feat: attempt to integrate ci from Gensokyo-zone/infrastructure

ci/common.nix

@@ -0,0 +1,47 @@
+{
+  lib,
+  channels,
+  config,
+  ...
+}: {
+  nixpkgs.args = {
+    localSystem = "x86_64-linux";
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  ci = {
+    version = "v0.7";
+    gh-actions = {
+      enable = true;
+    };
+  };
+
+  /*nix.config = {
+    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
+    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
+  };*/
+
+  channels = {
+    nixfiles.path = ../.;
+    nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
+  };
+
+  ci.gh-actions.checkoutOptions = {
+    submodules = false;
+  };
+
+  cache.cachix = {
+    arc = {
+      enable = true;
+      publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
+      signingKey = null;
+    };
+    kittywitch = {
+     enable = true;
+     publicKey = "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=";
+      signingKey = "mewp";
+    };
+  };
+}

ci/flake-cron.nix

@@ -0,0 +1,61 @@
+{
+  lib,
+  channels,
+  config,
+  ...
+}:
+with lib; let
+  pkgs = channels.nixpkgs;
+in {
+  imports = [ ./common.nix ];
+  config = {
+    name = "flake-update";
+
+    gh-actions = {
+      env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+      on = let
+        paths = [
+          "default.nix" # sourceCache
+          "ci/flake-cron.nix"
+          config.ci.gh-actions.path
+        ];
+      in {
+        push = {
+          inherit paths;
+        };
+        pull_request = {
+          inherit paths;
+        };
+        schedule = [
+          {
+            cron = "0 0 * * *";
+          }
+        ];
+        workflow_dispatch = {};
+      };
+      jobs.flake-update = {
+        step.flake-update = {
+          name = "flake update build";
+          order = 500;
+          run = "nix run .#nf-update";
+          env = {
+            CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+            NF_UPDATE_GIT_COMMIT = "1";
+            NF_UPDATE_CACHIX_PUSH = "1";
+            NF_CONFIG_ROOT = "\${{ github.workspace }}";
+          };
+        };
+      };
+    };
+
+    jobs = {
+      flake-update = { ... }: {
+        imports = [ ./packages.nix ];
+      };
+    };
+
+    ci.gh-actions.checkoutOptions = {
+      fetch-depth = 0;
+    };
+  };
+}

ci/nix.nix

@@ -0,0 +1,8 @@
+{
+  ci = {
+    workflowConfigs = [
+      "nodes.nix"
+      "flake-cron.nix"
+    ];
+  };
+}

ci/nodes.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  channels,
+  env,
+  ...
+}:
+with lib; {
+  imports = [ ./common.nix ];
+  config = {
+    name = "nodes";
+
+    jobs = let
+      enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
+      mkSystemJob = name: system: nameValuePair "${name}" {
+        tasks.system = {
+          inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
+          warn = system.config.ci.allowFailure;
+        };
+      };
+      systemJobs = mapAttrs' mkSystemJob enabledSystems;
+    in {
+      packages = { ... }: {
+        imports = [ ./packages.nix ];
+      };
+    } // systemJobs;
+  };
+}

ci/packages.nix

@@ -0,0 +1,17 @@
+{
+  lib,
+  config,
+  channels,
+  ...
+}: let
+  inherit (channels.nixfiles) packages legacyPackages;
+in {
+  tasks = {
+    devShell.inputs = with packages.x86_64-linux; [
+      deploy-rs
+      terraform tflint
+      alejandra deadnix statix
+      ssh-to-age
+    ];
+  };
+}

ci/secrets.yaml

@@ -0,0 +1,96 @@
+CACHIX_AUTH_TOKEN: ENC[AES256_GCM,data:oezH26CAPPAXFvbtqlmEfa/X6XADQHCoObajgoaUKB8cdtI6mVnsZfmYNVgcyQzmyPhcKcqG7X1d0SYNuJW1dI2eByKvWSWUwY5N2f0994/Hd1NB3s7E3dq1EZtkZqDyFJMSchQT7xkJtEMqzdQnQhL3Au2zaP0+m6hhmkxqIet6H1Yu4n+hGBkunzF26l0VTPsPiek=,iv:ODlzphfJOsrPp0Vb/vABkES74a2wbesrRFQKGeCY2Qs=,tag:/wAItpFQmQ4KNT0ZNo1ehg==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRERhQVk0RTVDdUR6bXVm
+            NVZjanNwV2d1bm1xbDZvMHZpNEpkRHBSL1M4ClpLdFhEM0JhNTlTMkFjd040OUZF
+            Vjl3aFlLMUxKeGRuZTNXYmxDRG54YUUKLS0tIFVVWGgvZGJ3d2JtQTYzcUZuRUM3
+            bThmek1aUG1pb3VBZXMxNXZIZEdyd1kKeOSUooXs//DJBhJlIssaozUhnPy4X8Ty
+            RGgvKAp7/fE0Z1WMV8h7w4vsplSr4aocU49CH/QcdAlARdqF4as9sA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdjV4VkdhdXVlUVN3MzNr
+            bW5Xb09vRFBtSTBWM2EvRHA0NS9kZTl4dFc4CjBCWlJ1NUp0MmQ5Z3FRWm5sanZs
+            UFdxSjl4ZWx3MWVZa3ZVT2ZEdC9NUkEKLS0tIEd0MUNRQStsSkVyTXBSRUt1Tms4
+            azBYYm5aU0hKOTEzV0FuNVF3ZHcyS3MKbHbT+cPPJ4XGWIgj/zxci9A88Ak60ja4
+            /2lBlLsVCUHmFEoHXueizAypcVhp+WwfbGdva3VWfCTMmYnzcdEv6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSTFBeUVMMVFuNURCa2tH
+            bUJVQ2hrSVREeUdPZ0d3NmREZXFtSmxnRnhZCnRXbCtVR3VxMXludzBWMmw1ZFBS
+            WW54dzNDamRkUjc0cWcyQ2RpaGNua2cKLS0tIG1VVDd1VFNLdHl4cmhiRnk0S1A1
+            dm5vVVBrM1NYb3cxbU9STXBBMDdDSUkKy+ZNL/eYnqtagB3oom0xEXxihYqGz2w3
+            RJ2dQEQSPshuyMzC6AsV8nbaQhX6aNw+cgDSqX0E9G7+mBjWFSjEgw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3STBnbDQ2K1ltVFZ4WjdG
+            bk1aMlY2NDFYWWZPcDgvL1VWT0YzdTc5eEdFCmxUejZkUG1BaVhHeU92cldLQVE5
+            UlNMb3pvdU5RY0V0KzExSDBKQVJLZkUKLS0tIDhxKzljTCsrVE9YRnNaMDF5WFBl
+            eGRWMnNqbFIvakhoVURYOFNrK2IrYlEKvFp1izuR11CBDTMdOKe5MMx/+hfg5zo8
+            bo09Ep3XzO++ZXmevtUOVKGKd+D2hstEZxi0Vfr6yp8iI8sAG/46yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTk9FclJyeUxuNkJmTUFM
+            YVBLOEZqbXIyWXAxMk9pYnVvSXBjQTNhUGs0CmJ0NGJWenl5ZStHcXRubjdieHo0
+            QzhRdDZYV0xlU2N5dnpxWURNamN2aGcKLS0tIFRGc3ZJVnp3SnZtLy8ydVBQVUsy
+            STNxaHcyc3NINHFMR1F3OGg1a1liWW8KgVgMTA/Ut+xaLFmEP8EwSJ0oFVIEqh5n
+            PSD3ciDdx8t+2mzCvpTBZiH52jarZmBEhZhMYxwd301uS3uVUW5sGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBckh5OC83b1JDY3lCVnFS
+            LzFRVElBTFVsWU5jMEkwbVlUTlpnaUl1L2pzCk9uNktBTEtFYUpHUCs0ODZrcGRp
+            WEdZenRMRFNhd256KzdINjYwZ25YaDQKLS0tIElGWkpBeXBqWXVha2NiczFzaUV4
+            NzJKWndUUlRTZ3NlYS9qam1xZ0xUakEKciZwpzQBxPz75xIPUIIsS4+YWXAWqIl5
+            MYURy5G8uMzzRlHK/CJ0OI53kjsj/MTkDy247gKX+lig7bXHnuYJ1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOXlDOE50bE1jRG5aZHRu
+            aDhoK2UxZzNobFEzN3drVmNlQmZoR0FBRlVVCmRhNStBRGkyaEkrYWJweDZBcWVL
+            Z2RDcjlyMk5zRTdOYi9zbjBGandCZEkKLS0tIExNcjByeXJxSkg5UGZLRWJSQ29Y
+            S1dxenc5M3ZhMTR3SEpqR3FxT20rdGMK4YtZe6NDBx5/LM6rbGuoXLrBEicOhDSx
+            azOPjHWLN+B2JdgBpemI9NDOfBWL+t/VGx00w40PUq7FsCYdoBmHtQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-13T18:21:10Z"
+    mac: ENC[AES256_GCM,data:6vjYEY6WsfXGHxryL3ypqlmRGbsgEse0WohV9N4Oepl+NDsmhsXraeSJsfQNwDgXHc7Hk6n7ORTeogXeVABMpeYZyOJnbzzfm5recAaXtB8Jq2yDC69KvS4Xuk9WzqmacLieeaZ5K1vET4hD0q52cBJtvRzgmJ2SAfEyXIeucO0=,iv:mzMAOI+aTzuGfQ4qyMTIv2QYYbXcaKcx9Wlfv7aY0CY=,tag:kwwdh7Ic0UtYqYJ1y6VqPw==,type:str]
+    pgp:
+        - created_at: "2024-07-13T18:20:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAAiGNgIcZG1LnGi0DyBiLVagxNUhpS4iatKgdHosBUUWWk
+            DjPnAseCrhSLMxciRjrDwnDKjFFMeIS54m1h4wsAgI8g08E0vkskcsU2PmFQ9IK4
+            dUBsvf/0vC4Q5cabagZb/jmtOS3RPHnXk2uNePR3p2AN38qBNhvaLVn1QS0hOQNx
+            OReUKvaBGmb1Yi9lafxb0k0h7FQ7s8rNatvKvrbr7aeVHBKSWRX3Rjsy0/wl5Amd
+            pcubaFOolp4DGPIaT7l4cRE+ZoiPJ4RGWHHHW0zt1KD6PYSorgGnz4Want/1lEJK
+            18L2Jw0KuLzpYl9ndSMKeYBxQM7jmMbLWE+V9zElSXAvR/q+WS5vWt2Ua8ps1MxE
+            4FRupXidI0/VL2F3nX4xE+LhY6RtPFAUcaFHAsUa8H7Yd/kbpflD/t14u8cMvABA
+            TEwLZkKP/PUtLbYkzOts4p7lFvduVKjRPc2mO1os2Mbtw8LljPgMlncoJ0zbeZ4y
+            eZRbXEiYjCFlXN/rYgmkVMrAK/LzgXPYPG4CD2q/IQkWMVXvWuFLNegTs/oxiJMG
+            kO56ewlVvcVynjBxTnPAA2fOtK65FVw6WVAWCK5NdnWzVPwohdQ8wpZbzOymSyU9
+            Nu3Q04gI513quQhJxbf0SbUDodes02Vmoe4eMJfs3sIZgx2UCQfRdXkcifjfgnfS
+            XgFLEn0LsMfsPcni5E6/3ti2jYJqnDBP4C8fh3jt/pKkEqGjPhuaAMaMfXST9idH
+            p05AkFfPcj5kknVIVf9/gJoSSzqfzyPKHbebq/+yHcpxn4oJlFCKpMJw39PmQLU=
+            =FTkp
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0