diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
index 4c3a9dd0b8fa16e204495269616e09a1e715ad6b..b0a5e3c4c761d188922a076643fcd3a25a4b81f0 100755
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -11,13 +11,7 @@ let
 # `restrict` means "disable all the things" then `command` means "but
 # enable running this one command" (the client does not have to supply the
 # command; if they authenticate, this is the command that will run).
- # environment lets us pass an environment variable into the process
- # started by the given command. It only works because we configured our
- # sshd to allow this particular variable through. By passing this value,
- # we can pin nixpkgs in the executed command to the same version
- # configured for use here. It might be better if we just had a channel
- # the system could be configured with ... but we don't at the moment.
- "restrict,environment=\"NIXPKGS_FOR_MORPH=${pkgs.path}\",command=\"${command} ${gridName}\" ${authorizedKey}";
+ "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
 options = {
 services.private-storage.deployment.authorizedKey = lib.mkOption {
@@ -50,10 +44,6 @@ in {
 ];
 };
 
- services.openssh.extraConfig = ''
- PermitUserEnvironment=NIXPKGS_FOR_MORPH
- '';
-
 # Create a one-time service that will set up an ssh key that allows the
 # deployment user to authorize as root to perform the system update with
 # `morph deploy`.
diff --git a/nixos/modules/update-deployment b/nixos/modules/update-deployment
index 19599a4aa7ac2ec7bbb7e160ec1b37a8493b4a62..90adc6ff6c6b5223dadc71e81fced59f99f7b611 100755
--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
@@ -75,12 +75,15 @@ EOF
 # Make sure known_hosts has the host key in it.
 ssh -o StrictHostKeyChecking=no "$(hostname).$(domainname)" ":"
 
-# Set nixpkgs to our preferred version for the morph build. The NIX_PATH
-# environment variable itself receives special treatment by some parts of the
-# system (especially those parts leading up to the execution of this script)
-# so we pass the desired information through a different variable and then
-# shuffle it into the right place here, just before it is needed.
-export NIX_PATH="nixpkgs=$NIXPKGS_FOR_MORPH"
+# Set nixpkgs to our preferred version for the morph build. Annoyingly, we
+# can't just use nixpkgs-2105.nix as our nixpkgs because some code (in morph,
+# at least) wants <nixpkgs> to be a fully-resolved path to a nixpkgs tree.
+# For example, morph evaluated `import <nixpkgs/lib>` which would turn into
+# something like `import nixpkgs-2105.nix/lib` which is nonsense.
+#
+# So instead, import our nixpkgs which forces it to be instantiated in the
+# store, then ask for its path, then set NIX_PATH to that.
+export NIX_PATH="nixpkgs=$(nix eval "(import ${CHECKOUT}/nixpkgs-2105.nix { }).path")"
 
 # Attempt to update just this host. Choose the morph grid definition matching
 # the grid we belong to and limit the morph deployment update to the host
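Review bot: The new `export NIX_PATH="nixpkgs=$(nix eval ...)"` line discards the exit status of the inner `nix eval`, because `export` is a builtin and its own (successful) status is all the shell sees; if the evaluation fails, NIX_PATH is silently set to `nixpkgs=` and the morph build proceeds against whatever nixpkgs resolution happens next instead of the pinned tree this hunk is meant to guarantee. Split the assignment so a failure stops the update: `nixpkgs_path=$(nix eval --raw "(import ${CHECKOUT}/nixpkgs-2105.nix { }).path") || exit 1` followed by `export NIX_PATH="nixpkgs=$nixpkgs_path"`. `--raw` also keeps the value unquoted should `.path` ever evaluate to a string rather than a path. Whether the script runs under `set -e` and where `CHECKOUT` is assigned are outside this hunk; since `CHECKOUT` is interpolated unquoted into the Nix expression, it should remain a value the script itself sets, not one taken from the caller's environment.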