diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 00:42:49 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 00:42:49 +0200 |
commit | d07d139ae42fb2c4263c96167ca6ca67f562bbe9 (patch) | |
tree | 71e2876a24746fb1a7aecac4450a6b74e0fc33b7 /nixops/scripts | |
parent | 08822d6f730053c97cfd9c27111b4302d9a94081 (diff) | |
download | Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.tar.gz Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.tar.zst Nix-d07d139ae42fb2c4263c96167ca6ca67f562bbe9.zip |
Add GPG keys importing from password store
Diffstat (limited to 'nixops/scripts')
-rwxr-xr-x | nixops/scripts/setup | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/nixops/scripts/setup b/nixops/scripts/setup index 38cee65..81ba8aa 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | 2 | ||
3 | set -euxo pipefail | 3 | set -euo pipefail |
4 | 4 | ||
5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" | 5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" |
6 | DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" | 6 | DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf" |
@@ -52,6 +52,31 @@ if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then | |||
52 | fi | 52 | fi |
53 | fi | 53 | fi |
54 | 54 | ||
55 | gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) | ||
56 | for key in $gpg_keys; do | ||
57 | content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) | ||
58 | fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) | ||
59 | gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no | ||
60 | # /usr/share/doc/gnupg/DETAILS field 2 | ||
61 | (echo "$content" | gpg --import-options show-only --import --with-colons | | ||
62 | grep -E '^pub:' | | ||
63 | cut -d':' -f2 | | ||
64 | grep -q '[fu]') && signed=yes || signed=no | ||
65 | if [ "$signed" = no -o "$imported" = no ] ; then | ||
66 | echo "The key for $key needs to be imported and signed (a local signature is enough)" | ||
67 | echo "$content" | gpg --import-options show-only --import | ||
68 | echo "Continue? [y/N]" | ||
69 | read y | ||
70 | if [ "$y" = "y" -o "$y" = "Y" ]; then | ||
71 | echo "$content" | gpg --import | ||
72 | gpg --expert --edit-key "$fpr" lsign quit | ||
73 | else | ||
74 | echo "Aborting" | ||
75 | exit 1 | ||
76 | fi | ||
77 | fi | ||
78 | done | ||
79 | |||
55 | nix_group=$(stat -c %G /nix/store) | 80 | nix_group=$(stat -c %G /nix/store) |
56 | if [ "$nix_group" = "nixbld" ]; then | 81 | if [ "$nix_group" = "nixbld" ]; then |
57 | nix_user="nixbld1" | 82 | nix_user="nixbld1" |