From 3a2686f358514095a6315bdeb21a0752352eaff3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Fri, 13 May 2022 23:24:44 +0200
Subject: [PATCH] move ci to garnix

---
 .github/workflows/test.yml | 28 ++-------------------------
 .gitlab-ci.yml             |  8 --------
 flake.lock                 |  6 +++---
 flake.nix                  | 39 +++++++++++++++++++++++++-------------
 unit-tests.nix             |  3 +--
 5 files changed, 32 insertions(+), 52 deletions(-)
 delete mode 100644 .gitlab-ci.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9722d27..97d2668 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,35 +5,11 @@ on:
     - cron:  '51 2 * * *'
 jobs:
   tests:
-    strategy:
-      matrix:
-        nixPath:
-          - nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-21.05.tar.gz
-          - nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz
-        os: [ ubuntu-latest, macos-latest ]
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
     - uses: cachix/install-nix-action@v17
-      with:
-        nix_path: "${{ matrix.nixPath }}"
-    - name: Setup cachix
-      uses: cachix/cachix-action@v10
-      with:
-        name: mic92
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
     - name: Add keys group (needed for go tests)
       run: sudo groupadd keys
-      if: matrix.os == 'ubuntu-latest'
-    - name: Run lint
-      run: nix-build --no-out-link default.nix -A lint
-      if: matrix.os == 'ubuntu-latest'
-    - name: List flake structure
-      run: nix flake show
-    - name: Run flake check (flake)
-      run: nix flake check -L
-    # this should be the same as `nix flake check`
-    - name: Build nix packages
-      run: nix-build --no-out-link release.nix
     - name: Run unit tests
-      run: nix-shell --no-out-link ./unit-tests.nix --argstr sudo "$(command -v sudo)" --pure --run 'true'
+      run: nix develop .#unit-tests --command "true"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index f951f02..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-stages:
-  - build
-
-build-job:
-  stage: build
-  script:
-    - nix-build -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixpkgs-unstable.tar.gz -A sops-install-secrets.tests
-    - nix-build -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz -A sops-install-secrets.tests
diff --git a/flake.lock b/flake.lock
index 3336199..3f1e19c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1638097282,
-        "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
+        "lastModified": 1652252629,
+        "narHash": "sha256-SvT64apetqc8P5nYp1/fOZvUmHUPdPFUZbhSpKy+1aI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
+        "rev": "d2fc6856824cb87742177eefc8dd534bdb6c3439",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index d345af1..5991bff 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,12 @@
 {
   description = "Integrates sops into nixos";
   inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-  outputs = { self, nixpkgs }: let
+  nixConfig.extra-substituters = ["https://cache.garnix.io"];
+  nixConfig.extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="];
+  outputs = {
+    self,
+    nixpkgs,
+  }: let
     systems = [
       "x86_64-linux"
       "i686-linux"
@@ -13,21 +18,29 @@
     ];
     forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
   in {
-    overlay = final: prev:
-      let
-        localPkgs = import ./default.nix { pkgs = final; };
-      in {
-        inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook sops-ssh-to-age;
-        # backward compatibility
-        inherit (prev) ssh-to-pgp;
-      };
+    overlay = final: prev: let
+      localPkgs = import ./default.nix {pkgs = final;};
+    in {
+      inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook sops-ssh-to-age;
+      # backward compatibility
+      inherit (prev) ssh-to-pgp;
+    };
     nixosModules.sops = import ./modules/sops;
     nixosModule = self.nixosModules.sops;
-    packages = forAllSystems (system: import ./default.nix {
-      pkgs = import nixpkgs { inherit system; };
-    });
-    checks = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ]
+    packages = forAllSystems (system:
+      import ./default.nix {
+        pkgs = import nixpkgs {inherit system;};
+      });
+    checks =
+      nixpkgs.lib.genAttrs ["x86_64-linux" "aarch64-linux"]
       (system: self.packages.${system}.sops-install-secrets.tests);
     defaultPackage = forAllSystems (system: self.packages.${system}.sops-init-gpg-key);
+    devShell = forAllSystems (
+      system:
+        nixpkgs.legacyPackages.${system}.callPackage ./shell.nix {}
+    );
+    devShells = forAllSystems (system: {
+      unit-tests = nixpkgs.legacyPackages.${system}.callPackage ./unit-tests.nix {};
+    });
   };
 }
diff --git a/unit-tests.nix b/unit-tests.nix
index 7483fa0..20029a7 100644
--- a/unit-tests.nix
+++ b/unit-tests.nix
@@ -1,5 +1,4 @@
 { pkgs ? import <nixpkgs> {}
-, sudo ? "sudo"
 }:
 let
   sopsPkgs = import ./. { inherit pkgs; };
@@ -22,7 +21,7 @@ in pkgs.stdenv.mkDerivation {
     NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
       sops-pgp-hook.test
     ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
-      ${sudo} TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
+      sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
         unshare --mount --fork sops-install-secrets.test
     ''}
   '';