Check on every deploy ssh connection if we are on the right machine

2023-11-13 23:55:22 +01:00 · 2023-11-13 23:55:22 +01:00 · a8bde144b3
parent 362cf35957
commit a8bde144b3
2 changed files with 17 additions and 8 deletions
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@ -157,6 +157,7 @@ in
      '';

      runOnServer = pkgs.writeShellScript "run-on-${server}" ''
+        # we cannot execute any other commands here because it grabs away $@
        ssh root@${serverFQDN} -- $@
      '';
    };
--- a/packages.nix
+++ b/packages.nix
@ -115,9 +115,9 @@ lib.attrsets.mapAttrs
            exit 2
          ''}

-          if [[ $(ssh ${target} cat /etc/hostname) != ${name} ]]; then
-            echo "hostname of the target machine does not match, please manually investigate!"
-            echo "  $(ssh ${target} cat /etc/hostname) != ${name}"
+          hostname="$(ssh ${target} cat /etc/hostname)"
+          if [[ "$hostname" != ${name} ]]; then
+            echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
            exit 2
          fi
          nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
@ -125,7 +125,9 @@ lib.attrsets.mapAttrs

          # use nixos-rebuild from target config
          ssh ${target} bash -e <<END
-          nix build ${toplevelDrvPath}
+          set -eou pipefail
+          set -x
+          nix build --no-link ${toplevelDrvPath}
          ${discardStringCtx hostConfig.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${toplevelOutPath}
          ${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
          END
@ -161,7 +163,13 @@ lib.attrsets.mapAttrs
        "${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
          set -eou pipefail

-          [[ ''${1:-} == build || $(ssh ${target} cat /etc/hostname) == ${name} ]]
+          if [[ ''${1:-} == build; then
+            hostname=$(ssh root@${target} cat /etc/hostname)"
+            if [[ "$hostname" != ${name} ]]; then
+              echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
+              exit 2
+            fi
+          fi
          # don't re-execute, otherwise we run the targetPlatform locally
          _NIXOS_REBUILD_REEXEC=1 ${lib.getExe pkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
        '';
@ -219,9 +227,9 @@ lib.attrsets.mapAttrs
              ssh ${target} bash -e <<END
              set -eou pipefail

-              if [[ \$(cat /etc/hostname) != ${name} ]]; then
-                echo "hostname of the target machine does not match, please manually investigate!"
-                echo "  $(cat /etc/hostname) != ${name}"
+              hostname=\$(cat /etc/hostname)
+              if [[ "\$hostname" != ${name} ]]; then
+                echo "hostname of ${target} was expected to be ${name} but is \$hostname. Aborting to be safe..."
                exit 2
              fi
              ${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"