infect:config:sha1: update nixos-config

Now you need to edit nixos-infect to update base configuration URL.

.drone.yml

@@ -0,0 +1,234 @@
+kind: pipeline
+type: exec
+name: default
+
+clone:
+  disable: true
+
+steps:
+- name: deploy
+  environment:
+    PASSWORD:
+      from_secret: HETZNER_TOKEN
+    DOMAIN:
+      from_secret: DOMAIN
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    USER_PASS:
+      from_secret: USER_PASS
+    INFECT_COMMIT_SHA: ${DRONE_COMMIT_SHA}
+
+  commands:
+  - set -o nounset
+  - > # TODO pass Base64 encoded password from Drone instead of this
+    ENCODED_PASSWORD="$(base64 <<<"$USER_PASS")"
+  # Create infect user script and then push it to a remote machine on server creation.
+  - |
+    cat << EOF > infect.sh
+    #! /usr/bin/env bash
+
+    set -o allexport
+    set -o errtrace
+    set -o pipefail
+    shopt -s inherit_errexit
+    trap 'echo \$LINENO: "\$BASH_COMMAND"; exit 1' ERR
+
+    API_TOKEN="$USER_PASS"
+    DNS_PROVIDER_TOKEN=$CLOUDFLARE_TOKEN
+    DNS_PROVIDER_TYPE=CLOUDFLARE
+    DOMAIN=$DOMAIN
+    ENCODED_PASSWORD="$ENCODED_PASSWORD"
+    HOSTNAME=selfprivacy-ci-test
+    LUSER=cicdcicd
+    NIXOS_CONFIG_ID=default
+    PROVIDER=HETZNER
+    SSH_AUTHORIZED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBb3yVhYF4slhf1iQCiGLOVcbGKP/MmkQiEMl2un+4K"
+    STAGING_ACME=true
+
+    curl --fail https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/commit/$INFECT_COMMIT_SHA/nixos-infect \
+    | bash 2>&1 | tee /root/infect.log
+    EOF
+  - cat infect.sh
+  - location=fsn1
+  - set -o pipefail
+  - >
+    volume_id="$(http -d --print=HBb --ignore-stdin POST https://api.hetzner.cloud/v1/volumes Authorization:"Bearer $PASSWORD" format=ext4 size:=10 location=$location name=10gb-by-drone-ci automount:=false | jq -re .volume.id)"
+  # TODO pass linux device volume_id name to infect.sh script
+  - >
+    http -d --print=HBb --ignore-stdin POST https://api.hetzner.cloud/v1/servers Authorization:"Bearer $PASSWORD" name=ci-sibling server_type=cx11 start_after_create:=true image=ubuntu-20.04 volumes:=[$volume_id] user_data=@infect.sh automount:=false location=$location
+
+- name: dns
+  environment:
+    PASSWORD:
+      from_secret: HETZNER_TOKEN
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    DOMAIN:
+      from_secret: DOMAIN
+    ZONE_ID:
+      from_secret: ZONE_ID
+
+  commands:
+  # Read all available machines and export IP of 'ci-sibling'
+  # Create DNS entires for main domain and subdomains
+  - >
+    curl -s -H "Authorization: Bearer $PASSWORD" 'https://api.hetzner.cloud/v1/servers' > .machine.json
+  - >
+    export machineip=$( for i in {0..24}; do jq 'if .servers['$i'].name == "ci-sibling" then .servers['$i'].public_net.ipv4.ip else null end' .machine.json; done | grep -v null | sed 's/"//' | sed 's/"//' )
+  - echo $machineip
+  - >
+    curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN"
+    -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
+    -H "Content-Type: application/json"
+  - >
+    curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records"
+    -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
+    -H "Content-Type: application/json"
+    --data '{"type":"A","name":"@","content":"'"$$machineip"'","ttl":3600,"priority":10,"proxied":false}'
+  - >
+    http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=api content=$machineip ttl:=3600 priority:=10 proxied:=false
+  - >
+    http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=cloud content=$machineip ttl:=3600 priority:=10 proxied:=false
+  - >
+    http --check-status --ignore-stdin POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records Authorization:"Bearer $CLOUDFLARE_TOKEN" type=A name=password content=$machineip ttl:=3600 priority:=10 proxied:=false
+  - >
+    curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records"
+    -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
+    -H "Content-Type: application/json"
+    --data '{"type":"MX","name":"@","content":"'"$$DOMAIN"'","ttl":3600,"priority":10,"proxied":false}'
+  - >
+    curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records"
+    -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
+    -H "Content-Type: application/json"
+    --data '{"type":"TXT","name":"_dmarc","content":"v=DMARC1; p=none","ttl":18000,"priority":10,"proxied":false}'
+  - >
+    curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records"
+    -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
+    -H "Content-Type: application/json"
+    --data "{\"type\":\"TXT\",\"name\":\"$DOMAIN\",\"content\":\"v=spf1 a mx ip4:$machineip -all\",\"ttl\":18000,\"priority\":10,\"proxied\":false}"
+
+- name: wait for NixOS boot
+  environment:
+    DOMAIN:
+      from_secret: DOMAIN
+    TIMEOUT: 160
+  commands:
+  - sleep 300
+  - t0="$(date '+%s')"; until nix shell --inputs-from git+https://git.selfprivacy.org/alexoundos/selfprivacy-tests.git nixpkgs#netcat -c nc -zv -w1 "$DOMAIN" 443; do sleep 10; cur_date="$(date '+%s')"; remaining=$((t0 + TIMEOUT - cur_date)); [ "$remaining" -gt 0 ]; echo "$remaining seconds remain before teardown"; done
+  - echo "give time for obtaining ACME certificate"
+  - sleep 60
+
+- name: basic test
+  environment:
+    DOMAIN:
+      from_secret: DOMAIN
+    USER_PASS:
+      from_secret: USER_PASS
+    TEST_EMAIL_PASS:
+      from_secret: TEST_EMAIL_PASS
+    API_TOKEN:
+      from_secret: USER_PASS
+    TESTS_REPO: git+https://git.selfprivacy.org/alexoundos/selfprivacy-tests.git
+    TIMEOUT_1: 100
+  commands:
+  # ideally it should depend on $STAGING_ACME
+  # CERT_VERIFY=$(if [[ $STAGING_ACME == true ]]; then echo "--cacert root.pem"; else echo ""; fi)
+  - CERT_VERIFY="--cacert root.pem"
+  - source $(nix build $TESTS_REPO#library --print-out-paths)
+  - curl https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem -sS --fail -o root.pem
+  - dig api.$DOMAIN
+  - >
+    retry $TIMEOUT_1 10 curl https://api.$DOMAIN/api/version -sS --fail-with-body $CERT_VERIFY -H "Authorization: Bearer $USER_PASS"
+  - swaks --to ci@$DOMAIN -s selfprivacy.org -tls -au test@selfprivacy.org -ap $TEST_EMAIL_PASS -ahp
+  - >
+    curl https://cloud.$DOMAIN/ocs/v2.php/apps/serverinfo/api/v1/info?format=json -sS --fail-with-body $CERT_VERIFY -u "admin:$USER_PASS" | jq -re '.ocs.meta.status == "ok"'
+  - echo 'File contents to test nextcloud upload' > file
+  - >
+    curl -X PUT https://cloud.$DOMAIN/remote.php/dav/files/admin/file -sS --fail-with-body $CERT_VERIFY -d @file -u "admin:$USER_PASS"
+  - >
+    curl https://cloud.$DOMAIN/remote.php/dav/files/admin/file -sS --fail-with-body $CERT_VERIFY -u "admin:$USER_PASS"
+
+- name: API & nixos-rebuild test
+  environment:
+    DOMAIN:
+      from_secret: DOMAIN
+    API_TOKEN:
+      from_secret: USER_PASS
+    TESTS_REPO: git+https://git.selfprivacy.org/alexoundos/selfprivacy-tests.git
+    TIMEOUT_1: 120
+  commands:
+  - source $(nix build $TESTS_REPO#library --print-out-paths)
+  - retry $TIMEOUT_1 10 query-minimum-services
+  - enable-service bitwarden
+  - enable-service gitea
+  - enable-service jitsi-meet
+  - enable-service ocserv
+  - enable-service pleroma
+  - nixos-rebuild Rebuild
+  - sleep 180
+  - retry $TIMEOUT_1 10 query-all-services
+  - nixos-rebuild Rollback
+  - sleep 30
+  - retry $TIMEOUT_1 10 query-minimum-services
+  - enable-service bitwarden
+  - enable-service gitea
+  - enable-service jitsi-meet
+  - enable-service ocserv
+  - enable-service pleroma
+  - nixos-rebuild Rebuild
+  - sleep 60
+  - retry $TIMEOUT_1 10 query-all-services
+
+- name: sleep after failure
+  environment:
+    DOMAIN:
+      from_secret: DOMAIN
+    TIMEOUT: 1500
+  commands:
+    - timer=0; while [ "$timer" -lt "$TIMEOUT" ]; do nix shell --inputs-from git+https://git.selfprivacy.org/alexoundos/selfprivacy-tests.git nixpkgs#netcat -c nc -zv -w4 "$DOMAIN" 22; echo "$((TIMEOUT - timer)) seconds remain before teardown - login via ssh to shutdown the machine"; ((timer+=10)); sleep 10; done
+  when:
+    status:
+      - failure
+
+- name: teardown
+  environment:
+    PASSWORD:
+      from_secret: HETZNER_TOKEN
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    DOMAIN:
+      from_secret: DOMAIN
+    ZONE_ID:
+      from_secret: ZONE_ID
+  commands:
+  # Delete our machine called 'ci-sibling' and all the found DNS records on it.
+  - >
+    curl -s "https://api.hetzner.cloud/v1/servers" -H "Authorization: Bearer $PASSWORD" > .hetzner_servers.json
+  - >
+    export machineid=$( for i in {0..24}; do jq 'if .servers['$i'].name == "ci-sibling" then .servers['$i'].id else null end' .hetzner_servers.json; done | grep -v null | sed 's/"//g')
+  - >
+    curl -s -X DELETE "https://api.hetzner.cloud/v1/servers/$machineid" -H "Authorization: Bearer $PASSWORD"
+  - >
+    json=$(curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" -H "Authorization: Bearer $CLOUDFLARE_TOKEN" -H "Content-Type: application/json")
+  - >
+    echo "$json" > .dns-records.json
+  - >
+    result=$(jq -r ".result" <<< "$json")
+  - >
+    echo "$ZONE_ID"
+  - >
+    echo "$result" | jq '.[] | "\(.id)"' | while read id ; do echo "Deleting $id"; http -v --check-status --ignore-stdin DELETE https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$(echo $id | cut -f 2 -d '"') Authorization:"Bearer $CLOUDFLARE_TOKEN"; done
+  - location="fsn1"
+  - volume_name="10gb-by-drone-ci"
+  - >
+    volumes_json="$(http -d --print=HBb --ignore-stdin GET https://api.hetzner.cloud/v1/volumes Authorization:"Bearer $PASSWORD" name=$volume_name)"
+    # as of 2023-12-27 Hetzner ignores "name" query parameter (and others too)!!
+  - >
+    volume_id="$(jq <<<"$volumes_json" -re "(.volumes[] | select(.name == \"$volume_name\")).id")"
+  - sleep 1
+  - >
+    http -d --print=HBb --ignore-stdin DELETE https://api.hetzner.cloud/v1/volumes/$volume_id Authorization:"Bearer $PASSWORD"
+  when:
+    status:
+    - failure
+    - success

nixos-infect

@@ -1,118 +1,269 @@
 #! /usr/bin/env bash
 
-# More info at: https://github.com/elitak/nixos-infect
+# More info at:
+# - https://github.com/elitak/nixos-infect
+# - https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect
 
-set -e -o pipefail
+# mandatory variables
+: "${API_TOKEN:?API_TOKEN variable is not set}"
+: "${DNS_PROVIDER_TOKEN:?DNS_PROVIDER_TOKEN variable is not set}"
+: "${DNS_PROVIDER_TYPE:?DNS_PROVIDER_TYPE variable is not set}"
+: "${DOMAIN:?DOMAIN variable is not set}"
+: "${ENCODED_PASSWORD:?ENCODED_PASSWORD variable is not set}"
+: "${HOSTNAME:?HOSTNAME variable is not set}"
+: "${LUSER:?LUSER variable is not set}"
+: "${PROVIDER:?PROVIDER variable is not set}"
 
-makeConf() {
-  export HASHED_PASSWORD=$( mkpasswd -m sha-512 "$PASSWORD" )
-  # Skip everything if main config already present
-  [[ -e /etc/nixos/configuration.nix ]] && return 0
-  # NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not
-  mkdir -p /etc/nixos
+# optional variables
+: "${NIXOS_CONFIG_ID:=default}"
+: "${SSH_AUTHORIZED_KEY:=}"
+: "${VOLUME_DEV_PATH:=}"
+: "${STAGING_ACME:=false}"
 
-  git clone https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git /etc/nixos
+readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/c204ab6da572e28fd5c5e9f6f30c6ed3fb35d709.tar.gz"
+readonly NIX_VERSION="2.18.1"
 
-  # Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
-  local IFS=$'\n'
-  for trypath in /root/.ssh/authorized_keys /home/$SUDO_USER/.ssh/authorized_keys $HOME/.ssh/authorized_keys; do
-      [[ -r "$trypath" ]] \
-      && keys=$(sed -E 's/^.*((ssh|ecdsa)-[^[:space:]]+)[[:space:]]+([^[:space:]]+)([[:space:]]*.*)$/\1 \3\4/' "$trypath") \
-      && break
-  done
-  local network_import=""
+readonly NL=$'\n'
+readonly LOCAL_FLAKE_DIR="/etc/nixos"
+readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json"
+readonly NIX="/root/.nix-profile/bin/nix"
+readonly NIX_OPTS=(--extra-experimental-features "nix-command flakes")
+DoNetConf=
 
-  cat > /etc/nixos/userdata/userdata.json << EOF
+genOptionalSsh() {
+  if [ -n "${SSH_AUTHORIZED_KEY}" ]; then
+      cat << EOF
+"ssh": { "rootKeys": [ "${SSH_AUTHORIZED_KEY}" ] },
+EOF
+  fi
+}
+
+# TODO receive disk device path from outside
+determine2ndDisk() {
+  local volDevPath rootFsDev
+  if [ -n "$VOLUME_DEV_PATH" ]; then
+      volDevPath="$VOLUME_DEV_PATH"
+  else
+      case "$PROVIDER" in
+          HETZNER)
+              volDevPath="/dev/sdb"
+              ;;
+          DIGITALOCEAN)
+              volDevPath="/dev/sda"
+              ;;
+          *)
+              return 1
+              ;;
+      esac
+  fi
+  rootFsDev="$(findmnt -no source -T /)"
+  [[ -b "$volDevPath" && "$volDevPath" != "$rootFsDev" ]] && echo "$volDevPath"
+}
+
+# Merge original userdata.json with deployment specific fields and print result.
+genUserdata() {
+  local hashed_password diskDeviceName userdata_infect
+  hashed_password="$(mkpasswd -m sha-512 "$USER_PASS")"
+  diskDevice="$(determine2ndDisk)"
+  diskDeviceName="${diskDevice##/dev/}"
+
+  userdata_infect=$(cat << EOF
 {
-    "api": {
-        "token": "$API_TOKEN"
+    $(genOptionalSsh)
+    "dns": {
+        "provider": "$DNS_PROVIDER_TYPE",
+        "useStagingACME": $STAGING_ACME
     },
-    "backblaze": {
-        "accountId": "$BACKBLAZE_KEY_ID",
-        "accountKey": "$BACKBLAZE_ACCOUNT_KEY",
-        "bucket": "$BACKBLAZE_BUCKET_NAME"
+    "server": {
+        "provider": "$PROVIDER"
     },
-    "bitwarden": {
-        "enable": true
-    },
-    "cloudflare": {
-        "apiKey": "$CF_TOKEN"
-    },
-    "databasePassword": "$DB_PASSWORD",
     "domain": "$DOMAIN",
-    "hashedMasterPassword": "$HASHED_PASSWORD",
+    "hashedMasterPassword": "$hashed_password",
     "hostname": "$HOSTNAME",
-    "nextcloud": {
-        "enable": true,
-        "adminPassword": "$PASSWORD",
-        "databasePassword": "$PASSWORD"
-    },
-    "gitea": {
-        "enable": true
-    },
-    "jitsi": {
-        "enable": true
-    },
-    "ocserv": {
-        "enable": true
-    },
-    "pleroma": {
-        "enable": true
-    },
-    "timezone": "Europe/Uzhgorod",
-    "resticPassword": "$PASSWORD",
-    "username": "$LUSER"
+    "username": "$LUSER",
+    "volumes": [
+        {
+            "device": "$diskDevice",
+            "mountPoint": "/volumes/$diskDeviceName",
+            "fsType": "ext4"
+        }
+    ],
+    "modules": {
+        "bitwarden": {
+            "location": "$diskDeviceName"
+        },
+        "gitea": {
+            "location": "$diskDeviceName"
+        },
+        "nextcloud": {
+            "location": "$diskDeviceName"
+        },
+        "pleroma": {
+            "location": "$diskDeviceName"
+        },
+        "simple-nixos-mailserver": {
+            "location": "$diskDeviceName"
+        }
+    }
 }
 EOF
-  chmod 0600 /etc/nixos/userdata/userdata.json
+)
 
-  if isEFI; then
+  jq -s '.[0] * .[1]' \
+  "${1:?no userdata.json given to merge with}" <(printf "%s" "$userdata_infect")
+}
+
+genSecrets() {
+  local dbpass
+  dbpass="$(shuf --random-source=/dev/urandom -erz -n32 {A..Z} {a..z} {0..9} | tr -d '\n')"
+
+  cat << EOF
+{
+    "api": {
+        "token": "$API_TOKEN",
+        "skippedMigrations": ["migrate_to_selfprivacy_channel", "mount_volume"]
+    },
+    "databasePassword": "$dbpass",
+    "dns": {
+        "apiKey": "$DNS_PROVIDER_TOKEN"
+    },
+    "modules": {
+        "nextcloud": {
+            "adminPassword": "$USER_PASS",
+            "databasePassword": "$USER_PASS"
+        }
+    }
+}
+EOF
+}
+
+genHardwareConfiguration() {
+  local bootcfg
+  if ((isEFI)); then
     bootcfg=$(cat << EOF
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
     device = "nodev";
   };
-  fileSystems."/boot" = { device = "$esp"; fsType = "vfat"; };
+  fileSystems."/boot" = { device = "$ESP"; fsType = "vfat"; };
 EOF
 )
   else
     bootcfg=$(cat << EOF
-  boot.loader.grub.device = "$grubdev";
+  boot.loader.grub.device = "$GRUBDEV";
 EOF
 )
   fi
 
-  # If you rerun this later, be sure to prune the filesSystems attr
-  cat > /etc/nixos/hardware-configuration.nix << EOF
+  local currentSystem
+  if ! currentSystem="$($NIX "${NIX_OPTS[@]}" eval --impure --raw --expr builtins.currentSystem)"
+  then
+      echo "cannot determine Nix currentSystem identifier"
+      return 1
+  fi
+
+  # FIXME it's questionable whether these modules are needed at all...
+  declare -a availableKernelModules=()
+
+  [ "$PROVIDER" == "DIGITALOCEAN" ] \
+  && availableKernelModules+=('"ata_piix"' '"uhci_hcd"' '"xen_blkfront"')
+
+  [ "$(uname -m)" == "x86_64" ] \
+  && availableKernelModules+=('"vmw_pvscsi"')
+
+  # TODO try nixos-generate-config first, resorting to the way below if failed
+  # FIXME "nvme" is not needed for hetzner?
+
+  cat << EOF
 { modulesPath, ... }:
 {
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 $bootcfg
   boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "$rootfsdev"; fsType = "$rootfstype"; };
+  boot.initrd.availableKernelModules = [ ${availableKernelModules[@]} ];
+  fileSystems."/" = { device = "$ROOTFSDEV"; fsType = "$ROOTFSTYPE"; };
+  nixpkgs.hostPlatform = "${currentSystem}";
 }
 EOF
-
-  [[ -n "$doNetConf" ]] && makeNetworkingConf || true
 }
 
-makeNetworkingConf() {
-  # XXX It'd be better if we used procfs for all this...
-  local IFS=$'\n'
-  eth0_name=$(ip address show | grep '^2:' | awk -F': ' '{print $2}')
-  eth0_ip4s=$(ip address show dev "$eth0_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')
-  eth0_ip6s=$(ip address show dev "$eth0_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '')
-  gateway=$(ip route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9.]+).*|\1|')
-  gateway6=$(ip -6 route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|' || true)
-  ether0=$(ip address show dev "$eth0_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')
+genDeploymentConfiguration() {
+  local release
 
-  eth1_name=$(ip address show | grep '^3:' | awk -F': ' '{print $2}')||true
-  if [ -n "$eth1_name" ];then
-    eth1_ip4s=$(ip address show dev "$eth1_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')
-    eth1_ip6s=$(ip address show dev "$eth1_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '')
-    ether1=$(ip address show dev "$eth1_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')
-    interfaces1=<< EOF
+  if ! release="$($NIX "${NIX_OPTS[@]}" eval --impure --raw --expr "(builtins.getFlake (builtins.toString ${LOCAL_FLAKE_DIR})).inputs.selfprivacy-nixos-config.inputs.nixpkgs.lib.trivial.release")"
+  then
+      echo "cannot determine NixOS release version"
+      return 1
+  fi
+
+  cat << EOF
+{ lib, ... }: {
+  # The content below is static and belongs to this deployment only!
+  # Do not copy this configuration file to another NixOS installation!
+
+  system.stateVersion = lib.mkDefault "$release";`
+`$(if [ "$DoNetConf" == "y" ]; then echo -e "$NL"; genNetworkingConf; fi)
+}
+EOF
+}
+
+setupConf() {
+  mkdir -p ${LOCAL_FLAKE_DIR}
+  if ! curl --fail "${CONFIG_URL}" \
+  | tar -xz -C ${LOCAL_FLAKE_DIR} --strip-components=1 --exclude=".*"
+  then
+      echo "Error downloading/extracting top level flake configuration!"
+      exit 1
+  fi
+
+  # generate and write hardware-configuration.nix
+  if ! genHardwareConfiguration > ${LOCAL_FLAKE_DIR}/hardware-configuration.nix
+  then
+      echo "error generating ${LOCAL_FLAKE_DIR}/hardware-configuration.nix"
+      exit 1
+  fi
+
+  # generate and write deployment.nix
+  if ! genDeploymentConfiguration > ${LOCAL_FLAKE_DIR}/deployment.nix
+  then
+      echo "error generating ${LOCAL_FLAKE_DIR}/deployment.nix"
+      exit 1
+  fi
+
+  # generate infected userdata based on original
+  local userdataInfected
+  userdataInfected="$(genUserdata ${LOCAL_FLAKE_DIR}/userdata.json)"
+  printf "%s" "$userdataInfected" > ${LOCAL_FLAKE_DIR}/userdata.json
+
+  # generate and write secrets
+  local secrets
+  secrets="$(genSecrets)"
+  install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH}
+}
+
+# shellcheck disable=SC2207
+genNetworkingConf() {
+  # XXX It'd be better if we used procfs for all this...
+
+  local IFS=$'\n'
+  local eth0_name eth0_ip4s eth0_ip6s gateway gateway6 ether0 eth1_name
+  local interfaces1 extraRules1 predictable_inames
+
+  eth0_name="$(ip address show | grep '^2:' | awk -F': ' '{print $2}')"
+  eth0_ip4s=($(ip address show dev "$eth0_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
+  eth0_ip6s=($(ip address show dev "$eth0_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) || true
+  gateway="$(ip route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9.]+).*|\1|')"
+  gateway6="$(ip -6 route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|')" || true
+  ether0="$(ip address show dev "$eth0_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')"
+
+  eth1_name="$(ip address show | grep '^3:' | awk -F': ' '{print $2}')" || true
+  if [ -n "$eth1_name" ]; then
+      local eth1_ip4s eth1_ip6s ether1
+      eth1_ip4s="$(ip address show dev "$eth1_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')"
+      eth1_ip6s="$(ip address show dev "$eth1_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')" || true
+      ether1="$(ip address show dev "$eth1_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')"
+      interfaces1=$(cat << EOF
       $eth1_name = {
         ipv4.addresses = [$(for a in "${eth1_ip4s[@]}"; do echo -n "
           $a"; done)
@@ -120,31 +271,30 @@ makeNetworkingConf() {
         ipv6.addresses = [$(for a in "${eth1_ip6s[@]}"; do echo -n "
           $a"; done)
         ];
+      };
 EOF
-    extraRules1="ATTR{address}==\"${ether1}\", NAME=\"${eth1_name}\""
+)
+      extraRules1="ATTR{address}==\"${ether1}\", NAME=\"${eth1_name}\""
   else
-    interfaces1=""
-    extraRules1=""
+      interfaces1=""
+      extraRules1=""
   fi
 
-  readarray nameservers < <(grep ^nameserver /etc/resolv.conf | sed -r \
-    -e 's/^nameserver[[:space:]]+([0-9.a-fA-F:]+).*/"\1"/' \
-    -e 's/127[0-9.]+/8.8.8.8/' \
-    -e 's/::1/8.8.8.8/' )
-
   if [[ "$eth0_name" = eth* ]]; then
-    predictable_inames="usePredictableInterfaceNames = lib.mkForce false;"
+      predictable_inames="usePredictableInterfaceNames = lib.mkForce false;"
   else
-    predictable_inames="usePredictableInterfaceNames = lib.mkForce true;"
+      predictable_inames="usePredictableInterfaceNames = lib.mkForce true;"
   fi
-  cat > /etc/nixos/networking.nix << EOF
-{ lib, ... }: {
-  # This file was populated at runtime with the networking
-  # details gathered from the active system.
+
+  local defaultGateway6=${gateway6:+defaultGateway6 = \{ address = "${gateway6}"; interface = "${eth0_name}"; \};}
+  local ipv6routes=${gateway6:+ipv6.routes = \[ \{ address = "${gateway6}"; prefixLength = 128; \} \];}
+  cat << EOF
+  # Networking configuration was populated by nixos-infect with the networking
+  # details gathered from the running system.
   networking = {
-    nameservers = [ ${nameservers[@]} ];
-    defaultGateway = "${gateway}";
-    defaultGateway6 = "${gateway6}";
+    defaultGateway = "${gateway}";`
+    `${defaultGateway6:+
+    defaultGateway6}
     dhcpcd.enable = false;
     $predictable_inames
     interfaces = {
@@ -155,17 +305,19 @@ EOF
         ipv6.addresses = [$(for a in "${eth0_ip6s[@]}"; do echo -n "
           $a"; done)
         ];
-        ipv4.routes = [ { address = "${gateway}"; prefixLength = 32; } ];
-        ipv6.routes = [ { address = "${gateway6}"; prefixLength = 128; } ];
-      };
-      $interfaces1
+        ipv4.routes = [ { address = "${gateway}"; prefixLength = 32; } ];`
+        `${ipv6routes:+
+        $ipv6routes}
+      };`
+`${interfaces1:+
+$interfaces1}
     };
   };
   services.udev.extraRules = ''
-    ATTR{address}=="${ether0}", NAME="${eth0_name}"
-    $extraRules1
+    ATTR{address}=="${ether0}", NAME="${eth0_name}"`
+    `${extraRules1:+
+    $extraRules1}
   '';
-}
 EOF
 }
 
@@ -183,12 +335,8 @@ removeSwap() {
   rm -vf /tmp/nixos-infect.*.swp
 }
 
-isEFI() {
-  [ -d /sys/firmware/efi ]
-}
-
 findESP() {
-  esp=""
+  local esp
   for d in /boot/EFI /boot/efi /boot; do
     [[ ! -d "$d" ]] && continue
     [[ "$d" == "$(df "$d" --output=target | sed 1d)" ]] \
@@ -197,22 +345,32 @@ findESP() {
   done
   [[ -z "$esp" ]] && { echo "ERROR: No ESP mount point found"; return 1; }
   for uuid in /dev/disk/by-uuid/*; do
-    [[ $(readlink -f "$uuid") == "$esp" ]] && echo $uuid && return 0
+    [[ $(readlink -f "$uuid") == "$esp" ]] && echo "$uuid" && return 0
   done
 }
 
 prepareEnv() {
-  # $esp and $grubdev are used in makeConf()
-  if isEFI; then
-    esp="$(findESP)"
+  if ! USER_PASS="$(base64 -d <<<"$ENCODED_PASSWORD")"; then
+      echo "Error decoding ENCODED_PASSWORD from Base64!"
+      exit 1
+  fi
+  readonly USER_PASS
+
+  isEFI=0
+  [ -d /sys/firmware/efi ] && isEFI=1
+
+  if ((isEFI)); then
+    ESP="$(findESP)"
   else
-    for grubdev in /dev/vda /dev/sda /dev/nvme0n1 ; do [[ -e $grubdev ]] && break; done
+    for GRUBDEV in /dev/vda /dev/sda /dev/nvme0n1; do
+        [[ -e $GRUBDEV ]] && break;
+    done
   fi
 
   # Retrieve root fs block device
   #                   (get root mount)  (get partition or logical volume)
-  rootfsdev=$(mount | grep "on / type" | awk '{print $1;}')
-  rootfstype=$(df $rootfsdev --output=fstype | sed 1d)
+  ROOTFSDEV=$(mount | grep "on / type" | awk '{print $1;}')
+  ROOTFSTYPE=$(df "$ROOTFSDEV" --output=fstype | sed 1d)
 
   # DigitalOcean doesn't seem to set USER while running user data
   export USER="root"
@@ -262,9 +420,6 @@ checkEnv() {
   # Perform some easy fixups before checking
   # TODO prevent multiple calls to apt-get update
   (which dnf && dnf install -y perl-Digest-SHA) || true # Fedora 24
-  which bzcat || (which yum && yum install -y bzip2) \
-              || (which apt-get && apt-get update && apt-get install -y bzip2) \
-              || true
   which xzcat || (which yum && yum install -y xz-utils) \
               || (which apt-get && apt-get update && apt-get install -y xz-utils) \
               || true
@@ -273,79 +428,124 @@ checkEnv() {
               || true
 
   req curl || req wget || { echo "ERROR: Missing both curl and wget";  return 1; }
-  req bzcat            || { echo "ERROR: Missing bzcat";               return 1; }
   req xzcat            || { echo "ERROR: Missing xzcat";               return 1; }
-  req groupadd         || { echo "ERROR: Missing groupadd";            return 1; }
-  req useradd          || { echo "ERROR: Missing useradd";             return 1; }
-  req ip               || { echo "ERROR: Missing ip";                  return 1; }
   req awk              || { echo "ERROR: Missing awk";                 return 1; }
   req cut || req df    || { echo "ERROR: Missing coreutils (cut, df)"; return 1; }
+  req mkpasswd         || { echo "ERROR: Missing mkpasswd";            return 1; }
+  req shuf             || { echo "ERROR: Missing shuf";                return 1; }
+}
+
+# Download and execute the nix installer script.
+
+installNix() {
+  # install multiuser (system-wide with nix-daemon) Nix in the current system
+
+  local nixReleaseBase='https://releases.nixos.org'
+  local installURL="${nixReleaseBase}/nix/nix-${NIX_VERSION}/install"
+  local shaURL="${installURL}.sha256"
+  local sha tmpNixInstall
+
+  # temporary destination for install script
+  tmpNixInstall="$(mktemp -t nix-install-XXXXXXXXXX)"
+  if [[ ! -f "${tmpNixInstall}" ]]; then
+      echo "Failed creating a temporary file for Nix install script!"
+      return 1
+  fi
+
+  echo "Downloading install script from ${installURL}..."
+  if ! curl --fail "${installURL}" -o "${tmpNixInstall}" &>/dev/null; then
+      echo "Failure while downloading Nix install script!"
+      return 1
+  fi
+
+  if ! sha="$(curl --fail "${shaURL}")"; then
+      echo "Failure while downloading Nix install script sha!"
+      return 1
+  fi
+
+  echo "Validating Nix install script checksum..."
+  if ! echo "${sha}  ${tmpNixInstall}" | sha256sum -c; then
+      echo "Checksum validation failed!"
+      return 1
+  fi
+
+  echo "Running nix installer..."
+  if $SHELL "${tmpNixInstall}" \
+    --daemon --no-channel-add --daemon-user-count 4; then
+      echo "Nix is installed"
+      rm "${tmpNixInstall}"
+  else
+      echo "Nix installation script failed!"
+      return 1
+  fi
 }
 
 infect() {
-  # Add nix build users
-  # FIXME run only if necessary, rather than defaulting true
-  groupadd nixbld -g 30000 || true
-  for i in {1..10}; do
-    useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" "nixbld$i" || true
-  done
-  # TODO use addgroup and adduser as fallbacks
-  #addgroup nixbld -g 30000 || true
-  #for i in {1..10}; do adduser -DH -G nixbld nixbld$i || true; done
+  # this is needed solely for accepting the sp-module sub-flake
+  # see https://github.com/NixOS/nix/issues/3978#issuecomment-952418478
+  cd /etc/nixos || return 1
+  $NIX "${NIX_OPTS[@]}" flake lock ${LOCAL_FLAKE_DIR} \
+  --override-input sp-modules path:./sp-modules
 
-  curl -L https://nixos.org/nix/install | $SHELL
+  echo "nix build the configuration flake..."
+  if ! $NIX "${NIX_OPTS[@]}" build \
+  --profile /nix/var/nix/profiles/system \
+  ${LOCAL_FLAKE_DIR}/#nixosConfigurations."$NIXOS_CONFIG_ID".config.system.build.toplevel
+  then
+      echo "Failed!"
+      exit 1
+  fi
 
-  # shellcheck disable=SC1090
-  source ~/.nix-profile/etc/profile.d/nix.sh
-
-  [[ -z "$NIX_CHANNEL" ]] && NIX_CHANNEL="nixos-21.05"
-  nix-channel --remove nixpkgs
-  nix-channel --add "https://nixos.org/channels/$NIX_CHANNEL" nixos
-  nix-channel --update
-
-  export NIXOS_CONFIG=/etc/nixos/configuration.nix
-
-  nix-env --set \
-    -I nixpkgs=$HOME/.nix-defexpr/channels/nixos \
-    -f '<nixpkgs/nixos>' \
-    -p /nix/var/nix/profiles/system \
-    -A system
-
-  # Remove nix installed with curl | bash
-  rm -fv /nix/var/nix/profiles/default*
-  /nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
-
-  # Reify resolv.conf
+  # Reify resolv.conf (???)
   [[ -L /etc/resolv.conf ]] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf
 
   # Stage the Nix coup d'état
   touch /etc/NIXOS
-  echo etc/nixos                   > /etc/NIXOS_LUSTRATE
-  echo etc/resolv.conf            >> /etc/NIXOS_LUSTRATE
-  echo root/.nix-defexpr/channels >> /etc/NIXOS_LUSTRATE
+  echo etc/nixos            > /etc/NIXOS_LUSTRATE
+  echo etc/resolv.conf     >> /etc/NIXOS_LUSTRATE
+  echo ${SECRETS_FILEPATH} >> /etc/NIXOS_LUSTRATE
 
   rm -rf /boot.bak
-  isEFI && umount "$esp"
+  ((isEFI)) && umount "$ESP"
   mv -v /boot /boot.bak
-  if isEFI; then
+  if ((isEFI)); then
     mkdir /boot
-    mount "$esp" /boot
+    mount "$ESP" /boot
     find /boot -depth ! -path /boot -exec rm -rf {} +
   fi
-  /nix/var/nix/profiles/system/bin/switch-to-configuration boot
+
+  echo "make configuration boot by default..."
+  if ! /nix/var/nix/profiles/system/bin/switch-to-configuration boot; then
+      echo "Failed!"; exit 1
+  fi
+
+  # Remove nix installed by the "install" script.
+  rm -fv /nix/var/nix/profiles/default* /root/.nix-profile
+  rm -rv /nix/var/nix/profiles/per-user
+  /nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
 }
 
-[ "$PROVIDER" = "digitalocean" ] && doNetConf=y # digitalocean requires detailed network config to be generated
+set -o errtrace
+set -o nounset
+set -o pipefail
+set -o xtrace
+shopt -s inherit_errexit
+trap 'echo ${LINENO}: "$BASH_COMMAND"; exit 1' ERR
+
+# digitalocean requires detailed network config to be generated
+[ "$PROVIDER" == "DIGITALOCEAN" ] && DoNetConf="y"
 
 apt update
-apt install -y git tar wget curl whois
+apt install -y git tar curl whois jq
+
 checkEnv
 prepareEnv
 makeSwap # smallest (512MB) droplet needs extra memory!
-makeConf
+installNix
+setupConf
 infect
 removeSwap
 
-if [[ -z "$NO_REBOOT" ]]; then
+if [[ -z "${NO_REBOOT+x}" ]]; then
   reboot
-fi
+fi