infra: Migrate jobs/scripts to new staging host

Author: Erethon

.github/workflows/bump.yaml

@@ -20,7 +20,7 @@ jobs:
       - uses: cachix/install-nix-action@v29
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: |
-          nix-shell default.nix -A ci --run "npins -d ./staging/npins update"
+          nix-shell default.nix -A ci --run "npins -d ./infra/npins update"
       - uses: actions/create-github-app-token@v1
         id: generate-token
         with:

.github/workflows/database-dumps.yaml

@@ -23,5 +23,5 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
       - name: Trust staging server public SSH host keys
-        run: cat ./staging/staging_host_keys >> ~/.ssh/known_hosts
+        run: cat ./infra/host_keys >> ~/.ssh/known_hosts
       - run: nix-shell default.nix -A ci --run deploy

.github/workflows/deployments.yaml

@@ -14,16 +14,12 @@ jobs:
   staging:
     runs-on: ubuntu-latest
     steps:
-      - name: Setup WARP to gain IPv6
-        uses: fscarmen/warp-on-actions@v1.1
-        with:
-          stack: dual
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - uses: webfactory/ssh-agent@v0.9.0
         with:
           ssh-private-key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
       - name: Trust staging server public SSH host keys
-        run: cat ./staging/staging_host_keys >> ~/.ssh/known_hosts
+        run: cat ./infra/host_keys >> ~/.ssh/known_hosts
       - run: nix-shell default.nix -A ci --run "deploy dry-activate"

.github/workflows/dry-activations.yaml

@@ -279,12 +279,12 @@ Not passing `--subset N` will take about an hour and produce ~500 MB of data.
 If you have your SSH keys set up on the staging environment (and can connect through IPv6), you can deploy the service with:
 
 ```console
-./staging/deploy.sh
+./infra/deploy.sh
 ```
 
 ### Adding SSH keys
 
-Add your SSH keys to `./staging/configuration.nix` and let existing owners deploy them.
+Add your SSH keys to `./infra/configuration.nix` and let existing owners deploy them.
 
 ## Operators guidance
 
@@ -295,5 +295,3 @@ Sentry-like collectors are endpoints where we ship error information from the Py
 Collectors are configured using [a DSN, i.e. a data source name.](https://docs.sentry.io/concepts/key-terms/dsn-explainer/) in Sentry parlance, this is where events are sent to.
 
 You can set `GLITCHTIP_DSN` as a credential secret with a DSN and this will connect to a Sentry-like endpoint via your DSN.
-
-We don't use Sentry but we run GlitchTip on staging.

CONTRIBUTING.md

@@ -98,30 +98,19 @@ rec {
     let
       deploy = pkgs.writeShellApplication {
         name = "deploy";
-        text = builtins.readFile ./staging/deploy.sh;
+        text = builtins.readFile ./infra/deploy.sh;
         runtimeInputs = with pkgs; [
           nixos-rebuild
           coreutils
         ];
         # TODO: satisfy shellcheck
         checkPhase = "";
       };
-      dump-database = pkgs.writeShellApplication {
-        name = "dump-database";
-        text = builtins.readFile ./staging/dump-database.sh;
-        runtimeInputs = with pkgs; [
-          awscli
-          pv
-        ];
-        # TODO: satisfy shellcheck
-        checkPhase = "";
-      };
     in
     pkgs.mkShellNoCC {
       packages = [
         pkgs.npins
         deploy
-        dump-database
       ];
     };
 
@@ -130,7 +119,7 @@ rec {
       manage = pkgs.writeScriptBin "manage" ''
         ${python3}/bin/python ${toString ./src/website/manage.py} $@
       '';
-      deploymentSources = import ./staging/npins;
+      deploymentSources = import ./infra/npins;
     in
     pkgs.mkShellNoCC {
       env = {

default.nix

@@ -0,0 +1,36 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nixos-rebuild coreutils
+
+set -eo pipefail
+
+DIR=$(git rev-parse --show-toplevel)
+VERB=${1:-switch}
+# make sure we're building with the version of Nixpkgs under our control
+# TODO: fix the build on the latest nixpkgs-unstable and use that one for deployment
+# export NIX_PATH=nixpkgs=$(nix-instantiate --eval -E '(import ./infra/npins).nixpkgs.outPath' | tr -d '"')
+export NIX_PATH=nixpkgs=$(nix-instantiate --eval -A pkgs.path)
+
+# Note: we could refactor the conditional here.
+# But `nixos-rebuild build --target-host ...` requiring network operations is an unexpected bug.
+# Therefore, we keep the two conditionals separated for the day when we will
+# replace `nixos-rebuild` by a tool that does not have this bug but similar
+# semantics.
+# Example: `colmena apply dry-activate` then `colmena build` does have these
+# properties and would make the second conditional disappear.
+
+if [[ "$VERB" != "build" ]]; then
+  # Perform a dry-activation first.
+  echo "dry-activating the configuration first..."
+  nixos-rebuild dry-activate -I nixos-config=$DIR/infra/configuration.nix --target-host root@tracker.security.nixos.org
+else
+  echo "skipping the dry-activation as we are using an offline verb."
+fi
+
+
+if [[ "$VERB" != "build" ]]; then
+  echo "$VERB-ing the configuration now."
+  nixos-rebuild $VERB -I nixos-config=$DIR/infra/configuration.nix --target-host root@tracker.security.nixos.org
+else
+  echo "building the configuration now."
+  nixos-rebuild build -I nixos-config=$DIR/infra/configuration.nix
+fi

infra/deploy.sh

@@ -0,0 +1,7 @@
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+tracker.security.nixos.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQClYYPyUzZa686OZUspMsuhyPLgKKV/4IE6ygmx9DfduKkXj21LvvuxO7m+xxnfcd3YLP/NckObF+wyR4BdQSDJw+G140YzkHWEDeAgPVgXAs4+wlLhAzsHmJ+bEwDCVKcOhjRYDV4J0WbBel5EgVf1f3BsDFAxDrgFM8K8ZkJcLScOPbCYfJWhqCsjKzeMwfZKJfWivIO7lW44reX+GhwzmmBfWXyWX6ueMrjA8fUDagT8mGrEFa0nXwn/pFAchkQSzEozrMa6HyoNjzN1y8ddTxz+nMaRsf4uIbInZAb+h4RI8cD+sAzNDtNuVQZld9s8Q9M/HNQVC6c4qwyVSg6SysdHZgErpwVEmg07fvZbS67WfeOQi1K3ECgdpS5jfCOtu6eM/MjSPz64EHQesR1PzxmufOaq6kE3vg9CyixVaZ54jQlqu3Hw/a+QlW1ZwReJ87onrjRWTU69oEyGWoZinLqZRzV9fO7iQFwQO7zdTLQZ7aXeX9x9NDS66vOMVCL+LuwhP6HTb2QvAOZdfLMEbyiK1MUa/GmHdzQStCxPyi0SxtEZGPK0Pdf91Rjhf0PzeBSwEXUKTPyhk9XYE220ibCy8lc0SQdyaBOHANguonVETIAmHI9bd2yj/6qFe/ZTtRXraIEou5ZxPl7oO81tNQ4txZTqVH0rqxvrouM3tw==
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+tracker.security.nixos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHib5Kk39PzPEheOf8fwIyeVbVgSzUiqUN2vSIXHO7N
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8

infra/host_keys

@@ -29,7 +29,7 @@ provider "hcloud" {
 resource "hcloud_server" "stfmaster" {
   name        = "security-tracker-1"
   image       = "debian-12"
-  server_type = "cx32"
+  server_type = "cpx41"
   public_net {
     ipv4_enabled = true
     ipv6_enabled = true