[perso/Immae/Config/Nix.git] / nixops / scripts / setup

#!/bin/bash

RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
NixChannelName='immaeNixpkgs'

if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
    -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
  cat <<-EOF
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
  exit 1
fi

if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
  cat <<-EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
Continue? [y/N]
EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
    pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
  else
    echo "Aborting"
    exit 1
  fi
fi

if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
  cat <<EOF
The key to access private git repositories (websites hosted by the
server) needs to be accessible to nix builders. It will be put in
/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
Continue? [y/N]
EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    if ! id -u nixbld1 2>/dev/null >/dev/null; then
      echo "User nixbld1 seems inexistant, did you install nix?"
      exit 1
    fi
    mask=$(umask)
    umask 0777
    # Don’t forward it directly to tee, it would break ncurse pinentry
    key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
    echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
    sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
    pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
    echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
    sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
    sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
    umask $mask
  else
    echo "Aborting"
    exit 1
  fi
fi

if ! nix-channel --list | grep -q "$NixChannelName $NixChannelUrl"; then
cat <<EOF
A new nix channel will be installed (or upgraded) to freeze the packages
version:
$NixChannelName $NixChannelUrl
> nix-channel --add $NixChannelUrl $NixChannelName
> nix-channel --update
If this step fail, you may have to disable sandboxing in
/etc/nix/nix.conf and rerun
> nix-channel --update
manually.
Continue? [y/N]
EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    nix-channel --add $NixChannelUrl $NixChannelName
    nix-channel --update
  fi
fi

cat <<EOF
All set up.
Please make sure you’re using scripts/nixops_wrap when deploying
EOF
Commit	Line	Data
9f5da6d7 IB	1	#!/bin/bash
	2
	3	RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
34c58714 IB	4	NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
34c58714 IB	5	NixChannelName='immaeNixpkgs'
9f5da6d7 IB	6
	7	if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
	8	-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
	9	cat <<-EOF
	10	Two environment variables are needed to setup the password store:
	11	NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
	12	NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
	13	EOF
	14	exit 1
	15	fi
	16
	17	if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
	18	cat <<-EOF
	19	/!\ This will modify your password store to add and import a subtree
	20	with the specific passwords files. Choose a path that doesn’t exist
	21	yet in your password store.
	22	> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
	23	> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
	24	Later, you can use pull_environment and push_environment scripts to
	25	update the passwords when needed
	26	Continue? [y/N]
	27	EOF
	28	read y
	29	if [ "$y" = "y" -o "$y" = "Y" ]; then
	30	pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
	31	pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
	32	else
	33	echo "Aborting"
	34	exit 1
	35	fi
	36	fi
	37
	38	if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
	39	cat <<EOF
	40	The key to access private git repositories (websites hosted by the
	41	server) needs to be accessible to nix builders. It will be put in
	42	/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
	43	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey \| sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
	44	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub \| sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
	45	> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
	46	> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
	47	Continue? [y/N]
	48	EOF
	49	read y
	50	if [ "$y" = "y" -o "$y" = "Y" ]; then
	51	if ! id -u nixbld1 2>/dev/null >/dev/null; then
	52	echo "User nixbld1 seems inexistant, did you install nix?"
	53	exit 1
	54	fi
	55	mask=$(umask)
	56	umask 0777
	57	# Don’t forward it directly to tee, it would break ncurse pinentry
	58	key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
	59	echo "$key" \| sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
	60	sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
	61	pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
	62	echo "$pubkey" \| sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
	63	sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
	64	sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
	65	umask $mask
	66	else
	67	echo "Aborting"
	68	exit 1
	69	fi
70	fi
71
34c58714	72	if ! nix-channel --list \| grep -q "$NixChannelName $NixChannelUrl"; then
9f5da6d7	73	cat <<EOF
34c58714 IB	74	A new nix channel will be installed (or upgraded) to freeze the packages
	75	version:
	76	$NixChannelName $NixChannelUrl
	77	> nix-channel --add $NixChannelUrl $NixChannelName
	78	> nix-channel --update
	79	If this step fail, you may have to disable sandboxing in
	80	/etc/nix/nix.conf and rerun
	81	> nix-channel --update
	82	manually.
	83	Continue? [y/N]
9f5da6d7	84	EOF
34c58714 IB	85	read y
	86	if [ "$y" = "y" -o "$y" = "Y" ]; then
	87	nix-channel --add $NixChannelUrl $NixChannelName
	88	nix-channel --update
	89	fi
9f5da6d7	90	fi
34c58714 IB	91
	92	cat <<EOF
	93	All set up.
	94	Please make sure you’re using scripts/nixops_wrap when deploying
	95	EOF