authorseth <[email protected]>2023-12-13 22:06:24 -0500
committerseth <[email protected]>2023-12-14 03:34:54 -0500
commit78a344c27ded577693734ed733a57cfd582700a3 (patch)
tree2679c6b33073c70c6f33a66f5ef3955fefe64bff
parent974decdfa3449f47892532f9ac728275fb9fa2df (diff)
tree-wide: back to attic & gha again
-rw-r--r--.github/workflows/ci.yaml123
-rw-r--r--.github/workflows/deploy.yaml28
-rw-r--r--README.md4
-rw-r--r--ci.nix33
-rw-r--r--dev.nix5
-rw-r--r--flake.lock57
-rw-r--r--flake.nix23
-rw-r--r--garnix.yaml9
-rw-r--r--modules/shared/nix.nix4
-rw-r--r--secrets/atlas/atticCreds.age10
-rw-r--r--secrets/secrets.nix1
-rw-r--r--systems/atlas/attic.nix33
-rw-r--r--systems/atlas/default.nix1
-rw-r--r--systems/atlas/nginx.nix24
-rw-r--r--systems/default.nix5
-rw-r--r--tf/cloudflare/dns.nix5
-rw-r--r--users/seth/programs/default.nix39
-rw-r--r--workflow.nix16
18 files changed, 332 insertions, 88 deletions
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..60e2dec
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,123 @@
+name: CI
+
+on:
+ pull_request:
+ workflow_call:
+ secrets:
+ ATTIC_TOKEN:
+ required: true
+ workflow_dispatch:
+
+jobs:
+ eval:
+ name: Evaluate flake
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.evaluate.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Evaluate matrix
+ id: evaluate
+ run: |
+ set -eu
+ echo "matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+
+ build:
+ needs: eval
+
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ name: Build (${{ matrix.attr }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup QEMU
+ if: matrix.arch == 'aarch64'
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: "arm64"
+
+ - name: Install Nix
+ if: matrix.arch != 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Install Nix (with aarch64)
+ if: matrix.arch == 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+ with:
+ extra-conf: "extra-platforms = aarch64-linux arm-linux"
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ if: github.event_name != 'pull_request'
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: flake
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Run build
+ run: |
+ nix build -L --accept-flake-config .#${{ matrix.attr }}
+
+ check:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ name: Check flake (${{ matrix.os }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ if: github.event_name != 'pull_request'
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: flake
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Run check
+ run: nix flake check --show-trace --accept-flake-config
+
+ # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+ gate:
+ needs: [build, check]
+
+ name: CI Gate
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: Exit with result
+ run: |
+ build_result="${{ needs.build.result }}"
+ check_result="${{ needs.check.result }}"
+
+ results=("$build_result" "$check_result")
+
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+
+ exit 0
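Review bot: The action that receives the cache push token, `ryanccn/attic-action@v0` in the "Setup Attic cache" steps of both `build` and `check`, is referenced by a mutable tag, as are `DeterminateSystems/nix-installer-action@v9`, `DeterminateSystems/magic-nix-cache-action@v2` and `docker/setup-qemu-action@v3`; a moved tag would run whatever it points at with `secrets.ATTIC_TOKEN` in the step environment. Pin each third-party action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: ryanccn/attic-action@<commit-sha>  # v0`, and let Dependabot or Renovate bump the pins. The same references appear in the deploy.yaml hunk below. The `if: github.event_name != 'pull_request'` gating on the Attic steps is what keeps the token out of fork PR runs, so it should stay attached to those steps if they are reordered later.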
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 083269b..0311f3f 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,34 +1,38 @@
name: Deploy infrastructure
on:
- check_suite:
- types: [completed]
+ push:
+ branches: [main]
workflow_dispatch:
jobs:
+ ci:
+ name: CI
+ uses: ./.github/workflows/ci.yaml
+ secrets: inherit
+
nixos:
- name: Deploy NixOS systems
+ needs: ci
+ name: Deploy NixOS systems
runs-on: ubuntu-latest
concurrency:
group: deploy
cancel-in-progress: true
- # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667
- if: github.event.check_suite.app.name == 'Garnix CI'
- && github.event.check_suite.conclusion == 'success'
- && github.event.check_suite.latest_check_runs_count >= 12
- && github.event.check_suite.head_branch == 'main'
-
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v9
- - name: Setup local Nix cache
- uses: DeterminateSystems/magic-nix-cache-action@v2
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: flake
+ token: ${{ secrets.ATTIC_TOKEN }}
- name: Connect to Tailscale
uses: tailscale/github-action@v2
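Review bot: Dropping the old `head_branch == 'main'` condition without a replacement lets a `workflow_dispatch` run started from any ref deploy that ref, because `branches: [main]` only constrains the `push` trigger; add `if: github.ref == 'refs/heads/main'` to the `nixos` job (or put it behind a protected `environment:`) to restore the guard. `secrets: inherit` on the `ci` job forwards every repository secret to the reusable workflow, while ci.yaml declares only `ATTIC_TOKEN`; passing it explicitly, `secrets:` with `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}`, keeps the grant minimal. The `nixos` job's steps continue outside this hunk.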
@@ -97,7 +101,7 @@ jobs:
- name: Validate plan
run: |
nix develop --accept-flake-config \
- --command tofu validate
+ --command tofu validate
- name: Apply
run: |
diff --git a/README.md b/README.md
index 720d277..641c89d 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
[![made with neovim](https://img.shields.io/static/v1?label=made%20with&message=neovim&color=00b952&style=flat-square&logo=neovim)](https://neovim.io/)
[![nixos unstable](https://img.shields.io/static/v1?label=NixOS&message=unstable&color=5277c3&style=flat-square&logo=nixos)](https://nixos.org/)
-[![built with garnix](https://img.shields.io/endpoint?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Fgetchoo%2Fflake%3Fbranch%3Dmain)](https://garnix.io)
+![build status](https://img.shields.io/github/actions/workflow/status/getchoo/flake/deploy.yaml?style=flat-square&logo=github&logoColor=238F97CB&label=CI&color=8f97cb)
greasy taco i love
@@ -34,7 +34,7 @@ my ampere arm server from oracle, services my miniflux instance.
there are some amazing tools i use to make/manage this flake that i would highly recommend checking out:
-- [garnix](https://garnix.io)
+- [attic](https://github.com/zhaofengli/attic)
- [home-manager](https://github.com/nix-community/home-manager)
- [agenix](https://github.com/ryantm/agenix)
- [deploy-rs](https://github.com/serokell/deploy-rs)
diff --git a/ci.nix b/ci.nix
deleted file mode 100644
index 0dda2c0..0000000
--- a/ci.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{self, ...}: {
- perSystem = {
- lib,
- pkgs,
- system,
- config,
- ...
- }: let
- # get applicable system configurations
- configurations = lib.getAttrs ["darwinConfigurations" "homeConfigurations" "nixosConfigurations"] self;
-
- systems = lib.pipe (builtins.attrValues configurations) [
- (builtins.foldl' (acc: attr: acc // attr) {})
- (lib.filterAttrs (_: v: v.pkgs.system == system))
- (lib.mapAttrsToList (_: v: v.config.system.build.toplevel or v.activationPackage))
- ];
-
- required = lib.concatLists [
- systems
- # and other checks
- (builtins.attrValues (builtins.removeAttrs config.checks ["ciGate"]))
- ];
-
- paths =
- builtins.foldl' (
- acc: deriv:
- acc // {${deriv.pname or deriv.name} = deriv.path or deriv.outPath;}
- ) {}
- required;
- in {
- packages.ciGate = pkgs.linkFarm "ci-gate" paths;
- };
-}
diff --git a/dev.nix b/dev.nix
index 49b6215..7ff2996 100644
--- a/dev.nix
+++ b/dev.nix
@@ -36,7 +36,10 @@
jq
opentofu
]
- ++ lib.optional stdenv.isLinux inputs'.agenix.packages.agenix;
+ ++ lib.optionals stdenv.isLinux (with inputs'; [
+ agenix.packages.agenix
+ attic.packages.default
+ ]);
};
};
diff --git a/flake.lock b/flake.lock
index 31fbfce..2448789 100644
--- a/flake.lock
+++ b/flake.lock
@@ -57,6 +57,41 @@
"type": "github"
}
},
+ "attic": {
+ "inputs": {
+ "crane": [
+ "lanzaboote",
+ "crane"
+ ],
+ "flake-compat": [
+ "pre-commit",
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "pre-commit",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": [
+ "nixpkgs-stable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1698258239,
+ "narHash": "sha256-qnhoYYIJ0L/P7H/f56lQUEvpzNlXh4sxuHpRERV+B44=",
+ "owner": "zhaofengli",
+ "repo": "attic",
+ "rev": "e9918bc6be268da6fa97af6ced15193d8a0421c0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "zhaofengli",
+ "repo": "attic",
+ "type": "github"
+ }
+ },
"catppuccin": {
"inputs": {
"home-manager": [
@@ -390,6 +425,26 @@
"type": "github"
}
},
+ "nix2workflow": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1699416125,
+ "narHash": "sha256-IQHjxELWK6DBWbqYwggO4Q9gJbOm0XS3aCgMRzQWwZU=",
+ "owner": "getchoo",
+ "repo": "nix2workflow",
+ "rev": "f1de38cfea711e9a788794b5a658298b4062defb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "getchoo",
+ "repo": "nix2workflow",
+ "type": "github"
+ }
+ },
"nixos-hardware": {
"locked": {
"lastModified": 1701656485,
@@ -548,6 +603,7 @@
"inputs": {
"agenix": "agenix",
"arkenfox": "arkenfox",
+ "attic": "attic",
"catppuccin": "catppuccin",
"darwin": "darwin",
"deploy": "deploy",
@@ -556,6 +612,7 @@
"hm": "hm",
"lanzaboote": "lanzaboote",
"nix-index-database": "nix-index-database",
+ "nix2workflow": "nix2workflow",
"nixos-hardware": "nixos-hardware",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index ac378c3..1be8bbf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
description = "getchoo's flake for system configurations";
nixConfig = {
- extra-substituters = ["https://cache.garnix.io"];
- extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ extra-substituters = ["https://cache.mydadleft.me/flake"];
+ extra-trusted-public-keys = ["flake:qQ6D8Mem+0lqpvzgCwKiUkwjoB7iRhVJwVh71+iwk9U="];
};
inputs = {
@@ -38,6 +38,17 @@
};
};
+ attic = {
+ url = "github:zhaofengli/attic";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ nixpkgs-stable.follows = "nixpkgs-stable";
+ crane.follows = "lanzaboote/crane";
+ flake-compat.follows = "pre-commit/flake-compat";
+ flake-utils.follows = "pre-commit/flake-utils";
+ };
+ };
+
catppuccin = {
url = "github:Stonks3141/ctp-nix";
inputs = {
@@ -88,6 +99,11 @@
};
};
+ nix2workflow = {
+ url = "github:getchoo/nix2workflow";
+ inputs.nixpkgs-lib.follows = "nixpkgs";
+ };
+
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
@@ -142,14 +158,15 @@
parts.lib.mkFlake {inherit inputs;} {
imports = [
inputs.pre-commit.flakeModule
+ inputs.nix2workflow.flakeModule
./modules
./overlay
./systems
./tf
./users
- ./ci.nix
./dev.nix
+ ./workflow.nix
];
systems = [
diff --git a/garnix.yaml b/garnix.yaml
deleted file mode 100644
index 56fb2e4..0000000
--- a/garnix.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-builds:
- exclude:
- - "*.x86_64-darwin.*"
- include:
- - "checks.*.*"
- - "devShells.x86_64-linux.default"
- - "nixosConfigurations.*"
- - "homeConfigurations.seth"
- - "packages.*.*"
diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix
index d88285d..603a485 100644
--- a/modules/shared/nix.nix
+++ b/modules/shared/nix.nix
@@ -20,8 +20,8 @@
auto-optimise-store = pkgs.stdenv.isLinux;
experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"];
- trusted-substituters = lib.mkDefault ["https://cache.garnix.io"];
- trusted-public-keys = lib.mkDefault ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ trusted-substituters = lib.mkDefault ["https://cache.mydadleft.me/flake"];
+ trusted-public-keys = lib.mkDefault ["flake:qQ6D8Mem+0lqpvzgCwKiUkwjoB7iRhVJwVh71+iwk9U="];
nix-path = config.nix.nixPath;
};
diff --git a/secrets/atlas/atticCreds.age b/secrets/atlas/atticCreds.age
new file mode 100644
index 0000000..66f67de
--- /dev/null
+++ b/secrets/atlas/atticCreds.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Z+DMuj5SNF0RLnMM/BduObtsCoSP3towH0Y84dZdb2c
+aZvItxg0B//pl6nxrFKDrz3jOiqWmfo4IILx3my9ZAU
+-> X25519 twK0Y9wvS9oqG08KxkVi4ukc+MmVrV6KLsTgt3LhvVk
+Rsk9a3Zn/OjiRJKBdHYGozJP8D/G2cayJq1BMJ4fegI
+-> ^_ibAP-(-grease {wh# G
+x9Q8AQm5K/Juzfe185fe1Rq2dyclD+62p8onj/KFR7ZUvd8uL4sMwg
+--- bSh0kIICHCV1vFS0p7d1MqX3YVf52NPFuipjGjBDzf8
+@BCޛ�NJ�e�a����,�@�� ��J�Qj�Q�{�q��D���闼-qN(�)3:�� �""��5`��}���� ��Bmi�WK�?4
+6�\�8�^������C�j�??�k���4s�Ѻ ,,���-6Lɪ���R�>̗���� ��Vq�O8�� \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 958eda3..afb5fcb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -27,6 +27,7 @@ let
files = [
"rootPassword.age"
"userPassword.age"
+ "atticCreds.age"
"miniflux.age"
"tailscaleAuthKey.age"
"cloudflaredCreds.age"
diff --git a/systems/atlas/attic.nix b/systems/atlas/attic.nix
new file mode 100644
index 0000000..a810eb5
--- /dev/null
+++ b/systems/atlas/attic.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ inputs',
+ secretsDir,
+ ...
+}: {
+ age.secrets.atticCreds.file = secretsDir + "/atticCreds.age";
+
+ environment.systemPackages = [inputs'.attic.packages.default];
+
+ services.atticd = {
+ enable = true;
+
+ credentialsFile = config.age.secrets.atticCreds.path;
+
+ settings = {
+ listen = "[::]:5000";
+
+ api-endpoint = "https://cache.${config.networking.domain}/";
+
+ chunking = let
+ kb = 1024;
+ in {
+ nar-size-threshold = 64 * kb;
+ min-size = 16 * kb;
+ avg-size = 64 * kb;
+ max-size = 256 * kb;
+ };
+
+ compression.type = "zstd";
+ };
+ };
+}
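Review bot: `listen = "[::]:5000"` binds atticd on every interface, but the only intended path is nginx's `proxyPass` to `http://localhost:5000` (nginx.nix hunk below), so unless the host firewall already blocks 5000 the API and its upload endpoint are reachable over plain HTTP without passing through the `cache` vhost; bind to loopback instead, `listen = "127.0.0.1:5000";` (or `"[::1]:5000"`, depending on how `localhost` resolves on this host — confirm). `credentialsFile` is taken from agenix, so the server token secret stays out of the store; the chunk sizes and `compression.type` look reasonable. If a `networking.firewall` rule covering 5000 exists elsewhere, it is not visible in this commit.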
diff --git a/systems/atlas/default.nix b/systems/atlas/default.nix
index 2a8346f..e527af9 100644
--- a/systems/atlas/default.nix
+++ b/systems/atlas/default.nix
@@ -6,6 +6,7 @@
}: {
imports = [
./hardware-configuration.nix
+ ./attic.nix
./miniflux.nix
./nginx.nix
];
diff --git a/systems/atlas/nginx.nix b/systems/atlas/nginx.nix
index 866b605..fbf081a 100644
--- a/systems/atlas/nginx.nix
+++ b/systems/atlas/nginx.nix
@@ -1,29 +1,41 @@
-{config, ...}: let
- inherit (config.networking) domain;
-
+{
+ config,
+ lib,
+ ...
+}: let
mkProxy = endpoint: port: {
"${endpoint}" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
+
+ toVHosts = lib.mapAttrs' (
+ name: value: lib.nameValuePair "${name}.${config.networking.domain}" value
+ );
in {
server.services.cloudflared.enable = true;
services.nginx = {
enable = true;
+ clientMaxBodySize = "1250m";
+
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
- virtualHosts = {
- "miniflux.${domain}" = {
+ virtualHosts = toVHosts {
+ cache = {
+ locations = mkProxy "/" "5000";
+ };
+
+ miniflux = {
locations = mkProxy "/" "7000";
};
- "msix.${domain}" = {
+ msix = {
root = "/var/www/msix";
};
};
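Review bot: `clientMaxBodySize = "1250m"` is set at `services.nginx` level and therefore applies to every vhost, including `miniflux` and `msix`, which have no need for gigabyte request bodies; scope it to the cache vhost instead, e.g. `cache = { locations = mkProxy "/" "5000"; extraConfig = "client_max_body_size 1250m;"; };`, and leave the global default alone. Since `cache` is published as a CNAME to the Cloudflare tunnel (dns.nix hunk below), Cloudflare's own request-body limit may reject uploads well below 1250m — worth confirming against the plan in use. The `services.nginx` block continues past the end of this hunk.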
diff --git a/systems/default.nix b/systems/default.nix
index de2f9e1..2c7eec4 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -65,9 +65,10 @@ in {
atlas = {
builder = inputs.nixpkgs-stable.lib.nixosSystem;
system = "aarch64-linux";
- modules =
+ modules = with inputs;
[
- inputs.teawiebot.nixosModules.default
+ teawiebot.nixosModules.default
+ attic.nixosModules.atticd
]
++ server;
};
diff --git a/tf/cloudflare/dns.nix b/tf/cloudflare/dns.nix
index 9618019..9598b71 100644
--- a/tf/cloudflare/dns.nix
+++ b/tf/cloudflare/dns.nix
@@ -31,6 +31,11 @@ in {
type = "CNAME";
};
+ cache = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
miniflux = {
value = atlas_tunnel;
type = "CNAME";
diff --git a/users/seth/programs/default.nix b/users/seth/programs/default.nix
index c61a4d1..0de43c0 100644
--- a/users/seth/programs/default.nix
+++ b/users/seth/programs/default.nix
@@ -13,24 +13,27 @@
./vim.nix
];
- home.packages = with pkgs; [
- fd
- nurl
- rclone
- restic
-
- (let
- getchvim = inputs'.getchvim.packages.default;
- in
- # remove desktop file
- symlinkJoin {
- name = builtins.replaceStrings ["neovim"] ["neovim-nodesktop"] getchvim.name;
- paths = [getchvim];
- postBuild = ''
- rm -rf $out/share/{applications,icons}
- '';
- })
- ];
+ home.packages = with pkgs;
+ [
+ fd
+ nix-output-monitor
+ nurl
+ rclone
+ restic
+
+ (let
+ getchvim = inputs'.getchvim.packages.default;
+ in
+ # remove desktop file
+ symlinkJoin {
+ name = builtins.replaceStrings ["neovim"] ["neovim-nodesktop"] getchvim.name;
+ paths = [getchvim];
+ postBuild = ''
+ rm -rf $out/share/{applications,icons}
+ '';
+ })
+ ]
+ ++ lib.optional stdenv.isLinux inputs'.attic.packages.default;
catppuccin.flavour = "mocha";
diff --git a/workflow.nix b/workflow.nix
new file mode 100644
index 0000000..ad34794
--- /dev/null
+++ b/workflow.nix
@@ -0,0 +1,16 @@
+{
+ githubWorkflowGenerator = {
+ outputs = [
+ "checks"
+ "devShells"
+ "nixosConfigurations"
+ "darwinConfigurations"
+ ];
+
+ overrides = {
+ app.systems = ["x86_64-linux"];
+ checks.systems = ["x86_64-linux"];
+ devShells.systems = ["x86_64-linux"];
+ };
+ };
+}
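Review bot: `overrides.app.systems` names an output that does not appear in `outputs` (which lists `checks`, `devShells`, `nixosConfigurations`, `darwinConfigurations`), so as written it is dead configuration — presumably `apps` was meant, or the key should be dropped; which one depends on nix2workflow's option schema, which is not visible here. A short header comment would also help, e.g. `# matrix consumed by .github/workflows/ci.yaml via nix eval .#githubWorkflow.matrix`. Note that ci.yaml's `check` job runs `nix flake check` on macos-latest while `checks.systems` here is restricted to x86_64-linux — confirm that asymmetry is intended.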