@akiross
Created September 21, 2024 15:52
Deploying nix flakes to nixos hosts using github actions

All Nix(OS) deploy

  • update-flake-lock.yml
  • deploy-host-flake.yml
  • flake.nix
  • some-service somewhere on git

This is an example of an all-Nix deployment. The architecture is the following:

  1. you have a some-service flake somewhere on a repository; let's assume it's private and hosted at github.com/foobar/some-service.
  2. you have a NixOS host used for running GitHub Actions and running the deploy; in this example it is tagged as nixos-runner. This is not strictly required, and the same setup might also work on a GitHub-hosted runner with cachix/install-nix-action.
  3. there's a GitHub action update-flake-lock.yml that checks whether some-service has been updated; it runs manually or from a cron job, and if the some-service input of the flake is out of date, a PR is opened. An SSH key is set up for this action so it can access private repos as well; since this key only needs to fetch, a read-only deploy key scoped to the some-service repository is enough.
  4. there's a GitHub action deploy-host-flake.yml that performs nixos-rebuild to deploy a flake; in this example it is run manually, but it might be tweaked to run automatically after the PR is merged. The SSH key this action uses can switch the target's system configuration, so treat it as equivalent to root on that host and keep it in a secret separate from the read-only key, as the two workflows below do.
deploy-host-flake.yml

```yaml
name: deploy-nix-flakes
on:
  workflow_dispatch:
    inputs:
      output:
        required: true
        description: flake output to use e.g. .#some-host
      host:
        required: true
        description: for --build and --target e.g. [email protected]
jobs:
  deploy-nix:
    runs-on: [self-hosted, linux, x64, nixos-runner]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Prepare ssh keys
        # Pass the secret through env instead of interpolating ${{ }} into the
        # script body, so its content is never parsed as shell.
        env:
          DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.CI03_DEPLOY_SSH_PRIVATE_KEY }}
        run: |
          # Generate a directory for the config
          CONFDIR=$(mktemp -d "${{ runner.temp }}/tmp.XXXXXX")
          echo "Preparing SSH key"
          mkdir -p "$CONFDIR/.ssh" && chmod 700 "$CONFDIR/.ssh"
          touch "$CONFDIR/.ssh/id_ed25519"
          chmod 600 "$CONFDIR/.ssh/id_ed25519"
          printf '%s\n' "$DEPLOY_SSH_PRIVATE_KEY" > "$CONFDIR/.ssh/id_ed25519"
          # Options to pass to NIX for ssh connection.
          # StrictHostKeyChecking=no accepts whatever host key the target presents,
          # so a redirected connection would not be noticed; pinning the target's
          # key in a known_hosts file is the safer option when you can.
          echo "NIX_SSHOPTS=-i $CONFDIR/.ssh/id_ed25519 -o StrictHostKeyChecking=no" >>"$GITHUB_ENV"
      - name: Run nix deploy
        # Same treatment for the dispatch inputs: they are user-supplied text and
        # must not be spliced into the command line by the workflow engine.
        env:
          TARGET_HOST: ${{ github.event.inputs.host }}
          FLAKE_OUTPUT: ${{ github.event.inputs.output }}
        run: nixos-rebuild switch --build-host "$TARGET_HOST" --target-host "$TARGET_HOST" --flake "$FLAKE_OUTPUT"
```
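A hardened version of the two `run:` steps above, added here as an example and not part of the gist. It keeps the gist's structure (a temporary config directory, NIX_SSHOPTS, nixos-rebuild with --build-host/--target-host) but assumes the workflow hands the private key and a pinned host-key line to the script through `env:` as the hypothetical variables DEPLOY_SSH_KEY and DEPLOY_KNOWN_HOSTS, validates both workflow_dispatch inputs before they reach a command line, and enables strict host-key checking against that pinned key instead of StrictHostKeyChecking=no. The key and host-key values set as defaults in the block are constructed stand-ins so that it runs outside CI.

```shell
#!/bin/sh
# Added example (not the gist's code): hardened "Prepare ssh keys" and
# "Run nix deploy" steps. Hypothetical inputs, expected from the workflow's
# `env:` block: DEPLOY_SSH_KEY, DEPLOY_KNOWN_HOSTS, INPUT_OUTPUT, INPUT_HOST.
set -eu

# Constructed stand-ins so the script can be exercised outside CI.
# In the workflow these come from secrets; never hard-code real ones.
: "${DEPLOY_SSH_KEY:=-----BEGIN OPENSSH PRIVATE KEY-----
constructed-placeholder-not-a-real-key
-----END OPENSSH PRIVATE KEY-----}"
: "${DEPLOY_KNOWN_HOSTS:=host.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey}"

# Dispatch inputs are free text from whoever may trigger the workflow, so
# accept only the exact shapes we expect before they touch a command line.
validate_flake_output() {
  # ".#some-host" or "./sub/dir#some-host"; no spaces, quotes or metacharacters
  printf '%s\n' "$1" | grep -Eq '^\.(/[A-Za-z0-9_./-]*)?#[A-Za-z0-9_-]+$'
}

validate_host() {
  # "user@hostname"; rejects extra ssh options smuggled in after a space
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_-]*@[A-Za-z0-9.-]+$'
}

# Creates a private config directory holding the key and the pinned host key,
# then prints its path. umask 077 means the files are never readable by
# others, not even between a touch and a chmod as in the original step.
prepare_ssh_config() {
  confdir=$(mktemp -d "${RUNNER_TEMP:-/tmp}/tmp.XXXXXX")
  (
    umask 077
    mkdir "$confdir/.ssh"
    printf '%s\n' "$DEPLOY_SSH_KEY" > "$confdir/.ssh/id_ed25519"
    printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > "$confdir/.ssh/known_hosts"
  )
  printf '%s\n' "$confdir"
}

# ssh options for nixos-rebuild: only our key, only our known_hosts, and
# refuse to connect when the presented host key does not match the pinned one.
nix_sshopts() {
  printf -- '-i %s/.ssh/id_ed25519 -o IdentitiesOnly=yes -o UserKnownHostsFile=%s/.ssh/known_hosts -o StrictHostKeyChecking=yes\n' "$1" "$1"
}

# Builds the nixos-rebuild command line after validating both inputs.
# Prints nothing and returns 1 if either input is rejected.
deploy_command() {
  output=$1 host=$2
  validate_flake_output "$output" || { echo "rejected flake output: $output" >&2; return 1; }
  validate_host "$host" || { echo "rejected host: $host" >&2; return 1; }
  printf 'nixos-rebuild switch --build-host %s --target-host %s --flake %s\n' "$host" "$host" "$output"
}

# Usage in the workflow step (hypothetical INPUT_* names set via env:):
#   CONFDIR=$(prepare_ssh_config)
#   echo "NIX_SSHOPTS=$(nix_sshopts "$CONFDIR")" >> "$GITHUB_ENV"
#   $(deploy_command "$INPUT_OUTPUT" "$INPUT_HOST")
```

The pinned host-key line is the one `ssh-keyscan -t ed25519 host.example.org` prints for the real target; store it as a secret or a repository variable next to the key so that a changed or spoofed target fails the deploy instead of being silently accepted.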
flake.nix

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    some-service.url = "git+ssh://[email protected]/foobar/some-service?ref=main";
  };

  outputs =
    { self
    , nixpkgs
    , some-service
    ,
    }: {
      nixosConfigurations.demo = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./configuration.nix
          some-service.nixosModules.default
        ];
      };
    };
}
```
update-flake-lock.yml

```yaml
name: update-flake-locks
on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
jobs:
  lockfile:
    # note this is running on a nixos-hosted github action runner
    runs-on: [self-hosted, linux, x64, nixos-runner]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Prepare ssh keys
        # Pass the secret through env instead of interpolating ${{ }} into the
        # script body, so its content is never parsed as shell.
        env:
          SSH_PRIVATE_KEY: ${{ secrets.CI03_SSH_PRIVATE_KEY }}
        run: |
          # Generate a directory for the config
          CONFDIR=$(mktemp -d "${{ runner.temp }}/tmp.XXXXXX")
          echo "Preparing SSH key"
          mkdir -p "$CONFDIR/.ssh" && chmod 700 "$CONFDIR/.ssh"
          touch "$CONFDIR/.ssh/id_ed25519"
          chmod 600 "$CONFDIR/.ssh/id_ed25519"
          printf '%s\n' "$SSH_PRIVATE_KEY" > "$CONFDIR/.ssh/id_ed25519"
          # Save the path to config in workflow environment file:
          # ssh won't honor $HOME and will expand ~ to passwd entry
          echo "GIT_SSH_COMMAND=ssh -i $CONFDIR/.ssh/id_ed25519" >>"$GITHUB_ENV"
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@v23
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
          inputs: some-service
          path-to-flake-dir: '/'
```