diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index a08e312..d69d66e 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -15,25 +15,18 @@ jobs:
 - name: Run flake check
 run: nix flake check --impure

- deploy-cryodev-main:
+ build-hosts:
 needs: flake-check
 runs-on: host
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4

- - name: Set up SSH
- env:
- DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- run: |
- mkdir -p ~/.ssh
- echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
+ - name: Build cryodev-main
+ run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure

- - name: Deploy with deploy-rs
- run: NIX_SSHOPTS="-p 2299 -o StrictHostKeyChecking=accept-new" nix run github:serokell/deploy-rs -- -s .#cryodev-main
+ - name: Build cryodev-pi
+ run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure

 build-pi-images:
 needs: flake-check
diff --git a/flake.lock b/flake.lock
index 5c8265f..3342164 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,28 +38,6 @@
 "type": "github"
 }
 },
- "deploy-rs": {
- "inputs": {
- "flake-compat": "flake-compat_2",
- "nixpkgs": [
- "nixpkgs"
- ],
- "utils": "utils"
- },
- "locked": {
- "lastModified": 1770019181,
- "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
- "owner": "serokell",
- "repo": "deploy-rs",
- "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
- "type": "github"
- },
- "original": {
- "owner": "serokell",
- "repo": "deploy-rs",
- "type": "github"
- }
- },
 "devshell": {
 "inputs": {
 "nixpkgs": [
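Review bot: The `DEPLOY_SSH_KEY` repository secret consumed by the removed `Set up SSH` step is no longer referenced by the new `build-hosts` job, but nothing in this change retires it: the public half is deleted from the host and root login is disabled elsewhere in the diff, so the private key held in Forgejo's repo secrets is dead material that should be deleted from the repo settings and treated as revoked, since it was written to disk on the runner on every past run. The two new `nix build` steps also keep `--impure`, which lets the evaluation read the runner's environment and weakens the guarantee that CI built the same toplevel comin will later build on the hosts; if a specific builtin needs it, say so above each step with `# --impure: needed for <reason>`, otherwise drop it. The context line `uses: actions/checkout@v4` resolves a mutable tag on a self-hosted runner; pinning to a commit SHA (`actions/checkout@<sha> # v4`) is the usual supply-chain hardening for the job that now builds both host closures.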
@@ -98,22 +76,6 @@
 }
 },
 "flake-compat_2": {
- "flake": false,
- "locked": {
- "lastModified": 1733328505,
- "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
- "owner": "edolstra",
- "repo": "flake-compat",
- "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
- "type": "github"
- },
- "original": {
- "owner": "edolstra",
- "repo": "flake-compat",
- "type": "github"
- }
- },
- "flake-compat_3": {
 "flake": false,
 "locked": {
 "lastModified": 1767039857,
@@ -129,7 +91,7 @@
 "type": "github"
 }
 },
- "flake-compat_4": {
+ "flake-compat_3": {
 "flake": false,
 "locked": {
 "lastModified": 1767039857,
@@ -168,7 +130,7 @@
 },
 "flake-utils": {
 "inputs": {
- "systems": "systems_2"
+ "systems": "systems"
 },
 "locked": {
 "lastModified": 1731533236,
@@ -186,7 +148,7 @@
 },
 "flake-utils_2": {
 "inputs": {
- "systems": "systems_3"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1731533236,
@@ -204,7 +166,7 @@
 },
 "git-hooks": {
 "inputs": {
- "flake-compat": "flake-compat_3",
+ "flake-compat": "flake-compat_2",
 "gitignore": "gitignore",
 "nixpkgs": [
 "nixpkgs"
@@ -344,7 +306,7 @@
 "nixos-mailserver": {
 "inputs": {
 "blobs": "blobs",
- "flake-compat": "flake-compat_4",
+ "flake-compat": "flake-compat_3",
 "git-hooks": "git-hooks_2",
 "nixpkgs": [
 "nixpkgs"
@@ -451,7 +413,7 @@
 "nixpkgs"
 ],
 "nuschtosSearch": "nuschtosSearch",
- "systems": "systems_4"
+ "systems": "systems_3"
 },
 "locked": {
 "lastModified": 1769049374,
@@ -494,7 +456,6 @@
 "root": {
 "inputs": {
 "comin": "comin",
- "deploy-rs": "deploy-rs",
 "git-hooks": "git-hooks",
 "headplane": "headplane",
 "nixos-mailserver": "nixos-mailserver",
@@ -570,21 +531,6 @@
 "type": "github"
 }
 },
- "systems_4": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- },
 "treefmt-nix": {
 "inputs": {
 "nixpkgs": "nixpkgs"
@@ -602,24 +548,6 @@
 "repo": "treefmt-nix",
 "type": "github"
 }
- },
- "utils": {
- "inputs": {
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1731533236,
- "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 597bd18..f157f22 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,9 +15,6 @@
 comin.url = "github:nlewo/comin";
 comin.inputs.nixpkgs.follows = "nixpkgs";

- deploy-rs.url = "github:serokell/deploy-rs";
- deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
-
 nixvim.url = "github:nix-community/nixvim/nixos-25.11";
 nixvim.inputs.nixpkgs.follows = "nixpkgs";

@@ -119,25 +116,6 @@
 pkgs.writeShellScriptBin "pre-commit-run" script
 );

- deploy = {
- nodes = {
- cryodev-main = {
- hostname = constants.domain;
- sshUser = "root";
- sshOpts = [
- "-p"
- "2299"
- "-o"
- "StrictHostKeyChecking=accept-new"
- ];
- profiles.system = {
- user = "root";
- path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
- };
- };
- };
- };
-
 checks = forAllSystems (
 system:
 let
@@ -147,7 +125,6 @@
 inherit system;
 overlays = [ self.overlays.modifications ];
 };
- deployChecks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
 in
 {
 pre-commit-check = inputs.git-hooks.lib.${system}.run {
@@ -161,7 +138,6 @@
 # package = overlaidPkgs.package;
 };
 }
- // deployChecks
 );
 };
 }
diff --git a/hosts/cryodev-main/deploy-key.pub b/hosts/cryodev-main/deploy-key.pub
deleted file mode 100644
index b4e3f23..0000000
--- a/hosts/cryodev-main/deploy-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy
diff --git a/hosts/cryodev-main/services/comin.nix b/hosts/cryodev-main/services/comin.nix
new file mode 100644
index 0000000..35ab81f
--- /dev/null
+++ b/hosts/cryodev-main/services/comin.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ outputs,
+ constants,
+ ...
+}:
+
+{
+ imports = [
+ outputs.nixosModules.comin
+ ];
+
+ services.comin = {
+ enable = true;
+ remotes = [
+ {
+ name = "origin";
+ url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
+ branches.main.name = "main";
+ }
+ ];
+ };
+}
diff --git a/hosts/cryodev-main/services/default.nix b/hosts/cryodev-main/services/default.nix
index 4b447cd..a7e03dc 100644
--- a/hosts/cryodev-main/services/default.nix
+++ b/hosts/cryodev-main/services/default.nix
@@ -1,17 +1,15 @@
 {
 imports = [
- # Stufe 1: Services ohne externe Abhaengigkeiten
+ ./comin.nix
 ./forgejo.nix
+ ./forgejo-runner.nix
+ ./headplane.nix
 ./headscale.nix
 ./mailserver.nix
 ./netdata.nix
 ./nginx.nix
 ./openssh.nix
 ./sops.nix
-
- # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
- ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
- ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
- ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
+ ./tailscale.nix
 ];
 }
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index db9a56a..f71c084 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
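Review bot: Pointing comin at `https://${constants.services.forgejo.fqdn}/steffen/cryodev.git` removes every gate between a push and root on the host: the `build-hosts` CI job in this same diff only builds and discards the toplevel, so whatever lands on `main` is applied regardless of CI outcome, and since `services/default.nix` shows Forgejo and nginx running on this very host, a bad commit that breaks either leaves cryodev-main unable to fetch the fix through this URL. Protect `main` on the Forgejo side (no direct pushes, a required status check from the workflow, signed commits) and, if the comin module exposes commit-signature verification, enable it here so that a single Forgejo account is not equivalent to root on both hosts. Record the recovery path for the circular case in this file, e.g. `# Recovery if Forgejo on this host is down: nixos-rebuild switch --flake <local checkout>#cryodev-main` (exact path to be confirmed).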
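Review bot: The removed `Stufe 2` comments were the only record that `forgejo-runner.nix`, `headplane.nix` and `tailscale.nix` depend on secrets (`forgejo-runner/token`, `headplane/agent_pre_authkey`, `tailscale/auth-key`) that Forgejo and Headscale must issue first; the new flat import list silently drops that bootstrapping constraint, which matters on a fresh install where those secrets do not yet exist. Keep a short English note above those three entries, e.g. `# Need Forgejo/Headscale running and the sops secrets forgejo-runner/token, headplane/agent_pre_authkey and tailscale/auth-key present before first activation`, so a rebuild from scratch does not fail on missing secrets with no hint why.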
@@ -9,9 +9,4 @@
 ];

 services.openssh.enable = true;
-
- # Root SSH key for deploy-rs (key-only, no password)
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../deploy-key.pub
- ];
 }
diff --git a/hosts/cryodev-pi/services/comin.nix b/hosts/cryodev-pi/services/comin.nix
index 2317b06..35ab81f 100644
--- a/hosts/cryodev-pi/services/comin.nix
+++ b/hosts/cryodev-pi/services/comin.nix
@@ -16,7 +16,7 @@
 remotes = [
 {
 name = "origin";
- url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+ url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
 branches.main.name = "main";
 }
 ];
diff --git a/modules/nixos/forgejo-runner/default.nix b/modules/nixos/forgejo-runner/default.nix
index 2547f0e..7748483 100644
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
@@ -49,7 +49,6 @@ in
 nix
 nodejs
 openssh
- deploy-rs
 ];

 settings = {
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 00f05c1..0958445 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "prohibit-password";
+ PermitRootLogin = mkDefault "no";
 PasswordAuthentication = mkDefault false;
 };
 };
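Review bot: `PermitRootLogin = mkDefault "no"` together with the deletion of root's only authorized key in `hosts/cryodev-main/services/openssh.nix` leaves nothing in this diff granting SSH access to cryodev-main; unless a non-root user with authorized keys and sudo is defined elsewhere (not visible here), the host is administrable only through comin, and a bad push on `main` cannot be repaired remotely. Confirm such a user exists before merging and record the assumption in this module, e.g. `# Root login is disabled; every host must define a non-root admin user with SSH keys and sudo`. Since `mkDefault` still lets a host module re-enable root login, it is worth stating in the same comment that doing so is a deliberate per-host exception.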