From 6cda28182a8bca6ae434a406954da4fbf14b4f1b Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Sat, 18 Nov 2023 06:47:34 +0400 Subject: [PATCH] first test --- .drone.yml | 146 ++++++++++++++++++++ nixos-infect | 378 ++++++++++++++++++++++++--------------------------- 2 files changed, 325 insertions(+), 199 deletions(-) create mode 100644 .drone.yml diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..2eefbc7 --- /dev/null +++ b/.drone.yml @@ -0,0 +1,146 @@ +kind: pipeline +type: exec +name: default + +steps: +- name: deploy + environment: + PASSWORD: + from_secret: HETZNER_TOKEN + DOMAIN: + from_secret: DOMAIN + CLOUDFLARE_TOKEN: + from_secret: CLOUDFLARE_TOKEN + USER_PASS: + from_secret: USER_PASS + + commands: + # Create infect user script and then export it to a remote machine on server creation. + - echo '#!/bin/sh' > infect.sh + - echo "curl https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/branch/$DRONE_SOURCE_BRANCH/nixos-infect | PROVIDER=hetzner DOMAIN=$DOMAIN LUSER=cicdcicd ENCODED_PASSWORD=\"$(printf $USER_PASS | base64)\" CF_TOKEN=$CLOUDFLARE_TOKEN DB_PASSWORD=$USER_PASS API_TOKEN=$USER_PASS HOSTNAME=selfprivacy-ci-test DNS_PROVIDER_TYPE=CLOUDFLARE STAGING_ACME=false NIX_VERSION=2.18.2 NIXOS_CONFIG_NAME=sp-nixos CONFIG_URL=https://git.selfprivacy.org/api/v1/repos/alexoundos/selfprivacy-nixos-top-level/archive/master.tar.gz bash 2>&1 | tee /root/infect.log" >> infect.sh + - http -v --check-status --ignore-stdin POST https://api.hetzner.cloud/v1/servers Authorization:"Bearer $PASSWORD" name=ci-sibling server_type=cx11 start_after_create:=true image=ubuntu-20.04 user_data=@infect.sh automount:=false location=fsn1 + - echo "Wait for 100 seconds." + - sleep 100 + - false + +- name: dns + environment: + PASSWORD: + from_secret: HETZNER_TOKEN + CLOUDFLARE_TOKEN: + from_secret: CLOUDFLARE_TOKEN + DOMAIN: + from_secret: DOMAIN + ZONE_ID: + from_secret: ZONE_ID + + commands: + # Read all available machines and export IP of 'ci-sibling' + # Create DNS entires for main domain and subdomains + - > + curl -s -H "Authorization: Bearer $PASSWORD" 'https://api.hetzner.cloud/v1/servers' > .machine.json + - > + export machineip=$( for i in {0..24}; do jq 'if .servers['$i'].name == "ci-sibling" then .servers['$i'].public_net.ipv4.ip else null end' .machine.json; done | grep -v null | sed 's/"//' | sed 's/"//' ) + - echo $machineip + - > + curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN" + -H "Authorization: Bearer $CLOUDFLARE_TOKEN" + -H "Content-Type: application/json" + - > + curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" + -H "Authorization: Bearer $CLOUDFLARE_TOKEN" + -H "Content-Type: application/json" + --data '{"type":"A","name":"@","content":"'"$$machineip"'","ttl":3600,"priority":10,"proxied":false}' + - > + http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=api content=$machineip ttl:=3600 priority:=10 proxied:=false + - > + http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=cloud content=$machineip ttl:=3600 priority:=10 proxied:=false + - > + http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=password content=$machineip ttl:=3600 priority:=10 proxied:=false + - > + curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" + -H "Authorization: Bearer $CLOUDFLARE_TOKEN" + -H "Content-Type: application/json" + --data '{"type":"MX","name":"@","content":"'"$$DOMAIN"'","ttl":3600,"priority":10,"proxied":false}' + - > + curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" + -H "Authorization: Bearer $CLOUDFLARE_TOKEN" + -H "Content-Type: application/json" + --data '{"type":"TXT","name":"_dmarc","content":"v=DMARC1; p=none","ttl":18000,"priority":10,"proxied":false}' + - > + curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" + -H "Authorization: Bearer $CLOUDFLARE_TOKEN" + -H "Content-Type: application/json" + --data '{"type":"TXT","name":"'"$$DOMAIN"'","content":"v=spf1 a mx ip4:$machineip -all","ttl":18000,"priority":10,"proxied":false}' + +- name: sleep + commands: + - echo "Wait for 100 seconds." + - sleep 100 + +- name: test + environment: + DOMAIN: + from_secret: DOMAIN + USER_PASS: + from_secret: USER_PASS + TEST_EMAIL_PASS: + from_secret: TEST_EMAIL_PASS + commands: + - > + dig api.$DOMAIN + - > + http -v --verify=false --check-status --ignore-stdin GET https://api.$DOMAIN/services/status Authorization:"Bearer $USER_PASS" + - > + swaks --to ci@$DOMAIN -s selfprivacy.org -tls -au test@selfprivacy.org -ap $TEST_EMAIL_PASS + - > + http -v --verify=false --check-status --ignore-stdin GET https://cloud.$DOMAIN/ocs/v2.php/apps/serverinfo/api/v1/info?format=json -a admin:$USER_PASS + - > + echo "File to test nextcloud upload" > file + - > + http -v --verify=false --check-status --ignore-stdin PUT https://cloud.$DOMAIN/remote.php/dav/files/admin/file @file -a admin:$USER_PASS + - > + http -v --verify=false --check-status --ignore-stdin GET https://cloud.$DOMAIN/remote.php/dav/files/admin/file -a admin:$USER_PASS + #- > + #http -v --verify=false --check-status --ignore-stdin GET https://password.$DOMAIN/admin/diagnostics + +- name: teardown + environment: + PASSWORD: + from_secret: HETZNER_TOKEN + CLOUDFLARE_TOKEN: + from_secret: CLOUDFLARE_TOKEN + DOMAIN: + from_secret: DOMAIN + ZONE_ID: + from_secret: ZONE_ID + commands: + # Delete our machine called 'ci-sibling' and all the found DNS records on it. + - > + curl -s "https://api.hetzner.cloud/v1/servers" -H "Authorization: Bearer $PASSWORD" > .hetzner_servers.json + - > + export machineid=$( for i in {0..24}; do jq 'if .servers['$i'].name == "ci-sibling" then .servers['$i'].id else null end' .hetzner_servers.json; done | grep -v null | sed 's/"//g') + - > + curl -s -X DELETE "https://api.hetzner.cloud/v1/servers/$machineid" -H "Authorization: Bearer $PASSWORD" + - > + json=$(curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" -H "Authorization: Bearer $CLOUDFLARE_TOKEN" -H "Content-Type: application/json") + - > + echo "$json" > .dns-records.json + - > + result=$(jq -r ".result" <<< "$json") + - > + echo "$ZONE_ID" + - > + echo "$result" | jq '.[] | "\(.id)"' | while read id ; do echo "Deleting $id"; http -v --check-status --ignore-stdin DELETE https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$(echo $id | cut -f 2 -d '"') Authorization:"Bearer $CLOUDFLARE_TOKEN"; done + when: + status: + - failure + - success + +- name: switch + environment: + CHANNEL_SWITCHER_KEY: + from_secret: CHANNEL_SWITCHER_KEY + commands: + - > + curl -X POST -H "Authorization: $CHANNEL_SWITCHER_KEY" 'https://channel.selfprivacy.org/nixos-selfpricacy/upgrade' diff --git a/nixos-infect b/nixos-infect index ba285ec..1c2878f 100755 --- a/nixos-infect +++ b/nixos-infect @@ -1,205 +1,129 @@ #! /usr/bin/env bash -# More info at: https://github.com/elitak/nixos-infect +# More info at: +# - https://github.com/elitak/nixos-infect +# - https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect -set -e -o pipefail +: "${API_TOKEN:?API_TOKEN variable is not set}" +: "${DOMAIN:?DOMAIN variable is not set}" +: "${LUSER:?LUSER variable is not set}" +: "${HOSTNAME:?HOSTNAME variable is not set}" +: "${PROVIDER:?PROVIDER variable is not set}" +: "${DNS_PROVIDER_TYPE:?DNS_PROVIDER_TYPE variable is not set}" +: "${STAGING_ACME:?STAGING_ACME variable is not set}" +: "${CF_TOKEN:?CF_TOKEN variable is not set}" +: "${DB_PASSWORD:?DB_PASSWORD variable is not set}" +: "${ENCODED_PASSWORD:?ENCODED_PASSWORD variable is not set}" +: "${NIX_VERSION:?NIX_VERSION variable is not set}" +: "${NIXOS_CONFIG_NAME:?NIXOS_CONFIG_NAME variable is not set}" +: "${SUDO_USER:?SUDO_USER variable is not set}" +: "${CONFIG_URL:?CONFIG_URL variable is not set}" -makeConf() { - # Skip everything if main config already present - [[ -e /etc/nixos/configuration.nix ]] && return 0 - if [[ -z $PASSWORD ]]; then - export PASSWORD=$(printf $ENCODED_PASSWORD | base64 --decode) - fi +readonly LOCAL_FLAKE_DIR="/etc/nixos" +readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json" - if [[ -z $DNS_PROVIDER_TYPE ]]; then - export DNS_PROVIDER_TYPE='CLOUDFLARE' - fi +# Merge original userdata.json with deployment specific fields and print result. +genUserdata() { + local password HASHED_PASSWORD userdata_infect + password=$(printf "%s" "$ENCODED_PASSWORD" | base64 --decode) + HASHED_PASSWORD=$(mkpasswd -m sha-512 "$password") - if [[ -z $STAGING_ACME ]]; then - export STAGING_ACME='false' - fi + userdata_infect=$(cat << EOF +{ + "dns": { + "provider": "$DNS_PROVIDER_TYPE", + "useStagingACME": "$STAGING_ACME" + }, + "server": { + "provider": "$PROVIDER" + }, + "domain": "DOMAIN", + "hashedMasterPassword": "$HASHED_PASSWORD", + "hostname": "HOSTNAME", + "username": "$LADMIN" +} +EOF +) - export ESCAPED_PASSWORD=$(printf $ENCODED_PASSWORD | base64 --decode | jq -Rs .) - export HASHED_PASSWORD=$( mkpasswd -m sha-512 "$PASSWORD" ) + jq -s '.[0] * .[1]' \ + "${1:?no userdata.json given to merge with}" <(printf "%s" "$userdata_infect") +} - # NB <<"EOF" quotes / $ ` in heredocs, < /etc/nixos/userdata/userdata.json << EOF + cat << EOF { "api": { "token": "$API_TOKEN", "skippedMigrations": ["migrate_to_selfprivacy_channel", "mount_volume"] }, - "backup": { - "provider": "BACKBLAZE", - "accountId": "$BACKBLAZE_KEY_ID", - "accountKey": "$BACKBLAZE_ACCOUNT_KEY", - "bucket": "$BACKBLAZE_BUCKET_NAME" - }, - "bitwarden": { - "enable": true, - "location": "sdb" - }, - "dns": { - "provider": "$DNS_PROVIDER_TYPE", - "apiKey": "$CF_TOKEN", - "useStagingACME": $STAGING_ACME - }, - "server": { - "provider": "HETZNER" - }, "databasePassword": "$DB_PASSWORD", - "domain": "$DOMAIN", - "hashedMasterPassword": "$HASHED_PASSWORD", - "hostname": "$HOSTNAME", - "nextcloud": { - "enable": true, - "adminPassword": $ESCAPED_PASSWORD, - "databasePassword": $ESCAPED_PASSWORD, - "location": "sdb" + "dns": { + "apiKey": "$CF_TOKEN" }, - "gitea": { - "enable": true, - "location": "sdb" + "modules": { + "nextcloud": { + "adminPassword": $ESCAPED_PASSWORD, + "databasePassword": $ESCAPED_PASSWORD, + } }, - "jitsi": { - "enable": true - }, - "ocserv": { - "enable": false - }, - "pleroma": { - "enable": false, - "location": "sdb" - }, - "timezone": "Europe/Uzhgorod", - "resticPassword": $ESCAPED_PASSWORD, - "username": "$LUSER", - "volumes": [ - { - "device": "/dev/sdb", - "mountPoint": "/volumes/sdb", - "fsType": "ext4" - } - ], - "useBinds": true + "resticPassword": $ESCAPED_PASSWORD } EOF - chmod 0600 /etc/nixos/userdata/userdata.json +} - if isEFI; then +genHardwareConfiguration() { + local bootcfg + if ((isEFI)); then bootcfg=$(cat << EOF boot.loader.grub = { efiSupport = true; efiInstallAsRemovable = true; device = "nodev"; }; - fileSystems."/boot" = { device = "$esp"; fsType = "vfat"; }; + fileSystems."/boot" = { device = "$ESP"; fsType = "vfat"; }; EOF ) else bootcfg=$(cat << EOF - boot.loader.grub.device = "$grubdev"; + boot.loader.grub.device = "$GRUBDEV"; EOF ) fi - # If you rerun this later, be sure to prune the filesSystems attr - cat > /etc/nixos/hardware-configuration.nix << EOF + cat << EOF { modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; $bootcfg boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "$rootfsdev"; fsType = "$rootfstype"; }; + fileSystems."/" = { device = "$ROOTFSDEV"; fsType = "$ROOTFSTYPE"; }; } EOF - - [[ -n "$doNetConf" ]] && makeNetworkingConf || true } -makeNetworkingConf() { - # XXX It'd be better if we used procfs for all this... - local IFS=$'\n' - eth0_name=$(ip address show | grep '^2:' | awk -F': ' '{print $2}') - eth0_ip4s=$(ip address show dev "$eth0_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|') - eth0_ip6s=$(ip address show dev "$eth0_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '') - gateway=$(ip route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9.]+).*|\1|') - gateway6=$(ip -6 route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|' || true) - ether0=$(ip address show dev "$eth0_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|') - - eth1_name=$(ip address show | grep '^3:' | awk -F': ' '{print $2}')||true - if [ -n "$eth1_name" ];then - eth1_ip4s=$(ip address show dev "$eth1_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|') - eth1_ip6s=$(ip address show dev "$eth1_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '') - ether1=$(ip address show dev "$eth1_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|') - interfaces1=<< EOF - $eth1_name = { - ipv4.addresses = [$(for a in "${eth1_ip4s[@]}"; do echo -n " - $a"; done) - ]; - ipv6.addresses = [$(for a in "${eth1_ip6s[@]}"; do echo -n " - $a"; done) - ]; -EOF - extraRules1="ATTR{address}==\"${ether1}\", NAME=\"${eth1_name}\"" - else - interfaces1="" - extraRules1="" +setupConf() { + mkdir -p ${LOCAL_FLAKE_DIR} + if ! curl "${CONFIG_URL}" | tar -xz -C ${LOCAL_FLAKE_DIR} --strip-components=1 + then + echo "Error downloading/extracting top level flake configuration!" + exit 1 fi - readarray nameservers < <(grep ^nameserver /etc/resolv.conf | sed -r \ - -e 's/^nameserver[[:space:]]+([0-9.a-fA-F:]+).*/"\1"/' \ - -e 's/127[0-9.]+/8.8.8.8/' \ - -e 's/::1/8.8.8.8/' ) + # generate and write hardware-configuration.nix + genHardwareConfiguration > ${LOCAL_FLAKE_DIR}/hardware-configuration.nix - if [[ "$eth0_name" = eth* ]]; then - predictable_inames="usePredictableInterfaceNames = lib.mkForce false;" - else - predictable_inames="usePredictableInterfaceNames = lib.mkForce true;" - fi - cat > /etc/nixos/networking.nix << EOF -{ lib, ... }: { - # This file was populated at runtime with the networking - # details gathered from the active system. - networking = { - nameservers = [ ${nameservers[@]} ]; - defaultGateway = "${gateway}"; - defaultGateway6 = "${gateway6}"; - dhcpcd.enable = false; - $predictable_inames - interfaces = { - $eth0_name = { - ipv4.addresses = [$(for a in "${eth0_ip4s[@]}"; do echo -n " - $a"; done) - ]; - ipv6.addresses = [$(for a in "${eth0_ip6s[@]}"; do echo -n " - $a"; done) - ]; - ipv4.routes = [ { address = "${gateway}"; prefixLength = 32; } ]; - ipv6.routes = [ { address = "${gateway6}"; prefixLength = 128; } ]; - }; - $interfaces1 - }; - }; - services.udev.extraRules = '' - ATTR{address}=="${ether0}", NAME="${eth0_name}" - $extraRules1 - ''; -} -EOF + # generate infected userdata based on original + local userdataInfected + userdataInfected="$(genUserdata ${LOCAL_FLAKE_DIR}/userdata.json)" + printf "%s" "$userdataInfected" > ${LOCAL_FLAKE_DIR}/userdata.json + + # generate and write secrets + local secrets + secrets="$(genSecrets)" + install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH} } makeSwap() { @@ -216,12 +140,8 @@ removeSwap() { rm -vf /tmp/nixos-infect.*.swp } -isEFI() { - [ -d /sys/firmware/efi ] -} - findESP() { - esp="" + local esp for d in /boot/EFI /boot/efi /boot; do [[ ! -d "$d" ]] && continue [[ "$d" == "$(df "$d" --output=target | sed 1d)" ]] \ @@ -230,22 +150,26 @@ findESP() { done [[ -z "$esp" ]] && { echo "ERROR: No ESP mount point found"; return 1; } for uuid in /dev/disk/by-uuid/*; do - [[ $(readlink -f "$uuid") == "$esp" ]] && echo $uuid && return 0 + [[ $(readlink -f "$uuid") == "$esp" ]] && echo "$uuid" && return 0 done } prepareEnv() { - # $esp and $grubdev are used in makeConf() - if isEFI; then - esp="$(findESP)" + isEFI=0 + [ -d /sys/firmware/efi ] || isEFI=1 + + if ((isEFI)); then + ESP="$(findESP)" else - for grubdev in /dev/vda /dev/sda /dev/nvme0n1 ; do [[ -e $grubdev ]] && break; done + for GRUBDEV in /dev/vda /dev/sda /dev/nvme0n1; do + [[ -e $GRUBDEV ]] && break; + done fi # Retrieve root fs block device # (get root mount) (get partition or logical volume) - rootfsdev=$(mount | grep "on / type" | awk '{print $1;}') - rootfstype=$(df $rootfsdev --output=fstype | sed 1d) + ROOTFSDEV=$(mount | grep "on / type" | awk '{print $1;}') + ROOTFSTYPE=$(df "$ROOTFSDEV" --output=fstype | sed 1d) # DigitalOcean doesn't seem to set USER while running user data export USER="root" @@ -295,9 +219,6 @@ checkEnv() { # Perform some easy fixups before checking # TODO prevent multiple calls to apt-get update (which dnf && dnf install -y perl-Digest-SHA) || true # Fedora 24 - which bzcat || (which yum && yum install -y bzip2) \ - || (which apt-get && apt-get update && apt-get install -y bzip2) \ - || true which xzcat || (which yum && yum install -y xz-utils) \ || (which apt-get && apt-get update && apt-get install -y xz-utils) \ || true @@ -306,48 +227,100 @@ checkEnv() { || true req curl || req wget || { echo "ERROR: Missing both curl and wget"; return 1; } - req bzcat || { echo "ERROR: Missing bzcat"; return 1; } req xzcat || { echo "ERROR: Missing xzcat"; return 1; } - req groupadd || { echo "ERROR: Missing groupadd"; return 1; } - req useradd || { echo "ERROR: Missing useradd"; return 1; } - req ip || { echo "ERROR: Missing ip"; return 1; } req awk || { echo "ERROR: Missing awk"; return 1; } req cut || req df || { echo "ERROR: Missing coreutils (cut, df)"; return 1; } } +# Download and execute the nix installer script. +installNix() { + local nixReleaseBase='https://releases.nixos.org' + local installURL="${nixReleaseBase}/nix/nix-${NIX_VERSION}/install" + local shaURL="${installURL}.sha256" + local sha tmpNixInstall + + # temporary destination for install script + tmpNixInstall="$(mktemp -t nix-install-XXXXXXXXXX)" + if [[ ! -f "${tmpNixInstall}" ]]; then + echo "Failed creating a temporary file for Nix install script!" + return 1 + fi + + echo "Downloading install script from ${installURL}..." + if ! curl "${installURL}" -o "${tmpNixInstall}" &>/dev/null; then + echo "Failure while downloading Nix install script!" + return 1 + fi + + if ! sha="$(curl "${shaURL}")"; then + echo "Failure while downloading Nix install script sha!" + return 1 + fi + + echo "Validating Nix install script checksum..." + if ! echo "${sha} ${tmpNixInstall}" | sha256sum -c; then + echo "Checksum validation failed!" + return 1 + fi + + echo "Running nix installer..." + if $SHELL "${tmpNixInstall}"; then + echo "Nix is installed" + rm "${tmpNixInstall}" + else + echo "Nix installation script failed!" + return 1 + fi +} + infect() { # Add nix build users # FIXME run only if necessary, rather than defaulting true - groupadd nixbld -g 30000 || true - for i in {1..10}; do - useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" "nixbld$i" || true - done + # groupadd nixbld -g 30000 || true + # for i in {1..10}; do + # useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" "nixbld$i" || true + # done # TODO use addgroup and adduser as fallbacks #addgroup nixbld -g 30000 || true #for i in {1..10}; do adduser -DH -G nixbld nixbld$i || true; done - curl -L https://nixos.org/nix/install | $SHELL + # install Nix in the current system + # (this should create system nixbld users too) + # curl -L "https://releases.nixos.org/nix/nix-$NIX_VERSION/install" | $SHELL + if ! installNix; then + echo "Nix installation failed!" + exit 1 + fi # shellcheck disable=SC1090 - source ~/.nix-profile/etc/profile.d/nix.sh + # is it needed? + # source ~/.nix-profile/etc/profile.d/nix.sh - nix-channel --remove nixpkgs - nix-channel --add "https://channel.selfprivacy.org/nixos-selfpricacy" nixos - nix-channel --update + echo "nix build the configuration flake..." + if ! /root/.nix-profile/bin/nix build \ + --extra-experimental-features "nix-command flakes" \ + --profile /nix/var/nix/profiles/system \ + ${LOCAL_FLAKE_DIR}/#nixosConfigurations.sp-nixos.config.system.build.toplevel + then + echo "Failed!" + exit 1 + fi - export NIXOS_CONFIG=/etc/nixos/configuration.nix + echo "activate the built configuration..." + if ! /nix/var/nix/profiles/system/activate; then + echo "Failed!"; exit 1 + fi - nix-env --set \ - -I nixpkgs=$HOME/.nix-defexpr/channels/nixos \ - -f '' \ - -p /nix/var/nix/profiles/system \ - -A system + echo "make configuration switch..." + if /nix/var/nix/profiles/system/bin/switch-to-configuration switch; then + echo "Failed!"; exit 1 + fi - # Remove nix installed with curl | bash + # Remove nix installed by the "install" script. rm -fv /nix/var/nix/profiles/default* /nix/var/nix/profiles/system/sw/bin/nix-collect-garbage - # Reify resolv.conf + # Reify resolv.conf (???) [[ -L /etc/resolv.conf ]] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf # Stage the Nix coup d'état @@ -357,24 +330,31 @@ infect() { echo root/.nix-defexpr/channels >> /etc/NIXOS_LUSTRATE rm -rf /boot.bak - isEFI && umount "$esp" + ((isEFI)) && umount "$ESP" mv -v /boot /boot.bak - if isEFI; then + if ((isEFI)); then mkdir /boot - mount "$esp" /boot + mount "$ESP" /boot find /boot -depth ! -path /boot -exec rm -rf {} + fi - /nix/var/nix/profiles/system/bin/switch-to-configuration boot + + echo "make configuration boot by default..." + if /nix/var/nix/profiles/system/bin/switch-to-configuration boot; then + echo "Failed!"; exit 1 + fi } -[ "$PROVIDER" = "digitalocean" ] && doNetConf=y # digitalocean requires detailed network config to be generated +set -o pipefail +set -o nounset +set -o xtrace +set -o errexit apt update -apt install -y git tar wget curl whois jq +apt install -y git tar wget curl jq checkEnv prepareEnv makeSwap # smallest (512MB) droplet needs extra memory! -makeConf +setupConf infect removeSwap