feat(workflows): Switch to a nix-based definition of workflows

workflows/check-meta.nix

@@ -0,0 +1,31 @@
+{
+  name = "Check meta";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.paths = [ "meta/*" ];
+  };
+
+  jobs = {
+    check_meta = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check the validity of meta options";
+          run = "nix-build meta/verify.nix -A meta";
+        }
+      ];
+    };
+
+    check_dns = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check the validity of the DNS configuration";
+          run = "nix-build meta/verify.nix -A dns --no-out-link";
+        }
+      ];
+    };
+  };
+}

workflows/check-workflows.nix

@@ -0,0 +1,20 @@
+{
+  name = "Check workflows";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.paths = [ "workflows/*" ];
+  };
+
+  jobs = {
+    check_workflows = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check that the workflows are up to date";
+          run = "nix-shell --run '[ $(git status --porcelain) -eq 0 ]'";
+        }
+      ];
+    };
+  };
+}

workflows/eval-nodes.nix

@@ -0,0 +1,32 @@
+{ lib }:
+
+let
+  inherit (lib) attrNames genAttrs;
+
+  nodes = attrNames (builtins.readDir ../machines);
+in
+
+{
+  name = "Build all the nodes";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.branches = [ "main" ];
+  };
+
+  jobs = genAttrs nodes (node: {
+    runs-on = "nix";
+    steps = [
+      { uses = "actions/checkous@v3"; }
+      {
+        name = "Build and cache ${node}";
+        run = "nix-shell --run cache-node";
+        env = {
+          STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
+          STORE_USER = "admin";
+          STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
+          BUILD_NODE = node;
+        };
+      }
+    ];
+  });
+}

workflows/npins-update.nix

@@ -0,0 +1,56 @@
+{
+  name = "npins update";
+  on.schedule = [
+    # Run at 11 o'clock every wednesday
+    { cron = "25 15 * * *"; }
+  ];
+
+  jobs.npins_update = {
+    runs-on = "nix";
+    steps = [
+      {
+        uses = "actions/checkout@v3";
+        "with" = {
+          depth = 0;
+          token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
+        };
+      }
+
+      {
+        name = "Update dependencies and open PR if necessary";
+        run = ''
+          npins update
+
+          if [ ! -z "$(git diff --name-only)" ]; then
+            echo "[+] Changes detected, pushing updates."
+
+            git switch -C npins-update
+
+            git add npins
+
+            git config user.name "DGNum Chores"
+            git config user.email "tech@dgnum.eu"
+
+            git commit --message "chore(npins): Update"
+            git push --set-upstream origin npins-update --force
+
+            # Connect to the server with the cli
+            tea login add \
+              -n dgnum-chores \
+              -t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
+              -u https://git.dgnum.eu
+
+            # Create a pull request if needed
+            # i.e. no PR with the same title exists
+            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(npins): Update dgnum-chores')" ]; then
+              tea pr create \
+                --description "Automatic npins update" \
+                --title "chore(npins): Update" \
+                --head npins-update
+            fi
+          fi
+        '';
+      }
+    ];
+  };
+}

workflows/pre-commit.nix

@@ -0,0 +1,18 @@
+{
+  name = "Run pre-commit on all files";
+  on = [
+    "push"
+    "pull_request"
+  ];
+
+  jobs.check = {
+    runs-on = "nix";
+    steps = [
+      { uses = "actions/checkout@v3"; }
+      {
+        name = "Run pre-commit on all files";
+        run = "nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.";
+      }
+    ];
+  };
+}