colmena/src/nix/mod.rs

use std::collections::HashMap;
use std::hash::Hash;
use std::ops::Deref;
use std::path::Path;

use serde::de;
use serde::{Deserialize, Deserializer, Serialize};
use users::get_current_username;
use validator::{Validate, ValidationError as ValidationErrorType};

use crate::error::{ColmenaResult, ColmenaError};

pub mod host;
pub use host::{Host, CopyDirection, CopyOptions};
use host::Ssh;

pub mod hive;
pub use hive::{Hive, HivePath};

pub mod store;
pub use store::{StorePath, StoreDerivation, BuildResult};

pub mod key;
pub use key::Key;

pub mod profile;
pub use profile::{Profile, ProfileDerivation};

pub mod deployment;
pub use deployment::Goal;

pub mod info;
pub use info::NixCheck;

pub mod flake;
pub use flake::Flake;

pub mod node_filter;
pub use node_filter::NodeFilter;

/// Path to the main system profile.
pub const SYSTEM_PROFILE: &str = "/nix/var/nix/profiles/system";

/// Path to the system profile that's currently active.
pub const CURRENT_PROFILE: &str = "/run/current-system";

/// A node's attribute name.
#[derive(Serialize, Deserialize, Clone, Debug, Hash, Eq, PartialEq)]
#[serde(transparent)]
pub struct NodeName(
    #[serde(deserialize_with = "NodeName::deserialize")]
    String
);

#[derive(Debug, Clone, Validate, Deserialize)]
pub struct NodeConfig {
    #[serde(rename = "targetHost")]
    target_host: Option<String>,

    #[serde(rename = "targetUser")]
    target_user: Option<String>,

    #[serde(rename = "targetPort")]
    target_port: Option<u16>,

    #[serde(rename = "allowLocalDeployment")]
    allow_local_deployment: bool,

    #[serde(rename = "buildOnTarget")]
    build_on_target: bool,

    tags: Vec<String>,

    #[serde(rename = "replaceUnknownProfiles")]
    replace_unknown_profiles: bool,

    #[serde(rename = "privilegeEscalationCommand")]
    privilege_escalation_command: Vec<String>,

    #[validate(custom = "validate_keys")]
    keys: HashMap<String, Key>,
}

impl NodeName {
    /// Returns the string.
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Creates a NodeName from a String.
    pub fn new(name: String) -> ColmenaResult<Self> {
        let validated = Self::validate(name)?;
        Ok(Self(validated))
    }

    /// Deserializes a potentially-invalid node name.
    fn deserialize<'de, D>(deserializer: D) -> Result<String, D::Error>
        where D: Deserializer<'de>
    {
        use de::Error;
        String::deserialize(deserializer)
            .and_then(|s| {
                Self::validate(s).map_err(|e| Error::custom(e.to_string()))
            })
    }

    fn validate(s: String) -> ColmenaResult<String> {
        // FIXME: Elaborate
        if s.is_empty() {
            return Err(ColmenaError::EmptyNodeName);
        }

        Ok(s)
    }
}

impl Deref for NodeName {
    type Target = str;

    fn deref(&self) -> &str {
        self.0.as_str()
    }
}

impl NodeConfig {
    pub fn tags(&self) -> &[String] { &self.tags }
    pub fn allows_local_deployment(&self) -> bool { self.allow_local_deployment }

    pub fn build_on_target(&self) -> bool { self.build_on_target }
    pub fn set_build_on_target(&mut self, enable: bool) {
        self.build_on_target = enable;
    }

    pub fn to_ssh_host(&self) -> Option<Ssh> {
        self.target_host.as_ref().map(|target_host| {
            let username =
                match &self.target_user {
                    Some(uname) => uname.clone(),
                    None => get_current_username().unwrap().into_string().unwrap(),
                };
            let mut host = Ssh::new(username, target_host.clone());
            host.set_privilege_escalation_command(self.privilege_escalation_command.clone());

            if let Some(target_port) = self.target_port {
                host.set_port(target_port);
            }

            host
        })
    }
}

fn validate_keys(keys: &HashMap<String, Key>) -> Result<(), ValidationErrorType> {
    // Bad secret names:
    // - /etc/passwd
    // - ../../../../../etc/passwd

    for name in keys.keys() {
        let path = Path::new(name);
        if path.has_root() {
            return Err(ValidationErrorType::new("Secret key name cannot be absolute"));
        }

        if path.components().count() != 1 {
            return Err(ValidationErrorType::new("Secret key name cannot contain path separators"));
        }
    }
    Ok(())
}
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`use std::collections::HashMap;`
Refactor node names 2021-11-20 23:34:52 -08:00			`use std::hash::Hash;`
			`use std::ops::Deref;`
nix: Key names can contain one path component only Well, I changed my mind and this should be cleaner. 2021-02-10 18:17:49 -08:00			`use std::path::Path;`
Initial commit 2020-12-15 20:21:26 -08:00
Move nix::NixCommand to util::CommandExt 2022-01-08 01:20:36 -08:00			`use serde::de;`
Refactor node names 2021-11-20 23:34:52 -08:00			`use serde::{Deserialize, Deserializer, Serialize};`
Allow selecting ssh user dynamically ...by setting `deployment.targetUser = null`. This allows sharing a deployment file (hive.nix/flake.nix) between multiple admins, without having to use a shared root account. 2021-10-23 13:22:35 +02:00			`use users::get_current_username;`
Move nix::{NixResult, NixError} to error::{ColmenaResult, ColmenaError} 2022-01-08 01:20:36 -08:00			`use validator::{Validate, ValidationError as ValidationErrorType};`

			`use crate::error::{ColmenaResult, ColmenaError};`
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00
Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`pub mod host;`
Allow disabling --use-substitutes and --gzip during copying 2021-01-13 12:20:27 -08:00			`pub use host::{Host, CopyDirection, CopyOptions};`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`use host::Ssh;`
Initial commit 2020-12-15 20:21:26 -08:00
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00			`pub mod hive;`
Add basic Flakes support Co-authored-by: Alex Zero <joseph@marsden.space> 2021-06-29 01:02:43 -07:00			`pub use hive::{Hive, HivePath};`
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00
			`pub mod store;`
Support building on target nodes This partially addresses #33, and allows Colmena to be used more easily on bandwidth-constrained hosts and macOS. With `deployment.buildOnTarget = true;` deployment works fine from macOS without designated builders, except when IFD is involved. 2022-01-01 16:41:35 -08:00			`pub use store::{StorePath, StoreDerivation, BuildResult};`
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`pub mod key;`
			`pub use key::Key;`

Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00			`pub mod profile;`
Build each node individually Now nodes that take a long time to build won't bottleneck the deployment of other nodes in the same chunk. Fixes #47. 2021-12-07 23:13:31 -08:00			`pub use profile::{Profile, ProfileDerivation};`
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00
			`pub mod deployment;`
Redesign deployment process (again) We now ship Events from different parts of the deployment process via a channel to a job monitor. 2021-11-20 23:34:52 -08:00			`pub use deployment::Goal;`
Initial commit 2020-12-15 20:21:26 -08:00
Add check for Flakes support 2021-06-29 01:02:43 -07:00			`pub mod info;`
			`pub use info::NixCheck;`

Make flake resolution (slightly) less terrible Instead of using `path:` which always copies the entire directory, we now try to resolve the Flake URI using `nix flake metadata` which may give us a `git+file:`. 2021-10-25 23:38:10 -07:00			`pub mod flake;`
			`pub use flake::Flake;`

Refactor node names 2021-11-20 23:34:52 -08:00			`pub mod node_filter;`
			`pub use node_filter::NodeFilter;`

Refactor current profile detection 2022-01-08 01:20:36 -08:00			`/// Path to the main system profile.`
Misc cleanup 2021-11-23 13:33:23 -08:00			`pub const SYSTEM_PROFILE: &str = "/nix/var/nix/profiles/system";`
nix: Also set the system profile... 2020-12-19 16:28:34 -08:00
Refactor current profile detection 2022-01-08 01:20:36 -08:00			`/// Path to the system profile that's currently active.`
			`pub const CURRENT_PROFILE: &str = "/run/current-system";`

Refactor node names 2021-11-20 23:34:52 -08:00			`/// A node's attribute name.`
			`#[derive(Serialize, Deserialize, Clone, Debug, Hash, Eq, PartialEq)]`
			`#[serde(transparent)]`
			`pub struct NodeName(`
			`#[serde(deserialize_with = "NodeName::deserialize")]`
			`String`
			`);`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[derive(Debug, Clone, Validate, Deserialize)]`
Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00			`pub struct NodeConfig {`
Initial commit 2020-12-15 20:21:26 -08:00			`#[serde(rename = "targetHost")]`
Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`target_host: Option<String>,`
Initial commit 2020-12-15 20:21:26 -08:00
			`#[serde(rename = "targetUser")]`
Allow selecting ssh user dynamically ...by setting `deployment.targetUser = null`. This allows sharing a deployment file (hive.nix/flake.nix) between multiple admins, without having to use a shared root account. 2021-10-23 13:22:35 +02:00			`target_user: Option<String>,`
Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00
Allow customization of SSH configurations 2021-02-09 21:02:00 -08:00			`#[serde(rename = "targetPort")]`
			`target_port: Option<u16>,`

Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`#[serde(rename = "allowLocalDeployment")]`
			`allow_local_deployment: bool,`
Support building on target nodes This partially addresses #33, and allows Colmena to be used more easily on bandwidth-constrained hosts and macOS. With `deployment.buildOnTarget = true;` deployment works fine from macOS without designated builders, except when IFD is involved. 2022-01-01 16:41:35 -08:00
			`#[serde(rename = "buildOnTarget")]`
			`build_on_target: bool,`

Initial commit 2020-12-15 20:21:26 -08:00			`tags: Vec<String>,`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00
apply: Add `deployment.replaceUnknownProfiles` option and `--force-replace-unknown-profiles` switch If `deployment.replaceUnknownProfiles` is set to false, a diverged hive config (in a shared git repo for example) won't result in accidentally undoing another applied configuration profile. The deployment option is set to true so that fiction is minimized from aggressive garbage collection, first time profile application and low contention hives. 2021-04-08 01:14:28 -07:00			`#[serde(rename = "replaceUnknownProfiles")]`
			`replace_unknown_profiles: bool,`

Add deployment.privilegeEscalationCommand This adds a NixOps-equivalent option for non-root deployment on remote hosts. Fixes #27. 2021-05-24 00:15:38 -07:00			`#[serde(rename = "privilegeEscalationCommand")]`
			`privilege_escalation_command: Vec<String>,`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`#[validate(custom = "validate_keys")]`
			`keys: HashMap<String, Key>,`
Initial commit 2020-12-15 20:21:26 -08:00			`}`

Refactor node names 2021-11-20 23:34:52 -08:00			`impl NodeName {`
			`/// Returns the string.`
			`pub fn as_str(&self) -> &str {`
			`&self.0`
			`}`

			`/// Creates a NodeName from a String.`
Move nix::{NixResult, NixError} to error::{ColmenaResult, ColmenaError} 2022-01-08 01:20:36 -08:00			`pub fn new(name: String) -> ColmenaResult<Self> {`
Refactor node names 2021-11-20 23:34:52 -08:00			`let validated = Self::validate(name)?;`
			`Ok(Self(validated))`
			`}`

			`/// Deserializes a potentially-invalid node name.`
			`fn deserialize<'de, D>(deserializer: D) -> Result<String, D::Error>`
			`where D: Deserializer<'de>`
			`{`
			`use de::Error;`
			`String::deserialize(deserializer)`
			`.and_then(\|s\| {`
			`Self::validate(s).map_err(\|e\| Error::custom(e.to_string()))`
			`})`
			`}`

Move nix::{NixResult, NixError} to error::{ColmenaResult, ColmenaError} 2022-01-08 01:20:36 -08:00			`fn validate(s: String) -> ColmenaResult<String> {`
Refactor node names 2021-11-20 23:34:52 -08:00			`// FIXME: Elaborate`
Misc cleanup 2021-11-23 13:33:23 -08:00			`if s.is_empty() {`
Move nix::{NixResult, NixError} to error::{ColmenaResult, ColmenaError} 2022-01-08 01:20:36 -08:00			`return Err(ColmenaError::EmptyNodeName);`
Refactor node names 2021-11-20 23:34:52 -08:00			`}`

			`Ok(s)`
			`}`
			`}`

			`impl Deref for NodeName {`
			`type Target = str;`

			`fn deref(&self) -> &str {`
			`self.0.as_str()`
			`}`
			`}`

Redesign deployment process Now evaluation can be automatically split into chunks based on available RAM. All three stages of the deployment process (evaluate, build, apply) can happen concurrently. Fixes #1. 2021-01-24 14:08:48 -08:00			`impl NodeConfig {`
Refactoring and other stuff 2020-12-18 01:27:44 -08:00			`pub fn tags(&self) -> &[String] { &self.tags }`
Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`pub fn allows_local_deployment(&self) -> bool { self.allow_local_deployment }`

Support building on target nodes This partially addresses #33, and allows Colmena to be used more easily on bandwidth-constrained hosts and macOS. With `deployment.buildOnTarget = true;` deployment works fine from macOS without designated builders, except when IFD is involved. 2022-01-01 16:41:35 -08:00			`pub fn build_on_target(&self) -> bool { self.build_on_target }`
			`pub fn set_build_on_target(&mut self, enable: bool) {`
			`self.build_on_target = enable;`
			`}`

Allow customization of SSH configurations 2021-02-09 21:02:00 -08:00			`pub fn to_ssh_host(&self) -> Option<Ssh> {`
Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`self.target_host.as_ref().map(\|target_host\| {`
Allow selecting ssh user dynamically ...by setting `deployment.targetUser = null`. This allows sharing a deployment file (hive.nix/flake.nix) between multiple admins, without having to use a shared root account. 2021-10-23 13:22:35 +02:00			`let username =`
			`match &self.target_user {`
			`Some(uname) => uname.clone(),`
nix: Remove unneeded ok() 2021-10-23 20:49:14 -07:00			`None => get_current_username().unwrap().into_string().unwrap(),`
Allow selecting ssh user dynamically ...by setting `deployment.targetUser = null`. This allows sharing a deployment file (hive.nix/flake.nix) between multiple admins, without having to use a shared root account. 2021-10-23 13:22:35 +02:00			`};`
Misc cleanup 2021-11-23 13:33:23 -08:00			`let mut host = Ssh::new(username, target_host.clone());`
Add deployment.privilegeEscalationCommand This adds a NixOps-equivalent option for non-root deployment on remote hosts. Fixes #27. 2021-05-24 00:15:38 -07:00			`host.set_privilege_escalation_command(self.privilege_escalation_command.clone());`
Allow customization of SSH configurations 2021-02-09 21:02:00 -08:00
			`if let Some(target_port) = self.target_port {`
			`host.set_port(target_port);`
			`}`

Support per-node Nixpkgs overrides and local deployment Also renamed the `network` key to `meta`. 2020-12-19 15:07:29 -08:00			`host`
			`})`
Refactoring and other stuff 2020-12-18 01:27:44 -08:00			`}`
Initial commit 2020-12-15 20:21:26 -08:00			`}`

Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`fn validate_keys(keys: &HashMap<String, Key>) -> Result<(), ValidationErrorType> {`
			`// Bad secret names:`
			`// - /etc/passwd`
			`// - ../../../../../etc/passwd`

			`for name in keys.keys() {`
			`let path = Path::new(name);`
			`if path.has_root() {`
			`return Err(ValidationErrorType::new("Secret key name cannot be absolute"));`
			`}`

Misc cleanup 2021-11-23 13:33:23 -08:00			`if path.components().count() != 1 {`
nix: Key names can contain one path component only Well, I changed my mind and this should be cleaner. 2021-02-10 18:17:49 -08:00			`return Err(ValidationErrorType::new("Secret key name cannot contain path separators"));`
Refactoring and deployment.keys implementation More refactoring of the deployment process, as well as an initial implementation of `deployment.keys`. Fixes #2. 2021-02-08 18:38:14 -08:00			`}`
			`}`
			`Ok(())`
			`}`