Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 DerGrumpf
|
ecfccf757e | ||
|
DerGrumpf
|
46c32ada33 | ||
|
DerGrumpf
|
fd6e4e37e1 | ||
|
DerGrumpf
|
cf0364d37e | ||
|
DerGrumpf
|
fc4fba565d | ||
|
DerGrumpf
|
b4ee759957 | ||
|
DerGrumpf
|
b2d1876d7e | ||
|
DerGrumpf
|
72235282af | ||
|
DerGrumpf
|
065567d44a | ||
|
DerGrumpf
|
811546a64c | ||
|
DerGrumpf
|
8e6df3bc7b | ||
|
DerGrumpf
|
1d2ac46eea |
@@ -0,0 +1,59 @@
|
|||||||
|
name: Deploy
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_run:
|
||||||
|
workflows: ["CI"]
|
||||||
|
types:
|
||||||
|
- completed
|
||||||
|
branches: ["main"]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
deploy:
|
||||||
|
runs-on: nix
|
||||||
|
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
||||||
|
env:
|
||||||
|
NIXPKGS_ALLOW_UNFREE: "1"
|
||||||
|
HOME: /var/lib/gitea-runner
|
||||||
|
NIX_SSHOPTS: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /var/lib/gitea-runner/.ssh/id_ed25519"
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
run: git clone https://git.cyperpunk.de/DerGrumpf/cyper-nix.git .
|
||||||
|
|
||||||
|
- name: Setup SSH key
|
||||||
|
run: |
|
||||||
|
mkdir -p ~/.ssh
|
||||||
|
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
|
||||||
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
- name: Deploy cyper-controller
|
||||||
|
run: |
|
||||||
|
nixos-rebuild switch --flake .#cyper-controller \
|
||||||
|
--target-host phil@192.168.2.2 \
|
||||||
|
--elevate=sudo
|
||||||
|
|
||||||
|
- name: Deploy cyper-desktop
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
nixos-rebuild switch --flake .#cyper-desktop \
|
||||||
|
--target-host phil@192.168.2.40 \
|
||||||
|
--elevate=sudo
|
||||||
|
|
||||||
|
- name: Deploy cyper-proxy
|
||||||
|
run: |
|
||||||
|
nixos-rebuild switch --flake .#cyper-proxy \
|
||||||
|
--target-host phil@proxy.cyperpunk.de \
|
||||||
|
--elevate=sudo
|
||||||
|
|
||||||
|
- name: Deploy cyper-node-1
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
nixos-rebuild switch --flake .#cyper-node-1 \
|
||||||
|
--target-host phil@192.168.2.30 \
|
||||||
|
--elevate=sudo
|
||||||
|
|
||||||
|
- name: Deploy cyper-node-2
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
nixos-rebuild switch --flake .#cyper-node-2 \
|
||||||
|
--target-host phil@192.168.2.31 \
|
||||||
|
--elevate=sudo
|
||||||
@@ -38,7 +38,7 @@ jobs:
|
|||||||
RELEASE_ID=$(echo $RELEASE | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
|
RELEASE_ID=$(echo $RELEASE | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
|
||||||
|
|
||||||
for result in result-desktop result-controller result-proxy result-node-1 result-node-2; do
|
for result in result-desktop result-controller result-proxy result-node-1 result-node-2; do
|
||||||
iso=$(readlink -f $(find $result -name "*.iso" | head -1))
|
iso=$(find $result/iso -name "*.iso" | head -1)
|
||||||
curl -s -X POST \
|
curl -s -X POST \
|
||||||
-H "Authorization: token ${{ secrets.CI_TOKEN }}" \
|
-H "Authorization: token ${{ secrets.CI_TOKEN }}" \
|
||||||
-F "attachment=@${iso};filename=${result}.iso" \
|
-F "attachment=@${iso};filename=${result}.iso" \
|
||||||
|
|||||||
@@ -38,6 +38,7 @@
|
|||||||
nix-index
|
nix-index
|
||||||
ncdu
|
ncdu
|
||||||
tty-solitaire
|
tty-solitaire
|
||||||
|
cowsay
|
||||||
]
|
]
|
||||||
++ lib.optionals (!pkgs.stdenv.isDarwin) [
|
++ lib.optionals (!pkgs.stdenv.isDarwin) [
|
||||||
# dev tools
|
# dev tools
|
||||||
|
|||||||
@@ -22,6 +22,11 @@
|
|||||||
./catppuccin.nix
|
./catppuccin.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops.secrets."nix_cache_priv_key" = {
|
||||||
|
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
settings = {
|
settings = {
|
||||||
trusted-users = [
|
trusted-users = [
|
||||||
@@ -42,11 +47,13 @@
|
|||||||
"https://nix-community.cachix.org"
|
"https://nix-community.cachix.org"
|
||||||
"https://cyper-cache.cachix.org"
|
"https://cyper-cache.cachix.org"
|
||||||
];
|
];
|
||||||
|
secret-key-files = [ config.sops.secrets."nix_cache_priv_key".path ];
|
||||||
trusted-public-keys = [
|
trusted-public-keys = [
|
||||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||||
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
|
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||||
"cyper-cache.cachix.org-1:pOpeWFEjGHg9XvqRg+DQpYnGRQNp+z+QEF8Ev2mbSoM="
|
"cyper-cache.cachix.org-1:pOpeWFEjGHg9XvqRg+DQpYnGRQNp+z+QEF8Ev2mbSoM="
|
||||||
|
"cyper-nix:+YuG586UwrtNkXeGiivcr5GTCbZK70ILU2YqOxUoIWw="
|
||||||
];
|
];
|
||||||
auto-optimise-store = true;
|
auto-optimise-store = true;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -221,7 +221,15 @@ in
|
|||||||
nodejs
|
nodejs
|
||||||
wget
|
wget
|
||||||
nix
|
nix
|
||||||
|
openssh
|
||||||
|
nixos-rebuild
|
||||||
];
|
];
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
runner.env_vars = {
|
||||||
|
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -64,7 +64,7 @@ in
|
|||||||
# controller services (proxied to upstream tailscale node)
|
# controller services (proxied to upstream tailscale node)
|
||||||
"git.cyperpunk.de" = (mkProxy 9000) // {
|
"git.cyperpunk.de" = (mkProxy 9000) // {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 500m;
|
client_max_body_size 8192m;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"search.cyperpunk.de" = mkProxy 11080;
|
"search.cyperpunk.de" = mkProxy 11080;
|
||||||
|
|||||||
+9
-3
@@ -10,8 +10,14 @@
|
|||||||
};
|
};
|
||||||
users.users.${primaryUser}.openssh.authorizedKeys.keyFiles = [ ../secrets/ssh-key ];
|
users.users.${primaryUser}.openssh.authorizedKeys.keyFiles = [ ../secrets/ssh-key ];
|
||||||
programs.ssh.startAgent = true;
|
programs.ssh.startAgent = true;
|
||||||
security.doas = {
|
security = {
|
||||||
enable = true;
|
sudo = {
|
||||||
wheelNeedsPassword = false;
|
enable = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
|
doas = {
|
||||||
|
enable = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -33,6 +33,7 @@ gitea:
|
|||||||
runnerToken: ENC[AES256_GCM,data:giY3e3oHqWytgIWfnuKxOfrp8R+u7I0lMzEGnLWXnZWL9aQkVsM1kiF1FNKn/A==,iv:YsQrAKU8pncPeSSosOFn9BjU676KCh956FGC2hnCuac=,tag:+eZ1y6P/85XNPD9gVVNMgA==,type:str]
|
runnerToken: ENC[AES256_GCM,data:giY3e3oHqWytgIWfnuKxOfrp8R+u7I0lMzEGnLWXnZWL9aQkVsM1kiF1FNKn/A==,iv:YsQrAKU8pncPeSSosOFn9BjU676KCh956FGC2hnCuac=,tag:+eZ1y6P/85XNPD9gVVNMgA==,type:str]
|
||||||
ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
|
ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
|
||||||
ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
|
ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
|
||||||
|
nix_cache_priv_key: ENC[AES256_GCM,data:FbRHM4n7BDMDgZYtTOdpS0SQx80afxMC3uw6PtdKb1zcAjyQRYwJe0esTDLklLDh8Kx6dgZOJbrf2sYIzF5xVv09U1Uz0C1UnF4M6yhbg+Nqg0HfVj55L3Z6ulrxNlgq7gY=,iv:F9DZUsyzZocKoB0yByeBcrCw9Ytcp+Xk6y8+ZH4OV7k=,tag:mSf1zVciPkifzr3kVFAt0g==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- enc: |
|
- enc: |
|
||||||
@@ -44,7 +45,7 @@ sops:
|
|||||||
6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
|
6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
|
recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
|
||||||
lastmodified: "2026-06-22T18:17:22Z"
|
lastmodified: "2026-06-23T07:50:18Z"
|
||||||
mac: ENC[AES256_GCM,data:nIGjfBCia9y1+f0dE6TRK6pBLo3B+vqmK88t5xrCY9j+SIzPvCc2Iv6h8AXSfunvIZpxODhn+PmX2FBwa9TtNVePi/Iywu43fRGHz67gSVYTyTBoLRAxqW/7hEvRMXu0ECUfAPzQCq3rd4iWjMXyIYU/FsX9g4NlIno0zcCV5cs=,iv:M4FBoxzojH01hScrRoET3AwmG3qevhkxiET+W94drh0=,tag:rHf7wbkp64FKybjZL0EDDQ==,type:str]
|
mac: ENC[AES256_GCM,data:KlPMGQNnGdXGfUhuGviQ/lvDBOfjy9IiTFhLaJEwafJfAQmyYe+VclRV2kKK1A98rvZqhey/pvXyrpU1FQNbrvTVCgPMKiX8ggSmF62Ocz2ljj/tQqQhyZbtPM229k69FXdoDFjl0vg9T8nrYtNh+S8Xy17yw5CA1gI7GYILCF0=,iv:Km4NRYjTsZO3NYoWCUdQrmeXUPdbN+cI4CqJFkH70ww=,tag:TTCA8X2jAO1x20NILNyngg==,type:str]
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.13.1
|
version: 3.13.1
|
||||||
|
|||||||
Reference in New Issue
Block a user