Address medium severity security issues:
- Validate repo names in config only allow alphanumeric, dash, underscore
(prevents NATS subject injection via dots or wildcards)
- Validate repo URLs must start with git+https://, git+ssh://, or git+file://
- Validate ReplyTo field must start with "build.responses." to prevent
publishing responses to arbitrary NATS subjects
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add input validation to address security concerns:
- Validate Target field in BuildRequest against safe character pattern
(must be "all" or match alphanumeric/dash/underscore/dot pattern)
- Filter hostnames discovered from nix flake show output, skipping any
with invalid characters before using them in build commands
This prevents potential command injection via crafted NATS messages or
malicious flake configurations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a new "builder" capability to trigger Nix builds on a dedicated
build host via NATS messaging. This allows pre-building NixOS
configurations before deployment.
New components:
- Builder mode: subscribes to build.<repo>.* subjects, executes nix build
- Build CLI command: triggers builds with progress tracking
- MCP build tool: available with --enable-builds flag
- Builder metrics: tracks build success/failure per repo and host
- NixOS module: services.homelab-deploy.builder
The builder uses a YAML config file to define allowed repositories
with their URLs and default branches. Builds can target all hosts
or specific hosts, with real-time progress updates.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Send periodic "running" status messages while nixos-rebuild executes,
preventing the idle timeout from triggering before deployments complete.
This fixes false "Some deployments failed" warnings in MCP when builds
take longer than 30 seconds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement the complete homelab-deploy system with three operational modes:
- Listener mode: Runs on NixOS hosts as a systemd service, subscribes to
NATS subjects with configurable templates, executes nixos-rebuild on
deployment requests with concurrency control
- MCP mode: MCP server exposing deploy, deploy_admin, and list_hosts
tools for AI assistants with tiered access control
- CLI mode: Manual deployment commands with subject alias support via
environment variables
Key components:
- internal/messages: Request/response types with validation
- internal/nats: Client wrapper with NKey authentication
- internal/deploy: Executor with timeout and lock for concurrency
- internal/listener: Subject template expansion and request handling
- internal/cli: Deploy logic with alias resolution
- internal/mcp: MCP server with mcp-go integration
- nixos/module.nix: NixOS module with hardened systemd service
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
