Replace low-level S3 operations with native Attic client for better performance, simplicity, and proper Nix binary cache protocol support.

Changes:
- Replace 'nix copy' + S3 with 'attic push'
- Remove S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY requirements
- Add ATTIC_TOKEN requirement (explicit per-repo security)
- Default to 'ci' cache instead of 'toph'
- Update Nomad fetch task to pull from Attic instead of S3
- Simplify push-nix-cache to single attic push command
- Update documentation with new security model

Security:
- ATTIC_TOKEN must be explicitly provided as Forgejo secret
- Prevents untrusted repos from pushing to cache
- Separate ci/toph caches for different trust levels

Benefits:
- Simpler: Single command instead of sign + copy + sync
- Faster: Native Attic protocol vs S3 object storage
- Safer: Explicit opt-in prevents unauthorized cache writes
- Standards-compliant: Proper Nix binary cache protocol

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
# deploy-static-site

Builds a Nix flake site, uploads a tarball to S3, and deploys it via Nomad using a shared static-server container image. Content is fetched from S3 at container startup — nothing is baked into the image.

## Usage

```yaml
- uses: https://git.toph.so/toph/ci-actions/deploy-static-site@main
  with:
    domain: example.com
  env:
    NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
    AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_KEY }}
```
## Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `domain` | yes | — | Domain the site is served at (e.g. `toph.so`) |
| `flake-output` | no | `default` | Flake output to build (e.g. `docs`) |
| `nomad-addr` | no | `http://172.17.0.1:4646` | Nomad API address |
| `server-image` | no | `registry.toph.so/static-server:latest` | OCI image for the static server |
| `datacenter` | no | `contabo` | Nomad datacenter |
| `s3-endpoint` | no | `https://s3.toph.so` | S3 endpoint URL |
| `s3-bucket` | no | `nix-cache` | S3 bucket for site tarballs |
| `smoke-test` | no | `true` | Run a smoke test after deploy |
## Environment Variables

| Variable | Required | Description |
|---|---|---|
| `NOMAD_TOKEN` | yes | Nomad ACL token with deploy access to the `static-sites` namespace |
| `AWS_ACCESS_KEY_ID` | yes | S3 access key |
| `AWS_SECRET_ACCESS_KEY` | yes | S3 secret key |
| `NIX_SIGNING_KEY` | no | If set, signs and pushes the Nix closure to the S3 binary cache (speeds up future builds) |
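As an added example (not the action's own code), a POSIX sh sketch of the checks this step implies: fail closed when a required variable is missing, map the `s3-endpoint` and `s3-bucket` inputs to the S3 store URI that `nix copy` expects, and sign and push the closure only when `NIX_SIGNING_KEY` is set. The function names and the temporary key file are assumptions, as is the assumption that the bucket is reachable over https (nix's default scheme for S3 stores).

```shell
#!/bin/sh
# Added example, not part of deploy-static-site. Function names and the
# temp key file are assumptions; the s3://<bucket>?endpoint=<host> form is
# the S3 store URI syntax understood by `nix copy`.

# Return 0 if every named variable is set and non-empty; otherwise print
# the missing names to stderr and return 1 so the job fails before any
# upload or deploy happens.
require_env() {
  missing=""
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  [ -z "$missing" ] || { echo "missing required env:$missing" >&2; return 1; }
}

# Build the nix store URI for an S3-compatible endpoint. nix wants a bare
# host in ?endpoint= (https by default), so the scheme from the
# s3-endpoint input is stripped.
cache_store_uri() {
  endpoint="$1"
  bucket="$2"
  printf 's3://%s?endpoint=%s\n' "$bucket" "${endpoint#*://}"
}

# Optional cache push, matching the README: a no-op without a signing key,
# otherwise sign the closure and copy it to the bucket. The key never
# touches the command line; it is written to a 0600 temp file for nix.
push_closure() {
  store_path="$1"
  endpoint="$2"
  bucket="$3"
  if [ -z "${NIX_SIGNING_KEY:-}" ]; then
    echo "NIX_SIGNING_KEY not set; skipping cache push"
    return 0
  fi
  require_env AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY || return 1
  keyfile=$(mktemp) || return 1
  chmod 600 "$keyfile"
  printf '%s' "$NIX_SIGNING_KEY" > "$keyfile"
  nix store sign --recursive --key-file "$keyfile" "$store_path" &&
    nix copy --to "$(cache_store_uri "$endpoint" "$bucket")" "$store_path"
  rc=$?
  rm -f "$keyfile"
  return $rc
}
```

Call `require_env NOMAD_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY` at the top of the job and `push_closure "$(nix build --print-out-paths .)" "$S3_ENDPOINT" "$S3_BUCKET"` after the build.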
## Infrastructure Requirements

- S3 bucket (`nix-cache` by default) must exist and be writable with the supplied credentials
- Nomad namespace `static-sites` is created automatically on first deploy
## Cold-Start (maintainer note)

The static-server image (`registry.toph.so/static-server:latest`) is built and pushed by the `build-static-server` workflow in this repo. It runs automatically when `deploy-static-site/images/flake.nix` changes, or can be triggered manually via `workflow_dispatch`. On a fresh infrastructure setup, run that workflow once before deploying any site.
## Site Flake Requirements

The site repo's flake must expose a package output that produces a directory of static files:

```nix
packages.x86_64-linux.default = # derivation whose $out contains static files
```

Use `site-lib` from this repo to set this up with minimal boilerplate:

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    site-lib = {
      url = "git+https://git.toph.so/toph/ci-actions?dir=site-lib";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, site-lib }:
    site-lib.lib.mkSite {
      inherit self nixpkgs;
      src = ./.;
      installPhase = ''
        mkdir -p $out
        cp -r dist/. $out/
      '';
    };
}
```