Migrate to morph as a replacement to nixops
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 4 Sep 2020 00:40:24 +0000 (02:40 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 4 Sep 2020 00:59:46 +0000 (02:59 +0200)
The deployment tasks are now independent of any state

20 files changed:
.envrc
.gitignore
Makefile
docs/migrate_hetzner.md [deleted file]
modules/private/system.nix
modules/private/system/backup-2.nix
modules/private/system/dilion.nix
modules/private/system/eldiron.nix
modules/private/system/monitoring-1.nix
modules/secrets.nix
nixops/Makefile
nixops/default.nix
nixops/scripts/setup
nixops/scripts/with_env
nixops/secrets
nixops/state/.gitkeep [deleted file]
overlays/default.nix
overlays/morph/default.nix [new file with mode: 0644]
overlays/morph/verbose_nix.patch [new file with mode: 0644]
shell.nix

diff --git a/.envrc b/.envrc
index 6eeaba9ee75de5e41b9dad17c6ea956d256f63c9..8aa086a456f888e0fba86e46318620c55633b3b3 100644 (file)
--- a/.envrc
+++ b/.envrc
@@ -1,7 +1,5 @@
 # vim: filetype=bash
 export PASSWORD_STORE_DIR=$(expand_path nixops/secrets)
-export NIXOPS_STATE=$(expand_path nixops/state/immaeEu.nixops)
-export NIXOPS_DEPLOYMENT=cef694f3-081d-11e9-b31f-0242ec186adf
 export NIX_PATH=nixpkgs=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nixops".url')
 
 export NIXOPS_ENV_LOADED=1
index 6786d422b6bf2a0ee0112c13cddd1ef50b41544a..ff9c9cf74e7ede68b0b8a56135ff815f9a230b1b 100644 (file)
@@ -1,3 +1,4 @@
 /result*
 /versions_log
 .direnv/
+/nixops/.gcroots
index 6ba059c64cdd0364cfb8bf42ae15ddd466e17fa3..9c12ff48fdeafc687e840fe989cd1a54aefb40b1 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,7 @@
 subrecipes = setup nix-info edit_env
-subrecipes += nixops ssh-eldiron ssh-backup-2 ssh-monitoring-1
-subrecipes += info debug dry-run build upload deploy deploy-reboot reboot
+subrecipes += ssh-eldiron ssh-backup-2 ssh-monitoring-1
+subrecipes += debug build upload deploy deploy-reboot
 subrecipes += list-generations delete-generations cleanup
-subrecipes += pull_deployment deployment_is_set push_deployment
 ${subrecipes}:
        @$(MAKE) --no-print-directory -C nixops/ $@
 .PHONY: ${subrecipes}
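Review bot: `ssh-dilion` is defined in nixops/Makefile (and listed in its `.PHONY`), but the new `subrecipes` line only forwards `ssh-eldiron ssh-backup-2 ssh-monitoring-1`, so `make ssh-dilion` from the repository root fails while the other three hosts work. The fix is the one line `subrecipes += ssh-eldiron ssh-dilion ssh-backup-2 ssh-monitoring-1`. The `debug build upload deploy deploy-reboot` line matches the sub-Makefile, so only the ssh list is out of sync.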
diff --git a/docs/migrate_hetzner.md b/docs/migrate_hetzner.md
deleted file mode 100644 (file)
index c7fbe20..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-nixops show a deprecation message at each deployment because hetzner
-info is outdated. To fix it:
-
-    cp -a ~/.nixops ~/.nixops.bak
-
-    nixops export --all > all.json
-
-    network=$(cat all.json| jq -r '."cef694f3-081d-11e9-b31f-0242ec186adf".resources.eldiron."hetzner.networkInfo"' | jq -r -c '.networking.interfaces.eth0 = { "ipv4": { "addresses": [ { "address": .networking.interfaces.eth0.ipAddress, "prefixLength": .networking.interfaces.eth0.prefixLength } ] } }')
-
-    cat all.json | jq --arg network "$network" '."cef694f3-081d-11e9-b31f-0242ec186adf".resources.eldiron."hetzner.networkInfo" = $network' > all_new.json
-
-    nixops delete --force -d eldiron
-
-    nixops import < all_new.json
-
-    rm all.json all_new.json
-
-*check that everything works*, then:
-
-    rm -rf ~/.nixops.bak
index b667ee8282254aced5cc6faac0484d8525359797..6b4ef6e4e4ad75e0e925bb7da29e9433b6886e6c 100644 (file)
@@ -1,6 +1,12 @@
-{ pkgs, lib, config, name, ... }:
+{ pkgs, lib, config, name, nodes, ... }:
 {
   config = {
+    networking.extraHosts = builtins.concatStringsSep "\n"
+      (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+    users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
+    services.openssh.enable = true;
+
     services.duplyBackup.profiles.system = {
       rootDir = "/var/lib";
       excludeFile = lib.mkAfter ''
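Review bot: Enabling sshd with a root authorized key on every node leaves the rest of the policy to nixpkgs defaults; nothing in this hunk disables password authentication or pins `permitRootLogin`, and whether `myServices.ssh` does so is not visible here. Since root key login is now fleet-wide, make it explicit next to `services.openssh.enable = true;`: `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` (wrap in `lib.mkDefault` if a host module must override). A short comment that the key file is the deployer's morph identity would also help, since the same directory holds the matching private key per `scripts/with_env`.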
@@ -73,6 +79,8 @@
     environment.systemPackages = [
       pkgs.git
       pkgs.vim
+      pkgs.rsync
+      pkgs.strace
     ] ++
     (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
 
index a49c37474a958c84949138d3507db2dfac5f475a..d1064c7a5dec513f51f10535ea693307327e530b 100644 (file)
@@ -1,26 +1,22 @@
 { privateFiles }:
 { config, pkgs, resources, name, ... }:
 {
+  deployment = {
+    targetUser = "root";
+    targetHost = config.hostEnv.ips.main.ip4;
+    substituteOnDestination = true;
+  };
   boot.kernelPackages = pkgs.linuxPackages_latest;
   myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
 
-  imports = builtins.attrValues (import ../..);
-
-  deployment = {
-    targetEnv = "hetznerCloud";
-    hetznerCloud = {
-      authToken = config.myEnv.hetznerCloud.authToken;
-      datacenter = "hel1-dc2";
-      location  ="hel1";
-      serverType = "cx11";
-    };
-  };
+  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);
 
   fileSystems = {
     "/backup2" = {
       fsType = "ext4";
       device = "UUID=b9425333-f567-435d-94d8-b26c22d93426";
     };
+    "/" = { device = "/dev/sda1"; fsType = "ext4"; };
   };
 
   networking = {
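Review bot: The new root filesystem entry `"/" = { device = "/dev/sda1"; fsType = "ext4"; };` pins a kernel device name, while the `/backup2` entry just above it uses `UUID=…`; on a VM with an attached volume the enumeration order is not guaranteed, and a renamed disk leaves the host unbootable after the next `boot`/reboot deploy. Prefer `device = "/dev/disk/by-uuid/<uuid>";` (or a label) as is already done for `/backup2`. The qemu-guest profile import is presumably what nixops' hetznerCloud backend injected before; a one-line comment saying so would keep the next reader from removing it.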
@@ -34,6 +30,8 @@
     defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
   };
 
+  boot.loader.grub.device = "nodev";
+
   myServices.certificates.enable = true;
   security.acme.certs."${name}" = {
     user = config.services.nginx.user;
index 5c246565eba94d5f93efd233550df4eaad331d98..5abaac0125adb1ed75d1f5093f29e0583fc39dc3 100644 (file)
@@ -1,59 +1,81 @@
 { privateFiles }:
 { config, pkgs, name, lib, ... }:
 {
-  boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  deployment = {
+    targetUser = "root";
+    targetHost = config.hostEnv.ips.main.ip4;
+    substituteOnDestination = true;
+  };
+  nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
+  boot = {
+    loader = {
+      grub = {
+        version = 2;
+        devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
+      };
+      timeout = 1;
+    };
+    blacklistedKernelModules = [ "nvidiafb" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelModules = [ "kvm-intel" ];
+    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+    initrd.secrets = {
+      "/boot/pass.key" = "/boot/pass.key";
+    };
+    kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
+  };
+  nix.maxJobs = 8;
+  powerManagement.cpuFreqGovernor = "powersave";
+  hardware.enableRedistributableFirmware = true;
+
   myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
 
+  swapDevices = [ { label = "swap"; } ];
   fileSystems = {
-    "/"           = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+    "/"           = { fsType = "zfs"; device = "zpool/root"; };
     "/boot"       = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
     "/etc"        = { fsType = "zfs"; device = "zpool/root/etc"; };
     "/home"       = { fsType = "zfs"; device = "zpool/root/home"; };
     "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
     "/tmp"        = { fsType = "zfs"; device = "zpool/root/tmp"; };
     "/var"        = { fsType = "zfs"; device = "zpool/root/var"; };
+    "/data"       = { fsType = "ext4"; label = "data"; };
+    "/nix"        = { fsType = "ext4"; label = "nix"; };
   };
-  boot.initrd.secrets = {
-    "/boot/pass.key" = "/boot/pass.key";
-  };
+
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
+  '';
 
   networking = {
     hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
     firewall.enable = false;
-    interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
-      (n: ips: { address = ips.ip4; prefixLength = 32; })
-      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
-    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
-      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
-      config.hostEnv.ips);
+    interfaces."eth0".ipv4.addresses =
+      [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
+      ++ pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: { address = ips.ip4; prefixLength = 32; })
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+    interfaces."eth0".ipv6.addresses =
+      [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
+      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+        config.hostEnv.ips);
+    defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
+    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+    nameservers = [
+      "213.133.98.98"
+      "213.133.99.99"
+      "213.133.100.100"
+      "2a01:4f8:0:a0a1::add:1010"
+      "2a01:4f8:0:a102::add:9999"
+      "2a01:4f8:0:a111::add:9898"
+    ];
   };
 
   myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
   imports = builtins.attrValues (import ../..);
 
-  deployment = {
-    targetEnv = "hetzner";
-    hetzner = {
-      robotUser = config.myEnv.hetzner.user;
-      robotPass = config.myEnv.hetzner.pass;
-      mainIPv4 = config.hostEnv.ips.main.ip4;
-      partitions = ''
-        clearpart --all --initlabel --drives=sda,sdb,sdc,sdd
-
-        part swap --recommended --label=swap --fstype=swap --ondisk=sda
-
-        part raid.1 --grow --ondisk=sdc
-        part raid.2 --grow --ondisk=sdd
-
-        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
-
-        part /nix --grow --label=nix --ondisk=sda
-        part /data --grow --label=data --ondisk=sdb
-      '';
-    };
-  };
-
   system.nssModules = [ pkgs.libvirt ];
   system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
   programs.zsh.enable = true;
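Review bot: The `deployment = { targetUser = "root"; targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; };` block at the top of this module is repeated verbatim in dilion, backup-2 and monitoring-1, and the Hetzner nameserver list is duplicated between this file and dilion. Both belong in modules/private/system.nix, which already receives `config` and `nodes`, as `lib.mkDefault` values so a host can still override them; that also gives a single place to document that `targetHost` is the main IPv4 because the nodes are not in DNS on the deployer. The literal `2a01:4f8:141:53e7::` with prefix 64 sits next to the hostEnv-derived main IPv6 that also gets a 64 prefix, so it should carry a comment saying why the network address itself is configured on the interface (a Hetzner requirement, if that is the reason).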
     }
   ];
 
-  boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
   system.activationScripts.libvirtd_exports = ''
     install -m 0755 -o root -g root -d /var/lib/caldance
   '';
index 83e52b8989636d50328060d97412329c2bfc0f66..bb8bbfc0d1e9c779dba2f9dcae4aab3849f13eca 100644 (file)
@@ -1,22 +1,45 @@
 { privateFiles }:
 { config, pkgs, lib, ... }:
 {
-  boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelParams = ["zfs.zfs_arc_max=6442450944"];
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  deployment = {
+    targetUser = "root";
+    targetHost = config.hostEnv.ips.main.ip4;
+    substituteOnDestination = true;
+  };
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    blacklistedKernelModules = [ "nvidiafb" ];
+    loader.timeout = 1;
+    loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+    kernel.sysctl = {
+      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+      "net.ipv4.tcp_sack" = 0;
+    };
+    supportedFilesystems = [ "zfs" ];
+    kernelParams = ["zfs.zfs_arc_max=6442450944"];
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+    initrd.secrets = {
+      "/boot/pass.key" = "/boot/pass.key";
+    };
+  };
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
+  '';
+  nix.maxJobs = 8;
+  powerManagement.cpuFreqGovernor = "powersave";
   myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
 
   fileSystems = {
-    "/"     = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+    "/"     = { fsType = "zfs"; device = "zpool/root"; };
     "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
     "/etc"  = { fsType = "zfs"; device = "zpool/root/etc"; };
     "/nix"  = { fsType = "zfs"; device = "zpool/root/nix"; };
     "/tmp"  = { fsType = "zfs"; device = "zpool/root/tmp"; };
     "/var"  = { fsType = "zfs"; device = "zpool/root/var"; };
   };
-  boot.initrd.secrets = {
-    "/boot/pass.key" = "/boot/pass.key";
-  };
+  swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
+  hardware.enableRedistributableFirmware = true;
 
   services.zfs = {
     autoScrub = {
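Review bot: The `"net.ipv4.tcp_sack" = 0` sysctl retained at the top of the new `boot` block cites the 2019 Netflix SACK-panic advisory, which was a stop-gap for kernels without the fix; this host runs `pkgs.linuxPackages_latest`, so if the kernel is current the workaround is stale and disabling SACK costs throughput on lossy links. Either drop the two lines or extend the comment with the reason it is still wanted, e.g. `# kept deliberately: <reason>; the kernel fix landed in 2019`. The same applies to the `xmr-stak` hugepages comment in eldiron, which documents what but not whether it is still in use.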
     hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
     firewall.enable = true;
     # 176.9.151.89 declared in nixops -> infra / tools
-    interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
-      (n: ips: { address = ips.ip4; prefixLength = 32; })
-      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+    interfaces."eth0".ipv4.addresses =
+      pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: { address = ips.ip4; prefixLength = 32; })
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips)
+      ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
     interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
       (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
       config.hostEnv.ips);
+    defaultGateway = "176.9.151.65";
+    localCommands = ''
+      # FIXME: Those commands were added by nixops and may not be
+      # actually needed
+      ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
+      ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
+      ip -6 route add default via 'fe80::1' dev eth0 || true
+    '';
+    nameservers = [
+      "213.133.98.98"
+      "213.133.99.99"
+      "213.133.100.100"
+      "2a01:4f8:0:a0a1::add:1010"
+      "2a01:4f8:0:a102::add:9999"
+      "2a01:4f8:0:a111::add:9898"
+    ];
   };
 
   imports = builtins.attrValues (import ../..);
 
-  boot.kernel.sysctl = {
-    # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
-    "net.ipv4.tcp_sack" = 0;
-  };
   myServices.buildbot.enable = true;
   myServices.databases.enable = true;
   myServices.gitolite.enable = true;
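Review bot: Two of the three imperative commands in the new `localCommands` block have declarative equivalents, and the `|| true` suffixes hide any failure at boot. `ip -6 route add default via 'fe80::1' dev eth0` is `defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };` as eldiron already does, and `ip -6 addr add '2a01:4f8:160:3445::/64'` is an extra `{ address = "2a01:4f8:160:3445::"; prefixLength = 64; }` entry in `interfaces."eth0".ipv6.addresses`. That leaves only the Hetzner-specific `ip -4 route change` in `localCommands`, and the FIXME can then state precisely what remains to be verified.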
       "${profile.host_key_type} ${profile.host_key}";
   };
 
-  deployment = {
-    targetEnv = "hetzner";
-    hetzner = {
-      robotUser = config.myEnv.hetzner.user;
-      robotPass = config.myEnv.hetzner.pass;
-      mainIPv4 = config.hostEnv.ips.main.ip4;
-      partitions = ''
-        clearpart --all --initlabel --drives=sda,sdb
-
-        part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
-        part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
-
-        part raid.1 --grow --ondisk=sda
-        part raid.2 --grow --ondisk=sdb
-
-        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
-      '';
-    };
-  };
-
   services.cron = {
     enable = true;
     mailto = "cron@immae.eu";
index c87c78456b006e1e3a129bea73d577eca6d4beda..2241b2b71d579be9e952aea089651cb2df9f9878 100644 (file)
@@ -1,20 +1,15 @@
 { privateFiles }:
 { config, pkgs, resources, ... }:
 {
+  deployment = {
+    targetUser = "root";
+    targetHost = config.hostEnv.ips.main.ip4;
+    substituteOnDestination = true;
+  };
   boot.kernelPackages = pkgs.linuxPackages_latest;
   myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
 
-  imports = builtins.attrValues (import ../..);
-
-  deployment = {
-    targetEnv = "hetznerCloud";
-    hetznerCloud = {
-      authToken = config.myEnv.hetznerCloud.authToken;
-      datacenter = "hel1-dc2";
-      location  ="hel1";
-      serverType = "cx11";
-    };
-  };
+  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);
 
   myServices.monitoring.enable = true;
   myServices.monitoring.master = true;
@@ -29,6 +24,8 @@
       config.hostEnv.ips);
     defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
   };
+  boot.loader.grub.device = "nodev";
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
   myServices.mailRelay.enable = true;
 
   security.pki.certificateFiles = [
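Review bot: `fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };` relies on a stable kernel device name; use `/dev/disk/by-uuid/<uuid>` or a label so the root mount survives device reordering, as backup-2's `/backup2` entry already does. `boot.loader.grub.device = "nodev"` means NixOS regenerates grub.cfg but never runs grub-install, so booting depends on the bootloader nixops installed earlier; a comment such as `# GRUB already installed by the provider image; only grub.cfg is managed` would make that dependency visible.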
index a2424e920fd78eb62021fb70bfb4db8bedb53e73..a149f02ca9baeb873b26d6732102b5944caf8c4d 100644 (file)
         fi
         '';
     };
-    deployment.keys."secrets.tar" = {
+    system.extraDependencies = [ secrets ];
+    deployment.secrets."secrets.tar" = {
+      source = "${secrets}";
+      destination = "/run/keys/secrets.tar";
+      owner.user = "root";
+      owner.group = "root";
       permissions = "0400";
-      # keyFile below is not evaluated at build time by nixops, so the
-      # `secrets` path doesn’t necessarily exist when uploading the
-      # keys, and nixops is unhappy.
-      user = "root${builtins.substring 10000 1 secrets}";
-      group = "root";
-      keyFile = "${secrets}";
     };
   };
 }
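Review bot: `system.extraDependencies = [ secrets ];` puts the `secrets` derivation into the system closure, so `morph push` copies it into the target's /nix/store, which is world-readable; if that derivation's output is the plaintext tarball (as `source = "${secrets}"` suggests), the `permissions = "0400"` on /run/keys/secrets.tar protects nothing, and the archive also sits in the deployer's store. The old nixops comment explains the motive, forcing the path to exist before upload, but that should be done by realising the derivation locally (e.g. a `nix-build` of it in the `deploy` recipe, or a morph pre-deploy step) rather than by shipping it inside the closure. Add a comment on the `deployment.secrets` entry stating that `--upload-secrets` is what delivers the file and that it must not be referenced from the closure. The enclosing attribute set begins outside this hunk.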
index 18d48eb552c4eda3da184c2b991ba3dd8b8f69ad..0bebaf8202ebaec529a9ec2c9d26e0f766fe8dd9 100644 (file)
@@ -2,8 +2,6 @@ ifndef NIXOPS_ENV_LOADED
   $(error "Please load environment with direnv")
 endif
 
-NIXOPS_PRIV = ./scripts/with_env nixops
-
 ###### Current channel information
 nix-info:
        @version=$$(nix eval --raw nixpkgs.lib.version) && \
@@ -17,100 +15,69 @@ setup:
        ./scripts/setup
 .PHONY: setup
 
-###### Nixops regular tasks
+###### Morph regular tasks
+PROFILE=/nix/var/nix/profiles/per-user/immae/morph/immaeEu
 TARGET ?=
-NIXOPS_ARGS ?=
+MORPH_ARGS ?=
 ifdef TARGET
-  override NIXOPS_ARGS +=--include=$(TARGET)
+  # multiple targets: --on="{machine1,machine2}" (works with * glob too)
+  override MORPH_ARGS +=--on=$(TARGET)
 endif
 SSH_ARGS ?=
 
 edit_env:
        pass edit Nixops/files/environment.nix || true
 
-nixops:
-       $(NIXOPS_PRIV) $(NIXOPS_ARGS)
-
 ssh-eldiron:
-       $(NIXOPS_PRIV) ssh eldiron -- $(SSH_ARGS)
+       ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@eldiron $(SSH_ARGS)'
 
 ssh-dilion:
-       $(NIXOPS_PRIV) ssh dilion -- $(SSH_ARGS)
+       ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@dilion $(SSH_ARGS)'
 
 ssh-backup-2:
-       $(NIXOPS_PRIV) ssh backup-2 -- $(SSH_ARGS)
+       ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@backup-2 $(SSH_ARGS)'
 
 ssh-monitoring-1:
-       $(NIXOPS_PRIV) ssh monitoring-1 -- $(SSH_ARGS)
-
-info:
-       $(NIXOPS_PRIV) list
-       $(NIXOPS_PRIV) info
+       ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@monitoring-1 $(SSH_ARGS)'
 
 debug:
-       $(NIXOPS_PRIV) deploy --build-only --show-trace $(NIXOPS_ARGS)
-
-dry-run:
-       $(NIXOPS_PRIV) deploy --dry-run $(NIXOPS_ARGS)
+       ./scripts/with_env morph build --show-trace default.nix $(MORPH_ARGS)
 
 build:
-       $(NIXOPS_PRIV) deploy --build-only $(NIXOPS_ARGS)
+       ./scripts/with_env morph build default.nix $(MORPH_ARGS)
 
 upload:
-       $(NIXOPS_PRIV) deploy --copy-only $(NIXOPS_ARGS)
+       ./scripts/with_env morph push default.nix $(MORPH_ARGS)
 
 deploy:
-       $(NIXOPS_PRIV) deploy $(NIXOPS_ARGS)
+       ./scripts/with_env morph deploy default.nix switch --keep-result --upload-secrets $(MORPH_ARGS)
+       nix-env -p $(PROFILE) --set .gcroots/default.nix
 
 deploy-reboot:
-       $(NIXOPS_PRIV) deploy --force-reboot $(NIXOPS_ARGS)
+       ./scripts/with_env morph deploy default.nix boot --reboot --upload-secrets $(MORPH_ARGS)
 
-reboot:
-       $(NIXOPS_PRIV) reboot --include=$(TARGET)
-.PHONY: nixops ssh-eldiron info debug dry-run build upload deploy deploy-reboot reboot
+.PHONY: ssh-eldiron ssh-dilion ssh-monitoring-1 ssh-backup-2 debug build upload deploy deploy-reboot
 
 ###### Cleanup generations and garbage collection
-profile := $$($(NIXOPS_PRIV) info | grep "^Nix profile: " | sed -e "s/^Nix profile: //")
 GEN ?= "+3"
 
 list-generations:
-       nix-env -p $(profile) --list-generations
-       $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --list-generations
+       nix-env -p $(PROFILE) --list-generations
+       $(MAKE) ssh-eldiron SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --list-generations"
 .PHONY: list-generations
 
 delete-generations:
-       nix-env -p $(profile) --delete-generations $(GEN)
-       $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
-       $(NIXOPS_PRIV) ssh dilion -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
-       $(NIXOPS_PRIV) ssh backup-2 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
-       $(NIXOPS_PRIV) ssh monitoring-1 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
+       nix-env -p $(PROFILE) --delete-generations $(GEN)
+       $(MAKE) ssh-eldiron SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)"
+       $(MAKE) ssh-dilion SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)"
+       $(MAKE) ssh-backup-2 SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)"
+       $(MAKE) ssh-monitoring-1 SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)"
 .PHONY: delete-generations
 
 cleanup: delete-generations
        nix-store --gc
-       $(NIXOPS_PRIV) ssh eldiron -- nix-store --gc
-       $(NIXOPS_PRIV) ssh dilion -- nix-store --gc
-       $(NIXOPS_PRIV) ssh backup-2 -- nix-store --gc
-       $(NIXOPS_PRIV) ssh monitoring-1 -- nix-store --gc
+       $(MAKE) ssh-eldiron SSH_ARGS="nix-store --gc"
+       $(MAKE) ssh-dilion SSH_ARGS="nix-store --gc"
+       $(MAKE) ssh-backup-2 SSH_ARGS="nix-store --gc"
+       $(MAKE) ssh-monitoring-1 SSH_ARGS="nix-store --gc"
 .PHONY: cleanup
-
-###### Pull environment and deployment from remote
-pull_deployment:
-       @if nixops info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null ; then \
-         echo "This will remove your current deployment file and recreate it!. Continue? [y/N]" && \
-         read y && \
-         [ "$$y" = "y" -o "$$y" = "Y" ] && \
-         nixops delete --force -d $(NIXOPS_DEPLOYMENT); \
-       fi
-       pass show Nixops/Deployment | nixops import
-       nixops modify -d $(NIXOPS_DEPLOYMENT) "$$(pwd)/default.nix"
-.PHONY: pull_deployment
-
-deployment_is_set:
-       nixops info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null
-.PHONY: deployment_is_set
-
-###### Push deployment information to password store
-push_deployment:
-       nixops export | pass insert -m Nixops/Deployment
-.PHONY: push
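Review bot: `PROFILE=/nix/var/nix/profiles/per-user/immae/morph/immaeEu` hardcodes a login name, so the `deploy`, `list-generations` and `delete-generations` recipes break for anyone else running the Makefile; `PROFILE=/nix/var/nix/profiles/per-user/$(USER)/morph/immaeEu` keeps the same layout. `deploy-reboot` also omits the `--keep-result` flag and the `nix-env -p $(PROFILE) --set .gcroots/default.nix` step that `deploy` performs, so a reboot deployment is not recorded in the local profile and its closure is not GC-rooted; mirror those two lines there. A comment above `PROFILE` explaining that the profile exists for generation listing and rollback would help, since morph itself does not need it.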
index 56b86e8a725b8fb8189fcc64b1189c07e6172909..7c6dd380de953a83c75f0208620344cda91ceb18 100644 (file)
@@ -1,12 +1,7 @@
-{ privateFiles ? ./. }:
+let
+  privateFiles = <privateFiles>;
+in
 {
-  network = {
-    description = "Immae's network";
-    enableRollback = true;
-  };
-
-  # Used by hetzner cloud to provision machines
-  resources.sshKeyPairs.ssh-key = {};
   dilion = import ../modules/private/system/dilion.nix { inherit privateFiles; };
   eldiron = import ../modules/private/system/eldiron.nix { inherit privateFiles; };
   backup-2 = import ../modules/private/system/backup-2.nix { inherit privateFiles; };
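Review bot: `privateFiles = <privateFiles>;` yields a Nix path value where the former `--argstr` gave a string, and every `"${privateFiles}/…"` interpolation in the machine modules (`import "${privateFiles}/environment.nix"`, the root `authorizedKeys.keyFiles` entry) coerces that path to a string by copying the whole directory into the evaluator's /nix/store, which is world-readable on the deployer and only removed by GC. Per `scripts/with_env` that directory is the decrypted pass tree, including `id_ed25519`. Use `privateFiles = builtins.toString <privateFiles>;` to keep the old string semantics with no change to the modules, or keep the path and switch the callers to `privateFiles + "/file"` concatenation, which does not import. A comment here that the search-path entry is provided by `scripts/with_env` would also explain the otherwise bare lookup.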
index 22f43ce0b8af983b39e6da0ea4a3ceadb504a812..e161e43ec97f965e72da9c9b59f9ed4413cbaab9 100755 (executable)
@@ -2,8 +2,6 @@
 
 set -euo pipefail
 
-MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"
-
 if ! which nix 2>/dev/null >/dev/null; then
   cat <<-EOF
        nix is needed, please install it:
@@ -62,20 +60,6 @@ if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
   read y
 fi
 
-if ! make -C $MAKEFILE_DIR deployment_is_set 2>/dev/null >/dev/null; then
-  cat <<-EOF
-       Importing deployment file into nixops:
-       Continue? [y/N]
-       EOF
-  read y
-  if [ "$y" = "y" -o "$y" = "Y" ]; then
-    make -C $MAKEFILE_DIR pull_deployment
-  else
-    echo "Aborting"
-    exit 1
-  fi
-fi
-
 cat <<-EOF
        All set up.
        Please make sure you’re using make commands when deploying
index 9882f787f120c855a8b291bdf534d24356c143b1..f8e5537b43423b3ac0362d79bb8b9226f502d3ac 100755 (executable)
@@ -5,12 +5,12 @@ if [ -z "$NIXOPS_ENV_LOADED" ]; then
   exit 1;
 fi
 
+umask 0077
 TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
 chmod go-rwx $TEMP
 
 finish() {
   rm -rf "$TEMP"
-  nixops set-args --unset privateFiles
 }
 
 trap finish EXIT
@@ -21,6 +21,8 @@ files=$(pass ls Nixops/files | sed -e '1d' -e 's/^.* //')
 for file in $files; do
   pass show "Nixops/files/$file" > $TEMP/$file
 done
-nixops set-args --argstr privateFiles "$TEMP"
+
+export NIX_PATH="privateFiles=$TEMP:$NIX_PATH"
+export SSH_IDENTITY_FILE="$TEMP/id_ed25519"
 
 "$@"
index 79b991028b09aa59f719059de8dc1fba7d6b04fd..def4146f0e703ca9a32735fbbc3820d6f9bb22ef 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 79b991028b09aa59f719059de8dc1fba7d6b04fd
+Subproject commit def4146f0e703ca9a32735fbbc3820d6f9bb22ef
diff --git a/nixops/state/.gitkeep b/nixops/state/.gitkeep
deleted file mode 100644 (file)
index e69de29..0000000
index 0c7c738857ccf6c737dfe7bbe5d3d6c86c74e9fa..7444e15139fde6599293032f720df77796c9e98d 100644 (file)
@@ -32,5 +32,6 @@
   doing = import ./doing;
   khal = import ./khal;
   nix-direnv = import ./nix-direnv;
+  morph = import ./morph;
 }
 // import ./python-packages
diff --git a/overlays/morph/default.nix b/overlays/morph/default.nix
new file mode 100644 (file)
index 0000000..ee59e25
--- /dev/null
@@ -0,0 +1,5 @@
+self: super: {
+  morph = super.morph.overrideAttrs(old: {
+    patches = (old.patches or []) ++ [ ./verbose_nix.patch ];
+  });
+}
diff --git a/overlays/morph/verbose_nix.patch b/overlays/morph/verbose_nix.patch
new file mode 100644 (file)
index 0000000..389a79c
--- /dev/null
@@ -0,0 +1,12 @@
+diff --git a/nix/nix.go b/nix/nix.go
+index bb63870..7fe04aa 100644
+--- a/nix/nix.go
++++ b/nix/nix.go
+@@ -347,6 +347,7 @@ func Push(ctx *ssh.SSHContext, host Host, paths ...string) (err error) {
+       options := mkOptions(host)
+       for _, path := range paths {
+               args := []string{
++                      "-v",
+                       "copy",
+                       path,
+                       "--to", "ssh://" + userArg + host.TargetHost + keyArg,
index 70c76044aa0d05aff88bbc4cbdff4c5ca4a6d465..2a95658152d1b627770fb4fd548fb6c250e7145b 100644 (file)
--- a/shell.nix
+++ b/shell.nix
@@ -1,4 +1,4 @@
 { pkgs ? import <nixpkgs> { overlays = builtins.attrValues (import ./overlays); } }:
 pkgs.mkShell {
-  buildInputs = [ pkgs.nixops pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
+  buildInputs = [ pkgs.morph pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
 }