2021-01-05 22:54:24 +01:00
|
|
|
# krops (krebs operations)
|
2018-05-01 15:56:49 +02:00
|
|
|
|
2019-12-29 22:43:58 +01:00
|
|
|
krops is a lightweight toolkit to deploy NixOS systems, remotely or locally.
|
2018-05-01 15:56:49 +02:00
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
|
2018-09-28 17:01:38 +02:00
|
|
|
## Some Features
|
2018-09-28 16:04:22 +02:00
|
|
|
|
2018-09-28 17:03:24 +02:00
|
|
|
- store your secrets in [password store](https://www.passwordstore.org/)
|
2024-01-11 04:37:02 +01:00
|
|
|
or [passage](https://github.com/FiloSottile/passage)
|
2021-10-26 13:06:03 +02:00
|
|
|
- build your systems remotely
|
2018-09-28 17:01:38 +02:00
|
|
|
- minimal overhead (it's basically just `nixos-rebuild switch`!)
|
2018-05-01 15:56:49 +02:00
|
|
|
- run from custom nixpkgs branch/checkout/fork
|
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
|
2018-09-28 17:01:38 +02:00
|
|
|
## Minimal Example
|
|
|
|
|
|
|
|
Create a file named `krops.nix` (name doesn't matter) with following content:
|
2018-05-01 15:56:49 +02:00
|
|
|
|
2019-11-29 13:41:39 +01:00
|
|
|
```nix
|
2018-05-01 15:56:49 +02:00
|
|
|
let
|
2018-05-01 16:55:06 +02:00
|
|
|
krops = (import <nixpkgs> {}).fetchgit {
|
|
|
|
url = https://cgit.krebsco.de/krops/;
|
2021-08-09 13:29:29 +02:00
|
|
|
rev = "v1.25.0";
|
|
|
|
sha256 = "07mg3iaqjf1w49vmwfchi7b1w55bh7rvsbgicp2m47gnj9alwdb6";
|
2018-05-01 15:56:49 +02:00
|
|
|
};
|
|
|
|
|
2018-05-01 16:55:06 +02:00
|
|
|
lib = import "${krops}/lib";
|
|
|
|
pkgs = import "${krops}/pkgs" {};
|
2018-05-01 15:56:49 +02:00
|
|
|
|
|
|
|
source = lib.evalSource [{
|
|
|
|
nixpkgs.git = {
|
2018-10-31 18:24:57 +01:00
|
|
|
clean.exclude = ["/.version-suffix"];
|
2018-05-01 15:56:49 +02:00
|
|
|
ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
|
|
|
|
url = https://github.com/NixOS/nixpkgs;
|
|
|
|
};
|
2018-05-01 16:55:06 +02:00
|
|
|
nixos-config.file = toString (pkgs.writeText "nixos-config" ''
|
|
|
|
{ pkgs, ... }: {
|
|
|
|
fileSystems."/" = { device = "/dev/sda1"; };
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
services.openssh.enable = true;
|
|
|
|
environment.systemPackages = [ pkgs.git ];
|
2018-05-03 21:52:15 +02:00
|
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
|
|
"ssh-rsa ADD_YOUR_OWN_PUBLIC_KEY_HERE user@localhost"
|
|
|
|
];
|
2018-05-01 15:56:49 +02:00
|
|
|
}
|
2018-05-01 16:55:06 +02:00
|
|
|
'');
|
2018-05-01 15:56:49 +02:00
|
|
|
}];
|
|
|
|
in
|
2018-05-01 16:55:06 +02:00
|
|
|
pkgs.krops.writeDeploy "deploy" {
|
2018-05-01 15:56:49 +02:00
|
|
|
source = source;
|
2018-05-03 21:52:43 +02:00
|
|
|
target = "root@YOUR_IP_ADDRESS_OR_HOST_NAME_HERE";
|
2018-05-01 15:56:49 +02:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-09-28 17:01:38 +02:00
|
|
|
and run `$(nix-build --no-out-link krops.nix)` to deploy the target machine.
|
2020-05-12 14:31:39 +02:00
|
|
|
krops exports some funtions under `krops.` namely:
|
2018-09-28 17:01:38 +02:00
|
|
|
|
2020-05-12 14:31:39 +02:00
|
|
|
## writeDeploy
|
|
|
|
|
|
|
|
This will make the sources available on the target machine
|
2018-09-28 17:01:38 +02:00
|
|
|
below `/var/src`, and execute `nixos-rebuild switch -I /var/src`.
|
2018-09-28 16:11:52 +02:00
|
|
|
|
2019-12-29 22:43:58 +01:00
|
|
|
|
|
|
|
### `target`
|
2019-11-29 13:41:39 +01:00
|
|
|
|
|
|
|
The `target` attribute to `writeDeploy` can either be a string or an attribute
|
|
|
|
set, specifying where to make the sources available, as well as where to run
|
|
|
|
the deployment.
|
|
|
|
|
|
|
|
If specified as string, the format could be described as:
|
|
|
|
```
|
|
|
|
[[USER]@]HOST[:PORT][/SOME/PATH]
|
|
|
|
```
|
|
|
|
|
2020-06-08 23:00:27 +02:00
|
|
|
Portions in square brackets are optional.
|
2019-11-29 13:41:39 +01:00
|
|
|
|
|
|
|
If the `USER` is the empty string, as in e.g. `@somehost`, then the username
|
2020-04-19 01:30:15 +02:00
|
|
|
will be obtained by ssh from its configuration files.
|
2019-11-29 13:41:39 +01:00
|
|
|
|
2020-04-19 01:30:15 +02:00
|
|
|
If the `target` attribute is an attribute set, then it can specify the
|
|
|
|
attributes `extraOptions`, `host`, `path`, `port`, `sudo`, and `user`.
|
|
|
|
The `extraOptions` is a list of strings that get passed to ssh as additional
|
|
|
|
arguments. The `sudo` attribute is a boolean and if set to true, then it's
|
|
|
|
possible to to deploy to targets that disallow sshing in as root, but allow
|
|
|
|
(preferably passwordless) sudo.
|
|
|
|
Example:
|
2019-11-29 13:41:39 +01:00
|
|
|
|
|
|
|
```nix
|
|
|
|
pkgs.krops.writeDeploy "deploy" {
|
|
|
|
source = /* ... */;
|
|
|
|
target = lib.mkTarget "user@host/path" // {
|
2020-04-19 01:30:15 +02:00
|
|
|
extraOptions = [
|
2021-02-16 17:13:33 +01:00
|
|
|
"-o" "LogLevel=DEBUG"
|
2020-04-19 01:30:15 +02:00
|
|
|
];
|
2019-11-29 13:41:39 +01:00
|
|
|
sudo = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
```
|
|
|
|
For more details about the `target` attribute, please check the `mkTarget`
|
2023-04-08 17:00:11 +02:00
|
|
|
function in [lib/default.nix](lib/default.nix).
|
2019-12-29 22:43:58 +01:00
|
|
|
|
|
|
|
### `backup` (optional, defaults to false)
|
|
|
|
|
|
|
|
Backup all paths specified in source before syncing new sources.
|
|
|
|
|
|
|
|
### `buildTarget` (optional)
|
|
|
|
|
|
|
|
If set the evaluation and build of the system will be executed on this host.
|
|
|
|
`buildTarget` takes the same arguments as target.
|
|
|
|
Sources will be synced to both `buildTarget` and `target`.
|
|
|
|
Built packages will be uploaded from the `buildTarget` to `target` directly
|
|
|
|
This requires the building machine to have ssh access to the target.
|
|
|
|
To build the system on the same machine, that runs the krops command,
|
|
|
|
set up a local ssh service and set the build host to localhost.
|
|
|
|
|
2019-12-29 22:44:21 +01:00
|
|
|
### `crossDeploy` (optional, defaults to false)
|
|
|
|
|
|
|
|
Use this option if target host architecture is not the same as the build host
|
|
|
|
architecture as set by `buildHost` i.e. deploying to aarch64 from a x86_64
|
|
|
|
machine. Setting this option will disable building & running nix in the wrong
|
|
|
|
architecture when running `nixos-rebuild` on the deploying machine. It is
|
|
|
|
required to set `nixpkgs.localSystem.system` in the NixOS configuration to the
|
|
|
|
architecture of the target host. This option is only useful if the build host
|
|
|
|
also has remote builders that are capable of producing artifacts for the deploy
|
|
|
|
architecture.
|
|
|
|
|
2019-12-29 22:43:58 +01:00
|
|
|
### `fast` (optional, defaults to false)
|
|
|
|
|
2022-07-16 16:50:32 +02:00
|
|
|
Run `nixos-rebuild` immediately without building the system in a dedicated `nix
|
|
|
|
build` step.
|
2019-12-29 22:43:58 +01:00
|
|
|
|
|
|
|
### `force` (optional, defaults to false)
|
|
|
|
|
|
|
|
Create the sentinel file (`/var/src/.populate`) before syncing the new source.
|
2019-02-26 21:38:32 +01:00
|
|
|
|
2022-07-16 16:50:32 +02:00
|
|
|
### `operation` (optional, defaults to "switch")
|
|
|
|
|
|
|
|
Specifies which `nixos-rebuild` operation to perform.
|
|
|
|
|
2022-08-23 14:16:39 +02:00
|
|
|
### `useNixOutputMonitor` (optional, defaults to `"opportunistic"`)
|
|
|
|
|
|
|
|
Specifies when to pipe `nixos-rebuild`'s output to
|
|
|
|
[nom](https://github.com/maralorn/nix-output-monitor).
|
|
|
|
|
|
|
|
Supported values:
|
|
|
|
|
|
|
|
* `"opportunistic"` (default) -
|
|
|
|
Use `nom` only if it is present on the target machine.
|
|
|
|
|
|
|
|
* `"optimistic"` -
|
|
|
|
Use `nom`, assuming it is present on the target machine.
|
|
|
|
|
|
|
|
* `"pessimistic"` -
|
|
|
|
Use `nom` via `nix-shell` on the target machine.
|
|
|
|
|
|
|
|
* `true` -
|
|
|
|
Use `nom`.
|
|
|
|
If it is not present on the target machine, then use it via `nix-shell`.
|
|
|
|
|
|
|
|
* `false` -
|
|
|
|
Don't use `nom`
|
|
|
|
|
2020-05-12 14:31:39 +02:00
|
|
|
## writeTest
|
|
|
|
|
|
|
|
Very similiar to writeDeploy, but just builds the system on the target without
|
|
|
|
activating it.
|
|
|
|
|
|
|
|
This basically makes the sources available on the target machine
|
|
|
|
below `/var/src`, and executes `NIX_PATH=/var/src nix-build -A system '<nixpkgs/nixos>'`.
|
|
|
|
|
|
|
|
### `target`
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
|
|
|
### `backup` (optional, defaults to false)
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
|
|
|
### `force` (optional, defaults to false)
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
2022-06-07 16:13:04 +02:00
|
|
|
### `trace` (optional, defaults to false)
|
|
|
|
|
|
|
|
run nix-build with `--show-trace`
|
|
|
|
|
2020-05-12 14:31:39 +02:00
|
|
|
## writeCommand
|
|
|
|
|
|
|
|
This can be used to run other commands than `nixos-rebuild` or pre/post build hooks.
|
|
|
|
|
|
|
|
### `command`
|
|
|
|
|
|
|
|
A function which takes the targetPath as an attribute.
|
|
|
|
Example to activate/deactivate a swapfile before/after build:
|
|
|
|
|
|
|
|
```nix
|
|
|
|
pkgs.krops.writeCommand "deploy-with-swap" {
|
|
|
|
source = source;
|
|
|
|
target = "root@YOUR_IP_ADDRESS_OR_HOST_NAME_HERE";
|
|
|
|
command = targetPath: ''
|
|
|
|
swapon /var/swapfile
|
|
|
|
nixos-rebuild -I ${targetPath} switch
|
|
|
|
swapoff /var/swapfile
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
### `target`
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
|
|
|
### `backup` (optional, defaults to false)
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
|
|
|
### `force` (optional, defaults to false)
|
|
|
|
|
|
|
|
[see `writeDeploy`](#writeDeploy)
|
|
|
|
|
2021-03-27 20:25:31 +01:00
|
|
|
### `allocateTTY` (optional, defaults to false)
|
|
|
|
|
|
|
|
whether the ssh session should do a pseudo-terminal allocation.
|
|
|
|
sets `-t` on the ssh command.
|
2020-05-12 14:31:39 +02:00
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
## Source Types
|
|
|
|
|
|
|
|
### `derivation`
|
|
|
|
|
|
|
|
Nix expression to be built at the target machine.
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `text` -
|
|
|
|
Nix expression to be built.
|
|
|
|
|
|
|
|
|
|
|
|
### `file`
|
|
|
|
|
|
|
|
The file source type transfers local files (and folders) to the target
|
|
|
|
using [`rsync`](https://rsync.samba.org/).
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `path` -
|
2021-10-26 13:07:07 +02:00
|
|
|
absolute path to files that should by transferred.
|
2019-02-26 21:38:32 +01:00
|
|
|
|
|
|
|
* `useChecksum` (optional) -
|
|
|
|
boolean that controls whether file contents should be checked to decide
|
|
|
|
whether a file has changed. This is useful when `path` points at files
|
|
|
|
with mangled timestamps, e.g. the Nix store.
|
|
|
|
|
2021-10-26 13:05:49 +02:00
|
|
|
The default value is `true` if `path` is a derivation, and `false` otherwise.
|
|
|
|
|
2020-02-03 16:37:55 +01:00
|
|
|
* `filters` (optional)
|
2020-03-17 19:32:46 +01:00
|
|
|
List of filters that should be passed to [`rsync`](https://rsync.samba.org/).
|
|
|
|
Filters are specified as attribute sets with the attributes `type` and
|
|
|
|
`pattern`. Supported filter types are `include` and `exclude`.
|
|
|
|
Checkout the filter rules section in the
|
|
|
|
[rsync manual](https://download.samba.org/pub/rsync/rsync.html)
|
|
|
|
for further information.
|
2020-02-03 16:37:55 +01:00
|
|
|
|
|
|
|
* `deleteExcluded` (optional)
|
|
|
|
boolean that controls whether the excluded directories should be deleted
|
|
|
|
if they exist on the target. This is passed to the `--delete-excluded` option
|
|
|
|
of rsync. Defaults to `true`.
|
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
|
|
|
|
### `git`
|
|
|
|
|
|
|
|
Git sources that will be fetched on the target machine.
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `url` -
|
|
|
|
URL of the Git repository that should be fetched.
|
|
|
|
|
|
|
|
* `ref` -
|
|
|
|
Branch / tag / commit that should be fetched.
|
|
|
|
|
|
|
|
* `clean.exclude` -
|
|
|
|
List of patterns that should be excluded from Git cleaning.
|
|
|
|
|
2020-07-02 09:27:55 +02:00
|
|
|
* `shallow` (optional)
|
|
|
|
boolean that controls whether only the requested commit ref. should be fetched
|
|
|
|
instead of the whole history, to save disk space and bandwith. Defaults to `false`.
|
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
|
|
|
|
### `pass`
|
|
|
|
|
|
|
|
The pass source type transfers contents from a local
|
|
|
|
[password store](https://www.passwordstore.org/) to the target machine.
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `dir` -
|
|
|
|
absolute path to the password store.
|
|
|
|
|
|
|
|
* `name` -
|
|
|
|
sub-directory in the password store.
|
|
|
|
|
|
|
|
|
2024-01-11 04:37:02 +01:00
|
|
|
### `passage`
|
|
|
|
|
|
|
|
The passage source type decrypts files from a local
|
|
|
|
[passage store](https://github.com/FiloSottile/passage)
|
|
|
|
and transfers them to the target using
|
|
|
|
[`rsync`](https://rsync.samba.org/).
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `dir` -
|
|
|
|
Path to the passage store.
|
|
|
|
For a partial transfer, this may point to a subdirectory.
|
|
|
|
Example: `~/.passage/store/hosts/MYHOSTNAME`
|
|
|
|
|
|
|
|
* `identities_file` (optional) -
|
|
|
|
Path to the identities file.
|
|
|
|
Defaults to `~/.passage/identities`.
|
|
|
|
|
|
|
|
* `age` (optional) -
|
|
|
|
Path of the age binary.
|
|
|
|
Defaults to `age` (absolute path gets resolved using `passage`'s search path.)
|
|
|
|
|
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
### `pipe`
|
|
|
|
|
|
|
|
Executes a local command, capture its stdout, and send that as a file to the
|
|
|
|
target machine.
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `command` -
|
|
|
|
The (shell) command to run.
|
|
|
|
|
|
|
|
### `symlink`
|
|
|
|
|
|
|
|
Symlink to create at the target, relative to the target directory.
|
|
|
|
This can be used to reference files in other sources.
|
|
|
|
|
|
|
|
Supported attributes:
|
|
|
|
|
|
|
|
* `target` -
|
|
|
|
Content of the symlink. This is typically a relative path.
|
|
|
|
|
|
|
|
|
2018-09-28 16:11:52 +02:00
|
|
|
## References
|
|
|
|
|
2018-09-28 17:01:38 +02:00
|
|
|
- [In-depth example](http://tech.ingolf-wagner.de/nixos/krops/) by [Ingolf Wagner](https://ingolf-wagner.de/)
|
2018-10-05 20:13:26 +02:00
|
|
|
|
2019-02-26 21:38:32 +01:00
|
|
|
|
2018-10-05 20:13:26 +02:00
|
|
|
## Communication
|
|
|
|
|
2020-12-14 16:25:15 +01:00
|
|
|
Comments, questions, pull-requests and patches, etc. are very welcome, and can be directed
|
2018-10-05 20:13:26 +02:00
|
|
|
at:
|
|
|
|
|
2021-07-22 08:19:15 +02:00
|
|
|
- IRC: #krebs at hackint
|
2018-10-05 20:13:26 +02:00
|
|
|
- Mail: [spam@krebsco.de](mailto:spam@krebsco.de)
|
2020-12-14 16:25:15 +01:00
|
|
|
- Github: https://github.com/krebs/krops/
|