chore: add flake.nix (#382)

.github/workflows/flow-main.yml

@@ -0,0 +1,110 @@
+---
+name: Release Please and GoReleaser
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  nix-update:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    permissions:
+      actions: read
+      contents: write
+      statuses: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          # use more powerful token to trigger subsequent workflows
+          token: ${{ secrets.MYKSO_BOT_GITHUB_TOKEN }}
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update nix flake
+        run: nix run github:Mic92/nix-update -- --flake myks --version=skip
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
+        with:
+          gpg_private_key: ${{ secrets.MYKSO_BOT_GPG_PRIVATE_KEY }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+      - name: Commit changes
+        id: commit
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
+        with:
+          commit_message: "chore: nix-update"
+          commit_user_name: Mykso Bot
+          commit_user_email: [email protected]
+      - name: Set commit status
+        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
+        with:
+          context: nix-update
+          description:
+            ${{ steps.commit.outputs.changes_detected == 'true' && 'New changes
+            have been committed' || 'Flake is up to date' }}
+          # When running on a PR, set the commit status on the latest commit in
+          # the branch. Otherwise, the PR will be waiting for the commit status
+          # indefinitely. This, in particular, blocks Renovate from merging PRs
+          # automatically.
+          # If running on a push, set the commit status on the current commit.
+          sha:
+            ${{ steps.commit.outputs.commit_hash ||
+            github.event.pull_request.head.sha || github.sha }}
+          status: success
+
+  release-please:
+    runs-on: ubuntu-latest
+    needs: nix-update
+    steps:
+      - name: Release Please
+        uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          # The PAT is needed to run required checks on the release PR.
+          # If a PR is created with the GITHUB_TOKEN, it will not trigger workflows.
+          token: ${{ secrets.MYKSO_BOT_GITHUB_TOKEN }}
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+
+  release:
+    runs-on: ubuntu-latest
+    needs: release-please
+    if: needs.release-please.outputs.release_created == 'true'
+    permissions:
+      contents: write
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.MYKSO_BOT_GPG_PRIVATE_KEY }}
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        env:
+          AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
+          GITHUB_TOKEN: ${{ github.token }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          HOMEBREW_TAP_REPO_TOKEN: ${{ secrets.MYKSO_BOT_GITHUB_TOKEN }}
+        with:
+          args: release --clean

.github/workflows/flow-pr.yml

@@ -7,3 +7,17 @@ jobs:
     uses: ./.github/workflows/job-lint.yml
   test:
     uses: ./.github/workflows/job-test.yml
+  nix-update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Try to update nix flake
+        run: nix run github:Mic92/nix-update -- --flake myks --version=skip
+      - name: Print changes
+        run: git diff

docs/README.md

@@ -103,10 +103,21 @@ brew install myks
 
 ### Nix
 
+The package is available in the Nixpkgs repository under the name
+[`myks`](https://search.nixos.org/packages?channel=unstable&show=myks&from=0&size=50&sort=relevance&type=packages&query=myks).
+
 ```
-nix-shell -p myks helm git
+nix-shell -p myks kubernetes-helm git
 ```
 
+> [!NOTE]  
+> The version in Nixpkgs is falling behind the latest release. If you need the
+> latest version, use the flake.
+>
+> ```shell
+> nix shell 'github:mykso/myks/main#myks' 'nixpkgs#helm' 'nixpkgs#git'
+> ```
+
 ### Download manually
 
 Download an archive for your OS from the
@@ -227,7 +238,7 @@ Here are some of the requirements we had:
 - to have automatic updates and version management;
 - to provide a single source of truth for the configuration.
 
-[//]: # "Links"
+[//]: # 'Links'
 [ArgoCD]: https://argoproj.github.io/cd/
 [helm]: https://helm.sh/
 [sops]: https://github.com/getsops/sops

flake.nix

@@ -0,0 +1,26 @@
+{
+  description = "Configuration framework for Kubernetes applications";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs {inherit system;};
+      package = import ./package.nix {
+        inherit pkgs self;
+      };
+    in {
+      packages.default = package;
+      packages.myks = package;
+
+      devShells.default = import ./shell.nix {inherit pkgs package;};
+    });
+}

package.nix

@@ -0,0 +1,31 @@
+{
+  pkgs,
+  self,
+}: let
+  baseVersion = "4.2.3"; # x-release-please-version
+  commit = self.shortRev or self.dirtyShortRev or "unknown";
+  version = "${baseVersion}-${commit}";
+in
+  pkgs.buildGoModule {
+    pname = "myks";
+    src = ./.;
+    vendorHash = "sha256-cTRyQu3lXrIrBHtEYYQIdv0F705KrgyXgDS8meHVRJw=";
+    version = version;
+
+    env.CGO_ENABLED = 0;
+    doCheck = false;
+    ldflags = [
+      "-s"
+      "-w"
+      "-X=main.version=${baseVersion}"
+      "-X=main.commit=${commit}"
+      "-X=main.date=1970-01-01"
+    ];
+
+    meta = {
+      changelog = "https://github.com/mykso/myks/blob/${baseVersion}/CHANGELOG.md";
+      description = "Configuration framework for Kubernetes applications";
+      homepage = "https://github.com/mykso/myks";
+      license = pkgs.lib.licenses.mit;
+    };
+  }

release-please-config.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "release-type": "go",
+  "packages": {
+    ".": {
+      "extra-files": [
+        "flake.nix"
+      ]
+    }
+  }
+}

shell.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  package,
+}:
+pkgs.mkShell {
+  packages =
+    (with pkgs; [
+      gnused
+      go
+      go-task
+      gofumpt
+      goimports-reviser
+      golangci-lint
+      goreleaser
+      gosec
+      lefthook
+      nix-update
+    ])
+    ++ [
+      package
+    ];
+}