From 8bb463db7e232bc507d82d602a92cb752c873d79 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Mon, 20 May 2024 23:15:31 -0400 Subject: Fix push.sh, act as $USER instead of root At some point I guess the activation script changed to no longer include the domain, so I have to get it form the 'domainname' systemd service. Also I switched to sshing as $USER instead of root, which just seems like better security practice. I originally used root because I thought you had to be root to do nix system stuff, but it turns out that's not the case.
---
Biz/Ide/push.sh | 13 +++++++------ Biz/OsBase.nix | 1 + 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'Biz')
diff --git a/Biz/Ide/push.sh b/Biz/Ide/push.sh
index 6729c2f..43dff28 100755
--- a/Biz/Ide/push.sh
+++ b/Biz/Ide/push.sh
@@ -10,10 +10,11 @@ else
 target="$prefix.$1"
 fi
 what=$(realpath "${CODEROOT:?}/_/nix/$target")
-# hack: get the domain from the activation script. there does not seem
-# to be a way to get it from nix-instantiate
-where=$(rg -r '$2' -e '(domainname ")(.*)(")' "$what/activate")
-nix copy --to ssh://root@"$where" "$what"
-ssh root@"$where" "$what"/bin/switch-to-configuration switch
-ssh root@"$where" nix-env --profile /nix/var/nix/profiles/system --set "$what"
+# hack: get the domain from the systemd service. there does not seem to be a way
+# to get it from nix-instantiate. (or, maybe i should put this in bild --plan?)
+where=$(rg --only-matching --replace '$2' --regexp '(domainname ")(.*)(")' \
+ "$what/etc/systemd/system/domainname.service")
+nix copy --to ssh://"$USER"@"$where" "$what"
+ssh "$USER"@"$where" sudo "$what"/bin/switch-to-configuration switch
+ssh "$USER"@"$where" sudo nix-env --profile /nix/var/nix/profiles/system --set "$what"
 echo "${GRN}good: push: $target${NC}"
diff --git a/Biz/OsBase.nix b/Biz/OsBase.nix
index a9407ab..d9c6be9 100644
--- a/Biz/OsBase.nix
+++ b/Biz/OsBase.nix
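Review bot: `where` goes straight into the three added `nix copy` / `ssh ... sudo` lines with no check that the `rg` lookup produced exactly one host name; if `domainname.service` is absent or the pattern matches nothing, the target becomes `"$USER"@""` (whether `set -e` would stop the script first is not visible, since the script starts above this hunk). Fail closed right after the assignment, the way the script already does for CODEROOT: `: "${where:?push: no domainname found in $what}"`. The remote `sudo` calls run without a tty, so they presumably depend on passwordless sudo for `$USER` on the target; say so in the comment, because that makes the account root-equivalent on that host.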
@@ -20,6 +20,7 @@ in {
 nix.optimise.automatic = true;
 nix.optimise.dates = [ "Sunday 02:30" ];
 nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+ nix.settings.trusted-users = [ "ben" ];
 programs.ccache.enable = true;
 programs.mosh.enable = true;
 programs.mosh.withUtempter = true;
-- cgit v1.2.3
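Review bot: `nix.settings.trusted-users = [ "ben" ];` gives that account what the Nix manual describes as essentially root-equivalent control of the daemon, so dropping `root@` in push.sh moves the privilege to `ben` rather than reducing it. The name is also hard-coded here while push.sh connects as `$USER`, so a push from any other account would presumably be refused when copying unsigned paths. Add a comment stating why the line exists, e.g. `# lets push.sh 'nix copy' unsigned closures over ssh; trusted users are effectively root`, and consider signing the closure and listing the key in `nix.settings.trusted-public-keys` instead of trusting a login account. The enclosing attribute set starts and ends outside the hunk.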