From 422c47c3e0a90f06408e04fa646a86c3e0b29e08 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 20 Mar 2021 13:22:17 +0000
Subject: [PATCH] switch-prebuilt: run stuff assuming we're a trusted-user
---
 ops/nixos/lib/switch-prebuilt.nix | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/ops/nixos/lib/switch-prebuilt.nix b/ops/nixos/lib/switch-prebuilt.nix
index 5b0a3764c5..4adbb16a27 100644
--- a/ops/nixos/lib/switch-prebuilt.nix
+++ b/ops/nixos/lib/switch-prebuilt.nix
@@ -5,17 +5,20 @@ { depot, pkgs, ... }: pkgs.writeShellScriptBin "switch-prebuilt" '' set -ue - if [[ $EUID -ne 0 ]]; then - exec sudo "$0" "$@" - fi - export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}" export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}" system="''${1}" - nix copy --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' --no-check-sigs "$system" + # We should be a trusted-user. + nix copy -v --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' --no-check-sigs "$system" diff "$system/etc/hostname" "/etc/hostname" + + # The next phase requires sudo, but it's harmless to run the preceding commands twice. + if [[ $EUID -ne 0 ]]; then + exec sudo "$0" "$@" + fi + + nix-env -p /nix/var/nix/profiles/system --set "$system" "$system/bin/switch-to-configuration" switch ''
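Review bot: The added `nix copy -v … --no-check-sigs "$system"` now runs as the invoking user and relies on that account being a Nix trusted-user, so the only integrity control on the closure that `switch-to-configuration` later activates as root is write access to the bucket. Trusted-user status is close to root-equivalent on the daemon, and the `diff` against `/etc/hostname` catches a wrong-host mistake, not a tampered path. If the cache paths can be signed at upload time, dropping the flag and listing the signing key under `trusted-public-keys` may let this step run without trusted-user at all; whether the bucket is already signed is not visible from this hunk. It would also help to reject a `$1` outside the store before the `exec sudo`, for example `[[ $system == /nix/store/* ]] || exit 1`.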