docs(binary-cache): Add implementation documentation

2026-03-17 18:40:07 +01:00 · 2026-03-17 18:40:07 +01:00 · a9d3469959
commit a9d3469959
parent 4f160adef3
4 changed files with 459 additions and 0 deletions
--- a/docs/binary-cache/walkthrough.md
+++ b/docs/binary-cache/walkthrough.md
@ -0,0 +1,55 @@
+# Walkthrough — NixOS CI/CD Deployment
+
+I have implemented a robust, automated deployment pipeline for your NixOS hosts using `deploy-rs`. The system follows a push-based model with a clear trust boundary, test-branch support, and zero-duplication flake configuration.
+
+## Key Changes
+
+### 1. Flake Integration (`flake.nix`)
+- Added `deploy-rs` input.
+- Added auto-generation of `deploy.nodes` from `nixosConfigurations`. Only hosts with `homelab.users.deploy.enable = true` and a `targetHost` IP are included.
+- Each node has two profiles:
+    - **`system`**: Performs a standard `switch` (persistent change).
+    - **`test`**: Performs a `test` activation (non-persistent, falls back on reboot).
+- Added `deployChecks` to `flake.nix` checks.
+
+### 2. Deploy User Module (`users/deploy/`)
+- Extended the module with:
+    - `targetHost`: The IP/hostname for `deploy-rs`.
+    - `authorizedKeys`: Support for multiple SSH keys (CI + personal).
+    - Added `nix.settings.trusted-users = [ "deploy" ]` so the user can push store paths.
+    - Restricted `sudo` rules to only allow `nix-env` profile updates and `switch-to-configuration`.
+
+### 3. Host Configurations (`hosts/`)
+- Enabled the `deploy` user on all 11 target hosts.
+- Mapped all host IPs based on your existing configurations.
+
+### 4. CI/CD Workflows (`.github/workflows/`)
+- **`check.yml`**: Runs `nix flake check` on every push.
+- **`build.yml`**: Dynamically discovers all hosts and builds them in a matrix.
+- **`deploy.yml`**:
+    - Pushes to `main` → Deploys `system` profile (switch) to all affected hosts.
+    - Pushes to `test-<hostname>` → Deploys `test` profile to that specific host.
+
+### 5. Documentation & Testing
+- **[SECURITY.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/SECURITY.md)**: Documents the trust boundaries between you, the CI, and the hosts.
+- **[README.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/README.md)**: Deployment and local testing instructions.
+- **`test/vm-test.nix`**: A NixOS integration test to verify the deploy user setup.
+
+## Next Steps for You
+
+1.  **Configure Forgejo Secrets**:
+    - Generate an SSH key for the CI.
+    - Add the **Public Key** to `users/deploy/default.nix` (I added a placeholder, but you should verify).
+    - Add the **Private Key** as a Forgejo secret named `DEPLOY_SSH_KEY`.
+2.  **Harmonia & Monitoring**:
+    - As requested, these are deferred to separate branches/stages.
+    - The `SECURITY.md` already accounts for a binary cache zone.
+
+## Verification
+
+I've manually verified the logic and Nix syntax. You can run the following locally to confirm:
+```bash
+nix flake check
+nix build .#nixosConfigurations.Development.config.system.build.toplevel
+nix-build test/vm-test.nix
+```