nixos/deploy.sh
Simon Gardling b0b4bcb0b3
deploy guard: fix actions
2026-04-22 01:18:09 -04:00


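#!/bin/sh
# Wrapper around nixos-rebuild and deploy-rs for the three hosts.
#
# Usage:
#   ./deploy.sh                 # nixos-rebuild boot on current host (mreow/yarn)
#   ./deploy.sh switch          # apply immediately on current host
#   ./deploy.sh test            # apply without adding boot entry
#   ./deploy.sh build           # build only, no activation
#   ./deploy.sh muffin          # preflight deploy guard + deploy-rs to muffin
#   ./deploy.sh muffin --force  # skip the preflight deploy guard
#
# muffin cannot be rebuilt locally from another host — this script only issues
# the remote deploy via deploy-rs when explicitly named.
#
# DEPLOY_GUARD_FORCE=1 is equivalent to passing --force. Because it is read
# from the environment, a value left exported in a shell profile or CI job
# disables the guard on every run; the bypass notice below names which
# mechanism was used so that it is visible in logs.
#
# --force is only recognised as the first argument after "muffin"; everything
# after it is handed to deploy-rs unchanged.
#
# Exit status: 1 when the guard blocks or the preflight cannot be reached,
# 2 on a usage error; otherwise whatever the exec'd tool returns.
set -eu

host="$(hostname -s)"
arg="${1:-boot}"

case "$arg" in
  muffin)
    shift # consume "muffin"

    # Record every bypass mechanism in effect rather than a bare flag, so the
    # notice does not claim --force when only the environment variable is set.
    bypass=""
    if [ "${DEPLOY_GUARD_FORCE:-0}" = "1" ]; then
      bypass="DEPLOY_GUARD_FORCE=1"
    fi
    if [ "${1:-}" = "--force" ]; then
      bypass="${bypass:+$bypass, }--force"
      shift
    fi

    if [ -n "$bypass" ]; then
      # Diagnostic, not data: goes to stderr like the other guard messages.
      echo "deploy-guard: preflight skipped ($bypass)" >&2
    else
      # Single SSH probe. Exit 255 is a connectivity failure; treat as a hard
      # abort — without the preflight there is no other gate that prevents
      # deploy-rs from partially activating while users are online.
      # NOTE(review): ssh also passes through the remote command's status, so
      # a deploy-guard-check that itself exits 255 lands in the same branch.
      # The "|| rc=$?" keeps set -e from aborting before rc is inspected.
      rc=0
      output=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
        root@server-public deploy-guard-check 2>&1) || rc=$?

      case "$rc" in
        0)
          # Guard passed; relay anything it printed.
          if [ -n "$output" ]; then
            printf '%s\n' "$output"
          fi
          ;;
        255)
          echo "deploy-guard: preflight SSH failed (rc=255)." >&2
          printf '%s\n' "$output" >&2
          echo "Re-run with --force once you've confirmed the host is idle." >&2
          exit 1
          ;;
        *)
          # Any other status is the guard refusing the deploy; its output is
          # the reason, shown before the bypass hint.
          printf '%s\n' "$output"
          echo >&2
          echo "Blocked by deploy guard. Bypass: ./deploy.sh muffin --force" >&2
          exit 1
          ;;
      esac
    fi

    # Remaining arguments are forwarded to deploy-rs verbatim.
    exec nix run .#deploy -- .#muffin "$@"
    ;;
  boot | switch | test | build)
    # Local rebuild of whatever host this runs on; the flake attribute is the
    # short hostname.
    exec nixos-rebuild "$arg" --flake ".#$host" --use-remote-sudo
    ;;
  *)
    echo "usage: $0 [muffin [--force] | boot | switch | test | build]" >&2
    exit 2
    ;;
esac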