diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 87d075c8..2a8553d6 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -130,57 +130,6 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache - deploy-rs: - name: nodes-deploy-rs - runs-on: ubuntu-latest - steps: - - id: checkout - name: git clone - uses: actions/checkout@v4 - with: - submodules: false - - id: nix-install - name: nix install - uses: arcnmx/ci/actions/nix/install@v0.7 - - id: ci-dirty - name: nix test dirty - uses: arcnmx/ci/actions/nix/run@v0.7 - with: - attrs: ci.job.deploy-rs.run.test - command: ci-build-dirty - quiet: false - stdout: ${{ runner.temp }}/ci.build.dirty - - id: ci-test - name: nix test build - uses: arcnmx/ci/actions/nix/run@v0.7 - with: - attrs: ci.job.deploy-rs.run.test - command: ci-build-realise - ignore-exit-code: true - quiet: false - stdin: ${{ runner.temp }}/ci.build.dirty - - env: - CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} - id: ci-summary - name: nix test results - uses: arcnmx/ci/actions/nix/run@v0.7 - with: - attrs: ci.job.deploy-rs.run.test - command: ci-build-summarise - quiet: false - stdin: ${{ runner.temp }}/ci.build.dirty - stdout: ${{ runner.temp }}/ci.build.cache - - env: - CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} - id: ci-cache - if: always() - name: nix test cache - uses: arcnmx/ci/actions/nix/run@v0.7 - with: - attrs: ci.job.deploy-rs.run.test - command: ci-build-cache - quiet: false - stdin: ${{ runner.temp }}/ci.build.cache extern-test: name: nodes-extern-test runs-on: ubuntu-latest 
@@ -487,6 +436,57 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache + packages: + name: nodes-packages + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v4 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@v0.7 + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.packages.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.packages.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.packages.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.packages.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache reimu: name: nodes-reimu runs-on: ubuntu-latest diff --git a/ci/common.nix b/ci/common.nix new file mode 100644 index 00000000..58599bb1 --- /dev/null +++ b/ci/common.nix 
@@ -0,0 +1,47 @@ +{ + lib, + channels, + config, + ... +}: { + nixpkgs.args = { + localSystem = "x86_64-linux"; + config = { + allowUnfree = true; + }; + }; + + ci = { + version = "v0.7"; + gh-actions = { + enable = true; + }; + }; + + /*nix.config = { + extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; + #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; + };*/ + + channels = { + nixfiles.path = ../.; + nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}"; + }; + + ci.gh-actions.checkoutOptions = { + submodules = false; + }; + + cache.cachix = { + arc = { + enable = true; + publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="; + signingKey = null; + }; + gensokyo-infrastructure = { + enable = true; + publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI="; + signingKey = "mewp"; + }; + }; +} diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index 9f5e32a3..f0453d3c 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix 
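Review bot: `signingKey = "mewp"` under `cache.cachix.gensokyo-infrastructure` reads like a placeholder rather than a key, and nothing on this page shows what the ci framework does with that string; the generated workflow exports the real key through `CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}`, so presumably `"mewp"` is only a non-null sentinel that enables pushing — confirm, and document it so nobody later "fixes" it by pasting the real key: `signingKey = "mewp"; # non-null sentinel only: the real key is injected at runtime via CACHIX_SIGNING_KEY, never commit it here`. `allowUnfree = true` is new (neither nodes.nix nor flake-cron.nix set it before) and now applies to every CI module that imports this file; a one-line comment naming which package needs it would keep the scope from creeping. `ci.version = "v0.7"` also resolves to mutable tags in the generated YAML (`arcnmx/ci/actions/nix/run@v0.7`, `actions/checkout@v4`); if the framework accepts a commit SHA, pinning there would close the supply-chain window on the CI actions themselves.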
@@ -5,129 +5,98 @@ ... }: with lib; let - gitBranch = "main"; pkgs = channels.nixpkgs; in { - name = "flake-update"; + imports = [ ./common.nix ]; + config = { + name = "flake-update"; - nixpkgs.args.localSystem = "x86_64-linux"; - - ci = { - version = "v0.7"; gh-actions = { - enable = true; - }; - }; - - gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; - - nix.config = { - extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; - #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; - }; - - gh-actions = { - on = let - paths = [ - "default.nix" # sourceCache - "ci/flake-cron.nix" - config.ci.gh-actions.path - ]; - in { - push = { - inherit paths; + env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; + on = let + paths = [ + "default.nix" # sourceCache + "ci/flake-cron.nix" + config.ci.gh-actions.path + ]; + in { + push = { + inherit paths; + }; + pull_request = { + inherit paths; + }; + schedule = [ + { + cron = "0 0 * * *"; + } + ]; + workflow_dispatch = {}; }; - pull_request = { - inherit paths; - }; - schedule = [ - { - cron = "0 0 * * *"; - } - ]; - workflow_dispatch = {}; - }; - jobs.flake-update = { - # TODO: split this up into two phases, then push at the end so other CI tests can run first - step.flake-update = { - name = "flake update build"; - order = 500; - run = "nix run .#nf-update"; - env = { - CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; - NF_UPDATE_GIT_COMMIT = "1"; - NF_UPDATE_CACHIX_PUSH = "1"; - NF_CONFIG_ROOT = "\${{ github.workspace }}"; + jobs.flake-update = { + # TODO: split this up into two phases, then push at the end so other CI tests can run first + step.flake-update = { + name = "flake update build"; + order = 500; + run = "nix run .#nf-update"; + env = { + CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; + NF_UPDATE_GIT_COMMIT = "1"; + NF_UPDATE_CACHIX_PUSH = "1"; + NF_CONFIG_ROOT = 
"\${{ github.workspace }}"; + }; }; }; }; - }; - channels = { - nixfiles.path = ../.; - nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}"; - }; - - jobs = { - flake-update = { - }; - barcodebuddy-update = { - ci.gh-actions.name = "barcodebuddy update check"; - tasks.check = let - barcodebuddy-check = let - lock = importJSON ../flake.lock; - inherit (lock.nodes) barcodebuddy; - inherit (barcodebuddy.original) ref; - impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified; - outputHashAlgo = "sha256"; - outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n"; - in pkgs.runCommand "barcodebuddy-check-${ref}" { - inherit outputHash outputHashAlgo impure ref; - outputHashMode = "flat"; - preferLocalBuild = true; - allowSubstitutes = false; - impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ]; - nativeBuildInputs = with pkgs.buildPackages; [ curl jq ]; - inherit (barcodebuddy.original) owner repo; - query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name"; - meta.displayName = "barcodebuddy ${ref} outdated"; - } '' - BB_RELEASES=$(curl \ - --insecure \ - -fSsL \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "https://api.github.com/repos/$owner/$repo/releases" - ) - BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES") - if [[ $BB_LATEST = $ref ]]; then - echo "barcodebuddy-$ref up-to-date" >&2 - else - echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2 - fi - printf '%s!%s\n' "$BB_LATEST" "$impure" > $out - ''; - in { - inputs = [ barcodebuddy-check ]; - cache.enable = false; + jobs = { + flake-update = { ... 
}: { + imports = [ ./packages.nix ]; + }; + barcodebuddy-update = { + ci.gh-actions.name = "barcodebuddy update check"; + tasks.check = let + barcodebuddy-check = let + lock = importJSON ../flake.lock; + inherit (lock.nodes) barcodebuddy; + inherit (barcodebuddy.original) ref; + impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified; + outputHashAlgo = "sha256"; + outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n"; + in pkgs.runCommand "barcodebuddy-check-${ref}" { + inherit outputHash outputHashAlgo impure ref; + outputHashMode = "flat"; + preferLocalBuild = true; + allowSubstitutes = false; + impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ]; + nativeBuildInputs = with pkgs.buildPackages; [ curl jq ]; + inherit (barcodebuddy.original) owner repo; + query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name"; + meta.displayName = "barcodebuddy ${ref} outdated"; + } '' + BB_RELEASES=$(curl \ + --insecure \ + -fSsL \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/$owner/$repo/releases" + ) + BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES") + if [[ $BB_LATEST = $ref ]]; then + echo "barcodebuddy-$ref up-to-date" >&2 + else + echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2 + fi + printf '%s!%s\n' "$BB_LATEST" "$impure" > $out + ''; + in { + inputs = [ barcodebuddy-check ]; + cache.enable = false; + }; }; }; - }; - ci.gh-actions.checkoutOptions = { - submodules = false; - fetch-depth = 0; - }; - - cache.cachix = { - arc = { - enable = true; - publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="; - signingKey = null; - }; - gensokyo-infrastructure = { - enable = true; - publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI="; - signingKey = "mewp"; + ci.gh-actions.checkoutOptions = { + fetch-depth = 0; }; }; } 
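Review bot: The re-indented `barcodebuddy-check` derivation still runs `curl --insecure` against `https://api.github.com/repos/$owner/$repo/releases`, so the tag comparison that reports barcodebuddy out of date is fed by a TLS-unverified response; drop the flag, `BB_RELEASES=$(curl -fSsL -H "X-GitHub-Api-Version: 2022-11-28" "https://api.github.com/repos/$owner/$repo/releases")`, and if it was added because the fixed-output sandbox had no CA bundle, supply `pkgs.cacert` via `SSL_CERT_FILE` instead of disabling verification. The signing secret is now exported twice: `gh-actions.env.CACHIX_SIGNING_KEY` hands it to every job in the workflow, including `barcodebuddy-update`, which only needs to read the GitHub API, while `step.flake-update.env` already scopes it to the step that pushes; keep only the step-level copy unless the framework's own cache step needs the workflow-level one. The `TODO` on `jobs.flake-update` is worth acting on before `NF_UPDATE_GIT_COMMIT = "1"` runs on `pull_request` events — what `nf-update` does with a push from a PR checkout is not visible here. The module's argument list lies above the hunk.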
diff --git a/ci/nodes.nix b/ci/nodes.nix index 5e803243..97341248 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix @@ -6,48 +6,23 @@ ... }: with lib; { - name = "nodes"; + imports = [ ./common.nix ]; + config = { + name = "nodes"; - nixpkgs.args.localSystem = "x86_64-linux"; - - ci = { - version = "v0.7"; - gh-actions = { - enable = true; - }; - }; - channels.nixfiles.path = ../.; - - nix.config = { - extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; - #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; - }; - - jobs = let - enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems; - mkSystemJob = name: system: nameValuePair "${name}" { - tasks.system = { - inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel; - warn = system.config.ci.allowFailure; + jobs = let + enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems; + mkSystemJob = name: system: nameValuePair "${name}" { + tasks.system = { + inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel; + warn = system.config.ci.allowFailure; + }; }; - }; - systemJobs = mapAttrs' mkSystemJob enabledSystems; - in { - deploy-rs = { - tasks.binary = { - inputs = channels.nixfiles.packages.x86_64-linux.deploy-rs; + systemJobs = mapAttrs' mkSystemJob enabledSystems; + in { + packages = { ... }: { + imports = [ ./packages.nix ]; }; - }; - } // systemJobs; - - ci.gh-actions.checkoutOptions.submodules = false; - cache.cachix.arc = { - enable = true; - publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="; - }; - cache.cachix.gensokyo-infrastructure = { - enable = true; - publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI="; - signingKey = "mewp"; + } // systemJobs; }; } 
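Review bot: `nix.config.extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]` is removed here but not carried into `ci/common.nix`, where the equivalent block is commented out, so any system in `enabledSystems` that is not x86_64-linux presumably loses its declared platform in the nodes workflow; if that is intended (those hosts gated by `ci.enable`/`allowFailure`), say so in a comment beside `systemJobs`, otherwise restore the setting in common.nix. Since `systemJobs` is merged with `//` on the right, a host named `packages` would silently replace the new `packages` job; a `# systemJobs wins on name collision` note next to the merge, or an assertion in `mkSystemJob`, makes that explicit. The module's argument list sits above the hunk.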
diff --git a/ci/packages.nix b/ci/packages.nix new file mode 100644 index 00000000..8cbe873b --- /dev/null +++ b/ci/packages.nix @@ -0,0 +1,32 @@ +{ + lib, + config, + channels, + ... +}: let + inherit (channels.nixfiles) packages legacyPackages; +in { + tasks = { + devShell.inputs = with packages.x86_64-linux; [ + deploy-rs + terraform tflint + alejandra deadnix statix + ssh-to-age + ]; + + # build+cache packages customized or added via overlay + barcodebuddy.inputs = packages.x86_64-linux.barcodebuddy; + samba.inputs = with packages.x86_64-linux; [ + legacyPackages.x86_64-linux.pkgs.samba + samba-ldap + freeipa-ipasam + ]; + nfs.inputs = [ + packages.x86_64-linux.nfs-utils-ldap + ]; + krb5.inputs = [ + packages.x86_64-linux.krb5-ldap + legacyPackages.x86_64-linux.pkgs._389-ds-base + ]; + }; +} diff --git a/packages/default.nix b/packages/default.nix index 041e9bc0..9ba878bd 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -42,7 +42,11 @@ ; inherit (inputs.deploy-rs.packages.${system}) deploy-rs; - inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa; + inherit (pkgs) + freeipa-ipasam samba-ldap samba-ipa + krb5-ldap + nfs-utils-ldap + barcodebuddy; nf-setup-node = let reisen = ../systems/reisen;
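Review bot: `lib` and `config` are bound in the argument set but never used in the body; `deadnix`, which this file adds to `devShell.inputs`, reports unused lambda-pattern names by default, so the lint would flag its own CI config — drop them: `{ channels, ... }: let`. `samba.inputs` mixes `with packages.x86_64-linux;` scoping with an explicit `legacyPackages.x86_64-linux.pkgs.samba` path while `nfs`/`krb5` spell every path out; using explicit paths throughout keeps the overlay-vs-flake-output distinction visible at a glance. A header comment such as `# x86_64-linux only: every input here is built and pushed to cachix by the nodes and flake-update workflows` would document the hard-coded system and why these particular packages are cached.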