From 1d3201d8e5f385b96094e16424273e46e832bf28 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Sat, 19 Apr 2025 18:11:01 +0300
Subject: [PATCH 1/4] Add SSH_DEPLOY_KEY handling to auto-deploy script
---
 packages/auto-deploy/script.bash | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/packages/auto-deploy/script.bash b/packages/auto-deploy/script.bash
index 66c4520..442eb4c 100644
--- a/packages/auto-deploy/script.bash
+++ b/packages/auto-deploy/script.bash
@@ -3,12 +3,28 @@
 #### Environment
 FLAKE_ROOT="$(git rev-parse --show-toplevel)"
-export PROFILE="${1:-''}"
+export PROFILE="${1:-}"
 if [ -z "${PROFILE}" ]; then
 echo "🛑 Error: No deployment profile was specified as first parameter (e.g. \"${0} system-vm\")" 1>&2
 exit 1
 fi
+if [ -z "${SSH_DEPLOY_KEY:-}" ]; then
+ echo "â„šī¸ Info: SSH_DEPLOY_KEY env variable was not set, ignoring."
+ SSH_KEY_FILE_ARG=""
+else
+ TEMP_KEY_FILE=$(mktemp /dev/shm/ssh_deploy_key.XXXXXXXX)
+ touch "${TEMP_KEY_FILE}" && chmod 600 "${TEMP_KEY_FILE}"
+ printf "%s\n" "${SSH_DEPLOY_KEY}" >"${TEMP_KEY_FILE}"
+ SSH_KEY_FILE_ARG="-i ${TEMP_KEY_FILE}"
+ # Set up a trap to remove the temporary key file on script exit
+ trap 'rm -f "${TEMP_KEY_FILE}"' EXIT
+ trap 'rm -f "${TEMP_KEY_FILE}"' SIGINT
+ trap 'rm -f "${TEMP_KEY_FILE}"' SIGTERM
+ trap 'rm -f "${TEMP_KEY_FILE}"' SIGQUIT
+fi
+
 HOSTS=$(nix eval --raw "${FLAKE_ROOT}"#deploy.nodes --apply "
 nodes:
 let
 inherit (builtins) attrNames filter concatStringsSep;
@@ -31,7 +47,7 @@ retry() {
 local -i attempt_num=1
 until "$@"; do
 if ((attempt_num == max_attempts)); then
- echo "âš ī¸ Warning: Attempt $attempt_num failed and there are no more attempts left!"
+ echo "🛑 Error: Attempt $attempt_num failed and there are no more attempts left!" 1>&2
 return 1
 else
 echo "âš ī¸ Attempt $attempt_num failed! Trying again in $attempt_num seconds..."
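Review bot: The SIGINT/SIGTERM/SIGQUIT traps added in the `else` branch only remove the key file and never exit, and in bash a trapped signal does not terminate the script, so after a Ctrl-C or a runner-issued SIGTERM the script carries on into the deploy loop with `SSH_KEY_FILE_ARG` pointing at a file that no longer exists. Either rely on the `EXIT` trap alone (bash runs it on signal-induced termination as well) or make the signal traps terminate, e.g. replace the three signal lines with `trap 'rm -f "${TEMP_KEY_FILE}"; exit 1' INT TERM QUIT`. The `touch` before `chmod` is redundant, since `mktemp` has already created the file with mode 0600; `chmod 600 "${TEMP_KEY_FILE}"` on its own, or dropping the line, reads clearer. The `Info:` message for an unset key goes to stdout while the other diagnostics use `1>&2`; redirecting it the same way keeps stdout clean for callers.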
@@ -44,6 +60,6 @@ retry() {
 for HOST in $HOSTS; do
 retry 3 deploy \
 --skip-checks \
- --ssh-opts "-o UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \
+ --ssh-opts "-o UserKnownHostsFile=${KNOWN_HOSTS_FILE} ${SSH_KEY_FILE_ARG:-}" \
 --targets "${FLAKE_ROOT}#\"${HOST}\".\"${PROFILE}\""
 done
From 54c4cf23ff9614633f5b5baf852f35cdc7b29563 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Sat, 19 Apr 2025 18:20:30 +0300
Subject: [PATCH 2/4] Update CI pipleline for auto deployment
---
 .github/workflows/ci.yml | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c40fdf4..0d886cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,11 +25,22 @@ jobs:
 attic use "$CACHE_REPOSITORY"
 - name: Run Builds and Checks
 run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
- - name: Deploy Docs
- if: success() && github.ref == 'refs/heads/main'
- run: |
- mkdir ~/.ssh/
- echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
- (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
- deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
- # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
+ deploy:
+ needs: build
+ if: success() && github.ref == 'refs/heads/main'
+ runs-on: nix
+ env:
+ SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
+ strategy:
+ matrix:
+ profile:
+ - docs-ops.qo.is
+ - system-vm
+ steps:
+ - name: Initialize CI
+ uses: https://git.qo.is/qo.is/actions-nix-init@main
+ with:
+ token: ${{ secrets.CI_TOKEN }}
+ lfs: false
+ - name: "Deploy profile"
+ run: "auto-deploy ${{ matrix.profile }}"
From 4f79f48b992dc1a3804499d44af48444755d5776 Mon Sep 17 00:00:00 2001
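Review bot: The `-i` option now spliced into `--ssh-opts` does not stop ssh from first offering identities from the agent and the default key files, so on a runner with other keys present the deploy key may never be tried before the server's authentication-attempt limit is hit; pair it with `-o IdentitiesOnly=yes`. Since the option string is built where `SSH_KEY_FILE_ARG` is assigned earlier in the file, the simplest change is there: `SSH_KEY_FILE_ARG="-i ${TEMP_KEY_FILE} -o IdentitiesOnly=yes"`. Splicing `${SSH_KEY_FILE_ARG:-}` unquoted into the opts string relies on the temp path containing no spaces, which the `/dev/shm/ssh_deploy_key.XXXXXXXX` template guarantees; a short comment on that line, `# SSH_KEY_FILE_ARG is word-split by ssh; the mktemp path has no spaces`, would save the next reader the check.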
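Review bot: `SSH_DEPLOY_KEY` is set in the job-level `env:` of the new `deploy` job, so the secret is also present in the environment of the `Initialize CI` step, which runs the external `actions-nix-init` action and has no use for it; moving the `env:` block under the `Deploy profile` step limits the key to the `auto-deploy` run. The action is referenced by the floating `@main` ref, so a change pushed to that repository would execute in a job holding both `CI_TOKEN` and the deploy key; pinning `uses:` to a specific commit removes that dependency on the other repository's branch state. A one-line comment above `deploy:` explaining why it is a separate job with `needs: build` (the key is only exposed once the build and checks have passed) would also make the intent explicit.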
From: Fabian Hauser
Date: Sat, 19 Apr 2025 18:20:49 +0300
Subject: [PATCH 3/4] TMP: Deploy from deploy-vms-branch
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0d886cc..6b0fe23 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
 deploy:
 needs: build
- if: success() && github.ref == 'refs/heads/main'
+ if: success() && github.ref == 'refs/heads/54-deploy-vms-automatically'
 runs-on: nix
 env:
 SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
From 90026d27346d4699d710f412a8aafa89d6eea079 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Sat, 19 Apr 2025 18:42:34 +0300
Subject: [PATCH 4/4] Add deployment ssh key to all VMs
---
 nixos-modules/system/virtual-machine.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nixos-modules/system/virtual-machine.nix b/nixos-modules/system/virtual-machine.nix
index 5e5a8ae..99e7267 100644
--- a/nixos-modules/system/virtual-machine.nix
+++ b/nixos-modules/system/virtual-machine.nix
@@ -13,6 +13,10 @@ with lib;
 config = lib.mkIf cfg.enable {
+ users.users.root.openssh.authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS65v7n5ozOUjYGuO/dgLC9C5MUGL5kTnQnvWAYP5B3 ci@git.qo.is"
+ ]; # TODO: Move this key to allow CI deployment for all machines.
+
 boot.loader.grub.enable = true;
 system.autoUpgrade.allowReboot = true;
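Review bot: The deploy condition is switched to `refs/heads/54-deploy-vms-automatically`, and the subject marks the commit as `TMP`; if the series lands as is, deploys with the production key run from a feature branch instead of `main`. The commit should be dropped before merge, or the line restored to `if: success() && github.ref == 'refs/heads/main'`. If testing from the branch is needed in the meantime, a comment on the `if:` line naming the tracking issue makes the temporary state visible to anyone reading the workflow.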
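Review bot: `users.users.root.openssh.authorizedKeys` is assigned a list directly, but in NixOS that option is an attribute set whose key list lives under `.keys`, so evaluation should fail with a type error; the line should read `users.users.root.openssh.authorizedKeys.keys = [`. Beyond that, the key grants root login on every VM that enables this module; a dedicated deploy user with only the sudo rule the deploy tool needs would limit what a leaked CI key can do, and `services.openssh.settings.PermitRootLogin` could then be set to `prohibit-password` or `no`. The `# TODO` comment explains where the key should eventually live but not why it is here; a short note such as `# Public key of the CI deploy identity (private half is the SSH_DEPLOY_KEY CI secret)` would make the pairing traceable. The enclosing `config = lib.mkIf cfg.enable {` block continues past the end of the hunk.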