projects / perso / Immae / Config / Nix.git / blame
| Commit | Line | Data |
|---|---|---|
| 9f5da6d7 IB |
1 | #!/bin/bash |
| 2 | ||
| d07d139a | 3 | set -euo pipefail |
| 05ec8138 | 4 | |
| bcd108fe | 5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" |
| 568d4240 IB |
6 | DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" |
| 7 | ||
| 8 | if ! which nix 2>/dev/null >/dev/null; then | |
| 9 | cat <<-EOF | |
| 10 | nix is needed, please install it: | |
| 11 | > curl https://nixos.org/nix/install | sh | |
| 12 | (or any other way handled by your distribution) | |
| 13 | EOF | |
| 14 | exit 1 | |
| 15 | fi | |
| 9f5da6d7 | 16 | |
| df6dc085 IB |
17 | if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then |
| 18 | cat <<-EOF | |
| 19 | Nix store outside of /nix/store is not supported | |
| 20 | EOF | |
| 21 | exit 1 | |
| 22 | fi | |
| 23 | ||
| 9f5da6d7 IB |
24 | if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \ |
| 25 | -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then | |
| 26 | cat <<-EOF | |
| 568d4240 IB |
27 | Two environment variables are needed to setup the password store: |
| 28 | NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported | |
| 29 | NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository | |
| 30 | EOF | |
| 9f5da6d7 IB |
31 | exit 1 |
| 32 | fi | |
| 33 | ||
| 34 | if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then | |
| 35 | cat <<-EOF | |
| 568d4240 IB |
36 | /!\ This will modify your password store to add and import a subtree |
| 37 | with the specific passwords files. Choose a path that doesn’t exist | |
| 38 | yet in your password store. | |
| 39 | > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo | |
| 40 | > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master | |
| 41 | Later, you can use pull_environment and push_environment scripts to | |
| 42 | update the passwords when needed | |
| 43 | Continue? [y/N] | |
| 44 | EOF | |
| 9f5da6d7 IB |
45 | read y |
| 46 | if [ "$y" = "y" -o "$y" = "Y" ]; then | |
| 47 | pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo | |
| 48 | pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master | |
| 49 | else | |
| 50 | echo "Aborting" | |
| 51 | exit 1 | |
| 52 | fi | |
| 53 | fi | |
| 54 | ||
| d07d139a IB |
55 | gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) |
| 56 | for key in $gpg_keys; do | |
| 57 | content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) | |
| 58 | fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) | |
| 59 | gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no | |
| 60 | # /usr/share/doc/gnupg/DETAILS field 2 | |
| 61 | (echo "$content" | gpg --import-options show-only --import --with-colons | | |
| 62 | grep -E '^pub:' | | |
| 63 | cut -d':' -f2 | | |
| 64 | grep -q '[fu]') && signed=yes || signed=no | |
| 65 | if [ "$signed" = no -o "$imported" = no ] ; then | |
| 66 | echo "The key for $key needs to be imported and signed (a local signature is enough)" | |
| 67 | echo "$content" | gpg --import-options show-only --import | |
| 68 | echo "Continue? [y/N]" | |
| 69 | read y | |
| 70 | if [ "$y" = "y" -o "$y" = "Y" ]; then | |
| 71 | echo "$content" | gpg --import | |
| 72 | gpg --expert --edit-key "$fpr" lsign quit | |
| 73 | else | |
| 74 | echo "Aborting" | |
| 75 | exit 1 | |
| 76 | fi | |
| 77 | fi | |
| 78 | done | |
| 79 | ||
| df6dc085 IB |
80 | nix_group=$(stat -c %G /nix/store) |
| 81 | if [ "$nix_group" = "nixbld" ]; then | |
| 82 | nix_user="nixbld1" | |
| 83 | else | |
| 84 | nix_user="$(stat -c %U /nix/store)" | |
| 85 | fi | |
| 86 | ||
| 9f5da6d7 | 87 | if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then |
| 568d4240 IB |
88 | cat <<-EOF |
| 89 | The key to access private git repositories (websites hosted by the | |
| 90 | server) needs to be accessible to nix builders. It will be put in | |
| 91 | /etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that) | |
| 9690acd9 IB |
92 | > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null |
| 93 | > pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null | |
| 568d4240 | 94 | > sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops |
| df6dc085 | 95 | > sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub |
| 568d4240 IB |
96 | Continue? [y/N] |
| 97 | EOF | |
| 9f5da6d7 IB |
98 | read y |
| 99 | if [ "$y" = "y" -o "$y" = "Y" ]; then | |
| df6dc085 IB |
100 | if ! id -u $nix_user 2>/dev/null >/dev/null; then |
| 101 | echo "User $nix_user seems inexistant, did you install nix?" | |
| 9f5da6d7 IB |
102 | exit 1 |
| 103 | fi | |
| 104 | mask=$(umask) | |
| 105 | umask 0777 | |
| 106 | # Don’t forward it directly to tee, it would break ncurse pinentry | |
| 9690acd9 | 107 | key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey) |
| 9f5da6d7 IB |
108 | echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null |
| 109 | sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops | |
| 9690acd9 | 110 | pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub) |
| 9f5da6d7 IB |
111 | echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null |
| 112 | sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub | |
| df6dc085 | 113 | sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub |
| 9f5da6d7 IB |
114 | umask $mask |
| 115 | else | |
| 116 | echo "Aborting" | |
| 117 | exit 1 | |
| 118 | fi | |
| 119 | fi | |
| 120 | ||
| 08822d6f IB |
121 | if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then |
| 122 | cat <<-EOF | |
| 123 | There are some impure derivations in the repo currently (grep __noChroot), please put | |
| 124 | sandbox = "relaxed" | |
| 125 | in /etc/nix/nix.conf | |
| 126 | you may also want to add | |
| 127 | keep-outputs = true | |
| 128 | keep-derivations = true | |
| 129 | to prevent garbage collector from deleting build dependencies (they take a lot of time to build) | |
| 130 | EOF | |
| 131 | exit 1 | |
| 132 | fi | |
| 133 | ||
| 568d4240 IB |
134 | if ! which nixops 2>/dev/null >/dev/null; then |
| 135 | cat <<-EOF | |
| 136 | nixops is needed: | |
| 137 | > nix-env -i nixops | |
| 138 | If it fails, please check that $HOME/.nix-profile/bin is in your PATH. | |
| 139 | Continue? [y/N] | |
| 140 | EOF | |
| 141 | read y | |
| 142 | if [ "$y" = "y" -o "$y" = "Y" ]; then | |
| 143 | nix-env -i nixops | |
| 144 | if ! which nixops 2>/dev/null >/dev/null; then | |
| 145 | echo "Installation failed, please check that $HOME/.nix-profile/bin is in your path." | |
| 146 | exit 1 | |
| 147 | fi | |
| 148 | else | |
| 149 | echo "Aborting" | |
| 150 | exit 1 | |
| 151 | fi | |
| 152 | fi | |
| 153 | ||
| 154 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" | |
| 155 | export NIXOPS_STATE="$(dirname $DIR)/state/eldiron.nixops" | |
| 156 | export NIXOPS_DEPLOYMENT="$DeploymentUuid" | |
| 157 | ||
| 158 | if ! nixops info 2>/dev/null >/dev/null; then | |
| 159 | cat <<-EOF | |
| 160 | Importing deployment file into nixops: | |
| 161 | Continue? [y/N] | |
| 162 | EOF | |
| 163 | read y | |
| 164 | if [ "$y" = "y" -o "$y" = "Y" ]; then | |
| 9690acd9 | 165 | deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment) |
| 568d4240 IB |
166 | echo "$deployment" | nixops import |
| 167 | ||
| 168 | nixops modify "$(dirname $DIR)/eldiron.nix" | |
| 169 | else | |
| 170 | echo "Aborting" | |
| 171 | exit 1 | |
| 34c58714 | 172 | fi |
| 9f5da6d7 | 173 | fi |
| 34c58714 | 174 | |
| 568d4240 IB |
175 | cat <<-EOF |
| 176 | All set up. | |
| 177 | Please make sure you’re using scripts/nixops_wrap when deploying | |
| 178 | EOF |