nixos-rebuild-ng: allow deploying closures (#482430)

phaer · web-flow · commit d8fe9f45bb7e · 2026-01-22T13:58:18.000Z
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -1107,6 +1107,9 @@ in
   nixos-rebuild-specialisations = runTestOn [ "x86_64-linux" ] {
     imports = [ ./nixos-rebuild-specialisations.nix ];
   };
+  nixos-rebuild-store-path = runTestOn [ "x86_64-linux" ] {
+    imports = [ ./nixos-rebuild-store-path.nix ];
+  };
   nixos-rebuild-target-host = runTest {
     imports = [ ./nixos-rebuild-target-host.nix ];
   };
diff --git a/nixos/tests/nixos-rebuild-store-path.nix b/nixos/tests/nixos-rebuild-store-path.nix
@@ -0,0 +1,101 @@
+{ hostPkgs, ... }:
+{
+  name = "nixos-rebuild-store-path";
+
+  # TODO: remove overlay from  nixos/modules/profiles/installation-device.nix
+  #        make it a _small package instead, then remove pkgsReadOnly = false;.
+  node.pkgsReadOnly = false;
+
+  nodes = {
+    machine =
+      { lib, pkgs, ... }:
+      {
+        imports = [
+          ../modules/profiles/installation-device.nix
+          ../modules/profiles/base.nix
+        ];
+
+        nix.settings = {
+          substituters = lib.mkForce [ ];
+          hashed-mirrors = null;
+          connect-timeout = 1;
+        };
+
+        system.includeBuildDependencies = true;
+
+        system.extraDependencies = [
+          # Not part of the initial build apparently?
+          pkgs.grub2
+        ];
+
+        system.switch.enable = true;
+
+        virtualisation = {
+          cores = 2;
+          memorySize = 4096;
+        };
+      };
+  };
+
+  testScript =
+    let
+      configFile =
+        hostname:
+        hostPkgs.writeText "configuration.nix" # nix
+          ''
+            { lib, pkgs, ... }: {
+              imports = [
+                ./hardware-configuration.nix
+                <nixpkgs/nixos/modules/testing/test-instrumentation.nix>
+              ];
+
+              boot.loader.grub = {
+                enable = true;
+                device = "/dev/vda";
+                forceInstall = true;
+              };
+
+              documentation.enable = false;
+
+              networking.hostName = "${hostname}";
+            }
+          '';
+
+    in
+    # python
+    ''
+      machine.start()
+      machine.succeed("udevadm settle")
+      machine.wait_for_unit("multi-user.target")
+
+      machine.succeed("nixos-generate-config")
+
+      with subtest("Build configuration without switching"):
+          machine.copy_from_host(
+              "${configFile "store-path-test"}",
+              "/etc/nixos/configuration.nix",
+          )
+          store_path = machine.succeed("nix-build '<nixpkgs/nixos>' -A system --no-out-link").strip()
+          machine.succeed(f"test -f {store_path}/nixos-version")
+
+      with subtest("Switch using --store-path"):
+          machine.succeed(f"nixos-rebuild switch --store-path {store_path}")
+          hostname = machine.succeed("cat /etc/hostname").strip()
+          assert hostname == "store-path-test", f"Expected hostname 'store-path-test', got '{hostname}'"
+
+      with subtest("Test using --store-path"):
+          machine.copy_from_host(
+              "${configFile "store-path-test-2"}",
+              "/etc/nixos/configuration.nix",
+          )
+          store_path_2 = machine.succeed("nix-build '<nixpkgs/nixos>' -A system --no-out-link").strip()
+          machine.succeed(f"nixos-rebuild test --store-path {store_path_2}")
+          hostname = machine.succeed("cat /etc/hostname").strip()
+          assert hostname == "store-path-test-2", f"Expected hostname 'store-path-test-2', got '{hostname}'"
+
+      with subtest("Ensure --store-path rejects invalid combinations"):
+          machine.fail(f"nixos-rebuild switch --store-path {store_path} --rollback")
+          machine.fail(f"nixos-rebuild switch --store-path {store_path} --flake .")
+          machine.fail(f"nixos-rebuild build --store-path {store_path}")
+    '';
+}
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/nixos-rebuild.8.scd b/pkgs/by-name/ni/nixos-rebuild-ng/nixos-rebuild.8.scd
@@ -21,7 +21,7 @@ nixos-rebuild - reconfigure a NixOS machine
 _nixos-rebuild_ \[--verbose] [--quiet] [--max-jobs MAX_JOBS] [--cores CORES] [--log-format LOG_FORMAT] [--keep-going] [--keep-failed] [--fallback] [--repair] [--option OPTION OPTION] [--builders BUILDERS] [--include INCLUDE]++
 	\[--print-build-logs] [--show-trace] [--accept-flake-config] [--refresh] [--impure] [--offline] [--no-net] [--recreate-lock-file] [--no-update-lock-file] [--no-write-lock-file] [--no-registries] [--commit-lock-file]++
 	\[--update-input UPDATE_INPUT] [--override-input OVERRIDE_INPUT OVERRIDE_INPUT] [--no-build-output] [--use-substitutes] [--help] [--debug] [--file FILE] [--attr ATTR] [--flake [FLAKE]] [--no-flake] [--install-bootloader]++
-	\[--profile-name PROFILE_NAME] [--specialisation SPECIALISATION] [--rollback] [--upgrade] [--upgrade-all] [--json] [--ask-sudo-password] [--sudo] [--no-reexec]++
+	\[--profile-name PROFILE_NAME] [--specialisation SPECIALISATION] [--rollback] [--store-path STORE_PATH] [--upgrade] [--upgrade-all] [--json] [--ask-sudo-password] [--sudo] [--no-reexec]++
 	\[--build-host BUILD_HOST] [--target-host TARGET_HOST] [--no-build-nix] [--image-variant IMAGE_VARIANT]++
 	\[{switch,boot,test,build,edit,repl,dry-build,dry-run,dry-activate,build-image,build-vm,build-vm-with-bootloader,list-generations}]
 
@@ -182,6 +182,20 @@ It must be one of the following:
 	(The previous configuration is defined as the one before the “current”
 	generation of the Nix profile _/nix/var/nix/profiles/system_.)
 
+*--store-path* _path_
+	Use a pre-built NixOS system store path at _path_ instead of evaluating
+	and building from the configuration. This skips the evaluation and build
+	phases entirely. The path must be a valid NixOS system closure
+	(containing _nixos-version_ and _bin/switch-to-configuration_).
+
+	This is useful for deploying closures that were built elsewhere, such as
+	in CI systems or on remote build machines.
+
+	Can only be used with *switch*, *boot*, *test*, and *dry-activate*
+	actions. Mutually exclusive with *--rollback*, *--flake*, *--file*, and
+	*--attr*. The *--build-host* option is ignored when *--store-path* is
+	specified.
+
 *--builders* _builder-spec_
 	Allow ad-hoc remote builders for building the new system. This requires
 	the user executing *nixos-rebuild* (usually root) to be configured as a
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/package.nix b/pkgs/by-name/ni/nixos-rebuild-ng/package.nix
@@ -98,6 +98,7 @@ python3Packages.buildPythonApplication rec {
           # FIXME: this test is disabled since it times out in @ofborg
           # nixos-rebuild-install-bootloader
           nixos-rebuild-specialisations
+          nixos-rebuild-store-path
           nixos-rebuild-target-host
           ;
         repl = callPackage ./tests/repl.nix { };
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/__init__.py b/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/__init__.py
@@ -136,6 +136,11 @@ def get_parser() -> tuple[argparse.ArgumentParser, dict[str, argparse.ArgumentPa
         action="store_true",
         help="Roll back to the previous configuration",
     )
+    main_parser.add_argument(
+        "--store-path",
+        metavar="PATH",
+        help="Use a pre-built NixOS system store path instead of building",
+    )
     main_parser.add_argument(
         "--upgrade",
         action="store_true",
@@ -269,6 +274,22 @@ def parser_warn(msg: str) -> None:
     if args.flake and (args.file or args.attr):
         parser.error("--flake cannot be used with --file or --attr")
 
+    if args.store_path:
+        if args.rollback:
+            parser.error("--store-path and --rollback are mutually exclusive")
+        if args.flake or args.file or args.attr:
+            parser.error("--store-path cannot be used with --flake, --file, or --attr")
+        if args.action not in (
+            Action.SWITCH.value,
+            Action.BOOT.value,
+            Action.TEST.value,
+            Action.DRY_ACTIVATE.value,
+        ):
+            parser.error(f"--store-path cannot be used with '{args.action}'")
+        if args.flake is None:
+            # Disable flake auto-detection since we're using a pre-built store path
+            args.flake = False
+
     return args, grouped_nix_args
 
 
@@ -297,7 +318,7 @@ def execute(argv: list[str]) -> None:
     build_attr = BuildAttr.from_arg(args.attr, args.file)
     flake = Flake.from_arg(args.flake, target_host)
 
-    if can_run and not flake:
+    if can_run and not flake and not args.store_path:
         services.write_version_suffix(grouped_nix_args)
 
     match action:
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/services.py b/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/services.py
@@ -290,7 +290,14 @@ def build_and_activate_system(
         grouped_nix_args=grouped_nix_args,
     )
 
-    if args.rollback:
+    if args.store_path:
+        path_to_config = Path(args.store_path)
+        nix.copy_closure(
+            path_to_config,
+            to_host=target_host,
+            copy_flags=grouped_nix_args.copy_flags,
+        )
+    elif args.rollback:
         path_to_config = _rollback_system(
             action=action,
             args=args,
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/src/tests/test_main.py b/pkgs/by-name/ni/nixos-rebuild-ng/src/tests/test_main.py

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,7 @@ python3Packages.buildPythonApplication rec {`
`98`	`98`	`# FIXME: this test is disabled since it times out in @ofborg`
`99`	`99`	`# nixos-rebuild-install-bootloader`
`100`	`100`	`nixos-rebuild-specialisations`
	`101`	`+ nixos-rebuild-store-path`
`101`	`102`	`nixos-rebuild-target-host`
`102`	`103`	`;`
`103`	`104`	`repl = callPackage ./tests/repl.nix { };`