phase 4: unified CI workflow, deploy.sh wrapper, root AGENTS.md

- .gitea/workflows/deploy.yml: three jobs (mreow, yarn, muffin) sharing a single git-crypt unlock step. muffin job retains the healthcheck + ntfy success/failure notifications from the old server-config pipeline verbatim. - CI writes to /var/lib/nix-deploy/ (renamed from /var/lib/dotfiles-deploy/). The URL path /deploy/<host> is preserved; only the on-disk directory name changes. Harmonia's Caddy root is updated in Phase 6. - deploy.sh: inspects hostname, dispatches to nixos-rebuild for desktops or deploy-rs for muffin. Accepts boot/switch/test/build/muffin. - AGENTS.md: intersected rules from both repos, split into host-agnostic conventions + muffin-specific service pattern. Rewritten layout section reflects the new tree.
2026-04-18 01:07:56 -04:00
parent 3150d29e1a
commit 01de310296
3 changed files with 313 additions and 0 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,102 @@
+name: Build and Deploy
+on:
+  push:
+    branches: [main]
+
+# The runner has capacity=1 so these serialize; order matters for the
+# healthcheck (muffin runs last so yarn's pull-update can test against the
+# freshly-deployed harmonia if needed).
+
+jobs:
+  mreow:
+    runs-on: nix
+    steps:
+      - uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Unlock git-crypt
+        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
+
+      - name: Build mreow
+        run: nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
+
+      - name: Record mreow store path
+        continue-on-error: true
+        run: |
+          install -d /var/lib/nix-deploy
+          readlink -f result > /var/lib/nix-deploy/mreow
+          nix-store --add-root /var/lib/nix-deploy/mreow-gcroot -r "$(readlink -f result)"
+
+  yarn:
+    runs-on: nix
+    steps:
+      - uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Unlock git-crypt
+        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
+
+      - name: Build yarn
+        run: nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
+
+      - name: Record yarn store path for pull-update
+        continue-on-error: true
+        run: |
+          install -d /var/lib/nix-deploy
+          readlink -f result > /var/lib/nix-deploy/yarn
+          nix-store --add-root /var/lib/nix-deploy/yarn-gcroot -r "$(readlink -f result)"
+
+  muffin:
+    runs-on: nix
+    env:
+      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
+    steps:
+      - uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Unlock git-crypt
+        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
+
+      - name: Build muffin
+        run: nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L
+
+      - name: Deploy via deploy-rs
+        run: |
+          eval $(ssh-agent -s)
+          ssh-add /run/agenix/ci-deploy-key
+          nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
+
+      - name: Health check
+        run: |
+          sleep 10
+          ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts root@server-public \
+            "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"
+
+      - name: Notify success
+        if: success()
+        run: |
+          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
+          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
+          curl -sf -o /dev/null -X POST \
+            "https://ntfy.sigkill.computer/$TOPIC" \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "Title: [muffin] Deploy succeeded" \
+            -H "Priority: default" \
+            -H "Tags: white_check_mark" \
+            -d "nixos deployed from commit ${GITHUB_SHA::8}"
+
+      - name: Notify failure
+        if: failure()
+        run: |
+          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
+          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
+          curl -sf -o /dev/null -X POST \
+            "https://ntfy.sigkill.computer/$TOPIC" \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "Title: [muffin] Deploy FAILED" \
+            -H "Priority: urgent" \
+            -H "Tags: rotating_light" \
+            -d "nixos muffin deploy failed at commit ${GITHUB_SHA::8}" || true