diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..2a3e781
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,72 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ get-x86_64-hosts:
+ runs-on: self-hosted-x86_64-linux
+ outputs:
+ matrix: ${{ steps.hosts_out.outputs.matrix }}
+ steps:
+ - name: repository checkout
+ uses: actions/checkout@v4
+ - id: hosts_out
+ name: set hosts var
+ run: |
+ {
+ echo -n "matrix="
+ nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+ with import { };
+ builtins.toJSON (lib.mapAttrsToList (n: v: n)
+ (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+ (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))'
+ echo ""
+ } >> "$GITHUB_OUTPUT"
+
+ get-aarch64-hosts:
+ runs-on: self-hosted-aarch64-linux
+ outputs:
+ matrix: ${{ steps.hosts.outputs.matrix }}
+ steps:
+ - name: repository checkout
+ uses: actions/checkout@v4
+ - name: hosts
+ run: |
+ {
+ echo -n "matrix="
+ nix eval -I nixpkgs=$(nix flake metadata nixpkgs --json | jq -r .path) --raw --impure --expr '
+ with import { };
+ builtins.toJSON (lib.mapAttrsToList (n: v: n)
+ (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+ (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))'
+ } >> "$GITHUB_OUTPUT"
+
+ build-nixos-x86_64-linux:
+ runs-on: self-hosted-x86_64-linux
+ needs: [get-x86_64-hosts]
+ strategy:
+ fail-fast: false
+ matrix:
+ host: ${{ fromJson(needs.get-x86_64-hosts.outputs.matrix) }}
+ steps:
+ - name: repository checkout
+ uses: actions/checkout@v4
+ - name: build host configuration ${{ matrix.host }}
+ run: nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"
+
+ build-nixos-aarch64-linux:
+ runs-on: self-hosted-aarch64-linux
+ needs: [get-aarch64-hosts]
+ strategy:
+ fail-fast: false
+ matrix:
+ host: ${{ fromJson(needs.get-aarch64-hosts.outputs.matrix) }}
+ steps:
+ - name: repository checkout
+ uses: actions/checkout@v4
+ - name: build host configuration ${{ matrix.host }}
+ run: nixos-rebuild build --verbose --flake ".#${{ matrix.host }}"
+
+
diff --git a/modules/ci-runners.nix b/modules/ci-runners.nix
index 3293b9f..6cc4796 100644
--- a/modules/ci-runners.nix
+++ b/modules/ci-runners.nix
@@ -3,47 +3,60 @@ let
 gitea-runner-directory = "/var/lib/gitea-runner";
 meta = import ../meta.nix;
+ ci-packages = with pkgs; [
+ bash
+ coreutils
+ curl
+ gawk
+ git-lfs
+ nixFlakes
+ gitFull
+ gnused
+ nodejs
+ wget
+ jq
+ nixos-rebuild
+ envsubst
+ ];
+ ci-labels = [
+ "nixos-${pkgs.system}:host"
+ "nixos:host"
+ "self-hosted-${pkgs.system}"
+ "self-hosted"
+ ];
 in {
 age.secrets = {
 gitea-runner-token.file = ../secrets/gitea-runner-token-${config.networking.hostName}.age;
+ github-runner-token.file =
+ ../secrets/github-runner-token-${config.networking.hostName}.age;
 ci-secrets = { # for printer host sd images
 file = ../secrets/ci-secrets.age;
 mode = "444";
 };
 };
+ services.github-runners."nix-${config.networking.hostName}" = {
+ enable = true;
+ extraLabels = ci-labels;
+ tokenFile = config.age.secrets.github-runner-token.path;
+ url = "https://github.com/arachnist/nibylandia";
+
+ extraPackages = ci-packages;
+ };
+
 services.gitea-actions-runner.instances.nix = {
 enable = true;
 name = config.networking.hostName;
 tokenFile = config.age.secrets.gitea-runner-token.path;
- labels = [
- "nixos-${pkgs.system}:host"
- "nixos:host"
- "self-hosted-${pkgs.system}"
- "self-hosted"
- ];
+ labels = ci-labels;
 url = "https://code.hackerspace.pl";
 settings = {
 cache.enabled = true;
 host.workdir_parent = "${gitea-runner-directory}/action-cache-dir";
 };
- hostPackages = with pkgs; [
- bash
- coreutils
- curl
- gawk
- git-lfs
- nixFlakes
- gitFull
- gnused
- nodejs
- wget
- jq
- nixos-rebuild
- envsubst
- ];
+ hostPackages = ci-packages;
 };
 systemd.services.gitea-runner-nix.environment = {
diff --git a/secrets.nix b/secrets.nix
index 053988e..d196e0e 100644
--- a/secrets.nix
+++ b/secrets.nix
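Review bot: In get-aarch64-hosts the job output reads `${{ steps.hosts.outputs.matrix }}`, but the producing step is declared only as `- name: hosts` with no `id:`, so `steps.hosts` never resolves, the output is empty and `fromJson` in build-nixos-aarch64-linux fails; the x86_64 job gets this right with `id: hosts_out`, so add `id: hosts` to the aarch64 step (or reference `steps.hosts_out` and give the step that id). The same job also drops the trailing `echo ""`, so the `matrix=` line that `nix eval --raw` writes to $GITHUB_OUTPUT ends without a newline, unlike its x86_64 twin. Both discovery jobs resolve nixpkgs through the runner's flake registry (`nix flake metadata nixpkgs`) rather than the repository's lock file, which is worth a comment since evaluation results can then differ between hosts. The workflow evaluates and builds the pushed flake with `--impure` on self-hosted runners and relies on the `push`-to-main trigger to keep untrusted pull-request code off those hosts; a comment stating that intent at the top of the file, e.g. `# push-only on purpose: runs on self-hosted hosts, do not add pull_request`, protects the constraint. `actions/checkout@v4` is a mutable tag; pinning the full commit SHA is the usual supply-chain hardening for actions that run on self-hosted infrastructure.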
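Review bot: The new `services.github-runners."nix-${config.networking.hostName}"` block registers a persistent, repository-scoped runner on the same hosts that hold the Gitea runner token and the world-readable `ci-secrets` file, and it does not set `ephemeral`, so a single runner serves every job of the repository in turn and workflow-controlled state can persist between jobs. For a self-hosted runner on a public repository the `ephemeral = true;` option of the nixpkgs github-runner module (fresh registration per job, as far as I recall the module) is the recommended setting, and the repository's fork pull-request approval policy should be confirmed, because the generic `self-hosted` label carried over in `ci-labels` makes these hosts selectable by any workflow in the repository. The value behind `tokenFile` comes from the new `github-runner-token-*.age` secrets; if that file holds a personal access token rather than a short-lived registration token, say so in a comment next to `tokenFile` and keep the token's scope to this one repository. Consolidating `ci-packages` and `ci-labels` for both runners is a good change; a one-line comment on each `let` binding naming its two consumers would help the next reader understand why a label change affects both CI systems.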
@@ -84,6 +84,10 @@ in {
 ++ [ meta.hosts.zorigami.publicKey ];
 "secrets/gitea-runner-token-scylla.age".publicKeys = meta.users.ar
 ++ [ meta.hosts.scylla.publicKey ];
+ "secrets/github-runner-token-zorigami.age".publicKeys = meta.users.ar
+ ++ [ meta.hosts.zorigami.publicKey ];
+ "secrets/github-runner-token-scylla.age".publicKeys = meta.users.ar
+ ++ [ meta.hosts.scylla.publicKey ];
 "secrets/ci-secrets.age".publicKeys = meta.users.ar ++ (with meta.hosts; [ scylla.publicKey zorigami.publicKey
diff --git a/secrets/github-runner-token-scylla.age b/secrets/github-runner-token-scylla.age
new file mode 100644
index 0000000..ee867d9
--- /dev/null
+++ b/secrets/github-runner-token-scylla.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg x91UKTDL+BFy/c7hvrzvSZZeMx7z74hAAC4xL838Xgk
+gPIhvfNBAH6U0YfV8uihqDBgMJ3NYcEUmeyUZw/w7KE
+-> ssh-ed25519 grc4Uw YPSkqvjIGyTBcsW400MCUwAoGSsaBB1bp30K9BNkkiA
++o4ggXpugZYHxuaVK7vNbPTu5cIXFZjSTA9dkYTs53A
+-> ssh-ed25519 CJl5MQ ledMNLcITvGMSiMlKDzlsL9/0xtbqko8QJ/PelSWqFo
+e83se5K8qwBqXCjO2tPcDZGPQ9Tnq296f3r056YjraQ
+--- 9rN7EL1kFrdya85sOy6NAgNKPC+ca85IdhOi1QUW5D4
+;,Uk$[Nӗ.o㘢 Ӝ8,>TpP;
\ No newline at end of file
diff --git a/secrets/github-runner-token-zorigami.age b/secrets/github-runner-token-zorigami.age
new file mode 100644
index 0000000..f296c24
--- /dev/null
+++ b/secrets/github-runner-token-zorigami.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg wXaqegoMDgK0MZ/QhwX7wIlHR4Y27IcPgeODG2Wubxk
+xHJC1iR0/nTLcZeYHkGWCnMzCjOFxPhmfdAbe76B6Oo
+-> ssh-ed25519 grc4Uw rKs94vbBfgXlKCv3qZBN8IPSxig5vWOOiJNqRC8yMkI
+8AE1kp25a2Nzv+07p9n3/vuy6LY5fPjEcf+sLRvU/Bg
+-> ssh-ed25519 DLT88w QP8cAQWsJJJSXUbnb/PJ9OGs5l4nifVyHQerDXcv0Bg
+dqoBSDTc6XdmOoirOv8/2hDfrGKm1pHaTO1D3m89K+I
+--- U/QEquparqU/juJuP85JQ9ttnBoypiYAtdCdsvWENZI
+neT"; tމgS.S_m5#`!{<݌`p
\ No newline at end of file