Nix at Home - Configuration management for your House!

Video in TIB AV-Portal: Nix at Home - Configuration management for your House!

Formal Metadata

Nix at Home - Configuration management for your House!
Or...How I use enterprise level tools to have sanity at home!
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

My talk I'm proposing is on how to use nix at home in a variety of different ways. We'll start with the basics, a single git repository with multiple machine configurations cloned to /etc/nixos. From there we'll talk about how to deploy machines using nixops with the none backend, specifically in the context of a home router machine with multiple interfaces running all the basic services needed for a secure, usable home network. From there we'll foray into how nixos generations work under the hood a bit and talk about IOHK's work at making a remotely deployable Mac system using nix-darwin, as well as some custom code I wrote that allows you to run nix systemd services (an example being prometheus node exporter) on any Linux system. We'll wrap the talk up with some discussion about using nix for home automation and monitoring, as well as a chance for Q&A. --- Bio: I've been involved with the nix community for a little over a year. I help out on IRC whenever I have a chance (disasm). I work on the devops team of IOHK using nix and haskell on a daily basis. I've been using nixops to deploy my main home router for a little over 6 months, and have been using custom haskell to deploy my mac systems using nix-darwin for about 3 months.
All righty, so it's time for the last talk of the day. We've already heard about NixOS at scale and deploying to large physics things and God knows what, but Samuel is actually going to talk about Nix at home, configuring Nix for your laptop.

Yeah, hello everyone. I'm Samuel Leathers, I work at IOHK, I'm a senior DevOps engineer there, and I will be talking about Nix at home: configuration management for your house, or, as I like to subtitle it, how I use enterprise-level tools to have sanity at home. Credit where credit is due: Graham Christensen and clever helped me out a lot with getting this in the state it is now, so thank you very much for all your help over the last couple of years getting this repo where it is.

So why Nix is great for home devices: most of us don't have dedicated test networks to test changes out. Breaking it is just scary with anything else; with Nix, just roll back. And it's free and easy CI to notify you when things break before you deploy.

So, types of configuration management with Nix. How many of you actually use Nix at home? Almost everyone, okay, so you probably all know all this stuff, so I'll run through it pretty quickly. On a laptop you have a few options: you can do nixos-rebuild switch from a git repo cloned to /etc/nixos and then just manage all your stuff using git. That's nice, but what if you have two laptops and you want to share stuff between those? You can do a nixops deploy from a git repository cloned anywhere, so you can clone it in your home directory and do nixops deploy to your localhost or to other servers in your house. But you still run into the state issue that was mentioned earlier with nixops, where you can only do it from one machine at home; that's usually not too big of a problem though. And then what if you have OS X machines and you want to remote deploy those? Because who wants to actually log into an OS X machine and run darwin-rebuild? Not me. And then what if you have other Linux systems that are not NixOS, but you really want to run something consistently using NixOS on it? Like if you want to run Prometheus node exporter on CentOS, but you don't really want to have to deal with the hassle of updating yum packages and everything. So all those things we're gonna be talking about here today.

So for laptops managed locally: we want to share some configuration, we want some stuff specific per laptop, and we want to be able to rebuild a laptop quickly or spin up a new one. And we usually have bleeding-edge software here; some of you might not. I usually run NixOS unstable on my laptop with some custom commits cherry-picked that are not in yet, sometimes from pull requests or something. And we want to easily test different channels at the same time. So here's how I kind of do it. Let's see, /etc/nixos, that's where all your configurations go, that's just a... is it not going? Oh no. Thanks.

There, now we're good. Okay, so how I do it: /etc/nixos is a clone of my network repo on my GitHub repository. These slides will be shared later if you want to look at that; there's plenty of good stuff in there, and I'm open to any questions later about it. For configuration.nix I actually do a symlink to machine/hostname.nix, so I can have the same git repository cloned to multiple hosts that have different configurations. And hardware configurations, I do the same thing: it's a symlink to hardware-configuration/hostname.nix. If I want to share stuff between modules, I have a modules directory that contains profiles, roles and custom services; I'll talk more about that a little later. I include it with customModules = import modules/module-list.nix, and then customModules is added to the imports attribute in the configuration.nix file. After defining a profile I can just do profiles.vim.enable = true, and now I have my special vim configuration that I want on all my systems. For public shared content I just create a Nix file called shared.nix that just has content in it, so it's just a huge attribute set. So I put things like my home CA certificate there and my public SSH keys, something that I don't care being on the Internet where everyone can see it, but it's still something I want to split across multiple things. But what about the secret stuff, like the passwords you don't want everyone to know? So I create a gitignored secrets.nix file in the same format as shared.nix, and then I add a layer of misdirection for CI using load-secrets.nix, which just does a builtins.pathExists secrets.nix and imports it, otherwise uses this other attribute set that basically usually defines empty strings for everything, so Hydra continues to work.

For home deployments, so like I have a server and my main router at home, both run NixOS, so that's easy, I just use nixops deploy for that. I have an infrastructure.nix file that lists all my infrastructure files, and you'll see that right here. And then I can use the same secrets-type stuff there, as well as the shared stuff and the custom modules that I use on my laptops, and now all that stuff is shared across all my systems. So if I change it in one place it can affect everything, which is great when you add a new vim plugin and you don't want to have to SSH into all your servers and install it again. So this is just a general nixops config with the network and the name of the server, and the deployment: this is the none type, so there's no automatically creating it, because it's a physical thing at home. And then I can add deployment keys in for secrets that I don't want to be living on the server after a reboot, so it has to be deployed again. To create the deployment we use the nixops create command, and you can basically give the deployment a name, and then you can specify... I pinned the nixpkgs version to a specific version; that one I believe was the tip of 18.09 when I created the slide deck here. But basically you can specify -I nixpkgs= and then the path to the tarball on GitHub, and then that will pin it, so you have to run nixops modify then, which is shown just below that, to update it to a new version later. And then you just do nixops deploy home, that's simple enough, deploy -d home.

And then for remote OS X deployments: I don't use OS X very often. Even though this is a Mac, it's running NixOS like 99.999% of the time. I do have another laptop at home that's a MacBook Air that's just thrown in the closet somewhere that I don't want to climb over everything to get to, or I don't really want to VNC into it either, or SSH and manually run stuff. So nix-darwin is great for giving you the same configuration management as on Linux, on macOS. So a buddy of mine at IOHK, Rodney, he's not here today, but he created a really cool tool for us there that basically prepares a system using Haskell, installing Nix, installing nix-darwin and everything, and then runs deployments remotely using Turtle SSH. And I did some improvements to that. I won't go into the code here, as this talk isn't about Haskell but Nix. So remote OS X deployments: the premise is to build two tools, one called prepare and one called deploy. These two tools remotely SSH into the host and handle the nix-darwin stuff. prepare installs Nix in multi-user mode and deploys; deploy deploys new changes. A caveat here is nix-darwin and NixOS modules don't always have the same design, so some breakage may occur if you share configuration. Code is in nix-darwin-tools in my repo. The prepare script is slightly outdated; if you want to do this I highly recommend looking at the IOHK version of this stuff, even though it has a few IOHK-specific things in there. It actually installs with multi-user now in prepare; I haven't updated that in my repo because I haven't run prepare since the default changed to using single-user on OS X again. And it requires an OS X build slave to build the tool. Running prepare will nuke all traces of Nix from the remote system, so don't do this on a system that you've, like, very carefully crafted your pet on. And for deployments you just do nix-build -A tools, and then you can run result/bin/prepare mac and then the IP address of it, and then result/bin/deploy role, and then the role is just a Nix file that's like a configuration.nix file that you'd have on your Darwin system. And yeah, and then you can use the same modules you're using for NixOS, as long as you write them in a way that they work on both Darwin and Linux.

For Linux deployments, this is kind of cool, but I kind of abandoned it because everything runs NixOS now at home, so I don't have much use for it anymore, but I wanted to share this anyway because I'm sure there's a lot of people here that might benefit from it. The initial premise was to set up Prometheus node exporter running on non-NixOS Linux systems like CentOS 7. To do this, basically it looks like a normal NixOS configuration that you'd run nixos-rebuild on, but you do an import of nixpkgs/nixos, and then it only supports services, so it only does systemd services, it doesn't do users. This is probably good, as it would probably break other things on the system if you started trying to mess with /etc/passwd and whatnot on a system that's being managed some other way. And then you just specify your services, and then there's this recursive attribute set that does some buildEnv stuff and maps the paths to it, and it literally dumps out a... so you can then nix-build that on the system, and if you do find ./result you'll see everything in there; all you're gonna see are service files. And then nix-env -p, specify where your user root is for it, so in this case I have user root centos-monitor, and then I specify the file I want to install there, and I specify that I want to grab the allUnits attribute here. And then I just symlink that to /etc/systemd/system, centos-monitor, do systemctl daemon-reload, systemctl start prometheus-node-exporter, and I now have Prometheus node exporter being managed with Nix code. That could be automated further using Haskell to, like, write a tool, or Python Fabric, or any other automation tool that uses SSH, to make this a simple process very similar to how the nix-darwin stuff above was done. This works; I tested it before I wiped my last non-NixOS system. New runs of nix-env create a new generation, so you can roll back with this too, which is pretty cool. I really just need the Prometheus node exporter, but I included other services so you can see that it's scalable and can run multiple services this way. To use in production, like I said, I'd recommend using some other deployment tool rather than just manually SSHing in and running nix-env; that's never a good idea.

So the custom modules, profiles and roles I said I was going to touch back on later: I first used the profiles and roles design pattern with Puppet in a previous job. If anyone's used Puppet, they've probably heard about the profiles and roles design pattern. When used properly, each system should only have one role, and a role should only define profiles. My repo does not follow this at all. The initial code came from a repo by offlinehacker, but it's pretty different from his original implementation. In essence both profiles and roles are just NixOS modules with a different prefix. I don't use roles a lot at all in my repo; I have a base role that doesn't have an enable option for things I want on any system, but that's pretty much all I use roles for. Profiles are glue around NixOS configuration, so for example something like profiles.vim.enable = true abstracts away lots of vim configuration setup. And most profiles have an enable option; if you don't have one, it's gonna be on all your systems, which is probably not what you want. My goal here is to clean up all the stuff in my legacy nix-configs directory, which is kind of a mess, and have just, like, the bare minimum in nix-configs and everything else is just profiles, but I just haven't had time to play with it yet. And these can be shared across all the Linux and OS X systems, so you might have to do some conditional things based on how nix-darwin does something and NixOS does something.

And then most importantly, we need CI to test everything, so Hydra to test everything. I define a NixOS func stable, NixOS func unstable and nix-darwin func unstable that point to these that are defined in Hydra. If you want to see how they're defined in Hydra, you can look at my hydra-configs repo under the same username on GitHub. And then nix-darwin-tools is what I told you about, with the tools to actually deploy, and so those are all tested as well, so when they break from some LTS upgrade and latest Nix, I know about it. And this will actually test with every single commit that hits NixOS unstable for serve and the Mac one, for all the unstable commits, and for my servers optina and portal it will hit 18.09; any commits that hit it, it will rerun and make sure everything's going, so I know as soon as something upstream breaks something that I did that I need to fix. And some other cool features about my network repo that I'm not going to get into a whole lot of detail here: I have full iPXE network booting, thanks to clever, he really helped me with that one. I have full IPv6 compatibility on my router; my router's fully running NixOS. And I have WireGuard VPN tunnels, OpenVPN tunnels, Prometheus SMART monitoring, and I had an ELK stack for central logging but disabled it because of lack of resources on my server and just, like, running out of memory and disk space, and it was like, I don't need to keep all my logs anymore. That is pretty much my talk here. I can jump in... I see we're at about 16, well no, we're not at 16 minutes because we refreshed this, I don't remember how far we are. Okay, so we can jump in here and I can walk you through some of the stuff I've done in my repo. That requires me to mirror this though... no, I had a different plan, that's right.

tmux session, that's not good. [Music] Let's just exit this one and try tmux attach. There we go. Typing one-handed and holding a microphone is very difficult. Let's look at the router config bit here, because this might be interesting to some people that want to... there we go, that might be interesting to some people that want to run a router at home, so we can look at that. In the default.nix I basically define some internal interfaces; these are VLANs on this interface here. And then I have some WireGuard stuff, and those are my VPNs. One of the cool things here is the iPXE stuff I mentioned, and this basically creates a TFTP root that iPXE can boot, and builds a NixOS module, NixOS system, that basically can be booted over the network. And then I define interfaces here for the firewall. A lot of this stuff came from Graham; I have some cool extra commands here for, like, drop port, no log, accept port on interface, forward port to host, and then I can basically just map across ports. And then, yeah, WireGuard interfaces; those are public keys, don't worry about it. Does anyone have any specific questions about this?

My router does not boot from the network. My router is running a TFTP server so I can boot any laptop over the network, so it's very useful for installing NixOS on things. I've been playing with trying to get Raspberry Pi to network boot as well, but that's a little more difficult because you have to actually disable some GPIO pins. Michael can tell you more about it later if you're interested; he was showing me some of it. But yeah, my router does not network boot; it has a solid-state hard drive in it, and it has monitoring on it and all that good stuff. Any other questions? Well, I guess we can all go drink beer then. [Laughter] [Applause]
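As an added example, not code from the speaker's repo, of the non-NixOS service export described in the talk: a Nix expression that evaluates a NixOS configuration purely to extract the systemd unit files it generates, so Prometheus node exporter can run from the Nix store on a CentOS host. It assumes a pinned nixpkgs on NIX_PATH; the profile path and the unit allow-list are my own choices.

```nix
# centos-monitor.nix (added example; assumes <nixpkgs> on NIX_PATH)
let
  pkgs = import <nixpkgs> { };

  # Same evaluation nixos-rebuild performs, but system.build.toplevel is never
  # built, so users, /etc, the bootloader and the firewall are left untouched.
  nixos = import <nixpkgs/nixos> {
    configuration = { ... }: {
      services.prometheus.exporters.node = {
        enable = true;
        listenAddress = "127.0.0.1";         # scrape over the VPN, not the LAN
        enabledCollectors = [ "systemd" ];
      };
    };
  };

  # Allow-list of units that may leave the evaluation; everything else the
  # modules define (users, tmpfiles, firewall rules) is dropped on purpose.
  wanted = [ "prometheus-node-exporter.service" ];

  # Render one unit to a store path. The unit text carries string context, so
  # the node_exporter package becomes part of the closure and is rooted by the
  # profile, which keeps nix-collect-garbage from deleting it.
  unitFile = name:
    let unit = nixos.config.systemd.units.${name};
    in assert unit.enable;   # refuse to export a unit NixOS would mask
       "${pkgs.writeTextDir name unit.text}/${name}";
in {
  # Directory of all wanted units: `nix-build centos-monitor.nix -A allUnits`
  # then `find ./result` shows only *.service files.
  allUnits = pkgs.linkFarm "centos-monitor-units"
    (map (n: { name = n; path = unitFile n; }) wanted);
}

# On the target host, as root (profile path is my own assumption):
#   nix-env -p /nix/var/nix/profiles/per-user/root/centos-monitor \
#           -f ./centos-monitor.nix -iA allUnits
#   ln -s /nix/var/nix/profiles/per-user/root/centos-monitor/prometheus-node-exporter.service \
#         /etc/systemd/system/
#   systemctl daemon-reload && systemctl start prometheus-node-exporter
# systemd does not search subdirectories of /etc/systemd/system, so link each
# unit file individually. Read the rendered unit before linking it: CentOS 7
# ships systemd 219, which ignores directives newer NixOS modules may emit
# (DynamicUser= needs systemd 232). Every nix-env run is a new profile
# generation; `nix-env -p <profile> --rollback` plus daemon-reload reverts.
```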