Simplify management of secrets in nixops
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 27 Aug 2020 21:53:36 +0000 (23:53 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 27 Aug 2020 21:53:36 +0000 (23:53 +0200)
.gitmodules [new file with mode: 0644]
Makefile
nixops/Makefile
nixops/scripts/setup
nixops/scripts/with_env
nixops/secrets [new submodule]

diff --git a/.gitmodules b/.gitmodules
new file mode 100644 (file)
index 0000000..c2d9b18
--- /dev/null
@@ -0,0 +1,3 @@
+[submodule "nixops/secrets"]
+       path = nixops/secrets
+       url = gitolite@git.immae.eu:perso/Immae/Config/Nix/Nixops/Secrets
index d5b8e5a46980c02287ce7e84c42792e9ae41a1be..6ba059c64cdd0364cfb8bf42ae15ddd466e17fa3 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
-subrecipes = setup nix-info
+subrecipes = setup nix-info edit_env
 subrecipes += nixops ssh-eldiron ssh-backup-2 ssh-monitoring-1
 subrecipes += info debug dry-run build upload deploy deploy-reboot reboot
 subrecipes += list-generations delete-generations cleanup
-subrecipes += pull pull_environment pull_deployment deployment_is_set push push_deployment push_environment
+subrecipes += pull_deployment deployment_is_set push_deployment
 ${subrecipes}:
        @$(MAKE) --no-print-directory -C nixops/ $@
 .PHONY: ${subrecipes}
index c5216829862c4c27bca76605bb4052611428c494..a7b24cd98c7cd7dfe7d78daf57eadb0f39612a91 100644 (file)
@@ -1,8 +1,5 @@
 export
-ifndef NIXOPS_CONFIG_PASS_SUBTREE_PATH
-  $(error Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path)
-endif
-
+PASSWORD_STORE_DIR = $(shell pwd)/secrets
 NIXOPS_STATE ?= ./state/eldiron.nixops
 NIXOPS_DEPLOYMENT = cef694f3-081d-11e9-b31f-0242ec186adf
 nixpkgs ?= $(shell cat ../nix/sources.json | jq -r '."nixpkgs-nixops".url')
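Review bot: `PASSWORD_STORE_DIR = $(shell pwd)/secrets` uses the recursive flavour, so the shell is forked again every time the variable is expanded, and with the file-wide `export` that happens for each recipe; `PASSWORD_STORE_DIR := $(CURDIR)/secrets` gives the same value once. The value is only right when make runs inside nixops/ (the top-level wrapper's `-C nixops/` guarantees that, a direct invocation from elsewhere does not), and if the submodule was never initialised the directory is empty and every `pass` call fails later with a generic store error. A parse-time guard makes both failures explicit: `$(if $(wildcard $(PASSWORD_STORE_DIR)/.gpg-id),,$(error $(PASSWORD_STORE_DIR) is not an initialised password store; run git submodule update --init))`.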
@@ -34,6 +31,9 @@ ifdef TARGET
 endif
 SSH_ARGS ?=
 
+edit_env:
+       pass edit Nixops/files/environment.nix || true
+
 nixops:
        $(NIXOPS_PRIV) $(NIXOPS_ARGS)
 
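Review bot: `edit_env` is not declared `.PHONY`, unlike the other targets in this file (`cleanup`, `pull_deployment`, `deployment_is_set`), so a file named edit_env in nixops/ would silently turn the recipe into a no-op; add `.PHONY: edit_env` after the rule. The `|| true` on `pass edit Nixops/files/environment.nix` also hides genuine failures (uninitialised store, gpg decryption or recipient errors) together with the benign non-zero exit that pass presumably returns when the file is left unchanged. If the latter is the reason, say so next to it, e.g. `# pass edit exits non-zero when the file is unchanged; that is not an error here`, so the next reader does not remove the guard or assume failures are being ignored on purpose.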
@@ -101,17 +101,6 @@ cleanup: delete-generations
 .PHONY: cleanup
 
 ###### Pull environment and deployment from remote
-# Don't include pull_deployment by default as this should happen only rarely
-pull: pull_environment;
-.PHONY: pull
-
-pull_environment:
-ifndef NIXOPS_CONFIG_PASS_SUBTREE_REMOTE
-       $(error "Please set NIXOPS_CONFIG_PASS_SUBTREE_REMOTE to the password-store subtree remote name")
-endif
-       pass git subtree pull --prefix=$(NIXOPS_CONFIG_PASS_SUBTREE_PATH) $(NIXOPS_CONFIG_PASS_SUBTREE_REMOTE) master
-.PHONY: pull_environment
-
 pull_deployment:
        @if $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null ; then \
          echo "This will remove your current deployment file and recreate it!. Continue? [y/N]" && \
@@ -119,7 +108,7 @@ pull_deployment:
          [ "$$y" = "y" -o "$$y" = "Y" ] && \
          $(NIXOPS) delete --force -d $(NIXOPS_DEPLOYMENT); \
        fi
-       pass show $(NIXOPS_CONFIG_PASS_SUBTREE_PATH)/Nixops/Deployment | $(NIXOPS) import
+       pass show Nixops/Deployment | $(NIXOPS) import
        $(NIXOPS) modify -d $(NIXOPS_DEPLOYMENT) "$$(pwd)/default.nix"
 .PHONY: pull_deployment
 
@@ -127,17 +116,7 @@ deployment_is_set:
        $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null
 .PHONY: deployment_is_set
 
-###### Push environment and deployment information to password store
-push: push_deployment push_environment;
-.PHONY: push
-
+###### Push deployment information to password store
 push_deployment:
-       $(NIXOPS) export | pass insert -m $(NIXOPS_CONFIG_PASS_SUBTREE_PATH)/Nixops/Deployment
-.PHONY: push_deployment
-
-push_environment:
-ifndef NIXOPS_CONFIG_PASS_SUBTREE_REMOTE
-       $(error "Please set NIXOPS_CONFIG_PASS_SUBTREE_REMOTE to the password-store subtree remote name")
-endif
-       pass git subtree push --prefix=$(NIXOPS_CONFIG_PASS_SUBTREE_PATH) $(NIXOPS_CONFIG_PASS_SUBTREE_REMOTE) master
-.PHONY: push_environment
+       $(NIXOPS) export | pass insert -m Nixops/Deployment
+.PHONY: push
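Review bot: `.PHONY: push` on the last added line names the aggregate target this hunk deletes, so the declaration is dead and the surviving `push_deployment` target is no longer marked phony; it should read `.PHONY: push_deployment`. Unrelated to the rename but kept by the new line above it: `pass insert -m Nixops/Deployment` reads its stdin for the "entry already exists, overwrite?" prompt when the entry is present, and stdin here is the `$(NIXOPS) export` pipe, so the first line of the export would be consumed as the answer and the insert refused; adding `-f` avoids the prompt, though I would confirm this against the pass version in use.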
index 3b364ac74fa48196d897fef5da72fcb970f59fe7..22f43ce0b8af983b39e6da0ea4a3ceadb504a812 100755 (executable)
@@ -2,7 +2,6 @@
 
 set -euo pipefail
 
-RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
 MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"
 
 if ! which nix 2>/dev/null >/dev/null; then
@@ -21,43 +20,9 @@ if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
   exit 1
 fi
 
-if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
-    -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
-  cat <<-EOF
-       Two environment variables are needed to setup the password store:
-       NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
-       NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
-       EOF
-  exit 1
-fi
-
-if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
-  cat <<-EOF
-       /!\ This will modify your password store to add and import a subtree
-       with the specific passwords files. Choose a path that doesn’t exist
-       yet in your password store.
-       > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-       > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-       Later, you can use pull_environment and push_environment scripts to
-       update the passwords when needed
-       Continue? [y/N]
-       EOF
-  read y
-  if [ "$y" = "y" -o "$y" = "Y" ]; then
-    pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-    pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-  else
-    echo "Aborting"
-    exit 1
-  fi
-fi
-
-# Repull it before adding keys, just in case
-make -C $MAKEFILE_DIR pull_environment
-
-gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
 for key in $gpg_keys; do
-  content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+  content=$(pass show Nixops/GPGKeys/$key)
   fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
   gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
   # /usr/share/doc/gnupg/DETAILS field 2
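Review bot: The script now assumes `PASSWORD_STORE_DIR` already points at the secrets submodule, but nothing in this file sets it; the removed block at least refused to run without `NIXOPS_CONFIG_PASS_SUBTREE_PATH`, whereas `pass ls Nixops/GPGKeys` now reads the user's default `~/.password-store` when the script is executed directly rather than through the Makefile (which presumably exports the variable). Nothing initialises the submodule either, so a fresh clone without `--recurse-submodules` leaves `secrets/` empty and the key import dies inside pass with a generic message, which matters here because the keys imported in this loop decide who can decrypt the deployment files. Before the `gpg_keys=` line I would add `export PASSWORD_STORE_DIR="${PASSWORD_STORE_DIR:-$MAKEFILE_DIR/secrets}"` and `[ -f "$PASSWORD_STORE_DIR/.gpg-id" ] || { echo "secrets submodule not initialised: run git submodule update --init" >&2; exit 1; }`. The `for key in $gpg_keys` loop continues past the end of the hunk.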
index dd0fecba878f2965e4139ee27dab33c98311f778..26e74b5f6d77b2f1851c9159f249344ad7f17b6c 100755 (executable)
@@ -5,11 +5,6 @@ if [ -z "$NIXOPS" ]; then
   exit 1;
 fi
 
-if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
-  echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
-  exit 1;
-fi
-
 TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
 chmod go-rwx $TEMP
 
@@ -21,10 +16,10 @@ finish() {
 trap finish EXIT
 
 # pass cannot "just" list files in a directory without showing a tree :(
-files=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files | sed -e '1d' -e 's/^.* //')
+files=$(pass ls Nixops/files | sed -e '1d' -e 's/^.* //')
 
 for file in $files; do
-  pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files/$file" > $TEMP/$file
+  pass show "Nixops/files/$file" > $TEMP/$file
 done
 $NIXOPS set-args --argstr privateFiles "$TEMP"
 
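Review bot: `pass show "Nixops/files/$file" > $TEMP/$file` leaves the redirection target unquoted while quoting the entry name, and `for file in $files` word-splits pass's tree output, so an entry whose name contains whitespace is looked up as several non-existent entries and written to the wrong paths; quote it as `> "$TEMP/$file"` and, if such names are possible, iterate with `while read -r file` over the listing instead. As in the setup script, the removed `NIXOPS_CONFIG_PASS_SUBTREE_PATH` check has no replacement, so nothing verifies that `PASSWORD_STORE_DIR` is set and the decrypted files would silently be taken from the default store when the script runs outside make; `: "${PASSWORD_STORE_DIR:?must point at the nixops secrets checkout}"` near the top of the script (which starts outside this hunk) would fail loudly instead. The temporary directory handling around the loop is unchanged by this commit.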
diff --git a/nixops/secrets b/nixops/secrets
new file mode 160000 (submodule)
index 0000000..d34d549
--- /dev/null
@@ -0,0 +1 @@
+Subproject commit d34d5490226809ff9863ce4e66bd59a68ead861c