Tibo De Peuter 1c437333f3
feat(security): implement metadata redaction and sops-nix migration
Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.
2026-03-17 19:41:31 +01:00

Bos55 NixOS Config

Automated CI/CD deployment for NixOS homelab using deploy-rs.

Repository Structure

  • hosts/: Host-specific configurations.
  • modules/: Shared NixOS modules.
  • users/: User definitions (including the deploy user).
  • secrets/: Encrypted secrets via sops-nix.

Deployment Workflow

Prerequisites

  • SSH access to the deploy user on target hosts.
  • deploy-rs installed locally (nix profile install github:serokell/deploy-rs).

Deployment Modes

  1. Production Deployment (main branch): Triggered on push to main. Automatically builds and switches all hosts; the bootloader is updated. Manual: deploy .

  2. Test Deployment (test- branch): Triggered on push to test-<hostname>. Builds and activates the configuration on the specific host without updating the bootloader. Reboots will revert to the previous generation. Manual: deploy .#<hostname>.test

  3. Kernel Upgrades / Maintenance: Use deploy .#<hostname>.system --boot to update the bootloader without immediate activation, followed by a manual reboot.
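Added example, not the repository's own flake.nix (which this page does not show): how the three deploy modes above can be expressed as deploy-rs profiles. The host name example-host, its hostname, the module path and the activate.custom wiring of the test profile are assumptions; activate.nixos, activate.custom and deployChecks are existing deploy-rs library functions.

```nix
{
  # Added example, not this repository's flake.nix. The host name
  # "example-host" and the attribute layout are assumptions for illustration.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    deploy-rs.url = "github:serokell/deploy-rs";
  };

  outputs = { self, nixpkgs, deploy-rs, ... }:
    let
      system = "x86_64-linux";
      cfg = self.nixosConfigurations.example-host;
    in {
      nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ ./hosts/example-host/configuration.nix ]; # assumed path
      };

      deploy.nodes.example-host = {
        hostname = "example-host.lan"; # assumed; the host's hostIp is not shown here
        sshUser = "deploy";            # the deploy user defined under users/

        # `deploy .` and `deploy .#example-host.system`: full switch.
        # With `--boot`, deploy-rs's activate.nixos runs
        # `switch-to-configuration boot`, which writes the bootloader entry
        # without activating the new generation until the next reboot.
        profiles.system = {
          user = "root";
          path = deploy-rs.lib.${system}.activate.nixos cfg;
        };

        # `deploy .#example-host.test`: activate in the running system only.
        # `switch-to-configuration test` never touches the bootloader, so a
        # reboot returns to the previous generation (assumed wiring).
        profiles.test = {
          user = "root";
          path = deploy-rs.lib.${system}.activate.custom
            cfg.config.system.build.toplevel
            "$PROFILE/bin/switch-to-configuration test";
        };
      };

      # `nix flake check` validates the node definitions above.
      checks.${system} = deploy-rs.lib.${system}.deployChecks self.deploy;
    };
}
```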

Local Development

1. Developer Shell

This repository includes a standardized development environment containing all necessary tools (deploy-rs, sops, age, etc.).

nix develop
# or if using direnv
direnv allow

2. Build a host VM

You can build a QEMU VM for any host configuration to test changes locally:

nix build .#nixosConfigurations.<hostname>.config.system.build.vm
./result/bin/run-<hostname>-vm

Warning

Network Conflict: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in hostIp. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.

3. Run Integration Tests

Run the automated test suite:

nix-build test/vm-test.nix

4. Test CI Workflows Locally

Use act to test the GitHub Actions workflows:

act -W .github/workflows/check.yml

Security

See SECURITY.md for details on the trust model and secret management.