finalize nix-unprivileged-deployments
All checks were successful
Build Blog / Build (push) Successful in 5m38s
parent
f0d3ae0aaa
commit
55875f4c25
|
@ -118,8 +118,10 @@ $ ls /nix/store | grep myblog
|
|||
mqhssdlmg9f03avpajwcqaah2apknl02-myblog
|
||||
```
|
||||
|
||||
Now I just need a symlink to this file, and a nginx vhost. I'll create a small NixOS
|
||||
module that will set this up:
|
||||
|
||||
Before we go any further, let's set up the nginx server,
|
||||
as well as a well-known path for our website. I'll also
|
||||
add a user here that we can use to deploy.
|
||||
|
||||
|
||||
```nix
|
||||
|
@ -157,6 +159,7 @@ in
|
|||
};
|
||||
|
||||
# make this user trusted (spooky)
|
||||
# you'll see why we need this in a moment.
|
||||
nix.settings.trusted-users = [ user ];
|
||||
|
||||
|
||||
|
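Review bot: The comment above `nix.settings.trusted-users = [ user ];` defers the reason to later text ("you'll see why we need this in a moment") and describes the risk only as "spooky". The Nix manual describes adding a user to trusted-users as essentially equivalent to giving that user root access, which is worth saying plainly in a post about unprivileged deployments. Consider stating in the comment itself what the setting grants and why the deploy user needs it.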
@ -200,10 +203,10 @@ The last step is creating that symlink. This is where the concept of "activation
|
|||
For NixOS, `deploy-rs` activation just calls `switch-to-configuration` to make
|
||||
the system change the profile. We can effectively do whatever we want here.
|
||||
|
||||
|
||||
Reading the [custom activator](https://github.com/serokell/deploy-rs/blob/aa07eb05537d4cd025e2310397a6adcedfe72c76/flake.nix#L58C13-L96C17) source:
|
||||
```nix
|
||||
custom =
|
||||
{
|
||||
custom = {
|
||||
__functor = customSelf: base: activate:
|
||||
final.buildEnv {
|
||||
name = ("activatable-" + base.name);
|
||||
|
@ -240,7 +243,7 @@ custom =
|
|||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
|
||||
|
@ -302,9 +305,24 @@ lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:59 mysite-2-link -> /nix/sto
|
|||
lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
|
||||
```
|
||||
|
||||
We can get an idea of how this works:
|
||||
The chain looks like this:
|
||||
|
||||
1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
|
||||
2. The profile is itself a link to `mysite-8-link`.
|
||||
3. `mysite-8-link` is also a link to a derivation in the nix store.
|
||||
3. `mysite-8-link` is again a link, this time to a derivation in the nix store.
|
||||
|
||||
A profile is just a symlink to a derivation in the nix store. One layer of indirection
|
||||
exists to make rollbacks easier.
|
||||
|
||||
|
||||
# End
|
||||
|
||||
I hope this was useful for you. I think non-root deployment is
|
||||
under-explored for nix since NixOS makes it easy to reconfigure.
|
||||
|
||||
As a follow on, you can probably host arbitrary services like this,
|
||||
if you used [home-manager](https://nix-community.github.io/home-manager/)
|
||||
to manage the user and the systemd services. Or you could hack together
|
||||
something similar yourself.
|
||||
|
||||
ok bai
|
||||
|
|
|
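Review bot: The summary sentence after the numbered list, "A profile is just a symlink to a derivation in the nix store", skips the generation link that steps 2 and 3 describe (profile, then `mysite-8-link`, then the store path), and that intermediate link is the "one layer of indirection" the next sentence credits with making rollbacks easier. Consider wording it as a symlink to a generation link that in turn points into the nix store, so the summary matches the list. In the closing section, "As a follow on" reads better as "As a follow-on", and the suggestion to host arbitrary services this way could mention that the deploy user was added to trusted-users earlier in the post.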
@ -24,3 +24,4 @@ keypair
|
|||
|
||||
whitelabel
|
||||
|
||||
systemd
|
||||
|
|