From df5d1bae4debba859dc37f2448e1ad346451c147 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 18 Feb 2026 10:21:29 -0800
Subject: [PATCH] Add Dagger flake-lock function and improve provision-ringtail
- New `flake-lock` Dagger function: runs `nix flake lock` in a nixos/nix container, returns the updated flake.lock file.
- provision-ringtail now: updates flake.lock via Dagger before deploy, verifies current commit is pushed to forge, and passes the exact commit SHA to the ansible playbook.
- Playbook accepts `ringtail_commit` var to deploy a specific ref.
Co-Authored-By: Claude Opus 4.6
---
 .dagger/src/blumeops_ci/main.py | 16 ++++++++++++++++
 ansible/playbooks/ringtail.yml | 2 +-
 mise-tasks/provision-ringtail | 24 +++++++++++++++++++++++-
 3 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/.dagger/src/blumeops_ci/main.py b/.dagger/src/blumeops_ci/main.py
index 5cd70e4..4410f30 100644
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@@ -1,6 +1,8 @@
 import dagger
 from dagger import dag, function, object_type
+NIX_IMAGE = "nixos/nix:2.33.3"
+
 @object_type
 class BlumeopsCi:
@@ -67,3 +69,17 @@ class BlumeopsCi:
 )
 .file(f"/docs-{version}.tar.gz")
 )
+
+ @function
+ async def flake_lock(
+ self, src: dagger.Directory, flake_path: str = "nixos/ringtail"
+ ) -> dagger.File:
+ """Resolve flake inputs and return updated flake.lock."""
+ return await (
+ dag.container()
+ .from_(NIX_IMAGE)
+ .with_directory("/workspace", src)
+ .with_workdir(f"/workspace/{flake_path}")
+ .with_exec(["nix", "flake", "lock", "--accept-flake-config"])
+ .file(f"/workspace/{flake_path}/flake.lock")
+ )
diff --git a/ansible/playbooks/ringtail.yml b/ansible/playbooks/ringtail.yml
index 61911a1..ad36511 100644
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
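Review bot: `NIX_IMAGE` pins the container by tag only, and a registry tag can be re-pointed, so the image that resolves the inputs and writes flake.lock is not fixed by this line. Pinning by digest keeps the version readable and makes the pull reproducible: `NIX_IMAGE = "nixos/nix:2.33.3@sha256:<digest-of-the-reviewed-image>"`. The digest is a placeholder here and has to come from the image that was actually reviewed.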
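Review bot: `--accept-flake-config` in the `with_exec` call makes Nix apply the flake's `nixConfig` without prompting, and that section can carry settings such as extra substituters and trusted keys, so the flag widens what a change to flake.nix can do during a lock run. If nixos/ringtail declares no `nixConfig` the flag can simply be dropped; if it does, a comment above the call should name the setting that needs it, e.g. `# --accept-flake-config: needed for <setting> in nixos/ringtail/flake.nix nixConfig`. The docstring would also benefit from saying that the step fetches flake inputs over the network and that the returned file is meant to be exported over the committed flake.lock. The class body starts outside this hunk.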
@@ -8,7 +8,7 @@
 ansible.builtin.git:
 repo: "https://forge.ops.eblu.me/eblume/blumeops.git"
 dest: /etc/blumeops
- version: main
+ version: "{{ ringtail_commit | default('main') }}"
 force: true
 register: _repo
diff --git a/mise-tasks/provision-ringtail b/mise-tasks/provision-ringtail
index cb5effe..a2a84cb 100755
--- a/mise-tasks/provision-ringtail
+++ b/mise-tasks/provision-ringtail
@@ -5,5 +5,27 @@ set -euo pipefail
 export MISE_TASK_OUTPUT=interleave
+# Update flake.lock via Dagger before deploying
+echo "Updating nixos/ringtail/flake.lock..."
+dagger call flake-lock --src=. --flake-path=nixos/ringtail \
+ export --path=nixos/ringtail/flake.lock
+
+if ! git diff --quiet nixos/ringtail/flake.lock; then
+ git add nixos/ringtail/flake.lock
+ echo "flake.lock changed and staged. Commit, push, and re-run."
+ exit 1
+fi
+
+COMMIT=$(git rev-parse HEAD)
+REMOTE_REF=$(git ls-remote origin "$(git rev-parse --abbrev-ref HEAD)" 2>/dev/null | awk '{print $1}')
+
+if [[ "$REMOTE_REF" != "$COMMIT" ]]; then
+ echo "ERROR: Current commit $COMMIT is not pushed to forge."
+ echo "Push your changes first: git push"
+ exit 1
+fi
+
+echo "Deploying commit $COMMIT to ringtail..."
+
 cd ansible
-ansible-playbook playbooks/ringtail.yml "$@"
+ansible-playbook playbooks/ringtail.yml -e "ringtail_commit=$COMMIT" "$@"
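Review bot: The `default('main')` fallback on the `version:` line keeps the unpinned path open: any run of this playbook that does not go through provision-ringtail still checks out whatever `main` points to, and `force: true` discards local state while doing so. If pinned deploys are the intent, requiring the variable makes that explicit, `version: "{{ ringtail_commit | mandatory }}"`. If the fallback is wanted, `default('main', true)` at least stops an empty `-e ringtail_commit=` from being passed through as the version. The task starts and ends outside this hunk.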
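Review bot: If `git ls-remote` fails, the script exits with no message, because `2>/dev/null` discards its stderr and under `set -euo pipefail` the failed pipeline in the `REMOTE_REF=` assignment aborts before the "not pushed" branch is reached. Dropping the redirect and asking for the full ref also keeps a tag named like the branch from matching: `REMOTE_REF=$(git ls-remote origin "refs/heads/$(git rev-parse --abbrev-ref HEAD)" | awk '{print $1}')`. On the last line, a `-e ringtail_commit=...` arriving through `"$@"` comes after the pinned value and overrides it, so the verified SHA should go last: `ansible-playbook playbooks/ringtail.yml "$@" -e "ringtail_commit=$COMMIT"`. The check also assumes `origin` is the forge URL hard-coded in the playbook, which nothing in the hunk confirms.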