You can have NixCI automatically deploy your code after a suite succeeds.
To activate the continuous deployment mechanism, add a deploy section to the nix-ci output of your flake:
For example, this example deployment configures the packages.x86_64-linux.deploy-to-prod package to be run as a deployment:

    {
      nix-ci = {
        deploy = {
          example = {
            package = "packages.x86_64-linux.deploy-to-prod";
          };
        };
      };
    }

In particular, NixCI will run nix run packages.x86_64-linux.deploy-to-prod, which executes the package's meta.mainProgram.
NixCI can provide the secrets necessary for your deployment.
Secrets are declared in the nix-ci.deploy.<name>.secrets list.
Once a secret is declared, it is required for that deployment.
You can set a secret's value in the Secrets overview of your repository.
For example, this deployment is declared to require the FORGE_ACCESS_TOKEN to be set.

    {
      nix-ci = {
        deploy = {
          example = {
            package = "packages.x86_64-linux.deploy-to-prod";
            secrets = ["FORGE_ACCESS_TOKEN"];
          };
        };
      };
    }

During the deployment, the FORGE_ACCESS_TOKEN environment variable will be set to the secret.
NixCI has special support for SSH keys.
You could provide SSH keys with the secrets as described above, but it can be difficult to get libcrypto to load an SSH key.
NixCI can take care of this for you.
In this example, the CI_SSH_KEY secret is declared to contain an SSH key with the given public key.

    {
      nix-ci = {
        deploy = {
          example = {
            package = "packages.x86_64-linux.deploy-to-prod";
            ssh-keys = [{
              public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJSjGhDsCpOGTldxNvLP3NCM1eLMNxjHKKg4y2my1PS";
              secret = "CI_SSH_KEY";
            }];
          };
        };
      };
    }

During the deployment, the CI_SSH_KEY environment variable will be set to the file path of the given SSH key.
You can then use the -i option to use it:

    ssh -i "$CI_SSH_KEY"

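The program behind meta.mainProgram can check what NixCI hands it before it touches production. This added example (not NixCI's own code) verifies that FORGE_ACCESS_TOKEN is set and that CI_SSH_KEY names a usable private key file, then connects with pinned host keys; DEPLOY_HOST, DEPLOY_KNOWN_HOSTS, SSH_BIN and the remote command are assumptions, not NixCI features.

```shell
#!/bin/sh
# Added example: a deploy program as NixCI would start it via meta.mainProgram.
# DEPLOY_HOST, DEPLOY_KNOWN_HOSTS and SSH_BIN are hypothetical names.
set +x  # never trace commands: FORGE_ACCESS_TOKEN holds the secret value itself

# Return 0 only if the declared secret and SSH key are usable.
preflight() {
  if [ -z "${FORGE_ACCESS_TOKEN:-}" ]; then
    echo "preflight: FORGE_ACCESS_TOKEN is not set" >&2
    return 1
  fi
  # CI_SSH_KEY is a file path, not key material.
  if [ -z "${CI_SSH_KEY:-}" ] || [ ! -f "$CI_SSH_KEY" ]; then
    echo "preflight: CI_SSH_KEY does not name a regular file" >&2
    return 1
  fi
  # OpenSSH refuses private keys that group or others can access.
  case "$(ls -ld "$CI_SSH_KEY")" in
    -???------*) ;;
    *) echo "preflight: key file permissions are too open" >&2; return 1 ;;
  esac
  # Pinned host keys are required so the first connection is not trusted blindly.
  if [ ! -s "${DEPLOY_KNOWN_HOSTS:-}" ]; then
    echo "preflight: DEPLOY_KNOWN_HOSTS is missing or empty" >&2
    return 1
  fi
}

# Run a command on the target using only the provided key and pinned host keys.
run_remote() {
  "${SSH_BIN:-ssh}" -i "$CI_SSH_KEY" \
    -o IdentitiesOnly=yes -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$DEPLOY_KNOWN_HOSTS" \
    "$DEPLOY_HOST" "$@"
}

# Entry point; runs only when invoked with --deploy as the first argument.
if [ "${1:-}" = "--deploy" ]; then
  preflight || exit 1
  run_remote systemctl restart example.service  # constructed remote command
fi
```

IdentitiesOnly=yes keeps ssh from offering any key other than the one passed with -i, and BatchMode=yes makes a missing or rejected key fail immediately instead of waiting on a prompt.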
    nix-ci: # optional
      deploy: # optional
        # default: {}
        # Deploy Configurations
        <key>:
          # DeployConfiguration
          enable: # optional
            # default: true
            # enable this deployment
            <boolean>
          package: # required
            # package of which the main program will be run
            <string>
          system: # optional
            # system on which the deployment will be run
            <string>
          branches: # optional
            # branches from which may be deployed
            - <string>
          secrets: # optional
            # default: []
            # secrets provided to the deployment
            - <string>
          ssh-keys: # optional
            # default: []
            # ssh keys provided to the deployment
            - # SshKeyConfiguration
              secret: # required
                # name of the secret to use as the private key
                <string>
              public-key: # required
                # public key of the ssh key
                <string>