Implement NixOS configuration for webforge with CI/CD Nix workflow

Signed-off-by: Benoit Donneaux <benoit@leastauthority.com>

Author: btlogy

.github/workflows/nix.yml

@@ -0,0 +1,129 @@
+name: Nix
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'nix/**'
+      - 'flake.*'
+      - 'secrets/**'
+  pull_request:
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'nix/**'
+      - 'flake.*'
+      - 'secrets/**'
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        id: install_nix
+        uses: nixbuild/nix-quick-install-action@v28
+
+      - name: Check Nix Flake
+        id: check
+        run: |
+          nix flake show
+          nix flake check
+
+      - name: Set matrix
+        id: set-matrix
+        run: |
+          # Extract targets from the flake
+          IFS=","
+          target_arr=( $(nix eval --json --apply 'builtins.attrNames' .#nixosConfigurations | sed -r -e 's/\[([^\[]+)\]/\1/' -e 's/"//g') )
+          index=0
+          size=${#target_arr[@]}
+          output="matrix={\"include\":["
+          IFS=" "
+          for target in ${target_arr[@]}; do
+            output+="{\"target\":\"${target}\","
+            output+="\"hostname\":$(nix eval .#nixosConfigurations.${target}.config.networking.hostName),"
+            output+="\"domain\":$(nix eval .#nixosConfigurations.${target}.config.networking.domain)}"
+            if [[ $((index++)) -lt $((size -1)) ]]; then
+              output+=","
+            fi
+          done
+          output+="]}"
+          echo $output
+          echo $output >> $GITHUB_OUTPUT
+
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    if: github.event_name == 'pull_request'
+    needs: check
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.check.outputs.matrix)}}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        id: install_nix
+        uses: nixbuild/nix-quick-install-action@v28
+
+      - name: Restore and cache Nix store ${{ matrix.target }}
+        uses: nix-community/cache-nix-action@v5
+        with:
+          # restore and save a cache using this key
+          primary-key: ${{ runner.os }}-Nix-${{ matrix.target }}-${{ hashFiles('flake.*', 'nix/common/*.nix', 'nix/modules/**.nix', format('nix/hosts/{0}/*.nix', matrix.target)) }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: ${{ runner.os }}-Nix-${{ matrix.target }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          gc-max-store-size-linux: 1073741824
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: ${{ runner.os }}-Nix-${{ matrix.target }}-
+          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
+
+      - name: Build nixosConfiguration for ${{ matrix.target }}
+        id: check_target
+        run: |
+          nix build .#nixosConfigurations.${{ matrix.target }}.config.system.build.toplevel
+
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-24.04
+    if: github.ref == 'refs/heads/main'
+    needs: check
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.check.outputs.matrix)}}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Load ssh key in agent
+        id: ssh_agent
+        uses: LeastAuthority/ssh-agent-action@v1
+        with:
+          private_key: ${{ secrets.DEPLOYMENT_SSH_KEY }}
+
+      - name: Deploy nixosConfiguration on ${{ matrix.target }}
+        id: deploy_target
+        run: |
+          # Specifying the target revision we want to deploy
+          target_rev=$(git log -n 1 --format='format:%H')
+          echo "Target revision: ${target_rev}"
+          echo -n "${target_rev}" | \
+          ssh -T -o "UserKnownHostsFile=nix/known_hosts" "bot-cd@${{ matrix.hostname }}.${{ matrix.domain }}"

.sops.yaml

@@ -0,0 +1,37 @@
+# This files uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  # The following public keys can be found in secrets/.public-keys
+  # They have to be imported and trusted
+  # E.g.: `gpg --import ...` and `gpg --edit-key ...`
+  # First the GPG fingerprints of the admin (hardware token recommanded)
+  - &adm_btlogy 411eb16d13b422490feba1155a7a09f0c279fcd6
+  - &adm_hacklschorsch 5244970fbec8aa66658ec4b6d7d4a441431a73f1
+  # Then the GPG fingerprints derivated of the sshd RSA key of the servers
+  # which can be obtain by running the following command on the server
+  # nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key"
+  - &srv_webforge 122ace3a40ab7fc47e5659c29c159e5083d0ed64
+creation_rules:
+  # The following files can be created with:
+  # `nix-shell -p sops --run "sops <file>"`
+  # To update after changing the keys:
+  # `nix-shell -p sops --run "sops updatekeys <file>"`
+  - path_regex: secrets/common\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *adm_btlogy
+      - *adm_hacklschorsch
+      - *srv_webforge
+  - path_regex: secrets/webforge\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *adm_btlogy
+      - *adm_hacklschorsch
+      - *srv_webforge
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *adm_btlogy
+      - *adm_hacklschorsch