From 54eb130eaac19eb532097fdd9c94fd5e477f153d Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Mon, 2 Dec 2024 10:25:15 +0200 Subject: [PATCH] Update main README.md Signed-off-by: Henri Rosten --- README.md | 259 +++++++++++++++----------------------------------- docs/tasks.md | 121 +++++++++++++++++++++++ 2 files changed, 198 insertions(+), 182 deletions(-) create mode 100644 docs/tasks.md diff --git a/README.md b/README.md index b921a90d..3184b12d 100644 --- a/README.md +++ b/README.md @@ -4,221 +4,116 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> # Ghaf Infra -This repository contains NixOS configurations for the [Ghaf](https://github.com/tiiuae/ghaf) CI/CD infrastructure. - -## Highlights -This repository defines flakes-based NixOS configurations for the following targets: -- **[ghafhydra](./hosts/ghafhydra/configuration.nix)** - *[Hydra](https://nixos.wiki/wiki/Hydra) with pre-configured jobset for Ghaf*: - - Hydra: declaratively configured with Ghaf flake jobset, building on localhost. - - Binary cache: using [nix-serve-ng](https://github.com/aristanetworks/nix-serve-ng) signing packages that [can be verified](https://github.com/tiiuae/ghaf-infra/blob/c528714a310b420592ec6e73666d80288c5d0f12/docs/adapting-to-new-environments.md?plain=1#L231) with public key: `cache.ghafhydra:XQx1U4555ZzfCCQOZAjOKKPTavumCMbRNd3TJt/NzbU=`. - - Automatic nix store garbage collection: when free disk space in `/nix/store` drops below [threshold value](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/common.nix#L46) automatically remove garbage. - - Pre-defined users: allow ssh access for a set of users based on ssh public keys. - - Secrets: uses [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets - secrets, such as hydra admin password and binary cache signing key, are stored encrypted based on host ssh key. - - Openssh server with pre-defined host ssh key. Server private key is stored encrypted as [sops secret](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/ghafhydra/secrets.yaml#L5) and automatically deployed on [host installation](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/tasks.py#L243). -## Usage -**Important**: -The configuration files in this repository declaratively define the system configuration for all hosts in the Ghaf CI/CD infrastructure. That is, all system configurations - including the secrets - are stored and version controlled in this repository, no additional manual configuration is required. Indeed, all the hosts in the infrastructure might be reinstalled without further notice, so do not assume that anything outside the configurations defined in this repository would be available in the hosts. This includes the administrator's home directories: do not keep any important data in your home, since the contents of `/home` will be regularly deleted. - -### Pre-requisites -If you still don't have nix package manager on your local host, install it following the package manager installation instructions from https://nixos.org/download.html. - -Then, clone this repository: -```bash -$ git clone https://github.com/tiiuae/ghaf-infra.git -$ cd ghaf-infra -``` - -All example commands in this document are executed from nix-shell in the root path of your local copy of this repository. Run the following commands to start a nix-shell: - -```bash -# Start nix-shell -$ nix-shell -``` - -### Tasks -Inspired by [nix-community infra](https://github.com/nix-community/infra), this project makes use of [pyinvoke](https://www.pyinvoke.org/) to help with deployment [tasks](./tasks.py). - -Run the following command to list the available tasks: -```bash -$ invoke --list -Available tasks: - - alias-list List available targets (i.e. configurations and alias names) - build-local Build NixOS configuration `alias` locally. - deploy Deploy the configuration for `alias`. - install Install `alias` configuration using nixos-anywhere, deploying host private key. - pre-push Run 'pre-push' checks: black, pylint, pycodestyle, reuse lint, nix fmt. - print-keys Decrypt host private key, print ssh and age public keys for `alias` config. - reboot Reboot host identified as `alias`. - update-sops-files Update all sops yaml and json files according to .sops.yaml rules. - -``` +This repository contains NixOS and Terraform configuration for the [Ghaf](https://github.com/tiiuae/ghaf) CI/CD infrastructure. -In the following sections, we will explain the intended usage of the most common above deployment tasks. +## Getting Started -#### alias-list -The `alias-list` task lists the alias names for ghaf-infra targets. Alias is simply a name given for the combination of nixosConfig and hostname. All ghaf-infra tasks that need to identify a target, accept an alias name as an argument. +This document assumes you have [`nix`](https://nixos.org/download.html) package manager installed on your development host. +Experimental feature "nix-command" must be enabled. +Clone this repository: ```bash -$ invoke alias-list - -Current ghaf-infra targets: - -╒═══════════════╤═══════════════╤══════════════╕ -│ alias │ nixosconfig │ hostname │ -╞═══════════════╪═══════════════╪══════════════╡ -│ ghafhydra-dev │ ghafhydra │ 51.12.56.79 │ -╘═══════════════╧═══════════════╧══════════════╛ -``` - -In case `hostname` is not directly accessible for your current `$USER`, use `~/.ssh/config` to specify the ssh connection details such as username, port, or key file used to access the specific host. - -As an example, to access host `51.12.56.79` with a specific username and key, you would add the following to `~/.ssh/config`: - +❯ git clone https://github.com/tiiuae/ghaf-infra.git +❯ cd ghaf-infra ``` -$ cat ~/.ssh/config -Host 51.12.56.79 - HostName 51.12.56.79 - User my_remote_user_name - IdentityFile /path/to/my/private_key -``` - -Since `task.py` internally uses ssh when accessing hosts, the above example configuration would be applied when accessing the `ghafhydra-dev` alias. - -#### build-local -The `build-local` task builds the given alias configuration locally. If the alias name is not specified `build-local` builds all alias configurations: +Bootstrap ghaf-infra development environment, loading the required development dependencies: ```bash -$ invoke build-local -INFO Running: nixos-rebuild build --option accept-flake-config true -v --flake .#ghafhydra -... -building '/nix/store/m0z520c0rpz1qjjw391srjw50426626z-etc.drv'... -building '/nix/store/7jx57i82zmkcjsimb761vqsdcx2sc8yq-nixos-system-ghafhydra-23.05.20231021.5550a85.drv'... +# Start a nix-shell with required dependencies: +❯ nix-shell ``` -#### pre-push -The `pre-push` task runs a set of checks for the contents of this repository. The checks include: python linters, license compliance checks, formatting checks for nix and terraform files and nix flake check for the ghaf-infra flake. The `pre-push` task also locally builds all the alias configurations: +All commands referenced in the documentation are executed inside the nix-shell. +## Directory Structure ```bash -$ invoke pre-push -INFO Running: find . -type f -name *.py ! -path *result* ! -path *eggs* -INFO Running: black -q ./tasks.py -INFO Running: pylint --disable duplicate-code -rn ./tasks.py -INFO Running: pycodestyle --max-line-length=90 ./tasks.py -INFO Running: reuse lint -INFO Running: terraform fmt -check -recursive -INFO Running: nix fmt -INFO Running: nix flake check -v +ghaf-infra +├── hosts # NixOS host configurations +│   ├── azure # Azure ghaf-infra nix host configurations +│   │   ├── binary-cache +│   │   ├── builder +│   │   └── jenkins-controller +│   ├── builders # Stand-alone builder configurations +│   │   ├── build3 +│   │   ├── build4 +│   │   ├── hetzarm +│   │   └── developers.nix # Users with access to build3 and hetzarm +│   ├── ... +│   └── testagent # Stand-alone testagent configurations +│   ├── dev +│   ├── prod +│   └── release +├── nix # Nix devshell, checks, deployments, etc. +├── pkgs # Patched/modified packages +├── scripts # Misc helper scripts +├── services # NixOS service modules +├── slsa # SLSA provenance buildtype document +├── terraform # Azure ghaf-infra terraform configuration +│   ├── ... +│   ├── main.tf +│   ├── README-azure.md +│   └── README.md +├── users # Ghaf-infra users ... -INFO All pre-push checks passed +├── README.md +├── ssh-keys.yaml # Azure ghaf-infra user ssh keys +└── tasks.py # Entrypoint for pyinvoke deployment tasks ``` -#### install -The `install` task installs the given alias configuration on the target host with [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). It will automatically partition and re-format the host hard drive, meaning all data on the target will be completely overwritten with no option to rollback. During installation, it will also decrypt and deploy the host private key from the sops secrets. The intended use of the `install` task is to install NixOS configuration on a non-NixOS host, or to repurpose an existing server. +Ghaf-infra repository includes configuration files for Ghaf CI/CD infrastructure. +The configuration in this repository is split in two parts: +- `terraform/` directory contains the terraform configuration describing the image-based CI setup in Azure infra. An example instance is the 'prod' instance, which provides the Jenkins interface at: https://ghaf-jenkins-controller-prod.northeurope.cloudapp.azure.com/ as well as the Ghaf nix binary cache at: https://prod-cache.vedenemo.dev. The host configuration files in `hosts/azure` describe the NixOS configuration for the `binary-cache`, `builder`, and `jenkins-controller` hosts as outlined in [README-azure.md](https://github.com/tiiuae/ghaf-infra/blob/main/terraform/README-azure.md#image-based-builds). +- In addition to the terraform Azure infra, this repository contains NixOS configurations for various other stand-alone hosts in Ghaf CI/CD infra. + Following are examples of some of the stand-alone configurations and their current usage in the CI/CD infrastructure: + - `hosts/builders/hetzarm` defines the configuration for shared aarch64 builder, which currently runs in Hetzner cloud (hetzarm.vedenemo.dev). Developers can use `hetzarm.vedenemo.dev` as a remote builder for Ghaf aarch builds. Additionally, `hetzarm` is used both from Ghaf github actions and non-release Jenkins builds as a remote builder. + - `hosts/builders/build3` defines the configuration for shared x86_64 builder, which currently runs in Ficolo cloud (builder.vedenemo.dev). Developers can use the `builder.vedenemo.dev` as a remote builder for Ghaf x86 builds. + - `hosts/builders/build4` defines the configuration for an x86_64 builder, which currently runs in Ficolo cloud (build4.vedenemo.dev). Build4 is currently used as a remote builder both from Ghaf github actions and non-release Jenkins builds. + - `hosts/builders/testagents/*` define the configuration for testagents used from Azure ghaf-infra. -Note: `ìnstall` task assumes the given NixOS configuration is compatible with the specified host. In the existing Ghaf CI/CD infrastructure you can safely assume this holds true. However, if you plan to apply the NixOS configurations from this repository on a new infrastructure or onboard new hosts, please read the documentation in [adapting-to-new-environments.md](./docs/adapting-to-new-environments.md). - -```bash -$ invoke install --alias ghafhydra-dev -Install configuration 'ghafhydra' on host '51.12.50.33'? [y/N] y -... -### Uploading install SSH keys ### -### Gathering machine facts ### -### Switching system into kexec ### -### Formatting hard drive with disko ### -### Uploading the system closure ### -### Copying extra files ### -### Installing NixOS ### -### Waiting for the machine to become reachable again ### -### Done! ### -... -``` +Usage and deployment of the Azure infra is described in [`terraform/README.md`](https://github.com/tiiuae/ghaf-infra/blob/main/terraform/README.md). +Following sections describe the intended usage and deployment of the stand-alone NixOS configurations. -#### deploy -The `deploy` task deploys the given alias configuration to the target host with [nixos-rebuild](https://nixos.wiki/wiki/Nixos-rebuild) `switch` subcommand. This task assumes the target host is already running NixOS, and fails if it's not. - -Note: unlike the changes made with `install` task, `deploy` changes can be [reverted](https://zero-to-nix.com/concepts/nixos#rollbacks) with `nixos-rebuild switch --rollback` or similar. - -```bash -$ invoke deploy --alias ghafhydra-dev -[51.12.50.33] $ nix flake archive --to ssh://51.12.50.33 --json -[51.12.50.33] copying path '/nix/store/dbppismymjc6382g4v6d6sb99pjby37b-source' from 'https://cache.vedenemo.dev'... -[51.12.50.33] copying path '/nix/store/r2ip1850igy8kciyaagw502s3c6ph1s4-source' to 'ssh://51.12.50.33'... -[51.12.50.33] copying path '/nix/store/yj1wxm9hh8610iyzqnz75kvs6xl8j3my-source' to 'ssh://51.12.50.33'... -[51.12.50.33] $ sudo nixos-rebuild switch --option accept-flake-config true --flake /nix/store/1y4kqqi8xbw4ic96ahhhjgl61p61lvdg-source#ghafhydra -... -``` - -# alternative - -## Deploy by using deploy-rs - -[follow instructions](./docs/deploy-rs.md) - -#### update-sops-files -The `update-sops-files` task updates all sops yaml and json files according to the rules in [`.sops.yaml`](.sops.yaml). The intended use is to update the secrets after adding new hosts, admins, or secrets: - -```bash -$ invoke update-sops-files -2023/10/23 08:37:34 Syncing keys for file ghaf-infra/hosts/ghafhydra/secrets.yaml -2023/10/23 08:37:34 File ghaf-infra/hosts/ghafhydra/secrets.yaml already up to date -``` - -### Updating target hosts -First, update the flake: - -```bash -$ nix flake update -... -• Updated input 'nixpkgs': - 'github:nixos/nixpkgs/898cb2064b6e98b8c5499f37e81adbdf2925f7c5' (2023-10-13) - → 'github:nixos/nixpkgs/5550a85a087c04ddcace7f892b0bdc9d8bb080c8' (2023-10-21) -... -``` - -Then, deploy the updated configuration to the target host(s): -```bash -$ invoke deploy --alias ghafhydra-dev -``` - -Notice: be sure to manually verify the target services work as expected after the update. Also, make sure the `install` task still works after the flake update by running the `invoke install alias-name-here` against a test (dev) configuration. - -### Onboarding new admins -Onboarding new admins requires the following manual steps: -- Add their user and ssh key to [users](./users/) and [import the user](https://github.com/tiiuae/ghaf-infra/blob/b740f96bcd28e4821f701f6556f4ef2914c7fdf5/hosts/ghafhydra/configuration.nix#L26) on the hosts they need access to. -- Add their [age key](./docs/adapting-to-new-environments.md#add-your-admin-sops-key) to [.sops.yaml](.sops.yaml), update the `creation_rules`, and run the [`update-sops-files`](./README.md#update-sops-files) task. -- [Deploy](./README.md#deploy) the new configuration to changed hosts. +## Usage +**Important**: +The configuration files in this repository declaratively define the system configuration for all hosts in the Ghaf CI/CD infrastructure. That is, all system configurations - including the secrets - are stored and version controlled in this repository. Indeed, all the hosts in the infrastructure might be reinstalled without further notice, so do not assume that anything outside the configurations defined in this repository would be available in the hosts. This includes the administrator's home directories: do not keep any important data in your home, since the contents of `/home` might be deleted without further notice. -## Secrets +### Secrets For deployment secrets (such as the binary cache signing key), this project uses [sops-nix](https://github.com/Mic92/sops-nix). -The general idea is: each host have `secrets.yaml` file that contains the encrypted secrets required by that host. As an example, the `secrets.yaml` file for the host ghafhydra defines a secret [`cache-sig-key`](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/ghafhydra/secrets.yaml#L2) which is used by the host ghafhydra in [its](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/ghafhydra/configuration.nix#L15) binary cache [configuration](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/services/binarycache/binary-cache.nix#L12) to sign packages in the nix binary cache. All secrets in `secrets.yaml` can be decrypted with each host's ssh key - sops automatically decrypts the host secrets when the system activates (i.e. on boot or whenever nixos-rebuild switch occurs) and places the decrypted secrets in the configured file paths. An [admin user](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/.sops.yaml#L6) manages the secrets by using the `sops` command line tool. +The general idea is: each host have `secrets.yaml` file that contains the encrypted secrets required by that host. As an example, the `secrets.yaml` file for the host ghaf-proxy defines a secret [`loki_password`](https://github.com/tiiuae/ghaf-infra/blob/6be2cb637af86ddb1abd8bfb60160f81ce6581ca/hosts/ghaf-proxy/secrets.yaml#L2) which is used by the host ghaf-proxy in [its](https://github.com/tiiuae/ghaf-infra/blob/6be2cb637af86ddb1abd8bfb60160f81ce6581ca/hosts/ghaf-proxy/configuration.nix#L51) monitoring service configuration to push logs to Grafana Loki. All secrets in `secrets.yaml` can be decrypted with each host's ssh key - sops automatically decrypts the host secrets when the system activates (i.e. on boot or whenever nixos-rebuild switch occurs) and places the decrypted secrets in the configured file paths. An [admin user](https://github.com/tiiuae/ghaf-infra/blob/6be2cb637af86ddb1abd8bfb60160f81ce6581ca/.sops.yaml#L6-L12) manages the secrets by using the `sops` command line tool. -Each host's private ssh key is stored as sops secret and automatically deployed on [host installation](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/tasks.py#L243). +Each host's private ssh key is stored as sops secret and automatically deployed on [host installation](https://github.com/tiiuae/ghaf-infra/blob/6be2cb637af86ddb1abd8bfb60160f81ce6581ca/tasks.py#L438). `secrets.yaml` files are created and edited with the `sops` utility. The [`.sops.yaml`](.sops.yaml) file tells sops what secrets get encrypted with what keys. The secrets configuration and the usage of `sops` is adopted from [nix-community infra](https://github.com/nix-community/infra) project. -## Git commit hook +### Onboarding new remote builder users +Onboarding new users to remote builders require the following manual steps: +- Add their user and ssh key to [developers](./hosts/builders/developers.nix). +- [Deploy](./docs/deploy-rs.md) the new configuration to changed hosts. -When contributing to this repo you should take the git commit hook into use. - -This hook will check the commit message for most trivial mistakes against [current Ghaf commit message guidelines](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md#commit-message-guidelines) - -### Installing git hooks +### Onboarding new admins +Onboarding new admins require the following manual steps: +- Add their user and ssh key to [users](./users/) and import the user on the hosts they need access to. +- If they need to manage sops secrets, add their [age key](./docs/adapting-to-new-environments.md#add-your-admin-sops-key) to [.sops.yaml](.sops.yaml), update the `creation_rules`, and run the [`update-sops-files`](./docs/tasks.md#update-sops-files) task. +- [Deploy](./docs/deploy-rs.md) the new configuration to changed hosts (build3, hetzarm). -Just run ``./githooks/install-git-hooks.sh`` in repository main directory, and you should be good to go. Commit message checking script will then run when you commit something. +### Deploy using deploy-rs +Follow the instructions at https://github.com/tiiuae/ghaf-infra/blob/main/docs/deploy-rs.md -If you have branches before the git hooks were committed to the repo, you'll have to either rebase them on top of main branch or cherry pick the git hooks commit into your branch. +### Deploy using tasks.py +Follow the instructions at https://github.com/tiiuae/ghaf-infra/blob/main/docs/tasks.md -Also note that any existing commit messages in any branch won't be checked, only new commit messages will be checked. +### Git commit hook +This project uses git hooks to ensure the git commit message aligns with [Ghaf commit message guidelines](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md#commit-message-guidelines) -If you encounter any issues with the git commit message hook, please report them. And while waiting for a fix, you may remove the hook by running ``rm -f .git/hooks/commit-msg`` in the main directory of the repository. +To install the commit hook, run `./githooks/install-git-hooks.sh`. Commit message check [script](./githooks/check-commit.sh) will then run for all ghaf-infra git commits. +To remove the hook, run ``rm -f .git/hooks/commit-msg`` in the repository main directory. ## License -This repository follows the Ghaf team licensing: +This repository uses the following licenses: | License Full Name | SPDX Short Identifier | Description | --- | --- | --- diff --git a/docs/tasks.md b/docs/tasks.md new file mode 100644 index 00000000..df802216 --- /dev/null +++ b/docs/tasks.md @@ -0,0 +1,121 @@ + + +# Tasks + +Originally inspired by [nix-community infra](https://github.com/nix-community/infra) this project makes use of [pyinvoke](https://www.pyinvoke.org/) to help with deployment [tasks](../tasks.py). + +Run the following command to list the available tasks: +```bash +❯ invoke --list +Available tasks: + + alias-list List available targets (i.e. configurations and alias names) + build-local Build NixOS configuration `alias` locally. + deploy Deploy the configuration for `alias`. + install Install `alias` configuration using nixos-anywhere, deploying host private key. + pre-push Run 'pre-push' checks. + print-keys Decrypt host private key, print ssh and age public keys for `alias` config. + reboot Reboot host identified as `alias`. + update-sops-files Update all sops yaml and json files according to .sops.yaml rules. + +``` + +In the following sections, we will explain the intended usage of the most common of the above deployment tasks. + +## alias-list +The `alias-list` task lists the alias names for ghaf-infra targets. Alias is simply a name given for the combination of nixosConfig and hostname. All ghaf-infra tasks that need to identify a target, accept an alias name as an argument. + +```bash +❯ invoke alias-list + +Current ghaf-infra targets: + +╒════════════════════╤═══════════════════╤════════════════╕ +│ alias │ nixosconfig │ hostname │ +╞════════════════════╪═══════════════════╪════════════════╡ +│ binarycache-ficolo │ binarycache │ 172.18.20.109 │ +│ monitoring-ficolo │ monitoring │ 172.18.20.108 │ +│ build3-ficolo │ build3 │ 172.18.20.104 │ +│ build4-ficolo │ build4 │ 172.18.20.105 │ +│ himalia │ himalia │ 172.18.20.106 │ +│ testagent-dev │ testagent-dev │ 172.18.16.33 │ +│ testagent-prod │ testagent-prod │ 172.18.16.60 │ +│ testagent-release │ testagent-release │ 172.18.16.32 │ +│ hetzarm │ hetzarm │ 65.21.20.242 │ +│ ghaf-log │ ghaf-log │ 95.217.177.197 │ +│ ghaf-coverity │ ghaf-coverity │ 135.181.103.32 │ +│ ghaf-proxy │ ghaf-proxy │ 95.216.200.85 │ +│ ghaf-webserver │ ghaf-webserver │ 37.27.204.82 │ +╘════════════════════╧═══════════════════╧════════════════╛ + +``` + +In case `hostname` is not directly accessible for your current `$USER`, use `~/.ssh/config` to specify the ssh connection details such as username, port, or key file used to access the specific host. + +As an example, to access host `65.21.20.242` with a specific username and key, you would add the following to `~/.ssh/config`: + +``` +❯ cat ~/.ssh/config +Host 65.21.20.242 + HostName 65.21.20.242 + User my_remote_user_name + IdentityFile /path/to/my/private_key +``` + +Since `task.py` internally uses ssh when accessing hosts, the above example configuration would be applied when accessing the `hetzarm` alias. + +## build-local +The `build-local` task builds the given alias configuration locally. If the alias name is not specified `build-local` builds all alias configurations: + +```bash +❯ invoke build-local --alias ghaf-log +INFO Running: nixos-rebuild build --option accept-flake-config true -v --flake .#ghaf-log +building the system configuration... +Building in flake mode. +... +building '/nix/store/y2m2f5ad5xh6z6z1r31591sgzdl84mcr-etc.drv'... +building '/nix/store/wks2pw9692flrfaqdpv1m0pwfyn17ggj-nixos-system-ghaf-log-24.05.20240830.6e99f2a.drv'... +``` + +## install +The `install` task installs the given alias configuration on the target host with [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). It will automatically partition and re-format the host hard drive, meaning all data on the target will be completely overwritten with no option to rollback. During installation, it will also decrypt and deploy the host private key from the sops secrets. The intended use of the `install` task is to install NixOS configuration on a non-NixOS host, or to repurpose an existing server. + +Note: `ìnstall` task assumes the given NixOS configuration is compatible with the specified host. In the existing Ghaf CI/CD infrastructure you can safely assume this holds true. However, if you plan to apply the NixOS configurations from this repository on a new infrastructure or onboard new hosts, please read the documentation in [adapting-to-new-environments.md](./adapting-to-new-environments.md). + +```bash +❯ invoke install --alias ghaf-webserver +Install configuration 'ghaf-webserver' on host '37.27.204.82'? [y/N] y +... +### Uploading install SSH keys ### +### Gathering machine facts ### +### Switching system into kexec ### +### Formatting hard drive with disko ### +### Uploading the system closure ### +### Copying extra files ### +### Installing NixOS ### +### Waiting for the machine to become reachable again ### +### Done! ### +... +``` + +## deploy +Note: it's strongly recommended to use the [deploy-rs](https://github.com/tiiuae/ghaf-infra/blob/main/docs/deploy-rs.md) instead of the `deploy` task. + +The `deploy` task deploys the given alias configuration to the target host with [nixos-rebuild](https://nixos.wiki/wiki/Nixos-rebuild) `switch` subcommand. This task assumes the target host is already running NixOS, and fails if it's not. + +Note: unlike the changes made with `install` task, `deploy` changes can be [reverted](https://zero-to-nix.com/concepts/nixos#rollbacks) with `nixos-rebuild switch --rollback` or similar. + +```bash +❯ invoke deploy --alias ghaf-webserver +... +``` + +## update-sops-files +The `update-sops-files` task updates all sops yaml and json files according to the rules in [`.sops.yaml`](../.sops.yaml). The intended use is to update the secrets after adding new hosts, admins, or secrets: + +```bash +$ invoke update-sops-files +```