nixos/krops.md: "finished" the article
parent
37cb4f1492
commit
a10e13e619
@ -17,43 +17,75 @@ with some very simple concepts.

If you're looking for a good document on how to use
[NixOps](https://nixos.org/nixops/) in the fields,
have a look at
have a look at
[this excelent article](https://blog.wearewizards.io/how-to-use-nixops-in-a-team).

# Krops vs NixOps (feature comparison)

## Krops
<table class="comparison">
<tr>
<th class="text">Feature</th>
<th>NixOps</th>
<th>krops</th>
</tr>
<tr>
<td title="serverA is unstable, serverB is stable, serverC on commit=XY">
precies versioning for every machine.
</td>
<td class="bad"> No </td>
<td class="good"> Yes </td>
</tr>
<tr>
<td class="text">Well documented</td>
<td class="good"> Yes </td>
<td class="bad"> No</td>
</tr>
<tr>
<td class="text">Lightweight</td>
<td class="ok"> Kinda </td>
<td class="good"> Yes </td>
</tr>
<tr>
<td class="text"
title="krops uses passwordstore.org, see more below">
native Folder encryption
</td>
<td class="bad"> No </td>
<td class="good"> Yes </td>
</tr>
<tr>
<td class="text"
title="nixops has deployment.keys">
TMPFS Key management
</td>
<td class="good"> Yes </td>
<td class="bad"> No </td>
</tr>
<tr>
<td class="text"
title="run nixos-rebuild on the target system">
Manual Deployment Possible
</td>
<td class="bad"> No </td>
<td class="good"> Yes </td>
</tr>
<tr>
<td class="text" >
Needs Database
</td>
<td class="bad"> Yes </td>
<td class="good"> No </td>
</tr>
<tr>
<td class="text"
title="where are the .drv files are created">
Build and Download happens on
</td>
<td class="ok"> Client </td>
<td class="good"> Target </td>
</tr>
</table>

### Pro

* very lightweight, it is just a lib
* precise versioning of [NixPkgs](https://github.com/NixOS/nixpkgs)
you can specify nixpkgs commit/branch/tag you want to roll out on which machine.
( your server runs `18.03` and your desktop `unstable` )
* native [password-store](https://www.passwordstore.org/) support.
* You can rerun you deployment on the machine itself using `nixos-rebuild switch`.
* No Database needed.
* Build/Download happens on the target system.

### Con

* you need to have git installed (yeah not a real con)
* not as good documented as NixOps.
* works only on NixOs *(?)*

## NixOps

### Pro

* well documented

### Con

* quite heavy
* host channel is roled out on servers ( not possible to have different channels on different servers )
* can't just run `nixos-rebuild switch` on the target machines.
* you need a database (for some reason).
* Build/Download happens on deploying machine, which is bad when you have a bad internet-connection.

# Krops Structure by Example

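
Review bot: the first data row's `<td title="serverA is unstable, ...">` is missing `class="text"`, so unlike every other feature cell it will not get the 80% column width from the stylesheet; add the class. The added prose also carries typos: "excelent" (excellent), "precies versioning" (precise), "roled out" (rolled), "NixOs" (NixOS). One content point: the "TMPFS Key management: No" row is the only security-relevant difference in the table, and the krops "### Con" list does not mention it. Since the Passwordstore section later in this patch says decrypted secrets are copied to `/var/src/secrets`, i.e. onto the target's normal filesystem rather than a tmpfs, that deserves a bullet in the Con list rather than only a table cell.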
@ -110,12 +142,13 @@ Now you can deploy the machine by running :
```
$> nix-build ./krops.nix && result
```
You need to make sure you have ssh access to the root user on `server01.mydomain.org`.
You need to make sure you have ssh access to the root user on `server01.mydomain.org`
and `git` is installed on `server01.mydomain.org`.

{{% note %}}
You most likely get a message like
If you run this command the first time you will most likely get a message like
```
bla bla : /var/src/.populate
error: missing sentinel file: server01.mydomain.org:/var/src/.populate
```
This is because you need to create `/var/src/.populate` before krops will do anything.
Once `/var/src/.populate` is created, you can run the command `./result` again.
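
Review bot: `$> nix-build ./krops.nix && result` will fail, because `result` is not on `PATH`; the note a few lines below already runs `./result`, so this should read `nix-build ./krops.nix && ./result`. Replacing "bla bla : /var/src/.populate" with the real `error: missing sentinel file: ...` line is a clear improvement; consider adding one sentence on why the sentinel exists (krops refusing to touch a `/var/src` that was never marked for it), so readers do not just create the file reflexively on whatever host they happen to be pointed at.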
@ -123,7 +156,7 @@ Once `/var/src/.populate` is created, you can run the command `./result` again.

Korps will copy the file `configuration.nix` into `/var/src` on `server01`
as well cloning the nixpkgs into `/var/src`.
After that if krops will run `nixos-rebuild switch -I /var/src` which will provision `server01`.
After that krops will run `nixos-rebuild switch -I /var/src` which will provision `server01`.

## The different parts explained

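
Review bot: "Korps" on the first prose line should be "krops", and "as well cloning the nixpkgs" reads better as "as well as cloning nixpkgs". The "After that if krops will run" to "After that krops will run" change is correct.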
@ -186,11 +219,62 @@ All other files/folders must be referenced in the resultint `nixos-config` file.

## Different Sources

### files and folders (TODO)
### files and folders

### symlinks (TODO)
You can use the `.file` argument for folders and files.
But it always must be an absolute path.

```
source = lib.evalSource [
{
modules.file = toString ./modules;
}
];
```
This copies `./modules` to `/var/src/modules`.

### symlinks

You can also use the `.symlink` argument
to create symlinks on the target system.

```
source = lib.evalSource [
{
config.file = toString ./config;
nix-config.symlink = "config/server01/configuration.nix";
}
];
```
This copies `./config` to `/var/src/config` and creates a symlink
`/var/src/nix-config` to `config/server01/configuration.nix`.

{{% note %}}
krops will not check if the target is valid.
{{% /note %}}

### git repositories

You can pull git repositories using the `.git` argument
from everywhere you want,
as long as the target host sees it.

```
source = lib.evalSource [
{
nix-writers.git = {
url = https://cgit.krebsco.de/nix-writers/;
ref = "4d0829328e885a6d7163b513998a975e60dd0a72";
};
}
];
```
This pulles the [nix-writers](https://cgit.krebsco.de/nix-writers/)
repository
into `/var/src/nix-writers`.

the `ref` parameter also accepts branches or tags.

### git repositories (TODO)

### Passwordstore

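
Review bot: if `### git repositories (TODO)` near the end of this hunk is a retained line rather than a deletion, it now duplicates the completed `### git repositories` section above it and should go. Typo: "This pulles" should be "This pulls". The symlink note "krops will not check if the target is valid" would benefit from one more sentence: a mistyped `.symlink` path produces a dangling `/var/src/nix-config` that is only noticed when `nixos-rebuild switch -I /var/src` runs on the target, so the mistake surfaces late and on the remote host.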
@ -220,27 +304,33 @@ source = lib.evalSource [

```

`secrets/server01` will be copied to `/var/src/secrets` after it is decrypted.
This copies `secrets/server01` into `/var/src/secrets` after it is decrypted.
You will be prompted to enter the password.

## How to use sources in configuration.nix (WIP)

You can use these folders very pleasantly in the `configuration.nix`

## How to use sources in configuration.nix

You can use folders copied by krops
very pleasantly in the `configuration.nix`.

```
{ config, libs, pkgs, ... }:
{
imports = [
<modules>
<config/hardware-configuration.nix>
<config/service01/hardware-configuration.nix>
];
networking.supplicant."wlan0".configFile.path = toString <secrets/wpa_supplicant.conf>;
}
```

## How to manually rebuild the system

If you, for some reason, want to rebuild the system on the host itself,
you can do that simply by running as root

```
#> nixos-rebuild switch -I /var/src
```

# Some Tips

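
Review bot: in the `configuration.nix` example, `{ config, libs, pkgs, ... }:` should be `{ config, lib, pkgs, ... }:`, since the module argument is named `lib`; and `<config/service01/hardware-configuration.nix>` looks like a typo for `server01`, the host name used everywhere else in the article. The `toString` around `<secrets/wpa_supplicant.conf>` is doing real work: a bare path value would be copied into the world-readable `/nix/store`, while `toString` keeps only the string path under `/var/src/secrets`. A short comment saying so would stop readers from "simplifying" it away.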
@ -248,22 +338,28 @@ So far this is everything krops does.
It is simple and very close to the usual way Nix and NixOS works.
Let's look on some common pattern to solve some common issues.

## Multiple Server (WIP)
## Multiple Server

If you want to manage multiple computers,
the following adjustments might help you.

Take a closer look to the `source` function and the parameter
`nixos-config` and `secrets`.

```
let
source = name: lib.evalSource [
{
config.file = toString ./config;
modules.file = toString ./modules;
nixos-config.symlink = "config/${name}/configuration.nix"
nixpkgs.git = {
ref = "nixos-18.03";
url = https://github.com/NixOS/nixpkgs-channels;
};
config.file = toString ./config;
modules.file = toString ./modules;
secrets.pass = {
dir = toString ./secrets";
name = "server01";
name = "${name}";
};
}
];
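
Review bot: this Nix snippet does not parse as shown: `nixos-config.symlink = "config/${name}/configuration.nix"` is missing its trailing `;`, and `dir = toString ./secrets";` has a stray `"`. Since `config.file` and `modules.file` appear twice in the hunk (once above `nixos-config.symlink`, once below `nixpkgs.git`), please check that only one pair survives in the new version; defining the same attribute twice in one attribute set is an evaluation error. Also "Let's look on some common pattern" should be "Let's look at some common patterns", and "Take a closer look to" should be "Take a closer look at".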
@ -275,7 +371,7 @@ let

server02 = pkgs.krops.writeDeploy "deploy-server02" {
source = source "server02";
target = "root@server01.mydomain.org";
target = "root@server02.mydomain.org";
};

in {
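
Review bot: good catch on `target = "root@server01.mydomain.org"` in the `server02` block; deploying server02's configuration and secrets onto server01 is exactly the copy-paste failure this pattern invites. To make that class of mistake impossible rather than merely fixed, derive the target from the same `name` that `source` receives, e.g. `target = "root@${name}.mydomain.org";` inside a small helper that takes `name` and builds the whole `writeDeploy` call.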
@ -287,7 +383,56 @@ in {

```

## Update Hashes (WIP)
Now you can create multiple `./result`s or you can use the `-A` parameter of nix-build to choose what
`./result` will be.

```
$> nix-build ./krops.nix -A server01 && ./result
$> nix-build ./krops.nix -A server02 && ./result
$> nix-build ./krops.nix -A all && ./result
```

## Update and Fixing Git commits

Updating Hashes for git repositories is anoying and using branches might break consistency.
To avoid editing files you can use use the `nix-prefetch-git` and `lib.importJson` to make
your live easier.

```
nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs-channels \
--rev refs/heads/nixos-18.03 \
> nixpkgs.json
```

results in a file `nixpkgs.json` which looks like this

```
{
"url": "https://github.com/NixOS/nixpkgs-channels.git",
"rev": "9cbc7363543ebeb5a0182aa171f23bb19332b99f",
"date": "2018-08-14T14:00:50+02:00",
"sha256": "1i3iwc23cl085w429zm6qip1058bsi7zavj7pdwqiqm9nymy7plq",
"fetchSubmodules": true
}
```
And it can be importet in `./krops.nix` like this.

```
let

importJson = (import <nixpkgs> {}).lib.importJSON;

source = lib.evalSource [
{
nixpkgs.git = {
ref = (importJson ./nixpkgs.json).rev;
url = https://github.com/NixOS/nixpkgs-channels;
};
}];
```

Now you can just have to call the `nix-prefetch-git` command
and the commit reference will be updated, and is fixed.

This should also make it simpler to maintain different channels on different machines.
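
Review bot: `ref = (importJson ./nixpkgs.json).rev;` is the line that delivers the "fixed" property the section promises, because it pins nixpkgs to a full commit hash instead of the moving `nixos-18.03` branch; it is worth stating that explicitly, and also that only `.rev` is consumed here, so the `sha256` and `fetchSubmodules` fields in `nixpkgs.json` are not used by this snippet. The prose also mixes `lib.importJson` (text) with `lib.importJSON` (code); the attribute is `importJSON`. Spelling in the added lines: "anoying" (annoying), "use use" (use), "your live easier" (your life easier), "importet" (imported), "Now you can just have to call" (Now you just have to call).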
@ -15,6 +15,8 @@ pkgs.mkShell {

rake
feh

ion
];

# run this on start
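
Review bot: the new `ion` entry is set off from `rake` and `feh` by a blank line while the rest of the list is contiguous; either drop the blank line or add a comment saying why it is grouped separately.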
@ -5,3 +5,7 @@

@color-warning-background: rgba(188, 32, 11, 0.55);
@color-note-background: rgba(94, 188, 11, 0.55);

@color-comparison-good: #ABE953;
@color-comparison-ok: #E9E653;
@color-comparison-bad: #E96D53;
@ -66,3 +66,29 @@ p > code {
.warning {
background: @color-warning-background;
}

table.comparison {
width: 100%;
.text{
width: 80%;
}
.good {
background: @color-comparison-good;
text-align: center;
}
.bad {
background: @color-comparison-bad;
text-align: center;
}
.ok {
background: @color-comparison-ok;
text-align: center;
}
}

@media @desktop {
table.comparison {
margin: 0em 2em .8em 2em;
}
}

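
Review bot: `.text{` lacks the space before `{` that `.good {`, `.bad {` and `.ok {` have; align it for consistency. Note that the `.text { width: 80%; }` rule only takes effect on cells that carry `class="text"`, and the first feature row in the markdown table does not, so that row will render with a different column width until the class is added there.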