From 34abd6afa44c620a56416bd423a2438a09bd1ce4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 4 Sep 2020 02:40:24 +0200 Subject: [PATCH] Migrate to morph as a replacement to nixops The deployment tasks are now independent of any state --- .envrc | 2 - .gitignore | 1 + Makefile | 5 +- docs/migrate_hetzner.md | 20 ------ modules/private/system.nix | 10 ++- modules/private/system/backup-2.nix | 20 +++--- modules/private/system/dilion.nix | 91 +++++++++++++++---------- modules/private/system/eldiron.nix | 85 ++++++++++++++--------- modules/private/system/monitoring-1.nix | 19 +++--- modules/secrets.nix | 13 ++-- nixops/Makefile | 87 ++++++++--------------- nixops/default.nix | 11 +-- nixops/scripts/setup | 16 ----- nixops/scripts/with_env | 6 +- nixops/secrets | 2 +- nixops/state/.gitkeep | 0 overlays/default.nix | 1 + overlays/morph/default.nix | 5 ++ overlays/morph/verbose_nix.patch | 12 ++++ shell.nix | 2 +- 20 files changed, 196 insertions(+), 212 deletions(-) delete mode 100644 docs/migrate_hetzner.md delete mode 100644 nixops/state/.gitkeep create mode 100644 overlays/morph/default.nix create mode 100644 overlays/morph/verbose_nix.patch diff --git a/.envrc b/.envrc index 6eeaba9..8aa086a 100644 --- a/.envrc +++ b/.envrc @@ -1,7 +1,5 @@ # vim: filetype=bash export PASSWORD_STORE_DIR=$(expand_path nixops/secrets) -export NIXOPS_STATE=$(expand_path nixops/state/immaeEu.nixops) -export NIXOPS_DEPLOYMENT=cef694f3-081d-11e9-b31f-0242ec186adf export NIX_PATH=nixpkgs=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nixops".url') export NIXOPS_ENV_LOADED=1 diff --git a/.gitignore b/.gitignore index 6786d42..ff9c9cf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /result* /versions_log .direnv/ +/nixops/.gcroots diff --git a/Makefile b/Makefile index 6ba059c..9c12ff4 100644 --- a/Makefile +++ b/Makefile 
@@ -1,8 +1,7 @@ subrecipes = setup nix-info edit_env -subrecipes += nixops ssh-eldiron ssh-backup-2 ssh-monitoring-1 -subrecipes += info debug dry-run build upload deploy deploy-reboot reboot +subrecipes += ssh-eldiron ssh-backup-2 ssh-monitoring-1 +subrecipes += debug build upload deploy deploy-reboot subrecipes += list-generations delete-generations cleanup -subrecipes += pull_deployment deployment_is_set push_deployment ${subrecipes}: @$(MAKE) --no-print-directory -C nixops/ $@ .PHONY: ${subrecipes} diff --git a/docs/migrate_hetzner.md b/docs/migrate_hetzner.md deleted file mode 100644 index c7fbe20..0000000 --- a/docs/migrate_hetzner.md +++ /dev/null @@ -1,20 +0,0 @@ -nixops show a deprecation message at each deployment because hetzner -info is outdated. To fix it: - - cp -a ~/.nixops ~/.nixops.bak - - nixops export --all > all.json - - network=$(cat all.json| jq -r '."cef694f3-081d-11e9-b31f-0242ec186adf".resources.eldiron."hetzner.networkInfo"' | jq -r -c '.networking.interfaces.eth0 = { "ipv4": { "addresses": [ { "address": .networking.interfaces.eth0.ipAddress, "prefixLength": .networking.interfaces.eth0.prefixLength } ] } }') - - cat all.json | jq --arg network "$network" '."cef694f3-081d-11e9-b31f-0242ec186adf".resources.eldiron."hetzner.networkInfo" = $network' > all_new.json - - nixops delete --force -d eldiron - - nixops import < all_new.json - - rm all.json all_new.json - -*check that everything works*, then: - - rm -rf ~/.nixops.bak diff --git a/modules/private/system.nix b/modules/private/system.nix index b667ee8..6b4ef6e 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix 
@@ -1,6 +1,12 @@ -{ pkgs, lib, config, name, ... }: +{ pkgs, lib, config, name, nodes, ... }: { config = { + networking.extraHosts = builtins.concatStringsSep "\n" + (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes); + + users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ]; + services.openssh.enable = true; + services.duplyBackup.profiles.system = { rootDir = "/var/lib"; excludeFile = lib.mkAfter '' @@ -73,6 +79,8 @@ environment.systemPackages = [ pkgs.git pkgs.vim + pkgs.rsync + pkgs.strace ] ++ (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager); diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index a49c374..d1064c7 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix @@ -1,26 +1,22 @@ { privateFiles }: { config, pkgs, resources, name, ... }: { + deployment = { + targetUser = "root"; + targetHost = config.hostEnv.ips.main.ip4; + substituteOnDestination = true; + }; boot.kernelPackages = pkgs.linuxPackages_latest; myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; - imports = builtins.attrValues (import ../..); - - deployment = { - targetEnv = "hetznerCloud"; - hetznerCloud = { - authToken = config.myEnv.hetznerCloud.authToken; - datacenter = "hel1-dc2"; - location ="hel1"; - serverType = "cx11"; - }; - }; + imports = [ ] ++ builtins.attrValues (import ../..); fileSystems = { "/backup2" = { fsType = "ext4"; device = "UUID=b9425333-f567-435d-94d8-b26c22d93426"; }; + "/" = { device = "/dev/sda1"; fsType = "ext4"; }; }; networking = { @@ -34,6 +30,8 @@ defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; }; + boot.loader.grub.device = "nodev"; + myServices.certificates.enable = true; security.acme.certs."${name}" = { user = config.services.nginx.user; 
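Review bot: `users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ]` makes one deploy key root on every node, while the sshd policy that keeps that login key-only is left to NixOS defaults; pin it next to `services.openssh.enable = true;` with `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` so a future default change cannot widen it. Note also that if `myEnv.privateFiles` is a path value (with_env now exposes it as a NIX_PATH entry), the `"${…}"` interpolation copies the whole secrets directory, private key included, into the deployer's /nix/store just to read the `.pub`; path concatenation avoids that: `keyFiles = [ (config.myEnv.privateFiles + "/id_ed25519.pub") ];`. The `config` block continues outside the hunk.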
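Review bot: With `targetHost = config.hostEnv.ips.main.ip4` and `targetUser = "root"` morph reaches the box over plain ssh, so the host-key check that protects the deploy key and the uploaded secrets now rests only on the deployer's `~/.ssh/known_hosts` (as I recall, nixops kept the target host keys in the state file this commit abandons — verify). Pin the key in the repo instead, e.g. a tracked `known_hosts` selected through an ssh config file (morph already honours `SSH_IDENTITY_FILE` here; if your version also reads `SSH_CONFIG_FILE`, use it), so a fresh clone does not trust-on-first-use a root session to the backup host. Separately, `imports = [ ] ++ builtins.attrValues (import ../..);` only adds a no-op prefix to the original line; keep `imports = builtins.attrValues (import ../..);` as dilion and eldiron do. The module continues past the hunk.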
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index 5c24656..5abaac0 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix 
@@ -1,59 +1,81 @@ { privateFiles }: { config, pkgs, name, lib, ... }: { - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelPackages = pkgs.linuxPackages_latest; + deployment = { + targetUser = "root"; + targetHost = config.hostEnv.ips.main.ip4; + substituteOnDestination = true; + }; + nixpkgs.system = lib.mkOverride 900 "x86_64-linux"; + boot = { + loader = { + grub = { + version = 2; + devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ]; + }; + timeout = 1; + }; + blacklistedKernelModules = [ "nvidiafb" ]; + supportedFilesystems = [ "zfs" ]; + kernelPackages = pkgs.linuxPackages_latest; + kernelModules = [ "kvm-intel" ]; + initrd.availableKernelModules = [ "ahci" "sd_mod" ]; + initrd.secrets = { + "/boot/pass.key" = "/boot/pass.key"; + }; + kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak + }; + nix.maxJobs = 8; + powerManagement.cpuFreqGovernor = "powersave"; + hardware.enableRedistributableFirmware = true; + myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + swapDevices = [ { label = "swap"; } ]; fileSystems = { - "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; }; + "/" = { fsType = "zfs"; device = "zpool/root"; }; "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; }; "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; "/home" = { fsType = "zfs"; device = "zpool/root/home"; }; "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; }; "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; }; "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; + "/data" = { fsType = "ext4"; label = "data"; }; + "/nix" = { fsType = "ext4"; label = "nix"; }; }; - boot.initrd.secrets = { - "/boot/pass.key" = "/boot/pass.key"; - }; + + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0" + ''; networking = { hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4 firewall.enable = 
false; - interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList - (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); - interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList - (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - config.hostEnv.ips); + interfaces."eth0".ipv4.addresses = + [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ] + ++ pkgs.lib.attrsets.mapAttrsToList + (n: ips: { address = ips.ip4; prefixLength = 32; }) + (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); + interfaces."eth0".ipv6.addresses = + [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ] + ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList + (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) + config.hostEnv.ips); + defaultGateway = { address = "176.9.10.225"; interface = "eth0"; }; + defaultGateway6 = { address = "fe80::1"; interface = "eth0"; }; + nameservers = [ + "213.133.98.98" + "213.133.99.99" + "213.133.100.100" + "2a01:4f8:0:a0a1::add:1010" + "2a01:4f8:0:a102::add:9999" + "2a01:4f8:0:a111::add:9898" + ]; }; myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ]; imports = builtins.attrValues (import ../..); - deployment = { - targetEnv = "hetzner"; - hetzner = { - robotUser = config.myEnv.hetzner.user; - robotPass = config.myEnv.hetzner.pass; - mainIPv4 = config.hostEnv.ips.main.ip4; - partitions = '' - clearpart --all --initlabel --drives=sda,sdb,sdc,sdd - - part swap --recommended --label=swap --fstype=swap --ondisk=sda - - part raid.1 --grow --ondisk=sdc - part raid.2 --grow --ondisk=sdd - - raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 - - part /nix --grow --label=nix --ondisk=sda - part /data 
--grow --label=data --ondisk=sdb - ''; - }; - }; - system.nssModules = [ pkgs.libvirt ]; system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ]; programs.zsh.enable = true; @@ -78,7 +100,6 @@ } ]; - boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak system.activationScripts.libvirtd_exports = '' install -m 0755 -o root -g root -d /var/lib/caldance ''; diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 83e52b8..bb8bbfc 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix 
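Review bot: `[ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]` assigns the all-zero interface identifier, which RFC 4291 reserves as the subnet-router anycast address; it evidently worked under nixops (eldiron's `localCommands` carry the same form and attribute it to nixops), but `…::1` or `…::2` is the conventional host address and worth checking against what is actually up on the box. The `nameservers` list and `defaultGateway6 = { address = "fe80::1"; interface = "eth0"; }` are repeated verbatim in eldiron's hunk; a small shared Hetzner module (or a `config.hostEnv` field) would keep them in one place. The udev rule pinning `eth0` to the MAC is the right call given every address below names that interface. The module body continues after the hunk.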
@@ -1,22 +1,45 @@ { privateFiles }: { config, pkgs, lib, ... }: { - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelParams = ["zfs.zfs_arc_max=6442450944"]; - boot.kernelPackages = pkgs.linuxPackages_latest; + deployment = { + targetUser = "root"; + targetHost = config.hostEnv.ips.main.ip4; + substituteOnDestination = true; + }; + boot = { + kernelModules = [ "kvm-intel" ]; + blacklistedKernelModules = [ "nvidiafb" ]; + loader.timeout = 1; + loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; + kernel.sysctl = { + # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md + "net.ipv4.tcp_sack" = 0; + }; + supportedFilesystems = [ "zfs" ]; + kernelParams = ["zfs.zfs_arc_max=6442450944"]; + kernelPackages = pkgs.linuxPackages_latest; + initrd.availableKernelModules = [ "ahci" "sd_mod" ]; + initrd.secrets = { + "/boot/pass.key" = "/boot/pass.key"; + }; + }; + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0" + ''; + nix.maxJobs = 8; + powerManagement.cpuFreqGovernor = "powersave"; myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; fileSystems = { - "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; }; + "/" = { fsType = "zfs"; device = "zpool/root"; }; "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; }; "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; "/nix" = { fsType = "zfs"; device = "zpool/root/nix"; }; "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; }; "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; }; - boot.initrd.secrets = { - "/boot/pass.key" = "/boot/pass.key"; - }; + swapDevices = [ { label = "swap1"; } { label = "swap2"; } ]; + hardware.enableRedistributableFirmware = true; services.zfs = { autoScrub = { 
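Review bot: `"net.ipv4.tcp_sack" = 0` (now inside the new `boot.kernel.sysctl` block) is the 2019 SACK-panic workaround from the linked Netflix bulletin; the kernel fixes shipped in the June 2019 stable releases and this host tracks `pkgs.linuxPackages_latest`, so the setting no longer protects anything and only degrades TCP loss recovery. Either drop it or record why it stays: `# TODO: SACK workaround for CVE-2019-11477/11478 (June 2019); kernel is patched, re-enable`. The `boot` block is complete, but the rest of the module continues outside the hunk.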
@@ -27,20 +50,34 @@ hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4 firewall.enable = true; # 176.9.151.89 declared in nixops -> infra / tools - interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList - (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); + interfaces."eth0".ipv4.addresses = + pkgs.lib.attrsets.mapAttrsToList + (n: ips: { address = ips.ip4; prefixLength = 32; }) + (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips) + ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]; interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) config.hostEnv.ips); + defaultGateway = "176.9.151.65"; + localCommands = '' + # FIXME: Those commands were added by nixops and may not be + # actually needed + ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true + ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true + ip -6 route add default via 'fe80::1' dev eth0 || true + ''; + nameservers = [ + "213.133.98.98" + "213.133.99.99" + "213.133.100.100" + "2a01:4f8:0:a0a1::add:1010" + "2a01:4f8:0:a102::add:9999" + "2a01:4f8:0:a111::add:9898" + ]; }; imports = builtins.attrValues (import ../..); - boot.kernel.sysctl = { - # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md - "net.ipv4.tcp_sack" = 0; - }; myServices.buildbot.enable = true; myServices.databases.enable = true; myServices.gitolite.enable = true; 
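Review bot: The new `localCommands` reimplements with imperative `ip` calls what this same commit does declaratively on dilion: `ip -6 addr add '2a01:4f8:160:3445::/64'` becomes `{ address = "2a01:4f8:160:3445::"; prefixLength = 64; }` at the head of `interfaces."eth0".ipv6.addresses`, and `ip -6 route add default via 'fe80::1'` becomes `defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };`, matching the attrset form `defaultGateway = { address = "176.9.151.65"; interface = "eth0"; };` instead of the bare string used here. Only `ip -4 route change '176.9.151.64/27' via '176.9.151.65'` has no direct option; if it really is needed, keep that one line but without `|| true`, since the suffix turns a misconfigured route into a silent no-op at boot. The context comment `# 176.9.151.89 declared in nixops -> infra / tools` is also stale now that nixops is gone.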
@@ -76,26 +113,6 @@ "${profile.host_key_type} ${profile.host_key}"; }; - deployment = { - targetEnv = "hetzner"; - hetzner = { - robotUser = config.myEnv.hetzner.user; - robotPass = config.myEnv.hetzner.pass; - mainIPv4 = config.hostEnv.ips.main.ip4; - partitions = '' - clearpart --all --initlabel --drives=sda,sdb - - part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda - part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb - - part raid.1 --grow --ondisk=sda - part raid.2 --grow --ondisk=sdb - - raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 - ''; - }; - }; - services.cron = { enable = true; mailto = "cron@immae.eu"; diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix index c87c784..2241b2b 100644 --- a/modules/private/system/monitoring-1.nix +++ b/modules/private/system/monitoring-1.nix @@ -1,20 +1,15 @@ { privateFiles }: { config, pkgs, resources, ... }: { + deployment = { + targetUser = "root"; + targetHost = config.hostEnv.ips.main.ip4; + substituteOnDestination = true; + }; boot.kernelPackages = pkgs.linuxPackages_latest; myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; - imports = builtins.attrValues (import ../..); - - deployment = { - targetEnv = "hetznerCloud"; - hetznerCloud = { - authToken = config.myEnv.hetznerCloud.authToken; - datacenter = "hel1-dc2"; - location ="hel1"; - serverType = "cx11"; - }; - }; + imports = [ ] ++ builtins.attrValues (import ../..); myServices.monitoring.enable = true; myServices.monitoring.master = true; @@ -29,6 +24,8 @@ config.hostEnv.ips); defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; }; + boot.loader.grub.device = "nodev"; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; myServices.mailRelay.enable = true; security.pki.certificateFiles = [ diff --git a/modules/secrets.nix b/modules/secrets.nix index a2424e9..a149f02 100644 --- a/modules/secrets.nix 
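Review bot: The module header `{ config, pkgs, resources, ... }:` still requests `resources`, the nixops-provided argument that nothing supplies once morph evaluates the network; as far as I can tell the module system resolves arguments lazily so this only fails the day someone uses it, but it is misleading — drop it: `{ config, pkgs, ... }:`. Likewise `imports = [ ] ++ builtins.attrValues (import ../..);` adds a no-op prefix to the original line; `imports = builtins.attrValues (import ../..);` is what dilion and eldiron keep. The module continues past the hunk.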
+++ b/modules/secrets.nix
@@ -61,14 +61,13 @@
 fi
 '';
 };
- deployment.keys."secrets.tar" = {
+ system.extraDependencies = [ secrets ];
+ deployment.secrets."secrets.tar" = {
+ source = "${secrets}";
+ destination = "/run/keys/secrets.tar";
+ owner.user = "root";
+ owner.group = "root";
 permissions = "0400";
- # keyFile below is not evaluated at build time by nixops, so the
- # `secrets` path doesn’t necessarily exist when uploading the
- # keys, and nixops is unhappy.
- user = "root${builtins.substring 10000 1 secrets}";
- group = "root";
- keyFile = "${secrets}";
 };
 };
 }
diff --git a/nixops/Makefile b/nixops/Makefile
index 18d48eb..0bebaf8 100644
--- a/nixops/Makefile
+++ b/nixops/Makefile
@@ -2,8 +2,6 @@ ifndef NIXOPS_ENV_LOADED
 $(error "Please load environment with direnv")
 endif
 
-NIXOPS_PRIV = ./scripts/with_env nixops
-
 ###### Current channel information
 nix-info:
 @version=$$(nix eval --raw nixpkgs.lib.version) && \
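Review bot: `system.extraDependencies = [ secrets ];` pulls the secrets tarball into the system closure, so (if `secrets` is the store derivation the removed comment describes) `morph push`/`nix copy` now ships it into every target's /nix/store — readable by any local account there and kept alive by the system profile — before `--upload-secrets` places the `0400` copy at `/run/keys/secrets.tar`; the old nixops `keyFile` only ever put it in the deployer's store. If the goal is merely to have `secrets` built before the upload, realise it explicitly instead, e.g. `nix-build` the `secrets` derivation in the Makefile `deploy` recipe ahead of `morph deploy`, and drop the `extraDependencies` line. The enclosing module starts before the hunk.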
@@ -17,100 +15,69 @@ setup: ./scripts/setup .PHONY: setup -###### Nixops regular tasks +###### Morph regular tasks +PROFILE=/nix/var/nix/profiles/per-user/immae/morph/immaeEu TARGET ?= -NIXOPS_ARGS ?= +MORPH_ARGS ?= ifdef TARGET - override NIXOPS_ARGS +=--include=$(TARGET) + # multiple targets: --on="{machine1,machine2}" (works with * glob too) + override MORPH_ARGS +=--on=$(TARGET) endif SSH_ARGS ?= edit_env: pass edit Nixops/files/environment.nix || true -nixops: - $(NIXOPS_PRIV) $(NIXOPS_ARGS) - ssh-eldiron: - $(NIXOPS_PRIV) ssh eldiron -- $(SSH_ARGS) + ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@eldiron $(SSH_ARGS)' ssh-dilion: - $(NIXOPS_PRIV) ssh dilion -- $(SSH_ARGS) + ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@dilion $(SSH_ARGS)' ssh-backup-2: - $(NIXOPS_PRIV) ssh backup-2 -- $(SSH_ARGS) + ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@backup-2 $(SSH_ARGS)' ssh-monitoring-1: - $(NIXOPS_PRIV) ssh monitoring-1 -- $(SSH_ARGS) - -info: - $(NIXOPS_PRIV) list - $(NIXOPS_PRIV) info + ./scripts/with_env bash -c 'ssh -i $$SSH_IDENTITY_FILE root@monitoring-1 $(SSH_ARGS)' debug: - $(NIXOPS_PRIV) deploy --build-only --show-trace $(NIXOPS_ARGS) - -dry-run: - $(NIXOPS_PRIV) deploy --dry-run $(NIXOPS_ARGS) + ./scripts/with_env morph build --show-trace default.nix $(MORPH_ARGS) build: - $(NIXOPS_PRIV) deploy --build-only $(NIXOPS_ARGS) + ./scripts/with_env morph build default.nix $(MORPH_ARGS) upload: - $(NIXOPS_PRIV) deploy --copy-only $(NIXOPS_ARGS) + ./scripts/with_env morph push default.nix $(MORPH_ARGS) deploy: - $(NIXOPS_PRIV) deploy $(NIXOPS_ARGS) + ./scripts/with_env morph deploy default.nix switch --keep-result --upload-secrets $(MORPH_ARGS) + nix-env -p $(PROFILE) --set .gcroots/default.nix deploy-reboot: - $(NIXOPS_PRIV) deploy --force-reboot $(NIXOPS_ARGS) + ./scripts/with_env morph deploy default.nix boot --reboot --upload-secrets $(MORPH_ARGS) -reboot: - $(NIXOPS_PRIV) reboot --include=$(TARGET) -.PHONY: nixops 
ssh-eldiron info debug dry-run build upload deploy deploy-reboot reboot +.PHONY: ssh-eldiron ssh-dilion ssh-monitoring-1 ssh-backup-2 debug build upload deploy deploy-reboot ###### Cleanup generations and garbage collection -profile := $$($(NIXOPS_PRIV) info | grep "^Nix profile: " | sed -e "s/^Nix profile: //") GEN ?= "+3" list-generations: - nix-env -p $(profile) --list-generations - $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --list-generations + nix-env -p $(PROFILE) --list-generations + $(MAKE) ssh-eldiron SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --list-generations" .PHONY: list-generations delete-generations: - nix-env -p $(profile) --delete-generations $(GEN) - $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) - $(NIXOPS_PRIV) ssh dilion -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) - $(NIXOPS_PRIV) ssh backup-2 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) - $(NIXOPS_PRIV) ssh monitoring-1 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) + nix-env -p $(PROFILE) --delete-generations $(GEN) + $(MAKE) ssh-eldiron SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)" + $(MAKE) ssh-dilion SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)" + $(MAKE) ssh-backup-2 SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)" + $(MAKE) ssh-monitoring-1 SSH_ARGS="nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)" .PHONY: delete-generations cleanup: delete-generations nix-store --gc - $(NIXOPS_PRIV) ssh eldiron -- nix-store --gc - $(NIXOPS_PRIV) ssh dilion -- nix-store --gc - $(NIXOPS_PRIV) ssh backup-2 -- nix-store --gc - $(NIXOPS_PRIV) ssh monitoring-1 -- nix-store --gc + $(MAKE) ssh-eldiron SSH_ARGS="nix-store --gc" + $(MAKE) ssh-dilion SSH_ARGS="nix-store --gc" + $(MAKE) ssh-backup-2 SSH_ARGS="nix-store --gc" + $(MAKE) 
ssh-monitoring-1 SSH_ARGS="nix-store --gc" .PHONY: cleanup - -###### Pull environment and deployment from remote -pull_deployment: - @if nixops info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null ; then \ - echo "This will remove your current deployment file and recreate it!. Continue? [y/N]" && \ - read y && \ - [ "$$y" = "y" -o "$$y" = "Y" ] && \ - nixops delete --force -d $(NIXOPS_DEPLOYMENT); \ - fi - pass show Nixops/Deployment | nixops import - nixops modify -d $(NIXOPS_DEPLOYMENT) "$$(pwd)/default.nix" -.PHONY: pull_deployment - -deployment_is_set: - nixops info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null -.PHONY: deployment_is_set - -###### Push deployment information to password store -push_deployment: - nixops export | pass insert -m Nixops/Deployment -.PHONY: push diff --git a/nixops/default.nix b/nixops/default.nix index 56b86e8..7c6dd38 100644 --- a/nixops/default.nix +++ b/nixops/default.nix @@ -1,12 +1,7 @@ -{ privateFiles ? ./. }: +let + privateFiles = ; +in { - network = { - description = "Immae's network"; - enableRollback = true; - }; - - # Used by hetzner cloud to provision machines - resources.sshKeyPairs.ssh-key = {}; dilion = import ../modules/private/system/dilion.nix { inherit privateFiles; }; eldiron = import ../modules/private/system/eldiron.nix { inherit privateFiles; }; backup-2 = import ../modules/private/system/backup-2.nix { inherit privateFiles; }; diff --git a/nixops/scripts/setup b/nixops/scripts/setup index 22f43ce..e161e43 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup @@ -2,8 +2,6 @@ set -euo pipefail -MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )" - if ! which nix 2>/dev/null >/dev/null; then cat <<-EOF nix is needed, please install it: 
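Review bot: `deploy-reboot` runs `morph deploy default.nix boot --reboot --upload-secrets` without `--keep-result` and without the `nix-env -p $(PROFILE) --set .gcroots/default.nix` step that `deploy` performs, so after a reboot-deploy the pinned profile — which `list-generations` and `delete-generations` read — lags behind what is actually booted. Add `--keep-result` and the same `nix-env --set` line to that recipe. Separately, `PROFILE=/nix/var/nix/profiles/per-user/immae/morph/immaeEu` hard-codes a user name; `per-user/$(USER)` keeps the Makefile usable from another account. The rest of the file is outside the hunk.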
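Review bot: `privateFiles = ;` reads as a `<privateFiles>` search-path lookup whose angle brackets were lost in rendering; if so, `privateFiles` is now a path value rather than the string nixops passed with `--argstr`, and every `"${privateFiles}/…"` interpolation in the host modules (`import "${privateFiles}/environment.nix"`, the `id_ed25519.pub` keyFile) copies the whole secrets directory — `id_ed25519` private key included — into the deployer's /nix/store, where any local user can read it until the next garbage collection. Keeping string semantics restores the previous behaviour: `privateFiles = builtins.toString <privateFiles>;`. Dropping the `./.` default is fine, since evaluation now fails closed outside with_env. The attribute set continues past the hunk.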
@@ -62,20 +60,6 @@ if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then read y fi -if ! make -C $MAKEFILE_DIR deployment_is_set 2>/dev/null >/dev/null; then - cat <<-EOF - Importing deployment file into nixops: - Continue? [y/N] - EOF - read y - if [ "$y" = "y" -o "$y" = "Y" ]; then - make -C $MAKEFILE_DIR pull_deployment - else - echo "Aborting" - exit 1 - fi -fi - cat <<-EOF All set up. Please make sure you’re using make commands when deploying diff --git a/nixops/scripts/with_env b/nixops/scripts/with_env index 9882f78..f8e5537 100755 --- a/nixops/scripts/with_env +++ b/nixops/scripts/with_env @@ -5,12 +5,12 @@ if [ -z "$NIXOPS_ENV_LOADED" ]; then exit 1; fi +umask 0077 TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files) chmod go-rwx $TEMP finish() { rm -rf "$TEMP" - nixops set-args --unset privateFiles } trap finish EXIT @@ -21,6 +21,8 @@ files=$(pass ls Nixops/files | sed -e '1d' -e 's/^.* //') for file in $files; do pass show "Nixops/files/$file" > $TEMP/$file done -nixops set-args --argstr privateFiles "$TEMP" + +export NIX_PATH="privateFiles=$TEMP:$NIX_PATH" +export SSH_IDENTITY_FILE="$TEMP/id_ed25519" "$@" diff --git a/nixops/secrets b/nixops/secrets index 79b9910..def4146 160000 --- a/nixops/secrets +++ b/nixops/secrets @@ -1 +1 @@ -Subproject commit 79b991028b09aa59f719059de8dc1fba7d6b04fd +Subproject commit def4146f0e703ca9a32735fbbc3820d6f9bb22ef diff --git a/nixops/state/.gitkeep b/nixops/state/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/overlays/default.nix b/overlays/default.nix index 0c7c738..7444e15 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -32,5 +32,6 @@ doing = import ./doing; khal = import ./khal; nix-direnv = import ./nix-direnv; + morph = import ./morph; } // import ./python-packages diff --git a/overlays/morph/default.nix b/overlays/morph/default.nix new file mode 100644 index 0000000..ee59e25 --- /dev/null +++ b/overlays/morph/default.nix 
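Review bot: `umask 0077` is a good addition, but `TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)` still writes every `pass show` result — including the private key later handed out as `SSH_IDENTITY_FILE` — under /tmp, which on many hosts is disk-backed, so `rm -rf "$TEMP"` leaves recoverable blocks behind. Prefer the per-user runtime directory, a tmpfs on systemd systems: `TEMP=$(mktemp -d -p "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" nixops-files.XXXXXX)`. With the umask in place the following `chmod go-rwx $TEMP` is redundant but harmless. The script continues outside the hunk.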
@@ -0,0 +1,5 @@
+self: super: {
+ morph = super.morph.overrideAttrs(old: {
+ patches = (old.patches or []) ++ [ ./verbose_nix.patch ];
+ });
+}
diff --git a/overlays/morph/verbose_nix.patch b/overlays/morph/verbose_nix.patch
new file mode 100644
index 0000000..389a79c
--- /dev/null
+++ b/overlays/morph/verbose_nix.patch
@@ -0,0 +1,12 @@
+diff --git a/nix/nix.go b/nix/nix.go
+index bb63870..7fe04aa 100644
+--- a/nix/nix.go
++++ b/nix/nix.go
+@@ -347,6 +347,7 @@ func Push(ctx *ssh.SSHContext, host Host, paths ...string) (err error) {
+ options := mkOptions(host)
+ for _, path := range paths {
+ args := []string{
++ "-v",
+ "copy",
+ path,
+ "--to", "ssh://" + userArg + host.TargetHost + keyArg,
diff --git a/shell.nix b/shell.nix
index 70c7604..2a95658 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,4 +1,4 @@
 { pkgs ? import { overlays = builtins.attrValues (import ./overlays); } }:
 pkgs.mkShell {
- buildInputs = [ pkgs.nixops pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
+ buildInputs = [ pkgs.morph pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
 }
-- 
2.41.0