Get NIX_PATH set right for the morph command

11cd5a98 · Jean-Paul Calderone · 52f13148 · 11cd5a98 · 11cd5a98
Commit 11cd5a98 authored 3 years ago by Jean-Paul Calderone
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -11,7 +11,13 @@ let
    # `restrict` means "disable all the things" then `command` means "but
    # enable running this one command" (the client does not have to supply the
    # command; if they authenticate, this is the command that will run).
-    "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
+    # environment lets us pass an environment variable into the process
+    # started by the given command.  It only works because we configured our
+    # sshd to allow this particular variable through.  By passing this value,
+    # we can pin nixpkgs in the executed command to the same version
+    # configured for use here.  It might be better if we just had a channel
+    # the system could be configured with ... but we don't at the moment.
+    "restrict,environment=\"NIXPKGS_FOR_MORPH=${pkgs.path}\",command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
  options = {
    services.private-storage.deployment.authorizedKey = lib.mkOption {
@@ -44,6 +50,10 @@ in {
      ];
    };

+    services.openssh.extraConfig = ''
+      PermitUserEnvironment=NIXPKGS_FOR_MORPH
+    '';
+
    # Create a one-time service that will set up an ssh key that allows the
    # deployment user to authorize as root to perform the system update with
    # `morph deploy`.

--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
@@ -2,10 +2,6 @@

 set -euxo pipefail

-# XXX I just want to inherit this.  Why can't I get it through the environment
-# to here?
-export NIX_PATH=nixpkgs=https://github.com/PrivateStorageio/nixpkgs/archive/7e71ee63a67bd3e2c190abd982b541603f4f86b0.tar.gz
-
 # Accept the name of the grid this system is part of as a parameter.  This
 # lets us pick the correct morph grid source file later on.
 GRIDNAME=$1
@@ -77,6 +73,13 @@ EOF
 # Make sure known_hosts has the host key in it.
 ssh -o StrictHostKeyChecking=no "$(hostname).$(domainname)" ":"

+# Set nixpkgs to our preferred version for the morph build.  The NIX_PATH
+# environment variable itself receives special treatment by some parts of the
+# system (especially those parts leading up to the execution of this script)
+# so we pass the desired information through a different variable and then
+# shuffle it into the right place here, just before it is needed.
+export NIX_PATH="nixpkgs=$NIXPKGS_FOR_MORPH"
+
 # Attempt to update just this host.  Choose the morph grid definition matching
 # the grid we belong to and limit the morph deployment update to the host
 # matching our name.  morph uses just the bare hostname without the domain