tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`.
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
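{ depot, pkgs, ... }:

# switch-prebuilt <SYSTEM|latest>
#
# Activates a NixOS system closure on this host, building/substituting it
# first if it is not already present in the local store.
#
#   SYSTEM  Path of a system closure (e.g. /nix/store/...-nixos-system-...).
#   latest  Look up this host's closure path in the `systems.json` published
#           by the `nixCache` CI job on the default branch.
#
# Binary-cache credentials are read from Vault through the tokend socket and
# exported for the nix client; nothing secret is passed on argv.
pkgs.writeShellScriptBin "switch-prebuilt" ''
  set -euo pipefail

  # Cache credentials for the S3 substituter. Read via the tokend socket so
  # they never appear in `ps`; they only reach the nix client through the
  # environment.
  export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=unix:///run/tokend/sock -field=cacheAccessKeyID kv/apps/nix-daemon)"
  export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=unix:///run/tokend/sock -field=cacheSecretAccessKey kv/apps/nix-daemon)"

  # `set -u` alone would die with an opaque "unbound variable" message.
  system="''${1:?usage: switch-prebuilt <system-store-path|latest>}"

  if [[ "$system" == "latest" ]]; then
    tmpdir="$(mktemp -d)"
    trap '{ rm -rf -- "$tmpdir"; }' EXIT

    # -f: an HTTP error is a failure here, instead of the error page being
    # saved as archive.zip and surfacing later as a confusing unzip error.
    # The artifact is only a hostname -> store path map; the closure it names
    # is still fetched by nix below, which applies its usual signature checks
    # (assuming the daemon's default require-sigs behaviour).
    ${pkgs.curl}/bin/curl -fsS -o "$tmpdir/archive.zip" 'https://hg.lukegb.com/api/v4/projects/lukegb%2Fdepot/jobs/artifacts/branch%2Fdefault/download?job=nixCache'
    ${pkgs.unzip}/bin/unzip -d "$tmpdir" -q -o "$tmpdir/archive.zip"

    # --arg keeps the hostname out of the jq program text; -e turns a missing
    # key (null) into a failure instead of the literal string "null".
    if ! system="$(${pkgs.jq}/bin/jq -er --arg h "$(hostname)" '.[$h]' "$tmpdir/systems.json")"; then
      echo "switch-prebuilt: no prebuilt system for host $(hostname) in systems.json" >&2
      exit 1
    fi
  fi

  if [[ ! -e "$system" ]]; then
    # We should be a trusted-user.
    nix build -v "$system"
  fi

  # Refuse to activate a closure built for a different host; diff's output
  # shows both names when they disagree.
  if ! diff "$system/etc/hostname" "/etc/hostname"; then
    echo "switch-prebuilt: $system was not built for $(hostname); refusing to switch" >&2
    exit 1
  fi

  # The next phase requires sudo, but it's harmless to run the preceding
  # commands twice. The already-resolved path is handed over so "latest" is
  # not re-resolved as root; sudo normally resets the environment, and the
  # root run simply fetches its own credentials from tokend again.
  if [[ $EUID -ne 0 ]]; then
    exec sudo "$0" "$system"
  fi

  nix-env -p /nix/var/nix/profiles/system --set "$system"
  "$system/bin/switch-to-configuration" switch
''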