diff --git a/nixos/roles/laminar/default.nix b/nixos/roles/laminar/default.nix
index 2490b030..6e270e66 100644
--- a/nixos/roles/laminar/default.nix
+++ b/nixos/roles/laminar/default.nix
@@ -4,6 +4,8 @@ let
 stateDir = "/var/lib/laminar";
 cfgDir = "${stateDir}/cfg";
 cfg = config.services.laminar;
+ cacheResult = "${pkgs.writeShellScript "cache-result-as-root"
+ "${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
 in {
 options = {
 services.laminar = {
@@ -21,6 +23,14 @@ in {
 };
 imports = [ ./kassandra.nix ./test-config.nix ];
 config = {
+ security.sudo.extraRules = let allowedCommands = [ cacheResult ];
+ in [{
+ commands = map (command: {
+ inherit command;
+ options = [ "NOPASSWD" ];
+ }) allowedCommands;
+ users = [ "laminar" ];
+ }];
 services.laminar.cfgFiles = {
 env = builtins.toFile "laminar-env" ''
 TIMEOUT=14400
@@ -31,6 +41,9 @@ in {
 ghcEnv.PATH = "${lib.makeBinPath [ pkgs.laminar pkgs.nix ]}:$PATH";
 ghcArgs = [ "-threaded" ];
 } (builtins.readFile ./nix-jobs.hs);
+ "cache-result" = pkgs.writeShellScript "cache-result" ''
+ /run/wrappers/bin/sudo ${cacheResult} $1 $2
+ '';
 };
 jobs = {
 "nix-build.run" = pkgs.writeShellScript "nix-build" ''
diff --git a/nixos/roles/laminar/kassandra.nix b/nixos/roles/laminar/kassandra.nix
index 7522ed31..f060d2a3 100644
--- a/nixos/roles/laminar/kassandra.nix
+++ b/nixos/roles/laminar/kassandra.nix
@@ -16,6 +16,7 @@ let
 drv=$(readlink -f $(nix-instantiate release.nix -A ${name} --add-root ./drv --indirect $FLAGS))
 echo "Evaluation done."
 nix-jobs realise $drv
+ cache-result $drv kassandra-${name}-result
 '';
 in {
 services.laminar.cfgFiles.jobs = {
diff --git a/nixos/roles/laminar/test-config.nix b/nixos/roles/laminar/test-config.nix
index d6be87ba..e0ef89af 100644
--- a/nixos/roles/laminar/test-config.nix
+++ b/nixos/roles/laminar/test-config.nix
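Review bot: The new `cache-result-as-root` script runs `nix-store` as root with `$1` and `$2` unquoted and unchecked, and `$2` is spliced straight into a path under `/var/cache/gc-links`; because the sudo rule added in the second hunk lists the command with no argument pattern and with NOPASSWD, argument validation has to happen inside this script, and none does. The `cache-result` wrapper in the third hunk forwards `$1 $2` unquoted as well, so word splitting can turn one caller argument into several before sudo is reached. Both call sites on this page pass a store path and a fixed-prefix link name, so the script can insist on exactly two arguments, a `/nix/store/` path as `$1` and a bare file name as `$2`, and quote both expansions; the wrapper line should become `/run/wrappers/bin/sudo ${cacheResult} "$1" "$2"`. A short comment on the binding stating that it is reachable via sudo from the `laminar` user would help whoever edits it next.
```nix
  cacheResult = "${pkgs.writeShellScript "cache-result-as-root" ''
    # Reachable by the laminar user through the NOPASSWD sudo rule below, so
    # the arguments are untrusted: exactly two, a store path and a bare link name.
    [ "$#" -eq 2 ] || exit 1
    case "$1" in /nix/store/*) ;; *) exit 1 ;; esac
    case "$2" in ""|.*|*/*) exit 1 ;; esac
    exec ${pkgs.nix}/bin/nix-store -r --indirect --add-root "/var/cache/gc-links/$2" "$1"
  ''}";
```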
@@ -11,20 +11,24 @@ let
 say [i|Trying to build ${name} config for #{hostname}.|]
 (Text.dropAround ('"' ==) . decodeUtf8 . trim -> derivationName) <- (nix_instantiate $ ${drv}) |> captureTrim
 exe "nix-jobs" ["realise", toString derivationName]
- exe "/run/wrappers/bin/sudo" ["${cacheResult}", toString derivationName, ${target}]
+ exe "cache-result" [toString derivationName, ${target}]
 say [i|Build of ${name} config for #{hostname} was successful.|]
 '';
 test-system-config = pkgs.writeHaskellScript {
 name = "test-system-config";
 inherit bins;
 inherit imports;
- } (haskellBody "system" ''buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]'' "[i|result-system-#{hostname}|]");
+ } (haskellBody "system" ''
+ buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]''
+ "[i|result-system-#{hostname}|]");
 test-home-config = pkgs.writeHaskellScript {
 name = "test-home-config";
 inherit bins;
 inherit imports;
- } (haskellBody "home" ''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]'' "[i|result-home-manager-#{hostname}|]");
+ } (haskellBody "home"
+ ''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]''
+ "[i|result-home-manager-#{hostname}|]");
 path = [ pkgs.git pkgs.nix pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.laminar ];
 common = ''
 set -e
@@ -66,8 +70,6 @@ let
 });
 deployCommand = "${pkgs.writeShellScript "deploy-system-config" "${pkgs.systemd}/bin/systemctl start update-config"}";
- cacheResult = "${pkgs.writeShellScript "cache-result"
- "${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
 in {
 services.laminar.cfgFiles.jobs = {
 "test-config.run" = pkgs.writeHaskell "test-config" {
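Review bot: `exe "cache-result"` now finds the helper by PATH lookup, where the removed line called `/run/wrappers/bin/sudo` and the store path of `cacheResult` directly, so which script actually runs depends on what laminar puts on PATH for the job; the `path = [ … ]` list visible in this hunk does not include it, and I assume it comes from the cfg scripts directory that default.nix now populates — worth confirming. If PATH is the intended mechanism, a comment such as `-- cache-result is the sudo wrapper installed by roles/laminar/default.nix` next to the call would make that dependency visible. The `haskellBody` function this line belongs to starts before the hunk.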
@@ -87,7 +89,7 @@ in { } (builtins.readFile ./bump-config.hs); } // lib.listToAttrs (map mkHomeJob homes) // lib.listToAttrs (map mkSystemJob homes); - security.sudo.extraRules = let allowedCommands = [ deployCommand cacheResult ]; + security.sudo.extraRules = let allowedCommands = [ deployCommand ]; in [{ commands = map (command: { inherit command;