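#!/bin/bash
# Bootstrap a workstation for deploying the "eldiron" NixOps configuration:
#   1. check that nix is installed,
#   2. import the private password-store subtree (pass + git subtree),
#   3. install the SSH key nix builders use to fetch private git repositories,
#   4. pin the nixpkgs channel to a fixed release,
#   5. install nixops and import the deployment state.
# Every step that modifies the machine asks for confirmation first.
#
# Required environment:
#   NIXOPS_CONFIG_PASS_SUBTREE_PATH    path inside the password store where the subtree lives
#   NIXOPS_CONFIG_PASS_SUBTREE_REMOTE  git remote name to give the subtree repository

readonly RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
readonly NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
readonly NixChannelName='immaeNixpkgs'
readonly DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
# Private key read by the nix build users; its presence marks the key step as done.
readonly NixSshKeyFile=/etc/ssh/ssh_rsa_key_nixops

# Print a message on stderr and abort the setup.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Read one line from the user; succeed only on an explicit "y" or "Y".
confirm() {
  local answer
  read -r answer
  [[ "$answer" == "y" || "$answer" == "Y" ]]
}

if ! command -v nix >/dev/null 2>&1; then
  # NOTE(review): the suggested "curl | sh" executes an unverified script as the
  # current user; prefer downloading the installer, checking its signature, then
  # running it.
  cat <<-EOF
	nix is needed, please install it:
	> curl https://nixos.org/nix/install | sh
	(or any other way handled by your distribution)
	EOF
  exit 1
fi

if [[ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" || -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]]; then
  cat <<-EOF
	Two environment variables are needed to setup the password store:
	NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
	NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
	EOF
  exit 1
fi

# `pass <dir>` lists the directory; failure means the subtree is not imported yet.
if ! pass "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" >/dev/null 2>&1; then
  cat <<-EOF
	/!\ This will modify your password store to add and import a subtree
	with the specific passwords files. Choose a path that doesn’t exist
	yet in your password store.
	> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
	> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
	Later, you can use pull_environment and push_environment scripts to
	update the passwords when needed
	Continue? [y/N]
	EOF
  if confirm; then
    pass git remote add "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" "$RemoteRepo" \
      || die "Could not add git remote $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE"
    pass git subtree add --prefix="$NIXOPS_CONFIG_PASS_SUBTREE_PATH" "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" master \
      || die "Could not import the password store subtree"
  else
    die "Aborting"
  fi
fi

if [[ ! -f "$NixSshKeyFile" ]]; then
  cat <<-EOF
	The key to access private git repositories (websites hosted by the
	server) needs to be accessible to nix builders. It will be put in
	/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
	> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
	> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
	Continue? [y/N]
	EOF
  if confirm; then
    id -u nixbld1 >/dev/null 2>&1 || die "User nixbld1 seems inexistant, did you install nix?"
    # Decrypt both entries before touching umask or the filesystem: piping pass
    # straight into tee would break an ncurses pinentry, and a failed or empty
    # decryption must not leave a bogus key file behind, because the file's
    # existence is what makes the next run skip this step.
    key=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey") \
      || die "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey from the password store"
    pubkey=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub") \
      || die "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub from the password store"
    [[ -n "$key" && -n "$pubkey" ]] || die "NixSshKey or NixSshKey.pub is empty in the password store"
    # umask 0777 makes tee create the files with mode 0000, so the private key is
    # never readable by anyone between creation and the chmod below.
    mask=$(umask)
    umask 0777
    printf '%s\n' "$key" | sudo tee "$NixSshKeyFile" >/dev/null \
      || die "Could not write $NixSshKeyFile"
    sudo chmod u=r,go-rwx "$NixSshKeyFile" || die "Could not set permissions on $NixSshKeyFile"
    printf '%s\n' "$pubkey" | sudo tee "${NixSshKeyFile}.pub" >/dev/null \
      || die "Could not write ${NixSshKeyFile}.pub"
    sudo chmod a=r "${NixSshKeyFile}.pub" || die "Could not set permissions on ${NixSshKeyFile}.pub"
    # NOTE(review): mode 0400 owned by nixbld1 means only the first build user can
    # read the key; builds scheduled on nixbld2..N would fail to fetch. Confirm
    # this is intended before widening to group read.
    sudo chown nixbld1:nixbld "$NixSshKeyFile" "${NixSshKeyFile}.pub" \
      || die "Could not change ownership of $NixSshKeyFile"
    umask "$mask"
  else
    die "Aborting"
  fi
fi

# Fixed-string match so the dots in the URL are not treated as regex wildcards.
if ! nix-channel --list | grep -qF -- "$NixChannelName $NixChannelUrl"; then
  cat <<-EOF
	A new nix channel will be installed (or upgraded) to freeze the packages
	version:
	$NixChannelName $NixChannelUrl
	> nix-channel --add $NixChannelUrl $NixChannelName
	> nix-channel --update
	If this step fail, you may have to disable sandboxing in
	/etc/nix/nix.conf and rerun
	> nix-channel --update
	manually.
	Continue? [y/N]
	EOF
  if confirm; then
    nix-channel --add "$NixChannelUrl" "$NixChannelName" || die "Could not add channel $NixChannelName"
    nix-channel --update \
      || die "nix-channel --update failed; check sandboxing in /etc/nix/nix.conf and rerun it manually"
  else
    die "Aborting"
  fi
fi

if ! command -v nixops >/dev/null 2>&1; then
  cat <<-EOF
	nixops is needed:
	> nix-env -i nixops
	If it fails, please check that $HOME/.nix-profile/bin is in your PATH.
	Continue? [y/N]
	EOF
  if confirm; then
    nix-env -i nixops
    command -v nixops >/dev/null 2>&1 \
      || die "Installation failed, please check that $HOME/.nix-profile/bin is in your path."
  else
    die "Aborting"
  fi
fi

# The deployment state and eldiron.nix live in the parent directory of this script.
ScriptDir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
export NIXOPS_STATE="$(dirname "$ScriptDir")/state/eldiron.nixops"
export NIXOPS_DEPLOYMENT="$DeploymentUuid"

if ! nixops info >/dev/null 2>&1; then
  cat <<-EOF
	Importing deployment file into nixops:
	Continue? [y/N]
	EOF
  if confirm; then
    # Same pinentry consideration as for the SSH key: decrypt into a variable first,
    # and never import an empty state on a failed decryption.
    deployment=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixDeployment") \
      || die "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixDeployment from the password store"
    [[ -n "$deployment" ]] || die "NixDeployment is empty in the password store"
    printf '%s\n' "$deployment" | nixops import || die "nixops import failed"

    nixops modify "$(dirname "$ScriptDir")/eldiron.nix" || die "nixops modify failed"
  else
    die "Aborting"
  fi
fi

cat <<-EOF
	All set up.
	Please make sure you’re using scripts/nixops_wrap when deploying
	EOF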