Continuous Deployment of NixOS

NexusSocial · Nov 18, 2024 · 641aa82 · 641aa82
1 parent ed4b8cd
commit 641aa82
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 29 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -49,6 +49,7 @@ jobs:
     name: Nix
     needs: check-inputs
     uses: ./.github/workflows/nix.yaml
+    secrets: inherit
     with:
       deploy: ${{ needs.check-inputs.outputs.is-default-branch == 'true' }}
 

diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml
@@ -5,6 +5,11 @@ on:
       deploy:
         required: true
         type: boolean
+    secrets:
+      SSH_KEY_PRIV:
+        required: true
+      CACHIX_AUTH_TOKEN:
+        required: true
 
 jobs:
   fmt:
@@ -16,21 +21,44 @@ jobs:
     - uses: cachix/cachix-action@v15
       with:
         name: nexus-ci
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
     - run: nix develop -c nixpkgs-fmt --check .
 
   build:
-    name: Build NixOS config
+    name: Build NixOS Machines
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
     - uses: cachix/install-nix-action@v30
     - uses: cachix/cachix-action@v15
       with:
         name: nexus-ci
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - name: Build NixOS machines
+        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    - name: Build Linode
       run: |
         nix build .#nixosConfigurations.servers-us-east-1.config.formats.linode
     - name: Run Flake Checks
       run: nix flake check
+
+  deploy:
+    name: Deploy NixOS Machines
+    if: inputs.deploy
+    needs: [build, fmt]
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v30
+    - uses: cachix/cachix-action@v15
+      with:
+        name: nexus-ci
+        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    - name: Set up ssh-agent
+      uses: webfactory/[email protected]
+      with:
+        ssh-private-key: ${{ secrets.SSH_KEY_PRIV }}
+    - name: Test SSH connection to servers
+      run: ssh -T -o StrictHostKeyChecking=no [email protected]
+    - name: Deploy via deploy-rs
+      run: nix run .#deploy-rs -- .
+
+
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -8,12 +8,12 @@
     nixos-24_05.url = "github:NixOS/nixpkgs/nixos-24.05";
     nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     nixos-generators = {
-      url = "github:nix-community/nixos-generators";
-      inputs.nixpkgs.follows = "nixos-unstable";
+      url = "github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565";
+      inputs.nixpkgs.follows = "nixos-24_05";
     };
     home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixos-unstable";
+      url = "github:nix-community/home-manager/release-24.05";
+      inputs.nixpkgs.follows = "nixos-24_05";
     };
 
     #Darwin

diff --git a/nix/deploy-rs.nix b/nix/deploy-rs.nix
@@ -8,6 +8,9 @@
       };
     };
     sshUser = "admin";
+    sshOpts = [ "-o" "StrictHostKeyChecking=no" ];
+
+
 
     # Timeout for profile activation.
     activationTimeout = 240;

diff --git a/nix/inputs.nix b/nix/inputs.nix
@@ -5,7 +5,7 @@ let
 in
 {
   self = inputs-raw.self;
-  nixpkgs = if isDarwin then inputs-raw.nixpkgs-24_05-darwin else inputs-raw.nixos-unstable;
+  nixpkgs = if isDarwin then inputs-raw.nixpkgs-24_05-darwin else inputs-raw.nixos-24_05;
   nixpkgs-unstable = if isDarwin then inputs-raw.nixpkgs-unstable else inputs-raw.nixos-unstable;
   # fenix = if isDarwin then inputs-raw.fenix-darwin else inputs-raw.fenix-linux;
   fenix = inputs-raw.fenix;

diff --git a/nix/nixos/nixosConfigurations.nix b/nix/nixos/nixosConfigurations.nix
@@ -11,11 +11,11 @@ let
     let
       inherit (s.${system}) pkgs inputs;
     in
-    inputs.nixpkgs-unstable.lib.nixosSystem
+    inputs.nixpkgs.lib.nixosSystem
       rec {
         inherit system;
         specialArgs = {
-          inherit inputs hostname username pkgs; modulesPath = "${inputs.nixpkgs-unstable}/nixos/modules";
+          inherit inputs hostname username pkgs; modulesPath = "${inputs.nixpkgs}/nixos/modules";
         };
         modules = [
           # See https://github.com/nix-community/nixos-generators/blob/06ffce1a/README.md#using-as-a-nixos-module
@@ -24,7 +24,7 @@ let
 
             formatConfigs.linode = { config, ... }: {
               # set disk size to to 20G
-              virtualisation.diskSize = 1 * 1024;
+              # virtualisation.diskSize = 1 * 1024;
             };
 
 

diff --git a/nix/nixos/servers-us-east-1/configuration.nix b/nix/nixos/servers-us-east-1/configuration.nix
@@ -26,7 +26,7 @@
 
   networking = {
     usePredictableInterfaceNames = false;
-    useDHCP = false; # Disable DHCP globally as we will not need it.
+    useDHCP = lib.mkForce false; # Disable DHCP globally as we will not need it.
     # required for ssh?
     interfaces.eth0.useDHCP = true;
   };
@@ -51,20 +51,19 @@
       flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
     in
     {
+      package = pkgs.nix;
       settings = {
         # Enable flakes and new 'nix' command
         experimental-features = "nix-command flakes";
-        # Opinionated: disable global registry
-        flake-registry = "";
-        # Workaround for https://github.com/NixOS/nix/issues/9574
-        nix-path = config.nix.nixPath;
+        trusted-users = [
+          "root"
+          "@admin"
+          username
+        ];
       };
+      nixPath = lib.mkForce [ "nixpkgs=flake:nixpkgs" ];
       # Opinionated: disable channels
       channel.enable = false;
-
-      # Opinionated: make flake registry and nix path match flake inputs
-      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
-      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
     };
 
   networking.hostName = hostname;