maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(ops/terraform): add module for deploying NixOS system closures

Browse source 
This module makes it fairly easy to deploy NixOS system closures using
Terraform, while properly separating the evaluation of a
derivation (to determine whether a deploy is needed) from the building
and copying of the closure itself.

This has been on my stack for a while. It was originally developed for
Resoptima, who agreed to open-sourcing it in depot back when we
completed our work with them. Their contribution has been acknowledged
in the README.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
This commit is contained in:
Vincent Ambo 2023-01-29 19:44:23 +03:00 committed by tazjin
parent 0b64577702
commit dbca46d052
5 changed files with 187 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

45
ops/terraform/deploy-nixos/README.md Normal file
View file

@ -0,0 +1,45 @@
deploy-nixos
============
This is a Terraform module to deploy a NixOS system closure to a
remote machine.
The system closure must be accessible by Nix-importing the repository
root and building a specific attribute
(e.g. `nix-build -A ops.machines.machine-name`).
The target machine must be accessible normally over SSH, and an SSH
key must be used for access.
Notably this module separates the evaluation of the system closure from building
and deploying it, and uses the closure's derivation hash to determine whether a
deploy is necessary.
## Usage example:
```terraform
module "deploy_somehost" {
source = "git::https://code.tvl.fyi/depot.git:/ops/terraform/deploy-nixos.git"
attrpath = "ops.nixos.somehost"
target_name = "somehost"
target_host = "somehost.tvl.su"
target_user = "someone"
target_user_ssh_key = tls_private_key.somehost.private_key_pem
}
```
## Future work
Several things can be improved about this module, for example:
* The repository root (relative to which the attribute path is evaluated) could
be made configurable.
* The remote system closure could be discovered to restore remote system state
after manual deploys on the target (i.e. "stomping" of changes).
More ideas and contributions are, of course, welcome.
## Acknowledgements
Development of this module was sponsored by [Resoptima](https://resoptima.com/).