examples: add krops deployment method

This commit is contained in:
Jonas Nick 2021-03-10 14:08:39 +01:00 committed by Erik Arvstedt
parent e017675d5e
commit fe118b28ff
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
5 changed files with 91 additions and 0 deletions

20
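--- /dev/null
+++ b/examples/krops/deploy.nix
@@ -0,0 +1,20 @@
+let
+# FIXME:
+target = "root@HOSTNAME_OR_IP_ADDRESS";
+extraSources = {
+"hardware-configuration.nix".file = toString ../hardware-configuration.nix;
+};
+krops = (import <nix-bitcoin> {}).krops;
+in
+krops.pkgs.krops.writeDeploy "deploy" {
+inherit target;
+source = import ./sources.nix { inherit extraSources krops; };
+# Avoid having to create a sentinel file.
+# Otherwise /var/src/.populate must be created on the target node to signal krops
+# that it is allowed to deploy.
+force = true;
+}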
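Review bot: The bare `# FIXME:` above `target` does not say what has to be filled in or why getting it wrong matters, and because `force = true` below disables the `/var/src/.populate` sentinel described in the following comment, krops will populate /var/src on whatever host `target` resolves to without any confirmation from that host. Suggest replacing the FIXME with `# FIXME: set to the SSH address (root@host) of the node to deploy to. With force = true below, krops overwrites /var/src on this host without a sentinel check, so double-check the address.` The `hardware-configuration.nix` entry in `extraSources` is read from the parent directory; a one-line comment stating that this file must exist there before running the deploy would save first-time users a confusing failure.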


@ -0,0 +1,7 @@
# This file allows you to build your krops configuration locally
{
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/krops.nix>
];
}


@ -0,0 +1,33 @@
{ extraSources, krops }:
krops.lib.evalSource [({
nixos-config.file = builtins.toFile "nixos-config" ''
{
imports = [
./configuration.nix
<nix-bitcoin/modules/deployment/krops.nix>
];
}
'';
"configuration.nix".file = toString ../configuration.nix;
# Enable `useChecksum` for sources which might be located in the nix store
# and which therefore might have static timestamps.
nixpkgs.file = {
path = toString <nixpkgs>;
useChecksum = true;
};
nix-bitcoin.file = {
path = toString <nix-bitcoin>;
useChecksum = true;
filters = [{
type = "exclude";
pattern = ".git";
}];
};
secrets.file = toString ../secrets;
} // extraSources)]
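Review bot: The `nixpkgs.file` source has no `.git` exclusion, unlike the `nix-bitcoin.file` source directly below it, so if `<nixpkgs>` points at a git checkout rather than a store path the entire `.git` directory is checksummed and synced to the target on every deploy. For consistency with the nix-bitcoin entry, add `filters = [{ type = "exclude"; pattern = ".git"; }];` inside `nixpkgs.file`. The `secrets.file` line would also benefit from a comment on where it lands and what depends on it, e.g. `# Presumably synced to /var/src/secrets on the target; keep in sync with nix-bitcoin.secretsDir in the krops deployment module` (the destination is inferred from the krops `/var/src` layout rather than visible here).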


@ -28,6 +28,13 @@ stdenv.mkDerivation rec {
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release" alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
krops-deploy() {
# Ensure strict permissions on secrets/ directory before rsyncing it to
# the target machine
chmod 700 ${toString ./secrets}
$(nix-build --no-out-link ${toString ./krops/deploy.nix})
}
figlet "nix-bitcoin" figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets}) (mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets})
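Review bot: Both `${toString ./secrets}` and the `$(nix-build ...)` result in the new `krops-deploy` function are expanded unquoted, so a checkout path containing spaces or glob characters is word-split before `chmod` and before the deploy script is executed. Suggest `chmod 700 "${toString ./secrets}"` and `"$(nix-build --no-out-link "${toString ./krops/deploy.nix}")"`; quoting the substitution also makes a failed `nix-build` report a visible "command not found" on the empty result instead of expanding to nothing. The `chmod 700` is a non-recursive mode change on the directory only, which is fine if that is the intent, but a short comment saying so would stop a reader from assuming the files inside are being restricted here as well. The enclosing `shellHook` string and the `stdenv.mkDerivation` that contains it begin outside this hunk.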


@ -0,0 +1,24 @@
{ lib, ... }:
{
nix-bitcoin = {
secretsDir = "/var/src/secrets";
setupSecrets = true;
};
environment.variables.NIX_PATH = lib.mkForce "/var/src";
# The file syncing step in krops resets the secrets file permissions.
# So force `setup-secrets.service` to restart on deployment.
# Stop it at activation start so that it gets restarted at the end.
system.activationScripts.nixBitcoinStopSetupSecrets = ''
${/* Skip this step if systemd is not running, i.e. when booting or in nixos-install */ ""}
if [[ -e /run/systemd/system ]]; then
if ! output=$(/run/current-system/systemd/bin/systemctl stop setup-secrets.service --no-block 2>&1); then
# Ignore if the unit is not loaded, which can happen on the first deployment
if [[ $output != *setup-secrets.service\ not\ loaded* ]]; then
echo "$output"
false
fi
fi
fi
'';
}
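Review bot: In the failure branch of the activation script, `echo "$output"` writes the `systemctl stop` error to stdout before `false` aborts activation; activation failures are normally read from stderr, so `echo "$output" >&2` would make the cause show up where the failing activation is reported. The `[[ $output != *setup-secrets.service\ not\ loaded* ]]` test depends on the exact English wording of systemctl's message, which can differ between systemd versions or locales; a comment such as `# Matches systemctl's English "... not loaded" message; revisit if systemd changes its wording` would flag that fragility for maintainers. The `secretsDir = "/var/src/secrets"` setting appears to be tied to where krops places the `secrets` source under /var/src, but nothing here says so; a comment like `# Must match the name of the secrets source in the krops sources file, which krops places under /var/src` would make that coupling explicit.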