  2. 6

    Maybe this is new, but turns out, NixOS has a startAt attribute on services to automate creating that timer. I only just found out and have some code to clean up myself. :-)

    There’s also environment for setting vars, instead of in the shell script, which could be helpful if you’re worried about escaping values.

    I’m not sure if the readFile has any benefit of protecting the secret here. The contents will still be part of the unit definition generated by Nix and present in the (world-readable) store. I think it really needs to be read at run time somehow?

    1. 3

      > I’m not sure if the readFile has any benefit of protecting the secret here. The contents will still be part of the unit definition generated by Nix and present in the (world-readable) store. I think it really needs to be read at run time somehow?

      I should have explained how to do it with nixops and its keys, however a webhook leak isn’t really that bad because it is post only and easily replaced. I’m working on a nixops tutorial at the moment though.

      1. 2

        Today I learned! Thanks. That will make things much easier.

      2. 3

        It seems nice; but that looks like a lot of work to generate 10 lines of systemd config, or even just one line in a cron job?

        1. 3

          It’s about declaring what your system config / app deployment should look like in a single place, rather than changing details across a running system. You can combine that systemd unit and cronjob in a single NixOS module that you keep in a git repo, and that’s just a very small example. More complicated applications can also include virtual host config, build steps, etc. in a single file, if the developer feels they logically belong together.

          Some of this is comparable to what tools like Ansible achieve. What if you have to reinstall the machine? Or what if you want to share some configuration across machines? You don’t want to figure out how to setup your server / app all over again, especially if the situation is unexpected and you’re pressed for time.

          NixOS goes a bit further than Ansible et al by not describing steps to apply to an Ubuntu system (for example), but by being its own Linux distribution built entirely with Nix. (Benefits of that are a separate discussion, I think.)

          1. 2

            That was kind of my point. We now need a custom Linux distribution with its own (new) programming language to achieve very simple things. Well, at least it’s not YAML again.

            1. 4

              The language and distribution are about 17 years old, so I guess new is relative here.

              1. 2

                A matter of perspective, maybe? I’ve tried often to get comfortable with Debian packaging for my own (also work) applications and smaller tools, but couldn’t. Instead, it’s always just ‘treat the OS like a black box’ and deploy to /opt or similar. NixOS is a lot more approachable to me, despite the learning curve. (I guess a different learning curve.)

            2. 3

              It’s not just 10 lines of systemd config. It’s also putting that config in the right place and implicitly activating it so you can’t mess it up. One line of cronjob doesn’t give you logs for that cronjob when it fails. The basic process here can also be adapted to other things like backup scripts.

              This blogpost was cherry-picked from this config: https://github.com/Xe/nixos-configs/blob/master/hosts/chrysalis/tulpachat.nix, which uses Nix functions to dynamically create discord webhook timers so I can add an arbitrary number of them in the future.

              For a more complicated example, see here: https://github.com/Xe/nixos-configs/blob/master/common/services/mi.nix, this handles a service called mi and exposes it at mi.within.website. I could “just write the systemd units by hand”, but that doesn’t handle pushing the units and scripts to the machine and making sure they are enabled. This allows me to rest assured that I can trivially move the config to other machines if I need to, such as if I get a new home server. Not to mention automatically building and installing all the services on the machine and then making sure the systemd units point to the correct binaries.

              Sure, I can write 10 lines of systemd config today and I will be fine. However, tomorrow it may end up not working out when circumstances and facts change.

              1. 1

                > One line of cronjob doesn’t give you logs for that cronjob when it fails.

                Well, I used to get emails from failed cron jobs, and systemd logs are still a thing if you’re on Linux.

                I completely understand the appeal of having the state/config integrated in one repository, but it looks like we only reach as far as tools like Ansible/Chef/Salt do for now. I’ve only seen a few bits of nix config here and there so far, and there’s probably a bigger picture that makes it all very exciting, but I guess I’d need to dig myself into that hole to find out if I like digging.

                1. 4

                  The key difference is Ansible, Chef, and Salt are all still saying what you want to do, not what you want to end up with. What I mean by this is with each of these tools:

                  1. start with a new system
                  2. define a service you want running
                  3. deploy
                  4. delete that service from your configuration repository
                  5. deploy

                  Chef and friends will just stop managing that service, but the service will still exist. NixOS, though, won’t have that service anymore.

                  1. 1

                    > The key difference is Ansible, Chef, and Salt are all still saying what you want to do, not what you want to end up with.

                    That should be the tag line for Nix in general. For whatever reason, that really resonates with me.

                    > Chef and friends will just stop managing that service, but the service will still exist. NixOS, though, won’t have that service anymore.

                    I don’t want to be pedantic, but if not having the service anymore is your goal, that’s still totally doable with chef and friends.

                    1. 1

                      Yes it is possible, but you have to make it your goal. Again, you’re so used to having to think about what you want to do, not just what you want. Nix lets you skip past that and just write down what you want.
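The points raised near the top of the thread (startAt generating the timer, environment for variables, and the readFile secret ending up in the world-readable store) side by side in one NixOS module, as an added example; this is neither code from the thread nor from the linked Xe/nixos-configs repository. The service names, the secret file paths and the message text are hypothetical, and the run-time read uses systemd's LoadCredential, which the thread did not name but which is one answer to the "needs to be read at run time" question:

```nix
# Added example, not from the thread or the linked repository.
# Hypothetical names: webhook-leaky, webhook-notify, ./discord-webhook.secret
# and /run/keys/discord-webhook (a key deployed outside the store, e.g. by nixops).
{ config, pkgs, ... }:

{
  # WEAK: builtins.readFile inlines the file's contents into the Nix expression,
  # so the secret is written verbatim into the generated unit file under
  # /nix/store, which is world-readable and stays around in old generations
  # until garbage-collected. readFile hides the path, not the value.
  systemd.services.webhook-leaky = {
    startAt = "hourly";                      # NixOS generates the matching .timer
    environment.WEBHOOK_URL = builtins.readFile ./discord-webhook.secret;  # leaks
    path = [ pkgs.curl ];
    script = ''
      curl -fsS -H 'Content-Type: application/json' \
        -d '{"content":"ping"}' "$WEBHOOK_URL"
    '';
  };

  # BETTER: only the *path* of the secret reaches the store. systemd copies the
  # file into a private per-service directory at start time and exposes it via
  # $CREDENTIALS_DIRECTORY; the contents never appear in the unit file.
  systemd.services.webhook-notify = {
    startAt = "hourly";
    # environment is fine for non-secret values and avoids shell escaping.
    environment.MESSAGE = "ping from ${config.networking.hostName}";
    path = [ pkgs.curl ];
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;                    # no long-lived account needed
      LoadCredential = "webhook:/run/keys/discord-webhook";
    };
    script = ''
      url=$(cat "$CREDENTIALS_DIRECTORY/webhook")
      curl -fsS -H 'Content-Type: application/json' \
        -d "{\"content\":\"$MESSAGE\"}" "$url"
    '';
  };
}
```

A quick way to check which pattern you have is to look at the generated unit (systemctl cat webhook-leaky.service) and see whether the webhook URL is printed in plain text; with LoadCredential only the /run/keys path shows up. Deleting either attribute set from the module and switching removes both the .service and its .timer, which is the declarative behaviour the later part of the thread contrasts with Chef and friends.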