From 33e3a6cc33fdeb84e64be97296160fc360d75e85 Mon Sep 17 00:00:00 2001
From: Lach <iam@lach.pw>
Date: Thu, 24 Apr 2025 21:57:20 +0000
Subject: [PATCH] feat: basic lustration helper


---
--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -1,6 +1,6 @@
 use std::{env::current_dir, os::unix::fs::symlink, path::PathBuf, time::Duration};
 
-use anyhow::{anyhow, bail, Result};
+use anyhow::{anyhow, bail, Context, Result};
 use clap::{Parser, ValueEnum};
 use fleet_base::{
 	host::{Config, ConfigHost, DeployKind},
@@ -132,10 +132,10 @@
 	disable_rollback: bool,
 ) -> Result<()> {
 	let deploy_kind = host.deploy_kind().await?;
-	if deploy_kind == DeployKind::NixosInstall
+	if (deploy_kind == DeployKind::NixosInstall || deploy_kind == DeployKind::NixosLustrate)
 		&& !matches!(action, DeployAction::Boot | DeployAction::Upload)
 	{
-		bail!("nixos-install deploy kind only supports boot and upload actions");
+		bail!("{deploy_kind:?} deploy kind only supports boot and upload actions");
 	}
 
 	let mut failed = false;
@@ -184,6 +184,17 @@
 			}
 		}
 	}
+	if deploy_kind == DeployKind::NixosLustrate {
+		// Fleet could also create this file, but as this operation is potentially disruptive,
+		// make user do it themself.
+		if !host.file_exists("/etc/NIXOS_LUSTRATE").await? {
+			bail!("/etc/NIXOS_LUSTRATE should be created on remote host");
+		}
+		// Wanted by NixOS to recognize the system as NixOS.
+		let mut cmd = host.cmd("touch").await?;
+		cmd.arg("/etc/NIXOS");
+		cmd.sudo().run().await.context("creating /etc/NIXOS")?;
+	}
 	if deploy_kind == DeployKind::NixosInstall {
 		info!(
 			"running nixos-install to switch profile, install bootloader, and perform activation"
@@ -247,6 +258,9 @@
 			};
 			let switch_script = specialised.join("bin/switch-to-configuration");
 			let mut cmd = host.cmd(switch_script).in_current_span().await?;
+			if deploy_kind == DeployKind::NixosLustrate {
+				cmd.env("NIXOS_INSTALL_BOOTLOADER", "1");
+			}
 			cmd.env("FLEET_ONLINE_ACTIVATION", "1")
 				.arg(action.name().expect("upload.should_activate == false"));
 			if let Err(e) = cmd.sudo().run().in_current_span().await {
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -23,8 +23,10 @@
 };
 
 pub struct FleetConfigInternals {
+	/// Fleet project directory, containing fleet.nix file.
+	pub directory: PathBuf,
+	/// builtins.currentSystem
 	pub local_system: String,
-	pub directory: PathBuf,
 	pub data: Mutex<FleetData>,
 	pub nix_args: Vec<OsString>,
 	/// fleet_config.config
@@ -34,6 +36,7 @@
 
 	/// import nixpkgs {system = local};
 	pub default_pkgs: Value,
+	/// inputs.nixpkgs
 	pub nixpkgs: Value,
 
 	pub nix_session: NixSession,
@@ -58,7 +61,7 @@
 	Su,
 }
 
-#[derive(Clone, PartialEq, Copy)]
+#[derive(Clone, PartialEq, Copy, Debug)]
 pub enum DeployKind {
 	/// NixOS => NixOS managed by fleet
 	UpgradeToFleet,
@@ -67,6 +70,10 @@
 	/// Remote host has /mnt, /mnt/boot mounted,
 	/// generated config is added to fleet configuration.
 	NixosInstall,
+	/// Remote host has some system and nix installed in multi-user mode (/nix is owned by root),
+	/// generated config is added to fleet configuration,
+	/// and /etc/NIXOS_LUSTRATE exists, fleet will perform the rest.
+	NixosLustrate,
 }
 
 impl FromStr for DeployKind {
@@ -302,7 +309,7 @@
 		nix.arg("copy").arg("--substitute-on-destination");
 
 		match self.deploy_kind().await? {
-			DeployKind::Fleet | DeployKind::UpgradeToFleet => {
+			DeployKind::Fleet | DeployKind::UpgradeToFleet | DeployKind::NixosLustrate => {
 				nix.comparg("--to", format!("ssh-ng://{}", self.name));
 			}
 			DeployKind::NixosInstall => {
--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -6,7 +6,7 @@
 	sync::{Arc, Mutex},
 };
 
-use anyhow::{Context, Result};
+use anyhow::{bail, Context, Result};
 use clap::Parser;
 use nix_eval::{nix_go, util::assert_warn, NixSessionPool, Value};
 use nom::{
@@ -182,7 +182,23 @@
 
 	// TODO: Config should be detached from opts.
 	pub async fn build(&self, nix_args: Vec<OsString>, assert: bool) -> Result<Config> {
-		let directory = current_dir()?;
+		let cwd = current_dir()?;
+		let mut directory = cwd.clone();
+		let mut fleet_data_path = directory.join("fleet.nix");
+		while !fleet_data_path.is_file() {
+			// fleet.nix
+			fleet_data_path.pop();
+			if !directory.pop() || !fleet_data_path.pop() {
+				bail!(
+					"fleet.nix not found at {} or any of the parent directories",
+					cwd.display()
+				);
+			}
+			fleet_data_path.push("fleet.nix");
+		}
+		let bytes =
+			std::fs::read_to_string(&fleet_data_path).context("reading fleet state (fleet.nix)")?;
+		let data: Mutex<FleetData> = nixlike::parse_str(&bytes)?;
 
 		let pool = NixSessionPool::new(
 			directory.as_os_str().to_owned(),
@@ -193,12 +209,6 @@
 		let nix_session = pool.get().await?;
 
 		let builtins_field = Value::binding(nix_session.clone(), "builtins").await?;
-
-		let mut fleet_data_path = directory.clone();
-		fleet_data_path.push("fleet.nix");
-		let bytes =
-			std::fs::read_to_string(fleet_data_path).context("reading fleet state (fleet.nix)")?;
-		let data: Mutex<FleetData> = nixlike::parse_str(&bytes)?;
 
 		let fleet_root = Value::binding(nix_session.clone(), "fleetConfigurations").await?;
 		let fleet_field = nix_go!(fleet_root.default({ data }));

-- 
gitstuff