nixos-anywhere/src/nixos-remote.sh

showUsage() {
  cat <<USAGE
Usage: nixos-remote [options] ssh-host

Options:

* -f, --flake flake
  set the flake to install the system from
* -s, --store-paths
  set the store paths to the disko-script and nixos-system directly
  if this is give, flake is not needed
* --no-ssh-copy
  skip copying ssh-keys to target system
* --no-reboot
  do not reboot after installation, allowing further customization of the target installation.
* --kexec url
  use another kexec tarball to bootstrap NixOS
* --stop-after-disko
  exit after disko formating, you can then proceed to install manually or some other way
* --extra-files files
  files to copy into the new nixos installation
* --disk-encryption-keys remote_path local_path
  copy the contents of the file or pipe in local_path to remote_path in the installer environment,
  after kexec but before installation. Can be repeated.
* --debug
  enable debug output
USAGE
}

abort() {
  echo "aborted: $*" >&2
  exit 1
}

kexec_url=https://github.com/nix-community/nixos-images/releases/download/nixos-22.11/nixos-kexec-installer-x86_64-linux.tar.gz
enable_debug=""
maybereboot="reboot"

declare -A disk_encryption_keys

while [[ $# -gt 0 ]]; do
  case "$1" in
    -f | --flake)
      flake=$2
      shift
      ;;
    -s | --store-paths)
      disko_script=$(readlink -f "$2")
      nixos_system=$(readlink -f "$3")
      shift
      shift
      ;;
    --help)
      showUsage
      exit 0
      ;;
    --kexec)
      kexec_url=$2
      shift
      ;;
    --no-ssh-copy-id)
      no_ssh_copy=y
      ;;
    --debug)
      enable_debug="-x"
      set -x
      ;;
    --extra-files)
      extra_files=$2
      shift
      ;;
    --disk-encryption-keys)
      disk_encryption_keys["$2"]="$3"
      shift
      shift
      ;;
    --stop-after-disko)
      stop_after_disko=y
      ;;
    --no-reboot)
      maybereboot=""
      ;;
    *)
      if [[ -z ${ssh_connection:-} ]]; then
        ssh_connection="$1"
      else
        showUsage
        exit 1
      fi
      ;;
  esac
  shift
done


# ssh wrapper
timeout_ssh_() {
  timeout 10 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection" "$@"
}
ssh_() {
  ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection" "$@"
}
nixCopy() {
  NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' nix copy --extra-experimental-features nix-command "$@"
}
nix_build() {
  nix \
    --experimental-features flakes build \
    --extra-experimental-features nix-command \
    --no-write-lock-file \
    --print-out-paths \
    "$@"
}

if [[ -z ${ssh_connection:-} ]]; then
  abort "ssh-host must be set"
fi

# parse flake nixos-install style syntax, get the system attr
if [[ -n "${flake:-}" ]]; then
  if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then
   flake="${BASH_REMATCH[1]}"
   flakeAttr="${BASH_REMATCH[2]}"
  fi
  if [[ -z "${flakeAttr:-}" ]]; then
    echo "Please specify the name of the NixOS configuration to be installed, as a URI fragment in the flake-uri."
    echo "For example, to use the output nixosConfigurations.foo from the flake.nix, append \"#foo\" to the flake-uri."
    exit 1
  fi
  disko_script=$(nix_build "${flake}#nixosConfigurations.${flakeAttr}.config.system.build.disko")
  nixos_system=$(nix_build "${flake}#nixosConfigurations.${flakeAttr}.config.system.build.toplevel")
elif [[ -n "${disko_script:-}" ]] && [[ -n "${nixos_system:-}" ]]; then
  if [[ ! -e "${disko_script}" ]] || [[ ! -e "${nixos_system}" ]]; then
    echo "${disko_script} and ${nixos_system} must be existing store-paths"
    exit 1
  fi
  :
else
  abort "flake must be set"
fi

# wait for machine to become reachable (possibly forever)
# TODO we probably need an architecture detection here
# TODO if we have specified a user here but we are already booted into the
# installer, than the user might not work anymore
until facts=$(ssh_ -o ConnectTimeout=10 -- <<SSH
set -efu ${enable_debug}
has(){
  command -v tar >/dev/null && echo "y" || echo "n"
}
cat <<FACTS
is_os=\$(uname)
is_kexec=\$(if test -f /etc/is_kexec; then echo "y"; else echo "n"; fi)
has_tar=\$(has tar)
has_sudo=\$(has sudo)
has_wget=\$(has wget)
has_curl=\$(has curl)
FACTS
SSH
); do
  sleep 5
done

# make facts available in script
# shellcheck disable=SC2046
export $(echo "$facts" | grep -E '^(has|is)_[a-z0-9_]+=\S+' | xargs)

if [[ ${has_tar-n} == "n" ]]; then
  abort "no tar command found, but required to unpack kexec tarball"
fi
maybesudo=""
if [[ ${has_sudo-n} == "y" ]]; then
  maybesudo="sudo"
fi
if [[ ${is_os-n} != "Linux" ]]; then
  abort "This script requires Linux as the operating system, but got $is_os"
fi

if [[ ${is_kexec-n} != "y" ]] && [[ ${no_ssh_copy-n} != "y" ]]; then
  ssh-copy-id -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection"
fi

if [[ ${is_kexec-n} == "n" ]]; then
  ssh_ << SSH
set -efu ${enable_debug}
"${maybesudo}" rm -rf /root/kexec
"${maybesudo}" mkdir -p /root/kexec
SSH

  if [[ -f "$kexec_url" ]]; then
    ssh_ "${maybesudo} tar -C /root/kexec -xvzf-" < "$kexec_url"
  elif [[ ${has_curl-n} == "y" ]]; then
    ssh_ "curl --fail -Ss -L '${kexec_url}' | ${maybesudo} tar -C /root/kexec -xvzf-"
  elif [[ ${has_wget-n} == "y" ]]; then
    ssh_ "wget '${kexec_url}' -O- | ${maybesudo} tar -C /root/kexec -xvzf-"
  else
    curl --fail -Ss -L "${kexec_url}" | ssh_ "${maybesudo} tar -C /root/kexec -xvzf-"
  fi

  ssh_ << SSH
TMPDIR=/root/kexec setsid ${maybesudo} /root/kexec/kexec/run
SSH

  # wait for machine to become unreachable
  while timeout_ssh_ -- exit 0; do sleep 1; done

  # After kexec we explicitly set the user to root@
  ssh_connection="root@${ssh_connection#*@}"

  # watiting for machine to become available again
  until ssh_ -o ConnectTimeout=10 -- exit 0; do sleep 5; done
fi
for path in "${!disk_encryption_keys[@]}"
do
  echo "Uploading ${disk_encryption_keys[$path]} to $path"
  ssh_ "umask 077; cat > $path" < "${disk_encryption_keys[$path]}"
done

nixCopy --to "ssh://$ssh_connection" "$disko_script"
ssh_ "$disko_script"

if [[ ${stop_after_disko-n} == "y" ]]; then
  exit 0
fi

nixCopy --to "ssh://$ssh_connection?remote-store=local?root=/mnt" "$nixos_system"
if [[ -n ${extra_files:-} ]]; then
  if [[ -d "$extra_files" ]]; then
    extra_files="$extra_files/"
  fi
  rsync -vrlF -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" "$extra_files" "${ssh_connection}:/mnt/"
fi

ssh_ <<SSH
set -efu ${enable_debug}
# needed for installation if initrd-secrets are used
mkdir -m777 -p /mnt/tmp
nixos-install --no-root-passwd --no-channel-copy --system "$nixos_system"
${maybereboot}
SSH
init nixos-remote 2022-11-10 16:42:06 +03:00			`showUsage() {`
			`cat <<USAGE`
nixos-remote: don't display wrapped executable in usage this is confusing and leaking implementation details. 2022-12-09 17:37:41 +03:00			`Usage: nixos-remote [options] ssh-host`
init nixos-remote 2022-11-10 16:42:06 +03:00
			`Options:`

			`* -f, --flake flake`
			`set the flake to install the system from`
allow settings store paths directly 2022-12-07 18:06:02 +03:00			`* -s, --store-paths`
			`set the store paths to the disko-script and nixos-system directly`
			`if this is give, flake is not needed`
help: document --no-ssh-copy 2022-12-07 18:06:20 +03:00			`* --no-ssh-copy`
			`skip copying ssh-keys to target system`
add --no-reboot... alternative would be use --stop-after [disko\|install]. test: add --no-reboot 2022-12-29 22:11:06 +03:00			`* --no-reboot`
			`do not reboot after installation, allowing further customization of the target installation.`
add --kexec paramter to specify custom image 2022-11-10 17:30:50 +03:00			`* --kexec url`
			`use another kexec tarball to bootstrap NixOS`
add --stop-after-disko paramter 2022-12-27 21:43:41 +03:00			`* --stop-after-disko`
			`exit after disko formating, you can then proceed to install manually or some other way`
add --extra-files option 2022-12-23 20:22:25 +03:00			`* --extra-files files`
			`files to copy into the new nixos installation`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`* --disk-encryption-keys remote_path local_path`
			`copy the contents of the file or pipe in local_path to remote_path in the installer environment,`
			`after kexec but before installation. Can be repeated.`
nixos-remote: only set -x if debug is enabled 2022-12-09 17:26:44 +03:00			`* --debug`
			`enable debug output`
init nixos-remote 2022-11-10 16:42:06 +03:00			`USAGE`
			`}`

			`abort() {`
			`echo "aborted: $*" >&2`
			`exit 1`
			`}`

upgrade to 22.11 2022-12-14 15:25:31 +03:00			`kexec_url=https://github.com/nix-community/nixos-images/releases/download/nixos-22.11/nixos-kexec-installer-x86_64-linux.tar.gz`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`enable_debug=""`
			`maybereboot="reboot"`
init nixos-remote 2022-11-10 16:42:06 +03:00
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`declare -A disk_encryption_keys`

init nixos-remote 2022-11-10 16:42:06 +03:00			`while [[ $# -gt 0 ]]; do`
			`case "$1" in`
			`-f \| --flake)`
			`flake=$2`
			`shift`
			`;;`
allow settings store paths directly 2022-12-07 18:06:02 +03:00			`-s \| --store-paths)`
allow symlinks for --store-paths nix copy is otherwise picky about it. 2022-12-30 20:26:02 +03:00			`disko_script=$(readlink -f "$2")`
			`nixos_system=$(readlink -f "$3")`
allow settings store paths directly 2022-12-07 18:06:02 +03:00			`shift`
			`shift`
			`;;`
init nixos-remote 2022-11-10 16:42:06 +03:00			`--help)`
			`showUsage`
			`exit 0`
			`;;`
add --kexec paramter to specify custom image 2022-11-10 17:30:50 +03:00			`--kexec)`
			`kexec_url=$2`
			`shift`
			`;;`
start installation with ssh-copy-id, allow custom kexec tarball 2022-11-24 20:28:47 +03:00			`--no-ssh-copy-id)`
			`no_ssh_copy=y`
			`;;`
nixos-remote: only set -x if debug is enabled 2022-12-09 17:26:44 +03:00			`--debug)`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`enable_debug="-x"`
nixos-remote: only set -x if debug is enabled 2022-12-09 17:26:44 +03:00			`set -x`
			`;;`
add --extra-files option 2022-12-23 20:22:25 +03:00			`--extra-files)`
			`extra_files=$2`
			`shift`
			`;;`
Add --disk-encryption-keys option 2022-12-28 17:19:23 +03:00			`--disk-encryption-keys)`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`disk_encryption_keys["$2"]="$3"`
			`shift`
Add --disk-encryption-keys option 2022-12-28 17:19:23 +03:00			`shift`
			`;;`
add --stop-after-disko paramter 2022-12-27 21:43:41 +03:00			`--stop-after-disko)`
			`stop_after_disko=y`
			`;;`
add no-reboot option 2022-12-30 13:24:26 +03:00			`--no-reboot)`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`maybereboot=""`
add no-reboot option 2022-12-30 13:24:26 +03:00			`;;`
init nixos-remote 2022-11-10 16:42:06 +03:00			`*)`
remove POSIX sh Use [[ ]] everywhere, use :- instead of +x 2022-12-21 21:06:58 +03:00			`if [[ -z ${ssh_connection:-} ]]; then`
fix ipv6 address support 2022-12-29 19:18:46 +03:00			`ssh_connection="$1"`
init nixos-remote 2022-11-10 16:42:06 +03:00			`else`
			`showUsage`
			`exit 1`
			`fi`
			`;;`
			`esac`
			`shift`
			`done`

nixos-remote: check if ssh-host is set 2022-12-09 18:20:48 +03:00
init nixos-remote 2022-11-10 16:42:06 +03:00			`# ssh wrapper`
ssh: use timout only for waiting 2022-11-10 18:45:14 +03:00			`timeout_ssh_() {`
ssh timeout 2022-11-10 17:31:43 +03:00			`timeout 10 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection" "$@"`
init nixos-remote 2022-11-10 16:42:06 +03:00			`}`
ssh: use timout only for waiting 2022-11-10 18:45:14 +03:00			`ssh_() {`
			`ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection" "$@"`
			`}`
use local eval and copy-closure to the target 2022-11-23 20:32:36 +03:00			`nixCopy() {`
			`NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' nix copy --extra-experimental-features nix-command "$@"`
			`}`
			`nix_build() {`
			`nix \`
			`--experimental-features flakes build \`
			`--extra-experimental-features nix-command \`
			`--no-write-lock-file \`
			`--print-out-paths \`
			`"$@"`
			`}`

remove POSIX sh Use [[ ]] everywhere, use :- instead of +x 2022-12-21 21:06:58 +03:00			`if [[ -z ${ssh_connection:-} ]]; then`
nixos-remote: check if ssh-host is set 2022-12-09 18:20:48 +03:00			`abort "ssh-host must be set"`
			`fi`

use local eval and copy-closure to the target 2022-11-23 20:32:36 +03:00			`# parse flake nixos-install style syntax, get the system attr`
remove POSIX sh Use [[ ]] everywhere, use :- instead of +x 2022-12-21 21:06:58 +03:00			`if [[ -n "${flake:-}" ]]; then`
use local eval and copy-closure to the target 2022-11-23 20:32:36 +03:00			`if [[ $flake =~ ^(.)\#([^\#\"])$ ]]; then`
			`flake="${BASH_REMATCH[1]}"`
			`flakeAttr="${BASH_REMATCH[2]}"`
			`fi`
remove POSIX sh Use [[ ]] everywhere, use :- instead of +x 2022-12-21 21:06:58 +03:00			`if [[ -z "${flakeAttr:-}" ]]; then`
use local eval and copy-closure to the target 2022-11-23 20:32:36 +03:00			`echo "Please specify the name of the NixOS configuration to be installed, as a URI fragment in the flake-uri."`
			`echo "For example, to use the output nixosConfigurations.foo from the flake.nix, append \"#foo\" to the flake-uri."`
			`exit 1`
			`fi`
			`disko_script=$(nix_build "${flake}#nixosConfigurations.${flakeAttr}.config.system.build.disko")`
			`nixos_system=$(nix_build "${flake}#nixosConfigurations.${flakeAttr}.config.system.build.toplevel")`
remove POSIX sh Use [[ ]] everywhere, use :- instead of +x 2022-12-21 21:06:58 +03:00			`elif [[ -n "${disko_script:-}" ]] && [[ -n "${nixos_system:-}" ]]; then`
allow settings store paths directly 2022-12-07 18:06:02 +03:00			`if [[ ! -e "${disko_script}" ]] \|\| [[ ! -e "${nixos_system}" ]]; then`
			`echo "${disko_script} and ${nixos_system} must be existing store-paths"`
			`exit 1`
			`fi`
			`:`
use local eval and copy-closure to the target 2022-11-23 20:32:36 +03:00			`else`
			`abort "flake must be set"`
			`fi`

			`# wait for machine to become reachable (possibly forever)`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`# TODO we probably need an architecture detection here`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`# TODO if we have specified a user here but we are already booted into the`
			`# installer, than the user might not work anymore`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`until facts=$(ssh_ -o ConnectTimeout=10 -- <<SSH`
			`set -efu ${enable_debug}`
			`has(){`
			`command -v tar >/dev/null && echo "y" \|\| echo "n"`
			`}`
			`cat <<FACTS`
			`is_os=\$(uname)`
			`is_kexec=\$(if test -f /etc/is_kexec; then echo "y"; else echo "n"; fi)`
			`has_tar=\$(has tar)`
			`has_sudo=\$(has sudo)`
			`has_wget=\$(has wget)`
			`has_curl=\$(has curl)`
			`FACTS`
			`SSH`
			`); do`
fix facts on non nixos systems 2023-01-03 15:31:26 +03:00			`sleep 5`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`done`
fix facts on non nixos systems 2023-01-03 15:31:26 +03:00
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`# make facts available in script`
			`# shellcheck disable=SC2046`
fix facts on non nixos systems 2023-01-03 15:31:26 +03:00			`export $(echo "$facts" \| grep -E '^(has\|is)_[a-z0-9_]+=\S+' \| xargs)`
init nixos-remote 2022-11-10 16:42:06 +03:00
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`if [[ ${has_tar-n} == "n" ]]; then`
			`abort "no tar command found, but required to unpack kexec tarball"`
debug ssh commands if --debug is passed 2022-12-14 15:34:23 +03:00			`fi`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`maybesudo=""`
			`if [[ ${has_sudo-n} == "y" ]]; then`
			`maybesudo="sudo"`
check target OS 2022-11-10 19:15:00 +03:00			`fi`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`if [[ ${is_os-n} != "Linux" ]]; then`
			`abort "This script requires Linux as the operating system, but got $is_os"`
start installation with ssh-copy-id, allow custom kexec tarball 2022-11-24 20:28:47 +03:00			`fi`

refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`if [[ ${is_kexec-n} != "y" ]] && [[ ${no_ssh_copy-n} != "y" ]]; then`
			`ssh-copy-id -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$ssh_connection"`
			`fi`
start installation with ssh-copy-id, allow custom kexec tarball 2022-11-24 20:28:47 +03:00
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`if [[ ${is_kexec-n} == "n" ]]; then`
start installation with ssh-copy-id, allow custom kexec tarball 2022-11-24 20:28:47 +03:00			`ssh_ << SSH`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`set -efu ${enable_debug}`
			`"${maybesudo}" rm -rf /root/kexec`
			`"${maybesudo}" mkdir -p /root/kexec`
			`SSH`

			`if [[ -f "$kexec_url" ]]; then`
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`ssh_ "${maybesudo} tar -C /root/kexec -xvzf-" < "$kexec_url"`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`elif [[ ${has_curl-n} == "y" ]]; then`
			`ssh_ "curl --fail -Ss -L '${kexec_url}' \| ${maybesudo} tar -C /root/kexec -xvzf-"`
			`elif [[ ${has_wget-n} == "y" ]]; then`
			`ssh_ "wget '${kexec_url}' -O- \| ${maybesudo} tar -C /root/kexec -xvzf-"`
init nixos-remote 2022-11-10 16:42:06 +03:00			`else`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`curl --fail -Ss -L "${kexec_url}" \| ssh_ "${maybesudo} tar -C /root/kexec -xvzf-"`
init nixos-remote 2022-11-10 16:42:06 +03:00			`fi`
fix tar test 2022-11-12 13:47:17 +03:00
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`ssh_ << SSH`
			`TMPDIR=/root/kexec setsid ${maybesudo} /root/kexec/kexec/run`
init nixos-remote 2022-11-10 16:42:06 +03:00			`SSH`
start installation with ssh-copy-id, allow custom kexec tarball 2022-11-24 20:28:47 +03:00
init nixos-remote 2022-11-10 16:42:06 +03:00			`# wait for machine to become unreachable`
ssh: use timout only for waiting 2022-11-10 18:45:14 +03:00			`while timeout_ssh_ -- exit 0; do sleep 1; done`
init nixos-remote 2022-11-10 16:42:06 +03:00
fix sudo support and add test 2022-12-30 20:51:46 +03:00			`# After kexec we explicitly set the user to root@`
			`ssh_connection="root@${ssh_connection#*@}"`

init nixos-remote 2022-11-10 16:42:06 +03:00			`# watiting for machine to become available again`
ssh timeout 2022-11-10 17:31:43 +03:00			`until ssh_ -o ConnectTimeout=10 -- exit 0; do sleep 5; done`
init nixos-remote 2022-11-10 16:42:06 +03:00			`fi`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`for path in "${!disk_encryption_keys[@]}"`
			`do`
			`echo "Uploading ${disk_encryption_keys[$path]} to $path"`
fix: umask 077 for disk_encryption_keys Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com> 2023-01-05 18:28:42 +03:00			`ssh_ "umask 077; cat > $path" < "${disk_encryption_keys[$path]}"`
allow pipes for --disk-encryption-keys... this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash file substition facilities to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key 2023-01-04 22:02:23 +03:00			`done`
Add --disk-encryption-keys option 2022-12-28 17:19:23 +03:00
fix ipv6 address support 2022-12-29 19:18:46 +03:00			`nixCopy --to "ssh://$ssh_connection" "$disko_script"`
fix various shellcheck errors 2022-12-21 15:57:39 +03:00			`ssh_ "$disko_script"`
init nixos-remote 2022-11-10 16:42:06 +03:00
add --stop-after-disko paramter 2022-12-27 21:43:41 +03:00			`if [[ ${stop_after_disko-n} == "y" ]]; then`
			`exit 0`
			`fi`

fix ipv6 address support 2022-12-29 19:18:46 +03:00			`nixCopy --to "ssh://$ssh_connection?remote-store=local?root=/mnt" "$nixos_system"`
add --extra-files option 2022-12-23 20:22:25 +03:00			`if [[ -n ${extra_files:-} ]]; then`
			`if [[ -d "$extra_files" ]]; then`
			`extra_files="$extra_files/"`
			`fi`
Don't preserve local permissions for --extra-files 2022-12-29 13:33:47 +03:00			`rsync -vrlF -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" "$extra_files" "${ssh_connection}:/mnt/"`
add --extra-files option 2022-12-23 20:22:25 +03:00			`fi`
add no-reboot option 2022-12-30 13:24:26 +03:00
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`ssh_ <<SSH`
			`set -efu ${enable_debug}`
Add --disk-encryption-keys option 2022-12-28 17:19:23 +03:00			`# needed for installation if initrd-secrets are used`
fix /mnt/tmp permissions Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com> 2022-12-30 03:09:07 +03:00			`mkdir -m777 -p /mnt/tmp`
refactor to add fact gathering phase This allows us to use sudo properly and handle more conditionals locally. I.e. nix-remote will now fallback to local curl if no curl/wget has been found on the server. 2022-12-30 15:16:00 +03:00			`nixos-install --no-root-passwd --no-channel-copy --system "$nixos_system"`
			`${maybereboot}`
			`SSH`