feat: interoperate [deploy-rs, colmena]

2026-02-09 04:19:19 -08:00 · 2025-10-13 04:25:45 -07:00 · 2025-10-13 04:25:45 -07:00 · f108a20f26
commit f108a20f26
parent 0fef01bfe6
15 changed files with 235 additions and 122 deletions
--- a/colmena.nix
+++ b/colmena.nix
@ -0,0 +1,38 @@
+{
+  inputs,
+  systems,
+  lib,
+  ...
+}: rec {
+  colmenaHive = inputs.colmena.lib.makeHive colmena;
+  colmena = let
+    inherit (lib.attrsets) mapAttrs filterAttrs;
+    colmenaBase = {
+      meta = {
+        description = "Kat's Infrastructure";
+        nodeSpecialArgs = mapAttrs (_k: v: v._module.specialArgs) systems.nixosConfigurations;
+        nodeNixpkgs = mapAttrs (_k: v: v.config.pkgs) systems.systems;
+        nixpkgs = import inputs.nixpkgs {
+          # this upsets me deeply.
+          system = "x86_64-linux";
+          overlays = [];
+        };
+      };
+    };
+    colmenaHosts = mapAttrs (_k: v: {
+      config,
+      lib,
+      ...
+    }: let
+      inherit (lib.modules) mkDefault;
+    in {
+      imports = v.config.modules;
+      deployment =
+        {
+          targetPort = mkDefault (builtins.head config.services.openssh.ports);
+        }
+        // v.config.colmena;
+    }) (filterAttrs (_k: v: v.config.folder == "nixos") systems.systems);
+  in
+    colmenaBase // colmenaHosts;
+}
--- a/common/nix.nix
+++ b/common/nix.nix
@ -17,8 +17,8 @@ in {
    package = pkgs.lixPackageSets.stable.lix;
    settings = {
      experimental-features = list.optional (versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
-      substituters = ["https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-gaming.cachix.org" "https://nix-community.cachix.org"];
-      trusted-public-keys = ["arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="];
+      substituters = ["https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-gaming.cachix.org" "https://nix-community.cachix.org" "https://colmena.cachix.org"];
+      trusted-public-keys = ["arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="];
      auto-optimise-store = true;
      trusted-users = ["root" "@wheel"];
    };
--- a/flake.lock
+++ b/flake.lock
@ -201,6 +201,28 @@
        "type": "github"
      }
    },
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nix-github-actions": "nix-github-actions_2",
+        "nixpkgs": "nixpkgs_3",
+        "stable": "stable"
+      },
+      "locked": {
+        "lastModified": 1755272288,
+        "narHash": "sha256-ypTPb2eKcOBbOoyvPV0j4ZOXs4kayo73/2KI456QnE0=",
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "rev": "5bf4ce6a24adba74a5184f4a9bef01d545a09473",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "type": "github"
+      }
+    },
    "crane": {
      "locked": {
        "lastModified": 1731098351,
@ -334,6 +356,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -383,17 +421,12 @@
      }
    },
    "flake-utils": {
-      "inputs": {
-        "systems": [
-          "systems"
-        ]
-      },
      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
@ -422,6 +455,26 @@
        "type": "github"
      }
    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": [
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "flakelib": {
      "inputs": {
        "fl-config": "fl-config",
@ -1017,7 +1070,7 @@
        "flake-parts": [
          "flake-parts"
        ],
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
        "lastModified": 1759801625,
@ -1056,6 +1109,27 @@
        "type": "github"
      }
    },
+    "nix-github-actions_2": {
+      "inputs": {
+        "nixpkgs": [
+          "colmena",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -1239,6 +1313,22 @@
      }
    },
    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1750134718,
+        "narHash": "sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9e83b64f727c88a7711a2c463a7b16eedb69a84c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1759536663,
        "narHash": "sha256-hhM8SUI6kQMei5TImFdNQy9EDT8g2hAD161DUtbfAy0=",
@ -1436,12 +1526,13 @@
        "chaotic": "chaotic",
        "ci": "ci",
        "clipboard-sync": "clipboard-sync",
+        "colmena": "colmena",
        "darwin": "darwin",
        "deploy-rs": "deploy-rs",
        "empty": "empty",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "flake-utils-plus": "flake-utils-plus",
        "flakelib": "flakelib",
        "git-hooks": "git-hooks",
@ -1655,6 +1746,22 @@
        "type": "github"
      }
    },
+    "stable": {
+      "locked": {
+        "lastModified": 1750133334,
+        "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "36ab78dab7da2e4e27911007033713bab534187b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "std": {
      "inputs": {
        "nix-std": [
--- a/flake.nix
+++ b/flake.nix
@ -224,6 +224,7 @@
        utils.follows = "flake-utils";
      };
    };
+    colmena.url = "github:zhaofengli/colmena";
    # self-explanatory
    home-manager = {
      url = "github:nix-community/home-manager/master";
--- a/modules/system/colmena.nix
+++ b/modules/system/colmena.nix
@ -0,0 +1,44 @@
+{
+  name,
+  config,
+  lib,
+  inputs,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkOptionDefault mkDefault;
+in {
+  options = let
+    inherit (lib.types) nullOr;
+    inherit (lib.options) mkOption;
+  in {
+    colmena = mkOption {
+      type = nullOr inputs.arcexprs.lib.json.types.attrs;
+    };
+  };
+  config = {
+    colmena = {
+      targetHost = mkDefault config.deploy.hostname;
+      targetUser = mkDefault config.deploy.sshUser;
+      tags = mkOptionDefault [
+        "all"
+      ];
+    };
+    deploy = let
+      nixos = config.built;
+    in {
+      sshUser = mkOptionDefault "deploy";
+      user = mkOptionDefault "root";
+      sshOpts = mkIf (config.type == "NixOS") (
+        mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"]
+      );
+      autoRollback = mkOptionDefault true;
+      magicRollback = mkOptionDefault true;
+      fastConnection = mkOptionDefault false;
+      hostname = mkOptionDefault "${name}.devices.inskip.me";
+      profiles.system = {
+        user = "root";
+        path = inputs.deploy-rs.lib.${config.system}.activate.nixos inputs.self.nixosConfigurations.${name};
+      };
+    };
+  };
+}
--- a/modules/system/host.nix
+++ b/modules/system/host.nix
@ -47,6 +47,10 @@ in {
      type = attrs;
      internal = true;
    };
+    pkgs = mkOption {
+      type = unspecified;
+      internal = true;
+    };
    builder = mkOption {
      type = unspecified;
      internal = true;
@ -148,6 +152,7 @@ in {
        inherit (config) system modules specialArgs;
      })
    config.builder);
+    pkgs = pkgs.${config.system};
    specialArgs = {
      inherit name inputs std tree;
      systemType = config.folder;
--- a/outputs.nix
+++ b/outputs.nix
@ -6,6 +6,7 @@
  systems = import ./systems {inherit inputs tree lib std pkgs;};
  shells = import ./shells {inherit inputs tree lib std pkgs checks;};
  inherit (import ./pkgs.nix {inherit inputs tree overlay;}) pkgs;
+  colmena = import ./colmena.nix {inherit inputs systems lib;};
  formatting = import ./formatting.nix {inherit inputs pkgs;};
  inherit (std) set;
  forAllSystems = lib.genAttrs inputs.flake-utils.lib.defaultSystems;
@ -37,6 +38,7 @@ in
    legacyPackages = pkgs;
    #packages = set.merge [pkgs wrappers.packages];
    inherit (formatting) formatter;
+    inherit (colmena) colmenaHive colmena;
  }
  // systems
  // shells
--- a/overlays.nix
+++ b/overlays.nix
@ -13,7 +13,12 @@
      colmena
      ;
  })
+  inputs.colmena.overlays.default
  inputs.ida-pro-overlay.overlays.default
+  # To get this not to garbage collect, make sure to create a gcroot by manually
+  # building the package with an output (anywhere you want, really). You can't
+  # then delete that output, however, or rename or move it. So place it somewhere
+  # you're ok with it being.
  (final: prev: {
    ida-pro-kat = prev.callPackage final.ida-pro {
      runfile = final.requireFile {
--- a/shells/repo.nix
+++ b/shells/repo.nix
@ -8,6 +8,7 @@ with pkgs; let
  git-hooks = systemless-git-hooks pkgs.system;
  repoShell = mkShell {
    nativeBuildInputs = [
+      colmena
      opentofu
      nf-build-system
      nf-update
--- a/systems/daiyousei.nix
+++ b/systems/daiyousei.nix
@ -52,8 +52,12 @@ _: let
  };
 in {
  arch = "aarch64";
-  deploy.hostname = "daiyousei.inskip.me";
  type = "NixOS";
+  deploy.hostname = "daiyousei.inskip.me";
+  colmena.tags = [
+    "server"
+    "oci"
+  ];
  modules = [
    hostConfig
  ];
--- a/systems/goliath.nix
+++ b/systems/goliath.nix
@ -250,6 +250,9 @@ _: let
 in {
  arch = "x86_64";
  type = "NixOS";
+  colmena.tags = [
+    "personal"
+  ];
  ci.enable = false; # Closure too large
  modules = [
    hostConfig
--- a/systems/koishi.nix
+++ b/systems/koishi.nix
@ -166,6 +166,9 @@ _: let
 in {
  arch = "x86_64";
  deploy.hostname = "10.1.1.171";
+  colmena.tags = [
+    "personal"
+  ];
  ci.enable = false; # Closure too large
  type = "NixOS";
  modules = [
--- a/systems/mai.nix
+++ b/systems/mai.nix
@ -22,6 +22,10 @@ _: let
 in {
  arch = "x86_64";
  type = "NixOS";
+  colmena.tags = [
+    "server"
+    "oci"
+  ];
  modules = [
    hostConfig
  ];
--- a/systems/mei.nix
+++ b/systems/mei.nix
@ -20,6 +20,10 @@ _: let
 in {
  arch = "x86_64";
  type = "NixOS";
+  colmena.tags = [
+    "server"
+    "oci"
+  ];
  modules = [
    hostConfig
  ];
--- a/systems/renko.nix
+++ b/systems/renko.nix
@ -1,108 +0,0 @@
-_: let
-  hostConfig = {
-    lib,
-    pkgs,
-    inputs,
-    ...
-  }: let
-    inherit (lib.modules) mkDefault mkForce;
-  in {
-    imports = [
-      "${inputs.nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
-    ];
-
-    nix.extraOptions = "extra-platforms = x86_64-linux i686-linux";
-
-    networking = {
-      nftables.enable = mkForce false;
-      firewall.enable = mkForce false;
-      useDHCP = false;
-      interfaces.eth0.useDHCP = true;
-    };
-
-    nixpkgs.hostPlatform = mkDefault "aarch64-linux";
-
-    boot.kernelPackages = pkgs.linuxPackages_6_3;
-
-    environment.systemPackages = with pkgs; [
-      awscli2
-      kubectl
-    ];
-
-    system.stateVersion = "22.11";
-
-    security.sudo.extraRules = [
-      {
-        users = ["kat"];
-        commands = [
-          {
-            command = "ALL";
-            options = ["NOPASSWD"];
-          }
-        ];
-      }
-    ];
-
-    # add OrbStack CLI tools to PATH
-    environment.shellInit = ''
-      . /opt/orbstack-guest/etc/profile-early
-
-      # add your customizations here
-
-      . /opt/orbstack-guest/etc/profile-late
-      export PATH="/opt/homebrew/opt/ruby/bin:$PATH"
-      export LDFLAGS="-L/opt/homebrew/opt/ruby/lib"
-      export CPPFLAGS="-I/opt/homebrew/opt/ruby/include"
-    '';
-
-    # faster DHCP - OrbStack uses SLAAC exclusively
-    networking.dhcpcd.extraConfig = ''
-      noarp
-      noipv6
-    '';
-
-    # disable sshd
-    services.openssh.enable = true;
-
-    # systemd
-    systemd.services = {
-      "systemd-oomd".serviceConfig.WatchdogSec = 0;
-      "systemd-resolved".serviceConfig.WatchdogSec = 0;
-      "systemd-userdbd".serviceConfig.WatchdogSec = 0;
-      "systemd-udevd".serviceConfig.WatchdogSec = 0;
-      "systemd-timesyncd".serviceConfig.WatchdogSec = 0;
-      "systemd-timedated".serviceConfig.WatchdogSec = 0;
-      "systemd-portabled".serviceConfig.WatchdogSec = 0;
-      "systemd-nspawn@".serviceConfig.WatchdogSec = 0;
-      "systemd-networkd".serviceConfig.WatchdogSec = 0;
-      "systemd-machined".serviceConfig.WatchdogSec = 0;
-      "systemd-localed".serviceConfig.WatchdogSec = 0;
-      "systemd-logind".serviceConfig.WatchdogSec = 0;
-      "systemd-journald@".serviceConfig.WatchdogSec = 0;
-      "systemd-journald".serviceConfig.WatchdogSec = 0;
-      "systemd-journal-remote".serviceConfig.WatchdogSec = 0;
-      "systemd-journal-upload".serviceConfig.WatchdogSec = 0;
-      "systemd-importd".serviceConfig.WatchdogSec = 0;
-      "systemd-hostnamed".serviceConfig.WatchdogSec = 0;
-      "systemd-homed".serviceConfig.WatchdogSec = 0;
-    };
-
-    # package installation: not needed
-
-    # ssh config
-    programs.ssh.extraConfig = ''
-      Include /opt/orbstack-guest/etc/ssh_config
-    '';
-
-    # extra certificates
-    security.pki.certificateFiles = [
-      "/opt/orbstack-guest/run/extra-certs.crt"
-    ];
-  };
-in {
-  arch = "aarch64";
-  type = "NixOS";
-  modules = [
-    hostConfig
-  ];
-}