From 8f7c59e10a48c24120dd580b196acd419e5875d0 Mon Sep 17 00:00:00 2001
From: Max Audron
Date: Fri, 11 Aug 2023 16:51:35 +0200
Subject: add custom nixinate impl
---
flake.lock | 46 +++++++++++++++--------------
flake.nix | 64 +++++++++++++++++++++++++++++------------
machines/nixos-test.nix | 5 ----
machines/nixos-test/default.nix | 2 +-
modules/default.nix | 6 ++--
modules/nix-settings.nix | 2 +-
nixinate/default.nix | 18 ++++++++++++
nixinate/generate-apps.nix | 32 +++++++++++++++++++++
nixinate/make-deploy-script.nix | 45 +++++++++++++++++++++++++++++
9 files changed, 170 insertions(+), 50 deletions(-)
delete mode 100644 machines/nixos-test.nix
create mode 100644 nixinate/default.nix
create mode 100644 nixinate/generate-apps.nix
create mode 100644 nixinate/make-deploy-script.nix
diff --git a/flake.lock b/flake.lock
index 587f63f..957f203 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,59 +1,61 @@ { "nodes": { - "nixinate": { + "flake-parts": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1688141737, - "narHash": "sha256-qHrNMYWukOKmKVf6wXOGKj1xxUnOGjvTRbt/PLLXuBE=", - "owner": "matthewcroughan", - "repo": "nixinate", - "rev": "7902ae845e6cc5bd450e510cdf5e009a6e4a44d9", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { - "owner": "matthewcroughan", - "repo": "nixinate", + "owner": "hercules-ci", + "repo": "flake-parts", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1653060744, - "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", + "lastModified": 1691421349, + "narHash": "sha256-RRJyX0CUrs4uW4gMhd/X4rcDG8PTgaaCQM5rXEJOx6g=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dfd82985c273aac6eced03625f454b334daae2e8", + "rev": "011567f35433879aae5024fc6ec53f2a0568a6c4", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-lib": { "locked": { - "lastModified": 1691421349, - "narHash": "sha256-RRJyX0CUrs4uW4gMhd/X4rcDG8PTgaaCQM5rXEJOx6g=", - "owner": "nixos", + "dir": "lib", + "lastModified": 1690881714, + "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "011567f35433879aae5024fc6ec53f2a0568a6c4", + "rev": "9e1960bc196baf6881340d53dccb203a951745a2", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-23.05", + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "nixinate": "nixinate", - "nixpkgs": "nixpkgs_2" + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs" } } }, 
diff --git a/flake.nix b/flake.nix index d7bc07e..4746c2e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,28 +1,54 @@ { inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; - nixinate.url = "github:matthewcroughan/nixinate"; + flake-parts.url = "github:hercules-ci/flake-parts"; }; - outputs = { self, nixpkgs, nixinate }: { - apps = nixinate.nixinate.aarch64-darwin self; - nixosConfigurations = { - nixos-test = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - (import ./machines/nixos-test) + outputs = inputs@{ self, nixpkgs, flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } ({ withSystem, flake-parts-lib, ... }: + let + inherit (flake-parts-lib) importApply; + flakeModules.nixinate = importApply ./nixinate { inherit withSystem; }; + in + { + imports = [ + flakeModules.nixinate + ]; + flake = + let + specialArgs = inputs // { inherit inputs; }; + system = "x86_64-linux"; + in { - _module.args.nixinate = { - host = "10.49.212.3"; - sshUser = "root"; - buildOn = "remote"; - substituteOnTarget = true; - hermetic = false; + inherit flakeModules; + nixosConfigurations = { + nixos-test = nixpkgs.lib.nixosSystem { + system = system; + specialArgs = specialArgs // { inherit system; }; + modules = [ + (import ./machines/nixos-test) + + (import ./modules) + (import ./modules/users) + { + _module.args.nixinate = { + host = "10.49.212.3"; + sshUser = "audron"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; + } + ]; + }; }; - } - # ... other configuration ... + }; + systems = [ + "x86_64-linux" + "x86_64-darwin" + "aarch64-linux" + "aarch64-darwin" ]; - }; - }; - }; + perSystem = { config, ... }: { }; + }); } diff --git a/machines/nixos-test.nix b/machines/nixos-test.nix deleted file mode 100644 index 865d469..0000000 --- a/machines/nixos-test.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - -} 
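Review bot: `system = system;` in the nixos-test definition is the long form of `inherit system;`, and `perSystem = { config, ... }: { };` destructures a `config` it never reads; both read as leftovers rather than intent. The `{ inherit withSystem; }` handed to `importApply ./nixinate` is not consumed either, since the module's `localFlake:` argument is never referenced in nixinate/default.nix in this commit, so either drop the argument or have the module use it. Operationally, this hunk switches `sshUser` from `root` to `audron` while keeping `buildOn = "remote"` and `hermetic = false`, so the generated deploy script now runs `sudo flock … nixos-rebuild` as that user on the target and relies on its sudo rights there (modules/default.nix's `security.sudo.wheelNeedsPassword = false` is visible as context in a later hunk); a short comment next to `sshUser` stating that requirement would help whoever adds the next machine.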
diff --git a/machines/nixos-test/default.nix b/machines/nixos-test/default.nix index 6a83e9a..ce1d9d9 100644 --- a/machines/nixos-test/default.nix +++ b/machines/nixos-test/default.nix @@ -5,7 +5,7 @@ ./hardware-configuration.nix ]; - boot.cleanTmpDir = true; + boot.tmp.cleanOnBoot = true; zramSwap.enable = true; networking.hostName = "default"; networking.domain = ""; diff --git a/modules/default.nix b/modules/default.nix index 7f71fab..f94ece5 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -34,8 +34,10 @@ security.sudo.wheelNeedsPassword = false; services.openssh = { enable = true; - passwordAuthentication = false; - permitRootLogin = "no"; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; }; # CPU diff --git a/modules/nix-settings.nix b/modules/nix-settings.nix index 5219a67..9e2eeb9 100644 --- a/modules/nix-settings.nix +++ b/modules/nix-settings.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, nixpkgs, lib, pkgs, ... }: { environment.etc = { diff --git a/nixinate/default.nix b/nixinate/default.nix new file mode 100644 index 0000000..26cd4d4 --- /dev/null +++ b/nixinate/default.nix @@ -0,0 +1,18 @@ +# The importApply argument. Use this to reference things defined locally, +# as opposed to the flake where this is imported. +localFlake: + +# Regular module arguments; self, inputs, etc all reference the final user flake, +# where this module was imported. +{ lib, config, self, inputs, ... }: +let + lib = inputs.nixpkgs.lib; + generateApps = import ./generate-apps.nix inputs.nixpkgs; +in +{ + flake = { + }; + perSystem = { system, pkgs, ... }: { + apps = generateApps pkgs self; + }; +} diff --git a/nixinate/generate-apps.nix b/nixinate/generate-apps.nix new file mode 100644 index 0000000..6871d04 --- /dev/null +++ b/nixinate/generate-apps.nix 
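Review bot: In nixinate/default.nix, `let lib = inputs.nixpkgs.lib;` shadows the `lib` module argument and neither binding is used afterwards, and `localFlake` (which flake.nix populates with `{ inherit withSystem; }`) and the `system` destructured in `perSystem` are unused as well. The shadowing in particular suggests a deliberate preference for nixpkgs' lib over the one flake-parts passes in, which the code does not actually have; trimming it makes the intent plain: `{ self, inputs, ... }:` followed by `let generateApps = import ./generate-apps.nix inputs.nixpkgs; in`. The empty `flake = { };` can go for the same reason, since the module contributes nothing at flake level.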
@@ -0,0 +1,32 @@
+nixpkgs: pkgs: flake:
+
+let
+ machines = builtins.attrNames flake.nixosConfigurations;
+ validMachines = nixpkgs.lib.remove ""
+ (nixpkgs.lib.forEach machines
+ (x: nixpkgs.lib.optionalString
+ (flake.nixosConfigurations."${x}"._module.args ? nixinate) "${x}"));
+ mkDeployScript = import ./make-deploy-script.nix { inherit nixpkgs pkgs flake; };
+in
+nixpkgs.lib.genAttrs
+ validMachines
+ (x:
+ {
+ type = "app";
+ program = toString (mkDeployScript {
+ machine = x;
+ dryRun = false;
+ });
+ }
+ )
+ // nixpkgs.lib.genAttrs
+ (map (a: a + "-dry-run") validMachines)
+ (x:
+ {
+ type = "app";
+ program = toString (mkDeployScript {
+ machine = nixpkgs.lib.removeSuffix "-dry-run" x;
+ dryRun = true;
+ });
+ }
+ )
diff --git a/nixinate/make-deploy-script.nix b/nixinate/make-deploy-script.nix
new file mode 100644
index 0000000..ab128b3
--- /dev/null
+++ b/nixinate/make-deploy-script.nix
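Review bot: `validMachines` maps every machine to either its name or `""` and then strips the `""` entries, which uses the empty string as a sentinel where a predicate states the intent directly: `validMachines = builtins.filter (x: flake.nixosConfigurations.${x}._module.args ? nixinate) machines;`. The `"${x}"` wrappers around a value that is already a string are redundant for the same reason. Not a defect as written, but worth a comment: the dry-run apps are derived by appending `-dry-run` and recovered with `removeSuffix`, so a pair of machines named (constructed example) `foo` and `foo-dry-run` would both yield an app called `foo-dry-run`, and the right-hand operand of `//` wins without any warning.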
@@ -0,0 +1,45 @@
+{ nixpkgs, pkgs, flake, ... }:
+{ machine, dryRun }:
+let
+ inherit (builtins) abort;
+ inherit (pkgs.lib) getExe optionalString concatStringsSep;
+
+ nix = "${getExe pkgs.nix}";
+ nixos-rebuild = "${getExe pkgs.nixos-rebuild}";
+ openssh = "${getExe pkgs.openssh}";
+ flock = "${getExe pkgs.flock}";
+
+ n = flake.nixosConfigurations.${machine}._module.args.nixinate;
+ hermetic = n.hermetic or true;
+ user = n.sshUser or "root";
+ host = n.host;
+ where = n.buildOn or "remote";
+ remote = if where == "remote" then true else if where == "local" then false else abort "_module.args.nixinate.buildOn is not set to a valid value of 'local' or 'remote'";
+ substituteOnTarget = n.substituteOnTarget or false;
+ switch = if dryRun then "dry-activate" else "switch";
+ nixOptions = concatStringsSep " " (n.nixOptions or [ ]);
+
+ script =
+ ''
+ set -e
+ echo "🚀 Deploying nixosConfigurations.${machine} from ${flake}"
+ echo "👤 SSH User: ${user}"
+ echo "🌐 SSH Host: ${host}"
+ '' + (if remote then ''
+ echo "🚀 Sending flake to ${machine} via nix copy:"
+ ( set -x; ${nix} ${nixOptions} copy ${flake} --to ssh://${user}@${host} )
+ '' + (if hermetic then ''
+ echo "🤞 Activating configuration hermetically on ${machine} via ssh:"
+ ( set -x; ${nix} ${nixOptions} copy --derivation ${nixos-rebuild} ${flock} --to ssh://${user}@${host} )
+ ( set -x; ${openssh} -t ${user}@${host} "sudo nix-store --realise ${nixos-rebuild} ${flock} && sudo ${flock} -w 60 /dev/shm/nixinate-${machine} ${nixos-rebuild} ${nixOptions} ${switch} --flake ${flake}#${machine}" )
+ '' else ''
+ echo "🤞 Activating configuration non-hermetically on ${machine} via ssh:"
+ ( set -x; ${openssh} -t ${user}@${host} "sudo flock -w 60 /dev/shm/nixinate-${machine} nixos-rebuild ${switch} --flake ${flake}#${machine}" )
+ '')
+ else ''
+ echo "🔨 Building system closure locally, copying it to remote store and activating it:"
+ ( set -x; NIX_SSHOPTS="-t" ${flock} -w 60 /dev/shm/nixinate-${machine} 
${nixos-rebuild} ${nixOptions} ${switch} --flake ${flake}#${machine} --target-host ${user}@${host} --use-remote-sudo ${optionalString substituteOnTarget "-s"} )
+
+ '');
+in
+pkgs.writeScript "deploy-${machine}.sh" script
-- cgit v1.2.3
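Review bot: `pkgs.writeScript "deploy-${machine}.sh" script` writes the file without a shebang (the body starts at `set -e`), so running it through `nix run` appears to rely on the execvp ENOEXEC fallback to /bin/sh rather than on a declared interpreter; `pkgs.writeShellScript "deploy-${machine}.sh" script` prepends `#!${pkgs.runtimeShell}` and pins the script to bash. The values interpolated into the shell commands, `${user}`, `${host}`, `${machine}` and `${nixOptions}`, come straight from `_module.args.nixinate` unquoted, so a host string or option containing whitespace or shell metacharacters is split or interpreted instead of passed through; wrapping them in `pkgs.lib.escapeShellArg` at the top of the let block (and using `pkgs.lib.escapeShellArgs (n.nixOptions or [ ])` for the option list) keeps the script robust to whatever the flake author configures. Also, the non-hermetic branch runs `nixos-rebuild ${switch}` on the target without `${nixOptions}` while the hermetic and local branches forward it, which looks like an oversight unless those options are intentionally not passed to the target's own nixos-rebuild; a one-line comment either way would settle it.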