-rw-r--r--README.md31
-rw-r--r--pkgs/default.nix8
-rw-r--r--pkgs/krops/default.nix23
-rw-r--r--pkgs/overlay.nix10
-rw-r--r--pkgs/populate/default.nix37
5 files changed, 62 insertions, 47 deletions
diff --git a/README.md b/README.md
index 95a2728..561dae9 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,21 @@
# krops (krebs ops)
-krops is a lightweigt toolkit to deploy nixos systems, remotely or locally.
+krops is a lightweigt toolkit to deploy NixOS systems, remotely or locally.
-fancy features include:
-- store your secrets in passwordstore
+## Some Features
+
+- store your secrets in [password store](https://www.passwordstore.org/)
- build your system remotely
-- minimal overhead
+- minimal overhead (it's basically just `nixos-rebuild switch`!)
- run from custom nixpkgs branch/checkout/fork
-minimal example:
+## Minimal Example
+
+Create a file named `krops.nix` (name doesn't matter) with following content:
-create a krops.nix somewhere
```
let
- #krops = ./.;
- krops = builtins.fetchGit {
+ krops = (import <nixpkgs> {}).fetchgit {
url = https://cgit.krebsco.de/krops/;
ref = "master";
};
@@ -24,12 +25,11 @@ let
source = lib.evalSource [{
nixpkgs.git = {
- ref = "origin/nixos-18.03";
- url = https://github.com/NixOS/nixpkgs-channels;
+ ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
+ url = https://github.com/NixOS/nixpkgs;
};
nixos-config.file = toString (pkgs.writeText "nixos-config" ''
{ pkgs, ... }: {
-
fileSystems."/" = { device = "/dev/sda1"; };
boot.loader.systemd-boot.enable = true;
services.openssh.enable = true;
@@ -47,4 +47,11 @@ in
}
```
-and run `$(nix-build krops.nix)`. This results in a script which deploys the machine via ssh & rsync on the target machine.
+and run `$(nix-build --no-out-link krops.nix)` to deploy the target machine.
+
+Under the hood, this will make the sources available on the target machine
+below `/var/src`, and execute `nixos-rebuild switch -I /var/src`.
+
+## References
+
+- [In-depth example](http://tech.ingolf-wagner.de/nixos/krops/) by [Ingolf Wagner](https://ingolf-wagner.de/)
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 639ed13..b8530a8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,7 +1,15 @@
{ overlays ? [], ... }@args:
+let
+ nix-writers = builtins.fetchGit {
+ url = https://cgit.krebsco.de/nix-writers/;
+ rev = "c27a9416e8ee04d708b11b48f8cf1a055c0cc079";
+ };
+in
+
import <nixpkgs> (args // {
overlays = overlays ++ [
(import ./overlay.nix)
+ (import "${nix-writers}/pkgs")
];
})
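Review bot: The nix-writers checkout on lines 75–78 is pinned by `rev` alone with no `ref`; `builtins.fetchGit` resolves a bare `rev` against the repository's default branch, so the pin fails if that commit is ever reachable only from another branch (worth confirming for the Nix version you target). Adding `ref = "master";` next to the rev makes the intent explicit and keeps the fetch reproducible. A short comment would also tell the next reader why this overlay is pulled in, since the commit drops the local `writeDash` from overlay.nix: `# nix-writers supplies the writers (exec, writeDash) that ./krops expects from the overlay`.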
diff --git a/pkgs/krops/default.nix b/pkgs/krops/default.nix
index d2f9c8a..2d3395d 100644
--- a/pkgs/krops/default.nix
+++ b/pkgs/krops/default.nix
@@ -2,7 +2,19 @@ let
lib = import ../../lib;
in
-{ nix, openssh, populate, writeDash, writeJSON }: {
+{ exec, nix, openssh, populate, writeDash }: rec {
+
+ rebuild = target:
+ exec "rebuild.${target.host}" rec {
+ filename = "${openssh}/bin/ssh";
+ argv = [
+ filename
+ "-l" target.user
+ "-p" target.port
+ target.host
+ "nixos-rebuild switch -I ${lib.escapeShellArg target.path}"
+ ];
+ };
writeDeploy = name: { source, target }: let
target' = lib.mkTarget target;
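Review bot: `rebuild` (lines 97–107) has no comment explaining why only `target.path` is escaped: user, port and host are passed as separate ssh arguments and never go through a shell, whereas the `nixos-rebuild` string is parsed by the remote login shell, which is why `lib.escapeShellArg` is needed there. A comment such as `# path is embedded in the remote command line, so it must be shell-escaped; the other fields are separate ssh arguments` would save the next reader that analysis. One check worth making: `exec` argv entries presumably have to be strings, so `target.port` must already be a string as produced by `lib.mkTarget` (outside this hunk); if it can be an integer, wrap it with `toString`. `writeDeploy` on line 108 continues outside the hunk.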
@@ -10,9 +22,7 @@ in
writeDash name ''
set -efu
${populate { inherit source; target = target'; }}
- ${openssh}/bin/ssh \
- ${target'.user}@${target'.host} -p ${target'.port} \
- nixos-rebuild switch -I ${target'.path}
+ ${rebuild target'}
'';
writeTest = name: { source, target }: let
@@ -23,12 +33,11 @@ in
set -efu
${populate { inherit source; target = target'; }}
${nix}/bin/nix-build \
- -A config.system.build.toplevel \
+ -A system \
-I ${target'.path} \
- --arg modules '[<nixos-config>]' \
--no-out-link \
--show-trace \
- '<nixpkgs/nixos/lib/eval-config.nix>'
+ '<nixpkgs/nixos>'
'';
}
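Review bot: `-I ${target'.path}` on line 126 is still interpolated unescaped into the dash script, while the deploy side now escapes the same value with `lib.escapeShellArg` in `rebuild`, so a path containing spaces or shell metacharacters would behave differently between test and deploy. Use `-I ${lib.escapeShellArg target'.path} \` here as well. Switching the entry point to `'<nixpkgs/nixos>'` with `-A system` relies on that entry point picking up `<nixos-config>` from the `-I` search path now that `--arg modules` is gone; a one-line comment stating that assumption, `# <nixpkgs/nixos> reads <nixos-config> from the -I search path`, would document it. `writeTest` starts on line 119, before this hunk.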
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 95d4938..24ecf17 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -5,14 +5,4 @@ in
self: super: {
krops = self.callPackage ./krops {};
populate = self.callPackage ./populate {};
- writeDash = name: text: self.writeScript name ''
- #! ${self.dash}/bin/dash
- ${text}
- '';
- writeJSON = name: value: self.runCommand name {
- json = lib.toJSON value;
- passAsFile = [ "json" ];
- } /* sh */ ''
- ${self.jq}/bin/jq . "$jsonPath" > "$out"
- '';
}
diff --git a/pkgs/populate/default.nix b/pkgs/populate/default.nix
index f0eb7d1..d8c1510 100644
--- a/pkgs/populate/default.nix
+++ b/pkgs/populate/default.nix
@@ -1,7 +1,7 @@
with import ../../lib;
with shell;
-{ coreutils, dash, findutils, git, jq, openssh, rsync, writeDash }:
+{ coreutils, dash, findutils, git, jq, openssh, pass, rsync, writeDash }:
let
check = { force, target }: let
@@ -20,21 +20,21 @@ let
fi
'';
- pop.file = target: file: rsync' target (quote file.path);
+ pop.file = target: source: rsync' target (quote source.path);
- pop.git = target: git: shell' target /* sh */ ''
+ pop.git = target: source: shell' target /* sh */ ''
if ! test -e ${quote target.path}; then
- git clone --recurse-submodules ${quote git.url} ${quote target.path}
+ git clone --recurse-submodules ${quote source.url} ${quote target.path}
fi
cd ${quote target.path}
if ! url=$(git config remote.origin.url); then
- git remote add origin ${quote git.url}
- elif test "$url" != ${quote git.url}; then
- git remote set-url origin ${quote git.url}
+ git remote add origin ${quote source.url}
+ elif test "$url" != ${quote source.url}; then
+ git remote set-url origin ${quote source.url}
fi
# TODO resolve git_ref to commit hash
- hash=${quote git.ref}
+ hash=${quote source.ref}
if ! test "$(git log --format=%H -1)" = "$hash"; then
if ! git log -1 "$hash" >/dev/null 2>&1; then
@@ -48,8 +48,8 @@ let
git clean -dfx
'';
- pop.pass = target: pass: let
- passPrefix = "${pass.dir}/${pass.name}";
+ pop.pass = target: source: let
+ passPrefix = "${source.dir}/${source.name}";
in /* sh */ ''
umask 0077
@@ -66,28 +66,28 @@ let
rel_name=''${rel_name%.gpg}
pass_date=$(
- ${git}/bin/git -C ${quote pass.dir} log -1 --format=%aI "$gpg_path"
+ ${git}/bin/git -C ${quote source.dir} log -1 --format=%aI "$gpg_path"
)
- pass_name=${quote pass.name}/$rel_name
+ pass_name=${quote source.name}/$rel_name
tmp_path=$tmp_dir/$rel_name
${coreutils}/bin/mkdir -p "$(${coreutils}/bin/dirname "$tmp_path")"
- PASSWORD_STORE_DIR=${quote pass.dir} pass show "$pass_name" > "$tmp_path"
+ PASSWORD_STORE_DIR=${quote source.dir} ${pass}/bin/pass show "$pass_name" > "$tmp_path"
${coreutils}/bin/touch -d "$pass_date" "$tmp_path"
done
${rsync' target /* sh */ "$tmp_dir"}
'';
- pop.pipe = target: pipe: /* sh */ ''
- ${quote pipe.command} | {
+ pop.pipe = target: source: /* sh */ ''
+ ${quote source.command} | {
${shell' target /* sh */ "cat > ${quote target.path}"}
}
'';
# TODO rm -fR instead of ln -f?
- pop.symlink = target: symlink: shell' target /* sh */ ''
- ln -fns ${quote symlink.target} ${quote target.path}
+ pop.symlink = target: source: shell' target /* sh */ ''
+ ln -fns ${quote source.target} ${quote target.path}
'';
populate = target: name: source: let
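Review bot: `pop.pipe` (lines 216–220) still lets a failing `source.command` go unnoticed: the populate script is embedded in a writeDash script that runs under `set -efu`, and dash has historically had no `pipefail`, so the pipeline's status is that of the `cat` on the target and a command that errors after printing nothing leaves an empty file at `target.path` while deployment continues. The rename does not change this; consider capturing the command's output in a temporary file first and piping it to the target only after the command has exited 0 (a `$(...)` capture would strip trailing newlines, so a temp file is the safer form). Replacing the bare `pass` with `${pass}/bin/pass` on line 209 removes the PATH lookup for pass itself, though pass still resolves gpg from the caller's environment — presumably acceptable, worth confirming.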
@@ -112,7 +112,8 @@ let
optionalString (!isLocalTarget target)
"${target.user}@${target.host}:" +
target.path
- )}
+ )} \
+ >&2
'';
shell' = target: script: