Lock file maintenance (#47) #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy NixOS systems | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| discover: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: cachix/install-nix-action@v26 | |
| - id: set-matrix | |
| name: Generate matrix | |
| run: | | |
| matrix=$( | |
| nix flake show --refresh --all-systems --json "." | | |
| jq ' | |
| path(.. | select(.type? == "nixos-configuration")) | last | { attr: ., fqdn: . | gsub("_"; ".") } | |
| ' | | |
| jq --slurp --compact-output | |
| ) | |
| echo "matrix=$matrix" >> "$GITHUB_OUTPUT" | |
| deploy: | |
| name: ${{ matrix.fqdn }} | |
| needs: discover | |
| runs-on: ubuntu-latest | |
| environment: ${{ matrix.fqdn }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJSON(needs.discover.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: cachix/install-nix-action@v26 | |
| with: | |
| extra_nix_config: | | |
| accept-flake-config = true | |
| always-allow-substitutes = true | |
| - name: Write SSH keys | |
| run: | | |
| install -m 600 -D /dev/null ~/.ssh/deploy_key | |
| echo "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/deploy_key | |
| cp ssh_known_hosts ~/.ssh/known_hosts | |
| - name: Check if system should be reachable | |
| run: | | |
| if ! host ${{ matrix.fqdn }}; then | |
| echo "::notice::The system ${{ matrix.fqdn }} is not reachable, skipping deployment" | |
| echo "skip_deploy=true" >> "$GITHUB_ENV" | |
| fi | |
| - name: Get expected output path | |
| if: ${{ env.skip_deploy != 'true' }} | |
| run: | | |
| drv=$(nix path-info --derivation '.#nixosConfigurations."${{ matrix.attr }}".config.system.build.toplevel') | |
| out=$(nix derivation show $drv^* | jq -r ".\"$drv\".outputs.out.path") | |
| echo "out=$out" >> "$GITHUB_ENV" | |
| - name: Get current timestamp | |
| if: ${{ env.skip_deploy != 'true' }} | |
| run: echo "timestamp=$(date --utc +"%Y-%m-%dT%H:%M:%SZ")" >> "$GITHUB_ENV" | |
| - name: Start deployment | |
| if: ${{ env.skip_deploy != 'true' }} | |
| run: ssh -i ~/.ssh/deploy_key root@${{ matrix.fqdn }} systemctl start --no-block nixos-upgrade.service | |
| - name: Check if deployment was successful | |
| if: ${{ env.skip_deploy != 'true' }} | |
| timeout-minutes: 30 | |
| run: until [ "$(ssh -i ~/.ssh/deploy_key root@${{ matrix.fqdn }} readlink /run/current-system)" = "${{ env.out }}" ]; do sleep 10; done | |
| - name: Get deployment logs | |
| if: ${{ !cancelled() && env.skip_deploy != 'true' }} | |
| run: ssh -i ~/.ssh/deploy_key root@${{ matrix.fqdn }} journalctl --unit nixos-upgrade.service --since ${{ env.timestamp }} |