yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'nixosModules/clanCore: support nix-darwin' (#3287) from nix-darwin into main

Browse Source 
Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3287
This commit is contained in:
Michael Hoang
2025-04-22 13:50:38 +00:00
parent c1320192d0 f4b8f2e858
commit bf5bfbdc4d
20 changed files with 233 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/build-clan/eval-docs.nix
View File

@@ -1,6 +1,7 @@
{ pkgs, lib }:
let
eval = lib.evalModules {
class = "nixos";
modules = [
./interface.nix
];

46
lib/build-clan/machineModules/forName.nix
View File

@@ -9,30 +9,24 @@
...
}:
{
imports = [
{
imports = builtins.filter builtins.pathExists (
[
"${directory}/machines/${name}/configuration.nix"
]
++ lib.optionals (_class == "nixos") [
"${directory}/machines/${name}/hardware-configuration.nix"
"${directory}/machines/${name}/disko.nix"
]
);
}
(lib.optionalAttrs (_class == "nixos") {
clan.core.settings = {
inherit (meta) name icon;
inherit directory;
machine = {
inherit name;
};
};
})
# TODO: move into nixos modules
({
networking.hostName = lib.mkDefault name;
})
];
imports = builtins.filter builtins.pathExists (
[
"${directory}/machines/${name}/configuration.nix"
]
++ lib.optionals (_class == "nixos") [
"${directory}/machines/${name}/hardware-configuration.nix"
"${directory}/machines/${name}/disko.nix"
]
);
clan.core.settings = {
inherit (meta) name icon;
inherit directory;
machine = {
inherit name;
};
};
# TODO: move into nixosModules
networking.hostName = lib.mkDefault name;
}

18
lib/build-clan/module.nix
View File

@@ -221,17 +221,11 @@ in
# machine specifics
machines = configsPerSystem;
all-machines-json =
if !lib.hasAttrByPath [ "darwinModules" "clanCore" ] clan-core then
lib.mapAttrs (
system: configs:
nixpkgs.legacyPackages.${system}.writers.writeJSON "machines.json" (
lib.mapAttrs (_: m: m.config.system.clan.deployment.data) (
lib.filterAttrs (_n: v: v.class == "nixos") configs
)
)
) configsPerSystem
else
throw "remove NixOS filter and support nix-darwin as well";
all-machines-json = lib.mapAttrs (
system: configs:
nixpkgs.legacyPackages.${system}.writers.writeJSON "machines.json" (
lib.mapAttrs (_: m: m.config.system.clan.deployment.data) configs
)
) configsPerSystem;
};
}

2
lib/inventory/eval-clan-modules/default.nix
View File

@@ -28,6 +28,7 @@ let
}:
let
evaled = lib.evalModules {
class = "nixos";
modules = [
(baseModule { inherit pkgs; })
{
@@ -83,6 +84,7 @@ let
name = role;
value =
(lib.evalModules {
class = "nixos";
modules = [
(baseModule { inherit pkgs; })
clan-core.nixosModules.clanCore

45
nixosModules/clanCore/default.nix
View File

@@ -1,23 +1,26 @@
{ _class, lib, ... }:
{
imports = [
./backups.nix
./defaults.nix
./facts
./inventory
./meta/interface.nix
./metadata.nix
./networking.nix
./nixos-facter.nix
./nix-settings.nix
./options.nix
./outputs.nix
./schema.nix
./sops.nix
./vars
./vm.nix
./wayland-proxy-virtwl.nix
./zerotier
./zfs.nix
];
imports =
[
./backups.nix
./defaults.nix
./facts
./inventory
./meta/interface.nix
./metadata.nix
./networking.nix
./nix-settings.nix
./options.nix
./outputs.nix
./schema.nix
./sops.nix
./vars
]
++ lib.optionals (_class == "nixos") [
./nixos-facter.nix
./vm.nix
./wayland-proxy-virtwl.nix
./zerotier
./zfs.nix
];
}

27
nixosModules/clanCore/defaults.nix
View File

@@ -1,10 +1,27 @@
{
_class,
lib,
config,
pkgs,
...
}:
{
imports = lib.optional (_class == "nixos") (
lib.mkIf config.clan.core.enableRecommendedDefaults {
# Use systemd during boot as well except:
# - systems with raids as this currently require manual configuration: https://github.com/NixOS/nixpkgs/issues/210210
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
environment.ldso32 = null;
environment.systemPackages = [
pkgs.nixos-facter # for `clan machines update-hardware-config --backend nixos-facter`
];
}
);
options.clan.core.enableRecommendedDefaults = lib.mkOption {
type = lib.types.bool;
description = ''
@@ -20,11 +37,6 @@
};
config = lib.mkIf config.clan.core.enableRecommendedDefaults {
# Use systemd during boot as well except:
# - systems with raids as this currently require manual configuration: https://github.com/NixOS/nixpkgs/issues/210210
# - for containers we currently rely on the `stage-2` init script that sets up our /etc
boot.initrd.systemd.enable = lib.mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
# This disables the HTML manual and `nixos-help` command but leaves
# `man configuration.nix`
documentation.doc.enable = lib.mkDefault false;
@@ -32,9 +44,6 @@
# Work around for https://github.com/NixOS/nixpkgs/issues/124215
documentation.info.enable = lib.mkDefault false;
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
environment.ldso32 = null;
environment.systemPackages = [
# essential debugging tools for networked services
pkgs.dnsutils
@@ -43,8 +52,6 @@
pkgs.jq
pkgs.htop
pkgs.nixos-facter # for `clan machines update-hardware-config --backend nixos-facter`
pkgs.gitMinimal
];
};

39
nixosModules/clanCore/networking.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }:
{
_class,
config,
lib,
...
}:
{
options.clan.core = {
networking = {
@@ -96,23 +101,25 @@
]
)
];
config = lib.mkIf config.clan.core.enableRecommendedDefaults {
# conflicts with systemd-resolved
networking.useHostResolvConf = false;
config = lib.optionalAttrs (_class == "nixos") (
lib.mkIf config.clan.core.enableRecommendedDefaults {
# conflicts with systemd-resolved
networking.useHostResolvConf = false;
# Allow PMTU / DHCP
networking.firewall.allowPing = true;
# Allow PMTU / DHCP
networking.firewall.allowPing = true;
# The notion of "online" is a broken concept
# https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13
systemd.services.NetworkManager-wait-online.enable = false;
systemd.network.wait-online.enable = false;
# The notion of "online" is a broken concept
# https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13
systemd.services.NetworkManager-wait-online.enable = false;
systemd.network.wait-online.enable = false;
systemd.network.networks."99-ethernet-default-dhcp".networkConfig.MulticastDNS = lib.mkDefault true;
systemd.network.networks."99-wireless-client-dhcp".networkConfig.MulticastDNS = lib.mkDefault true;
networking.firewall.allowedUDPPorts = [ 5353 ]; # Multicast DNS
systemd.network.networks."99-ethernet-default-dhcp".networkConfig.MulticastDNS = lib.mkDefault true;
systemd.network.networks."99-wireless-client-dhcp".networkConfig.MulticastDNS = lib.mkDefault true;
networking.firewall.allowedUDPPorts = [ 5353 ]; # Multicast DNS
# Use networkd instead of the pile of shell scripts
networking.useNetworkd = lib.mkDefault true;
};
# Use networkd instead of the pile of shell scripts
networking.useNetworkd = lib.mkDefault true;
}
);
}

49
nixosModules/clanCore/nix-settings.nix
View File

@@ -1,27 +1,38 @@
{ lib, config, ... }:
{
_class,
lib,
config,
...
}:
# Taken from:
# https://github.com/nix-community/srvos/blob/main/nixos/common/nix.nix
lib.mkIf config.clan.core.enableRecommendedDefaults {
# Fallback quickly if substituters are not available.
nix.settings.connect-timeout = 5;
{
imports = lib.optional (_class == "nixos") (
lib.mkIf config.clan.core.enableRecommendedDefaults {
nix.daemonCPUSchedPolicy = lib.mkDefault "batch";
nix.daemonIOSchedClass = lib.mkDefault "idle";
nix.daemonIOSchedPriority = lib.mkDefault 7;
}
);
# Enable flakes
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
config = lib.mkIf config.clan.core.enableRecommendedDefaults {
# Fallback quickly if substituters are not available.
nix.settings.connect-timeout = 5;
# The default at 10 is rarely enough.
nix.settings.log-lines = lib.mkDefault 25;
# Enable flakes
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Avoid disk full issues
nix.settings.max-free = lib.mkDefault (3000 * 1024 * 1024);
nix.settings.min-free = lib.mkDefault (512 * 1024 * 1024);
# The default at 10 is rarely enough.
nix.settings.log-lines = lib.mkDefault 25;
nix.daemonCPUSchedPolicy = lib.mkDefault "batch";
nix.daemonIOSchedClass = lib.mkDefault "idle";
nix.daemonIOSchedPriority = lib.mkDefault 7;
# Avoid disk full issues
nix.settings.max-free = lib.mkDefault (3000 * 1024 * 1024);
nix.settings.min-free = lib.mkDefault (512 * 1024 * 1024);
# Avoid copying unnecessary stuff over SSH
nix.settings.builders-use-substitutes = true;
# Avoid copying unnecessary stuff over SSH
nix.settings.builders-use-substitutes = true;
};
}

1
nixosModules/clanCore/nixos-facter.nix
View File

@@ -6,6 +6,7 @@ let
hwConfig = "${directory}/machines/${machineName}/hardware-configuration.nix";
in
{
_class = "nixos";
facter.reportPath = lib.mkIf (builtins.pathExists facterJson) facterJson;
warnings =
lib.optionals

19
nixosModules/clanCore/vars/default.nix
View File

@@ -1,4 +1,5 @@
{
_class,
lib,
config,
pkgs,
@@ -9,18 +10,22 @@ let
submodule =
module:
submoduleWith {
class = _class;
specialArgs.pkgs = pkgs;
modules = [ module ];
};
in
{
imports = [
./public/in_repo.nix
./secret/fs.nix
./secret/password-store.nix
./secret/sops
./secret/vm.nix
];
imports =
[
./public/in_repo.nix
./secret/fs.nix
./secret/sops
./secret/vm.nix
]
++ lib.optionals (_class == "nixos") [
./secret/password-store.nix
];
options.clan.core.vars = lib.mkOption {
description = ''
Generated Variables

4
nixosModules/clanCore/vars/interface.nix
View File

@@ -1,4 +1,5 @@
{
_class,
lib,
config,
pkgs,
@@ -271,7 +272,8 @@ in
};
group = lib.mkOption {
description = "The group name or id that will own the file.";
default = "root";
default = if _class == "darwin" then "wheel" else "root";
defaultText = lib.literalExpression ''if _class == "darwin" then "wheel" else "root"'';
};
mode = lib.mkOption {
type = lib.types.strMatching "^[0-7]{3}$";

2
nixosModules/clanCore/vars/secret/password-store.nix
View File

@@ -52,6 +52,8 @@ let
in
{
_class = "nixos";
options.clan.vars.password-store = {
secretLocation = lib.mkOption {
type = lib.types.path;

2
nixosModules/clanCore/vm.nix
View File

@@ -122,6 +122,8 @@ let
vmConfig = extendModules { modules = [ vmModule ]; };
in
{
_class = "nixos";
options = {
clan.virtualisation = {
cores = lib.mkOption {

1
nixosModules/clanCore/wayland-proxy-virtwl.nix
View File

@@ -5,6 +5,7 @@
...
}:
{
_class = "nixos";
options = {
# maybe upstream this?
services.wayland-proxy-virtwl = {

2
nixosModules/clanCore/zfs.nix
View File

@@ -1,5 +1,7 @@
{ lib, config, ... }:
{
_class = "nixos";
# Use the same default hostID as the NixOS install ISO and nixos-anywhere.
# This allows us to import zfs pool without using a force import.
# ZFS has this as a safety mechanism for networked block storage (ISCSI), but

56
nixosModules/flake-module.nix
View File

@@ -1,25 +1,37 @@
{ inputs, self, ... }:
let
clanCore =
{
_class,
pkgs,
lib,
...
}:
{
imports =
[
./clanCore
inputs.sops-nix."${_class}Modules".sops
]
++ lib.optionals (_class == "nixos") [
inputs.nixos-facter-modules.nixosModules.facter
inputs.disko.nixosModules.default
inputs.data-mesher.nixosModules.data-mesher
];
config = {
clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.hostPlatform.system};
};
};
in
{
flake.nixosModules = {
hidden-ssh-announce.imports = [ ./hidden-ssh-announce.nix ];
bcachefs.imports = [ ./bcachefs.nix ];
installer.imports = [
./installer
self.nixosModules.hidden-ssh-announce
self.nixosModules.bcachefs
];
clanCore.imports = [
inputs.sops-nix.nixosModules.sops
inputs.nixos-facter-modules.nixosModules.facter
inputs.disko.nixosModules.default
inputs.data-mesher.nixosModules.data-mesher
./clanCore
(
{ pkgs, lib, ... }:
{
clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.hostPlatform.system};
}
)
];
};
flake.nixosModules.hidden-ssh-announce = ./hidden-ssh-announce.nix;
flake.nixosModules.bcachefs = ./bcachefs.nix;
flake.nixosModules.installer.imports = [
./installer
self.nixosModules.hidden-ssh-announce
self.nixosModules.bcachefs
];
flake.nixosModules.clanCore = clanCore;
flake.darwinModules.clanCore = clanCore;
}

24
pkgs/clan-cli/clan_cli/machines/machines.py
View File

@@ -7,11 +7,12 @@ from functools import cached_property
from pathlib import Path
from typing import TYPE_CHECKING, Any, Literal
from clan_cli.cmd import Log, RunOpts, run_no_stdout
from clan_cli.errors import ClanCmdError, ClanError
from clan_cli.facts import public_modules as facts_public_modules
from clan_cli.facts import secret_modules as facts_secret_modules
from clan_cli.flake import Flake
from clan_cli.nix import nix_config, nix_test_store
from clan_cli.nix import nix_config, nix_eval, nix_test_store
from clan_cli.ssh.host import Host
from clan_cli.ssh.host_key import HostKeyCheck
from clan_cli.ssh.parse import parse_deployment_address
@@ -196,6 +197,27 @@ class Machine:
meta={"machine": self, "target_host": self.target_host},
)
@cached_property
def deploy_as_root(self) -> bool:
if self._class_ == "nixos":
return True
# Currently nix-darwin HEAD requires you to deploy as a non-root user
# however there is a soon to be merged PR that requires deployment
# as root to match NixOS: https://github.com/nix-darwin/nix-darwin/pull/1341
return json.loads(
run_no_stdout(
nix_eval(
[
f"{self.flake}#darwinConfigurations.{self.name}.options.system",
"--apply",
"system: system ? primaryUser",
]
),
RunOpts(log=Log.NONE),
).stdout.strip()
)
def nix(
self,
attr: str,

44
pkgs/clan-cli/clan_cli/machines/update.py
View File

@@ -138,7 +138,6 @@ def deploy_machines(machines: list[Machine]) -> None:
nix_options = [
"--show-trace",
"--fast",
"--option",
"keep-going",
"true",
@@ -146,30 +145,37 @@ def deploy_machines(machines: list[Machine]) -> None:
"accept-flake-config",
"true",
"-L",
"--build-host",
"",
*machine.nix_options,
"--flake",
f"{path}#{machine.name}",
]
switch_cmd = ["nixos-rebuild", "switch", *nix_options]
test_cmd = ["nixos-rebuild", "test", *nix_options]
become_root = machine.deploy_as_root
target_host: Host | None = host.meta.get("target_host")
if target_host:
switch_cmd.extend(["--target-host", target_host.target])
test_cmd.extend(["--target-host", target_host.target])
if machine._class_ == "nixos":
nix_options += [
"--fast",
"--build-host",
"",
]
if (target_host and target_host.user != "root") or host.user != "root":
switch_cmd.extend(["--use-remote-sudo"])
test_cmd.extend(["--use-remote-sudo"])
target_host: Host | None = host.meta.get("target_host")
if target_host:
become_root = False
nix_options += ["--target-host", target_host.target]
if target_host.user != "root":
nix_options += ["--use-remote-sudo"]
switch_cmd = [f"{machine._class_}-rebuild", "switch", *nix_options]
test_cmd = [f"{machine._class_}-rebuild", "test", *nix_options]
env = host.nix_ssh_env(None)
ret = host.run(
switch_cmd,
RunOpts(check=False, msg_color=MsgColor(stderr=AnsiColor.DEFAULT)),
extra_env=env,
become_root=become_root,
)
# Last output line (config store path) is printed to stdout instead of stderr
@@ -192,11 +198,16 @@ def deploy_machines(machines: list[Machine]) -> None:
test_cmd if is_mobile else switch_cmd,
RunOpts(msg_color=MsgColor(stderr=AnsiColor.DEFAULT)),
extra_env=env,
become_root=True,
become_root=become_root,
)
with AsyncRuntime() as runtime:
for machine in machines:
if machine._class_ == "darwin":
if not machine.deploy_as_root and machine.target_host.user == "root":
msg = f"'TargetHost' should be set to a non-root user for deploying to nix-darwin on machine '{machine.name}'"
raise ClanError(msg)
machine.info(f"Updating {machine.name}")
runtime.async_run(
AsyncOpts(
@@ -231,8 +242,6 @@ def update_command(args: argparse.Namespace) -> None:
if len(args.machines) == 0:
ignored_machines = []
for machine in get_all_machines(args.flake, args.option):
if machine._class_ == "darwin":
continue
if machine.deployment.get("requireExplicitUpdate", False):
continue
try:
@@ -260,11 +269,6 @@ def update_command(args: argparse.Namespace) -> None:
machine.override_build_host = args.build_host
machine.host_key_check = HostKeyCheck.from_str(args.host_key_check)
for machine in machines:
if machine._class_ == "darwin":
machine.error("Updating macOS machines is not yet supported")
sys.exit(1)
config = nix_config()
system = config["system"]
machine_names = [machine.name for machine in machines]

4
pkgs/clan-cli/clan_cli/ssh/host.py
View File

@@ -38,13 +38,15 @@ class Host:
def __post_init__(self) -> None:
if not self.command_prefix:
self.command_prefix = self.host
if not self.user:
self.user = "root"
def __str__(self) -> str:
return self.target
@property
def target(self) -> str:
return f"{self.user or 'root'}@{self.host}"
return f"{self.user}@{self.host}"
@classmethod
def from_host(cls, host: "Host") -> "Host":

4
pkgs/clan-cli/clan_cli/tests/test_ssh_remote.py
View File

@@ -114,7 +114,9 @@ def test_parse_deployment_address(
assert result.host == expected_host
assert result.port == expected_port
assert result.user == expected_user
assert result.user == expected_user or (
expected_user == "" and result.user == "root"
)
assert result.ssh_options == expected_options