| author | aristote <quentin.aristote@irif.fr> | 2025-07-29 15:25:11 +0200 |
|---|---|---|
| committer | aristote <quentin.aristote@irif.fr> | 2025-07-29 15:25:11 +0200 |
| commit | fc019d789523ce5f89436b8dbc458cf3b79abf43 (patch) | |
| tree | ec56fd1b1ed9fc75096c0b09db48a152975e4d53 /modules/nixos/personal/system.nix | |
| parent | a3d19bc509d9f39fb41256cd55d2bd7706de202f (diff) | |
reformat everything with nixfmt
Diffstat (limited to 'modules/nixos/personal/system.nix')
| -rw-r--r-- | modules/nixos/personal/system.nix | 275 |
1 files changed, 146 insertions, 129 deletions
diff --git a/modules/nixos/personal/system.nix b/modules/nixos/personal/system.nix
index 332384a..3337b96 100644
--- a/modules/nixos/personal/system.nix
+++ b/modules/nixos/personal/system.nix
@@ -3,14 +3,16 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.system; cfgRemote = cfg.autoUpgrade.remoteBuilding; cfgNix = config.nix; cfgLuks = config.boot.initrd.luks.devices; name = config.networking.hostName; -in { +in +{ options.personal.system = { flake = lib.mkOption { type = with lib.types; nullOr str;
@@ -20,7 +22,11 @@ in { enable = lib.mkEnableOption "automatic system and nixpkgs upgrade"; autoUpdateInputs = lib.mkOption { type = with lib.types; listOf str; - default = ["nixpkgs" "my-nixpkgs/nur" "nixos-hardware"]; + default = [ + "nixpkgs" + "my-nixpkgs/nur" + "nixos-hardware" + ]; }; checkHosts = lib.mkOption { type = with lib.types; listOf str;
@@ -33,7 +39,7 @@ in { type = lib.types.str; default = "hephaistos"; }; - domain = lib.mkOption {type = lib.types.str;}; + domain = lib.mkOption { type = lib.types.str; }; user = lib.mkOption { type = lib.types.str; default = name;
@@ -44,8 +50,7 @@ in { default = "ssh-ng"; }; speedFactor = lib.mkOption { - type = - lib.types.int; + type = lib.types.int; default = 8; }; }; 
@@ -53,45 +58,55 @@ in { }; }; - config = let - hasFlake = cfg.flake != null; - hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != []; + config = + let + hasFlake = cfg.flake != null; + hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != [ ]; - reboot = config.system.autoUpgrade.allowReboot; - nixosRebuild = "nixos-rebuild ${toString config.system.autoUpgrade.flags}"; + reboot = config.system.autoUpgrade.allowReboot; + nixosRebuild = "nixos-rebuild ${toString config.system.autoUpgrade.flags}"; - remoteBuilder = with cfgRemote.builder; "${hostName}.${domain}"; + remoteBuilder = with cfgRemote.builder; "${hostName}.${domain}"; - checkNetwork = { - path = [pkgs.unixtools.ping]; - # Check network connectivity - preStart = "(${lib.concatMapStringsSep " && " (host: "ping -c 1 ${host}") cfg.autoUpgrade.checkHosts}) || kill -s SIGUSR1 $$"; - unitConfig = { - StartLimitIntervalSec = 300; - StartLimitBurst = 5; - }; - serviceConfig = lib.mkIf (!config.personal.monitoring.enable) { - Restart = "on-abort"; - RestartSec = 30; - RestartMode = "direct"; # dependent units will not fail + checkNetwork = { + path = [ pkgs.unixtools.ping ]; + # Check network connectivity + preStart = "(${ + lib.concatMapStringsSep " && " (host: "ping -c 1 ${host}") cfg.autoUpgrade.checkHosts + }) || kill -s SIGUSR1 $$"; + unitConfig = { + StartLimitIntervalSec = 300; + StartLimitBurst = 5; + }; + serviceConfig = lib.mkIf (!config.personal.monitoring.enable) { + Restart = "on-abort"; + RestartSec = 30; + RestartMode = "direct"; # dependent units will not fail + }; }; - }; - in + in lib.mkMerge [ (lib.mkIf hasFlake { system.autoUpgrade.flake = cfg.flake; - systemd.services.flake-update = lib.mkIf hasFlakeInputs (lib.mkMerge [ - checkNetwork - { - description = "Update flake inputs"; - serviceConfig.Type = "oneshot"; - script = "nix flake update --commit-lock-file --flake ${cfg.flake} " + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; - before = ["nixos-upgrade.service"]; - requiredBy = 
["nixos-upgrade.service"]; - path = [pkgs.git cfgNix.package]; - personal.monitor = true; - } - ]); + systemd.services.flake-update = lib.mkIf hasFlakeInputs ( + lib.mkMerge [ + checkNetwork + { + description = "Update flake inputs"; + serviceConfig.Type = "oneshot"; + script = + "nix flake update --commit-lock-file --flake ${cfg.flake} " + + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; + before = [ "nixos-upgrade.service" ]; + requiredBy = [ "nixos-upgrade.service" ]; + path = [ + pkgs.git + cfgNix.package + ]; + personal.monitor = true; + } + ] + ); programs.git = lib.mkIf (lib.hasPrefix "git+file" cfg.flake) { enable = true; 
@@ -102,28 +117,27 @@ in { }; }) - ( - lib.mkIf (cfg.autoUpgrade.enable && cfgRemote.enable) { - assertions = [ - { - assertion = hasFlake && lib.hasPrefix "git+file://" cfg.flake; - message = "Auto remote upgrade is only supported when the system is specified by a flake with path of the shape 'git+file://...'"; - } - ]; + (lib.mkIf (cfg.autoUpgrade.enable && cfgRemote.enable) { + assertions = [ + { + assertion = hasFlake && lib.hasPrefix "git+file://" cfg.flake; + message = "Auto remote upgrade is only supported when the system is specified by a flake with path of the shape 'git+file://...'"; + } + ]; - personal.system.autoUpgrade.checkHosts = lib.mkOptionDefault [remoteBuilder]; + personal.system.autoUpgrade.checkHosts = lib.mkOptionDefault [ remoteBuilder ]; - programs.ssh = { - extraConfig = '' - Host ${remoteBuilder} - IdentitiesOnly yes - IdentityFile /etc/ssh/remoteBuilder - User ${cfgRemote.builder.user} - ''; - knownHosts."${remoteBuilder}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq"; - }; - } - ) + programs.ssh = { + extraConfig = '' + Host ${remoteBuilder} + IdentitiesOnly yes + IdentityFile /etc/ssh/remoteBuilder + User ${cfgRemote.builder.user} + ''; + knownHosts."${remoteBuilder}".publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq"; + }; + }) (lib.mkIf cfg.autoUpgrade.enable { personal.boot.unattendedReboot = lib.mkIf reboot true; 
@@ -137,83 +151,86 @@ in { path = lib.optional reboot pkgs.coreutils ++ [ - ( - if cfgRemote.enable - then cfgNix.package - else pkgs.nixos-rebuild - ) + (if cfgRemote.enable then cfgNix.package else pkgs.nixos-rebuild) ] ++ lib.optional (reboot && cfgLuks ? crypt) pkgs.cryptsetup; personal.monitor = true; - script = lib.mkForce (lib.concatStrings [ - '' - ## build configuration - '' - ( - let - in - if cfgRemote.enable - then '' - # update remote flake - pushd ${lib.removePrefix "git+file://" cfg.flake} - git push --force ${cfgRemote.builder.hostName} local:master - popd - # build remotely - config=$(ssh ${remoteBuilder} -- \ - 'nix build --refresh --print-out-paths \ - git+file://$(pwd)/nixos-configuration#nixosConfigurations.${name}.config.system.build.toplevel') - # copy result locally - nix-copy-closure --from ${remoteBuilder} "$config" - # create new generation - nix-env --profile /nix/var/nix/profiles/system \ - --set "$config" + script = lib.mkForce ( + lib.concatStrings [ + '' + ## build configuration + '' + ( + let + in + if cfgRemote.enable then + '' + # update remote flake + pushd ${lib.removePrefix "git+file://" cfg.flake} + git push --force ${cfgRemote.builder.hostName} local:master + popd + # build remotely + config=$(ssh ${remoteBuilder} -- \ + 'nix build --refresh --print-out-paths \ + git+file://$(pwd)/nixos-configuration#nixosConfigurations.${name}.config.system.build.toplevel') + # copy result locally + nix-copy-closure --from ${remoteBuilder} "$config" + # create new generation + nix-env --profile /nix/var/nix/profiles/system \ + --set "$config" - switch="$config/bin/switch-to-configuration" - '' - else '' - switch="${nixosRebuild}" - '' - ) - '' - ## check whether a reboot is necessary" - '' - ( - if reboot - then '' - $switch boot - booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" - built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" - reboot="$([ "$booted" = "$built" ] || echo true)" + 
switch="$config/bin/switch-to-configuration" + '' + else + '' + switch="${nixosRebuild}" + '' + ) '' - else '' - reboot="" + ## check whether a reboot is necessary" '' - ) - '' - ## switch to new configuration - '' - (let - ifcrypt = lib.optionalString (cfgLuks ? crypt); - crypt = cfgLuks.crypt.device; - luksKey = x: "/etc/luks/keys/" + x; - in '' - if [ "$reboot" ] - then - ${ifcrypt '' - cryptsetup luksAddKey ${crypt} ${luksKey "tmp"} \ - --key-file ${luksKey "master"} \ - --verbose - ''} - shutdown -r now ${ifcrypt '' - || cryptsetup luksRemoveKey ${crypt} \ - --key-file ${luksKey "tmp"} \ - --verbose - ''} - else - $switch switch - fi - '') - ]); + ( + if reboot then + '' + $switch boot + booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + reboot="$([ "$booted" = "$built" ] || echo true)" + '' + else + '' + reboot="" + '' + ) + '' + ## switch to new configuration + '' + ( + let + ifcrypt = lib.optionalString (cfgLuks ? crypt); + crypt = cfgLuks.crypt.device; + luksKey = x: "/etc/luks/keys/" + x; + in + '' + if [ "$reboot" ] + then + ${ifcrypt '' + cryptsetup luksAddKey ${crypt} ${luksKey "tmp"} \ + --key-file ${luksKey "master"} \ + --verbose + ''} + shutdown -r now ${ifcrypt '' + || cryptsetup luksRemoveKey ${crypt} \ + --key-file ${luksKey "tmp"} \ + --verbose + ''} + else + $switch switch + fi + '' + ) + ] + ); } ]; }) |
