security for deployment on prod
parent
0e1574a82b
commit
94a9c8afa8
2 changed files with 16 additions and 5 deletions
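--- a/deploy_nixos
+++ b/deploy_nixos
@@ -11,8 +11,17 @@ if [ "$CLUSTER" = "staging" ]; then
 copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
 fi
 
-# use ./upgrade_nixos instead to upgrade NixOS
-#cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"
-#cmd nixos-rebuild switch --upgrade --show-trace
 
-cmd nixos-rebuild switch
+if [ "$CLUSTER" = "prod" ]; then
+cmd nixos-rebuild boot
+message "-------------------------------------------------------------------------------------"
+message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
+message "Please apply the following procedure to node '$NIXHOST':"
+message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
+message "2. Reboot node manually. You can also take the opportunity to upgrade with:"
+message " REBOOT_NODES=yes ./upgrade_nixos prod $NIXHOST"
+message "3. Mark node as eligible again in Nomad"
+message "-------------------------------------------------------------------------------------"
+else
+cmd nixos-rebuild switch
+fi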
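Review bot: The disruptive path is the default in this branch: any `CLUSTER` value other than the exact string `prod` falls through to `cmd nixos-rebuild switch`, so a misspelled or newly added production-like cluster name would be activated live. Unless `CLUSTER` is validated earlier in the script (not visible in this hunk), consider inverting the test so that only known non-production clusters switch immediately, e.g. `if [ "$CLUSTER" = "staging" ]; then cmd nixos-rebuild switch; else ... fi`. A comment above the branch would also help, such as `# prod: stage the new generation for the next boot only; running services keep the old configuration until the node is drained and rebooted`. That comment matters operationally because urgent changes (revoked keys, firewall rules) are not in effect on prod until the reboot, and an unplanned reboot activates the staged configuration without a drain.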
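--- a/sshtool
+++ b/sshtool
@@ -45,7 +45,9 @@ function footer {
 }
 
 function message {
-echo "echo '$@'"
+echo "base64 -d <<EOG"
+echo "$@" | base64
+echo "EOG"
 }
 
 function cmd {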
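Review bot: In `message`, `echo "$@" | base64` still lets `echo` interpret a message that begins with `-n` or `-e`, so such text would be dropped or altered before it is encoded; `printf '%s\n' "$*" | base64` avoids that. Quoting the delimiter in the emitted line, `echo "base64 -d <<'EOG'"`, would make it explicit that the shell reading the generated script must not expand the heredoc body, instead of relying on the base64 alphabet containing no `$` or backticks. A short comment on the function would record the reason for the encoding, for example `# message text is embedded in a generated script; base64 keeps quotes in the text from terminating the shell string`. The body of `cmd` lies outside this hunk; if it interpolates its arguments the way the old `message` did, it deserves the same check.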