nixos/krops.md : filled out the grid but there is still stuff to do

master
Ingolf Wagner 2018-08-15 21:26:35 +02:00
parent b1c873fdea
commit 37cb4f1492
1 changed files with 237 additions and 3 deletions


@ -9,8 +9,6 @@ tags:
- password-store
---
# Krops = Krebs OPs an alternative to NixOPs
[NixOps](https://nixos.org/nixops/) the official DevOps tool of
[NixOS ](https://nixos.org) is nice, but it has some flaws.
[Krops](https://cgit.krebsco.de/krops/) is an alternative to
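Review bot: the heading `# Krops = Krebs OPs an alternative to NixOPs` spells the tool "NixOPs" while the link text two lines below and the rest of the page spell it "NixOps"; suggest "NixOps" here, and a colon or dash between "Krebs OPs" and "an alternative" so the heading parses as a title. The link `[NixOS ](https://nixos.org)` also carries a trailing space inside the brackets, which renders as "NixOS " followed by a second space before "is nice".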
@ -22,7 +20,7 @@ If you're looking for a good document on how to use
have a look at
[this excelent article](https://blog.wearewizards.io/how-to-use-nixops-in-a-team).
# Krops vs NixOps feature-crunch
# Krops vs NixOps (feature comparison)
## Krops
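Review bot: "excelent" in `[this excelent article](https://blog.wearewizards.io/how-to-use-nixops-in-a-team)` should read "excellent". The renamed heading `# Krops vs NixOps (feature comparison)` reads better than "feature-crunch", so that part is fine as is.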
@ -57,3 +55,239 @@ have a look at
* you need a database (for some reason).
* Build/Download happens on deploying machine, which is bad when you have a bad internet-connection.
# Krops Structure by Example
Krops is not a binary like NixOps, is a library you use to write binaries,
which do the actual deployment.
Lets say you have a very simple `configuration.nix`
```
{ config, lib, pkgs, ... }:
{
environment.systemPackages = [ pkgs.git ];
}
```
Than you can use the following script (`krops.nix`) to deploy it
on the machine `server01.mydomain.org`.
```
let
krops = (import <nixpkgs> {}).fetchgit {
url = "https://cgit.krebsco.de/krops/";
rev = "806b500e1e48fa096c2e26b44407e9f368f8d204";
sha256 = "1vfmm7aqi6y6cjz7vivamc70dkaxxxlihj48qvqc0dlj1bi331c2";
};
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
source = lib.evalSource [
{
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};
nixos-config.file = toString ./configuration.nix;
}
];
server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source;
target = "root@server01.mydomain.org";
};
in {
server01 = server01;
}
```
Now you can deploy the machine by running :
```
$> nix-build ./krops.nix && result
```
You need to make sure you have ssh access to the root user on `server01.mydomain.org`.
{{% note %}}
You most likely get a message like
```
bla bla : /var/src/.populate
```
This is because you need to create `/var/src/.populate` before krops will do anything.
Once `/var/src/.populate` is created, you can run the command `./result` again.
{{% /note %}}
Korps will copy the file `configuration.nix` into `/var/src` on `server01`
as well cloning the nixpkgs into `/var/src`.
After that if krops will run `nixos-rebuild switch -I /var/src` which will provision `server01`.
## The different parts explained
Let's start with the kryptic part at the beginning.
```
let
krops = (import <nixpkgs> {}).fetchgit {
url = "https://cgit.krebsco.de/krops/";
rev = "806b500e1e48fa096c2e26b44407e9f368f8d204";
sha256 = "1vfmm7aqi6y6cjz7vivamc70dkaxxxlihj48qvqc0dlj1bi331c2";
};
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
```
It downloads korps and put krops in the nix load path.
So you can used it in the following script.
```
server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source;
target = "root@server01.mydomain.org";
};
in {
server01 = server01;
}
```
The binary `server01` is which results in the link `./result`.
It is a `krops.writeDeploy` function with parameters
* `target` the host passed to the ssh command
* `source` the list of folders and files which are copied to `/var/src`
```
source = lib.evalSource [
{
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};
nixos-config.file = toString ./configuration.nix;
}
];
```
The list of folders and files are managed by the `source` parameter.
The keys in will be the names of the folders or files in `/var/src`.
`nixpkgs` and `nixos-config` are mandatory.
All other files/folders must be referenced in the resultint `nixos-config` file.
## Different Sources
### files and folders (TODO)
### symlinks (TODO)
### git repositories (TODO)
### Passwordstore
lets assume `secrets` is a folder managed by
[passwordstore](https://www.passwordstore.org/).
```
secrets
|-- server01
| `-- wpa_supplicant.conf.gpg
`-- server02
`-- wpa_supplicant.conf.gpg
```
Use the `.pass` argument to include the subfolder `server01`
into your deployment.
```
source = lib.evalSource [
{
secrets.pass = {
dir = toString ./secrets";
name = "server01";
};
}
];
```
`secrets/server01` will be copied to `/var/src/secrets` after it is decrypted.
You will be prompted to enter the password.
## How to use sources in configuration.nix (WIP)
You can use these folders very pleasantly in the `configuration.nix`
```
{ config, libs, pkgs, ... }:
{
imports = [
<modules>
<config/hardware-configuration.nix>
];
networking.supplicant."wlan0".configFile.path = toString <secrets/wpa_supplicant.conf>;
}
```
# Some Tips
So far this is everything krops does.
It is simple and very close to the usual way Nix and NixOS works.
Let's look on some common pattern to solve some common issues.
## Multiple Server (WIP)
```
let
source = name: lib.evalSource [
{
nixos-config.symlink = "config/${name}/configuration.nix"
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};
config.file = toString ./config;
modules.file = toString ./modules;
secrets.pass = {
dir = toString ./secrets";
name = "server01";
};
}
];
server01 = pkgs.krops.writeDeploy "deploy-server01" {
source = source "server01";
target = "root@server01.mydomain.org";
};
server02 = pkgs.krops.writeDeploy "deploy-server02" {
source = source "server02";
target = "root@server01.mydomain.org";
};
in {
server01 = server01;
server02 = server02;
all = pkgs.writeScript "deploy-all-servers"
(lib.concatStringSep "\n" [ server01 server02 ]);
}
```
## Update Hashes (WIP)
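Review bot: the "Multiple Server" snippet has a copy-paste bug that would deploy one host's secrets to the other. `source = name: lib.evalSource [...]` parameterises `nixos-config.symlink` on `name`, but `secrets.pass` still has `name = "server01";` hard-coded and `server02`'s deploy uses `target = "root@server01.mydomain.org";`, so running `deploy-server02` pushes server02's configuration plus server01's decrypted password-store entries to server01. Suggest `secrets.pass = { dir = toString ./secrets; inherit name; };` and `target = "root@server02.mydomain.org";`. Smaller defects in the same hunk: `toString ./secrets";` has a stray closing quote, both in the Passwordstore snippet and in the multi-server one; `nixos-config.symlink = "config/${name}/configuration.nix"` is missing its trailing semicolon; `lib.concatStringSep` should be `concatStringsSep`; the deploy command `nix-build ./krops.nix && result` should be `&& ./result`, which is what the note a few lines further down already says; and `{ config, libs, pkgs, ... }:` in the sample `configuration.nix` should be `lib`. Text nits: "Than" should be "Then", "Korps"/"korps" should be "krops", "kryptic" should be "cryptic", "resultint" should be "resulting", and the placeholder error `bla bla : /var/src/.populate` should either quote the real message or be described in prose so readers can recognise it.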