fix(ci): build

arcnmx 2024-01-27 20:50:01 -08:00
parent dc6b335423
commit 7b647b96f1
14 changed files with 208 additions and 80 deletions


@ -28,6 +28,68 @@ jobs:
args: -u .github/workflows/nodes.yml .ci/workflow.yml
attrs: nixpkgs.diffutils
command: diff
ct:
name: nodes-ct
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v3
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@v0.6
- id: ci-setup
name: nix setup
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.ct.run.bootstrap
quiet: false
- id: architectures
name: prepare for emulated builds
run: 'sudo $(which archbinfmt)
'
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.ct.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.ct.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.ct.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.ct.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
hakurei:
name: nodes-hakurei
runs-on: ubuntu-latest
@ -152,68 +214,6 @@ jobs:
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
reisen-ct:
name: nodes-reisen-ct
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v3
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@v0.6
- id: ci-setup
name: nix setup
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.reisen-ct.run.bootstrap
quiet: false
- id: architectures
name: prepare for emulated builds
run: 'sudo $(which archbinfmt)
'
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.reisen-ct.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.reisen-ct.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.reisen-ct.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.reisen-ct.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
tei:
name: nodes-tei
runs-on: ubuntu-latest


@ -4,7 +4,7 @@ set -eu
NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.}
NF_HOST=${NF_HOST-tewi}
NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel
NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.toplevel
NF_ADDR=${NF_ADDR-${NF_HOST}.local}
if [[ $NF_ADDR = tewi.local ]]; then
@ -19,7 +19,7 @@ fi
if [[ $1 = tarball ]]; then
shift
set -- build "$@"
NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.tarball
NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.tarball
fi
if [[ $1 = build ]]; then


@ -98,14 +98,14 @@ in {
command = let
filteredHosts = [ "hakurei" "tei" "mediabox" ];
gcBetweenHosts = false;
nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts;
nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts;
in ''
# ${toString builtins.currentTime}
nix flake update
if git status --porcelain | grep -qF flake.lock; then
git -P diff flake.lock
echo "checking that network.nodes.still build..." >&2
echo "checking that nodes still build..." >&2
if ${nodeBuildString}; then
if [[ -n $CACHIX_SIGNING_KEY ]]; then
cachix push gensokyo-infrastructure result*/ &


@ -60,10 +60,10 @@ with lib; {
};
jobs = let
enabledHosts = ["hakurei" "tei" "mediabox" "reisen-ct"];
enabledHosts = ["hakurei" "tei" "mediabox" "ct"];
in
mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: {
tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.system.build.toplevel;
tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel;
}));
ci.gh-actions.checkoutOptions.submodules = false;


@ -2,8 +2,7 @@
inputs,
system,
}: let
meta = import ./outputs.nix {inherit inputs;};
pkgs = meta.legacyPackages.${system};
pkgs = inputs.nixpkgs.legacyPackages.${system};
nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix)
for f in "''${NF_CONFIG_FILES[@]}"; do
@ -13,7 +12,7 @@
'';
nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
set -eu
for host in hakurei tei mediabox reisen-ct; do
for host in hakurei tei mediabox ct; do
nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test
done
'';

6
flake.lock generated

@ -1,7 +1,11 @@
{
"nodes": {
"arcexprs": {
"flake": false,
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1706385294,
"narHash": "sha256-mGqas+TDp2DtR7ufx10SDlKnL+aRZ/jhbkGYlF8NLO4=",


@ -4,7 +4,7 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
arcexprs = {
url = "github:arcnmx/nixexprs/master";
flake = false;
inputs.nixpkgs.follows = "nixpkgs";
};
std = {
url = "github:chessai/nix-std";

32
modules/meta/access.nix Normal file

@ -0,0 +1,32 @@
{
config,
access,
...
}: let
nixosModule = {
config,
...
}: {
config = {
_module.args.access = access // {
systemFor = hostName: if hostName == config.networking.hostName
then config
else access.systemFor hostName;
systemForOrNull = hostName: if hostName == config.networking.hostName
then config
else access.systemForOrNull hostName;
};
};
};
in {
config = {
network.nixos.extraModules = [
nixosModule
];
_module.args.access = {
systemFor = hostName: config.network.nodes.${hostName};
systemForOrNull = hostName: config.network.nodes.${hostName} or null;
};
};
}
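Review bot: The new module has no comments, and the reason `systemFor` and `systemForOrNull` return the local `config` when `hostName == config.networking.hostName` cannot be read off the code. A short header would help, for example `# access.systemFor <host>: evaluated config of another node; a node asking for its own hostName gets its own config back`, plus one line on why the short-circuit exists (presumably to avoid going back through `network.nodes` from inside the node's own evaluation; please confirm). It is also worth stating that `systemFor` fails evaluation on an unknown host name while `systemForOrNull` yields `null`, so callers know which one to use for optional peers.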


@ -1,4 +1,5 @@
{
inputs,
config,
lib,
...
@ -95,4 +96,16 @@ in {
];
};
};
config._module.args.access = let
systemFor = hostName: inputs.self.nixosConfigurations.${hostName}.config;
systemForOrNull = hostName: inputs.self.nixosConfigurations.${hostName}.config or null;
in {
systemFor = hostName: if hostName == config.networking.hostName
then config
else systemFor hostName;
systemForOrNull = hostName: if hostName == config.networking.hostName
then config
else systemForOrNull hostName;
};
}
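Review bot: `config._module.args.access` is now defined here and also by the `nixosModule` that modules/meta/access.nix injects through `network.nixos.extraModules`. If a system is ever evaluated with both modules, the two definitions have the same priority and the module system will most likely reject them as conflicting rather than merge them. If the two are meant for separate evaluation paths (`network.nodes` versus `nixosConfigurations`), a comment saying so would prevent the mistake, e.g. `# used when the host is built via inputs.self.nixosConfigurations; the network.nodes path gets access from modules/meta/access.nix`. If both can apply, wrapping this one in `lib.mkDefault` would make the precedence explicit.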


@ -1,5 +1,17 @@
_: {
{
inputs,
...
}: {
nixpkgs = {
config.allowUnfree = true;
overlays = [
(import ../../overlays/local)
inputs.arcexprs.overlays.default
];
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssl-1.1.1w"
];
};
};
}
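Review bot: `permittedInsecurePackages = [ "openssl-1.1.1w" ]` is added to what looks like the shared nixpkgs module, so every host importing it may now build against an OpenSSL branch that upstream stopped supporting in September 2023, and nothing records which package needs it. Please name the consumer next to the entry, e.g. `# openssl-1.1.1w: required by <PACKAGE>; drop once it builds against OpenSSL 3`, and if only one host needs it, move the exception into that host's configuration rather than the common module. Keeping the exact version string is good: a nixpkgs bump will make evaluation fail again and force the exception to be revisited.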


@ -20,6 +20,11 @@
(system: rec {
devShells.default = import ./devShell.nix {inherit system inputs;};
});
packages =
inputs.flake-utils.lib.eachDefaultSystem
(system: rec {
packages = import ./packages {inherit system inputs lib;};
});
std = import ./std.nix {inherit inputs;};
inherit (std) set;
checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
@ -31,3 +36,4 @@ in
}
// systems
// shells
// packages


@ -8,16 +8,14 @@ inputs.flake-utils.lib.eachDefaultSystem (system: {
(import ./local)
(import ./lib)
inputs.deploy-rs.overlay
inputs.arcexprs.overlays.default
(final: prev: {
jemalloc =
if final.hostPlatform != "aarch64-darwin"
then prev.jemalloc
else null;
})
]
++ (map (path: import "${path}/overlay.nix") [
inputs.arcexprs
]);
];
config = {
allowUnfree = true;
allowBroken = true;

64
packages/default.nix Normal file

@ -0,0 +1,64 @@
{
system,
inputs,
lib,
}: let
inherit (lib.options) mkOption;
inherit (lib.types) attrsOf package;
inherit (lib.meta) getExe;
inherit (lib.strings) concatStringsSep concatMapStringsSep;
packages = inputs.self.packages.${system};
pkgs = inputs.nixpkgs.legacyPackages.${system};
fmt = import ../ci/fmt.nix;
output = {
inherit (pkgs.buildPackages)
terraform tflint
alejandra deadnix statix
;
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@"
'';
nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
if [[ $# -eq 0 ]]; then
set -- check
fi
if [[ ''${1-} = check ]]; then
shift
set -- check --config ${../ci/statix.toml} "$@"
fi
exec ${getExe packages.statix} "$@"
'';
nf-deadnix = let
inherit (fmt.nix) blacklistDirs;
excludes = "${getExe pkgs.buildPackages.findutils} ${concatStringsSep " " blacklistDirs} -type f";
in pkgs.writeShellScriptBin "nf-deadnix" ''
exec ${getExe packages.deadnix} "$@" \
--no-lambda-arg \
--exclude $(${excludes})
'';
nf-alejandra = let
inherit (fmt.nix) blacklistDirs;
excludes = concatMapStringsSep " " (dir: "--exclude ${dir}") blacklistDirs;
in pkgs.writeShellScriptBin "nf-alejandra" ''
exec ${getExe packages.alejandra} \
${excludes} \
"$@"
'';
nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
${getExe packages.terraform} fmt "$@" &&
${packages.tflint}/bin/tflint
'';
nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
${getExe packages.nf-statix} check "$@" &&
${getExe packages.nf-deadnix} -f "$@"
'';
nf-fmt-nix = let
inherit (fmt.nix) whitelist;
includes = concatStringsSep " " whitelist;
in pkgs.writeShellScriptBin "nf-fmt-nix" ''
exec ${getExe packages.nf-alejandra} ${includes} "$@"
'';
};
in output
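Review bot: In `nf-deadnix`, `--exclude $(${excludes})` leaves the command substitution unquoted, so the `find` output is word-split and glob-expanded by the shell. A file name containing whitespace or glob characters under one of the `blacklistDirs` is then passed as several wrong arguments, and the linter excludes the wrong set of files. Since `writeShellScriptBin` runs the script under bash, the list can be read NUL-delimited into an array: `mapfile -d "" -t excluded < <(${excludes} -print0)` followed by `--exclude "''${excluded[@]}"`. The `blacklistDirs` entries are also interpolated unquoted into both `nf-deadnix` and `nf-alejandra`; `lib.escapeShellArgs` would make that safe if a directory name ever contains a space.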


@ -51,5 +51,5 @@ vim .sops.yaml
### Template
```shell
NF_HOST=reisen-ct nf-deploy tarball
NF_HOST=ct nf-deploy tarball
```