flesh out some further deployment integration (#1081)

* Update determinate flake to have an x86_64-darwin build

* Embed determinate-nixd for aarch64-darwin and x86_64-darwin

* Don't check to see if dnixd is already installed ahead of time, we've got it.

* Set the const on everything but x86 linux

* Move the ProvisionDeterminateNixd plan step to Common

* CreateDirectory: don't fail if the dir exists already, so we can create /etc/nix before mounting too

* create determinate nix volume: create /etc/nix before mounting

* Move service writing on Linux from ProvisionDeterminateNixd to ConfigureDeterminateNixd

* Move ProvisionDeterminateNixd to before we create the volume on macOS, since we use it for mounting.

* Remove checkpolicy from the Linux dev shell as it is broken

* factor out the determinate nixd path

* Pick the binary path for determinate-nixd based on the init

* Explain the cfg

* Revert "Update determinate flake to have an x86_64-darwin build"

This reverts commit ec9b13d.

* Update determinate

* uncomment checkpolicy

* Actuall do the thing: break out the list of supported systems into a list, put it next to the overall supportedSystems

flake.nix

@@ -46,6 +46,7 @@
     } @ inputs:
     let
       supportedSystems = [ "i686-linux" "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+      systemsSupportedByDeterminateNixd = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
 
       forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: (forSystem system f));
 
@@ -73,6 +74,8 @@
       nixTarballs = forAllSystems ({ system, ... }:
         inputs.nix.tarballs_direct.${system}
           or "${inputs.nix.checks."${system}".binaryTarball}/nix-${inputs.nix.packages."${system}".default.version}-${system}.tar.xz");
+
+      optionalPathToDeterminateNixd = system: if builtins.elem system systemsSupportedByDeterminateNixd then "${inputs.determinate.packages.${system}.default}/bin/determinate-nixd" else null;
     in
     {
       overlays.default = final: prev:
@@ -106,7 +109,7 @@
             cargoTestOptions = f: f ++ [ "--all" ];
 
             NIX_INSTALLER_TARBALL_PATH = nixTarballs.${final.stdenv.system};
-            DETERMINATE_NIXD_BINARY_PATH = if final.stdenv.system == "x86_64-linux" || final.stdenv.system == "aarch64-linux" then "${inputs.determinate.packages.${final.stdenv.system}.default}/bin/determinate-nixd" else null;
+            DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd final.stdenv.system;
 
             override = { preBuild ? "", ... }: {
               preBuild = preBuild + ''
@@ -152,7 +155,7 @@
 
             RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
             NIX_INSTALLER_TARBALL_PATH = nixTarballs.${system};
-            DETERMINATE_NIXD_BINARY_PATH = if system == "x86_64-linux" || system == "aarch64-linux" then "${inputs.determinate.packages.${system}.default}/bin/determinate-nixd" else null;
+            DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd system;
 
             nativeBuildInputs = with pkgs; [ ];
             buildInputs = with pkgs; [

src/action/base/create_directory.rs

@@ -3,7 +3,7 @@ use std::path::{Path, PathBuf};
 
 use nix::unistd::{chown, Group, User};
 
-use tokio::fs::{create_dir, remove_dir_all, remove_file};
+use tokio::fs::{create_dir_all, remove_dir_all, remove_file};
 use tokio::process::Command;
 use tracing::{span, Span};
 
@@ -183,7 +183,7 @@ impl Action for CreateDirectory {
             None
         };
 
-        create_dir(&path)
+        create_dir_all(&path)
             .await
             .map_err(|e| ActionErrorKind::CreateDirectory(path.clone(), e))
             .map_err(Self::error)?;

src/action/common/configure_determinate_nixd_init_service.rs → src/action/common/configure_determinate_nixd_init_service/mod.rs

@@ -10,8 +10,7 @@ use crate::action::{common::ConfigureInitService, Action, ActionDescription};
 use crate::settings::InitSystem;
 
 // Linux
-const SERVICE_DEST: &str = "/etc/systemd/system/nix-daemon.service";
-pub const DETERMINATE_NIXD_SERVICE_SRC: &str = "/nix/determinate/nix-daemon.service";
+const LINUX_NIXD_DAEMON_DEST: &str = "/etc/systemd/system/nix-daemon.service";
 
 // Darwin
 const DARWIN_NIXD_DAEMON_DEST: &str = "/Library/LaunchDaemons/systems.determinate.nix-daemon.plist";
@@ -36,17 +35,9 @@ impl ConfigureDeterminateNixdInitService {
         init: InitSystem,
         start_daemon: bool,
     ) -> Result<StatefulAction<Self>, ActionError> {
-        let service_src: Option<PathBuf> = match init {
-            InitSystem::Launchd => {
-                // We'll write it out down in the execute step
-                None
-            },
-            InitSystem::Systemd => Some(DETERMINATE_NIXD_SERVICE_SRC.into()),
-            InitSystem::None => None,
-        };
         let service_dest: Option<PathBuf> = match init {
             InitSystem::Launchd => Some(DARWIN_NIXD_DAEMON_DEST.into()),
-            InitSystem::Systemd => Some(SERVICE_DEST.into()),
+            InitSystem::Systemd => Some(LINUX_NIXD_DAEMON_DEST.into()),
             InitSystem::None => None,
         };
         let service_name: Option<String> = match init {
@@ -55,7 +46,7 @@ impl ConfigureDeterminateNixdInitService {
         };
 
         let configure_init_service =
-            ConfigureInitService::plan(init, start_daemon, service_src, service_dest, service_name)
+            ConfigureInitService::plan(init, start_daemon, None, service_dest, service_name)
                 .await
                 .map_err(Self::error)?;
 
@@ -98,9 +89,9 @@ impl Action for ConfigureDeterminateNixdInitService {
             configure_init_service,
         } = self;
 
-        let daemon_file = DARWIN_NIXD_DAEMON_DEST;
-
         if *init == InitSystem::Launchd {
+            let daemon_file = DARWIN_NIXD_DAEMON_DEST;
+
             // This is the only part that is actually different from configure_init_service, beyond variable parameters.
 
             let generated_plist = generate_plist();
@@ -118,6 +109,16 @@ impl Action for ConfigureDeterminateNixdInitService {
             file.write_all(&buf)
                 .await
                 .map_err(|e| Self::error(ActionErrorKind::Write(PathBuf::from(daemon_file), e)))?;
+        } else if *init == InitSystem::Systemd {
+            let daemon_file = PathBuf::from(LINUX_NIXD_DAEMON_DEST);
+
+            tokio::fs::write(
+                &daemon_file,
+                include_str!("./nix-daemon.determinate-nixd.service"),
+            )
+            .await
+            .map_err(|e| ActionErrorKind::Write(daemon_file.clone(), e))
+            .map_err(Self::error)?;
         }
 
         configure_init_service

src/action/common/mod.rs

@@ -9,6 +9,7 @@ pub(crate) mod create_nix_tree;
 pub(crate) mod create_users_and_groups;
 pub(crate) mod delete_users;
 pub(crate) mod place_nix_configuration;
+pub(crate) mod provision_determinate_nixd;
 pub(crate) mod provision_nix;
 
 pub use configure_determinate_nixd_init_service::ConfigureDeterminateNixdInitService;
@@ -20,4 +21,5 @@ pub use create_nix_tree::CreateNixTree;
 pub use create_users_and_groups::CreateUsersAndGroups;
 pub use delete_users::DeleteUsersInGroup;
 pub use place_nix_configuration::PlaceNixConfiguration;
+pub use provision_determinate_nixd::ProvisionDeterminateNixd;
 pub use provision_nix::ProvisionNix;

src/action/common/place_nix_configuration.rs

@@ -11,7 +11,7 @@ use crate::settings::UrlOrPathOrString;
 use indexmap::map::Entry;
 use std::path::PathBuf;
 
-const NIX_CONF_FOLDER: &str = "/etc/nix";
+pub const NIX_CONF_FOLDER: &str = "/etc/nix";
 const NIX_CONF: &str = "/etc/nix/nix.conf";
 
 /**

src/action/linux/provision_determinate_nixd/mod.rs → src/action/common/provision_determinate_nixd.rs

@@ -4,31 +4,34 @@ use std::path::PathBuf;
 use tokio::fs::{create_dir_all, remove_file};
 use tracing::{span, Span};
 
-use crate::action::common::configure_determinate_nixd_init_service::DETERMINATE_NIXD_SERVICE_SRC;
 use crate::action::{
     Action, ActionDescription, ActionError, ActionErrorKind, ActionTag, StatefulAction,
 };
+use crate::settings::InitSystem;
 
-const DETERMINATE_NIXD_BINARY_PATH: &str = "/nix/determinate/determinate-nixd";
+const LINUX_DETERMINATE_NIXD_BINARY_PATH: &str = "/nix/determinate/determinate-nixd";
+const MACOS_DETERMINATE_NIXD_BINARY_PATH: &str = "/usr/local/bin/determinate-nixd";
 /**
 Provision the determinate-nixd binary
 */
 #[derive(Debug, serde::Deserialize, serde::Serialize, Clone)]
 #[serde(tag = "action_name", rename = "provision_determinate_nixd")]
 pub struct ProvisionDeterminateNixd {
     binary_location: PathBuf,
-    service_location: PathBuf,
 }
 
 impl ProvisionDeterminateNixd {
     #[tracing::instrument(level = "debug", skip_all)]
-    pub async fn plan() -> Result<StatefulAction<Self>, ActionError> {
+    pub async fn plan(init: InitSystem) -> Result<StatefulAction<Self>, ActionError> {
         crate::settings::DETERMINATE_NIXD_BINARY
             .ok_or_else(|| Self::error(ActionErrorKind::DeterminateNixUnavailable))?;
 
         let this = Self {
-            binary_location: DETERMINATE_NIXD_BINARY_PATH.into(),
-            service_location: DETERMINATE_NIXD_SERVICE_SRC.into(),
+            binary_location: match init {
+                InitSystem::Launchd => MACOS_DETERMINATE_NIXD_BINARY_PATH.into(),
+                InitSystem::Systemd => LINUX_DETERMINATE_NIXD_BINARY_PATH.into(),
+                InitSystem::None => LINUX_DETERMINATE_NIXD_BINARY_PATH.into(),
+            },
         };
 
         Ok(StatefulAction::uncompleted(this))
@@ -89,14 +92,6 @@ impl Action for ProvisionDeterminateNixd {
             .map_err(|e| ActionErrorKind::Write(self.binary_location.clone(), e))
             .map_err(Self::error)?;
 
-        tokio::fs::write(
-            &self.service_location,
-            include_str!("./nix-daemon.determinate-nixd.service"),
-        )
-        .await
-        .map_err(|e| ActionErrorKind::Write(self.service_location.clone(), e))
-        .map_err(Self::error)?;
-
         Ok(())
     }
 

src/action/linux/mod.rs

@@ -1,12 +1,10 @@
 pub(crate) mod ensure_steamos_nix_directory;
-pub(crate) mod provision_determinate_nixd;
 pub(crate) mod provision_selinux;
 pub(crate) mod revert_clean_steamos_nix_offload;
 pub(crate) mod start_systemd_unit;
 pub(crate) mod systemctl_daemon_reload;
 
 pub use ensure_steamos_nix_directory::EnsureSteamosNixDirectory;
-pub use provision_determinate_nixd::ProvisionDeterminateNixd;
 pub use provision_selinux::ProvisionSelinux;
 pub use revert_clean_steamos_nix_offload::RevertCleanSteamosNixOffload;
 pub use start_systemd_unit::{StartSystemdUnit, StartSystemdUnitError};

src/action/macos/create_determinate_nix_volume.rs

@@ -1,5 +1,6 @@
 use crate::action::{
-    base::{create_or_insert_into_file, CreateOrInsertIntoFile},
+    base::{create_or_insert_into_file, CreateDirectory, CreateOrInsertIntoFile},
+    common::place_nix_configuration::NIX_CONF_FOLDER,
     macos::{
         CreateApfsVolume, CreateSyntheticObjects, EnableOwnership, EncryptApfsVolume,
         UnmountApfsVolume,
@@ -22,6 +23,7 @@ pub struct CreateDeterminateNixVolume {
     disk: PathBuf,
     name: String,
     case_sensitive: bool,
+    create_directory: StatefulAction<CreateDirectory>,
     create_or_append_synthetic_conf: StatefulAction<CreateOrInsertIntoFile>,
     create_synthetic_objects: StatefulAction<CreateSyntheticObjects>,
     unmount_volume: StatefulAction<UnmountApfsVolume>,
@@ -37,6 +39,7 @@ impl CreateDeterminateNixVolume {
         disk: impl AsRef<Path>,
         name: String,
         case_sensitive: bool,
+        force: bool,
     ) -> Result<StatefulAction<Self>, ActionError> {
         let disk = disk.as_ref();
         let create_or_append_synthetic_conf = CreateOrInsertIntoFile::plan(
@@ -50,6 +53,10 @@ impl CreateDeterminateNixVolume {
         .await
         .map_err(Self::error)?;
 
+        let create_directory = CreateDirectory::plan(NIX_CONF_FOLDER, None, None, 0o0755, force)
+            .await
+            .map_err(Self::error)?;
+
         let create_synthetic_objects = CreateSyntheticObjects::plan().await.map_err(Self::error)?;
 
         let unmount_volume = UnmountApfsVolume::plan(disk, name.clone())
@@ -72,6 +79,7 @@ impl CreateDeterminateNixVolume {
             disk: disk.to_path_buf(),
             name,
             case_sensitive,
+            create_directory,
             create_or_append_synthetic_conf,
             create_synthetic_objects,
             unmount_volume,
@@ -109,6 +117,7 @@ impl Action for CreateDeterminateNixVolume {
 
     fn execute_description(&self) -> Vec<ActionDescription> {
         let explanation = vec![
+            self.create_directory.tracing_synopsis(),
             self.create_or_append_synthetic_conf.tracing_synopsis(),
             self.create_synthetic_objects.tracing_synopsis(),
             self.unmount_volume.tracing_synopsis(),
@@ -123,6 +132,10 @@ impl Action for CreateDeterminateNixVolume {
 
     #[tracing::instrument(level = "debug", skip_all)]
     async fn execute(&mut self) -> Result<(), ActionError> {
+        self.create_directory
+            .try_execute()
+            .await
+            .map_err(Self::error)?;
         self.create_or_append_synthetic_conf
             .try_execute()
             .await
@@ -222,6 +235,7 @@ impl Action for CreateDeterminateNixVolume {
 
     fn revert_description(&self) -> Vec<ActionDescription> {
         let explanation = vec![
+            self.create_directory.tracing_synopsis(),
             self.create_or_append_synthetic_conf.tracing_synopsis(),
             self.create_synthetic_objects.tracing_synopsis(),
             self.unmount_volume.tracing_synopsis(),
@@ -270,6 +284,10 @@ impl Action for CreateDeterminateNixVolume {
             errors.push(err)
         }
 
+        if let Err(err) = self.create_directory.try_revert().await {
+            errors.push(err);
+        }
+
         if errors.is_empty() {
             Ok(())
         } else if errors.len() == 1 {