Support NixOS containers as targets

[vapourismo]

This adds support for applying a configuration to a NixOS container.

Note, this requires the respective container to already exist and be started.

---

Example:

Hive configuration (partial):

{
  # ...

  "test" = _: {
    deployment = {
      targetHost = "example.com";
      targetContainer = "test";
      buildOnTarget = true;
    };

    boot.isContainer = true;

    system = {
      stateVersion = "22.11";

      configurationRevision = "hello-world";
    };
  };
}

Apply the configuration:

λ colmena apply --on test
[INFO ] Using flake: git+file:///path/to/flake
[INFO ] Enumerating nodes...
[INFO ] Selected 1 out of 2 hosts.
      ✅ 7s All done!
 test ✅ 3s Evaluated test
 test ✅ 2s Built "/nix/store/n46xpmzlqvz76bnyl4dlfm26a20qhss1-nixos-system-nixos-22.11pre-git" on target node
 test ✅ 2s Activation successful

Verify:

[root@example.com:~]# nixos-container run test -- nixos-version --json
{"configurationRevision":"hello-world","nixosVersion":"22.11pre-git"}

[bjornfor]

Interesting! Does this work with extra-container too?

Background: I recently wanted to do something similar. I wrote a script to deploy extra-container containers on some (Ubuntu) hosts and then used colmena to manage them from there on. I access the container instead of the host by simply using a non-standard sshd port.

[vapourismo]

I haven't tried it, but I could imagine it might work if you use extra-container to provision the container and then update it with Colmena. However, there is the risk that extra-container detects a container has being changed (because Colmena did so) and resets it when you're trying to update some non-Colmena managed containers.

[vapourismo]

Actually, maybe Colmena can subsume your use of extra-container if it were to check and conditionally provision a container on the target host if it doesn't exist already.

[bjornfor]

Actually, maybe Colmena can subsume your use of extra-container if it were to check and conditionally provision a container on the target host if it doesn't exist already.

In my case the host is Ubuntu, so colmena has no provisioning powers there.

(My deploy script runs extra-container if the host/container is unreachable, then continues to run colmena. When re-running the deploy script, and the host/container is up, it bypasses extra-container and calls colmena directly.)

[vapourismo]

In that case, I think this change won't help you much as the host still needs to be NixOS-ish.

This container deployment mechanism relies on the fact that NixOS shares the Nix store between host and containers.

[bjornfor]

In that case, I think this change won't help you much as the host still needs to be NixOS-ish.

This container deployment mechanism relies on the fact that NixOS shares the Nix store between host and containers.

FYI, the extra-container container I have on Ubuntu does share the Nix store with the host.

[vapourismo]

@zhaofengli, do you have time to look at this?

[zhaofengli]

Hi, sorry for the delay. This is a bit too specialized in my view, and relies on pre-existing configurations on the target host (the container already running). I think something like the profile API in deploy-rs is more flexible to accommodate multiple usecases like this without adding all of them into Colmena itself.

[vapourismo]

Thanks for the comment, @zhaofengli.

This is a bit too specialized in my view, and relies on pre-existing configurations on the target host (the container already running).

I am not sure I follow this argument exactly.

The targetHost also needs to be pre-configured and up when applying, no? So this isn't too different from the existing "target" mechanism in my opinion.