Set up automatic deployments from main branch

matrss · Feb 9, 2024 · de8ecfd · de8ecfd
1 parent 319d9ac
commit de8ecfd
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 4 deletions.
diff --git a/.github/workflows/build-flake-outputs.yml b/.github/workflows/build-flake-outputs.yml
@@ -1,10 +1,7 @@
 name: Build flake outputs
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
 
 jobs:
   discover:

diff --git a/.github/workflows/deploy-nixos-systems.yml b/.github/workflows/deploy-nixos-systems.yml
@@ -0,0 +1,41 @@
+name: Deploy NixOS systems
+
+on:
+  workflow_call:
+
+jobs:
+  discover:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v25
+      - id: set-matrix
+        name: Generate matrix
+        run: |
+          matrix=$(
+            nix flake show --refresh --all-systems --json "." |
+              jq '
+                path(.. | select(.type? == "nixos-configuration")) | last | { fqdn: . }
+              ' |
+              jq --slurp --compact-output
+          )
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
+  deploy:
+    name: ${{ matrix.fqdn }}
+    needs: discover
+    runs-on: ubuntu-latest
+    environment: live
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(needs.discover.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Write SSH keys
+        run: |
+          install -m 600 -D /dev/null ~/.ssh/deploy_key
+          echo "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/deploy_key
+          cp ssh_known_hosts ~/.ssh/known_hosts
+      - name: Deploy systems
+        run: ssh root@${{ matrix.fqdn }} system-upgrade
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,15 @@
+name: Build and deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-flake-outputs:
+    uses: ./.github/workflows/build-flake-outputs.yml
+
+  deploy-nixos-systems:
+    needs: build-flake-outputs
+    concurrency: live
+    uses: ./.github/workflows/deploy-nixos-systems.yml
diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml
@@ -0,0 +1,10 @@
+name: Build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build-flake-outputs:
+    uses: ./.github/workflows/build-flake-outputs.yml
diff --git a/profiles/users/root/default.nix b/profiles/users/root/default.nix
@@ -1,5 +1,6 @@
 {
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByQhPnALCgo9Q4FbqYBCSTbMbP6OuSNmgRafdDo6yAx matrss@ipsmin"
+    "command=\"system-upgrade\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC60edKap3Qyp9AX1KJuGpZr72eA4KWSdn1Lg4GRzQfL GitHub Actions deploy"
   ];
 }
diff --git a/ssh_known_hosts b/ssh_known_hosts
@@ -0,0 +1,6 @@
+hazuno.m.0px.xyz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5dZFOeU93I5RiaYl/qsEKrQOFxcGpC9Eu8hiWx3y5uCpeiDrxZtEKY6m1XfqbAA2kfdkEDYAOIT80YA6zdw5Cgi24BWgi98b1aTjUEHRBT6i69Bn4dzQKv/j0mf7v3vGdbfxQHxtdV3nA8vCMoHr3NiYsYUKXTqkh1ZOMNLpNjlnMFDBdH2lYYMk7BYSJd8xs+bL2kyYUi9/POqD2WJqxIApj2t5CyjCrLe/QmMurXtRhCwObKpJeHmFqMk4hfTkcwxjjCSznh8xGuFOaCEYh6SErC1ku2hRyBnYGuaQEP3PqQJu5fiQcoIMvv38TutsMKOyVsJxTqwQszkHmpIPioain5cddjvVDOd/YdtjvBJNLmOX4Yn/1hnRnURbJpXfAjN1Q3dKujhjWZPXLFwa7r/kdCButVDzjHOhlpsAP5QbKFXEtk82KQwAwipmHK9oXsQg8kud01D+/9+WCAkFB0M0gRrlJCLuU6pWVwdA7JEaJSdMBeus/p/qavwuczs8=
+hazuno.m.0px.xyz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHx0xGfsrxFarc6BJSWphMPeEW52epLa78U55SU80oH
+ipsmin.m.0px.xyz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyA/HTyfFja9uQPaBGsyNMPVjmFTzzfBCWaJIaz6usyQLqZmoZZ/MtClDNjUNI/zisJ5bRupquKlzQO9cC6QGlP/zMNk9kcMpIJSoRJZcM9kuKGH36oKN59P4pNWFPjYEqNLhr1+M1wCg02HTUev4WdFR2YeKDJi1H6MLkrLtopWuYm4vkj0exER9O4o318liqNnhBEjAv+e4MGeGCVu7mNAYVHpMcv5UP48xgbnM4t/OwVwvPvKycgdorTIm8V4gVQsSDcwKHrpC70IWMgb4whZ5ln5igxz0ur7of38QfMKC1xEft6LAsKd3wWIt0NYWltAnyPN6rinhHRsQh3uhDurgs80/M9gdxG+xPLEWd8Cd55ztR59P5wXkNtnlub3C/lrKm1FY6DQ32cOaLCMezVXPApcoPBHPqC6SIfPllaGaf7grt3e5pLTYeJ8PV0jFhfLpII2sY1Mj+QTGo92afTj38YLy8lIf9v33TB7lSoGrzfcCLFsRTvYA/j60qCREky3IMTutj1guNT+h8xoegwkRYAORoOEgYYbbLU/jPnzgcPAeCWMZ6+PWTYBNdpJLnQ+xouWielUylE01ilx7Qkj9ZkX120YzKrBbZv9lF6c3Wcpgs/YKiiKQ+rua1Q7HFQMI6+FQlpI3199g3LkJyTJq2ArgXEfkVs5hctZhR8w==
+ipsmin.m.0px.xyz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID53rHRfCLWrXCXsk/BaxjZLt/bN6yRMWRYglNcGZdzl
+nelvte.m.0px.xyz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDn2GDaudjMF2Gxl6y5KwsePsQv1/8rxXhejrrihYH683fd3qmFyBcl0gSvPqEEbfIwrM90H+bFhksTYb/q3xLByXrh0hsWaq3yqAI+ca+z3YCmlOvn/XulW4+cwqe/hjnxIncN94EPOVeiK8ioaorA+R9YThmxdFT0KGoN9pE7TUUJhed+z9oTipLfiUpVmoY63RAtTzmmWwfiu12l7gC7lJ0u1+nMSP5d3C5WVH96MOcCjyB5dRhTKWKeW4gEV/Vmp8qi8KaezohzXq57tPOc72GYI+sSdp/EbDe+09j3Lc0JnNrqTWOen3xm4XOo+/dpQxQTcYMnveKD+Bs6BLSC+Z5lh5Bnp96nbBRvfuq6yZoYDrHqD18dvT3ftrVOqVJe4V/YNd+E62t76YZpvZkbe1JVzTfN5sPY+PLTOVq266ySqdKI+zzPZxkoSjwef5GbSuLQamLiD3FbjMIi8zaHLoyF0T5yjP4KnRoSfusoys+SfH58J4ewPfdmn/0BywbOG7BB4z7aXQhefc5bZSaKK6NqpbNVbQ2t01XIG+uS3i5FQM2Q9ohdqlC3fuV7ZF/E7h/eU4OiLwT6yOKd8tc8b3+i9UwLe7bOcwVueSDfatyuulwBR9tf50ZeXPAyRnAvBAdmskstWDxzJg6MPSkH8+WXBI2c0rIvDRwz23n+Ow==
+nelvte.m.0px.xyz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe/Jz6dVKz0WP0aSkrf22diqCR5bRqysnGm5NnAsOXr