Title: OpenBSD in a CI environment with sourcehut
Author: Solène
Date: 03 December 2023
Tags: openbsd devops git
Description: In this article, you will learn how to use the sourcehut git forge to run CI in an OpenBSD environment
# Introduction

If you have ever needed a continuous integration pipeline to do some work in an OpenBSD environment, you have probably noticed that most Git forges don't offer OpenBSD as a host environment for their CI.

It turns out that sourcehut offers many environments, and OpenBSD is one of them; you can also find Guix, NixOS, NetBSD, FreeBSD or even 9front!

Let's see how this works.

sourcehut official website

sourcehut: Documentation about host systems offering in CI

Note that the CI is only available to paid accounts; the minimal fee is "$2/month or $20/year". There are no tiers, so as long as you pay something you have a paid account. Because sourcehut offers a clutter-free web interface and develops an open source product that is also capable of running OpenBSD in a CI environment, I decided to support them (I very rarely subscribe to any kind of service).

PS: sourcehut supports Mercurial projects too.
# The CI

Upon each CI trigger, a new VM is created. You define the operating system and version you want for the environment, and then what to do in it.

The CI works when your project has a "manifest" file at the path `.build.yml` at the root of the repository; it contains all the information about what to do.

sourcehut: Documentation about manifests and builds
# Secret management

When you run code in a CI, you often need secrets, and most often you need an SSH key if you want to push artefacts somewhere.

SSH key secrets are handled specially: if sourcehut recognizes a secret as a private SSH key, it automatically saves it in the right place for ssh to pick it up. Use a key dedicated to the CI rather than your personal one, so it can be revoked on its own if a build environment is ever compromised.

sourcehut: Documentation about secrets in CI
# Example

Here is a simple example of a manifest file I use to build a website with the static site generator hugo, and then push the result to a remote server.

```
image: openbsd/latest
packages:
  - hugo--
  - rsync--
secrets:
  - f20c67ec-64c2-46a2-a308-6ad929c5d2e7
sources:
  - git@git.sr.ht:~solene/my-project
tasks:
  - init: |
      cd my-project
      git clone https://github.com/adityatelange/hugo-PaperMod themes/PaperMod …
  - build: |
      cd my-project
      echo 'web.perso.pw ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKRj0NK7ZPMQgkgqw8…
      make
```
In the example above, we can notice different parts:

* image: this tells the manifest which OS to use; openbsd/latest means the latest release.
* packages: this tells which packages to install, it's OS-agnostic. I use extra dashes because alternate flavours of these packages exist and I just want the plain flavour of each (`hugo--` is the OpenBSD pkg_add syntax for "no flavour").
* secrets: this tells which secrets I want among the secrets stored in sourcehut, identified by their UUID. In this case it is a dedicated private SSH key.
* sources: this tells which sources to clone in the CI. Be careful though: if a repository is private, the CI needs to have an SSH key that can access the repository. I spent some time figuring this out the hard way.
* tasks: this defines which commands to run, grouped in named jobs that run in order.

If you use SSH, don't forget to populate `~/.ssh/known_hosts`, either with `ssh-keyscan` or by adding the known host key like I do. Keep in mind that `ssh-keyscan` simply trusts whatever key the remote presents at build time, so it cannot detect a machine-in-the-middle; pinning the host key in the manifest does, at the cost of needing an update if the server's host key ever changes.
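The deploy step of the `build` task, written out in full as an added example (this is not code from the original post or from sourcehut): the remote host key is pinned into a dedicated `known_hosts` file instead of being fetched with `ssh-keyscan`, and rsync is told to use only that file and only the dedicated deploy key, which covers both the secret-management and the `known_hosts` points above. The host name `web.example.org`, the `deploy` user, the remote path, the identity file path and the sample host key line are all constructed placeholders; the path where the CI stores the SSH key secret is an assumption, adjust it to what your build environment provides.

```shell
#!/bin/sh
# Added example, not from the original post or from sourcehut.
# Host name, user, paths and the sample host key below are constructed placeholders.
set -eu

# Constructed sample entry in known_hosts format: "host keytype base64-blob".
# This key is a dummy (all-zero key material) and will not match any real server;
# replace it with the server's real /etc/ssh/ssh_host_ed25519_key.pub, prefixed
# with the host name, obtained out of band.
PINNED_HOST_KEY='web.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# pin_host_key FILE ENTRY
# Writes ENTRY into FILE (created with mode 0600) unless it is already present.
# Rejects anything that does not look like "host keytype base64", so a typo in
# the manifest fails the build here instead of at the rsync step.
pin_host_key() {
    file=$1
    entry=$2
    set -- $entry                      # intentional word splitting into 3 fields
    if [ $# -ne 3 ]; then
        echo "pin_host_key: expected 'host keytype key', got: $entry" >&2
        return 1
    fi
    case $2 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "pin_host_key: unsupported key type: $2" >&2; return 1 ;;
    esac
    case $3 in
        *[!A-Za-z0-9+/=]*) echo "pin_host_key: key is not base64: $3" >&2; return 1 ;;
    esac
    if [ ! -e "$file" ]; then
        ( umask 077; : > "$file" )     # private file, like ~/.ssh itself
    fi
    if ! grep -qxF "$entry" "$file"; then
        printf '%s\n' "$entry" >> "$file"
    fi
}

# ssh_command KNOWN_HOSTS_FILE IDENTITY_FILE
# Prints the ssh command rsync should use: only the pinned known_hosts file is
# consulted, an unknown or changed host key is a hard failure (no prompt, no
# silent acceptance), and only the dedicated deploy key is offered.
ssh_command() {
    printf 'ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o IdentitiesOnly=yes -i %s' "$1" "$2"
}

# deploy_site SRC_DIR USER@HOST:DEST KNOWN_HOSTS_FILE IDENTITY_FILE
# Pushes the generated site (hugo writes it to public/ by default) over rsync.
deploy_site() {
    rsync -a -e "$(ssh_command "$3" "$4")" "$1/" "$2"
}

# Usage from the manifest's build task: `sh deploy.sh run` after `make`.
# The identity file path is an assumption about where the CI placed the secret.
if [ "${1:-}" = run ]; then
    kh=$HOME/.ssh/known_hosts.deploy
    pin_host_key "$kh" "$PINNED_HOST_KEY"
    deploy_site public deploy@web.example.org:/var/www/htdocs/site "$kh" "$HOME/.ssh/id_ed25519_deploy"
fi
```

Because `StrictHostKeyChecking=yes` refuses to connect when the presented key is absent from or different to the pinned file, a host key rotation shows up as a failed build rather than as a silently accepted new key, which is exactly the update the pinning approach asks you to make by hand.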
A cool thing is that when a CI job fails, the environment keeps running for at least 10 minutes and offers SSH access for debugging purposes.

sourcehut: Documentation about SSH into build environments
# Conclusion

I finally found a Git forge that is ethical and supportive of niche operating systems. Its interface may look bare, with fewer features, but it loads faster and is easier to understand. The price ($20/year) is higher than the competition (GitHub or GitLab), which can be used for free (up to a point), but they don't offer this choice of CI environments nor the elegant workflow sourcehut has.
# Going further

You can self-host a sourcehut instance if you prefer; it's open source and packaged for some Linux distributions.

sourcehut: Documentation about the deployment process