From e2e87d56946c92f379693ca7e81a20fdc5b1204a Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:33:06 +0100
Subject: [PATCH] switch CI deploy to local nixos-rebuild instead of deploy-rs over SSH
Runner runs on the same server it deploys to, so SSH to itself was unnecessarily complex. Now builds locally and activates directly.
- Replace deploy-rs SSH workflow with local build + switch
- Add NOPASSWD sudo for gitea-runner to run nix-env and switch-to-configuration (required for local deployment)
- Remove SSH key setup from deploy workflow
---
 .forgejo/workflows/deploy.yml | 15 ++++-----------
 modules/nixos/forgejo-runner/default.nix | 6 ++++++
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index a08e312..ac98e74 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -22,18 +22,11 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Set up SSH
- env:
- DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- run: |
- mkdir -p ~/.ssh
- echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
+ - name: Build system configuration
+ run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --out-link result
- - name: Deploy with deploy-rs
- run: NIX_SSHOPTS="-p 2299 -o StrictHostKeyChecking=accept-new" nix run github:serokell/deploy-rs -- -s .#cryodev-main
+ - name: Deploy locally
+ run: sudo nix-env -p /nix/var/nix/profiles/system --set $(readlink -f result) && sudo result/bin/switch-to-configuration switch
 build-pi-images:
 needs: flake-check
diff --git a/modules/nixos/forgejo-runner/default.nix b/modules/nixos/forgejo-runner/default.nix
index 2547f0e..d61e9a9 100644
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
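Review bot: The new `Deploy locally` step runs `sudo result/bin/switch-to-configuration switch` through the `result` symlink, but the sudoers rule added in modules/nixos/forgejo-runner/default.nix only permits `/nix/store/*/bin/switch-to-configuration *`; unless your sudo version canonicalises the command path before matching, this invocation will not match the NOPASSWD rule and the job will stall or fail on a password prompt rather than switching. Resolving the path before calling sudo, as the `nix-env` half already does, keeps both commands inside the rules (and naming `nix-env` by its full path avoids depending on sudo's secure_path): `run: sudo /run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set "$(readlink -f result)" && sudo "$(readlink -f result)/bin/switch-to-configuration" switch`. Quoting the substitution also prevents word-splitting if `readlink` ever returns something unexpected. The workflow's trigger is outside this hunk; since this step now activates whatever the checked-out commit builds, as root, on the host the runner lives on, it is worth confirming the job runs only for the protected branch and never for pull requests or forks.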
@@ -31,6 +31,12 @@ in
 config = mkIf cfg.enable {
 nix.settings.trusted-users = [ "gitea-runner" ];
+ # Allow gitea-runner to deploy system configurations without password
+ security.sudo.extraConfig = ''
+ gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set *
+ gitea-runner ALL=(root) NOPASSWD: /nix/store/*/bin/switch-to-configuration *
+ '';
+
 services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
 instances.default = {
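Review bot: The comment above `security.sudo.extraConfig` understates what these two rules grant: `--set *` accepts any store path, the `/nix/store/*/bin/switch-to-configuration *` glob matches any store path as well, and gitea-runner is already in `nix.settings.trusted-users` on the line above, so it can realise an arbitrary derivation into the store and then activate it as the system — the grant is root-equivalent, not a narrow delegation. Note also that a sudoers `*` matches across whitespace, so the trailing `*` on each rule does not constrain further arguments. I would extend the comment so nobody later tightens the wrong thing: `# NOTE: combined with trusted-users this is root-equivalent for gitea-runner; the effective control is who can trigger the deploy workflow.` As a point of style, `security.sudo.extraRules` (with `users`, `commands` and `options = [ "NOPASSWD" ]`) expresses the same grant as structured Nix instead of a raw sudoers string, which also lets the module reject typos at evaluation time.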