From e4b2886f5443af06e885b3c4d871c30a33ede3fb Mon Sep 17 00:00:00 2001
From: Hermes
Date: Wed, 20 May 2026 14:19:13 -0400
Subject: [PATCH] ci: add NixOS build and test workflow
Creates .gitea/workflows/build-nixos.yml that triggers on push/PR to master when Nix files, flake.lock, secrets, hosts, or modules change. Includes:
- Setup step to enable Nix experimental features and install nh
- Build step for lazyworkhorse (x86_64-linux) via nh os build
- Build step for cyt-pi (aarch64-linux) via nh os build
- Placeholder integration test step
Runner label: nixos-builder (Docker image nixos/nix)
---
.gitea/workflows/build-nixos.yml | 64 ++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 .gitea/workflows/build-nixos.yml
diff --git a/.gitea/workflows/build-nixos.yml b/.gitea/workflows/build-nixos.yml
new file mode 100644
index 0000000..51de282
--- /dev/null
+++ b/.gitea/workflows/build-nixos.yml
@@ -0,0 +1,64 @@
+name: NixOS Build & Test
+run-name: Build ${{ gitea.event_name == 'push' && gitea.ref_name || format('PR #{0}', gitea.event.pull_request.number) }}
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '**.nix'
+ - 'flake.lock'
+ - 'secrets/**'
+ - 'hosts/**'
+ - 'modules/**'
+ pull_request:
+ branches:
+ - master
+ paths:
+ - '**.nix'
+ - 'flake.lock'
+ - 'secrets/**'
+ - 'hosts/**'
+ - 'modules/**'
+
+jobs:
+ build:
+ runs-on: nixos-builder
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Nix environment
+ run: |
+ echo "extra-experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+ cat ~/.config/nix/nix.conf
+
+ - name: Install nh (nix helper)
+ run: |
+ nix --extra-experimental-features "nix-command flakes" \
+ profile add nixpkgs#nh
+ nh --version
+
+ - name: Build NixOS configuration (lazyworkhorse)
+ run: |
+ nh os build .#lazyworkhorse
+ env:
+ NIX_CONFIG: "extra-experimental-features = nix-command flakes"
+
+ - name: Build NixOS configuration (cyt-pi)
+ run: |
+ nh os build .#cyt-pi
+ env:
+ NIX_CONFIG: "extra-experimental-features = nix-command flakes"
+
+ - name: Integration tests (placeholder)
+ run: |
+ echo "TODO: Add integration tests here"
+ echo ""
+ echo "Suggested future checks:"
+ echo " - nix flake check (evaluate all NixOS configs)"
+ echo " - Validate agenix secrets are decryptable"
+ echo " - Check services are defined correctly"
+ echo " - Run VM test if nixos-test infrastructure exists"
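Review bot: The `Install nh (nix helper)` step resolves `nixpkgs#nh` through the flake registry, so the tool that builds both host configurations comes from whatever nixpkgs revision the registry points at when the job runs, not the one recorded in `flake.lock`; `nix profile add --inputs-from . nixpkgs#nh` would take it from the repository's locked inputs (assuming the flake has an input named `nixpkgs`). `actions/checkout@v4` is likewise a movable tag, and pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v4`) closes the same gap. In `Set up Nix environment`, `cat ~/.config/nix/nix.conf` writes the whole file to the job log, which matters if the runner's config ever carries `access-tokens` or similar, so I would drop the `cat` or print only the line just added. That step also appends to `~/.config/nix/nix.conf` without creating the directory, so it presumably fails on a clean container; `mkdir -p ~/.config/nix` before the `echo` fixes that. Because `pull_request` is also a trigger, these steps evaluate and build contributor-supplied Nix expressions on `nixos-builder`, so it is worth confirming that the runner holds no agenix keys or cache credentials.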