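#!/bin/bash
#
# Prepare a workstation for deploying with nixops:
#   1. import the private password store as a git subtree of `pass`,
#   2. install the deploy SSH key so that it is readable only by the nix builders,
#   3. register the pinned nixpkgs channel so deployments use a frozen version.
#
# Required environment variables:
#   NIXOPS_CONFIG_PASS_SUBTREE_PATH    path where the subtree is imported in the store
#   NIXOPS_CONFIG_PASS_SUBTREE_REMOTE  remote name to give to the repository
#
# Every step that changes the system asks for confirmation first.
# Do not enable `set -x` here: the private key transits through a shell
# variable (see install_ssh_key) and would end up in the trace.

set -euo pipefail

readonly RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
readonly NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
readonly NixChannelName='immaeNixpkgs'
readonly NixSshKeyFile='/etc/ssh/ssh_rsa_key_nixops'

# Ask "Continue? [y/N]" on stdin; returns 0 only for an answer of y or Y.
# EOF on stdin counts as "no" rather than tripping `set -e`.
ask_continue() {
  local answer
  printf '%s\n' 'Continue? [y/N]'
  read -r answer || answer=''
  [[ "$answer" == [yY] ]]
}

# Print the abort message on stderr and leave with a failure status.
abort() {
  printf '%s\n' "Aborting" >&2
  exit 1
}

# Import the private password subtree into `pass` unless it is already there.
setup_password_store() {
  local subtree_path=$NIXOPS_CONFIG_PASS_SUBTREE_PATH
  local remote=$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE

  # `pass <path>` succeeds when the entry already exists: nothing to import.
  if pass "$subtree_path" >/dev/null 2>&1; then
    return 0
  fi

  cat <<EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $remote $RemoteRepo
> pass git subtree add --prefix=$subtree_path $remote master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
EOF
  ask_continue || abort

  pass git remote add "$remote" "$RemoteRepo"
  pass git subtree add --prefix="$subtree_path" "$remote" master
}

# Install the deploy key pair from the password store into /etc/ssh, owned by
# nixbld1 with the private half readable by its owner only.
install_ssh_key() {
  local key pubkey old_mask

  # An existing private key is left untouched.
  if [[ -f "$NixSshKeyFile" ]]; then
    return 0
  fi

  cat <<EOF
The key to access private git repositories (websites hosted by the
server) needs to be accessible to nix builders. It will be put in
$NixSshKeyFile (sudo right is needed for that)
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee $NixSshKeyFile > /dev/null
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee $NixSshKeyFile.pub > /dev/null
> sudo chmod u=r,go-rwx $NixSshKeyFile
> sudo chown nixbld1:nixbld $NixSshKeyFile $NixSshKeyFile.pub
EOF
  ask_continue || abort

  if ! id -u nixbld1 >/dev/null 2>&1; then
    printf '%s\n' "User nixbld1 seems inexistant, did you install nix?" >&2
    exit 1
  fi

  # Don’t forward it directly to tee, it would break ncurse pinentry.
  # Both halves are fetched before anything is written, so a failed
  # `pass show` leaves /etc/ssh unchanged.
  key=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey")
  pubkey=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub")

  old_mask=$(umask)
  # Create the files with no permission bits at all, then open them up
  # explicitly with chmod, so the private key is never momentarily readable
  # by other users (sudo's default umask policy unions this with its own).
  umask 0777
  printf '%s\n' "$key" | sudo tee "$NixSshKeyFile" >/dev/null
  sudo chmod u=r,go=- "$NixSshKeyFile"
  printf '%s\n' "$pubkey" | sudo tee "$NixSshKeyFile.pub" >/dev/null
  sudo chmod a=r "$NixSshKeyFile.pub"
  sudo chown nixbld1:nixbld "$NixSshKeyFile" "$NixSshKeyFile.pub"
  umask "$old_mask"
}

# Register and update the pinned nixpkgs channel unless it is already listed.
# Declining this step is not fatal: the user may add the channel by hand.
freeze_channel() {
  local channels

  # Captured first rather than piped into `grep -q`: with pipefail an early
  # grep exit could otherwise turn a successful listing into a failure.
  channels=$(nix-channel --list)
  # -F: the URL's dots would be regex metacharacters otherwise.
  if grep -qF -- "$NixChannelName $NixChannelUrl" <<<"$channels"; then
    return 0
  fi

  cat <<EOF
A new nix channel will be installed (or upgraded) to freeze the packages
version:
$NixChannelName $NixChannelUrl
> nix-channel --add $NixChannelUrl $NixChannelName
> nix-channel --update
If this step fail, you may have to disable sandboxing in
/etc/nix/nix.conf and rerun
> nix-channel --update
manually.
EOF
  ask_continue || return 0

  nix-channel --add "$NixChannelUrl" "$NixChannelName"
  # A failing update aborts the script (set -e) instead of claiming "All set up".
  nix-channel --update
}

# Entry point: validate the environment, then run the three setup steps in order.
main() {
  if [[ -z "${NIXOPS_CONFIG_PASS_SUBTREE_REMOTE:-}" || -z "${NIXOPS_CONFIG_PASS_SUBTREE_PATH:-}" ]]; then
    cat >&2 <<EOF
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
    exit 1
  fi

  setup_password_store
  install_ssh_key
  freeze_channel

  cat <<EOF
All set up.
Please make sure you’re using scripts/nixops_wrap when deploying
EOF
}

main "$@"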
93 All set up.
94 Please make sure you’re using scripts/nixops_wrap when deploying
95 EOF