]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - nixops/scripts/setup
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add protection for setup script
[perso/Immae/Config/Nix.git] / nixops / scripts / setup
diff --git a/nixops/scripts/setup b/nixops/scripts/setup
index bb433babbdf13fafc6dfb5a15d5a93a9b9494667..758cc34e584f7b00a0f49c1d6590e4351781f0b8 100755 (executable)
--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -1,8 +1,8 @@
 #!/bin/bash
 
 #!/bin/bash
 
-RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
-NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
-NixChannelName='immaeNixpkgs'
+set -euxo pipefail
+
+RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
 DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
 
 if ! which nix 2>/dev/null >/dev/null; then
 DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
 
 if ! which nix 2>/dev/null >/dev/null; then
@@ -50,8 +50,8 @@ if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
        The key to access private git repositories (websites hosted by the
        server) needs to be accessible to nix builders. It will be put in
        /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
        The key to access private git repositories (websites hosted by the
        server) needs to be accessible to nix builders. It will be put in
        /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
-       > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
-       > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+       > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+       > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
        > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
        > sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
        Continue? [y/N]
        > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
        > sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
        Continue? [y/N]
@@ -65,10 +65,10 @@ if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
     mask=$(umask)
     umask 0777
     # Don’t forward it directly to tee, it would break ncurse pinentry
     mask=$(umask)
     umask 0777
     # Don’t forward it directly to tee, it would break ncurse pinentry
-    key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
+    key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey)
     echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
     sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
     echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
     sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
-    pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
+    pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub)
     echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
     sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
     sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
     echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
     sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
     sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
@@ -79,29 +79,6 @@ if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
   fi
 fi
 
   fi
 fi
 
-if ! nix-channel --list | grep -q "$NixChannelName $NixChannelUrl"; then
-  cat <<-EOF
-       A new nix channel will be installed (or upgraded) to freeze the packages
-       version:
-       $NixChannelName $NixChannelUrl
-       > nix-channel --add $NixChannelUrl $NixChannelName
-       > nix-channel --update
-       If this step fail, you may have to disable sandboxing in
-       /etc/nix/nix.conf and rerun
-       > nix-channel --update
-       manually.
-       Continue? [y/N]
-       EOF
-  read y
-  if [ "$y" = "y" -o "$y" = "Y" ]; then
-    nix-channel --add $NixChannelUrl $NixChannelName
-    nix-channel --update
-  else
-    echo "Aborting"
-    exit 1
-  fi
-fi
-
 if ! which nixops 2>/dev/null >/dev/null; then
   cat <<-EOF
        nixops is needed:
 if ! which nixops 2>/dev/null >/dev/null; then
   cat <<-EOF
        nixops is needed:
@@ -133,7 +110,7 @@ if ! nixops info 2>/dev/null >/dev/null; then
        EOF
   read y
   if [ "$y" = "y" -o "$y" = "Y" ]; then
        EOF
   read y
   if [ "$y" = "y" -o "$y" = "Y" ]; then
-    deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixDeployment)
+    deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment)
     echo "$deployment" | nixops import
 
     nixops modify "$(dirname $DIR)/eldiron.nix"
     echo "$deployment" | nixops import
 
     nixops modify "$(dirname $DIR)/eldiron.nix"
My infrastructure configuration