Add deployment ssh key to all VMs

.github/workflows/ci.yml

@@ -25,11 +25,22 @@ jobs:
           attic use "$CACHE_REPOSITORY"
       - name: Run Builds and Checks
         run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
-      - name: Deploy Docs
+  deploy:
-        if: success() && github.ref == 'refs/heads/main'
+    needs: build
-        run: |
+    if: success() && github.ref == 'refs/heads/54-deploy-vms-automatically'
-          mkdir ~/.ssh/
+    runs-on: nix
-          echo -e "Host lindberg-webapps.backplane.net.qo.is\n    StrictHostKeyChecking no" >> ~/.ssh/config
+    env:
-          (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
+      SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
-          deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+    strategy:
-          # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
+      matrix:
+        profile:
+          - docs-ops.qo.is
+          - system-vm
+    steps:
+      - name: Initialize CI
+        uses: https://git.qo.is/qo.is/actions-nix-init@main
+        with:
+          token: ${{ secrets.CI_TOKEN }}
+          lfs: false
+      - name: "Deploy profile"
+        run: "auto-deploy ${{ matrix.profile }}"

nixos-modules/system/virtual-machine.nix

@@ -13,6 +13,10 @@ with lib;
 
   config = lib.mkIf cfg.enable {
 
+    users.users.root.openssh.authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS65v7n5ozOUjYGuO/dgLC9C5MUGL5kTnQnvWAYP5B3 ci@git.qo.is"
+    ]; # TODO: Move this key to allow CI deployment for all machines.
+
     boot.loader.grub.enable = true;
 
     system.autoUpgrade.allowReboot = true;

packages/auto-deploy/script.bash

@@ -3,12 +3,28 @@
 #### Environment
 FLAKE_ROOT="$(git rev-parse --show-toplevel)"
 
-export PROFILE="${1:-''}"
+export PROFILE="${1:-}"
 if [ -z "${PROFILE}" ]; then
   echo "🛑 Error: No deployment profile was specified as first parameter (e.g. \"${0} system-vm\")" 1>&2
   exit 1
 fi
 
+if [ -z "${SSH_DEPLOY_KEY:-}" ]; then
+  echo "ℹ️ Info: SSH_DEPLOY_KEY env variable was not set, ignoring."
+  SSH_KEY_FILE_ARG=""
+else
+  TEMP_KEY_FILE=$(mktemp /dev/shm/ssh_deploy_key.XXXXXXXX)
+  touch "${TEMP_KEY_FILE}" && chmod 600 "${TEMP_KEY_FILE}"
+  printf "%s\n" "${SSH_DEPLOY_KEY}" >"${TEMP_KEY_FILE}"
+  SSH_KEY_FILE_ARG="-i ${TEMP_KEY_FILE}"
+
+  # Set up a trap to remove the temporary key file on script exit
+  trap 'rm -f "${TEMP_KEY_FILE}"' EXIT
+  trap 'rm -f "${TEMP_KEY_FILE}"' SIGINT
+  trap 'rm -f "${TEMP_KEY_FILE}"' SIGTERM
+  trap 'rm -f "${TEMP_KEY_FILE}"' SIGQUIT
+fi
+
 HOSTS=$(nix eval --raw "${FLAKE_ROOT}"#deploy.nodes --apply "
    nodes: let
      inherit (builtins) attrNames filter concatStringsSep;
@@ -31,7 +47,7 @@ retry() {
   local -i attempt_num=1
   until "$@"; do
     if ((attempt_num == max_attempts)); then
-      echo "⚠️ Warning: Attempt $attempt_num failed and there are no more attempts left!"
+      echo "🛑 Error: Attempt $attempt_num failed and there are no more attempts left!" 1>&2
       return 1
     else
       echo "⚠️ Attempt $attempt_num failed! Trying again in $attempt_num seconds..."
@@ -44,6 +60,6 @@ retry() {
 for HOST in $HOSTS; do
   retry 3 deploy \
     --skip-checks \
-    --ssh-opts "-o UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \
+    --ssh-opts "-o UserKnownHostsFile=${KNOWN_HOSTS_FILE} ${SSH_KEY_FILE_ARG:-}" \
     --targets "${FLAKE_ROOT}#\"${HOST}\".\"${PROFILE}\""
 done