nixos-anywhere: always set maybeSudo after facts are imported

Enzime · Enzime · commit 8441ad7259dc · 2025-08-13T12:49:23.000+10:00
diff --git a/src/get-facts.sh b/src/get-facts.sh
@@ -10,6 +10,7 @@ isArch=$(uname -m)
 isNixos=$isNixos
 isInstaller=$(if [ "$isNixos" = "y" ] && grep -Eq 'VARIANT_ID="?installer"?' /etc/os-release; then echo "y"; else echo "n"; fi)
 isContainer=$(if [ "$(has systemd-detect-virt)" = "y" ]; then systemd-detect-virt --container; else echo "none"; fi)
+isRoot=$(if [ "$(id -u)" -eq 0 ]; then echo "y"; else echo "n"; fi)
 hasIpv6Only=$(if [ "$(has ip)" = "n" ] || ip r g 1 >/dev/null 2>/dev/null || ! ip -6 r g :: >/dev/null 2>/dev/null; then echo "n"; else echo "y"; fi)
 hasTar=$(has tar)
 hasCpio=$(has cpio)
diff --git a/src/nixos-anywhere.sh b/src/nixos-anywhere.sh
@@ -48,6 +48,7 @@ isOs=
 isArch=
 isInstaller=
 isContainer=
+isRoot=
 hasIpv6Only=
 hasTar=
 hasCpio=
@@ -519,20 +520,31 @@ importFacts() {
   fi
   filteredFacts=$(echo "$facts" | grep -E '^(has|is)[A-Za-z0-9_]+=\S+')
   if [[ -z $filteredFacts ]]; then
-    abort "Retrieving host facts via ssh failed. Check with --debug for the root cause, unless you have done so already"
+    abort "Retrieving host facts via SSH failed. Check with --debug for the root cause, unless you have done so already"
   fi
   # make facts available in script
   # shellcheck disable=SC2046
   export $(echo "$filteredFacts" | xargs)
 
   # Necessary to prevent Bash erroring before printing out which fact had an issue
   set +u
-  for var in isOs isArch isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid; do
+  for var in isOs isArch isInstaller isContainer isRoot hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid; do
     if [[ -z ${!var} ]]; then
       abort "Failed to retrieve fact $var from host"
     fi
   done
   set -u
+
+  if [[ ${isRoot} == "y" ]]; then
+    maybeSudo=
+  elif [[ ${hasSudo} == "y" ]]; then
+    maybeSudo=sudo
+  elif [[ ${hasDoas} == "y" ]]; then
+    maybeSudo=doas
+  else
+    # shellcheck disable=SC2016
+    abort 'Unable to find a command to use to escalate privileges: Could not find `sudo` or `doas`'
+  fi
 }
 
 checkBuildLocally() {
@@ -579,7 +591,6 @@ checkBuildLocally() {
 }
 
 generateHardwareConfig() {
-  local maybeSudo="$maybeSudo"
   mkdir -p "$(dirname "$hardwareConfigPath")"
   case "$hardwareConfigBackend" in
   nixos-facter)
@@ -703,9 +714,6 @@ TMPDIR=/root/kexec setsid --wait ${maybeSudo} /root/kexec/kexec/run --kexec-extr
   # After kexec we explicitly set the user to root@
   sshConnection="root@${sshHost}"
 
-  # TODO: remove this after we reimport facts post-kexec and set this as a fact
-  maybeSudo=""
-
   # waiting for machine to become available again
   until runSsh -o ConnectTimeout=10 -- exit 0; do sleep 5; done
 
@@ -872,13 +880,6 @@ main() {
     abort "no setsid command found, but required to run the kexec script under a new session"
   fi
 
-  maybeSudo=""
-  if [[ ${hasSudo-n} == "y" ]]; then
-    maybeSudo="sudo"
-  elif [[ ${hasDoas-n} == "y" ]]; then
-    maybeSudo="doas"
-  fi
-
   if [[ ${isOs} != "Linux" ]]; then
     abort "This script requires Linux as the operating system, but got $isOs"
   fi
