update readme
This commit is contained in:
parent
a0709dba1b
commit
986c4696e0
3 changed files with 27 additions and 8 deletions
27
README.md
|
@ -8,6 +8,8 @@ promoting best practices to self-host a wide range of services. Also,
|
||||||
the design will be extendable to allow users to add services not
|
the design will be extendable to allow users to add services not
|
||||||
provided by SHB.
|
provided by SHB.
|
||||||
|
|
||||||
|
It's goal is to be to disnix what nixpkgs is to NixOS.
|
||||||
|
|
||||||
As far as features and best practices go, I intend to provide, for all
|
As far as features and best practices go, I intend to provide, for all
|
||||||
services:
|
services:
|
||||||
- Protection and single sign-on using [Keycloak](https://www.keycloak.org/), where sensible.
|
- Protection and single sign-on using [Keycloak](https://www.keycloak.org/), where sensible.
|
||||||
|
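Review bot: the added line `It's goal is to be to disnix what nixpkgs is to NixOS.` should read `Its goal` (possessive, no apostrophe). Since this is where disnix is introduced, linking it the same way Keycloak is linked in the bullet below (`[disnix](...)`) would help a reader who has not met the project before.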
@ -92,20 +94,31 @@ this. You can install on a could machine or a self-hosted server.
|
||||||
|
|
||||||
Second, you need a machine where Nix is installed, to drive the
|
Second, you need a machine where Nix is installed, to drive the
|
||||||
deploy. It can be Nix or NixOS here. To install Nix, see the [official
|
deploy. It can be Nix or NixOS here. To install Nix, see the [official
|
||||||
guide](https://nixos.org/download.html).
|
guide](https://nixos.org/download.html). You'll then need to install
|
||||||
|
the following packages:
|
||||||
|
- `nixops_unstable`,
|
||||||
|
- `disnix`,
|
||||||
|
- `disnixos`,
|
||||||
|
- and `sops-nix` + `age` by following the [readme](https://github.com/Mic92/sops-nix).
|
||||||
|
|
||||||
Assuming this is done, you need to create a folder which will hold 3 files:
|
Assuming this is done, you need to create a folder which will hold 3 files:
|
||||||
- `network.nix` explains how to provision each deploy _target_. For
|
- One `network-<env>.nix` per environment - staging, prod - explains
|
||||||
example, you'd tell here which user or package should exist. That
|
how to provision each deploy _target_. For example, you'd tell here
|
||||||
being said, the goal here is to keep this file minimal and instead
|
which user or package should exist. That being said, the goal here
|
||||||
use the `service.nix`.
|
is to keep this file minimal and instead use the `service.nix`.
|
||||||
- `services.nix` is used to install any service - a database, a
|
- `services.nix` is used to install any service - a database, a
|
||||||
reverse proxy, an app, etc. The goal here is to make the install
|
reverse proxy, an app, etc. The goal here is to make the install
|
||||||
procedure machine independent.
|
procedure machine independent.
|
||||||
- `distribution.nix` is used to tell which service goes to which
|
- `distribution.nix` is used to tell which service goes to which
|
||||||
deployment target.
|
deployment target.
|
||||||
|
|
||||||
Please see the [integration tests](/tests/integration) for examples.
|
You'll need to setup password store, following [this
|
||||||
|
tutorial](https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html).
|
||||||
|
|
||||||
|
Next, look at the [examples](/docs/examples) for inspiration.
|
||||||
|
|
||||||
|
Also, the [integration tests](/tests/integration) contain more
|
||||||
|
bite-sized examples.
|
||||||
|
|
||||||
## Advised Workflow
|
## Advised Workflow
|
||||||
|
|
||||||
|
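Review bot: the new bullet `One network-<env>.nix per environment - staging, prod - explains ...` contradicts the unchanged intro line `create a folder which will hold 3 files:`, which should become something like `the following files` now that there is one network file per environment. Two smaller points: the added package list installs `sops-nix` + `age` and the next paragraph then asks the reader to `setup password store` following the `pass` tutorial, without saying which secrets each mechanism is meant to hold, so one sentence on that split would avoid a confused first setup; and `setup` is the noun, the verb is `set up` (`You'll need to set up password store`). While touching this paragraph, the context line `You can install on a could machine` should read `cloud machine`.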
@ -252,3 +265,5 @@ In rough order of highest to lowest priority.
|
||||||
- [ ] Use something else than `pass` to retrieve secrets. Or better,
|
- [ ] Use something else than `pass` to retrieve secrets. Or better,
|
||||||
allow multiple options.
|
allow multiple options.
|
||||||
- [ ] Explain how to setup secret keys.
|
- [ ] Explain how to setup secret keys.
|
||||||
|
- [ ] Switch to using modules https://nixos.wiki/wiki/NixOS_modules
|
||||||
|
to setup configuration.
|
||||||
|
|
|
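Review bot: `to setup configuration` in the added roadmap item should be `to set up configuration`, and the bare URL would be more consistent with the rest of the README as a markdown link, e.g. `- [ ] Switch to using [NixOS modules](https://nixos.wiki/wiki/NixOS_modules) to set up configuration.`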
@ -10,7 +10,7 @@ export DISNIXOS_USE_NIXOPS=1
|
||||||
|
|
||||||
nixops create ./network-prod.nix -d prod
|
nixops create ./network-prod.nix -d prod
|
||||||
|
|
||||||
nixops deploy --option extra-builtins-file $(pwd)/pkgs/extra-builtins.nix
|
nixops deploy --option extra-builtins-file $(pwd)/extra-builtins.nix
|
||||||
nixops reboot
|
nixops reboot
|
||||||
|
|
||||||
disnixos-env -s services.nix -n network-prod.nix -d distribution.nix
|
disnixos-env -s services.nix -n network-prod.nix -d distribution.nix
|
||||||
|
|
|
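Review bot: the change from `$(pwd)/pkgs/extra-builtins.nix` to `$(pwd)/extra-builtins.nix` alters a deploy command, but the commit message `update readme` does not mention it and no corresponding file move appears in this diff, so it is worth confirming that `extra-builtins.nix` really lives at the repository root now and saying so in the message. Because `--option extra-builtins-file` makes Nix load additional builtins from a file on disk during evaluation, the docs should also be explicit that this must be the repository's own `extra-builtins.nix` and not an arbitrary path. Minor: quote the substitution (`"$(pwd)"/extra-builtins.nix`) so the command survives a checkout path containing spaces.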
@ -10,12 +10,16 @@ export DISNIXOS_USE_NIXOPS=1
|
||||||
|
|
||||||
nixops create ./network-virtualbox.nix -d vboxtest
|
nixops create ./network-virtualbox.nix -d vboxtest
|
||||||
|
|
||||||
nixops deploy --option extra-builtins-file $(pwd)/pkgs/extra-builtins.nix
|
nixops deploy --option extra-builtins-file $(pwd)/extra-builtins.nix
|
||||||
nixops reboot
|
nixops reboot
|
||||||
|
|
||||||
disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix
|
disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix
|
||||||
```
|
```
|
||||||
|
|
||||||
|
For the `nixops deploy` step to start, you'll need to generate all
|
||||||
|
necessary passwords. The easiest is to try the command and see on what
|
||||||
|
password it fails, generating it then re-issuing the command.
|
||||||
|
|
||||||
It's okay if the `nixops deploy` command fails to activate the new
|
It's okay if the `nixops deploy` command fails to activate the new
|
||||||
configuration on first run because of the `virtualbox.service`. If
|
configuration on first run because of the `virtualbox.service`. If
|
||||||
that happens, continue with the `nixops reboot` command. The service
|
that happens, continue with the `nixops reboot` command. The service
|
||||||
|
|
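Review bot: the added advice `try the command and see on what password it fails, generating it then re-issuing the command` turns secret provisioning into trial and error across repeated partial deploys; listing the required passwords up front, or pointing to where `services.nix` declares them, would let the reader generate everything before the first `nixops deploy`. The sentence should also read `generate it, then re-issue the command`. The `pkgs/extra-builtins.nix` to `extra-builtins.nix` path change here mirrors the one in the prod instructions and carries the same unquoted `$(pwd)`, so both should be adjusted together.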