From 836f80a011d6f14e4733fc1290aae5c2a912a176 Mon Sep 17 00:00:00 2001
From: primary
Date: Sat, 18 Apr 2026 01:17:02 -0400
Subject: [PATCH] scripts/cutover-muffin.sh: pre-seed nix-deploy + deploy + verify
Bundles Phases 5.5 + 6.2 + 6.3 into one invocation. Order-sensitive: pre-seed must happen BEFORE the deploy-rs run so yarn's pull-update URL stays resolvable across the harmonia /var/lib/dotfiles-deploy \u2192 /var/lib/nix-deploy rename.
---
 scripts/cutover-muffin.sh | 70 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100755 scripts/cutover-muffin.sh
diff --git a/scripts/cutover-muffin.sh b/scripts/cutover-muffin.sh
new file mode 100755
index 0000000..777a347
--- /dev/null
+++ b/scripts/cutover-muffin.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# Phase 5.5 + 6.2 + 6.3 helper: deploy the unified nixos flake to muffin,
+# pre-seeding /var/lib/nix-deploy/ so yarn's pull-update keeps working across
+# the harmonia path rename.
+#
+# Run from the repo root on a machine that can SSH to root@server-public.
+# Assumes the caller has the new git-crypt key (or a GPG user added to the repo)
+# so that secrets/ is in plaintext on this machine.
+#
+# Sequence:
+# 1. Pre-seed /var/lib/nix-deploy/ on muffin from /var/lib/dotfiles-deploy/
+# 2. deploy-rs the new flake to muffin
+# 3. Verify /run/agenix/git-crypt-key-nixos exists + readable
+# 4. Verify /var/lib/nix-deploy/{mreow,yarn} still resolves via
+# https://nix-cache.sigkill.computer/deploy/
+#
+# If any step fails, the old paths are untouched — you can roll back by
+# deploying server-config.
+
+set -euo pipefail
+
+SSH_HOST="${SSH_HOST:-root@server-public}"
+
+echo "[1/4] Pre-seeding /var/lib/nix-deploy from /var/lib/dotfiles-deploy..."
+ssh "$SSH_HOST" '
+ set -euo pipefail
+ if [ -d /var/lib/dotfiles-deploy ] && [ ! -d /var/lib/nix-deploy ]; then
+ cp -a /var/lib/dotfiles-deploy /var/lib/nix-deploy
+ echo " seeded $(ls /var/lib/nix-deploy | wc -l) entries"
+ elif [ -d /var/lib/nix-deploy ]; then
+ echo " /var/lib/nix-deploy already present; leaving untouched"
+ else
+ echo " WARN: /var/lib/dotfiles-deploy missing on server (ok if fresh install)"
+ fi
+'
+
+echo "[2/4] Deploying via deploy-rs..."
+nix run .#deploy -- .#muffin
+
+echo "[3/4] Verifying new agenix key is present..."
+ssh "$SSH_HOST" '
+ if [ -r /run/agenix/git-crypt-key-nixos ]; then
+ echo " OK: /run/agenix/git-crypt-key-nixos ($(stat -c%s /run/agenix/git-crypt-key-nixos) bytes)"
+ else
+ echo " FAIL: /run/agenix/git-crypt-key-nixos missing or unreadable" >&2
+ exit 1
+ fi
+ # Confirm it belongs to gitea-runner
+ owner=$(stat -c%U /run/agenix/git-crypt-key-nixos)
+ if [ "$owner" = "gitea-runner" ]; then
+ echo " OK: owned by gitea-runner"
+ else
+ echo " WARN: owner is $owner (expected gitea-runner)"
+ fi
+'
+
+echo "[4/4] Verifying yarn pull-update path still resolves..."
+ssh "$SSH_HOST" '
+ if [ -f /var/lib/nix-deploy/yarn ]; then
+ echo " OK: /var/lib/nix-deploy/yarn points at $(cat /var/lib/nix-deploy/yarn)"
+ else
+ echo " WARN: /var/lib/nix-deploy/yarn missing (harmless on first CI run from new repo)"
+ fi
+'
+
+echo ""
+echo "Done. muffin is running the unified flake. The old server-config Gitea"
+echo "Actions pipeline should be disabled next (Phase 6.1) before the first"
+echo "push to the new nixos Gitea repo — otherwise both will race for the"
+echo "binary cache write paths."
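Review bot: The step-3 key check runs over `ssh root@…`, so `[ -r /run/agenix/git-crypt-key-nixos ]` passes for any existing file regardless of its mode and proves nothing about whether gitea-runner can read it, and the ownership mismatch a few lines later is only a WARN that lets the script report success. Since the point of the step is that the CI user can decrypt secrets, test readability as that user, e.g. `if runuser -u gitea-runner -- test -r /run/agenix/git-crypt-key-nixos; then` (or whichever of `su`/`sudo` the host provides), turn the owner branch into `echo "  FAIL: owner is $owner (expected gitea-runner)" >&2; exit 1`, and consider failing on group/other bits from `stat -c%a` so an over-permissive key is caught at cutover rather than later. Separately, the header comment says step 4 verifies the path "still resolves via https://nix-cache.sigkill.computer/deploy/", but the step only tests `-f /var/lib/nix-deploy/yarn` on disk and never touches the URL; either add a `curl -fsS` against that endpoint or reword the comment to match what is checked. The remote snippets in steps 3 and 4 also lack the `set -euo pipefail` that step 1 has, so a failing `stat` in `owner=$(...)` degrades to an empty owner and a WARN instead of an error.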