19468d38d8
refactor: migrate from S3 to Attic binary cache
Replace low-level S3 operations with native Attic client for better
performance, simplicity, and proper Nix binary cache protocol support.
Changes:
- Replace 'nix copy' + S3 with 'attic push'
- Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements
- Add ATTIC_TOKEN requirement (explicit per-repo security)
- Default to 'ci' cache instead of 'toph'
- Update Nomad fetch task to pull from Attic instead of S3
- Simplify push-nix-cache to single attic push command
- Update documentation with new security model
Security:
- ATTIC_TOKEN must be explicitly provided as Forgejo secret
- Prevents untrusted repos from pushing to cache
- Separate ci/toph caches for different trust levels
Benefits:
- Simpler: Single command instead of sign + copy + sync
- Faster: Native Attic protocol vs S3 object storage
- Safer: Explicit opt-in prevents unauthorized cache writes
- Standards-compliant: Proper Nix binary cache protocol
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-27 21:19:09 +01:00
694c591332
debug: check NOMAD_ADDR and reachability in deploy step
2026-02-19 01:43:27 +01:00
b7ba4c1c0a
fix(deploy-static-site): inject NOMAD_ADDR via runner, use shared nomad/jobs var
Remove hardcoded nomad-addr input — NOMAD_ADDR is now injected by the
Forgejo runner via container.options using host.docker.internal.
Switch Nomad Variable path from static-sites/s3 to nomad/jobs so all
jobs in the namespace can read it without explicit ACL policies.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-19 01:15:08 +01:00
bcca32baae
fix(deploy-static-site): remove nix profile install, tools provided by runner image
2026-02-19 00:24:36 +01:00
3f27f6b84f
fix(deploy-static-site): inline tool cache push to fix HOME expansion in with block
2026-02-18 22:25:06 +01:00
cc2f605905
fix(deploy-static-site): quote action_path in nix eval expr to handle @ in path
2026-02-18 22:03:55 +01:00
8edf272e90
fix(deploy-static-site): cache installed tools to S3 after first build
2026-02-18 22:02:29 +01:00
ae48e175e2
fix(deploy-static-site): remove namespace apply (pre-created in infra setup)
2026-02-18 21:52:45 +01:00
c0ba8096ba
fix(deploy-static-site): add nix profile bin to PATH after install
2026-02-18 18:23:51 +01:00
b094952455
feat: add push-nix-cache action, wire into deploy-static-site and build-static-server
Extracts sign+push logic into a reusable push-nix-cache action.
Both the site deploy and the image build now use it.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 13:38:06 +01:00
bc2885c5c7
feat: pin server image to digest at deploy time
2026-02-18 13:23:18 +01:00
af9a4e3e29
feat: auto-create static-sites namespace on deploy
2026-02-18 13:19:44 +01:00
4b1bbce9af
feat: make NIX_SIGNING_KEY optional, skip Nix cache push if unset
2026-02-18 13:18:11 +01:00
4af132296e
refactor: replace generate-job.py with nomad-job.nix, add flake-output input
Use nix eval --raw --impure + builtins.getEnv instead of Python for
Nomad job JSON generation. Add flake-output input (default: default)
so projects can build non-default outputs like docs.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 13:16:08 +01:00
95bf5517f7
fix: allow unfree for nomad install (BSL license)
2026-02-18 13:11:52 +01:00
644dfc4978
refactor: s3 endpoint+bucket as action inputs, secrets stay in env
S3_BUCKET and S3_ENDPOINT are config, not secrets. Move them to
inputs with defaults (s3.toph.so / nix-cache). Calling workflows
only need to supply AWS credentials, NIX_SIGNING_KEY, NOMAD_TOKEN.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 13:09:47 +01:00
55652569b2
feat: add deploy-static-site action, site-lib, images; remove deploy-oci-site
Content now served from S3 at runtime via shared static-server image.
- deploy-static-site: reads creds from Nomad vars, builds site, pushes
tarball to S3, generates per-domain Nomad job JSON, deploys
- generate-job.py: emits Nomad job JSON for a static site deployment
- site-lib/flake.nix: mkSite helper, packages.default + devShells only
- images/flake.nix: shared static-server OCI image (sws + awscli2 + tools)
- images CI: builds and pushes static-server on images/flake.nix changes
- deploy-oci-site: removed (superseded by deploy-static-site)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 11:27:27 +01:00