xin/bin/deploy

157 lines
4.0 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env sh
. ./common.sh
trap error INT TERM
start
rebuild() {
host="$(resolveAlias $1)"
skip_check=$2
msg "Rebuilding: ${host}"
if ! tsAlive $host; then
msg "can't reach ${1}.. skipping.."
return
fi
hostVersion=$(${SSH} root@${host} 'nixos-version --json | jq -r .configurationRevision')
if [ $? != 0 ]; then
return $?
fi
if [ "$hostVersion" = "$CurrentVersion" ] && [ $skip_check = false ]; then
msg "Up-to-date: ${host}"
return 0
fi
nixos-rebuild --flake .#${1} --build-host root@${host} --target-host root@${host} switch
return $?
}
if [ "$1" = "watch" ]; then
if [ "$2" = "update" ]; then
msg "updating watches..."
for f in pull_requests/*.json; do
pr=$(basename $f .json)
curl -s -o - https://pr-status.humpback-trout.ts.net/${pr} | jq -rS >pull_requests/${pr}.json
msg "Updated watch for ${pr}: $(jq -r .title <pull_requests/${pr}.json)"
done
else
pr="$2"
curl -s -o - https://pr-status.humpback-trout.ts.net/${pr} | jq -rS >pull_requests/${pr}.json
msg "Added watch for ${pr}: $(jq -r .title <pull_requests/${pr}.json)"
fi
exit 0
fi
if [ "$1" = "status" ]; then
rev=$(git rev-parse HEAD)
msg "Currently at: ${rev}\t($(git log --format=%B -n 1 $rev | head -n1))"
for h in $(listNixOSHosts); do
host="$(resolveAlias $h)"
if ! tsAlive $host; then
msg "can't reach ${h}.. skipping.."
continue
fi
echo -n "===> $h: "
host_data="$(${SSH} root@${host} 'xin-status')"
remote_rev=$(echo $host_data | jq -r .configurationRevision)
remote_ver=$(echo $host_data | jq -r .nixosVersion)
needs_reboot=$(echo $host_data | jq -r .needs_restart)
rev_msg="DIRTY"
rev_status="✓"
if [ "$remote_rev" != "DIRTY" ]; then
rev_msg=$(git log --format=%B -n1 $remote_rev | head -n1)
if [ "${remote_rev}" != "${rev}" ]; then
rev_status="×"
fi
fi
echo -en "\t\t${remote_ver}\t${rev_status}\t(${rev_msg})"
if [ "$needs_reboot" == "false" ]; then
echo -e "\tOK"
else
echo -e "\tREBOOT"
fi
done
exit 0
fi
if [ "$1" = "install" ]; then
h="$2"
host="$(resolveAlias $2)"
dest="${3:-/nix/store}"
shift
shift
if [ ! -d hosts/${h} ]; then
msg "No config found for $h"
exit 1
fi
set -eu
set -x
mkdir -p .gcroots
out=$(nix build -o .gcroots/${h} --json .#nixosConfigurations.${h}.config.system.build.toplevel | jq -r '.[0].outputs.out')
nix copy -s --to "ssh://root@${host}?remote-store=${dest}" "$out"
nix copy -s --derivation --to "ssh://root@${host}?remote-store=${dest}" "$out"
${SSH} "root@${host}" NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$dest" -- nix --extra-experimental-features nix-command build --profile /nix/var/nix/profiles/system "$out"
${SSH} "root@${host}" NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$dest" -- /run/current-system/bin/switch-to-configuration switch
exit 0
fi
if [ "$1" = "local" ]; then
sudo nixos-rebuild --flake .#$(uname -n) switch
exit $?
fi
if [ "$1" = "update" ]; then
single="$2"
can_sign=0
for i in $(ssh-add -L | awk '{print $NF}'); do
grep -q $i .allowed_signers && can_sign=1
done
# TODO: capture commit message and wrap it with what is being updated.
if [ $can_sign = 1 ]; then
if [ "$single" != "" ]; then
nix flake lock --commit-lock-file --update-input "$single"
else
nix flake update --commit-lock-file
fi
exit
else
echo "Can't find signing key."
exit 1
fi
fi
if [ "$1" = "installer" ]; then
nix build .#nixosConfigurations.isoInstall.config.system.build.isoImage
exit $?
fi
if [ "$1" = "diff" ]; then
host="$(resolveAlias $2)"
mkdir -p .gcroots
out=$(nix build -o .gcroots/${host} --json .#nixosConfigurations.${2}.config.system.build.toplevel | jq -r '.[0].outputs.out')
nix copy -s --to "ssh://root@$host" "$out"
nix copy -s --derivation --to "ssh://root@$host" "$out"
${SSH} "root@$host" "nix-store -qd /run/current-system $out | xargs nix-diff --color=always" | less
exit $?
fi
ret=0
if [ ${#@} = 1 ]; then
rebuild $1 true || ret=1
else
lock
for host in $(listNixOSHosts); do
rebuild $host false || ret=1
done
fi