120 lines
2.7 KiB
Markdown
120 lines
2.7 KiB
Markdown
# Nix Build System
|
|
|
|
SolidHaus uses Nix flakes for reproducible builds and automated OCI image creation.
|
|
|
|
## Quick Start
|
|
|
|
```bash
|
|
# Build the SvelteKit app
|
|
nix build .#solidhaus
|
|
|
|
# Build the OCI image
|
|
nix build .#solidhaus-image
|
|
|
|
# Push to registry (requires authentication)
|
|
nix run .#push-solidhaus-image
|
|
|
|
# Enter dev shell
|
|
nix develop
|
|
```
|
|
|
|
## Packages
|
|
|
|
### `solidhaus`
|
|
|
|
Builds the SvelteKit application using `buildNpmPackage`.
|
|
|
|
- **Output**: Static SPA in `/nix/store/.../`
|
|
- **Build command**: `npm run build`
|
|
- **Dependencies**: Locked with `npmDepsHash`
|
|
|
|
### `solidhaus-image`
|
|
|
|
OCI image with nginx serving the built app.
|
|
|
|
- **Image name**: `registry.toph.so/solidhaus`
|
|
- **Tag**: `latest`
|
|
- **Web server**: nginx
|
|
- **Port**: 80
|
|
|
|
**Features**:
|
|
- SPA fallback routing (`try_files $uri /index.html`)
|
|
- Gzip compression for text assets
|
|
- Security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection)
|
|
- 1-year cache for static assets (`.js`, `.css`, `.woff2`, etc.)
|
|
|
|
## CI/CD
|
|
|
|
Forgejo Actions workflow (`.forgejo/workflows/build-image.yml`) automatically:
|
|
|
|
1. **On every push/PR**: Build OCI image to verify it works
|
|
2. **On main branch**: Push image to `registry.toph.so/solidhaus`
|
|
- Tagged as `:latest`
|
|
- Tagged with `:${commit-sha}` for rollback capability
|
|
|
|
**Requirements**:
|
|
- Forgejo runner with `nix` label
|
|
- Uses `registry.toph.so/nix-runner:latest` (see `/srv/infra/jobs/forgejo-runner/image.nix`)
|
|
|
|
## Updating Dependencies
|
|
|
|
When `package.json` dependencies change:
|
|
|
|
1. Build will fail with hash mismatch
|
|
2. Copy the "got:" hash from error message
|
|
3. Update `npmDepsHash` in `flake.nix`
|
|
4. Rebuild
|
|
|
|
Example:
|
|
```
|
|
error: hash mismatch in fixed-output derivation
|
|
specified: sha256-AAAAA...
|
|
got: sha256-BBBBB...
|
|
```
|
|
|
|
Update `flake.nix`:
|
|
```nix
|
|
npmDepsHash = "sha256-BBBBB...";
|
|
```
|
|
|
|
## Local Testing
|
|
|
|
Test the OCI image locally:
|
|
|
|
```bash
|
|
# Build image
|
|
nix build .#solidhaus-image
|
|
|
|
# Load into Docker/Podman
|
|
docker load < result
|
|
|
|
# Run
|
|
docker run -p 8080:80 registry.toph.so/solidhaus:latest
|
|
|
|
# Visit http://localhost:8080
|
|
```
|
|
|
|
## Integration with /srv/infra
|
|
|
|
The Nomad job definition in `/srv/infra/jobs/solidhaus/default.nix` can be updated to use the OCI image:
|
|
|
|
```nix
|
|
task.web = {
|
|
driver = "docker";
|
|
config = {
|
|
image = "registry.toph.so/solidhaus:latest";
|
|
ports = ["http"];
|
|
};
|
|
# ... rest of config
|
|
};
|
|
```
|
|
|
|
This replaces the current two-task setup (build + web) with a single pre-built image.
|
|
|
|
## Why Nix?
|
|
|
|
- **Reproducible builds**: Same inputs = same outputs, always
|
|
- **Hermetic builds**: No reliance on system Node.js version
|
|
- **Cacheable**: Nix store enables efficient caching
|
|
- **Declarative**: Build configuration is code
|
|
- **Flake-based**: Pin exact dependency versions (flake.lock)
|