From b5b39d150087386e4861b1cf394567b725dec715 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 12 Jun 2024 09:04:17 +0000
Subject: [PATCH] scripts/deploy: add the equivalent of my "pre-deploy" functionality
---
 scripts/deploy | 87 +++++++++++++++++++++++++++++++++-----------------
 1 file changed, 58 insertions(+), 29 deletions(-)
diff --git a/scripts/deploy b/scripts/deploy
index 98440b9c..22251979 100755
--- a/scripts/deploy
+++ b/scripts/deploy
@@ -8,8 +8,12 @@ usage() {
 echo ""
 echo "usage: deploy [options] [host]"
 echo "options:"
- echo "- --action switch|test"
- echo "- --variant light|min"
+ echo "- --action copy|switch|test (default: 'switch')"
+ echo "- --variant light|min|''|all (default: '')"
+ echo "- --pre: alias for --action copy --variant all all"
+ echo ""
+ echo "common idioms:"
+ echo "deploy all: deploy all hosts, sequentially"
 exit 1
 }
@@ -40,6 +44,11 @@ parseArgs() {
 (crappy|desko|lappy|moby|servo)
 host="$arg"
 ;;
+ (--pre)
+ action=copy
+ host=all
+ variant=all
+ ;;
 (*)
 nixArgs+=("$arg")
 ;;
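Review bot: The host arm visible in the `parseArgs` hunk still matches only `(crappy|desko|lappy|moby|servo)`, while the usage text added by this commit documents `deploy all`. Unless `all` is handled in a part of `parseArgs` outside the hunk, a bare `all` falls through to `(*)` and is appended to `nixArgs` instead of setting `host`; extending the pattern to `(all|crappy|desko|lappy|moby|servo)` would make the documented idiom work. The new `(--pre)` arm also assigns `action`, `host` and `variant` unconditionally, so its effect depends on its position relative to a host argument or `--variant`; a comment such as `# later arguments override the values set by --pre` would make that explicit.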
@@ -57,33 +66,53 @@ runOnTarget() {
 fi
 }
+# deployOneHost $host $variant
+deployOneHost() {
+ local host="$1"
+ local variant="$2"
+
+ nix-build -A "hosts.$host$variant" --out-link "./build/result-$host$variant" "${nixArgs[@]}"
+ storePath="$(readlink ./build/result-$host$variant)"
+
+ # mimic `nixos-rebuild --target-host`, in effect:
+ # - nix-copy-closure ...
+ # - nix-env --set ...
+ # - switch-to-configuration
+ # avoid the actual `nixos-rebuild` for a few reasons:
+ # - fewer nix evals
+ # - more introspectability and debuggability
+ # - sandbox friendliness (especially: `git` doesn't have to be run as root)
+
+ if [ -n "$host" ]; then
+ if [ -e /run/secrets/nix_signing_key ]; then
+ sudo nix store sign -r -k /run/secrets/nix_signing_key "$storePath"
+ else
+ echo "not signing store paths: /run/secrets/nix_signing_key does not exist"
+ fi
+ # add more `-v` for more verbosity (up to 5).
+ # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
+ # we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
+ nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$host" "$storePath"
+ fi
+
+ if [ -n "$action" ] && [ "$action" != "copy" ]; then
+ runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
+ runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action"
+ fi
+}
+
 parseArgs "$@"
-nix-build -A "hosts.$host$variant" --out-link "./build/result-$host$variant" "${nixArgs[@]}"
-storePath="$(readlink ./build/result-$host$variant)"
-
-# mimic `nixos-rebuild --target-host`, in effect:
-# - nix-copy-closure ...
-# - nix-env --set ...
-# - switch-to-configuration
-# avoid the actual `nixos-rebuild` for a few reasons:
-# - fewer nix evals
-# - more introspectability and debuggability
-# - sandbox friendliness (especially: `git` doesn't have to be run as root)
-
-if [ -n "$host" ]; then
- if [ -e /run/secrets/nix_signing_key ]; then
- sudo nix store sign -r -k /run/secrets/nix_signing_key "$storePath"
- else
- echo "not signing store paths: /run/secrets/nix_signing_key does not exist"
- fi
- # add more `-v` for more verbosity (up to 5).
- # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
- # we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
- nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$host" "$storePath"
-fi
-
-if [ -n "$action" ]; then
- runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
- runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action"
+if [ "$host" = "all" ]; then
+ for host in moby lappy crappy servo desko; do
+ if [ "$variant" = "all" ]; then
+ for variant in -min -light ""; do
+ deployOneHost "$host" "$variant"
+ done
+ else
+ deployOneHost "$host" "$variant"
+ fi
+ done
+else
+ deployOneHost "$host" "variant"
 fi
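Review bot: The single-host branch at the end of this hunk passes the literal string in `deployOneHost "$host" "variant"`, so it builds `hosts.<host>variant` instead of the requested variant; it should read `deployOneHost "$host" "$variant"`. In the all-hosts branch the inner `for variant in -min -light ""` overwrites the same global that the `[ "$variant" = "all" ]` test reads. After the first host `$variant` is empty, so the remaining hosts only get the default variant; a separate loop variable, `for v in -min -light ""; do deployOneHost "$host" "$v"; done`, avoids that. Inside `deployOneHost` the exit status of `nix-build` is not checked before `readlink`. Unless the script enables `set -e` above the visible lines, a failed build leaves a stale `./build/result-…` link whose target is then signed with `/run/secrets/nix_signing_key` and copied or activated, so the function should return on build failure, declare `storePath` local and quote the `readlink` argument.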