diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index cf3be7e..a31cd96 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -7,7 +7,7 @@ jobs:
 deploy:
 runs-on: nix
 env:
- GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no"
+ GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
 steps:
 - uses: https://github.com/actions/checkout@v4
 with:
@@ -25,12 +25,12 @@ jobs:
 run: |
 eval $(ssh-agent -s)
 ssh-add /run/agenix/ci-deploy-key
- nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=no"
+ nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
 - name: Health check
 run: |
 sleep 10
- ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no root@server-public \
+ ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts root@server-public \
 "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"
 - name: Notify success
@@ -38,7 +38,7 @@ jobs:
 run: |
 TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
 TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
- curl -sf -X POST \
+ curl -sf -o /dev/null -X POST \
 "https://ntfy.sigkill.computer/$TOPIC" \
 -H "Authorization: Bearer $TOKEN" \
 -H "Title: [muffin] Deploy succeeded" \
@@ -51,7 +51,7 @@ jobs:
 run: |
 TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
 TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
- curl -sf -X POST \
+ curl -sf -o /dev/null -X POST \
 "https://ntfy.sigkill.computer/$TOPIC" \
 -H "Authorization: Bearer $TOKEN" \
 -H "Title: [muffin] Deploy FAILED" \
diff --git a/configuration.nix b/configuration.nix
index 0867266..cad6b63 100644
--- a/configuration.nix
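Review bot: The option string `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts` is now spelled out three times in this workflow (here in the job `env`, and twice in the @@ -25 hunk for the deploy-rs `--ssh-opts` and the health-check ssh) plus once more in services/gitea-actions-runner.nix, so the next host-key or path change has four places to miss. Define it once as a job-level env, `SSH_OPTS: "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"`, and reference it from the run steps as `--ssh-opts="$SSH_OPTS"` and `ssh -i /run/agenix/ci-deploy-key $SSH_OPTS root@server-public \`. The job-level `GIT_SSH_COMMAND` also duplicates the value the runner service exports in the same commit; keeping one of the two as the source of truth is enough, presumably the workflow so the repo documents its own host-key policy. The `deploy` job continues outside the hunk.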
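Review bot: With `-s` curl also suppresses its own error messages, so now that the response is sent to `/dev/null` a failed notification (rejected token, ntfy unreachable) makes the step fail with nothing in the log to explain why; `-S` restores the error message while staying quiet on success: `curl -sSf -o /dev/null -X POST \`. The same applies to the failure-notification hunk at @@ -51, where a silent failure is even less welcome because it is the step that should tell someone the deploy broke. The `run:` block continues outside the hunk.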
+++ b/configuration.nix
@@ -79,6 +79,14 @@
 networking.hosts."192.168.1.50" = [ "server-public" ];
 networking.hosts."192.168.1.223" = [ "desktop" ];
+ # SSH known_hosts for CI runner (pinned host keys)
+ environment.etc."ci-known-hosts".text = ''
+ server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+ 192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+ git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+ git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+ '';
+
 services.kmscon.enable = true;
 systemd.targets = {
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 18d28cd..2effde8 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -140,8 +140,8 @@
 git-crypt-key-dotfiles = {
 file = ../secrets/git-crypt-key-dotfiles.age;
 mode = "0400";
- owner = "gitea-runner";
- group = "gitea-runner";
+ owner = "root";
+ group = "root";
 };
 # Git-crypt symmetric key for server-config repo
diff --git a/services/gitea-actions-runner.nix b/services/gitea-actions-runner.nix
index 686063a..748d47b 100644
--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@@ -41,6 +41,6 @@
 User = "gitea-runner";
 Group = "gitea-runner";
 };
- environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no";
+ environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts";
 };
 }
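Review bot: NixOS has a first-class way to pin host keys, `programs.ssh.knownHosts`, which writes /etc/ssh/ssh_known_hosts — the file ssh consults by default as GlobalKnownHostsFile — so the `-o UserKnownHostsFile=/etc/ci-known-hosts` this commit adds in four places could be dropped while keeping `StrictHostKeyChecking=yes`. It also states directly that the four entries are one host (the same ed25519 key under three names and an IP), which the hand-written file leaves the reader to notice; if the `environment.etc` form stays, a comment such as `# all four entries are the same host key; rotate them together` above it would help when the key changes. Whether the runner's jobs reach any other host over ssh is not visible here; any such host now needs an entry too, since the strict setting rejects unknown keys.
```nix
  # Pinned host key for the deploy target; ssh reads /etc/ssh/ssh_known_hosts by default
  programs.ssh.knownHosts."server-public" = {
    hostNames = [ "server-public" "192.168.1.50" "git.sigkill.computer" "git.gardling.com" ];
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu";
  };
```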
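Review bot: Changing the owner and group of `git-crypt-key-dotfiles` to root with `mode = "0400"` means the gitea-runner user can no longer read /run/agenix/git-crypt-key-dotfiles, and nothing in this commit removes a consumer, so any workflow that still unlocks the dotfiles repo with it will now fail with a permission error at run time rather than at evaluation. If the intent is that CI must no longer be able to unlock that repo, a comment on the entry would record it, e.g. `# root-only: the CI runner must not be able to unlock the dotfiles repo`; if a job still needs it, the ownership change should be reverted or that job reworked. The neighbouring server-config key entry starts outside the hunk, so whether it was given the same treatment is not visible here.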
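Review bot: This `environment.GIT_SSH_COMMAND` applies to every job the gitea-runner service runs, not only deploy.yml, so with `StrictHostKeyChecking=yes` any workflow that clones or pushes over ssh to a host missing from /etc/ci-known-hosts (which lists only server-public, its IP, git.sigkill.computer and git.gardling.com) will now fail host verification — the right outcome, but worth a comment on this line so the failure mode is discoverable: `# Strict host-key checking for all runner jobs; add hosts to /etc/ci-known-hosts in configuration.nix`. The value also duplicates the job-level `env` in deploy.yml from the same commit; one of the two should be the source of truth so they cannot drift. The enclosing service definition starts outside the hunk.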