From 33fcc55bf5036e5b97db8d7f4c605698101cc3ec Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 17 Mar 2026 21:50:56 +0100 Subject: [PATCH] feat(ci): implement automated deployment pipeline with deploy-rs --- .github/workflows/build.yml | 53 +++++++++++-------- .github/workflows/check.yml | 24 +++++++++ .github/workflows/deploy.yml | 81 ++++++++++++++++++++++++++++ flake.nix | 93 +++++++++++++++++++++------------ hosts/ACE/default.nix | 6 ++- hosts/Binnenpost/default.nix | 4 +- hosts/Gitea/default.nix | 5 +- hosts/Ingress/default.nix | 13 +++-- hosts/Niko/default.nix | 1 + hosts/Production/default.nix | 4 +- hosts/ProductionArr/default.nix | 4 +- hosts/ProductionGPU/default.nix | 4 +- hosts/Testing/default.nix | 4 +- hosts/Vaultwarden/default.nix | 17 +++--- modules/common/default.nix | 1 + modules/common/networking.nix | 19 +++++++ users/deploy/default.nix | 17 +++++- 17 files changed, 274 insertions(+), 76 deletions(-) create mode 100644 .github/workflows/check.yml create mode 100644 .github/workflows/deploy.yml create mode 100644 modules/common/networking.nix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74d6457..e29b895 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,43 +1,50 @@ -name: "Build" +name: Build + on: - pull_request: push: + branches: + - main + - 'test-*' + pull_request: jobs: - determine-hosts: - name: "Determining hosts to build" + # Job to find all hosts that should be built + get-hosts: runs-on: ubuntu-latest container: catthehacker/ubuntu:act-24.04 outputs: - hosts: ${{ steps.hosts.outputs.hostnames }} + hosts: ${{ steps.set-hosts.outputs.hosts }} steps: - - uses: actions/checkout@v5 - - uses: https://github.com/cachix/install-nix-action@v31 - with: - nix_path: nixpkgs=channel:nixos-unstable - - name: "Determine hosts" - id: hosts + - uses: actions/checkout@v4 + - name: Install Nix + uses: cachix/install-nix-action@v27 + - id: set-hosts run: | - hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)" - printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}" + # Extract host names from nixosConfigurations + HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json) + echo "hosts=$HOSTS" >> $GITHUB_OUTPUT build: + needs: get-hosts runs-on: ubuntu-latest container: catthehacker/ubuntu:act-24.04 - needs: determine-hosts strategy: + fail-fast: false matrix: - hostname: [ - Development, - Testing - ] - + host: ${{ fromJson(needs.get-hosts.outputs.hosts) }} steps: - - uses: actions/checkout@v5 - - uses: https://github.com/cachix/install-nix-action@v31 + - uses: actions/checkout@v4 + - name: Install Nix + uses: cachix/install-nix-action@v27 with: nix_path: nixpkgs=channel:nixos-unstable - - name: "Build host" + - name: Build NixOS configuration run: | - nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose + nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel + - name: "Push to Attic" + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + run: | + nix profile install nixpkgs#attic-client + attic login homelab http://192.168.0.25:8080 "${{ secrets.ATTIC_TOKEN }}" + attic push homelab result diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml new file mode 100644 index 0000000..4cc892e --- /dev/null +++ b/.github/workflows/check.yml @@ -0,0 +1,24 @@ +name: Check + +on: + push: + branches: + - '**' + pull_request: + +jobs: + check: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + extra_nix_config: | + experimental-features = nix-command flakes + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + + - name: Flake check + run: nix flake check diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 0000000..a037a7a --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,81 @@ +name: Deploy + +on: + push: + branches: + - main + - 'test-*' + workflow_dispatch: + inputs: + mode: + description: 'Activation mode (switch, boot, test)' + default: 'switch' + required: true + +jobs: + deploy: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - name: Setup SSH + run: | + mkdir -p ~/.ssh + echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true + # Disable strict host key checking for the local network if needed, + # or rely on known_hosts. For homelab, we can be slightly more relaxed + # but let's try to be secure. + echo "StrictHostKeyChecking no" >> ~/.ssh/config + + - name: Verify Commit Signature + if: github.event.sender.login != 'renovate[bot]' + run: | + # TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'. + # For GPG: gpg --export --armor | base64 -w0 + + if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then + echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety." + exit 1 + fi + + # Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret. + # We use git to verify the signature of the current commit. + echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg + gpg --import /tmp/trusted_keys.gpg + + if ! git verify-commit HEAD; then + echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed." + exit 1 + fi + echo "Commit signature verified successfully." + + - name: Install deploy-rs + run: nix profile install github:serokell/deploy-rs + + - name: Deploy to hosts + run: | + # Determine profile based on branch + if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then + # Main site: persistent deployment + deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ') + elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then + # Test branch: non-persistent deployment (test profile) + # The branch name should be test- + HOSTNAME="${GITHUB_REF#refs/heads/test-}" + deploy .#${HOSTNAME}.test --skip-checks + fi + + - name: Manual Deploy + if: github.event_name == 'workflow_dispatch' + run: | + # TODO: Implement manual dispatch logic if needed + deploy . --skip-checks diff --git a/flake.nix b/flake.nix index aa18c00..8438f11 100644 --- a/flake.nix +++ b/flake.nix @@ -13,53 +13,78 @@ url = "github:gytis-ivaskevicius/flake-utils-plus"; inputs.flake-utils.follows = "flake-utils"; }; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ self, nixpkgs, - flake-utils, sops-nix, utils, + flake-utils, sops-nix, utils, deploy-rs, ... }: let system = utils.lib.system.x86_64-linux; + lib = nixpkgs.lib; in - utils.lib.mkFlake { - inherit self inputs; + utils.lib.mkFlake { + inherit self inputs; - hostDefaults = { - inherit system; - - modules = [ + hostDefaults.modules = [ ./modules ./users - sops-nix.nixosModules.sops ]; + + hosts = { + # Infrastructure + Niko.modules = [ ./hosts/Niko ]; + Ingress.modules = [ ./hosts/Ingress ]; + Gitea.modules = [ ./hosts/Gitea ]; + Vaultwarden.modules = [ ./hosts/Vaultwarden ]; + BinaryCache.modules = [ ./hosts/BinaryCache ]; + + # Production + Binnenpost.modules = [ ./hosts/Binnenpost ]; + Production.modules = [ ./hosts/Production ]; + ProductionGPU.modules = [ ./hosts/ProductionGPU ]; + ProductionArr.modules = [ ./hosts/ProductionArr ]; + ACE.modules = [ ./hosts/ACE ]; + + # Lab + Template.modules = [ ./hosts/Template ]; + Development.modules = [ ./hosts/Development ]; + Testing.modules = [ ./hosts/Testing ]; + }; + + deploy.nodes = let + pkg = deploy-rs.lib.${system}; + isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null); + in + builtins.mapAttrs (_: nixos: { + hostname = nixos.config.homelab.networking.hostIp; + sshUser = "deploy"; + user = "root"; + profiles.system.path = pkg.activate.nixos nixos; + profiles.test.path = pkg.activate.custom nixos.config.system.build.toplevel '' + $PROFILE/bin/switch-to-configuration test + ''; + }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations); + + checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib; + + outputsBuilder = channels: { + formatter = channels.nixpkgs.alejandra; + devShells.default = channels.nixpkgs.mkShell { + name = "homelab-dev"; + buildInputs = [ + deploy-rs.packages.${system}.deploy-rs + channels.nixpkgs.sops + channels.nixpkgs.age + ]; + shellHook = "echo '🛡️ Homelab Development Shell Loaded'"; + }; + }; }; - - hosts = { - # Physical hosts - Niko.modules = [ ./hosts/Niko ]; - - # Virtual machines - - # Single-service - Ingress.modules = [ ./hosts/Ingress ]; - Gitea.modules = [ ./hosts/Gitea ]; - Vaultwarden.modules = [ ./hosts/Vaultwarden ]; - BinaryCache.modules = [ ./hosts/BinaryCache ]; - - # Production multi-service - Binnenpost.modules = [ ./hosts/Binnenpost ]; - Production.modules = [ ./hosts/Production ]; - ProductionGPU.modules = [ ./hosts/ProductionGPU ]; - ProductionArr.modules = [ ./hosts/ProductionArr ]; - ACE.modules = [ ./hosts/ACE ]; - - # Others - Template.modules = [ ./hosts/Template ]; - Development.modules = [ ./hosts/Development ]; - Testing.modules = [ ./hosts/Testing ]; - }; - }; } diff --git a/hosts/ACE/default.nix b/hosts/ACE/default.nix index 04aa284..094b077 100644 --- a/hosts/ACE/default.nix +++ b/hosts/ACE/default.nix @@ -1,10 +1,12 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { config = { homelab = { + networking.hostIp = "192.168.0.41"; services.actions.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -24,7 +26,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.41"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Binnenpost/default.nix b/hosts/Binnenpost/default.nix index e1325ba..e325980 100644 --- a/hosts/Binnenpost/default.nix +++ b/hosts/Binnenpost/default.nix @@ -13,12 +13,14 @@ }; homelab = { + networking.hostIp = "192.168.0.89"; apps = { speedtest.enable = true; technitiumDNS.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -43,7 +45,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.89"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Gitea/default.nix b/hosts/Gitea/default.nix index c6c9b43..d6996b2 100644 --- a/hosts/Gitea/default.nix +++ b/hosts/Gitea/default.nix @@ -3,9 +3,12 @@ { config = { homelab = { + networking.hostIp = "192.168.0.24"; apps.gitea.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; + users.admin = { enable = true; authorizedKeys = [ @@ -28,7 +31,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.24"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index c0a3ac9..c16f151 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -2,7 +2,11 @@ { config = { - homelab.virtualisation.guest.enable = true; + homelab = { + networking.hostIp = "192.168.0.10"; + virtualisation.guest.enable = true; + users.deploy.enable = true; + }; networking = { hostName = "Ingress"; @@ -19,8 +23,8 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.10"; -prefixLength = 24; + address = config.homelab.networking.hostIp; + prefixLength = 24; } ]; }; @@ -39,6 +43,7 @@ prefixLength = 24; }; }; + security.acme = { acceptTerms = true; defaults = { @@ -46,7 +51,7 @@ prefixLength = 24; dnsPropagationCheck = true; dnsProvider = "cloudflare"; dnsResolver = "1.1.1.1:53"; - email = "tibo.depeuter@telenet.be"; + email = config.sops.placeholder.acme_email or "acme-email@example.com"; credentialFiles = { CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token"; }; diff --git a/hosts/Niko/default.nix b/hosts/Niko/default.nix index 910f325..c08ccdc 100644 --- a/hosts/Niko/default.nix +++ b/hosts/Niko/default.nix @@ -7,6 +7,7 @@ ]; homelab = { + networking.hostIp = "192.168.0.11"; apps = { technitiumDNS.enable = true; traefik.enable = true; diff --git a/hosts/Production/default.nix b/hosts/Production/default.nix index 9bb565d..a4ebc75 100644 --- a/hosts/Production/default.nix +++ b/hosts/Production/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.31"; apps = { calibre.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -31,7 +33,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.31"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/ProductionArr/default.nix b/hosts/ProductionArr/default.nix index ff4f4c2..1168bc8 100644 --- a/hosts/ProductionArr/default.nix +++ b/hosts/ProductionArr/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.33"; apps = { arr.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -31,7 +33,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.33"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/ProductionGPU/default.nix b/hosts/ProductionGPU/default.nix index fa9ca8c..5f8ad82 100644 --- a/hosts/ProductionGPU/default.nix +++ b/hosts/ProductionGPU/default.nix @@ -3,8 +3,10 @@ { config = { homelab = { + networking.hostIp = "192.168.0.94"; apps.jellyfin.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -28,7 +30,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.94"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Testing/default.nix b/hosts/Testing/default.nix index cc353f6..cc4efcf 100644 --- a/hosts/Testing/default.nix +++ b/hosts/Testing/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.92"; apps = { freshrss.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -32,7 +34,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.92"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Vaultwarden/default.nix b/hosts/Vaultwarden/default.nix index 5ded575..b24ef6d 100644 --- a/hosts/Vaultwarden/default.nix +++ b/hosts/Vaultwarden/default.nix @@ -3,6 +3,7 @@ { config = { homelab = { + networking.hostIp = "192.168.0.22"; apps.vaultwarden = { enable = true; domain = "https://vault.depeuter.dev"; @@ -10,11 +11,15 @@ }; virtualisation.guest.enable = true; - users.admin = { - enable = true; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" - ]; + users = { + deploy.enable = true; + + admin = { + enable = true; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" + ]; + }; }; }; @@ -32,7 +37,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.22"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/modules/common/default.nix b/modules/common/default.nix index dc6cb5f..03fe2dd 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./networking.nix ./secrets.nix ./substituters.nix ]; diff --git a/modules/common/networking.nix b/modules/common/networking.nix new file mode 100644 index 0000000..837684e --- /dev/null +++ b/modules/common/networking.nix @@ -0,0 +1,19 @@ +{ config, lib, ... }: + +{ + options.homelab.networking = { + hostIp = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + The primary IP address of the host. + Used for automated deployment and internal service discovery. + ''; + }; + }; + + config = lib.mkIf (config.homelab.networking.hostIp != null) { + # If a hostIp is provided, we can potentially use it to configure + # networking interfaces or firewall rules automatically here in the future. + }; +} diff --git a/users/deploy/default.nix b/users/deploy/default.nix index 93505fc..5c28561 100644 --- a/users/deploy/default.nix +++ b/users/deploy/default.nix @@ -3,7 +3,19 @@ let cfg = config.homelab.users.deploy; in { - options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy"; + options.homelab.users.deploy = { + enable = lib.mkEnableOption "user Deploy"; + + authorizedKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + description = '' + Additional SSH public keys authorized for the deploy user. + The CI runner key should be provided as a base key; personal + workstation keys can be appended here per host or globally. + ''; + }; + }; config = lib.mkIf cfg.enable { users = { @@ -21,6 +33,9 @@ in { }; }; + # Allow the deploy user to push closures to the nix store + nix.settings.trusted-users = [ "deploy" ]; + security.sudo.extraRules = [ { groups = [