mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect.git
synced 2024-11-05 11:13:11 +00:00
343 lines
9.3 KiB
Bash
Executable file
343 lines
9.3 KiB
Bash
Executable file
#! /usr/bin/env bash
|
|
|
|
# More info at:
|
|
# - https://github.com/elitak/nixos-infect
|
|
# - https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect
|
|
|
|
: "${API_TOKEN:?API_TOKEN variable is not set}"
|
|
: "${DOMAIN:?DOMAIN variable is not set}"
|
|
: "${LUSER:?LUSER variable is not set}"
|
|
: "${HOSTNAME:?HOSTNAME variable is not set}"
|
|
: "${PROVIDER:?PROVIDER variable is not set}"
|
|
: "${DNS_PROVIDER_TYPE:?DNS_PROVIDER_TYPE variable is not set}"
|
|
: "${STAGING_ACME:?STAGING_ACME variable is not set}"
|
|
: "${CF_TOKEN:?CF_TOKEN variable is not set}"
|
|
: "${DB_PASSWORD:?DB_PASSWORD variable is not set}"
|
|
: "${ENCODED_PASSWORD:?ENCODED_PASSWORD variable is not set}"
|
|
: "${NIX_VERSION:?NIX_VERSION variable is not set}"
|
|
: "${NIXOS_CONFIG_NAME:?NIXOS_CONFIG_NAME variable is not set}"
|
|
: "${CONFIG_URL:?CONFIG_URL variable is not set}"
|
|
|
|
readonly LOCAL_FLAKE_DIR="/etc/nixos"
|
|
readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json"
|
|
|
|
# Merge original userdata.json with deployment specific fields and print result.
|
|
genUserdata() {
|
|
local password HASHED_PASSWORD userdata_infect
|
|
password=$(printf "%s" "$ENCODED_PASSWORD" | base64 --decode)
|
|
HASHED_PASSWORD=$(mkpasswd -m sha-512 "$password")
|
|
|
|
userdata_infect=$(cat << EOF
|
|
{
|
|
"dns": {
|
|
"provider": "$DNS_PROVIDER_TYPE",
|
|
"useStagingACME": $STAGING_ACME
|
|
},
|
|
"server": {
|
|
"provider": "$PROVIDER"
|
|
},
|
|
"domain": "$DOMAIN",
|
|
"hashedMasterPassword": "$HASHED_PASSWORD",
|
|
"hostname": "$HOSTNAME",
|
|
"username": "$LUSER"
|
|
}
|
|
EOF
|
|
)
|
|
|
|
jq -s '.[0] * .[1]' \
|
|
"${1:?no userdata.json given to merge with}" <(printf "%s" "$userdata_infect")
|
|
}
|
|
|
|
genSecrets() {
|
|
local ESCAPED_PASSWORD
|
|
ESCAPED_PASSWORD=$(printf "%s" "$ENCODED_PASSWORD" | base64 --decode | jq -Rs .)
|
|
|
|
cat << EOF
|
|
{
|
|
"api": {
|
|
"token": "$API_TOKEN",
|
|
"skippedMigrations": ["migrate_to_selfprivacy_channel", "mount_volume"]
|
|
},
|
|
"databasePassword": "$DB_PASSWORD",
|
|
"dns": {
|
|
"apiKey": "$CF_TOKEN"
|
|
},
|
|
"modules": {
|
|
"nextcloud": {
|
|
"adminPassword": $ESCAPED_PASSWORD,
|
|
"databasePassword": $ESCAPED_PASSWORD,
|
|
}
|
|
},
|
|
"resticPassword": $ESCAPED_PASSWORD
|
|
}
|
|
EOF
|
|
}
|
|
|
|
genHardwareConfiguration() {
|
|
local bootcfg
|
|
if ((isEFI)); then
|
|
bootcfg=$(cat << EOF
|
|
boot.loader.grub = {
|
|
efiSupport = true;
|
|
efiInstallAsRemovable = true;
|
|
device = "nodev";
|
|
};
|
|
fileSystems."/boot" = { device = "$ESP"; fsType = "vfat"; };
|
|
EOF
|
|
)
|
|
else
|
|
bootcfg=$(cat << EOF
|
|
boot.loader.grub.device = "$GRUBDEV";
|
|
EOF
|
|
)
|
|
fi
|
|
|
|
cat << EOF
|
|
{ modulesPath, ... }:
|
|
{
|
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
$bootcfg
|
|
boot.initrd.kernelModules = [ "nvme" ];
|
|
fileSystems."/" = { device = "$ROOTFSDEV"; fsType = "$ROOTFSTYPE"; };
|
|
}
|
|
EOF
|
|
}
|
|
|
|
setupConf() {
|
|
mkdir -p ${LOCAL_FLAKE_DIR}
|
|
if ! curl "${CONFIG_URL}" \
|
|
| tar -xz -C ${LOCAL_FLAKE_DIR} --strip-components=1 --exclude=".*"
|
|
then
|
|
echo "Error downloading/extracting top level flake configuration!"
|
|
exit 1
|
|
fi
|
|
|
|
# generate and write hardware-configuration.nix
|
|
genHardwareConfiguration > ${LOCAL_FLAKE_DIR}/hardware-configuration.nix
|
|
|
|
# generate infected userdata based on original
|
|
local userdataInfected
|
|
userdataInfected="$(genUserdata ${LOCAL_FLAKE_DIR}/userdata.json)"
|
|
printf "%s" "$userdataInfected" > ${LOCAL_FLAKE_DIR}/userdata.json
|
|
|
|
# generate and write secrets
|
|
local secrets
|
|
secrets="$(genSecrets)"
|
|
install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH}
|
|
}
|
|
|
|
makeSwap() {
|
|
# TODO check currently available swapspace first
|
|
swapFile=$(mktemp /tmp/nixos-infect.XXXXX.swp)
|
|
dd if=/dev/zero "of=$swapFile" bs=1M count=$((1*1024))
|
|
chmod 0600 "$swapFile"
|
|
mkswap "$swapFile"
|
|
swapon -v "$swapFile"
|
|
}
|
|
|
|
removeSwap() {
|
|
swapoff -a
|
|
rm -vf /tmp/nixos-infect.*.swp
|
|
}
|
|
|
|
findESP() {
|
|
local esp
|
|
for d in /boot/EFI /boot/efi /boot; do
|
|
[[ ! -d "$d" ]] && continue
|
|
[[ "$d" == "$(df "$d" --output=target | sed 1d)" ]] \
|
|
&& esp="$(df "$d" --output=source | sed 1d)" \
|
|
&& break
|
|
done
|
|
[[ -z "$esp" ]] && { echo "ERROR: No ESP mount point found"; return 1; }
|
|
for uuid in /dev/disk/by-uuid/*; do
|
|
[[ $(readlink -f "$uuid") == "$esp" ]] && echo "$uuid" && return 0
|
|
done
|
|
}
|
|
|
|
prepareEnv() {
|
|
isEFI=0
|
|
[ -d /sys/firmware/efi ] && isEFI=1
|
|
|
|
if ((isEFI)); then
|
|
ESP="$(findESP)"
|
|
else
|
|
for GRUBDEV in /dev/vda /dev/sda /dev/nvme0n1; do
|
|
[[ -e $GRUBDEV ]] && break;
|
|
done
|
|
fi
|
|
|
|
# Retrieve root fs block device
|
|
# (get root mount) (get partition or logical volume)
|
|
ROOTFSDEV=$(mount | grep "on / type" | awk '{print $1;}')
|
|
ROOTFSTYPE=$(df "$ROOTFSDEV" --output=fstype | sed 1d)
|
|
|
|
# DigitalOcean doesn't seem to set USER while running user data
|
|
export USER="root"
|
|
export HOME="/root"
|
|
|
|
# Nix installer tries to use sudo regardless of whether we're already uid 0
|
|
#which sudo || { sudo() { eval "$@"; }; export -f sudo; }
|
|
# shellcheck disable=SC2174
|
|
mkdir -p -m 0755 /nix
|
|
}
|
|
|
|
fakeCurlUsingWget() {
|
|
# Use adapted wget if curl is missing
|
|
which wget && { \
|
|
curl() {
|
|
eval "wget $(
|
|
(local isStdout=1
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
"-o")
|
|
echo "-O";
|
|
isStdout=0
|
|
;;
|
|
"-O")
|
|
isStdout=0
|
|
;;
|
|
"-L")
|
|
;;
|
|
*)
|
|
echo "$arg"
|
|
;;
|
|
esac
|
|
done;
|
|
[[ $isStdout -eq 1 ]] && echo "-O-"
|
|
)| tr '\n' ' '
|
|
)"
|
|
}; export -f curl; }
|
|
}
|
|
|
|
req() {
|
|
type "$1" > /dev/null 2>&1 || which "$1" > /dev/null 2>&1
|
|
}
|
|
|
|
checkEnv() {
|
|
[[ "$(whoami)" == "root" ]] || { echo "ERROR: Must run as root"; return 1; }
|
|
|
|
# Perform some easy fixups before checking
|
|
# TODO prevent multiple calls to apt-get update
|
|
(which dnf && dnf install -y perl-Digest-SHA) || true # Fedora 24
|
|
which xzcat || (which yum && yum install -y xz-utils) \
|
|
|| (which apt-get && apt-get update && apt-get install -y xz-utils) \
|
|
|| true
|
|
which curl || fakeCurlUsingWget \
|
|
|| (which apt-get && apt-get update && apt-get install -y curl) \
|
|
|| true
|
|
|
|
req curl || req wget || { echo "ERROR: Missing both curl and wget"; return 1; }
|
|
req xzcat || { echo "ERROR: Missing xzcat"; return 1; }
|
|
req awk || { echo "ERROR: Missing awk"; return 1; }
|
|
req cut || req df || { echo "ERROR: Missing coreutils (cut, df)"; return 1; }
|
|
}
|
|
|
|
# Download and execute the nix installer script.
|
|
installNix() {
|
|
local nixReleaseBase='https://releases.nixos.org'
|
|
local installURL="${nixReleaseBase}/nix/nix-${NIX_VERSION}/install"
|
|
local shaURL="${installURL}.sha256"
|
|
local sha tmpNixInstall
|
|
|
|
# temporary destination for install script
|
|
tmpNixInstall="$(mktemp -t nix-install-XXXXXXXXXX)"
|
|
if [[ ! -f "${tmpNixInstall}" ]]; then
|
|
echo "Failed creating a temporary file for Nix install script!"
|
|
return 1
|
|
fi
|
|
|
|
echo "Downloading install script from ${installURL}..."
|
|
if ! curl "${installURL}" -o "${tmpNixInstall}" &>/dev/null; then
|
|
echo "Failure while downloading Nix install script!"
|
|
return 1
|
|
fi
|
|
|
|
if ! sha="$(curl "${shaURL}")"; then
|
|
echo "Failure while downloading Nix install script sha!"
|
|
return 1
|
|
fi
|
|
|
|
echo "Validating Nix install script checksum..."
|
|
if ! echo "${sha} ${tmpNixInstall}" | sha256sum -c; then
|
|
echo "Checksum validation failed!"
|
|
return 1
|
|
fi
|
|
|
|
echo "Running nix installer..."
|
|
if $SHELL "${tmpNixInstall}" \
|
|
--daemon --no-channel-add --daemon-user-count 4; then
|
|
echo "Nix is installed"
|
|
rm "${tmpNixInstall}"
|
|
else
|
|
echo "Nix installation script failed!"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
infect() {
|
|
# install multiuser (system-wide with nix-daemon) Nix in the current system
|
|
if ! installNix; then
|
|
echo "Nix installation failed!"
|
|
exit 1
|
|
fi
|
|
|
|
# this is needed solely for accpeting the sp-module subflake
|
|
/root/.nix-profile/bin/nix flake lock ${LOCAL_FLAKE_DIR} \
|
|
--extra-experimental-features "nix-command flakes" \
|
|
--update-input sp-modules
|
|
|
|
echo "nix build the configuration flake..."
|
|
if ! /root/.nix-profile/bin/nix build \
|
|
--extra-experimental-features "nix-command flakes" \
|
|
--profile /nix/var/nix/profiles/system \
|
|
${LOCAL_FLAKE_DIR}/#nixosConfigurations.sp-nixos.config.system.build.toplevel
|
|
then
|
|
echo "Failed!"
|
|
exit 1
|
|
fi
|
|
|
|
# Remove nix installed by the "install" script.
|
|
rm -fv /nix/var/nix/profiles/default*
|
|
/nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
|
|
|
|
# Reify resolv.conf (???)
|
|
[[ -L /etc/resolv.conf ]] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf
|
|
|
|
# Stage the Nix coup d'état
|
|
touch /etc/NIXOS
|
|
echo etc/nixos > /etc/NIXOS_LUSTRATE
|
|
echo etc/resolv.conf >> /etc/NIXOS_LUSTRATE
|
|
|
|
rm -rf /boot.bak
|
|
((isEFI)) && umount "$ESP"
|
|
mv -v /boot /boot.bak
|
|
if ((isEFI)); then
|
|
mkdir /boot
|
|
mount "$ESP" /boot
|
|
find /boot -depth ! -path /boot -exec rm -rf {} +
|
|
fi
|
|
|
|
echo "make configuration boot by default..."
|
|
if ! /nix/var/nix/profiles/system/bin/switch-to-configuration boot; then
|
|
echo "Failed!"; exit 1
|
|
fi
|
|
}
|
|
|
|
set -o pipefail
|
|
set -o nounset
|
|
set -o xtrace
|
|
set -o errexit
|
|
|
|
apt update
|
|
apt install -y git tar curl jq
|
|
checkEnv
|
|
prepareEnv
|
|
makeSwap # smallest (512MB) droplet needs extra memory!
|
|
setupConf
|
|
infect
|
|
removeSwap
|
|
|
|
if [[ -z "${NO_REBOOT+x}" ]]; then
|
|
reboot
|
|
fi
|