tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions

feat(ci): implement automated deployment pipeline with deploy-rs

Browse source
This commit is contained in:
Tibo De Peuter 2026-03-17 21:50:56 +01:00
parent de1ee54b8b
commit 33fcc55bf5
Signed by: tdpeuter
GPG key ID: 38297DE43F75FFE2
17 changed files with 274 additions and 76 deletions
Download patch file Download diff file Expand all files Collapse all files

53
.github/workflows/build.yml vendored
View file

@ -1,43 +1,50 @@
name: "Build"
name: Build
on:
pull_request:
push:
branches:
- main
- 'test-*'
pull_request:
jobs:
determine-hosts:
name: "Determining hosts to build"
# Job to find all hosts that should be built
get-hosts:
runs-on: ubuntu-latest
container: catthehacker/ubuntu:act-24.04
outputs:
hosts: ${{ steps.hosts.outputs.hostnames }}
hosts: ${{ steps.set-hosts.outputs.hosts }}
steps:
- uses: actions/checkout@v5
- uses: https://github.com/cachix/install-nix-action@v31
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: "Determine hosts"
id: hosts
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
- id: set-hosts
run: |
hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
# Extract host names from nixosConfigurations
HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json)
echo "hosts=$HOSTS" >> $GITHUB_OUTPUT
build:
needs: get-hosts
runs-on: ubuntu-latest
container: catthehacker/ubuntu:act-24.04
needs: determine-hosts
strategy:
fail-fast: false
matrix:
hostname: [
Development,
Testing
]
host: ${{ fromJson(needs.get-hosts.outputs.hosts) }}
steps:
- uses: actions/checkout@v5
- uses: https://github.com/cachix/install-nix-action@v31
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: "Build host"
- name: Build NixOS configuration
run: |
nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose
nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
- name: "Push to Attic"
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
nix profile install nixpkgs#attic-client
attic login homelab http://192.168.0.25:8080 "${{ secrets.ATTIC_TOKEN }}"
attic push homelab result

24
.github/workflows/check.yml vendored Normal file
View file

@ -0,0 +1,24 @@
name: Check
on:
push:
branches:
- '**'
pull_request:
jobs:
check:
runs-on: ubuntu-latest
container: catthehacker/ubuntu:act-24.04
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: Flake check
run: nix flake check

81
.github/workflows/deploy.yml vendored Normal file
View file

@ -0,0 +1,81 @@
name: Deploy
on:
push:
branches:
- main
- 'test-*'
workflow_dispatch:
inputs:
mode:
description: 'Activation mode (switch, boot, test)'
default: 'switch'
required: true
jobs:
deploy:
runs-on: ubuntu-latest
container: catthehacker/ubuntu:act-24.04
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
extra_nix_config: |
experimental-features = nix-command flakes
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true
# Disable strict host key checking for the local network if needed,
# or rely on known_hosts. For homelab, we can be slightly more relaxed
# but let's try to be secure.
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: Verify Commit Signature
if: github.event.sender.login != 'renovate[bot]'
run: |
# TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'.
# For GPG: gpg --export --armor <id> | base64 -w0
if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then
echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety."
exit 1
fi
# Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret.
# We use git to verify the signature of the current commit.
echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg
gpg --import /tmp/trusted_keys.gpg
if ! git verify-commit HEAD; then
echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed."
exit 1
fi
echo "Commit signature verified successfully."
- name: Install deploy-rs
run: nix profile install github:serokell/deploy-rs
- name: Deploy to hosts
run: |
# Determine profile based on branch
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
# Main site: persistent deployment
deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ')
elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then
# Test branch: non-persistent deployment (test profile)
# The branch name should be test-<hostname>
HOSTNAME="${GITHUB_REF#refs/heads/test-}"
deploy .#${HOSTNAME}.test --skip-checks
fi
- name: Manual Deploy
if: github.event_name == 'workflow_dispatch'
run: |
# TODO: Implement manual dispatch logic if needed
deploy . --skip-checks

53
flake.nix
View file

@ -13,53 +13,78 @@
url = "github:gytis-ivaskevicius/flake-utils-plus";
inputs.flake-utils.follows = "flake-utils";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs@{
self, nixpkgs,
flake-utils, sops-nix, utils,
flake-utils, sops-nix, utils, deploy-rs,
...
}:
let
system = utils.lib.system.x86_64-linux;
lib = nixpkgs.lib;
in
utils.lib.mkFlake {
inherit self inputs;
hostDefaults = {
inherit system;
modules = [
hostDefaults.modules = [
./modules
./users
sops-nix.nixosModules.sops
];
};
hosts = {
# Physical hosts
# Infrastructure
Niko.modules = [ ./hosts/Niko ];
# Virtual machines
# Single-service
Ingress.modules = [ ./hosts/Ingress ];
Gitea.modules = [ ./hosts/Gitea ];
Vaultwarden.modules = [ ./hosts/Vaultwarden ];
BinaryCache.modules = [ ./hosts/BinaryCache ];
# Production multi-service
# Production
Binnenpost.modules = [ ./hosts/Binnenpost ];
Production.modules = [ ./hosts/Production ];
ProductionGPU.modules = [ ./hosts/ProductionGPU ];
ProductionArr.modules = [ ./hosts/ProductionArr ];
ACE.modules = [ ./hosts/ACE ];
# Others
# Lab
Template.modules = [ ./hosts/Template ];
Development.modules = [ ./hosts/Development ];
Testing.modules = [ ./hosts/Testing ];
};
deploy.nodes = let
pkg = deploy-rs.lib.${system};
isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null);
in
builtins.mapAttrs (_: nixos: {
hostname = nixos.config.homelab.networking.hostIp;
sshUser = "deploy";
user = "root";
profiles.system.path = pkg.activate.nixos nixos;
profiles.test.path = pkg.activate.custom nixos.config.system.build.toplevel ''
$PROFILE/bin/switch-to-configuration test
'';
}) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
outputsBuilder = channels: {
formatter = channels.nixpkgs.alejandra;
devShells.default = channels.nixpkgs.mkShell {
name = "homelab-dev";
buildInputs = [
deploy-rs.packages.${system}.deploy-rs
channels.nixpkgs.sops
channels.nixpkgs.age
];
shellHook = "echo '🛡 Homelab Development Shell Loaded'";
};
};
};
}

6
hosts/ACE/default.nix
View file

@ -1,10 +1,12 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
config = {
homelab = {
networking.hostIp = "192.168.0.41";
services.actions.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -24,7 +26,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.41";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/Binnenpost/default.nix
View file

@ -13,12 +13,14 @@
};
homelab = {
networking.hostIp = "192.168.0.89";
apps = {
speedtest.enable = true;
technitiumDNS.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -43,7 +45,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.89";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

5
hosts/Gitea/default.nix
View file

@ -3,9 +3,12 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.24";
apps.gitea.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
users.admin = {
enable = true;
authorizedKeys = [
@ -28,7 +31,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.24";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

13
hosts/Ingress/default.nix
View file

@ -2,7 +2,11 @@
{
config = {
homelab.virtualisation.guest.enable = true;
homelab = {
networking.hostIp = "192.168.0.10";
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
hostName = "Ingress";
@ -19,8 +23,8 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.10";
prefixLength = 24;
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];
};
@ -39,6 +43,7 @@ prefixLength = 24;
};
};
security.acme = {
acceptTerms = true;
defaults = {
@ -46,7 +51,7 @@ prefixLength = 24;
dnsPropagationCheck = true;
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
email = "tibo.depeuter@telenet.be";
email = config.sops.placeholder.acme_email or "acme-email@example.com";
credentialFiles = {
CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
};

1
hosts/Niko/default.nix
View file

@ -7,6 +7,7 @@
];
homelab = {
networking.hostIp = "192.168.0.11";
apps = {
technitiumDNS.enable = true;
traefik.enable = true;

4
hosts/Production/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.31";
apps = {
calibre.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -31,7 +33,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.31";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/ProductionArr/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.33";
apps = {
arr.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -31,7 +33,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.33";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/ProductionGPU/default.nix
View file

@ -3,8 +3,10 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.94";
apps.jellyfin.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -28,7 +30,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.94";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/Testing/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.92";
apps = {
freshrss.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -32,7 +34,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.92";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

9
hosts/Vaultwarden/default.nix
View file

@ -3,6 +3,7 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.22";
apps.vaultwarden = {
enable = true;
domain = "https://vault.depeuter.dev";
@ -10,13 +11,17 @@
};
virtualisation.guest.enable = true;
users.admin = {
users = {
deploy.enable = true;
admin = {
enable = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
];
};
};
};
networking = {
hostId = "aaaa1300";
@ -32,7 +37,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.22";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

1
modules/common/default.nix
View file

@ -1,5 +1,6 @@
{
imports = [
./networking.nix
./secrets.nix
./substituters.nix
];

19
modules/common/networking.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options.homelab.networking = {
hostIp = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
The primary IP address of the host.
Used for automated deployment and internal service discovery.
'';
};
};
config = lib.mkIf (config.homelab.networking.hostIp != null) {
# If a hostIp is provided, we can potentially use it to configure
# networking interfaces or firewall rules automatically here in the future.
};
}

17
users/deploy/default.nix
View file

@ -3,7 +3,19 @@
let
cfg = config.homelab.users.deploy;
in {
options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
options.homelab.users.deploy = {
enable = lib.mkEnableOption "user Deploy";
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = ''
Additional SSH public keys authorized for the deploy user.
The CI runner key should be provided as a base key; personal
workstation keys can be appended here per host or globally.
'';
};
};
config = lib.mkIf cfg.enable {
users = {
@ -21,6 +33,9 @@ in {
};
};
# Allow the deploy user to push closures to the nix store
nix.settings.trusted-users = [ "deploy" ];
security.sudo.extraRules = [
{
groups = [