Compare commits
No commits in common. "92bc5a4ef8d7add163d7fc5c707e3e35a327f7a4" and "220e252230461a4b5d75fdc1729ca96c0c4c9d40" have entirely different histories.
92bc5a4ef8
...
220e252230
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -2,6 +2,5 @@
|
||||||
.ci-store
|
.ci-store
|
||||||
.direnv
|
.direnv
|
||||||
result*
|
result*
|
||||||
release-assets
|
|
||||||
src/action/linux/selinux/nix.mod
|
src/action/linux/selinux/nix.mod
|
||||||
.idea
|
.idea
|
||||||
|
|
|
@ -5,7 +5,7 @@ Based on the [Determinate Installer](https://install.determinate.systems).
|
||||||
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
curl --proto '=https' --tlsv1.2 -sSf -L https://install.lix.systems/lix | sh -s -- install
|
curl --proto '=https' --tlsv1.2 -sSf -L https://install.lix.systems/nix | sh -s -- install
|
||||||
```
|
```
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
@ -341,11 +341,12 @@ Here are some example `nix` package URLs including nix version, OS and architect
|
||||||
Differing from the upstream [Nix](https://github.com/NixOS/nix) installer scripts:
|
Differing from the upstream [Nix](https://github.com/NixOS/nix) installer scripts:
|
||||||
|
|
||||||
* In `nix.conf`:
|
* In `nix.conf`:
|
||||||
+ the `nix-command` feature is enabled
|
+ the `nix-command` and `flakes` features are enabled
|
||||||
+ `bash-prompt-prefix` is set
|
+ `bash-prompt-prefix` is set
|
||||||
+ `auto-optimise-store` is set to `true` (On Linux only)
|
+ `auto-optimise-store` is set to `true` (On Linux only)
|
||||||
* if flakes are enabled, `extra-nix-path` is set to `nixpkgs=flake:nixpkgs`
|
* `extra-nix-path` is set to `nixpkgs=flake:nixpkgs`
|
||||||
* `max-jobs` is set to `auto`
|
* `max-jobs` is set to `auto`
|
||||||
|
* `upgrade-nix-store-path-url` is set to `https://install.lix.systems/lix-upgrade/stable/universal`
|
||||||
* an installation receipt (for uninstalling) is stored at `/nix/receipt.json` as well as a copy of the install binary at `/nix/lix-installer`
|
* an installation receipt (for uninstalling) is stored at `/nix/receipt.json` as well as a copy of the install binary at `/nix/lix-installer`
|
||||||
* `nix-channel --update` is not run, `~/.nix-channels` is not provisioned
|
* `nix-channel --update` is not run, `~/.nix-channels` is not provisioned
|
||||||
* `ssl-cert-file` is set in `/etc/nix/nix.conf` if the `ssl-cert-file` argument is used.
|
* `ssl-cert-file` is set in `/etc/nix/nix.conf` if the `ssl-cert-file` argument is used.
|
||||||
|
|
|
@ -1,63 +0,0 @@
|
||||||
#! /usr/bin/env nix-shell
|
|
||||||
#! nix-shell -i xonsh -p xonsh rustup cargo-zigbuild zig
|
|
||||||
#
|
|
||||||
# vim: ts=4 sw=4 et
|
|
||||||
#
|
|
||||||
# If the shebang line above was necessary, you probably should have used
|
|
||||||
# the flake, instead. But that's okay! You're valid. <3
|
|
||||||
#
|
|
||||||
""" Lix installer generation script.
|
|
||||||
|
|
||||||
This uses cargo-zigbuild to generate a cross-compiled variant for each platform,
|
|
||||||
and places the results in the `results` subdirectory of the current working dir.
|
|
||||||
"""
|
|
||||||
|
|
||||||
import sys
|
|
||||||
import xonsh
|
|
||||||
import functools
|
|
||||||
|
|
||||||
# Ensure we fail if any of our subcommands do.
|
|
||||||
$RAISE_SUBPROC_ERROR=True
|
|
||||||
|
|
||||||
# Specify the platforms we want to build for.
|
|
||||||
TARGET_PLATFORMS = [
|
|
||||||
"aarch64-apple-darwin",
|
|
||||||
"x86_64-apple-darwin",
|
|
||||||
"x86_64-unknown-linux-musl",
|
|
||||||
"aarch64-unknown-linux-musl",
|
|
||||||
]
|
|
||||||
|
|
||||||
# Create an alias for printing to stderr.
|
|
||||||
printerr = functools.partial(print, file=sys.stderr)
|
|
||||||
|
|
||||||
# Platform helpers.
|
|
||||||
IS_MACOS = not (xonsh.tools.ON_LINUX or xonsh.tools.ON_WINDOWS)
|
|
||||||
|
|
||||||
# Until our flake ships this with osxcross, we'll have to run this on macOS.
|
|
||||||
if not IS_MACOS:
|
|
||||||
printerr("This currently must be run from macOS due to cross-compile wonk. Sorry :(.")
|
|
||||||
sys.exit(-1)
|
|
||||||
|
|
||||||
|
|
||||||
# Pre-flight check: ensure we have all the rustup platforms we need.
|
|
||||||
all_targets_present = True
|
|
||||||
for platform in TARGET_PLATFORMS:
|
|
||||||
if platform not in $(rustup target list --installed):
|
|
||||||
printerr(f"ERROR: You don't have a rustup toolchain for {platform}! Install it with `rustup target add {platform}`")
|
|
||||||
all_targets_present = False
|
|
||||||
|
|
||||||
if not all_targets_present:
|
|
||||||
printerr("Failing out; install the platforms above and retry.")
|
|
||||||
sys.exit(-2)
|
|
||||||
|
|
||||||
# Build for each of our platforms.
|
|
||||||
printerr("> Building any platforms that need updating.")
|
|
||||||
for platform in TARGET_PLATFORMS:
|
|
||||||
|
|
||||||
# Build...
|
|
||||||
printerr(f"> Building for target {platform}")
|
|
||||||
cargo zigbuild --quiet --release --target=@(platform)
|
|
||||||
|
|
||||||
# ... and copy the output to the "results" directory.
|
|
||||||
mkdir -p ./results
|
|
||||||
cp target/@(platform)/release/lix-installer ./results/lix-installer-@(platform)
|
|
99
enter-env.sh
Executable file
99
enter-env.sh
Executable file
|
@ -0,0 +1,99 @@
|
||||||
|
#!/usr/bin/env nix-shell
|
||||||
|
#!nix-shell -p vault awscli2 jq -i bash
|
||||||
|
# shellcheck shell=bash
|
||||||
|
|
||||||
|
set +x # don't leak secrets!
|
||||||
|
set -eu
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
scriptroot=$(dirname "$(realpath "$0")")
|
||||||
|
scratch=$(mktemp -d -t tmp.XXXXXXXXXX)
|
||||||
|
|
||||||
|
vault token lookup &>/dev/null || {
|
||||||
|
echo "You're not logged in to vault! Exiting."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
function finish {
|
||||||
|
set +e
|
||||||
|
rm -rf "$scratch"
|
||||||
|
if [ "${VAULT_EXIT_ACCESSOR:-}" != "" ]; then
|
||||||
|
if vault token lookup &>/dev/null; then
|
||||||
|
echo "--> Revoking my token..." >&2
|
||||||
|
vault token revoke -self
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
set -e
|
||||||
|
}
|
||||||
|
trap finish EXIT
|
||||||
|
|
||||||
|
assume_role() {
|
||||||
|
role=$1
|
||||||
|
echo "--> Assuming role: $role" >&2
|
||||||
|
vault_creds=$(vault token create \
|
||||||
|
-display-name="$role" \
|
||||||
|
-format=json \
|
||||||
|
-role "$role")
|
||||||
|
|
||||||
|
VAULT_EXIT_ACCESSOR=$(jq -r .auth.accessor <<<"$vault_creds")
|
||||||
|
export VAULT_TOKEN
|
||||||
|
VAULT_TOKEN=$(jq -r .auth.client_token <<<"$vault_creds")
|
||||||
|
}
|
||||||
|
|
||||||
|
function provision_aws_creds() {
|
||||||
|
url="$1"
|
||||||
|
local ok=
|
||||||
|
echo "--> Setting AWS variables: " >&2
|
||||||
|
echo " AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN" >&2
|
||||||
|
|
||||||
|
aws_creds=$(vault kv get -format=json "$url")
|
||||||
|
export AWS_ACCESS_KEY_ID
|
||||||
|
AWS_ACCESS_KEY_ID=$(jq -r .data.access_key <<<"$aws_creds")
|
||||||
|
export AWS_SECRET_ACCESS_KEY
|
||||||
|
AWS_SECRET_ACCESS_KEY=$(jq -r .data.secret_key <<<"$aws_creds")
|
||||||
|
export AWS_SESSION_TOKEN
|
||||||
|
AWS_SESSION_TOKEN=$(jq -r .data.security_token <<<"$aws_creds")
|
||||||
|
if [ -z "$AWS_SESSION_TOKEN" ] || [ "$AWS_SESSION_TOKEN" == "null" ]; then
|
||||||
|
unset AWS_SESSION_TOKEN
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "--> Preflight testing the AWS credentials..." >&2
|
||||||
|
for _ in {0..20}; do
|
||||||
|
if check_output=$(aws sts get-caller-identity 2>&1 >/dev/null); then
|
||||||
|
ok=1
|
||||||
|
break
|
||||||
|
else
|
||||||
|
echo -n "." >&2
|
||||||
|
sleep 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [[ -z "$ok" ]]; then
|
||||||
|
echo $'\nPreflight test failed:\n'"$check_output" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
unset aws_creds
|
||||||
|
}
|
||||||
|
|
||||||
|
assume_role "internalservices_nix_installer_developer"
|
||||||
|
provision_aws_creds "internalservices/aws/creds/nix_installer"
|
||||||
|
|
||||||
|
if [ "${1:-}" == "" ]; then
|
||||||
|
cat <<\BASH > "$scratch/bashrc"
|
||||||
|
expiration_ts=$(date +%s -d "$(vault token lookup -format=json | jq -r '.data.expire_time')")
|
||||||
|
vault_prompt() {
|
||||||
|
local remaining=$(( $expiration_ts - $(date '+%s')))
|
||||||
|
if [[ "$remaining" -lt 1 ]]; then
|
||||||
|
remaining=expired
|
||||||
|
printf '\n\e[01;33mtoken expired\e[m';
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
printf '\n\e[01;32mTTL:%ss\e[m' "$remaining"
|
||||||
|
}
|
||||||
|
PROMPT_COMMAND=vault_prompt
|
||||||
|
BASH
|
||||||
|
|
||||||
|
bash --init-file "$scratch/bashrc"
|
||||||
|
else
|
||||||
|
"$@"
|
||||||
|
fi
|
|
@ -133,13 +133,9 @@
|
||||||
|
|
||||||
nativeBuildInputs = with pkgs; [ ];
|
nativeBuildInputs = with pkgs; [ ];
|
||||||
buildInputs = with pkgs; [
|
buildInputs = with pkgs; [
|
||||||
zig
|
|
||||||
xonsh
|
|
||||||
awscli2
|
|
||||||
toolchain
|
toolchain
|
||||||
rust-analyzer
|
rust-analyzer
|
||||||
cargo-outdated
|
cargo-outdated
|
||||||
cargo-zigbuild
|
|
||||||
cacert
|
cacert
|
||||||
cargo-audit
|
cargo-audit
|
||||||
cargo-watch
|
cargo-watch
|
||||||
|
|
|
@ -129,6 +129,11 @@ impl PlaceNixConfiguration {
|
||||||
"extra-nix-path".to_string(),
|
"extra-nix-path".to_string(),
|
||||||
"nixpkgs=flake:nixpkgs".to_string(),
|
"nixpkgs=flake:nixpkgs".to_string(),
|
||||||
);
|
);
|
||||||
|
settings.insert(
|
||||||
|
"upgrade-nix-store-path-url".to_string(),
|
||||||
|
"https://install.lix.systems/lix-upgrade/stable/universal".to_string(),
|
||||||
|
);
|
||||||
|
|
||||||
let create_directory = CreateDirectory::plan(NIX_CONF_FOLDER, None, None, 0o0755, force)
|
let create_directory = CreateDirectory::plan(NIX_CONF_FOLDER, None, None, 0o0755, force)
|
||||||
.await
|
.await
|
||||||
.map_err(Self::error)?;
|
.map_err(Self::error)?;
|
||||||
|
|
|
@ -11,21 +11,21 @@ use url::Url;
|
||||||
|
|
||||||
pub const SCRATCH_DIR: &str = "/nix/temp-install-dir";
|
pub const SCRATCH_DIR: &str = "/nix/temp-install-dir";
|
||||||
|
|
||||||
/// Default [`lix_package_url`](CommonSettings::lix_package_url) for Linux x86_64
|
/// Default [`nix_package_url`](CommonSettings::nix_package_url) for Linux x86_64
|
||||||
pub const NIX_X64_64_LINUX_URL: &str =
|
pub const NIX_X64_64_LINUX_URL: &str =
|
||||||
"https://releases.web.lix.systems/lix/lix-2.90.0pre20240412/lix-2.90.0pre20240412-x86_64-linux.tar.xz";
|
"https://releases.nixos.org/nix/nix-2.20.5/nix-2.20.5-x86_64-linux.tar.xz";
|
||||||
/// Default [`lix_package_url`](CommonSettings::lix_package_url) for Linux x86 (32 bit)
|
/// Default [`nix_package_url`](CommonSettings::nix_package_url) for Linux x86 (32 bit)
|
||||||
pub const NIX_I686_LINUX_URL: &str =
|
pub const NIX_I686_LINUX_URL: &str =
|
||||||
"https://releases.web.lix.systems/lix/lix-2.90.0pre20240412/lix-2.90.0pre20240412-i686-linux.tar.xz";
|
"https://releases.nixos.org/nix/nix-2.20.5/nix-2.20.5-i686-linux.tar.xz";
|
||||||
/// Default [`lix_package_url`](CommonSettings::lix_package_url) for Linux aarch64
|
/// Default [`nix_package_url`](CommonSettings::nix_package_url) for Linux aarch64
|
||||||
pub const NIX_AARCH64_LINUX_URL: &str =
|
pub const NIX_AARCH64_LINUX_URL: &str =
|
||||||
"https://releases.web.lix.systems/lix/lix-2.90.0pre20240412/lix-2.90.0pre20240412-aarch64-linux.tar.xz";
|
"https://releases.nixos.org/nix/nix-2.20.5/nix-2.20.5-aarch64-linux.tar.xz";
|
||||||
/// Default [`lix_package_url`](CommonSettings::lix_package_url) for Darwin x86_64
|
/// Default [`nix_package_url`](CommonSettings::nix_package_url) for Darwin x86_64
|
||||||
pub const NIX_X64_64_DARWIN_URL: &str =
|
pub const NIX_X64_64_DARWIN_URL: &str =
|
||||||
"https://releases.web.lix.systems/lix/lix-2.90.0pre20240412/lix-2.90.0pre20240412-x86_64-darwin.tar.xz";
|
"https://releases.nixos.org/nix/nix-2.20.5/nix-2.20.5-x86_64-darwin.tar.xz";
|
||||||
/// Default [`lix_package_url`](CommonSettings::lix_package_url) for Darwin aarch64
|
/// Default [`nix_package_url`](CommonSettings::nix_package_url) for Darwin aarch64
|
||||||
pub const NIX_AARCH64_DARWIN_URL: &str =
|
pub const NIX_AARCH64_DARWIN_URL: &str =
|
||||||
"https://releases.web.lix.systems/lix/lix-2.90.0pre20240412/lix-2.90.0pre20240412-aarch64-darwin.tar.xz";
|
"https://releases.nixos.org/nix/nix-2.20.5/nix-2.20.5-aarch64-darwin.tar.xz";
|
||||||
|
|
||||||
#[derive(Debug, serde::Deserialize, serde::Serialize, Clone, Copy, PartialEq, Eq)]
|
#[derive(Debug, serde::Deserialize, serde::Serialize, Clone, Copy, PartialEq, Eq)]
|
||||||
#[cfg_attr(feature = "cli", derive(clap::ValueEnum))]
|
#[cfg_attr(feature = "cli", derive(clap::ValueEnum))]
|
||||||
|
|
|
@ -1,109 +0,0 @@
|
||||||
#! /usr/bin/env nix-shell
|
|
||||||
#! nix-shell -i xonsh -p xonsh awscli2
|
|
||||||
#
|
|
||||||
# vim: ts=4 sw=4 et
|
|
||||||
#
|
|
||||||
# If the shebang line above was necessary, you probably should have used
|
|
||||||
# the flake, instead. But that's okay! You're valid. <3
|
|
||||||
#
|
|
||||||
""" Lix installer uploader.
|
|
||||||
|
|
||||||
Uploads our installers and install script to an S3 instance.
|
|
||||||
"""
|
|
||||||
|
|
||||||
import sys
|
|
||||||
import argparse
|
|
||||||
import functools
|
|
||||||
|
|
||||||
# Specify the platforms we want to build for.
|
|
||||||
TARGET_PLATFORMS = {
|
|
||||||
"aarch64-apple-darwin": "aarch64-darwin",
|
|
||||||
"x86_64-apple-darwin": "x86_64-darwin",
|
|
||||||
"aarch64-unknown-linux-musl": "aarch64-linux",
|
|
||||||
"x86_64-unknown-linux-musl": "x86_64-linux",
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
# Helpers functions.
|
|
||||||
printerr = functools.partial(print, file=sys.stderr)
|
|
||||||
|
|
||||||
#
|
|
||||||
# Arguments -- parsed while you wait!
|
|
||||||
#
|
|
||||||
parser = argparse.ArgumentParser(description="upload a lix-installer binary")
|
|
||||||
parser.add_argument("tag", help="the tag name to use while uploading")
|
|
||||||
parser.add_argument("folder", help="the results folder to use for uploading")
|
|
||||||
parser.add_argument("--make-default", help="makes this version the default for new installations",
|
|
||||||
action="store_true")
|
|
||||||
parser.add_argument("-E", "--endpoint", help="the endpoint URL to use for S3", default="https://s3.lix.systems")
|
|
||||||
parser.add_argument("-R", "--region", help="the region to use for the S3 upload", default="garage")
|
|
||||||
parser.add_argument("-B", "--bucket", help="the s3 bucket to target", default="install")
|
|
||||||
parser.add_argument("--force", help="allows overwriting an existing tag", action="store_true")
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
# Extract our AWS command arguments from our argparse ones.
|
|
||||||
path_for = lambda platform : pf"{args.folder}/lix-installer-{platform}"
|
|
||||||
aws_args = [
|
|
||||||
"--endpoint-url",
|
|
||||||
args.endpoint,
|
|
||||||
"--region",
|
|
||||||
args.region
|
|
||||||
]
|
|
||||||
|
|
||||||
# Validate that we have the environment variables necessary to build.
|
|
||||||
if ('AWS_ACCESS_KEY_ID' not in ${...}) or ('AWS_SECRET_ACCESS_KEY' not in ${...}):
|
|
||||||
printerr("ERROR: the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables must be set")
|
|
||||||
sys.exit(-1)
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# First, make sure we have all of the artifacts that we need before we start.
|
|
||||||
#
|
|
||||||
found_all_files = True
|
|
||||||
for platform in TARGET_PLATFORMS:
|
|
||||||
if not path_for(platform).exists():
|
|
||||||
printerr(f"ERROR: {platform} installer not found in {path_for(platform)}\n")
|
|
||||||
found_all_files = False
|
|
||||||
|
|
||||||
if not found_all_files:
|
|
||||||
printerr("Aborting due to missing results. Perhaps you want to run `build-all.xsh`?\n")
|
|
||||||
sys.exit(-2)
|
|
||||||
|
|
||||||
#
|
|
||||||
# Next, handle our uploads.
|
|
||||||
#
|
|
||||||
tag = args.tag
|
|
||||||
bucket = args.bucket
|
|
||||||
folder = args.folder
|
|
||||||
target_path = f"s3://{bucket}/lix/{tag}"
|
|
||||||
default_path = f"s3://{bucket}/lix"
|
|
||||||
|
|
||||||
# First, check to ensure that the relevant tag does not exist.
|
|
||||||
tag_exists = !(aws s3 @(aws_args) ls @(target_path))
|
|
||||||
if tag_exists:
|
|
||||||
if args.force:
|
|
||||||
printerr(f"WARNING: Overwriting existing tag '{tag}' due to --force!")
|
|
||||||
else:
|
|
||||||
printerr(f"ERROR: Tag '{tag}' already exists! Refusing to overwrite without --force.\n")
|
|
||||||
sys.exit(-3)
|
|
||||||
|
|
||||||
|
|
||||||
# From this point forward, fail if any of our subcommands do.
|
|
||||||
$RAISE_SUBPROC_ERROR=True
|
|
||||||
|
|
||||||
# Copy the core inner pieces...
|
|
||||||
printerr(f"\n>> Uploading tag '{tag}' from folder '{folder}'.")
|
|
||||||
for in_filename, out_filename in TARGET_PLATFORMS.items():
|
|
||||||
aws s3 @(aws_args) cp @(folder)/lix-installer-@(in_filename) @(target_path)/lix-installer-@(out_filename) --acl public-read
|
|
||||||
|
|
||||||
# ... and, if requested, copy the pieces that make this the default.
|
|
||||||
if args.make_default:
|
|
||||||
printerr(f"\n>> Installing {tag} as the default install provider.")
|
|
||||||
for in_filename, out_filename in TARGET_PLATFORMS.items():
|
|
||||||
aws s3 @(aws_args) cp @(folder)/lix-installer-@(in_filename) @(default_path)/lix-installer-@(out_filename) --acl public-read
|
|
||||||
|
|
||||||
printerr(f"\n>> Updating base install script...")
|
|
||||||
aws s3 @(aws_args) cp nix-installer.sh @(default_path) --acl public-read
|
|
||||||
|
|
||||||
# Make sure all of our lines are out.
|
|
||||||
sys.stderr.flush()
|
|
Loading…
Reference in a new issue