
feat: remove colmena, add own lightweight deploy script

This commit is contained in:
oddlama 2023-09-25 21:39:50 +02:00
parent b705d8266f
commit a4365be29f
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 132 additions and 100 deletions


@ -82,7 +82,7 @@ Afterwards:
- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub` - Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub`
- (If the host has microvms, also retrieve their identities!) - (If the host has microvms, also retrieve their identities!)
- Rekey the secrets for the new identity `nix run .#rekey` - Rekey the secrets for the new identity `nix run .#rekey`
- Deploy again remotely via colmena - Deploy again
#### Remote encrypted unlock #### Remote encrypted unlock

78
flake.lock generated

@ -83,34 +83,9 @@
"type": "github" "type": "github"
} }
}, },
"colmena": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1693920448,
"narHash": "sha256-BZtC7hZVt2BwM0LIypZ2jqNhVUeHAthbd9/jkUn5PhU=",
"owner": "oddlama",
"repo": "colmena",
"rev": "e6144983a262f2ac7c34d0c9c5ea3b5bcff2ab92",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "colmena",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"elewrap", "elewrap",
@ -281,11 +256,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1650374568, "lastModified": 1673956053,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -311,22 +286,6 @@
} }
}, },
"flake-compat_4": { "flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"locked": { "locked": {
"lastModified": 1688025799, "lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@ -341,7 +300,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_6": { "flake-compat_5": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -357,7 +316,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_7": { "flake-compat_6": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -830,7 +789,7 @@
}, },
"nixpkgs-wayland": { "nixpkgs-wayland": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_5", "flake-compat": "flake-compat_4",
"lib-aggregate": "lib-aggregate", "lib-aggregate": "lib-aggregate",
"nix-eval-jobs": "nix-eval-jobs", "nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [ "nixpkgs": [
@ -920,7 +879,7 @@
}, },
"pre-commit-hooks_2": { "pre-commit-hooks_2": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_3",
"flake-utils": [ "flake-utils": [
"elewrap", "elewrap",
"flake-utils" "flake-utils"
@ -948,7 +907,7 @@
}, },
"pre-commit-hooks_3": { "pre-commit-hooks_3": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_6", "flake-compat": "flake-compat_5",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@ -976,7 +935,6 @@
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"agenix-rekey": "agenix-rekey", "agenix-rekey": "agenix-rekey",
"colmena": "colmena",
"devshell": "devshell_2", "devshell": "devshell_2",
"disko": "disko", "disko": "disko",
"elewrap": "elewrap", "elewrap": "elewrap",
@ -1024,26 +982,10 @@
"type": "github" "type": "github"
} }
}, },
"stable": {
"locked": {
"lastModified": 1669735802,
"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "731cc710aeebecbf45a258e977e8b68350549522",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
"flake-compat": "flake-compat_7", "flake-compat": "flake-compat_6",
"home-manager": [ "home-manager": [
"home-manager" "home-manager"
], ],


@ -14,12 +14,6 @@
inputs.flake-utils.follows = "flake-utils"; inputs.flake-utils.follows = "flake-utils";
}; };
colmena = {
url = "github:oddlama/colmena";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
devshell = { devshell = {
url = "github:numtide/devshell"; url = "github:numtide/devshell";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -103,7 +97,6 @@
outputs = { outputs = {
self, self,
agenix-rekey, agenix-rekey,
colmena,
devshell, devshell,
flake-utils, flake-utils,
nixos-generators, nixos-generators,
@ -135,7 +128,6 @@
inherit inherit
(import ./nix/hosts.nix inputs) (import ./nix/hosts.nix inputs)
colmena
hosts hosts
microvmConfigurations microvmConfigurations
nixosConfigurations nixosConfigurations
@ -207,14 +199,13 @@
# `nix develop` # `nix develop`
devShells.default = pkgs.devshell.mkShell { devShells.default = pkgs.devshell.mkShell {
name = "nix-config"; name = "nix-config";
packages = with pkgs; [ packages = [
faketty # Used in my colmena patch to show progress, XXX: should theoretically be propagated automatically from the patch.... pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
]; ];
commands = [ commands = [
{ {
package = colmena.packages.${system}.colmena; package = pkgs.deploy;
help = "Build and deploy this nix config to nodes"; help = "Build and deploy this nix config to nodes";
} }
{ {


@ -4,7 +4,7 @@
... ...
}: { }: {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This is a dummy config, use colmena!" false; assert builtins.trace "This is a dummy config, please deploy via the flake!" false;
{ } { }
''; '';
@ -12,7 +12,7 @@
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
allowed-users = ["@wheel"]; allowed-users = ["@wheel"];
trusted-users = ["root" "@wheel"]; trusted-users = ["root"];
substituters = [ substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
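Review bot: The new `trusted-users = ["root"];` line is a real hardening step but carries no comment, and the reason is easy to lose on the next edit: a Nix trusted user may add arbitrary substituters and import unsigned store paths, so membership is effectively root-equivalent, and `@wheel` no longer gets that while keeping plain daemon access via `allowed-users`. I would add above it `# Only root is trusted: trusted-users can import unsigned paths and set substituters (root-equivalent); wheel keeps allowed-users access only.` Presumably this works because the new deploy script copies and activates as root over ssh, but that is my inference from the rest of this commit and should be confirmed. The `settings = {` attribute set opens inside this hunk but its parent (`nix = {`) does not.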


@ -11,6 +11,7 @@
environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix]; environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix];
environment.enableDebugInfo = true; environment.enableDebugInfo = true;
# XXX: TODO reenable once https://github.com/symphorien/nixseparatedebuginfod/issues/11 is answered
services.nixseparatedebuginfod.enable = false; services.nixseparatedebuginfod.enable = true;
nix.settings.allowed-users = ["nixseparatedebuginfod"];
} }
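Review bot: The added `nix.settings.allowed-users = ["nixseparatedebuginfod"];` grants a system service access to nix-daemon without a comment saying why, and `allowed-users` is the setting that decides who may talk to the daemon at all. A one-line note such as `# The debuginfod service queries nix-daemon itself, so its user must be in allowed-users (list is merged with the @wheel entry set elsewhere).` would keep the next reader from pruning it; that the service needs daemon access is my inference from the option being set here, so confirm against the module. The merge with the `@wheel` entry happens through NixOS list-option merging and is not visible in this hunk.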


@ -11,8 +11,6 @@ inputs: let
nixosSystem nixosSystem
; ;
mapNixosConfigs = f: mapAttrs (_: f) self.nixosConfigurations;
# Creates a new nixosSystem with the correct specialArgs, pkgs and name definition # Creates a new nixosSystem with the correct specialArgs, pkgs and name definition
mkHost = name: system: let mkHost = name: system: let
pkgs = self.pkgs.${system}; pkgs = self.pkgs.${system};
@ -49,18 +47,6 @@ inputs: let
# Process each nixosHosts declaration and generatea nixosSystem definitions # Process each nixosHosts declaration and generatea nixosSystem definitions
nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system); nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system);
# We now wrap nixosConfigurations so that colmena understands it
colmena =
{
meta = {
# Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
nixpkgs = self.pkgs.x86_64-linux;
nodeNixpkgs = mapNixosConfigs (v: v.pkgs);
nodeSpecialArgs = mapNixosConfigs (v: v._module.specialArgs);
};
}
// mapNixosConfigs (v: {imports = v._module.args.modules;});
# True NixOS nodes can define additional microvms (guest nodes) that are built # True NixOS nodes can define additional microvms (guest nodes) that are built
# together with the true host. We collect all defined microvm nodes # together with the true host. We collect all defined microvm nodes
# from each node here to allow accessing any node via the unified attribute `nodes`. # from each node here to allow accessing any node via the unified attribute `nodes`.
@ -70,7 +56,6 @@ inputs: let
(node.config.meta.microvms.vms or {})); (node.config.meta.microvms.vms or {}));
in { in {
inherit inherit
colmena
hosts hosts
microvmConfigurations microvmConfigurations
nixosConfigurations nixosConfigurations


@ -2,6 +2,7 @@
(import ./caddy.nix) (import ./caddy.nix)
(import ./oauth2-proxy) (import ./oauth2-proxy)
(_self: super: { (_self: super: {
deploy = super.callPackage ./deploy.nix {};
git-fuzzy = super.callPackage ./git-fuzzy {}; git-fuzzy = super.callPackage ./git-fuzzy {};
kanidm-secret-manipulator = super.callPackage ./kanidm-secret-manipulator.nix {}; kanidm-secret-manipulator = super.callPackage ./kanidm-secret-manipulator.nix {};
segoe-ui-ttf = super.callPackage ./segoe-ui-ttf.nix {}; segoe-ui-ttf = super.callPackage ./segoe-ui-ttf.nix {};

112
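--- /dev/null
+++ b/pkgs/deploy.nix
@@ -0,0 +1,112 @@
+{
+writeShellApplication,
+bc,
+}: let
+deploy = writeShellApplication {
+name = "deploy";
+text = ''
+set -euo pipefail
+shopt -s lastpipe # allow cmd | readarray
+function die() { echo "error: $*" >&2; exit 1; }
+function show_help() {
+echo 'Usage: deploy [OPTIONS] <host,...> [ACTION]'
+echo "Builds, pushes and activates nixosConfigurations on target systems."
+echo ""
+echo 'ACTION:'
+echo ' switch [default] Switch immediately to the new configuration and make it the boot default'
+echo ' boot Make the configuration the new boot default'
+echo " test Activate the configuration but don't make it the boot default"
+echo " dry-activate Don't activate, just show what would be done"
+echo ""
+echo 'OPTIONS: [passed to nix build]'
+}
+function time_start() {
+T_START=$(date +%s.%N)
+}
+function time_next() {
+T_END=$(date +%s.%N)
+T_LAST=$(${bc}/bin/bc <<< "scale=1; ($T_END - $T_START)/1")
+T_START="$T_END"
+}
+USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) \
+|| die "Could not determine current working directory. Something went very wrong."
+[[ -e "$USER_FLAKE_DIR/flake.nix" ]] \
+|| die "Could not determine location of your project's flake.nix. Please run this at or below your main directory containing the flake.nix."
+cd "$USER_FLAKE_DIR"
+[[ $# -gt 0 ]] || {
+show_help
+exit 1
+}
+OPTIONS=()
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+case "$1" in
+"help"|"--help"|"-help"|"-h")
+show_help
+exit 1
+;;
+-*) OPTIONS+=("$1") ;;
+*) POSITIONAL_ARGS+=("$1") ;;
+esac
+shift
+done
+[[ ''${#POSITIONAL_ARGS[@]} -ge 1 ]] \
+|| die "Missing argument: <hosts...>"
+[[ ''${#POSITIONAL_ARGS[@]} -le 2 ]] \
+|| die "Too many arguments given."
+tr , '\n' <<< "''${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
+ACTION="''${POSITIONAL_ARGS[1]-switch}"
+# Expand flake paths for hosts definitions
+declare -A TOPLEVEL_FLAKE_PATHS
+for host in "''${HOSTS[@]}"; do
+TOPLEVEL_FLAKE_PATHS["$host"]=".#nixosConfigurations.$host.config.system.build.toplevel"
+done
+time_start
+#echo " Building 📦 ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s)"
+#nix build --no-link "''${TOPLEVEL_FLAKE_PATHS[@]}" "''${OPTIONS[@]}" \
+# || die "Failed to build derivations"
+#time_next
+#echo " Built ✅ ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s) in ''${T_LAST}s"
+# Get outputs of all derivations (should be cached)
+declare -A TOPLEVEL_STORE_PATHS
+for host in "''${HOSTS[@]}"; do
+toplevel="''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+echo " Building 📦 configuration for $host"
+TOPLEVEL_STORE_PATHS["$host"]=$(nix build --no-link --print-out-paths "''${OPTIONS[@]}" "$toplevel") \
+|| die "Failed to get derivation path for $host from ''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+time_next
+echo " Built  configuration for $host in ''${T_LAST}s"
+done
+for host in "''${HOSTS[@]}"; do
+store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+echo " Copying  to $host"
+nix copy --to "ssh-ng://$host" "$store_path"
+time_next
+echo " Copied  $store_path to $host in ''${T_LAST}s"
+done
+for host in "''${HOSTS[@]}"; do
+store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+echo " Applying  on $host"
+ssh "$host" -- "$store_path"/bin/switch-to-configuration "$ACTION"
+nix copy --to "ssh-ng://$host" "$store_path"
+time_next
+echo " Applied  on $host in ''${T_LAST}s"
+done
+'';
+};
+in
+deploy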
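Review bot: `ACTION` is taken verbatim from the second positional argument and spliced into the remote command at `ssh "$host" -- "$store_path"/bin/switch-to-configuration "$ACTION"`; ssh joins its arguments into one string that the remote login shell re-parses, so a value such as `switch; reboot` runs on the target as root instead of being rejected, and a plain typo like `swtich` only fails after every closure has already been built and copied. Validate it against the four actions the help text lists before any build starts (fence below). The second `nix copy --to "ssh-ng://$host" "$store_path"` directly after the switch call repeats the copy already done in the previous loop and looks like a leftover; drop it or add a comment saying why the closure is copied twice. Both `nix copy` and the remote activation need a root (trusted-user) login on each target, which this script leaves entirely to the caller's ssh config; a sentence in `show_help` or a header comment stating that assumption would save the next user a confusing failure.

```nix
      ACTION="''${POSITIONAL_ARGS[1]-switch}"
      case "$ACTION" in
        switch|boot|test|dry-activate) ;;
        *) die "Unknown action: $ACTION (expected switch, boot, test or dry-activate)" ;;
      esac
      # … unchanged: flake path expansion, build, copy and activation loops …
```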