nixin-krops/README.md

# Nixin krops POC
This is a proof of concept of using krops to deploy nixos configurations generated by nixin  

The configurations of the servers are stored in a sub-directories of the config directory :  
```
├── config
│   ├── server-01
│   │   ├── configuration.nix
│   │   └── hardware-configuration.nix
│   └── server-02
│       ├── configuration.nix
│       └── hardware-configuration.nix
```

These configurations can import shared modules stored in the modules directory  
```
├── modules
│   ├── nixin.nix
│   └── users.nix
```

The file `nixpkgs.json` contains the revision of nixpkgs to use. See the tips section for how to update it  

The file `krops.nix` is the main deployment configuration that ties everything up. If new servers are added to the config directory, they must also be added in this file.  

The servers mush be accessible with ssh as `root` or as a user with passwordless sudo capability, as defined in `krops.nix`

Secrets are stored in a sub directory of a separate git repository, managed with [passwordstore](https://www.passwordstore.org/)  
This directory must available at ` ~/.password-store/nixin-password-store/krops`. (This is also defined in `krops.nix`)  
When building the configuration on the server, the secrets files are decrypted and copied to the /var/srv/secret directory

Sample `/var/src` on a server after configuration deployment : 
```sh
[root@arachnide:~]# ls -l /var/src
total 20
drwxr-xr-x  2 root root 4096 18 déc.  19:07 config
drwxr-xr-x  2 root root 4096 18 déc.  21:39 modules
lrwxrwxrwx  1 root root   24 19 déc.  10:28 nixos-config -> config/configuration.nix
drwxr-xr-x 10 root root 4096 19 déc.  10:29 nixpkgs
drwx------  2 root root 4096 19 déc.  10:30 secrets
```

## Tips

The file `/var/src/.populate` needs to be created on target servers to be able to deploy a configuration to them. This is a protection to avoid deploying to a machine that is not meant to be managed with krops  

Deploying configuration of only one server :  
nix-build ./krops.nix -A arachnide && ./result

Deploying configuration of all servers :  
nix-build ./krops.nix -A all && ./result

Updating the nixpkgs revision that is used :  
```sh
nix-prefetch-git   --url https://github.com/NixOS/nixpkgs   --rev "refs/heads/nixos-24.11"   > nixpkgs.json
```

Rebuilding the system on the host itself :  
```sh
nixos-rebuild switch -I /var/src
```

## References
- krops : https://github.com/krebs/krops
first commit 2024-12-18 21:21:38 +00:00			`# Nixin krops POC`
update readme 2024-12-19 11:51:56 +00:00			`This is a proof of concept of using krops to deploy nixos configurations generated by nixin`

update readme 2024-12-19 11:56:40 +00:00			`The configurations of the servers are stored in a sub-directories of the config directory :`
update readme 2024-12-19 11:51:56 +00:00			```
			`├── config`
			`│ ├── server-01`
			`│ │ ├── configuration.nix`
			`│ │ └── hardware-configuration.nix`
			`│ └── server-02`
			`│ ├── configuration.nix`
			`│ └── hardware-configuration.nix`
			```

update readme 2024-12-19 14:57:17 +00:00			`These configurations can import shared modules stored in the modules directory`
update readme 2024-12-19 11:51:56 +00:00			```
			`├── modules`
update readme 2024-12-19 14:57:17 +00:00			`│ ├── nixin.nix`
			`│ └── users.nix`
update readme 2024-12-19 11:51:56 +00:00			```

			The file `nixpkgs.json` contains the revision of nixpkgs to use. See the tips section for how to update it

			The file `krops.nix` is the main deployment configuration that ties everything up. If new servers are added to the config directory, they must also be added in this file.

			The servers mush be accessible with ssh as `root` or as a user with passwordless sudo capability, as defined in `krops.nix`

			`Secrets are stored in a sub directory of a separate git repository, managed with [passwordstore](https://www.passwordstore.org/)`
			This directory must available at ` ~/.password-store/nixin-password-store/krops`. (This is also defined in `krops.nix`)
			`When building the configuration on the server, the secrets files are decrypted and copied to the /var/srv/secret directory`

			Sample `/var/src` on a server after configuration deployment :
			```sh
			`[root@arachnide:~]# ls -l /var/src`
			`total 20`
			`drwxr-xr-x 2 root root 4096 18 déc. 19:07 config`
			`drwxr-xr-x 2 root root 4096 18 déc. 21:39 modules`
			`lrwxrwxrwx 1 root root 24 19 déc. 10:28 nixos-config -> config/configuration.nix`
			`drwxr-xr-x 10 root root 4096 19 déc. 10:29 nixpkgs`
			`drwx------ 2 root root 4096 19 déc. 10:30 secrets`
			```
first commit 2024-12-18 21:21:38 +00:00
pre-fetch nixpkgs revision hash 2024-12-19 10:07:32 +00:00			`## Tips`
update readme 2024-12-19 11:51:56 +00:00
			The file `/var/src/.populate` needs to be created on target servers to be able to deploy a configuration to them. This is a protection to avoid deploying to a machine that is not meant to be managed with krops

			`Deploying configuration of only one server :`
first commit 2024-12-18 21:21:38 +00:00			`nix-build ./krops.nix -A arachnide && ./result`

update readme 2024-12-19 11:51:56 +00:00			`Deploying configuration of all servers :`
first commit 2024-12-18 21:21:38 +00:00			`nix-build ./krops.nix -A all && ./result`

update readme 2024-12-19 11:51:56 +00:00			`Updating the nixpkgs revision that is used :`
			```sh
pre-fetch nixpkgs revision hash 2024-12-19 10:07:32 +00:00			`nix-prefetch-git --url https://github.com/NixOS/nixpkgs --rev "refs/heads/nixos-24.11" > nixpkgs.json`
update readme 2024-12-19 11:51:56 +00:00			```

			`Rebuilding the system on the host itself :`
			```sh
			`nixos-rebuild switch -I /var/src`
			```
pre-fetch nixpkgs revision hash 2024-12-19 10:07:32 +00:00
first commit 2024-12-18 21:21:38 +00:00			`## References`
			`- krops : https://github.com/krebs/krops`