My question is much like this one, which never got an answer:
nixops: how to deploy an existing nixos on a machine using local ssh key (targetEnv none)?
Except I'm not using Terraform. Only NixOS + NixOps. So far I have run nixos-rebuild switch, ssh'ed into the VM using a password, and added the public key to /root/.ssh/authorized_keys. Now I can ssh into the VM manually with the new key, as expected:

ssh -i .secrets/vultrtest1_rsa root@XXX.XXX.XXX.XXX

Cool. Next I copied the existing NixOS configuration files to my laptop and tried to hook them up to NixOps. I tried a minimal test1.nix, adding the deployment."none" and/or users.users.root.openssh sections below.
vultrtest1
├── configuration.nix
└── hardware-configuration.nix
# test1.nix
{
  network.description = "vultr test 1";
  network.enableRollback = true;
  vultrtest1 = { config, pkgs, ... } : {
    deployment.targetHost = "XXX.XXX.XXX.XXX";
    imports = [ ./vultrtest1/configuration.nix ];
    # deployment.targetEnv = "none"; # existing nixos vm
    # same result with or without this section:
    deployment."none" = {
      sshPrivateKey = builtins.readFile ./secrets/vultrtest1_rsa;
      sshPublicKey = builtins.readFile ./secrets/vultrtest1_rsa.pub;
      sshPublicKeyDeployed = true;
    };
    # same result with or without this:
    users.users.root.openssh.authorizedKeys.keyFiles = [ ./secrets/vultrtest1_rsa.pub ];
  };
}

In every case, when I try to create and deploy the network, NixOps tries to generate another SSH key and then can't log in:
$ nixops create test1.nix -d test1
created deployment ‘b4ac25fa-c842-11ea-9a84-00163e5e6c00’
b4ac25fa-c842-11ea-9a84-00163e5e6c00
$ nixops list
+--------------------------------------+-------+------------------------+------------+------+
| UUID                                 | Name  | Description            | # Machines | Type |
+--------------------------------------+-------+------------------------+------------+------+
| b4ac25fa-c842-11ea-9a84-00163e5e6c00 | test1 | Unnamed NixOps network | 0          |      |
+--------------------------------------+-------+------------------------+------------+------+
$ nixops deploy -d test1
vultrtest1> generating new SSH keypair... done
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 1 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 2 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 4 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
vultrtest1> could not connect to ‘root@XXX.XXX.XXX.XXX’, retrying in 8 seconds...
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).
Traceback (most recent call last):
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/bin/..nixops-wrapped-wrapped", line 991, in <module>
    args.op()
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/bin/..nixops-wrapped-wrapped", line 412, in op_deploy
    max_concurrent_activate=args.max_concurrent_activate)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in deploy
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1052, in run_with_notify
    f()
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in <lambda>
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 996, in _deploy
    nixops.parallel.run_tasks(nr_workers=-1, tasks=self.active_resources.itervalues(), worker_fun=worker)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/parallel.py", line 44, in thread_fun
    result_queue.put((worker_fun(t), None, t.name))
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 979, in worker
    os_release = r.run_command("cat /etc/os-release", capture_stdout=True)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/backends/__init__.py", line 337, in run_command
    return self.ssh.run_command(command, self.get_ssh_flags(), **kwargs)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 280, in run_command
    master = self.get_master(flags, timeout, user)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 200, in get_master
    compress=self._compress)
  File "/nix/store/kybdy5m979h4kvswq2gx3la3rpw5cq5k-nixops-1.7/lib/python2.7/site-packages/nixops/ssh_util.py", line 57, in __init__
    "‘{0}’".format(target)
nixops.ssh_util.SSHConnectionFailed: unable to start SSH master connection to ‘root@XXX.XXX.XXX.XXX’

What am I missing? Maybe I can manually add the key NixOps just generated?
Update: I looked in the NixOps state database with SQLiteBrowser and pasted the generated public key into authorized_keys. Now I can ssh in manually with the newly generated key, but NixOps still can't deploy.
Posted on 2020-07-17 16:56:16
Temporarily solved this in a not very satisfying way:
I put the key in ~/.ssh (public key in authorized_keys) and added an entry to ~/.ssh/config. I don't know why NixOps uses the local ssh config, or how to stop it. The working entry looks like this:
Host XXX.XXX.XXX.XXX
  HostName XXX.XXX.XXX.XXX
  Port 22
  User root
  IdentityFile ~/.ssh/vultrtest1_rsa

I'll wait a few days and then mark this as the solution, unless someone can explain how to get NixOps to use a local key from .secrets instead of ~/.ssh.
Posted on 2020-07-18 09:09:46
Looking at the source at
https://github.com/NixOS/nixops/blob/master/nix/options.nix
there is a deployment.provisionSSHKey option, which reads:
deployment.provisionSSHKey = mkOption {
  type = types.bool;
  default = true;
  description = ''
    This option specifies whether to let NixOps provision SSH deployment keys.
    NixOps will by default generate an SSH key, store the private key in its state file,
    and add the public key to the remote host.
    Setting this option to <literal>false</literal> will disable this behaviour
    and rely on you to manage your own SSH keys by yourself and to ensure
    that <command>ssh</command> has access to any keys it requires.
  '';
};

Maybe this helps? I'll give it a try once I'm back at my NixOps machine.
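Putting the two answers together, here is a version of test1.nix that keeps the manually installed key and turns off NixOps' own key provisioning. This is an added example, not code from the question or either answer; the address and paths are the question's placeholders, and it assumes the ~/.ssh/config entry from the first answer is in place.

```nix
# test1.nix (added example): existing NixOS host, locally managed SSH key.
{
  network.description = "vultr test 1";
  network.enableRollback = true;

  vultrtest1 = { config, pkgs, ... }: {
    imports = [ ./vultrtest1/configuration.nix ];

    # An already-installed NixOS host reached over plain SSH: NixOps does
    # no provisioning of the machine itself.
    deployment.targetEnv = "none";
    deployment.targetHost = "XXX.XXX.XXX.XXX";

    # Stop NixOps from generating its own keypair. Left at the default
    # (true) it creates a key, keeps the private half in its state file,
    # and has to push the public half to the host, which is the step that
    # fails here. With false, its ssh calls use whatever identity the local
    # ssh client resolves for the host (the ~/.ssh/config entry from the
    # first answer, or an agent).
    deployment.provisionSSHKey = false;

    # Keep the manually installed key declarative, so a later deploy that
    # rewrites root's authorized_keys does not lock you out. Only the public
    # key is referenced; the private key stays out of the Nix expression
    # (builtins.readFile on it would copy the secret into the evaluation).
    users.users.root.openssh.authorizedKeys.keyFiles = [ ./secrets/vultrtest1_rsa.pub ];
  };
}
```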
https://stackoverflow.com/questions/62957306