refactor(immich): replace docker with nixos module #338
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Adapted from: | |
# https://lgug2z.com/articles/building-and-privately-caching-x86-and-aarch64-nixos-systems-on-github-actions/ | |
name: "build" | |
on: | |
- push | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
# Here we specify the matrix of our hosts and their target platform architectures | |
matrix: | |
machine: | |
- host: apollo | |
platform: x86-64-linux | |
- host: athena | |
platform: x86-64-linux | |
- host: bacchus | |
platform: x86-64-linux | |
- host: bro | |
platform: x86-64-linux | |
- host: feb | |
platform: x86-64-linux | |
- host: hera | |
platform: x86-64-linux | |
- host: phobos | |
platform: x86-64-linux | |
needs: ["build-packages"] | |
steps: | |
# Inspired by https://github.com/workflow/dotfiles/blob/c5ff98fc2ef05cefdca3b663d46dc517696e418e/.github/workflows/nixos.yml | |
- name: "Create Directory for Nix Store" | |
run: | | |
sudo mkdir /nix | |
- name: "Maximize Disk Space" | |
run: | | |
sudo rm -rf $AGENT_TOOLSDIRECTORY | |
sudo rm -rf /usr/local/.ghcup | |
sudo rm -rf /usr/local/share/powershell | |
sudo rm -rf /usr/local/share/chromium | |
sudo rm -rf /usr/local/lib/node_modules | |
sudo rm -rf /usr/local/lib/heroku | |
sudo rm -rf /var/lib/docker/overlay2 | |
sudo rm -rf /home/linuxbrew | |
sudo rm -rf /home/runner/.rustup | |
- name: "Maximize Disk Space 2" | |
uses: easimon/maximize-build-space@fc881a613ad2a34aca9c9624518214ebc21dfc0c # v10 | |
with: | |
# Save some space on root for /tmp (where packages are built) | |
root-reserve-mb: 16384 # 16 GiB | |
swap-size-mb: 1024 | |
build-mount-path: /nix | |
remove-dotnet: "true" | |
remove-android: "true" | |
remove-haskell: "true" | |
remove-codeql: "true" | |
remove-docker-images: "true" | |
- name: Assert Correct Ownership on /nix | |
run: | | |
sudo chown root:root /nix | |
- uses: actions/checkout@v4 | |
# We only run this if we are building an aarch64-linux system | |
- if: matrix.machine.platform == 'aarch64-linux' | |
uses: docker/setup-qemu-action@v3 | |
# We make our netrc file that is used to make authorized requests to Attic | |
- run: | | |
sudo mkdir -p /etc/nix | |
echo "machine nix-cache.diogotc.com password ${{ secrets.ATTIC_TOKEN }}" | sudo tee /etc/nix/netrc > /dev/null | |
- uses: DeterminateSystems/nix-installer-action@main | |
with: | |
# We add all the config for extra platforms, other binary caches and to raise the number of connections that can be made | |
extra-conf: | | |
fallback = true | |
http-connections = 128 | |
max-substitution-jobs = 128 | |
extra-platforms = i686-linux aarch64-linux | |
substituters = https://nix-cache.diogotc.com/dtc?priority=43 https://cache.nixos.org/ | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U= | |
always-allow-substitutes = true | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
# We check if this system actually has anything to be built or if we're just going | |
# to be fetching from cache | |
- name: Check if build needed | |
id: build-needed | |
run: | | |
nix build .#nixosConfigurations.${{ matrix.machine.host }}.config.system.build.toplevel --dry-run 2> dry-run-output | |
echo "needs-build=$(cat dry-run-output | grep 'will be built' &> /dev/null && echo 1 || echo 0)" >> $GITHUB_OUTPUT | |
shell: bash | |
# We build each system in a separate job, targeting the configuration using matrix.machine.host | |
- name: Build system | |
if: steps.build-needed.outputs.needs-build == '1' | |
run: | | |
nix build .#nixosConfigurations.${{ matrix.machine.host }}.config.system.build.toplevel | |
# Once built, we login to Attic and push the built system to our cache! | |
- name: Push system | |
if: steps.build-needed.outputs.needs-build == '1' | |
run: | | |
nix run .#attic login phobos https://nix-cache.diogotc.com ${{ secrets.ATTIC_TOKEN }} | |
nix run .#attic push dtc result -j 2 | |
build-packages: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
# Here we specify the packages to build | |
matrix: | |
package: | |
- alt-urls-discord-bot | |
- attic | |
- cybersec.flask-unsign | |
- cybersec.pycdc | |
steps: | |
- uses: actions/checkout@v4 | |
# We make our netrc file that is used to make authorized requests to Attic | |
- run: | | |
sudo mkdir -p /etc/nix | |
echo "machine nix-cache.diogotc.com password ${{ secrets.ATTIC_TOKEN }}" | sudo tee /etc/nix/netrc > /dev/null | |
- uses: DeterminateSystems/nix-installer-action@main | |
with: | |
# We add all the config for extra platforms, other binary caches and to raise the number of connections that can be made | |
extra-conf: | | |
fallback = true | |
http-connections = 128 | |
max-substitution-jobs = 128 | |
extra-platforms = i686-linux aarch64-linux | |
substituters = https://nix-cache.diogotc.com/dtc?priority=43 https://cache.nixos.org/ | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U= | |
always-allow-substitutes = true | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
# We check if this package actually has anything to be built or if we're just going | |
# to be fetching from cache | |
- name: Check if build needed | |
id: build-needed | |
run: | | |
nix build .#${{ matrix.package }} --dry-run 2> dry-run-output | |
echo "needs-build=$(cat dry-run-output | grep 'will be built' &> /dev/null && echo 1 || echo 0)" >> $GITHUB_OUTPUT | |
shell: bash | |
# We build each package in a separate job, targeting the configuration using matrix.package | |
- name: Build package | |
if: steps.build-needed.outputs.needs-build == '1' | |
run: | | |
nix build .#${{ matrix.package }} | |
# Once built, we login to Attic and push the built package to our cache! | |
- name: Push package | |
if: steps.build-needed.outputs.needs-build == '1' | |
run: | | |
nix run .#attic login phobos https://nix-cache.diogotc.com ${{ secrets.ATTIC_TOKEN }} | |
nix run .#attic push dtc result -j 2 |