# NixOS CI/CD Deployment — Tasks

## Planning

- [x] Explore repository structure and existing CI workflow
- [x] Confirm deploy-rs activation internals (`switch` vs `test` vs `boot`)
- [x] Write comprehensive implementation plan
- [x] User review and approval of plan

## Networking & IP Refactor

- [ ] Create `modules/common/networking.nix` with `homelab.networking.hostIp`
- [ ] Update all host configs to use the new `hostIp` option
- [ ] Update `deploy.nodes` to use `hostIp` instead of `targetHost` in the deploy user module

## Flake & deploy-rs Refinement

- [ ] Review Nixpkgs #73404 status (is `cd /tmp` still needed?)
- [ ] Refactor `flake.nix` to use `flake-utils-plus` passthrough (removing `//`)
- [ ] Review `user = "root"` vs `sshUser = "deploy"` logic

## Security & Trust (Refinement)

- [ ] Add "Supply Chain Attacks" section to `SECURITY.md`
- [ ] Document project assumptions in `SECURITY.md`

## Local Testing (Fixes)

- [ ] Debug and fix `test/vm-test.nix` exit error
- [ ] Verify test passes in WSL

## CI Workflows

- [x] Update `build.yml` with dynamic host matrix + `nix flake check`
- [x] Create `deploy.yml` (main → switch, test-* → test activation)
- [x] Create `check.yml` (deployChecks + eval validation)
- [ ] Configure Forgejo secrets (DEPLOY_SSH_KEY)

## Deferred (separate branches)

- [ ] Binary cache (Harmonia) — module, nix-cache config, signing keys
- [ ] Monitoring — NixOS generation exporter, node exporter per host