
create proper example

Ingolf Wanger 1 year ago
parent
commit
1240cbee62
6 changed files with 106 additions and 130 deletions
  1. 34 46
      README.md
  2. 0 10
      doc/50_keys.md
  3. 14 0
      doc/50_tmpfs.md
  4. 0 72
      example.nix
  5. 56 0
      example/shell.nix
  6. 2 2
      shell.nix

+ 34 - 46
README.md

@@ -14,85 +14,73 @@ minimal setup
 ``` {.nix}
 
 let
+  # import plops with pkgs and lib
   ops = import ((import <nixpkgs> {}).fetchgit {
     url = "https://github.com/mrVanDalo/plops.git";
     rev = "ed4308552511a91021bc979d8cfde029995a9543";
     sha256 = "0vc1wqgxz85il8az07npnppckm8hrnvn9zlb4niw1snmkd2jjzx8";
   });
-
   lib = ops.lib;
   pkgs = ops.pkgs;
 
+  # define all sources
   sources = {
 
-    nixPkgs = {
-      nixpkgs.git = {
-        ref = "19.03";
-        url = https://github.com/NixOS/nixpkgs-channels;
-      };
-      nixpkgs-unstable.git = {
-        ref = "19.09";
-        url = https://github.com/NixOS/nixpkgs-channels;
-      };
+    # nixpkgs (no need for channels anymore)
+    nixPkgs.nixpkgs.git = {
+      ref = "19.03";
+      url = https://github.com/NixOS/nixpkgs-channels;
     };
 
+    # system configurations
     system = name: {
-      system.file = toString ./system;
       configs.file = toString ./configs;
       nixos-config.symlink = "configs/${name}/configuration.nix";
     };
 
+    # secrets which are hold and stored by pass
     secrets = name: {
       secrets.pass = {
         dir  = toString ./secrets;
-        name = "${name}/persist";
-      };
-    };
-    keys = name: {
-      keys.pass = {
-        dir  = toString ./secrets;
-        name = "${name}/tmpfs";
+        name = name;
       };
     };
   };
 
-  serverDeployment = name: {
-    host ? "${name}.private",
-    user ? "root"
-  }:
-  with ops;
-  jobs "deploy-${name}" "${user}@${host}" [
-    (populateTmpfs (source.keys name))
-    (populate (source.secrets name))
-    (populate (source.system name))
-    (populate source.nixPkgs)
-    switch
-  ];
-
-  servers = with lib;
-  let
-    serverList = [ "schasch" "kruck" "sputnik" "porani" ];
-    deployments = flip map serverList  ( name:  serverDeployment name {} );
-  in
-  deployments;
-
 in
 pkgs.mkShell {
 
-  buildInputs = servers;
+  # define 2 servers
+  buildInputs = with ops; [
+    (jobs "deploy-server" "root@94.3.23.12" [
+      # deploy secrets to /run/secrets
+      (populateTmps (source.secrets name))
+      # deploy system to /var/src/system
+      (populate (source.system name))
+      # deploy nixpkgs to /var/src/nixpkgs
+      (populate source.nixPkgs)
+      # run nixos-rebuild switch -I /var/src -I /run/secrets
+      # todo : make sure that -I /run/secrets are is called
+      switch
+    ])
+  ];
 
   shellHook = ''
-      export PASSWORD_STORE_DIR=./secrets
+    export PASSWORD_STORE_DIR=./secrets
   '';
 }
 ```
 
-`/run/keys`
-===========
+tmpfs
+-----
 
-the switch command includes also everything in `/run/keys` which can be
-populated using `populatedTmpfs` and can be accessed via `<keys/...>`
+`plops` can populate your files and folders everywhere you want. It
+comes with a function `populateTmpfs` which populates the files and
+folders in `/run/keys/<name>`. So these keys will be gone after a
+restart of the machine.
 
-These keys will be gone after a restart of the machine.
+You can reference theses folder in your `configuration.nix` like all the
+other sources. For this example it would be `<secrets/my-secret-key>`.
 
-There is a module which makes it easy to handle theses tmpfs-keys.
+There is a module which makes it easy to handle systemd services
+depending on theses tmpfs files (which are not present at boot time).

+ 0 - 10
doc/50_keys.md

@@ -1,10 +0,0 @@
-# `/run/keys`
-
-the switch command includes also everything
-in `/run/keys` which can be populated using 
-`populatedTmpfs` and can be accessed via `<keys/...>`
-
-These keys will be gone after a restart of the machine.
-
-There is a module which makes it easy to handle
-theses tmpfs-keys.

+ 14 - 0
doc/50_tmpfs.md

@@ -0,0 +1,14 @@
+## tmpfs
+
+`plops` can populate your files and folders everywhere you want.
+It comes with a function `populateTmpfs`
+which populates the files and folders in `/run/keys/<name>`.
+So these keys will be gone after a restart of the machine.
+
+You can reference theses folder in your `configuration.nix`
+like all the other sources.
+For this example it would be `<secrets/my-secret-key>`.
+
+There is a module which makes it easy to handle
+systemd services depending on theses tmpfs files
+(which are not present at boot time).

+ 0 - 72
example.nix

@@ -1,72 +0,0 @@
-let
-  ops = import ((import <nixpkgs> {}).fetchgit {
-    url = "https://github.com/mrVanDalo/plops.git";
-    rev = "ed4308552511a91021bc979d8cfde029995a9543";
-    sha256 = "0vc1wqgxz85il8az07npnppckm8hrnvn9zlb4niw1snmkd2jjzx8";
-  });
-
-  lib = ops.lib;
-  pkgs = ops.pkgs;
-
-  sources = {
-
-    nixPkgs = {
-      nixpkgs.git = {
-        ref = "19.03";
-        url = https://github.com/NixOS/nixpkgs-channels;
-      };
-      nixpkgs-unstable.git = {
-        ref = "19.09";
-        url = https://github.com/NixOS/nixpkgs-channels;
-      };
-    };
-
-    system = name: {
-      system.file = toString ./system;
-      configs.file = toString ./configs;
-      nixos-config.symlink = "configs/${name}/configuration.nix";
-    };
-
-    secrets = name: {
-      secrets.pass = {
-        dir  = toString ./secrets;
-        name = "${name}/persist";
-      };
-    };
-    keys = name: {
-      keys.pass = {
-        dir  = toString ./secrets;
-        name = "${name}/tmpfs";
-      };
-    };
-  };
-
-  serverDeployment = name: {
-    host ? "${name}.private",
-    user ? "root"
-  }:
-  with ops;
-  jobs "deploy-${name}" "${user}@${host}" [
-    (populateTmpfs (source.keys name))
-    (populate (source.secrets name))
-    (populate (source.system name))
-    (populate source.nixPkgs)
-    switch
-  ];
-
-  servers = with lib;
-  let
-    serverList = [ "schasch" "kruck" "sputnik" "porani" ];
-    deployments = flip map serverList  ( name:  serverDeployment name {} );
-  in
-  deployments;
-
-in
-pkgs.mkShell {
-
-  buildInputs = servers;
-
-  shellHook = ''
-      export PASSWORD_STORE_DIR=./secrets
-  '';
-}

+ 56 - 0
example/shell.nix

@@ -0,0 +1,56 @@
+let
+  # import plops with pkgs and lib
+  ops = import ((import <nixpkgs> {}).fetchgit {
+    url = "https://github.com/mrVanDalo/plops.git";
+    rev = "ed4308552511a91021bc979d8cfde029995a9543";
+    sha256 = "0vc1wqgxz85il8az07npnppckm8hrnvn9zlb4niw1snmkd2jjzx8";
+  });
+  lib = ops.lib;
+  pkgs = ops.pkgs;
+
+  # define all sources
+  sources = {
+
+    # nixpkgs (no need for channels anymore)
+    nixPkgs.nixpkgs.git = {
+      ref = "19.03";
+      url = https://github.com/NixOS/nixpkgs-channels;
+    };
+
+    # system configurations
+    system = name: {
+      configs.file = toString ./configs;
+      nixos-config.symlink = "configs/${name}/configuration.nix";
+    };
+
+    # secrets which are hold and stored by pass
+    secrets = name: {
+      secrets.pass = {
+        dir  = toString ./secrets;
+        name = name;
+      };
+    };
+  };
+
+in
+pkgs.mkShell {
+
+  # define 2 servers
+  buildInputs = with ops; [
+    (jobs "deploy-server" "root@94.3.23.12" [
+      # deploy secrets to /run/secrets
+      (populateTmps (source.secrets name))
+      # deploy system to /var/src/system
+      (populate (source.system name))
+      # deploy nixpkgs to /var/src/nixpkgs
+      (populate source.nixPkgs)
+      # run nixos-rebuild switch -I /var/src -I /run/secrets
+      # todo : make sure that -I /run/secrets are is called
+      switch
+    ])
+  ];
+
+  shellHook = ''
+    export PASSWORD_STORE_DIR=./secrets
+  '';
+}
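Review bot: The job body at lines 303–307 references `source` and `name`, neither of which is bound in this file — the let block defines `sources` (line 273) and the `name:` lambda from the removed example.nix is gone — so the example will not evaluate unless `ops` happens to export both through `with ops;`, and `populateTmps` on line 303 does not match the `populateTmpfs` name the docs use. Binding the server name once and using the attribute set that is actually defined fixes it: `(populateTmpfs (sources.secrets "server"))`, `(populate (sources.system "server"))`, `(populate sources.nixPkgs)`. The comment `# define 2 servers` on line 299 describes a single job, and `root@94.3.23.12` on line 301 reads like a concrete public address rather than an example host — a placeholder (a `.example` hostname, for instance) keeps a real machine out of a published README. The comment on line 302 says secrets land in `/run/secrets` while doc/50_tmpfs.md says `populateTmpfs` writes to `/run/keys/<name>`; one of the two should be corrected. The same snippet is embedded in the README.md hunk, which shell.nix now regenerates from this file, so fixing it here covers both.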

+ 2 - 2
shell.nix

@@ -7,9 +7,9 @@ let
                  -s \
                  ${toString ./doc/10_intro.md} \
                  ${toString ./doc/20_example.md} \
-                 ${toString ./example.nix} \
+                 ${toString ./example/shell.nix} \
                  ${toString ./doc/21_example.md} \
-                 ${toString ./doc/50_keys.md} \
+                 ${toString ./doc/50_tmpfs.md} \
                  -f markdown -t markdown \
                  -o ${toString ./README.md}
   '';