gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(ci): cache overlaid packages

Browse source
This commit is contained in:
arcnmx 2024-05-03 09:35:33 -07:00
parent fc930cd4a2
commit e8b8ddccca
6 changed files with 230 additions and 203 deletions
Download patch file Download diff file Expand all files Collapse all files

102
.github/workflows/nodes.yml vendored
View file

@ -130,57 +130,6 @@ jobs:
command: ci-build-cache command: ci-build-cache
quiet: false quiet: false
stdin: ${{ runner.temp }}/ci.build.cache stdin: ${{ runner.temp }}/ci.build.cache
deploy-rs:
name: nodes-deploy-rs
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v4
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@v0.7
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.deploy-rs.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.deploy-rs.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.deploy-rs.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.deploy-rs.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
extern-test: extern-test:
name: nodes-extern-test name: nodes-extern-test
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -487,6 +436,57 @@ jobs:
command: ci-build-cache command: ci-build-cache
quiet: false quiet: false
stdin: ${{ runner.temp }}/ci.build.cache stdin: ${{ runner.temp }}/ci.build.cache
packages:
name: nodes-packages
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v4
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@v0.7
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.packages.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.packages.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.packages.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@v0.7
with:
attrs: ci.job.packages.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
reimu: reimu:
name: nodes-reimu name: nodes-reimu
runs-on: ubuntu-latest runs-on: ubuntu-latest

47
ci/common.nix Normal file
View file

@ -0,0 +1,47 @@
{
lib,
channels,
config,
...
}: {
nixpkgs.args = {
localSystem = "x86_64-linux";
config = {
allowUnfree = true;
};
};
ci = {
version = "v0.7";
gh-actions = {
enable = true;
};
};
/*nix.config = {
extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
#extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
};*/
channels = {
nixfiles.path = ../.;
nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
};
ci.gh-actions.checkoutOptions = {
submodules = false;
};
cache.cachix = {
arc = {
enable = true;
publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
signingKey = null;
};
gensokyo-infrastructure = {
enable = true;
publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
signingKey = "mewp";
};
};
}

191
ci/flake-cron.nix
View file

@ -5,129 +5,98 @@
... ...
}: }:
with lib; let with lib; let
gitBranch = "main";
pkgs = channels.nixpkgs; pkgs = channels.nixpkgs;
in { in {
name = "flake-update"; imports = [ ./common.nix ];
config = {
name = "flake-update";
nixpkgs.args.localSystem = "x86_64-linux";
ci = {
version = "v0.7";
gh-actions = { gh-actions = {
enable = true; env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
}; on = let
}; paths = [
"default.nix" # sourceCache
gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; "ci/flake-cron.nix"
config.ci.gh-actions.path
nix.config = { ];
extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; in {
#extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; push = {
}; inherit paths;
};
gh-actions = { pull_request = {
on = let inherit paths;
paths = [ };
"default.nix" # sourceCache schedule = [
"ci/flake-cron.nix" {
config.ci.gh-actions.path cron = "0 0 * * *";
]; }
in { ];
push = { workflow_dispatch = {};
inherit paths;
}; };
pull_request = { jobs.flake-update = {
inherit paths; # TODO: split this up into two phases, then push at the end so other CI tests can run first
}; step.flake-update = {
schedule = [ name = "flake update build";
{ order = 500;
cron = "0 0 * * *"; run = "nix run .#nf-update";
} env = {
]; CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
workflow_dispatch = {}; NF_UPDATE_GIT_COMMIT = "1";
}; NF_UPDATE_CACHIX_PUSH = "1";
jobs.flake-update = { NF_CONFIG_ROOT = "\${{ github.workspace }}";
# TODO: split this up into two phases, then push at the end so other CI tests can run first };
step.flake-update = {
name = "flake update build";
order = 500;
run = "nix run .#nf-update";
env = {
CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
NF_UPDATE_GIT_COMMIT = "1";
NF_UPDATE_CACHIX_PUSH = "1";
NF_CONFIG_ROOT = "\${{ github.workspace }}";
}; };
}; };
}; };
};
channels = { jobs = {
nixfiles.path = ../.; flake-update = { ... }: {
nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}"; imports = [ ./packages.nix ];
}; };
barcodebuddy-update = {
jobs = { ci.gh-actions.name = "barcodebuddy update check";
flake-update = { tasks.check = let
}; barcodebuddy-check = let
barcodebuddy-update = { lock = importJSON ../flake.lock;
ci.gh-actions.name = "barcodebuddy update check"; inherit (lock.nodes) barcodebuddy;
tasks.check = let inherit (barcodebuddy.original) ref;
barcodebuddy-check = let impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified;
lock = importJSON ../flake.lock; outputHashAlgo = "sha256";
inherit (lock.nodes) barcodebuddy; outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n";
inherit (barcodebuddy.original) ref; in pkgs.runCommand "barcodebuddy-check-${ref}" {
impure = toString builtins.currentTime or channels.nixfiles.inputs.sourceInfo.lastModified; inherit outputHash outputHashAlgo impure ref;
outputHashAlgo = "sha256"; outputHashMode = "flat";
outputHash = builtins.hashString outputHashAlgo "${ref}!${impure}\n"; preferLocalBuild = true;
in pkgs.runCommand "barcodebuddy-check-${ref}" { allowSubstitutes = false;
inherit outputHash outputHashAlgo impure ref; impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ];
outputHashMode = "flat"; nativeBuildInputs = with pkgs.buildPackages; [ curl jq ];
preferLocalBuild = true; inherit (barcodebuddy.original) owner repo;
allowSubstitutes = false; query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name";
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NIX_CURL_FLAGS" ]; meta.displayName = "barcodebuddy ${ref} outdated";
nativeBuildInputs = with pkgs.buildPackages; [ curl jq ]; } ''
inherit (barcodebuddy.original) owner repo; BB_RELEASES=$(curl \
query = "sort_by(.tag_name) | [.[]|select(.prerelease==false and .draft==false)] | .[-1].tag_name"; --insecure \
meta.displayName = "barcodebuddy ${ref} outdated"; -fSsL \
} '' -H "X-GitHub-Api-Version: 2022-11-28" \
BB_RELEASES=$(curl \ "https://api.github.com/repos/$owner/$repo/releases"
--insecure \ )
-fSsL \ BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES")
-H "X-GitHub-Api-Version: 2022-11-28" \ if [[ $BB_LATEST = $ref ]]; then
"https://api.github.com/repos/$owner/$repo/releases" echo "barcodebuddy-$ref up-to-date" >&2
) else
BB_LATEST=$(jq -r "$query" - <<< "$BB_RELEASES") echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2
if [[ $BB_LATEST = $ref ]]; then fi
echo "barcodebuddy-$ref up-to-date" >&2 printf '%s!%s\n' "$BB_LATEST" "$impure" > $out
else '';
echo "barcodebuddy-$ref out of date, found version $BB_LATEST" >&2 in {
fi inputs = [ barcodebuddy-check ];
printf '%s!%s\n' "$BB_LATEST" "$impure" > $out cache.enable = false;
''; };
in {
inputs = [ barcodebuddy-check ];
cache.enable = false;
}; };
}; };
};
ci.gh-actions.checkoutOptions = { ci.gh-actions.checkoutOptions = {
submodules = false; fetch-depth = 0;
fetch-depth = 0;
};
cache.cachix = {
arc = {
enable = true;
publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
signingKey = null;
};
gensokyo-infrastructure = {
enable = true;
publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
signingKey = "mewp";
}; };
}; };
} }

55
ci/nodes.nix
View file

@ -6,48 +6,23 @@
... ...
}: }:
with lib; { with lib; {
name = "nodes"; imports = [ ./common.nix ];
config = {
name = "nodes";
nixpkgs.args.localSystem = "x86_64-linux"; jobs = let
enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
ci = { mkSystemJob = name: system: nameValuePair "${name}" {
version = "v0.7"; tasks.system = {
gh-actions = { inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
enable = true; warn = system.config.ci.allowFailure;
}; };
};
channels.nixfiles.path = ../.;
nix.config = {
extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
#extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
};
jobs = let
enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
mkSystemJob = name: system: nameValuePair "${name}" {
tasks.system = {
inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
warn = system.config.ci.allowFailure;
}; };
}; systemJobs = mapAttrs' mkSystemJob enabledSystems;
systemJobs = mapAttrs' mkSystemJob enabledSystems; in {
in { packages = { ... }: {
deploy-rs = { imports = [ ./packages.nix ];
tasks.binary = {
inputs = channels.nixfiles.packages.x86_64-linux.deploy-rs;
}; };
}; } // systemJobs;
} // systemJobs;
ci.gh-actions.checkoutOptions.submodules = false;
cache.cachix.arc = {
enable = true;
publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
};
cache.cachix.gensokyo-infrastructure = {
enable = true;
publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
signingKey = "mewp";
}; };
} }

32
ci/packages.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
config,
channels,
...
}: let
inherit (channels.nixfiles) packages legacyPackages;
in {
tasks = {
devShell.inputs = with packages.x86_64-linux; [
deploy-rs
terraform tflint
alejandra deadnix statix
ssh-to-age
];
# build+cache packages customized or added via overlay
barcodebuddy.inputs = packages.x86_64-linux.barcodebuddy;
samba.inputs = with packages.x86_64-linux; [
legacyPackages.x86_64-linux.pkgs.samba
samba-ldap
freeipa-ipasam
];
nfs.inputs = [
packages.x86_64-linux.nfs-utils-ldap
];
krb5.inputs = [
packages.x86_64-linux.krb5-ldap
legacyPackages.x86_64-linux.pkgs._389-ds-base
];
};
}

6
packages/default.nix
View file

@ -42,7 +42,11 @@
; ;
inherit (inputs.deploy-rs.packages.${system}) deploy-rs; inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa; inherit (pkgs)
freeipa-ipasam samba-ldap samba-ipa
krb5-ldap
nfs-utils-ldap
barcodebuddy;
nf-setup-node = let nf-setup-node = let
reisen = ../systems/reisen; reisen = ../systems/reisen;