1
0
Fork 0
mirror of https://cgit.krebsco.de/krops synced 2024-12-23 10:19:52 +01:00
Mirror of Krops
Find a file
tv f2f8cbf1af
Merge pull request #9 from nyantec/feature/sudo
ssh: fix mistake with sudo on remote
2019-12-02 14:31:07 +01:00
lib ssh: support using ssh-configured user 2019-11-29 13:21:04 +01:00
pkgs ssh: fix mistake with sudo on remote 2019-12-02 11:31:02 +01:00
ci.nix ci.nix: define nixpkgs 2018-12-13 10:15:40 +01:00
LICENSE LICENSE: import WTFPL 2 2019-02-26 16:29:52 +01:00
README.md README: talk about the target attribute 2019-11-29 13:41:39 +01:00

krops (krebs ops)

krops is a lightweigt toolkit to deploy NixOS systems, remotely or locally.

Some Features

  • store your secrets in password store
  • build your system remotely
  • minimal overhead (it's basically just nixos-rebuild switch!)
  • run from custom nixpkgs branch/checkout/fork

Minimal Example

Create a file named krops.nix (name doesn't matter) with following content:

let
  krops = (import <nixpkgs> {}).fetchgit {
    url = https://cgit.krebsco.de/krops/;
    rev = "v1.17.0";
    sha256 = "150jlz0hlb3ngf9a1c9xgcwzz1zz8v2lfgnzw08l3ajlaaai8smd";
  };

  lib = import "${krops}/lib";
  pkgs = import "${krops}/pkgs" {};

  source = lib.evalSource [{
    nixpkgs.git = {
      clean.exclude = ["/.version-suffix"];
      ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
      url = https://github.com/NixOS/nixpkgs;
    };
    nixos-config.file = toString (pkgs.writeText "nixos-config" ''
      { pkgs, ... }: {
        fileSystems."/" = { device = "/dev/sda1"; };
        boot.loader.systemd-boot.enable = true;
        services.openssh.enable = true;
        environment.systemPackages = [ pkgs.git ];
        users.users.root.openssh.authorizedKeys.keys = [
          "ssh-rsa ADD_YOUR_OWN_PUBLIC_KEY_HERE user@localhost"
        ];
      }
    '');
  }];
in
  pkgs.krops.writeDeploy "deploy" {
    source = source;
    target = "root@YOUR_IP_ADDRESS_OR_HOST_NAME_HERE";
  }

and run $(nix-build --no-out-link krops.nix) to deploy the target machine.

Under the hood, this will make the sources available on the target machine below /var/src, and execute nixos-rebuild switch -I /var/src.

Deployment Target Attribute

The target attribute to writeDeploy can either be a string or an attribute set, specifying where to make the sources available, as well as where to run the deployment.

If specified as string, the format could be described as:

[[USER]@]HOST[:PORT][/SOME/PATH]

Portions in square brakets are optional.

If the USER is the empty string, as in e.g. @somehost, then the username will be obtained by SSH from its configuration files.

If the target attribute is an attribute set, then it has to define the attributes host, path, port, sudo, and user. This allows to deploy to targets that don't allow sshing in as root, but allow (preferably passwordless) sudo:

pkgs.krops.writeDeploy "deploy" {
  source = /* ... */;
  target = lib.mkTarget "user@host/path" // {
    sudo = true;
  };
}

For more details about the target attribute, please check the mkTarget function in lib/default.nix.

Source Types

derivation

Nix expression to be built at the target machine.

Supported attributes:

  • text - Nix expression to be built.

file

The file source type transfers local files (and folders) to the target using rsync.

Supported attributes:

  • path - absolute path to files that should by transfered

  • useChecksum (optional) - boolean that controls whether file contents should be checked to decide whether a file has changed. This is useful when path points at files with mangled timestamps, e.g. the Nix store.

git

Git sources that will be fetched on the target machine.

Supported attributes:

  • url - URL of the Git repository that should be fetched.

  • ref - Branch / tag / commit that should be fetched.

  • clean.exclude - List of patterns that should be excluded from Git cleaning.

pass

The pass source type transfers contents from a local password store to the target machine.

Supported attributes:

  • dir - absolute path to the password store.

  • name - sub-directory in the password store.

pipe

Executes a local command, capture its stdout, and send that as a file to the target machine.

Supported attributes:

  • command - The (shell) command to run.

Symlink to create at the target, relative to the target directory. This can be used to reference files in other sources.

Supported attributes:

  • target - Content of the symlink. This is typically a relative path.

References

Communication

Comments, questions, pull-requests, etc. are very welcome, and can be directed at: