    # A NixOS module which enables remotely-triggered deployment updates.
    { config, lib, pkgs, ... }:
    let
      # A handy alias for our part of the configuration (the values set under
      # `services.private-storage.deployment`).  Not referenced in the visible
      # portion of this file; presumably used further down.
      cfg = config.services.private-storage.deployment;
    
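      # Compute an authorized_keys line that allows the holder of a certain key to
      # execute a certain command *only*.
      #
      # authorizedKey: the SSH public key, as it appears on one authorized_keys line.
      # command: the program sshd runs for this key no matter what the client asks for.
      # gridName: appended to `command` as its single argument.
      # Returns one authorized_keys line.  Evaluation fails if any input contains a
      # newline, because that would start a second, unrestricted authorized_keys
      # entry and defeat the restriction.
      restrictedKey =
        { authorizedKey, command, gridName }:
        let
          # Inside `command="..."` sshd ends the value at the next unescaped double
          # quote, so quotes in the interpolated values are escaped (sshd accepts
          # `\"` inside the quotes) to keep the forced command intact.
          quote = builtins.replaceStrings [ "\"" ] [ "\\\"" ];
          hasNewline = s: builtins.length (builtins.split "\n" s) > 1;
        in
        assert !(hasNewline authorizedKey || hasNewline command || hasNewline gridName);
        # `restrict` means "disable all the things" then `command` means "but
        # enable running this one command" (the client does not have to supply the
        # command; if they authenticate, this is the command that will run).
        "restrict,command=\"${quote command} ${quote gridName}\" ${authorizedKey}";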
    in {
      # The module's options, all living under `services.private-storage.deployment`.
      options.services.private-storage.deployment = {
        # Which SSH public key may trigger a deployment update.
        authorizedKey = lib.mkOption {
          type = lib.types.str;
          example = ''
            ssh-ed25519 AAAAC3N...
          '';
          description = ''
            The SSH public key to authorize to trigger a deployment update.
          '';
        };
        # Which grid configuration the update is driven from.
        gridName = lib.mkOption {
          type = lib.types.str;
          example = "staging";
          description = ''
            The name of the grid configuration to use to update this deployment.
          '';
        };
      };
    
      config = {
        # Configure the system to use our binary cache so that deployment updates
        # only require downloading pre-built software, not building it ourselves.
        # Configure the system to use our binary cache so that deployment updates
        # only require downloading pre-built software, not building it ourselves.
        #
        # The cache is reached over plain HTTP, so the transport provides neither
        # integrity nor confidentiality; what keeps substituted paths trustworthy
        # is Nix's signature check (on by default) against the public key listed
        # here, and which paths this host fetches is visible on the network.
        nix.binaryCachePublicKeys = [
          "saxtons.private.storage:MplOcEH8G/6mRlhlKkbA8GdeFR3dhCFsSszrspE/ZwY="
        ];
        nix.binaryCaches = [
          "http://saxtons.private.storage"
        ];
    
        # Create a one-time service that will set up an ssh key that allows the
        # deployment user to authenticate as root to perform the system update with
        # `morph deploy`.
        systemd.services.authorize-morph-as-root = {
          enable = true;
          serviceConfig = {
            # Tell systemd that the service is a process that runs and then exits.
            # By being "oneshot" instead of "simple" any dependencies are not
            # started until after the process exits.  We have no dependencies yet
            # but if we did it would be more correct for them to wait until we are
            # done.
            #
            # It is not clear that "oneshot" means "run once" though (maybe it
            # does, I can't tell) so the script is robust in the face of repeated
            # runs even though it should only ever need to be run once.
            Type = "oneshot";
          };
          wantedBy = [
            # Run this to reach the multi-user target, a good target that is
            # reached in the typical course of system startup.
            "multi-user.target"
          ];
          # Here's the program to run for this unit.  It's a shell script that
          # creates an ssh key that authorizes root access via ssh and gives it to