Building nixos-wsl image from CI / CD (github actions)

[mhemeryck]

Hey all,

Thank you for this nice project, I recently started using nixos / nix / home-manager ... for my personal and work setup and even though I feel there's still a lot I need to learn, overall, I really like the overall concept.

Now that I have my entire OS and home manager setup under version control, I was wondering whether it'd be possible to build specifically the OS image as part of a CI setup, e.g. through github actions. I did see there's already a github action install nix action but that does not allow to assume sudo, as detailed in this page about building nixos-wsl.

My question is thus:

• has anyone attempted to do something like this before?
• why is sudo needed actually in the first place? Is it because of some permissions to be set in the tarball?

I guess I could just build the image from my existing setup, but it would be nice to have something in pipeline; maybe other people could benefit from it.

Thanks in advance!

update

This was the config I did use as a test (slightly adapted):

name: "Build NixOS-WSL"
on:
  pull_request:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
      with:
        github_access_token: ${{ secrets.GITHUB_TOKEN }}
    - run: nix flake check
    - run: sudo nix run .#nixosConfigurations.configName.config.system.build.tarballBuilder

[nzbr]

Take a look at the run-build workflow and the build-wsl-tarball action

A simple workflow to build the tarball could look like this for example:

name: Build system tarball

on:
  push:
    branches: [main]

jobs:
  build:
    name: Build Tarball
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ github.token }}

      - name: Build tarballBuilder
        run: |
          nix build .#nixosConfigurations.yourConfigNameHere.system.build.tarballBuilder

      - name: Run tarballBuilder
        run: |
          sudo ./result/bin/tarballBuilder nixos-wsl-custom.tar.gz

      - uses: actions/upload-artifact@v2
        with:
          name: tarball
          path: nixos-wsl-custom.tar.gz

[mhemeryck]

Thank you for your input!

It's only now that I see that I didn't post my github actions config before 😅

I pretty much did the same thing, but the main issue is in invoking sudo; the github action cachix/install-nix-action@v30 installs it for the non-privileged user, so once you try to invoke it for sudo, it does not work. Hence the reason why I was wondering why I'd need sudo in the first place.

update: I see now what you did; separate the build from the run.

Thanks, will look into that further!

[nzbr]

The tarball builder script uses nixos-install and nixos-enter internally, which chroot into the temporary directory that gets packaged into the tarball. That's why it needs to run as root

[mhemeryck]

OK, took some more time changing the setup, and now I have something that works for me. The key ingredient is obviously the separate build (without sudo) and run step (with sudo).

See

name: "Build NixOS-WSL"
on:
  workflow_dispatch: # Allow manual trigger
  pull_request:
  push:
    branches:
      - master

jobs:
  test:
    defaults:
      run:
        working-directory: ./hosts/tinkerbell
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
      with:
        github_access_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Run nix flake check
      run: nix flake check

  build:
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'push'
    needs: test
    defaults:
      run:
        working-directory: ./hosts/tinkerbell
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
      with:
        github_access_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Build tarballBuilder
      run: nix build .#nixosConfigurations.tinkerbell.config.system.build.tarballBuilder
    - name: Run tarballBuilder
      run: sudo ./result/bin/nixos-wsl-tarball-builder
    - name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: nixos-wsl-tinkerbell-${{ github.sha }}.tar.gz
        path: hosts/tinkerbell/nixos-wsl.tar.gz

  release:
    if: github.ref == 'refs/heads/master'
    needs: build
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions-ecosystem/action-get-latest-tag@v1
      id: get-latest-tag
    - name: Bump version
      id: bump_version
      uses: actions-ecosystem/action-bump-semver@v1
      with:
        current_version: ${{ steps.get-latest-tag.outputs.tag }}
        level: minor
    - name: Download artifact
      uses: actions/download-artifact@v4
      with:
        name: nixos-wsl-tinkerbell-${{ github.sha }}.tar.gz
    - name: Rename artifact
      run: cp nixos-wsl.tar.gz nixos-wsl-tinkerbell-${{ github.sha }}.tar.gz
    - name: Create GitHub Release
      uses: softprops/action-gh-release@v2
      with:
        tag_name: ${{ steps.bump_version.outputs.new_version }}
        name: Release ${{ steps.bump_version.outputs.new_version }}
        files: nixos-wsl-tinkerbell-${{ github.sha }}.tar.gz # Attach the build artifact to the release

I did make it bit more extensive:

• separate step to just run a test step for all commits in a PR
• build step which runs conditionally, either on manual trigger or as part of a release flow
• release flow, which uses the built artifact and puts it on the release

Thanks again for the input!

Side note: I was wondering of open sourcing the setup, since there shouldn't be any secrets in there, but I still feel a bit hesitant, given you really give away your entire dev setup to a potential attacker ...