#!/bin/bash
-RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
+set -euo pipefail
+
+RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
+DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
+
+if ! which nix 2>/dev/null >/dev/null; then
+ cat <<-EOF
+ nix is needed, please install it:
+ > curl https://nixos.org/nix/install | sh
+ (or any other way handled by your distribution)
+ EOF
+ exit 1
+fi
+
+if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
+ cat <<-EOF
+ Nix store outside of /nix/store is not supported
+ EOF
+ exit 1
+fi
if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
cat <<-EOF
-Two environment variables are needed to setup the password store:
-NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
-NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
-EOF
+ Two environment variables are needed to setup the password store:
+ NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
+ NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
+ EOF
exit 1
fi
if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
cat <<-EOF
-/!\ This will modify your password store to add and import a subtree
-with the specific passwords files. Choose a path that doesn’t exist
-yet in your password store.
-> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-Later, you can use pull_environment and push_environment scripts to
-update the passwords when needed
-Continue? [y/N]
-EOF
+ /!\ This will modify your password store to add and import a subtree
+ with the specific passwords files. Choose a path that doesn’t exist
+ yet in your password store.
+ > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
+ > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+ Later, you can use pull_environment and push_environment scripts to
+ update the passwords when needed
+ Continue? [y/N]
+ EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
fi
fi
+# Repull it before using it, just in case
+pass git subtree pull --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+
+gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+for key in $gpg_keys; do
+ content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+ fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+ gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+ # /usr/share/doc/gnupg/DETAILS field 2
+ (echo "$content" | gpg --import-options show-only --import --with-colons |
+ grep -E '^pub:' |
+ cut -d':' -f2 |
+ grep -q '[fu]') && signed=yes || signed=no
+ if [ "$signed" = no -o "$imported" = no ] ; then
+ echo "The key for $key needs to be imported and signed (a local signature is enough)"
+ echo "$content" | gpg --import-options show-only --import
+ echo "Continue? [y/N]"
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ echo "$content" | gpg --import
+ gpg --expert --edit-key "$fpr" lsign quit
+ else
+ echo "Aborting"
+ exit 1
+ fi
+ fi
+done
+
+nix_group=$(stat -c %G /nix/store)
+if [ "$nix_group" = "nixbld" ]; then
+ nix_user="nixbld1"
+else
+ nix_user="$(stat -c %U /nix/store)"
+fi
+
if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
- cat <<EOF
-The key to access private git repositories (websites hosted by the
-server) needs to be accessible to nix builders. It will be put in
-/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
-> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
-> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
-> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
-> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
-Continue? [y/N]
-EOF
+ cat <<-EOF
+ The key to access private git repositories (websites hosted by the
+ server) needs to be accessible to nix builders. It will be put in
+ /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
+ > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+ > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+ > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
+ > sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+ Continue? [y/N]
+ EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
- if ! id -u nixbld1 2>/dev/null >/dev/null; then
- echo "User nixbld1 seems inexistant, did you install nix?"
+ if ! id -u $nix_user 2>/dev/null >/dev/null; then
+ echo "User $nix_user seems inexistant, did you install nix?"
exit 1
fi
mask=$(umask)
umask 0777
# Don’t forward it directly to tee, it would break ncurse pinentry
- key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
+ key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey)
echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
- pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
+ pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub)
echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
- sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+ sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
umask $mask
else
echo "Aborting"
fi
fi
+if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
+ cat <<-EOF
+ There are some impure derivations in the repo currently (grep __noChroot), please put
+ sandbox = "relaxed"
+ in /etc/nix/nix.conf
+ you may also want to add
+ keep-outputs = true
+ keep-derivations = true
+ to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
+ EOF
+ exit 1
+fi
+
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-nix_config="ssh-config-file=$(dirname $DIR)/ssh/config"
-if echo "$NIX_PATH" | grep -q "$nix_config"; then
- cat <<EOF
-All set up
-EOF
-else
-cat <<EOF
-All set up, please add
-ssh-config-file=$(dirname $DIR)/ssh/config
-to your NIX_PATH environment variable (colon-separated)
-EOF
+source $(dirname $(dirname $DIR))/nix_path_env
+nixops="$(nix-build --no-out-link "$(dirname $DIR)/custom_nixops.nix")/bin/nixops"
+export NIXOPS_STATE="$(dirname $DIR)/state/eldiron.nixops"
+export NIXOPS_DEPLOYMENT="$DeploymentUuid"
+
+if ! $nixops info 2>/dev/null >/dev/null; then
+ cat <<-EOF
+ Importing deployment file into nixops:
+ Continue? [y/N]
+ EOF
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment)
+ echo "$deployment" | $nixops import
+
+ $nixops modify "$(dirname $DIR)/eldiron.nix"
+ else
+ echo "Aborting"
+ exit 1
+ fi
fi
+
+cat <<-EOF
+ All set up.
+ Please make sure you’re using scripts/nixops_wrap when deploying
+ EOF