The deployment server listens for the github pull_request web hook, if the event has the merged_at attribute set then it will nixops deploy the origin/master branch from where it is running.
Note that for simplicity it will exclude the nixops machine so if you make changes to that machine configuration you will need to deploy manually. One of the issues is that if a change is made to the deployment server service then it will restart during the deployment and end the deployment early.
The deployment server is run on the nixops server however it is only enabled if the githubWebhookKey is present in secrets.json.
The deployment server relies on a nixops deployment called playgrounds existing. The reason for this is that it's difficult to manage ssh keys for the service however when a deployment is created the keys it is created with are stored in the state. Additionally this means you can rollback the deployment manually etc. Hopefully you called your original deployment playgrounds however if you didn't you can just create a new deployment with that name and delete the old one with the --force flag set.
If you're using the deployment server then whenever you deploy manually you will need to do nixops modify ./default.nix ./network.nix -d playgrounds first.
As far as I understand, the service needs to be run as root in order to run the deployment so there are limits on how much we can lock down this service.
- The server needs to be locked down a bit
- Expose to the internet
- Alert somewhere when deployment succeeds or fails
- Fix nixpkgsLocation FIXME
- Enable configuration of branch to deploy (not high priority)