Remove old staging deployment, automatically deploy tracker.security.nixos.org

.github/workflows/bump.yaml

@@ -18,9 +18,9 @@
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: |
-          nix-shell default.nix -A ci --run "npins -d ./staging/npins update"
+          nix-shell default.nix -A ci --run "npins -d ./infra/npins update"
       - uses: actions/create-github-app-token@v1
         id: generate-token
         with:

.github/workflows/deployments.yaml

@@ -18,10 +18,10 @@
           stack: dual
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - uses: webfactory/ssh-agent@v0.9.0
         with:
           ssh-private-key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
       - name: Trust staging server public SSH host keys
-        run: cat ./staging/staging_host_keys >> ~/.ssh/known_hosts
+        run: cat ./infra/host_keys >> ~/.ssh/known_hosts
       - run: nix-shell default.nix -A ci --run deploy

.github/workflows/dry-activations.yaml

@@ -14,16 +14,12 @@
   staging:
     runs-on: ubuntu-latest
     steps:
-      - name: Setup WARP to gain IPv6
-        uses: fscarmen/warp-on-actions@v1.1
-        with:
-          stack: dual
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - uses: webfactory/ssh-agent@v0.9.0
         with:
           ssh-private-key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
       - name: Trust staging server public SSH host keys
-        run: cat ./staging/staging_host_keys >> ~/.ssh/known_hosts
+        run: cat ./infra/host_keys >> ~/.ssh/known_hosts
       - run: nix-shell default.nix -A ci --run "deploy dry-activate"

CONTRIBUTING.md

@@ -279,12 +279,12 @@ Not passing `--subset N` will take about an hour and produce ~500 MB of data.
 If you have your SSH keys set up on the staging environment (and can connect through IPv6), you can deploy the service with:
 
 ```console
-./staging/deploy.sh
+./infra/deploy.sh
 ```
 
 ### Adding SSH keys
 
-Add your SSH keys to `./staging/configuration.nix` and let existing owners deploy them.
+Add your SSH keys to `./infra/configuration.nix` and let existing owners deploy them.
 
 ## Operators guidance
 
@@ -295,5 +295,3 @@ Sentry-like collectors are endpoints where we ship error information from the Py
 Collectors are configured using [a DSN, i.e. a data source name.](https://docs.sentry.io/concepts/key-terms/dsn-explainer/) in Sentry parlance, this is where events are sent to.
 
 You can set `GLITCHTIP_DSN` as a credential secret with a DSN and this will connect to a Sentry-like endpoint via your DSN.
-
-We don't use Sentry but we run GlitchTip on staging.

default.nix

@@ -18,7 +18,7 @@ rec {
   overlays = [ overlay ];
   package = pkgs.web-security-tracker;
   module = import ./nix/web-security-tracker.nix;
-  dev-container = import ./staging/container.nix;
+  dev-container = import ./infra/container.nix;
   dev-setup = import ./nix/dev-setup.nix;
 
   pre-commit-check = pkgs.pre-commit-hooks {
@@ -98,30 +98,19 @@ rec {
     let
       deploy = pkgs.writeShellApplication {
         name = "deploy";
-        text = builtins.readFile ./staging/deploy.sh;
+        text = builtins.readFile ./infra/deploy.sh;
         runtimeInputs = with pkgs; [
           nixos-rebuild
           coreutils
         ];
         # TODO: satisfy shellcheck
         checkPhase = "";
       };
-      dump-database = pkgs.writeShellApplication {
-        name = "dump-database";
-        text = builtins.readFile ./staging/dump-database.sh;
-        runtimeInputs = with pkgs; [
-          awscli
-          pv
-        ];
-        # TODO: satisfy shellcheck
-        checkPhase = "";
-      };
     in
     pkgs.mkShellNoCC {
       packages = [
         pkgs.npins
         deploy
-        dump-database
       ];
     };
 
@@ -130,7 +119,7 @@ rec {
       manage = pkgs.writeScriptBin "manage" ''
         ${python3}/bin/python ${toString ./src/website/manage.py} $@
       '';
-      deploymentSources = import ./staging/npins;
+      deploymentSources = import ./infra/npins;
     in
     pkgs.mkShellNoCC {
       env = {

staging/deploy.sh → infra/deploy.sh

@@ -7,7 +7,7 @@ DIR=$(git rev-parse --show-toplevel)
 VERB=${1:-switch}
 # make sure we're building with the version of Nixpkgs under our control
 # TODO: fix the build on the latest nixpkgs-unstable and use that one for deployment
-# export NIX_PATH=nixpkgs=$(nix-instantiate --eval -E '(import ./staging/npins).nixpkgs.outPath' | tr -d '"')
+# export NIX_PATH=nixpkgs=$(nix-instantiate --eval -E '(import ./infra/npins).nixpkgs.outPath' | tr -d '"')
 export NIX_PATH=nixpkgs=$(nix-instantiate --eval -A pkgs.path)
 
 # Note: we could refactor the conditional here.
@@ -21,18 +21,16 @@ export NIX_PATH=nixpkgs=$(nix-instantiate --eval -A pkgs.path)
 if [[ "$VERB" != "build" ]]; then
   # Perform a dry-activation first.
   echo "dry-activating the configuration first..."
-  nixos-rebuild dry-activate -I nixos-config=$DIR/staging/configuration.nix --target-host root@sectracker.nixpkgs.lahfa.xyz
+  nixos-rebuild dry-activate -I nixos-config=$DIR/infra/configuration.nix --target-host root@tracker.security.nixos.org
 else
   echo "skipping the dry-activation as we are using an offline verb."
 fi
 
 
 if [[ "$VERB" != "build" ]]; then
-  # This requires IPv6 to work as SSH is only IPv6-only.
-  # Sorry, not sorry.
   echo "$VERB-ing the configuration now."
-  nixos-rebuild $VERB -I nixos-config=$DIR/staging/configuration.nix --target-host root@sectracker.nixpkgs.lahfa.xyz
+  nixos-rebuild $VERB -I nixos-config=$DIR/infra/configuration.nix --target-host root@tracker.security.nixos.org
 else
   echo "building the configuration now."
-  nixos-rebuild build -I nixos-config=$DIR/staging/configuration.nix
+  nixos-rebuild build -I nixos-config=$DIR/infra/configuration.nix
 fi

infra/host_keys

@@ -0,0 +1,7 @@
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+tracker.security.nixos.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQClYYPyUzZa686OZUspMsuhyPLgKKV/4IE6ygmx9DfduKkXj21LvvuxO7m+xxnfcd3YLP/NckObF+wyR4BdQSDJw+G140YzkHWEDeAgPVgXAs4+wlLhAzsHmJ+bEwDCVKcOhjRYDV4J0WbBel5EgVf1f3BsDFAxDrgFM8K8ZkJcLScOPbCYfJWhqCsjKzeMwfZKJfWivIO7lW44reX+GhwzmmBfWXyWX6ueMrjA8fUDagT8mGrEFa0nXwn/pFAchkQSzEozrMa6HyoNjzN1y8ddTxz+nMaRsf4uIbInZAb+h4RI8cD+sAzNDtNuVQZld9s8Q9M/HNQVC6c4qwyVSg6SysdHZgErpwVEmg07fvZbS67WfeOQi1K3ECgdpS5jfCOtu6eM/MjSPz64EHQesR1PzxmufOaq6kE3vg9CyixVaZ54jQlqu3Hw/a+QlW1ZwReJ87onrjRWTU69oEyGWoZinLqZRzV9fO7iQFwQO7zdTLQZ7aXeX9x9NDS66vOMVCL+LuwhP6HTb2QvAOZdfLMEbyiK1MUa/GmHdzQStCxPyi0SxtEZGPK0Pdf91Rjhf0PzeBSwEXUKTPyhk9XYE220ibCy8lc0SQdyaBOHANguonVETIAmHI9bd2yj/6qFe/ZTtRXraIEou5ZxPl7oO81tNQ4txZTqVH0rqxvrouM3tw==
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8
+tracker.security.nixos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHib5Kk39PzPEheOf8fwIyeVbVgSzUiqUN2vSIXHO7N
+# tracker.security.nixos.org:22 SSH-2.0-OpenSSH_9.8

infra/npins/sources.json

@@ -18,9 +18,9 @@
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz",
-      "hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre746410.102a39bfee44/nixexprs.tar.xz",
+      "hash": "0gky8z82fvcriqfnpwiisgx35x7ap2fx0nbr2h1l47352cpmq72l"
     }
   },
   "version": 3
-}
+}

infra/terraform.tf

@@ -29,7 +29,7 @@ provider "hcloud" {
 resource "hcloud_server" "stfmaster" {
   name        = "security-tracker-1"
   image       = "debian-12"
-  server_type = "cx32"
+  server_type = "cpx41"
   public_net {
     ipv4_enabled = true
     ipv6_enabled = true