Merge pull request #3 from obadz/nixos-infect-with-lustrate

Use NIXOS_LUSTRATE
Eric Litak 2016-08-24 06:20:50 -07:00 committed by GitHub
commit 4e2e63a812


@ -21,6 +21,14 @@
# - Deploy the droplet indicated at the top of the file, enable ipv6, add your ssh key # - Deploy the droplet indicated at the top of the file, enable ipv6, add your ssh key
# - cat customConfig.optional nixos-infect | ssh root@targethost # - cat customConfig.optional nixos-infect | ssh root@targethost
# #
# Alternatively, use the user data mechamism by supplying the following lines (without >)
# in the Digital Ocean Web UI (or HTTP API):
#
# > #cloud-config
# >
# > runcmd:
# > - curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | bash 2>&1 | tee /tmp/infect.log
#
# Potential tweaks: # Potential tweaks:
# /etc/nixos/{,hardware-}configuration.nix : rudimentary mostly static config # /etc/nixos/{,hardware-}configuration.nix : rudimentary mostly static config
# /etc/nixos/networking.nix, networking settings determined at runtime # /etc/nixos/networking.nix, networking settings determined at runtime
@ -37,7 +45,8 @@
set -ex set -ex
nixos_channel=nixos-unstable # nixpkgs="https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
nixpkgs="https://github.com/NixOS/nixpkgs/archive/ba50fd7.tar.gz"
makeConf() { makeConf() {
# NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not # NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not
@ -64,7 +73,7 @@ EOF
{ ... }: { ... }:
{ {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ]; imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.loader.grub.device = "nodev"; boot.loader.grub.device = "/dev/vda";
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
} }
EOF EOF
@ -133,54 +142,43 @@ makeSwap() {
makeConf makeConf
makeSwap # smallest (512MB) droplet needs extra memory! makeSwap # smallest (512MB) droplet needs extra memory!
dnf install -y perl-Digest-SHA || true # Fedora 24 which dnf && dnf install -y perl-Digest-SHA # Fedora 24
groupadd -r nixbld # DigitalOcean doesn't seem to set USER while running user data
export USER="root"
export HOME="/root"
groupadd -r nixbld -g 30000
seq 1 10 | xargs -I{} useradd -c "Nix build user {}" -d /var/empty -g nixbld -G nixbld -M -N -r -s `which nologin` nixbld{} seq 1 10 | xargs -I{} useradd -c "Nix build user {}" -d /var/empty -g nixbld -G nixbld -M -N -r -s `which nologin` nixbld{}
curl https://nixos.org/nix/install | sh curl https://nixos.org/nix/install | sh
source ~/.nix-profile/etc/profile.d/nix.sh source ~/.nix-profile/etc/profile.d/nix.sh
nix-channel --add https://nixos.org/channels/${nixos_channel} nixos nix-channel --remove \*
nix-channel --update export NIX_PATH="nixpkgs=$nixpkgs"
newRootImg=`mktemp`
newRootMount=`mktemp -d`
oldRootMount=`mktemp -d`
export NIXOS_CONFIG=/etc/nixos/configuration.nix export NIXOS_CONFIG=/etc/nixos/configuration.nix
nix-env -i \
-f /nix/var/nix/profiles/per-user/root/channels/nixpkgs/nixos \
-A config.system.build.nixos-install
# XXX GOTCHA NB bindmount causes /bin/bash permission BUG on many nix-env --set \
# versions (nix 1.10-1.11, nixpkgs 15-16), so we must use loopback image instead. -f '<nixpkgs/nixos>' \
# See: https://github.com/NixOS/nixpkgs/issues/10230 -p /nix/var/nix/profiles/system \
dd if=/dev/zero of=$newRootImg bs=1M count=2047 # XXX 2048+ will cause mkfs.ext4 to fail on x86 -A system
mkfs.ext4 -F $newRootImg
mount $newRootImg $newRootMount
rsync -Ra /./etc/nixos $newRootMount # Remove nix installed with curl | bash
nixos-install --root $newRootMount rm -fv /nix/var/nix/profiles/default*
/nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
mount -B / $oldRootMount # Follow the symlinks
[ -L /etc/resolv.conf ] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf
# Everything up to this point is revertible; this is the truly destructive step. # Staging for the Nix coup d'état
# GOTCHAs when running manually: very easy to forget slash at end of source, or use / as dest instead of bindmounted root, both of which are catastrophic... touch /etc/NIXOS
rsync -a --delete --exclude=$(dirname $newRootMount) $newRootMount/ $oldRootMount || true cat > /etc/NIXOS_LUSTRATE << EOF
etc/nixos
etc/resolv.conf
EOF
# Restore access to commands mv -v /boot /boot.bak &&
/nix/var/nix/profiles/system/activate # (this destroys resolv.conf) /nix/var/nix/profiles/system/bin/switch-to-configuration boot
for ns in ${nameservers[@]}; do echo "nameserver $ns" >> /etc/resolv.conf; done
source /nix/var/nix/profiles/system/etc/profile
# grub/initrd was skipped with "nodev", because installing from inside install-root would result in wrong fs UUID, so we need a final rebuild reboot
sed -i 's,nodev,/dev/vda,' /etc/nixos/hardware-configuration.nix
# TODO see aszlig's comment in issue about not even having to call rebuild, just nix-build system or something; without ever having to use nixos-install either? and separate ext4fs?
# man nixos-rebuild mentions this!!: nixos-rebuid build == nix-build /path/to/nixpkgs/nixos -A system
nixos-rebuild boot --install-grub || echo "WARNING: could not install grub, but we'll hope for the best: that the old installation of grub will manage to boot the new installation."
sync
echo "You may now Ctrl-C or otherwise terminate this process."
reboot -f
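Review bot: The `mv -v /boot /boot.bak &&` continuation on the new side makes the bootloader step conditional in a way `set -e` does not catch: if the `mv` fails (for example because /boot is a separate mount point and cannot be renamed), the `switch-to-configuration boot` call is skipped, a failing left-hand side of `&&` does not abort under `set -e`, and the script proceeds to `reboot` a host that has already been marked with /etc/NIXOS and /etc/NIXOS_LUSTRATE but has no NixOS boot entry installed. Write the two steps as separate statements so each failure aborts before the reboot, e.g. `mv -v /boot /boot.bak` on its own line followed by `/nix/var/nix/profiles/system/bin/switch-to-configuration boot`. Separately, the new `nixpkgs="https://github.com/NixOS/nixpkgs/archive/ba50fd7.tar.gz"` assignment exported into NIX_PATH pins the whole system build to an abbreviated 7-character commit id fetched without any content hash; pinning the full 40-character commit (and a sha256 if the fetch path supports one) would make the build reproducible and detect a tampered or changed archive. The nameservers restore loop and final rebuild in the old code were dropped, so the hunk now relies entirely on the lustrate file list `etc/resolv.conf` for DNS after reboot; a comment stating that assumption next to the heredoc would help the next maintainer.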