nix: init tooling; replace docker

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/docker-push.yml

@@ -3,31 +3,20 @@ name: Docker Image CI
 
 on:
   push:
-    paths-ignore:
-      - ".github/**"
-      - ".dockerignore"
-      - "docker-compose.yml"
-      - "Dockerfile"
-    tags:
-      - v*
-    branches:
-      - main
   pull_request:
-    paths-ignore:
-      - ".github/**"
-      - ".dockerignore"
-      - "docker-compose.yml"
-      - "Dockerfile"
-    branches:
-      - main
+  workflow_dispatch:
 
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: [x86_64] # more can be added here, if necessary
+
     steps:
       # Checkout to the git repository
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Logs into Docker using the credientals from the repository secrets
       - name: Login to Docker Hub
@@ -36,16 +25,16 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      # Docker builds now require buildx
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Build Docker image
+        run: |
+          nix build .#packages.${{ matrix.arch }}-linux.docker
 
-      # build the image using the provided Dockerfile
-      # and push them to Dockerhub
-      - name: Build and push
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          file: ./Dockerfile
-          push: true
-          tags: ${{ secrets.DOCKERHUB_USERNAME }}/bryanbot:latest
+      - name: Load and preview Docker image
+        run: |
+          docker load < result &&
+          docker images
+
+      - name: Push Docker image
+        run: |
+          docker tag ${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.DOCKER_HUB_REPO }}:latest ${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.DOCKER_HUB_REPO }}:${{ matrix.arch }}-latest
+          docker push ${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.DOCKER_HUB_REPO }}:${{ matrix.arch }}-latest

flake.nix

@@ -0,0 +1,25 @@
+{
+  description = "Bryanbot";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
+
+  outputs = {
+    self,
+    nixpkgs,
+    ...
+  }: let
+    systems = ["x86_64-linux" "aarch64-linux"];
+    forEachSystem = nixpkgs.lib.genAttrs systems;
+    pkgsForEach = nixpkgs.legacyPackages;
+  in {
+    packages = forEachSystem (system: {
+      docker = pkgsForEach.${system}.callPackage ./nix/packages/docker.nix {inherit self;};
+      bryanbot = pkgsForEach.${system}.callPackage ./nix/packages/bryanbot.nix {};
+    });
+
+    devShells = forEachSystem (system: {
+      default = pkgsForEach.${system}.callPackage ./nix/shell.nix {};
+    });
+
+    hydraJobs = self.packages;
+  };
+}

nix/packages/bryanbot.nix

@@ -0,0 +1,54 @@
+{
+  lib,
+  stdenvNoCC,
+  git,
+  nodejs,
+  pnpm_10,
+  makeWrapper,
+  nix-update-script,
+}:
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "BryanBot";
+  version = "2.0.0";
+
+  src = builtins.path {
+    path = ../../.;
+    name = "bryanbot-source";
+  };
+
+  pnpmDeps = pnpm_10.fetchDeps {
+    inherit (finalAttrs) pname version src;
+    hash = "sha256-oSVQfkeG+Kw2YAOJSqOSySReozWe0/3jcB7uRZ8a7ng=";
+  };
+
+  nativeBuildInputs = [
+    git
+    nodejs
+    pnpm_10.configHook
+    makeWrapper
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    cp $src/src/index.js $out/bin/bryanbot
+    chmod +x $out/bin/bryanbot
+    wrapProgram $out/bin/bryanbot \
+      --prefix PATH : ${lib.makeBinPath [nodejs]}
+
+    runHook postInstall
+  '';
+
+  passthru.updateScript = nix-update-script {};
+
+  meta = {
+    description = "Modular, up-to-date Discord bot that just works";
+    homepage = "https://github.com/BryanBotDev/BryanBot";
+    platforms = lib.platforms.linux;
+    mainProgram = "bryanbot";
+    maintainers = [
+      lib.maintainers.NotAShelf
+    ];
+  };
+})

nix/packages/docker.nix

@@ -0,0 +1,51 @@
+{
+  self,
+  dockerTools,
+  buildEnv,
+  nodejs,
+  ...
+}: let
+  name = "node";
+  tag = "current-alpine";
+  digest = "sha256:b2f1e6d2f9eaf82afc910ec1e3b14f2a252be3f91e661602017974dee1bd9f40";
+
+  # TODO: we can stick all of this into a "manifest" in JSON and update it with nix-prefetch-docker
+  baseImage = dockerTools.pullImage {
+    imageName = name;
+    imageDigest = digest;
+    finalImageName = name;
+    finalImageTag = tag;
+    sha256 = "sha256-nk6QCkQQe7Ms0ZJjDqEz9U7fXnydnaRJj5nam3hTGq4=";
+  };
+in
+  dockerTools.buildImage {
+    name = "brayanbot";
+    tag = "latest";
+
+    # Decent compression at the cost of some additional system resources. Since
+    # this image will be built by GitHub's runners, the cost is negligible.
+    compressor = "zstd";
+
+    # First we pull the appropriate nodejs image. This is the equivalent of
+    # 'FROM node:current-alpine as base'
+    fromImage = baseImage;
+
+    copyToRoot = buildEnv {
+      name = "image-root";
+      paths = [nodejs self];
+      pathsToLink = ["/bin" "/src"];
+    };
+
+    config = {
+      Cmd = ["node" "/src/index.js"];
+      WorkingDir = "/data";
+      Volumes = {
+        "/data" = {};
+      };
+
+      ExposedPorts = {};
+    };
+
+    diskSize = 1024;
+    buildVMMemorySize = 512;
+  }

nix/shell.nix

@@ -0,0 +1,16 @@
+{
+  mkShellNoCC,
+  eslint_d,
+  prettierd,
+  nodejs-slim,
+  pnpm,
+}:
+mkShellNoCC {
+  name = "bryanbot";
+  packages = [
+    eslint_d
+    prettierd
+    nodejs-slim
+    pnpm
+  ];
+}