Deploy albatross using NixOS #120
Conversation
The project is built using opam-nix. To save space, the compiler from nixpkgs is used.
The nixos module runs albatrossd and albatross-console in a similar way to the systemd units in packaging/linux. It also sets up the NAT and network interfaces and helps expose ports.
This service runs albatross-tls-endpoint and exposes it to the internet. The server's private key is taken as an option. This is not ideal: the key is copied into the Nix store, which is readable by all users on the server and on the developer machine.
sounds good to me, any chance we can have a GitHub action that uses nix?
This only checks whether the package builds and whether the lock file is up to date. Some work is needed to cache the Nix store.
I finally managed to write an action that runs in a reasonable time (3 min). It could run much faster; it's still downloading a lot on every build and even building Opam for some reason. This seems to be due to opam-nix's multi-step builds and this trick to reduce the size of the closure, which both make many of the build dependencies unrooted (and garbage collected). There's room for improvement.
Thanks for your work @Julow. I'm wondering whether -- similar to mirage/ocaml-git#600 -- we can avoid hardcoding all the nix checksums, which is a burden on maintenance that I'd like to avoid. Does this sound feasible and reasonable to you?
The lock file only locks the version of Opam repositories, build tools and nixpkgs. All of these need to be defined at some point; none of them are defined in nixpkgs. The approach used in mirage/ocaml-git#600 is not less work and maintenance in the case of albatross because it has a lot of dependencies that are not in nixpkgs.
I can give it a try but this might take a bit of time.
we can also merge this as is, but I won't be able to update the lock files on my own. If the nixos github action fails, I'd mention you so you can take a look - does this sound ok? (we can of course at a later point revise the github action)
CHANGES:
- BUGFIX policy (vmm_resources): when inserting a policy, check policies above, but not the same one (@hannesm)
- tls-endpoint: listen on systemd socket, add systemd example (robur-coop/albatross#119 @Julow @reynir)
- albatross-stats systemd service: allow AF_NETLINK to gather network interface statistics (@reynir)
- BUGFIX albatross-stats: use if_nametoindex, simplify code (robur-coop/albatross#125 @dinosaure @reynir @hannesm)
- Add deployment scripts for nixos (robur-coop/albatross#120 @Julow)
I volunteer for maintaining the flake and the nixos module.
Do you have a list of the missing dependencies?
Not that many actually! It seems that I gave up too soon: the first 3 are just noise, the rest should be reasonable to add, with not many transitive deps.
Does https://github.com/NixOS/nixpkgs/blob/master/pkgs/os-specific/solo5/default.nix contain solo5-elftool?
FWIW the solo5-elftool is mirrored (gitea push mirror) on GitHub https://github.com/roburio/ocaml-solo5-elftool (if this makes packaging easier in nixos, feel free to use that) |
The flake.nix file defines a package for albatross as well as a nixos module for deploying it as systemd services. The project is built with opam-nix, which should ensure that the package definition doesn't get out of date (as long as opam install works). The systemd units are taken from the existing packaging/linux with slight changes. The module also configures a NAT and a network bridge named "service". The TLS endpoint is placed in a separate module to make sure it is optional.
An example of use can be found here: https://github.com/Julow/albatross-nixos-example
A weakness of the module at the moment is that the TLS endpoint's private key is copied into the Nix store and available to all users.
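The private-key weakness noted above, shown as an added NixOS module fragment that is not part of this PR or of albatross: it contrasts the pattern that lands the key in the world-readable Nix store with one that keeps the key outside the store and hands it to the service through systemd credentials. The option tree services.albatross-tls-example, its package option and the elided daemon command-line arguments are assumptions.

```nix
# Added example (not albatross's or the PR's code). Option names, the `package`
# option and the daemon's command-line arguments are assumptions/placeholders.
{ config, lib, ... }:

let
  cfg = config.services.albatross-tls-example;
in
{
  options.services.albatross-tls-example = {
    package = lib.mkOption { type = lib.types.package; };

    # Weak pattern (the one the PR description warns about): a Nix path literal
    # such as `./server.key` is copied into /nix/store as soon as it is
    # interpolated into a string, e.g.
    #   ExecStart = "... ${./server.key}";
    # and everything under /nix/store is world-readable, on the machine that
    # evaluated the configuration and on every host the closure is copied to.
    #
    # Hardened pattern: take a plain string naming a file outside the store.
    # A string is never read at evaluation or build time, so nothing is copied.
    privateKeyPath = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/albatross/server.key";
      description = "Path, outside the Nix store, to the TLS private key.";
    };
  };

  config.systemd.services.albatross-tls-example = {
    serviceConfig = {
      # The service manager reads the file as root at service start and exposes
      # a private copy as %d/server.key ($CREDENTIALS_DIRECTORY) that only the
      # service user can read, so the daemon itself needs no access to the
      # original file and can run as an unprivileged dynamic user.
      LoadCredential = [ "server.key:${cfg.privateKeyPath}" ];
      DynamicUser = true;
      # Real arguments elided (placeholder): the daemon should be pointed at
      # %d/server.key rather than at a store path.
      ExecStart = "${cfg.package}/bin/albatross-tls-endpoint";
    };
  };
}
```

A quick check after deployment is that `nix-store --query --references /run/current-system` (or the service's unit file) contains no store path whose name ends in the key's filename.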