[perso/Immae/Config/Nix.git] / nixops / scripts / setup

#!/bin/bash

set -euo pipefail

if ! which nix 2>/dev/null >/dev/null; then
  cat <<-EOF
	nix is needed, please install it:
	> curl https://nixos.org/nix/install | sh
	(or any other way handled by your distribution)
	EOF
  exit 1
fi

if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
  cat <<-EOF
	Nix store outside of /nix/store is not supported
	EOF
  exit 1
fi

gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
for key in $gpg_keys; do
  content=$(pass show Nixops/GPGKeys/$key)
  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
  # /usr/share/doc/gnupg/DETAILS field 2
  (echo "$content" | gpg --import-options show-only --import --with-colons |
      grep -E '^pub:' |
      cut -d':' -f2 |
      grep -q '[fu]') && signed=yes || signed=no
  if [ "$signed" = no -o "$imported" = no ] ; then
    echo "The key for $key needs to be imported and signed (a local signature is enough)"
    echo "$content" | gpg --import-options show-only --import
    echo "Continue? [y/N]"
    read y
    if [ "$y" = "y" -o "$y" = "Y" ]; then
      echo "$content" | gpg --import
      gpg --expert --edit-key "$fpr" lsign quit
    else
      echo "Aborting"
      exit 1
    fi
  fi
done

if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  cat <<-EOF
	There used to be some impure derivations (grep __noChroot), you may need
	  sandbox = "relaxed"
	in /etc/nix/nix.conf
	you may also want to add
	  keep-outputs = true
	  keep-derivations = true
	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
        and
	  allow-import-from-derivation = false
	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
	press key to continue
	EOF
  read y
fi

cat <<-EOF
	All set up.
	Please make sure you’re using make commands when deploying
	EOF
Commit	Line	Data
9f5da6d7 IB	1	#!/bin/bash
9f5da6d7 IB	2
d07d139a	3	set -euo pipefail
05ec8138	4
568d4240 IB	5	if ! which nix 2>/dev/null >/dev/null; then
	6	cat <<-EOF
	7	nix is needed, please install it:
	8	> curl https://nixos.org/nix/install \| sh
	9	(or any other way handled by your distribution)
	10	EOF
	11	exit 1
	12	fi
9f5da6d7	13
df6dc085 IB	14	if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
	15	cat <<-EOF
	16	Nix store outside of /nix/store is not supported
	17	EOF
	18	exit 1
	19	fi
	20
1052bfda	21	gpg_keys=$(pass ls Nixops/GPGKeys \| sed -e "1d" \| cut -d" " -f2)
d07d139a	22	for key in $gpg_keys; do
1052bfda	23	content=$(pass show Nixops/GPGKeys/$key)
d07d139a IB	24	fpr=$(echo "$content" \| gpg --import-options show-only --import --with-colons \| grep -e "^pub" \| cut -d':' -f5)
	25	gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes \|\| imported=no
	26	# /usr/share/doc/gnupg/DETAILS field 2
	27	(echo "$content" \| gpg --import-options show-only --import --with-colons \|
	28	grep -E '^pub:' \|
	29	cut -d':' -f2 \|
	30	grep -q '[fu]') && signed=yes \|\| signed=no
	31	if [ "$signed" = no -o "$imported" = no ] ; then
	32	echo "The key for $key needs to be imported and signed (a local signature is enough)"
	33	echo "$content" \| gpg --import-options show-only --import
	34	echo "Continue? [y/N]"
	35	read y
	36	if [ "$y" = "y" -o "$y" = "Y" ]; then
	37	echo "$content" \| gpg --import
	38	gpg --expert --edit-key "$fpr" lsign quit
	39	else
	40	echo "Aborting"
	41	exit 1
	42	fi
	43	fi
	44	done
	45
08822d6f IB	46	if nix show-config --json \| jq -e '.sandbox.value == "true"' >/dev/null; then
08822d6f IB	47	cat <<-EOF
e83ec961	48	There used to be some impure derivations (grep __noChroot), you may need
08822d6f IB	49	sandbox = "relaxed"
	50	in /etc/nix/nix.conf
	51	you may also want to add
	52	keep-outputs = true
	53	keep-derivations = true
	54	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
e83ec961 IB	55	and
	56	allow-import-from-derivation = false
	57	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
	58	press key to continue
08822d6f	59	EOF
e83ec961	60	read y
08822d6f IB	61	fi
08822d6f IB	62
568d4240 IB	63	cat <<-EOF
568d4240 IB	64	All set up.
4506dbe5	65	Please make sure you’re using make commands when deploying
568d4240	66	EOF