replace deploy-rs CI with Comin pull-based deployment

- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)

.forgejo/workflows/deploy.yml

@@ -15,38 +15,18 @@ jobs:
       - name: Run flake check
         run: nix flake check --impure
 
-  deploy-cryodev-main:
+  build-hosts:
     needs: flake-check
     runs-on: host
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Set up SSH
-        env:
-          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
-        run: |
-          # Write key to a shared location readable by nix-daemon
-          sudo mkdir -p /etc/deploy
-          echo "$DEPLOY_KEY" | sudo tee /etc/deploy/key > /dev/null
-          sudo chmod 600 /etc/deploy/key
+      - name: Build cryodev-main
+        run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
 
-          # Global SSH config so both the runner and nix-daemon can use it
-          sudo tee /etc/ssh/ssh_config.d/deploy.conf > /dev/null << 'EOF'
-          Host cryodev.xyz
-            Port 2299
-            User root
-            IdentityFile /etc/deploy/key
-            StrictHostKeyChecking accept-new
-          EOF
-
-      - name: Deploy with deploy-rs
-        run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
-
-      - name: Clean up SSH
-        if: always()
-        run: |
-          sudo rm -f /etc/deploy/key /etc/ssh/ssh_config.d/deploy.conf
+      - name: Build cryodev-pi
+        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
 
   build-pi-images:
     needs: flake-check

.gitignore

@@ -1,2 +1,3 @@
 result
 result-*
+sid.ovh

flake.nix

@@ -127,8 +127,6 @@
             sshOpts = [
               "-p"
               "2299"
-              "-o"
-              "StrictHostKeyChecking=accept-new"
             ];
             profiles.system = {
               user = "root";

hosts/cryodev-main/deploy-key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy

hosts/cryodev-main/services/comin.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.comin
+  ];
+
+  services.comin = {
+    enable = true;
+    remotes = [
+      {
+        name = "origin";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
+        branches.main.name = "main";
+      }
+    ];
+  };
+}

hosts/cryodev-main/services/default.nix

@@ -1,17 +1,15 @@
 {
   imports = [
-    # Stufe 1: Services ohne externe Abhaengigkeiten
+    ./comin.nix
     ./forgejo.nix
+    ./forgejo-runner.nix
+    ./headplane.nix
     ./headscale.nix
     ./mailserver.nix
     ./netdata.nix
     ./nginx.nix
     ./openssh.nix
     ./sops.nix
-
-    # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
-    ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
-    ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
-    ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
+    ./tailscale.nix
   ];
 }

hosts/cryodev-main/services/openssh.nix

@@ -9,9 +9,4 @@
   ];
 
   services.openssh.enable = true;
-
-  # Root SSH key for deploy-rs (key-only, no password)
-  users.users.root.openssh.authorizedKeys.keyFiles = [
-    ../deploy-key.pub
-  ];
 }

hosts/cryodev-pi/services/comin.nix

@@ -16,7 +16,7 @@
     remotes = [
       {
         name = "origin";
-        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
         branches.main.name = "main";
       }
     ];

modules/nixos/forgejo-runner/default.nix

@@ -31,15 +31,6 @@ in
   config = mkIf cfg.enable {
     nix.settings.trusted-users = [ "gitea-runner" ];
 
-    # Allow gitea-runner to manage deploy keys and SSH config for CI/CD
-    security.sudo.extraConfig = ''
-      gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/tee /etc/deploy/key
-      gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/tee /etc/ssh/ssh_config.d/deploy.conf
-      gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/mkdir -p /etc/deploy
-      gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/chmod 600 /etc/deploy/key
-      gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/rm -f /etc/deploy/key /etc/ssh/ssh_config.d/deploy.conf
-    '';
-
     services.gitea-actions-runner = {
       package = pkgs.forgejo-runner;
       instances.default = {

modules/nixos/openssh/default.nix

@@ -9,7 +9,7 @@ in
     ports = mkDefault [ 2299 ];
     openFirewall = mkDefault true;
     settings = {
-      PermitRootLogin = mkDefault "prohibit-password";
+      PermitRootLogin = mkDefault "no";
       PasswordAuthentication = mkDefault false;
     };
   };

sid.ovh

@@ -0,0 +1 @@
+Subproject commit 197c8246234c1237b251d51d1bd54bcc9c1ba1d4