Simplify management of secrets in nixops

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-08-27 23:53:36 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-08-27 23:53:36 +0200
commit: 1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7 (patch)
tree: bb6335465082ec87ac6503f0fccecda7d89ad958 /nixops/scripts
parent: 7e214bf9e1bb58b83317db95dfb70dbeac0a4e28 (diff)
download: Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.gz
Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.zst
Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.zip
2 files changed, 4 insertions, 44 deletions
diff --git a/nixops/scripts/setup b/nixops/scripts/setup
index 3b364ac..22f43ce 100755
--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -2,7 +2,6 @@
 set -euo pipefail
-RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
 MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"
 if ! which nix 2>/dev/null >/dev/null; then
@@ -21,43 +20,9 @@ if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
  exit 1
 fi
-if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
+gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
-    -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
-  cat <<-EOF
-        Two environment variables are needed to setup the password store:
-        NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
-        NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
-        EOF
-  exit 1
-fi
-if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
-  cat <<-EOF
-        /!\ This will modify your password store to add and import a subtree
-        with the specific passwords files. Choose a path that doesn’t exist
-        yet in your password store.
-        > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-        > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-        Later, you can use pull_environment and push_environment scripts to
-        update the passwords when needed
-        Continue? [y/N]
-        EOF
-  read y
-  if [ "$y" = "y" -o "$y" = "Y" ]; then
-    pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-    pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-  else
-    echo "Aborting"
-    exit 1
-  fi
-fi
-# Repull it before adding keys, just in case
-make -C $MAKEFILE_DIR pull_environment
-gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
 for key in $gpg_keys; do
-  content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+  content=$(pass show Nixops/GPGKeys/$key)
  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
  # /usr/share/doc/gnupg/DETAILS field 2
diff --git a/nixops/scripts/with_env b/nixops/scripts/with_env
index dd0fecb..26e74b5 100755
--- a/nixops/scripts/with_env
+++ b/nixops/scripts/with_env
@@ -5,11 +5,6 @@ if [ -z "$NIXOPS" ]; then
  exit 1;
 fi
-if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
-  echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
-  exit 1;
-fi
 TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
 chmod go-rwx $TEMP
@@ -21,10 +16,10 @@ finish() {
 trap finish EXIT
 # pass cannot "just" list files in a directory without showing a tree :(
-files=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files | sed -e '1d' -e 's/^.* //')
+files=$(pass ls Nixops/files | sed -e '1d' -e 's/^.* //')
 for file in $files; do
-  pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files/$file" > $TEMP/$file
+  pass show "Nixops/files/$file" > $TEMP/$file
 done
 $NIXOPS set-args --argstr privateFiles "$TEMP"
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-08-27 23:53:36 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-08-27 23:53:36 +0200
commit	1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7 (patch)
tree	bb6335465082ec87ac6503f0fccecda7d89ad958 /nixops/scripts
parent	7e214bf9e1bb58b83317db95dfb70dbeac0a4e28 (diff)
download	Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.gz Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.zst Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.zip

diff --git a/nixops/scripts/setup b/nixops/scripts/setup index 3b364ac..22f43ce 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup
@@ -2,7 +2,6 @@
2		2
3	set -euo pipefail	3	set -euo pipefail
4		4
5	RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
6	MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"	5	MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"
7		6
8	if ! which nix 2>/dev/null >/dev/null; then	7	if ! which nix 2>/dev/null >/dev/null; then
@@ -21,43 +20,9 @@ if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
21	exit 1	20	exit 1
22	fi	21	fi
23		22
24	if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \	23	gpg_keys=$(pass ls Nixops/GPGKeys \| sed -e "1d" \| cut -d" " -f2)
25	-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
26	cat <<-EOF
27	Two environment variables are needed to setup the password store:
28	NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
29	NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
30	EOF
31	exit 1
32	fi
33
34	if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
35	cat <<-EOF
36	/!\ This will modify your password store to add and import a subtree
37	with the specific passwords files. Choose a path that doesn’t exist
38	yet in your password store.
39	> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
40	> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
41	Later, you can use pull_environment and push_environment scripts to
42	update the passwords when needed
43	Continue? [y/N]
44	EOF
45	read y
46	if [ "$y" = "y" -o "$y" = "Y" ]; then
47	pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
48	pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
49	else
50	echo "Aborting"
51	exit 1
52	fi
53	fi
54
55	# Repull it before adding keys, just in case
56	make -C $MAKEFILE_DIR pull_environment
57
58	gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys \| sed -e "1d" \| cut -d" " -f2)
59	for key in $gpg_keys; do	24	for key in $gpg_keys; do
60	content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)	25	content=$(pass show Nixops/GPGKeys/$key)
61	fpr=$(echo "$content" \| gpg --import-options show-only --import --with-colons \| grep -e "^pub" \| cut -d':' -f5)	26	fpr=$(echo "$content" \| gpg --import-options show-only --import --with-colons \| grep -e "^pub" \| cut -d':' -f5)
62	gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes \|\| imported=no	27	gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes \|\| imported=no
63	# /usr/share/doc/gnupg/DETAILS field 2	28	# /usr/share/doc/gnupg/DETAILS field 2


diff --git a/nixops/scripts/with_env b/nixops/scripts/with_env index dd0fecb..26e74b5 100755 --- a/nixops/scripts/with_env +++ b/nixops/scripts/with_env
@@ -5,11 +5,6 @@ if [ -z "$NIXOPS" ]; then
5	exit 1;	5	exit 1;
6	fi	6	fi
7		7
8	if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
9	echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
10	exit 1;
11	fi
12
13	TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)	8	TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
14	chmod go-rwx $TEMP	9	chmod go-rwx $TEMP
15		10
@@ -21,10 +16,10 @@ finish() {
21	trap finish EXIT	16	trap finish EXIT
22		17
23	# pass cannot "just" list files in a directory without showing a tree :(	18	# pass cannot "just" list files in a directory without showing a tree :(
24	files=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files \| sed -e '1d' -e 's/^.* //')	19	files=$(pass ls Nixops/files \| sed -e '1d' -e 's/^.* //')
25		20
26	for file in $files; do	21	for file in $files; do
27	pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files/$file" > $TEMP/$file	22	pass show "Nixops/files/$file" > $TEMP/$file
28	done	23	done
29	$NIXOPS set-args --argstr privateFiles "$TEMP"	24	$NIXOPS set-args --argstr privateFiles "$TEMP"
30		25