Merge branch 'add-nix-option' of github.com:misumisumi/nixos-anywhere into add-nix-option
misumisumi committed Jun 15, 2024
2 parents 6d2efa2 + 137aaf9 commit 4f4b15f
Showing 12 changed files with 62 additions and 64 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -81,7 +81,7 @@ data has been migrated.
- The machine must be reachable over the public internet or local network.
Nixos-anywhere does not support wifi networks. If a VPN is needed, define a
custom installer via the --kexec flag which connects to your VPN.
- Must have at least 1.5 GB of RAM, excluding swap.
- (when `kexec` is used) must have at least 1.5 GB of RAM, excluding swap.

## How to use nixos-anywhere

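Review bot: the qualifier on the RAM line is correct but leaves a gap: a reader who is not using kexec (for example when a NixOS installer is already booted, the case docs/howtos/no-os.md describes) now gets no memory figure at all. Either say why the 1.5 GB applies to kexec (the kexec installer runs entirely from memory) and that other installers have their own requirements, or add a separate line for the non-kexec case.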
2 changes: 1 addition & 1 deletion docs/cli.md
Expand Up @@ -9,7 +9,7 @@ Options:
set the flake to install the system from
* -s, --store-paths
set the store paths to the disko-script and nixos-system directly
if this is give, flake is not needed
if this is given, flake is not needed
* --kexec url
use another kexec tarball to bootstrap NixOS
* --debug
2 changes: 1 addition & 1 deletion docs/howtos/no-os.md
Expand Up @@ -11,7 +11,7 @@ has detailed instructions on how to boot the installer.

When you run `nixos-anywhere`, it will determine whether a NixOS installer is
present by checking whether the `/etc/os-release` file contains the identifier
`VARIANT=installer`. This identifier is available on releases NixOS 23.05 or
`VARIANT_ID=installer`. This identifier is available on releases NixOS 23.05 or
later.

If an installer is detected, `nixos-anywhere` will not attempt to `kexec` into
28 changes: 14 additions & 14 deletions docs/howtos/use-without-flakes.md
Expand Up @@ -13,37 +13,37 @@ Before you can use `nixos-anywhere` without flakes, you'll need to manually
generate the paths for the NixOS system toplevel and disk image. The paths are
generated using `nix-build` and are necessary for executing `nixos-anywhere`.

### Generating NixOS System Toplevel:
### Generating Disk Image without Dependencies:

Execute the following command to generate the store path for the NixOS system
toplevel:
To generate the disk image without dependencies, execute:

```bash
nix-build -I nixos-config=/etc/nixos/configuration.nix -E '(import <nixpkgs/nixos> {}).config.system.build.toplevel'
nix-build -I nixos-config=/etc/nixos/configuration.nix -E '(import <nixpkgs/nixos> {}).config.system.build.diskoNoDeps'
```

This will output a path in `/nix/store` that corresponds to the system toplevel,
which includes all the software and configurations for the system. Make note of
this path for later use.
This will output a script path in `/nix/store` that will format your disk. Make
note of this path for later use.

### Generating Disk Image without Dependencies:
### Generating NixOS System Toplevel:

To generate the disk image without dependencies, execute:
Execute the following command to generate the store path for the NixOS system
toplevel:

```bash
nix-build -I nixos-config=/etc/nixos/configuration.nix -E '(import <nixpkgs/nixos> {}).config.system.build.diskoNoDeps'
nix-build -I nixos-config=/etc/nixos/configuration.nix -E '(import <nixpkgs/nixos> {}).config.system.build.toplevel'
```

This will also output a script path in `/nix/store` that will format your disk.
Keep this path handy as well.
This will output a path in `/nix/store` that corresponds to the system toplevel,
which includes all the software and configurations for the system. Keep this
path handy as well.

## Running NixOS-Anywhere

With both paths in hand, you can execute `nixos-anywhere` as follows:

```bash
nixos-anywhere --store-paths /nix/store/[your-toplevel-path] /nix/store/[your-disk-image-path]
nixos-anywhere --store-paths /nix/store/[your-disk-image-path] /nix/store/[your-toplevel-path]
```

Replace `[your-toplevel-path]` and `[your-disk-image-path]` with the
Replace `[your-disk-image-path]` and `[your-toplevel-path]` with the
corresponding store paths you generated earlier.
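Review bot: the swapped argument order in `nixos-anywhere --store-paths ...` now agrees with the `--store-paths` help text in docs/cli.md ("disko-script and nixos-system"), and reordering the two generation sections to match is a good touch, but the prose still never says the order is positional. Add one sentence after the command, e.g. "The disk image path must come first, followed by the toplevel path", so a reader who pastes them the other way round understands the resulting failure.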
6 changes: 1 addition & 5 deletions src/default.nix
@@ -1,7 +1,6 @@
{ stdenv
, openssh
, gitMinimal
, rsync
, nixVersions
, nix
, coreutils
Expand All @@ -28,21 +27,18 @@ let
findutils
gnused # needed by ssh-copy-id
sshpass # used to provide password for ssh-copy-id
rsync # used to upload extra-files
];
in
stdenv.mkDerivation {
pname = "nixos-anywhere";
version = "1.0.0";
version = "1.2.0";
src = ./..;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
install -D --target-directory=$out/libexec/nixos-anywhere/ -m 0755 src/*.sh
# We prefer the system's openssh over our own, since it might come with features not present in ours:
# https://github.com/nix-community/nixos-anywhere/issues/62
#
# We also prefer system rsync to prevent crashes between rsync and ssh.
makeShellWrapper $out/libexec/nixos-anywhere/nixos-anywhere.sh $out/bin/nixos-anywhere \
--prefix PATH : ${lib.makeBinPath runtimeDeps} --suffix PATH : ${lib.makeBinPath [ openssh ]}
'';
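Review bot: dropping `rsync` from `runtimeDeps` is only safe if no script under src/ still calls it; the wrapper's `--prefix PATH : ${lib.makeBinPath runtimeDeps}` is where the tool gets its dependencies, and the `--suffix PATH` adds only openssh. The src/nixos-anywhere.sh hunk in this merge replaces the one rsync invocation shown, but this page renders 9 of the 12 changed files, so grep the remaining scripts for `rsync` before merging. Also note the version bump 1.0.0 to 1.2.0 lands via this merge commit rather than a dedicated release commit; fine if that is intended.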
2 changes: 1 addition & 1 deletion src/get-facts.sh
Expand Up @@ -11,7 +11,7 @@ is_kexec=$(if test -f /etc/is_kexec; then echo "y"; else echo "n"; fi)
is_nixos=$is_nixos
is_installer=$(if [ "$is_nixos" = "y" ] && grep -q VARIANT_ID=installer /etc/os-release; then echo "y"; else echo "n"; fi)
is_container=$(if [ "$(has systemd-detect-virt)" = "y" ]; then systemd-detect-virt --container; else echo "none"; fi)
has_ipv6_only=$(if [[ "$(has ip)" == "n" ]] || ip r g 1 >/dev/null 2>/dev/null || ! ip -6 r g :: >/dev/null 2>/dev/null; then echo "n"; else echo "y"; fi)
has_ipv6_only=$(if [ "$(has ip)" = "n" ] || ip r g 1 >/dev/null 2>/dev/null || ! ip -6 r g :: >/dev/null 2>/dev/null; then echo "n"; else echo "y"; fi)
has_tar=$(has tar)
has_sudo=$(has sudo)
has_doas=$(has doas)
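Review bot: replacing `[[ ... ]]` with `[ ... ]` makes the `has_ipv6_only` line portable to a plain POSIX sh on the target, consistent with the `[ "$is_nixos" = "y" ]` test two lines above; good. While here, the `is_installer` test uses an unanchored `grep -q VARIANT_ID=installer`, so any `VARIANT_ID` value that merely starts with `installer` would match. Anchoring it, e.g. `grep -q '^VARIANT_ID=installer$'` (widened to tolerate a quoted value if os-release ever quotes it), makes it match exactly the identifier docs/howtos/no-os.md now documents.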
18 changes: 7 additions & 11 deletions src/nixos-anywhere.sh
Expand Up @@ -33,8 +33,9 @@ Options:
copy over existing /etc/ssh/ssh_host_* host keys to the installation
* --stop-after-disko
exit after disko formatting, you can then proceed to install manually or some other way
* --extra-files <file...>
files to copy into the new nixos installation
* --extra-files <path>
path to a directory to copy into the root of the new nixos installation.
Copied files will be owned by root.
* --disk-encryption-keys <remote_path> <local_path>
copy the contents of the file or pipe in local_path to remote_path in the installer environment,
after kexec but before installation. Can be repeated.
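Review bot: "Copied files will be owned by root" matches the `--no-same-owner` extraction later in this diff, but the help text says nothing about mode bits, which tar carries over from the source directory. Add a sentence that permissions are preserved, so users staging secrets (ssh host keys, initrd keys) know they must restrict them locally; the terraform/all-in-one.md example sets `umask 0177` for exactly this reason, and a user of the CLI path gets no such hint.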
Expand Down Expand Up @@ -419,7 +420,8 @@ fi
# Installation will fail if non-root user is used for installer.
# Switch to root user by copying authorized_keys.
if [[ ${is_installer-n} == "y" ]] && [[ ${ssh_user} != "root" ]]; then
ssh_ "${maybe_sudo} mkdir -p /root/.ssh; ${maybe_sudo} cp ~/.ssh/authorized_keys /root/.ssh"
# Allow copy to fail if authorized_keys does not exist, like if using /etc/ssh/authorized_keys.d/
ssh_ "${maybe_sudo} mkdir -p /root/.ssh; ${maybe_sudo} cp ~/.ssh/authorized_keys /root/.ssh || true"
ssh_connection="root@${ssh_host}"
fi

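Review bot: the `|| true` silences a real failure mode. If `~/.ssh/authorized_keys` is absent and root has no key authorized through `/etc/ssh/authorized_keys.d/` either, the script now continues and the next connection as `root@${ssh_host}` fails with a generic SSH error far from the cause. Prefer testing for the file explicitly and printing a message that root's keys are assumed to be provisioned elsewhere, e.g. `ssh_ "test -f ~/.ssh/authorized_keys"` guarding the `cp`, so the fallback is visible in the log rather than implicit.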
Expand Down Expand Up @@ -474,15 +476,9 @@ elif [[ ${build_on_remote-n} == "y" ]]; then
fi

if [[ -n ${extra_files-} ]]; then
if [[ -d $extra_files ]]; then
extra_files="$extra_files/"
fi
step Copying extra files
rsync -rlpv -FF \
-e "ssh -i \"$ssh_key_dir\"/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ${ssh_args[*]}" \
"$extra_files" \
"${ssh_connection}:/mnt/"
ssh_ "chmod 755 /mnt" # rsync also changes permissions of /mnt
tar -C "$extra_files" -cpf- . | ssh_ "${maybe_sudo} tar -C /mnt -xf- --no-same-owner"
ssh_ "chmod 755 /mnt" # tar also changes permissions of /mnt
fi

step Installing NixOS
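Review bot: two behaviours of the rsync path are dropped without a word. First, the `[[ -d $extra_files ]]` check is gone, so a single file argument (which rsync copied) now fails inside `tar -C` with an unrelated error; since the help text now says `<path>` to a directory, fail early with a clear message instead. Second, rsync's `-FF` honoured `.rsync-filter` files, which tar does not, so anyone relying on per-directory filters needs a changelog note. The retained `chmod 755 /mnt` is still needed because the `.` entry in the archive carries the source directory's mode, and `--no-same-owner` is the right call given the help text's "owned by root"; both good.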
15 changes: 8 additions & 7 deletions terraform/all-in-one.md
Expand Up @@ -48,7 +48,7 @@ mkdir -p etc/ssh var/lib/secrets
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

umask 0177
sops --extract '["initrd_ssh_key"]' -d "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key
sops --extract '["initrd_ssh_key"]' --decrypt "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key

# restore umask
umask 0022
Expand All @@ -59,7 +59,7 @@ for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_ho
else
umask 0177
fi
sops --extract '["'$keyname'"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
done
```

Expand All @@ -72,7 +72,7 @@ set -euo pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd "$SCRIPT_DIR"
sops --extract '["zfs-key"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
sops --extract '["zfs-key"]' --decrypt "$SCRIPT_DIR/secrets.yaml"
```

## See also
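Review bot: the removed redirect referenced `$keyname`, which is never defined in this script (it is the loop variable of the host-key snippet above), so under `set -euo pipefail` this script aborted on an unbound variable. Writing the key to stdout is also what `disk_encryption_key_scripts` expects, as that variable's description below says the output of each script is presented to disko at the given path. With the redirect gone the `cd "$SCRIPT_DIR"` serves no purpose, since the sops argument is already absolute, and can go too.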
Expand Down Expand Up @@ -111,12 +111,13 @@ No resources.
| <a name="input_deployment_ssh_key"></a> [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no |
| <a name="input_disk_encryption_key_scripts"></a> [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each of these script files will be executed locally and the output of each of them will be made present at the given path to disko during installation. The keys will be not copied to the final system | <pre>list(object({<br> path = string<br> script = string<br> }))</pre> | `[]` | no |
| <a name="input_extra_environment"></a> [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be usefull to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no |
| <a name="input_extra_files_script"></a> [extra\_files\_script](#input_extra_files_script) | A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory. | `string` | `null` | no |
| <a name="input_extra_files_script"></a> [extra\_files\_script](#input_extra_files_script) | A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is copied to the target host during installation to the / directory. | `string` | `null` | no |
| <a name="input_file"></a> [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no |
| <a name="input_install_ssh_key"></a> [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no |
| <a name="input_install_user"></a> [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no |
| <a name="input_instance_id"></a> [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no |
| <a name="input_kexec_tarball_url"></a> [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no |
| <a name="input_nix_options"></a> [nix\_options](#input_nix_options) | the options of nix | `map(string)` | `null` | no |
| <a name="input_nixos_partitioner_attr"></a> [nixos\_partitioner\_attr](#input_nixos_partitioner_attr) | Nixos partitioner and mount script i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskNoDeps. `config.system.build.diskNoDeps` is provided by the disko nixos module | `string` | n/a | yes |
| <a name="input_nixos_system_attr"></a> [nixos\_system\_attr](#input_nixos_system_attr) | The nixos system to deploy i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes |
| <a name="input_no_reboot"></a> [no\_reboot](#input_no_reboot) | Do not reboot after installation | `bool` | `false` | no |
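Review bot: "the options of nix" does not tell a user how `nix_options` is consumed. The description should say which command receives the map and in what form (whether each key/value becomes a `--option name value` pair, whether values are passed verbatim), and whether it applies to the local build, the remote build, or both. The other map variable in this table, `extra_environment`, defaults to `{}`; defaulting `nix_options` to `null` forces consumers to null-check it, so `{}` is more consistent. Since the table is regenerated anyway, the pre-existing `diskNoDeps` in the `nixos_partitioner_attr` row is a typo for `diskoNoDeps`, the attribute used everywhere else in this diff.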
Expand All @@ -127,8 +128,8 @@ No resources.

## Outputs

| Name | Description |
| ----------------------------------------------------- | ---------------------------------------------------------- |
| <a name="output_result"></a> [result](#output_result) | The resulting store path from building `nixos_system_attr` |
| Name | Description |
| ----------------------------------------------------- | ----------- |
| <a name="output_result"></a> [result](#output_result) | n/a |

<!-- END_TF_DOCS -->
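Review bot: the `result` output lost its description (now `n/a`), which is what terraform-docs emits when the `output "result"` block has no `description` argument. Add `description = "The resulting store path from building nixos_system_attr"` to the output definition and regenerate, rather than hand-editing this table, so the text does not regress on the next run.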
2 changes: 1 addition & 1 deletion terraform/all-in-one/variables.tf
Expand Up @@ -77,7 +77,7 @@ variable "stop_after_disko" {

variable "extra_files_script" {
type = string
description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory."
description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is copied to the target host during installation to the / directory."
default = null
}
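Review bot: "The script expected to write all its files" should read "The script is expected to write all its files", here and in the matching row of terraform/all-in-one.md; the table is generated from this description, so fixing it here and regenerating covers both.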
