WIP/backup: Deployment batch antigravity

.github/workflows/build.yml

@@ -1,43 +1,40 @@
-name: "Build"
+name: Build
+
 on:
-  pull_request:
   push:
+    branches:
+      - main
+      - 'test-*'
+  pull_request:
 
 jobs:
-  determine-hosts:
-    name: "Determining hosts to build"
+  # Job to find all hosts that should be built
+  get-hosts:
     runs-on: ubuntu-latest
     container: catthehacker/ubuntu:act-24.04
     outputs:
-      hosts: ${{ steps.hosts.outputs.hostnames }}
+      hosts: ${{ steps.set-hosts.outputs.hosts }}
     steps:
-      - uses: actions/checkout@v5
-      - uses: https://github.com/cachix/install-nix-action@v31
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: "Determine hosts"
-        id: hosts
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+      - id: set-hosts
         run: |
-          hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
-          printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
+          # Extract host names from nixosConfigurations
+          HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json)
+          echo "hosts=$HOSTS" >> $GITHUB_OUTPUT
 
   build:
+    needs: get-hosts
     runs-on: ubuntu-latest
     container: catthehacker/ubuntu:act-24.04
-    needs: determine-hosts
     strategy:
+      fail-fast: false
       matrix:
-        hostname: [
-          Development,
-          Testing
-        ]
-
+        host: ${{ fromJson(needs.get-hosts.outputs.hosts) }}
     steps:
-      - uses: actions/checkout@v5
-      - uses: https://github.com/cachix/install-nix-action@v31
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: "Build host"
-        run: |
-          nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose
-
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+      - name: Build NixOS configuration
+        run: nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel

.github/workflows/check.yml

@@ -0,0 +1,24 @@
+name: Check
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Flake check
+        run: nix flake check

.github/workflows/deploy.yml

@@ -0,0 +1,81 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+      - 'test-*'
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: 'Activation mode (switch, boot, test)'
+        default: 'switch'
+        required: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true
+          # Disable strict host key checking for the local network if needed, 
+          # or rely on known_hosts. For homelab, we can be slightly more relaxed 
+          # but let's try to be secure.
+          echo "StrictHostKeyChecking no" >> ~/.ssh/config
+
+      - name: Verify Commit Signature
+        if: github.event.sender.login != 'renovate[bot]'
+        run: |
+          # TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'.
+          # For GPG: gpg --export --armor <id> | base64 -w0
+          
+          if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then
+            echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety."
+            exit 1
+          fi
+          
+          # Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret.
+          # We use git to verify the signature of the current commit.
+          echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg
+          gpg --import /tmp/trusted_keys.gpg
+          
+          if ! git verify-commit HEAD; then
+            echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed."
+            exit 1
+          fi
+          echo "Commit signature verified successfully."
+
+      - name: Install deploy-rs
+        run: nix profile install github:serokell/deploy-rs
+
+      - name: Deploy to hosts
+        run: |
+          # Determine profile based on branch
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            # Main site: persistent deployment
+            deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ')
+          elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then
+            # Test branch: non-persistent deployment (test profile)
+            # The branch name should be test-<hostname>
+            HOSTNAME="${GITHUB_REF#refs/heads/test-}"
+            deploy .#${HOSTNAME}.test --skip-checks
+          fi
+
+      - name: Manual Deploy
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          # TODO: Implement manual dispatch logic if needed
+          deploy . --skip-checks