flake: introduce sets

.github/actions/release_artifacts/action.yml

@@ -28,13 +28,14 @@ runs:
       shell: bash
       env:
         CONTAINER_REGISTRY: ${{ inputs.container_registry }}
+        SET: base
       run: |
-        coordinatorImg=$(nix run .#containers.push-coordinator -- "${CONTAINER_REGISTRY}/contrast/coordinator")
-        nodeInstallerKataImg=$(nix run .#containers.push-node-installer-kata -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
-        nodeInstallerKataGPUImg=$(nix run .#containers.push-node-installer-kata-gpu -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
-        initializerImg=$(nix run .#containers.push-initializer -- "${CONTAINER_REGISTRY}/contrast/initializer")
-        serviceMeshImg=$(nix run .#containers.push-service-mesh-proxy -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
-        debugShellImg=$(nix run .#containers.push-debugshell -- "${CONTAINER_REGISTRY}/contrast/debugshell")
+        coordinatorImg=$(nix run ".#${SET}.containers.push-coordinator" -- "${CONTAINER_REGISTRY}/contrast/coordinator")
+        nodeInstallerKataImg=$(nix run ".#${SET}.containers.push-node-installer-kata" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata")
+        nodeInstallerKataGPUImg=$(nix run ".#${SET}.containers.push-node-installer-kata-gpu" -- "${CONTAINER_REGISTRY}/contrast/node-installer-kata-gpu")
+        initializerImg=$(nix run ".#${SET}.containers.push-initializer" -- "${CONTAINER_REGISTRY}/contrast/initializer")
+        serviceMeshImg=$(nix run ".#${SET}.containers.push-service-mesh-proxy" -- "${CONTAINER_REGISTRY}/contrast/service-mesh-proxy")
+        debugShellImg=$(nix run ".#${SET}.containers.push-debugshell" -- "${CONTAINER_REGISTRY}/contrast/debugshell")
         echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_OUTPUT"
         echo "nodeInstallerMsftImg=$nodeInstallerMsftImg" | tee -a "$GITHUB_OUTPUT"
         echo "nodeInstallerKataImg=$nodeInstallerKataImg" | tee -a "$GITHUB_OUTPUT"
@@ -123,15 +124,19 @@ runs:
         EOF
     - name: Create coordinator resource definitions
       shell: bash
+      env:
+        SET: base
       run: |
         mkdir -p workspace
 
-        nix shell .#contrast.resourcegen --command resourcegen \
+        nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
           --image-replacements "./image-replacements.txt" \
           --add-load-balancers \
           coordinator > "workspace/coordinator.yml"
     - name: Create runtime resource definitions
       shell: bash
+      env:
+        SET: base
       run: |
         platforms=(
           "metal-qemu-snp-gpu"
@@ -140,7 +145,7 @@ runs:
           "metal-qemu-tdx-gpu"
         )
         for platform in "${platforms[@]}"; do
-          nix shell .#contrast.resourcegen --command resourcegen \
+          nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
             --image-replacements ./image-replacements.txt \
             --namespace contrast-system \
             --add-namespace-object \
@@ -149,28 +154,32 @@ runs:
         done
     - name: Create demo resource definitions
       shell: bash
+      env:
+        SET: base
       run: |
-        nix shell .#contrast.resourcegen --command resourcegen \
+        nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
           --image-replacements ./image-replacements.txt \
           --add-load-balancers emojivoto-sm-ingress > workspace/emojivoto-demo.yml
-        nix shell .#contrast.resourcegen --command resourcegen \
+        nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
           --image-replacements ./image-replacements.txt \
           --add-load-balancers mysql > workspace/mysql-demo.yml
-        nix shell .#contrast.resourcegen --command resourcegen \
+        nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
           --image-replacements ./image-replacements.txt \
           --add-load-balancers vault > workspace/vault-demo.yml
     - name: Create node installer target configs
       shell: bash
       run: |
-        nix shell .#contrast.resourcegen --command resourcegen \
+        nix shell ".#${SET}.contrast.resourcegen" --command resourcegen \
           --node-installer-target-conf-type k3s \
           --namespace contrast-system \
           --add-namespace-object \
           node-installer-target-conf > workspace/node-installer-target-config-k3s.yml
     - name: Build CLI
       shell: bash
+      env:
+        SET: base
       run: |
-        nix build -L .#contrast.cli-release --out-link workspace/contrast-cli
+        nix build -L ".#${SET}.contrast.cli-release" --out-link workspace/contrast-cli
     - name: AWS login (IAM role)
       uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
       with:

.github/workflows/bm_maintenance.yml

@@ -73,6 +73,8 @@ jobs:
       snp-gpu: ${{ steps.report.outputs.Metal-QEMU-SNP-GPU }}
       snp-dev: ${{ steps.report.outputs.Metal-QEMU-SNP-DEV }}
       tdx-gpu: ${{ steps.report.outputs.Metal-QEMU-TDX-GPU }}
+    env:
+      SET: base
     permissions:
       contents: read
     strategy:
@@ -96,15 +98,15 @@ jobs:
       - uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1.2.1
       - name: Update storageclass
         run: |
-          nix build .#csi-driver-host-path
+          nix build ".#${SET}.csi-driver-host-path"
           kubectl apply -k result
       - name: Update sync fifo for GPU platform
         if: ${{ matrix.platform.name == 'Metal-QEMU-SNP-GPU' || matrix.platform.name == 'Metal-QEMU-TDX-GPU' }}
         run: |
           kubectl apply -k tools/bm-maintenance/sync-fifo
           kubectl rollout status statefulset/sync --timeout=5m
           kubectl wait --for=jsonpath='{.status.loadBalancer.ingress[0].ip}' --timeout=5m svc/sync
-          nix run .#scripts.renew-sync-fifo
+          nix run ".#${SET}.scripts.renew-sync-fifo"
       - name: Update namespace cleanup cronjob
         id: update
         env:
@@ -120,7 +122,7 @@ jobs:
           if [[ "${{ matrix.platform.name }}" == "Metal-QEMU-TDX-GPU" ]]; then
             OPTS+=(--blackwell)
           fi
-          nix run .#scripts.upgrade-gpu-operator -- "${OPTS[@]}"
+          nix run ".#${SET}.scripts.upgrade-gpu-operator" -- "${OPTS[@]}"
       - name: Report success
         id: report
         run: |

.github/workflows/check_patches.yml

@@ -14,6 +14,8 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+    env:
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -26,7 +28,7 @@ jobs:
       - id: kataversion
         working-directory: contrast
         run: |
-          echo "v=$(nix eval --raw .#kata.runtime.version)" >> "$GITHUB_OUTPUT"
+          echo "v=$(nix eval --raw ".#${SET}.kata.runtime.version")" >> "$GITHUB_OUTPUT"
       - name: Check out Kata
         env:
           KATA_VERSION: ${{ steps.kataversion.outputs.v }}

.github/workflows/docs_publish.yml

@@ -36,6 +36,7 @@ jobs:
       (github.repository_owner == github.event.pull_request.head.repo.owner.login)
     env:
       PREVIEW: ${{ !(github.event_name == 'push' && github.ref_name == 'main') }}
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -48,7 +49,7 @@ jobs:
       - name: Build production website
         if: env.PREVIEW == 'false'
         run: |
-          nix build -L .#contrast.docs
+          nix build -L ".#${SET}.contrast.docs"
       - name: Publish docs to GitHub Pages
         if: env.PREVIEW == 'false'
         uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
@@ -61,7 +62,7 @@ jobs:
       - name: Build preview website
         if: env.PREVIEW == 'true'
         run: |
-          nix build -L --impure --expr "(builtins.getFlake \"git+file://$(pwd)?shallow=1\").outputs.legacyPackages.x86_64-linux.contrast.docs.override { docusaurusBaseUrl = \"contrast/pr-preview/pr-${{ github.event.number }}\"; }"
+          nix build -L --impure --expr "(builtins.getFlake \"git+file://$(pwd)?shallow=1\").outputs.legacyPackages.x86_64-linux.${SET}.contrast.docs.override { docusaurusBaseUrl = \"contrast/pr-preview/pr-${{ github.event.number }}\"; }"
       - name: Deploy preview
         if: env.PREVIEW == 'true'
         uses: rossjrw/pr-preview-action@ffa7509e91a3ec8dfc2e5536c4d5c1acdf7a6de9 # v1.8.1

.github/workflows/e2e.yml

@@ -51,6 +51,7 @@ jobs:
       TEST_NAME: ${{ inputs.test-name }}
       CONTRAST_GHCR_READ: ${{ secrets.CONTRAST_GHCR_READ }}
       DEBUG_SHELL: ${{ inputs.debug-shell }}
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -75,6 +76,7 @@ jobs:
           node_installer_target_conf_type=${NODE_INSTALLER_TARGET_CONF_TYPE}
           debug=${DEBUG_SHELL}
           namespace_suffix="-ci"
+          set="${SET}"
           EOF
       - name: Build and push container images
         run: |
@@ -89,8 +91,8 @@ jobs:
           just get-credentials
       - name: E2E Test
         run: |
-          nix build .#scripts.get-logs
-          nix run .#scripts.get-logs start workspace/just.namespace &
+          nix build ".#${SET}.scripts.get-logs"
+          nix run ".#${SET}.scripts.get-logs" start workspace/just.namespace &
           just e2e "${TEST_NAME}"
       - name: Check for skipped
         id: skipped
@@ -104,7 +106,7 @@ jobs:
       - name: Download logs
         if: always() && steps.skipped.outputs.skipped == 'false'
         run: |
-          nix run .#scripts.get-logs download workspace/just.namespace
+          nix run ".#${SET}.scripts.get-logs" download workspace/just.namespace
       - name: Upload logs
         if: always() && steps.skipped.outputs.skipped == 'false'
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0

.github/workflows/e2e_runtime-reproducibility.yml

@@ -27,6 +27,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
+    env:
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -44,11 +46,11 @@ jobs:
       - name: Build
         id: build
         run: |
-          nix build .#${{ matrix.build-target }} --option substituters https://cache.nixos.org --builders ""
+          nix build ".#${SET}.${{ matrix.build-target }}" --option substituters https://cache.nixos.org --builders ""
           reference_checksum="$(jq  -r '.manifests[0].digest' result/index.json)"
           echo "$reference_checksum" > ${{ matrix.build-target }}-${{ matrix.os }}-reference_checksum.txt
 
-          nix build .#${{ matrix.build-target }} --rebuild --option substituters https://cache.nixos.org --builders "" -o rebuild
+          nix build ".#${SET}.${{ matrix.build-target }}" --rebuild --option substituters https://cache.nixos.org --builders "" -o rebuild
           rebuild_checksum="$(jq  -r '.manifests[0].digest' rebuild/index.json)"
           echo "$rebuild_checksum" > ${{ matrix.build-target }}-${{ matrix.os }}-rebuild_checksum.txt
       - name: Upload Build Artifacts

.github/workflows/imagepuller-benchmark.yml

@@ -18,6 +18,8 @@ jobs:
       contents: read
       packages: read
       id-token: write
+    env:
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -41,8 +43,8 @@ jobs:
           EOF
       - name: Run imagepuller-benchmark script
         run: |
-          imagpullerbenchmark="$(nix build .#imagepuller-benchmark --print-out-paths)/bin/imagepuller-benchmark"
-          imagepuller="$(nix build .#imagepuller --print-out-paths)/bin/imagepuller"
+          imagpullerbenchmark="$(nix build ".#${SET}.imagepuller-benchmark" --print-out-paths)/bin/imagepuller-benchmark"
+          imagepuller="$(nix build ".#${SET}.imagepuller" --print-out-paths)/bin/imagepuller"
           sudo "$imagpullerbenchmark" \
             "$imagepuller" \
             ./tools/imagepuller-benchmark/benchmark.json \

.github/workflows/links.yml

@@ -15,6 +15,8 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+    env:
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -34,7 +36,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          nix run .#nixpkgs.lychee -- --config tools/lychee/config-external.toml .
+          nix run ".#${SET}.nixpkgs.lychee" -- --config tools/lychee/config-external.toml .
       - name: Save lychee cache
         uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         if: always()

.github/workflows/release.yml

@@ -131,6 +131,7 @@ jobs:
       VERSION: ${{ inputs.version }}
       MAJOR_MINOR: ${{ needs.process-inputs.outputs.MAJOR_MINOR }}
       MAJOR_MINOR_PATCH: ${{ needs.process-inputs.outputs.MAJOR_MINOR_PATCH }}
+      SET: base
     steps:
       - name: Checkout working branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -156,8 +157,8 @@ jobs:
         if: inputs.kind == 'minor'
         working-directory: contrast-main/docs
         run: |
-          nix run .#nixpkgs.yarn install
-          nix run .#nixpkgs.yarn docusaurus docs:version "${MAJOR_MINOR}"
+          nix run ".#${SET}.nixpkgs.yarn install"
+          nix run ".#${SET}.nixpkgs.yarn" docusaurus docs:version "${MAJOR_MINOR}"
           git add .
           git commit -am "docs: release ${MAJOR_MINOR}"
           # Clean up auxiliary files, so next steps run on a clean tree
@@ -169,7 +170,7 @@ jobs:
           name: image-replacements
       - name: Update release urls in docs with tags
         working-directory: contrast-main
-        run: nix run .#scripts.update-release-urls
+        run: nix run ".#${SET}.scripts.update-release-urls"
       - name: Commit updated docs
         working-directory: contrast-main
         run: |
@@ -184,7 +185,7 @@ jobs:
           path: ./contrast-main
       - name: Update contrast-releases.json with new release
         working-directory: contrast-main
-        run: nix run .#scripts.update-contrast-releases
+        run: nix run ".#${SET}.scripts.update-contrast-releases"
       - name: Commit updated contrast-releases.json
         working-directory: contrast-main
         run: |
@@ -318,6 +319,7 @@ jobs:
     needs: [process-inputs, release, nightly]
     env:
       VERSION: ${{ inputs.version }}
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -355,9 +357,9 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           mkdir -p workspace
-          nix build .#scripts.get-logs
-          nix run .#scripts.get-logs start workspace/just.namespace &
-          nix shell -L .#contrast.e2e --command release.test \
+          nix build ".#${SET}.scripts.get-logs"
+          nix run ".#${SET}.scripts.get-logs start" workspace/just.namespace &
+          nix shell -L ".#${SET}.contrast.e2e" --command release.test \
             -test.v \
             --tag "${VERSION}" \
             --platform ${{ matrix.platform.name }} \
@@ -366,7 +368,7 @@ jobs:
       - name: Download logs
         if: always()
         run: |
-          nix run .#scripts.get-logs download workspace/just.namespace
+          nix run ".#${SET}.scripts.get-logs download" workspace/just.namespace
       - name: Cleanup
         if: always()
         run: |

.github/workflows/rim_updates.yml

@@ -12,6 +12,8 @@ jobs:
     timeout-minutes: 20
     permissions:
       contents: read
+    env:
+      SET: base
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -24,7 +26,7 @@ jobs:
           cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
       - name: Update RIM IDs
         run: |
-          nix run .#scripts.get-nvidia-rim-ids > dev-docs/nvidia/rim-ids.json
+          nix run ".#${SET}.scripts.get-nvidia-rim-ids" > dev-docs/nvidia/rim-ids.json
       - name: Create PR
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with: