deploy guard: fix actions

2026-04-22 01:18:09 -04:00
parent aef99e7365
commit b0b4bcb0b3
4 changed files with 37 additions and 49 deletions


@@ -372,37 +372,17 @@
profiles.system = {
sshUser = "root";
user = "root";
# Wrap deploy-rs.activate.nixos so the guard runs before
# switch-to-configuration. If the guard exits non-zero, deploy-rs's
# auto-rollback restores the previous profile. Bypass via
# DEPLOY_GUARD_BYPASS=1 or by pre-touching /run/deploy-guard-bypass.
path =
let
base = self.nixosConfigurations.muffin;
activate = deploy-rs.lib.${system}.activate;
bootloaderDefaultCleanup = nixpkgs-stable.lib.optionalString base.config.boot.loader.systemd-boot.enable "sed -i '/^default /d' ${base.config.boot.loader.efi.efiSysMountPoint}/loader/loader.conf";
in
(
activate.custom
// {
dryActivate = "$PROFILE/bin/switch-to-configuration dry-activate";
boot = "$PROFILE/bin/switch-to-configuration boot";
}
)
base.config.system.build.toplevel
''
# work around https://github.com/NixOS/nixpkgs/issues/73404
cd /tmp
# Halt deploys while users are actively using services.
# See modules/server-deploy-guard.nix.
"$PROFILE/sw/bin/deploy-guard-check"
$PROFILE/bin/switch-to-configuration switch
# https://github.com/serokell/deploy-rs/issues/31
${bootloaderDefaultCleanup}
'';
# Deploy guard enforcement lives in the preflight driver (deploy.sh
# and .gitea/workflows/deploy.yml) — not in activation. Activation-
# time enforcement is unsafe: deploy-rs sets the new profile pointer
# before running deploy-rs-activate, so a non-zero activation exit
# triggers auto-rollback which re-runs switch-to-configuration on the
# previous generation. That re-activation rotates agenix secrets,
# reinstalls lanzaboote, and reloads systemd units — side effects we
# want to avoid when the deploy is supposed to be a no-op blocked by
# the guard. Blocking before the deploy-rs invocation is the only
# clean way to leave the running system untouched.
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
};
};
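Review bot: The replacement `path` at the end of the hunk carries no activation-time check, so the comment above it should say plainly that the guard is enforced only when a deploy passes through deploy.sh or the workflow — as far as this hunk shows, a deploy-rs invocation started directly from a developer shell skips it entirely and the target itself no longer refuses the switch. Suggest appending to the comment: `# Consequence: invoking deploy-rs directly (outside deploy.sh / the workflow) skips the guard; always deploy via deploy.sh.` The removed wrapper also documented the DEPLOY_GUARD_BYPASS and /run/deploy-guard-bypass overrides; whether those still apply to the preflight driver is not visible here and deserves a sentence so operators do not rely on a bypass that no longer exists. The removed custom activation otherwise mirrors what deploy-rs's activate.nixos does (the cd /tmp workaround, the switch, the loader.conf cleanup), so the drop looks lossless apart from the guard — presumably, since activate.nixos's body is not shown. The node definition that encloses `profiles.system` starts outside the hunk.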