-
Notifications
You must be signed in to change notification settings - Fork 7
342 lines (268 loc) · 13.6 KB
/
deb.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
name: deb
on:
push:
branches:
- master
- fix-cryptography
jobs:
build:
runs-on: ubuntu-22.04
steps:
- name: Check out repository
uses: actions/checkout@v2
- name: Extract branch name
id: extract_branch
shell: bash
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
- name: Generate release tag
id: tag
run: echo "tag=$(date -u '+%y%m%d%H%M')-${{steps.extract_branch.outputs.branch}}" >> $GITHUB_OUTPUT
- uses: uraimo/[email protected]
name: Build deb
with:
arch: armv6
distro: bullseye # Equivalent to Raspbian 8
githubToken: ${{ github.token }}
# Create an artifacts directory
setup: |
mkdir -p "${PWD}/artifacts"
# Mount the artifacts directory as /artifacts in the container
dockerRunArgs: |
--volume "${PWD}/artifacts:/artifacts"
install: |
set -x
apt-get update -q -y
# Install Python, fpm deps (ruby) and the kitchen sink required to build everything...
apt-get install -q -y git python3 python3-venv python3-dev python3-pip build-essential libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev libgdbm-dev libc6-dev libbz2-dev squashfs-tools ruby-full jq libpq-dev postgresql postgresql-contrib
# these dependencies are installed for compiling cryptography
apt-get install -q -y curl libssl-dev pkg-config
# install rustc using rustup script
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y
source "$HOME/.cargo/env"
# Install FPM
gem install fpm
# Install Poetry (requires 1.2.0+)
# curl -sSL https://install.python-poetry.org | POETRY_VERSION=1.5.0 python3 - --yes || true
# export PATH=$PATH:/root/.local/bin
# poetry requires cryptography, but the latest version wants to be compiled by Rust, and this environment doesn't like Rust.
# the same logic applies to the cryptography installation in the run section.
# using pip to install poetry, instead of shell script in Adam's work
pip install poetry==1.5.1
run: |
set -x
# Add Poetry to $PATH
export PATH=$PATH:/root/.local/bin
# We want to write to _actual_ /opt as some installation processes
# are creating hard coded shebangs pointing to the venv location.
mkdir -p /opt
# Create virtualenv
python3 -m venv /opt/hackman
. /opt/hackman/bin/activate
# workaround for poetry installation stalling. what's happening here: use pip to install the packages specified in poetry.
# source: https://github.com/python-poetry/poetry/issues/7148#issuecomment-1398322105
# 2 things are happening here that makes poetry stall.
# the first is poetry wants to compile cryptography and gevent from source, which stalls
# the second is if pip install from requirements.txt, cryptography and gevent stall as well. To get around this is to install both of them specifically using pip.
poetry export -f requirements.txt --output requirements.txt
pip install -r requirements.txt
# Install dependencies
poetry install --no-interaction --no-root --only main
# ^^^ this should practically do nothing, becasue the work is already done by pip. ^^^
# Install self into env
poetry build -f wheel -n
pip install --no-deps dist/*.whl
rm -rf dist *.egg-info
# Generate Django static files
env DJANGO_SETTINGS_MODULE=hackman.settings_prod hackman-manage collectstatic
# Create a temporary rootfs directory
mkdir -p rootfs/opt
mv /opt/hackman rootfs/opt/hackman
# Create symlinks to all binaries starting with hackman* or dsl* in /usr/bin
mkdir -p rootfs/usr/bin
for bin in rootfs/opt/hackman/bin/dsl* rootfs/opt/hackman/bin/hackman*; do
ln -s /opt/hackman/bin/$(basename $bin) rootfs/usr/bin/$(basename $bin)
done
# Copy systemd units
mkdir -p rootfs/lib/systemd
cp -rv systemd rootfs/lib/systemd/system
# Copy nginx configuration
cp -rv nginx rootfs/opt/hackman/nginx
# Create a postinstall script that enables all the shipped units
# and symlinks our nginx configuration in place of the default one.
# We also set up the database user in this block
echo "#/bin/sh" > postinstall.sh
for f in ./systemd/*; do
echo "systemctl enable $(basename $f)" >> postinstall.sh
done
echo "ln -sf /opt/hackman/nginx/default /etc/nginx/sites-enabled/default" >> postinstall.sh
# Ugly auto-generated escape sequences galore! \o/
echo 'echo '"'"'CREATE DATABASE hackman;'"'"' | sudo -u postgres psql' >> postinstall.sh
echo 'echo '"'"'CREATE USER hackman WITH PASSWORD '"'"'"'"'"'"'"'"'hackman'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh
echo 'echo '"'"'ALTER ROLE hackman SET client_encoding TO '"'"'"'"'"'"'"'"'utf8'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh
echo 'echo '"'"'ALTER ROLE hackman SET default_transaction_isolation TO '"'"'"'"'"'"'"'"'read committed'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh
echo 'echo '"'"'ALTER ROLE hackman SET timezone TO '"'"'"'"'"'"'"'"'UTC'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh
echo 'echo '"'"'GRANT ALL PRIVILEGES ON DATABASE hackman TO hackman;'"'"' | sudo -u postgres psql' >> postinstall.sh
# Reload main systemd units
echo "systemctl start hackman" >> postinstall.sh
echo "systemctl reload nginx" >> postinstall.sh
chmod +x postinstall.sh
# Build deb
version=$(grep '^version' pyproject.toml | cut -d = -f 2 | jq -r)
fpm \
-s dir \
-t deb \
-C rootfs \
--name hackman \
--version $version \
--iteration ${{ steps.tag.outputs.tag }} \
--description "DSL Hackman" \
--depends redis-server \
--depends python3 \
--depends nginx \
--depends libffi-dev \
--depends libpq-dev \
--depends postgresql \
--depends postgresql-contrib \
--after-install ./postinstall.sh \
.
mv *.deb /artifacts/
- name: Upload binaries to release
id: upload_deb
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ./artifacts/*
file_glob: true
tag: ${{ steps.tag.outputs.tag }}
overwrite: true
- name: Print artifacts url
run: echo "${{ steps.upload_deb.outputs.browser_download_url }}"
# ^^^ end of building debian package ^^^ #
# vvv start of pi-gen image vvv #
- name: Create files for stage2a
run: |
# the name stage2a came from developing on the pi-gen repository
mkdir -p stage2a/01-install-hackman/
cat > stage2a/01-install-hackman/00-packages <<-EOF
redis-server
nginx
libffi-dev
libpq-dev
postgresql
postgresql-contrib
EOF
cat stage2a/01-install-hackman/00-packages
RRRR=stage2a/01-install-hackman/01-run.sh
echo "#!/bin/bash -e" >> $RRRR
echo "on_chroot << EOF" >> $RRRR
echo "curl -sLO ${{ steps.upload_deb.outputs.browser_download_url }}" >> $RRRR
echo "dpkg -i hackman*.deb" >> $RRRR
echo "EOF" >> $RRRR
cat stage2a/01-install-hackman/01-run.sh
cat > stage2a/prerun.sh <<-EOF
#!/bin/bash -e
if [ ! -d "\${ROOTFS_DIR}" ]; then
copy_previous
fi
EOF
cat stage2a/prerun.sh
chmod +x stage2a/01-install-hackman/01-run.sh
chmod +x stage2a/prerun.sh
- name: PiGen image
uses: usimd/pi-gen-action@v1
id: pigen
with:
# Compression to apply on final image (either "none", "zip", "xz" or "gz").
compression: zip
# Compression level to be used. From 0 to 9 (refer to the tool man page for more
# information on this. Usually 0 is no compression but very fast, up to 9 with the
# best compression but very slow).
compression-level: 6
# Disable the renaming of the first user during the first boot. This make it so
# 'username' stays activated. 'username' must be set for this to work. Please be
# aware of the implied security risk of defining a default username and password
# for your devices.
disable-first-boot-user-rename: 1
# Additional options to include in PIGEN_DOCKER_OPTS
docker-opts: ''
# Set whether a NOOBS image should be built as well. If enabled, the output
# directory containing the NOOBS files will be saved as output variable
# 'image-noobs-path'.
enable-noobs: false
# Enable SSH access to Pi.
enable-ssh: 1
# If this feature is enabled, the action will configure pi-gen to not export any
# stage as image but the last one defined in property 'stage-list'. This is
# helpful when building a single image flavor (in contrast to building a
# lite/server and full-blown desktop image), since it speeds up the build process
# significantly.
export-last-stage-only: true
# Comma or whitespace separated list of additional packages to install on host
# before running pi-gen. Use this list to add any packages your custom stages may
# require. Note that this is not affecting the final image. In order to add
# additional packages, you need to add a respective 'XX-packages' file in your
# custom stage.
extra-host-dependencies: ''
# Comma or whitespace separated list of additional modules to load on host before
# running pi-gen. If your custom stage requires additional software or kernel
# modules to be loaded, add them here. Note that this is not meant to configure
# modules to be loaded in the target image.
extra-host-modules: ''
# Token to use for checking out pi-gen repo.
github-token: ${{ github.token }}
# Host name of the image.
hostname: door
# Final image name.
image-name: "door-${{steps.tag.outputs.tag}}"
# Default keyboard keymap.
keyboard-keymap: us
# Default keyboard layout.
keyboard-layout: English (US)
# Default locale of the system image.
locale: en_US.UTF-8
# Password of the intial user account, locked if empty.
password: 'door' # fixme
# Path where selected pi-gen ref will be checked out to. If the path does not yet
# exist, it will be created (including its parents).
pi-gen-dir: pi-gen
# GitHub repository to fetch pi-gen from, must be a fork from RPi-Distro/pi-gen.
pi-gen-repository: RPi-Distro/pi-gen
# Release version of pi-gen to use. This can both be a branch or tag name known in
# the pi-gen repository.
pi-gen-version: 2023-05-03-raspios-bullseye
# The release version to build images against. Valid values are jessie, stretch,
# buster, bullseye, and testing.
release: bullseye
# Setting to `1` will prevent pi-gen from dropping the "capabilities" feature.
# Generating the root filesystem with capabilities enabled and running it from a
# filesystem that does not support capabilities (like NFS) can cause issues. Only
# enable this if you understand what it is.
setfcap: ''
# List of stage name to execute in given order. Relative and absolute paths to
# custom stage directories are allowed here. Note that by default pi-gen exports
# images in stage2 (lite), stage4 and stage5. You probably want to hook in custom
# stages before one of the exported stages. Otherwise, the action will make sure
# any custom stage will include an image export directive.
stage-list: stage0 stage1 stage2 ./stage2a
# System timezone.
timezone: Asia/Hong_Kong
# Use qcow2 images to reduce space and runtime requirements.
use-qcow2: 1
# Name of the initial user account.
username: pi
# Print all output from pi-gen.
verbose-output: true
# Wifi country code of default network to connect to.
wpa-country: ''
# SSID of a default wifi network to connect to.
wpa-essid: ''
# Password of default wifi network to connect to.
wpa-password: ''
- name: Upload pi-gen image to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ steps.pigen.outputs.image-path }}
file_glob: true
tag: ${{ steps.tag.outputs.tag }}
overwrite: true