Diffstat (limited to 'krebs/default.nix')
-rw-r--r--krebs/default.nix149
1 files changed, 83 insertions, 66 deletions
diff --git a/krebs/default.nix b/krebs/default.nix
index c23cf152a..31a7f7d04 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -1,14 +1,16 @@
{ current-date
, current-host-name
, current-user-name
+, lib
, stockholm
+, StrictHostKeyChecking ? "yes"
}:
let out = {
inherit deploy;
inherit infest;
inherit init;
- inherit lib;
+ inherit nixos-install;
};
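Review bot: The new `StrictHostKeyChecking ? "yes"` parameter carries no documentation, yet it feeds every `root@<target>` session that `rootssh` opens for deploy, infest and nixos-install, so a caller who passes `"no"` silently switches off host-key verification for all three. A comment above the parameter should spell that out: `# ssh(1) StrictHostKeyChecking used by rootssh for every root@<target> session. "yes" (default) refuses unknown or changed host keys; "no" accepts any key and removes the only protection against running these root scripts on a wrong or impersonated host — use it only for first contact with a freshly provisioned machine.` The `let out = { … }` attrset this hunk edits continues past its last line.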
deploy =
@@ -23,7 +25,7 @@ let out = {
set -efu
(${populate args})
${rootssh target ''
- ${install args}
+ ${nix-install args}
${config.krebs.build.profile}/bin/switch-to-configuration switch
''}
echo OK
@@ -39,63 +41,14 @@ let out = {
# krebs.infest
set -efu
- # XXX type -p is non-standard
- #export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
- # -o 'HostName $ {target.host.infest.addr}' \
- # -o 'Port $ {toString target.host.infest.port}' \
- #"
- #ssh() {
- # eval "$RSYNC_RSH \"\$@\""
- #}
-
- ${lib.rootssh target ''
+ ${rootssh target ''
${builtins.readFile ./4lib/infest/prepare.sh}
${builtins.readFile ./4lib/infest/install-nix.sh}
''}
- (${lib.populate args})
-
- ${lib.rootssh target ''
- export PATH; PATH=/root/.nix-profile/bin:$PATH
-
- src=$(type -p nixos-install)
- cat_src() {
- sed < "$src" "$(
- { sed < "$src" -n '
- /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
- /^nixpkgs=/=
- /^NIX_PATH=/,/^$/{/./=}
-
- # Disable: Copy the NixOS/Nixpkgs sources to the target as
- # the initial contents of the NixOS channel.
- /^srcs=/,/^ln -sfn /=
- '
- } | sed 's:$:s/^/#krebs#/:'
- )"
- }
-
- # Location to insert install
- i=$(sed -n '/^echo "building the system configuration/=' "$src")
-
- {
- cat_src | sed -n "1,$i{p}"
- cat ${lib.doc (install args)}
- cat_src | sed -n "$i,\''${$i!p}"
- } > nixos-install
- chmod +x nixos-install
-
- ## Wrap inserted install into chroot.
- #nix_env=$(cat_src | sed -n '
- # s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
- #')
- #echo nix-env is $nix_env
- #sed -i '
- # s:^nix-env:chroot $mountPoint '"$nix_env"':
- #' nixos-install
-
- unset SSL_CERT_FILE
- ./nixos-install
+ (${nixos-install args})
+ ${rootssh target ''
${builtins.readFile ./4lib/infest/finalize.sh}
''}
'';
@@ -135,10 +88,74 @@ let out = {
EOF
'';
- lib = import ./4lib { lib = import <nixpkgs/lib>; } // rec {
- stockholm-path = ../.;
- nspath = ns: p: stockholm-path + "/${ns}/${p}";
- };
+ nixos-install =
+ { system ? current-host-name
+ , target ? system
+ }@args: let
+ in ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ # krebs.nixos-install
+ (${populate args})
+
+ ${rootssh target ''
+ export PATH; PATH=/root/.nix-profile/bin:$PATH
+
+ src=$(type -p nixos-install)
+ cat_src() {
+ sed < "$src" "$(
+ { sed < "$src" -n '
+ /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
+ /^nixpkgs=/=
+ /^NIX_PATH=/,/^$/{/./=}
+
+ # Disable: Copy the NixOS/Nixpkgs sources to the target as
+ # the initial contents of the NixOS channel.
+ /^srcs=/,/^ln -sfn /=
+ '
+ } | sed 's:$:s/^/#krebs#/:'
+ )"
+ }
+
+ # Location to insert `nix-install`
+ i=$(sed -n '/^echo "building the system configuration/=' "$src")
+
+ {
+ cat_src | sed -n "1,$i{p}"
+ cat ${doc (nix-install args)}
+ cat_src | sed -n "$i,\''${$i!p}"
+ } > nixos-install
+ chmod +x nixos-install
+
+ # Wrap inserted nix-install into chroot.
+ nix_env=$(cat_src | sed -n '
+ s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
+ ')
+ echo "nix-env is $nix_env" >&2
+ findpkg() {(
+ name=$1
+ path=$(find /nix/store \
+ -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
+ | head -n 1 | sed s:^/mnt::)
+ if echo "$path" | grep .; then
+ echo "$name is $path" >&2
+ else
+ echo "Error: package not found: $name" >&2
+ exit 1
+ fi
+ )}
+ cacert=$(findpkg cacert)
+ coreutils=$(findpkg coreutils)
+ cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
+ env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
+ sed -i '
+ s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
+ s:^nix-env:'"$nix_env"':
+ ' nixos-install
+
+ ./nixos-install
+ ''}
+ '';
doc = s:
let b = "EOF${builtins.hashString "sha256" s}"; in
@@ -152,7 +169,7 @@ let out = {
stockholm.users.${current-user-name}.${system}.config
or (abort "unknown system: ${system}, user: ${current-user-name}");
- install =
+ nix-install =
{ system ? current-host-name
, target ? system
}:
@@ -203,11 +220,8 @@ let out = {
current-host = config.krebs.hosts.${current-host-name};
current-user = config.krebs.users.${current-user-name};
- target-host = config.krebs.hosts.${system};
-
methods.dir = config:
let
- can-link = config.host.name == target-host.name;
can-push = config.host.name == current-host.name;
push-method = ''
rsync \
@@ -221,11 +235,11 @@ let out = {
${config.path}/ \
root@${target}:${config.target-path}
'';
- url = "file://${config.host.name}${config.path}";
in
- #if can-link then link-method else
if can-push then push-method else
- throw "cannot source ${url}";
+ let dir = "file://${config.host.name}${config.path}"; in
+ # /!\ revise this message when using more than just push-method
+ throw "No way to push ${dir} from ${current-host.name} to ${target}";
methods.git = config:
rootssh target ''
@@ -251,7 +265,10 @@ let out = {
in out;
rootssh = target: script:
- "ssh root@${target} -T ${doc ''
+ let
+ flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
+ in
+ "ssh ${flags} root@${target} -T ${doc ''
set -efu
${script}
''}";
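Review bot: `rootssh` splices `StrictHostKeyChecking` into the ssh command line unvalidated and unquoted, so anything other than the values ssh accepts becomes a malformed option at run time rather than an evaluation error, and a value containing shell metacharacters would change the command that runs as root on the deploying host. Check it where `flags` is built, e.g. `assert builtins.elem StrictHostKeyChecking [ "yes" "no" "ask" ];` before the `let` (add `"accept-new"` only if the ssh in use is recent enough to know it — not verifiable from this file). A short comment on `flags` should also say that `no` turns every session opened here into an unverified-host connection, since this helper is the single path deploy, infest and nixos-install all go through.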