From 94a9c8afa8471cbb328262e6385fbda3383f7dde Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 22 Dec 2022 23:59:51 +0100
Subject: [PATCH] security for deployment on prod
---
 deploy_nixos | 17 +++++++++++++----
 sshtool | 4 +++-
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/deploy_nixos b/deploy_nixos
index 4663acf..4f8aa2a 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -11,8 +11,17 @@ if [ "$CLUSTER" = "staging" ]; then
 copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
 fi
-# use ./upgrade_nixos instead to upgrade NixOS
-#cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"
-#cmd nixos-rebuild switch --upgrade --show-trace
-cmd nixos-rebuild switch
+if [ "$CLUSTER" = "prod" ]; then
+ cmd nixos-rebuild boot
+ message "-------------------------------------------------------------------------------------"
+ message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
+ message "Please apply the following procedure to node '$NIXHOST':"
+ message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
+ message "2. Reboot node manually. You can also take the opportunity to upgrade with:"
+ message " REBOOT_NODES=yes ./upgrade_nixos prod $NIXHOST"
+ message "3. Mark node as eligible again in Nomad"
+ message "-------------------------------------------------------------------------------------"
+else
+ cmd nixos-rebuild switch
+fi
diff --git a/sshtool b/sshtool
index ffe1e4e..8719ffa 100755
--- a/sshtool
+++ b/sshtool
@@ -45,7 +45,9 @@ function footer {
 }
 function message {
-  echo "echo '$@'"
+  echo "base64 -d <
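Review bot: The new `if [ "$CLUSTER" = "prod" ]` guard in deploy_nixos makes the disruptive `nixos-rebuild switch` the default for every value that is not exactly `prod`, so an unset or misspelled CLUSTER (`Prod`, `production`) falls through the `else` branch and activates the configuration immediately on a node that may still be serving traffic. The only other cluster name visible in the hunk is `staging` (in the header context), so the fail-safe shape is to name it explicitly and refuse anything else: `elif [ "$CLUSTER" = "staging" ]; then cmd nixos-rebuild switch` followed by `else echo "deploy_nixos: unknown cluster '$CLUSTER'" >&2; exit 1`. It is also worth telling the operator that `nixos-rebuild boot` has already made the new generation the bootloader default, so an unplanned reboot (crash, power loss) activates it before the Nomad drain in step 1 has run, e.g. `message "Note: the new generation is now the boot default; any reboot before step 1 completes will activate it."`. CLUSTER is assigned before the start of this hunk, so whether it is validated earlier in the script cannot be confirmed from here.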