nixos/.gitea/workflows/deploy.yml
Simon Gardling b21bb3b33b
deploy guard: expose binary
2026-04-22 07:28:56 -04:00


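name: Build and Deploy

on:
  push:
    branches: [main]

# The runner has capacity=1 so these serialize; order matters for the
# healthcheck (muffin runs last so yarn's pull-update can test against the
# freshly-deployed harmonia if needed).
jobs:
  mreow:
    runs-on: nix
    steps:
      # NOTE(review): "@v4" is a mutable tag; pin to a full commit SHA if the
      # action source is not otherwise trusted to be immutable.
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
      - name: Build mreow
        run: nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
      # Best-effort bookkeeping: a failed gcroot registration must not fail
      # the build, hence continue-on-error.
      - name: Record mreow store path
        continue-on-error: true
        run: |
          install -d /var/lib/nix-deploy
          readlink -f result > /var/lib/nix-deploy/mreow
          nix-store --add-root /var/lib/nix-deploy/mreow-gcroot -r "$(readlink -f result)"

  yarn:
    runs-on: nix
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
      - name: Build yarn
        run: nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
      # Same best-effort bookkeeping as for mreow; the recorded path is what
      # yarn's pull-update reads.
      - name: Record yarn store path for pull-update
        continue-on-error: true
        run: |
          install -d /var/lib/nix-deploy
          readlink -f result > /var/lib/nix-deploy/yarn
          nix-store --add-root /var/lib/nix-deploy/yarn-gcroot -r "$(readlink -f result)"

  muffin:
    runs-on: nix
    env:
      # Host key is pinned via a CI-managed known_hosts file; never fall back
      # to first-use trust for the deploy target.
      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos
      - name: Build muffin
        run: nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L
      - name: Deploy guard preflight
        run: |
          # The gitea runner runs on muffin itself, so the /nix/store path
          # produced by "Build muffin" is already resolvable on the target.
          # SSH to root is still needed so the check can read agenix secrets
          # (e.g. /run/agenix/jellyfin-api-key is mode 0400 root).
          guard=$(readlink -f result)/sw/bin/deploy-guard-check
          ssh -i /run/agenix/ci-deploy-key \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile=/etc/ci-known-hosts \
            root@server-public "$guard"
      - name: Deploy via deploy-rs
        run: |
          eval "$(ssh-agent -s)"
          # Kill the agent when this step exits (success or failure) so the
          # deploy key does not stay loaded in a lingering process on the
          # runner; SSH_AGENT_PID comes from the eval above.
          trap 'ssh-agent -k' EXIT
          ssh-add /run/agenix/ci-deploy-key
          # NOTE(review): the deploy-rs flake ref is unpinned and --skip-checks
          # bypasses its checks; consider pinning to a rev so the tool that
          # gets root on the target is reproducible.
          nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
      - name: Health check
        run: |
          # Give the switched services a moment to start before probing.
          sleep 10
          ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts root@server-public \
            "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"
      - name: Notify success
        if: success()
        run: |
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy succeeded" \
            -H "Priority: default" \
            -H "Tags: white_check_mark" \
            -d "nixos deployed from commit ${GITHUB_SHA::8}"
      # Best-effort: secret reads and the POST are allowed to fail here so a
      # notification problem never masks the original deploy failure.
      - name: Notify failure
        if: failure()
        run: |
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy FAILED" \
            -H "Priority: urgent" \
            -H "Tags: rotating_light" \
            -d "nixos muffin deploy failed at commit ${GITHUB_SHA::8}" || true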