Merge pull request #3 from obadz/nixos-infect-with-lustrate

Use NIXOS_LUSTRATE
This commit is contained in:
Eric Litak 2016-08-24 06:20:50 -07:00 committed by GitHub
commit 4e2e63a812


@ -21,6 +21,14 @@
# - Deploy the droplet indicated at the top of the file, enable ipv6, add your ssh key
# - cat customConfig.optional nixos-infect | ssh root@targethost
#
# Alternatively, use the user data mechamism by supplying the following lines (without >)
# in the Digital Ocean Web UI (or HTTP API):
#
# > #cloud-config
# >
# > runcmd:
# > - curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | bash 2>&1 | tee /tmp/infect.log
#
# Potential tweaks:
# /etc/nixos/{,hardware-}configuration.nix : rudimentary mostly static config
# /etc/nixos/networking.nix, networking settings determined at runtime
@ -37,7 +45,8 @@
set -ex
nixos_channel=nixos-unstable
# nixpkgs="https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz"
nixpkgs="https://github.com/NixOS/nixpkgs/archive/ba50fd7.tar.gz"
makeConf() {
# NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not
@ -64,7 +73,7 @@ EOF
{ ... }:
{
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.loader.grub.device = "nodev";
boot.loader.grub.device = "/dev/vda";
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
}
EOF
@ -133,54 +142,43 @@ makeSwap() {
makeConf
makeSwap # smallest (512MB) droplet needs extra memory!
dnf install -y perl-Digest-SHA || true # Fedora 24
which dnf && dnf install -y perl-Digest-SHA # Fedora 24
groupadd -r nixbld
# DigitalOcean doesn't seem to set USER while running user data
export USER="root"
export HOME="/root"
groupadd -r nixbld -g 30000
seq 1 10 | xargs -I{} useradd -c "Nix build user {}" -d /var/empty -g nixbld -G nixbld -M -N -r -s `which nologin` nixbld{}
curl https://nixos.org/nix/install | sh
source ~/.nix-profile/etc/profile.d/nix.sh
nix-channel --add https://nixos.org/channels/${nixos_channel} nixos
nix-channel --update
newRootImg=`mktemp`
newRootMount=`mktemp -d`
oldRootMount=`mktemp -d`
nix-channel --remove \*
export NIX_PATH="nixpkgs=$nixpkgs"
export NIXOS_CONFIG=/etc/nixos/configuration.nix
nix-env -i \
-f /nix/var/nix/profiles/per-user/root/channels/nixpkgs/nixos \
-A config.system.build.nixos-install
# XXX GOTCHA NB bindmount causes /bin/bash permission BUG on many
# versions (nix 1.10-1.11, nixpkgs 15-16), so we must use loopback image instead.
# See: https://github.com/NixOS/nixpkgs/issues/10230
dd if=/dev/zero of=$newRootImg bs=1M count=2047 # XXX 2048+ will cause mkfs.ext4 to fail on x86
mkfs.ext4 -F $newRootImg
mount $newRootImg $newRootMount
nix-env --set \
-f '<nixpkgs/nixos>' \
-p /nix/var/nix/profiles/system \
-A system
rsync -Ra /./etc/nixos $newRootMount
nixos-install --root $newRootMount
# Remove nix installed with curl | bash
rm -fv /nix/var/nix/profiles/default*
/nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
mount -B / $oldRootMount
# Follow the symlinks
[ -L /etc/resolv.conf ] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf
# Everything up to this point is revertible; this is the truly destructive step.
# GOTCHAs when running manually: very easy to forget slash at end of source, or use / as dest instead of bindmounted root, both of which are catastrophic...
rsync -a --delete --exclude=$(dirname $newRootMount) $newRootMount/ $oldRootMount || true
# Staging for the Nix coup d'état
touch /etc/NIXOS
cat > /etc/NIXOS_LUSTRATE << EOF
etc/nixos
etc/resolv.conf
EOF
# Restore access to commands
/nix/var/nix/profiles/system/activate # (this destroys resolv.conf)
for ns in ${nameservers[@]}; do echo "nameserver $ns" >> /etc/resolv.conf; done
source /nix/var/nix/profiles/system/etc/profile
mv -v /boot /boot.bak &&
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
# grub/initrd was skipped with "nodev", because installing from inside install-root would result in wrong fs UUID, so we need a final rebuild
sed -i 's,nodev,/dev/vda,' /etc/nixos/hardware-configuration.nix
# TODO see aszlig's comment in issue about not even having to call rebuild, just nix-build system or something; without ever having to use nixos-install either? and separate ext4fs?
# man nixos-rebuild mentions this!!: nixos-rebuid build == nix-build /path/to/nixpkgs/nixos -A system
nixos-rebuild boot --install-grub || echo "WARNING: could not install grub, but we'll hope for the best: that the old installation of grub will manage to boot the new installation."
sync
echo "You may now Ctrl-C or otherwise terminate this process."
reboot -f
reboot
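Review bot: The remote-script downloads are not failure-checked: `curl https://nixos.org/nix/install | sh` (and the new cloud-config line `curl https://raw.githubusercontent.com/.../nixos-infect | bash`) runs without `--fail`, and `set -ex` has no `-o pipefail`, so an HTTP error page or a truncated transfer is fed to a root shell and the script carries on rather than aborting before the destructive rsync/lustrate steps. I would change the two lines to `curl -fsSL https://nixos.org/nix/install | sh` and `curl -fsSL https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | bash`, and the option line to `set -exo pipefail`. Nothing here verifies what is fetched either — neither the installer nor the `ba50fd7.tar.gz` nixpkgs archive is checked against a known hash — which is worth a comment stating that this is a trust-on-first-use of nixos.org/github.com over TLS. Whether the `curl | sh` line and `set -ex` are added by this commit or pre-existing context is not recoverable from the rendered page; the new cloud-config instructions inherit the same pattern regardless.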