name: deploy on: push: branches: [main] jobs: deploy: runs-on: nixos steps: - uses: actions/checkout@v4 - name: Setup deploy SSH key run: | mkdir -p ~/.ssh # Dedicated key file so we never overwrite the runner user's own key. # nix/deploy.nix pins this via `-i ~/.ssh/gebos_deploy`. install -m 600 /dev/stdin ~/.ssh/gebos_deploy <<< "${{ secrets.DEPLOY_SSH_KEY }}" ssh-keyscan -H db.gebos.online app.gebos.online ingest.gebos.online >> ~/.ssh/known_hosts 2>/dev/null || true - name: Build all closures run: nix flake check --no-build # TEMPORARY: diagnose the SSH auth failure to db-host. Prints only the # PUBLIC key fingerprint (no private material) and the ssh negotiation. # Remove once deploys succeed. - name: Debug SSH to db-host run: | echo "== runner =="; whoami; echo "HOME=$HOME" echo "== installed deploy PUBLIC key (compare to nix/hosts/common.nix:26-27) ==" ssh-keygen -y -f ~/.ssh/gebos_deploy -P "" < /dev/null \ || echo ">>> KEY UNREADABLE: encrypted (has passphrase) or missing" echo "deploy should be ...Z+SU" echo "me@larsnolden.com should be ...cdd0" echo "== ssh auth negotiation ==" ssh -vvv -F none -i ~/.ssh/gebos_deploy -o IdentitiesOnly=yes \ -o StrictHostKeyChecking=accept-new -o BatchMode=yes \ deploy@db.gebos.online 'echo CONNECTED as $(whoami)@$(hostname)' 2>&1 \ | grep -Ei 'CONNECTED|denied|Server accepts|Offering|Authenticated|not accessible|Host key|incorrect passphrase|No such' \ || true # Order matters: db schema migrations are part of db-host's activation, # so it must land first. App-host's Supabase compose stack expects the # schemas to exist. mqtt-ingest only needs the network paths to db-host. - name: Deploy db-host run: nix run github:serokell/deploy-rs -- .#db-host --skip-checks - name: Deploy app-host run: nix run github:serokell/deploy-rs -- .#app-host --skip-checks - name: Deploy mqtt-ingest run: nix run github:serokell/deploy-rs -- .#mqtt-ingest --skip-checks