Deployment tool #5

Closed
opened 2020-12-04 18:11:04 +01:00 by simon · 1 comment

To address #4 (and to some extent #2), I should use a deployment tool.

It has to support the following:

  • Secrets with pass (place them under /var/secrets with configurable permissions; see #4)
  • Pinning nixpkgs (ideally with flakes (see #3))
  • Local and remote activation
  • Optional: Support for system.autoUpgrade (optional since this breaks reproducibility)

Possible deployment tools

NixOps

Advantages

  • Support for secrets (with pass support when using the pass branch: https://git.sbruder.de/simon/nixos-config/src/branch/pass)
  • Flake support
  • Can deploy locally with localhost as host

Disadvantages

  • Does not update channel (not needed anymore when using flakes; #3)
  • Uses nixpkgs from $NIX_PATH (also not a problem anymore when using flakes; #3)
  • Adds more complexity (e.g. deployments)
  • Makes things that rely on /etc/nixos/configuration.nix (e.g. system.autoUpgrade) not work
  • State

Krops

Advantages

  • Fairly simple (runs a shell script that uses rsync, ssh and nixos-rebuild)
  • Native support for pass (no need for hacks)
  • No state

Disadvantages

  • Does not stop rebuild when ^Cing script
  • Strictly evals on the target (so it only copies configuration.nix and not dependent files)

Morph

Advantages

  • Native support for secrets (including advanced permission management)
  • No state

Disadvantages

  • Only supports secrets from files, not from a variable or pass
  • Seems to ignore nixpkgs config in configuration.nix (alternative: Create file that builds nixpkgs with all overlays and specific config)

Plan

Krops looks most promising (supports secrets with pass, pinning nixpkgs, activation on every ssh enabled host and optionally system.autoUpgrade). The only caveat is that it has no internal ability to set the permissions of secrets. This, however, can be circumvented by using system.activationScripts or a systemd unit (see https://github.com/krebs/krops/issues/4 for more examples).

Even without permissions, krops is better than the current situation, since that means every machine knows every secret.

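The plan above leaves secret permissions to a system.activationScripts hook, since krops only copies the files. The following NixOS module is an added example written for this page; it is not code from the issue, from krops or from the nixos-config repository, and the secret names, owners, groups and modes in it are constructed placeholders. It shows the defensive pattern: keep /var/secrets itself traversable but not listable, and give each secret file exactly one owner and group with a read-only mode, so a service that needs one secret cannot read the others.

```nix
# Added example (not from the issue or from krops): after krops has rsynced
# secrets to /var/secrets, tighten their ownership and mode at activation time.
# Assumed layout: one file per secret at /var/secrets/<name>.
# The secrets attribute set below is a constructed placeholder mapping.
{ config, lib, pkgs, ... }:

let
  secretsDir = "/var/secrets";

  # Hypothetical per-secret policy: who may read it and how.
  # Modes are read-only on purpose; nothing should rewrite a deployed secret.
  secrets = {
    "example-vpn-key"     = { owner = "root";    group = "systemd-network"; mode = "0440"; };
    "example-db-password" = { owner = "exampledb"; group = "exampledb";     mode = "0400"; };
  };

  # Render one guarded chown/chmod pair per secret; a missing file is skipped
  # rather than failing activation, so a host without that secret still boots.
  fixOne = name: s: ''
    if [ -e ${secretsDir}/${name} ]; then
      chown ${s.owner}:${s.group} ${secretsDir}/${name}
      chmod ${s.mode} ${secretsDir}/${name}
    else
      echo "secretPermissions: ${secretsDir}/${name} not present, skipping" >&2
    fi
  '';
in
{
  # Run after the "users" activation step so the owners and groups exist.
  system.activationScripts.secretPermissions = lib.stringAfter [ "users" ] ''
    if [ -d ${secretsDir} ]; then
      # root-owned, traversable but not listable: a service can open its own
      # file by name but cannot enumerate what other secrets the host holds.
      chown root:root ${secretsDir}
      chmod 0751 ${secretsDir}
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList fixOne secrets)}
    fi
  '';
}
```

Because activation scripts re-run on every nixos-rebuild switch and on boot, permissions that drift (for example after a manual rsync) are corrected at the next activation; the script never prints file contents, only the path of a missing secret.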
simon added a new dependency 2020-12-04 20:26:34 +01:00
simon added the affects/style and affects/reproducibility labels 2020-12-04 20:31:13 +01:00
simon added this to the Reproducible milestone 2020-12-05 23:10:31 +01:00
simon removed a dependency 2020-12-10 22:52:43 +01:00
simon (Poster, Owner) commented:

Fixed in f53b777a7e6a618b482ed8b2fa6d39c8d4f7d003
simon closed this issue 2020-12-12 16:17:49 +01:00
simon added the type/feature label 2021-01-31 22:38:35 +01:00
Reference: simon/nixos-config#5