

feat sign built systems by default

Yaroslav Bolyukin2023-10-22parent: #7a60d07.patch.diff

6 files changed

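--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -191,6 +191,7 @@
 // TODO: If rollback target exists - bail, it should be removed. Lockfile will not work in case if rollback
 // is scheduler on next boot (default behavior). On current boot - rollback activator will fail due to
 // unit name conflict in systemd-run
+// This code is tied to rollback.nix
 if !build.disable_rollback {
 let _span = info_span!("preparing").entered();
 info!("preparing for rollback");
@@ -334,6 +335,19 @@
 Action::Upload { action } => {
 if !config.is_local(&host) {
 info!("uploading system closure");
+{
+let mut sign = MyCommand::new("sudo");
+// Private key for host machine is registered in nix-sign.nix
+sign.arg("nix")
+.arg("store")
+.arg("sign")
+.comparg("-k", "/etc/nix/private-key")
+.arg("-r")
+.arg(&built);
+if let Err(e) = sign.run_nix().await {
+warn!("Failed to sign store paths: {e}");
+};
+}
 let mut tries = 0;
 loop {
 let mut nix = MyCommand::new("nix");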
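Review bot: The signing step at new lines 347-349 only logs a warning when `nix store sign` fails, so an absent or unreadable `/etc/nix/private-key` (a host that has not yet activated nix-sign.nix, or a refused sudo) still proceeds to upload an unsigned closure, and the failure then surfaces later in the copy loop with a less specific error, or not at all if the receiving host does not require signatures. If signing is meant to be mandatory now that it is the default, propagate the error instead: `sign.run_nix().await?;` — assuming the enclosing function returns a `Result` compatible with `run_nix`'s error type, which lies outside the hunk. If best-effort is the intent, say so in the comment and name the key in the message, e.g. `warn!("Failed to sign store paths with /etc/nix/private-key (see nix-sign.nix), uploading unsigned: {e}");`. The `;` after the `if let` block on line 349 is also unneeded. The enclosing `Action::Upload` arm continues past the end of the hunk.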
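--- a/cmds/fleet/src/command.rs
+++ b/cmds/fleet/src/command.rs
@@ -269,7 +269,7 @@
 drv = pkg;
 }
 }
-info!(target: "nix","copying {} {} -> {}", drv, from, to);
+// info!(target: "nix","copying {} {} -> {}", drv, from, to);
 let span = info_span!("copy", from, to, drv);
 span.pb_start();
 self.spans.insert(id, span);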
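Review bot: Line 272 leaves the old `info!` call commented out instead of removed; commented-out code rots quickly and the history already preserves it. If the message is still wanted at a lower verbosity, `debug!(target: "nix", "copying {} {} -> {}", drv, from, to);` keeps it without duplicating the `copy` span opened on line 273 (assuming the `debug!` macro of the same logging crate as `info!` is imported here), otherwise delete the line outright. The enclosing method starts outside the hunk.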
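--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -3,5 +3,6 @@
 ../meta.nix
 ../secrets.nix
 ../rollback.nix
+../nix-sign.nix
 ]
 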
addednixos/nix-sign.nixdiffbeforeafterboth

no changes

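--- a/nixos/rollback.nix
+++ b/nixos/rollback.nix
@@ -1,3 +1,4 @@
+# Tied to build_systems.rs
 {config, ...}: {
 # TODO: Make it work with systemd-initrd approach.
 # In this case we can't just switch generation and re-run activation script, since the root filesystem might not be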
addedscripts/install-trusted-cert.shdiffbeforeafterboth

no changes