tree: 640c4e55c44b312125978ed5bb08894d6a2f9eca [path history] [tgz]
  1. ceph/
  2. monitoring/
  3. sso/
  4. exports.nix
  5. machines.nix
  6. provision.nix
  7. README.md
ops/README.md

Operations

Deploying NixOS machines

Machine configurations are in ops/machines.nix.

Wrapper script to show all available machines and provision a single machine:

 $ $(nix-build -A ops.provision)
 Available machines:
  - bc01n01.hswaw.net
  - bc01n02.hswaw.net
  - dcr01s22.hswaw.net
  - dcr01s24.hswaw.net
  - edge01.waw.bgp.wtf

 $ $(nix-build -A ops.provision) edge01.waw.bgp.wtf

This can be slow, as it evaluates/builds all machines' configs. If you just want to deploy one machine and possible iterate faster:

$ $(nix-build -A 'ops.machines."edge01.waw.bgp.wtf".config.passthru.hscloud.provision')

Remote Builders (cross-compiling)

If you're attempting to deploy a machine which has a system architecture other than your host machine (eg. are deploying an Aarch64 Raspberry Pi4 from an Intel machine), you'll need to use a remote builder which has that target architecture.

Any machine of that target architecture running Nix(OS) will do, even the machine you're deploing. But we also have some dedicated build machines:

NameArchitectureCPUsRAM
larrythebuilder.q3k.orgAArch64424GiB

To use a machine $name as a remote builder:

  1. Make sure you have access to the machine. ssh $username@$name should work. If not, file a CR to get your key added to the machine and ask someone to review and deploy it. The machines' key confiurations are in hscloud.

  2. Check nix store ping --store ssh-ng://$username@$name. It should work.

  3. On NixOS, configure builders in your system configuration.nix and rebuild, eg.:

nix.buildMachines = [
  {
    system = "aarch64-linux";
    sshUser = "root";
    sshKey = "/home/q3k/.ssh/id_ed25519";
    maxJobs = 4;
    hostName = "larrythebuilder.q3k.org";
  }
];
nix.distributedBuilds = true;
  1. On non-NixOS, configure builders in your nix.conf, eg. builders = ssh://$username@$name aarch64-linux in your system/user nix.conf. Your nix-daemon should also specify that the local user is trusted.

We should automate this some day.