From 230c1d727b951e032603a5c776f540003829bff6 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 30 Dec 2021 18:09:20 +0100
Subject: Increase security: sudo with password, no more docker group for users
---
 deploy.sh | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
(limited to 'deploy.sh')
diff --git a/deploy.sh b/deploy.sh
index e4470c0..4d6387f 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -8,6 +8,8 @@ else
 NIXHOSTLIST="$@"
 fi
+TMP_PATH=/tmp/tmp-deploy-$(date +%s)
+
 for NIXHOST in $NIXHOSTLIST; do
 NIXHOST=${NIXHOST%.*}
@@ -21,13 +23,25 @@ for NIXHOST in $NIXHOSTLIST; do
 echo "Sending NixOS config files"
- cat configuration.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/configuration.nix > /dev/null
- cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/node.nix > /dev/null
- cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/site.nix > /dev/null
+ ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH
+ cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
+ cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
+ cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
 echo "Sending secret files"
- test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST sudo tee /root/rclone.conf > /dev/null)
+ test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null)
 echo "Rebuilding NixOS"
- ssh -F ssh_config $SSH_DEST sudo nixos-rebuild switch
+
+ ssh -F ssh_config $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <
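Review bot: `TMP_PATH=/tmp/tmp-deploy-$(date +%s)` in the first hunk is a predictable name in a shared, world-writable directory on the remote host, and the `mkdir -p $TMP_PATH` added in the second hunk does not fail when the directory already exists, so a pre-existing directory owned by another local user would silently receive the files tee'd into it — including secrets/rclone.conf and the deploy.sh staged there, which the commit message suggests is later run via sudo. SSH_DEST appears to be set per host inside the loop (outside this hunk), so the directory should be created per host by the remote mktemp instead of a timestamp: `TMP_PATH=$(ssh -F ssh_config "$SSH_DEST" mktemp -d) || exit 1` after SSH_DEST is set, with the `mkdir -p` line in the second hunk dropped. This also avoids two hosts deployed within the same second sharing one path, and nothing in the visible part of the second hunk removes the staging directory after the rebuild, so an `rm -rf` of it on the remote side once deploy.sh has run would keep the secret file from lingering in /tmp; the second hunk continues past the end of this excerpt.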