kiara/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

factor out ssh deployment to make for reusable invocation

Browse source
This commit is contained in:
Kiara Grouwstra 2025-08-30 19:24:50 +02:00
parent cc66348444
commit ca5d7f1909
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
11 changed files with 246 additions and 90 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
deployment/check/basic/constants.nix
View file

@ -4,6 +4,6 @@
"cowsay" "cowsay"
]; ];
pathToRoot = ../../..; pathToRoot = ../../..;
pathFromRoot = ./.; pathFromRoot = "/deployment/check/data-model-ssh";
useFlake = true; useFlake = true;
} }

2
deployment/check/cli/constants.nix
View file

@ -6,7 +6,7 @@
"pixelfed" "pixelfed"
]; ];
pathToRoot = ../../..; pathToRoot = ../../..;
pathFromRoot = ./.; pathFromRoot = "/deployment/check/data-model-ssh";
enableAcme = true; enableAcme = true;
useFlake = true; useFlake = true;
} }

49
deployment/check/common/data-model.nix
View file

@ -1,17 +1,21 @@
{ {
config, config,
system, system,
inputs ? (import ../../../default.nix { }).inputs, inputs ? (import ../../../default.nix { }).inputs, # XXX can't be serialized
sources ? import ../../../npins, sources ? import ../../../npins,
... ...
}: }@args:
let let
# self = ./data-model.nix;
self = "deployment/check/common/data-model.nix";
# args = { inherit config system inputs sources; };
# self args
inherit (sources) nixpkgs; inherit (sources) nixpkgs;
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
inherit (pkgs) lib; inherit (pkgs) lib;
deployment-config = config; deployment-config = config;
inherit (deployment-config) nodeName; inherit (deployment-config) nodeName pathToRoot;
inherit (lib) mkOption types; inherit (lib) mkOption types;
eval = eval =
module: module:
@ -124,17 +128,26 @@ let
{ {
single-nixos-vm-ssh = environment: { single-nixos-vm-ssh = environment: {
resources."operator-environment".login-shell.username = "operator"; resources."operator-environment".login-shell.username = "operator";
implementation = requests: { implementation =
input = requests; {
output.ssh-host = { required-resources,
nixos-configuration = mkNixosConfiguration environment requests; deployment-name,
ssh = { root-path,
username = "root"; }:
host = nodeName; {
key-file = null; input = required-resources;
output.ssh-host = {
nixos-configuration = mkNixosConfiguration environment required-resources;
ssh = {
username = "root";
host = nodeName;
key-file = null;
};
module = self;
inherit args deployment-name root-path;
# deployment-name = "";
}; };
}; };
};
}; };
single-nixos-vm-nixops4 = environment: { single-nixos-vm-nixops4 = environment: {
resources."operator-environment".login-shell.username = "operator"; resources."operator-environment".login-shell.username = "operator";
@ -175,7 +188,11 @@ let
in in
mkOption { mkOption {
type = env.resource-mapping.output-type; type = env.resource-mapping.output-type;
default = env.deployment config."example-configuration"; default = env.deployment {
deployment-name = "ssh-deployment";
configuration = config."example-configuration";
root-path = pathToRoot;
};
}; };
"nixops4-deployment" = "nixops4-deployment" =
let let
@ -183,7 +200,11 @@ let
in in
mkOption { mkOption {
type = env.resource-mapping.output-type; type = env.resource-mapping.output-type;
default = env.deployment config."example-configuration"; default = env.deployment {
deployment-name = "nixops4-deployment";
configuration = config."example-configuration";
root-path = pathToRoot;
};
}; };
}; };
} }

3
deployment/check/common/sharedOptions.nix
View file

@ -32,11 +32,10 @@ in
}; };
pathFromRoot = mkOption { pathFromRoot = mkOption {
type = types.path; type = types.str;
description = '' description = ''
Path from the root of the repository to the working directory. Path from the root of the repository to the working directory.
''; '';
apply = x: lib.path.removePrefix config.pathToRoot x;
}; };
pathToCwd = mkOption { pathToCwd = mkOption {

2
deployment/check/data-model-nixops4/constants.nix
View file

@ -3,7 +3,7 @@
"nixops4" "nixops4"
]; ];
pathToRoot = ../../..; pathToRoot = ../../..;
pathFromRoot = ./.; pathFromRoot = "/deployment/check/data-model-ssh";
enableAcme = true; enableAcme = true;
useFlake = true; useFlake = true;
} }

2
deployment/check/data-model-ssh/constants.nix
View file

@ -3,6 +3,6 @@
"ssh" "ssh"
]; ];
pathToRoot = ../../..; pathToRoot = ../../..;
pathFromRoot = ./.; pathFromRoot = "/deployment/check/data-model-ssh";
enableAcme = true; enableAcme = true;
} }

67
deployment/check/data-model-ssh/nixosTest.nix
View file

@ -1,30 +1,20 @@
{ {
lib, lib,
config,
pkgs, pkgs,
inputs,
... ...
}: }:
let let
inherit (import ./constants.nix) pathToRoot pathFromRoot; inherit (import ./constants.nix) pathToRoot pathFromRoot;
inherit (pkgs) system; inherit (pkgs) system;
escapedJson = v: lib.replaceStrings [ "\"" ] [ "\\\\\"" ] (lib.strings.toJSON v);
deployment-config = { deployment-config = {
inherit pathToRoot pathFromRoot; inherit pathToRoot pathFromRoot;
inherit (config) enableAcme;
acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
nodeName = "ssh"; nodeName = "ssh";
}; };
inherit deployment =
((import ../common/data-model.nix { (import ../common/data-model.nix {
inherit system inputs; inherit system;
config = deployment-config; config = deployment-config;
})."ssh-deployment".ssh-host.ssh })."ssh-deployment".ssh-host;
)
host
username
key-file
;
in in
{ {
_class = "nixosTest"; _class = "nixosTest";
@ -36,6 +26,10 @@ in
sourceFileset = lib.fileset.unions [ sourceFileset = lib.fileset.unions [
../../data-model.nix ../../data-model.nix
../../function.nix ../../function.nix
../../nixos.nix
../../run/ssh-single-host/run.sh
../../../npins/default.nix
../../../npins/sources.json
../common/data-model.nix ../common/data-model.nix
../common/data-model-options.nix ../common/data-model-options.nix
./constants.nix ./constants.nix
@ -58,51 +52,12 @@ in
}; };
extraTestScript = '' extraTestScript = ''
with subtest("ssh: Check the status before deployment"): with subtest("Check the status before deployment"):
ssh.fail("hello 1>&2") ssh.fail("hello 1>&2")
with subtest("ssh: Run the deployment"): with subtest("Run the deployment"):
deployer.succeed(""" deployer.succeed("""
set -euo pipefail ${deployment.run}
# INSTANTIATE
command=(nix-instantiate --show-trace --expr '
let
system = "${pkgs.system}"; # FIXME: what system are we deploying to?
in
import ${pathToRoot}/deployment/nixos.nix {
inherit system;
configuration = (
import ${pathToRoot}/deployment/check/common/data-model.nix {
inherit system;
config = builtins.fromJSON "${escapedJson deployment-config}";
}
)."ssh-deployment".ssh-host.nixos-configuration;
}
')
# DEPLOY
host="${lib.defaultTo "root" username}@${host}"
sshOpts=(
${if key-file == null then "" else "-i ${key-file}"}
-o StrictHostKeyChecking=no
-o "ConnectTimeout=1"
-o "ServerAliveInterval=1"
)
# instantiate the config in /nix/store
"''${command[@]}" --show-trace -A out_path
# get the realized derivation to deploy
outPath=$(nix-store --realize "$("''${command[@]}" --show-trace --eval --strict --json | jq -r '.drv_path')")
# deploy the config by nix-copy-closure
NIX_SSHOPTS="''${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
# switch the remote host to the config
output=$(ssh "''${sshOpts[@]}" "$host" "nix-env --profile /nix/var/nix/profiles/system --set $outPath; nohup $outPath/bin/switch-to-configuration switch &" 2>&1) || echo "status code: $?"
echo "output: $output"
if [[ $output != *"Timeout, server ssh not responding"* ]]; then
echo "non-timeout error: $output"
exit 1
else
exit 0
fi
""") """)
ssh.wait_for_unit("multi-user.target") ssh.wait_for_unit("multi-user.target")
ssh.succeed("su - operator -c hello 1>&2") ssh.succeed("su - operator -c hello 1>&2")

2
deployment/check/panel/constants.nix
View file

@ -6,7 +6,7 @@
"pixelfed" "pixelfed"
]; ];
pathToRoot = ../../..; pathToRoot = ../../..;
pathFromRoot = ./.; pathFromRoot = "/deployment/check/data-model-ssh";
enableAcme = true; enableAcme = true;
useFlake = true; useFlake = true;
} }

128
deployment/data-model.nix
View file

@ -71,12 +71,109 @@ let
deployment-type = attrTag { deployment-type = attrTag {
ssh-host = mkOption { ssh-host = mkOption {
description = "A deployment by SSH to update a single existing NixOS host."; description = "A deployment by SSH to update a single existing NixOS host.";
type = submodule { type = submodule (ssh-host: {
options = { options = {
inherit nixos-configuration; inherit nixos-configuration;
ssh = host-ssh; ssh = host-ssh;
module = mkOption {
description = "The module to call to obtain the NixOS configuration from.";
type = types.str;
};
args = mkOption {
description = "The arguments with which to call the module to obtain the NixOS configuration.";
type = types.attrs;
};
deployment-name = mkOption {
description = "The name of the deployment for which to obtain the NixOS configuration.";
type = types.str;
};
root-path = mkOption {
description = "The path to the root of the repository.";
type = types.path;
};
run = mkOption {
# type = types.path;
type = types.str;
# readOnly = true;
default =
let
# inherit (ssh-host.config) ssh nixos-configuration;
inherit (ssh-host.config)
ssh
module
args
deployment-name
root-path
;
# inherit (ssh-host.config) ssh module args;
inherit (ssh) host username key-file;
# inherit (import ./nixos.nix {
# # inherit system;
# system = pkgs.system; # XXX recheck this is the right one
# configuration = nixos-configuration;
# # commandFn = outPath: '''';
# }) drv_path;
# command
environment = {
# inherit (ssh-host) host username key-file;
# inherit host username drv_path;
key_file = key-file;
deployment_name = deployment-name;
root_path = root-path;
system = pkgs.system; # XXX recheck this is the right one
# config_nix = nixos-configuration;
# config_tf = {};
# inherit host username;
inherit
host
username
module
args
# root_path
;
deployment_type = "ssh-host";
# module = ;
# args = ;
# deployment_name = ;
# deployment_type = ;
# root_path = builtins.toString ./..;
# root_path = ;
};
in
# error: cannot coerce a function to a string: «lambda mkNixosConfiguration @ /nix/store/ifj5ykvb5hv05m9qcr4r1aah4s4f9pdi-source/deployment/check/common/data-model.nix:106:15»
# ''
# env ${toString (lib.mapAttrsToList (k: v: lib.trace (if k == "config_nix" then v {} else k) "${k}='${v}'") environment)} ${./run/ssh-single-host/run.sh}";
# '';
# ''
# env ${toString (lib.mapAttrsToList (k: v: lib.trace k "${k}=${lib.strings.toJSON v}") environment)} ${./run/ssh-single-host/run.sh}";
# '';
# if v == null then toString v else
# lib.traceVal
# ''
# env ${toString (lib.mapAttrsToList (k: v: lib.trace k "${k}='${v}'") (lib.filterAttrs (_: v: v != null) environment))} ${./run/ssh-single-host/run.sh}
# '';
lib.traceVal ''
env ${
toString (
lib.mapAttrsToList (
k: v:
lib.trace k "${k}=\"${
lib.replaceStrings [ "\"" ] [ "\\\\\"" ] (
if lib.isAttrs v then
lib.strings.toJSON v
else if lib.isPath v then
toString v
else
v
)
}\""
) (lib.filterAttrs (_: v: v != null) environment)
)
} bash ./deployment/run/ssh-single-host/run.sh
'';
};
}; };
}; });
}; };
nixops4 = mkOption { nixops4 = mkOption {
description = "A NixOps4 NixOS deployment. For an example, see https://github.com/nixops4/nixops4-nixos/blob/main/example/deployment.nix."; description = "A NixOps4 NixOS deployment. For an example, see https://github.com/nixops4/nixops4-nixos/blob/main/example/deployment.nix.";
@ -192,7 +289,19 @@ in
type = submodule functionType; type = submodule functionType;
readOnly = true; readOnly = true;
default = { default = {
input-type = attrsOf application-resources; input-type = submodule {
options = {
deployment-name = mkOption {
type = types.str;
};
root-path = mkOption {
type = types.str;
};
required-resources = mkOption {
type = attrsOf application-resources;
};
};
};
output-type = deployment-type; output-type = deployment-type;
}; };
}; };
@ -201,17 +310,24 @@ in
# then the deployments can simply be the result of the function application baked into this module. # then the deployments can simply be the result of the function application baked into this module.
deployment = mkOption { deployment = mkOption {
description = "Generate a deployment from a configuration, by applying an environment's resource policies to the applications' resource mappings"; description = "Generate a deployment from a configuration, by applying an environment's resource policies to the applications' resource mappings";
# type = functionTo (functionTo (environment.config.resource-mapping.output-type));
type = functionTo (environment.config.resource-mapping.output-type); type = functionTo (environment.config.resource-mapping.output-type);
readOnly = true; readOnly = true;
default = default =
cfg: {
deployment-name,
root-path,
configuration,
}:
# deployment-name: cfg:
# TODO: check cfg.enable.true # TODO: check cfg.enable.true
let let
required-resources = lib.mapAttrs ( required-resources = lib.mapAttrs (
name: application-settings: config.applications.${name}.resources application-settings name: application-settings: config.applications.${name}.resources application-settings
) cfg.applications; ) configuration.applications;
in in
(environment.config.implementation required-resources).output; (environment.config.implementation { inherit required-resources deployment-name root-path; })
.output;
}; };
}; };

22
deployment/nixos.nix
View file

@ -1,6 +1,7 @@
{ {
configuration, configuration,
system, system,
# commandFn,
sources ? import ../npins, sources ? import ../npins,
}: }:
let let
@ -11,13 +12,20 @@ let
}; };
modules = [ configuration ]; modules = [ configuration ];
}; };
os = { inherit
inherit (eval) pkgs config options; (
system = eval.config.system.build.toplevel; {
inherit (eval.config.system.build) vm vmWithBootLoader; inherit (eval) pkgs config options;
}; system = eval.config.system.build.toplevel;
inherit (eval.config.system.build) vm vmWithBootLoader;
}
.config.system.build
)
toplevel
;
in in
{ {
drv_path = os.config.system.build.toplevel.drvPath; drv_path = toplevel.drvPath;
out_path = os.config.system.build.toplevel; out_path = toplevel;
# command = commandFn "$(nix-instantiate --realize ${toplevel.drvPath})";
} }

57
deployment/run/ssh-single-host/run.sh Executable file
View file

@ -0,0 +1,57 @@
#! /usr/bin/env bash
set -xeuo pipefail
declare username host system module args deployment_name deployment_type args #key_file root_path
# DEPLOY
sshOpts=(
-o BatchMode=yes
-o StrictHostKeyChecking=no
# TODO set key for production
# ${if key-file == null then "" else "-i ${key-file}"}
# NOTE the below options are for tests
-o ConnectTimeout=1
-o ServerAliveInterval=1
)
destination="$username@$host"
# echo "$cwd/deployment"
# ls "$cwd/deployment"
# echo "$args"
root=$(echo "$args" | jq -r '.config.pathToRoot')
# echo "$root/deployment/nixos.nix"
# ls "$root/deployment/nixos.nix"
# FIXME: ensure [[ $root_path == $root ]] so i could just rely on stuff from /deployment/data-model.nix
# cwd=$root_path
cwd=$root
command=(nix-instantiate --show-trace --expr "
import $cwd/deployment/nixos.nix {
system = \"$system\";
configuration = (import \"$cwd/$module\" (builtins.fromJSON ''$args'')).$deployment_name.$deployment_type.nixos-configuration;
}
")
# INSTANTIATE
# instantiate the config in /nix/store
"${command[@]}" -A out_path
# get the realized derivation to deploy
# "${command[@]}" --show-trace --eval --strict --json | jq -r '.command')"
outPath=$(nix-store --realize "$("${command[@]}" --show-trace --eval --strict --json | jq -r '.drv_path')")
# deploy the config by nix-copy-closure
NIX_SSHOPTS="${sshOpts[*]}" nix-copy-closure --to "$destination" "$outPath" --gzip --use-substitutes
# switch the remote host to the config
# NOTE checks here are for tests - in production time-outs could be a real thing, rather than indicator of success!
# shellcheck disable=SC2029
ssh "${sshOpts[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
# shellcheck disable=SC2029
output=$(ssh "${sshOpts[@]}" "$destination" "nohup $outPath/bin/switch-to-configuration switch &" 2>&1) || echo "status code: $?"
echo "output: $output"
if [[ $output != *"Timeout, server $host not responding"* ]]; then
echo "non-timeout error: $output"
exit 1
else
exit 0
fi