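#!/bin/bash
#
# Interactive first-time setup for the nixops deployment kept in this
# repository: verifies the nix installation, makes sure the GPG keys stored
# in the password store are imported and locally signed, and pulls the
# deployment file through the Makefile.
#
# Usage: nixops/scripts/setup   (run from anywhere; paths are derived below)

set -euo pipefail

# Directory holding the Makefile: the parent of the directory this script
# lives in.  Every command substitution is quoted so a checkout path that
# contains spaces survives word-splitting; the failure branch is explicit
# because `set -e` would otherwise abort here without a message.
MAKEFILE_DIR="$( cd "$( dirname "$( dirname "${BASH_SOURCE[0]}" )" )" >/dev/null 2>&1 && pwd )" \
  || { echo "Cannot locate the repository root from ${BASH_SOURCE[0]}" >&2; exit 1; }
readonly MAKEFILE_DIR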
6
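# Every later step shells out to nix, so stop early when it is missing.
# `command -v` is the portable builtin; `which` is an external program that
# is absent or behaves differently on some systems.  The hint goes to
# stderr because it is a diagnostic, not program output.
if ! command -v nix >/dev/null 2>&1; then
  cat >&2 <<'EOF'
nix is needed, please install it:
> curl https://nixos.org/nix/install | sh
(or any other way handled by your distribution)
EOF
  exit 1
fi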
15
# Only the default store location is supported; refuse anything else.
# NIX_STORE falls back to /nix/store when it is unset or empty.
if [[ "${NIX_STORE:-/nix/store}" != "/nix/store" ]]; then
  printf '%s\n' "Nix store outside of /nix/store is not supported"
  exit 1
fi
22
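#######################################
# Make sure every GPG public key stored under Nixops/GPGKeys in the
# password store is present in the local keyring with full/ultimate
# validity; prompt to import and locally sign each one that is not.
# Globals:   none written
# Arguments: none
# Outputs:   prompts on stdout, answers read from stdin
# Returns:   0 when all keys are usable; exits 1 when the user declines
#            an import or a key's fingerprint cannot be determined
#######################################
ensure_gpg_keys() {
  local listing key content colons fpr imported signed answer
  local -a keys=()

  # `pass ls` prints a tree; drop the heading line and keep the entry name.
  # Kept as a command substitution so a failing `pass` aborts under `set -e`
  # instead of silently yielding "no keys to check".
  listing=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
  [[ -n "$listing" ]] || return 0
  mapfile -t keys <<<"$listing"

  for key in "${keys[@]}"; do
    content=$(pass show "Nixops/GPGKeys/$key")

    # Parse the key once in machine-readable form; field layout is
    # documented in /usr/share/doc/gnupg/DETAILS.
    colons=$(printf '%s\n' "$content" | gpg --import-options show-only --import --with-colons)

    # Prefer the full primary fingerprint (fpr record, field 10) over the
    # 64-bit key ID (pub record, field 5) for later lookups: key IDs are
    # short enough that two keys can share one.  Fall back to the key ID
    # if this gpg does not emit fpr records in show-only mode.
    fpr=$(printf '%s\n' "$colons" | awk -F: '$1=="fpr"{print $10; exit}')
    if [[ -z "$fpr" ]]; then
      fpr=$(printf '%s\n' "$colons" | awk -F: '$1=="pub"{print $5; exit}')
    fi
    # An empty argument would make `gpg --list-key` match every key.
    if [[ -z "$fpr" ]]; then
      echo "Cannot determine the fingerprint of the key for $key" >&2
      exit 1
    fi

    if gpg --list-key "$fpr" >/dev/null 2>&1; then
      imported=yes
    else
      imported=no
    fi

    # /usr/share/doc/gnupg/DETAILS field 2: validity, 'f'ull or 'u'ltimate.
    if printf '%s\n' "$colons" | awk -F: '$1=="pub"{print $2}' | grep -q '[fu]'; then
      signed=yes
    else
      signed=no
    fi

    if [[ "$signed" == no || "$imported" == no ]]; then
      echo "The key for $key needs to be imported and signed (a local signature is enough)"
      printf '%s\n' "$content" | gpg --import-options show-only --import
      echo "Continue? [y/N]"
      read -r answer
      if [[ "$answer" == [yY] ]]; then
        printf '%s\n' "$content" | gpg --import
        gpg --expert --edit-key "$fpr" lsign quit
      else
        echo "Aborting"
        exit 1
      fi
    fi
  done
}
ensure_gpg_keys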
47
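# Advise on nix.conf tweaks when sandboxing is fully enabled.  The jq
# expression compares against the string "true": nix reports the sandbox
# setting as text ("true"/"false"/"relaxed"), not as a JSON boolean —
# NOTE(review): confirm against the `nix show-config --json` output of the
# nix version in use.
if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  cat <<'EOF'
There used to be some impure derivations (grep __noChroot), you may need
sandbox = "relaxed"
in /etc/nix/nix.conf
you may also want to add
keep-outputs = true
keep-derivations = true
to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
and
allow-import-from-derivation = false
as an attempt to avoid having build-time derivations (doesn’t work for all packages)
press key to continue
EOF
  # Pause until the user answers; the value itself is not used.  `-r`
  # keeps read from interpreting backslashes.
  read -r _
fi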
64
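# Register the deployment with nixops when the Makefile reports none is
# set.  Only the exit status of `deployment_is_set` matters here, so its
# output is discarded; MAKEFILE_DIR is quoted in case the path has spaces.
if ! make -C "$MAKEFILE_DIR" deployment_is_set >/dev/null 2>&1; then
  cat <<'EOF'
Importing deployment file into nixops:
Continue? [y/N]
EOF
  read -r answer
  if [[ "$answer" == [yY] ]]; then
    make -C "$MAKEFILE_DIR" pull_deployment
  else
    echo "Aborting"
    exit 1
  fi
fi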
78
# Closing message; points the user at the make targets for deployments.
printf '%s\n' \
  "All set up." \
  "Please make sure you’re using make commands when deploying"