diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 00:42:49 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 00:42:49 +0200 |
| commit | d07d139ae42fb2c4263c96167ca6ca67f562bbe9 (patch) | |
| tree | 71e2876a24746fb1a7aecac4450a6b74e0fc33b7 /nixops/scripts | |
| parent | 08822d6f730053c97cfd9c27111b4302d9a94081 (diff) | |
| download | Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.tar.gz Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.tar.zst Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.zip | |
Add GPG keys importing from password store
Diffstat (limited to 'nixops/scripts')
| -rwxr-xr-x | nixops/scripts/setup | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/nixops/scripts/setup b/nixops/scripts/setup index 38cee65..81ba8aa 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | #!/bin/bash | 1 | #!/bin/bash |
| 2 | 2 | ||
| 3 | set -euxo pipefail | 3 | set -euo pipefail |
| 4 | 4 | ||
| 5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" | 5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" |
| 6 | DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" | 6 | DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" |
| @@ -52,6 +52,31 @@ if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then | |||
| 52 | fi | 52 | fi |
| 53 | fi | 53 | fi |
| 54 | 54 | ||
| 55 | gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) | ||
| 56 | for key in $gpg_keys; do | ||
| 57 | content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) | ||
| 58 | fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) | ||
| 59 | gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no | ||
| 60 | # /usr/share/doc/gnupg/DETAILS field 2 | ||
| 61 | (echo "$content" | gpg --import-options show-only --import --with-colons | | ||
| 62 | grep -E '^pub:' | | ||
| 63 | cut -d':' -f2 | | ||
| 64 | grep -q '[fu]') && signed=yes || signed=no | ||
| 65 | if [ "$signed" = no -o "$imported" = no ] ; then | ||
| 66 | echo "The key for $key needs to be imported and signed (a local signature is enough)" | ||
| 67 | echo "$content" | gpg --import-options show-only --import | ||
| 68 | echo "Continue? [y/N]" | ||
| 69 | read y | ||
| 70 | if [ "$y" = "y" -o "$y" = "Y" ]; then | ||
| 71 | echo "$content" | gpg --import | ||
| 72 | gpg --expert --edit-key "$fpr" lsign quit | ||
| 73 | else | ||
| 74 | echo "Aborting" | ||
| 75 | exit 1 | ||
| 76 | fi | ||
| 77 | fi | ||
| 78 | done | ||
| 79 | |||
| 55 | nix_group=$(stat -c %G /nix/store) | 80 | nix_group=$(stat -c %G /nix/store) |
| 56 | if [ "$nix_group" = "nixbld" ]; then | 81 | if [ "$nix_group" = "nixbld" ]; then |
| 57 | nix_user="nixbld1" | 82 | nix_user="nixbld1" |