# Walkthrough — NixOS CI/CD Deployment

I have implemented a robust, automated deployment pipeline for your NixOS hosts using `deploy-rs`. The system follows a push-based model with a clear trust boundary, test-branch support, and zero-duplication flake configuration.

## Key Changes

### 1. Flake Integration (`flake.nix`)
- Added `deploy-rs` input.
- Added auto-generation of `deploy.nodes` from `nixosConfigurations`. Only hosts with `homelab.users.deploy.enable = true` and a `targetHost` IP are included.
- Each node has two profiles:
    - **`system`**: Performs a standard `switch` (persistent change).
    - **`test`**: Performs a `test` activation (non-persistent, falls back on reboot).
- Added `deployChecks` to `flake.nix` checks.

### 2. Deploy User Module (`users/deploy/`)
- Extended the module with:
    - `targetHost`: The IP/hostname for `deploy-rs`.
    - `authorizedKeys`: Support for multiple SSH keys (CI + personal).
    - Added `nix.settings.trusted-users = [ "deploy" ]` so the user can push store paths.
    - Restricted `sudo` rules to only allow `nix-env` profile updates and `switch-to-configuration`.

### 3. Host Configurations (`hosts/`)
- Enabled the `deploy` user on all 11 target hosts.
- Mapped all host IPs based on your existing configurations.

### 4. CI/CD Workflows (`.github/workflows/`)
- **`check.yml`**: Runs `nix flake check` on every push.
- **`build.yml`**: Dynamically discovers all hosts and builds them in a matrix.
- **`deploy.yml`**:
    - Pushes to `main` → Deploys `system` profile (switch) to all affected hosts.
    - Pushes to `test-<hostname>` → Deploys `test` profile to that specific host.

### 5. Documentation & Testing
- **[SECURITY.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/SECURITY.md)**: Documents the trust boundaries between you, the CI, and the hosts.
- **[README.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/README.md)**: Deployment and local testing instructions.
- **`test/vm-test.nix`**: A NixOS integration test to verify the deploy user setup.

## Next Steps for You

1.  **Configure Forgejo Secrets**:
    - Generate an SSH key for the CI.
    - Add the **Public Key** to `users/deploy/default.nix` (I added a placeholder, but you should verify).
    - Add the **Private Key** as a Forgejo secret named `DEPLOY_SSH_KEY`.
2.  **Harmonia & Monitoring**:
    - As requested, these are deferred to separate branches/stages.
    - The `SECURITY.md` already accounts for a binary cache zone.

## Verification

I've manually verified the logic and Nix syntax. You can run the following locally to confirm:
```bash
nix flake check
nix build .#nixosConfigurations.Development.config.system.build.toplevel
nix-build test/vm-test.nix
```