ci: add basic nix and cachix support (#15)

2020-04-07 13:31:11 +00:00 · 2020-04-07 13:31:11 +00:00 · 53e2bc01d4
commit 53e2bc01d4
parent cc67646556
7 changed files with 86 additions and 23 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -0,0 +1,15 @@
+name: "Nix"
+on:
+  push:
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: cachix/install-nix-action@v8
+    - uses: cachix/cachix-action@v5
+      with:
+        name: nix-community
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        # Only needed for private caches
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
--- a/default.nix
+++ b/default.nix
@ -0,0 +1,14 @@
+# Add derivations to be built from the cache to this file
+{ system ? builtins.currentSystem }:
+let
+  pkgs = import ./nix { inherit system; };
+
+  importNixOS = configuration: system:
+    (import "${toString pkgs.path}/nixos") {
+      inherit configuration system;
+    };
+in
+  pkgs.nix-community-infra // rec {
+    build01 = importNixOS ./build01/configuration.nix "x86_64-linux";
+    build01-system = build01.system;
+  }
--- a/11
+++ b/11
@ -2,10 +2,17 @@
 #! nix-shell ./shell.nix -i bash
 set -euo pipefail

+options=(
+  --option extra-substituters "https://nix-community.cachix.org"
+  --option binary-cache-public-keys "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+)
+
 mkdir -p state

 if [ $(nixops list --state "$NIXOPS_STATE" | grep -c "$NIXOPS_DEPLOYMENT") -eq 0 ]; then
-  nixops create ./deployment.nix --deployment "$NIXOPS_DEPLOYMENT" --state "$NIXOPS_STATE"
+  nixops create ./deployment.nix \
+    "${options[@]}" \
+    --deployment "$NIXOPS_DEPLOYMENT" --state "$NIXOPS_STATE"
 fi

-nixops deploy "$@"
+nixops deploy "${options[@]}" "$@"
--- a/nix/default.nix
+++ b/nix/default.nix
@ -0,0 +1,11 @@
+{ system ? builtins.currentSystem }:
+let
+  sources = import ./sources.nix;
+
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = {};
+    overlays = [ (import ./overlay.nix) ];
+  };
+in
+  pkgs
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -0,0 +1,21 @@
+let
+  nix-community-infra = pkgs: {
+    inherit (pkgs)
+      git-crypt
+      niv
+      nixops
+      ;
+
+    terraform = pkgs.terraform.withPlugins (
+      p: [
+        p.cloudflare
+      ]
+    );
+  };
+
+  overlay = self: super: {
+    sources = import ./sources.nix;
+    nix-community-infra = nix-community-infra super;
+  };
+in
+  overlay
--- a/profiles/common.nix
+++ b/profiles/common.nix
@ -19,10 +19,16 @@
  # Entropy gathering daemon
  services.haveged.enable = true;

-  nix = let
-    asGB = size: toString (size * 1024 * 1024);
-  in
+  nix =
+    let asGB = size: toString (size * 1024 * 1024); in
    {
+      binaryCachePublicKeys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      binaryCaches = [
+        "https://nix-community.cachix.org"
+      ];
+
      extraOptions = ''
        # auto-free the /nix/store
        min-free = ${asGB 10}
--- a/shell.nix
+++ b/shell.nix
@ -1,11 +1,6 @@
+{ system ? builtins.currentSystem }:
 let
-  sources = import ./nix/sources.nix;
-
-  pkgs = import sources.nixpkgs {
-    config = {};
-    overlays = [];
-  };
-
+  pkgs = import ./nix { inherit system; };
 in
 pkgs.mkShell {

@ -14,17 +9,11 @@ pkgs.mkShell {
  NIXOPS_DEPLOYMENT = "nix-community-infra";
  NIXOPS_STATE = toString ./state/deployment-state.nixops;

-  buildInputs = [
-    pkgs.git-crypt
-    pkgs.niv
-    pkgs.nixops
-    (
-      pkgs.terraform.withPlugins (
-        p: [
-          p.cloudflare
-        ]
-      )
-    )
+  buildInputs = with pkgs.nix-community-infra; [
+    git-crypt
+    niv
+    nixops
+    terraform
  ];

  # terraform cloud without the remote execution part