yarn: rely on server for updates

This commit is contained in:
2026-04-14 20:56:35 -04:00
parent 6254f98ca7
commit d2032e517b
6 changed files with 61 additions and 112 deletions


@@ -1,10 +1,10 @@
name: Build and Deploy
name: Build
on:
push:
branches: [main]
jobs:
deploy:
build:
runs-on: nix
steps:
- uses: https://github.com/actions/checkout@v4
@@ -18,22 +18,12 @@ jobs:
- name: Build NixOS configuration (yarn)
run: |
nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
mkdir -p /var/lib/dotfiles-deploy
readlink -f result > /var/lib/dotfiles-deploy/yarn
- name: Build NixOS configuration (mreow)
run: |
nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
- name: Deploy to desktop
run: |
eval $(ssh-agent -s)
ssh-add /run/agenix/ci-deploy-key
if ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@desktop "echo reachable" 2>/dev/null; then
nix run github:serokell/deploy-rs -- .#yarn --ssh-opts="-o StrictHostKeyChecking=no"
echo "Deploy to desktop succeeded"
else
echo "Desktop unreachable - skipping deploy. Build succeeded."
fi
- name: Notify success
if: success()
run: |
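Review bot: The store path is published in place by `readlink -f result > /var/lib/dotfiles-deploy/yarn`, so a host that fetches the deploy endpoint while CI is rewriting the file can read an empty or truncated path; the new pull script treats empty as "skip", but a truncated path would reach `nix-store -r` and fail the unit. Writing to a sibling file and renaming makes the publish atomic: `readlink -f result > /var/lib/dotfiles-deploy/yarn.tmp && mv /var/lib/dotfiles-deploy/yarn.tmp /var/lib/dotfiles-deploy/yarn`. Nothing in this commit shows how `/var/lib/dotfiles-deploy/<host>` becomes the `/deploy/<host>` URL the clients fetch; a one-line comment on this step naming that mapping (presumably Harmonia or a web server alias) would help the next reader. The Notify step continues outside the hunk.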


@@ -4,7 +4,7 @@
NixOS dotfiles for two hosts using Nix flakes + home-manager:
- **mreow** — Framework 13 AMD AI 300 laptop, niri WM, greetd, swaylock
- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, deploy-rs target
- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, pull-based updates from CI
Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-crypt. **Never read or write files in those directories.**
@@ -21,8 +21,10 @@ Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-
nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
# Remote deploy to yarn via deploy-rs
deploy .#yarn
# yarn pulls updates automatically on boot from the binary cache.
# CI builds the yarn closure, records the store path, and Harmonia serves it.
# To manually trigger the pull on yarn:
systemctl start pull-update
# Format all Nix files (uses nixfmt-tree, declared in flake.nix)
nix fmt

flake.lock generated

@@ -106,28 +106,6 @@
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1770019181,
"narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@@ -211,22 +189,6 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1767039857,
@@ -242,7 +204,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1767039857,
@@ -299,7 +261,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
@@ -470,7 +432,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3",
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@@ -551,7 +513,7 @@
"inputs": {
"cachyos-kernel": "cachyos-kernel",
"cachyos-kernel-patches": "cachyos-kernel-patches",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
@@ -581,7 +543,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1776078956,
@@ -708,7 +670,7 @@
"noctalia",
"nixpkgs"
],
"systems": "systems_5",
"systems": "systems_4",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
@@ -727,7 +689,7 @@
},
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
@@ -750,7 +712,6 @@
},
"root": {
"inputs": {
"deploy-rs": "deploy-rs",
"disko": "disko",
"emacs-overlay": "emacs-overlay",
"firefox-addons": "firefox-addons",
@@ -837,21 +798,6 @@
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -909,24 +855,6 @@
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"xwayland-satellite-stable": {
"flake": false,
"locked": {


@@ -63,12 +63,6 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
jovian-nixos = {
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs";
@@ -101,7 +95,6 @@
lanzaboote,
nixos-hardware,
home-manager,
deploy-rs,
jovian-nixos,
...
}@inputs:
@@ -158,14 +151,5 @@
};
}
) { } hostnames;
# Deploy-rs configuration for yarn host only
deploy.nodes.yarn = {
hostname = "desktop";
profiles.system = {
sshUser = "root";
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.yarn;
};
};
};
}

system/pull-update.nix Normal file

@@ -0,0 +1,44 @@
# Pull-based NixOS updates for hosts that can't be pushed to reliably.
# CI builds the system closure on muffin (which Harmonia serves), then
# records the output store path at /deploy/<hostname>. On boot this
# service fetches that path, pulls the closure from the binary cache,
# and activates it.
{ pkgs, hostname, ... }:
let
deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
pull-update = pkgs.writeShellScript "pull-update" ''
set -euo pipefail
STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
if [ -z "$STORE_PATH" ]; then
echo "Server unreachable or no deployment available, skipping"
exit 0
fi
CURRENT=$(readlink -f /nix/var/nix/profiles/system)
if [ "$CURRENT" = "$STORE_PATH" ]; then
echo "Already on latest configuration"
exit 0
fi
echo "Pulling update: $CURRENT -> $STORE_PATH"
nix-store -r "$STORE_PATH"
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"
"$STORE_PATH/bin/switch-to-configuration" switch
echo "Update applied"
'';
in
{
systemd.services.pull-update = {
description = "Pull latest NixOS configuration from binary cache";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = pull-update;
};
};
}
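Review bot: The body fetched from the deploy URL is handed straight to `nix-store -r` and then executed as `"$STORE_PATH/bin/switch-to-configuration"` by root, with no check that it is even a store path; the unit should reject anything that does not start with `/nix/store/` before acting on it, and should pass `--max-jobs 0` so that a path the binary cache cannot substitute fails fast instead of falling back to a local build of the closure. Integrity of the pulled closure rests on Nix signature verification, which this file does not show: it assumes the host's `nix.settings` list nix-cache.sigkill.computer as a substituter with its key in `trusted-public-keys` — worth a comment here, and worth confirming. Signatures carry no freshness, so an endpoint that can name any previously signed path can also roll the host back to an older configuration; that is a residual risk of the pull design rather than a bug in this file, but the header comment should say so. The whole module is within the hunk.
```nix
    pull-update = pkgs.writeShellScript "pull-update" ''
      set -euo pipefail
      STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
      if [ -z "$STORE_PATH" ]; then
        echo "Server unreachable or no deployment available, skipping"
        exit 0
      fi
      # The response is untrusted input that is acted on as root:
      # accept only a bare store path.
      case "$STORE_PATH" in
        /nix/store/*) ;;
        *) echo "Refusing unexpected deploy target: $STORE_PATH"; exit 1 ;;
      esac
      # … unchanged: compare against the current system profile …
      # Substitute only; never build the closure locally on the target.
      nix-store -r --max-jobs 0 "$STORE_PATH"
      # … unchanged: set profile and switch-to-configuration …
    '';
```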


@@ -11,6 +11,7 @@
./disk_yarn.nix
./common.nix
./impermanence.nix
./pull-update.nix
./no-rgb.nix
./vr.nix