From 53cd55a9e118315890e2ee4f9b5eb4e2c533568f Mon Sep 17 00:00:00 2001
From: Jon Seager
Date: Thu, 11 Jan 2024 21:48:58 +0000
Subject: [PATCH] ci: deploy to Fly using nix built container
---
 .github/workflows/publish.yaml | 34 ++++++++++++++---
 Dockerfile | 39 -------------------
 flake.nix | 70 +++++++++++++++++++++-------------
 fly.toml | 4 --
 4 files changed, 72 insertions(+), 75 deletions(-)
 delete mode 100644 Dockerfile
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 20a26c2..1bee80a 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -3,13 +3,37 @@ on:
 push:
 branches:
 - main
-env:
- FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+permissions:
+ packages: write
+
 jobs:
 deploy:
 name: Deploy app
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: superfly/flyctl-actions/setup-flyctl@master
- - run: flyctl deploy --remote-only --no-cache
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup magic-nix-cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
+ - name: Build container
+ run: |
+ nix build .#container
+
+ - name: Upload container to ghcr.io
+ run: |
+ sudo -E nix run nixpkgs#skopeo -- \
+ --insecure-policy copy \
+ oci-archive:./result \
+ "docker://ghcr.io/jnsgruk/jnsgr.uk:$GITHUB_SHA" \
+ --dest-creds "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Deploy site
+ run: |
+ nix run nixpkgs#flyctl -- auth login -t ${{ secrets.FLY_API_TOKEN }}
+ nix run nixpkgs#flyctl -- deploy -i "ghcr.io/jnsgruk/jnsgr.uk:$GITHUB_SHA"
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 9303b32..0000000
--- a/Dockerfile
+++ /dev/null
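Review bot: The new `Deploy site` step puts the Fly token on the command line (`auth login -t ${{ secrets.FLY_API_TOKEN }}`), which exposes it in the runner's process arguments, whereas the removed `env:` block used the form flyctl reads natively; I would drop the `auth login` line and give the step `env:` with `FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}`. The same applies to `${{ github.actor }}` in the skopeo step: expanding expressions into `run:` scripts is the pattern GitHub warns about, and passing the value through `env:` avoids it. `DeterminateSystems/magic-nix-cache-action@main` is a mutable reference for an action that runs in the same job that later handles both secrets and has `packages: write`; pin it to a tag or commit SHA like the two actions above it. `nixpkgs#skopeo` and `nixpkgs#flyctl` presumably resolve through the runner's flake registry rather than this repository's lock file, so the tools that push and deploy are unpinned; since this commit adds both to the devShell, `nix develop -c skopeo …` / `nix develop -c flyctl …` would tie them to `flake.lock`.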
@@ -1,39 +0,0 @@
-FROM alpine:latest as build
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-# Specify version of Gosherve
-ENV GOSHERVE_VERSION 0.2.3
-ENV HUGO_VERSION 0.121.2
-# Copy the source code into the build container
-COPY . /home/gosherve/src
-# Install dependencies and set permissions
-RUN adduser -D gosherve && \
- apk add --no-cache ca-certificates go git && \
- chown -R gosherve: /home/gosherve
-# Change user and directory
-USER gosherve
-WORKDIR /home/gosherve/src
-
-# Fetch Hugo, compile the Hugo page and fetch gosherve
-RUN wget -qO /tmp/hugo.tar.gz "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_linux-amd64.tar.gz" && \
- tar -C /tmp -xvzf /tmp/hugo.tar.gz && \
- /tmp/hugo --minify && \
- # Fetch gosherve
- wget -qO /tmp/gosherve.tar.gz "https://github.com/jnsgruk/gosherve/releases/download/${GOSHERVE_VERSION}/gosherve_${GOSHERVE_VERSION}_linux_x86_64.tar.gz" && \
- # Untar the executable
- tar -C /tmp -xvzf /tmp/gosherve.tar.gz
-
-FROM scratch
-# Copy the passwd file so we run as a non-priv user
-COPY --from=build /etc/passwd /etc/passwd
-# Install SSL certificates so the server can fetch the redirect map
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-# Copy in the website source
-COPY --from=build /home/gosherve/src/public /public/
-# Add the gosherve binary
-COPY --from=build /tmp/gosherve /gosherve
-# Switch user
-USER gosherve
-# Set entrypoint
-EXPOSE 8080
-EXPOSE 8081
-ENTRYPOINT [ "/gosherve" ]
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 8a15e85..af62587 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,36 +20,50 @@
 });
 in
 {
- packages = forAllSystems (system:
- let
- inherit (pkgsForSystem system) buildGoModule hugo cacert;
- inherit (self) lastModifiedDate;
- version = self.rev or self.dirtyRev or "dirty";
- in
- rec {
- default = jnsgruk;
- jnsgruk = buildGoModule {
- inherit version;
- pname = "jnsgruk";
- src = self;
- vendorHash = "sha256-bHGM+4aL2rjddEGXd4RGUFLK7/gTc2fMGa4KqLou0lk=";
- buildInputs = [ cacert ];
- nativeBuildInputs = [ hugo ];
+ packages = forAllSystems
+ (system:
+ let
+ inherit (pkgsForSystem system) buildGoModule buildEnv dockerTools hugo lib cacert;
+ inherit (self) lastModifiedDate;
+ version = self.rev or "dirty";
+ in
+ rec {
+ default = jnsgruk;
+ jnsgruk = buildGoModule {
+ inherit version;
+ pname = "jnsgruk";
+ src = lib.cleanSource ./.;
+ vendorHash = "sha256-bHGM+4aL2rjddEGXd4RGUFLK7/gTc2fMGa4KqLou0lk=";
+ buildInputs = [ cacert ];
+ nativeBuildInputs = [ hugo ];
 
- preBuild = ''
- go generate ./...
- '';
+ preBuild = ''
+ go generate ./...
+ '';
 
- ldflags = [
- "-X main.commit=${version}"
- "-X main.date=${lastModifiedDate}"
- ];
+ ldflags = [
+ "-X main.commit=${version}"
+ "-X main.date=${lastModifiedDate}"
+ ];
 
- postInstall = ''
- mv $out/bin/jnsgr.uk $out/bin/jnsgruk
- '';
- };
- });
+ postInstall = ''
+ mv $out/bin/jnsgr.uk $out/bin/jnsgruk
+ '';
+ };
+
+ container = dockerTools.buildImage {
+ name = "jnsgruk/jnsgr.uk";
+ tag = version;
+ created = "now";
+ copyToRoot = buildEnv {
+ name = "image-root";
+ paths = [ jnsgruk cacert ];
+ pathsToLink = [ "/bin" "/etc/ssl/certs" ];
+ };
+ config.Entrypoint = [ "${jnsgruk}/bin/jnsgruk" ];
+ config.User = "1000:1000";
+ };
+ });
 
 devShells = forAllSystems (system:
 let
@@ -65,6 +79,8 @@
 gofumpt
 gopls
 hugo
+ flyctl
+ skopeo
 zsh
 ];
 shellHook = "exec zsh";
diff --git a/fly.toml b/fly.toml
index c73ecfe..98b10af 100644
--- a/fly.toml
+++ b/fly.toml
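Review bot: `created = "now"` in the new `container` derivation makes the image non-reproducible: two builds of the same commit produce different image digests, so the pushed image can no longer be rebuilt and verified bit-for-bit, which gives up much of the supply-chain benefit of building it with nix instead of the deleted Dockerfile. I would drop that line and let the default fixed timestamp stand, with the `$GITHUB_SHA` tag carrying provenance; if a real date is wanted, derive it from `lastModifiedDate`, which the `let` block already inherits, rather than from the wall clock. `config.User = "1000:1000"` is a good non-root default, but the image carries no `/etc/passwd`, so a comment such as `# numeric uid:gid on purpose — no /etc/passwd in the image` would stop the next reader from trying to add a named user. Note also that `version = self.rev or "dirty"` drops the `self.dirtyRev` fallback the old code had, so a dirty checkout now tags the image `dirty`; confirm that is intended. The enclosing `let … in { … }` block begins and ends outside this hunk.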
@@ -11,10 +11,6 @@ kill_timeout = "5s"
 [experimental]
 auto_rollback = true
 
-[env]
- GOSHERVE_REDIRECT_MAP_URL = "https://gist.githubusercontent.com/jnsgruk/b590f114af1b041eeeab3e7f6e9851b7/raw"
- GOSHERVE_WEBROOT = "./public"
-
 [[services]]
 protocol = "tcp"
 internal_port = 8080