Kieran's opinionated (and probably slightly dumb) nix config

feat: update the nixos deployment workflow

dunkirk.sh d97853c3 9d205408

+99 -9
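--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -7,8 +7,54 @@
   workflow_dispatch:
 
 jobs:
+  pre-deploy:
+    runs-on: ubuntu-latest
+    outputs:
+      generations: ${{ steps.capture.outputs.generations }}
+
+    steps:
+      - name: Setup Tailscale
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:deploy
+          use-cache: "true"
+
+      - name: Configure SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "StrictHostKeyChecking accept-new" >> ~/.ssh/config
+
+      - name: Capture generations
+        id: capture
+        run: |
+          GENERATIONS='{}'
+          for NODE in terebithia; do
+            GEN=$(ssh kierank@${NODE} \
+              "readlink /nix/var/nix/profiles/system | grep -oP 'system-\K[0-9]+'")
+            GENERATIONS=$(echo "$GENERATIONS" | jq -c --arg node "$NODE" --arg gen "$GEN" '. + {($node): $gen}')
+          done
+          echo "generations=$GENERATIONS" >> "$GITHUB_OUTPUT"
+
   deploy:
+    needs: pre-deploy
+    strategy:
+      fail-fast: false
+      matrix:
+        node:
+          - name: terebithia
+            arch: aarch64-linux
+
+    name: ${{ matrix.node.name }}
     runs-on: ubuntu-latest
+    environment:
+      name: ${{ matrix.node.name }}
+
+    concurrency:
+      group: deploy-${{ matrix.node.name }}
+      cancel-in-progress: false
+
     steps:
       - uses: actions/checkout@v4
 
@@ -19,6 +65,7 @@
             extra-platforms = aarch64-linux
 
       - name: Set up QEMU
+        if: matrix.node.arch == 'aarch64-linux'
         uses: docker/setup-qemu-action@v3
         with:
           platforms: arm64
@@ -36,6 +83,58 @@
           mkdir -p ~/.ssh
           echo "StrictHostKeyChecking accept-new" >> ~/.ssh/config
 
+      - name: Deploy ${{ matrix.node.name }}
+        run: |
+          nix run 'github:serokell/deploy-rs' -- \
+            --skip-checks \
+            --remote-build \
+            --ssh-user kierank \
+            --ssh-opts="-o StrictHostKeyChecking=accept-new" \
+            .#${{ matrix.node.name }}
+
+  rollback:
+    needs: [pre-deploy, deploy]
+    if: failure()
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Setup Tailscale
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:deploy
+          use-cache: "true"
+
+      - name: Configure SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "StrictHostKeyChecking accept-new" >> ~/.ssh/config
+
+      - name: Rollback all nodes
+        env:
+          GENERATIONS: ${{ needs.pre-deploy.outputs.generations }}
+        run: |
+          echo "$GENERATIONS" | jq -r 'to_entries[] | "\(.key) \(.value)"' | \
+          while read -r NODE GEN; do
+            echo "::group::rollback $NODE → generation $GEN"
+            ssh kierank@${NODE} "
+              sudo nix-env -p /nix/var/nix/profiles/system --switch-generation ${GEN}
+              sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
+            "
+            echo "::endgroup::"
+          done
+
+  docs:
+    needs: deploy
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/determinate-nix-action@main
+
       - name: Build docs
         run: nix build .#packages.x86_64-linux.docs -L
 
@@ -45,12 +144,3 @@
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           command: pages deploy result --project-name=dots-docs
-
-      - name: Deploy all configurations
-        run: |
-          nix run 'github:serokell/deploy-rs' -- \
-            --skip-checks \
-            --remote-build \
-            --ssh-user kierank \
-            --ssh-opts="-o StrictHostKeyChecking=accept-new" \
-            .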
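Review bot: The `Configure SSH` steps of the new pre-deploy and rollback jobs (new lines 27 and 112) set `StrictHostKeyChecking accept-new` on a fresh runner whose `~/.ssh/known_hosts` is empty, so the first connection to each node accepts whatever host key is presented and the commands that follow — the `readlink` in `Capture generations` and the `sudo nix-env`/`switch-to-configuration` pair in `Rollback all nodes` — run against a host the runner has not verified; the `--ssh-opts` on the deploy step (new line 92) has the same property. Seeding a pinned host key and refusing unknown ones closes this, e.g. `echo "<pinned known_hosts entry for terebithia>" >> ~/.ssh/known_hosts` (from a committed file or a repository variable) followed by `echo "StrictHostKeyChecking yes" >> ~/.ssh/config`, applied in all three jobs. Separately, the docs job's `uses: DeterminateSystems/determinate-nix-action@main` (new line 136) follows a mutable branch in a job that holds the Cloudflare token; pinning it to a release tag or commit SHA like the other actions in this file would be consistent. A short comment on `if: failure()` (new line 97) noting that it also fires when pre-deploy itself failed — in which case `GENERATIONS` is empty and the loop is a no-op — would make the rollback job's behaviour clearer to the next reader.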