titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b21bb3b33bc2d731c3997e052064f01a5b61b1e1
nixos/deploy.sh
Simon Gardling b21bb3b33b
All checks were successful
Build and Deploy / mreow (push) Successful in 1m21s
Details
Build and Deploy / yarn (push) Successful in 45s
Details
Build and Deploy / muffin (push) Successful in 1m26s
Details
deploy guard: expose binary
2026-04-22 07:28:56 -04:00

75 lines
2.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Wrapper around nixos-rebuild and deploy-rs for the three hosts.
#
# Usage:
# ./deploy.sh # nixos-rebuild boot on current host (mreow/yarn)
# ./deploy.sh switch # apply immediately on current host
# ./deploy.sh test # apply without adding boot entry
# ./deploy.sh build # build only, no activation
# ./deploy.sh muffin # preflight deploy guard + deploy-rs to muffin
# ./deploy.sh muffin --force # skip the preflight deploy guard
#
# muffin cannot be rebuilt locally from another host — this script only issues
# the remote deploy via deploy-rs when explicitly named.
#
# DEPLOY_GUARD_FORCE=1 is equivalent to passing --force.
#
# The preflight builds the guard derivation locally, copies it to muffin's
# nix store, then invokes it by /nix/store path over SSH as root (so the
# jellyfin check can read /run/agenix/jellyfin-api-key). Building the exact
# binary we're about to deploy avoids the bootstrap gap where
# /run/current-system/sw/bin/deploy-guard-check may not yet exist on the target
# (first deploy of the feature, post-rollback wiping it, etc).
set -eu
host="$(hostname -s)"
arg="${1:-boot}"
case "$arg" in
muffin)
shift # consume "muffin"
force=0
if [ "${DEPLOY_GUARD_FORCE:-0}" = "1" ]; then force=1; fi
if [ "${1:-}" = "--force" ]; then force=1; shift; fi
if [ "$force" = "1" ]; then
echo "deploy-guard: preflight skipped (--force)"
else
echo "deploy-guard: building preflight binary..."
guard=$(nix build --no-link --print-out-paths \
'.#nixosConfigurations.muffin.config.system.build.deployGuardCheck')
echo "deploy-guard: copying to muffin..."
nix copy --to ssh-ng://root@server-public "$guard"
output=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
root@server-public "$guard/bin/deploy-guard-check" 2>&1) && rc=0 || rc=$?
if [ "$rc" -eq 0 ]; then
[ -n "$output" ] && printf '%s\n' "$output"
elif [ "$rc" -eq 255 ]; then
echo "deploy-guard: preflight SSH failed (rc=255)." >&2
printf '%s\n' "$output" >&2
echo "Re-run with --force once you've confirmed the host is idle." >&2
exit 1
else
printf '%s\n' "$output"
echo >&2
echo "Blocked by deploy guard. Bypass: ./deploy.sh muffin --force" >&2
exit 1
fi
fi
exec nix run .#deploy -- .#muffin "$@"
;;
boot | switch | test | build)
exec nixos-rebuild "$arg" --flake ".#$host" --use-remote-sudo
;;
*)
echo "usage: $0 [muffin [--force] | boot | switch | test | build]" >&2
exit 2
;;
esac
Reference in New Issue View Git Blame Copy Permalink