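---
# Builds the `muffin` NixOS configuration from this flake on every push to
# main, pushes it to the host with deploy-rs, checks that the expected services
# came back up, and reports the outcome to ntfy.
#
# Everything secret is read from the runner's filesystem, not from workflow
# secrets (presumably provisioned there by agenix — verify on the runner):
#   /run/agenix/ci-deploy-key                SSH private key used for SSH/deploy
#   /run/agenix/git-crypt-key-server-config  git-crypt key for this repository
#   /run/agenix/ntfy-alerts-topic            ntfy topic name
#   /run/agenix/ntfy-alerts-token            ntfy bearer token
#   /etc/ci-known-hosts                      pinned host keys for the target
name: Build and Deploy

# yamllint disable-line rule:truthy -- `on` is the trigger key, not a boolean
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: nix  # runner label; the job needs `nix`, `git-crypt`, `ssh`, `curl`
    env:
      # Any git-over-SSH fetch in this job (presumably flake inputs) uses the
      # CI deploy key and only trusts hosts pinned in /etc/ci-known-hosts;
      # StrictHostKeyChecking=yes never auto-accepts an unknown host key.
      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
    steps:
      # Absolute action reference, so the runner resolves it from github.com.
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0  # full history, not a shallow clone

      - name: Unlock git-crypt
        run: |
          git-crypt unlock /run/agenix/git-crypt-key-server-config

      - name: Build NixOS configuration
        run: |
          nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L

      - name: Deploy via deploy-rs
        run: |
          # Start a step-local agent and tear it down when the step exits, so
          # the deploy key is not left loaded in a stray agent process on the
          # runner (ssh-agent daemonises and would otherwise outlive the job).
          eval $(ssh-agent -s)
          trap 'ssh-agent -k >/dev/null 2>&1' EXIT
          ssh-add /run/agenix/ci-deploy-key
          # --skip-checks: the toplevel was already evaluated and built above.
          # The same pinned known-hosts file is passed through to deploy-rs.
          nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"

      - name: Health check
        run: |
          # Fixed grace period for the activated services to settle; a non-zero
          # exit from any `is-active` fails the step and triggers the failure
          # notification below.
          sleep 10
          ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts root@server-public \
            "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"

      - name: Notify success
        if: success()
        run: |
          # Strip trailing newlines/whitespace from the secret files before
          # they are interpolated into the URL and header.
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy succeeded" \
            -H "Priority: default" \
            -H "Tags: white_check_mark" \
            -d "server-config deployed from commit ${GITHUB_SHA::8}"

      - name: Notify failure
        if: failure()
        run: |
          # Best effort: missing secret files and a failed POST are both
          # tolerated (`2>/dev/null`, `|| true`) so that a notification problem
          # never hides the original deploy failure.
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy FAILED" \
            -H "Priority: urgent" \
            -H "Tags: rotating_light" \
            -d "server-config deploy failed at commit ${GITHUB_SHA::8}" || true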