

feat sign in remote_derivation

pstpnwwkYaroslav Bolyukin2026-01-22parent: #69498f5.patch.diff
in: trunk

3 files changed

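--- a/crates/fleet-base/src/deploy.rs
+++ b/crates/fleet-base/src/deploy.rs
@@ -259,31 +259,11 @@
  location: GenerationStorage,
  generation: PathBuf,
 ) -> Result<PathBuf> {
- let local_host = config.local_host();
  if matches!(location, GenerationStorage::Pusher) {
  bail!("pusher is not enabled in this version of fleet");
  }
  if !host.local {
  info!("uploading system closure");
- {
- // TODO: Move to remote_derivation method.
- // Alternatively, nix store make-content-addressed can be used,
- // at least for the first deployment, to provide trusted store key.
- //
- // It is much slower, yet doesn't require root on the deployer machine.
- let Ok(mut sign) = local_host.cmd("nix").await else {
- bail!("failed to setup local");
- };
- // Private key for host machine is registered in nix-sign.nix
- sign.arg("store")
- .arg("sign")
- .comparg("--key-file", "/etc/nix/private-key")
- .arg("-r")
- .arg(&generation);
- if let Err(e) = sign.sudo().run_nix().await {
- warn!("failed to sign store paths: {e}");
- };
- }
  let mut tries = 0;
  loop {
  match host.remote_derivation(&generation).await {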
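--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -456,6 +456,20 @@
  // Path is located locally, thus already trusted.
  return Ok(path.to_owned());
  }
+ let mut sign = MyCommand::new(
+ // TODO: Look at the current escalation strategy.
+ // ... or switch to run0 right after polkit update
+ EscalationStrategy::Sudo,
+ "nix",
+ );
+ sign.arg("store")
+ .arg("sign")
+ .comparg("--key-file", "/etc/nix/private-key")
+ .arg("-r")
+ .arg(&path);
+ if let Err(e) = sign.sudo().run_nix().await {
+ warn!("failed to sign store paths: {e}");
+ }
  let mut nix = MyCommand::new(
  // Not used
  EscalationStrategy::Su,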
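--- a/crates/nix-eval/src/lib.rs
+++ b/crates/nix-eval/src/lib.rs
@@ -308,7 +308,6 @@
 }
 
 static GLOBAL_STATE: LazyLock<GlobalState> = LazyLock::new(|| {
- info!("initializing nix global state");
  GlobalState::new().expect("global state init shouldn't fail")
 });
 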