rebuild: Fix display

Rebuild: Separate evaluation
remote-builds: Fix host key verification
2025-01-23 18:19:49 +01:00 · 2025-01-23 18:17:09 +01:00 · 2025-01-23 17:34:20 +01:00
3 changed files with 14 additions and 6 deletions
--- a/flake.nix
+++ b/flake.nix
@ -153,6 +153,7 @@
                      runtimeInputs = with pkgs; [
                        nix-output-monitor
                        nixos-rebuild
+                        jq
                      ];
                      text = builtins.readFile ./os/rebuild.sh;
                    }
--- a/os/rebuild.sh
+++ b/os/rebuild.sh
@ -24,12 +24,15 @@ then
  exit 2
 fi

-info "Building"
-tmpdir="$(mktemp -d)"
+info "Evaluating"
+# Evaluating can take a lot of memory, and Nix doesn't free it until the program ends,
+# which can be limiting on memory-constrained devices. Hence the build step is separate.
+# nix eval doesn't use the eval cache, so we do a nix build --dry-run
 # sudo so the eval cache is shared with nixos-rebuild
-sudo nom build "$self#nixosConfigurations.$HOSTNAME.config.system.build.toplevel" -o "$tmpdir/toplevel" "$@"
-toplevel="$(readlink -f "$tmpdir/toplevel")"
-rm -rf "$tmpdir"
+toplevel=$(time sudo nix build "$self#nixosConfigurations.$HOSTNAME.config.system.build.toplevel" --dry-run --json | jq '.[0].outputs.out' -r)
+
+info "Building"
+sudo nom build "$toplevel" --no-link "$@"

 info "Showing diff"
 nvd diff "$(readlink -f /nix/var/nix/profiles/system)" "$toplevel"
@ -47,7 +50,6 @@ do
 done <<< "$(ls /nix/var/nix/profiles/system/specialisation)"

 # Apply
-info "Applying"
 confirm="n"
 if [ "$verb" = "confirm" ]
 then
@ -56,6 +58,7 @@ then
 fi
 if [ "$verb" = "test" ] || [ "$verb" = "switch" ] || [ "$confirm" = "y" ]
 then
+  info "Applying"
  "$toplevel/bin/update-password-store"
  sudo nixos-rebuild --flake "$self#$HOSTNAME" test "${specialisationArgs[@]}" "$@"
 fi
@ -68,5 +71,6 @@ then
 fi
 if [ "$verb" = "boot" ] || [ "$verb" = "switch" ] || [ "$confirm" = "y" ]
 then
+  info "Setting as boot"
  sudo nixos-rebuild --flake "$self#$HOSTNAME" boot "$@"
 fi
--- a/os/remote-builds/default.nix
+++ b/os/remote-builds/default.nix
@ -54,7 +54,10 @@ in
                  ControlPath ~/.ssh/master-%r@%n:%p
                  ControlPersist 60s
                  VerifyHostKeyDNS yes
+                  UpdateHostKeys yes
              '') vivariumBuilders
+              # Check SSHFP records so hopefully no need to manually add SSH host keys,
+              # yet add them to known_hosts should we not be using DNSSEC-validating DNS.
            )
          )
        } > /root/.ssh/config
Author	SHA1	Message	Date
Geoffrey Frogeye	cce96e063d	rebuild: Fix display	2025-01-23 18:19:49 +01:00
Geoffrey Frogeye	cd4536c53b	Rebuild: Separate evaluation	2025-01-23 18:17:09 +01:00
Geoffrey Frogeye	fafc4d45b7	remote-builds: Fix host key verification	2025-01-23 17:34:20 +01:00