Deploy #181
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| workflow_dispatch: | |
| push: | |
| paths-ignore: | |
| - '.github/**' | |
| branches: | |
| - main | |
| concurrency: | |
| group: deploy | |
| cancel-in-progress: true | |
| jobs: | |
| deploy: | |
| strategy: | |
| matrix: | |
| include: | |
| - server: [email protected] | |
| system: kazuma | |
| sshKey: "kazuma.tie.rip ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiWJmsj22woegXiWRA7GJ7guA/RHdksA1yBDpkgJ+dp" | |
| name: Deploy ${{ matrix.system }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install nix | |
| uses: cachix/install-nix-action@v30 | |
| with: | |
| extra_nix_config: "extra-experimental-features = nix-command flakes" | |
| - name: Set up cachix | |
| uses: cachix/cachix-action@v15 | |
| with: | |
| name: tie-infra | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| - name: Set up ssh-agent | |
| uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| - name: Set up known hosts | |
| run: | | |
| echo "$sshKnownHostKey" >known_hosts | |
| env: | |
| sshKnownHostKey: ${{ matrix.sshKey }} | |
| - name: Build configuration | |
| run: | | |
| nix run nixpkgs#nixos-rebuild -- build --fast --flake "$installable" | |
| env: | |
| installable: "github:${{ github.repository }}/${{ github.sha }}#${{ matrix.system }}" | |
| # Yikes, GitHub does not support IPv6 in hosted runners. | |
| # See https://github.com/actions/runner-images/issues/668 | |
| - name: Set up IPv6 | |
| run: | | |
| if curl --ipv6 --include https://cloudflare.com/cdn-cgi/trace; then | |
| exit 0 | |
| fi | |
| curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg | |
| sudo tee /etc/apt/sources.list.d/cloudflare-client.list <<EOF | |
| deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main | |
| EOF | |
| sudo apt-get update | |
| sudo apt-get install -y cloudflare-warp | |
| warp-cli --accept-tos registration new | |
| warp-cli --accept-tos connect | |
| curl --ipv6 --include --retry 5 --retry-delay 1 --retry-all-errors https://cloudflare.com/cdn-cgi/trace | |
| - name: Switch configuration | |
| run: | | |
| nix run nixpkgs#nixos-rebuild -- switch --fast --flake "$installable" --target-host "$target" --use-remote-sudo | |
| env: | |
| NIX_SSHOPTS: "-o CheckHostIP=no -o UserKnownHostsFile=known_hosts" | |
| installable: "github:${{ github.repository }}/${{ github.sha }}#${{ matrix.system }}" | |
| target: ${{ matrix.server }} | |
| - name: Delete WARP registration | |
| if: always() | |
| run: | | |
| warp-cli --accept-tos registration delete |