From c45a603d1c26e3d723b31e47205b8d8cba49e8ed Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:43:15 +0100
Subject: [PATCH] replace deploy-rs CI with Comin pull-based deployment

- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)
---
 .forgejo/workflows/deploy.yml | 30 ++++--------------------
 .gitignore | 1 +
 flake.nix | 2 --
 hosts/cryodev-main/deploy-key.pub | 1 -
 hosts/cryodev-main/services/comin.nix | 24 +++++++++++++++++++
 hosts/cryodev-main/services/default.nix | 10 ++++----
 hosts/cryodev-main/services/openssh.nix | 5 ----
 hosts/cryodev-pi/services/comin.nix | 2 +-
 modules/nixos/forgejo-runner/default.nix | 9 -------
 modules/nixos/openssh/default.nix | 2 +-
 sid.ovh | 1 +
 11 files changed, 37 insertions(+), 50 deletions(-)
 delete mode 100644 hosts/cryodev-main/deploy-key.pub
 create mode 100644 hosts/cryodev-main/services/comin.nix
 create mode 160000 sid.ovh

diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index a78eb0c..d69d66e 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -15,38 +15,18 @@ jobs:
 - name: Run flake check
 run: nix flake check --impure
- deploy-cryodev-main:
+ build-hosts:
 needs: flake-check
 runs-on: host
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Set up SSH
- env:
- DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- run: |
- # Write key to a shared location readable by nix-daemon
- sudo mkdir -p /etc/deploy
- echo "$DEPLOY_KEY" | sudo tee /etc/deploy/key > /dev/null
- sudo chmod 600 /etc/deploy/key
+ - name: Build cryodev-main
+ run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
- # Global SSH config so both the runner and nix-daemon can use it
- sudo tee /etc/ssh/ssh_config.d/deploy.conf > /dev/null << 'EOF'
- Host cryodev.xyz
- Port 2299
- User root
- IdentityFile /etc/deploy/key
- StrictHostKeyChecking accept-new
- EOF
-
- - name: Deploy with deploy-rs
- run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
-
- - name: Clean up SSH
- if: always()
- run: |
- sudo rm -f /etc/deploy/key /etc/ssh/ssh_config.d/deploy.conf
+ - name: Build cryodev-pi
+ run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
 build-pi-images:
 needs: flake-check
diff --git a/.gitignore b/.gitignore
index 750baeb..e6fb7da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
 result-*
+sid.ovh
diff --git a/flake.nix b/flake.nix
index 597bd18..d55310f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -127,8 +127,6 @@
 sshOpts = [
 "-p"
 "2299"
- "-o"
- "StrictHostKeyChecking=accept-new"
 ];
 profiles.system = {
 user = "root";
diff --git a/hosts/cryodev-main/deploy-key.pub b/hosts/cryodev-main/deploy-key.pub
deleted file mode 100644
index b4e3f23..0000000
--- a/hosts/cryodev-main/deploy-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy
diff --git a/hosts/cryodev-main/services/comin.nix b/hosts/cryodev-main/services/comin.nix
new file mode 100644
index 0000000..35ab81f
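Review bot: The new `build-hosts` job gates nothing: Comin on both hosts applies whatever reaches `main`, so a push whose `flake-check` or build fails here is still rolled out, and nothing in the workflow says so. A comment at the top of the job, `# Build-only: deployment is pull-based via Comin on each host and does not wait for this job`, would stop a reader from assuming a red run blocks rollout. The removed steps also leave the `DEPLOY_SSH_KEY` repository secret in place; since the commit message itself says the key was materialised on a shared runner, that secret should be deleted and the key pair retired rather than merely left unused. The enclosing workflow file starts and ends outside the hunk.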
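Review bot: `sid.ovh` is added to `.gitignore` while the same commit records `sid.ovh` as a gitlink (`create mode 160000`, `Subproject commit 197c824…` in the last hunk of the patch) and the diffstat shows no `.gitmodules` change, which looks unrelated to the deploy-rs to Comin switch. A gitlink without a `.gitmodules` URL cannot be initialised from a clone, so the checkout Comin makes of `main` on both hosts would carry an unresolvable submodule entry; if the directory is meant to stay local and untracked, remove the gitlink from the index (`git rm --cached sid.ovh`) and keep only the ignore line. The same point applies to the `sid.ovh` hunk at the end of the patch.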
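Review bot: The hunk drops only the `StrictHostKeyChecking=accept-new` option and leaves the rest of the deploy-rs node definition (`sshOpts = [ "-p" "2299" ]`, `profiles.system`, `user = "root"`) in `flake.nix`, while the same commit removes the root authorized key and sets `PermitRootLogin` to `no`. The remaining block is presumably dead configuration that can no longer deploy and will mislead the next reader into thinking push-based deploy is still supported; either remove the `deploy` attribute set entirely or mark its status, e.g. `# Unused since deployment moved to Comin; a manual deploy-rs run would need a root key and PermitRootLogin re-enabled`. The enclosing attribute set begins and ends outside the hunk.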
--- /dev/null
+++ b/hosts/cryodev-main/services/comin.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ outputs,
+ constants,
+ ...
+}:
+
+{
+ imports = [
+ outputs.nixosModules.comin
+ ];
+
+ services.comin = {
+ enable = true;
+ remotes = [
+ {
+ name = "origin";
+ url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
+ branches.main.name = "main";
+ }
+ ];
+ };
+}
diff --git a/hosts/cryodev-main/services/default.nix b/hosts/cryodev-main/services/default.nix
index 4b447cd..a7e03dc 100644
--- a/hosts/cryodev-main/services/default.nix
+++ b/hosts/cryodev-main/services/default.nix
@@ -1,17 +1,15 @@
 {
 imports = [
- # Stufe 1: Services ohne externe Abhaengigkeiten
+ ./comin.nix
 ./forgejo.nix
+ ./forgejo-runner.nix
+ ./headplane.nix
 ./headscale.nix
 ./mailserver.nix
 ./netdata.nix
 ./nginx.nix
 ./openssh.nix
 ./sops.nix
-
- # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
- ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
- ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
- ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
+ ./tailscale.nix
 ];
 }
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index db9a56a..f71c084 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -9,9 +9,4 @@
 ];
 services.openssh.enable = true;
-
- # Root SSH key for deploy-rs (key-only, no password)
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../deploy-key.pub
- ];
 }
diff --git a/hosts/cryodev-pi/services/comin.nix b/hosts/cryodev-pi/services/comin.nix
index 2317b06..35ab81f 100644
--- a/hosts/cryodev-pi/services/comin.nix
+++ b/hosts/cryodev-pi/services/comin.nix
@@ -16,7 +16,7 @@
 remotes = [
 {
 name = "origin";
- url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+ url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
 branches.main.name = "main";
 }
 ];
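Review bot: With this module, any commit that lands on `main` of the Forgejo instance at `constants.services.forgejo.fqdn` is applied as root on cryodev-main (and, after the URL fix, on cryodev-pi), so write access to that branch is now equivalent to root on both hosts, and nothing in the diff pins an allowed signer. Branch protection on `main` and, if the pinned Comin version supports it, verification of commit signatures against a public key committed to this repository should be in place before this is relied on, and the file should say so: `# Pull-based deploy: anything merged to main is applied as root on this host; protect the branch accordingly`. Since Forgejo itself runs on cryodev-main (`./forgejo.nix` in the same services list), a deployment that breaks Forgejo or nginx here also removes the path by which Comin would fetch the fix, which deserves a short note on the manual recovery procedure. `config` and `pkgs` are bound in the argument set but unused in the file.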
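Review bot: The removed comments documented a bootstrap ordering (`forgejo-runner.nix`, `headplane.nix` and `tailscale.nix` each need a secret, `forgejo-runner/token`, `headplane/agent_pre_authkey` and `tailscale/auth-key`, that only exists once Forgejo and Headscale are running), and the new flat list carries none of that knowledge. Unless those secrets are now guaranteed to exist on a fresh host, keep a short English note above the list, e.g. `# forgejo-runner, headplane and tailscale need secrets issued by Forgejo/Headscale; provision them (see sops.nix) before a first deploy`, so a rebuild from scratch does not fail without explanation. `comin.nix` belongs in the same note, because it fetches from the Forgejo instance this host itself serves.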
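Review bot: After this one-line fix the file is byte-identical to the new `hosts/cryodev-main/services/comin.nix` (both resolve to blob `35ab81f`), so the remote definition is now duplicated per host. Both files already import `outputs.nixosModules.comin`; defining the `origin` remote once there, with the URL built from `constants.services.forgejo.fqdn` and branch `main`, would leave per-host files only for genuine differences and remove the kind of drift this hunk corrects (`cryodev-server.git` versus `cryodev.git`). The enclosing `services.comin` attribute set begins and ends outside the hunk.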
diff --git a/modules/nixos/forgejo-runner/default.nix b/modules/nixos/forgejo-runner/default.nix
index a4f77ba..2547f0e 100644
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
@@ -31,15 +31,6 @@ in
 config = mkIf cfg.enable {
 nix.settings.trusted-users = [ "gitea-runner" ];
- # Allow gitea-runner to manage deploy keys and SSH config for CI/CD
- security.sudo.extraConfig = ''
- gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/tee /etc/deploy/key
- gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/tee /etc/ssh/ssh_config.d/deploy.conf
- gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/mkdir -p /etc/deploy
- gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/chmod 600 /etc/deploy/key
- gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/rm -f /etc/deploy/key /etc/ssh/ssh_config.d/deploy.conf
- '';
-
 services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
 instances.default = {
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 00f05c1..0958445 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "prohibit-password";
+ PermitRootLogin = mkDefault "no";
 PasswordAuthentication = mkDefault false;
 };
 };
diff --git a/sid.ovh b/sid.ovh
new file mode 160000
index 0000000..197c824
--- /dev/null
+++ b/sid.ovh
@@ -0,0 +1 @@
+Subproject commit 197c8246234c1237b251d51d1bd54bcc9c1ba1d4
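Review bot: The sudo rules go, but `nix.settings.trusted-users = [ "gitea-runner" ];` on the context line just above the removed block stays, and a Nix trusted user can change substituters, sandboxing and other daemon settings, which on the shared runner is close to the root-equivalent access the commit message says it is removing. The hunk does not show why the runner needs it; if it is still required for the host builds in the new workflow, state that next to the line, e.g. `# trusted-users gives the runner near-root control of nix-daemon; required for CI host builds, keep the runner isolated`, and if it was only there for deploy-rs it should leave with the sudo rules. The enclosing `config = mkIf cfg.enable { … }` block continues past the end of the hunk.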