diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..75c06e3
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,87 @@ +name: CI + +on: + push: + branches: [main] + +jobs: + get-x86_64-hosts: + runs-on: self-hosted-x86_64-linux + outputs: + matrix: ${{ steps.output-hosts.outputs.matrix }} + steps: + - name: repository checkout + uses: actions/checkout@v4 + - name: output-hosts + run: | + { + echo -n "matrix={\"include\":" + nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr ' + with import { }; + builtins.toJSON (lib.mapAttrsToList (n: v: n) + (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system) + (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))' + echo "}" + } > "$GITHUB_OUTPUT" + cat ${GITHUB_OUTPUT} + - name: verify-out + run: echo ${{ steps.output-hosts.outputs.matrix }} + + get-aarch64-hosts: + runs-on: self-hosted-aarch64-linux + outputs: + matrix: ${{ steps.output-hosts.outputs.matrix }} + steps: + - name: repository checkout + uses: actions/checkout@v4 + - name: output-hosts + run: | + { + echo -n "matrix={\"include\":" + nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr ' + with import { }; + builtins.toJSON (lib.mapAttrsToList (n: v: n) + (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system) + (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))' + echo "}" + } > "$GITHUB_OUTPUT" + cat ${GITHUB_OUTPUT} + - name: verify-out + run: echo ${{ steps.output-hosts.outputs.matrix }} + + verify_outputs: + runs-on: self-hosted-x86_64-linux + needs: [get-x86_64-hosts, get-aarch64-hosts] + steps: + - name: check x86_64 output + run: | + echo "${{ needs.get-x86_64-hosts.outputs.matrix }}" + - name: check aarch64 output + run: | + echo "${{ needs.get-aarch64-hosts.outputs.matrix }}" + + build-nixos-x86_64-linux: + runs-on: self-hosted-x86_64-linux + needs: [verify_outputs, get-x86_64-hosts] + strategy: + matrix: + host: ${{ fromJson(needs.get-x86_64-hosts.outputs.matrix) }} + steps: + - name: repository checkout + uses: 
actions/checkout@v4 + - name: build host configuration ${{ matrix.host }} + run: | + nixos-rebuild build --verbose --flake ".#${{ matrix.host }}" + + build-nixos-aarch64-linux: + runs-on: self-hosted-aarch64-linux + needs: [verify_outputs, get-aarch64-hosts] + strategy: + matrix: + host: ${{ fromJson(needs.get-aarch64-hosts.outputs.matrix) }} + steps: + - name: repository checkout + uses: actions/checkout@v4 + - name: build host configuration ${{ matrix.host }} + run: | + nixos-rebuild build --verbose --flake ".#${{ matrix.host }}" diff --git a/modules/ci-runners.nix b/modules/ci-runners.nix index 3293b9f..6cc4796 100644 --- a/modules/ci-runners.nix +++ b/modules/ci-runners.nix 
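Review bot: `run: echo ${{ steps.output-hosts.outputs.matrix }}` in both verify-out steps, the two `echo "${{ needs.*.outputs.matrix }}"` lines in verify_outputs, and `--flake ".#${{ matrix.host }}"` in both build jobs splice workflow expressions directly into the shell script, so a quote or metacharacter in a nixosConfigurations attribute name becomes shell syntax rather than data. The names come from this repository's own flake and the only trigger is `push` to `main`, so the exposure is limited to people who can already edit the workflow, but the robust form is to route the value through the environment: `env: { MATRIX: "${{ steps.output-hosts.outputs.matrix }}" }` with `run: echo "$MATRIX"`, and `env: { HOST: "${{ matrix.host }}" }` with `run: nixos-rebuild build --verbose --flake ".#$HOST"`. Separately, `host: ${{ fromJson(needs.get-x86_64-hosts.outputs.matrix) }}` receives the `{"include":[...]}` object that output-hosts wraps around the name list, while a matrix property is expected to be a plain list; either drop the `{"include":` / `}` wrapper in output-hosts or move the expression up to `matrix: ${{ fromJson(...) }}` — worth confirming against a real run, since the hunk's indentation was lost in rendering and I am reading the structure from the text. The two get-*-hosts jobs also carry byte-identical output-hosts scripts; one job matrixed over the runner label would keep them from drifting apart.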
@@ -3,47 +3,60 @@ let gitea-runner-directory = "/var/lib/gitea-runner"; meta = import ../meta.nix; + ci-packages = with pkgs; [ + bash + coreutils + curl + gawk + git-lfs + nixFlakes + gitFull + gnused + nodejs + wget + jq + nixos-rebuild + envsubst + ]; + ci-labels = [ + "nixos-${pkgs.system}:host" + "nixos:host" + "self-hosted-${pkgs.system}" + "self-hosted" + ]; in { age.secrets = { gitea-runner-token.file = ../secrets/gitea-runner-token-${config.networking.hostName}.age; + github-runner-token.file = + ../secrets/github-runner-token-${config.networking.hostName}.age; ci-secrets = { # for printer host sd images file = ../secrets/ci-secrets.age; mode = "444"; }; }; + services.github-runners."nix-${config.networking.hostName}" = { + enable = true; + extraLabels = ci-labels; + tokenFile = config.age.secrets.github-runner-token.path; + url = "https://github.com/arachnist/nibylandia"; + + extraPackages = ci-packages; + }; + services.gitea-actions-runner.instances.nix = { enable = true; name = config.networking.hostName; tokenFile = config.age.secrets.gitea-runner-token.path; - labels = [ - "nixos-${pkgs.system}:host" - "nixos:host" - "self-hosted-${pkgs.system}" - "self-hosted" - ]; + labels = ci-labels; url = "https://code.hackerspace.pl"; settings = { cache.enabled = true; host.workdir_parent = "${gitea-runner-directory}/action-cache-dir"; }; - hostPackages = with pkgs; [ - bash - coreutils - curl - gawk - git-lfs - nixFlakes - gitFull - gnused - nodejs - wget - jq - nixos-rebuild - envsubst - ]; + hostPackages = ci-packages; }; systemd.services.gitea-runner-nix.environment = { diff --git a/secrets/github-runner-token-scylla.age b/secrets/github-runner-token-scylla.age new file mode 100644 index 0000000..ee867d9 --- /dev/null +++ b/secrets/github-runner-token-scylla.age 
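Review bot: `services.github-runners."nix-${config.networking.hostName}"` registers this host at repository scope (`url = "https://github.com/arachnist/nibylandia"`) carrying the generic `self-hosted` label from `ci-labels`; if that repository is public, any workflow in it — including a `pull_request`-triggered one added later — can schedule jobs onto a machine that also runs the gitea runner and exposes `ci-secrets` with `mode = "444"`, i.e. readable by the runner's jobs. GitHub's guidance is to restrict self-hosted runners to private repositories or a runner group; at minimum consider `ephemeral = true;` (supported by the nixpkgs module) so each job runs on a freshly registered runner and leftover state should not carry over, and a label more specific than `self-hosted`. The new `github-runner-token.file` is consumed as `tokenFile`; the module accepts either a short-lived registration token or a PAT, and a registration token committed via agenix goes stale quickly, so a comment stating which kind is stored would help the next reader, e.g. `# fine-grained PAT scoped to the repo, not a registration token`. The hunk starts at line 3, so the module's argument header and its closing lines after `systemd.services.gitea-runner-nix.environment` are outside this view.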
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg x91UKTDL+BFy/c7hvrzvSZZeMx7z74hAAC4xL838Xgk +gPIhvfNBAH6U0YfV8uihqDBgMJ3NYcEUmeyUZw/w7KE +-> ssh-ed25519 grc4Uw YPSkqvjIGyTBcsW400MCUwAoGSsaBB1bp30K9BNkkiA ++o4ggXpugZYHxuaVK7vNbPTu5cIXFZjSTA9dkYTs53A +-> ssh-ed25519 CJl5MQ ledMNLcITvGMSiMlKDzlsL9/0xtbqko8QJ/PelSWqFo +e83se5K8qwBqXCjO2tPcDZGPQ9Tnq296f3r056YjraQ +--- 9rN7EL1kFrdya85sOy6NAgNKPC+ca85IdhOi1QUW5D4 +�;��,U���k$[N������ӗ.��o�㘢�� ���Ӝ8��,���>T��p����P�; \ No newline at end of file diff --git a/secrets/github-runner-token-zorigami.age b/secrets/github-runner-token-zorigami.age new file mode 100644 index 0000000..f296c24 --- /dev/null +++ b/secrets/github-runner-token-zorigami.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 kY4Rgg wXaqegoMDgK0MZ/QhwX7wIlHR4Y27IcPgeODG2Wubxk +xHJC1iR0/nTLcZeYHkGWCnMzCjOFxPhmfdAbe76B6Oo +-> ssh-ed25519 grc4Uw rKs94vbBfgXlKCv3qZBN8IPSxig5vWOOiJNqRC8yMkI +8AE1kp25a2Nzv+07p9n3/vuy6LY5fPjEcf+sLRvU/Bg +-> ssh-ed25519 DLT88w QP8cAQWsJJJSXUbnb/PJ9OGs5l4nifVyHQerDXcv0Bg +dqoBSDTc6XdmOoirOv8/2hDfrGKm1pHaTO1D3m89K+I +--- U/QEquparqU/juJuP85JQ9ttnBoypiYAtdCdsvWENZI +�ne����T��";�������� tމgS�.S_m5#`���!{��<��݌��`p \ No newline at end of file