X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fscripts%2Fsetup;h=55dd9d99d883dc5935a15b7c8a0d6da86e032755;hb=11234d0798eeb56b2a09bfc66925e782ace465e3;hp=ff20fc91df48c16d166affd44e9eadf99ad47c77;hpb=9f5da6d7e9dbde93330f8c69ccdee9fac643696e;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/nixops/scripts/setup b/nixops/scripts/setup index ff20fc9..55dd9d9 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup @@ -1,28 +1,47 @@ #!/bin/bash -RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul" +set -euo pipefail + +RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" +DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" + +if ! which nix 2>/dev/null >/dev/null; then + cat <<-EOF + nix is needed, please install it: + > curl https://nixos.org/nix/install | sh + (or any other way handled by your distribution) + EOF + exit 1 +fi + +if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then + cat <<-EOF + Nix store outside of /nix/store is not supported + EOF + exit 1 +fi if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \ -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then cat <<-EOF -Two environment variables are needed to setup the password store: -NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported -NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository -EOF + Two environment variables are needed to setup the password store: + NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported + NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository + EOF exit 1 fi if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then cat <<-EOF -/!\ This will modify your password store to add and import a subtree -with the specific passwords files. Choose a path that doesn’t exist -yet in your password store. -> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo -> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master -Later, you can use pull_environment and push_environment scripts to -update the passwords when needed -Continue? [y/N] -EOF + /!\ This will modify your password store to add and import a subtree + with the specific passwords files. Choose a path that doesn’t exist + yet in your password store. + > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo + > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master + Later, you can use pull_environment and push_environment scripts to + update the passwords when needed + Continue? [y/N] + EOF read y if [ "$y" = "y" -o "$y" = "Y" ]; then pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo @@ -33,33 +52,68 @@ EOF fi fi +# Repull it before using it, just in case +pass git subtree pull --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master + +gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) +for key in $gpg_keys; do + content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) + fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) + gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no + # /usr/share/doc/gnupg/DETAILS field 2 + (echo "$content" | gpg --import-options show-only --import --with-colons | + grep -E '^pub:' | + cut -d':' -f2 | + grep -q '[fu]') && signed=yes || signed=no + if [ "$signed" = no -o "$imported" = no ] ; then + echo "The key for $key needs to be imported and signed (a local signature is enough)" + echo "$content" | gpg --import-options show-only --import + echo "Continue? [y/N]" + read y + if [ "$y" = "y" -o "$y" = "Y" ]; then + echo "$content" | gpg --import + gpg --expert --edit-key "$fpr" lsign quit + else + echo "Aborting" + exit 1 + fi + fi +done + +nix_group=$(stat -c %G /nix/store) +if [ "$nix_group" = "nixbld" ]; then + nix_user="nixbld1" +else + nix_user="$(stat -c %U /nix/store)" +fi + if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then - cat < pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null -> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null -> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops -> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub -Continue? [y/N] -EOF + cat <<-EOF + The key to access private git repositories (websites hosted by the + server) needs to be accessible to nix builders. It will be put in + /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that) + > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null + > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null + > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops + > sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub + Continue? [y/N] + EOF read y if [ "$y" = "y" -o "$y" = "Y" ]; then - if ! id -u nixbld1 2>/dev/null >/dev/null; then - echo "User nixbld1 seems inexistant, did you install nix?" + if ! id -u $nix_user 2>/dev/null >/dev/null; then + echo "User $nix_user seems inexistant, did you install nix?" exit 1 fi mask=$(umask) umask 0777 # Don’t forward it directly to tee, it would break ncurse pinentry - key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey) + key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey) echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops - pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub) + pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub) echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub - sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub + sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub umask $mask else echo "Aborting" @@ -67,16 +121,43 @@ EOF fi fi +if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then + cat <<-EOF + There are some impure derivations in the repo currently (grep __noChroot), please put + sandbox = "relaxed" + in /etc/nix/nix.conf + you may also want to add + keep-outputs = true + keep-derivations = true + to prevent garbage collector from deleting build dependencies (they take a lot of time to build) + EOF + exit 1 +fi + DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -nix_config="ssh-config-file=$(dirname $DIR)/ssh/config" -if echo "$NIX_PATH" | grep -q "$nix_config"; then - cat </dev/null >/dev/null; then + cat <<-EOF + Importing deployment file into nixops: + Continue? [y/N] + EOF + read y + if [ "$y" = "y" -o "$y" = "Y" ]; then + deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment) + echo "$deployment" | $nixops import + + $nixops modify "$(dirname $DIR)/eldiron.nix" + else + echo "Aborting" + exit 1 + fi fi + +cat <<-EOF + All set up. + Please make sure you’re using scripts/nixops_wrap when deploying + EOF