We have 20-ish Raspberry Pis deployed, serving as Telegraf agents, configured via Nix and our own overlay to provide additional files and small packages to help bootstrap the configuration.
The configuration itself works well - but we currently manually copy the file each time. It would be awesome if we could automate the process. Right now, I am looking into system.activationScripts as a possibility, but I doubt that this is what it is supposed to be used for. So instead, I would like to know what I can do.
The idea is simple: We have a HTTPS server with an endpoint we can POST to. Now, we would like to automate this process:
Set a token in a newly created option.
Generate a shell script that launches after a successful switch
Run that script with cURL in its $PATH (or just supply the full .outPath via something like $(pkgs.curl.outPath)) to upload the file to our server.
The server knows who we are by our token and moves the file into a date-time tagged archive.
How would you implement that?
The reason I am not using NixOps, btw, is because all the Pis are behind different VPNs - and I have not found a way to associate each Pi with its own OVPN config and creds. So… we manually establish a tunnel, then SSH into the Pi, and do maintenance.
Because we don't use NixOps (too many different VPN configs associated with each individual Pi), we SSH into each device individually to update the configuration.nix and issue a nixos-rebuild switch respectively. However, we don't have an automated mechanism to back up those configs at all - so my idea was to use some post-switch hook to send this config, for which a switch was in fact successful, to a remote storage with a basic but effective HTTP API - much like you demonstrated.
What I realized though is that there aren't that many default packages loaded into the $PATH of those scripts; just coreutils, some net utilities and other basics. cURL is not included.
So I wondered if system.activationScripts is actually the way to go, considering how "early" it runs in a new generation - even the docs just say that it is meant to set up critical files… and just backing up the configuration, albeit being somewhat critical, may not apply.
Would it be possible to call cURL regardless with something like
I am still relatively new to Nix and more or less speedrunning this due to the demand in the company for more expertise. So chances are I overlooked something…
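As an added example (not code from the thread or from any of its participants), here is one way to wire up the upload the question describes as a small NixOS module: a token option, an activation script, and curl referenced by its full store path so it does not depend on the activation $PATH. The option names `services.configBackup.*` and the endpoint URL are assumptions; the token is read from a file outside the Nix store, because anything interpolated into a Nix string lands in the world-readable store.

```nix
# Added example, not from the original thread. Option names are hypothetical.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.configBackup;
in {
  options.services.configBackup = {
    enable = lib.mkEnableOption "upload configuration.nix on activation";

    url = lib.mkOption {
      type = lib.types.str;
      example = "https://backup.example.com/upload";   # placeholder endpoint
      description = "HTTPS endpoint that accepts a POSTed configuration.";
    };

    tokenFile = lib.mkOption {
      type = lib.types.path;
      example = "/var/lib/config-backup/token";
      description = ''
        File holding the bearer token. Keep it outside the Nix store:
        store paths are readable by every local user.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    system.activationScripts.configBackup.text = ''
      # Activation runs with a minimal PATH, so every tool is referenced by
      # its store path. The upload must never abort activation, hence the
      # "|| echo" fallback instead of failing the switch.
      if [ -r ${lib.escapeShellArg cfg.tokenFile} ]; then
        token=$(${pkgs.coreutils}/bin/cat ${lib.escapeShellArg cfg.tokenFile})
        ${pkgs.curl}/bin/curl --fail --silent --show-error --max-time 30 \
          -H "Authorization: Bearer $token" \
          -H "X-Host: ${config.networking.hostName}" \
          --data-binary @/etc/nixos/configuration.nix \
          ${lib.escapeShellArg cfg.url} \
          || echo "configBackup: upload failed (network down?)" >&2
      else
        echo "configBackup: token file missing, skipping upload" >&2
      fi
    '';
  };
}
```

Activation scripts also run at every boot, not only after `nixos-rebuild switch`, so the server should expect repeated uploads of an unchanged file and deduplicate by content if that matters.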
If you ssh into the devices to edit and switch anyway, I would keep /etc/nixos/ in git. That gives you change history and backup to a remote host. Actually, that is how I manage NixOS and home-manager configurations on my servers and laptops.
Setup:
Remote host (user is "git" but can be anything):