From a4365be29f1b10696e7c35da6d8cd253bd51aeaf Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 25 Sep 2023 21:39:50 +0200
Subject: [PATCH] feat: remove colmena, add own lightweight deploy script

---
 README.md | 2 +-
 flake.lock | 78 +++------------------
 flake.nix | 15 +---
 modules/config/nix.nix | 4 +-
 modules/optional/dev/default.nix | 5 +-
 nix/hosts.nix | 15 -----
 pkgs/default.nix | 1 +
 pkgs/deploy.nix | 112 +++++++++++++++++++++++++++++++
 8 files changed, 132 insertions(+), 100 deletions(-)
 create mode 100644 pkgs/deploy.nix

diff --git a/README.md b/README.md
index cb76de9..286fbb9 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ Afterwards:
 - Retrieve the new host identity by using `ssh-keyscan | grep -o 'ssh-ed25519.*' > hosts//secrets/host.pub`
 - (If the host has microvms, also retrieve their identities!)
 - Rekey the secrets for the new identity `nix run .#rekey`
-- Deploy again remotely via colmena
+- Deploy again
 
 #### Remote encrypted unlock
 
diff --git a/flake.lock b/flake.lock
index 9d95575..e613d5c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -83,34 +83,9 @@
         "type": "github"
       }
     },
-    "colmena": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "stable": "stable"
-      },
-      "locked": {
-        "lastModified": 1693920448,
-        "narHash": "sha256-BZtC7hZVt2BwM0LIypZ2jqNhVUeHAthbd9/jkUn5PhU=",
-        "owner": "oddlama",
-        "repo": "colmena",
-        "rev": "e6144983a262f2ac7c34d0c9c5ea3b5bcff2ab92",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oddlama",
-        "repo": "colmena",
-        "type": "github"
-      }
-    },
     "crane": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils",
         "nixpkgs": [
           "elewrap",
@@ -281,11 +256,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
@@ -311,22 +286,6 @@
       }
     },
     "flake-compat_4": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_5": {
       "locked": {
         "lastModified": 1688025799,
         "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@@ -341,7 +300,7 @@
         "type": "github"
       }
     },
-    "flake-compat_6": {
+    "flake-compat_5": {
       "flake": false,
       "locked": {
         "lastModified": 1673956053,
@@ -357,7 +316,7 @@
         "type": "github"
       }
     },
-    "flake-compat_7": {
+    "flake-compat_6": {
       "flake": false,
       "locked": {
         "lastModified": 1673956053,
@@ -830,7 +789,7 @@
     },
     "nixpkgs-wayland": {
       "inputs": {
-        "flake-compat": "flake-compat_5",
+        "flake-compat": "flake-compat_4",
         "lib-aggregate": "lib-aggregate",
         "nix-eval-jobs": "nix-eval-jobs",
         "nixpkgs": [
@@ -920,7 +879,7 @@
     },
     "pre-commit-hooks_2": {
       "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
         "flake-utils": [
           "elewrap",
           "flake-utils"
@@ -948,7 +907,7 @@
     },
     "pre-commit-hooks_3": {
       "inputs": {
-        "flake-compat": "flake-compat_6",
+        "flake-compat": "flake-compat_5",
         "flake-utils": [
           "flake-utils"
         ],
@@ -976,7 +935,6 @@
       "inputs": {
         "agenix": "agenix",
         "agenix-rekey": "agenix-rekey",
-        "colmena": "colmena",
         "devshell": "devshell_2",
         "disko": "disko",
         "elewrap": "elewrap",
@@ -1024,26 +982,10 @@
         "type": "github"
       }
     },
-    "stable": {
-      "locked": {
-        "lastModified": 1669735802,
-        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-22.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "stylix": {
       "inputs": {
         "base16": "base16",
-        "flake-compat": "flake-compat_7",
+        "flake-compat": "flake-compat_6",
         "home-manager": [
           "home-manager"
         ],
diff --git a/flake.nix b/flake.nix
index 56ce765..ddd57b5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,12 +14,6 @@
       inputs.flake-utils.follows = "flake-utils";
     };
 
-    colmena = {
-      url = "github:oddlama/colmena";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-
     devshell = {
       url = "github:numtide/devshell";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -103,7 +97,6 @@
   outputs = {
     self,
     agenix-rekey,
-    colmena,
     devshell,
     flake-utils,
     nixos-generators,
@@ -135,7 +128,6 @@
       inherit
         (import ./nix/hosts.nix inputs)
-        colmena
         hosts
         microvmConfigurations
         nixosConfigurations
@@ -207,14 +199,13 @@
       # `nix develop`
       devShells.default = pkgs.devshell.mkShell {
         name = "nix-config";
-        packages = with pkgs; [
-          faketty # Used in my colmena patch to show progress, XXX: should theoretically be propagated automatically from the patch....
-          nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+        packages = [
+          pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
         ];
         commands = [
           {
-            package = colmena.packages.${system}.colmena;
+            package = pkgs.deploy;
             help = "Build and deploy this nix config to nodes";
           }
           {
diff --git a/modules/config/nix.nix b/modules/config/nix.nix
index 087260d..22573fd 100644
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@@ -4,7 +4,7 @@
   ...
 }: {
   environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
-    assert builtins.trace "This is a dummy config, use colmena!" false;
+    assert builtins.trace "This is a dummy config, please deploy via the flake!" false;
     {
     }
   '';
@@ -12,7 +12,7 @@
     settings = {
       auto-optimise-store = true;
       allowed-users = ["@wheel"];
-      trusted-users = ["root" "@wheel"];
+      trusted-users = ["root"];
       substituters = [
         "https://cache.nixos.org"
         "https://nix-community.cachix.org"
diff --git a/modules/optional/dev/default.nix b/modules/optional/dev/default.nix
index c88ebf8..4300169 100644
--- a/modules/optional/dev/default.nix
+++ b/modules/optional/dev/default.nix
@@ -11,6 +11,7 @@
   environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix];
   environment.enableDebugInfo = true;
 
-  # XXX: TODO reenable once https://github.com/symphorien/nixseparatedebuginfod/issues/11 is answered
-  services.nixseparatedebuginfod.enable = false;
+
+  services.nixseparatedebuginfod.enable = true;
+  nix.settings.allowed-users = ["nixseparatedebuginfod"];
 }
diff --git a/nix/hosts.nix b/nix/hosts.nix
index cdd3777..f51cf46 100644
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -11,8 +11,6 @@ inputs: let
     nixosSystem
     ;
 
-  mapNixosConfigs = f: mapAttrs (_: f) self.nixosConfigurations;
-
   # Creates a new nixosSystem with the correct specialArgs, pkgs and name definition
   mkHost = name: system: let
     pkgs = self.pkgs.${system};
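Review bot: Narrowing `trusted-users` to `["root"]` in the second nix.nix hunk is sound hardening (the Nix manual notes that trusted users can effectively gain root through the daemon), but it changes what the new pkgs/deploy.nix script needs: `nix copy --to ssh-ng://$host` only accepts unsigned store paths when the remote SSH user is a trusted user, so after this commit deployments must log in as root or the pushed paths must carry a signature listed in the hosts' `trusted-public-keys`. Which user `ssh "$host"` resolves to is not visible here (it presumably comes from ssh config), so the assumption is worth recording next to the setting: `# Only root is trusted; the deploy script pushes unsigned closures over ssh-ng, so it must connect as root.`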
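Review bot: `nix.settings.allowed-users = ["nixseparatedebuginfod"]` in the dev module is a second definition of a list that modules/config/nix.nix sets to `["@wheel"]`; NixOS merges list-typed `nix.settings` options, so both end up in effect, but a reader of this module alone cannot see that. A one-line comment would make the intent explicit: `# Merged with the allowed-users list in modules/config/nix.nix; presumably needed so the debuginfod service user can talk to the daemon.` The removed XXX note pointed at an upstream issue as the reason the service was disabled; the commit does not say why re-enabling is now fine, and a short "fixed upstream"-style remark in the commit message would help the next reader.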
@@ -49,18 +47,6 @@ inputs: let
   # Process each nixosHosts declaration and generatea nixosSystem definitions
   nixosConfigurations = flip mapAttrs nixosHosts (name: hostCfg: mkHost name hostCfg.system);
 
-  # We now wrap nixosConfigurations so that colmena understands it
-  colmena =
-    {
-      meta = {
-        # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
-        nixpkgs = self.pkgs.x86_64-linux;
-        nodeNixpkgs = mapNixosConfigs (v: v.pkgs);
-        nodeSpecialArgs = mapNixosConfigs (v: v._module.specialArgs);
-      };
-    }
-    // mapNixosConfigs (v: {imports = v._module.args.modules;});
-
   # True NixOS nodes can define additional microvms (guest nodes) that are built
   # together with the true host. We collect all defined microvm nodes
   # from each node here to allow accessing any node via the unified attribute `nodes`.
@@ -70,7 +56,6 @@ inputs: let
       (node.config.meta.microvms.vms or {}));
 in {
   inherit
-    colmena
     hosts
     microvmConfigurations
     nixosConfigurations
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 3cb2418..e6cd67e 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -2,6 +2,7 @@
   (import ./caddy.nix)
   (import ./oauth2-proxy)
   (_self: super: {
+    deploy = super.callPackage ./deploy.nix {};
     git-fuzzy = super.callPackage ./git-fuzzy {};
     kanidm-secret-manipulator = super.callPackage ./kanidm-secret-manipulator.nix {};
     segoe-ui-ttf = super.callPackage ./segoe-ui-ttf.nix {};
diff --git a/pkgs/deploy.nix b/pkgs/deploy.nix
new file mode 100644
index 0000000..4dbf326
--- /dev/null
+++ b/pkgs/deploy.nix
@@ -0,0 +1,112 @@
+{
+  writeShellApplication,
+  bc,
+}: let
+  deploy = writeShellApplication {
+    name = "deploy";
+    text = ''
+      set -euo pipefail
+      shopt -s lastpipe # allow cmd | readarray
+
+      function die() { echo "error: $*" >&2; exit 1; }
+      function show_help() {
+        echo 'Usage: deploy [OPTIONS] [ACTION]'
+        echo "Builds, pushes and activates nixosConfigurations on target systems."
+        echo ""
+        echo 'ACTION:'
+        echo ' switch [default] Switch immediately to the new configuration and make it the boot default'
+        echo ' boot Make the configuration the new boot default'
+        echo " test Activate the configuration but don't make it the boot default"
+        echo " dry-activate Don't activate, just show what would be done"
+        echo ""
+        echo 'OPTIONS: [passed to nix build]'
+      }
+
+      function time_start() {
+        T_START=$(date +%s.%N)
+      }
+
+      function time_next() {
+        T_END=$(date +%s.%N)
+        T_LAST=$(${bc}/bin/bc <<< "scale=1; ($T_END - $T_START)/1")
+        T_START="$T_END"
+      }
+
+      USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) \
+        || die "Could not determine current working directory. Something went very wrong."
+      [[ -e "$USER_FLAKE_DIR/flake.nix" ]] \
+        || die "Could not determine location of your project's flake.nix. Please run this at or below your main directory containing the flake.nix."
+      cd "$USER_FLAKE_DIR"
+
+      [[ $# -gt 0 ]] || {
+        show_help
+        exit 1
+      }
+
+      OPTIONS=()
+      POSITIONAL_ARGS=()
+      while [[ $# -gt 0 ]]; do
+        case "$1" in
+          "help"|"--help"|"-help"|"-h")
+            show_help
+            exit 1
+            ;;
+
+          -*) OPTIONS+=("$1") ;;
+          *) POSITIONAL_ARGS+=("$1") ;;
+        esac
+        shift
+      done
+
+      [[ ''${#POSITIONAL_ARGS[@]} -ge 1 ]] \
+        || die "Missing argument: "
+      [[ ''${#POSITIONAL_ARGS[@]} -le 2 ]] \
+        || die "Too many arguments given."
+
+      tr , '\n' <<< "''${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
+      ACTION="''${POSITIONAL_ARGS[1]-switch}"
+
+      # Expand flake paths for hosts definitions
+      declare -A TOPLEVEL_FLAKE_PATHS
+      for host in "''${HOSTS[@]}"; do
+        TOPLEVEL_FLAKE_PATHS["$host"]=".#nixosConfigurations.$host.config.system.build.toplevel"
+      done
+
+      time_start
+      #echo " Building 📦 ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s)"
+      #nix build --no-link "''${TOPLEVEL_FLAKE_PATHS[@]}" "''${OPTIONS[@]}" \
+      # || die "Failed to build derivations"
+      #time_next
+      #echo " Built ✅ ''${#TOPLEVEL_FLAKE_PATHS[*]} configuration(s) in ''${T_LAST}s"
+
+      # Get outputs of all derivations (should be cached)
+      declare -A TOPLEVEL_STORE_PATHS
+      for host in "''${HOSTS[@]}"; do
+        toplevel="''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+        echo " Building 📦 configuration for $host"
+        TOPLEVEL_STORE_PATHS["$host"]=$(nix build --no-link --print-out-paths "''${OPTIONS[@]}" "$toplevel") \
+          || die "Failed to get derivation path for $host from ''${TOPLEVEL_FLAKE_PATHS["$host"]}"
+        time_next
+        echo " Built ✅ configuration for $host in ''${T_LAST}s"
+      done
+
+      for host in "''${HOSTS[@]}"; do
+        store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+        echo " Copying ➡️ to $host"
+        nix copy --to "ssh-ng://$host" "$store_path"
+        time_next
+        echo " Copied ✅ $store_path to $host in ''${T_LAST}s"
+      done
+
+      for host in "''${HOSTS[@]}"; do
+        store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
+        echo " Applying ⚙️ on $host"
+        ssh "$host" -- "$store_path"/bin/switch-to-configuration "$ACTION"
+        nix copy --to "ssh-ng://$host" "$store_path"
+        time_next
+        echo " Applied ✅ on $host in ''${T_LAST}s"
+      done
+    '';
+  };
+in
+  deploy
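Review bot: The final "Applying" loop runs `nix copy --to "ssh-ng://$host" "$store_path"` a second time directly after `switch-to-configuration`, which looks like a leftover from the copy loop above it; the closure is already on the host by then, so the line only adds time to every deploy and should be removed. The second positional argument is also handed to `switch-to-configuration` unchecked, so a mistyped action is only rejected by the remote script after the build and copy have completed; validating it right after it is read keeps the failure local and matches the four actions listed in show_help: `case "$ACTION" in switch|boot|test|dry-activate) ;; *) die "Unknown action: $ACTION" ;; esac`. Note that `die "Missing argument: "` prints nothing after the colon; if a placeholder like `<hosts>` was lost, the message should name what is expected. Since `switch-to-configuration` and an unsigned `nix copy` both require root or a trusted user on the target, a comment at the top of the script stating which SSH user the hostnames are expected to resolve to would make that precondition visible to the next operator.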