ci: deploy to Fly using nix built container

.github/workflows/publish.yaml

@@ -3,13 +3,37 @@ on:
   push:
     branches:
       - main
-env:
-  FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+permissions:
+  packages: write
+
 jobs:
   deploy:
     name: Deploy app
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: superfly/flyctl-actions/setup-flyctl@master
-      - run: flyctl deploy --remote-only --no-cache
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Setup magic-nix-cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Build container
+        run: |
+          nix build .#container
+
+      - name: Upload container to ghcr.io
+        run: |
+          sudo -E nix run nixpkgs#skopeo -- \
+            --insecure-policy copy \
+            oci-archive:./result \
+            "docker://ghcr.io/jnsgruk/jnsgr.uk:$GITHUB_SHA" \
+            --dest-creds "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Deploy site
+        run: |
+          nix run nixpkgs#flyctl -- auth login -t ${{ secrets.FLY_API_TOKEN }}
+          nix run nixpkgs#flyctl -- deploy -i "ghcr.io/jnsgruk/jnsgr.uk:$GITHUB_SHA"

flake.nix

@@ -20,36 +20,50 @@
       });
     in
     {
-      packages = forAllSystems (system:
-        let
-          inherit (pkgsForSystem system) buildGoModule hugo cacert;
-          inherit (self) lastModifiedDate;
-          version = self.rev or self.dirtyRev or "dirty";
-        in
-        rec {
-          default = jnsgruk;
-          jnsgruk = buildGoModule {
-            inherit version;
-            pname = "jnsgruk";
-            src = self;
-            vendorHash = "sha256-bHGM+4aL2rjddEGXd4RGUFLK7/gTc2fMGa4KqLou0lk=";
-            buildInputs = [ cacert ];
-            nativeBuildInputs = [ hugo ];
+      packages = forAllSystems
+        (system:
+          let
+            inherit (pkgsForSystem system) buildGoModule buildEnv dockerTools hugo lib cacert;
+            inherit (self) lastModifiedDate;
+            version = self.rev or "dirty";
+          in
+          rec {
+            default = jnsgruk;
+            jnsgruk = buildGoModule {
+              inherit version;
+              pname = "jnsgruk";
+              src = lib.cleanSource ./.;
+              vendorHash = "sha256-bHGM+4aL2rjddEGXd4RGUFLK7/gTc2fMGa4KqLou0lk=";
+              buildInputs = [ cacert ];
+              nativeBuildInputs = [ hugo ];
 
-            preBuild = ''
-              go generate ./...
-            '';
+              preBuild = ''
+                go generate ./...
+              '';
 
-            ldflags = [
-              "-X main.commit=${version}"
-              "-X main.date=${lastModifiedDate}"
-            ];
+              ldflags = [
+                "-X main.commit=${version}"
+                "-X main.date=${lastModifiedDate}"
+              ];
 
-            postInstall = ''
-              mv $out/bin/jnsgr.uk $out/bin/jnsgruk
-            '';
-          };
-        });
+              postInstall = ''
+                mv $out/bin/jnsgr.uk $out/bin/jnsgruk
+              '';
+            };
+
+            container = dockerTools.buildImage {
+              name = "jnsgruk/jnsgr.uk";
+              tag = version;
+              created = "now";
+              copyToRoot = buildEnv {
+                name = "image-root";
+                paths = [ jnsgruk cacert ];
+                pathsToLink = [ "/bin" "/etc/ssl/certs" ];
+              };
+              config.Entrypoint = [ "${jnsgruk}/bin/jnsgruk" ];
+              config.User = "1000:1000";
+            };
+          });
 
       devShells = forAllSystems (system:
         let
@@ -65,6 +79,8 @@
               gofumpt
               gopls
               hugo
+              flyctl
+              skopeo
               zsh
             ];
             shellHook = "exec zsh";

fly.toml

@@ -11,10 +11,6 @@ kill_timeout = "5s"
 [experimental]
   auto_rollback = true
 
-[env]
-  GOSHERVE_REDIRECT_MAP_URL = "https://gist.githubusercontent.com/jnsgruk/b590f114af1b041eeeab3e7f6e9851b7/raw"
-  GOSHERVE_WEBROOT = "./public"
-
 [[services]]
   protocol = "tcp"
   internal_port = 8080