master
...
805c135e5b
| Author | SHA1 | Date | |
|---|---|---|---|
| 805c135e5b | |||
| 9ad7e54527 | |||
| 29222f17c8 | |||
| 55f18b1439 | |||
| 91fe154ad1 |
@@ -68,7 +68,9 @@ jobs:
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
# 4. Build smoke — every changed package must build.
|
# 4. Build smoke — every changed package must build. Cache push
|
||||||
|
# is intentionally absent for now (no shared binary cache);
|
||||||
|
# add a step here once cache infra is decided.
|
||||||
- name: build smoke
|
- name: build smoke
|
||||||
if: steps.changed.outputs.packages != ''
|
if: steps.changed.outputs.packages != ''
|
||||||
run: |
|
run: |
|
||||||
@@ -77,18 +79,6 @@ jobs:
|
|||||||
.#${pkg} --no-link --print-out-paths
|
.#${pkg} --no-link --print-out-paths
|
||||||
done
|
done
|
||||||
|
|
||||||
# 4b. Push the validated outputs to the binary cache. The runner's
|
|
||||||
# config.yaml bind-mounts /srv/cargoxx-cache and the signing
|
|
||||||
# key into every job container.
|
|
||||||
- name: push to binary cache
|
|
||||||
if: steps.changed.outputs.packages != ''
|
|
||||||
run: |
|
|
||||||
for pkg in ${{ steps.changed.outputs.packages }}; do
|
|
||||||
nix copy --extra-experimental-features 'nix-command flakes' \
|
|
||||||
--to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
|
|
||||||
.#${pkg}
|
|
||||||
done
|
|
||||||
|
|
||||||
# 5. Maintainer check — PR must come from someone listed in
|
# 5. Maintainer check — PR must come from someone listed in
|
||||||
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
|
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
|
||||||
# since the PR introduces the file in the same commit).
|
# since the PR introduces the file in the same commit).
|
||||||
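Review bot: The build-smoke step kept at `run: |` (line 54) still drives a shell loop over `steps.changed.outputs.packages`, and the `for` line of that loop falls between the two hunks, so it is not visible here; the removed push step at line 97 shows the form this workflow uses, `for pkg in ${{ steps.changed.outputs.packages }}; do`, which interpolates the output into the script text before the shell runs. If `packages` is derived from PR-controlled paths (recipe directory names), that value is executed as script rather than handled as data; the conventional fix is to pass it through the environment, `env:` with `PACKAGES: ${{ steps.changed.outputs.packages }}` on the step, and `for pkg in $PACKAGES; do` in the body, which is worth confirming on the loop outside the hunk. Separately, the README text removed in this compare (around line 578) says the substituter URL and trusted public key are baked into `cargoxx/flake.nix:cargoxxNixConfig`; that file is not part of this compare, so the new comment's "no shared binary cache" (line 35) should be checked against it so consumers do not keep trusting a key for a cache that no longer exists.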
|
|||||||
@@ -1,17 +0,0 @@
|
|||||||
schema = 1
|
|
||||||
name = "greeter"
|
|
||||||
version = "0.1.1"
|
|
||||||
|
|
||||||
[source]
|
|
||||||
type = "git"
|
|
||||||
url = "https://git.amadey.xyz/mozart/greeter"
|
|
||||||
commit = "d79a99468a158e2b37739404073dcfaab8c12308"
|
|
||||||
sha256 = "sha256-1IV9HrdYoQOFcI3bP280/CYsdmuYvuMFK9hvjdanNto="
|
|
||||||
|
|
||||||
[lock]
|
|
||||||
nixpkgs_rev = "d233902339c02a9c334e7e593de68855ad26c4cb"
|
|
||||||
flake_utils_rev = "11707dc2f618dd54ca8739b309ec4fc024de578b"
|
|
||||||
|
|
||||||
[meta]
|
|
||||||
description = "minimal cargoxx demo library — greets you"
|
|
||||||
license = "MIT"
|
|
||||||
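--- a/runner/.gitignore
+++ b/runner/.gitignore
@@ -1,11 +1,3 @@
 .env
 data/
 result
-
-# Binary cache state + signing keys. The cache.sec must never be
-# committed; the public key is regenerated per deployment too
-# (`nix-store --generate-binary-cache-key`).
-cache/
-
-# Caddy state: ACME account + issued certs + on-disk config tree.
-caddy/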
|
|||||||
@@ -1,43 +0,0 @@
|
|||||||
# Caddy config for the cargoxx binary cache.
|
|
||||||
#
|
|
||||||
# The router does PAT (port forwarding) so the *external* world reaches
|
|
||||||
# us at the standard 80/443 but the *internal* ports are different.
|
|
||||||
# `http_port` and `https_port` below must match the internal ports the
|
|
||||||
# router forwards to. Override via runner/.env:
|
|
||||||
#
|
|
||||||
# CADDY_HTTP_PORT=8080
|
|
||||||
# CADDY_HTTPS_PORT=8443
|
|
||||||
#
|
|
||||||
# (Those env vars are picked up by compose.yml to publish the ports
|
|
||||||
# AND injected into this Caddyfile via the {$VAR:default} substitution
|
|
||||||
# below — Caddy expands env vars natively.)
|
|
||||||
{
|
|
||||||
# Internal ports — must equal whatever the router forwards 80/443 to.
|
|
||||||
http_port {$CADDY_HTTP_PORT:8080}
|
|
||||||
https_port {$CADDY_HTTPS_PORT:8443}
|
|
||||||
# ACME's HTTP-01 challenge probe still arrives at host:80 → router
|
|
||||||
# → :8080; Caddy answers it on the internal port. Auto cert works
|
|
||||||
# as long as the PAT maps 80 → CADDY_HTTP_PORT and 443 → CADDY_HTTPS_PORT.
|
|
||||||
email vorontsov@amadey.xyz
|
|
||||||
}
|
|
||||||
|
|
||||||
cache.cargoxx.amadey.xyz {
|
|
||||||
root * /srv/cache
|
|
||||||
file_server
|
|
||||||
|
|
||||||
# narinfo / nar are immutable per content hash → cache aggressively.
|
|
||||||
@cache_immutable path *.narinfo *.nar.xz *.nar
|
|
||||||
header @cache_immutable Cache-Control "public, immutable, max-age=31536000"
|
|
||||||
|
|
||||||
# Substituter probe; short cache so new entries land quickly.
|
|
||||||
@cache_info path /nix-cache-info
|
|
||||||
header @cache_info Cache-Control "public, max-age=300"
|
|
||||||
|
|
||||||
log {
|
|
||||||
output file /data/access.log {
|
|
||||||
roll_size 50MiB
|
|
||||||
roll_keep 5
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -46,45 +46,7 @@ Self-hosted Gitea Actions runner that validates package PRs.
|
|||||||
GITEA_RUNNER_LABELS=self-hosted
|
GITEA_RUNNER_LABELS=self-hosted
|
||||||
```
|
```
|
||||||
|
|
||||||
4. **Generate the binary-cache signing key** + cache directory. The
|
4. **Start the runner**:
|
||||||
workflow's "push to binary cache" step writes here; nginx (or
|
|
||||||
anything you point at it) serves it back over HTTPS to consumers.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
mkdir -p cache/store
|
|
||||||
nix-store --generate-binary-cache-key \
|
|
||||||
cache.cargoxx.<your-domain> \
|
|
||||||
cache/cache.sec cache/cache.pub
|
|
||||||
chmod 600 cache/cache.sec
|
|
||||||
```
|
|
||||||
|
|
||||||
The `cache/` directory is gitignored. Both keys live alongside
|
|
||||||
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
|
|
||||||
|
|
||||||
5. **Pick the Caddy ports.** `compose.yml` runs Caddy alongside the
|
|
||||||
runner to HTTPS-front the cache. Because the router does PAT, the
|
|
||||||
*internal* ports Caddy listens on must equal whatever 80/443 are
|
|
||||||
forwarded to. Add to `.env`:
|
|
||||||
|
|
||||||
```env
|
|
||||||
CADDY_HTTP_PORT=8080
|
|
||||||
CADDY_HTTPS_PORT=8443
|
|
||||||
```
|
|
||||||
|
|
||||||
Both compose.yml and the Caddyfile pick those up. The Caddyfile
|
|
||||||
already targets `cache.cargoxx.amadey.xyz` and the e-mail
|
|
||||||
`vorontsov@amadey.xyz`; edit if you're deploying somewhere else.
|
|
||||||
|
|
||||||
ACME provisioning works as long as the router forwards 80 →
|
|
||||||
CADDY_HTTP_PORT and 443 → CADDY_HTTPS_PORT, so Let's Encrypt's
|
|
||||||
HTTP-01 challenge reaches Caddy.
|
|
||||||
|
|
||||||
Consumers' substituter config (`substituters = https://cache.<domain>`,
|
|
||||||
`trusted-public-keys = <cache.pub>`) is baked into cargoxx's own
|
|
||||||
wrapper (`cargoxx/flake.nix:cargoxxNixConfig`), so any installed
|
|
||||||
`cargoxx` binary picks them up — no per-user setup needed.
|
|
||||||
|
|
||||||
6. **Start the runner**:
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker compose up -d
|
docker compose up -d
|
||||||
|
|||||||
@@ -1,11 +1,9 @@
|
|||||||
# Runs two services on the host:
|
# Runs the act_runner that listens to Gitea and spawns one job
|
||||||
# - act_runner — polls Gitea, spawns one job container per workflow
|
# container per workflow run. The job image (cargoxx-runner-job:latest)
|
||||||
# run via the host docker socket. Job image built reproducibly from
|
# is built reproducibly from runner/flake.nix — run `nix run .#load-image`
|
||||||
# runner/flake.nix (`nix run .#load-image`).
|
# in this directory to load it into the host's Docker daemon before
|
||||||
# - caddy — HTTPS-fronts the binary cache (./cache/store) so
|
# starting the runner.
|
||||||
# consumers' substituter config can read it. Custom ports because
|
version: "3.8"
|
||||||
# the router does PAT (port-forwarding 80→CADDY_HTTP_PORT,
|
|
||||||
# 443→CADDY_HTTPS_PORT). Set those in .env.
|
|
||||||
services:
|
services:
|
||||||
runner:
|
runner:
|
||||||
image: docker.io/gitea/act_runner:nightly
|
image: docker.io/gitea/act_runner:nightly
|
||||||
@@ -20,59 +18,3 @@ services:
|
|||||||
- ./config.yaml:/config.yaml:ro
|
- ./config.yaml:/config.yaml:ro
|
||||||
- ./data:/data
|
- ./data:/data
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
|
|
||||||
# archives here. Named volumes (defined below) make the same
|
|
||||||
# storage reachable from this runner container AND every job
|
|
||||||
# container act_runner spawns AND the caddy frontend below.
|
|
||||||
- cargoxx-cache-store:/srv/cargoxx-cache/store
|
|
||||||
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
|
|
||||||
|
|
||||||
caddy:
|
|
||||||
image: docker.io/caddy:2
|
|
||||||
restart: unless-stopped
|
|
||||||
ports:
|
|
||||||
- "${CADDY_HTTP_PORT:-8080}:${CADDY_HTTP_PORT:-8080}"
|
|
||||||
- "${CADDY_HTTPS_PORT:-8443}:${CADDY_HTTPS_PORT:-8443}"
|
|
||||||
environment:
|
|
||||||
CADDY_HTTP_PORT: "${CADDY_HTTP_PORT:-8080}"
|
|
||||||
CADDY_HTTPS_PORT: "${CADDY_HTTPS_PORT:-8443}"
|
|
||||||
volumes:
|
|
||||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
|
||||||
- cargoxx-cache-store:/srv/cache:ro
|
|
||||||
- caddy-data:/data
|
|
||||||
- caddy-config:/config
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
cargoxx-cache-store:
|
|
||||||
# Explicit name disables compose's project-prefix so spawned job
|
|
||||||
# containers (which don't know about compose) can reference the
|
|
||||||
# same volume by the same name.
|
|
||||||
name: cargoxx-cache-store
|
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
o: bind
|
|
||||||
device: "${PWD}/cache/store"
|
|
||||||
cargoxx-cache-keys:
|
|
||||||
name: cargoxx-cache-keys
|
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
o: bind
|
|
||||||
device: "${PWD}/cache/keys"
|
|
||||||
caddy-data:
|
|
||||||
# Caddy's own state: ACME account, issued certificates, OCSP
|
|
||||||
# staples. Persist so we don't re-issue certs every restart.
|
|
||||||
name: caddy-data
|
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
o: bind
|
|
||||||
device: "${PWD}/caddy/data"
|
|
||||||
caddy-config:
|
|
||||||
name: caddy-config
|
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
o: bind
|
|
||||||
device: "${PWD}/caddy/config"
|
|
||||||
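Review bot: `version: "3.8"` at line 642 is the only non-comment addition in the first hunk, and it is the obsolete top-level Compose `version` key: `docker compose` (V2, the command the README uses with `docker compose up -d`) ignores it and prints a warning, and nothing else in the file depends on it. Drop the line, or if it is meant to pin a schema for a legacy `docker-compose` binary, say so in a comment next to it. The rewritten header (lines 617–637) also lost the old wording that job containers are spawned "via the host docker socket", while the `/var/run/docker.sock` mount (context line 683) remains; proposed addition to the header: `# The runner container mounts the host Docker socket to spawn job containers, so it runs with host-daemon privileges.`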
|
|||||||
@@ -18,19 +18,9 @@ cache:
|
|||||||
container:
|
container:
|
||||||
network: bridge
|
network: bridge
|
||||||
privileged: false
|
privileged: false
|
||||||
# Bind the binary cache into every job container by referencing the
|
options: ""
|
||||||
# named volumes defined in compose.yml — those, in turn, are bound
|
|
||||||
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
|
|
||||||
# deployment-relative, not absolute.
|
|
||||||
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
|
|
||||||
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
|
|
||||||
workdir_parent: /workspace
|
workdir_parent: /workspace
|
||||||
# Whitelist regex of bind specs act_runner forwards to spawned job
|
valid_volumes: []
|
||||||
# containers. The regex matches the full `source:target[:opts]`
|
|
||||||
# string, so a permissive prefix is enough.
|
|
||||||
valid_volumes:
|
|
||||||
- "cargoxx-cache-store"
|
|
||||||
- "cargoxx-cache-keys"
|
|
||||||
docker_host: "unix:///var/run/docker.sock"
|
docker_host: "unix:///var/run/docker.sock"
|
||||||
force_pull: false
|
force_pull: false
|
||||||
|
|
||||||
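Review bot: `options: ""` (line 930) and `valid_volumes: []` (line 960) replace the previously explained bind settings with bare empty values and no comment, so the next reader cannot tell whether the empty allowlist is deliberate or a placeholder left over from the cache removal. The removed comment at lines 958–967 said `valid_volumes` is the allowlist of bind specs act_runner forwards into job containers, so an empty list is the strict setting and worth stating as intentional for a runner that validates external PRs. Proposed comment above `valid_volumes: []`: `# Empty allowlist: job containers may not bind any host volume; add a name or glob only when a job needs one.` and above `options: ""`: `# Extra docker-run flags for job containers; none needed now that the cache binds are gone.`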
|
|||||||