feat(ci): implement automated deployment pipeline with deploy-rs

2026-03-17 21:50:56 +01:00 · 2026-03-17 21:50:56 +01:00 · 33fcc55bf5
commit 33fcc55bf5
parent de1ee54b8b
17 changed files with 274 additions and 76 deletions
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -3,7 +3,19 @@
 let
  cfg = config.homelab.users.deploy;
 in {
-  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
+  options.homelab.users.deploy = {
+    enable = lib.mkEnableOption "user Deploy";
+
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      description = ''
+        Additional SSH public keys authorized for the deploy user.
+        The CI runner key should be provided as a base key; personal
+        workstation keys can be appended here per host or globally.
+      '';
+    };
+  };

  config = lib.mkIf cfg.enable {
    users = {
@ -21,6 +33,9 @@ in {
      };
    };

+    # Allow the deploy user to push closures to the nix store
+    nix.settings.trusted-users = [ "deploy" ];
+
    security.sudo.extraRules = [
      {
        groups = [