feat: remove colmena, add own lightweight deploy script

2025-10-10 14:50:40 +02:00 · 2023-09-25 21:39:50 +02:00 · 2023-09-25 21:39:50 +02:00 · a4365be29f
commit a4365be29f
parent b705d8266f
8 changed files with 132 additions and 100 deletions
--- a/README.md
+++ b/README.md
@ -82,7 +82,7 @@ Afterwards:
 - Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ssh-ed25519.*' > hosts/<host>/secrets/host.pub`
 - (If the host has microvms, also retrieve their identities!)
 - Rekey the secrets for the new identity `nix run .#rekey`
- Deploy again remotely via colmena
+- Deploy again

 #### Remote encrypted unlock

--- a/flake.lock
+++ b/flake.lock
@ -83,34 +83,9 @@
        "type": "github"
      }
    },
-    "colmena": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "stable": "stable"
-      },
-      "locked": {
-        "lastModified": 1693920448,
-        "narHash": "sha256-BZtC7hZVt2BwM0LIypZ2jqNhVUeHAthbd9/jkUn5PhU=",
-        "owner": "oddlama",
-        "repo": "colmena",
-        "rev": "e6144983a262f2ac7c34d0c9c5ea3b5bcff2ab92",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oddlama",
-        "repo": "colmena",
-        "type": "github"
-      }
-    },
    "crane": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "elewrap",
@ -281,11 +256,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -311,22 +286,6 @@
      }
    },
    "flake-compat_4": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_5": {
      "locked": {
        "lastModified": 1688025799,
        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@ -341,7 +300,7 @@
        "type": "github"
      }
    },
-    "flake-compat_6": {
+    "flake-compat_5": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -357,7 +316,7 @@
        "type": "github"
      }
    },
-    "flake-compat_7": {
+    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -830,7 +789,7 @@
    },
    "nixpkgs-wayland": {
      "inputs": {
-        "flake-compat": "flake-compat_5",
+        "flake-compat": "flake-compat_4",
        "lib-aggregate": "lib-aggregate",
        "nix-eval-jobs": "nix-eval-jobs",
        "nixpkgs": [
@ -920,7 +879,7 @@
    },
    "pre-commit-hooks_2": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "flake-utils": [
          "elewrap",
          "flake-utils"
@ -948,7 +907,7 @@
    },
    "pre-commit-hooks_3": {
      "inputs": {
-        "flake-compat": "flake-compat_6",
+        "flake-compat": "flake-compat_5",
        "flake-utils": [
          "flake-utils"
        ],
@ -976,7 +935,6 @@
      "inputs": {
        "agenix": "agenix",
        "agenix-rekey": "agenix-rekey",
-        "colmena": "colmena",
        "devshell": "devshell_2",
        "disko": "disko",
        "elewrap": "elewrap",
@ -1024,26 +982,10 @@
        "type": "github"
      }
    },
-    "stable": {
-      "locked": {
-        "lastModified": 1669735802,
-        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-22.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "stylix": {
      "inputs": {
        "base16": "base16",
-        "flake-compat": "flake-compat_7",
+        "flake-compat": "flake-compat_6",
        "home-manager": [
          "home-manager"
        ],
--- a/flake.nix
+++ b/flake.nix
@ -14,12 +14,6 @@
      inputs.flake-utils.follows = "flake-utils";
    };

-    colmena = {
-      url = "github:oddlama/colmena";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-
    devshell = {
      url = "github:numtide/devshell";
      inputs.nixpkgs.follows = "nixpkgs";
@ -103,7 +97,6 @@
  outputs = {
    self,
    agenix-rekey,
-    colmena,
    devshell,
    flake-utils,
    nixos-generators,
@ -135,7 +128,6 @@

      inherit
        (import ./nix/hosts.nix inputs)
-        colmena
        hosts
        microvmConfigurations
        nixosConfigurations
@ -207,14 +199,13 @@
      # `nix develop`
      devShells.default = pkgs.devshell.mkShell {
        name = "nix-config";
-        packages = with pkgs; [
-          faketty # Used in my colmena patch to show progress, XXX: should theoretically be propagated automatically from the patch....
-          nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+        packages = [
+          pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
        ];

        commands = [
          {
-            package = colmena.packages.${system}.colmena;
+            package = pkgs.deploy;
            help = "Build and deploy this nix config to nodes";
          }
          {
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@ -4,7 +4,7 @@
  ...
 }: {
  environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
-    assert builtins.trace "This is a dummy config, use colmena!" false;
+    assert builtins.trace "This is a dummy config, please deploy via the flake!" false;
    { }
  '';

@ -12,7 +12,7 @@
    settings = {
      auto-optimise-store = true;
      allowed-users = ["@wheel"];
-      trusted-users = ["root" "@wheel"];
+      trusted-users = ["root"];
      substituters = [
        "https://cache.nixos.org"
        "https://nix-community.cachix.org"
--- a/modules/optional/dev/default.nix
+++ b/modules/optional/dev/default.nix
@ -11,6 +11,7 @@

  environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix];
  environment.enableDebugInfo = true;
-  # XXX: TODO reenable once https://github.com/symphorien/nixseparatedebuginfod/issues/11 is answered
-  services.nixseparatedebuginfod.enable = false;
+
+  services.nixseparatedebuginfod.enable = true;
+  nix.settings.allowed-users = ["nixseparatedebuginfod"];
 }
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -11,8 +11,6 @@ inputs: let
    nixosSystem
    ;

-  mapNixosConfigs = f: mapAttrs (_: f) self.nixosConfigurations;
-
  # Creates a new nixosSystem with the correct specialArgs, pkgs and name definition
  mkHost = name: system: let
    pkgs = self.pkgs.${system};
@ -49,18 +47,6 @@ inputs: let
  # Process each nixosHosts declaration and generatea nixosSystem definitions
  nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system);

-  # We now wrap nixosConfigurations so that colmena understands it
-  colmena =
-    {
-      meta = {
-        # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
-        nixpkgs = self.pkgs.x86_64-linux;
-        nodeNixpkgs = mapNixosConfigs (v: v.pkgs);
-        nodeSpecialArgs = mapNixosConfigs (v: v._module.specialArgs);
-      };
-    }
-    // mapNixosConfigs (v: {imports = v._module.args.modules;});
-
  # True NixOS nodes can define additional microvms (guest nodes) that are built
  # together with the true host. We collect all defined microvm nodes
  # from each node here to allow accessing any node via the unified attribute `nodes`.
@ -70,7 +56,6 @@ inputs: let
    (node.config.meta.microvms.vms or {}));
 in {
  inherit
-    colmena
    hosts
    microvmConfigurations
    nixosConfigurations
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -2,6 +2,7 @@
  (import ./caddy.nix)
  (import ./oauth2-proxy)
  (_self: super: {
+    deploy = super.callPackage ./deploy.nix {};
    git-fuzzy = super.callPackage ./git-fuzzy {};
    kanidm-secret-manipulator = super.callPackage ./kanidm-secret-manipulator.nix {};
    segoe-ui-ttf = super.callPackage ./segoe-ui-ttf.nix {};
--- a/pkgs/deploy.nix
+++ b/pkgs/deploy.nix
@ -0,0 +1,112 @@
+{
+  writeShellApplication,
+  bc,
+}: let
+  deploy = writeShellApplication {
+    name = "deploy";
+    text = ''
+      set -euo pipefail
+      shopt -s lastpipe # allow cmd | readarray
+
+      function die() { echo "error: $*" >&2; exit 1; }
+      function show_help() {
+        echo 'Usage: deploy [OPTIONS] <host,...> [ACTION]'
+        echo "Builds, pushes and activates nixosConfigurations on target systems."
+        echo ""
+        echo 'ACTION:'
+        echo '  switch          [default] Switch immediately to the new configuration and make it the boot default'
+        echo '  boot            Make the configuration the new boot default'
+        echo "  test            Activate the configuration but don't make it the boot default"
+        echo "  dry-activate    Don't activate, just show what would be done"
+        echo ""
+        echo 'OPTIONS: [passed to nix build]'
+      }
+
+      function time_start() {
+        T_START=$(date +%s.%N)
+      }
+
+      function time_next() {
+        T_END=$(date +%s.%N)
+        T_LAST=$(${bc}/bin/bc <<< "scale=1; ($T_END - $T_START)/1")
+        T_START="$T_END"
+      }
+
+      USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) \
+        || die "Could not determine current working directory. Something went very wrong."
+      [[ -e "$USER_FLAKE_DIR/flake.nix" ]] \
+        || die "Could not determine location of your project's flake.nix. Please run this at or below your main directory containing the flake.nix."
+      cd "$USER_FLAKE_DIR"
+
+      [[ $# -gt 0 ]] || {
+        show_help
+        exit 1
+      }
+
+      OPTIONS=()
+      POSITIONAL_ARGS=()
+      while [[ $# -gt 0 ]]; do
+        case "$1" in
+          "help"|"--help"|"-help"|"-h")
+            show_help
+            exit 1
+            ;;
+
+          -*) OPTIONS+=("$1") ;;
+          *) POSITIONAL_ARGS+=("$1") ;;
+        esac
+        shift
+      done
+
+      [[ ''${#POSITIONAL_ARGS[@]} -ge 1 ]] \
+        || die "Missing argument: <hosts...>"
+      [[ ''${#POSITIONAL_ARGS[@]} -le 2 ]] \
+        || die "Too many arguments given."
+
+      tr , '\n' <<< "''${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
+      ACTION="''${POSITIONAL_ARGS[1]-switch}"
+
+      # Expand flake paths for hosts definitions
+      declare -A TOPLEVEL_FLAKE_PATHS
+      for host in "''${HOSTS[@]}"; do
+        TOPLEVEL_FLAKE_PATHS["$host"]=".#nixosConfigurations.$host.config.system.build.toplevel"
+      done
+
+      time_start
+      #echo "[1;36m    Building [m📦 ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s)"
+      #nix build --no-link "''${TOPLEVEL_FLAKE_PATHS[@]}" "''${OPTIONS[@]}" \
+      #  || die "Failed to build derivations"
+      #time_next
+      #echo "[1;32m       Built [m✅ ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s) [90min ''${T_LAST}s[m"
+
+      # Get outputs of all derivations (should be cached)
+      declare -A TOPLEVEL_STORE_PATHS
+      for host in "''${HOSTS[@]}"; do
+        toplevel="''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+        echo "[1;36m    Building [m📦 configuration for [34m$host[m"
+        TOPLEVEL_STORE_PATHS["$host"]=$(nix build --no-link --print-out-paths "''${OPTIONS[@]}" "$toplevel") \
+          || die "Failed to get derivation path for $host from ''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+        time_next
+        echo "[1;32m       Built [m✅ configuration for [34m$host[m [90min ''${T_LAST}s[m"
+      done
+
+      for host in "''${HOSTS[@]}"; do
+        store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+        echo "[1;36m     Copying [m➡️ to [34m$host[m"
+        nix copy --to "ssh-ng://$host" "$store_path"
+        time_next
+        echo "[1;32m      Copied [m✅ [33m$store_path[m to [34m$host[m [90min ''${T_LAST}s[m"
+      done
+
+      for host in "''${HOSTS[@]}"; do
+        store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+        echo "[1;36m    Applying [m⚙️ on [34m$host[m"
+        ssh "$host" -- "$store_path"/bin/switch-to-configuration "$ACTION"
+        nix copy --to "ssh-ng://$host" "$store_path"
+        time_next
+        echo "[1;32m     Applied [m✅ on [34m$host[m [90min ''${T_LAST}s[m"
+      done
+    '';
+  };
+in
+  deploy