feat(ci): cache overlaid packages

ci/common.nix

@@ -0,0 +1,47 @@
+{
+  lib,
+  channels,
+  config,
+  ...
+}: {
+  nixpkgs.args = {
+    localSystem = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  ci = {
+    version = "v0.7";
+    gh-actions = {
+      enable = true;
+    };
+  };
+
+  /*nix.config = {
+    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
+    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
+  };*/
+
+  channels = {
+    nixfiles.path = ../.;
+    nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
+  };
+
+  ci.gh-actions.checkoutOptions = {
+    submodules = false;
+  };
+
+  cache.cachix = {
+    arc = {
+      enable = true;
+      publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
+      signingKey = null;
+    };
+    gensokyo-infrastructure = {
+      enable = true;
+      publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
+      signingKey = "mewp";
+    };
+  };
+}

ci/flake-cron.nix

@@ -5,129 +5,98 @@
   ...
 }:
 with lib; let
-  gitBranch = "main";
   pkgs = channels.nixpkgs;
 in {
-  name = "flake-update";
+  imports = [ ./common.nix ];
+  config = {
+    name = "flake-update";
 
-  nixpkgs.args.localSystem = "x86_64-linux";
-
-  ci = {
-    version = "v0.7";
     gh-actions = {
-      enable = true;
-    };
-  };
-
-  gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
-
-  nix.config = {
-    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
-    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
-  };
-
-  gh-actions = {
-    on = let
-      paths = [
-        "default.nix" # sourceCache
-        "ci/flake-cron.nix"
-        config.ci.gh-actions.path
-      ];
-    in {
-      push = {
-        inherit paths;
+      env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+      on = let
+        paths = [
+          "default.nix" # sourceCache
+          "ci/flake-cron.nix"
+          config.ci.gh-actions.path
+        ];
+      in {
+        push = {
+          inherit paths;
+        };
+        pull_request = {
+          inherit paths;
+        };
+        schedule = [
+          {
+            cron = "0 0 * * *";
+          }
+        ];
+        workflow_dispatch = {};
       };
-      pull_request = {
-        inherit paths;
-      };
-      schedule = [
-        {
-          cron = "0 0 * * *";
-        }
-      ];
-      workflow_dispatch = {};
-    };
-    jobs.flake-update = {
-      # TODO: split this up into two phases, then push at the end so other CI tests can run first
-      step.flake-update = {
-        name = "flake update build";
-        order = 500;
-        run = "nix run .#nf-update";
-        env = {
-          CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
-          NF_UPDATE_GIT_COMMIT = "1";
-          NF_UPDATE_CACHIX_PUSH = "1";
-          NF_CONFIG_ROOT = "\${{ github.workspace }}";
+      jobs.flake-update = {
+        # TODO: split this up into two phases, then push at the end so other CI tests can run first
+        step.flake-update = {
+          name = "flake update build";
+          order = 500;
+          run = "nix run .#nf-update";
+          env = {
+            CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+            NF_UPDATE_GIT_COMMIT = "1";
+            NF_UPDATE_CACHIX_PUSH = "1";
+            NF_CONFIG_ROOT = "\${{ github.workspace }}";
+          };
         };
       };
     };
-  };
 
-  channels = {
-    nixfiles.path = ../.;
-    nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
-  };
-
-  jobs = {
-    flake-update = {
-    };
-    barcodebuddy-update = {
-      ci.gh-actions.name = "barcodebuddy update check";
-      tasks.check = let
-        barcodebuddy-check = let
-          lock = importJSON ../flake.lock;
-          inherit (lock.nodes) barcodebuddy;
-          inherit (barcodebuddy.original) ref;
-          impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified;
-          outputHashAlgo = "sha256";
-          outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n";
-        in pkgs.runCommand "barcodebuddy-check-${ref}" {
-          inherit outputHash outputHashAlgo impure ref;
-          outputHashMode = "flat";
-          preferLocalBuild = true;
-          allowSubstitutes = false;
-          impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ];
-          nativeBuildInputs = with pkgs.buildPackages; [ curl jq ];
-          inherit (barcodebuddy.original) owner repo;
-          query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name";
-          meta.displayName = "barcodebuddy ${ref} outdated";
-        } ''
-          BB_RELEASES=$(curl \
-            --insecure \
-            -fSsL \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "https://api.github.com/repos/$owner/$repo/releases"
-          )
-          BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES")
-          if [[ $BB_LATEST = $ref ]]; then
-            echo "barcodebuddy-$ref up-to-date" >&2
-          else
-            echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2
-          fi
-          printf '%s!%s\n' "$BB_LATEST" "$impure" > $out
-        '';
-      in {
-        inputs = [ barcodebuddy-check ];
-        cache.enable = false;
+    jobs = {
+      flake-update = { ... }: {
+        imports = [ ./packages.nix ];
+      };
+      barcodebuddy-update = {
+        ci.gh-actions.name = "barcodebuddy update check";
+        tasks.check = let
+          barcodebuddy-check = let
+            lock = importJSON ../flake.lock;
+            inherit (lock.nodes) barcodebuddy;
+            inherit (barcodebuddy.original) ref;
+            impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified;
+            outputHashAlgo = "sha256";
+            outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n";
+          in pkgs.runCommand "barcodebuddy-check-${ref}" {
+            inherit outputHash outputHashAlgo impure ref;
+            outputHashMode = "flat";
+            preferLocalBuild = true;
+            allowSubstitutes = false;
+            impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ];
+            nativeBuildInputs = with pkgs.buildPackages; [ curl jq ];
+            inherit (barcodebuddy.original) owner repo;
+            query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name";
+            meta.displayName = "barcodebuddy ${ref} outdated";
+          } ''
+            BB_RELEASES=$(curl \
+              --insecure \
+              -fSsL \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/$owner/$repo/releases"
+            )
+            BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES")
+            if [[ $BB_LATEST = $ref ]]; then
+              echo "barcodebuddy-$ref up-to-date" >&2
+            else
+              echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2
+            fi
+            printf '%s!%s\n' "$BB_LATEST" "$impure" > $out
+          '';
+        in {
+          inputs = [ barcodebuddy-check ];
+          cache.enable = false;
+        };
       };
     };
-  };
 
-  ci.gh-actions.checkoutOptions = {
-    submodules = false;
-    fetch-depth = 0;
-  };
-
-  cache.cachix = {
-    arc = {
-      enable = true;
-      publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
-      signingKey = null;
-    };
-    gensokyo-infrastructure = {
-      enable = true;
-      publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
-      signingKey = "mewp";
+    ci.gh-actions.checkoutOptions = {
+      fetch-depth = 0;
     };
   };
 }

ci/nodes.nix

@@ -6,48 +6,23 @@
   ...
 }:
 with lib; {
-  name = "nodes";
+  imports = [ ./common.nix ];
+  config = {
+    name = "nodes";
 
-  nixpkgs.args.localSystem = "x86_64-linux";
-
-  ci = {
-    version = "v0.7";
-    gh-actions = {
-      enable = true;
-    };
-  };
-  channels.nixfiles.path = ../.;
-
-  nix.config = {
-    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
-    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
-  };
-
-  jobs = let
-    enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
-    mkSystemJob = name: system: nameValuePair "${name}" {
-      tasks.system = {
-        inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
-        warn = system.config.ci.allowFailure;
+    jobs = let
+      enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
+      mkSystemJob = name: system: nameValuePair "${name}" {
+        tasks.system = {
+          inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
+          warn = system.config.ci.allowFailure;
+        };
       };
-    };
-    systemJobs = mapAttrs' mkSystemJob enabledSystems;
-  in {
-    deploy-rs = {
-      tasks.binary = {
-        inputs = channels.nixfiles.packages.x86_64-linux.deploy-rs;
+      systemJobs = mapAttrs' mkSystemJob enabledSystems;
+    in {
+      packages = { ... }: {
+        imports = [ ./packages.nix ];
       };
-    };
-  } // systemJobs;
-
-  ci.gh-actions.checkoutOptions.submodules = false;
-  cache.cachix.arc = {
-    enable = true;
-    publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
-  };
-  cache.cachix.gensokyo-infrastructure = {
-    enable = true;
-    publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
-    signingKey = "mewp";
+    } // systemJobs;
   };
 }

ci/packages.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  channels,
+  ...
+}: let
+  inherit (channels.nixfiles) packages legacyPackages;
+in {
+  tasks = {
+    devShell.inputs = with packages.x86_64-linux; [
+      deploy-rs
+      terraform tflint
+      alejandra deadnix statix
+      ssh-to-age
+    ];
+
+    # build+cache packages customized or added via overlay
+    barcodebuddy.inputs = packages.x86_64-linux.barcodebuddy;
+    samba.inputs = with packages.x86_64-linux; [
+      legacyPackages.x86_64-linux.pkgs.samba
+      samba-ldap
+      freeipa-ipasam
+    ];
+    nfs.inputs = [
+      packages.x86_64-linux.nfs-utils-ldap
+    ];
+    krb5.inputs = [
+      packages.x86_64-linux.krb5-ldap
+      legacyPackages.x86_64-linux.pkgs._389-ds-base
+    ];
+  };
+}