finalize nix-unprivileged-deployments
All checks were successful
Build Blog / Build (push) Successful in 5m38s
This commit is contained in:
parent
f0d3ae0aaa
commit
55875f4c25
|
@ -118,8 +118,10 @@ $ ls /nix/store | grep myblog
|
||||||
mqhssdlmg9f03avpajwcqaah2apknl02-myblog
|
mqhssdlmg9f03avpajwcqaah2apknl02-myblog
|
||||||
```
|
```
|
||||||
|
|
||||||
Now I just need a symlink to this file, and a nginx vhost. I'll create a small NixOS
|
|
||||||
module that will set this up:
|
Before we go any further, let's set up the nginx server,
|
||||||
|
as well as a well-known path for our website. I'll also
|
||||||
|
add a user here that we can use to deploy.
|
||||||
|
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
|
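Review bot: the rewritten lead-in says "a well-known path for our website", which readers may confuse with the HTTP `/.well-known/` URI prefix rather than a fixed filesystem location; consider "a fixed directory" or naming it outright (`/var/lib/static-site/public`, as the listing later in the post shows). The rewrite also drops the old sentence's explicit mention of the symlink, which now first appears at "The last step is creating that symlink"; a half-sentence here saying the symlink comes later keeps the roadmap intact.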
@ -157,6 +159,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# make this user trusted (spooky)
|
# make this user trusted (spooky)
|
||||||
|
# you'll see why we need this in a moment.
|
||||||
nix.settings.trusted-users = [ user ];
|
nix.settings.trusted-users = [ user ];
|
||||||
|
|
||||||
|
|
||||||
|
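Review bot: the added comment `# you'll see why we need this in a moment.` defers the explanation, but `nix.settings.trusted-users = [ user ];` is the most security-relevant line of the module and deserves its consequence stated inline: a trusted user may change daemon settings that are otherwise restricted and import unsigned store paths, so the deploy user is effectively root-equivalent on this host. Suggest replacing the "spooky" aside with something like `# trusted-users lets this user change daemon settings and import unsigned paths; treat it as root-equivalent`, and if trust is only needed so copied closures are accepted, noting that signing the closure with a key listed in `nix.settings.trusted-public-keys` is the less privileged alternative.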
@ -200,47 +203,47 @@ The last step is creating that symlink. This is where the concept of "activation
|
||||||
For NixOS, `deploy-rs` activation just calls `switch-to-configuration` to make
|
For NixOS, `deploy-rs` activation just calls `switch-to-configuration` to make
|
||||||
the system change the profile. We can effectively do whatever we want here.
|
the system change the profile. We can effectively do whatever we want here.
|
||||||
|
|
||||||
|
|
||||||
Reading the [custom activator](https://github.com/serokell/deploy-rs/blob/aa07eb05537d4cd025e2310397a6adcedfe72c76/flake.nix#L58C13-L96C17) source:
|
Reading the [custom activator](https://github.com/serokell/deploy-rs/blob/aa07eb05537d4cd025e2310397a6adcedfe72c76/flake.nix#L58C13-L96C17) source:
|
||||||
```nix
|
```nix
|
||||||
custom =
|
custom = {
|
||||||
{
|
__functor = customSelf: base: activate:
|
||||||
__functor = customSelf: base: activate:
|
final.buildEnv {
|
||||||
final.buildEnv {
|
name = ("activatable-" + base.name);
|
||||||
name = ("activatable-" + base.name);
|
paths =
|
||||||
paths =
|
[
|
||||||
[
|
base
|
||||||
base
|
(final.writeTextFile {
|
||||||
(final.writeTextFile {
|
name = base.name + "-activate-path";
|
||||||
name = base.name + "-activate-path";
|
text = ''
|
||||||
text = ''
|
#!${final.runtimeShell}
|
||||||
#!${final.runtimeShell}
|
set -euo pipefail
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
if [[ "''${DRY_ACTIVATE:-}" == "1" ]]
|
if [[ "''${DRY_ACTIVATE:-}" == "1" ]]
|
||||||
then
|
then
|
||||||
${customSelf.dryActivate or "echo ${final.writeScript "activate" activate}"}
|
${customSelf.dryActivate or "echo ${final.writeScript "activate" activate}"}
|
||||||
elif [[ "''${BOOT:-}" == "1" ]]
|
elif [[ "''${BOOT:-}" == "1" ]]
|
||||||
then
|
then
|
||||||
${customSelf.boot or "echo ${final.writeScript "activate" activate}"}
|
${customSelf.boot or "echo ${final.writeScript "activate" activate}"}
|
||||||
else
|
else
|
||||||
${activate}
|
${activate}
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
executable = true;
|
executable = true;
|
||||||
destination = "/deploy-rs-activate";
|
destination = "/deploy-rs-activate";
|
||||||
})
|
})
|
||||||
(final.writeTextFile {
|
(final.writeTextFile {
|
||||||
name = base.name + "-activate-rs";
|
name = base.name + "-activate-rs";
|
||||||
text = ''
|
text = ''
|
||||||
#!${final.runtimeShell}
|
#!${final.runtimeShell}
|
||||||
exec ${final.deploy-rs.deploy-rs}/bin/activate "$@"
|
exec ${final.deploy-rs.deploy-rs}/bin/activate "$@"
|
||||||
'';
|
'';
|
||||||
executable = true;
|
executable = true;
|
||||||
destination = "/activate-rs";
|
destination = "/activate-rs";
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
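Review bot: this hunk only reindents the quoted deploy-rs activator (for example `custom =` / `{` is folded into `custom = {`), so the block no longer matches the pinned upstream source line for line even though the prose introduces it as "Reading the custom activator source"; either keep it verbatim or say it has been lightly reformatted. Since the post goes on to run this activator unprivileged, one sentence on what the quoted script does would help: it dispatches on the `DRY_ACTIVATE` and `BOOT` environment variables and otherwise runs `${activate}` as the deploying user, which is exactly why the activation command has to be something that user is permitted to run.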
@ -302,9 +305,24 @@ lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:59 mysite-2-link -> /nix/sto
|
||||||
lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
|
lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
|
||||||
```
|
```
|
||||||
|
|
||||||
We can get an idea of how this works:
|
The chain looks like this:
|
||||||
|
|
||||||
1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
|
1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
|
||||||
2. The profile is itself a link to `mysite-8-link`.
|
2. The profile is itself a link to `mysite-8-link`.
|
||||||
3. `mysite-8-link` is also a link to a derivation in the nix store.
|
3. `mysite-8-link` is again a link, this time to a derivation in the nix store.
|
||||||
|
|
||||||
|
A profile is just a symlink to a derivation in the nix store. One layer of indirection
|
||||||
|
exists to make rollbacks easier.
|
||||||
|
|
||||||
|
|
||||||
|
# End
|
||||||
|
|
||||||
|
I hope this was useful for you. I think non-root deployment is
|
||||||
|
under-explored for nix since NixOS makes it easy to reconfigure.
|
||||||
|
|
||||||
|
As a follow on, you can probably host arbitrary services like this,
|
||||||
|
if you used [home-manager](https://nix-community.github.io/home-manager/)
|
||||||
|
to manage the user and the systemd services. Or you could hack together
|
||||||
|
something similar yourself.
|
||||||
|
|
||||||
|
ok bai
|
||||||
|
|
|
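Review bot: the added sentence "A profile is just a symlink to a derivation in the nix store" does not match the three-step chain directly above it, where the profile points at the generation link `mysite-8-link` and only that link points into the store; suggest "A profile is a symlink to a generation link (`mysite-8-link`), which in turn points at a store path; that extra hop is what makes a rollback a single symlink swap." "Derivation" is also used loosely here for a build output (a store path) rather than a `.drv`. Minor, in the new `# End` section: "follow on" should be "follow-on".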
@ -24,3 +24,4 @@ keypair
|
||||||
|
|
||||||
whitelabel
|
whitelabel
|
||||||
|
|
||||||
|
systemd
|
||||||
|
|
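Review bot: adding `systemd` to the wordlist matches the new "systemd services" mention in the post, so the change is consistent; if this list is meant to stay alphabetical, the entry belongs before `whitelabel` rather than after it.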