gitea nixos cicd

This commit is contained in:
Danilo Reyes 2025-09-27 21:04:50 -06:00
parent 0b709f4ef0
commit e6c9e80a3b
6 changed files with 216 additions and 67 deletions

100
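--- a/.github/workflows/weekly-build-cache.yml
+++ b/.github/workflows/weekly-build-cache.yml
@@ -0,0 +1,100 @@
+name: Weekly NixOS Build & Cache
+on:
+schedule:
+# Run every Sunday at 2 AM UTC
+- cron: '0 2 * * 0'
+workflow_dispatch: # Allow manual trigger
+jobs:
+build-and-cache:
+runs-on: nixos
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+token: ${{ secrets.GITHUB_TOKEN }}
+- name: Configure Git for automated commits
+run: |
+git config user.name "NixOS Builder Bot"
+git config user.email "noreply@servidos.lat"
+- name: Update flake inputs
+run: |
+nix flake update
+- name: Check for changes
+id: check_changes
+run: |
+if git diff --quiet flake.lock; then
+echo "changes=false" >> $GITHUB_OUTPUT
+echo "No changes in flake.lock"
+else
+echo "changes=true" >> $GITHUB_OUTPUT
+echo "Changes detected in flake.lock"
+fi
+- name: Configure Attic cache
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+# Configure attic client to use your cache server
+attic login jawz-cache https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}
+- name: Build workstation configuration
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+echo "Building workstation configuration..."
+nix build .#nixosConfigurations.workstation.config.system.build.toplevel --print-build-logs
+- name: Build miniserver configuration
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+echo "Building miniserver configuration..."
+nix build .#nixosConfigurations.miniserver.config.system.build.toplevel --print-build-logs
+- name: Build server configuration
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+echo "Building server configuration..."
+nix build .#nixosConfigurations.server.config.system.build.toplevel --print-build-logs
+- name: Push to cache
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+echo "Pushing builds to cache..."
+# Push all built derivations to cache
+if ls result* 1> /dev/null 2>&1; then
+attic push jawz-cache result*
+fi
+# Push the specific system derivations we just built
+nix build .#nixosConfigurations.workstation.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin
+nix build .#nixosConfigurations.miniserver.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin
+nix build .#nixosConfigurations.server.config.system.build.toplevel --print-out-paths | attic push jawz-cache --stdin
+- name: Commit updated flake.lock
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+git add flake.lock
+git commit -m "Weekly flake update: $(date -u '+%Y-%m-%d %H:%M UTC')"
+git push origin main
+- name: Create release tag
+if: steps.check_changes.outputs.changes == 'true'
+run: |
+TAG_NAME="weekly-$(date -u '+%Y-%m-%d')"
+git tag -a "$TAG_NAME" -m "Weekly build and cache update for $(date -u '+%Y-%m-%d')"
+git push origin "$TAG_NAME"
+- name: Summary
+run: |
+if [[ "${{ steps.check_changes.outputs.changes }}" == "true" ]]; then
+echo "✅ Weekly build completed successfully!"
+echo "- Updated flake.lock"
+echo "- Built all NixOS configurations"
+echo "- Pushed builds to Atticd cache"
+echo "- Committed changes and created release tag"
+else
+echo " No updates needed - flake.lock is already up to date"
+fi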
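Review bot: The "Configure Attic cache" step inlines `${{ secrets.ATTIC_TOKEN }}` into the `run:` script, so the token is written into the rendered shell script and passed as a command-line argument on a host-mode runner, where it is readable from the process list by anything else running as that user; moving it to `env:` as `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}` and calling `attic login jawz-cache https://cache.servidos.lat "$ATTIC_TOKEN"` at least keeps it out of the script text. The job also runs `nix flake update`, builds the result, pushes the closures to the cache that other hosts are being configured to trust, commits to `main` and tags a release with no review step in between, so whatever the updated inputs resolve to reaches the trusted cache unattended; if that is the intended trade-off it deserves a header comment such as `# Unattended: updated inputs are built, pushed to the cache and committed to main without review`. In "Push to cache", the three preceding `nix build` calls each overwrite the same `./result` link, so the `ls result*` branch only ever sees the last build; the three `--print-out-paths` pushes below it already cover all of them and the `result*` branch could be dropped to avoid suggesting it does more than it does.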


@ -94,6 +94,7 @@
"pipe-operators"
];
substituters = [
config.my.servers.atticd.url
"https://nix-gaming.cachix.org"
"https://nixpkgs-python.cachix.org"
"https://devenv.cachix.org"
@ -103,6 +104,8 @@
"https://cosmic.cachix.org"
];
trusted-public-keys = [
# TODO: Replace with actual atticd public key after setup
# "cache.servidos.lat:YOUR_ATTICD_PUBLIC_KEY_HERE"
"nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
"nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
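Review bot: `config.my.servers.atticd.url` is added to `substituters` while the matching `trusted-public-keys` entry stays a commented-out placeholder (second hunk of this section; file path not shown on the page), so with signature checking at Nix's default every path served from that cache will be rejected until the real key is listed, and the placeholder should say so: `# atticd key not yet added: this substituter is inert until it is`. When the key is filled in, every host that lists it will accept anything the CI runner pushes, so that runner and its push token become part of the trust boundary for all of these machines, which is worth a line next to the key. One thing to confirm when wiring it up: attic serves each cache under its own path (the workflow logs into cache `jawz-cache` on `https://cache.servidos.lat`), so if `my.servers.atticd.url` is only the server root the substituter may need the cache name appended; that option's value is not visible here.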


@ -26,7 +26,6 @@ in
services = enableList mkEnabled [
"network"
"nvidia"
# "wireguard"
];
dev = enableList mkEnabled [
"nix"
@ -46,7 +45,6 @@ in
"ffmpeg4discord"
"manage-library"
"library-report"
# "update-dns" #vps
"stream-dl"
"pika-list"
"find-dup-episodes"
@ -84,6 +82,7 @@ in
"gitea"
"mealie"
"metube"
"atticd"
]
// enableList mkEnabledIp [
"audiobookshelf"


@ -0,0 +1,31 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.my.servers.gitea;
in
{
config = lib.mkIf cfg.enable {
services.gitea-actions-runner.instances.nixos-builder = {
enable = true;
url = cfg.url;
name = "${config.networking.hostName}-nixos-builder";
tokenFile = config.sops.secrets.gitea.path;
labels = [
"nixos:host"
];
hostPackages = builtins.attrValues {
inherit (pkgs)
bash
coreutils
gitMinimal
nix
attic-client
;
};
};
};
}
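Review bot: The `nixos:host` label registers this instance in host mode, so any job scheduled onto `nixos` runs its steps directly on this machine as the runner's service user, with the host `nix` and `attic-client` in its path; whether that is limited to one repository or is instance-wide depends on the token behind `config.sops.secrets.gitea.path`, which is not visible here and is the same file the `ryujinx` runner uses. A comment above `tokenFile` stating the registration scope would make the exposure explicit, e.g. `# registration token shared with ryujinx.nix; its scope (repo vs. instance) decides who can run jobs on this host`. The weekly workflow that targets this label expects to read built store paths, push to the cache and push to `main`, and nothing in this module documents where those credentials and permissions come from; a short note pointing at the expected secrets would help the next reader.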


@ -0,0 +1,60 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.my.servers.gitea;
in
{
config = lib.mkIf cfg.enable {
services.gitea-actions-runner.instances.ryujinx = {
enable = true;
url = cfg.url;
name = "${config.networking.hostName}-ryujinx";
tokenFile = config.sops.secrets.gitea.path;
labels = [
"ubuntu-latest:host"
"ubuntu-20.04:host"
];
hostPackages =
let
python3 = pkgs.python3.withPackages (
ps:
builtins.attrValues {
inherit (ps)
pyyaml
lxml
;
}
);
in
builtins.attrValues {
inherit python3;
inherit (pkgs)
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
gnutar
gzip
dotnet-sdk_8
openal
vulkan-loader
libGL
gtk3
llvm_15
rcodesign
gh
p7zip
;
inherit (pkgs.xorg) libX11;
};
};
};
}


@ -9,76 +9,32 @@ let
setup = import ./setup.nix { inherit lib config; };
in
{
imports = [
./gitea-actions-runners/ryujinx.nix
./gitea-actions-runners/nixos-builder.nix
];
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
config = {
sops.secrets = lib.mkIf cfg.enable { gitea.sopsFile = ../../secrets/env.yaml; };
services = {
gitea = lib.mkIf cfg.enable {
enable = true;
domain = cfg.host;
rootUrl = cfg.url;
settings = {
session.COOKIE_SECURE = true;
server.HTTP_PORT = cfg.port;
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
FROM = config.my.smtpemail;
SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
};
};
database = {
socket = config.my.postgresSocket;
type = "postgres";
createDatabase = false;
services.gitea = lib.mkIf cfg.enable {
enable = true;
domain = cfg.host;
rootUrl = cfg.url;
settings = {
session.COOKIE_SECURE = true;
server.HTTP_PORT = cfg.port;
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
FROM = config.my.smtpemail;
SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
};
};
gitea-actions-runner.instances.ryujinx = lib.mkIf cfg.enable {
enable = true;
url = cfg.url;
name = "${config.networking.hostName}-ryujinx";
tokenFile = config.sops.secrets.gitea.path;
labels = [
"ubuntu-latest:host"
"ubuntu-20.04:host"
];
hostPackages =
let
python3 = pkgs.python3.withPackages (
ps:
builtins.attrValues {
inherit (ps)
pyyaml
lxml
;
}
);
in
builtins.attrValues {
inherit python3;
inherit (pkgs)
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
gnutar
gzip
dotnet-sdk_8
openal
vulkan-loader
libGL
gtk3
llvm_15
rcodesign
gh
p7zip
;
inherit (pkgs.xorg) libX11;
};
database = {
socket = config.my.postgresSocket;
type = "postgres";
createDatabase = false;
};
};
};