Tibo De Peuter ce0543a20f
feat(ci): implement signed commit verification and update security policy
Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.
2026-03-17 19:42:17 +01:00

Bos55 NixOS Config

Automated CI/CD deployment for NixOS homelab using deploy-rs.

Repository Structure

  • hosts/: Host-specific configurations.
  • modules/: Shared NixOS modules.
  • users/: User definitions (including the deploy user).
  • secrets/: Encrypted secrets via sops-nix.

Deployment Workflow

Prerequisites

  • SSH access to the deploy user on target hosts.
  • deploy-rs installed locally (nix profile install github:serokell/deploy-rs).

Deployment Modes

  1. Production Deployment (main branch): Triggered on push to main. Automatically builds and switches all hosts; the bootloader is updated. Manual: deploy .

  2. Test Deployment (test-<hostname> branch): Triggered on push to test-<hostname>. Builds and activates the configuration on that host only, without updating the bootloader, so a reboot reverts to the previous generation. Manual: deploy .#<hostname>.test

  3. Kernel Upgrades / Maintenance: Use deploy .#<hostname>.system --boot to update the bootloader without immediate activation, followed by a manual reboot.
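The branch-to-mode mapping above, as an added example that is not part of this repository's workflows: a POSIX sh helper that derives the deploy-rs arguments from a pushed Git ref and refuses anything that is not main or a well-formed test-<hostname> branch. The ref format refs/heads/<branch> and the hostname character set are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the repository's own CI code): map a pushed ref to the
# deploy-rs invocation described in the README's Deployment Modes.
# Assumptions: refs arrive as refs/heads/<branch>; hostnames are limited to
# [A-Za-z0-9-] so a branch name cannot smuggle extra flake-attribute syntax.

deploy_args_for_ref() {
  ref="$1"
  branch="${ref#refs/heads/}"
  case "$branch" in
    main)
      # Production: build and switch every host, bootloader updated.
      printf '%s\n' "."
      ;;
    test-*)
      host="${branch#test-}"
      # Reject an empty hostname or any character outside the allowed set.
      case "$host" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
      esac
      # Test mode: activate on one host without touching the bootloader.
      printf '%s\n' ".#${host}.test"
      ;;
    *)
      # Any other branch does not deploy automatically; the --boot
      # maintenance mode stays a manual, operator-driven step.
      return 1
      ;;
  esac
}

# Dry-run wrapper: print the deploy command instead of executing it.
plan_deploy() {
  if args=$(deploy_args_for_ref "$1"); then
    printf 'deploy %s\n' "$args"
  else
    printf 'no automatic deployment for ref %s\n' "$1" >&2
    return 1
  fi
}
```

Run plan_deploy "$GITHUB_REF" in a workflow step to see which command would be issued before wiring it to the real deploy call.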

Local Development

1. Developer Shell

This repository includes a standardized development environment containing all necessary tools (deploy-rs, sops, age, etc.).

nix develop
# or if using direnv
direnv allow

2. Build a host VM

You can build a QEMU VM for any host configuration to test changes locally:

nix build .#nixosConfigurations.<hostname>.config.system.build.vm
./result/bin/run-<hostname>-vm

Warning

Network Conflict: Default VMs use user-mode networking (NAT), which is safe. If you configure the VM to use bridge networking, however, it will come up with the static IP defined in hostIp. Make sure no physical host with that IP is active on the same bridge, or the two will interfere with each other.

3. Run Integration Tests

Run the automated test suite:

nix-build test/vm-test.nix

4. Test CI Workflows Locally

Use act to test the GitHub Actions workflows:

act -W .github/workflows/check.yml

Security

See SECURITY.md for details on the trust model and secret management.