From 11a5fe484f5a6509059892d95f018d81074da027 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sun, 16 Mar 2025 15:09:36 +0100
Subject: nixos: autoUpgrade: eval nix on remote machine
---
 config/nix.nix | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 58 insertions(+), 7 deletions(-)
diff --git a/config/nix.nix b/config/nix.nix
index ddc3bc5..e3b7602 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -1,4 +1,11 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ allowReboot = true;
+in {
 personal.nix = {
 enable = true;
 autoUpgrade.enable = true;
@@ -14,7 +21,7 @@
 };
 };
- system.autoUpgrade.allowReboot = true;
+ system.autoUpgrade = {inherit allowReboot;};
 # disable remote builds
 nix.settings.max-jobs = 0;
@@ -23,10 +30,54 @@
 setFlakeRegistry = true;
 };
- systemd.services.nixos-upgrade.serviceConfig = {
- MemoryAccounting = true;
- MemoryHigh = "0.9G";
- MemoryMax = "1G";
- MemorySwapMax = "0";
+ systemd.services.nixos-upgrade = {
+ preStart = lib.mkForce ''
+ cd /etc/nixos
+ # requires to have added
+ # hephaistos.aristote.mesh:/~/nixos-configuration
+ # as remote hephaistos
+ git push --force hephaistos master
+ '';
+ script = lib.mkForce (let
+ hephaistos = "hephaistos.aristote.mesh";
+ in
+ ''
+ RESULT=$(ssh ${hephaistos} -- \
+ 'nix build --print-out-paths \
+ git+file://$(pwd)/nixos-configuration#nixosConfigurations.hermes.config.system.build.toplevel' \
+ )
+ nix-copy-closure --from ${hephaistos} "$RESULT"
+ ''
+ + (
+ let
+ switch = "$RESULT/bin/switch-to-configuration";
+ readlink = "${pkgs.coreutils}/bin/readlink";
+ in
+ if allowReboot
+ then ''
+ ${switch} boot
+ booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+ built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+ if [ "$booted" = "$built" ]
+ then
+ ${switch} switch
+ else
+ cryptsetup --verbose luksAddKey \
+ --key-file /etc/luks/keys/master \
+ ${config.boot.initrd.luks.devices.crypt.device} \
+ /etc/luks/keys/tmp
+ shutdown -r +1
+ fi
+ ''
+ else ''
+ ${switch} switch
+ ''
+ ));
+ serviceConfig = {
+ MemoryAccounting = true;
+ MemoryHigh = "0.9G";
+ MemoryMax = "1G";
+ MemorySwapMax = "0";
+ };
 };
 }
-- cgit v1.2.3
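Review bot: In the reboot branch, `cryptsetup luksAddKey` enrolls `/etc/luks/keys/tmp` as an extra key on the encrypted device right before `shutdown -r +1`, and nothing in this hunk removes that key slot afterwards, so the temporary key may stay valid long after the unattended reboot. If the removal happens elsewhere (initrd or a boot-time unit), record it next to the call, e.g. `# slot for /etc/luks/keys/tmp is removed by <unit> after the unattended boot`; otherwise pair it with a `cryptsetup luksRemoveKey` once the machine is back up. Separately, `built` is read from `/nix/var/nix/profiles/system`, but the script never points that profile at `$RESULT`, so the comparison appears to look at the previous generation and a kernel change could go unnoticed; running `nix-env -p /nix/var/nix/profiles/system --set "$RESULT"` before `${switch} boot`, or reading the links from `"$RESULT"` directly, would address that. The unit also activates whatever store path the remote `nix build` prints, so the builder host and the force-pushed repository become part of this machine's trust boundary, which deserves a comment and ideally a pinned revision in the `git+file://` URL.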