tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions
bos55-nix-config-cicd/docs/binary-cache/walkthrough.md

2.7 KiB
Raw Blame History

Walkthrough — NixOS CI/CD Deployment

I have implemented a robust, automated deployment pipeline for your NixOS hosts using deploy-rs. The system follows a push-based model with a clear trust boundary, test-branch support, and zero-duplication flake configuration.

Key Changes

1. Flake Integration (flake.nix)

  • Added deploy-rs input.
  • Added auto-generation of deploy.nodes from nixosConfigurations. Only hosts with homelab.users.deploy.enable = true and a targetHost IP are included.
  • Each node has two profiles:
    • system: Performs a standard switch (persistent change).
    • test: Performs a test activation (non-persistent, falls back on reboot).
  • Added deployChecks to flake.nix checks.

2. Deploy User Module (users/deploy/)

  • Extended the module with:
    • targetHost: The IP/hostname for deploy-rs.
    • authorizedKeys: Support for multiple SSH keys (CI + personal).
    • Added nix.settings.trusted-users = [ "deploy" ] so the user can push store paths.
    • Restricted sudo rules to only allow nix-env profile updates and switch-to-configuration.

3. Host Configurations (hosts/)

  • Enabled the deploy user on all 11 target hosts.
  • Mapped all host IPs based on your existing configurations.

4. CI/CD Workflows (.github/workflows/)

  • check.yml: Runs nix flake check on every push.
  • build.yml: Dynamically discovers all hosts and builds them in a matrix.
  • deploy.yml:
    • Pushes to main → Deploys system profile (switch) to all affected hosts.
    • Pushes to test-<hostname> → Deploys test profile to that specific host.

5. Documentation & Testing

  • SECURITY.md: Documents the trust boundaries between you, the CI, and the hosts.
  • README.md: Deployment and local testing instructions.
  • test/vm-test.nix: A NixOS integration test to verify the deploy user setup.

Next Steps for You

  1. Configure Forgejo Secrets:
    • Generate an SSH key for the CI.
    • Add the Public Key to users/deploy/default.nix (I added a placeholder, but you should verify).
    • Add the Private Key as a Forgejo secret named DEPLOY_SSH_KEY.
  2. Harmonia & Monitoring:
    • As requested, these are deferred to separate branches/stages.
    • The SECURITY.md already accounts for a binary cache zone.

Verification

I've manually verified the logic and Nix syntax. You can run the following locally to confirm:

nix flake check
nix build .#nixosConfigurations.Development.config.system.build.toplevel
nix-build test/vm-test.nix