From 757ff49541c53d783f0238b5a83ce125122f1cbf Mon Sep 17 00:00:00 2001 From: fury Date: Sun, 8 Feb 2026 18:16:18 -0800 Subject: [PATCH] feat(ci): add build-and-cache job for all nixosConfigurations - Build all 6 machines (nix-book, boxy, zix790prors, nix-deck, john-endesktop, live-usb) in parallel matrix - Only runs on push to main after check passes - Signs closures with NIX_SIGNING_KEY secret - Pushes to cache via SSH using CACHE_SSH_KEY, CACHE_HOST, CACHE_USER secrets - Skips Darwin as no builder available Required Gitea secrets: - NIX_SIGNING_KEY: Cache signing private key - CACHE_SSH_KEY: SSH key for cache server access - CACHE_HOST: Cache server hostname - CACHE_USER: SSH user for cache server Closes: x-iyz0w Co-Authored-By: Claude Opus 4.5 --- .gitea/workflows/ci.yml | 47 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index c0891a5..6d5814f 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
@@ -18,3 +18,50 @@ jobs:
 run: nix flake check
 env:
 NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+ build-and-cache:
+ runs-on: ubuntu-latest
+ needs: check
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ strategy:
+ fail-fast: false
+ matrix:
+ machine:
+ - nix-book
+ - boxy
+ - zix790prors
+ - nix-deck
+ - john-endesktop
+ - live-usb
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+ - name: Build ${{ matrix.machine }}
+ id: build
+ run: |
+ OUT_PATH=$(nix build .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel --no-link --print-out-paths)
+ echo "out_path=$OUT_PATH" >> "$GITHUB_OUTPUT"
+ env:
+ NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+ - name: Sign and push to cache
+ run: |
+ # Write signing key
+ echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+ chmod 600 /tmp/signing-key
+
+ # Sign the closure
+ nix store sign --key-file /tmp/signing-key -r "${{ steps.build.outputs.out_path }}"
+
+ # Setup SSH key for cache push
+ mkdir -p ~/.ssh
+ echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+ chmod 600 ~/.ssh/cache_key
+ ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+ # Push to cache
+ nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "${{ steps.build.outputs.out_path }}"
+ env:
+ NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
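Review bot: The `ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true` line in the "Sign and push to cache" step fetches the cache server's host key over the network at the moment it is about to be trusted, so an attacker who can intercept that run is handed the SSH key's session and the freshly signed closure, and `|| true` hides a failed scan until `nix copy` fails on host-key verification; pin the host key instead, for example in a `CACHE_HOST_KEY` secret or repository variable holding the `ssh-keyscan` output captured once out-of-band. In the same step the private signing key, SSH key, host and user are spliced into the `run:` script text via `${{ secrets.* }}` rather than passed through `env:`, which puts key material into the generated shell script and makes the `echo` and unquoted `ssh-keyscan` arguments sensitive to quoting; writing them from environment variables with `printf '%s\n' "$NIX_SIGNING_KEY"` avoids both. Neither key file is removed when the step ends, which matters if the Gitea runner executing this job is not ephemeral. A rewrite of the step along these lines follows; the build step and the job's matrix and `if:` gate are unchanged.
```yaml
      - name: Sign and push to cache
        env:
          NIX_SIGNING_KEY: ${{ secrets.NIX_SIGNING_KEY }}
          CACHE_SSH_KEY: ${{ secrets.CACHE_SSH_KEY }}
          CACHE_HOST: ${{ secrets.CACHE_HOST }}
          CACHE_USER: ${{ secrets.CACHE_USER }}
          # One known_hosts line for the cache server, captured once out-of-band.
          CACHE_HOST_KEY: ${{ secrets.CACHE_HOST_KEY }}
          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
        run: |
          set -euo pipefail
          umask 077
          # Remove key material even if a later command fails; runners may be reused.
          trap 'rm -f /tmp/signing-key "$HOME/.ssh/cache_key"' EXIT

          printf '%s\n' "$NIX_SIGNING_KEY" > /tmp/signing-key
          nix store sign --key-file /tmp/signing-key -r "${{ steps.build.outputs.out_path }}"

          mkdir -p "$HOME/.ssh"
          printf '%s\n' "$CACHE_SSH_KEY" > "$HOME/.ssh/cache_key"
          # Trust the pinned key, not whatever answers ssh-keyscan at run time.
          printf '%s\n' "$CACHE_HOST_KEY" >> "$HOME/.ssh/known_hosts"
          nix copy --to "ssh-ng://${CACHE_USER}@${CACHE_HOST}?ssh-key=$HOME/.ssh/cache_key" "${{ steps.build.outputs.out_path }}"
```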