-rw-r--r--.github/workflows/autobot.yaml9
-rw-r--r--.github/workflows/ci.yaml118
-rw-r--r--.github/workflows/update-inputs.yaml6
-rw-r--r--.github/workflows/update-lock.yaml8
-rw-r--r--.github/workflows/update-nixpkgs.yaml6
-rw-r--r--README.md3
-rw-r--r--flake.lock6
-rw-r--r--flake.nix6
-rw-r--r--garnix.yaml7
-rw-r--r--modules/shared/nix.nix4
-rw-r--r--workflow.nix16
11 files changed, 159 insertions, 30 deletions
diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml
index 0982f30..9401d45 100644
--- a/.github/workflows/autobot.yaml
+++ b/.github/workflows/autobot.yaml
@@ -2,13 +2,14 @@ name: auto-merge dependabot
on: pull_request
-permissions:
- contents: write
- pull-requests: write
-
jobs:
automerge:
runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+
if: github.actor == 'dependabot[bot]'
steps:
- uses: dependabot/fetch-metadata@v1
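Review bot: The job-level `contents: write` / `pull-requests: write` grant is still gated only by `if: github.actor == 'dependabot[bot]'`, and `github.actor` names whoever triggered the latest run rather than who opened the pull request. GitHub's current Dependabot automation examples check the PR author instead, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, which is the tighter guard for a job that holds write scopes. `dependabot/fetch-metadata@v1` is a movable tag; pinning it to a full commit SHA would keep the write-token job on reviewed code. The job's steps continue outside this hunk.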
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..6a30315
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,118 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ eval:
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.generate.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: install nix
+ uses: DeterminateSystems/nix-installer-action@v6
+
+ - name: setup cachix
+ uses: cachix/cachix-action@master
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ skipAddingSubstituter: 'true'
+
+ - name: generate matrix
+ id: generate
+ run: |
+ set -Eeu
+ echo "matrix=$(nix eval --accept-flake-config --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+
+ build:
+ needs: eval
+
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ runs-on: ${{ matrix.os }}
+
+ name: build (${{matrix.attr}})
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: setup qemu
+ if: matrix.arch == 'aarch64'
+ run: |
+ sudo apt update -y
+ sudo apt install -y qemu-user-static
+
+ - name: install nix
+ if: matrix.arch != 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v6
+
+ - name: install nix (with aarch64)
+ if: matrix.arch == 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v6
+ with:
+ extra-conf: "extra-platforms = aarch64-linux arm-linux"
+
+ - name: setup cachix
+ uses: cachix/cachix-action@master
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ skipAddingSubstituter: 'true'
+
+ - name: build ${{ matrix.attr }}
+ run: nix build -L --accept-flake-config --fallback .#${{ matrix.attr }}
+
+ check:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: install nix
+ uses: DeterminateSystems/nix-installer-action@v6
+
+ - name: setup cachix
+ uses: cachix/cachix-action@master
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ skipAddingSubstituter: 'true'
+
+ - name: setup cachix
+ uses: cachix/cachix-action@v12
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ skipAddingSubstituter: 'true'
+
+ - name: run check
+ run: nix flake check --accept-flake-config --show-trace
+
+ # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+ gate:
+ needs: [build, check]
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: exit with result
+ run: |
+ buildResult="${{ needs.build.result }}"
+ checkResult="${{ needs.check.result }}"
+
+ results=("$buildResult" "$checkResult")
+
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+
+ exit 0
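Review bot: All three jobs pass `secrets.CACHIX_AUTH_TOKEN` to `cachix/cachix-action@master`, a branch ref that can change between runs, so whatever lands on that branch runs with write access to the cache. Pin it to a release tag or, better, a full commit SHA. The `check` job has a second, duplicate `setup cachix` step on `cachix/cachix-action@v12`, so one of the two should go and the other jobs should use the same pinned ref. The workflow also declares no `permissions:`, unlike autobot.yaml in this commit; a top-level `permissions:` with `contents: read` would keep the GITHUB_TOKEN read-only for jobs that only build and check.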
diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml
index a18c59d..8d795dc 100644
--- a/.github/workflows/update-inputs.yaml
+++ b/.github/workflows/update-inputs.yaml
@@ -6,12 +6,10 @@ on:
- cron: "0 0 * * 6"
workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
-
jobs:
update:
uses: ./.github/workflows/update-lock.yaml
with:
commit-msg: "flake: update all inputs"
+ secrets:
+ token: ${{ secrets.MERGE_TOKEN }}
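Review bot: With the workflow-level `permissions:` block removed and nothing put in its place, the automatic GITHUB_TOKEN for this workflow and the called `update-lock.yaml` falls back to the repository's default scopes, even though the write path now goes through `secrets.MERGE_TOKEN`. Adding `permissions: {}` at the top (or `contents: read`, if the called job needs the built-in token for checkout, which is not visible here) makes the intended scope explicit. The same applies to the identical change in update-nixpkgs.yaml.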
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index 0bf8b1d..cb70c94 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -12,6 +12,10 @@ on:
required: false
default: ""
type: string
+ secrets:
+ token:
+ description: PAT for creating creating/merging the PR
+ required: true
jobs:
update:
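Review bot: The new secret's description repeats a word; `description: PAT for creating/merging the PR` reads as intended. Since every caller has to supply this token, the description is also the natural place to state the scopes it needs, presumably contents and pull-requests write on this repository only.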
@@ -27,11 +31,11 @@ jobs:
commit-msg: ${{ inputs.commit-msg }}
inputs: ${{ inputs.inputs }}
pr-title: ${{ inputs.commit-msg }}
- token: ${{ github.token }}
+ token: ${{ secrets.token }}
- name: enable auto-merge
shell: bash
run: gh pr merge --auto --rebase "$PR_ID"
env:
- GITHUB_TOKEN: ${{ github.token }}
+ GITHUB_TOKEN: ${{ secrets.token }}
PR_ID: ${{ steps.update.outputs.pull-request-number }}
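Review bot: `secrets.token` now feeds both the update step's `token:` input and `GITHUB_TOKEN` for `gh pr merge --auto --rebase`, so a PAT rather than the run-scoped token creates and merges the PR. Unlike `github.token`, a PAT outlives the run and the PRs it opens trigger other workflows, so it should be a fine-grained token limited to this repository with only contents and pull-request write. `--auto` waits only for what branch protection requires; if the `gate` job from ci.yaml is not a required check on the target branch, the lock update could merge without CI, which is worth confirming since the branch settings are not visible here. The `uses:` line of the update step lies outside the hunk, so the ref of the action that receives the PAT cannot be checked from this page.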
diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml
index 734bf2a..c8cccdf 100644
--- a/.github/workflows/update-nixpkgs.yaml
+++ b/.github/workflows/update-nixpkgs.yaml
@@ -6,13 +6,11 @@ on:
- cron: "0 0 * * *"
workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
-
jobs:
update:
uses: ./.github/workflows/update-lock.yaml
with:
commit-msg: "flake: update nixpkgs"
inputs: "nixpkgs nixpkgs-stable"
+ secrets:
+ token: ${{ secrets.MERGE_TOKEN }}
diff --git a/README.md b/README.md
index 7f07641..21f301c 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
[![made with neovim](https://img.shields.io/static/v1?label=made%20with&message=neovim&color=00b952&style=flat-square&logo=neovim)](https://neovim.io/)
[![nixos unstable](https://img.shields.io/static/v1?label=NixOS&message=unstable&color=5277c3&style=flat-square&logo=nixos)](https://nixos.org/)
-[![built with garnix](https://img.shields.io/endpoint?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Fgetchoo%2Fflake%3Fbranch%3Dmain)](https://garnix.io)
+![built status](https://github.com/getchoo/flake/actions/workflows/ci.yaml/badge.svg)
greasy taco i love
@@ -34,7 +34,6 @@ my ampere arm server from oracle, services my miniflux instance.
there are some amazing tools i use to make/manage this flake that i would highly recommend checking out:
-- [garnix](https://garnix.io)
- [home-manager](https://github.com/nix-community/home-manager)
- [agenix](https://github.com/ryantm/agenix)
- [flake-parts](https://github.com/hercules-ci/flake-parts)
diff --git a/flake.lock b/flake.lock
index 77f5468..b963c5b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -160,11 +160,11 @@
]
},
"locked": {
- "lastModified": 1699059137,
- "narHash": "sha256-jz+O1qyE7rX11LFH0R+Y9Jxo1fY2DZKOM4jXvIaFLnQ=",
+ "lastModified": 1699210446,
+ "narHash": "sha256-Srh4ydjVoteLEF9t5PolV2Y9a1Y7QNzvu8YCy5Cy4WI=",
"owner": "getchoo",
"repo": "nix-exprs",
- "rev": "48b17c233c9ecf100d03d6fc8f7ac2eea6f74340",
+ "rev": "602193a4d8d0c8a886f9bb4f7e2bca2b968771fc",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 2a1fb35..930f3b5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,8 @@
description = "getchoo's flake for system configurations";
nixConfig = {
- extra-substituters = ["https://cache.garnix.io"];
- extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ extra-substituters = ["https://getchoo.cachix.org"];
+ extra-trusted-public-keys = ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="];
};
inputs = {
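Review bot: The new `extra-trusted-public-keys` entry is the only thing that authenticates paths pulled from `https://getchoo.cachix.org`, and nothing near it records where the key comes from or what writes to the cache. A comment above `nixConfig` such as `# personal Cachix cache, filled by .github/workflows/ci.yaml; key copied from the cache's Cachix page` would make that trust relationship reviewable. The same pair is set in modules/shared/nix.nix, there under `trusted-substituters`, which as far as I know only allows unprivileged users to select the cache rather than enabling it. That matches the previous garnix setup, but it is worth confirming it is what the hosts should get.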
@@ -140,12 +140,14 @@
parts.lib.mkFlake {inherit inputs;} {
imports = [
inputs.pre-commit.flakeModule
+ inputs.getchoo.flakeModules.githubWorkflowGenerator
./modules
./overlay
./systems
./users
./dev.nix
+ ./workflow.nix
];
systems = [
diff --git a/garnix.yaml b/garnix.yaml
deleted file mode 100644
index bbc3681..0000000
--- a/garnix.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-builds:
- exclude: []
- include:
- - "checks.x86_64-linux.*"
- - "devShells.x86_64-linux.default"
- - "nixosConfigurations.*"
- - "homeConfigurations.seth"
diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix
index d496f72..72c3e00 100644
--- a/modules/shared/nix.nix
+++ b/modules/shared/nix.nix
@@ -19,8 +19,8 @@
auto-optimise-store = pkgs.stdenv.isLinux;
experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"];
- trusted-substituters = lib.mkDefault ["https://cache.garnix.io"];
- trusted-public-keys = lib.mkDefault ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+ trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"];
+ trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="];
nix-path = config.nix.nixPath;
};
diff --git a/workflow.nix b/workflow.nix
new file mode 100644
index 0000000..e9cec5d
--- /dev/null
+++ b/workflow.nix
@@ -0,0 +1,16 @@
+{
+ githubWorkflowGenerator = {
+ outputs = [
+ "checks"
+ "devShells"
+ "darwinConfigurations"
+ "nixosConfigurations"
+ "homeConfigurations"
+ ];
+
+ overrides = {
+ checks.systems = ["x86_64-linux"];
+ devShells.systems = ["x86_64-linux" "x86_64-darwin"];
+ };
+ };
+}