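#!/bin/bash
#
# Bootstrap a local nixops environment for this repository: checks that nix
# is available, imports the shared password-store subtree and the GPG keys
# it references, installs the deploy SSH key for the nix builder, then
# registers the deployment in nixops.
#
# Required environment variables (checked below):
#   NIXOPS_CONFIG_PASS_SUBTREE_PATH    path inside the password store where
#                                      the shared subtree is imported
#   NIXOPS_CONFIG_PASS_SUBTREE_REMOTE  git remote name for the subtree repo

set -euo pipefail

# Git remote holding the shared password-store subtree.
readonly RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
# Identifier of the nixops deployment, exported as NIXOPS_DEPLOYMENT later on.
readonly DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
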
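# nix is the hard requirement for everything that follows.
# `command -v` is the portable builtin; `which` is an external tool that is
# not guaranteed to exist or to report failure consistently.
if ! command -v nix >/dev/null 2>&1; then
  cat <<'EOF'
nix is needed, please install it:
> curl https://nixos.org/nix/install | sh
(or any other way handled by your distribution)
EOF
  exit 1
fi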

# The builder user lookup and the key installation below hard-code
# /nix/store, so a relocated store is refused up front.
if [[ "${NIX_STORE:-/nix/store}" != "/nix/store" ]]; then
  cat <<'EOF'
Nix store outside of /nix/store is not supported
EOF
  exit 1
fi

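# Under `set -u` a bare "$VAR" aborts with bash's own "unbound variable"
# error when the variable is unset, so the usage text below was never
# reached in that case; "${VAR:-}" makes the check itself safe.
if [[ -z "${NIXOPS_CONFIG_PASS_SUBTREE_REMOTE:-}" || -z "${NIXOPS_CONFIG_PASS_SUBTREE_PATH:-}" ]]; then
  cat <<'EOF'
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
  exit 1
fi
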
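# Import the shared subtree into the password store unless the target path
# is already present (the `pass <path>` probe fails for an unknown entry or
# directory). The user confirms first because this rewrites store history.
if ! pass "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" >/dev/null 2>&1; then
  cat <<EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
Continue? [y/N]
EOF
  # -r keeps backslashes literal; EOF on stdin makes read fail and, with
  # set -e, abort the script.
  read -r y
  if [[ "$y" == [yY] ]]; then
    # Quoted so a remote name or path containing spaces is passed as one
    # argument instead of being word-split.
    pass git remote add "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" "$RemoteRepo"
    pass git subtree add --prefix="$NIXOPS_CONFIG_PASS_SUBTREE_PATH" "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" master
  else
    echo "Aborting"
    exit 1
  fi
fi
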
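# Every entry under <subtree>/Nixops/GPGKeys is an exported public key that
# must be in the local keyring and carry a (local) signature.
# Entries are enumerated from the store directory itself — pass keeps each
# entry as <prefix>/<path>.gpg — instead of parsing the `pass ls` tree
# output, which breaks on names containing spaces or on tree colouring.
gpg_key_dir="${PASSWORD_STORE_DIR:-$HOME/.password-store}/$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys"
if [[ ! -d "$gpg_key_dir" ]]; then
  echo "No GPG key directory at $gpg_key_dir, is the subtree imported?" >&2
  exit 1
fi
for key_file in "$gpg_key_dir"/*.gpg; do
  [[ -e "$key_file" ]] || continue   # empty directory: unmatched glob stays literal
  key=${key_file##*/}
  key=${key%.gpg}
  content=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key")
  # Parse the key once in machine-readable form; the record and field
  # layout is documented in /usr/share/doc/gnupg/DETAILS.
  colons=$(gpg --import-options show-only --import --with-colons <<<"$content")
  # Select the key by its full fingerprint ("fpr" record, field 10) rather
  # than by the 64-bit key id ("pub" record, field 5): key ids are not
  # unique and must not be used to pick the key that gets signed. The key
  # id is kept only as a fallback for a gpg that prints no fpr record.
  fpr=$(awk -F: '$1 == "fpr" { print $10; exit }' <<<"$colons")
  [[ -n "$fpr" ]] || fpr=$(awk -F: '$1 == "pub" { print $5; exit }' <<<"$colons")
  if [[ -z "$fpr" ]]; then
    # An empty selector would make `gpg --list-key` list every key and
    # report the key as imported.
    echo "Could not determine the fingerprint of the key for $key" >&2
    exit 1
  fi
  if gpg --list-key "$fpr" >/dev/null 2>&1; then
    imported=yes
  else
    imported=no
  fi
  # Field 2 of the "pub" record is the computed validity; "f" (full) or
  # "u" (ultimate) means the key is signed by a trusted key.
  # NOTE(review): this reads validity from the show-only listing, as the
  # original did — confirm it reflects the local trustdb on your gpg version.
  validity=$(awk -F: '$1 == "pub" { print $2; exit }' <<<"$colons")
  if [[ "$validity" == *[fu]* ]]; then
    signed=yes
  else
    signed=no
  fi
  if [[ "$signed" == no || "$imported" == no ]]; then
    echo "The key for $key needs to be imported and signed (a local signature is enough)"
    gpg --import-options show-only --import <<<"$content"
    echo "Continue? [y/N]"
    read -r y
    if [[ "$y" == [yY] ]]; then
      gpg --import <<<"$content"
      # Interactive: lsign adds a non-exportable signature with the
      # default key, then quit saves.
      gpg --expert --edit-key "$fpr" lsign quit
    else
      echo "Aborting"
      exit 1
    fi
  fi
done
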
# Pick the builder account that will own the deploy key: the first build
# user when the store belongs to the nixbld group, the store owner
# otherwise. (`stat -c` is the GNU coreutils form.)
nix_group=$(stat -c %G /nix/store)
if [[ "$nix_group" == "nixbld" ]]; then
  nix_user="nixbld1"
else
  nix_user=$(stat -c %U /nix/store)
fi

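# The deploy key for private git repositories must be readable by the nix
# builder, so it is installed system-wide (needs sudo). Skipped when the
# private key file is already there.
if [[ ! -f /etc/ssh/ssh_rsa_key_nixops ]]; then
  cat <<EOF
The key to access private git repositories (websites hosted by the
server) needs to be accessible to nix builders. It will be put in
/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
> sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
Continue? [y/N]
EOF
  read -r y
  if [[ "$y" == [yY] ]]; then
    if ! id -u "$nix_user" >/dev/null 2>&1; then
      echo "User $nix_user seems inexistant, did you install nix?"
      exit 1
    fi
    # Don’t forward it directly to tee, it would break ncurse pinentry.
    # Both secrets are read before the umask is changed so that pass/gpg
    # run with the user's normal umask.
    key=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey")
    pubkey=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub")
    # umask 0777 makes tee create the files with no permission bits at all,
    # so the private key is never readable by others, not even between tee
    # and chmod. NOTE(review): relies on sudo passing the caller's umask
    # through to tee (the usual sudoers default) — confirm on this host.
    mask=$(umask)
    umask 0777
    printf '%s\n' "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops >/dev/null
    # Same mode as announced above (owner read-only).
    sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
    printf '%s\n' "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub >/dev/null
    sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
    sudo chown "$nix_user:$nix_group" /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
    # A failure above exits the script (set -e), so the umask only needs
    # restoring on the success path.
    umask "$mask"
  else
    echo "Aborting"
    exit 1
  fi
fi
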
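# Some derivations are impure (__noChroot) and only build with a relaxed
# sandbox, so refuse to go on while the sandbox is fully enabled.
# jq is required for the check: without it the pipeline in the `if` fails
# and the check would be skipped silently instead of enforced.
if ! command -v jq >/dev/null 2>&1; then
  echo "jq is needed to inspect the nix configuration, please install it" >&2
  exit 1
fi
if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  cat <<'EOF'
There are some impure derivations in the repo currently (grep __noChroot), please put
sandbox = "relaxed"
in /etc/nix/nix.conf
you may also want to add
keep-outputs = true
keep-derivations = true
to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
EOF
  exit 1
fi
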
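# nixops itself is installed on demand into the user profile, after
# confirmation.
if ! command -v nixops >/dev/null 2>&1; then
  cat <<EOF
nixops is needed:
> nix-env -i nixops
If it fails, please check that $HOME/.nix-profile/bin is in your PATH.
Continue? [y/N]
EOF
  read -r y
  if [[ "$y" == [yY] ]]; then
    nix-env -i nixops
    # `command -v` only searches PATH, so a profile bin directory that is
    # not on PATH shows up here as a failed install (hence the hint).
    if ! command -v nixops >/dev/null 2>&1; then
      echo "Installation failed, please check that $HOME/.nix-profile/bin is in your path."
      exit 1
    fi
  else
    echo "Aborting"
    exit 1
  fi
fi
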
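# Absolute directory of this script; the nixops state file and the
# deployment expression live one level up.
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
# Assigned before export so a failing command substitution is not masked
# by `export` always succeeding; "$DIR" is quoted against spaces in the path.
NIXOPS_STATE="$(dirname "$DIR")/state/eldiron.nixops"
export NIXOPS_STATE
export NIXOPS_DEPLOYMENT="$DeploymentUuid"
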
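# Register the deployment (NIXOPS_DEPLOYMENT / NIXOPS_STATE from above) in
# nixops unless it is already known there.
if ! nixops info >/dev/null 2>&1; then
  cat <<'EOF'
Importing deployment file into nixops:
Continue? [y/N]
EOF
  read -r y
  if [[ "$y" == [yY] ]]; then
    # Same pattern as for the ssh key: read the secret into a variable
    # rather than piping pass straight into nixops, which can interfere
    # with an interactive pinentry.
    deployment=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment")
    printf '%s\n' "$deployment" | nixops import

    nixops modify "$(dirname "$DIR")/eldiron.nix"
  else
    echo "Aborting"
    exit 1
  fi
fi
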
# Final reminder; nothing in the text is expanded, hence the quoted delimiter.
cat <<'EOF'
All set up.
Please make sure you’re using scripts/nixops_wrap when deploying
EOF