[buoh/ci] ci: Add Nix based build test

[Jan Tojnar <jtojnar src gnome org>]

commit e7ce20f1e2489843eeb489a751a68fa8777af156
Author: Jan Tojnar <jtojnar gmail com>
Date:   Thu Aug 30 12:59:12 2018 +0200

    ci: Add Nix based build test
    
    We compare the hash of default.nix file with a label of the Docker image
    stored in the container registry [1]. When they do not match, we will try
    to build an image based on nixos/nix [2] containing all the build dependencies,
    then upload the built image to the registry. Finally the image will be used
    to build the package using Nix, and to run checks.
    
    [1]: https://gitlab.com/help/user/project/container_registry
    [2]: https://hub.docker.com/r/nixos/nix/

 ci/Dockerfile     |  5 +++++
 ci/build-image.sh | 23 +++++++++++++++++++++++
 ci/gitlab-ci.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
---
diff --git a/ci/Dockerfile b/ci/Dockerfile
new file mode 100644
index 0000000..b9ab6a4
--- /dev/null
+++ b/ci/Dockerfile
@@ -0,0 +1,5 @@
+FROM nixos/nix
+ARG EXPRESSION_HASH=unknown
+LABEL ExpressionHash=$EXPRESSION_HASH
+COPY default.nix /project/
+RUN cd /project && nix-shell --run ':'
diff --git a/ci/build-image.sh b/ci/build-image.sh
new file mode 100755
index 0000000..c8ec4f5
--- /dev/null
+++ b/ci/build-image.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# usage: build-image.sh <job-token> <image-tag>
+
+alias jq="docker run -i stedolan/jq"
+alias skopeo="docker run -i alexeiled/skopeo skopeo"
+
+CI_JOB_TOKEN=$1
+IMAGE_TAG=$2
+
+NIX_EXPRESSION_HASH=$(sha256sum default.nix | cut -f 1 -d ' ')
+IMAGE_EXPRESSION_HASH=$(skopeo inspect "docker://$IMAGE_TAG" | jq '.Labels.ExpressionHash')
+
+echo $NIX_EXPRESSION_HASH $IMAGE_EXPRESSION_HASH
+
+if test "$NIX_EXPRESSION_HASH" = "$IMAGE_EXPRESSION_HASH"; then
+  echo 'Image already up to date, skipping build…'
+else
+  echo 'Building Docker image…'
+  docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
+  docker build -t "$IMAGE_TAG" . -f ci/Dockerfile --build-arg "EXPRESSION_HASH=$NIX_EXPRESSION_HASH"
+  docker push "$IMAGE_TAG"
+fi
diff --git a/ci/gitlab-ci.yaml b/ci/gitlab-ci.yaml
new file mode 100644
index 0000000..b39d3c1
--- /dev/null
+++ b/ci/gitlab-ci.yaml
@@ -0,0 +1,41 @@
+image: docker:stable
+
+services:
+  - docker:dind
+
+variables:
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_DRIVER: overlay2
+
+# We compare the hash of default.nix file with a label of the Docker image
+# stored in the container registry. When they do not match, we will try
+# to build an image based on nixos/nix containing all the build dependencies,
+# then upload the built image to the registry. Finally the image will be used
+# to build the package using Nix, and to run checks.
+
+build_image:
+  stage: build
+  script: ci/build-image.sh "$CI_JOB_TOKEN" "$CI_REGISTRY_IMAGE:latest"
+  except: /^ci-.*/
+
+build:
+  stage: test
+  image: $CI_REGISTRY_IMAGE:latest
+  script: nix-build
+  except: /^ci-.*/
+
+# We use a different image tag for branches starting with “ci-” prefix so that
+# we could develop the CI set-up without interfering with the deployed
+# one. Since the CI tweaks are going to be quite rare, we are sharing a single
+# tag between all of them, in order not to clog the registry.
+
+build_image_dev:
+  stage: build
+  script: ci/build-image.sh "$CI_JOB_TOKEN" "$CI_REGISTRY_IMAGE:development"
+  only: /^ci-.*/
+
+build_dev:
+  stage: test
+  image: $CI_REGISTRY_IMAGE:development
+  script: nix-build
+  only: /^ci-.*/