#! /bin/sh set -xeuf . ./lib/prelude.sh . ./lib/cac.sh . ./lib/cacnixos.sh nix_url=https://nixos.org/releases/nix/nix-1.8/nix-1.8-x86_64-linux.tar.bz2 nix_sha256=52fab207b4ce4d098a12d85357d0353e972c492bab0aa9e08e1600363e76fefb nix_find_sha1sum=86f8775bd4f0841edd4c816df861cebf509d58c3 # This is somewhat required because cloudatcost requires whitelisting # of hosts. If you whitelist your localhost, then leave this empty. # cac_via= # # cac_key= # cac_login= # cac_servername= # hostname= main() { server=$(cac_getserver_by_servername "$cac_servername") serverstatus=$(echo $server | jq -r .status) case $serverstatus in 'Powered On') : ;; *) echo $0: bad server status: $serverstatus >&2 exit 2 esac template=$(echo $server | jq -r .template) case $template in 'CentOS-7-64bit') infest_centos7_64bit "$server";; *) echo $0: bad template: $template >&2 exit 3 esac } infest_centos7_64bit() { server=$1 address=$(echo $server | jq -r .ip) RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' SSHPASS=$(echo $server | jq -r .rootpass) export SSHPASS export RSYNC_RSH main="modules/$hostname/default.nix" target="root@$address" cacnixos_networking "$server" $hostname \ > modules/$hostname/networking.nix echo '( set -xeuf type bzip2 || yum install -y bzip2 type rsync || yum install -y rsync )' \ | sshpass -e ssh \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ "root@$address" \ /bin/sh rsync_filter "$main" \ | rsync -f '. -' -zvrlptD --delete-excluded ./ "$target":/etc/nixos/ # # # echo '( set -xeuf groupadd -g 30000 nixbld || : for i in `seq 1 10`; do useradd -c "foolsgarden Nix build user $i" \ -d /var/empty \ -s /sbin/nologin \ -g 30000 \ -G 30000 \ -l -u $(expr 30000 + $i) \ nixbld$i || : rm -f /var/spool/mail/nixbld$i done #curl https://nixos.org/nix/install | sh nix_tar=$nix_basename.tar.bz2 if ! echo $nix_sha256 $nix_tar | sha256sum -c; then curl -O -C - $nix_url || : if ! echo $nix_sha256 $nix_tar | sha256sum -c; then curl -O $nix_url || : if ! echo $nix_sha256 $nix_tar | sha256sum -c; then echo $0: cannot download $nix_url >&2 exit 5 fi fi fi if ! test -d $nix_basename; then tar jxf $nix_basename.tar.bz2 fi nix_find=$nix_basename.find.txt if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then find $nix_basename | sort > $nix_find if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then echo $0: cannot unpack $nix_basename.tar.bz2 >&2 # TODO we could retry exit 6 fi fi mkdir -p bin PATH=$HOME/bin:$PATH export PATH # generate fake sudo because # sudo: sorry, you must have a tty to run sudo { echo "#! /bin/sh" echo "exec env \"\$@\"" } > bin/sudo chmod +x bin/sudo ./$nix_basename/install . /root/.nix-profile/etc/profile.d/nix.sh nixpkgs_expr="import { system = builtins.currentSystem; }" nixpkgs_path=$( find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d ) for i in nixos-generate-config nixos-install; do nix-env \ --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ --arg pkgs "$nixpkgs_expr" \ --arg modulesPath "throw \"no modulesPath\"" \ -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ -iA config.system.build.$i done # TODO following fail when aborted in-between if ! test -d /int; then mkdir -p /int mount --bind /int /mnt fi if ! test -d /mnt/boot; then mkdir -p /mnt/boot mount /dev/sda1 /mnt/boot fi mkdir -p /mnt/etc/nixos rsync -zvrlptD --delete-excluded /etc/nixos/ /mnt/etc/nixos/ mkdir -m 0444 -p /mnt/var/empty ln -s $main /mnt/etc/nixos/configuration.nix nixos-install \ -I secrets=/etc/nixos/secrets rsync -va --force /int/ / # find / -type f -mtime +1 -exec rm -v {} \; 2>&1 > rm.log # ^ too aggressive, kills journal which is bad # shutdown -r now # nix-channel --add https://nixos.org/channels/nixos-unstable nixos # nix-channel --remove nixpkgs # nix-channel --update )' \ | sshpass -e ssh \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ "root@$address" \ -T /usr/bin/env \ nix_url="$nix_url" \ nix_basename="$(basename $nix_url .tar.bz2)" \ nix_sha256="$nix_sha256" \ nix_find_sha1sum="$nix_find_sha1sum" \ main="$main" \ /bin/sh } main "$@"