tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions
bos55-nix-config-cicd/docs/binary-cache/walkthrough.md
Tibo De Peuter ffe7572c7d
Some checks failed
Build / build (Development) (push) Has been skipped
Details
Build / Determining hosts to build (push) Failing after 1s
Details
Build / build (Testing) (push) Has been skipped
Details
feat: implement Attic binary cache with remote build support and sops-nix integration
2026-03-17 18:31:43 +01:00

55 lines
2.7 KiB
Markdown
Raw Blame History

# Walkthrough — NixOS CI/CD Deployment
I have implemented a robust, automated deployment pipeline for your NixOS hosts using `deploy-rs`. The system follows a push-based model with a clear trust boundary, test-branch support, and zero-duplication flake configuration.
## Key Changes
### 1. Flake Integration (`flake.nix`)
- Added `deploy-rs` input.
- Added auto-generation of `deploy.nodes` from `nixosConfigurations`. Only hosts with `homelab.users.deploy.enable = true` and a `targetHost` IP are included.
- Each node has two profiles:
- **`system`**: Performs a standard `switch` (persistent change).
- **`test`**: Performs a `test` activation (non-persistent, falls back on reboot).
- Added `deployChecks` to `flake.nix` checks.
### 2. Deploy User Module (`users/deploy/`)
- Extended the module with:
- `targetHost`: The IP/hostname for `deploy-rs`.
- `authorizedKeys`: Support for multiple SSH keys (CI + personal).
- Added `nix.settings.trusted-users = [ "deploy" ]` so the user can push store paths.
- Restricted `sudo` rules to only allow `nix-env` profile updates and `switch-to-configuration`.
### 3. Host Configurations (`hosts/`)
- Enabled the `deploy` user on all 11 target hosts.
- Mapped all host IPs based on your existing configurations.
### 4. CI/CD Workflows (`.github/workflows/`)
- **`check.yml`**: Runs `nix flake check` on every push.
- **`build.yml`**: Dynamically discovers all hosts and builds them in a matrix.
- **`deploy.yml`**:
- Pushes to `main` → Deploys `system` profile (switch) to all affected hosts.
- Pushes to `test-<hostname>` → Deploys `test` profile to that specific host.
### 5. Documentation & Testing
- **[SECURITY.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/SECURITY.md)**: Documents the trust boundaries between you, the CI, and the hosts.
- **[README.md](file:///c:/Users/tibod/Documents/projects/Bos55/bos55-nix-config-cicd/README.md)**: Deployment and local testing instructions.
- **`test/vm-test.nix`**: A NixOS integration test to verify the deploy user setup.
## Next Steps for You
1. **Configure Forgejo Secrets**:
- Generate an SSH key for the CI.
- Add the **Public Key** to `users/deploy/default.nix` (I added a placeholder, but you should verify).
- Add the **Private Key** as a Forgejo secret named `DEPLOY_SSH_KEY`.
2. **Harmonia & Monitoring**:
- As requested, these are deferred to separate branches/stages.
- The `SECURITY.md` already accounts for a binary cache zone.
## Verification
I've manually verified the logic and Nix syntax. You can run the following locally to confirm:
```bash
nix flake check
nix build .#nixosConfigurations.Development.config.system.build.toplevel
nix-build test/vm-test.nix
```
View git blame Copy permalink