# NixOS module for the host "hermes" (see the nixosConfigurations.hermes
# reference in the upgrade script below): the system closure is built on the
# remote host hephaistos over SSH, copied back with nix-copy-closure, and then
# activated locally by an overridden nixos-upgrade unit.
{
config,
lib,
pkgs,
...
}: let
# Single switch for the reboot policy: it is handed to
# system.autoUpgrade.allowReboot and also selects the reboot-capable branch
# of the upgrade script below.
allowReboot = true;
in {
# `personal.nix` is not an upstream NixOS option set; presumably declared by
# a local module of this configuration — confirm its semantics there.
personal.nix = {
enable = true;
autoUpgrade.enable = true;
gc.enable = true;
# The system flake is the local git checkout under /etc/nixos.
flake = "git+file:///etc/nixos/";
remoteBuilds = {
enable = true;
# Remote builder hephaistos; the SSH user on it is this machine's hostname.
machines.hephaistos = {
enable = true;
domain = "aristote.mesh";
user = config.networking.hostName;
};
};
};
system.autoUpgrade = {inherit allowReboot;};
# max-jobs = 0 disables *local* builds: every derivation is offloaded to the
# remote builder configured above instead of being built on this host.
nix.settings.max-jobs = 0;
# Upstream nixpkgs.flake options: point NIX_PATH and the system flake registry
# at the nixpkgs this configuration was built from.
nixpkgs.flake = {
setNixPath = true;
setFlakeRegistry = true;
};
# Both phases of the upstream nixos-upgrade unit are replaced (mkForce).
systemd.services.nixos-upgrade = {
# Phase 1: publish the local configuration to the build host. The git remote
# named "hephaistos" must already exist in /etc/nixos (see the shell comments
# inside the string). `--force` overwrites the remote master branch
# unconditionally, so any commit that exists only on hephaistos is lost.
preStart = lib.mkForce ''
cd /etc/nixos
# requires to have added
# hephaistos.aristote.mesh:/~/nixos-configuration
# as remote hephaistos
git push --force hephaistos master
'';
# Phase 2: build on hephaistos, pull the closure back, activate it here.
script = lib.mkForce (let
hephaistos = "hephaistos.aristote.mesh";
in
# `$(pwd)` and `$RESULT` are shell text (Nix '' strings only interpolate
# `${...}`); the single-quoted remote command expands `$(pwd)` on hephaistos.
# The build host is fully trusted here: whatever store path it prints is
# copied and then activated by this unit, which sets no User= and so runs as
# root. Whether nix-copy-closure verifies signatures on that closure depends
# on Nix settings not visible in this file — NOTE(review): confirm.
''
RESULT=$(ssh ${hephaistos} -- \
'nix build --print-out-paths \
git+file://$(pwd)/nixos-configuration#nixosConfigurations.hermes.config.system.build.toplevel' \
)
nix-copy-closure --from ${hephaistos} "$RESULT"
''
+ (
let
# Paths used by the shell snippets: the activation script of the new
# generation, a pinned readlink, and the LUKS device set of this host.
switch = "$RESULT/bin/switch-to-configuration";
readlink = "${pkgs.coreutils}/bin/readlink";
luksCfg = config.boot.initrd.luks.devices;
in
if allowReboot
then
# Make the new generation the default boot entry, then compare the booted
# initrd/kernel/kernel-modules with the ones just installed into the system
# profile: if they match the new system is activated in place, otherwise a
# reboot is scheduled.
''
${switch} boot
booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
if [ "$booted" = "$built" ]
then
${switch} switch
else ''
# Only when a LUKS device named "crypt" is declared: add a key slot holding
# /etc/luks/keys/tmp, authenticated with the master key file, right before
# the reboot — presumably so the unattended reboot can unlock the disk.
# cryptsetup is invoked by bare name while readlink above is pinned to
# pkgs.coreutils, so it has to be on the unit's PATH (not shown here).
# NOTE(review): nothing in this unit removes that slot again; confirm the
# boot path revokes it, otherwise the extra key slot persists on disk.
+ lib.optionalString (luksCfg ? crypt) ''
cryptsetup --verbose luksAddKey \
--key-file /etc/luks/keys/master \
${luksCfg.crypt.device} \
/etc/luks/keys/tmp
''
# Reboot with a one-minute delay.
+ ''
shutdown -r +1
fi
''
# No reboot allowed: activate the new generation in place.
else ''
${switch} switch
''
));
# Memory limits for the upgrade unit itself.
serviceConfig = {
MemoryAccounting = true;
MemoryHigh = "0.9G";
MemoryMax = "1G";
MemorySwapMax = "0";
};
};
}