diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml index 7edeb02de..7e77059ba 100644 --- a/.github/actions/nix-install-ephemeral/action.yml +++ b/.github/actions/nix-install-ephemeral/action.yml @@ -42,9 +42,11 @@ runs: NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }} - uses: NixOS/nix-installer-action@d6ef7ecd8f685af89869e5aca0580a33e3e3150c with: - installer-version: 2.33.1 + installer-version: 2.32.5 extra-conf: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }} + extra-experimental-features = auto-allocate-uids cgroups + auto-allocate-uids = true max-jobs = 4 diff --git a/.github/workflows/ansible-test.yml b/.github/workflows/ansible-test.yml new file mode 100644 index 000000000..2b75b5a22 --- /dev/null +++ b/.github/workflows/ansible-test.yml @@ -0,0 +1,27 @@ +name: Ansible Test + +on: + pull_request: + merge_group: + workflow_dispatch: + +permissions: + id-token: write + +jobs: + ansible-test: + runs-on: ubuntu-latest + steps: + - name: Checkout Repo + uses: supabase/postgres/.github/actions/shared-checkout@HEAD + + - name: Install nix + uses: ./.github/actions/nix-install-ephemeral + with: + push-to-cache: 'true' + env: + DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }} + NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }} + + - name: Run Ansible Test + run: nix run .#ansible-test diff --git a/.github/workflows/check-system-manager.yml b/.github/workflows/check-system-manager.yml new file mode 100644 index 000000000..9c1fb934d --- /dev/null +++ b/.github/workflows/check-system-manager.yml @@ -0,0 +1,27 @@ +name: Check System Manager + +on: + pull_request: + merge_group: + workflow_dispatch: + +permissions: + id-token: write + +jobs: + check-system-manager: + runs-on: ubuntu-latest + steps: + - name: Checkout Repo + uses: supabase/postgres/.github/actions/shared-checkout@HEAD + + - name: Install nix + uses: ./.github/actions/nix-install-ephemeral + with: + push-to-cache: 'true' + env: + DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }} + NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }} + + - name: Run check-system-manager + run: nix build .#checks.x86_64-linux.check-system-manager -L diff --git a/ansible/tasks/setup-nix.yml b/ansible/tasks/setup-nix.yml new file mode 100644 index 000000000..9675677dd --- /dev/null +++ b/ansible/tasks/setup-nix.yml @@ -0,0 +1,11 @@ +--- +- name: Check if nix is installed + ansible.builtin.command: which nix + register: nix_installed + failed_when: nix_installed.rc != 0 + ignore_errors: true + +- name: Install nix + ansible.builtin.shell: curl --proto '=https' --tlsv1.2 -sSf -L https://artifacts.nixos.org/experimental-installer | sh -s -- install --no-confirm --extra-conf 'substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com' --extra-conf 'trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=' + when: nix_installed.rc != 0 + become: true diff --git a/ansible/tasks/setup-system-manager.yml b/ansible/tasks/setup-system-manager.yml new file mode 100644 index 000000000..990af5120 --- /dev/null +++ b/ansible/tasks/setup-system-manager.yml @@ -0,0 +1,7 @@ +--- +- name: Deploy system manager + ansible.builtin.shell: | + . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + cd /tmp + nix run --accept-flake-config /flake#system-manager -- switch --flake /flake + become: true diff --git a/ansible/tests/nix.yaml b/ansible/tests/nix.yaml new file mode 100644 index 000000000..44e5fa19e --- /dev/null +++ b/ansible/tests/nix.yaml @@ -0,0 +1,8 @@ +--- +- name: Test nix setup and system-manager deployment + hosts: localhost + tasks: + - name: Setup nix + ansible.builtin.import_tasks: ../tasks/setup-nix.yml + - name: Setup system-manager + ansible.builtin.import_tasks: ../tasks/setup-system-manager.yml diff --git a/ansible/tests/test_nix.py b/ansible/tests/test_nix.py new file mode 100644 index 000000000..606aa5a26 --- /dev/null +++ b/ansible/tests/test_nix.py @@ -0,0 +1,10 @@ +import pytest + + +@pytest.fixture(scope="module", autouse=True) +def run_ansible(run_ansible_playbook): + run_ansible_playbook("nix.yaml", verbose=True) + + +def test_nix_service(host): + assert host.service("nix-daemon.service").is_running diff --git a/flake.lock b/flake.lock index d2f121414..315b42a30 100644 --- a/flake.lock +++ b/flake.lock @@ -36,6 +36,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -54,6 +70,28 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "system-manager", + "userborn", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -115,6 +153,29 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "system-manager", + "userborn", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nix": { "flake": false, "locked": { @@ -256,6 +317,34 @@ "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "system-manager", + "userborn", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "system-manager", + "userborn", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1769069492, + "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "devshell": "devshell", @@ -268,6 +357,7 @@ "nixpkgs": "nixpkgs_2", "nixpkgs-oldstable": "nixpkgs-oldstable", "rust-overlay": "rust-overlay", + "system-manager": "system-manager", "treefmt-nix": "treefmt-nix" } }, @@ -291,6 +381,28 @@ "type": "github" } }, + "system-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "userborn": "userborn" + }, + "locked": { + "lastModified": 1770379612, + "narHash": "sha256-f6BiRYbTXiwe6oF1IRmvl0PTTt/LJ1cEuVt0wDc0O2A=", + "owner": "numtide", + "repo": "system-manager", + "rev": "ac6e466dafd72a627b2040b497c8a27c06a03acd", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "fix-shadow-perm-owner", + "repo": "system-manager", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -306,6 +418,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -325,6 +452,32 @@ "repo": "treefmt-nix", "type": "github" } + }, + "userborn": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "system-manager", + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1770377964, + "narHash": "sha256-q2pnlX2IW0kg80GLFnwWd/GigIpkuZnyKPLhrgJql3E=", + "owner": "jfroche", + "repo": "userborn", + "rev": "55c2cd7952c207a62736a5bbd9499ea73da18d24", + "type": "github" + }, + "original": { + "owner": "jfroche", + "ref": "system-manager", + "repo": "userborn", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 2145185d1..4364545f5 100644 --- a/flake.nix +++ b/flake.nix @@ -29,6 +29,8 @@ rust-overlay.url = "github:oxalica/rust-overlay"; treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; treefmt-nix.url = "github:numtide/treefmt-nix"; + system-manager.inputs.nixpkgs.follows = "nixpkgs"; + system-manager.url = "github:numtide/system-manager/fix-shadow-perm-owner"; }; outputs = @@ -50,6 +52,8 @@ nix/nixpkgs.nix nix/packages nix/overlays + nix/systemModules + nix/systemConfigs.nix ]; }); } diff --git a/nix/packages/ansible-test.nix b/nix/packages/ansible-test.nix index 6aaec68b3..e7dfb9289 100644 --- a/nix/packages/ansible-test.nix +++ b/nix/packages/ansible-test.nix @@ -1,4 +1,7 @@ -{ self, pkgs }: +{ + self, + pkgs, +}: pkgs.writeShellApplication { name = "ansible-test"; runtimeInputs = with pkgs; [ diff --git a/nix/packages/default.nix b/nix/packages/default.nix index f4fdaa695..3501244f1 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -33,9 +33,9 @@ { packages = ( { + ansible-test = pkgs.callPackage ./ansible-test.nix { inherit self; }; build-ami = pkgs.callPackage ./build-ami.nix { packer = self'.packages.packer; }; build-test-ami = pkgs.callPackage ./build-test-ami.nix { packer = self'.packages.packer; }; - ansible-test = pkgs.callPackage ./ansible-test.nix { inherit self; }; cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { }; dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; }; docker-ansible-test = pkgs.callPackage ./docker-ansible-test.nix { @@ -80,6 +80,7 @@ inherit (self'.packages) overlayfs-on-package; }; sync-exts-versions = pkgs.callPackage ./sync-exts-versions.nix { inherit (inputs') nix-editor; }; + system-manager = inputs'.system-manager.packages.default; trigger-nix-build = pkgs.callPackage ./trigger-nix-build.nix { }; update-readme = pkgs.callPackage ./update-readme.nix { }; inherit (pkgs.callPackage ./wal-g.nix { }) wal-g-2; diff --git a/nix/systemConfigs.nix b/nix/systemConfigs.nix new file mode 100644 index 000000000..7f50ded93 --- /dev/null +++ b/nix/systemConfigs.nix @@ -0,0 +1,30 @@ +{ self, inputs, ... }: +let + mkModules = system: [ + ({ + services.nginx.enable = true; + nixpkgs.hostPlatform = system; + }) + ]; + + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + + mkSystemConfig = system: { + name = system; + value.default = inputs.system-manager.lib.makeSystemConfig { + modules = mkModules system; + extraSpecialArgs = { + inherit self; + inherit system; + }; + }; + }; +in +{ + flake = { + systemConfigs = builtins.listToAttrs (map mkSystemConfig systems); + }; +} diff --git a/nix/systemModules/default.nix b/nix/systemModules/default.nix new file mode 100644 index 000000000..4810dff46 --- /dev/null +++ b/nix/systemModules/default.nix @@ -0,0 +1,14 @@ +{ + flake-parts-lib, + withSystem, + self, + ... +}: +{ + imports = [ ./tests ]; + flake = { + systemModules = { + nginx = flake-parts-lib.importApply ./nginx.nix { inherit withSystem self; }; + }; + }; +} diff --git a/nix/systemModules/tests/default.nix b/nix/systemModules/tests/default.nix new file mode 100644 index 000000000..e959f6321 --- /dev/null +++ b/nix/systemModules/tests/default.nix @@ -0,0 +1,33 @@ +{ self, inputs, ... }: +{ + perSystem = + { + lib, + pkgs, + ... + }: + { + checks = lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux { + check-system-manager = + let + toplevel = self.systemConfigs.${pkgs.system}.default; + in + inputs.system-manager.lib.containerTest.makeContainerTest { + hostPkgs = pkgs; + name = "check-system-manager"; + inherit toplevel; + testScript = '' + start_all() + + machine.wait_for_unit("multi-user.target") + + machine.activate() + machine.wait_for_unit("system-manager.target") + + with subtest("Verify nginx service"): + assert machine.service("nginx").is_running, "nginx should be running" + ''; + }; + }; + }; +}