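#!/usr/bin/env bash
#
# Setup checks for this repository: each section verifies one prerequisite
# and stops with a message when it is not met.

# Abort on a failing command, on use of an unset variable, and on a failure
# in any stage of a pipeline.
set -euo pipefail

# `command -v` is a shell builtin, so the probe does not depend on an external
# `which` binary being installed.
if ! command -v nix >/dev/null 2>&1; then
  # NOTE(review): the one-liner printed below runs a downloaded script without
  # any integrity check; the distribution-package route named in the same
  # message avoids that.
  printf '%s\n' \
    'nix is needed, please install it:' \
    '> curl https://nixos.org/nix/install | sh' \
    '(or any other way handled by your distribution)'
  exit 1
fi
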
# Only the default store location is supported; an unset or empty NIX_STORE
# counts as the default.
case "${NIX_STORE:-/nix/store}" in
  /nix/store) ;;
  *)
    printf '%s\n' 'Nix store outside of /nix/store is not supported'
    exit 1
    ;;
esac

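# direnv must be on PATH. `command -v` is a shell builtin, so the probe does
# not depend on an external `which` binary being installed.
if ! command -v direnv >/dev/null 2>&1; then
  printf '%s\n' 'direnv is needed, please install it'
  exit 1
fi
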
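# NIXOPS_ENV_LOADED is presumably exported by the repository's direnv
# configuration (not visible here). The `:-` default keeps `set -u` from
# aborting with "unbound variable" when the marker is absent, so the
# explanatory message below is what the operator actually sees.
if [[ -z "${NIXOPS_ENV_LOADED:-}" ]]; then
  printf '%s\n' 'direnv environment needs to be loaded'
  exit 1
fi
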
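# Offer to wire the repository's .gitconfig into the local git configuration.
# NOTE(review): an included git config file can define aliases, a hooks path,
# filters and diff drivers, all of which can run commands, so ../.gitconfig
# deserves a read before answering "y".
if [[ "$(git config --get include.path)" != "../.gitconfig" ]]; then
  printf '%s\n' \
    'it is recommended to include the .gitconfig file into (local) git configuration:' \
    "git config --local include.path '../.gitconfig'" \
    'Run this command? [y/N]'
  # -r keeps backslashes literal. A closed stdin is treated as the advertised
  # default "N" instead of silently aborting the script through `set -e`.
  answer=
  read -r answer || answer=
  if [[ "$answer" == "y" || "$answer" == "Y" ]]; then
    git config --local include.path '../.gitconfig'
  fi
fi
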
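# Make sure every public key stored under Nixops/GPGKeys in the password store
# is present in the local GnuPG keyring and is considered valid there.
#
# Entry names are scraped from the tree printed by `pass ls`: the first line
# is dropped and the second space-separated field of each remaining line is
# taken as the name.
gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
# Splitting the list into words is intended here.
# shellcheck disable=SC2086
for key in $gpg_keys; do
  content=$(pass show "Nixops/GPGKeys/$key")

  # Parse the key material once, without touching the keyring (show-only).
  listing=$(printf '%s\n' "$content" |
    gpg --with-colons --with-fingerprint --import-options show-only --import)

  # Refuse entries that do not hold exactly one primary key: the prompt below
  # imports everything in the entry but signs a single key, so anything else
  # would import material that was never individually confirmed.
  pub_count=$(awk -F: '$1 == "pub" { n++ } END { print n + 0 }' <<<"$listing")

  # Select the key by its full fingerprint (field 10 of the first "fpr"
  # record, which belongs to the primary key). Field 5 of the "pub" record is
  # only the 64-bit key ID, which is a weaker selector for a key that is about
  # to be certified.
  fpr=$(awk -F: '$1 == "fpr" { print $10; exit }' <<<"$listing")

  if [[ "$pub_count" != 1 || -z "$fpr" ]]; then
    printf '%s\n' "Nixops/GPGKeys/$key: expected exactly one public key" >&2
    exit 1
  fi

  if gpg --list-keys "$fpr" >/dev/null 2>&1; then
    imported=yes
  else
    imported=no
  fi

  # /usr/share/doc/gnupg/DETAILS field 2: validity of the key; "f" (full) and
  # "u" (ultimate) are accepted. awk reads the whole listing, so no pipeline
  # stage can be cut short and trip pipefail.
  if awk -F: '$1 == "pub" && $2 ~ /[fu]/ { ok = 1 } END { exit !ok }' <<<"$listing"; then
    signed=yes
  else
    signed=no
  fi

  if [[ "$signed" == no || "$imported" == no ]]; then
    echo "The key for $key needs to be imported and signed (a local signature is enough)"
    # Show the operator what is about to be imported. The local signature
    # marks this key as valid on this machine, so the fingerprint displayed
    # here is the thing to compare against a trusted copy before continuing.
    printf '%s\n' "$content" | gpg --import-options show-only --import
    echo "Continue? [y/N]"
    # A closed stdin counts as "N" so the abort path below reports it.
    answer=
    read -r answer || answer=
    if [[ "$answer" == "y" || "$answer" == "Y" ]]; then
      printf '%s\n' "$content" | gpg --import
      gpg --expert --edit-key "$fpr" lsign quit
    else
      echo "Aborting"
      exit 1
    fi
  fi
done
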
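# When the reported sandbox setting is "true", remind the operator of the
# nix.conf settings this repository has needed, then wait for Enter.
# NOTE(review): sandbox = "relaxed" lets derivations marked __noChroot build
# outside the sandbox, trading build isolation for compatibility; worth
# confirming it is still required before changing /etc/nix/nix.conf.
if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  printf '%s\n' \
    'There used to be some impure derivations (grep __noChroot), you may need' \
    'sandbox = "relaxed"' \
    'in /etc/nix/nix.conf' \
    'you may also want to add' \
    'keep-outputs = true' \
    'keep-derivations = true' \
    'to prevent garbage collector from deleting build dependencies (they take a lot of time to build)' \
    'and' \
    'allow-import-from-derivation = false' \
    'as an attempt to avoid having build-time derivations (doesn’t work for all packages)' \
    'press key to continue'
  # The input is only a pause: discard it, keep backslashes literal, and do
  # not let a closed stdin abort an advisory notice through `set -e`.
  read -r _ || true
fi
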
# Closing message once every check above has passed.
printf '%s\n' \
  'All set up.' \
  'Please make sure you’re using make commands when deploying'