POC for deploying nixin configurations with krops
Find a file
2024-12-22 15:58:09 +01:00
config add nextcloud to arachnide server, using a nixos container 2024-12-22 15:58:09 +01:00
modules add nextcloud to arachnide server, using a nixos container 2024-12-22 15:58:09 +01:00
.gitignore first version 2024-12-18 22:54:04 +01:00
krops.nix add forgejo runner to arachnide server 2024-12-21 00:28:35 +01:00
nixpkgs.json pre-fetch nixpkgs revision hash 2024-12-19 11:07:32 +01:00
README.md update readme 2024-12-20 00:22:55 +01:00

Nixin krops POC

This is a proof of concept of using krops to deploy nixos configurations generated by nixin

The configurations of the servers are stored in sub-directories of the config directory :

├── config
│   ├── server-01
│   │   ├── configuration.nix
│   │   └── hardware-configuration.nix
│   └── server-02
│       ├── configuration.nix
│       └── hardware-configuration.nix

These configurations can import shared modules stored in the modules directory

├── modules
│   ├── nixin.nix
│   ├── reverse-proxy.nix
│   ├── users.nix
│   └── wireguard-client.nix

The file nixpkgs.json contains the revision of nixpkgs to use. See the tips section for how to update it

The file krops.nix is the main deployment configuration that ties everything up. If new servers are added to the config directory, they must also be added in this file.

The servers mush be accessible with ssh as root or as a user with passwordless sudo capability, as defined in krops.nix

Secrets are stored in a sub directory of a separate git repository, managed with passwordstore
This directory must be available at ~/.password-store/nixin-password-store/krops. (This is also defined in krops.nix)
When deploying a configuration, the secrets files are decrypted and copied to server into the /var/srv/secret directory Referencing a secret file path in the configuration is done like this :

privateKeyFile = toString <secrets/wg-private.key>;

If instead the content of a secret file needs to be substituted into the configuration, it can be done like this :

security.pki.certificates = [ (builtins.readFile toString <secrets/ca-bundle.crt>) ];

Sample /var/src on a server after configuration deployment :

[root@arachnide:~]# ls -l /var/src
total 20
drwxr-xr-x  2 root root 4096 18 déc.  19:07 config
drwxr-xr-x  2 root root 4096 18 déc.  21:39 modules
lrwxrwxrwx  1 root root   24 19 déc.  10:28 nixos-config -> config/configuration.nix
drwxr-xr-x 10 root root 4096 19 déc.  10:29 nixpkgs
drwx------  2 root root 4096 19 déc.  10:30 secrets

Tips

The file /var/src/.populate needs to be created on target servers to be able to deploy a configuration to them. This is a protection to avoid deploying to a machine that is not meant to be managed with krops

Deploying configuration of only one server :
nix-build ./krops.nix -A arachnide && ./result

Deploying configuration of all servers :
nix-build ./krops.nix -A all && ./result

Updating the nixpkgs revision that is used :

nix-prefetch-git   --url https://github.com/NixOS/nixpkgs   --rev "refs/heads/nixos-24.11"   > nixpkgs.json

Rebuilding the system on the host itself :

nixos-rebuild switch -I /var/src

References