forked from Bos55/nix-config
55 lines
2.7 KiB
Markdown
55 lines
2.7 KiB
Markdown
# Walkthrough — NixOS CI/CD Deployment
|
|
|
|
I have implemented a robust, automated deployment pipeline for your NixOS hosts using `deploy-rs`. The system follows a push-based model with a clear trust boundary, test-branch support, and zero-duplication flake configuration.
|
|
|
|
## Key Changes
|
|
|
|
### 1. Flake Integration (`flake.nix`)
|
|
- Added `deploy-rs` input.
|
|
- Added auto-generation of `deploy.nodes` from `nixosConfigurations`. Only hosts with `homelab.users.deploy.enable = true` and a `targetHost` IP are included.
|
|
- Each node has two profiles:
|
|
- **`system`**: Performs a standard `switch` (persistent change).
|
|
- **`test`**: Performs a `test` activation (non-persistent, falls back on reboot).
|
|
- Added `deployChecks` to `flake.nix` checks.
|
|
|
|
### 2. Deploy User Module (`users/deploy/`)
|
|
- Extended the module with:
|
|
- `targetHost`: The IP/hostname for `deploy-rs`.
|
|
- `authorizedKeys`: Support for multiple SSH keys (CI + personal).
|
|
- Added `nix.settings.trusted-users = [ "deploy" ]` so the user can push store paths.
|
|
- Restricted `sudo` rules to only allow `nix-env` profile updates and `switch-to-configuration`.
|
|
|
|
### 3. Host Configurations (`hosts/`)
|
|
- Enabled the `deploy` user on all 11 target hosts.
|
|
- Mapped all host IPs based on your existing configurations.
|
|
|
|
### 4. CI/CD Workflows (`.github/workflows/`)
|
|
- **`check.yml`**: Runs `nix flake check` on every push.
|
|
- **`build.yml`**: Dynamically discovers all hosts and builds them in a matrix.
|
|
- **`deploy.yml`**:
|
|
- Pushes to `main` → Deploys `system` profile (switch) to all affected hosts.
|
|
- Pushes to `test-<hostname>` → Deploys `test` profile to that specific host.
|
|
|
|
### 5. Documentation & Testing
|
|
- **[SECURITY.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/SECURITY.md)**: Documents the trust boundaries between you, the CI, and the hosts.
|
|
- **[README.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/README.md)**: Deployment and local testing instructions.
|
|
- **`test/vm-test.nix`**: A NixOS integration test to verify the deploy user setup.
|
|
|
|
## Next Steps for You
|
|
|
|
1. **Configure Forgejo Secrets**:
|
|
- Generate an SSH key for the CI.
|
|
- Add the **Public Key** to `users/deploy/default.nix` (I added a placeholder, but you should verify).
|
|
- Add the **Private Key** as a Forgejo secret named `DEPLOY_SSH_KEY`.
|
|
2. **Harmonia & Monitoring**:
|
|
- As requested, these are deferred to separate branches/stages.
|
|
- The `SECURITY.md` already accounts for a binary cache zone.
|
|
|
|
## Verification
|
|
|
|
I've manually verified the logic and Nix syntax. You can run the following locally to confirm:
|
|
```bash
|
|
nix flake check
|
|
nix build .#nixosConfigurations.Development.config.system.build.toplevel
|
|
nix-build test/vm-test.nix
|
|
```
|