Merge branch '72.bounded-NIX_PATH' into 'develop'

Bounded NIX_PATH Closes #72 See merge request !131

Merge branch '72.bounded-NIX_PATH' into 'develop'
d1d42ecb · Jean-Paul Calderone · 3be0f782 · 9b2cd793 · d1d42ecb · d1d42ecb
Commit d1d42ecb authored 3 years ago by Jean-Paul Calderone
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -11,13 +11,7 @@ let
    # `restrict` means "disable all the things" then `command` means "but
    # enable running this one command" (the client does not have to supply the
    # command; if they authenticate, this is the command that will run).
-    # environment lets us pass an environment variable into the process
-    # started by the given command.  It only works because we configured our
-    # sshd to allow this particular variable through.  By passing this value,
-    # we can pin nixpkgs in the executed command to the same version
-    # configured for use here.  It might be better if we just had a channel
-    # the system could be configured with ... but we don't at the moment.
-    "restrict,environment=\"NIXPKGS_FOR_MORPH=${pkgs.path}\",command=\"${command} ${gridName}\" ${authorizedKey}";
+    "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
  options = {
    services.private-storage.deployment.authorizedKey = lib.mkOption {
@@ -50,10 +44,6 @@ in {
      ];
    };

-    services.openssh.extraConfig = ''
-      PermitUserEnvironment=NIXPKGS_FOR_MORPH
-    '';
-
    # Create a one-time service that will set up an ssh key that allows the
    # deployment user to authorize as root to perform the system update with
    # `morph deploy`.

--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
@@ -75,12 +75,15 @@ EOF
 # Make sure known_hosts has the host key in it.
 ssh -o StrictHostKeyChecking=no "$(hostname).$(domainname)" ":"

-# Set nixpkgs to our preferred version for the morph build.  The NIX_PATH
-# environment variable itself receives special treatment by some parts of the
-# system (especially those parts leading up to the execution of this script)
-# so we pass the desired information through a different variable and then
-# shuffle it into the right place here, just before it is needed.
-export NIX_PATH="nixpkgs=$NIXPKGS_FOR_MORPH"
+# Set nixpkgs to our preferred version for the morph build.  Annoyingly, we
+# can't just use nixpkgs-2105.nix as our nixpkgs because some code (in morph,
+# at least) wants <nixpkgs> to be a fully-resolved path to a nixpkgs tree.
+# For example, morph evaluated `import <nixpkgs/lib>` which would turn into
+# something like `import nixpkgs-2105.nix/lib` which is nonsense.
+#
+# So instead, import our nixpkgs which forces it to be instantiated in the
+# store, then ask for its path, then set NIX_PATH to that.
+export NIX_PATH="nixpkgs=$(nix eval "(import ${CHECKOUT}/nixpkgs-2105.nix { }).path")"

 # Attempt to update just this host.  Choose the morph grid definition matching
 # the grid we belong to and limit the morph deployment update to the host