From b2d4695112b7b50250e0d9b4f017758d946b58e7 Mon Sep 17 00:00:00 2001
From: GuettliBot2
Date: Sun, 17 May 2026 11:50:39 +0200
Subject: [PATCH] ci: add remote Dagger server setup with port probing
---
 .forgejo/workflows/ci.yml | 40 ++++++++++++++++++
 flake.nix | 4 ++
 scripts/setup_dagger_remote.sh | 76 ++++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100755 scripts/setup_dagger_remote.sh
diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index d37af76..0c00f7d 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -25,6 +25,22 @@ jobs:
 mkdir -p ~/.config/nix
 echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ - name: Setup Dagger Remote Engine (via stunnel)
+ env:
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+ DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+ DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+ run: nix develop --no-warn-dirty --command scripts/setup_dagger_remote.sh
+ - name: Setup Dagger Remote Engine (via stunnel)
+ env:
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+ DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+ DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+ run: nix develop --no-warn-dirty --command scripts/setup_dagger_remote.sh
+
 - name: Run Full Check Suite
 run: nix develop --no-warn-dirty --command dagger call --progress=plain -m ci check --source .
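Review bot: The `Setup Dagger Remote Engine (via stunnel)` step is added twice back to back in this hunk; the second run of scripts/setup_dagger_remote.sh starts another stunnel on the already-bound 127.0.0.1:1774, which most likely fails to bind and is then reported as "stunnel failed to start" by the script's own `kill -0` check, failing the job. Drop the second copy. The same step is added once in each of the three later ci.yml hunks and needs no change there. If any trigger can run without the `SSH_HOST` secret, the step fails at the first probe; an `if:` guard on the secret would make that explicit instead of incidental.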
@@ -48,6 +64,14 @@ jobs:
 mkdir -p ~/.config/nix
 echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ - name: Setup Dagger Remote Engine (via stunnel)
+ env:
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+ DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+ DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+ run: nix develop --no-warn-dirty --command scripts/setup_dagger_remote.sh
+
 - name: Build & Deploy Linux to server
 continue-on-error: true
 env:
@@ -78,6 +102,14 @@ jobs:
 mkdir -p ~/.config/nix
 echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ - name: Setup Dagger Remote Engine (via stunnel)
+ env:
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+ DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+ DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+ run: nix develop --no-warn-dirty --command scripts/setup_dagger_remote.sh
+
 - name: Install Android SDK (cached on runner between runs)
 run: |
 SDK="${ANDROID_HOME:-$HOME/Android/Sdk}"
@@ -145,6 +177,14 @@ jobs:
 mkdir -p ~/.config/nix
 echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ - name: Setup Dagger Remote Engine (via stunnel)
+ env:
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+ DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+ DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+ run: nix develop --no-warn-dirty --command scripts/setup_dagger_remote.sh
+
 - name: Generate build history and deploy website
 continue-on-error: true
 env:
diff --git a/flake.nix b/flake.nix
index a842c6c..6c5c993 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,7 +29,11 @@
 cairo
 gdk-pixbuf
 harfbuzz
+ # Dagger remote setup dependencies
+ stunnel
+ netcat
 ];
+
 fgj = pkgs.stdenv.mkDerivation {
 pname = "fgj";
 version = "0.4.0";
diff --git a/scripts/setup_dagger_remote.sh b/scripts/setup_dagger_remote.sh
new file mode 100755
index 0000000..3ad5130
--- /dev/null
+++ b/scripts/setup_dagger_remote.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Establishes a secure tunnel to a remote Dagger Engine via stunnel.
+# Probes ports 8774 and 8775 to find the active server.
+set -euo pipefail
+
+SERVER_IP="${DAGGER_SERVER_IP:-${SSH_HOST:-}}"
+if [ -z "$SERVER_IP" ]; then
+ echo "Error: DAGGER_SERVER_IP or SSH_HOST must be set."
+ exit 1
+fi
+
+# 1. Probe for active port
+REMOTE_PORT=""
+for port in 8774 8775; do
+ echo "Probing $SERVER_IP:$port..."
+ if nc -zw 3 "$SERVER_IP" "$port" 2>/dev/null; then
+ echo "Found active Dagger server on $SERVER_IP:$port"
+ REMOTE_PORT="$port"
+ break
+ fi
+done
+
+if [ -z "$REMOTE_PORT" ]; then
+ echo "Error: No Dagger server responded on $SERVER_IP:8774 or 8775"
+ # Fallback: If no remote server is found, we could just let Dagger start a local engine,
+ # but the user specifically wants the shared server. For now, we fail to be explicit.
+ exit 1
+fi
+
+# 2. Setup TLS credentials (passed as env vars from secrets)
+mkdir -p /tmp/dagger-tls
+echo "$DAGGER_CA_CERT" > /tmp/dagger-tls/ca.crt
+echo "$DAGGER_CLIENT_CERT" > /tmp/dagger-tls/client.crt
+echo "$DAGGER_CLIENT_KEY" > /tmp/dagger-tls/client.key
+chmod 600 /tmp/dagger-tls/client.key
+
+# 3. Configure and start stunnel
+# We use a temp config file
+STUNNEL_CONF="/tmp/stunnel-dagger.conf"
+cat << EOF > "$STUNNEL_CONF"
+client = yes
+foreground = yes
+pid = /tmp/stunnel.pid
+
+[dagger]
+accept = 127.0.0.1:1774
+connect = $SERVER_IP:$REMOTE_PORT
+CAfile = /tmp/dagger-tls/ca.crt
+cert = /tmp/dagger-tls/client.crt
+key = /tmp/dagger-tls/client.key
+verifyChain = yes
+EOF
+
+# Start stunnel in the background
+# We assume 'stunnel' is in the PATH (provided by Nix)
+stunnel "$STUNNEL_CONF" &
+TUNNEL_PID=$!
+
+# Give it a moment to establish
+sleep 2
+
+if ! kill -0 "$TUNNEL_PID" 2>/dev/null; then
+ echo "Error: stunnel failed to start"
+ exit 1
+fi
+
+# 4. Export environment for subsequent CI steps
+if [ -n "${GITHUB_ENV:-}" ]; then
+ echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774" >> "$GITHUB_ENV"
+ echo "_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774" >> "$GITHUB_ENV"
+ echo "Tunnel established. Dagger is configured to use the remote engine."
+else
+ export _EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774
+ export _DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774
+ echo "Tunnel established. Run: export _DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774"
+fi
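Review bot: In step 2 the TLS material goes to the fixed path /tmp/dagger-tls under the default umask, so ca.crt and client.crt stay readable to every user of the runner and client.key is too until the `chmod 600` on the following line runs; on a shared or reused runner that path is also predictable and may already be owned by someone else. Create the directory with `mktemp -d` after `umask 077`, and assert the three secrets with `: "${DAGGER_CA_CERT:?}"` before writing them, otherwise `set -u` aborts with an opaque unbound-variable message when a secret is missing. The stunnel config sets `verifyChain = yes` but pins nothing about the peer, so any certificate issued by that CA is accepted; `checkIP = $SERVER_IP` (or `checkHost` when a name is used) narrows it, provided the server certificate carries that SAN. The `sleep 2` / `kill -0` check only proves the process is alive, not that the TLS handshake succeeds, so a wrong CA or key surfaces only when a later `dagger call` fails; it is not clear from the hunk whether a backgrounded stunnel outlives the `nix develop --command` step on this runner, which is worth confirming before the exported runner host is relied on. The fence rewrites step 2 and the TLS lines of the config.
```shell
# 2. Setup TLS credentials (passed as env vars from secrets)
: "${DAGGER_CA_CERT:?must be set}" "${DAGGER_CLIENT_CERT:?must be set}" "${DAGGER_CLIENT_KEY:?must be set}"
umask 077
TLS_DIR="$(mktemp -d)"
printf '%s\n' "$DAGGER_CA_CERT" > "$TLS_DIR/ca.crt"
printf '%s\n' "$DAGGER_CLIENT_CERT" > "$TLS_DIR/client.crt"
printf '%s\n' "$DAGGER_CLIENT_KEY" > "$TLS_DIR/client.key"
# … unchanged: STUNNEL_CONF, cat << EOF, client/foreground/pid/accept lines …
connect = $SERVER_IP:$REMOTE_PORT
CAfile = $TLS_DIR/ca.crt
cert = $TLS_DIR/client.crt
key = $TLS_DIR/client.key
verifyChain = yes
checkIP = $SERVER_IP
# … unchanged: EOF, stunnel start, liveness check, env export …
```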