nixos/krops.md : filled out the grid but there is still stuff to do
parent b1c873fdea
commit 37cb4f1492
@ -9,8 +9,6 @@ tags:
- password-store
---

# Krops = Krebs OPs an alternative to NixOPs

[NixOps](https://nixos.org/nixops/) the official DevOps tool of
[NixOS ](https://nixos.org) is nice, but it has some flaws.
[Krops](https://cgit.krebsco.de/krops/) is an alternative to
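Review bot: the link text in `[NixOS ](https://nixos.org) is nice, but it has some flaws.` has a trailing space inside the brackets, so the rendered link reads "NixOS " with the space underlined; drop it. The new heading `# Krops = Krebs OPs an alternative to NixOPs` needs punctuation to read as a title (for example `# Krops (Krebs Ops): an alternative to NixOps`), and the product is spelled "NixOps" in the link two lines below, so the heading should match. A comma after `[NixOps](https://nixos.org/nixops/)` would also make "the official DevOps tool of NixOS" read as the apposition it is meant to be.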
@ -22,7 +20,7 @@ If you're looking for a good document on how to use
have a look at
[this excelent article](https://blog.wearewizards.io/how-to-use-nixops-in-a-team).

# Krops vs NixOps feature-crunch
# Krops vs NixOps (feature comparison)

## Krops

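Review bot: `excelent` in the context line `[this excelent article](https://blog.wearewizards.io/how-to-use-nixops-in-a-team).` should be `excellent`; worth fixing here since the line directly after it is the one being changed. The rename from `# Krops vs NixOps feature-crunch` to `# Krops vs NixOps (feature comparison)` is fine and reads much better as a heading.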
@ -57,3 +55,239 @@ have a look at
* you need a database (for some reason).
* Build/Download happens on deploying machine, which is bad when you have a bad internet-connection.

# Krops Structure by Example

Krops is not a binary like NixOps, is a library you use to write binaries,
which do the actual deployment.

Lets say you have a very simple `configuration.nix`

```
{ config, lib, pkgs, ... }:
{
environment.systemPackages = [ pkgs.git ];
}
```

Than you can use the following script (`krops.nix`) to deploy it
on the machine `server01.mydomain.org`.

```
let

krops = (import <nixpkgs> {}).fetchgit {
url = "https://cgit.krebsco.de/krops/";
rev = "806b500e1e48fa096c2e26b44407e9f368f8d204";
sha256 = "1vfmm7aqi6y6cjz7vivamc70dkaxxxlihj48qvqc0dlj1bi331c2";
};

lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};

source = lib.evalSource [
{
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};

nixos-config.file = toString ./configuration.nix;
}
];

server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source;
target = "root@server01.mydomain.org";
};

in {

server01 = server01;

}
```
Now you can deploy the machine by running :
```
$> nix-build ./krops.nix && result
```
You need to make sure you have ssh access to the root user on `server01.mydomain.org`.

{{% note %}}
You most likely get a message like
```
bla bla : /var/src/.populate
```
This is because you need to create `/var/src/.populate` before krops will do anything.
Once `/var/src/.populate` is created, you can run the command `./result` again.
{{% /note %}}

Korps will copy the file `configuration.nix` into `/var/src` on `server01`
as well cloning the nixpkgs into `/var/src`.
After that if krops will run `nixos-rebuild switch -I /var/src` which will provision `server01`.

## The different parts explained

Let's start with the kryptic part at the beginning.

```
let

krops = (import <nixpkgs> {}).fetchgit {
url = "https://cgit.krebsco.de/krops/";
rev = "806b500e1e48fa096c2e26b44407e9f368f8d204";
sha256 = "1vfmm7aqi6y6cjz7vivamc70dkaxxxlihj48qvqc0dlj1bi331c2";
};

lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
```
It downloads korps and put krops in the nix load path.
So you can used it in the following script.

```
server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source;
target = "root@server01.mydomain.org";
};

in {

server01 = server01;

}
```

The binary `server01` is which results in the link `./result`.
It is a `krops.writeDeploy` function with parameters

* `target` the host passed to the ssh command
* `source` the list of folders and files which are copied to `/var/src`


```
source = lib.evalSource [
{
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};

nixos-config.file = toString ./configuration.nix;
}
];
```

The list of folders and files are managed by the `source` parameter.
The keys in will be the names of the folders or files in `/var/src`.
`nixpkgs` and `nixos-config` are mandatory.

All other files/folders must be referenced in the resultint `nixos-config` file.


## Different Sources

### files and folders (TODO)

### symlinks (TODO)

### git repositories (TODO)

### Passwordstore

lets assume `secrets` is a folder managed by
[passwordstore](https://www.passwordstore.org/).

```
secrets
|-- server01
| `-- wpa_supplicant.conf.gpg
`-- server02
`-- wpa_supplicant.conf.gpg
```

Use the `.pass` argument to include the subfolder `server01`
into your deployment.

```
source = lib.evalSource [
{
secrets.pass = {
dir = toString ./secrets";
name = "server01";
};
}
];

```

`secrets/server01` will be copied to `/var/src/secrets` after it is decrypted.
You will be prompted to enter the password.

## How to use sources in configuration.nix (WIP)

You can use these folders very pleasantly in the `configuration.nix`



```
{ config, libs, pkgs, ... }:
{
imports = [
<modules>
<config/hardware-configuration.nix>
];
networking.supplicant."wlan0".configFile.path = toString <secrets/wpa_supplicant.conf>;
}
```



# Some Tips

So far this is everything krops does.
It is simple and very close to the usual way Nix and NixOS works.
Let's look on some common pattern to solve some common issues.

## Multiple Server (WIP)

```
let
source = name: lib.evalSource [
{
nixos-config.symlink = "config/${name}/configuration.nix"
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};
config.file = toString ./config;
modules.file = toString ./modules;
secrets.pass = {
dir = toString ./secrets";
name = "server01";
};
}
];

server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source "server01";
target = "root@server01.mydomain.org";
};

server02 = pkgs.krops.writeDeploy "deploy-server02" {
source = source "server02";
target = "root@server01.mydomain.org";
};

in {
server01 = server01;
server02 = server02;
all = pkgs.writeScript "deploy-all-servers"
(lib.concatStringSep "\n" [ server01 server02 ]);
}

```

## Update Hashes (WIP)



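Review bot: the Nix examples in this hunk do not evaluate as written, and the multi-server example deploys the wrong host. `dir = toString ./secrets";` (in both the Passwordstore block and the Multiple Server block) has a stray `"`; the `nixos-config.symlink` attribute in the Multiple Server block is missing its `;`; `lib.concatStringSep` is spelled `concatStringsSep` in nixpkgs; and the `configuration.nix` example in "How to use sources" takes `libs` where the module argument is `lib`. In the Multiple Server block `server02` is built with `target = "root@server01.mydomain.org";`, so running `deploy-server02` would push server02's `configuration.nix` and secrets onto server01 and `nixos-rebuild switch` it there; it should be `root@server02.mydomain.org`, and since `secrets.pass` hard-codes `name = "server01";` inside the `source = name: ...` function it should use `name = name;` so each host only receives its own decrypted secrets. The run line after "Now you can deploy the machine" calls `result` where `./result` is meant. The note block should quote the actual krops error instead of `bla bla : /var/src/.populate`, and the Passwordstore section would be more complete if it stated that `/var/src/secrets` on the target holds the plaintext after decryption, so the ownership and mode of that directory matter. Prose typos worth fixing in the same pass: `Than` for `Then`, `Korps`/`korps` for `Krops`, `kryptic` for `cryptic`, `resultint` for `resulting`, `can used` for `can use`, and `After that if krops will run` for `After that krops runs`.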