diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 3285d1abe7..bdbeb7bc2b 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -5,6 +5,8 @@
 { pkgs, config, depot, lib, rebuilder, ... }@args:
 let
 inherit (lib) mkDefault;
+
+ switch-prebuilt = import ./switch-prebuilt.nix args;
 in
 {
 imports = [ ../../../third_party/home-manager/nixos ];
@@ -60,6 +62,7 @@ in
 (mercurial.overridePythonAttrs (origAttrs: {
 propagatedBuildInputs = [python3Packages.hg-evolve depot.nix.pkgs.hg-git];
 }))
+ switch-prebuilt
 ];
 networking.firewall = {
@@ -103,6 +106,9 @@ in
 commands = [{
 command = "${rebuilder}/bin/rebuilder";
 options = [ "NOPASSWD" ];
+ } {
+ command = "${switch-prebuilt}/bin/switch-prebuilt";
+ options = [ "NOPASSWD" ];
 }];
 }];
 security.sudo.extraConfig = ''
diff --git a/ops/nixos/lib/switch-prebuilt.nix b/ops/nixos/lib/switch-prebuilt.nix
new file mode 100644
index 0000000000..5b0a3764c5
--- /dev/null
+++ b/ops/nixos/lib/switch-prebuilt.nix
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, pkgs, ... }:
+pkgs.writeShellScriptBin "switch-prebuilt" ''
+ set -ue
+ if [[ $EUID -ne 0 ]]; then
+ exec sudo "$0" "$@"
+ fi
+
+
+ export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
+ export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
+ system="''${1}"
+
+ nix copy --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' --no-check-sigs "$system"
+ diff "$system/etc/hostname" "/etc/hostname"
+ nix-env -p /nix/var/nix/profiles/system --set "$system"
+ "$system/bin/switch-to-configuration" switch
+''
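Review bot: The added NOPASSWD entry for `${switch-prebuilt}/bin/switch-prebuilt` has no argument restriction, so whoever this rule applies to can run the script as root with any argument; the rule's user and group selection is outside the hunk. The script added in the same commit executes `"$system/bin/switch-to-configuration"` from that argument, which makes the argument part of the privilege boundary. I would say so at the rule, for example `# switch-prebuilt activates whatever path it is given: holding this rule is equivalent to root`. The script should also reject any argument that is not a single `/nix/store/<name>` path before acting on it.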
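Review bot: The two `export AWS_…` lines interpolate `depot.ops.secrets.nixCache.*` at evaluation time, which writes the cache credentials into the generated script under `/nix/store`, where every local user can read them. The `nix copy` line also passes `--no-check-sigs`, so the integrity of a system that is then activated as root depends only on who can write to the bucket. In addition, `$system` is never checked to be a store path before `bin/switch-to-configuration` is run from it. I would read the credentials at run time from a root-only file, validate the argument, and leave signature checking on once the cache's public key is trusted on the hosts, as sketched below; the credentials path is a placeholder.

```nix
  # … unchanged: set -ue and the sudo re-exec …

  # Credentials are loaded at run time from a root-only (0400) file so they
  # never end up in the world-readable store copy of this script.
  . /PLACEHOLDER/root-only/nix-cache-credentials.env

  system="''${1}"
  # Only accept a top-level store path; anything else must not be activated as root.
  case "$system" in
    /nix/store/*/*|/nix/store/.*) echo "switch-prebuilt: refusing $system" >&2; exit 1 ;;
    /nix/store/?*) ;;
    *) echo "switch-prebuilt: not a store path: $system" >&2; exit 1 ;;
  esac

  # Signature checking stays enabled; this needs the cache's signing key in
  # the hosts' trusted-public-keys.
  nix copy --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' "$system"
  # … unchanged: hostname diff, nix-env --set, switch-to-configuration …
```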