feat(ci): cache overlaid packages

2026-02-09 04:19:19 -08:00 · 2024-05-03 09:35:33 -07:00 · 2024-05-03 09:35:33 -07:00 · e8b8ddccca
commit e8b8ddccca
parent fc930cd4a2
6 changed files with 230 additions and 203 deletions
--- a/.github/workflows/nodes.yml
+++ b/.github/workflows/nodes.yml
@ -130,57 +130,6 @@ jobs:
        command: ci-build-cache
        quiet: false
        stdin: ${{ runner.temp }}/ci.build.cache
-  deploy-rs:
-    name: nodes-deploy-rs
-    runs-on: ubuntu-latest
-    steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.deploy-rs.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.deploy-rs.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.deploy-rs.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
-    - env:
-        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
-      if: always()
-      name: nix test cache
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.deploy-rs.run.test
-        command: ci-build-cache
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.cache
  extern-test:
    name: nodes-extern-test
    runs-on: ubuntu-latest
@ -487,6 +436,57 @@ jobs:
        command: ci-build-cache
        quiet: false
        stdin: ${{ runner.temp }}/ci.build.cache
+  packages:
+    name: nodes-packages
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
  reimu:
    name: nodes-reimu
    runs-on: ubuntu-latest
--- a/ci/common.nix
+++ b/ci/common.nix
@ -0,0 +1,47 @@
+{
+  lib,
+  channels,
+  config,
+  ...
+}: {
+  nixpkgs.args = {
+    localSystem = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  ci = {
+    version = "v0.7";
+    gh-actions = {
+      enable = true;
+    };
+  };
+
+  /*nix.config = {
+    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
+    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
+  };*/
+
+  channels = {
+    nixfiles.path = ../.;
+    nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
+  };
+
+  ci.gh-actions.checkoutOptions = {
+    submodules = false;
+  };
+
+  cache.cachix = {
+    arc = {
+      enable = true;
+      publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
+      signingKey = null;
+    };
+    gensokyo-infrastructure = {
+      enable = true;
+      publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
+      signingKey = "mewp";
+    };
+  };
+}
--- a/ci/flake-cron.nix
+++ b/ci/flake-cron.nix
@ -5,28 +5,14 @@
  ...
 }:
 with lib; let
-  gitBranch = "main";
  pkgs = channels.nixpkgs;
 in {
+  imports = [ ./common.nix ];
+  config = {
    name = "flake-update";

-  nixpkgs.args.localSystem = "x86_64-linux";
-
-  ci = {
-    version = "v0.7";
-    gh-actions = {
-      enable = true;
-    };
-  };
-
-  gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
-
-  nix.config = {
-    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
-    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
-  };
-
    gh-actions = {
+      env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
      on = let
        paths = [
          "default.nix" # sourceCache
@ -63,13 +49,9 @@ in {
      };
    };

-  channels = {
-    nixfiles.path = ../.;
-    nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
-  };
-
    jobs = {
-    flake-update = {
+      flake-update = { ... }: {
+        imports = [ ./packages.nix ];
      };
      barcodebuddy-update = {
        ci.gh-actions.name = "barcodebuddy update check";
@ -114,20 +96,7 @@ in {
    };

    ci.gh-actions.checkoutOptions = {
-    submodules = false;
      fetch-depth = 0;
    };
-
-  cache.cachix = {
-    arc = {
-      enable = true;
-      publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
-      signingKey = null;
-    };
-    gensokyo-infrastructure = {
-      enable = true;
-      publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
-      signingKey = "mewp";
-    };
  };
 }
--- a/ci/nodes.nix
+++ b/ci/nodes.nix
@ -6,23 +6,10 @@
  ...
 }:
 with lib; {
+  imports = [ ./common.nix ];
+  config = {
    name = "nodes";

-  nixpkgs.args.localSystem = "x86_64-linux";
-
-  ci = {
-    version = "v0.7";
-    gh-actions = {
-      enable = true;
-    };
-  };
-  channels.nixfiles.path = ../.;
-
-  nix.config = {
-    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
-    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
-  };
-
    jobs = let
      enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
      mkSystemJob = name: system: nameValuePair "${name}" {
@ -33,21 +20,9 @@ with lib; {
      };
      systemJobs = mapAttrs' mkSystemJob enabledSystems;
    in {
-    deploy-rs = {
-      tasks.binary = {
-        inputs = channels.nixfiles.packages.x86_64-linux.deploy-rs;
-      };
+      packages = { ... }: {
+        imports = [ ./packages.nix ];
      };
    } // systemJobs;
-
-  ci.gh-actions.checkoutOptions.submodules = false;
-  cache.cachix.arc = {
-    enable = true;
-    publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
-  };
-  cache.cachix.gensokyo-infrastructure = {
-    enable = true;
-    publicKey = "gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI=";
-    signingKey = "mewp";
  };
 }
--- a/ci/packages.nix
+++ b/ci/packages.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  channels,
+  ...
+}: let
+  inherit (channels.nixfiles) packages legacyPackages;
+in {
+  tasks = {
+    devShell.inputs = with packages.x86_64-linux; [
+      deploy-rs
+      terraform tflint
+      alejandra deadnix statix
+      ssh-to-age
+    ];
+
+    # build+cache packages customized or added via overlay
+    barcodebuddy.inputs = packages.x86_64-linux.barcodebuddy;
+    samba.inputs = with packages.x86_64-linux; [
+      legacyPackages.x86_64-linux.pkgs.samba
+      samba-ldap
+      freeipa-ipasam
+    ];
+    nfs.inputs = [
+      packages.x86_64-linux.nfs-utils-ldap
+    ];
+    krb5.inputs = [
+      packages.x86_64-linux.krb5-ldap
+      legacyPackages.x86_64-linux.pkgs._389-ds-base
+    ];
+  };
+}
--- a/packages/default.nix
+++ b/packages/default.nix
@ -42,7 +42,11 @@
      ;
    inherit (inputs.deploy-rs.packages.${system}) deploy-rs;

-    inherit (pkgs) freeipa-ipasam samba-ldap samba-ipa;
+    inherit (pkgs)
+      freeipa-ipasam samba-ldap samba-ipa
+      krb5-ldap
+      nfs-utils-ldap
+      barcodebuddy;

    nf-setup-node = let
      reisen = ../systems/reisen;