deploy: refactor to use modified/*/paths.nix

2015-07-07 05:55:28 +02:00 · 2015-07-07 05:55:28 +02:00 · 366373e9c6
commit 366373e9c6
parent 9c2bc5b4d0
15 changed files with 217 additions and 166 deletions
--- a/bin/nixos-build
+++ b/bin/nixos-build
@ -1,24 +0,0 @@
-#! /bin/sh
-#
-# nixos-build system_name -> system_path
-#
-set -euf
-
-system_name=$1
-
-NIXOS_CONFIG=$config_root/modules/$system_name
-export NIXOS_CONFIG
-
-# Notice how host's NIX_PATH is used to prefetch nixpkgs.
-prefetch nixpkgs "$nixpkgs_root/$system_name"
-
-NIX_PATH=$nixpkgs_root/$system_name
-NIX_PATH=$NIX_PATH:secrets=$secrets_root/$system_name/nix
-NIX_PATH=$NIX_PATH:pubkeys=$config_root/pubkeys
-NIX_PATH=$NIX_PATH:retiolum-hosts=$retiolum_hosts
-export NIX_PATH
-
-exec nix-build \
-  -A system \
-  --no-out-link \
-  '<nixos>'
--- a/bin/nixos-deploy
+++ b/bin/nixos-deploy
@ -1,16 +0,0 @@
-#! /bin/sh
-#
-# nixos-deploy system_name target
-#
-set -euf
-
-system_name=$1
-target=$2
-
-system=$(nixos-build "$system_name")
-
-nix-copy-closure --gzip --to "$target" "$system"
-
-copy-secrets "$system_name" "$target"
-
-ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch
--- a/bin/prefetch
+++ b/bin/prefetch
@ -1,88 +0,0 @@
-#! /bin/sh
-#
-# usage: prefetch repo_name out_link
-#
-# Make the specified repository available as out_link.
-#
-set -euf
-
-repo_name=$1
-out_link=$2
-
-if test "$repo_name" != nixpkgs; then
-  echo "prefetch: cannot fetch $repo_name, yet" >&2
-  exit -1
-fi
-
-git_rev=$(nixos-query nixpkgs.rev)
-git_url=$(nixos-query nixpkgs.url)
-dirty=$(nixos-query nixpkgs.dirty)
-
-case $dirty in true)
-  ln -snf "$git_url" "$out_link"
-  echo "prefetch: using $git_url as it is" >&2
-  exit
-esac
-
-# Put all bases in the same place as out_link.
-# Notice how out_link must not clash with cache_dir and work_dir.
-cache_base=$(dirname "$out_link")
-work_base=$(dirname "$out_link")
-
-# cache_dir points to a (maybe non-existent) directory, where a shared cache of
-# the repository should be maintained.  The shared cache is used to create
-# multiple working trees of the repository.
-cache_dir=$cache_base/$(echo "$git_url" | urlencode)
-
-# work_dir points to a (maybe non-existent) directory, where a specific
-# revision of the repository is checked out.
-work_dir=$work_base/$(echo "$git_rev" | urlencode)
-
-cache_git() {
-  git --git-dir="$cache_dir" "$@"
-}
-
-work_git() {
-  git -C "$work_dir" "$@"
-}
-
-is_up_to_date() {
-  test -d "$cache_dir" &&
-  test -d "$work_dir" &&
-  test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" &&
-  test "$(work_git rev-parse --verify HEAD)" = "$git_rev"
-}
-
-# Notice how the remote name "origin" has been chosen arbitrarily, but must be
-# kept in sync with the default value of nixpkgs.rev.
-if ! is_up_to_date; then
-  if ! test -d "$cache_dir"; then
-    mkdir -p "$cache_dir"
-    cache_git init --bare
-  fi
-  if ! cache_git_url=$(cache_git config remote.origin.url); then
-    cache_git remote add origin "$git_url"
-  elif test "$cache_git_url" != "$git_url"; then
-    cache_git remote set-url origin "$git_url"
-  fi
-  cache_git fetch origin
-  if ! test -d "$work_dir"; then
-    git clone -n --shared "$cache_dir" "$work_dir"
-  fi
-  commit_name=$(cache_git rev-parse --verify "$git_rev")
-  work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")"
-  work_git checkout -q "$commit_name"
-  work_git submodule init
-  work_git submodule update
-fi
-work_git clean -dxf
-
-# Relative links are nicer, and actually we know that work_dir and out_link are
-# the same.  But, for robustness, check anyway.. :)
-if test "$(dirname "$work_dir")" = "$(dirname "$out_link")"; then
-  ln -snf "$(basename "$work_dir")" "$out_link"
-else
-  ln -snf "$work_dir" "$out_link"
-fi
-
-echo "prefetch: using $git_url $(work_git log --oneline -n1)" >&2
--- a/default.nix
+++ b/default.nix
@ -0,0 +1,151 @@
+{ system-name
+, rsync-target ? null
+, deploy-target ? null
+}:
+
+# TODO assert that only one of rsync-target or deploy-target is not null
+
+with builtins;
+assert (typeOf system-name == "string");
+with import <nixpkgs/lib>;
+let
+  paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix";
+
+  paths = import paths-file;
+
+  prefetch.file = ''
+    echo "$prefetch_in_url"
+  '';
+
+  prefetch.git = ''
+    ${concatMapStringsSep "\n" (attr-name: ''
+      case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?)
+        printf '%s: %s: missing attribute: %s' \
+          ${escapeShellArg paths-file} \
+          "$prefetch_name" \
+          ${escapeShellArg attr-name} \
+          >&2
+        return 1
+      esac
+    '') [ "rev" "url" "cache" ]}
+
+    git_rev=$prefetch_in_rev
+    git_url=$prefetch_in_url
+
+    # cache_dir points to a (maybe non-existent) directory, where a shared cache of
+    # the repository should be maintained.  The shared cache is used to create
+    # multiple working trees of the repository.
+    cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode)
+    cache_git() {
+      git --git-dir="$cache_dir" "$@"
+    }
+
+    # work_dir points to a (maybe non-existent) directory, where a specific
+    # revision of the repository is checked out.
+    # XXX this is probably a bad idea if git_rev is not a commit
+    work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode)
+    work_git() {
+      git -C "$work_dir" "$@"
+    }
+
+    is_up_to_date() {
+      test -d "$cache_dir" &&
+      test -d "$work_dir" &&
+      test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" &&
+      test "$(work_git rev-parse --verify HEAD)" = "$git_rev"
+    }
+
+    # Notice how the remote name "origin" has been chosen arbitrarily, but must be
+    # kept in sync with the default value of nixpkgs.rev.
+    if ! is_up_to_date; then
+      if ! test -d "$cache_dir"; then
+        mkdir -p "$cache_dir"
+        cache_git init --bare
+      fi
+      if ! cache_git_url=$(cache_git config remote.origin.url); then
+        cache_git remote add origin "$git_url"
+      elif test "$cache_git_url" != "$git_url"; then
+        cache_git remote set-url origin "$git_url"
+      fi
+      cache_git fetch origin
+      if ! test -d "$work_dir"; then
+        git clone -n --shared "$cache_dir" "$work_dir"
+      fi
+      commit_name=$(cache_git rev-parse --verify "$git_rev")
+      work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")"
+      work_git checkout -q "$commit_name"
+      work_git submodule init
+      work_git submodule update
+    fi
+    work_git clean -dxf
+
+    echo "$work_dir"
+  '';
+
+
+  f = pkg-name: pkg-spec:
+    let
+      types = attrNames pkg-spec;
+      type = elemAt types 0;
+    in
+    assert (length types == 1); # there can be only one source type
+    ''
+      out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v:
+          "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \
+          prefetch_name=${escapeShellArg pkg-name} \
+          __prefetch_${escapeShellArg type})
+      printf '%s=%s\n' \
+        ${escapeShellArg pkg-name} \
+        "$out"
+    '';
+in
+''
+#! /bin/sh
+set -euf
+
+PATH=${toString ./.}/bin:$PATH
+export PATH
+
+__prefetch_file() {
+${prefetch.file}
+}
+__prefetch_git() {
+${prefetch.git}
+}
+
+# TODO make sure x contains only sane chars
+x=$(${concatStrings (mapAttrsToList f paths)})
+
+${optionalString (rsync-target != null) ''
+  proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \
+    rsync --delete --delete-excluded \
+      --filter='- /*/.git' \
+      --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \
+      -vaz \
+      --no-owner \
+      --no-group \
+      '/shitment/' \
+      ${escapeShellArg rsync-target}
+''}
+
+
+${optionalString (deploy-target != null) ''
+  system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \
+    env \
+        NIX_PATH=/shitment \
+        NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \
+      nix-build -A system --no-out-link '<nixpkgs/nixos>')
+
+  system_name=${escapeShellArg system-name}
+  target=${escapeShellArg deploy-target}
+
+  nix-copy-closure --gzip --to "$target" "$system_path"
+
+  secrets_root=${toString ./.}/secrets \
+  config_root=${toString ./.} \
+    copy-secrets "$system_name" "$target"
+
+  ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch
+''}
+
+''
--- a/14
+++ b/14
@ -7,11 +7,9 @@ set -euf
 system_name=$1
 target=${2-root@$system_name}

-export PATH="$PWD/bin:$PATH"
-#export nixpkgs=/var/nixpkgs
-export nixpkgs_root=$PWD/tmp/nixpkgs
-export config_root=$PWD
-export retiolum_hosts=$PWD/hosts
-export secrets_root=$PWD/secrets
-
-exec nixos-deploy "$system_name" "$target"
+nix-instantiate \
+    --argstr system-name "$system_name" \
+    --argstr deploy-target "$target" \
+    --eval --json . \
+  | jq -r .  \
+  | sh
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@ -10,7 +10,6 @@ in
      { users.extraUsers = import <secrets/extraUsers.nix>; }
      ./networking.nix
      ./users.nix
-      ../common/nixpkgs.nix
      ../tv/base.nix
      ../tv/base-cac-CentOS-7-64bit.nix
      ../tv/ejabberd.nix # XXX echtes modul
@ -50,11 +49,6 @@ in
  # "Developer 2" plan has two vCPUs.
  nix.maxJobs = 2;

-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs";
-    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
-  };
-
  environment.systemPackages = with pkgs; [
    git # required for ./deploy, clone_or_update
    htop
--- a/modules/cd/paths.nix
+++ b/modules/cd/paths.nix
@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/cd/nix;
+}
--- a/modules/mkdir/default.nix
+++ b/modules/mkdir/default.nix
@ -10,7 +10,6 @@ in
      { users.extraUsers = import <secrets/extraUsers.nix>; }
      ./networking.nix
      ./users.nix
-      ../common/nixpkgs.nix
      ../tv/base.nix
      ../tv/base-cac-CentOS-7-64bit.nix
      ../tv/exim-smarthost.nix
@ -49,11 +48,6 @@ in

  nix.maxJobs = 1;

-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs";
-    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
-  };
-
  environment.systemPackages = with pkgs; [
    git # required for ./deploy, clone_or_update
    htop
--- a/modules/mkdir/paths.nix
+++ b/modules/mkdir/paths.nix
@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/cd/nix;
+}
--- a/modules/mu/default.nix
+++ b/modules/mu/default.nix
@ -11,7 +11,6 @@ in
 {
  imports = [
    <secrets/mu.hashedPasswords.nix>
-    ../common/nixpkgs.nix
    ../tv/base.nix
    ../tv/exim-retiolum.nix
    ../tv/retiolum.nix
@ -20,11 +19,6 @@ in

  nix.maxJobs = 2;

-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs";
-    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
-  };
-
  services.udev.extraRules = ''
    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
--- a/modules/mu/paths.nix
+++ b/modules/mu/paths.nix
@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/wu/nix;
+}
--- a/modules/rmdir/default.nix
+++ b/modules/rmdir/default.nix
@ -10,7 +10,6 @@ in
      { users.extraUsers = import <secrets/extraUsers.nix>; }
      ./networking.nix
      ./users.nix
-      ../common/nixpkgs.nix
      ../tv/base.nix
      ../tv/base-cac-CentOS-7-64bit.nix
      ../tv/exim-smarthost.nix
@ -50,11 +49,6 @@ in

  nix.maxJobs = 1;

-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs";
-    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
-  };
-
  environment.systemPackages = with pkgs; [
    git # required for ./deploy, clone_or_update
    htop
--- a/modules/rmdir/paths.nix
+++ b/modules/rmdir/paths.nix
@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/cd/nix;
+}
--- a/modules/wu/default.nix
+++ b/modules/wu/default.nix
@ -11,7 +11,6 @@ in
 {
  imports = [
    ./hosts.nix
-    ../common/nixpkgs.nix
    ../tv/base.nix
    ../tv/exim-retiolum.nix
    ../tv/sanitize.nix
@ -63,11 +62,6 @@ in
    daemonNiceLevel = 1;
  };

-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs";
-    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
-  };
-
  services.udev.extraRules = ''
    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
--- a/modules/wu/paths.nix
+++ b/modules/wu/paths.nix
@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/wu/nix;
+}