From 5a93bdeb2815f67fbbeb20018474a57ed598f21a Mon Sep 17 00:00:00 2001
From: beatzaplenty
Date: Tue, 12 May 2026 11:53:43 +1000
Subject: [PATCH 1/4] updated authorized keys

---
 modules/nix/cache-server.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/nix/cache-server.nix b/modules/nix/cache-server.nix
index ae4d34c..0ce941c 100644
--- a/modules/nix/cache-server.nix
+++ b/modules/nix/cache-server.nix
@@ -38,7 +38,8 @@
 # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
 #
 # Avoid absolute keyFiles paths here because they break pure flake evaluation.
- openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server" ];
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server",
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" ];
 };
 services.openssh.enable = true;

From 286d7347a181d4ff9ac828dd8ce328fb7ede19b2 Mon Sep 17 00:00:00 2001
From: beatzaplenty
Date: Tue, 12 May 2026 11:55:56 +1000
Subject: [PATCH 2/4] updated authorized keys

---
 modules/nix/cache-server.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nix/cache-server.nix b/modules/nix/cache-server.nix
index 0ce941c..466433a 100644
--- a/modules/nix/cache-server.nix
+++ b/modules/nix/cache-server.nix
@@ -38,7 +38,7 @@
 # openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
 #
 # Avoid absolute keyFiles paths here because they break pure flake evaluation.
- openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server",
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDEA1S2ikpObREgbP5uVBWMxIOGbY8B+Wx7VTZK1m6t root@server"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker" ];
 };
 
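Review bot: The new `root@docker` entry in the second `+` line is a bare key, so the docker host's root user gets an unrestricted login to whichever account this block configures (the `users.users.<name>` header sits above the hunk). If that host only needs to use this machine as a cache or builder, prefix the key with authorized_keys options so a compromise of the docker host does not become a shell here, e.g. `"restrict,from=\"<docker-host-address>\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAYIT9ormlmxZ0SziyDQaUntnKI8HK9/s3Qac1ZKjP2 root@docker"`, adding `command=\"...\"` where a single command suffices. A short comment above the list stating why the docker host needs this access would help the next reader, since the purpose is only inferrable from the key comment and file name. The trailing comma after `root@server",` is not valid Nix list syntax; patch 2/4 in this series already removes it, so nothing further is needed there.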
From 1a4a0c47ef16d2dc8f978faeec077685254cb6e0 Mon Sep 17 00:00:00 2001
From: beatzaplenty
Date: Tue, 12 May 2026 12:07:59 +1000
Subject: [PATCH 3/4] updated docker container monitoring script path

---
 hosts/docker/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/docker/configuration.nix b/hosts/docker/configuration.nix
index e4f0452..91e81a3 100644
--- a/hosts/docker/configuration.nix
+++ b/hosts/docker/configuration.nix
@@ -149,7 +149,7 @@ systemd.timers.update-containers = {
 # Run as root so it can read /etc/secrets and access docker socket
 # User = "root";
 #EnvironmentFile = "-/etc/secrets/docker-health-alert.env";
- ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/gotify/docker-health-to-gotify.sh";
+ ExecStart = "${pkgs.bash}/bin/bash /mnt/docker-persistent-data/docker/monitoring/gotify/docker-health-to-gotify.sh";
 StandardOutput = "journal";
 StandardError = "journal";
 };

From bcccf523bf20b6a44357420f49fa35d6c518404b Mon Sep 17 00:00:00 2001
From: beatz174-bit
Date: Tue, 12 May 2026 12:28:37 +1000
Subject: [PATCH 4/4] ci: automate flake lock updates and host evaluation

---
 .gitea/workflows/check-nixos.yml | 27 ++++++++++
 .gitea/workflows/update-flake-lock.yml | 32 +++++++++++
 .github/workflows/check-nixos.yml | 27 ++++++++++
 .github/workflows/update-flake-lock.yml | 37 +++++++++++++
 docs/flake-lock-automation.md | 71 +++++++++++++++++++++++++
 5 files changed, 194 insertions(+)
 create mode 100644 .gitea/workflows/check-nixos.yml
 create mode 100644 .gitea/workflows/update-flake-lock.yml
 create mode 100644 .github/workflows/check-nixos.yml
 create mode 100644 .github/workflows/update-flake-lock.yml
 create mode 100644 docs/flake-lock-automation.md

diff --git a/.gitea/workflows/check-nixos.yml b/.gitea/workflows/check-nixos.yml
new file mode 100644
index 0000000..27c5c9a
--- /dev/null
+++ b/.gitea/workflows/check-nixos.yml
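Review bot: The new `ExecStart` line still executes a script from `/mnt/docker-persistent-data/...` as root (the `User` line is commented out, so the unit defaults to root), which means root-executed code lives on a writable mount outside the Nix store and outside this repository; anyone, or any container, that can write that directory — plausible given the `docker/monitoring/gotify` layout, though the volume mounts are not visible here — gets root on the host at the next timer run. Consider keeping the script in the repo and referencing it from the store, e.g. `ExecStart = "${pkgs.writeShellScript "docker-health-to-gotify" (builtins.readFile ./docker-health-to-gotify.sh)}";`, or at minimum have the unit refuse to run the file unless it is root-owned and not group/world-writable. The enclosing service definition starts above the hunk (the `@@` context only shows the neighbouring `systemd.timers.update-containers` attrset), so I cannot tell whether sandboxing options such as `ProtectSystem` are already set on it.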
@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ eval-hosts:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v19
+
+ - name: Evaluate all NixOS hosts
+ run: |
+ set -euo pipefail
+ for host in nixos docker kuma server nix-cache nix-minimal; do
+ echo "Evaluating ${host}"
+ nix --extra-experimental-features 'nix-command flakes' eval \
+ ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+ done
diff --git a/.gitea/workflows/update-flake-lock.yml b/.gitea/workflows/update-flake-lock.yml
new file mode 100644
index 0000000..a9ab97f
--- /dev/null
+++ b/.gitea/workflows/update-flake-lock.yml
@@ -0,0 +1,32 @@
+name: Update flake.lock
+
+on:
+ schedule:
+ - cron: "0 6 * * 1"
+ workflow_dispatch:
+
+jobs:
+ update-flake-lock:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v19
+
+ - name: Update and commit flake.lock
+ run: |
+ set -euo pipefail
+ nix --extra-experimental-features 'nix-command flakes' flake update
+
+ if git diff --quiet -- flake.lock; then
+ echo "No flake.lock changes detected"
+ exit 0
+ fi
+
+ git config user.name "gitea-actions"
+ git config user.email "gitea-actions@nix-cache.local"
+ git add flake.lock
+ git commit -m "chore: update flake.lock"
+ git push
diff --git a/.github/workflows/check-nixos.yml b/.github/workflows/check-nixos.yml
new file mode 100644
index 0000000..27c5c9a
--- /dev/null
+++ b/.github/workflows/check-nixos.yml
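Review bot: The host list in `for host in nixos docker kuma server nix-cache nix-minimal; do` is hard-coded (and repeated in the GitHub copy and in the docs), so a host added to `nixosConfigurations` later is silently never evaluated and a removed one breaks the job. Enumerate the hosts from the flake instead: `for host in $(nix --extra-experimental-features 'nix-command flakes' eval --raw .#nixosConfigurations --apply 'cs: builtins.concatStringsSep " " (builtins.attrNames cs)'); do`. Separately, `actions/checkout@v4` and `DeterminateSystems/nix-installer-action@v19` are pinned to mutable tags; pinning each to a full commit SHA (with the tag kept in a trailing comment) keeps a tag move upstream from changing what runs in this repo's CI.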
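Review bot: The `Update and commit flake.lock` step pushes the refreshed `flake.lock` straight to the checked-out branch — `main`, since checkout is given no `ref` — without evaluating a single host first, so a breaking or malicious upstream input change is published immediately and every host that follows the documented `nixos-rebuild --flake git+https://gitea…` command will consume it; the `Check NixOS configurations` workflow only runs after that push has already landed. Run the same evaluation loop between the `git diff --quiet` early exit and `git commit`, so the lock is pushed only when every host still instantiates; pushing to a dedicated branch and opening a PR would be better still where the Gitea instance supports it. `actions/checkout@v4` and `DeterminateSystems/nix-installer-action@v19` are also tag-pinned here, and a job with push rights is where a full commit SHA pin matters most.
```yaml
          # … unchanged: `nix flake update` and the `git diff --quiet -- flake.lock` early exit …
          fi

          # Never push a lock that a host cannot evaluate: there is no review
          # gate after this point and hosts deploy straight from this branch.
          for host in nixos docker kuma server nix-cache nix-minimal; do
            echo "Evaluating ${host}"
            nix --extra-experimental-features 'nix-command flakes' eval \
              ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
          done

          # … unchanged: git config / add / commit / push …
```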
@@ -0,0 +1,27 @@
+name: Check NixOS configurations
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ eval-hosts:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v19
+
+ - name: Evaluate all NixOS hosts
+ run: |
+ set -euo pipefail
+ for host in nixos docker kuma server nix-cache nix-minimal; do
+ echo "Evaluating ${host}"
+ nix --extra-experimental-features 'nix-command flakes' eval \
+ ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" --raw
+ done
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
new file mode 100644
index 0000000..caf910c
--- /dev/null
+++ b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,37 @@
+name: Update flake.lock
+
+on:
+ schedule:
+ - cron: "0 6 * * 1"
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update-flake-lock:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v19
+
+ - name: Update flake.lock
+ run: |
+ nix --extra-experimental-features 'nix-command flakes' flake update
+
+ - name: Create pull request
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ add-paths: flake.lock
+ branch: chore/update-flake-lock
+ title: chore: update flake.lock
+ commit-message: chore: update flake.lock
+ body: |
+ This is an automated update of `flake.lock` generated by the scheduled workflow.
+
+ It updates pinned flake inputs so dependency updates can be reviewed and merged via PR.
diff --git a/docs/flake-lock-automation.md b/docs/flake-lock-automation.md
new file mode 100644
index 0000000..8ac34b9
--- /dev/null
+++ b/docs/flake-lock-automation.md
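Review bot: This workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives whatever the repository default is — read/write on repositories that predate GitHub's change of default — while an eval-only job needs none of it. Add a top-level block after `on:`, `permissions:` followed by `  contents: read`, mirroring the explicit block the sibling `update-flake-lock.yml` in this same patch already carries. `actions/checkout@v4` and `DeterminateSystems/nix-installer-action@v19` are pinned to mutable tags; a full commit SHA is the usual hardening for a job that runs on every pull request.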
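Review bot: A pull request opened with `token: ${{ secrets.GITHUB_TOKEN }}` does not trigger `pull_request` workflows (GitHub suppresses runs for events caused by the default token), so the `Check NixOS configurations` workflow added alongside this one will not run on the automated `chore/update-flake-lock` PR, and the docs' statement that every host is evaluated before merge will fail for exactly the PRs this automation creates. Either pass a GitHub App or fine-grained PAT token to `peter-evans/create-pull-request`, or run the host-evaluation loop in this job directly after the `nix flake update` step so the PR is only opened when all hosts still instantiate. `peter-evans/create-pull-request@v6` runs with `contents: write` and `pull-requests: write` here, which makes it the action most worth pinning to a full commit SHA instead of a mutable tag.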
@@ -0,0 +1,71 @@
+# flake.lock automation
+
+This repository uses CI workflows to keep `flake.lock` up to date on a schedule and to verify that all declared NixOS hosts still evaluate after dependency updates.
+
+## What this automation does
+
+- A scheduled workflow runs `nix flake update` once per week.
+- On GitHub, any resulting `flake.lock` change is proposed through a pull request.
+- On Gitea, the workflow can commit and push `flake.lock` directly when PR automation is not configured.
+- A separate CI workflow evaluates every configured host before merge:
+ - `nixos`
+ - `docker`
+ - `kuma`
+ - `server`
+ - `nix-cache`
+ - `nix-minimal`
+
+## Why hosts should stop using `--upgrade-all`
+
+`flake.lock` is the source of truth for pinned dependency versions in a flake-based workflow. Normal host rebuilds should consume the committed lock file instead of upgrading dependencies ad-hoc on each machine.
+
+Recommended rebuild command:
+
+```bash
+sudo nixos-rebuild switch --flake git+https://gitea.lan.ddnsgeek.com/beatzaplenty/nixos.git#$(hostname)
+```
+
+Using the committed lock file keeps all hosts aligned and makes updates auditable through CI and code review.
+
+## Command differences
+
+- `nix flake update`
+ - Updates flake input pins in `flake.lock`.
+ - Should be run in CI or in a dedicated update PR workflow.
+- `nixos-rebuild --upgrade`
+ - Primarily for channel-based workflows; not the normal path for flake-pinned deployments.
+- `nixos-rebuild --upgrade-all`
+ - Aggressively updates package sources and bypasses coordinated lock-file updates.
+ - Avoid for routine flake-based host rebuilds.
+
+## nix-cache and remote builder fit
+
+With `nix-cache` acting as a binary cache and remote builder, lock-file updates become safer and more reproducible:
+
+- CI verifies host evaluations against the updated lock file.
+- Builds can be performed once on the remote builder.
+- Built artifacts can be served via `nix-cache` to other hosts, reducing rebuild time and drift.
+
+## Token and secret handling
+
+Do **not** commit access tokens into `flake.nix`, `flake.lock`, or any other tracked file.
+
+If private source access is needed:
+
+- configure tokens locally in `~/.config/nix/nix.conf` or equivalent machine-local config, or
+- provide tokens through CI secrets/environment variables.
+
+## GitHub Actions setup notes
+
+- Ensure `GITHUB_TOKEN` has permission to create branches and pull requests (workflow sets `contents: write` and `pull-requests: write`).
+- The update workflow uses `peter-evans/create-pull-request` with branch `chore/update-flake-lock`.
+- The evaluation workflow runs on pull requests, pushes to `main`, and manual dispatch.
+
+## Gitea Actions runner setup notes
+
+- Ensure the runner image includes Git and can execute the Nix installer action.
+- For direct push mode, grant workflow push permission to the repository.
+- The workflow sets commit identity to:
+ - `user.name = gitea-actions`
+ - `user.email = gitea-actions@nix-cache.local`
+- Commits are only created when `flake.lock` actually changes.