- Add -json flag to nomad job run (API JSON uses PascalCase, not HCL2)
- Quote heredoc to prevent shell from mangling Nomad interpolations
- Use Forgejo template expressions for S3 creds in fetch task env
- Fix Volumes to map format (Nomad API JSON, not array)
- Remove unused shell variable assignments
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Prestart task fetches from S3 binary cache into shared volume
- Server task serves from shared volume (read-only)
- Build uses S3 cache as substituter (ultra-fast builds for shared deps)
- Push entire closure to cache (derivation + dependencies)
- No host involvement, pure container isolation
Architecture:
- Site A builds nodejs_20 + vite → pushed to cache
- Site B builds → pulls nodejs_20 + vite from cache (instant)
- Only builds site-specific code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Build in isolated Nix container
- Push to S3 binary cache (no host /nix/store access)
- Pull specific store paths to alvin
- Mount only specific /nix/store/hash to /var/www (read-only)
- Generate signing keys for cache authentication
- Update documentation with binary cache setup
Security improvements:
- Build container has no access to host /nix/store
- Web server only mounts its specific store path
- Proper isolation at every layer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- New deploy-nix-site action using Nix flakes
- Runs in nixos/nix:latest container for proper isolation
- Builds using flake.nix, uploads to S3, deploys to Nomad
- Update deploy-site action to install Nomad CLI
- Document both actions in README
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
