flake: implement "deploy.self" app as replacement for nixos-rebuild switch

2024-02-14 13:45:15 +00:00 · 2024-02-14 13:45:15 +00:00 · b747742e23
parent 5907d9fa42
commit b747742e23
1 changed files with 34 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -257,26 +257,41 @@
          pkgs = self.legacyPackages."x86_64-linux";
          sanePkgs = import ./pkgs { inherit pkgs; };
          deployScript = host: addr: action: pkgs.writeShellScript "deploy-${host}" ''
-            nix build '.#nixosConfigurations.${host}.config.system.build.toplevel' --out-link ./result-${host} "$@"
-            storePath="$(readlink ./result-${host})"
-            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey "$storePath"
+            host="${host}"
+            addr="${addr}"
+            action="${action}"
+            runOnTarget() {
+              # run the command ($@) on the machine we're deploying to.
+              # if that's a remote machine, then do it via ssh, else local shell.
+              if [ -n "$addr" ]; then
+                ssh "$addr" "$@"
+              else
+                "$@"
+              fi
+            }

-            # N.B.: `--fast` option here is critical to cross-compiled deployments: without it the build machine will try to invoke the host machine's `nix` binary.
-            # nixos-rebuild --flake '.#${host}' <action> --target-host colin@${addr} --use-remote-sudo "$@" --fast
-            # instead of `nixos-rebuild --target-host`, recreate its main parts in-line, below.
-            # the benefit is fewer nix evals, and more granularity for debugging/tweaking.
-            # `nixos-rebuild --target-host` effectively does:
+            nix build ".#nixosConfigurations.$host.config.system.build.toplevel" --out-link "./result-$host" "$@"
+            storePath="$(readlink ./result-$host)"
+
+            # mimic `nixos-rebuild --target-host`, in effect:
            # - nix-copy-closure ...
            # - nix-env --set ...
            # - switch-to-configuration <boot|dry-activate|switch|test|>
+            # avoid the actual `nixos-rebuild` for a few reasons:
+            # - fewer nix evals
+            # - more introspectability and debuggability
+            # - sandbox friendliness (especially: `git` doesn't have to be run as root)

-            # add more `-v` for more verbosity (up to 5).
-            # i copy the closure here separately from the nixos-rebuild mostly for the sake of introspectability.
-            nix-copy-closure -v --gzip --to '${addr}' "$storePath"
-            ${pkgs.lib.optionalString (action != null) ''
-              ssh '${addr}' sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
-              ssh '${addr}' sudo "$storePath/bin/switch-to-configuration" '${action}'
-            ''}
+            if [ -n "$addr" ]; then
+              sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey "$storePath"
+              # add more `-v` for more verbosity (up to 5).
+              nix-copy-closure -v --gzip --to "$addr" "$storePath"
+            fi
+
+            if [ -n "$action" ]; then
+              runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath"
+              runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action"
+            fi
          '';
          deployApp = host: addr: action: {
            type = "app";
@ -391,6 +406,10 @@
            moby-light  = deployApp "moby-light"  "moby"  "switch";
            moby-test   = deployApp "moby"        "moby"  "test";
            servo       = deployApp "servo"       "servo" "switch";
+
+            # like `nixos-rebuild --flake . switch`
+            self        = deployApp "$(hostname)" ""      "switch";
+
            type = "app";
            program = builtins.toString (pkgs.writeShellScript "deploy-all" ''
              nix run '.#deploy.lappy'