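let
  awsKeyId = "nixops-example-user"; # symbolic name looked up in ~/.ec2-keys or a ~/.aws/credentials profile name
  region = "eu-central-1";
  pkgs = import <nixpkgs> {};

  # Source range allowed to reach port 22 on the machine. The example keeps the
  # original world-reachable value so it deploys unchanged; narrow it to the
  # CIDR you administer from (VPN egress, bastion, ...) before running anything
  # you care about. HTTP/HTTPS below stay open to everyone on purpose: this is
  # a public web server.
  sshSourceIp = "0.0.0.0/0";

  # We must declare an AWS Subnet for each Availability Zone
  # because Subnets cannot span AZs. Each entry becomes one `vpcSubnets`
  # resource and one route-table association below; `name` is also the key
  # other resources use to refer to the subnet.
  subnets = [
    { name = "my-nixops-vpc-subnet-a"; cidr = "10.0.0.0/19"; zone = "${region}a"; }
    { name = "my-nixops-vpc-subnet-b"; cidr = "10.0.32.0/19"; zone = "${region}b"; }
    { name = "my-nixops-vpc-subnet-c"; cidr = "10.0.64.0/19"; zone = "${region}c"; }
  ];
in
{
  network.description = "NixOps example deployment";
  network.enableRollback = true;

  # Now follows a lot of AWS specific networking stuff that is required
  # to create a machine with Internet in a non-default-VPC.
  # Scroll past this unless you are interested in how to control
  # AWS specific stuff with NixOps.

  # SSH key pair NixOps generates and uploads; the machine references it via
  # `deployment.ec2.keyPair`.
  resources.ec2KeyPairs.my-key-pair = {
    accessKeyId = awsKeyId;
    inherit region;
  };

  resources.vpc.my-nixops-vpc = {
    accessKeyId = awsKeyId;
    inherit region;
    instanceTenancy = "default";
    enableDnsSupport = true;
    enableDnsHostnames = true;
    cidrBlock = "10.0.0.0/16"; # the /19 subnets above are carved out of this
    tags.Source = "NixOps";
  };

  resources.vpcSubnets =
    let
      # Builds one subnet resource; `zone`/`cidr` come from the `subnets`
      # list, the VPC id is resolved lazily from the deployment's resources.
      makeSubnet = { cidr, zone }: { resources, ... }: {
        accessKeyId = awsKeyId;
        inherit region zone;
        vpcId = resources.vpc.my-nixops-vpc;
        cidrBlock = cidr;
        # Every instance launched here gets a public IPv4 address. Reachability
        # is then governed solely by the security group and the NixOS firewall.
        mapPublicIpOnLaunch = true;
        tags.Source = "NixOps";
      };
    in
    # One subnet per AZ; see the `subnets` list for why.
    builtins.listToAttrs
      (map
        ({ name, cidr, zone }: pkgs.lib.nameValuePair name (makeSubnet { inherit cidr zone; }))
        subnets
      );

  # Inbound rules for the machine. AWS security groups are stateful and
  # deny-by-default, so only these three ports are reachable from outside.
  resources.ec2SecurityGroups.my-nixops-sg = { resources, lib, ... }: {
    accessKeyId = awsKeyId;
    inherit region;
    vpcId = resources.vpc.my-nixops-vpc;
    rules = [
      { toPort = 22; fromPort = 22; sourceIp = sshSourceIp; } # SSH, see `sshSourceIp`
      { toPort = 80; fromPort = 80; sourceIp = "0.0.0.0/0"; } # HTTP
      { toPort = 443; fromPort = 443; sourceIp = "0.0.0.0/0"; } # HTTPS
    ];
  };

  resources.vpcRouteTables = {
    route-table = { resources, ... }: {
      accessKeyId = awsKeyId;
      inherit region;
      vpcId = resources.vpc.my-nixops-vpc;
    };
  };

  resources.vpcRoutes = {
    # Default route: all non-VPC traffic leaves through the Internet gateway,
    # which is what makes the subnets "public".
    igw-route = { resources, ... }: {
      accessKeyId = awsKeyId;
      inherit region;
      routeTableId = resources.vpcRouteTables.route-table;
      destinationCidrBlock = "0.0.0.0/0";
      gatewayId = resources.vpcInternetGateways.my-nixops-igw;
    };
  };

  resources.vpcRouteTableAssociations =
    let
      # Attaches the single route table to the subnet called `subnetName`.
      association = subnetName: { resources, ... }: {
        accessKeyId = awsKeyId;
        inherit region;
        subnetId = resources.vpcSubnets."${subnetName}";
        routeTableId = resources.vpcRouteTables.route-table;
      };
    in
    builtins.listToAttrs
      (map
        ({ name, ... }: pkgs.lib.nameValuePair "association-${name}" (association name))
        subnets
      );

  resources.vpcInternetGateways.my-nixops-igw = { resources, ... }: {
    accessKeyId = awsKeyId;
    inherit region;
    vpcId = resources.vpc.my-nixops-vpc;
  };

  # End of AWS-specific networking stuff.

  # Define a machine.
  # The key (`machine1`) will become the machine's host name.
  # The value is a function that
  #   * returns a NixOS machine configuration (which is just what you would
  #     write into a `configuration.nix` file for a single NixOS machine),
  #     augmented with some NixOps specific `deployment.*` attributes.
  #   * as arguments, takes some global info, such as `resources` that NixOps
  #     created in your AWS account, all the `nodes` in the network
  #     (only `nodes.machine1` exists in this network), and some other stuff
  #     ignored using `...`.
  #     This can be used to, for example, insert the IP of one machine into
  #     the config file of a service on another machine.
  machine1 = { resources, nodes, ... }: {
    # Cloud provider settings; here for AWS
    deployment.targetEnv = "ec2";
    deployment.ec2.accessKeyId = awsKeyId; # symbolic name looked up in ~/.ec2-keys or a ~/.aws/credentials profile name
    deployment.ec2.region = region;
    deployment.ec2.instanceType = "t3.medium";
    deployment.ec2.ebsInitialRootDiskSize = 20; # GB
    deployment.ec2.keyPair = resources.ec2KeyPairs.my-key-pair;
    deployment.ec2.associatePublicIpAddress = true;
    # The machine lives in the first subnet; the other two exist so the VPC
    # is laid out per AZ and can take more machines later.
    deployment.ec2.subnetId = resources.vpcSubnets.my-nixops-vpc-subnet-a;
    deployment.ec2.securityGroups = []; # we don't want its default `[ "default" ]`
    deployment.ec2.securityGroupIds = [ resources.ec2SecurityGroups.my-nixops-sg.name ];

    # Packages available in SSH sessions to the machine
    environment.systemPackages = [
      pkgs.bind.dnsutils # for `dig` etc.
      pkgs.htop
      pkgs.jq
    ];

    # Host firewall. A port must be open both here and in the security group
    # above to be reachable; keep the two lists in sync when adding services.
    networking.firewall.allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
    ];

    # Enable nginx service
    services.nginx = {
      enable = true;
    };
  };
}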