port deploy/secrets operations to mise tasks and update README

syscod3 · syscod3 · commit 013da1951133 · 2026-03-16T01:11:31.000Z
diff --git a/README.md b/README.md
@@ -140,39 +140,40 @@ Build without switching (test configuration):
 sudo nixos-rebuild build --flake .#laptop
 ```
 
-### Legacy operational commands (migration pending)
+### Operational commands (mise-first)
 
-Host install/deploy and secret operations are still `just`-based while task migration is in progress.
+Use `mise` tasks for deploy and secrets workflows.
 
 ### Remote Deployment (from central laptop)
 
 Deploy to a remote machine:
 ```bash
-just deploy <hostname>
+HOST=<hostname> mise run deploy
 
 # Examples
-just deploy spark
-just deploy vps-alpha
+HOST=spark mise run deploy
+HOST=vps-alpha mise run deploy
 ```
 
 Pull latest changes and deploy:
 ```bash
-just pull-deploy <hostname>
+HOST=<hostname> mise run pull-deploy
 ```
 
 Sync changes made on remote machine back to central repo:
 ```bash
-just sync-remote <hostname>
+HOST=<hostname> mise run sync-remote
 # Then review, commit, and push
 ```
 
 ### Update flake inputs (update nixpkgs, home-manager, etc.)
 ```bash
-just update
+mise run update
 ```
 
-### List all available legacy operational commands
+### Legacy compatibility commands
 ```bash
+# Still available during migration window:
 just --list
 ```
 
@@ -213,18 +214,18 @@ This repository uses **sops-nix** with GPG and age for secrets encryption.
 
 ### Edit encrypted secrets:
 ```bash
-just secrets                              # Edit common secrets
-just secrets secrets/vps/knock-sequences.yaml  # Edit specific file
+mise run secrets                                     # Edit common secrets
+FILE=secrets/vps/knock-sequences.yaml mise run secrets
 ```
 
 ### View decrypted secrets:
 ```bash
-just secrets-view secrets/common/secrets.yaml
+FILE=secrets/common/secrets.yaml mise run secrets-view
 ```
 
 ### Update encryption keys (after adding new host):
 ```bash
-just secrets-update
+mise run secrets-update
 ```
 
 **See `docs/SOPS_GPG_SETUP.md` for complete setup guide.**
@@ -311,13 +312,21 @@ mise tasks ls
 mise run ci-validate
 mise run ci-security
 
-# Legacy ops path (still just-based while migration is in progress)
+# Deploy + sync operations
+HOST=<hostname> mise run deploy
+HOST=<hostname> mise run pull-deploy
+HOST=<hostname> mise run sync-remote
+HOST=<hostname> BRANCH=main mise run remote-push
+
+# Secrets operations
+mise run secrets
+FILE=secrets/common/secrets.yaml mise run secrets-view
+mise run secrets-update
+
+# Flake input update
+mise run update
+
+# Legacy path for host bootstrap/install (until migrated)
 just --list
 just install <host> <category> <ip>
-just deploy <hostname>
-just deploy-all
-just update
-just secrets
-just knock <vps-hostname>
-just sync-remote <hostname>
 ```
diff --git a/mise.toml b/mise.toml
@@ -1,6 +1,11 @@
 [tools]
 python = "3.13"
 
+[tasks.check]
+description = "Alias for flake check"
+depends = ["flake-check"]
+run = "echo 'check complete'"
+
 [tasks.fmt]
 description = "Format Nix files"
 run = '''
@@ -53,3 +58,66 @@ if find . -type f -exec grep -l "BEGIN.*PRIVATE KEY" {} \\; | grep -v ".secrets.
   exit 1
 fi
 '''
+
+[tasks.update]
+description = "Update flake inputs"
+run = '''
+set -euo pipefail
+./scripts/mise/update.sh
+'''
+
+[tasks.deploy]
+description = "Deploy to host (set HOST=<name>)"
+run = '''
+set -euo pipefail
+./scripts/mise/deploy.sh
+'''
+
+[tasks.deploy-all]
+description = "Deploy to standard host set"
+run = '''
+set -euo pipefail
+./scripts/mise/deploy-all.sh
+'''
+
+[tasks.pull-deploy]
+description = "git pull then deploy (set HOST=<name>)"
+run = '''
+set -euo pipefail
+./scripts/mise/pull-deploy.sh
+'''
+
+[tasks.sync-remote]
+description = "Sync changed files from remote host (set HOST=<name>)"
+run = '''
+set -euo pipefail
+./scripts/mise/sync-remote.sh
+'''
+
+[tasks.remote-push]
+description = "Commit/push from remote host via agent forwarding (HOST, optional BRANCH)"
+run = '''
+set -euo pipefail
+./scripts/mise/remote-push.sh
+'''
+
+[tasks.secrets]
+description = "Edit encrypted secrets (optional FILE=secrets/...yaml)"
+run = '''
+set -euo pipefail
+./scripts/mise/secrets-edit.sh
+'''
+
+[tasks.secrets-view]
+description = "View decrypted secrets (optional FILE=secrets/...yaml)"
+run = '''
+set -euo pipefail
+./scripts/mise/secrets-view.sh
+'''
+
+[tasks.secrets-update]
+description = "Run sops updatekeys on secrets/*.yaml"
+run = '''
+set -euo pipefail
+./scripts/mise/secrets-update.sh
+'''
diff --git a/scripts/mise/deploy-all.sh b/scripts/mise/deploy-all.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+hosts=(bit spark hermes vps-alpha server-alpha)
+for host in "${hosts[@]}"; do
+  echo "deploying $host"
+  deploy ".#$host"
+done
diff --git a/scripts/mise/deploy.sh b/scripts/mise/deploy.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+host="${HOST:-${1:-}}"
+if [ -z "$host" ]; then
+  echo "usage: HOST=<host> mise run deploy"
+  exit 1
+fi
+exec deploy ".#$host"
diff --git a/scripts/mise/pull-deploy.sh b/scripts/mise/pull-deploy.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+host="${HOST:-${1:-}}"
+if [ -z "$host" ]; then
+  echo "usage: HOST=<host> mise run pull-deploy"
+  exit 1
+fi
+git pull --ff-only
+deploy ".#$host"
diff --git a/scripts/mise/remote-push.sh b/scripts/mise/remote-push.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+host="${HOST:-${1:-}}"
+branch="${BRANCH:-${2:-main}}"
+remote_path="${REMOTE_PATH:-/etc/nixos}"
+if [ -z "$host" ]; then
+  echo "usage: HOST=<host> [BRANCH=main] mise run remote-push"
+  exit 1
+fi
+
+ssh -A "$host" bash -s <<EOS
+set -euo pipefail
+cd "$remote_path"
+if [[ -z \\$(git status --porcelain) ]]; then
+  echo "no changes to commit on $host"
+  exit 0
+fi
+git add .
+git commit -m "chore: update from $host [\\$(date +%Y-%m-%d)]"
+git push origin "$branch"
+EOS
diff --git a/scripts/mise/secrets-edit.sh b/scripts/mise/secrets-edit.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+file="${FILE:-${1:-secrets/common/secrets.yaml}}"
+exec sops "$file"
diff --git a/scripts/mise/secrets-update.sh b/scripts/mise/secrets-update.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+while IFS= read -r file; do
+  [ -n "$file" ] || continue
+  echo "updating keys: $file"
+  sops updatekeys "$file"
+done < <(find secrets -type f \( -name '*.yaml' -o -name '*.yml' \) | sort)
diff --git a/scripts/mise/secrets-view.sh b/scripts/mise/secrets-view.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+file="${FILE:-${1:-secrets/common/secrets.yaml}}"
+exec sops -d "$file"
diff --git a/scripts/mise/sync-remote.sh b/scripts/mise/sync-remote.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+host="${HOST:-${1:-}}"
+remote_path="${REMOTE_PATH:-/etc/nixos}"
+if [ -z "$host" ]; then
+  echo "usage: HOST=<host> mise run sync-remote"
+  exit 1
+fi
+
+tmp_dir="$(mktemp -d)"
+trap 'rm -rf "$tmp_dir"' EXIT
+
+ssh "$host" "cd '$remote_path' && git diff --name-only" > "$tmp_dir/changed_files.txt"
+if [ ! -s "$tmp_dir/changed_files.txt" ]; then
+  echo "no changes on $host"
+  exit 0
+fi
+
+echo "changed files:"
+cat "$tmp_dir/changed_files.txt"
+
+while IFS= read -r file; do
+  [ -n "$file" ] || continue
+  mkdir -p "$(dirname "$file")"
+  scp "$host:$remote_path/$file" "$file"
+done < "$tmp_dir/changed_files.txt"
+
+echo "sync complete; review with git diff"
diff --git a/scripts/mise/update.sh b/scripts/mise/update.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+nix flake update
+echo "flake inputs updated; review flake.lock and commit"
