--- a/crates/fleet-base/src/deploy.rs
+++ b/crates/fleet-base/src/deploy.rs
@@ -259,31 +259,11 @@
 location: GenerationStorage,
 generation: PathBuf,
 ) -> Result {
- let local_host = config.local_host();
 if matches!(location, GenerationStorage::Pusher) {
 bail!("pusher is not enabled in this version of fleet");
 }
 if !host.local {
 info!("uploading system closure");
- {
- // TODO: Move to remote_derivation method.
- // Alternatively, nix store make-content-addressed can be used,
- // at least for the first deployment, to provide trusted store key.
- //
- // It is much slower, yet doesn't require root on the deployer machine.
- let Ok(mut sign) = local_host.cmd("nix").await else {
- bail!("failed to setup local");
- };
- // Private key for host machine is registered in nix-sign.nix
- sign.arg("store")
- .arg("sign")
- .comparg("--key-file", "/etc/nix/private-key")
- .arg("-r")
- .arg(&generation);
- if let Err(e) = sign.sudo().run_nix().await {
- warn!("failed to sign store paths: {e}");
- };
- }
 let mut tries = 0;
 loop {
 match host.remote_derivation(&generation).await {
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -456,6 +456,20 @@
 // Path is located locally, thus already trusted.
 return Ok(path.to_owned());
 }
+ let mut sign = MyCommand::new(
+ // TODO: Look at the current escalation strategy.
+ // ... or switch to run0 right after polkit update
+ EscalationStrategy::Sudo,
+ "nix",
+ );
+ sign.arg("store")
+ .arg("sign")
+ .comparg("--key-file", "/etc/nix/private-key")
+ .arg("-r")
+ .arg(&path);
+ if let Err(e) = sign.sudo().run_nix().await {
+ warn!("failed to sign store paths: {e}");
+ }
 let mut nix = MyCommand::new(
 // Not used
 EscalationStrategy::Su,
--- a/crates/nix-eval/src/lib.rs
+++ b/crates/nix-eval/src/lib.rs
@@ -308,7 +308,6 @@
 }
 static GLOBAL_STATE: LazyLock = LazyLock::new(|| {
- info!("initializing nix global state");
 GlobalState::new().expect("global state init shouldn't fail")
 });
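Review bot: In the signing block added to host.rs, a failed `nix store sign` is only logged with `warn!` and the function carries on to copy the path, so an unreadable or missing `/etc/nix/private-key` (or a sudo prompt failing in a non-interactive run) either ships an unsigned closure to a remote that happens to accept it or surfaces later as a less specific "lacks a signature by a trusted key" error, depending on the remote's `require-sigs` setting, which is not visible here. Since the block exists precisely to make the remote trust these paths, propagating the error looks safer than best-effort, e.g. `sign.sudo().run_nix().await.context("signing store paths with /etc/nix/private-key")?;` if `anyhow::Context` is in scope (otherwise `bail!` with the same message), or, if best-effort is intended, a one-line comment saying why an unsigned copy is acceptable. The deleted `// Private key for host machine is registered in nix-sign.nix` note should also move here, since the hardcoded key path is otherwise unexplained. Passing `EscalationStrategy::Sudo` to `MyCommand::new` and then calling `.sudo()` specifies escalation twice; if the constructor honours its strategy argument one of the two is redundant, and the `// Not used` comment on the neighbouring `MyCommand::new` suggests it may not. The enclosing function starts before and continues after this hunk.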