examples: add krops deployment method
This commit is contained in:
parent
e017675d5e
commit
fe118b28ff
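--- /dev/null
+++ b/examples/krops/deploy.nix
@@ -0,0 +1,20 @@
+let
+# FIXME:
+target = "root@HOSTNAME_OR_IP_ADDRESS";
+
+extraSources = {
+"hardware-configuration.nix".file = toString ../hardware-configuration.nix;
+};
+
+krops = (import <nix-bitcoin> {}).krops;
+in
+krops.pkgs.krops.writeDeploy "deploy" {
+inherit target;
+
+source = import ./sources.nix { inherit extraSources krops; };
+
+# Avoid having to create a sentinel file.
+# Otherwise /var/src/.populate must be created on the target node to signal krops
+# that it is allowed to deploy.
+force = true;
+}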
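Review bot: `force = true;` at the end of the writeDeploy block also switches off the `/var/src/.populate` check, which is what stops krops from populating a host that was never prepared for it, so a mistyped `target` now deploys onto any machine the operator can reach as root with nothing asking for confirmation. The comment above it states only the convenience; it should state the trade-off as well, e.g. `# Note: this also drops krops' safeguard against deploying to an unintended host; double-check target before running.` The bare `# FIXME:` above the target line should say what is expected there, e.g. `# FIXME: set the deployment target; krops connects as root and populates /var/src on it`.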
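--- /dev/null
+++ b/examples/krops/krops-configuration.nix
@@ -0,0 +1,7 @@
+# This file allows you to build your krops configuration locally
+{
+imports = [
+../configuration.nix
+<nix-bitcoin/modules/deployment/krops.nix>
+];
+}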
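Review bot: The import list in this file duplicates the one written inline into `nixos-config` in examples/krops/sources.nix, differing only in the relative path to configuration.nix, so adding a module to one of them and forgetting the other makes the locally built configuration differ from the deployed one. A comment making the coupling explicit would help, e.g. `# Keep in sync with the nixos-config source in sources.nix`; deriving one list from the other would remove the duplication entirely.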
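--- /dev/null
+++ b/examples/krops/sources.nix
@@ -0,0 +1,33 @@
+{ extraSources, krops }:
+
+krops.lib.evalSource [({
+nixos-config.file = builtins.toFile "nixos-config" ''
+{
+imports = [
+./configuration.nix
+<nix-bitcoin/modules/deployment/krops.nix>
+];
+}
+'';
+
+"configuration.nix".file = toString ../configuration.nix;
+
+# Enable `useChecksum` for sources which might be located in the nix store
+# and which therefore might have static timestamps.
+
+nixpkgs.file = {
+path = toString <nixpkgs>;
+useChecksum = true;
+};
+
+nix-bitcoin.file = {
+path = toString <nix-bitcoin>;
+useChecksum = true;
+filters = [{
+type = "exclude";
+pattern = ".git";
+}];
+};
+
+secrets.file = toString ../secrets;
+} // extraSources)]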
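Review bot: The `.git` exclude filter is applied only to the `nix-bitcoin.file` source; `nixpkgs.file` has no filters, so if `<nixpkgs>` resolves to a local git checkout rather than a channel or store path, its `.git` directory is synced to the target too, which is slow and puts repository metadata on a deployment host that has no use for it. The same `filters = [{ type = "exclude"; pattern = ".git"; }];` can be added to the nixpkgs entry. The `useChecksum` comment describes both the nixpkgs and nix-bitcoin entries but sits between `configuration.nix` and `nixpkgs.file` with a blank line on each side, so its scope is unclear; placing it directly above `nixpkgs.file` or repeating it in each entry would make that explicit.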
@ -28,6 +28,13 @@ stdenv.mkDerivation rec {
|
||||
|
||||
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
|
||||
|
||||
krops-deploy() {
|
||||
# Ensure strict permissions on secrets/ directory before rsyncing it to
|
||||
# the target machine
|
||||
chmod 700 ${toString ./secrets}
|
||||
$(nix-build --no-out-link ${toString ./krops/deploy.nix})
|
||||
}
|
||||
|
||||
figlet "nix-bitcoin"
|
||||
(mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets})
|
||||
|
||||
|
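Review bot: In `krops-deploy`, `$(nix-build --no-out-link ${toString ./krops/deploy.nix})` executes whatever path nix-build prints, so when the build fails the substitution expands to nothing and the function returns with no deployment and no message of its own, and an output path containing whitespace would be word-split. Capturing the result first keeps the failure visible: `deploy=$(nix-build --no-out-link ${toString ./krops/deploy.nix}) || return` followed by `"$deploy"`. The `chmod 700` on the line above only tightens the secrets directory itself, not the modes of the files in it; the comment should say so, e.g. `# directory only; per-file modes are restored on the target by setup-secrets.service`, which is what modules/deployment/krops.nix in this commit arranges. The enclosing derivation (`stdenv.mkDerivation rec {` in the hunk header) and the shell snippet this function lives in start outside the hunk, and the file header for this section is not shown.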
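--- /dev/null
+++ b/modules/deployment/krops.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+{
+nix-bitcoin = {
+secretsDir = "/var/src/secrets";
+setupSecrets = true;
+};
+environment.variables.NIX_PATH = lib.mkForce "/var/src";
+
+# The file syncing step in krops resets the secrets file permissions.
+# So force `setup-secrets.service` to restart on deployment.
+# Stop it at activation start so that it gets restarted at the end.
+system.activationScripts.nixBitcoinStopSetupSecrets = ''
+${/* Skip this step if systemd is not running, i.e. when booting or in nixos-install */ ""}
+if [[ -e /run/systemd/system ]]; then
+if ! output=$(/run/current-system/systemd/bin/systemctl stop setup-secrets.service --no-block 2>&1); then
+# Ignore if the unit is not loaded, which can happen on the first deployment
+if [[ $output != *setup-secrets.service\ not\ loaded* ]]; then
+echo "$output"
+false
+fi
+fi
+fi
+'';
+}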
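Review bot: `environment.variables.NIX_PATH = lib.mkForce "/var/src";` points the target's shells at the krops-synced tree as their only source of nixpkgs and nix-bitcoin, so the ownership and mode of /var/src now determine who can change what a later nixos-rebuild on the host builds; that assumption deserves a comment, e.g. `# /var/src is populated by krops as root and must not be writable by anyone else: whatever is there is what nixos-rebuild will build.` The activation script mixes two comment styles: `${/* Skip this step ... */ ""}` hides a Nix comment inside the string, while `# Ignore if the unit is not loaded` a few lines later is a plain shell comment; the first can be written the same way, `# Skip this step if systemd is not running, i.e. when booting or in nixos-install`. The `*setup-secrets.service\ not\ loaded*` match relies on systemctl's exact English wording, so a different locale or a changed message would fall through to `echo "$output"; false` on a first deployment; if that dependency is intended, the comment above the match should name the message it expects.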