markdown-preview.nvim runs yarn install with native Node.js binaries
that crash under QEMU aarch64 emulation. The plugin is also useless
on headless servers (requires a browser). Removing it allows the Pi
build to succeed in CI again.

Re-enabled Pi build and SD image jobs in both ci.yml and deploy.yml.

markdown-preview.nvim runs yarn install which compiles native binaries.
Under QEMU aarch64 emulation on x86_64 this causes 'Illegal instruction'
crashes. Pi images must be built locally or on a native aarch64 runner.
Pi deployment still works via Comin (builds locally on the Pi itself).

- Fix Pi kernel build: disable includeDefaultModules in initrd.
  NixOS all-hardware.nix includes dw-hdmi which doesn't exist in
  the RPi4 kernel 6.12, causing module-shrunk to fail.
- Fix CI: SD image build now depends on build-hosts instead of
  flake-check, so it won't run if the Pi build fails.
- Apply same fix to raspberry-pi template.

- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)

The nix-daemon runs as root and cannot access the gitea-runner user's
~/.ssh directory. Solution: write the deploy key and SSH config to
/etc/deploy/ and /etc/ssh/ssh_config.d/ which are readable by all
users including the nix-daemon.

- Deploy key is written to /etc/deploy/key (cleaned up after deploy)
- SSH config in /etc/ssh/ssh_config.d/deploy.conf (cleaned up after)
- Minimal NOPASSWD sudo rules for gitea-runner to manage these files
- Reverts local deploy approach, back to deploy-rs over SSH

Runner runs on the same server it deploys to, so SSH to itself was
unnecessarily complex. Now builds locally and activates directly.

- Replace deploy-rs SSH workflow with local build + switch
- Add NOPASSWD sudo for gitea-runner to run nix-env and
  switch-to-configuration (required for local deployment)
- Remove SSH key setup from deploy workflow

deploy-rs was using 'gitea-runner' as ssh_user because the runner
process runs as that user. Set sshUser=root at the node level.
Also add StrictHostKeyChecking=accept-new as fallback for host key.

deploy-rs was configured with default port 22 and user root, but
SSH runs on port 2299 and root login is disabled. Also fix ssh-keyscan
in the deploy workflow to use the correct port.

Runner has label 'host', not 'docker'. Jobs were stuck in 'waiting to
run' because no runner matched the docker label. Also removed the
cachix/install-nix-action steps since Nix is already available on the
host runner.

Consolidate 4 separate workflows into 2:
- ci.yml (pull_request): flake-check -> build-hosts
- deploy.yml (push to main): flake-check -> deploy + build-pi-images

Previously, deploy and build-pi-image ran on push to main without
any checks. Now flake-check must pass before anything gets deployed
or built.
2026-03-14 13:52:21 +01:00
Renamed from .forgejo/workflows/build-pi-image.yml