Compare commits

...

6 commits

Author SHA1 Message Date
badf970041 Merge pull request 'develop' (#1) from develop into main
Some checks failed
Deploy / flake-check (push) Successful in 30s
Deploy / build-hosts (push) Successful in 37s
Deploy / build-pi-images (cryodev-pi) (push) Failing after 13m49s
Deploy / create-release (push) Has been skipped
Reviewed-on: #1
2026-03-14 15:21:30 +01:00
steffen
c81b43530a remove markdown-preview plugin, re-enable Pi builds in CI
All checks were successful
CI / flake-check (pull_request) Successful in 35s
CI / build-hosts (pull_request) Successful in 6m51s
markdown-preview.nvim runs yarn install with native Node.js binaries
that crash under QEMU aarch64 emulation. The plugin is also useless
on headless servers (requires a browser). Removing it allows the Pi
build to succeed in CI again.

Re-enabled Pi build and SD image jobs in both ci.yml and deploy.yml.
2026-03-14 15:12:24 +01:00
steffen
2a418868e6 disable Pi builds in CI: QEMU crashes on aarch64 Node.js packages
markdown-preview.nvim runs yarn install which compiles native binaries.
Under QEMU aarch64 emulation on x86_64 this causes 'Illegal instruction'
crashes. Pi images must be built locally or on a native aarch64 runner.

Pi deployment still works via Comin (builds locally on the Pi itself).
2026-03-14 15:08:35 +01:00
steffen
2155f4073f fix Pi build: force initrd modules to exclude x86 hardware
Some checks failed
CI / flake-check (pull_request) Successful in 31s
CI / build-hosts (pull_request) Failing after 1m23s
sd-image.nix imports all-hardware.nix which adds modules like dw-hdmi
that don't exist in the RPi4 kernel. mkForce the availableKernelModules
list to only include Pi-relevant modules.
2026-03-14 15:04:29 +01:00
steffen
6ad46e7452 fix Pi build and CI pipeline ordering
Some checks failed
CI / flake-check (pull_request) Successful in 33s
CI / build-hosts (pull_request) Failing after 47s
- Fix Pi kernel build: disable includeDefaultModules in initrd.
  NixOS all-hardware.nix includes dw-hdmi which doesn't exist in
  the RPi4 kernel 6.12, causing module-shrunk to fail.
- Fix CI: SD image build now depends on build-hosts instead of
  flake-check, so it won't run if the Pi build fails.
- Apply same fix to raspberry-pi template.
2026-03-14 14:56:10 +01:00
steffen
4e36cca637 remove all deploy-rs references from docs and config
- Update README, AGENTS.md, docs/index.md, docs/deployment/cd.md,
  docs/services/forgejo.md: replace deploy-rs with Comin everywhere
- Fix repo URL references (cryodev-server -> cryodev)
- Fix forgejo admin create command to use shell alias
- Rewrite cd.md for Comin-only deployment
2026-03-14 14:52:30 +01:00
11 changed files with 78 additions and 158 deletions

View file

@ -23,4 +23,4 @@ jobs:
run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
- name: Build cryodev-pi
run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure --extra-platforms aarch64-linux
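Review bot: `--extra-platforms aarch64-linux` on the cryodev-pi build line only tells Nix that this machine may run aarch64 builds; it does not provide the emulation. Unless the runner host registers a binfmt_misc handler for aarch64 (on NixOS, `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];`), the step fails at the first aarch64 derivation, and where emulation is present the later commit messages on this page report native Node.js binaries crashing under it. Either gate this step on the runner being able to emulate, or move the Pi build to a native aarch64 runner. Separately, `--impure` stays on both build lines; it lets evaluation read the environment and makes the CI result non-reproducible, so it deserves a comment saying why it is needed.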

View file

@ -26,10 +26,10 @@ jobs:
run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure
- name: Build cryodev-pi
run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure --extra-platforms aarch64-linux
build-pi-images:
needs: flake-check
needs: build-hosts
runs-on: host
strategy:
matrix:
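Review bot: `needs: build-hosts` fixes the ordering, but nothing reuses the build: unless build-pi-images runs on the same runner with the same Nix store as build-hosts, the cryodev-pi toplevel is evaluated and built a second time under emulation, which matches the check summary at the top of this page (build-hosts passed in 37s, build-pi-images failed after 13m49s). Have the SD-image job consume the build-hosts output (push the toplevel to a binary cache that the SD-image job pulls from, or pin both jobs to the same host so the store hits) instead of rebuilding it.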

View file

@ -27,7 +27,7 @@ nix build .#nixosConfigurations.cryodev-pi.config.system.build.sdImage
# Format code (required before committing)
nix fmt
# Run all checks (lint, formatting, deploy-rs validation)
# Run all checks (lint, formatting)
nix flake check
# Quick evaluation test (faster than full build)
@ -46,14 +46,17 @@ nix develop
# Deploy all hosts via deploy app (uses deploy.json)
nix run .#deploy
# Deploy to cryodev-main via deploy-rs
nix run github:serokell/deploy-rs -- .#cryodev-main
# Deploy a specific host
nix run .#deploy -- -n cryodev-main
# Manual deployment via SSH
NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .#<hostname> \
--target-host <user>@<ip> --sudo --ask-sudo-password
```
> **Note:** Both hosts use Comin for automatic pull-based deployment.
> Manual deployment is only needed for the initial setup or emergencies.
### Apps
```bash
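Review bot: the added note says both hosts deploy through Comin, yet the unchanged lines just above still document `nix run .#deploy` ("uses deploy.json") and `nix run .#deploy -- -n cryodev-main` as the way to deploy. The forgejo.md hunk further down removes a workflow that called that same `nix run .#deploy` with the deploy-rs SSH key, so either the app is gone and these lines are stale, or it still pushes over SSH and contradicts the note. Remove the lines or state what `.#deploy` does after this change.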
@ -200,7 +203,7 @@ services.nginx.enable = lib.mkDefault true;
| Host | Strategy | Trigger |
|------|----------|---------|
| `cryodev-main` | Push via deploy-rs | Forgejo Actions on push to main |
| `cryodev-main` | Pull via Comin | Automatic polling |
| `cryodev-pi` | Pull via Comin | Automatic polling |
| SD Images | Built in CI | Push to main (for Pi hosts) |

View file

@ -6,8 +6,8 @@ Declarative NixOS infrastructure for the **cryodev** environment, managed with N
```bash
# Clone repository
git clone https://git.cryodev.xyz/steffen/cryodev-server.git
cd cryodev-server
git clone https://git.cryodev.xyz/steffen/cryodev.git
cd cryodev
# Check configuration
nix flake check
@ -20,7 +20,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel
| Host | Architecture | Deployment | Description |
|------|--------------|------------|-------------|
| `cryodev-main` | x86_64 | Push (deploy-rs) | Main server |
| `cryodev-main` | x86_64 | Pull (Comin) | Main server |
| `cryodev-pi` | aarch64 | Pull (Comin) | Raspberry Pi client |
## Services
@ -37,7 +37,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel
SD card images for Raspberry Pi clients are **built automatically** on every push to `main`.
Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev-server/releases)
Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev/releases)
```bash
# Flash to SD card
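Review bot: the release URL is updated, but the steps shown still go straight from download to flashing with no integrity check in between. These images become the root filesystem of every Pi client, so publish a SHA-256 (or a signed checksum file) with each release and add a `sha256sum -c` step before `# Flash to SD card`.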

View file

@ -1,121 +1,38 @@
# Continuous Deployment
The cryodev infrastructure uses two deployment strategies optimized for different host types.
All hosts use **Comin** (pull-based) for automatic deployment.
## Overview
| Host | Strategy | Tool | Trigger |
|------|----------|------|---------|
| `cryodev-main` | Push-based | deploy-rs | Git push via Forgejo Actions |
| `cryodev-pi` | Pull-based | Comin | Periodic polling |
| `cryodev-main` | Pull-based | Comin | Automatic polling |
| `cryodev-pi` | Pull-based | Comin | Automatic polling |
## Push-based Deployment (cryodev-main)
### How It Works
## How It Works
1. Developer pushes to `main` branch
2. Forgejo Actions workflow triggers
3. `deploy-rs` connects via SSH and deploys
2. CI (Forgejo Actions) runs flake-check and builds all hosts
3. Comin on each host periodically polls the Git repository
4. On changes, Comin builds and activates the new configuration
### Setup
#### 1. Generate Deploy Key
```bash
ssh-keygen -t ed25519 -f deploy_key -C "forgejo-actions"
```
#### 2. Add Public Key to Server
On `cryodev-main`:
```bash
echo "PUBLIC_KEY_CONTENT" >> /root/.ssh/authorized_keys
```
#### 3. Add Private Key to Forgejo
1. Go to Repository Settings > Secrets
2. Add secret named `DEPLOY_SSH_KEY`
3. Paste the private key content
#### 4. Workflow Configuration
`.forgejo/workflows/deploy.yaml`:
```yaml
name: Deploy
on:
push:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v24
- run: nix flake check
deploy:
needs: check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v24
- name: Setup SSH
env:
SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan cryodev-main >> ~/.ssh/known_hosts
- name: Deploy
run: nix run github:serokell/deploy-rs -- .#cryodev-main
```
### Rollback
deploy-rs automatically rolls back if the new configuration fails health checks.
Manual rollback:
```bash
# List generations
sudo nix-env -p /nix/var/nix/profiles/system --list-generations
# Rollback to previous
sudo nixos-rebuild switch --rollback
```
## Pull-based Deployment (cryodev-pi)
### How It Works
1. Comin periodically polls the Git repository
2. On changes, it builds and activates the new configuration
3. Works through NAT without incoming connections
### Configuration
## Configuration
```nix
# hosts/cryodev-pi/services/comin.nix
# hosts/<hostname>/services/comin.nix
{
services.comin = {
enable = true;
remotes = [{
name = "origin";
url = "https://git.cryodev.xyz/steffen/cryodev-server.git";
url = "https://git.cryodev.xyz/steffen/cryodev.git";
branches.main.name = "main";
}];
};
}
```
### Monitoring
## Monitoring
Check Comin status:
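Review bot: steps 2 and 3 of the rewritten "How It Works" are not connected: CI runs flake-check and builds on push, but Comin polls the `main` branch on its own schedule, so a commit that fails CI is still fetched, built and activated on every host. Either have Comin follow a branch that CI fast-forwards only after the checks pass, or say plainly that CI is advisory. Second, moving `cryodev-main` to pull mode makes anyone who can push to `https://git.cryodev.xyz/steffen/cryodev.git` root on every host; the deleted deploy-rs path at least confined that to the holder of the CI secret. Comin can verify commit signatures against a configured public key (its `gpgPublicKeyPaths` option); enabling that and requiring signed commits on `main` closes the gap and belongs in the Configuration block. Third, the sentence "deploy-rs automatically rolls back if the new configuration fails health checks" is removed without a replacement: the new Rollback section is manual only, so the document should state what Comin does when a build fails or when the activated system stops reaching the network.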
@ -130,7 +47,7 @@ Force immediate update:
sudo systemctl restart comin
```
### Troubleshooting
## Troubleshooting
If Comin fails to build:
@ -140,23 +57,30 @@ sudo journalctl -u comin --since "1 hour ago"
# Manual build test
cd /var/lib/comin/repo
nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel
nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
```
## Rollback
```bash
# List generations
sudo nix-env -p /nix/var/nix/profiles/system --list-generations
# Rollback to previous
sudo nixos-rebuild switch --rollback
```
## Manual Deployment
For hosts not using automated deployment:
For initial setup or emergencies:
```bash
# Build locally
nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
# Using the deploy app
nix run .#deploy -- -n <hostname>
# Deploy with nixos-rebuild
# Or manually with nixos-rebuild
NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .#<hostname> \
--target-host <user>@<hostname> --sudo --ask-sudo-password
# Or using deploy-rs
nix run github:serokell/deploy-rs -- .#<hostname>
```
## Testing Changes
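Review bot: `sudo nixos-rebuild switch --rollback` does not stick on a host that Comin manages: at the next poll `main` still points at the broken commit, so Comin rebuilds and re-activates it. The Rollback section should say to revert the commit on `main` (or stop comin) before rolling back locally. Also, the "Manual Deployment" block keeps `nix run .#deploy -- -n <hostname>` while the rest of this change treats the deploy app as removed together with deploy-rs; drop it or document what it now does.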

View file

@ -90,5 +90,5 @@ Für Raspberry Pi: [SD-Image Referenz](getting-started/sd-image.md)
| Host | Strategie | Tool | Beschreibung |
|------|-----------|------|--------------|
| `cryodev-main` | Push-basiert | deploy-rs via Forgejo Actions | Sofortige Updates bei Push |
| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Änderungen |
| `cryodev-main` | Pull-basiert | Comin | Pollt Repository auf Aenderungen |
| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Aenderungen |
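Review bot: `Aenderungen` replaces the correct `Änderungen` in both new rows. The file is already UTF-8 (the hunk header contains `Für`), so keep the umlaut rather than transliterating it.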

View file

@ -75,44 +75,23 @@ forgejo-runner:
## CI/CD Workflows
### deploy-rs Workflow
CI runs on every push to `main` via Forgejo Actions:
`.forgejo/workflows/deploy.yaml`:
1. **flake-check** -- validates the flake
2. **build-hosts** -- builds all host configurations
```yaml
name: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v24
- name: Deploy
env:
SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
nix run .#deploy
```
Deployment is handled by **Comin** (pull-based), not by CI.
See [CD documentation](../deployment/cd.md) for details.
## Administration
### Create Admin User
```bash
sudo -u forgejo forgejo admin user create \
--username admin \
--password changeme \
--email admin@cryodev.xyz \
forgejo admin user create \
--username <benutzername> \
--email <email>@<domain> \
--password <passwort> \
--admin
```
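Review bot: deleting the workflow does not revoke the credential it used. The `DEPLOY_SSH_KEY` repository secret and the public key that the old cd.md told the reader to append to `/root/.ssh/authorized_keys` on cryodev-main both survive this change; remove the secret and the authorized_keys entry and say so in the commit, otherwise anyone holding the old private key still has root SSH to the server. On the admin-user command: `--password <passwort>` on the command line lands the password in shell history and in `ps` for the lifetime of the process; Forgejo's `admin user create` accepts `--must-change-password` (and `--random-password`), which is the better pattern for a bootstrap account. The placeholders `<benutzername>` and `<passwort>` are German in an otherwise English document; use `<username>` and `<password>`.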

View file

@ -3,11 +3,15 @@
{
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
];
initrd = {
availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
];
# Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi)
includeDefaultModules = false;
};
};
fileSystems = {
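Review bot: the comment on `includeDefaultModules = false;` is wrong on two counts, and the later commit in this comparison (2155f4073f) confirms it: dw-hdmi is not an x86 driver (it is the Synopsys DesignWare HDMI bridge used on ARM SoCs), and it is not contributed by `includeDefaultModules` but by `all-hardware.nix`, which `sd-image.nix` imports; that is why the follow-up had to add `lib.mkForce` in the SD-image module. What this line actually removes is the generic default set (SATA, NVMe, virtio, USB storage and friends), so either reword the comment to say that, or drop the setting now that the real fix lives in the sd-image module.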

View file

@ -27,4 +27,12 @@
"vfat"
"ext4"
];
# sd-image.nix imports all-hardware.nix which adds x86 modules like dw-hdmi
# that don't exist in the RPi4 kernel. Filter them out.
boot.initrd.availableKernelModules = lib.mkForce [
"xhci_pci"
"usbhid"
"usb_storage"
];
}
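Review bot: `lib.mkForce` replaces the whole `availableKernelModules` list, so every entry contributed by `sd-image.nix` or by the host module is discarded, not only dw-hdmi; if anything in the inherited list is needed to mount the root filesystem from the card, the image builds but does not boot, and the only evidence on this page is a CI build, not a boot. Confirm on a real Pi that the image comes up and add the SD-card (mmc/sdhci) modules to the explicit list if they are no longer pulled in. The comment repeats the mistaken "x86 modules like dw-hdmi": dw-hdmi is an ARM SoC HDMI bridge driver absent from the RPi4 kernel, not an x86 driver. Finally, `lib` must be in this module's argument set (`{ lib, ... }:`), which the hunk does not show.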

View file

@ -11,8 +11,6 @@
];
config.programs.nixvim.plugins = {
markdown-preview.enable = lib.mkDefault true;
# warning: Nixvim: `plugins.web-devicons` was enabled automatically because the following plugins are enabled. This behaviour is deprecated. Please explicitly define `plugins.web-devicons.enable`
web-devicons.enable = true;
};
}

View file

@ -3,11 +3,15 @@
{
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
];
initrd = {
availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
];
# Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi)
includeDefaultModules = false;
};
};
fileSystems = {
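Review bot: same inaccurate comment as in the host's hardware module above: dw-hdmi is not an x86 driver and comes from `all-hardware.nix` via `sd-image.nix`, not from `includeDefaultModules`. Reword it or drop the setting in both copies together so the template and the host do not diverge.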