Update build process ci and docs

2025-03-25 15:04:59 +02:00 · 2025-03-25 15:04:59 +02:00 · 172e4c37a3
commit 172e4c37a3
parent cad4f35ee9
5 changed files with 57 additions and 88 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,8 +1,12 @@
 name: CI
 on:
  push:
+defaults:
+  run:
+    shell: nix develop --command bash -c "{0}"
 env:
-  ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
+  CACHE_NAME: qois
+  CACHE_REPOSITORY: qois:qois-infrastructure
 jobs:
  build:
    runs-on: nix
@ -12,20 +16,20 @@ jobs:
        with:
          token: ${{ secrets.CI_TOKEN }}
          lfs: false
-      - name: Use attic cache
-        run: nix run .#cache use
-      - name: Build
+      - name: Setup Attic Cache
+        env:
+          SERVER: https://attic.qo.is/
+          ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
        run: |
-          nix build --max-jobs 12 --cores 12
-          nix run .#cache push
-      - name: Run Checks
-        run: nix flake check
+          attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
+          attic use "$CACHE_REPOSITORY"
+      - name: Run Builds and Checks
+        run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
      - name: Deploy Docs
        if: success() && github.ref == 'refs/heads/main'
        run: |
          mkdir ~/.ssh/
          echo -e "Host lindberg-webapps.backplane.net.qo.is\n    StrictHostKeyChecking no" >> ~/.ssh/config
          (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
-          # Remote build might be neccessary due to non-wheel nix users signing restrictions.
-          # However, the build should come from the cache anyway.
-          nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+          deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+          # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
--- a/README.md
+++ b/README.md
@ -11,61 +11,60 @@ Check out the current [rendered documentation](https://docs-ops.qo.is).
 `nixos-modules`: Custom modules (e.g. for vpn and routers)\
 `private`: Private configuration values (like users, sops-encrypted secrets and keys)

-## Building
+## Development

 This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)

- `nix build`\
-  Build all host configurations and docs
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
-  Build a single host configuration with
- `nix build .#docs`\
-  Build the documentation website
+- `nix flake check`\
+  Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md).

-## Development
+- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
+  Build a single host configuration.
+
+- `nix build .#docs`\
+  Build the documentation website.

 - `nix develop`\
  Development environment
- `nix flake check`\
-  Execute the project's checks
+
 - `nix fmt`\
  Autofix formatting

-### Working with the private submodule
+### Secrets and `private` Submodule

-To clone with submodules (if you have access):
+Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\
+Make sure you have the submodule correctly available. To clone with submodules (if you have access):

 ```bash
 git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
+# See below for how to commit changes.
 ```

-On changes:
-
-```bash
-git add private
-nix flake lock --update-input private
-```
-
-## Deployment
-
-`nix run .#deploy-qois`
-
-See [Deployment](deploy/README.md) for details.
-
-## Secrets
-
-Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
-
 Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
 `private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
 `private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).

-Usage:
+To modify secrets:

 ```bash
 sops $file # To edit a file
 sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
 ```

-After changing secrets, don't forget to push the sub-repository and run
-`nix flake update private` in the infrastructure repository to use the changes in builds.
+After changing secrets:
+
+```bash
+# Commit changes in subrepo
+pushd private
+  git commit
+  git push
+  nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
+popd
+
+git add private
+nix flake lock --update-input private
+```
+
+## Deployment
+
+See [Deployment](deploy/README.md) for details.
--- a/checks/README.md
+++ b/checks/README.md
@ -1,5 +1,13 @@
 # Tests

+`nix flake check` currently:
+
+- builds all nixos-configurations
+- builds all packages
+- runs all [nixos-module tests](#module-tests)
+- checks all deployment configurations
+- checks repository formatting.
+
 ## Module Tests

 We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
--- a/dev-shells/default.nix
+++ b/dev-shells/default.nix
@ -29,7 +29,6 @@ in
      pre-commit-check.enabledPackages
      ++ [ vscodium-with-extensions ]
      ++ (with self.packages.${system}; [
-        cache
        deploy-qois
        sops
        sops-rekey
@ -37,14 +36,15 @@ in
      ++ (with pkgs; [
        attic-client
        deploy-rs
+        jq
+        nix-fast-build
        nixVersions.git
        nixd
        nixfmt-rfc-style
        nixos-anywhere
-        ssh-to-age
        pssh
+        ssh-to-age
        yq
-        jq
      ]);
    LANG = "C.UTF-8";
    LC_ALL = "C.UTF-8";
--- a/packages/cache/default.nix
+++ b/packages/cache/default.nix
@ -1,42 +0,0 @@
-{
-  attic-client,
-  findutils,
-  gnugrep,
-  writeShellApplication,
-  ...
-}:
-writeShellApplication {
-  name = "cache";
-  meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
-  runtimeInputs = [
-    attic-client
-    findutils
-    gnugrep
-  ];
-  text = ''
-    SERVER="https://attic.qo.is/"
-    CACHE_NAME="qois"
-    CACHE_REPO="$CACHE_NAME:qois-infrastructure"
-    if [ -z "$ATTIC_AUTH_TOKEN" ]; then
-      echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
-      exit 3
-    fi
-    attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
-
-    case "$1" in
-      use)
-        attic use "$CACHE_REPO"
-      ;;
-      watch)
-        attic watch-store "$CACHE_REPO"
-      ;;
-      push)
-        RESULT_PATH="./result"
-        # Add build dependencies as well
-        nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)"   | grep -v '\.drv$' \
-          | xargs attic push "$CACHE_REPO" "$RESULT_PATH"
-      ;;
-
-    esac
-  '';
-}