From 46e633c8b938d5f0b741f270f429ca868bffd645 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sat, 24 Jun 2023 12:36:57 -0600
Subject: [PATCH] fixup updates to ami workflow
---
 generators/aws/workflow.yml | 38 ++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/generators/aws/workflow.yml b/generators/aws/workflow.yml
index c0210e2..b8e38d1 100644
--- a/generators/aws/workflow.yml
+++ b/generators/aws/workflow.yml
@@ -1,7 +1,6 @@
 name: 'Terraform' env: - AWS_ACCOUNT_NUMBER: '' AWS_PLAN_ROLE_NAME: github_actions_plan AWS_APPLY_ROLE_NAME: github_actions_admin
@@ -82,15 +81,14 @@ jobs:
 # Downloads the current repo code to the runner. - name: Checkout Repo Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - # Install Nix - - name: Install Nix - uses: cachix/install-nix-action@v17 - - # Build the image - - name: Build Image - run: nix build .#aws + # Enable access to KVM, required to build an image + - name: Enable KVM group perms + run: | + echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules + sudo udevadm control --reload-rules + sudo udevadm trigger --name-match=kvm # Login to AWS - name: AWS Assume Role 
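Review bot: The `Enable KVM group perms` step installs a udev rule with `MODE="0666"`, which makes `/dev/kvm` readable and writable by every account on the runner for the rest of the job; that is the usual arrangement on an ephemeral GitHub-hosted runner, but the rule file under `/etc/udev/rules.d/` outlives the job on a self-hosted runner, so a comment such as `# Assumes an ephemeral GitHub-hosted runner; this rule persists on self-hosted runners` would record the assumption. Separately, `actions/checkout@v3` here and `cachix/install-nix-action@v17` in the next hunk are pinned to mutable tags; pinning each to its full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v3`) means a retargeted tag cannot change what runs in the job. The `steps` list continues past both ends of this hunk.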
@@ -99,6 +97,28 @@ jobs:
 role-to-assume: ${{ env.AWS_ROLE_ARN }} aws-region: ${{ env.AWS_REGION }} + # Install Nix + - name: Install Nix + uses: cachix/install-nix-action@v17 + with: + extra_nix_config: | + substituters = s3://insert-cache-bucket https://cache.nixos.org/ + trusted-public-keys = insert-cache-bucket:M6PsZjHXcLvbQyPUBLICKEYGVoNwI84g1FBQzouRU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + + # Build the image + - name: Build Image + run: nix build .#aws + + # Copy the image to S3 + - name: Upload Image to Cache + env: + NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }} + run: | + echo "$NIX_CACHE_PRIVATE_KEY" > cache.key + nix store sign --key-file cache.key $(readlink result) + nix copy --to s3://t2-aws-nixos-test $(readlink result) + rm cache.key + # Exports all GitHub Secrets as environment variables prefixed by # "TF_VAR_", which exposes them to Terraform. The name of each GitHub # Secret must match its Terraform variable name exactly.
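Review bot: The `Upload Image to Cache` step writes the signing key to `cache.key` with the runner's default umask and removes it only on the success path, so a failure in `nix store sign` or `nix copy` leaves the private key in the checked-out workspace for the rest of the job. Starting the script with `umask 077` and `trap 'rm -f cache.key' EXIT` (and dropping the trailing `rm cache.key`) keeps the file owner-only and removes it on every exit; quoting `"$(readlink result)"` in the two nix commands is cheap while here. In the `Install Nix` step the `substituters` and `trusted-public-keys` lines refer to `s3://insert-cache-bucket` with what reads as a placeholder key, while the copy step pushes to `s3://t2-aws-nixos-test`; unless the generator substitutes the former later, the build never reads from the cache it signs for, and the two should name the same bucket and key. The `steps` list continues past both ends of this hunk.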