

feat sign in remote_derivation

pstpnwwkYaroslav Bolyukin2026-01-22parent: #69498f5.patch.diff
in: trunk

3 files changed

modifiedcrates/fleet-base/src/deploy.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/deploy.rs
+++ b/crates/fleet-base/src/deploy.rs
@@ -259,31 +259,11 @@
 	location: GenerationStorage,
 	generation: PathBuf,
 ) -> Result<PathBuf> {
-	let local_host = config.local_host();
 	if matches!(location, GenerationStorage::Pusher) {
 		bail!("pusher is not enabled in this version of fleet");
 	}
 	if !host.local {
 		info!("uploading system closure");
-		{
-			// TODO: Move to remote_derivation method.
-			// Alternatively, nix store make-content-addressed can be used,
-			// at least for the first deployment, to provide trusted store key.
-			//
-			// It is much slower, yet doesn't require root on the deployer machine.
-			let Ok(mut sign) = local_host.cmd("nix").await else {
-				bail!("failed to setup local");
-			};
-			// Private key for host machine is registered in nix-sign.nix
-			sign.arg("store")
-				.arg("sign")
-				.comparg("--key-file", "/etc/nix/private-key")
-				.arg("-r")
-				.arg(&generation);
-			if let Err(e) = sign.sudo().run_nix().await {
-				warn!("failed to sign store paths: {e}");
-			};
-		}
 		let mut tries = 0;
 		loop {
 			match host.remote_derivation(&generation).await {
modifiedcrates/fleet-base/src/host.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -456,6 +456,20 @@
 			// Path is located locally, thus already trusted.
 			return Ok(path.to_owned());
 		}
+		let mut sign = MyCommand::new(
+			// TODO: Look at the current escalation strategy.
+			// ... or switch to run0 right after polkit update
+			EscalationStrategy::Sudo,
+			"nix",
+		);
+		sign.arg("store")
+			.arg("sign")
+			.comparg("--key-file", "/etc/nix/private-key")
+			.arg("-r")
+			.arg(&path);
+		if let Err(e) = sign.sudo().run_nix().await {
+			warn!("failed to sign store paths: {e}");
+		}
 		let mut nix = MyCommand::new(
 			// Not used
 			EscalationStrategy::Su,
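Review bot: The signing step stays best-effort — `if let Err(e) = sign.sudo().run_nix().await { warn!("failed to sign store paths: {e}"); }` logs and falls through to the copy — but after the move it runs on every `remote_derivation` call, i.e. on each attempt of the retry loop in deploy.rs, and the comment that explained where `/etc/nix/private-key` comes from was dropped in the move. If the remote only accepts signed paths, a missing key or failed signature now surfaces later as a copy error that no longer mentions signing; if the intent is to keep it best-effort, say so next to the warn, e.g. `// Private key for this host is registered in nix-sign.nix; signing is best-effort — if the remote requires signatures, the copy below is what fails.` Separately, `MyCommand::new(EscalationStrategy::Sudo, "nix")` is immediately followed by `.sudo()`, while the adjacent `MyCommand::new(EscalationStrategy::Su, "nix")` is annotated `// Not used`, so it is unclear which of the two actually selects the escalation; settling on one would make the TODO above it actionable. `remote_derivation` begins before this hunk and its body continues past it.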
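--- a/crates/nix-eval/src/lib.rs
+++ b/crates/nix-eval/src/lib.rs
@@ -308,7 +308,6 @@
 }
 
 static GLOBAL_STATE: LazyLock<GlobalState> = LazyLock::new(|| {
-	info!("initializing nix global state");
 	GlobalState::new().expect("global state init shouldn't fail")
 });
 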