Add nix building (#18)

.actrc

@@ -0,0 +1 @@
+-P ubuntu-latest=catthehacker/ubuntu:act-latest

.envrc

@@ -0,0 +1 @@
+use flake --accept-flake-config;

.github/workflows/ci.yaml

@@ -7,89 +7,160 @@ on:
     - 'templates/**'
     - 'Cargo.*'
     - 'Dockerfile'
+    - '**/*.nix'
     - '.github/workflows/ci.yaml'
+  workflow_dispatch: {}
 
 jobs:
-  docker:
+  nix:
+    strategy:
+      matrix:
+        target: ["aarch64", "x86_64"]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ghcr.io/kasuboski/feedreader
-          # generate Docker tags based on the following events/attributes
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
-            type=sha
-
+        uses: actions/checkout@v3
+      - run: echo "CI_SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
       - name: Tailscale
         timeout-minutes: 10 # the action will just try connecting forever
         uses: tailscale/github-action@v1
         with:
           authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
-
-      # get a specific version for the remote buildx driver
-      - name: Set up Docker Buildx
-        id: builder
-        uses: docker/setup-buildx-action@v1
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
         with:
-          use: false
-
-      - name: Setup Actions buildkitd
-        shell: bash
-        run: |
-          # should probably still use certs...
-          # https://github.com/moby/buildkit#expose-buildkit-as-a-tcp-service
-          docker run -d --name buildkitd --privileged -p 1234:1234 moby/buildkit:buildx-stable-1 --addr tcp://0.0.0.0:1234
-          docker buildx create --name gh-builder --driver remote --use tcp://0.0.0.0:1234
-          docker buildx inspect --bootstrap
-
-      - name: Store certs
-        shell: bash
-        env:
-          CA_CERT: ${{ secrets.BUILDKIT_CA }}
-          CLIENT_CERT: ${{ secrets.BUILDKIT_CLIENT_CERT }}
-          CLIENT_KEY: ${{ secrets.BUILDKIT_CLIENT_KEY }}
-        run: |
-          echo "$CA_CERT" > ca_cert.pem
-          echo "$CLIENT_CERT" > client_cert.pem
-          echo "$CLIENT_KEY" > key.pem
-
-      - name: "Append ARM buildkit builder"
-        shell: bash
+          github-token: ${{ github.token }}
+          extra-conf: |
+            builders = "josh@fettig x86_64-linux,aarch64-linux - 12 2 kvm,benchmark,big-parallel,nixos-test"
+            builders-use-substitutes = true
+      - uses: cachix/cachix-action@v12
+        with:
+          name: kasuboski-feedreader 
+          extraPullNames: nix-community
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Feedreader
+        # if: matrix.target == 'aarch64'
         run: |
-          docker buildx create --append --name gh-builder \
-              --node arm \
-              --driver remote \
-              --driver-opt key="$GITHUB_WORKSPACE/key.pem" \
-              --driver-opt cert="$GITHUB_WORKSPACE/client_cert.pem" \
-              --driver-opt cacert="$GITHUB_WORKSPACE/ca_cert.pem" \
-              tcp://buildkitd:1234
-          docker buildx ls
-          docker buildx inspect --bootstrap
-
+          nix build .#${{ matrix.target }}-linux-bin
+          nix build .#pushImage-${{ matrix.target }}-linux && ./result/bin/push-image 
+          nix develop --command just list-images
+      # - name: Build Feedreader
+      #   if: matrix.target == 'x86_64'
+      #   run: |
+      #     nix build .
+      #     nix build .#pushImage && ./result/bin/push-image 
+      #     nix develop --command just list-images
+  multi-push:
+    runs-on: ubuntu-latest
+    needs: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - run: echo "CI_SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v2
+        with:
+          github-token: ${{ github.token }}
+      - uses: cachix/cachix-action@v12
+        with:
+          name: kasuboski-feedreader 
+          extraPullNames: nix-community
       - name: Login to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Combine and Push images
+        run: |
+          nix develop --command just multiarch-push  
+  # docker:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v2
+  #     - name: Docker meta
+  #       id: meta
+  #       uses: docker/metadata-action@v3
+  #       with:
+  #         # list of Docker images to use as base name for tags
+  #         images: |
+  #           ghcr.io/kasuboski/feedreader
+  #         # generate Docker tags based on the following events/attributes
+  #         tags: |
+  #           type=schedule
+  #           type=ref,event=branch
+  #           type=ref,event=pr
+  #           type=sha
 
-      - name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=registry,ref=ghcr.io/kasuboski/feedreader:buildcache
-          cache-to: type=registry,ref=ghcr.io/kasuboski/feedreader:buildcache,mode=max
+  #     - name: Tailscale
+  #       timeout-minutes: 10 # the action will just try connecting forever
+  #       uses: tailscale/github-action@v1
+  #       with:
+  #         authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+
+  #     # get a specific version for the remote buildx driver
+  #     - name: Set up Docker Buildx
+  #       id: builder
+  #       uses: docker/setup-buildx-action@v1
+  #       with:
+  #         use: false
+
+  #     - name: Setup Actions buildkitd
+  #       shell: bash
+  #       run: |
+  #         # should probably still use certs...
+  #         # https://github.com/moby/buildkit#expose-buildkit-as-a-tcp-service
+  #         docker run -d --name buildkitd --privileged -p 1234:1234 moby/buildkit:buildx-stable-1 --addr tcp://0.0.0.0:1234
+  #         docker buildx create --name gh-builder --driver remote --use tcp://0.0.0.0:1234
+  #         docker buildx inspect --bootstrap
+
+  #     - name: Store certs
+  #       shell: bash
+  #       env:
+  #         CA_CERT: ${{ secrets.BUILDKIT_CA }}
+  #         CLIENT_CERT: ${{ secrets.BUILDKIT_CLIENT_CERT }}
+  #         CLIENT_KEY: ${{ secrets.BUILDKIT_CLIENT_KEY }}
+  #       run: |
+  #         echo "$CA_CERT" > ca_cert.pem
+  #         echo "$CLIENT_CERT" > client_cert.pem
+  #         echo "$CLIENT_KEY" > key.pem
+
+  #     - name: "Append ARM buildkit builder"
+  #       shell: bash
+  #       run: |
+  #         docker buildx create --append --name gh-builder \
+  #             --node arm \
+  #             --driver remote \
+  #             --driver-opt key="$GITHUB_WORKSPACE/key.pem" \
+  #             --driver-opt cert="$GITHUB_WORKSPACE/client_cert.pem" \
+  #             --driver-opt cacert="$GITHUB_WORKSPACE/ca_cert.pem" \
+  #             tcp://buildkitd:1234
+  #         docker buildx ls
+  #         docker buildx inspect --bootstrap
+
+  #     - name: Login to GHCR
+  #       if: github.event_name != 'pull_request'
+  #       uses: docker/login-action@v1
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
+
+  #     - name: Build and push
+  #       uses: docker/build-push-action@v2
+  #       with:
+  #         context: .
+  #         platforms: linux/amd64,linux/arm64
+  #         push: ${{ github.event_name != 'pull_request' }}
+  #         tags: ${{ steps.meta.outputs.tags }}
+  #         labels: ${{ steps.meta.outputs.labels }}
+  #         cache-from: type=registry,ref=ghcr.io/kasuboski/feedreader:buildcache
+  #         cache-to: type=registry,ref=ghcr.io/kasuboski/feedreader:buildcache,mode=max

.gitignore

@@ -1,2 +1,4 @@
 /target
 *.db
+result
+.direnv

Justfile

@@ -0,0 +1,28 @@
+default:
+    @just --list --unsorted
+
+build:
+    nix build .
+
+image:
+    nix build .#image
+
+push-image:
+    nix build .#pushImage && ./result/bin/push-image
+
+multiarch-push:
+    nix build .#combineImages && ./result/bin/combine-images
+
+list-images:
+    nix develop --command skopeo list-tags docker://ghcr.io/kasuboski/feedreader
+
+cache-nix:
+    nix build --json \
+    | jq -r '.[].outputs | to_entries[].value' \
+    | cachix push kasuboski-feedreader
+
+    nix develop --profile dev-profile --command 'true' # to preload or something :shrug:
+    cachix push kasuboski-feedreader dev-profile
+
+local-workflow:
+    act -s GITHUB_TOKEN="{{ env_var('GITHUB_TOKEN') }}"

default.nix

@@ -0,0 +1,69 @@
+{
+  nixpkgs,
+  crane,
+  flake-utils,
+  rust-overlay,
+  system,
+}:
+flake-utils.lib.eachDefaultSystem
+(
+  crossSystem: let
+    crossBuild = crossSystem != system;
+    overlays = [(import rust-overlay)];
+    pkgs = import nixpkgs {
+      inherit crossSystem;
+      localSystem = system;
+      inherit overlays;
+    };
+    rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+    # this is how we can tell crane to use our toolchain!
+    craneLib = (crane.mkLib pkgs).overrideToolchain rustToolchain;
+    additionalFilter = path: _type: builtins.match ".*html$|.*opml$" path != null;
+    # https://crane.dev/API.html#cranelibfiltercargosources
+    src = nixpkgs.lib.cleanSourceWith {
+      src = craneLib.path ./.;
+      filter = path: type: (additionalFilter path type) || (craneLib.filterCargoSources path type);
+    };
+    nativeBuildInputs = with pkgs; [rustToolchain pkg-config];
+    buildInputs = with pkgs; [openssl sqlite];
+    # because we'll use it for both `cargoArtifacts` and `bin`
+    archInfo = {
+      x86_64-linux = {
+        rustTarget = "x86_64-unknown-linux-gnu";
+        qemu = "x86_64";
+      };
+      aarch64-linux = {
+        rustTarget = "aarch64-unknown-linux-gnu";
+        qemu = "aarch64";
+      };
+    };
+    baseArgs = {
+      inherit src buildInputs nativeBuildInputs;
+    };
+    crossArgs = {
+      doCheck = false;
+      depsBuildBuild = [pkgs.qemu];
+      cargoExtraArgs = "--target ${archInfo.${crossSystem}.rustTarget}";
+      "CARGO_TARGET_${pkgs.lib.strings.toUpper archInfo.${crossSystem}.qemu}_UNKNOWN_LINUX_GNU_LINKER" = "${pkgs.stdenv.cc.targetPrefix}cc";
+      "CARGO_TARGET_${pkgs.lib.strings.toUpper archInfo.${crossSystem}.qemu}_UNKNOWN_LINUX_GNU_RUNNER" = "qemu-${archInfo.${crossSystem}.qemu}";
+      HOST_CC = "${pkgs.stdenv.cc.nativePrefix}cc";
+      TARGET_CC = "${pkgs.stdenv.cc.targetPrefix}cc";
+    };
+    commonArgs =
+      if crossBuild
+      then baseArgs // crossArgs
+      else baseArgs;
+    cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+    bin = craneLib.buildPackage (commonArgs
+      // {
+        inherit cargoArtifacts;
+      });
+  in rec {
+    packages = {
+      # that way we can build `bin` specifically,
+      # but it's also the default.
+      inherit bin;
+      default = bin;
+    };
+  }
+)