- Build in isolated Nix container
- Push to S3 binary cache (no host /nix/store access)
- Pull specific store paths to alvin
- Mount only specific /nix/store/hash to /var/www (read-only)
- Generate signing keys for cache authentication
- Update documentation with binary cache setup

Security improvements:
- Build container has no access to host /nix/store
- Web server only mounts its specific store path
- Proper isolation at every layer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- New deploy-nix-site action using Nix flakes
- Runs in nixos/nix:latest container for proper isolation
- Builds using flake.nix, uploads to S3, deploys to Nomad
- Update deploy-site action to install Nomad CLI
- Document both actions in README
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
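The pipeline these two commits describe (build in a nixos/nix container with no host /nix/store, sign and push to an S3 binary cache, pull one store path on the host, bind-mount it read-only on /var/www), as an added example; this is not the repository's own action or script. The bucket name, key name, flake output `.#site`, and the `validate_store_path` helper are assumptions; `alvin` and `/var/www` are taken from the commit message. The Nomad deploy step is not shown.

```shell
#!/usr/bin/env bash
# Added example of a signed Nix binary-cache deploy. Not the project's own code.
# Assumed: bucket "example-nix-cache", key name "cache.example.com-1",
# flake output ".#site". Target host "alvin" and /var/www come from the commits.
set -eu

CACHE_URL='s3://example-nix-cache?region=us-east-1'   # assumed bucket
KEY_NAME='cache.example.com-1'                         # assumed key name
FLAKE_ATTR='.#site'                                    # assumed flake output
SITE_ROOT='/var/www'                                   # from the commit message

# A store path is /nix/store/<32 chars of Nix base32>-<name>. Refusing anything
# else is what keeps "mount only a specific store path" honest: the deploy step
# cannot be pointed at /nix/store itself, a parent directory or another host path.
# (Nix base32 alphabet omits e, o, t, u.)
validate_store_path() {
  printf '%s\n' "$1" | grep -Eq '^/nix/store/[0-9abcdfghijklmnpqrsvwxyz]{32}-[^/]+$'
}

# 1. One-time: generate the cache signing keypair. The private key stays on the
#    build side; only the public key goes to alvin.
generate_cache_key() {
  nix-store --generate-binary-cache-key "$KEY_NAME" cache-priv-key.pem cache-pub-key.pem
  chmod 600 cache-priv-key.pem
}

# 2. Build inside the nixos/nix container. Only the source tree and the signing
#    key are mounted; the host's /nix/store is never exposed to the build.
#    AWS credentials are passed through from the environment for the S3 push.
build_in_container() {
  export FLAKE_ATTR CACHE_URL
  docker run --rm \
    -v "$PWD:/src:ro" -v "$PWD/cache-priv-key.pem:/run/secrets/key:ro" \
    -w /src -e FLAKE_ATTR -e CACHE_URL \
    -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
    -e NIX_CONFIG='experimental-features = nix-command flakes' \
    nixos/nix:latest \
    sh -c 'out=$(nix build --no-link --print-out-paths "$FLAKE_ATTR") \
           && nix store sign --key-file /run/secrets/key --recursive "$out" \
           && nix copy --to "$CACHE_URL" "$out" \
           && echo "$out"'
}

# 3. On alvin (as root or a trusted-user, otherwise put the key in nix.conf):
#    fetch exactly one store path from the cache, accepting it only with a
#    signature from our key, then verify every path in its closure.
pull_on_host() {
  out="$1"; pubkey="$2"
  validate_store_path "$out" || { echo "refusing non-store path: $out" >&2; return 1; }
  nix copy --from "$CACHE_URL" \
    --option trusted-public-keys "$pubkey" \
    --option require-sigs true \
    "$out"
  nix path-info --recursive "$out" \
    | xargs nix store verify --sigs-needed 1 --trusted-public-keys "$pubkey"
}

# 4. Bind-mount that single path read-only over the web root. Nothing else
#    under /nix/store becomes visible to the web server.
mount_site() {
  out="$1"
  validate_store_path "$out" || return 1
  mount --bind "$out" "$SITE_ROOT"
  mount -o remount,bind,ro "$SITE_ROOT"
}

# End-to-end run, guarded so that sourcing the file executes nothing.
# Steps 3 and 4 are run on alvin with the store path and public key shipped over.
if [ "${DEPLOY_RUN:-}" = "1" ]; then
  [ -f cache-priv-key.pem ] || generate_cache_key
  OUT=$(build_in_container)
  pull_on_host "$OUT" "$(cat cache-pub-key.pem)"
  mount_site "$OUT"
fi
```

The read-only remount is a separate step because older util-linux silently ignores `-o ro` on the initial bind mount; checking `mount | grep /var/www` for `ro` after deploy is the cheap confirmation. `trusted-public-keys` passed via `--option` is a restricted setting: when the command runs through the Nix daemon as an untrusted user it is ignored, so on alvin it belongs in `/etc/nix/nix.conf` unless the deploy runs as root.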