-rw-r--r--.github/workflows/check.yml6
-rw-r--r--.github/workflows/ci.yml6
-rw-r--r--flake.lock81
-rw-r--r--flake.nix181
-rw-r--r--parts/default.nix22
-rw-r--r--parts/deployment.nix82
-rw-r--r--parts/dev.nix62
-rw-r--r--parts/packages.nix44
-rw-r--r--parts/toolchain.nix24
9 files changed, 319 insertions, 189 deletions
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index d436e31..691d77d 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -7,12 +7,14 @@ on:
- "**.nix"
- "**.rs"
- "**.toml"
+
pull_request:
paths:
- "**.lock"
- "**.nix"
- "**.rs"
- "**.toml"
+
workflow_dispatch:
jobs:
@@ -22,12 +24,10 @@ jobs:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v20
- with:
- github_access_token: ${{ secrets.GITHUB_TOKEN }}
- uses: cachix/cachix-action@v12
with:
name: getchoo
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
- - run: nix flake check -L
+ - run: nix flake check --accept-flake-config -L
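Review bot: `--accept-flake-config` on the `nix flake check` step makes Nix apply whatever `nixConfig` the checked-out flake.nix declares, without prompting. Because this workflow also triggers on `pull_request`, that file comes from the contributor's branch, so a PR can change substituters, trusted keys or other Nix settings for the run. As far as I know the `cachix/cachix-action` step with `name: getchoo` already configures that cache for the job, so the flag looks unnecessary in CI; I would keep `- run: nix flake check -L` here. The same applies to the `nix build --accept-flake-config -L .#${{ matrix.output }}` line in ci.yml. The job header and its permissions are outside the hunk.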
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51f5e9e..eb0ec21 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,12 +7,14 @@ on:
- "**.nix"
- "**.rs"
- "**.toml"
+
pull_request:
paths:
- "**.lock"
- "**.nix"
- "**.rs"
- "**.toml"
+
workflow_dispatch:
jobs:
@@ -34,8 +36,6 @@ jobs:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v20
- with:
- github_access_token: ${{ secrets.GITHUB_TOKEN }}
- uses: cachix/cachix-action@v12
with:
@@ -52,7 +52,7 @@ jobs:
- name: build
run: |
- nix build -L .#${{ matrix.output }}
+ nix build --accept-flake-config -L .#${{ matrix.output }}
- name: upload to ghcr
if: ${{ matrix.output == 'container' && github.ref == 'refs/heads/main' }}
diff --git a/flake.lock b/flake.lock
index 718fb13..11af171 100644
--- a/flake.lock
+++ b/flake.lock
@@ -14,11 +14,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
- "lastModified": 1680584903,
- "narHash": "sha256-uraq+D3jcLzw/UVk0xMHcnfILfIMa0DLrtAEq2nNlxU=",
+ "lastModified": 1684468982,
+ "narHash": "sha256-EoC1N5sFdmjuAP3UOkyQujSOT6EdcXTnRw8hPjJkEgc=",
"owner": "ipetkov",
"repo": "crane",
- "rev": "65d3f6a3970cd46bef5eedfd458300f72c56b3c5",
+ "rev": "99de890b6ef4b4aab031582125b6056b792a4a30",
"type": "github"
},
"original": {
@@ -35,11 +35,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
- "lastModified": 1680762089,
- "narHash": "sha256-62lgi+xb+nn9H4O+ZIYNkHeQ8ryzstALKMJuoXiot0I=",
+ "lastModified": 1684650006,
+ "narHash": "sha256-cIWPr9nCddVu3DITyHBNWy9tBbfc86u+BxPEnRWslMM=",
"owner": "nix-community",
"repo": "fenix",
- "rev": "5794e58068fb6a8eccad9e4ff77ffe1c08ded13c",
+ "rev": "fb17fb7db07709d2aca1efc1000fb1cf60b00b4e",
"type": "github"
},
"original": {
@@ -64,13 +64,36 @@
"type": "github"
}
},
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1683560683,
+ "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
"locked": {
- "lastModified": 1676283394,
- "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+ "lastModified": 1681202837,
+ "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+ "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
@@ -102,11 +125,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1677050843,
- "narHash": "sha256-3fcFxn58eCtrXrVPeW/nAg6NR5wUERVEf8zOtjPDzuM=",
+ "lastModified": 1684668519,
+ "narHash": "sha256-KkVvlXTqdLLwko9Y0p1Xv6KQ9QTcQorrU098cGilb7c=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "9e0eed654c705c7cafe192a8eba1610217f70544",
+ "rev": "85340996ba67cc02f01ba324e18b1306892ed6f5",
"type": "github"
},
"original": {
@@ -133,11 +156,11 @@
]
},
"locked": {
- "lastModified": 1676879534,
- "narHash": "sha256-HU4RXcwsAX1u7AUbGOBDxkYQkeODcn+HZjXqKa1y/hk=",
+ "lastModified": 1684195081,
+ "narHash": "sha256-IKnQUSBhQTChFERxW2AzuauVpY1HRgeVzAjNMAA4B6I=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
- "rev": "c9495f017f67a11e9c9909b032dc7762dfc853cf",
+ "rev": "96eabec58248ed8f4b0ad59e7ce9398018684fdc",
"type": "github"
},
"original": {
@@ -151,6 +174,7 @@
"crane": "crane",
"fenix": "fenix",
"flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks"
@@ -159,11 +183,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
- "lastModified": 1680727375,
- "narHash": "sha256-hb8AosuONAg0D9yoZ4VrBsjf5hINMYVLPEGekXF4qVE=",
+ "lastModified": 1684616122,
+ "narHash": "sha256-PLQN+e93BC1Yiqt4QNCj3cJ4mHtsO7Xlgn0VprgxiX4=",
"owner": "rust-lang",
"repo": "rust-analyzer",
- "rev": "ea22d245b671f97b820cf761108251c6292c3152",
+ "rev": "a04d8456be1d289c814846178cc1ff63b4fc297b",
"type": "github"
},
"original": {
@@ -185,11 +209,11 @@
]
},
"locked": {
- "lastModified": 1680488274,
- "narHash": "sha256-0vYMrZDdokVmPQQXtFpnqA2wEgCCUXf5a3dDuDVshn0=",
+ "lastModified": 1683080331,
+ "narHash": "sha256-nGDvJ1DAxZIwdn6ww8IFwzoHb2rqBP4wv/65Wt5vflk=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "7ec2ff598a172c6e8584457167575b3a1a5d80d8",
+ "rev": "d59c3fa0cba8336e115b376c2d9e91053aa59e56",
"type": "github"
},
"original": {
@@ -197,6 +221,21 @@
"repo": "rust-overlay",
"type": "github"
}
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 1d66274..7c93f33 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,27 @@
{
description = "teawie moment";
+ nixConfig = {
+ extra-substituters = [
+ "https://getchoo.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
+ ];
+ };
+
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
- flake-utils.url = "github:numtide/flake-utils";
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
+ flake-parts = {
+ url = "github:hercules-ci/flake-parts";
+ inputs.nixpkgs-lib.follows = "nixpkgs";
+ };
+ # this is just to avoid having multiple versions in flake.lock
+ flake-utils.url = "github:numtide/flake-utils";
crane = {
url = "github:ipetkov/crane";
inputs.nixpkgs.follows = "nixpkgs";
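Review bot: The new `nixConfig` block makes a binary cache and its signing key part of the flake without a comment on who controls them or how the cache is filled. Anyone who accepts the flake config will substitute prebuilt store paths signed by that key instead of building from source, so this is a trust decision worth documenting. I would add a comment above the block, e.g. `# binary cache for this repo (presumably filled by the cachix-action step in CI); Nix asks before trusting it unless --accept-flake-config is passed`. The `inputs` attribute set continues past the end of the hunk.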
@@ -27,165 +41,8 @@
};
};
- outputs = {
- self,
- nixpkgs,
- flake-utils,
- crane,
- fenix,
- pre-commit-hooks,
- ...
- }: let
- supportedSystems = with flake-utils.lib.system; [
- x86_64-linux
- x86_64-darwin
- aarch64-linux
- aarch64-darwin
- ];
-
- packageFn = craneLib: cargoArtifacts: pkgs: let
- inherit (pkgs.lib) licenses maintainers platforms;
- inherit (craneLib) buildPackage;
- in {
- teawiebot = buildPackage {
- src = ./.;
- inherit cargoArtifacts;
-
- meta = {
- description = "funni bot";
- homepage = "https://github.com/getchoo/teawiebot";
- license = licenses.mit;
- platforms = platforms.unix;
- maintainers = with maintainers; [getchoo];
- };
- };
- };
- in
- flake-utils.lib.eachSystem supportedSystems (system: let
- pkgs = import nixpkgs {
- inherit system;
- overlays = [fenix.overlays.default];
- };
-
- toolchain = with pkgs.fenix;
- with stable;
- combine [
- cargo
- rustc
- rustfmt
- clippy
- targets."x86_64-unknown-linux-musl".stable.rust-std
- ];
-
- craneLib = (crane.mkLib pkgs).overrideToolchain toolchain;
-
- cargoArtifacts = craneLib.buildDepsOnly {
- src = ./.;
- };
- in {
- packages = let
- inherit (packageFn craneLib cargoArtifacts pkgs) teawiebot;
-
- teawiebot-smol =
- teawiebot.overrideAttrs (_: {
- # statically link musl, optimize for size
- CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl";
- CARGO_BUILD_RUSTFLAGS = "-C lto=fat -C embed-bitcode=yes \
- -C target-feature=+crt-static -C opt-level=z -C strip=symbols -C codegen-units=1";
- CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER = let
- inherit (pkgs.pkgsStatic.stdenv) cc;
- in "${cc}/bin/${cc.targetPrefix}cc";
- });
- cmd = "${teawiebot-smol}/bin/teawiebot";
- in
- {
- inherit teawiebot teawiebot-smol;
- container = let
- inherit (pkgs.dockerTools) buildLayeredImage caCertificates;
- in
- buildLayeredImage {
- name = "teawiebot";
- tag = "latest";
- contents = [caCertificates];
- config.Cmd = ["${cmd}"];
- };
- service = let
- inherit (pkgs) cacert portableService;
- service = pkgs.writeTextFile {
- name = "teawiebot.service";
- text = ''
- [Unit]
- Description=portable service for teawiebot
-
- [Service]
- DynamicUser=yes
- ExecStart="${cmd}"
-
- [Install]
- WantedBy=multi-user.target
- '';
- };
- in
- portableService {
- inherit (teawiebot) pname;
- inherit (teawiebot-smol) version;
- description = "portable service for teawiebot!";
- units = [service];
- symlinks = [
- {
- object = "${cacert}/etc/ssl";
- symlink = "/etc/ssl";
- }
- ];
- };
- }
- // {default = self.packages.${system}.teawiebot;};
-
- checks = let
- commonArgs = {
- src = ./.;
- };
-
- inherit (craneLib) cargoClippy cargoFmt;
- in {
- inherit (self.packages.${system}) teawiebot;
-
- clippy = cargoClippy (commonArgs
- // {
- inherit cargoArtifacts;
- cargoClippyExtraArgs = "--all-targets";
- });
-
- fmt = cargoFmt commonArgs;
-
- pre-commit-check = pre-commit-hooks.lib.${system}.run {
- src = ./.;
- hooks = {
- actionlint.enable = true;
- alejandra.enable = true;
- deadnix.enable = true;
- statix.enable = true;
- };
- };
- };
-
- devShells = let
- inherit (pkgs) mkShell;
- inherit (self.checks.${system}.pre-commit-check) shellHook;
- in {
- default = mkShell {
- inherit shellHook;
- packages = with pkgs; [
- actionlint
- alejandra
- deadnix
- statix
-
- toolchain
- ];
- };
- };
-
- formatter = pkgs.alejandra;
- });
+ outputs = inputs:
+ inputs.flake-parts.lib.mkFlake
+ {inherit inputs;}
+ {imports = [./parts];};
}
diff --git a/parts/default.nix b/parts/default.nix
new file mode 100644
index 0000000..ecace0f
--- /dev/null
+++ b/parts/default.nix
@@ -0,0 +1,22 @@
+_: {
+ imports = [
+ ./deployment.nix
+ ./dev.nix
+ ./packages.nix
+ ./toolchain.nix
+ ];
+
+ systems = [
+ "x86_64-linux"
+ "x86_64-darwin"
+ "aarch64-linux"
+ "aarch64-darwin"
+ ];
+
+ perSystem = _: {
+ _module.args.src = builtins.path {
+ name = "teawiebot-src";
+ path = ../.;
+ };
+ };
+}
diff --git a/parts/deployment.nix b/parts/deployment.nix
new file mode 100644
index 0000000..f0ab7d1
--- /dev/null
+++ b/parts/deployment.nix
@@ -0,0 +1,82 @@
+{self, ...}: let
+ bin = teawiebot-smol: "${teawiebot-smol}/bin/teawiebot";
+ service = pkgs: cmd:
+ pkgs.writeTextFile {
+ name = "teawiebot.service";
+ text = ''
+ [Unit]
+ Description=teawiebot service
+
+ [Service]
+ Environment="TOKEN="
+ ExecStart="${cmd}"
+ DynamicUser=yes
+ ProtectSystem=strict
+ ProtectHome=yes
+ ProtectKernelTunables=yes
+ ProtectKernelModules=yes
+ ProtectControlGroups=yes
+ SystemCallFilter=@system-service
+ SystemCallErrorNumber=EPERM
+ NoNewPrivileges=yes
+ PrivateTmp=yes
+
+ [Install]
+ WantedBy=multi-user.target
+ '';
+ };
+in {
+ perSystem = {
+ pkgs,
+ system,
+ ...
+ }: let
+ inherit (pkgs) cacert dockerTools portableService;
+ inherit (self.packages.${system}) teawiebot teawiebot-smol;
+ cmd = bin teawiebot-smol;
+ in {
+ packages = {
+ container = dockerTools.buildLayeredImage {
+ name = "teawiebot";
+ tag = "latest";
+ contents = [dockerTools.caCertificates];
+ config.Cmd = ["${cmd}"];
+ };
+
+ service = portableService {
+ inherit (teawiebot) pname;
+ inherit (teawiebot-smol) version;
+ description = "portable service for teawiebot!";
+ units = [(service pkgs cmd)];
+ symlinks = [
+ {
+ object = "${cacert}/etc/ssl";
+ symlink = "/etc/ssl";
+ }
+ ];
+ };
+ };
+ };
+
+ flake = {
+ nixosModules = {
+ default = {
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ cfg = config.services.teawiebot;
+ inherit (lib) mkEnableOption mkIf;
+ in {
+ options.services.teawiebot.enable = mkEnableOption "enable teawiebot";
+
+ config.systemd.services = mkIf cfg.enable {
+ teawiebot = {
+ text = service pkgs (bin pkgs.teawiebot-smol);
+ };
+ };
+ };
+ };
+ };
+}
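Review bot: The `nixosModules.default` body at the end of the hunk assigns `systemd.services.teawiebot.text` the result of `service pkgs …`, which is a `writeTextFile` derivation. As far as I know `systemd.services.<name>` has no `text` option, and no overlay visible in this commit defines `pkgs.teawiebot-smol`, so enabling the module most likely fails to evaluate instead of producing a unit with the sandboxing listed in the `service` text. Expressing the unit through `serviceConfig` and taking the package from `self.packages` would keep that hardening in effect on NixOS. Separately, `Environment="TOKEN="` starts the bot with an empty token and invites writing the secret into a world-readable store path; an `EnvironmentFile=` pointing at a root-only file outside the store is the safer pattern.

```nix
# … unchanged: `bin`, `service`, perSystem packages, module arguments and let-bindings …
config.systemd.services.teawiebot = mkIf cfg.enable {
  wantedBy = ["multi-user.target"];
  serviceConfig = {
    ExecStart = bin self.packages.${pkgs.stdenv.hostPlatform.system}.teawiebot-smol;
    # placeholder path: a root-only file outside the Nix store that sets TOKEN
    EnvironmentFile = "/path/to/teawiebot.env";
    DynamicUser = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    SystemCallFilter = "@system-service";
    SystemCallErrorNumber = "EPERM";
    NoNewPrivileges = true;
    PrivateTmp = true;
  };
};
```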
diff --git a/parts/dev.nix b/parts/dev.nix
new file mode 100644
index 0000000..01c33c6
--- /dev/null
+++ b/parts/dev.nix
@@ -0,0 +1,62 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ perSystem = {
+ craneLib,
+ pkgs,
+ system,
+ src,
+ toolchain,
+ ...
+ }: {
+ checks = let
+ commonArgs = {
+ inherit src;
+ };
+
+ inherit (craneLib) cargoClippy cargoFmt;
+ in {
+ inherit (self.packages.${system}) teawiebot;
+
+ clippy = cargoClippy (commonArgs
+ // {
+ inherit (self.packages.${system}) cargoArtifacts;
+ cargoClippyExtraArgs = "--all-targets";
+ });
+
+ fmt = cargoFmt commonArgs;
+
+ pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+ inherit src;
+ hooks = {
+ actionlint.enable = true;
+ alejandra.enable = true;
+ deadnix.enable = true;
+ nil.enable = true;
+ statix.enable = true;
+ };
+ };
+ };
+
+ devShells = let
+ inherit (pkgs) mkShell;
+ in {
+ default = mkShell {
+ inherit (self.checks.${system}.pre-commit-check) shellHook;
+ packages = with pkgs; [
+ actionlint
+ alejandra
+ deadnix
+ nil
+ statix
+
+ toolchain
+ ];
+ };
+ };
+
+ formatter = pkgs.alejandra;
+ };
+}
diff --git a/parts/packages.nix b/parts/packages.nix
new file mode 100644
index 0000000..1b8acd8
--- /dev/null
+++ b/parts/packages.nix
@@ -0,0 +1,44 @@
+{self, ...}: {
+ perSystem = {
+ craneLib,
+ pkgs,
+ src,
+ system,
+ ...
+ }: let
+ inherit (pkgs.lib) licenses maintainers platforms;
+ inherit (craneLib) buildPackage;
+ in {
+ packages = {
+ cargoArtifacts = craneLib.buildDepsOnly {inherit src;};
+
+ teawiebot = buildPackage {
+ inherit src;
+ inherit (self.packages.${system}) cargoArtifacts;
+
+ meta = {
+ description = "funni bot";
+ homepage = "https://github.com/getchoo/teawiebot";
+ license = licenses.mit;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [getchoo];
+ };
+ };
+
+ teawiebot-smol =
+ self.packages.${system}.teawiebot.overrideAttrs (_: {
+ # statically link musl, optimize for size
+ CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl";
+
+ CARGO_BUILD_RUSTFLAGS = "-C lto=fat -C embed-bitcode=yes \
+ -C target-feature=+crt-static -C opt-level=z -C strip=symbols -C codegen-units=1";
+
+ CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER = let
+ inherit (pkgs.pkgsStatic.stdenv) cc;
+ in "${cc}/bin/${cc.targetPrefix}cc";
+ });
+
+ default = self.packages.${system}.teawiebot;
+ };
+ };
+}
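Review bot: `teawiebot-smol` fixes `CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl"` but is defined under `perSystem` for all four entries of `systems`, while its linker comes from `pkgs.pkgsStatic.stdenv.cc`, which follows the host platform. On aarch64 or darwin hosts the build will probably fail, along with the `container` and `service` packages that depend on it. I would either define it only for x86_64-linux with `lib.optionalAttrs`, or state the restriction next to the existing comment, e.g. `# x86_64-linux only: target and linker are fixed to x86_64 musl`.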
diff --git a/parts/toolchain.nix b/parts/toolchain.nix
new file mode 100644
index 0000000..e2201f9
--- /dev/null
+++ b/parts/toolchain.nix
@@ -0,0 +1,24 @@
+{inputs, ...}: {
+ perSystem = {system, ...}: let
+ pkgs = import inputs.nixpkgs {
+ inherit system;
+ overlays = [inputs.fenix.overlays.default];
+ };
+
+ toolchain = with pkgs.fenix;
+ with stable;
+ combine [
+ cargo
+ rustc
+ rustfmt
+ clippy
+ targets."x86_64-unknown-linux-musl".stable.rust-std
+ ];
+ in {
+ _module.args = {
+ inherit pkgs toolchain;
+
+ craneLib = (inputs.crane.mkLib pkgs).overrideToolchain toolchain;
+ };
+ };
+}