try-connect: use for deploy scripts

flake.nix

@@ -94,7 +94,10 @@
         {
           ${localSystem} =
             let
-              pkgs = nixpkgs.legacyPackages.${localSystem};
+              pkgs = import nixpkgs {
+                system = localSystem;
+                overlays = [ self.overlays.default ];
+              };
               lib = nixpkgs.lib;
             in
             lib.mergeAttrsList [
@@ -113,45 +116,31 @@
                   hostname:
                   let
                     machines = import lib/machines.nix;
-                    systemAddresses =
-                      system:
-                      lib.optionals (system ? "internalIp") [ system.internalIp ]
-                      ++ lib.optionals (system ? "externalIp") [ system.externalIp ]
-                      ++ lib.optionals (system ? "retiolum") [
-                        system.retiolum.ipv6
-                        system.retiolum.ipv4
-                      ]
-                      ++ lib.optionals (system ? "mycelium") [ system.mycelium.ipv6 ];
-                    addresses = lib.listToAttrs (
-                      map (name: {
-                        inherit name;
-                        value = systemAddresses (machines.${hostname});
-                      }) (builtins.attrNames self.nixosConfigurations)
-                    );
                     deployScript = pkgs.writers.writeBash "deploy-${hostname}" ''
-                      # try to connect to any of the known addresses
+                      reachable=$(${pkgs.try-connect.${hostname}}/bin/try-connect)
-                      targets=(
+
-                        ${lib.concatStringsSep " " (map (addr: "\"root@${addr}\"") addresses.${hostname})}
+                      if [ -z "$reachable" ]; then
-                      )
-                      for target in "''${targets[@]}"; do
-                        nc -z -w 2 "$(echo $target | cut -d'@' -f2)" ${
-                          toString machines.${hostname}.sshPort
-                        } && reachable_target=$target && break
-                      done
-                      if [ -z "$reachable_target" ]; then
-                        echo "No reachable target found for ${hostname}" >&2
                         exit 1
                       fi
-                      echo "Deploying to ${hostname} via $reachable_target"
+
-                      export NIX_SSHOPTS='-p ${toString machines.${hostname}.sshPort}'
+                      target="root@$reachable"
+                      echo "Deploying to ${hostname} via $target"
+
+                      # Set SSH options based on address type
+                      if [[ "$reachable" == *.onion ]]; then
+                        export NIX_SSHOPTS="-p ${
+                          toString machines.${hostname}.sshPort
+                        } -o ProxyCommand='${pkgs.netcat}/bin/nc -x localhost:9050 %h %p' -o ControlPath=none"
+                      else
+                        export NIX_SSHOPTS="-p ${toString machines.${hostname}.sshPort}"
+                      fi
+
                       ${pkgs.nixos-rebuild-ng}/bin/nixos-rebuild-ng switch \
                         --max-jobs 2 \
                         --log-format internal-json \
                         --flake .#${hostname} \
-                        --target-host "$reachable_target" \
+                        --target-host "$target" \
-                        ${
+                        ${lib.optionalString (localSystem != machines.${hostname}.system) "--build-host $target"} \
-                          lib.optionalString (localSystem != machines.${hostname}.system) "--build-host $reachable_target"
-                        } \
                         |& ${pkgs.nix-output-monitor}/bin/nom --json
                     '';
                   in
@@ -321,6 +310,7 @@
         tocharian-font = prev.callPackage packages/tocharian-font.nix { };
         ttspaste = prev.callPackage packages/ttspaste.nix { };
         niveum-ssh = prev.callPackage packages/niveum-ssh.nix { };
+        try-connect = prev.callPackage packages/try-connect.nix {};
         unicodmenu = prev.callPackage packages/unicodmenu.nix { };
         vg = prev.callPackage packages/vg.nix { };
         vim-kmein = prev.callPackage packages/vim-kmein { };
@@ -382,7 +372,10 @@
         {
           ful = nixpkgs.lib.nixosSystem {
             system = "aarch64-linux";
-            modules = profiles.default ++ profiles.server ++ [
+            modules =
+              profiles.default
+              ++ profiles.server
+              ++ [
                 systems/ful/configuration.nix
                 self.nixosModules.panoptikon
                 self.nixosModules.go-webring
@@ -393,7 +386,10 @@
           };
           zaatar = nixpkgs.lib.nixosSystem {
             system = "x86_64-linux";
-            modules = profiles.default ++ profiles.server ++ [
+            modules =
+              profiles.default
+              ++ profiles.server
+              ++ [
                 systems/zaatar/configuration.nix
               ];
           };
@@ -408,7 +404,10 @@
           };
           makanek = nixpkgs.lib.nixosSystem {
             system = "x86_64-linux";
-            modules = profiles.default ++ profiles.server ++ [
+            modules =
+              profiles.default
+              ++ profiles.server
+              ++ [
                 systems/makanek/configuration.nix
                 self.nixosModules.telegram-bot
                 nur.modules.nixos.default
@@ -534,6 +533,7 @@
             timer
             tocharian-font
             trans
+            try-connect
             ttspaste
             unicodmenu
             untilport

packages/niveum-ssh.nix

@@ -4,63 +4,31 @@
   lib,
   netcat,
   openssh,
+  try-connect,
 }:
 let
   inherit (lib.niveum) machines;
   sshableMachines = lib.filterAttrs (name: value: value ? "sshPort") machines;
-  systemAddresses =
-    system:
-    lib.optionals (system ? "internalIp") [ system.internalIp ]
-    ++ lib.optionals (system ? "externalIp") [ system.externalIp ]
-    ++ lib.optionals (system ? "retiolum") [
-      system.retiolum.ipv6
-      system.retiolum.ipv4
-    ]
-    ++ lib.optionals (system ? "mycelium") [ system.mycelium.ipv6 ]
-    ++ lib.optionals (system ? "torAddress") [ system.torAddress ];
-  addresses = lib.listToAttrs (
-    map (name: {
-      inherit name;
-      value = systemAddresses (machines.${name});
-    }) (builtins.attrNames sshableMachines)
-  );
 in
 symlinkJoin {
   name = "niveum-ssh";
   paths = lib.mapAttrsToList (
     hostname: _:
     writers.writeBashBin "niveum-ssh-${hostname}" ''
-      targets=(
+      reachable=$(${try-connect.${hostname}}/bin/try-connect)
-        ${lib.concatStringsSep " " (map (addr: "\"root@${addr}\"") addresses.${hostname})}
-      )
 
-      for target in "''${targets[@]}"; do
+      if [ -z "$reachable" ]; then
-        host="$(echo $target | cut -d'@' -f2)"
+        exit 1
+      fi
 
-        # Check if it's an onion address
+      if [[ "$reachable" == *.onion ]]; then
-        if [[ "$host" == *.onion ]]; then
-          # For onion addresses, try connecting through Tor
-          if ${netcat}/bin/nc -z localhost 9050 2>/dev/null; then
-            echo "Trying $target via Tor..." >&2
-            if echo | ${netcat}/bin/nc -x localhost:9050 -w 5 "$host" ${
-              toString machines.${hostname}.sshPort
-            } 2>/dev/null; then
         exec ${openssh}/bin/ssh -p ${toString machines.${hostname}.sshPort} \
           -o ProxyCommand="${netcat}/bin/nc -x localhost:9050 %h %p" \
-                "$target" "$@"
+          "root@$reachable" "$@"
-            fi
-          fi
       else
-          # For regular addresses, try direct connection
+        exec ${openssh}/bin/ssh -p ${toString machines.${hostname}.sshPort} \
-          echo "Trying $target..." >&2
+          "root@$reachable" "$@"
-          if ${netcat}/bin/nc -z -w 2 "$host" ${toString machines.${hostname}.sshPort} 2>/dev/null; then
-            exec ${openssh}/bin/ssh -p ${toString machines.${hostname}.sshPort} "$target" "$@"
       fi
-        fi
-      done
-
-      echo "No reachable target found for ${hostname}" >&2
-      exit 1
     ''
   ) sshableMachines;
 }

packages/try-connect.nix

@@ -0,0 +1,53 @@
+{
+  lib,
+  writers,
+  netcat,
+}:
+let
+  inherit (lib.niveum) machines;
+  sshableMachines = lib.filterAttrs (name: value: value ? "sshPort") machines;
+  systemAddresses =
+    system:
+    lib.optionals (system ? "internalIp") [ system.internalIp ]
+    ++ lib.optionals (system ? "externalIp") [ system.externalIp ]
+    ++ lib.optionals (system ? "retiolum") [
+      system.retiolum.ipv6
+      system.retiolum.ipv4
+    ]
+    ++ lib.optionals (system ? "mycelium") [ system.mycelium.ipv6 ]
+    ++ lib.optionals (system ? "torAddress") [ system.torAddress ];
+  addresses = lib.listToAttrs (
+    map (name: {
+      inherit name;
+      value = systemAddresses (machines.${name});
+    }) (builtins.attrNames sshableMachines)
+  );
+in
+lib.mapAttrs (
+  name: _:
+  writers.writeBashBin "try-connect" ''
+    port=${toString machines.${name}.sshPort}
+
+    for addr in ${lib.concatStringsSep " " addresses.${name}}; do
+      # Check if it's an onion address
+      if [[ "$addr" == *.onion ]]; then
+        if ${netcat}/bin/nc -z localhost 9050 2>/dev/null; then
+          echo "Trying $addr via Tor..." >&2
+          if echo | ${netcat}/bin/nc -z -x localhost:9050 -w 5 "$addr" "$port" 2>/dev/null; then
+            echo "$addr"
+            exit 0
+          fi
+        fi
+      else
+        echo "Trying $addr..." >&2
+        if ${netcat}/bin/nc -z -w 2 "$addr" "$port" 2>/dev/null; then
+          echo "$addr"
+          exit 0
+        fi
+      fi
+    done
+
+    echo "No reachable address found for ${name}" >&2
+    exit 1
+  ''
+) sshableMachines