feat: add github actions, fix configs? remove chen

.github/workflows/flake-update.yml

@@ -0,0 +1,107 @@
+env:
+  CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+  CI_ALLOW_ROOT: '1'
+  CI_CONFIG: ./ci/flake-cron.nix
+  CI_PLATFORM: gh-actions
+jobs:
+  ci-check:
+    name: flake-update check
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-action-build
+      name: nix build ci.gh-actions.configFile
+      uses: arcnmx/ci/actions/nix/build@v0.7
+      with:
+        attrs: ci.gh-actions.configFile
+        out-link: .ci/workflow.yml
+    - id: ci-action-compare
+      name: gh-actions compare
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        args: -u .github/workflows/flake-update.yml .ci/workflow.yml
+        attrs: nixpkgs.diffutils
+        command: diff
+  flake-update:
+    name: flake-update
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+        NF_CONFIG_ROOT: ${{ github.workspace }}
+        NF_UPDATE_CACHIX_PUSH: '1'
+        NF_UPDATE_GIT_COMMIT: '1'
+      id: flake-update
+      name: flake update build
+      run: nix run .#nf-update
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.flake-update.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.flake-update.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.flake-update.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.flake-update.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+name: flake-update
+'on':
+  pull_request:
+    paths:
+    - default.nix
+    - ci/flake-cron.nix
+    - .github/workflows/flake-update.yml
+  push:
+    paths:
+    - default.nix
+    - ci/flake-cron.nix
+    - .github/workflows/flake-update.yml
+  schedule:
+  - cron: 0 0 * * *
+  workflow_dispatch: {}

.github/workflows/nodes.yml

@@ -0,0 +1,340 @@
+env:
+  CI_ALLOW_ROOT: '1'
+  CI_CONFIG: ./ci/nodes.nix
+  CI_PLATFORM: gh-actions
+jobs:
+  ci-check:
+    name: nodes check
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-action-build
+      name: nix build ci.gh-actions.configFile
+      uses: arcnmx/ci/actions/nix/build@v0.7
+      with:
+        attrs: ci.gh-actions.configFile
+        out-link: .ci/workflow.yml
+    - id: ci-action-compare
+      name: gh-actions compare
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        args: -u .github/workflows/nodes.yml .ci/workflow.yml
+        attrs: nixpkgs.diffutils
+        command: diff
+  goliath:
+    name: nodes-goliath
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.goliath.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.goliath.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.goliath.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.goliath.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  koishi:
+    name: nodes-koishi
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.koishi.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.koishi.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.koishi.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.koishi.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  mai:
+    name: nodes-mai
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mai.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mai.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mai.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mai.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  mei:
+    name: nodes-mei
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mei.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mei.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mei.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.mei.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  packages:
+    name: nodes-packages
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.packages.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  yukari:
+    name: nodes-yukari
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.yukari.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.yukari.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.yukari.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.yukari.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+name: nodes
+'on':
+- push
+- pull_request

ci/nodes.nix

@@ -11,7 +11,7 @@ with lib; {
     name = "nodes";
 
     jobs = let
-      enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
+      enabledSystems = filterAttrs (_: system: system.config.nixpkgs.system == "x86_64-linux") channels.nixfiles.nixosConfigurations;
       mkSystemJob = name: system: nameValuePair "${name}" {
         tasks.system = {
           inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;

systems/chen.nix

@@ -1,147 +0,0 @@
-_: let
-  hostConfig = {
-    lib,
-    tree,
-    inputs,
-    ...
-  }: let
-    inherit (lib.modules) mkForce;
-  in {
-    imports = with tree; [
-      inputs.wsl.nixosModules.wsl
-      kat.gui
-      nixos.gui.fonts
-      nixos.gui.gpg
-    ];
-
-    programs.dconf.enable = true;
-
-    networking.firewall.enable = mkForce false;
-
-    boot.kernel.sysctl = mkForce {};
-
-    systemd.services = {
-      systemd-sysctl.enable = false;
-    };
-
-    fileSystems = {
-      "/" = {
-        device = "/dev/sdc";
-        fsType = "ext4";
-      };
-      "/usr/lib/wsl/drivers" = {
-        device = "drivers";
-        fsType = "9p";
-      };
-      "/usr/lib/wsl/lib" = {
-        device = "none";
-        fsType = "overlay";
-      };
-      "/mnt/wsl" = {
-        device = "none";
-        fsType = "tmpfs";
-      };
-      "/mnt/wslg" = {
-        device = "none";
-        fsType = "tmpfs";
-      };
-      "/mnt/wslg/doc" = {
-        device = "none";
-        fsType = "overlay";
-      };
-      "/mnt/c" = {
-        device = "drvfs";
-        fsType = "9p";
-      };
-    };
-
-    swapDevices = [
-      {device = "/dev/sdb";}
-    ];
-
-    wsl = {
-      enable = true;
-      defaultUser = "kat";
-      startMenuLaunchers = true;
-      nativeSystemd = true;
-      wslConf.automount.root = "/mnt";
-    };
-
-    boot.isContainer = true;
-
-    services.openssh.enable = true;
-
-    home-manager.users.kat = {
-      services.gpg-agent.enable = false;
-      programs.git.signing.gpgPath = "/mnt/c/Program Files (x86)/GnuPG/bin/gpg.exe";
-      programs.zsh.profileExtra = ''
-        if [[ -n "$XDG_SESSION_ID" && "$TERM" == "dumb" &&
-            "$(ps -p $PPID -o comm=)" == "login" ]]; then
-            # Running in the background login process. Do nothing.
-            return
-        fi
-        gpg-connect-agent killagent /bye &> /dev/null
-        WIN_USER="kat"
-        SSH_DIR="''${HOME}/.ssh" #
-        mkdir -p "''${SSH_DIR}"
-        wsl2_ssh_pageant_bin="''${SSH_DIR}/wsl2-ssh-pageant.exe"
-        ln -sf "/mnt/c/Users/''${WIN_USER}/.ssh/wsl2-ssh-pageant.exe" "''${wsl2_ssh_pageant_bin}"
-
-        listen_socket() {
-          sock_path="$1" && shift
-          fork_args="''${sock_path},fork"
-          exec_args="''${wsl2_ssh_pageant_bin} $@"
-
-          if ! ps x | grep -v grep | grep -q "''${fork_args}"; then
-            rm -f "''${sock_path}"
-            (setsid nohup socat "UNIX-LISTEN:''${fork_args}" "EXEC:''${exec_args}" &>/dev/null &)
-          fi
-        }
-
-        # SSH
-        export SSH_AUTH_SOCK="''${SSH_DIR}/agent.sock"
-        listen_socket "''${SSH_AUTH_SOCK}"
-
-        # GPG
-        export GPG_AGENT_SOCK="''$(gpgconf --list-dirs socketdir)/S.gpg-agent"
-
-        if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
-          echo "1"
-          rm -rf "$GPG_AGENT_SOCK"
-          if test -x "$wsl2_ssh_pageant_bin"; then
-            (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin -gpg S.gpg-agent" >/dev/null 2>&1 &)
-          else
-            echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
-          fi
-        fi
-        export GPG_AGENT_SOCK="/home/kat/.gnupg/S.gpg-agent"
-
-        if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
-          echo "1"
-          rm -rf "$GPG_AGENT_SOCK"
-          if test -x "$wsl2_ssh_pageant_bin"; then
-            (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin -gpg S.gpg-agent" >/dev/null 2>&1 &)
-          else
-            echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
-          fi
-        fi
-          unset wsl2_ssh_pageant_bin
-      '';
-    };
-
-    programs.gnupg.agent.pinentryFlavor = mkForce "curses";
-
-    networking = {
-      hostId = "dddbb888";
-      useDHCP = false;
-    };
-
-    system.stateVersion = "22.05";
-  };
-in {
-  arch = "x86_64";
-  type = "NixOS";
-  modules = [
-    hostConfig
-  ];
-}

systems/goliath.nix

@@ -34,10 +34,7 @@ _: let
   in {
     imports =
       (with tree.nixos.hardware; [
-        amd_cpu
-        amd_gpu
         b550m-itx-ac
-        uefi
       ])
       ++ (with tree.nixos.profiles; [
         graphical