ci: re-introduce github actions

.github/workflows/ci.yml

@@ -0,0 +1,87 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  get-x86_64-hosts:
+    runs-on: self-hosted-x86_64-linux
+    outputs:
+      matrix: ${{ steps.output-hosts.outputs.matrix }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: output-hosts
+        run: |
+          {
+            echo -n "matrix={\"include\":"
+            nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+              with import <nixpkgs> { };
+              builtins.toJSON (lib.mapAttrsToList (n: v: n)
+                (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+                  (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))'
+            echo "}"
+          }  > "$GITHUB_OUTPUT"
+          cat ${GITHUB_OUTPUT}
+      - name: verify-out
+        run: echo ${{ steps.output-hosts.outputs.matrix }}
+
+  get-aarch64-hosts:
+    runs-on: self-hosted-aarch64-linux
+    outputs:
+      matrix: ${{ steps.output-hosts.outputs.matrix }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: output-hosts
+        run: |
+          {
+            echo -n "matrix={\"include\":"
+            nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+              with import <nixpkgs> { };
+              builtins.toJSON (lib.mapAttrsToList (n: v: n)
+                (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+                  (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))'
+            echo "}"
+          }  > "$GITHUB_OUTPUT"
+          cat ${GITHUB_OUTPUT}
+      - name: verify-out
+        run: echo ${{ steps.output-hosts.outputs.matrix }}
+
+  verify_outputs:
+    runs-on: self-hosted-x86_64-linux
+    needs: [get-x86_64-hosts, get-aarch64-hosts]
+    steps:
+      - name: check x86_64 output
+        run: |
+          echo "${{ needs.get-x86_64-hosts.outputs.matrix }}"
+      - name: check aarch64 output
+        run: |
+          echo "${{ needs.get-aarch64-hosts.outputs.matrix }}"
+
+  build-nixos-x86_64-linux:
+    runs-on: self-hosted-x86_64-linux
+    needs: [verify_outputs, get-x86_64-hosts]
+    strategy:
+      matrix:
+        host: ${{ fromJson(needs.get-x86_64-hosts.outputs.matrix) }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build host configuration ${{ matrix.host }}
+        run: |
+          nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"
+
+  build-nixos-aarch64-linux:
+    runs-on: self-hosted-aarch64-linux
+    needs: [verify_outputs, get-aarch64-hosts]
+    strategy:
+      matrix:
+        host: ${{ fromJson(needs.get-aarch64-hosts.outputs.matrix) }}
+    steps:
+      - name: repository checkout
+        uses: actions/checkout@v4
+      - name: build host configuration ${{ matrix.host }}
+        run: |
+          nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"

modules/ci-runners.nix

@@ -3,47 +3,60 @@
 let
   gitea-runner-directory = "/var/lib/gitea-runner";
   meta = import ../meta.nix;
+  ci-packages = with pkgs; [
+    bash
+    coreutils
+    curl
+    gawk
+    git-lfs
+    nixFlakes
+    gitFull
+    gnused
+    nodejs
+    wget
+    jq
+    nixos-rebuild
+    envsubst
+  ];
+  ci-labels = [
+    "nixos-${pkgs.system}:host"
+    "nixos:host"
+    "self-hosted-${pkgs.system}"
+    "self-hosted"
+  ];
 in {
   age.secrets = {
     gitea-runner-token.file =
       ../secrets/gitea-runner-token-${config.networking.hostName}.age;
+    github-runner-token.file =
+      ../secrets/github-runner-token-${config.networking.hostName}.age;
     ci-secrets = { # for printer host sd images
       file = ../secrets/ci-secrets.age;
       mode = "444";
     };
   };
 
+  services.github-runners."nix-${config.networking.hostName}" = {
+    enable = true;
+    extraLabels = ci-labels;
+    tokenFile = config.age.secrets.github-runner-token.path;
+    url = "https://github.com/arachnist/nibylandia";
+
+    extraPackages = ci-packages;
+  };
+
   services.gitea-actions-runner.instances.nix = {
     enable = true;
     name = config.networking.hostName;
     tokenFile = config.age.secrets.gitea-runner-token.path;
-    labels = [
-      "nixos-${pkgs.system}:host"
-      "nixos:host"
-      "self-hosted-${pkgs.system}"
-      "self-hosted"
-    ];
+    labels = ci-labels;
     url = "https://code.hackerspace.pl";
     settings = {
       cache.enabled = true;
       host.workdir_parent = "${gitea-runner-directory}/action-cache-dir";
     };
 
-    hostPackages = with pkgs; [
-      bash
-      coreutils
-      curl
-      gawk
-      git-lfs
-      nixFlakes
-      gitFull
-      gnused
-      nodejs
-      wget
-      jq
-      nixos-rebuild
-      envsubst
-    ];
+    hostPackages = ci-packages;
   };
 
   systemd.services.gitea-runner-nix.environment = {

secrets/github-runner-token-scylla.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg x91UKTDL+BFy/c7hvrzvSZZeMx7z74hAAC4xL838Xgk
+gPIhvfNBAH6U0YfV8uihqDBgMJ3NYcEUmeyUZw/w7KE
+-> ssh-ed25519 grc4Uw YPSkqvjIGyTBcsW400MCUwAoGSsaBB1bp30K9BNkkiA
++o4ggXpugZYHxuaVK7vNbPTu5cIXFZjSTA9dkYTs53A
+-> ssh-ed25519 CJl5MQ ledMNLcITvGMSiMlKDzlsL9/0xtbqko8QJ/PelSWqFo
+e83se5K8qwBqXCjO2tPcDZGPQ9Tnq296f3r056YjraQ
+--- 9rN7EL1kFrdya85sOy6NAgNKPC+ca85IdhOi1QUW5D4
+�;��,U���k$[N������ӗ.��o�㘢�����Ӝ8��,���>
T��p����P�;

secrets/github-runner-token-zorigami.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg wXaqegoMDgK0MZ/QhwX7wIlHR4Y27IcPgeODG2Wubxk
+xHJC1iR0/nTLcZeYHkGWCnMzCjOFxPhmfdAbe76B6Oo
+-> ssh-ed25519 grc4Uw rKs94vbBfgXlKCv3qZBN8IPSxig5vWOOiJNqRC8yMkI
+8AE1kp25a2Nzv+07p9n3/vuy6LY5fPjEcf+sLRvU/Bg
+-> ssh-ed25519 DLT88w QP8cAQWsJJJSXUbnb/PJ9OGs5l4nifVyHQerDXcv0Bg
+dqoBSDTc6XdmOoirOv8/2hDfrGKm1pHaTO1D3m89K+I
+--- U/QEquparqU/juJuP85JQ9ttnBoypiYAtdCdsvWENZI
+�ne����T��";��������tމgS�.S_m5#`���!{��<��݌��`p