_BUILDER: ""
jobs:
make-all:
name: Run all package Makefiles
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}
- name: Install Nix packages
uses: diamondburned/cache-install@main
with:
auto-optimise: true
instantiated-files: packages/
nix-install-url: https://releases.nixos.org/nix/nix-2.18.1/install
- name: Run all package Makefiles
run: ./scripts/pkg make
- name: Commit changes, if any
uses: stefanzweifel/git-auto-commit-action@v4
with:
branch: ${{ github.ref_name }}
commit_message: Run all Makefiles using GitHub Actions
deploy:
name: Deploy with Terraform
needs: make-all
runs-on: ubuntu-22.04
environment: Production
concurrency: Production
outputs:
commit_hash: ${{ steps.git-commit.outputs.commit_hash }}
steps:
- uses: actions/checkout@v3
with:
# Use ref_name instead of ref so we always get the branch to pull our
# latest commit from.
ref: ${{ github.ref_name }}
- name: Install Nix packages
id: nix-install
uses: diamondburned/cache-install@main
with:
auto-optimise: true
shell-file: shell.nix
instantiated-files: servers/*/default.nix
nix-install-url: https://releases.nixos.org/nix/nix-2.18.1/install
- name: Decrypt git-crypt secrets
uses: ./.github/actions/git-crypt
with:
key: ${{ secrets.GIT_CRYPT_KEY }}
- name: Initialize Tailscale
uses: tailscale/github-action@v2
with:
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
tags: tag:server
- name: Initialize Terraform
id: terraform-init
run: |-
chmod 640 secrets/terraform.tfstate*
terraform init
- name: Calculate a Terraform deployment plan
id: terraform-plan
run: |-
set +e
terraform plan --detailed-exitcode --out="/tmp/acm-aws-plan"
status=$?
set -e
if [[ $status == 1 ]]; then
echo "::error::Terraform plan failed, exiting..."
exit 1
fi
# 0 - Succeeded, diff is empty (no changes)
# 1 - Errored
# 2 - Succeeded, there is a diff
echo "status=$status" >> $GITHUB_OUTPUT
- name: Apply Terraform configurations
id: terraform-apply
if: steps.terraform-plan.outputs.status == 2
run: |-
set -o pipefail
./scripts/with-builder "$NIX_BUILDER" \
terraform apply --auto-approve "/tmp/acm-aws-plan" \
|& tee /tmp/terraform-apply.log \
|& grep -v 'deployment.null_resource.deploy_nixos (\(local\|remote\)-exec):'
- name: Commit changes, if any
id: git-commit
if: steps.terraform-plan.outputs.status == 2
uses: stefanzweifel/git-auto-commit-action@v4
with:
commit_message: "Update deployment using GitHub Actions"
branch: ${{ github.ref_name }}
- name: Prepare Terraform deployment logs
id: terraform-logs-prepare
if: steps.terraform-plan.outputs.status == 2 && failure()
run: |-
./scripts/encrypt-ssh \
/tmp/terraform-apply.log \
/tmp/terraform-apply.log.enc
- name: Upload Terraform deployment logs
id: terraform-logs-upload
if: steps.terraform-plan.outputs.status == 2 && failure()
uses: actions/upload-artifact@v4
with:
name: terraform-apply.log.enc
path: /tmp/terraform-apply.log.enc