Use the nixos-rebuild script

Question

Use the nixos-rebuild script

roberth opened this issue 5 years ago · 6 comments

As noted by zimbatm in #25, the deploy script is starting to look like nixos-rebuild.
It seems like my use case from #25 is actually subsumed by nixos-rebuild, unlike my earlier quick interpretation of the docs. Clearly I didn't find the parenthesized bit from --target-host:

(and no build artifacts will be copied to the local machine)

challenges

nixos-rebuild does need some bootstrapping. nixos-rebuild.sh has a build process that substitutes some dependencies into the script. Replicating this is a step back from the current script, which takes dependencies from the environment, allowing it to run without a proper /nix/store store. This is useful when deploying from restrictive environments without root access or mount namespace capability. So instead of substituting dependencies from the nix store into the script, we should allow values from the environment.

Note: static nix is not officially supported yet, but here's a branch that makes it work on x86_64-linux deployer machines. https://github.com/tweag/terraform-nixos/compare/master...hercules-ci:install-static-user-nix?expand=1

Answer 1 · 2020-03-10T12:27:34.000Z

Assuming that nix is installed on the system, the deploy script could also build and invoke nixos-rebuild.sh on the fly. I don't think it's going to add too much to the invocation time.

Static nix is interesting but seems a bit orthogonal.

Answer 2 · 2020-03-10T12:34:15.000Z

Static nix is what allows us to use nix without a /nix directory.

The nixos-rebuild script as-is won't work if it's not in /nix/store.
Also you'd have to build it, which requires that the deployer is a Nix trusted-user on multi-user systems.

Answer 3 · 2020-03-10T13:37:27.000Z

While it would be nice if the terraform module also worked on machines that didn't have nix installed on them, isn't that an existing requirement because the nixos-instantiate.sh script invokes nix-instantiate?

Answer 4 · 2020-03-10T13:44:45.000Z

Not quite. nixos-instantiate has to be available in the environment, but it does not have to be installed into /nix/store. This works with static nix.

Building any derivations is not feasible in such a restricted environment, but instantiation works.

Answer 5 · 2020-03-10T13:53:56.000Z

Nice. Does that also work on Darwin or does it depend on having user namespaces available?

Answer 6 · 2020-03-10T14:01:33.000Z

No namespaces used. I see no reason why it shouldn't work on Darwin.