-rwxr-xr-x.github/eval-flake.sh90
-rw-r--r--.github/workflows/ci.yaml113
-rw-r--r--.github/workflows/deploy.yaml18
-rw-r--r--.gitignore1
-rw-r--r--README.md4
-rw-r--r--ci.nix62
-rw-r--r--dev.nix3
-rw-r--r--flake.nix4
-rw-r--r--garnix.yaml10
-rw-r--r--modules/shared/nix.nix4
10 files changed, 252 insertions, 57 deletions
diff --git a/.github/eval-flake.sh b/.github/eval-flake.sh
new file mode 100755
index 0000000..ceebcc9
--- /dev/null
+++ b/.github/eval-flake.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+### this is inspired by the ci script in [nixpkgs-unfree](https://github.com/numtide/nixpkgs-unfree)
+### link: https://github.com/numtide/nixpkgs-unfree/blob/127b9b18583de04c6207c2a0e674abf64fc4a3b1/ci.sh
+#
+## MIT License
+##
+## Copyright (c) 2022 Jonas Chevalier
+##
+## Permission is hereby granted, free of charge, to any person obtaining a copy
+## of this software and associated documentation files (the "Software"), to deal
+## in the Software without restriction, including without limitation the rights
+## to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+## copies of the Software, and to permit persons to whom the Software is
+## furnished to do so, subject to the following conditions:
+##
+## The above copyright notice and this permission notice shall be included in all
+## copies or substantial portions of the Software.
+##
+## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+## IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+## AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+## LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+## OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+## SOFTWARE.
+
+function get_os() {
+ case "$1" in
+ "x86_64-linux") echo "ubuntu-latest" ;;
+ "x86_64-darwin") echo "macos-latest" ;;
+ "aarch64-linux") echo "ubuntu-latst" ;;
+ esac
+}
+
+args=(
+ --gc-roots-dir gc-roots
+ --check-cache-status
+ --force-recurse
+ --option allow-import-from-derivation true
+ --show-trace
+ --flake
+ '.#hydraJobs'
+)
+
+if [[ -n "${GITHUB_STEP_SUMMARY-}" ]]; then
+ log() {
+ echo "$*" >> "$GITHUB_STEP_SUMMARY"
+ }
+else
+ log() {
+ echo "$*"
+ }
+fi
+
+jobs=$(nix-eval-jobs "${args[@]}" | jq -r '. | @base64')
+jq -n '{"include": []}' > matrix.json
+
+had_error=0
+echo "$jobs" | while read -r job; do
+ job=$(echo "$job" | base64 -d)
+ attr=$(echo "$job" | jq -r .attr)
+ echo "## $attr"
+
+ error=$(echo "$job" | jq -r '.error')
+ if [[ $error == null ]]; then
+ log "### ✅ $attr"
+
+ system=$(echo "$job" | jq -r .system)
+ isCached=$(echo "$job" | jq -r .isCached)
+
+ jq ".include += [{\"attr\": \"$attr\", \"os\": \"$(get_os "$system")\", \"isCached\": $isCached}]" < matrix.json > matrix.json.tmp
+ mv matrix.json.tmp matrix.json
+ else
+ log "### ❌ $attr"
+ log
+ log "<details><summary>Evaluation error:</summary><pre>"
+ log "$error"
+ log "</pre></details>"
+ had_error=1
+ fi
+done
+
+if [[ $had_error -gt 0 ]]; then
+ rm matrix.json
+ exit 1
+fi
+
+echo "matrix=$(jq -r 'tostring' matrix.json)" >> "$GITHUB_OUTPUT"
+rm matrix.json
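Review bot: `had_error=1` on line 102 is set inside the `echo "$jobs" | while read` loop, which bash runs in a pipeline subshell, so the `had_error` test after `done` always sees 0 and an evaluation error never fails the job or removes matrix.json. Feed the loop from the current shell instead, `while read -r job; do … done <<<"$jobs"`, so the assignment survives. Two smaller issues in the same hunk: `get_os` returns `ubuntu-latst` for `aarch64-linux` (a typo that yields an invalid `runs-on` value), and the `jq` call on line 94 builds its filter by string-interpolating `$attr`, `$system` and `$isCached`, which produces a broken filter for any attribute name containing a quote; passing them with `--arg`/`--argjson` keeps the values out of the filter text. `$GITHUB_OUTPUT` on the last line is also unguarded under `set -u`, unlike `GITHUB_STEP_SUMMARY`, so running the script outside Actions aborts there.
```shell
 "aarch64-linux") echo "ubuntu-latest" ;;
# … unchanged: args, log(), nix-eval-jobs call, matrix.json init …
had_error=0
while read -r job; do
  # … unchanged: decode job, print attr, read .error …
    jq --arg attr "$attr" --arg os "$(get_os "$system")" --argjson isCached "$isCached" \
      '.include += [{"attr": $attr, "os": $os, "isCached": $isCached}]' < matrix.json > matrix.json.tmp
  # … unchanged: mv, error branch …
done <<<"$jobs"
```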
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..c4fc11e
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,113 @@
+name: CI
+
+on:
+ pull_request:
+ workflow_call:
+ secrets:
+ CACHIX_AUTH_TOKEN:
+ description: "auth token for cachi"
+ workflow_dispatch:
+
+jobs:
+ eval:
+ name: Evaluate flake
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.eval.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Evaluate jobs
+ id: eval
+ run: |
+ nix shell --inputs-from . \
+ nixpkgs#{bash,coreutils,jq,nix-eval-jobs} \
+ --command bash ./.github/eval-flake.sh
+
+ build:
+ needs: eval
+
+ strategy:
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ name: Build (${{ matrix.attr }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Check if cached
+ if: ${{ matrix.isCached }}
+ run: |
+ echo ${{ matrix.attr }} is already built!
+
+ - name: Run build
+ if: ${{ !matrix.isCached }}
+ run: |
+ nix build --print-build-logs --fallback \
+ .#hydraJobs.${{ matrix.attr }}
+
+ check:
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ name: Check flake (${{ matrix.os }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Run check
+ run: |
+ nix flake check \
+ --print-build-logs \
+ --fallback \
+ --show-trace \
+ --option allow-import-from-derivation true
+
+ gate:
+ needs: [build, check]
+
+ name: CI Gate
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: Exit with result
+ run: |
+ build_result="${{ needs.build.result }}"
+ check_result="${{ needs.check.result }}"
+ results=("$build_result" "$check_result")
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+ exit 0
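Review bot: `${{ matrix.attr }}` is expanded directly into the shell text of the `run:` steps on lines 180 and 186, so an attribute name containing shell metacharacters becomes part of the command rather than data; pass it through the environment (`env: { ATTR: "${{ matrix.attr }}" }`) and use it quoted in the script, e.g. `nix build --print-build-logs --fallback ".#hydraJobs.$ATTR"`. The attribute names here come from the repository's own `hydraJobs`, so the exposure is limited, but routing through `env:` is the documented pattern and also copes with names containing dots or dashes. The secret description on line 126 reads "auth token for cachi" (missing the x). Not addressed by the hunk: when the eval script emits `{"include": []}`, `fromJSON` on line 160 gives `build` a matrix with no vectors, which I believe Actions rejects rather than treating as zero jobs — worth confirming before relying on the gate job's result.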
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 695d63c..98b3b1d 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,21 +1,21 @@
name: Deploy infrastructure
on:
- check_suite:
- types: [completed]
+ push:
+ branches: [main]
workflow_dispatch:
jobs:
+ ci:
+ uses: ./.github/workflows/ci.yaml
+ secrets: inherit
+
nixos:
+ needs: ci
+
name: Deploy NixOS systems
runs-on: ubuntu-latest
- # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667
- if: github.event.check_suite.app.name == 'Garnix CI'
- && github.event.check_suite.conclusion == 'success'
- && github.event.check_suite.latest_check_runs_count >= 10
- && github.event.check_suite.head_branch == 'main'
-
concurrency:
group: deploy
cancel-in-progress: true
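Review bot: `secrets: inherit` on line 247 hands every repository and organization secret to the called workflow, while `ci.yaml` only declares `CACHIX_AUTH_TOKEN` as an input; passing it explicitly, `secrets:` / `  CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}`, keeps the reusable workflow to the one secret it uses. With the trigger now `push` to `main` and `nixos` depending on `ci`, a deployment is skipped when the CI gate fails, which replaces the removed check-suite conditions; the unchanged `cancel-in-progress: true` on the `deploy` group (lines 260–262) still means a second push can cancel a deploy-rs run mid-way, which is worth a comment if intentional. The `jobs:` block continues past the hunk.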
@@ -49,9 +49,9 @@ jobs:
--command deploy
opentofu:
- name: Apply OpenTofu plan
needs: nixos
+ name: Apply OpenTofu plan
runs-on: ubuntu-latest
concurrency:
diff --git a/.gitignore b/.gitignore
index e45066e..708042a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
# nix build artifacts
result*
repl-result-out*
+gc-roots/
# dev shell
.pre-commit-config.yaml
diff --git a/README.md b/README.md
index 720d277..eb46f88 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
[![made with neovim](https://img.shields.io/static/v1?label=made%20with&message=neovim&color=00b952&style=flat-square&logo=neovim)](https://neovim.io/)
[![nixos unstable](https://img.shields.io/static/v1?label=NixOS&message=unstable&color=5277c3&style=flat-square&logo=nixos)](https://nixos.org/)
-[![built with garnix](https://img.shields.io/endpoint?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Fgetchoo%2Fflake%3Fbranch%3Dmain)](https://garnix.io)
+![build status](https://img.shields.io/github/actions/workflow/status/getchoo/flake/deploy.yaml?style=flat-square&logo=github&logoColor=238F97CB&label=CI&color=8f97cb)
greasy taco i love
@@ -34,9 +34,9 @@ my ampere arm server from oracle, services my miniflux instance.
there are some amazing tools i use to make/manage this flake that i would highly recommend checking out:
-- [garnix](https://garnix.io)
- [home-manager](https://github.com/nix-community/home-manager)
- [agenix](https://github.com/ryantm/agenix)
+- [cachix](https://cachix.org)
- [deploy-rs](https://github.com/serokell/deploy-rs)
- [flake-parts](https://github.com/hercules-ci/flake-parts)
- [terranix](https://github.com/terranix/terranix)
diff --git a/ci.nix b/ci.nix
index c2d3ae6..94eac3e 100644
--- a/ci.nix
+++ b/ci.nix
@@ -1,35 +1,33 @@
-{self, ...}: {
- perSystem = {
- lib,
- pkgs,
- system,
- config,
- ...
- }: {
- packages = let
- allConfigurations = [
- "nixosConfigurations"
- "darwinConfigurations"
- "homeConfigurations"
- ];
+{
+ lib,
+ self,
+ ...
+}: {
+ flake.hydraJobs = let
+ ciSystems = ["x86_64-linux" "x86_64-darwin"];
+ recursiveMerge = builtins.foldl' lib.recursiveUpdate {};
+ in
+ recursiveMerge [
+ (let
+ outputs = lib.getAttrs ["checks" "devShells"] self;
+ isCompatible = system: _: lib.elem system ciSystems;
+ in
+ lib.mapAttrs (_: lib.filterAttrs isCompatible) outputs)
- configurations = lib.pipe allConfigurations [
- (configs: lib.getAttrs configs self)
- builtins.attrValues
- (lib.concatMap builtins.attrValues)
- (lib.filter (deriv: deriv.pkgs.system == system))
- (map (deriv: deriv.config.system.build.toplevel or deriv.activationPackage))
- ];
+ (
+ let
+ configurations =
+ lib.getAttrs [
+ "nixosConfigurations"
+ "darwinConfigurations"
+ "homeConfigurations"
+ ]
+ self;
- required = [
- configurations
- (builtins.attrValues config.checks)
- (builtins.attrValues config.devShells)
- ];
- in {
- ciGate = pkgs.writeText "ci-gate" ''
- ${lib.concatMapStringsSep "\n" toString required}
- '';
- };
- };
+ isCompatible = _: configuration: lib.elem configuration.pkgs.system ciSystems;
+ toDeriv = _: configuration: configuration.config.system.build.toplevel or configuration.activationPackage;
+ in
+ lib.mapAttrs (_: v: lib.mapAttrs toDeriv (lib.filterAttrs isCompatible v)) configurations
+ )
+ ];
}
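Review bot: `ciSystems` on line 326 lists only `x86_64-linux` and `x86_64-darwin`, yet `.github/eval-flake.sh` in the same commit maps `aarch64-linux` to a runner, so the two places disagree about which systems CI covers; either drop that mapping or add the system here, and a comment naming the consumer would prevent further drift, e.g. `# systems built in CI; keep in sync with get_os in .github/eval-flake.sh`. `lib.getAttrs` on lines 331 and 345–350 is `genAttrs` over `self.${name}` and so fails evaluation if any of the named outputs is absent from `self`; presumably all of them exist in this flake, but a comment saying so would help. The resulting `hydraJobs` layout (`checks.<system>.<attr>`/`devShells.<system>.<attr>`, and `<configurations>.<name>` for systems) is what the eval script and `nix build .#hydraJobs.<attr>` consume; a short header comment stating that would make the file self-explaining.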
diff --git a/dev.nix b/dev.nix
index 49b6215..7ac4683 100644
--- a/dev.nix
+++ b/dev.nix
@@ -35,6 +35,9 @@
just
jq
opentofu
+
+ # ci
+ nix-eval-jobs
]
++ lib.optional stdenv.isLinux inputs'.agenix.packages.agenix;
};
diff --git a/flake.nix b/flake.nix
index 60c7bab..8629c1a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
description = "getchoo's flake for system configurations";
nixConfig = {
- extra-substituters = ["https://cache.garnix.io"];
- extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ extra-substituters = ["https://getchoo.cachix.org"];
+ extra-trusted-public-keys = ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="];
};
inputs = {
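Review bot: The new substituter URL and public key on lines 392–393 are duplicated verbatim in `modules/shared/nix.nix` (lines 421–422 of this diff), so a key rotation has to be made in two places; a single definition that both sites read would remove that. Both sites trust whatever is signed for `getchoo.cachix.org-1`, and with the new `ci.yaml` pushing `hydraJobs` outputs from `pull_request` runs under `CACHIX_AUTH_TOKEN` (same-repository branches, where secrets are available), the parties whose builds the hosts accept are everyone who can push a branch to this repository — apparently the same scope as with garnix, but worth stating in a comment next to the key. A key pinned in `nixConfig` is only applied when the user accepts the flake's config, so the `modules/shared/nix.nix` entry is what actually covers the deployed hosts.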
diff --git a/garnix.yaml b/garnix.yaml
deleted file mode 100644
index 9a8d227..0000000
--- a/garnix.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-builds:
- exclude:
- - "*.x86_64-darwin.*"
- - "*.aarch64-darwin.*"
- include:
- - "checks.*.*"
- - "devShells.x86_64-linux.default"
- - "nixosConfigurations.*"
- - "homeConfigurations.seth"
- - "packages.*.*"
diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix
index d88285d..53bddee 100644
--- a/modules/shared/nix.nix
+++ b/modules/shared/nix.nix
@@ -20,8 +20,8 @@
auto-optimise-store = pkgs.stdenv.isLinux;
experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"];
- trusted-substituters = lib.mkDefault ["https://cache.garnix.io"];
- trusted-public-keys = lib.mkDefault ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"];
+ trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="];
nix-path = config.nix.nixPath;
};