forked from NixOS/nix-security-tracker
deploy.sh
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nixos-rebuild coreutils
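# Deploy (or only build) the NixOS configuration in infra/configuration.nix.
#
# Usage: deploy.sh [VERB]
#   VERB is the nixos-rebuild action to run; it defaults to "switch".
#   Every verb other than "build" is run against the remote target host as
#   root, preceded by a dry-activation against that same host.
set -euo pipefail

readonly TARGET_HOST=root@tracker.security.nixos.org

DIR=$(git rev-parse --show-toplevel)
VERB=${1:-switch}

# The verb is handed to nixos-rebuild as its action. Accept only a plain
# lowercase word (letters and dashes) so that a stray argument cannot be read
# as an option by a command that changes a host we log into as root.
if [[ ! "$VERB" =~ ^[a-z][a-z-]*$ ]]; then
  printf 'deploy.sh: invalid verb: %s\n' "$VERB" >&2
  exit 2
fi

readonly NIXOS_CONFIG="nixos-config=$DIR/infra/configuration.nix"

# make sure we're building with the version of Nixpkgs under our control
# TODO: fix the build on the latest nixpkgs-unstable and use that one for deployment
# export NIX_PATH=nixpkgs=$(nix-instantiate --eval -E '(import ./infra/npins).nixpkgs.outPath' | tr -d '"')
#
# The assignment is kept separate from `export`: `export VAR=$(cmd)` returns
# the status of `export`, so a failing nix-instantiate would go unnoticed and
# the deployment would continue with an empty nixpkgs entry in NIX_PATH.
NIXPKGS_PATH=$(nix-instantiate --eval -A pkgs.path)
if [[ -z "$NIXPKGS_PATH" ]]; then
  printf 'deploy.sh: nix-instantiate returned no nixpkgs path\n' >&2
  exit 1
fi
export NIX_PATH="nixpkgs=$NIXPKGS_PATH"

# Note: we could refactor the conditional here.
# But `nixos-rebuild build --target-host ...` requiring network operations is an unexpected bug.
# Therefore, we keep the two conditionals separated for the day when we will
# replace `nixos-rebuild` by a tool that does not have this bug but similar
# semantics.
# Example: `colmena apply dry-activate` then `colmena build` does have these
# properties and would make the second conditional disappear.
if [[ "$VERB" != "build" ]]; then
  # Perform a dry-activation first.
  echo "dry-activating the configuration first..."
  nixos-rebuild dry-activate -I "$NIXOS_CONFIG" --target-host "$TARGET_HOST"
else
  echo "skipping the dry-activation as we are using an offline verb."
fi

if [[ "$VERB" != "build" ]]; then
  echo "$VERB-ing the configuration now."
  nixos-rebuild "$VERB" -I "$NIXOS_CONFIG" --target-host "$TARGET_HOST"
else
  echo "building the configuration now."
  nixos-rebuild build -I "$NIXOS_CONFIG"
fi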