Document and clean up substituter configuration (#14)

flox · Jun 9, 2023 · b5d2e8c · b5d2e8c · aakropotkin · Jun 9, 2023
1 parent 87d4bf1
commit b5d2e8c
Show file tree

Hide file tree

Showing 4 changed files with 108 additions and 22 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -33,24 +33,37 @@ jobs:
           - package: nixpkgs#jq
 
     steps:
+      - uses: "actions/checkout@v3"
       - name: Install flox
-        uses: flox/install-flox-action@main
+        uses: "./"
         with:
           substituter: "file://${{ runner.temp }}/nixcache"
           substituter-options: ""
+          # NOTE: This should be coming from the secrets conext.
+          # We're using the testing-only key here for testing purposes only!
+          # See for https://docs.github.com/en/actions/learn-github-actions/contexts#secrets-context more info.
           substituter-key: "testing-only:77peiBuSA5nrF81iUqmWef67KajfGpzqcqPOIfz/qyrJQMaV5w7xdt8VCKrThI7Eu0T94shSuAj1ferF78bpww=="
 
       - name: Build
         run: |
           flox nix build --json -L --print-out-paths ${{ matrix.package }}
-          rm result*
 
-      - name: Cache
+      - name: Clean results
+        run: |
+          rm -rf result*
+
+      - name: Clean cache
         run: |
           sudo rm -rf ${{ runner.temp }}/nixcache
+
+      - name: Cache
+        run: |
           flox nix copy --to "$FLOX_SUBSTITUTER" -vv ${{ matrix.package }}
 
-      - name: Build with caching
+      - name: Collect garbage
         run: |
           flox nix store gc
+
+      - name: Build with caching
+        run: |
           flox nix build -j0 --json -L --print-out-paths ${{ matrix.package }}
diff --git a/README.md b/README.md
@@ -80,6 +80,48 @@ jobs:
       run: flox build
 ```
 
+### Using substituters for caching
+
+You can have this action configure the substitutes for you. This will allow you to push build artifacts to a remote Nix store, and have subsequent builds substitute paths using that same store.
+
+See [nix help-stores] for more information on the supported URIs.
+
+[nix help-stores]: https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-help-stores.html
+
+The following example configures a S3 substituter, builds a package, and pushes the artifact to the substituter. Subsequent runs of this workflow will use the substituted path, instead of building it again.
+
+```yml
+name: "Build, push and use substituters"
+
+on:
+  push:
+
+jobs:
+  substituter-build:
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Install flox
+      uses: flox/install-flox-action@testing
+      with:
+        github-access-token: ${{ secrets.NIX_GIT_TOKEN }}
+        substituter: s3://your-cache-here # see `nix help-stores` for supported uris
+        substituter-key: ${{ secrets.FLOX_STORE_PUBLIC_NIX_SECRET_KEY }}
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+    - name: Build
+      run: |
+        flox nix build --json -L --print-out-paths nixpkgs#hello
+
+    - name: Cache
+      run: |
+        flox nix copy --to "$FLOX_SUBSTITUTER" -v nixpkgs#hello
+```
+
 ## 📫 Have a question? Want to chat? Ran into a problem?
 
 We are happy to welcome you to our [Discourse forum][discourse] and answer your

diff --git a/action.yml b/action.yml
@@ -58,7 +58,6 @@ runs:
         INPUTS_SSH_AUTH_SOCK: "${{ inputs.ssh-auth-sock }}"
         INPUTS_GITHUB_ACCESS_TOKEN: "${{ inputs.github-access-token }}"
 
-
     - name: "Create Nix store cache"
       uses: "actions/cache@v3.0.8"
       id: "nix-cache"
@@ -77,6 +76,18 @@ runs:
       shell: "bash"
       run: "${{ github.action_path }}/install-flox.sh"
 
+    - name: "Setup substituter"
+      if: "inputs.substituter != ''"
+      shell: "bash"
+      run: "${{ github.action_path }}/configure-substituter.sh"
+      env:
+        INPUT_SUBSTITUTER: "${{ inputs.substituter }}"
+        INPUT_SUBSTITUTER_KEY: "${{ inputs.substituter-key }}"
+        INPUT_SUBSTITUTER_OPTIONS: "${{ inputs.substituter-options }}"
+        INPUT_AWS_ACCESS_KEY_ID: "${{ inputs.aws-access-key-id }}"
+        INPUT_AWS_SECRET_ACCESS_KEY: "${{ inputs.aws-secret-access-key }}"
+
+
     - name: "Enable using Nix post-build-hook on each built path"
       if: "inputs.post-build-hook != ''"
       shell: "bash"
@@ -85,23 +96,6 @@ runs:
         echo "post-build-hook = /etc/nix/post-build-hook" | sudo tee -a /etc/nix/nix.conf
         sudo chmod +x /tmp/post-build-hook
 
-    - name: "Setup substituter"
-      if: "inputs.substituter != ''"
-      shell: "bash"
-      run: |
-        echo "${{ inputs.substituter-key }}" > /tmp/secret-key
-        echo "FLOX_SUBSTITUTER=${{ inputs.substituter }}${{ inputs.substituter-options }}" >> "$GITHUB_ENV"
-        echo "${{ inputs.substituter-key }}" | flox nix key convert-secret-to-public | sed 's/^/extra-trusted-public-keys = /'  | sudo tee -a /etc/nix/nix.conf
-        echo | sudo tee -a /etc/nix/nix.conf
-        echo '${{ inputs.substituter }}' | sed 's/^/extra-substituters = /'  | sudo tee -a /etc/nix/nix.conf
-        sudo mkdir -p /etc/systemd/system/nix-daemon.service.d
-        printf "%s\n" '[Service]' 'Environment=AWS_ACCESS_KEY_ID=${{ inputs.aws-access-key-id }}' 'Environment=AWS_SECRET_ACCESS_KEY=${{ inputs.aws-secret-access-key }}' | sudo tee /etc/systemd/system/nix-daemon.service.d/aws-credentials.conf
-        echo "AWS_ACCESS_KEY_ID=${{ inputs.aws-access-key-id }}" >> "$GITHUB_ENV"
-        echo "AWS_SECRET_ACCESS_KEY=${{ inputs.aws-secret-access-key }}" >> "$GITHUB_ENV"
-        sudo systemctl cat nix-daemon.service
-        sudo systemctl daemon-reload
-        sudo systemctl restart nix-daemon.service
-
     - name: "Enable exporting Nix store to cache"
       if: "inputs.cache-key != ''"
       shell: "bash"

diff --git a/configure-substituter.sh b/configure-substituter.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "::group::Setting up substituter ${INPUT_SUBSTITUTER}"
+
+echo "${INPUT_SUBSTITUTER_KEY}" >/tmp/secret-key
+
+echo "Populating the environment with the substituter's URL and options, and AWS's credentials"
+{
+	echo "FLOX_SUBSTITUTER=${INPUT_SUBSTITUTER}${INPUT_SUBSTITUTER_OPTIONS}"
+	echo "${INPUT_AWS_ACCESS_KEY_ID}"
+	echo "${INPUT_AWS_SECRET_ACCESS_KEY}"
+} >>"${GITHUB_ENV}"
+
+echo "Making the Nix daemon aware of the substituter"
+{
+	EXTRA_TRUSTED_PUBLIC_KEY=$(echo "${INPUT_SUBSTITUTER_KEY}" | nix key convert-secret-to-public)
+	echo "extra-trusted-public-keys = ${EXTRA_TRUSTED_PUBLIC_KEY}"
+	echo "extra-substituters = ${INPUT_SUBSTITUTER}"
+} | sudo tee -a /etc/nix/nix.conf >/dev/null
+
+echo "Making the Nix daemon aware of the AWS credentials"
+
+sudo mkdir -p /etc/systemd/system/nix-daemon.service.d
+printf "%s\n" \
+	'[Service]' \
+	"Environment=AWS_ACCESS_KEY_ID=${INPUT_AWS_ACCESS_KEY_ID}" \
+	"Environment=AWS_SECRET_ACCESS_KEY=${INPUT_AWS_SECRET_ACCESS_KEY}" |
+	sudo tee -a /etc/systemd/system/nix-daemon.service.d/aws-credentials.conf >/dev/null
+
+echo "Restarting the Nix daemon"
+
+sudo systemctl daemon-reload
+sudo systemctl restart nix-daemon.service
+
+echo "::endgroup::"