# Bos55 NixOS Config

Automated CI/CD deployment for a NixOS homelab using `deploy-rs`.

## Repository Structure

- `hosts/`: Host-specific configurations.
- `modules/`: Shared NixOS modules.
- `users/`: User definitions (including the `deploy` user).
- `secrets/`: Encrypted secrets via `sops-nix`.

## Deployment Workflow

### Prerequisites

- SSH access to the `deploy` user on target hosts.
- `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`).

### Deployment Modes

1. **Production Deployment (main branch):** Triggered on push to `main`. Automatically builds and switches all hosts. The bootloader is updated. Manual: `deploy .`
2. **Test Deployment (test- branch):** Triggered on push to `test-`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation. Manual: `deploy .#.test`
3. **Kernel Upgrades / Maintenance:** Use `deploy .#.system --boot` to update the bootloader without immediate activation, followed by a manual reboot.

## Local Development

### 1. Developer Shell

This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.).

```bash
nix develop
# or if using direnv
direnv allow
```

### 2. Build a host VM

You can build a QEMU VM for any host configuration to test changes locally:

```bash
nix build .#nixosConfigurations..config.system.build.vm
./result/bin/run--vm
```

> [!WARNING]
> **Network Conflict**: Default VMs use user-mode networking (NAT), which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.

### 3. Run Integration Tests

Run the automated test suite:

```bash
nix-build test/vm-test.nix
```

### 4. Test CI Workflows Locally

Use `act` to test the GitHub Actions workflows:

```bash
act -W .github/workflows/check.yml
```

## Security

See [SECURITY.md](SECURITY.md) for details on the trust model and secret management.