Fix Deploy workflow

.gitea/workflows/deploy.yml

@@ -0,0 +1,67 @@
+name: Deploy
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+    branches: ["main"]
+
+jobs:
+  deploy:
+    runs-on: nix
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    env:
+      NIXPKGS_ALLOW_UNFREE: "1"
+    steps:
+      - name: Checkout
+        run: git clone https://git.cyperpunk.de/DerGrumpf/cyper-nix.git .
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          echo "StrictHostKeyChecking no" >> ~/.ssh/config
+          ssh-keyscan -H 192.168.2.2 192.168.2.40 192.168.2.30 192.168.2.31 localhost >> ~/.ssh/known_hosts
+          ssh-keyscan -H proxy.cyperpunk.de >> ~/.ssh/known_hosts
+
+      - name: Deploy cyper-controller
+        continue-on-error: true
+        run: |
+          nixos-rebuild switch --flake .#cyper-controller \
+            --target-host phil@192.168.2.2 \
+            --build-host localhost \
+            --elevate=sudo
+
+      - name: Deploy cyper-desktop
+        continue-on-error: true
+        run: |
+          nixos-rebuild switch --flake .#cyper-desktop \
+            --target-host phil@192.168.2.40 \
+            --build-host localhost \
+            --elevate=sudo
+
+      - name: Deploy cyper-proxy
+        continue-on-error: true
+        run: |
+          nixos-rebuild switch --flake .#cyper-proxy \
+            --target-host phil@proxy.cyperpunk.de \
+            --build-host localhost \
+            --elevate=sudo
+
+      - name: Deploy cyper-node-1
+        continue-on-error: true
+        run: |
+          nixos-rebuild switch --flake .#cyper-node-1 \
+            --target-host phil@192.168.2.30 \
+            --build-host localhost \
+            --elevate=sudo
+
+      - name: Deploy cyper-node-2
+        continue-on-error: true
+        run: |
+          nixos-rebuild switch --flake .#cyper-node-2 \
+            --target-host phil@192.168.2.31 \
+            --build-host localhost \
+            --elevate=sudo

.gitea/workflows/release.yml

@@ -1,7 +1,7 @@
 name: Release ISOs
 
 on:
-  workflow_run:
+  workflow_dispatch:
     workflows: ["CI"]
     types:
       - completed
@@ -10,7 +10,6 @@ on:
 jobs:
   build-isos:
     runs-on: nix
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     env:
       NIXPKGS_ALLOW_UNFREE: "1"
     steps:
@@ -39,7 +38,7 @@ jobs:
           RELEASE_ID=$(echo $RELEASE | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
 
           for result in result-desktop result-controller result-proxy result-node-1 result-node-2; do
-            iso=$(find $result -name "*.iso" | head -1)
+            iso=$(find $result/iso -name "*.iso" | head -1)
             curl -s -X POST \
               -H "Authorization: token ${{ secrets.CI_TOKEN }}" \
               -F "attachment=@${iso};filename=${result}.iso" \

nixos/default.nix

@@ -22,6 +22,11 @@
     ./catppuccin.nix
   ];
 
+  sops.secrets."nix_cache_priv_key" = {
+
+    mode = "0400";
+  };
+
   nix = {
     settings = {
       trusted-users = [
@@ -42,11 +47,13 @@
         "https://nix-community.cachix.org"
         "https://cyper-cache.cachix.org"
       ];
+      secret-key-files = [ config.sops.secrets."nix_cache_priv_key".path ];
       trusted-public-keys = [
         "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
         "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
         "cyper-cache.cachix.org-1:pOpeWFEjGHg9XvqRg+DQpYnGRQNp+z+QEF8Ev2mbSoM="
+        "cyper-nix:+YuG586UwrtNkXeGiivcr5GTCbZK70ILU2YqOxUoIWw="
       ];
       auto-optimise-store = true;
     };

nixos/roles/gitea.nix

@@ -221,7 +221,15 @@ in
         nodejs
         wget
         nix
+        openssh
+        nixos-rebuild
       ];
+
+      settings = {
+        runner.env_vars = {
+          PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
+        };
+      };
     };
   };
 

nixos/roles/nginx.nix

@@ -64,7 +64,7 @@ in
       # controller services (proxied to upstream tailscale node)
       "git.cyperpunk.de" = (mkProxy 9000) // {
         extraConfig = ''
-          client_max_body_size 500m;
+          client_max_body_size 8192m;
         '';
       };
       "search.cyperpunk.de" = mkProxy 11080;

nixos/ssh.nix

@@ -10,8 +10,14 @@
   };
   users.users.${primaryUser}.openssh.authorizedKeys.keyFiles = [ ../secrets/ssh-key ];
   programs.ssh.startAgent = true;
-  security.doas = {
-    enable = true;
-    wheelNeedsPassword = false;
+  security = {
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+    doas = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
   };
 }

secrets/secrets.yaml

@@ -33,6 +33,7 @@ gitea:
     runnerToken: ENC[AES256_GCM,data:giY3e3oHqWytgIWfnuKxOfrp8R+u7I0lMzEGnLWXnZWL9aQkVsM1kiF1FNKn/A==,iv:YsQrAKU8pncPeSSosOFn9BjU676KCh956FGC2hnCuac=,tag:+eZ1y6P/85XNPD9gVVNMgA==,type:str]
 ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
 ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
+nix_cache_priv_key: ENC[AES256_GCM,data:FbRHM4n7BDMDgZYtTOdpS0SQx80afxMC3uw6PtdKb1zcAjyQRYwJe0esTDLklLDh8Kx6dgZOJbrf2sYIzF5xVv09U1Uz0C1UnF4M6yhbg+Nqg0HfVj55L3Z6ulrxNlgq7gY=,iv:F9DZUsyzZocKoB0yByeBcrCw9Ytcp+Xk6y8+ZH4OV7k=,tag:mSf1zVciPkifzr3kVFAt0g==,type:str]
 sops:
     age:
         - enc: |
@@ -44,7 +45,7 @@ sops:
             6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
             -----END AGE ENCRYPTED FILE-----
           recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
-    lastmodified: "2026-06-22T18:17:22Z"
-    mac: ENC[AES256_GCM,data:nIGjfBCia9y1+f0dE6TRK6pBLo3B+vqmK88t5xrCY9j+SIzPvCc2Iv6h8AXSfunvIZpxODhn+PmX2FBwa9TtNVePi/Iywu43fRGHz67gSVYTyTBoLRAxqW/7hEvRMXu0ECUfAPzQCq3rd4iWjMXyIYU/FsX9g4NlIno0zcCV5cs=,iv:M4FBoxzojH01hScrRoET3AwmG3qevhkxiET+W94drh0=,tag:rHf7wbkp64FKybjZL0EDDQ==,type:str]
+    lastmodified: "2026-06-23T07:50:18Z"
+    mac: ENC[AES256_GCM,data:KlPMGQNnGdXGfUhuGviQ/lvDBOfjy9IiTFhLaJEwafJfAQmyYe+VclRV2kKK1A98rvZqhey/pvXyrpU1FQNbrvTVCgPMKiX8ggSmF62Ocz2ljj/tQqQhyZbtPM229k69FXdoDFjl0vg9T8nrYtNh+S8Xy17yw5CA1gI7GYILCF0=,iv:Km4NRYjTsZO3NYoWCUdQrmeXUPdbN+cI4CqJFkH70ww=,tag:TTCA8X2jAO1x20NILNyngg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.13.1