Add initial support for hetzner cloud #944
Conversation
This is based on the digital ocean backend. It also uses nixos-infect. I extended nixos-infect to be generic for both backends. Fixes #855
It's working, almost done and the only thing missing is a NixOS-infect style thing. I was planning of using @cleverca22's kexec-based approach to that, which might be the fastest way to do it and allow to boot straight into the target nixos system. A difference I can see between our approaches from skimming the PR for 1 minute is that you use the REST API directly while I use a Python package that does it. @goodraven Are you in a hurry getting this merged? Otherwise I recommend we take some time to read each other's PRs in detail and then unify them. |
|
awesome! Is there any chance to get this merged in the next time? |
|
Is this PR in a state, so that I could test it? |
|
@goodraven I just tested your PR. Thank you for this amazing work! Let's merge this! :-) |
|
|
||
| def destroy(self, wipe=False): | ||
| if not self.server_id: | ||
| self.log('server {} was never made'.format(self.name)) |
| import nixops.util | ||
| import nixops.known_hosts | ||
|
|
||
| infect_path = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'data', 'nixos-infect')) |
There was a problem hiding this comment.
Probably would make sense to use upper-case INFECT_PATH.
| resources.sshKeyPairs.ssh-key = {}; | ||
|
|
||
| machine = { config, pkgs, ... }: { | ||
| services.openssh.enable = true; |
There was a problem hiding this comment.
This is shouldn't needed, as it's already enabled in nix/hetzner-cloud.nix.
| deployment.targetEnv = "hetznerCloud"; | ||
| deployment.hetznerCloud.serverType = "cx11"; | ||
|
|
||
| networking.firewall.allowedTCPPorts = [ 22 ]; |
There was a problem hiding this comment.
Same here, as it's done by the sshd module (openFirewall is enabled by default).
| the infect itself, another after we pushed the nixos image. | ||
| """ | ||
| import os | ||
| import os.path |
There was a problem hiding this comment.
Not needed when we already have an import for os.
| ssh_key_id = self._create_ssh_key(ssh_key.public_key) | ||
|
|
||
| req = { | ||
| 'name': self.name, |
|
|
||
| self.wait_for_ssh() | ||
| self.log_start("running nixos-infect") | ||
| self.run_command('bash </dev/stdin 2>&1', stdin=open(infect_path)) |
There was a problem hiding this comment.
It should not be needed to redirect /dev/stdin here as bash reads from stdin by default if not connected to a terminal.
|
|
||
| for interface in ${interfaces[@]}; do | ||
| ip4s=($(ip address show dev $interface | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) | ||
| ip6s=($(ip address show dev $interface | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) |
There was a problem hiding this comment.
grep should not be needed here because sed has a -n flag.
| ]; | ||
| }; | ||
| ens4 = { | ||
| ip4 = [$(for a in ${ens4_ip4s[@]}; do echo -n " |
There was a problem hiding this comment.
Did you test other backends using nixos-infect whether they still work?
| }) | ||
|
|
||
| def get_ssh_private_key_file(self): | ||
| return self.write_ssh_private_key(self.depl.active_resources.get('ssh-key').private_key) |
There was a problem hiding this comment.
I'd either internalize this for every machine state or allow to specify a specific resource rather than a hardcoded one. The former would have the advantage that it would require less options and later on we can still add an option so users can use an ssh key resource instead of the internal one.
|
Is this PR still being worked on? |
|
This pull request has been mentioned on Nix community. There might be relevant details there: https://discourse.nixos.org/t/help-customizing-nixops-version/2718/1 |
|
Hello! Thank you for this PR. In the past several months, some major changes have taken place in
This is all accumulating in to what I hope will be a NixOps 2.0 My hope is that by adding types and more thorough automated testing, However, because of the major changes, it has become likely that this If you would like to see this merge, please bring it up to date with Thank you again for the work you've done here, I am sorry to be Graham |
This is based on the digital ocean backend. It also uses nixos-infect. I extended nixos-infect to be generic
for both backends.
Fixes #855
--
I see @nh2 has some work at https://github.com/nh2/nixops/tree/hetznercloud but I'm not sure what the status of that is.