diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml index d7d7fd8..d69d66e 100644 --- a/.forgejo/workflows/deploy.yml +++ b/.forgejo/workflows/deploy.yml @@ -29,7 +29,7 @@ jobs: run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure build-pi-images: - needs: build-hosts + needs: flake-check runs-on: host strategy: matrix: diff --git a/AGENTS.md b/AGENTS.md index 367ea5c..0b23dfa 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -27,7 +27,7 @@ nix build .#nixosConfigurations.cryodev-pi.config.system.build.sdImage # Format code (required before committing) nix fmt -# Run all checks (lint, formatting) +# Run all checks (lint, formatting, deploy-rs validation) nix flake check # Quick evaluation test (faster than full build) @@ -46,17 +46,14 @@ nix develop # Deploy all hosts via deploy app (uses deploy.json) nix run .#deploy -# Deploy a specific host -nix run .#deploy -- -n cryodev-main +# Deploy to cryodev-main via deploy-rs +nix run github:serokell/deploy-rs -- .#cryodev-main # Manual deployment via SSH NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .# \ --target-host @ --sudo --ask-sudo-password ``` -> **Note:** Both hosts use Comin for automatic pull-based deployment. -> Manual deployment is only needed for the initial setup or emergencies. - ### Apps ```bash @@ -203,7 +200,7 @@ services.nginx.enable = lib.mkDefault true; | Host | Strategy | Trigger | |------|----------|---------| -| `cryodev-main` | Pull via Comin | Automatic polling | +| `cryodev-main` | Push via deploy-rs | Forgejo Actions on push to main | | `cryodev-pi` | Pull via Comin | Automatic polling | | SD Images | Built in CI | Push to main (for Pi hosts) | diff --git a/README.md b/README.md index fde2dc0..3605ade 100644 --- a/README.md +++ b/README.md 
@@ -6,8 +6,8 @@ Declarative NixOS infrastructure for the **cryodev** environment, managed with N ```bash # Clone repository -git clone https://git.cryodev.xyz/steffen/cryodev.git -cd cryodev +git clone https://git.cryodev.xyz/steffen/cryodev-server.git +cd cryodev-server # Check configuration nix flake check @@ -20,7 +20,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel | Host | Architecture | Deployment | Description | |------|--------------|------------|-------------| -| `cryodev-main` | x86_64 | Pull (Comin) | Main server | +| `cryodev-main` | x86_64 | Push (deploy-rs) | Main server | | `cryodev-pi` | aarch64 | Pull (Comin) | Raspberry Pi client | ## Services @@ -37,7 +37,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel SD card images for Raspberry Pi clients are **built automatically** on every push to `main`. -Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev/releases) +Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev-server/releases) ```bash # Flash to SD card diff --git a/docs/deployment/cd.md b/docs/deployment/cd.md index 223b397..628ee5e 100644 --- a/docs/deployment/cd.md +++ b/docs/deployment/cd.md 
@@ -1,38 +1,121 @@ # Continuous Deployment -All hosts use **Comin** (pull-based) for automatic deployment. +The cryodev infrastructure uses two deployment strategies optimized for different host types. ## Overview | Host | Strategy | Tool | Trigger | |------|----------|------|---------| -| `cryodev-main` | Pull-based | Comin | Automatic polling | -| `cryodev-pi` | Pull-based | Comin | Automatic polling | +| `cryodev-main` | Push-based | deploy-rs | Git push via Forgejo Actions | +| `cryodev-pi` | Pull-based | Comin | Periodic polling | -## How It Works +## Push-based Deployment (cryodev-main) + +### How It Works 1. Developer pushes to `main` branch -2. CI (Forgejo Actions) runs flake-check and builds all hosts -3. Comin on each host periodically polls the Git repository -4. On changes, Comin builds and activates the new configuration +2. Forgejo Actions workflow triggers +3. `deploy-rs` connects via SSH and deploys -## Configuration +### Setup + +#### 1. Generate Deploy Key + +```bash +ssh-keygen -t ed25519 -f deploy_key -C "forgejo-actions" +``` + +#### 2. Add Public Key to Server + +On `cryodev-main`: + +```bash +echo "PUBLIC_KEY_CONTENT" >> /root/.ssh/authorized_keys +``` + +#### 3. Add Private Key to Forgejo + +1. Go to Repository Settings > Secrets +2. Add secret named `DEPLOY_SSH_KEY` +3. Paste the private key content + +#### 4. 
Workflow Configuration + +`.forgejo/workflows/deploy.yaml`: + +```yaml +name: Deploy +on: + push: + branches: [main] + +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v24 + - run: nix flake check + + deploy: + needs: check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v24 + + - name: Setup SSH + env: + SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }} + run: | + mkdir -p ~/.ssh + echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan cryodev-main >> ~/.ssh/known_hosts + + - name: Deploy + run: nix run github:serokell/deploy-rs -- .#cryodev-main +``` + +### Rollback + +deploy-rs automatically rolls back if the new configuration fails health checks. + +Manual rollback: + +```bash +# List generations +sudo nix-env -p /nix/var/nix/profiles/system --list-generations + +# Rollback to previous +sudo nixos-rebuild switch --rollback +``` + +## Pull-based Deployment (cryodev-pi) + +### How It Works + +1. Comin periodically polls the Git repository +2. On changes, it builds and activates the new configuration +3. Works through NAT without incoming connections + +### Configuration ```nix -# hosts//services/comin.nix +# hosts/cryodev-pi/services/comin.nix { services.comin = { enable = true; remotes = [{ name = "origin"; - url = "https://git.cryodev.xyz/steffen/cryodev.git"; + url = "https://git.cryodev.xyz/steffen/cryodev-server.git"; branches.main.name = "main"; }]; }; } ``` -## Monitoring +### Monitoring Check Comin status: @@ -47,7 +130,7 @@ Force immediate update: sudo systemctl restart comin ``` -## Troubleshooting +### Troubleshooting If Comin fails to build: 
@@ -57,30 +140,23 @@ sudo journalctl -u comin --since "1 hour ago" # Manual build test cd /var/lib/comin/repo -nix build .#nixosConfigurations..config.system.build.toplevel -``` - -## Rollback - -```bash -# List generations -sudo nix-env -p /nix/var/nix/profiles/system --list-generations - -# Rollback to previous -sudo nixos-rebuild switch --rollback +nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel ``` ## Manual Deployment -For initial setup or emergencies: +For hosts not using automated deployment: ```bash -# Using the deploy app -nix run .#deploy -- -n +# Build locally +nix build .#nixosConfigurations..config.system.build.toplevel -# Or manually with nixos-rebuild +# Deploy with nixos-rebuild NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .# \ --target-host @ --sudo --ask-sudo-password + +# Or using deploy-rs +nix run github:serokell/deploy-rs -- .# ``` ## Testing Changes diff --git a/docs/index.md b/docs/index.md index c63bb6c..47ad07d 100644 --- a/docs/index.md +++ b/docs/index.md @@ -90,5 +90,5 @@ Für Raspberry Pi: [SD-Image Referenz](getting-started/sd-image.md) | Host | Strategie | Tool | Beschreibung | |------|-----------|------|--------------| -| `cryodev-main` | Pull-basiert | Comin | Pollt Repository auf Aenderungen | -| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Aenderungen | +| `cryodev-main` | Push-basiert | deploy-rs via Forgejo Actions | Sofortige Updates bei Push | +| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Änderungen | diff --git a/docs/services/forgejo.md b/docs/services/forgejo.md index 5955405..09d5b6a 100644 --- a/docs/services/forgejo.md +++ b/docs/services/forgejo.md 
@@ -75,23 +75,44 @@ forgejo-runner: ## CI/CD Workflows -CI runs on every push to `main` via Forgejo Actions: +### deploy-rs Workflow -1. **flake-check** -- validates the flake -2. **build-hosts** -- builds all host configurations +`.forgejo/workflows/deploy.yaml`: -Deployment is handled by **Comin** (pull-based), not by CI. -See [CD documentation](../deployment/cd.md) for details. +```yaml +name: Deploy +on: + push: + branches: [main] + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v24 + + - name: Deploy + env: + SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }} + run: | + mkdir -p ~/.ssh + echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + nix run .#deploy +``` ## Administration ### Create Admin User ```bash -forgejo admin user create \ - --username \ - --email @ \ - --password \ +sudo -u forgejo forgejo admin user create \ + --username admin \ + --password changeme \ + --email admin@cryodev.xyz \ --admin ``` diff --git a/hosts/cryodev-pi/hardware.nix b/hosts/cryodev-pi/hardware.nix index bb0722b..a0d751a 100644 --- a/hosts/cryodev-pi/hardware.nix +++ b/hosts/cryodev-pi/hardware.nix @@ -3,15 +3,11 @@ { boot = { kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; - initrd = { - availableKernelModules = [ - "xhci_pci" - "usbhid" - "usb_storage" - ]; - # Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi) - includeDefaultModules = false; - }; + initrd.availableKernelModules = [ + "xhci_pci" + "usbhid" + "usb_storage" + ]; }; fileSystems = { diff --git a/templates/raspberry-pi/hardware.nix b/templates/raspberry-pi/hardware.nix index bb0722b..a0d751a 100644 --- a/templates/raspberry-pi/hardware.nix +++ b/templates/raspberry-pi/hardware.nix 
@@ -3,15 +3,11 @@ { boot = { kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; - initrd = { - availableKernelModules = [ - "xhci_pci" - "usbhid" - "usb_storage" - ]; - # Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi) - includeDefaultModules = false; - }; + initrd.availableKernelModules = [ + "xhci_pci" + "usbhid" + "usb_storage" + ]; }; fileSystems = {
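Review bot: in the `.forgejo/workflows/deploy.yml` hunk, changing `needs: build-hosts` to `needs: flake-check` means `build-pi-images` can now build and publish SD images from a commit whose host configurations were never built by `build-hosts`; if decoupling the two jobs is intended (for example to shorten CI time), say so in the commit message. The documentation added later in this patch refers to the file as `.forgejo/workflows/deploy.yaml` while the file actually changed here is `deploy.yml`; one of the two should be corrected.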
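Review bot: in the `AGENTS.md` hunk, the updated comment `# Run all checks (lint, formatting, deploy-rs validation)` claims that `nix flake check` now runs deploy-rs validation, but this patch contains no change to `flake.nix`; deploy-rs checks only run if the flake wires `deployChecks` into its `checks` output, so either include that change or drop the claim. The new deploy command `nix run github:serokell/deploy-rs -- .#cryodev-main` uses an unpinned flake reference that resolves to whatever the upstream default branch contains at run time; pin it to a revision or run deploy-rs from the repository's own locked input. It also differs from the `nix run .#deploy` step shown in the `docs/services/forgejo.md` workflow in this same patch, so the two documents disagree on how a deployment is started.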
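Review bot: the `README.md` hunk renames the repository from `cryodev` to `cryodev-server` in the clone and release URLs, and `docs/deployment/cd.md` updates the Comin snippet to `url = "https://git.cryodev.xyz/steffen/cryodev-server.git";`, but no change to the real `hosts/cryodev-pi/services/comin.nix` appears in this patch. If the old URL stops resolving, Comin on `cryodev-pi` will keep polling a repository that no longer exists and silently stop receiving updates; the host configuration should be updated in the same change as the docs.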
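Review bot: the first `docs/deployment/cd.md` hunk documents a setup that gives the CI runner an unrestricted root SSH key: `echo "PUBLIC_KEY_CONTENT" >> /root/.ssh/authorized_keys`. Anyone who can read the `DEPLOY_SSH_KEY` secret (repository admins, a compromised runner, a malicious workflow change on `main`) gets a root shell on `cryodev-main`; at minimum restrict the key in `authorized_keys` with `from=` and, where deploy-rs allows it, use a dedicated deploy user rather than root. The `ssh-keyscan cryodev-main >> ~/.ssh/known_hosts` step re-learns the host key on every run (trust on first use, every time), so an attacker on the runner's network path can substitute a host; pin the known host key in the repository instead. The same step scans port 22, while the manual deployment command in this patch uses `NIX_SSHOPTS="-p 2299"`, so if sshd listens on 2299 the scan returns nothing and the deploy-rs profile additionally needs the port passed via its SSH options. Finally, the documented jobs use `runs-on: ubuntu-latest` whereas the real workflow in this patch uses `runs-on: host`; on a self-hosted runner the private key written to `~/.ssh/id_ed25519` persists on disk after the job, so load it into an agent or add a cleanup step.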
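Review bot: in the last `docs/deployment/cd.md` hunk, the new lead-in `For hosts not using automated deployment:` contradicts the Overview table in the same file, where both hosts now have an automated strategy; the previous wording, `For initial setup or emergencies:`, described when these commands are actually needed and should be kept or merged ("For initial bootstrap, emergencies, or hosts not yet covered by automated deployment").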
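Review bot: in the `docs/services/forgejo.md` hunk, the `deploy-rs Workflow` shown has no `known_hosts` step at all, so on a fresh runner the SSH connection made by `nix run .#deploy` will fail host-key verification, and the likely workaround (disabling strict host key checking) should not be encouraged by the docs; align this snippet with the one in `docs/deployment/cd.md`, which also has a separate `check` job gating the deploy. In the `Create Admin User` block, `--password changeme` replaces the previous placeholder with a literal default password that readers will copy; use a placeholder or Forgejo's `--random-password` option (if that option is not available in the deployed version, keep a placeholder) so no documented credential ends up in production.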
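Review bot: the `hosts/cryodev-pi/hardware.nix` hunk removes `includeDefaultModules = false;` together with the comment that explained why it was there (`# Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi)`), but nothing in the patch says what changed to make it unnecessary. If the `linux_rpi4` kernel now builds with the default initrd module set, state that in the commit message; otherwise this reintroduces the initrd build failure the comment describes, and since `build-pi-images` no longer waits for `build-hosts` (see the workflow hunk) the breakage would surface only in the image job.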
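Review bot: the `templates/raspberry-pi/hardware.nix` hunk is identical to the one for `hosts/cryodev-pi/hardware.nix`, so the same question applies: document why `includeDefaultModules = false;` is no longer needed. Keeping the template and the host file byte-for-byte identical is good; consider deriving one from the other so future changes cannot drift.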