From f2e0f4c86f3318cc6df018b1948dd5bade77f082 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sat, 22 Mar 2025 18:19:29 +0100
Subject: nixos: split nix and system; use own autoUpgrade script
---
 modules/nixos/personal/nix.nix | 164 -----------------------------------------
 1 file changed, 164 deletions(-)
(limited to 'modules/nixos/personal/nix.nix')
diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix
index cab9128..17471c2 100644
--- a/modules/nixos/personal/nix.nix
+++ b/modules/nixos/personal/nix.nix
@@ -5,72 +5,10 @@
 ...
 }: let
 cfg = config.personal.nix;
- hasFlake = cfg.flake != null;
- hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != [];
- checkNetwork = {
- path = [pkgs.unixtools.ping];
- # Check network connectivity
- preStart = "(${lib.concatMapStringsSep " && " (host: "ping -c 1 ${host}") cfg.autoUpgrade.checkHosts}) || kill -s SIGUSR1 $$";
- unitConfig = {
- StartLimitIntervalSec = 300;
- StartLimitBurst = 5;
- };
- serviceConfig = {
- Restart = "on-abort";
- RestartSec = 30;
- };
- };
 in {
 options.personal.nix = {
 enable = lib.mkEnableOption "nix configuration";
- autoUpgrade = {
- enable = lib.mkEnableOption "automatic system and nixpkgs upgrade";
- autoUpdateInputs = lib.mkOption {
- type = with lib.types; listOf str;
- default = ["nixpkgs" "my-nixpkgs/nur" "nixos-hardware"];
- };
- checkHosts = lib.mkOption {
- type = with lib.types; listOf str;
- default = with builtins; concatMap (match "https://([^/]*)/?") config.nix.settings.substituters;
- };
- };
- flake = lib.mkOption {
- type = with lib.types; nullOr str;
- default = null;
- };
 gc.enable = lib.mkEnableOption "garbage collection";
- remoteBuilds = {
- enable = lib.mkEnableOption "remote builds";
- machines.hephaistos = {
- enable = lib.mkEnableOption "hephaistos remote builder";
- domain = lib.mkOption {
- type = lib.types.str;
- };
- user = lib.mkOption {
- type = lib.types.str;
- default = "nixremote";
- };
- protocol = lib.mkOption {
- type = lib.types.str;
- # Nix custom ssh-variant that avoids lots of "trusted-users" settings pain
- default = "ssh-ng";
- };
- speedFactor = lib.mkOption {
- type =
- lib.types.int;
- default = 8;
- };
- require = lib.mkOption {
- type =
- lib.types.bool;
- default = true;
- description = ''
- Whether this remote builder is required to build the configuration.
- If so, network connectivity to this remote builder will be checked prior to building.
- '';
- };
- };
- };
 };
 config = lib.mkIf cfg.enable (lib.mkMerge [
 
@@ -129,107 +67,5 @@ in {
 };
 };
 })
-
- (lib.mkIf cfg.autoUpgrade.enable {
- personal.boot.unattendedReboot = lib.mkIf config.system.autoUpgrade.allowReboot true;
- system.autoUpgrade = {
- enable = true;
- flags = lib.optional (!hasFlake) "--upgrade-all";
- };
- systemd.services.nixos-upgrade = lib.mkMerge [
- checkNetwork
- {
- path = [config.nix.package];
- preStart = lib.mkAfter (lib.optionalString hasFlake ''
- echo "Downloading flake inputs..."
- nix flake archive ${cfg.flake}
- ''
- + ''
- echo "Evaluating configuration..."
- ${config.system.build.nixos-rebuild}/bin/nixos-rebuild dry-build ${toString config.system.autoUpgrade.flags}
- '');
- personal.monitor = true;
- }
- (let
- luksCfg = config.boot.initrd.luks.devices;
- cryptExists = luksCfg ? crypt;
- cryptCfg = luksCfg.crypt;
- in
- lib.mkIf (cryptExists && config.system.autoUpgrade.allowReboot) {
- path = [pkgs.cryptsetup];
- script = lib.mkAfter ''
- cryptsetup --verbose luksAddKey --key-file /etc/luks/keys/master ${cryptCfg.device} /etc/luks/keys/tmp
- '';
- serviceConfig.TimeoutStopSec = "infinity";
- postStop = ''
- # if a reboot due to nixos-upgrade happens,
- # it should occur within a minute
- sleep 60
- # if no reboot has happened,
- # disable any leftover keyfile
- while cryptsetup --verbose luksRemoveKey ${cryptCfg.device} --key-file /etc/luks/keys/tmp
- do
- :
- done
- '';
- })
- ];
- })
-
- (lib.mkIf hasFlake {
- system.autoUpgrade.flake = cfg.flake;
- systemd.services.flake-update = lib.mkIf hasFlakeInputs (lib.mkMerge [
- checkNetwork
- {
- unitConfig.Description = "Update flake inputs";
- serviceConfig = {
- ExecStart = "${config.nix.package}/bin/nix flake update --commit-lock-file --flake ${cfg.flake} " + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs;
- Type = "oneshot"; # Ensure that it finishes before starting nixos-upgrade
- };
- before = ["nixos-upgrade.service"];
- requiredBy = ["nixos-upgrade.service"];
- path = [pkgs.git];
- personal.monitor = true;
- }
- ]);
-
- programs.git = lib.mkIf (lib.hasPrefix "git+file" cfg.flake) {
- enable = true;
- config.user = lib.mkDefault {
- name = "Root user of ${config.networking.hostName}";
- email = "root@${config.networking.hostName}";
- };
- };
- })
-
- (lib.mkIf cfg.remoteBuilds.enable (with cfg.remoteBuilds.machines.hephaistos; {
- nix = {
- distributedBuilds = true;
- settings.builders-use-substitutes = true;
- buildMachines = lib.optional enable {
- inherit protocol speedFactor;
- hostName = "hephaistos.${domain}";
- system = "x86_64-linux";
- maxJobs = 8;
- supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm" "recursive-nix"];
- mandatoryFeatures = [];
- };
- };
-
- personal.nix.autoUpgrade.checkHosts = lib.mkOptionDefault (lib.optional require "hephaistos.${domain}");
-
- programs.ssh = {
- extraConfig = lib.optionalString enable ''
- Host hephaistos.${domain}
- # Prevent using ssh-agent or another keyfile, useful for testing
- IdentitiesOnly yes
- IdentityFile /etc/ssh/${user}
- # The weakly privileged user on the remote builder
- # If not set, 'root' is used – which will hopefully fail
- User ${user}
- '';
- knownHosts."hephaistos.${domain}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq";
- };
- }))
 ]);
 }
-- cgit v1.2.3