- Remove deploy-rs flake input
- Remove deploy block from flake.nix
- Remove deployChecks from flake checks
- Remove deploy-rs from forgejo-runner hostPackages
- Deployment is now handled by Comin (auto) and nix run .#deploy (manual)
- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)
The nix-daemon runs as root and cannot access the gitea-runner user's
~/.ssh directory. Solution: write the deploy key and SSH config to
/etc/deploy/ and /etc/ssh/ssh_config.d/ which are readable by all
users including the nix-daemon.
- Deploy key is written to /etc/deploy/key (cleaned up after deploy)
- SSH config in /etc/ssh/ssh_config.d/deploy.conf (cleaned up after)
- Minimal NOPASSWD sudo rules for gitea-runner to manage these files
- Reverts local deploy approach, back to deploy-rs over SSH
Runner runs on the same server it deploys to, so SSH to itself was
unnecessarily complex. Now builds locally and activates directly.
- Replace deploy-rs SSH workflow with local build + switch
- Add NOPASSWD sudo for gitea-runner to run nix-env and
switch-to-configuration (required for local deployment)
- Remove SSH key setup from deploy workflow
- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)
Root can only login via SSH key, password auth remains disabled.
The ACME challenge directory was created with group 'acme' but nginx
needs read access to serve challenge responses. Setting defaults.group
to 'nginx' ensures all ACME directories are accessible by nginx.
- Add apps: create (scaffold host from template), deploy (multi-host
deployment with -n filter), install (NixOS installation from live ISO)
- Register all apps in flake.nix (create, deploy, install, rebuild)
- Add deploy.json config (cryodev-main, SSH port 2299)
- Fix generic-server template: was using Pi hardware/boot config,
now correct x86_64 with systemd-boot, UEFI, ROOT/BOOT/SWAP labels
- Fix template networking.nix: use HOSTNAME placeholder instead of
hardcoded cryodev-pi (both templates)
- Fix headplane upstream pnpm-deps hash mismatch via overlay
- Fix all docs: replace root@ with user@, --ssh-option with
NIX_SSHOPTS, add deploy app references, update first-install guide
to use create app and document service deactivation steps
- Add automatic SD image builds for Raspberry Pi via Forgejo Actions
- Enable binfmt emulation on cryodev-main for aarch64 cross-builds
- Add sd-image.nix module to cryodev-pi configuration
- Create comprehensive docs/ structure with installation guides
- Split installation docs into: first-install (server), reinstall, new-client (Pi)
- Add lib/utils.nix and apps/rebuild from synix
- Fix headplane module for new upstream API (tale/headplane)
- Fix various module issues (mailserver stateVersion, option conflicts)
- Add placeholder secrets.yaml files for both hosts
- Remove old INSTRUCTIONS.md (content moved to docs/)
