[perso/Immae/Config/Nix.git] / nixops / scripts / setup

#!/bin/bash

set -euo pipefail

MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"

if ! which nix 2>/dev/null >/dev/null; then
  cat <<-EOF
	nix is needed, please install it:
	> curl https://nixos.org/nix/install | sh
	(or any other way handled by your distribution)
	EOF
  exit 1
fi

if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
  cat <<-EOF
	Nix store outside of /nix/store is not supported
	EOF
  exit 1
fi

gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
for key in $gpg_keys; do
  content=$(pass show Nixops/GPGKeys/$key)
  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
  # /usr/share/doc/gnupg/DETAILS field 2
  (echo "$content" | gpg --import-options show-only --import --with-colons |
      grep -E '^pub:' |
      cut -d':' -f2 |
      grep -q '[fu]') && signed=yes || signed=no
  if [ "$signed" = no -o "$imported" = no ] ; then
    echo "The key for $key needs to be imported and signed (a local signature is enough)"
    echo "$content" | gpg --import-options show-only --import
    echo "Continue? [y/N]"
    read y
    if [ "$y" = "y" -o "$y" = "Y" ]; then
      echo "$content" | gpg --import
      gpg --expert --edit-key "$fpr" lsign quit
    else
      echo "Aborting"
      exit 1
    fi
  fi
done

if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  cat <<-EOF
	There used to be some impure derivations (grep __noChroot), you may need
	  sandbox = "relaxed"
	in /etc/nix/nix.conf
	you may also want to add
	  keep-outputs = true
	  keep-derivations = true
	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
        and
	  allow-import-from-derivation = false
	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
	press key to continue
	EOF
  read y
fi

if ! make -C $MAKEFILE_DIR deployment_is_set 2>/dev/null >/dev/null; then
  cat <<-EOF
	Importing deployment file into nixops:
	Continue? [y/N]
	EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    make -C $MAKEFILE_DIR pull_deployment
  else
    echo "Aborting"
    exit 1
  fi
fi

cat <<-EOF
	All set up.
	Please make sure you’re using make commands when deploying
	EOF
Commit	Line	Data
9f5da6d7 IB	1	#!/bin/bash
9f5da6d7 IB	2
d07d139a	3	set -euo pipefail
05ec8138	4
4506dbe5	5	MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"
568d4240 IB	6
	7	if ! which nix 2>/dev/null >/dev/null; then
	8	cat <<-EOF
	9	nix is needed, please install it:
	10	> curl https://nixos.org/nix/install \| sh
	11	(or any other way handled by your distribution)
	12	EOF
	13	exit 1
	14	fi
9f5da6d7	15
df6dc085 IB	16	if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
	17	cat <<-EOF
	18	Nix store outside of /nix/store is not supported
	19	EOF
	20	exit 1
	21	fi
	22
1052bfda	23	gpg_keys=$(pass ls Nixops/GPGKeys \| sed -e "1d" \| cut -d" " -f2)
d07d139a	24	for key in $gpg_keys; do
1052bfda	25	content=$(pass show Nixops/GPGKeys/$key)
d07d139a IB	26	fpr=$(echo "$content" \| gpg --import-options show-only --import --with-colons \| grep -e "^pub" \| cut -d':' -f5)
	27	gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes \|\| imported=no
	28	# /usr/share/doc/gnupg/DETAILS field 2
	29	(echo "$content" \| gpg --import-options show-only --import --with-colons \|
	30	grep -E '^pub:' \|
	31	cut -d':' -f2 \|
	32	grep -q '[fu]') && signed=yes \|\| signed=no
	33	if [ "$signed" = no -o "$imported" = no ] ; then
	34	echo "The key for $key needs to be imported and signed (a local signature is enough)"
	35	echo "$content" \| gpg --import-options show-only --import
	36	echo "Continue? [y/N]"
	37	read y
	38	if [ "$y" = "y" -o "$y" = "Y" ]; then
	39	echo "$content" \| gpg --import
	40	gpg --expert --edit-key "$fpr" lsign quit
	41	else
	42	echo "Aborting"
	43	exit 1
	44	fi
	45	fi
	46	done
	47
08822d6f IB	48	if nix show-config --json \| jq -e '.sandbox.value == "true"' >/dev/null; then
08822d6f IB	49	cat <<-EOF
e83ec961	50	There used to be some impure derivations (grep __noChroot), you may need
08822d6f IB	51	sandbox = "relaxed"
	52	in /etc/nix/nix.conf
	53	you may also want to add
	54	keep-outputs = true
	55	keep-derivations = true
	56	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
e83ec961 IB	57	and
	58	allow-import-from-derivation = false
	59	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
	60	press key to continue
08822d6f	61	EOF
e83ec961	62	read y
08822d6f IB	63	fi
08822d6f IB	64
4506dbe5	65	if ! make -C $MAKEFILE_DIR deployment_is_set 2>/dev/null >/dev/null; then
568d4240 IB	66	cat <<-EOF
	67	Importing deployment file into nixops:
	68	Continue? [y/N]
	69	EOF
	70	read y
	71	if [ "$y" = "y" -o "$y" = "Y" ]; then
4506dbe5	72	make -C $MAKEFILE_DIR pull_deployment
568d4240 IB	73	else
	74	echo "Aborting"
	75	exit 1
34c58714	76	fi
9f5da6d7	77	fi
34c58714	78
568d4240 IB	79	cat <<-EOF
568d4240 IB	80	All set up.
4506dbe5	81	Please make sure you’re using make commands when deploying
568d4240	82	EOF