tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions

refactor: optimize flake.nix and modularize networking config

Browse source 
Cleaner deploy.nodes generation, improved devShell experience, and centralized host IP definitions using utils.lib.system variables.
This commit is contained in:
Tibo De Peuter 2026-03-17 19:40:34 +01:00
parent 5a031b48ed
commit f8ed707253
Signed by: tdpeuter
GPG key ID: 38297DE43F75FFE2
13 changed files with 182 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

64
README.md Normal file
View file

@ -0,0 +1,64 @@
# Bos55 NixOS Config
Automated CI/CD deployment for NixOS homelab using `deploy-rs`.
## Repository Structure
- `hosts/`: Host-specific configurations.
- `modules/`: Shared NixOS modules.
- `users/`: User definitions (including the `deploy` user).
- `secrets/`: Encrypted secrets via `sops-nix`.
## Deployment Workflow
### Prerequisites
- SSH access to the `deploy` user on target hosts.
- `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`).
### Deployment Modes
1. **Production Deployment (main branch):**
Triggered on push to `main`. Automatically builds and switches all hosts. bootloader is updated.
Manual: `deploy .`
2. **Test Deployment (test-<hostname> branch):**
Triggered on push to `test-<hostname>`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation.
Manual: `deploy .#<hostname>.test`
3. **Kernel Upgrades / Maintenance:**
Use `deploy .#<hostname>.system --boot` to update the bootloader without immediate activation, followed by a manual reboot.
## Local Development
### 1. Developer Shell
This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.).
```bash
nix develop
# or if using direnv
direnv allow
```
### 2. Build a host VM
You can build a QEMU VM for any host configuration to test changes locally:
```bash
nix build .#nixosConfigurations.<hostname>.config.system.build.vm
./result/bin/run-<hostname>-vm
```
> [!WARNING]
> **Network Conflict**: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.
### 3. Run Integration Tests
Run the automated test suite:
```bash
nix-build test/vm-test.nix
```
### 3. Test CI Workflows Locally
Use `act` to test the GitHub Actions workflows:
```bash
act -W .github/workflows/check.yml
```
## Security
See [SECURITY.md](SECURITY.md) for details on the trust model and secret management.

53
flake.nix
View file

@ -13,52 +13,77 @@
url = "github:gytis-ivaskevicius/flake-utils-plus";
inputs.flake-utils.follows = "flake-utils";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs@{
self, nixpkgs,
flake-utils, sops-nix, utils,
flake-utils, sops-nix, utils, deploy-rs,
...
}:
let
system = utils.lib.system.x86_64-linux;
lib = nixpkgs.lib;
in
utils.lib.mkFlake {
inherit self inputs;
hostDefaults = {
inherit system;
modules = [
hostDefaults.modules = [
./modules
./users
sops-nix.nixosModules.sops
];
};
hosts = {
# Physical hosts
# Infrastructure
Niko.modules = [ ./hosts/Niko ];
# Virtual machines
# Single-service
Ingress.modules = [ ./hosts/Ingress ];
Gitea.modules = [ ./hosts/Gitea ];
Vaultwarden.modules = [ ./hosts/Vaultwarden ];
# Production multi-service
# Production
Binnenpost.modules = [ ./hosts/Binnenpost ];
Production.modules = [ ./hosts/Production ];
ProductionGPU.modules = [ ./hosts/ProductionGPU ];
ProductionArr.modules = [ ./hosts/ProductionArr ];
ACE.modules = [ ./hosts/ACE ];
# Others
# Lab
Template.modules = [ ./hosts/Template ];
Development.modules = [ ./hosts/Development ];
Testing.modules = [ ./hosts/Testing ];
};
deploy.nodes = let
pkg = deploy-rs.lib.${system};
isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null);
in
builtins.mapAttrs (_: nixos: {
hostname = nixos.config.homelab.networking.hostIp;
sshUser = "deploy";
user = "root";
profiles.system.path = pkg.activate.nixos nixos;
profiles.test.path = pkg.activate.custom nixos.config.system.build.toplevel ''
$PROFILE/bin/switch-to-configuration test
'';
}) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
outputsBuilder = channels: {
formatter = channels.nixpkgs.alejandra;
devShells.default = channels.nixpkgs.mkShell {
name = "homelab-dev";
buildInputs = [
deploy-rs.packages.${system}.deploy-rs
channels.nixpkgs.sops
channels.nixpkgs.age
];
shellHook = "echo '🛡 Homelab Development Shell Loaded'";
};
};
};
}

6
hosts/ACE/default.nix
View file

@ -1,10 +1,12 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
config = {
homelab = {
networking.hostIp = "192.168.0.41";
services.actions.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -24,7 +26,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.41";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

6
hosts/Binnenpost/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
config = {
@ -13,12 +13,14 @@
};
homelab = {
networking.hostIp = "192.168.0.89";
apps = {
speedtest.enable = true;
technitiumDNS.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -43,7 +45,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.89";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

5
hosts/Gitea/default.nix
View file

@ -3,9 +3,12 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.24";
apps.gitea.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
users.admin = {
enable = true;
authorizedKeys = [
@ -28,7 +31,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.24";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

1
hosts/Niko/default.nix
View file

@ -7,6 +7,7 @@
];
homelab = {
networking.hostIp = "192.168.0.11";
apps = {
technitiumDNS.enable = true;
traefik.enable = true;

4
hosts/Production/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.31";
apps = {
calibre.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -31,7 +33,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.31";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/ProductionArr/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.33";
apps = {
arr.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -31,7 +33,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.33";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/ProductionGPU/default.nix
View file

@ -3,8 +3,10 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.94";
apps.jellyfin.enable = true;
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -28,7 +30,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.94";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

4
hosts/Testing/default.nix
View file

@ -3,11 +3,13 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.92";
apps = {
freshrss.enable = true;
traefik.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -32,7 +34,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.92";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

9
hosts/Vaultwarden/default.nix
View file

@ -3,6 +3,7 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.22";
apps.vaultwarden = {
enable = true;
domain = "https://vault.depeuter.dev";
@ -10,13 +11,17 @@
};
virtualisation.guest.enable = true;
users.admin = {
users = {
deploy.enable = true;
admin = {
enable = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
];
};
};
};
networking = {
hostId = "aaaa1300";
@ -32,7 +37,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.22";
address = config.homelab.networking.hostIp;
prefixLength = 24;
}
];

5
modules/common/default.nix
View file

@ -1,4 +1,9 @@
{
imports = [
./networking.nix
./secrets.nix
];
config = {
homelab = {
services.openssh.enable = true;

19
modules/common/networking.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options.homelab.networking = {
hostIp = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
The primary IP address of the host.
Used for automated deployment and internal service discovery.
'';
};
};
config = lib.mkIf (config.homelab.networking.hostIp != null) {
# If a hostIp is provided, we can potentially use it to configure
# networking interfaces or firewall rules automatically here in the future.
};
}