diff options
Diffstat (limited to '')
-rw-r--r-- | src/activate.rs | 303 | ||||
-rw-r--r-- | src/main.rs | 439 | ||||
-rw-r--r-- | src/utils/data.rs | 74 | ||||
-rw-r--r-- | src/utils/deploy.rs | 169 | ||||
-rw-r--r-- | src/utils/mod.rs | 233 | ||||
-rw-r--r-- | src/utils/push.rs | 137 |
6 files changed, 1355 insertions, 0 deletions
diff --git a/src/activate.rs b/src/activate.rs new file mode 100644 index 0000000..4fdb59c --- /dev/null +++ b/src/activate.rs @@ -0,0 +1,303 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use clap::Clap; + +use futures_util::FutureExt; +use std::process::Stdio; +use tokio::fs; +use tokio::process::Command; +use tokio::time::timeout; + +use std::time::Duration; + +use futures_util::StreamExt; + +use std::path::Path; + +use inotify::Inotify; + +extern crate pretty_env_logger; +#[macro_use] +extern crate log; + +#[macro_use] +extern crate serde_derive; + +#[macro_use] +mod utils; + +/// Activation portion of the simple Rust Nix deploy tool +#[derive(Clap, Debug)] +#[clap(version = "1.0", author = "notgne2 <gen2@gen2.space>")] +struct Opts { + profile_path: String, + closure: String, + + /// Temp path for any temporary files that may be needed during activation + #[clap(long)] + temp_path: String, + + /// Maximum time to wait for confirmation after activation + #[clap(long)] + confirm_timeout: u16, + + /// Wait for confirmation after deployment and rollback if not confirmed + #[clap(long)] + magic_rollback: bool, + + /// Command for bootstrapping + #[clap(long)] + bootstrap_cmd: Option<String>, + + /// Auto rollback if failure + #[clap(long)] + auto_rollback: bool, +} + +pub async fn deactivate(profile_path: &str) -> Result<(), Box<dyn std::error::Error>> { + error!("De-activating due to error"); + + let nix_env_rollback_exit_status = Command::new("nix-env") + .arg("-p") + .arg(&profile_path) + .arg("--rollback") + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .status() + .await?; + + if !nix_env_rollback_exit_status.success() { + good_panic!("`nix-env --rollback` failed"); + } + + debug!("Listing generations"); + + let nix_env_list_generations_out = Command::new("nix-env") + .arg("-p") + .arg(&profile_path) + .arg("--list-generations") + .output() + .await?; + + if !nix_env_list_generations_out.status.success() { + good_panic!("Listing `nix-env` generations failed"); + } + + let generations_list = String::from_utf8(nix_env_list_generations_out.stdout)?; + + let last_generation_line = generations_list + .lines() + .last() + .expect("Expected to find a generation in list"); + + let last_generation_id = last_generation_line + .split_whitespace() + .next() + .expect("Expected to get ID from generation entry"); + + debug!("Removing generation entry {}", last_generation_line); + warn!("Removing generation by ID {}", last_generation_id); + + let nix_env_delete_generation_exit_status = Command::new("nix-env") + .arg("-p") + .arg(&profile_path) + .arg("--delete-generations") + .arg(last_generation_id) + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .status() + .await?; + + if !nix_env_delete_generation_exit_status.success() { + good_panic!("Failed to delete failed generation"); + } + + info!("Attempting to re-activate the last generation"); + + let re_activate_exit_status = Command::new(format!("{}/deploy-rs-activate", profile_path)) + .env("PROFILE", &profile_path) + .current_dir(&profile_path) + .status() + .await?; + + if !re_activate_exit_status.success() { + good_panic!("Failed to re-activate the last generation"); + } + + Ok(()) +} + +async fn deactivate_on_err<A, B: core::fmt::Debug>(profile_path: &str, r: Result<A, B>) -> A { + match r { + Ok(x) => x, + Err(err) => { + error!("Deactivating due to error: {:?}", err); + match deactivate(profile_path).await { + Ok(_) => (), + Err(err) => { + error!("Error de-activating, uh-oh: {:?}", err); + } + }; + + std::process::exit(1); + } + } +} + +pub async fn activation_confirmation( + profile_path: String, + temp_path: String, + confirm_timeout: u16, + closure: String, +) -> Result<(), Box<dyn std::error::Error>> { + let lock_hash = &closure[11 /* /nix/store/ */ ..]; + let lock_path = format!("{}/activating-{}", temp_path, lock_hash); + + if let Some(parent) = Path::new(&lock_path).parent() { + fs::create_dir_all(parent).await?; + } + + fs::File::create(&lock_path).await?; + + let mut inotify = Inotify::init()?; + inotify.add_watch(lock_path, inotify::WatchMask::DELETE)?; + + match fork::daemon(false, false).map_err(|x| x.to_string())? { + fork::Fork::Child => { + std::thread::spawn(move || { + let mut rt = tokio::runtime::Runtime::new().unwrap(); + + rt.block_on(async move { + info!("Waiting for confirmation event..."); + + let mut buffer = [0; 32]; + let mut stream = + deactivate_on_err(&profile_path, inotify.event_stream(&mut buffer)).await; + + deactivate_on_err( + &profile_path, + deactivate_on_err( + &profile_path, + deactivate_on_err( + &profile_path, + timeout(Duration::from_secs(confirm_timeout as u64), stream.next()) + .await, + ) + .await + .ok_or("Watcher ended prematurely"), + ) + .await, + ) + .await; + }); + }) + .join() + .unwrap(); + + info!("Confirmation successful!"); + + std::process::exit(0); + } + fork::Fork::Parent(_) => { + std::process::exit(0); + } + } +} + +pub async fn activate( + profile_path: String, + closure: String, + bootstrap_cmd: Option<String>, + auto_rollback: bool, + temp_path: String, + confirm_timeout: u16, + magic_rollback: bool, +) -> Result<(), Box<dyn std::error::Error>> { + info!("Activating profile"); + + let nix_env_set_exit_status = Command::new("nix-env") + .arg("-p") + .arg(&profile_path) + .arg("--set") + .arg(&closure) + .stdout(Stdio::null()) + .status() + .await?; + + if !nix_env_set_exit_status.success() { + good_panic!("Failed to update nix-env generation"); + } + + if let (Some(bootstrap_cmd), false) = (bootstrap_cmd, !Path::new(&profile_path).exists()) { + let bootstrap_status = Command::new("bash") + .arg("-c") + .arg(&bootstrap_cmd) + .env("PROFILE", &profile_path) + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .status() + .await; + + match bootstrap_status { + Ok(s) if s.success() => (), + _ => { + tokio::fs::remove_file(&profile_path).await?; + good_panic!("Failed to execute bootstrap command"); + } + } + } + + let activate_status = Command::new(format!("{}/deploy-rs-activate", profile_path)) + .env("PROFILE", &profile_path) + .current_dir(&profile_path) + .status() + .await; + + let activate_status_all = match activate_status { + Ok(s) if s.success() => Ok(()), + Ok(_) => Err(std::io::Error::new(std::io::ErrorKind::Other, "Activation did not succeed")), + Err(x) => Err(x), + }; + + deactivate_on_err(&profile_path, activate_status_all).await; + + info!("Activation succeeded!"); + + if magic_rollback { + info!("Performing activation confirmation steps"); + deactivate_on_err( + &profile_path, + activation_confirmation(profile_path.clone(), temp_path, confirm_timeout, closure) + .await, + ) + .await; + } + + Ok(()) +} + +#[tokio::main] +async fn main() -> Result<(), Box<dyn std::error::Error>> { + if std::env::var("DEPLOY_LOG").is_err() { + std::env::set_var("DEPLOY_LOG", "info"); + } + + pretty_env_logger::init_custom_env("DEPLOY_LOG"); + + let opts: Opts = Opts::parse(); + + activate( + opts.profile_path, + opts.closure, + opts.bootstrap_cmd, + opts.auto_rollback, + opts.temp_path, + opts.confirm_timeout, + opts.magic_rollback, + ) + .await?; + + Ok(()) +} diff --git a/src/main.rs b/src/main.rs new file mode 100644 index 0000000..5dc6bb9 --- /dev/null +++ b/src/main.rs @@ -0,0 +1,439 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use clap::Clap; + +use std::process::Stdio; +use tokio::process::Command; + +use merge::Merge; + +extern crate pretty_env_logger; + +#[macro_use] +extern crate log; + +#[macro_use] +extern crate serde_derive; + +#[macro_use] +mod utils; + +/// Simple Rust rewrite of a simple Nix Flake deployment tool +#[derive(Clap, Debug)] +#[clap(version = "1.0", author = "Serokell <https://serokell.io/>")] +struct Opts { + /// The flake to deploy + #[clap(default_value = ".")] + flake: String, + /// Check signatures when using `nix copy` + #[clap(short, long)] + checksigs: bool, + /// Extra arguments to be passed to nix build + extra_build_args: Vec<String>, + + /// Keep the build outputs of each built profile + #[clap(short, long)] + keep_result: bool, + /// Location to keep outputs from built profiles in + #[clap(short, long)] + result_path: Option<String>, + + /// Skip the automatic pre-build checks + #[clap(short, long)] + skip_checks: bool, + + /// Override the SSH user with the given value + #[clap(long)] + ssh_user: Option<String>, + /// Override the profile user with the given value + #[clap(long)] + profile_user: Option<String>, + /// Override the SSH options used + #[clap(long)] + ssh_opts: Option<String>, + /// Override if the connecting to the target node should be considered fast + #[clap(long)] + fast_connection: Option<bool>, + /// Override if a rollback should be attempted if activation fails + #[clap(long)] + auto_rollback: Option<bool>, + /// Override hostname used for the node + #[clap(long)] + hostname: Option<String>, + /// Make activation wait for confirmation, or roll back after a period of time + #[clap(long)] + magic_rollback: Option<bool>, + /// How long activation should wait for confirmation (if using magic-rollback) + #[clap(long)] + confirm_timeout: Option<u16>, + /// Where to store temporary files (only used by magic-rollback) + #[clap(long)] + temp_path: Option<String>, +} + +async fn push_all_profiles( + node: &utils::data::Node, + node_name: &str, + supports_flakes: bool, + repo: &str, + top_settings: &utils::data::GenericSettings, + check_sigs: bool, + cmd_overrides: &utils::CmdOverrides, + keep_result: bool, + result_path: Option<&str>, +) -> Result<(), Box<dyn std::error::Error>> { + info!("Pushing all profiles for `{}`", node_name); + + let mut profiles_list: Vec<&str> = node + .node_settings + .profiles_order + .iter() + .map(|x| x.as_ref()) + .collect(); + + // Add any profiles which weren't in the provided order list + for profile_name in node.node_settings.profiles.keys() { + if !profiles_list.contains(&profile_name.as_str()) { + profiles_list.push(&profile_name); + } + } + + for profile_name in profiles_list { + let profile = match node.node_settings.profiles.get(profile_name) { + Some(x) => x, + None => good_panic!("No profile was found named `{}`", profile_name), + }; + + let mut merged_settings = top_settings.clone(); + merged_settings.merge(node.generic_settings.clone()); + merged_settings.merge(profile.generic_settings.clone()); + + let deploy_data = utils::make_deploy_data( + top_settings, + node, + node_name, + profile, + profile_name, + cmd_overrides, + )?; + + let deploy_defs = deploy_data.defs(); + + utils::push::push_profile( + supports_flakes, + check_sigs, + repo, + &deploy_data, + &deploy_defs, + keep_result, + result_path, + ) + .await?; + } + + Ok(()) +} + +#[inline] +async fn deploy_all_profiles( + node: &utils::data::Node, + node_name: &str, + top_settings: &utils::data::GenericSettings, + cmd_overrides: &utils::CmdOverrides, +) -> Result<(), Box<dyn std::error::Error>> { + info!("Deploying all profiles for `{}`", node_name); + + let mut profiles_list: Vec<&str> = node + .node_settings + .profiles_order + .iter() + .map(|x| x.as_ref()) + .collect(); + + // Add any profiles which weren't in the provided order list + for profile_name in node.node_settings.profiles.keys() { + if !profiles_list.contains(&profile_name.as_str()) { + profiles_list.push(&profile_name); + } + } + + for profile_name in profiles_list { + let profile = match node.node_settings.profiles.get(profile_name) { + Some(x) => x, + None => good_panic!("No profile was found named `{}`", profile_name), + }; + + let mut merged_settings = top_settings.clone(); + merged_settings.merge(node.generic_settings.clone()); + merged_settings.merge(profile.generic_settings.clone()); + + let deploy_data = utils::make_deploy_data( + top_settings, + node, + node_name, + profile, + profile_name, + cmd_overrides, + )?; + + let deploy_defs = deploy_data.defs(); + + utils::deploy::deploy_profile(&deploy_data, &deploy_defs).await?; + } + + Ok(()) +} + +/// Returns if the available Nix installation supports flakes +#[inline] +async fn test_flake_support() -> Result<bool, Box<dyn std::error::Error>> { + debug!("Checking for flake support"); + + Ok(Command::new("nix") + .arg("eval") + .arg("--expr") + .arg("builtins.getFlake") + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .status() + .await? + .success()) +} + +async fn check_deployment(supports_flakes: bool, repo: &str, extra_build_args: &[String]) -> () { + info!("Running checks for flake in {}", repo); + + let mut c = match supports_flakes { + true => Command::new("nix"), + false => Command::new("nix-build"), + }; + + let mut check_command = match supports_flakes { + true => { + c.arg("flake") + .arg("check") + .arg(repo) + } + false => { + c.arg("-E") + .arg("--no-out-link") + .arg(format!("let r = import {}/.; in (if builtins.isFunction r then (r {{}}) else r).checks.${{builtins.currentSystem}}", repo)) + } + }; + + for extra_arg in extra_build_args { + check_command = check_command.arg(extra_arg); + } + + let check_status = match check_command.status().await { + Ok(x) => x, + Err(err) => good_panic!("Error running checks for the given flake repo: {:?}", err), + }; + + if !check_status.success() { + good_panic!("Checks failed for the given flake repo"); + } + + () +} + +/// Evaluates the Nix in the given `repo` and return the processed Data from it +async fn get_deployment_data( + supports_flakes: bool, + repo: &str, + extra_build_args: &[String], +) -> Result<utils::data::Data, Box<dyn std::error::Error>> { + info!("Evaluating flake in {}", repo); + + let mut c = match supports_flakes { + true => Command::new("nix"), + false => Command::new("nix-instantiate"), + }; + + let mut build_command = match supports_flakes { + true => { + c.arg("eval") + .arg("--json") + .arg(format!("{}#deploy", repo)) + } + false => { + c + .arg("--strict") + .arg("--read-write-mode") + .arg("--json") + .arg("--eval") + .arg("-E") + .arg(format!("let r = import {}/.; in if builtins.isFunction r then (r {{}}).deploy else r.deploy", repo)) + } + }; + + for extra_arg in extra_build_args { + build_command = build_command.arg(extra_arg); + } + + let build_child = build_command.stdout(Stdio::piped()).spawn()?; + + let build_output = build_child.wait_with_output().await?; + + if !build_output.status.success() { + good_panic!( + "Error building deploy props for the provided flake: {}", + repo + ); + } + + let data_json = String::from_utf8(build_output.stdout)?; + + Ok(serde_json::from_str(&data_json)?) +} + +async fn run_deploy( + deploy_flake: utils::DeployFlake<'_>, + data: utils::data::Data, + supports_flakes: bool, + check_sigs: bool, + cmd_overrides: utils::CmdOverrides, + keep_result: bool, + result_path: Option<&str>, +) -> Result<(), Box<dyn std::error::Error>> { + match (deploy_flake.node, deploy_flake.profile) { + (Some(node_name), Some(profile_name)) => { + let node = match data.nodes.get(node_name) { + Some(x) => x, + None => good_panic!("No node was found named `{}`", node_name), + }; + let profile = match node.node_settings.profiles.get(profile_name) { + Some(x) => x, + None => good_panic!("No profile was found named `{}`", profile_name), + }; + + let deploy_data = utils::make_deploy_data( + &data.generic_settings, + node, + node_name, + profile, + profile_name, + &cmd_overrides, + )?; + + let deploy_defs = deploy_data.defs(); + + utils::push::push_profile( + supports_flakes, + check_sigs, + deploy_flake.repo, + &deploy_data, + &deploy_defs, + keep_result, + result_path, + ) + .await?; + + utils::deploy::deploy_profile(&deploy_data, &deploy_defs).await?; + } + (Some(node_name), None) => { + let node = match data.nodes.get(node_name) { + Some(x) => x, + None => good_panic!("No node was found named `{}`", node_name), + }; + + push_all_profiles( + node, + node_name, + supports_flakes, + deploy_flake.repo, + &data.generic_settings, + check_sigs, + &cmd_overrides, + keep_result, + result_path, + ) + .await?; + + deploy_all_profiles(node, node_name, &data.generic_settings, &cmd_overrides).await?; + } + (None, None) => { + info!("Deploying all profiles on all nodes"); + + for (node_name, node) in &data.nodes { + push_all_profiles( + node, + node_name, + supports_flakes, + deploy_flake.repo, + &data.generic_settings, + check_sigs, + &cmd_overrides, + keep_result, + result_path, + ) + .await?; + } + + for (node_name, node) in &data.nodes { + deploy_all_profiles(node, node_name, &data.generic_settings, &cmd_overrides) + .await?; + } + } + (None, Some(_)) => { + good_panic!("Profile provided without a node, this is not (currently) supported") + } + }; + + Ok(()) +} + +#[tokio::main] +async fn main() -> Result<(), Box<dyn std::error::Error>> { + if std::env::var("DEPLOY_LOG").is_err() { + std::env::set_var("DEPLOY_LOG", "info"); + } + + pretty_env_logger::init_custom_env("DEPLOY_LOG"); + + let opts: Opts = Opts::parse(); + + let deploy_flake = utils::parse_flake(opts.flake.as_str()); + + let cmd_overrides = utils::CmdOverrides { + ssh_user: opts.ssh_user, + profile_user: opts.profile_user, + ssh_opts: opts.ssh_opts, + fast_connection: opts.fast_connection, + auto_rollback: opts.auto_rollback, + hostname: opts.hostname, + magic_rollback: opts.magic_rollback, + temp_path: opts.temp_path, + confirm_timeout: opts.confirm_timeout, + }; + + let supports_flakes = test_flake_support().await?; + + if !supports_flakes { + warn!("A Nix version without flakes support was detected, support for this is work in progress"); + } + + if !opts.skip_checks { + check_deployment(supports_flakes, deploy_flake.repo, &opts.extra_build_args).await; + } + + let data = + get_deployment_data(supports_flakes, deploy_flake.repo, &opts.extra_build_args).await?; + + let result_path = opts.result_path.as_deref(); + + run_deploy( + deploy_flake, + data, + supports_flakes, + opts.checksigs, + cmd_overrides, + opts.keep_result, + result_path, + ) + .await?; + + Ok(()) +} diff --git a/src/utils/data.rs b/src/utils/data.rs new file mode 100644 index 0000000..6cf2c5a --- /dev/null +++ b/src/utils/data.rs @@ -0,0 +1,74 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use merge::Merge; + +use std::collections::HashMap; + +#[derive(Deserialize, Debug, Clone, Merge)] +pub struct GenericSettings { + #[serde(rename(deserialize = "sshUser"))] + pub ssh_user: Option<String>, + pub user: Option<String>, + #[serde( + skip_serializing_if = "Vec::is_empty", + default, + rename(deserialize = "sshOpts") + )] + #[merge(strategy = merge::vec::append)] + pub ssh_opts: Vec<String>, + #[serde(rename(deserialize = "fastConnection"))] + pub fast_connection: Option<bool>, + #[serde(rename(deserialize = "autoRollback"))] + pub auto_rollback: Option<bool>, + #[serde(rename(deserialize = "confirmTimeout"))] + pub confirm_timeout: Option<u16>, + #[serde(rename(deserialize = "tempPath"))] + pub temp_path: Option<String>, + #[serde(rename(deserialize = "magicRollback"))] + pub magic_rollback: Option<bool>, +} + +#[derive(Deserialize, Debug, Clone)] +pub struct NodeSettings { + pub hostname: String, + pub profiles: HashMap<String, Profile>, + #[serde( + skip_serializing_if = "Vec::is_empty", + default, + rename(deserialize = "profilesOrder") + )] + pub profiles_order: Vec<String>, +} + +#[derive(Deserialize, Debug, Clone)] +pub struct ProfileSettings { + pub path: String, + pub bootstrap: Option<String>, + #[serde(rename(deserialize = "profilePath"))] + pub profile_path: Option<String>, +} + +#[derive(Deserialize, Debug, Clone)] +pub struct Profile { + #[serde(flatten)] + pub profile_settings: ProfileSettings, + #[serde(flatten)] + pub generic_settings: GenericSettings, +} + +#[derive(Deserialize, Debug, Clone)] +pub struct Node { + #[serde(flatten)] + pub generic_settings: GenericSettings, + #[serde(flatten)] + pub node_settings: NodeSettings, +} + +#[derive(Deserialize, Debug, Clone)] +pub struct Data { + #[serde(flatten)] + pub generic_settings: GenericSettings, + pub nodes: HashMap<String, Node>, +} diff --git a/src/utils/deploy.rs b/src/utils/deploy.rs new file mode 100644 index 0000000..59217df --- /dev/null +++ b/src/utils/deploy.rs @@ -0,0 +1,169 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use std::borrow::Cow; +use tokio::process::Command; + +fn build_activate_command( + activate_path_str: String, + sudo: &Option<String>, + profile_path: &str, + closure: &str, + bootstrap_cmd: &Option<String>, + auto_rollback: bool, + temp_path: &Cow<str>, + confirm_timeout: u16, + magic_rollback: bool, +) -> String { + let mut self_activate_command = format!( + "{} '{}' '{}' --temp-path {} --confirm-timeout {}", + activate_path_str, profile_path, closure, temp_path, confirm_timeout + ); + + if magic_rollback { + self_activate_command = format!("{} --magic-rollback", self_activate_command); + } + + if auto_rollback { + self_activate_command = format!("{} --auto-rollback", self_activate_command); + } + + if let Some(ref bootstrap_cmd) = bootstrap_cmd { + self_activate_command = format!( + "{} --bootstrap-cmd '{}'", + self_activate_command, bootstrap_cmd + ); + } + + if let Some(sudo_cmd) = &sudo { + self_activate_command = format!("{} {}", sudo_cmd, self_activate_command); + } + + self_activate_command +} + +#[test] +fn test_activation_command_builder() { + let activate_path_str = "/blah/bin/activate".to_string(); + let sudo = Some("sudo -u test".to_string()); + let profile_path = "/blah/profiles/test"; + let closure = "/blah/etc"; + let bootstrap_cmd = None; + let auto_rollback = true; + let temp_path = &"/tmp/deploy-rs".into(); + let confirm_timeout = 30; + let magic_rollback = true; + + assert_eq!( + build_activate_command( + activate_path_str, + &sudo, + profile_path, + closure, + &bootstrap_cmd, + auto_rollback, + temp_path, + confirm_timeout, + magic_rollback + ), + "sudo -u test /blah/bin/activate '/blah/profiles/test' '/blah/etc' --temp-path /tmp/deploy-rs --confirm-timeout 30 --magic-rollback --auto-rollback" + .to_string(), + ); +} + +pub async fn deploy_profile( + deploy_data: &super::DeployData<'_>, + deploy_defs: &super::DeployDefs<'_>, +) -> Result<(), Box<dyn std::error::Error>> { + info!( + "Activating profile `{}` for node `{}`", + deploy_data.profile_name, deploy_data.node_name + ); + + let activate_path_str = super::deploy_path_to_activate_path_str(&deploy_defs.current_exe)?; + + let temp_path: Cow<str> = match &deploy_data.merged_settings.temp_path { + Some(x) => x.into(), + None => "/tmp/deploy-rs".into(), + }; + + let confirm_timeout = deploy_data.merged_settings.confirm_timeout.unwrap_or(30); + + let magic_rollback = deploy_data.merged_settings.magic_rollback.unwrap_or(false); + + let auto_rollback = deploy_data.merged_settings.auto_rollback.unwrap_or(true); + + let self_activate_command = build_activate_command( + activate_path_str, + &deploy_defs.sudo, + &deploy_defs.profile_path, + &deploy_data.profile.profile_settings.path, + &deploy_data.profile.profile_settings.bootstrap, + auto_rollback, + &temp_path, + confirm_timeout, + magic_rollback, + ); + + debug!("Constructed activation command: {}", self_activate_command); + + let hostname = match deploy_data.cmd_overrides.hostname { + Some(ref x) => x, + None => &deploy_data.node.node_settings.hostname, + }; + + let mut c = Command::new("ssh"); + let mut ssh_command = c + .arg("-t") + .arg(format!("ssh://{}@{}", deploy_defs.ssh_user, hostname)); + + for ssh_opt in &deploy_data.merged_settings.ssh_opts { + ssh_command = ssh_command.arg(ssh_opt); + } + + let ssh_exit_status = ssh_command.arg(self_activate_command).status().await?; + + if !ssh_exit_status.success() { + good_panic!("Activation over SSH failed"); + } + + info!("Success activating!"); + + if magic_rollback { + info!("Attempting to confirm activation"); + + let mut c = Command::new("ssh"); + let mut ssh_confirm_command = c.arg(format!("ssh://{}@{}", deploy_defs.ssh_user, hostname)); + + for ssh_opt in &deploy_data.merged_settings.ssh_opts { + ssh_confirm_command = ssh_confirm_command.arg(ssh_opt); + } + + let lock_hash = &deploy_data.profile.profile_settings.path[11 /* /nix/store/ */ ..]; + let lock_path = format!("{}/activating-{}", temp_path, lock_hash); + + let mut confirm_command = format!("rm {}", lock_path); + if let Some(sudo_cmd) = &deploy_defs.sudo { + confirm_command = format!("{} {}", sudo_cmd, confirm_command); + } + + debug!( + "Attempting to run command to confirm deployment: {}", + confirm_command + ); + + let ssh_exit_status = ssh_confirm_command.arg(confirm_command).status().await?; + + if !ssh_exit_status.success() { + good_panic!( + "Failed to confirm deployment, the node will roll back in <{} seconds", + confirm_timeout + ); + } + + info!("Deployment confirmed."); + } + + Ok(()) +} diff --git a/src/utils/mod.rs b/src/utils/mod.rs new file mode 100644 index 0000000..a0e62e1 --- /dev/null +++ b/src/utils/mod.rs @@ -0,0 +1,233 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use std::borrow::Cow; +use std::path::PathBuf; + +use merge::Merge; + +#[macro_export] +macro_rules! good_panic { + ($($tts:tt)*) => {{ + error!($($tts)*); + std::process::exit(1); + }} +} + +pub mod data; +pub mod deploy; +pub mod push; + +pub struct CmdOverrides { + pub ssh_user: Option<String>, + pub profile_user: Option<String>, + pub ssh_opts: Option<String>, + pub fast_connection: Option<bool>, + pub auto_rollback: Option<bool>, + pub hostname: Option<String>, + pub magic_rollback: Option<bool>, + pub temp_path: Option<String>, + pub confirm_timeout: Option<u16>, +} + +#[derive(PartialEq, Debug)] +pub struct DeployFlake<'a> { + pub repo: &'a str, + pub node: Option<&'a str>, + pub profile: Option<&'a str>, +} + +pub fn parse_flake(flake: &str) -> DeployFlake { + let flake_fragment_start = flake.find('#'); + let (repo, maybe_fragment) = match flake_fragment_start { + Some(s) => (&flake[..s], Some(&flake[s + 1..])), + None => (flake, None), + }; + + let (node, profile) = match maybe_fragment { + Some(fragment) => { + let fragment_profile_start = fragment.find('.'); + match fragment_profile_start { + Some(s) => (Some(&fragment[..s]), Some(&fragment[s + 1..])), + None => (Some(fragment), None), + } + } + None => (None, None), + }; + + DeployFlake { + repo, + node, + profile, + } +} + +#[test] +fn test_parse_flake() { + assert_eq!( + parse_flake("../deploy/examples/system#example"), + DeployFlake { + repo: "../deploy/examples/system", + node: Some("example"), + profile: None + } + ); + + assert_eq!( + parse_flake("../deploy/examples/system#example.system"), + DeployFlake { + repo: "../deploy/examples/system", + node: Some("example"), + profile: Some("system") + } + ); + + assert_eq!( + parse_flake("../deploy/examples/system"), + DeployFlake { + repo: "../deploy/examples/system", + node: None, + profile: None, + } + ); +} + +pub struct DeployData<'a> { + pub node_name: &'a str, + pub node: &'a data::Node, + pub profile_name: &'a str, + pub profile: &'a data::Profile, + + pub cmd_overrides: &'a CmdOverrides, + + pub merged_settings: data::GenericSettings, +} + +pub struct DeployDefs<'a> { + pub ssh_user: Cow<'a, str>, + pub profile_user: Cow<'a, str>, + pub profile_path: Cow<'a, str>, + pub current_exe: PathBuf, + pub sudo: Option<String>, +} + +impl<'a> DeployData<'a> { + pub fn defs(&'a self) -> DeployDefs<'a> { + let ssh_user: Cow<str> = match self.merged_settings.ssh_user { + Some(ref u) => u.into(), + None => whoami::username().into(), + }; + + let profile_user: Cow<str> = match self.merged_settings.user { + Some(ref x) => x.into(), + None => match self.merged_settings.ssh_user { + Some(ref x) => x.into(), + None => good_panic!( + "Neither user nor sshUser set for profile `{}` of node `{}`", + self.profile_name, + self.node_name + ), + }, + }; + + let profile_path: Cow<str> = match self.profile.profile_settings.profile_path { + None => match &profile_user[..] { + "root" => format!("/nix/var/nix/profiles/{}", self.profile_name).into(), + _ => format!( + "/nix/var/nix/profiles/per-user/{}/{}", + profile_user, self.profile_name + ) + .into(), + }, + Some(ref x) => x.into(), + }; + + let sudo: Option<String> = match self.merged_settings.user { + Some(ref user) if user != &ssh_user => Some(format!("sudo -u {}", user)), + _ => None, + }; + + let current_exe = + std::env::current_exe().expect("Expected to find current executable path"); + + if !current_exe.starts_with("/nix/store/") { + good_panic!("The deploy binary must be in the Nix store"); + } + + DeployDefs { + ssh_user, + profile_user, + profile_path, + current_exe, + sudo, + } + } +} + +pub fn make_deploy_data<'a, 's>( + top_settings: &'s data::GenericSettings, + node: &'a data::Node, + node_name: &'a str, + profile: &'a data::Profile, + profile_name: &'a str, + cmd_overrides: &'a CmdOverrides, +) -> Result<DeployData<'a>, Box<dyn std::error::Error>> { + let mut merged_settings = top_settings.clone(); + merged_settings.merge(node.generic_settings.clone()); + merged_settings.merge(profile.generic_settings.clone()); + + if cmd_overrides.ssh_user.is_some() { + merged_settings.ssh_user = cmd_overrides.ssh_user.clone(); + } + if cmd_overrides.profile_user.is_some() { + merged_settings.user = cmd_overrides.profile_user.clone(); + } + if let Some(ref ssh_opts) = cmd_overrides.ssh_opts { + merged_settings.ssh_opts = ssh_opts.split(' ').map(|x| x.to_owned()).collect(); + } + if let Some(fast_connection) = cmd_overrides.fast_connection { + merged_settings.fast_connection = Some(fast_connection); + } + if let Some(auto_rollback) = cmd_overrides.auto_rollback { + merged_settings.auto_rollback = Some(auto_rollback); + } + if let Some(magic_rollback) = cmd_overrides.magic_rollback { + merged_settings.magic_rollback = Some(magic_rollback); + } + + Ok(DeployData { + profile, + profile_name, + node, + node_name, + + cmd_overrides, + + merged_settings, + }) +} + +pub fn deploy_path_to_activate_path_str( + deploy_path: &std::path::Path, +) -> Result<String, Box<dyn std::error::Error>> { + Ok(format!( + "{}/activate", + deploy_path + .parent() + .ok_or("Deploy path too short")? + .to_str() + .ok_or("Deploy path is not valid utf8")? + .to_owned() + )) +} + +#[test] +fn test_activate_path_generation() { + match deploy_path_to_activate_path_str(&std::path::PathBuf::from( + "/blah/blah/deploy-rs/bin/deploy", + )) { + Err(_) => panic!(""), + Ok(x) => assert_eq!(x, "/blah/blah/deploy-rs/bin/activate".to_string()), + } +} diff --git a/src/utils/push.rs b/src/utils/push.rs new file mode 100644 index 0000000..5e87d5c --- /dev/null +++ b/src/utils/push.rs @@ -0,0 +1,137 @@ +// SPDX-FileCopyrightText: 2020 Serokell <https://serokell.io/> +// +// SPDX-License-Identifier: MPL-2.0 + +use std::process::Stdio; +use tokio::process::Command; + +pub async fn push_profile( + supports_flakes: bool, + check_sigs: bool, + repo: &str, + deploy_data: &super::DeployData<'_>, + deploy_defs: &super::DeployDefs<'_>, + keep_result: bool, + result_path: Option<&str>, +) -> Result<(), Box<dyn std::error::Error>> { + info!( + "Building profile `{}` for node `{}`", + deploy_data.profile_name, deploy_data.node_name + ); + + let mut build_c = if supports_flakes { + Command::new("nix") + } else { + Command::new("nix-build") + }; + + let mut build_command = if supports_flakes { + build_c.arg("build").arg("--no-link").arg(format!( + "{}#deploy.nodes.{}.profiles.{}.path", + repo, deploy_data.node_name, deploy_data.profile_name + )) + } else { + build_c + .arg(&repo) + .arg("--no-out-link") + .arg("-A") + .arg(format!( + "deploy.nodes.{}.profiles.{}.path", + deploy_data.node_name, deploy_data.profile_name + )) + }; + + build_command = match (keep_result, supports_flakes) { + (true, _) => { + let result_path = match result_path { + Some(x) => x, + None => "./.deploy-gc", + }; + + build_command.arg("--out-link").arg(format!( + "{}/{}/{}", + result_path, deploy_data.node_name, deploy_data.profile_name + )) + } + (false, false) => build_command.arg("--no-out-link"), + (false, true) => build_command.arg("--no-link"), + }; + + let build_exit_status = build_command.stdout(Stdio::null()).status().await?; + + if !build_exit_status.success() { + good_panic!("`nix build` failed"); + } + + if let Ok(local_key) = std::env::var("LOCAL_KEY") { + info!( + "Signing key present! Signing profile `{}` for node `{}`", + deploy_data.profile_name, deploy_data.node_name + ); + + let sign_exit_status = Command::new("nix") + .arg("sign-paths") + .arg("-r") + .arg("-k") + .arg(local_key) + .arg(&deploy_data.profile.profile_settings.path) + .arg(&super::deploy_path_to_activate_path_str( + &deploy_defs.current_exe, + )?) + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .status() + .await?; + + if !sign_exit_status.success() { + good_panic!("`nix sign-paths` failed"); + } + } + + debug!( + "Copying profile `{}` to node `{}`", + deploy_data.profile_name, deploy_data.node_name + ); + + let mut copy_command_ = Command::new("nix"); + let mut copy_command = copy_command_.arg("copy"); + + if let Some(true) = deploy_data.merged_settings.fast_connection { + copy_command = copy_command.arg("--substitute-on-destination"); + } + + if !check_sigs { + copy_command = copy_command.arg("--no-check-sigs"); + } + + let ssh_opts_str = deploy_data + .merged_settings + .ssh_opts + // This should provide some extra safety, but it also breaks for some reason, oh well + // .iter() + // .map(|x| format!("'{}'", x)) + // .collect::<Vec<String>>() + .join(" "); + + let hostname = match deploy_data.cmd_overrides.hostname { + Some(ref x) => x, + None => &deploy_data.node.node_settings.hostname, + }; + + let copy_exit_status = copy_command + .arg("--to") + .arg(format!("ssh://{}@{}", deploy_defs.ssh_user, hostname)) + .arg(&deploy_data.profile.profile_settings.path) + .arg(&super::deploy_path_to_activate_path_str( + &deploy_defs.current_exe, + )?) + .env("NIX_SSHOPTS", ssh_opts_str) + .status() + .await?; + + if !copy_exit_status.success() { + good_panic!("`nix copy` failed"); + } + + Ok(()) +} |