feat(module): add magic rollback options

Author: water-sucks

nix/module.nix

@@ -47,6 +47,39 @@ in {
         prev;
     };
 
+    magic-rollback = {
+      enable = lib.mkOption {
+        type = types.bool;
+        description = ''
+          Enable `nixos-cli` magic rollback facilities for this system.
+
+          This option inserts a small binary into the NixOS system closure
+          at `/path/to/closure/bin/activation-supervisor` that can be used
+          by `nixos-cli` to control remote activation.
+
+          The activation supervisor runs the switch-to-configuration script
+          on this system, and then watches for a signal from the deployer
+          to confirm the activation; if no signal is given (i.e. if SSH
+          or all internet access is disconnected), then an automatic rollback
+          starts in order to regain connectivity again.
+
+          Enabling this option is required on the target systems that are
+          deployed using `nixos-cli`. However, this does not require
+          `nixos-cli` itself to be enabled on the target system.
+        '';
+        default = false;
+        example = true;
+      };
+
+      package = lib.mkOption {
+        type = types.package;
+        default = self.packages.${system}.activation-supervisor;
+        description = "Package to use for the activation supervisor that controls magic rollback";
+      };
+
+      # TODO: add an option to make rollback timeout configurable
+    };
+
     useActivationInterface = lib.mkOption {
       type = types.bool;
       default = false;
@@ -80,84 +113,114 @@ in {
     };
   };
 
-  config = lib.mkIf cfg.enable (lib.mkMerge [
-    {
-      environment.systemPackages = [cfg.package];
-
-      environment.etc."nixos-cli/config.toml".source =
-        tomlFormat.generate "nixos-cli-config.toml" cfg.config;
-
-      # Hijack system builder commands to insert a `nixos-version.json` file at the root.
-      system.systemBuilderCommands = let
-        nixos-version-json = builtins.toJSON {
-          nixosVersion = "${nixosCfg.distroName} ${nixosCfg.release} (${nixosCfg.codeName})";
-          nixpkgsRevision = nixosCfg.revision;
-          configurationRevision = "${builtins.toString config.system.configurationRevision}";
-          description = cfg.generationTag;
-        };
-      in ''
-        cat > "$out/nixos-version.json" << EOF
-        ${nixos-version-json}
-        EOF
-      '';
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable (
+      lib.mkMerge [
+        {
+          environment.systemPackages = [cfg.package];
+
+          environment.etc."nixos-cli/config.toml".source =
+            tomlFormat.generate "nixos-cli-config.toml" cfg.config;
+
+          # Hijack system builder commands to insert a `nixos-version.json` file at the root.
+          system.systemBuilderCommands = let
+            nixos-version-json = builtins.toJSON {
+              nixosVersion = "${nixosCfg.distroName} ${nixosCfg.release} (${nixosCfg.codeName})";
+              nixpkgsRevision = nixosCfg.revision;
+              configurationRevision = "${builtins.toString config.system.configurationRevision}";
+              description = cfg.generationTag;
+            };
+          in ''
+            cat > "$out/nixos-version.json" << EOF
+            ${nixos-version-json}
+            EOF
+          '';
+
+          # FIXME: should this be configurable? Not all users would want to preserve
+          # SSH_AUTH_SOCK, for example.
+          security.sudo.extraConfig = ''
+            # Preserve NIXOS_CONFIG and NIXOS_CLI_CONFIG in sudo invocations of
+            # `nixos apply`. This is required in order to keep ownership across
+            # automatic re-exec as root.
+            Defaults env_keep += "NIXOS_CONFIG"
+            Defaults env_keep += "NIXOS_GENERATION_TAG"
+            Defaults env_keep += "NIXOS_CLI_CONFIG"
+            Defaults env_keep += "NIXOS_CLI_DISABLE_STEPS"
+            Defaults env_keep += "NIXOS_CLI_DEBUG_MODE"
+            Defaults env_keep += "NIXOS_CLI_SUPPRESS_NO_SETTINGS_WARNING"
+            Defaults env_keep += "SSH_AUTH_SOCK"
+          '';
+        }
+        (lib.mkIf cfg.prebuildOptionCache {
+          # While there is already an `options.json` that exists in the
+          # `config.system.build.manual.optionsJSON` attribute, this is
+          # not as full-featured, because it does not contain NixOS options
+          # that are not available in base `nixpkgs`. This does increase
+          # eval time, but that's a fine tradeoff in this case since it
+          # is able to be disabled.
+          environment.etc."nixos-cli/options-cache.json" = {
+            text = let
+              optionList' = lib.optionAttrSetToDocList options;
+              optionList = builtins.filter (v: v.visible && !v.internal) optionList';
+            in
+              builtins.toJSON optionList;
+          };
+        })
+        (lib.mkIf cfg.useActivationInterface {
+          # This looks confusing, but this only stops the switch-to-configuration-ng
+          # program from being used. The system will still be switchable.
+          system.switch.enable = lib.mkForce false;
+
+          # Use a subshell so we can source makeWrapper's setup hook without
+          # affecting the rest of activatableSystemBuilderCommands.
+          system.activatableSystemBuilderCommands = ''
+            (
+              source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook
+
+              mkdir -p $out/bin
+
+              ln -sf ${lib.getExe cfg.package} $out/bin/switch-to-configuration
+
+              wrapProgram $out/bin/switch-to-configuration \
+                --add-flags activate \
+                --set NIXOS_CLI_ATTEMPTING_ACTIVATION 1 \
+                --set OUT $out \
+                --set TOPLEVEL ''${!toplevelVar} \
+                --set DISTRO_ID ${lib.escapeShellArg config.system.nixos.distroId} \
+                --set INSTALL_BOOTLOADER ${lib.escapeShellArg config.system.build.installBootLoader} \
+                --set PRE_SWITCH_CHECK ${lib.escapeShellArg config.system.preSwitchChecksScript} \
+                --set LOCALE_ARCHIVE ${config.i18n.glibcLocales}/lib/locale/locale-archive \
+                --set SYSTEMD ${config.systemd.package}
+            )
+          '';
+        })
+      ]
+    ))
+    (lib.mkIf cfg.magic-rollback.enable {
+      assertions = [
+        {
+          assertion = cfg.useActivationInterface || config.system.switch.enable;
+          message = ''
+            `services.nixos-cli.magic-rollback` can only be used on switchable systems.
+
+            Either enable the `nixos-cli` activation interface or allow switching
+            systems using `switch-to-configuration-ng`.
+          '';
+        }
+      ];
 
-      # FIXME: should this be configurable? Not all users would want to preserve
-      # SSH_AUTH_SOCK, for example.
-      security.sudo.extraConfig = ''
-        # Preserve NIXOS_CONFIG and NIXOS_CLI_CONFIG in sudo invocations of
-        # `nixos apply`. This is required in order to keep ownership across
-        # automatic re-exec as root.
-        Defaults env_keep += "NIXOS_CONFIG"
-        Defaults env_keep += "NIXOS_GENERATION_TAG"
-        Defaults env_keep += "NIXOS_CLI_CONFIG"
-        Defaults env_keep += "NIXOS_CLI_DISABLE_STEPS"
-        Defaults env_keep += "NIXOS_CLI_DEBUG_MODE"
-        Defaults env_keep += "NIXOS_CLI_SUPPRESS_NO_SETTINGS_WARNING"
-        Defaults env_keep += "SSH_AUTH_SOCK"
-      '';
-    }
-    (lib.mkIf cfg.prebuildOptionCache {
-      # While there is already an `options.json` that exists in the
-      # `config.system.build.manual.optionsJSON` attribute, this is
-      # not as full-featured, because it does not contain NixOS options
-      # that are not available in base `nixpkgs`. This does increase
-      # eval time, but that's a fine tradeoff in this case since it
-      # is able to be disabled.
-      environment.etc."nixos-cli/options-cache.json" = {
-        text = let
-          optionList' = lib.optionAttrSetToDocList options;
-          optionList = builtins.filter (v: v.visible && !v.internal) optionList';
-        in
-          builtins.toJSON optionList;
-      };
-    })
-    (lib.mkIf cfg.useActivationInterface {
-      # This looks confusing, but this only stops the switch-to-configuration-ng
-      # program from being used. The system will still be switchable.
-      system.switch.enable = lib.mkForce false;
-
-      # Use a subshell so we can source makeWrapper's setup hook without
-      # affecting the rest of activatableSystemBuilderCommands.
-      system.activatableSystemBuilderCommands = ''
+      system.activatableSystemBuilderCommands = lib.mkAfter ''
         (
           source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook
 
-          mkdir $out/bin
+          mkdir -p $out/bin
 
-          ln -sf ${lib.getExe cfg.package} $out/bin/switch-to-configuration
+          ln -sf ${lib.getExe cfg.magic-rollback.package} $out/bin/activation-supervisor
 
-          wrapProgram $out/bin/switch-to-configuration \
-            --add-flags activate \
-            --set NIXOS_CLI_ATTEMPTING_ACTIVATION 1 \
-            --set OUT $out \
-            --set TOPLEVEL ''${!toplevelVar} \
-            --set DISTRO_ID ${lib.escapeShellArg config.system.nixos.distroId} \
-            --set INSTALL_BOOTLOADER ${lib.escapeShellArg config.system.build.installBootLoader} \
-            --set PRE_SWITCH_CHECK ${lib.escapeShellArg config.system.preSwitchChecksScript} \
-            --set LOCALE_ARCHIVE ${config.i18n.glibcLocales}/lib/locale/locale-archive \
-            --set SYSTEMD ${config.systemd.package}
+          wrapProgram $out/bin/activation-supervisor \
+            --set TOPLEVEL ''${!toplevelVar}
         )
       '';
     })
-  ]);
+  ];
 }

nix/tests/example.test.nix

@@ -5,10 +5,13 @@
 }:
 pkgs.testers.runNixOSTest {
   name = "example-test";
-  nodes.machine1 = _: {
+  defaults = {
     imports = [self.nixosModules.nixos-cli];
     services.nixos-cli.enable = true;
+    services.nixos-cli.useActivationInterface = true;
+    services.nixos-cli.magic-rollback.enable = true;
   };
+  nodes.machine1 = _: {};
 
   testScript = ''
     machine1.succeed("nixos features")