Use hercules to deploy nixos
parent
8ffc250951
commit
428fa51089
5 changed files with 84 additions and 22 deletions
24
ci.nix
24
ci.nix
|
@ -6,5 +6,27 @@ let
|
|||
self = builtins.getFlake (toString ./.);
|
||||
nixpkgs = self.inputs.nixpkgs;
|
||||
effects = self.inputs.hercules-ci-effects.lib.withPkgs nixpkgs.legacyPackages.x86_64-linux;
|
||||
|
||||
deployNixOS = args@{
|
||||
hostname,
|
||||
drv,
|
||||
...
|
||||
}: effects.mkEffect (args // {
|
||||
|
||||
# This style of variable passing allows overrideAttrs and modification in
|
||||
# hooks like the userSetupScript.
|
||||
inherit hostname drv;
|
||||
effectScript = ''
|
||||
umask 077 # so ssh does not complain about key permissions
|
||||
readSecretString seploy .ssh-key > deploy-key
|
||||
ssh -i deploy-key root@"$hostname" "$(nix-store -r $drv)/bin/switch-to-configuration $action"
|
||||
'';
|
||||
});
|
||||
in
|
||||
nixpkgs.lib.mapAttrs' (name: config: nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations
|
||||
(nixpkgs.lib.mapAttrs' (name: config: nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations) // {
|
||||
build01 = deployNixOS {
|
||||
hostname = "build01.nix-community.org";
|
||||
# using the drv path here avoids downloading the closure on the deploying machine
|
||||
drv = self.outputs.nixosConfigurations.nix-community-build01.config.system.build.toplevel.drvPath;
|
||||
};
|
||||
}
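Review bot: The `ssh` call in `effectScript` connects as root with no host key pinned anywhere in the visible lines, so the effect either fails host key verification or ends up being run with checking relaxed, and then nothing authenticates the machine that receives the root deployment. Write the target's public host key into `known_hosts` before connecting, e.g. `echo "$hostname ssh-ed25519 <BUILD01_HOST_PUBLIC_KEY>" >> ~/.ssh/known_hosts`, and keep strict checking on. Two further points in the same script: `$(nix-store -r $drv)` sits inside local double quotes, so it is expanded on the deploying machine rather than on the target, which contradicts the comment on `drv`; and `$action` is not set by the `build01` call, so `switch-to-configuration` would receive an empty argument unless a caller passes it through `args`. The secret name `seploy` also looks like a typo for `deploy` and is worth confirming against the agent's secrets. The `let` block that holds `deployNixOS` starts outside the hunk.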
|
||||
|
|
65
flake.lock
generated
65
flake.lock
generated
|
@ -16,6 +16,24 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hercules-ci-effects": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1655158531,
|
||||
"narHash": "sha256-5LeaONqA6pgSNeA39gzu5XUipw3mXNZ04LUiy2TVImU=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "hercules-ci-effects",
|
||||
"rev": "bda248e06dc44cbba9f4db350abbb10c3fe3b6fd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "hercules-ci-effects",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hydra": {
|
||||
"inputs": {
|
||||
"newNixpkgs": "newNixpkgs",
|
||||
|
@ -95,7 +113,7 @@
|
|||
"nix": {
|
||||
"inputs": {
|
||||
"lowdown-src": "lowdown-src",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-regression": "nixpkgs-regression"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -115,17 +133,18 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1645296114,
|
||||
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
|
||||
"lastModified": 1647297614,
|
||||
"narHash": "sha256-ulGq3W5XsrBMU/u5k9d4oPy65pQTkunR4HKKtTq0RwY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
|
||||
"rev": "73ad5f9e147c0d2a2061f1d4bd91e05078dc0b58",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.05-small",
|
||||
"type": "indirect"
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-22_05": {
|
||||
|
@ -179,7 +198,7 @@
|
|||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"mmdoc": "mmdoc",
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1660354290,
|
||||
|
@ -229,11 +248,26 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1660209832,
|
||||
"narHash": "sha256-HhggOS2nZo30g7DqkXhXj+sOkLuuM+ZKMQDExuFncnM=",
|
||||
"lastModified": 1645296114,
|
||||
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "439f25de4d6b919d4a05fd552359736b7a2a283d",
|
||||
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.05-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1660358575,
|
||||
"narHash": "sha256-EMIn5yM/fDorK5C+DLaxz4/ysP0lpj9xEwbN6gKIkWM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "71d9ee04f44051acbca335b6c5f583902e329987",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -243,7 +277,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1629859457,
|
||||
"narHash": "sha256-JlAU1EboVCOJeMXNLJusf+0vnx++xK1Y4DW5y80zMfY=",
|
||||
|
@ -258,7 +292,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1659190188,
|
||||
"narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=",
|
||||
|
@ -276,8 +310,9 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"hercules-ci-effects": "hercules-ci-effects",
|
||||
"hydra": "hydra",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-update": "nixpkgs-update",
|
||||
"nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
|
||||
"nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
|
||||
|
@ -286,7 +321,7 @@
|
|||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"nixpkgs-22_05": "nixpkgs-22_05"
|
||||
},
|
||||
"locked": {
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
|
||||
nixpkgs-update-pypi-releases.flake = false;
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
|
||||
hydra.url = "github:NixOS/hydra";
|
||||
hydra.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
@ -28,6 +29,7 @@
|
|||
, nixpkgs-update-github-releases
|
||||
, nixpkgs-update-pypi-releases
|
||||
, sops-nix
|
||||
, hercules-ci-effects
|
||||
, hydra
|
||||
}: {
|
||||
devShell.x86_64-linux = let
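Review bot: The new `hercules-ci-effects` input brings its own nixpkgs instead of following the flake's one, unlike `hydra` on the lines right after it, so the lock file gains another independently locked nixpkgs revision to track and audit. Since ci.nix already passes the root nixpkgs in through `withPkgs`, add `hercules-ci-effects.inputs.nixpkgs.follows = "nixpkgs";` next to the url line. The inputs attribute set and the outputs function both continue outside these hunks.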
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
|
||||
binary-caches.json: ENC[AES256_GCM,data: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,iv:IOqba6lLXCEVZ+HNaH3uM4E3lbKzm8XCXlbAp6UPBIE=,tag:RX2d2UEWpZu48pW1UUaQcQ==,type:str]
|
||||
hercules-secrets: ENC[AES256_GCM,data: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,iv:5SU8P/zBvDcmREOMh4ictrzvNNDTvZnrRAzHmKueVWs=,tag:4/x7sDC8cucFiWLkAnMJfA==,type:str]
|
||||
hercules-secrets: ENC[AES256_GCM,data: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,iv:WHs2aOtablCfy3NvTjayEippA+ODAKio3sKVWD5JGaA=,tag:H/y4AFVngrfPovZFy8wH4A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -52,8 +52,8 @@ sops:
|
|||
b3IybVIrUGdwV2FOaElhL1oyemVhbDgKFi2eAycdA8Zrwr02AtQdTXVNhkEWFWx1
|
||||
NKmyO1r7PGeKkvBewpneNUN43/bmz4V3fSZstpVvO1v7jtuD7e70CQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2021-12-24T06:34:20Z"
|
||||
mac: ENC[AES256_GCM,data:2RX/yMV/oEQJt4HGvLfLgwJ8LP2TydQDPCb+OkL/CxjMwKKvI7Azw5r1CE1FPvMUr25bWbQgZm3xsYvh4JHqmLXw5AVPfE+Xl1NiGBMsilFmdQkUy5N7u4KGNort2LnlRtLPL/WNRlZUfaVzjZxLpK3CoujKeanUgzZx2nXFDgc=,iv:jYMTXzwR9myo7V1w1JOUczXW4wmILHmy08+x3g2YbtU=,tag:nKVn2ovWeSktEpl5r1mHSg==,type:str]
|
||||
lastmodified: "2022-08-13T07:46:14Z"
|
||||
mac: ENC[AES256_GCM,data:xjmHX1ERMBJeo0Q9llquFVOAmCQYcYYek6bBkZzRBVw7ulFwRY2Qxlgi1lYD4OnkdtEffZT6GRVqL+6ADJrDSQKSx9KlK0l0gvXYbxvyFPd6KCRZon7DCkf3rGCW5wQ8NWxykc7PigO85L8TtYjPTm4uMQNSEHDZ4bFxBMviVc4=,iv:kWc6WA00g+90+rum9jZWqRFaVPqoeeR056PuZGuBjSY=,tag:qgXVyiJ5Bw/7tk6Q1DFtTg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-12-26T07:57:50Z"
|
||||
enc: |
|
||||
|
@ -71,4 +71,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
||||
version: 3.7.3
|
||||
|
|
|
@ -21,7 +21,7 @@ in
|
|||
|
||||
# Assign keys from all users in wheel group
|
||||
# This is only done because nixops cant be deployed from any other account
|
||||
users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (
|
||||
users.extraUsers.root.openssh.authorizedKeys.keys = (lib.unique (
|
||||
lib.flatten (
|
||||
builtins.map (u: u.openssh.authorizedKeys.keys)
|
||||
(
|
||||
|
@ -31,5 +31,8 @@ in
|
|||
)
|
||||
)
|
||||
)
|
||||
);
|
||||
)) ++ [
|
||||
# used by hercules
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjsihPp4fAXUknBtDCBt5tpP7nIjWLdmNiDT34NJYzq deploy-key"
|
||||
];
|
||||
}
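Review bot: The Hercules deploy key is appended to root's `authorizedKeys` with no key options, so whoever holds the private half in the CI secrets gets an unrestricted root login on every host that imports this module (the import sites are not visible here). Prefix the entry with OpenSSH key options to narrow it, e.g. `"restrict,from=\"<HERCULES_AGENT_ADDRESS>\" ssh-ed25519 … deploy-key"`, and consider adding the key only in the configuration of the host that the effect deploys. The `# used by hercules` comment could also name the effect and say where the private key is stored, so that rotation is traceable. The surrounding attribute set starts outside the hunks.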
|
||||
|
|