README.md and GHA nixos tests

esselius · Jul 8, 2024 · 1e11808 · 1e11808
1 parent 4d8de2e
commit 1e11808
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 8 deletions.
diff --git a/.github/workflows/nixos-tests.yaml b/.github/workflows/nixos-tests.yaml
@@ -0,0 +1,24 @@
+name: "NixOS Tests"
+on:
+  pull_request:
+  push:
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
+
+      - uses: cachix/cachix-action@v15
+        with:
+          name: esselius-config
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          extraPullNames: nix-community
+
+      - uses: rrbutani/use-nix-shell-action@v1
+
+      - name: Monitoring Auth
+        run: nix run .#nixosTests.monitoring-auth
diff --git a/README.md b/README.md
@@ -1,15 +1,43 @@
 # Usage
 
+## Local darwin config
+
 Install nix with the [DeterminateSystems nix-installer](https://github.com/DeterminateSystems/nix-installer)
 
 ```shell
 $ nix-installer plan macos --case-sensitive --extra-conf "use-case-hack = false" --encrypt true > plan.json
 $ nix-installer install plan.json
+
+$ sudo mv /etc/nix/nix.conf{,.before-nix-darwin}
+$ nix  --extra-experimental-features 'flakes nix-command' run nix-darwin -- switch --flake .
 ```
 
-Switch darwin config
+## Raspberry Pi bootstrap
+
+Generate SD card image
 
 ```shell
-$ sudo mv /etc/nix/nix.conf{,.before-nix-darwin}
-$ nix  --extra-experimental-features 'flakes nix-command' run nix-darwin -- switch --flake .
+$ nix build .#nixosConfigurations.adama.config.system.build.sdImage
+$ unzstd result/sd-image/nixos-sd-image-24.05.20240706.49ee0e9-aarch64-linux.img.zst -o x.img
+```
+
+Flash SD card or USB stick with `x.img` using [Raspberry Pi Imager](https://www.raspberrypi.com/software/), put in RPi and start attached to network.
+
+Grab new ssh host key.
+
+```shell
+$ ssh-keyscan 192.168.1.195
+```
+
+Update host key in `secrets/secrets.nix` and rekey secrets.
+
+```shell
+$ cd secrets
+$ agenix --rekey
+```
+
+Deploy refreshed secrets.
+
+```shell
+$ nixos-rebuild switch --flake . --target-host 192.168.1.195 --fast --use-remote-sudo
 ```
diff --git a/home-modules/tools.nix b/home-modules/tools.nix
@@ -19,5 +19,6 @@
     nixpkgs-fmt
     jq
     zstd
+    nixos-rebuild
   ];
 }
diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age
diff --git a/secrets/github-token.age b/secrets/github-token.age
diff --git a/secrets/home-email.age b/secrets/home-email.age
@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 q0q77g oRcBQhZIoKzLlVZdsRlf4LdxmX9SuTEefbF0mJ3s6lU
-F1xEx2BBzLL9/G4pvuNyeV8foPy9XPCspiXRsRgsT+g
---- km9jGq8etKb4qrdyzmy6gSROuUuklHfYQ8/DQbrkwP4
-���c�Sj���}~��j�WKD��˭�B���f�Bk%6�'�:��
+-> ssh-ed25519 q0q77g 9i/kyZ2fTApdkvxZtGQM8nr6Dm7Tr0Gk5HDfgcOLlSI
+Z/zX899laT67h1+bzeDTu6gw/HpBi8xFa5QQovJuOzY
+--- /f9vBC76yKogzwhVZt2QwELwGasnCiLWgFDxGtAhYWw
+tm��ܶ���7��;j*�g�}*P�p{����A�4�~���m��{;.
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -2,7 +2,7 @@ let
   home-peteresselius = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIoqhLqzuQJEyn/M4WmBkpPlMou2zIXoJUikAcFgvx4C";
   work-peteresselius = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmUlguPPHN+XxAvF9OEmF8mnn7mXSWez5PjkG04ECL2";
 
-  adama = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUVGYoACAxqrVXHBGiG+kxd6GwFULIHC/3luk59tize";
+  adama = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTzyGpnD7Zlfj/7oxOq3ZQ1URPtRP60UaxOKyOm7Mgn";
 in
 {
   "work-email.age".publicKeys = [ work-peteresselius ];
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,5 +19,6 @@ @@
         nixpkgs-fmt
         jq
         zstd
+        nixos-rebuild
       ];
     }