Merge remote-tracking branch 'ni/master' into HEAD

2024-11-23 03:29:48 +01:00 · 2018-09-29 20:44:50 +02:00 · 2018-09-29 20:44:50 +02:00 · 913e7b41bb
commit 913e7b41bb
parent 7e1bcc4d4b 5b27dc84c8
5 changed files with 62 additions and 47 deletions
--- a/README.md
+++ b/README.md
@ -1,20 +1,21 @@
 # krops (krebs ops)

-krops is a lightweigt toolkit to deploy nixos systems, remotely or locally.
+krops is a lightweigt toolkit to deploy NixOS systems, remotely or locally.

-fancy features include:
- store your secrets in passwordstore
+## Some Features
+
+- store your secrets in [password store](https://www.passwordstore.org/)
 - build your system remotely
- minimal overhead
+- minimal overhead (it's basically just `nixos-rebuild switch`!)
 - run from custom nixpkgs branch/checkout/fork

-minimal example:
+## Minimal Example
+
+Create a file named `krops.nix` (name doesn't matter) with following content:

-create a krops.nix somewhere
 ```
 let
-  #krops = ./.;
-  krops = builtins.fetchGit {
+  krops = (import <nixpkgs> {}).fetchgit {
    url = https://cgit.krebsco.de/krops/;
    ref = "master";
  };
@ -24,12 +25,11 @@ let

  source = lib.evalSource [{
    nixpkgs.git = {
-      ref = "origin/nixos-18.03";
-      url = https://github.com/NixOS/nixpkgs-channels;
+      ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
+      url = https://github.com/NixOS/nixpkgs;
    };
    nixos-config.file = toString (pkgs.writeText "nixos-config" ''
      { pkgs, ... }: {
-
        fileSystems."/" = { device = "/dev/sda1"; };
        boot.loader.systemd-boot.enable = true;
        services.openssh.enable = true;
@ -47,4 +47,11 @@ in
  }
 ```

-and run `$(nix-build krops.nix)`. This results in a script which deploys the machine via ssh & rsync on the target machine.
+and run `$(nix-build --no-out-link krops.nix)` to deploy the target machine.
+
+Under the hood, this will make the sources available on the target machine
+below `/var/src`, and execute `nixos-rebuild switch -I /var/src`.
+
+## References
+
+- [In-depth example](http://tech.ingolf-wagner.de/nixos/krops/) by [Ingolf Wagner](https://ingolf-wagner.de/)
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,7 +1,15 @@
 { overlays ? [], ... }@args:

+let
+  nix-writers = builtins.fetchGit {
+    url = https://cgit.krebsco.de/nix-writers/;
+    rev = "c27a9416e8ee04d708b11b48f8cf1a055c0cc079";
+  };
+in
+
 import <nixpkgs> (args // {
  overlays = overlays ++ [
    (import ./overlay.nix)
+    (import "${nix-writers}/pkgs")
  ];
 })
--- a/pkgs/krops/default.nix
+++ b/pkgs/krops/default.nix
@ -2,7 +2,19 @@ let
  lib = import ../../lib;
 in

-{ nix, openssh, populate, writeDash, writeJSON }: {
+{ exec, nix, openssh, populate, writeDash }: rec {
+
+  rebuild = target:
+    exec "rebuild.${target.host}" rec {
+      filename = "${openssh}/bin/ssh";
+      argv = [
+        filename
+        "-l" target.user
+        "-p" target.port
+        target.host
+        "nixos-rebuild switch -I ${lib.escapeShellArg target.path}"
+      ];
+    };

  writeDeploy = name: { source, target }: let
    target' = lib.mkTarget target;
@ -10,9 +22,7 @@ in
    writeDash name ''
      set -efu
      ${populate { inherit source; target = target'; }}
-      ${openssh}/bin/ssh \
-          ${target'.user}@${target'.host} -p ${target'.port} \
-          nixos-rebuild switch -I ${target'.path}
+      ${rebuild target'}
    '';

  writeTest = name: { source, target }: let
@ -23,12 +33,11 @@ in
      set -efu
      ${populate { inherit source; target = target'; }}
      ${nix}/bin/nix-build \
-          -A config.system.build.toplevel \
+          -A system \
          -I ${target'.path} \
-          --arg modules '[<nixos-config>]' \
          --no-out-link \
          --show-trace \
-          '<nixpkgs/nixos/lib/eval-config.nix>'
+          '<nixpkgs/nixos>'
    '';

 }
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@ -5,14 +5,4 @@ in
 self: super: {
  krops = self.callPackage ./krops {};
  populate = self.callPackage ./populate {};
-  writeDash = name: text: self.writeScript name ''
-    #! ${self.dash}/bin/dash
-    ${text}
-  '';
-  writeJSON = name: value: self.runCommand name {
-    json = lib.toJSON value;
-    passAsFile = [ "json" ];
-  } /* sh */ ''
-    ${self.jq}/bin/jq . "$jsonPath" > "$out"
-  '';
 }
--- a/pkgs/populate/default.nix
+++ b/pkgs/populate/default.nix
@ -1,7 +1,7 @@
 with import ../../lib;
 with shell;

-{ coreutils, dash, findutils, git, jq, openssh, rsync, writeDash }:
+{ coreutils, dash, findutils, git, jq, openssh, pass, rsync, writeDash }:

 let
  check = { force, target }: let
@ -20,21 +20,21 @@ let
    fi
  '';

-  pop.file = target: file: rsync' target (quote file.path);
+  pop.file = target: source: rsync' target (quote source.path);

-  pop.git = target: git: shell' target /* sh */ ''
+  pop.git = target: source: shell' target /* sh */ ''
    if ! test -e ${quote target.path}; then
-      git clone --recurse-submodules ${quote git.url} ${quote target.path}
+      git clone --recurse-submodules ${quote source.url} ${quote target.path}
    fi
    cd ${quote target.path}
    if ! url=$(git config remote.origin.url); then
-      git remote add origin ${quote git.url}
-    elif test "$url" != ${quote git.url}; then
-      git remote set-url origin ${quote git.url}
+      git remote add origin ${quote source.url}
+    elif test "$url" != ${quote source.url}; then
+      git remote set-url origin ${quote source.url}
    fi

    # TODO resolve git_ref to commit hash
-    hash=${quote git.ref}
+    hash=${quote source.ref}

    if ! test "$(git log --format=%H -1)" = "$hash"; then
      if ! git log -1 "$hash" >/dev/null 2>&1; then
@ -48,8 +48,8 @@ let
    git clean -dfx
  '';

-  pop.pass = target: pass: let
-    passPrefix = "${pass.dir}/${pass.name}";
+  pop.pass = target: source: let
+    passPrefix = "${source.dir}/${source.name}";
  in /* sh */ ''
    umask 0077

@ -66,28 +66,28 @@ let
      rel_name=''${rel_name%.gpg}

      pass_date=$(
-        ${git}/bin/git -C ${quote pass.dir} log -1 --format=%aI "$gpg_path"
+        ${git}/bin/git -C ${quote source.dir} log -1 --format=%aI "$gpg_path"
      )
-      pass_name=${quote pass.name}/$rel_name
+      pass_name=${quote source.name}/$rel_name
      tmp_path=$tmp_dir/$rel_name

      ${coreutils}/bin/mkdir -p "$(${coreutils}/bin/dirname "$tmp_path")"
-      PASSWORD_STORE_DIR=${quote pass.dir} pass show "$pass_name" > "$tmp_path"
+      PASSWORD_STORE_DIR=${quote source.dir} ${pass}/bin/pass show "$pass_name" > "$tmp_path"
      ${coreutils}/bin/touch -d "$pass_date" "$tmp_path"
    done

    ${rsync' target /* sh */ "$tmp_dir"}
  '';

-  pop.pipe = target: pipe: /* sh */ ''
-    ${quote pipe.command} | {
+  pop.pipe = target: source: /* sh */ ''
+    ${quote source.command} | {
      ${shell' target /* sh */ "cat > ${quote target.path}"}
    }
  '';

  # TODO rm -fR instead of ln -f?
-  pop.symlink = target: symlink: shell' target /* sh */ ''
-    ln -fns ${quote symlink.target} ${quote target.path}
+  pop.symlink = target: source: shell' target /* sh */ ''
+    ln -fns ${quote source.target} ${quote target.path}
  '';

  populate = target: name: source: let
@ -112,7 +112,8 @@ let
          optionalString (!isLocalTarget target)
                         "${target.user}@${target.host}:" +
          target.path
-        )}
+        )} \
+      >&2
  '';

  shell' = target: script: