gitea nixos cicd

.github/workflows/weekly-build-cache.yml

@@ -0,0 +1,100 @@
+name: Weekly NixOS Build & Cache
+
+on:
+  schedule:
+    # Run every Sunday at 2 AM UTC
+    - cron: '0 2 * * 0'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  build-and-cache:
+    runs-on: nixos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git for automated commits
+        run: |
+          git config user.name "NixOS Builder Bot"
+          git config user.email "noreply@servidos.lat"
+
+      - name: Update flake inputs
+        run: |
+          nix flake update
+          
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if git diff --quiet flake.lock; then
+            echo "changes=false" >> $GITHUB_OUTPUT
+            echo "No changes in flake.lock"
+          else
+            echo "changes=true" >> $GITHUB_OUTPUT
+            echo "Changes detected in flake.lock"
+          fi
+
+      - name: Configure Attic cache
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          # Configure attic client to use your cache server
+          attic login jawz-cache https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}
+          
+      - name: Build workstation configuration
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          echo "Building workstation configuration..."
+          nix build .#nixosConfigurations.workstation.config.system.build.toplevel --print-build-logs
+          
+      - name: Build miniserver configuration  
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          echo "Building miniserver configuration..."
+          nix build .#nixosConfigurations.miniserver.config.system.build.toplevel --print-build-logs
+          
+      - name: Build server configuration
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          echo "Building server configuration..."
+          nix build .#nixosConfigurations.server.config.system.build.toplevel --print-build-logs
+
+      - name: Push to cache
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          echo "Pushing builds to cache..."
+          # Push all built derivations to cache
+          if ls result* 1> /dev/null 2>&1; then
+            attic push jawz-cache result*
+          fi
+          
+          # Push the specific system derivations we just built
+          nix build .#nixosConfigurations.workstation.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin
+          nix build .#nixosConfigurations.miniserver.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin  
+          nix build .#nixosConfigurations.server.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin
+          
+      - name: Commit updated flake.lock
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          git add flake.lock
+          git commit -m "Weekly flake update: $(date -u '+%Y-%m-%d %H:%M UTC')"
+          git push origin main
+          
+      - name: Create release tag
+        if: steps.check_changes.outputs.changes == 'true'
+        run: |
+          TAG_NAME="weekly-$(date -u '+%Y-%m-%d')"
+          git tag -a "$TAG_NAME" -m "Weekly build and cache update for $(date -u '+%Y-%m-%d')"
+          git push origin "$TAG_NAME"
+          
+      - name: Summary
+        run: |
+          if [[ "${{ steps.check_changes.outputs.changes }}" == "true" ]]; then
+            echo "✅ Weekly build completed successfully!"
+            echo "- Updated flake.lock"
+            echo "- Built all NixOS configurations"  
+            echo "- Pushed builds to Atticd cache"
+            echo "- Committed changes and created release tag"
+          else
+            echo "ℹ️ No updates needed - flake.lock is already up to date"
+          fi 

config/base.nix

@@ -94,6 +94,7 @@
         "pipe-operators"
       ];
       substituters = [
+        config.my.servers.atticd.url
         "https://nix-gaming.cachix.org"
         "https://nixpkgs-python.cachix.org"
         "https://devenv.cachix.org"
@@ -103,6 +104,8 @@
         "https://cosmic.cachix.org"
       ];
       trusted-public-keys = [
+        # TODO: Replace with actual atticd public key after setup
+        # "cache.servidos.lat:YOUR_ATTICD_PUBLIC_KEY_HERE"
         "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
         "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
         "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="

hosts/server/toggles.nix

@@ -26,7 +26,6 @@ in
   services = enableList mkEnabled [
     "network"
     "nvidia"
-    # "wireguard"
   ];
   dev = enableList mkEnabled [
     "nix"
@@ -46,7 +45,6 @@ in
     "ffmpeg4discord"
     "manage-library"
     "library-report"
-    # "update-dns" #vps
     "stream-dl"
     "pika-list"
     "find-dup-episodes"
@@ -84,6 +82,7 @@ in
     "gitea"
     "mealie"
     "metube"
+    "atticd"
   ]
   // enableList mkEnabledIp [
     "audiobookshelf"

modules/servers/gitea-actions-runners/nixos-builder.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.servers.gitea;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.gitea-actions-runner.instances.nixos-builder = {
+      enable = true;
+      url = cfg.url;
+      name = "${config.networking.hostName}-nixos-builder";
+      tokenFile = config.sops.secrets.gitea.path;
+      labels = [
+        "nixos:host"
+      ];
+      hostPackages = builtins.attrValues {
+        inherit (pkgs)
+          bash
+          coreutils
+          gitMinimal
+          nix
+          attic-client
+          ;
+      };
+    };
+  };
+}

modules/servers/gitea-actions-runners/ryujinx.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.servers.gitea;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.gitea-actions-runner.instances.ryujinx = {
+      enable = true;
+      url = cfg.url;
+      name = "${config.networking.hostName}-ryujinx";
+      tokenFile = config.sops.secrets.gitea.path;
+      labels = [
+        "ubuntu-latest:host"
+        "ubuntu-20.04:host"
+      ];
+      hostPackages =
+        let
+          python3 = pkgs.python3.withPackages (
+            ps:
+            builtins.attrValues {
+              inherit (ps)
+                pyyaml
+                lxml
+                ;
+            }
+          );
+        in
+        builtins.attrValues {
+          inherit python3;
+          inherit (pkgs)
+            bash
+            coreutils
+            curl
+            gawk
+            gitMinimal
+            gnused
+            nodejs
+            wget
+            gnutar
+            gzip
+            dotnet-sdk_8
+            openal
+            vulkan-loader
+            libGL
+            gtk3
+            llvm_15
+            rcodesign
+            gh
+            p7zip
+            ;
+          inherit (pkgs.xorg) libX11;
+        };
+    };
+  };
+}

modules/servers/gitea.nix

@@ -9,76 +9,32 @@ let
   setup = import ./setup.nix { inherit lib config; };
 in
 {
+  imports = [
+    ./gitea-actions-runners/ryujinx.nix
+    ./gitea-actions-runners/nixos-builder.nix
+  ];
+
   options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
   config = {
     sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; };
-    services = {
+    services.gitea = lib.mkIf cfg.enable {
-      gitea = lib.mkIf cfg.enable {
+      enable = true;
-        enable = true;
+      domain = cfg.host;
-        domain = cfg.host;
+      rootUrl = cfg.url;
-        rootUrl = cfg.url;
+      settings = {
-        settings = {
+        session.COOKIE_SECURE = true;
-          session.COOKIE_SECURE = true;
+        server.HTTP_PORT = cfg.port;
-          server.HTTP_PORT = cfg.port;
+        mailer = {
-          mailer = {
+          ENABLED = true;
-            ENABLED = true;
+          PROTOCOL = "sendmail";
-            PROTOCOL = "sendmail";
+          FROM = config.my.smtpemail;
-            FROM = config.my.smtpemail;
+          SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
-            SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
-          };
-        };
-        database = {
-          socket = config.my.postgresSocket;
-          type = "postgres";
-          createDatabase = false;
         };
       };
-      gitea-actions-runner.instances.ryujinx = lib.mkIf cfg.enable {
+      database = {
-        enable = true;
+        socket = config.my.postgresSocket;
-        url = cfg.url;
+        type = "postgres";
-        name = "${config.networking.hostName}-ryujinx";
+        createDatabase = false;
-        tokenFile = config.sops.secrets.gitea.path;
-        labels = [
-          "ubuntu-latest:host"
-          "ubuntu-20.04:host"
-        ];
-        hostPackages =
-          let
-            python3 = pkgs.python3.withPackages (
-              ps:
-              builtins.attrValues {
-                inherit (ps)
-                  pyyaml
-                  lxml
-                  ;
-              }
-            );
-          in
-          builtins.attrValues {
-            inherit python3;
-            inherit (pkgs)
-              bash
-              coreutils
-              curl
-              gawk
-              gitMinimal
-              gnused
-              nodejs
-              wget
-              gnutar
-              gzip
-              dotnet-sdk_8
-              openal
-              vulkan-loader
-              libGL
-              gtk3
-              llvm_15
-              rcodesign
-              gh
-              p7zip
-              ;
-            inherit (pkgs.xorg) libX11;
-          };
       };
     };
   };