Add cachix binary cache

2025-12-11 15:18:54 +00:00 · 2025-12-11 15:18:54 +00:00 · ad7253e93d
parent 40a7e43761
commit ad7253e93d
11 changed files with 136 additions and 11 deletions
--- a/.github/workflows/push_cachix_dev.yml
+++ b/.github/workflows/push_cachix_dev.yml
@ -0,0 +1,39 @@
+name: Push packages to AsterNixOS's development cache on Cachix
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - .github/workflows/push_cachix_pkgs.yml
+      - distro/**
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/push_cachix_pkgs.yml
+      - distro/**
+
+jobs:
+  push-pkgs:
+    runs-on: ubuntu-4-cores-150GB-ssd
+    container:
+      image: asterinas/asterinas:0.16.2-20251209
+      options: -v /dev:/dev --privileged
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Asterinas NixOS patched packages (dry run)
+        if: github.event_name == 'pull_request'
+        run: |
+          make kernel BOOT_PROTOCOL=linux-efi-handover64 || true
+          make cachix
+
+      - name: Build Asterinas NixOS patched packages and push to development cache
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          make kernel BOOT_PROTOCOL=linux-efi-handover64 || true
+          export CACHIX_AUTH_TOKEN=${{ secrets.CACHIX_AUTH_TOKEN_FOR_DEV_CACHE }}
+          make push_cachix 2>&1 | tee cachix.log || true
+          tail --lines 10 cachix.log | grep -q -E "^(All done|Nothing to push)" || (echo "Push cachix failed" && exit 1)
+          echo "Push cachix succeeds!"
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,6 @@ aster-nix-profile-*.svg

 # distro results
 distro/result
+
+# cachix package list
+cachix.list
--- a/28
+++ b/28
@ -67,6 +67,16 @@ NIXOS_STAGE_2_INIT ?= /bin/sh -l
 AUTO_INSTALL ?= true
 # End of ISO installer settings

+# Cachix binary cache settings
+CACHIX_AUTH_TOKEN ?=
+RELEASE_CACHIX_NAME ?= "aster-nixos-release"
+RELEASE_SUBSTITUTER ?= https://aster-nixos-release.cachix.org
+RELEASE_TRUSTED_PUBLIC_KEY ?= aster-nixos-release.cachix.org-1:xB6U/f5ck5vGDJZ04kPp3zGpZ4Nro9X4+TSSMAETVFE=
+DEV_CACHIX_NAME ?= "aster-nixos-dev"
+DEV_SUBSTITUTER ?= https://aster-nixos-dev.cachix.org
+DEV_TRUSTED_PUBLIC_KEY ?= aster-nixos-dev.cachix.org-1:xrCbE2flfliFTQCY/2HeJoT2tCO+5kMTZeLIUH9lnIA=
+# End of Cachix binary cache settings
+
 # ========================= End of Makefile options. ==========================

 SHELL := /bin/bash
@ -333,6 +343,24 @@ run_nixos: OVMF = off
 run_nixos:
 	@./tools/nixos/run_nixos.sh target/nixos

+# Build the Asterinas NixOS patched packages
+cachix:
+	@nix-build distro/cachix \
+		--argstr test-command "${NIXOS_TEST_COMMAND}" \
+		--option extra-substituters "${RELEASE_SUBSTITUTER} ${DEV_SUBSTITUTER}" \
+		--option extra-trusted-public-keys "${RELEASE_TRUSTED_PUBLIC_KEY} ${DEV_TRUSTED_PUBLIC_KEY}" \
+		--out-link cachix.list
+
+# Push the Asterinas NixOS patched packages to Cachix
+.PHONY: push_cachix
+push_cachix: USE_RELEASE_CACHE ?= 0
+push_cachix: cachix
+ifeq ($(USE_RELEASE_CACHE), 1)
+	@cachix push $(RELEASE_CACHIX_NAME) < cachix.list
+else
+	@cachix push $(DEV_CACHIX_NAME) < cachix.list
+endif
+
 .PHONY: gdb_server
 gdb_server: initramfs $(CARGO_OSDK)
 	@cd kernel && cargo osdk run $(CARGO_OSDK_BUILD_ARGS) --gdb-server wait-client,vscode,addr=:$(GDB_TCP_PORT)
--- a/distro/aster_nixos_installer/default.nix
+++ b/distro/aster_nixos_installer/default.nix
@ -1,5 +1,6 @@
 { disable-systemd ? "false", stage-2-hook ? "/bin/sh -l", log-level ? "error"
-, console ? "hvc0", test-command ? "", pkgs ? import <nixpkgs> { } }:
+, console ? "hvc0", test-command ? "", extra-substituters ? ""
+, extra-trusted-public-keys ? "", pkgs ? import <nixpkgs> { } }:
 let
  aster-kernel = builtins.path {
    name = "aster-nix-osdk-bin";
@ -16,6 +17,8 @@ let
      aster-log-level = log-level;
      aster-console = console;
      aster-test-command = test-command;
+      aster-substituters = extra-substituters;
+      aster-trusted-public-keys = extra-trusted-public-keys;
    };
  };
  install_aster_nixos = pkgs.replaceVarsWith {
@ -23,6 +26,8 @@ let
    replacements = {
      aster-configuration = aster_configuration;
      aster-etc-nixos = etc-nixos;
+      aster-substituters = extra-substituters;
+      aster-trusted-public-keys = extra-trusted-public-keys;
    };
    isExecutable = true;
  };
@ -32,10 +37,10 @@ in pkgs.stdenv.mkDerivation {
  buildCommand = ''
    mkdir -p $out/{bin,etc_nixos}
    cp ${install_aster_nixos} $out/bin/install_aster_nixos.sh
-    ln -s ${aster_configuration} $out/etc_nixos/aster_configuration.nix
-    ln -s ${etc-nixos}/configuration.nix $out/etc_nixos/configuration.nix
-    ln -s ${etc-nixos}/modules $out/etc_nixos/modules
-    ln -s ${etc-nixos}/overlays $out/etc_nixos/overlays
+    cp -L ${aster_configuration} $out/etc_nixos/aster_configuration.nix
+    cp -L ${etc-nixos}/configuration.nix $out/etc_nixos/configuration.nix
+    cp -r ${etc-nixos}/modules $out/etc_nixos/modules
+    cp -r ${etc-nixos}/overlays $out/etc_nixos/overlays
    ln -s ${aster-kernel} $out/kernel
  '';
 }
--- a/distro/aster_nixos_installer/templates/aster_configuration.nix
+++ b/distro/aster_nixos_installer/templates/aster_configuration.nix
@ -74,6 +74,16 @@
        description =
          "If set to true, the system will not proceed to switch to the root filesystem after initial boot. Instead, it will drop into an initramfs shell. This is primarily intended for debugging purposes.";
      };
+      substituters = lib.mkOption {
+        type = lib.types.str;
+        default = "@aster-substituters@";
+        description = "The substituters fo Asterinas NixOS.";
+      };
+      trusted-public-keys = lib.mkOption {
+        type = lib.types.str;
+        default = "@aster-trusted-public-keys@";
+        description = "The trusted public keys of Asterinas NixOS.";
+      };
    };
  };
 }
--- a/distro/aster_nixos_installer/templates/install_nixos.sh
+++ b/distro/aster_nixos_installer/templates/install_nixos.sh
@ -132,6 +132,8 @@ cp -r @aster-etc-nixos@/modules ${BUILD_DIR}/etc/nixos
 cp -r @aster-etc-nixos@/overlays ${BUILD_DIR}/etc/nixos

 export PATH=${PATH}:/run/current-system/sw/bin
-nixos-install --root ${BUILD_DIR} --no-root-passwd
+nixos-install --root ${BUILD_DIR} --no-root-passwd \
+    --option extra-substituters "@aster-substituters@" \
+    --option extra-trusted-public-keys "@aster-trusted-public-keys@"

 echo "Congratulations! Asterinas NixOS has been installed successfully!"
--- a/distro/cachix/default.nix
+++ b/distro/cachix/default.nix
@ -0,0 +1,28 @@
+{ pkgs ? import <nixpkgs> { }, test-command ? "", extra-substituters ? ""
+, extra-trusted-public-keys ? "", ... }:
+let
+  installer = pkgs.callPackage ../aster_nixos_installer {
+    inherit test-command extra-substituters extra-trusted-public-keys;
+  };
+  nixos = pkgs.nixos (import "${installer}/etc_nixos/configuration.nix");
+  cachixPkgs = with nixos.pkgs;
+    [
+      hello-asterinas
+      xfce.xfdesktop
+      xfce.xfwm4
+      xorg.xorgserver
+      runc
+      runc.man
+      podman
+      podman.man
+      aster_systemd
+    ] ++ (with nixos.config; [
+      system.build.toplevel
+      systemd.package
+      systemd.package.debug
+      systemd.package.dev
+      systemd.package.man
+      virtualisation.podman.package
+      virtualisation.podman.package.man
+    ]);
+in pkgs.writeClosure cachixPkgs
--- a/distro/etc_nixos/modules/core.nix
+++ b/distro/etc_nixos/modules/core.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, options, ... }:
 let
  kernel = builtins.path {
    name = "aster-nix-osdk-bin";
@ -100,6 +100,8 @@ in {
  '';
  system.activationScripts.modprobe = lib.mkForce "";

+  nix.nixPath = options.nix.nixPath.default
+    ++ [ "nixpkgs-overlays=/etc/nixos/overlays" ];
  nix.settings = {
    filter-syscalls = false;
    require-sigs = false;
@ -107,6 +109,8 @@ in {
    # FIXME: Support Nix build users (nixbld*) and remove this setting. For detailed gaps, see
    # <https://github.com/asterinas/asterinas/issues/2672>.
    build-users-group = "";
+    substituters = [ "${config.aster_nixos.substituters}" ];
+    trusted-public-keys = [ "${config.aster_nixos.trusted-public-keys}" ];
  };

  # FIXME: Currently, during `nixos-rebuild`, `texinfo/install-info` encounters a `SIGBUS`.
--- a/distro/iso_image/default.nix
+++ b/distro/iso_image/default.nix
@ -1,7 +1,9 @@
-{ pkgs ? import <nixpkgs> { }, autoInstall ? false, test-command ? "", ... }:
+{ pkgs ? import <nixpkgs> { }, autoInstall ? false, test-command ? ""
+, extra-substituters ? "", extra-trusted-public-keys ? "", ... }:
 let
-  installer =
-    pkgs.callPackage ../aster_nixos_installer { inherit test-command; };
+  installer = pkgs.callPackage ../aster_nixos_installer {
+    inherit test-command extra-substituters extra-trusted-public-keys;
+  };
  configuration = {
    imports = [
      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
--- a/tools/nixos/build_iso.sh
+++ b/tools/nixos/build_iso.sh
@ -14,4 +14,6 @@ mkdir -p ${TARGET_DIR}
 nix-build ${DISTRO_DIR}/iso_image \
    --arg autoInstall ${AUTO_INSTALL} \
    --argstr test-command "${NIXOS_TEST_COMMAND}" \
+    --argstr extra-substituters "${RELEASE_SUBSTITUTER} ${DEV_SUBSTITUTER}" \
+    --argstr extra-trusted-public-keys "${RELEASE_TRUSTED_PUBLIC_KEY} ${DEV_TRUSTED_PUBLIC_KEY}" \
    --out-link ${TARGET_DIR}/iso_image
--- a/tools/nixos/build_nixos.sh
+++ b/tools/nixos/build_nixos.sh
@ -16,7 +16,9 @@ nix-build aster_nixos_installer/default.nix \
    --argstr stage-2-hook "${NIXOS_STAGE_2_INIT}" \
    --argstr log-level "${LOG_LEVEL}" \
    --argstr console "${CONSOLE}" \
-    --argstr test-command "${NIXOS_TEST_COMMAND}"
+    --argstr test-command "${NIXOS_TEST_COMMAND}" \
+    --argstr extra-substituters "${RELEASE_SUBSTITUTER} ${DEV_SUBSTITUTER}" \
+    --argstr extra-trusted-public-keys "${RELEASE_TRUSTED_PUBLIC_KEY} ${DEV_TRUSTED_PUBLIC_KEY}"
 popd

 mkdir -p ${ASTERINAS_DIR}/target/nixos