

No commits in common. "a4dfbdcd5225429ed64689f281ca6a3601bfaa08" and "4ef51998100a26f5b0ee13d559fac0c1a424f78a" have entirely different histories.

10 changed files with 129 additions and 41 deletions


@ -15,18 +15,25 @@ jobs:
- name: Run flake check - name: Run flake check
run: nix flake check --impure run: nix flake check --impure
build-hosts: deploy-cryodev-main:
needs: flake-check needs: flake-check
runs-on: host runs-on: host
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Build cryodev-main - name: Set up SSH
run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
- name: Build cryodev-pi - name: Deploy with deploy-rs
run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure run: NIX_SSHOPTS="-p 2299 -o StrictHostKeyChecking=accept-new" nix run github:serokell/deploy-rs -- -s .#cryodev-main
build-pi-images: build-pi-images:
needs: flake-check needs: flake-check
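Review bot: The `Set up SSH` step fills known_hosts with `ssh-keyscan` at deploy time, which trusts whatever host key the server presents at that moment, and the `StrictHostKeyChecking=accept-new` on the deploy line adds nothing once that entry exists; pin the expected host key instead, e.g. keep it in the repository or a variable and replace the `ssh-keyscan` line with `echo "$KNOWN_HOST_LINE" >> ~/.ssh/known_hosts`. The deploy step runs `nix run github:serokell/deploy-rs`, an unpinned floating ref, even though flake.lock now locks `deploy-rs` as an input; invoking the tool from the locked input (or from the runner's own package set) keeps the deploy tool at the reviewed revision. Because the job runs on a self-hosted runner (`runs-on: host`) and writes the private key to `~/.ssh/id_ed25519` without any cleanup, the key outlives the job; a final `if: always()` step doing `rm -f ~/.ssh/id_ed25519` limits that, and writing it as `(umask 077; echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519)` avoids the brief window before the `chmod 600`. The old job also built `cryodev-pi`, which this job no longer does; if `build-pi-images` does not cover that configuration, its evaluation is no longer checked by CI.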

flake.lock generated

@ -38,6 +38,28 @@
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1770019181,
"narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"devshell": { "devshell": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -76,6 +98,22 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1767039857, "lastModified": 1767039857,
@ -91,7 +129,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": { "flake-compat_4": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1767039857, "lastModified": 1767039857,
@ -130,7 +168,7 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -148,7 +186,7 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -166,7 +204,7 @@
}, },
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -306,7 +344,7 @@
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_4",
"git-hooks": "git-hooks_2", "git-hooks": "git-hooks_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -413,7 +451,7 @@
"nixpkgs" "nixpkgs"
], ],
"nuschtosSearch": "nuschtosSearch", "nuschtosSearch": "nuschtosSearch",
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1769049374, "lastModified": 1769049374,
@ -456,6 +494,7 @@
"root": { "root": {
"inputs": { "inputs": {
"comin": "comin", "comin": "comin",
"deploy-rs": "deploy-rs",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"headplane": "headplane", "headplane": "headplane",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
@ -531,6 +570,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
@ -548,6 +602,24 @@
"repo": "treefmt-nix", "repo": "treefmt-nix",
"type": "github" "type": "github"
} }
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -15,6 +15,9 @@
comin.url = "github:nlewo/comin"; comin.url = "github:nlewo/comin";
comin.inputs.nixpkgs.follows = "nixpkgs"; comin.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
nixvim.url = "github:nix-community/nixvim/nixos-25.11"; nixvim.url = "github:nix-community/nixvim/nixos-25.11";
nixvim.inputs.nixpkgs.follows = "nixpkgs"; nixvim.inputs.nixpkgs.follows = "nixpkgs";
@ -116,6 +119,25 @@
pkgs.writeShellScriptBin "pre-commit-run" script pkgs.writeShellScriptBin "pre-commit-run" script
); );
deploy = {
nodes = {
cryodev-main = {
hostname = constants.domain;
sshUser = "root";
sshOpts = [
"-p"
"2299"
"-o"
"StrictHostKeyChecking=accept-new"
];
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
};
};
};
};
checks = forAllSystems ( checks = forAllSystems (
system: system:
let let
@ -125,6 +147,7 @@
inherit system; inherit system;
overlays = [ self.overlays.modifications ]; overlays = [ self.overlays.modifications ];
}; };
deployChecks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
in in
{ {
pre-commit-check = inputs.git-hooks.lib.${system}.run { pre-commit-check = inputs.git-hooks.lib.${system}.run {
@ -138,6 +161,7 @@
# package = overlaidPkgs.package; # package = overlaidPkgs.package;
}; };
} }
// deployChecks
); );
}; };
} }
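Review bot: The `deploy.nodes.cryodev-main` block depends on two settings made in other files of this same change — root key-only login (`PermitRootLogin = "prohibit-password"`) and `users.users.root.openssh.authorizedKeys.keyFiles = [ ../deploy-key.pub ]` — but nothing here records that coupling; a comment such as `# needs root key login on the target: see the openssh module and deploy-key.pub` above `sshUser = "root";` would keep it visible to the next editor. The `"StrictHostKeyChecking=accept-new"` entry in `sshOpts` only verifies the host if known_hosts is already pinned; on a fresh runner the first connection accepts whatever key is presented. `path` hard-codes `inputs.deploy-rs.lib.x86_64-linux` while `checks` is evaluated with `forAllSystems`; that is reasonable for a fixed target, but a one-line comment naming the target architecture would make the asymmetry intentional. The enclosing `outputs` attribute set starts and ends outside this hunk.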


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy


@ -1,24 +0,0 @@
{
config,
pkgs,
outputs,
constants,
...
}:
{
imports = [
outputs.nixosModules.comin
];
services.comin = {
enable = true;
remotes = [
{
name = "origin";
url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
branches.main.name = "main";
}
];
};
}


@ -1,15 +1,17 @@
{ {
imports = [ imports = [
./comin.nix # Stufe 1: Services ohne externe Abhaengigkeiten
./forgejo.nix ./forgejo.nix
./forgejo-runner.nix
./headplane.nix
./headscale.nix ./headscale.nix
./mailserver.nix ./mailserver.nix
./netdata.nix ./netdata.nix
./nginx.nix ./nginx.nix
./openssh.nix ./openssh.nix
./sops.nix ./sops.nix
./tailscale.nix
# Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
./tailscale.nix # braucht: tailscale/auth-key (Headscale)
]; ];
} }
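Review bot: The `Stufe 2` comment says these modules are to be activated only once Headscale/Forgejo run and real secrets exist, yet `./forgejo-runner.nix`, `./headplane.nix` and `./tailscale.nix` are still imported unconditionally, so the comment describes an intent the code does not implement. Either gate those three imports on the condition the comment names, or reword the comment to state what the list actually expresses, e.g. `# Stage 2: depends on secrets issued by stage-1 services (forgejo-runner/token, headplane/agent_pre_authkey, tailscale/auth-key)`. The new comments are also in German while the other comments in this change (`# Root SSH key for deploy-rs ...`) are in English; one language across the tree would be easier to maintain.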


@ -9,4 +9,9 @@
]; ];
services.openssh.enable = true; services.openssh.enable = true;
# Root SSH key for deploy-rs (key-only, no password)
users.users.root.openssh.authorizedKeys.keyFiles = [
../deploy-key.pub
];
} }
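Review bot: The added `authorizedKeys.keyFiles` entry gives the holder of the deploy key unrestricted root on this host, and the comment only says "key-only, no password". Since deploy-rs always connects from a known runner, the key line in `deploy-key.pub` can carry a `from=` option restricting the source address, which limits what a leaked private key is worth. The comment should also record where the private half lives (the `DEPLOY_SSH_KEY` CI secret) and that rotating it means replacing both, e.g. `# Root SSH key for deploy-rs (key-only, no password); private half is the DEPLOY_SSH_KEY CI secret - rotate both together`. The enclosing attribute set starts outside this hunk.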


@ -16,7 +16,7 @@
remotes = [ remotes = [
{ {
name = "origin"; name = "origin";
url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git"; url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
branches.main.name = "main"; branches.main.name = "main";
} }
]; ];


@ -49,6 +49,7 @@ in
nix nix
nodejs nodejs
openssh openssh
deploy-rs
]; ];
settings = { settings = {
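Review bot: The `deploy-rs` added to this package list is the nixpkgs build of the tool, while the workflow runs `nix run github:serokell/deploy-rs` and the flake now locks `inputs.deploy-rs`, so up to three different revisions of deploy-rs are in play. If this list is the runner's PATH (it appears to be the forgejo-runner package set, but the enclosing expression starts outside the hunk), the workflow step can drop the `nix run github:...` prefix and call `deploy -s .#cryodev-main` directly; otherwise this addition is unused and should be removed. A short comment such as `# used by the deploy workflow` next to the entry would state which of the two is intended.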


@ -9,7 +9,7 @@ in
ports = mkDefault [ 2299 ]; ports = mkDefault [ 2299 ];
openFirewall = mkDefault true; openFirewall = mkDefault true;
settings = { settings = {
PermitRootLogin = mkDefault "no"; PermitRootLogin = mkDefault "prohibit-password";
PasswordAuthentication = mkDefault false; PasswordAuthentication = mkDefault false;
}; };
}; };
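Review bot: Changing `PermitRootLogin` from `"no"` to `"prohibit-password"` here widens the default for every host that imports this module (the `mkDefault` wrappers suggest it is shared), while only the deploy-rs target needs root key login. Keeping the module at `"no"` and setting `services.openssh.settings.PermitRootLogin = "prohibit-password";` beside the `authorizedKeys.keyFiles` entry in the target host's openssh file keeps the relaxation next to the key that requires it. If the module is in fact imported by a single host, a comment stating why root login is allowed (`# root key login required by deploy-rs`) is still worth adding. The enclosing attribute set starts outside this hunk.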