Merge pull request 'update-deployment-workflow' (#18 ) from update-deployment-workflow into master

Reviewed-on: #18
deploy: run deployment when flake.lock is updated
2023-10-21 04:08:07 -04:00 · 2023-10-21 04:04:17 -04:00 · 2023-10-21 03:43:21 -04:00 · 2023-10-21 03:39:31 -04:00 · 2023-10-21 03:24:20 -04:00 · 2023-10-21 03:10:09 -04:00
12 changed files with 92 additions and 29 deletions
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@ -1,3 +1,5 @@
 name: flake check
 on: [push]
 jobs:
  check:
--- a/.forgejo/workflows/deployment/deploy-systems.yml
+++ b/.forgejo/workflows/deployment/deploy-systems.yml
@ -0,0 +1,27 @@
 name: deploy systems
 on:
  push:
    paths:
      - "**.lock"
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: install nix action
        uses: https://github.com/DeterminateSystems/nix-installer-action@v5
        with:
          github-token: ${{ secrets.GH_TOKEN }}
      - name: write private key
        run: |
          mkdir -p .ssh && cd .ssh
          echo "$SSH_KEY" > forgejo
          chmod 400 forgejo
        shell: bash
        env:
          SSH_KEY: ${{secrets.SSH_DEPLOY_KEY}}
      - name: deploy
        run: |
          cd .ssh
          nix run github:serokell/deploy-rs -- --ssh-opts="-i forgejo -o StrictHostKeyChecking=no" --skip-checks --targets .#arashi .#kariru .#sakura .#sora .#yuki
--- a/.forgejo/workflows/fmt.yml
+++ b/.forgejo/workflows/fmt.yml
@ -1,3 +1,5 @@
 name: fmt check
 on: [push]
 jobs:
  check:
--- a/hosts/arashi/default.nix
+++ b/hosts/arashi/default.nix
@ -28,6 +28,9 @@
  };
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWRbIwwHuyEOLhA9dKTf4TgFqtPR5MNcJorKm731S7G arashi''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWRbIwwHuyEOLhA9dKTf4TgFqtPR5MNcJorKm731S7G arashi"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
 }
--- a/hosts/deploy.nix
+++ b/hosts/deploy.nix
@ -1,54 +1,64 @@
 inputs: {
  nodes = with inputs.deploy-rs.lib.x86_64-linux; {
    sakura = {
-      hostname = "sakura";
+      hostname = "100.121.201.47";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.sakura;
      };
-      sshUser = "notoh";
+      sshUser = "root";
-      sshOpts = ["-t" "-i" "~/.ssh/sakura"];
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
-      magicRollback = false;
+      magicRollback = true;
    };
    kariru = {
-      hostname = "kariru";
+      hostname = "100.126.229.95";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.kariru;
      };
-      sshUser = "notoh";
+      sshUser = "root";
-      sshOpts = ["-t" "-i" "~/.ssh/kariru"];
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
-      magicRollback = false;
+      magicRollback = true;
    };
    yuki = {
-      hostname = "yuki";
+      hostname = "100.110.140.130";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.yuki;
      };
-      sshUser = "notoh";
+      sshUser = "root";
-      sshOpts = ["-t" "-i" "~/.ssh/yuki"];
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
-      magicRollback = false;
+      magicRollback = true;
    };
    arashi = {
-      hostname = "arashi";
+      hostname = "100.94.214.100";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.arashi;
      };
-      sshUser = "notoh";
+      sshUser = "root";
-      sshOpts = ["-t" "-i" "~/.ssh/arashi"];
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
-      magicRollback = false;
+      magicRollback = true;
    };
    sora = {
-      hostname = "sora";
+      hostname = "100.87.54.48";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.sora;
      };
-      sshUser = "notoh";
+      sshUser = "root";
-      sshOpts = ["-t" "-i" "~/.ssh/kumo"];
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
-      magicRollback = false;
+      magicRollback = true;
    };
    tsuru = {
      hostname = "100.82.146.40";
      profiles.system = {
        user = "root";
        path = activate.nixos inputs.self.nixosConfigurations.tsuru;
      };
      sshUser = "root";
      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
      magicRollback = true;
    };
  };
 }
--- a/hosts/kariru/default.nix
+++ b/hosts/kariru/default.nix
@ -24,6 +24,9 @@
  };
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmWafzbhah18nm2z1epc6139XVlcKT0ndAI0wbLj+/6 kariru''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmWafzbhah18nm2z1epc6139XVlcKT0ndAI0wbLj+/6 kariru"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
 }
--- a/hosts/sakura/default.nix
+++ b/hosts/sakura/default.nix
@ -1,4 +1,4 @@
-{...}: {
+{pkgs, ...}: {
  imports = [
    ./hardware-configuration.nix
    ./services
@ -26,6 +26,11 @@
  };
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqAjaV2D2J8ln4n39ZvszCF5Jql+0IaSpFCJlzDSLv6 sakura''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqAjaV2D2J8ln4n39ZvszCF5Jql+0IaSpFCJlzDSLv6 sakura"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
  environment.systemPackages = [pkgs.cowsay];
 }
--- a/hosts/sora/default.nix
+++ b/hosts/sora/default.nix
@ -10,6 +10,9 @@ _: {
  zramSwap.enable = true;
  networking.hostName = "sora";
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmI3hRDFjxLjrM3pE471e4jxSlcqeizh3iNVVdaMHeN sora''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmI3hRDFjxLjrM3pE471e4jxSlcqeizh3iNVVdaMHeN sora"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
 }
--- a/hosts/tsuru/default.nix
+++ b/hosts/tsuru/default.nix
@ -24,6 +24,9 @@
  };
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwby2FLCKFZZlOLDRhsm9GckyYAuyk0mq28jRD02tdv tsuru''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwby2FLCKFZZlOLDRhsm9GckyYAuyk0mq28jRD02tdv tsuru"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
 }
--- a/hosts/yuki/default.nix
+++ b/hosts/yuki/default.nix
@ -24,6 +24,9 @@
  };
  users.users.notoh.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoLDqOjZIQQ+YYir9MQnlh8wgqI1dz5nYL054OnIgDa yuki''
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoLDqOjZIQQ+YYir9MQnlh8wgqI1dz5nYL054OnIgDa yuki"
  ];
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
  ];
 }
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@ -5,7 +5,7 @@
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = lib.mkForce false;
      PubkeyAuthentication = lib.mkForce true;
-      PermitRootLogin = lib.mkForce "no";
+      PermitRootLogin = lib.mkForce "yes";
      StreamLocalBindUnlink = "yes";
      GatewayPorts = "clientspecified";
    };
--- a/modules/security.nix
+++ b/modules/security.nix
@ -55,7 +55,9 @@
      "192.168.0.0/16"
      "172.16.0.0/12"
      "10.0.0.0/8"
-      "5.161.181.184"
+      "5.161.181.184/32"
      "100.71.49.65/10"
      "100.82.146.40/10"
    ];
    jails.DEFAULT = {
      settings = {
Author	SHA1	Message	Date
notohh	420e1fed57	Merge pull request 'update-deployment-workflow' (#18 ) from update-deployment-workflow into master All checks were successful flake check / check (push) Successful in 2m51s fmt check / check (push) Successful in 42s Reviewed-on: #18	2023-10-21 04:08:07 -04:00
notohh	d9ccd196d0	deploy: run deployment when flake.lock is updated All checks were successful flake check / check (push) Successful in 2m50s fmt check / check (push) Successful in 45s	2023-10-21 04:04:17 -04:00
notohh	b2b87a6b4c	sakura: add package to test deployment All checks were successful deploy systems / deploy (push) Successful in 13m16s flake check / check (push) Successful in 2m57s fmt check / check (push) Successful in 43s	2023-10-21 03:43:21 -04:00
notohh	935d809811	deploy: switch sakura back to tailscale Some checks reported warnings deploy systems / deploy (push) Has been cancelled fmt check / check (push) Successful in 42s flake check / check (push) Successful in 2m57s	2023-10-21 03:39:31 -04:00
notohh	84920a102b	deploy: test multi host deployment All checks were successful deploy systems / deploy (push) Successful in 13m29s flake check / check (push) Successful in 3m5s fmt check / check (push) Successful in 51s	2023-10-21 03:24:20 -04:00
notohh	503388ff9f	deploy: this should fix deploys Some checks reported warnings flake check / check (push) Has been cancelled deploy systems / deploy (push) Successful in 9m45s fmt check / check (push) Successful in 42s	2023-10-21 03:10:09 -04:00
notohh	cdfbf13fcd	try this Some checks failed flake check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m36s fmt check / check (push) Successful in 42s	2023-10-21 02:41:33 -04:00
notohh	ccb33cb1f8	deploy: use bash over nushell Some checks failed flake check / check (push) Has been cancelled fmt check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m31s	2023-10-21 02:31:20 -04:00
notohh	6ad184b3b3	deploy: change forgejo perms Some checks failed flake check / check (push) Has been cancelled fmt check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m24s	2023-10-21 02:20:28 -04:00
notohh	dbe1f96376	deploy: add extra ssh opts Some checks failed flake check / check (push) Has been cancelled fmt check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m30s	2023-10-21 02:07:24 -04:00
notohh	ab31386bfa	deploy: switch sakura to lan Some checks failed deploy systems / deploy (push) Failing after 9m29s fmt check / check (push) Successful in 41s flake check / check (push) Has been cancelled	2023-10-21 01:56:03 -04:00
notohh	b4ffe56ccf	deploy: add known_hosts Some checks failed deploy systems / deploy (push) Failing after 9m35s flake check / check (push) Has been cancelled fmt check / check (push) Has been cancelled	2023-10-21 01:46:18 -04:00
notohh	83a17b59e1	chore: didnt mean to commit this yet Some checks failed flake check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m35s fmt check / check (push) Successful in 40s	2023-10-21 01:23:48 -04:00
notohh	365eb1b59c	deploy: switch to real ssh key	2023-10-21 01:23:14 -04:00
notohh	ea5da5a906	deploy: rollback test Some checks failed flake check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m20s fmt check / check (push) Successful in 40s	2023-10-21 01:13:25 -04:00
notohh	b3c0ba4633	deploy: rollback test Some checks reported warnings flake check / check (push) Has been cancelled deploy systems / deploy (push) Successful in 13s fmt check / check (push) Successful in 41s	2023-10-21 01:11:22 -04:00
notohh	db2ca7eeeb	deploy: test deployment Some checks reported warnings flake check / check (push) Has been cancelled deploy systems / deploy (push) Successful in 13s fmt check / check (push) Successful in 40s	2023-10-21 01:10:11 -04:00
notohh	71e74662d9	deploy: rewrite Some checks failed flake check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 9m15s fmt check / check (push) Successful in 41s	2023-10-21 00:58:54 -04:00
notohh	fa3e9e7058	deploy: try calling the secret Some checks failed fmt check / check (push) Has been cancelled flake check / check (push) Has been cancelled deploy systems / deploy (push) Failing after 18m20s	2023-10-21 00:25:34 -04:00
notohh	6c30cd85a7	deploy: add missing $ Some checks reported warnings flake check / check (push) Has been cancelled deploy systems / deploy (push) Has been cancelled fmt check / check (push) Successful in 40s	2023-10-21 00:05:55 -04:00
notohh	6cd17ea1ec	deploy: deploy-rs implementation first pass Some checks reported warnings flake check / check (push) Has been cancelled deploy systems / deploy (push) Has been cancelled fmt check / check (push) Has been cancelled	2023-10-21 00:04:27 -04:00
notohh	5fa9dcab2d	deployment: rename secret All checks were successful deploy systems / deploy (push) Successful in 13s fmt check / check (push) Successful in 39s flake check / check (push) Successful in 2m46s	2023-10-20 23:19:56 -04:00
notohh	7337bd2a40	hosts: rotate public keys	2023-10-20 23:19:56 -04:00
notohh	649883b5df	deploy: specify username	2023-10-20 23:19:56 -04:00
notohh	7624d672cd	deploy: use key instead of key_path	2023-10-20 23:19:55 -04:00
notohh	83e7aa9026	deployment: remove keypath	2023-10-20 23:19:55 -04:00
notohh	aef0f1e9c6	ci: update deployment.yml	2023-10-20 23:19:55 -04:00
notohh	6ec9d1f241	deploy: update nodes	2023-10-20 23:19:55 -04:00
notohh	1a90d94d09	hosts: update keys	2023-10-20 23:19:55 -04:00
notohh	5f64eca21f	ci: add double brackets	2023-10-20 23:19:55 -04:00
notohh	1c2a88276d	ci: fix deploy typo	2023-10-20 23:19:55 -04:00
notohh	678e98328c	ci: rename deploy.yml	2023-10-20 23:19:55 -04:00
notohh	6049d09d6a	ci: add testing deployment workflow	2023-10-20 23:19:55 -04:00
notohh	37a4469a51	workflows: add top level names	2023-10-20 23:19:54 -04:00
notohh	96ac8d076e	deploy: switch sshUser to root, and enable magicRollback on all systems	2023-10-20 23:19:54 -04:00
notohh	da2caff517	fail2ban: bypass tailscale ips	2023-10-20 23:19:54 -04:00
notohh	19d0371248	openssh: permit root login	2023-10-20 23:19:54 -04:00