nixos: Add dry activation for users/groups#136605
Conversation
github-actions
bot
added
6.topic: nixos
dasJ
changed the title
dasJ
changed the title
|
@GrahamcOfBorg test simple |
ofborg
bot
added
10.rebuild-darwin: 0
There was a problem hiding this comment.
I think this is a useful feature but could this be implemented without introducing another option?
system.activationScripts is a module, where we could add a .dryActivate option or so.
Than I would set an environment variable i.e. DRY_ACTIVATE instead of a flag to mark an activation script as dry-able. Does this make sense? I think this way we would duplicate less code.
There was a problem hiding this comment.
This idea sounds better than mine, thank you for the suggestion. Going to force-push soon-ish
There was a problem hiding this comment.
in the original system.activationScripts this function could be moved out and take the also a set parameter.
Then this function could be applied twice for script and dryScript, where the latter one would receive the filtered set.
dasJ
force-pushed
the
feat/dry-activation-scripts
branch
from
bd61bc7 to
db95206
Compare
stigtsp
left a comment
stigtsp
left a comment
There was a problem hiding this comment.
Diff LGTM
Got some minor suggestions.
dasJ
force-pushed
the
feat/dry-activation-scripts
branch
3 times, most recently
from
d51a6dc to
3ec871b
Compare
|
Diff LGTM.
This is pretty cool.
|
|
@grahamc since you know a bit of Perl ;) |
There was a problem hiding this comment.
It looks okay to me. It looks like it could be a bit cleaner by taking the is_dry checks from the parse functions, and before any of those lines print output lines like "The plan is:" vs. "Applying:" and then changing the call sites to only call updateFile if we're not in dry run. What would you think about that?
EDIT: I think about this because it looks like it is sort of doing a "plan" phase already, so adding a dry run, I think, would not be so tricky. If I'm missing something that makes this hard ... understood :).
dasJ
force-pushed
the
feat/dry-activation-scripts
branch
from
3ec871b to
a851b4d
Compare
|
Should all be done now. I also enabled runtime warnings |
|
@GrahamcOfBorg test mutableUsers |
|
Should this be added to the (future) release notes? |
|
@asymmetric The option or the fact that users/groups uses the feature? |
|
Re: ryantm/agenix#55 @dasJ it seems to me like this is maybe a bug with this that it considers an activation script to support dry-activation when one of its deps does not support it. |
|
Oh I'm so sorry, it didn't strike me that third-party repos might add dependencies to existing activation scripts. |
|
@dasJ We're working on adding it. We also need to add it for |
|
@dasJ I pushed a workaround to agenix that just disables dry activation on users and groups for now. So no worries! |
|
This would be also relevant for: https://github.com/Mic92/sops-nix/blob/3e4ebc851c91d1ce5c65da23436726c555a0d7e8/modules/sops/default.nix#L171 |
|
@Mic92 It's not relevant since the problem only occurs when adding dependencies to an activation script that does support dry mode to depend on scripts that don't. Last night I had an idea how to properly fix this and I'll try to implement it now. |
8 participants
Motivation for this change
This can be extended to any degree with activation scripts offering dry-activation modes.
The users-groups activation script seemed like a good place to start because the removal of users/groups is something that's nice to know before it actually happens.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)