feat(ops/terraform): add module for deploying NixOS system closures
This module makes it fairly easy to deploy NixOS system closures using Terraform, while properly separating the evaluation of a derivation (to determine whether a deploy is needed) from the building and copying of the closure itself.

This has been on my stack for a while. It was originally developed for Resoptima, who agreed to open-sourcing it in depot back when we completed our work with them. Their contribution has been acknowledged in the README.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
parent 0b64577702
commit dbca46d052
5 changed files with 187 additions and 0 deletions
23
ops/terraform/deploy-nixos/nixos-copy.sh
Executable file
|
|
@ -0,0 +1,23 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# Copies a NixOS system to a target host, using the provided key.
|
||||
set -ueo pipefail
|
||||
|
||||
scratch="$(mktemp -d)"
|
||||
trap 'rm -rf -- "${scratch}"' EXIT
|
||||
|
||||
echo -n "$DEPLOY_KEY" > $scratch/id_deploy
|
||||
chmod 0600 $scratch/id_deploy
|
||||
|
||||
export NIX_SSHOPTS="\
|
||||
-o StrictHostKeyChecking=no\
|
||||
-o UserKnownHostsFile=/dev/null\
|
||||
-o GlobalKnownHostsFile=/dev/null\
|
||||
-o IdentityFile=$scratch/id_deploy"
|
||||
|
||||
nix-copy-closure \
|
||||
--to ${TARGET_USER}@${TARGET_ADDRESS} \
|
||||
${SYSTEM_DRV} \
|
||||
--gzip \
|
||||
--include-outputs \
|
||||
--use-substitutes
|
||||
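Review bot: The NIX_SSHOPTS block sets StrictHostKeyChecking=no and points both UserKnownHostsFile and GlobalKnownHostsFile at /dev/null, so the target's host key is never verified and nix-copy-closure will push the closure to whatever answers at TARGET_ADDRESS. Consider taking the expected host key as an input (for instance a hypothetical TARGET_HOST_KEY variable), writing it to a known_hosts file under $scratch, and pointing UserKnownHostsFile at that file with StrictHostKeyChecking=yes. Two smaller points on the same hunk: $scratch/id_deploy in the echo and chmod lines, and ${TARGET_USER}@${TARGET_ADDRESS} and ${SYSTEM_DRV} in the nix-copy-closure call, are unquoted and subject to word splitting; and `echo -n "$DEPLOY_KEY"` writes the key without adding a final newline, so if the variable arrives without one the key file may not load. Using printf '%s\n' "$DEPLOY_KEY" would cover that case.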