blob: dce8332f7284308b39e01ed65732f3d8ecf38b72 (
plain) (
tree)
|
|
#!/bin/bash
set -euo pipefail
RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
if ! which nix 2>/dev/null >/dev/null; then
cat <<-EOF
nix is needed, please install it:
> curl https://nixos.org/nix/install | sh
(or any other way handled by your distribution)
EOF
exit 1
fi
if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
cat <<-EOF
Nix store outside of /nix/store is not supported
EOF
exit 1
fi
if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
cat <<-EOF
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
exit 1
fi
if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
cat <<-EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
Continue? [y/N]
EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
else
echo "Aborting"
exit 1
fi
fi
# Repull it before using it, just in case
pass git subtree pull --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
for key in $gpg_keys; do
content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
# /usr/share/doc/gnupg/DETAILS field 2
(echo "$content" | gpg --import-options show-only --import --with-colons |
grep -E '^pub:' |
cut -d':' -f2 |
grep -q '[fu]') && signed=yes || signed=no
if [ "$signed" = no -o "$imported" = no ] ; then
echo "The key for $key needs to be imported and signed (a local signature is enough)"
echo "$content" | gpg --import-options show-only --import
echo "Continue? [y/N]"
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
echo "$content" | gpg --import
gpg --expert --edit-key "$fpr" lsign quit
else
echo "Aborting"
exit 1
fi
fi
done
if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
cat <<-EOF
There are some impure derivations in the repo currently (grep __noChroot), please put
sandbox = "relaxed"
in /etc/nix/nix.conf
you may also want to add
keep-outputs = true
keep-derivations = true
to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
EOF
exit 1
fi
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
export NIXOPS_STATE="$(dirname $DIR)/state/eldiron.nixops"
export NIXOPS_DEPLOYMENT="$DeploymentUuid"
source $(dirname $(dirname $DIR))/scripts/nix_env
if ! nixops_custom info 2>/dev/null >/dev/null; then
cat <<-EOF
Importing deployment file into nixops:
Continue? [y/N]
EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment)
echo "$deployment" | nixops_custom import
else
echo "Aborting"
exit 1
fi
fi
nixops_custom modify "$(dirname $DIR)/default.nix"
cat <<-EOF
All set up.
Please make sure you’re using scripts/nixops_wrap when deploying
EOF
|