Merge branch '#5_improve_dev_shell' into 'main'
#5 improve dev shell Closes #5 See merge request compsoc1/skynet/nixos!5
5c62e7ede5
3 changed files with 120 additions and 34 deletions
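--- /dev/null
+++ b/README.md
@@ -0,0 +1,102 @@
+# Skynet
+
+This is teh core config for teh skynet cluster which uses [NixOS][1].
+
+## Dev
+### Prep
+
+1. Install [Nix][2]
+2. Enable [Flakes][3]
+
+The system ye use does nto matter much, I (@silver) use nix in wsl and it works grand.
+
+### Shell
+
+Now ye got nix installed and flakes enabled run ``nix develop`` in the root folder (same place this readme is).
+The dev dependencies you need to work with the project will be automatically installed.
+The specific config for this can be found [here][4].
+
+Specifically it installs [Colmena][5] and [Agenix][6].
+Colmena is a build and deployment tool, Agenix is for secret management.
+
+All following commands are inside the shell.
+### Colmena
+
+#### Building
+
+To build all nodes (servers) run:
+```shell
+colmena build
+```
+
+To build a specific one
+```shell
+colmena build --on skynet
+```
+
+To build a group (for example the dns servers)
+```shell
+colmena build --on @active-dns
+```
+
+#### Deploy
+Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.
+
+While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config.
+One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated.
+Another is if ye have fecked up DNS.
+
+```shell
+colmena apply --on @active-gitlab
+```
+
+The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues.
+
+### Agenix
+
+Agenix is for storing secrets in an encrypted manner using ssh keys.
+
+All these commands require you to be in the secrets folder ``cd secrets``
+
+#### Prep
+1. Go to yer .ssh folder and see if you have a ``id_ed25519`` key ([tutorial][7])
+2. Make a pull request to add (``id_ed25519.pub``) to the [secrets config][8].
+3. An existing admin will pull, run ``agenix --rekey`` and commit changes.
+4. Once committed and pushed up and merged in, you will be able to edit secrets.
+
+``id_ed25519`` is preferred due to its neatness and security (Yes @silver is pedantic.)
+
+#### Editing
+When editing a terminal editor will open (nano).
+You must use teh path defined in the ``secrets.nix`` file.
+
+````shell
+agenix -e stream_ulfm.age
+agenix -e ldap/self_service.age
+agenix -e gitlab/runners/runner01.age
+````
+
+### Updating inputs
+Occasionally you will want to update the inputs for the project.
+It is best to do this every few months or so, there is always a risk of things changing so a small pain often is better than a nightmare if left longer.
+As seen in [this merge request][9] the layout of one config changed which had to be fixed.
+
+We should be updating ``nixpkgs`` at least once a semester, ideally to teh next NixOS release so we cna show ITD our servers are patched and up to date.
+
+```shell
+nix flake lock --update-input nixpkgs
+```
+
+
+
+
+
+[1]: https://nixos.org/explore
+[2]: https://nixos.org/download
+[3]: https://nixos.wiki/wiki/Flakes
+[4]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/flake.nix#L33
+[5]: https://github.com/zhaofengli/colmena
+[6]: https://github.com/ryantm/agenix
+[7]: https://docs.gitlab.com/ee/user/ssh.html#see-if-you-have-an-existing-ssh-key-pair
+[8]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/secrets/secrets.nix#L2
+[9]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/merge_requests/4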
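--- a/dev.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-# run with: nix-shell dev.nix
-# has everything installed for dev
-
-{ pkgs ? import <nixpkgs> {} }:
-with pkgs;
-let
-imports =
-let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68";
-in
-{
-agenix = import
-(builtins.fetchTarball {
-url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz";
-sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1";
-})
-{ inherit pkgs; };
-};
-in mkShell {
-# nativeBuildInputs is usually what you want -- tools you need to run
-nativeBuildInputs = [
-pkgs.buildPackages.git
-pkgs.buildPackages.colmena
-pkgs.buildPackages.nmap
-];
-
-buildInputs = [ imports.agenix.agenix ];
-
-shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
-}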
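--- a/flake.nix
+++ b/flake.nix
@@ -23,11 +23,24 @@
 skynet_website_2016.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2016?host=gitlab.skynet.ie";
 };
 
-outputs = { self, nixpkgs, ... } @inputs: {
-# https://github.com/zhaofengli/colmena
-# colmena apply --on agentjones
-# colmena apply --on @dns
-# nix flake lock --update-input skynet_ldap_backend
+nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
+
+outputs = { self, nixpkgs, agenix, ... } @inputs:
+let
+pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
+in {
+
+devShells.x86_64-linux.default = pkgs.mkShell {
+name = "Skynet build env";
+nativeBuildInputs = [
+pkgs.buildPackages.git
+pkgs.buildPackages.colmena
+pkgs.buildPackages.nmap
+];
+buildInputs = [ agenix.packages.x86_64-linux.default ];
+shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
+};
+
 colmena = {
 meta = {
 nixpkgs = import nixpkgs {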
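Review bot: The new `outputs = { self, nixpkgs, agenix, ... } @inputs:` line destructures `agenix` as a flake input, yet the diffstat lists only README.md, dev.nix and flake.nix with no flake.lock change, so the input is presumably already declared in the `inputs` block above this hunk; if it is not, the pin that the deleted dev.nix held as a sha256-checked fetchTarball now has no replacement and `nix develop` fails to evaluate. It is worth confirming that input also carries `agenix.inputs.nixpkgs.follows = "nixpkgs";` so the dev shell's agenix and the server configs are built from a single pinned nixpkgs rather than two. The `devShells.x86_64-linux.default` attribute and `nixpkgs.legacyPackages.x86_64-linux.pkgs` hard-code one system, so `nix develop` on an aarch64 host (Apple Silicon, aarch64 WSL) has no shell to offer; if that is intentional, a comment above it such as `# dev shell is x86_64-linux only; matches the system colmena targets are built for` would spare the next person a confusing error. The `outputs` attribute set continues past the end of the hunk.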