74 lines
2.9 KiB
Markdown
74 lines
2.9 KiB
Markdown
# Nixin krops POC
|
|
This is a proof of concept of using krops to deploy nixos configurations generated by nixin
|
|
|
|
The configurations of the servers are stored in sub-directories of the config directory :
|
|
```
|
|
├── config
|
|
│ ├── server-01
|
|
│ │ ├── configuration.nix
|
|
│ │ └── hardware-configuration.nix
|
|
│ └── server-02
|
|
│ ├── configuration.nix
|
|
│ └── hardware-configuration.nix
|
|
```
|
|
|
|
These configurations can import shared modules stored in the modules directory
|
|
```
|
|
├── modules
|
|
│ ├── nixin.nix
|
|
│ ├── users.nix
|
|
│ └── wireguard-client.nix
|
|
```
|
|
|
|
The file `nixpkgs.json` contains the revision of nixpkgs to use. See the tips section for how to update it
|
|
|
|
The file `krops.nix` is the main deployment configuration that ties everything up. If new servers are added to the config directory, they must also be added in this file.
|
|
|
|
The servers mush be accessible with ssh as `root` or as a user with passwordless sudo capability, as defined in `krops.nix`
|
|
|
|
Secrets are stored in a sub directory of a separate git repository, managed with [passwordstore](https://www.passwordstore.org/)
|
|
This directory must available at ` ~/.password-store/nixin-password-store/krops`. (This is also defined in `krops.nix`)
|
|
When building the configuration on the server, the secrets files are decrypted and copied to server into the /var/srv/secret directory
|
|
Referencing a secret file path in the configuration is done like this :
|
|
```nix
|
|
privateKeyFile = toString <secrets/wg-private.key>;
|
|
```
|
|
If instead the content of the file needs to be substituted into the configuration it can be done like this :
|
|
```nix
|
|
security.pki.certificates = [ (builtins.readFile toString <secrets/ca-bundle.crt>) ];
|
|
```
|
|
|
|
Sample `/var/src` on a server after configuration deployment :
|
|
```sh
|
|
[root@arachnide:~]# ls -l /var/src
|
|
total 20
|
|
drwxr-xr-x 2 root root 4096 18 déc. 19:07 config
|
|
drwxr-xr-x 2 root root 4096 18 déc. 21:39 modules
|
|
lrwxrwxrwx 1 root root 24 19 déc. 10:28 nixos-config -> config/configuration.nix
|
|
drwxr-xr-x 10 root root 4096 19 déc. 10:29 nixpkgs
|
|
drwx------ 2 root root 4096 19 déc. 10:30 secrets
|
|
```
|
|
|
|
## Tips
|
|
|
|
The file `/var/src/.populate` needs to be created on target servers to be able to deploy a configuration to them. This is a protection to avoid deploying to a machine that is not meant to be managed with krops
|
|
|
|
Deploying configuration of only one server :
|
|
nix-build ./krops.nix -A arachnide && ./result
|
|
|
|
Deploying configuration of all servers :
|
|
nix-build ./krops.nix -A all && ./result
|
|
|
|
Updating the nixpkgs revision that is used :
|
|
```sh
|
|
nix-prefetch-git --url https://github.com/NixOS/nixpkgs --rev "refs/heads/nixos-24.11" > nixpkgs.json
|
|
```
|
|
|
|
Rebuilding the system on the host itself :
|
|
```sh
|
|
nixos-rebuild switch -I /var/src
|
|
```
|
|
|
|
## References
|
|
- krops : https://github.com/krebs/krops
|
|
|