sammy/nixos-infect
1
0
Fork 0
forked from Mirrors/nixos-infect
Code Pull requests Activity

optimizations, comments

Browse source
This commit is contained in:
Eric Litak 2016-04-09 12:39:35 -07:00
parent 6e910a3c1b
commit 69787b1dc0
1 changed files with 73 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

131
nixos-infect
View file

@ -1,5 +1,9 @@
#! /usr/bin/env bash #! /usr/bin/env bash
# nixos-infect is so named because there's a good chance the system will get
# sick if anything goes wrong, and possibly die, requiring reprovisioning.
# Use with caution.
#
# WARNING NB This script wipes out the targeted host's root filesystem when it # WARNING NB This script wipes out the targeted host's root filesystem when it
# runs to completion. Any errors halt execution. set -x is used to help debug, # runs to completion. Any errors halt execution. set -x is used to help debug,
# as often a failed run leaves the system in an inconsistent state, requiring a # as often a failed run leaves the system in an inconsistent state, requiring a
@ -32,16 +36,16 @@
set -ex set -ex
# If you have another nixos host in the cloud, add it here to speed up the
# package downloads. Use "ssh -A" with your key loaded to run the script!
# This also reduces load on NixOS servers, so please make an effort to use it
# whenever possible.
#nix_options+=" --option ssh-substituter-hosts user@host"
makeConf() { makeConf() {
# NB remember to escape / $ ` in heredocs! # NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not
# TODO use appended archive or some curl-able tarball?
mkdir -p /etc/nixos mkdir -p /etc/nixos
IFS=$'\n'; keys=($(cat /root/.ssh/authorized_keys)) local IFS=$'\n'; keys=($(cat /root/.ssh/authorized_keys))
cat > /etc/nixos/networking.nix << EOF
# This file will be populated at runtime with the
# networking details gathered from the active system.
{...}:{}
EOF
cat > /etc/nixos/configuration.nix << EOF cat > /etc/nixos/configuration.nix << EOF
{ ... }: { { ... }: {
imports = [ imports = [
@ -65,6 +69,45 @@ EOF
boot.loader.grub.devices = [ "/dev/vda" ]; boot.loader.grub.devices = [ "/dev/vda" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
} }
EOF
local IFS=$'\n'
ip4s=($(ip address show dev eth0 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
ip6s=($(ip address show dev eth0 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
gateway=($(ip route show dev eth0 | grep default | sed -r 's|default via ([0-9.]+).*|\1|'))
gateway6=($(ip -6 route show dev eth0 | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|'))
ether0=($(ip address show dev eth0 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
ether1=($(ip address show dev eth1 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
nameservers=($(grep ^nameserver /etc/resolv.conf | cut -f2 -d' '))
cat > /etc/nixos/networking.nix << EOF
{ ... }: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
nameservers = [$(for a in ${nameservers[@]}; do echo -n "
\"$a\""; done)
];
defaultGateway = "${gateway}";
defaultGateway6 = "${gateway6}";
interfaces = {
eth0 = {
ip4 = [$(for a in ${ip4s[@]}; do echo -n "
$a"; done)
];
ip6 = [$(for a in ${ip6s[@]}; do echo -n "
$a"; done)
];
};
# eth1 is for private networking or something?
eth1.useDHCP = false;
};
};
services.udev.extraRules = ''
KERNEL=="eth*", ATTR{address}=="${ether0}", NAME="eth0"
KERNEL=="eth*", ATTR{address}=="${ether1}", NAME="eth1"
'';
}
EOF EOF
#! /usr/bin/env bash #! /usr/bin/env bash
# NB put your semi-sensitive (not posted to github) configuration in a separate # NB put your semi-sensitive (not posted to github) configuration in a separate
@ -81,12 +124,13 @@ EOF
if [[ `type -t customConfig` == "function" ]]; then customConfig; fi if [[ `type -t customConfig` == "function" ]]; then customConfig; fi
} }
swapFile=/tmp/swap
makeSwap() { makeSwap() {
if [[ ! -e /swap ]]; then if [[ ! -e $swapFile ]]; then
dd if=/dev/zero of=/swap bs=1M count=$((1024*2)) dd if=/dev/zero of=$swapFile bs=1M count=$((1024*2))
chmod 0600 /swap chmod 0600 $swapFile
mkswap /swap mkswap $swapFile
swapon /swap swapon $swapFile
fi fi
} }
@ -110,66 +154,37 @@ newRootMount=`mktemp -d`
oldRootMount=`mktemp -d` oldRootMount=`mktemp -d`
export NIXOS_CONFIG=/etc/nixos/configuration.nix export NIXOS_CONFIG=/etc/nixos/configuration.nix
nix-env -i -f /nix/var/nix/profiles/per-user/root/channels/nixpkgs/nixos \ nix-env -i \
-A config.system.build.nixos-install \ $nix_options \
-A config.system.build.nixos-option \ -f /nix/var/nix/profiles/per-user/root/channels/nixpkgs/nixos \
-A config.system.build.nixos-generate-config -A config.system.build.nixos-install
#-A config.system.build.nixos-option \
#-A config.system.build.nixos-generate-config
# XXX GOTCHA NB bindmount causes /bin/bash permission BUG on many # XXX GOTCHA NB bindmount causes /bin/bash permission BUG on many
# versions (nix 1.10-1.11, nixpkgs 15-16), so we must use loopback image instead. # versions (nix 1.10-1.11, nixpkgs 15-16), so we must use loopback image instead.
# See: https://github.com/NixOS/nixpkgs/issues/10230
dd if=/dev/zero of=$newRootImg bs=1M count=$((1024*2)) dd if=/dev/zero of=$newRootImg bs=1M count=$((1024*2))
mkfs.ext4 $newRootImg mkfs.ext4 -F $newRootImg
mount $newRootImg $newRootMount mount $newRootImg $newRootMount
rsync -aR /./etc/nixos $newRootMount rsync -aR /./etc/nixos $newRootMount
nixos-install --root $newRootMount nixos-install $nix_options --root $newRootMount
cp -a {,$newRootMount}/etc/resolv.conf # needed for final rebuild
swapoff /swap swapoff $swapFile || true
mount -B / $oldRootMount mount -B / $oldRootMount
# Everything up to this point is revertible; this is the truly destructive step.
rsync -a --delete --exclude=$(dirname $newRootMount) $newRootMount/ $oldRootMount rsync -a --delete --exclude=$(dirname $newRootMount) $newRootMount/ $oldRootMount
# restore access to commands # Restore access to commands
/nix/var/nix/profiles/system/activate /nix/var/nix/profiles/system/activate
source /nix/var/nix/profiles/system/etc/profile source /nix/var/nix/profiles/system/etc/profile
# XXX temporary fix for name resolution
echo nameserver 8.8.4.4 > /etc/resolv.conf
IFS=$'\n'
ip4s=($(ip address show dev eth0 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
ip6s=($(ip address show dev eth0 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
gateway=($(ip route show dev eth0 | grep default | sed -r 's|default via ([0-9.]+).*|\1|'))
gateway6=($(ip -6 route show dev eth0 | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|'))
ether0=($(ip address show dev eth0 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
ether1=($(ip address show dev eth1 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
cat > /etc/nixos/networking.nix << EOF
{ ... }: {
networking = {
nameservers = [ "8.8.4.4" ];
defaultGateway = "${gateway}";
defaultGateway6 = "${gateway6}";
interfaces = {
eth0 = {
ip4 = [$(for a in ${ip4s[@]}; do echo -n "
$a"; done)
];
ip6 = [$(for a in ${ip6s[@]}; do echo -n "
$a"; done)
];
};
# eth1 is for private networking or something?
eth1.useDHCP = false;
};
};
services.udev.extraRules = ''
KERNEL=="eth*", ATTR{address}=="${ether0}", NAME="eth0"
KERNEL=="eth*", ATTR{address}=="${ether1}", NAME="eth1"
'';
}
EOF
# grub/initrd was probably installed incorrectly (using false root device), so we need a final rebuild # grub/initrd was probably installed incorrectly (using false root device), so we need a final rebuild
# TODO see aszlig's comment in issue about not even having to call rebuild, just nix-build system or something; without ever having to use nixos-install either? and separate ext4fs?
# man nixos-rebuild mentions this!!: nixos-rebuid build == nix-build /path/to/nixpkgs/nixos -A system
nixos-rebuild boot --install-grub nixos-rebuild boot --install-grub
sync sync