#!/bin/bash set -euo pipefail RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" if ! which nix 2>/dev/null >/dev/null; then cat <<-EOF nix is needed, please install it: > curl https://nixos.org/nix/install | sh (or any other way handled by your distribution) EOF exit 1 fi if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then cat <<-EOF Nix store outside of /nix/store is not supported EOF exit 1 fi if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \ -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then cat <<-EOF Two environment variables are needed to setup the password store: NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository EOF exit 1 fi if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then cat <<-EOF /!\ This will modify your password store to add and import a subtree with the specific passwords files. Choose a path that doesn’t exist yet in your password store. > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master Later, you can use pull_environment and push_environment scripts to update the passwords when needed Continue? [y/N] EOF read y if [ "$y" = "y" -o "$y" = "Y" ]; then pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master else echo "Aborting" exit 1 fi fi # Repull it before using it, just in case pass git subtree pull --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) for key in $gpg_keys; do content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no # /usr/share/doc/gnupg/DETAILS field 2 (echo "$content" | gpg --import-options show-only --import --with-colons | grep -E '^pub:' | cut -d':' -f2 | grep -q '[fu]') && signed=yes || signed=no if [ "$signed" = no -o "$imported" = no ] ; then echo "The key for $key needs to be imported and signed (a local signature is enough)" echo "$content" | gpg --import-options show-only --import echo "Continue? [y/N]" read y if [ "$y" = "y" -o "$y" = "Y" ]; then echo "$content" | gpg --import gpg --expert --edit-key "$fpr" lsign quit else echo "Aborting" exit 1 fi fi done if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then cat <<-EOF There are some impure derivations in the repo currently (grep __noChroot), please put sandbox = "relaxed" in /etc/nix/nix.conf you may also want to add keep-outputs = true keep-derivations = true to prevent garbage collector from deleting build dependencies (they take a lot of time to build) EOF exit 1 fi DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" source $(dirname $(dirname $DIR))/scripts/nix_env export NIXOPS_STATE="$(dirname $DIR)/state/eldiron.nixops" export NIXOPS_DEPLOYMENT="$DeploymentUuid" if ! nixops_custom info 2>/dev/null >/dev/null; then cat <<-EOF Importing deployment file into nixops: Continue? [y/N] EOF read y if [ "$y" = "y" -o "$y" = "Y" ]; then deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment) echo "$deployment" | nixops_custom import else echo "Aborting" exit 1 fi fi nixops_custom modify "$(dirname $DIR)/default.nix" cat <<-EOF All set up. Please make sure you’re using scripts/nixops_wrap when deploying EOF