[buoh/ci] ci: Add Nix based build test

[Jan Tojnar <jtojnar src gnome org>]

commit 5aed558ce52b53830f06e7328b3f38cb7db0d6f0
Author: Jan Tojnar <jtojnar gmail com>
Date:   Thu Aug 30 12:59:12 2018 +0200

    ci: Add Nix based build test
    
    We compare the hash of default.nix file with a label of the Docker image
    stored in the container registry [1]. When they do not match, we will try
    to build an image based on nixos/nix [2] containing all the build dependencies,
    then upload the built image to the registry. Finally the image will be used
    to build the package using Nix, and to run checks.
    
    We use a different image tag for branches starting with “ci-” prefix so that
    we could develop the CI set-up without interfering with the deployed one.
    Since the CI tweaks are going to be quite rare, we are sharing a single
    tag among all of them, in order not to clog the registry.
    
    [1]: https://gitlab.com/help/user/project/container_registry
    [2]: https://hub.docker.com/r/nixos/nix/

 ci/Dockerfile     |  5 +++++
 ci/build-image.sh | 21 +++++++++++++++++++++
 ci/gitlab-ci.yaml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+)
---
diff --git a/ci/Dockerfile b/ci/Dockerfile
new file mode 100644
index 0000000..b9ab6a4
--- /dev/null
+++ b/ci/Dockerfile
@@ -0,0 +1,5 @@
+FROM nixos/nix
+ARG EXPRESSION_HASH=unknown
+LABEL ExpressionHash=$EXPRESSION_HASH
+COPY default.nix /project/
+RUN cd /project && nix-shell --run ':'
diff --git a/ci/build-image.sh b/ci/build-image.sh
new file mode 100755
index 0000000..1158af3
--- /dev/null
+++ b/ci/build-image.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# usage: build-image.sh <job-token> <image-tag>
+
+alias jq="docker run -i stedolan/jq"
+alias skopeo="docker run -i alexeiled/skopeo skopeo"
+
+CI_JOB_TOKEN=$1
+IMAGE_TAG=$2
+
+NIX_EXPRESSION_HASH=$(sha256sum default.nix | cut -f 1 -d ' ')
+IMAGE_EXPRESSION_HASH=$(skopeo inspect "docker://$IMAGE_TAG" | jq -r '.Labels.ExpressionHash')
+
+if test "$NIX_EXPRESSION_HASH" = "$IMAGE_EXPRESSION_HASH"; then
+  echo 'Image already up to date, skipping build…'
+else
+  echo 'Building Docker image…'
+  docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
+  docker build -t "$IMAGE_TAG" . -f ci/Dockerfile --build-arg "EXPRESSION_HASH=$NIX_EXPRESSION_HASH"
+  docker push "$IMAGE_TAG"
+fi
diff --git a/ci/gitlab-ci.yaml b/ci/gitlab-ci.yaml
new file mode 100644
index 0000000..eccefd5
--- /dev/null
+++ b/ci/gitlab-ci.yaml
@@ -0,0 +1,45 @@
+image: docker:stable
+
+services:
+  - docker:dind
+
+variables:
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_DRIVER: overlay2
+
+# We compare the hash of default.nix file with a label of the Docker image
+# stored in the container registry; when they do not match, we will try
+# to build an image based on nixos/nix containing all the build dependencies,
+# then upload the built image to the registry. Finally the image will be used
+# to build the package using Nix, and to run checks.
+
+build_image:
+  stage: build
+  script: ci/build-image.sh "$CI_JOB_TOKEN" "$CI_REGISTRY_IMAGE:latest"
+  except:
+    - /^ci-.*/
+
+build:
+  stage: test
+  image: $CI_REGISTRY_IMAGE:latest
+  script: nix-build
+  except:
+    - /^ci-.*/
+
+# We use a different image tag for branches starting with “ci-” prefix so that
+# we could develop the CI set-up without interfering with the deployed one.
+# Since the CI tweaks are going to be quite rare, we are sharing a single
+# tag among all of them, in order not to clog the registry.
+
+build_image_dev:
+  stage: build
+  script: ci/build-image.sh "$CI_JOB_TOKEN" "$CI_REGISTRY_IMAGE:development"
+  only:
+    - /^ci-.*/
+
+build_dev:
+  stage: test
+  image: $CI_REGISTRY_IMAGE:development
+  script: nix-build
+  only:
+    - /^ci-.*/