diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index d69d66e..a08e312 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -15,18 +15,25 @@ jobs:
 - name: Run flake check
 run: nix flake check --impure
- build-hosts:
+ deploy-cryodev-main:
 needs: flake-check
 runs-on: host
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Build cryodev-main
- run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
+ - name: Set up SSH
+ env:
+ DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+ run: |
+ mkdir -p ~/.ssh
+ echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
+ chmod 644 ~/.ssh/known_hosts
- - name: Build cryodev-pi
- run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
+ - name: Deploy with deploy-rs
+ run: NIX_SSHOPTS="-p 2299 -o StrictHostKeyChecking=accept-new" nix run github:serokell/deploy-rs -- -s .#cryodev-main
 build-pi-images:
 needs: flake-check
diff --git a/flake.lock b/flake.lock
index 3342164..5c8265f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,6 +38,28 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1770019181, + "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "devshell": { "inputs": { "nixpkgs": [ 
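Review bot: The host key is learned from the network at deploy time (`ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts`) and the deploy step then also passes `-o StrictHostKeyChecking=accept-new`, so the job never verifies the identity of the machine it hands a root-level system closure to: whatever key is served during the scan, or on first connect if the scan returned nothing, is accepted silently, and the `sshOpts` of the deploy node in flake.nix carry the same `accept-new`. Pin the key instead — keep the expected known_hosts line in a repository variable (placeholder name `DEPLOY_KNOWN_HOSTS`), write it with `echo "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts`, and use `-o StrictHostKeyChecking=yes` in both the workflow and the flake.nix node. The deploy step also runs `nix run github:serokell/deploy-rs`, which resolves the unpinned default branch of deploy-rs on every run even though this same commit locks deploy-rs in flake.lock and appears to add it to the runner's package set in modules/nixos/forgejo-runner/default.nix; invoking the locked binary, `deploy -s .#cryodev-main`, keeps the deploy tool under the lockfile. If `runs-on: host` means the job executes directly on a persistent runner machine, the private key written to `~/.ssh/id_ed25519` outlives the job, so add a final step with `if: always()` that runs `rm -f ~/.ssh/id_ed25519`, and create the file with `install -m 600 /dev/null ~/.ssh/id_ed25519` (or run the block under `umask 077`) rather than `echo` followed by `chmod`, which leaves it world-readable under the default umask for a moment.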
@@ -76,6 +98,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1767039857, @@ -91,7 +129,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1767039857, @@ -130,7 +168,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -148,7 +186,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -166,7 +204,7 @@ }, "git-hooks": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "gitignore": "gitignore", "nixpkgs": [ "nixpkgs" @@ -306,7 +344,7 @@ "nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "git-hooks": "git-hooks_2", "nixpkgs": [ "nixpkgs" @@ -413,7 +451,7 @@ "nixpkgs" ], "nuschtosSearch": "nuschtosSearch", - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1769049374, @@ -456,6 +494,7 @@ "root": { "inputs": { "comin": "comin", + "deploy-rs": "deploy-rs", "git-hooks": "git-hooks", "headplane": "headplane", "nixos-mailserver": "nixos-mailserver", 
@@ -531,6 +570,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": "nixpkgs"
@@ -548,6 +602,24 @@ "repo": "treefmt-nix", "type": "github" } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index f157f22..597bd18 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,9 @@
 comin.url = "github:nlewo/comin";
 comin.inputs.nixpkgs.follows = "nixpkgs";
+ deploy-rs.url = "github:serokell/deploy-rs";
+ deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+
 nixvim.url = "github:nix-community/nixvim/nixos-25.11";
 nixvim.inputs.nixpkgs.follows = "nixpkgs";
@@ -116,6 +119,25 @@
 pkgs.writeShellScriptBin "pre-commit-run" script
 );
+ deploy = {
+ nodes = {
+ cryodev-main = {
+ hostname = constants.domain;
+ sshUser = "root";
+ sshOpts = [
+ "-p"
+ "2299"
+ "-o"
+ "StrictHostKeyChecking=accept-new"
+ ];
+ profiles.system = {
+ user = "root";
+ path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
+ };
+ };
+ };
+ };
+
 checks = forAllSystems (
 system:
 let
@@ -125,6 +147,7 @@
 inherit system;
 overlays = [ self.overlays.modifications ];
 };
+ deployChecks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
 in
 {
 pre-commit-check = inputs.git-hooks.lib.${system}.run {
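Review bot: The deploy node restates values that now live in three places — `"2299"` and `StrictHostKeyChecking=accept-new` here, `-p 2299 ... cryodev.xyz` in .forgejo/workflows/deploy.yml, and `ports = mkDefault [ 2299 ]` in modules/nixos/openssh/default.nix — while `hostname` is taken from `constants.domain`; if the port or domain changes in one place, the workflow's pre-scanned known_hosts entry (hashed with the `[host]:port` form for a non-default port) or the connection itself will stop matching without any evaluation error. Source the port from the same `constants` set the node already reads (the exact attribute is up to what `constants` exposes; e.g. `"${toString constants.sshPort}"` as a placeholder) and have the workflow consume it from the flake rather than repeating the literal. Once the server key is pinned in known_hosts, the option here should be `"StrictHostKeyChecking=yes"` so deploy-rs refuses a changed host key instead of trusting whatever it sees first.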
@@ -138,6 +161,7 @@
 # package = overlaidPkgs.package;
 };
 }
+ // deployChecks
 );
 };
 }
diff --git a/hosts/cryodev-main/deploy-key.pub b/hosts/cryodev-main/deploy-key.pub
new file mode 100644
index 0000000..b4e3f23
--- /dev/null
+++ b/hosts/cryodev-main/deploy-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy
diff --git a/hosts/cryodev-main/services/comin.nix b/hosts/cryodev-main/services/comin.nix
deleted file mode 100644
index 35ab81f..0000000
--- a/hosts/cryodev-main/services/comin.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- config,
- pkgs,
- outputs,
- constants,
- ...
-}:
-
-{
- imports = [
- outputs.nixosModules.comin
- ];
-
- services.comin = {
- enable = true;
- remotes = [
- {
- name = "origin";
- url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
- branches.main.name = "main";
- }
- ];
- };
-}
diff --git a/hosts/cryodev-main/services/default.nix b/hosts/cryodev-main/services/default.nix
index a7e03dc..4b447cd 100644
--- a/hosts/cryodev-main/services/default.nix
+++ b/hosts/cryodev-main/services/default.nix
@@ -1,15 +1,17 @@
 {
 imports = [
- ./comin.nix
+ # Stufe 1: Services ohne externe Abhaengigkeiten
 ./forgejo.nix
- ./forgejo-runner.nix
- ./headplane.nix
 ./headscale.nix
 ./mailserver.nix
 ./netdata.nix
 ./nginx.nix
 ./openssh.nix
 ./sops.nix
- ./tailscale.nix
+
+ # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
+ ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
+ ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
+ ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
 ];
 }
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index f71c084..db9a56a 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
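Review bot: The "Stufe 2" comment in hosts/cryodev-main/services/default.nix says forgejo-runner, headplane and tailscale are to be activated only once Headscale/Forgejo run and real secrets exist, but the list still imports all three unconditionally — position inside `imports` has no effect on evaluation or activation order, so a fresh deploy enables every service at once and a missing sops secret on a new host would presumably break the activation for the whole system rather than just the staged service. If the staging is meant to be enforced, gate the three entries behind a host flag, e.g. `] ++ lib.optionals constants.stage2 [ ./forgejo-runner.nix ./headplane.nix ./tailscale.nix ]` (flag name is a placeholder; the file header would then need `{ lib, constants, ... }:` instead of the bare `{`). If it is only meant as documentation, reword the comment to state the dependency ("these modules read secrets provisioned by Forgejo/Headscale") so it does not promise an ordering the code cannot provide, preferably in English to match the comment added in openssh.nix in this same commit.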
@@ -9,4 +9,9 @@
 ];
 services.openssh.enable = true;
+
+ # Root SSH key for deploy-rs (key-only, no password)
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../deploy-key.pub
+ ];
 }
diff --git a/hosts/cryodev-pi/services/comin.nix b/hosts/cryodev-pi/services/comin.nix
index 35ab81f..2317b06 100644
--- a/hosts/cryodev-pi/services/comin.nix
+++ b/hosts/cryodev-pi/services/comin.nix
@@ -16,7 +16,7 @@
 remotes = [
 {
 name = "origin";
- url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
+ url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
 branches.main.name = "main";
 }
 ];
diff --git a/modules/nixos/forgejo-runner/default.nix b/modules/nixos/forgejo-runner/default.nix
index 7748483..2547f0e 100644
--- a/modules/nixos/forgejo-runner/default.nix
+++ b/modules/nixos/forgejo-runner/default.nix
@@ -49,6 +49,7 @@ in
 nix
 nodejs
 openssh
+ deploy-rs
 ];
 settings = {
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 0958445..00f05c1 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "no";
+ PermitRootLogin = mkDefault "prohibit-password";
 PasswordAuthentication = mkDefault false;
 };
 };
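Review bot: The key from `../deploy-key.pub` goes into root's `authorizedKeys.keyFiles` without any authorized_keys options, so whoever can use the matching private key — the `DEPLOY_SSH_KEY` secret in Forgejo, which any workflow in that repository can presumably read — gets an unrestricted root shell on this host, not just the ability to run deploy-rs. Restrict it at the server side: prefix the line in deploy-key.pub with `from="<runner address>"` (placeholder) so the key is only usable from where the runner connects, and on the Forgejo side limit which workflows may use the secret. The comment `# Root SSH key for deploy-rs (key-only, no password)` relies on `PermitRootLogin = mkDefault "prohibit-password"` from the shared openssh module, which any later `services.openssh.settings` assignment on this host could override; setting `services.openssh.settings.PermitRootLogin = "prohibit-password";` here, next to the key it justifies, makes the comment true regardless of the module default.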
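Review bot: `PermitRootLogin` is relaxed from `"no"` to `"prohibit-password"` in the shared module modules/nixos/openssh/default.nix, so every host that imports it now accepts root key logins, while only cryodev-main actually installs a root key in this commit; cryodev-pi is not a deploy-rs target here and gains nothing from the wider setting (that the pi imports this module is inferred from the `modules/nixos` layout — confirm). Keep the module at `PermitRootLogin = mkDefault "no";` and override it only where the root key is installed, in hosts/cryodev-main/services/openssh.nix: `services.openssh.settings.PermitRootLogin = "prohibit-password";`. That keeps the least-privilege default for any host added later and ties the exception to the file that documents why it exists.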