security for deployment on prod

1 files changed, 13 insertions, 4 deletions

diff --git a/deploy_nixos b/deploy_nixos
index 4663acf..4f8aa2a 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -11,8 +11,17 @@ if [ "$CLUSTER" = "staging" ]; then
 	copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
 fi
 
-# use ./upgrade_nixos instead to upgrade NixOS
-#cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"
-#cmd nixos-rebuild switch --upgrade --show-trace
 
-cmd nixos-rebuild switch
+if [ "$CLUSTER" = "prod" ]; then
+	cmd nixos-rebuild boot
+	message "-------------------------------------------------------------------------------------"
+	message "New NixOS configuration hasn't been applied, to avoid disturbing production services."
+	message "Please apply the following procedure to node '$NIXHOST':"
+	message "1. Drain node in Nomad so that all jobs are relocated elsewhere"
+	message "2. Reboot node manually. You can also take the opportunity to upgrade with:"
+	message "         REBOOT_NODES=yes ./upgrade_nixos prod $NIXHOST"
+	message "3. Mark node as eligible again in Nomad"
+	message "-------------------------------------------------------------------------------------"
+else
+	cmd nixos-rebuild switch
+fi