remove deploy-rs completely

- Remove deploy-rs flake input - Remove deploy block from flake.nix - Remove deployChecks from flake checks - Remove deploy-rs from forgejo-runner hostPackages - Deployment is now handled by Comin (auto) and nix run .#deploy (manual)
remove sid.ovh and clean up gitignore
2026-03-14 14:47:49 +01:00 · 2026-03-14 14:44:44 +01:00 · 2026-03-14 14:43:15 +01:00 · 2026-03-14 14:35:56 +01:00 · 2026-03-14 14:33:06 +01:00
10 changed files with 41 additions and 129 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -15,25 +15,18 @@ jobs:
      - name: Run flake check
        run: nix flake check --impure
-  deploy-cryodev-main:
+  build-hosts:
    needs: flake-check
    runs-on: host
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
-      - name: Set up SSH
+      - name: Build cryodev-main
-        env:
+        run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          mkdir -p ~/.ssh
          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts
-      - name: Deploy with deploy-rs
+      - name: Build cryodev-pi
-        run: NIX_SSHOPTS="-p 2299 -o StrictHostKeyChecking=accept-new" nix run github:serokell/deploy-rs -- -s .#cryodev-main
+        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
  build-pi-images:
    needs: flake-check
--- a/flake.lock
+++ b/flake.lock
@ -38,28 +38,6 @@
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1770019181,
        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "devshell": {
      "inputs": {
        "nixpkgs": [
@ -98,22 +76,6 @@
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@ -129,7 +91,7 @@
        "type": "github"
      }
    },
-    "flake-compat_4": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@ -168,7 +130,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
@ -186,7 +148,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
@ -204,7 +166,7 @@
    },
    "git-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
@ -344,7 +306,7 @@
    "nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "git-hooks": "git-hooks_2",
        "nixpkgs": [
          "nixpkgs"
@ -451,7 +413,7 @@
          "nixpkgs"
        ],
        "nuschtosSearch": "nuschtosSearch",
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1769049374,
@ -494,7 +456,6 @@
    "root": {
      "inputs": {
        "comin": "comin",
        "deploy-rs": "deploy-rs",
        "git-hooks": "git-hooks",
        "headplane": "headplane",
        "nixos-mailserver": "nixos-mailserver",
@ -570,21 +531,6 @@
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": "nixpkgs"
@ -602,24 +548,6 @@
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -15,9 +15,6 @@
    comin.url = "github:nlewo/comin";
    comin.inputs.nixpkgs.follows = "nixpkgs";
    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    nixvim.url = "github:nix-community/nixvim/nixos-25.11";
    nixvim.inputs.nixpkgs.follows = "nixpkgs";
@ -119,25 +116,6 @@
        pkgs.writeShellScriptBin "pre-commit-run" script
      );
      deploy = {
        nodes = {
          cryodev-main = {
            hostname = constants.domain;
            sshUser = "root";
            sshOpts = [
              "-p"
              "2299"
              "-o"
              "StrictHostKeyChecking=accept-new"
            ];
            profiles.system = {
              user = "root";
              path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
            };
          };
        };
      };
      checks = forAllSystems (
        system:
        let
@ -147,7 +125,6 @@
            inherit system;
            overlays = [ self.overlays.modifications ];
          };
          deployChecks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
        in
        {
          pre-commit-check = inputs.git-hooks.lib.${system}.run {
@ -161,7 +138,6 @@
            # package = overlaidPkgs.package;
          };
        }
        // deployChecks
      );
    };
 }
--- a/hosts/cryodev-main/deploy-key.pub
+++ b/hosts/cryodev-main/deploy-key.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy
--- a/hosts/cryodev-main/services/comin.nix
+++ b/hosts/cryodev-main/services/comin.nix
@ -0,0 +1,24 @@
 {
  config,
  pkgs,
  outputs,
  constants,
  ...
 }:
 {
  imports = [
    outputs.nixosModules.comin
  ];
  services.comin = {
    enable = true;
    remotes = [
      {
        name = "origin";
        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
        branches.main.name = "main";
      }
    ];
  };
 }
--- a/hosts/cryodev-main/services/default.nix
+++ b/hosts/cryodev-main/services/default.nix
@ -1,17 +1,15 @@
 {
  imports = [
-    # Stufe 1: Services ohne externe Abhaengigkeiten
+    ./comin.nix
    ./forgejo.nix
    ./forgejo-runner.nix
    ./headplane.nix
    ./headscale.nix
    ./mailserver.nix
    ./netdata.nix
    ./nginx.nix
    ./openssh.nix
    ./sops.nix
-
+    ./tailscale.nix
    # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
    ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
    ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
    ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
  ];
 }
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@ -9,9 +9,4 @@
  ];
  services.openssh.enable = true;
  # Root SSH key for deploy-rs (key-only, no password)
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../deploy-key.pub
  ];
 }
--- a/hosts/cryodev-pi/services/comin.nix
+++ b/hosts/cryodev-pi/services/comin.nix
@ -16,7 +16,7 @@
    remotes = [
      {
        name = "origin";
-        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
        branches.main.name = "main";
      }
    ];
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
@ -49,7 +49,6 @@ in
          nix
          nodejs
          openssh
          deploy-rs
        ];
        settings = {
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@ -9,7 +9,7 @@ in
    ports = mkDefault [ 2299 ];
    openFirewall = mkDefault true;
    settings = {
-      PermitRootLogin = mkDefault "prohibit-password";
+      PermitRootLogin = mkDefault "no";
      PasswordAuthentication = mkDefault false;
    };
  };
Author	SHA1	Message	Date
steffen	a4dfbdcd52	remove deploy-rs completely Some checks failed Deploy / flake-check (push) Successful in 37s Details Deploy / build-hosts (push) Failing after 50s Details Deploy / build-pi-images (cryodev-pi) (push) Failing after 29s Details Deploy / create-release (push) Has been skipped Details - Remove deploy-rs flake input - Remove deploy block from flake.nix - Remove deployChecks from flake checks - Remove deploy-rs from forgejo-runner hostPackages - Deployment is now handled by Comin (auto) and nix run .#deploy (manual)	2026-03-14 14:47:49 +01:00
steffen	e9a5af27e9	remove sid.ovh and clean up gitignore	2026-03-14 14:44:44 +01:00
steffen	c45a603d1c	replace deploy-rs CI with Comin pull-based deployment - Add Comin service for cryodev-main (polls git repo, auto-deploys) - Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git) - Remove deploy-rs from CI pipeline (was insecure with shared runner) - Remove deploy SSH key, root SSH login, sudo rules for gitea-runner - Revert PermitRootLogin back to 'no' - CI now only runs flake-check + build (no deploy) - Deployment happens via Comin (both hosts poll and self-deploy)	2026-03-14 14:43:15 +01:00
steffen	ed806bf5fb	fix CI deploy: use global SSH config for deploy-rs The nix-daemon runs as root and cannot access the gitea-runner user's ~/.ssh directory. Solution: write the deploy key and SSH config to /etc/deploy/ and /etc/ssh/ssh_config.d/ which are readable by all users including the nix-daemon. - Deploy key is written to /etc/deploy/key (cleaned up after deploy) - SSH config in /etc/ssh/ssh_config.d/deploy.conf (cleaned up after) - Minimal NOPASSWD sudo rules for gitea-runner to manage these files - Reverts local deploy approach, back to deploy-rs over SSH	2026-03-14 14:35:56 +01:00
steffen	e2e87d5694	switch CI deploy to local nixos-rebuild instead of deploy-rs over SSH Runner runs on the same server it deploys to, so SSH to itself was unnecessarily complex. Now builds locally and activates directly. - Replace deploy-rs SSH workflow with local build + switch - Add NOPASSWD sudo for gitea-runner to run nix-env and switch-to-configuration (required for local deployment) - Remove SSH key setup from deploy workflow	2026-03-14 14:33:06 +01:00
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy`