diff --git a/sw/updater.nix b/sw/updater.nix
index 445d766..1d7b297 100644
--- a/sw/updater.nix
+++ b/sw/updater.nix
@@ -43,6 +43,98 @@ with lib; # Service path for unprivileged (no flags) UNIT="update-system.service" +<<<<<<< HEAD + # Figure out the "real" invoking user, even under sudo. + INVOKER_USER="''${SUDO_USER:-$(id -un)}" + INVOKER_HOME="$(getent passwd "$INVOKER_USER" | cut -d: -f6)" + if [ -z "$INVOKER_HOME" ]; then + # fallback if getent is weird in some containers + INVOKER_HOME="''${HOME:-/home/$INVOKER_USER}" + fi + + # Defaults for flagged mode + DEFAULT_REMOTE_URL="https://git.factory.uga.edu/UGA-Innovation-Factory/athenix" + REPO_MODE="default" # default | local | remote + LOCAL_PATH="" + REMOTE_URL="" + BRANCH="" + IMPURE=0 + + usage() { + cat >&2 <<'EOF' + usage: + update-system + update-system [--local-repo[=PATH]] [--remote-repo=URL] [--branch=BRANCH] [--impure] + + notes: + - No flags: runs the systemd service (works for unprivileged users via polkit). + - Any flags: only allowed for root or wheel (runs nixos-rebuild directly). + EOF + exit 2 + } + + # No flags -> polkit-friendly systemd service route + if [ "$#" -eq 0 ]; then + journalctl -fu "$UNIT" -n 0 --output=cat & + JPID=$! + + if systemctl start --wait --no-ask-password "$UNIT"; then + STATUS=$? + else + STATUS=$? + fi + + sleep 2 + kill "$JPID" 2>/dev/null || true + exit "$STATUS" + fi + + # Flags -> require root or wheel + if ! is_root && ! in_wheel; then + printf "''${RED}error:''${NC} flags are only allowed for root or wheel. 
Run without flags (service path), or use sudo / add yourself to wheel.\n" >&2 + exit 2 + fi + + # Parse flags + while [ "$#" -gt 0 ]; do + case "$1" in + --local-repo) + REPO_MODE="local" + LOCAL_PATH="$INVOKER_HOME/athenix" + shift + ;; + --local-repo=*) + REPO_MODE="local" + LOCAL_PATH="''${1#*=}" + shift + ;; + --remote-repo=*) + REPO_MODE="remote" + REMOTE_URL="''${1#*=}" + shift + ;; + --branch) + [ "$#" -ge 2 ] || usage + BRANCH="$2" + shift 2 + ;; + --branch=*) + BRANCH="''${1#*=}" + shift + ;; + --impure) + IMPURE=1 + shift + ;; + -h|--help) usage ;; + *) + printf "''${RED}error:''${NC} unknown argument: %s\n" "$1" >&2 + usage + ;; + esac + done + +======= # Defaults for flagged mode DEFAULT_REMOTE_URL="https://git.factory.uga.edu/UGA-Innovation-Factory/athenix" REPO_MODE="default" # default | local | remote @@ -125,6 +217,7 @@ with lib; esac done +>>>>>>> origin/main if [ "$REPO_MODE" = "local" ] && [ -n "$REMOTE_URL" ]; then printf "''${RED}error:''${NC} can't use --local-repo and --remote-repo together.\n" >&2 exit 2 @@ -134,7 +227,11 @@ with lib; # Build flake ref if [ "$REPO_MODE" = "local" ]; then +<<<<<<< HEAD + [ -n "$LOCAL_PATH" ] || LOCAL_PATH="$INVOKER_HOME/athenix" +======= [ -n "$LOCAL_PATH" ] || LOCAL_PATH="''${HOME}/athenix" +>>>>>>> origin/main # Clone default repo if missing if [ ! -d "$LOCAL_PATH" ]; then @@ -177,7 +274,18 @@ with lib; impureFlag="--impure" fi +<<<<<<< HEAD + # If not root, re-exec via sudo to do the actual switch. + # Preserve our computed invoker context so sudo doesn't "helpfully" change it. + if ! is_root; then + exec sudo --preserve-env=HOME,USER,LOGNAME \ + nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "$flakeRef" + else + exec nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "$flakeRef" + fi +======= exec nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "''${flakeRef}" +>>>>>>> origin/main '') ];
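Review bot: Unresolved merge-conflict markers are committed as added lines: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> origin/main` appear in this hunk and again in the hunks at -125, -134 and -177. Inside the script string they are plain shell text, so the generated `update-system` would most likely fail to parse. Stripping only the marker lines would not fix it, because both sides remain: the `origin/main` defaults (`REPO_MODE="default"`, and presumably the rest of that block outside the hunk) would reset what the HEAD-side parser just set, and the second `exec nixos-rebuild` would be unreachable. Resolve each conflict to a single side before merging. Since this script drives a root-level rebuild, a pre-commit or CI step such as `git diff --check`, which reports leftover conflict markers, is worth adding.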
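Review bot: The added default `LOCAL_PATH="$INVOKER_HOME/athenix"` means a run as root under sudo builds and activates a flake from a directory the invoking user can write, with `INVOKER_USER` taken from the `SUDO_USER` environment variable in the first hunk. That is probably the intent for wheel users, but it deserves a comment at this line, for example `# Under sudo this is the invoker's checkout: root activates whatever that user has in it.` The clone-if-missing branch that follows continues outside this hunk. If it runs as root it would presumably leave a root-owned checkout in the user's home, which is worth confirming.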
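Review bot: `--preserve-env=HOME,USER,LOGNAME` on the added `exec sudo` line makes the root `nixos-rebuild` run with the invoking user's `HOME`. Root-run nix and git may then read per-user configuration from a user-writable path and leave root-owned cache files in that home. `flakeRef` is already resolved before this point (its construction is outside the hunk), so the rebuild should not need the caller's environment, and I would drop the option: `exec sudo nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "$flakeRef"`. The sudo policy may also reject `--preserve-env` for users without permission to set the environment, which would break the non-root path. The comment mentions the "computed invoker context", but `INVOKER_USER` and `INVOKER_HOME` are not what is passed here, so it should be reworded or removed.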