]>
git.immae.eu Git - perso/Immae/Config/Nix.git/blob - nixops/scripts/setup
5 RemoteRepo
="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
6 DeploymentUuid
="cef694f3-081d-11e9-b31f-0242ec186adf"
8 if ! which nix
2>/dev
/null
>/dev
/null
; then
10 nix is needed, please install it:
11 > curl https://nixos.org/nix/install | sh
12 (or any other way handled by your distribution)
17 if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
19 Nix store outside of /nix/store is not supported
24 if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
25 -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
27 Two environment variables are needed to setup the password store:
28 NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
29 NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
34 if ! pass
$NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev
/null
2>/dev
/null
; then
36 /!\ This will modify your password store to add and import a subtree
37 with the specific passwords files. Choose a path that doesn’t exist
38 yet in your password store.
39 > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
40 > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
41 Later, you can use pull_environment and push_environment scripts to
42 update the passwords when needed
46 if [ "$y" = "y" -o "$y" = "Y" ]; then
47 pass git remote add
$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
48 pass git subtree add
--prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
55 # Repull it before using it, just in case
56 pass git subtree pull
--prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
58 gpg_keys
=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
59 for key
in $gpg_keys; do
60 content
=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
61 fpr
=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
62 gpg
--list-key "$fpr" >/dev
/null
2>/dev
/null
&& imported
=yes || imported
=no
63 # /usr/share/doc/gnupg/DETAILS field 2
64 (echo "$content" | gpg
--import-options show
-only --import --with-colons |
67 grep -q '[fu]') && signed
=yes || signed
=no
68 if [ "$signed" = no
-o "$imported" = no
] ; then
69 echo "The key for $key needs to be imported and signed (a local signature is enough)"
70 echo "$content" | gpg
--import-options show
-only --import
71 echo "Continue? [y/N]"
73 if [ "$y" = "y" -o "$y" = "Y" ]; then
74 echo "$content" | gpg
--import
75 gpg
--expert --edit-key "$fpr" lsign quit
83 nix_group
=$(stat -c %G /nix/store)
84 if [ "$nix_group" = "nixbld" ]; then
87 nix_user
="$(stat -c %U /nix/store)"
90 if [ ! -f /etc
/ssh
/ssh_rsa_key_nixops
]; then
92 The key to access private git repositories (websites hosted by the
93 server) needs to be accessible to nix builders. It will be put in
94 /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
95 > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
96 > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
97 > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
98 > sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
102 if [ "$y" = "y" -o "$y" = "Y" ]; then
103 if ! id
-u $nix_user 2>/dev
/null
>/dev
/null
; then
104 echo "User $nix_user seems inexistant, did you install nix?"
109 # Don’t forward it directly to tee, it would break ncurse pinentry
110 key
=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey)
111 echo "$key" | sudo
tee /etc
/ssh
/ssh_rsa_key_nixops
> /dev
/null
112 sudo
chmod u
=r
,go
=- /etc
/ssh
/ssh_rsa_key_nixops
113 pubkey
=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub)
114 echo "$pubkey" | sudo
tee /etc
/ssh
/ssh_rsa_key_nixops.pub
> /dev
/null
115 sudo
chmod a
=r
/etc
/ssh
/ssh_rsa_key_nixops.pub
116 sudo chown
$nix_user:$nix_group /etc
/ssh
/ssh_rsa_key_nixops
/etc
/ssh
/ssh_rsa_key_nixops.pub
124 if nix show
-config --json | jq
-e '.sandbox.value == "true"' >/dev
/null
; then
126 There are some impure derivations in the repo currently (grep __noChroot), please put
129 you may also want to add
131 keep-derivations = true
132 to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
137 DIR
="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev
/null
2>&1 && pwd )"
138 nixops="$(nix-build --no-out-link -A nixops "$(dirname $(dirname $DIR))")/bin/nixops"
139 export NIXOPS_STATE
="$(dirname $DIR)/state/eldiron.nixops"
140 export NIXOPS_DEPLOYMENT
="$DeploymentUuid"
142 if ! $nixops info
2>/dev
/null
>/dev
/null
; then
144 Importing deployment file into nixops:
148 if [ "$y" = "y" -o "$y" = "Y" ]; then
149 deployment
=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment)
150 echo "$deployment" | $nixops import
152 $nixops modify
"$(dirname $DIR)/eldiron.nix"
161 Please make sure you’re using scripts/nixops_wrap when deploying